VMware ACE 2.6 User manual

Brand: VMware

Model: ACE 2.6

Category: Software

Type: User manual

ACE Management Server

Administrator’s Manual

VMware ACE 2.6

This document supports the version of each product listed and

supports all subsequent versions until the document is replaced

by a new edition. To check for more recent editions of this

document, see http://www.vmware.com/support/pubs.

EN-000169-00

VMware, Inc.

3401 Hillview Ave.

Palo Alto, CA 94304

www.vmware.com

2 VMware, Inc.

ACE Management Server Administrator’s Manual

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

intellectual property laws. VMware products are covered by one or more patents listed at

http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks

and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3

Contents

AboutThisBook 7

1 Introduction 9

FeaturesofACEManagementServer 9

SystemRequirements 10

RequiredHardware 10

SupportedOperatingSystems 10

SupportedExternalDatabases 10

SupportedProxies 11

RequiredWebBrowsers 11

Licensing 11

2 PlanninganACEManagementServerDeployment 13

DeploymentComponents 13

HostSystemOptions 14

WindowsHosts 14

LinuxHosts 14

ServerApplianceOption 14

DatabaseOptions 15

ActiveDirectoryAuthenticationOptions 15

PerformingCapacityPlanning 15

DatabaseThroughputandScalability 16

LDAPThroughput 16

NetworkBandwidthandPolicyUpdateFrequency 16

ACEPolicyConfiguration 17

LoadBalancers 17

SecurityFeaturesandConsiderations 17

UsingSSLCertificatesandProtocol 18

AccessingACEManagementServerfromOutsidetheCorporateFirewall 19

DeploymentPlanningWorksheet 19

3 InstallingandConfiguringACE Management Server 21

PreparingforInstallation 21

ConfigureTLSinYourBrowser 21

InstallingandUpgradingACEManagementServer 22

InstallanACEManagementServeronaWindowsHost 22

InstallACEManagementServeronaLinuxSystem 23

InstallanACEManagementServerAppliance 24

VerifyThattheApacheServiceIsStartedorRestarted 25

StartandConfigureACEManagementServer 26

LogInto

ACEManagementServer 26

ACE Management Server Administrator’s Manual

4 VMware, Inc.

4 ConfigurationOptionsforACEManagementServer 29

PrerequisitesforConfiguringtheServer 29

CreateUsersandGroupsforIntegrationwithActiveDirectory 29

SetUpanExternalDatabase 30

CreatingaSystemDSNEntryforanExternalDatabase 31

IncreasetheNumberofDatabaseConnectionsAllowed 32

EnableDatabaseConnectionPoolingonLinux 33

SetUpaConnectionBetweentheServerApplianceandanExternalDatabase 33

PrepareCustomSecurityCertificates 33

ViewthePropertiesoftheSelf‐SignedCertificateFile 34

StartingACEManagementServerConfiguration 34

ViewingandChangingLicensingInformation 34

UsinganExternalDatabase 35

CreatingAccessControl 35

UploadingCustomSSLCertificates 36

LoggingEvents 37

ApplyingConfigurationSettings 37

5 Load‐BalancingMultipleACEManagementServerInstances 39

TypicalSetupUsingLoad‐BalancedACEManagementServerInstances 40

InstalltheRequiredServicesforLoadBalancing 40

UsetheSameSSLCertificateonAllServers 41

CreateNewSSLCertificatesandKeysforEachServer 41

InstallingandConfiguringtheLoadBalancer 43

VerifyThatACEInstancesAreUsingtheLoadBalancer 43

6 ManagingACEInstances 45

ViewingACEInstancesThattheServerManages 45

UsetheVMwareACEHelpDeskApplication 46

UsetheInstanceViewinWorkstation 46

SearchforanInstance 47

SortbyColumnHeadingandChangeColumnWidth 47

Show,Hide,andMoveColumnsintheInstanceView 48

CreateorDeleteCustomColumnsintheInstanceView 48

ViewInstanceDetails 48

Reactivate,Deactivate,

orDeleteanACEInstance 49

PoliciesTab 49

ChangeaCopyProtectionID 49

ResettheAuthenticationPassword 50

AddInformationforCustomColumns 50

7 TroubleshootingandMaintenance 51

TroubleshootingConfigurationProblems 51

ConnectionProblemsBetweenaLinuxACEInstanceandACEManagementServer 51

ChangethePortAssignmentforACEManagementServer 51

DeletetheServerConfigurationFileandSetaNewAdministratorPassword 52

RestoreaBackupCopyofanSSLCertificate 52

ConfiguringMultipleACEManagementServerInstancestoUseSSL 53

DatabaseBackup 53

VMware, Inc. 5

Contents

Appendix:DatabaseSchemaandAuditEventLogData 55

UsingDatabaseReportingTools 55

DatabaseSchema 55

QueryingtheAuditEventLogData 59

Glossary 63

Index 65

ACE Management Server Administrator’s Manual

6 VMware, Inc.

VMware, Inc. 7

Thismanual,theVMwareACEManagementServerAdministrator’sManual,providesinformationabout

installingandusingtheVMware

ACEManagementServer,whichenablesyoutomanageACEinstancesin

realtime.UsingACEManagementServerisoptional,butdoingsoprovidesthefollowingbenefits:

 ManageactivationofACEpackages.

