Home > Blogs > VMware Consulting Blog > Monthly Archives: February 2015

Monthly Archives: February 2015

Use Horizon View to Access Virtual Desktops Remotely – Without a VPN

 

By Eric Monjoin and Xavier Montaron

VMware Horizon View enables you to access a virtual desktop from anywhere, anytime. You can work remotely from your office or from a cybercafé, or anywhere else as long as there is a network connection to connect you to Horizon View infrastructure. It’s an ideal solution – but external connections can be risky.

So, how do you protect and secure your data? How do you authorize only some users—or groups of users—to connect from an external network without establishing a VPN connection?

You can achieve this by relaying into an external solution like F5 Networks’ BIG-IP Access Policy Manager (APM). It can perform pre-authentication checks to end-points based on criteria like user rights, desktop compliancy, antivirus up-to-date, and more. Or, you can simply use the built-in capabilities of Horizon View, which is perfect if you are a small or medium company with a limited budget.

There are two ways to achieve this with Horizon View:

  •  Pool tagging
  •  Two-factor authentication

Pool Tagging

Pool tagging consists of setting one or more tags on each View Connection Server (see Figure 1) and restricting desktop pools using those tags to specific brokers (see Figure 2).

EMonjoin Figure 1

Figure 1. View Connection Server tagging

In the following example a tag “EXTERNAL” has been created for brokers paired with a View Security Server, and it is dedicated to an external connection with the tag “INTERNAL,” which has been created for brokers dedicated to internal connections only. Only desktop pools assigned with the “EXTERNAL” tag will be available, and will appear in the desktop pool list while connected to a broker used for external connections.

EMonjoin Figure 2

Figure 2. Desktop pools tagging

As shown in Table 1, if you fail to restrict a pool with a tag, that pool will be available on all View Connection Servers. So, as soon as you start using tags, you have to use tags for all of your desktop pools.

Connection to View Connection Server with following tags Desktop pools with following restricted tag set Pool appears in desktop pools list
EXTERNAL EXTERNAL YES
EXTERNAL INTERNAL NO
INTERNAL EXTERNAL NO
INTERNAL INTERNAL YES
INTERNAL or EXTERNAL INTERNAL and EXTERNAL YES
INTERNAL or EXTERNAL “None” YES

Table 1. TAG relationships between VCS and desktop pools

Keep in mind that when using tags, it is implied that the administrator has created specific pools for external connections, and specific pools for internal connections.

 

Two-Factor Authentication

The other method when using Horizon View is two-factor authentication. This requires two separate methods of authentication to increase security.

The mechanism is simple; you first authenticate yourself using a one-time password (OTP) passcode as seen in Figure 3. These are generated approximatively every 45 seconds depending on the solution provider. If the provided credentials are authorized, a second login screen appears (see Figure 4) where you enter your Active Directory login and password used for single sign-on to the hosted virtual desktop.

EMonjoin Figure 3

Figure 3. OTP login screen

EMonjoin Figure 4

Figure 4. Domain login screen

 

The advantages with this solution are:

  • Enhanced security You need to have the OTP passcode (the user’s token) and must know the user’s Active Directory login and password.
  • Simplicity There is no need to create two separate desktop pools – one for external connections and another for internal connections.
  • You can be selective Distribute tokens only to employees who require external access.

The most commonly and widely implemented solution is RSA Security from EMC (see below), but you can also use any solution that is RADIUS-compliant.

For more detailed information you can read the white paper “ How to Set Up 2-Factor Authentication in Horizon View with Google Authenticator.” It describes how to set up FreeRADIUS and Google Authenticator to secure external connections, and authorize only specific users or groups of users to connect to Horizon View. This solution was successfully implemented at no cost at the City Hall in Drancy, France, by its chief information officer, Xavier Montaron.

 

Sources:

F5 BIG-IP Access Policy Manager 

http://www.f5.com/pdf/white-papers/f5-vmware-view-wp.pdf

https://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm-vmware-integration-implementations-11-4-0/_jcr_content/pdfAttach/download/file.res/BIG-IP_Access_Policy_Manager__VMware_Horizon_View_Integration_Implementations.pdf

RSA SecureID

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2003455

https://gallery.emc.com/servlet/JiveServlet/download/1971-24-4990/VMware_Horizon_View_52_AM8.0.pdf

 

 


Eric MonjoinEric Monjoin joined VMware France in 2009 as PSO Senior Consultant after spending 15 years at IBM as a Certified IT Specialist. Passionate for new challenges and technology, Eric has been a key leader in the VMware EUC practice in France. Recently, Eric has moved to the VMware Professional Services Engineering organization as Technical Solutions Architect. Eric is certified VCP6-DT, VCAP-DTA and VCAP-DTD and was awarded vExpert for the 4th consecutive year.


