2. Computers & electronics
  3. Software
  4. VMware
  5. ACE 2.6

VMware ACE 2.6 User manual

  • Hello! I am an AI chatbot trained to assist you with the VMware ACE 2.6 User manual. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
ACE Management Server
Administrator’s Manual
VMware ACE 2.6
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000169-00
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
ACE Management Server Administrator’s Manual
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2007–2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc. 3
Contents
AboutThisBook 7
1 Introduction 9
FeaturesofACEManagementServer 9
SystemRequirements 10
RequiredHardware 10
SupportedOperatingSystems 10
SupportedExternalDatabases 10
SupportedProxies 11
RequiredWebBrowsers 11
Licensing 11
2 PlanninganACEManagementServerDeployment 13
DeploymentComponents 13
HostSystemOptions 14
WindowsHosts 14
LinuxHosts 14
ServerApplianceOption 14
DatabaseOptions 15
ActiveDirectoryAuthenticationOptions 15
PerformingCapacityPlanning 15
DatabaseThroughputandScalability 16
LDAPThroughput 16
NetworkBandwidthandPolicyUpdateFrequency 16
ACEPolicyConfiguration 17
LoadBalancers 17
SecurityFeaturesandConsiderations 17
UsingSSLCertificatesandProtocol 18
AccessingACEManagementServerfromOutsidetheCorporateFirewall 19
DeploymentPlanningWorksheet 19
3 InstallingandConfiguringACE Management Server 21
PreparingforInstallation 21
ConfigureTLSinYourBrowser 21
InstallingandUpgradingACEManagementServer 22
InstallanACEManagementServeronaWindowsHost 22
InstallACEManagementServeronaLinuxSystem 23
InstallanACEManagementServerAppliance 24
VerifyThattheApacheServiceIsStartedorRestarted 25
StartandConfigureACEManagementServer 26
LogInto
ACEManagementServer 26
ACE Management Server Administrator’s Manual
4 VMware, Inc.
4 ConfigurationOptionsforACEManagementServer 29
PrerequisitesforConfiguringtheServer 29
CreateUsersandGroupsforIntegrationwithActiveDirectory 29
SetUpanExternalDatabase 30
CreatingaSystemDSNEntryforanExternalDatabase 31
IncreasetheNumberofDatabaseConnectionsAllowed 32
EnableDatabaseConnectionPoolingonLinux 33
SetUpaConnectionBetweentheServerApplianceandanExternalDatabase 33
PrepareCustomSecurityCertificates 33
ViewthePropertiesoftheSelfSignedCertificateFile 34
StartingACEManagementServerConfiguration 34
ViewingandChangingLicensingInformation 34
UsinganExternalDatabase 35
CreatingAccessControl 35
UploadingCustomSSLCertificates 36
LoggingEvents 37
ApplyingConfigurationSettings 37
5 LoadBalancingMultipleACEManagementServerInstances 39
TypicalSetupUsingLoadBalancedACEManagementServerInstances 40
InstalltheRequiredServicesforLoadBalancing 40
UsetheSameSSLCertificateonAllServers 41
CreateNewSSLCertificatesandKeysforEachServer 41
InstallingandConfiguringtheLoadBalancer 43
VerifyThatACEInstancesAreUsingtheLoadBalancer 43
6 ManagingACEInstances 45
ViewingACEInstancesThattheServerManages 45
UsetheVMwareACEHelpDeskApplication 46
UsetheInstanceViewinWorkstation 46
SearchforanInstance 47
SortbyColumnHeadingandChangeColumnWidth 47
Show,Hide,andMoveColumnsintheInstanceView 48
CreateorDeleteCustomColumnsintheInstanceView 48
ViewInstanceDetails 48
Reactivate,Deactivate,
orDeleteanACEInstance 49
PoliciesTab 49
ChangeaCopyProtectionID 49
ResettheAuthenticationPassword 50
AddInformationforCustomColumns 50
7 TroubleshootingandMaintenance 51
TroubleshootingConfigurationProblems 51
ConnectionProblemsBetweenaLinuxACEInstanceandACEManagementServer 51
ChangethePortAssignmentforACEManagementServer 51
DeletetheServerConfigurationFileandSetaNewAdministratorPassword 52
RestoreaBackupCopyofanSSLCertificate 52
ConfiguringMultipleACEManagementServerInstancestoUseSSL 53
DatabaseBackup 53
VMware, Inc. 5
Contents
Appendix:DatabaseSchemaandAuditEventLogData 55
UsingDatabaseReportingTools 55
DatabaseSchema 55
QueryingtheAuditEventLogData 59
Glossary 63
Index 65
ACE Management Server Administrator’s Manual
6 VMware, Inc.
VMware, Inc. 7
Thismanual,theVMwareACEManagementServerAdministrator’sManual,providesinformationabout
installingandusingtheVMware
®
ACEManagementServer,whichenablesyoutomanageACEinstancesin
realtime.UsingACEManagementServerisoptional,butdoingsoprovidesthefollowingbenefits:
ManageactivationofACEpackages.
