Can I Upgrade Veeam 10 to Veeam 11?

KB ID 0001758

Problem

People are always ‘a bit twitchy‘ about upgrading their backup software. Mines on my test network so I’m a little more cavalier about diving in and clicking next. So when you want to Upgrade Veeam 10 to Veeam 11, peoples main concerns are;

  1. Will I lose my backup / replication jobs?
  2. Will I need to rescan backup repositories?

Remember Veeam keeps all its data in a database, so your configs should remain unaffected but just to prove it.

Can I Upgrade Veeam 10 to Veeam 11 – Yes

Obviously close any Veeam management windows (in all logged in  profiles) before starting.

Version 10

 

Download the media and run the upgrade procedure;

And to prove it’s not smoke and mirrors;

If anyone upgrades from version 9 to 11, and can confirm it’s just as painless, post your comments below.

Related Articles, References, Credits, or External Links

NA

 

VMware View Connection Server – Stop Session timeouts

KB ID 0000605

Problem

For security reasons, the VMware View Administrator will timeout after a short period of inactivity, and you will see the following.

Server Error
Your session has timed out. Please log in again.
Click OK to be redirected to the login screen.

However if you work in the console a lot, this can get quite annoying.

Solution

From within the View Administrator console > View Configuration > Global settings > Edit > Tick “Enable automatic status updates” > OK > OK.

Note: Another advantage to doing this is, you don’t have to keep pressing refresh to update the interface.

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5506-X: Bridged BVI Interface

KB ID 0001422

Problem

When the ASA 5506-X appeared there was much grumbling, “This is not a replacement for the ASA 5505, I need to buy a switch as well!”  and “I have six ports on the firewall I cant use” etc.

While I understand that, and if truth be told the ASA 5505, was SUPPOSED to be used in SOHO environments where an all in one device, (with PoE) was a great fit. The problem was, people started throwing them in everywhere, I’ve seen them in large businesses, and in data centres. Because it’s easier to sell a firewall that cost less than 500 quid, than it is to sell a firewall that fits the network requirements! 

To ‘fix’ the problem would probably mean changing hardware, so Cisco gave us a BVI, Bridge Virtual Interface instead (with version 9.7). Well not strictly true, Cisco ASA has had BVI interfaces in ‘transparent mode‘ for some time. So on the ASA 5506-X with a default configuration, it ‘Bridges’ interfaces Ge0/2 to Ge0/8, into one interface which you can call the inside interface an give it an IP address.

Oh Great! So Just Like an ASA5505 Then? Well no sorry, I don’t like it because it needs an access-group/ACL for each bridged interface, and a NAT statement for each bridged interface. Unless you have a very simple network that can get very complicated, very quickly! Also note, the same holds true for remote management via SSH/ADSM etc.

Changes to ASA for BVI Interface

I’ll shorten the default firewall config and show you the ‘added commands’ that are used for this configuration.

[box]

!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
!
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
!
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
!
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
!

[/box]

Yes I’m not making it up, that’s the added default config for a new 5506-X firewall, (post version 9.7) if you issue a configure factory-default, that’s what you will get! (Don’t panic: If you upgrade a firewall it wont add this in!) 

Is That What You Wanted?

Well if you are a small business and make very little changes to the firewall then this may be fine, (if a little cumbersome to setup). But to be honest I think its pretty bobbins! So I’ll be ripping it out of every 5506-X I deploy.

ASA 5506-X Remove the BVI Interface From CLI

First you have to remove the bridge group from the physical interfaces, but first you need to remove the interface name, or it will error. Obviously connect via the console cable, or from the outside interface, (because you’re about to remove the configured inside interface, until we recreate it again).

[box]

!
interface GigabitEthernet1/2
 no nameif
 no bridge-group 1
interface GigabitEthernet1/3
 no nameif
 no bridge-group 1
interface GigabitEthernet1/4
 no nameif
 no bridge-group 1
interface GigabitEthernet1/5
 no nameif
 no bridge-group 1
interface GigabitEthernet1/6
 no nameif
 no bridge-group 1
interface GigabitEthernet1/7
 no nameif
 no bridge-group 1
interface GigabitEthernet1/8
 no nameif
 no bridge-group 1
!

