Category: Uncategorized

ZScaler: The Game Changer Making Healthcare Access Simple and Secure

October 23rd, 2025
You know those projects that make you think, “This is exciting… but wow, I really hope I don’t mess this up”? That was me when this one came my way.

It wasn’t that I didn’t want it, I did! I love a good challenge. I just wanted to make sure I could handle it well. In healthcare, every second counts, and the technology behind the scenes has to perform flawlessly. When clinicians depend on what you build, “good enough” just isn’t good enough.

That’s where this project came in and why it ended up being one of the most rewarding experiences I’ve had as an architect.

The Challenge

We had remote users who needed to access medical images securely and efficiently. The system we had technically worked, but it was overly complicated, the kind of setup that makes you wish you had an extra cup of coffee before logging in.

Here was the old workflow:
1. Log into a pod
2. Log into Windows
3. Launch VPN
4. Check all USB devices
5. Verify that all four monitors were functioning
6. Make sure someone had logged into the image within the last 30 days (so it didn’t fall off the domain — yes, that was really a thing)
7. And finally… start working
Maintaining it was complex, troubleshooting it was painful, and explaining it to new users required patience and possibly a flowchart. We needed something simpler, faster, and more secure.

The Research

Like any determined IT person faced with a messy process, I started digging for a better way. After researching several options (and more than a few cups of coffee), an amazing friend and resource, Steve Lieberson, introduced me to ZScaler.

Now, I’ll admit, I don’t come from a heavy security background, so ZScaler’s zero trust architecture felt a little foreign at first. But the more I learned, the more it clicked. This wasn’t just a new tool; it was a completely different approach to access and security.

After reviewing case studies, mapping the design, and building a solid proof of concept, I presented it to management. They approved it, and that’s when things got interesting.

The Execution

Enter Frank Van Emburgh, the application expert who helped turn this plan into a success. I can build the infrastructure all day long, but when it comes to application configuration, Frank is the guy you want on your team. Together, we made it happen.

Here’s what changed:

Before:
- Log into the pod
- Log into Windows
- Launch VPN
- Check USB devices
- Verify all four monitors
- Make sure someone logs into the image within 30 days so it doesn’t fall off the domain
- Finally, start working
After:
- Open ZScaler Private Access (ZPA)
- Open your apps
- Start working
That’s it. Seriously.

The difference was night and day. The physicians were thrilled, one even said, “Wait, that’s all I have to do now?” Coming from a workflow that used to take several steps and logins, that’s high praise.

Why ZScaler Works

ZScaler’s app segmentation is a game changer. Instead of giving users broad access to the network, it gives them only what they need, nothing more, nothing less. Imagine a physician connecting remotely: they see only access specific applications, and everything else stays invisible.

Built on a zero trust architecture, ZScaler doesn’t assume any connection is safe. Every session is verified and authorized in real time. Unlike traditional VPNs, which can feel like opening the whole network door, ZScaler acts as a secure broker, users never actually reach your internal systems, and your apps remain hidden from the internet.

And the protection goes deep:
- Inline threat inspection: every session is scanned for malware or suspicious activity.
- Micro-segmentation: even if someone gains access to one application, they can’t move sideways through the network.
- Continuous trust assessment: ZScaler keeps evaluating device health, user behavior, and location, if something changes mid-session, access can be cut off instantly.
- Data Loss Prevention: if someone accidentally tries to move sensitive data to an unauthorized place, ZScaler blocks it automatically.
We also implemented ZScaler Digital Experience (ZDX) for full visibility across applications, devices, and network hops. Now, when a user experiences slowness, we can pinpoint exactly where the issue lies, no more “it’s the network” debates.

The Outcome

After a successful proof of concept, we went live, and the results have been fantastic. We replaced a traditional perimeter-based model with a modern, identity-based solution that follows the user wherever they go.

The workflow is simpler, performance is faster, and security is stronger. Most importantly, the physicians can focus on their work without wrestling with logins and connections.

Looking Back

As someone who started out deep in infrastructure and grew into an architect role, this project reminded me why I love what I do. It pushed me to learn, grow, and think differently.

I wasn’t afraid of the project itself, I just wanted to make sure I did it right. And that feeling, the mix of excitement and nerves is exactly what keeps me passionate about technology.

Because when a project challenges you, it’s not a sign of doubt. It’s a sign that you’re about to level up.

