VMware

09/10/2009

SRM and View

Tommy Walker, Global Desktop Architect with VMware, has been working with EMC to produce some documentation on how to implement SRM with View. Below is the culmination of all that hard work. Thank you Tommy and EMC!

 

Disaster recovery for VMware View is a topic that is often discussed as desktop virtualization enables many options that are not present in the physical world.  Whenever someone thinks of disaster recovery and VMware they immediately think of VMware vCenter Site Recovery Manager as a tool to help them achieve this.  Currently VMware View and SRM are not compatible out of the box.  EMC and VMware have been working on both manual processes and now a fully scripted approach to delivering this solution.  The attached links will lead you to a blueprint for walking through the process and soon the scripts to test this in your own environment.

 

This is an advanced series of steps and scripting so please test in a non-production environment.  This is in the early stages of development and there will continue to be enhancements in both SRM and View to allow tighter integration.  This is just one example of how these technologies can work together using multiple recovery plans and augmented scripting work flows.

 

http://www.vdi.com/upload_desc.php?user=57&upid=38   Blueprint PDF


06/05/2009

View Thin Client Feature Matrix

I keep getting asked this question and it's a tough one to answer. It really depends on the Thin Client OS. So in looking around and asking around, my German cohort Christoph Dommermuth came up with this fantastic matrix. So here you go!

    View Client for Windows  
W2k Xppro Xpe Vista
Function
USB Redirection x x x
Multimedia Redirection x x x
Virtual Printing x x x x
CAC/ Smart Card x x x x
Broker SSL tunneling x x x x
Broker direct mode x x x x
Requirements
Browser
Java JRE
RDP Included in the OS, 
6.x is the best choice due to performance reasons

    View for Linux   View Open Client   View Web-Access
Windows Linux Mac
Function
USB Redirection 3.1
Multimedia Redirection 3.1 x
Virtual Printing
CAC/ Smart Card 3.1 3.1
Broker SSL tunneling x x x x x
Broker direct mode x x x x x
Requirements
Browser Internet Explorer Firefox Firefox or Safari
Java JRE 1.5 or 1.6 1.5 or 1.6
RDP rdesktop rdesktop OS integrated rdesktop RDC 2.0
Additional Information Only from certified
TC vendors
Administrative rights needed for installation







05/27/2009

VMware View - Client Information Variables


Among the many cool things you can do with View 3.1 is the ability to pass information about the client into the VM. You can now pass the client name, IP address and MAC into the VM. A big thank you to Todd D for all the heavy lifting with this post!

This information is sent to the View agent running in the VM and is stored in the registry.

HKCU\Volatile Environment
ViewClient_Machine_Name: TC01
ViewClient_IP_Address: 10.10.10.1
ViewClient_MAC_Address: 0a:0a:0a:0a:0a:0a

This information can be gathered every time you log in, so if a user changes location you can see that change in the variables. A script that reads it can be run through CommandsToRunOnConnect once the VDM_AGENT.ADM template has been configured in your AD and you have assigned the policies for the CommandsToRunOnConnect and/or CommandsToRunOnReconnect option.

Here is an example of how it can be used. Values on the guest VM should be as follows:

HKLM\Software\Policies\VMware, Inc.\VMware VDM\Agent\Configuration\CommandsToRunOnConnect
Command1="wscript.exe c:\reconnectscript.vbs"

HKLM\Software\Policies\VMware, Inc.\VMware VDM\Agent\Configuration\CommandsToRunOnReconnect
Command1="wscript.exe c:\reconnectscript.vbs"

Then write the script to look something like the following. The below will pop the information up in a small window:

-------------------------------------------------
Begin Script
-------------------------------------------------
' Registry hive constant used by the WMI StdRegProv provider
Const HKEY_CURRENT_USER  = &H80000001

' Connect to the local registry provider through WMI
Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
Set wmiNameSpace = wmiLocator.ConnectServer(".", "root\default")
Set objRegistry = wmiNameSpace.Get("StdRegProv")

' The View Agent writes the client details here for each session
sPath = "Volatile Environment"

' GetStringValue returns 0 on success and places the data in the last argument
lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_Machine_Name", vMachine)
lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_IP_Address", vIP)
lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_MAC_Address", vMAC)

' Show the values in a small window
msgbox "The Remote Device Name is " & vMachine & " @ " & vIP & " (" & vMAC & ") "

-------------------------------------------------
End Script
-------------------------------------------------

The idea is that now I can pass that information to applications that could map things like printers to an actual location that the user is coming in from. The possibilities are endless. Enjoy.
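One way to use these values for location-based printer mapping, as an added example that is not part of the original post. The ViewClient_* values are reported by the client device and sit under HKCU, which the logged-on user can write, so the script validates them first and uses them only for convenience, not for access decisions. It assumes PowerShell 2.0 or later in the guest; the subnet-to-printer table, the share names and the function names are hypothetical.

```powershell
# Added example. Hypothetical lookup table: first three octets of the client IP -> printer share.
$PrinterBySubnet = @{
    '10.10.10' = '\\printsrv\floor1'
    '10.10.20' = '\\printsrv\floor2'
}

function Get-ViewClientInfo {
    # Read the per-session values the View Agent writes under HKCU\Volatile Environment.
    $p = Get-ItemProperty -Path 'HKCU:\Volatile Environment' -ErrorAction SilentlyContinue
    return @{
        MachineName = [string]$p.ViewClient_Machine_Name
        IPAddress   = [string]$p.ViewClient_IP_Address
        MACAddress  = [string]$p.ViewClient_MAC_Address
    }
}

function Test-ViewClientInfo {
    param([hashtable]$Info)
    # Returns the list of malformed fields; an empty list means all three are well formed.
    # The accepted machine-name character set is an assumption; tighten it to your naming scheme.
    $problems = @()
    if ($Info.MachineName -notmatch '^[A-Za-z0-9_.-]{1,63}$') { $problems += 'machine name' }
    if ($Info.MACAddress -notmatch '^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$') { $problems += 'MAC address' }
    $octets = ([string]$Info.IPAddress).Split('.')
    $bad = @($octets | Where-Object { $_ -notmatch '^[0-9]{1,3}$' -or [int]$_ -gt 255 })
    if ($octets.Count -ne 4 -or $bad.Count -gt 0) { $problems += 'IP address' }
    return ,$problems
}

function Resolve-ClientPrinter {
    param([hashtable]$Info)
    # Map a validated client IP to a printer share; $null when invalid or not in the table.
    $problems = Test-ViewClientInfo $Info
    if ($problems.Count -gt 0) {
        Write-Warning ('Ignoring client info, malformed: ' + ($problems -join ', '))
        return $null
    }
    $subnet = $Info.IPAddress.Split('.')[0..2] -join '.'
    return $PrinterBySubnet[$subnet]
}

# Constructed sample values; the first set is the one shown in the post.
$samples = @(
    @{ MachineName = 'TC01'; IPAddress = '10.10.10.1';   MACAddress = '0a:0a:0a:0a:0a:0a' },
    @{ MachineName = 'TC02'; IPAddress = '10.10.10.999'; MACAddress = '' }
)
foreach ($s in $samples) {
    $printer = Resolve-ClientPrinter $s
    if ($printer) { '{0} -> {1}' -f $s.MachineName, $printer }
    else          { '{0} -> no printer mapped' -f $s.MachineName }
}

# In a connect script, use the live values instead of the samples:
#   $printer = Resolve-ClientPrinter (Get-ViewClientInfo)
#   if ($printer) { (New-Object -ComObject WScript.Network).AddWindowsPrinterConnection($printer) }
```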

VMware View 3.1 Available Now

VMware View 3.1 Download

Release Notes

View Manager 3.1 includes the following enhancements:

  • Performance Improvements - Login times are significantly improved and server utilization is reduced.
  • Automated LDAP Data and View Composer Database Backup - You can now configure automated backup of LDAP data and View Composer databases in View Administrator, enabling disaster recovery.
  • Client Information - Information about the client device that the end user is connecting from is now provided for the desktop session as registry settings. This enables customers to use third party tools or create custom scripts to map local printers to devices. The information available includes the device name, IP address, and MAC address.
  • Improved Logging - Debug logs are now enabled by default. Logging has been improved to provide more informational messages with minimal performance impact.
  • Edit Desktop Wizard Navigation - Improved wizard navigation enables you to quickly modify existing desktop pools.
  • USB Improvements - View 3.1 offers more reliable and broader device support with reduced bandwidth consumption. A separate TCP/IP stream is used.
  • Multimedia Redirection (MMR) for Windows Vista - MMR is now supported in Windows Vista environments. MMR technology delivers the multimedia stream directly to the client using an RDP virtual channel instead of decoding and rendering it with RDP. This enables full fidelity playback in View Client.
  • Adobe Flash Bandwidth Reduction - The Adobe Flash bandwidth reduction feature improves end-user productivity when browsing Adobe Flash content.
  • Multi-Protocol Support - View Client can now use HP Remote Graphics Software (RGS) as the display protocol when connecting to HP Blade PCs, HP Workstations, and HP Blade Workstations. The connection is brokered by View Manager. HP RGS is a display protocol from HP that allows a user to access the desktop of a remote computer over a standard network. VMware View 3.1 supports HP RGS Version 5.2.5. VMware does not bundle or license HP RGS with View 3.1. Please contact HP to license a copy of HP RGS software version 5.2.5 to use with View 3.1. This release does not support HP RGS connections to virtual machines.

05/20/2009

GINA chaining with View

There are several reasons why you might need several GINAs when using View. The problem is that how to actually chain them together and make it work is not well documented. So here is a quick post on how to do that.

Verify the View GINA is the Winlogon GINA.

HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL:
"C:\Program Files\VMware\VMware View\Agent\bin\wsgina.dll"


Note: You will need to create the VdmGinaChainDLL string value, as it does not exist. Under the following registry key, create VdmGinaChainDLL and place the secondary GINA DLL name in it.

HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\VdmGinaChainDLL:
yourotherGINA.dll

Sometimes the chaining GINA will still call the MSGINA afterwards. Here is an example.

HKey_Local_Machine\Software\Novell or Sentillion or whatever\I put my GINA here key\SomethinglikeLoadGinaDLL = msgina

Now you may ignore the no longer used key: HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WSGINA

There you go, you are now GINA chaining, enjoy. Thank you to Andrew and his customer for the heavy lifting on this one!


Novell and View

Running Novell eDirectory with View is problematic and not supported. However, here is how you do it if you feel so inclined. I would like to thank a very good customer of mine, Carl Hooker, for helping me solve this riddle in his environment.

There are many customers that currently use Novell's eDirectory to access their shared drives or other useful features. Unfortunately, VMware View Manager only works with Active Directory. However, with a couple of quick settings, and a mirroring of credentials in Identity Manager, you can log into the virtual desktop with a single sign-in. Here are the steps on the actual Agent VM:

Install NW client(currently 4.91 SP5)
- Select Custom installation, click NEXT
- “Novell Distributed Print Services" should be UNCHECKED, click NEXT
- NMAS and NICI should be the only things CHECKED, Net Identity Agent should be UNCHECKED
- On next page, The only things that should be selected are:
- "REMOVE IPX if present" should be CHECKED and put a dot next to "IP ONLY"... then click NEXT
- On next page, "NDS" should have a dot next to it, click NEXT
- Click FINISH

Then,

Install the VMware Agent with the Typical Install (options to turn off Virtual Printing on install)
- Then open up the registry editor
- Go to Run -> Regedit
- Navigate to HKEY_Local_Machine\Software\Novell\Login and create the following String Values:
"TSClientAutoAdminLogon"="1"
"DefaultLocationProfile"="Default"

That’s it!   Now, assuming you have the eDirectory users mirrored in the AD, their credentials will work for either or and you’ll be able to log into the VDI.

Note:  Don’t forget to manage the remote users group on the VM to include the group or groups you have mirrored in AD, otherwise you will be blocked when trying to access the VM remotely.

So there you go. One thing to keep in mind, if this does not work please don't bother to call VMware tech support on this. They will probably politely hang up on you. Instead post here and we will work on it together and see if we can get it resolved.


04/02/2009

Vista and VMware View


While Vista is still not completely supported in every variant with all features as of this writing in a View environment today, I have many customers running it and asking for tips on how to make it run better than it does out of the box. The following are some tips you can try AT YOUR OWN RISK. These are provided as tips and suggestions only. Some you might use and others not. This is provided as thinking and discussion points for running Vista. Now that the disclaimer is out of the way, let's get started :)

 

 

First things first.  Start with the XP deployment guide found here;

http://www.vmware.com/files/pdf/resources/vmware-view-xp-deployment-guide.pdf

Read that, then read this.

 

Installing

Loading the VMware SCSI driver floppy is not needed in Vista as it was with XP. Vista is able to recognize the SCSI hardware just fine. Using the LSI Logic driver is optimal, but in seat-of-the-pants testing I have not noticed a difference. In a scaled-up environment you might.

 

Performance

 

RDP 6.2 should be used on the clients as it has added performance enhancements for Vista and Aero should you decide you would like to use it.

 

Theme

Aero utilizes advanced graphics features that do not work well across remote protocols. It also requires substantially more processing resources. Set Theme to something other than Aero from the Appearance settings for example, Vista Classic or Windows Classic.

 

This will completely disable Aero so that the end user can not turn it back on via Registry:

 

Expand and navigate to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM

 

In the right pane, there is a registry entry named ColorizationColor of type DWORD. Right click on ColorizationColor, and select Delete on the right click menu. Click on OK to confirm the deletion.

Then right click on registry value titled Composition (type DWORD) and select Modify. Change the value to 0 (by default is 1).

Restart the computer.

 

 

Disable the screen saver

Leaving on the Screen saver will cause unneeded processor usage on the Host. This should be disabled to optimize processor usage.

HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive = 0

 

Disable Superfetch

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

Set both EnableSuperfetch and EnablePrefetcher to 0.

 

Delete contents of c:\windows\prefetch after disabling and a reboot.

 

Disk Write Cache

Ensure that Write caching  on the disk is enabled. Disk properties>Hardware>Properties>Policies

 

Swap File and RAM

System Properties>Performance >Advanced>remove Pagefile

*  Delete and disable swap file if the Host has PLENTY of RAM. 768MB of RAM at least for the VM, 1024MB for advanced users. *

This can be subjective and should be played with. If the host is constrained for RAM, or applications that use a swap file are being used, then USE A SWAP FILE. This allows for the use of the Balloon driver and will optimize the use of RAM for the VMs. However, if you have plenty of RAM, try the VMs without a swap file and see how it goes.

 

Disabling ASLR will result in more memory sharing and higher RAM utilization. This will lower overall security as you will need to turn off NX in the BIOS and DEP in the OS.

 

Security

Security is a relative term and this post is about performance, not security. They rarely go together. Think twice before doing these steps if your environment is risk averse.

 

Disable Fast User switching

Via GPO;

Click Start, type gpedit.msc and press Enter

Go to the following location:

Local Computer Policy | Administrative Templates | System | Logon

Set Hide entry points for Fast User Switching to Enabled

Quit the Group Policy Editor.

Via Registry

Click Start, type regedit.exe and press Enter

Navigate to the following branch:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System

 

Create a DWORD (32-bit) Value named HideFastUserSwitching

Set the Value data for HideFastUserSwitching to 1

Quit the Registry Editor.

 

 

Windows Defender

Do you need it if you are refreshing the OS disk at every logout with View Composer? Probably not, so disable it.

Run>msconfig>Startup> Uncheck Windows Defender.

 

 

Force Ctrl+Alt+Delete for log in for security reasons using View Manager

Press start->run

Type: secpol.msc

Press enter

Expand local policies

Click Security Options

Double-click "Interactive logon: Do not require CTRL+ALT+DEL"

Check Disabled

Click OK

This will require users to press CTRL + ALT + DELETE before being presented the welcome screen. The welcome screen will still be displayed and will allow the user to select their account from a list.

 

If you would like to remove the list of accounts and force the user to type his or her username and password, you will need to change another setting inside the local security policy window:

 

Double-click "Interactive logon: Do not display last user name"

Check Enabled

Click OK

With both of these settings in place, the same functionality of the old-style "Press CTRL + ALT + DEL to login" window is achieved.

 

Usability

Disable User Account Control (UAC). Maybe, maybe not, depending on your environment and the applications being used. If using ThinApp, keep it; the apps will be running protected and in user mode, so no worries.

 

And most important of all.

VM Tools does not install automatically. So install them, they include the balloon driver and all kinds of other goodies to make the VM run better.

 

 

Call to action

By The Way, these are just my observational testing results. If you have different results on this topic please add a comment as this should be a live document. I will update as I find more information both from you the clearly superior in mind VMware customer , myself your humble servant and the entire Desktop team here at VMware.


03/30/2009

Setting up CAC or Smartcard for use with an HP Thin Client

Make sure to start with a fresh and current image. As of this writing  that is 5.1.606 revA. Load the image and confirm that the green lock in the systray comes up green after all the rebooting. If you get a red "x" do it again. Now log in as Administrator (log out while holding the left Shift key) with a password of Administrator (capital A). Go to the Control Panel > Add/Remove programs and remove any unnecessary programs. The objective here is to keep the image as simple as possible. DO NOT REBOOT, until you have committed the changes to flash by right clicking the green lock and choosing Commit. Or via a CMD window with "ewfmgr c: -commit".

 

Once loaded and everything that can be removed from Add/Remove Programs removed, review the "List of Applicable QFE's". The link is generally on the same link page as the image. Review the list to determine what QFE's might be needed in your specific environment. For example if you are not using Internet Explorer and replacing the shell with a View client it will be unlikely that the IE QFE's will be applicable and needed in your environment as IE will not be used.

 

Start by downloading the Add-on's that are needed from the QFE list to your workstation NOT the Thin Client. Create a directory for these as you will be downloading many more add-ons later. Remember, keep the image as simple as possible by removing as much as possible.

 

Once that is done go back to the main support page and look through the list for add-On's that say "Remove" in them. These are the packages that will allow you to trim down the image even more. If you are not going to use it, get the package to remove it if you have not already done so via the Add/Remove list. This is also a good time to grab the packages you will need to add, like the background image utility or wireless support.

 

If you have an Altiris deployment server then run them on the server and they should deploy themselves in the proper directories to be deployed via Altiris. Do that and then import the .bin files into the job list and deploy away.

 

 If you don't have Altiris then create a directory that you can store and organize all the packages in.  Run the packages and point them to that directory but for each one add a descriptor to the directory list. So for the background image utility add background to the directory list so it will deploy the files to "c:\altiris\background" for example.

 

After deploying the packages we need one file and need to look at another. In the RIPs folder will be a .exe. This is the file we need to run on the Thin Client. The variables needed are in a .bat file in the Scripts folder. In the .bat file will be a section that says "set PackageOptions=" with a variable after. This is the variable we will need to deploy the package manually. Also look for a commented section that says ":: Run the RIP with options". This is the actual command to run the file. Verify what needs to be run there. In some cases more than one .exe is run. This is where you would find out what the other .exe is that needs to run also. Now that you have the .exe's and the instructions to run them, load up a USB key, log into the Thin Client as Administrator and start running packages. This will be time consuming as you should commit changes to the flash after each package and reboot for each package.

 

Now that the image is clean and trim, it's time to load the CAC drivers and middleware. Drivers for any CAC readers that might attach to any of the thin clients that are deployed should be loaded on the Thin Client. Load those based on the manufacturer's instructions. Now load the ActivIdentity client to the Thin Client. Test the drivers and middleware by inserting a CAC into a reader that has been properly installed and verify that ActivIdentity is able to see the card and the certificates on the card. Then verify that Internet Explorer is able to view the certificates as well.

 

Now load the View client. If your environment has multiple certificates on your CAC then you will need to make the following change to the registry to allow the user to select the correct certificate.

 

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Client\Security\ShowCertificateSelectDialog

 

Create a REG_SZ value and set it to "true". A list of possible certificates will now be displayed every time the Client connects to a View environment with CAC enabled at the gateway.

 

If using the Sygate firewall be sure to configure for the needed ports with View (80,443 and 3389 depending on your configuration). There is a policy editor Add-On package you can download to assist with making the needed changes.

 

Next step would be the optional shell replacement found here.

http://blogs.vmware.com/view/2009/02/vmware-view-client-as-a-shell-for-xpe-and-xp-pro-clients.html

 


02/10/2009

VMware View Client as a shell for XPe and XP Pro clients

Using the Win32 View Client on XPe or XP Pro will allow you to use the full featured View client with all the bells and whistles. The problem is that it's still XP and it can be confusing to your users to have them log into one desktop just to send them to another virtual desktop. So how can we fix that? If you replace the shell with the View client you can eliminate the XP desktop, and on a boot of the client the only interface presented to a user is the View Client. This makes logging in simple and clean. The problem with just replacing the shell with the View client is that once the user exits, logs out, or just accidentally closes the client, it will not start again automatically. Below is a way to have the Client restart automatically and hide the needed command window.

The following instructions will hide the XP  desktop and present the user with just the View client and will restart if it gets closed. This was done on an HP t5730 Thin client but the process should be the same for most XPe Thin clients and even a repurposed XP Pro desktop.

Create a View.cmd file with the following.

@echo off

:View

"C:\Program Files\VMware\VMware View\Client\bin\wswc.exe"

goto View

Place it wherever you like, c:\BatchFiles for example.

Create a vbs script with the following in it. Place it wherever you like C:\BatchFiles for example.

Set WshShell = CreateObject("WScript.Shell")

WshShell.Run chr(34) & "C:\BatchFiles\view.cmd" & Chr(34), 0

Set WshShell = Nothing

Open Regedit and go to ;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Change Shell from explorer.exe to the new shell path and the Windows Scripting  command,  e.g  wscript c:\BatchFiles\view.vbs

Commit the changes to the flash drive if using XPe.

ewfmgr  c: -commit

Reboot. Enjoy the new View only interface!

Once this is done there will be no desktop for any users, including Administrator. You can still get to the Task Manager with a CTRL-ALT-DEL but the interface is gone. You can modify the Registry setting to use a specific user by logging in as that user and modifying HKEY_CURRENT_USER instead.
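Because the Winlogon Shell value now decides what every user runs at logon, it is worth checking after imaging that the value is what you set and that the scripts it launches cannot be changed by ordinary users. The following is an added example, not part of the original post; it assumes PowerShell 2.0 or later is available on the client, that it is run as Administrator, and the example paths used above. The function names and the list of trusted SIDs are choices made for this example.

```powershell
# Added example. Expected values taken from the example paths in the post.
$ExpectedShell = 'wscript c:\BatchFiles\view.vbs'
$ShellFiles    = @('C:\BatchFiles', 'C:\BatchFiles\view.vbs', 'C:\BatchFiles\view.cmd')

# SIDs allowed to hold write access: SYSTEM, built-in Administrators, CREATOR OWNER.
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0')

# Rights that let the holder change, replace or add files, plus GENERIC_WRITE and GENERIC_ALL.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriters {
    param([string]$Path)
    # One line per Allow ACE that grants write-type access to a SID outside $TrustedSids.
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $isAllow  = $r.AccessControlType -eq 'Allow'
        $canWrite = ([int]$r.FileSystemRights -band $WriteMask) -ne 0
        if ($isAllow -and $canWrite -and ($TrustedSids -notcontains $r.IdentityReference.Value)) {
            '{0}: {1} has {2}' -f $Path, $r.IdentityReference.Value, $r.FileSystemRights
        }
    }
}

function Test-ViewShell {
    # Returns a list of findings; an empty list means the shell setup matches the baseline.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings = @()
    $shell = (Get-ItemProperty -Path $winlogon).Shell
    if ($shell -ne $ExpectedShell) {          # string comparison is case-insensitive
        $findings += "Shell is '$shell', expected '$ExpectedShell'"
    }
    foreach ($f in $ShellFiles) {
        if (Test-Path -LiteralPath $f) { $findings += @(Get-UntrustedWriters $f) }
        else                           { $findings += "$f is missing" }
    }
    return ,$findings
}

$result = Test-ViewShell
if ($result.Count -eq 0) { 'View shell configuration matches the expected baseline.' }
else                     { $result }
```

A finding on the folder itself means a non-administrative account can add files next to the shell scripts; a finding on view.vbs or view.cmd means the shell every user runs at logon can be replaced.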


02/03/2009

VMware View Open Client - Now Available

Today we are announcing the release of our VMware View Open Client. This is our first open source project for VMware View. We are already working with our partners to have the VMware View Open Client integrated into their product. Releasing this in the open source community will allow for faster integration of the VMware View Open Client for our partners. VMware will not provide commercial support for the VMware View Open Client. Below are the links to the press release, product info, and feature sets.

Press Release

VMware View Open Client

Included Features:

  • Ability to create a secure tunnel using SSL
  • Support for two factor authentication with RSA SecurID
  • Novell SLETC Add-On RPM package
  • Full command line interface


    Features that are NOT included:

  • USB redirection
  • Multiple desktop sessions
  • Multimedia redirection
