Blog sobre assuntos IT Pro

Eventos sobre PHP e Open Source

Os últimos livros grátis referentes à celebração dos 25 anos da Microsoft Press

Viva,

O que é bom sempre acaba :)

Junho é o último mês onde a Microsoft Press oferece livros.

Se se interessa pelas comunicações unificadas, então não perca:

Programming for Unified Communications with Microsoft Office Communications Server 2007 R2
By Rui Maximo, Kurt De Ding, Vishwa Ranjan, Chris Mayo, Oscar Newkerk, and the Microsoft Office Communications Server team

Microsoft Office Communications Server 2007 R2 Resource Kit
By Rui Maximo, Rick Kingslan, Rajesh Ramanathan, and Nirav Kamdar with the Microsoft Office Communications Server Team

Tenha em conta o seguinte: A possibilidade para descarregar os livros expira no próximo dia 24 de Junho 09

Boas Leituras,

Sérgio Martinho

Lista de Software e Hardware compatível com Windows Server 2008

Viva,

Se está interessado em saber onde procurar pelo software e hardware oficialmente compatível com o Windows Server 2008, então é obrigatória a visita ao site: www.windowsservercatalog.com

Sérgio Martinho

Windows Server 2008 R2 - Licenciamento

Olá,

Gostaria de esclarecer uma questão em relação ao licenciamento do Windows Server 2008 R2.

Os clientes que tiverem Software Assurance (SA) vão ter direito à actualização para o Windows Server 2008 R2. Clientes que não tenham SA, terão de adquirir a nova licença do R2.

Consistente com o Windows Server 2003 R2, não há necessidade de novas CALs (Client Access Licensing) para os clientes que já tenham adquirido as CALs do Windows Server 2008 ou tenham SA nas CALs.

Em relação ao Windows Server 2008 R2:

Neste momento está em Release Candidate (RC), se estiver interessado, pode descarregar a RC seguindo este Link.

Iremos efectuar o lançamento em Portugal no último trimestre de 2009.

Obrigado,

Sérgio Martinho

Livros Grátis: Windows Server 2008 Terminal Services Resource kit e o The Practical Guide to Defect Prevention

Viva,

 A Microsoft Press, como forma de celebrar os seus 25 anos, volta a oferecer livros de grande interesse.

Desta vez são 2:

Windows Server 2008 Terminal Services Resource Kit, by Christa Anderson and Kristin L. Griffin with the Microsoft Presentation Hosted Desktop Virtualization Team

The Practical Guide to Defect Prevention, by Marc McDonald, Robert Musson, and Ross Smith

Atenção que estas ofertas expiram no dia 27 de Maio 2009.

Boas Leituras,

Sérgio Martinho

Disponibilização do Service Pack 2 (SP2) para o Microsoft Office system de 2007

Caros, 

A Microsoft disponibiliza hoje o Service Pack 2 (SP2) para o Microsoft Office system de 2007, com significativas optimizações na estabilidade, desempenho e interoperabilidade.

Estes melhoramentos incluem:

·         Optimizações de desempenho no Microsoft Office Outlook.

·         Suporte adicional aos formatos de ficheiro ODF, PDF e XPS.

As optimizações no SP2 vão beneficiar aplicações clientes e servidoras, podendo destacar-se as seguintes:

Programas Office Desktop

·         O Outlook 2007 SP2 é 26% mais rápido do que o seu predecessor num conjunto de tarefas habituais e ainda mais rápido (35%) com caixas de correio grandes.

·         Capacidade de desagrupar gráficos SmartArt® (e, como resultado, capacidade de os animar no PowerPoint)

·         Ferramenta que permite a desinstalação dos Service Packs do Office.

Servidores – desempenho e disponibilidade

·         O Microsoft Office SharePoint Server 2007 Service Pack 2 endereça um conjunto de questões a nível da segurança, desempenho e estabilidade nas areas de Enterprise Content Management, Search, Excel Services e Form Services.

·         Em conjunto com o cliente Office 2007, com o Service Pack 2 é possível gravar e abrir ficheiros em formato ODF directamente no SharePoint.

·         Finalmente, o Service Pack 2 disponibilizará diversas ferramentas novas para programadores que facilitam o processo de desenvolvimento no ambiente Office.

O artigo da Knowledge Base http://support.microsoft.com/kb/968170 inclui a lista completa das actualizações.

Os elementos da equipa de desenvolvimento do Office apresentam ainda um conjunto de informação interessante e relevante nos seguintes blogs:

·         Sustained Engineering blog – Uma visão pormenorizada do SP2

·         Office Interoperability blog, Doug Mahugh – Os formatos adicionais suportados pelo Office

·         Microsoft on the Issues blog – Discussão das opções de formatos de ficheiros

·         Gray Matter, Gray Knowlton – A perspectiva para a comunidade de desenvolvimento

Onde é que se pode obter o Service Pack 2?

O SP2 pode ser descarregado a partir de http://www.microsoft.com/downloads/details.aspx?FamilyID=b444bf18-79ea-46c6-8a81-9db49b4ab6e5, o qual será também disponibilizado através do Microsoft Update no prazo máximo de 3 meses.

Um obrigado especial ao Henrique Carreiro pela disponibilização desta informação

Sérgio Martinho

Livro grátis: Windows Small Business Server 2008 Administrator´s Companion

A Microsoft Press está a comemorar os 25 anos e como forma de celebrar a ocasião, está a oferecer o livro "Windows Small Business Server 2008 Administrator´s Companion".

Para ter acesso ao livro terá simplesmente que seguir este link: http://csna01.libredigital.com/?urws8un4p7 

Atenção que esta oferta é somente válida até ao dia 22 de Abril 2009. 

São 719 páginas de conteúdo muito interessante para todos os que se interessam pelo Small Business Server, especialmente pela última versão, a 2008.

Boas leituras!

Sérgio Martinho

Microsoft Virtualization Fundamentals Web Seminar Series

Que a Virtualização veio para ficar, julgo que não seja uma novidade para ninguém.

O interessante é a relação inversamente proporcional que existe nesta área.

Eu explico.

Quanto maior a facilidade que apresentamos ao utilizador final, maior é a dificuldade / complexidade que existe na respectiva infra-estrutura.

Para facilitar a compreensão deste vasto universo, gostaria de partilhar convosco recursos de grande interesse, são web seminars, ou seja recursos que pode ser consumidos via web, ao ritmo que entenderem.

http://www.msdev.com/Directory/SeriesDescription.aspx?CourseId=82 é o sítio a visitar. 

Aconselho começarem pelo: Microsoft Virtualization Fundamentals Series Part 1: Overview of the Microsoft Virtualization Vision

Nesta sessão é explicada a visão da Microsoft para área da Virtualização. O que é a Virtualização, o que pode e deve ser virtualizado, são 40mn que vale a pena investir.

A parte 2, entra em mais pormenor: Microsoft Virtualization Fundamentals Series Part 2: Introduction to Server Virtualization (Usage Scenarios) especialmente porque fala sobre os produtos para a virtualização na área do servidor.

A parte 3 dedica-se à virtualização da aplicação, onde são referidos alguns cenários de utilização: Microsoft Virtualization Fundamentals Series Part 3: Introduction to Application Virtualization (Usage Scenarios)

Na parte 4, os cenários utilizados são os da Virtualização da apresentação: Microsoft Virtualization Fundamentals Series Part 4: Introduction to Presentation Virtualization (Usage Scenarios)

Se o se interessa pela parte da arquitectura, não deixe de ver a parte 5: Microsoft Virtualization Fundamentals Series Part 5: Server Virtualization Architecture

Nem a parte 6: Microsoft Virtualization Fundamentals Series Part 6: Application Virtualization Architecture

Muito menos a parte 8 que compara o Hyper-V com VMware: Microsoft Virtualization Fundamentals Series Part 8: Comparing Hyper-V and VMWare

Eu achei estes recursos de grande valor, se concordar comigo, partilhe a sua opinião, se não concordar... partilhe na mesma! J

Sérgio Martinho

Livro grátis: Understanding Microsoft Virtualization Solutions

Viva,

Apenas para chamar a atenção para o facto que é possivel efectuar o download do livro "Understanding Microsoft Virtualization Solutions ".