Key Takeaway:
If a project makes you a little nervous, that’s a good thing. It means it’s worth doing.
Yes, vCenter 7 Goes EOL 10/2/2025. Yes, You Need to Upgrade Now

September 29th, 2025
Look, I know you’ve seen the https://knowledge.broadcom.com/external/article/372863 (Upgrade vCenter Server 7.0 to 8.0), but sometimes you just want a real human to walk you through it without the corporate jargon, right?

So here we are.

Before You Touch Anything:
- Read the compatibility matrix (I know it’s boring, but do it anyway)
- Test your login credentials for vCenter, VCSA, and ESXi, now’s not the time to discover you can’t remember your password
- Confirm with your backup team that the last appliance backup actually succeeded
- Log into VCSA and verify storage health
- Check your certificates (covered in Step 3 below)
The Upgrade Process:

1. Take a snapshot
You know why. Do it.

2. Download the ISO
Get the vCenter 8.0 installer from VMware.

3. Run certificate prechecks
Make sure nothing’s expired or about to cause you grief mid-upgrade.

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo “[*] Store :” $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list –store $store –text | grep -ie “Alias” -ie “Not After”;done;

4. Note your current vCenter host
Document which ESXi host is currently running your vCenter appliance.

5. Verify VCSA storage
Check available disk space and storage health one more time.

6. Mount the ISO and launch the installer
Navigate to vcsa-ui-installer\win32 (assuming you’re on Windows).

7. Click “Upgrade” and follow the prompts
- Enter your existing appliance details
- Specify the target ESXi host for the new appliance
- Configure network settings
- Review everything carefully
8. Be patient during Stage 1
This is where the new appliance deploys. Go grab coffee. Maybe a snack.

9. Continue to Stage 2
- The installer will run pre-upgrade checks
- Select which data to migrate
- Review your selections one last time
10. Be patient again
Stage 2 takes a while. This is normal. Don’t panic.

11. You’re done!
If everything completed successfully, congratulations, you’ve just saved yourself from running an unsupported vCenter environment.

Pro tip: If something goes wrong, that snapshot you took in Step 1 is about to become your best friend or maybe that backup as a last resort
VxRail 7 to 8 Upgrade Adventures (a.k.a. “It Should Have Been Easy…”)

September 9th, 2025
So the day finally came: time to upgrade one of our VxRail clusters from 7 to 8. On paper, it looked simple. Run the pre-check, hit upgrade, sip coffee, and bask in the glory of being done before lunch.

Spoiler: that didn’t happen.

(And yes, we’re still on good ol’ vSphere. Don’t laugh. Hopefully one day soon, we’ll have a shiny VCF setup. I’m already daydreaming about VCF 9.1, where VMware promises the VxRail upgrade path will finally feel less like a haunted house tour.)

The Plot Twist: vCenter Said “Nope”

Everything looked good until the vCenter upgrade step:
- GUI Error: Failed to upgrade VMware vCenter Server Appliance
- CMD Error: Could not found system credential with name psc_root_
Because of course, nothing screams “fun” like errors that sound like they were written by a cryptic fortune cookie.

Meanwhile, In Appliance Land…

Even though the upgrade bombed, I poked around on the new vCenter appliance anyway. Powered it on, ran through the wizard, got to the pre-check, and was greeted by another beautiful error.

A quick search later, I stumbled across Broadcom KB 312122:
vCenter Server preupgrade check error explained

Followed their fix, went back to VxRail Manager, resumed the upgrade, and… miracle of miracles, it worked.

My “Unofficial” VxRail 7 → 8 Upgrade Checklist
1. History lesson – If someone else managed your environment before you, get the backstory. Ghost PSCs are real.
2. Run your pre-checks – Don’t just trust the green check marks; actually read the details.
3. VXverify – This one is critical. Run it. Love it. Respect it. Make sure to get the newest version – https://www.dell.com/support/kbdoc/en-us/000021527/vxrail-how-to-run-vxverify#downloadlatest
4. Passwords – Double-check your account creds. Nothing like a forgotten password to turn an upgrade into a therapy session.
Bonus Round
- Reboots matter – If your hosts haven’t been rebooted in forever, give them some love. Same for the VxRail Manager appliance.
- Dell ProSupport Plus – If you’ve got it and don’t feel 100% confident, open a ticket. No shame in phone-a-friend.
- Local updates > Internet updates – Trust me, you’ll sleep better.
Final Thoughts

Upgrading VxRail should be “push button, drink coffee.”
But in reality? It’s more like “push button, panic, Google error, find obscure KB, try again, finally succeed, then finally drink coffee.”