 Manageauthenticationofthoseactivatedpackages.

 DynamicallydeliverpolicyupdatestomanagedACEinstances.

 DynamicallydeliverinstancecustomizationdataformanagedACEinstanceswithWindowsguest

operatingsystems.

Intended Audience

Thisbookisintendedforanyonewhoneedstoinstall,upgrade,oruseACEManagementServertomanage

ACEinstances.ACEManagementServerisintendedforACEadministratorswhomustmaintainandupdate

ACEpoliciesusedonvirtualmachinesdeployedthroughoutanenterprise.

Document Feedback

VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhavecomments,sendyour

feedbackto:

[email protected]

Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversion

ofthisbookandotherbooks,gotohttp://www.vmware.com/support/pubs.

Online and Telephone Support

Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and

Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseon

priority1issues.Gotohttp://www.vmware.com/support/phone_support.html.

Support Offerings

TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto

http://www.vmware.com/support/services.

About This Book

ACE Management Server Administrator’s Manual

8 VMware, Inc.

VMware Professional Services

VMwareEducationServicescoursesofferextensivehands‐onlabs,casestudyexamples,andcoursematerials

designedtobeusedason‐the‐jobreferencetools.Coursesareavailableonsite,intheclassroom,andlive

online.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides

offeringsto helpyouassess,plan,

build,andmanageyourvirtualenvironment.Toaccessinformationabout

educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services.

VMware, Inc. 9

TheVMwareACEManagementServerenablesyoutomanageVMwareACEinstances,todynamically

publishpolicychangesforthoseinstances,andtotestanddeploypackagesmoreeasily.

Thischapterincludesthefollowingtopics:

 “FeaturesofACEManagementServer”onpage 9

 “SystemRequirements”onpage 10

Features of ACE Management Server

ACEManagementServeroffersscalabilityandreliability:

 Youcanincreasecapacitybyaddingnetworkresourcessuchasloadbalancersandextraserverhardware.

 Fortestingenvironments,thedefaultembeddedbackingstoreprovidesasimpleandefficientdatabase

solution.ToscaleACEManagementServerforproductiondeployments,youcanconfigureandusean

externalrelationaldatabasemanagementsystem(RDBMS).

 InWindows,multithreadedprocesseshandleserverrequests.InLinux,multipleprocesseshandleserver

requests.Ifoneprocessfails,anothertakesover.

ACEManagementServeroffersActiveDirectoryintegration:

 YoucanuseActiveDirectorytoauthenticateusersofACEinstances.

 YoudonotneedaschemachangeforyourexistingActiveDirectory.

 LDAPisusedtoaccessActiveDirectory.

 InformationaboutWindowsdomainuseraccountstatesisprovidedinclearandusefulmessages.

Reasonsforloginfailuresarepresentedas“lockedout”or“passwordexpired.”

 ACEManagementServeractsasanActiveDirectorypasswordchangeproxy.

 YoucanusetheinstancecustomizationfeatureinACEwithyourownestablishednamingconventionsto

associateuserswithmachines.

Securityfeaturesincludethefollowing:

 EncryptedcommunicationsbetweenserverandclientstraveloverHTTPStraffic.

 Passwordsarestoredsecurelyinhashedforminthebackingstore.

 FlexibledatabaseoptionsallowuseofanembeddeddatabaseorexternalRDBMStostoreACEinstance

dataandpolicies.

Introduction

ACE Management Server Administrator’s Manual

10 VMware, Inc.

ACEManagementServeriseasytoinstallandconfigure.Clienttrafficcanbeproxiedbyeasilyavailable

products.Theserveruseseasilyavailablesoftwarecomponents:

 ApacheWebserver2.0

 ThedefaultSQLitedatabasestore

Theserversetupusesindustry‐standardprotocols:

 HTTPSandLDAP

 XML‐RPCformessageencapsulation

ACEManagementServeroffersextensibilityandavailability:

 YoucancreateandusemorethanoneACEManagementServer.Whenyouusemorethanoneserver,you

cansettheserversupsothattheysharethesamedatabaseforloadbalancingorincreasedfaulttolerance.