É um e-book de 15Mb, bastante abrangente, com mais de 400 páginas.

Cobre todas as tecnologias de Virtualização da Microsoft, incluíndo as últimas novidades como o Microsoft Desktop Virtualization (MED-V) e o VDI.

O livro em questão cobre também o modelo Core Infraestructure Optimization;  como a implementação  das tecnologias de virtualização poderá ajudar a organização a ter uma infra-estrutura mais eficaz, mais dinâmica.

Para obter o livro, deverá seguir este link: http://csna01.libredigital.com/?urmvs17u33

Uma vez autenticado utilizando o Passport / Live ID, os únicos campos requeridos para o registo, são os seguintes:Nome, País, endereço de correio electrónico.

Sinopse:

Como fazer para analisar o desempenho do Hyper-V?

Viva,

Por vezes é necessário recolher dados para análise de desempenho do Hyper-V.

Se tem esta necessidade, poderá utilizar os performance counters do sistema operativo.

Existe um documento bastante interessante que tem uma secção dedicada a este tema: "Optimizing Performance on Hyper-V".

O documento em questão, apesar de estar focado na análise de desempenho do BizTalk, pode ser facilmente extrapolado para outros cenários.

Poderá encontra-lo seguindo este link:

http://msdn.microsoft.com/en-us/library/cc768535.aspx

Measuring Performance on Hyper-V

While most of the principles of analyzing performance of a guest operating system installed on a Hyper-V virtual machine performance are the same as analyzing the performance of an operating system installed on a physical machine, many of the collection methods are different. The following considerations are significant when evaluating performance of your BizTalk Server solution running on a guest operating system installed on a Hyper-V virtual machine.

 Measuring Disk I/O Performance

The following considerations apply when measuring disk I/O performance on a guest operating system installed on a Hyper-V virtual machine:

• Measure disk latency on a Hyper-V host operating system – The best initial indicator of disk performance on a Hyper-V host operating system is obtained by using the “\Logical Disk(*)\Avg. sec/Read” and “\Logical Disk(*)\Avg. sec/Write” performance monitor counters. These performance monitor counters measure the amount of time that read and write operations take to respond to the operating system. As a general rule of thumb, average response times greater than 15ms are considered sub-optimal. This is based on the typical seek time of a single 7200 RPM disk drive without cache. The use of logical disk versus physical disk performance monitor counters is recommended because Windows applications and services utilize logical drives represented as drive letters wherein the physical disk (LUN) presented to the operating system can be comprised of multiple physical disk drives in a disk array. Use the following rule of thumb when measuring disk latency on the Hyper-V host operating system using the \Logical Disk(*)\Avg. Disk sec/Read or \Logical Disk(*)\Avg. Disk sec/Write performance monitor counters:

·         1ms to 15ms = Healthy

·         15ms to 25ms = Warning or Monitor

·         26ms or greater = Critical, performance will be adversely affected

• Measure disk latency on guest operating systems – Response times of the disks used by the guest operating systems can be measured using the same performance monitor counters used to measure response times of the disks used by the Hyper-V host operating system.

For more information about disk performance analysis, see the following resources:

• Ruling Out Disk-Bound Problems at http://go.microsoft.com/fwlink/?LinkId=120947.
• SQL Server Predeployment I/O Best Practices at http://go.microsoft.com/fwlink/?LinkId=120948.
• How to Identify a Disk Performance Bottleneck Using the Microsoft Server Performance Advisor (SPA) Tool at http://go.microsoft.com/fwlink/?LinkID=98096.

 Measuring Memory Performance

Use the following performance monitor counters to measure the impact of available memory on the performance of a guest operating system installed on a Hyper-V virtual machine:

• Measure available memory on the Hyper-V host operating system – The amount of physical memory available to the Hyper-V host operating system can be determined by monitoring the “\Memory\Available MBytes” performance monitor counter on the physical computer. This counter reports the amount of free physical memory available to the host operating system. Use the following rules of thumb when evaluating available physical memory available to the host operating system:

·         \Memory\Available Mbytes – Available MBytes measures the amount of physical memory available to processes running on the computer, as a percentage of physical memory installed on the computer. The following guidelines apply when measuring the value of this performance monitor counter:

·         50% of free memory available or more = Healthy

·         25% of free memory available = Monitor

·         10% of free memory available = Warning

·         Less than 5% of free memory available = Critical, performance will be adversely affected

·         \Memory\Pages/sec – This performance monitor counter measures the rate at which pages are read from or written to disk to resolve hard page faults. To resolve hard page faults, the operating system must swap the contents of memory to disk, which negatively impacts performance. A high number of pages per second in correlation with low available physical memory may indicate a lack of physical memory. The following guidelines apply when measuring the value of this performance monitor counter:

·         Less than 500 = Healthy

·         500 - 1000 = Monitor or Caution

·         Greater than 1000 = Critical, performance will be adversely affected

For more information about the impact of available physical memory on application server performance, see the Exchange Server 2003 Help topic “Ruling Out Memory-Bound Problems” at http://go.microsoft.com/fwlink/?LinkId=121056.

• Measure available memory on the guest operating system – Memory that is available to the guest operating systems can be measured with the same performance monitor counters used to measure memory available to the Hyper-V host operating system.

 Measuring Network Performance

Hyper-V allows guest computers to share the same physical network adapter. While this helps to consolidate hardware, take care not to saturate the physical adapter. Use the following methods to ensure the health of the network used by the Hyper-V virtual machines:

• Test network latency – Ping each virtual machine to ensure adequate network latency. On local area networks, expect to receive less than 1ms response times.
• Test for packet loss – Use the pathping.exe utility to test packet loss between virtual machines. Pathping.exe measures packet loss on the network and is available with all versions of Windows Server since Windows Server 2000. Pathping.exe sends out a burst of 100 ping requests to each network node and calculates how many pings are returned. On local area networks there should be no loss of ping requests from the pathping.exe utility.
• Test network file transfers – Copy a 100MB file between virtual machines and measure the length of time required to complete the copy. On a healthy 100Mbit (megabit) network, a 100MB (megabyte) file should copy in 10 to 20 seconds. On a healthy 1Gbit network, a 100MB file should copy in about 3 to 5 seconds. Copy times outside of these parameters are indicative of a network problem. One common cause of poor network transfers occurs when the network adapter has “auto detected” a 10MB half-duplex network which prevents the network adapter from taking full advantage of available bandwidth.
• Measure network utilization on the Hyper-V host operating system – Use the following performance monitor counters to measure network utilization on the Hyper-V host operating system:

·         \Network Interface(*)\Bytes Total/sec – The percentage of network utilization is calculated by multiplying Bytes Total/sec by 8 to convert it to bits, multiply the result by 100, then divide by the network adapter’s current bandwidth. Use the following thresholds to evaluate network bandwidth utilization:

·         Less than 40% of the interface consumed = Healthy

·         41%-64% of the interface consumed = Monitor or Caution

·         65-100% of the interface consumed = Critical, performance will be adversely affected

·         \Network Interface(*)\Output Queue Length – The output queue length measures the number of threads waiting on the network adapter. If there are more than 2 threads waiting on the network adapter, then the network may be a bottleneck. Common causes of this are poor network latency and/or high collision rates on the network. Use the following thresholds to evaluate output queue length:

·         0 = Healthy

·         1-2 = Monitor or Caution

·         Greater than 2 = Critical, performance will be adversely affected.

