Which of the following methods can be used to restrict which servers can connect to an iscsi target?


This article applies to Windows Server 2012, 2012R2, 2016, 2019, 2022

  1. Overview
  2. Setup Using Windows Server and FlashArray Management Tools
    1. Configure MSiSCSI (Part 1 of 2)
    2. Configure FlashArray Host and Volume
    3. Configure MSiSCSI (Part 2 of 2)
    4. Using CHAP with iSCSI
      1. Configure CHAP on the Windows host:
        1. Configure CHAP using PowerShell
        2. Testing Windows Server iSCSI CHAP
    5. Optimizing Latency on Windows Hosts
  3. Test Connectivity

Overview

The Pure Storage FlashArray supports the Internet Small Computer Systems Interface (iSCSI), an Internet Protocol (IP) based storage networking standard for linking data storage facilities. Using iSCSI provides access to the Pure Storage FlashArray by issuing SCSI commands over the TCP/IP network.

The screenshot below illustrates four connected Ethernet Ports (CT0.ETH6/ETH7 and CT1.ETH6/ETH7) in a Pure Storage FlashArray. These ports will be configured on the FlashArray and Windows Server for connectivity in Setup iSCSI Connectivity.


The following steps will configure the MSiSCSI Initiator Service to connect to the Pure Storage FlashArray iSCSI ports using the Windows Server management tools.

Setup Using Windows Server and FlashArray Management Tools

This section walks through the steps for configuring MSiSCSI using the Graphical User Interface (GUI) tools provided by Windows Server and Pure Storage FlashArray management interface.

Configure MSiSCSI (Part 1 of 2)

  1. Open up Server Manager. By default Server Manager starts when logging into Windows Server. 
  2. Click Tools and select iSCSI Initiator to start the MSiSCSI Initiator Service.
  3. The Microsoft iSCSI dialog will open indicating that the service is not running. Click Yes to start the service and also set it to startup automatically when the server reboots.


  4. After the MSiSCSI Initiator Service has started, the Properties dialog will open. Click the Configuration tab to retrieve the iSCSI Qualified Name (IQN).

Write down or cut-and-paste the Initiator Name value.


This step started the Microsoft iSCSI Service so that the Initiator Name, which is required for the next section, could be retrieved.

Configure FlashArray Host and Volume

Connecting a volume to a configured iSCSI host on the Pure Storage FlashArray is required before configuring MSiSCSI. If a volume is not connected, you will receive an Authorization Failure.

 


  1. Open the Pure Storage FlashArray Management interface and log into the FlashArray.
  2. Click on the Storage tab.
  3. Click on the + in the Hosts section and select Create Host.


  4. Select the newly created host, Server01, then click the Ellipsis on the top right, then click Configure IQNs.


  5. The Configure iSCSI IQNs dialog box will open. Enter the IQN from the previous section then click Add.


  6. Click on the + in the Volumes section to create a volume. For this example the name iSCSI-TestVolume with a size of 500GB is being used. A different name and size can be used.
     
  7. After creating the new volume, click the ellipsis in the Connected Volumes section and then select Connect.


  8. The Connect Volumes to Host dialog will open. Select the checkbox next to the iSCSI-TestVolume (or whatever volume name was created), then click Connect.


  9. Now the new host, Server01, is connected to the new volume, iSCSI-TestVolume, with the host port IQN set to iqn.1991-05.com.microsoft:server01.


Configure MSiSCSI (Part 2 of 2)

In this section the configuration of MSiSCSI will be continued using the iSCSI Initiator tool. 

  1. Open Server Manager
  2. Click Tools and select iSCSI Initiator to open the iSCSI Initiator Properties dialog.
  3. Click on the Discover Portal... button which will display the Discover Target Portals dialog.

These are the iSCSI Services that were configured in the Setup iSCSI on the FlashArray topic. These need to be in place before proceeding. 

4. Enter the IP Address or DNS name for the target ports on the Pure Storage FlashArray. Leave the Port default set to 3260.

Repeat Step 4 for each iSCSI service you have configured on the FlashArray. In this example there are four iSCSI services set up on the FlashArray.


5. Once all of the Target Ports have been configured the Discovery tab Target portals list should look like the below example. This could differ based on the number of iSCSI initiators that are in the FlashArray.


6. Click on the Targets tab, select the newly discovered target, and click the Connect button. This will establish a connection to the Pure Storage FlashArray iSCSI services.

Before connecting the Status will show as Inactive.


After connecting the Status will show as Connected.


If a FlashArray volume has not been connected to the host where the iSCSI Initiator Service is being set up you will see the error, Authorization Failure. 


This is the same FlashArray iSCSI Qualified Name (IQN) that can be seen from the FlashArray management interface.


7. Select the newly connected Discovered target and click the Properties... button to add sessions to the connection.


8. The Properties dialog will open. Click Add session, this will open up the Connect to Target dialog.

Best Practice: For best performance out of a single host, eight (8) iSCSI sessions are recommended. A session is normally created for every target port where a host is connected. If the host is connected to fewer than eight (8) paths, additional sessions can be configured going to the same target ports.


9. Click Enable multi-path then click Advanced... button.


10. In the Advanced Settings dialog select the Microsoft iSCSI Initiator from the Local adapter dropdown. Select the appropriate IP Address from the Initiator IP dropdown. Select the Target portal IP from the dropdown that will map to the Initiator IP. 

Repeat Step 9 for all of the Initiator IPs and map to their appropriate Target portal IP.


11. After completing the setup of the Initiator IPs and Target Portal IPs, click the Favorite Targets tab and all of the configured paths should be visible. 


12. Open up the FlashArray Management interface, click the System tab, click Connections, click Host Connections, and select the host that was just configured. The Host Port Connectivity should show Redundant connections. 


If the deployed switches in the fabric support changing the Maximum Transmission Unit (MTU) from 1500 to 9000 (referred to as Jumbo Frames), this can be accomplished using the FlashArray Management GUI, or by running the Windows PowerShell cmdlets from the Pure Storage PowerShell SDK. 

Using the FlashArray Management GUI

  1. Click on Settings on the left menu.
  2. Click on Network on the top menu.
  3. Find the iSCSI Network interfaces and click on the Edit icon located at the end of the row.
  4. Change the MTU size and click on Apply.

Using the PowerShell SDK

PS >$FlashArray = New-PfaArray -EndPoint 10.21.201.57 -Credentials (Get-Credential) -IgnoreCertificateError
PS >Get-PfaNetworkInterfaces -Array $FlashArray | Format-Table -AutoSize

subnet name     enabled mtu  services      netmask       slaves               address                 hwaddr            speed
------ ----     ------- ---  --------      -------       ------               -------                 ------            -----
       ct0.eth0 True    1500 {management}  255.255.255.0 {}                   10.21.201.55            24:a9:37:00:38:8f 1000000000
       ct0.eth2 False   1500 {management}  64            {}                   2620:125:9004:2021::200 24:a9:37:00:38:8e 1000000000
       ct0.eth3 False   1500 {management}                {}                                           24:a9:37:00:38:91 10000000000
       ct0.eth6 True    9000 {iscsi}       255.255.255.0 {}                   10.21.201.59            90:e2:ba:4d:75:51 10000000000
       ct0.eth7 True    9000 {iscsi}       255.255.255.0 {}                   10.21.201.61            90:e2:ba:4d:75:50 10000000000
       ct1.eth0 True    1500 {management}  255.255.255.0 {}                   10.21.201.56            24:a9:37:00:39:07 1000000000
       ct1.eth2 False   1500 {management}  64            {}                   2620:125:9004:2021::201 24:a9:37:00:39:06 1000000000
       ct1.eth3 False   1500 {management}                {}                                           24:a9:37:00:39:09 10000000000
       ct1.eth6 True    9000 {iscsi}       255.255.255.0 {}                   10.21.201.60            90:e2:ba:53:ba:19 10000000000
       ct1.eth7 True    9000 {iscsi}       255.255.255.0 {}                   10.21.201.62            90:e2:ba:53:ba:18 10000000000
       replbond True    1500 {replication} 255.255.255.0 {ct1.eth2, ct0.eth2} 10.21.201.58            92:76:9c:80:b9:77 0
       vir0     True    1500 {management}  255.255.255.0 {}                   10.21.201.57            8e:85:63:ff:fd:dd 1000000000
       vir1     False   1500 {management}  64            {}                   2620:125:9004:2021::202 ce:f6:e1:ed:26:ec 1000000000

PS >Set-PfaInterfaceMtu -Array $FlashArray -Name 'ct0.eth6' -Mtu 9000
PS >Set-PfaInterfaceMtu -Array $FlashArray -Name 'ct0.eth7' -Mtu 9000
PS >Set-PfaInterfaceMtu -Array $FlashArray -Name 'ct1.eth6' -Mtu 9000
PS >Set-PfaInterfaceMtu -Array $FlashArray -Name 'ct1.eth7' -Mtu 9000

Using CHAP with iSCSI

When using the Challenge Handshake Authentication Protocol (CHAP) with an iSCSI target, it can be a connection that is bi-directional (or "mutual"), which means that the initiator and target both do authentication. Alternatively, it can be a one-way connection which has only the target authenticating to the initiator.

For more information on using CHAP with FlashArray, please see this article.
For more general information on Windows Server iSCSI, please refer to this Microsoft documentation.

Configure CHAP on the Windows host:

For Windows Server 2008 R2:

Administrative Tools > iSCSI Initiator > Discovery > Advanced
Enter inbound values when adding a target portal. If using a bi-directional (mutual) connection, use the General > Secret area in the iSCSI Initiator Properties dialog to specify a value.

For Windows Server 2012 and later:

Server Manager > Dashboard > Tools > iSCSI Initiator > Targets > Discovery > Advanced
Enter inbound values when adding a target portal. If using a bi-directional (mutual) connection, use the Configuration > CHAP area in the iSCSI Initiator Properties dialog to specify a value.

As a best practice, you should not use a password for CHAP authentication that has hexadecimal characters.

Configure CHAP using PowerShell

Create an iSCSI connection to a target with one-way authentication.

Connect-IscsiTarget -NodeAddress iqn.1991-05.com.microsoft:rx-7-iscsitarget01-target -AuthenticationType ONEWAYCHAP -ChapUsername "username" -ChapSecret "123456789012345" -IsPersistent $True

Create an iSCSI connection to a target with bi-directional (mutual) authentication.

Connect-IscsiTarget -NodeAddress iqn.1991-05.com.microsoft:rx-7-iscsitarget01-target -AuthenticationType MUTUALCHAP -ChapUsername "username" -ChapSecret "123456789012345" -IsPersistent $True
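
A hardened variant of the one-way CHAP command above, as an added example that is not part of the original article: it prompts for the secret instead of embedding it in the command line, then uses Get-IscsiSession to flag any session to the target that was established without authentication. The IQN and user name reuse the article's sample values, and the 12 to 16 character length check is an assumption about what the Microsoft initiator accepts without IPsec.

```powershell
# Added example (not from the original article). The IQN and user name reuse the
# article's sample values; replace them with your own.
$TargetIqn = 'iqn.1991-05.com.microsoft:rx-7-iscsitarget01-target'
$ChapUser  = 'username'

# Prompt for the secret so it is not stored in a script or in command history.
$secure = Read-Host -Prompt "CHAP secret for $ChapUser" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Assumption: 12-16 characters, the range the Microsoft initiator accepts without IPsec.
if ($plain.Length -lt 12 -or $plain.Length -gt 16) {
    throw "CHAP secret must be 12-16 characters; got $($plain.Length)."
}

try {
    Connect-IscsiTarget -NodeAddress $TargetIqn -AuthenticationType ONEWAYCHAP `
        -ChapUsername $ChapUser -ChapSecret $plain -IsPersistent $true -ErrorAction Stop |
        Out-Null
}
finally {
    # Drop the plaintext copy as soon as the cmdlet returns.
    Remove-Variable -Name plain
}

# Report every session to this target, including how it authenticated.
$sessions = @(Get-IscsiSession | Where-Object { $_.TargetNodeAddress -eq $TargetIqn })
$sessions |
    Select-Object TargetNodeAddress, InitiatorPortalAddress, AuthenticationType, IsConnected, IsPersistent |
    Format-Table -AutoSize

# Flag sessions that negotiated no authentication at all.
$unauthenticated = @($sessions | Where-Object { $_.AuthenticationType -eq 'NONE' })
if ($unauthenticated.Count -gt 0) {
    Write-Warning "$($unauthenticated.Count) session(s) to $TargetIqn are using no CHAP authentication."
}
```

A session reported with AuthenticationType NONE means the target accepted the login on the initiator IQN alone, so CHAP is not being enforced for that host on the array side.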

Optimizing Latency on Windows Hosts

The Windows operating system incorporates a TCP/IP setting called the Delayed Acknowledgement feature. By changing the default settings, you could possibly reduce the amount of overall network latency when using iSCSI connections. This is a recommended practice; however, the setting changes should be tested in your environment before altering a critical production system.

Please refer to this iSCSI Best Practices article for settings and scripts to assist you with creating or changing these settings.

Configuring Volumes with Windows Server

Refer to the below article for configuring volumes with Windows Server.

  • Working with Volumes on a Windows Server Host

Test Connectivity

To test the connectivity from the host to the FlashArray, you can use DISKSPD for a basic plumbing test. DISKSPD is a storage load generator/performance test tool from the Microsoft Windows, Windows Server, and Cloud Server Infrastructure Engineering teams.

DISKSPD is not recommended for performance testing. The use case mentioned here is to simply test the connectivity to the FlashArray.

Running diskspd with the below example command line will generate I/O to evaluate connectivity. The <DriveLetter> placeholder in the command line should be replaced with the drive letter of the newly connected volume. To learn how to set up a drive letter for a newly connected volume see Working with Volumes on a Windows Server Host.

.\Diskspd.exe -b8K -d3600 -h -L -o16 -t16 -r -w30 -c400M <DriveLetter>:\io.dat

The results of the plumbing test should generate similar output as below.


The host can also be monitored using the Purity CLI with the below command. 

pureuser@myarray-ct0:~# purehost monitor --balance
Name      Time                     Initiator WWN  Initiator IQN                       Target       Target WWN  Failover  I/O Count  I/O Relative to Max
Server01  2017-06-07 09:30:06 PDT  -              iqn.1991-05.com.microsoft:server01  (primary)    -           -         500187     99%
                                                  iqn.1991-05.com.microsoft:server01  (secondary)  -                     506741     100%

What name format is used to specify the iSCSI targets that are permitted to connect to an iSCSI initiator?

IQN: You can specify the IQN of the machine that has an iSCSI initiator. IQN is a qualified name of the iSCSI. The format of the IQN is “. .

What is the underlying network protocol used by iSCSI storage network?

The SNIA dictionary defines Internet Small Computer Systems Interface (iSCSI) as a transport protocol that provides for the SCSI protocol to be carried over a TCP-based IP network, standardized by the Internet Engineering Task Force and described in RFC 3720.

What protocol can be used in Windows Server 2016 to discover network based iSCSI devices?

The iSNS protocol can be used in Windows Server 2016 to discover network-based iSCSI devices.

How does the iSCSI target server make storage available to iSCSI initiators?

iSCSI works by transporting block-level data between an iSCSI initiator on a server and an iSCSI target on a storage device. The iSCSI protocol encapsulates SCSI commands and assembles the data in packets for the TCP/IP layer. Packets are sent over the network using a point-to-point connection.