IT, Cloud, Windows Etc


Sunday 18 June 2017

Sophos XG Firewall Setup on Hyper-V

The Sophos XG Firewall is a powerful and advanced next-generation firewall. It works well in a virtualized environment. You can find more info about Sophos XG Firewall here.

The XG firewall runs on Hyper-V as a Generation 1 VM; it supports VLANs in access or trunk mode and VMQ. You can use up to 8 network adapters. If you need more, you can use VLAN trunking to present more interfaces to the firewall.

There are 2 ways to create an XG Firewall: you can use the ready-to-use VHD files or you can install it from the ISO.

I will cover only the first one.

First, we need to design the network. We need at least 3 network adapters: one for the admin network used for the first setup, one for the WAN connection and one for the LAN connection.

The first one is used during the setup to configure the firewall. It must be on a separate network: the firewall expects 172.16.16.0/24 there, and you must be able to open a web browser on that network.

The WAN adapter must be bound to a virtual switch with Internet access. It’s important that the firewall can reach the Internet during setup, as the connection is used to register the device.

The LAN adapter can be bound to any virtual switch and configured as you need. But remember that, by default, a Hyper-V VM network adapter does not allow multiple MAC addresses on a port, so you will have to turn MAC address spoofing on for that adapter.

Be aware that the order of the network adapters matters. The first network adapter (eth0) will be used for the initial setup and the second for external access.

Let’s start,

# This script sets up a new XG Firewall
# The Hyper-V server used to run the virtual firewall
$ComputerName = "MyHyperVServer"
# The name of the virtual firewall VM
$vmname = "MyNewFirewal"

# The RAM of the firewall, from 1 GB upwards
$ram = 6GB
# The number of vCPUs, from 1 upwards; check your licence
$vmproc = 4

# The path of the VM on the Hyper-V server
$path = "e:\xfSophosFirewall"

# Names of the virtual switches used in this example
# The admin vSwitch, used for the initial setup and later for administration
$vswitchadmin = "admin"
# The virtual switch used for external access during the setup and later
$vswitchwan = "Wan"
# The virtual switch used for the internal network
$vswitchlan = "lan"

# The paths of the 2 VHDs
$fwPRIMARYVhd = "$path\PRIMARY-DISK.vhd"
$fwAUXILIARYVhd = "$path\AUXILIARY-DISK.vhd"

# Create the VM
New-VM -Verbose -Name $vmname -MemoryStartupBytes $ram -Generation 1 -Path $path -ComputerName $ComputerName
# Set up the VM processors
Set-VMProcessor -Count $vmproc -VMName $vmname -ComputerName $ComputerName

# Remove the default network adapter so that the adapter order below is the one the firewall sees
Get-VMNetworkAdapter -VMName $vmname -ComputerName $ComputerName | Remove-VMNetworkAdapter

# Attach the 2 hard drives to the new VM on the first IDE controller
Add-VMHardDiskDrive -Path $fwPRIMARYVhd -VMName $vmname -ComputerName $ComputerName -ControllerType IDE -ControllerNumber 0
Add-VMHardDiskDrive -Path $fwAUXILIARYVhd -VMName $vmname -ComputerName $ComputerName -ControllerType IDE -ControllerNumber 0

# Admin/setup interface (eth0)
# I use a VLAN, but you can also use a dedicated network
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchadmin -Name setup

# Add the WAN interface (eth1), on the
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchwan -Name wan
Set-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName wan -Access -VlanId 5 -ComputerName $ComputerName

# Add the LAN interface (eth2). It's a trunk interface with a native VLAN
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchlan -Name lan
# Allow multiple MAC addresses behind this port: the firewall forwards traffic for several VLANs
Set-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -Name lan -MacAddressSpoofing On
Set-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName lan -Trunk -AllowedVlanIdList "6,7" -NativeVlanId 10

After the setup, you should change the admin/setup IP address to fit your admin network. If you forget this step, you may fail to set up another XG Firewall on the same network, as the 2 devices would both have the IP 172.16.16.16.
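A pre-flight check that goes with the script above, as an added example that is not part of the original post: it verifies that the virtual switches and VHD files exist on the host and that nothing already answers on the default setup address, which is exactly the collision described in the previous paragraph. The host name, switch names and VHD paths are the sample values used in the script.

```powershell
# Added example: pre-flight checks before deploying a new XG Firewall VM.
function Test-XgDeployPrerequisite {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $SwitchName,   # admin, wan, lan
        [Parameter(Mandatory)] [string[]] $VhdPath,      # PRIMARY-DISK.vhd, AUXILIARY-DISK.vhd
        [string] $SetupAddress = '172.16.16.16',         # XG default admin address
        [int]    $SetupPort    = 4444                    # XG admin web UI port
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Every virtual switch the script binds to must exist on the target host.
    foreach ($name in $SwitchName) {
        if (-not (Get-VMSwitch -ComputerName $ComputerName -Name $name -ErrorAction SilentlyContinue)) {
            $problems.Add("virtual switch '$name' not found on $ComputerName")
        }
    }

    # 2. Both VHD files must already be on the host (Test-Path runs remotely).
    foreach ($vhd in $VhdPath) {
        $exists = Invoke-Command -ComputerName $ComputerName -ScriptBlock { Test-Path -Path $using:vhd }
        if (-not $exists) { $problems.Add("VHD '$vhd' not found on $ComputerName") }
    }

    # 3. The default setup address must not already answer on the admin network:
    #    a previous XG still listening on 172.16.16.16 would collide with the new one.
    $probe = Test-NetConnection -ComputerName $SetupAddress -Port $SetupPort -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) {
        $problems.Add("$SetupAddress already answers on TCP/$SetupPort; change the admin IP of the existing firewall first")
    }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Sample values from the script above (constructed for this example)
$check = Test-XgDeployPrerequisite -ComputerName 'MyHyperVServer' `
    -SwitchName 'admin', 'Wan', 'lan' `
    -VhdPath 'e:\xfSophosFirewall\PRIMARY-DISK.vhd', 'e:\xfSophosFirewall\AUXILIARY-DISK.vhd'

if (-not $check.Ready) {
    $check.Problems | ForEach-Object { Write-Warning $_ }
    return   # stop here instead of creating a half-configured firewall VM
}
```

Run it from the machine you use to reach the 172.16.16.0/24 setup network, otherwise the third check cannot see an existing firewall.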

You can also find the script here

Sunday 31 July 2016

Windows Admin in a cloud World, What should you learn

This post was first published at Linkedin

Have you heard about the DevOpsification of Windows and the projections about cloud adoption? Just listen to Jeffrey Snover at the WinOps Conference this year: https://youtu.be/6Mn10BiaVaw?t=2776 https://channel9.msdn.com/Events/WinOps/WinOps-Conf-2016/Jeffrey-Snover-on-DevOps?wt.mc_id=DX_841473 How do you enter this new era, you could ask. If you are a Windows Server admin these new concepts can be difficult. This is not another post about how DevOps or cloud infrastructure will transform the IT world, or about how bad traditional IT is. This post is about how to enter this era in the Windows world when you are a Windows Server admin.

First, a refresher on what an operating system is. It may seem obvious, but a good understanding of how a computer works is essential. You may not need to know what a thread or a process is when you run a file server, but to run, maintain and debug fabric and workloads this skill is important.

https://www.udacity.com/course/introduction-to-operating-systems--ud923 https://www.udacity.com/course/advanced-operating-systems--ud189

Second, networking. This is not about how to operate a router or switch from a particular vendor; it is about learning how networks work. Understanding VLANs, L2/L3, advanced routing, proxies … is key to successful cloud-based projects. https://www.udacity.com/course/computer-networking--ud436 https://www.coursera.org/learn/cloud-networking And because you also need to learn how you can use networking inside a public cloud, you should be familiar with Azure networking. https://mva.microsoft.com/en-US/training-courses/azure-networking-fundamentals-for-it-pros-8917?l=R70kv0B3_6104984382 https://mva.microsoft.com/en-US/training-courses/create-a-dynamic-datacenter-with-hybrid-softwaredefined-networking-14004?l=yc0Q2vnmB_9800115881

Then, what about DevOps? If you have never heard about DevOps, welcome to 2016, Marty! But if you are not a time traveler, here is where to start:

https://www.edx.org/course/introduction-devops-microsoft-dev212x-0

It’s just a general introduction, but in the Windows world I suggest you follow some meetups, forums and the WinOps Conf. In the Windows Server world, the most important tool for DevOps is PowerShell. Of course you can try to build cloud-enabled solutions using VBScript, but it will be inefficient. And when I say PowerShell, it’s not about being able to type a small set of commands. It’s about writing scripts and modules. It can be difficult but it pays off: with little effort you can have big success. Take a look at this small script:

# VM parameters
$VMparamHash = @{
    VMName  = 'MyVm'
    VlanWan = '10'
    VlanLan = '11'
    VhdPath = 'e:\vm\MyVm\MyVM.vhdx'
    VMPath  = 'e:\vm\MyVm\'
}
# Create the VM, set the CPU count and attach a new dynamic disk
New-VM -Name $VMparamHash.VMName -Generation 1 -MemoryStartupBytes 4GB -Path $VMparamHash.VMPath
Set-VM -Name $VMparamHash.VMName -ProcessorCount 2
New-VHD -Path $VMparamHash.VhdPath -SizeBytes 200GB -Dynamic
Add-VMHardDiskDrive -VMName $VMparamHash.VMName -Path $VMparamHash.VhdPath
# Replace the default adapter with a Wan and a Lan adapter, each in its own access VLAN
Get-VMNetworkAdapter -VMName $VMparamHash.VMName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VMparamHash.VMName -Name "Wan" -SwitchName "Fabric"
Add-VMNetworkAdapter -VMName $VMparamHash.VMName -Name "Lan" -SwitchName "Fabric"
Set-VMNetworkAdapterVlan -VMName $VMparamHash.VMName -VMNetworkAdapterName "Wan" -Access -VlanId $VMparamHash.VlanWan
Set-VMNetworkAdapterVlan -VMName $VMparamHash.VMName -VMNetworkAdapterName "Lan" -Access -VlanId $VMparamHash.VlanLan
# Disable VMQ on both adapters; allow MAC address spoofing only on the Lan side
Set-VMNetworkAdapter -VMName $VMparamHash.VMName -VMNetworkAdapterName "Wan" -VmqWeight 0
Set-VMNetworkAdapter -VMName $VMparamHash.VMName -VMNetworkAdapterName "Lan" -VmqWeight 0 -MacAddressSpoofing On

It just creates a VM with 2 network adapters and applies VLAN and other network parameters. Doing this with the GUI takes several minutes and is error prone; in PowerShell it takes only a few seconds. Doing PowerShell may not be enough, though. Cloud infrastructure and DevOps culture rely a lot on automation. That is the purpose of DSC, Desired State Configuration, a declarative model for system configuration. It ensures that a server is configured the way you want. The key concept here is idempotence: the configuration is changed only if the server is not in the desired state. If it is already in the desired state, DSC does nothing; a DSC configuration can be applied a hundred times and it will do nothing if the configuration is already applied. DSC checks the current state of a server and changes it in the desired way only if there is a difference between the current state and the state described in the DSC resource. DSC is based on resources, written in PowerShell as modules (or classes in PowerShell v5). That’s the power of DSC: you can create your own resources that check whether the state you want for your server is OK, and know how to put the server in the configuration you want.
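A small DSC configuration for a Hyper-V host, as an added example that is not part of the original post, to show the apply/test cycle just described: the first Start-DscConfiguration installs what is missing, and every later run (or Test-DscConfiguration) finds the host already in the desired state and changes nothing. It uses only the built-in WindowsFeature and Service resources; the node name and the choice of settings are assumptions for the example.

```powershell
# Added example: an idempotent DSC baseline for a Hyper-V host.
Configuration HyperVHostBaseline {
    param([string[]] $NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # The Hyper-V role and its PowerShell module must be present.
        WindowsFeature HyperV {
            Name   = 'Hyper-V'
            Ensure = 'Present'
        }
        WindowsFeature HyperVPowerShell {
            Name      = 'Hyper-V-PowerShell'
            Ensure    = 'Present'
            DependsOn = '[WindowsFeature]HyperV'
        }
        # Example host-hardening item: keep the Remote Registry service off.
        Service RemoteRegistry {
            Name        = 'RemoteRegistry'
            StartupType = 'Disabled'
            State       = 'Stopped'
        }
    }
}

# Compile the configuration to a MOF file in .\HyperVHostBaseline ...
HyperVHostBaseline -NodeName 'localhost' -OutputPath .\HyperVHostBaseline | Out-Null

# ... and apply it. Resources are only changed when their Test() reports a drift,
# so running this line again on a compliant host performs no Set() at all.
Start-DscConfiguration -Path .\HyperVHostBaseline -Wait -Verbose -Force

# Test-DscConfiguration only compares, never changes: InDesiredState is $true
# once the baseline holds, and becomes $false again if someone re-enables the service.
$result = Test-DscConfiguration -Detailed
$result.InDesiredState
$result.ResourcesNotInDesiredState | Select-Object ResourceId, InDesiredState
```

Re-running the apply after manually starting Remote Registry shows the other half of idempotence: only that one resource is set back, the features are left alone.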

https://mva.microsoft.com/en-US/training-courses/getting-started-with-powershell-desired-state-configuration-dsc-8672?l=ZwHuclG1_2504984382 https://mva.microsoft.com/en-US/training-courses/advanced-powershell-desired-state-configuration-dsc-and-custom-resources-8702?l=3DnsS2H1_1504984382

But if you need to deal with a lot of PowerShell files, go back to an old version and work in a team, you will need a version control system. One of the most used in the Windows community is Git. There is also GitHub, a public service that hosts Git repositories. https://www.udacity.com/course/how-to-use-git-and-github--ud775 With a lot of PowerShell scripts and modules, you need to find a way to test them and correct errors. Scripts can be complex and interact with many parts of one computer or with several servers. In the programming world, this means unit testing. It’s a part of continuous integration. For PowerShell you can use Pester. https://github.com/pester/Pester/wiki/Pester For more information on unit testing check this course: https://mva.microsoft.com/en-US/training-courses/getting-started-with-unit-testing-for-crossplatform-mobile-apps-16519
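As an added example of what a Pester test for infrastructure code looks like (not part of the original post), here are tests for the VM created by the small script above: they check the VLAN of each adapter and that MAC address spoofing is on only where the script intended. Pester 4 syntax (Should -Be, Should -Contain) and the Hyper-V module on the host are assumed; the expected values come from the script.

```powershell
# Added example: MyVm.Tests.ps1, run with Invoke-Pester on the Hyper-V host.
$expected = @{ VMName = 'MyVm'; VlanWan = 10; VlanLan = 11; Cpu = 2; Memory = 4GB }

Describe "Hyper-V VM $($expected.VMName)" {
    BeforeAll {
        $vm   = Get-VM -Name $expected.VMName
        $nics = @(Get-VMNetworkAdapter -VMName $expected.VMName)
    }

    It 'is a generation 1 VM with the requested CPU and memory' {
        $vm.Generation     | Should -Be 1
        $vm.ProcessorCount | Should -Be $expected.Cpu
        $vm.MemoryStartup  | Should -Be $expected.Memory
    }

    It 'has exactly one Wan and one Lan adapter' {
        $nics.Count | Should -Be 2
        $nics.Name  | Should -Contain 'Wan'
        $nics.Name  | Should -Contain 'Lan'
    }

    It 'puts each adapter in its own access VLAN' {
        $wan = Get-VMNetworkAdapterVlan -VMName $expected.VMName -VMNetworkAdapterName 'Wan'
        $lan = Get-VMNetworkAdapterVlan -VMName $expected.VMName -VMNetworkAdapterName 'Lan'
        $wan.OperationMode.ToString() | Should -Be 'Access'
        $lan.OperationMode.ToString() | Should -Be 'Access'
        $wan.AccessVlanId | Should -Be $expected.VlanWan
        $lan.AccessVlanId | Should -Be $expected.VlanLan
    }

    # MAC spoofing lets a guest send frames with other source MACs, so it should be
    # enabled only on the side where the script deliberately turned it on.
    It 'allows MAC address spoofing only on the Lan adapter' {
        ($nics | Where-Object Name -eq 'Wan').MacAddressSpoofing.ToString() | Should -Be 'Off'
        ($nics | Where-Object Name -eq 'Lan').MacAddressSpoofing.ToString() | Should -Be 'On'
    }
}
```

Run `Invoke-Pester -Script .\MyVm.Tests.ps1` after the build script; a failing VLAN or spoofing test is exactly the kind of configuration drift a pipeline should report.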

The next step is to define a deployment pipeline: you have your scripts and modules in a source control system, you have tools for testing, and you need to automate the next step, not just execution but also reporting when something is wrong and keeping a history of code execution. That is the purpose of Jenkins. Jenkins is a continuous integration and continuous delivery server. https://hodgkins.io/automating-with-jenkins-and-powershell-on-windows-part-1

Where to apply this knowledge? First you have Hyper-V: virtualization is the essential brick in the cloud world, and in the Windows world virtualization means Hyper-V. https://www.edx.org/course/microsoft-windows-server-2012-microsoft-inf200-05x

Hyper-V on Windows 2016 comes with enhancements that permit building a hyper-converged platform: compute, storage and network. They are called S2D and Network Virtualization. https://blogs.technet.microsoft.com/filecab/2016/04/27/s2dtp5new/ Windows 2016 also introduces a new way to install the server: Nano Server. With Nano Server you can install 2 types of servers, physical for infrastructure (storage or Hyper-V) and VMs for workloads, with a small footprint. It’s the perfect tool for applications that need to scale out, as it is easy to install in mass. Nano Server is just the Windows kernel, without GUI or local console. https://mva.microsoft.com/en-US/training-courses/whats-new-in-windows-server-2016-16457

https://mva.microsoft.com/en-us/training-courses/a-deep-dive-into-nano-server-13785

Another tool that makes Windows 2016 an engine for agility is containers. Containers are not just VMs inside a VM; they are a new way to deliver applications by using layers. Then you have Docker. Docker for Windows comes with the whole ecosystem, meaning that you can use Docker Engine, Swarm … in the same way you use them on Linux. You can now use Windows Server Core and Nano Server as base images for your containers. https://channel9.msdn.com/Blogs/containers/Containers-101-with-Microsoft-and-Docker https://blog.docker.com/2016/04/docker-windows-server-tp5/ How do you deploy applications at large scale on Nano Server and containers? Having an OS you can deploy in a minute with no local GUI or console means that you need a new way to install applications (no more screenshots, remember?). One option is to use Windows Server Apps, which support offline and remote installation:

https://blogs.technet.microsoft.com/nanoserver/2015/11/18/installing-windows-server-apps-on-nano-server/ https://blogs.technet.microsoft.com/nanoserver/2015/11/19/hands-on-packaging-and-installing-your-first-windows-server-apps-on-nano-server/ https://github.com/PowerShell/WSAProvider Another option to deploy applications and services on a server is to use a package manager. If you use Ubuntu, you are familiar with apt-get. PowerShell 5 has a similar tool, the PackageManagement module. It works on client computers (Windows 10) and servers (including Nano Server). https://blogs.technet.microsoft.com/packagemanagement/2015/04/28/introducing-packagemanagement-in-windows-10/

Windows 2016 can help you build your private cloud; for public cloud you should try to learn Azure or AWS, even if it’s just for prototypes or tests. It will give you some ideas on how to run your own services on your private cloud. Azure contains tools and services that can be time consuming to implement on premises. https://www.edx.org/course/architecting-microsoft-azure-solutions-microsoft-dev205bx-0 Orchestration and deployment in Azure is done with an API called Azure Resource Manager, or ARM. https://gallery.technet.microsoft.com/Cloud-Consistency-with-0b79b775 With Azure and Windows 2016 comes Azure Stack, the hybrid cloud solution from Microsoft. It works in a similar way to Azure and you can use what you learn about ARM on Azure Stack. https://azure.microsoft.com/en-us/overview/azure-stack/ Orchestration is a central concept in the cloud era. It can be seen as automated and ordered operations on a group of servers to produce a service. Think about a service that requires a database server, one or more web servers and one load balancer. With DSC and PowerShell we have the tools to configure each server one by one. But what if I need to set up the complete solution, or add a web server? This is the purpose of orchestration. There are a lot of orchestration products; ARM is one of them, but it only works on Azure and Azure Stack. There are others: Ansible, SaltStack, Puppet, Chef …

In a cloud world, Windows sysadmins, cloud admins and architects should worry about security. It’s not only about security inside Windows, but also outside your server. Windows 2016, Azure and PowerShell 5 come with a lot of tools to prevent malicious behaviour and monitor activity. Take a look at Just Enough Administration: you can allow a user to do specific administration tasks without giving them an admin account. https://charbelnemnom.com/2016/07/step-by-step-secure-and-control-a-powershell-direct-session-with-just-enough-administration-hyperv-powershell-jea/

Monitoring and metering are an essential part of the cloud era. They permit detecting errors and bugs, managing performance, and ensuring that resources are used correctly by scaling up/down/out only the resources really needed.

IT people should start to learn some programming languages and APIs. It’s not about becoming a programmer, but more about knowing what the needs of the developer teams are and how to monitor, install and troubleshoot systems. It can be the tools used by your clients or by in-house programmers. It can be Node.js, .NET Core, Python, Go or anything else. You don’t need to be an expert, just enough culture to monitor, install, maintain and debug installations of these tools.

In this new era, Windows sysadmins need to change the way they work; it’s all about culture: skills, process and team collaboration. These are only some elements to learn, and I forgot some. Most of them come from the open source world, others from Microsoft. Some tools have already been used for a long time, look at PowerShell and Hyper-V; some are not ready for production today. But more and more these skills will be needed on a daily basis. Cloud, WinOps, automation, PowerShell skills and others will be essential to all Windows IT professionals in the next years. The most important skill to have is the ability

Friday 3 June 2016

Docker Error in Windows 2016 TP5

You want to test Docker a little deeper and you decide to install it on Windows 2016 TP5 Core. The installation process is simple:

///
PS> Install-WindowsFeature Containers
PS> Install-PackageProvider ContainerImage -Force
PS> Install-ContainerImage -Name WindowsServerCore
///

Finally you run the script from https://aka.ms/tp5/Update-Container-Host to install the Docker components:

///
PS> Invoke-WebRequest https://aka.ms/tp5/Update-Container-Host -OutFile update-containerhost.ps1
PS> .\update-containerhost.ps1
///

But something goes wrong.

Docker doesn’t run and you get this error message: [image: dockererror.png]

Don’t think it’s an error related to your network.

The answer is a little simpler: you did not use an elevated prompt to install the container feature.

  • Stop the docker service.
  • Open an elevated PowerShell prompt: Start-Process PowerShell -Verb RunAs
  • Re-run the update-containerhost.ps1 script.
  • Then go to C:\ProgramData\docker. You should notice that there is no tag.txt file. This file is necessary to run Docker, so create an empty one (notepad tag.txt).

Docker should run now.
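The same repair as a script, added here as an example and not part of the original post. It refuses to continue when the prompt is not elevated, which is the root cause above, then re-runs the update script and creates the missing tag.txt before starting Docker. The service name docker and the update script's file name are taken from the post.

```powershell
# Added example: repair a TP5 container host whose Docker service will not start.

# 1. Refuse to run without elevation; the original failure came from an unelevated install.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt (Start-Process PowerShell -Verb RunAs).'
}

$dockerRoot = Join-Path $env:ProgramData 'docker'
$tagFile    = Join-Path $dockerRoot 'tag.txt'

# 2. Stop Docker so the update script can replace its binaries.
$svc = Get-Service -Name docker -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name docker -Force
}

# 3. Re-run the TP5 update script (download it again if it is not in the current folder).
if (-not (Test-Path -Path .\update-containerhost.ps1)) {
    Invoke-WebRequest -Uri 'https://aka.ms/tp5/Update-Container-Host' -OutFile .\update-containerhost.ps1
}
.\update-containerhost.ps1

# 4. The missing tag.txt is what keeps Docker from starting: create an empty one if needed.
if (-not (Test-Path -Path $tagFile)) {
    New-Item -Path $tagFile -ItemType File | Out-Null
    Write-Host "Created $tagFile"
}

# 5. Start Docker and report its state.
Start-Service -Name docker
Get-Service -Name docker | Select-Object Name, Status
```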

Tuesday 17 May 2016

Running Linux on Hyper-v

With Windows 2008, running Linux as a guest OS on Hyper-V was sometimes difficult. If you wanted to install an old version of Ubuntu or a network virtual appliance like pfSense you had to use emulated devices and/or manually load the Hyper-V drivers. Performance was sometimes poor.

That is now history. In July 2009, Microsoft released Hyper-V drivers for Linux under the GPLv2 license. There were 7 drivers (vmbus, storvsc, blkvsc, netvsc, utils and timesource) in Hyper-V 2008 R2, and many more in Windows 2012 R2 and Windows 2016. Modern Linux versions can now run in the same way as Windows guests and offer performance near bare metal.

Now most features available to Windows 2012 R2 guests are available in the latest versions of the major Linux distributions and in some FreeBSD/Linux-based network virtual appliances.

Secure Boot, the anti-rootkit feature of Generation 2 VMs, works with Ubuntu 16 on Windows 2016 (you have to choose “MicrosoftUEFICertificateAuthority” as the Secure Boot template).

Here are the features available for Linux and FreeBSD: https://technet.microsoft.com/fr-fr/library/dn531031.aspx

You can find more information about features and Ubuntu: https://technet.microsoft.com/fr-fr/library/dn531029.aspx

Installing a modern Linux OS on Hyper-V 2012 R2/2016 is as simple as installing a Windows Server OS.

But there are some best practices to follow.

When using a dynamic disk with Windows, you may need to create the VHDX file in PowerShell: you can use a 1 MB block size for the VHDX file (not the logical or physical sector size).

PS> New-VHD -Path x:\location\VMLinux.vhdx -SizeBytes 80GB -Dynamic -BlockSizeBytes 1MB

Doing so will prevent the VHDX file from growing because of how some Linux filesystems use free space. Inside a VM you should always use ext4. You should also change the way Linux schedules I/O to first in, first out (noop), to pass the scheduling choice to the hypervisor.

$ sudo nano /etc/default/grub

Change the line

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

to

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash elevator=noop"

Then

$ sudo update-grub

and restart.

You will also need to modify the GRUB command line if the VM has 8 vCPUs or more, or more than 30 GB of RAM:

$ sudo nano /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash elevator=noop numa=off"

Then

$ sudo update-grub

Also, if you find that the resolution in VMConnect is too small for your needs, you can add this to the GRUB command line: video=hyperv_fb:XXXxXXX

Don’t forget to update GRUB and restart the server.

If you have Linux VMs in a Hyper-V cluster, you may need to use static MAC addresses. During failover a new MAC address can trigger a network restart on the guest.

If you use Ubuntu LTS 14.04, 16.04 or 12.04 you can update the kernel with the latest Hardware Enablement stack.

16.04
$ sudo apt-get update
$ sudo apt-get install --install-recommends linux-virtual-lts-xenial

14.04
$ sudo apt-get update
$ sudo apt-get install --install-recommends linux-virtual-lts-wily

12.04
$ sudo apt-get update
$ sudo apt-get install --install-recommends linux-generic-lts-trusty

Then you need to add the Hyper-V daemons:

16.04
$ sudo apt-get install --install-recommends linux-tools-virtual-lts-xenial linux-cloud-tools-virtual-lts-xenial

14.04
$ sudo apt-get install --install-recommends hv-kvp-daemon-init linux-tools-virtual-lts-wily linux-cloud-tools-virtual-lts-wily

12.04
$ sudo apt-get install --install-recommends hv-kvp-daemon-init linux-tools-lts-trusty linux-cloud-tools-generic-lts-trusty

Rarely, a kernel update can do more harm than good. Last year in September, kernel 3.16.0.48 triggered network and I/O problems:

hv_netvsc vmbus_0_12 eth0: unable to send receive completion pkt (tid XXXX)...retrying 4

https://bugs.launchpad.net/ubuntu/+source/linux-lts-utopic/+bug/1491957

Automation

There is no sysprep equivalent in the Linux world, so how is it possible to spawn a VM without installing it from the DVD-ROM? There is a solution: most Linux distributions provide cloud images, OS images optimized for cloud hosting.

From Ubuntu: http://cloud-images.ubuntu.com/xenial/

It’s possible to use this version with Hyper-V. Then you have cloud-init, a tool used in OpenStack to enable cloud automation. In Hyper-V we cannot use cloud-init the way it is used in OpenStack; we need to rely on a CD-ROM to pass in the information.

You can check this sample on GitHub:

https://github.com/Microsoft/Virtualization-Documentation/blob/master/hyperv-samples/benarm-powershell/Ubuntu-VM-Build/BaseUbuntuBuild.ps1

You just need to remember that the user whose password is set by "password: $($GuestAdminPassword)" is ubuntu.

You can set up the IP address for the server:

instance-id: iid-abcdefg
network-interfaces: |
  auto lo
  iface lo inet loopback

  iface eth0 inet static
  address 192.168.10.10
  network 192.168.10.0
  netmask 255.255.255.0
  broadcast 192.168.10.255
  gateway 192.168.10.1
hostname: MyServer

Monday 9 May 2016

Measure Vm

Hyper-V 2012 introduced a set of PowerShell cmdlets that allow you to measure VM resource consumption: CPU, memory, network and storage. Metering data is stored inside the VM, so the data moves with the VM. The main purpose of VM resource metering is not to monitor the VM host, but to provide information on resources (CPU, network, memory, …) for reporting and billing, or to balance VMs with regard to resource capacity. By default, Hyper-V collects data every hour. This can be changed only at the host level; you can use a value between 1 hour and 24 hours.

///
PS> Set-VMHost -ComputerName HyperVHostName -ResourceMeteringSaveInterval 24:00:00
///


If you try to use less than one hour, PowerShell will not throw an error; instead the interval will be set to one hour. Each host in your environment should be set with the same interval. Remember that metering data is stored within the VM and will move with the VM.

///
PS> Set-VMHost -ComputerName host01,host02,…,host03 -ResourceMeteringSaveInterval 24:00:00
///


Now we must enable metering for each VM; again, metering data is stored within the VM. We don’t want to re-enable every VM, only the new ones.

///
PS> Get-VM -ComputerName host01,host02,…,host03 | ? ResourceMeteringEnabled -eq $false | Enable-VMResourceMetering
///

Now we can start collecting data.

///
PS> Get-VM | Measure-VM
///

[image: MeasureVM-part1.png]

AvgCpu measures the average CPU usage in MHz per hour. Why in MHz and not a percentage? Because VMs can move, and they can move between hosts with different CPU clock speeds. Metering data is stored in the VM, so a 10% CPU usage would not reflect the situation if the VM moved from a 2.5 GHz CPU server to a 2 GHz CPU server; a percentage makes no sense.

RAM: we have 3 measures, average, maximum and minimum memory used during the interval. If you don’t use dynamic memory, the 3 values are the same. TotalDisk is the disk allocation; it includes all snapshots. When using dynamic disks, it reports not the disk space used but the final disk size.

Network: external traffic is reported in MB, and only external traffic is reported by default. The system uses an ACL to measure traffic from and to 0.0.0.0/0.


Using

///
PS> Get-VM | Measure-VM | fl
///

you will get more data:
[image: MeasureVM-part2.png]

Since Windows 2012 R2 you also get some new metrics:

  • AggregatedAverageNormalizedIOPS: the average IOPS over a 20 s sample, not the actual measure.
  • AggregatedAverageLatency: the cumulated latency during a 20 s sample.
  • AggregatedDiskDataRead and AggregatedDiskDataWritten: the total data read or written during the metering duration.

In Windows 2016 only:

  • AggregatedNormalizedIOCount: the total I/O count during the metering duration.

Note that you also have a detailed network and hard drive report.

Now that we have all the data needed for billing and reporting, how do we use it? If you only have a single Hyper-V server with a few VMs you can simply use get-vm | Measure-VM | fl and phone the billing department. But if you only have one Hyper-V host there is some chance that you don’t have a billing department. You could use ConvertTo-Json; it works well if you use it with only one metering object:

///
PS> Measure-VM -Name xRPVM | ConvertTo-Json
///

But if you have more than one report in your object, you will not get the NetworkMeteredTrafficReport or the HardDiskMetrics. Instead you will get this: "Microsoft.HyperV.PowerShell.VMNetworkAdapterPortAclMeteringReport",
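An added example, not part of the original post, of one way to keep the nested reports: flatten each Measure-VM result into a plain object with the network totals summed per direction, then serialise with an explicit -Depth. The type-name string above is what ConvertTo-Json emits once its default depth of 2 is exceeded. The Hyper-V module is assumed and the host names are placeholders.

```powershell
# Added example: per-VM metering report with nested data preserved in JSON.
function Get-VMMeteringReport {
    param([string[]] $ComputerName = $env:COMPUTERNAME)

    foreach ($vm in Get-VM -ComputerName $ComputerName | Where-Object ResourceMeteringEnabled) {
        $m = Measure-VM -VM $vm
        $traffic = @($m.NetworkMeteredTrafficReport)

        # One entry exists per ACL and direction; sum them into two totals (MB).
        $inbound  = ($traffic | Where-Object Direction -eq 'Inbound'  | Measure-Object TotalTraffic -Sum).Sum
        $outbound = ($traffic | Where-Object Direction -eq 'Outbound' | Measure-Object TotalTraffic -Sum).Sum

        [pscustomobject]@{
            ComputerName      = $vm.ComputerName
            VMName            = $m.VMName
            MeteringDuration  = "$($m.MeteringDuration)"     # TimeSpan as text for the JSON
            AvgCpuMHz         = $m.AverageProcessorUsage
            AvgRamMB          = $m.AverageMemoryUsage
            MaxRamMB          = $m.MaximumMemoryUsage
            MinRamMB          = $m.MinimumMemoryUsage
            TotalDiskMB       = $m.TotalDiskAllocation
            NetworkInboundMB  = [int64]$inbound               # $null becomes 0 when no traffic
            NetworkOutboundMB = [int64]$outbound
            Network           = $traffic                      # detailed per-ACL report
            Disks             = @($m.HardDiskMetrics)         # per-VHD IOPS/latency, 2012 R2+
        }
    }
}

# Depth 4 is enough for object -> Network/Disks array -> report entry -> its properties;
# without it the nested reports collapse to their type name, as shown above.
Get-VMMeteringReport -ComputerName 'host01', 'host02' |
    ConvertTo-Json -Depth 4 |
    Set-Content -Path .\vm-metering.json
```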

You can find in my GitHub a sample to convert the data into a more readable format:

https://github.com/omiossec/Hyper-V-report/blob/master/measure.ps1

Monday 4 April 2016

Member, Powershell and Objects

A friend complained that he couldn’t get enough information about VMs in PowerShell. He checked all the documentation and went to Google and Bing with no luck. Going to TechNet to get information about a PowerShell cmdlet is OK, but there is a better way to do that. Get-Member returns all the properties and methods of an object, so you do not have to memorize all the TechNet and MSDN sites. So if you want to know all the properties associated with Get-VM you can run this:

Get-VM | Get-Member -MemberType Properties

[image: getVM_m.jpg]

It works for any object:

Get-VMSwitch | Get-Member -MemberType Properties

[image: get-vmSwitch.png]

And you will get more detail than a Google search page can give you, and maybe find true gems. [image: net-adapter.png]

Sunday 6 March 2016

Nat in Windows 2016 Hyper-v

Windows Server 2016 TP4 includes a NAT mode for the VM switch. Even if this feature is built for containers, you can use it for any VM. The NAT engine is part of the Windows core routing engine, and a NAT VM switch will have the same limits.

The process is very simple: create a VM switch in NAT mode and create a NAT policy in Windows.

$Subnet = "192.168.100.0/23"

New-VMSwitch -Name SwNat -SwitchType NAT -NatSubnetAddress $Subnet
New-NetNat -Name NatPolicy -InternalIPInterfaceAddressPrefix $Subnet

The NatSubnetAddress and InternalIPInterfaceAddressPrefix must be the same.

For now, it seems that you can only have one NAT policy with an internal IP interface. You will get an error if you already have a NAT policy, which is the case if you test containers on the same host.

If so, you can remove the NAT policy if you don’t want to use it:

Get-NetNat | Remove-NetNat

Or you can simply use it. In this case, the subnet is 172.16.0.0/12.

If you want more detail about NetNat you can use:

PS> Get-Command -Module NetNat

[image: get-command.png]

Get-NetNat gives you more detail about the NetNat object:
[image: get-netnat.png]

Get-NetNatExternalAddress will give you all the external addresses used in the NAT instance.

Now you can set up a VM and plug it into the NAT switch. You will need to use an IP address in the subnet 192.168.100.0/23; the default gateway is 192.168.100.1.

Check that you can access the Internet. Now you can map a service to your VM, a destination NAT:

Add-NetNatStaticMapping -NatName NatPolicy  -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 192.168.100.25 -InternalPort 80 -ExternalPort 80

This will create a destination mapping from everywhere to the VM with the IP 192.168.100.25, using the standard HTTP port.

The NAT feature is a good solution for a container host or a lab environment. With all these limitations, for anything else you should use a more robust tool: you can choose Sophos UTM in a VM, a Windows 2012 R2/2016 with RAS, or any other firewall/network virtual appliance.

Friday 4 March 2016

Something important about LBFO

If you use LBFO NIC teaming with a converged fabric on Windows 2012 R2, please read this:

Windows Supportability Team Blog, from Kaushik Ainapure

Change the load balancing mode to Hyper-V Port or Hash.

There is a patch: https://support.microsoft.com/en-us/kb/3137691

Tuesday 23 February 2016

Playing with VM-NetworkAdapter

Changing the VLAN setting for one adapter in a VM is simple. All you have to do is type something like this:

Set-VMNetworkAdapterVlan -VMName MySimpleVM -Access -VlanId 10

or

Get-VMNetworkAdapter -VMName MySimpleVM | Set-VMNetworkAdapterVlan -Access -VlanId 10

It’s the same with VMNetworkAdapterIsolation, VMNetworkAdapterRoutingDomainMapping and VMNetworkAdapterFailoverConfiguration.

But what happens if you have more than one adapter?

You will need to supply a VMNetworkAdapterName. If you have set up your VM from Hyper-V Manager, all adapters have the same name, “Network Adapter”. If you have VMM, it’s not a problem: you can rename your adapter in VMM.

If not, you will have to rename your adapter yourself.

First you will need to get the adapter MAC address:

get-vmnetworkadapter -vmname MySimpleVM | select switchname, macaddress

Here I use the switch name to identify the adapter, but you can also check the MAC address in Hyper-V Manager.

Then you can modify the adapter name:

get-vmnetworkadapter -vmname MySimpleVM | ?{$_.macaddress -eq "00155DXXXX11"} | Rename-VMNetworkAdapter -NewName MyNicPort

And now you can do whatever you want with your adapter:

Set-VMNetworkAdapterVlan -VMName MySimpleVM -VMNetworkAdapterName MyNicPort -Access -VlanId 10

Friday 5 February 2016

Create a Sophos XG firewall on Hyper-V

Like the UTM firewall, the Sophos XG firewall works as a VM on Hyper-V. There is an option to download a ready-to-run package, but there is a lack of documentation. The package, currently VI-SFOS_15.01.0.HYV-376.zip, contains 2 VHD files, PRIMARY-DISK.vhd and AUXILIARY-DISK.vhd. Upload these 2 files to a folder on your Hyper-V server and create a Generation 1 VM with the 2 disks attached to the first IDE controller. Select the amount of RAM (1 GB is the minimum) and the number of processors you need. Add at least 2 network cards, and remember that the first one will be the LAN and will be used for the initial setup.

New-VM -Name "XGDemo" -MemoryStartupBytes 1GB -Generation 1 -Path 'X:\SophosXG'
Set-VMProcessor -Count 2 -VMName "XGDemo"
Add-VMHardDiskDrive -VMName "XGDemo" -Path "X:\SophosXG\PRIMARY-DISK.vhd" -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0
Add-VMHardDiskDrive -VMName "XGDemo" -Path "X:\SophosXG\AUXILIARY-DISK.vhd" -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
Add-VMNetworkAdapter -VMName "XGDemo" -Name "LAN_NIC1" -SwitchName SetupLan
Add-VMNetworkAdapter -VMName "XGDemo" -Name "LAN_NIC2" -SwitchName LAN


Remember that the first NIC, LAN_NIC1, is the management port. The default IP for the management port is 172.16.16.16. This is a problem if 172.16.16.x is already your internal network. You need to be able to reach https://172.16.16.16:4444 to set up the firewall. The solution is to create a vSwitch, internal or external, to set up the firewall from the parent partition, from another VM or from an external network; if you need access from outside the hypervisor, be sure to have a dedicated NIC on the parent host and a dedicated network.

You can start the VM and once you get the setup message on the console (image: SophosXGSetup3.png), you can open your browser to set up your firewall (image: SophosXgFirewall).

Sunday 31 January 2016

Converged Fabric, Hyper-v Server and Mac confusion

Installing Hyper-V Server 2012 R2 is easy, and so is creating a converged fabric. A converged fabric (or hyper-converged fabric) is a single external vSwitch connected to a team or a net adapter, with multiple VM net adapters serving multiple roles (management, live migration). It's a good approach when using 10 Gbps adapters or for a lab.

Imagine the situation where you install your server via IPMI, create your converged fabric and add the management network adapter. There is a problem: Hyper-V uses the first IPv4 address on the server to build the range of MAC addresses for the virtual machines.

  • 00:15:5D for the Microsoft IEEE identifier
  • XX:XX corresponding to the last 2 octets of the first IPv4 address of the server
  • The last byte, from 00 to FF for each virtual adapter

But what happens if you don't have any IP address? Hyper-V will assign 00:15:5D:00:00:00, because Hyper-V Server wasn't able to create a valid range. It's not a problem for a single server, but if you have multiple servers connected to the same network you are in trouble, and if you use a converged fabric all your servers can end up with the same MAC for the management adapter.

You can avoid that by setting the MAC address range before creating your converged network.

PS>Set-VMHost -MacAddressMinimum 00155D020600 -MacAddressMaximum 00155D0206FF

And it's not a bad idea to change the default range anyway, using something like the server ID or serial number.
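As an added example (not from the original post), here is one way to derive that per-host range from the BIOS serial number: the serial is hashed, two bytes of the hash fill the XX:XX part of 00:15:5D:XX:XX:00-FF, and the range is only applied when the host still has the all-zero range described above. The function and parameter names are my own.

```powershell
function Get-HostMacRange {
    param(
        # Seed for the range; defaults to the BIOS serial number of this host
        [string]$Seed = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    )
    if ([string]::IsNullOrWhiteSpace($Seed)) {
        throw "No serial number available; pass -Seed explicitly (e.g. a server ID)."
    }
    # Hash the seed and keep two bytes for the middle of the MAC: 00:15:5D:XX:XX:..
    # (65536 possible values, so a collision between two hosts is unlikely but not impossible:
    # compare the ranges of all hosts on the same network once)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Seed))
    } finally {
        $sha.Dispose()
    }
    $middle = '{0:X2}{1:X2}' -f $hash[0], $hash[1]
    [pscustomobject]@{
        Seed              = $Seed
        MacAddressMinimum = "00155D${middle}00"
        MacAddressMaximum = "00155D${middle}FF"
    }
}

function Test-DefaultMacRange {
    # $true when the host still uses the broken range Hyper-V picks without an IPv4 address
    $vmhost = Get-VMHost
    return ($vmhost.MacAddressMinimum -eq '00155D000000')
}

# Apply the derived range before building the converged fabric
$range = Get-HostMacRange
if (Test-DefaultMacRange) {
    Set-VMHost -MacAddressMinimum $range.MacAddressMinimum -MacAddressMaximum $range.MacAddressMaximum
    Get-VMHost | Select-Object Name, MacAddressMinimum, MacAddressMaximum
} else {
    "Host already has a non-default range: $((Get-VMHost).MacAddressMinimum)"
}
```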

Using VMM bare metal deployment prevents this problem.

Saturday 30 January 2016

Azure Stack POC first preview

The Azure Stack preview is a single-computer environment: everything is installed on one server. There are a few things you should know before starting. How do you run this first preview?

First you need a server class computer.

  • CPU: 2 CPUs with at least 12 cores, 16 is better, with SLAT enabled
  • RAM: 128 Gb RAM
  • Role: Hyper-V enabled
  • NIC: no real specification for the NIC (they must be certified for Windows Server 2012 R2)
  • HDD: one drive for the system (at least 200 GB, 300 is better; the setup will put all its data here)
  • 4 HDDs for Azure Stack: these disks will be used for Storage Spaces

You need to install Windows Server 2016 TP4 Datacenter with all updates and the hotfix from https://support.microsoft.com/fr-fr/kb/3124262

You may have to

Only one port should be connected to a switch; it's better to disable all the other ports (the system will build a converged fabric on this port), and the port on the switch must be in access mode (you can use a trunk port, but then you will need to provide the VLAN ID during the setup). The server needs access to the Internet (at least http/https, with access to a DNS server).

It's better to have the NIC get an IP from a DHCP server. If not, you will need to manually set up a range for the network address translation component used for Azure Stack connectivity.

Be sure that no network in the subnets 192.168.200.0/24, 192.168.100.0/24 or 192.168.133.0/24 can be connected to the server. These are the network IDs used by the POC.

You will also need a valid Azure Active Directory account. That means a valid public Azure subscription (a free trial is ok).

Friday 29 January 2016

Azure Stack

Microsoft delivered the first Azure Stack preview on Friday 29/01. Azure Stack is the Microsoft IaaS and PaaS cloud platform with the same software-defined network, compute and storage technologies used in Azure. We will have the same portal and the same PowerShell commands as we have now in Azure. It will be delivered at the end of 2016. For the technical preview there are some requirements:

  • 2 CPU with at least 12 cores, 16 is better, with SLAT enabled
  • 128 Gb RAM
  • Hyper-V enabled
  • No real specification for the NIC (they must be certified for Windows Server 2012 R2)
  • One drive for the system
  • 4 HDD for Azure Stack:
      • they must have the same size and the same type
      • they must have a single path and the system should be able to assign them (pass-through mode or RAID 0)

The software-defined datacenter managed by Azure Stack will permit scaling on demand. Azure Stack Resource Manager communicates with providers, Hyper-V for compute, Storage Spaces for storage and Network Controller for network, to create services. There are already several templates available (https://github.com/Azure/AzureStack...). Azure uses JSON, so Azure Stack will do the same; time to learn JSON and DSC. You can check https://azure.microsoft.com/fr-fr/o...

And the webcast https://azure.microsoft.com/fr-fr/o... (on 3/2/2016)