Manageauthenticationofthoseactivatedpackages.
DynamicallydeliverpolicyupdatestomanagedACEinstances.
DynamicallydeliverinstancecustomizationdataformanagedACEinstanceswithWindowsguest
operatingsystems.
Intended Audience
Thisbookisintendedforanyonewhoneedstoinstall,upgrade,oruseACEManagementServertomanage
ACEinstances.ACEManagementServerisintendedforACEadministratorswhomustmaintainandupdate
ACEpoliciesusedonvirtualmachinesdeployedthroughoutanenterprise.
Document Feedback
VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhavecomments,sendyour
feedbackto:
[email protected]
Technical Support and Education Resources
Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversion
ofthisbookandotherbooks,gotohttp://www.vmware.com/support/pubs.
Online and Telephone Support
Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and
registeryourproducts,gotohttp://www.vmware.com/support.
Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseon
priority1issues.Gotohttp://www.vmware.com/support/phone_support.html.
Support Offerings
TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto
http://www.vmware.com/support/services.
About This Book
ACE Management Server Administrator’s Manual
8 VMware, Inc.
VMware Professional Services
VMwareEducationServicescoursesofferextensivehandsonlabs,casestudyexamples,andcoursematerials
designedtobeusedasonthejobreferencetools.Coursesareavailableonsite,intheclassroom,andlive
online.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides
offeringsto helpyouassess,plan,
build,andmanageyourvirtualenvironment.Toaccessinformationabout
educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services.
VMware, Inc. 9
1
TheVMwareACEManagementServerenablesyoutomanageVMwareACEinstances,todynamically
publishpolicychangesforthoseinstances,andtotestanddeploypackagesmoreeasily.
Thischapterincludesthefollowingtopics:
“FeaturesofACEManagementServeronpage 9
“SystemRequirements”onpage 10
Features of ACE Management Server
ACEManagementServeroffersscalabilityandreliability:
Youcanincreasecapacitybyaddingnetworkresourcessuchasloadbalancersandextraserverhardware.
Fortestingenvironments,thedefaultembeddedbackingstoreprovidesasimpleandefficientdatabase
solution.ToscaleACEManagementServerforproductiondeployments,youcanconfigureandusean
externalrelationaldatabasemanagementsystem(RDBMS).
InWindows,multithreadedprocesseshandleserverrequests.InLinux,multipleprocesseshandleserver
requests.Ifoneprocessfails,anothertakesover.
ACEManagementServeroffersActiveDirectoryintegration:
YoucanuseActiveDirectorytoauthenticateusersofACEinstances.
YoudonotneedaschemachangeforyourexistingActiveDirectory.
LDAPisusedtoaccessActiveDirectory.
InformationaboutWindowsdomainuseraccountstatesisprovidedinclearandusefulmessages.
Reasonsforloginfailuresarepresentedas“lockedout”or“passwordexpired.”
ACEManagementServeractsasanActiveDirectorypasswordchangeproxy.
YoucanusetheinstancecustomizationfeatureinACEwithyourownestablishednamingconventionsto
associateuserswithmachines.
Securityfeaturesincludethefollowing:
EncryptedcommunicationsbetweenserverandclientstraveloverHTTPStraffic.
Passwordsarestoredsecurelyinhashedforminthebackingstore.
FlexibledatabaseoptionsallowuseofanembeddeddatabaseorexternalRDBMStostoreACEinstance
dataandpolicies.
Introduction
1
ACE Management Server Administrator’s Manual
10 VMware, Inc.
ACEManagementServeriseasytoinstallandconfigure.Clienttrafficcanbeproxiedbyeasilyavailable
products.Theserveruseseasilyavailablesoftwarecomponents:
ApacheWebserver2.0
ThedefaultSQLitedatabasestore
Theserversetupusesindustrystandardprotocols:
HTTPSandLDAP
XMLRPCformessageencapsulation
ACEManagementServeroffersextensibilityandavailability:
YoucancreateandusemorethanoneACEManagementServer.Whenyouusemorethanoneserver,you
cansettheserversupsothattheysharethesamedatabaseforloadbalancingorincreasedfaulttolerance.