 AWindowsACEManagementServercanbeonthesamesystemasWorkstation.

 YoucandesignateasingleACEManagementServername,suchas

https://ace.policyserver.company.com,anduseDNSlookuptotranslatethehostnametoan

address.TheaddressiscachedifaDNSserverisnotavailable.Additionally,youcanusedifferentACE

ManagementServerinstancesifuserstravelbetweenofficesin

differentgeographiclocations.

System Requirements

ThefollowingsectionsdescribetheACEManagementServersystemrequirements.

Required Hardware

 Aminimumofan800MHz‐compatiblex86andx86‐64architectureprocessor

Compatibleprocessorsinclude:

Celeron,PentiumII,PentiumIII,Pentium4,PentiumM(includingcomputerswithCentrinomobile

technology),Xeon(includingPrestonia),AMD,Athlon,Athlon MP,AthlonXP,Duron,Opteron,AMD64

Opteron,andAthlon64

 ExperimentalsupportforIntelIA‐32eCPU

 40MBoffreespaceisrequiredforbasicinstallation.VMwarerecommendsatleast10GBoffreediskspace.

 An8‐bitdisplayadapterisrequired.

 Forlocalareanetworking,anyEthernetcontrollerthattheoperatingsystemsupportsissufficient.

Supported Operating Systems

FollowingarethesupportedoperatingsystemsforACEManagementServer:

 WindowsServer2003WebEditionSP1andSP2,WindowsServer2003StandardEditionSP1andSP2,

WindowsServer2003EnterpriseEditionSP1andSP2(includes64‐bitandR2editions)

 WindowsXPProfessional(includes64‐biteditions)

 Windows2000ServerServicePack4andWindows2000AdvancedServerServicePack 4

 RedHatEnterpriseLinuxAdvancedServer4.0withUpdate 4.

 SUSELinuxEnterpriseServer9ServicePack3

OTEYourservernamemustbeeitherthemachinenameinEnglishortheIP address.International

charactersarenotsupported.

VMware, Inc. 11

Chapter 1 Introduction

Supported External Databases

AnSQLitedatabaseengineisembeddedinACEManagementServer.Althoughthisdatabaseisadequatefor

testingpurposes,useoneofthefollowingexternaldatabasesinproductionenvironments:

 ForaWindows‐basedACEManagementServer–MicrosoftSQLServer2000orhigher;

Oracle Database 10g

IfyouuseaMicrosoftSQLServerdatabase,thedatabasemustbehostedonasystemthatusesthesame

localeasthesystemthathostsACEManagementServer.Forexample,ifACEManagementServeris



installedonaJapanesesystem,thedatabaseservermustalsobeinstalledonaJapanesesystemandmust

useJapanesecollation.

 ForaLinux‐basedACEManagementServer–PostgreSQL7.4orhigher

Supported Proxies

YoucandeployACEManagementServerwiththefollowingHTTPSproxysolutions:

 ApacheProxy–Usingmod_proxy

 ZeusTechnologyLoadBalancer–Acommerciallyavailableloadbalancerandtrafficmanagement

solution

Required Web Browsers

Thebrowser‐basedACEManagementServerSetupapplicationandtheVMwareACEHelpDeskapplication

requireoneofthefollowingWebbrowsers:

 MozillaFirefox1.52orhigher

 InternetExplorer6.0orhigher.MakesurethattheInternetExplorerbrowserhasTLS1.0checkedtolog

intotheAMSwebconfigurationpage.

Licensing

YoumustconfiguretheserverandentertheserialnumberintheserversetupWebapplication.Ifyoudonot,

youcannotconnecttotheserverinWorkstation.

Yourserialnumberisontheregistrationcardinyourpackage.IfyoupurchasedVMwareACEonline,the

serialnumberissentby

email.WorkstationandACEinstancescannotconnecttoanACEManagementServer

withanexpiredornonexistentlicense.

ACE Management Server Administrator’s Manual

12 VMware, Inc.

VMware, Inc. 13

ThischapterprovidesguidelinesfordeployingVMwareACEManagementServerinstances,including

capacityplanningandbestpractices.Thischapterincludesthefollowingtopics:

 “DeploymentComponents”onpage 13

 “PerformingCapacityPlanning”onpage 15

 “SecurityFeaturesandConsiderations”onpage 17

 “A c c e s s i n g ACEManagementServerfromOutsidetheCorporateFirewall”onpage 19

 “DeploymentPlanningWorksheet”onpage 19

Deployment Components

AtypicalACEManagementServerdeploymenthasthefollowingcomponents:

 OneormoreACEManagementServerinstances–Configuringmultipleserverstousethesame

databaseincreasesthenumberofACEclientsyoucanmanageandguaranteeshighavailability.

