Shellshock Vulnerability and Potential Exploitation (not another blog post on CVE-2014-6271 / CVE-2014-7169)

As tempting as it is, I have no intention of jumping on the ‘Shellshock’ bandwagon and writing a vague post on the subject. However, I do find this recent bash exploit interesting and worthy of investigation as it’s simple to test and has a plethora of vectors that could be exploited. I’ve read many media reports on this and unfortunately some of their layman’s terms are inaccurate or do not provide the full picture. The purpose of this blog post is for my own reference and for anybody who needs a starting point of where to look. For an in-depth look at this I would recommend you read Troy Hunt’s article. For a quick technical reference then feel free to read on… [Read more...]
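The "simple to test" part, as an added example that is not code from the original post: a POSIX shell function that probes a bash binary for CVE-2014-6271 by exporting an environment variable whose value is a function definition followed by a trailing command. An unpatched bash parses the `() {` prefix as a function definition and keeps executing what follows the closing brace, so the marker is printed; a patched bash only runs the `-c` command. The marker string and the default `bash` path are assumptions, and the second Shellshock CVE named in the title (CVE-2014-7169, the parser follow-up) needs a separate check that this block does not perform.

```shell
#!/bin/sh
# Added example (not from the original post): probe a bash binary for CVE-2014-6271.
# Pre-patch bash imports any exported variable whose value starts with "() {" as a
# function and continues parsing, so commands after the closing brace get executed.
# The marker string and the default "bash" path are assumptions for this example.
shellshock_check() {
    bash_bin="${1:-bash}"
    marker="SHELLSHOCK_MARKER"

    # Distinguish "binary not found" from a real verdict.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi

    # The trailing "echo $marker" only runs if the child bash executed code that
    # followed the function body while importing the environment.
    out=$(env x="() { :;}; echo $marker" "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *"$marker"*) echo "vulnerable" ;;
        *)           echo "not vulnerable" ;;
    esac
}

# Usage: ./shellshock_check.sh [/path/to/bash]
shellshock_check "${1:-bash}"
```

Run it against every bash on a host (`/bin/bash`, `/usr/local/bin/bash`, any bundled with an appliance), not just the one in `$PATH`; the CGI, DHCP client and SSH `ForceCommand` vectors all go through whichever `/bin/sh` or bash the exposed service actually invokes.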

Virtual Design Master ‘Community and Learning’ VCP, VCAP, VCDX

If you follow the virtualization community on Twitter then you may have already seen the hashtag #VirtualDesignMaster, and it’s something that I really think deserves more attention. The series over at presents competitors with a design challenge that puts their knowledge to the test, requiring many skills and disciplines from the virtualization industry. Even if you are not a veteran virtualization guru, the competitors come from all backgrounds, including networking and storage. In fact the competitors range from those holding VCP, VCAP, MCSE and other industry certifications to those with just solid work experience.

This series is in its 2nd season now, following on from a theme where zombies start taking over our planet and a virtual infrastructure design is required as part of the effort to save the world. It really does seem like great fun and you don’t have to be officially competing to take part, as the design scenario is available on the website.

I just love the creativity and thought that has gone into this, and if you are studying for any design certification such as the VCAP-DCD or VCDX then I’d strongly recommend that you check out their Google Hangout recording on YouTube for a feel of what it’s about. In this video Melissa Palmer @vMiss33, Eric Wright @discoposse and Angelo Luciani @AngeloLuciani chat to the judges and competitors for Team Alpha and Team Beta.

New VCDX successes make the grade!

Congratulations to the latest VCDX successes that made it in July 2014. You’ll find the VCDX Directory ( has been updated once again following the recent design defence round in Frankfurt this month. I’d just like to personally congratulate @harsha_hosur, @safouh75, @robertquast, @elgwhoppo, @sidbrydon, @vTerahertz, @agmalanco, @NiranEC, and @Gortees. This is an awesome achievement and it’s great that this once small group of experts is growing to a huge army of architects! [Read more...]

VMware Horizon 6 View Configuration Maximums

VMware doesn’t currently maintain an official Horizon 6 or View Configuration Maximums document, unlike the vSphere configuration maximums PDF which has existed for many years. There are some maximum configurations in the Horizon 6 official documentation and release notes, but these do not include everything. Before diving into the configuration maximums below, let me first explain how they are derived. Many of the configuration maximums come from testing by developers at VMware as part of the Quality Assurance (QA) process before a product is released to GA (General Availability). These are what you’ll find in the product release notes or architecture guides. Other configuration maximums are derived from best practices, benchmark tests, and observations from many implementations and tests in the real world.

A configuration maximum that has caused some confusion over recent years is the number of linked clone virtual machines per datastore/LUN. For VMware View 5.1 and prior this was documented as a maximum of 64 linked clones per LUN (VMFS). Since View 5.2 this increased to 128 linked clones per VMFS datastore, and 140 if VAAI is enabled. Today with Horizon 6 this guidance hasn’t changed and this is reflected in the maximums below. If you refer to the Storage Sizing Guide for Windows 7 for View 5.2, page 6, you will see it is also stated there (in case you doubt!). [Read more...]

VMware Horizon 6 (View) Firewall & Network Ports

Updated (July 3rd 2014): Even higher resolution, includes RDS (Remote Desktop Session) hosts, Workspace Portal, MMR and correct PCoIP ports (TCP and UDP)

Back in April 2012 I posted my original View network firewall ports diagram, and it’s been used widely both internally at VMware and in the community. Since Horizon 6 launched this week I thought I’d create a brand new full size diagram to include Cloud Pod Architecture. This updated diagram contains a better layout and a new color theme to boot!  This image is 3767 x 2355 pixels, so simply click to enlarge then ‘Save Image’ to get the full size HD version.

You’ll notice the addition of VIPA (View inter-pod API) and ADLDS port 22389 which are both used for Cloud Pod Architecture. Bear in mind that between your View Pods, you will still require the usual Active Directory ports.

Key Firewall Considerations for VMware Horizon 6

  • TCP 8472: View interpod API (Cloud Pod Architecture) – NEW
  • TCP 22389: Global ADLDS (Cloud Pod Architecture) – NEW
  • HTTPS (443): Horizon Client access, authentication and RDP tunnel (HTTPS Secure Gateway)
  • HTTPS (8443): Used by HTML Access (Blast)
  • HTTPS (22443): HTML Access (Blast) to Virtual Desktops
  • TCP 9427: Used by Windows multimedia redirection (MMR)
  • TCP 32111: USB Redirection
  • ESP (Protocol 50): used for Security Server and Connection Server IPsec communication (requires Windows Firewall with Advanced Security to be enabled)
  • UDP 500: IPsec negotiation for Security Server and Connection Server communication and pairing.

For a full list of network ports please refer to the latest Horizon 6 documentation:

Double VCDX – VCDX-DT Achievement Unlocked!

Yes I really did use a permanent marker on my MacBook!


Yes I have just drawn on my MacBook with permanent marker, but that’s due to the excitement of receiving the results of my VCDX-DT application which I applied for in early April 2014. I am the fourth (out of 5) Double VCDX certification holders, along with @vcloudmatt, @fojta, @magander3 and @SimonLong_, and I am proud to be the first to have passed the VCDX-DT certification.

I must admit my blog has been relatively quiet for the last few months due to various life events, mainly travel (jet lag!), rebuilding my home lab, family, work commitments and I guess the VCDX-DT application has also taken up my time.

If you are aspiring to become VCDX (Data Center, Cloud or Desktop) and by the mere fact you are reading this blog post, then you are already part of an amazing technical community that drew me into virtualization, EUC and VMware in the first place back in 2006. I’ve already posted my thoughts on preparing for the VCDX certification, and hope I’ll also be part of future VCDX panels so you haven’t heard the last of me yet!

In 2012 when I took on an EUC design for a car manufacturer here in the UK, I decided that I’d approach the entire process as a VCDX. Being able to do this gave me a huge advantage as I was practically living with that customer for the best part of 12 months, and beyond if you count much of the testing, validation and assistance I’ve provided since. I feel that given the way I like to work, which means I very much become part of the customer team, I was able to understand the intricacies of the project, politics, warts and all.

That much time with a customer and spending many nights in a hotel could be seen as a jail sentence for some, but I took this as an opportunity to refine the design and tackle the VCDX head-on. I was able to use the same design for both the Desktop and Data Center Virtualization. Without that much time invested in the project I wouldn’t have been able to pass first time. Remember the VCDX is for consultants and architects that want to prove a high standard of design skills, and the VCAP pre-requisites will have already tested your technical skills. You don’t have to have the perfect design, and you certainly are not expected to recite all of the vSphere PDF manuals from the top of your head, well maybe one or two :). What you do need is a lot of time and evidence that you can approach a design with an architectural methodology and mindset that takes the customer requirements into the core of the design document and delivers a solution that meets those requirements. In fact, whilst mentoring other potential VCDX candidates I have actually picked up on design methodology more than technical errors. I’ve referred to a master’s thesis from a Swedish university which covers risk mitigation in the conceptual design. It’s a really good read, and has nothing to do with VMware. This type of paper is really good preparation for the VCDX, especially since we’re so ingrained in the technology every day.

Thanks to Mark Brunstad by the way, he is doing an amazing job managing the VCDX program at VMware and it really is appreciated given the travel, time and dedication you put into this.

VCDX-DT - Ray-Heffer (Double VCDX)