VMware ACE 2.0 Release Notes

Notes on VMware ACE 2.0.3

Build 80004 is a release build of VMware Workstation ACE Edition and ACE Management Server. The release notes cover the following topics:

New in Version 2.0.3

VMware ACE 2.0.3 is a maintenance release. This release includes some modifications to the user interface, including the following:

Power-off script

You can now configure access control policies to include a power-off script. You can use the power-off script to reset any changes made to the host by a power-on script, reset authentication settings, or run other procedures you want performed as the instance powers off.

Perform the following steps to include a power-on/off script in the ACE master’s packages:
  1. Create the script and save it in the ACE Resources folder.
  2. On the access control policy page, click the Power-on/off scripts button at the bottom right. The Power-on/off scripts dialog box appears.
  3. If the deployment platform setting in package settings is set to Both Windows and Linux, then the Choose Power-on/off scripts dialog box contains text fields for both Windows and Linux script specifications.
  4. Select Use power-off script to set a power-off script.
  5. Click Set to open the Set Custom Script dialog box. Refer to the ACE Administrator's Manual for details on setting custom scripts.
  6. If you are enabling a power-on/off script after you have already deployed packages with this ACE master, provide the script to the user using a policy/server update package or a custom package with ACE Resources.

Windows login

The package settings now include a Windows login feature. The ACE administrator will be required to enter the guest operating system's user name and password to perform instance customization.

Open the Package settings dialog box, enable instance customization, and select Windows Login. Enter the guest operating system's Windows login information. On managed systems, enter a user name and password. On unmanaged systems, enter only a user name.

The user name you enter must have permission to copy files into the guest operating system and to run the Microsoft sysprep deployment tools. For managed ACE masters, the user name and password are stored in the ACE Management Server. For unmanaged ACE masters, the user name is stored in the ACE master policy file. For security reasons, the password is not stored.

MAC address pools

You can now add a MAC address pool to the database of an ACE master. Note, however, that this feature might not work when the ACE Management Server uses an Oracle Database 10g.

For more information on how to add a MAC address pool, refer to the technical note at the following URL:

http://www.vmware.com/pdf/ams_map.pdf

VMware ACE 2.0.3 addresses the following security issues:

  • On Windows hosts, if you have configured and enabled a shared folder, it is possible for an attacker to write arbitrary content from a guest system to arbitrary locations on the host system (CORE-2007-0930). (bug 200360)
  • This release updates the libpng library to version 1.2.22 to remove various security vulnerabilities. (bug 224453)
  • This release updates the OpenSSL library to address various vulnerabilities to denial-of-service attacks and buffer overflows. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following names to these issues: CVE-2006-2940, CVE-2006-2937, CVE-2006-4343. (bug 216493)

Key Features in Version 2.0.2

VMware ACE 2.0.2 is a maintenance release. It contains bug fixes described in Fixed Bugs, and also incorporates the following new feature:

Improved Pocket ACE instance closing

This feature enables you to configure a policy to set how your Pocket ACE instances close.

Key Features in Version 2.0.1

Updated Support for Host and Guest Operating Systems

Refer to the Workstation 6.0 Release Notes for a complete list of supported operating systems. The Workstation 6.0 Release Notes are available at the following URL:

http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

This release also includes the following new features:

  • Enablement for Japanese Product Versions
    For more information, see the Japanese release notes.
    Note: Technical Support services for VMware Workstation are currently delivered in English. Japanese-speaking support engineers are available in a limited capacity during the operating hours of the local support center. For more information, see VMware local language support.
  • Active Directory multi-domain — Domain forests and other distributed domain topologies are supported by ACE Management Server.
  • Bulk deployment of VMware Pocket ACE packages — Workstation ACE Edition has the ability to run multiple deployments from the same package at the same time using a CLI feature. Refer to the VMware ACE Administrator’s Manual for more information.
  • Dynamic package lifetime configuration — You can change the package lifetime settings on managed packages. Settings can be changed before or after package creation.
  • Saved queries in the ACE Management Server search interface — Search query parameters can be saved in the ACE Management Server instance view.
  • Clone a virtual machine from an ACE instance — You can convert an ACE instance into a virtual machine for troubleshooting or repair purposes.
  • Player control — You can control which virtual machines and ACE instances can be run on a host where you have deployed an ACE instance.

ACE 2.0.1 addresses the following security issues:

  • This release fixes several security vulnerabilities in the VMware DHCP server that could enable a malicious user to gain system-level privileges.
    Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security Systems X-Force for discovering and researching these vulnerabilities.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following names to these issues: CVE-2007-061, CVE-2007-062, CVE-2007-063.
  • This release fixes a security vulnerability that could allow a malicious remote user to exploit the library file vielib.dll to overwrite files in a system.
    Thanks to the Goodfellas Security Research Team for discovering and researching this vulnerability.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following name to this issue: CVE-2007-4155.
  • This release fixes a security vulnerability that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following name to this issue: CVE-2007-4496.
    Thanks to Rafal Wojtczuk of McAfee for identifying and reporting this issue.
  • This release fixes a security vulnerability that could allow a guest operating system user without administrator privileges to cause a host process to become unresponsive or exit unexpectedly, making the guest operating system unusable. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the following name to this issue: CVE-2007-4497.
    Thanks to Rafal Wojtczuk of McAfee for identifying and reporting this issue.

Key Features in VMware ACE 2.0

Some terminology for ACE 2.0:

Workstation ACE Edition – The software used by the ACE administrator to create virtual machines and package them for distribution to ACE end users.
ACE master – A virtual machine template created by the ACE administrator. An ACE master can be configured with various policies and devices and package settings and then used as the basis for creating any number of packages to be sent to ACE users.
ACE instance – The virtual machine that ACE administrators create, associate to virtual rights management (VRM) policies, and then package for deployment to end users. In short form, an ACE instance is an ACE.

  • ACE Management Server — The ACE Management Server enables you to manage ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily. It adds new integration with your Active Directory setups and provides Active Directory/LDAP integration. The SQLite database is embedded in the ACE Management Server. You can also use an external Microsoft SQL Server database or an external Oracle Database 10g database with a Windows server, or an external PostgreSQL database with a Linux server. Roles-based, secure SSL communication between the ACE Management Server and the client is also a feature.
  • ACE Management Server Appliance — The ACE Management Server Appliance is a self-contained, pre-installed, pre-configured ACE Management Server that is packaged with a small operating system in a virtual machine. Using this appliance is the fastest way to get an ACE Management Server running in your environment.
  • Instance View — Instance View enables an administrator to view and control all managed ACE instances. An advanced search function enables you to locate instances in the database quickly. You can also customize the Instance View by adding searchable custom fields.
  • Help Desk — Help Desk is a Web application for use with ACE instances that are managed through an ACE Management Server. Administrators and help desk assistants can use the Help Desk to fix common user problems such as lost passwords and expired instances.
  • Pocket ACE — Pocket ACE enables an administrator to bundle and deploy an ACE onto a USB portable media device, including USB flash drives, Apple iPod mobile digital devices, and portable hard drives. It runs directly from the USB portable media device and can be run with the VMware Player that is bundled with the software.
  • Virtual Printer — VMware ACE includes a virtual printer that enables users to print to any printer available to the host computer from applications inside a virtual machine without installing additional drivers in the virtual machine.
  • Network Access — These policies give you fine-grained and flexible control over the network access you provide to users of your ACE instances. Using a packet filtering firewall, the network access feature of ACE 2 lets you specify exactly which machines or subnets an ACE instance or its host system may access.
  • USB Device Policy — This policy provides enhanced control of USB devices.
  • Instance Customization (Automated sysprep) — The instance customization feature automates Microsoft Sysprep deployment tools actions and streamlines the process of customizing instances after they have been deployed to user machines.
  • Remote Domain Join — The remote domain join feature enables you to automate the join of a remote ACE instance through your own VPN client/server setup to the domain that you specify.
  • Updated Policy and Package Settings — Enhancements to the policies and package settings you can apply and the ways in which you can update policies make it easier for you to secure and manage your ACE deployments. All policies are dynamic. Updated policies and package settings include the following:
    • Snapshots policy, for allowing users to take and/or revert to both user snapshots and reimage snapshots.
    • Enhanced copy protection policy for managed instances.
    • Administrator mode, which enables you to configure virtual machine settings directly on the users’ machines (for ACE instances running in VMware Player on Windows systems) and to use the vmware-acetool command-line program with standalone ACE instances to fix some common problems such as lost or forgotten passwords.
    • Runtime preferences policy, which enables you to configure settings that your end users can access when running ACE instances.
    • Hot fix policy, which enables you to activate the hot fix feature for standalone ACE instances, allowing an administrator to respond to hot fix requests from users to fix such common problems as lost or forgotten passwords.
    • Resource signing policy, which enables you to specify that ACE Resource files be protected from all tampering.
    • Custom EULA package setting, which enables you to provide a custom EULA (end-user license agreement) that appears when an ACE instance is activated.
  • Linux Systems Available as Host Systems for ACE User Machines
  • Troubleshooting tools — The vmware-acetool command-line program and the hot fix feature are available for use by administrators to fix users’ common problems on standalone ACE instances, such as expired ACE instances, copy-protection violations, and password resets. The Help Desk Web application and the Instance View can be used to fix those same problems for managed instances.
  • New ACE Master Wizard and Clone ACE Master Wizard — The New ACE Master Wizard now provides custom settings that allow you to fine-tune settings for your ACE masters. The Clone ACE Master Wizard enables you to create an ACE master quickly from an existing ACE master.
  • Enhancements to Preview Mode — Preview mode enables you to run the ACE instance as it will run on the end user’s machine as well as see the effects of changed policies as they will appear on the ACE user’s machine without your having to package and install them.
  • New ACE Integration with Workstation — Workstation, when licensed with the ACE option pack, can now be used to create and manage ACE virtual machines.

Before You Begin

Read the following before you install and configure this software:

  • The VMware ACE 1.x to VMware ACE 2.x upgrade is a manual process. Follow the instructions in the VMware ACE Administrator's Manual very carefully.
  • Register your serial number to obtain access to technical support.
    If you have purchased VMware ACE, you must register your serial number before you can access technical support. Evaluation serial numbers have been pre-registered. You do not need to register evaluation serial numbers to access technical support.
  • VMware Workstation ACE Edition cannot be installed on a computer with any versions of VMware Workstation, VMware Player, VMware GSX Server, VMware Server, or VMware ACE software. Follow the same guidelines for installing the VMware Player application on end users' computers.
  • Install the latest version of VMware Tools. Be sure to install the version of VMware Tools included in this release (VM > Install VMware Tools) in your ACE masters.
  • Workstation ACE Edition and an ACE Management Server that is integrated with Active Directory must be on the same domain. Ensure that your Workstation ACE Edition program and the ACE Management Server are on the same domain. If they are not, then users cannot be authenticated and thus cannot run ACE instances.
  • ODBC driver 2.2.10 is the supported driver if you are running ACE Management Server on a SLES9 operating system with an external database. (KB 1000205)

Fixed Bugs

The following sections contain bugs that were fixed for the ACE 2.0.2 release:

Workstation ACE Edition

  • Hosts with AMD Duron processors might not be able to power on virtual machines. This problem resulted because Duron processors that are based on Athlon do not have Intel SSE (Streaming SIMD Extensions). (bug 183866)
  • Ubuntu 7.04 virtual machines sometimes power off unexpectedly if paravirtual kernel support is enabled. (bug 190499)

ACE Instances

  • When the host machine is suspended (stand by or hibernate), authentication is not required to gain access to a virtual machine. (bug 194374)

ACE Management Server

  • ACE Management Server leaks private virtual memory. (bug 160988, KB 1000206)
  • ACE Management Server ignores the options <conf_file></conf_file> in the <krb5> section of the ACE Management Server configuration file. (bug 192748)

The following sections contain bugs that were reported as known issues in VMware ACE 2.0 and were fixed for the ACE 2.0.1 release:

Workstation ACE Edition

  • The tools service takes a long time to start on a guest with the Virtual Printer policy enabled. (bug 159190)
  • Activation keys can only be used once. (bug 176313)
  • The Pocket ACE Deploy Utility does not detect some high-capacity USB hard drives when running on the Microsoft Vista operating system. (bug 126774, KB 1000165)
  • Activation limits are not working for groups. (bug 161891, KB 1000204)

ACE Instances — General

  • The ace_upgrade.exe application fails with certain characters in the folder name: -s, -q, -v, -?, -a, -c, or -l. (bug 161737, KB 1000203)

ACE Instances — Pocket ACE

  • The Pocket ACE performance test creates inconsistent results. (bug 163035, KB 1000208)
  • The host-guest script and power-on script do not run on Pocket ACEs. (bug 164309)
  • If you see the USB device that you are using for a Pocket ACE instance listed on the device toolbar or menu, do not attempt to connect it to the instance. (bug 136812, KB 1000195)
  • Pocket ACE crashes at startup. (bug 164719)
  • Devices using image (ISO) files do not work with Pocket ACE. (bug 166938)
  • Do not unplug a Pocket ACE while the Pocket ACE is running. (bug 125528, KB 1000196)

ACE Management Server — General

  • In Mozilla Firefox, the Help Desk application may not sort ACE instances correctly. (bug 157919)

ACE Management Server — Active Directory

  • The ACE Server Configuration web application does not support secure remote connections. (bug 159206, KB 1000191)

Known Issues

The following sections contain the known issues for this release of VMware ACE 2.0.1:

Workstation ACE Edition

  • If you are upgrading to this release from the beta release, Virtual Printer will not work properly unless you uninstall VMware Tools and then install ACE 2.0.1 Tools from the current release.

ACE Instances — General

  • DHCP traffic to and from the host system cannot be blocked with a host network access filter for an ACE instance running on a Linux host system. (KB 1000193)
  • Some USB devices might not work well with Linux 2.4.x kernel host systems. (KB 1000194)
  • To use the Virtual Printer feature, you will need to use a supported host/guest combination.
    • Supported host operating systems:
      All 32-bit Windows operating systems from Windows 2000 Professional and newer
      All 64-bit Windows operating systems for users logged in with administrative privileges
      Linux host operating systems are not supported in this release.
      On Vista 64-bit operating systems, Virtual Printer will only work when printers are local.
    • Supported guest operating systems:
      All 32-bit Windows operating systems from Windows 2000 Professional and newer
      All 64-bit Windows operating systems
      32-bit Red Hat Enterprise Linux 4 (PostScript printers only)
  • A managed ACE instance using Active Directory or user password authentication cannot be powered on after the recovery key has been enabled dynamically on the server. If Active Directory authentication is used and the ACE instance is powered on, you will first be asked to set up a user password and you will then encounter an application failure. If user password authentication is used and the ACE instance is powered on, you will be asked to set up the user password again and it will fail. Workaround: Disable the recovery key and publish the policies. After the recovery key is disabled, the user can power on the ACE instance again.
  • A managed ACE instance using Active Directory or user password authentication cannot be cloned to a virtual machine after the recovery key has been enabled dynamically on the server. Workaround: For an ACE instance that is using user password authentication, first disable the user password and then clone the ACE instance to a virtual machine. There is no workaround if the ACE instance is using Active Directory.
  • Blocking the use of a removable device while the ACE instance is running might not take effect until the ACE instance is powered off and powered on again. This only happens for Linux guest operating systems if the user chooses not to override the device lock in the message that appears on the host.

ACE Instances — Pocket ACE

  • There are Pocket ACE performance issues. (KB 1000197)
  • You receive an error while running a Pocket ACE on a Vista host that does not have VMware Player installed. When you install an ACE package as an administrator, Player will be installed. However, when you install an ACE package as a non-administrator, you have to have Player already installed for it to work properly.

ACE Management Server

  • ACE Management Server must be reconfigured when you upgrade from ACE 2.0 to 2.0.1 if you are using LDAP.
  • ACE 2 Management Server is most efficient when configured with the fully qualified name. If it is configured with an IP address or host name, it resolves the name each time and is less efficient.
  • You may encounter problems configuring a Linux ACE Management Server to use LDAP. Workaround: Make sure that the time on the system with ACE Management Server installed and the time on the system that is running the Active Directory match. A time lag between the two systems can cause this problem. Verify your DNS settings on your Active Directory and make sure that the "same as parent folder" and the domain controller have the correct IP addresses.
  • You are unable to authenticate to your LDAP server after configuring your ACE Management Server appliance. Workaround: Restart the ACE Management Server.
  • IP addresses in Instance View and Help Desk are sorted alphabetically, not numerically. (KB 1000166)
  • You might have problems connecting to the Server Configuration or Help Desk web applications. (KB 1000198)
  • Load balancing two or more ACE Management Servers with chain.crt certificates fails to authenticate them properly. Use the same certificate for multiple ACE Management Servers. (KB 1000207)
  • If you configure a static IP address on the ACE Management Server appliance you must reboot for the hostname to be applied.
  • If you upgrade ACE Management Server and it was installed in a non-default directory, be sure to choose the same directory during the upgrade to ensure that your previous settings are used.
  • Upgrading from SLES93 AMS20 to SLES93 AMS201 results in a blank and non-responsive login user interface. Workaround: Set the IP address to 127.0.0.1 if using localhost. If this does not work, restart Apache Server.
  • When you use ACE Management Server on a Windows 2000 system with Active Directory, SSL must be enabled on the domain controller for LDAP authentication to work correctly.
  • Connecting from ACE Management Server on a RHEL4 host to an Active Directory/LDAP server fails if the Canna server fails to start.
  • You are unable to change the password of a user if the user is not in the primary domain.
  • A first-time restart of ACE Management Server might fail to load the user interface.
  • Uploading a *.crt file from one ACE Management Server to another ACE Management Server without the corresponding *.key file causes HTTPD to fail.
  • You are unable to add users from a child domain when a managed ACE instance is configured with Windows 2000 ACE Management Server.

Known Issues on Japanese Systems

Workstation ACE Edition

  • The Virtual Printer feature is not localized in Japanese.
  • ACE does not support Virtual Printer on a Japanese guest operating system in the current release.
  • On Japanese systems, if you use instance customization and set the local administrator user name to a name that contains a Japanese 5c character (the backslash character in ASCII and the Yen character in some Japanese character sets), instance customization fails.

ACE Management Server

  • Your server name must be either the machine name in English or the IP address. Some international characters are not supported.
  • During installation, some text strings will appear only in English.
  • Since the ACE Management Server utilizes Apache as the webserver, installing to a path with two-byte Japanese characters will cause the Apache installation to fail to register the Apache service, and therefore ACE Management Server will not work. To prevent this from happening, only use English letters in the ACE Management Server's installation path. The Apache service monitor may not work as expected for hosts with Japanese names. Symptoms seen are the service status not showing up at all, and inability to stop or start the service from the monitor. The workaround is to restart the service using either the Windows service console or the ACE Management Server configuration webpage.
  • The Data Source Name (DSN) does not support Japanese characters.
  • You are unable to authenticate with Japanese Windows 2000 Server using ACE Management Server with LDAP over SSL. Workaround: Change the value in the acesc.conf file by performing the following steps:
    1. Stop the Apache service from the Apache service monitor.
    2. Open the acesc.conf file located at C:\Program Files\VMware\VMware ACE Management Server\conf.
    3. Search for <secure>1</secure> in the <ldap></ldap> section and change the value from "1" to "0".
    4. Save the acesc.conf file.
    5. Restart the Apache service.
    When you use this workaround, you will not be able to change the user password from an ACE instance.
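
The workaround above switches off LDAP over SSL for the server, so it is worth tracking which ACE Management Servers carry it. The following Python check is an added example, not VMware code; only the `<ldap>`/`<secure>` and `<krb5>`/`<conf_file>` element names come from these notes, and the rest of the sample file layout, including XML-style comments, is an assumption.

```python
import re
import sys

# Constructed samples. Only the <ldap>/<secure> and <krb5>/<conf_file> element
# names appear in the release notes; the overall layout is assumed.
SAMPLE_WORKAROUND = """\
<krb5>
  <conf_file></conf_file>
</krb5>
<ldap>
  <!-- <secure>1</secure> -->
  <secure>0</secure>
</ldap>
"""

SAMPLE_DEFAULT = """\
<ldap>
  <secure>1</secure>
</ldap>
"""

# Assumption: the file tolerates XML-style comments, so an administrator may
# have commented out the old value instead of editing it in place.
_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
_LDAP = re.compile(r"<ldap\b[^>]*>(.*?)</ldap\s*>", re.DOTALL | re.IGNORECASE)
_SECURE = re.compile(r"<secure\b[^>]*>\s*(.*?)\s*</secure\s*>",
                     re.DOTALL | re.IGNORECASE)


def ldap_secure_status(conf_text):
    """Classify the <secure> value found inside the <ldap> section.

    Returns one of: 'ssl-enabled', 'ssl-disabled', 'no-ldap-section',
    'no-secure-element', 'conflicting', or 'unexpected:<value>'.
    A <secure> element outside <ldap> is deliberately ignored.
    """
    text = _COMMENT.sub("", conf_text)
    sections = _LDAP.findall(text)
    if not sections:
        return "no-ldap-section"
    values = [v for section in sections for v in _SECURE.findall(section)]
    if not values:
        return "no-secure-element"
    if len(set(values)) > 1:
        # Two different values: which one the server honours is unknown.
        return "conflicting"
    if values[0] == "1":
        return "ssl-enabled"
    if values[0] == "0":
        return "ssl-disabled"
    return "unexpected:" + values[0]


def audit_file(path):
    """Read one acesc.conf copy and return (path, status)."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return path, ldap_secure_status(handle.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = [audit_file(p) for p in sys.argv[1:]]
    else:
        results = [("sample-workaround", ldap_secure_status(SAMPLE_WORKAROUND)),
                   ("sample-default", ldap_secure_status(SAMPLE_DEFAULT))]
    for name, status in results:
        print(f"{name}: {status}")
    # Non-zero exit when any file is not confirmed as SSL-enabled.
    sys.exit(0 if all(s == "ssl-enabled" for _, s in results) else 1)
```

Run it against collected copies of acesc.conf; any result other than `ssl-enabled` marks a server to review.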

You may also view a list of all knowledge base articles related to ACE 2.0.