    Best posts made by NetworkNerd

    • Site-to-Site VPN between Cisco ASA and Meraki MX: The KB I Wish Meraki Had Written

      We lit up a new site earlier this year with Charter fiber and needed to connect it back to HQ. Then another site in our area needed to be connected back to HQ, presenting a firewall decision. Should we look to next generation Cisco ASA gear to replace our aging (and soon out of life) 5505s and 5510, look at a different type of product for a firewall, or look at UTMs as a viable option? Our network has been a hub and spoke for a while now with a 5510 at HQ and 5-6 other ASA 5505s out in the wild.

      After much research and deliberation, we landed on Meraki MX gear. We got a MX84 for HQ and MX64s for the remote sites. This post is a little bit about the implementation and some hurdles we needed to jump to get the different gear working for site-to-site VPN capabilities to work as expected.

      The plan was to take care of the spoke sites first, get all of the ASA 5505s replaced with MX64s, and connect them back to HQ's 5510 using IPSec. Then we'd replace the ASA 5510 with the MX84 and connect all sites again. I started reading up on this before we got the Meraki gear to prepare for what was coming. When deploying ASAs in the past, we had hired a consultant to do the configuration for us since none of us are Cisco proficient. I know enough to be dangerous within ASDM, but I cannot say the same from the command line. After several years in IT, I had never once tried to set up an IPSec tunnel on my own. This was the time. I'd save the company consultant fees for every device by tackling it myself.

      Here's the KB from Meraki on creating a tunnel between Cisco ASAs and Meraki MX: https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Cisco_ASA_Site-to-site_VPN_with_MX_Series. That article is written for ASA version 8.3 and higher. We just happened to be on version 8.4(4)1 across the board, so things looked a little different. In any case, the directions were pretty easy to follow. Here's a click by click using ASDM in the version we had. The steps were similar to this and performed on our ASA 5510.

      • Go to Wizards -> VPN Wizard -> Site-to-Site VPN Wizard, and click Next to continue.
        0_1470693660724_ASASitetoSiteVPNWiz.png

      • Leave the VPN interface as outside, and enter the peer ip (which, in my case, was the WAN ip of one of the MX64 devices).
        0_1470693754750_ASASitetoSiteStep2.png

      • Turn off IKEv2 since Meraki only supports v1.
        0_1470693815323_ASASitetoSiteStep3.png

      • Identify local and remote networks. We liked using network objects in the ASA.
        0_1470694303511_ASASitetoSiteStep4.png

      • Enter the pre-shared key for your tunnel. No device certificate is needed here.
        0_1470694373299_ASASitetoSiteStep5.png

      • There is no need to change anything here. As the Meraki KB states, the MX security appliance can accept any of the following Encryption algorithms: DES, 3DES, AES-128, AES-192 and AES-256. Additionally the MX can accept either SHA1 or MD5 as the authentication hashing algorithm.
        0_1470694429696_ASASitetoSiteStep6.png

      • Be sure to check the option to exempt ASA side host/network from address translation, and leave it set to inside interface.
        0_1470694559935_ASASitetoSiteStep7.png

      • Now you see the summary of the changes, so go ahead and click Finish to set up the connection profile on the ASA side.
        0_1470694640741_ASASitetoSiteStep8.png

      As seen in the connection Profiles list...
      0_1470694680604_ASASitetoSiteStep9.png

      • As we all know, sometimes using a wizard enables some options you don't want. At this point, I like to go to Configuration -> Site-to-Site VPN in ASDM and edit the connection profile. Once the edit profile window opens, expand Advanced from the left-hand tree, and go to Cryptomap Entry. Uncheck the option for NAT-T (since we have no other NAT device between the ASA and the MX). Click ok, and apply the changes. Be sure to save those to the startup configuration of the ASA as well.
        0_1470695164334_ASASitetoSiteNATT.png

      • That's all that should be needed on the ASA side in terms of changes, so the rest we do on the Meraki MX side. This involves jumping into the Dashboard and setting up a Non-Meraki Peer (under Security Appliance -> Site-to-Site VPN on the Meraki network in question). We'll assume the public ip of the ASA is 2.2.2.2. Use the same pre-shared key for the tunnel as you entered on the ASA side. Save your changes, and wait a couple of minutes.
        0_1470695451213_MerakiMXSitetoSite1.png

      • If you start testing after making these changes to the MX, you will find that the tunnel connects, and you can send traffic between networks. It may even work for the better part of a day, but the tunnel will eventually drop unexpectedly. The root cause here is that the phase 1 and phase 2 negotiations for IKE / IPSec start to fail according to what you see in the Meraki event logs. But I followed the article. Everything should be fine, right? Wrong.

      • Here's another article Meraki links to at the bottom of that first article - https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Peers. Inside that article they finally tell you the default settings a MX uses when connecting with a 3rd party vendor's gear:

      Cisco Meraki devices have the following requirements for their VPN connections to non-Meraki peers:
      Preshared keys (no certificates).
      LAN static routes (no routing protocol for the VPN interface).
      IKEv1 (IKEv2 not supported) in Main Mode (aggressive mode not supported).
      Access through UDP ports 500 and 4500.

      • Go back to the ASA for a second, and dig into the connection profile you setup earlier. In the Basic settings, you see the IKE Policy list. Click the Manage button next to that to see a listing of all IKE policies.
        0_1470696024327_ASAIKEPolicies.png
        If you highlight one of the policies and choose to edit, you will see the default negotiation settings the ASA is using.
        0_1470696031508_ASAIKEPolicies1.png

      At this point there are two options - change negotiation settings on the ASA side to match the Meraki MX, or change the Meraki MX negotiation settings to match the ASA side. I went with the latter option since I had the ASA 5510 connected to several 5505s and did not want to have to touch all of them.

      • Back inside the same Site-to-Site VPN area of Meraki Dashboard as before, click the Custom link under IPsec Policies.
        0_1470696384014_MerakiMXSitetoSite2.png

      • Once that opens, you can adjust all of the parameters so that the lifetime matches and the encryption and authentication settings for both settings match everything being used in your IKE Policies from the Cisco ASA. The settings below are what worked for me.
      0_1470696516701_MerakiCustomIPsec.png

      Once these changes were made, the tunnel was solid. I learned this the hard way so hopefully this can benefit someone else. I will also say that every MX device you want to connect back to a 3rd party device must be in Hub mode (can't just be in spoke mode). The Non-Meraki peer you set up will be available to connect to any other MX devices in your Meraki Organization.

      posted in Self Promotion meraki meraki mx cisco cisco asa ipsec networknerd meraki networknerd blog meraki kb vpn
      NetworkNerdN
      NetworkNerd
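As an added example (not code from the post, nor from Cisco or Meraki), here is a Python check for the phase 1 mismatch the post describes: it parses the ASA's `crypto ikev1 policy` blocks and compares them with the values entered in the Meraki Dashboard Custom IPsec policy, applying the non-Meraki-peer requirements quoted above. The ASA config text and the Dashboard values are constructed samples, not the author's settings.

```python
"""Phase 1 sanity check for an ASA-to-Meraki-MX IKEv1 tunnel.

Parses the ASA's 'crypto ikev1 policy' blocks and compares them with the
values entered in the Meraki Dashboard Custom IPsec policy, using the
non-Meraki-peer requirements the post quotes from the Meraki KB.
All configuration below is constructed sample data, not the post's values.
"""
import re

# Requirements quoted in the post from the Meraki troubleshooting KB.
MX_PHASE1_CIPHERS = {"des", "3des", "aes-128", "aes-192", "aes-256"}
MX_HASHES = {"sha1", "md5"}

# Constructed ASA 8.4-style config; 'aes' with no size means AES-128 on the ASA.
ASA_SAMPLE = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""

# Constructed Dashboard values: a peer left at a 28800s lifetime, and the same
# peer after editing the Custom IPsec policy to match the ASA's 86400s.
MX_PEER_BEFORE = {
    "ike_version": 1, "mode": "main", "authentication": "psk",
    "phase1": {"encryption": "AES-256", "hash": "SHA1", "dh_group": 2,
               "lifetime": 28800},
}
MX_PEER_AFTER = dict(MX_PEER_BEFORE,
                     phase1=dict(MX_PEER_BEFORE["phase1"], lifetime=86400))


def parse_ikev1_policies(config):
    """Return {priority: {attribute: value}} for each crypto ikev1 policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return policies


def normalize(attr, value):
    """Map ASA and Dashboard spellings of the same setting onto one vocabulary."""
    value = str(value).lower()
    if attr == "encryption":
        return "aes-128" if value == "aes" else value
    if attr == "hash":
        return "sha1" if value in ("sha", "sha1") else value
    if attr == "group":
        return int(value) if value.isdigit() else 0
    return value


def check_peer(asa_policies, mx_peer):
    """Return a list of findings; an empty list means phase 1 should agree on rekey."""
    findings = []
    if mx_peer["ike_version"] != 1:
        findings.append("MX supports IKEv1 only; disable IKEv2 on the ASA profile")
    if mx_peer["mode"] != "main":
        findings.append("MX negotiates main mode only; aggressive mode not supported")
    if mx_peer["authentication"] != "psk":
        findings.append("MX requires a pre-shared key; certificates not supported")
    p1 = mx_peer["phase1"]
    want = {"encryption": normalize("encryption", p1["encryption"]),
            "hash": normalize("hash", p1["hash"]),
            "group": normalize("group", p1["dh_group"])}
    if want["encryption"] not in MX_PHASE1_CIPHERS:
        findings.append(f"{p1['encryption']} is not a cipher the MX accepts")
    if want["hash"] not in MX_HASHES:
        findings.append(f"{p1['hash']} is not a hash the MX accepts")
    # The ASA tries its policies in priority order; only pre-share ones can match.
    for prio, pol in sorted(asa_policies.items()):
        if pol.get("authentication") != "pre-share":
            continue
        have = {k: normalize(k, pol.get(k, "")) for k in want}
        if have == want:
            if int(pol.get("lifetime", 86400)) != p1["lifetime"]:
                findings.append(f"ASA policy {prio} matches but its lifetime "
                                f"{pol['lifetime']}s differs from the MX {p1['lifetime']}s")
            break
    else:
        findings.append("no pre-share ASA IKEv1 policy offers the MX phase 1 proposal")
    return findings


if __name__ == "__main__":
    policies = parse_ikev1_policies(ASA_SAMPLE)
    for label, peer in (("before", MX_PEER_BEFORE), ("after", MX_PEER_AFTER)):
        print(label, check_peer(policies, peer) or ["OK"])
```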
    • Fighting the Impostor Within

      Deep inside you lies an impostor. Rather than an opinion, this is a fact for many of us, regardless of profession. The impostor exists in that deep, dark place you hope no one can see, waiting to ruin everything you’ve achieved professionally.

      Is this impostor your alter ego like Dr. Jekyll’s Mr. Hyde? Perhaps. Does he / she even resemble the real you? How do you keep the impostor at bay? Is it even possible?

      Back up for a second. The impostor is someone you have let yourself become, existing because of fear and doubt. These two feelings shackle your mind and change your own self-perception. Do you ever wonder if others feel the same? I guarantee you they do. I suspect these feelings come easier to folks who have achieved things they didn’t think were previously possible. Let’s take some examples.

      An Example from the Realm of Education
      When I was teaching high school math several years ago, I made students write a paper at the beginning of the year describing their general attitude toward math and what had shaped it in the past. I asked for brutal honesty, and in most cases, I got it. Many students hated math because they were never good at it, were discouraged because of previous teachers, or didn’t feel the subject was worth their time. My goal was to help these students put aside the previous experiences and to help them keep an open mind to the possibility of being able to succeed. While it certainly did not work in every case, a number of students were able to reach new heights only because they began to believe they could. It was easy to see the pride on their faces as their grades began to soar higher than they had in previous years.

      Read the rest of the article here - http://blog.thenetworknerd.com/2018/06/30/fighting-the-impostor-within.

      posted in Self Promotion networknerd blog career networknerd career impostor syndrome networknerd impostor syndrome
    • A Letter to the Dreamer - Be Brave Enough

      0_1512407265273_BeBraveEnough.png

      When is the last time you remember having a dream of some sort of achievement? Maybe it was what you wanted to be when you grew up as of Kindergarten graduation, or perhaps it was something else. Are the young the only ones who dream? Are they the only ones who would pursue a dream? With age comes responsibility. Marriage, children, a mortgage, and a job that supports the family are all part of it. And as responsibility comes, we tend to give up on our dreams. We give up our own dreams for those of our children. The dream becomes, as Langston Hughes put it, deferred.

      I’d like to share the story of one of my dreams. And in a way, it’s a dream that, rather than me chasing it for many years, found me.

      Ten years ago I walked out of my classroom for the last time. After 3.5 years teaching high school math, it was time for a new adventure. I told the principal I was giving up something I loved for something I loved even more, which was the dream of someday being a dad.

      I went from math teacher to support analyst. Six months later I took a role that was part analyst and part IT. Over the course of nine years with the company, the role took me into full blown IT systems administration. I made a move one year ago to a different company to help rebuild the server infrastructure. While I enjoyed the work I was doing, something unexpected happened.

      You can read the rest here - http://blog.thenetworknerd.com/2017/12/04/a-letter-to-the-dreamer-be-brave-enough.

      posted in Self Promotion networknerd blog networknerd career career
    • Our Halloween Tradition

      For about 25 years now, my family has been carving pumpkins at Halloween as a tradition started by my aunt when she brought home a Pumpkin Masters kit on that fateful day. Ever since, we have been hooked. Each year we seem to carve more pumpkins, often times with better or more difficult patterns. It's literally our favorite holiday.

      I remember my aunt from Texas would come to Tennessee where we lived (until I finished college) to carve pumpkins at Halloween. She would stay for the week, often using all of her vacation time. We became "those people with all the pumpkins." Then, when we moved to Texas in 2003, we became The Pumpkin People. I got married in 2005, and my wife got involved. My sister got married a few years ago, and her husband joined in the crew. It's still a family thing.

      Even though Aunt Tonie (the one who started it all) passed away back in 2006 after losing her battle with cancer, the tradition carries on each year. Now it's sort of become our way of honoring her memory because it's something she loved to do, and we all loved to do with her. And we love it when people come by the house to get some candy on Halloween to see the display.

      So if you want to check out some of our designs this year, have a look:
      https://www.facebook.com/pumpkinpeople
      http://brandibug.blogspot.com/2014/10/halloween-2014-lets-get-started.html

      posted in Water Closet halloween pumpkins
    • Preventing Shadow IT

      My employer is a PEO and encourages employees to write blog posts for their website. I thought it was time they had one in there from someone in IT. This one recommends some ways you can prevent Shadow IT in your organization. Let me know what you think.

      https://www.staffone.com/avoid-threat-shadow-it-tech-policies/

      posted in Self Promotion networknerd blog networknerd shadow it shadow it
    • Is Arctic Wolf Watching out for You?

      A few months ago I agreed to participate in a beta test program for Arctic Wolf. They are a Spiceworks partner and have a really interesting product. They send you an appliance that just analyzes traffic on your network, nothing more than a passthrough device. But they have a security concierge service that actively watches and manages customer devices for threats. They've detected some threats that we did not even know existed (some that even VIPRE did not catch).

      Today we got an alert from VIPRE about active protection and it blocking an attempt to run FileExtractorSetup.exe on someone's machine. That was good. We started scrubbing that machine pretty soon afterward. Then, only a few minutes later, we get the following message from Arctic Wolf:

      Nick,
      A file was recently seen being downloaded to a workstation within your network that may have undesired results if installed. The file is called "FileExtractorSetupG.exe", and was downloaded to the following workstation: ipdaddress\WorkstationName.
      I ran an analysis on the file and it came back with the following results:
      SHA256: 6f8f317a612e1f20a5810210554ef24fb099a0b2263bef429c58cfd1f3723eac
      File name: FileExtractorSetupG.exe
      AV Detection ratio: 3 / 50
      Analysis date: 2014-03-07 15:41:44 UTC ( 0 minutes ago )

      AV Agent Virus Signature AV Date
      DrWeb Adware.Downware.1838 20140307
      Norman FakeNSIS.A 20140307
      VIPRE InstallCore (fs) 20140307
      If you have any questions please let me know.


      I must say I have been very impressed with their product, especially the security concierge service. They analyze traffic to see trends, if devices on your network might be attempting to access systems in other countries, etc. They do all of the analysis and log review that you wish you did. Definitely check them out if you get the chance.

      Now I just need to try and convince management to keep their service for the next year (which will be a paid endeavor).

      posted in IT Discussion artciwolf
    • Spiceworld 2017 Session: The IT Manager's Guide to Shadow IT

      I was asked a couple of times about sending the slide deck to people and wanted to post it here. Here's a list of what I have prepared for those who asked:

      • PowerPoint slides

      • Link to video of the presentation

      • Transcription of best comments from audience in the presentation

      • Answers to questions people sent out via Twitter during the presentation

      You can find it all here:

      http://blog.thenetworknerd.com/2017/10/21/spiceworld-2017-session-the-it-managers-guide-to-shadow-it...

      Thanks so much to everyone who came and made this such a great discussion. I think my favorite question was the one @JaredBusch asked about keeping yourself from Shadow IT. And I want to give a special shout out to Paul Mai for recording the session for me.

      Also, thanks to the Mango community for vetting the original blog post I wrote months ago that gave me the idea for a presentation. @MattSpeller

      posted in Self Promotion spiceworld 2017 spiceworld spiceworld austin networknerd blog networknerd shadow it shadow it
    • This is Why People Leave LogMeIn

      I know in the not so distant past there was a large following who dropped LogMeIn because of pricing and the communication thereof. This thread is not really about that particular instance, nor is it meant to bash LogMeIn. I just want to share a conversation I had with someone there yesterday afternoon.

      We still use LogMeIn and really like it. We have about 180 servers / pcs with LMI installed that we manage (and even some on which it is not installed yet).

      I called to ask a question about our renewal price and why it was more than triple what we paid to renew in 2013. They told me about the changes made to LogMeIn Central and how they have now split it into 3 different products - Basic, Pro, and Premium. There's one LMI client, and based on your version of Central, the client software features get unlocked automatically (no separate installer). They told me how they did away with the mix of LMI Pro and LMI Free clients and let Central dictate what features are unlocked for all clients. They put more development into the product for newer features, etc. They analyze your usage and try to help you make a decision on which version of Central to pick, which I found pretty helpful. They had me on the right tier for 101 - 250 computers and didn't really try to upsell me on going from Basic to Pro.

      So here's the kicker...I was given a renewal price to stay with Basic or to go up to Pro, and honestly, both were pretty reasonable. The Basic renewal price I got over the phone was more than even my "discounted" renewal price online (so shocker there). I don't really think it is that expensive to renew based on our usage. But to be thorough, I asked the question, "what happens if at some point during the subscription year I exceed the 250 clients and need to move up to the next tier (which is 251 - 500 clients)?"

      The person on the other end told me that whether I was on the Basic or on the Pro version of Central, moving up to the next tier requires me to pay FULL LIST PRICE for the next tier. Now, you do have to manually request to move to the next tier, which is good. But it does not matter if I decide to change to the next tier 1 month after my renewal, 7 months into it, or even 4 weeks before the next renewal. I get hit with the FULL LIST PRICE of the next tier. And then, they will credit back to me the portion of my former subscription (the one on the 101 - 250 computer tier) that I was unable to use because I had to change tiers. That does not renew you for another year once you hit the next tier. You just get hit with the full price of the next tier.

      What I took from that is there is no incentive to upgrade past the tier where I am currently. I even asked if they prorated the next tier's list price if you change tiers in the middle of a subscription. They said no. That seems really backward to me. Basically, they will get your money one way or another, whether through price hikes on your current subscription (as people have seen) or by getting you when you have to go to a new tier. Has anyone else heard a similar story?

      I'm not bitter toward LogMeIn or anything, but this makes no logical sense. I will likely renew with them this year and then look to move away in the coming subscription year if we get closer to our tier ceiling of computers.

      posted in IT Discussion logmein screenconnect remote access
    • When the End User Saves the Day

      The work day is almost over when you’re interrupted with an emergency. A certain time sensitive financial function of one of your information systems isn’t working. As luck would have it, the error is something you’ve never seen. And the business is counting on you to fix it quickly, or this could be a very expensive problem. I found myself in that exact scenario a couple of days ago. But in this case, it was the end user who really saved the day. Keep reading.

      The rest of the story can be found here -
      http://blog.thenetworknerd.com/2017/10/07/when-the-end-user-saves-the-day/

      posted in Self Promotion networknerd blog career networknerd career
    • A SAMIT Idea...

      I think we need a video talking about what HA actually is, what people seem to think it is, the different levels of HA (hypervisor, application, etc.), and what vSphere HA is / how it works.

      posted in IT Discussion samit vmware vsphere ha
    • Journey to vSAN – A Technical Adventure

      0_1517203601617_vSAN_Licensing.png
      Imagine having just configured some LUNs on your new PowerVault MD3820i. Encryption key management has been configured, and 20 SEDs (self-encrypting drives) are spinning and ready for use with vSphere. There are 4 SSDs in the PowerVault to use for caching that just need to be configured.

      “What do you mean these cache disks aren’t supported for use with SEDs?” That was the question posed to Dell Support after being told we could not add cache disks for our SED LUNs in this array.

      The SSDs were in the PowerVault, and the device recognized them without an issue. We just couldn’t configure them as cache. Even the documentation from Dell mentioned this configuration is not supported. As it turns out, the SSDs we received were not SEDs and could not be used as cache in combination with SEDs.

      While the SAN with SEDs would meet the corporate encryption requirements, losing caching capabilities meant the storage would no longer meet our IOPs needs. And that is where our story begins.

      You can read the rest here - http://blog.thenetworknerd.com/2018/01/28/journey-to-vsan-a-technical-adventure.

      posted in Self Promotion networknerd blog networknerd vsan networknerd vmware vmware vsan vmware vsan journeytovsan
    • Get Crafty with Career Progression

      0_1519504470133_GetCrafty.png

      A recent discussion with a friend inspired this post.

      Whether you are a workaholic, forced to work overtime each week, or never take work home, when is the last time you stopped to reflect on career? It seems to be something many of us consistently overlook. Working on career progression through an iterative, routine process is key for self-development. But when is the last time you thought about it?

      Regardless of job or employer, you are capable of greater things. I’m not saying you should be job hunting. I’m saying you should be constantly seeking to improve. How do you get started? Here are some suggestions to get the juices flowing:

      • Set aside some time to think in a distraction free environment. No matter how busy you think you are, just do it. Start with 15 minutes per day. Continue daily until a full evaluation of your current career state has been captured.

      • Though it is not required, put your thoughts in writing (stored electronically, backed up in 3 places, not on your work computer, etc.). It will help you remember and will direct your next steps on the career progression journey.

      You can read the rest of the story here - http://blog.thenetworknerd.com/2018/02/22/get-crafty-with-career-progression.

      posted in Self Promotion networknerd blog networknerd career career
    • Two Nerds on a Journey

      0_1531860582717_NerdJourney_logo_Small.jpg
      When is the last time you embarked on a journey? A journey is likened to a lengthy adventure with a number of challenges to overcome along the way which result in personal development. Movies like Homeward Bound: The Incredible Journey or Journey to the Center of the Earth serve as excellent illustrations of what a journey might entail.

      Think of your career as a journey. The journey begins on your first day of employment as a professional and continues to retirement. For some, the journey is well underway, and for others, the journey is only beginning. But the real question to consider is whether you as an individual are developing through career advancement as the journey continues. Could it be the journey is underway, but you’re no different than when you began? Did you expect to be farther along on the journey than you are at present?

      A journey can be difficult without a guide.

      The History
      Several years ago I joined the Spiceworks Community and received help from a number of individuals. Solving these technical problems propelled my career forward to reach new heights and take on new challenges. I eventually made it to my first IT conference (Spiceworld) and was able to meet some of the community members who had helped me in person. On one particular evening of the conference, I met John White. He had been instrumental in helping me understand the basics of virtualization. We sat down with a bunch of other nerds and had a great conversation. Time passed, but we stayed in touch through the community. John ended up giving me additional career advice down the road and recommended me for a job at VMware. Perhaps without knowing it, John became a guide for my career journey. And without his influence and help, I definitely would not be where I am today. Even now, this nerd journey continues as I look to drive forward and improve in everything I do.

      You can read the rest of the story here - http://blog.thenetworknerd.com/2018/07/17/two-nerds-on-a-journey.

      posted in Self Promotion networknerd blog networknerd career career podcast networknerd podcast nerd journey
    • Episode 2 of Nerd Journey Now Available

      It's podcast Tuesday again! This week John and I discuss the different types of phone interviews one might expect early on in the hiring process. Give it a listen, and definitely let us know what you think!

      The full episode with show notes can be found here - https://t.co/REFqQcsox4.

      posted in Self Promotion career networknerd career networknerd podcast nerd journey
    • The Fire Inside

      We often discuss how career may affect our family or family life, but have you ever thought about how family influence affects career?

      Think about the influence your parents had / have on your life. What lessons, if any, did you learn from watching the way your parents approached career? How did those observations affect the way you approach career today? There’s a lesson here for all of us. Observing others, especially those with whom we spend the most time, exposes us to qualities we wish we possessed and those we hope we will never possess. But those observations also have great potential to shape the choices we make.

      Not everyone is fortunate to have good parents. Not everyone has more than one parent or even a decent parental figure. I was very fortunate to have two dads – my biological father and my adoptive father. After just completing a cross-country road trip to attend my adoptive father’s memorial due to his recent passing, I’d like to share some of the lessons he taught me that apply to career as a tribute.

      You can read the rest of the story here.

      posted in Self Promotion networknerd blog networknerd career career family
    • All My Programs are Gone...Can You Connect and Fix That?

      Here's something to entertain everyone....

      Yesterday one of the guys that works for me got a call from a newly installed executive at one of our remote sites who had been given a Surface Pro 3 tablet the previous day. The call was about the type cover not working, and according to what the user had read online, he needed to restore his Surface to an earlier time. Well, the technician walked him through what he needed to do to restore his system to a previous day (a day before the update that broke the keyboard was installed). The technician hung up the phone, thinking it was ok to close the ticket.

      Fast forward a few minutes. The technician comes to my office and says there is a big problem. He then continued to tell me that the user in question had factory reset his Surface Pro 3. But hey, at least the keyboard works, right? The technician and I were so frustrated all we could do was laugh about it.

      The technician in question had to spend part of today setting up that Surface...again. But the Surface is now set up like it was the first time, and this time, we have an image of the Surface as a fail-safe. You're probably wondering why the user in question had rights to do what he did. Well, that's more of a cultural thing that I was not able to change.

      posted in Water Closet surface pro
    • Here Is How Much I Love VIPRE for AV

      We have VIPRE on all workstations here at my 9-5 and have USB devices set to scan by default. I received some notifications about high risk spyware being quarantined, and it turned out to be a machine not far from my desk. I went over to ask the user if she had plugged in a jump drive, but in fact it was her LG phone that triggered the scan and quarantine (plugged into an XP box). This is an older version of VIPRE, but I was still pretty impressed:

      Scan Date: 3/3/2014 3:47 PM
      Software Version: 4.0.3907
      ThreatDB Version: 27044
      Policy: Workstations


      Threat: Trojan.Win32.Generic!BT
      Category: Trojan
      Severity: High Risk
      Action: Quarantined

      Traces Found:

      File: G:\download\musicoasis.exe


      Threat: Trojan.Win32.Generic!BT
      Category: Trojan
      Severity: High Risk
      Action: Quarantined

      Traces Found:

      File: G:\download\musicoasis-1.exe


      Threat: Trojan.Win32.Generic!BT
      Category: Trojan
      Severity: High Risk
      Action: Quarantined

      Traces Found:

      File: G:\download\musicoasis-2.exe


      Threat: Trojan.Win32.Generic!BT
      Category: Trojan
      Severity: High Risk
      Action: Quarantined

      Traces Found:

      File: G:\download\musicoasis-3.exe


      posted in IT Discussion vipre antivirus
    • Adventures in Graceful VM Shutdown

      The Problem
      When working in SMB IT, budgets can be tight. You want to meet the needs of the business but also don't want to overspend. Taking that ideal solution and trimming it down to get in under budget but still meet business needs can be a challenge.

      If you're going to have servers at your location and not inside a data center with clean, consistent, redundant power, you'll likely need a UPS (or perhaps more than one). The question is...did you select the right one to keep your infrastructure online long enough when the facility loses power to shut down servers gracefully? And if the facility has a generator, does the UPS last long enough to keep things online until the generators kick in (which could be manual or automatic)?

      Business leaders tend to think a UPS will solve all of the problems in a power outage. It's one thing to get a UPS, plug it in, and connect all of your rack equipment. Will the UPS now magically shut down all your equipment when it gets low on juice? Without some additional effort, the battery is just delaying the same event which would happen if you didn’t have a UPS – everything gets powered off.

That doesn’t seem like a big problem until the power comes on again. Sometimes you get lucky, and everything works as it did previously. Sometimes you find the ERP system database or other important files have been corrupted. No matter what problems happen after this kind of power event, you get to fix it, and you’re still the one who overlooked getting those servers shut down gracefully. Since we are likely talking about host servers running virtual machines, that could mean hundreds of VMs were just powered off.

      A Project to Address the Problem
      We recently deployed an ESXi host at one of our remote offices. We got a refurbished server through Xbyte for the job and a refurbished APC UPS through CoastTec. We did not add a network management card to the UPS.

The server is running ESXi 6.0U2 (vSphere Essentials) and a couple of VMs. I wanted to make sure we had something in place that would shut down the host and its VMs if there was a power outage at the facility. I started looking at what APC had to offer as far as software goes - https://community.spiceworks.com/topic/1652163-vsphere-6-0u2-vma-a-ups-and-graceful-vm-shutdown. In order to shut down the host and its VMs, I’d have to deploy the vMA (vSphere Management Appliance) and install APC’s software on it. But, APC could not confirm they officially support ESXi 6.0U2 or if they even would.

      Testing a Possible Solution
      I posted on Twitter to see if anyone out there might have a solution that would work better and would officially support the version of vSphere we are running. I stumbled upon OPMONis - http://opmonis.de/. Someone from their company contacted me, and we began discussing my use case.

It turns out OPMONis is a solution crafted by German developers that can monitor your UPS via USB cable and shut down servers automatically in the event the battery power reaches a certain threshold (a percentage of total battery life that you specify or a specified number of minutes of battery life remaining). It can shut down servers / workstations running Linux, Windows, ESXi hosts, client ESXi VMs, Free ESXi hosts, and even client VMs running on Free ESXi. They support a number of UPS vendors out of the box and versions of ESXi 4.5 or higher.

      They have a 30-day free trial (http://opmonis.de/en/licensing), so I decided to give it a try and see what happened.

      Technically, the software could run on any Windows machine on a network as long as the UPS is connected to it via USB, but I chose to install it on a Server 2012 R2 VM running on the ESXi host mentioned in this post. I had to connect the APC UPS to my ESXi host via USB and pass that USB to the virtual machine that would be running OPMONis.

      For best results in vSphere (screenshots here are from vCenter), it's best to power down the virtual machine first. Then, we add a host USB device to the virtual machine:
[Screenshot: OpMonis_AddHostUSB.png]

      This will add the USB device and a USB controller to the VM automatically:
[Screenshot: OpMonis_HostUSB_APC.png]

      In this case there was only one host USB device from which to choose, so it was selected by default.

      As soon as the change was confirmed and made in vCenter, I was able to see that once powered on again, the Windows VM recognized a battery was attached:
[Screenshot: OpMonis_BatteryIcon.png]
[Screenshot: OpMonis_DeviceList_Battery.png]

      And now we install OPMONis. Downloading the trial is easy and requires no personal information be given before you download (which I liked). The installer is tiny. Here's a walk through of the install:
[Screenshot: OpMonis_BeginInstall.png]

      Notice here you'll want the service and the client. OPMONis will run as a Windows service with automatic delayed start.
[Screenshot: OPMonis_FeatureSelection.png]

[Screenshot: OpMonis_Finish.png]

      Post-install, you can see OPMONis now running as a service. I'm guessing the service automatically gets a delayed start to make sure Windows has time to notice the UPS is attached.

[Screenshot: OPMONIS_Service.png]

      Now, it is time to launch the OPMONis client to see what this software can do:
[Screenshot: OpMonis_AppSearchResult.png]

[Screenshot: OpMonis_Loading.png]

      Upon first open, the first thing you want to do is add your UPS so OPMONis can start monitoring it.
[Screenshot: OpMonis_FirstOpenNoUPS.png]

      If Windows can see the UPS device as a battery, then OPMONis should be able to see it in the list here to add and be monitored.
[Screenshot: OpMonis_SelectUPS.png]

As you can see here, OPMONis recognized the APC UPS, shows it is 100% charged, and shows that I have 59 minutes of uptime based on the power usage of the connected equipment. In my case, the shutdown threshold is 15 minutes of time remaining. Once we're down to 15 minutes of juice left, OPMONis will shut down my equipment.
[Screenshot: OpMonis_ShowUPSRemainingTime_2.png]

      But wait! I never added any equipment to be shutdown. From the main OPMONis menu, go to the System Administration settings:
[Screenshot: OPMONIS_SystemsAdministration.png]

At the moment, there are no systems set up to be shut down by OPMONis, so we click the plus sign to add a system.
[Screenshot: OpMonis_AddNewSystem_1.png]

      As you can see, I can add a Windows machine (physical or virtual), a Linux machine (physical or virtual), a paid ESXi host, a Free ESXi host, a paid ESXi Client VM, or a Free ESXi Client VM.
[Screenshot: OpMonis_AddNewSystem_ESXi.png]

I started off thinking I should add each of my virtual machines individually as ESXi Client VMs, but by the time they shut down, OPMONis wouldn't be able to shut down the host too because the VM running OPMONis would be offline.

I decided to add my ESXi host and do some testing to see how this would work. Of course, you will need a user with permissions to issue a host shutdown command over the network (assuming you have the correct firewall ports open on your ESXi host to allow this).
[Screenshot: OpMonis_AddESXiHost.png]

You see that check box marked "Await Execution?" If you add several systems for shutdown and order them as desired, you can check the Await Execution box and have OPMONis wait for one machine to shut down before proceeding to the next one in the list.

      Suppose we add a Windows machine to the list (as in OPMONis will attempt to shut it down via WMI):
[Screenshot: OPMonis_AddWindows.png]

As you can see from the screenshot of DFWESXi1, Await Execution was not checked. That means OPMONis will, once the battery threshold is reached, attempt to shut down both of these machines at the same time. Beware of that option as I believe it is checked by default when you add a new system to the list in this area.

For the purpose of testing, I removed all systems except for the ESXi host in question. Notice from the Systems Administration menu that I'm currently operating in Automatic mode. I can click the settings button to switch to manual mode and make OPMONis try to shut down everything in my list of systems for testing purposes.
[Screenshot: Opmonis_AutomaticvsManual.png]

      When you switch to manual mode, you get asked to confirm that you really want to switch to manual mode before the change is made. Once confirmed, here is what you see:
[Screenshot: OPMonis_ManualMode.png]

So then I tested, and tested, and tested again...until I got it right. There's something you have to remember about ESXi hosts, especially when you are not in an HA cluster. Each host has virtual machine startup / shutdown settings (go to the host in vCenter -> Manage -> VM Startup Shutdown or Configuration -> Virtual Machine Startup / Shutdown in the vSphere Client). Pay very, very close attention to the shutdown action for your VMs, making sure it is set to Guest Shutdown:
[Screenshot: opmonis_vspherehostshutdownaction.png]

That's the first step. By default, vSphere seems to use a shutdown delay of 120 seconds per VM. That means if you were to issue a shutdown command to the host using the vSphere Client, the host would try to shut down the guest OS of each VM in your Startup / Shutdown settings for 2 minutes before just powering them off. If the guest OS shutdown of a VM takes less than 120 seconds, the host will proceed to shut down the guest OS of the next VM.

What I did was run the manual shutdown using OPMONis while connected to the host with the vSphere Client. Performing this manual shutdown while watching the events on the ESXi host is a great way to see when each VM gets a command to shut down the guest OS, when the VM is confirmed to be powered off, and when the next guest OS shutdown starts. Since I was running the vCenter Server Appliance as a VM on this host, I found it actually took longer than 2 minutes to shut down and had to manually specify a longer shutdown delay for that VM so it could completely shut down gracefully before the host force powered it off. Make sure you know how long it takes for your VMs to shut down gracefully if shutting down an ESXi host with OPMONis.
[Screenshot: OpMonis_ShutdownDelay.png]

      How OPMONis Met This Need
Overall, I really like the OpMonis software. Their Small Business version allows you to use the software for up to 10 devices on your network. They can be workstations or servers from what I understand. You might be saying to yourself that 10 devices is not many. But if one of them is an ESXi host and can shut down all VMs on that host for you, I'd say only counting that as one device is pretty awesome.

I think folks who only run free ESXi could really benefit from using this as well. I'm not sure if the proprietary software from other vendors can actually shut down those hosts gracefully like OPMONis can.

      You can add multiple UPS devices to be managed by the software, and I would hope you can add a different list of servers to shutdown for each UPS added. I was not able to test that one.

      You might be wondering why I chose to use OPMONis Small Business Edition (which I actually ended up purchasing) instead of sticking with APC's proprietary software. I paid a one time fee for this software that can be used with many different UPS devices. If my UPS fails, and I get a different brand, I already have OPMONis at my disposal and don't need to learn and test a new software solution to shut down my servers. I'm not managing an additional VM. It was installed on an existing VM and could have been installed on a workstation directly connected to the UPS if I had wanted. And of course, if you just don't like the proprietary software that you can use to manage the UPS you bought, OPMONis is another option.

      Desired Future Feature Set
I think for software that's early in its development, they have a great foundation. I know for a fact they will be introducing SNMP support in future releases. Here's a wish list for other things I'd like to see:

      • Ability to monitor a UPS over the network (coming soon)

      • E-mail notifications when your battery kicks in and just before a shutdown event is kicked off

• Ability to select more than one ESXi Client VM at once to shut down rather than adding one at a time (maybe a GUI that allows you to point at your host or vCenter and select the VMs you want to shutdown automatically). I'm still not sure why you'd only want to shut down a few VMs instead of all of them on a host, but you could choose the ESXi Client VM option for every VM on your host if you need to make sure some VMs shut down before others (i.e. the Await Execution option).

      • Hyper-V support

      posted in Self Promotion networknerd blog networknerd vmware networknerd opmonis opmonis graceful shutdown power outage ups apc vmware vmware esxi
      NetworkNerd
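As an added example (not from the post above and not OPMONis code), here is a PowerCLI script that audits the two host-side settings the post says to verify before letting UPS software shut an ESXi host down: the per-VM shutdown action must be Guest Shutdown, and the shutdown delay must be longer than the VM actually needs (the vCSA needing more than the 120-second default). The vCenter address and the VM name 'vcsa' are assumptions; 'DFWESXi1' is the host named in the post.

```powershell
# Added example, not from the original post or from OPMONis. Requires VMware PowerCLI.
# Assumed names: vCenter 'vcsa.example.local' and VM 'vcsa' are hypothetical;
# 'DFWESXi1' is the host named in the post.
param(
    [string]$VCenter          = 'vcsa.example.local',
    [string]$HostName         = 'DFWESXi1',
    [int]   $DefaultStopDelay = 120,        # vSphere's default per-VM shutdown delay
    # VMs that need longer than the default to shut down cleanly (seconds)
    [hashtable]$StopDelayOverride = @{ 'vcsa' = 600 }
)

Import-Module VMware.PowerCLI
Connect-VIServer -Server $VCenter | Out-Null        # prompts for credentials
$vmHost = Get-VMHost -Name $HostName

# 1. Host-level policy: enabled, and a guest shutdown (not a power-off) by default.
$hostPolicy = Get-VMHostStartPolicy -VMHost $vmHost
Set-VMHostStartPolicy -VMHostStartPolicy $hostPolicy -Enabled $true `
    -StopAction GuestShutdown -StopDelay $DefaultStopDelay | Out-Null

# 2. Per-VM policy: flag and fix any VM that would be hard powered off, or whose
#    delay is shorter than the time it needs to shut down gracefully.
$report = foreach ($vm in Get-VM -Location $vmHost) {
    $policy = Get-VMStartPolicy -VM $vm
    $wanted = $DefaultStopDelay
    if ($StopDelayOverride.ContainsKey($vm.Name)) { $wanted = $StopDelayOverride[$vm.Name] }
    $needsFix = ($policy.StopAction -ne 'GuestShutdown') -or ($policy.StopDelay -lt $wanted)
    if ($needsFix) {
        # StartAction PowerOn gives the VM its own entry in the host's ordered
        # startup/shutdown list instead of leaving it in the manual group.
        $policy = Set-VMStartPolicy -StartPolicy $policy -StartAction PowerOn `
            -StopAction GuestShutdown -StopDelay $wanted
    }
    [pscustomobject]@{
        VM         = $vm.Name
        StopAction = $policy.StopAction
        StopDelay  = $policy.StopDelay
        Fixed      = $needsFix
    }
}
$report | Sort-Object VM | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once after a timed manual shutdown test like the one in the post, feeding the measured times into $StopDelayOverride for any VM that took longer than the default.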
    • RE: Happy Anniversary to Nick and Brandi

As a gift to her, I was torn between standing up a home PBX and building a vSphere test lab. But then I realized she would not appreciate either one. Oh well...I'll think of something else.

      posted in Water Closet
      NetworkNerd
    • VeeamON - Let Me Help You Make the Decision to Go

So for anyone in the Vegas area or with the ability to get to Vegas for VeeamON next week, I have something for you. I have a free registration you can have since I am not able to go. Feel free to post back here or hit me up in the chat. I'll give the registration to the first one who responds.

      posted in IT Discussion veeamon
      NetworkNerd