Google Core Web Vitals for WordPress: How to Test and Improve Them

Table of Contents

Heard about this new Google Core Web Vitals project but not sure how it connects to your WordPress site? Or maybe you have no idea what the Core Web Vitals project is and why it matters for WordPress?

Either way, this post is going to cover everything you need to know about Core Web Vitals and WordPress. We’ll tell you what they are, how to test them, and how to improve your site’s scores to create a better user experience and maybe even boost your search rankings in 2021 and beyond.

What Are Google Core Web Vitals?

Core Web Vitals are a new initiative from Google designed to measure and improve user experience on the web. Instead of focusing on generic metrics like how long it takes your entire website to load, Core Web Vitals focus on how your WordPress site’s performance connects to delivering a high-quality user experience.

Users care about how fast they can start interacting with a page. That’s precisely what the Core Web Vitals metrics aim to measure.

Currently, there are three Core Web Vitals: Largest Contentful Paint (loading performance), Cumulative Layout Shift (visual stability), and First Input Delay (interactivity).

According to Google, these metrics are the most important ones for providing a great user experience.

If you think that these names are confusing, and if you tend to mix one metric with another, don’t worry! We’ll explain each metric in the easiest way. We want you to understand what each Core Web Vital means and its impact on user experience.

It’s the first step for improving the scores and your overall SEO and WordPress performance.

Explaining Largest Contentful Paint (LCP)

Largest Contentful Paint (LCP) measures how long it takes for the most meaningful content on your site to load – that’s usually your site’s hero section or featured image.

According to Google, how long it takes for a page’s main content to load affects how quickly users perceive your site to load.

Practical example: you land on a page and don’t see the top image fully displayed right away. You would be annoyed, right? You would even think about leaving the page right away. Here’s why the Largest Contentful Paint metric is closely related to user experience — more than the overall site’s loading time.

The LCP “element” is different for each site, and it’s also different between the mobile and desktop versions of your site. Sometimes the LCP element could be an image, while other times, it could just be text. You’ll get a clear example in the section on how to test and measure Core Web Vitals.

If you’re wondering what a good LCP time is, here are Google’s thresholds:

Good – Less than or equal to 2.5 seconds
Needs Improvement – Less than or equal to 4.0 seconds
Poor – More than 4.0 seconds.

On a side note: LCP is very similar to First Contentful Paint (FCP), another metric included in PageSpeed Insights.

The key difference is that LCP measures when the “main” content loads. FCP is focused on just when the “first” content loads — which could be a splash screen or loading indicator, that’s a less relevant user-experience element.

Explaining Cumulative Layout Shift (CLS)

The Cumulative Layout Shift (CLS) measures how much your site’s content “shifts” or “moves around” as it loads.

Practical example: you’re about to click on a link or CTA, and you can’t do it because your content has just gone down after being loaded. You have a terrible user experience, and that’s a layout shift. The same goes when you accidentally click the wrong button because the late-loading content caused a button to shift.

Or, have you ever been on a news website where the content in the article keeps shifting around as the site loads ads, and you are unable to keep reading? That’s a layout shift, too.

You can see from yourself how the cumulative layout shift is super annoying for users and how they will have a poor experience.

Here’s how Google defines the CLS scores:

Good – Less than or equal to 0.1 seconds
Needs Improvement – Less than or equal to 0.25 seconds
Poor – More than 0.25 seconds.

Explaining First Input Delay (FID)

First Input Delay (FID) measures the time between when a user interacts with something on your page (e.g., clicking a button or a link) and when their browser can begin processing that event.

Practical example: if you click on a button to expand an accordion section, how long does it take for your site to respond to that and show the content?

First Input Delay is probably the most complicated metric to understand and optimize for, also because it’s heavily affected by JavaScript.

Let’s say that you land on a site from mobile and click on a link, but you don’t get an immediate response. It could be because your phone is busy processing a large JavaScript file from that site.

Here’s how Google defines FID scores:

Good – Less than or equal to 100 ms
Needs Improvement – Less than or equal to 300 ms
Poor – More than 300 ms.

Do Core Web Vitals Affect SEO as a Ranking Factor?

In June 2021, Google will start using Core Web Vitals as a ranking factor – therefore, these metrics could affect your SEO performance.

Core Web Vitals will be part of the new Page experience signals, together with HTTPS-security, safe-browsing, mobile-friendliness, and intrusive interstitial guidelines.

Core Web Vitals will affect both mobile and desktop organic results, as well as whether or not your site appears in Top Stories. Previously, your site needed to use AMP to appear in Top Stories. That will no longer be the case when Google rolls out the change, but your site will need to meet specific minimum Core Web Vitals scores to appear in Top Stories.

What’s more, it seems like all Core Web Vitals metrics need to be met to improve organic ranking. And the Core Web Vitals score for noindexed pages may matter, too.

In short: if you care about your SEO performance, improving your Core Web Vital scores is now mandatory.

How to Test & Measure Core Web Vitals on WordPress

You can test and measure the Core Web Vitals with all of Google’s tools for web developers, from PageSpeed Insights to the Chrome DevTools, the CrUX Report, and much more.

As you can see in the image below, Google’s tools measure all the three metrics — except for Chrome DevTools and Lighthouse.

These two tools use the Total Blocking Time as a proxy for the First Input Delay. That’s because FID can only be measured with real user data (Field Data), whereas Lighthouse only provides Lab Data.

Google’s tools to measure Core Web Vitals

If you prefer using another performance tool, you should know that both GTmetrix and WebPageTest have started to use the Lighthouse performance score.

Keep in mind that both tools only provide you with the Largest Contentful Paint and the Cumulative Layout Shift scores.

The reason is always the same: the First Input Delay can only be measured with real user interaction, and these tools rely on the Lighthouse Lab Data.

Let’s now go over two of the most popular tools: PageSpeed Insights and Search Console. The first one helps you detect individual page issues; the other allows you to diagnose sitewide problems.

How to Test and Measure the Core Web Vitals with PageSpeed Insights

The easiest way to test your site’s pages against Core Web Vitals is via Google PageSpeed Insights.

Google’s tool provides data on all three metrics and gives specific recommendations to improve their performance.

The Diagnostics section will become your best ally to get a better score!

Just plug in your site’s URL, and you’ll see Core Web Vitals metrics in both the Field Data (based on the CrUX report) and the Lab Data (based on Lighthouse 6.0).

The Core Web Vitals metrics are marked with a blue ribbon – as long as you get it, you meet the threshold required by Google.

PageSpeed score for the WP Rocket homepage

You should keep in mind some notes:

The Core Web Vitals scores can slightly differ between the Field and Lab Data. In the screenshot above, LCP is 1.8 s according to the Field Data and 2.2 s in the Lab Data. That’s normal, and it depends on how data is collected.
Not having any Field Data when running your test is not an issue. It’s because there’s not enough real user data available. It doesn’t impact your Core Web Vitals because PageSpeed Insights considers the Lab Data for the page speed score.If you’re wondering what happens with the First Input Delay, not included in the Lab Data, you’ll get your answer in a few lines!
Always check both the mobile and desktop results. Your Core Web Vitals metrics will differ between the two. Keep in mind that the mobile score is the most relevant and the most challenging.

Let’s now look at how you can use PageSpeed Insights to identify the Core Web Vitals elements that need improvement.

Discovering the Largest Contentful Paint Element with PageSpeed Insights

As we explained, the LCP score measures how long it takes for the most meaningful element to become visible to your visitors.

To discover your site’s Largest Contentful Paint element, scroll down to the Diagnostics section and expand the Largest Contentful Paint element tab.

There, Google will display the HTML for the element that it’s using to measure LCP.

For example, on the desktop version of the WordPress.org homepage, the LCP element is an image:

The LCP element from the desktop – PageSpeed Insights

However, on the mobile version of the site, the LCP element is the subheading text:

The LCP element from the mobile – PageSpeed Insights

Discovering the Cumulative Layout Shift Elements with PageSpeed Insights

Quick recap: the Cumulative Layout Shift deals with how your site loads and whether or not your content “moves around” as new content is loaded.

To find the individual elements on your site that are “shifting” and affecting your score, go to the Avoid large layout shifts section in the Diagnostics area:

The CLS elements - PageSpeed Insights — The CLS elements – PageSpeed Insights

Discovering First Input Delay and Total Blocking Time with PageSpeed Insights

First Input Delay is about user interaction, remember? Meaning, how long it takes for the page to respond after interacting with an element such as a link or a button.

That’s why FID is based on actual user data, and you won’t find its score in the Lab Data. As we explained, you’ll only see FID times in the Field Data section — and only if the CrUX report has collected enough data.

In the Field Data, Total Blocking Time (TBT) will replace First Input Delay.

Total Blocking Time replaces First Input Delay in the Lab Data.

As long as you improve your Total Blocking Time, you’ll likely improve the FID score.

If you have a bad TBT score, you should go to the Minimize third-party usage section in the Diagnostics section.

Here, you’ll see what you can minimize in terms of third-party usage. It’s one of the main performance issues you need to solve – unless it’s already solved and included under the “Passed audits” sections, as you can see below:

Minimize third-party usage recommendation – PageSpeed Insights

How to Read the Core Web Vitals Report on Search Console

If you want to diagnose issues with your site as a whole, you should use the Core Web Vitals report in Google Search Console.

The report is based on an aggregate of real users’ data from CrUX. For this reason, the data included in the report could take a while before reporting issues. That’s why the Lab Data from Lighthouse is always valuable.