Ensure that the network adapters for all computers (physical and virtual) in the solution are configured to use the same value for maximum transmission unit (MTU). For more information about configuring the MTU value see “Appendix A: TCP/IP Configuration Parameters” at http://go.microsoft.com/fwlink/?LinkId=113716.
If an output queue length of 2 or more is measured, consider adding one or more physical network adapters to the physical computer that hosts the virtual machines and bind the network adapters used by the guest operating systems to these physical network adapters.

• Measure network utilization on the guest operating systems – If a network adapter on the Hyper-V root partition is busy as indicated by the performance monitor counters mentioned above, then consider using the "\Hyper-V Virtual Network Adapter(*)\Bytes/sec" performance monitor counter to identify which virtual network adapters are consuming the most network utilization.

For more information about network performance analysis, see “Chapter 15 - Measuring .NET Application Performance” at http://go.microsoft.com/fwlink/?LinkId=121073.

 Measuring Processor Performance

The following considerations apply when evaluating processor performance on a guest operating system installed on a Hyper-V virtual machine:

• Guest operating system processors do not have a set affinity to physical processors/cores – The hypervisor determines how physical resources are used. In the case of processor utilization, the hypervisor schedules the guest processor time to physical processor in the form of threads. This means the processor load of virtual machines will be spread across the processors of the physical computer. Furthermore, virtual machines cannot exceed the processor utilization of the configured number of logical processors, for example if a single virtual machine is configured to run with 2 logical processors on a physical computer with 8 processors/cores, then the virtual machine cannot exceed the processor capacity of the number of configured logical processors (in this case 2 processors).
• Measure guest operating system processor utilization – Traditionally, processor performance can be measured using the “\Processor(*)\% Processor Time” performance monitor counter. This is not an accurate counter for evaluating processor utilization of a guest operating system though because Hyper-V measures and reports this value relative to the number of processors allocated to the virtual machine. If more processors are allocated to running virtual machines than are actually present on the physical computer, the value returned by each guest operating system for the “\Processor(*)\% Processor Time” performance monitor counter will be low, even if in fact processor utilization is a bottleneck. This occurs because the virtual processors utilize the physical processors in a round-robin fashion. Each virtual processor will try and allocate itself a share of overall system resources, so in a 4 physical processor system, each virtual processor will by default try to utilize 25% of the system resources. If 8 virtual processors are created this means that collectively the virtual processors will attempt to utilize 200% of the server CPU capacity. In this case, each virtual processor will report a low utilization as measured by the “\Processor(*)\% Processor Time” performance monitor counter (relative to the level it expects) and the excessive context switching between the virtual processors will result in poor performance for each virtual machine. In this scenario, consider reducing the number of virtual processors allocated to Hyper-V virtual machines on the host operating system.
  Hyper-V provides hypervisor performance objects to monitor the performance of both logical and virtual processors. A logical processor correlates directly to the number of processors or cores that are installed on the physical computer. For example, 2 quad core processors installed on the physical computer would correlate to 8 logical processors. Virtual processors are what the virtual machines actually use, and all execution in the root and child partitions occurs in virtual processors.
  To accurately measure the processor utilization of a guest operating system, use the “\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time” performance monitor counter on the Hyper-V host operating system. Use the following thresholds to evaluate guest operating system processor utilization using the “\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time” performance monitor counter:

·         Less than 60% consumed = Healthy

·         60% - 89% consumed = Monitor or Caution

·         90% - 100% consumed = Critical, performance will be adversely affected

To troubleshoot processor performance of guest operating systems on a Hyper-V environment, it is best to strive for a balance between the values reported by the host operating system for “\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time” (LPTR) and “\Hyper-V Hypervisor Virtual Processor(_Total)\% Total Run Time” (VPTR). If LPTR is high and VPTR is low then verify that there are not more processors allocated to virtual machines than are physically available on the physical computer. Use the “\Hyper-V Hypervisor Virtual Processor(*)\%Guest Run Time” counters to determine which virtual Processors are consuming CPU and de-allocate virtual processors from virtual machines as appropriate to configure a one to one mapping of virtual processors to logical processors. For more information about configuring a one to one mapping of virtual processors to logical processors see the “Optmizing Processor Performance” section in Optimizing Performance on Hyper-V. If VPTR is high and LPTR is low then consider allocating additional processors to virtual machines if there are available logical processors and if additional processors are supported by the guest operating system. In the case where VPTR is high, LPTR is low, there are available logical processors to allocate, but additional processors are not supported by the guest operating system, consider scaling out by adding additional virtual machines to the physical computer and allocating available processors to these virtual machines. In the case where both VPTR and LPTR are high, the configuration is pushing the limits of the physical computer and should consider scaling out by adding another physical computer and additional Hyper-V virtual machines to the environment. The flowchart below describes the process that should be used when troubleshooting processor performance in a Hyper-V environment.

Troubleshooting CPU performance in a Hyper-V Environment

• Measure overall processor utilization of the Hyper-V environment using Hyper-V performance monitor counters – For purposes of measuring processor utilization, the host operating system is logically viewed as just another guest operating system. Therefore, the “\Processor(*)\% Processor Time” monitor counter measures the processor utilization of the host operating system only. To measure total physical processor utilization of the host operating system and all guest operating systems, use the “\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time” performance monitor counter. This counter measures the total percentage of time spent by the processor running the both the host operating system and all guest operating systems. Use the following thresholds to evaluate overall processor utilization of the Hyper-V environment using the “\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time” performance monitor counter:

·         Less than 60% consumed = Healthy

·         60% - 89% consumed = Monitor or Caution

·         90% - 100% consumed = Critical, performance will be adversely affected

For more information about processor utilization review the following resources:

• “How To: Identify Functions causing a High User-mode CPU Bottleneck for Server Applications in a Production Environment” at http://go.microsoft.com/fwlink/?LinkID=107047.
• “Chapter 15 - Measuring .NET Application Performance” at http://go.microsoft.com/fwlink/?LinkId=121073.

Apresentação Microsoft = Segurança?

Viva,

No dia 19 de Novembro irei estar em Coimbra, na 4ª Conferência Nacional sobre Segurança Informática nas Organizações, SINO 2008.

Esta conferência vai decorrer no Auditório da Faculdade de Ciências e Tecnologia

Pólo II da Universidade de Coimbra.

PROGRAMA:

Registo (9.00-9.30)

Abertura e Apresentação Convidada (9.30-10.30)

• Abertura

João Gabriel Silva, Presidente da FCTUC

• Microsoft = segurança?

