VMware ACE 2.7 User manual

Brand: VMware

Model: ACE 2.7

Category: Software

Type: User manual

ACE Management Server

Administrator’s Manual

VMware ACE 2.7

This document supports the version of each product listed and

supports all subsequent versions until the document is replaced

by a new edition. To check for more recent editions of this

document, see http://www.vmware.com/support/pubs.

EN-000405-00

VMware, Inc.

3401 Hillview Ave.

Palo Alto, CA 94304

www.vmware.com

2 VMware, Inc.

ACE Management Server Administrator’s Manual

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

intellectual property laws. VMware products are covered by one or more patents listed at

http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks

and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3

Contents

AboutThisBook 5

1 Introduction 7

FeaturesofACEManagementServer 7

SystemRequirements 8

RequiredHardware 8

SupportedOperatingSystems 8

SupportedExternalDatabases 9

SupportedProxies 9

RequiredWebBrowsers 9

Licensing 9

2 PlanninganACEManagementServerDeployment 11

DeploymentComponents 11

HostSystemOptions 12

WindowsHosts 12

LinuxHosts 12

ServerApplianceOption 12

DatabaseOptions 13

ActiveDirectoryAuthenticationOptions 13

PerformingCapacityPlanning 13

DatabaseThroughputandScalability 14

LDAPThroughput 14

NetworkBandwidthandPolicyUpdateFrequency 15

ACEPolicyConfiguration 15

LoadBalancers 15

SecurityFeaturesandConsiderations 16

UsingSSLCertificatesandProtocol 16

AccessingACEManagementServerfromOutsidetheCorporateFirewall 17

DeploymentPlanningWorksheet 18

3 InstallingandConfiguringACE Management Server 19

PreparingforInstallation 19

ConfigureTLSinYourBrowser 20

InstallingandUpgradingACEManagementServer 20

InstallanACEManagementServeronaWindowsHost 20

InstallACEManagementServeronaLinuxSystem 21

InstallanACEManagementServerAppliance 22

VerifyThattheApacheServiceIsStartedorRestarted 23

StartandConfigureACEManagementServer 24

LogInto

ACEManagementServer 25

4 ConfigurationOptionsforACEManagementServer 27

PrerequisitesforConfiguringtheServer 27

CreateUsersandGroupsforIntegrationwithActiveDirectory 27

SetUpanExternalDatabase 28

CreatingaSystemDSNEntryforanExternalDatabase 29

ACE Management Server Administrator’s Manual

4 VMware, Inc.

IncreasetheNumberofDatabaseConnectionsAllowed 30

EnableDatabaseConnectionPoolingonLinux 31

SetUpaConnectionBetweentheServerApplianceandanExternalDatabase 31

PrepareCustomSecurityCertificates 32

ViewthePropertiesoftheSelf‐SignedCertificateFile 32

StartingACEManagementServerConfiguration 33

ViewingandChangingLicensingInformation 33

UsinganExternalDatabase 33

CreatingAccessControl 34

UploadingCustomSSLCertificates 34

LoggingEvents 35

ApplyingConfigurationSettings 36

5 Load‐BalancingMultipleACEManagementServerInstances 37

TypicalSetupUsingLoad‐BalancedACEManagementServerInstances 38

InstalltheRequiredServicesforLoadBalancing 38

UsetheSameSSLCertificateonAllServers 39

CreateNewSSLCertificatesandKeysforEachServer 40

InstallingandConfiguringtheLoadBalancer 41

VerifyThatACEInstancesAreUsingtheLoadBalancer 41

6 ManagingACEInstances 43

ViewingACEInstancesThattheServerManages 43

UsetheVMwareACEHelpDeskApplication 44

UsetheInstanceViewinWorkstation 44

SearchforanInstance 45

SortbyColumnHeadingandChangeColumnWidth 46

Show,Hide,andMoveColumnsintheInstanceView 46

CreateorDeleteCustomColumnsintheInstanceView 46

ViewInstanceDetails 47

Reactivate,Deactivate,

orDeleteanACEInstance 47

ChangeaCopyProtectionID 47

ResettheAuthenticationPassword 48

AddInformationforCustomColumns 48

7 TroubleshootingandMaintenance 49

TroubleshootingConfigurationProblems 49

ConnectionProblemsBetweenaLinuxACEInstanceandACEManagementServer 49

ChangethePortAssignmentforACEManagementServer 49

DeletetheServerConfigurationFileandSetaNewAdministratorPassword 50

RestoreaBackupCopyofanSSLCertificate 50

ConfiguringMultipleACEManagementServerInstancestoUseSSL 51

DatabaseBackup 52

Appendix:DatabaseSchemaandAuditEventLogData 53

UsingDatabaseReportingTools 53

DatabaseSchema 53

QueryingtheAuditEventLogData 57

Glossary 61

Index 63

VMware, Inc. 5

Thismanual,theVMwareACEManagementServerAdministrator’sManual,providesinformationabout

installingandusingtheVMware

ACEManagementServer,whichenablesyoutomanageACEinstancesin

realtime.UsingACEManagementServerisoptional,butdoingsoprovidesthefollowingbenefits:

 ManageactivationofACEpackages.

 Manageauthenticationofthoseactivatedpackages.