AWindowsACEManagementServercanbeonthesamesystemasWorkstation.
YoucandesignateasingleACEManagementServername,suchas
https://ace.policyserver.company.com,anduseDNSlookuptotranslatethehostnametoan
address.TheaddressiscachedifaDNSserverisnotavailable.Additionally,youcanusedifferentACE
ManagementServerinstancesifuserstravelbetweenofficesin
differentgeographiclocations.
System Requirements
ThefollowingsectionsdescribetheACEManagementServersystemrequirements.
Required Hardware
Aminimumofan800MHzcompatiblex86andx8664architectureprocessor
Compatibleprocessorsinclude:
Celeron,PentiumII,PentiumIII,Pentium4,PentiumM(includingcomputerswithCentrinomobile
technology),Xeon(includingPrestonia),AMD,Athlon,Athlon MP,AthlonXP,Duron,Opteron,AMD64
Opteron,andAthlon64
ExperimentalsupportforIntelIA32eCPU
40MBoffreespaceisrequiredforbasicinstallation.VMwarerecommendsatleast10GBoffreediskspace.
An8bitdisplayadapterisrequired.
Forlocalareanetworking,anyEthernetcontrollerthattheoperatingsystemsupportsissufficient.
Supported Operating Systems
FollowingarethesupportedoperatingsystemsforACEManagementServer:
WindowsServer2003WebEditionSP1andSP2,WindowsServer2003StandardEditionSP1andSP2,
WindowsServer2003EnterpriseEditionSP1andSP2(includes64bitandR2editions)
WindowsXPProfessional(includes64biteditions)
Windows2000ServerServicePack4andWindows2000AdvancedServerServicePack 4
RedHatEnterpriseLinuxAdvancedServer4.0withUpdate 4.
SUSELinuxEnterpriseServer9ServicePack3
N
OTEYourservernamemustbeeitherthemachinenameinEnglishortheIP address.International
charactersarenotsupported.
VMware, Inc. 11
Chapter 1 Introduction
Supported External Databases
AnSQLitedatabaseengineisembeddedinACEManagementServer.Althoughthisdatabaseisadequatefor
testingpurposes,useoneofthefollowingexternaldatabasesinproductionenvironments:
ForaWindowsbasedACEManagementServerMicrosoftSQLServer2000orhigher;
Oracle Database 10g
IfyouuseaMicrosoftSQLServerdatabase,thedatabasemustbehostedonasystemthatusesthesame
localeasthesystemthathostsACEManagementServer.Forexample,ifACEManagementServeris
installedonaJapanesesystem,thedatabaseservermustalsobeinstalledonaJapanesesystemandmust
useJapanesecollation.
ForaLinuxbasedACEManagementServerPostgreSQL7.4orhigher
Supported Proxies
YoucandeployACEManagementServerwiththefollowingHTTPSproxysolutions:
ApacheProxyUsingmod_proxy
ZeusTechnologyLoadBalancerAcommerciallyavailableloadbalancerandtrafficmanagement
solution
Required Web Browsers
ThebrowserbasedACEManagementServerSetupapplicationandtheVMwareACEHelpDeskapplication
requireoneofthefollowingWebbrowsers:
MozillaFirefox1.52orhigher
InternetExplorer6.0orhigher.MakesurethattheInternetExplorerbrowserhasTLS1.0checkedtolog
intotheAMSwebconfigurationpage.
Licensing
YoumustconfiguretheserverandentertheserialnumberintheserversetupWebapplication.Ifyoudonot,
youcannotconnecttotheserverinWorkstation.
Yourserialnumberisontheregistrationcardinyourpackage.IfyoupurchasedVMwareACEonline,the
serialnumberissentby
email.WorkstationandACEinstancescannotconnecttoanACEManagementServer
withanexpiredornonexistentlicense.
ACE Management Server Administrator’s Manual
12 VMware, Inc.
VMware, Inc. 13
2
ThischapterprovidesguidelinesfordeployingVMwareACEManagementServerinstances,including
capacityplanningandbestpractices.Thischapterincludesthefollowingtopics:
“DeploymentComponents”onpage 13
“PerformingCapacityPlanning”onpage 15
“SecurityFeaturesandConsiderations”onpage 17
“A c c e s s i n g ACEManagementServerfromOutsidetheCorporateFirewall”onpage 19
“DeploymentPlanningWorksheet”onpage 19
Deployment Components
AtypicalACEManagementServerdeploymenthasthefollowingcomponents:
OneormoreACEManagementServerinstancesConfiguringmultipleserverstousethesame
databaseincreasesthenumberofACEclientsyoucanmanageandguaranteeshighavailability.