[/box]

Only now can you remove the BVI interface.

[box]

clear configure interface BVI1
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
WARNING: BVI interface 1 is in use.

[/box]

Note: The BVI1 interface will now disappear from the config, (if you’re used to working on routers it’s a bit like removing a loopback interface). Now Remove the ‘defunct’ object groups that were being used for NAT.

[box]

no object network obj_any1
no object network obj_any2
no object network obj_any3
no object network obj_any4
no object network obj_any5
no object network obj_any6
no object network obj_any7

[/box]

Assuming your outside Interface (GigabitEthernet0/1) is still up and connected, (by default it will be set to DHCP and also set to get its outside automatically). You would then need to configure an ‘inside’ interface (I’ll use GigabitEthernet0/2) and specify a NAT/PAT rule to allow traffic out.

[box]

!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
object network OBJ-NAT-ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!

[/box]

That gets everything up and connected, (all traffic out allowed, and all traffic in (initiated from outside) is blocked)).

ASA 5506-X Remove the BVI Interface From CLI

Configuration > Device Setup > Interface Settings > Interfaces > Select interface 1/8 > Edit.

Remove the Interface name > OK >OK.

Change the Bridge Group to ‘None’ > OK.

Repeat for interfaces 0/7 to 0/2 > Apply.

Select BVI1 > Delete > Yes.

Configuration > Firewall > Objects > Network Objects/Groups > obj_any1 > Delete > Repeat for tall the other objects.

Save the changes.

 

Related Articles, References, Credits, or External Links

NA

Deploy Cisco FirePOWER Management Center (Appliance)

KB ID 0001263

Problem

You have been able to manage your firewalls Internal SFR module for  while using the ASDM

Setup FirePOWER Services (for ASDM)

For most people that’s fine, but if you have a lot of FirePOWER devices to manage that does not scale well. In those cases you should use theFMC  (FirePOWER Management Center). Here ‘Im going to use the Vmware virtual appliance, (at time of writing there is no Hyper-V version).

This lets you create policies centrally and then deploy them to your devices in bulk.

Solution

Deploy the FirePOWER Management Center Appliance

Obviously before you start you need to have VMware (ESX or vCenter). With 250GB of storage free, (you can deploy it thin provisioned). You will also need to allocate 8GB of RAM and 4 virtual CPUs. Whichever network (or VMware port Group) you connect the appliance to it needs to have IP connectivity to the devices you intend to manage.

Download the FMC Appliance: Be aware it downloads in tar.gz format so on a Windows machine you will need something like 7Zip to uncompress the files. You WONT find the file under the firewalls, they are listed under;

Downloads > Produces > Security > Firewalls > Firewall Management > Firepower Management Center Virtual Appliance

Make Sure: You download the same version that is installed on the modules you want to manage! (‘show module’ on the ASA will yell you).

Get the files extracted and on a machine that you can access your VMware infrastructure from;

The appliance comes in OVF format if you are unsure how to import an OVF file see the following article;

VMware vSphere – How to Import and Export OVF and OVA Files

You will need to accept the EULA, then set the admin password, and some basic IP settings.

I’ve got IPv6 disabled, if you want to address the appliance with IPv6 enter the details here.

Even after the appliance has been imported and powered on it can take 20-30 minutes before you can log on. At this point I would go and do something else. If you really must, then open a ‘console’ session and wait until the logon prompt is shown. You can then logon to the web portal.

Go to System > Updates > Download and install any updates > Visit both the ‘Rule Updates’ and the ‘Geolocation Updates’ tabs and set a time to download them.

