Will VMware customers using agentless security be facing high costs when upgrading to vSphere 2015?

At VMworld 2008 VMware introduced a new way for protecting  virtual machines. Previously anti-virus, firewall, file integrity  and malware protection had to be performed at the virtual  machine level by installing an agent.

With the introduction of the VMsafe.API network traffic can be now intercepted at the hypervisor level and inspected by a virtual appliance.

The VMsafe.API is used by selected number of third party vendors. However VMware announced in 2013 the end of life for the VMsafe.API. Customers wishing to continue agentless solutions might be  facing high costs when upgrading to the vSphere 2015 release which is scheduled to  replace vSphere 5.5 .

Introduction to agentless security

A traditional security agent installed in a virtual machine has a couple of disadvantages:

  1. consumption of resources. Each agent in each guest consumes compute, memory and storage resources. Imagine a situation where each anti-virus guest performs a scheduled scan on viruses at the same time. This will result in many storage IO. These scanning storms are not a nice situation for VDI.
  2. many virusses try to disable the anti-virus agent. By not using an agent but using technology in the kernel instead a much safer protection is created.
  3. powered off guests cannot be protected by using an agent but they can be infected .

VMware announced at VMworld Europe 2008 the VMsafe API.  Basically the API allows inspection of network traffic at the hypervisor level. Network traffic can be intercepted after entering the physical network interface in the ESX(i) host. It is then routed to a vendor appliance. The appliance does the actual scanning on virusses and malware instead of the traditional deployment where agents are used in each virtual machine.

Agentless is not completely true. While an anti-virus agent is not installed in the guest, you still need to install a vShield agent. (thin  agent)

This image below shows the flow of network traffic when VMsafe.API is used. The image is published at Rational Survivability. 


After a rather slow adoption  during the next years vendors started to support the API.  Trend Micro was the first vendor to use VMsafe API for protection against virusses. Later McAfee joined supporting VMsafe with their MOVE product. Kaspersky Security for Virtualization  also uses the API.

Juniper Firefly uses the API for firewall purposes like some other vendors.

To use the VMsafe API a seperate VMware product called vShield Endpoint needs to be installed. Initially vShield Endpoint inclusion was limited to the more expensive editions of vSphere.  Alternatively vShield Endpoint could be purchased. At the release of vSphere 5.1 VMware made vShield Endpoint available for free for vSphere Standard Edition and higher.

It looked like VMware was promoting agentless solutions.

In 2013 VMware announced it will no longer support the VMsafe API in ESXi 5.5 . See this KB article titled ‘End of Life support for VMsafe and Partner Solutions using VMsafe on vSphere 5.5 (2058911)‘ for the details. Trend Micro and other vendors stated they will continue supporting the API in vSphere 5.5. To be able to use Trend Micro Deep Security in  vSphere 5.5 and to get full Trend Micro support ,  customers have to use Deep Security version 9 Service Pack 1, PAtch 2.

While in vSphere 5.5 using VMsafe.API is still possible, the next release of vSphere, likely to be named vSphere 6.0, VMsafe.API is no longer included in the kernel of ESXi. VMsafe.API is being replaced by the VMware NSX API (formery known as the NetX API). 

Customers wanting to continue to use agentless security solutions for vSphere 6.0 are likely required to adopt the VMware NSX for vSphere platform.

This raises some questions. NSX is targeted at large enterprises and service providers. It is a network virtualization tool which uses central management for provisioning and configuration of networks. NSX is not for the masses; it can only be sold by a limited number of certified VMware partners called NSX Elite partners. It is not available for public download. Organizations interested in purchasing NSX will have to do a paid Proof of Concept. The PoC will be built by VMware PSO staff.

NSX is also not a cheap extra license on top of vSphere. The list price is almost 5000,- or  $5,996 per CPU. 

VMware partners are not happy about replacing the VMsafe.API with the  NSX.API. This API offers less features as documented in this article.

Some vendors prevent using VMware API or hypervisor based agents. For example InMage, recently acquired by Microsoft, uses agents in guest for replication. They state here: 

Some vendors run an agent in the hypervisor for replication. Problem is that when vSphere 5 came out VMWare broke that connection for other ISV’s. VMware knew in vSphere 4 that they had a heterogeneity problem and needed storage replication. SRM’s failover and failback used to be a framework product to run on array replication. Since VMware is not open source the company does what is in THEIR best interest and put replication in the hypervisor and still supports array based replication. This took off value for other ISV’s because they now were locked out from providing that feature.

So what do you expect when high volume products don’t use open source or standard API’s? Unless that is their business strategy companies have no obligation to maintain standards. If you try to go into the vSphere and use a link such as VMSCSI you have no assurance that VMware won’t make changes that will break the software without notice.


At the moment nothing is known about what will be the cost for customers wanting to upgrade to vSphere 6.0 while continue to use agentless security solutions like Trend Micro Deep Security.

A possibility is that a limited edition of NSX will become available which provides the NSX.API functionality to third party solutions. VMware will shoot itself again it the foot (remember vTAX) when requiring their customers to purchase the full VMware NSX for vSphere SKU just to use agentless security solutions. Also their partners will not be happy with this possible move.





Microsoft publishes Technical Documentation for System Center 2012 R2

At July 15 Microsoft released a set of documents titled “Technical Documentation for Getting Started with System Center 2012 R2″

This set is very usefull for anyone working with System Center 2012.

The download has 2 documents which are available in both Word and Adobe PDF format:

System Requirements for System Center 2012 R2 is a very comprehensive Word file documenting requirements for hardware, server and client operating system, SQL
Server, Web console, PowerShell, and .NET Framework.

Upgrade Sequencing for System Center 2012 R2  describes the sequence of upgrading System Center 2012 Service Pack 1 (SP1) components to
System Center 2012 R2

Download here

Microsoft also published ‘Technical Documentation for System Center 2012 – Virtual Machine Manager’. This document has 757 pages.

Lots and lots of information on common tasks in SC Virtual Machine Manager. This document has been updated in July 2014.

Microsoft now recommends not using AlwaysOn in Microsoft SQL Server. If you use AlwaysOn, and you are running an asynchronous commit mode, the replica of the database can be out of date for a period of time after each commit. This can make it appear as if the database were back in time which might cause loss of customer data,
inadvertent disclosure of information, or possibly elevation of privilege.

Download here



Microsoft acquires InMage. Enhanced disaster recovery services for Microsoft Azure

Today Microsoft announced it  has acquired InMage. InMage is a US company while software development is done in India. InMage offers software to enable disaster recovery (DR) for mid-market and enterprises. 

There are many solutions on the market offering DR. However InMage is the only one supporting all assets in a datacenter: both physical and virtual servers ( VMware vSphere, Microsoft Hyper-V and XenServer). It supports Windows Server, Linux, IBM AIX  and Solaris. It supports major enterprise applications like Exchange, SQL, Oracle, SAP and Sharepoint.

One of the software solutions of InMage is Scout. Scout is storage agnostic and allows to replicate virtual machines as well as physical servers to a target location. This can be either a secondary datacenter, to a cloud provider like Azure or to a Managed Service Provider datacenter. InMage has many Service Provider customers in the US. For example SunGuard. Cisco uses InMage Scout in its blueprints which can be used by partners building DRaaS solutions. InMage partners with HP, Hitachi and Fujitsu which provide DR services.

Scout current version is 7.1.

The solutions are offered in three form factors: software, a hardware and as Software as a Service.

Scout will be integrated in the current Microsoft Azure service called ‘Azure Site Recovery’ which is in Preview at the moment.

Besides the support for all major hypervisors a very interesting feature of InMage Scout is the ability to covert hypervisor virtual machine disk formats. So a VMware customer can protect their virtual machines running on vSphere  (which uses  VMDK format) to Microsoft Azure which uses Hyper-V .VHD virtual disks.

Also for example an Amazon customer can easily migrate virtual machines to Azure using InMage Scout.

In this  blogpost,  Takeshi Numoto – Corporate Vice President, Cloud and Enterprise Marketing , states

This acquisition will accelerate our strategy to provide hybrid cloud business continuity solutions for any customer IT environment, be it Windows or Linux, physical or virtualized on Hyper-V, VMware or others. This will make Azure the ideal destination for disaster recovery for virtually every enterprise server in the world. As VMware customers explore their options to permanently migrate their applications to the cloud, this will also provide a great onramp.

Microsoft has two main goals by the acquistion of InMage:

  1. attract Microsoft customers to Microsoft Azure
  2. attract VMware and other non Hyper-V customers to Microsoft Azure. VMware has a large installed base but not every VMware customer can afford a secondary datacenter. Especially in Europe there are not many Service Providers offering a mature Disaster Recovery as a Service offering. VMware itself only recently introduced its vCHS-DR service.

It is interesting to see how the currently in Preview service ‘Azure Site Recovery’ (ASR) will mature now InMage has been acquired. ASR support is limited to Hyper-V virtual machines running on-premises. It provides some orchestration features but is limited in out of the box post-processing of failover of virtual machines. For example changing IP addresses needs to be scripted. It is not unlikely development of ASR will change course.

InMage Scout uses agents which are installed in a source server (physcial or virtual server). This agent copies every write to disk and sents it to a software appliance called the InMage Scout Server. I understand this can be either a virtual machine (called the Process server) or a hardware appliance 

This appliance has two functions:

  • -a backup function. It stores backup data on disk.
  • -a disaster recovery function. It replicates data to a secondary site or to the cloud. It does compression and encryption as well.

In the secondary location there is a virtual appliance as well which is used to process the replicated data. It stores the replicated virtual disks on storage. Replica’s of virtual machines do not have to be powered on during the replication. This is very usefull as it does not consume compute and memory resources thus lowering costs.

At failover or failover testing virtual machines are created and started.


The acquisition of InMage is a very interesting one. Many see Disaster Recovery as a Service as a  first step for organizations to embrace cloud computing. Now DraaS is open for any enterprise, also non Hyper-V customers. The barrier for using DRaaS is lowered now.


Possible announcements for VMworld 2014

Like every year VMware will announce new and updated products and services at VMworld 2014. While VMware never releases information about VMworld announcements, there are always some indications,  rumours and educated guesses which provide some insights on what to expect.

Lets do some speculation and guesses what could be announced at VMworld 2014. VMworld USA is often used for  annoucements on vSphere, vCloud Suite and  vCenter   while VMworld Europe mostly has annoucements on management tooling and end user computing.

Let me be clear: All being written in this blogpost is mostly  based on internet sources (some at VMware.com) , some speculation and partly educated guessing. 

  • project Marvin / Mystic
  • VMware vSphere next (2015)
  • introduction of Virtual Volumes (VVOLs)
  • VSAN 2.0
  • NSX channel program competency
  • replacement for vCenter Heartbeat
  • vCHS -> more European datacenters

Project Mystic  and VMware MARVIN

Several indications show both VMware & EMC are working on a converged infrastructure solution. CRN published an article about Project Mystic. Mystic could be a converged system in which compute and storage hardware is supplied by EMC while VMware produces the software. The software is nicknamed MARVIN in which VSAN likely has a major share .

‘Mystic’ is said to compete solutions like Nutanix and Simplivity.

Fletcher Cocquyt spotted this poster attached on a window at the VMware campus showing project MARVIN.

CRN has published an article on Mystic


VMware vSphere announcement
A major release of  vSphere is announced about every two years. So likely is that this year vSphere next will be announced at VMworld. In July a private beta was made available to the public. Anyone interested to know  the features and participate in making vSphere better  are welcome to join this beta. Anyone can join and find out the new features of vSphere next. For whatever reason the information available to anyone (only have to join the beta) is still under NDA. As I joined the beta I am not allowed to blog about the new features.

vSphere next is not expected to be released in 2014. Early 2015 is a likely time as this blogpost at VMware.com suggests.

Join the beta!

VSAN 2.0
When VMware acquired Virsto it also got hold of a lot of knowledge on using clever techniques. The engineers which worked for Virsto are likely to use their knowledge for new features in VSAN 2.0. I am not sure when VSAN 2.0 will be released. It could be as the same time as vSphere 2015 or in a seperate Update to vSphere 2015.

Replacement for vCenter Heartbeat 

VMware announced  the end of availability of vCenter Heartbeat. This solution made vCenter highly available especially when vCenter was installed on a physical server. But even on a virtual machine HA or vMotion might not be sufficient. So we might see a new way of providing redundancy for vCenter announced at VMworld.

Virtual Volumes (VVOLs)
VMware has been talking about Virtual Volumes ever since 2011. So far it did not lead to an available technology. VVOLs is all about the VMDK. Instead of presenting LUNs storage arrays are serving VMDK files. For each VMDK policies can be set like if the VMDK requires replication, thin provisioning and maybe some sort of Quality of Service .

Two of the advantages of VVOLs is offloading tasks to the storage array. Both snapshots and cloning will be performed by the storage array when VVOLs are used. Performance is not affected when snapshots are made or commited. Tintri had a demo at VMworld 2013 of VVOLs. See the video here. Nimble has a demo video as well. NetApp has a demo as well as shown in this blog.

End of June 2014 VVOLs went into a public beta. More information here. 


NSX channel program competency

NSX is a solution not suited for each and every VMware customer. It cannot be downloaded from the VMware website. Installation needs carefull planning and knowledge. Customers showing interest in NSX can order a paid Proof of Concept. A VMware will then make a design and do the implementation.

For VMware partners to succesfully sell and implement NSX a special competency will be announced according CRN. Partners will probably we able to study online and gain knowledge on NSX.

vCHS -> more European datacenters
At VMworld Europe VMware announced it would make available vCloud Hybrid Services in more European datacenters. At the moment there is a single European datacenter operational in the UK (Slough near London). An announcement of a new datacenter in France or Germany is quite well possible. In June 2014 VMware announced the opening of a 5th datacenter in the US. VMware also seems to be working on a vCHS datacenter in Japan. 


Microsoft introduces Microsoft Azure StorSimple, a new virtual appliance and 2 new arrays

Today Microsoft announced some interesting news on StorSimple:

  • introduction of two new StorSimple arrays
  • a new StorSimple Virtual Appliance
  • a new Azure service called ‘Microsoft Azure StorSimple’.

For those unaware of Microsoft StorSimple: it  is a hardware storage appliance available in 4 models which is placed in an on-premises location. It has a couple of SSD and SAS drives for local storage. Volumes are served to hosts using iSCSI. SMB shares are not supported yet. StorSimple  complements Tier1 storage systems by being able to automatically move infrequently accessed data to Microsoft Azure storage. Data stored in Azure remains available for access by users and applications. Users will only notice a small delay when accessing data stored in Azure. Think about a single stretched volume which has data located on the StorSimple local storage as well as in Azure.

The main driver to use StorSimple devices is saving on storage costs while its unique disaster recovery features are a nice bonus as well.

StorSimple is limited to serving  unstructured data like Office files etc.

The interesting news of today is that StorSimple will be available as a virtual appliance as well. An Azure virtual machine can run the StorSimple software and perform the same features as the hardware appliance placed on-premises.

This will be available from August 1.

The news was announced in this blog titled Introducing Microsoft Azure StorSimple

The two new arrays are the 8100 and the 8600. The 8100 has a raw local storage capacity of 15 TB while the 8600 has 40 TB. By using compression and deduplication the effective capacity for the 8100 is 75 TB to 200 TB for the 8600.


The new StorSimple virtual appliance  enables for example a scenario where customers replicate on-premises StorSimple snapshots to Azure based virtual appliances. Applications running in Azure can then analyze data without disrupting production workloads running on-premises.

The StorSimple virtual appliance is only supported when the StorSimple 8100 and StorSimple 8600 are used. Current models are not supported! Which is a big pity if you ask me.

Another use case is disaster recovery. A StorSimple hardware appliance is a single point of failure. If it breaks down or is destroyed because of fire/flooding/collapse of the datacenter, customers will require a spare StorSimple appliance to be able to recover data. Now recovery can be performed using StorSimple virtual appliances running in Azure.

Recovery using StorSimple is not having to wait before a restore has complete. StorSimple instant recovery works as follows: a cloudbased snapshot is mounted to a StorSimple array or virtual appliance. Then the data is made available to users instantly. The file is only moved from Azure to the appliance when it is being accessed. So instead of recovering all files, only files which are accessed are restored while showing all files.

The Virtual Appliance connects to Azure VMs using a virtual iSCSI Ethernet network and the same platform volume and storage management tools (such as Windows Disk Management) and iSCSI initiators that are used on-premises. That means many of the same system management skills used on-premises are used in Azure to do the same things there. 

This Microsoft blog has some details!

Management of the 8000 series arrays and the Azure StorSimple virtual appliance running in Azure is done using a new Azure service called ‘Azure StorSimple Manager‘.
StorSimple Manager provides a central console for monitoring multiple StorSimple devices which are located in for example branch offices. It shows whether it is online or offline, shows the ratio of the provisioned capacity to the maximum capacity of the device. It also can be used to restore a cloudbased backup from for example an on-premises StorSimple device to a StorSimple virtual device.


Two new hardware appliances will be available: the model 8100 and the 8600.The 8100 is a 2u model while the 8600 has 4u. The specifications are shown below. For a full overview see this page.


The StorSimple appliances are not cheap. The 8600 has a listprice of $ 170.000,-


The pricing overview showing all currently available StorSimple devices is here.