 Databaseserver–Forproductiondeployments,VMwarerecommendsOracleDatabase 10gorMS‐SQL

forACEManagementServerinstalledonaWindowshost,andPostgresforACEManagementServer

installedonaLinuxhost.

 (Optional)ActiveDirectorydomaincontroller–ToenabletheACEManagementServerActive

Directoryintegration,youmustconfigureACEManagementServertocommunicatewithyourdomain

controller.

 (Optional)HTTPloadbalancer–UsealoadbalancertohelpscalethecapacityofyourACEManagement

Serverdeployment.

 (Optional)HTTPproxy–IfclientswillaccessACEManagementServerfromoutsidethecorporate

firewall,VMwarerecommendsusinganHTTPSproxyintheDMZ.YoucanuseACEManagementServer

withApacheProxyandZeusTechnologyLoadBalancer.

ForanexampleofanACEManagementServerdeployment,seeFigure 2‐1.

Planning an ACE Management Server

Deployment

ACE Management Server Administrator’s Manual

14 VMware, Inc.

Figure 2-1. Comprehensive ACE Management Server Deployment

ACEManagementServeroffersconvenienceandflexibilityinitssetupoptions.

YoucaninstalltheserveronWindowsorLinuxhosts.Fortestingpurposes,youcandownloadandrunthe

serverasavirtualappliance.ACEManagementServerincludesitsownsecuritycertificatesandembedded

database,butyoucanuse

anexternaldatabaseandusecertificatesfromacertificateauthorityifyouprefer.

YoucanalsoconfigureACEManagementServertouseActiveDirectoryforauthentication.

Host System Options

YoucaninstallACEManagementServeronaWindowshost,aLinuxhost,orasavirtualappliance.Ifyouset

upmultipleACEManagementServerinstances,theymustallbethesametype.

Windows Hosts

IfyouplantointegratewithActiveDirectory,VMwarerecommendsthatyouinstallACEManagementServer

onaWindowshost.

TheWindowsACEManagementServerusestheWinLDAPlibrarybundledwithyourWindowsoperating

systemtointegratewithActiveDirectory.InternaltestingresultsindicatethattheWindowsimplementation

providesbetterperformance

thanLinux.

Linux Hosts

YoucaninstallACEManagementServeronaLinuxhostanduseActiveDirectoryforauthentication,even

thoughperformanceisslowerthanonWindowshosts.IfyouplantouseaLinuxhostinproduction

environments,usetheLinuxinstallerratherthantheACEManagementServerappliance.Ifyoudonot

have

thesupportedLinuxoperatingsystemsinstalledonaphysicalserver,youcancreateavirtualmachine,install

asupportedLinuxoperatingsystem,andinstallACEManagementServerinthevirtualmachine.

Server Appliance Option

TheACEManagementServerapplianceisaself‐contained,preinstalled,andpreconfiguredACE

ManagementServerpackagedwithasmallLinuxoperatingsysteminavirtualmachine.Theapplianceis

convenientandquicktosetupinatestingenvironmentbutisnotrecommendedforproductionenvironments.

Bydefault,theapplianceattempts

toconfigureitsnetworkbyusingDHCP.IfyoudonotwanttouseDHCP,

youcanusethebrowser‐basedACEManagementServerSetupapplicationtoconfigurethenetworksettings.

Youcanusethesameinterfacetoupdatetheappliancewhenupdatesbecomeavailable.

Youmusthaveaccesstoa

Webbrowser(Mozilla1.52orhigherorInternetExplorer6.0orhigher)tochange

networksettingsorobtainupdatesfortheappliance.

ACE Management Server

(one or more)

Active Directory

domain controller

(optional)

database

server

proxy for ACE Management Server

service through corporate firewall

(optional)

WSAE client

(within

corporate

network)

load

balancer

(optional)

ACE Player client

(outside corporate network)

ACE Player client

(within

corporate

network)

LDAP

Kerberos

ODBC

HTTPS

HTTPSHTTPS

VMware, Inc. 15

Chapter 2 Planning an ACE Management Server Deployment

Database Options

ACEManagementServeroffersthefollowingdatabaseoptions:

 EmbeddedSQLitedatabase–ThedefaultmodeofACEManagementServerworkswithanembedded

SQLite3databaseengine.TheSQLitedatabaseengineisinitializedduringserverinstallationandrequires

nospecialconfiguration.The embeddeddatabasesupportsuptoseveralgigabytesofdata.