Don’t Install the licences Just Yet! Add your devices to the FMC first, then if there’s a problem and you need to rebuild/redeploy, you don’t have to go cap in hand to Cisco licensing to get the licences re-armed. To add the SFR devices see the following article;

Cisco Add FirePOWER Module to FirePOWER Management Center

Network Discovery: Older version of the FMC used to only look for RFC 1918  IP ranges, This was changed at some point to 0.0.0.0/0 so you couldn’t misconfigure the system by having a private address space internally for example. This was a good idea but Ive seen some firewalls fall over trying to run discovery on every IP address they see!  So lets manually add in our subnets. Objects > Object Management > Add Network > Add Object > Add one for you internal network(s).

Policies > Network Discovery > Remove the 0.0.0.0 Rule.

Create a new discovery rule using just your subnet(s).

 

Adding Licences To FirePOWER Management Center

You used to have to licence the appliance itself, after version 6 you don’t need to do that, if you have a licence and you try and apply it nothing happens and you just see this message;

Note: FireSIGHT is the old name for FirePOWER Management Center.

What Licences do I need to Add? Your Next Generation Firewalls now come with a ‘CONTROL LICENSE‘ in the box, it is in a large white card envelope, you don’t need to open it the number you need is on the front of the envelope. You add a control licence for every device you want to manage (they do not expire).

System > Licences > Classic Licenses > You need to take a note of the ‘Licence Key’, (which is the MAC address of the appliance with a 66 in front of it). This is the serial number you need to enter on the Cisco licensing portal.

When you get the licence back, if you open it in a text editor, it will look like this (its essentially a digital certificate). Copy everything from ‘— BEGIN‘ to ‘License —‘ 

Paste in the text > Submit License.

Repeat for each licence (IDS, AMP, URL Filtering ,etc)

You will also need to allocate the licenses to devices. Devices > Device Management Select the Device in question > Edit.

Device > License Section >Edit > Allocate accordingly.

Configuring FirePOWER Intrusion Policy

To use an intrusion policy the devices each need a ‘Protection‘ licence. Note: You get a protection licence now automatically when you add a CONTROL licence, but you still need to pay a subscription to legally obtain the updates.

Policies > Access control > Intrusion > Create Policy.

Give the policy a recognisable name > Create and Edit policy.

The policy it creates is based on the ‘Balances Security and Connectivity’ Template. You might want to add a few extra rules > Rules > Blacklist > Select All.

Rule State > Drop and Generate Events.

Repeat for ‘Malware’. Note: This does NOT require and AMP licence@

Repeat for  PUA (Probably Unwanted Applications).

Repeat for ‘Indicator Compromise‘.

Repeat for ‘Exploit Kit‘.

Search for ‘1201’ and locate the ‘INDICATOR-COMPROMISE 403 Forbidden’ rule and DISABLE IT.

Policy Information > Commit Changes > OK.

Note: To be used, the Intrusion policy needs to be declared in an Access control policy (or set as a Default Action).

Also in the Access Policy set the logging to ‘Log at the end of connection‘.

As mentioned above you can also set it as the ‘Default Action‘.

Configuring FirePOWER AMP and File Policy

You need an AMP, (subscription based licence) to enable the ‘Malware Cloud Lookup, or Block Malware‘ Actions, but you can have a file policy and block specific file types.

Polices > Access Control > Malware and File > New File Policy.

Give the policy a name you will remember > Save.

Action = Malware Cloud lookup > Add in the files you want to scan > Below I’ve set it to store unknown files > Save.

Then create another rule below that that detects all files.

As above the file policy wont be applied to anything unless you specify it in an access policy.

In the rule also set the logging to ‘log at the end of connection’.

 

Configuring FirePOWER URL Filtering Policy

You need to have a URL filtering licence allocated to the devices you want to use this policy on.

Unlike File policies and Intrusion policies, URL filtering is configured directly on your Access Control policy > Add Rule.

Here’s an example of blocking some categories you don’t want viable in tour organisation.

In a rule that only has URL filtering set the login to ‘Log at the beginning of the conneciton‘.

