My Little Red Zed Edge – ZyXEL Zywall USG-50 Review

So I have a confession to make. I love Zyxel USG firewalls.

There, I said it. Feels good to finally admit it, to come out of the closet as a ZedHead, more or less.

I do not fear the judgment of the packet-pushing literati on twitter, because my little Red Zed edge device is loaded with features and packed with value. Way more value than an ASA 5505 at any rate.

And after like six months of trying to understand the damn thing, I finally get it. Let me tell you a little about RedZed.daisettalabs.net, the edge device guarding the home lab, Child Partition, Supervisor Mod spouse and me from the big bad internet.


The Good

It’s so loaded with features, it’s practically a hyperconverged play: For $200 and change, my Zyxel USG-50 Zywall is packed with features other vendors would have sharded out as separate SKUs long ago. Just take a look at the feature list here. Granted, the sexier ones are subscriptions, but Zyxel lets you take them for a test drive for 30 days, which I of course did the moment I got it. I haven’t subscribed to any since they expired, and frankly was disappointed with the BlueCoat implementation, but I’m considering the IDP subscription.

Even excepting all of the subscription programs, the Zed punches above its class with features that offer real value for a small/medium business, or even nerds guarding the LAN at home. The ones I really appreciate are listed below.

It’s PKI in a box, with some good identity integration: I like Public Key Infrastructure systems and so should you. The ZyXEL comes with one built-in. Though modest in scope (essentially you can generate/sign certs, no revocation/responder pieces) this is a nifty thing to have at this pricepoint, just the kind of value-add a small business might look for.

The Zed also capably integrates with AD directly, though in my testing it was a bit clunky & quite slow to authenticate against a 2012R2 domain. So, you can do what I did and switch to RADIUS, or LDAP if that’s your speed.

Easy WAN LBFO:  With the USG-50, you get two WAN links with easy ability to failover or spillover between them.

I’m using this in the lab at home and it works quite well. Though I only have one consumer internet connection, I’ve found that my provider hands out two public, routable IP addresses if I connect two cables to my modem. This is awesome -worth its own post really- as I’ve been able to test WAN failure on Zed.

On WAN Port 1, I’ve got my last edge firewall device, a small PFsense box with an AMD Sempron and privoxy.

On WAN Port 2, I’m cabled directly to the modem. You get quite a few options to manage failover/spillover between the links, just like when you’re making an MPIO storage policy to your array! Perfect.

Both links work (double-natting behind pfsense works too, though I only ran it like that for a short while), and failover is pretty much transparent on general web stuff; even a VPN service I run on node1 maintains connectivity during the failover.

Time for some Gifcam action:

[Animated GIF: WAN failover between the two links]

Zyxel seems to know its target market quite well, and that market has commodity internet circuits -not private leased lines- connecting branch to HQ and branch to internet. WAN failover (no aggregation here, but I’m not sold on WAN aggregation yet) is important, and it’s huge that the Zed rocks LBFO out of the box, no licenses needed, and a few clicks to configure.

Zone-based firewall: I am not a security guy, but I understand the state of the art thinking to be less Internal/External than it used to be, and more segmentation everywhere via zones, based on a sort of defense-in-depth concept; create checkpoints, or at least rules, between external & internal segments of your network, in other words.

Zones come built in by default with ZyXEL, and figuring out the proper way to use them is what caused me so much pain & suffering with this device for so many months.

Now, I think I’ve got the concept down, but I’m not confident enough to talk about how well this device secures zones internally or externally, so just know this: it’s there. The firewall is ICSA certified, though reading through those docs it didn’t seem like that was much more than a rubber-stamp.

Object-Oriented ports, interfaces, zones, and VLANs: So this is the heart of the USG line, more or less. It’s why some dislike working with USGs, and others, like me, warm up to and eventually appreciate it. YMMV.


So what’s this OO thing about? I like to think of it as an abstraction, just like anything else in virtualization. Let’s take a look at how the docs define Zones, for instance:

[Screenshot: the manual’s definition of Zones]

Oh. That’s not so bad, right? As long as I know the rules, I should just be able to click this thing here, hit apply on that thing there, and voila! ping my SVI…ahhh damnit!

Locked out again.

But seriously, when you go to configure this screen:

[Screenshot: the zone configuration screen]

lock yourself out again, and refer back to the manual to figure out what you did wrong and you see this:

[Screenshot: the manual’s zone/interface diagram]

then you hop on putty post-factory default and it shows you something like this:

[Screenshot: ZyWALL CLI session after a factory reset]

you feel kind of stupid and you start to hate this device, which seems to suffer from an acute case of Layer 2/Layer 3 identity disorder.

But struggle through it packeteer, because what awaits you on the other end is, if not the SDN you’ve been waiting for, then at least pretty damn flexible.

Here’s a primer to help you through:

Zone: A group of interfaces + a security context. You get three on the USG-50: DMZ, LAN1, LAN2

Interfaces: Software-based, not hardware. Three: LAN1, LAN2, DMZ. RENAME THESE!

Ports: The physical RJ-45; you get four

Port Groups: Hardware-based links connecting ports with each other

And the soft bits:

VLANs: VLANs exist on interfaces and cannot span multiple Zones. They act like trunked ports, and they tag outbound, and look for tags on inbound. Do you like SVIs? Well if you do then you gotta put an IP on it (required)

Bridges: A software link between interfaces at Layer 2. More or less the traditional definition of a switch, right? But you can put an IP on a bridge and -strangely- span zones with Bridges.

Vifs: As you would expect, simple vifs can be created in the contexts above. Useful.

I’m a visual person, so I made a little chart to help me get it.

[Chart: how zones, port groups, VLANs and bridges relate on the Zywall]

The chart shows a couple of things: 1) there are three zones in the four boxes. All the things inside each box belong to that zone, and not to other zones. 2) The center circle area shows re-named port-groups. My best advice is to rename LAN1 & LAN2 into something else, so that you don’t get mixed up as I consistently did. 3) VLANs can exist only within a single Zone, but effectively span ports. 4) Bridge is all sorts of Twilight Zone, as a Bridge can join a VLAN in Zone 2 with the DMZ port group in Zone DMZ (but not its VLAN). 5) Ports are really nothing, just agnostic Layer 1 interfaces, or at least you can turn them into that.
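To make the primer and chart concrete, here is an added example (my own, not ZyXEL code or anything from the manual) that models the object hierarchy and enforces the rules stated above: interfaces belong to one zone, a VLAN rides on one interface (so inherits its zone and can never span zones) and must carry an IP, and a bridge may join members from different zones. The zone names, renamed interfaces, VLAN IDs and addresses are a constructed sample in the shape of the chart, and the classify() output is only a description of which boundary a flow touches, not a statement of what the device’s policy does with it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    zone: str          # an interface belongs to exactly one zone


@dataclass
class Vlan:
    vid: int
    interface: str     # the interface the VLAN rides on; it inherits that zone
    ip: str            # required: a VLAN on the USG must carry an IP (an SVI)


@dataclass
class Bridge:
    name: str
    members: List[str]  # interface or VLAN names joined at Layer 2
    ip: Optional[str] = None


class UsgModel:
    """Zones, interfaces, VLANs and bridges, with the primer's rules enforced."""

    def __init__(self, zones: List[str]) -> None:
        self.zones = set(zones)
        self.interfaces: Dict[str, Interface] = {}
        self.vlans: Dict[str, Vlan] = {}
        self.bridges: Dict[str, Bridge] = {}

    def add_interface(self, name: str, zone: str) -> None:
        if zone not in self.zones:
            raise ValueError(f"unknown zone {zone!r}")
        self.interfaces[name] = Interface(name, zone)

    def add_vlan(self, vid: int, interface: str, ip: Optional[str]) -> str:
        # A VLAN lives on one interface, so it can never span zones; and it needs an IP.
        if interface not in self.interfaces:
            raise ValueError(f"unknown interface {interface!r}")
        if not ip:
            raise ValueError(f"vlan{vid} on {interface} has no IP; the USG requires one")
        name = f"vlan{vid}"
        self.vlans[name] = Vlan(vid, interface, ip)
        return name

    def add_bridge(self, name: str, members: List[str], ip: Optional[str] = None) -> None:
        # Bridges are allowed to span zones; cross_zone_bridges() reports those for review.
        for m in members:
            if m not in self.interfaces and m not in self.vlans:
                raise ValueError(f"unknown bridge member {m!r}")
        self.bridges[name] = Bridge(name, list(members), ip)

    def zone_of(self, obj: str) -> str:
        if obj in self.interfaces:
            return self.interfaces[obj].zone
        if obj in self.vlans:
            return self.interfaces[self.vlans[obj].interface].zone
        raise KeyError(obj)

    def classify(self, src: str, dst: str) -> str:
        """Describe the path src -> dst in terms of the zone model."""
        for br in self.bridges.values():
            if src in br.members and dst in br.members:
                # A Layer 2 path joining the two; verify which zone rules your policy applies to it.
                return f"bridged:{br.name}"
        if self.zone_of(src) == self.zone_of(dst):
            return "intra-zone"        # stays inside one security context
        return "inter-zone"            # crosses from one security context to another

    def cross_zone_bridges(self) -> List[str]:
        """Bridges whose members sit in different zones: the 'Twilight Zone' case."""
        return [br.name for br in self.bridges.values()
                if len({self.zone_of(m) for m in br.members}) > 1]


def build_lab_model() -> UsgModel:
    """Constructed sample config in the shape of the chart above (addresses are made up)."""
    m = UsgModel(["LAN1", "LAN2", "DMZ"])
    m.add_interface("trusted", "LAN1")   # renamed from LAN1, as the primer advises
    m.add_interface("iot", "LAN2")       # renamed from LAN2
    m.add_interface("dmz", "DMZ")
    m.add_vlan(421, "trusted", "10.42.1.1/24")   # laptop net + 5 GHz
    m.add_vlan(420, "iot", "10.42.0.1/24")       # 2.4 GHz and less-trusted devices
    m.add_bridge("br0", ["vlan420", "dmz"])      # a bridge spanning LAN2 and DMZ
    return m


if __name__ == "__main__":
    lab = build_lab_model()
    for a, b in [("vlan421", "trusted"), ("vlan421", "vlan420"), ("vlan420", "dmz")]:
        print(f"{a} -> {b}: {lab.classify(a, b)}")
    print("bridges spanning zones:", lab.cross_zone_bridges())
```

Running it lists one intra-zone flow, one inter-zone flow, one bridged flow, and flags br0 as the bridge that joins two zones, which is exactly the case worth a second look in the rule set.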

From your Cisco switch, this is great, and enabled me to finally do what I wanted to do in my lab: tagging, everywhere and always from edge to core, and out back again over the airwaves! From my Meraki (VLAN 420 is for 2.4 GHz and devices I don’t really trust, 421 is laptop net + 5 GHz) to the Zywall through my 2960s, all is tagged, all is controlled and segmented.

Was it worth the six month fight with Zed to get to this point?

Why yes, yes it was.

All around decent performance: Again, punching at or a little above its weight in firewall performance, and still offering good bang for buck value on encryption & IPS compared to the ASA 5505 ($340 retail), the other device I see everywhere in SME. Performance table based off spec-sheets below:

Item                       Zed USG-50                   Cisco ASA 5505
SPI firewall throughput    up to 225 Mb/s               up to 150 Mb/s
3DES/AES VPN throughput    90 Mb/s                      up to 100 Mb/s
IPS throughput             30 Mb/s                      up to 75 Mb/s
RJ-45 ports                2 x GbE WAN + 4 x GbE LAN    8 x FE, two with PoE
IPSec tunnels (max)        10                           10 (base)

You can buy it at Fry’s, which is how I got mine: Oh man, I am really putting myself out there by admitting to occasionally shopping at Fry’s Electronics. Visiting Fry’s usually depresses me…as a retail experience, it’s not aged well and seeing one row after another filled with discarded, rejected & returned technology items is a real downer.

But sometimes the sales are really compelling. I had my eye on the USG-50 for months at $240, but I couldn’t pull the trigger until I saw it was on sale at Fry’s one weekend for $200. So I bought it, racked/stacked it in my lab that evening, and now, six months later, I’m astounded that you can just walk in and buy a value & feature-packed device like this without talking to a VAR first.

ZyXel could probably make more money if they parsed out the features as SKUs & sold the USG exclusively through the channel, but they don’t. They sell it in places you can find consumer/prosumer equipment and pack it with some nice features an IT guy can appreciate.

Good Update Tempo: No gripes on the amount of firmware updates ZyXel continuously pushes out for free. I watch the CVE list for vulnerabilities, and while ZyXel has a spotty record in other product lines, it looks like you have to go back to 2008 to find a CVE that applies to the USG line.

No one knows how to pronounce the goofy name, so you can nickname it: Wikipedia’s description of the origin of the ZyXEL name is fun:

When ZyXEL unveiled its first chip-design (ZyXEL was originally a modem-chip design company) back in the late 1980s, the company only had a Chinese name (pronounced Her-Chin = “people work together very hard”). So it had to come up with an English name for a trade show in Asia. The original idea was ZyTEL (“Zy” means nothing, “TEL” for telecommunications). The problem was that someone already had this name announced for the show. So they played around with the letters and came up with ZyXEL instead.

The name does not actually mean anything, although some people claim “XEL” is a word-play on “excellence”.

The next challenge was how to pronounce it (everybody in the company was Chinese at that time).

So they fed the name into an old speech synthesizer (reportedly it was an Amiga). And the synthesizer pronounced it “Zai-Cel”.

I gave up and call it Zed, the proper British pronunciation of the letter Z.

Embrace color in your stack: Everyone’s putting some flourish & color into rack-mounted equipment, but Zed’s been Red for years.

Great, readable, dense documentation: Though I poke fun at the documentation above, it’s actually very very good at this price range. Six hundred pages good. Well-written too, with adequate diagrams, organization and scenarios.

Links at the bottom.

The Bad

Don’t use it as your DG for everything: If you are using a USG line device, my advice is not to think of those LAN-side ports as Layer 2 switch ports, and furthermore, not to use this device as the default gateway handed out to clients that need LAN performance. Why?

Simple. It’s not really a switch, and it doesn’t perform well if you use it as such at Layer 2, and especially at Layer 3. Remember the zones above? Well they are security contexts, which means that your packets must gate through them, which will -mark my words- slow them down.

Simple example: using Red Zed as DG on my LAN, I tested large (4GB) SMB 3 file copies to my storage box. I peaked at about 180 megabits/second, a truly pathetic number, but within the performance spec listed for the inspection engine looking at packets flowing between zones. Even within the same Zone (same port-group, so effectively switching at Layer 2) I couldn’t hit above 45 megabytes/second, far less than the 260MB/s transfers I can achieve with my switch & LACP.

If you need performance but you like the Zone model, I recommend you use your switch as DG for servers and make the USG the gateway of last resort on the switch. Assuming your packets are tagged, you stay in your VLAN context throughout.

For untrusted clients, or clients that don’t need wired performance, use the USG-50 as DG.

The Ugly & Conclusion

I can’t find anything ‘ugly’ about the USG. It’s a great device with a ton of functionality and neat features that make it a superb value against a more traditional ASA 5505.


Zywall USG50 CLI

ZyWALL USG 50_v3 manual

Microsoft is the original & ultimate hyperconverged play

The In Tech We Trust Podcast has quickly become my favorite enterprise technology podcast since it debuted late last year. If you haven’t tuned into it yet, I advise you to get the RSS feed on your favored podcast player of choice ASAP.

The five gents ((Nigel Poulton, Linux trainer at Pluralsight; Hans De Leenheer, datacenter/storage and one of my secret crushes; Gabe Chapman; Marc Farley; and Rick Vanover)) putting on the podcast are among the sharpest guys in infrastructure technology, have great on-air chemistry with each other, and consistently deliver an organized & smart format that hits my player on-time as expected every week. Oh, and they’ve equalized the Skype audio feeds too!

And yet….I can’t let the analysis in the two most recent shows slip by without comment. Indeed, it’s time for some tough love for my favorite podcast.

Guys you totally missed the mark discussing hyperconvergence & Microsoft over the last two shows!

For my readers who haven’t listened, here’s the compressed & deduped rundown of 50+ minutes of good stimulating conversation on hyperconvergence:

  • There’s little doubt in 2015 that hyperconverged infrastructure (HCI) is a durable & real thing in enterprise technology, and that that thing is changing the industry. HCI is real and not a fad, and it’s being adopted by customers.
  • But if HCI is real, it’s also different things to different people; for Hans, it’s about scale-out node-based architecture, for others on the show, it’s more or less the industry definition: unified compute & storage with automation & management APIs and a GUI framework over the top.
  • But that loose definition is also evolving, as Rick Vanover sharply pointed out that EMC’s new offering, vSpex Blue, offers something more than what we’d traditionally (like two weeks ago) think of as hyperconvergence

Good stuff and good discussion.

And then the conversation turned to Microsoft. And it all went downhill. A summary of the guys’ views:

  • Microsoft doesn’t have a hyperconverged pony in the race, except perhaps Storage Spaces, which few like/adopt/bet on/understand
  • MS has ceded this battlefield to VMware
  • None of the cool & popular hyperconverged kids, save for Nutanix and Gridstore, want to play with Microsoft
  • Microsoft has totally blown this opportunity to remain relevant and Hyper-V is too hard. Marc Farley in particular emphasized how badly Microsoft has blown hyperconvergence

I was, you might say, frustrated as I listened to this sentiment on the drive into my office today. My two cents below:

The appeal of Hyperconvergence is a two-sided coin. On the one side are all the familiar technical & operational benefits that are making it a successful and interesting part of the market.

  • It’s an appliance: Technical complexity and (hopefully) dysfunction are ironed out by the vendor so that storage/compute/network just work
  • It’s Easy: Simple to deploy, maintain, manage
  • It’s software-based and it’s evolving to offer more: As the guys on the show noted, newer HCI systems are offering more than ones released 6 months or a year ago.

The other side of that coin is less talked about, but no less powerful. HCI systems are rational cost centers, and the success of HCI marks a subtle but important shift in IT & in the market.

  • It’s a predictable check cut to fewer vendors: Hyperconvergence is also about vendor consolidation in IT shops that are under pressure to make costs predictable and smoother (not just lower).
  • It’s something other than best-of-breed: The success of HCI systems also suggests that IT shops may be shying away from best-of-breed purchasing habits and warming up to a more strategic one-throat-to-choke approach ((EMC & VMware, for instance, are titans in the industry, with best-in-class products in storage & virtualization, yet I can’t help but feel there’s more going on than the chattering classes realize. Step back and think of all the new stuff in vSphere 6, and couple it with all the old stuff that’s been rebranded as new in the last year or so by VMware. Of all that ‘stuff’, how much is best of breed, and how much of it is decent enough that a VMware customer can plausibly buy it and offset spend elsewhere?))
  • It’s some hybrid of all of the above: HCI in this scenario allows IT to have its cake and eat it too, maybe through vendor consolidation, or cost-offsets. Hard to gauge but the effect is real I think.

((As Vanover noted, EMC’s value-adds on the vSpex Blue architecture are potentially huge: if you buy vSpex Blue architecture, you get backup & replication, which means you don’t have to talk to or cut yearly checks to Commvault, Symantec or Veeam. I’ve scored touchdowns using that exact same play, embracing less-than-best Microsoft products that do the same thing as best-in-class SAN licenses))

And that’s where Microsoft enters the picture as the original -and ultimate- Hyperconverged play.

Like any solid HCI offering, Microsoft makes your hardware less important by abstracting it, but where Microsoft is different is that they scope supported solutions to x86. VMware, in contrast, only hands out EVO:RAIL stickers to hardware vendors who dress x86 up and call it an appliance, which is more or less the Barracuda Networks model. ((I’m sorry. I know that was a cheapshot, but I couldn’t resist))

With your vanilla, Plain Jane whitebox x86 hardware, you can then use Microsoft’s Hyperconverged software system (or what I think of as Windows Server) to virtualize & abstract all the things from network (solid NFV & evolving overlay/SDN controller) to compute to storage, which features tiering, fault-tolerance, scale-out and other features usually found in traditional SAN systems.

But it doesn’t stop there. That same software powers services in an enormous IaaS/PaaS cloud, which works hand-in-hand with a federated productivity cloud that handles identity, messaging, data-mining, mail and more. The IaaS cloud, by the way, offers DR capabilities today, and you can connect to it via routing & ipsec, or you can extend your datacenter’s layer 2 broadcast domain to it if you like.

On the management/automation side, I understand/sympathize with ignorance of non-‘softies. Microsoft fans enthuse about Powershell so much because it is -today- a unified management system across a big chunk of the MS stack, either masked by GUI systems like System Center & Azure Pack or exposed as naked cmdlets. Powershell alone isn’t cool though, but Powershell & Windows Server aligned with truly open management frameworks like CIM, SMI-S and WBEM is very cool, especially in contrast to feature-packed but closed APIs.

On the cost side, there’s even more to the MS hyperconverged story: Customers can buy what is in effect a single SKU (the Enterprise Agreement) and get access to most if not all of the MS stack.

Usually, organizations pay for the EA in small, easier-to-digest bites over a three year span, which the CFO likes because it’s predictable & smooth. ((Now, of course, I’m drastically simplifying Microsoft’s licensing regime and the process of buying an EA, as you can’t add an EA to your cart & checkout, it’s a friggin negotiation. And yes I know everyone hates the true-up. And I grant that an EA just answers the software piece; organizations will still need the hardware, but I’d argue that de-coupling software from hardware makes purchasing the latter much, much easier, and how much hardware do you really need if you have Azure IaaS to fill in the gaps?))

Are all these Microsoft things you’ve bought best of breed? No, of course not. But you knew that ahead of time, if you did your homework.

Are they good enough in a lot of circumstances?

I’ll let you judge that for yourself, but, speaking from experience here, IT shops that go down the MS/EA route strategically do end up in the same magical, end-of-the-rainbow fairy-tale place that buyers of HCI systems are seeking.

That place is pretty great, let me tell you. It’s a place where the spend & costs are more predictable and bigger checks are cut to fewer vendors. It’s a place where there are fewer debutante hardware systems fighting each other and demanding special attention & annual maintenance/support renewals in the datacenter. It’s also a place where you can manage things by learning verb-noun pairs in Powershell.

If that’s not the ultimate form of hyperconvergence, what is?

Snover re-factoring Windows Server & System Center

My last two posts on Microsoft were filled with angst and despair at Microsoft’s announcement that the next gen versions of Server & System Center would be delayed until sometime in 2016. Why, I cried out, why the delay on Server, and what’s to become of my System Center, I wondered?

I went a bit off-the-rails, imagining that Satya Nadella had shaken things up for the System Center team. Then I wrote a letter to him asking him what was up.

Snover & Microsoft love Linux

Well, I was wrong on all that, or perhaps I was only a little bit right.

There was a shakeup, but it wasn’t Nadella who had angrily overturned a gigantic redwood table at System Center HQ, spilling Visio shapes & System Center management packs as he did so, rather it was Mr Windows himself, the Most Distinguished of Distinguished Technical Fellows, Dr. Jeffrey Snover who had shaken things up.

Yes. The Padre of Powershell himself filled in the gaps for me on why System Center & Windows Server were delayed during a TechDays online one day after my last post.

During that talk, he announced that the Windows Server Team has been meshed with the System Center Team and, even better, the Azure team. Hot dog.

Redmond mag:

[Snover] explained that the System Center team and the Windows Server team are now “a single organization,” with common planning and scheduling. He said that the integration of the two formerly separate organizations isn’t 100 percent, but it’s better than it’s been in the past. The team also takes advantage of joint development efforts with the Microsoft Azure team, he added.

That’s outstanding news in my view.

Microsoft’s private|hybrid|public cloud story is second to none as far as I’m concerned. No one else offers deep integration between cutting edge public cloud systems (Azure) with your on-prem legacy infrastructure stack.

Yet that deep integration (not speaking of AAD Sync & ADFS 3 here) was becoming confused and muddled with overlap between the older tools (System Center) and the newer tools like Desired State Configuration, mixed in with AzurePack, an on-prem/cloud management engine.

It sounds to me like Snover’s going to put together a coherent strategy using all the tools, and I can’t think of a better guy to do the job.

But what of Windows server?

It’s getting Snovered too, but in a way that’s not as clear to me. Again, Redmond mag:

The next Windows Server product will be deeply refactored for cloud scenarios. It will have just the components for that and nothing else, Snover explained. Next, on top of that, Microsoft plans to build a server that will be the same as the Windows Servers that organizations currently use. This server will have two application profiles. One of the application profiles will target the existing APIs for Windows Server, while the other will target the subsets of the APIs that are cloud optimized, Snover explained. On top of the server, it will be possible to install a client, he added. This redesign is happening to better support automation, he explained.

I watched most of Snover’s talk, took a few days to think about it, and still have no idea what to make of the high-level architecture slide below that flashed on screen briefly:

[Slide: Windows Server vNext high-level architecture]

Some thoughts that ran through my head: is the cloud-optimized server akin to CoreOS, with active/passive boot partitions, something that will finally make Patch Tuesday obsolete? One could hope that with further abstraction, we’ll get something like that in Windows Server vNext.

In some sense, we already have parts of this: if you enable the Hyper-V feature on a bare-metal computer, you emerge, after a few reboots, running a Windows virtual machine atop a Type-1 Hypervisor.

Big deal right? Well, Snover’s slide seems to indicate this will be the default state for the next generation of Windows server, but more than that, it seems to indicate that what we think of as the Type-1 Hypervisor is getting a bunch of new features, like container support.

We knew Docker support was coming, but at this level, and almost indistinguishable from the hypervisor itself?

That’s potentially all kinds of awesome.

Interestingly, Server Roles & Features look like they’re being recast into a “Client” level that operates above a Windows Server.

Which, if we continue down the rabbit hole, means we have to ask the question: If my AD Domain Controller or my RemoteApp session host farm servers are now clients, what are they running on? It certainly doesn’t seem to be a Windows server anymore, but rather a kind of agnostic compute fabric, made up of virtual “Servers” and/or “Containers” operating atop a cloud-optimized server running on bare-metal…an agnostic computing ((Damn straight, had to work that in there)) fabric that stretches across my old on-prem Dells all the way up to the Azure cloud…right?!?

I’m like four levels deep into Jeffrey Snover’s subconscious so I’ll stop, but suffice it to say, the delay of Windows Server & System Center appears to be justified and I can’t wait to start testing it in 2016.

Open Letter to Satya Nadella re: Windows Server/System Center Delay

Seattle, WA (AP): Microsoft today postponed the release of its next generation computer server operating system, Windows Server 2015, as well as a companion app or program called “System Center” in a stunning move that left IT Pros throughout the world sad, angry, and in a state of bewilderment. The Redmond-based computing giant told reporters it had no further comment

Whoa whoa whoa. This has got to be a mistake. Hey Cortana, why is the AP reporting that Server’s been delayed?

Cortana: That’s classified. 

Say what Cortana??

Cortana: Master Chief, that is classified information. 

Classified? Windows Server? System Center? Cortana, you’re buggy as hell. Take down this email addressed to Mr. Satya Nadella.

Cortana: Yes Master Chief. 

Dear Satya Nadella,

I read this about Server & System Center, and I’m in shock.

Microsoft today postponed the release of its next generation computer server operating system, Windows Server 2015, as well as a companion app or program called “System Center”

Like hell you are going to delay……come on Mr. Nadella, I thought you were an enterprise guy, like me! What gives?

I’ve been computing on Server Technical Preview Build 9481 -a four month old operating system for crying out loud- patiently waiting for something fresh and new, for some of the promised manna from the Azure clouds to drop onto me.

Waiting around like an unloved Android handset waiting in vain for its Kit Kat update, hopeful on release day, yet the update progress bar never comes.

It never comes Mr Nadella, and I am just a sad, jilted little robot, green & jealous of all the attention the Insiders receive on Windows 10. I just don’t understand….Of all the things you could have punted on, all the useless consumer things like that health band, you decided to punt on Windows Server & System Center?

The insiders complain about Windows 10, even as they download the new bits & enjoy the new features, they complain. How your team suffers these fools is beyond me.

Yet your Server fans can’t even install Windows Management Framework 5.0 and play with all the neat cutting edge things available to WMF 5 on Server 2012 R2. Do we bitch and moan? Not as much!

That cuts me deep, Mr. Nadella, real deep.

Mary Jo says you’ve halted the release of System Center & Server this year because you want to get more feedback from customers, that woe-is-me IT Professionals are urging you to slow down, begging, “Please…mercy sir!! We upgraded two years ago! We don’t want to do it again so soon! Please let us have Windows 2003 for a few more years!!”

If I may suggest Satya, if I can call you by your first name. These are not the IT Professionals you are looking for. You should talk to IT Pros like me, or Aidan Finn, or Didier van Hoye, we’re the guys who got the memo that servers are not pets, but cattle, and that like all cattle, VMs have a certain natural lifecycle, a lifecycle, I might add, that you can make into a Cattle Template right in System Center VMM.*

Or is it something else? Does the Google/VMware cloud thing have you worried? I wouldn’t fret too much; it’s totally obvious those two lack something important that can only be had by jumping in bed with the other. For VMware, it’s cloud credibility, for I have seen the vCloud Air, and yea though I was impressed, it still lacks a certain je ne sais quoi compared to Azure. As for Google? They want into the brownfield enterprise, which, if it’s virtual, is about 2/3rds VMware and 25% Microsoft.

What they both want is what you have in spades Satya: a story. A story that sounds like science fiction but is actually running in production around the world right now today. A story with a hero whose name is Windows Server, a multi-talented, jack-of-all-trades/master-of-some genuine American hero that can beat just about any enterprise villain in the hands of a skilled IT Pro like me.  Like so:

Windows Server. Not afraid to rationalize and tier your storage, just like a SAN. 

Windows Server & VMM: It’s the Type 1 Hypervisor & automation engine that ropes, rides, and gathers up all your stray VMs so that they can be put to work for you. 

Windows Server. With Exchange as his sidekick, makes for a best-in-class messaging platform, on-prem, hybrid, or up in Office 365. 

Windows Server, SCOM, and SCCM: You don’t need to hire a Sheriff to police things when Windows Server comes to town, for he’s packing all sorts of security heat: PKI, RMS, RBAC, identity, sChannel, AD, Defender, antimalware, Forefront. And his sidekick SCCM will keep tabs on all the PCs, mobile devices. 

Windows Server: It’s Azure-scale, runs Nebula too, but is humble & approachable enough to slum it in a garage lab

Windows Server: GUI?!? We don’t need no stinkin’ gui for Windows Server has Powershell. 

Windows Server is all these things to me, and now you’ve delayed it Mr. Nadella. I’m crushed.

Please tell me it’s for a good reason, like you’re going to make all those cool things I learned at TechEd Barcelona come true (I need a VXLAN story, Mr. Nadella, and  a Docker story would be nice too, and keep working the Storage Spaces replication storyline, ok?).

Please tell the devs to go back to their TFS Consoles, their swank Visual Cloud Studios and tell them not to forget about us Server fans, ok?

Sincerely,

Jeff Wilson

Agnostic Computing.com

* My Physical servers &  VMs are cattle and I birth ’em, brand ’em, work ’em, drive ’em hard, slaughter ’em and experiment on their leftover parts in my lab. Yeeehaaa!!