Sérgio Martinho, Microsoft

Coffee break (10.30-11.00)

Sessão Técnica I (11.00-12.30)

Chair: Paulo Sousa

• A Token-based Reputation Framework

Ricardo Godinho, IST–Taguspark

Carlos Ribeiro, IST–Taguspark

• Nonius, o Nível de Segurança da Internet Portuguesa

Francisco Rente, CERT-IPN

Mário Rela, Universidade de Coimbra

Hugo Trovão, CERT-IPN

Sérgio Alves, CERT-IPN

• Segurança em Redes de Acesso Triple-Play

Tiago Cruz, Universidade de Coimbra

Thiago Leite, Universidade de Coimbra

Patrício Baptista, Universidade de Coimbra

Rui Vilão, Universidade de Coimbra

Paulo Simões, Universidade de Coimbra

Fernando Bastos, PT Inovação

Edmundo Monteiro, Universidade de Coimbra

Almoço (12.30-14.00)

Apresentações Convidadas (14.00-15.30)

Chair: Paulo Simões

• Segurança e Disponibilidade através de Resiliência Proactiva

Paulo Sousa, LaSIGE – Faculdade de Ciências da Univ. de Lisboa

• Detecção de Tráfego Peer-to-Peer Encriptado

Mário Freire, Universidade da Beira Interior

Coffee break (15.30-16.00)

Sessão Técnica II (16.00-17.30)

Chair: Henrique Santos

• Towards Intrusion-Tolerant Process Control Software

Hugo Ortiz, LaSIGE – Faculdade de Ciências da Universidade de Lisboa

Paulo Sousa, LaSIGE – Faculdade de Ciências da Univ. de Lisboa

Paulo Veríssimo, LaSIGE – Faculdade de Ciências da Universidade de Lisboa

• Democratizando a Filtragem e Bloqueio de Conteúdos Web

Filipe Pires, ESTCB - Instituto Politécnico de Castelo Branco

Alexandre Fonte, ESTCB - Instituto Politécnico de Castelo Branco

Vasco Soares, ESTCB - Instituto Politécnico de Castelo Branco

• A Evolução do Parâmetro de Hurst e a Destruição da Auto-Semelhança Durante um Ataque de Rede Intenso

Pedro R. M. Inácio, Univ. da Beira Interior e Nokia Siemens Networks

Mário M. Freire, Universidade da Beira Interior

Manuela Pereira, Universidade da Beira Interior

Paulo P. Monteiro, NSN e IT-Aveiro

Best Paper Award e Encerramento (17.30)

            Paulo Simões, Universidade de Coimbra

Edmundo Monteiro, Universidade de Coimbra

Após a apresentação, irei colocar aqui o deck de slides que suportou a sessão.

System Center Virtual Machine Manager 2008 já entrou em produção!

Viva,

O System Center Virtual Machine Manager 2008 já entrou em produção!

É verdade, desde o dia 21 de Outubro que o System Center Virtual Machine Manager 2008 (VMM 2008) está disponível para ajudar os nossos profissionais de TI a tirar o melhor partido dos seus ambientes virtualizados.

O que é o VMM 2008?

É uma solução de gestão da família System Center, especialmente desenhada para gerir ambientes virtualizados.

Principais características:

Através de uma única consola permite a gestão centralizada da infra-estrutura das máquinas virtuais, aumentando por isso a utilização do servidor físico.

Aprovisionamento rápido de máquinas virtuais.

Optimização do desempenho e recursos sejam eles hardware, sistemas operativos ou aplicações.

Onde ir para saber mais sobre o VMM:

Descrição geral: http://technet.microsoft.com/pt-br/library/cc764267(en-us).aspx

O que há de novo: http://technet.microsoft.com/pt-br/library/cc764316(en-us).aspx

Requisitos de sistema: http://technet.microsoft.com/pt-br/library/cc764328(en-us).aspx

Descarregar a versão de teste: http://www.microsoft.com/downloads/details.aspx?FamilyId=ED012990-6E86-4B43-9842-DA5C02FF1C83&displaylang=en

Como fazer para migrar para a versão VMM 2008: http://technet.microsoft.com/pt-br/library/cc764337(en-us).aspx

Sérgio Martinho

Webcasts: Windows Small Business Server 2008 e Windows Essential Business Server 2008

Prepare-se para o Windows Essential Server Solutions!

Dentro em breve a Microsoft volta a inovar no nosso mercado!

Dentro em breve iremos ter não uma mas duas ofertas especialmente criadas para sermos mais assertivos no nosso tecido empresarial.

Iremos ter uma oferta para empresas que tipicamente não tem pessoal IT dedicado, normalmente nestas empresas existem 75 ou menos PCs.

A outra oferta é para aquelas empresas que estão com 250 PC´s ou  menos.  

Segundo o estudo do Instituto Nacional de Estatística, empresas em Portugal – 2006, ano de edição 2008 (http://www.ine.pt/xportal/xmain?xpid=INE&xpgid=ine_publicacoes&PUBLICACOESpub_boui=375351&PUBLICACOESmodo=2 ) 99,99% das empresas Portuguesas têm 249 ou menos pessoas ao serviço.

No dia 12 de Novembro de 2008 a Microsoft Portugal irá estar alinhada com o lançamento mundial destas duas ofertas:

O Windows Small Business Server 2008 e o Windows Essential Business Server 2008.

Porquê a nossa aposta nestas áreas?

Porque queremos que este tipo de empresas tenha acesso facilitado à tecnologia de ponta na parte dos sistemas de informação. Sabemos que o mercado é extraordinariamente dinâmico e as PME´s têm crescentes necessidades a este nível.

Os nossos clientes necessitam de proteger os dados contra falhas, acidentes e ataques porque hoje em dia, mesmo as empresas mais pequenas necessitam de estar online, porque o seu negócio assim o exige, mas estar online sem a devida segurança é algo que está completamente fora de questão. Estas empresas cada vez mais terão de se focar em encontrar novos clientes e para isso necessitam que os sistemas de informação as ajudem a usar melhor a informação para que essa informação seja facilmente transformada no conhecimento que faça a diferença.

Como se costuma dizer, onde há dois, há escolha, por isso, a questão premente que se coloca logo inicialmente é: Qual das soluções escolher?

O Windows Small Business Server 2008 deverá ser escolhido se o cliente tiver 50 ou menos PC´s.

Esta oferta foi desenhada para empresas sem profissionais de TI dedicados, onde a administração foi simplificada ao máximo, sem no entanto existir a perca das funcionalidades essenciais críticas a este tipo de empresas.

O Windows Small Business Server 2008 poderá servir de base, como o investimento certo pronto a crescer, porque rentabiliza o investimento existente se for necessário evoluir para uma plataforma tecnicamente mais avançada: o Windows Essential Business Server 2008. O WESS 2008 foi desenhado para empresas que já tem nos seus quadros profissionais de TI. Nesta oferta foi data especial atenção à administração centralizada, tipicamente a ser utilizado para empresas com 250 ou menos PC´s.

Estão desde já convidados a estar presentes nas seguintes webcasts:

Sérgio Martinho

ISA Server e Hyper-V: Considerações de segurança

Viva,

Tendo em conta que o a virtualização é algo que veio para ficar, convém estar a par das implicações do processo de virtualização em múltiplas vertentes.

A da segurança, nomeadamente segurança perimétrica é uma delas.

Foi publicado no Technet um artigo muito bom acerca deste tema.

Published: August 2008

Authors:

Jim Harrison, Program Manager, ISA SE

Gershon Levitz, Program Manager, Forefront Edge

 

Technical Reviewers:

Yuri Diogenes; CSS Security Support Engineer

Mohit Saxena; CSS Security Technical Lead

Virtualization of server workloads has become an increasingly popular method for making more efficient use of computer hardware and the supporting infrastructure. Virtualization provides many advantages to the data center administrator, while necessarily changing the way they create and manage their deployments. Server application virtualization is a more difficult undertaking due to the complexity of properly allocating the hardware across multiple server workloads. Combining applications which cannot coexist on a single machine across multiple Child partitions within the same host presents unique sizing and security challenges as well. Likewise, resulting network virtualization and the potential for multiple simultaneous server failures when the Parent partition fails presents unique security and availability problems.

This article will provide specific guidelines for deploying Microsoft ISA Server and Microsoft Forefront TMG within hardware virtualization. We strongly recommend that you also become familiar with deployment and best practices documents provided in the References section.