And hey… maybe once VCF 9.1 lands, this process won’t feel like an escape room with bad lighting. One can dream.
Navigating the Changes at VMware Explore 2024: Should We Be Concerned About the Future?

August 29th, 2024

**Disclaimer:** I am not affiliated with VMware nor have I received any sponsorship. These are my honest reflections as a customer.

Attending this year’s VMware Explore provided me with deeper insights into the future of a product many of us have grown to love—VMware. Compared to last year, this event had fewer attendees, a smaller expo (noticeably missing EUC vendors), and a smaller hub. However, the food was improved, and the sessions were as informative as ever. If you’re planning to attend next year, stay tuned—I’ll be posting another update on must-see speakers once the lineup is announced.

This was my fourth VMware Explore, and I’m incredibly grateful to my current and former employers for allowing me to attend. Each year, I look forward to making new connections, meeting VMware employees I usually interact with only on Zoom, talking to experts at the Experts Bar, and networking with VMUG leaders, vExperts, and Tanzu Vanguards. I always leave the conference with a wealth of new knowledge and connections.

Another highlight of this event for me was meeting Hock Tan and Chris Wolf in person. They both attended the combined community leaders (VMUG, vExpert, Tanzu Vanguard) happy hour. I managed to speak with Hock for 12-15 seconds, and he gave me the straightforward answer I was looking for—he’s a straight shooter and doesn’t indulge in any nonsense. Chris Wolf also spent a lot of time with the group I was with, which was a fantastic experience.

My Thoughts on the Future of VMware

Initially, I wasn’t sure I’d be attending this year. We faced significant challenges renewing our Enterprise License Agreement (ELA)—our account executive left, and other team members were either let go or reassigned, leaving us without a new team until a few months ago. As a customer, this was frustrating. I’ve always loved VMware for its technology, its dedicated employees, and its supportive customer community. But since the Broadcom acquisition, things have undeniably changed. There’s been a lot of concern, with some predicting that Broadcom’s acquisition strategy, which has disrupted other companies, might do the same to VMware.

Every acquisition brings change, and VMware is a much larger entity than previous companies acquired by Broadcom. I’ll admit, this year I didn’t invest as much time in training and certifications as I normally do. The acquisition has upset many customers, including myself, particularly regarding higher pricing—some say it’s increased by 7-10 times—and more difficult negotiations. From my own research and discussions within my local community, it seems negotiations are now much tougher, with little room for flexibility. You’re often forced to choose between an all-encompassing package (VCF) or another option (VVF). For a more in-depth analysis, I recommend reading William Lam’s blog on this topic. The frustration among customers is palpable.

Further discussions at the event shed light on a key concern: many customers had previously enjoyed significant discounts, making the transition to paying full retail prices particularly challenging, especially for budgeting departments. Although I’m not directly involved in budgeting, this issue was a frequent topic at community events. Before the Broadcom acquisition, VMware was known for its strong commitment to its customers, always going the extra mile to work closely with them and ensure their needs were met.

Another concern that has surfaced is the issue of delayed responses during negotiations, something we experienced firsthand. I’ve heard that these delays may be due to Hock Tan personally reviewing quotes, which, if true, could lead to significant backlogs, considering the volume of customers. VMware employees are in a difficult position, and as customers, it’s understandable that we feel frustrated. Broadcom’s communication with customers has been lacking in this transition, and this is an area where they could greatly improve. A transparent announcement addressing the reasons behind these delays might have alleviated some of the concerns.

Despite these challenges, the VMware community at this year’s Explore was open and candid, demonstrating a clear desire to improve communication and maintain the company’s long-standing customer-focused approach.

Shifting Focus: From “Cloud First” to On-Prem

In previous years, VMware emphasized a “Cloud First” approach. This year, the focus shifted to building your own private cloud. I won’t delve into the details, as every company has its own needs, but during the General Session, it was noted that 83% of organizations are trying to move back to on-prem. I’m not sure where this statistic came from, but based on conversations on LinkedIn and Reddit, it might be accurate. One highlight of the General Session was the simplification of VMware’s product line. How many times has Aria been renamed in recent years? Remember vRops? I still do! Finally, they’ve unified it under “VCF Operations,” integrating all the vRealize products into one. This is a true single pane of glass. While some management packs will no longer be supported, you can now create your own as long as you can make an API call. That’s a pretty cool feature, in my opinion. There are also rumors about simplifying alerts from vSphere and VCF Operations, and the self-service portal for Devs and Server Teams is a valuable addition. If you utilize the full suite, it could be the solution you’re looking for, offering provisioning, dashboards, reporting, cost analysis, and more—all in one place. Is there another hypervisor product that can offer this level of integration?