 

When done, don’t forget to ‘Deploy‘ the new policy to your managed devices. Deploy > Select Devices > Deploy.

hen Related Articles, References, Credits, or External Links

NA

Cisco Stacking 3750 Switches

KB ID 0001205 

Problem

You can stack Cisco 3750-X Switches in groups of up to 9 switches, and they can then be managed as one switch. Here I’ve got 2 switches.

 

Solution

Removing 3750-X Switches Stack Configuration

One of my switches had already been in a stack, so I needed to remove its stack configuration. It thought it was switch 4 in the stack so I issued the following commands;

[box]

Switch(config)# no switch 4 provision 
Switch(config)# wr mem 

[/box]

Cisco 3750-X Configure Stacking

Don’t connect any stacking cables yet, decide which switch is going to the the ‘master’ and log onto that switch, and issue the following commands;

[box]

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#switch 1 priority 15
Changing the Switch Priority of Switch Number 1 to 15
Do you want to continue?[confirm] {Enter}
New Priority has been set successfully
Switch(config)#do write mem
Building configuration...
[OK]

Switch(config)#do reload
Proceed with reload? [confirm] {Enter}
[/box]

When the switch reloads you will see.

[box]

Waiting for Stack Master Election...
SM: Waiting for other switches in stack to boot...
###############################################################

[/box]

At this point you can connect the stack cables and power on the second switch. With multiple switches connect each stack port one, to the switch below’s stack port two. Then on the last switch connect its stack port one back to stack port two on the top switch, (so there is a ‘ring’.)

If you have more than two switches you can set their priority (as you did above) priority 15 will always win the ‘elections’ and be the master switch, number the rest accordingly. The default is ‘1’ so if you don’t then it works out the order based on MAC addresses, (which is not good!).

When all the switches are booted, check all is well;

[box]

Switch#show switch
Switch/Stack Mac Address : 74a2.e69a.0c00
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 74a2.e69a.0c00     15     3       Ready
 2       Member 204c.9e5f.4000     1      3       Ready

Switch#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
FastEthernet0          unassigned      YES NVRAM  administratively down down
GigabitEthernet1/0/1   unassigned      YES unset  down                  down
GigabitEthernet1/0/2   unassigned      YES unset  down                  down
GigabitEthernet1/0/3   unassigned      YES unset  down                  down
GigabitEthernet1/0/4   unassigned      YES unset  down                  down
{----------------Output Removed For the Sake of Brevity---------------------}
GigabitEthernet1/1/1   unassigned      YES unset  down                  down
GigabitEthernet1/1/2   unassigned      YES unset  down                  down
GigabitEthernet1/1/3   unassigned      YES unset  down                  down
GigabitEthernet1/1/4   unassigned      YES unset  down                  down
Te1/1/1                unassigned      YES unset  down                  down
Te1/1/2                unassigned      YES unset  down                  down
GigabitEthernet2/0/1   unassigned      YES unset  down                  down
GigabitEthernet2/0/2   unassigned      YES unset  down                  down
GigabitEthernet2/0/3   unassigned      YES unset  down                  down
{----------------Output Removed For the Sake of Brevity---------------------}
GigabitEthernet2/1/1   unassigned      YES unset  down                  down
GigabitEthernet2/1/2   unassigned      YES unset  down                  down
GigabitEthernet2/1/3   unassigned      YES unset  down                  down
GigabitEthernet2/1/4   unassigned      YES unset  down                  down
Te2/1/1                unassigned      YES unset  down                  down
Te2/1/2                unassigned      YES unset  down                  down
Switch#

[/box]

Make sure your stack cabling is OK;

[box]