 Supported Virtual Environments

Microsoft ISA Server and Forefront TMG are supported on hardware virtualization in accordance with the following programs:

• Microsoft Support Lifecycle
  
• Microsoft ISA Server system requirements
  
• Forefront TMG system requirements
  
• Microsoft Server Virtualization Validation Program (SVVP)
  
• Support Policy for Microsoft software running on non-Microsoft hardware virtualization software
  

For example, if a hardware virtualization platform is listed as ”validated” with the SVVP (not “under evaluation”), Microsoft ISA Server and Forefront TMG will be supported for production use on that platform within the limits prescribed in the Microsoft Product Support Lifecycle, Non-Microsoft hardware virtualization policies and the system requirements for that product version and edition.

For hardware virtualization platforms not listed with the SVVP, Microsoft ISA Server and Forefront TMG are supported in accordance with remaining Microsoft support policies, limited as follows:

• Desktop virtualization, such as Microsoft Virtual PC or similar 3rd-party product: supported for demonstration and educational use only
  
• Server Virtualization, such as Microsoft Virtual Server or similar 3rd-party product: supported, but not recommended for production use
  

Important:
as stated in MSKB 897615, Microsoft support engineers may request that a customer reproduce a reported problem on real hardware or within an SVVP-listed hardware virtualization platform before continuing with the case. If the problem cannot be reproduced in hardware or on SVVP-listed server virtualization product of similar class, the case may be deferred to the 3rd-party vendor product support.

 Deployment Planning

The primary deployment criteria for any edge protection deployment must be security, stability and performance. Defining the priority of each of these is a task that has to incorporate deep analysis of the organization’s line-of-business (LOB) application requirements, general and network security needs as well as any regulatory compliance. Although it is not possible to address all possible scenarios, this whitepaper will outline the critical points for the most common deployments.

It is an inalterable fact that due to resource sharing among virtual machines, a server application operating on dedicated hardware will perform better than the same application operating in a virtualized environment of near-identical characteristics (same number of the same class CPU, same memory, etc.). For instance, a traffic processing load that would bring a hardware-based ISA to 80% CPU may well produce a denial-of-service (DoS) state for a similarly-configured virtual ISA Server or where the virtual parent is simply overtasked due to the total Child partition workload and resource bottlenecks created by sibling Child partitions.

What this means to the engineer who is tasked with virtualizing their server applications is that in many cases, the resource allocations for a particular application may have to be expanded to account for the resource sharing incurred in a virtual machine. Exactly how much expansion is required can only be determined through testing on the planned virtual deployment.

Likewise, data center management processes must be re-examined and redefined to accommodate the problems that will arise when human, software or hardware error causes the loss of multiple Child partitions within a Parent partition. This condition not only represents a more significant business operational impact, but also a potential security issue if the ISA Server or Forefront TMG represents one of the now-unavailable Child partitions.

Define the Traffic profile

Although this process is no different for virtual vs. hardware deployments, it is much more important since the resource requirements of one Child partition will impact those available to other partitions operating on the virtual host; especially the Parent partition.

Until the traffic profile aspect of the deployment plan is clearly understood, the performance and security requirements for ISA Server and Forefront TMG cannot be accurately determined, evaluated, or satisfied. MSKB 832017 defines the traffic profiles for most Windows-based or Microsoft-built applications including ISA Server itself, but it does not define the traffic profile for non-Microsoft products. Certain assumptions are safely made in many cases; a mail server will use common mail protocols, such as SMTP, POP3, IMAP or even HTTP(s) if it provides webmail services. If you intend to use ISA Server or Forefront TMG to control custom application traffic, you may need to seek this information from the product vendor. In some cases, you may need to experiment with the application and use a network analysis tool to sort this out.

Once the traffic profile has been determined, the next step is to determine traffic load in the context of each application or service. This step is also critical in order to accurately predict its impact on ISA Server or Forefront TMG performance and the overall network capacity. You may need to perform some traffic flow analysis in your current deployment to understand the present traffic load and thus predict how this will change as your organization and its traffic needs evolve.

Best Practices:

1. Where possible, pass traffic through a Child partition running ISA Server or Forefront TMG. This will help you control traffic between networks and detect attacks from local and remote hosts, virtual and physical
   
2. Avoid the use of “allow all” rules. If your application vendor cannot clearly define the traffic profile for you, some time spent with your favorite network capture tool can be of use.
   
3. Restrict RPC and DCOM to specific ports. By default, RPC and DCOM will use whatever ephemeral ports are available when the related server application starts up and request connections or sockets. By limiting the range of ports available to them, you can also limit your acceptable traffic profile.
   

Define the Security Boundaries

There are multiple aspects to this process and while there are a few basic rules, you must involve all of the security, networking, application and regulatory managers in the decision process. It may well be that for all your technical determination and analysis; a regulatory compliance requirement can prevent you from deploying application X as a Child partition alongside application Y on a Child partition on the same virtual host.

Application security

You should avoid mixing virtual applications or servers of differing security contexts within a single Parent partition; especially when one or more of them face the network edge. Protecting your Exchange server becomes much more difficult when the adjacent Child partitions or (worse yet) the Parent partition is hosting a game server. This is another place where ISA or TMG can offer protection between hosts. Because Child partitions on separate parents are effectively on separate networks, you can potentially use ISA or TMG to isolate those applications and achieve greater overall security than if they were deployed on dedicated hardware.

Best Practices:

1. Install Windows Server 2008 Core on the parent. This limits the attack surface and patching requirements to the bare minimum. Since Windows 2008 Core does not support applications which rely on Windows UI mechanisms, this will help prevent installation of non-essential applications on the Parent partition
   
2. Each Child partition on a specific Parent partition should be of near-identical security. For instance, the Exchange and SharePoint Child partitions that user access from the Internet should meet the same security and access requirements as much as possible. You cannot satisfy this if you deploy your Exchange and SharePoint servers and game servers as Child partitions on the same Parent partition.
   
3. The Parent partition must be up-to-date on patches. A vulnerability of the parent translates to a potential vulnerability on each and every guest it hosts.
   
4. Each Child partition must be up to date on patches. While an unpatched Child partition not generally as threatening as an unpatched Parent partition, if a compromised Child partition has access to the Parent partition, it may be able to mount an attack on the parent and thus poses a potential threat to all guests; regardless of their vulnerability to that particular threat or their network proximity to the compromised Child partition.
   
5. DO NOT use the Parent partition as a workstation. The fewer applications that are installed and running on the parent, the smaller the attack surface it presents. If you install Windows Server 2008 Core on the parent, this threat is much better mitigated.
   
6. Restrict access and management of the parent partition. As detailed later, the accounts with management access to the Parent partition effectively have full control over any and all Child partitions.
   
7. Use a TPM-based parent partition with BitLocker. The deeper you can enforce access controls to the Parent partition, the better protection you afford the Child partitions.
   

Network security

Of particular interest in the virtual environment is the question of managing traffic flow for the Child partitions, Parent partition and the physical network. If a guest has direct access to any physical network, it potentially presents a greater threat to its sibling Child partitions and Parent partition than if it were forced to pass through a traffic control such as an ISA Server or Forefront TMG. While defining a network which imposes such traffic controls is a critical part of the network design, management control of this network is even more critical.

Routing traffic around an ISA or TMG server presents a state where it is not able to provide any security for the network whatsoever simply by virtue of having been effectively removed from the traffic path. While this case seems to be no different than a mis-patched network cable in the data center, you must consider that there will be no obvious visual indicators for misrouted virtual networking as there might be with a network cable plugged into the wrong port on a physical patch panel or switch. This point will make identifying these problems correspondingly more difficult and time consuming, effectively making problem resolution that much more costly. The best way to prevent such occurrences is to define and enforce very clear data center change control policies and system monitoring / reporting systems.

