VMware ACE 2.5 User manual

ACE Management Server

Administrator’s Manual

VMware ACE 2.5

VMware, Inc.

3401 Hillview Ave.

Palo Alto, CA 94304

www.vmware.com

2 VMware, Inc.

ACE Management Server Administrator’s Manual

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022,

6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481,

7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999,

7,278,030, 7,281,102, 7,290,253, 7,356,679, 7,409,487, 7,412,492, 7,412,702, and 7,424,710; patents

pending.

VMware, the VMware “boxes” logo and design, Virtual SMP, and VMotion are registered trademarks or

trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names

mentioned herein may be trademarks of their respective companies.

ACE Management Server Administrator’s Manual

Item: EN-000042-00

VMware, Inc. 3

Contents

AboutThisBook 7

1 Introduction 9

FeaturesofACEManagementServer 9

SystemRequirements 11

RequiredHardware 11

SupportedOperatingSystems 11

SupportedExternalDatabases 12

SupportedProxies 12

RequiredWebBrowsers 12

Licensing 12

2 PlanninganACEManagementServerDeployment 13

DeploymentComponents 13

HostSystemOptions 15

WindowsHosts 15

LinuxHosts 15

ServerApplianceOption 15

DatabaseOptions 16

ActiveDirectoryAuthenticationOptions 17

PerformingCapacityPlanning 17

DatabaseThroughputandScalability 18

LDAPThroughput 18

NetworkBandwidthandPolicyUpdateFrequency 19

ACEPolicyConfiguration 20

LoadBalancers 20

SecurityFeaturesandConsiderations 20

UsingSSLCertificatesandProtocol 21

AccessingACEManagementServerfromOutsidetheCorporateFirewall 22

DeploymentPlanningWorksheet 24

ACE Management Server Administrator’s Manual

4 VMware, Inc.

3 InstallingandConfiguringACE Management Server 25

PreparingforInstallation 25

ConfigureTLSinYourBrowser 26

InstallingandUpgradingACEManagementServer 26

InstallanACEManagementServeronaWindowsHost 27

InstallACEManagementServeronaLinuxSystem 28

InstallanACEManagementServerAppliance 29

VerifyThattheApacheServiceIsStartedorRestarted 31

StartandConfigureACEManagementServer 33

LogInto

ACEManagementServer 34

4 ConfigurationOptionsforACEManagementServer 37

PrerequisitesforConfiguringtheServer 37

CreateUsersandGroupsforIntegrationwithActiveDirectory 38

SetUpanExternalDatabase 39

CreatingaSystemDSNEntryforanExternalDatabase 40

IncreasetheNumberofDatabaseConnectionsAllowed 42

EnableDatabaseConnectionPoolingonLinux 43

SetUpaConnectionBetweentheServerApplianceandanExternal

Database 43

Prepare

CustomSecurityCertificates 44

ViewthePropertiesoftheSelf‐SignedCertificateFile 45

StartingACEManagementServerConfiguration 45

ViewingandChangingLicensingInformation 46

UsinganExternalDatabase 46

CreatingAccessControl 47

UploadingCustomSSLCertificates 48

LoggingEvents 49

ApplyingConfigurationSettings 50

5 Load‐BalancingMultipleACEManagementServerInstances 51

TypicalSetupUsingLoad‐BalancedACEManagementServerInstances 52

InstalltheRequiredServicesforLoadBalancing 53

UsetheSameSSLCertificateonAllServers 53

CreateNewSSLCertificatesandKeysforEachServer 55

InstallingandConfiguringtheLoadBalancer 57

VerifyThatACEInstancesAreUsingtheLoadBalancer 57

VMware, Inc. 5

Contents

6 ManagingACEInstances 59

ViewingACEInstancesThattheServerManages 60

UsetheVMwareACEHelpDeskApplication 60

UsetheInstanceViewinWorkstation 61

SearchforanInstance 62

SortbyColumnHeadingandChangeColumnWidth 63

Show,Hide,andMoveColumnsintheInstanceView 64

CreateorDeleteCustomColumnsintheInstanceView 64

ViewInstanceDetails 65

Reactivate,Deactivate,

