The Soul of a Virtual Machine : Remote Access & Mgmt

SSL and Virtual Server

megand — Thu, 19 May 2005 02:29:00 GMT

Q: Rod has this question: "I recently made the switch over to Virtual Server 2005 from VMware. I love the web based interface but am having troubles with enabling SSL. Can I use SelfSSL from the IIS6 Reskit? Could I set up a CA in a virtual machine to create the website and VMRC SSL certificates? Any tips on securing the Admin website and VMRC?

A: Here's a response from Ed Reed, a developer on the Virtual Machine team, and our resident VM security expert:

For the Administration Website, there are no special requirements for an SSL certificate. As long as the certificate supports Server Authentication, it really doesn't matter where the certificate comes from. The choice of certificate, however, determines the level of security that SSL encryption can provide. Here are some links to relevant information:

Designing a Public Key Infrastructure:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b1ee9920-d7ef-4ce5-b63c-3661c72e0f0b.mspx
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Windows Server 2003 PKI Operations Guide: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
How to implement SSL with a stand-alone certificate server in Virtual Server 2005: http://support.microsoft.com/default.aspx?scid=kb;en-us;887490

The requirements are different, however, for VMRC. Because Virtual Server runs as NetworkService, you need to create the VMRC SSL certificate using the IVMVirtualServer::VMRCCreateEncryptionCertificateRequest COM interface. You can also create this certificate from the Administration Website on the Virtual Machine Remote Control (VMRC) Server Properties page. This request makes a temporary certificate that can be used to perform SSL encryption, however, it doesn't have the full security of a certificate signed by a third-party CA. If you use MAKECERT or some other tool, the private key is stored such that it is inaccessible to NetworkService. Such a certificate will not work for VMRC.

Announcing Virtual Server Deployment Manager (VSDM) 1.3.0

megand — Fri, 15 Apr 2005 20:32:00 GMT

Finally, this very cool tool created by Nelson Araujo is available as a free download from Microsoft (it was demo'd last year at TechEd in WINIL401). VSDM manages a virtual library of templates and ISO images and provides a streamlined way to manage and deploy virtual machines. Administrators can configure VSDM to allow non-administrators to create and manage their own machines without impacting other users' machines, or even being able to view them. This is a "must have" tool if you manage a large number of virtual machines or need to frequently recreate images based on a master image (template).

To download VSDM, go to http://www.microsoft.com/downloads/details.aspx?familyid=FF59C543-5107-42F6-9252-A8CDE3B53915&displaylang=en.

For lots of good information and support for using the tool, see Nelson's blog: http://blogs.msdn.com/nelson_araujo/archive/category/9970.aspx. For some draft installation instructions, see Paul Adare's blog: http://www.identit.ca/blogs/paul.

MOM report for evaluating virtualization candidates

megand — Fri, 15 Apr 2005 04:15:00 GMT

Chong Lee and Thomas Mathew -- Technology Specialists here at Microsoft -- are developing a report that you can load into Microsoft Operations Manager 2005 (MOM) to monitor the performance of physical computers that are candidates for virtualization. This report can help you determine which computers are good candidates for virtualization, and of those, which computers you can virtualize on the same hardware. This report will be available for download when it's complete. I'll let you know where you can get it. In the meantime, you can ask your TAM or account rep for a copy.

Click here to see a view of the report: http://megandavis.members.winisp.net/Resources/VS-Candidate-Report.JPG

Just released: Virtual Server Management Pack for MOM 2005

megand — Fri, 08 Apr 2005 01:26:00 GMT

This Management Pack is an add-on for Microsoft Operations Manager (MOM) 2005. It monitors the health, availability, and performance of Virtual Server. You can download it from the Microsoft Web site at: http://www.microsoft.com/downloads/details.aspx?FamilyId=B8BBF08F-134A-46CE-9D63-FB7EF5258059&displaylang=en.

Overview of the Virtual Server Management Pack
The Microsof Virtual Server 2005 section of the Virtual Server Management Pack monitors the performance and availability of Virtual Server and virtual machines. By detecting and providing alerts for critical events and performance indicators, this Management Pack helps you correct and prevent possible service outages. As a result, this Management Pack can play an important role in ensuring that Virtual Server and virtual machines are available and working correctly.

By using embedded expertise, this Management Pack provides alerts for performance, health, and availability conditions that indicate problems. In some cases it can even identify issues before they become critical, allowing you to maintain a high level of availability and performance for Virtual Server and your virtual machines. As a result, this Management Pack can reduce the cost of ownership by enabling proactive management and reducing resolution times for identified issues.

Virtual Server script repository

megand — Mon, 17 Jan 2005 21:49:00 GMT

You probably already know that Virtual Server provides a complete set of COM interfaces for programmatic management (see Start > All Programs > Microsoft Virtual Server > Virtual Server Programmer's Guide). But did you know about the Virtual Server script repository on TechNet? It contains sample scripts for tasks such as managing virtual hard disks, configuring Virtual Server and virtual machines, configuring security, and managing virtual networks.You can find the repository at http://www.microsoft.com/technet/scriptcenter/scripts/vs/default.mspx.

HP Webinar: Virtual Machine Management Pack

megand — Fri, 07 Jan 2005 02:17:00 GMT

HP is delivering a live Webinar on January 14, 2005 on Virtual Machine Management. Here's the description from HP: "Learn the advantages of virtual machine technology and understand how the Virtual Machine Management Pack allows you to manage and control the VMWare and Microsoft Virtual Server resources in your environment." To register, go to http://www.hpbroadband.com/program.cfm?key=Q91MTB88Y.

Can’t open the Virtual Server Administration Website

megand — Wed, 24 Nov 2004 00:03:00 GMT

(Updated to correct an error: You want to enable DCOM for Authenticated Users rather than Everyone.)

On Windows XP SP2, you may no longer be able to open the Administration Website, although you could before you installed Windows XP SP2. This is due to tighter security measures in Windows XP SP2. To fix the problem, either uninstall and reinstall Virtual Server, or else do the following:

Click "Start," click "Control Panel," and then double-click "Administrative Tools."
Double-click "Component Services."
Expand "Component Services", 'Computers," "My Computer,' and "DCOM Config."
Right-click the first instance of Virtual Server in the list, and then click "Properties."
On the "Security" tab, in "Launch Permissions" click "Edit."
Select "Authenticated Users" and then, next to "Launch Permission," select "Allow." If "Authenticated Users" doesn't appear in the list, you'll need to add it before you can take this step.

If you've installed (the currently pre-release version of) Windows Server 2003 SP1, the same issue may exist. If you can’t open the Administration Website locally, you can try configuring your LAN settings so that the proxy server is bypassed for the Administration Website URL, as follows.

In Internet Explorer, click "Tools" and then "Internet Options."
On the "Connections" tab, click "LAN Settings" and then "Advanced."
In "Exceptions," type the full URL of the Administration Website, and then click "OK."

You can also try changing the DCOM configuration, as for Windows XP SP2. The UI is slightly different, though:

Click "Start," point to "Administrative Tools," and then click "Component Services."
Expand "Component Services," "Computers," "My Computer," and "DCOM Config."
Right-click "Virtual Server" and then click "Properties."
On the "Security" tab, in "Launch and Activation Permissions" click "Edit."
Select "Authenticated Users" and then next to "Local Launch," select "Allow." If "Authenticated Users" doesn't appear in the list, you'll need to add it before you can take this step.
If you want to also allow remote DCOM, next to "Remote Launch," select "Allow."