TheSQLitedatabaseisfilebasedandisnot

designedtobe effectivelysharedacrossmultipleprocesses.If

youusethird‐partytoolstoaccessthedatabaseforareadoperation,therefore,youcannotdependon

transactionalisolationofthependingwriteoperationsoftheACEManagementServer.

Theembeddeddatabaseisadequatefortestingpurposes,butVMwarerecommendsthat

youusean

externaldatabaseinproductionenvironments.

 Supportedexternaldatabase–Inproductionenvironments,useasupportedexternaldatabaseasa

backingstoreforACEManagementServer,throughODBCconnectivity.Supportedexternaldatabase

enginesarethefollowing:

 ForWindows‐basedACEManagementServer,useMicrosoftSQLServer(SQLServer2000orSQL

Server2005)orOracleDatabase10ginstalledonthesamesystemoradifferentWindowssystem

 ForLinux‐basedACEManagementServer,usePostgreSQL7.4orhigherinstalledonthesame

systemoradifferentLinuxsystem

UsinganexternaldatabasewithACEManagementServeroffersthefollowingbenefits:

 OnlinebackupsothatyoudonothavetoshutdownACEManagementServertobackupthe

database.

 Enhancedsecuritymodel.Youcanfine‐tunepermissionstoaccesssensitivedata.TheSQLite

databaseengineprovidesfile‐systembasedsecurity.

 Performancefine‐tuning.

 Abilitytouseexternaldatabasemanagementandreportingtools.

 AbilitytouseloadbalancerswithmultipleACEManagementServerinstances.Youmustusean

externalRDBMSasthebackingstore,becausetheSQLitedatabaseisnotdesignedtobeeffectively

sharedacrossmultipleprocesses.

Active Directory Authentication Options

ActiveDirectoryintegrationprovidesthefollowingbenefits:

 PermitsjoininganoperatingsystemthatisrunninganACEinstancetothedomainremotely.

 Providessearchfunctionssoyoucanquicklyfindaparticularindividualorgroup.

 EnablesyoutouseActiveDirectoryUsersandGroupstoconfigurerole‐basedaccesstothefeaturesof

ACEManagementServer.

Performing Capacity Planning

ACEManagementServerenablesyoutomanageACEinstancesandpoliciesinrealtime.Thenumberof

clientsthatasingleACEManagementServercanservedependsonseveralkeyfactors:

 Databasethroughputandscalability

 LDAPthroughput(ifyouareusingActiveDirectory)

 Networkbandwidthavailableforincomingclientrequests

OTEIfACEManagementServerisdeployedintheDMZ,useanexternaldatabaselocatedinsideyour

corporatenetworkbehindafirewall.

ACE Management Server Administrator’s Manual

16 VMware, Inc.

 ACEpolicyconfiguration

 Loadbalancersforverylargedeployments(morethan5,000clients)

Table 2‐1listsrecommendationsforthenumberofclientssupportedbasedonthehardwareyouareusing.The

figuresforrecommendedclientsreservesomeserverprocessingpowersothatinteractiveclientsreceive

responsesinatimelyfashionandtheserversatisfies

increasesindemand.

Database Throughput and Scalability

Forproductiondeployments,VMwarerecommendsthatyouuseOracle,MS‐SQL,orPostgresasyour

databaseplatform.

Morethan95percentofthestoragespacethatanACEManagementServerrequiresisusedtologevent

information,whichisanaudittrailofalltransactionsperformedthroughACEManagementServer.Table 2

‐2

listsrecommendeddatabasesizesbasedonthenumberofclientsbeingserved.

Thefiguresinthetablearebasedona90‐daydatabasearchivalperiod.Backupthedatabaserecordsevery90

daysandkeepeventlogsfor90days.YoucanconfigureACEManagementServertopurgeevent

logsevery

90days.

Theauthenticationeventgeneratesmostofthedatabecauseaneventisgeneratedeverytimesomeone

attemptstoauthenticatetoACEManagementServer.YoucanconfigureACEManagementServertologless

eventinformation.See“LoggingEvents”onpage 36.

LDAP Throughput

ACEManagementServercancommunicatewithyourActiveDirectorydomaincontrollertoauthenticateuser

credentials.YourdomaincontrollerinfrastructurehandlestheLDAPtrafficrequiredtosupportthenumber

ofclientsthatyouanticipate.

IntegratingwithActiveDirectorythroughLDAPisimplementeddifferentlyintheWindowsACE

ManagementServerthaninthe

Linux‐basedACEManagementServer.TheWindowsACEManagement

ServerusestheWinLDAPlibrarybundledwithyourWindowsoperatingsystem.TheLinuxACE

ManagementServerusesathird‐partyKerberosLibraryandOpenSSL.VMwareinternaltestingresults

indicatethattheWindowsimplementationprovidesbetterperformancethanLinux.