orDeleteanACEInstance 65

ChangeaCopyProtectionID 66

ResettheAuthenticationPassword 66

AddInformationforCustomColumns 67

7 TroubleshootingandMaintenance 69

TroubleshootingConfigurationProblems 69

ConnectionProblemsBetweenaLinuxACEInstanceandACEManagement

Server 69

ChangethePortAssignmentforACEManagementServer 70

DeletetheServerConfigurationFileandSetaNewAdministrator

Password 71

RestoreaBackupCopyofanSSLCertificate 72

ConfiguringMultipleACEManagementServerInstancestoUseSSL 73

DatabaseBackup 74

Appendix:DatabaseSchemaandAuditEventLogData 75

UsingDatabaseReportingTools 75

DatabaseSchema 76

QueryingtheAuditEventLogData 81

Glossary 85

Index 89

ACE Management Server Administrator’s Manual

6 VMware, Inc.

VMware, Inc. 7

Thismanual,theVMwareACEManagementServerAdministrator’sManual,provides

informationaboutinstallingandusingtheVMware

®

ACEManagementServer,which

enablesyoutomanageACEinstancesinrealtime.UsingACEManagementServeris

optional,butdoingsoprovidesthefollowingbenefits:

 ManageactivationofACEpackages.

 Manageauthenticationofthoseactivatedpackages.

 DynamicallydeliverpolicyupdatestomanagedACEinstances.

 DynamicallydeliverinstancecustomizationdataformanagedACEinstanceswith

Windowsguestoperatingsystems.

Intended Audience

Thisbookisintendedforanyonewhoneedstoinstall,upgrade,oruseACE

ManagementServertomanageACEinstances.ACEManagementServerisintended

forACEadministratorswhomustmaintainandupdateACEpoliciesusedonvirtual

machinesdeployedthroughoutanenterprise.

Document Feedback

VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhave

comments,sendyourfeedbackto:

[email protected]

About This Book

ACE Management Server Administrator’s Manual

8 VMware, Inc.

Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.

To accessthecurrentversionsofthisbookandotherbooks,goto:

http://www.vmware.com/support/pubs

Online and Telephone Support

Useonlinesupporttosubmittechnicalsupportrequests,viewyourproductand

contractinformation,andregisteryourproducts.Goto:

http://www.vmware.com/support

Customerswithappropriatesupportcontractsshouldusetelephonesupportforthe

fastestresponseonpriority1issues.Goto:

http://www.vmware.com/support/phone_support.html

Support Offerings

FindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds.Goto:

http://www.vmware.com/support/services

VMware Professional Services

VMwareEducationServicescoursesofferextensivehands‐onlabs,casestudy

examples,andcoursematerialsdesignedtobeusedason‐the‐jobreferencetools.

Coursesareavailableonsite,intheclassroom,andliveonline.Foronsitepilot

programs andimplementationbestpractices,VMwareConsultingServicesprovides

offeringsto helpyouassess,plan,

build,andmanageyourvirtualenvironment.To

accessinformationabouteducationclasses,certificationprograms,andconsulting

services,goto:

http://www.vmware.com/services

VMware, Inc. 9

1

TheVMwareACEManagementServerenablesyoutomanageVMwareACEinstances,

todynamicallypublishpolicychangesforthoseinstances,andtotestanddeploy

packagesmoreeasily.

Thischapterincludesthefollowingtopics:

 “FeaturesofACEManagementServer”onpage 9

 “SystemRequirements”onpage 11

Features of ACE Management Server

ACEManagementServeroffersscalabilityandreliability:

 Youcanincreasecapacitybyaddingnetworkresourcessuchasloadbalancersand

extraserverhardware.

 Fortestingenvironments,thedefaultembeddedbackingstoreprovidesasimple

andefficientdatabasesolution.ToscaleACEManagementServerforproduction

deployments,youcanconfigureanduseanexternalrelationaldatabase

managementsystem(RDBMS).