Best Practices:

1. Avoid connecting the Parent partition to the Internet without additional protection. While Windows Server 2008 Filtering Platform provides a much stronger host firewall than previous Windows releases, network security best practices dictates that you should layer your network security. You can accomplish this by using an external layer-3 filtering device between the Parent connection and the Internet. ISA Server or Forefront TMG on a separate physical host works well for this purpose.
   
2. Avoid connecting the Parent partition to any virtual network unless absolutely necessary. Because the Parent partition is the key to keeping the Child partitions alive and well and because the Parent partition is likely to use at least one physical network, the fewer points of entry you provide to the Parent partition from a Child partition, the better. For instance, Hyper-V “Local” virtual networks are invisible to the Parent partition and so are good choices for use as isolated perimeter networks usable only by connected Child partitions.
   
3. Avoid sharing the same Internet virtual switch connection between multiple guests. You cannot ensure traffic security for your network if your game server Child partition is sharing the Internet connection with the ISA / TMG Child partition. Better that any Child partition which needs Internet access should access it through the ISA / TMG Child partition.
   
4. Avoid combining your perimeter network segments on a single Parent partition. In any deployment, the use of perimeter networks is intended to create security boundaries between networks of differing trusts. By placing all of these machines and networks on the same Parent partition, you may inadvertently bridge these security boundaries through one or more Parent partition virtual network connections or by mis-assignment of a server to the wrong virtual network.
   
5. Avoid collapsing your perimeter network design to simplify the virtual network design. Your perimeter network design was created to satisfy the requirements imposed on you by multiple sources. It’s highly unlikely that if the design cannot be collapsed in hardware that it can be collapsed in virtual networks.
   

The Parent partition

Regardless of whether the VM deployment is edge- or internally-placed, the Parent partition is the most important and therefore the most critical machine among them. If the Parent partition is compromised or fails, all of its Child partitions are threatened.

Best Practices:

1. Use hardware that passes Windows Hardware Quality Labs as “certified for”:
   
   • Windows Server 2008. If you expect to have server-class functionality and reliability, you cannot hope to achieve that using home-computer class system hardware or drivers. An investment in devices and related drivers that were designed and tested to experience server-class workloads will go a long way toward keeping your virtual deployments on-line under heavy loads. In particular, while it’s generally true that drivers written for Windows Vista will “work” on Windows Server 2008, the odds are that they will not stand up to the heavier workload presented by server applications or virtualization.
     
   • Hyper-V. By limiting your choices to hardware which satisfies WHQL testing specifically targeted at Microsoft Hypervisor, you provide a better chance that your virtual deployment will behave properly. Many hardware vendors are working closely with all server virtualization vendors to validate their offerings for one or more server virtualization platforms.
     
2. Keep the system drivers current. The single most common cause of server network problems is the system drivers themselves; most commonly – the network drivers. When these need to work closely with other high-performing drivers such as those found in today’s virtualization solutions, the performance and stability of the system drivers is even more important. While it may not always be possible especially in test environments, you should consider limiting your production deployments to signed drivers only.
   
3. Use Windows Server 2008 Core for the Parent partition. This provides the smallest possible attack surface of any Windows Server deployment option, while simultaneously restricting the user’s ability to weaken this security posture.
   
4. Disable any Externally-facing NICs for the Parent partition. After you have created an “external” virtual switch for use by Child partitions, you should disable the related virtual NIC in the parent to prevent access to the Parent from the Internet.
   
5. If you cannot disable “external” virtual switches for the Parent, unbind all L3+ protocols and enable WFP for those NICs. By unbinding protocols and settings a heavily-restrictive policy in WFP, a host that cannot communicate using a protocol on which an attack depends is not vulnerable to the attack from a network at which the protocol is unbound and filtered. In other words, “if I can’t hear you, you can’t bother me”.
   
6. If the previous steps cannot be employed to protect the parent, use an external layer-2+ firewall. There should be no reason to make the parent accessible to Internet-based attacks. If you find yourself considering such a deployment, you should re-evaluate your planning.
   
7. Use a dedicated, Out-Of-Band (OOB) network connection to provide management connectivity to the parent.
   
   • Dedicated connection: by providing a network connection that is unrelated to any virtual network, the parent will remain available even if the virtual networking mechanisms should fail.
     
   • OOB connection: by separating the parent management from the guest networking, you can effectively isolate the parent from the network where application-based attacks would be seen.
     
8. Use TPM-supported hardware and Bitlocker on Windows Server 2008 to control access to the Parent partition and protect Child partition disks and definition files from unauthorized access. Server theft is a reality that must be considered in any deployment and the ability to acquire multiple servers in a single box can only make this even more attractive to would-be thieves. By placing all of your guests on a Bitlocker-protected disk, you effectively hide your servers from would-be thieves.
   

Parent and Guest Connections

You must balance the requirements of your virtual networks with the security needs of the whole environment. For instance, a single virtual network for each partition connection associated with a single NIC offers better off-host network performance than does a physical connection shared by multiple partitions through a single virtual switch. If the Child partition imposes a comparatively light network requirement, then it may be a candidate for sharing a virtual network with other Child partitions.

See Appendix A for detailed discussion regarding various network definitions and the benefits and problems associated with each.

 ISA/TMG Child partition Performance Considerations

You’ll need to obtain a performance “footprint” before defining the ISA / TMG virtual machine resources. To accomplish this, you must gather performance data for an extended period (at least two weeks) using the ISA Server Performance Best Practices performance monitor recommendations for your ISA version or the TMG performance monitor reference so that you can obtain a statistical model for the machine resources used. Once you’ve accomplished this, you’ll have a reasonable idea of the minimum machine resources that you’ll need to provide for the virtual ISA / TMG server.

The next step after defining the ISA / TMG virtual machine requirement is to build a test environment where you can deploy and test the workload and traffic load combination you intend to use in production. Only through pre-testing can you determine how to best distribute the resources among the Child partitions.

CPU & RAM

Any server workload which functions at a given level on hardware of a specific configuration will perform less well on the same hardware configuration when the machine resources are shared with multiple workloads. This is true whether the workloads are combined on a single operating system instance or when the workloads are shared among multiple virtual machines. In fact, the resource requirements of managing multiple workloads is increased when those workloads are also associated with individual operating system instances. For this reason, you should familiarize yourself with the performance best practices recommendations of the virtualization technology you deploy. Although the virtualization functionality offered by each vendor are similar for a given virtualization class (desktop, server, data center), the implementations of those functionality may produce varying results for a given server workload or workload combinations as well.

Best Practices:

1. Avoid combining high-resource Child partitions on the same parent. ISA / TMG can be a significant resource consumer, depending on the traffic profile and any 3rd-party add-ons you may use. If you have multiple high-resource server workloads competing for the same resources, the performance of all workloads may be significantly degraded and may present a denial-of-service as well.
   
2. Give ISA / TMG as much CPU and memory as possible. Because they must share resources with other Child partitions, the more memory and CPU you provide, the better they can perform in a virtual machine.
   

   Note:
   neither ISA Server itself nor 3rd-party add-ons that run within ISA Server benefit from more than 4 CPU or greater than 4GB RAM. TMG imposes no such limitations.

3. Use a virtualization technology which is up to the workload task. If your traffic profile requires network performance at or greater than 1Gb per second, using a hardware virtualization product which provides a maximum of 100Mb per second performance will result in an underperforming and overtaxed server.
   

