VMware vCenter Configuration Manager - 5.5 Administrator’s Guide

VMware vCenter Configuration Manager
Administration Guide
vCenter Configuration Manager 5.5
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000674-00
vCenter Configuration Manager Administration Guide
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
© 2006–2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents
About This Book
Getting Started with VCM
Understanding User Access
Running VCM as Administrator on the Collector
Log In to VCM
Getting Familiar with the Portal
General Information Bar
Toolbar
Sliders
Customizing VCM for your Environment
Installing and Getting Started with VCM Tools
Install the VCM Tools Only
VCM Import/Export and Content Wizard Tools
Run the Import/Export Tool
Run the Content Wizard to Access Additional Compliance Content
Run the Deployment Utility
Package Studio
Foundation Checker
Configuring VMware Cloud Infrastructure
Virtual Environments Configuration
Managing Agents
Managing vCenter Server Instances, Hosts, and Guest Virtual Machines
Managing Instances of vCloud Director and vApp Virtual Machines
Managing vShield Manager Instances
Configure Virtual Environments Collections
Configure Managing Agent Machines
Collect Machines Data From the Managing Agent Machines
Set the Trust Status for Managing Agent Machines
Configure HTTPS Bypass Setting
Enable Managing Agent Machines
Obtain the SSL Certificate Thumbprint
Configure vCenter Server Data Collections
Add vCenter Server Instances
Configure the vCenter Server Settings
Collect vCenter Server Data
vCenter Server Collection Results
Configure vCenter Server Virtual Machine Collections
Collect vCenter Server Virtual Machines Data
Manage vCenter Server Virtual Machines
Configure vCloud Director Collections
Add vCloud Director Instances
Configure the vCloud Director Settings
Collect vCloud Director Data
vCloud Director Collection Results
Configure vCloud Director vApp Virtual Machines Collections
Network Address Translation and vCloud Director vApp Discovery Rules
Discover vCloud Director vApp Virtual Machines
Configure vShield Manager Collections
Configure ESX Service Console OS Collections
Configure the Collector as an Agent Proxy
Configure Virtual Machine Hosts
Copy Files to the ESX/ESXi Servers
Collect ESX Logs Data
Virtualization Collection Results
Configure the vSphere Client VCM Plug-In
Register the vSphere Client VCM Plug-In
Configuring the vSphere Client VCM Plug-In Integration Settings
Manage Machines from the vSphere Client
Troubleshooting the vSphere Client VCM Plug-In Registration
Running Compliance for the VMware Cloud Infrastructure
Create and Run Virtual Environment Compliance Templates
Create Virtual Environment Compliance Rule Groups
Create and Test Virtual Environment Compliance Rules
Create and Test Virtual Environment Compliance Filters
Preview Virtual Environment Compliance Rule Groups
Create Virtual Environment Compliance Templates
Run Virtual Environment Compliance Templates
Create Virtual Environment Compliance Exceptions
Configuring vCenter Operations Manager Integration
Configure vCenter Operations Manager with VCM
Auditing Security Changes in Your Environment
Configuring Windows Machines
Verify Available Domains
Check the Network Authority
Assign Network Authority Accounts
Discover Windows Machines
License Windows Machines
Disable User Account Control for VCM Agent Installation
Disable User Account Control for a Windows Machine
Disable User Account Control By Using Group Policy
Install the VCM Windows Agent on Your Windows Machines
Locate the Enterprise Certificate
Manually Install the VCM Windows Agent
Manually Uninstall the VCM Windows Agent
Enable UAC After VCM Agent Installation
Enable User Account Control on a Single Windows Machine
Enable UAC By Using a Group Policy
Collect Windows Data
Windows Collection Results
Getting Started with Windows Custom Information
Prerequisites to Collect Windows Custom Information
Using PowerShell Scripts for WCI Collections
Windows Custom Information Change Management
Collecting Windows Custom Information
Create Your Own WCI PowerShell Collection Script
Verify that Your Custom PowerShell Script is Valid
Install PowerShell
Collect Windows Custom Information Data
Run the Script-Based Collection Filter
View Windows Custom Information Job Status Details
Windows Custom Information Collection Results
Run Windows Custom Information Reports
Troubleshooting Custom PowerShell Scripts
Configuring Linux and UNIX Machines
Upgrade Requirements for UNIX/Linux Machines
Add UNIX/Linux Machines
License UNIX/Linux Machines
Install the Agent on UNIX/Linux Machines
Installation Options for UNIX/Linux csi.config
Manually Uninstall the UNIX/Linux Agent
Collect UNIX/Linux Data
Updates to UNIX Patch Assessment Content Affects UNIX Agent Performance
UNIX/Linux Collection Results
Configuring Oracle Instances
Discover Oracle Instances
Edit Oracle Instances
Collect Oracle Data
Oracle Collection Results
Configuring Mac OS X Machines
Add Mac OS X Machines
License Mac OS X Machines
Install the Agent on Mac OS X Machines
Installation Options for Mac OS X csi.config
Manually Uninstall the Mac OS X Agent
Collect Mac OS X Data
Collected Mac OS X Data Types
Mac OS X Collection Results
Patching Managed Machines
VCM Patching for Windows Machines
VCM Patching for UNIX and Linux Machines
UNIX and Linux Patch Assessment and Deployment
New UNIX Patch Assessment Content
Getting Started with VCM Patching
Getting Started with VCM Patching for Windows Machines
Check for Updates to Bulletins
Collect Data from Windows Machines by Using the VCM Patching Filter Sets
Assess Windows Machines
Review VCM Patching Windows Assessment Results
Prerequisites for Patch Deployment
Default Location for UNIX/Linux Patches
Location for UNIX/Linux Patches
Default Location for UNIX/Linux Patches
vCenter Software Content Repository Tool
Deploy Patches to Windows Machines
Getting Started with VCM Patching for UNIX and Linux Machines
Check for Updates to Bulletins
Collect Patch Assessment Data from UNIX and Linux Machines
Explore Assessment Results and Acquire and Store the Patches
Default Location for UNIX/Linux Patches
Deploy Patches to UNIX/Linux Machines
How the Deploy Action Works
Running VCM Patching Reports
Customize Your Environment for VCM Patching
Running and Enforcing Compliance
Getting Started with SCAP Compliance
Conduct SCAP Compliance Assessments
Provisioning Physical or Virtual Machine Operating Systems
Operating System Provisioning Components
How Operating System Provisioning Works
Configure Operating System Provisioning Servers
Add Operating System Provisioning Servers
Set the Trust Status for Operating System Provisioning Servers
Collect Operating System Distributions
Discover Provisionable Machines
Provision Machines with Operating System Distributions
Provision Windows Machines
Provision Linux Machines
Change Agent Communication
Provisioned Machines Results
Reprovision Machines
Provisioning Software on Managed Machines
Using Package Studio to Create Software Packages and Publish to Repositories
Software Repository for Windows
Package Manager for Windows
Software Provisioning Component Relationships
Install the Software Provisioning Components
Install Software Repository for Windows
Install Package Studio
Install Package Manager on Managed Machines
Using Package Studio to Create Software Packages and Publish to Repositories
Creating Packages
Using VCM Software Provisioning for Windows
Collect Package Manager Information from Machines
Collect Software Repository Data
Add Repository Sources to Package Managers
Install Packages
Related Software Provisioning Actions
Viewing Provisioning Jobs in the Job Manager
Create Compliance Rules Based on Software Provisioning Data
Create Compliance Rules Containing Software Provisioning Remediation Actions
Configuring Active Directory Environments
Configure Domain Controllers
Verify Available Domains
Check the Network Authority Account
Assign Network Authority Accounts
Discover Domain Controllers
License Domain Controllers
Install the VCM Windows Agent on Your Domain Controllers
Collect Domain Controller Data
Configure VCM for Active Directory as an Additional Product
Install VCM for Active Directory on the Domain Controllers
Run the Determine Forest Action
Run the Domain Controller Setup Action
Collect Active Directory Data
Active Directory Collection Results
Configuring Remote Machines
VCM Remote Management Workflow
Configuring VCM Remote Connection Types 205
Using Certificates With VCM Remote 206 Configure and Install the VCM Remote Client 206
Configure the VCM Remote Settings 206
Install the VCMRemote Client 209
Connect VCM Remote Client Machines to the Network 216
VCM Remote Collection Results 217
Tracking Unmanaged Hardware and Software Asset Data 219
Configure Asset Data Fields 219
Review Available Asset Data Fields 220
Add an Asset Data Field 220
Edit an Asset Data Field 221
Delete a VCM for Assets Data Field 222
Change the Order of Asset Data Columns 222
Refresh Dynamic Asset Data Fields 223 Configure Asset Data Values for VCM Machines 223 Configure Asset Data for Other Hardware Devices 224
Add Other Hardware Devices 224
Add Multiple Similar Other Hardware Devices 225
Edit Asset Data for Other Hardware Devices 225
Edit Asset Data Values for Other Hardware Devices 226
Delete Other Hardware Devices 226 Configure Asset Data for Software 227
Add Software Assets 227
Add Multiple Similar Software Assets 228
Edit Asset Data for Software 229
Edit Asset Data Values for Software 229
Delete Software Data 230
Managing Changes with Service Desk Integration 231
Configure Service Desk Integration 231 View Service Desk Integration in the Console 231 View Service Desk Integration in Job Manager 232
Index 233

About This Book

The VMware vCenter Configuration Manager Administration Guide describes the steps required to configure VCM to collect and manage data from your virtual and physical environment.
Read this document and complete the associated procedures to prepare for a successful implementation of the components.
Intended Audience
This information is written for experienced Windows or UNIX/Linux/Mac OS X system administrators who are familiar with managing network users and resources and with performing system maintenance.
To use this information effectively, you must have a basic understanding of how to configure network resources, install software, and administer operating systems. You also need to fully understand your network topology and resource naming conventions.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.
VMware VCM Documentation
The vCenter Configuration Manager (VCM) documentation consists of the VCM Installation Guide, VCM Troubleshooting Guide, VCM online Help, and other associated documentation.
Technical Support and Education Resources
The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.

Getting Started with VCM

When you use VCM, you must understand user access and how to start VCM from any physical or virtual machine. You must also familiarize yourself with the VCM Web Console features.
- "Understanding User Access" on page 11
  User access determines who has access to VCM and with what roles.
- "Log In to VCM" on page 12
  Access VCM from any physical or virtual machine in your network.
- "Getting Familiar with the Portal" on page 13
  The VCM Web Console provides access to all VCM features to manage your environment.

Understanding User Access

User access determines who has access to VCM and with what roles. To manage your user access, create rules that are assigned to roles. VCM assigns the roles to each user login you create. User access is managed in the Administration User Manager node.
The user account that was used to install VCM is automatically granted access to VCM, placed in the roles of ADMIN and USER, and placed into the Admin role. This user can log in to VCM using the Admin role. The AD_Admin role allows full administration access to AD objects only.
When a user is added to the Admin role in VCM or granted access to the Administration User Manager node, that user is placed in the fixed machine roles Security Administrators and Bulk Insert Administrators Groups. They are also added to the database roles of public, ADMIN, and User in the VCM Database.
Users who will not have access to the Administration User Manager node will be assigned to public. Depending on the functions granted to a user, they might need additional or fewer privileges for their role to function properly.
VCM provides a Change Restricted role to limit users from making certain changes in your environment. With this role, users can discover, collect data from machines, assess machines, display bulletin and template details, check for updates, and view history. Users can add, edit, and delete reports, compliance rules and rule groups, and compliance and patch assessment templates. They can also install the Agent, upgrade VCM, and uninstall VCM.
When you apply the VCM Change Restricted role to a user’s VCM login, they cannot perform the following actions.
- Remote command execution
- Change actions against target managed machines
- Change rollback
- Compliance enforcement
- Patch deployment
- Software deployment
- OS provisioning
- Machine reboots
All VCM user accounts must have the following rights on the VCM Collector machine.
- Ability to log on locally to access IIS
- Read access to the System32 folder
- Write access to the CMFiles$\Exported_Reports folder to export reports
- If default permissions have been changed, read access to the C:\Program Files (x86)\VMware\VCM\WebConsole directory and all subdirectories and files
Users who add machines to VCM using a file or the Available Machines Add Machines action must have write access to CMFiles$\Discovery_Files.
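
One way to review who holds the NTFS rights listed above, as an added PowerShell example that is not part of the VMware guide. It assumes it runs on the Collector, uses the folder names exactly as the list gives them, and treats Everyone, Authenticated Users, Users and Domain Users as the broad principals worth a second look on the two writable folders; Get-VcmFolderGrant is a hypothetical helper name.

```powershell
# Added example, not VMware code. Lists the principals that hold the NTFS rights
# the guide requires on the Collector and marks broad write grants for review.
$Collector = $env:COMPUTERNAME   # assumption: the script runs on the Collector itself
$sidType   = [System.Security.Principal.SecurityIdentifier]

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users. What counts as
# "broad" is an assumption of this example; adjust it to your own policy.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Folder -> required right, taken from the rights list in the guide.
$checks = @(
    @{ Path = "$env:SystemRoot\System32";                     Need = 'Read'  },
    @{ Path = "\\$Collector\CMFiles`$\Exported_Reports";      Need = 'Write' },
    @{ Path = 'C:\Program Files (x86)\VMware\VCM\WebConsole'; Need = 'Read'  },
    @{ Path = "\\$Collector\CMFiles`$\Discovery_Files";       Need = 'Write' }
)

function Get-VcmFolderGrant {
    param([string]$Path, [string]$Need)

    if (-not (Test-Path $Path)) {
        return New-Object PSObject -Property @{
            Path = $Path; Need = $Need; Identity = '(path not found)'
            Inherited = $false; Review = $false
        }
    }

    $needMask = [int][System.Security.AccessControl.FileSystemRights]$Need
    foreach ($rule in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        # Only Allow entries that apply to the folder itself are considered.
        # Deny entries and share-level permissions on CMFiles$ are not evaluated.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (([int]$rule.FileSystemRights -band $needMask) -ne $needMask) { continue }

        $sid = $rule.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # orphaned or unresolvable SID

        # Domain Users is matched by its relative ID (513) in any domain.
        $broad = ($broadSids -contains $sid.Value) -or ($sid.Value -like 'S-1-5-21-*-513')
        New-Object PSObject -Property @{
            Path = $Path; Need = $Need; Identity = $name
            Inherited = $rule.IsInherited
            Review = ($broad -and $Need -eq 'Write')
        }
    }
}

$checks | ForEach-Object { Get-VcmFolderGrant -Path $_.Path -Need $_.Need } |
    Sort-Object Path, Identity |
    Format-Table Path, Need, Identity, Inherited, Review -AutoSize
```

Rows with Review set to True are write grants on the export or discovery folders held by a broad group rather than by the accounts that use VCM.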

Running VCM as Administrator on the Collector

By default for localhost, Internet Explorer on Windows Server 2008 R2 runs with Protected Mode enabled. If you are logged in to VCM as an Administrator, because Protected Mode is enabled, problems can occur with the SQL Server Reporting Services (SSRS) Web service interface components such as dashboards and node summaries.
CAUTION: Although you should not access VCM on the Collector using a Web console, to restore the SSRS functionality you can run Internet Explorer as administrator or disable Protected Mode for the zone of the Collector (localhost). If you perform this action, you must take additional precautions to protect the Collector because of the increased exposure to attacks on the Collector through the Web browser, such as cross-site scripting.
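
To see where Protected Mode has been turned off after the workaround above was applied, the check below reads the per-zone settings from the registry. It is an added PowerShell example, not part of the VMware guide; Get-ProtectedModeSetting is a hypothetical helper name, and the registry value 2500 (0 = enabled, 3 = disabled) is Internet Explorer's own storage for this setting, not something the guide documents.

```powershell
# Added example, not VMware code. Reports the Internet Explorer Protected Mode
# setting for each security zone. The setting is stored as DWORD value "2500"
# under each zone key: 0 = Protected Mode enabled, 3 = disabled.
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Group Policy locations first, then the per-user and machine-wide settings.
# HKCU is the hive of the account running the script, so run it as the account
# that opens the Web Console on the Collector.
$roots = "HKLM:\Software\Policies\$suffix", "HKCU:\Software\Policies\$suffix",
         "HKCU:\Software\$suffix",          "HKLM:\Software\$suffix"

function Get-ProtectedModeSetting {
    foreach ($root in $roots) {
        foreach ($zone in 0..4) {
            $key = "$root\$zone"
            if (-not (Test-Path $key)) { continue }

            $value = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
            if ($null -eq $value) { continue }   # not set explicitly at this location

            if     ($value -eq 0) { $state = 'Enabled' }
            elseif ($value -eq 3) { $state = 'Disabled' }
            else                  { $state = "Unexpected value $value" }

            New-Object PSObject -Property @{
                Location      = $root
                Zone          = $zoneNames[$zone]
                ProtectedMode = $state
            }
        }
    }
}

$settings = @(Get-ProtectedModeSetting)
$settings | Format-Table Zone, ProtectedMode, Location -AutoSize

# Zones where Protected Mode is explicitly off are the ones that need the
# additional precautions the guide calls for.
$disabled = @($settings | Where-Object { $_.ProtectedMode -eq 'Disabled' })
if ($disabled.Count -gt 0) {
    Write-Warning ("Protected Mode is disabled for: " +
        (($disabled | ForEach-Object { $_.Zone } | Sort-Object -Unique) -join ', '))
}
```

Only explicitly stored values are reported; a zone with no entry uses Internet Explorer's default for that zone, and an Internet Explorer session started with Run as administrator leaves no trace in these keys.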

Log In to VCM

Access VCM from any physical or virtual machine in your network. The level of access is determined by your VCM administrator.
Prerequisites
- Verify that the physical or virtual machines from which you are accessing VCM have a supported version of Internet Explorer installed. For supported platforms, see the VCM Installation Guide.
- Configure the Internet Explorer Pop-up Blocker settings to add your Collector to your list of allowed Web sites, or disable Pop-up Blocker. Click Internet Explorer and select Tools > Pop-up Blocker > Pop-up Blocker Settings and then add the path for your Collector in the allowable address field.
Procedure
1. To connect to VCM from a physical or virtual machine on your network, open Internet Explorer and type http://<name-or-IP-address-of-Collector-machine>/VCM.
2. Type your user network credentials.
3. (Optional) Select Automatically log on using this role to have VCM log you in.
4. Click Log On.
Your VCM user account can have multiple roles. If you selected the Automatically log on using this role option, VCM will automatically log you on as the User Role displayed on the Logon screen. To change roles, you must use the Logoff button in the top right corner of the Console. This action will return you to the Logon screen so that you can use the drop-down menu to select a different role.

Getting Familiar with the Portal

The VCM Web Console provides access to all VCM features to manage your environment.
The Web Console uses a browser-based interface to run from any Windows machine that has access to the server on which VCM is installed. The Windows machine must be running Internet Explorer or Mozilla Firefox with the Internet Explorer tab plug-in installed.
The Web Console includes several major areas and controls.

General Information Bar

The general information bar displays the VCM Collector’s active SQL Server name, your VCM user name and active Role, and the following buttons.
- Log Out: Exits the Web Console. The Web Console closes and the VCM Logon screen appears.
- About: Displays information about how to contact VMware Technical Support and version information for VCM and all of its components. This information may be important when you contact VMware Technical Support.
- Help: Opens the online Help for the currently-active display.

Toolbar

The global toolbar provides you with easily-accessible options to enhance control of your environment and data.
The left and right arrow buttons navigate to the previous or next page in the data area.
The Jobs button opens the Jobs Running status window. This button provides access to the Collector status and allows you to stop and restart the Collector service.
The Collect button opens a wizard that allows you to define and initiate data collections.
The Remote Commands button allows you to invoke the Remote Commands wizard from the toolbar without having to access the node.
The Refresh data grid view button refreshes the data grid. Press F5 on the keyboard as an alternative action.
The View row cells button displays a vertically scrolling view of a single row of data, rather than the table-based data grid view in a separate window, and allows you to move between records.
The Select all displayed data rows button selects all the rows in the data grid.
The Copy button copies information from the selected rows in the data grid to the clipboard.
The Copy link to clipboard button copies the link of the content on-screen to the clipboard.
The View data grid in separate window button displays the data grid in a separate window.
The Export displayed data button exports data to a CSV formatted file. This file is exported to \\<name_of_Collector_machine>\CMfiles$\Exported Reports.
The Options button opens the User Options window. These settings pertain to the User who is logged in to VCM. All VCM users can configure these settings to their individual preferences.

Sliders

The sliders on the left side of the Web Console include the items listed and described in the following table. The individual items that you see in VCM will vary depending on the components that you have licensed.
- Active Directory and AD objects are available only when VCM for Active Directory (AD) is licensed. This slider is viewable based on your role.
- Patching options are available only when VCM Patching is licensed. This slider is viewable based on your role.
- Administration is visible only to users who have Administrative rights to VCM as part of their VCM role.
For detailed instructions about any of these features, see the online Help.
Slider: Action

Console
- View, export, or print enterprise-wide, summary information.
- Review or acknowledge current alert notifications.
- Manage VCM discovered and non-VCM discovered hardware and software assets.
- Review changes that occurred from one collection to the next.
- Create, edit, or run remote commands on a VCM managed Windows or UNIX machine.
- View information about VCM discovered domains.
- Navigate and manage integrated service desk events.
- Manage virtual machines.
- View your Windows NT Domain and Active Directory related data.
- View information for enterprise-level applications.
- Review non-security related UNIX machine-specific information.
- Review UNIX security data to ensure consistent security configurations across your environment.

Compliance
- Create and manage Compliance rule groups and templates based on AD objects or machine group data.

Active Directory
- View, export, or print enterprise-wide, summary information for Active Directory objects.
- Review alert notifications for the selected AD location.
- Review Active Directory-related changes that occurred from one collection to the next.
- View collected information about Active Directory objects such as Users, Groups, Contacts, Computers, Printers, Shares, and Organizational Units.
- Review Active Directory site lists, including Site Links, Site Link Bridges, Subnets, Intersite Transports, Servers, Connections and Licensing.
- View Active Directory Group Policy Container Settings.
- View information about Active Directory Domains, DCs, and Trusts.
- Track and display access control entries and security descriptor data on all collected objects.
- View Active Directory Schema information.

Reports
- Run out-of-the-box reports against your collected data.
- Write your own SQL and SSRS reports using VCM’s report wizard.

Patching
- Review a list of bulletins available to VCM.
- Create, run, or import VCM Patching templates to display the machines that require the patches described in each bulletin.
- Monitor VCM Patching jobs.
- Deploy patches.

Administration
- Manage basic configuration options for VCM.
- Establish filters to limit the data you collect from machines in your environment.
- Review how your VCM licenses are being used.
- Identify and manage your physical and virtual machines.
- Manage VCM Logins and Roles.
- Set options for assessment and deployment.
- View the status of jobs that are currently running, scheduled to run, or completed.
- Configure VCM to notify you of certain conditions in your environment.

Customizing VCM for your Environment

Create a machine group structure that matches the organization of the machines in your environment. With these machine groups, you can manage specific machines in your environment such as all SQL Servers in a particular location. You can apply specific changes or create roles and rules for those machines independently from other machines in your environment. This approach ensures that you can restrict access to critical machines to the appropriate users with rights to VCM.
You can customize the following options for your environment.
- Alerts: Define the objects and types of changes that you are alerted to when they are detected in VCM. For example, you can set an alert to notify you if a registry setting changes in your environment.
- Collection Filters and Filter Sets: Use collection filters to specify the data to collect from the VCM managed machines. A default collection filter is provided for each data type. You can add custom collection filters that are specific to your enterprise. You can apply filters during instant collections and scheduled collections if the filters are included in a filter set. After you create collection filters, organize them into filter sets. You can create specific filter sets or filter set groups for different machine groups. You can apply filter sets during instant collections or scheduled collections.
- Compliance Templates and Rule Groups: Use compliance templates and rule groups to define specific settings and verify whether the machines match those criteria. VCM provides prepackaged templates and rules to check the compliance of your machines with regulatory, industry, and vendor standards. VMware provides additional compliance packages that you can import into VCM.
- Reports: Create and print tailored reports of information that does not appear in VCM. VCM provides prepackaged reports that you can run after you collect data from your VCM managed machines.
- Roles and Rules: VCM roles and access rules work together to control user access to VCM. For example, you can create a role that allows a user to view all data, but not make changes to the environment. You can create a role to run certain reports or a role that allows unlimited access to a single machine group.
The VCM Change Restricted role limits users from making certain changes in your environment. See "Understanding User Access" on page 11.
For information about importing additional compliance packages into VCM, see Import/Export and Content Wizard.

Installing and Getting Started with VCM Tools

VCM Installation Manager installs several VCM components and tools on the Collector machine during the installation.
Using VCM Installation Manager, you can install the following tools.
- "Run the Import/Export Tool" on page 21
  Use the Import/Export Tool to back up your VCM database business objects and import them into a new VCM database or into a recovered VCM database. This tool also supports the migration of any VCM Management Extension for Asset data that was manually added to VCM.
- "Run the Content Wizard to Access Additional Compliance Content" on page 21
  Use the Content Wizard to import additional VMware content such as VCM Compliance Content Packages.
- "Run the Deployment Utility" on page 21
  The Deployment Utility for UNIX/Linux and ESX/vSphere copies files to multiple target machines when you configure UNIX/Linux and ESX/vSphere machines for management in VCM.
- "Package Studio" on page 22
  Use Package Studio to create software packages that can be installed by VCM.
- "Foundation Checker" on page 22
  Use the Foundation Checker tool to verify that a Windows machine designated as a VCM Collector meets all of the prerequisites necessary to install VCM.

Install the VCM Tools Only

You can install the VCM tools on a non-Collector Windows machine.
If you plan to install VCMon the non-Collector Windows machine later, you must uninstall the tools and then install VCM.
Prerequisites
Perform the installation requirements for each tool in the Advanced Installation selection. For example, you can install Import/Export (I/E) and Content Wizard only on a machine that is running VCM.
Procedure
1. On the non-Collector Windows machine on which you want to install the tools, insert the installation CD.
2. In Installation Manager, click Run Installation Manager.
During the installation, follow the installation requirements that Installation Manager reports when Foundation Checker runs.
3. Complete the initial installation pages, and click Next on subsequent pages to access the Select Installation Type page.
a. Clear the VMware vCenter Configuration Manager check box.
b. Select Tools.
c. To install a subset of tools, clear the Tools check box and select only the individual tools to install.
4. Click Next.
5. Complete the remaining instructions and click Next.
6. On the Installation Complete page, click Finish.
7. On the Installation Manager page, click Exit.

VCM Import/Export and Content Wizard Tools

Use the Import/Export Tool and the Content Wizard Tool to move or update VCM business objects. These tools support the migration of any VCM Management Extension for Asset data that was added to VCM manually, but do not import or export any collected data.
The Import/Export Tool supports the following scenarios.
- Back up (export) and restore (import) business objects to the same machine.
- Back up (export) and import (if needed) business objects during a VCM upgrade.
- Export and migrate (import) business objects to additional machines in a multi-Collector environment during setup or to move custom content.
- Use the Content Wizard to download current Compliance Content from VMware and import it into an existing database.
- Using the Command Line Interface, automate the propagation of content to other machines in a multi-collector environment with a “golden machine”.
- Aid in disaster recovery by using the Command Line Interface to automate and schedule the backup of VCM content and configuration parameters.
The Command Line Interface (CLI) is a powerful extension of the Import/Export graphic user interface (GUI). In addition to supporting the scenarios noted above, the CLI allows content to be overwritten, as opposed to “rename only”, and provides for automation through scripting suitable for customizations.
IMPORTANT Use of the CLI should be restricted to advanced users who exercise caution when testing
their scripts.
The Import/Export Tool and Content Wizard Tool were installed on your Collector machine during your VCM installation.

Run the Import/Export Tool

Use the Import/Export Tool to back up your VCM database business objects and import them into a new VCM database or into a recovered VCM database. This tool also supports the migration of any VCM Management Extension for Asset data that was manually added to VCM.
Prerequisites
Install the Import/Export Tool. See "Installing and Getting Started with VCM Tools" on page 19.
Procedure
1. On the Collector, click Start.
2. Select All Programs > VMware vCenter Configuration Manager > Tools > Import Export Tool.
3. For importing and exporting procedures, click Help > Contents and use the online help.

Run the Content Wizard to Access Additional Compliance Content

Use the Content Wizard to import additional VMware content such as VCM Compliance Content Packages. These packages are not available in VCM until you download and import them. Check the VCM Compliance Content Packages to determine if you need to import them.
Prerequisites
Install the Content Wizard. See "Installing and Getting Started with VCM Tools" on page 19.
Procedure
1. On the Collector, click Start.
2. Select All Programs > VMware vCenter Configuration Manager > Tools > Content Wizard Tool.
3. In the Content Wizard, select Get Updates from the Internet and click Next.
4. After the wizard identifies available content, click Next.
5. Select the updates to install on your Collector and click Install.
When the installation is finished, the Event Log Results window appears.
6. On the Event Log Results window, click Save and specify a location to save the logs.
7. Click Close.
8. On the Content Wizard page, click Exit.
What to do next
View the imported data in VCM. For example, click Compliance and select Machine Group Compliance > Templates. You can now run any imported compliance template against your collected data.

Run the Deployment Utility

The Deployment Utility for UNIX/Linux and ESX/vSphere copies files to multiple target machines when you configure UNIX/Linux and ESX/vSphere machines for management in VCM.
Procedure
1. On the Collector, navigate to C:\Program Files (x86)\VMware\VCM\Tools.
2. Copy the DeployUtility-<version>.zip file from the Collector to your Windows machine.
3. Extract the files.
4. Double-click DeployUtil.exe to start the application.
What to do next
In the Deployment Utility, click Help and review the procedure for the type of machine you are configuring.

Package Studio

Use Package Studio to create software packages that can be installed by VCM. It is one component of VCM Software Provisioning that includes the Software Repository for Windows and the Package Manager.
For procedures to run the Package Studio, see the Software Provisioning Components Installation and User's Guide.

Foundation Checker

Use the Foundation Checker tool to verify that a Windows machine designated as a VCM Collector meets all of the prerequisites necessary to install VCM.
Installation Manager uses VCM Foundation Checker to check a machine’s viability for a successful VCM deployment. Foundation Checker runs system checks that determine various conditions, settings, and requirements, and displays a results file that lists the system checks that passed, failed, or generated warnings.
If the checks run without error, you can install VCM. If the checks identify missing components or incorrect configurations, Foundation Checker instructs you where to verify the component or configuration and how to remedy the errors.
To run the Foundation Checker on a Windows machine on which you will install another instance of VCM, see the Foundation Checker User's Guide.

Configuring VMware Cloud Infrastructure

VCM collects information from your instances of vCenter Server, vCloud Director, and vShield Manager so that you can then use the information to manage and maintain your virtual environment.
The collected data appears in the Console under the Virtual Environments node. The information is organized in logical groupings based on the information sources, including vCenter Server, vCloud Director, and vShield Manager.
Based on the collected virtual environments data, you can manage the objects and data at an enterprise and individual level, including running compliance rules and reports; running actions, such as changing settings and taking virtual machine snapshots; and managing the guest operating systems as fully managed VCM machines.

Virtual Environments Configuration

To manage your virtual environments, you collect vCenter Server, vCloud Director, and vShield Manager data. To collect the data, you use one or more Managing Agent machines.
After configuring your Managing Agent machines, you add and configure your vCenter Server, vCloud Director, and vShield Manager instances in VCM to use the Managing Agent for communication. For a diagram illustrating how the components are configured together, see Figure 3–1. Virtual Environments Configuration Diagram.
Figure 3–1. Virtual Environments Configuration Diagram

Managing Agents

The Managing Agent machines must have the 5.5 Agent or later installed. They must also be configured to manage the secure communication between the vCenter Server, vCloud Director, and vShield Manager instances and the Collector. Depending on the size of your Cloud Infrastructure environment, you can use your Collector as a Managing Agent or you can use another Windows machine. If your individual vCenter Server instances manage no more than 1–30 hosts and a maximum of 1000 guests, then you can use the Collector as your Managing Agent. If any of your vCenter Server instances exceed this amount, you must use a Windows machine that is not your Collector as a Managing Agent.
CAUTION Do not use the Windows machines on which your vCenter Server instances are running as Managing Agent machines.

Managing vCenter Server Instances, Hosts, and Guest Virtual Machines

You collect data from vCenter Server instances regarding resources managed by the vCenter Server, and to identify and manage the host and guest machines. The host and guest machines are managed based on configured vCenter Server instances. From VCM, you can run vCenter Server actions such as configuring settings, turning the power on and off, or taking a snapshot. To fully manage the guest machines, install the VCM Agent on the virtual machines and manage their operating system.

Managing Instances of vCloud Director and vApp Virtual Machines

You collect data from vCloud Director instances regarding their configurations, resources managed by vCloud Director, and to identify and manage the vApp virtual machine guest operating systems. To fully manage the guest machines, you install the VCM Agent on the virtual machines and manage their operating system.

Managing vShield Manager Instances

You collect from vShield Manager instances to gather data regarding vShield App security groups. You can run reports on the collected data.

Configure Virtual Environments Collections

To manage your virtual environments, configure your Managing Agent and then implement the procedures that suit your environment.
Procedure
1. "Configure Managing Agent Machines" on page 26
The Managing Agents are one or more physical or virtual machines running a supported Windows operating system that manage the communication between the Collector and your instances of vCenter Server, vCloud Director, and vShield Manager.
2. "Obtain the SSL Certificate Thumbprint" on page 29
When configuring the settings for your virtual environments systems, you can use an SSL certificate thumbprint file to ensure secure communication between the Collector and your instances of vCenter Server, vCloud Director, and vShield Manager.
3. "Configure vCenter Server Data Collections" on page 30
Collect data from your vCenter Server so that you can identify and manage your virtual environments, including ESX and ESXi hosts, and guest virtual machines.
4. "Configure vCenter Server Virtual Machine Collections" on page 33
Configure virtual machine collections so that you can identify and manage the guest operating systems on the vCenter Server virtual machines.
5. "Configure vCloud Director Collections" on page 35
Configure collections from your vCloud Director instances so that you can run compliance and reports, and identify your vApp virtual machines.
6. "Configure vCloud Director vApp Virtual Machines Collections" on page 39
Collect vCloud Director data so that you can identify and manage the guest operating systems of the vApp virtual machines.
7. "Configure vShield Manager Collections" on page 45
Configure collections from your vShield Manager instances so that you can run reports on the collected data.
8. "Configure ESX Service Console OS Collections" on page 48
The ESX Service Console OS Linux data type data and the ESX logs are collected directly from the ESX operating systems, not from vCenter Server. Configure the ESX servers so that you can collect the Linux data type and ESX log data from the ESX service console operating system.
9. "Configure the vSphere Client VCM Plug-In" on page 54
The vSphere Client VCM Plug-In provides contextual access to VCM change, compliance, and management functions. It also provides direct access to collected vCenter Server, virtual machine host, and virtual machine guest data.

Configure Managing Agent Machines

The Managing Agents are one or more physical or virtual machines running a supported Windows operating system that manage the communication between the Collector and your instances of vCenter Server, vCloud Director, and vShield Manager.
The Managing Agent machines must have the 5.5 Agent or later installed. They must also be configured to manage the secure communication between the vCenter Server, vCloud Director, and vShield Manager instances and the Collector. Depending on the size of your Cloud Infrastructure environment, you can use your Collector as a Managing Agent or you can use another Windows machine. If your individual vCenter Server instances manage no more than 1–30 hosts and a maximum of 1000 guests, then you can use the Collector as your Managing Agent. If any of your vCenter Server instances exceed this amount, you must use a Windows machine that is not your Collector as a Managing Agent.
CAUTION Do not use the Windows machines on which your vCenter Server instances are running as Managing Agent machines.
Procedure
1. "Collect Machines Data From the Managing Agent Machines" on page 27
Collect data from your Managing Agent machines to ensure that VCM identifies the Windows machines as licensed and that the 5.5 Agent or later is installed.
2. "Set the Trust Status for Managing Agent Machines" on page 27
You set the trusted status on machines where you verify that the connection is legitimate. When you set the trust status, you are marking the Agent certificate as trusted.
3. "Configure HTTPS Bypass Setting" on page 28
If your Collector is not configured to use HTTPS, you must configure the Collector to allow HTTP communication when entering sensitive parameter values.
4. "Enable Managing Agent Machines" on page 28
Managing Agent machines must be enabled to perform the necessary communication with your instances of vCenter Server, vCloud Director, and vShield Manager.

Collect Machines Data From the Managing Agent Machines

Collect data from your Managing Agent machines to ensure that VCM identifies the Windows machines as licensed and that the 5.5 Agent or later is installed.
The Managing Agent is the Agent used to collect data from your instances of vCenter Server, vCloud Director and vShield Manager.
Prerequisites
- Verify that the Windows machine that you designated as the Managing Agent is licensed and that it has the VCM Agent 5.5 or later installed. See "Configuring Windows Machines" on page 71.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. Select the Managing Agent machines and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes the Managing Agent machine and click Next.
6. On the Data Types page, expand Windows.
7. Select Machines, and click Next.
8. On the Important page, resolve any conflicts and click Finish.
9. When the job finishes, verify that the Agent Version value in the data grid is 5.5 or later.
What to do next
Configure the trust status for the Managing Agents. See "Set the Trust Status for Managing Agent Machines" on page 27.

Set the Trust Status for Managing Agent Machines

You set the trusted status on machines where you verify that the connection is legitimate. When you set the trust status, you are marking the Agent certificate as trusted.
When you transmit sensitive information, such as credentials, between the Collector and physical or virtual machines on which the Managing Agent is installed, the Agent certificate, including the Agent certificate on the Collector, must be trusted.
If you do not use this level of security, you can set the Allow sensitive parameters to be passed to agents not verified as Trusted option to Yes. To override the setting, click Administration and select Settings > General Settings > Collector.
Prerequisites
- Ensure that you collected the Machines data type from the Windows machines you are using as Managing Agents. See "Collect Machines Data From the Managing Agent Machines" on page 27.
Procedure
1. Click Administration.
2. Select Certificates.
3. Select the Managing Agent machines and click Change Trust Status.
4. Add any additional machines to trust to the lower data grid.
5. Select Check to trust or uncheck to untrust the selected machines and click Next.
6. Review the number of machines affected and click Finish.
What to do next
- If your Collector is not configured to use HTTPS, set the HTTPS bypass. See "Configure HTTPS Bypass Setting" on page 28.
- Identify the Windows machines as Managing Agents. See "Enable Managing Agent Machines" on page 28.

Configure HTTPS Bypass Setting

If your Collector is not configured to use HTTPS, you must configure the Collector to allow HTTP communication when entering sensitive parameter values.
If your Collector is configured to use HTTPS, you do not need to modify this setting.
Procedure
1. Click Administration.
2. Select Settings > General Settings > Collector.
3. Select Allow HTTP communication (HTTPS bypass) when entering sensitive parameter values and click Edit Settings.
4. Select Yes and click Next.
5. Review the summary and click Finish.
What to do next
Identify the Windows machines as Managing Agents. See "Enable Managing Agent Machines" on page 28.

Enable Managing Agent Machines

Managing Agent machines must be enabled to perform the necessary communication with your instances of vCenter Server, vCloud Director, and vShield Manager.
Prerequisites
- Ensure that the Managing Agent machines are trusted machines. See "Set the Trust Status for Managing Agent Machines" on page 27.
- If your Collector is not configured to use HTTPS, set the HTTPS bypass. See "Configure HTTPS Bypass Setting" on page 28.
Procedure
1. Click Administration.
2. Select Administration > Machines Manager > Licensed Machines > Licensed Windows Machines.
3. Select the Managing Agent machines and click Change Managing Agent Status.
4. Add any additional machines to the lower data grid.
5. Select Enable - allow the selected machines to be used as managing agents and click Next.
6. Review the number of machines affected and click Finish.
What to do next
- To maintain secure communication, you need the SSL certificates from your instances of vCenter Server, vCloud Director, and vShield Manager. See "Obtain the SSL Certificate Thumbprint" on page 29.
- Configure the collections from your instances of vCenter Server, vCloud Director, and vShield Manager.
  - See "Configure vCenter Server Data Collections" on page 30.
  - See "Configure vCloud Director Collections" on page 35.
  - See "Configure vShield Manager Collections" on page 45.

Obtain the SSL Certificate Thumbprint

When configuring the settings for your virtual environments systems, you can use an SSL certificate thumbprint file to ensure secure communication between the Collector and your instances of vCenter Server, vCloud Director, and vShield Manager.
You can use this procedure to copy and save the thumbprint in advance of configuring the settings, or you can follow the process while you are using the wizard.
This procedure applies when your certificates are not properly trusted. If your certificates are configured and trusted, you must log onto the target machine to retrieve the thumbprint from the certificate store.
Prerequisites
Ensure that you have network access to the target instances of vCenter Server, vCloud Director, and vShield Manager from which you need the thumbprint string.
Procedure
1. Open Internet Explorer.
2. In the address bar, type https://<your vcenter server, vcloud director, or vshield manager instance>.
3. On the certificate error page, click Continue to this website.
4. On the address bar, click Certificate Error and select View Certificates.
5. Click the Details tab.
6. In the list, select Thumbprint.
7. Copy the thumbprint string to your clipboard or to a file so that you can access it when needed.
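The thumbprint read from the browser in this procedure can also be computed and compared in a script, which avoids copy-and-paste damage such as spaces or invisible characters in the pasted string. The following Python code is an added example, not part of VCM or its documentation; it assumes the thumbprint is the SHA-1 hash of the DER-encoded certificate, as the Windows certificate dialog shows it, and all function names and sample values are constructed for illustration.

```python
"""Compute and compare the SHA-1 thumbprint of a server certificate.

Added example, not VCM code. Assumption: the thumbprint is the SHA-1 digest
of the DER-encoded certificate, as shown in the Windows certificate dialog.
"""
import hashlib
import hmac
import socket
import ssl
import sys
import unicodedata

# Constructed sample values: SAMPLE_DER is a stand-in byte string, not a real
# certificate. SAMPLE_PASTED imitates a thumbprint pasted from a dialog, with
# spaces between bytes and a leading invisible left-to-right mark (U+200E).
SAMPLE_DER = b"abc"
SAMPLE_PASTED = "\u200ea9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"


def thumbprint_from_der(der_cert: bytes) -> str:
    """Return the SHA-1 thumbprint as 40 upper-case hex characters."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def normalize_thumbprint(text: str) -> str:
    """Reduce a pasted thumbprint to bare upper-case hex, or raise ValueError.

    Whitespace, ':' and '-' separators and invisible Unicode format
    characters (category Cf) are dropped; anything else is rejected so a
    damaged value fails loudly instead of being silently accepted.
    """
    kept = []
    for ch in text:
        if ch.isspace() or ch in ":-" or unicodedata.category(ch) == "Cf":
            continue
        kept.append(ch)
    cleaned = "".join(kept).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("not a 40-digit hexadecimal SHA-1 thumbprint")
    return cleaned


def thumbprints_match(expected: str, der_cert: bytes) -> bool:
    """Compare a recorded thumbprint with the certificate actually presented."""
    return hmac.compare_digest(
        normalize_thumbprint(expected), thumbprint_from_der(der_cert)
    )


def fetch_der_certificate(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the certificate a server presents, without validating it.

    Validation is switched off only so that an untrusted certificate can be
    retrieved at all. Trust has to come from comparing the thumbprint with a
    value read on the target machine itself.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python thumbprint.py <host> [expected-thumbprint]
    if len(sys.argv) < 2:
        sys.exit("usage: thumbprint.py <host> [expected-thumbprint]")
    der = fetch_der_certificate(sys.argv[1])
    print(thumbprint_from_der(der))
    if len(sys.argv) > 2:
        ok = thumbprints_match(sys.argv[2], der)
        print("match" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
```

A mismatch between the value fetched over the network and the value read from the certificate store on the target machine means the certificate presented to the Managing Agent is not the one you expect, and the thumbprint should not be entered into VCM.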

Configure vCenter Server Data Collections

Collect data from your vCenter Server so that you can identify and manage your virtual environments, including ESX and ESXi hosts, and guest virtual machines.
Prerequisites
- Configure your Managing Agent machines. See "Configure Managing Agent Machines" on page 26.
- To maintain secure communication, you need the SSL certificates from your instances of vCenter Server. See "Obtain the SSL Certificate Thumbprint" on page 29.
Procedure
1. "Add vCenter Server Instances" on page 30
Add the vCenter Server instances to VCM so that you can license and collect vCenter Server data using the Managing Agent.
2. "Configure the vCenter Server Settings" on page 31
Configure the Managing Agent, communication, and vCenter Server access options so that VCM can collect host and guest data from the vCenter Server instances.
3. "Collect vCenter Server Data" on page 32
Collect the vCenter Server, host, and guest data from the vCenter Server instances. The data is displayed by detailed data type and appears in the VCM Console.
The collected vCenter Server data appears in the Console in the Virtual Environments node. The collected vCenter Server data helps you identify and manage vCenter Server, host, and guest objects. See "vCenter Server Collection Results" on page 33.

Add vCenter Server Instances

Add the vCenter Server instances to VCM so that you can license and collect vCenter Server data using the Managing Agent.
In addition to adding the vCenter Server instances, you can also add the Windows machine on which the vCenter Server is installed and manage the underlying Windows operating system.
Prerequisites
Know the names and domain information for the vCenter Server instances in your environment.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Click Add Machines.
4. On the Add Machines page, select Basic: Name, Domain, Type, Automatically license machines, and click Next.
5. On the Manually Add Machines - Basic page, configure these options to identify the vCenter Server instances.
Option | Description
Machine | Name of the vCenter Server.
Domain | Domain to which the vCenter Server belongs.
Type | Domain type.
Machine Type | Select vCenter (Windows).
6. Click Add.
The machine information is added to the list.
7. (Optional) Add other vCenter Server instances as needed.
8. When all your vCenter Server instances are added to the list, click Next.
9. On the Information page, review the summary and click Finish.
What to do next
- Configure the vCenter Server settings. See "Configure the vCenter Server Settings" on page 31.
- Manage the Windows operating systems on which vCenter Server instances are running. See "Configuring Windows Machines" on page 71.

Configure the vCenter Server Settings

Configure the Managing Agent, communication, and vCenter Server access options so that VCM can collect host and guest data from the vCenter Server instances.
Prerequisites
- Collect Machines data from the Windows machine that you designated as your Managing Agent. See "Collect Machines Data From the Managing Agent Machines" on page 27.
- If you are using SSL Certificates to maintain secure communication, you must provide the certificate thumbprint from the target system when configuring the settings. See "Obtain the SSL Certificate Thumbprint" on page 29.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCenter Server instances and click Configure Settings.
4. On the Virtual Environment page, verify that the vCenter Server instances appear in the lower pane and click Next.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vCenter Server instances and click Next.
Option | Description
Managing Agent | Select the Windows machine to manage communication between the Collector and the vCenter Server instances. This Windows machine must have the 5.5 Agent or later installed. You can use the Collector as your managing agent.
Port | Type the port used by the VMware Infrastructure SDK on the vCenter Server instances. The default value is 443.
User ID | Type a vCenter Server instance user name. The user must have a vCenter Server administrative role or an unrestricted read only role.
Password | Type the password for the vCenter Server instance user ID.
Confirm Password | Type the password again.
Ignore untrusted SSL Certificate | Select one of the following certificate options. Yes: Ignores the requirement for a valid signed certificate. No: Requires a valid signed certificate.
6. If you selected No on the Managing Agent and Communication Settings page, you must type or paste the thumbprint string in the text box and click Next.
7. On the Important page, click Finish.
What to do next
Collect vCenter Server data. See "Collect vCenter Server Data" on page 32.

Collect vCenter Server Data

Collect the vCenter Server, host, and guest data from the vCenter Server instances. The data is displayed by detailed data type and appears in the VCM Console.
Prerequisites
Configure the vCenter Server settings. See "Configure the vCenter Server Settings" on page 31.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCenter Server instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vCenter Server instances from which you are collecting and click Next.
6. On the Data Types page, select the Virtualization vCenter Server data types that you want to collect from the vCenter Server instances and click Next.
7. On the Important page, resolve any conflicts and click Finish.
What to do next
Review the collected virtualization data. Click Console and select Virtual Environments > vCenter.

vCenter Server Collection Results

The collected vCenter Server data appears in the Console in the Virtual Environments node. The collected vCenter Server data helps you identify and manage vCenter Server, host, and guest objects.
Option | Description
Console | View the Virtual Environments dashboards. Click Console and select Dashboards > Virtual Environments. View the collected vCenter Server data. Click Console and select Virtual Environments > vCenter to access the collected data. View the change logs for the virtual environments. Click Console and select Change Management to access the collected data.
Compliance | Access compliance rules that you create based on the collected vCenter Server data using the Virtual Environment Compliance node. You cannot create enforceable compliance rules for vCenter Server data. The compliance rules for the virtual machines you license and on which you install the Agent are managed in the Machine Group Compliance node.
Reports | Run configured Virtual Environments reports. Click Reports and select Machine Group Reports > Virtual Environments. Create reports based on collected vCloud Director objects. Click Reports and select Virtual Object Reports.
Administration | Displays managed vCenter Server instances from which you are collecting data. Click Administration and select Machines Manager > Licensed Machines > Licensed Virtual Environments to view licensed vCenter Server instances.
Administration > Machine Groups | Dynamic machine groups based on vCenter Server objects. These objects include instances, hosts, and guest machines, and are used to limit the displayed data.

Configure vCenter Server Virtual Machine Collections

Configure virtual machine collections so that you can identify and manage the guest operating systems on the vCenter Server virtual machines.
VCM manages virtual machines as guest machines and as Windows, Linux, or UNIX machines. To manage the virtual machines as guest machines, you collect vCenter Guests data from your vCenter Server. To manage the virtual machines based on operating system, you license, install the VCM Agent, and collect data directly from the managed machines.
You can identify the virtual machines in your environment in two ways.
- Collect vCenter Guests data from your vCenter Servers and manage the virtual Windows, Linux, or UNIX machines. See "Collect vCenter Server Virtual Machines Data" on page 34.
- Manually discover Windows Machines or add Linux or UNIX machines. For Windows machines, see "Discover Windows Machines" on page 73. For Linux or UNIX machines, see "Add UNIX/Linux Machines" on page 108.

Collect vCenter Server Virtual Machines Data

Identify and license your virtual machines that are identified based on collected vCenter Guests data.
Prerequisites
Manage your vCenter Servers in VCM. See "Configure vCenter Server Data Collections" on page 30.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines > Licensed Virtual Environments.
3. Select the vCenter Servers and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vCenter Servers from which you are collecting and click Next.
6. On the Data Types page select Virtualization > vCenter Guests and click Next.
7. On the Important page, resolve any conflicts and click Finish.
What to do next
License your virtual machines. See "Manage vCenter Server Virtual Machines" on page 34.

Manage vCenter Server Virtual Machines

Add and license the virtual machines identified based on a vCenter Guests collection from your vCenter Servers. If you are managing Windows virtual machines, you can also install the VCM Agent.
Using the Manage Guests wizard, you can add the virtual machines to the appropriate Available Machines data grid based on operating system, license the virtual machine based on operating system, or, for Windows machines, license and install the Agent.
Prerequisites
Collect vCenter Guests data from your vCenter Servers. See "Collect vCenter Server Virtual Machines Data" on page 34.
Procedure
1. Click Console.
2. Select Virtual Environments > vCenter > Guests > Summary.
3. Select either your Windows virtual machines or your UNIX/Linux virtual machines and click Manage Guests.
4. On the Default Domain page, configure the options and click Next.
a. Specify the Domain in which the machines are running.
b. Select the Domain Type.
5. On the Edit VMGuest Machine Info page, review the list and update or remove virtual machines, and click Next.
6. On the License VMGuests page, configure the options and click Next.
a. Select License the selected machines.
b. (Windows machines only) Select Install VCM agents for the selected Windows machines, and click Next.
7. On the Confirm Your Changes page, review the changes and click Finish.
What to do next
- For Windows operating system guest machines on which you installed the Agent, collect from the Windows virtual machines. See "Collect Windows Data" on page 84. If you did not install the Agent, see "Install the VCM Windows Agent on Your Windows Machines" on page 77.
- For UNIX/Linux operating system guest machines you must install the Agent. See "Install the Agent on UNIX/Linux Machines" on page 109.

Configure vCloud Director Collections

Configure collections from your vCloud Director instances so that you can run compliance and reports, and identify your vApp virtual machines.
Prerequisites
- Configure your Managing Agent machines. See "Configure Managing Agent Machines" on page 26.
- To maintain secure communication, you need the SSL certificates from your instances of vCloud Director. See "Obtain the SSL Certificate Thumbprint" on page 29.
Procedure
1. "Add vCloud Director Instances" on page 35
Add the instances of vCloud Director to VCM so that you can license and collect vCloud Director data using the Managing Agent.
2. "Configure the vCloud Director Settings" on page 36
Configure the Managing Agent, communication, and vCloud Director access options so that VCM can collect virtual machine data from your instances of vCloud Director.
3. "Collect vCloud Director Data" on page 37
Collect the data from the instances of vCloud Director. The data is displayed by detailed data type and appears in the VCM Console.
The collected vCloud Director data appears in the Console in the Virtual Environments node. The data helps you identify and manage vApp virtual machines. See "vCloud Director Collection Results" on page 38.

Add vCloud Director Instances

Add the instances of vCloud Director to VCM so that you can license and collect vCloud Director data using the Managing Agent.
In addition to adding the instances of vCloud Director, you can also add the Red Hat machine on which the vCloud Director instance is installed and manage the underlying Red Hat operating system.
Prerequisites
Know the names and domain information for the instances of vCloud Director in your environment.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Click Add Machines.
4. On the Add Machines page, select Basic: Name, Domain, Type, Automatically license machines, and click Next.
5. On the Manually Add Machines - Basic page, configure these options to identify the instances of vCloud Director.
Option | Description
Machine | Name of the vCloud Director instance.
Domain | Domain to which the vCloud Director instance belongs.
Type | Domain type.
Machine Type | Select vCloud Director.
6. Click Add.
The machine information is added to the list.
7. (Optional) Add other instances of vCloud Director as needed.
8. When all your instances of vCloud Director are added to the list, click Next.
9. On the Information page, review the summary and click Finish.
What to do next
- Configure the vCloud Director settings. See "Configure the vCloud Director Settings" on page 36.
- Manage the Red Hat operating systems on which your vCloud Director instances are running. See "Configuring Linux and UNIX Machines" on page 107.

Configure the vCloud Director Settings

Configure the Managing Agent, communication, and vCloud Director access options so that VCM can collect virtual machine data from your instances of vCloud Director.
Prerequisites
- Collect Machines data from the Windows machine that you designated as your Managing Agent. See "Collect Machines Data From the Managing Agent Machines" on page 27.
- If you are using SSL Certificates to maintain secure communication, you must provide the certificate thumbprint from the target system when configuring the settings. See "Obtain the SSL Certificate Thumbprint" on page 29.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCloud Director instances and click Configure Settings.
4. On the Virtual Environment page, verify that the vCloud Director instances appear in the lower pane and click Next.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vCloud Director instances and click Next.
Option: Description
Managing Agent: Select the Windows machine to manage communication between the Collector and the vCloud Director instances. This Windows machine must have the 5.5 Agent or later installed. You can use the Collector as your managing agent.
Port: Type the port used by the API on the vCloud Director instance. The default value is 443.
User ID: Type a vCloud Director instance user name. The user must have a vCloud Director administrative role or an unrestricted read only role. Use a full vCloud Director administrative user, such as administrator@system.
Password: Type the password for the vCloud Director instance user ID.
Confirm Password: Type the password again.
Ignore untrusted SSL Certificate: Select one of the following certificate options.
  - Yes: Ignores the requirement for a valid signed certificate.
  - No: Requires a valid signed certificate.
6. If you selected No on the Managing Agent and Communication Settings page, you must type or paste the thumbprint string in the text box and click Next.
7. On the Important page, click Finish.
What to do next
Collect vCloud Director data. See "Collect vCloud Director Data" on page 37.

Collect vCloud Director Data

Collect the data from the instances of vCloud Director. The data is displayed by detailed data type and appears in the VCM Console.
Prerequisites
Configure the vCloud Director settings. See "Configure the vCloud Director Settings" on page 36.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCloud Director instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vCloud Director instances from which you are collecting and click Next.
6. On the Data Types page, select the Virtualization vCloud Director data type that you want to collect from the vCloud Director instances and click Next.
7. On the Important page, resolve any conflicts and click Finish.
What to do next
Review the collected virtualization data. Click Console and select Virtual Environments > vCloud Director.
Discover the vApp virtual machines created by the vCloud Director and make them available in VCM. See "Discover vCloud Director vApp Virtual Machines" on page 41.

vCloud Director Collection Results

The collected vCloud Director data appears in the Console. The discovered virtual machines appear on Administration. After you license the virtual machines and install the Agent, you manage them based on their operating system.
The displayed data is only as current as the last time you collected data from your vCloud Director instances and from your managed machines.
Option: Description
Console: View collected vCloud Director instance data. Click Console and select Virtual Environments > vCloud Director. View the change logs for the virtual environments. Click Console and select Change Management to access the collected data.
Compliance: Access compliance rules that you create based on the collected vCloud Director data using the Virtual Environment Compliance node. You cannot create enforceable compliance rules for vCloud Director data. The compliance rules for the virtual machines that you license and on which you install the Agent are managed in the Machine Group Compliance node.
Reports: Run a configured vCloud Director report. Click Reports and select Machine Group Reports > Virtual Environments > vCloud Director Managed VMs. The report includes the vCloud Director Instance, Organization, Organization virtual datacenter, vApp Name, the VC Machine Name, and the related networking data. Create reports based on collected vCloud Director objects. Click Reports and select Virtual Object Reports.
Administration: Displays managed vCloud Director instances from which you are collecting data. Click Administration and select Machines Manager > Licensed Machines > Licensed Virtual Environments. Displays the discovered virtual machines with a machine name that is based on your configuration options in the discovery rule. For example, OrgName:vAppName:VirtualMachineName. Click Administration and select Machines Manager.
  - If the machines are not licensed and the Agent is not installed, the machines appear in the Available Machines data grid based on the operating system.
  - If the machines are licensed and the Agent is installed, the machines appear in the Licensed Machines data grid based on the operating system.
Administration > Machine Groups: Dynamic machine groups based on vCloud Director objects, including instances and guest machines, are used to limit the displayed data.

Configure vCloud Director vApp Virtual Machines Collections

Collect vCloud Director data so that you can identify and manage the guest operating systems of the vApp virtual machines.
To accommodate how vCloud Director manages vApps, which can include duplicate names, IP addresses, and MAC addresses, VCM collects and displays internal and external IP address information, internal machine name information, and vCenter machine name information collected directly from vCloud Director. Based on the collected data, you determine how VCM constructs a unique virtual machine name and specify which IP address to use based on the network address translation (NAT) mapping level.
To identify the vCloud Director virtual machines, you configure discovery rules that analyze data collected from the vCloud Director REST API and use the vApp virtual machine information to add new virtual machines to VCM. After installing the Agent and licensing the virtual machines, you manage the new machines based on their operating systems. The machines appear in VCM based on your configured naming convention.

Network Address Translation and vCloud Director vApp Discovery Rules

To configure the connection string when creating a vCloud Director virtual machines discovery rule, you must know how network address translation (NAT) is implemented in your vCloud Director instances.
The vCloud Director administrator configures the NAT mapping. How the virtual machines are configured with NAT and where VCM is in the network determines the connection string that VCM uses to communicate with the virtual machines.
vCloud Director 1.0 and 1.5 support a variety of vApp network configurations. VCM supports these scenarios.
- VCM is located in the vApp with the virtual machines that it is managing.
- The vApp has a direct connection to the org network.
- The vApp has a direct connection to the external network.
- The vApp has a one-to-one IP address NAT connection to the organization network with direct connection to the external network.
- The vApp has a one-to-one IP address NAT connection to the organization network with a one-to-one IP address NAT connection to the external network.
- The vApp has a direct connection to the organization network with one IP address to one IP address NAT connection to the external network.
VCM does not support one to many IP addresses NAT mapping for vCloud Director vApp virtual machines.
To determine the connection string to use when discovering the vCloud Director virtual machines, you must know where VCM is located in the network and how NAT is implemented.
Table 3–1. Determining the Connection String Based on Network Configuration
Location of VCM or the Proxy Server on the Network | External Network | Organization Network | Discovery Rule Connection String
In the managed vApp | NA | NA | Internal IP
On Org Network | NA | Direct connection. | None (use DNS) or Internal IP
On Org Network | NA | NAT at vApp level. | vApp External IP
On External Network | Direct Connection | Not connected or direct connection. | Internal IP
On External Network | Direct from Organization | NAT at vApp level. | vApp External IP
On External Network | NAT at Org level | The vApp level IP is collected from vCloud Director, but it is not used for the VCM connection. | Org External IP
After you collect the vCloud Director data, you can view the internal and external IP addresses in network information for the virtual machines.
Best Practice
VCM cannot use DCOM to communicate with vCloud Director vApp virtual machines across NAT mapped networks.
In a NATmapped network environment, your best practice is to install the Agent on the vApp template machines. You must manually install the Agent with the HTTP mode enabled, but you must not collect data from these template machines. Collecting from the template machines generates machine-specific information that will cause the virtual machines created from the template to run incomplete collections.
If you discovered NAT mapped vApp virtual machines that do not have the Agent preinstalled on the templates from which they were created, you must manually install the Agent. The Agent must be installed with the HTTP protocol enabled. See "Manually Install the VCM Windows Agent" on page 78.

Discover vCloud Director vApp Virtual Machines

To begin managing the vCloud Director vApp virtual machines, create and run a VCM discovery rule. The rule runs against the collected vCloud Director data in the VCM database.
Prerequisites
- Collect vCloud Director data. You can run the discovery only on the collected data. See Collect vCloud Director Data.
- Determine how NAT is used in your vCloud Director network and where VCM is located in relationship to the network. See "Network Address Translation and vCloud Director vApp Discovery Rules" on page 39.
Procedure
1. Click Administration.
2. Select Machines Manager > Discovery Rules.
3. On the data grid toolbar, click Add.
4. On the Discovery Rules page, type a Name and Description, and click Next.
5. On the Discovery Method page, select By DB Discovery and click Next.
6. On the Discovery Query page, in the Discovery Query drop-down menu, select vCloud Director Managed VMs and click Next.
7. On the Discovery Query Parameters page, configure the options to use when discovering and adding the data to VCM and click Next.
Option: Description
Machine Name Format: Select the format used to display the virtual machine name. You can select the vCenter name for the virtual machine or select a combination of names for the virtual machine that includes the vApp that contains the virtual machine, the vCloud Director organization, and the vCloud Director instance. With these formats, you can easily sort, group, and display the data in VCM. The composite name is limited to 128 characters.
  - VCName: Name of the virtual machine in vCenter. vCloud Director creates the virtual machine and generates the name of the virtual machine, which includes the machine's host name and the 10-digit identification number of the virtual machine in vCenter. This name is unique in a single vCloud Director instance.
  - vApp:VCName: Name of the vApp that contains the virtual machine and the name of the virtual machine in vCenter.
  - vDC:vApp:VCName: Name of the virtual datacenter with the vApp name and the name of the virtual machine in vCenter.
  - Org:vDC:vApp:VCName: Name of the vCloud Director organization with the virtual datacenter name, the name of the vApp that contains the virtual machine, and the name of the virtual machine in vCenter.
  - Cloud:Org:vDC:vApp:VCName: Name of the vCloud Director instance with the name of the vCloud Director organization, the virtual datacenter name, the name of the vApp that contains the virtual machine, and the name of the virtual machine in vCenter.
Machine Name Delimiter: Select a character to separate the elements of the vCloud Director hierarchy that you use as the machine name.
Domain Name: Type or select the domain in which you are managing the virtual machines.
Domain Type: Select the type of domain to which you are adding the virtual machines.
Protocol: Select the protocol by which the Collector will communicate with the Agent. If the virtual machines in the vApp use NAT mapping, you must select HTTP. If the virtual machines do not use NAT, you can use HTTP or DCOM.
HTTP Port: If you selected the HTTP protocol, you must specify the port used to communicate with the Collector. Uses the HTTP Listener on the target machine. The listener is configured to listen on the designated port. Port 26542 is the default setting. Accepted port values range from 1–65535. Other applications should not use this port.
Use a proxy server: Select Yes if you use a proxy server for communication between the Collector and the Agents on the virtual Windows machines. Select No if you do not use a proxy server or if you are managing UNIX/Linux machines. If the machines you add are Windows machines, you can select a proxy server for communication between the Collector and the Agents on managed machines that are located on the other side of a proxy server. The proxy server routes requests from the Collector to the Agents on managed machines. A proxy server can only be used with Windows HTTP agents.
Connection String: Select the IP address to use when communicating with the virtual machines. This address can differ from the address that resolves by machine name from DNS or other name resolution systems. Use this address when VCM must contact a vApp virtual machine through a Network Address Translation (NAT) address, or when DNS available to the Collector cannot resolve the vApp virtual machines. If the virtual machines that appear in the console as part of your vCloud Director collections are not added as part of your database discovery of vCloud Director data, ensure that the internal or external connection string is valid for the virtual machines. If the connection string is set to External IP, you will discover only machines with external IP addresses. The connection string depends on the type and level at which NAT mapping is configured.
  - None (use DNS): The Collector resolves the IP address to the virtual machine based on the configured name resolution mechanisms. For example, DNS or Hosts.
  - Internal IP: The IP address that the virtual machine has in the vApp.
  - vApp External IP: The IP address external to the vApp addresses of the virtual machines that are configured with NAT at the vApp level.
  - Org External IP: The IP address external to the organization addresses of the virtual machines that are configured with NAT at the organization level or at the organization and vApp level. If NAT is implemented at the vApp and organization level, select this option.
Cloud Name Filter: To run the query against all system resources in a vCloud Director instance, type the name of the vCloud Director instance. SQL wildcard expressions are allowed. Discovers all virtual machines managed by the vCloud Director instance.
Org Name Filter: To run the query against an organization in a vCloud Director instance, type the name of the organization. SQL wildcard expressions are allowed. Discovers all virtual machines in the organization.
vDC Name Filter: To run the query against a virtual datacenter in a vCloud Director instance, type the name of the virtual datacenter. SQL wildcard expressions are allowed. Discovers all virtual machines in the virtual datacenter.
vApp Name Filter: To run the query against a vApp, type the name of the vApp. SQL wildcard expressions are allowed. Discovers all virtual machines in the vApp.
VM Name Filter: To run the query to add a specific virtual machine, type the name of the machine. SQL wildcard expressions are allowed. Discovers the virtual machine.
Network Name Filter: To run the query against resources on a particular network, type the name of the network. SQL wildcard expressions are allowed. Discovers all virtual machines on the network.
IP Address Filter: To run the query to add virtual machines with a particular IP address, type the address. SQL wildcard expressions are allowed. Discovers all virtual machines with that IP address.
Include rule in post collection IP update: Select Yes to include the properties of this discovery rule to update the connection string information for the discovered machines when new vCloud Director data is collected. Select No to not update the connection string information.
8. On the Important page, select the options and click Finish.
Option: Description
Would you like to run this Discovery Rule now?: Select Yes.
License and Install Agent on Discovered Machines: If you do not use NAT mapping, select the option to install the Agent. If you use NAT mapping, you must manually install the Agent on the discovered machines.
What to do next
- Review the discovery jobs to determine if your job finished. Click Administration and select Job Manager > History > Other Jobs.
- Review the collected vCloud Director vApp virtual machine data. Click Administration and select Machines Manager. In Available Machines and Licensed Machines, select the operating system type and review the list for the added virtual machines.
- If the discovered machines are listed only in the Available Machines list and the virtual machines use NAT mapping, you must manually install the Agent appropriate for the operating system. For Windows operating systems, see "Manually Install the VCM Windows Agent" on page 78. For Linux or UNIX operating systems, see "Install the Agent on UNIX/Linux Machines" on page 109.
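The following Python sketch is an added example, not VCM code. It dry-runs the discovery rule options described above against constructed sample records, showing which virtual machines would be left out because the selected connection string address was never collected (and so would stay unmanaged), and which machine names collide when the chosen name format omits the vCloud Director instance. The record fields, function names, case-insensitive wildcard matching, and the handling of names over 128 characters are assumptions.

```python
"""Dry-run preview of a vCloud Director discovery rule (added example, not VCM code).

All names here are hypothetical and the sample records are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Machine Name Format options from the Discovery Query Parameters page,
# mapped to the (hypothetical) record fields that make up each name.
NAME_FORMATS = {
    "VCName": ("vc_name",),
    "vApp:VCName": ("vapp", "vc_name"),
    "vDC:vApp:VCName": ("vdc", "vapp", "vc_name"),
    "Org:vDC:vApp:VCName": ("org", "vdc", "vapp", "vc_name"),
    "Cloud:Org:vDC:vApp:VCName": ("cloud", "org", "vdc", "vapp", "vc_name"),
}

# Connection String options mapped to the collected address each one needs.
CONNECTION_FIELDS = {
    "None (use DNS)": None,
    "Internal IP": "internal_ip",
    "vApp External IP": "vapp_external_ip",
    "Org External IP": "org_external_ip",
}

MAX_NAME_LEN = 128  # the guide limits the composite name to 128 characters


@dataclass
class VAppVM:
    cloud: str
    org: str
    vdc: str
    vapp: str
    vc_name: str
    internal_ip: Optional[str] = None
    vapp_external_ip: Optional[str] = None
    org_external_ip: Optional[str] = None


def like_to_regex(pattern):
    """Translate the SQL wildcards % and _ into a regex; other characters are literal.

    Assumption: matching is case-insensitive (this depends on database collation).
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def preview_rule(vms, name_format, delimiter, connection, filters):
    """Return what the rule would add, skip, and flag for review.

    filters maps a record field (cloud, org, vdc, vapp, vc_name) to a
    SQL-wildcard pattern; empty or missing filters match everything.
    """
    fields = NAME_FORMATS[name_format]
    ip_field = CONNECTION_FIELDS[connection]
    matchers = {f: like_to_regex(p) for f, p in filters.items() if p}
    result = {"added": [], "skipped": [], "too_long": [], "duplicates": []}
    for vm in vms:
        if not all(m.fullmatch(getattr(vm, f)) for f, m in matchers.items()):
            continue
        name = delimiter.join(getattr(vm, f) for f in fields)
        address = getattr(vm, ip_field) if ip_field else None
        if ip_field and not address:
            # For example, External IP selected but no external address collected.
            result["skipped"].append((name, "no " + connection + " collected"))
        elif len(name) > MAX_NAME_LEN:
            # The guide does not say what VCM does here; flag for review.
            result["too_long"].append(name)
        else:
            result["added"].append((name, address))
    counts = Counter(name for name, _ in result["added"])
    result["duplicates"] = [n for n, c in counts.items() if c > 1]
    return result


# Constructed sample data: two vCloud Director instances reuse vApp and VM names.
SAMPLE_VMS = [
    VAppVM("cloud-a", "Finance", "vdc1", "payroll", "web01-0000000001",
           internal_ip="192.168.2.100", vapp_external_ip="10.20.0.11"),
    VAppVM("cloud-a", "Finance", "vdc1", "payroll", "db01-0000000002",
           internal_ip="192.168.2.101"),
    VAppVM("cloud-b", "Finance", "vdc1", "payroll", "web01-0000000001",
           internal_ip="192.168.2.100", vapp_external_ip="10.30.0.11"),
    VAppVM("cloud-a", "HR", "vdc2", "portal", "web01-0000000003",
           internal_ip="192.168.2.100", vapp_external_ip="10.20.0.12"),
]

if __name__ == "__main__":
    for fmt in ("vApp:VCName", "Cloud:Org:vDC:vApp:VCName"):
        print(fmt, preview_rule(SAMPLE_VMS, fmt, ":", "vApp External IP", {"org": "Fin%"}))
```

Comparing the skipped list with the machines shown in the Console after a collection gives a quick check that no vApp virtual machine was silently left out of management.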

Configure vShield Manager Collections

Configure collections from your vShield Manager instances so that you can run reports on the collected data.
Prerequisites
- Configure your Managing Agent machines. See "Configure Managing Agent Machines" on page 26.
- To maintain secure communication, you need the SSL certificates from your instances of vShield Manager. See "Obtain the SSL Certificate Thumbprint" on page 29.
Procedure
1. "Add vShield Manager Instances" on page 45
Add the instances of vShield Manager to VCM so that you can license and collect vShield Manager data using the Managing Agent.
2. "Configure the vShield Manager Settings" on page 46
Configure the Managing Agent, communication, and vShield Manager access options so that VCM can collect group and group member data from your instances of vShield Manager.
3. "Collect vShield Manager Data" on page 47
Collect the data from the instances of vShield Manager. The data is displayed by detailed data type and appears in the VCM Console.
The collected vShield Manager data appears in the Console in the Virtual Environments node. See "vShield Manager Collection Results" on page 48.

Add vShield Manager Instances

Add the instances of vShield Manager to VCM so that you can license and collect vShield Manager data using the Managing Agent.
Most vShield Manager instances are discovered, added, and licensed. Use this procedure if they are not added to VCM.
Prerequisites
- Ensure that the vCenter Server that each instance of vShield Manager is managing is added to VCM. See "Add vCenter Server Instances" on page 30.
- Know the names and domain information for the instances of vShield Manager in your environment.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Click Add Machines.
4. On the Add Machines page, select Basic: Name, Domain, Type, Automatically license machines, and click Next.
5. On the Manually Add Machines - Basic page, configure these options to identify the instances of vShield Manager.
Option: Description
Machine: Name of the instance of vShield Manager.
Domain: Domain to which the instance of vShield Manager belongs.
Type: Domain type.
Machine Type: Select vShield.
6. Click Add.
The machine information is added to the list.
7. (Optional) Add other instances of vShield Manager as needed.
8. When all your instances of vShield Manager are added to the list, click Next.
9. On the Information page, review the summary and click Finish.
What to do next
Configure the vShield Manager settings. See "Configure the vShield Manager Settings" on page 46.

Configure the vShield Manager Settings

Configure the Managing Agent, communication, and vShield Manager access options so that VCM can collect group and group member data from your instances of vShield Manager.
Prerequisites
- Collect Machines data from the Windows machine that you designated as your Managing Agent. See "Collect Machines Data From the Managing Agent Machines" on page 27.
- If you are using SSL Certificates to maintain secure communication, you must provide the certificate thumbprint from the target system when configuring the settings. See "Obtain the SSL Certificate Thumbprint" on page 29.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the instances of vShield Manager and click Configure Settings.
4. On the Virtual Environment page, verify that the vShield Manager instances appear in the lower pane and click Next.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vShield Manager instances and click Next.
Option: Description
Managing Agent: Select the Windows machine to manage communication between the Collector and the vShield Manager instances. This Windows machine must have the 5.5 Agent or later installed. You can use the Collector as your managing agent.
Port: Type the port used by the API on the vShield Manager instances. The default value is 443.
User ID: Type a vShield Manager instance user name. The user must have a vShield Manager administrative role or an unrestricted read only role.
Password: Type the password for the vShield Manager instance user ID.
Confirm Password: Type the password again.
Ignore untrusted SSL Certificate: Select one of the following certificate options.
  - Yes: Ignores the requirement for a valid signed certificate.
  - No: Requires a valid signed certificate.
Select vCenter for vShield: Select the vCenter Server instance managed by this vShield Manager instance.
6. If you selected No on the Managing Agent and Communication Settings page, you must type or paste the thumbprint string in the text box and click Next.
7. On the Important page, click Finish.
What to do next
Collect vShield Manager data. See "Collect vShield Manager Data" on page 47.

Collect vShield Manager Data

Collect the data from the instances of vShield Manager. The data is displayed by detailed data type and appears in the VCM Console.
Prerequisites
Configure the vShield Manager settings. See "Configure the vShield Manager Settings" on page 46.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vShield Manager instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vShield Manager instances from which you are collecting and click Next.
6. On the Data Types page, select the Virtualization that you want to collect from the vShield Manager instances and click Next.
7. On the Important page, resolve any conflicts and click Finish.
What to do next
Review the collected virtualization data. Click Console and select Virtual Environments > vCloud Director.
Discover the vApp virtual machines created by the vCloud Director and make them available in VCM. See
"Discover vCloud Director vApp Virtual Machines" on page 41.

vShield Manager Collection Results

The collected vShield Manager data appears in the Console and is available to generate reports.
The displayed data is only as current as the last time you collected data from your vShield Manager instances.
Option: Description
Console: Displays collected vShield Manager instance data. Click Console and select Virtual Environments > vCloud Director.
Reports: Create and run configured vShield Manager reports.
Administration: Displays managed vShield Manager instances from which you are collecting data. Click Administration and select Machines Manager > Licensed Machines > Licensed Virtual Environments to view licensed vShield Manager instances.
Administration > Machine Groups: Dynamic machine groups are based on vShield App instances security group membership and are used to limit the displayed data.

Configure ESX Service Console OS Collections

The ESX Service Console OS Linux data type data and the ESX logs are collected directly from the ESX operating systems, not from vCenter Server. Configure the ESX servers so that you can collect the Linux data type and ESX log data from the ESX service console operating system.
To collect the data, VCM uses an Agent Proxy rather than a VCM Agent installed directly on the ESX and ESXi machines. To support the Agent Proxy, you must copy required files and certificates on the ESX and ESXi servers to manage the data collection from those machines.
Perform the required tasks first for ESX servers, and then for ESXi servers.
1. "Configure the Collector as an Agent Proxy" on page 49
The Agent Proxy machine is a Windows machine configured to communicate with ESX and ESXi servers and to remotely collect data from those servers. The Collector automatically meets the Agent Proxy requirements. You license the Collector and then collect the Machines data type.
2. "Configure Virtual Machine Hosts" on page 50
License virtual machine hosts to generate a file containing machine names and settings. You use the generated file to configure the ESX machines for management in VCM.
3. "Copy Files to the ESX/ESXi Servers" on page 51
To import target machine information and copy the required files from VCM, you use the UNIX/ESX/vSphere Deployment Utility on your Agent Proxy machines.
4. "Collect ESX Logs Data" on page 53
An initial collection of Virtual Environments data identifies your virtual machine hosts and their guest machines.
You have several options for reviewing and using ESX Logs data in VCM. The data used is only as current as the last collection, and the amount of time it takes for the data to display is based on the volume or complexity of the data requested. See "Virtualization Collection Results" on page 53.

Configure the Collector as an Agent Proxy

The Agent Proxy machine is a Windows machine configured to communicate with ESX and ESXi servers and to remotely collect data from those servers. The Collector automatically meets the Agent Proxy requirements. You license the Collector and then collect the Machines data type.
NOTE If you manage more than fifty host machines, you must use a separate Windows machine as your Agent Proxy. Moving the Agent Proxy activity to the separate machine optimizes performance. See "Configuring Standalone Agent Proxy Machines" in the online Help.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. Determine whether the Collector machine name appears in the data grid.
If it is listed in the data grid, the machine is licensed. If it is not listed, continue with the licensing process.
4. License the Collector.
a. Select Machines Manager > Available Machines.
b. Select the Collector in the data grid and click License.
c. On the Machines page of the Available Machines License wizard, verify that the Collector machine name appears in the Selected list and click Next.
d. Review the Product License Details page and click Next.
e. Review the Important page and click Finish.
f. Select Administration > Machines Manager > Licensed Machines > Licensed Windows Machines to verify that the Collector is now licensed.
g. Click Refresh on the Console toolbar to update the data.
5. Run a collection for machines data to identify the Collector as an available Windows machine.
a. Select Machines Manager > Licensed Windows Machines, select the Collector in the data grid, and click Collect on the Console toolbar.
b. On the Collection Type page, click Machine Data and click OK.
c. On the Machines page, verify that the Collector machine name appears in the Selected list.
d. Click Select Data Types to collect from these machines and click Next.
e. On the Data Types page, expand the Windows tree and select Machines.
f. Select Use default filters and click Next.
g. Review the Important page and click Finish.
The collection job starts. You can use the Job Manager to determine when the collection is finished.
What to do next
- When the collection is completed, verify that the Collector machine Agent Proxy State equals Current Agent. Click Administration and select Machines Manager > Agent Proxies and review the data grid.
- License and configure the target virtual machine hosts. See "Configure Virtual Machine Hosts" on page 50.

Configure Virtual Machine Hosts

License virtual machine hosts to generate a file containing machine names and settings. You use the generated file to configure the ESX machines for management in VCM.
All Virtualization data types are collected through Web Services communication except for the VM Logs, which are collected through SSH and only from ESX machines.
Prerequisites
- Verify that at least one Agent Proxy machine is configured. See "Configure the Collector as an Agent Proxy" on page 49.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed ESX/ESXi Hosts.
3. Select the ESX host and click Configure Settings.
4. Add the machines to be configured to the lower grid and click Next.
The selected machines will use the same Agent Proxy and the same SSH and Web Services settings.
5. Configure the settings on the Agent Proxy and Communication Setting page.
Option: Description
Agent Proxy: The configured Agent Proxy used to manage the selected virtual machine host machines. This option is required when you are licensing host machines, but it is optional if you are modifying the settings.
SSH Settings: Select the check box to configure the settings for your ESX machines. Configure these settings so that you can collect ESX Logs data from the managed host machines.
  - Port: Used by VMware Web Services SDK for the ESX server on which SSH is listening. The Agent Proxy communicates with the ESX server using this port. The default port (22) is set to the default value for SSH on ESX.
  - User ID: Used by the Agent Proxy to communicate with the ESX server through SSH. This account must have certain permissions, for example, sudoers, defined in the installation process. Authentication for this account uses public key cryptography that was set up during the installation process.
Web Services Settings: (Optional) Select the check box to configure the settings for your ESX and ESXi machines. Configure the settings to collect virtual environment data from a host machine.
  - Port: The port on the ESX server used by the Agent Proxy to communicate with the VMware web services interface.
  - User ID: The account that has access to the VMware Web services interface. If you are using ESX, this account must have Administrator access to Web services on the ESX server. This user ID may be different from the user ID for SSH communication, depending on whether you created different accounts during the ESX installation process.
  - Password: The password for the Web services User ID specified above. This password is encrypted in the VCM database.
  - Confirm Password: Retype the password.
  - Ignore untrusted SSL Certificate: Connection allowed even when certificates are not verified as trusted.
6. On the Important page, record the .xml file name.
The file is saved to the location configured for CMFiles$\VMHosts_Config. The default location is \Program Files (x86)\VMware\VCM\WebConsole\L1033\Files\VMHosts_Config.
7. Click Finish.
What to do next
Copy the SSH public key file, the csiprep.py file, and the csiprep.config file to the target ESX machines. See "Copy Files to the ESX/ESXi Servers" on page 51.

Copy Files to the ESX/ESXi Servers

To import target machine information and copy the required files from VCM, you use the UNIX/ESX/vSphere Deployment Utility on your Agent Proxy machines.
For ESX machines, you import target machine information from VCM and copy the SSH public key file, the csiprep.py file, and the csiprep.config file to the target ESX machines.
For ESXi machines, you import machine information and copy the necessary Web Services settings to the target machines.
Prerequisites
- License the ESX and ESXi machines. See "Configure Virtual Machine Hosts" on page 50.
- Locate the UNIX/ESX/vSphere Deployment Utility file in C:\Program Files (x86)\VMware\VCM\Tools\DeployUtility-<version number>. Consult the Deployment Utility online help when using the tool.
Procedure
1. Copy the UNIX/ESX/vSphere Deployment Utility file to the Agent Proxy machine, either a standalone Windows machine or the Collector, and unzip the file.
2. Double-click DeployUtil.exe to start the Deployment Utility.
3. Click the ESX/vSphere Configuration tab.
4. Click File > Open.
5. Browse to the location of the virtual machine hosts configuration file generated when you licensed and configured the virtual machine hosts.
The default location on the Collector is \Program Files (x86)\VMware\VCM\WebConsole\L1033\Files\VMHosts_Config.
6. Select the .xml file and click Open.
The machine information in the .xml file is imported into the ESX Server Settings table on the ESX/vSphere Configuration tab with the settings that you defined in VCM.
7. Select a configuration option.
Option: Configure ESX 3.x Servers
Description: Configures the SSH certificate, the csiprep.py file, the csiprep.config file, and passes the SSH and Web Services user information to the target ESX machines.
Option: Configure ESXi Servers
Description: Passes the Web Services to the target ESX machines
8. (Optional) Configure the default server location.
The following settings are automatically configured to the default server locations. If you need to change the paths, click the ellipsis button.
- SSH Public Key file (ESX 3.x only)
- Log Files Location
- csiprep.py File (ESX 3.x only)
- csiprep.config File (ESX 3.x only)
9. (Optional) Configure the VCM user name and password.
To modify the settings in VCM, use the following options or manually change the values in the ESX Server Settings table. For more information about the settings, see the Deployment Utility online Help.
- Use the same user name for both SSH and Web Services collections (ESX 3.x only).
- Use the same password for all Web Services users.
- Apply the same user names and passwords to all ESX servers.
10. Click Configure.
All the machines where the Configure check box is selected now have the same version of the files copied to the location specified in the Remote Path field in the table. If no path is specified, the files are copied to the /tmp directory.
What to do next
Collect data from the target virtual machine hosts. See "Collect ESX Logs Data" on page 53.

Collect ESX Logs Data

An initial collection of Virtual Environments data identifies your virtual machine hosts and their guest machines.
Procedure
1. On the Portal toolbar, click Collect.
2. Select your ESX Servers.
To avoid configuration conflicts, do not select both for one action. The selected machines appear in the Selected list.
3. Click Select Data Types to collect from these machines and click Next.
4. Expand the UNIX node and select the Machines - General data type.
5. Expand the Virtualization node and select the ESX Logs data types.
6. Click Use default filters and click Next.
7. Click Finish.
Monitor the collection job in Job Manager. When the collection is completed, the data is available for reports and compliance assessments.
What to do next
Review the collected data in the Console, run reports, configure alerts, and use the machine groups. See "Virtualization Collection Results" on page 53.

Virtualization Collection Results

You have several options for reviewing and using ESX Logs data in VCM. The data used is only as current as the last collection, and the amount of time it takes for the data to display is based on the volume or complexity of the data requested.
Option: Console
Description: View ESX logs. Click Console and select Virtual Environments > ESX Logs.

Configure the vSphere Client VCM Plug-In

The vSphere Client VCM Plug-In provides contextual access to VCM change, compliance, and management functions. It also provides direct access to collected vCenter Server, virtual machine host, and virtual machine guest data.
When using the vSphere Client VCM Plug-In, the virtual machine host name in vCenter must match the virtual machine host name in VCM.
CAUTION Anyone accessing VCM and the vSphere Client must have a unique login. Do not share vSphere Client logins between VCM users. Do not share vSphere Client logins between VCM users and non-VCM users.
Procedure
1. "Register the vSphere Client VCM Plug-In" on page 54
The registration process configures the URL in the VMware vSphere Client to the VCM Collector and makes the VCM Summary and VCM Actions tabs available in the vSphere Client.
2. "Configuring the vSphere Client VCM Plug-In Integration Settings" on page 55
Configure integration settings in VCM for your vSphere Client VCM Plug-In users. The settings enable users to view the VCM reports.
3. "Manage Machines from the vSphere Client" on page 56
vSphere Client-managed machines are available in the vSphere Client VCM Plug-In when they are licensed and have the VCM Agent installed. The available actions include collecting new data and running compliance, patching, and reports for the selected machines.

Register the vSphere Client VCM Plug-In

The registration process configures the URL in the VMware vSphere Client to the VCM Collector and makes the VCM Summary and VCM Actions tabs available in the vSphere Client.
The plug-in is installed with VCM. To unregister a previous version of the plug-in, see Upgrade the .
IMPORTANT The account that you use to register the vSphere Client VCM Plug-In should be a local administrator on the vSphere instance. The account must connect to a machine that has a valid SSL certificate or must register an invalid certificate (for example, a development certificate) when that user logs into the vSphere Client.
Prerequisites
- Verify that you are using VMware vCenter 4 Server.
- Verify that the VMware vSphere Client is installed.
- Verify that VMware Tools is installed on the virtual machines.
Procedure
1. On the VCM Collector, browse to [path]\VMware\VCM\Tools\vSphere Client VCM Plugin\bin and double-click VCVPInstaller.exe.
2. In the VCVP Plug-in Registration dialog box, configure the following options.
Option: Register
Description: Select the option to register the URL for the plug-in. Select Unregister only if you are discontinuing the use of the plug-in on the target vSphere Client.
Option: Server URL
Description: Type the http or https path, where <server> is your vSphere Client server.
Option: Administrator User Name
Description: Type the name of a user with Administrator privileges in the vSphere Client.
Option: Administrator Password
Description: Type the associated password.
Option: URL to vSphereClientVCMPlugin.xml
Description: Type the http path, where <VCMserver> is the name or IP address for the VCM Collector. The xml file is located in \VMware\VCM\WebConsole\L1033\VCVPAnon\Xml\vSphereClientVCMPlugin.xml
3. Click OK.
4. Start VCM.
5. On the login screen, select the role that you are using to log into the vSphere Client VCM Plug-In.
6. Select the Automatically log in using this role check box.
7. Start the vSphere Client.
8. Select a Guest machine.
What to do next
- Confirm that you can access the VCM Summary and VCM Actions tabs.
- Configure the vSphere Client VCM Plug-In integration settings in VCM. See "Configuring the vSphere Client VCM Plug-In Integration Settings" on page 55.

Configuring the vSphere Client VCM Plug-In Integration Settings

Configure integration settings in VCM for your vSphere Client VCM Plug-In users. The settings enable users to view the VCM reports.
Prerequisites
Verify that the vSphere Client VCM Plug-In is registered. See "Register the vSphere Client VCM Plug-In" on page 54.
Procedure
1. Select Administration > Settings > Integrated Products > VMware > vSphere Client VCM Plug-In.
2. Select the setting that you want to configure and click Edit Settings.
3. On the Settings Wizard page for each setting, configure the options.
Option: Machine group against which the external reports will be run
Description: Type the name of the machine group. The default value is All Machines.
Option: Role to use for external report access
Description: Type the name of the user role to be used to access the reports. The default value is Read-Only. Users other than Admin must have the role selected here in order to see reports in the vSphere Client.
Option: User name to use for assessments
Description: Type the name of the user who will be running assessments to obtain data for generating reports.
4. Click Next.
5. Verify your settings and click Finish.
What to do next
You manage machines by running compliance, patching, and reports. See "Manage Machines from the vSphere Client" on page 56.

Manage Machines from the vSphere Client

vSphere Client-managed machines are available in the vSphere Client VCM Plug-In when they are licensed and have the VCM Agent installed. The available actions include collecting new data and running compliance, patching, and reports for the selected machines.
Prerequisites
- License Windows and UNIX/Linux virtual machines. See "License Windows Machines" on page 74 and "License UNIX/Linux Machines" on page 109.
- Install the Agent on the virtual machine. See "Install the VCM Windows Agent on Your Windows Machines" on page 77 and "Install the Agent on UNIX/Linux Machines" on page 109.
- Verify that the integration settings are configured. See "Configuring the vSphere Client VCM Plug-In Integration Settings" on page 55.
Procedure
1. Start the vSphere Client.
2. Click the VCM Actions tab.
What to do next
Click help on the VCMActions tab for more information about the actions.

Troubleshooting the vSphere Client VCM Plug-In Registration

With the vSphere Client VCM Plug-In, you can view and run certain VCM actions in the vSphere Client.
You can use troubleshooting options to identify and resolve any problems.
Invalid Certificate on a vSphere Client
The vSphere Client connects to the vCenter Server using the SSL certificate and displays the datacenters, hosts, and any clusters.
Problem
When logging into a vSphere Client for the first time, if the certificate is not valid, a security warning about the SSL certificate appears.
Cause
The certificate is not valid.
Solution
1. Select the Install this certificate and do not display any security warnings for <vCenter_Server_Instance> option.
2. Click Ignore.
HTTPS/SSL Is Not Configured on the Collector
If the VCM Summary and VCM Actions tabs are not displayed, the settings are improperly configured.
Problem
In the vSphere Client, you cannot see the VCM Summary or VCM Actions tabs.
Cause
If Use SSL was selected during VCM installation, the https/SSL is not properly configured on the Collector.
Solution
1. Open the .xml file specified during the registration.
2. Edit the file to reflect the configured connection method, either http or https.
vSphere Client VCM Plug-In Is Not Enabled
If the VCM Summary and VCM Actions tabs are not displayed, the plug-in is not properly configured.
Problem
In the vSphere Client, you cannot see the VCM Summary or VCM Actions tabs.
Cause
The plug-in is not enabled in the vSphere Client.
Solution
1. In the vSphere Client, select Plug-ins > Manage Plug-ins.
2. In the Installed Plug-ins area, right-click the vCenter Configuration Manager Extension plug-in, and select Enable.
3. Close the Plug-in Manager.
When the tabs appear, you are ready to use the vSphere Client VCM Plug-In.

Running Compliance for the VMware Cloud Infrastructure

Compliance templates evaluate the virtual environment object data to determine if the objects meet the criteria in the rules. If the property values on an object do not meet the criteria, and if there is no exception defined, then the object is flagged as noncompliant. When an object is noncompliant, the template results provide the details of the settings or configurations that do not match the rules. You can use this information to resolve the issue.
Compliance templates include the following components:
- Rule Groups: The rule groups comprise rules and filters.
- Rules: The rules define the optimal configuration standard.
- Filters: The filters limit the objects on which the template runs to only the objects that meet the filter criteria. If filters are not defined, the rules are run against all objects in the virtual objects group.
- Exceptions: The exceptions are optional temporary or permanent exceptions to the template results. The defined exception indicates that a specific result is compliant or noncompliant even though it does not match the requirements of the rules.

Create and Run Virtual Environment Compliance Templates

Create compliance templates that evaluate your virtual environment object data to determine if the objects meet the criteria in the rules that define objects as compliant or noncompliant.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
Prerequisites
Collect virtual environments data. See "Configure Virtual Environments Collections" on page 25.
Procedure
1. "Create Virtual Environment Compliance Rule Groups" on page 60
Create rule groups so that you can add rules and filters.
2. "Create and Test Virtual Environment Compliance Rules" on page 60
Create rules that define the ideal value that objects should have to be considered compliant.
3. "Create and Test Virtual Environment Compliance Filters" on page 61
Create filters that limit the objects on which the templates run to only the objects that meet the filter criteria.
4. "Preview Virtual Environment Compliance Rule Groups" on page 62
Preview the rule group to ensure that your combination of rules and filters is returning the expected results. Use the rules preview action, with the filters turned off and then turned on, to determine if a rule group is returning the expected results.
5. "Create Virtual Environment Compliance Templates" on page 63
Create compliance templates that include one or more rule groups configured to assess your selected object group to determine which objects are compliant and noncompliant.
6. "Run Virtual Environment Compliance Templates" on page 64
Run templates against your collected data to determine which objects are compliant or noncompliant.
7. (Optional) "Create Virtual Environment Compliance Exceptions" on page 64
Create exceptions so that you can temporarily or permanently override specific template results.

Create Virtual Environment Compliance Rule Groups

Create rule groups so that you can add rules and filters.
Templates can include one or more rule groups. Rule groups comprise rules and filters.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Rule Groups.
3. Click Add.
4. Type the Rule Group Name and Description in the text boxes and click OK.
For example, Guest Tools Running and a description.
What to do next
Add a rule to the rule group. See "Create and Test Virtual Environment Compliance Rules" on page 60.

Create and Test Virtual Environment Compliance Rules

Create rules that define the ideal value that objects should have to be considered compliant.
The data types correspond to the collected virtual environments data that is displayed in the Console. To identify the values you are configuring for compliance, review the data grids so that you can locate the correct data type in the rule wizard.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
Prerequisites
Create a rule group. See "Create Virtual Environment Compliance Rule Groups" on page 60.
Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Rule Groups > rule group name > Rules.
Guest Tools Running is the rule group in this example.
3. Click Add.
4. Type the Name and Description in the text boxes and click Next.
For example, Tools Running.
5. Expand Virtualization, select vCenter - Guests - Summary, and click Next.
The collected guest summary data includes whether the VMware Tools is installed and running on the guest virtual machines.
6. Select Basic and click Next.
7. Click Add and configure the rules with the ideal values.
- In the properties drop-down menu, select Tools Running Status.
- Select = as the rule operator.
- Click the ellipsis button and select guestToolsRunning and click OK.
- Click Next.
8. Select the Severity of a failure in the drop-down menu and click Next.
9. Review the changes and click Finish.
The rule is added to the data grid.
10. Select your new rule and click Preview.
11. Select Do not apply machine filters to preview and click OK.
When you test a rule, test first without the filter to ensure that the rule returns the expected results.
12. Review the data in the Non-compliant results window to verify that your rule is behaving as expected.
What to do next
Add a filter to the rule group. See "Create and Test Virtual Environment Compliance Filters" on page 61.

Create and Test Virtual Environment Compliance Filters

Create filters that limit the objects on which the templates run to only the objects that meet the filter criteria. If filters are not defined, the rules are run against all objects in the selected virtual objects group.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
Prerequisites
- Create a rule group. See "Create Virtual Environment Compliance Rule Groups" on page 60.
- Create a rule. See "Create and Test Virtual Environment Compliance Rules" on page 60.
Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Rule Groups > rule group name > Filters.
Guest Tools Running is the rule group in this example.
3. Click Add.
4. Type the Name and Description in the text boxes and click Next.
For example, Not vCenter_Dev
5. Expand Virtualization, select vCenter - Guest - Summary, and click Next.
The collected guest summary data includes vCenter names.
6. Select Basic and click Next.
7. Click Add and configure the filter with the values to limit assessed objects or to exclude objects from assessment.
- In the properties drop-down menu, select vCenter.
- Select <> as the filter operator.
- Click the ellipsis and select vCenter_Dev and click OK.
- Click Next.
8. Review the changes and click Finish.
The filter is added to the data grid.
9. Select your new filter and click Preview.
10. Review the data in the Machines window to verify that your filter is behaving as expected.
What to do next
Test your rule and filter together. See "Preview Virtual Environment Compliance Rule Groups" on page 62.

Preview Virtual Environment Compliance Rule Groups

Preview the rule group to ensure that your combination of rules and filters is returning the expected results. Use the rules preview action, with the filters turned off and then turned on, to determine if a rule group is returning the expected results.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
Prerequisites
- Create a rule group. See "Create Virtual Environment Compliance Rule Groups" on page 60.
- Create a rule. See "Create and Test Virtual Environment Compliance Rules" on page 60.
- Create compliance filters. See "Create and Test Virtual Environment Compliance Filters" on page 61.
Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Rule Groups.
Guest Tools Running is the rule group in this example.
3. Select your new rule group and click Preview.
4. Select Do not apply machine filters to preview and click OK.
When you test a rule, test first without the filter to ensure that the rule returns the expected results.
5. Review the data in the Non-compliant results window to verify that your rule is behaving as expected.
6. Close the window.
7. Select your new rule group and click Preview.
8. Select Apply machine filters to preview and click OK.
9. Review the data in the Non-compliant results window to verify that your rule is behaving as expected. If the results are incorrect, adjust your rules and filters until they work correctly when you preview them.
What to do next
- If you have more than one rule that you must run in a particular order, set the order. The Set Order option is located on the toolbar.
- Create a template. See "Create Virtual Environment Compliance Templates" on page 63.

Create Virtual Environment Compliance Templates

Create compliance templates that include one or more rule groups configured to assess your selected object group to determine which objects are compliant and noncompliant.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
Prerequisites
Create a rule group. See "Create and Test Virtual Environment Compliance Rules" on page 60.
Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Templates.
3. Click Add.
4. Type the Name and Description in the text boxes and click Next.
For example, Tools Running Not vCenter_Dev and a description.
5. Move the rule group, for this example, Guest Tools Running, to the list on the right and click Next.
6. Select Return both compliant and non-compliant and click Next.
Returning compliant and noncompliant results will help you determine whether your template is returning the correct results.
7. Review your changes and click Finish.
What to do next
Run the template. See "Run Virtual Environment Compliance Templates" on page 64.

Run Virtual Environment Compliance Templates

Run templates against your collected data to determine which objects are compliant or noncompliant.
When a compliance template is run, the results appear in a report format and a data grid format.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
Prerequisites
Create a template. See "Create Virtual Environment Compliance Templates" on page 63.
Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Templates.
3. Select your template in the data grid and click Run.
In this example, select Tools Running Not vCenter_Dev.
4. Click OK.
5. When the template run is finished, click Close.
6. Double-click the template name in the data grid.
Unless you turned off the summary view, the Virtual Environments Compliance Results report appears. The report includes the number of objects that are compliant and the number that are noncompliant.
7. To view the results in the data grid, click View data grid.
What to do next
- If you find results that you want to temporarily make compliant or noncompliant, create an exception. See "Create Virtual Environment Compliance Exceptions" on page 64.
- Evaluate the results and resolve any issues on the noncompliant objects.

Create Virtual Environment Compliance Exceptions

Create exceptions so that you can temporarily or permanently override specific template results.
The exceptions are defined against the template results and indicate that a specific result is compliant or noncompliant even though it does not match the requirements of the rules.
You can add exceptions only to existing templates.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
To create an exception in this example, a virtual machine, RHEL_60_ProdDev, is approved to be excluded from the noncompliant results because you never require VMware Tools to be running on this machine.
Prerequisites
Create a template. See "Create Virtual Environment Compliance Templates" on page 63.
Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Templates > template name.
3. Select the noncompliant result on which you are basing the exception and click Add Exception.
In this example, the noncompliant result is the RHEL_60_ProdDev guest machine.
4. Type the Name, Short Description, Description, and Sponsor in the text boxes and click Next.
5. Select the template to which you are applying the exception in the drop-down menu and click Next.
For this example, select Tools Running Not vCenter_Dev.
6. Select the object group to which you are applying the exception and click Next.
For this example, select All Virtual Objects.
7. Select the override options and the expiration date.
- Select Override non-compliant results to compliant.
- Select No Expiration.
- Click Next.
8. To define the exception values, modify, delete, or add to the properties, operators, and values for the selected results.
In this example, you are specifying the RHEL_60_ProdDev as the exception.
- Click Add.
- In the properties drop-down menu, select Object.
- Select = as the rule operator.
- Click the ellipsis button and select RHEL_60_ProdDev in the property values dialog box and click OK.
- Click Finish.
What to do next
Run the template. See "Run Virtual Environment Compliance Templates" on page 64.
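The rule, filter, and exception from the Guest Tools Running walkthrough, modelled in Python as an added example (not VCM code and not part of the original guide). The record keys, the "all conditions must match" semantics, the exception name and sponsor, the dates, and every sample guest other than RHEL_60_ProdDev and vCenter_Dev are assumptions made for illustration.

```python
# Added illustration, not VCM code: a small model of how a rule, a filter and
# an exception combine in the Guest Tools Running walkthrough.
# Assumptions: record keys, "all conditions must match" semantics, and all
# sample data except the names RHEL_60_ProdDev and vCenter_Dev.
import operator
from dataclasses import dataclass
from datetime import date
from typing import Optional

OPERATORS = {"=": operator.eq, "<>": operator.ne}


@dataclass(frozen=True)
class Condition:
    prop: str
    op: str
    value: str

    def matches(self, record: dict) -> bool:
        return OPERATORS[self.op](record.get(self.prop), self.value)


@dataclass(frozen=True)
class RuleException:
    name: str
    sponsor: str
    condition: Condition
    override_to: str = "compliant"
    expires: Optional[date] = None  # None models "No Expiration"

    def applies(self, record: dict, raw: str, today: date) -> bool:
        if self.expires is not None and today > self.expires:
            return False  # an expired exception stops masking the finding
        return raw != self.override_to and self.condition.matches(record)


def in_scope(record, filters):
    """An object is assessed only if every filter condition matches."""
    return all(f.matches(record) for f in filters)


def raw_status(record, rules):
    """Compliant only if every rule condition matches the collected value."""
    return "compliant" if all(r.matches(record) for r in rules) else "noncompliant"


def preview(records, rules, filters, apply_filters=True):
    """Noncompliant object names, with machine filters turned on or off."""
    return [
        r["object"] for r in records
        if (not apply_filters or in_scope(r, filters))
        and raw_status(r, rules) == "noncompliant"
    ]


def run_template(records, rules, filters, exceptions, today):
    """Map each in-scope object to (status, name of applied exception or None)."""
    results = {}
    for r in records:
        if not in_scope(r, filters):
            continue  # filtered-out objects are never assessed
        status, applied = raw_status(r, rules), None
        for exc in exceptions:
            if exc.applies(r, status, today):
                status, applied = exc.override_to, exc.name
                break
        results[r["object"]] = (status, applied)
    return results


# Property values taken from the walkthrough.
RULE = Condition("tools_running_status", "=", "guestToolsRunning")
FILTER = Condition("vcenter", "<>", "vCenter_Dev")
EXCEPTION = RuleException(
    name="Tools not required",       # constructed name
    sponsor="constructed-sponsor",   # constructed sponsor
    condition=Condition("object", "=", "RHEL_60_ProdDev"),
)
# Same exception with an expiration date, to show the finding resurfacing.
EXPIRING = RuleException("Tools not required", "constructed-sponsor",
                         EXCEPTION.condition, expires=date(2012, 1, 31))
TODAY = date(2012, 6, 1)  # constructed evaluation date

# Constructed sample of collected guest summary rows.
GUESTS = [
    {"object": "web01", "vcenter": "vCenter_Prod",
     "tools_running_status": "guestToolsRunning"},
    {"object": "db01", "vcenter": "vCenter_Prod",
     "tools_running_status": "guestToolsNotRunning"},
    {"object": "RHEL_60_ProdDev", "vcenter": "vCenter_Prod",
     "tools_running_status": "guestToolsNotRunning"},
    {"object": "scratch01", "vcenter": "vCenter_Dev",
     "tools_running_status": "guestToolsNotRunning"},
]

if __name__ == "__main__":
    print("filters off:", preview(GUESTS, [RULE], [FILTER], apply_filters=False))
    print("filters on: ", preview(GUESTS, [RULE], [FILTER]))
    print("template:   ", run_template(GUESTS, [RULE], [FILTER], [EXCEPTION], TODAY))
```

Keeping the exception name in the result, rather than dropping the object, mirrors why an exception carries a sponsor and an expiration: the underlying finding is still there and reappears once the exception lapses.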

Configuring vCenter Operations Manager Integration

Integration of VCM with vCenter Operations Manager reports VCM configuration changes in the vCenter Operations Manager console. You configure the data types to report to vCenter Operations Manager and the threshold reporting level used to roll up the configuration changes. VCM records configuration changes in the change log regardless of whether you reported the data to vCenter Operations Manager. From vCenter Operations Manager, you can navigate to VCM to view the details.

Configure vCenter Operations Manager with VCM

You configure the data types to report to vCenter Operations Manager and the threshold reporting level used to roll up the configuration changes. VCM records configuration changes in the change log regardless of whether you reported the data to vCenter Operations Manager. From vCenter Operations Manager, you can navigate to VCM to view the details.
You can report on UNIX and Windows configuration change data and VCM initiated reboot changes. VCM reports change data to vCenter Operations Manager by default. vCenter Operations Manager polls VCM for configuration changes every 5 minutes.
The following procedure configures VCM to report a UNIX data type to vCenter Operations Manager and sets the threshold reporting level to roll up a defined number of configuration changes into a single reporting icon to report the changes in the vCenter Operations Manager console.
Procedure
For details about the reporting settings, see the VCM online help.
1. In VCM, click Administration.
2. Select Settings > Integrated Products > VMware > vCenter Operations Manager.
3. Configure VCM to report a UNIX data type, such as UNIX Patch Assessment, to vCenter Operations Manager.
a. Select UNIX Patch Assessment - Report to vCenter Operations Manager, and click Edit Setting.
b. Click Yes to report the data.
c. Click Next and Finish.
4. Set the threshold reporting level to roll up the configuration changes in the vCenter Operations Manager console.
a. Select UNIXPatch Assessment - Rollup Threshold, and click Edit Setting.
b. Type the number of configuration changes for the collection to roll up into a single reporting icon
to report in vCenter Operations Manager.
c. Click Next and Finish.
Auditing Security Changes in Your Environment
The VCM Auditing capability tracks all changes in the security aspects of VCM. Security-related events are written to the Windows Event Log, which is stored on the Collector, and is independent of the VCM application. The format of the event log prohibits any modifications to the recorded entries, which makes it a secure and tamper-proof auditing record of changes in security.
When you perform an action in VCM that affects security, and the auditing setting that corresponds to that change is enabled, the event is written to the event log.
Prerequisite
Be logged in as a user who has the Admin role assigned.
Procedure
1. To view the VCM Auditing settings, click Administration.
2. Select Settings > General Settings > Auditing.
3. To change an auditing setting, highlight a setting and click Edit Setting.
When you change an auditing setting, the VCM Auditing data grid displays the user’s name in the Last Modified By column.
What to do next
For details about the Auditing settings and the Windows Event Log, see the online help.

Configuring Windows Machines

To manage your virtual and physical Windows machines, you must verify domains and accounts, discover and license those machines, install the VCM Agent, and collect Windows data from those machines. You can also collect Windows Custom Information.
Procedure
1. Verify Available Domains
Allow VCM access to each domain so that the VCM Collector can interact with the Windows machines in your environment.
2. Check the Network Authority
Verify that at least one domain account with administrator privileges is available to act as a network authority account for VCM.
3. Assign Network Authority Accounts
Select and assign the network authority account that you identified for VCM access to the Windows machines.
4. Discover Windows Machines
In your network, identify the Windows machines that you are managing with VCM.
5. License Windows Machines
To manage Windows machines, you must license them in VCM.
6. Disable User Account Control for VCM Agent Installation
Disable User Account Control (UAC) on Windows 7, 2008, 2008 R2, and Vista target machines before you install the VCM Agent.
7. Install the VCM Windows Agent on Your Windows Machines
Install the VCM Windows Agent on each Windows machine so that you can collect data and manage the virtual or physical machines.
8. Enable UAC After VCM Agent Installation
Enable User Account Control (UAC) on Windows 7, 2008, 2008 R2, and Vista machines after you install the VCM Agent.
9. Collect Windows Data
Start managing the Windows machines by performing an initial collection, which adds Windows machine data to VCM.
Continuous Windows machine management is based on the latest data you collect from target machines. You can view data and run actions, such as reports or compliance, based on the collected data. See "Windows Collection Results" on page 85.

Verify Available Domains

Allow VCM access to each domain so that the VCM Collector can interact with the Windows machines in your environment.
During installation, VCM discovered all domains to which the network authority account had access. If the Windows machines belong to a domain that is not listed, you must add that domain manually.
Prerequisites
Verify that you have the fully-qualified names of the domains to manage.
Procedure
1. Click Administration.
2. Select Settings > Network Authority > Available Domains.
3. If the domain does not appear in the Available Domains view, add the domain.
a. Click Add.
b. Type the domain name and select the domain type as NetBios or AD, depending on your domain.
c. Click OK.
4. Verify that the domain appears in the data grid.
What to do next
Verify that a network authority account is available and create other necessary domain accounts. See "Check the Network Authority" on page 72.

Check the Network Authority

Verify that at least one domain account with administrator privileges is available to act as a network authority account for VCM.
Although you specified an initial default network authority account when you installed VCM, you can add different administrator accounts if you do not assign the default account.
Prerequisites
Verify the presence of domains. See "Verify Available Domains" on page 72.
Procedure
1. Click Administration.
2. Select Settings > Network Authority > Available Accounts.
3. To add a new domain account, click Add.
4. Type the domain name, user name, and password, and click Next.
5. Click Finish to add the account.
What to do next
Assign the network authority account to the domain so that VCM can access the Windows machines in the domain. See "Assign Network Authority Accounts" on page 73.

Assign Network Authority Accounts

Select and assign the network authority account that you identified for VCM access to the Windows machines.
You can assign a single account to all domains and machine groups, or assign a unique account or multiple accounts to each domain and machine group.
In this procedure, NetBios is used as the example.
Prerequisites
Verify or add the necessary network authority account. See "Check the Network Authority" on page 72.
Procedure
1. Click Administration.
2. Select Settings > Network Authority > Assigned Accounts > By Domain > NetBios.
3. Select an assigned account.
4. Click Edit Assigned Accounts.
5. Select the account to receive authority to the domain and click Next.
6. Confirm the accounts to include in the authority list for the domain and click Finish.
What to do next
Discover the Windows machines in your environment. See "Discover Windows Machines" on page 73.

Discover Windows Machines

In your network, identify the Windows machines that you are managing with VCM.
To discover the available Windows machines, VCM uses general discovery rules to identify many Windows machines or uses specific discovery rules to identify particular Windows machines.
The time required to perform an initial discovery depends on the size and composition of your network. If all Windows machines are not available during initial discovery, such as systems that are disconnected from the network, the first discovery will not find all Windows machines. If the discovery does not identify all Windows machines, you might need to run additional discoveries after the other Windows machines become available.
NOTE You can use the Discovered Machines Import Tool (DMIT), which imports machines discovered by the Network Mapper (Nmap), to import many physical and virtual machines at one time into the VCM database. Download DMIT from the VMware Web site.
The following procedure is based on Active Directory.
Prerequisites
Assign a Network Authority Account that VCM can use for access. See "Assign Network Authority Accounts" on page 73.
Procedure
1. Click Administration.
2. Select Machines Manager > Discovery Rules.
3. Click Add to create a discovery rule.
4. On the Discovery Rules page, type a name and description and click Next.
5. On the Discovery Method page, select By Active Directory and click Next.
6. On the AD Domain page, specify the AD Domain, select Discover machines only from the selected domain, and click Next.
7. On the Discovery Filters page, select Discover all machines in <domain_name> Domain.
8. (Optional) Create a filter to discover Windows machines based on limited criteria and click Next.
9. On the Important page, click Yes and click Finish.
To avoid exceeding your license count, do not select License and Install Agent on Discovered Machines.
10. On the toolbar, click Jobs to track current discovery job status.
What to do next
- Verify that jobs have finished running. Click Administration and select Job Manager > History > Other Jobs > Past 24 Hours.
- Verify that the Windows machines are available. Click Administration and select Machines Manager > Available Machines.
- License the Windows machines in your environment. See "License Windows Machines" on page 74.

License Windows Machines

To manage Windows machines, you must license them in VCM.
The number of discovered Windows, UNIX, or Linux machines might exceed the number of your available licenses. If that happens, the number available goes negative and appears in red to indicate that you do not have enough licenses.
You can license more servers or workstations than your license key allows. Any license key counts that exceed the number of licenses provided by your license key are recorded and maintained for future auditing purposes.
Prerequisites
Verify that the Windows machines you license are listed with a machine type of workstation or server in the Available Machines node. If the discovered or added type is not workstation or server, VCM cannot license the machines.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Select the Windows machines to license.
4. Click License.
5. Verify that the Windows machines to license appear in the Selected list.
Use the arrows to move the Windows machines.
6. Click Next to view your Product License Details.
The licensed Windows machine count increases by the number of licensed machines.
7. Click Next.
VCM confirms that the licenses you requested will be applied to the selected Windows machines.
8. Click Finish.
What to do next
Disable User Account Control (UAC) on the Windows 7, 2008, 2008 R2, or Vista machines in your environment. See "Disable User Account Control for VCM Agent Installation" on page 75.

Disable User Account Control for VCM Agent Installation

Disable User Account Control (UAC) on Windows 7, 2008, 2008 R2, and Vista target machines before you install the VCM Agent.
The UAC setting on Windows 7, 2008, 2008 R2, and Vista machines prevents VCM from installing the Agent on these target machines. You can disable UAC on a single Windows machine or a group of machines.
- "Disable User Account Control for a Windows Machine" on page 75
- "Disable User Account Control By Using Group Policy" on page 76

Disable User Account Control for a Windows Machine

The User Account Control (UAC) on Windows 7, 2008, 2008 R2, or Vista machines prevents VCM from installing the Agent on the target machines. Before you install the Agent on a Windows 7, 2008, 2008 R2, or Vista machine, you must disable the UAC, and then re-enable UAC after you finish the installation.
In this procedure, disabling UAC on a Windows 2008 R2 machine is used as the example.
Procedure
1. On the target Windows 2008 R2 machine, click Start > Run.
2. In the Run dialog box, type msconfig and click OK.
3. In the User Account Control dialog box, click Continue.
4. In the System Configuration dialog box, click the Tools tab.
5. In the Tool Name list, select Disable UAC.
6. Click Launch.
7. When the command is finished running, click Close and click Close again.
8. Restart the Windows machine to apply the changes.
What to do next
Install the VCM Windows Agent on licensed Windows machines in your environment, and then enable UAC on the target machine. See "Install the VCM Windows Agent on Your Windows Machines" on page 77.

Disable User Account Control By Using Group Policy

The User Account Control (UAC) on Windows 7, 2008, 2008 R2, and Vista machines prevents VCM from installing the Agent on the target machines. You can use a group policy to disable UAC on the Windows machines in your environment.
The following procedure is performed on a Windows 2008 R2 domain controller machine.
Prerequisites
Configure Windows 7, 2008, 2008 R2, and Vista machines that are targeted for the Agent installation into a common Active Directory domain or organizational unit (OU).
Procedure
1. On your Windows 2008 R2 domain controller, click Start and select Administrative Tools > Group Policy Management.
2. Click Forest and select Domains > your local domain > Default Domain Policy.
3. In the Default Domain Policy pane, click the Settings tab.
4. Right-click Policies and click Edit.
5. In the Console Root, expand the domain/OU.
6. Click Computer Configuration and select Policies > Windows Settings > Security Settings > Local Policies > Security Options.
7. In the right pane, locate the User Account Control policies and configure the following policies and their policy settings.

| Policy | Policy Setting |
| --- | --- |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Elevate without prompting. |
| User Account Control: Detect application installations and prompt for elevation | Disabled. |
| User Account Control: Run all administrators in Admin Approval Mode | Disabled. |

8. Restart the domain controller machine to apply the changes.
What to do next
Install the VCM Windows Agent on licensed Windows machines in your environment, and then re-enable the group policy on the domain controller. See "Install the VCM Windows Agent on Your Windows Machines" on page 77.

Install the VCM Windows Agent on Your Windows Machines

Install the VCM Windows Agent on each Windows machine so that you can collect data and manage the virtual or physical machines.
Before you can collect data from Windows machines, you must install the VCM Windows Agent on the licensed Windows machines in your environment to enable communication between the Collector and the target machines.
You can use VCM to install the Agent or you can install the Agent manually. When you install a VCM Collector, the VCM Windows Agent is also installed. The Collector Agent is locked and cannot be unlocked, uninstalled, or upgraded.
Standardized Windows configurations such as Federal Desktop Core Configuration (FDCC) or United States Government Configuration Baseline (USGCB) include strict security group policy settings. The Windows Firewall: Do not Allow Exceptions group policy configures Windows Firewall to block all unsolicited incoming messages, including configured exceptions. This setting overrides all configured exceptions. For VCM to communicate properly with the VCM Agent on managed machines in strict, secure environments, disable the Windows Firewall: Do not Allow Exceptions group policy on the managed machines. For more information, see support.microsoft.com.
Prerequisites
- License the Windows machines on which you install the Agent. See "License Windows Machines" on page 74.
- Disable UAC before you install the Agent on Windows 7, 2008, 2008 R2, or Vista machines. See "Disable User Account Control for VCM Agent Installation" on page 75.
- Verify that you know the communication protocols and ports that are used by the Collector and the Agents.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. In the data grid, select one or more Windows machines on which to install the Agent and click Install.
4. On the Machines page, verify that the target machines appear in the Selected list and click Next.
5. On the Install Options page, select the installation options and click Next.

| Option | Description |
| --- | --- |
| Share | Location to install the Agent. The default location is ADMIN$. |
| Path | Path for the Agent files. The default path includes CMAgent. |
| Install From | VCM Collector from which to install the Agent. |
| DCOM | Communication protocol for the Agent. The default setting is DCOM. |
| HTTP | Secure communication protocol for the Agent. Use HTTP, which installs the HTTP Listener on the target machine and configures it to listen on the designated port. |
| Port | Designated port for the HTTP Listener. |
| Install using a proxy server | For Windows Proxies and Windows Agents only. If the target machine is separated from the Collector by a proxy server, this option instructs the installation process to check for available proxy servers. |
| Lock the machine after installation | Ensures that VCM will not uninstall the Agent or replace it with a different version. |
| Reinstall Agent | Overwrites an installed Agent. |

6. On the Schedule page, select Run Action now and click Next.
You can schedule subsequent Agent installations to run later.
7. On the Important page, review the summary information and click Finish.
What to do next
- Verify that jobs have finished running. Click Administration and select Job Manager > History > Other Jobs > Past 24 Hours.
- Enable UAC on the Windows 7, 2008, 2008 R2, or Vista machines in your environment. See "Enable UAC After VCM Agent Installation" on page 83.
- Collect Windows data from VCM managed machines in your environment. See "Collect Windows Data" on page 84.

Locate the Enterprise Certificate

Locate the Enterprise Certificate before you install the VCM Agent on the managed Windows machine. VCM must access the Enterprise Certificate during the Agent installation.
If your Collector is operating in a full Public Key Infrastructure (PKI), and the target machine can validate the Collector root certificate (Enterprise Certificate), the .pem file is not required.
Procedure
1. Locate the Enterprise Certificate .pem file in the Collector's c:\Program Files (x86)\VMware\VCM\CollectorData folder.
2. If the certificate files are not in the default location, you must confirm the path to the files.
a. Click Administration.
b. Select Settings > General Settings > Collector.
c. Select Root directory for all collector files.
d. Confirm the file path in the Value column.

Manually Install the VCM Windows Agent

You can manually install the Windows Agent on the VCM managed machine by using the executable (EXE) file or the Microsoft Installer (MSI) file that is supplied with VCM.
- You use the EXE file to install the Agent in unattended, silent mode. EXE files detect an existing software version and provide the option to uninstall the existing version.
- You use the MSI file to install the Agent in unattended, silent mode. MSI files are database files. The Windows msiexec.exe executable file reads the data in the MSI file, and then installs the Agent.
The MSI file uninstalls any existing, non-MSI Agent without sending a request. If you run the MSI installer again, the removal option is available.
If you use a new MSI file to upgrade an MSI-installed Agent, the old Agent is uninstalled.
The VCM Enterprise Certificate was installed when you initially installed VCM. During the Agent installation process, if you select HTTP, VCM installs the Enterprise Certificate in the certificate store on the VCM managed machine.
The Collector root certificate authenticates Collector requests on the managed machine before it processes a collection or change request. The authentication process uses the Collector Certificate and established trust to the Enterprise Certificate.
Use the EXE File to Install the Agent
You can use the EXE file to manually install the VCM Windows Agent on a target machine. The directories in this procedure are default locations.
CAUTION For Vista, Windows 7, and Windows 2008 only: If you set the compatibility mode on an Agent executable file to a previous version of Windows, VCM might report the compatible operating system instead of the actual operating system. For example, on a Windows 7 machine, if you set the Agent to run in compatibility mode for Windows XP, the Agent will report that the machine is a Windows XP machine.
Prerequisites
Locate the Enterprise Certificate before you install the VCM Agent. See "Locate the Enterprise Certificate" on page 78.
Procedure
1. On your VCM Collector, open Windows Explorer and navigate to the Agent files directory at C:\Program Files (x86)\VMware\VCM\AgentFiles.
2. Copy the CMAgentInstall.exe file from the Collector to the target machine or a shared network location.
The CMAgentInstall.exe file is located in the path relative to the installed software on the Collector.
3. On the target machine, use Windows Explorer and run the installation in either normal or silent mode.
- For normal mode, run CMAgentInstall.exe.
- For silent mode, run CMAgentInstall.exe /s INSTALLPATH=%Systemroot%\CMAgent PORT=26542 CERT=C:\<folder_without_spaces>\vcm_cert.pem.
The %Systemroot% environment variable specifies the directory where Windows is installed, which is typically \WINNT or \WINDOWS.
Use the following options for the installation.

| Option | Action |
| --- | --- |
| CMAgentInstall.exe | Executable file used to install the Agent. |
| /s | Indicates a silent install. When you run CMAgentInstall.exe from the command line, VMware recommends that you install the Agent in silent mode. To use the silent mode, you must unlock the Agent before you can proceed with the installation. To unlock the Agent, use the -UNLOCK option. The syntax is CMAgentInstall.exe /s INSTALLPATH=%Systemroot%\CMAgent PORT=26542 CERT=C:\<folder_without_spaces>\vcm_cert.pem. To relock your managed machine, you must submit a lock request from the VCM Collector. To submit the lock request, click Administration and select Settings > General Settings > Installer. Edit the Lock Agent after it is installed? setting to lock the managed machine. |
| INSTALLPATH | Location to install the Agent files. |
| PORT | Port number used for HTTP Agents. The default value is 26542. If you do not include the PORT parameter, VCM uses DCOM and does not install the communication socket listener service. The certificate is not required. |
| CERT | Indicates the certificate that you generated or specified on the Collector during the Collector installation. The certificate file location is a fully qualified path, relative to the installed software on the Collector. By default the path is C:\Program Files (x86)\VMware\VCM\CollectorData\[certificate name].pem. If you include PORT, but do not use a certificate, you must use the CERT=SKIP parameter to allow an HTTP Agent to operate without a valid CERT path. The CERT path cannot contain spaces, even when enclosed in quotes, so enter an 8.3 compatible path as in the preceding silent mode example. |

4. On the target machine, in Windows Explorer run CMAgentInstall.exe.
What to do next
- To confirm that the job finished running, click Administration and select Job Manager > History > Other Jobs > Past 24 Hours.
- Collect Windows data from VCM managed machines. See "Collect Windows Data" on page 84.
- Enable UAC on the Windows 7, 2008, 2008 R2, or Vista machines in your environment. See "Enable UAC After VCM Agent Installation" on page 83.
Use the MSI File to Install the Agent
You can use the MSI file to manually install the VCM Windows Agent on a target machine. The directories specified in this procedure are default locations.
Prerequisites
Locate the Enterprise Certificate before you install the VCM Agent. See "Locate the Enterprise Certificate" on page 78.
Procedure
1. On your VCM Collector, open Windows Explorer and navigate to the Agent files directory at c:\Program Files (x86)\VMware\VCM\AgentFiles.
2. Copy the CMAgent[version].msi file to the target machine or a shared network location.
The CMAgent[version].msi file is located in the path relative to the installed software on the Collector.
3. Locate the CMAgent[Version].msi file.
4. If the file does not exist, you must copy CMAgent[Version].msi to the target machine, or install it from a network share onto the target machine.
5. Copy the Enterprise Certificate .pem file to the target machine.
6. On the target machine, in Windows Explorer, run CMAgent[Version].msi using the following syntax:
msiexec /Option <Required Parameter> [Optional Parameter]
For example:
msiexec.exe /qn /i "[PathToFile]\CMAgent[Version].msi" [PORTNUMBER=<available port>] [INSTALLDIR="<new path>"]
Use the following options for the installation.

| Option | Action |
| --- | --- |
| CMAgent[Version].msi | When used with default options, this command removes any existing Windows Agent, installs the new Agent in the %SystemRoot%\CMAgent directory, and uses DCOM for communication. When you include an option with CMAgent[Version].msi, you must follow these conventions: include optional parameters in any combination and order; after the required /i parameter, use uppercase letters for optional parameters; use quotation marks when a path includes spaces in the source file location and the INSTALLDIR parameter. To see details about the options, select Start > Run > msiexec. |
| %Systemroot% | Environment variable that specifies the directory where Windows is installed, which is typically \WINNT or \WINDOWS. |
| /qb | Runs the command in a basic user interface and displays the progress and error messages. |
| /qn | Runs the command in quiet mode without user interaction. |
| /i | Runs the command as an installation. |
| /x | Runs the command as an uninstall process. |
| PORTNUMBER | Installs the Windows Agent on the port number specified, and uses HTTP instead of DCOM. For HTTP installations where you include PORTNUMBER, you must include an Enterprise Certificate by using the following syntax: CERTIFICATEFILE="<drive>:\[mypath]\[mycert].pem". For example: msiexec.exe /qn /i "C:\temp\CMAgent[VersionNumber].msi" PORTNUMBER=2666 CERTIFICATEFILE="x:\mypath\mycert.pem". If you include PORTNUMBER, you must either include the path to the certificate file, or supplement the CERTIFICATEFILE parameter with the SKIP parameter. |
| INSTALLDIR | Location to install the Agent. Use to change the default root directory specification, which is %SystemRoot%\CMAgent. For example: msiexec.exe /qn /i "C:\temp\CMAgent[VersionNumber].msi" INSTALLDIR="C:\VCM" |
| CERTIFICATEFILE | Includes the Enterprise Certificate with either the path or the SKIP parameter. For example: CERTIFICATEFILE="x:\[mypath]\[mycert].pem" or CERTIFICATEFILE="SKIP" |

What to do next
- To confirm that the job finished running, click Administration and select Job Manager > History > Other Jobs > Past 24 Hours.
- Collect Windows data from VCM managed machines. See "Collect Windows Data" on page 84.
- Enable UAC on the Windows 7, 2008, 2008 R2, or Vista machines in your environment. See "Enable UAC After VCM Agent Installation" on page 83.
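
The EXE and MSI silent-install options described above can be assembled and checked before anything runs. The following PowerShell is an added example, not VMware code: the function name, its parameters, the optional thumbprint comparison, and the choice to refuse SKIP are assumptions made for illustration, and the sample paths are constructed.

```powershell
# Added example, not VMware code. Builds the silent-install command line for the VCM Windows
# Agent from the documented options and rejects combinations the guide rules out.
function New-VcmAgentInstallCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$InstallerPath,  # CMAgentInstall.exe or CMAgent[Version].msi
        [int]$Port,                  # omit to install a DCOM Agent
        [string]$CertPath,           # Enterprise Certificate .pem copied from the Collector
        [string]$InstallDir,         # omit to keep the default %SystemRoot%\CMAgent
        [string]$ExpectedThumbprint  # hypothetical: thumbprint noted on the Collector
    )

    $kind = [System.IO.Path]::GetExtension($InstallerPath).ToLowerInvariant()
    if ($kind -ne '.exe' -and $kind -ne '.msi') {
        throw "Installer must be an .exe or .msi file: $InstallerPath"
    }

    $useHttp = $PSBoundParameters.ContainsKey('Port')
    if ($useHttp) {
        if ($Port -lt 1 -or $Port -gt 65535) { throw "Port $Port is out of range." }
        # The guide permits CERT=SKIP and CERTIFICATEFILE="SKIP". Refusing them is this
        # wrapper's own policy, so that an HTTP Agent always gets the Enterprise Certificate.
        if ([string]::IsNullOrEmpty($CertPath) -or $CertPath -ieq 'SKIP') {
            throw 'HTTP install requested without an Enterprise Certificate path.'
        }
        # Guide: the EXE CERT path cannot contain spaces, even when enclosed in quotes.
        if ($kind -eq '.exe' -and $CertPath -match '\s') {
            throw "CERT path contains spaces: $CertPath"
        }
        if (-not (Test-Path -LiteralPath $CertPath -PathType Leaf)) {
            throw "Certificate file not found: $CertPath"
        }
        if ($ExpectedThumbprint) {
            # Assumes the .pem holds a single X.509 certificate.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
            $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
            if ($cert.Thumbprint -ne $want) {
                throw "Certificate thumbprint $($cert.Thumbprint) does not match the expected value."
            }
        }
    }

    if ($kind -eq '.exe') {
        # No quoting rule is documented for INSTALLPATH, so whitespace is rejected here (assumption).
        if ($InstallDir -match '\s') { throw "INSTALLPATH contains spaces: $InstallDir" }
        $file = $InstallerPath
        $argList = @('/s')
        if ($InstallDir) { $argList += "INSTALLPATH=$InstallDir" }
        if ($useHttp)    { $argList += "PORT=$Port", "CERT=$CertPath" }
    } else {
        # MSI: optional parameters in uppercase after /i, paths quoted.
        $file = 'msiexec.exe'
        $argList = @('/qn', '/i', "`"$InstallerPath`"")
        if ($useHttp)    { $argList += "PORTNUMBER=$Port", "CERTIFICATEFILE=`"$CertPath`"" }
        if ($InstallDir) { $argList += "INSTALLDIR=`"$InstallDir`"" }
    }

    New-Object psobject -Property @{
        FilePath     = $file
        ArgumentList = $argList
        CommandLine  = "$file $($argList -join ' ')"
    }
}

# Constructed inputs: the files do not need to exist for these outcomes to show.
$cases = @(
    @{ InstallerPath = 'C:\temp\CMAgentInstall.exe' },                   # DCOM, no certificate needed
    @{ InstallerPath = 'C:\temp\CMAgentInstall.exe'; Port = 26542        # rejected: spaces in CERT path
       CertPath = 'C:\Program Files (x86)\VMware\VCM\CollectorData\vcm_cert.pem' },
    @{ InstallerPath = 'C:\temp\CMAgent[Version].msi'; Port = 26542; CertPath = 'SKIP' }  # rejected: no certificate
)
foreach ($case in $cases) {
    try   { (New-VcmAgentInstallCommand @case).CommandLine }
    catch { "REJECTED: $($_.Exception.Message)" }
}
```

To run an accepted command, pass the returned FilePath and ArgumentList to Start-Process with -Wait from an elevated session on the target machine.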

Manually Uninstall the VCM Windows Agent

When you no longer manage a Windows machine with VCM, you uninstall the Agent from that target machine. If you used VCM to install the Agent, you must use VCM to uninstall the Agent.
To keep historical data, do not remove the Windows machine from VCM. After you remove the Windows Agent and remove the managed Windows machine from the list of licensed machines, VCM no longer manages the Windows machine and you can no longer collect data from it.
The Windows Agent uninstall executable file exists on the VCM managed machine if you installed the Agent manually using CMAgentInstall.exe or CMAgentInstall.msi. Use this manual process to uninstall the Agent only if you used either of these commands to install the Agent.
Procedure
1. On the VCM managed machine, run %SystemRoot%\CMAgent\Uninstall\Packages\CMAgentInstall\UnCMAgentInstall.exe.
This path displays the default location. The EXE file is located in the path relative to the installed software on the Collector.

Enable UAC After VCM Agent Installation

Enable User Account Control (UAC) on Windows 7, 2008, 2008 R2, and Vista machines after you install the VCM Agent.
You can enable UAC on a single Windows machine or a group of Windows machines.
- "Enable User Account Control on a Single Windows Machine" on page 83
- "Enable UAC By Using a Group Policy" on page 83

Enable User Account Control on a Single Windows Machine

You must enable User Account Control (UAC) on Windows 7, 2008, 2008 R2, or Vista machines after you install the VCM Agent on the target machines.
This procedure is documented on a Windows 2008 machine.
Procedure
1. On the target Windows 2008 machine, click Start > Run.
2. In the Run dialog box, type msconfig and click OK.
3. In the User Account Control dialog box, click Continue.
4. In the System Configuration dialog box, click the Tools tab.
5. In the Tool Name list, select Enable UAC.
6. Click Launch.
7. When the command is finished running, click Close and click Close again.
8. Restart the Windows 2008 machine to apply the changes.
What to do next
Collect data from managed Windows machines. See "Collect Windows Data" on page 84.

Enable UAC By Using a Group Policy

If you disabled the User Account Control (UAC) using a group policy, you can re-enable UAC by using a group policy.
This procedure is documented on a Windows 2008 machine.
Procedure
1. On the Windows 2008 machine, click Start > Run.
2. In the Run dialog box, type msconfig and click OK.
3. In the User Account Control dialog box, click Continue.
4. In the System Configuration dialog box, click the Tools tab.
5. In the Tool Name list, select Enable UAC.
6. Click Launch.
7. When the command is finished running, click Close and click Close again.
8. Restart the Windows 2008 machine to apply the changes.
What to do next
Collect data from managed Windows machines. See "Collect Windows Data" on page 84.
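
Because UAC is turned off only for the duration of the Agent installation, it is worth confirming afterward that no machine was left in the install-time state. The following PowerShell is an added example, not part of the VMware guide: it reads the registry values that back the three policies from the Group Policy table and flags any that still hold the install-time setting. The function name and the machine list are assumptions.

```powershell
# Added example, not from the VMware guide. Needs PowerShell 3.0 or later on the workstation
# that runs it and the Remote Registry service on remote targets.

# Install-time values from the guide's Group Policy table. The registry value names are the
# standard backing values for those three policies.
$InstallTimeState = [ordered]@{
    ConsentPromptBehaviorAdmin = 0  # Behavior of the elevation prompt: Elevate without prompting
    EnableInstallerDetection   = 0  # Detect application installations: Disabled
    EnableLUA                  = 0  # Run all administrators in Admin Approval Mode: Disabled
}

function Get-UacPolicyState {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # An empty machine name opens the local machine's registry.
    $target = if ($ComputerName -ieq $env:COMPUTERNAME) { '' } else { $ComputerName }
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $target)
    try {
        $key = $hive.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
        if ($null -eq $key) { throw "UAC policy key not found on $ComputerName." }
        foreach ($name in $InstallTimeState.Keys) {
            $value = $key.GetValue($name, $null)
            [pscustomobject]@{
                ComputerName     = $ComputerName
                Setting          = $name
                Value            = $value
                # True when the value still equals what was set for Agent installation.
                InstallTimeValue = ($null -ne $value) -and ([int]$value -eq $InstallTimeState[$name])
            }
        }
        $key.Close()
    }
    finally { $hive.Close() }
}

# Constructed list: replace with the machines that received the Agent.
$machines = @($env:COMPUTERNAME)
$report = foreach ($machine in $machines) {
    try   { Get-UacPolicyState -ComputerName $machine }
    catch { Write-Warning "$machine : $($_.Exception.Message)" }
}
$report | Format-Table -AutoSize

# Machines that still carry at least one install-time value and need UAC re-enabled.
$report | Where-Object { $_.InstallTimeValue } |
    Select-Object -ExpandProperty ComputerName -Unique
```

The registry shows the configured value; as the procedures above state, a restart is needed before a change takes effect.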

Collect Windows Data

Start managing the Windows machines by performing an initial collection, which adds Windows machine data to VCM.
Use the default filter set to collect a general view of the Windows machines in your environment. The first time that you use the default filter to collect data, the Windows Agent returns all of the data specified in the filter and stores the data in the VCM database. All subsequent collections will return a delta against the data previously collected.
A delta collection includes only the differences between the data on the target machine and the data stored in the VCM database. If you need a full collection, you can specify that VCM collect all data again. A full collection can take a significant amount of time depending on the number of VCM managed Windows machines from which you are collecting.
When you perform a full collection from your entire environment, run the collection during nonworking hours so that users do not notice any performance impact on managed machines. After the initial collection is finished, subsequent delta collections will most likely not impact performance.
Prerequisites
- Collect the Accounts and Groups data types from the primary domain controller (PDC) in each domain to increase the performance of initial collections that require a SID lookup.
- To collect data from Windows XP SP2 or Vista machines that use DCOM communication, you must enable ICMP pings in the firewall settings or disable ICMP pings in VCM.
- Verify that DCOM is enabled on the managed machine. Run dcomcnfg and select Enable Distributed COM on this computer.
Procedure
1. On the VCM toolbar, click Collect.
2. On the Collection Type page, select Machine Data and click OK.
3. On the Machines page, select the Windows machines from which to collect data and click Next.
To move all visible Windows machines to the selection window, 500 at a time, use the double arrow.
4. On the Data Types page, select the Select All checkbox.
5. Select Use default filters and click Next.
6. On the Important page, resolve any conflicts and click Finish.
What to do next
- Verify that jobs have finished running. Click Administration and select Job Manager > History > Other Jobs > Past 24 Hours.
- Review the collection results. See "Windows Collection Results" on page 85.

Windows Collection Results

Continuous Windows machine management is based on the latest data that you collect from target machines. You can view data and run actions, such as reports or compliance, based on the collected data.
Windows data appears in VCM and is available for several management actions, including Console dashboards and reports, Compliance views, and VCM Patching. The displayed data is only as current as the last time you collected the data.
After the initial discovery is finished, perform a weekly discovery to update the list of available Windows machines. To schedule a VCM discovery job, click Administration, select Job Manager > Scheduled, and follow the wizard.

| Option | Description |
| --- | --- |
| Console | Displays dashboards and reports based on collected data. Use the Console to view data that is relevant to day-to-day operations, troubleshooting, and analysis. To view the dashboards, click Console and select Dashboards > Windows > Operating Systems. To view the summary reports, click Console and select Windows > Operating System > Machines. You can view the data in a summary report or data grid format. |
| Compliance | Determines if the data collected from VCM managed Windows machines meets specified compliance values, and allows you to run compliance remediation actions. To run a compliance check, click Compliance and select Machine Group Compliance. To create rule groups, rules, filters, and templates, see the online help. |
| Reports | Runs preconfigured reports, or you can create custom reports. VCM runs reports against the latest collected data. Depending on the data volume or complexity of the requested report, it might take time to generate the report. You can also schedule and disseminate reports. To use the reporting options, click Reports and select Machine Group Reports > Windows. |
| Patching | Assesses target machines to determine if the patching status of the Windows machines is up-to-date. You can install the latest patches on target machines. To assess and patch Windows machines, click Patching and select Windows. To run assessments and patch your Windows machines, see the online help. |


Getting Started with Windows Custom Information

Windows Custom Information (WCI) is data collected from VCM managed machines that is created by PowerShell scripts. WCI supplements and extends the data collected by VCM from managed Windows machines using other VCM data types.
You can create or modify WCI scripts to collect almost any data type that is accessible from VCM managed machines. VCM supports PowerShell scripting and XML output to collect Windows Custom Information.
Figure 7–1. Windows Custom Information Collection Process
To extend the data collected by VCM from managed Windows machines using other VCM data types, collect Windows Custom Information. Configure the prerequisites and create and validate your PowerShell script.
Prerequisites
- To collect Windows Custom Information from VCM managed machines, you must configure the prerequisites. See "Prerequisites to Collect Windows Custom Information" on page 87.
Procedure
1. "Collecting Windows Custom Information" on page 98
To collect Windows Custom Information (WCI) using script-based filters, you create and verify your custom PowerShell scripts, install PowerShell on the VCM managed machines, and use VCM to collect the WCI data.

Prerequisites to Collect Windows Custom Information

To collect Windows Custom Information from VCM managed machines, you must configure the prerequisites.
Prerequisites
- Write your own PowerShell script to return data in a VCM compatible, element-normal XML format, or obtain PowerShell scripts from VMware Professional Services or another source. See "Using PowerShell Scripts for WCI Collections" on page 87.
- Understand the script signing policies if you use PowerShell 2.0. See "PowerShell Script Signing Policies" on page 91.
- Set the PowerShell execution policy on the VCM managed machine. See "Built-In PowerShell Policy Settings" on page 92.
- Understand how to write and run PowerShell scripts. See "References on PowerShell and Script Signing" on page 92.
- Verify that your PowerShell script is accessible when you paste the script content into the Script area of the collection filter on the VCM Collector.
- Confirm that the VCM Collector includes PowerShell 2.0 if the Collector is a client for WCI collections.
- Understand how VCM manages Windows Custom Information data changes. See "Windows Custom Information Change Management" on page 97.
- Confirm that PowerShell 2.0 is installed on each VCM managed machine that will be used for WCI collections. See "Install PowerShell" on page 100.
- Upgrade older VCM Agents on the VCM managed machines from which you collect Windows Custom Information, and then install the VCM 5.3 Agent or later on these machines.
- Confirm or update the Agent Thread Administration settings on the VCM Collector. The default value is set to below normal thread priority, and the Agent Data Retention default is set to a 15-day change log.

Using PowerShell Scripts for WCI Collections

Windows Custom Information (WCI) uses PowerShell as the scripting engine and the element-normal XML format as the output that is inserted into the VCM database.
WCI supports PowerShell 2.0 and works with later versions of PowerShell.
- PowerShell 2.0 is the base requirement for WCI in VCM because of its ability to set the execution policy at the process level.
- You can run WCI PowerShell collection scripts against Windows machines that have PowerShell 1.0 installed if needed, although this usage is not supported or tested. If the collection scripts do not use PowerShell 2.0 commands, your WCI filters that use the in-line method to pass a WCI script to PowerShell will operate correctly.
The WCI data type uses extensions to the VCM Windows Agent. The extensions allow the Agent to invoke PowerShell scripts. Using the script-based collection filter, VCM passes the PowerShell scripts to a VCM managed machine, and the VCM Agent parses the resulting XML output. The default WCI filter returns the PowerShell version information from the managed machines.
WCI data type extensions are flexible because they use filter parameters that the command line uses to invoke the scripting engine. The WCI extensions use a COM class name to specify the parser required for the Agent to parse the script output, and allow new types of parsers to be added at the Agent. This approach extends the support of multiple scripting engines, languages, and output formats.
Guidelines in PowerShell Scripting for WCI
When you develop custom PowerShell scripts to collect the Windows Custom Information (WCI) data type from VCM managed Windows machines, follow these guidelines.
- Make XML element names unique at the same level.
  For example, you can specify two child nodes that have the same name if they are not siblings.
- Make attributes unique at the same level.
- Use unique XML element names to generate valid VCM XML. The XML elements are code blocks that include the element's start and end tags. The element can contain other elements, text, attributes, or a combination of them.
- Use repeatable identifiers to prevent false indications of changes at the Collector. If your element labels (identifiers) are not the same for every collection of the same item, you will see false additions, changes, and deletions in the VCM change log.
- Confirm that the script returns valid XML element names and attribute names.
  If the data to be returned is an element name or an attribute name that is not valid for XML, you can encode the name using the [ToCMBase64String] function. A VCM Collector job, called the inserter, is executed during each collection. The inserter recognizes the names that are encoded with this function and decodes them in the raw insertion process.
  The inserter parses the resulting XML file and inserts the data into a new raw database table named VCM_Raw by default. The XML process transforms the raw data into data that appears in VCM.
  The function is defined as follows.
  #encode a name as Unicode Base64, prefix it with cmbase64-, and replace "=" with "-"
  function ToCMBase64String([string]$input_string)
  {
      return [string]("cmbase64-" +
          [System.Convert]::ToBase64String(
              [System.Text.Encoding]::UNICODE.GetBytes($input_string))).replace("=","-")
  }
- Include a comment block and configurable parameter entries near the start of the script so that when you clone a WCI collection filter you can see the parameters and set them when you edit the collection filter. To view and edit the collection filters, click Administration and select Collection Filters > Filters.
- Redirect any variable declarations in the script to out-null, along with any other tasks that generate output that is not part of the XML result set. For example, you can use the following command.
  [reflection.assembly]::LoadWithPartialName("Microsoft.SqlServer.Smo") | out-null
- Do not include any formatting, white space, carriage returns, or line feeds at the end of elements, nodes, or attributes.
Challenges in PowerShell Scripting for WCI
When you develop custom collection scripts, understand the challenges that you might encounter while scripting in PowerShell to collect the Windows Custom Information (WCI) data type from VCM managed Windows machines.
PowerShell scripts can use the split method of PowerShell strings, which separates the columns of the rows into separate values in arrays. For example, Windows provides the schtasks.exe utility to manage scheduled tasks on a local or remote computer and report on the scheduled tasks.
The split method of PowerShell strings in the $schtasks script separates the columns of the $schtasks rows into separate values in arrays.
- The column names row provides the names to use for attributes.
- Corresponding data from the scheduled task rows provides the values to use for these attributes.
The top-level name of <schtasks> is an arbitrary name that you apply to distinguish the results of this script from other results. The XML script returns the parsed data, which resembles the following structure.
<schtasks>
  <taskname1>
    <attribute1>Value1</attribute1>
    <attribute2>Value2</attribute2>
  </taskname1>
  <taskname2>
    <attribute1>Value1</attribute1>
    <attribute2>Value2</attribute2>
  </taskname2>
</schtasks>
The returned data can include the following problems with content.
- White space, such as tabs or spaces, is not allowed in returned data.
- Column names include spaces.
- Specific task entries do not include a unique and repeatable identifier.
- Values can contain XML syntax in functions, which you must enclose in CDATA.
Column Names Include Spaces
Running the schtasks command without any options displays a column name of Next Run Time. Because this name includes spaces, you cannot use it as an attribute name in an XML document. Running the schtasks command verbosely generates other column names that include spaces. Although you cannot use these invalid names as attribute names, you can preserve the names by using VCM encoding standards.
To preserve these column names in the form that schtasks returns and allow for XML handling, VCM encodes the column names with the ToCMBase64String function. To create a valid XML form of an element name or attribute name, this function uses Unicode Base64 encoding and character substitution, such as using a dash instead of an equal sign, as shown in the following example.
function ToCMBase64String([string]$input_string)
{
    return [string]("cmbase64-" +
        [System.Convert]::ToBase64String(
            [System.Text.Encoding]::UNICODE.GetBytes($input_string))).replace("=","-")
}
Using this function corrects the invalid column name data.
VCM prefaces the string with cmbase64- so that the VCM inserter can decode the data and load the decoded data into the VCM database.
The valid XML appears as follows.
<cmbase64-TgBlAHgAdAAgAFIAdQBuACAAVABpAG0AZQA->
12:32:00, 5/26/2010
</cmbase64-TgBlAHgAdAAgAFIAdQBuACAAVABpAG0AZQA->
Invalid XML omits the encoding function as follows.
<Next Run Time>
12:32:00, 5/26/2010
</Next Run Time>
Task Entries Do Not Include a Unique and Repeatable Identifier
Use repeatable identifiers to prevent false indications of changes at the Collector. If your element labels (identifiers) are not the same for every collection of the same item, you will see false additions, changes, and deletions in the VCM change log.
The Windows schtasks command does not include a unique and repeatable identifier for specific task entries. Because unique element names are a requirement for valid VCM XML and repeatable identifiers help prevent false indications of changes at the VCM Collector, you must code the task names correctly in your script.
To create unique and repeatable element names, create a task entry name based on a hash of the data in the row. You can use this method for data that does not have a name-type attribute, where the task name exists but is not guaranteed to be unique. When the task name is user-friendly and useful, you must attempt to preserve the name and use it in the collection script.
To preserve the user-friendly name, use the task name as the element name for the task rows. When you create a collection filter that uses your script, you must select the incremental duplicate handling option so that the collection process includes an incremental entry in the list of entries where the same task name appears multiple times.
For example, in a sample test environment, many Windows machines had more than one task named GoogleUpdateTaskMachineCore. A PowerShell script can label the rows as Task1, Task2, and so on. If you delete Task1, Task2 becomes Task1, and VCM displays multiple change details for Task1, such as the command line and the next run time. This report would be incorrect because even though Task 1 would have changed place in the sequence, the task would not have changed.
The task names are labeled accordingly.
- The first task entry is labeled GoogleUpdateTaskMachineCore.
- The second task entry is labeled GoogleUpdateTaskMachineCore_1.
Because task names can contain characters that are not valid in XML element names, VCM encodes the task names with the ToCMBase64String function. If you reorder the list of tasks whose names are identical, VCM can still report extra changes. For this reason, require the VCM user interface to display the friendly task names.
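The hash-based naming described above, as an added PowerShell example that is not part of the VMware sample script: each row is named from a SHA-256 hash of columns that stay constant between collections, so reordering the rows or a new Next Run Time leaves the names unchanged. The sample CSV rows are constructed, and the choice of stable columns (TaskName, Task To Run, Run As User), the Task- prefix, and the function names are assumptions.

```powershell
# Added example (not VMware's script). Sample rows are constructed.

function Get-StableTaskName {
    param(
        [Parameter(Mandatory = $true)] $Row,
        # Assumption: these schtasks columns do not change between collections.
        [string[]] $StableColumns = @('TaskName', 'Task To Run', 'Run As User')
    )
    # Volatile columns such as Next Run Time are left out on purpose: hashing
    # them would give the same task a new name at every collection.
    $values = foreach ($column in $StableColumns) { [string]$Row.$column }
    $material = $values -join [string][char]31      # unit separator between fields
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($material))
    }
    finally {
        $sha.Clear()
    }
    $hex = ([System.BitConverter]::ToString($digest)).Replace('-', '').ToLower()
    # A letter prefix keeps the result a valid XML element name.
    return 'Task-' + $hex.Substring(0, 16)
}

function Get-CollectionNames {
    param([object[]] $Rows)
    $seen = @{}
    foreach ($row in $Rows) {
        $name = Get-StableTaskName -Row $row
        if ($seen.ContainsKey($name)) {
            # Rows identical in every stable column: add an incrementing
            # suffix, mirroring the _1 labeling described above.
            $seen[$name] = $seen[$name] + 1
            '{0}_{1}' -f $name, $seen[$name]
        }
        else {
            $seen[$name] = 0
            $name
        }
    }
}

# Constructed input in the shape of "schtasks /query /v /fo:csv" output.
$header = '"HostName","TaskName","Next Run Time","Status","Task To Run","Run As User"'
$rowA   = '"HOST1","GoogleUpdateTaskMachineCore","12:32:00, 5/26/2010","Ready","C:\Example\Update.exe /c","SYSTEM"'
$rowB   = '"HOST1","GoogleUpdateTaskMachineCore","13:32:00, 5/26/2010","Ready","C:\Example\Update.exe /ua","SYSTEM"'
$rowA2  = '"HOST1","GoogleUpdateTaskMachineCore","12:32:00, 5/27/2010","Ready","C:\Example\Update.exe /c","SYSTEM"'

$firstCollection  = @($header, $rowA, $rowB)  | ConvertFrom-Csv
$secondCollection = @($header, $rowB, $rowA2) | ConvertFrom-Csv   # reordered, new run time

$namesFirst  = @(Get-CollectionNames -Rows $firstCollection)
$namesSecond = @(Get-CollectionNames -Rows $secondCollection)

# Compare-Object returns nothing when both collections hold the same names.
$difference = Compare-Object -ReferenceObject $namesFirst -DifferenceObject $namesSecond
$namesFirst
$namesSecond
'Names stable across collections: ' + ($null -eq $difference)
```

Position labels such as Task1 and Task2 would swap between these two collections; the hash-based names do not, because they depend only on the stable columns.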
Enclose Values that Can Contain XML Syntax in CDATA
When you develop your custom PowerShell scripts to collect the Windows Custom Information data type from VCM managed Windows machines, you must use CDATA to enclose values that contain XML syntax.
For example:
function wrapInCDATA( [string]$input_string)
{
    [string]$wrappedInCDATA | out-null
    if ( $input_string.Length -gt 0 )
    {
        $wrappedInCDATA = ("<!" + "[CDATA" + "[" + $input_string + ("]" + "]" + ">"))
    }
    return $wrappedInCDATA
}
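Collected values such as task command lines are arbitrary data, and a value that itself contains the sequence ]]> ends a CDATA section early. The following added example, which is not VMware's code, wraps a value so that it stays well-formed and checks the result by parsing it. The function names, the Command element name, and the sample value are hypothetical and constructed for illustration.

```powershell
# Added example (not VMware's code). The sample value is constructed.

function ConvertTo-SafeCData {
    param([string] $Value)
    if ([string]::IsNullOrEmpty($Value)) { return '' }
    # Remove characters that XML 1.0 forbids even inside CDATA
    # (most C0 control characters, U+FFFE and U+FFFF).
    $clean = [regex]::Replace($Value, '[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]', '')
    # "]]>" would close the section early, so split it across two sections.
    $clean = $clean.Replace(']]>', ']]]]><![CDATA[>')
    return '<![CDATA[' + $clean + ']]>'
}

function Read-ElementText {
    param([string] $XmlText, [string] $XPath)
    $doc = New-Object System.Xml.XmlDocument
    try {
        $doc.LoadXml($XmlText)
        return $doc.SelectSingleNode($XPath).InnerText
    }
    catch {
        return $null        # the text is not well-formed XML
    }
}

# Constructed value: a command line that happens to contain "]]>" and "&".
$value = 'powershell.exe -Command "if ($a[$i[0]]>$b) { & C:\Example\job.cmd }"'

$open  = '<Scheduled_Tasks><Task-1><Command>'
$close = '</Command></Task-1></Scheduled_Tasks>'
$path  = '/Scheduled_Tasks/Task-1/Command'

# Plain wrapping, as wrapInCDATA does, next to the hardened wrapping.
$plainXml = $open + '<![CDATA[' + $value + ']]>' + $close
$safeXml  = $open + (ConvertTo-SafeCData $value) + $close

$plainText = Read-ElementText $plainXml $path
$safeText  = Read-ElementText $safeXml $path

'Plain wrapping parses: ' + ($null -ne $plainText)
'Hardened wrapping returns the original value: ' + ($safeText -ceq $value)
```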
PowerShell Script Signing Policies
With PowerShell 2.0 you can set the script signing policies at the machine, user, and process levels. The process level runs a single execution of powershell.exe.
In VCM, Windows Custom Information (WCI) uses script type information in the collection filter to determine how to execute PowerShell and how to pass the script to it.
Use the following methods to pass a WCI script to PowerShell.
- In-line: The default WCI filter uses an in-line script to collect basic information about the PowerShell version, .NET version, and execution policy settings. The in-line option requires a collection script that is represented as a single line of PowerShell code. Because the filter runs an in-line script on the PowerShell command line, instead of using a file, the execution policy does not apply.
- Script file: For script-based filters in WCI, the default script type command line includes options to set the process-level execution policy to Remote Signed. The script requires that the execution policy be set to Remote Signed at the most restrictive level because the script runs from a file that resides locally on the VCM managed Windows machine. For WCI, VCM can execute collection scripts on managed machines where the machine and user level signing policies are set to any level, without requiring you to change the setting.
Built-In PowerShell Policy Settings
Before you use the WCI collection filter to run file-based PowerShell scripts on the VCM Collector and your VCM managed machines, you must change the execution policy on the VCM managed machines.
PowerShell contains built-in execution policies that limit its use as an attack vector. By default, the execution policy is set to Restricted, which is the primary policy for script execution.
The following policy settings apply to PowerShell scripts.
- AllSigned: PowerShell scripts must be signed by a verifiable certificate from the Software Publishing Certificate store. The typical file extension is .ps1. For signed scripts, you can set the execution policy to All Signed. You must sign the scripts and distribute the appropriate certificates before you collect WCI data.
- RemoteSigned: A verifiable certificate must sign any PowerShell script that you download from the Internet using a supported browser such as Internet Explorer. Script files that are not required to be signed are scripts that you create locally or scripts that you download using a method that does not support flagging the file source. For unsigned scripts, you must set the execution policy to the most restrictive level of Remote Signed. You can set the policy directly by using a Group Policy Object (GPO) with a VCM remote command. You can use a registry change action or enforceable compliance. For example:
  HKLM\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
  "ExecutionPolicy"="RemoteSigned"
- Unrestricted: All PowerShell script files run regardless of whether they are signed by a verifiable certificate.
- Restricted: You can use PowerShell interactively or to run commands directly from the command line. This setting is the default.
References on PowerShell and Script Signing
For information about Windows PowerShell and script signing policies, see the Microsoft Web site.
Create an Example PowerShell Script for Scheduled Tasks
Use a custom PowerShell script to collect Windows Custom Information (WCI) data from VCM managed Windows machines. With this example, you can learn how to use PowerShell scripts to collect WCI data for scheduled tasks.
Windows provides the schtasks.exe utility to report on scheduled tasks that you create in the Task Scheduler user interface or by using the AT command. The schtasks.exe utility enables you to manage scheduled tasks on a local or remote computer and to report on the scheduled tasks.
The schtasks command returns basic information about scheduled tasks. The data returned by schtasks includes multiple rows. PowerShell structures the $schtasks variable in an array. For example, $schtasks[0] represents the first row. To view the result set, use $schtasks[n], which displays the following status:
- $schtasks[0] is blank.
- $schtasks[1] contains column names.
- $schtasks[2] is the first row of task data.
Prerequisites
- Review the guidelines to create PowerShell scripts for WCI collections, and understand the challenges in PowerShell scripting. See "Guidelines in PowerShell Scripting for WCI" on page 88.
- Understand how to write and run PowerShell scripts. See "References on PowerShell and Script Signing" on page 92.
Procedure
1. On your VCM managed Windows machine, click Start.
2. Select All Programs > Accessories > Windows PowerShell.
   - On a 64-bit Windows machine, select Windows PowerShell (x86) to run the 32-bit version of PowerShell.
   - On a 32-bit Windows machine, select Windows PowerShell.
3. Run the command to set the source of data for the collection script.
   $schtasks = schtasks /query /v /fo:csv

   Option: /query /v
   Description: Displays additional information about scheduled tasks. Verbose formatting is difficult for automated processing.

   Option: schtasks /query /v /fo:csv
   Description: Displays verbose task output and sets the source of data for the collection script to a comma-separated value (csv) result set.

   Option: schtasks /query /?
   Description: Displays additional command options.
4. To return the data to the VCM Collector, parse the data into a structure that is compatible with the VCM XML format.
   The sample script parses the data as shown in the following code.
############################################################################
#
# This inspection script can be used to retrieve scheduled tasks information
# for tasks created through the Scheduler UI or through the AT command.
#
############################################################################
function ToCMBase64String([string]$input_string)
{
    return [string]("cmbase64-" +
        [System.Convert]::ToBase64String(
            [System.Text.Encoding]::UNICODE.GetBytes($input_string))).replace("=","-")
}
############################################################################
[string]$cihash | out-null
#create a hashtable to check for duplicate rows
$hasharray = @{}
$clTasks = ("<Scheduled_Tasks>")
$split = [char]3
$schtasks = schtasks /query /v /fo:csv
if ($schtasks.count -gt 1)
{
    #depending on OS, the first row may be blank
    #use $k to determine whether to start at the first or second row
    if ($schtasks[0] -eq "")
    {
        $k = 1
    }
    else
    {
        $k = 0
    }
    #strip the outer quotes, then split the column names row on ","
    $cols = $schtasks[$k].substring(1,$schtasks[$k].length-2).replace(""",""",$split).split($split)
    #find the HostName and TaskName columns
    $hostcol = -1
    $namecol = -1
    $j = 0
    while (($j -lt $cols.count) -and (($hostcol -eq -1) -or ($namecol -eq -1)))
    {
        if (([string]$cols[$j]).toupper() -eq "HOSTNAME")
        {
            $hostcol = $j++
        }
        else
        {
            if (([string]$cols[$j]).toupper() -eq "TASKNAME")
            {
                $namecol = $j++
            }
            else
            {
                $j++
            }
        }
    }
    #save first column name, to check for repeated column rows
    $firstcol = $cols[0]
    #encode each column name
    for ($j=0;$j -lt $cols.count;$j++)
    {
        $cols[$j] = [string](ToCMBase64String($cols[$j]))
    }
    #loop through each row
    #start at $k+1, because the first row may blank, and the first populated row is column names
    for ($i=$k+1;$i -lt $schtasks.count;$i++)
    {
        #make sure this is a data row
        $row = ([string]($schtasks[$i])).trim()
        if ($row.contains(""","""))
        {
            #split the row
            $task = $schtasks[$i].substring(1,$schtasks[$i].length-2).replace(""",""",$split).split($split)
            #some operating systems will return columns multiple times in the result set
            if ($task[0] -ne $firstcol)
            {
                #if we did not find a TaskName column, just tag each row as Task-n
                if ($namecol -gt -1)
                {
                    $clTasks += "<" + [string](ToCMBase64String($task[$namecol])) + ">"
                }
                else
                {
                    $clTasks += ("<Task-" + ([string]($i-1)) + ">")
                }
                for ($j=0;$j -lt $task.count;$j++)
                {
                    #skip the hostname field, since we are doing a local inspection
                    if (-not($j -eq $hostcol))
                    {
                        $clTasks += ("<" + $cols[$j] + ">")
                        #the value is written as-is; values that can contain XML syntax must be enclosed in CDATA
                        $clTasks += $task[$j]
                        $clTasks += ("</" + $cols[$j] + ">")
                    }
                }
                #if we did not find a TaskName column, just tag each row as Task-n
                if ($namecol -gt -1)
                {
                    $clTasks += "</" + [string](ToCMBase64String($task[$namecol])) + ">"
                }
                else
                {
                    $clTasks += ("</Task-" + ([string]($i-1)) + ">")
                }
            } #end data row that is not columns repeated
        } #end data row
    } #end row loop
}
$clTasks += ("</Scheduled_Tasks>")
write-host $clTasks
5. After you generate your PowerShell script, perform the following steps:
   - Build a collection filter in VCM.
   - Paste the content of your script into the collection filter.
   - Collect data using the script-based collection filter.
To view the collected WCI data in VCM, click Console and select Windows Operating System > Custom Information > List View.
What to do next
Develop your own custom PowerShell script. See "Create Your Own WCI PowerShell Collection Script" on page 99.

Windows Custom Information Change Management

VCM manages Windows Custom Information (WCI) data changes on a per-filter basis on VCM managed Windows machines. When multiple filters return data using the same top-level XML element name, each filter applies unique change detection.
When you use multiple collection filters to collect WCI data, follow these guidelines.
- Create filters that collect data in a parallel manner. See the following examples.
- Use one filter to collect data from C:\ and another filter to collect data from C:\Windows.
- Use a separate filter to collect data from C:\Windows with audit information and another filter to collect data from C:\Windows without audit information.
  When you use filters in an unparallel way, every time the file system updates to add a new file or remove an existing file, both filters generate "new file" and "deleted file" events, which causes overlap of the data.
- Use one filter to collect data from NetStat.
- Use multiple filters to collect data from the NTFS file system.
  For example, use one filter to collect data in C:\, and another filter to collect data in C:\Windows\System. These collections merge under the top-level element NTFSDirectory without overlap, because each filter collects separate parts of the file structure and avoids extra change reporting.
- Do not create filters that overlap collected WCI data. Overlap can occur if you use filters that do not collect data in a parallel manner.
- Do not use multiple filters to collect the same data for NetStat Open Ports.
  When the filters return data under the top-level element name and a managed machine starts to listen on port 80, each filter initially reports the data as a newly created value, which causes overlap of the data reported.
- Do not create two filters to collect data on the File Permission With Audit data type from different parts of a managed machine's file system.

Collecting Windows Custom Information

To collect Windows Custom Information (WCI) using script-based filters, you create and verify your custom PowerShell scripts, install PowerShell on the VCM managed machines, and use VCM to collect the WCI data.
Procedure
1. "Create Your Own WCI PowerShell Collection Script" on page 99
Create or modify your Windows Custom Information (WCI) scripts to collect almost any data type that is accessible from VCM managed Windows machines. To return data in a VCM compatible, element-normal XML format, you create your own PowerShell script or obtain PowerShell scripts from VMware Professional Services or another source and modify them for your own collections.
2. "Verify that Your Custom PowerShell Script is Valid" on page 99
Verify that your PowerShell script adheres to valid XML before you use the script to collect Windows Custom Information (WCI) from VCM managed machines.
3. "Install PowerShell" on page 100
Verify that PowerShell 2.0 is installed on each VCM managed Windows machine used to collect Windows Custom Information (WCI).
4. "Collect Windows Custom Information Data" on page 100
Use the Windows Custom Information (WCI) data type to perform user-defined, script-based collections on your VCM managed machines. To collect the custom data, you build a collection filter that includes a script with parameters to run the script and process the results.
5. "View Windows Custom Information Job Status Details" on page 102
When you run Windows Custom Information (WCI) collection filter scripts, VCM captures detailed information and displays status about exit codes and standard error output for each job that processed the script or filter. You can view the job status details in Job Manager.
6. "Windows Custom Information Collection Results" on page 103
Examine the results of your Windows Custom Information (WCI) collected data in the VCM tree views and list view.
7. "Run Windows Custom Information Reports" on page 104
Generate your own reports or run existing reports on Windows Custom Information (WCI) data that you collected using your custom PowerShell scripts.
8. "Troubleshooting Custom PowerShell Scripts" on page 104
If you encounter problems when you run custom PowerShell scripts, run the script as a .ps1 file and correct any errors before you use the script with a VCM collection filter.

Create Your Own WCI PowerShell Collection Script

Create or modify your Windows Custom Information (WCI) scripts to collect almost any data type that is accessible from VCM managed Windows machines. To return data in a VCM compatible, element-normal XML format, you create your own PowerShell script or obtain PowerShell scripts from VMware Professional Services or another source and modify them for your own collections.
WCI internally stores data in a hierarchy, so your collection script must provide the complete data structure in the standard tree view. The root element in the XML result data set becomes a top-level root element in the WCI data type node. Child elements appear in the same locations in VCM as the locations they populate in the XML document returned by the script.
Prerequisites
- Understand how to write and run PowerShell scripts. See "References on PowerShell and Script Signing" on page 92.
- Plan your data structure to display WCI data in a tree hierarchy based on the data structure specified in the user-defined collection scripts. For an example, see Windows Custom Information Tree View - Standard in the online help.
- Review the guidelines to create PowerShell scripts for WCI collections and understand the challenges. See "Guidelines in PowerShell Scripting for WCI" on page 88.
- Review the example PowerShell script to see a sample script used for a WCI collection. See "Create an Example PowerShell Script for Scheduled Tasks" on page 92.
Procedure
1. On your VCM Collector or managed Windows machine, click Start.
2. Select All Programs > Accessories > Windows PowerShell.
   - On a 64-bit Windows machine, select Windows PowerShell (x86) to run the 32-bit version of PowerShell.
   - On a 32-bit Windows machine, select Windows PowerShell.
3. Create your PowerShell script and save it to the location of your choice.
What to do next
Verify that your PowerShell script adheres to valid XML before you can use the script to collect WCI data from VCM managed machines. See "Verify that Your Custom PowerShell Script is Valid" on page 99.

Verify that Your Custom PowerShell Script is Valid

Verify that your PowerShell script adheres to valid XML before you use the script to collect Windows Custom Information (WCI) from VCM managed machines.
To verify that your script is valid, run the script in PowerShell.
Procedure
1. On your VCM Collector or managed Windows machine, open a command prompt.
2. Run powershell.exe from the command line.
3. Paste your script into the PowerShell window.
   If your script does not run, press Enter.
4. Make sure that your script runs without errors.
   Errors appear in red in the PowerShell window.
5. If errors occur, resolve them.
   A valid script returns a set of XML content without any formatting, white space, carriage returns, or line feeds at the end of elements, nodes, or attributes.
What to do next
Install PowerShell on your VCM managed machines. See "Install PowerShell" on page 100.
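Running the script shows PowerShell errors, but not whether the XML it returns follows the WCI guidelines. The following added example, which is not VMware's code, checks captured script output for well-formedness, duplicate sibling element names, and stray white space. The function names are hypothetical, the sample XML is constructed, and the cmbase64 decoder is an assumed inverse of ToCMBase64String used only to make the messages readable.

```powershell
# Added example (not VMware's code). Sample XML below is constructed.

function ConvertFrom-CMBase64Name {
    param([string] $Name)
    # Assumed inverse of ToCMBase64String: strip the prefix, restore the
    # "=" padding, and decode the bytes as UTF-16LE.
    if (-not $Name.StartsWith('cmbase64-')) { return $Name }
    try {
        $bytes = [System.Convert]::FromBase64String($Name.Substring(9).Replace('-', '='))
        return [System.Text.Encoding]::Unicode.GetString($bytes)
    }
    catch { return $Name }
}

function Get-WciXmlProblem {
    param([string] $XmlText)
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true     # keep formatting white space so it can be reported
    try { $doc.LoadXml($XmlText) }
    catch { 'Not well-formed XML: ' + $_.Exception.Message; return }

    # get_*() accessors are used because PowerShell's XML adapter lets a child
    # element or attribute called "Name" or "ChildNodes" shadow the .NET property.
    $pending = New-Object System.Collections.Queue
    $pending.Enqueue($doc.get_DocumentElement())
    while ($pending.Count -gt 0) {
        $element = $pending.Dequeue()
        $label = ConvertFrom-CMBase64Name ($element.get_Name())
        $seen = New-Object System.Collections.Hashtable    # case-sensitive, like XML names
        $children = @($element.SelectNodes('*'))
        foreach ($child in $children) {
            $name = $child.get_Name()
            if ($seen.ContainsKey($name)) {
                'Duplicate sibling <{0}> under <{1}>' -f (ConvertFrom-CMBase64Name $name), $label
            }
            $seen[$name] = $true
            $pending.Enqueue($child)
        }
        if ($children.Count -eq 0) {
            # Leaf element: compare the whole value (text and CDATA) with its
            # trimmed form. This also flags leading white space, which is
            # stricter than the guideline's "at the end".
            $text = $element.get_InnerText()
            if ($text -cne $text.Trim()) {
                'Leading or trailing white space in value of <{0}>' -f $label
            }
        }
        else {
            foreach ($node in $element.get_ChildNodes()) {
                $type = $node.get_NodeType()
                if ($type -eq 'Whitespace' -or $type -eq 'SignificantWhitespace') {
                    'Formatting white space between child elements of <{0}>' -f $label
                    break
                }
            }
        }
        foreach ($attribute in $element.get_Attributes()) {
            $attributeValue = $attribute.get_Value()
            if ($attributeValue -cne $attributeValue.Trim()) {
                'White space around attribute {0} of <{1}>' -f $attribute.get_Name(), $label
            }
        }
    }
}

# "Next Run Time" encoded as shown earlier in this guide.
$encoded = 'cmbase64-TgBlAHgAdAAgAFIAdQBuACAAVABpAG0AZQA-'
$clean  = "<Scheduled_Tasks><Task-1><$encoded>12:32:00, 5/26/2010</$encoded></Task-1></Scheduled_Tasks>"
$flawed = "<Scheduled_Tasks>`n  <Task-1><$encoded>12:32:00, 5/26/2010 </$encoded><$encoded>x</$encoded></Task-1>`n</Scheduled_Tasks>"
$broken = '<Next Run Time>12:32:00, 5/26/2010</Next Run Time>'

'Problems in clean output: ' + @(Get-WciXmlProblem $clean).Count
Get-WciXmlProblem $flawed
Get-WciXmlProblem $broken
```

To check a real script, capture its output into a string and pass that string to Get-WciXmlProblem before you paste the script into a collection filter.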

Install PowerShell

Verify that PowerShell 2.0 is installed on each VCM managed Windows machine used to collect Windows Custom Information (WCI).
PowerShell 2.0 is supported on all platforms that support PowerShell 1.0.
- PowerShell is installed by default on Windows 2008 R2 and Windows 7 machines.
- For Windows XP, 2003, 2003 R2, 2008, and Vista machines, you must install PowerShell separately.
- You cannot install PowerShell on Windows 2000 or NT4 machines.
Because of its ability to set the execution policy at the process level, PowerShell 2.0 is the base requirement for WCI in VCM. If you run the standard WCI non-inline collection filters against PowerShell 1.0 VCM managed machines, the collection process will fail.
Procedure
1. On your VCM managed machine, check the following registry entry to verify whether PowerShell 2.0 is installed.
   a. Key Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
   b. Value Name: PowerShellVersion
   c. Value Type: REG_SZ
   d. Value Data: <1.0 | 2.0>
If you do not check the registry, the steps to determine if PowerShell 2.0 is installed might differ depending on the platform type of your managed machine.
If PowerShell is not installed on the target VCM managed machine, the WCI collection returns a Not Executed status. See "View Windows Custom Information Job Status Details" on page 102.
What to do next
Reboot the VCM managed machine after you install or upgrade PowerShell to ensure that collections work properly.

Collect Windows Custom Information Data

Use the Windows Custom Information (WCI) data type to perform user-defined, script-based collections on your VCM managed machines. To collect the custom data, you build a collection filter that includes a script with parameters to run the script and process the results.