Category Archives: VMware


VMware Explore US 2023

NSX+: The Future of Security and Networking for Hybrid Cloud Environments

In today’s digital age, organizations are increasingly adopting hybrid cloud strategies to stay agile, flexible, and competitive. However, this shift also introduces new security challenges, as legacy security tools struggle to keep pace with a rapidly evolving threat landscape and with policy that now has to span several clouds. To address this, VMware has been working behind the scenes on NSX+, a Software as a Service (SaaS) offering that delivers five “as-a-service” capabilities so that security and networking policy stays consistent across all locations.

The five services offered by NSX+ are:

1. Policy Management: Customers can define and deploy consistent security and network policies across all locations, ensuring that their organization has one dashboard to rule them all when it comes to security.

2. Application Visibility: Network flow recommendations for applications allow organizations to create more efficient and accurate application mappings, essentially enabling the creation of a zero-trust micro-segmentation environment.

3. Network Detection & Response: The ability to triage and block/isolate incoming threats in the environment, providing an additional layer of security.

4. Avi Controller Capability: The ability to run Avi (NSX Advanced Load Balancer) controllers as a service from the cloud, so that load-balancing and application delivery policy follows workloads across whichever cloud deployments an organization has.

5. Hybrid Cloud Extension Service: The ability to extend the hybrid cloud environment to any location, allowing organizations to seamlessly move workloads between environments.

Multi-Tenant Self-Service Policy Management

One of the most exciting capabilities of NSX+ is its multi-tenancy for self-service cloud consumption. This feature allows different lines of business areas to have their own project administrators, who can configure their part independently without affecting each other or involving the Enterprise Administrators. This feature is similar to federation capabilities in NSX, but on steroids, allowing organizations to manage all their locations from a single management console.

Virtual Private Clouds

Another key capability of NSX+ is the ability to create virtual private clouds (VPCs). Public clouds have had this capability for a while, but providing it in NSX will simplify and accelerate the deployment of standard configurations inside projects. Defining a VPC will be similar to how you do it in the public cloud today, with the interface asking the project admin about the subnet needs with connectivity configuration, and NSX creating that isolated environment for consumption by that project.

Enhanced Security and Networking for Hybrid Cloud Environments

NSX+ offers several enhancements to security and networking for hybrid cloud environments. The application visibility feature provides network flow recommendations for applications, allowing organizations to create more efficient and accurate application mappings. The network detection & response capability allows organizations to triage and block/isolate incoming threats in the environment, providing an additional layer of security.

The Future of Security and Networking

With NSX+, VMware is taking a significant step towards addressing the security challenges faced by hybrid cloud environments. The platform’s ability to provide consistent policy management, application visibility, network detection & response, AVI controller capability, and hybrid cloud extension service will help organizations improve their security posture and simplify their networking operations.

As more and more organizations adopt hybrid cloud strategies, the need for robust security and networking solutions will only continue to grow. With NSX+, VMware is poised to play a leading role in shaping the future of security and networking for hybrid cloud environments.

In conclusion, NSX+ offers a range of exciting features that can help organizations simplify their security and networking operations while improving their overall security posture. With its multi-tenancy for self-service cloud consumption, virtual private clouds, and enhanced security and networking capabilities, NSX+ is set to revolutionize the way organizations approach hybrid cloud security. Stay tuned for more information on these exciting new features and how they can help your organization thrive in today’s digital age.

Spice Up Your Dinner Plans with PartyRock – The Cheeky and Chatty Dinner Decider

Playing with PartyRock: A Fun and Educational Generative AI Experience

Last week, AWS introduced PartyRock, a revolutionary Amazon Bedrock Playground interface that lets you build fun applications using Generative AI without coding knowledge. This innovative tool not only makes it easy to create engaging applications but also provides an opportunity to learn about Prompt Engineering and Large Language Models in an enjoyable way.

Inspired by the weekend and my love for food, I decided to create an application that would help me decide what to have for dinner. With PartyRock’s ease of use, it only took me about 5 minutes to develop the “Cheeky and Chatty Dinner Decider.” This app lets me ask a few questions about the dish before deciding to make it, and even better, the food answers my questions!

My chat with “Fish and Chips” was hilarious, and I enjoyed my conversation with “Smoked Salmon and Avocado Sushi” very much. Not only did I get the recipe information, but I also received tips on variations, the dish’s origin/history, and more. The “chats” with “Jacket Potatoes” and “Hawaiian Pizza” were also entertaining and informative.

The best part about PartyRock is that it’s so easy to use. With just a few clicks, you can have an application up and running in no time. Jeff Barr has written an introductory blog post that goes through the basics, and the guidance on the page is clear and concise.

So, what are you waiting for? Go ahead and give PartyRock a try. You can use the accompanying examples to get started, and don’t forget to “Remix” my app and enhance it to suit your taste. With this amazing tool at your disposal, the possibilities are endless.

In conclusion, PartyRock is an incredible opportunity for anyone interested in Generative AI and Amazon Bedrock to have fun while learning. It’s easy to use, and the potential for creativity and exploration is immense. Don’t hesitate to give it a try and see what amazing applications you can create!

Unlocking the Full Potential of VMware App Volumes with Writable Volumes and Third-party Application Exclusions

Applying Exclusions in VMware App Volumes: A Guide to Troubleshooting Intermittent Black Screen Issues

As a seasoned IT professional, I’ve encountered my fair share of intermittent black screen issues when using VMware App Volumes. These issues are frustrating and hard to troubleshoot, but the usual cause is a security, VPN or profile agent whose files and registry keys are being captured into the user’s Writable Volume, and the fix is to exclude them. In this blog post, I’ll share the list of Writable Volume exclusions I’ve discovered over the years, which can help you identify and resolve these issues in your environment.

Before we dive into the exclusions, it’s essential to understand that each environment is unique, and what works for one environment may not work for another. Therefore, I recommend testing these exclusions in your development or test environment before implementing them in production.

With that said, let’s get started with the list of exclusions:

1. VPN – Cisco AnyConnect Secure Mobility Client v4.x

The Cisco AnyConnect Secure Mobility Client v4.x can cause intermittent black screens with App Volumes. To resolve this, exclude the client’s installation, program-data and registry locations from the Writable Volume (exclude_path and exclude_registry entries in the volume’s snapvol.cfg). Exclusion set:

ExcludeVmwareAnyConnect

2. Endpoint security – Falcon sensor (CrowdStrike)

The Falcon sensor can also cause black screens. Exclude its installation and data locations from the Writable Volume in the same way. Exclusion set:

ExcludeCiscoFalconAgent

3. Antivirus software – Trellix

Some antivirus software, such as Trellix, can cause black screens. Exclude it from the Writable Volume in the same way. Exclusion set:

ExcludeTrellix

4. Zero trust client – Zscaler Client Connector

The Zscaler Client Connector can also cause black screens. Exclude it from the Writable Volume in the same way. Exclusion set:

ExcludeZscalerClientConnector

5. Supply chain applications – Blue Yonder

Some supply chain applications, such as Blue Yonder, can cause black screens. Exclude them from the Writable Volume in the same way. Exclusion set:

ExcludeBlueYonder

6. VMware Dynamic Environment Manager

The VMware Dynamic Environment Manager agent can also cause black screens. Exclude it from the Writable Volume in the same way. Exclusion set:

ExcludeVMwareDynamicEnvironmentManager

These exclusions can help troubleshoot intermittent black screen issues with App Volumes Writable Volumes. Note that an excluded location is not captured at all, so anything the agent writes there does not persist at logoff; for security and VPN agents that is the intended outcome, because they belong in the golden image rather than in a per-user volume. As above, test in a development or test environment before changing production.
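Before adding exclusions, it is worth checking that the snapvol.cfg you are about to apply is well formed and that every path it names exists on the golden image: a mistyped exclude_path excludes nothing, and the black screen persists. The script below is an added example, not part of the original post and not a VMware tool. The directive names (exclude_path, exclude_registry, exclude_process) are the ones documented for snapvol.cfg; the sample config embedded in it is constructed, and its vendor paths are placeholders rather than the paths for the products above.

```powershell
<#
  Test-SnapvolExclusions.ps1 - added example; not part of the original post
  and not a VMware tool. Parses a Writable Volume snapvol.cfg and checks that
  each exclusion is well formed and resolves on the machine it runs on (the
  golden image), so that a mistyped path does not silently exclude nothing.
  The embedded sample config is constructed; its vendor paths are placeholders.
#>
param([string]$ConfigPath)

$SampleConfig = @'
# constructed sample; one directive per line, key=value
exclude_path=\Program Files\ExampleVendor\Agent
exclude_path=\ProgramData\ExampleVendor
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\ExampleVendor
exclude_process=examplesvc.exe
exclude_path=\Program Files\ExampleVendor\Agent
ExcludeExampleVendor
'@

$lines = if ($ConfigPath) { Get-Content -Path $ConfigPath } else { $SampleConfig -split "`r?`n" }
if (-not $lines) { throw 'Config is empty' }
$known = 'exclude_path', 'exclude_registry', 'exclude_process'
$seen  = @{}

$findings = foreach ($i in 0..($lines.Count - 1)) {
    $n    = $i + 1
    $line = $lines[$i].Trim()
    if (-not $line -or $line.StartsWith('#')) { continue }

    if ($line -notmatch '^(?<key>[a-z_]+)=(?<val>.+)$') {
        # A bare label is not a directive; App Volumes will ignore the line.
        [pscustomobject]@{ Line = $n; Status = 'ERROR'; Detail = "not a key=value directive: $line" }
        continue
    }
    $key = $Matches['key']; $val = $Matches['val'].Trim()
    if ($key -notin $known) {
        [pscustomobject]@{ Line = $n; Status = 'WARN'; Detail = "unrecognised directive '$key'" }
        continue
    }
    if ($seen.ContainsKey("$key=$val")) {
        [pscustomobject]@{ Line = $n; Status = 'WARN'; Detail = "duplicate of line $($seen["$key=$val"])" }
        continue
    }
    $seen["$key=$val"] = $n

    switch ($key) {
        'exclude_path' {
            # snapvol.cfg paths are relative to the system drive
            $full = Join-Path $env:SystemDrive $val
            $status = if (Test-Path -LiteralPath $full) { 'OK' } else { 'MISSING' }
            [pscustomobject]@{ Line = $n; Status = $status; Detail = $full }
        }
        'exclude_registry' {
            # \REGISTRY\MACHINE\... is the kernel name for HKLM; other hives are not checked here
            if ($val -match '^\\REGISTRY\\MACHINE\\(?<rest>.+)$') {
                $hklm = "HKLM:\" + $Matches['rest']
                $status = if (Test-Path -LiteralPath $hklm) { 'OK' } else { 'MISSING' }
                [pscustomobject]@{ Line = $n; Status = $status; Detail = $hklm }
            } else {
                [pscustomobject]@{ Line = $n; Status = 'UNCHECKED'; Detail = $val }
            }
        }
        'exclude_process' {
            $status = if ($val -match '^[^\\/:*?"<>|]+\.exe$') { 'OK' } else { 'ERROR' }
            [pscustomobject]@{ Line = $n; Status = $status; Detail = "process $val" }
        }
    }
}

$findings | Format-Table -AutoSize
$bad = @($findings | Where-Object { $_.Status -in 'ERROR', 'MISSING' })
if ($bad.Count -gt 0) { exit 1 }
exit 0
```

Run it on the golden image with -ConfigPath pointing at the snapvol.cfg of the Writable Volume template; without the parameter it checks the embedded sample, which deliberately contains a duplicate and a bare label so you can see both reported. Anything reported as MISSING or ERROR should be fixed before the template is deployed.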

If you have any questions or comments, please feel free to leave them in the comment section below. I’ll gladly add more exclusions if you want to share them, and I’ll update the post accordingly. Thank you for reading, and I hope you find this information helpful in resolving your black screen issues in VMware App Volumes.

Streamline Your Device Management with Microsoft Intune

Adding Additional DNS Client Servers via Microsoft Intune using PowerShell

In my previous blog post, I discussed how to add additional DNS client servers using Group Policy Objects (GPOs) and PowerShell. In this blog post, we will explore the same process for all of your managed devices using Microsoft Intune.

As mentioned earlier, the best method of assigning DNS servers is through the DHCP server. However, if you do not have a DHCP server or want to use a more centralized approach, Microsoft Intune provides a solution using scripts and PowerShell.

To begin with, we will need to create a script that adds the additional DNS client servers to the managed devices. The script should be saved as “AddDNSClient.ps1” and placed on the desktop. We will then upload this script to the Microsoft Intune portal.

Once the script is assigned, it may take approximately 15-20 minutes for it to run on the managed devices. To validate that it ran, check the Intune Management Extension logs under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs: IntuneManagementExtension.log records the policy being received and executed, and AgentExecutor.log records the script’s own output and exit code.

From here, you can search for the policy ID “cf09649b-78b7-4d98-8bcc-b122c29e5527” that we copied from the Intune portal hyperlink. This will show us if the policy has been applied successfully or not.

To apply additional DNS client servers using Microsoft Intune, follow these steps:

Step 1: Create a script called “AddDNSClient.ps1” and place it on your desktop.

Step 2: Upload the script to the Microsoft Intune portal.

Step 3: Wait for approximately 15-20 minutes for the policy to apply to the managed devices.

Step 4: Validate that the script ran by opening C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log and searching for the policy ID “cf09649b-78b7-4d98-8bcc-b122c29e5527”, then confirm the result on the device with Get-DnsClientServerAddress.
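An AddDNSClient.ps1 that does what the steps above describe, as an added example; it is not the script from the original post. It appends the extra servers to whatever each active adapter already has, validates the addresses first, writes its own log so the result can be cross-checked against the Intune logs, and exits non-zero on bad input so Intune reports the failure. The two server addresses are placeholders.

```powershell
<#
  AddDNSClient.ps1 - added example, not the script from the original post.
  Appends extra DNS servers to every connected physical IPv4 adapter while
  keeping the servers the adapter already has. Intended to run as SYSTEM under
  the Intune Management Extension, so it keeps its own log for cross-checking
  against IntuneManagementExtension.log. Server addresses are placeholders.
#>
[CmdletBinding()]
param(
    [string[]]$AdditionalServers = @('10.10.0.53', '10.10.1.53'),
    [string]$LogPath = "$env:ProgramData\AddDNSClient.log"
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

# Validate before touching any adapter: a bad address pushed by policy breaks
# name resolution on every device the assignment targets.
foreach ($server in $AdditionalServers) {
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($server, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        Write-Log "Invalid IPv4 address '$server'; no changes made"
        exit 1
    }
}

$adapters = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
if ($adapters.Count -eq 0) { Write-Log 'No connected physical adapter found'; exit 1 }

foreach ($adapter in $adapters) {
    $current = @((Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                  -AddressFamily IPv4).ServerAddresses)
    $missing = @($AdditionalServers | Where-Object { $_ -notin $current })

    if ($missing.Count -eq 0) {
        Write-Log "$($adapter.Name): already has $($current -join ', ')"
        continue
    }

    # Caveat: this makes the DNS list static on the interface. The servers that
    # DHCP supplied survive only because they are carried over from $current.
    $desired = $current + $missing
    Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $desired
    Write-Log "$($adapter.Name): set DNS servers to $($desired -join ', ')"
}

# Re-read so the log records what the stack applied, not what was requested.
foreach ($adapter in $adapters) {
    $applied = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                -AddressFamily IPv4).ServerAddresses
    Write-Log "$($adapter.Name): verified $($applied -join ', ')"
}
exit 0
```

Upload it as a PowerShell script in Intune with “Run this script using the logged on credentials” set to No (it must run as SYSTEM to change adapter settings) and “Run script in 64-bit PowerShell Host” set to Yes. Keep the trade-off in mind: once Set-DnsClientServerAddress has run, the interface’s DNS list is static and no longer follows DHCP changes, which is why DHCP remains the preferred method where you have it.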

In conclusion, adding additional DNS client servers using Microsoft Intune is a straightforward process that can be accomplished using PowerShell scripts. This centralized approach provides an easy way to manage all of your managed devices from one location. If you have any questions or need further assistance, please leave a comment below. Thank you for reading!

Secure Your Azure Virtual Desktops with Watermarking and Session Capture Protection

Watermarking and Session Capture Protection in Azure Virtual Desktop using Microsoft Intune and Azure Active Directory

In the latest release of Azure Virtual Desktop (AVD) in July 2023, two exciting features have become generally available: Watermarking and Session Capture protection. These features provide an additional layer of security for your virtual desktops and help protect sensitive data from being leaked or misused. In this blog post, we will explore how to enable these features using Microsoft Intune for session host virtual machines that are Azure Active Directory (AAD) joined.

Requirements

————

Before you can roll out Watermarking and Session Capture protection, you will need the following:

* Supported client devices: your users must connect with a Windows Desktop client (Azure Virtual Desktop client or Remote Desktop client) from a 1.2.x release that supports these features. Both features apply to full desktop sessions; they are not supported for RemoteApp.

* AAD-joined session host virtual machines: Your session host virtual machines must be joined to your Azure Active Directory (AAD) tenant.

Enabling Watermarking and Session Capture Protection using Microsoft Intune

————————————————————————

To enable Watermarking and Session Capture protection, assign the corresponding settings to the session hosts with a Microsoft Intune configuration profile. Once the profile has applied, verify it from a client:

1. Connect to a remote session with a supported client (Azure Virtual Desktop client or Remote Desktop client 1.2.x). With watermarking active, QR codes appear across the desktop. The QR code applies to full desktops on Windows 11 Enterprise multi-session and Windows 11 Enterprise (pooled or personal).

2. Try to capture the session with a screenshot or screen-recording tool on the client. With session capture protection active, the captured image is completely blank, as shown in the example below.

![Screenshot of a blank screen](https://i.imgur.com/fQMu8lx.png)

3. Photograph the screen with your mobile device and scan one of the QR codes. It decodes to the Connection ID of the session, which you can match in Azure Virtual Desktop Insights to find the user, session host and time, as described next.
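To confirm that the Intune profile reached a session host before you test from a client, read the policy values it writes. The script below is an added example, not from the original post. The registry key and value names (fEnableWatermarking, fEnableScreenCaptureProtection and the Watermarking* layout values) are the ones Microsoft documents for these features; that the settings catalog profile writes exactly these values is an assumption to check in your tenant.

```powershell
<#
  Get-AvdCaptureProtectionState.ps1 - added example, not from the original
  post. Run on an AAD-joined session host after the Intune profile has applied.
  Reads the policy values the watermarking and screen capture protection
  settings write and reports the effective state, so you can confirm the
  profile landed before testing from a client. Value names and meanings are
  the ones Microsoft documents for the two features (assumption: the settings
  catalog profile writes them to this key). Exit code follows the Intune
  remediation convention: 0 = compliant, 1 = not.
#>
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-PolicyValue {
    param([string]$Name)
    # $null when the value (or the whole key) is absent, i.e. no policy applied
    (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WatermarkState {
    param($Value)
    if ($null -eq $Value) { return 'Not configured' }
    if ($Value -eq 1)     { return 'Enabled' }
    'Disabled'
}

function Get-CaptureState {
    param($Value)
    # 1 blocks capture on the client; 2 also blocks it on the session host
    if ($null -eq $Value) { return 'Not configured' }
    if ($Value -eq 1)     { return 'Blocked on client' }
    if ($Value -eq 2)     { return 'Blocked on client and session host' }
    'Disabled'
}

$watermark = Get-PolicyValue 'fEnableWatermarking'
$capture   = Get-PolicyValue 'fEnableScreenCaptureProtection'

$report = [ordered]@{
    SessionHost       = $env:COMPUTERNAME
    Watermarking      = Get-WatermarkState $watermark
    CaptureProtection = Get-CaptureState $capture
}
# Watermark layout values; only meaningful when watermarking is enabled
foreach ($name in 'WatermarkingHeightFactor', 'WatermarkingWidthFactor',
                  'WatermarkingOpacity', 'WatermarkingQrScale') {
    $report[$name] = Get-PolicyValue $name
}
[pscustomobject]$report | Format-List

if ($watermark -ne 1 -or $capture -notin @(1, 2)) { exit 1 }
exit 0
```

It can be used unchanged as the detection script of an Intune remediation: exit 0 when both features are on, 1 otherwise, so hosts where the profile has not landed show up as non-compliant instead of being discovered by a user.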

How to Find Session Information from QR Code using Azure Virtual Desktop Insights

—————————————————————————–

To find out the session information from the QR code, you can follow these steps:

1. Open Azure Virtual Desktop Insights and navigate to the Sessions tab.

2. Click on the “Filter” button and select “Connection ID” from the dropdown menu.

3. Enter the Connection ID you obtained from the QR code in the search bar and click “Apply”.

4. You will now see all the sessions associated with the specified Connection ID.

Benefits of Watermarking and Session Capture Protection

—————————————————

Watermarking and Session Capture protection offer several benefits, including:

* Enhanced security: the two features close different leak paths. Session capture protection stops the session from being captured by screenshot, screen-recording or screen-sharing tools on the client, while watermarking deters and helps attribute the one path it cannot block, a photograph of the screen.

* Improved compliance: together they give you an enforceable technical control over how session content leaves the virtual desktop, which supports the data-handling requirements of regimes such as GDPR and HIPAA (they are not on their own evidence of compliance).

* Attribution: the QR code in the watermark encodes the Connection ID, so a leaked photograph can be matched to a user and session host in Azure Virtual Desktop Insights, as shown above.

Conclusion

———-

In this blog post, we have explored how to enable Watermarking and Session Capture protection using Microsoft Intune for session host virtual machines that are Azure Active Directory joined. We have also discussed the benefits of these features: enhanced security, support for compliance requirements, and the attribution that the QR code gives you through Azure Virtual Desktop Insights. By implementing these features, you can provide an additional layer of security for your virtual desktops and help protect sensitive data from being leaked or misused.

Revolutionize Your Frontline Operations with Windows 365 Cloud PCs

In this blog post, we will explore the new Connected Frontline Cloud PCs report in Microsoft Intune, which provides valuable insights into the usage patterns of frontline workers using Windows 365 Cloud PCs. This report is crucial for businesses and IT admins to understand their usage patterns and ensure they have the correct number of licenses.

Accessing the Connected Frontline Cloud PCs Report

To view the report in the Microsoft Intune portal, follow these steps:

1. Sign in to the Microsoft Intune admin center and navigate to Reports.

2. Open the Connected Frontline Cloud PCs report; the data is broken down by Cloud PC size, which is what Windows 365 Frontline licences are bought against.

3. The report will aggregate data for the last 28 days and showcase the following information:

* Maximum concurrent connections

* Average concurrent connections

* Peak usage hours

Understanding the Report

The Connected Frontline Cloud PCs report is tailored for Windows 365 Frontline and provides insights into the usage patterns of frontline workers. If a business hasn’t purchased any Windows 365 Frontline licenses, the report will remain empty.

The report shows the maximum concurrent connections for each Cloud PC size, which is crucial for businesses and IT admins to understand their usage patterns and ensure they have the correct number of licenses. Because a Windows 365 Frontline licence allows only one of its assigned Cloud PCs to be connected at a time, the peak concurrency per size is the number to compare against the licences you hold; if it approaches that number, you need to acquire more. This ensures that end users have uninterrupted access to their Frontline Cloud PCs.

The report also shows the average concurrent connections, which helps businesses and IT admins understand the typical usage patterns of frontline workers. This information can be used to plan resource allocation and ensure that the organization has enough licenses to meet the demands of its frontline workers.

In the Dec 2023 release, a new filter was introduced that shows hourly data for the consumption of Frontline Worker desktops. This provides even more precise planning and ensures that resources and licenses are allocated efficiently.

Using the Report to Make Decisions

The Connected Frontline Cloud PCs report is an essential tool for businesses and IT admins to make informed decisions about resource allocation and license management. By analyzing the usage patterns of frontline workers, you can:

1. Determine if there’s a need to acquire more licenses based on maximum concurrent connections.

2. Plan resource allocation based on typical usage patterns.

3. Ensure that end users have uninterrupted access to their Frontline Cloud PCs.

4. Make decisions about the allocation of resources and licenses based on hourly data.

Conclusion

The Connected Frontline Cloud PCs report in Microsoft Intune provides valuable insights into the usage patterns of frontline workers using Windows 365 Cloud PCs. By analyzing this report, businesses and IT admins can ensure that they have the correct number of licenses and plan resource allocation efficiently. With this information, you can make informed decisions about license management and resource allocation to meet the demands of your frontline workers.

Unlocking Efficiency with Aria Automation Configuration

Setting Up Aria Automation Config for Saltstack Management

In this series of posts, we will take you through the process of setting up Aria Automation Config for SaltStack management. We will cover everything from the requirements and deployment of the Aria Automation Config component to creating custom desired states and integrating with Cloud templates. In this first post, we will go over the requirements and deployment of the Aria Automation Config instance.

Requirements for Aria Automation Config

—————————————-

Before you begin, it’s important to understand the requirements for setting up Aria Automation Config. Here are some key things to keep in mind:

* Aria Automation Config is the SaltStack Config component of the Aria suite. The appliance includes the Salt master, so you do not need a separate SaltStack installation, but you should plan which systems (minions) it will manage.

* You will need an Active Directory domain to use Aria Automation Config for access control and role-based management.

* You will need at least one Ubuntu server with the salt-minion agent installed, to act as a managed node.

* You should have a basic understanding of SaltStack and Aria Automation Config concepts and features.

Deploying Aria Automation Config

——————————-

Once you have met the requirements, you can begin deploying the Aria Automation Config instance. Here are the general steps:

1. Deploy the Aria Automation Config appliance through Aria Suite Lifecycle (the Add Product option into an existing Aria Automation environment).

2. Log in to the appliance and complete the initial configuration, including the Active Directory integration used for access control (covered in the next post).

3. Install the salt-minion package on your Ubuntu server.

4. Point the minion at the appliance’s Salt master (the master: setting in /etc/salt/minion), start the service, and accept the minion’s key in the Aria Automation Config UI under Minion Keys. Compare the fingerprint the minion reports (salt-call --local key.finger) with the pending key before accepting it; accepting keys blindly lets any host that can reach the master enrol itself as a managed node.

5. Test the setup by running test.ping against the minion from the UI and confirming it responds.

In the next post, we will cover how to configure the Aria Automation Config instance to utilize Active Directory for access control and role-based management. Stay tuned!

About the Author

——————

Paul Davey is the CIO at Sonar, the Automation Practice Lead at Xtravirt, and a guitarist in The Waders. He loves IT, automation, programming, and music. You can find more of his work on the AutomationPro blog.

Unlocking Aria Automation Config

Aria Automation Config: A Welcome Addition to the Aria Suite

In my previous posts, I have been exploring the features and capabilities of Aria Automation Config, a powerful tool that allows administrators to define the applications, files, and other settings that should be present on a given system. This feature-rich product is now tightly integrated into the Aria Automation product, enabling administrators to continue the lifecycle of deployed resources. In this post, I will guide you through setting up the Automation Config product and integrating it with your Cloud templates.

Installation and Initial Configuration

To get started with Aria Automation Config, you will need to gather some information and carry out a few steps before you start deployment. For the sake of this series of blog posts, I used the Add Product option to deploy Automation Config into an existing environment that had Aria Automation deployed. Once installation is complete, navigate to the user interface in your web browser at https://fqdn/login. Enter admin as the username and the password you used during the deployment.

Once logged in, you should be greeted with a view similar to the one below. The initial configuration of the appliance includes selecting the management server, configuring the database, and defining the desired state of the system. In the next post in this series, we will perform initial configuration of the appliance and explore how to create a custom desired state.

Benefits of Aria Automation Config

Aria Automation Config offers several benefits for administrators looking to streamline their IT operations. With this tool, you can:

1. Define the applications, files, and other settings that should be present on a given system.

2. Continuously evaluate the system against the desired state and make changes as needed.

3. Integrate with your Cloud templates for seamless deployment and management of resources.

4. Use the Aria Suite Lifecycle product to deploy and manage your systems.

Conclusion

In conclusion, Aria Automation Config is a powerful tool that allows administrators to define the applications, files, and other settings that should be present on a given system. With this tool, you can continuously evaluate the system against the desired state and make changes as needed. In the next post in this series, we will explore how to create a custom desired state and integrate with your Cloud templates. Stay tuned for the next one!

About the Author

Paul Davey is CIO at Sonar, Automation Practice Lead at Xtravirt, and guitarist in The Waders. He loves IT, automation, programming, music, and is passionate about helping organizations streamline their IT operations with Aria Automation Config.

Starting Out with Aria Automation Configuration – Part Two

Configuring LDAP Integration with Active Directory for Aria Automation Config

In this article, we will explore how to configure LDAP integration with Active Directory for Aria Automation Config. This will enable centralized control of access and roles within the Aria Automation Config interface. We will cover the initial requirements, configuring the LDAP option in the Aria Automation Config appliance, allocating users and groups for access, and enabling resource access.

Initial Requirements

——————–

Before we begin configuring the integration in the Aria Automation Config product, there are some initial requirements that must be met:

1. The Aria Automation Config appliance should be up and running with the necessary prerequisites installed.

2. An Active Directory server should be set up and running with the appropriate users and groups created.

3. This walkthrough uses an Aria Automation Config instance deployed in a lab environment; test the integration there before changing a production instance.

Configuring LDAP Integration

—————————–

To configure LDAP integration with Active Directory, follow these steps:

1. Log in to the Aria Automation Config appliance using the admin account and password specified during deployment.

2. From the menu, expand the Administration section and select the Authentication option.

3. From the Configuration type dropdown, select the LDAP option.

4. Select the PREFILL DEFAULTS dropdown and select AD, Windows Server 2008 and later (note: ensure your AD server is version 2008 or newer).

5. The form will now display with some information included and some fields empty. The required fields are noted by a red underline.

6. Edit the fields as follows:

* Server: Enter the hostname or IP address of a domain controller. Prefer the LDAPS port (636) over plain LDAP (389) so that bind credentials and directory data do not cross the network in clear text.

* Base DN: Enter the base distinguished name of your Active Directory domain (e.g., DC=example,DC=com). Searches start here, so it must contain both the users and the groups you intend to map.

* User Search Filter: Enter a filter that selects user objects as a class, not one named account, e.g. (&(objectClass=user)(objectCategory=person)). The objectCategory clause keeps computer accounts out of the result.

* Group Search Filter: Enter a filter that selects group objects, e.g. (objectClass=group). Filter clauses combine with & (all must match) or | (any may match); a filter such as (|(objectClass=group)(CN=marketing,OU=Department,DC=example,DC=com)) is an OR of a class and a single object and is not what you want.

* Where the form asks for bind credentials, use a dedicated read-only directory account rather than a domain administrator; Aria Automation Config only needs to read users and group membership.

7. Once you have configured the above fields with your settings, click the UPDATE PREVIEW button.

8. The pane below will eventually load Groups and Users into view. Depending on the size of your directory, this may take some time.

9. Once you are happy with everything, click the SAVE button to save the settings and confirm the LDAP connection.
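Before saving the LDAP configuration, it helps to confirm from a domain-joined machine that the values you are about to enter return what you expect: the UPDATE PREVIEW pane shows an empty list for a bad Base DN or filter, but not why. The script below is an added example, not from the original post; it uses the .NET DirectorySearcher rather than anything in Aria Automation Config. Server name, Base DN and group name are placeholders, and the two filters are the ones suggested above.

```powershell
<#
  Test-AriaConfigLdapInputs.ps1 - added example, not from the original post.
  Run from a domain-joined Windows machine before filling in the Aria
  Automation Config LDAP form: checks that the directory port is reachable,
  that the Base DN binds, and that the user and group filters return the
  expected objects, including the group you intend to map to the Salt Master
  role. Server, Base DN and group name are placeholders (assumptions).
#>
param(
    [string]$Server      = 'dc01.example.com',
    [string]$BaseDN      = 'DC=example,DC=com',
    [string]$GroupName   = 'SaltAdmins',
    [string]$UserFilter  = '(&(objectClass=user)(objectCategory=person))',
    [string]$GroupFilter = '(objectClass=group)',
    [int]$Port = 636          # LDAPS; 389 is plaintext LDAP
)

# 1. Transport: the appliance must reach the directory on the port you configure
$tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "$Server is not reachable on TCP $Port" }

# 2. Base DN: a bad DN fails here rather than as an empty preview in the UI.
#    The bind uses the current user's Kerberos context via ADSI.
$root = [adsi]"LDAP://$Server/$BaseDN"
try { $root.RefreshCache() } catch { throw "Base DN '$BaseDN' does not bind: $_" }

function Invoke-Search {
    param([string]$Filter, [string[]]$Props)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = 500              # paging, or AD caps the result at 1000
    foreach ($p in $Props) { $null = $searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

# 3. Filters: each should select a class of objects, not one named object
$users  = Invoke-Search -Filter $UserFilter  -Props 'sAMAccountName'
$groups = Invoke-Search -Filter $GroupFilter -Props 'sAMAccountName', 'member'
"User filter  '$UserFilter' returned $($users.Count) objects"
"Group filter '$GroupFilter' returned $($groups.Count) objects"

# 4. The group you will map to the Salt Master role must be among the results
$target = $groups | Where-Object { $_.Properties['samaccountname'][0] -eq $GroupName }
if (-not $target) { throw "Group '$GroupName' is not matched by the group filter" }
"Group '$GroupName' has $($target.Properties['member'].Count) direct members"
```

If the group count comes back as zero or the target group is missing, fix the Base DN or filter here before touching the appliance; if the port check fails on 636 but works on 389, the domain controllers do not have an LDAPS certificate yet and that should be fixed rather than falling back to clear-text binds.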

Allocating Users and Groups for Access

—————————————-

Now that we have established and saved the LDAP connection, we can proceed with allocating users and groups for access into the Aria Automation Config interface. Follow these steps:

1. From the menu on the left, under Administration, select the Groups option.

2. Find your Active Directory group you created in the requirements section from the list and tick the checkbox.

3. Click the SAVE button.

4. From the menu on the left, under Administration, select the Roles option.

5. Ensure in the left pane, the Salt Master role is selected.

6. Click on the Groups option.

7. Select the checkbox against your Active Directory group and then click SAVE.

8. Select the Resource access tab.

9. Enable both Show all * options as shown below and assign full permissions to each entry, then click the Save button. This is appropriate for a lab only: it lets every member of the mapped group target every minion and run every job, which means arbitrary command execution as root on all managed systems. In production, scope targets and jobs per role and keep the Salt Master role to a small administrative group.

Signing Out and Logging In with LDAP Authentication

——————————————————-

After configuring the LDAP integration, you may notice that the login page is slightly different now. In the authentication backend dropdown, select your LDAP connection as shown below:

![LDAP Authentication Selection](https://i.imgur.com/cqLH3V5.png)

Enter the user account and password for the Active Directory user that is within your Active Directory group, and then login.

Congratulations! You have now established Active Directory connectivity and authentication for your Aria Automation Config instance. This integration will enable centralized control of access and roles within the Aria Automation Config interface, streamlining management and ensuring consistency across your IT infrastructure.

Unlocking Remote Access with ABX Action

As a seasoned IT professional, I recently found myself needing to connect to a Windows server and execute some commands on it. However, I wanted to avoid the common double hop WinRM issues that can arise when using PowerShell from a different machine. Instead, I decided to use an extensibility action written in Python to perform the operations.

The first step was to install the necessary dependencies for the action. In this case I needed the Paramiko library, a Python implementation of the SSHv2 protocol. To include it in the ABX container, I listed it as a dependency of the action in vRA, which installs it when the action is built.

Once the dependency was in place, I began writing the code for the extensibility action. The first thing I did was import Paramiko, create an SSHClient object and decide how the Windows server’s host key is verified:

```python
import paramiko

ssh = paramiko.SSHClient()
# Trust only host keys shipped with the action (the path is a placeholder);
# the default RejectPolicy then refuses any server whose key is not listed,
# whereas AutoAddPolicy would accept whatever key is presented.
ssh.load_host_keys('/path/to/known_hosts')
ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
```

Next, I connected to the server with the username and password I wanted to use; connect() performs the host key check and the authentication in one step (the hostname is a placeholder):

```python
ssh.connect('winserver.example.com', username='my_username',
            password='my_password', timeout=30)
```

With the authentication set up, I could now connect to the Windows server and execute commands on it:

```python
stdin, stdout, stderr = ssh.exec_command('ipconfig')
output = stdout.read().decode('utf-8', errors='replace')
exit_status = stdout.channel.recv_exit_status()  # non-zero means the command failed
ssh.close()
```

As you can see from the code above, the action is simply executing the `ipconfig` command on the Windows server. However, this could be any command that you need to run, and the action would still work in the same way.

One thing to note is that I didn’t use vRO for this extensibility action. Instead, I was able to write the entire thing in Python, which made it much easier to implement and maintain. Two changes would make it more secure: authenticating with an SSH key (the key_filename or pkey argument of connect()) instead of a password stored with the action, and being strict about host key verification. set_missing_host_key_policy decides what happens when the server’s key is not already known; AutoAddPolicy accepts whatever key is presented, which lets anyone who can intercept the connection impersonate the server, whereas shipping the server’s known host key with the action and keeping the default RejectPolicy closes that gap.

Here’s what the output of the action looks like in vRA:

```json
{
  "output": "IP Address IP Address Subnet Mask Default Gateway Primary Dns Suffix\n 192.168.1.100 192.168.1.1 255.255.255.0 192.168.1.1 .example.com"
}
```

As you can see, the output is simply the result of running `ipconfig` on the Windows server, returned to vRA as the action’s output.

In conclusion, using an extensibility action written in Python to execute commands on a Windows server is a flexible solution that can be used in a variety of situations. By using the Paramiko library to connect to the server and its `exec_command` method to run the desired command, you can perform a wide range of operations without having to worry about double hop WinRM issues. Authenticating with an SSH key and verifying the server’s host key, as described above, keeps it secure as well.