Posted to users@cloudstack.apache.org by Len Bellemore <Le...@ControlCircle.com> on 2013/04/05 12:43:54 UTC

Windows Product Activation and KMS Server

Hi Guys,

Anyone have a solution for activating Windows instances using a KMS server?

Given that the KMS server needs to be publicly available to Cloud users, but not to general internet traffic, we need to make the KMS server available in a semi-secure area. How do I get the instances to activate against my KMS?

Are people informing customers that they need to configure outbound internet access on their virtual routers so that they can activate against Microsoft's servers? How can I get them to authenticate on my KMS server that is on my network?

Thanks
Len

Re: Windows Product Activation and KMS Server

Posted by Ignazio Cassano <ig...@gmail.com>.
Hi, I do not know KMS server, so I used sysprep.
Regards



RE: Windows Product Activation and KMS Server

Posted by Oliver Leach <Ol...@tatacommunications.com>.
I did notice this which might help you in the future...

https://issues.apache.org/jira/browse/CLOUDSTACK-1578

But you are right, maybe some script logic may help but that's not 100% going to solve this problem. It would be nice to be able to specify allowed subnets via global settings for this type of scenario but still have all other egress traffic locked down for security purposes.

-----Original Message-----
From: Len Bellemore [mailto:Len.Bellemore@ControlCircle.com] 
Sent: Friday, April 05, 2013 12:17 PM
To: users@cloudstack.apache.org
Subject: RE: Windows Product Activation and KMS Server

That's kind of what I was thinking, but what about the fact that the virtual router blocks outbound internet by default?

Thanks
Len

-----Original Message-----
From: Oliver Leach [mailto:Oliver.Leach@tatacommunications.com] 
Sent: 05 April 2013 12:14
To: users@cloudstack.apache.org
Subject: RE: Windows Product Activation and KMS Server

You could write a script that runs once on boot, say after sysprep has completed, that registers the Windows instance with a public-facing KMS server that is only accessible in your environment, for example, the public IP ranges supplied in CloudStack that your instances use as a source NAT to access the internet. The lock down would be done on your firewall.

The script could be a batch file or a vbs script and the command would look like this:

c:\windows\system32\slmgr.vbs -skms <public-ip-address-of-kms-server>

HTH

Oliver Leach
Platform Architect
InstaCompute
Mobile +44 (0) 7787 690 607




RE: Windows Product Activation and KMS Server

Posted by Len Bellemore <Le...@ControlCircle.com>.
That's kind of what I was thinking, but what about the fact that the virtual router blocks outbound internet by default?

Thanks
Len


Re: Windows Product Activation and KMS Server

Posted by Paul Sanders <pa...@gmail.com>.
Hi Len,

You could create a NAT rule and pass that through to your KMS server. I
would set some ACLs on your firewall to only accept traffic from your
public IP range (which is assigned to your tenant VMs/Virtual Routers).
Sysprep can be used to point to the FQDN for that KMS server.

KMS agent activation usually uses SRV records to find the KMS server. Maybe
worth doing something funky with DNS to make it work (may be a little
complicated as the DNS search suffix for your tenants may be different).

Thanks

Paul

---
Kind Regards

Paul Sanders
Mob: 07988 725 883
Mail: paul.sanders87@googlemail.com



RE: Windows Product Activation and KMS Server

Posted by Oliver Leach <Ol...@tatacommunications.com>.
You could write a script that runs once on boot, say after sysprep has completed, that registers the Windows instance with a public-facing KMS server that is only accessible in your environment, for example, the public IP ranges supplied in CloudStack that your instances use as a source NAT to access the internet. The lock down would be done on your firewall.

The script could be a batch file or a vbs script and the command would look like this:

c:\windows\system32\slmgr.vbs -skms <public-ip-address-of-kms-server>

HTH

Oliver Leach
Platform Architect
InstaCompute
Mobile +44 (0) 7787 690 607
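
A sketch of the run-once script described in the message above, as an added example that is not part of the original post: it checks that the KMS port is reachable before calling slmgr, so a blocked egress rule or firewall ACL shows up as a clear failure rather than a silent unactivated instance. The host name `kms.example.invalid`, the parameter names and the helper functions are assumptions for illustration; TCP 1688 is the default KMS port.

```powershell
# First-boot KMS activation (added example; names and defaults are assumptions).
param(
    [string]$KmsHost   = 'kms.example.invalid',  # placeholder: address of your KMS server
    [int]   $KmsPort   = 1688,                   # default KMS TCP port
    [int]   $TimeoutMs = 5000
)

$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

# Plain TCP connect test; uses TcpClient so it also works on older Windows builds.
function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Run slmgr through cscript so output goes to the console, not a pop-up dialog.
function Invoke-Slmgr {
    param([string[]]$Arguments)
    $out = & cscript.exe //NoLogo $slmgr @Arguments
    # Treat a non-zero exit code or an "Error:" line in the output as failure.
    if ($LASTEXITCODE -ne 0 -or ($out -match '^Error:')) {
        throw "slmgr $($Arguments -join ' ') failed: $($out -join ' ')"
    }
    $out
}

if (-not (Test-TcpPort -Server $KmsHost -Port $KmsPort -TimeoutMs $TimeoutMs)) {
    # In the setup discussed here: virtual router egress rule or firewall ACL.
    Write-Warning "Cannot reach ${KmsHost}:${KmsPort}; check egress rules and the firewall ACL."
    exit 1
}

Invoke-Slmgr '/skms', "${KmsHost}:${KmsPort}"   # point the client at the KMS host
Invoke-Slmgr '/ato'                             # attempt activation now
Invoke-Slmgr '/dli'                             # print the resulting license state
```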