Xavier_MontaronXavier Montaron owns a Master in Computer Science from EPITECH school and has a strong developer background. He joined Town Hall of Drancy during December 2007 in the CIO organization, and became the actual CIO since 2010. Town Hall of Drancy has been a long-time IT innovator and user of VMware technology, both for infrastructure servers as well as for VDI, where all desktops have been fully virtualized since 2011 with Horizon View. Town Hall of Drancy recently has decided to externalize all servers and VDI infrastructure and are now hosted by OVH, a global leader in internet hosting based in France.

VMware App Volumes™ with F5’s Local Traffic Manager

By Dale Carter, Senior Solutions Architect, End User Computing & Justin Venezia, Senior Solutions Architect, F5 Networks

App Volumes™—a result of VMware’s recent acquisition of Cloud Volumes—provides an alternative, just-in-time method for integrating and delivering applications to virtualized desktop- and Remote Desktop Services (RDS)-based computing environments. With this real-time application delivery system, applications are delivered by attaching virtual disks (VMDKs) to the virtual machine (VM) without modifying the VM – or the applications themselves. Applications can be scaled out with superior performance, at lower costs, and without compromising the end-user experience.

For this blog post, I have colluded with Justin Venezia – one of my good friends and a former colleague now working at F5 Networks. Justin and I will discuss ways to build resiliency and scalability within the App Volumes architecture using F5’s Local Traffic Manager (LTM).

App Volumes Nitty-Gritty

Let’s start out with the basics. Harry Labana’s blog post gives a great overview of how App Volumes work and what it does. The following picture depicts a common App Volumes conceptual architecture:

HLabana AppVolumes

 

Basically, App Volumes does a “real time” attachment of applications (read-only and writable) to virtual desktops and RDS hosts using VMDKs. When the App Volumes Agent checks in with the manager, the App Volumes Manager (the brains of App Volumes) will attach the necessary VMDKs to the virtual machines through a connection with a paired vCenter. The App Volumes Agent manages the redirection of file system calls to AppStacks (read-only VMDK of applications) or Writeable Volumes (a user-specific writeable VMDK). Through the Web-based App Volumes Manager console, IT administrators can dynamically provision, manage, or revoke applications access. Applications can even be dynamically delivered while users are logged into the RDS session or virtual desktop.

The App Volumes Manager is a critical component for administration and Agent communications. By using F5’s LTM capabilities, we can intelligently monitor the health of each App Volumes Manager server, balance and optimize the communications for the App Volume Agents, and build a level of resiliency for maximum system uptime.

Who is Talking with What?

As with any application, there’s always some back-and-forth chatter on the network. Besides administrator-initiated actions to the App Volumes Manager using a web browser, there are four other events that will generate traffic through the F5’s BIG-IP module; these four events are very short, quick communications. There aren’t any persistent or long-term connections kept between the App Volumes Agent and Manager.

When an IT administrator assigns an application to a desktop/user that is already powered on and logged in, the App Volumes Manager talks directly with vCenter and attaches the VMDK. The Agent then handles the rest of the integration of the VMDK into the virtual machine. When this event occurs, the agent never communicates with the App Volumes Manager during this process.

Configuring Load Balancing with App Volume Managers

Setting up the load balancing for App Volumes Manager servers is pretty straightforward. Before we walk through the load-balancing configuration, we’ll assume your F5 is already set up on your internal network and has the proper licensing for LTM.

Also, it’s important to ensure the App Volume agents will be able to communicate with the BIG-IP’s virtual IP address/FQDN assigned to App Volumes Manager; take the time to check routing and access to/from the agents and BIG-IP.

Since the App Volumes Manager works with both HTTP and HTTPS, we’ll show you how to load balance App Volumes using SSL Termination. We’ll be doing SSL Bridging: SSL from the client to the F5 → it is decrypted → it is re-encrypted and sent to the App Volumes Manager server. This method will allow the F5 to use advanced features—such as iRules and OneConnect—while maintaining a secure, end-to-end connection.

Click here to get a step-by-step guide on integrating App Volumes Manager servers with F5’s LTM. Here are some prerequisites you’ll need to consider before you start:

  • Determine what the FQDN will be and what virtual IP address will be used.
  • Add the FQDN and virtual IP into your company’s DNS.
  • Create and/or import the certificate that will be used; this blog post, does not cover creating, importing and chaining certificates.

The certificate should contain the FQDN that we will use for load balancing. We can actually leave the default certificates on the App Volumes Manager servers. BIG-IP will handle all the SSL translations, even with self-signed certificates created on the App Volumes servers. A standard, 2,048-bit web server (with private key) will work well with the BIG-IP, just make sure you import and chain the Root and Intermediate Certificates with the Web Server Certificate.