DatabaseserverForproductiondeployments,VMwarerecommendsOracleDatabase 10gorMSSQL
forACEManagementServerinstalledonaWindowshost,andPostgresforACEManagementServer
installedonaLinuxhost.
(Optional)ActiveDirectorydomaincontrollerToenabletheACEManagementServerActive
Directoryintegration,youmustconfigureACEManagementServertocommunicatewithyourdomain
controller.
(Optional)HTTPloadbalancerUsealoadbalancertohelpscalethecapacityofyourACEManagement
Serverdeployment.
(Optional)HTTPproxyIfclientswillaccessACEManagementServerfromoutsidethecorporate
firewall,VMwarerecommendsusinganHTTPSproxyintheDMZ.YoucanuseACEManagementServer
withApacheProxyandZeusTechnologyLoadBalancer.
ForanexampleofanACEManagementServerdeployment,seeFigure 21.
Planning an ACE Management Server
Deployment
2
ACE Management Server Administrator’s Manual
14 VMware, Inc.
Figure 2-1. Comprehensive ACE Management Server Deployment
ACEManagementServeroffersconvenienceandflexibilityinitssetupoptions.
YoucaninstalltheserveronWindowsorLinuxhosts.Fortestingpurposes,youcandownloadandrunthe
serverasavirtualappliance.ACEManagementServerincludesitsownsecuritycertificatesandembedded
database,butyoucanuse
anexternaldatabaseandusecertificatesfromacertificateauthorityifyouprefer.
YoucanalsoconfigureACEManagementServertouseActiveDirectoryforauthentication.
Host System Options
YoucaninstallACEManagementServeronaWindowshost,aLinuxhost,orasavirtualappliance.Ifyouset
upmultipleACEManagementServerinstances,theymustallbethesametype.
Windows Hosts
IfyouplantointegratewithActiveDirectory,VMwarerecommendsthatyouinstallACEManagementServer
onaWindowshost.
TheWindowsACEManagementServerusestheWinLDAPlibrarybundledwithyourWindowsoperating
systemtointegratewithActiveDirectory.InternaltestingresultsindicatethattheWindowsimplementation
providesbetterperformance
thanLinux.
Linux Hosts
YoucaninstallACEManagementServeronaLinuxhostanduseActiveDirectoryforauthentication,even
thoughperformanceisslowerthanonWindowshosts.IfyouplantouseaLinuxhostinproduction
environments,usetheLinuxinstallerratherthantheACEManagementServerappliance.Ifyoudonot
have
thesupportedLinuxoperatingsystemsinstalledonaphysicalserver,youcancreateavirtualmachine,install
asupportedLinuxoperatingsystem,andinstallACEManagementServerinthevirtualmachine.
Server Appliance Option
TheACEManagementServerapplianceisaselfcontained,preinstalled,andpreconfiguredACE
ManagementServerpackagedwithasmallLinuxoperatingsysteminavirtualmachine.Theapplianceis
convenientandquicktosetupinatestingenvironmentbutisnotrecommendedforproductionenvironments.
Bydefault,theapplianceattempts
toconfigureitsnetworkbyusingDHCP.IfyoudonotwanttouseDHCP,
youcanusethebrowserbasedACEManagementServerSetupapplicationtoconfigurethenetworksettings.
Youcanusethesameinterfacetoupdatetheappliancewhenupdatesbecomeavailable.
Youmusthaveaccesstoa
Webbrowser(Mozilla1.52orhigherorInternetExplorer6.0orhigher)tochange
networksettingsorobtainupdatesfortheappliance.
ACE Management Server
(one or more)
Active Directory
domain controller
(optional)
database
server
proxy for ACE Management Server
service through corporate firewall
(optional)
WSAE client
(within
corporate
network)
load
balancer
(optional)
ACE Player client
(outside corporate network)
ACE Player client
(within
corporate
network)
LDAP
Kerberos
ODBC
HTTPS
HTTPS
HTTPS
HTTPSHTTPS
VMware, Inc. 15
Chapter 2 Planning an ACE Management Server Deployment
Database Options
ACEManagementServeroffersthefollowingdatabaseoptions:
EmbeddedSQLitedatabaseThedefaultmodeofACEManagementServerworkswithanembedded
SQLite3databaseengine.TheSQLitedatabaseengineisinitializedduringserverinstallationandrequires
nospecialconfiguration.The embeddeddatabasesupportsuptoseveralgigabytesofdata.
