Minor Update to vCheck 5.31 — beta testers required

I typically do not view my vCheck report as an email message…I have a link to the report on the home screen of my vSphere Client (if you’d like to see how to do that, please check out this post: http://enterpriseadmins.org/blog/scripting/vcheck-as-a-vsphere-client-solution-and-application/). However, I’ve noticed many comments requesting better email support. From my research, it appears that the problem is likely with Outlook 2007 — since it does not properly support all cascading style sheets (CSS) properties. After a little bit of testing, I believe I have found a rather simple way to work around this. The change adjusts the e-mail output and leaves the standard HTML output file alone.

This is a very minor change and I plan to include it in a future release. If you get a chance please test it out and report back if it works for you too.

Change line #2158 from

send-SMTPmail $EmailTo $EmailFrom "$VISRV vCheck Report" $SMTPSRV $MyReport

to

send-SMTPmail $EmailTo $EmailFrom "$VISRV vCheck Report" $SMTPSRV $MyReport.Replace("class=`"dsp ","class=`"")

This simply removes one of the CSS classes (dsp) from the class attributes in the email message body, making the report easier to read in email clients (at this point the format has only been tested with Outlook 2007).

If you need a copy of the vCheck 5.31 version, you can get it here: http://enterpriseadmins.org/blog/wp-content/uploads/2011/02/vCheck5.31.ps1_.txt


vCenter Mobile Access (vCMA) and custom SSL certificates

If you haven’t heard of the vCMA Fling, you should stop reading this article and check out http://labs.vmware.com/flings. It is by far my favorite application available.

I like to use valid certificates on all VMware products. I’ve replaced certificates used by vCenter, Update Manager, View and individual ESX/ESXi hosts. Today I started using the newest version of vCMA (vCenter Mobile Access) that has built-in SSL support — but uses a generic certificate. I decided to find out how much effort would be required to replace this cert with a valid certificate issued from a certificate authority.

I found the following article that helped a lot. You’ll need everything on pages 2 and 3 of the document: http://www.informit.com/articles/article.aspx?p=407886&seqNum=2

The first step was to find the keytool required. A simple “find /|grep keytool” showed me right where the command was, so I changed to that directory:

cd /usr/lib/vmware/mobile/java/jre1.6.0_11/bin

Once in the proper directory, I decided to create a new key file (using the steps in the above article)

./keytool -genkey -alias mobile-vmware -keyalg RSA -keysize 2048 -dname "CN=vcma.domain.test,OU=Organization Name,O=Parent Organization,L=City,ST=State,C=US,emailAddress=vmware-admin@domain.test" -keypass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

Easy enough. Now we need to create a certificate request

./keytool -certreq -v -alias mobile-vmware -file /etc/mobile/ssl/csr-mobile-vmware.pem -keypass mypass -storepass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks

The command returns the following information if successful
Certification request stored in file
Submit this to your CA

Take the contents of the generated file and submit them to your certificate authority. Once the file is returned, copy it to /etc/mobile/ssl (I used WinSCP for this task). Another file you’ll need to transfer at this time is the CA certificate (Verisign/internal/etc).

Once you have the two files copied over to the vCMA appliance, you’ll want to prepare your keystore to accept the certificate by importing the CA’s certificate. You can do that with this command:

./keytool -import -v -noprompt -trustcacerts -alias rootcacert -file /etc/mobile/ssl/rootca-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

The following results should be returned from that command:
Certificate was added to keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

Now we are ready to import our actual certificate:

./keytool -import -v -alias mobile-vmware -file /etc/mobile/ssl/mobile-vmware-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -keypass mypass -storepass mypass

The following results should be returned from that command:
Certificate reply was installed in keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

Almost at the end now…

We need a text editor, so I went the easy way and installed one I know how to use. You can do the same with “yum install nano”.

nano /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.28/conf/server.xml

Look through the file for a line that starts with

<Connector port="443" protocol="HTTP/1.1"

In that section you’ll want to change the keystoreFile attribute to “/etc/mobile/ssl/mobile-vmware.jks” and the keystorePass attribute to “mypass”.

Once the file is modified, save it and exit nano. Now type the following:

service mobile restart

This restarts the vCMA application to read in the certificate changes we made. Now when you access vCMA you should check the certificate — it should be the valid one you created.


Get ActiveSync Users

When you have almost 30,000 mailboxes, managing ActiveSync can become a nightmare. The nice thing about ActiveSync is that it just works. There is not too much configuration to get it set up, but if you do not plan ahead, you can find yourself in the same predicament as us and have 1500 people connecting through some sort of mobile device without any sort of security policy. This is a huge security risk, and to combat it we are slowly implementing security policies by agency. So the first step in my process was to get a list of all users that have connected in the last 30 days.

This first method takes a long time if you have lots of mailboxes. For example, it takes over 55 minutes to complete in our environment. But if you do not have a lot of mailboxes, then this method should work fine for you. This report will create a CSV and list the user's name and type of device.

Get-Mailbox -ResultSize:Unlimited | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity -ErrorAction SilentlyContinue}| Where{$_.LastSuccessSync -gt '01/01/11'} | Sort-Object -Property DeviceType,Identity | Select-Object @{name="EmailAddress";expression={$_.Identity.ToString().Split("\")[0]}},DeviceType | Export-Csv -Path:"c:\MobileDevices.csv"

One of the bad things about the above script is that it will more than likely return some duplicates. So to combat that, I added a where statement just so I can get the devices that have synced in the last 30 days.

get-mailbox -ResultSize unlimited -Filter {EmailAddresses -like "*@email.com" } | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity  -ErrorAction SilentlyContinue}| where {$_.lastsuccesssync -gt '02/01/2011'} | Sort-Object -Property DeviceType,Identity | Select-Object @{name="EmailAddress";expression={$_.Identity.ToString().Split("\")[0]}},DeviceType

Ok, now here is a quick way of doing the same thing but by using a filter. I recommend always using a filter to get your results. In this example we are filtering on EmailAddresses and only listing those people that have synced a device in the last 30 days. I spent a few hours trying to figure out how to best do this, and this is the best I could come up with. Please leave a comment if you know of a better way.

get-mailbox -ResultSize unlimited -Filter {EmailAddresses -like "*@email.com" } | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity  -ErrorAction SilentlyContinue}| where {$_.lastsuccesssync -gt '02/01/2011'} | Sort-Object -Property DeviceType,Identity | Select-Object @{name="EmailAddress";expression={$_.Identity.ToString().Split("\")[0]}},DeviceType | Export-Csv -Path:"c:\MobileDevices_email.com.csv"
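
The 30-day window and the duplicate rows discussed above can both be handled inside the pipeline. This is an added example, not part of the original post: the function name Get-RecentActiveSyncDevice is hypothetical, the sample rows are constructed to mimic the Identity, DeviceType and LastSuccessSync properties used above, and a duplicate is assumed to mean the same mailbox and device type appearing more than once.

```powershell
# Added example. Get-RecentActiveSyncDevice is a hypothetical helper name.
function Get-RecentActiveSyncDevice {
    param(
        [Parameter(Mandatory = $true)] [object[]] $DeviceStatistics,
        [int] $Days = 30
    )
    # Rolling cutoff instead of a hard-coded date string.
    $cutoff = (Get-Date).AddDays(-$Days)
    $emailAddress = @{ Name = 'EmailAddress'; Expression = { $_.Identity.ToString().Split('\')[0] } }

    # 1. Drop partnerships that never synced or last synced before the cutoff.
    # 2. Assumption: a duplicate is the same mailbox + device type seen twice;
    #    keep only the most recently synced row of each such group.
    $DeviceStatistics |
        Where-Object { $null -ne $_.LastSuccessSync -and $_.LastSuccessSync -gt $cutoff } |
        Select-Object $emailAddress, DeviceType, LastSuccessSync |
        Group-Object -Property EmailAddress, DeviceType |
        ForEach-Object { $_.Group | Sort-Object LastSuccessSync -Descending | Select-Object -First 1 } |
        Sort-Object -Property DeviceType, EmailAddress
}

# Constructed sample rows (not real mailboxes or device IDs).
$now = Get-Date
$sample = @(
    New-Object PSObject -Property @{ Identity = 'alice@email.com\AirSync-iPhone-A1'; DeviceType = 'iPhone'; LastSuccessSync = $now.AddDays(-2) }
    New-Object PSObject -Property @{ Identity = 'alice@email.com\AirSync-iPhone-A0'; DeviceType = 'iPhone'; LastSuccessSync = $now.AddDays(-20) }
    New-Object PSObject -Property @{ Identity = 'bob@email.com\AirSync-PocketPC-B1'; DeviceType = 'PocketPC'; LastSuccessSync = $now.AddDays(-45) }
    New-Object PSObject -Property @{ Identity = 'carol@email.com\AirSync-Android-C1'; DeviceType = 'Android'; LastSuccessSync = $null }
    New-Object PSObject -Property @{ Identity = 'dave@email.com\AirSync-iPad-D1'; DeviceType = 'iPad'; LastSuccessSync = $now.AddDays(-10) }
)

# With the real cmdlets, collect the Get-ActiveSyncDeviceStatistics output from
# the pipeline above into a variable and pass it in place of $sample.
Get-RecentActiveSyncDevice -DeviceStatistics $sample | Format-Table -AutoSize
```

The result can be piped to Export-Csv in the same way as the commands above.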

Guest bloggers

Good evening, I have been speaking with co-workers about this blog and a few expressed interest in blogging about their day-to-day systems administration duties. In the near future you may see some posts from Steve Kremer. Steve is a co-worker of mine who deals with Active Directory, Citrix and Enterprise Messaging. Steve brings years of experience and a wide array of knowledge.


vCheck (daily report) version 5.31

As many of you know, I have created a vCheck feature request list (http://bit.ly/dGrNjh) using comments from the Virtu-Al.net site. I’ve been working through them as time permits.

In a post earlier in the week, I provided a solution to make ‘vCheck as a vSphere Client “Solutions and Application”’. This post attempted to resolve feature request items #16 and #17. If you are interested, that post is available here: http://enterpriseadmins.org/blog/?p=258. It is not really a change to vCheck, but some steps that need to happen to make vCheck appear in vCenter.

Today, I am posting more updates to vCheck. This updated version includes feature requests #2, #11 and #51.

# Version 5.31- bwuch: Bug fix for LockdownMode
# Version 5.30- bwuch: Add check for VMtools installer connected
# Version 5.29- bwuch: Add check for VM capacity forecasting
# Version 5.28- bwuch: Change to Get-HTMLTable function for possible performance improvements

I’m sure update 5.28 was suggested in the Virtu-Al.net comments, but for some reason I couldn’t find it on the feature request list.

Update 5.29 isn’t perfect and I wanted to let everyone know. There are comments in the code, but I wanted to add them to this post for reference. Instead of looping through all of the virtual machines and adding up the amount of space used, I simply subtract the datastore free space from the capacity and assume that is how much is being used. We also make the assumption that no more than 85% of a datastore’s capacity will be used (to reserve room for thin-provisioned growth, snapshots, changed block tracking and log files). These assumptions make the code run pretty fast, but I’ve seen some oddities in my test environment. (Like -41 virtual machines remaining in a data center I’m sure has enough free space for 1 or 2 more VMs 🙂 ) Here is what I’ve added to the comments of the script for reference:

# The disk forecast will be per datacenter instead of per cluster since
# Get-Datastore -Entity only supports VirtualMachine, VMHost, and Datacenter objects.
# To improve performance in code, we are going to make the following assumptions
#   Assumption 1.) Disk capacity - Free Space = space used by VMs
#   Assumption 2.) used space / count of VMs = Avg Space used per VM
#   Assumption 3.) we will reserve 15% of capacity for overhead

If anyone else has a better solution (fast and accurate) please let me know.
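
The three assumptions above, written out as an added example (this is not the vCheck 5.29 code): the function name Get-VMCapacityForecast, its parameters and the datacenter figures are constructed for illustration. Under these assumptions the estimate goes negative as soon as used space passes the 85% line, even while free space remains.

```powershell
# Added example. Get-VMCapacityForecast is a hypothetical helper name; it only
# writes out the three assumptions listed in the script comments above.
function Get-VMCapacityForecast {
    param(
        [Parameter(Mandatory = $true)] [string] $Datacenter,
        [Parameter(Mandatory = $true)] [double] $CapacityGB,
        [Parameter(Mandatory = $true)] [double] $FreeSpaceGB,
        [Parameter(Mandatory = $true)] [int]    $VMCount,
        [double] $ReservePercent = 15
    )
    $usedGB     = $CapacityGB - $FreeSpaceGB                  # Assumption 1
    $usableGB   = $CapacityGB * (1 - $ReservePercent / 100)   # Assumption 3
    $headroomGB = $usableGB - $usedGB                         # below zero past the reserve line

    $avgGB = $null; $remaining = $null; $clamped = $null; $rawFit = $null
    if ($VMCount -gt 0 -and $usedGB -gt 0) {
        $avgGB     = $usedGB / $VMCount                       # Assumption 2
        $remaining = [int][math]::Floor($headroomGB / $avgGB)
        $clamped   = [math]::Max(0, $remaining)               # report "none" instead of a negative
        $rawFit    = [int][math]::Floor($FreeSpaceGB / $avgGB) # ignoring the reserve entirely
    }
    # With no VMs or no used space there is no average, so the estimates stay $null.
    New-Object PSObject -Property @{
        Datacenter       = $Datacenter
        UsedGB           = $usedGB
        AvgGBPerVM       = $avgGB
        HeadroomGB       = $headroomGB
        VMsRemaining     = $remaining
        VMsRemainingMin0 = $clamped
        FitsInFreeSpace  = $rawFit
    }
}

# Constructed sample figures, one row per datacenter.
$datacenters = @(
    @{ Datacenter = 'DC-A'; CapacityGB = 10000; FreeSpaceGB = 4000; VMCount = 100 }
    @{ Datacenter = 'DC-B'; CapacityGB = 10000; FreeSpaceGB = 1200; VMCount = 220 }
    @{ Datacenter = 'DC-C'; CapacityGB = 2000;  FreeSpaceGB = 2000; VMCount = 0 }
)

$datacenters |
    ForEach-Object { Get-VMCapacityForecast @_ } |
    Select-Object Datacenter, UsedGB, AvgGBPerVM, HeadroomGB, VMsRemaining, VMsRemainingMin0, FitsInFreeSpace |
    Format-Table -AutoSize
```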

Here is version 5.31 for those interested: Download vCheck5.31.ps1.txt