That said, the Core Web Vitals report is great to identify the groups of pages that require attention – both for desktop and mobile.

The Core Web Vitals report in Search Console – Overview

Once you open the report, you’ll find a Details tab that groups the URL performance by several criteria:

Status (Poor or Need improvement)
Metric type (e.g., CLS issue: more than 0.25 (desktop))
URL group (the list of URLs with similar performance).

Once you have fixed the URLs that needed an improvement, you’ll also be able to click on the Validation column and move forward with the “Validate Fix” option. Keep in mind that the validation process takes up to two weeks — be patient!

The Core Web Vitals report in Search Console – Details tab

How to Measure Core Web Vitals with Chrome Extensions

If you’re looking for a useful Chrome Extension, you could choose Web Vitals.

It gives you the Core Web Vital scores for any page you’re browsing:

You may also want to try CORE Serp Vitals, which shows you the Core Web Vitals results directly on the SERP. Remember that you need to enter a Chrome UX Report API key to let the extension work.

How to Improve Core Web Vitals on WordPress

Now for the critical question — if you aren’t currently meeting Google’s recommendations for the three Core Web Vitals metrics, how can you optimize your WordPress site to improve your Core Web Vitals scores?

The strategies are different for each metric. Most optimizations involve implementing WordPress performance best practices, though with a few points of emphasis — and that’s why choosing the best WordPress caching plugin will help you with no effort from your side.

Watch the video to understand how to optimize your Core Web Vitals, and keep reading to learn more about it.

How to Improve Largest Contentful Paint on WordPress

Optimizing for Largest Contentful Paint is the most straightforward metric as it’s pretty much entirely WordPress performance best practices:

Set up page caching. Page caching speeds up how quickly your server can respond and reduces the server response times (TTFB). Did you know that WP Rocket enables this automatically?
Optimize browser caching. You should set the right option for the static files that your browser keeps in its cache. By doing so, you’ll address the “Serve static assets with an efficient cache policy” PageSpeed Insights recommendation. Guess what? WP Rocket enables the optimal expiration length automatically.
Optimize your images. A lot of times, your LCP element will be an image. Optimizing your images will speed up your site and address PageSpeed recommendations such as “Properly size images”, “Defer offscreen images”, “Serve images in next-gen formats”, and “Efficiently encode images”. You can use Imagify to optimize WordPress images automatically.
Optimize your code. Loading unnecessary CSS or JavaScript files before your main content will slow down the loading time. You can fix this by eliminating render-blocking resources on your WordPress site. You should also minify CSS and Javascript files and remove unused CSS. Optimizing your code will help you address the “Avoid chaining critical requests” PageSpeed recommendation. Once again, you’ll get most of the job done by setting these optimizations up in the File Optimization tab in WP Rocket.
Use server-level compression. Using Gzip or Brotli compression will reduce your site’s file size, which speeds up LCP and addresses the “Enable text compression” recommendation. WP Rocket automatically enables Gzip compression.
Use preconnect for important resources. Preconnect lets you establish important third-party connections early and addresses the “Preload key requests” and “Preconnect to required origins” recommendations. You can learn more in our tutorial.
Use a content delivery network (CDN) for global audiences. If you have a global audience, a CDN can speed up your LCP time for visitors around the world. It’s another effective way to reduce the Time to First Byte (TTFB). You can use our RocketCDN service.

The easiest way to implement most of these best practices is to use WP Rocket. WP Rocket will automatically apply page caching and server-level compression as soon as you activate it. It also includes other features to help you optimize your site’s code and performance, all of which improve your LCP time.

Source :
https://wp-rocket.me/google-core-web-vitals-wordpress/

Teaming in Azure Stack HCI

As we’re deprecating the vSwitch attached to an LBFO team, this article introduces a new tool for converting your LBFO team to a SET team. To download this tool, run the following command or see the end of this article.

Install-Module Convert-LBFO2SET

Windows Server currently has two inbox teaming mechanisms with two very different purposes. In this article, we’ll describe several reasons why you should use Switch Embedded Teaming (SET) for Azure Stack HCI scenarios and we’ll discuss several long-held teaming myths – We’d love to hear your feedback in the comments below. Let’s get started!

In Windows Server 2012 we released LBFO as an inbox teaming mechanism, with many customers leveraging this technology to provide load-balancing and fail-over between network adapters. Since then, the rise of software-defined storage and software defined networking has brought performance and compatibility challenges to the forefront (outlined in this article) with the LBFO architecture that required a change in direction.

This new direction is called Switch Embedded Teaming (SET) and was introduced in Windows Server 2016. SET is available when Hyper-V is installed on any Server OS (Windows Server 2016 and higher) and Windows 10 version 1809 (and higher). You’re not required to run virtual machines to use SET, but the Hyper-V role must be installed.

In summary, LBFO is our older teaming technology that will not see future investment, is not compatible with numerous advanced capabilities, and has been exceeded in both performance and stability by our new technology (SET). We’d like to discuss why you should move off LBFO for virtualized and cloud scenarios. Let’s dig into this paragraph a bit.

LBFO is our older teaming technology that will not see future investment

thumbnail image 1 of blog post titled

Teaming in Azure Stack HCI

With the intent to bring software-defined technologies like SDNv2 and containers to Windows Server, it became clear that we needed an alternative teaming solution and so we set off creating SET, circa 2014. Simultaneously reaching feature parity and stability with LBFO took time; several early adopters of SET will remember some of these pains. However, SET’s stability, performance, and features have now far surpassed LBFO.

All new features released since Windows Server 2016 (see below) were developed and tested with SET in mind – This includes all Azure Stack HCI solutions you may have purchased; Azure Stack HCI is not tested or certified with LBFO. This is largely due to development simplicity and testing; without driving too far into unimportant details, LBFO teams adapters inside NDIS which is a large and complex component – its roots date back to Windows 95 (of course updated considerably since then). If your system has a NIC, you’re using NDIS. In the picture shown above, each component below the vSwitch was part of NDIS.

The size and complexity of scenarios included in NDIS made for very complex testing requirements that were only compounded by virtualized and software-defined technologies that considerably hampered feature innovation. You might think that this is just a Microsoft problem, but really this affects NIC vendor driver development time and stability as well.

All-in-all, we’re not focusing on LBFO much these days, particularly as software-defined Windows Server networking scenarios become more exotic with the rise of containers, software-defined networking, and much more. There’s a faster, more stable, and performant teaming solution, called Switch Embedded Teaming.

LBFO is not compatible with several advanced capabilities

Here’s a smattering of scenarios and features that are supported with SET but NOT LBFO:

Windows Admin Center – WAC is the de facto management tool for Windows Server and Azure Stack HCI, with millions of nodes under management. You can create and manage a SET team for a single host, or deploy a SET team to multiple hosts with the new Cluster Creation UI we released to help you deploy Azure Stack HCI solutions at Microsoft Ignite this year (watch the session, try it out, and give us feedback).

LBFO is not available for configuration in Windows Admin Center.

RDMA Teaming – Only SET can team RDMA adapters. RDMA is used for example with Storage Spaces Direct (S2D) which requires a reliable high bandwidth, low latency network connection between each node. High-bandwidth? Low Latency? That’s RDMA’s bag so it is the recommended pattern with S2D. Reliability? That’s SET’s claim-to-fame so these two are a logical pairing.

Guest RDMA: SET supports RDMA into a virtual machine. This doesn’t work with LBFO for two reasons:

RDMA adapters cannot be teamed with LBFO both host adapters and virtual adapters.
RDMA uses SMB multichannel which requires multiple adapters to balance traffic across. Since you can’t assign a vNIC to pNIC affinity with LBFO, neither the SMB nor non-SMB traffic can be made highly available.

Guest Teaming is a strange one; you could add multiple virtual NICs to a Hyper-V VM; inside the VM, you could use LBFO to team the virtual NICs. However, you cannot affinitize a virtual NIC (vNIC) to a physical NIC (pNIC), so it’s possible that both vNICs added in the VM are sending and receiving traffic out of the same pNIC. If that pNIC fails, you lose both of your virtual NICs.

SET allows you to map each vNIC to a pNIC to ensure that they don’t overlap, ensuring that a Guest Team is able to survive an adapter outage.

Microsoft Software Defined Networking – (SDN) was first released in its modern form in Windows Server 2016 and requires a virtual switch extension called the Virtual Filtering Platform (VFP). VFP is the brains behind SDN, the same extension that runs our public cloud, Azure. VFP can only be added to a SET team.

This means that any of the SDN features (which are included with a Datacenter Edition license) like the Software Load Balancer, Gateways, Distributed Firewall (ACLs), and our modern network QoS capability are also unavailable if you’re using LBFO.

Container Networking – Containers relies on a service called the Host Network Service (HNS). HNS also leverages VFP and as mentioned in the SDN section, VFP can only be added to a Switch Embedded Team (SET). For more information on Container Networking, please see this link.

Virtual Machine Multi-Queues – VMMQ is a critical performance feature for Azure Stack HCI. VMMQ allows you to assign multiple VMQs to the same virtual NIC without which, you rely on expensive software spreading operations (the OS spreads packets across multiple CPUs without hardware (NIC) assistance) that greatly increases CPU utilization on the host, reducing the number of virtual machines you can run.

Moreover, if your vNIC doesn’t get a VMQ, all traffic is processed by the default queue. With SET you can assign multiple VMQs to the default queue which can be shared as needed by any vNIC allowing more VMs to get the bandwidth they need.