TheSQLitedatabaseisfilebasedandisnot
designedtobe effectivelysharedacrossmultipleprocesses.If
youusethirdpartytoolstoaccessthedatabaseforareadoperation,therefore,youcannotdependon
transactionalisolationofthependingwriteoperationsoftheACEManagementServer.
Theembeddeddatabaseisadequatefortestingpurposes,butVMwarerecommendsthat
youusean
externaldatabaseinproductionenvironments.
SupportedexternaldatabaseInproductionenvironments,useasupportedexternaldatabaseasa
backingstoreforACEManagementServer,throughODBCconnectivity.Supportedexternaldatabase
enginesarethefollowing:
ForWindowsbasedACEManagementServer,useMicrosoftSQLServer(SQLServer2000orSQL
Server2005)orOracleDatabase10ginstalledonthesamesystemoradifferentWindowssystem
ForLinuxbasedACEManagementServer,usePostgreSQL7.4orhigherinstalledonthesame
systemoradifferentLinuxsystem
UsinganexternaldatabasewithACEManagementServeroffersthefollowingbenefits:
OnlinebackupsothatyoudonothavetoshutdownACEManagementServertobackupthe
database.
Enhancedsecuritymodel.Youcanfinetunepermissionstoaccesssensitivedata.TheSQLite
databaseengineprovidesfilesystembasedsecurity.
Performancefinetuning.
Abilitytouseexternaldatabasemanagementandreportingtools.
AbilitytouseloadbalancerswithmultipleACEManagementServerinstances.Youmustusean
externalRDBMSasthebackingstore,becausetheSQLitedatabaseisnotdesignedtobeeffectively
sharedacrossmultipleprocesses.
Active Directory Authentication Options
ActiveDirectoryintegrationprovidesthefollowingbenefits:
PermitsjoininganoperatingsystemthatisrunninganACEinstancetothedomainremotely.
Providessearchfunctionssoyoucanquicklyfindaparticularindividualorgroup.
EnablesyoutouseActiveDirectoryUsersandGroupstoconfigurerolebasedaccesstothefeaturesof
ACEManagementServer.
Performing Capacity Planning
ACEManagementServerenablesyoutomanageACEinstancesandpoliciesinrealtime.Thenumberof
clientsthatasingleACEManagementServercanservedependsonseveralkeyfactors:
Databasethroughputandscalability
LDAPthroughput(ifyouareusingActiveDirectory)
Networkbandwidthavailableforincomingclientrequests
N
OTEIfACEManagementServerisdeployedintheDMZ,useanexternaldatabaselocatedinsideyour
corporatenetworkbehindafirewall.
ACE Management Server Administrator’s Manual
16 VMware, Inc.
ACEpolicyconfiguration
Loadbalancersforverylargedeployments(morethan5,000clients)
Table 21listsrecommendationsforthenumberofclientssupportedbasedonthehardwareyouareusing.The
figuresforrecommendedclientsreservesomeserverprocessingpowersothatinteractiveclientsreceive
responsesinatimelyfashionandtheserversatisfies
increasesindemand.
Database Throughput and Scalability
Forproductiondeployments,VMwarerecommendsthatyouuseOracle,MSSQL,orPostgresasyour
databaseplatform.
Morethan95percentofthestoragespacethatanACEManagementServerrequiresisusedtologevent
information,whichisanaudittrailofalltransactionsperformedthroughACEManagementServer.Table 2
2
listsrecommendeddatabasesizesbasedonthenumberofclientsbeingserved.
Thefiguresinthetablearebasedona90daydatabasearchivalperiod.Backupthedatabaserecordsevery90
daysandkeepeventlogsfor90days.YoucanconfigureACEManagementServertopurgeevent
logsevery
90days.
Theauthenticationeventgeneratesmostofthedatabecauseaneventisgeneratedeverytimesomeone
attemptstoauthenticatetoACEManagementServer.YoucanconfigureACEManagementServertologless
eventinformation.See“LoggingEvents”onpage 36.
LDAP Throughput
ACEManagementServercancommunicatewithyourActiveDirectorydomaincontrollertoauthenticateuser
credentials.YourdomaincontrollerinfrastructurehandlestheLDAPtrafficrequiredtosupportthenumber
ofclientsthatyouanticipate.
IntegratingwithActiveDirectorythroughLDAPisimplementeddifferentlyintheWindowsACE
ManagementServerthaninthe
LinuxbasedACEManagementServer.TheWindowsACEManagement
ServerusestheWinLDAPlibrarybundledwithyourWindowsoperatingsystem.TheLinuxACE
ManagementServerusesathirdpartyKerberosLibraryandOpenSSL.VMwareinternaltestingresults
indicatethattheWindowsimplementationprovidesbetterperformancethanLinux.