 InWindows,multithreadedprocesseshandleserverrequests.InLinux,multiple

processeshandleserverrequests.Ifoneprocessfails,anothertakesover.

ACEManagementServeroffersActiveDirectoryintegration:

 YoucanuseActiveDirectorytoauthenticateusersofACEinstances.

 YoudonotneedaschemachangeforyourexistingActiveDirectory.

 LDAPisusedtoaccessActiveDirectory.

Introduction

1

ACE Management Server Administrator’s Manual

10 VMware, Inc.

 InformationaboutWindowsdomainuseraccountstatesisprovidedinclearand

usefulmessages.Reasonsforloginfailuresarepresentedas“lockedout”or

“passwordexpired.”

 ACEManagementServeractsasanActiveDirectorypasswordchangeproxy.

 YoucanusetheinstancecustomizationfeatureinACEwithyourownestablished

namingconventionstoassociateuserswithmachines.

Securityfeaturesincludethefollowing:

 EncryptedcommunicationsbetweenserverandclientstraveloverHTTPStraffic.

 Passwordsarestoredsecurelyinhashedforminthebackingstore.

 FlexibledatabaseoptionsallowuseofanembeddeddatabaseorexternalRDBMS

tostoreACEinstancedataandpolicies.

ACEManagementServeriseasytoinstallandconfigure.Clienttrafficcanbeproxied

byeasilyavailableproducts.Theserveruseseasilyavailablesoftwarecomponents:

 ApacheWebserver2.0

 ThedefaultSQLitedatabasestore

Theserversetupusesindustry‐standardprotocols:

 HTTPSandLDAP

 XML‐RPCformessageencapsulation

ACEManagementServeroffersextensibilityandavailability:

 YoucancreateandusemorethanoneACEManagementServer.Whenyouuse

morethanoneserver,youcansettheserversupsothattheysharethesame

databaseforloadbalancingorincreasedfaulttolerance.

 AWindowsACEManagementServercanbeonthesamesystemasWorkstation.

 YoucandesignateasingleACEManagementServername,suchas

https://ace.policyserver.company.com,anduseDNSlookuptotranslate

thehostnametoanaddress.TheaddressiscachedifaDNSserverisnotavailable.

Additionally,youcanusedifferentACEManagementServerinstancesifusers

travelbetweenofficesin

differentgeographiclocations.

N

OTEYourservernamemustbeeitherthemachinenameinEnglishorthe

IP address.Internationalcharactersarenotsupported.

VMware, Inc. 11

Chapter 1 Introduction

System Requirements

ThefollowingsectionsdescribetheACEManagementServersystemrequirements.

Required Hardware

 Aminimumofan800MHz‐compatiblex86andx86‐64architectureprocessor

Compatibleprocessorsinclude:

Celeron,PentiumII,PentiumIII,Pentium4,PentiumM(includingcomputerswith

Centrinomobiletechnology),Xeon(includingPrestonia),AMD,Athlon,

Athlon MP,AthlonXP,Duron,Opteron,AMD64Opteron,andAthlon64

 ExperimentalsupportforIntelIA‐32eCPU

 40MBoffreespaceisrequiredforbasicinstallation.VMwarerecommendsatleast

10GBoffreediskspace.

 An8‐bitdisplayadapterisrequired.

 Forlocalareanetworking,anyEthernetcontrollerthattheoperatingsystem

supportsissufficient.

Supported Operating Systems

FollowingarethesupportedoperatingsystemsforACEManagementServer:

 WindowsServer2003WebEditionSP1andSP2,WindowsServer2003Standard

EditionSP1andSP2,WindowsServer2003EnterpriseEditionSP1andSP2

(includes64‐bitandR2editions)

 WindowsXPProfessional(includes64‐biteditions)

 Windows2000ServerServicePack4andWindows2000AdvancedServerService

Pack 4

 RedHatEnterpriseLinuxAdvancedServer4.0withUpdate 4.