In this video, you can see the performance (throughput) benefits of Switch Embedded Teaming over that of LBFO. The video demonstrates a 2x throughput improvement with SET over LBFO, while consuming ~10% additional CPU (a result of double the throughput).

Dynamic VMMQ – d.VMMQ won’t work either. Dynamic VMMQ is an intelligent queue scheduling algorithm for VMMQ that recognizes when CPU cores are overworked by network traffic and reassigns that network traffic processing to other cores automatically so your workloads (e.g. VMs, applications, etc.) can run without competing for processor time.

Here’s an example of some of the benefits of Dynamic VMMQ. In the video, you can see the host, spending CPU resources processing packets for a specific virtual NIC. When a competing workload begins on the system (which would prevent the virtual NIC from reaching maximum performance), we automatically tune the system by moving one of the workloads to an available processor.

RSC in the vSwitch is an acceleration that coalesces segments destined for the same virtual NIC into a larger segment.

Outbound network traffic is slimmed to fit into the mtu size of the physical network (default of ~1500 bytes). However, inbound traffic can be coalesced into one big segment. That one big segment takes far less processing than multiple small segments, so once traffic is received by the host, we can combine them and deliver several segments to the vNIC all at once. SET was made aware of RSC coalescing and supports this acceleration as of Windows Server 2019.

We’re continuing to improve this feature for even better performance in the next version of Windows Server and Azure Stack HCI by enabling RSC in the vSwitch to extend over the VMBus. In the video below, we show one VM sending traffic to another VM with the improved acceleration disabled – This is using only the original Windows Server 2019, RSC in the vSwitch capabilities.

Next we enable the Windows Server vNext improvements; throughput is improved by ~17 Gbps while CPU resourcing is reduced by approximately 12% (20 cores on the system). This type of traffic pattern is specifically valuable for container scenarios that reside on the same host.

LBFO has been exceeded in both performance and stability by SET

Note: Guest RDMA, RSC in the vSwitch, VMMQ, and Dynamic VMMQ belong in this category as well.

Certified Azure Stack and Azure Stack HCI solutions test only SET

If all that wasn’t enough, both Microsoft and our partners validate and certify their solutions on SET, not LBFO. If you bought a certified Azure Stack HCI solution from one of our partners OR a standard or premium logo’d NIC, it was tested and validated with Switch Embedded Teaming. That means all certification tests where run with SET.

Link Aggregation Control Protocol (LACP)

thumbnail image 2 of blog post titled

Teaming in Azure Stack HCI

Ok, so this one is a little counter-intuitive. LACP, allows for port-channels or switch-dependent teams to send traffic to the host over more than one physical port simultaneously.

For native hosts this means that every port in the port-channel can send traffic simultaneously – for the system on the right with 2 x 50 Gbps NICs, it looks like one big pipe with a native host potentially receiving 100 Gbps. Naturally, you’d expect that this capability could extend to virtual NICs as well.

But things change with virtualization. When the traffic gets to the host, the NICs need to interrupt multiple, independent processors to exceed what a single CPU core can process – This is what VMMQ does, and as mentioned, VMMQ does not work with LBFO.

LBFO limits you to a single VMQ and despite having (in the picture) 100 Gbps of inbound bandwidth, you would only receive about 5 Gbps per virtual NIC (or up to ~20 Gbps per vNIC at the painful expense of OS-based software spreading that could be used for running virtual machine workloads).

thumbnail image 3 of blog post titled

Teaming in Azure Stack HCI

With SET, switch-independent teaming, and the hardware assistance of VMMQ and enough CPUs in the system, you could receive all 100 Gbps of data into the host.

In summary, LACP provides no throughput benefits for Azure Stack HCI scenarios, incurs higher CPU consumption, and cannot auto-tune the system to avoid competition between workloads for virtualized scenarios (Dynamic VMMQ).

Asymmetric Adapters

While we’re myth-busting, let’s talk about adapter symmetry which describes the length to which adapters have the same make, model, speed, and configuration – SET requires adapter symmetry for Microsoft support. Usually the easiest way to identify this symmetry is by the device Interface Description (with PowerShell, use Get-NetAdapter). If the interface description matches (with exception of the unique number given to each adapter e.g. Intel NIC #1, Intel NIC #2, etc.) then the adapters are symmetric.

Prior to Windows Server 2016, conventional wisdom stated that you should use different NICs with different drivers in a team. The thinking was that if one driver had an issue, another team member would survive, and the team would remain up. This is a common benefit customers cite in favor of LBFO: it supports asymmetric adapters.

However, two drivers mean twice as many things can go wrong in fact increasing the likelihood of a problem. Instead, a properly designed infrastructure with symmetric adapters are far more stable in our review of customer support cases. As a result, support for asymmetric teams are no longer a differentiator for LBFO nor do we recommend it for Azure Stack HCI scenarios where reliability is the #1 requirement.

LBFO for management adapters

Some customers I’ve worked with have asked if they should use LBFO for management adapters when the vSwitch is not attached – Our recommendation is to always use SET whenever available. A management adapter’s goal in life is to be stable and we see less support cases with SET.

To be clear, if the adapter is not attached to a virtual switch, LBFO is acceptable however, you should endeavor to use SET whenever possible due to the support reasons outlined in this article.

vSwitch on LBFO Deprecation Status

Recently, we publicly announced our plans to deprecate the use of LBFO with the Hyper-V virtual switch. Moving forward, and due to the various reasons outlined in this article, we have decided to block the binding of the vSwitch on LBFO.

Prior to upgrading from Windows Server 2019 to vNext or if you have a fresh install of vNext, you will need to convert any LBFO teams to a SET team if it’s attached to a Hyper-V virtual switch. To make this simpler, we’re releasing a tool (available on the PowerShell gallery) called Convert-LBFO2SET.

You can install this tool using the command:

Install-Module Convert-LBFO2SET

Or for disconnected systems:

Save-Module Convert-LBFO2SET -Path C:\SomeFolderPath

Please see the wiki for instructions on how to use the tool however here’s an example where we convert a system with 10 host vNICs, 10 generation 1 VMs, and 10 generation 2 VMs.

Summary

LBFO remains our teaming solution if you are running your workloads on bare metal servers. If however, you are running virtualized or cloud scenarios like Azure Stack HCI, you should give Switch Embedded Teaming serious consideration. As we’ve described in this article, SET has been the Microsoft recommended teaming solution and focus since Windows Server 2016 as it brings better performance, stability, and feature support compared to LBFO.

Are there other questions you have about SET and LBFO? Please submit your questions in the comments below!

Thanks for reading,

Dan “All SET for Azure Stack HCI” Cuomo

Source :
https://techcommunity.microsoft.com/t5/networking-blog/teaming-in-azure-stack-hci/ba-p/1070642

Create and manage a Switch Embedded Teaming

What is Hyper-V Switch Embedded Teaming?

With Windows Server 2016, Microsoft brings us a new NIC (network interface card) teaming solution called Switch Embedded Teaming (SET). It is only available on servers running Windows Server 2016 with the Hyper-V role installed and is not backwards compatible.

SET allows us to group up to eight physical NICs to create one or more vNICs. Microsoft’s reasoning behind this is SET is best used for NICs 10 GB or bigger. SET only supports switch independent mode to make setup easy for us to configure. You can either plug all physical NICs into one physical switch or multiple physical switches if they are in the same subnet. Connecting the SET Team to multiple physical switches can give you extra redundancy.

Due to SET’s integration with the Hyper-V Virtual Switch, you are unable to use SET Teaming inside a virtual machine (VM). SET Teaming does not present the team interface to the VM, so you can utilize LBFO (load-balancing failover) Teaming inside a VM by adding additional vNICs to the VM.

Which NICS can I use?

If your NICS have passed the Windows Hardware Qualification and Logo (WHQL) test, then you can use them to create your SET Team. SET does require all NICs that are part of a SET Team to be identical. This means that they are from the same manufacturer, are the same model and have the same firmware and driver. You can only have up to eight NICs in one SET Team.

One good thing about SET teams is that you can configure Remote Direct Memory Access (RDMA) per vNIC. This means you can create multiple vNICS for your SET Team. You can configure a vNIC for storage and enable RDMA on it. You could then create another vNIC for management traffic and not enable RDMA. This is good for hyperconverged solutions.

SET compatibility with Windows Server

SET is compatible with the following networking technologies found in Windows Server 2016.

Datacentre bridging (DCB)
Hyper-V Network Virtualization — NV-GRE and VxLAN are both supported in Windows Server 2016.
Receive-side Checksum offloads (IPv4, IPv6, TCP) — These are only supported if at least one of the SET Team members support them.
Remote Direct Memory Access (RDMA)
Single root I/O virtualization (SR-IOV)
Transmit-side Checksum offloads (IPv4, IPv6, TCP) — These are only supported if all the SET team members support them.
Virtual Machine Queues (VMQ)
Virtual Receive Side Scaling (RSS)

SET is not compatible with the following networking technologies in Windows Server 2016.

1X authentication
IPsec Task Offload (IPsecTO)
QoS in host or native operating systems
Receive side coalescing (RSC)
Receive side scaling (RSS)
TCP Chimney Offload
Virtual Machine QoS (VM-QoS)

SET modes and settings

When you first create a SET Team, you are unable to configure a team name and you are unable to set NICS to standby like you can with the NIC Teaming in Windows Server 2012 r2. In fact, with SET Teams all NICS are always active.

Another difference between SET Teams and LBFO (load balanced fail over) teams is that with NIC teaming you had a choice of three different teaming modes. SET only gives you one choice: Switch Independent. Switch Independent mode means the physical switch or switches are unaware of the SET Team and do not determine how to distribute the network traffic.

