Running the Ubiquiti UniFi Controller as a service

Introduction

I recently had to prepare replacing an aging Aruba Wi-Fi deployment with an effective, more capable and budget-friendly solution. It needed to offer both corporate (RADIUS-authenticated) and guest Wi-Fi access for modern workplace needs.

We selected Ubiquiti equipment to meet the requirements. Apart from the WAPs all gear goes into server and network racks. The controller had to be implemented on-premises (self-managed, not via a service provider). As they have a modern Hyper-V environment we opted to deploy the controller on a Windows Server 2019 virtual machine; by the time the solution is deployed that OS will have become generally available. A Cloud Key appliance or Raspberry Pi was less interesting in this environment, which has professional racks available in dedicated server and network rooms.

OK, you can use Windows Server 2016 or Windows Server 2012 R2 as well. Note that I don’t like using a client OS for an infrastructure role. I would also not use older server versions because I like longevity in support; I dislike solutions that are out of support a week after I deployed them. The big takeaway here is that you want to tweak the standard deployment of the controller a bit:

  1. Change the install so it is not tied to a user profile
  2. Run the controller as a service rather than an app you need to start manually or add to auto start.
  3. Configure a proper TLS certificate so the UniFi dashboard loads without browser warnings

Below are my lab notes as reference to myself and my readers in regards to running the Ubiquiti UniFi Controller as a service on Windows Server 2019.

Installation

For some reason the installer dumps all the files in the user profile of the person running the installer. That is easy in terms of permissions, but people leave and profiles get deleted, and multiple people need to manage the system, so having it tied to an individual isn’t great.

For a UniFi install, first install Java (x64) and an x64 browser. Chrome and Firefox are supported; others may be as well or just work. The controller runs on Java, so that one is a no-brainer. You don’t need a browser on the virtual machine per se, but it gives you console access to the controller via the VM in case of network issues. Having multiple options is good. If you don’t need that, Windows Server Core will do.

Step by Step

1. Install the controller with the UniFi-installer.exe installer. It will put the installation under C:\Users\USERNAME\Ubiquiti UniFi
2. To move the UniFi controller app you copy the entire folder to the desired location. That could be C:\Program Files or C:\ProgramData. You can even create your own root folder if you don’t want admin permissions to be needed for the folder. Keep in mind that the data subfolder holds the controller database and, once you install a certificate, the keystore with its private key, so whatever location you pick should not be writable by ordinary users. For this demo I used C:\ProgramData\Ubiquiti UniFi.
3. I create a shortcut to https://unifi.workinghardinit.work:8443 and change the icon to one I created for this purpose.

clip_image001

4. I then also change the “Target” path to “C:\ProgramData\Ubiquiti UniFi\lib\ace.jar” ui and the “Start in” path to “C:\ProgramData\Ubiquiti UniFi”. That way the shortcut points to the right location. However, I want my controller to run as a service, so we won’t be using that shortcut much.

clip_image003

Anyway, we have a nice clean setup to continue with. Please note you do not need to install a browser on the server itself. I did this to give people a virtual machine console access option in case they have network issues. If you don’t want that you can use Windows Server Core.

Running as a service

Since we want the controller to always run and behave like a service, we have some extra work to do. This is documented here: https://help.ubnt.com/hc/en-us/articles/205144550-UniFi-Run-the-Controller-as-a-Windows-service I just adapted it to my path.

1. Close any instances of the UniFi software on the computer. If you just installed the UniFi controller, make sure to open it once by using the icon on the desktop or within the Start menu. Once it says “UniFi Controller (a.b.c) started.” you can close the controller program. This is needed to generate some required files (the data folder) for the service to work.
2. Open the command prompt as an administrator. For example, on Windows 10, right-click the Start menu and choose “Command Prompt (Admin)”.
3. Change directory to the location you copied UniFi to, in my case: cd "C:\ProgramData\Ubiquiti UniFi\"
4. Once in the root of the UniFi folder, issue the following (this installs the UniFi controller service; java must be on the PATH, otherwise use the full path to java.exe): java -jar lib\ace.jar installsvc
5. Once you’re at a new command prompt line, after it says “Complete Installation…”, issue the following: java -jar lib\ace.jar startsvc. Afterwards, check in services.msc (or with Get-Service) that the UniFi service is running, that its startup type is Automatic, and which account it runs under: that account needs write access to the folder you copied the controller to.
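The copy, the folder permissions and the two java commands above, scripted as an added PowerShell example. This is not from the original post or from Ubiquiti; it is what I would run in place of the manual steps, and it adds the two checks the manual procedure skips: that the folder you chose is not writable by ordinary users (data\ holds the controller database and, later, the keystore with the TLS private key) and which account the service actually runs as. Assumptions: the per-user path the installer uses, the C:\ProgramData target from the post, java.exe on the PATH, and that installsvc registers the service under the name UniFi; adjust those if your setup differs.

```powershell
# Added example, not from the original post or from Ubiquiti.
# Assumptions: service name 'UniFi', java.exe on the PATH, paths as in the post.
$Source = Join-Path $env:USERPROFILE 'Ubiquiti UniFi'   # where UniFi-installer.exe put it
$Dest   = 'C:\ProgramData\Ubiquiti UniFi'               # target location used in the post

function Move-UnifiInstall {
    param([string]$Source, [string]$Dest)
    if (-not (Get-Command java.exe -ErrorAction SilentlyContinue)) { throw 'java.exe (x64) must be on the PATH' }
    if (Get-Process -Name java, javaw -ErrorAction SilentlyContinue) { throw 'close the running controller first' }
    # The controller must have been started once so that data\ (database, keystore) exists.
    if (-not (Test-Path (Join-Path $Source 'data'))) { throw "$Source\data is missing; start the controller once and close it" }
    if (Test-Path $Dest) { throw "$Dest already exists; remove it or pick another target" }
    Copy-Item -Path $Source -Destination $Dest -Recurse -Force

    # data\ holds the controller database and, after the certificate swap, the TLS private key.
    # Stop inheriting ProgramData's ACL and leave access to SYSTEM and Administrators only.
    # If you run the service under a dedicated account, add that account here as well.
    $acl = Get-Acl -Path $Dest
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Dest -AclObject $acl
}

function Install-UnifiService {
    param([string]$Dest, [string]$ServiceName = 'UniFi')
    Push-Location $Dest
    try {
        & java.exe -jar lib\ace.jar installsvc      # registers the Windows service (same command as in the post)
        & java.exe -jar lib\ace.jar startsvc        # starts it
    } finally { Pop-Location }

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "service '$ServiceName' not found; run Get-Service to see what installsvc registered" }

    # The controller needs a moment before it listens on 8443; poll instead of guessing a sleep.
    $deadline = (Get-Date).AddSeconds(90)
    do {
        $up = [bool](Get-NetTCPConnection -LocalPort 8443 -State Listen -ErrorAction SilentlyContinue)
        if (-not $up) { Start-Sleep -Seconds 5 }
    } until ($up -or (Get-Date) -gt $deadline)

    # Report the account the service runs as (the ACL above must allow it), its start mode and the listener.
    [pscustomobject]@{
        Service   = $svc.Name
        State     = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").State
        RunsAs    = $svc.StartName
        StartMode = $svc.StartMode
        Listening = $up
    }
}

Move-UnifiInstall -Source $Source -Dest $Dest
Install-UnifiService -Dest $Dest
```

Run it from an elevated PowerShell session on the controller VM after the controller has been started and closed once under the installing user. If RunsAs is not LocalSystem, grant that account modify rights on the folder before relying on the service.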

Installing a proper certificate

After adding an A record or CNAME for the FQDN to your DNS infrastructure you will still get a security warning, as we haven’t installed a proper certificate yet.

clip_image005

Let’s fix this unprofessional-looking first view of your controller web application! We’ll use a recent cert from either a corporate or public PKI. Take your pick; there are free ones out there if you need that.

I’m using a wildcard certificate and will show you how to implement it with the UniFi controller. The trick is to replace the default keystore with a custom one to which you added your certificate. There are nice tools for that and the exact method will vary a bit. This is what I did. Note that you can do this on your workstation; there is no need to do all this on the server with the UniFi controller. Keep that tidy.

Make sure you have your cert available (exported) as a PFX file.

The Windows application method

Download KeyStore Explorer (http://keystore-explorer.org/downloads.html) and install it on your PC; the default settings are just fine.

Have your certificate exported as a PFX file with the private key and with the option “Include all certificates in the certification path if possible” selected.

Run KeyStore Explorer and under Tools select “Import Key Pair”.

clip_image006

As type select PKCS #12

clip_image007

Browse to the PFX file you created, fill out the correct password and click “Import”.

clip_image008

I’m happy with my default alias of * as I have a wildcard cert. To be clear, use unifi.domain.ext if you don’t have a wildcard. Note that Ubiquiti’s own certificate instructions import the key pair under the alias unifi; if the controller does not pick up your certificate after the swap, changing the alias to unifi is the first thing to try.

clip_image009

Enter the new key pair password. Again I use “aircontrolenterprise”: that is the password the controller uses to open its keystore and the key in it, so both the key pair password and the keystore password must be exactly that, whatever password protected your PFX.

clip_image010

Click OK and you’ll see that your import was successful. Click OK.

clip_image012

Now select your keypair and under the File menu select “Save As”

clip_image013

For the password, again, use aircontrolenterprise, click OK and enter keystore as the file name.

clip_image015

Click Save; you’re done here.

I actually delete the imported key pair from KeyStore Explorer and also Shift-Delete the exported PFX. It’s better not to have these sorts of files lingering around on your workstation, even when using BitLocker: the PFX contains the private key of your (wildcard) certificate. You must have a cert management process.

The results of your work

Now on your controller VM navigate to your data path, in my case C:\ProgramData\Ubiquiti UniFi\data. Rename the original keystore file to keystore.ori and paste the one you created into this folder.

clip_image019

You then need to restart the UniFi controller service, either in the Services GUI or via the command prompt.

clip_image020

clip_image021

Give the controller 10 seconds to get going properly and click your UniFi dashboard shortcut to browse to the application. And now, as you can see below, we have a much better user experience. This is actually the logon screen after you’ve run through the initial install wizard when you first launched the application.

clip_image023

We now have a well-behaved web application to securely access the UniFi controller and manage the Wi-Fi setup.

The native java tools method

If you want, you can use the native Java tools to do the same as with the KeyStore Explorer app; replace the steps above with the ones below.

First list the PFX with keytool; it prompts for the PFX password and outputs the entry. Note the alias (the long hex string), you need it in the next command:

C:\Program Files\Java\jre1.8.0_181\bin>keytool.exe -list -keystore C:\SysAdmin\Certs\exported_wildcard_workinghardinit_work.pfx -storetype pkcs12

Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1524853e062d1785ac5ebedb44a61065, Aug 30, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 7A:82:FC:6E:2D:4D:79:F2:43:7A:FE:57:48:BE:13:FB:C4:AF:ED:71

C:\Program Files\Java\jre1.8.0_181\bin>keytool -importkeystore -srcstoretype pkcs12 -srcalias 1524853e062d1785ac5ebedb44a61065 -srckeystore C:\SysAdmin\Certs\exported_wildcard_workinghardinit_work.pfx -keystore C:\SysAdmin\Certs\keystore -destalias *.workinghardinit.work

Importing keystore C:\SysAdmin\Certs\exported_wildcard_workinghardinit_work.pfx to C:\SysAdmin\Certs\keystore…

Enter destination keystore password: aircontrolenterprise
Re-enter new password: aircontrolenterprise
Enter source keystore password: aircontrolenterprise => the password used to protect the exported PFX. It does not have to equal the keystore password, but if it differs add -destkeypass aircontrolenterprise to the command above: keytool otherwise protects the imported key entry with the source (PFX) password, and the controller can only open a key protected with aircontrolenterprise.

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore C:\SysAdmin\Certs\keystore -destkeystore C:\SysAdmin\Certs\keystore -deststoretype pkcs12”.

You can leave that warning alone: the keystore the controller ships with is a JKS keystore, so keeping the replacement in the same format is the safe choice.
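The same keystore build done with keytool from PowerShell, as an added example that is not from the original post or from Ubiquiti. It replaces the KeyStore Explorer clicks and the interactive keytool session above with one script, deploys the result the way “The results of your work” describes, and adds the check the post does not show: a TLS handshake against port 8443 that reports the certificate the controller actually presents and whether the chain validates. It imports the key pair under the alias unifi, the alias Ubiquiti’s own instructions use, and sets -destkeypass explicitly so the PFX password no longer has to be aircontrolenterprise. Assumed, and to be adjusted: the JRE path and FQDN from the post, a placeholder thumbprint of a certificate in the current user’s personal store with an exportable private key, the data path from the post and a service name of UniFi.

```powershell
# Added example, not from the original post or from Ubiquiti. Assumptions: the JRE path,
# FQDN and data path from the post, a placeholder thumbprint, and a service name of 'UniFi'.
$Fqdn       = 'unifi.workinghardinit.work'
$Thumbprint = 'PASTE-THUMBPRINT-HERE'                         # cert in Cert:\CurrentUser\My with exportable key
$Keytool    = 'C:\Program Files\Java\jre1.8.0_181\bin\keytool.exe'
$DataDir    = 'C:\ProgramData\Ubiquiti UniFi\data'
$StorePass  = 'aircontrolenterprise'                          # fixed by the controller, not a free choice

# Workstation: export the certificate with its chain to a throw-away PFX and build the JKS keystore.
function New-UnifiKeystore {
    param([string]$Thumbprint, [string]$OutDir)
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "certificate $Thumbprint has no private key" }
    # Random one-time PFX password: the PFX only lives for the duration of this function.
    $pfxPlain = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    $pfx = Join-Path $OutDir 'unifi-export.pfx'
    $ks  = Join-Path $OutDir 'keystore'
    # BuildChain is the "include all certificates in the certification path" option of the export wizard.
    Export-PfxCertificate -Cert $cert -FilePath $pfx -ChainOption BuildChain `
        -Password (ConvertTo-SecureString $pfxPlain -AsPlainText -Force) | Out-Null

    # keytool names the PFX entry after its key id (the hex string in the post); read it rather than guess.
    $listing = & $Keytool -list -keystore $pfx -storetype PKCS12 -storepass $pfxPlain 2>&1 | ForEach-Object { "$_" }
    $entry   = $listing | Where-Object { $_ -match 'PrivateKeyEntry' } | Select-Object -First 1
    if (-not $entry) { throw "no private key entry in $pfx`n$($listing -join "`n")" }
    $srcAlias = ($entry -split ',')[0].Trim()

    if (Test-Path $ks) { Remove-Item $ks -Force }
    # -destkeypass is what the interactive session hides: without it the key entry keeps the PFX
    # password, and the controller, which only knows aircontrolenterprise, cannot open the key.
    $out = & $Keytool -importkeystore -noprompt `
        -srckeystore $pfx -srcstoretype PKCS12 -srcstorepass $pfxPlain -srcalias $srcAlias `
        -destkeystore $ks -deststoretype JKS -deststorepass $StorePass -destkeypass $StorePass -destalias unifi 2>&1
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($out -join "`n")" }

    # The PFX carries the private key: overwrite it once and delete it (best effort on SSD/BitLocker volumes).
    $len = (Get-Item $pfx).Length
    [IO.File]::WriteAllBytes($pfx, (New-Object byte[] $len))
    Remove-Item $pfx -Force
    return $ks
}

# Controller: swap the keystore, keeping a timestamped backup of the original, and restart the service.
function Install-UnifiKeystore {
    param([string]$NewKeystore, [string]$DataDir, [string]$ServiceName = 'UniFi')
    $target = Join-Path $DataDir 'keystore'
    $backup = "$target.$(Get-Date -Format 'yyyyMMdd-HHmmss').ori"
    Stop-Service -Name $ServiceName
    Move-Item -Path $target -Destination $backup
    Copy-Item -Path $NewKeystore -Destination $target
    Start-Service -Name $ServiceName
    "replaced $target (backup: $backup)"
}

# Anywhere: check what the controller actually presents instead of trusting the browser padlock alone.
function Test-UnifiTls {
    param([string]$Fqdn, [int]$Port = 8443)
    $script:policyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors   # record instead of failing the handshake, so we can still report the cert
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $script:policyErrors   # None means name, chain and trust all checked out
        }
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

# 1. On the workstation; then copy the resulting 'keystore' file to the controller VM.
$ks = New-UnifiKeystore -Thumbprint $Thumbprint -OutDir 'C:\SysAdmin\Certs'
# 2. On the controller VM.
Install-UnifiKeystore -NewKeystore 'C:\SysAdmin\Certs\keystore' -DataDir $DataDir
Start-Sleep -Seconds 20
# 3. Verify: Thumbprint must equal $Thumbprint and PolicyErrors must be None.
Test-UnifiTls -Fqdn $Fqdn
```

Run the verification from a machine that trusts your PKI; a PolicyErrors value of RemoteCertificateChainErrors on such a machine means the chain was not exported with the PFX (the BuildChain option above), and RemoteCertificateNameMismatch means the FQDN you browse to is not covered by the certificate.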

Conclusion

Ubiquiti delivers value-for-money Wi-Fi solutions. The gear is good and affordable, with manageability options that serve the majority of needs for SMEs. It is perfect for the more demanding SOHO environment.

Ubiquiti offers flexibility but also requires some “tweaking” to get just right. This goes for the software installation (fixing some default installation choices and installing a certificate) as well as for some hardware shortcomings (installing less loud fans).

For many people a virtual machine with Windows is something they already have the infrastructure for. It fits perfectly into their existing operational processes. A virtual machine also fits well into many customers’ existing backup and restore scenarios, and it can easily be checkpointed to revert to a known good state. This is an extra benefit in case something goes wrong during an upgrade or update. Combined with the auto backup configuration of the UniFi controller this covers most bases for quick recovery. Not too many people can restore their Raspberry Pi or appliance that fast.

We chose to use Windows Server 2019 in this demo as we wanted to future-proof the deployment, so we deliver the controller on an OS that will serve them well for many years to come.

To recap, first I showed you how to improve on the default installation. We then made the UniFi controller run as a service. Finally I configured a TLS certificate for the controller app. I hope you liked it and that it helps you out.

Windows Server 2019 in place upgrade testing


In theory, in-place upgrade testing is easy: you just validate the effort and testing Microsoft put into the process, and if it succeeds all is well. Well, not really. The number of permutations in real life is so large that it can never be done for all of them. But even today, in this era of “servers as cattle”, in-place upgrades have a role to play; I would say even more than before. That means that Windows Server 2019 in-place upgrade testing is also important.

image

In place upgrade paths to Windows Server 2019

In-place upgrade allows an administrator to upgrade an existing installation of Windows Server to a newer version, retaining settings and installed features.

The following Long-Term Servicing Channel (LTSC) versions and editions of Windows Server, with their supported paths for in-place upgrade, are shown below:

image

Please note that cluster operating system rolling upgrades can only be done from N-1 to N. This means that you can only do those from Windows Server 2016 to Windows Server 2019.

image

The ability to perform cluster operating system rolling upgrades is just one benefit you get by keeping your environment current.

Conclusion

Currently I and a couple of fellow MVPs are busy doing some testing on “real” hardware: servers, the kind you’d use in a professional environment, not a PC lab. Testing on virtual machines rocks and those are heavily used in real life, but you can’t test everything you need to verify hardware deployments. Think about S2D, persistent memory, SET, vRSS/VMQ/VMMQ etc.

Part of that testing is in-place upgrades. Yes, there are times and places when I will avoid them; there are also moments where I leverage them. I do think they are important and they have their place. Doing them depends on the value they can offer.

Whatever you do: you test, you verify and you break stuff in the lab before casually upgrading a cluster to a new version of the operating system on a Monday morning. I hope I don’t need to explain this anymore anno 2018? Or actually I do: we always have new talent joining us and we all have to learn. So, big tip: learning on the job doesn’t always equal learning in production. That will happen anyway, but don’t default to it.

SC Series SCOS 7.3

Introduction

While I was on vacation, SC Series SCOS 7.3 was announced by Dell to the public at large. Finally, I would almost say, as I really expected this to be a bigger thing at Dell World 2018. SCOS updates are free to people with a valid support contract. Beyond bug fixes and feature enhancements or additions we really get a lot in this new version. As a matter of fact, we get so much I can only wonder what they have planned for 8.x!

clip_image001_thumb[1]

What’s new in SC Series SCOS 7.3

Let’s look very briefly at what is new in the SC Series SCOS 7.3 release:

  • Considerable performance gains for hybrid or all-flash arrays. I tend to use a 70/30 read/write ratio and random IO for my baselines, so it won’t be a magical doubling of speed. But hey, IOPS/latency/bandwidth measurements are a sport by themselves. As long as you can measure real and significant progress for your workloads against a baseline you’re doing well!
  • Easy SC4020 upgrades: you can now migrate the storage enclosure to new controller units.
  • 25GbE &100GbE iSCSI support for SC5020, SC5020F, SC7020, SC7020F and SC9000.
  • CloudIQ support. CloudIQ is a free cloud-based analytics and monitoring tool for Unity that is now available for the SC Series.
  • Management with Unisphere :
    • “Unisphere for SC HTML5 Web UI” – the web UI is back & no more Java.
    • “Unisphere for SC” for managing a single array.
    • “Unisphere Central for SC” when you need to manage multiple arrays.
  • SCv2000 can now federate and replicate with other SC array models.
  • Capacity increases for many SC series models.
  • Distributed spares offer up to 500% faster rebuilds. On top of that all drives are now used instead of leaving assigned hot spare drives to go to waste when not needed.
  • ALUA support for Live Volumes brings lower latency by reducing/optimizing network traffic
  • Increases the number of Live Volumes supported in the array.

My personal top favorite in SCOS 7.3 is distributed spares. First of all, this allows us to have way better performance overall as we don’t physically reserve hot spares anymore. It just reserves space, so all disks add to the total IOPS available.

clip_image003_thumb[1]

Secondly, rebuilds are now a lot faster due to “many to many” reads/writes instead of many to one. Third, more disks help extend the life span of SSDs, as do large SSDs actually, so this is also an added benefit. With ever bigger SSDs in our arrays (I am now leveraging all-flash arrays (AFA) with 15TB SSDs), the latter is very much needed and welcome. If you read my blog post My first Dell SC7020(F) Array you know this was on my priority list!

Another great benefit to me is the inherently better performance SCOS 7.3 brings us. Even with AFA we can always use more, especially at crunch time with transactional workloads, backups, data copies etc. VDI customers will also welcome this.

Conclusion

I really look forward to this SCOS version and I’ll share my upgrade experiences with you here. It fixes my main concern around rebuilds anno 2018. I’m still very happy with SCOS as far as general-purpose traditional SANs go for a variety of workloads. It is on my buy list and I am a repeat buyer. That is actually worth something and means they do things well. Now they should upgrade Replay Manager to really support and understand the Windows Server 2016 and 2019 Hyper-V improvements. What they have now “works with” (à la Windows Server 2012); I would not call that supported yet. Anyway, SC Series SCOS 7.3 is definitely bringing a lot to the table. You can read more here.

My perspective on work and life

Introduction

What is so important about my perspective on work and life? Well, nothing at all unless you’re me. As an IT expert I spend way too much time in front of screens. It’s an occupational hazard. It’s not that I don’t talk to other people. I do, quite a lot. I do so for my work but also, a lot of the time, outside of my day job. That’s essential to prevent tunnel vision and echo chambers. But a big part of my time is spent working on projects (design, architecture, implementation). The remainder goes to assisting others, learning and experimenting or troubleshooting. That’s a never-ending story, rinse and repeat. This never-ending cycle can lead to loss of perspective. Not just the loss of your professional perspective, but work- and life-wise. The rat race goes fast and in IT everything comes and goes faster than ever. You can work very hard and not get ahead. You might make lots of money but have no time to enjoy it. And it can all be over in a second. You can spend your whole life working for something, just to have it taken away by illness, accident, natural or man-made disaster or crime. Sobering thoughts, to say the least.

My perspective on work and life

While I love the IT business from silicon to the clouds, I also adore the wonderful scenery that real clouds help create in the great outdoors. That’s why it’s good to take a break and go on a “walkabout”. When looking out over the Grand Canyon, hiking in Yellowstone valleys or in Great Basin with its 5000-year-and-older bristlecone pines, you can’t help but feel insignificant, both in the big picture and over time. On a geological scale what’s a couple of million years anyway, let alone less. So every now and then I get my proverbial behind out of the IT cloud, the data center and the mind-numbing open-landscape offices. I go watch wildlife and hike through landscapes formed by many hundreds of millions of years of nature’s forces at work.

image

It’s a mindset where the little aid above, the GSA (Geological Society of America) geologic time scale, becomes relevant to appreciate and try to understand the natural beauty around me.

Some advice

Don’t take life and work too seriously; step out of the “rat race” now and then. Changing my priorities and my perspective on work and life during time off is a good thing. During vacations it sure is a lot different. I love it. Seeing the Rocky Mountains scenery as you drive to a hike in a comfy Ford Explorer is just magnificent.

My perspective on work and life

From the majestic Rockies to the Pacific Northwest and Southwest, the views during a road trip are stunning. The hikes are amazing and the serenity is soothing to the soul. I feel great when exploring them. Take a long weekend, go on a road trip, hike around and recharge your batteries. If you’re able to work remotely, do so and explore your local natural resources during your downtime or breaks.

Get over that fear of missing out and realize that “promotions” or work are less important than your own best interest. No one will pay you double when you work twice as hard or give you back your time. It’s a typical example of diminishing returns. Remember that you don’t get a second life. Live this one. Don’t pointlessly rush through it from birth to death. You won’t be THAT rich and THAT famous (or infamous) enough to be remembered. You’ll probably be forgotten within one or two generations. So enjoy yourself a bit. Even if Rome does burn down during your absence, that’s where new empires can grow.