 DynamicallydeliverpolicyupdatestomanagedACEinstances.

 DynamicallydeliverinstancecustomizationdataformanagedACEinstanceswithWindowsguest

operatingsystems.

Intended Audience

Thisbookisintendedforanyonewhoneedstoinstall,upgrade,oruseACEManagementServertomanage

ACEinstances.ACEManagementServerisintendedforACEadministratorswhomustmaintainandupdate

ACEpoliciesusedonvirtualmachinesdeployedthroughoutanenterprise.

Document Feedback

VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhavecomments,sendyour

feedbackto:docfeedback@vmware.com

Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversion

ofthisbookandotherbooks,gotohttp://www.vmware.com/support/pubs.

Online and Telephone Support

Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and

Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseon

priority1issues.Gotohttp://www.vmware.com/support/phone_support.html.

Support Offerings

TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto

http://www.vmware.com/support/services.

About This Book

ACE Management Server Administrator’s Manual

6 VMware, Inc.

VMware Professional Services

VMwareEducationServicescoursesofferextensivehands‐onlabs,casestudyexamples,andcoursematerials

designedtobeusedason‐the‐jobreferencetools.Coursesareavailableonsite,intheclassroom,andlive

online.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides

offeringsto helpyouassess,plan,

build,andmanageyourvirtualenvironment.Toaccessinformationabout

educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services.

VMware, Inc. 7

TheVMwareACEManagementServerenablesyoutomanageVMwareACEinstances,todynamically

publishpolicychangesforthoseinstances,andtotestanddeploypackagesmoreeasily.

Thischapterincludesthefollowingtopics:

 “FeaturesofACEManagementServer”onpage 7

 “SystemRequirements”onpage 8

Features of ACE Management Server

ACEManagementServeroffersscalabilityandreliability:

 Youcanincreasecapacitybyaddingnetworkresourcessuchasloadbalancersandextraserverhardware.

 Fortestingenvironments,thedefaultembeddedbackingstoreprovidesasimpleandefficientdatabase

solution.ToscaleACEManagementServerforproductiondeployments,youcanconfigureandusean

externalrelationaldatabasemanagementsystem(RDBMS).

 InWindows,multithreadedprocesseshandleserverrequests.InLinux,multipleprocesseshandleserver

requests.Ifoneprocessfails,anothertakesover.

ACEManagementServeroffersActiveDirectoryintegration:

 YoucanuseActiveDirectorytoauthenticateusersofACEinstances.

 YoudonotneedaschemachangeforyourexistingActiveDirectory.

 LDAPisusedtoaccessActiveDirectory.

 InformationaboutWindowsdomainuseraccountstatesisprovidedinclearandusefulmessages.

Reasonsforloginfailuresarepresentedas“lockedout”or“passwordexpired.”

 ACEManagementServeractsasanActiveDirectorypasswordchangeproxy.

 YoucanusetheinstancecustomizationfeatureinACEwithyourownestablishednamingconventionsto

associateuserswithmachines.

Securityfeaturesincludethefollowing:

 EncryptedcommunicationsbetweenserverandclientstraveloverHTTPStraffic.

 Passwordsarestoredsecurelyinhashedforminthebackingstore.

 FlexibledatabaseoptionsallowuseofanembeddeddatabaseorexternalRDBMStostoreACEinstance

dataandpolicies.

 YoucanuploadcustomSSLcertificatewhileconfiguringtheACEManagementServer.

Introduction

ACE Management Server Administrator’s Manual

8 VMware, Inc.

ACEManagementServeriseasytoinstallandconfigure.Clienttrafficcanbeproxiedbyeasilyavailable

products.Theserveruseseasilyavailablesoftwarecomponents:

 ApacheWebserver2.0

 ThedefaultSQLitedatabasestore

Theserversetupusesindustry‐standardprotocols:

 HTTPSandLDAP

 XML‐RPCformessageencapsulation

ACEManagementServeroffersextensibilityandavailability:

 YoucancreateandusemorethanoneACEManagementServer.Whenyouusemorethanoneserver,you

cansettheserversupsothattheysharethesamedatabaseforloadbalancingorincreasedfaulttolerance.

 AWindowsACEManagementServercanbeonthesamesystemasWorkstation.

 YoucandesignateasingleACEManagementServername,suchas

https://ace.policyserver.company.com,anduseDNSlookuptotranslatethehostnametoan

address.TheaddressiscachedifaDNSserverisnotavailable.Additionally,youcanusedifferentACE

ManagementServerinstancesifuserstravelbetweenofficesin

differentgeographiclocations.

System Requirements

ThefollowingsectionsdescribetheACEManagementServersystemrequirements.

Required Hardware

 Aminimumofan800MHz‐compatiblex86andx86‐64architectureprocessor

Compatibleprocessorsinclude:

Celeron,PentiumII,PentiumIII,Pentium4,PentiumM(includingcomputerswithCentrinomobile

technology),Xeon(includingPrestonia),AMD,Athlon,Athlon MP,AthlonXP,Duron,Opteron,AMD64

Opteron,andAthlon64

 ExperimentalsupportforIntelIA‐32eCPU

 40MBoffreespaceisrequiredforbasicinstallation.VMwarerecommendsatleast10GBoffreediskspace.