There are two team properties that need to be configured when you create a SET Team. They are:

Member adapters
Load balancing mode

Member adapters

As stated earlier in this post, when you are creating a SET Team, you must use up to eight identical NICS. You can create your SET Switch with just one NIC to start, but any new members must be identical.

Load Balancing mode

There are two Load Balancing distribution modes for SET Teams. They are:

Hyper-V Port
Dynamic

Hyper-V port

When using Hyper-V port mode for SET Teams, VMs are connected to a port on the Hyper-V Switch. This is just like a physical server would be connected to a port on a physical switch. The Hyper-V Virtual Switch port and the VM’s MAC address are used to divide the network traffic between the SET Team members.

If you use Switch Embedded Teaming with Packet Direct, you must use the Switch Independent Teaming mode and the Hyper-V port load balancing mode.

With this teaming mode, any adjacent switches will always see a VM’s MAC address on a given port. This allows the switch to distribute the ingress load (the traffic coming into the Hyper-V host from the switch) to the port where the MAC address is located. Hyper-V port mode is very useful when you utilize Virtual Machine Queues (VMQs) because a queue can be placed on the NIC where the traffic is expected to arrive.

Hyper-V port mode is not the best if you are only hosting a few VMs due to it not being granular enough to achieve a well-balanced distribution. This mode also limits each VM to the bandwidth that’s available on a single NIC.

Dynamic

When using the Dynamic port mode for SET Teams, all outbound loads are distributed using a hash of the TCP Ports and IP addresses. Dynamic Port mode also rebalances loads in real time to allow outbound flow to move between each SET Team member.

For inbound loads, all traffic is distributed in the same way as the Hyper-V port mode. Outbound loads use flowlets to dynamically balance. A flowlet is the portion of a TCP flow between two naturally occurring breaks. When the dynamic port mode detects a flowlet boundary, it will automatically rebalance the flow to another member of the SET Team, if appropriate. It is known that in some uncommon circumstances dynamic port mode may rebalance flows that do not contain any flowlets. Due to this, the affinity between a Team member and the TCP flow can change as the traffic is balanced.

Creating and managing a SET Team

Although it is recommended that you use Microsoft Virtual Machine Manager (VMM) to configure SET Teams, not every company has this. That’s where PowerShell comes in.

In the following section, we will be go through the process of creating a SET Team, adding and removing NICs to a SET team, changing the Load Balancing Mode and removing a SET team.

Create a SET Team

You can only create a SET Team at the same NIC that is used for a Hyper-V Virtual Switch. To create a SET Team with one NIC use the following PowerShell code in an elevated PowerShell window:

New-VMSwitch -Name "SET Team" -NetAdapterName "NIC 1" -EnableEmbeddedTeaming $true

You can change SET Team to any name you need, as well as adapter name NIC 1, to the name of your NIC. This can be done by using the following PowerShell command:

Get-NetAdapter

You should have a list of all your adapters. The first column is Name. This is the name of your network adapter that you need to use for the -NetAdapterName.

To create a SET Team with more than one NIC, you can use the following PowerShell command in an elevated PowerShell window:

New-VMSwitch -Name "SET Team" -NetAdapterName "NIC 1","NIC 2"

Notice when adding more than one NIC you don’t need to add the -EnableEmbeddedTeaming because it is assumed by Windows PowerShell when the argument to -NetAdapterName is an array of NICs.

Adding and removing SET Team members

The only way to add or remove SET Team members is to use the SET-VMSwitchTeam command. You basically name the SET switch and which adapters you want to be in it. Let’s say you have created your SET switch with NIC 1 and NIC 2, and now you want to remove NIC 2 and add NIC 3:

Set-VMSwitchTeam -Name SET Team -NetAdapterName "NIC 1","NIC 3"

If you now need to remove NIC 1, you can use the following command:

Set-VMSwitchTeam -Name "SET Team" -NetAdapterName "NIC 3"

To add NIC 2 back in to the SET Team, you can use the following command:

Set-VMSwitchTeam -Name "SET Team" -NetAdapterName "NIC 3","NIC 2"

Change the Load Balancing Mode

To change the Load Balancing Mode between the two mentioned above, you can use the following PowerShell command (just Change Dynamic to HyperVPort):

Set-VMSwitchTeam -Name "SET Team" -LoadBalancingAlgorithm Dynamic

To view which Load Balancing Mode you currently have:

Get-VMSwitchTeam -Name "SET Team" | FL

Remove a SET Team

The only way to remove a SET Team is by removing the Hyper-V Virtual switch completely:

Remove-VMSwitch "SET Team"

Now you have learned how to create, manage and remove a SET switch. Hopefully, you will find this post beneficial and helpful. If you have any questions, leave a comment.

See more:

PowerShell – Hyper-V Cmdlets

Check out: PowerShell Vault, PowerShell Category, Azure Cmdlets, SCCM Cmdlets, PowerShell Cmdlets, AD Cmdlets