Table 2-1. Number of Clients Supported
Hardware Recommended Clients
2GHzAMD2wayserver(Opteron280,4GBRAM) 6,000
2GHzIntel2waydesktopmachine(4GBRAM) 4,000
Table 2-2. Database Storage Recommendations
Number of Clients Recommended Database Size
100 50Mb
1,000 500Mb
10,000 5,000Mb
VMware, Inc. 17
Chapter 2 Planning an ACE Management Server Deployment
Network Bandwidth and Policy Update Frequency
TheamountofnetworkbandwidththatACEManagementServ erandACEinstancesrequiredependsonthe
frequencyofpolicyupdatesthatyouconfigure.Table 23showstheamountofbandwidthneededwhenyou
useapolicyupdatefrequencyvalueof10 minutes.
VMwarerecommendsthatforlargedeployments(morethan5,000clients),
youincreasethetimebetween
policyupdatesbyclientsbecausethisreducestheamountofrequiredbandwidth.
Table 24showsthebandwidthneededwhenthepolicyupdatefrequencyvalueissetto30minutes.
Theamountofnetworkbandwidthrequiredcanalsobehigherifyourpolicysetisverycomplex.
VMware
recommendsthatyouhaveaseparatenetworklinkbetweenACEManagementServerandyour
databaseserver,sothattrafficcomingandgoingfromACEManagementServertoitsclientsdoesnotinterfere
withthetraffictoandfromyourdatabaseserver.
ACE Policy Configuration
TheconfigurationofACEpoliciescanaffectperformance.Youcanincreasetheamountofdatathatis
transferredbetweenACEManagementServerandACEPlayerbyusingoneofthefollowingmethods:
HostpoliciesEnablinghostpolicies(suchashostnetworkquarantine)requiresthatahostsidedaemon
retrievesthehostpoliciesfromtheACEManagementServer.
ComplexnetworkquarantinepoliciesIfthesetofrulesthatmakesupyournetworkquarantineisvery
large,thetransferoftheserulesfromtheACEManagementServertotheclientscanaffectthescalability.
ThenumbersshowninTable 23andTable 24areestimatesofrequiredbandwidthgiven
averagesize
rulesetsfornetworkquarantine.YoucanviewthesizeofyourpolicysetbyexaminingtheACEfile
directoryandcountingthesizeofthe.vmplfile.Anaveragepolicysetis15KBorless.
Load Balancers
TheACEManagementServerclientserverprotocolisbuiltontopoftheHTTPSprotocol.YoucanuseHTTP
loadbalancingsoftwareandhardwaresolutionstoscaleanACEManagementServerdeploymentbeyondthe
capacityofasingleserver(orforhighavailabilitydeployments).
ACEManagementServerscalesinalinear
fashionwhenanenterprisegradeHTTPSloadbalancerisused.See
Chapter 5,“LoadBalancingMultipleACEManagementServerInstances,”onpage 39.
Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes
Number of Clients Bandwidth Required
100 0.125Mb/sec.
1,000 1.25Mb/sec.
10,000 12.5Mb/sec.
Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes
Number of Clients Bandwidth Required
100 0.04Mb/sec.
1,000 0.4Mb/sec.
10,000 4Mb/sec.
ACE Management Server Administrator’s Manual
18 VMware, Inc.
Security Features and Considerations
Bydefault,ACEManagementServerusestheSecureSocketsLayer(SSL)protocoltoprovideencryptedand
securecommunications.
FollowingisanoverviewofsecurityfeaturesandrecommendationsonhowtoconfiguretheACE
ManagementServertoavoidsecurityproblems:
TraffictoandfromclientsisprotectedbyHTTPSBydefault,ACEManagementServercreatesa
selfsignedcertificatewhenyouinstallittouseforHTTPStraffic.Thesecertificatesaresecure,butyou
canalsoconfigureACEManagementServertouseyourowncertificateandkeypairs.
TrafficfromACEManagementServertoActiveDirectoryisencryptedIftheserverisintegratedwith
anActiveDirectoryservice,itcommunicateswiththeservicethroughanSSLprotectedlink.LDAPtraffic
isencryptedattheapplicationlayer.CredentialsareprotectedbyusingtheKerberosprotocolto
authenticatecredentials.
SensitiveconfigurationoptionsareencryptedPasswordsstoredintheconfigurationfileareencrypted.