 An8‐bitdisplayadapterisrequired.

 Forlocalareanetworking,anyEthernetcontrollerthattheoperatingsystemsupportsissufficient.

Supported Operating Systems

FollowingarethesupportedoperatingsystemsforACEManagementServer:

 WindowsServer2003WebEditionSP1andSP2,WindowsServer2003StandardEditionSP1andSP2,

WindowsServer2003EnterpriseEditionSP1andSP2(includes64‐bitandR2editions)

 WindowsXPProfessional(includes64‐biteditions)

 Windows2000ServerServicePack4andWindows2000AdvancedServerServicePack 4

 RedHatEnterpriseLinuxAdvancedServer4.0withUpdate 4.

 SUSELinuxEnterpriseServer9ServicePack3

OTEYourservernamemustbeeitherthemachinenameinEnglishortheIP address.International

charactersarenotsupported.

VMware, Inc. 9

Chapter 1 Introduction

Supported External Databases

AnSQLitedatabaseengineisembeddedinACEManagementServer.Althoughthisdatabaseisadequatefor

testingpurposes,useoneofthefollowingexternaldatabasesinproductionenvironments:

 ForaWindows‐basedACEManagementServer–MicrosoftSQLServer2000orhigher;

Oracle Database 10g

IfyouuseaMicrosoftSQLServerdatabase,thedatabasemustbehostedonasystemthatusesthesame

localeasthesystemthathostsACEManagementServer.Forexample,ifACEManagementServeris



installedonaJapanesesystem,thedatabaseservermustalsobeinstalledonaJapanesesystemandmust

useJapanesecollation.

 ForaLinux‐basedACEManagementServer–PostgreSQL7.4orhigher

Supported Proxies

YoucandeployACEManagementServerwiththefollowingHTTPSproxysolutions:

 ApacheProxy–Usingmod_proxy

 ZeusTechnologyLoadBalancer–Acommerciallyavailableloadbalancerandtrafficmanagement

solution

Required Web Browsers

Thebrowser‐basedACEManagementServerSetupapplicationandtheVMwareACEHelpDeskapplication

requireoneofthefollowingWebbrowsers:

 MozillaFirefox1.52orhigher.

 InternetExplorer6.0orhigher.MakesurethattheInternetExplorerbrowserhasTLS1.0checkedtolog

intotheAMSwebconfigurationpage.

Licensing

YoumustconfiguretheserverandentertheserialnumberintheserversetupWebapplication.Ifyoudonot,

youcannotconnecttotheserverinWorkstation.

Yourserialnumberisontheregistrationcardinyourpackage.IfyoupurchasedVMwareACEonline,the

serialnumberissentby

email.WorkstationandACEinstancescannotconnecttoanACEManagementServer

withanexpiredornonexistentlicense.

ACE Management Server Administrator’s Manual

10 VMware, Inc.

VMware, Inc. 11

ThischapterprovidesguidelinesfordeployingVMwareACEManagementServerinstances,including

capacityplanningandbestpractices.Thischapterincludesthefollowingtopics:

 “DeploymentComponents”onpage 11

 “PerformingCapacityPlanning”onpage 13

 “SecurityFeaturesandConsiderations”onpage 16

 “A c c e s s i n g ACEManagementServerfromOutsidetheCorporateFirewall”onpage 17

 “DeploymentPlanningWorksheet”onpage 18

Deployment Components

AtypicalACEManagementServerdeploymenthasthefollowingcomponents:

 OneormoreACEManagementServerinstances–Configuringmultipleserverstousethesame

databaseincreasesthenumberofACEclientsyoucanmanageandguaranteeshighavailability.

 Databaseserver–Forproductiondeployments,VMwarerecommendsOracleDatabase 10gorMS‐SQL

forACEManagementServerinstalledonaWindowshost,andPostgresforACEManagementServer

installedonaLinuxhost.

 (Optional)ActiveDirectorydomaincontroller–ToenabletheACEManagementServerActive

Directoryintegration,youmustconfigureACEManagementServertocommunicatewithyourdomain

controller.

 (Optional)HTTPloadbalancer–UsealoadbalancertohelpscalethecapacityofyourACEManagement

Serverdeployment.

 (Optional)HTTPproxy–IfclientswillaccessACEManagementServerfromoutsidethecorporate

firewall,VMwarerecommendsusinganHTTPSproxyintheDMZ.YoucanuseACEManagementServer

withApacheProxyandZeusTechnologyLoadBalancer.

ForanexampleofanACEManagementServerdeployment,seeFigure 2‐1.

Planning an ACE Management Server

Deployment

ACE Management Server Administrator’s Manual

12 VMware, Inc.

Figure 2-1. Comprehensive ACE Management Server Deployment

ACEManagementServeroffersconvenienceandflexibilityinitssetupoptions.

YoucaninstalltheserveronWindowsorLinuxhosts.Fortestingpurposes,youcandownloadandrunthe

serverasavirtualappliance.ACEManagementServerincludesitsownsecuritycertificatesandembedded

database,butyoucanuse

anexternaldatabaseandusecertificatesfromacertificateauthorityifyouprefer.

