WinCC

Siemens WinCC V7.4 SP1 / WinCC Professional V15
Industry Online Support: https://support.industry.siemens.com/cs/ww/en/view/49368181

Warranty and Liability

Note The Application Examples are not binding and do not claim to be complete with regard to configuration, equipment or any contingencies. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for the correct operation of the described products. This Application Example does not relieve you of the responsibility of safely and professionally using, installing, operating and servicing equipment. When using this Application Example, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to this Application Example at any time and without prior notice. If there are any deviations between the recommendations provided in this Application Example and other Siemens publications – e. g. catalogs – the contents of the other documents shall have priority.

We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of fundamental contractual obligations (“wesentliche Vertragspflichten”). The compensation for damages due to a breach of a fundamental contractual obligation is, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens AG.

Security information
Siemens provides products and solutions with Industrial Security functions that support the secure operation of plants, systems, machines and networks. To protect plants, systems, machines and networks against cyber threats, it is necessary to implement (and continuously maintain) a holistic, state-of-the-art Industrial Security concept. Products and solutions from Siemens are only one part of such a concept. It is the customer’s responsibility to prevent unauthorized access to the customer’s plants, systems, machines and networks. Systems, machines and components should only be connected with the company’s network or the Internet, when and insofar as this is required and the appropriate protective measures (for example, use of firewalls and network segmentation) have been taken. In addition, Siemens’ recommendations regarding appropriate protective action should be followed. For more information on Industrial Security, visit http://www.siemens.com/industrialsecurity.

Siemens’ products and solutions undergo continuous development to make them even more secure. Siemens strongly recommends to carry out updates as soon as the respective updates are available and always only to use the current product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase customer’s exposure to cyber threats. In order to always be informed about product updates, subscribe to the Siemens Industrial Security RSS Feed at http://www.siemens.com/industrialsecurity.

WinCC Virtualization
Entry ID: 49368181, V2.0, 08/2018

Table of Contents

Warranty and Liability
1 Preface
1.1 Purpose of the document
1.2 Validity
2 Automation Task
2.1 Introduction
2.2 Virtualization requirements
2.3 Fields of application for virtualization
3 Automation Solution
3.1 WinCC system architecture in virtual environment
3.2 What is virtualization?
3.2.1 Definition
3.2.2 Server-based virtualization (type 1: native)
3.2.3 Client-based virtualization (type 2: hosted)
3.2.4 Summary of server-based and client-based virtualization
3.2.5 Advantages and disadvantages of the virtualization
3.3 SIMATIC Virtualization as a Service
4 Configuration
4.1 General hardware compatibility
4.1 Configuration of the host systems
4.2 Configuration of guest systems
4.2.1 General information
4.2.2 Configuration of network cards
4.3 Remote access
4.4 Communication
4.4.1 Name resolution
4.4.2 VLANs
4.4.3 Redundancy connection between servers
4.5 SIMATIC software redundancy
5 Licensing of SIMATIC Products
5.1 Licensing with a single license
5.2 Licensing with floating licenses
6 Diagnostic capabilities
6.1 Diagnostics using VMware vSphere client
6.2 Diagnostics in the virtual system
6.3 Performance problems
7 Further Notes, Tips and Tricks
7.1 Pass-through (VMDirectPath IO)
7.2 Managed USB HUB
7.3 General recommendations
7.3.1 Snapshots
7.3.2 vMotion or vMotion Storage
7.3.3 SDRS (Storage DRS)
7.3.4 Fault Tolerance
7.3.5 Cloning virtual machines (VM)
7.3.6 VMware Tools
7.3.7 Increasing performance of vnetflt.sys driver
7.3.8 Hard drives
7.3.9 Unnecessary hardware in virtual machines
7.3.10 Synchronizing the virtual machines
7.4 Security settings
7.4.1 Disabling automatic update of VMware Tools
7.4.2 Time synchronization through NTP
7.4.3 Applying patches for ESXi
7.4.4 Security in general
8 Glossary
9 Appendix
9.1 Service and Support
9.2 Links and literature
9.3 Change documentation

1 Preface

1.1 Purpose of the document

This document describes the virtualization of WinCC V7 and WinCC Professional in connection with an ESXi server. In this document you will find
· Information on the infrastructure for the use of WinCC
· Demonstration of special features
· Diagnostic capabilities

1.2 Validity

This document is based on the following versions
· WinCC V7.4 SP1
· WinCC Professional V15
· VMware ESXi V6.0
· VMware vSphere V6.0

General statements are also valid for other WinCC V7 and WinCC Professional versions. Software-dependent releases can be found in the Compatibility tool \3\

2 Automation Task

2.1 Introduction

Server virtualization already plays an important role in information technology. The same advantages are to be achieved in automation technology.

2.2 Virtualization requirements

The availability of the plant and the automation technology has the highest priority. This applies equally to plants with real computers and to plants that are operated in a virtual environment. For plant operation in a virtual environment, there should be no visible difference to real computers.

2.3 Fields of application for virtualization

Depending on the area of application, different hardware and software are used for the virtualization solutions.

Application: Virtualization solution
· Engineering, training and short tests: VMware Player, VMware Workstation, Windows Virtual PC…; VMware vSphere, HyperV
· Production plants: VMware vSphere, HyperV

Topics not covered by this application

This document describes the use and the approach using VMware ESXi and VMware vSphere. The VMware Workstation or VMware Player is not considered. These products are not released for productive operation.

3 Automation Solution

3.1 WinCC system architecture in virtual environment

Figure 3-1

3.2 What is virtualization?

3.2.1 Definition

Virtualization is the abstraction of physical hardware from the operating system. For this purpose, a special virtualization layer, the so-called hypervisor, is located on a real computer. This makes it possible to run several virtual machines (VM) that are isolated from each other, each with its own virtual hardware components and its own operating system, on a real, physical computer (host system).

They act like real computers and can execute applications themselves.

Layout for virtualization
Figure 3-2

Tasks of the hypervisor
Among other things, the hypervisor has the following tasks:
· The hypervisor is the virtualization layer in which the VMs run.
· The hypervisor manages the resource allocation of the real hardware to the VMs and the execution of the VMs.
· The hypervisor is also called VMM (Virtual Machine Manager or Monitor).

Physical and virtual setup

Figure 3-3

Variants
Basically, there are two types of virtualization, which differ in terms of configuration and structure.
· Server-based virtualization (type 1: native)
· Client-based virtualization (type 2: hosted)

3.2.2 Server-based virtualization (type 1: native)

This virtualization variant is characterized by the following characteristics:
· The hypervisor runs directly on the hardware of the host and is more efficient. It requires fewer resources, but has to provide all drivers.
· No direct operation: The VMs are operated via remote clients.
· Fields of application are data centers and production plants.
· Examples for type 1 are "VMware ESX/ESXi" and "Hyper-V".

Figure 3-4

3.2.3 Client-based virtualization (type 2: hosted)

This virtualization variant is characterized by the following characteristics:
· The hypervisor is based on a fully-fledged operating system, e.g. Windows, and uses the device drivers of the operating system.
· Direct operation: The VMs are operated directly on the computer via graphics card and monitor.
· Areas of application are mainly engineering and short tests.
· Examples for type 2 are "VMware Workstation and VMware Player", "VirtualBox" or "Windows Virtual PC".

Figure 3-5

Note This document describes only type 1 with VMware ESX/ESXi.

3.2.4 Summary of server-based and client-based virtualization

Server-based virtualization: Type 1 native (ESXi server)
· The hypervisor runs directly on the hardware of the host and is more efficient. It requires fewer resources, but has to provide all drivers.
· No direct operation: The VMs are operated via remote clients.
· Areas of application: Data centers and production plants

Client-based virtualization: Type 2 hosted (VMware Workstation)
· The hypervisor is based on a fully-fledged operating system (e.g. Windows) and uses the device drivers of the operating system.
· Direct operation: The VMs are operated directly on the computer via graphics card and monitor
· Areas of application: Engineering and short tests

3.2.5 Advantages and disadvantages of the virtualization

Table 3-1

Costs
Advantages: Reduction of costs
· Consolidation of physical computers, cables, switches, etc.
· Reduction of energy consumption
· Reduction of space requirements
· Less expensive hardware can be used for clients (so-called thin client solutions)
Disadvantages:
· Additional license costs for virtualization depending on the range of functions
· Software costs for the operating system remain.

Security
Advantages: Increased security
· Increased security due to remote access and centralized rights management
· Reduced attack possibilities with thin clients; central protection on the ESXi server for the virtual machines
Disadvantages:
· Possibly increased security expenses (additional layer, data security)

Availability
Advantages: Increased availability
· Easy exchange of virtual machines on ESXi server possible
Disadvantages:
· Danger of a "Single Point of Failure"
· Support may not come from a single source

Flexibility
Advantages: Increased flexibility
· Hardware independence of the virtual machines
· Virtual machines with different operating systems on one ESXi server
· Additional virtual machines can be added by starting another VMware session
· Hardware RAID can be configured as software RAID (ESXi Server)
· Securing commissioning
· Simple recording in the event of system failures

System complexity
Disadvantages:
· Significantly increasing system complexity
· Higher administration effort

Support
If a problem occurs while operating a virtual machine, the support required for this may become time-consuming. In this case, the responsibility must first be clarified, as can be seen in the following diagram.
Figure 3-6

Note When using SIMATIC Virtualization as a Service (see chap. 3.3) you not only receive pre-installed and pre-configured ESXi servers including WinCC installations in the form of VMs, but also the service for these complete systems from a single source.
You can use a support request to determine the power requirements of a virtualized SIMATIC WinCC system. Further information is available in the following FAQ: "Where do you obtain technical support for the configuration of a virtual SIMATIC PCS 7 / WinCC System?". \4\

3.3 SIMATIC Virtualization as a Service

SIMATIC Virtualization as a Service is a pre-configured, ready-to-use virtualization system for implementing efficient automation solutions for SIMATIC systems.

Figure 3-7

A hypervisor is installed on a powerful server that manages the hardware resources and dynamically distributes them to the virtual machines. Central management, configuration and maintenance of the virtual machines and the virtualization server are carried out via a management console.

The virtual machines are equipped with SIMATIC PCS 7 or SIMATIC WinCC installations and are preconfigured depending on the automation task (e.g. PCS 7 ES/Client, WinCC Server). The virtualization system can be easily and efficiently extended by preconfigured virtual machines and is therefore scalable to different plant sizes. A highly available system can be realized by using additional virtualization servers.

Further information on SIMATIC Virtualization as a Service is available at the following link:
· SIMATIC Virtualization as a Service \5\

4 Configuration

4.1 General hardware compatibility

Each ESXi host and its components must be listed in VMware's HCL (Hardware Compatibility List) for each ESXi version and license. For more information, please use the following link: https://www.vmware.com/resources/compatibility/search.php \6\

4.1 Configuration of the host systems

NOTICE The user/administrator is obliged to provide and secure sufficient system resources on the virtualization server and the virtual systems.

Minimum system requirements for installing ESXi/ESX (1003661)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003661 \7\

Best practices to install or upgrade to ESXi 6.0 (2109712)
https://kb.vmware.com/s/article/2109712 \8\

Hardware example
Here is an example from practical experience.
· The configured main memory (RAM) of all VMs running simultaneously must not exceed 90% of the physically available RAM.
· The ratio 2:1 of the virtually configured CPU cores of all simultaneously running VMs to the physically available CPU cores should not be exceeded.

The following table shows an example of a possible assignment:
Hardware: Intel® Xeon® Processor E5-2640V4 (25MB Cache, 2.40 GHz, 8.00 GT/s QPI)
Number: 10 Cores
Usage:
· 1 core for host
· 1x ES: 4 vCores
· 1x OS Server: 2 vCores
· 5x OS Client: 10 vCores

· For performance reasons, the size of the data stores on the individual RAID systems should not exceed 2TB.
· Using a RAID 10 system for the data stores offers the best read/write performance.
· A better performance of WinCC can be achieved if a CPU with fewer cores and higher clock frequency is preferred to a CPU with more cores and lower clock frequency.

Network
The following figure shows an example of the communication principle of a virtualization system:
· The internal communication between ES, WinCC server and WinCC client.
· The communication of ES, WinCC server and WinCC client to the outside, e.g. to the AS via the physical network cards of the ESXi server.

Figure 4-1

4.2 Configuration of guest systems

4.2.1 General information

Features: Requirements
· VM Version: 8, 9, 10 or 11 1)
· Hard drive storage management: Use type: "Thick Provision Eager Zeroed"
· Virtual network modules: There are as many network cards to configure as would be the case with real WinCC stations. A redundant OS server would therefore have 3 virtual network cards.
· Separation of networks: It is recommended to physically/virtually separate terminal, system and redundancy bus and not to use VLANs. The IP addresses of terminal, system and redundancy buses have to be located in different subnets.
· Network cards: All network cards are assigned to the "Private" network profile within Windows via group policy.
· CPU load: The CPU continuous load of the assigned logical CPU cores must not exceed 70% - 80%. Note: When archiving large data volumes a respective reserve is required (high I/O load). This load is given at a capacity of 70% - 80%.
· VMware Tools: "VMware Tools" must be installed inside the virtual machines. This results in better performance and maintainability of the VMs.
· Operating states: Suspend/Resume of the VMs, as well as VMware options, (e.g. vMotion) are not supported. The VMs must be treated like real WinCC stations.

1) A downgrade of the VM version is not possible.

Note Card type of virtual network cards The card type of the virtual network cards has to be "E1000" or "vmxnet3" (recommended). The card type "vmxnet3" cannot be used until VMware Tools is installed in the VM.


4.2.2 Configuration of network cards

NOTICE Faulty process communication
· No unused network cards may exist in the Windows "Network and Sharing Center". Unused cards must be disabled or removed from the virtual machine configuration.
· No network card should be assigned to the public network profile.
· When adding/removing network cards, their order changes in Windows. After making changes to the network configuration, check the order of the network cards according to the WinCC documentation.

Note The following group policy can be used to ensure that no network card is assigned to the "Public network" network category: Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Network Manager Policies > Non-identified Networks: Set the location type from "Not configured" to "Private".

Note First uninstall unused network cards in the Windows device manager. If you do not do this, "remaining files" will be left in the properties of the VM in Windows after you delete network cards. These "remaining files" must first be made visible in the device manager before they can be uninstalled. If these "remaining files" are not removed, the name of the deleted network card cannot be used again.

Tip: If BGInfo (not included in Windows) is used, the desktop can show whether "remaining files" are available.

4.3 Remote access

The VMs can be accessed with a thin client or a remote system via RDP, RealVNC, vSphere Client or vSphere Web Client.

General information
The following points apply to all remote connections:
· All operator stations can be operated via exactly one open remote connection.
· For a remote connection, the existing session must be taken over. This means that a user must be logged in at the operating station.
· Remote Desktop may only be used via "mstsc /console" or "mstsc /admin".
· An RDP connection may only be used for access to clients without additional functions (web functions).
· With WinCC servers or the single-user system, RDP is only permitted if WinCC is running in service mode.
· When using an RDP connection to a VM, the automatic logon to Windows has to be configured in this VM, e.g. using "control userpasswords2" or "Autologon for Windows" (Windows Sysinternals).
· In order to access a VM with automatic logon via RDP, the following registry entry may not be present as of Windows Server 2012 R2 and Windows 10 (default setting): "HKEY_LOCAL_MACHINE\SOFTWARE\\Windows NT\CurrentVersion\Winlogon\ForceAutoLogon"
· Disabling the TCP auto tuning level: The TCP auto tuning settings can be disabled using the following command:
netsh interface tcp set global autotuninglevel=disabled
You can find information on this in the FAQ entry: "Which settings should you make when an OVF export fails using the "VMware vSphere Client" application?" \9\
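The guest settings required in chapters 4.2.2 and 4.3 can be checked in one pass from inside the VM. The following read-only audit is an added example, not Siemens code; the function name is hypothetical, the Winlogon key is assumed to be the standard location under SOFTWARE\Microsoft, and the script assumes Windows 10 / Windows Server 2016 or later with English netsh output.

```powershell
# Added example: read-only audit of a WinCC guest VM (run in an elevated session).
function Test-WinCCGuestSettings {
    [CmdletBinding()]
    param(
        # Assumption: standard Winlogon key location.
        [string]$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $findings = New-Object 'System.Collections.Generic.List[object]'
    $add = {
        param([string]$Check, [bool]$Passed, [string]$Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
    }

    # 4.2.2: no network card may be assigned to the public network profile.
    $public = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue |
        Where-Object NetworkCategory -eq 'Public')
    & $add 'No network card in the Public profile' ($public.Count -eq 0) `
        (($public | ForEach-Object InterfaceAlias) -join ', ')

    # 4.2.2: unused network cards must be disabled or removed.
    # Interpretation used here: an enabled adapter without link counts as unused.
    $unused = @(Get-NetAdapter | Where-Object Status -eq 'Disconnected')
    & $add 'No enabled but unused network card' ($unused.Count -eq 0) `
        (($unused | ForEach-Object Name) -join ', ')

    # 4.2.2: leftovers of deleted network cards ("remaining files").
    # Interpretation used here: Net-class devices that are no longer present.
    $ghosts = @(Get-PnpDevice -Class Net -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Present })
    & $add 'No leftover entries of removed network cards' ($ghosts.Count -eq 0) `
        (($ghosts | ForEach-Object FriendlyName) -join ', ')

    $winlogon = Get-ItemProperty -Path $WinlogonKey

    # 4.3: automatic logon has to be configured for RDP access to the VM.
    $auto = "$($winlogon.AutoAdminLogon)" -eq '1'
    & $add 'Automatic logon configured' $auto "AutoAdminLogon = '$($winlogon.AutoAdminLogon)'"

    # 4.3: the ForceAutoLogon entry must not be present.
    $hasForce = $null -ne $winlogon.PSObject.Properties['ForceAutoLogon']
    & $add 'ForceAutoLogon entry absent' (-not $hasForce) "present: $hasForce"

    # Additional check, not stated on the page: a DefaultPassword value holds the
    # logon password in readable form; only its presence is reported, not its content.
    $hasPlain = $null -ne $winlogon.PSObject.Properties['DefaultPassword']
    & $add 'No readable DefaultPassword value' (-not $hasPlain) "present: $hasPlain"

    # 4.3: TCP auto tuning level must be disabled (parsed from netsh, English output).
    $match = netsh interface tcp show global |
        Select-String -Pattern 'Auto-Tuning Level\s*:\s*(\S+)' |
        Select-Object -First 1
    $level = if ($match) { $match.Matches[0].Groups[1].Value } else { 'unknown' }
    & $add 'TCP auto tuning level disabled' ($level -eq 'disabled') "current level: $level"

    $findings
}

Test-WinCCGuestSettings | Format-Table -AutoSize -Wrap
```

The function changes nothing on the system; each row with Passed = False points back to the corresponding item in the lists above.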

RealVNC
Audio signals cannot be transmitted via a RealVNC connection. The released version of RealVNC for WinCC is included in the compatibility tool: http://www.siemens.de/kompatool \3\

vSphere Client
Opening the console ("Open Console") of a VM in the vSphere client can take relatively long (35 sec). One possible reason for this is that certificates cannot be verified if there is no internet connection. This can be prevented by configuring the following group policy: Set "Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Automatic Root Certificates Update" to "enabled".

4.4 Communication

4.4.1 Name resolution

In a virtual environment, a management network is usually also used to manage the virtual infrastructure. In this management network it is recommended to use a DNS server for the name resolution of ESXi servers.

Note The name resolution of the VMs necessary for the operation of WinCC must take place when using a DNS/WINS server via the terminal bus or by using the locally configured hosts and lmhosts files. The name resolution has to be done via the IPv4 protocol.

4.4.2 VLANs

VLANs can be used in WinCC. You can find information on this in the FAQ entry "How do you configure a Virtual Local Area Network (VLAN) in PCS 7?". \10\

VLANs must not be used on the dedicated network card of the ES to the fieldbus (PROFINET).

4.4.3 Redundancy connection between servers

The connection between redundant WinCC servers for redundancy adjustment must be made via Ethernet.
The following figure shows settings within the configuration of SIMATIC Shell:
· Selection of the virtual network card for the redundancy bus in the redundancy settings
· Disabling the serial port

Figure 4-2


4.5 SIMATIC software redundancy

With a redundant WinCC system, the runtime is active on both servers (master and standby). This has the following characteristics:
· The clients are distributed between both servers (load balancing).
· After a failure, the data status is synchronized on both servers by archive adjustment.

The fault tolerance provided by VMware is not a replacement for the SIMATIC redundancy and therefore cannot be used (see chapter 7.3.4 Fault Tolerance).

5 Licensing of SIMATIC Products

General information
As a general rule, you have to license all products/software according to the respective manufacturer's license terms and conditions. In terms of licensing, a SIMATIC software installation on a virtual machine does not differ from the installation on a real machine. Therefore, each SIMATIC software installation on a virtual machine, e.g. SIMATIC WinCC and other SIMATIC applications, has to be licensed accordingly. Likewise, each SIMATIC WinCC Client installation on a virtual machine has to be licensed accordingly.

5.1 Licensing with a single license

Unlimited duration standard license that can be transferred to any computer and used on this computer. The Certificate of License (CoL) defines the type of use. Licenses of the single license type can only be used locally.

5.2 Licensing with floating licenses

Unlimited license duration that can be transferred to any computer and used on this computer. The license can also be obtained from a license server over the network.

Note The freedoms gained in handling virtualization entail the risk of easily damaging or destroying virtual machines. When things get serious, a virtual machine will be irretrievably lost, including all installations and licenses.
To minimize the risk of losing licenses, use a license server with SIMATIC floating licenses. This additionally facilitates handling licenses.

6 Diagnostic capabilities

Troubleshooting and performance (Chap 4.4 109486064)
VMware provides various means to diagnose performance bottlenecks. Below, we will briefly describe use of the vSphere Client and of the "esxtop" tool. For more information, see the manual "vSphere Monitoring and Performance": https://www.vmware.com/support/pubs/ \11\

6.1 Diagnostics using VMware vSphere client

General information
You can use the vSphere Client not only to configure the virtual machines (guest systems), but also to monitor the ESXi server and the individual virtual systems.

Monitoring options
You can display these points as curves with the vSphere client:
· Main memory usage
· Operating state
· CPU load
· Hard drive
· Network utilization

The procedure in detail
Table 6-1
No. Step/action
1. Log on to the ESX(i) server
· Start your VMware vSphere client. The Logon dialog appears.
· Enter the IP address of your virtualization server and your user data. The vSphere Client starts.
2. Navigate to ESX(i) server diagnostics
· In the navigation tree, select the top item (the virtualization server).
· Then select the “Performance” tab. A diagram appears that shows the performance data graph.
3. Customizing the ESX(i) server diagnostics
To monitor the values used for these measurements, proceed as follows:
· In the top area of the tab, click “Trend settings…”. The “Adjust performance trend” dialog appears.
· Monitoring the RAM
– In the “Trend settings” tree, expand the “RAM” item.
– In “RAM”, click “Realtime”.
– In the “Performance logs” fields, deselect everything and select only “active”.
– Confirm with OK. In the diagram, you can now monitor the active RAM.
· Monitoring the CPU load
– In the “Trend settings” tree, expand the “CPU” item.
– In “CPU”, click “Realtime”.
– In the “Performance logs” field, deselect everything and select only “usage”.
– Confirm with OK. In the diagram, you can now monitor the CPU load.
4. Navigate to diagnostics of the virtual system
· In the navigation tree, select the item of the virtual system to be monitored.
· Then select the “Performance” tab. A diagram appears that shows the performance data graph.
5. Customizing diagnostics of the virtual system
To do this, proceed as described in step 3.

6.2 Diagnostics in the virtual system

For diagnostics in the virtual system, use the Windows tool Windows Performance Monitor.

The procedure in detail
Table 6-2
No. Step/action
1. Starting the tool
Click “Start > Run”. The “Run...” dialog appears.
· Enter “Perfmon” and click OK. The monitoring tool starts.
2. Customizing the performance indicators
Remove all performance logs from the lower right area.
· In this area, right-click. In the menu, select “Add performance logs...”.
· The “Add performance logs” dialog appears.
· To display the CPU load as a percentage, select the “Processor” data object and select the “% Processor Time” performance log. Select “_Total” as the instance.
· Click on "Add…".
· To display the main memory allocation, select the “Memory” data object and select the “Committed Bytes” performance log.
· Click “Add” and select “Close” to close the dialog.

Note
It is a problem to display both values simultaneously in one diagram. The axis scaling differs.
For optimum display, adjust the scaling using the “Properties” button and the “Graphics” tab.

For more information, follow this link:
"What diagnostics options are available for WinCC and PCS 7 OS?" \12\
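The two counters selected in Table 6-2 can also be sampled from the command line and compared with the continuous CPU load limit of 70% - 80% from chapter 4.2.1. This is an added example, not Siemens code; the function name, sample count and interval are assumptions, and the counter paths are the English names (they are localized on non-English Windows).

```powershell
# Added example: sample the counters from Table 6-2 and rate the CPU load
# against the continuous-load limit from chapter 4.2.1.
function Measure-WinCCGuestLoad {
    [CmdletBinding()]
    param(
        [int]$Samples = 12,              # assumption: 12 samples ...
        [int]$IntervalSeconds = 5,       # ... every 5 s = one minute of observation
        [double]$CpuLimitPercent = 70    # lower bound of the 70% - 80% limit
    )

    $paths = '\Processor(_Total)\% Processor Time', '\Memory\Committed Bytes'
    $sets  = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples

    # Get-Counter returns one sample set per interval; split it per counter.
    $all = @($sets | ForEach-Object { $_.CounterSamples })
    $cpu = @($all | Where-Object Path -like '*\% processor time' | ForEach-Object CookedValue)
    $mem = @($all | Where-Object Path -like '*\committed bytes'  | ForEach-Object CookedValue)

    $cpuStats = $cpu | Measure-Object -Average -Maximum
    $memStats = $mem | Measure-Object -Maximum

    # Both values are reported in their own unit, so the axis scaling problem
    # of the combined diagram does not arise.
    [pscustomobject]@{
        Samples           = $cpu.Count
        CpuAveragePercent = [math]::Round($cpuStats.Average, 1)
        CpuMaximumPercent = [math]::Round($cpuStats.Maximum, 1)
        SamplesOverLimit  = @($cpu | Where-Object { $_ -gt $CpuLimitPercent }).Count
        CpuLimitPercent   = $CpuLimitPercent
        ContinuousLoadOk  = ($cpuStats.Average -le $CpuLimitPercent)
        CommittedMaxGB    = [math]::Round($memStats.Maximum / 1GB, 2)
    }
}

Measure-WinCCGuestLoad | Format-List
```

Run it during archiving or other I/O-heavy phases as well, since the requirement in chapter 4.2.1 calls for a reserve under that load.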

6.3 Performance problems

To prevent your VM from running with poor performance, define the hardware configuration of the VM before installing the operating system. This mainly applies to: · Number of virtual sockets · Number of virtual cores per socket If you make changes to the hardware configuration, you must adjust the HCL of the VM again. Further information is available at: · Modifying the Hardware Abstraction Layer (HAL) for a Windows virtual machine (1003978) https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd =displayKC&externalId=1003978 \13\ · Troubleshooting a converted virtual machine that experiences poor performance (1013857) https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cm d=displayKC&externalId=1013857 \14\ · Troubleshooting ESX/ESXi virtual machine performance issues (2001003) https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cm d=displayKC&externalId=2001003 \15\ d e v r e s e r s t h g i r l l A 8 1 0 2 G A s n e m e i S ã

7 Further Notes, Tips and Tricks

7.1 Pass-through (VMDirectPath IO)

General information
Pass-through support in VMware vSphere Server (ESXi) allows you to pass certain physical components of the server directly to the virtual machines. The virtual machine detects the new hardware automatically; if necessary, appropriate drivers are installed later.
As long as you use the pass-through function:
· the hardware is a part of the virtual machine
· the HyperVisor no longer has access
Various SIMATIC NET CPs have been tested for the pass-through function and can be used.

Note This is where you can find information about pass-through configurations http://kb.vmware.com/kb/1010789 \16\

Note When using SIMATIC NET CPs in a virtual environment, observe the requirements and dependencies of SIMATIC NET.
"SIMATIC NET PC-Software SIMATIC NET PC Software V14 SP1 installation manual – chapter 3 and 4"
Installation, configuration of SIMATIC NET CPs in a VMware vSphere server (ESXi)
https://support.industry.siemens.com/cs/ww/en/view/77377602 \17\
Other compatibilities can be found here https://support.industry.siemens.com/kompatool/pages/main/index.jsf \3\

You can use a WinCC ASIA dongle via pass-through. The number of ASIA dongles depends on the international USB hubs and not on the number of USB ports. Only one USB HUB is forwarded at a time.


7.2 Managed USB HUB

General information
The following diagram shows you how a USB HUB is connected to a virtual infrastructure via the Ethernet LAN. You configure the assignment of the USB ports to the virtual machine via the hub's Web interface. Furthermore, every virtual machine that you connect to the USB HUB needs corresponding software. Using this software, the virtual machine accesses the respective USB port (port groups). The USB devices connected to these ports are passed on to the respective virtual machine via the Ethernet LAN.

Note A guide showing the detailed configuration of the USB HUB is available on the manufacturer’s website: http://www.digi.com/products/usb/anywhereusb \18\

Figure 7-1 (diagram labels: VM, RealPort USB software drivers, Ethernet LAN, AnywhereUSB, USB Device, SmartCard, Remote Client)

The following USB HUBs were compatibility-tested:

http://www.digi.com/products/usb/anywhereusb \18\

You can use a WinCC ASIA dongle via USB HUB.

7.3 General recommendations

7.3.1 Snapshots

Do not use snapshots during productive operation. This can negatively affect the virtual machine's general performance capability.
For more information, follow this link: https://www.vmware.com/pdf/vcops-vapp-585-deploy-guide.pdf (p. 15) \19\
Search KB entry 2000986 "Snapshots are not backups" for "Best practices for virtual machine snapshots in the VMware environment". https://kb.vmware.com/selfservice/microsites/microsite.do \20\

7.3.2 vMotion or vMotion Storage

Do not use vMotion or vMotion Storage for virtual machines in which SIMATIC software is active.


7.3.3 SDRS (Storage DRS)

Storage DRS enables moving virtual machines automatically within a data store cluster. A data store cluster consists of individual data stores. Do not move virtual machines with active SIMATIC software.

7.3.4 Fault Tolerance

Fault Tolerance (FT) provides uninterrupted availability by assuring that the states of the primary and secondary virtual machine are identical for the entire time the instruction is being executed. FT is not supported in conjunction with SIMATIC software and is not considered in this application example.

7.3.5 Cloning virtual machines (VM)

Cloning a virtual machine is not compatibility-tested and not released.

7.3.6 VMware Tools

Install the latest version of the VMware Tools.


7.3.7 Increasing performance of vnetflt.sys driver

You can increase the performance of WinCC within the VM by uninstalling the "vnetflt.sys" driver.

Table 7-1
1. Start the VMware converter.
2. Select “Change” and click on the “Next” button.
3. Uninstall the "NSX Network Introspection Driver" in "VMCI Driver > NSX File Introspection Driver".
4. Restart the computer.


7.3.8 Hard drives

Thick provisioned eager zeroed format
Create the hard drives in the format "Thick Provision Eager Zeroed". It provides the best performance properties.
For more information, follow this link: https://www.vmware.com/pdf/vcops-vapp-585-deploy-guide.pdf (p. 15) \19\

Distributing multiple hard drives of a virtual machine
Distribute the hard drives evenly across the virtual SCSI adapters.
For more information, see the book "Virtualizing Microsoft Business Critical Applications on VMware vSphere" (p. 90).

I/O-intensive applications
Use the paravirtual storage adapter (PVSCSI) for I/O-intensive applications. It reduces the CPU load and can improve the system's overall performance in particular. Also observe the information provided by the following links.
For more information, follow this link: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-perfbest-practices-vsphere6-0-white-paper.pdf \21\
Or in KB article 1010398. Search for "Configuring disks to use VMware Paravirtual SCSI adapters". https://kb.vmware.com/selfservice/microsites/microsite.do \20\

Note The use of SSD brings a considerable improvement in performance.

7.3.9 Unnecessary hardware in virtual machines

Remove all unnecessary hardware from the configuration. Each unnecessary element can negatively affect the performance capability of your virtual machine.
For more information, follow this link: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-perfbest-practices-vsphere6-0-white-paper.pdf \21\

This includes:
· Floppy disk
· CD ROM
· HD audio

7.3.10 Synchronizing the virtual machines

The host (ESXi) must use the same time source as the operating systems within the virtual machines. Before time synchronization mechanisms take effect in the virtual machine, the host's time is used when starting the virtual machine. If the two times differ, undesired behavior can occur as a result. In the virtual machine, use one of the following time synchronization methods:


· VMware Tools or

· Time synchronization - Time synchronization in the automation environment
In this entry you will find the most important entries on the 'Time Synchronization' topic in Industry Online Support. https://support.industry.siemens.com/cs/ww/en/view/86535497 \22\

Synchronization of the hosts
The ESXi hosts need a time source. Set this source accordingly using the vSphere Client.
Figure 7-2
Figure 7-3

7.4 Security settings

7.4.1 Disabling automatic update of VMware Tools

An automatic upgrade of the VMware Tools may cause the host operating system to be restarted automatically.

Note During the restart, a WinCC server, for example, is not available or WinCC clients cannot be operated.

Disable the automatic installation of VMware Tools:
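The VM-level recommendations in sections 7.3.1, 7.3.8, 7.3.9 and 7.4.1 can be checked offline against a copy of a VM's .vmx file. The following Python script is an added example, not part of the Siemens application example; the sample configuration and the function names parse_vmx and audit_vmx are constructed for illustration.

```python
import re

# Constructed sample .vmx content for illustration (not taken from the guide).
SAMPLE_VMX = '''\
displayName = "wincc-srv01"
tools.upgrade.policy = "upgradeAtPowerCycle"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsisas1068"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "wincc-srv01-000001.vmdk"
scsi1.present = "TRUE"
scsi1.virtualDev = "pvscsi"
scsi1:0.fileName = "wincc-srv01_1.vmdk"
floppy0.present = "TRUE"
sata0:0.present = "TRUE"
sata0:0.deviceType = "cdrom-image"
sound.present = "FALSE"
'''

VMX_LINE = re.compile(r'^\s*([^#\s][^=]*?)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lower-cased key: value} for every key = "value" line."""
    cfg = {}
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        if match:
            cfg[match.group(1).lower()] = match.group(2)
    return cfg


def audit_vmx(text):
    """Return sorted (guide section, finding) tuples for one VM's .vmx text."""
    cfg = parse_vmx(text)

    def enabled(key):
        # Assumption: a device exists only if its ".present" key is TRUE.
        return cfg.get(key, "").upper() == "TRUE"

    findings = []
    # Assumption: a missing policy key means the default, "manual".
    policy = cfg.get("tools.upgrade.policy", "manual")
    if policy.lower() != "manual":
        findings.append(("7.4.1", f"VMware Tools upgrade policy is {policy}"))
    if enabled("sound.present"):
        findings.append(("7.3.9", "sound: audio device present"))
    for key, value in cfg.items():
        dev = key.rsplit(".", 1)[0]
        if re.fullmatch(r"floppy\d+\.present", key) and enabled(key):
            findings.append(("7.3.9", f"{dev}: floppy drive present"))
        elif re.fullmatch(r"(ide|sata|scsi)\d+:\d+\.devicetype", key):
            if "cdrom" in value.lower() and enabled(dev + ".present"):
                findings.append(("7.3.9", f"{dev}: CD-ROM drive present"))
        elif re.fullmatch(r"scsi\d+\.virtualdev", key):
            if enabled(dev + ".present") and value.lower() != "pvscsi":
                findings.append(("7.3.8", f"{dev}: adapter {value}, not pvscsi"))
        elif re.fullmatch(r"(ide|sata|scsi|nvme)\d+:\d+\.filename", key):
            # Heuristic: snapshot delta disks are named <base>-NNNNNN.vmdk.
            if re.search(r"-\d{6}\.vmdk$", value, re.IGNORECASE):
                findings.append(("7.3.1", f"{dev}: snapshot delta disk {value}"))
    return sorted(findings)


if __name__ == "__main__":
    for section, finding in audit_vmx(SAMPLE_VMX):
        print(f"[{section}] {finding}")
```

Disk provisioning format (7.3.8) is not recorded in the .vmx file and is therefore not covered by this check.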


7.4.2 Time synchronization through NTP

Synchronize your ESXi host with a time source. Use the same time source as for time synchronization of your operating systems within the VMs.

7.4.3 Applying patches for ESXi

Always keep the patches of your ESXi hosts up to date. You can do so using the Update Manager for example.

NOTICE Restart of the host and thus also the virtualized machines necessary
You may need to restart the host to successfully install patches. Note that the virtual machines running on the server also have to be restarted. WinCC servers of this host are not available for this period and WinCC clients of this host cannot be operated. WinCC servers or WinCC clients of other hosts are not affected.

For more information, follow this link: https://www.vmware.com/support/policies/security_response \24\

7.4.4 Security in general

Siemens provides products and solutions with Industrial Security functions that support the secure operation of plants, systems, machines and networks.
Further information can be found at the following links.
· Which security precautions help against unauthorized access in the SIMATIC PCS 7 / WinCC environment? https://support.industry.siemens.com/cs/ww/en/view/44443744 \23\
· SIMATIC process control system PCS 7 safety concept PCS 7 & WinCC (basic) https://support.industry.siemens.com/cs/ww/en/view/60119725

8 Glossary

ESX(i) Product from VMware. The software has/is its own operating system and provides virtual systems with workspace.

The software is used for virtualization on the server side.

Core installation Operating system installation without a graphical user interface; replaced by a simplified platform such as a CMD command prompt or PowerShell.

Guest A guest is a virtualized computer running within a host (equivalent to VM).

Host The “host” for virtual machines, regardless of whether this refers to the “host” for desktop or server virtualization.

In this document, “host” is equivalent to virtualization server.

HyperV This software environment is provided by Microsoft through different paths and allows the user to provide, manage and run virtual machines on a Windows server or core server.

HyperVisor Software for virtualization (of a virtualization server).

Hyper-threading Technology for better processing of commands for the processor. Here, with hyper-threading, one processor core appears as 2 processor cores to the operating system.

IOPS Input/Output Operations per Second.

Management Station A PC that performs the configuration, maintenance and monitoring of one or more virtualization servers. The VMware Converter or vSphere Client applications can be used in this context.

RDP Remote Desktop Protocol is a Microsoft solution for operator control and monitoring of remote computers.


SCADA SCADA stands for “Supervisory Control and Data Acquisition”.

SSD SSD stands for "solid-state drive" and is a data memory.

VDS Virtual Distributed Switch

Virtualization server (and virtual system) The real PC on which the VMware ESX(i) software runs that provides its resources to virtual systems. Computers that run within the VMware ESXi software are virtualized systems.

Virtual hardware Real resources are not directly provided to the virtualized systems to allow shared use. Such shared hardware can be network cards, processor cores or hard drives. This hardware can be used partially and jointly by all virtualized systems.

Virtual processor core A processor core provided to the virtual machine. A vCPU is not equivalent to a pCPU or pCore. A vCPU also includes the “double cores” due to HT. In addition, VMware does not distinguish between the core and the CPU; this is only relevant to the guest system.

Virtual network A network which only exists within a virtualization server and allows communication between multiple virtual systems (within one virtualization server).

VNC Virtual Network Control is an option for operator control and monitoring of remote computers.

VMware Company and vendor of virtualization software.

VMware vCenter Converter A VMware product for converting, transferring and creating virtual systems.

VMware Workstation A VMware product for creating and using virtual systems on existing operating systems.

vSphere Client A VMware product for configuring, monitoring and running a VMware ESXi Server.

vSphere Server A VMware product that is installed on the server hardware.


Also known as a HyperVisor, VMware ESX(i) Server or ESX(i) host.

vSphere vCenter Server A VMware product that is used to manage multiple ESX(i) hosts using a vSphere Client. The vSphere vCenter Server is used to combine multiple ESX(i) hosts into a cluster, which increases effectiveness based on the available functionality.

VSS Virtual Standard Switches

9 Appendix

9.1 Service and Support

Industry Online Support Do you have any questions or need support? Siemens Industry Online Support offers access to our entire service and support know-how as well as to our services. Siemens Industry Online Support is the central address for information on our products, solutions and services. Product information, manuals, downloads, FAQs and application examples – all information is accessible with just a few mouse clicks at https://support.industry.siemens.com

Technical Support
Siemens Industry's Technical Support offers quick and competent support regarding all technical queries with numerous tailor-made offers – from basic support right up to individual support contracts. Please address your requests to the Technical Support via the web form: www.siemens.en/industry/supportrequest

SITRAIN – Training for Industry
With our globally available training courses for our products and solutions and using innovative teaching methods, we help you achieve your goals.
More information on the training courses offered as well as on locations and dates is available at: www.siemens.en/sitrain

Service offer
Our service offer comprises, among other things, the following services:
· Product Training
· Plant Data Services
· Spare Parts Services
· Repair Services
· On Site and Maintenance Services
· Retrofit and Modernization Services
· Service Programs and Agreements
Detailed information on our service offer is available in the Service Catalog: https://support.industry.siemens.com/cs/sc

Industry Online Support app Thanks to the "Siemens Industry Online Support" app, you will get optimum support even when you are on the move. The app is available for Apple iOS, Android and Windows Phone: https://support.industry.siemens.com/cs/ww/en/sc/2067


9.2 Links and literature

Table 9-1
No. Topic
\1\ Siemens Industry Online Support https://support.industry.siemens.com
\2\ Link to the entry page of the application example https://support.industry.siemens.com/cs/ww/en/view/49368181
\3\ Compatibility tool https://siemens.com/kompatool
\4\ Where do you obtain technical support for the configuration of a virtual SIMATIC PCS 7 / WinCC System? https://support.industry.siemens.com/cs/en/en/view/109749129
\5\ SIMATIC Virtualization as a Service https://support.industry.siemens.com/cs/ww/en/sc/3095
\6\ VMware Compatibility Guide https://www.vmware.com/resources/compatibility/search.php
\7\ Minimum system requirements for installing ESXi/ESX (1003661) http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003661
\8\ Best practices to install or upgrade to ESXi 6.0 (2109712) https://kb.vmware.com/s/article/2109712
\9\ Which settings should you make when an OVF export fails using the "VMware vSphere Client" application? https://support.industry.siemens.com/cs/ww/en/view/98158088
\10\ How do you configure a Virtual Local Area Network (VLAN) in PCS 7? https://support.industry.siemens.com/cs/ww/en/view/66807297
\11\ Manual for vSphere monitoring and performance https://www.vmware.com/support/pubs/
\12\ What diagnostics options are available for WinCC and PCS 7 OS? https://support.industry.siemens.com/cs/ww/en/view/48698507
\13\ Modifying the Hardware Abstraction Layer (HAL) for a Windows virtual machine (1003978) https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003978
\14\ Troubleshooting a converted virtual machine that experiences poor performance (1013857) https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1013857
\15\ Troubleshooting ESX/ESXi virtual machine performance issues (2001003) https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2001003
\16\ Configuring VMDirectPath I/O pass-through devices on a VMware ESX or VMware ESXi host (1010789) http://kb.vmware.com/kb/1010789
\17\ SIMATIC NET: PC Software SIMATIC NET PC Software V14 SP1 > Installation, configuration of SIMATIC NET CPs in a VMware vSphere server (ESXi) https://support.industry.siemens.com/cs/ww/en/view/77377602
\18\ DIGI AnywhereUSB http://www.digi.com/products/usb/anywhereusb#docs
\19\ vApp Deployment and Configuration Guide https://www.vmware.com/pdf/vcops-vapp-585-deploy-guide.pdf
\20\ VMware Knowledge Base https://kb.vmware.com/selfservice/microsites/microsite.do
\21\ Performance Best Practices for VMware vSphere 6.0 https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-perfbest-practices-vsphere6-0-white-paper.pdf
\22\ Time synchronization - Time synchronization in the automation environment https://support.industry.siemens.com/cs/ww/en/view/86535497
\23\ Which security precautions help against unauthorized access in the SIMATIC PCS 7 / WinCC environment? https://support.industry.siemens.com/cs/ww/en/view/44443744
\24\ vmware Security Response Policy https://www.vmware.com/support/policies/security_response

9.3 Change documentation

Table 9-2
Version Date Modification
V1.0 07/2015 First version
V2.0 08/2018 Reworking