Table 2-1. Number of Clients Supported

Hardware Recommended Clients

2‐GHzAMD2‐wayserver(Opteron280,4GBRAM) 6,000

2‐GHzIntel2‐waydesktopmachine(4GBRAM) 4,000

Table 2-2. Database Storage Recommendations

Number of Clients Recommended Database Size

100 50Mb

1,000 500Mb

10,000 5,000Mb

VMware, Inc. 17

Chapter 2 Planning an ACE Management Server Deployment

Network Bandwidth and Policy Update Frequency

TheamountofnetworkbandwidththatACEManagementServ erandACEinstancesrequiredependsonthe

frequencyofpolicyupdatesthatyouconfigure.Table 2‐3showstheamountofbandwidthneededwhenyou

useapolicyupdatefrequencyvalueof10 minutes.

VMwarerecommendsthatforlargedeployments(morethan5,000clients),

youincreasethetimebetween

policyupdatesbyclientsbecausethisreducestheamountofrequiredbandwidth.

Table 2‐4showsthebandwidthneededwhenthepolicyupdatefrequencyvalueissetto30minutes.

Theamountofnetworkbandwidthrequiredcanalsobehigherifyourpolicysetisverycomplex.

VMware

recommendsthatyouhaveaseparatenetworklinkbetweenACEManagementServerandyour

databaseserver,sothattrafficcomingandgoingfromACEManagementServertoitsclientsdoesnotinterfere

withthetraffictoandfromyourdatabaseserver.

ACE Policy Configuration

TheconfigurationofACEpoliciescanaffectperformance.Youcanincreasetheamountofdatathatis

transferredbetweenACEManagementServerandACEPlayerbyusingoneofthefollowingmethods:

 Hostpolicies–Enablinghostpolicies(suchashostnetworkquarantine)requiresthatahost‐sidedaemon

retrievesthehostpoliciesfromtheACEManagementServer.

 Complexnetworkquarantinepolicies–Ifthesetofrulesthatmakesupyournetworkquarantineisvery

large,thetransferoftheserulesfromtheACEManagementServertotheclientscanaffectthescalability.

ThenumbersshowninTable 2‐3andTable 2‐4areestimatesofrequiredbandwidthgiven

average‐size

rulesetsfornetworkquarantine.YoucanviewthesizeofyourpolicysetbyexaminingtheACEfile

directoryandcountingthesizeofthe.vmplfile.Anaveragepolicysetis15KBorless.

Load Balancers

TheACEManagementServerclient‐serverprotocolisbuiltontopoftheHTTPSprotocol.YoucanuseHTTP

load‐balancingsoftwareandhardwaresolutionstoscaleanACEManagementServerdeploymentbeyondthe

capacityofasingleserver(orforhigh‐availabilitydeployments).

ACEManagementServerscalesinalinear

fashionwhenanenterprise‐gradeHTTPSloadbalancerisused.See

Chapter 5,“Load‐BalancingMultipleACEManagementServerInstances,”onpage 39.

Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes

Number of Clients Bandwidth Required

100 0.125Mb/sec.

1,000 1.25Mb/sec.

10,000 12.5Mb/sec.

Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes

Number of Clients Bandwidth Required

100 0.04Mb/sec.

1,000 0.4Mb/sec.

10,000 4Mb/sec.

ACE Management Server Administrator’s Manual

18 VMware, Inc.

Security Features and Considerations

Bydefault,ACEManagementServerusestheSecureSocketsLayer(SSL)protocoltoprovideencryptedand

securecommunications.

FollowingisanoverviewofsecurityfeaturesandrecommendationsonhowtoconfiguretheACE

ManagementServertoavoidsecurityproblems:

 TraffictoandfromclientsisprotectedbyHTTPS–Bydefault,ACEManagementServercreatesa

self‐signedcertificatewhenyouinstallittouseforHTTPStraffic.Thesecertificatesaresecure,butyou

canalsoconfigureACEManagementServertouseyourowncertificateandkeypairs.

 TrafficfromACEManagementServertoActiveDirectoryisencrypted–Iftheserverisintegratedwith

anActiveDirectoryservice,itcommunicateswiththeservicethroughanSSL‐protectedlink.LDAPtraffic 

isencryptedattheapplicationlayer.CredentialsareprotectedbyusingtheKerberosprotocolto

authenticatecredentials.

 Sensitiveconfigurationoptionsareencrypted–Passwordsstoredintheconfigurationfileareencrypted.