Add-VMDvdDrive	Adds a DVD drive to a virtual machine.
Add-VMFibreChannelHba	Adds a virtual Fibre Channel host bus adapter to a virtual machine.
Add-VMGroupMember	Adds group members to a virtual machine group.
Add-VMHardDiskDrive	Adds a hard disk drive to a virtual machine.
Add-VMMigrationNetwork	Adds a network for virtual machine migration on one or more virtual machine hosts.
Add-VMNetworkAdapter	Adds a virtual network adapter to a virtual machine.
Add-VMNetworkAdapterAcl	Creates an ACL to apply to the traffic through a virtual machine network adapter.
Add-VMNetworkAdapterExtendedAcl	Creates an extended ACL for a virtual network adapter.
Add-VMRemoteFx3dVideoAdapter	Adds a RemoteFX video adapter in a virtual machine.
Add-VMScsiController	Adds a SCSI controller in a virtual machine.
Add-VMStoragePath	Adds a path to a storage resource pool.
Add-VMSwitch	Adds a virtual switch to an Ethernet resource pool.
Add-VMSwitchExtensionPortFeature	Adds a feature to a virtual network adapter.
Add-VMSwitchExtensionSwitchFeature	Adds a feature to a virtual switch.
Add-VMSwitchTeamMember	Adds members to a virtual switch team.
Add-VmNetworkAdapterRoutingDomainMapping	Adds a routing domain and virtual subnets to a virtual network adapter.
Checkpoint-VM	Creates a checkpoint of a virtual machine.
Compare-VM	Compares a virtual machine and a virtual machine host for compatibility, returning a compatibility report.
Complete-VMFailover	Completes a virtual machine’s failover process on the Replica server.
Connect-VMNetworkAdapter	Connects a virtual network adapter to a virtual switch.
Connect-VMSan	Associates a host bus adapter with a virtual storage area network (SAN).
Convert-VHD	Converts the format, version type, and block size of a virtual hard disk file.
Copy-VMFile	Copies a file to a virtual machine.
Debug-VM	Debugs a virtual machine.
Disable-VMConsoleSupport	Disables keyboard, video, and mouse for virtual machines.
Disable-VMEventing	Disables virtual machine eventing.
Disable-VMIntegrationService	Disables an integration service on a virtual machine.
Disable-VMMigration	Disables migration on one or more virtual machine hosts.
Disable-VMRemoteFXPhysicalVideoAdapter	Disables one or more RemoteFX physical video adapters from use with RemoteFX-enabled virtual machines.
Disable-VMResourceMetering	Disables collection of resource utilization data for a virtual machine or resource pool.
Disable-VMSwitchExtension	Disables one or more extensions on one or more virtual switches.
Disable-VMTPM	Disables TPM functionality on a virtual machine.
Disconnect-VMNetworkAdapter	Disconnects a virtual network adapter from a virtual switch or Ethernet resource pool.
Disconnect-VMSan	Removes a host bus adapter from a virtual storage area network (SAN).
Dismount-VHD	Dismounts a virtual hard disk.
Enable-VMConsoleSupport	Enables keyboard, video, and mouse for virtual machines.
Enable-VMEventing	Enables virtual machine eventing.
Enable-VMIntegrationService	Enables an integration service on a virtual machine.
Enable-VMMigration	Enables migration on one or more virtual machine hosts.
Enable-VMRemoteFXPhysicalVideoAdapter	Enables one or more RemoteFX physical video adapters for use with RemoteFX-enabled virtual machines.
Enable-VMReplication	Enables replication of a virtual machine.
Enable-VMResourceMetering	Collects resource utilization data for a virtual machine or resource pool.
Enable-VMSwitchExtension	Enables one or more extensions on one or more switches.
Enable-VMTPM	Enables TPM functionality on a virtual machine.
Export-VM	Exports a virtual machine to disk.
Export-VMSnapshot	Exports a virtual machine checkpoint to disk.
Get-VHD	Gets the virtual hard disk object associated with a virtual hard disk.
Get-VHDSet	Gets information about a VHD set.
Get-VHDSnapshot	Gets information about a checkpoint in a VHD set.
Get-VM	Gets the virtual machines from one or more Hyper-V hosts.
Get-VMBios	Gets the BIOS of a virtual machine or snapshot.
Get-VMComPort	Gets the COM ports of a virtual machine or snapshot.
Get-VMConnectAccess	Gets entries showing users and the virtual machines to which they can connect on one or more Hyper-V hosts.
Get-VMDvdDrive	Gets the DVD drives attached to a virtual machine or snapshot.
Get-VMFibreChannelHba	Gets the Fibre Channel host bus adapters associated with one or more virtual machines.
Get-VMFirmware	Gets the firmware configuration of a virtual machine.
Get-VMFloppyDiskDrive	Gets the floppy disk drives of a virtual machine or snapshot.
Get-VMGroup	Gets virtual machine groups.
Get-VMHardDiskDrive	Gets the virtual hard disk drives attached to one or more virtual machines.
Get-VMHost	Gets a Hyper-V host.
Get-VMHostCluster	Gets virtual machine host clusters.
Get-VMHostNumaNode	Gets the NUMA topology of a virtual machine host.
Get-VMHostNumaNodeStatus	Gets the status of the virtual machines on the non-uniform memory access (NUMA) nodes of a virtual machine host or hosts.
Get-VMHostSupportedVersion	Returns a list of virtual machine configuration versions that are supported on a host.
Get-VMIdeController	Gets the IDE controllers of a virtual machine or snapshot.
Get-VMIntegrationService	Gets the integration services of a virtual machine or snapshot.
Get-VMKeyProtector	Retrieves a key protector for a virtual machine.
Get-VMMemory	Gets the memory of a virtual machine or snapshot.
Get-VMMigrationNetwork	Gets the networks added for migration to one or more virtual machine hosts.
Get-VMNetworkAdapter	Gets the virtual network adapters of a virtual machine, snapshot, management operating system, or of a virtual machine and management operating system.
Get-VMNetworkAdapterAcl	Gets the ACLs configured for a virtual machine network adapter.
Get-VMNetworkAdapterExtendedAcl	Gets extended ACLs configured for a virtual network adapter.
Get-VMNetworkAdapterFailoverConfiguration	Gets the IP address of a virtual network adapter configured to be used when a virtual machine fails over.
Get-VMNetworkAdapterRoutingDomainMapping	Gets members of a routing domain.
Get-VMNetworkAdapterTeamMapping
Get-VMNetworkAdapterVlan	Gets the virtual LAN settings configured on a virtual network adapter.
Get-VMProcessor	Gets the processor of a virtual machine or snapshot.
Get-VMRemoteFXPhysicalVideoAdapter	Gets the RemoteFX physical graphics adapters on one or more Hyper-V hosts.
Get-VMRemoteFx3dVideoAdapter	Gets the RemoteFX video adapter of a virtual machine or snapshot.
Get-VMReplication	Gets the replication settings for a virtual machine.
Get-VMReplicationAuthorizationEntry	Gets the authorization entries of a Replica server.
Get-VMReplicationServer	Gets the replication and authentication settings of a Replica server.
Get-VMResourcePool	Gets the resource pools on one or more virtual machine hosts.
Get-VMSan	Gets the available virtual machine storage area networks on a Hyper-V host or hosts.
Get-VMScsiController	Gets the SCSI controllers of a virtual machine or snapshot.
Get-VMSecurity	Gets security information about a virtual machine.
Get-VMSnapshot	Gets the checkpoints associated with a virtual machine or checkpoint.
Get-VMStoragePath	Gets the storage paths in a storage resource pool.
Get-VMSwitch	Gets virtual switches from one or more virtual Hyper-V hosts.
Get-VMSwitchExtension	Gets the extensions on one or more virtual switches.
Get-VMSwitchExtensionPortData	Retrieves the status of a virtual switch extension feature applied to a virtual network adapter.
Get-VMSwitchExtensionPortFeature	Gets the features configured on a virtual network adapter.
Get-VMSwitchExtensionSwitchData	Gets the status of a virtual switch extension feature applied on a virtual switch.
Get-VMSwitchExtensionSwitchFeature	Gets the features configured on a virtual switch.
Get-VMSwitchTeam	Gets virtual switch teams from Hyper-V hosts.
Get-VMSystemSwitchExtension	Gets the switch extensions installed on a virtual machine host.
Get-VMSystemSwitchExtensionPortFeature	Gets the port-level features supported by virtual switch extensions on one or more Hyper-V hosts.
Get-VMSystemSwitchExtensionSwitchFeature	Gets the switch-level features on one or more Hyper-V hosts.
Get-VMVideo	Gets video settings for virtual machines.
Get-VmNetworkAdapterIsolation	Gets isolation settings for a virtual network adapter.
Grant-VMConnectAccess	Grants a user or users access to connect to a virtual machine or machines.
Import-VM	Imports a virtual machine from a file.
Import-VMInitialReplication	Imports initial replication files for a Replica virtual machine to complete the initial replication when using external media as the source.
Measure-VM	Reports resource utilization data for one or more virtual machines.
Measure-VMReplication	Gets replication statistics and information associated with a virtual machine.
Measure-VMResourcePool	Reports resource utilization data for one or more resource pools.
Merge-VHD	Merges virtual hard disks.
Mount-VHD	Mounts one or more virtual hard disks.
Move-VM	Moves a virtual machine to a new Hyper-V host.
Move-VMStorage	Moves the storage of a virtual machine.
New-VFD	Creates a virtual floppy disk.
New-VHD	Creates one or more new virtual hard disks.
New-VM	Creates a new virtual machine.
New-VMGroup	Creates a virtual machine group.
New-VMReplicationAuthorizationEntry	Creates a new authorization entry that allows one or more primary servers to replicate data to a specified Replica server.
New-VMResourcePool	Creates a resource pool.
New-VMSan	Creates a new virtual storage area network (SAN) on a Hyper-V host.
New-VMSwitch	Creates a new virtual switch on one or more virtual machine hosts.
Optimize-VHD	Optimizes the allocation of space used by virtual hard disk files, except for fixed virtual hard disks.
Optimize-VHDSet	Optimizes VHD set files.
Remove-VHDSnapshot	Removes a checkpoint from a VHD set file.
Remove-VM	Deletes a virtual machine.
Remove-VMDvdDrive	Deletes a DVD drive from a virtual machine.
Remove-VMFibreChannelHba	Removes a Fibre Channel host bus adapter from a virtual machine.
Remove-VMGroup	Removes a virtual machine group.
Remove-VMGroupMember	Removes members from a virtual machine group.
Remove-VMHardDiskDrive	Deletes a hard disk drive from a virtual machine.
Remove-VMMigrationNetwork	Removes a network from use with migration.
Remove-VMNetworkAdapter	Removes one or more virtual network adapters from a virtual machine.
Remove-VMNetworkAdapterAcl	Removes an ACL applied to the traffic through a virtual network adapter.
Remove-VMNetworkAdapterExtendedAcl	Removes an extended ACL for a virtual network adapter.
Remove-VMNetworkAdapterRoutingDomainMapping	Removes a routing domain from a virtual network adapter.
Remove-VMNetworkAdapterTeamMapping
Remove-VMRemoteFx3dVideoAdapter	Removes a RemoteFX 3D video adapter from a virtual machine.
Remove-VMReplication	Removes the replication relationship of a virtual machine.
Remove-VMReplicationAuthorizationEntry	Removes an authorization entry from a Replica server.
Remove-VMResourcePool	Deletes a resource pool from one or more virtual machine hosts.
Remove-VMSan	Removes a virtual storage area network (SAN) from a Hyper-V host.
Remove-VMSavedState	Deletes the saved state of a saved virtual machine.
Remove-VMScsiController	Removes a SCSI controller from a virtual machine.
Remove-VMSnapshot	Deletes a virtual machine checkpoint.
Remove-VMStoragePath	Removes a path from a storage resource pool.
Remove-VMSwitch	Deletes a virtual switch.
Remove-VMSwitchExtensionPortFeature	Removes a feature from a virtual network adapter.
Remove-VMSwitchExtensionSwitchFeature	Removes a feature from a virtual switch.
Remove-VMSwitchTeamMember	Removes a member from a virtual machine switch team.
Rename-VM	Renames a virtual machine.
Rename-VMGroup	Renames virtual machine groups.
Rename-VMNetworkAdapter	Renames a virtual network adapter on a virtual machine or on the management operating system.
Rename-VMResourcePool	Renames a resource pool on one or more Hyper-V hosts.
Rename-VMSan	Renames a virtual storage area network (SAN).
Rename-VMSnapshot	Renames a virtual machine checkpoint.
Rename-VMSwitch	Renames a virtual switch.
Repair-VM	Repairs one or more virtual machines.
Reset-VMReplicationStatistics	Resets the replication statistics of a virtual machine.
Reset-VMResourceMetering	Resets the resource utilization data collected by Hyper-V resource metering.
Resize-VHD	Resizes a virtual hard disk.
Restart-VM	Restarts a virtual machine.
Restore-VMSnapshot	Restores a virtual machine checkpoint.
Resume-VM	Resumes a suspended (paused) virtual machine.
Resume-VMReplication	Resumes a virtual machine replication that is in a state of Paused, Error, Resynchronization Required, or Suspended.
Revoke-VMConnectAccess	Revokes access for one or more users to connect to a one or more virtual machines.
Save-VM	Saves a virtual machine.
Set-VHD	Sets properties associated with a virtual hard disk.
Set-VM	Configures a virtual machine.
Set-VMBios	Configures the BIOS of a Generation 1 virtual machine.
Set-VMComPort	Configures the COM port of a virtual machine.
Set-VMDvdDrive	Configures a virtual DVD drive.
Set-VMFibreChannelHba	Configures a Fibre Channel host bus adapter on a virtual machine.
Set-VMFirmware	Sets the firmware configuration of a virtual machine.
Set-VMFloppyDiskDrive	Configures a virtual floppy disk drive.
Set-VMHardDiskDrive	Configures a virtual hard disk.
Set-VMHost	Configures a Hyper-V host.
Set-VMHostCluster	Configures a virtual machine host cluster.
Set-VMKeyProtector	Configures a key protector for a virtual machine.
Set-VMMemory	Configures the memory of a virtual machine.
Set-VMMigrationNetwork	Sets the subnet, subnet mask, and/or priority of a migration network.
Set-VMNetworkAdapter	Configures features of the virtual network adapter in a virtual machine or the management operating system.
Set-VMNetworkAdapterFailoverConfiguration	Configures the IP address of a virtual network adapter to be used when a virtual machine fails over.
Set-VMNetworkAdapterTeamMapping
Set-VMNetworkAdapterVlan	Configures the virtual LAN settings for the traffic through a virtual network adapter.
Set-VMProcessor	Configures one or more processors of a virtual machine.
Set-VMRemoteFx3dVideoAdapter	Configures the RemoteFX 3D video adapter of a virtual machine.
Set-VMReplication	Modifies the replication settings of a virtual machine.
Set-VMReplicationAuthorizationEntry	Modifies an authorization entry on a Replica server.
Set-VMReplicationServer	Configures a host as a Replica server.
Set-VMResourcePool	Sets the parent resource pool for a selected resource pool.
Set-VMSan	Configures a virtual storage area network (SAN) on one or more Hyper-V hosts.
Set-VMSecurity	Configures security settings for a virtual machine.
Set-VMSecurityPolicy	Configures the security policy for a virtual machine.
Set-VMSwitch	Configures a virtual switch.
Set-VMSwitchExtensionPortFeature	Configures a feature on a virtual network adapter.
Set-VMSwitchExtensionSwitchFeature	Configures a feature on a virtual switch.
Set-VMSwitchTeam	Configures a virtual switch team.
Set-VMVideo	Configures video settings for virtual machines.
Set-VmNetworkAdapterIsolation	Modifies isolation settings for a virtual network adapter.
Set-VmNetworkAdapterRoutingDomainMapping	Sets virtual subnets on a routing domain.
Start-VM	Starts a virtual machine.
Start-VMFailover	Starts failover on a virtual machine.
Start-VMInitialReplication	Starts replication of a virtual machine.
Start-VMTrace	Starts tracing to a file.
Stop-VM	Shuts down, turns off, or saves a virtual machine.
Stop-VMFailover	Stops failover of a virtual machine.
Stop-VMInitialReplication	Stops an ongoing initial replication.
Stop-VMReplication	Cancels an ongoing virtual machine resynchronization.
Stop-VMTrace	Stops tracing to file.
Suspend-VM	Suspends, or pauses, a virtual machine.
Suspend-VMReplication	Suspends replication of a virtual machine.
Test-VHD	Tests a virtual hard disk for any problems that would make it unusable.
Test-VMNetworkAdapter	Tests connectivity between virtual machines.
Test-VMReplicationConnection	Tests the connection between a primary server and a Replica server.
Update-VMVersion	Updates the version of virtual machines.