Looking Forward: A Bright Future?

In summary, the future of VMware holds significant promise, with ongoing developments and immense potential. It’s important to let the dust settle and take a step back to assess the situation. I completely understand if you’re considering alternatives—I’ve been in the same boat. But before making any decisions, take a moment to look at the big picture. Ask yourself and your team: Are we truly evaluating all aspects, or are we reacting out of frustration and making a rushed decision?

Engage with your VMware representatives and discuss your concerns openly. It’s crucial to hash out any issues directly and seek clarity on how they plan to support your organization moving forward. Additionally, I strongly recommend attending VMUG town halls, where licensing and strategy are frequently discussed. These sessions offer valuable insights on how to navigate the changes and make the most of your VMware investment.

While it’s clear that Broadcom’s approach to communication differs from VMware’s, it’s essential to give this transition a chance. By voicing our concerns and staying engaged within the community, we can influence how these changes unfold. Remember, it’s a long battle, but the future is bright for those who stay informed and involved.
Creating a new Certificate Authority with offline root

April 3rd, 2024

This guide was a combination of Microsoft Articles and other searches while installing the new infrastructure. Use at your own risk :).

Things to keep in mind, if you currently have a CA already in place when the new CAs are set it will have the OOB templates, I highly suggest deleting the templates on the new CAs as soon as you finish the configuration, this can be added later on. Your domain joined computers will have a new root cert in addition to the current root cert, your non windows devices will not have the new root cert so you will need to share the root cert to get it added.

(First Step) Create a server for your offline root certificate and do not join it to the domain.

Add Roles and Features, Click next, Select Role-Based Click Next, Click next on server selection.

For Server Roles Click “Active Directory Certificate Services”

Click Add Features

Click next, Click next Select “Certificate Authority” then next

Install –> Close –> Click Configure Active Directory Certificate Services on the notification

Supply the credentials and click next Click Certificate Authority, then Next

Select “Stand-Alone CA” click Next
Select Root CA then next
Create a new private key then next
Select your preferred key length then next

Specify Name of the CA then Next
Click next on the location.
Confirm then click configure.

This is the time to fix your extensions “CDP/AIA”
Once done navigate to C:\Windows\System32\CertSrv\CertEnroll
Grab the two files you will need these for the subordinate CA servers

(Second Step) Creating the Subordinate and Web Enrollment Certificate servers

Create Server(s) and join to domain
Add Roles and Features
Click Next, Select Role Based Click Next, Click Next
Click on Active Director Certificate Services, Click Add Features, Click Next
Click Next, Next Select the following

Click Install
Configure the Activate Directory Certificate Services

Use a credential that is a member of the enterprise admins then click next
Select the roles then next

Select Enterprise CA click next
Select Subordinate CA Click next
Select create a new private key then next
Choose the Cryptography then next
Supply the Names then next
Remember the req file location then Click next
Click Close
Copy the req file from the Enterprise Server CA to the Offline Root Server
Login to the offline root server and open Certificate Authority

Right Click on the CAName, click on extension and update the details for CDP and AIA, click ok
Right Click on the CAName again, All Tasks, then Submit New request

Find the copied req file from the enterprise CA server then Click Open
Click on Pending Requests

Issue
Go to Issued Certificate
Open the certificate then click details
Click Copy to file
Select the options below

Save the file

On the offline root server copy the certificate you just issued and the two files located here C:\windows\system32\CertSRV\Certenroll

GO back to the enterprise root server and execute the commands below

certutil –dspublish –f C:\CompanyRoot-RootCA.crt RootCA

certutil –addstore –f root C:\CompanyRoot-RootCA.crl

certutil –addstore –f root C:\CompanyRoot-RootCA.crt

certutil -installCert C:\Company-IssuingCA.p7b

Open the CA and start services

BONUS – Your offline root is set to issue certificates for only 1 year, If you want to have the Intermediate certs more than 1 year use the commands below on your offline root cert before issuing the Certs for Subordinates (below is an example for 5 years)

certutil -setreg ca\ValidatePeriod “Years”
certutil -setreg ca\ValidityPeriodUnits 5
My previous blog site had problems

December 11th, 2023

So my previous site had problems with the domain, dont ask why but I had issues with Customer Service and support and I told them you know what just close it 😀 so here we go creating a brand new site and of course adding my archives