VMware vSphere

Hi,

I have read the recent KB about the EOGA for VSphere ESXi https://kb.vmware.com/s/article/2107518

I have recently installed VSphere ESXi 7 (at Hetzner) with a free license that has no expiration date and features 'Up to 8-way virtual SMP' according to the web interface's Licensing screen.

Although I've used ESXi in many years past, I'm a bit out of touch with the licensing and costs now and especially re: the news of EOGA.

What I can't seem to get clarity on is:

1) Despite the EOGA, will I continue to be able to get security updates for VSphere ESXi 7+ and a free license, and for how long - https://endoflife.date/esxi suggests the EOL for ESXi 7 was April 2025. Is this still honored? Basically, does EOGA apply for existing installs in terms of security updates, or just you can't install the free edition anymore going forward?

2) My machine has 24 cores. If I was to purchase a VSphere 7 license, am I right in understanding it is $50 US/per core/yr, so $1200 per year? Is there a minimum term?

3) Can I just assign such a new purchased license to my VSphere 7 ESXi install or will I need to reinstall from scratch?

4) Are discounts offered for registered non-profits in the US?

Thanks!

Hello. Broadcom acquired VMware, which has produced several changes around licensing and its products (December 2023)

The Free vSphere Hypervisor is no longer available. Therefore, free licenses for this product can no longer be obtained.

The paid versions ESXi 7 and 8 continue with their support scheme. There are no longer perpetual licenses, it has been migrated to a software subscription scheme. It is very likely that the new patches for version 7 or 8 will no longer be compatible for the free license.

The license change is always online in ESXi and does not require any reinstallation.

If you have a free license you are very lucky and could continue using it, since it was perpetual. I simply couldn't apply new patches..

VMware always offered special discounts for educational centers, government and GMOs, but now you should consult with a VMware distributor, things are changing at VMware.

do you have any further information regarding patching an esx with free license ?

does this mean i cannot patch current existing installations ?

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3o-release-notes/index.html

https://www.vladan.fr/upgrade-vmware-esxi-to-7-0-u3-via-command-line/

This last batch of patches is prior to VMware's announcement, it should be applied without problems in its free license, but it would be best to carry out tests on another computer, installing its ESXi 7 version (with its free license) and then apply the batch of patches ( U3o) and validate that the free lic is still active.

good luck with your updates.

Thank you - i thought you have information about that the free license will be deactivated.

yesterday i have installed a virtual esxi 8 with free license. with this esx i will test new patches before rollout to customers

Thanks for the heads up.

I'm so glad I've save all installers and patches since vSphere 6. Y'know? Earlier at the end of last year I was about to delete the older ones to free space since they take quite a bit of space, I'm glad I didn't since I have a feeling they will disappear from the site very soon.

The server where they are stored, is also a web server, so OVAs can be deployed right into vCenter without copying files through a browser, and *hint* anybody with the URL can get them — no login, no tracking, no user agent restrictions.

Anyway, I won't happen immediately but I think Broadcom made a huge mistake, without free access to its software, it'll stop getting getting contributions from open source and VMware needs it, it's not like on its own it's that innovative, despite discontinuing support for Windows-hosted vCenter, the appliance continues to be based on Java. Without open source getting something to work on. Piracy, which I think will also became rampant (along with piracy-related opportunist malware) will only take a dev so far. Broadcom better make sure its developers are pretty well fed, rested and happy because a lot more will be riding on their shoulders now.

Hmm… in hindsight it explains why else an orchestrator web app (that's not a Microsoft product) would need a 12GB-mem VM. I stopped running both vCenter and vROps clusters bc they provided little value once network is stable. I only "wake" vCenter to move VMs, make/deploy templates, etc.

Just remember that there is a minimum of 16 cores per CPU.  So, if your 24 cores is two CPUs you will have to buy 32 cores.

I am having fun with my renewal now, and I will be paying for a bunch of cores that are not going to be used.  This is according to VMware licensing,

Do you really need security updates? I've found out that as long as you don't let a system connect to the Internet, it will be alright. I host Exchange Server, otherwise known as malware and hacker haven. It's like a honeypot. But it cannot connect to the Internet, but you can reach it from the Internet, Outlook on the Web (webmail) on it, autodiscover, Exchange Web Services, everything works. I also have domain controllers that have never gotten a security update and they're just fine.

Better than fine I'd say since they have no access to Windows Update to remotely screw them up. You just need to take really good care of your firewalls and network policies. Nothing in your network should be allowed to connect out if you don't know the reason. Ports 80 and 443, on TCP, not UDP are all you need, others ports are not needed since you should serve all services from the intranet, namely DNS, NTP, etc. and even those should be served by a second layer of servers, for instance, DNS by your domain controllers, but domain controllers (nor any Microsoft product) should be allowed to ever connect to the Internet, so they should their DNS through BIND/KnotResolver/Unbound forwarders/proxies, or place another DNS server to act as a router between Active Directory and the forwarders. Also, find lists of popular/common DoH servers to blacklist them while preemptively resolving them in one of the outer layers of DNS servers so they're blocked at the IP level too.

Use Suricata or another IDS/IPS. Don't use a firewall that claims to do all of this for you, or anything cloud-related, because they will be also collecting information "to serve you better".

It's tedious but you can go without security updates. On the flipside since this work is all done on network infrastructure, which offers many way to redirect traffic while you're working on it and none on the hypervisors themselves. So in other words, you should have to maintenance downtime.

---

 wrote:

I've found out that as long as you don't let a system connect to the Internet, it will be alright

---

This is most definitely not a correct statement.

ANY computer on your network that has internet access is a potential target, and if compromised, anything else on your network (such as your unpatched ESXi host) is fair game as well. In fact, this is exactly how most ransomware attacks work!

Readup on North,South,East,West networking to get a better understanding.

HTH