YoucanalsoconfigureACEManagementServertouseActiveDirectoryforauthentication.

Host System Options

YoucaninstallACEManagementServeronaWindowshost,aLinuxhost,orasavirtualappliance.Ifyouset

upmultipleACEManagementServerinstances,theymustallbethesametype.

Windows Hosts

IfyouplantointegratewithActiveDirectory,VMwarerecommendsthatyouinstallACEManagementServer

onaWindowshost.

TheWindowsACEManagementServerusestheWinLDAPlibrarybundledwithyourWindowsoperating

systemtointegratewithActiveDirectory.InternaltestingresultsindicatethattheWindowsimplementation

providesbetterperformance

thanLinux.

Linux Hosts

YoucaninstallACEManagementServeronaLinuxhostanduseActiveDirectoryforauthentication,even

thoughperformanceisslowerthanonWindowshosts.IfyouplantouseaLinuxhostinproduction

environments,usetheLinuxinstallerratherthantheACEManagementServerappliance.Ifyoudonot

have

thesupportedLinuxoperatingsystemsinstalledonaphysicalserver,youcancreateavirtualmachine,install

asupportedLinuxoperatingsystem,andinstallACEManagementServerinthevirtualmachine.

Server Appliance Option

TheACEManagementServerapplianceisaself‐contained,preinstalled,andpreconfiguredACE

ManagementServerpackagedwithasmallLinuxoperatingsysteminavirtualmachine.Theapplianceis

convenientandquicktosetupinatestingenvironmentbutisnotrecommendedforproductionenvironments.

Bydefault,theapplianceattempts

toconfigureitsnetworkbyusingDHCP.IfyoudonotwanttouseDHCP,

youcanusethebrowser‐basedACEManagementServerSetupapplicationtoconfigurethenetworksettings.

Youcanusethesameinterfacetoupdatetheappliancewhenupdatesbecomeavailable.

Youmusthaveaccesstoa

Webbrowser(Mozilla1.52orhigherorInternetExplorer6.0orhigher)tochange

networksettingsorobtainupdatesfortheappliance.

ACE Management Server

(one or more)

Active Directory

domain controller

(optional)

database

server

proxy for ACE Management Server

service through corporate firewall

(optional)

WSAE client

(within

corporate

network)

load

balancer

(optional)

ACE Player client

(outside corporate network)

ACE Player client

(within

corporate

network)

LDAP

Kerberos

ODBC

HTTPS

HTTPSHTTPS

VMware, Inc. 13

Chapter 2 Planning an ACE Management Server Deployment

Database Options

ACEManagementServeroffersthefollowingdatabaseoptions:

 EmbeddedSQLitedatabase–ThedefaultmodeofACEManagementServerworkswithanembedded

SQLite3databaseengine.TheSQLitedatabaseengineisinitializedduringserverinstallationandrequires

nospecialconfiguration.The embeddeddatabasesupportsuptoseveralgigabytesofdata.

TheSQLitedatabaseisfilebasedandisnot

designedtobe effectivelysharedacrossmultipleprocesses.If

youusethird‐partytoolstoaccessthedatabaseforareadoperation,therefore,youcannotdependon

transactionalisolationofthependingwriteoperationsoftheACEManagementServer.

Theembeddeddatabaseisadequatefortestingpurposes,butVMwarerecommendsthat

youusean

externaldatabaseinproductionenvironments.

 Supportedexternaldatabase–Inproductionenvironments,useasupportedexternaldatabaseasa

backingstoreforACEManagementServer,throughODBCconnectivity.Supportedexternaldatabase

enginesarethefollowing:

 ForWindows‐basedACEManagementServer,useMicrosoftSQLServer(SQLServer2000orSQL

Server2005)orOracleDatabase10ginstalledonthesamesystemoradifferentWindowssystem

 ForLinux‐basedACEManagementServer,usePostgreSQL7.4orhigherinstalledonthesame

systemoradifferentLinuxsystem

UsinganexternaldatabasewithACEManagementServeroffersthefollowingbenefits:

 OnlinebackupsothatyoudonothavetoshutdownACEManagementServertobackupthe

database.

 Enhancedsecuritymodel.Youcanfine‐tunepermissionstoaccesssensitivedata.TheSQLite

databaseengineprovidesfile‐systembasedsecurity.

 Performancefine‐tuning.

 Abilitytouseexternaldatabasemanagementandreportingtools.

 AbilitytouseloadbalancerswithmultipleACEManagementServerinstances.Youmustusean

externalRDBMSasthebackingstore,becausetheSQLitedatabaseisnotdesignedtobeeffectively

sharedacrossmultipleprocesses.

Active Directory Authentication Options

ActiveDirectoryintegrationprovidesthefollowingbenefits:

 PermitsjoininganoperatingsystemthatisrunninganACEinstancetothedomainremotely.

 Providessearchfunctionssoyoucanquicklyfindaparticularindividualorgroup.

 EnablesyoutouseActiveDirectoryUsersandGroupstoconfigurerole‐basedaccesstothefeaturesof

ACEManagementServer.

