
Monthly Archives: March 2011

New Mind Map – Troubleshooting vSphere Management Issues

Here is a brand new document guaranteed to be popular—Our Mind Map for vSphere Management issues!

We have featured Mind Maps before in this blog and gotten fabulous feedback on them, so we are continuing to develop these using the latest interactive PDF document technology. These new, Flash-embedded PDFs are clickable so that you can expand sections and drill down to the problem you may be experiencing. We’re also trying to make them a little easier on the eyes.  Let us know what you think of the new look.

Today’s Mind Map details our Resolution Paths for vSphere Management issues. If you recall, a Resolution Path is a collection of KB articles sequenced in a specific order to resolve a specific issue. Since many steps are repeated for different problems, we create separate articles for those steps and reuse them as needed.

Please help us spread the word on this – These are some of our most common issues that customers face.

Troubleshooting vSphere Issues
Click here to open the download page

Using The PCoIP Secure Gateway to extend PCoIP Connections

by Hasan Mahmood

In VMware View 4.5 and earlier, PCoIP connections were restricted to internal connections or connections through VPN, as a direct connection was required between the Client and the View Desktops. Starting with VMware View 4.6 we have the ability to use PCoIP connections from outside the firewall. This version allows us to connect to the View Desktops on port 4172 through the server that is running the PCoIP Secure Gateway. Who says we don’t listen to our customers!

The PCoIP Secure gateway can be run on the Security Server or the Connection Broker. You can have multiple PCoIP Secure gateways running. Any Security Server or Connection broker that will run the PCoIP Security Server is required to run Windows 2008 R2 64 bit. With a properly configured PCoIP Secure Gateway, PCoIP traffic is passed through the gateway between the View Client and the View Desktop allowing for a single IP address/port to be opened in the firewall to allow PCoIP communications.

The PCoIP Secure Gateway must be run on the server where the clients will be connecting: for external users it will be the Security Server, and for internal users it will be the Connection Server. Internal users are not required to use a gateway server for PCoIP; however, it may be required if there is no direct connection possible between the clients and the View Desktops. Also note that the use of the PCoIP Secure Gateway is configured from a Connection Server and applies to a Connection Server and Security Server pair. Where there is only one Connection Server and Security Server, all users, both external and internal, will need to use the PCoIP Secure Gateway, and the gateway must be run on both the Connection Server and the Security Server.

When configuring a PCoIP Secure Gateway, one must keep in mind that the gateway uses port 4172 for remote console connection while the USB traffic is diverted through port 443 for VMware View Clients. Thin Clients use port 4172 for all communication. The PCoIP Secure Gateway configuration requires two parameters: External URL and PCoIP External URL. On the Security Server the External URL is a URL that is resolvable from the locations the clients are connecting from. It is the firewall IP that is forwarded to the Security Server.

The PCoIP External URL must be provided as an IP address. This can be the same firewall IP for the External URL. Connections from the outside on port 443 (TCP) and 4172 (TCP, UDP) must be open.

When configuring PCoIP on a Connection Server, the External URL and PCoIP External URL refer to the DNS name of the Connection server. The requirement that the PCoIP External URL be specified as IP address also applies.

When using the Security Server as the PCoIP Secure Gateway in a DMZ, the firewall must be configured so that the Security Server can connect to all the View desktops on port 4172 and 32111. There are other firewall rules you need to follow as well. Consult the View Architectures Planning for complete details.

VMware KB articles Configuring PCoIP Secure Gateway in VMware View 4.6, Troubleshooting PCoIP Secure Gateway (PSG) issues and VMware View Administration are useful in configuring and troubleshooting PCoIP Secure Gateway.

When the Knowledge Base is not enough: Desktop edition

by Stephen Gardner

It might sound strange coming from the VMware Knowledge Management Team, but the VMware Knowledge Base should not be your only stop for self-help. In fact, as a veteran Support Insider, I’d like to tell you about a few other places you should be checking in your quest for information. (In keeping with the Support Insider theme, this is actually adapted from an email I sent to the rest of my support team a few weeks ago!)

Check the Help menu!

Your first stop, when you have a question about the product or how it works, should be the product’s own Help menu.

Yes, I know that’s hard to believe – I can’t believe I’m saying it! I’ve struggled with plenty of products’ help systems that just have next to nothing in them. Luckily, VMware help is usually better than that. I’ll give some specific examples:

Workstation and ACE

Our published documentation is here: http://www.vmware.com/support/pubs/ws_pubs.html

It includes:

  • Release notes – good for seeing known issues, new features, etc.
  • Product manuals, in PDF form. (These are the same as the in-product help)
  • The Workstation and ACE Online Library. This is also the same as the in-product help, but it’s in HTML format. It has an index, and it’s easily searchable. For instance, searching for “team”, you can find these instructions for creating a team: http://pubs.vmware.com/ws71_ace27/ws_user/ws_team_create.html
  • The Guest Operating System Installation Guide – this guide tells you how to install each of our supported OSes. There’s both a PDF version and an HTML one.
  • A link to the VMware Compatibility Guide, a searchable database that tells you which host OSes and guest OSes are supported for the various Workstation versions.
  • PDF guides for things like vmrun, virtual disk manager, vmware disk mount, and more – I’m not linking here, because I don’t want to spoil it for you.

Also available from the published documentation page, but hidden in the header, is a link to the Workstation and ACE Technical White Papers. These papers have more of the theory and background that go into our products, such as the one on Understanding Full Virtualization, Paravirtualization, and Hardware Assist, but there are also some practical guidelines like Best Practices for Setting Up VMware ACE 2.0 Enterprise Edition. There are 17 more white papers there, so have a look!

The VMware Workstation Community is thriving, with lots of knowledgeable folks answering lots of hard questions (and some easy ones, too). The discussions are worth joining if you want to share your knowledge, or take advantage of someone else’s. Often overlooked, however, is the Documents area of the community. Users post procedures, guidelines, answers to commonly-asked questions, and some genuinely interesting information there. If you’re wondering if someone else has tried to do what you’re trying to do, this is the place to check.

VMware Fusion

Our published documentation is here: http://www.vmware.com/support/pubs/fusion_pubs.html

It includes:

  • Release notes – good for seeing known issues, new features, etc.
  • The Getting Started guide, which explains how to install Fusion and the Guest OS
  • A PDF for vmrun, a utility for managing your virtual machine.

It does not include Fusion help. This is currently available only from within the product, but I’m working to change that. The Fusion help has answers to common questions, like how to set up and use the Applications menu (see the Help topic Using the VMware Fusion Applications Menu), or what the different options are concerning the virtual CD/DVD drive (see the Help topic Add a CD/DVD Drive).

You may find it helpful to look at the published Workstation documentation, as some of the linked documents and sites (like the VMware Compatibility Guide) are also applicable to Fusion.

The VMware Fusion community is even better than the Workstation community, especially when it comes to the Documents section. VMware staff and users have written some very informative guides, answering common questions and exploring some unsupported areas.

All products

Finally, there are some good non-VMware resources. They are worth mentioning because not all problems you run into while using VMware products are necessarily due to the VMware product… So, if you have a question about your host or Guest OS, don’t forget to check their documentation! For instance:

  • Windows: Microsoft has their own Knowledge Base and product Solution Centers, accessible here: http://support.microsoft.com/ I search their KB, and check the Vista and 7 areas, just about every day. I also check TechNet when I have a question about a server OS, or something more in depth (memory management, and environment variables, most recently).
  • Mac OS: Apple has a whole lot of documentation, articles, and resources: http://www.apple.com/support/ Either click through the page to find out what you want, or use the Searchlight-like search box to find exactly what you need. (Be sure to wait for the dropdown, which offers some helpful suggestions!)
  • Ubuntu: Canonical publishes some great documentation, both officially-created and community-sourced, here: https://help.ubuntu.com/
  • OpenSUSE: There’s a very nice wiki here: http://en.opensuse.org/Main_Page
  • Red Hat: There’s some good documentation available, but most of it is behind a customer login: https://access.redhat.com/knowledge/

Is there a topic you’re looking for documentation on, but can’t find? I can’t make any promises, but we’ll see what we can do!

How to configure the PCoIP Secure Gateway in VMware View 4.6

We have a new KB TV video for you today on configuring the PCoIP Secure Gateway to allow PCoIP connections through the Security Server or the Connection Server.

The video complements, and is embedded in KB article 1036208 Configuring PCoIP Secure Gateway in VMware View 4.6

PCoIP Secure Gateway, introduced in VMware View 4.6, provides the functionality to pass the connection (proxy) through the Connection Server or the Security Server. Now, both the Security Server and the Connection Server can work as proxy. Security Servers are used with external connections and Connection Servers are used with internal connections.

Update Manager Mind Map

Today we have Bryan Hornstein introducing the new Mind Map for Update Manager.

VMware Update Manager is a fantastic product. It allows you to manage and patch your ESX/ESXi hosts efficiently and automatically, in a short amount of time. Instead of messing with clunky command-line interface commands, everything is in an easy to understand GUI. Tasks that would normally take hours to do can now be done within a matter of minutes. With a simple point and click Update Manager can do several tasks at once, freeing us System Administrators to do other things that our companies need us for.

With that being said, Update Manager can be very daunting to set up at first if you are not familiar with the product. Once Update Manager is set up there can be other issues that can cause it to fail if certain configurations have not been set up correctly, or verified. The idea behind these articles is to identify the most common scenarios Systems Administrators may run into, and how to easily fix them.

Before I get to the Mind Map, let me highlight a few of the KBs it covers. If you are having issues installing Update Manager or downloading and installing the plug-in that goes into vCenter Server, you will want to check out the following articles.

There are also other factors that can cause issues downloading the patches that are needed by Update Manager, your ESX/ESXi hosts, and the virtual machines themselves.  See this article for more information on troubleshooting those issues:

Finally, there are several things that need to be checked and certain configurations verified if you are having troubles staging, scanning, or upgrading an ESX/ESXi host. This can be the most common scenario that you will run into when using Update Manager. Firewalls and network configurations are usual suspects in issues like this. For help with troubleshooting these problems see the following articles:

To also assist you in navigating your issue to the right solution, we have created an interactive map of the problem you are having, and what articles can help you solve those issues. Feel free to browse the map, and become accustomed to some of the issues you may encounter when installing and using Update Manager. We hope you find these articles useful in helping you get your job done quickly and easily.

Here is the Mind Map.

Custom SSL for Virtual Center and ESX

Here is a step-by-step walk through by Tech Support Engineer Jasbinder Bhatti on how to install custom SSL certificates into your environment. These steps complement KB articles 1029944 and 1005210. We recommend you be familiar with those KB articles before you embark on this mission.


  1. Putty to the ESX Host and rename the existing key so you have backups and the ability to roll back after your new credential pair is generated and obtained from the Certificate authority.

    mv /etc/vmware/ssl/rui.key rui.keybackup

    The following is an appropriate response from ESX when generating the new key and certificate signing request:

    [root@esx001 ssl]# openssl req -new -keyout rui.key -out esx.csr
    Generating a 1024 bit RSA private key

  2. Send the csr file off to the Certificate authority and wait for the Intermediate and new server certificate (servername.crt) to be returned to you. The newly generated key will not be usable until after the new Intermediate Key and matching server certificate are received back from the Certificate authority. In the interim, rename the newly generated key for later use and restore the original backed up key as shown:

    mv /etc/vmware/ssl/rui.key rui.keynew
    mv /etc/vmware/ssl/rui.keybackup rui.key

    If you cat the rui.keynew file at this stage, once the new servername.crt and intermediate.crt files are received back from the Certificate authority, you will notice that the following lines indicate it is encrypted.

    Proc-Type: 7, ENCRYPTED
    DEK-Info: DES-EDE4-CXD,E23F5B5323EF34E4

  3. The intermediate.crt file will also need to be imported (if not already done) into the Windows Certificate Store. Check for the existence of this certificate in Internet Options >> Content on the Intermediate Certificates tab.
  4. Rename the original certificate and key files (rui.crt and rui.key) for backup purposes as shown:

    mv /etc/vmware/ssl/rui.crt rui.crtbackup
    mv /etc/vmware/ssl/rui.key rui.keybackup

  5. Rename the servername.crt and rui.keynew to rui.crt and rui.key as follows

    mv /etc/vmware/ssl/esxservername.crt rui.crt
    mv /etc/vmware/ssl/rui.keynew rui.key

  6. Reformat the x509 certificate with the commands below. Make sure you are in the /etc/vmware/ssl directory when doing so.

    openssl x509 -text -in rui.crt -out rui.text

  7. Open the file and remove all the text except the information below. In other words, you should see -----BEGIN CERTIFICATE-----, the information in between, and -----END CERTIFICATE----- when you have completed the edit.

    18788ylfhdlharelere ……………………………..

  8. Rename the rui.crt file back to servername.crt, and the rui.text file to rui.crt:

    mv rui.crt servername.crt
    mv rui.text rui.crt

  9. You will have to remove the encryption at this point with the following command:

    openssl rsa -in rui.key -out rui.key.unencripted

    At this point you will be prompted for the root password.

  10. Enter pass phrase for rui.key
  11. Rename the rui.key to rui.keynew as follows:

    mv rui.key rui.keynew

  12. Rename the rui.key.unencripted file back to rui.key as follows:

    mv rui.key.unencripted rui.key

  13. Restart the following services on the Esx Host Server as follows:

    service mgmt-vmware restart
    service vmware-vpxa restart
    service vmware-webAccess restart

  14. In Virtual Center, the server will eventually come up in a “not responding” state and will need to be disconnected then reconnected after this step. To do this:

    Right Click on the ESX Host > Select "Disconnect"

    Right Click on the ESX Host > Select "Connect"
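
A check worth running between steps 12 and 13, as an added example that is not part of the original walkthrough or the KB articles: it confirms that rui.crt was trimmed to the PEM block, that rui.key no longer carries an encryption header, and that the certificate returned by the Certificate authority actually belongs to the key. `check_ssl_pair` is a hypothetical helper name; the script uses only the `openssl x509` and `openssl rsa` subcommands already used above.

```shell
#!/bin/sh
# Added example: sanity-check the rui.crt / rui.key pair before restarting
# the management services. check_ssl_pair is a hypothetical helper name.
# Return codes: 0 ok, 1 certificate file is not clean PEM, 2 key still
# encrypted, 3 certificate or key unreadable, 4 key does not match.
check_ssl_pair() {
    cert=$1
    key=$2

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "FAIL: cannot read $cert or $key"
        return 3
    fi

    # Step 7: only the PEM block may remain, so the first and last
    # non-blank lines must be the BEGIN/END markers.
    first=$(grep -v '^[[:space:]]*$' "$cert" | head -n 1)
    last=$(grep -v '^[[:space:]]*$' "$cert" | tail -n 1)
    if [ "$first" != "-----BEGIN CERTIFICATE-----" ] ||
       [ "$last" != "-----END CERTIFICATE-----" ]; then
        echo "FAIL: $cert contains text outside the PEM block"
        return 1
    fi

    # Steps 9-12: the key must no longer carry an encryption header.
    # Covers both the traditional (Proc-Type) and PKCS#8 PEM forms.
    if grep -Eq '^(Proc-Type:.*ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$key"; then
        echo "FAIL: $key is still passphrase-protected"
        return 2
    fi

    # The CA-issued certificate must belong to this key: compare moduli.
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || {
        echo "FAIL: $cert is not a parsable certificate"; return 3; }
    key_mod=$(openssl rsa -noout -modulus -in "$key" -passin pass: 2>/dev/null) || {
        echo "FAIL: $key is not a parsable RSA key"; return 3; }
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: $cert was not issued for $key"
        return 4
    fi

    echo "OK: $cert and $key are a matching, unencrypted pair"
    return 0
}

# Usage: sh check_ssl_pair.sh /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.key
if [ "$#" -eq 2 ]; then
    check_ssl_pair "$1" "$2"
fi
```

A non-zero result means the backup files from steps 1 and 4 should be restored before the services are restarted.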

Tech Talk Episode 3 Part 1 – VMware View Discussion

Here we have another video in our on-going Tech Talk series featuring Rick Blythe and Scott Laforet.

In this episode Rick and Scott discuss VMware View. This is the first part in a three-part series which dives into various different aspects of the VMware View product. In this first installment Rick and Scott provide a high-level overview of some of the main technologies that are used within VMware View.

Be sure to keep an eye out over the next week or so for the second installment in this very informative three-part series.


Using Tags to control Location Based Access to pool Desktops

by Hasan Mahmood

Recently I was asked if it was possible to control access to a pool of View Desktops based on whether they were accessed internally or externally. That’s a good question.  Here’s what you need to know:

VMware View version 4.0 and above has a tagging feature that allows us to specify if a pool can be accessed when using a particular connection broker. Using this feature it is possible to differentiate your pools for internal or external access.

There are a few things you need to be aware of before you proceed with using tags.

  • The tags are applicable to Connection Servers only and not to Security Servers
  • Any Security Server paired to a Connection Server works exactly like the Connection Server.
  • If we have a load balancer in front of a group of Security Servers or Connection Servers, they must be tagged exactly the same.
  • A single Connection Server or pool can have multiple tags
  • Multiple Connection Servers and pools can have the same tag
  • Desktop pools that do not have any tags can be accessed through any Connection Server
  • View Connection Servers that do not have any tags can only access desktop pools that also do not have any tags.
  • Tags have higher priority than user entitlement to pools.

Keeping in mind the above parameters, let’s examine a scenario where a pool named ‘mobile-users’ needs to access the corporate network. From inside the organization, this needs to be done through Connection Servers named ‘internalCS-01’ and ‘internalCS-02’. When being externally accessed, we need to go through Security Server ‘ExternalSS-01’ which is paired to Connection Server ‘externalCS-01’.

In this case all pools that need internal access should be tagged with tag ‘internal’ and the external-pool should have two tags ‘external’ and ‘internal’.

The Connection Servers ‘internalCS-01’ and ‘internalCS-02’ should be tagged ‘internal’ and ‘externalCS-01’ should be tagged ‘external’. Users will not be able to log in until configuration of all the Connection Servers and the pools is complete.

Note: Logged in users will not be disconnected even if the new rules conflict with access.

Detailed information on Tags and Restricting View Desktop Access is available in the VMware View Administration, page 116.
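
The tag rules listed above, applied to this scenario as an added example (not part of the original post or of VMware View itself). It assumes that a tagged pool is reachable through a tagged Connection Server when they share at least one tag; `pool_visible` and `access_matrix` are hypothetical helper names, and the pools ‘office-desktops’ and ‘untagged-pool’ are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluate which pools each Connection Server can broker.
# pool_visible SERVER_TAGS POOL_TAGS -> exit status 0 if reachable.
# Tag lists are space-separated; an empty string means "no tags".
pool_visible() {
    server_tags=$1
    pool_tags=$2
    # Pools without tags can be accessed through any Connection Server.
    if [ -z "$pool_tags" ]; then return 0; fi
    # Connection Servers without tags only reach pools without tags.
    if [ -z "$server_tags" ]; then return 1; fi
    # Assumption: one shared tag is enough to allow access.
    for s in $server_tags; do
        for p in $pool_tags; do
            if [ "$s" = "$p" ]; then return 0; fi
        done
    done
    return 1
}

# Connection Servers from the scenario, as name:tags. ExternalSS-01 is
# paired to externalCS-01 and therefore behaves exactly like it.
SERVERS='internalCS-01:internal
internalCS-02:internal
externalCS-01:external'

# mobile-users is the pool from the scenario; the other two pools are
# constructed to show the internal-only and untagged cases.
POOLS='mobile-users:external internal
office-desktops:internal
untagged-pool:'

# Print one "server pool allow|deny" line per combination.
access_matrix() {
    echo "$SERVERS" | while IFS=: read -r sname stags; do
        echo "$POOLS" | while IFS=: read -r pname ptags; do
            if pool_visible "$stags" "$ptags"; then
                verdict=allow
            else
                verdict=deny
            fi
            printf '%s %s %s\n' "$sname" "$pname" "$verdict"
        done
    done
}

access_matrix
```

The untagged pool shows up as reachable from the external Connection Server, which is why every pool that must stay internal needs the ‘internal’ tag.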

Changes to Support Request Numbering at VMware

To help answer some questions about changes to Support Request numbers at VMware, we’ve produced a short video explaining the changes from a customer perspective. Specifically, VMware has changed from a 10 digit Support Request number to an 11 digit Support Request number. You can still find your support request by searching with the 10 digit support request number, but your result appears as the new 11 digit support number.


Changes to SR Numbering!

Watch out!

There is one watch point that you will want to be aware of. When you enter a legacy Support Request number in the portal, our system will pull up your original legacy case, but it will display a new 11-digit Support Request number that does not match your original legacy Support Request number. If you look at the details, you will note that all of your original case information is still available**. We have simply changed the Support Request number. So, don’t worry, we still have your Support Request data, we still have your legacy Support Request number, and you can still query by legacy Support Request number. The only change is that when you run the query, a new 11-digit Support Request number is displayed.

**Note: One small exception is that attachments added in the legacy system (prior to ~6 pm PST on 3/11) are not directly viewable; however our support staff can pull up attachments from the legacy system as needed to help resolve your Support Request.

In anticipation of the questions we expect to get, we have prepared an FAQ in the Knowledgebase to answer most of your questions: FAQs about changes to filing a support request (1034261). You can also check out our new video that touches on the changes in the article at http://kb.vmware.com/kb/1021619.

If you have any questions, please call VMware Technical Support for assistance.

We appreciate your patience during this maintenance period. These system upgrades are part of our commitment to continued service improvements and will help VMware better serve your needs.