 Databasesecurity–Thedatabasestorecontainssensitivedatasuchascryptographickeys.Configure

yourdatabasesecuritysothatitisprotectedfromintrusionandprotectedincaseofdataloss.Formore

informationaboutfeaturesthatareavailabletoprotectyourdata,seeyourdatabasedocumentation.

SSLencryptsdatathrough

theuseofapublic‐keyandprivate‐keypair.Thepublickeyisknowntoeveryone

andtheprivatekeyisknownonlytothemessagerecipient.URLs thatrequireanSSLconnectionstartwith

https.

DuringACEManagementServerinstallation,thefollowingtwofilesarecreated:

 server.key–AnRSA1024‐bitkey,thisistheprivatekey.

 server.crt–Aself‐signedcertificate.Itssignatureisverifiedbythepublickey,whichisembeddedin

thecertificate.Thispubliccertificateisvalidfor10yearsfromthedateandtimeatwhichtheserveris

installed.ThecertificatefileisencodedinPEMformat.

Bydefault,thesefiles

arestoredintheSSLdirectoryintheVMwareACEManagementServerprogram

directory.

VMwarePlayer,whichrunstheACEinstances,doesnottrustanycertificatesstoredonthehostmachineon

whichitisrunning.Instead,itreliesonacompletecertificationchainthatisincludedintheACE

package.

Usingself‐signedcertificatesisadequateformostsecurityneeds.

Youcan,however,useacertificateissuedbyacertificateauthority.IfyouhavemultipleACEManagement

Serverinstances,youcanuseonecertificateforalloryoucanuseadifferentcertificateoneachone.

Using SSL Certificates and Protocol

WhenanACE‐enabledvirtualmachineconnectstoanACEManagementServer,itdownloadsthepublic

certificateforthatserverandanychainofcertificatesrequiredtoverifytheserver’spubliccertificate.Aserver

certificatemighthaveachainofseveralcertificatesthatmustbeverifiedstepbystepuntilthe

verification

processreachestheroot,ortrusted,certificateinthecertificatestore.Thefirsttimeaconnectionismadetoa

serverbyanyACE‐enabledvirtualmachineonaWorkstationadministratormachine,thecertificateandits

verificationaredownloadedtotheWorkstationhostsystem.

Thestoreorcollectionofcertificates

thatisdownloadedwhenanACE‐enabledvirtualmachineconnectstoa

serverisincludedineachACEpackagethatyoucreatewiththatvirtualmachine.ItissavedintheACE

Resourcesdirectory.WhenyoudeployandrunanACEinstanceofthisACE‐enabledvirtualmachine,the

VMwarePlayer

applicationusesthecertificatesincludedinthepackagetoverifyconnectionsmadetotheACE

ManagementServer.ItverifiesthatthecertificatesthatareintheACEpackagematchthosethattheserver

provides.Iftheydonotmatchexactly,VMware Playerdisplaysanerrormessageanddoesnotrunthe

instance.

VMware, Inc. 19

Chapter 2 Planning an ACE Management Server Deployment

VMwarePlayercheckstheintegrityofthecertificatestoreincludedinthepackageeverytimeitcommunicates

withtheserver.VMwarePlayerdoesnottrustanycertificatesstoredonthehostmachineonwhichitis

running.Instead,itreliesonacompletecertificationchainthatisincludedintheACE

package.Theuseof

self‐signedcertificatesisadequateformostsecurityneeds.

If,however,yourenterpriserequirestheuseofacertificatesignedbyacertificateauthority(internalor

commercial),youcansetupthattypeofkey‐certificatepairfortheACEpackagestouse.Acertificateauthority,

orCA,isanentitythatissuesandsignspublic‐keycertificates,typicallyforafee.

Accessing ACE Management Server from Outside the Corporate

Firewall

AllclientrequeststoACEManagementServerareHTTPStrafficonport443.This meansthatanysolution

usingaproxytosecureHTTPStrafficintoyourcorporateserverscanbeusedtoproxyACEManagement

Servertraffic.

BecauseofthenumberofdataconnectionsthattheACEManagementServermustmake

onthebackend

(LDAP,DNS,ODBC,Kerberos),VMwarerecommendsusinganHTTPSproxyintheDMZ.Thisproxycan

relayACEManagementServertraffictotheactualACEManagementServerinsidethecorporatenetwork.

Figure 2-2. Recommended Deployment for External Access

ACEManagementServercanbedeployedwiththefollowingHTTPSproxysolutions:

 ApacheProxy–Usingmod_proxy

 ZeusTechnologyLoadBalancer–Acommerciallyavailableloadbalancerandtrafficmanagement

solution

AvoidthefollowingproblemswhenyouuseaproxyfortrafficintoanACEManagementServer:

 SSLTermination–IfyourHTTPSproxyterminatestheSSLconnection,youmustusethesameSSLkey

andcertificateontheHTTPSproxyserverandACEManagementServer.Or,usetheACEManagement

ServercertificatechaintoembedtheHTTPSproxycertificateverificationchainintheACEpackage.