Switch# show switch stack-ports summary

Switch#/  Stack   Neighbor   Cable    Link   Link   Sync      #         In
 Port#     Port              Length    OK   Active   OK    Changes   Loopback
          Status                                          To LinkOK
--------  ------  --------  --------  ----  ------  ----  ---------  --------
  1/1     OK         2      50 cm     Yes    Yes    Yes        1        No
  1/2     OK         2      50 cm     Yes    Yes    Yes        1        No
  2/1     OK         1      50 cm     Yes    Yes    Yes        1        No
  2/2     OK         1      50 cm     Yes    Yes    Yes        1        No

Switch# show switch stack-ring speed

Stack Ring Speed        : 32G
Stack Ring Configuration: Full
Stack Ring Protocol     : StackWisePlus
Switch#

[/box]

If you are also using XPS redundant power cables remember that’s only supported for up to four switches, (without an extra XPS-2200 rack power unit). I power off the switches before I fit these.

Why do they have green and yellow ends: If you look on the switch you will see the ‘socket’ is marked with a yellow and a green ‘semi-circle’. that means a green end or a yellow end can be plugged into that socket.

That makes no sense, so anything can plug into anything, why colour code them? That’s because there is a different cable that has a ‘red’ end on it for plugging into an XPS-2200 rack power supply, like this;

Then to test your XPS Power  Cables.

[box]

Switch>show env power all
SW  PID                 Serial#     Status           Sys Pwr  PoE Pwr  Watts
---  ------------------  ----------  ---------------  -------  -------  -----
1A  C3KX-PWR-350WAC     LIT18410MD4 OK              Good     Good     350/0
1B  Not Present
2A  C3KX-PWR-350WAC     LIT18410JJ3 OK              Good     Good     350/0
2B  Not Present

Switch#show stack-power neighbors
Power Stack           Stack   Stack    Total   Rsvd    Alloc   Unused  Num  Num
Name                  Mode    Topolgy  Pwr(W)  Pwr(W)  Pwr(W)  Pwr(W)  SW   PS
--------------------  ------  -------  ------  ------  ------  ------  ---  ---
Powerstack-2          SP-PSS  Ring     700     320     380     0       2    2

    Power Stack           Port 1  Port 1             Port 2  Port 2
SW  Name                  Status  Neighbor SW:MAC    Status  Neighbor SW:MAC
--  --------------------  ------  ----------------   ------  ----------------
1   Powerstack-2          Conn    2:204c.9e5f.4000   Conn    2:204c.9e5f.4000
2   Powerstack-2          Conn    1:74a2.e69a.0c00   Conn    1:74a2.e69a.0c00

[/box]

Stack Power Profiles (Setting Up)

Stack Power Modes

Default (Power sharing Mode): All the power from all the power supplies, is aggregated together, and no power is reserved – if a power supply failed there is a chance that there might not be enough power.

Redundant Mode: The power supplied by the largest power supply in the stack, is taken away from the total power output in case there is an outage.

Stand Alone Mode: Stops a switch participating in a power stack completely.

Each mode can be configured to run strict, or non-strict, (with the exception of a stand alone mode).

Strict: If actual power drops below budgeted power, things may get powered down.
Non Strict: Actual power can run above budgeted power, if that extra power is available.

[box]

Switch(config)# stack-power switch 1 port 1 enable 
Switch(config)# stack-power switch 1 port 2 enable 
Switch(config)# stack-power switch 2 port 1 enable 
Switch(config)# stack-power switch 2 port 2 enable
Switch(config)# stack-power stack Power-Stack-1 
Switch(config-stackpower)# mode redundant
Switch(config-stackpower)# stack-power switch 1
Switch(config-stackpower)# stack-power switch 2
Switch(config-stackpower)# exit

[/box]

 

Related Articles, References, Credits, or External Links

Cisco Catalyst – Upgrading ‘Stacked’ Switches

MAC OSX – Connecting to Cisco IPSEC VPN

KB ID 0001197 

Problem

Here we are dealing with the older IPSEC VPN method of remote VPNs, NOT AnyConnect. There is/was a VPN client for Mac OSX which you can still download. But modern versions of OSX have the Cisco IPSec VPN client built into them. 