Source :
https://eddiejackson.net/wp/?page_id=26483

Basic Authentication Deprecation in Exchange Online – September 2022 Update

One month from today, we’re going to start to turn off basic auth for specific protocols in Exchange Online for customers who use them.

Since our first announcement nearly three years ago, we’ve seen millions of users move away from basic auth, and we’ve disabled it in millions of tenants to proactively protect them.

We’re not done yet though, and unfortunately usage isn’t yet at zero. Despite that, we will start to turn off basic auth for several protocols for tenants not previously disabled.

Starting October 1^st, we will start to randomly select tenants and disable basic authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. We will post a message to the Message Center 7 days prior, and we will post Service Health Dashboard notifications to each tenant on the day of the change.

We will not be disabling or changing any settings for SMTP AUTH.

If you have removed your dependency on basic auth, this will not affect your tenant or users. If you have not (or are not sure), check the Message Center for the latest data contained in the monthly usage reports we have been sending monthly since October 2021. The data for August 2022 will be sent within the first few days of September.

What If You Are Not Ready for This Change?

We recognize that unfortunately there are still many tenants unprepared for this change. Despite multiple blog posts, Message Center posts, interruptions of service, and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers aware of the deadline who simply haven’t done the necessary work to avoid an outage.

Our goal with this effort has only ever been to protect your data and accounts from the increasing number of attacks we see that are leveraging basic auth.

However, we understand that email is a mission-critical service for many of our customers and turning off basic auth for many of them could potentially be very impactful.

One-Time Re-Enablement

Today we are announcing an update to our plan to offer customers who are unaware or are not ready for this change.

When we turn off basic auth after October 1^st, all customers will be able to use the self-service diagnostic to re-enable basic auth for any protocols they need, once per protocol. Details on this process are below.

Once this diagnostic is run, basic auth will be re-enabled for those protocol(s). Selected protocol(s) will stay enabled for basic auth use until end of December 2022. During the first week of calendar year 2023, those protocols will be disabled for basic auth use permanently, and there will be no possibility of using basic auth after that.

Avoiding Disruption

If you already know you need more time and wish to avoid the disruption of having basic auth disabled you can run the diagnostics during the month of September, and when October comes, we will not disable basic for protocol(s) you specify. We will disable basic for any non-opted-out protocols, but you will be able to re-enable them (until the end of the year) by following the steps below if you later decide you need those too.

In other words – if you do not want basic for a specific protocol or protocols disabled in October, you can use the same self-service diagnostic in the month of September. Details on this process below.

Diagnostic Options

Thousands of customers have already used the self-service diagnostic we discussed in earlier blog posts (here and here) to re-enable basic auth for a protocol that had been turned off, or to tell us not to include them in our proactive protection expansion program. We’re using this same diagnostic again, but the workflow is changing a little.

Today, we have archived all prior re-enable and opt-out requests. If you have previously opted out or re-enabled basic for some protocol, you’ll need to follow the steps below during the month of September to indicate you want us to leave something enabled for basic auth after Oct 1.

To invoke the self-service diagnostic, you can go directly to the basic auth self-help diagnostic by simply clicking on this button (it’ll bring up the diagnostic in the Microsoft 365 admin center if you’re a tenant Global Admin):

thumbnail image 1 of blog post titled

Basic Authentication Deprecation in Exchange Online – September 2022 Update

Or you can open the Microsoft 365 admin center and click the green Help & support button in the lower right-hand corner of the screen.

thumbnail image 2 of blog post titled

Basic Authentication Deprecation in Exchange Online – September 2022 Update

thumbnail image 3 of blog post titled

Basic Authentication Deprecation in Exchange Online – September 2022 Update

When you click the button, you enter our self-help system. Here you can enter the phrase “Diag: Enable Basic Auth in EXO”

Customers with tenants in the Government Community Cloud (GCC) are unable to use the self-service diagnostic covered here. Those tenants may opt out by following the process contained in the Message Center post sent to their tenant today. If GCC customers need to re-enable a protocol following the Oct 1^st deadline they will need to open a support ticket.

Opting Out

During the month of September 2022, the diagnostic will offer only the option to opt-out. By submitting your opt-out request during September, you are telling us that you do not want us to disable basic for a protocol or protocols during October. Please understand we will be disabling basic auth for all tenants permanently in January 2023, regardless of their opt-out status.

The diagnostic will show a version of the dialog below, and you can re-run it for multiple protocols. It might look a bit different if some protocols have already been disabled. Note too that protocols are not removed from the list as you opt-out but rest assured (unless you receive an error) we will receive the request.

thumbnail image 4 of blog post titled

Basic Authentication Deprecation in Exchange Online – September 2022 Update

Re-Enabling Basic for protocols

Starting October 1, the diagnostic will only allow you to re-enable basic auth for a protocol that it was disabled for.

If you did not opt-out during September, and we disabled basic for a protocol you later realize you need, you can use this to re-enable it.

thumbnail image 5 of blog post titled

Basic Authentication Deprecation in Exchange Online – September 2022 Update

Within an hour (usually much sooner) after you run the diagnostics and ask us to re-enable basic for a protocol, basic auth will start to work again.

At this point, we have to remind you that by re-enabling basic for a protocol, you are leaving your users and data vulnerable to security risks, and that we have customers suffering from basic auth-based attacks every single day (but you know that already).

Starting January 1, 2023, the self-serve diagnostic will no longer be available, and basic auth will soon thereafter be disabled for all protocols.

Summary of timelines and actions

Please see the following flow chart to help illustrate the changes and actions that you might need to take:

thumbnail image 6 of blog post titled

Basic Authentication Deprecation in Exchange Online – September 2022 Update

Blocking Basic Authentication Yourself

If you re-enable basic for a protocol because you need some extra time and then afterward no longer need basic auth you can block it yourself instead of waiting for us to do it in January 2023. The quickest and most effective way to do this is to use Authentication Policies which block basic auth connections at the first point of contact to Exchange Online.

Just go into the Microsoft 365 admin center, navigate to Settings, Org Settings, Modern Authentication and uncheck the boxes to block basic for all protocols you no longer need (these checkboxes will do nothing once we block basic for a protocol permanently, and we’ll remove them some time after January 2023).

thumbnail image 7 of blog post titled

Basic Authentication Deprecation in Exchange Online – September 2022 Update

Reporting Web Service Endpoint

For those of you using the Reporting Web Service REST endpoint to get access to Message Tracking Logs and more, we’re also announcing today that this service will continue to have basic auth enabled until Dec 31^st for all customers, no opt-out or re-enablement is required. And, we’re pleased to be able to provide the long-awaited guidance for this too right here.