Performing Capacity Planning

ACEManagementServerenablesyoutomanageACEinstancesandpoliciesinrealtime.Thenumberof

clientsthatasingleACEManagementServercanservedependsonseveralkeyfactors:

 Databasethroughputandscalability

 LDAPthroughput(ifyouareusingActiveDirectory)

 Networkbandwidthavailableforincomingclientrequests

OTEIfACEManagementServerisdeployedintheDMZ,useanexternaldatabaselocatedinsideyour

corporatenetworkbehindafirewall.

ACE Management Server Administrator’s Manual

14 VMware, Inc.

 ACEpolicyconfiguration

 Loadbalancersforverylargedeployments(morethan5,000clients)

Table 2‐1listsrecommendationsforthenumberofclientssupportedbasedonthehardwareyouareusing.The

figuresforrecommendedclientsreservesomeserverprocessingpowersothatinteractiveclientsreceive

responsesinatimelyfashionandtheserversatisfies

increasesindemand.

Database Throughput and Scalability

Forproductiondeployments,VMwarerecommendsthatyouuseOracle,MS‐SQL,orPostgresasyour

databaseplatform.

Morethan95percentofthestoragespacethatanACEManagementServerrequiresisusedtologevent

information,whichisanaudittrailofalltransactionsperformedthroughACEManagementServer.Table 2

‐2

listsrecommendeddatabasesizesbasedonthenumberofclientsbeingserved.

Thefiguresinthetablearebasedona90‐daydatabasearchivalperiod.Backupthedatabaserecordsevery90

daysandkeepeventlogsfor90days.YoucanconfigureACEManagementServertopurgeevent

logsevery

90days.

Theauthenticationeventgeneratesmostofthedatabecauseaneventisgeneratedeverytimesomeone

attemptstoauthenticatetoACEManagementServer.YoucanconfigureACEManagementServertologless

eventinformation.See“LoggingEvents”onpage 35.

LDAP Throughput

ACEManagementServercancommunicatewithyourActiveDirectorydomaincontrollertoauthenticateuser

credentials.YourdomaincontrollerinfrastructurehandlestheLDAPtrafficrequiredtosupportthenumber

ofclientsthatyouanticipate.

IntegratingwithActiveDirectorythroughLDAPisimplementeddifferentlyintheWindowsACE

ManagementServerthaninthe

Linux‐basedACEManagementServer.TheWindowsACEManagement

ServerusestheWinLDAPlibrarybundledwithyourWindowsoperatingsystem.TheLinuxACE

ManagementServerusesathird‐partyKerberosLibraryandOpenSSL.VMwareinternaltestingresults

indicatethattheWindowsimplementationprovidesbetterperformancethanLinux.

Table 2-1. Number of Clients Supported

Hardware Recommended Clients

2‐GHzAMD2‐wayserver(Opteron280,4GBRAM) 6,000

2‐GHzIntel2‐waydesktopmachine(4GBRAM) 4,000

Table 2-2. Database Storage Recommendations

Number of Clients Recommended Database Size

100 50Mb

1,000 500Mb

10,000 5,000Mb

VMware, Inc. 15

Chapter 2 Planning an ACE Management Server Deployment

Network Bandwidth and Policy Update Frequency

TheamountofnetworkbandwidththatACEManagementServ erandACEinstancesrequiredependsonthe

frequencyofpolicyupdatesthatyouconfigure.Table 2‐3showstheamountofbandwidthneededwhenyou

useapolicyupdatefrequencyvalueof10 minutes.

VMwarerecommendsthatforlargedeployments(morethan5,000clients),

youincreasethetimebetween

policyupdatesbyclientsbecausethisreducestheamountofrequiredbandwidth.

Table 2‐4showsthebandwidthneededwhenthepolicyupdatefrequencyvalueissetto30minutes.

Theamountofnetworkbandwidthrequiredcanalsobehigherifyourpolicysetisverycomplex.

VMware

recommendsthatyouhaveaseparatenetworklinkbetweenACEManagementServerandyour

databaseserver,sothattrafficcomingandgoingfromACEManagementServertoitsclientsdoesnotinterfere

withthetraffictoandfromyourdatabaseserver.

ACE Policy Configuration

TheconfigurationofACEpoliciescanaffectperformance.Youcanincreasetheamountofdatathatis

transferredbetweenACEManagementServerandACEPlayerbyusingoneofthefollowingmethods:

 Hostpolicies–Enablinghostpolicies(suchashostnetworkquarantine)requiresthatahost‐sidedaemon

retrievesthehostpoliciesfromtheACEManagementServer.

 Complexnetworkquarantinepolicies–Ifthesetofrulesthatmakesupyournetworkquarantineisvery

large,thetransferoftheserulesfromtheACEManagementServertotheclientscanaffectthescalability.

ThenumbersshowninTable 2‐3andTable 2‐4areestimatesofrequiredbandwidthgiven

average‐size

rulesetsfornetworkquarantine.YoucanviewthesizeofyourpolicysetbyexaminingtheACEfile

directoryandcountingthesizeofthe.vmplfile.Anaveragepolicysetis15KBorless.

Load Balancers

TheACEManagementServerclient‐serverprotocolisbuiltontopoftheHTTPSprotocol.YoucanuseHTTP

load‐balancingsoftwareandhardwaresolutionstoscaleanACEManagementServerdeploymentbeyondthe

capacityofasingleserver(orforhigh‐availabilitydeployments).