DatabasesecurityThedatabasestorecontainssensitivedatasuchascryptographickeys.Configure
yourdatabasesecuritysothatitisprotectedfromintrusionandprotectedincaseofdataloss.Formore
informationaboutfeaturesthatareavailabletoprotectyourdata,seeyourdatabasedocumentation.
SSLencryptsdatathrough
theuseofapublickeyandprivatekeypair.Thepublickeyisknowntoeveryone
andtheprivatekeyisknownonlytothemessagerecipient.URLs thatrequireanSSLconnectionstartwith
https.
DuringACEManagementServerinstallation,thefollowingtwofilesarecreated:
server.keyAnRSA1024bitkey,thisistheprivatekey.
server.crtAselfsignedcertificate.Itssignatureisverifiedbythepublickey,whichisembeddedin
thecertificate.Thispubliccertificateisvalidfor10yearsfromthedateandtimeatwhichtheserveris
installed.ThecertificatefileisencodedinPEMformat.
Bydefault,thesefiles
arestoredintheSSLdirectoryintheVMwareACEManagementServerprogram
directory.
VMwarePlayer,whichrunstheACEinstances,doesnottrustanycertificatesstoredonthehostmachineon
whichitisrunning.Instead,itreliesonacompletecertificationchainthatisincludedintheACE
package.
Usingselfsignedcertificatesisadequateformostsecurityneeds.
Youcan,however,useacertificateissuedbyacertificateauthority.IfyouhavemultipleACEManagement
Serverinstances,youcanuseonecertificateforalloryoucanuseadifferentcertificateoneachone.
Using SSL Certificates and Protocol
WhenanACEenabledvirtualmachineconnectstoanACEManagementServer,itdownloadsthepublic
certificateforthatserverandanychainofcertificatesrequiredtoverifytheserverspubliccertificate.Aserver
certificatemighthaveachainofseveralcertificatesthatmustbeverifiedstepbystepuntilthe
verification
processreachestheroot,ortrusted,certificateinthecertificatestore.Thefirsttimeaconnectionismadetoa
serverbyanyACEenabledvirtualmachineonaWorkstationadministratormachine,thecertificateandits
verificationaredownloadedtotheWorkstationhostsystem.
Thestoreorcollectionofcertificates
thatisdownloadedwhenanACEenabledvirtualmachineconnectstoa
serverisincludedineachACEpackagethatyoucreatewiththatvirtualmachine.ItissavedintheACE
Resourcesdirectory.WhenyoudeployandrunanACEinstanceofthisACEenabledvirtualmachine,the
VMwarePlayer
applicationusesthecertificatesincludedinthepackagetoverifyconnectionsmadetotheACE
ManagementServer.ItverifiesthatthecertificatesthatareintheACEpackagematchthosethattheserver
provides.Iftheydonotmatchexactly,VMware Playerdisplaysanerrormessageanddoesnotrunthe
instance.
VMware, Inc. 19
Chapter 2 Planning an ACE Management Server Deployment
VMwarePlayercheckstheintegrityofthecertificatestoreincludedinthepackageeverytimeitcommunicates
withtheserver.VMwarePlayerdoesnottrustanycertificatesstoredonthehostmachineonwhichitis
running.Instead,itreliesonacompletecertificationchainthatisincludedintheACE
package.Theuseof
selfsignedcertificatesisadequateformostsecurityneeds.
If,however,yourenterpriserequirestheuseofacertificatesignedbyacertificateauthority(internalor
commercial),youcansetupthattypeofkeycertificatepairfortheACEpackagestouse.Acertificateauthority,
orCA,isanentitythatissuesandsignspublickeycertificates,typicallyforafee.
Accessing ACE Management Server from Outside the Corporate
Firewall
AllclientrequeststoACEManagementServerareHTTPStrafficonport443.This meansthatanysolution
usingaproxytosecureHTTPStrafficintoyourcorporateserverscanbeusedtoproxyACEManagement
Servertraffic.
BecauseofthenumberofdataconnectionsthattheACEManagementServermustmake
onthebackend
(LDAP,DNS,ODBC,Kerberos),VMwarerecommendsusinganHTTPSproxyintheDMZ.Thisproxycan
relayACEManagementServertraffictotheactualACEManagementServerinsidethecorporatenetwork.