Disks

Because the default logging mechanism for ISA / TMG use a local SQL service instance (MSDE 2000, SQL Express 2005 respectively), the logging requirements for a heavily-utilized ISA / TMG server can be quite intense. For instance, the egress proxies managed by Microsoft IT (MSIT) produce over 10GB per log instance per server per day. If the current ISA / TMG deployment uses MSDE/SQLE, then the performance footprint you obtain must account for this fact. The Best Practices for logging in ISA Server 2004 provides some basic performance factors to use when estimating the logging load incurred for a given traffic load. Although the requirements are not yet fully defined for TMG yet, they can be expected to be higher than those for ISA due to the additional traffic management offered by TMG.

Best Practices:

1. Use separate drives for the Child partition OS instance and its logging destination. The temptation to combine these for server definition simplicity must be resisted regardless of the server workload. If all Child partitions are sharing the Parent partition disk where their respective virtual disks reside, write contention between guests may result in intermittent or extended logging failures. If each guest uses a single VHD for all logical drives, the Guest contention only adds to this
   
2. Use dedicated drives for the ISA / TMG logging and reporting. The overhead involved with translating Child partition disk activity to the file access on the Parent partition can be significant in high-disk IO workloads. By providing direct-disk or pass-through access, this overhead is reduced significantly and the threat of logging failure and thus traffic failure is reduced accordingly.
   

   Note:
   by assigning dedicated drives to a Child partition, you lose the ability to employ Windows Bitlocker to protect the data stored by the Child partition from theft if the Parent partition is stolen.

Networks

Another aspect of server virtualization is the effect of mixing multiple high-traffic services on a single physical network connection at the Parent partition. Even if the remaining host resources are distributed appropriately among the Child partitions, if they are all network-heavy applications (such as web sites, mail servers and ISA / TMG), and they are expected to serve non-local virtual and real clients, then it may well be beneficial to provide each Child partition its own interface to the real network. This will complicate the virtual network model and the management processes you define for your virtual deployments, but the performance and security of your virtual services will be improved.

Best Practices:

1. Keep Parent partition NIC drivers current. Where practicable, use only signed drivers.
   
2. Use application performance test tools (Exchange / SharePoint, IIS, etc.) to validate network performance in the lab before deploying in production
   
3. Assign a physical NIC to each Guest OS whenever possible
   
4. MS Loopback is *not* a high-performance interface
   

 Management

Parent Access

Best Practices:

1. Keep all Child partitions and Parent partitions up-to-date on patches. Most server workloads provide event logging of varying degrees, but these are only as useful as the amount of time spent monitoring them. An ignored security event log that is filling with logon failures is a great tool for an account-mining attacker, but of no value whatsoever for the system administrator who ignores it at his peril.
   
2. Impose stronger security requirements on the Parent partition than for any of its Child partitions. For instance, the management accounts that control the VM Exchange server should not have management access to the Parent partition. Because the accounts with management access to the Parent partition effectively have “more than admin rights” on the guest, access to the Parent partition should be heavily restricted. To help prevent accidental outages of multiple Child partitions, you should avoid using the same management accounts at the Parent partition and the Child partitions. While this can’t prevent the Parent partition management account from causing a denial-of-service for the Child partitions, it can minimize the threat of this occurring through the use of an Exchange management account.
   

Change Control

Few things have as much impact on server functionality as undocumented configuration changes. Server administrators rightly expect to find the server in a particular state when they log on and will commonly go about their task as if that state actually exists. All too often a server is rendered unusable because the current activity conflicts with previous actions taken, resulting in unexpected server behavior or at worst; outright server failure.

Best Practices:

1. Define and enforce change control processes. Only through strict change management can you know the state and functionality of your virtual deployments. Even seemingly small changes can have detrimental effects if these changes are not known when another change is planned or executed.
   
2. See Parent Access for additional best practices that apply to change control
   

 Application Security

As noted previously, your virtual deployments must take relative server security stature into account. Mixing Child partitions of dissimilar security stature on a single host is inadvisable as it may violate the precepts of least privilege and least access; especially if the network structure requires that one or more of the dissimilar applications share a common network; and especially with the Parent partition. Of course, the depth and breadth of this separation will depend on your specific resources, needs and requirements so no single recommendation is appropriate for all deployments. The following table shows an example of how one environment might define application or service prioritization:

Application or Service	Security Stature (1-3; 1=highest)
Edge Security (firewall, IDS)	1
Domain Services	1
DNS / WINS	1
Email / Webmail	2
Collaboration	2
HR / Personnel	2
External Web applications	2
File & Print	3
Internal Web applications	3

You should note that although Edge Security and Domain Services rate equally, this does not necessarily mean that you should deploy them together as Child partitions on the same virtual host. Likewise, these example assignments may not meet with your organization’s definition of relative importance. With deployments where cost is a primary factor such as Small Business Server or Essential Business Server, such combinations may be unavoidable, but these should not be deployed without giving serious consideration to alternatives. For instance, since Windows Essential Business Server deploys three separate machines, you might deploy the Security server as a Child partition on one machine and deploy the remaining servers as Child partitions on a completely separate machine. Of course, these decisions have to be made with consideration for the remaining factors which dictate your data center budget, security, functionality and auditing requirements.

 Network Security Vs. Performance

The following diagrams offer simplified forms of the most common network topologies which may be used in virtualized deployments. Each one depicts a specific combination of virtual and physical network associations as well a discussion of the benefits and drawbacks of each design. The use of multiple servers for fault tolerance or load-sharing was omitted for diagram clarity. Where one entity (such as ISA or TMG) presents a potential network performance bottleneck, load-sharing mechanisms such as NLB should be considered.

Figure A1

The diagram in Figure A1 depicts a configuration that makes use of 801.1Q VLAN tagging to separate the internal and external networks within a single virtual switch which itself is associated with a single NIC connected to a VLAN-capable network switch. All partitions use the same virtual and physical links to reach networks of unlike security context, with their traffic differentiated in the network only by 802.1Q tags. Because the network separation is strictly logical, this creates a scenario where the separation of internal and external traffic can be lost simply by mis-configuration of the associated virtual and / or physical switch. The Parent partition management network security is dependent on the same network structure which carries potentially malicious traffic, thus effectively placing the Parent and all Child partitions at equal risk. Overall network performance is limited by the combination of physical NIC connectivity as well as the processing overhead imposed by the single virtual network structure and the use of 802.1Q VLAN tagging.

Figure A2

The diagram in Figure A2 improves the overall network security and network performance by providing separate virtual and physical network connections for internal and external traffic. Note that since the Parent partition management connection remains dependent on the shared connection with the internal network, the network security for the Parent partition improves only as much as the network security for the Child partitions collectively. The potential for bridging the internal and external networks caused by misconfiguration of the virtual network assignments remains, however.

Figure A3

In Figure A3, the effective security and performance posture for the Child partitions has not changed. The Parent partition security is improved through separation of the Parent partition management network to a host NIC which is not bound to the virtualization network driver and by connecting the Parent partition to the internal network through a virtual network associated only with the Parent partition and the ISA / TMG server. Thus, ISA / TMG helps protect the Parent partition from attacks mounted against the internal network; even those from compromised Child partitions on the same host. While it may be possible to use 802.1Q to logically separate the internal and management networks, the security and performance offered by this configuration are no better than that defined in Figure A2.

Figure A4

In Figure A4, the overall network security is improved further by effectively placing ISA / TMG between Guest and Parent partitions as well as the internal network. The effective network security of the deployment is reduced by the fact that once again, 802.1Q VLAN tagging is used to maintain separation between the Guest and Parent partitions. In this deployment, ISA / TMG is limited in its ability to protect the Parent partition from the Child partitions if the virtual VLAN configuration is misconfigured. The network performance of all partitions is completely dependent on the performance offered by the ISA / TMG server.