 SUSELinuxEnterpriseServer9ServicePack3

ACE Management Server Administrator’s Manual

12 VMware, Inc.

Supported External Databases

AnSQLitedatabaseengineisembeddedintheACEManagementServer.Althoughthis

databaseisadequatefortestingpurposes,useoneofthefollowingexternaldatabases

inproductionenvironments:

 Windows‐basedservers–MicrosoftSQLServer2000orhigher;

Oracle Database 10g

IfyouuseaMicrosoftSQLServerdatabase,thedatabasemustbehostedona

systemthatusesthesamelocaleasthesystemthathostsACEManagementServer.

Forexample,ifACEManagementServerisinstalledonaJapanese

system,the

databaseservermustalsobeinstalledonaJapanesesystemandmustuseJapanese

collation.

 Linux‐basedservers–PostgreSQL7.4orhigher;RedHatEnterpriseLinux

AdvancedServer4.5orhigher.

Supported Proxies

YoucandeployACEManagementServerwiththefollowingHTTPSproxysolutions:

 ApacheProxy–Usingmod_proxy

 ZeusTechnologyLoadBalancer–Acommerciallyavailableloadbalancerand

trafficmanagementsolution

Required Web Browsers

Thebrowser‐basedACEManagementServerSetupapplicationandtheVMwareACE

HelpDeskapplicationrequireoneofthefollowingWebbrowsers:

 MozillaFirefox1.52orhigher

 InternetExplorer6.0orhigher

Licensing

YoumustconfiguretheserverandentertheserialnumberintheserversetupWeb

application.Ifyoudonot,youcannotconnecttotheserverinWorkstation.

Yourserialnumberisontheregistrationcardinyourpackage.Ifyoupurchased

VMwareACEonline,theserialnumberissentby

email.WorkstationandACE

instancescannotconnecttoanACEManagementServerwithanexpiredornonexistent

license.

VMware, Inc. 13

2

ThischapterprovidesguidelinesfordeployingVMwareACEManagementServer

instances,includingcapacityplanningandbestpractices.Thischapterincludesthe

followingtopics:

 “DeploymentComponents”onpage 13

 “PerformingCapacityPlanning”onpage 17

 “SecurityFeaturesandConsiderations”onpage 20

 “A c c e s s i n g ACEManagementServerfromOutsidetheCorporateFirewall”on

page 22

 “DeploymentPlanningWorksheet”onpage 24

Deployment Components

AtypicalACEManagementServerdeploymenthasthefollowingcomponents:

 OneormoreACEManagementServerinstances–Configuringmultipleservers

tousethesamedatabaseincreasesthenumberofACEclientsyoucanmanageand

guaranteeshighavailability.

 Databaseserver–Forproductiondeployments,VMwarerecommendsOracle

Database 10gorMS‐SQLforACEManagementServerinstalledonaWindows

host,andPostgresforACEManagementServerinstalledonaLinuxhost.

 (Optional)ActiveDirectorydomaincontroller–ToenabletheACEManagement

ServerActiveDirectoryintegration,youmustconfigureACEManagementServer

tocommunicatewithyourdomaincontroller.

Planning an ACE

Management Server

Deployment

2

ACE Management Server Administrator’s Manual

14 VMware, Inc.

 (Optional)HTTPloadbalancer–Usealoadbalancertohelpscalethecapacityof

yourACEManagementServerdeployment.

 (Optional)HTTPproxy–IfclientswillaccessACEManagementServerfrom

outsidethecorporatefirewall,VMwarerecommendsusinganHTTPSproxyinthe

DMZ.YoucanuseACEManagementServerwithApacheProxyandZeus

TechnologyLoadBalancer.

ForanexampleofanACEManagementServerdeployment,seeFigure 2‐1.

Figure 2-1. Comprehensive ACE Management Server Deployment

ACEManagementServeroffersconvenienceandflexibilityinitssetupoptions.

YoucaninstalltheserveronWindowsorLinuxhosts.Fortestingpurposes,youcan

downloadandruntheserverasavirtualappliance.ACEManagementServerincludes

itsownsecuritycertificatesandembeddeddatabase,butyoucanuse

anexternal

databaseandusecertificatesfromacertificateauthorityifyouprefer.Youcanalso

configureACEManagementServertouseActiveDirectoryforauthentication.