ACEManagementServerscalesinalinear

fashionwhenanenterprise‐gradeHTTPSloadbalancerisused.See

Chapter 5,“Load‐BalancingMultipleACEManagementServerInstances,”onpage 37.

Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes

Number of Clients Bandwidth Required

100 0.125Mb/sec.

1,000 1.25Mb/sec.

10,000 12.5Mb/sec.

Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes

Number of Clients Bandwidth Required

100 0.04Mb/sec.

1,000 0.4Mb/sec.

10,000 4Mb/sec.

ACE Management Server Administrator’s Manual

16 VMware, Inc.

Security Features and Considerations

Bydefault,ACEManagementServerusestheSecureSocketsLayer(SSL)protocoltoprovideencryptedand

securecommunications.

FollowingisanoverviewofsecurityfeaturesandrecommendationsonhowtoconfiguretheACE

ManagementServertoavoidsecurityproblems:

 TraffictoandfromclientsisprotectedbyHTTPS–Bydefault,ACEManagementServercreatesa

self‐signedcertificatewhenyouinstallittouseforHTTPStraffic.Thesecertificatesaresecure,butyou

canalsoconfigureACEManagementServertouseyourowncertificateandkeypairs.

 TrafficfromACEManagementServertoActiveDirectoryisencrypted–Iftheserverisintegratedwith

anActiveDirectoryservice,itcommunicateswiththeservicethroughanSSL‐protectedlink.LDAPtraffic 

isencryptedattheapplicationlayer.CredentialsareprotectedbyusingtheKerberosprotocolto

authenticatecredentials.

 Sensitiveconfigurationoptionsareencrypted–Passwordsstoredintheconfigurationfileareencrypted.

 Databasesecurity–Thedatabasestorecontainssensitivedatasuchascryptographickeys.Configure

yourdatabasesecuritysothatitisprotectedfromintrusionandprotectedincaseofdataloss.Formore

informationaboutfeaturesthatareavailabletoprotectyourdata,seeyourdatabasedocumentation.

SSLencryptsdatathrough

theuseofapublic‐keyandprivate‐keypair.Thepublickeyisknowntoeveryone

andtheprivatekeyisknownonlytothemessagerecipient.URLs thatrequireanSSLconnectionstartwith

https.

DuringACEManagementServerinstallation,thefollowingtwofilesarecreated:

 server.key–AnRSA1024‐bitkey,thisistheprivatekey.

 server.crt–Aself‐signedcertificate.Itssignatureisverifiedbythepublickey,whichisembeddedin

thecertificate.Thispubliccertificateisvalidfor10yearsfromthedateandtimeatwhichtheserveris

installed.ThecertificatefileisencodedinPEMformat.

Bydefault,thesefiles

arestoredintheSSLdirectoryintheVMwareACEManagementServerprogram

directory.

VMwarePlayer,whichrunstheACEinstances,doesnottrustanycertificatesstoredonthehostmachineon

whichitisrunning.Instead,itreliesonacompletecertificationchainthatisincludedintheACE

package.

Usingself‐signedcertificatesisadequateformostsecurityneeds.

Youcan,however,useacertificateissuedbyacertificateauthority.IfyouhavemultipleACEManagement

Serverinstances,youcanuseonecertificateforalloryoucanuseadifferentcertificateoneachone.

Using SSL Certificates and Protocol

WhenanACE‐enabledvirtualmachineconnectstoanACEManagementServer,itdownloadsthepublic

certificateforthatserverandanychainofcertificatesrequiredtoverifytheserver’spubliccertificate.Aserver

certificatemighthaveachainofseveralcertificatesthatmustbeverifiedstepbystepuntilthe

verification

processreachestheroot,ortrusted,certificateinthecertificatestore.Thefirsttimeaconnectionismadetoa

serverbyanyACE‐enabledvirtualmachineonaWorkstationadministratormachine,thecertificateandits

verificationaredownloadedtotheWorkstationhostsystem.

Thestoreorcollectionofcertificates

thatisdownloadedwhenanACE‐enabledvirtualmachineconnectstoa

serverisincludedineachACEpackagethatyoucreatewiththatvirtualmachine.ItissavedintheACE

Resourcesdirectory.WhenyoudeployandrunanACEinstanceofthisACE‐enabledvirtualmachine,the

VMwarePlayer

applicationusesthecertificatesincludedinthepackagetoverifyconnectionsmadetotheACE

ManagementServer.ItverifiesthatthecertificatesthatareintheACEpackagematchthosethattheserver

provides.Iftheydonotmatchexactly,VMware Playerdisplaysanerrormessageanddoesnotrunthe

instance.

VMware, Inc. 17

Chapter 2 Planning an ACE Management Server Deployment

VMwarePlayercheckstheintegrityofthecertificatestoreincludedinthepackageeverytimeitcommunicates

withtheserver.VMwarePlayerdoesnottrustanycertificatesstoredonthehostmachineonwhichitis

running.Instead,itreliesonacompletecertificationchainthatisincludedintheACE

package.Theuseof

self‐signedcertificatesisadequateformostsecurityneeds.

