
Tag Archives: Vmware

First of all, Happy New Year 2013!! I am happy the whole world didn’t blow up. My guess is those Mayan dudes just ran out of space on that piece of stone, so they thought, why the hell do I need to care about the world thousands of years later?

Now, back to VMware. With vSphere 5.1.0b released, I have started to wonder whether it’s time to consider using vDS (virtual distributed switch) to replace vSS.

vDS has been around for years, but only Enterprise Plus license holders would actually use it. The concept of vDS is great, but from my point of view it is not practical in the real world to use vDS to completely replace vSS.

My suggestion is to have a hybrid environment with vSS and vDS. As a matter of fact, that, I’m afraid, is your only option. There will be a time when you need to fail over VMs from a broken vDS to something else, so between another vDS and a vSS, which one would you go for?

I did a little bit of research on vDS and I would like to share some tricks and “how to” steps with everyone. Feel free to ask questions and correct my mistakes as usual.

vSphere Client or vSphere Web Client?

Now, with the vSphere Web Client getting more and more popular, should we use the Web Client and dump the old one? The answer is no. The new Web Client is incomplete and slow, but it does provide more functions than the C++ version. I will stick with the Web Client in this post as much as possible.

What is vDS?

You can always find this answer in my old post here. Compared with vSS, vDS provides more virtual gateways (unlike vSS, vDS also virtualizes the Uplink), more control and monitoring of the traffic going through the virtual switch, and profile-based deployment from vCenter to hosts, so a vDS is aware of the network on all hosts rather than working alone like a vSS.

However, it does bring lots of other issues if you want to put vDS into production. One of those issues is renaming Uplinks.

Why do we need to rename Uplink?

Uplinks exist on vDS only. An Uplink is a virtual port group which you connect your physical NICs to. Assuming you have 10 hosts, it’s hard to guarantee that every vmnic01 will connect to Uplink01, since vmnic01 may connect to a different network in the real world. After a while, you may get confused about what each Uplink is for.


Always rename your Uplink before you start to connect anything to vDS.

You need to rename your Uplink ASAP after you create your vDS. Once the vDS is hooked up to something, it simply won’t let you touch the Uplink because it may be connected to something. Even if you remove the connection to another link, the vDS will still hold the same configuration until refresh time. (For more details and a solution, please check my old post.)

Steps to rename Uplink

Login to Web Client,


After you rename your Uplink, you can start to create a vMotion group for the vDS.

Create vMotion for vDS

The funny thing about this step is that you have to create a vDS port group first before you can do anything else.




Now, you can create a new Uplink for vMotion





I will skip the rest of the steps.


I don’t think you can vMotion between vSS and vDS. You can only vMotion between the same type of vSwitch, although you can migrate VMs from vSS to vDS with a few ping drops.

Assign specific vmnic to Uplink

One thing you would like to do is to assign vmnic01 (for example) to a specific Uplink. Please follow these steps.

Add Physical adapters into vDS via web client


Change Auto-assign to a specific Uplink


Delete an Uplink (not a physical NIC connection)

The simple thing I want to do is remove one of the Uplinks. It’s a virtual Uplink on the vSwitch; it is NOT the physical NIC which I connect to the Uplink. But this very simple thing almost can’t be done via either the vSphere Client or the Web Client.

To give you a better understanding, a new vDS comes with 4 Uplinks connected to nothing. What happens if I add more Uplinks now and want to remove some Uplinks later?

Here is how you add more Uplinks.


Unfortunately, the only way to remove an Uplink is either to build a new vDS, or to migrate all your VMs to another switch, remove all physical host NIC connections to the Uplinks, then come back here and set a LOWER number!

If you set this number to 3, 2 Uplinks will disappear but it won’t let you choose which 2 Uplinks. Therefore, you had better move all VMs and the connections between physical host NICs and Uplinks before you remove an Uplink.

This is not just my conclusion; a VMware support engineer was on the phone with me for 1 hour and came up with this solution. Maybe there is another way to do it, but we were not able to find it. If you know how to do it, please let me know or leave it in a comment.


There is still lots of testing we can do with vDS, but at this stage, I definitely wouldn’t recommend ditching vSS and using vDS solely. A hybrid environment is what I would recommend.

What is UCS VIC failover?

Put simply, each blade can have a VIC card. Each VIC card has two 10 Gbit/s ports, like the one we are using, the Cisco UCS M81KR.

This VIC card handles all network/SAN traffic from the blade to both IOMs. When there is an outage on one upstream path, the VIC can automatically redirect traffic to the other working interface without an outage.

For more details, please refer to the reference document.


Why we need to disable UCS VIC failover.

According to UCS design document,

All Connectivity May Be Lost During Upgrades if vNIC Failover and NIC Teaming Are Both Enabled
All connectivity may be lost during firmware upgrades if you have configured both Enable Failover on one or more vNICs and you have also configured NIC teaming/bonding at the host operating system level. Please design for availability by using one or the other method, but never both.
To determine whether you have enabled failover for one or more vNICs in a Cisco UCS domain, verify the configuration of the vNICs within each service profile associated with a server. For more information, see the Cisco UCS Manager configuration guide for the release that you are running.


UCS VIC failover will cause a MAC conflict with host-level NIC teaming, including VMware vNIC teaming.

Comparing the two NIC failover solutions, VMware NIC teaming also provides network load balancing and much more control than Cisco VIC failover. Hence, we need to disable VIC failover.
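
A pre-upgrade check for the rule quoted above (one method or the other, never both), as an added example that is not part of the original post or of any Cisco or VMware tool. The inventory records, field names and MAC addresses are constructed for illustration; in practice they would be filled in from the service profile vNIC settings and the host vSwitch teaming configuration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vnic:
    """One vNIC of a UCS service profile (constructed record layout)."""
    service_profile: str
    name: str
    mac: str
    enable_failover: bool  # state of the "Enable Failover" tick box


@dataclass(frozen=True)
class HostTeam:
    """One vSwitch on a host and the MACs of the vmnics attached to it."""
    host: str
    service_profile: str   # service profile associated with this blade
    vswitch: str
    uplink_macs: tuple


def find_conflicts(vnics, teams):
    """Return (conflicts, unmatched).

    conflicts: (host, vswitch, vnic_name) for every uplink that is part of a
               team of two or more NICs AND has fabric failover enabled.
    unmatched: (host, vswitch, mac) for uplinks whose MAC is not in the
               service profile inventory, so they could not be checked.
    """
    by_key = {(v.service_profile, v.mac.lower()): v for v in vnics}
    conflicts, unmatched = [], []
    for team in teams:
        teamed = len(team.uplink_macs) > 1  # a single uplink is not a team
        for mac in team.uplink_macs:
            vnic = by_key.get((team.service_profile, mac.lower()))
            if vnic is None:
                unmatched.append((team.host, team.vswitch, mac))
            elif teamed and vnic.enable_failover:
                conflicts.append((team.host, team.vswitch, vnic.name))
    return sorted(conflicts), sorted(unmatched)


# Constructed sample inventory (not taken from a real system).
SAMPLE_VNICS = [
    Vnic("SP-ESX01", "eth0", "00:25:B5:00:00:0A", True),
    Vnic("SP-ESX01", "eth1", "00:25:B5:00:00:0B", False),
    Vnic("SP-ESX01", "eth2", "00:25:B5:00:00:0C", True),
    Vnic("SP-ESX02", "eth0", "00:25:B5:00:00:1A", False),
    Vnic("SP-ESX02", "eth1", "00:25:B5:00:00:1B", False),
]
SAMPLE_TEAMS = [
    # Teamed vSwitch whose first uplink still has failover ticked: conflict.
    HostTeam("esx01", "SP-ESX01", "vSwitch0",
             ("00:25:b5:00:00:0a", "00:25:b5:00:00:0b")),
    # Single uplink with failover: only one method in use, no conflict.
    HostTeam("esx01", "SP-ESX01", "vSwitch1", ("00:25:b5:00:00:0c",)),
    # Teamed vSwitch with failover off on both vNICs: no conflict.
    HostTeam("esx02", "SP-ESX02", "vSwitch0",
             ("00:25:b5:00:00:1a", "00:25:b5:00:00:1b")),
    # MAC missing from the inventory: reported as unmatched.
    HostTeam("esx02", "SP-ESX02", "vSwitch1", ("00:25:b5:00:00:ff",)),
]

if __name__ == "__main__":
    found, unknown = find_conflicts(SAMPLE_VNICS, SAMPLE_TEAMS)
    for host, vswitch, vnic in found:
        print(f"CONFLICT {host} {vswitch}: {vnic} has failover and is teamed")
    for host, vswitch, mac in unknown:
        print(f"UNCHECKED {host} {vswitch}: {mac} not in inventory")
```

An empty conflicts list with an empty unmatched list is the state to reach before starting a firmware upgrade.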

How to disable VIC failover

It really depends on how you set up your system. In my UCS, I have deployed a NIC template and therefore I need to modify the NIC template first.



Notice that the NIC template type is Updating Template, even though the service profile template is an Initial Template. It means the change I make (unticking Enable Failover) will be pushed to the blades immediately.

The good thing is we have set our reboot policy to “User Ack”, so UCS will not reboot the blade immediately. Instead, it will put the request into the Pending Activities list for approval.


Change failover procedure





Now you will be able to schedule the reboot of your blade.








Cisco UCS B series firmware upgrade from 2.0(2q) to 2.0(4a)


Why do we upgrade UCS firmware

This post describes upgrading Cisco UCS B series firmware from 2.0(2q) to 2.0(4a). The reason for this upgrade is simple: a bug.

There is a Cisco bug in the system which prevents show tech from being generated. Without the show tech file, I’m not able to diagnose any issues, so it has become more and more critical for us.

According to Cisco, 2.0(4a) has fixed this issue. I have attached the PDF in the reference, so you will be able to download it and take a look. Basically, the real upgrade is pretty close to this document, with a minor twist.


Download firmware

There is no drama here. Just log in with your Cisco account and follow the instructions in the document, and you will be able to download the bundle files.

In my case, I only have UCS B series, so I only downloaded two files.




There ain’t much to do with preparation. My personal suggestion is:

Make sure you have enough space on bootflash.


Then, you can easily upload those two files into the system from the local server.

Back up your current configuration.


You need to make sure you have a filename written in the field; otherwise it may not be able to back up the configuration.



Create Host Firmware Package

This package will deliver quite a few firmware updates and will only be deployed through a service profile. In other words, your server must be associated with a service profile in order to get the firmware.


Now, in different environments, the firmware package can contain different components.


In our system, each UCS blade has one DCE, which is the M81KR. However, I didn’t include adapter firmware in the package, following the PDF doc. But Cisco tech support said I should include it in the package.



BIOS is a must.


Storage Controller:

Because we use a RAID-1 local disk for the OS, we need to upgrade that as well.

Board Controller:

Compared with the package version, there is no new version, so we don’t need to upgrade this one.


Disable Call Home Service




Update Firmware for Adapters, CIMCs, IOMs

Update Firmware just loads the new version into the Backup Version slot. The new version will kick in as the startup version once you restart the components.


For Update Firmware only, you can select ALL; it will not cause any harm.





Activating firmware on adapters and CIMCs

You need to do these steps in order. You can’t select the adapter settings and the CIMC settings and hope to click OK to apply both components at once. It will cause issues. If you somehow did select both, click Cancel.

DO NOT select ALL in the filter to activate everything at once!!

Activate firmware for Adapter.


Notice Active status is Pending Next boot



Activate CIMCs

The CIMC is a separate component from the data path, so it will restart itself but there is no disruption to production data.


CIMCs will become 2.0(4a)


Activating UCS Manager Software

This will cause the console and KVM to restart. No data disruption here either.


Activating IOM

The IOM is an important module and will cause data disruption, so this module will reboot when you reboot the FI. If you have 2 FIs for redundancy, you can reboot one FI at a time. When you reboot FI-A, IOM-A will reboot as well. Therefore, we will only load the new version as the Startup version and wait for the reboot.




Activate Fabric Interconnect Firmware

With the Fabric Interconnects, we need to identify which one is the subordinate. We will update the subordinate first, then switch the primary role to the newly updated FI and update the other FI. You need to make sure your redundancy is working; otherwise, you will experience downtime on the blades.

In my personal experience, you can actually give the subordinate FI a reboot before you update the firmware, so it will clean up lots of stuck issues and processes.






If the FI comes up with a status like that, it means it’s all good to update the other FI.


Check all connections, including network and VIFs


Essentially, if you see connections on both FI-A and FI-B, then it is right. Just be aware that some command lines have changed once you upgrade your version of UCS Manager.

You will do the same steps for the other FI, but remember to switch the other FI to become the subordinate first.

Update blade BIOS, SLI logic controller, and others

This is the last step. Before you do anything, you need to make sure you have your management policy set up correctly, like this.




Then you need to make sure your host firmware package is attached to the template or service profile.


Once you make the change, it should pop up a prompt asking whether to reboot or not.



Choose No so you can reboot at a time of your own choosing.


Thank you for reading. Hope it helps



Recently, we finally got upgraded to a new environment, which is Cisco UCS 2.0. We are all excited about the new toy, but we ran into some design issues which I would like to record here so you can avoid them in the future.


FC Uplinks need to be on the right ports.

I think this is basic common knowledge, but clearly we didn’t know it. With the Fabric Interconnect, we need to configure FC ports to connect to the uplink FC switch. At first, we put the FC ports in the middle of the switch and the Ethernet uplinks at the end of the switch (like ports 31/32). Then we realized it’s not doable once we got into the configuration.

Click that to get into FC port configuration

Click Yes

We put the FC links in the middle, which is wrong, and the Ethernet ports at the end. As you can see, there is a slide bar you slide to configure the ports. Once you slide it, you will see this.

All ports on the right side of the bar will be FC ports. So you can either put FC on the expansion module or you have to change your ports.
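
The slider rule can be checked against a cabling plan before anything is plugged in. This is an added example, not part of the original post; the 32-port default is an assumption taken from the post’s mention of ports 31/32, and the plan format and function name are hypothetical.

```python
def check_fi_port_plan(plan, total_ports=32):
    """Check a fixed-module port plan against the slider rule.

    plan maps port number -> "eth" or "fc"; ports not listed are unused.
    The slider makes every port from the lowest FC port to the end an FC
    port, so any Ethernet port to the right of that point cannot stay
    Ethernet. Returns a dict with:
      boundary      - lowest planned FC port (None if no FC ports)
      misplaced_eth - Ethernet ports that sit right of the boundary
      suggested     - a plan with the same port counts that satisfies the rule
    """
    for port, role in plan.items():
        if not 1 <= port <= total_ports:
            raise ValueError(f"port {port} is outside 1..{total_ports}")
        if role not in ("eth", "fc"):
            raise ValueError(f"port {port}: unknown role {role!r}")

    eth_ports = sorted(p for p, r in plan.items() if r == "eth")
    fc_ports = sorted(p for p, r in plan.items() if r == "fc")
    if not fc_ports:
        return {"boundary": None, "misplaced_eth": [], "suggested": dict(plan)}

    boundary = fc_ports[0]
    misplaced = [p for p in eth_ports if p > boundary]
    if not misplaced:
        return {"boundary": boundary, "misplaced_eth": [],
                "suggested": dict(plan)}

    # Rebuild the plan: FC takes the last ports, Ethernet ports that are
    # already left of the new FC block stay put, the rest move to the
    # lowest free ports.
    first_fc = total_ports - len(fc_ports) + 1
    suggested = {p: "fc" for p in range(first_fc, total_ports + 1)}
    keep = [p for p in eth_ports if p < first_fc]
    for p in keep:
        suggested[p] = "eth"
    free = (p for p in range(1, first_fc) if p not in keep)
    for _ in range(len(eth_ports) - len(keep)):
        suggested[next(free)] = "eth"
    return {"boundary": boundary, "misplaced_eth": misplaced,
            "suggested": suggested}


# Constructed plan matching the mistake described in the post:
# FC in the middle, Ethernet uplinks on the last two ports.
SAMPLE_PLAN = {1: "eth", 2: "eth", 3: "eth", 4: "eth",
               15: "fc", 16: "fc",
               31: "eth", 32: "eth"}

if __name__ == "__main__":
    result = check_fi_port_plan(SAMPLE_PLAN)
    print("FC starts at port", result["boundary"])
    print("Ethernet ports that would be forced to FC:", result["misplaced_eth"])
    for port in sorted(result["suggested"]):
        print(f"  port {port:2d}: {result['suggested'][port]}")
```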


UCS Memory is bigger than your hard disk

Well, this actually sounds ridiculous, but it’s one of the reasons why we bought UCS. Our blade has 196GB of memory and we will put VMware on it. We also bought a 100GB SSD to increase swap file speed. Unfortunately, at the time we purchased, we didn’t realize that to put the VM swap files on local disk, we need at least the same size as memory, 196GB, so that VM swap files can use local disk rather than precious SAN storage. Even with the new vSphere 5 feature (swap to host cache on SSD), that function won’t help much, as it only matters when we have memory contention. So to balance it out, we should have bought some big SAS disks to cover that.

vMotion is a No!

Well, maybe it’s just me, being used to always vMotioning everywhere. Once I had installed the new blades and joined them to our vCenter, I tried to offload my VMs to a new host. Then I got this error.

Of course, what you need to do is turn the VM off and migrate it. But then, that’s an outage, or you have to use EVC.

All those errors can be avoided easily, but it’s a matter of experience, I guess. Hope it helps.


Well, if you are like me, you probably still receive emails from VMware saying Virtual Cloud Day opens on 24th May.

But once you actually jump on the VMware site, it has changed to July.


It makes me wonder why it changed. Is it because the new Hyper-V 3 and SCVMM 2012 SP1 have totally changed virtualization and VMware is unprepared? ho ho


Oh, OMG. The ugly Windows 3.1 style fish. ……

This is the first feature I’m testing with Hyper-V 3. I am personally shocked by how good Dynamic Memory is. If I make any wrong comments in this blog due to my lack of knowledge of Hyper-V, please leave a comment. Thanks

We all know the Dynamic Memory feature in Hyper-V R2. This is quite an argument point between VMware and Microsoft. VMware claims they have memory overcommitment, memory sharing (scheduled, not real time), memory paging and memory balloon technology. Well, personally, I have to say VMware has done a great job of allowing VMs to consume more memory than a host can hold. It is hard to do that and reuse the memory without knowing the OS core.

Microsoft, on the other hand, has Dynamic Memory. It allows you to “dynamically use memory” by setting the lowest memory and the maximum memory for each VM. Well, to be honest, I’m not very interested in this tech since it’s very similar to what VMware does.

Now, things are completely different with Hyper-V 3.

You can increase your VM memory on the fly!

Yes, VMware could do the same thing a long time ago. I wrote a post about it. However, it only works with the Windows Datacenter edition. VMware does it by plugging virtual memory DIMMs into the OS hardware, but only the Windows Datacenter edition has the capability to pick them up and add them into the OS on the fly.

Hyper-V 3 does that with almost every Microsoft system. Following is the list.

Guest operating system (editions): configuration requirements

  • Windows Server 2008 R2 (Standard and Web editions): Install Windows Server 2008 R2 SP1 in the guest operating system.
  • Windows Server 2008 R2 (Enterprise and Datacenter editions): Do one of the following: install Windows Server 2008 R2 SP1 in the guest operating system, or upgrade the integration services in the guest operating system to the SP1 version. Installing Windows Server 2008 R2 SP1 is the recommended method because it provides the added benefit of installing all updates included with SP1.
  • Windows 7 (Ultimate and Enterprise editions, 32-bit and 64-bit): Do one of the following: install Windows 7 SP1 in the guest operating system, or upgrade the integration services in the guest operating system to the SP1 version. Installing SP1 is the recommended method because it provides the added benefit of installing all updates included with SP1.
  • Windows Server 2008 with Service Pack 2 (SP2) (Standard and Web editions, 32-bit and 64-bit): Upgrade the integration services in the guest operating system to the SP1 version. Apply a hotfix as described in article 2230887.
  • Windows Server 2008 with Service Pack 2 (SP2) (Enterprise and Datacenter editions, 32-bit and 64-bit): Upgrade the integration services in the guest operating system to the SP1 version.
  • Windows Vista with Service Pack 1 (SP1) (Ultimate and Enterprise editions, 32-bit and 64-bit): Upgrade the integration services in the guest operating system to the SP1 version.
  • Windows Server 2003 R2 with Service Pack 2 (SP2) (Standard, Web, Enterprise, and Datacenter editions, 32-bit and 64-bit): Upgrade the integration services in the guest operating system to the SP1 version.
  • Windows Server 2003 with Service Pack 2 (Standard, Web, Enterprise, and Datacenter editions, 32-bit and 64-bit): Upgrade the integration services in the guest operating system to the SP1 version.

Let’s Test!!

I tested on both Windows 2008 R2 SP1 and Windows 2003 R2. The result is the same. As long as you install the “Integration Services Setup Disk”, you will be able to increase memory on any VM on the fly!
First, I created a VM and went into its settings.
This is the default maximum memory setting. It has nothing to do with your host memory. It’s just the maximum figure Hyper-V 3 can handle. We don’t want Hyper-V to handle all the memory, so I changed this figure to 512MB and also changed the start memory to 500MB, as in the following picture.
Then, I restarted W2K3 and you can see how much physical memory it has. Please be aware this physical memory figure is just the minimum memory figure. It will increase with how much memory you consume.
Now, let’s change the maximum memory figure on the fly to 1GB!
Once you increase the memory, you won’t see it reflected in the OS immediately. You have to use memory beyond the current physical memory level. Let’s increase the number of IE windows from 1 to 102. -_-b
Amazing, isn’t it?
A few other points:
In Hyper-V 3, you can increase maximum memory but you can’t decrease it on the fly! You can decrease minimum memory on the fly, although I don’t see much point in that.
Hyper-V 3 supports balloon technology as well. The smart-page feature may help in some scenarios with HA, but I haven’t had time to test it.
More feature updates are coming. Please stay tuned. 🙂

I have been thinking recently about what and where I will be in 3 years regarding my career path. When I go through the certificates I have, I get a strong feeling that I don’t have any cloud certificates. So here is the question.

I have VCP certificates, do I need anything else?

First of all, you need to be aware that we are talking about cloud certificates here, not virtualization certificates. Virtualization is the foundation brick of cloud, but it can’t represent the concept of IT as a Service. We need something about the general concept that helps us convert the business model from the traditional EA software license to user consumption and department consumption, which is what I now call IT as a Service.

The reason is that we need to fully understand the model and the details of each department and each piece of software the business uses, so that one day we can break some pieces off and shift them to the public cloud.

Now, back to my own topic, Certificates.


So far, I have only found one set of Cloud certificates which is EMC CIS.

The path to getting all the certificates is as follows:


Become an IT professional who demonstrates cross-domain expertise and focus on designing cloud-based IT service solutions that drive business transformations for the enterprise and service provider organizations. This course is for those assessing, architecting, and designing IT-as-a-Service solutions as part of the transformation and optimization of virtual data centers into cloud-based IT-as-a-Service environments. Prepare for your Expert-level Cloud Architect Certification.
Exam and Practice Test
Expert E20-918 (To be announced)
Specialist E20-018
Associate E20-002




To be honest, the cost of taking this training is huge. You are basically looking at $3000 just for video training and $5000 for lab training, with limited regions. As the parent company of VMware, EMC believes it has earned its place to issue the first certificates in the industry. But do you really want to get EMC certificates?



Cisco has been really pushing on virtualization and it is working extremely well. The flagship product is UCS, which has earned respect and become the default blade system any company would want to have. Cisco certificates are not new to I.T., so here is something new from Cisco on the cloud side.


This is newly released by Cisco and it’s how Cisco pictures itself in the cloud business. Since there is no doubt about the network part, with the help of VMware, I’m very sure Cisco will become a true leader in cloud certification.

However, there is one specific cloud certificate from Cisco yet, so UCS certificates should be the one you can get.

Interestingly enough, not only do you need to pass the Cisco exam, you must also hold VMware certificates. Hence, we know how strong the relationship between Cisco and VMware is.


Here we go. There is no reason not to mention VMware here. But the tricky thing is, even after so much effort from VMware on virtualization and cloud, there is no VMware cloud certificate!

My guess is VMware is still working on how to make Cloud Director really work as it should. All the other components have been made but are not mature yet. We should expect to see some sort of VMware cloud certificates in the next 2 or 3 years.



I have never been a fan of Citrix. In my mind, it’s complicated, not user friendly, consumes too many resources, adds administration overhead, is too expensive and needs too many licenses. The only reason we are still hitting on Citrix is XenDesktop, which is great on low bandwidth. Apart from that, I don’t see any attractions.

There are no cloud certificates from Citrix, but I believe they will kick in pretty soon.


Microsoft is keeping to its own way on the definition of cloud. It seems it doesn’t like to share whatever technology it’s using. Hyper-V 3 is finally taking vDS into it but still lacks hardware vendors’ support. Windows Azure is slowly, slowly moving forward with a few companies doing dev and test on it. Office 365 could be a good one but it charges too much and is limited in customization. Leaving your product in a black box that you can’t manage, without knowing how it works, is a scary strategy to take.


Well, as usual, drop a line to me and see what I have missed.





Thank you for still reading my blog. I just had a chance to build an FT VM lab. I recorded some potential issues and how to resolve them. I hope it will help you to understand FT.

Quoting the VMware FT compatibility requirements:

Identify VMware FT compatibility requirements

  • Same Build number for ESX(i) hosts
  • Gigabit NIC’s
  • Common Shared Storage
  • Single Proc machine
  • Thin Provisioned disks not supported (automatically converted)
  • No snapshots

Lab Environment

I have the following hardware as my lab equipment.

2 identical HP servers, with 6 NICs on each server. 1 test VM running W2K3R2 x64.

The test VM has 1 vCPU.

All right. We are all set. Let’s see what we can do.

Turn on Fault Tolerance

If you got all your configuration right, all you need to do is right click your VM and choose Turn on Fault Tolerance.



However, you may get the following errors.

Typical Errors


1. No FT VMkernel



FT requires a specific network to make sure logs are copied from the Primary VM to the Secondary VM. You need to either create a specific VMkernel port or use an existing one. In my case, I use my vMotion network since I know I don’t vMotion much.





2. Insufficient resources for HA



FT requires HA to be enabled. However, in my scenario, I only have 2 hosts with HA enabled. The number of host failures the cluster tolerates is 1 host. FT won’t accept that. The easiest way is to use the percentage of resources option and set it to 5%.



3. Thin disk needs to be converted to thick



This is a test lab, so there is no doubt I used a thin disk for this test VM. FT doesn’t work on thin disks, so the disk has to be converted to thick.


Power off the test VM. Go to that VM in the datastore browser and right click the vmdk. Choose “Inflate”.



Then, it should work!



A few tips for FT. FT is very powerful. I ran a ping test from the test VM and powered off the primary host. No ping was dropped! But it does generate heaps of traffic on the FT logging VMkernel (33MBPS), so please be careful not to put too much pressure on your network.

Have fun.



As usual, I would like to thank you for continuing to browse my blog although I haven’t updated it for a couple of months. I was caught up in personal errands until, today, one of my friends said, “Silver, why don’t you update your blog? Even just write some nonsense into it”.

Well, personally, I don’t write any useless information in this tech blog. But I do need to update. So here it is. Hope you can enjoy it.

I will show you how to configure VMware Orchestrator. This software comes with vSphere but it is installed silently and you need to configure it manually. There are 2 reasons to use VMware Orchestrator.

A. You have a very large and complex VMware environment and you would like to dig deep and become a guru.

B. You need to prepare for the VCAP-DCA exam.

Regardless of which reason you have, this post will give you a hand and open the door for you.


Configure VMware Orchestrator

The first thing you need to do is check that the service “VMware vCenter Orchestrator Configuration” is running. By default, its startup type is Manual.


Once you started the Orchestrator Configuration, you can just run “Configuration”



You should see this page coming from IE.



The default username and password are vmware/vmware.

You should see main interface like this.




There is nothing you need to configure in the General class for now.



So let’s jump to “Network”. The network configuration is for Orchestrator itself, so you need to put in the IP and DNS and keep the other settings. No drama there.

Notice the “SSL Certificate” page here, but we won’t configure it for now. You can choose to use a CA certificate or your own certificate. In this case, we will generate Orchestrator’s own certificate first, then we can configure it. Please see the section “Server Certificate” below.


The purpose of LDAP is to let you use AD accounts to log in to the Orchestrator client.

You need to fill in those blanks with your DC servers and LDAP path.


For the root and other group path information, you don’t need to run any scripts to get it. All you need to do is run AD Users and Computers.

Right click the object (for example, the root of your AD), click “Properties”, go to Attribute Editor and find distinguishedName as follows.



Same thing for the rest of page.






Configuring the database is pretty straightforward. I’m using SQL database and



Once you install the database, jump on SQL server and verify it.



Server Certificate:

You should generate your own server certificate here. For some reason, the certificate generated by my domain CA doesn’t work well here, so I would suggest you do it yourself.


Once you generate the certificate, you need to export it to a file protected with a password.


The next step is supposed to be importing the certificate back into “Network –> SSL configuration”. If you don’t do that, you won’t get “License” right.



This is where you gain license from vCenter and also license for plug-ins.


If you don’t import the SSL certificate here, you won’t get the right result, because we need to use a secure channel.


You need to import your license which you exported above.

This will also setup Network configuration->SSL part as well.


Please note: you may need to restart vCenter to let the license work!!

Start up option:

You must make sure the status is “Running”. I was stuck at “Unknown” status for a very long time, even after I restarted the vCenter and Orchestrator services and the server. The only way to resolve it is to click those “Restart” buttons on this page. Trust me, they are here for a reason.


The remaining parts are very easy to configure. I will just paste pictures here as a guide.












This is for connection to your hosts.


vCenter Server:

This is where you configure your vCenter.



Once you have finished the configuration, you can get into Orchestrator via its own client. Run it under VMware and you should see this interface.




There are some tricks to setting up Orchestrator. But the difficult part is actually using it, since there is a lack of good examples and documents.

I would suggest the VMworld Orchestrator Lab manual as a very good start. If you want me to give you some examples, please leave a message.


So this is the last part of this series. Hopefully, I don’t need to write another post.

In the previous post, I discussed how to install and configure Trend Deep Security 7.5 on vShield. This post will talk a little bit more about configuration and a performance review.

In my last post, I installed vShield Zone on the host, installed DS Manager on one of my VMs, which is also vCenter, and pushed the DS Virtual Appliance onto one of the hosts.

Then, I changed the IP and network configuration on the DS VA and activated it with Deep Security Virtual Appliance.

Please be aware that the Security Policy plays an important role in DS. You need to make sure all protected VMs have the correct Security Policy.

Once you have finished the VA, we can go back to DS Manager and take a quick look.

I would like to list some common issues you may encounter.


If anti-Malware status is not Capable, it means vEndpoint is not installed on this ESX host.


If Anti-Malware is on but the color is blue, it means you haven’t assigned the correct policy to this VM. By default, there is no policy at all. Just right click the VM and follow the instructions.



You had better create your own policy before you apply one. Some default policies (like Windows 2k3) don’t have all protection on and don’t allow certain protocols (e.g. RDP). The best way is to make a copy of an old policy and customize a new one for yourself.

The next step is to prepare your VMs. All you need to do is install the vShield Driver agent and the DS Agent. Once you finish the installation, you must reactivate your VM from DS Manager to let DS Manager check the VM status.


If you have installed both agents and applied the right policy, reactivate your VM from DS Manager. You should see something like this in DS Manager.


It should be all green and the Agent should be running. Your VM should be protected at each level by both the Appliance (working with vEndpoint) and the Agent.

One more thing: when you try to install the DS Agent, you need to copy the installer to the local disk of the VM and install from there. Otherwise, you will encounter this error.


Virus download test

I have a protected VM which has all features turned on. Let’s see how it reacts when I try to download a virus sample file from the Internet.


It actually worked!

Does Deep Security actually reduce resource consumption?

Here is the big question. The reason we spent so much time deploying this product is the rumour that it can save resources compared with a traditional AV solution. Let’s take a look.

I installed OfficeScan on one of the test machines. I monitored the CPU, memory, disk and network resources consumed on both the test VM and the host as a baseline. I will scan a VM with OfficeScan once, and also scan it with DS.

Protected VM CPU

Protected VM CPU with OfficeScan


CPU: 50% of one core. It lasts 10 mins.

Protected VM CPU with DS



Only 22% CPU, compared with 50% for OfficeScan.

Note: I ran this test twice.

Protected VM DISK

Protected VM disk with OfficeScan


Disk: 5000KBps for 10 mins.

Protected VM disk with DS:

It’s very interesting to see disk activity on the first run but nothing on the second. The reason is that the first run has already loaded the disk data into memory, so it doesn’t need to load it again the second time. It supports the theory that DS loads data into memory and scans only memory. The DS scan finished in 4.5 mins.

Protected VM Memory

Protected VM with OfficeScan


Memory: Consumed memory is 1.25GB, and active memory is 4GB.

Protected VM with DS


50% of active memory in 4.5 mins. I ran twice.

Protected VM Network

Protected VM with OfficeScan


Network: OfficeScan tried to contact OfficeScan server at beginning. Then, it went quiet.

Protected VM Network Activity with DS:


There is almost nothing on the network. It means DS is using an ESX module to scan memory directly. It doesn’t go through the normal network channel. Because it uses a similar theory to a vSwitch, I call it a protected vSwitch channel.

From what I can see from the protected VM’s angle, almost 50% less resource was consumed and the scan took only half the time to finish.

Because using DA actually involves using the Deep Security Virtual Appliance to scan, we need to take a look at the DS VA.



The truth behind the scenes is that the DS VA is actually scanning the data instead of the protected VM. That’s why you see low utilization on the VM: all it did was load data into memory and call the vShield Endpoint driver to let the DS VA scan.

DS VA Disk:


Almost no disk activity on the DS VA.

DS VA Memory:


It consumes 1.5GB of memory on the VA. That’s understandable.

DS VA Network:


This is very interesting. According to this chart, the network activity on the DS VA is very high during scanning. It means vShield Endpoint will open a port for all VMs sitting on that protected vSwitch instead of just the DS VA.


This is the vSwitch vShield Endpoint uses. It’s just a normal vSwitch and you can add adapters if you want. It does raise my concern about whether this could be a potential security breach.

Here is the moment of truth. Will DS actually save resources from the ESX perspective?

Following is the data from Physical ESX Host:

ESX CPU utilization

ESX CPU with OfficeScan


4% of total CPUs on the ESX box. I had nothing else running on that host.

ESX Host CPU Performance on DS


It does finish the scan in half the time, but it actually uses 6% of CPUs. Be aware this does not include the ESX host CPU overhead. It’s 2% higher than OfficeScan.

ESX Disk with OfficeScan


Disk activity on ESX host.

ESX Disk activity with DS


It’s the same disk activity but with half the loading time.

There ain’t much point to check memory since everything is happening in the memory. Just one module to scan another chunk of memory in the host. That’s all.


Let’s sum up what we have learned from this data. Please be aware I only tested a single machine scan.

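Resource consumption:

ESX Host

  • CPU Util: OfficeScan 4%; DS 7.5 6%
  • CPU Used time: OfficeScan 10 mins; DS 7.5 4.5 mins
  • DISK Util: OfficeScan 200CMD/s; DS 7.5 200CMD/s
  • DISK Used time: OfficeScan 10 mins; DS 7.5 4.5 mins
  • Memory: OfficeScan Same; DS 7.5 Same
  • Network: OfficeScan 0; DS 7.5 0 (Nothing on pNIC)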

It does seem like DS consumes more host CPU than OfficeScan.

But it seems that the DS VA doesn’t support scanning with multiple threads at the same time. If that’s the case, a host can hold about 30 VMs max, so DS Manager will schedule the scans of all machines at different times.

This is the end of this Session of this year!

I wish everyone a wonderful Christmas and a Happy New Year!!