ACE Management Server

(one or more)

Active Directory

domain controlle

r

(optional)

database

server

proxy for ACE Management Server

service through corporate firewall

(optional)

WSAE client

(within

corporate

network)

load

balancer

(optional)

ACE Player client

(outside corporate network)

ACE Player client

(within

corporate

network)

LDAP

Kerberos

ODBC

HTTPS

HTTPSHTTPS

VMware, Inc. 15

Chapter 2 Planning an ACE Management Server Deployment

Host System Options

YoucaninstallACEManagementServeronaWindowshost,aLinuxhost,orasa

virtualappliance.IfyousetupmultipleACEManagementServerinstances,theymust

allbethesametype.

Windows Hosts

IfyouplantointegratewithActiveDirectory,VMwarerecommendsthatyouinstall

ACEManagementServeronaWindowshost.

TheWindowsACEManagementServerusestheWinLDAPlibrarybundledwithyour

WindowsoperatingsystemtointegratewithActiveDirectory.Internaltestingresults

indicatethattheWindowsimplementationprovidesbetterperformance

thanLinux.

Linux Hosts

YoucaninstallACEManagementServeronaLinuxhostanduseActiveDirectoryfor

authentication,eventhoughperformanceisslowerthanonWindowshosts.Ifyouplan

touseaLinuxhostinproductionenvironments,usetheLinuxinstallerratherthanthe

ACEManagementServerappliance.Ifyoudonot

havethesupportedLinuxoperating

systemsinstalledonaphysicalserver,youcancreateavirtualmachine,installa

supportedLinuxoperatingsystem,andinstallACEManagementServerinthevirtual

machine.

Server Appliance Option

TheACEManagementServerapplianceisaself‐contained,preinstalled,and

preconfiguredACEManagementServerpackagedwithasmallLinuxoperating

systeminavirtualmachine.Theapplianceisconvenientandquicktosetupinatesting

environmentbutisnotrecommendedforproductionenvironments.

Bydefault,theapplianceattempts

toconfigureitsnetworkbyusingDHCP.Ifyoudo

notwanttouseDHCP,youcanusethebrowser‐basedACEManagementServerSetup

applicationtoconfigurethenetworksettings.Youcanusethesameinterfacetoupdate

theappliancewhenupdatesbecomeavailable.

Youmusthaveaccesstoa

Webbrowser(Mozilla1.52orhigherorInternetExplorer6.0

orhigher)tochangenetworksettingsorobtainupdatesfortheappliance.

ACE Management Server Administrator’s Manual

16 VMware, Inc.

Database Options

ACEManagementServeroffersthefollowingdatabaseoptions:

 EmbeddedSQLitedatabase–ThedefaultmodeofACEManagementServer

workswithanembeddedSQLite3databaseengine.TheSQLitedatabaseengineis

initializedduringserverinstallationandrequiresnospecialconfiguration.

The embeddeddatabasesupportsuptoseveralgigabytesofdata.

TheSQLitedatabaseisfilebasedandisnot

designedtobeeffectivelysharedacross

multipleprocesses.Ifyouusethird‐partytoolstoaccessthedatabaseforaread

operation,therefore,youcannotdependontransactionalisolationofthepending

writeoperationsoftheACEManagementServer.

Theembeddeddatabaseisadequatefortestingpurposes,butVMware

recommendsthat

youuseanexternaldatabaseinproductionenvironments.

 Supportedexternaldatabase–Inproductionenvironments,useasupported

externaldatabaseasabackingstoreforACEManagementServer,throughODBC

connectivity.Supportedexternaldatabaseenginesarethefollowing:

 OnWindows,MicrosoftSQLServer(SQLServer2000orSQLServer2005)and

OracleDatabase10g

 OnLinux,PostgreSQL7.4orhigher

UsinganexternaldatabasewithACEManagementServeroffersthefollowing

benefits:

 OnlinebackupsothatyoudonothavetoshutdownACEManagementServer

tobackupthedatabase.

 Enhancedsecuritymodel.Youcanfine‐tunepermissionstoaccesssensitive

data.TheSQLitedatabaseengineprovidesfile‐systembasedsecurity.