If,however,yourenterpriserequirestheuseofacertificatesignedbyacertificateauthority(internalor

commercial),youcansetupthattypeofkey‐certificatepairfortheACEpackagestouse.Acertificateauthority,

orCA,isanentitythatissuesandsignspublic‐keycertificates,typicallyforafee.

Accessing ACE Management Server from Outside the Corporate

Firewall

AllclientrequeststoACEManagementServerareHTTPStrafficonport443.This meansthatanysolution

usingaproxytosecureHTTPStrafficintoyourcorporateserverscanbeusedtoproxyACEManagement

Servertraffic.

BecauseofthenumberofdataconnectionsthattheACEManagementServermustmake

onthebackend

(LDAP,DNS,ODBC,Kerberos),VMwarerecommendsusinganHTTPSproxyintheDMZ.Thisproxycan

relayACEManagementServertraffictotheactualACEManagementServerinsidethecorporatenetwork.

Figure 2-2. Recommended Deployment for External Access

ACEManagementServercanbedeployedwiththefollowingHTTPSproxysolutions:

 ApacheProxy–Usingmod_proxy

 ZeusTechnologyLoadBalancer–Acommerciallyavailableloadbalancerandtrafficmanagement

solution

AvoidthefollowingproblemswhenyouuseaproxyfortrafficintoanACEManagementServer:

 SSLTermination–IfyourHTTPSproxyterminatestheSSLconnection,youmustusethesameSSLkey

andcertificateontheHTTPSproxyserverandACEManagementServer.Or,usetheACEManagement

ServercertificatechaintoembedtheHTTPSproxycertificateverificationchainintheACEpackage.

Anexample

ofaproxyserverthatterminatesSSLconnectionsisApacheProxy.TheZeusload‐balancing

productssupportSSLpassthrough,whichmeansthattheSSLconnectionisterminatedatACE

ManagementServer.

 MultipleACEManagementServerSSLcertificates–IfyouaredeployingmultipleACEManagement

Serverinstancesbehindaload‐balancingsolution,allACEManagementServerinstancesmustusethe

sameSSLkeyandcertificatepair.YoucanalsousetheACEManagementServercertificatechainfeature

toembedeverySSLcertificate

verificationchainintotheACEpackage.

 DNSresolution–WhenyoucreateanACE‐enabledvirtualmachine,youmustspecifyahostnamefor

ACEManagementServer.ThishostnamemustresolvetotheappropriateIPaddressforbothinternaland

externalclients.Internally,itcanresolvetoACEManagementServeritself.Externally,itcanresolveto

the

HTTPSproxyserver.

BecausethetrafficcomingintoACEManagementServerisplainHTTPStrafficandtheserverisstateless,you

candeploymanyotherconfigurationstoprovideexternalaccesstoanACEManagementServer.Whenyou

designyourdeployment,thinkofACEManagementServerasaWebserverwith

securetraffic.

HTTPS

proxy server

external client

ODBC

NETBIOS (port 137)

DNS

KRB5 (port 88)

LDAP (port 389)

HTTPS traffic

(443)

HTTPS traffic

(443)

external

firewall

AMS server

internal

firewall

ACE Management Server Administrator’s Manual

18 VMware, Inc.

Deployment Planning Worksheet

Usethedeploymentplanningworksheettorecordyourchoiceofserversystem,database,securitycertificates,

andoptionalcomponentsforaproductionenvironment.

Table 2-5. Worksheet for ACE Management Server in a Production Environment

Component Considerations Decision

Active

Directory

integration

PerformanceisbetterwhentheACE

ManagementServerisinstalledona

Windowshost.

Seealso“CreateUsersandGroupsfor

IntegrationwithActiveDirectory”on

page 27.

UseActiveDirectory?________

Ifyes,nameofuseraccountforACE

ManagementServertoquerytheActive

Directorydatabase:__________________

Fullyqualified

domainnameofthe

LDAPserver:_______________________

ACE

Management

Server

Ifyouusemultipleservers,allmustbe

installedonthesameplatform.

Forcapacityplanning,see“Numberof

ClientsSupported”onpage 14.

UseWindowsorLinux

hosts?_____________

Howmanyservers?____________

Database

server

Thedatabaseservermustbecompatible

withtheACEManagement

Serverhost.See

“SupportedExternalDatabases”onpage 9.

MSQL,Oracle,orPostgresSQLdatabase?

____________________________

Loadbalancer Usealoadbalancerforlargedeployments

orforhighavailability.Itmustsupport

HTTPSandrequiresanexternaldatabase.

See“LoadBalancers”onpage 15.

Usealoadbalancer?________

Proxy IfACEclientswillcontactACE

ManagementServer

fromoutsidethe

firewall,useaproxy.See“A c c e s s i n g ACE

ManagementServerfromOutsidethe

CorporateFirewall”onpage 17.

Useaproxy?__________

ApacheProxyorZeus TechnologyLoad

Balancer?________________________

SSL

certificates

Ifyouusemultipleserversandplantouse

adifferentSSLcertificateforeachone,you

mustcreate

orsendforthecertificates.

ACEManagementServersupportsonly

public‐keycertificatesthataresignedusing

theSHA1algorithm.See“UsingSSL

CertificatesandProtocol”onpage 16.