EOP/SCC PowerShell

Basic authentication will remain enabled until Dec 31^st, 2022. Customers need to migrate to certificate based authentication. Follow the Instructions here: App-only authentication

One Other Basic Authentication Related Update

We’re adding a new capability to Microsoft 365 to help our customers avoid the risks posed by basic authentication. This new feature changes the default behavior of Office applications to block sign-in prompts using basic authentication. With this change, if users try to open Office files on servers that only use basic authentication, they won’t see any basic authentication sign-in prompts. Instead, they’ll see a message that the file has been blocked because it uses a sign-in method that may be insecure.

You can read more about this great new feature here: Basic authentication sign-in prompts are blocked by default in Microsoft 365 Apps.

Office Team is looking for customers to opt-in to their Private Preview Program for this feature. Please send them an email if you are interested in signing up: basicauthdeprmailer@microsoft.com.

Summary

This effort has taken three years from initial communication until now, and even that has not been enough time to ensure that all customers know about this change and take all necessary steps. IT and change can be hard, and the pandemic changed priorities for many of us, but everyone wants the same thing: better security for their users and data.

Our customers are important to us, and we do not want to see them breached, or disrupted. It’s a fine balance but we hope this final option will allow the remaining customers using Basic auth to finally get rid of it.

The end of 2022 will see us collectively reach that goal, to Improve Security – Together.

The Exchange Team

Source :
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437

UniFi – Console and Gateway Recovery Mode

The Recovery Mode User Interface (UI) is a special interface for UniFi OS Consoles (UDMP, UNVR, etc.) and gateways used to recover from various failure modes (indicated on the LCM screen of that device). From the Recovery Mode, you can perform the following actions:

Reset to Factory Defaults: Completely reset the device. Note this will also wipe out any stored backup files.
Reboot: Restart the device and re-load the existing configuration.
Power-off: Initiate a software shutdown on the device, after which you can safely remove the power cable.
Check Filesystems: Check the integrity of the file system.
Firmware Update: Upload a previously downloaded firmware image (.bin) file in order to upgrade the firmware.

You should only resort to using recovery mode if you are prompted by the LCM screen found on your device.

Performing a Device Recovery

Download the most recent firmware for your device. You can find information on our latest releases here.
Completely power-off the UniFi device and unplug it from its power source.
Press and hold the reset button and then power on the device by connecting it to the power source once again.
Keep the reset button pressed for about 5 seconds. After some time the display (in supported models) will indicate that the gateway is in Recovery Mode.
Connect an Ethernet cable from your computer to the first LAN port (port 1) on the UniFi gateway.

Note: Port 1 is always the first one. Either the top port, or the top left corner one, depending on the layout of your device’s ports.
Configure a static IP address on your computer in the 192.168.1.0/24 range (for example 192.168.1.11). Windows ClientmacOS clientNote: If a wireless adapter is enabled and connected to another network it could conflict with the connection to the UniFi device. Disable the wireless adapter if necessary.
Open a compatible web browser navigate to http://192.168.1.30 to access the Recovery Mode UI.

Note: The Recovery Mode UI is accessible via HTTP only and not HTTPS. It is possible that your browser will automatically try to redirect your session to HTTPS. Make sure to navigate to the http://192.168.1.30 address and use a different browser if necessary.
Select Firmware Update > Choose and browse your computer for the previously download firmware (.bin) image file.
Wait for the upgrade process to complete and reboot the device afterwards.

Source :
https://help.ui.com/hc/en-us/articles/360043360253-UniFi-Console-and-Gateway-Recovery-Mode

UniFi – Login with SSH (Advanced)

We do not recommend using SSH unless instructed by one of our Support Engineers as part of advanced troubleshooting. Inexperienced users risk making changes that may degrade network performance, or even worse, completely break your deployment. Proceed with caution.

Requirements

1. You are connected to the same local network as the device/console you plan to connect with via SSH. This may consist of using a laptop connected to the same WiFi network, or hardwired directly to the device.

2. SSH is enabled. UniFi Network devices and UniFi OS Consoles have independent SSH settings.

UniFi OS Consoles – Following setup, SSH is automatically disabled. It must be enabled in your UniFi OS System Settings.
UniFi Network Devices – Following setup, SSH is automatically enabled. The credentials consist of a random string of characters.

3. The device you are using has a command line interface (CLI) capable of establishing a Secure Shell (SSH) connection. Linux and macOS devices can use their native terminal. Windows OS requires PowerShell or PuTTY.

Establishing an SSH Connection

The format of the command used to establish an SSH connection is as follows:

ssh <username>@<ip-address>

The <username> for UniFi OS Consoles (UDM Pro / UNVR / Cloud Key) and UniFi Gateways (UXG Pro) is always ‘root’. For example, a Dream Machine Pro (gateway) with an IP address of 192.168.1.1 can be accessed as follows:

ssh root@192.168.1.1

Note: The UXG will use <username> = ‘root’, but the <password> will be the shared password set in your UniFi Network Application.

Default Credentials

Prior to setup/adoption, devices have a set of default credentials.

UniFi OS Consoles – root / ubnt
UniFi Gateways – root / ubnt
UniFi Devices – ubnt / ubnt

Source :
https://help.ui.com/hc/en-us/articles/204909374-UniFi-Login-with-SSH-Advanced-

UniFi – Advanced Updating Techniques

We recommend that most users enable automatic updates. Doing so allows you to specify when your UniFi deployment automatically checks for and installs updates.

UniFi OS Console and application update preferences can be configured in your UniFi OS Settings. Please note, though, that self-hosted UniFi Network applications do not offer automatic updating.

UniFi Network device update preferences are set in your Network application’s System Settings. Devices managed by other UniFi applications are automatically updated within their respective applications.

Manually Update UniFi Devices via Web Application

Updating via the Device Property Panel

Use Case: You want to try Early Access firmware releases for specific devices, or you want to return to an official release after trying an EA release.

1. Copy the firmware release link from community.ui.com/releases.

2. Paste the link in the address bar found in the Settings tab of the device’s properties panel.

Updating via Your Network Cache

Use Case: You prefer to download and store updates in your Network application so they can be used by other devices, as opposed to downloading multiple, device-specific files from the internet. This is an ideal solution for reducing bandwidth within high-volume networks that host a large number of similar UniFi devices. It is also suitable for the advanced users who disable internet access on their UniFi device’s management network.

Device updates can be cached in your Network application’s System Settings. Once an update is cached, you can open to your UniFi Devices page and click Update Available.

Note: The Cache link will appear when you hover your cursor over an update.

Updating via SSH

Note: SSH updating is not a typical or recommended method. It is only prescribed to work around specific scenarios, such as when:

Prior traditional update attempts have failed. A successful SSH update will help verify if initial failures resulted from incorrect network configuration. For more details, see Troubleshooting Device Updates.
Your UniFi Network device is not being discovered or cannot be adopted because it has been preloaded with outdated firmware.
Your UniFI OS Console cannot be set up because it has been preloaded with an outdated version of UniFi OS.

UAP/USW (Internet)

Copy the update link from community.ui.com/releases.
SSH into your device.
Run the following command:upgrade paste_download_link_here Exupgrade https://dl.ui.com/unifi/firmware/UAL6/5.60.1.12923/BZ.mt7621_5.60.1+12923.210416.1641.bin

UAP/USW (No Internet)

Download the desired firmware update from community.ui.com/releases.
Use the following SCP command to copy the file into the /tmp folder of your device. This requires a compatible SCP application (e.g., Terminal on macOS and Linux, PuTTY/PowerShell on Windows).scp /folder_path/firmwarefile.bin <user>@<IP of device>:/tmp/fwupdate.binExscp /Users/alexpro/Desktop/BZ.mt7621_5.60.1+12923.210416.1641.bin Alex@192.168.1.219:/tmp/fwupdate.bin
Enter your SSH password when prompted.
Run the following command:syswrapper.sh upgrade2 &

UDM/UDM Pro/UXG Pro (Internet)

Copy the update link from community.ui.com/releases.
SSH into your device.
Run the following command:ubnt-upgrade paste_download_link_here Exubnt-upgrade https://fw-download.ubnt.com/data/udm/7675-udmpro-1.12.22-36b5213eaa2446aca8486f0b51e64cd3.bin

UDM/UDM Pro/UXG Pro (No Internet)

Download the desired firmware update from community.ui.com/releases.
Use the following SCP command to copy the file into the /mnt/data folder of your device. This requires a compatible SCP application (e.g., Terminal on macOS and Linux, PuTTY/PowerShell on Windows).scp /folder_path/firmwarefile.bin <user>@<IP of device>:/mnt/data/fwupdate.binExscp /Users/alexpro/Desktop/7675-udmpro-1.12.22-36b5213eaa2446aca8486f0b51e64cd3.bin Alex@192.168.1.219:/mnt/data/fwupdate.bin
Enter your SSH password when prompted.
Run the following command:ubnt-upgrade /mnt/data/fwupdate.bin

UCK G2, UCK G2 Plus, UDM SE, UDR, UDW, UNVR, UNVR Pro (Internet)

Copy the update link from community.ui.com/releases.
SSH into your device.
Run the following command:ubnt-systool fwupdate paste_download_link_here Exubnt-systool fwupdate https://fw-download.ubnt.com/data/unifi-dream/dd49-UDR-2.4.10-cd3afa000ebf4a4fb15374481539961c.bin

UCK G2, UCK G2 Plus, UDM SE, UDR, UDW, UNVR, UNVR Pro (No Internet)