I’m assuming you have already configured the firewall, if not see the article below;

Cisco ASA5500 Client IPSEC VPN Access

Solution

Open your network preferences and add in a new connection > Interface = VPN > VPN Type = Cisco IPSec > Service Name = A sensible name you will recognise, (like connection to work, or home  etc.)

 

Server address is the public IP, (or name if you have DNS setup*) of your Cisco Firewall  > Enter your VPN username > I don’t put in the password, so I will have to type in in manually > Click Authentication Settings.

*For DNS you will need a static public IP, and a registered domain name. The ASA DOES NOT support DNS updates to online services like DynDNS or No-IP etc. It does support DDNS but means the server that leases you your public address is supposed to update your DNS for you, and unless you are your own ISP, and you host your own public DNS records, this wont work!

Here you need to supply the ‘shared secret’ for the VPN tunnel, and the Group Name. Your firewall admin should give these to you.  If they don’t know, tell them to run ‘more system:running-config’ on the firewall and give you the shared secret and ‘group-policy’/’tunnel-group’ name for this remote VPN  > OK.

Nearly every time you use DHCP, the firewall with either lease you an address from a ‘pool’ of VPN addresses, or broker the connection, and use your internal DHCP server.

Now to connect the VPN, select the icon shown, and click your Cisco VPN, (in the picture I have two).

If you didn’t put your password in during setup, you will be prompted to enter it to continue.

It does not work?

With all things Cisco, if there’s a problem your easiest way to a solution, is to run a ‘debug’ on the firewall. Execute the following two commands on the firewall, and attempt to connect again, this should point you in the right direction.

[box]

debug crypto isakmp 127
debug crypto ipsec 127

[/box]

Related Articles, References, Credits, or External Links

iPhone and iPad – Configure the Cisco VPN Client

Deploying VMware View 5 – Part 5 Deploying Linked Clone View Desktops

KB ID 0000607

Problem

Note: This is an old post for VMware view version 5, you might want to read Deploying VMware Horizon View instead.

It’s been a while since I wrote Part 4, so it’s time to wrap this up. Now we have Composer installed on the Virtual Center, we can start to deploy our linked clone desktops.

Solution

VMware View – Prepare your Source Machine

1. I’ve already covered how to prepare your Windows 7 client machine to be a View client here. Once that’s done, release its IP address (ipconfig /release) and shut it down.

2. With your source machine shut down, take a snapshot of the machine.

VMware View – Create an Automated Linked Clone Pool

3. Log into your VMware View Administrator console > Inventory > Pools > Add.

4. Automated > Next.

5. Dedicated > Next (unless you want a floating user assignment, the description of each is on this page).

6. View Composer linked clones > Next (ensure your vCenter is listed, and has “Yes” in the View Composer section).

7. Give the pool an ID, name, and description. (Note: If you use folders for your VM’s, you can also select those here).

8. I tend to stick with the defaults, except I let the users reset their desktops > Next.

9. I’m not redirecting any disposable files or profiles > Next.

10. Expand Security > Logins > Create a new login.

11. For the default Image, browse to your source machine, then select the snapshot. Set the Folder, Host/Cluster, and Resource pool as applicable. Then browse for a datastore.

12. Here I’ve selected to store my disks on different datastores. If you can, put your replica disk on the FASTEST storage, as this gets the most “Read” traffic > OK > Next.

13. The domain should auto populate > Pick an OU to place the new machines into, then select either to use quickprep (the VMware one), or Sysprep (the Microsoft one). > Next.

Note: You can also use a customization specification (yes Americans are worse at spelling than me!), you set these up in the VI client on the home screen under ‘Customization Specifications Manager’.

14. Review the information > Finish.

15. Now you have you pool, you need to allow your users to connect to it, with it selected press ‘Entitlements’.

16. Add in the users and/or groups you want to grant access to > OK.

17. It can take a while for the replica to be created then all the linked clones to become ‘Available’ watch progress under ‘Inventory > Desktops’.