Whichtypeofcertificate:self‐signed

third‐party,orinternalCA(certificate

authority)?___________________

Numberofcertificates?__________

Ports ForActiveDirectory,useport389.

For

theACEManagementServer

appliance,useport8080.See“Changethe

PortAssignmentforACEManagement

Server ”onpage 49and“A c c e s s i n g ACE

ManagementServerfromOutsidethe

CorporateFirewall”onpage 17.

Port8000forconfiguringtheACE

ManagementServer.

Port443forclientrequests.

Whichadditionalports?______________

VMware, Inc. 19

Thischapterincludesthefollowingtopics:

 “PreparingforInstallation”onpage 19

 “InstallingandUpgradingACEManagementServer”onpage 20

 “VerifyThattheApacheServiceIsStartedorRestarted”onpage 23

 “StartandConfigureACEManagementServer”onpage 24

 “LogIntoACEManagementServer”onpage 25

Preparing for Installation

BeforeyouinstallACEManagementServer,youmustplanyourdeployment.Completethefollowingtasks:

1TodeterminewhichtypeofACEManagementServerinstallertouse,howmanyserverstoinstall,and

whichdeploymentcomponentstoinclude,seeChapter 2,“PlanninganACEManagementServer

Deployment,”onpage 11.

2ToconfigureyourWeb

browsertouseTransportLayerSecurity(TLS),see“ConfigureTLSinYour

Browser”onpage 20.

3Tosynchronizetheclockonthehostsystemwiththeclientsystem,useNetworkTimeProtocol(NTP).

4TochooseanHTTPSportforthehostonwhichyouplantorunACEManagementServer,seeTable 3‐1

Installing and Configuring

ACE Management Server

Table 3-1. Port Assignments, Default Settings, for ACE Management Server

HTTPS Port Number Description

443 CommunicationsbetweenACEManagementServerandACE

instances

8000 ACEManagementServerSetup(configuration)Webapplication

ACEHelpDeskWebapplication

8080 ACEManagementServerApplianceconfiguration

NOTEIfanotherWebserverisinstalledthatusesanyofthesedefaultports,youmightneedtoresolvethe

conflict.

ACE Management Server Administrator’s Manual

20 VMware, Inc.

Configure TLS in Your Browser

TransportLayerSecurity(TLS)mustbeconfiguredonyourWebbrowsertooperateACEManagementServer.

To configure TLS in your browser

Dependingonthetypeofbrowser,dooneofthefollowing:

 ForanInternetExplorerbrowser:

a ChooseTools>InternetOptions>AdvancedandscrolldowntoSecurity.

b SelecttheUseTLS1.0checkboxandclickOK.

 ForaMozillabrowser:

a ChooseTools>Options>Advanced.

b SelecttheUseTLS1.0checkboxandclickOK.

Installing and Upgrading ACE Management Server

YoucaninstalloneormoreACEManagementServerinstancestoservicetheACEinstancesinyourenterprise.

IfyousetupmultipleACEManagementServerinstances,theyallmustbeinstalledoneitherWindowshosts

orLinuxhosts,orallmustbeinstalledasappliances.

ToupgradefromACEManagement

Server2.0to2.6,usethesameprocedureasforinstallingtheserverfor

thefirsttime.Whentheinstallerdetectsanearlierversion,ituninstallstheoldversionbeforeinstallingthe

newone.Configurationsettingsarepreserved.

Forproductiondeployments,VMwarerecommendsthatACEManagementServerbeinstalledoneither

a

dedicatedserveroravirtualplatformwithsufficientavailableresourcestoensureperformanceandstability.

SystemrequirementsdependalmostexclusivelyonthenumberofACEinstancesbeingsupportedandthe

frequencywithwhichtheyareconfiguredtocommunicatewiththeserver.Formoreinformationabout

VMwareperformancetesting,see“Performing

CapacityPlanning”onpage 13.

However,ACEManagementServerwastestedandcanbeinstalledondesktoporworkstationplatformsto

supportasmallnumberofclientsornonproductionevaluations.

Install an ACE Management Server on a Windows Host

InstallingACEManagementServeronaWindowshostinvolvesdownloadingandrunninganinstallation

wizard.YoucaninstallACEManagementServeronthefollowingWindowssystems:

 WindowsServer2003

 WindowsXPProfessional(includes64‐biteditions)

 Windows2000Server

Beforeyoubegin,makesuretheclockissynchronizedandtherequiredportsareavailable,asdescribedin

“PreparingforInstallation”onpage 19.

UsethisinstallationproceduretoinstallorupdateACEManagementServersoftware.

To install an ACE Management Server on a Windows host

1 DownloadtheVMware-ACE-Management-Server.exe filefromtheVMwareWebsiteandsavethefile

thesystemthatistohosttheserver.

ThefileisavailableasaseparatedownloadablefileinthesamedownloadlocationastheWorkstation

application.

2Double‐clicktheVMware-ACE-Management-Server.exe filetostarttheinstallationwizard.

Page is loading ...

VMware ACE 2.7 User manual

Brand: VMware

Model: ACE 2.7

Category: Software

Type: User manual

Download PDF

report

VMware ACE 2.7 User manual

VMware ACE 2.7 User manual

Related papers

Other documents