
CIT 198 Week#11 Module 9 from the eBook Access and Authentication Control Sybex Chapter#9 Maintain Service Levels






Presentation Transcript


  1. CIT 198 Week#11 Module 9 from the eBook: Access and Authentication Control. Sybex Chapter#9: Maintain Service Levels. Instructor - Allan Ackerman VCA-DCV & VCP5-DCV. Click the graphic for assessment.

  2. This week our objectives will be
  • Complete labs 15 & 16 from the NDG/Cisco
  • Complete labs 22, 23, & 24 on the in-class virtual lab.
  • If you are behind – let’s get caught up tonight. No one has lab 21 complete yet so that needs to be top priority.
  • In chapter 9 of the Sybex book we will be covering maintaining service levels.
  • In chapter 9 of the eBook we will be covering Access and Authentication Control.
  • Next week’s quiz will be evenly distributed from the Sybex book chapter 9, our eBook Chapter 9 and tonight’s labs and PowerPoint.
  Week#11 vSphere 5.1 & 5.5

  3. Important classroom info for the week of April 8
  • The seventh quiz average is back down to 68%. Let’s get the average back up to at least a C.
  • 2 people did not take the quiz – so no one should ask to take quizzes at home anymore – quizzes are to be done in-class only.
  • First do NDG labs 15 & 16.
  • Next finish off in-class lab#21 – so far no one has it complete. It will take a couple of hours.
  • Next complete all in-class labs through lab#24.

  4. Our NDG lab#15
  Our goals in this lab will be to:
  • Set up new user accounts on vCenter.
  • Observe incorrect login behavior.
  • Grant non-administrator access to a user.
  • Access vCenter with a non-administrative account.
  • We will be using the Linux command adduser. The eBook uses the -m switch; you should know what that means (-m makes a home directory for the new user and -M does not make the home directory).

  5. Our NDG lab#16
  Our goals in the lab will be to:
  • Create a custom role in the vCenter Server.
  • Assign permissions on vCenter Server inventory objects.
  • Verify permission usability.
  • There are some logic errors in this lab. We only have an ISO for 2k03 32-bit server. When you create the YourName-Temp VM you should switch to the OS ISO we have and not use the default – 08R2 64-bit.
  • Since you did not give rights to the NFS datastore library to vuser, you cannot mount an ISO and you can install nothing. Basically, the VM creator role is worthless in our virtual lab and it needs to be fixed. We will fix this in our in-class lab and get some more practice with the web client.
  • As you do lab 16 you will note that NDG forgets to log out the vuser account at one point.

  6. Our in-class lab#23 Our goals in the lab will be to set up a vApp, a DRS cluster, and an HA cluster. The vApp inventory object gives you a way to package multiple VMs into one single object. We can clone and also export this single object using the OVF or OVA format. (Remember this one object might contain three or four VMs.) We will be able to control the startup and shutdown order of our VMs inside the vApp and also control how CPU and memory contention is handled. In today’s lecture I will show you how to set up IP pools on the Datacenter object.

  7. Our in-class lab#23 On page 360, Lab 6.18, in the Sybex book there is a vApp lab using IP pools. It does not work. A year or so back I spent 3+ hours trying to get this lab to work and gave up. I was using vSphere 5.1. This weekend I gave it another try using vSphere 5.5. It still did not work. I will demo the problem in class. If anyone can get the transient option to work on the vApp – I will give you 2 extra credit points on your lab grade. Remember from last week’s lecture that the transient option lets the vApp and vCenter become a DHCP allocator service. After you test out your vApp you will delete the object from your inventory.

  8. Our in-class lab#23 You will also be introduced to the concept of a reservation and a limit as a means of dealing with contention. Make sure you know the following two terms for next week’s quiz. CPU Reservation: (this definition was taken from the management guide) Consider a virtual machine with reservation=2GHz that is totally idle. It has 2GHz reserved, but it is not using any of its reservation. Other virtual machines cannot reserve these 2GHz. Other virtual machines can use these 2GHz, that is, idle CPU reservations are not wasted.

  9. Our in-class lab#23 Memory Reservation: (this definition was taken from the management guide) If a virtual machine has a memory reservation but has not yet accessed its full reservation, the unused memory can be reallocated to other virtual machines. After a virtual machine has accessed its full reservation, ESX Server allows the virtual machine to retain this much memory, and will not reclaim it, even if the virtual machine becomes idle and stops accessing memory. So you can think of a reservation as a guarantee that the host (hypervisor) will save that amount of that resource for you. If you do not need it all, however, it will let other VMs use it.

  10. Our in-class lab#23 Limits: This is a hard-coded maximum. Let me give an example and you should get the idea. Say you allocated 8GB RAM to an MS2008R2 server. You have a reservation of 2GB but a limit of 4GB. The reservation term has been covered on the previous two slides so we know what that means. The limit means the host will give the VM a maximum of 4GB of host RAM. So as the VM attempts to use more memory, as it does have 8GB allocated, it must resort to swapping. (When the host uses the .vswp file for memory – performance is really bad.) Note – remember there are two swap files, the VMware swap file and the OS swap file. We are just talking about the VMware swap file when we are dealing with Limits.

  11. Our in-class lab#23 You should also be able to calculate the size of the .vswp file when the VM is turned on. The formula is Memory allocated minus the Reservation. So in this example the .vswp file size would be 8-2 = 6GB. In the second part of this lab we will create an HA cluster and a DRS cluster. We will let the DRS cluster load balance our three XP Pro VMs.

  12. Our in-class lab#24
  Our goals in the lab will be to:
  • Create a custom role, Template Deployer, in the vCenter Server.
  • Assign permissions on the vCenter Server datacenter object and have the permission propagate through the datacenter.
  • Verify the new permission’s usability.
  In NDG lab#16 they had us create a limited user, vuser, and then created a permission for that limited user. They forgot to give us permission to a drive that we needed – we could not get to our ISO folder. So the reality of the new virtual machine creator permission in the NDG lab is that vuser could create nothing. Our lab#24 will actually work and can be used throughout the entire Training datacenter.

  13. Our in-class lab#24 We will not make the mistake that NDG did in our in-class lab#24 and we will get some more practice creating permissions, this time with the Web Client and not the C# client. Here are the prerequisites for Lab#24.
  • Make sure lab 21 is complete.
  • You have AD set up as an authentication source.
  • Lab 13 is back up and running.
  • Your VMs and templates are back in inventory.
  • Make sure you have an XP customization specification file.
  • Check that your sysprep files for XP are still in place.

  14. Access and Authentication Control Module 9

  15. You Are Here Access and Authentication Control

  16. Importance • When multiple users are accessing the VMware vSphere® environment, a best practice is to give each user only the necessary permissions and nothing more. VMware® vCenter Server™ allows flexible assignment of permissions.

  17. Module Lessons
  • Lesson 1: Configuring ESXi Host Access and Authentication
  • Lesson 2: Configuring Roles and Permissions
  • Lesson 3: vShield Endpoint in vSphere 5.1

  18. Lesson 1 Configuring ESXi Host Access and Authentication

  19. Learner Objectives
  After this lesson, you should be able to do the following:
  • Configure the VMware vSphere® ESXi™ firewall by enabling and disabling services.
  • Enable and disable lockdown mode on an ESXi host.
  • Configure user logins to authenticate with directory services.

  20. Configuring Security Profile Services It’s in the configuration tab of your host.

  21. Configuring the ESXi Firewall It’s in the configuration tab of your host.

  22. Enabling and Disabling Lockdown Mode

  23. Integrating ESXi with AD

  24. Review of Learner Objectives
  You should be able to do the following:
  • Configure the ESXi firewall by enabling and disabling services.
  • Enable and disable lockdown mode on an ESXi host.
  • Configure user logins to authenticate with directory services.

  25. Lesson 2 Configuring Roles and Permissions

  26. Learner Objectives
  After this lesson, you should be able to do the following:
  • Define a permission.
  • Describe the rules for applying permissions.
  • Create a custom role.
  • Create a permission.

  27. Access Control Overview
  • The access control system allows the vCenter Server administrator to define a user’s privileges to access objects in the inventory.
  • Key concepts:
  • Privilege – Defines an action that can be performed
  • Role – A set of privileges
  • Object – The target of the action
  • User/group – Indicates who can perform the action
  • Together, a role, a user or group, and an object define a permission.

  28. Users and Groups
  • vCenter Server or ESXi users/groups can be local users or Active Directory (AD) domain users.
  • AD provides authentication for all local services:
  • VMware vSphere® Client™
  • Direct console user interface
  • Technical support mode (local and remote)
  • Access through the VMware vSphere® API
  • Users who are in the AD group ESX Admins are automatically assigned the Administrator role.

  29. Roles
  • Roles are collections of privileges:
  • They allow users to perform tasks.
  • They are grouped in categories.
  • Roles include system roles, sample roles, and custom-built roles.

  30. Objects
  • Objects are entities on which actions are performed.
  • Objects include datacenters, folders, resource pools, clusters, hosts, datastores, networks, and virtual machines.
  • All objects have a Permissions tab.
  • This tab shows which user or group and role are associated with the selected object.

  31. Assigning Permissions
  To assign a permission:
  • Select a user.
  • Select a role.
  • (Optional) Propagate the permission to child objects.

  32. Viewing Roles and Assignments • The Roles pane shows which users are assigned the selected role on a particular object.

  33. Applying Permissions: Scenario 1
  • A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.
  (Diagram labels: Greg – Administrator; Greg – No Access)

  34. Applying Permissions: Scenario 2
  • When a user is a member of multiple groups with permissions on the same object:
  • The user is assigned the union of privileges assigned to the groups for that object.
  (Diagram: Group1 – VM_Power_On (custom role); Group2 – Take_Snapshots (custom role). Members of Group1: Greg, Susan. Members of Group2: Greg, Carla.)

  35. Applying Permissions: Scenario 3
  • When a user is a member of multiple groups with permissions on different objects:
  • For each object on which the group has permissions, the same permissions apply as if they were granted directly to the user.
  (Diagram: Group1 – Administrator; Group2 – Read-only. Members of Group1: Greg, Susan. Members of Group2: Greg, Carla.)

  36. Applying Permissions: Scenario 4
  • Permissions defined explicitly for the user on an object take precedence over all group permissions on that same object.
  (Diagram: Group1 – VM_Power_On (custom role); Group2 – Take_Snapshots (custom role); Greg – Read-only. Members of Group1: Greg, Susan. Members of Group2: Greg, Carla.)
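The four scenarios above are easiest to check by working them through. The following is an added example, not from the course slides or VMware's own code: a small Python model of how vCenter resolves a user's effective privileges on an inventory object. The inventory (Datacenter > Finance > vm01), the group memberships, and the privilege names inside each role are constructed for illustration.

```python
# Added example (not from the slides or VMware): a model of vCenter permission
# resolution covering Scenarios 1-4. Inventory, groups and role contents are
# constructed for illustration; "*" stands for every privilege (Administrator).

ROLES = {
    "Administrator": {"*"},
    "Read-only": {"System.View"},
    "No Access": set(),
    "VM_Power_On": {"VirtualMachine.Interact.PowerOn"},
    "Take_Snapshots": {"VirtualMachine.State.CreateSnapshot"},
}

# Inventory hierarchy as child -> parent (None marks the root object).
PARENT = {"Datacenter": None, "Finance": "Datacenter", "vm01": "Finance"}

GROUPS = {"Group1": {"Greg", "Susan"}, "Group2": {"Greg", "Carla"}}


def effective_privileges(user, obj, permissions):
    """Return the privileges `user` holds on `obj`.

    Each permission is a tuple (principal, role, object, propagate).
    Rules taken from the slides:
      - walk from the object up to the root; the nearest object that has an
        applicable permission decides, so a permission set on a child
        overrides one inherited from a parent (Scenario 1)
      - a permission on an ancestor only counts if it propagates (Scenario 1)
      - on the same object, several group permissions give the union (Scenario 2)
      - group permissions on different objects apply as if granted directly
        to the member (Scenario 3)
      - an explicit user permission on an object beats every group
        permission on that same object (Scenario 4)
    """
    node = obj
    while node is not None:
        applicable = [p for p in permissions
                      if p[2] == node and (node == obj or p[3])]
        user_perms = [p for p in applicable if p[0] == user]
        group_perms = [p for p in applicable
                       if p[0] in GROUPS and user in GROUPS[p[0]]]
        chosen = user_perms or group_perms   # user entries take precedence
        if chosen:
            return set().union(*(ROLES[p[1]] for p in chosen))
        node = PARENT[node]
    return set()


def can(user, obj, privilege, permissions):
    """True if the user's effective role on obj includes the privilege."""
    privs = effective_privileges(user, obj, permissions)
    return "*" in privs or privilege in privs
```

Feeding it the slide's Scenario 4 setup shows why Greg ends up Read-only on the VM even though both of his groups hold custom roles there, while Susan and Carla keep their group privileges.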

  37. Creating a Role
  • Create roles that enable only the necessary tasks:
  • Example: Virtual Machine Creator
  • Use folders to contain the scope of permissions:
  • For example, assign the Virtual Machine Creator role to user Nancy and apply it to the Finance folder.
  (Diagram: Virtual Machine Creator role privileges – Datastore > Allocate space; Network > Assign network; Resource > Assign virtual machine to resource pool; Virtual machine > Inventory > Create new; Virtual machine > Configuration > Add new disk; Virtual machine > Configuration > Add or remove device)

  38. Lab 14
  • In this lab, you will manage user access permissions.
  • Try to log in directly to the ESXi host.
  • Grant nonadministrator access to a user.
  • Explore the ESX Admins AD group.

  39. Lab 15
  • In this lab, you will use a custom user role.
  • Create a custom role in vCenter Server.
  • Assign permissions on vCenter Server inventory objects.
  • Verify permission usability.

  40. Review of Learner Objectives
  You should be able to do the following:
  • Define a permission.
  • Describe the rules for applying permissions.
  • Create a custom role.
  • Create a permission.

  41. Lesson 3 vShield Endpoint in vSphere 5.1

  42. Learner Objectives
  After this lesson, you should be able to do the following:
  • Describe how VMware® vShield™ and vSphere fit into a cloud infrastructure.
  • Explain how VMware® vShield Endpoint™ is integrated into vSphere.

  43. VMware vShield: Foundation for a Trusted Cloud
  Securing the cloud from edge to endpoint:
  • VMware® vShield Edge™ – Secure the edge of the virtual datacenter.
  • VMware® vShield App™ with Data Security – Protect applications from threats with trust zones. Protect against data leaks.
  • vShield Endpoint – Streamline and accelerate antivirus solutions.
  (Diagram: virtual datacenter 1 and virtual datacenter 2 with Web, PCI, DMZ and HIPAA zones, managed by VMware® vShield Manager™)

  44. vShield Endpoint Overview
  • Secure your virtual machines with offloaded anti-virus and anti-malware (AV) solutions without the need for agents
  • Included with vSphere
  Benefits
  • Simplified AV administration
  • Higher consolidation ratios by preventing the possibility of AV storms
  • Improved performance

  45. Review of Learner Objectives
  You should be able to do the following:
  • Describe how vShield and vSphere fit into a cloud infrastructure.
  • Explain how vShield Endpoint is integrated into vSphere.

  46. Key Points
  • vShield products can be used to secure the datacenter, from the edge to the endpoint.
  • A permission is a combination of a user or group and a role that is applied to an object in the inventory.
  • A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.
  • As a best practice, define a role using the smallest number of privileges possible for better security and added control.
  • Questions?

  47. Assessment week#11

  48. In vCenter, a role is a collection of permissions • True or False

  49. Answer • False - it is a collection of privileges.

  50. The firewall is disabled by default and must be enabled using the vSphere client. True or False