Figure 2-2. Recommended Deployment for External Access
ACEManagementServercanbedeployedwiththefollowingHTTPSproxysolutions:
ApacheProxyUsingmod_proxy
ZeusTechnologyLoadBalancerAcommerciallyavailableloadbalancerandtrafficmanagement
solution
AvoidthefollowingproblemswhenyouuseaproxyfortrafficintoanACEManagementServer:
SSLTerminationIfyourHTTPSproxyterminatestheSSLconnection,youmustusethesameSSLkey
andcertificateontheHTTPSproxyserverandACEManagementServer.Or,usetheACEManagement
ServercertificatechaintoembedtheHTTPSproxycertificateverificationchainintheACEpackage.
Anexample
ofaproxyserverthatterminatesSSLconnectionsisApacheProxy.TheZeusloadbalancing
productssupportSSLpassthrough,whichmeansthattheSSLconnectionisterminatedatACE
ManagementServer.
MultipleACEManagementServerSSLcertificatesIfyouaredeployingmultipleACEManagement
Serverinstancesbehindaloadbalancingsolution,allACEManagementServerinstancesmustusethe
sameSSLkeyandcertificatepair.YoucanalsousetheACEManagementServercertificatechainfeature
toembedeverySSLcertificate
verificationchainintotheACEpackage.
DNSresolutionWhenyoucreateanACEenabledvirtualmachine,youmustspecifyahostnamefor
ACEManagementServer.ThishostnamemustresolvetotheappropriateIPaddressforbothinternaland
externalclients.Internally,itcanresolvetoACEManagementServeritself.Externally,itcanresolveto
the
HTTPSproxyserver.
BecausethetrafficcomingintoACEManagementServerisplainHTTPStrafficandtheserverisstateless,you
candeploymanyotherconfigurationstoprovideexternalaccesstoanACEManagementServer.Whenyou
designyourdeployment,thinkofACEManagementServerasaWebserverwith
securetraffic.
HTTPS
proxy server
external client
ODBC
NETBIOS (port 137)
DNS
KRB5 (port 88)
LDAP (port 389)
HTTPS traffic
(443)
HTTPS traffic
(443)
external
firewall
AMS server
internal
firewall
ACE Management Server Administrator’s Manual
20 VMware, Inc.
Deployment Planning Worksheet
Usethedeploymentplanningworksheettorecordyourchoiceofserversystem,database,securitycertificates,
andoptionalcomponentsforaproductionenvironment.
Table 2-5. Worksheet for ACE Management Server in a Production Environment
Component Considerations Decision
Active
Directory
integration
PerformanceisbetterwhentheACE
ManagementServerisinstalledona
Windowshost.
Seealso“CreateUsersandGroupsfor
IntegrationwithActiveDirectory”on
page 29.
UseActiveDirectory?________
Ifyes,nameofuseraccountforACE
ManagementServertoquerytheActive
Directorydatabase:__________________
Fullyqualified
domainnameofthe
LDAPserver:_______________________
ACE
Management
Server
Ifyouusemultipleservers,allmustbe
installedonthesameplatform.
Forcapacityplanning,see“Numberof
ClientsSupported”onpage 16.
UseWindowsorLinux
hosts?_____________
Howmanyservers?____________
Database
server
Thedatabaseservermustbecompatible
withtheACEManagement
Serverhost.See
“SupportedExternalDatabases”on
page 11.
MSQL,Oracle,orPostgresSQLdatabase?
____________________________
Loadbalancer Usealoadbalancerforlargedeployments
orforhighavailability.Itmustsupport
HTTPSandrequiresanexternaldatabase.
See“LoadBalancers”onpage 17.
Usealoadbalancer?________
Proxy IfACEclientswillcontactACE
ManagementServer
fromoutsidethe
firewall,useaproxy.See“A c c e s s i n g ACE
ManagementServerfromOutsidethe
CorporateFirewall”onpage 19.
Useaproxy?__________
ApacheProxyorZeus TechnologyLoad
Balancer?________________________
SSL
certificates
Ifyouusemultipleserversandplantouse
adifferentSSLcertificateforeachone,you
mustcreate
orsendforthecertificates.
ACEManagementServersupportsonly
publickeycertificatesthataresignedusing
theSHA1algorithm.See“UsingSSL
CertificatesandProtocol”onpage 18.
Whichtypeofcertificate:selfsigned
thirdparty,orinternalCA(certificate
authority)?___________________
Numberofcertificates?__________
Ports ForActiveDirectory,useport389.
For
theACEManagementServer
appliance,useport8080.See“Changethe
PortAssignmentforACEManagement
Server ”onpage 51and“A c c e s s i n g ACE
ManagementServerfromOutsidethe
CorporateFirewall”onpage 19.
Port8000forconfiguringtheACE
ManagementServer.
Port443forclientrequests.
Whichadditionalports?______________
/