Sharks and Security Tech

So I saw this news story over the weekend and honestly after watching the video, the first thing I thought of was firewalls. Kind of sad that this is the first analogy I drew from this, but that’s OK. It goes with the turf.


So often in IT we bet on a technology to keep us secure, whether that be next-generation firewalls, process whitelisting, anti-malware or network segmentation. All of these are good things; no security consultant should ever argue against the concept of defense in depth. The problem is that once we have these technologies in place, our thinking can shift to “we’re good” or “we’re safe”.

Here are some examples of those thoughts:

  • “We have new next generation firewalls, nothing can get us now”
  • “We segmented off all our DB servers, we should be good now”
  • “We have no admin on any user boxes and antimalware everywhere”

I’m wondering how many cages that diver is going to trust after this terrifying diving experience. I bet netsec employees that have suffered a serious breach probably feel the same way about some of these technologies.

The point I’m trying to make with this post is that I never would have thought something like this could happen; those cages were ENGINEERED to withstand any kind of shark coming at them.

Understanding how you perceive the technologies you are a fan of is extremely important. Always understand your personal status quo and your thoughts and feelings around how you’ve been successful with a particular product. Don’t let success convince you that a particular solution is impossible to break or breach, because that trust can very easily turn into complacency. Just because it works and reduces threats doesn’t make you bulletproof.

On a related note, I’m updating my bucket list and removing an item.

The Digital Workspace – I Fight For the Users

The Digital Frontier Workspace

In the 1981 version of the movie TRON, there is a phrase TRON says that sort of defines his purpose: “I Fight for the Users”.

Having become a VDI/presentation specialist over the past several years, I’m pretty sure I’ve felt this way several times. At the end of the day, our job as IT employees is to provide value to the business. Below is a quick list of things I’ve done in the past where it felt like I had to “fight for the users”:

  • Proved the need for more compute resources for overly dense environments
  • Rationalized the upgrade of underperforming storage
  • Justified the value of graphics capabilities inside a remote session
  • Worked with IT departments to enable faster and less disruptive delivery of updates and net new applications
  • Troubleshot performance, network and software issues that were impeding application delivery

The transformation of “remote access” into the “Digital Workspace” has been a very long time coming, and for the most part the concept isn’t new. The new catch is that with SaaS becoming a normal delivery method for applications, delivering every application someone might need from a “one-stop shop” adds a great deal of complexity. This was the message from the stage at VMworld this year. “Consumer Simple, Enterprise Secure” was the verbiage Sanjay Poonen used. He also used the term “Sesame Street Simple” to describe the end user experience of signing on and accessing applications safely and securely, with a fast and simple BYOD enrollment process.

Here is where it gets fuzzy: the “Sesame Street Simple” concept, in my opinion, does not necessarily apply to the engineers and architects behind the solution. It’s the same when developing software: making it simple for the end user requires a very high amount of complexity on the backend to support as simple a workflow as possible. We can simplify portions of the task, such as storage and compute expansion with the prevalence of HCI, but overall, providing a one-stop shop for on-prem and SaaS-based apps with a single sign-on action is a daunting task. It’s for this reason that I bring up the concept of fighting for the user; this is not easy. It’s a fight we must constantly keep in mind: we are in the business of enabling the business, and therefore the users, regardless of where the applications reside. I fight for the users, and sometimes that means fighting against IT departments that are reducing their value proposition in a fast-shifting SaaS landscape. If you cannot service the business with acceptable SLAs or timely responses, shadow IT will creep in and/or it will cause damage to the organization.

Myself, I will continue to propose solutions that ATTEMPT to make lives easier for both end users and the engineers, but the very nature of making it simple on one side of the equation will almost always make it more complex on the other.

In regards to Workspace One, I’m actually very excited to watch the evolution of A2, which will deliver AppStacks directly to physical Windows 10 endpoints, likely via AirWatch. As a former veteran Microsoft SCCM (ConfigMgr) engineer, I know that delivering applications and controls to Windows devices that aren’t connected to the corporate network isn’t a new concept; it has been possible for quite some time by establishing a PKI, albeit with complexity. What is new is that, with the improvements the Windows 10 operating system has brought, it’s now possible to manage policy and applications on Windows 10 devices natively with Unified Endpoint Management software, which can provide sandboxing technology. This sandboxing and isolation is a BYOD game changer, and when combined with application delivery and a seamless experience across different operating systems and devices it can make a huge difference and reduce the BS logon and auth time in between actual work. It’s my personal opinion that we’ll see a real uptick in UEM combined with Digital Workspace transformation over the next 3 years.

Until next time my friends, I hope to see you all on the battlefield of fighting for the users.

Horizon View 6.2 – Cannot Disable Connection Server – Failed to update Connection Server

I recently saw an error message when trying to disable a connection server via the admin UI, which reads:

Failed to update the Connection Server.

Images taken from a twitter post by Ronald Westerhout @rwesterhout81


So it turns out, per Ronald, that unless you have both the SSL gateway and the Blast gateway either checked OR unchecked, the disable button won’t work. I’m not sure in which versions of View this problem exists, because I’m pretty much only disabling connection servers when there’s a problem or when doing an upgrade. Either it’s a bug, or a KB needs to be written for this error dialog. Until then, I hope this post finds you well, fellow Horizon administrators!

How To Reclaim ESXi VMFS storage with Ubuntu VMs

First of all, zero the free space in the guest. You can do that easily with secure-delete. In the Ubuntu guest, this srm command recursively deletes all files and folders under the directory, in fast mode, verbosely, zeroing the final write, and with only one pass (the two -l flags reduce it to a single pass). Run df -h before and after to see the difference.

df -h
sudo apt-get install secure-delete
sudo srm -r -f -v -z -l -l /dir/to/clean/*
df -h

Next, simply Storage vMotion the VM to another datastore with the thin provisioned disk format selected. If that’s not an option for you, you’ll need to power off the VM and punch out the zeroed blocks from the ESXi shell.

In ESXi:

<Power off the VM>

cd /vmfs/volumes/to/your/vm/folder
vmkfstools --punchzero vmdk-to-shrink.vmdk
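As an added example (not from the original post), here is a POSIX shell wrapper around the two steps above that adds the guards I would want before running them unattended: it refuses to hand srm a path such as / or one containing .., and it checks the VMDK descriptor for ddb.thinProvisioned = "1" before calling vmkfstools --punchzero, since punchzero only reclaims blocks from thin-provisioned disks. The function names, the sample path arguments and the descriptor check are my own assumptions; the srm and vmkfstools invocations are the ones from the post.

```shell
#!/bin/sh
# Added example: guarded wrapper for the zero-then-punchzero reclaim procedure.
# Guest-side functions are meant to run inside the Ubuntu VM, host-side
# functions in the ESXi shell with the VM powered off. Names are assumptions.

# Return 0 only for an absolute, existing directory that is not "/" and
# contains no ".." component, so a typo never turns "srm -r" loose on the root.
safe_zero_dir() {
    dir="$1"
    case "$dir" in
        ""|/) return 1 ;;     # empty or root: refuse
        /*) ;;                # absolute path: continue checking
        *) return 1 ;;        # relative path: refuse
    esac
    case "$dir" in
        */../*|*/..) return 1 ;;   # parent-directory escapes: refuse
    esac
    [ -d "$dir" ] || return 1
    return 0
}

# Guest side: overwrite and delete everything under the directory.
# -r recursive, -f fast, -v verbose, -z zero the final write, -l -l one pass.
zero_dir_contents() {
    safe_zero_dir "$1" || { echo "refusing to srm '$1'" >&2; return 1; }
    df -h "$1"
    sudo srm -r -f -v -z -l -l "$1"/*
    df -h "$1"
}

# Host side: a VMDK descriptor of a thin disk carries
#   ddb.thinProvisioned = "1"
# punchzero does nothing useful on thick disks, so check before calling it.
is_thin_vmdk() {
    grep -q '^ddb.thinProvisioned *= *"1"' "$1"
}

punch_zero_if_thin() {
    vmdk="$1"
    [ -f "$vmdk" ] || { echo "descriptor '$vmdk' not found" >&2; return 1; }
    is_thin_vmdk "$vmdk" || {
        echo "'$vmdk' is not thin provisioned; punchzero would reclaim nothing" >&2
        return 1
    }
    vmkfstools --punchzero "$vmdk"
}

# Example usage (VM name and paths are placeholders):
#   zero_dir_contents /var/tmp/old-builds          # inside the guest
#   punch_zero_if_thin /vmfs/volumes/ds1/vm1/vm1.vmdk   # on the ESXi host
```

The descriptor check reads the small text .vmdk, not the -flat.vmdk data file, which is also the file punchzero expects; if you keep the VM on a thick disk, Storage vMotion with the thin format selected is the route to take instead.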

How to configure PERC H730 RAID Cards for VMware VSAN

Hey All, just wanted to write up a quick post with pics on how to configure the H730 RAID card for VMware VSAN.

First of all, the H730 is on the HCL and is a great choice due to the ample queue depth of 895 as determined by esxtop.

[screenshot: esxtop showing the H730 queue depth]

This is how we configured it, following the best practices in the configuration guide:

  • Passthrough mode
  • Controller caching disabled
  • BIOS Mode pause on error (rather than stop)

Per the guide: [screenshot of the relevant page of the configuration guide]

Just figured this might help some other wayward souls out there. : )