Once you’re done running through the instructions, you’ll have some load-balanced App Volumes Manager servers!

Again, BIG thanks to Justin Venezia from the F5 team – you can read more about Justin Venezia and his work here.


Dale is a Senior Solutions Architect and member of the CTO Ambassadors. Dale focuses in the End User Compute space, where Dale has become a subject matter expert in a number of the VMware products. Dale has more than 20 years experience working in IT having started his career in Northern England before moving the Spain and finally the USA. Dale currently hold a number of certifications including VCP-DV, VCP-DT, VCAP-DTD and VCAP-DTA.

For updates you can follow Dale on twitter @vDelboy

Justin Venezia is a Senior Solutions Architect for F5 Networks

Upgrading VMware Horizon View with Zero Downtime

By Dale Carter, Senior Solutions Architect, End-User Computing

Over the last few years working with VMware Horizon View and doing many upgrades, two of the biggest issues I would hear from customers when planning for an upgrade was: “Why do we have to have so much downtime, and with seven connection brokers, why do we have to take them all down at once?”

These questions and issues came up when I was speaking to Engineering about the upgrade process and making it smoother for the customer.

I was told that, in fact, this was not the case, and you did not have to take all connection brokers down during the upgrade process; you can upgrade one connection broker at a time while the other servers are happily running.

This has been changed in View 6, and the upgrade documentation now reflects it. You can find the document here.

In this blog I will show you how to upgrade a cluster of connection servers with zero downtime. For this post I will be upgrading my View 5.3 servers to View 6.0.1

Here are the steps needed to upgrade a View pod with zero downtime:

  1. Follow all prerequisites in the upgrade document referenced above, including completing all backups and snapshots.
  2. In the load balancer managing the View servers, disable the server that is going to be upgraded from the load balanced pool.
  3. Log in to the admin console.
  4. Disable the connection server you are going to upgrade. From the View Configuration menu select Server, then select Connection Servers and highlight the correct server. Finally, click Disable.
    DCarter 1
  5. Click OK. The view server will now be disabled.
    DCarter 2
  6. Log in to the View connection server and launch the executable. For this example I will launch VMware-viewconnectionserver-x86_64-6.0.1-2088845.exe. NOTE: We did not disable any services at this point.
  7. Click Next.
    D Carter 3
  8. Accept the license agreement, and click Next.
  9. Click Install.
    DCarter 4
  10. Once the process is done click Finish.
    D Carter 5
  11. Now back in the Admin Console enable the connection server by clicking Enable. Also notice the new version has been installed.
    D Carter 6
  12. In the load balancer managing the View servers, enable the server that has been upgraded in the load balanced pool.
  13. Follow step 2 – 12 to upgrade all of your View servers.
    D Carter 7

Security Servers

If one of the connection servers is paired with a security server then there are a couple of additional steps to cover.

The following steps will need to be done to upgrade a connection server that is paired with a security server.

  1. In the load balancer managing the View Security servers, disable the server that is going to be upgraded from the load balanced pool.
  2. Follow all pre-requisites in the upgrade document referenced above, including disabling IPsec rules for the security server and take snapshots.
  3. Prepare the security server to be upgraded. From the View Configuration menu select Server, then select Security Servers. Highlight the correct server, click More Commands, and then click Prepare for Upgrade or Reinstall.
    D Carter 8
  4. Click OK.
  5. Upgrade the paired Connection server outlined in steps 2 – 12.
  6. Log in to the View Security server and launch the executable. For this example I will launch VMware-viewconnectionserver-x86_64-6.0.1-2088845.exe.
  7. Click Next.
    D Carter 9
  8. Accept the License agreement and click Next.
  9. Confirm the paired Connection server and click Next.
  10. Enter the pairing password and click Next.
  11. Confirm the configuration and click Next.
  12. Click Install.
  13. In the load balancer managing the View Security servers, enable the server that has been upgraded in the load balanced pool.

Dale is a Senior Solutions Architect and member of the CTO Ambassadors. Dale focuses in the End User Compute space, where Dale has become a subject matter expert in a number of the VMware products. Dale has more than 20 years experience working in IT having started his career in Northern England before moving the Spain and finally the USA. Dale currently hold a number of certifications including VCP-DV, VCP-DT, VCAP-DTD and VCAP-DTA.