 Performancefine‐tuning.

 Abilitytouseexternaldatabasemanagementandreportingtools.

 AbilitytouseloadbalancerswithmultipleACEManagementServer

instances.YoumustuseanexternalRDBMSasthebackingstore,becausethe

SQLitedatabaseisnotdesignedtobeeffectivelysharedacrossmultiple

processes.

N

OTEIfACEManagementServerisdeployedintheDMZ,useanexternal

databaselocatedinsideyourcorporatenetworkbehindafirewall.

VMware, Inc. 17

Chapter 2 Planning an ACE Management Server Deployment

Active Directory Authentication Options

ActiveDirectoryintegrationprovidesthefollowingbenefits:

 PermitsjoininganoperatingsystemthatisrunninganACEinstancetothedomain

remotely.

 Providessearchfunctionssoyoucanquicklyfindaparticularindividualorgroup.

 EnablesyoutouseActiveDirectoryUsersandGroupstoconfigurerole‐based

accesstothefeaturesofACEManagementServer.

Performing Capacity Planning

ACEManagementServerenablesyoutomanageACEinstancesandpoliciesinreal

time.ThenumberofclientsthatasingleACEManagementServercanservedepends

onseveralkeyfactors:

 Databasethroughputandscalability

 LDAPthroughput(ifyouareusingActiveDirectory)

 Networkbandwidthavailableforincomingclientrequests

 ACEpolicyconfiguration

 Loadbalancersforverylargedeployments(morethan5,000clients)

Table 2‐1listsrecommendationsforthenumberofclientssupportedbasedonthe

hardwareyouareusing.Thefiguresforrecommendedclientsreservesomeserver

processingpowersothatinteractiveclientsreceiveresponsesinatimelyfashionand

theserversatisfies

increasesindemand.

Table 2-1. Number of Clients Supported

Hardware Recommended Clients

2‐GHzAMD2‐wayserver(Opteron280,4GBRAM) 6,000

2‐GHzIntel2‐waydesktopmachine(4GBRAM) 4,000

ACE Management Server Administrator’s Manual

18 VMware, Inc.

Database Throughput and Scalability

Forproductiondeployments,VMwarerecommendsthatyouuseOracle,MS‐SQL,or

Postgresasyourdatabaseplatform.

Morethan95percentofthestoragespacethatanACEManagementServerrequiresis

usedtologeventinformation,whichisanaudittrailofalltransactionsperformed

throughACEManagementServer.Table 2

‐2listsrecommendeddatabasesizesbased

onthenumberofclientsbeingserved.

Thefiguresinthetablearebasedona90‐daydatabasearchivalperiod.Backupthe

databaserecordsevery90daysandkeepeventlogsfor90days.YoucanconfigureACE

ManagementServertopurgeevent

logsevery90days.

Theauthenticationeventgeneratesmostofthedatabecauseaneventisgenerated

everytimesomeoneattemptstoauthenticatetoACEManagementServer.Youcan

configureACEManagementServertologlesseventinformation.See“LoggingEvents”

onpage 49.

LDAP Throughput

ACEManagementServercancommunicatewithyourActiveDirectorydomain

controllertoauthenticateusercredentials.Yourdomaincontrollerinfrastructure

handlestheLDAPtrafficrequiredtosupportthenumberofclientsthatyouanticipate.

IntegratingwithActiveDirectorythroughLDAPisimplementeddifferentlyinthe

WindowsACEManagementServerthaninthe

Linux‐basedACEManagementServer.

TheWindowsACEManagementServerusestheWinLDAPlibrarybundledwithyour

Windowsoperatingsystem.TheLinuxACEManagementServerusesathird‐party

KerberosLibraryandOpenSSL.VMwareinternaltestingresultsindicatethatthe

WindowsimplementationprovidesbetterperformancethanLinux.