Download the desired firmware update from community.ui.com/releases.
Use the following SCP command to copy the file into the /tmp folder of your device. This requires a compatible SCP application (e.g., Terminal on macOS and Linux, PuTTY/PowerShell on Windows).scp /folder_path/firmwarefile.bin <user>@<IP of device>:/tmp/fwupdate.binExscp /Users/alexpro/Desktop/dd49-UDR-2.4.10-cd3afa000ebf4a4fb15374481539961c.bin
Enter your SSH password when prompted.
Run the following command:ubnt-systool fwupdate /tmp/fwupdate.bin

USG (Internet)

Copy the update link from community.ui.com/releases.
SSH into your device.
Run the following command:upgrade paste_download_link_here Exupgrade https://dl.ui.com/unifi/firmware/UGW3/4.4.56.5449062/UGW3.v4.4.56.5449062.tar

USG (No Internet)

Download the desired firmware update from community.ui.com/releases.
Rename the file: upgrade.tar
Use the following SCP command to copy the file into the /home/<user> folder of your USG. This requires a compatible SCP application (e.g., Terminal on macOS and Linux, PuTTY/PowerShell on Windows).scp /folder_path/upgrade.tar <user>@<IP of device>:/home/<user>/upgrade.tarExscp /Users/alexpro/Desktop/upgrade.tar Alex@192.168.1.1:/home/Alex/upgrade.tar
Enter your SSH password when prompted.
SSH into your device.
Run the following command:sudo syswrapper.sh upgrade upgrade.tar

Manually Update the Network Application

Download the desired application update from community.ui.com/releases.
SSH into your device.
Run the following command (UDM/UDM Pro Only):unifi-os shell
Remove previously installed files:rm /tmp/unifi_sysvinit_all.deb &> /dev/null
Store the new application version on your device using the download link:curl -o “/tmp/unifi_sysvinit_all.deb” <network application link.deb>Excurl -o “/tmp/unifi_sysvinit_all.deb” https://dl.ui.com/unifi/6.2.26-a79cb15f05/unifi_sysvinit_all.deb
Once downloaded, install the new version:apt-get install -y /tmp/unifi_sysvinit_all.deb
Following installation, remove the downloaded file:rm /tmp/unifi_sysvinit_all.deb

Updating Devices in a Broken State

In rare occurrences, a device may stop functioning. UniFi APs may be updated using our TFTP Recovery. This should only be used if your AP completely stops functioning as a last resort prior to submitting an RMA. UniFi OS Consoles and gateways my be updated using Recovery Mode. This should only be used if prompted on your device’s LCM screen.

Source :
https://help.ui.com/hc/en-us/articles/204910064-UniFi-Advanced-Updating-Techniques

UniFi – Getting Support Files and Logs

It may be necessary to provide support files to our team when troubleshooting issues. These contain detailed logs and information about what is happening with your UniFi system. Although sensitive information is generally removed, we do not recommend sharing these publicly.

There are two support files to be aware of:

UniFi OS Support File: This contains logs related to your UniFi OS Console, the installed applications, your adopted UniFi devices, and the client devices connected.
Navigating to unifi.ui.com (or signing in locally via IP address) > select your UniFi OS Console > Console Settings > Download Support File. Note that it will have a *.tgz extension.
UniFi Network Support File: This only contains information about your UniFi Network application, your adopted UniFi Network devices, and the connected clients. This should only be used if you are self-hosting the UniFi Network application on a Windows, macOS or Linux machine.
Navigate to your UniFi Network Application > Settings > System > Download Network Support File. Note that it will have a *.supp extension.

Advanced

If the UOS Console or UniFi applications are inaccessible and you are not able to download the support file, you can download the logs by following these instructions. Please note, our support engineer will provide detailed information on which of the following will be required for troubleshooting.

1. SSH into the machine: ssh root@192.168.1.1

Note: If you need to change your SSH password, do so in the UniFi OS Settings, by navigating to unifi.ui.com (or signing in locally via IP address) > select your UniFi OS Console > Settings > System.

2. Create ZIP files for the logs. The commands’ format will be: tar -zcvf <file name> <folders path>.

UniFi OS logs: tar -zcvf unifi-core-logs.tar.gz /data/unifi-core/logs/
UniFi local portal (ULP) logs: tar -zcvf ulp-go-logs.tar.gz /data/ulp-go/log/
UniFi Network logs:
- For UniFi Dream Machine consoles:tar -zcvf unifi-logs.tar.gz /data/unifi/logs/
- For UniFi Cloud Key Gen2 consoles:tar -zcvf unifi-logs.tar.gz /usr/lib/unifi/logs
UniFi Protect logs:
- Without external disks: tar -zcvf unifi-protect-logs.tar.gz /data/unifi-protect/logs/
- With external disks: tar -zcvf unifi-protect-logs.tar.gz /srv/unifi-protect/logs/
UniFi Talk logs:
- tar -zcvf unifi-talk-logs.tar.gz /var/log/unifi-talk/
- tar -zcvf unifi-talk-base-logs.tar.gz /var/log/unifi-base/
- tar -zcvf unifi-talk-freeswitch-logs.tar.gz /var/log/freeswitch/
UniFi Connect logs: tar -zcvf unifi-connect-logs.tar.gz /data/unifi-connect/log/
System logs:
- ubnt-systool support /tmp/system
- tar zcvf system.tar.gz /tmp/system

3. Open a new terminal window and run the SCP command to copy the logs from the UniFi OS Console and onto your computer (or system).

Note: The period (.) in the path variable means it will be copied onto the currently opened directory in the terminal. And the asterisk (*) stands for “all”. So the following command will copy everything with the extension tar.gz (i.e. all the logs you prepared in Step 2).

scp root@192.168.1.1:/root/\*.gz .

4. Close both terminal windows to close the sessions.

If other logs are needed, our support agent will guide you and provide the necessary commands.

Source :
https://help.ui.com/hc/en-us/articles/360049956374-UniFi-Getting-Support-Files-and-Logs

UniFi Network – Updating Third-Party, non-Console UniFi Network Applications (Linux – Advanced)

This article provides the steps to update the UniFi Network application to the current stable release on a Debian or Ubuntu system via APT (Advanced Package Tool). If you run into issues following the process described in this article, please take a look at the scripts provided in this Community post that includes UniFi Network software installation on Ubuntu 18.04 and 16.04 and Debian 8/9.

Requirements

In order to update the UniFi Network application via APT, it is necessary to create source files or edit lines in an existing sources.list file with Linux text editors: vi or nano. The repo structure should be permanent, but if there are any changes they will be pointed out in the UniFi Network software version release posts, found in the Release section of the Community.

Before upgrading the UniFi Network application, make sure that you have backed up the UniFi Network Database. You will need to make sure that the user has sudo permissions. For more information about adding a user to sudo list, see this Debian article.

UniFi Network APT Steps

1. Install required packages before you begin with the following command:

sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https

Click to copy

2. Use the following command to add a new source list:

echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list

Click to copy

3. Add the GPG Keys. To add the GPG Keys use one of the two methods described below (Method A is recommended). When using the commands below, it is assumed you have sudo and wget installed, more information about sudo can be found here, and wget here.

User Tip: For Ubuntu 18.04, run the following commands before installing UniFi in step 4.

wget -qO - https://www.mongodb.org/static/pgp/server-3.4.asc | sudo apt-key add -
echo "deb https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
sudo apt-get update

Click to copy

See an example of what scripts the Community is using to install the UniFi Network application on Ubuntu 16.04 and 18.04 in this Community post.

(Method A) Install the following trusted key into /etc/apt/trusted.gpg.d

sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg

Click to copy

(Method B) Using apt-key.

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50

Click to copy

4. Install and upgrade the UniFi Network application.

Note: On some Distributions, it’s possible an incompatible Java release can be installed during this step. We recommend running the following command before proceeding with this step, to restrict Ubuntu from automatically installing Java 11. If you wish to undo this later, replace “hold” with “unhold”.

sudo apt-mark hold openjdk-11-*

Install and upgrade the UniFi Network application with the following command:

sudo apt-get update && sudo apt-get install unifi -y

Click to copy

5. This step may not be required, depending on the Linux distro you have. If your distro does not come with MongoDB, and it’s not available in their repo, then please see the MongoDB installation guide. You can find the latest installation guide for Ubuntu here, and Debian here. We recommend at least MongoDB 2.6.10. Some users have changed the backend to use MongoDB 3 successfully too.

6. The UniFi Network application should now be accessible at the computer’s configured local or public IP address, by typing that IP address in a browser’s navigation bar (Chrome is recommended). If it is not launching, use the following command: sudo service unifi start.

Other helpful commands are:

To stop the UniFi service: sudo service unifi stop
To restart the UniFi service: sudo service unifi restart
To see the status of UniFi service: sudo service unifi status

We strongly recommend staying with the stable release, but for those users who wish to do otherwise, click here to expand and see possible suite names, as well as code names in the table within.

Log Files Location

Log files will be essential for any troubleshooting you might perform. Find them here:

/usr/lib/unifi/logs/server.log
/usr/lib/unifi/logs/mongod.log

If your application is running on a Unix/Linux based system, then you will require superuser (sudo) privileges to access these log files.

User Notes & Tips

These notes have been added thanks to user collaboration. Click to expand.

Source :
https://help.ui.com/hc/en-us/articles/220066768-UniFi-Network-Updating-Third-Party-non-Console-UniFi-Network-Applications-Linux-Advanced-