Anexample

ofaproxyserverthatterminatesSSLconnectionsisApacheProxy.TheZeusload‐balancing

productssupportSSLpassthrough,whichmeansthattheSSLconnectionisterminatedatACE

ManagementServer.

 MultipleACEManagementServerSSLcertificates–IfyouaredeployingmultipleACEManagement

Serverinstancesbehindaload‐balancingsolution,allACEManagementServerinstancesmustusethe

sameSSLkeyandcertificatepair.YoucanalsousetheACEManagementServercertificatechainfeature

toembedeverySSLcertificate

verificationchainintotheACEpackage.

 DNSresolution–WhenyoucreateanACE‐enabledvirtualmachine,youmustspecifyahostnamefor

ACEManagementServer.ThishostnamemustresolvetotheappropriateIPaddressforbothinternaland

externalclients.Internally,itcanresolvetoACEManagementServeritself.Externally,itcanresolveto

the

HTTPSproxyserver.

BecausethetrafficcomingintoACEManagementServerisplainHTTPStrafficandtheserverisstateless,you

candeploymanyotherconfigurationstoprovideexternalaccesstoanACEManagementServer.Whenyou

designyourdeployment,thinkofACEManagementServerasaWebserverwith

securetraffic.

HTTPS

proxy server

external client

ODBC

NETBIOS (port 137)

DNS

KRB5 (port 88)

LDAP (port 389)

HTTPS traffic

(443)

HTTPS traffic

(443)

external

firewall

AMS server

internal

firewall

ACE Management Server Administrator’s Manual

20 VMware, Inc.

Deployment Planning Worksheet

Usethedeploymentplanningworksheettorecordyourchoiceofserversystem,database,securitycertificates,

andoptionalcomponentsforaproductionenvironment.

Table 2-5. Worksheet for ACE Management Server in a Production Environment

Component Considerations Decision

Active

Directory

integration

PerformanceisbetterwhentheACE

ManagementServerisinstalledona

Windowshost.

Seealso“CreateUsersandGroupsfor

IntegrationwithActiveDirectory”on

page 29.

UseActiveDirectory?________

Ifyes,nameofuseraccountforACE

ManagementServertoquerytheActive

Directorydatabase:__________________

Fullyqualified

domainnameofthe

LDAPserver:_______________________

ACE

Management

Server

Ifyouusemultipleservers,allmustbe

installedonthesameplatform.

Forcapacityplanning,see“Numberof

ClientsSupported”onpage 16.

UseWindowsorLinux

hosts?_____________

Howmanyservers?____________

Database

server

Thedatabaseservermustbecompatible

withtheACEManagement

Serverhost.See

“SupportedExternalDatabases”on

page 11.

MSQL,Oracle,orPostgresSQLdatabase?

____________________________

Loadbalancer Usealoadbalancerforlargedeployments

orforhighavailability.Itmustsupport

HTTPSandrequiresanexternaldatabase.

See“LoadBalancers”onpage 17.

Usealoadbalancer?________

Proxy IfACEclientswillcontactACE

ManagementServer

fromoutsidethe

firewall,useaproxy.See“A c c e s s i n g ACE

ManagementServerfromOutsidethe

CorporateFirewall”onpage 19.

Useaproxy?__________

ApacheProxyorZeus TechnologyLoad

Balancer?________________________

SSL

certificates

Ifyouusemultipleserversandplantouse

adifferentSSLcertificateforeachone,you

mustcreate

orsendforthecertificates.

ACEManagementServersupportsonly

public‐keycertificatesthataresignedusing

theSHA1algorithm.See“UsingSSL

CertificatesandProtocol”onpage 18.

Whichtypeofcertificate:self‐signed

third‐party,orinternalCA(certificate

authority)?___________________

Numberofcertificates?__________

Ports ForActiveDirectory,useport389.

For

theACEManagementServer

appliance,useport8080.See“Changethe

PortAssignmentforACEManagement

Server ”onpage 51and“A c c e s s i n g ACE

ManagementServerfromOutsidethe

CorporateFirewall”onpage 19.

Port8000forconfiguringtheACE

ManagementServer.

Port443forclientrequests.

Whichadditionalports?______________

Page is loading ...

VMware ACE 2.6 User manual

Brand: VMware

Model: ACE 2.6

Category: Software

Type: User manual

Download PDF

report

VMware ACE 2.6 User manual

VMware ACE 2.6 User manual

Related papers

Other documents