Installing VMware Server is the first step, but configuration is a whole new deck of cards.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
If you've been following our series about VMware Server on Windows thus far, you'll know we've discussed the various components and walked through installation and configuration of Windows on a host server, including several security adjustments. Then we discussed installing VMware Server. Now we'll turn our attention to configuration of VMware Server.
VMware Server may be installed, but its MUI is useless at this point, because when IIS was secured, all of the MIME types were removed from the root of the IIS.
Instead of adding a blanket number of MIME types to the root of IIS, or even to the root of the VMware Server Web site, would it not be more secure if every single folder in the VMware Server Web site was configured at the folder level to serve only the files that exist in that folder at the time of the initial installation? Of course it would, but that configuration would be incredibly tedious to create. That is, unless there already a script that does just that!
There is in fact such a script, and it is available for download at my website. Editor's note: You will need a zip file manager, like Winzip, to open this file. chmt.wsf stands for "Change Mime Types." It enumerates a Web site by a given Web site identifier and then recurses through the physical folders and files of the Web site's content, restricting the corresponding folders in the IIS metabase to only serve the MIME types of the files that exist in the physical folder at the time the script is run.
In order to obtain the ID of the VMware MUI Web site, open the IIS Manager and click on the folder labeled "Web Sites." On the right side of the screen should be an entry labeled "VMware Management Interface 1.0.1" with a number under the "Identifier."
The script requires the IIS admin script "adsUtil.vbs" exist somewhere on the server as well. This is typically in "c:\inetpub\adminscripts".
Here is an example of the "chmt.wsf" script's usage:
C:\Inetpub\AdminScripts>cscript chmt.wsf Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved. Usage: chmt.wsf /w3svcID:value [/webRootPath:value] [/adsUtilPath:value] Options: w3svcID : The IIS ID of the website. webRootPath : The path to the directory of the web root. adsUtilPath : The path to the adsUtil.vbs file.
The option "webRootPath" defaults to "%ProgramFiles%\VMware\VMware Management Interface\htdocs" and the option "adsUtilPath" defaults to "c:\inetpub\adminscripts\adsutil.vbs".
Virtual machines' locations
After the MIME types have been configured, load the VMware Server console client by clicking on the "Start" button, click "All Programs," click "VMware," click "VMware Server" and then click "VMware Server Console."
The console will open with a smaller window above the large one. The small window is titled "VMware Server Console - Connect to Host"
Click the "OK" button to connect. Then click the "Host" menu item and then click "Settings." Change the value of "Default location for virtual machines" to "e:\var\vms". This location was secured earlier so that only the "SYSTEM" account and users in the "Administrators" group can access it.
The next step is to keep VMware Server from attempting to use the network interface that has been dedicated to server management. To do this, click on the menu item labeled "Host" and then click on "Virtual Network Settings". A window will pop up titled "Virtual Network Editor." Click on the tab labeled "Automatic Bridging" so that the window resembles the following image.
Click on the button labeled "Add" and add the network interface that was selected earlier to be the dedicated management interface. This is also the interface that listens for RDP traffic. In the screenshot, this is the "Broadcom NetXtreme Gigabit Ethernet" interface.
This step will prevent VMware Server from attempting to receive or send network traffic from or to VMs operating in Bridged mode.
Click the button labeled "OK" to exit this screen. It is okay to close the VMware Server Console for now.
Before securing the VMware Server logs, enable logging for the VMware authorization service. This is turned off by default, but it can very helpful for debugging certain problems with VMware Server.
To enable logging add the following lines to the file "%ALLUSERSPROFILE%\application data\vmware\vmware server\config.ini":
vmauthd.logEnabled = TRUE log.vmauthdFileName = "vmauthd.log"
Open a command prompt and type the following commands:
net stop vmauthdservice net start vmauthdservice
This will restart the VMware authorization service with logging enabled.
Secure the VMware Server logs by restricting the following locations' permissions so that the "SYSTEM" account and the "Administrators" group have full control and all other permissions are removed:
- %SystemRoot%\system32\vmauthd.log - this is the VMware authorization service log
- %ProgramFiles%\VMware\VMware Management Interface\mui.log - this is the VMware Server MUI log.
These are not the locations of all the log files, only the log files particular to its running system services. There are log files that are associated with individual users and individual VMs. For more information on the VMware Server log files, see page 22 of the VMware Server Admin Manual.
The VMware Server MUI SSL certificates are stored in "%ProgramFiles%\VMware\VMware Management Interface\SSL". By default this directory is dangerously unsecure. Remove inheritance for this directory and copy existing permissions. Remove all other permissions on this directory except for the "SYSTEM" account and the "Administrators" group. Click "OK".
Enter the "SSL" directory. The file "mui.key" is the MUI's private SSL key file. At this point it should be inheriting permissions from its parent and the "SYSTEM" account and the "Administrators" group have full control and no other permissions exist on the file. Even this configuration is too loose for a private key file. Remove inheritance directly from this file and configure the permissions so that the "SYSTEM" account and the "Administrators" group only have read permissions on the file.
It is possible to monitor VMware Server through any of several methods. The easiest way to see how things are working is to access the VMware Server MUI at https://%HOSTNAME%:8333/. The MUI will display the usage statistics of the running VMs on the server.
Another way to monitor VMware Server is with VirtualCenter 1.x. VirtualCenter 1.x can manage VMware Server hosts, as well as provide limited statistics about them.
Finally, it is also possible to monitor VMware Server with the Microsoft Performance Monitor. VMware Server installs performance counters that can be used to monitor virtual disk activity, memory usage and the network traffic to and from the VMs.
VMware Server does not have the same hot backup capabilities that ESX does, so it is necessary to suspend a VM before backing it up. Page 95 of the VMware Server Admin Manual has very concise instructions for backing up VMs on the host and configuring backup agents inside the VMs themselves. It is pointless to repeat VMware's own instructions verbatim, so this section defers to the official guide.
Next we'll go through the process of creating a virtual machine.
|Go back to part five||Go to part seven|