Figure A5

Figure A5 offers the highest network security possible without the addition of IPsec or other network-layer security mechanisms, such as 802.1x. The Child partitions are assigned a virtual network which is completely separate from the virtual network assigned to the Parent partition. Overall performance of the virtual deployment is still dependent on the performance offered by the ISA / TMG server itself, but is improved over that in Figure A4 because 802.1Q VLAN processing overhead for the virtual networks was removed.

 References

• Forefront TMG System Requirements
  
• Microsoft ISA Server 2000 System Requirements
  
• Microsoft ISA Server 2004 System Requirements
  
• Microsoft ISA Server 2006 System Requirements
  
• Microsoft Knowledge Base article 555975 How to improve Virtual Server Performance
  
• Microsoft Knowledge Base article 832017 Service Overview and network port requirements for the Windows Server system
  
• Microsoft Knowledge Base article 897613 Microsoft Virtual Server Support Policy
  
• Microsoft Knowledge Base article 897614 Windows Server System software not supported within a Microsoft Virtual Server environment
  
• Microsoft Knowledge Base article 897615 Support Policy for Microsoft software running on non-Microsoft hardware virtualization software
  
• Microsoft Knowledge Base article 925476 Network Load Balancing scenarios that are supported for use with Virtual Server 2005 R2
  
• Microsoft Support Lifecycle
  
• MSDN blog Hyper-V Terminology
  
• TechNet article Best Practices for Performance in ISA Server 2004
  
• TechNet article Best Practices for Performance in ISA Server 2006
  
• TechNet article ISA Server 2000 Performance Best Practices
  
• TechNet article ISA Server EE Capacity Planning
  
• TechNet article Monitoring and Troubleshooting Performance (ISA Server 2004)
  
• TechNet article Best Practices for Logging in ISA Server 2004
  
• TechNet article How to Back Up and Restore an ISA Server Enterprise Configuration (Enterprise Edition)
  
• TechNet article Windows Server 2008 Security Guide
  
• TechNet blog ISA on a Virtual Server host does not protect the guest machines
  
• TechNet blog Virtual Server Performance Tips
  
• Whitepaper Performance Tuning Guidelines for Windows Server 2003
  
• Whitepaper Performance Tuning Guidelines for Windows Server 2008
  
• Whitepaper Windows Server 2008 Hyper-V and BitLocker Drive Encryption
  
• Whitepapers Infrastructure Planning and Design
  
• Whitepapers Microsoft Assessment and Planning Solution Accelerator
  
• Windows Server Catalog; Windows Server Virtualization Validation Program
  
• Windows Server Catalog; Hardware listing
  

 Test Tools

• Web Application Stress Tool
  
• Active Directory Performance Testing Tool (ADTest.exe)
  
• Microsoft Exchange Server Stress Tools
  
• Support Tools Available For Stress Testing & Performance Analysis
  
• Office SharePoint Server Capacity Planning Tools
  

 Terms

Note:
these are excerpted from MSDN blog Hyper-V Terminology

Hypervisor

The hypervisor is the lowest level component that is responsible for interaction with core hardware.  The hypervisor is responsible for creating, managing and destroying partitions.  It directly controls access to processor resource and enforces an externally delivered policy on memory and device access.

Partition

A partition is the basic entity that is managed by the hypervisor.  It is an abstract container that consists of isolated processor and memory resources - with policies on device access.  A partition is a lighter weight concept than a virtual machine - and could be used outside of the context of virtual machines to provide a highly isolated execution environment.

Root Partition

This is the first partition on the computer.  Specifically this is the partition that is responsible for initially starting the hypervisor.  It is also the only partition that has direct access to memory and devices.

Parent Partition

The parent partition is a partition that is capable of calling the hypervisor and requesting that new partitions be created.  In the first release of Hyper-V the parent and root partitions are one and the same - and there can only be one parent partition.

Child Partition

Child partitions are partitions that have been made by the hypervisor in response to a request from the parent partition.  There are a couple of key differences between a child partition and a parent / root partition.  Child partitions are unable to create new partitions.  Child partitions do not have direct access to devices (any attempt to interact with hardware directly is routed to the parent partition).  Child partitions do not have direct access to memory (when a child partition tries to access memory the hypervisor / virtualization stack re-map the request to different memory locations).

Virtual Machine

A virtual machine is a super-set of a child partition.  A virtual machine is a child partition combined with virtualization stack components that provide functionality such as access to emulated devices, and features like being able to save state a virtual machine.  As a virtual machine is essentially a specialized partition, people tend to use the terms "partition" and "virtual machine" interchangeably.  But, while a virtual machine will always have a partition associated with it - a partition may not always be a virtual machine.

Guest Operating System

This is the operating system / runtime environment that is present inside a partition.  Historically with Virtual Server / Virtual PC we would talk about a "host operating system" and a "guest operating system" where the host ran on the physical hardware and the guest ran on the host.  With Hyper-V all operating systems on the physical computer are running on top of the hypervisor so the correct equivalent terms are actually "parent guest operating system" and "child guest operating system".  Having said that, most people find these terms confusing and instead use "physical operating system" and "guest operating system" to refer to parent and child guest operating systems respectively.

Virtual Machine Snapshot

A virtual machine snapshot is a point in time image of a virtual machine that includes its disk, memory and device state at the time that the snapshot was taken.  It can be used to return a virtual machine to a specific moment in time - at any time.  Virtual machine snapshots can be taken no matter what child guest operating system is being used and no matter what state the child guest operating system is in.

Physical Processor

This is simple.  It is the squarish chip that you put in your computer to make it go.  This is sometimes also referred to as a "package" or a "socket".

Logical Processor

This is a single execution pipeline on the physical processor.  In the "good old days" someone could tell you that they had a two processor system - and you knew exactly what they had.  Today if someone told you that they had a two processor system you do not know how many cores each processor has, or if hyperthreading is present.  A two processor computer with hyperthreading would actually have 4 execution pipelines - or 4 logical processors.  A two processor computer with quad-core processors would in turn have 8 logical processors.

Virtual Processor

A virtual processor is a single logical processor that is exposed to a partition by the hypervisor.  Virtual processors can be mapped to any of the available logical processors in the physical computer and are scheduled by the hypervisor to allow you to have more virtual processors than you have logical processors.

Virtual Rack

A virtual rack is a collection of virtual appliances running on one server.

 Fonte:http://technet.microsoft.com/pt-br/library/cc891502(en-us).aspx

Sérgio Martinho

Microsoft Forefront: Que / quais os motores anti-vírus fazem parte desta oferta?

Viva,

Como é do vosso conhecimento a marca Forefront quer dizer soluções de segurança corporativa.

Abaixo estão mapeadas as tecnologias anti-vírus que se incluem na oferta Forefront.

Forefront Security for Exchange Server:

         Esta tecnologia utilize múltiplos Anti-Vírus:  

                   Ahnlab

                  Authentium

                   Computer Associates

                   Kaspersky Labs

                   Microsoft Anti-Malware

                   Norman Data Defense

                   Sophos

                   VirusBuster

Forefront Security for Sharepoint Server:

         Esta tecnologia utilize múltiplos Anti-Vírus:  

                   Ahnlab

                  Authentium

                   Computer Associates

                   Kaspersky Labs

                   Microsoft Anti-Malware

                   Norman Data Defense

                   Sophos

                   VirusBuster

Forefront Security for Office Communication Server:

         Esta tecnologia utilize múltiplos Anti-Vírus:  

                   Ahnlab

                  Authentium

                   Computer Associates

                   Kaspersky Labs

                   Microsoft Anti-Malware

                   Norman Data Defense

                   Sophos

                   VirusBuster

Forefront Client Security:

         Esta tecnologia utilize uma tecnologia  Anti-Malware:  

                  Microsoft Anti-Malware