Archives for May 2012

VMware View 5.1 Installation Part 2 – View Composer

This series includes:
VMware View 5.1 Installation Part 1 – View Connection Server

This is the second installment in the VMware View 5.1 installation and configuration series. The first part covered the installation of View connection server and its SSL certificate. This post covers the optional component, View Composer 3.0. Composer is part of the View Premier bundle, and allows you to deploy link-clones for stateless VDI.

Unlike the Connection server, View Composer 3.0 requires a SQL database back-end. Unfortunately, View Composer does NOT support Windows authentication if the SQL server is not on the Composer server. This is disappointing, as SQL authentication is not secure and other VMware products such as vCenter, VUM, and UMDS fully support Windows authentication to SQL. I would strongly urge you to configure SQL transport encryption so that the weak SQL authentication is wrapped in SSL. For some guidance on configuring SQL SSL, check out this article.

Let’s get started on installing VMware Composer 3.0:

1. If your SQL server is not co-located with your Composer 3.0 server, then make sure your SQL server allows mixed mode authentication. To verify the authentication mode open Microsoft SQL Server Management studio. In the Object Explorer right click on the SQL server name and select Properties. Then click on Security, and change the authentication mode to SQL Server and Windows Authentication mode. Restart the SQL services if you had to change the mode.

2. You need to create the View composer database. You can do this manually, or modify the script below to suit your sizing requirements and file paths. You can cut and paste the script below into the Microsoft SQL Server Management Studio, then click on Execute.

-- Create the View Composer database; adjust sizes and file paths to suit.
USE master;
CREATE DATABASE [SD01-vCenter Composer]
ON PRIMARY
( NAME = 'SD01-vCenter Composer',
  FILENAME = 'K:\Microsoft SQL Server\MSSQL\Data\SD01-vCenter_Composer.mdf',
  SIZE = 250MB,
  FILEGROWTH = 25MB )
LOG ON
( NAME = 'SD01-vCenter Composer log',
  FILENAME = 'L:\Microsoft SQL Server\MSSQL\Data\Logs\SD01-vCenter_Composer.ldf',
  SIZE = 100MB,
  FILEGROWTH = 10MB )
COLLATE SQL_Latin1_General_CP1_CI_AS;

3. Since Composer uses SQL authentication, you need to create an account within SQL server. Pay close attention to the password policy, as it may default to require you to change password at next login, which is not what we want for a service account. Change the default database to the Composer database.

4. Next, we need to give the SQL account permissions to the Composer database. To do this we need to add a new user to the SQL database. Give the SQL account db_owner permissions for the schema and database.

5. Switch over to what will be the View Composer server (could be your vCenter server, your View Composer server or another server). Install the Microsoft SQL Native Client, then start the Composer installation and click through the wizard until you get to the database configuration. Click on ODBC DSN Setup then click on System DSN.

6. Click Add and on the next screen the SQL Server should be listed. Click Finish.

7. On the next screen fill in the DSN name you want to use, and the FQDN of the SQL server. Copy the name to the clipboard.

8. Select SQL Authentication then enter the SQL account credentials that you created in SQL server.

9. Change the default database to the Composer database that you created earlier.
10. Optionally configure strong SQL encryption, if you have configured your SQL server with a SSL certificate. Otherwise don’t enable encryption or the SQL client won’t be able to connect. Finish out the rest of the ODBC wizard.
11. Back in the Composer installation window, paste the DSN from the clipboard and enter the SQL account credentials.

12. If you are installing Composer on the same server as View Connection server, you should already have a SSL certificate installed if you followed my previous instructions here. If you are installing on the vCenter server or another server, then follow that link and do steps 1-7 to install a SSL certificate. Select the appropriate certificate by looking at the thumbprint.

To look up the certificate thumbprint, open a blank MMC, add the Certificates snap-in for the computer account, then open the Details of the right certificate and look for the Thumbprint value.

13. Wait for the installation to complete and reboot the server if prompted.
VMware View Composer 3.0 is now installed! The next article in this series will configure View Administrator.
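
To confirm the SQL side of steps 3, 4 and 10 from the Composer server before relying on it, the following PowerShell check is an added example (not part of the original post). The server name is a placeholder, and the function name is hypothetical. It connects with the SQL account over a connection that requires encryption and a trusted server certificate, then reports the login's default database, its password policy flags and whether it is db_owner in the Composer database.

```powershell
# Added example. $SqlServer is a placeholder; $ComposerDb is the database from step 2.
$SqlServer  = 'sql01.example.local'
$ComposerDb = 'SD01-vCenter Composer'

function Test-ComposerSqlLogin {
    param(
        [string]$Server,
        [string]$Database,
        [System.Management.Automation.PSCredential]$Credential
    )

    $net = $Credential.GetNetworkCredential()

    # Use the indexer with connection-string keywords; the builder escapes
    # special characters in the password for us.
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source']            = $Server
    $csb['User ID']                = $net.UserName
    $csb['Password']               = $net.Password
    $csb['Encrypt']                = $true    # refuse an unencrypted session
    $csb['TrustServerCertificate'] = $false   # and refuse an untrusted certificate
    $csb['Connect Timeout']        = 15
    # No Initial Catalog on purpose: we want to land in the login's default database.

    $r = @{
        Server            = $Server
        EncryptedConnect  = $false
        DefaultDatabase   = $null
        PolicyChecked     = $null
        ExpirationChecked = $null
        IsDbOwner         = $null
        Error             = $null
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection $csb.ToString()
    try {
        # Fails here if the server certificate is self-signed or untrusted,
        # or if the login is still flagged "must change password".
        $conn.Open()
        $r.EncryptedConnect = $true

        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @'
SELECT DB_NAME() AS DefaultDb, l.is_policy_checked, l.is_expiration_checked
FROM sys.sql_logins AS l
WHERE l.name = SUSER_SNAME();
'@
        $rd = $cmd.ExecuteReader()
        if ($rd.Read()) {
            $r.DefaultDatabase   = [string]$rd['DefaultDb']
            $r.PolicyChecked     = [bool]$rd['is_policy_checked']
            $r.ExpirationChecked = [bool]$rd['is_expiration_checked']
        }
        $rd.Close()

        # Role membership is evaluated inside the Composer database.
        $conn.ChangeDatabase($Database)
        $cmd.CommandText = "SELECT IS_MEMBER('db_owner');"
        $r.IsDbOwner = ($cmd.ExecuteScalar() -eq 1)
    }
    catch {
        $r.Error = $_.Exception.Message
    }
    finally {
        $conn.Close()
    }

    New-Object PSObject -Property $r |
        Select-Object Server, EncryptedConnect, DefaultDatabase,
                      PolicyChecked, ExpirationChecked, IsDbOwner, Error
}

# Prompts for the SQL account created in step 3.
Test-ComposerSqlLogin -Server $SqlServer -Database $ComposerDb -Credential (Get-Credential)
```

If EncryptedConnect is False and Error mentions the certificate chain, the SQL server is not yet presenting a certificate the Composer server trusts, so enabling encryption in the DSN would break the connection as step 10 warns.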

VMware VCAP5-DCD Exam Registration Open!

For those of you wishing to take the VMware Certified Advanced Professional – Datacenter Design (VCAP5-DCD) for vSphere 5.0, the wait is now over! Registration is live for the VCAP5-DCD exam. This is a tough exam... not your granny’s VCP5 exam! You must currently hold a VCP5 certification, or be a VCAP4-DCD; until August 17, 2012, VCAP4-DCD holders don’t have to achieve VCP5 first.

Note that during the registration process it may ask you for your “VMware ID”. This is NOT your VCP number. I found my “VMware ID” by looking at prior exam results on the Pearson Vue site, where it is shown as your “VCP ID” and starts with the letters VCP followed by six digits.

According to the VMware site:

VCAP5-DCD is designed for IT architects who design and integrate VMware solutions in multi-site, large enterprise, virtualized environments. Successful candidates possess a deep understanding of datacenter design principles and methodologies, as well as VMware core components and their relation to storage and networking. Successful candidates also have broad knowledge of applications and infrastructure services, and how they relate and integrate with the virtual infrastructure.
Achieving a VCAP5-DCD certification validates your ability to:

  • Create a vSphere conceptual design.
  • Create a vSphere logical design from an existing conceptual design.
  • Create a vSphere physical design from an existing logical design.
  • Create and execute an implementation plan.

Become a VCAP5-DCD

To achieve VCAP5-DCD status, you must complete two core validation components:

  1. Be a VMware Certified Professional 5 (VCP5)
  2. Pass the VCAP5-DCD exam

Note: Until August 17, 2012 if you are a current VCAP4-DCD you do not need to achieve VCP5 certification first; you only need to pass the VCAP5-DCD exam to obtain VCAP5-DCD status.

VMware View 5.1 client enhancements

Along with the release of the server components of VMware View 5.1, VMware also updated all of their clients. You can download the clients here. Clients include: Mac, iPad, Ubuntu Linux, Windows (32-bit and 64-bit), and Android. On a security related note, the View client has a security vulnerability, so you should upgrade to 4.6.1 or later such as 5.1.

Also, if you are interested in the Linux View client, the only official one that VMware produces is for Ubuntu, and has a limited feature set (no USB access, no smart card support, or virtual printing). However, many vendors create their own View client with enhanced features and support for different embedded Linux distros. For example, Wyse provides day 1 support for View 5.1 in their thin clients. To date I haven’t seen any support statement from HP for View 5.1 clients, although I’m sure that’s in the works..just lagging Wyse.

What’s new in all of the View clients? Check ’em out:

View Client for Windows 5.1

  • Video playback improvements – Up to 3X better video playback performance.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • View Client with Local Mode improvements – The virtual machines used for local mode View desktops can now use virtual hardware version 8, which is included with vSphere 5. For information about the features enabled with virtual hardware version 8, see the vSphere 5 release notes.
  • Improved mouse responsiveness

View Client for Linux 1.5

  • Video playback improvements – Up to 3X better video playback performance.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • Improved mouse responsiveness
  • Works with Ubuntu 12.04 – The version of View Client for Linux 1.5 that is available from the Ubuntu Software Center works with both 32-bit and 64-bit versions of Ubuntu 12.04.

View Client for Mac 1.5

  • Audio and video improvements – Up to 3X better video playback performance. Greatly improved audio/video synchronization.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • Mouse improvements – Improved mouse responsiveness. Resolved mouse tracking issue when switching to and from View Client.

View Client for Android 1.5
  • Support for Ice Cream Sandwich – View Client for Android now supports the Android 4.0 operating system.

  • Mouse support improvements – View Client now supports hover, right-click, and the scroll wheel mouse events on Ice Cream Sandwich devices.
  • Video playback improvements – Up to 2X better video playback performance.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • Save password option with VMware View 5.1 – When connecting to a View 5.1 server and if the View administrator enables this feature, end users have the option of saving their user name and password to simplify login to their desktop.
  • Internationalization improvements – French, German, and Spanish keyboards are supported when using VMware View 5.1 servers and appropriate international desktop keyboards. Direct Korean language input is supported when using VMware View 5.1 servers and desktops.
  • Touch in text fields to activate the onscreen keyboard – This feature is available when using VMware View 5.1 servers and virtual desktops. Click in a text field and the keyboard will be activated. You also have the ability to turn this feature off.
  • User interface improvements – More refined interface for small screen devices, all new Settings interface, and new, improved graphics.

View Client for iPad 1.5
  • Support for the new iPad
  • Video playback improvements – Up to 50% better video playback performance.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • Save password option with VMware View 5.1 – When connecting to a View 5.1 server and if the View administrator enables this feature, end users have the option of saving their user name and password to simplify login to their desktop.
  • Internationalization improvements – French, German, and Spanish keyboards are supported when using VMware View 5.1 servers and appropriate international desktop keyboards. Direct Korean language input is supported when using VMware View 5.1 servers and desktops.
  • Touch in text fields to activate the onscreen keyboard – This feature is available when using VMware View 5.1 servers and virtual desktops. Click in a text field and the keyboard will be activated. You also have the ability to turn this feature off.
  • Bluetooth keyboard improvements – The extended keyboard bar no longer covers the Start menu and task bar when using a Bluetooth keyboard. Also, the touch in text fields option introduced in View 5.1 will activate the Bluetooth keyboard when clicking in a text field.
  • User interface improvements – More refined interface with new, improved graphics.

How to create custom Microsoft CA SSL certificate templates

There are a variety of ways to create a trusted SSL certificate in the Windows world, but this article will focus on an internal network that has a Windows Server 2008 R2 Certificate Authority and member servers. This guide will show you how to create a custom Microsoft CA SSL certificate template. This can be very useful for VMware environments, where you may need to tweak certificate template properties.

IIS has a built-in domain certificate request wizard, but you can’t specify a custom web server certificate template to use. The built-in Web server template in the Microsoft CA is fine and dandy, but you might want to customize the certificate to extend the validity period, increase the key length, allow private key exporting, or a variety of features. Or you may have other enterprise services that can use certificates stored in the Microsoft computer certificate store, such as VMware View 5.1 connection server.

Whatever the case may be, the steps below will show you how to create a custom Microsoft CA SSL certificate template in your Microsoft CA, then perform a certificate request using that custom template.

Create the Microsoft CA SSL Certificate Template

1. Logon to your Microsoft Root CA and open the Certificate Services MMC. Expand the first Certificate Templates tree, which should reveal more than 30 Certificate Templates.

2. Right click on Web Server and duplicate the template. You can select either template type, but I chose Windows Server 2003 Enterprise. The 2008 template gives you more options, and is required if you want to use Suite-B encryption algorithms like elliptic curve. However, the Windows Server 2008 certificate template will NOT work with VMware View 5.1 connection server, so use 2003 instead.

3. Modify the template display name and validity period to suit your needs.

4. Click on Request Handling and change the key suite to suit your needs, and optionally check the option to allow the private key to be exported. This is REQUIRED for VMware View 5.1 Connection server to work. If you aren’t using VMware Connection Server 5.1, only check the box if you need to, as it has security implications. You can also increase the key size here, if you want.
5. Click on the Security tab. What we need to do here is allow web servers to Enroll in this certificate type. There are several ways you could do this, with varying levels of security. One way for a non-secure lab environment is add Domain Computers to the access list and give them the Enroll permission.
However, that would allow any domain joined computer to request a web server SSL certificate, which outside of a lab is not ideal. To add a little more security I created a security group, following my RBAC naming convention, of ACL_Certificates_WebServer_Enroll and gave that group Enroll permission.

6. Click OK to close the template properties and create the new template.

7. Next, we need to make the certificate available to computers. To do this, right click on the second Certificate Templates container, as shown below. Select New -> Certificate Template to Issue. In the next window select the template that you just created.

You should now see your custom certificate template listed, as shown below. At this point you can stop, as the certificate authority is now properly configured to issue a web server certificate template.

8. If you created a group that can enroll in this certificate type, then place the computer object into the group and reboot the server, so it gets the new group membership. If you went the easy route of adding Domain Computers to the enroll permission, no reboot is needed.

Request New Certificate

1. To request a new certificate using the freshly created template, logon to the server that needs the SSL certificate and open a blank MMC then add the Certificates snap-in for the Computer account.

2. Once the MMC console is added, expand down to the personal certificates store and right click on Certificates. Select All Tasks then Request New Certificate.

3. Click through the wizard until you get to the Active Directory Enrollment Policy. Select the new web server template that you just created. Then click on More information is required…

4. In the Certificate Properties page you need at a minimum the Common name, which should be the FQDN of your web server. When I configured an alternative name using the server’s short name, I got some weird certificate issues in IE and View, so I’d just stick with configuring the common name with the FQDN and no other fields. Click Add to add the properties to the certificate request.

5. Close out the certificate window and click on Enroll. If all goes well, you should now have a new certificate listed in the MMC.

If you are using Microsoft IIS, you can now configure IIS to use the new custom web certificate. Or if you are using other products such as VMware View 5.1 connection server, you now have a SSL certificate you can use. Enjoy!

VMware View 5.1 Installation Part 1 – View Connection Server

Update: Slightly changed the discussion regarding the required certificate template type. The key to creating a certificate that will work with View is enabling the “allow private key export” option on the certificate. A “computer” or “web server” certificate will work, IF this option is enabled when the certificate is created.

This is the first post in a short series on configuring VMware View 5.1, using vSphere 5.0 Update 1, on Windows Server 2008 R2 SP1. The article assumes you already have vCenter 5.0 running in the environment, and are using Microsoft SQL Server 2008 R2, so I won’t cover how to install those products.

Other articles in this series include:
VMware View 5.1 Installation Part 2 – Composer

Having worked a lot with XenDesktop 5.5 in the past, it is interesting to see the workflow for a View 5.1 installation. The first component I installed is the View Connection server, which can NOT be installed on the vCenter server. It will complain about port 80 being taken, so start off with a fresh Windows Server 2008 R2 SP1 VM for this component.

After you have provisioned a fresh VM for the View connection manager, we need to get our certificate house in order to ensure properly trusted SSL connections to this server. After the certificate is created and installed, we proceed with the basic View Connection server installation process, and finally verify the SSL certificate is working. The next article will cover the View Composer, which requires a database back-end, unlike View Connection server.

Take note the SSL certificate configuration process for View 5.1 is *completely* different from View 5.0 and previous versions. DO NOT follow VMware KB article 1008705 for View 5.1. You can find all of the View 5.1 documentation here. Should you try the View 5.0 and earlier instructions you can expect errors such as the following to be logged:

Couldn’t create SSL socket factory
java.lang.NullPointerException: invalid null input

[u] Ignoring invalid storetype: pkcs12
[u] Ignoring invalid storetype: jks

To properly configure View 5.1 connection server, follow these steps:

1. On what will be your new View Connection server open a blank MMC, add the Certificates snap-in, and manage certificates for your Computer Account.

2. Open your personal certificates and review any existing certificates you may have. In this case I have Autoenroll configured, so the server automatically got a “computer” certificate installed. However, View Connection server can’t use this certificate if it was issued with all default settings, which prohibit exporting the private key.

If you try to use this certificate, the built-in web server will barf and you won’t get the login screen. The reason is that the default computer certificate template does not allow the private key to be exported, which View requires. So you could either alter the computer certificate request to allow private key export, or create a web server template (or request) with the allow private key export option enabled.

3. Right click in the right pane and select Request New Certificate. Click Next, and on the following screen if you have a Windows CA that is online and configured to issue computer certificates, you should see something similar to the following picture. Click Next.

4. In my environment I configured my Microsoft Root CA to issue a custom web server template (Web Server v3), so I selected that enrollment policy. I recommend using a custom “web server” template as you can extend the validity period, ensure the allow private key export option is enabled, and customize the cipher strength. If you use the default computer template, you must alter the request properties to allow exporting of the private key or the certificate will not work. 
To create a custom web server certificate template, see my article How to create custom Microsoft CA SSL certificate templates to create a template. Or you can simply import a pkcs#12 certificate from a commercial CA into the computer store, such as GoDaddy or Verisign. As I’ve mentioned before the certificate template MUST have the “Allow private key to be exported” option enabled, otherwise the VMware View Security Gateway component will fail to start. Also, only use the Windows Server 2003 certificate template option, NOT Windows Server 2008, as those will NOT work.
5. Click on More information is required.. and the following window will pop up. For the subject name select common name and enter the FQDN of the View server. Click on Add to move the value to the right side.
6. On the General tab add a Friendly Name of vdm to the certificate. This is key! And only one certificate in your computer’s store can have this friendly name. Note that the friendly name is not baked into the certificate, and you can change it after the certificate is installed. If you import a certificate from a commercial CA, then open the properties of your imported certificate and change the friendly name.

7. Click OK, then click on Enroll. If all goes well, you should now see a new certificate with a friendly name of vdm in your certificate store. Note that the only intended purpose is Server Authentication.

8. Start the VMware View Connection Server installation process, and modify the installation directory as you see fit. I always install software on the D: drive, as shown below.

9. Select View Standard Server.

10. Enter a strong recovery password and optional password reminder.

11. Have the installer automatically configure your firewall.
12. Enter the group name you choose for View administrators.

13. Click through the remainder of the installation and wait for the installer to complete.

14. It is extremely unfortunate that the View console relies on Adobe Flash player, as it is riddled with nearly weekly critical security vulnerabilities. So you must install Flash player on whatever machine you want to access the View administrator console from. VMware really needs to update the interface to HTML5.

15. After you’ve lowered the security posture of your victim computer with Adobe Flash, you can browse to the FQDN and shortname URL (e.g. HTTPS://D0001View/admin) and you should get welcomed by the View Administrator logon screen and no SSL errors. In your browser open the properties of the SSL certificate and verify it is using your trusted certificate.
And now you should see the View Administrator logon!
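
The certificate requirements from this walkthrough (exactly one certificate with the friendly name vdm, an exportable private key, Server Authentication as the intended purpose) and the thumbprint lookup used when installing Composer can be checked from PowerShell instead of the MMC. This is an added example, not part of the original posts; the function name is hypothetical, and it must run elevated on the View server so the machine key is readable.

```powershell
# Added example: audit the computer store for the certificate View 5.1 will use.
function Get-ViewCertificateReport {
    param([string]$FriendlyName = 'vdm')

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $cspType = [System.Security.Cryptography.ICspAsymmetricAlgorithm]

    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.FriendlyName -eq $FriendlyName })

    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with friendly name '$FriendlyName' in LocalMachine\My."
        return
    }
    if ($certs.Count -gt 1) {
        Write-Warning "$($certs.Count) certificates share the friendly name '$FriendlyName'; only one may have it."
    }

    foreach ($cert in $certs) {
        # Exportability is a property of the key container, not of the certificate.
        $exportable = 'unknown'
        if (-not $cert.HasPrivateKey) {
            $exportable = 'no private key'
        }
        else {
            try {
                $key = $cert.PrivateKey
                if ($key -is $cspType) {
                    $exportable = $key.CspKeyContainerInfo.Exportable
                }
            }
            catch {
                # Thrown when the key is not held by a CSP or the caller lacks access.
                $exportable = 'unreadable (not a CSP key, or access denied)'
            }
        }

        # A certificate without an EKU extension is reported as ServerAuth = False here.
        $eku = @($cert.Extensions | Where-Object { $_ -is $ekuType })[0]
        $serverAuth = $false
        if ($eku) {
            $serverAuth = [bool]($eku.EnhancedKeyUsages |
                                 Where-Object { $_.Value -eq $serverAuthOid })
        }

        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            CommonName    = $cert.GetNameInfo($nameType, $false)
            NotAfter      = $cert.NotAfter
            KeySize       = $cert.PublicKey.Key.KeySize
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            ServerAuth    = $serverAuth
        } | Select-Object Thumbprint, CommonName, NotAfter, KeySize,
                          HasPrivateKey, Exportable, ServerAuth
    }
}

Get-ViewCertificateReport | Format-List
```

An Exportable value of False, or an unreadable key, points to a certificate issued from a template that does not meet the requirements described in step 4.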

VMware View 5.1 is now downloadable!

Yesterday, May 16, 2012, VMware released View 5.1, which has many nice improvements over View 5.0. You can find a link to all the latest documentation here. If you are licensed for View, you can download the bits here. The most exciting feature to me is CBRC, which can help reduce read I/Os on the storage system for common blocks in VMDK images. You are still on your own with handling writes, though. So this feature is great for helping to mitigate boot storms. The greatly improved USB support (essentially USB pass-through) is great for environments that connect a variety of USB devices to their desktops, such as phones or other devices.

New Features include:

  • Advanced storage options that leverage vSphere 5.0 – The following performance optimizations and integration features take advantage of vSphere 5.0 enhancements:
    • View Storage Accelerator uses Content Based Read Cache (CBRC) – CBRC is an ESXi 5.0 server memory cache of common blocks. During peak I/O workloads such as logon boot storms, View desktops can access common blocks of the OS disk and shared applications in the main memory cache, improving performance, enhancing the user experience, and saving storage array costs.
    • Tech Preview: View Composer Array Integration with VAAI – Additional View Composer cloning options leverage the vStorage API for Array Integration (VAAI) Native Cloning capability of Network Attached Storage (NAS). Note: The storage vendors developing support for NFS native cloning (VAAI) need additional certification to support the View workload. CBRC is not supported with the NFS native cloning feature.
    • Customizable View Composer disposable disk drive letter.
    • Support for up to 32 hosts in a cluster when Network File System (NFS) is in use. (The former limit was 8 hosts per cluster.)
  • Improved USB support. USB devices are now passed through to the hosted VDI VM and do not require device-specific drivers on the Windows client device.
  • RADIUS two-factor authentication support.
  • View Administrator user interface (UI) enhancements – These include context menus, linking to saved View Administrator pages, enhanced table column viewing, and globalization and localization in five languages.
  • Support for pre-created Active Directory machine accounts.
  • Optional customer experience improvement program. View collects anonymous data about View usage to help make View more responsive to customer needs. No user-identifiable data is collected. You can opt in or out of the program at any time.
  • View Persona Management is supported on physical computers – View Persona Management (virtual profiles) can manage user profiles across physical computers and View desktops. Simultaneous sessions are not supported.
  • View Persona Management user profile migration – The View Persona Management utility migrates Windows user profiles from Windows XP to Windows 7. The utility migrates profiles from physical computers to View or from View to View.
  • Standalone View Composer server – View supports the installation of the View Composer server on a standalone machine separate from VMware vCenter Server.

Create Custom HP ESXi 5.0 ISO Media

Similar to my post on how to create custom Cisco UCS ESXi 5.0 installation media, I thought I would tackle the same problem for HP ProLiant servers. Yes, HP does provide regularly updated ESXi installation media that bundles in their drivers, but it doesn’t always have the latest security patches. In some circumstances you may want the very latest ESXi build when you do the base install, and not rely on VUM or manually patching after the installation.

To find out which drivers are bundled in the HP ISO images, you can find their official list here. You should also be aware that HP tests specific driver versions with certain firmware versions and considers it a “supported recipe”. To find the supported recipes, you must look at the Service Pack for ProLiant release notes (300+ pages) and they provide a table, such as the one shown below for their 2012.02.0 release.

To start building your own HP custom ISO for ESXi 5.0 follow these steps:

1) Add the HP software depot (no drivers, just HP specific packages).


2) Download the complete driver set that HP includes in their image:

Broadcom NetXtreme I (net-tg3)
Broadcom NetXtreme II (misc-cnic-register, scsi-bnx2i, net-cnic, net-bnx2x, scsi-bnx2fc, net-bnx2)
QLogic Fibre Channel and CNA (scsi-qla2xxx)
HP SAS SCSI Driver (scsi-hpsa)
Emulex Network (net-be2net)
Emulex iSCSI (be2iscsi)
Emulex HBA (lpfc820)
QLogic Network (net-qlcnic)
QLogic Network (net-nx-nic)
LSI SAS (scsi-mpt2sas)
Brocade HBA and CNA (scsi-bfa)
Mellanox (net-mlx4-en)

3) Unzip each of the files that you downloaded, which will reveal another ZIP file and a VIB file, among others. We will be using the embedded bundle ZIP files. If you downloaded all of the drivers, unpacked them, and moved the bundled ZIPs to a single directory it should look like:

4) Add each software ZIP bundle to your depot using the following command, changing the ZIP filename for each bundle.


5) List all of the packages so we know which ones to add to our image profile. Note, that we haven’t added the online VMware depot, so the only packages shown here are the ones from the HP online depot and the manually downloaded packages.

Get-EsxSoftwarePackage | select Name,Version,ReleaseDate | sort ReleaseDate

6) Add the VMware software depot so we can use the latest VMware image profile:


7) We want to use the latest VMware profile, that includes all of the latest patches, so let’s list all the available profiles. The profile highlighted in yellow is the May 2012 release with several critical security patches, so we want that image (“standard” means it includes VMware tools). Choose the latest when you create your image.

Get-EsxImageProfile | Sort-Object "ModifiedTime" -Descending | format-table -property Name,CreationTime

8)  Clone the standard VMware profile so we can modify it with our driver set:

new-esximageprofile -cloneprofile ESXi-5.0.0-20120504001-standard -name "ESXi-5.0.0-HP-05132012"

9) Using the output in step 5, we add all of those packages to our image profile:

add-esxsoftwarepackage -imageprofile ESXi-5.0.0-HP-05132012 hpbootcfg, char-hpcru, hpnmi, char-hpilo, hponcfg, hp-smx-provider, hp-ams, hpacucli, misc-cnic-register, scsi-bnx2i, net-cnic, net-bnx2x, scsi-bnx2fc, net-bnx2, net-tg3, scsi-qla2xxx, scsi-hpsa, net-be2net, scsi-be2iscsi, scsi-lpfc820, net-qlcnic, scsi-mpt2sas, scsi-bfa, net-mlx4-en, net-nx-nic, ima-be2iscsi

10) To validate that your new profile in fact has the updated and new HP drivers, use the following command:

compare-esximageprofile -comparisonprofile ESXi-5.0.0-HP-05132012 -referenceprofile ESXi-5.0.0-20120504001-standard
As you can see in the screenshot below HP drivers were added to our custom image (hpnmi, hpcru, etc.) while others were upgraded (note the output does not show the full list of upgraded drivers). 

11) To create a customized bundle that you can use later, issue the following command:
export-esximageprofile -imageprofile ESXi-5.0.0-HP-05132012 -exporttobundle -filepath
12) To create a customized bootable ISO image, issue the following command:
export-esximageprofile -imageprofile ESXi-5.0.0-HP-05132012 -exporttoISO -filepath e:\ESXi-5.0.0-HP-03132012.ISO

During the boot process of the custom ISO image you will see the profile name that you configured:

VMware Releases Critical ESX(i) 3.5, 4.x and 5.0 Patches

On May 3rd, 2012 VMware released some very critical security patches for many versions of ESX/ESXi (3.5, 4.0, 4.1, 5.0), Workstation and Player. These updates bring the ESXi 4.1 build up to 702113 and ESXi 5.0 up to 702118. Given that you can potentially cause mayhem from inside a guest VM, this is one patch I would roll out ASAP after adequate testing. Remember that you can always manually download patches from here if your VUM server isn’t connected to the internet. You can manually import the patch into an air-gapped VUM instance and patch your hosts.

For a complete guide of security updates, check out this VMware KB article. If you work in a very security conscious environment and want to build a custom ESXi 5.0 installation ISO with the security patch baked in, check out my article here. Although that article is tailored for Cisco UCS servers, you can just skip injecting the UCS drivers and build a new base image with the most current published baseline.

Bulletin summary:

ESXi NFS traffic parsing vulnerability
Due to a flaw in the handling of NFS traffic it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi host without authentication. The issue is not present in cases where there is no NFS traffic.

VMware floppy device out-of-bounds memory write
Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

VMware SCSI device unchecked memory write

Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.