As most of you know (or may not), Adobe Flash reached its End of Life on December 31st 2020, and as of January 12th 2021 does not function at all!
Since Adobe is no longer supporting Flash, they are blocking and disabling all Flash content beginning January 12 2021 from web browsers including Chrome.
For IT folks, this causes big problems when managing, maintaining, or dealing with older systems that use Adobe Flash, such as older versions of VMware vSphere, vCenter/vCSA, and VMware Horizon. This is because the admin interfaces utilize Adobe Flash. This will also apply to other software and systems.
Up until now while approaching the end of life date, special steps were required to allow Adobe Flash because of security concerns.
As of January 12, 2021 these steps no longer work. Even when choosing to “Allow” flash, Adobe will deliberately block it. You’ll see something similar to below.
This workaround should only be used for emergency situations as you should truly try to reduce your dependence on Flash.
For this workaround, you will need Chrome Version 87 or earlier. Version 88 does not include Adobe Flash.
On Windows, you’ll need to create a file called “mms.cfg” in the following path:
Well, it looks like it’s going to be an interesting day with Google Services down. Today, December 14th 2020, it appears a number of Google Services including YouTube, some Google Account functions, Google Drive, and “Backup and Sync from Google” aren’t functioning.
Update Dec 14th 2020 6:00AM MST: It appears services have been restored.
I first noticed this this morning when I logged in to my computer. Backup and Sync from Google was signed out and asking me to sign in. Attempting to sign in presented the following error.
At first I thought there may have been some type of security issue or an issue with my firewall, but after some brief investigation (thank you Twitter), I was able to identify that it’s a very large interruption.
List of Google Services Down
As of right now, I’m seeing reports that the following services are down:
Some account services
Backup and Sync from Google
While it’s easy to love cloud services, it’s not fun when they go down. I’ll update this post as I get more information.
In this post I’m going to explain what VDI is in the simplest form and how you can benefit from using virtual desktop infrastructure (virtualized desktops) in your EUC strategy.
Virtual Desktop Infrastructure (VDI)
VDI stands for Virtual Desktop Infrastructure. Think of your existing physical desktop infrastructure (your desktop computers, also called end user computing), now virtualize those desktop computers in a virtual environment much like your servers are, and you now have Virtual Desktop Infrastructure.
End User Computing (EUC)
Traditionally end user computing has been delivered by means of deploying physical (real) computers to each user in your office (and possibly remote users). This brings with it the cost of the systems, the time/cost to maintain the systems and hardware, and the management overhead of maintaining those systems.
By utilizing VDI, you can significantly reduce the cost, management, and maintenance required to maintain your EUC infrastructure.
What is VDI
When you implement a VDI solution, you virtualize your desktops and workstations on a virtualization server, much like your servers are probably already virtualized. Users will connect via software, a thin client, or a zero client to establish the session to transmit and receive the video, monitor, and keyboard of the workstation that is virtualized.
This might sound familiar, like RDS (Remote Desktop Services). However, in an RDS environment numerous users share the same server and resources and access it in a multi-user fashion, whereas with VDI they are using a virtualized Windows instance dedicated to them, running an OS like Windows 10.
How does VDI work
Using the software, thin client, or zero client, a user establishes a session to a connection broker, which then passes it along to the Virtual Machine running on the server. The Virtual Machine encodes and compresses the graphics and then connects the user’s keyboard and mouse to the VM.
What’s even cooler, is that remote devices like printers and USB devices can also be forwarded on to the VM, giving the user the feeling that the computer that’s running on the server, is actually right in front of them.
And if that isn’t cool enough, in an environment where 3D accelerated and high-performance graphics are required, you can use special graphics cards and GPUs to provide those high end graphics remotely to users. Technically you could game, do engineering work, video and graphics editing, and more.
Why use VDI
So your desktops are now virtualized. This means you no longer need to maintain numerous physical PCs and the hardware that is inside of them.
You can deploy a standardized golden image that instantly clones as users log in to give them a pre-configured and maintained environment. This means you manage one or a few desktops which can get deployed to hundreds of users, instead of managing hundreds of desktops.
If a thin client or zero client fails, you can simply deploy a new unit to the user. These units are very inexpensive, and this reduces downtime.
In the event of a disaster, your VDI EUC environment would be integrated in to your disaster recovery solution, meaning it would be very easy to get users back up and running.
One of the best parts is that the environment can be used inside of your office and externally, allowing you to provide a smooth experience for remote users. This made business continuity a breeze for organizations that need to deploy remote users or “Work from home” users on the fly.
The cost of VDI
The cost to roll out a VDI solution varies depending on the number of users, types of users, and functionality you’d like.
Typically, VDI is a no-brainer for large organizations and enterprises due to the cost savings on hardware, management, and maintaining the solution vs traditional desktops. But smaller organizations can also benefit from VDI, examples being organizations that use expensive desktops and/or laptops for uses such as engineering, software development, and other uses that require high-cost workstations.
One last thought I want to leave you with: imagine an environment with 50-100 systems, and all the wasted power and CPU cycles when users are just browsing the internet. In a virtual environment you can over-allocate resources, which means you can identify user trends and only purchase the hardware you need based on observed workloads. This can significantly reduce the cost of hardware, especially for software development, engineering, and other high performance computing.
A new Side Chat Episode of the Tech Informative is now live on YouTube. In this episode we are covering HPE Integrated Lights-Out, also known as HPE iLO.
The Tech Informative is a video podcast by Stephen Wagner and Rob Dalton that hopes to explore everyday technologies from the perspective of Information Technology professionals.
Rob Dalton is a lover of IT and a Director by profession. Rob considers himself a jack of all trades, an IT veteran, and is also the author of “Secured Packets”, a technology blog with a focus on security. Rob’s blog can be found at: https://www.securedpackets.com
Did a new VM appear on your VMware vSphere cluster called “vCLS”? Maybe multiple appeared, named “vCLS (1)”, “vCLS (2)”, “vCLS (3)”.
This could be frightening but fear not, this is part of VMware vSphere 7.0 Update 1.
What is the vCLS VM?
The vCLS virtual machine is essentially an “appliance” or “service” VM that allows a vSphere cluster to remain functioning in the event that the vCenter Server becomes unavailable. It will maintain the health and services of that cluster.
Where did the vCLS VM come from?
The vCLS VM will appear after upgrading to vSphere 7.0 Update 1. I’m assuming it was deployed during the upgrade process.
It does not appear in the standard Cluster, Hosts, and VMs view, but does appear when looking at the vSphere objects VM lists, Storage VM lists, etc…
Is it normal to have more than one vCLS VM?
The vCLS VMs are created when hosts are added to a vSphere Cluster. Up to 3 vCLS VMs are required to run in each vSphere Cluster.
The vCLS VMs will also appear on clusters which contain only one or two hosts. These configurations will result in either 1 or 2 vCLS VMs named “vCLS (1)” and “vCLS (2)”.
A note on licensing in regards to the vCLS VM
For VMware environments that use VM based licensing like vSphere for ROBO (Remote Office Branch Office), vCLS VMs are shown in the licensing interface as counting towards licensed VMs. Please note that these VMs do not officially count towards your purchased licenses as these are VMware System VMs. Please read VMware KB 80472 for more information on this.
More Information on vCLS VMs
For more information and technical specifics, you can visit the link below:
Originally when an environment was configured with an Nvidia GRID K1 or K2 card, not only does the card provide 3D acceleration and rendering, but it also offloads the VMware BLAST h264 stream (the visual session) so that the CPU doesn’t have to. This results in less CPU usage and provides a streamlined experience for the user.
This functionality was handled via NVFBC (Nvidia Frame Buffer Capture) which was part of the Nvidia Capture SDK (formerly known as GRID SDK). This function allowed the video card to capture the video frame buffer and encode it using NVENC (Nvidia Encoder).
Ultimately after spending hours troubleshooting, I learned that NVFBC has been deprecated and is no longer supported, hence why it’s no longer functioning. I also checked and noticed that tools (such as nvfbcenable) were no longer bundled with the VMware Horizon agent. One can assume that the agent doesn’t even attempt to check or use this function.
Before I was aware of this, I noticed that while 3D Acceleration and graphics were functioning, I was experiencing high CPU usage. Upon further investigation I noticed that my VMware BLAST sessions were not offloading h264 encoding to the video card.
You’ll notice above that under the “Encoder” section, the “Encoder Name” was listed as “h264 4:2:0”. Normally this would say “NVIDIA NvEnc H264” (or “NVIDIA NvEnc HEVC” on newer cards) if it was being offloaded to the GPU.
Looking at a VMware Blast session (Blast-Worker-SessionId1.log), the following lines can be seen.
You’ll notice it tries to load the proper functions, however it fails.
Unfortunately the only solution is to upgrade to newer or different hardware.
The GRID K1 and GRID K2 cards have reached their EOL (End of Life) and are no longer supported. The drivers are not being maintained or updated so I doubt they will take advantage of the newer frame buffer capture functions of Windows 10.
Newer hardware and solutions have incorporated this change and use a different means of frame buffer capture.
To resolve this in my own homelab, I plan to migrate to an AMD FirePro S7150x2.
In my diagnosis, I logged in to the SSH console of the source appliance, and noticed that the partition containing the VUM data (which includes update files) was around 7.4GB. This is the “/storage/updatemgr/” partition.
I wasn’t sure if this was included, but the 8GB of configuration, minus the 7.4GB of VUM data, could technically get me to around 0.6GB for migration if this was in fact included.
In my environment, I have the default (and simple) implementation of VUM with the only customization being the HPE VIBs depot. I figured maybe I should blast away the VUM and start from scratch on VMware vCSA 7.0 to see if this fixes the issue.
To fix this issue, I simply completely reset the VMware Update Manager Database.
For details on this process and before performing these steps, please see VMware KB 2147284.
Let’s get to it:
Close the migration window (you can reopen this later)
Log in to your vCSA source appliance via SSH or console
Run the applicable steps as defined in the VMware KB 2147284 to reset VUM (WARNING: commands are version specific). In my case on vCSA 6.5 I ran the following commands:
When you’re looking for additional or enhanced options to secure your business and enterprise IT systems, MFA/2FA can help you achieve this. Get away from the traditional single password, and implement additional means of authentication! MFA provides a great complement to your cyber-security policies.
MFA is short for Multi-Factor Authentication, and 2FA is short for Two-Factor Authentication. While they are somewhat the same, multi means many, and 2 means two. Additional security is provided with both, since each provides more means of authentication.
Traditionally, users authenticate with 1 (one) level of authentication: their password. In simple terms, MFA/2FA provides a 2nd method of authentication and identity validation in addition to a password. Requiring users to authenticate with a 2nd mechanism provides enhanced security.
Why use MFA/2FA
In a large portion of security breaches, we see users’ passwords become compromised. This can happen during a phishing attack, or through a virus, a keylogger, or other ways. Once a malicious user or bot has a user’s credentials (username and password), they can access resources available to that user.
By implementing a 2nd level of authentication, even if a user’s password becomes compromised, the real (or malicious) user must pass a 2nd authentication check. While this is easy for the real user, in most cases it’s nearly impossible for a malicious user. If a password gets compromised, nothing can be accessed as it requires a 2nd level of authentication. If this 2nd method is a cell phone or hardware token, a malicious user won’t be able to access the user’s resources unless they steal the cell phone or hardware token.
How does MFA/2FA work
When deploying MFA or 2FA you have the option of using an app, hardware token (fob), or phone verification to perform the additional authentication check.
After a user attempts to log on to a computer or service with their username and password, the 2nd level of authentication will be presented, and must pass in order for the login request to succeed.
Please see below for an example of 2FA selection screen after a successful username and password:
After selecting an authentication method for MFA or 2FA, you can use the following:
2FA with App (Duo Push)
Duo Push sends an authentication challenge to your mobile device which a user can then approve or deny.
Please see below for an example of Duo Push:
Once the user selects to approve or deny the login request, the original login will either be approved or denied. We often see this as being the preferred MFA/2FA method.
2FA with phone verification (Call Me)
Duo phone verification (Call Me) will call you on your phone number (pre-configured by your IT staff) and challenge you to either hang up to deny the login request, or press a button on the keypad to accept the login request.
While we rarely use this option, it is handy to have as a backup method.
2FA with Hardware Token (Passcode)
Duo Passcode challenges are handled using a hardware token (or you can generate a passcode using the Duo App). Once you select this method, you will be prompted to enter the passcode to complete the 2FA authentication challenge. If you enter the correct passcode, the login will be accepted.
Here is a Duo D-100 Token that uses HOTP (HMAC-based One Time Password):
When you press the green button, a passcode will be temporarily displayed on the LCD display which you can use to complete the passcode challenge.
You can purchase Hardware Tokens directly from Digitally Accurate Inc by contacting us, your existing Duo Partner, or from Duo directly. Duo is also compatible with other 3rd party hardware tokens that use HOTP and TOTP.
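How an HOTP passcode like the one shown on a hardware token is computed and checked, as an added example that is not code from this post or from Duo. It follows RFC 4226 using the RFC's published test secret; the HotpVerifier class, its look-ahead window of 3, and the 6-digit length are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Test secret from RFC 4226 Appendix D (public test value, not a real token seed).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Hypothetical server-side record for one token: seed plus next expected counter."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 3):
        self.secret = secret
        self.counter = counter  # next counter value the server expects
        self.window = window    # extra button presses tolerated before resync is needed

    def verify(self, passcode: str) -> bool:
        supplied = passcode.strip().encode()
        for step in range(self.window + 1):
            expected = hotp(self.secret, self.counter + step).encode()
            if hmac.compare_digest(expected, supplied):
                # Move past the accepted counter so the same passcode cannot be replayed.
                self.counter += step + 1
                return True
        return False  # counter is left unchanged on failure


def demo() -> list:
    """Constructed login sequence against the RFC test secret."""
    server = HotpVerifier(RFC_SECRET)
    return [
        server.verify("755224"),  # counter 0: accepted
        server.verify("755224"),  # replay of the same passcode: rejected
        server.verify("969429"),  # counter 3, two unused presses skipped: accepted
        server.verify("520489"),  # counter 9, outside the window starting at 4: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

A larger window tolerates more accidental button presses but gives a guesser more valid passcodes per attempt, so it should be paired with attempt throttling.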
2FA with U2F
While you can’t visibly see the option for U2F, you can use U2F as an MFA or 2FA authentication challenge. This includes devices like a Yubikey from Yubico, which plugs in to the USB port of your computer. You can attach a Yubikey to your key chain, and bring it around with you. The Yubikey simply plugs in to your USB port and has a button that you press when you want to authenticate.
When the 2FA window pops up, simply hit the button and your Yubikey will complete the MFA/2FA challenge.
What can MFA/2FA protect
Duo MFA supports numerous cloud and on-premise applications, services, protocols, and technologies. While the list is very large (full list available at https://duo.com/product/every-application), we regularly deploy and use Duo Security for the following configurations.
Windows Logins (Server and Workstation Logon)
Duo MFA can be deployed to not only protect your Windows Servers and Workstations, but also your remote access system as well.
When logging on to a Windows Server or Windows Workstation, a user will be presented with the following screen for 2FA authentication:
Below you can see a video demonstration of DUO on Windows Login.
DUO works with both Windows Logins and RDP (Remote Desktop Protocol) Logins.
VMware Horizon View Clients (VMware VDI Logon)
Duo MFA can be deployed to protect your VDI (Virtual Desktop Infrastructure) by requiring MFA or 2FA when users log in to access their desktops.
When logging on to the VMware Horizon Client, a user will be presented with the following screen for 2FA authentication:
Below you can see a video demonstration of DUO on VMware Horizon View (VDI) Login.
Sophos UTM (Admin and User Portal Logon)
Duo MFA can be deployed to protect your Sophos UTM firewall. You can protect the admin account, as well as user accounts when accessing the user portal.
If you’re using the VPN functionality on the Sophos UTM, you can also protect VPN logins with Duo MFA.
Unix and Linux (Server and Workstation Logon)
Duo MFA can be deployed to protect your Unix and Linux Servers. You can protect all user accounts, including the root user.
We regularly deploy this with Fedora and CentOS (even FreePBX) and you can protect both SSH and/or console logins.
When logging on to a Unix or Linux server, a user will be presented with the following screen for 2FA authentication:
Below you can see a video demonstration of DUO on Linux.
Duo MFA can be deployed to protect your WordPress blog. You can protect your admin and other user accounts.
If you have a popular blog, you know how often bots are attempting to hack and brute force your passwords. If by chance your admin password becomes compromised, using MFA or 2FA can protect your site.
When logging on to a WordPress blog admin interface, a user will be presented with the following screen for 2FA authentication:
Below you can see a video demonstration of DUO on a WordPress blog.
How easy is it to implement
Implementing Duo MFA is very easy and works with your existing IT Infrastructure. It can easily be setup, configured, and maintained on your existing servers, workstations, and network devices.
Duo offers numerous plugins (for Windows), as well as options for RADIUS type authentication mechanisms, and other types of authentication.
How easy is it to manage
Duo is managed through the Duo Security web portal. Your IT admins can manage users, MFA devices, tokens, and secured applications via the web interface. You can also deploy appliances that allow users to manage, provision, and add their MFA devices and settings.
Duo also integrates with Active Directory to make managing and maintaining users easy and fairly automated.