18. When available you should be able to connect to them using the VMware View Client.

19. And finally get your new Windows 7 linked clone desktop.

Related Articles, References, Credits, or External Links

NA

ZyXEL – Router Setup (Public IP Range)

KB ID 0000331 

Problem

You have a ZyXEL router (In my case a P-600R-D1) and you want to put a device behind it with a public IP.

Note: I’m assuming you have agreed with your ISP that you will receive a range of public IP addresses. With some ASDL packages the first IP in the range usually gets allocated to the router, confirm this with your ISP.

BT Business Broadband Note: If you are a BT Business customer, your setup will be slightly different, I’ll point that out as we go along.

Solution

1. Connect up to the router, and you should get an IP address from it, open your web browser and proceed to http://192.168.1.1 the default password is “1234”

2. You will be prompted to change the default password, do so, then select the option to go to ‘Advanced Setup’.

3. Expand Network > WAN > Enter the ADSL details provided by your ISP (i.e. ADSL username and ADSL password). If you are having a static IP on the outside of the router you can also set that here.

Note: If you have only been given TWO IP addresses you may need to set BOTH the WAN and LAN IP address to the SAME IP (and disable NAT).

BT Business Broadband Note: Even if you have been allocated a range of public IP addresses, you LEAVE the routers outside IP address option set to, ‘Obtain an IP address automatically’

4. Disable NAT ONLY IF YOU ARE SETTING THE LAN AND WAN TO THE SAME IP: Select NAT > General > Un-tick “Active Network Address Translation (NAT)” > Apply.

4. Disable DHCP: Select LAN > DHCP Setup > Change DHCP to “None” > Apply.

5. Set the inside IP: Set this to the IP address allocated to your Router – (Note: this may be the SAME as the address allocated to the outside IP, don’t panic it will not conflict (NAT is disabled).

BT Business Broadband Note: This is typically the highest IP address in the range, BT have given you.

6. You can now connect your internal device/firewall (Note: You may need to reboot the device AND the router as the MAC address may have changed if you have been testing from your laptop/PC.) Or simply allocate another public IP address to device, then make its default route, (or default gateway) the IP address you set on the LAN port of the ZyXEL, (in our example above 123.123.123.124).

Factory Reset ZyXEL Router

If things break and you want to reset the router,

1. Power off the router.

2. Depress the reset button on the rear of the router.

3. Power on the device until the ethernet light, flashes amber.

4. Now DHCP will be turned on and the router will use 192.168.1.1 internally and the default password will be reset to 1234.

Related Articles, References, Credits, or External Links

ZyXEL Firmware downloads (Look under DSL Technology)

Original Article Written 28/09/10

Running Windows Server 8 in VMware ESXi

KB ID 0000590 

Problem

The very fist time I tried this was on ESXi 4.1, if you try and install Windows 8 Server on that platform, you will see the following.

Your computer ran into a problem and needs to restart. If you’d like to know more, you can search online later for this code: HAL_INITIALIZATION_FAILED It’s collecting error info and will restart in: x seconds

Note: You will also see this in VMware player, and VMware workstation 7.

Solution

Some internet searching told me that as far as VMware was concerned, I needed to be running VMware Workstation version 8, so I installed Workstation 8 and, accepting the fact I got the same install error that the windows 8 consumer preview gives you, (the fix is the same). It works flawlessly (unless you install the VMware tools).

Running Windows “8” Server in ESXi

I knew that the developer preview worked on ESXi 5, And VMware Workstation 8 uses VMware hardware version 8. So I guessed that it would run under ESXi 5. I set the machine type to “Windows 7 x64”, and it installed it, to my surprise it ran straight away.

And Installing VMware tools went smoothly as well.

Related Articles, References, Credits, or External Links

Windows 8 (Server and Client) Black Screen (Post VMware Tools Install)

Windows 8 -“Windows cannot read the <ProductKey> setting from the unattend answer file.