Table 2-2. Database Storage Recommendations

Number of Clients Recommended Database Size

100 50Mb

1,000 500Mb

10,000 5,000Mb

VMware, Inc. 19

Chapter 2 Planning an ACE Management Server Deployment

Network Bandwidth and Policy Update Frequency

TheamountofnetworkbandwidththatACEManagementServerandACEinstances

requiredependsonthefrequencyofpolicyupdatesthatyouconfigure.Table 2‐3shows

theamountofbandwidthneededwhenyouuseapolicyupdatefrequencyvalueof

10 minutes.

VMwarerecommendsthatforlargedeployments(morethan5,000clients),

you

increasethetimebetweenpolicyupdatesbyclientsbecausethisreducestheamountof

requiredbandwidth.

Table 2‐4showsthebandwidthneededwhenthepolicyupdatefrequencyvalueisset

to30minutes.

Theamountofnetworkbandwidthrequiredcanalsobehigherifyourpolicysetisvery

complex.

VMware

recommendsthatyouhaveaseparatenetworklinkbetweenACE

ManagementServerandyourdatabaseserver,sothattrafficcomingandgoingfrom

ACEManagementServertoitsclientsdoesnotinterferewiththetraffictoandfrom

yourdatabaseserver.

Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes

Number of Clients Bandwidth Required

100 0.125Mb/sec.

1,000 1.25Mb/sec.

10,000 12.5Mb/sec.

Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes

Number of Clients Bandwidth Required

100 0.04Mb/sec.

1,000 0.4Mb/sec.

10,000 4Mb/sec.

ACE Management Server Administrator’s Manual

20 VMware, Inc.

ACE Policy Configuration

TheconfigurationofACEpoliciescanaffectperformance.Youcanincreasetheamount

ofdatathatistransferredbetweenACEManagementServerandACEPlayerbyusing

oneofthefollowingmethods:

 Hostpolicies–Enablinghostpolicies(suchashostnetworkquarantine)requiresthat

ahost‐sidedaemonretrievesthehostpoliciesfromtheACEManagementServ er.

 Complexnetworkquarantinepolicies–Ifthesetofrulesthatmakesupyour

networkquarantineisverylarge,thetransferoftheserulesfromtheACE

ManagementServertotheclientscanaffectthescalability.

ThenumbersshowninTable 2‐3andTable 2‐4areestimatesofrequired

bandwidthgiven

average‐sizerulesetsfornetworkquarantine.Youcanviewthe

sizeofyourpolicysetbyexaminingtheACEfiledirectoryandcountingthesize

ofthe.vmplfile.Anaveragepolicysetis15KBorless.

Load Balancers

TheACEManagementServerclient‐serverprotocolisbuiltontopoftheHTTPS

protocol.YoucanuseHTTPload‐balancingsoftwareandhardwaresolutionstoscale

anACEManagementServerdeploymentbeyondthecapacityofasingleserver(orfor

high‐availabilitydeployments).

ACEManagementServerscalesinalinear

fashionwhenanenterprise‐gradeHTTPS

loadbalancerisused.SeeChapter 5,“Load‐BalancingMultipleACEManagement

ServerInstances,”onpage 51.

Security Features and Considerations

Bydefault,ACEManagementServerusestheSecureSocketsLayer(SSL)protocolto

provideencryptedandsecurecommunications.

Followingisanoverviewofsecurityfeaturesandrecommendationsonhowto

configuretheACEManagementServertoavoidsecurityproblems:

 TraffictoandfromclientsisprotectedbyHTTPS–Bydefault,ACEManagement

Servercreatesaself‐signedcertificatewhenyouinstallittouseforHTTPStraffic.

Thesecertificatesaresecure,butyoucanalsoconfigureACEManagementServer

touseyourowncertificateandkeypairs.

 TrafficfromACEManagementServertoActiveDirectoryisencrypted–Ifthe

serverisintegratedwithanActive Directoryservice,itcommunicateswiththeservice

throughanSSL‐protectedlink.LDAPtraf ficisencryptedattheapplicationlayer.

CredentialsareprotectedbyusingtheKerberosprot ocoltoauthenticatecredentials.

Page is loading ...

VMware ACE 2.5, ACE EN-000042-00 User manual

Related papers

Other documents