Wednesday, May 15, 2013

vSphere 5.x Firewalls

By Joe Piggee

By default, when ESXi is installed, the firewall is enabled. The default configuration is to permit only the required operational traffic and to deny all others. As a note, the command esxcfg-firewall was retired and replaced by esxcli network firewall in vSphere 5.

To enable the firewall:

esxcli network firewall set --enabled true

To disable the firewall:

esxcli network firewall set --enabled false

Enable/Disable pre-configured services

  • List the services and record the proper ruleset ID for your service
    • esxcli network firewall ruleset list
  • To enable:
    • esxcli network firewall ruleset set --enabled true --ruleset-id rulesetName
  • To disable:
    • esxcli network firewall ruleset set --enabled false --ruleset-id rulesetName

Configure service behavior automation

  1. Login to vSphere client
  2. Enter the Hosts and Clusters View (Ctrl + Shift + H)
  3. Select a host
  4. Click the Configuration tab
  5. Under the Software view, select Security Profile
  6. Under Security Profile > Services, click Properties
  7. Highlight a service
  8. Click Options
  9. The service operational controls are listed
    1. Start automatically if any ports are open, and stop when all ports are closed
    2. Start and stop with host
    3. Start and stop manually (Select this to effectively disable the service)

Open/Close ports in the firewall

  1. Login to vSphere client
  2. Enter the Hosts and Clusters View (Ctrl + Shift + H)
  3. Select a host
  4. Click the Configuration tab
  5. Under the Software view, select Security Profile
  6. Under Security Profile > Firewall, click Properties
  7. Highlight a service
  8. To enable a firewall rule, check the check box next to the traffic label
  9. Click Options to set the service start automation settings as described above
  10. Click the Firewall button to define which connections can be made to the service. All connections may be allowed, or they can be restricted to individual IPv4 or IPv6 addresses and/or IPv4 or IPv6 networks.

Alternatively, to define the allowed IP addresses, you may configure this from the command line:

esxcli network firewall ruleset allowedip add --ruleset-id RulesetName --ip-address IPAddress/Network
esxcli network firewall ruleset allowedip add --ruleset-id RulesetName --ip-address IPAddress
esxcli network firewall ruleset allowedip remove --ruleset-id RulesetName --ip-address IPAddress/Network
esxcli network firewall ruleset allowedip remove --ruleset-id RulesetName --ip-address IPAddress
esxcli network firewall ruleset allowedip list --ruleset-id RulesetName
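
An allowed-IP list only restricts a ruleset once its allowed-all flag is set to false, so it is worth checking which enabled rulesets still accept any source. The following is an added example, not part of the original post: the sample outputs are constructed, their column layout is an assumption about the esxcli output format, and 192.0.2.0/24 is a placeholder management network.

```shell
#!/bin/sh
# Constructed sample of `esxcli network firewall ruleset list` output.
sample_ruleset_list() {
cat <<'EOF'
Name         Enabled
-----------  -------
sshServer       true
sshClient      false
nfsClient       true
webAccess       true
EOF
}

# Constructed sample of `esxcli network firewall ruleset allowedip list` output.
sample_allowedip_list() {
cat <<'EOF'
Ruleset      Allowed IP Addresses
-----------  --------------------
sshServer    All
sshClient    All
nfsClient    192.0.2.10
webAccess    All
EOF
}

# audit_open_rulesets RULESET_LIST_FILE ALLOWEDIP_LIST_FILE
# Prints every ruleset that is enabled AND still allows all source addresses.
audit_open_rulesets() {
    awk '
        FNR <= 2 { next }                                 # header and dashes
        NR == FNR { if ($2 == "true") enabled[$1] = 1; next }
        ($1 in enabled) && $2 == "All" { print $1 }
    ' "$1" "$2"
}

# lockdown_commands RULESET SOURCE
# Prints, in the order they must run, the commands restricting RULESET to SOURCE.
lockdown_commands() {
    echo "esxcli network firewall ruleset set --ruleset-id=$1 --allowed-all false"
    echo "esxcli network firewall ruleset allowedip add --ruleset-id=$1 --ip-address=$2"
}

# Demo on the constructed samples; on a host, save the real command output instead.
tmp=$(mktemp -d)
sample_ruleset_list > "$tmp/rulesets"
sample_allowedip_list > "$tmp/allowed"
for rs in $(audit_open_rulesets "$tmp/rulesets" "$tmp/allowed"); do
    lockdown_commands "$rs" 192.0.2.0/24
done
rm -rf "$tmp"
```

Review the printed commands before running them; restricting a ruleset such as sshServer to the wrong network cuts off remote management of the host.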

Note that you may edit the /etc/vmware/firewall/services.xml file for the pre-configured services. After you update any port numbers, remember to refresh the firewall:
esxcli network firewall refresh

ESXCLI Firewall Commands

By Joe Piggee

esxcli firewall commands

Command                                             Description
esxcli network firewall get                         Returns the enabled or disabled status of the firewall and lists default actions
esxcli network firewall set --default-action        Update default actions
esxcli network firewall set --enabled               Set to true to enable the firewall, set to false to disable the firewall
esxcli network firewall load                        Load the firewall module and rule set configuration
esxcli network firewall refresh                     Refresh the firewall configuration by reading the rule set files if the firewall module is loaded
esxcli network firewall unload                      Destroy filters and unload the firewall module
esxcli network firewall ruleset list                List rule set information
esxcli network firewall ruleset set --allowed-all   Set the allowedall flag
esxcli network firewall ruleset set --enabled       Enable or disable the specified rule set
esxcli network firewall ruleset allowedip list      List the allowed IP addresses of the specified rule set
esxcli network firewall ruleset allowedip add       Allow access to the rule set from the specified IP address or range of IP addresses
esxcli network firewall ruleset allowedip remove    Remove access to the rule set from the specified IP address or range of IP addresses

Configuring VLANs on UCS and VMware

By Joe Piggee

 

 

These are the steps required to add VLANs to both UCS and VMware. In UCS, each VLAN is identified by a unique ID. The VLAN ID is a number that represents that particular VLAN. The name that you assign to a VLAN ID adds a layer of abstraction that allows you to globally update all servers associated with service profiles that use the named VLAN. You can also create more than one named VLAN with the same VLAN ID. Note that the name of a VLAN is known only within the UCS environment; outside of UCS, the VLAN is represented by the unique ID.

 

VLAN Configuration on the UCS

Depending on how the UCS infrastructure is configured, VLAN availability for physical hosts may have to be configured on either a port group or individual host basis. The same applies in the VMware environment.

 

Follow these steps to configure a VLAN on UCS:

 

a) Open UCS manager. In the Navigation pane on the left of the application, select the LAN tab.


b) Expand the navigation tree so that the VLANs branch is visible.  Right click on the VLANs branch and select Create VLAN(s).


c) Provide a meaningful name for the VLAN; this name cannot be changed once saved. For most situations, the Common/Global radio button should be selected to ensure the same configuration is applied to both Fabrics. Enter the VLAN ID(s), then press the Check Overlap button to ensure there is no conflict with the existing configuration. If the ID is unique, press OK.


d) Check that the newly created VLAN appears in the list of configured VLANs in the navigation pane.


e) If the platform is using vNIC templates then the next step is to add the created VLAN to the required templates. Expand the vNIC Templates branch of the navigation pane (LAN -> Policies -> root -> vNIC Templates) and select the template which should have the VLAN available.

 



f) On the General tab for each Template click Modify VLANs.


g) In the window that opens add the new VLAN.

Repeat this for each Template.

 

h) Switch to the Servers tab in the Navigation pane and expand Service Profiles and the root node. The service profiles for each Chassis/Blade should be visible.


i) Expand each service profile in turn so that the vNIC for the Chassis/Blade is visible.  If the vNIC is bound to one of the templates modified earlier then the VLAN will be listed under the vNIC.

j) If the VLAN is not listed then select the vNIC and in the main panel click the Modify VLANs link.  For vNICs bound to templates, this link will be greyed out.


k) In the window that opens select the new VLAN.

Repeat this process for each vNIC that is not bound to a template.

 

Once all the vNICs have the VLAN available to them, exit UCS Manager.

 

VLAN Configuration on VMware

Follow these steps to add a VLAN on VMware:

 

a) Open vSphere Client and connect to the vCenter server. Navigate to the blade that the VLAN is required on (Home -> Inventory -> Hosts and Clusters). Expand the navigation tree to locate the server name, and then select the Configuration tab in the main window. From within the Configuration window, select Networking.


b) Click on the Properties link for the Virtual Switch, then in the opened window click on the Add button.

 


c) In the next window, select Virtual Machine under Connection Types and click Next.


d) Under Port Group Properties, enter a Network Label and the VLAN ID, then click Next.


e) Now the new VLAN should show under Host networking vSwitch, click Finish.


f) To add a virtual machine to the VLAN, edit the machine configuration, select the Network Adapter and from the Network Connection drop down list select the new VLAN.


That’s it. You should be all set.

 

Monday, April 29, 2013

EMC VNX CLI Reference – VNX 5300, VNX5500

By Joe Piggee

*Please note that EMC advises using the GUI, or opening an SR, prior to using the CLI. These commands have been gathered from multiple sites and are pretty straightforward.

 


 
Server specific commands:
 
server_cpu server_<x> -r now   Reboots a datamover
server_ping <IP>    ping any IP from the control station
server_ifconfig server_2 -all   View all configured interfaces
server_route server_2 {-list,flush,add,delete}   Routing table commands
server_mount     Mount a filesystem
server_export     Export a filesystem
server_stats     Provides realtime stats for a datamover, many different options.
server_sysconfig    Modifies hardware config of the data movers.
server_devconfig    Configures devices on the data movers.
server_sysstat     Shows current Memory, CPU, and thread utilization
server_log server_2    Shows current log
vi /nas/jserver/logs/system_log   Java System log
vi /var/log/messages    System Messages
server_ifconfig server_2 <interface_name> up  Bring up a specific interface
server_ifconfig server_2 <interface_name> down Take a specific interface down
server_date     Sets system time and NTP server settings
server_file     FTP equivalent command
server_dns     Configure DNS
server_cifssupport    Support services for CIFS users
 
To view HBA Statistics:
.server_config server_2 -v "printstats fcp reset"  Toggles the service on/off
.server_config server_2 -v "printstats fcp full"     View the stats table (must wait a while for some stats to collect before viewing)
 
To Join/Unjoin a CIFS Server from the domain:
server_cifs server_2 -Join compname=SERVERNAME,domain=DOMAIN.COM,admin=ADMINID
server_cifs server_2 -Unjoin compname=SERVERNAME,domain=DOMAIN.COM,admin=ADMINID
 
To view the current domain controllers visible on the data mover:
.server_config server_2 -v "pdc dump"
 
To enable or disable a domain controller on the data mover:
.server_config server_2 -v "pdc enable=<ip_address>"  Enable a domain controller
.server_config server_2 -v "pdc disable=<ip_address>"  Disable a domain controller
 
To stop and start the CIFS service:
server_setup server_2 -P cifs -o stop   Stop CIFS Service
server_setup server_2 -P cifs -o start  Start CIFS Service
 
To stop, start or check the status of the iSCSI service:
server_iscsi server_2 -service -start     Start iSCSI service
server_iscsi server_2 -service -stop      Stop iSCSI service
server_iscsi server_2 -service -status  Check the status of the iSCSI service
 
To enable/disable NDMP Logging:
Turn it on:
.server_config server_x "logsys set severity NDMP=LOG_DBG2"
.server_config server_x "logsys set severity PAX=LOG_DBG2"
Turn it off:
.server_config server_x "logsys set severity NDMP=LOG_ERR"
.server_config server_x "logsys set severity PAX=LOG_ERR"
 
For gathering performance statistics:
server_netstat server_x -i               Interface statistics
server_sysconfig server_x -v         Lists virtual devices
server_sysconfig server_x -v -i vdevice_name  Informational stats on the virtual device
server_netstat server_x -s -a tcp  Retransmissions
server_nfsstat server_x                    NFS SRTs
server_nfsstat server_x -zero        Reset NFS stats
 
Filesystem specific commands:
 
fs_ckpt      Manage Checkpoints
fs_dhsm     Manage File Mover
fs_group     Manage filesystem groups
 
Complete List of  “nas_”  Commands:
 
This is just for reference, you can easily pull up this list from a Celerra by typing nas_ and hitting the tab key.
 
nas_acl
nas_ckpt_schedule
nas_dbtable
nas_emailuser
nas_inventory
nas_pool
nas_slice
nas_task
nas_automountmap
nas_cmd
nas_devicegroup
nas_event
nas_license
nas_quotas
nas_stats
nas_version
nas_cel
nas_copy
nas_disk
nas_fs
nas_logviewer
nas_replicate
nas_storage
nas_volume
nas_checkup
nas_cs
nas_diskmark
nas_fsck
nas_message
nas_server
nas_symm
nas_xml
 
Complete list of  “server_”  Commands:
 
This is just for reference, you can easily pull up this list from a Celerra by typing server_ and hitting the tab key.
 
server_archive
server_cifssupport
server_file
server_log
server_name
server_ping6
server_sysconfig
server_vtlu
server_arp
server_cpu
server_ftp
server_mgr
server_netstat
server_rip
server_sysstat
server_cdms
server_date
server_http
server_mount
server_nfs
server_route
server_tftp
server_cepp
server_dbms
server_ifconfig
server_mountpoint
server_nfsstat
server_security
server_umount
server_certificate
server_devconfig
server_ip
server_mpfs
server_nis
server_setup
server_uptime
server_checkup
server_df
server_iscsi
server_mpfsstat
server_param
server_snmpd


server_usermapper
server_cifs
server_dns
server_kerberos
server_mt
server_pax
server_standby
server_version
server_cifsstat
server_export
server_ldap
server_muxconfig
server_ping
server_stats
server_viruschk
 
Complete list of  “fs_” Commands:
 
This is just for reference, you can easily pull up this list from a Celerra by typing fs_ and hitting the tab key.
 
fs_ckpt
fs_dedupe
fs_dhsm
fs_group
fs_rdf
fs_timefinder

*reference sites: http://emcsan.wordpress.com/2011/06/03/useful-celerra-commands/

https://mydocs.emc.com/VNX/relatedDocs.jsp

Thursday, April 25, 2013

Check my Exchange Server Version

by Joe Piggee Sr.

1. Open EMS

2. Type  Get-ExchangeServer | fl name,edition,admindisplayversion

Check build numbers here.

Thursday, April 18, 2013

How To Add Holidays to Outlook 2010

By Joe Piggee Sr.

1. Open Outlook and click on the File tab.
2. Scroll down and select "Options".
3. Click Calendar.
4. Click Add Holidays.

Wednesday, April 17, 2013

How to Remove a Domain Controller

 
By Joe Piggee Sr.
Removing a domain controller by using the Windows interface

You can use the Active Directory Domain Services Installation Wizard to remove a domain controller from an existing domain.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the domain.

Click Start, click Run, type dcpromo, and then press ENTER.
  1. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

  2. If the domain controller is a global catalog server, a message appears to warn you about the effect of removing a global catalog server from the environment. Click OK to continue.

  3. On the Delete the Domain page, make no selection, and then click Next.

  4. If the domain controller has application directory partitions, on the Application Directory Partitions page, view the application directory partitions in the list, and then remove or retain application directory partitions, as follows:

    • If you do not want to retain any application directory partitions that are stored on the domain controller, click Next.
    • If you want to retain an application directory partition that an application has created on the domain controller, use the application that created the partition to remove it, and then click Refresh to update the list.
  5. If the Confirm Deletion page appears, select the option to delete all application directory partitions on the domain controller, and then click Next.

  6. On the Remove DNS Delegation page, verify that the Delete the DNS delegations pointing to this server check box is selected, and then click Next.

  7. If necessary, enter administrative credentials for the server that hosts the DNS zones that contain the DNS delegation for this server, and then click OK.

  8. On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next.

  9. On the Summary page, to save the settings that you selected to an answer file that you can use to automate subsequent operations in Active Directory Domain Services (AD DS), click Export settings. Type a name for your answer file, and then click Save. Review your selections, and then click Next to remove AD DS.

  10. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

  11. You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS removal when you are prompted to do so.

  12. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

  13. In Roles Summary, click Remove Roles.

  14. If necessary, review the information on the Before You Begin page, and then click Next.

  15. On the Remove Server Roles page, clear the Active Directory Domain Services check box, and then click Next.

  16. On the Confirm Removal Selections page, click Remove.

  17. On the Removal Results page, click Close, and then click Yes to restart the server.

*http://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx