Wordfence 7.8.0 Is Out! Here Is What Is Included

Wordfence 7.8.0 is out! A huge thanks to our quality assurance team, our team of developers and our ops team for planning, implementing and releasing Wordfence 7.8.0. This release has several fixes to make Wordfence even more robust, and includes a fundamental change in the way our signup works.

Since our launch in 2012, the signup flow for Wordfence has not required you to leave your own WordPress installation and come to our website. We briefly required this, but removed it 10 days after launch.

Wordfence has grown to a community of over 4 million active websites and a very large number of paying customers. Wordfence is now downloaded over 30,000 times every day. Today we spend a huge amount of money on providing the services that our free and paid community needs to stay secure. Privacy laws have also changed profoundly since 2012.

Scaling up our operations has required us to get better at capacity planning, which means knowing how many installations we’re getting, how many are bots or spam, who is communicating with our servers during a scan, and whether it is a real website running Wordfence, a nulled plugin or someone simply using our resources to power something unrelated to Wordfence.

Privacy laws have also added the need for us to be able to communicate with our free customers to alert them to privacy policy and terms of use changes.

This has required us to adjust our signup flow to match other popular plugins out there, like Akismet. Many customers may find this is a clearer signup workflow because we no longer need to shoehorn a complex user experience into a set of modals on a site where we don’t control presentation.

This change will not disrupt any of our existing free or paid customers. If you have a free API key that Wordfence automatically fetched when you installed it, that key will remain valid and your site will continue uninterrupted. If you have a paid Wordfence API key, your key will continue to work without disruption. We are not requiring any existing customers to visit our site to install a new key.

The only users this affects are new free Wordfence installations. The installation process is quite simple. You install Wordfence and are directed to our site. You can choose a paid or free option. If you choose the paid option, you’ll go through our checkout process as usual. If you choose free, we’ll email you your key. The email includes a button that you can click to automatically take you back to your site where your key will be automatically installed. The email also includes your Wordfence key in case you need to manually install it.

A side benefit of this new process is that our free customers will now have a record of their API key in their email inbox for future reference.

If you have any questions related to this change, our customer service team is standing by to assist you on our forums for free customers, and via our ticket system for paid customers. We welcome your input.

We’re including the full changelog for Wordfence 7.8.0 below. You’ll notice that we’ve mentioned that additional WooCommerce support is on its way, so keep an eye out for that.

Thanks for choosing Wordfence!

Mark Maunder – Wordfence Founder & CEO.

Wordfence 7.8.0 Changelog

Change: Updated Wordfence registration workflow

For new installations of Wordfence, registering for a new license key now occurs on wordfence.com instead of within the plugin interface. Allows us to provide a more complete signup experience for our free and paid customers. Also allows us to do better capacity planning.

Improvement: Added feedback when login form is submitted with 2FA

When logging in with two-factor authentication, the “Log In” button is now disabled during processing, so that it is clear the button was clicked. Sometimes on slower sites, it was hard to tell whether the login was going through, leading users to click more than once.

Fix: Restored click support on login button when using 2FA with WooCommerce

Clicking the “Log In” button after entering a 2FA code on a WooCommerce site was no longer working, while pressing “Enter” still worked. Both methods now work as expected. Additional support for WooCommerce is coming in the near future.

Fix: Corrected display issue with reCAPTCHA score history graph

The reCAPTCHA score history graph was sometimes displayed larger than intended when switching tabs. It now has a set size, so that it does not become unusually large.

Fix: Prevented errors on PHP caused by corrupted login timestamps

One Wordfence user reported an error on PHP 8, and upon investigation, we found that a timestamp for some user records contained invalid data instead of the expected timestamp. We don’t expect this to occur on other sites, but in case another plugin had modified the value, we now check the value before formatting it as a timestamp.

Fix: Prevented deprecation notices on PHP 8.2 related to dynamic properties

Future versions of PHP will no longer allow use of variables on an object unless they are previously declared. This is still allowed even in PHP 8.2, but PHP 8.2 can log a warning about the upcoming change, so Wordfence has been updated to declare a few variables where necessary, before using them.

Did you enjoy this post? Share it!

Source :
https://www.wordfence.com/blog/2022/11/wordfence-7-8-0-announcement/

How to Install and Configure Free Hyper-V Server 2019/2016?

Microsoft Hyper-V Server is a free version of Windows hypervisor that can be used to run virtual machines. In this guide, we’ll look at how to install and configure Microsoft Hyper-V Server 2019  (this guide also applies to Hyper-V Server 2016).

Contents:

Microsoft announced that they won’t not be releasing a Hyper-V Server 2022 version. This is because they are currently focusing on another strategic product, Azure Stack HCI.

Hyper-V Server 2019 is suitable for those who don’t want to pay for a hardware virtualization operating system. The Hyper-V has no restrictions and is completely free. Key benefits of Microsoft Hyper-V Server:

  • Support of all popular OSs. There are no compatibility problems. All Windows and modern Linux and FreeBSD operating systems support Hyper-V;
  • A lot of different ways to backup virtual machines: simple scripts, open-source software, free and commercial versions of popular backup programs;
  • Although Hyper-V Server doesn’t have a Windows Server GUI (graphical management interface), you can manage it remotely using a standard Hyper-V Manager console or Windows Admin Center web interface;
  • Hyper-V Server is based on a popular Windows Server platform, familiar and easy to work with;
  • You can install Hyper-V on a pseudoRAID, for example, Inter RAID controller, or Windows software RAID;
  • You do not need to license your hypervisor, it is suitable for VDI or Linux VMs;
  • Low hardware requirements. Your processor must support software virtualization (Intel-VT or VMX by Intel, AMD-V/ SVM by AMD) and second-level address translation (SLAT) (Intel EPT or AMD RV). These processor options must be enabled in BIOS/UEFI/nested host. You can find full system requirements on the Microsoft website;
  • It is recommended to install Hyper-V on hosts with at least 4 GB RAM.

Do not confuse a Windows Server 2022/2019/2016 (Full GUI or Server Core edition) with the Hyper-V role installed with Free Microsoft Hyper-V Server 2019/2016. These are different products.

It is worth to note that if you are using a free hypervisor, you are still responsible for licensing your virtual machines. You can run any number of VMs running any open-source OS, like Linux, but you have to license your Windows virtual machines. If you are using Windows Server as a guest OS, you must license it by the number of physical cores on your Hyper-V host. See more details on Windows Server licensing in a virtual environment here 

What’s New in Microsoft Hyper-V Server 2019?

Let’s consider the new Hyper-V Server 2019 features in brief:

  • Added support for Shielded Virtual Machines for Linux;
  • VM configuration version 9.0 (with hibernation support);
  • ReFS deduplication support;
  • Core App Compatibility: the ability to run additional graphic management panels in the Hyper-V server console;
  • Support for 2-node Hyper-V cluster and cross-domain cluster migration

How to Install Hyper-V Server 2019/2016?

You can download Hyper-V Server 2019 ISO install image here: https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2019.

download microsoft hyper-v server 2019 iso image

After clicking on the “Continue” button, a short registration form will appear. Fill in your data and select the language of the OS to be installed. Wait till the Hyper-V image download is over. The .iso file size is about 3 GB.

hyper-v server download

Installing Microsoft Hyper-V Server is identical to installing Windows 10/11 on a desktop computer. Just boot your server (computer) from the bootable USB flash drive with the Microsoft Hyper-V Server installation image (the easiest way to burn the ISO image to a USB drive is to use the Rufus tool). Then follow the instructions of the Windows setup wizard.

install hyper-v server 2019

Manage Hyper-V Server Basic Settings Using Sconfig

After the installation, the system will prompt you to change the administrator password. Change it, and you will get to the hypervisor console.

set hyper-v administrator password

Please note that Hyper-V Server does not have a familiar Windows GUI. You will have to configure most settings through the command line.

sconfig tool - configure hyper-v basic settings

There are two windows on the desktop — the standard command prompt and the sconfig.cmd script window. You can use this script to perform the initial configuration of your Hyper-V server. Enter the number of the menu item you are going to work with in the “Enter number to select an option:” line.

  1. The first menu item allows you to join your server to an AD domain or a workgroup; join hyper-v to domain or workgroup
  2. Set a hostname for your Hyper-V Server;
  3. Create a local administrator user (another account, besides the built-in administrator account). I’d like to note that when you enter the local administrator password, the cursor stays in the same place. However, the password and its confirmation are successfully entered;
  4. Enable remote access to your server. Thus, you will be able to manage it using Server Manager, MMC consoles, and PowerShell, connect via RDP, check its availability using ping or tracert;
  5. Configure Windows Update. Select one of the three modes:
    • Automatic (automatic update download and installation)
    • DownloadOnly (only download without installation)
    • Manual (the administrator decides whether to download or install the updates)
  6. Download and install the latest Windows security updates.
  7. Enable RDP access with/without NLA.
  8. Configure your network adapter settings. By default, your server receives the IP address from the DHCP server. It is better to configure the static IP address here;configuring ip addres on hyper-v server
  9. Set the date and time of your system.
  10. Configure the telemetry. The Hyper-V won’t allow you to disable it completely. Select the mode you want. hyper-v telemetry settings

You can also configure the date, time, and time zone using the following command:

control timedate.cpl

Regional settings:

control intl.cpl

These commands will open standard Windows consoles.

set time and date on hyper-v

Note! If you accidentally close all windows and see the black Hyper-V screen, press Ctrl+Shift+Esc to start the Task Manager (this keyboard shortcut works in an RDP session as well). You can use Task Manager to start the command prompt or the Hyper-V configuration tool (click File -> Run Task -> cmd.exe or sconfig.cmd).

How to Remotely Manage Hyper-V Server 2019?

To conveniently manage Free Hyper-V Server 2019 from the graphic interface, you can use:

  • Windows Admin Center – a web-based console;
  • Hyper-V Manager — can be installed both on Windows Server and Windows 10/11 desktop computers.

To manage the Hyper-V Server 2016/2019, you will need a computer running x64 Windows 10/11 Pro or Enterprise edition.

Remotely Manage a Non-Domain Hyper-V Server with Hyper-V Manager

Let’s look at how to remotely connect to a Hyper-V Server host from another Windows computer using the Hyper-V Manager console. In this article, we assume that you have a Hyper-V Server and a Windows 10 computer in the same workgroup.

First, make settings on the Hyper-V Server. Start the PowerShell console (powershell.exe) and run the following commands:

Enable-PSRemoting
Enable-WSManCredSSP -Role server

Answer YES to all questions. Thus you will configure the automatic startup of the WinRM service and enable remote management rules in your firewall.

hyper-v: enable winrm and credssp server

Now let’s move on to setting up the Windows 10 or 11 client computer that you will use to manage your Hyper-V Server host.

The Hyper-V server must be accessible by its hostname.  In the domain network, it must correspond to the A-record on the DNS server. In a workgroup environment, you will have to create the A record manually on your local DNS or add it to the hosts file (C:\Windows\System32\drivers\etc\hosts) on a client computer. In our case, it looks like this:

192.168.13.55  HV19

You can add an entry to the hosts file using PowerShell:

Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "192.168.13.55 hv19"

Add your Hyper-V server to the trusted host list:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "hv19"

If the account you are using on a client computer differs from the Hyper-V administrator account (and it should be so), you will have to explicitly save your credentials used to connect to the Hyper-V server to the Windows Credential Manager. To do it, run this command:

cmdkey /add:hv19 /user:Administrator /pass:HV1Pa$$w0drd

Check the network profile you are using on the Windows 10 client. If the network type is Public, you need to change the location to Private:

Get-NetConnectionProfile|select InterfaceAlias,NetworkCategory

windows: set network category to private

Set-NetConnectionProfile -InterfaceAlias "EthernetLAN2" -NetworkCategory Private

Run the command:

Enable-WSManCredSSP -Role client -DelegateComputer "hv19"

enable-wsmancredssp client

Now run the gpedit.msc command to open the Local Group Policy Editor.

  1. Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation;
  2. Enable the parameter Allow Delegating Fresh Credentials with NTLM-only Server Authentication;
  3. Click the Show button and add two string values: wsman/hv19 and wsman/hv19.local
  4. Close the GPO editor console and update your local group policy settings using the command gpupdate /force
gpo: allow delegating ntlm credentials for hyper-v server

Now you need to install the Hyper-V Manager console in Windows. Open the Programs and Features snap-in and go to Turn Windows Features on or off. In the next window, find Hyper-V, and check Hyper-V GUI Management Tools to install it.

Also, you can install the Hyper-V Manager snap-in on Windows 10/11 using PowerShell:

Enable-WindowsOptionalFeature -Online –FeatureName Microsoft-Hyper-V-Management-Clients

install hyper-v manager gui on windows 10

Run the Hyper-V Manager snap-in (virtmgmt.msc), right-click Hyper-V Manager and select Connect to Server. Specify the name of your Hyper-V Server.

hyperv manager: connect remote server

Now you can manage Hyper-V Server settings, and create and manage virtual machines from the graphical console.

manage hyper-v server from win10

Managing Hyper-V Server with Windows Admin Center

You can use the Windows Admin Center (WAC) to remotely manage a Hyper-V Server host. WAC is a web-based console and dashboard to manage Windows Server, Server Core, and Hyper-V Server hosts.

Enable the rules to allow SMB connections in Windows Defender Firewall on the Hyper-V Server:

Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled true -PassThru

Now you need to download (https://aka.ms/WACDownload) and install the Windows Admin Center agent on your Hyper-V host. Download WindowsAdminCenter2110.2.msi on any Windows computer. You can copy the installation MSI file to the Hyper-V Server using a remote SMB connection to the administrative share C$. Run the following command on your Windows client device:

Win+R -> \\192.168.13.55\C$ and enter the Hyper-V administrator password. Create a folder and copy the MSI file to the Hyper-V Server host.

copy windowsadmincenter.msi to hyperv server

Now run the WAC installation from the Hyper-V console:

c:\distr\WindowsAdminCenter2110.2.msi

install windows admin center on hyper-v

Install WAC with default settings.

You can secure your remote connection using WinRM over HTTPS.

After the installation is complete, you can connect to your Hyper-V Server from a browser, just go to the URL https:\\192.168.13.55:443

You will see the dashboard of your Hyper-V Server host. Here you can check basic information about the server, resources used, etc.

WAC Hyper-V dashboard

Hyper-V host settings can be configured under WAC -> Settings -> Hyper-V Host Settings. The following sections are available:

  • General
  • Enhanced Session Mode
  • NUMA Spanning
  • Live Migration
  • Storage Migration
Configure Microsoft Hyper-V Server using Windows Admin Center web console

You will primarily use two sections in the WAC console to manage Hyper-V:

WAC: manage Hyper-V VMs from browser

Next, I will look at some ways to manage Hyper-V Server settings using PowerShell

Configuring Hyper-V Server 2019 Host with PowerShell

You can configure Hyper-V Server settings using PowerShell. There are over 238 cmdlets available in the Hyper-V module for managing Hyper-V hosts and VMs.

Get-Command –Module Hyper-V | Measure-Object

Configure the automatic start of the PowerShell console (instead of cmd.exe) after logon.

New-ItemProperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run -Name PowerShell -Value "cmd /c start /max C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noExit" -Type string

set powershell.exe as a default processor on hyper-v server

Now, when you log into the server, a PowerShell prompt will appear.

How to Configure Hyper-V Server 2019 Network Settings with PowerShell?

If you have not set the network settings using sconfig.cmd, you configure them through PowerShell. Using Get-NetIPConfiguration cmdlet, you can view the current IP configuration of network interfaces.

Get-NetIPConfiguration - view ip setting on hyper-v

Use PowerShell to assign a static IP address, netmask, default gateway, and DNS server addresses. You can get the network adapter index (InterfaceIndex) from the output of the previous cmdlet.

New-NetIPAddress -InterfaceIndex 4 -IPAddress 192.168.1.2 -DefaultGateway 192.168.1.1 -PrefixLength 24

set ip addres on hyper-v server using New-NetIPAddress

Set-DnsClientServerAddress -InterfaceIndex 4 -ServerAddresses 192.168.1.3,192.168.1.4

Set-DnsClientServerAddress

To configure IPv6, get the interface name using the Get-NetAdapter cmdlet from the PowerShell NetTCPIP module.

Get-NetAdapter

Check the current IPv6 setting using the following command:

Get-NetAdapterBinding -InterfaceDescription "Intel(R) PRO/1000 MT Network Connection" | Where-Object -Property DisplayName -Match IPv6 | Format-Table –AutoSize

hyper-v set ipv6 settings powershell

You can disable IPv6 as follows:

Disable-NetAdapterBinding -InterfaceDescription "Intel(R) PRO/1000 MT Network Connection " -ComponentID ms_tcpip6

Enable Hyper-V Remote Management Firewall Rules

You can view the list of cmdlets to manage Windows Firewall using Get-Command:

Get-Command -Noun *Firewall* -Module NetSecurity

powershell NetSecurity module to manage firewall on hyper-v host

To allow full remote management of your server, run the following commands one by one to enable Windows Firewall rules using PowerShell:

Enable-NetFireWallRule -DisplayName "Windows Management Instrumentation (DCOM-In)"
Enable-NetFireWallRule -DisplayGroup "Remote Event Log Management"
Enable-NetFireWallRule -DisplayGroup "Remote Service Management"
Enable-NetFireWallRule -DisplayGroup "Remote Volume Management"
Enable-NetFireWallRule -DisplayGroup "Windows Defender Firewall Remote Management"
Enable-NetFireWallRule -DisplayGroup "Remote Scheduled Tasks Management"

Configuring Hyper-V Storage for Virtual Machines

We will use a separate partition on a physical disk to store Hyper-V files (virtual machine files and iso files). View the list of physical disks on your server.

Get-Disk

Get-Disk - get physical disk info

Create a new partition of the largest possible size on the drive and assign the drive letter D: to it. Use the DiskNumber from Get-Disk results.

New-Partition -DiskNumber 0 -DriveLetter D –UseMaximumSize

Then format the partition to NTFS and specify its label:

Format-Volume -DriveLetter D -FileSystem NTFS -NewFileSystemLabel "VMStorage"

Learn more on how to manage disks and partitions using PowerShell.

Create a directory where you will store virtual machine settings and vhdx files using the New-Item cmdlet:

New-Item -Path "D:\HyperV\VHD" -Type Directory

Create D:\ISO folder to store OS installation ISO images (distros):

New-Item -Path D:\ISO -ItemType Directory

In order to create a shared network folder, use the New-SmbShare cmdlet. Grant full access permissions to the local server administrators group:

New-SmbShare -Path D:\ISO -Name ISO -Description "OS Distributives" -FullAccess "BUILTIN\Administrators"

For more information on the basic configuration of Hyper-V Server and Windows Server Core from the command line, see this article.

Configure Hyper-V Server Host Settings with PowerShell

List current Hyper-V Server host settings using this command:

Get-VMHost | Format-List

Set-VMHost - change hyper-v server settings via powershell

By default, Hyper-V stores virtual machine configuration files and virtual disks on the same partition where your operating system is installed. It is recommended to store VM files on a separate drive (partition). You can change the default VM folder path with this command:

Set-VMHost -VirtualMachinePath D:\Hyper-V -VirtualHardDiskPath 'D:\HyperV\VHD'

Creating a Virtual Switch for Hyper-V VMs

Create an external switch connected to the physical NIC of the Hyper-V server. Your virtual machines will access the physical network through this network adapter.

Check the SR-IOV (Single-Root Input/Output (I/O) Virtualization) support:

Get-NetAdapterSriov

Get the list of connected network adapters:

Get-NetAdapter | where {$_.status -eq "up"}

Bind your virtual switch to the network adapter and enable SR-IOV support if it is available.

Hint. You won’t be able to enable or disable SR-IOV support after creating the vswitch. You will have to recreate the switch to change this parameter.

New-VMSwitch -Name "Extenal_network" -NetAdapterName "Ethernet 2" -EnableIov 1

Use these cmdlets to check your virtual switch settings:

Get-VMSwitch
Get-NetIPConfiguration –Detailed

This completes the initial setup of Microsoft Hyper-V Server 2016/2019. You can move on to creating and configuring your virtual machines.

We described PowerShell commands for managing Hyper-V and virtual machines in more detail in this article.

Source :
http://woshub.com/install-configure-free-hyper-v-server/

How to Deploy Dell SupportAssist using SCCM | ConfigMgr

In this guide, I will show you how to deploy Dell SupportAssist using SCCM (ConfigMgr). We’ll get the latest version of the Dell SupportAssist tool, create an application in SCCM, and then deploy it to our computers.

According to Dell, the SupportAssist is an automated proactive and predictive support solution for computers and tablets. SupportAssist also evaluates the health of your servers, storage, and networking devices to eliminate downtime before it even starts.

When you purchase brand-new laptops and desktop computers from Dell, SupportAssist is already preinstalled. SupportAssist is installed on most Dell PCs with Windows 10 and Windows 11. You can find it by searching for “SupportAssist” in your Windows start menu. Home users can use the Dell SupportAssist tool to update drivers, including the system BIOS, and resolve problems.

Configuration Manager is the best choice for Dell SupportAssist deployment on multiple computers. You can deploy the Dell Support Assist to client computers and allows users to install it via Software Center. An added advantage of Dell SupportAssist deployment using SCCM is Dell provides .msi installer for application deployment for enterprises.

If you are using Configuration Manager to manage Dell laptops, you can use the application model to deploy Dell SupportAssist software to client computers using SCCM. The application can also be added to a task sequence, which lets you use the bare-metal deployment scenarios to install Dell SupportAssist on new laptops.

Recommended ArticleDeploy Windows 11 22H2 using SCCM | Configuration Manager

What is Dell SupportAssist Tool?

Let’s understand what exactly is the Dell SupportAssist tool and identify its features. The SupportAssist by Dell is the smart technology, available on your PC that will keep it running like new by removing viruses, detecting issues, optimizing settings and telling you when you need to make updates.

With SupportAssist tool, you can perform the following

  • Update your drivers and applications for peak PC performance
  • Remove virus and malware infested files before then can harm your system.
  • Scan your PCs hardware to find issues and deliver proactive and predictive support.
  • Clean files, tune performance, and adjust network settings to optimize speed, storage space and stability.

The Dell SupportAssist also has an OS Recovery environment that enables you to diagnose hardware issues, repair your computer, back up your files, or restore your computer to its factory state. The Dell Support Assist OS Recovery is only available on certain Dell laptops with a Microsoft Windows 10/11 operating system that was installed by Dell.

Download Dell SupportAssist MSI Installer

Dell provides the .msi installer for SupportAssist and the same installer can be used for deployment with SCCM. You can download the Dell SupportAssist .msi installer from the following direct download link. Note that this is an offline installer and will include all the installation files without having the system connect to internet to download further files.

Along with Dell SupportAssist msi installer, I recommend you to download a logo for the application. We will assign this logo to the Dell SupportAssist application in SCCM. Copy both the installer and logo to a separate folder on SCCM server or shared folder. We will reference the same folder when we create the Dell SupportAssist application in ConfigMgr.

Recommended ArticleHow to Import Dell CAB Drivers into SCCM

Dell SupportAssist .MSI Install and Uninstall Commands

If you want to manually install the Dell SupportAssist using command line, you can download the .msi installer and install it with following commands.

The Dell SupportAssist silent install command is as follows:

msiexec /i "SupportAssistx64-3.10.4.18.msi" /q

To uninstall the Dell SupportAssist silently using command line, run the below command.

msiexec /x {E0659C89-D276-4B77-A5EC-A8F2F042E78F} /q

Each MSI installer has a unique product code and this can be seen under the installer properties. Configuration Manager uses the product to detect if the Dell SupportAssist application already exists on system. If you are curious to know the detection method for Dell SupportAssist application, SCCM basically uses the MSI product code: {E0659C89-D276-4B77-A5EC-A8F2F042E78F} of the installer.

After you have created the Dell Support Assist application in SCCM, go to the Application deployment properties and switch to Detection Method tab. Here you can see the detection method used for Dell SupportAssist application. We see the MSI product code being used for the application detection.

Dell SupportAssist Detection Method
Dell SupportAssist Detection Method

Create Dell SupportAssist Application in SCCM

Let’s create a new application for the Dell SupportAssist in SCCM.

  • Launch the Configuration Manager console.
  • Go to Software Library > Overview > Application Management.
  • Right-click Applications and select Create Application.
Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

On the General window, select Automatically detect information about this application from installation files. The application type should be Windows Installer (*.msi file) and specify the location of the Dell SupportAssist msi file. Click Next.

Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

With MSI installers, the Configuration Manager can import information such as product code, install commands, uninstall commands, detection methods etc. In the below screenshot, we see the product information has been populated from Dell SupportAssist MSI installer and imported into SCCM.

Application name: Dell SupportAssist
Publisher: 
Software version: 

Deployment type name: Dell SupportAssist - Windows Installer (*.msi file)
Product Code: {E0659C89-D276-4B77-A5EC-A8F2F042E78F}
Installation behavior: Install for system

Content location: \\corpcm\Sources\Applications\SupportAssist\
Number of files: 2
Content files: 
dellSA_logo.jpg
SupportAssistx64-3.10.4.18.msi
Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

In the General Information tab, enter the basic information about the Dell Support Assist application. For example, you can specify the application name, publisher details, software version etc. The details that you specify here will be displayed to users when the Dell SupportAssist application is selected in Software Center.

The Configuration Manager also populates the silent installation command for Dell SupportAssist from the .msi installer. You may modify the existing command and add additional parameters supported for .msi installation.

Silent Command Line for Dell SupportAssist installation = msiexec /i "SupportAssistx64-3.10.4.18.msi" /q
Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

Review the Support Assist application settings on Summary window and click Next. On the Completion tab, click Close button to exit the create application wizard.

Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

This completes the steps to create application for Dell SupportAssist in SCCM. After this step, the application will appear in the Application node of Configuration Manager console.

Specify an Icon for Dell SupportAssist Application

Configuration Manager lets you specify a logo for Application via the Application Properties and this logo appears along with the application in Software Center. If you are looking to customize software center, use the following guide to customize software center appearance and branding. Assigning an application logo is not mandatory, but it helps users identify the application quickly in Software Center.

The newly created Dell SupportAssist application is located in Software Library\Overview\Application Management\Applications of Configuration Manager console. Right-click on Dell SupportAssist application and select Properties.

Specify an Icon for Dell SupportAssist Application
Specify an Icon for Dell SupportAssist Application

In the Application properties window, choose the Software Center tab. Click on Browse and select an icon for Dell SupportAssist and click Apply and OK.

Specify an Icon for Dell SupportAssist Application
Specify an Icon for Dell SupportAssist Application

Deploy Dell SupportAssist using SCCM | ConfigMgr

In this section, we will look at the steps to deploy the Dell SupportAssist using SCCM (ConfigMgr). The deploy software wizard contains steps where you can distribute the content to DP’s along with the application deployment.

When you perform Dell SupportAssist deployment using SCCM, you deploy it either to a device collection or user collection. Typically, applications are deployed to device collections, and we will use the same approach here. You can create device collections for Windows 10 and Windows 11 computers using the following guides.

Once the device collections are ready, you can deploy the application using the deploy software wizard. To deploy the Dell SupportAssist application, launch the Configuration Manager console. Navigate to Software Library\Overview\Application Management\Applications. Right-click Dell SupportAssist application and select Deploy.

Deploy Dell SupportAssist using SCCM
Deploy Dell SupportAssist using SCCM

On the General page of Deploy Software Wizard, click Browse and select a device collection to which you want to deploy the Support Assist application. Click Next.

Deploy Dell SupportAssist using SCCM
Deploy Dell SupportAssist using SCCM

On the Content page, click Add button and specify the distribution points to which you would like to distribute the Dell Support Assist application content. You may also select distribution point groups when you have numerous distribution points. Click Next to continue.

Deploy Dell SupportAssist using SCCM
Deploy Dell SupportAssist using SCCM

On the Deployment Settings window, specify the settings to control the deployment. Select the Action as Install and Purpose as Available. Learn the difference between Available and Required deployment in SCCM. Click Next.

Dell SupportAssist Deployment using SCCM
Dell SupportAssist Deployment using SCCM

On the Scheduling tab, you can specify the schedule for the deployment. If you want to deploy the application as soon as possible, then don’t configure anything under Scheduling. Click Next.

Dell SupportAssist Deployment using SCCM
Dell SupportAssist Deployment using SCCM

Specify the user experience settings for the application deployment. For user notifications, select the option “Display in Software Center and show all notifications“. Click Next to continue.

Deploy Dell SupportAssist using SCCM User Experience Settings
Deploy Dell SupportAssist using SCCM User Experience Settings

In the Alerts tab, click Next. Review all the Dell SupportAssist deployment settings on Summary tab and click Next. On the Completion window, click Close.

The Dell SupportAssist application is now distributed to the select distribution points and the client machines should now have the application listed in the Software Center. This completes the steps for Dell SupportAssist deployment with Configuration Manager.

Deploy Dell SupportAssist using SCCM Completion
Deploy Dell SupportAssist using SCCM Completion

Test Dell SupportAssist Deployment on Client Computers

After you have created the Dell SupportAssist application and deployed it to device collection, it’s time to test the deployment on devices. Log in to a client computer, and launch the Software center. Click on the Applications tab and select Dell SupportAssist application. To install the application, click the Install button.

Test Dell SupportAssist Deployment on Client Computers
Test Dell SupportAssist Deployment on Client Computers

The Dell Support Assist application is now downloaded from the local distribution point server for installation. The installation commands specified during the application creation are executed. You can monitor the application installation process by reviewing the AppEnforce.log located on the client computer.

To locate the AppEnforce.log file and other important files, refer to the SCCM Log files which contains all the log files for troubleshooting issues.

Matched exit code 0 to a Success entry in the exit codes table” confirms that the Dell Support Assist application has been installed successfully on the computer. The uninstall command that we specified during application packaging should also work fine.

+++ Starting Install enforcement for App DT "Dell SupportAssist - Windows Installer (*.msi file)" ApplicationDeliveryType - ScopeId_67D9092A-81B2-464F-8F38-4D634303C416/DeploymentType_ccf9c1b2-8d31-4cab-87e9-56c700d64d52, Revision - 1, ContentPath - C:\Windows\ccmcache\2, Execution Context - System
    Performing detection of app deployment type Dell SupportAssist - Windows Installer (*.msi file)(ScopeId_67D9092A-81B2-464F-8F38-4D634303C416/DeploymentType_ccf9c1b2-8d31-4cab-87e9-56c700d64d52, revision 1) for system.
    Prepared working directory: C:\Windows\ccmcache\2
Found executable file msiexec with complete path C:\Windows\system32\msiexec.exe
    Prepared command line: "C:\Windows\system32\msiexec.exe" /i "SupportAssistx64-3.10.4.18.msi" /q /qn
Valid MSI Package path = C:\Windows\ccmcache\2\SupportAssistx64-3.10.4.18.msi
    Advertising MSI package [C:\Windows\ccmcache\2\SupportAssistx64-3.10.4.18.msi] to the system.
    Executing Command line: "C:\Windows\system32\msiexec.exe" /i "SupportAssistx64-3.10.4.18.msi" /q /qn with user context
    Working directory C:\Windows\ccmcache\2
    Post install behavior is BasedOnExitCode	AppEnforce
    Waiting for process 3896 to finish.  Timeout = 120 minutes
    Process 3896 terminated with exitcode: 0
    Looking for exit code 0 in exit codes table.
    Matched exit code 0 to a Success entry in exit codes table
Test Dell SupportAssist Deployment on Client Computers
Test Dell SupportAssist Deployment on Client Computers

Source :
https://www.prajwaldesai.com/deploy-dell-supportassist-using-sccm/

How to setup SMTP Relay in Office 365

If you plan to keep your existing on-prem exchange server then it can be used / utilized as a SMTP Relay server. Else, if you plan to decommission the exchange server for good, you can utilize Office365 as a SMTP Relay server to relay the emails.

There are three ways to setup SMTP Relay in Office 365:

  • SMTP Auth client Submission
  • Direct Send
  • Office 365 SMTP Relay

I recommend using either Office 365 SMTP Relay method or Direct Send method to configure SMTP Relay in Office 365. Please refer to the section Direct Send vs Office 365 SMTP Relay which will help you decide which one to use for your organization.

Below are some suggestions which can help you choose between Office 365 SMTP Relay and Direct Send method.

📌 Direct Send Method does not work if you want to send the email to External recipients for example any Gmail, Yahoo, Hotmail email address. Direct End method can send an email to External recipients if the External Organization is also using Office 365 to host the mailboxes.

📌If your requirement is to send emails to Internal and any External domain recipients then choose Office 365 SMTP Relay Method.

1. SMTP Auth client Submission Method

Below are the Pre-requisites for using SMTP Auth client submission method to configure SMTP relay in Office365:

  • Licensed Office365 User Mailbox is required.
  • SMTP AUTH must be enabled for Mailbox which will be used to send the emails.
  • Device must support TLS 1.2 or above (Please check the vendor documentation to confirm this).

If your authentication policy disables basic authentication for SMTP, clients cannot use the SMTP AUTH protocol. Microsoft will disable Basic authentication for all new and existing tenants starting from 1st Oct 2022. Therefore, this is my least recommended option for configuration of SMTP relay in Office 365.

Direct Send vs Office 365 SMTP Relay

Direct Send method and Office 365 SMTP Relay method both use MX Endpoint of your domain to configure SMTP Relay. Both can be used when your environment has SMTP AUTH disabled.

Use Direct Send when you need to send messages to recipients in your own organization who have mailboxes in Office 365. Direct send will not work if you want to send email to External email address (Gmail, yahoo, hotmail etc.). However, If the external recipient mailboxes are also hosted on Office 365, it will work fine.

Direct Send does not require your device or application to have a static IP address to configure it. However, Static IP address is recommended so that an SPF record can be created for your domain. The SPF record helps avoid your messages being flagged as spam.

Direct Send and Office 365 Relay both does not require your device to Support TLS.

Direct Send method Office 365 SMTP Relay
Source:Microsoft. How Direct Send Works ?
FeatuesDirect SendOffice 365 SMTP Relay
Send to Internal UsersYesYes
Send to External UsersNo (Yes, for external recipients having Office365 Mailboxes)Yes
Network Port RequirementPort 25Port 25
TLS RequirementOptionalOptional
Requires AuthenticationNoneDevice / Printer / Application must have Static IP address assigned.

2. Configure SMTP Relay in Office 365 using Direct Send method

In the previous section of this blog post, I have explianed the difference between Direct Send and Office 365 SMTP Relay method. If Direct Send meets your requirements and you do not have any requirements for sending an email to External recipients like Gmail, yahoo, hotmail etc. You can follow below steps to configure it.

1. Find MX Endpoint of your Domain

To find the MX Endpoint of your domain, You need to follow below steps:

  1. Login on Microsoft 365 admin center.
  2. Go to Settings and click on Domains.
  3. Click on your organization domain name. For example: techpress.net.
  4. Click on DNS records Tab.
  5. You can find MX Endpoint on DNS records tab. Click on it to Open.

You will find the MX Endpoint under Points to address or value column. Click on it to copy it on a notepad.

The format of the MX Endpoint is yourdomain-com.mail.protection.outlook.com

Locate MX Endpoint of your domain from Microsoft 365 admin center
Locate MX Endpoint of your domain from Microsoft 365 admin center

2. Find the Static IP Address of the Device or Application [Optional]

As Microsoft Recommends to use Static IP Address for Direct Send Method but its not mandatory. If your Device or Application is not using a static IP address, make sure you assign a static IP address and then note down the IP Address of the device on a notepad. We will add static IP address of the device in your domain’s SPF record.

3. Update SPF Record [Optional]

This is also an optional step but highly recommended by Microsoft. Updating SPF record with Static IP Address of your Device or Application will help to avoid your emails being marked as SPAM. SPF records identifies which servers are allowed to send emails on behalf of the your domain.

Example:

  • Device / Printer IP Address: 10.20.1.56
  • Currently configured SPF recordv=spf1 include:spf.protection.outlook.com -all

Add your Device / Application IP Address in the SPF record as below:

v=spf1 ip4:10.20.1.56 include:spf.protection.outlook.com -all

4. Configure your Device / Application for Direct Send SMTP Relay

Last and final step is to configure your Device / Application and add SMTP relay details so that Device / Application can send emails using the Direct Send SMTP Relay. In our Example, we will be using a Printer to configure Direct Send. Let’s see which SMTP settings needs to be configured on the Printer.

If you want to configure SMTP Relay for a device other than your printer, You can still use below SMTP details to configure it.

SMTP ServerPortTLSUserNamePassword
MX Endpoint

For Example:
<yourdomain>-<domain extension.mail.protection.outlook.com
25Not Required (Recommendation is to enable if this option is available)Any Email Address of your domain. This user does not require a mailbox.
For example: myscanner@techpress.net
Not required (you can turn off SMTP Authentication)

Example:

I have captured a screenshot of one of my Printers to show you how to configure Direct Send. You can use the same settings to configure Direct Send on any other device as well. This screenshot is just for your reference:

Office 365 SMTP Relay Direct Send method Configuration on Konika Minolta printer
Office 365 SMTP Relay Direct Send method Configuration on Konika Minolta printer

5. Create Bypass Spam Filtering Rule [Optional]

This step is optional and you do not need to create a bypass SPAM Filtering rule in Exchange Online. You have updated SPF record with your device IP address which should avoid the emails sent from your device to be marked as SPAM.

If your emails are still going into the SPAM folder. You can create a SPAM Bypass rule in office365 for the email ID which you have used to send the email from on the device. 

  • Login to Exchange online management portal
  • Click on Mail flow -> Rule -> Create a Rule.
Create SPAM Bypass rule for the Device IP on Exchange Admin Center
Create SPAM Bypass rule for the Device IP on Exchange Admin Center

3. Configure using Office 365 SMTP Relay Method

Office 365 SMTP Relay Method - How it Works?
Source: Microsoft. Office 365 SMTP Relay Method – How it Works?

Direct Send method has limitations of sending the emails to external recipients. However, Office 365 SMTP Relay does not have that kind of limitation in place. You can use Office 365 SMTP Relay Method to send the email to any External recipient. Let’s check the steps to configure Office 365 Relay on your Device.

1. Find Public IP Address of the Device or Application

First thing you need to do is to find the public IP address of the Device or Application. If your device is not assigned with a Public IP and is using Dynamic IP address, Please update it to use Static IP Address. Copy the IP address in a notepad. We will need this IP Address while configuring a Connector in Exchange Online.

2. Create a Connector on Exchange Admin Center

Next step is to create a connector on Exchange Admin Center. Please follow below steps to create a connector:

  1. Login on Microsoft Exchange Admin Center
  2. Click on Mail Flow and then Connectors
  3. Click on + Add a connector
  4. On Add a Connector Page. Select Connection from Your organization’s email server and Connection to Office 365 and click on Next to proceed.
Create a new connector on Exchange Admin Center for configuration of SMTP Relay
Create a new connector on Exchange Admin Center for configuration of SMTP Relay
  1. Provide a Connector Name and Description. Click on Next to Proceed.
Provide a Name and Description of the Connector
Provide a Name and Description of the Connector
  1. On Authenticating sent email page. Select the option “By verifying that the IP address of the sending server matches one of the following addresses, which belongs exclusively to your organization“.

Add your Device / Application IP Addresses into the list. Add all Device’s IP addresses which you want to configure for Office 365 SMTP Relay. For example, In my organization I have 3 Printers which I want to configure for SMTP Relay. Therefore I have added the IP addresses of those 3 printers here.

Add Printer IP Addresses in Authenticating sent email
Add Printer IP Addresses in Authenticating sent email
  1. On Review connector page, you can review the connector configuration and click on Create connector to create this Connector.
Review Connector page on Exchange Admin Center
Review Connector page on Exchange Admin Center

3. Update SPF Record

Now you need to update the SPF record and add all the Device IP’s in the SPF record which you added in the connector created on Exchange Admin Center.

Example:

  • Device / Printer IP Addresses: 10.1.20.122, 10.2.1.11 and 10.2.5.89.
  • Currently configured SPF recordv=spf1 include:spf.protection.outlook.com -all

Add your Device / Application IP Addresses in the SPF record as below:

v=spf1 ip4:10.1.20.122 ip4:10.2.1.11 ipv4:10.2.5.89 include:spf.protection.outlook.com -all

4. Find MX Endpoint of your Domain

To find the MX Endpoint of your domain, You need to follow below steps:

  1. Login on Microsoft 365 admin center.
  2. Go to Settings and click on Domains.
  3. Click on your organization domain name. For example: techpress.net.
  4. Click on DNS records Tab.
  5. You can find MX Endpoint on DNS records pag. Click on it to Open.

You will find the MX Record under Points to address or value column. Click on it to copy it on a notepad.

The format of the MX Endpoint is yourdomain-com.mail.protection.outlook.com

Locate MX Endpoint of your domain from Microsoft 365 admin center
Locate MX Endpoint of your domain from Microsoft 365 admin center

5. Configure your Device / Application for Office 365 SMTP Relay

Last and final step is to configure your Device / Application and add SMTP relay details so that Device / Application can send emails using the Office 365 SMTP Relay.

SMTP ServerPortTLSUserNamePassword
MX Endpoint

For Example:
<yourdomain>-<domain extension.mail.protection.outlook.com
25Not Required (Recommendation is to enable if this option is available)Any Email Address of your domain. This user does not require a mailbox.
For example: myscanner@techpress.net
Not required (you can turn off SMTP Authentication)

6. Create SPAM Bypass rule [Optional]

Please refer to the section of Configuration of SMTP Relay using Direct Send method where the steps to create SPAM bypass rule is given. This is an optional troubleshooting step and can be used in case the emails are being marked as SPAM.

Troubleshooting Office 365 SMTP Relay

Now we have setup Office 365 SMTP Relay. In case of any issues in email delivery, you can use below steps to troubleshoot.

Check SMTP AUTH at organization level

You can use below command to check SMTP AUTH at organization level. As we are not using SMTP client submission method, SMTP AUTH should be disabled.

Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

Copy

Check SMTP AUTH at Mailbox level

Get-CASMailbox "Sonia Neil " | fl SmtpClientAuthenticationDisabled

Copy

If you see the output of the command as SmtpClientAuthenticationDisabled: That means this setting is controlled by the corresponding SmtpClientAuthenticationDisabled parameter on the Set-TransportConfig cmdlet for the whole organization.

Test Port 25 using Telnet

If you are facing any issues in email delivery then you can verify if Port 25 is opened or blocked on the Firewall. If Port 25 is blocked then you may need to ask the Network admin to open it for the device IP which is sending emails. You can follow below steps to test Port 25 via Telnet.

  1. Launch Command Prompt on a PC (IP of the PC should be in the same subnet as Device / Printer / Application)
  2. Type Command telnet <MX EndPoint> 25 and press Enter.

(If telnet command is not recognized on the Windows 10 or Windows 11 PC. The Please first Install Telnet Client by going to Start menu -> Type “Turn Windows featured on or off” and find Telnet Client, Select it and click OK).

Install Telnet Client on Windows
Install Telnet Client on Windows
  1. Once Telnet is installed on your Windows device. You can open a command prompt and type below command to test if Port 25 is opened or not.

Telnet <your MX endpoint> 25

Test Port 25 using Telnet
Test Port 25 using Telnet

Once you enter on the above command, you should get a response from the server. Which means that Port 25 is opened.

Test Port 25 using Telnet
Test Port 25 using Telnet

Send a Test email using Telnet

If you want to check the email delivery then you can use the Telnet command and send a test email. This test can confirm if there are any issues in email delivery. You can follow below steps to test a test email using telnet.

  1. Login on a computer in the same subnet as the Device / Printer / Application.
  2. Open Command prompt as administrator.
  3. Type command Telnet <your MX endpoint> 25.
Send a Test email using Telnet
Send a Test email using Telnet
  1. You will get a response back after press enter on the Telnet command. On Telnet Console Type below commands:

ehlo

mail from – Type from email address

rcpt to – Type recipient email address to send a test email.

If the recipient receives this test email then there is no issue witth email delivery.

ehlo
MAIL FROM:<myscanner@techpress.net>
250 2.1.0 Sender OK
RCPT TO:<internal email ID>
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
SUBJECT:Hello World

This is a test message

Thanks,
John A.

. <Dot to end the email>

Copy

Check if ISP Public IP Address is banned

When you are sending an email using Telnet and if you get a message saying that your sending IP is banned. Then you need to unblock / remove your IP from banned list so that Devices on your network can send email.

Check if ISP Public IP Address is banned using Telnet
Check if ISP Public IP Address is banned using Telnet

To remove your ISP Public IP Address from banned list, you need to login on https://senders.office.com and type your email ID and ISP Public IP Address of your organization. Follow the instuctions on the site to get your IP De-listed. This may take from 30 minutes to couple of hours to unblock your IP.

After you get your IP De-listed from https://senders.office.com. Try to send an email using Telnet again. This time if your IP is successfully de-listed, the recipient should receive the email.

Check if ISP Public IP Address is banned using Telnet
Check if ISP Public IP Address is banned using Telnet

Test email has been received successfully.

Test email received using Telnet
Test email received using Telnet

Delisting / Unblock of ISP Public IP on Spamhaus.org

When you are sending an email using Telnet and if you get a message saying that service unavailable, Client host <your ISP Public IP address> blocked using Spamhaus. You need to visit the URL https://www.spamhaus.org/query/ip/<ISP Public IP Address> to get your IP De-listed.

Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org

How to unblock your ISP Public IP on spamhaus.org

Please follow below steps to unblock your ISP Public IP from spamhaus.org.

  1. Once you land on https://www.spamhaus.org/query/ip/<ISP Public IP Address> site. Click on Show details and then click on “I am running my own mail server“.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Select I am running my own mail server and clicon on Next steps.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Complete the form for unblocking your ISP Public IP. Provide a NameEmail Address and Provide details regarding the issue. Once you complete this form. click on Submit button.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Form has been submitted. You can now wait for email verification link from Spamhaus.org.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Below is the email I received to verify my email address. Click on the link in the email for Email Verification.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Delisting has been successful. You can now try to use Telnet to send a test email to confirm email delivery issue has been rectifed. You can also check the Device / Printer / application to confirm if its able to send the email now.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org

Conclusion

In this blog post, we have seem how to setup SMTP Relay in Office 365. There are three ways to configure it. But the most recommended option is Office 365 SMTP Relay Method. Second best method is Direct Send method which can be used if you do not have the requirements to send the emails to External recipients like gmail, yahoo etc.

Third method which is least recommended is SMTP Auth Submisson method. As It requires a licensed mailbox and SMTP AUTH to be enabled for that mailbox. There is a cost associated with licensed mailbox and Microsoft does not recommend SMTP AUTH to be enabled.

We have also see the troubleshooting steps in case of email delivery issues. These troubleshooting steps helped me fixed issues while working on Office 365 relay for Multiple clients.

Source :
https://techpress.net/office-365-smtp-relay-setup-and-configuration/

Confirmed: Metro Group victim of cyber attack

[German]Since Monday, October 17, 2022, many Metro stores worldwide have been struggling with severe IT problems. I had already suspected a cyber attack on the Metro Group in a post and I had reports from Austria, from France as well as comments from German Metro customers as well as employees. However, a cyber attack remained unconfirmed so far. Now Metro AG has confirmed such an attack to heise – and on its website.


Advertising


Metro Group with IT problems

I had already reported about the IT problems at Metro Group in the blog post Cyber attack on Metro AG or just a IT break down? Austria, France, German (and more countries?) affected. Since Monday, October 17, 2022, Metro wholesales stores have been struggling with massive IT problems. No invoices or daily passes could be issued and online orders had also disappeared, Metro customers reported. A blog reader had provided me with the following photo of a Metro notice board.

IT-Störung bei Metro
Notification about IT disruption at a Metro wholesale store

The suspicion of a cyber attack has not been confirmed by company spokespersons till today (October 21, 2022). But I have had reports from German blog readers, reporting IT issues since days and some people told me, it’s a cyber attack as a root cause.

Not only Austria and France are affected, but Metro AG worldwide. In Germany, too, the same problem has existed since last Monday. No more stock or prices can be updated or checked in the store. The checkout system is still working but also sluggishly, resulting in long lines. If you want to reserve something digitally, that doesn’t work either.

One reader noted that from what he observed, the IT problems have been going on since Friday afternoon (October 14, 2022). A reader informed me on Facebook that their email systems had delivered a 442 connection Failed-Error when communicating with the Metro mail system last Monday. By the afternoon of October 19, 2022, communication with the Metro Group email system was working again – so something is happening.


Advertising


Metro confirms cyber attack

First a speaker from Metro AG confired to German IT magazine heise a cyber attack on it’s IT systems. After searching the Metro AG site today, I finally found the following statement. It says (translated in English):

Metro cyber attack confirmation
Metro cyber attack confirmation (addenum: here is an English version)

T-Security Incident at METRO

METRO/MAKRO is currently experiencing a partial IT infrastructure outage for several technical services. METRO’s IT team, together with external experts, immediately launched a thorough investigation to determine the cause of the service disruption. The latest results of the analysis confirm a cyber attack on METRO systems as the cause of the IT infrastructure outage. METRO AG has informed all relevant authorities about the incident and will of course cooperate with them in every possible way.

During the operation of METRO stores and the regular availability of services, disruptions and delays may occur. The teams in the stores have quickly set up offline systems to process payments. Online orders via the web app and online store are being processed, but there may be individual delays here as well.

We will continue to analyze and monitor the situation intensively and provide updates if necessary.
METRO sincerely apologizes for any inconvenience this incident may cause to customers and business partners.

So they confirmed just a cyber attack, but stay tight lipped about the details. No information, whether it’s a ransomware infection nor about a possible attack vector.

Metro AG is a listed group of wholesale companies (for purchases in the gastronomy sector). Headquartered in Düsseldorf, the group employs more than 95,000 people in 681 stores worldwide, most of them in Germany. In Germany, the company mainly operates the Metro wholesale stores. Sales are 24.8 billion euros (2020).

Similar articles:
Cyber attack on Metro AG or just a IT break down? Austria, France, German (and more countries?) affected
Ransomware Attack on electronic retail markets of Media Markt/Saturn
Media Markt/Saturn: Ransomware attack by hive gang, $240 million US ransom demand

Source :
https://borncity.com/win/2022/10/21/metro-gruppe-doch-opfer-eines-cyberangriffs/

Set Port Trunking on your QNAP NAS to increase the bandwidth via 802.3ad protocol

Port Trunking, also known as LACP (Link Aggregation Control Protocol), allows you to combine multiple LAN interfaces for increased bandwidth and load balancing for multiple clients. It also provides failover capabilities to maintain network connectivity if a network port fails.

  • 802.3ad (Dynamic Link Aggregation) is the No.5 mode according to the IEEE 802.3ad specification. It uses a complex algorithm to aggregate adapters by speed and duplex settings to provide load balancing and fault tolerance but requires a switch that supports IEEE 802.3ad with LACP mode properly configured.
QNAP

Note: Your switch must support 802.3ad.
Note: A NAS with multiple LAN ports is required.

Follow these steps to set up your NAS.

  1. Log into the NAS as an administrator. Go to “Main Menu” > “Network & Virtual Switch” > “Interfaces”. Click “Port Trunking”.
    QNAP
    QNAP
  2. Click “Add” from the pop-up window.
    QNAP
  3. Select the network interfaces to use and select 802.3ad for the Port Trunking Mode.
    QNAP
  4. Click the settings button beside 802.3ad.
    QNAP
  5. Select a HASH policy for 802.3ad:
    The default setting is “layer 2 (MAC)“. This is compatible with every switch but only offers load balancing by MAC address. We recommend using “Layer 2+3 (MAC+IP)” for greater performance but you will need to check that your switch supports it.
    QNAP
  6. Click “Apply” to finish.
    QNAP

Test Results:

The test results of before and after Port Trunking is as follows.

  1. A Gigabit Ethernet Network
    1. One user downloading a large video file from the NAS:
      QNAP
    2. One user uploading a large video file to the NAS:
      QNAP
    3. Two users downloading a large video file from the NAS at the same time:
      QNAP
      QNAP
      The throughput of the NAS reaches 108~110 MB/s (downloading):
      QNAP
    4. Two users upload a large video file to the NAS at the same time:
      QNAP
      QNAP
      The throughput of NAS reaches 102~104 MB/s (uploading):
      QNAP

  2. Aggregating two Gigabit Ethernet Networks on the NAS
    1. One user downloads a large video file from the NAS:
      QNAP
    2. One user uploads a large video file to the NAS:
      QNAP
    3. Two users download a large video file from the NAS at the same time:
      QNAP
      QNAP
      The throughput of NAS reaches 210~223 MB/s (downloading):
      QNAP
    4. Two users upload a large video file to the NAS at the same time:
      QNAP
      QNAP
      The throughput of NAS reaches 200~210 MB/s (uploading):
      QNAP

As displayed by the test results, Port Trunking can increase bandwidth on a QNAP NAS . But please note the following:

  1. Port Trunking cannot break the speed limit of a single Ethernet device, but it offers a sufficient amount of bandwidth for multiple users connecting at the same time. For example, if two 1Gb NICs are used for Port Trunking, the aggregated network bandwidth will be increased to 2Gb, but the network speed will remain 1Gb.
  2. Available system resources and the maximum read/write speeds of the storage devices on the NAS will greatly influence the overall bandwidth.

    Source :
    https://www.qnap.com/en/how-to/tutorial/article/set-port-trunking-on-your-qnap-nas-to-increase-the-bandwidth-via-802-3ad-protocol

FAQs about self-encrypting drives (SEDs)

Last modified date: 2022-10-05
Applicable Products
QTS
QuTS hero
SED Usage
Can I use different types of SEDs to create a SED secure storage pool?
Yes, you can use different types of SEDs in the same SED secure storage pool.

Can I use SEDs in a normal storage pool?
Yes, normal storage pools can contain SEDs. However, the SEDs would function as regular disks without self-encryption.

When creating a normal storage pool, make sure the option Create SED secure storage pool is deselected.

If I use SEDs in a normal storage pool, will the pool be locked after the NAS restarts?
No, the system does not lock normal storage pools when the NAS restarts. SEDs in a normal storage pool function as regular disks without self-encryption.

Only SED secure storage pools are locked after the NAS restarts (unless the setting Auto unlock on startup is enabled).

SED Status
Why is my SED’s disk status “Unlocked” even though I never activated its self-encrypting function?
In QTS versions earlier than 5.0.1 and QuTS hero versions earlier than h5.0.1, only SEDs of the type TCG Opal are supported.

Starting from QTS 5.0.1 and QuTS hero h5.0.1, TCG Enterprise SEDs are also supported.

If you used any TCG Enterprise SEDs to create a normal storage pool when your NAS was running QTS versions earlier than 5.0.1 or QuTS hero versions earlier than h5.0.1, and then later upgraded your operating system to QTS 5.0.1 (or later) or QuTS hero h5.0.1 (or later), the NAS will now indicate their disk status as “Unlocked”. This does not affect the status or performance of the storage pool, and the SEDs will continue to function as regular disks.

If a TCG Enterprise SED has never been used in a storage pool, and the disk status has changed to “Unlocked” after you upgraded the NAS operating system to QTS 5.0.1 (or later) or QuTS hero h5.0.1 (or later), you can use the SED Erase function to reset the disk to factory default, and then activate self-encryption on the disk by setting an encryption password.

Resetting to Factory Default
What can I do if I cannot find the PSID on my SED?
SEDs usually have a PSID (physical secure ID) labeled on the disk. If you cannot find the PSID on the disk, please contact the disk manufacturer for assistance.

Why doesn’t the PSID work when I try to reset my SED?
If you are unable to reset your SED to factory default using its PSID (physical secure ID), please contact the disk manufacturer for technical assistance.

If the disk manufacturer is unable to help you reset the SED, you can still use the SED as a regular disk.

Source :
https://www.qnap.com/en/how-to/faq/article/faqs-about-self-encrypting-drives-seds

How to use self-encrypting drives (SEDs) on your QNAP NAS?


Last modified date: 2022-10-12

This tutorial introduces self-encrypting drives (SEDs) and how to utilize and manage them on your QNAP NAS.
 

Applicable ProductsDetails
NASAll QNAP NAS models
Operating systemQTS, QuTS hero

Self-Encrypting Drives (SEDs)

A self-encrypting drive (SED) is a drive with encryption hardware built into the drive controller. SEDs automatically encrypt all data as it is written to the drive and decrypt all data as it is read from the drive. Data stored on SEDs are always fully encrypted by a data encryption key, which is stored on the drive’s hardware and cannot be accessed by the host operating system or unauthorized users. The encryption key can also be encrypted by a user-specified encryption password that allows the SED to be locked and unlocked.

Because encryption and decryption are handled by the drive, accessing data on SEDs does not require any extra CPU resources from the host device. Data on SEDs also become inaccessible if the SEDs are physically stolen or lost. For these reasons, SEDs are widely preferred for storing sensitive information.

You can use SEDs to create SED secure storage pools in QTS and QuTS hero, and SED secure static volumes in QTS. You can also use SEDs to create regular storage pools or volumes, but the self-encrypting function on the SEDs would remain deactivated.

Why Use SEDs?

Data storage security is an extremely important matter for many enterprises and organizations, especially when they store personal data such as credit card information and identity card numbers, or industry secrets such as product blueprints and intellectual property.

If a data leak occurs, the enterprise or organization can face serious consequences. Apart from sensitive information being exposed, a data leak can also result in customer and client damages, revenue loss, and legal penalties.

Because SEDs use hardware-based full disk encryption, both the encryption and decryption processes occur in the disk hardware. This separation from the host operating system makes hardware encryption more secure than software encryption. Moreover, unlike software encryption, hardware encryption does not require extra CPU resources. If a SED is physically stolen or lost, it becomes practically impossible to obtain intelligible information from the SED.

For these reasons, SEDs are often a specified data security requirement in bidding processes for government agencies, health care institutions, and financial and banking services.

SED Types

QNAP categorizes SED types according to the industry-standard specifications defined by the Trusted Computing Group (TCG). Supported SED types are listed in the following table.

To check the SED type of an installed SED, go to Storage & Snapshots > Storage > Disks/VJBOD and click a SED.

SED TypeSupported
TCG OpalYes
TCG EnterpriseYes, in QTS 5.0.1 (or later) and QuTS hero h5.0.1 (or later)

SED Storage Creation

You can use SEDs to create SED secure storage pools in QTS and QuTS hero, and SED secure static volumes in QTS. For details, see the corresponding QNAP operating system user guide.

ActionDetails
Create a SED secure storage pool in QTSThe latest version of the QTS User Guide is available at https://www.qnap.com/go/doc/qts/.You can find the relevant topic by searching “self-encrypting drives”.
Create a SED secure static volume in QTS
Create a SED secure storage pool in QuTS heroThe latest version of the QuTS hero User Guide is available at https://www.qnap.com/go/doc/quts-hero/.You can find the relevant topic by searching “self-encrypting drives”.

SED Management

SED Storage Pool and Static Volume Actions

To perform the following actions, go to Storage & Snapshots > Storage > Storage/Snapshots, select a SED pool or volume, click Manage, then select Actions > SED Settings.

ActionDescription
Change SED Pool PasswordChange SED Volume PasswordChange the encryption password.Warning:Remember this password. If you forget the password, the pool or volume will become inaccessible and all data will be unrecoverable.You can also enable Auto unlock on startup.This setting enables the system to automatically unlock and mount the SED pool or volume whenever the NAS starts, without requiring the user to enter the encryption passwordWarning:Enabling this setting can result in unauthorized data access if unauthorized personnel are able to physically access the NAS.Tip:In some earlier versions of QTS and QuTS hero, this setting is known as Save encryption key.
LockLock the pool or volume. All volumes/shared folders, LUNs, snapshots, and data in the pool or volume will be inaccessible until it is unlocked.
UnlockUnlock a locked SED pool or volume. All volumes/shared folders, LUNs, snapshots, and data in the pool or volume will become accessible.
Disable SED SecurityRemove the encryption password and disable the ability to lock and unlock the pool or volume.
Enable SED SecurityAdd an encryption password and enable the ability to lock and unlock the pool or volume.

Removing a Locked SED Storage Pool or Static Volume

  1. Go to Storage & Snapshots > Storage > Storage/Snapshots.
  2. Select a locked SED storage pool or static volume.Note:Static volumes are only available in QTS.
  3. Click Manage, and then click Remove.The Removal Wizard window opens.
  4. Select a removal option.OptionDescriptionUnlock and remove pool, data, and saved keyThis option unlocks the SED disks in the storage pool or static volume, and then deletes all data. The storage pool or static volume is removed from the system.You must enter the encryption password.Remove pool without unlocking itThis option removes the storage pool or static volume without unlocking the disks. The SED disks cannot be used again until you perform one of the following actions:
    • Unlock the disks. Go to Disks/VJBOD, click Recover, and then select Attach and Recover Storage Pool.
    • Erase the disks using SED erase.
  5. Click Apply.

The system removes the locked SED storage pool or static volume.

Migrating a SED Secure Storage Pool to a New NAS

The following requirements apply when migrating a storage pool to a new NAS.

  • The two NAS devices must both be running QTS, or both be running QuTS hero. Migration between QTS and QuTS hero is not possible.
  • The version of QTS or QuTS hero running on the new NAS must be the same or newer than the version running on the original NAS.
  1. On the original NAS, go to Storage & Snapshots > Storage > Storage/Snapshots.
  2. Select a SED secure storage pool.
  3. Click Manage.The Storage Pool Management window opens.
  4. Click Action, and then select Safely Detach Pool.A confirmation message appears.
  5. Click Yes.The storage pool status changes to Safely Detaching…. After the system has finished detaching the pool, it disappears from Storage & Snapshots.
  6. Remove the drives containing the storage pool from the NAS.
  7. Install the drives in the new NAS.
  8. On the new NAS, go to Storage & Snapshots > Storage > Disks/VJBOD .
  9. Click Recover, and then select Attach and Recover Storage Pool.A confirmation message appears.
  10. Enter the encryption password.You must enter this password if you are using self-encrypted drives (SEDs) with encryption activated.
  11. Click Attach.The system scans the disks and detects the storage pool.
  12. Click Apply.

The storage pool appears in Storage & Snapshots on the new NAS.

Erasing a Disk Using SED Erase

SED Erase erases all of the data on a locked or unlocked SED disk and removes the encryption password.

  1. Go to Storage & Snapshots > Storage > Disks/VJBOD.
  2. Select a SED disk.
  3. Click Actions, and then select SED Erase.The SED Erase window opens.
  4. Enter the disk’s Physical Security ID (PSID).Tip:The PSID can usually be found on the disk label.If you cannot find the PSID, contact the disk manufacturer.
  5. Click Apply.

The system erases all data on the SED.

SED Status

To view the status of a SED, go to Storage & Snapshots > Storage > Disks/VJBOD and click an installed SED.

SED StatusDescription
UninitializedThe SED is uninitialized. Drive encryption is deactivated.
UnlockedThe SED is initialized and unlocked. Drive encryption is activated. Data on the SED is encrypted and accessible.
LockedThe SED is initialized and locked. Drive encryption is activated. Data on the SED is encrypted and inaccessible.
BlockedThe SED is blocked for security reasons. The drive cannot be initialized.Note:To unblock the SED, reinsert the disk or erase the disk using SED Erase. For details, see Erasing a Disk Using SED Erase.

Glossary

GlossDefinition
Auto unlock on startupSetting that allows the system to automatically unlock a SED secure storage pool or SED secure static volume after the NAS restarts
Encryption keyA unique, randomized cryptographic string physically stored within the hardware in self-encrypting drives (SEDs) for encrypting data written to the drive and decrypting data as it is read from the drive
Encryption passwordA user-defined password for locking and unlocking a SED secure storage pool or static volume
PSID (Physical Secure ID)A unique key usually labeled on a self-encrypting drive (SED) for resetting the drive to factory default
SED EraseStorage & Snapshots function for erasing all data on a self-encrypting drive (SED) and removing the encryption password

Source :
https://www.qnap.com/en/how-to/tutorial/article/how-to-use-self-encrypting-drives-seds-on-your-qnap-nas

Venus Ransomware targets publicly exposed Remote Desktop services

Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.

Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related.

BleepingComputer first learned of the ransomware from MalwareHunterTeam, who was contacted by security analyst linuxct looking for information on it.

Linuxct told BleepingComputer that the threat actors gained access to a victim’s corporate network through the Windows Remote Desktop protocol.

Another victim in the BleepingComputer forums also reported RDP being used for initial access to their network, even when using a non-standard port number for the service.

How Venus encrypts Windows devices

When executed, the Venus ransomware will attempt to terminate thirty-nine processes associated with database servers and Microsoft Office applications.

taskkill, msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, sqlservr.exe, thebat64.exe, thunderbird.exe, winword.exe, wordpad.exe

The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command:

wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE

When encrypting files, the ransomware will append the .venus extension, as shown below. For example, a file called test.jpg would be encrypted and renamed test.jpg.venus.

Files encrypted by the Venus Ransomware
Files encrypted by the Venus Ransomware
Source: BleepingComputer

In each encrypted file, the ransomware will add a ‘goodgamer’ filemarker and other information to the end of the file. It is unclear what this additional information is at this time.

Goodgamer file marker in an encrypted file
Goodgamer file marker in an encrypted file
Source: BleepingComputer

The ransomware will create an HTA ransom note in the %Temp% folder that will automatically be displayed when the ransomware is finished encrypting the device.

As you can see below, this ransomware calls itself “Venus” and shares a TOX address and email address that can be used to contact the attacker to negotiate a ransom payment. At the end of the ransom note is a base64 encoded blob, which is likely the encrypted decryption key.

Venus Ransomware ransom note
Venus Ransomware ransom note
Source: BleepingComputer
https://6c29118eeb90b493fc8cae82084958c7.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html?upapi=true

AD

At this time, the Venus ransomware is fairly active, with new submissions uploaded to ID Ransomware daily.

As the ransomware appears to be targeting publicly-exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall.

Ideally, no Remote Desktop Services should be publicly exposed on the Internet and only be accessible via a VPN

Related Articles:

Magniber ransomware now infects Windows users via JavaScript files

Microsoft: Iranian hackers encrypt Windows systems using BitLocker

Ransom Cartel linked to notorious REvil ransomware operation

REvil ransomware returns: New malware sample confirms gang is back

Windows 10 22H2 is released, here’s what we know

Source :
https://www.bleepingcomputer.com/news/security/venus-ransomware-targets-publicly-exposed-remote-desktop-services/

Hyper-V Virtual Networking configuration and best practices

If you’re new to the world of virtualization, networking configuration can be one of the toughest concepts to grasp. Networking is also different in Hyper-V than in other hypervisors, so even those with years of experience can stumble a bit when meeting Hyper-V for the first time. This article will start by looking at the conceptual design of virtual networking in Hyper-V, configuration and then work through implementation best practices.

Networking Basics

Before beginning, it might be helpful to ensure that you have a solid grasp of the fundamentals of Ethernet and TCP/IP networking in general. Several articles that explain common aspects begin with this explanation of the OSI model.

The Hyper-V Virtual Switch

The single most important component of networking in Hyper-V is the virtual switch. There’s an in-depth article on the Hyper-V Virtual Switch on this blog, but for the sake of this article I’ll give you a basic introduction to the concept, within the bigger picture.

The key to understanding is realizing that it truly is a switch, just like a physical switch. It operates in layer 2 as the go-between for virtual switch ports. It directs packets to MAC addresses. It handles VLAN tagging. It can even perform some Quality of Service (QoS) tasks. It’s also responsible for isolating network traffic to the virtual adapter that is supposed to be receiving it. When visualized, the Hyper-V network switch should be thought of in the same way as a standard switch:

The next part of understanding the virtual switch is how it interacts with the host. To open that discussion, you must first become acquainted with the available types of virtual switches.

Virtual Switch Modes

There are three possible modes for the Hyper-V switch: private, internal, and public. Do not confuse these with IP addressing schemes or any other virtual networking configuration in a different technology.

Hyper-V’s Private Switch

The private switch allows communications among the virtual machines on its host and nothing else. Even the management operating system is not allowed to participate. This switch is purely logical and does not use any physical adapter in any way. “Private” in this sense is not related to private IP addressing. You can mentally think of this as a switch that has no ability to uplink to other switches.

Hyper-V’s Internal Switch

The internal switch is similar to the private switch with one exception: the management operating system can have a virtual adapter on this type of switch. This allows the management operating system to directly communicate with any virtual machines that also have virtual adapters on the same internal switch. Like the private switch, the internal switch does not have any relation to a physical adapter and therefore also cannot uplink to any another switch.

Hyper-V’s External Switch

The external switch type must be connected to a physical adapter. It allows communications between the physical network and the management operating system and the virtual adapters on virtual machines. Do not confuse this switch type with public IP addressing schemes or let its name suggest that it needs to be connected to an Internet-facing system. You can use the same private IP address range for the adapters on an external virtual switch that you’re using on the physical network it’s attached to. External in this usage means that it can connect to systems that are external to the Hyper-V host.

How to Conceptualize the External Virtual Switch

Part of what makes understanding the external virtual switch artificially difficult is the way that the related settings are worded. In the Hyper-V Manager GUI, it’s worded as Allow management operating system to share this network adapter. In PowerShell’s New-VMSwitch cmdlet, there’s an AllowManagementOS parameter which is no better, and its description — Specifies whether the parent partition (i.e. the management operating system) is to have access to the physical NIC bound to the virtual switch to be created. — makes it worse. What seems to happen far too often is that people read these and think of the virtual switch and the virtual adapters like this:

Unfortunately, this is not at all an accurate representation of Hyper-V’s virtual network stack. Once the virtual switch is bound to a physical adapter, that adapter is no longer used for anything else. TCP/IP, and most other items, are removed from it. The management operating system is quite simply unable to “share” it. If you attempt to bind anything else to the adapter, it’s quite probable that you’ll break the virtual switch.

In truth, the management operating system is getting a virtual network adapter of its own. That’s what gets connected to the virtual switch. That adapter isn’t exactly like the adapters attached to the virtual machines; it’s not quite as feature-rich. However, it’s nothing at all like actually sharing the physical adapter in the way that the controls imply. A better term would be, “Connect the management operating system to the virtual switch”. That’s what the settings really do. The following image is a much more accurate depiction of what is happening:

As you can see, the management operating system’s virtual adapter is treated the same way as that of the virtual machines’ adapters. Of course, you always have the option to take one or more physical adapters out of the virtual switch. Those will be used by the management operating system as normal. If you do that, then you don’t necessarily need to “share” the virtual switch’s adapter with the management operating system:

How to Use Physical NIC Teaming with the Hyper-V Virtual Switch

As of Windows Server 2012, network adapter teaming is now a native function of the Windows Server operating system. Teaming allows you combine two or more adapters into a single logical communications channel to distribute network traffic. Hyper-V Server can also team physical adapters.

When a teamed adapter is created, the individual adapters still appear in Windows but, in a fashion very similar to the virtual switch, can no longer be bound to anything except the teaming protocol. When the team is created, a new adapter is presented to the operating system. It would be correct to call this adapter “virtual”, since it doesn’t physically exist, but that can cause confusion with the virtual adapters used with the Hyper-V virtual switch. More common terms are team adapter or logical adapter, and sometimes the abbreviation tNIC is used.

Because teaming is not a central feature or requirement of Hyper-V, it won’t be discussed in detail here. Hyper-V does utilize native adapter teaming to great effect and, therefore, it should be used whenever possible. As a general rule, you should choose the Dynamic load balancing algorithm unless you have a clearly defined overriding need; it combines the best features of the Hyper-V Port and Transport Ports algorithms. As for whether or not to use the switch independent teaming mode or one of the switch dependent modes, that is a deeper discussion that involves balancing your goals against the capabilities of the hardware that is available to you. For a much deeper treatment of the subject of teaming with Hyper-V, consult the following articles in the Altaro blog:

[thrive_leads id=’17165′]

Hyper-V and Network Convergence

Network convergence simply means that multiple traffic types are combined in a single communications channel. To a certain degree, Hyper-V always does this since several virtual machines use the same virtual switch, therefore the same network hardware. However, that could all technically be classified under a single heading of “virtual machine traffic”, so it’s not quite convergence.

In the Hyper-V space, true convergence would include at least one other role and it would include at least two physical network adapters. The simplest way to achieve this is by teaming two or more adapters as talked about in the preceding section and then creating a virtual switch atop the team adapter. When the virtual switch is created, use the “share” option or PowerShell to create a virtual adapter for the management operating system as well. If that adapter is used for anything in the management operating system, then that is considered convergence. Other possible roles will be discussed later on.

While the most common convergence typically binds all adapters of the same speed into a single channel, that’s not a requirement. You may use one team for virtual machine traffic and another for the management operating system if you wish.

Hyper-V and Networking within a Cluster

Failover Clustering has its own special networking needs, and Hyper-V extends those requirements further. Each node begins with the same requirements as a standalone Hyper-V system: one management adapter and a virtual switch. A cluster adds the need for cluster-related traffic and Live Migration.

In versions prior to 2012, the only supported configuration required that all of these roles be separated into unique gigabit connections. With the enhancements introduced in 2012 and 2012 R2, these requirements are much more relaxed. There aren’t any published requirements with the new versions (although it could be argued that the requirements for 2008 R2 were never officially superseded, so they are technically still enforced). In practice, it’s been observed that it is absolutely necessary for there to be at least two unique cluster paths, but the rest can be adjusted up or down depending on your workloads.

The following describes each role and gives a brief description of its traffic:

  • Management: This role will carry all traffic for host-level backups and any host-related file sharing activities, such as accessing or copying ISO images from a remote system. During other periods, this role usually does not experience a heavy traffic load. The typical usage is for remote management traffic, such as RDP and WS-Man (PowerShell), which are very light.
  • Cluster Communications: Each node in the cluster continually communicates with all the other nodes in a mesh pattern to ensure that the cluster is still in operation. This operation is commonly known as the “heartbeat”, although network configuration information is also traded. Heartbeat traffic is typically very light, but it is extremely sensitive to latency. If it does not have a dedicated network, it can easily be drowned out by other operations, such as large file copies, which will cause nodes to lose quorum and fail over virtual machines even though nothing is technically wrong.
    • Cluster Shared Volumes: CSV traffic is not a unique role; it travels as part of standard cluster communications. When all is well, CSV traffic is fairly minimal, only passing CSV metadata information between the nodes. If a CSV goes into Redirected Access mode, then all traffic to and from that CSV will be handled by the owner node. If any other node needs to access that CSV, it will do so over a cluster network. The cluster will ensure that the normal cluster communications, such as heartbeat, are not sacrificed, but any struggles for bandwidths will cause virtual machines to perform poorly – and possibly crash. If your cluster does not use CSVs, then this traffic is not a concern.
  • Live Migration: Without constraints, a Live Migration operation will use up as much bandwidth as it can. The typical configuration provides a dedicated adapter for this role. With converged networking, the requirement is not as strict.
  • Virtual Machine traffic: VM traffic is arguably the most important in the cluster, but it also tends to not be excessively heavy. The traditional approach is to dedicate at least one adapter to the virtual switch.

While legacy builds simply separated these onto unique, dedicated gigabit pipes, you now have more options at your disposal.

SMB Enhancements for Cluster Communications

Cluster communications have always used the SMB protocol. The SMB protocol was upgraded substantially in 2012 and now has the ability to multichannel. This feature will auto-negotiate between the source and destination host and will automatically spread SMB traffic across all available adapters.

Whereas it used to be necessary to set networks for cluster communications and then modify metric assignments to guide traffic, the preferred approach in 2012 R2 is to simply designate two or more networks as cluster networks. The hosts will automatically balance traffic loads.

SMB Enhancements for Live Migration

If the cluster’s nodes are all set to use SMB for Live Migration, then it will take advantage of the same SMB enhancements that the standard cluster communications use. In this way, management traffic, cluster communications traffic, and Live Migration could all be run across only two distinct networks instead of two. This is potentially risky, especially if Redirected Access mode is triggered.

Converged Networking Benefits for Clustering

By using converged networks, you gain substantially more options with less hardware. SMB multichannel divides traffic across distinct networks – that is, unique subnets. By using converged networks, you can create more subnets than you have physical adapters.

This is especially handy for 10GbE adapters since few hosts will have more than two. It also has its place on 1GbE networks. You can simply combine all physical adapters into one single large team and create the same number of logical networks that you would have for a traditional role, but enable each of them for cluster communications and Live Migration. This way, SMB multichannel will be able to automatically load balance its needs. Remember that even with converged networking, it’s best to not combine all roles onto a single virtual or teamed adapter. SMB multichannel requires distinct subnets to perform its role and teaming balances some traffic according to the virtual adapter.

Quality of Service Benefits for Clustering

While the concern is rarely manifested, it is technically possible for one traffic type to fully consume a converged team. There are a number of QoS (Quality of Service) options available to prevent this from occurring. You can specifically limit SMB and/or Live Migration traffic and set maximums and minimums on virtual adapters.

Before you spend much time investigating these options, be aware that most deployments do not require this degree of control and will perform perfectly well with defaults. Hyper-V will automatically work to maintain a balance of traffic that does not completely drown out any particular virtual network adapter. Because the complexity of configuring QoS outweighs its benefits in the typical environment, this topic will not be investigated in this series. The most definitive work on the subject is available on TechNet.

How to Design Cluster Networks for Hyper-V

The one critical concept is that cluster networks are defined by TCP/IP subnet. The cluster service will detect every IP address and subnet mask on each node. From those, it will create a network for each unique subnet that it finds. If any node has more than one IP address in a subnet, the cluster service will use one and ignore the rest unless the first is removed. If the service finds networks that only some nodes have IP addresses for, the network will be marked as partitioned. A network will also be marked as partitioned if cluster communications are allowed but there are problems with inter-node traffic flow. The following diagram shows some sample networks and how clustering will detect them.

In the illustration, the only valid network is Cluster Network 2. The worst is Cluster Network 4. Due to the way the subnet is configured, it overlaps with all of the other networks. The cluster service will automatically lock the node 2 adapter with IP address 192.168.5.11 out of cluster communications and mark the network as None to indicate that it is disallowed for cluster communications.

Before building your cluster, determine the IP subnets that you’ll be using. It’s perfectly acceptable to create all-new networks if necessary. For cluster communications, the nodes will not intentionally communicate with anything other than the nodes in the same cluster. The minimum number of unique networks is two. One must be marked to allow client and cluster communications; this is the management network. One must be marked to allow cluster communications (client communications optional but not recommended). Further networks are optional, but will grant the cluster the opportunity to create additional TCP streams which can help with load-balancing across teamed adapters.

Hyper-V Networking Best Practices – Configuration in Practice

There isn’t any single “correct” way to configure networking in Hyper-V any more than there is a single “correct” way to configure a physical network. This section is going to work through a number of best practices and procedures to show you how things are done and provide guidance where possible. The best advice that anyone can give you is to not overthink it. Very few virtual machines will demand a great deal of networking bandwidth.