For updates you can follow Dale on twitter @vDelboy

Understanding View Disposable Disks

Travis WoodBy Travis Wood, VCDX-97

When VMware introduced Linked-Clones in View 4.5 there was a new type of disk included called the Disposable Disk. The purpose of this disk was to redirect certain volatile files away from the OS Disk to help reduce linked-clone growth.  I have read a lot of designs that utilize disposable disks but it has become clear that there is a lot of confusion and misunderstanding about what they do and exactly how they function.  This confusion is highlighted in a View whitepaper called View Storage Considerations which describes disposable disks as:

Utilizing the disposable disk allows you to redirect transient paging and temporary file operations to a VMDK hosted on an alternate datastore. When the virtual machine is powered off, these disposable disks are deleted.

The three elements from this paragraph I want to demystify are:

  1. What is redirected to the disposable disk?
  2. Where are disposable disks hosted?
  3. When are disposable disks deleted/refreshed?

What is redirected?

By default there are three elements that are redirected to the disposable disk.  The first is the Windows swap file, View Composer will redirect the Swap file from C: to the disposable disk. It is recommended to set this to a specific size to make capacity planning easier.

 

TWood1

 

The other elements that are redirected are the System Environment Variables TMP and TEMP.  By default, the User TEMP and TMP Environment Variables are NOT redirected.  However it is highly recommended to remove the User TEMP and TMP Environment variables, if this is done then Windows will use the System Variables instead and the user temporary files will then be redirected to the disposable disk.

TWood4

 

 

Where is the disposable disk stored?

There is a common misconception that like the User Data Disk, the Disposable Disk can be redirected to a different tier.  This is not the case and the Disposable Disk is always stored with the OS Disk.  In later versions of View you can choose the drive letter within the GUI for the Disposable Disk to avoid conflicts with mapped drives, but this setting and the size are the only customizations you can make to the disposable disk.

When is the disposable disk refreshed?

This is the question that tends to cause the most confusion.  Many people I have spoken to have said that it is refreshed when the user logs off, whilst others say it’s on reboot.  The Disposable Disk is actually only refreshed when View powers off the VM. User initiated shutdown & reboots as well as power actions within vCenter do not impact the disposable disk.  The following actions will cause the disposable disk to be refreshed:

  • Rebalance
  • Refresh
  • Recompose
  • VM powered off due to the Pool Power Policy set to “Always Powered Off”

This is quite important to understand, as if the Pool Power Policy is set to any of the other settings (Powered On, Do Nothing or Suspend) then your disposable disks are not getting refreshed automatically.

What does all this mean?

Understanding Disposable Disks and their functionality will enable you to design your environment appropriately.  The View Storage Reclamation Feature that was introduced in View 5.2 uses an SE Sparse disk for the OS Disk, this allows View to shrink OS disks if files are deleted from within the OS.  However only the OS disk is created as an SE Sparse disk, User Data Disks and Disposable Disks are created as a standard VMDK.  The key difference with this feature compared with Disposable Disks, is it relies on files being deleted from within the Guest Operating System, where as the Disposable Disk is deleted along with all the files it contains when View powers off the VM.  It is also important to note, that currently SE Sparse disks are not supported on VSAN.

If you choose to use Disposable Disks in your design, then depending on your power cycle you may want to add an operational task for administrators to periodically change the Power On setting for the pool within a maintenance window to refresh the Disposable Disk.  This is particularly important for the use case of Persistent Desktops which have long refresh/recompose cycles.


Travis Wood is a VMware Senior Solutions Architect

MomentumSI Brings New DevOps and Cloud Professional Services to VMware

By now, it is common knowledge that VMware has evolved beyond server MomentumSI_logovirtualization and is a leading Private Cloud, Hybrid Cloud, and End-User Computing provider.  To enable the transformational business outcomes that these technologies support, we have continued to invest in building the best Professional Services team in the industry.

I am excited to share that in Q4 2014, VMware acquired MomentumSI, a leading IT consultancy that expands our capabilities to help our customers transform their IT processes and infrastructures into strategic advantage.

MomentumSI is a pure-play Professional Services business that served many of the same Fortune 500 companies that VMware does today. The company focused on four key solution areas:

  • Building DevOps capabilities for customers, leveraging technologies such as Docker, Puppet, Chef, Jenkins, Salt and Ansible
  • Architecting and implementing OpenStack Private Clouds
  • Enabling Hybrid Cloud solutions, with an emphasis on AWS and vCloud Air
  • Modernizing applications for cloud environments

The MomentumSI team has joined the Americas Professional Services Organization (PSO).  Together, the combined practice will assist our clients in achieving business results through IT transformation.

So with that, we welcome the MomentumSI team to the VMware family and look forward to expanding the value that we can deliver to our customers.

For more information on the services MomentumSI is bringing to VMware, please visit http://page.momentumsi.com/vmware.

Bret