
Tag Archives: Horizon View

VMware Horizon 7 Instant Clones Best Practices

By Dale Carter

Recently, I have been working with Instant Clones in my lab. Although I have found this easy to get up and running (for more information, see my blog here), it hasn’t been easy to find best practices around configuring Instant Clones, as they are so new.

I reached out to the engineering team, and they provided me with the following best practices for using Instant Clones in VMware Horizon 7.0.2.

Check OS Support for Instant Clones

The following table shows what desktop operating systems are supported when using Instant Clones.

Guest Operating System | Version           | Edition                     | Service Pack
Windows 10             | 64-Bit and 32-Bit | Enterprise                  | None
Windows 7              | 64-Bit and 32-Bit | Enterprise and Professional | SP1

For more information, see the architecture planning guide.

Remote Monitor Limitations

If you use Instant Clone desktop pools, the maximum number of monitors that you can use to display a remote desktop is two, with a resolution of up to 2560 x 1600. If your users require more monitors or a higher resolution, I recommend using a Linked Clone desktop pool for these users.

For more information, see the architecture planning guide.

Instant Clones on vSAN

When running Instant Clones on vSAN, the R5 configuration is recommended. It has the following settings:

Name | Checksum | RAID Level | Deduplication and Compression | Client Cache | Sparse Swap
R5   | Yes      | 5          | No                            | Enabled      | Disabled

For more information, see the VMware Horizon 7 on VMware Virtual SAN 6.2 All-Flash, Reference Architecture.

Unsupported Features when using Instant Clones

The following features are currently not supported when using Instant Clones.

View Persona Management

The View Persona Management feature is not supported with Instant Clones. I recommend the User Environment Manager for managing the user’s environment settings.

For more information, see the architecture planning guide.

3D Graphics Features

The software and hardware accelerated graphics features available with the Blast Extreme or PCoIP display protocol are currently not supported with Instant Clones desktops. If your users require this feature, I recommend you use a Linked Clone desktop for them.

For more information, see the architecture planning guide.

Virtual Volumes

VMware vSphere Virtual Volumes Datastores are currently not supported for Instant clone desktop pools. For Instant Clone desktop pools, you can use other storage options, such as VMware Virtual SAN.

For more information, see the architecture planning guide.

Persistent User Disk

Instant Clone pools do not support the creation of a persistent virtual disk. If you have a requirement to store a user’s profile and application data on a separate disk, you can use the writeable disk feature of VMware App Volumes to store this data. The App Volumes writeable volume can also be used to store user installed applications.

For more information, see the architecture planning guide.

Disposable Virtual Disk

Instant Clone pools do not support configuration of a separate, disposable virtual disk for storing the guest operating system’s paging and temp files. Each time a user logs out of an instant clone desktop, Horizon View automatically deletes the clone and provisions and powers on another instant clone based on the latest OS image available for the pool. Any guest operating system paging and temp files are automatically deleted during the logoff operation.

For more information, see the architecture planning guide.

Hopefully, this information will help you configure Instant Clones in your environment. I would like to thank the VMware Engineering team for helping me put this information together.


Dale Carter is a Senior Solutions Architect and member of the CTO Ambassadors. Dale focuses on the End User Compute space, where he has become a subject matter expert in a number of VMware products. Dale has more than 20 years’ experience working in IT, having started his career in Northern England before moving to Spain and finally the USA. Dale currently holds a number of certifications including VCP-DV, VCP-DT, VCAP-DTD and VCAP-DTA. For more blog posts from Dale visit his website at http://vdelboysview.com

User Environment Manager 8.7 working with Horizon 6.2

By Dale Carter

With the release of VMware User Environment Manager 8.7, VMware added a number of new features, all of which you will find in the VMware User Environment Manager Release Notes.

However, in this blog, I would like to call out two new features that help when deploying User Environment Manager alongside VMware Horizon 6.2. VMware’s EUC teams did a great job in my opinion getting these two great features added or enhanced to work with Horizon 6.2 in the latest releases.

Terminal Server Client IP Address or Terminal Server Client Name

The first feature, which has been enhanced to work with Horizon 6.2, is one I think will have a number of benefits. This feature gives support for detecting client IP and client names in Horizon View 6.2 and later. With this feature it is now possible to apply conditions based on the location of your physical device.

An example would be if a user connects to a virtual desktop or RDS host from their physical device in the corporate office, an application could be configured to map a drive to corporate data or configure a printer in the office. However, if the user connects to the same virtual desktop or RDS host from a physical device at home or on an untrusted network, and launches the same application, then the drive or printer may not be mapped to the application.

Another example would be to combine the Terminal Server Client IP Address or Terminal Server Client Name with a triggered task. This way you could connect/disconnect a different printer at login/logoff or disconnect/reconnect depending on where the user is connecting from.

To configure a mapped drive or printer that will be assigned when on a certain network, you would use the Terminal Server Client IP Address or Terminal Server Client Name condition as shown below.

[Figure: Drive Mapping]

If you choose to limit access via the physical client name, this can be done using a number of different options.

[Figure: Terminal Server Client Name condition]

On the other hand, if you choose to limit access via the IP address, you can use a range of addresses.

[Figure: Terminal Server Client IP Address condition]

Detect PCoIP and Blast Connections

The second great new feature is the ability to detect if the user is connecting to the virtual desktop or RDS host via a PCoIP or Blast connection.

The Remote Display Protocol setting was already in the User Environment Manager, but as you can see below it now includes the Blast and PCoIP protocols.

[Figure: Remote Display Protocol condition]

This feature has many uses, one of which could be to limit what icons a user sees when using a specific protocol.

An example would be maybe you only allow users to connect to their virtual desktops or RDS hosts remotely using the blast protocol, but when they are on the corporate network they use PCoIP. You could then limit applications that have access to sensitive data to only show in the start menu or desktop when they are using the PCoIP protocol to connect.

Of course you could also use the Terminal Server Client IP Address or Terminal Server Client Name to limit the user from seeing an application based on their physical IP address or physical name.

The examples in this blog are just a small number of uses for these great new and enhanced features, and I would encourage everyone to download User Environment Manager 8.7 and Horizon 6.2 to see how they can help in your environment.


Dale is a Senior Solutions Architect and member of the CTO Ambassadors. Dale focuses on the End User Compute space, where he has become a subject matter expert in a number of VMware products. Dale has more than 20 years’ experience working in IT, having started his career in Northern England before moving to Spain and finally the USA. Dale currently holds a number of certifications including VCP-DV, VCP-DT, VCAP-DTD and VCAP-DTA.

For updates you can follow Dale on twitter @vDelboy

VMware Horizon View Secret Weapon

By Andreas Lambrecht

Over the last couple of years, I have worked on many challenging Horizon View projects with different business, technical and security requirements. Finding the balance between these points is not always easy. During design workshops and the discussions with desktop management teams and security departments the following questions come up over and over again:

“How can we apply different settings (e.g., clip boards, redirection, printing, etc.) to the user session or desktop based on the user’s location?”

“How can we apply PCoIP optimization to the user session or desktop based on the user’s location?”

Note that these can be internal (LAN or office) or external (Internet or home office) connections.

From the Horizon View architecture point of view we can create different desktop pools with different hardening policies and PCoIP settings, but this means the user will have two different virtual desktops: one for internal and one for external. This may not be optimal in terms of the end user experience because they expect the same virtual desktop behavior in both working environments; when they disconnect the session in the office they expect to continue working on the same document from home without encountering issues. And here is the challenge: ensuring a positive end user experience vs. security policies/PCoIP optimization.

After some research on this particular use case I found a way to manage this requirement without additional costs – while using out-of-the-box Horizon View features. This service comes with the Horizon View Agent as a standard feature and offers many capabilities. I call it the Horizon View Secret Weapon.

Let’s take a closer look at what this secret weapon looks like and what it offers. There are three main ingredients:

  1. VMware Horizon View Script Host Service
  2. System information sent to View Desktop upon user connect or reconnect.
  3. Start Session Script. But note, the intelligence of this script depends on the use case, the security requirements and the ingenuity of the script owner.

Official recommendation: Use start session scripts only if you have a particular need to configure desktop policies before a desktop session begins. As a best practice, use the View Agent’s CommandsToRunOnConnect and CommandsToRunOnReconnect group policy settings to run command scripts after a desktop session is connected or reconnected. Running scripts within a desktop session will satisfy most use cases. For details, see “Running Commands on View Desktops” in the View Administration document.

For some requirements you can use the View Agent’s CommandsToRunOnConnect and CommandsToRunOnReconnect group policy settings, as mentioned above. But what if the setting is a computer setting or View desktop setting that needs to be configured before the desktop session starts, e.g., PCoIP optimization or clipboard redirection? This is where the secret weapon kicks in and can help fulfill this requirement.

Note: To apply PCoIP optimization there is no need to reconnect, because these settings are set before the session or PCoIP protocol starts.

In this example I would like to cover a use case with the following technical requirements.

Internal connect

Clipboard redirection:

  • Enabled in both directions

PCoIP settings:

  • BTL set to off
  • Maximum image quality 80
  • Minimum image quality 40
  • Maximum frames per second 20

PCoIP Audio limit:

  • 250 kbit/s

USB access:

  • Enabled

ThinPrint:

  • Enabled

External connect

Clipboard redirection:

  • Disabled in both directions

PCoIP setting:

  • BTL set to off
  • Maximum image quality 70
  • Minimum image quality 30
  • Maximum frames per second 16

PCoIP Audio limit:

  • 50 kbit/s

USB access:

  • Disabled

ThinPrint:

  • Disabled

First, we must enable the VMware Horizon View Script Host Service on each View Desktop where we want View to run the start session script (e.g., on the base image for a Linked Clone Pool). The service is disabled by default.

To configure the VMware View Script Host Service:

  1. Start the Windows Services tool by entering services.msc at the command prompt.
  2. In the details pane, right-click on the VMware View Script Host service entry and select Properties.
  3. On the General tab, in Startup type, select Automatic.
  4. If you do not want the local system account to run the start session script, select This account, and enter the details of the account to run the start session script.
  5. Click OK and exit the Services tool.

[Figure 1]

For more details see “Dynamically Setting Desktop Policies with Start Session Scripts.”

Now we need to find a way to differentiate between an internal and external connection. Here we can draw on the information the Horizon View client has gathered about the client system when a user connects or reconnects to the View Desktop, or we can use the values sent directly from the View Connection Server. This can be any variable from the list (see link below) but I would recommend using ViewClient_Broker_DNS_Name. The reason for this choice is simple: if the user connects from the outside (external connect) the authentication will be managed by the View Connection Server that is paired with the View Security Server. But keep an important View Architecture rule in mind; the View Connection Server paired with the View Security Server should be used exclusively for external connections.

For more details see “Client System Information Sent to View Desktops.”

Important note: The start session variables have the prefix VDM_StartSession_ instead of ViewClient_. This is important for our scripts and is described below.

We are now at the point where we need to talk about the most important ingredient of the secret weapon. But before we start writing the script we need to set some registry values to make the start session script available for execution.

  1. Start the Windows Registry Editor by entering regedit at the command prompt.
  2. In the registry, navigate to HKLM\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents.
  3. Edit > Select New > Key, and create a key named StartSession.
  4. In the navigation area, right-click StartSession, select New > String Value, and create a string value (REG_SZ) named Bullet1 whose data is the command line that runs the script: wscript "C:\Program Files\VMware\VMware View\Agent\scripts\bullet1.vbs" (the path contains spaces, so it must be quoted).
  5. This will invoke the start session script. Click OK.

Note: As a best practice, place the start session scripts in the following location: %ProgramFiles%\VMware\VMware View\Agent\scripts. By default, this folder is accessible only by the SYSTEM and administrator accounts.

[Figure 2]

  1. Navigate to HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration.
  2. Edit > Select New > DWORD (32-bit) Value, name it RunScriptsOnStartSession and set its data to 1 to enable start session scripting.

[Figure 3]

  1. Navigate to HKLM\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents.
  2. Add a DWord value called TimeoutsInMinutes.
  3. Set a data value of 0.

[Figure 4]

For more details see “Add Windows Registry Entries for a Start Session Script.”

Here is a simple script example which covers the technical requirements of this use case.

'===========================================================================
' This script dynamically applies specific session settings based on
' the user location.
' Author: Andreas Lambrecht VMware PSO CEMEA.
' Date: October 2015
'===========================================================================
Option Explicit
' Errors are ignored so that one failing step does not block the session;
' remove this line while testing to see any failures.
On Error Resume Next

' Policy keys written by this script.
Const PCOIP_KEY = "HKLM\SOFTWARE\Policies\Teradici\PCoIP\pcoip_admin\"
Const USB_KEY = "HKLM\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Agent\USB\"

Dim objShell
Dim objWMIService
Dim strComputer
Dim strBroker

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objShell = CreateObject("WScript.Shell")

' Start session variables use the VDM_StartSession_ prefix, not ViewClient_.
strBroker = objShell.ExpandEnvironmentStrings("%VDM_StartSession_Broker_DNS_Name%")

'--------------------------------------------------------------------------
' Check whether the user was authenticated and assigned the session
' by the "external" View Connection Server, which is paired with the
' View Security Server, or by the "internal" View Connection Server.
' Based on the result this script sets the appropriate settings.
'--------------------------------------------------------------------------
If strBroker = "NAMEOFYOURCONNECTIONSERVER1" Or strBroker = "NAMEOFYOURCONNECTIONSERVER2" Then
    '----------------------------------------------------------------------
    ' Apply the settings for external connect
    ' - Stop and disable TP Auto Connect Service and TP VC Gateway Service
    ' - Disable enable_build_to_lossless
    ' - Set minimum_image_quality to 30
    ' - Set maximum_initial_image_quality to 70
    ' - Set maximum_frame_rate to 12
    ' - Disable Use image settings from Zero client, if available
    ' - Disable server_clipboard_state in both directions
    ' - Set audio_bandwidth_limit to 80
    ' - Exclude all USB devices
    '----------------------------------------------------------------------
    SetThinPrintServices False
    ApplyPcoipSettings 30, 70, 12, 0, 80
    objShell.RegWrite USB_KEY & "ExcludeAllDevices", "true", "REG_SZ"
Else
    '----------------------------------------------------------------------
    ' Apply the settings for internal connect
    ' - Start and enable TP Auto Connect Service and TP VC Gateway Service
    ' - Disable enable_build_to_lossless
    ' - Set minimum_image_quality to 40
    ' - Set maximum_initial_image_quality to 80
    ' - Set maximum_frame_rate to 20
    ' - Disable Use image settings from Zero client, if available
    ' - Enable server_clipboard_state in both directions
    ' - Set audio_bandwidth_limit to 250
    ' - Disable Exclude all USB devices
    '----------------------------------------------------------------------
    SetThinPrintServices True
    ApplyPcoipSettings 40, 80, 20, 1, 250
    objShell.RegWrite USB_KEY & "ExcludeAllDevices", "false", "REG_SZ"
End If

' Stop and disable (bEnable = False) or enable and start (bEnable = True)
' the ThinPrint services TPAutoConnSvc and TPVCGateway.
Sub SetThinPrintServices(bEnable)
    On Error Resume Next
    Dim colServiceList, objService
    Set colServiceList = objWMIService.ExecQuery _
        ("Select * from Win32_Service where Name = 'TPAutoConnSvc' OR Name = 'TPVCGateway'")
    For Each objService In colServiceList
        If bEnable Then
            If objService.State = "Stopped" Then
                objService.ChangeStartMode "Automatic"
                objService.StartService
                WScript.Sleep 5000
            End If
        Else
            If objService.State = "Running" Then
                objService.StopService
                objService.ChangeStartMode "Disabled"
                WScript.Sleep 5000
            End If
        End If
    Next
End Sub

' Write the PCoIP session policy values under the Teradici policy key.
Sub ApplyPcoipSettings(minQuality, maxInitialQuality, maxFrameRate, clipboardState, audioLimit)
    On Error Resume Next
    objShell.RegWrite PCOIP_KEY & "pcoip.enable_build_to_lossless", 0, "REG_DWORD"
    objShell.RegWrite PCOIP_KEY & "pcoip.minimum_image_quality", minQuality, "REG_DWORD"
    objShell.RegWrite PCOIP_KEY & "pcoip.maximum_initial_image_quality", maxInitialQuality, "REG_DWORD"
    objShell.RegWrite PCOIP_KEY & "pcoip.maximum_frame_rate", maxFrameRate, "REG_DWORD"
    objShell.RegWrite PCOIP_KEY & "pcoip.use_client_img_settings", 0, "REG_DWORD"
    objShell.RegWrite PCOIP_KEY & "pcoip.server_clipboard_state", clipboardState, "REG_DWORD"
    objShell.RegWrite PCOIP_KEY & "pcoip.audio_bandwidth_limit", audioLimit, "REG_DWORD"
End Sub

 

Now the secret weapon is ready for use.

Once the secret weapon is implemented and is running, we need to validate whether the specified settings were applied accordingly.

There are four places where we can check the functionality of our solution:

  1. VDM Debug log for StartSessionScript

[Figure 5]

In the red rectangle we can see that the Start Session Script was successfully applied before the PCoIP protocol starts.

For more details see “Location of VMware View log files (1027744).”

  2. PCoIP Server log for PCoIP optimization

[Figure 6]

In this red rectangle we can see the PCoIP optimization for external connect, as specified in the script.

For more details see “Location of VMware View log files (1027744).”

  3. Management Tools > Services.exe for ThinPrint settings

[Figure 7]

Here we can see that the ThinPrint services have been stopped and disabled, and the user is no longer able to print.

  4. Registry.exe for USB Access, PCoIP Optimization and Clipboard redirection

[Figure 8]

[Figure 9]

Finally we can see that all settings were applied as specified by the secret weapon.
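As a scripted version of the four manual checks, here is an added example (not from the original post and not VMware’s tooling): a PowerShell script run inside the desktop session that identifies the session location from the broker name and compares the PCoIP registry values, the USB exclusion and the ThinPrint service state against the profile the start session script should have applied. It assumes the in-session variable ViewClient_Broker_DNS_Name and reuses the placeholder broker names and values from the script above.

```powershell
# Added example, not part of the original post or VMware's tooling.
# Run inside the View desktop session to confirm the start session script
# applied the profile matching the broker that authenticated the user.
# Assumption: inside the session the broker name is exposed as the
# ViewClient_Broker_DNS_Name variable (the VDM_StartSession_ prefix is only
# seen by the start session script itself); the placeholder broker names and
# the expected values mirror the VBScript above.

$ExternalBrokers = @('NAMEOFYOURCONNECTIONSERVER1', 'NAMEOFYOURCONNECTIONSERVER2')
$PcoipKey = 'HKLM:\SOFTWARE\Policies\Teradici\PCoIP\pcoip_admin'
$UsbKey   = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Agent\USB'

# Expected PCoIP policy values per location, as written by the script.
$PcoipExpected = @{
    External = @{
        'pcoip.enable_build_to_lossless'      = 0
        'pcoip.minimum_image_quality'         = 30
        'pcoip.maximum_initial_image_quality' = 70
        'pcoip.maximum_frame_rate'            = 12
        'pcoip.use_client_img_settings'       = 0
        'pcoip.server_clipboard_state'        = 0
        'pcoip.audio_bandwidth_limit'         = 80
    }
    Internal = @{
        'pcoip.enable_build_to_lossless'      = 0
        'pcoip.minimum_image_quality'         = 40
        'pcoip.maximum_initial_image_quality' = 80
        'pcoip.maximum_frame_rate'            = 20
        'pcoip.use_client_img_settings'       = 0
        'pcoip.server_clipboard_state'        = 1
        'pcoip.audio_bandwidth_limit'         = 250
    }
}
$UsbExpected       = @{ External = 'true';    Internal = 'false' }
$ThinPrintExpected = @{ External = 'Stopped'; Internal = 'Running' }

# Decide the location the same way the start session script does.
function Get-SessionLocation {
    $broker = $env:ViewClient_Broker_DNS_Name
    if (-not $broker) { throw 'ViewClient_Broker_DNS_Name is not set; is this a View session?' }
    if ($ExternalBrokers -contains $broker) { 'External' } else { 'Internal' }
}

# Compare the live registry and service state with the expected profile and
# return one object listing every mismatch.
function Test-SessionPolicy {
    param([ValidateSet('External', 'Internal')][string]$Location = (Get-SessionLocation))
    $findings = @()
    $pcoip = Get-ItemProperty -Path $PcoipKey -ErrorAction SilentlyContinue
    foreach ($name in $PcoipExpected[$Location].Keys) {
        $expected = $PcoipExpected[$Location][$name]
        $actual = if ($pcoip) { $pcoip.$name } else { $null }
        if ($actual -ne $expected) {
            $findings += [pscustomobject]@{ Check = $name; Expected = $expected; Actual = $actual }
        }
    }
    $usb = (Get-ItemProperty -Path $UsbKey -Name ExcludeAllDevices -ErrorAction SilentlyContinue).ExcludeAllDevices
    if ($usb -ne $UsbExpected[$Location]) {
        $findings += [pscustomobject]@{ Check = 'USB ExcludeAllDevices'; Expected = $UsbExpected[$Location]; Actual = $usb }
    }
    # ThinPrint services must be stopped for external and running for internal sessions.
    foreach ($svc in 'TPAutoConnSvc', 'TPVCGateway') {
        $state = "$((Get-Service -Name $svc -ErrorAction SilentlyContinue).Status)"
        if ($state -ne $ThinPrintExpected[$Location]) {
            $findings += [pscustomobject]@{ Check = "Service $svc"; Expected = $ThinPrintExpected[$Location]; Actual = $state }
        }
    }
    [pscustomobject]@{ Location = $Location; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

$result = Test-SessionPolicy
$result | Format-List Location, Compliant
if (-not $result.Compliant) { $result.Findings | Format-Table -AutoSize }
```

A non-compliant result from an external session is the condition worth alerting on, since it means the hardened profile was not applied before the PCoIP session started.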


 

Andreas Lambrecht is an experienced senior consultant and architect for VMware’s Professional Services Organization specializing in the EUC space. He has worked at VMware for the past 4 years and has more than 15 years of experience in the IT industry. Andreas is certified VCP-DCV, VCP-DT, VCAP-DTA and VCAP-DTD, and also holds the ITIL v4 Foundation certification.

vSphere Datacenter Design – vCenter Architecture Changes in vSphere 6.0 – Part 1

By Jonathan McDonald

As a member of VMware Global Technology and Professional Services at VMware I get the privilege of being able to work with products prior to their release. This not only gets me familiar with new changes, but also allows me to question—and figure out—how the new product will change the architecture in a datacenter.

Recently, I have been working on exactly that with vCenter 6.0 because of all the upcoming changes in the new release. One of my favorite things about vSphere 6.0 is the simplification of vCenter and associated services. Previously, each individual major service (vCenter, Single Sign-On, Inventory Service, the vSphere Web Client, Auto Deploy, etc.) was installed individually. This added complexity and uncertainty in determining the best way to architect the environment.

With the release of vSphere 6.0, vCenter Server installation and configuration has been dramatically simplified. The installation of vCenter now consists of only two components that provide all services for the virtual datacenter:

  • Platform Services Controller – This provides infrastructure services for the datacenter. The Platform Services Controller contains these services:
    • vCenter Single Sign-On
    • License Service
    • Lookup Service
    • VMware Directory Service
    • VMware Certificate Authority
  • vCenter Services – The vCenter Server group of services provides the remainder of the vCenter Server functionality, which includes:
    • vCenter Server
    • vSphere Web Client
    • vCenter Inventory Service
    • vSphere Auto Deploy
    • vSphere ESXi Dump Collector
    • vSphere Syslog Collector (Microsoft Windows)/VMware Syslog Service (Appliance)

So, when deploying vSphere 6.0 you need to understand the implications of these changes to properly architect the environment, whether it is a fresh installation, or an upgrade. This is a dramatic change from previous releases, and one that is going to be a source of many discussions.

To help prevent confusion, my colleagues in VMware Global Support, VMware Engineering, and I have developed guidance on supported architectures and deployment modes. This two-part blog series will discuss how to properly architect and deploy vCenter 6.0.

vCenter Deployment Modes

There are two basic architectures that can be used when deploying vSphere 6.0:

  • vCenter Server with an Embedded Platform Services Controller – This mode installs all services on the same virtual machine or physical server as vCenter Server. The configuration looks like this:

[Figure 1: vCenter Server with an Embedded Platform Services Controller]

This is ideal for small environments, or if simplicity and reduced resource utilization are key factors for the environment.

  • vCenter Server with an External Platform Services Controller – This mode installs the platform services on a system that is separate from where vCenter services are installed. Installing the platform services is a prerequisite for installing vCenter. The configuration looks as follows:

[Figure 2: vCenter Server with an External Platform Services Controller]

This is ideal for larger environments, where there are multiple vCenter servers, but you want a single pane-of-glass for the site.

Choosing your architecture is critical, because once the model is chosen, it is difficult to change, and configuration limits could inhibit the scalability of the environment.

Enhanced Linked Mode

As a result of these architectural changes, Platform Services Controllers can be linked together. This enables a single pane-of-glass view of any vCenter server that has been configured to use the Platform Services Controller domain. This feature is called Enhanced Linked Mode and is a replacement for Linked Mode, which was a construct that could only be used with vCenter for Windows. The recommended configuration when using Enhanced Linked Mode is to use an external platform services controller.

Note: Although using embedded Platform Services Controllers and enabling Enhanced Linked Mode can technically be done, it is not a recommended configuration. See List of Recommended topologies for vSphere 6.0 (2108548) for further details.

The following are some recommended options on how—and how not to—configure Enhanced Linked Mode.

  • Enhanced Linked Mode with an External Platform Services Controller with No High Availability (Recommended)

In this case the Platform Services Controller is configured on a separate virtual machine, and then the vCenter servers are joined to that domain, providing the Enhanced Linked Mode functionality. The configuration would look this way:

[Figure 3]

There are benefits and drawbacks to this approach. The benefits include:

  • Fewer resources consumed by the combined services
  • More vCenter instances are allowed
  • Single pane-of-glass management of the environment

The drawbacks include:

  • Network connectivity loss between vCenter and the Platform Service Controller can cause outages of services
  • More Windows licenses are required (if on a Windows Server)
  • More virtual machines to manage
  • Outage on the Platform Services Controller will cause an outage for all vCenter servers connected to it. High availability is not included in this design.

  • Enhanced Linked Mode with an External Platform Services Controller with High Availability (Recommended)

In this case the Platform Services Controllers are configured on separate virtual machines and configured behind a load balancer; this provides high availability to the configuration. The vCenter servers are then joined to that domain using the shared Load Balancer IP address, which provides the Enhanced Linked Mode functionality, but is resilient to failures. This configuration looks like the following:

[Figure 4]

There are benefits and drawbacks to this approach. The benefits include:

  • Fewer resources are consumed by the combined services
  • More vCenter instances are allowed
  • The Platform Services Controller configuration is highly available

The drawbacks include:

  • More Windows licenses are required (if on a Windows Server)
  • More virtual machines to manage

  • Enhanced Linked Mode with Embedded Platform Services Controllers (Not Recommended)

In this case vCenter is installed as an embedded configuration on the first server. Subsequent installations are configured in embedded mode, but joined to an existing Single Sign-On domain.

Linking embedded Platform Services Controllers is possible, but is not a recommended configuration. It is preferred to have an external configuration for the Platform Services Controller.

The configuration looks like this:

[Figure 5]

  • Combination Deployments (Not Recommended)

In this case there is a combination of embedded and external Platform Services Controller architectures.

Linking an embedded Platform Services Controller and an external Platform Services Controller is possible, but again, this is not a recommended configuration. It is preferred to have an external configuration for the Platform Services Controller.

Here is as an example of one such scenario:

[Figure 6]

  • Enhanced Linked Mode Using Only an Embedded Platform Services Controller (Not Recommended)

In this case there is an embedded Platform Services Controller with vCenter Server linked to an external standalone vCenter Server.

Linking a second vCenter Server to an existing embedded vCenter Server and Platform Services Controller is possible, but this is not a recommended configuration. It is preferred to have an external configuration for the Platform Services Controller.

Here is an example of this scenario:

[Figure 7]

Stay tuned for Part 2 of this blog post where we will discuss the different platforms for vCenter, high availability and different deployment recommendations.


Jonathan McDonald is a Technical Solutions Architect for the Professional Services Engineering team. He currently specializes in developing architecture designs for core Virtualization, and Software-Defined Storage, as well as providing best practices for upgrading and health checks for vSphere environments.

Link VMware Horizon Deployments Together with Cloud Pod Architecture

By Dale Carter

VMware has just made life easier for VMware Horizon administrators. With the release of VMware Horizon 6.1, VMware has added a popular feature—from the Horizon 6 release—to the web interface. Using Cloud Pod Architecture you can now link a number of Horizon deployments together to create a larger global pool – and these pools can span two different locations.

Cloud Pod Architecture in Horizon 6 was sometimes difficult to configure because you had to use a command line interface on the connection brokers. Now, with Horizon 6.1, you can configure and manage Cloud Pod Architecture via the Web Admin Portal, and this greatly improves the Cloud Pod Architecture feature.

When you deploy Cloud Pod Architecture with Horizon 6.1 you can:

  • Enable Horizon deployments across multiple data centers
  • Replicate new data layers across Horizon connection servers
  • Support a single namespace for end-users with a global URL
  • Assign and manage desktops and users with the Global Entitlement layer

The significant benefits you gain include:

  • The ability to scale Horizon deployments to multiple data centers with up to 10,000 sessions
  • Horizon deployment support for active/active and disaster recovery use cases
  • Support for geo-roaming users

This illustration shows how two Horizon deployments—one in Chicago and another in London—are linked together.

[Figure: two Horizon 6.1 deployments, Chicago and London, linked with Cloud Pod Architecture]

To configure Cloud Pod Architecture for supporting a global name space you first:

  • Set up at least two Horizon Connection Servers – one at each site; each server would have desktop pools
  • Test them to ensure they work properly, including assigning users (or test users) to the environments

Following this initial step you create global pools, then configure local pools with global pools, and finally set up user entitlements, which can be done from any Horizon Connection Server.

For more detailed information, and for a complete walk-through on setting up your Cloud Pod Architecture feature, read the white paper “Cloud Pod Architecture with VMware Horizon 6.1”.


Dale is a Senior Solutions Architect and member of the CTO Ambassadors. Dale focuses on the End User Computing space, where he has become a subject matter expert in a number of VMware products. Dale has more than 20 years' experience working in IT, having started his career in Northern England before moving to Spain and finally the USA. Dale currently holds a number of certifications including VCP-DV, VCP-DT, VCAP-DTD and VCAP-DTA.

For updates you can follow Dale on twitter @vDelboy

Use Horizon View to Access Virtual Desktops Remotely – Without a VPN


By Eric Monjoin and Xavier Montaron

VMware Horizon View enables you to access a virtual desktop from anywhere, anytime. You can work remotely from your office or from a cybercafé, or anywhere else as long as there is a network connection to connect you to Horizon View infrastructure. It’s an ideal solution – but external connections can be risky.

So, how do you protect and secure your data? How do you authorize only some users—or groups of users—to connect from an external network without establishing a VPN connection?

You can achieve this by relying on an external solution like F5 Networks’ BIG-IP Access Policy Manager (APM). It can perform pre-authentication checks on end-points based on criteria like user rights, desktop compliance, up-to-date antivirus, and more. Or, you can simply use the built-in capabilities of Horizon View, which is perfect if you are a small or medium company with a limited budget.

There are two ways to achieve this with Horizon View:

  • Pool tagging
  • Two-factor authentication

Pool Tagging

Pool tagging consists of setting one or more tags on each View Connection Server (see Figure 1) and restricting desktop pools using those tags to specific brokers (see Figure 2).


Figure 1. View Connection Server tagging

In the following example a tag “EXTERNAL” has been created for brokers paired with a View Security Server and dedicated to external connections, and a tag “INTERNAL” has been created for brokers dedicated to internal connections only. Only desktop pools assigned the “EXTERNAL” tag will be available, and will appear in the desktop pool list, while connected to a broker used for external connections.


Figure 2. Desktop pools tagging

As shown in Table 1, if you fail to restrict a pool with a tag, that pool will be available on all View Connection Servers. So, as soon as you start using tags, you have to use tags for all of your desktop pools.

Connection Server tags   | Pool's restricted tag set | Pool appears in desktop pool list
-------------------------|---------------------------|----------------------------------
EXTERNAL                 | EXTERNAL                  | YES
EXTERNAL                 | INTERNAL                  | NO
INTERNAL                 | EXTERNAL                  | NO
INTERNAL                 | INTERNAL                  | YES
INTERNAL or EXTERNAL     | INTERNAL and EXTERNAL     | YES
INTERNAL or EXTERNAL     | “None”                    | YES

Table 1. Tag relationships between View Connection Servers (VCS) and desktop pools

Keep in mind that when using tags, it is implied that the administrator has created specific pools for external connections, and specific pools for internal connections.
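The rule behind Table 1 is simple enough to check mechanically before a broker is exposed to the Internet. The following Python is an added example, not code from the original post or from VMware: it models the visibility rule and audits a constructed broker and pool inventory (the server and pool names are made up) for pools that would be offered on an EXTERNAL broker without anyone having deliberately tagged them for it, which is exactly the gap the paragraph above warns about.

```python
"""Model of the View Connection Server / desktop pool tag rule (Table 1).

Rule from the post: a pool restricted to one or more tags is listed only on
brokers that carry at least one of those tags; a pool with no tag restriction
("None") is listed on every broker. Forgetting to tag a pool therefore exposes
it on the external brokers as well.
"""


def pool_visible(broker_tags, pool_tags):
    """Return True if a pool restricted to pool_tags is listed on a broker carrying broker_tags."""
    if not pool_tags:
        return True                       # unrestricted pools appear everywhere
    return bool(set(broker_tags) & set(pool_tags))


def audit_pools(brokers, pools, external_tag="EXTERNAL"):
    """Flag pools that reach an external broker without being deliberately tagged for it.

    brokers: {server_name: set of tags set on that Connection Server}
    pools:   {pool_name: set of tags the pool is restricted to (empty = "None")}
    Returns a list of (pool_name, [external brokers the pool appears on]).
    """
    findings = []
    for pool, restriction in sorted(pools.items()):
        external_brokers = sorted(
            server for server, tags in brokers.items()
            if external_tag in tags and pool_visible(tags, restriction)
        )
        if external_brokers and external_tag not in restriction:
            findings.append((pool, external_brokers))
    return findings


# Constructed inventory for the example: two internal brokers and one broker
# paired with a Security Server and tagged EXTERNAL, as in the post's setup.
BROKERS = {
    "view-cs-01": {"INTERNAL"},
    "view-cs-02": {"INTERNAL"},
    "view-cs-ext-01": {"EXTERNAL"},
}
POOLS = {
    "Finance-Internal": {"INTERNAL"},
    "Sales-Remote": {"EXTERNAL"},
    "Support-Both": {"INTERNAL", "EXTERNAL"},
    "HR-Kiosk": set(),          # nobody tagged this pool
}

if __name__ == "__main__":
    for pool, servers in audit_pools(BROKERS, POOLS):
        print(f"{pool}: untagged, so it is offered on external broker(s) {', '.join(servers)}")
```

Running the audit against the constructed inventory reports only HR-Kiosk: it carries no restriction, so it is listed on every broker including the one paired with the Security Server.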


Two-Factor Authentication

The other method when using Horizon View is two-factor authentication. This requires two separate methods of authentication to increase security.

The mechanism is simple: you first authenticate yourself using a one-time password (OTP) passcode, as seen in Figure 3. These are generated approximately every 45 seconds, depending on the solution provider. If the provided credentials are authorized, a second login screen appears (see Figure 4) where you enter the Active Directory login and password used for single sign-on to the hosted virtual desktop.


Figure 3. OTP login screen


Figure 4. Domain login screen


The advantages with this solution are:

  • Enhanced security: you need to have the OTP passcode (the user’s token) and must know the user’s Active Directory login and password.
  • Simplicity: there is no need to create two separate desktop pools – one for external connections and another for internal connections.
  • Selectivity: distribute tokens only to employees who require external access.

The most commonly and widely implemented solution is RSA Security from EMC (see below), but you can also use any solution that is RADIUS-compliant.

For more detailed information you can read the white paper “How to Set Up 2-Factor Authentication in Horizon View with Google Authenticator.” It describes how to set up FreeRADIUS and Google Authenticator to secure external connections, and authorize only specific users or groups of users to connect to Horizon View. This solution was successfully implemented at no cost at the City Hall in Drancy, France, by its chief information officer, Xavier Montaron.
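For readers who want to see what the passcode in Figure 3 actually is, the following Python is an added illustration, not code from the post, from FreeRADIUS or from Google Authenticator. It implements RFC 4226 HOTP and RFC 6238 TOTP, the arithmetic that Google Authenticator and most RADIUS-fronted OTP servers share, using the RFC test key so the output can be checked against the published vectors. The step length is whatever the vendor configures (the RFC default of 30 seconds is used here). The verification routine shows the two server-side checks a defender cares about: a small clock-skew window, and refusal of a counter that has already been consumed so a captured code cannot be replayed.

```python
"""RFC 4226 (HOTP) and RFC 6238 (TOTP) with the standard library only.

A shared secret plus a moving counter (for TOTP, Unix time divided by the step
length) goes through HMAC-SHA1 and is truncated to a short decimal code.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test key ("12345678901234567890"). An authenticator app
# would enrol the same key as the Base32 string below.
RFC_TEST_KEY = b"12345678901234567890"
RFC_TEST_KEY_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(text):
    """Decode an enrolled Base32 secret, tolerating lower case, spaces and missing padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP for Unix time `at` (default: now). The step length is a vendor setting."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, submitted, at=None, step=30, digits=6, window=1, last_counter=None):
    """Server-side check. Returns (accepted, counter_used).

    window: how many steps of clock skew to tolerate in each direction.
    last_counter: counter of the last code this user successfully used; any
    counter at or below it is refused so a captured code cannot be replayed.
    """
    if not isinstance(submitted, str) or not submitted.isdigit() or len(submitted) != digits:
        return False, None
    if at is None:
        at = time.time()
    current = int(at // step)
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue                                   # already consumed: refuse replay
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, None


if __name__ == "__main__":
    key = decode_base32_secret(RFC_TEST_KEY_BASE32)
    print("code at T=59:", totp(key, at=59))
    print("replay refused:", verify_totp(key, "287082", at=59, last_counter=1))
```

The caller is expected to persist the counter returned by `verify_totp` per user and pass it back as `last_counter` on the next attempt; without that, a code sniffed on the wire is valid for the whole step plus the skew window.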


Sources:

F5 BIG-IP Access Policy Manager 

http://www.f5.com/pdf/white-papers/f5-vmware-view-wp.pdf

https://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm-vmware-integration-implementations-11-4-0/_jcr_content/pdfAttach/download/file.res/BIG-IP_Access_Policy_Manager__VMware_Horizon_View_Integration_Implementations.pdf

RSA SecurID

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2003455

https://gallery.emc.com/servlet/JiveServlet/download/1971-24-4990/VMware_Horizon_View_52_AM8.0.pdf




Eric Monjoin joined VMware France in 2009 as a PSO Senior Consultant after spending 15 years at IBM as a Certified IT Specialist. Passionate about new challenges and technology, Eric has been a key leader in the VMware EUC practice in France. Recently, Eric moved to the VMware Professional Services Engineering organization as a Technical Solutions Architect. Eric is certified VCP6-DT, VCAP-DTA and VCAP-DTD and was awarded vExpert for the 4th consecutive year.


Xavier Montaron holds a Master's in Computer Science from the EPITECH school and has a strong developer background. He joined the Town Hall of Drancy in December 2007 in the CIO organization and has been its CIO since 2010. The Town Hall of Drancy has been a long-time IT innovator and user of VMware technology, both for infrastructure servers and for VDI, where all desktops have been fully virtualized since 2011 with Horizon View. The Town Hall of Drancy recently decided to externalize all servers and VDI infrastructure, which are now hosted by OVH, a global leader in internet hosting based in France.

Upgrading VMware Horizon View with Zero Downtime

By Dale Carter, Senior Solutions Architect, End-User Computing

Over the last few years working with VMware Horizon View and doing many upgrades, two of the biggest issues I would hear from customers when planning for an upgrade were: “Why do we have to have so much downtime, and with seven connection brokers, why do we have to take them all down at once?”

These questions and issues came up when I was speaking to Engineering about the upgrade process and making it smoother for the customer.

I was told that, in fact, this was not the case, and you did not have to take all connection brokers down during the upgrade process; you can upgrade one connection broker at a time while the other servers are happily running.

This has been changed in View 6, and the upgrade documentation now reflects it. You can find the document here.

In this blog I will show you how to upgrade a cluster of connection servers with zero downtime. For this post I will be upgrading my View 5.3 servers to View 6.0.1.

Here are the steps needed to upgrade a View pod with zero downtime:

  1. Follow all prerequisites in the upgrade document referenced above, including completing all backups and snapshots.
  2. In the load balancer managing the View servers, disable the server that is going to be upgraded from the load balanced pool.
  3. Log in to the admin console.
  4. Disable the connection server you are going to upgrade. From the View Configuration menu select Server, then select Connection Servers and highlight the correct server. Finally, click Disable.
  5. Click OK. The View server will now be disabled.
  6. Log in to the View connection server and launch the executable. For this example I will launch VMware-viewconnectionserver-x86_64-6.0.1-2088845.exe. NOTE: We did not disable any services at this point.
  7. Click Next.
  8. Accept the license agreement, and click Next.
  9. Click Install.
  10. Once the process is done, click Finish.
  11. Back in the Admin Console, enable the connection server by clicking Enable. Notice that the new version has been installed.
  12. In the load balancer managing the View servers, enable the upgraded server in the load balanced pool.
  13. Follow steps 2 to 12 to upgrade all of your View servers.

Security Servers

If one of the connection servers is paired with a security server then there are a couple of additional steps to cover.

The following steps will need to be done to upgrade a connection server that is paired with a security server.

  1. In the load balancer managing the View Security servers, disable the server that is going to be upgraded from the load balanced pool.
  2. Follow all prerequisites in the upgrade document referenced above, including disabling IPsec rules for the security server and taking snapshots.
  3. Prepare the security server to be upgraded. From the View Configuration menu select Server, then select Security Servers. Highlight the correct server, click More Commands, and then click Prepare for Upgrade or Reinstall.
  4. Click OK.
  5. Upgrade the paired Connection Server as outlined in steps 2 to 12 above.
  6. Log in to the View Security server and launch the executable. For this example I will launch VMware-viewconnectionserver-x86_64-6.0.1-2088845.exe.
  7. Click Next.
  8. Accept the license agreement and click Next.
  9. Confirm the paired Connection Server and click Next.
  10. Enter the pairing password and click Next.
  11. Confirm the configuration and click Next.
  12. Click Install.
  13. In the load balancer managing the View Security servers, enable the upgraded server in the load balanced pool.


App Volumes AppStack Creation

By Dale Carter, Senior Solutions Architect, End-User Computing

VMware App Volumes provides just-in-time application delivery to virtualized desktop environments. With this real-time application delivery system, applications are delivered to virtual desktops through VMDK virtual disks, without modifying the VM or the applications themselves. Applications can be scaled out with superior performance, at lower cost, and without compromising the end-user experience.

In this blog post I will show you how easy it is to create a VMware App Volumes AppStack, and how that AppStack can then be deployed to hundreds of users.

When configuring App Volumes with VMware Horizon View an App Volumes AppStack is a read-only VMDK file that is added to a user’s virtual machine, and then the App Volumes Agent merges the two or more VMDK files so the Microsoft Windows operating system sees the files as just one drive. This way the applications look to the Windows OS as if they are natively installed and not on a separate disk.

To create an App Volumes AppStack follow these simple steps.

  1. Log in to the App Volumes Manager Web interface.
  2. Click Volumes.
  3. Click Create AppStack.
  4. Give the AppStack a name. Choose the storage location and give it a description (optional). Then click Create.
  5. Choose either Perform in the background or Wait for completion, and click Create.
  6. vCenter will now create a new VMDK for the AppStack to use.
  7. Once vCenter finishes creating the VMDK, the AppStack will show up as Un-provisioned. Click the + sign.
  8. Click Provision.
  9. Search for the desktop that will be used to install the software. Select the desktop and click Provision.
  10. Click Start Provisioning.
  11. vCenter will now attach the VMDK to the desktop.
  12. Open the desktop that will be used for provisioning the new software. You will see the following message: DO NOT click OK. You will click OK after the install of the software.
  13. Install the software on the desktop. This can be just one application or a number of applications. If reboots are required between installs, that is OK. App Volumes will remember where you are after the install.
  14. Once all of the software has been installed, click OK.
  15. Click Yes to confirm and reboot.
  16. Click OK.
  17. The desktop will now reboot. After the reboot you must log back in to the desktop.
  18. After you log in you must click OK. This will reconfigure the VMDK on the desktop.
  19. You can now connect to the App Volumes Manager Web interface and see that the AppStack is ready to be assigned.

Once you have created the AppStack you can assign the AppStack to an Active Directory object. This could be a user, computer or user group.

To assign an AppStack to a user, computer or user group, follow these simple steps.

  1. Log in to the App Volumes Manager Web interface.
  2. Click Volumes.
  3. Click the + sign by the AppStack you want to assign.
  4. Click Assign.
  5. Search for the Active Directory object. Select the user, computer, OU or user group to assign the AppStack to. Click Assign.
  6. Choose either to assign the AppStack at the next login or immediately, and click Assign.
  7. The users will now have the AppStack assigned to them and will be able to launch the applications as they would any normal application.

By following these simple steps you will be able to quickly create an AppStack and simply deploy that AppStack to your users.



How-to: Create a vCOPS for View At-A-Glance High-Level VDI Dashboard

By Anand Vaneswaran

VDI environments are complex because there are so many moving parts. As a result, there is a real need for architects, admins, managers, or operations professionals to see a high-level breakdown of the most important stats—stats that are especially important when we receive that escalated phone call about an issue that could potentially affect a large number of users.

In this first post of a three-part blog series, I’ll provide details about a high-level VDI custom dashboard in vCenter Operations Manager for View that was renamed vCenter Operations Manager for Horizon when Horizon 6.0 was released. (I’ll also assume you’re all well versed in VDI.)

To start, some of the stats or information I deeply care about in my test environment are as follows:


  1. Viewing the number of tunneled connections that are coming in through my security servers.
  2. Viewing the overall health of my connection servers.
  3. Keeping tabs on the resources (CPU, RAM, Disk) of my most critical VDI servers (Connection and security servers, vCenter server, View Composer, etc.).
  4. Monitoring resources (CPU and RAM) on my ESXi hosts running VDI workloads. (I will go one step further and break it down into hosts for my full clone pools, and linked clone pools.)
  5. Finally, looking at my LUNs and keeping tabs on a number of metrics, most importantly VM-to-LUN densities.

When compiled together, the information listed above comprises the end-state dashboard I want to achieve. The dashboard will have two generic scoreboard widgets on either side to depict the number of user connections through my security servers and the workload percentage of my connection servers. In addition, two Health-Workload scoreboard widgets on either side will depict the health of security and connection servers. The scoreboard is set up so that when you click a particular object in the Generic Scoreboard widget, the scoreboard is automatically populated with the health of that relevant object.

Finally, I want four Heat Map widgets: one to provide information about critical server resources, two to give me updates on ESXi host resources, and one to give me details about VM-to-LUN densities. I chose to populate my dashboard with an assortment of these built-in Generic Scoreboard, Health-Workload, and Heat Map widgets because I find that these types of widgets provide the most efficient means of graphically conveying the state of an environment, in essence, a point-in-time snapshot of your environment at any given time.

Now, if you’re ready to build, get detailed, step-by-step instructions for creating the dashboard.


Anand Vaneswaran is a senior technology consultant with the End User Computing group at VMware. He is an expert in VMware Horizon (with View), VMware ThinApp, VMware vCenter Operations Manager, VMware vCenter Operations Manager for Horizon, and VMware Horizon Workspace. Outside of technology, his hobbies include filmmaking, sports, and traveling.

How-to: Find Composer Certificate in VMware Horizon View Administrator

By Gourav Bhardwaj with Matt Larson

While performing a Health Check on a customer’s VMware View 5.2 environment, one item that came up was to verify that the SSL certificate was configured appropriately. VMware recommends the replacement of self-signed certificates with certificates that are signed by a Certificate Authority.

When entering a new environment, or performing a health check, the most well-known approach to determining the certificate used by View Composer is the sviconfig command referenced here, which is also used to replace the certificate. During the replacement process, the existing certificate will be listed. That being said, running this command requires stopping the Composer service. If there are any Composer downtime constraints, the following alternate process can be used to determine the current certificate.

In VMware Horizon View Administrator, you can determine whether the certificate is signed by a well-known certificate authority.  In the case below, the certificate is self-signed.


Looking at the Certificates Management Console, multiple certificates are listed, but how do you know which one is in use?


To find which certificate is in use, check the registry to see the thumbprint of the certificate bound to the port used by Composer.  Find this by navigating to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo\0.0.0.0:18443 key in the registry, and noting the SslCertHash.


Match the hash listed in the registry to the hash listed on one of the certificates listed in the Certificates Management Console.  The match is the certificate currently used by Composer.


As seen in the console, this certificate is the self-signed certificate that was created during the Composer installation process.  It is also expired.  To change the certificate, follow the article listed earlier in reference to sviconfig.
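The thumbprint match in the last two steps is easy to get wrong by eye: the registry stores SslCertHash as comma-separated bytes, while the certificate store shows it as space-separated hex, and more than one binding lives under SslBindingInfo. The following Python is an added example, not code from the original post or from VMware: it performs the comparison from two text exports taken on the Composer server, a .reg export of the SslBindingInfo key and the output of `certutil -store My`, and reports whether the bound certificate is self-signed or expired. Both inputs are constructed samples with made-up thumbprints, serials and host names; the NotAfter date format assumed is the US-locale one that certutil prints on an English system.

```python
"""Match the SslCertHash bound to Composer's port to a certificate in the store.

Inputs are plain text captured from the Composer server:
  * a .reg export of HKLM\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo
  * the output of `certutil -store My`
Both samples below are constructed for this example; thumbprints and names are made up.
"""
import re
from datetime import datetime

COMPOSER_BINDING = "0.0.0.0:18443"          # Composer's port, from the post

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443]
"SslCertHash"=hex:00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,00,11,22,33

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo\0.0.0.0:18443]
"AppId"=hex:0f,0e,0d,0c,0b,0a,09,08,07,06,05,04,03,02,01,00
"SslCertHash"=hex:ab,12,cd,34,ef,56,ab,12,cd,34,ef,56,\
  ab,12,cd,34,ef,56,ab,12
'''

CERTUTIL_STORE = '''================ Certificate 0 ================
Serial Number: 4a1f00c2b9e81d7d
Issuer: CN=composer01.example.internal
 NotBefore: 3/12/2012 9:41 AM
 NotAfter: 3/12/2014 9:41 AM
Subject: CN=composer01.example.internal
Cert Hash(sha1): ab 12 cd 34 ef 56 ab 12 cd 34 ef 56 ab 12 cd 34 ef 56 ab 12
================ Certificate 1 ================
Serial Number: 61000000023f6c1a9e
Issuer: CN=Example Issuing CA
 NotBefore: 6/1/2013 8:00 AM
 NotAfter: 6/1/2015 8:00 AM
Subject: CN=composer01.example.internal
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
'''

AUDIT_TIME = datetime(2015, 1, 1)             # fixed so the example is reproducible
CERTUTIL_DATE_FORMAT = "%m/%d/%Y %I:%M %p"    # English/US-locale certutil output (assumption)


def normalize_thumbprint(value):
    """Lower-case hex with every separator removed, so both sources compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def parse_reg_hash(reg_text, binding=COMPOSER_BINDING):
    """Return the SslCertHash stored under the SslBindingInfo\\<binding> key, or None."""
    lines = reg_text.splitlines()
    in_key, i = False, 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].endswith("\\" + binding)
        elif in_key and line.startswith('"SslCertHash"=hex:'):
            value = line.split("hex:", 1)[1]
            while value.endswith("\\"):       # .reg wraps long binary values with a trailing backslash
                i += 1
                value = value[:-1] + lines[i].strip()
            return normalize_thumbprint(value)
        i += 1
    return None


def parse_certutil_store(text):
    """Parse `certutil -store My` output into one dict per certificate."""
    fields = {
        "issuer": re.compile(r"^Issuer:\s*(.+)$"),
        "subject": re.compile(r"^Subject:\s*(.+)$"),
        "not_after": re.compile(r"^NotAfter:\s*(.+)$"),
        "thumbprint": re.compile(r"^Cert Hash\(sha1\):\s*(.+)$"),
    }
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^=+ Certificate (\d+) =+$", line)
        if header:
            current = {"index": int(header.group(1))}
            certs.append(current)
            continue
        if current is None:
            continue
        for name, pattern in fields.items():
            m = pattern.match(line)
            if m:
                value = m.group(1).strip()
                current[name] = normalize_thumbprint(value) if name == "thumbprint" else value
    return certs


def find_bound_certificate(reg_text, store_text, now, binding=COMPOSER_BINDING):
    """Return the store entry whose thumbprint matches the binding, with self_signed/expired flags."""
    bound = parse_reg_hash(reg_text, binding)
    if bound is None:
        raise LookupError(f"no SslCertHash bound to {binding}")
    for cert in parse_certutil_store(store_text):
        if cert.get("thumbprint") == bound:
            not_after = datetime.strptime(cert["not_after"], CERTUTIL_DATE_FORMAT)
            return {**cert,
                    "self_signed": cert.get("issuer") == cert.get("subject"),
                    "expired": not_after < now}
    return None


def run_audit():
    """Audit the constructed samples at AUDIT_TIME."""
    return find_bound_certificate(REG_EXPORT, CERTUTIL_STORE, AUDIT_TIME)


if __name__ == "__main__":
    result = run_audit()
    print(f"Composer uses certificate #{result['index']} ({result['subject']}); "
          f"self-signed={result['self_signed']}, expired={result['expired']}")
```

On the constructed input the audit picks certificate 0, not the CA-issued certificate 1 that is bound to port 443, and flags it as both self-signed and expired, which is the situation described in the paragraph above.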

Stay tuned for more posts about evaluating the health of the virtual desktop environment.


Gourav Bhardwaj is a VMware consulting architect who has created virtualized infrastructure designs across various verticals. He has assisted IT organizations of various Fortune 500 and Fortune 1000 companies, by creating designs and providing implementation oversight. His experience includes system architecture, analysis, solution design and implementation.

Matt Larson is an experienced, independent VMware consultant working in design, implementation and operation of VMware technologies. His interests lie in enterprise architecture related to datacenter and end user computing.