There are a few best practices to help you make some basic configuration decisions:

  • A converged network results in the best overall bandwidth distribution. It is extremely rare to have any situation in which a single network role will be utilizing an entire gigabit connection constantly. By dedicating one or more adapters to a single role, you prevent any other role from using that adapter, even when its owning role is idle.
  • A single TCP/IP stream can only use a single physical link. One of the most confusing things about teaming that new-comers face is that combining multiple links into a single team does not automatically mean that all traffic will automatically use all available links. It means that different communications streams will be balanced across available. Or, to make that more clear, you need at least four different communications streams to fully utilize four adapters in a team.
  • Avoid using iSCSI or SMB 3 directly with teaming. It is supported for both, but it is less efficient than using MPIO (for iSCSI) or SMB multichannel. It is supported to have multiple virtual network adapters on a team that are configured for iSCSI or SMB multichannel. However, you will always get the best performance for network storage by using unteamed adapters that are not bound to a virtual switch. This article explains how to configure MPIO.
  • If iSCSI and/or SMB connections are made through virtual adapters on a converged team, they will establish only one connection per unique IP address. Create multiple virtual adapters in order to enable MPIO and/or SMB multichannel.
  • For Failover Clustering, plan in advance what IP range you want to use for each role. For example:
    • Management: 192.168.10.0/24
    • Cluster communications/CSV: 192.168.15.0/24
    • Live Migration: 192.168.20.0/24
    • SMB network 1: 192.168.30.0/24
    • SMB network 2: 192.168.31.0/24
  • The only adapter in the management operating system that should have a default gateway is the management adapter. Assigning default gateways to other adapters will cause the system unnecessary difficulty when choosing outbound connections.
  • If cluster nodes have adapters that will only be used to communicate with back-end storage (iSCSI or SMB), exclude their networks from participating in cluster communications.
  • Only the management adapter should register itself in DNS.
  • Except for the one created by checking Allow the management operating system to share this network adapter, you cannot use the GUI to create virtual network adapters for the management operating system’s use.
  • You cannot use the GUI to establish a QoS policy for the virtual switch. The only time this policy can be selected is during switch creation.
  • If desired, virtual machines can have their IP addresses in the same range as any of the cluster roles. Failover Clustering does not see the ranges in use by virtual machines and will not collide with them.
  • The management operating system will allow you to team network adapters with different feature sets and even different speeds, but it is highly recommended that you not do this. Different features can result in odd behaviors as communication are load balanced. The system balances loads in round-robin fashion, not based on adapter characteristics (for instance, it will not prioritize a 10GbE link over a 1GbE link).
  • Networking QoS only applies to outbound communications. Inbound traffic will flow as quickly as it is delivered and can be processed.
  • 10GbE links have the ability to outpace the processing capabilities of the virtual switch. A single virtual adapter or communications stream may top out at speeds as low as 3.5 Gbps, depending upon the processing power of the CPU. Balanced loads will be able to consume the entire 10GbE link, especially when offloading technologies, primarily VMQ, are in place and functional.
  • When teaming, choose the Dynamic load balancing algorithm unless you have a definite, verifiable reason not to. Do not prefer the Hyper-V Port mode simply based on its name; Dynamic combines the best aspects of the Hyper-V Port and Hash modes.
  • You can use iSCSI on a virtual machine’s virtual adapter(s) to connect it/them directly to network storage. You will have better performance and access to more features by connecting from the host and exposing storage to the guests through a VHDX. Virtual machines can have multiple network adapters, which enables you to connect the same virtual machine to different VLANs and subnets.
  • Avoid the creation of multiple virtual switches. Some other hypervisors require the administrator to create multiple virtual switches and attach them to the same hardware. Hyper-V allows only a single virtual switch per physical adapter or team. Likewise, it is not advisable to segregate physical adapters, whether standalone or in separate teams, for the purpose of hosting multiple virtual switches. It is more efficient to combine them into a single large team. The most common exception to this guideline is in situations where physical isolation of networks is required.

The necessary steps to create a team were linked earlier, but here’s the link again: https://www.altaro.com/hyper-v/how-to-set-up-native-teams-in-hyper-v-server-2012/.

Adapter and TCP/IP Configuration

If your system is running a GUI edition of Windows Server, you can configure TCP/IP for all adapters using the traditional graphical tools. For all versions, you can also use sconfig.cmd for a guided process. This section shows how to perform these tasks using PowerShell. To keep the material as concise as possible, not all possible options will be shown. Refer to the introductory PowerShell article for assistance on using discovering the capabilities of cmdlets using Get-Help and other tools.

See Adapter Status (and Names to Use in Other Cmdlets)

Get-NetAdapter

Rename a Physical or Team Adapter

Rename-NetAdapter Name CurrentName NewName NewName

Set an Adapter’s IP Address

New-NetIPAddress InterfaceAlias AdapterName IPAddress 192.168.20.20 PrefixLength 24

Set an Adapter’s Default Gateway

New-NetRoute InterfaceAlias AdapterName DestinationPrefix 0.0.0.0/0 NextHop 192.168.20.1

Tip: use “Set-NetRoute” to make changes, or “Remove-NetRoute” to get rid of a gateway.

Set DNS Server Addresses

Set-DNSClientServerAddresses InterfaceAlias AdapterName –ServerAddresses 192.168.20.5, 192.168.20.6

Prevent an Adapter from Registering in DNS

Set-DnsClient InterfaceAlias AdapterName RegisterThisConnectionsAddress $false

One final option that you may wish to consider is setting Jumbo Frames on your virtual adapters. A Jumbo Frame is any TCP/IP packet that exceeds the base size of 1514 bytes. It’s most commonly used for iSCSI connections, but can also help a bit with SMB 3 and Live Migration traffic. It’s not useful at all for traffic crossing the Internet and most regular LAN traffic doesn’t benefit much from it either. If you’d like to use it, the following post explains it in detail: https://www.altaro.com/hyper-v/how-to-adjust-mtu-jumbo-frames-on-hyper-v-and-windows-server-2012/. That particular article was written for 2012. The virtual switch in 2012 R2 has Jumbo Frames enabled by default, so you only need to follow the portions that explain how to set it on your physical and virtual adapters.

Configuring Virtual Switches and Virtual Adapters

All of the graphical tools for creating a virtual switch and setting up a single virtual adapter for the management operating system were covered in this previous article in the series. You cannot use the graphical tools to create any further virtual adapters for use by the management operating system. You also must use PowerShell to create your virtual switch if you want to control its QoS policy. The following PowerShell commands deal with the virtual switch and its adapters.

Create an External Virtual Switch

New-VMSwitch –InterfaceAlias AdapterName –Name vSwitch –AllowManagementOS $false –EnableIOV $false –MinimumBandwidthMode Weight

There are several things to note about this particular cmdlet:

  • The “InterfaceAlias” parameter shown above is actually an alias for “NetAdapterName”. The alias was chosen here because it aligns with the parameter name and output of Get-NetAdapter.
  • The cmdlet was typed with “vSwitch” as the virtual switch’s name, but you’re allowed to use anything you like. If your chosen name has a space in it, you must enclose it in single or double quotes.
  • If you do not specify the “AllowManagementOS” parameter or if you set it to true, it will automatically create a virtual adapter for the management operating system with the same name as the virtual switch. Skipping this automatic creation gives you greater control over creating and setting your own virtual adapters.
  • If you do not wish to enable SR-IOV on your virtual switch, it is not necessary to specify that parameter at all. It is shown here as a reminder that if you’re going to set it, you must set it when the switch is created. You cannot change this later.
  • The help documentation for Get-VMSwitch indicates that the default for “MinimumBandwidthMode” is “Weight”. This is incorrect. The default mode is “Absolute”. As with SR-IOV support, you cannot modify this setting after the switch is created.

Create a Private Virtual Switch

New-VMSwitch Name Isolated SwitchType Private MinimumBandwidthMode Weight

Many of the notes from the creation of the external switch apply here as well. The “EnableIOV” switch is not applicable to a private or internal switch at all. The “AllowManagementOS” switch is redundant: if the switch type is “Private” then no virtual adapter is created; if the switch type is “Internal”, then one is created. Adding one virtual adapter to the management OS on a Private switch will convert it to internal; removing all management OS virtual adapters from an Internal switch will make it Private.

Permanently Remove a Virtual Switch

Remove-VMSwitch Name vSwitch

This operation is permanent. The entire switch and all of its settings are lost. All virtual adapters in the management operating system on this switch are permanently lost. Virtual adapters in virtual machines connected to this switch are disconnected.

Add a Virtual Adapter to the Management OS

Add-VMNetworkAdapter ManagementOS SwitchName vSwitch Name 'New vAdapter'

The first thing to note is that, for some reason, this cmdlet uses “Add” instead of the normal “New” verb for creating a new object. Be aware that this new adapter will show up in Get-NetAdapter entries as vEthernet (New vAdapter) and that is the name that you’ll use for all such non-Hyper-V cmdlets. Use the same cmdlets from the previous section to configure

Retrieve a List of Virtual Adapters in the Management OS

Get-VMNetworkAdapter –ManagementOS

Rename a Virtual Adapter in the Management OS

Rename-VMNetworkAdapter ManagementOS Name CurrentName NewName NewName

How to Set VLAN Information for Hyper-V Virtual Adapters

Adapters for the management operating system and virtual machines can be assigned to VLANs. When this occurs, the Hyper-V virtual switch will handle the 802.1q tagging process for communications across the virtual switches and for packets to and from physical switches. As shown in the article on Virtual Machine settings, you can use Hyper-V Manager to change the VLAN for any of the adapters attached to virtual machines. You can only use PowerShell to change the VLAN for virtual adapters in the management operating system.

Retrieve the VLAN Assignments for All Virtual Adapters on the Host

GetVMNetworkAdapterVlan

You can use the “ManagementOS” parameter to see only adapters in the management operating system. You can use the “VMName” parameter with an asterisk to see only adapters attached to virtual machines.

Set the VLAN for a Virtual Adapter in the Management Operating System

Set-VMNetworkAdapterVlan ManagementOS VMNetworkAdapterName vAdapterName Access VlanId 10

Set the VLAN for all of a Virtual Machine’s Adapters

Set-VMNetworkAdapterVlan -VMName svtest -Access -VlanId 7

Remove VLAN Tagging from all of a Virtual Machine’s Adapters

Set-VMNetworkAdapterVlan -VMName svtest –Untagged

If a virtual machine has more than one virtual adapter and you’d like to operate on it separately, that might require a bit more work. When the GUI is used to create virtual adapters for a virtual machine, they are always named Network Adapter, even if there are several. So, you’ll have to use PowerShell to rename them as they are created or you won’t be able to use the “VMNetworkAdapterName” to distinguish them. Instead, you can use Get-VMNetworkAdapter to locate other distinguishing features and pipe the output to cmdlets that accept VMNetworkAdapter objects. For example, you want to change the VLAN of only one adapter attached to the virtual machine named “svtest”. By using the tools inside the guest operating system, you’ve determined that the MAC address of the adapter you want to change is “00-15-5D-19-0A-24”. With the MAC address, you can change the VLAN of only that adapter by using the following PowerShell construct:

GetVMNetworkAdapter VMName svtest | where { $_.MacAddress eq '00155D190A24' } | SetVMNetworkAdapterVlan –VMName Access VlanId 7

Cluster Networking Configuration

It is possible to use PowerShell to configure networking for your Failover Cluster, but it’s very inelegant with the current status of those cmdlets. At this time, they are not well-configured, so you must directly manipulate object property values and registry settings in fashions that are risky and error-prone. It is much preferred that you use Failover Cluster Manager to make these settings as explained in this article earlier on in the series.

Continue Exploring Networking

There’s a lot to digest in Hyper-V virtual networking. What you’ve seen so far truly is only the fundamentals. For a relatively simplistic deployment with no more than a few dozen virtual machines, you might not ever need any more information. As densities start to climb, the need to more closely tune networking increases. With gigabit adapters, your best option is to scale out. 10GbE adapters allow you to overcome physical CPU limitations with a number of offloading techniques, chief among these being VMQ. Begin your research on that topic by starting with the definitive article series on the subject, VMQ Deep Dive.

Otherwise, your best next steps are to practice with the PowerShell cmdlets. For example, learn how to use Set-VMNetworkAdapter to modify virtual adapters in similar fashion to the procedures you saw in the earlier GUI articles. With a little effort, you’ll be able to change groups of adapters at once. Hyper-V’s networking may be multi-faceted and complicated, but the level of control granted to you is equally vast.

Source :
https://www.altaro.com/hyper-v/virtual-networking-configuration-best-practices/