Advanced Server Virtualization: VMware and Microsoft Platforms in the Virtual Data Center, part 7

440  Advanced Server Virtualization
• The current power state of the virtual machine, whether it is powered on, off, or suspended.
• The virtual machine ID (VMID) and the process ID (PID). This number is useful when trying to locate the virtual machine in the running processes of the host server (either in the Windows Task Manager or the Linux Process Status).
• The number of virtual processors configured for the virtual machine.
• The average, minimum, and maximum percentage of the GSX Server host processor that the virtual machine used in the previous minute.
• The average, minimum, and maximum percentage of the GSX Server host memory that the virtual machine used in the previous minute.
• The up time, or how long the virtual machine has been powered on and running.
• The status of VMware Tools on the virtual machine, whether it is running or not available.
• The average number of heartbeats received by a virtual machine.
• The IP address of the virtual machine.
• Links to modify the virtual machine's hardware and configuration file.
• The guest operating system installed inside of the virtual machine. This information is gathered from the virtual machine's configuration file.
• The amount of memory allocated to the virtual machine.
• The path to the virtual machine's configuration file (.vmx).
The Hardware Tab
Clicking on the Hardware tab (see Figure 20.20) lists the virtual hardware for the selected virtual machine. The virtual hardware is broken out into two categories: Removable Devices and Other Hardware. Removable devices include such virtual hardware as the floppy drive, DVD/CD-ROM drive, and the network adapter. Other hardware may include such components as the virtual processor and memory, and the virtual disk. This page allows the virtual hardware for the selected virtual machine to be configured by either adding new devices, removing existing devices, or editing existing devices. Figure 20.21 provides a list of additional devices that may be added to a virtual machine.
Figure 20.20 Virtual Machine Overview—Hardware.
Configuring VMware GSX Server  441
When configuring the virtual hardware, different options or choices may be available based on the current power state of the virtual machine or the type of component being configured. For example, when configuring a removable device such as a floppy drive or a DVD/CD-ROM drive, if the virtual machine is powered off, then the device's connection status can be toggled on and off. Otherwise, the option is grayed out. Likewise, while a virtual machine is powered on, other options such as adding a new device, removing a device, or editing a device may become grayed out as well. When a virtual machine is powered off, the virtual device may also be modified to change the way it functions. For example, the virtual network adapter allows its network connection to be changed from Bridged to NAT or its virtual device to be modified from vlance to vmxnet. Additionally, a virtual disk may have its disk mode configuration changed from Persistent to Nonpersistent. Network adapter connection types and virtual disk modes are covered in detail in chapter 22. It is safe to say, however, that most virtual hardware can only be configured while the virtual machine is powered off.
The Options Tab
The Options page (see Figure 20.22) allows for review and modification of basic information about the selected virtual machine. It also offers direct access to the selected virtual machine's configuration file. These configuration options include the following:
Figure 20.21 Add Hardware Device Types.
• Display Name—descriptive name used to identify the virtual machine in the management interface or the console virtual machine listing. As a best practice, the display name should be an informative name that provides some level of detail about the virtual machine, such as its operating system, department, or functional role. The display name can be changed while the virtual machine is either powered on or off.
• Guest Operating System—indicates the guest operating system selected during the creation of the virtual machine. While it should match the guest operating system that is installed on the virtual disk, it does not have to match for the virtual machine to power on and function. Therefore, do not assume that what is populated here is in fact the operating system that is installed.
• Suspend File Location—specifies the location of the suspended state file. By default, the suspended state file is stored in the directory where the virtual machine's configuration file resides. Suspend files can become very large, so it is recommended that the suspend file location be on a physical disk with enough space to accommodate it.
• Enable Logging—indicates whether logging for the virtual machine is enabled. Logging of a virtual machine may accumulate large amounts of data that in turn may take away precious disk space from a host server, which is one reason to disable logging. However, if a virtual machine crashes or VMware support is needed to troubleshoot a problem with the virtual machine, these log files may be required to diagnose the problem.
• Run with Debugging Information—indicates whether the virtual machine is running with debugging information. By default, this option is disabled. Enabling this setting will affect the performance of the virtual machine; however, if the virtual machine is exhibiting problems, enabling this feature may help troubleshoot the issue.
Figure 20.22 Virtual Machine Overview—Options.
• Startup and Shutdown Options—indicates whether the virtual machine should start when the host server starts or shut down when the host server is shut down. The virtual machines can also be set to stagger starting up or shutting down so that multiple virtual machines do not all start or stop at the same time, which could cause a performance problem for the host server or the virtual machines on that host server.
• Verbose Options—allows the virtual machine's configuration file to be modified directly. VMware recommends that only an experienced and advanced user modify the file directly. Modifying the configuration file with an incorrect setting can cause the virtual machine to no longer boot.
Users and Events Tab
The Users and Events page (see Figure 20.23) contains information that relates to the virtual machine such as currently connected users, permissions of the current user, and events that have taken place in relation to the virtual machine.
• Virtual Machine Console Connections—identifies a list of users that are connected to the virtual machine either with a console connection or by using a VMware Scripting API. The list provides the date and time stamp along with the IP address of the user connected to the virtual machine. This feature provides important information when trying to determine security issues related to access of a virtual machine.
• Permissions—indicates what abilities the currently logged in user has on the virtual machine. The following options are either allowed or denied.
1. View virtual machine status
2. Modify virtual machine configuration
3. Control virtual machine (powering it on, off, or suspending it)
• Events—displays a log of the 15 most recent actions or events recorded for the virtual machine. The log shows date and time stamps for the event along with an explanation. Information can include a power state change on the virtual machine (powered on, off, or suspended), errors produced, or GSX Server question and answer information. The event log retrieves its data from the log file for the virtual machine's configuration file. By default, this log file is stored in the virtual machine's directory. On a Windows host, the default directory is <installdrive>:\Virtual Machines\<guestOS>. On a Linux host, the default directory is /var/lib/vmware/Virtual Machines/<guestOS>. Many of these events are also tracked on a Windows host server in the Windows Event Viewer under the Application log using VMware GSX Server as the source and Virtual machines as the category.
Figure 20.23 Virtual Machine Overview—Users and Events.
Security
In the past, the computer industry's focus on security was primarily concerned with defending against external threats. Perimeters were created to help ward off these threats by introducing various tools such as antivirus software, firewalls, and intrusion detection and prevention systems. However, as the human factor (namely end users) grew within the industry, security problems were faced on two fronts: servers still needed protection from external threats more than ever, but now they also needed protection against threats from within. Add virtualization into the server mix and security concerns become that much more exacerbated. Why? With the addition of the GSX Server environment into the physical environment, both the guest operating system and the host operating system must deal with security concerns and issues.
In order to properly secure a host and guest operating system in a GSX Server environment, it is important to undertake proper planning when creating virtual machines. In other words, it is important to fully understand the role and function of all virtual machines that are created. For example, a virtual machine or group of virtual machines created to test an application may be configured in an isolated network environment. This configuration may not cause as much security alarm as a virtual machine that is created to act as the production network domain controller. Additionally, a virtual machine acting as a Web server may raise even more alarm since it is being directly accessed by unknown users from the Internet. This section will outline the various methods to help deal with the security concerns and issues brought about with the introduction of virtualization.
Securing the Host Server
This section describes a number of methods to properly secure the GSX Server host. Keep in mind that the GSX Server host is still a physical server. Any normal best practices used to secure other physical servers in the environment should also be followed, unless they negatively impact something required for VMware GSX Server to operate properly.
Antivirus Software
A Windows host operating system exposed to the outside world needs to have virus protection installed. It is important to monitor the performance of the host server to make sure that real-time virus scanning does not interfere with the virtualization processes or the virtual machines. If resource utilization is running too high, it might make sense to change the real-time virus scanning to scan only modified files. It is also important to exclude the following from scanning by using an exclusion rule: the installation path of GSX Server and any virtualization files such as virtual disk files, suspend files, configuration files, floppy images and ISO images.
Prevent Virtual Machines from Running in Full Screen Mode
On a Linux host server, the vmware-remotemks binary (the program that allows the VMware Virtual Machine Console to connect to a GSX Server host remotely) runs as root with the setuid bit set. This allows a virtual machine to enter full screen mode. To disable the setuid bit and keep the program from running as root, switch to the root user and change to the directory where vmware-remotemks was installed. The default location is /usr/bin. Type the following command at a terminal:
chmod u-s vmware-remotemks
Doing so will increase host security, but the down side to disabling the setuid bit is that virtual machines on the host server will no longer be able to enter full screen mode.
Network Segmentation
Depending on the role of the virtual machines, it may be a good idea to segment the physical servers from the virtual machines by creating multiple networks at the physical switch. If the virtual machines are being created for some purpose other than production environment resources, segmenting the two networks (physical and virtual) will help to secure the production environment from loosely controlled virtual machines that may not be up to production security standards.
Securing IIS for GSX Server for Windows Hosts
GSX Server for Windows uses Microsoft's Internet Information Server (IIS) to host the VMware Management Interface. In order to maintain security, commonly used best practices to secure IIS should be followed. In addition to these best practices, the following suggestions can also be used to help secure the environment.
• Do not host other Web sites on the GSX Server host machine. Web sites should be hosted on nonvirtualization-based physical servers or within virtual machines.
• With the exception of the VMware Management Interface Web site, all other Web, FTP and SMTP services listed in the IIS Manager should be removed.
• IP address restrictions can be used to limit access to the management interface.
1. In IIS Manager, in the Web Sites directory, right click the management interface Web site and then select Properties.
2. Click the Directory Security tab.
3. Click Edit in the IP address and domain name restrictions section.
4. Click either Granted access or Denied access. When selecting Denied access, access is denied to all computers and domains. When selecting Granted access, access is granted to all computers and domains, except to those specifically denied access.
5. Click Add and then select either Single computer or Group of computers.
6. Enter either the IP address or the Network ID and Subnet mask and then click OK.
• Increase the VMware Management Interface application protection option from Low (IIS Process) to High (Isolated). This setting helps reduce the risk of compromise by any unforeseen vulnerability within the management scripts.
1. In IIS Manager, in the Web Sites directory, right click the management interface Web site and then select Properties.
2. Click the Home Directory tab.
3. Set the value for Application Protection to High.
4. Click OK to confirm the settings change.
5. Stop and start the IIS service to allow the change to take effect.
• The configured IIS file extensions used by the VMware Management Interface scripts do not perform a check to see if the script file exists before attempting to execute it. There could be a security risk allowing a remote user to invoke the script interpreter without needing to pass it a legitimate file that exists. To circumvent this potential security problem, the Check that file exists option should be enabled in the file extension mappings for .pl and .xvm.
1. In IIS Manager, in the Web Sites directory, right click the management interface Web site and then select Properties.
2. Click the Home Directory tab and then click Configuration.
3. Under Application Extensions, select .pl and then click Edit. Select the Check that file exists option and then click OK.
4. Under Application Extensions, select .xvm and then click Edit. Select the Check that file exists option and then click OK.
5. Click OK to confirm the settings changes.
6. Stop and start the IIS service to allow the change to take effect.
Securing Connections with SSL
By default, GSX Server 3 has SSL enabled for secure connections using both the VMware Virtual Machine Console and the VMware Management Interface. Using SSL for the console and the management interface connection keeps the network traffic secure by encrypting the username, password and network packets sent to the GSX Server host. With SSL enabled, GSX Server creates its own security certificates and stores them on the host server. Unfortunately, these certificates are not signed by a trusted certificate authority, and therefore do not provide authentication. If encryption is needed across remote connections externally, a certificate from a trusted certificate authority should be purchased. To use a purchased security certificate, use the information below.
• On a Windows host, run the Microsoft Management Console (MMC) and select the purchased certificate. If the VMware Management Interface is ever upgraded, the certificate will need to be reassigned to the management interface.
• On a Linux host, copy the purchased certificate for the VMware Management Interface to /etc/vmware-mui/ssl. The management interface certificate consists of two files: the certificate is the mui.crt file and the private key is the mui.key file. The private key file should be assigned permissions so that only the root user can read it. If the management interface is upgraded or removed on a Linux host, the certificate and directory remain in place.
Restricting Virtual Machine and Virtual Disk Creation
Any user with access to the GSX Server host, by default, has the ability to create a virtual machine or a virtual disk file on the host server. While many users may be allowed to access the host server, as a security precaution for the host server and all running virtual machines, the number of users allowed to create virtual machines or disk files should be limited. Without any controls in place, a user may accidentally consume too much disk space on the host server or add an unpatched virtual machine that could cause security problems for the other virtual machines or physical machines on the same network. To restrict the ability to create a virtual machine or virtual disk on the host server, the following steps should be performed:
1. On the GSX Server host, create a file and assign it a name (referred to as <name> going forward).
2. Assign write permissions to <name> only to the users and/or groups that are allowed to create a virtual machine or virtual disk on that host server.
3. Use a text editor to modify the GSX Server configuration file. If the host server is a Windows server, the file is C:\Documents and Settings\All Users\Application Data\VMware\VMware GSX Server\config.ini. If the host server is a Linux server, the file is /etc/vmware/config.
4. The following lines should be added to the configuration file:
Serverd.doCreateCheck = "TRUE"
Serverd.createCheckFile = "<name>"
Where <name> is the name of the file created in Step 1.

5. Save the file and then close and exit the text editor.
6. On a Windows host, restart the VMware Registration Service by opening the Services console, right clicking the service and selecting Restart. On a Linux host, restart the vmware-serverd process with the following command:
kill -TERM `pidof vmware-serverd`
If the vmware-serverd process does not restart automatically, reboot the GSX Server host.
Now, only users or members of the group with write access to the <name> file can create virtual machines or virtual disk files on the host server. If a change is made to the user or group list in the file permissions of <name>, then Step 6 will need to be executed again to update the GSX Server host with the permission changes.
Disabling Guest Operating System Logging
Virtual machines can log troubleshooting data into a log file stored on the host server's disk drive. These log files are not secured. Any user or process in the virtual machine can maliciously use this logging process to cause large amounts of data to be logged. The data may eventually grow large enough to fill up the host server's hard disk, thereby leading to a denial of service. To secure the host, this logging feature can be disabled on the host server by adding the following line to each virtual machine's configuration file:
isolation.tools.log.disable = TRUE
Note: If you disable this logging feature, VMware Support may not be able to provide any help troubleshooting problems that might arise. Logging may need to be re-enabled and the problem may then need to be reproduced. Keep in mind, this option only disables logging from the guest operating system and does not disable logging generated by GSX Server.

Changing the Console Port Number
By default, the VMware Virtual Machine Console connects to the GSX Server host and its virtual machines on port 902. If this port is already used by another application, is deemed a security risk because it is a default port, or if the port number needs to be different per host because different groups of users are accessing different host servers, then the port number should be changed on the host and on the remote console accessing it.
Changing the Port Number on a Windows Host or Client
In order to change the port number on a GSX Server for Windows host server, the following line must be added to the config.ini file located in C:\Documents and Settings\All Users\Application Data\VMware\VMware GSX Server:
authd.port = <NewPort>
Where <NewPort> is the modified port number that all consoles need to use to properly connect to the GSX Server host or its virtual machines.
In order to change the port number used by the console, whether on the Windows host server or client, a config.ini file must be created and placed in C:\Documents and Settings\All Users\Application Data\VMware\VMware Virtual Machine Console. The following line should be added to the file:
authd.client.port = <NewPort>
Where <NewPort> is the modified port number that all consoles need to use to properly connect to the GSX Server host or its virtual machines. The authd.port on the GSX Server host must have this same port number assigned.
To assign the port number to a specific user that is using the console installed locally on the Windows host server, add the following line to the preferences.ini file located in C:\Documents and Settings\<user name>\Application Data\VMware:
authd.client.port = <NewPort>
Where <NewPort> is the modified port number that only this specified user account will use to properly connect to the GSX Server host or its virtual machines. The authd.port on the GSX Server host must have this same port number assigned in the config.ini file.
Changing the Port Number on a Linux Host or Client
In order to change the port number on a GSX Server for Linux host server, the first step is to determine whether the host server is configured to use xinetd or inetd. If the host server is using xinetd, the following line located in /etc/xinetd/vmware-authd must be changed:
port = 902
Change the port number to the new port number that all consoles need to use to properly connect to the GSX Server host or its virtual machines.
If the host server is using inetd, the following line located in /etc/inetd.conf must be changed:
902 … vmware-authd
Change the port number to the new port number that all consoles need to use to properly connect to the GSX Server host or its virtual machines.
In order to change the port number used by the console, whether on the Linux host server or client, the following line should be added to either /etc/vmware-console/config or /usr/lib/vmware-console/config:
authd.client.port = <NewPort>
Where <NewPort> is the modified port number that all consoles need to use to properly connect to the GSX Server host or its virtual machines. The authd.port on the GSX Server host must have this same port number assigned.
To assign the port number to a specific user that is using the console installed locally on the Linux host server, add the following line to ~/.vmware/preferences:
authd.client.port = <NewPort>
Where <NewPort> is the modified port number that only this specified user account will use to properly connect to the GSX Server host or its virtual machines. The authd.port on the GSX Server host must have this same port number assigned in its vmware-authd file. When this user is logged in, the modified port number in the preferences supersedes the port number specified in the config file.
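As an added example (not code from the book or from VMware), the following Python helper makes the three configuration edits described in this chapter: the Serverd.doCreateCheck and Serverd.createCheckFile lines in the host configuration, isolation.tools.log.disable in a virtual machine's .vmx file, and a matching authd.port / authd.client.port pair, replacing an existing key instead of appending a duplicate and checking that host and console port values agree. The plain `key = "value"` line format and the sample texts are assumptions constructed for the example; the functions return new text and write no files themselves.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not part of the book or of GSX Server itself. Assumes the
# plain "key = value" line format shown in the chapter (values are written
# in double quotes, as in the Serverd.* lines); the key names are the ones
# the chapter gives. Callers read the file, pass its text in, and write the
# returned text back after reviewing it.

_LINE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$')


def parse_config(text: str) -> Dict[str, str]:
    """Return key -> value with surrounding quotes removed; blank lines
    and # comments are skipped."""
    options: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            options[m.group(1)] = m.group(2).strip('"')
    return options


def set_option(text: str, key: str, value: str) -> str:
    """Set key = "value". An existing definition is replaced in place and
    any further duplicate of the same key is dropped, so the file never
    ends up with two conflicting lines; absent keys are appended."""
    new_line = f'{key} = "{value}"'
    out, replaced = [], False
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() == key.lower():
            if not replaced:
                out.append(new_line)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def restrict_vm_creation(host_config: str, check_file: str) -> str:
    """Steps 3-4 of the chapter: only users with write access to
    check_file may create virtual machines or virtual disks."""
    text = set_option(host_config, "Serverd.doCreateCheck", "TRUE")
    return set_option(text, "Serverd.createCheckFile", check_file)


def disable_guest_logging(vmx_text: str) -> str:
    """Keep a guest from filling the host disk through its VM log."""
    return set_option(vmx_text, "isolation.tools.log.disable", "TRUE")


def set_console_port(host_config: str, console_config: str,
                     port: int) -> Tuple[str, str]:
    """Move the console off port 902: authd.port on the host and
    authd.client.port on every console must carry the same number."""
    if not 1 <= port <= 65535:
        raise ValueError(f"{port} is not a valid TCP port")
    return (set_option(host_config, "authd.port", str(port)),
            set_option(console_config, "authd.client.port", str(port)))


def console_port_mismatch(host_config: str,
                          console_config: str) -> Optional[Tuple[str, str]]:
    """Return (host_port, console_port) when a console would fail to
    connect, None when they agree. A missing key means the default, 902."""
    host = parse_config(host_config).get("authd.port", "902")
    client = parse_config(console_config).get("authd.client.port", "902")
    return None if host == client else (host, client)


if __name__ == "__main__":
    # Constructed sample texts standing in for /etc/vmware/config,
    # a .vmx file and /etc/vmware-console/config.
    host = 'authd.port = "902"\nServerd.doCreateCheck = "FALSE"\n'
    host = restrict_vm_creation(host, "/etc/vmware/vm-creators")
    host, console = set_console_port(host, "", 9020)
    print(host)
    print(console)
    print(disable_guest_logging('displayName = "web01"\n'))
    print(console_port_mismatch(host, ""))  # a console left on the default
```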
Securing the Virtual Machine
This section describes a number of methods to properly secure the virtual machines. Keep in mind that virtual machines still function as if they were physical servers. For the most part, any best practices that are normally followed to secure physical servers should also be followed for virtual machines.
Antivirus Software
A Windows guest operating system exposed to the outside world needs to have virus protection much like a physical server. It does not matter if antivirus software is installed on the host server; a virtual machine needs its own copy of antivirus installed. Unlike a physical server, there are a few things to consider when configuring an antivirus solution in a Windows guest operating system.
• Make sure you account for the extra overhead that an antivirus solution adds when creating a virtual machine configuration file. During the planning process, make sure enough disk space is available for virus definition downloads and enough memory and processor capacity is available to run the software and the virus scanning.
• If there are a number of running virtual machines on the host server, be sure to stagger the virus scanning schedule. If all of the virtual machines on the host server start their virus scans at the same time, the host server may become starved for resources.
• If the antivirus software provides real-time scanning, monitor the processor utilization to make sure the process is not running higher than normal. In some cases, real-time virus scanning on the guest operating system may spike to a percentage of utilization beyond what is acceptable. If this is the case, modifying the real-time scan to scan only files that have been modified, as opposed to all files, should bring processor utilization back to a normal and acceptable level.
Operating System and Application Security Patches
It is important to keep the guest operating system and all applications up to date with any security patches or service packs. Operating systems and applications installed on a virtual machine suffer from the same security concerns and problems as those faced in a physical server. If an application such as a Web server (IIS or Apache) becomes exploited, it should be patched immediately. However, if a guest operating system comes out with a new update, it is not always a good idea to quickly update the virtual machine. A new service pack in the guest operating system may cause problems for the host platform. Case in point, Windows Server 2003 Service Pack 1 was not officially supported as a guest operating system until VMware GSX 3.2. While that does not mean that the service pack would not function correctly in the virtual machine, it does mean that it was not supported, and as such, VMware support would not be able to help troubleshoot any problems that may arise.
Network Isolation
A simple way to secure a virtual machine from the outside world is to create its configuration file without a virtual network adapter. In a workstation class virtualization environment, this option might be common. But in a server class virtualization environment, chances are the virtual machine is going to have to at least interact with other virtual machines. In this case, one possible solution is to segment the virtual machine into an isolated virtual network environment. By creating the virtual machine with a virtual network adapter configured for host-only networking, the virtual machine can remain isolated from all external networks, which in turn gives the virtual machine an added layer of security.
Marking the Virtual Machine as Private
By default, when a new virtual machine is created, it is created as private. When marked as private, only the user that created the virtual machine can see it in the inventory of the host server. Other users cannot browse to the virtual machine or add it to their inventory. Therefore, marking the virtual machine as private can add to the virtual machine's security. To mark a virtual machine as private after it has been created, complete the following steps:
1. Select the virtual machine in a console and then select VM > Settings to
open the virtual machine settings editor.
2. Click the Options tab and then click Permissions.
3. To mark the virtual machine as private, activate the checkbox next to
Make this virtual machine private.
4. Click OK to save the settings and close the settings editor window.
Virtual Machines and File Permissions
As explained in previous chapters, virtual machine components are simply made up of files that reside on the physical host server. Two common file types are the configuration file (.vmx) and the virtual hard disk (.vmdk), both of which reside on a physical disk. File permissions on these and other files or folders are very important for security reasons. Without the proper security permissions, the virtual machines become exposed. If the files are not secured, any one of the following scenarios could occur:
• Virtual machine files can be copied elsewhere with the intent of hacking into and exploiting the guest operating system at a later date.
• Virtual machine files can be copied elsewhere with the intent of stealing private data, software, or code.
• Virtual machine files can be accidentally or maliciously deleted, causing the virtual machine to be rendered useless.
• A malicious user can alter the security settings on the files to lock out the real owner of the virtual machine.
• A user may connect to a virtual machine and alter the guest operating system or software in an unwanted manner.
Access to a virtual machine is based on the user permissions granted to the virtual machine's configuration file. On a Windows host server, when a user connects to the VMware Virtual Machine Console or the VMware Management Interface, the VMware Authorization Service requests a username and password for authentication. On a Linux host server, the VMware authentication daemon (vmware-authd) requests a username and password and then passes them to the Linux Pluggable Authentication Modules (PAM) for authentication. Different permissions allow for access to virtual machines in different ways. They include:
• Browsing a virtual machine allows the user to connect to the virtual machine with a console; however, they can only see the virtual machine's power state. There is no interaction with the virtual machine whatsoever. To browse a virtual machine, the user needs the following permission: on a Windows host server, Read; on a Linux host server, read (r) permission.
• Interacting with a virtual machine allows the user to change the virtual machine's power state or connect and disconnect removable devices. To interact with a virtual machine, the user must have the following permissions: on a Windows host server, Read & Execute; on a Linux host server, read and execute (r and x).
• Configuring a virtual machine allows the user to add virtual hardware to and remove it from a virtual machine. To configure a virtual machine, the user must have the following permissions: on a Windows host server, Read and Write permissions for the virtual machine's configuration file as well as the virtual machine resources; on a Linux host server, read and write (r and w).
• An administrator or root user may configure the GSX Server host or any virtual machines on that host. On a Windows host server, the user must be a member of the host server's Administrators group. On a Linux host server, the user should have root access to the directories containing the virtual machine files. To have specific administration over a single virtual machine, the user should have Read & Execute and Write permissions on a Windows host server or read, write, and execute (r, w, and x) permissions on a Linux host server to the particular virtual machine.
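As an added example (not from the book), the following POSIX shell functions map the Linux permission bits on a virtual machine's files to the access levels just described, and flag any .vmx, .vmdk or .nvram file in a directory that is readable by all local users on the host. The W2K3-DC-01 file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the book: audit GSX Server virtual machine file
# permissions on a Linux host using the mapping given in the chapter:
#   r (4) -> browse, r+x (5) -> interact, r+w (6) -> configure, rwx (7) -> full

# Octal permission digit of <file> for the class u (owner), g (group) or
# o (others); setuid/setgid/sticky bits are discarded.
mode_digit() {
    file="$1"; class="$2"
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%OLp' "$file")
    mode=$(printf '%s' "$mode" | tail -c 3)      # keep the rwx triplet only
    case "$class" in
        u) echo "${mode%??}" ;;
        g) g=${mode#?}; echo "${g%?}" ;;
        o) echo "${mode#??}" ;;
    esac
}

# Translate one permission digit into the GSX Server access level it grants.
# Without the read bit GSX Server will not even list the virtual machine.
level_for_digit() {
    case "$1" in
        4) echo browse ;;      # r   : see the power state only
        5) echo interact ;;    # r+x : change power state, connect devices
        6) echo configure ;;   # r+w : add and remove virtual hardware
        7) echo full ;;        # rwx : administer this virtual machine
        *) echo none ;;
    esac
}

# usage: vm_access_level <vm.vmx> <u|g|o>
vm_access_level() {
    level_for_digit "$(mode_digit "$1" "$2")"
}

# List virtual machine files in <dir> that grant any access to "others":
# such a file can be copied or tampered with by every local account.
# Returns the number of exposed files (0 means the directory is clean).
audit_vm_dir() {
    dir="$1"; exposed=0
    for f in "$dir"/*.vmx "$dir"/*.vmdk "$dir"/*.nvram; do
        [ -e "$f" ] || continue
        lvl=$(vm_access_level "$f" o)
        if [ "$lvl" != none ]; then
            echo "world-accessible ($lvl): $f"
            exposed=$((exposed + 1))
        fi
    done
    return "$exposed"
}

# Demo on a constructed virtual machine directory (names are made up).
demo() {
    d=$(mktemp -d)
    : > "$d/W2K3-DC-01.vmx";  chmod 750 "$d/W2K3-DC-01.vmx"   # owner full, group interact
    : > "$d/W2K3-DC-01.vmdk"; chmod 644 "$d/W2K3-DC-01.vmdk"  # disk readable by everyone
    for c in u g o; do
        echo "vmx $c: $(vm_access_level "$d/W2K3-DC-01.vmx" "$c")"
    done
    audit_vm_dir "$d" || echo "$? file(s) need chmod o-rwx"
    rm -rf "$d"
}
demo
```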
Permissions for Removable Devices for Virtual Machines
Normal users and processes within virtual machines have the ability to connect or disconnect certain devices identified in a virtual machine's configuration file. For example, a virtual machine may have a CD-ROM drive attached, yet disconnected, that points to physical media in the host server's CD-ROM drive. This CD-ROM may contain confidential data that should not be exposed to a normal user with access to a virtual machine. Once a user has access to the virtual machine in this state, they can gain access to the data on the CD-ROM by simply connecting the removable device. As another example, a normal user that has access to a virtual machine in the production network may accidentally or maliciously remove a virtual network adapter from the virtual machine, causing a denial of service. To prevent these things from happening, add the following option to the virtual machine's configuration file:
<device>.allowGuestConnectionControl = FALSE
where <device> is the name of a device specified in the configuration file, such as ethernet0.
Summary
After the installation of VMware GSX Server is complete, the host server is ready to be configured for daily use. To help with that process, VMware provides two solutions to help configure and manage both the virtual machines and the host environment. Both solutions provide similar management and configuration features but offer them in a different way. One solution is a Web-based management tool called the VMware Management Interface. It provides additional resource monitoring information that can prove useful during troubleshooting and to help balance out the placement of new virtual machines. The other solution is a client-based management tool called the VMware Virtual Machine Console. In addition to providing management and configuration options, it also provides a KVM-like remote control feature to connect to, view, and interact with the virtual machine's desktop. Host configuration does not stop there. With the addition of virtualization, the already high demands on network security are multiplied. Security has become a big concern, and with the ease at which a virtual machine is created and added into a network, more security initiatives need to take place. While there are ways to lock down and secure GSX Server and its virtual machines, it is important to remember that the tried-and-true security efforts for a physical server and environment still hold true in a virtual machine and a virtual environment.
Chapter 21
Creating a VMware GSX Server Virtual Machine
Going beyond the basic installation and configuration of GSX Server, this chapter provides a step-by-step process for creating a virtual machine and installing its guest operating system on the GSX Server platform. The chapter stops short of going through an entire guest operating system install, instead focusing on the steps that lead up to and follow the operating system installation. Before a virtual machine is created, its configuration should undergo proper preparation and a decision-making process to determine the use of the virtual machine. Once that is complete, the virtual machine is added through the creation of a configuration file. The configuration file is a collection of settings and resources that, when bound together, form the virtual execution environment. Once created, the final step is to power the virtual machine on and install the guest operating system.
Preparation
The first thing to do to prepare for the creation of a virtual machine is to determine the purpose or use of the virtual machine. It is important to properly size and scope the virtual machine before blindly creating its configuration. Additionally, proper planning is important when creating template images, rather than creating a department filled with time-consuming one-off images that totally negate one of the time-saving features of using virtualization. Below are sample questions that should be asked during the preparation stage; however, chapters 6 and 24 go into much further detail to help with this process.
• What operating system is needed?
• What applications need to be installed?
• How much memory does this configuration require to operate smoothly?
• How much disk space is needed?
• What type of networking, if any, is required?
• What other resources or devices are needed in this configuration?
Once the planning stage is complete, it is important to gather all of the software and hardware needed to create the virtual machine. A physical server with the proper hardware and enough resources available to run GSX Server and the virtual machine is needed. The operating system software (media and/or ISO images), application software, drivers (floppy disks, media, or images) as well as any license keys all need to be accumulated for use during the creation process. There are also many concerns that should be noted before attempting to start the virtual machine creation process.
• Screen savers should be disabled on the host server before the guest operating system is installed.
• Screen savers on the guest operating system may be too CPU intensive for the host server. In some cases, they may cause a Linux host server's X server to lock up and freeze.
• Verify that the operating system media or image is not an OEM copy that requires installation on specific hardware. If it is, when the initialization process begins, the virtual hardware will not match the expected vendor hardware and the installation will fail.
• As with physical servers, a separate operating system or application license is usually required for each virtual machine that gets an installation. Check the software license agreement to make sure to stay in license compliance.
• A guest operating system's hibernation feature is not supported and should not be used; instead, it should be disabled in favor of the VMware suspend feature.
• Microsoft's Activation policy can cause havoc when creating a template image or when making configuration changes to a virtual machine. Certain configuration changes may require reactivating the guest operating system. It is therefore best either to create the virtual machine in its final form with little to no changes made after the fact or to use volume license key media, where activation is not required.
• Migrating virtual machines between hosts that use a different type of processor may cause an issue. For example, Red Hat Linux 9.0 is sensitive to moving from AMD to Intel and vice versa because during installation a kernel is chosen that is optimized for that specific processor. The kernel may contain instruction sets that are only available on the original processor and may cause adverse effects when executed on a different processor type.
Once a process is in place, creating and provisioning virtual machines becomes a much easier operation.
Creating a Virtual Machine
GSX Server offers a number of ways to create a new virtual machine. They can be created by using the VMware Virtual Machine Console, the VMware Management Interface, VMware VirtualCenter, third-party management tools, or even through the use of scripts. Each of these options basically accomplishes the same thing: they create a virtual machine configuration file, complete with the settings and resources needed to be a working virtual machine. This section will cover step-by-step instructions using the Virtual Machine Console method. To illustrate, the following steps can be used to create a new virtual machine using the New Virtual Machine Wizard option located in the console.
New Virtual Machine Wizard
To create a new virtual machine:
1. Launch the VMware Virtual Machine Console.
2. Select File > New Virtual Machine, or from the Home tab click the New Virtual Machine icon, and the New Virtual Machine Wizard will start (see Figure 21.1). To navigate through the Wizard, Next and Back buttons are located at the bottom of the screen. If at any point an incorrect selection is made, click the Back button to navigate to the previous screen. Click Next to begin.
Figure 21.1 New Virtual Machine Configuration.
3. Select the appropriate configuration.
The Wizard then prompts for a virtual machine configuration method and offers two types: Typical and Custom. Selecting the Typical option will create a virtual machine with the most common devices and basic configuration options, while selecting the Custom option will create a virtual machine with additional devices and offer several more configuration screens. To gain better control over the creation of the virtual machine, click the Custom option and then click Next.
The Custom option contains all of the screens found within the Typical option in addition to more features and screens.
4. Select a guest operating system (see Figure 21.2).
Select the desired guest operating system that will be installed in the virtual machine. By selecting a radio button for the guest operating system family, different operating system versions are offered in a drop-down list. The Wizard will make default configuration choices based on the operating system selected. If the operating system of choice is not listed, select Other. For this example, Windows Server 2003 Standard Edition will be selected. Click Next to continue.
5. Name the virtual machine (see Figure 21.3).
The Wizard then prompts for the virtual machine name and the location to store the files that are associated with the virtual machine. By default, the virtual machine and its directory folder are named for the version of the operating system selected in the previous step. With proper planning, these names should be changed to something more appropriate to better identify the virtual machine or its function. For this example, a Windows Server 2003 domain controller will be created and appropriately named W2K3-DC-01. Click Next to continue.
Figure 21.2 Select a Guest Operating System.
Each virtual machine will have its own directory that stores all of its associated files such as the configuration file, the disk file(s) and the NVRAM file. By default, on a Windows host server, the virtual machine directory is located at Z:\Virtual Machines (where Z is the VMware install drive). On a Linux host server, the default virtual machine directory is /var/lib/vmware/Virtual Machines. For performance reasons, the default directory should be on a different local drive from the host operating system. To make that change in the console, select Host > Settings > General and select a new unique directory.
6. Set access rights (see Figure 21.4).
By default, the access rights to a newly created virtual machine are marked as private. When a virtual machine is marked as private, only the user that created the virtual machine can see it listed in the inventory listing. As an example, this feature is useful when creating template images. Until the guest operating system is finished being configured, no other user should have access to the virtual machine. Once completed, the permission can be changed to allow the virtual machine to show up in the inventory for other users to view. Access rights can be changed at any time by selecting VM > Settings > Options > Permissions. For more information about permissions and security, see chapter 20. For now, leave the virtual machine marked as private and click Next.
Figure 21.3 Create a Name for the Virtual Machine.
Figure 21.4 Setting Access Rights.
7. Startup/Shutdown options (see Figure 21.5).
There are two choices to be made on this screen: choose the user account for running the virtual machine (Windows host only) and the host startup and shutdown options.
Under Virtual machine account on a Windows host server, select a user account for the virtual machine to use when it is powered on. This determines the network permissions from within the virtual machine and access to virtual machine resources on the network. There are three possible choices:
• User that powers on the virtual machine: The virtual machine runs as the user account that powered it on. When other users connect to the virtual machine, it still runs as the user that initially powered it on. The user account lock on this virtual machine goes away when the virtual machine is powered off. It is important to make sure the virtual machine and its files are in a location that is accessible to that user.
• Local system account: This option can only be enabled by an administrator. The reason is that, with this option activated, the virtual machine runs as the local system account (administrator). In general, it is not recommended to use the local system account; if compromised, it has unlimited access to the operating system resources. Additionally, it only has access to the local storage and cannot access files across the network.
• This user: The virtual machine will run in the user context of the specified user account. A local user account or local administrator account can be used; alternatively, a fully qualified domain account can be specified, which will allow access to virtual machine files across the network (as long as the proper security is assigned to the user account).
Figure 21.5 Modifying Startup/Shutdown Options.
Under Startup / Shutdown options on either a Windows host or a Linux host, select how the virtual machine's power state should be handled when the host server's power state changes. This option can only be enabled while the virtual machine is powered off and the virtual machine is configured to run as an administrator user. It is important to understand that if this feature is not activated and the host server is powered off, the virtual machines will not be gracefully powered down. Instead, it will be as if the plug was pulled from the wall. This option is also useful when the boot order of the virtual machines on a host server is important. For example, perhaps a virtual machine acting as a domain controller needs to boot first, followed by a DHCP server, then an application server, etc. Setting this option will help facilitate that function.
For now, accept the default values and leave the selection as User that powers on the virtual machine. These options can be changed later by selecting VM > Settings > Options > Startup/Shutdown from the console.
After setting the virtual machines on a host server to automatically start up after the host boots and shut down when the host is shut down, you can also change the order in which it happens. In other words, you can stagger the power on and power down of virtual machines to control their boot order. Staggering the boot order can be important if the virtual machines have a dependency on one another (e.g., a database server may need to be powered on before an application server that has a dependency on the database being up and reachable). Once the configuration change has been made to shut down and start the virtual machines automatically, add the following option to the virtual machine's configuration file:
autostart.order = <n>
The value of <n> must be a multiple of 10, and it controls the order in which virtual machines start up and shut down. For example, the first virtual machine would have a value of 10, the second virtual machine a value of 20, the third a value of 30, and so on until the last virtual machine in the list is modified.
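The two configuration-file edits in this chapter, locking a removable device with <device>.allowGuestConnectionControl = FALSE and assigning autostart.order in multiples of 10, can be scripted. As an added example (not the book's or VMware's code), these POSIX shell functions rewrite keys in a .vmx file in place and assign boot order to a dependency-ordered list of virtual machines; they assume the usual key = "value" line format of .vmx files, and the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the book: edit GSX Server .vmx files from a script.
# A .vmx file is a flat list of  key = "value"  lines (quoting is assumed here).

# Print the value of <key> in <file.vmx> without surrounding quotes.
# usage: vmx_get <file.vmx> <key>
vmx_get() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k " ") == 1 || index(line, k "=") == 1 {
            v = line
            sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v); sub(/[ \t]+$/, "", v)
            print v
        }' "$1" | tail -n 1
}

# Set <key> to <value> in <file.vmx>, replacing an existing line for that key
# or appending one. The file is rewritten in place (cat > file) rather than
# replaced with mv, so the owner and the permission bits that control access
# to the virtual machine are preserved.
# usage: vmx_set <file.vmx> <key> <value>
vmx_set() {
    vmx="$1"; key="$2"; val="$3"; tmp="$vmx.tmp.$$"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')     # '.' is literal in the key
    grep -v "^[[:space:]]*$esc[[:space:]]*=" "$vmx" > "$tmp" || true
    printf '%s = "%s"\n' "$key" "$val" >> "$tmp"
    cat "$tmp" > "$vmx" && rm -f "$tmp"
}

# Stop users and guest processes from connecting or disconnecting <device>
# (the chapter's <device>.allowGuestConnectionControl = FALSE setting).
# usage: vmx_lock_device <file.vmx> <device, e.g. ethernet0>
vmx_lock_device() {
    vmx_set "$1" "$2.allowGuestConnectionControl" FALSE
}

# True when <n> is a valid autostart.order value: a positive multiple of 10.
valid_autostart_order() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ] && [ $(($1 % 10)) -eq 0 ]
}

# Give each .vmx file, in the order listed, autostart.order 10, 20, 30, ...
# so that dependencies (e.g. the domain controller) start first.
# usage: assign_autostart_order dc.vmx dhcp.vmx app.vmx
assign_autostart_order() {
    n=0
    for f in "$@"; do
        n=$((n + 10))
        vmx_set "$f" autostart.order "$n"
    done
}

# Demo on constructed files (not real virtual machines).
demo() {
    d=$(mktemp -d)
    printf 'config.version = "8"\nethernet0.present = "TRUE"\n' > "$d/W2K3-DC-01.vmx"
    printf 'config.version = "8"\nautostart.order = "15"\n' > "$d/W2K3-DHCP-01.vmx"
    vmx_lock_device "$d/W2K3-DC-01.vmx" ethernet0
    assign_autostart_order "$d/W2K3-DC-01.vmx" "$d/W2K3-DHCP-01.vmx"
    for f in "$d"/*.vmx; do echo "== $f"; cat "$f"; done
    rm -rf "$d"
}
demo
```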
8. Memory for the Virtual Machine (see Figure 21.6).
The Wizard provides a guide to help identify the amount of RAM that should be allocated to the virtual machine. Based on the guest operating system selected earlier in the configuration process, the Wizard provides the minimum amount of memory recommended by the operating system manufacturer and a GSX Server recommended range from normal to maximum performance, along with the total amount of memory available to all running virtual machines.
To change the amount of memory, the Wizard provides a sliding scale that can be moved left to right, a spin controller with selection arrows up and down, and an input field. Each of these can be used to allocate the appropriate amount of memory to the virtual machine. GSX Server requires that the memory configuration be entered in multiples of 4MB.
For this example, leave the GSX Server recommended value of 384MB. This is sufficient to install the operating system. It can later be modified to increase the amount of memory based on the usage of the virtual machine.
GSX Server currently has a maximum of 3.6GB of memory that can be allocated to any one virtual machine at a time. It also has a memory limit based on the file system storing the virtual machine disk files. If the virtual machine is stored on a FAT16 or FAT32 Windows file system, the 3.6GB maximum is lowered to 2000MB. Therefore, if your virtual machine will require more than 2000MB of memory, make sure the virtual machine is stored on a Windows NTFS file system.
Figure 21.6 Allocating Memory for the Virtual Machine.
9. Network type (see Figure 21.7).
Several networking options are offered: bridged, network address translation (NAT), host-only networking, or no networking. Bridged networking uses a virtual Ethernet adapter. It is used when the host server is on a network that has the ability to give separate IP addresses to the virtual machines (either manually or via DHCP) and host network or Internet access is required. If the host network does not have enough IP addresses to be distributed to the virtual machines and host network and Internet connectivity is required, NAT networking can be selected. If the only network access that is required is the virtual network and access to the host server, host-only networking can be selected. If there is no need for network connectivity of any kind, selecting Do not use a network connection is appropriate, although this is not as likely on a server virtualization platform such as GSX Server. For more details about VMware GSX Server networking configuration, see the Virtual Networking section in chapter 22.
For now, select Use bridged networking. This option can easily be changed once the virtual machine is created by selecting VM > Settings > Hardware, selecting the network adapter and then changing the network connection setting.
10. Select I/O Adapter Types (see Figure 21.8).
Both an IDE and a SCSI adapter are added to the virtual machine by default. While the IDE adapter is always ATAPI, there are two SCSI adapter types to choose from: BusLogic and LSI Logic. Based on the guest operating system chosen in Step 4, GSX Server will select a default SCSI adapter. Most guest operating systems will default to BusLogic. However, newer operating systems such as Windows Server 2003 and Red Hat Enterprise Linux 3 default to the higher performing LSI Logic adapter. If the operating system does not have the appropriate driver for the adapter built in, it must be downloaded. For more information on adapter types, read the section Virtual Hard Disk Drives in chapter 22.
Choosing a SCSI adapter in this step does not determine what type of hard disk will ultimately be attached to the virtual machine. The disk type will be determined in Step 12. Therefore, in this example, take the default that matches the Windows Server 2003 guest operating system: LSI Logic.
11. Select a Disk (see Figure 21.9).
This step allows the hard disk of the virtual machine to be selected. There are three options to choose from: create a new virtual disk, use an existing virtual disk, or use a physical disk.
Figure 21.7 Select a Virtual Machine's Network Type.
Figure 21.8 Select I/O Adapter Types.
Figure 21.9 Select the Virtual Machine's Disk.