
Monthly Archives: March 2011

New Mind Map – Troubleshooting vSphere Management Issues

Here is a brand new document guaranteed to be popular—Our Mind Map for vSphere Management issues!

We have featured Mind Maps before in this blog and gotten fabulous feedback on them, so we are continuing to develop these using the latest interactive PDF document technology. These new, Flash-embedded PDFs are clickable so that you can expand sections and drill down to the problem you may be experiencing. We’re also trying to make them a little easier on the eyes.  Let us know what you think of the new look.

Today’s Mind Map details our Resolution Paths for vSphere Management issues. If you recall, a Resolution Path is a collection of KB articles sequenced in a specific order to resolve a specific issue. Since many steps are repeated for different problems, we create separate articles for those steps and reuse them as needed.

Please help us spread the word on this – These are some of our most common issues that customers face.

Troubleshooting vSphere Issues
Click here to open the download page

Using The PCoIP Secure Gateway to extend PCoIP Connections

by Hasan Mahmood

In VMware View 4.5 and earlier, PCoIP connections were restricted to internal connections or connections through a VPN, because a direct connection was required between the Client and the View Desktops. Starting with VMware View 4.6, we have the ability to use PCoIP connections from outside the firewall. This version allows us to connect to the View Desktops on port 4172 through the server that is running the PCoIP Secure Gateway. Who says we don’t listen to our customers!

The PCoIP Secure Gateway can be run on the Security Server or the Connection Broker. You can have multiple PCoIP Secure Gateways running. Any Security Server or Connection Broker that will run the PCoIP Security Server is required to run Windows 2008 R2 64 bit. With a properly configured PCoIP Secure Gateway, PCoIP traffic is passed through the gateway between the View Client and the View Desktop, allowing for a single IP address/port to be opened in the firewall to allow PCoIP communications.

The PCoIP Secure Gateway must run on the server that the clients connect to: for external users this is the Security Server, and for internal users it is the Connection Server. Internal users are not required to use a gateway server for PCoIP; however, it may be required if no direct connection is possible between the clients and the View Desktops. Also note that use of the PCoIP Secure Gateway is configured from a Connection Server and applies to a Connection Server and Security Server pair. Where there is only one Connection Server and Security Server, all users, both external and internal, will need to use the PCoIP Secure Gateway, and the gateway must run on both the Connection Server and the Security Server.

When configuring a PCoIP Secure Gateway, one must keep in mind that the gateway uses port 4172 for remote console connection while the USB traffic is diverted through port 443 for VMware View Clients. Thin Clients use port 4172 for all communication. The PCoIP Secure Gateway configuration requires two parameters: External URL and PCoIP External URL. On the Security Server the External URL is a URL that is resolvable from the locations the clients are connecting from. It is the firewall IP that is forwarded to the Security Server.

The PCoIP External URL must be provided as an IP address. This can be the same firewall IP that is used for the External URL. Connections from the outside on ports 443 (TCP) and 4172 (TCP, UDP) must be open.

When configuring PCoIP on a Connection Server, the External URL and PCoIP External URL refer to the DNS name of the Connection Server. The requirement that the PCoIP External URL be specified as an IP address also applies.

When using the Security Server as the PCoIP Secure Gateway in a DMZ, the firewall must be configured so that the Security Server can connect to all the View desktops on ports 4172 and 32111. There are other firewall rules you need to follow as well. Consult the View Architectures Planning for complete details.

VMware KB articles Configuring PCoIP Secure Gateway in VMware View 4.6, Troubleshooting PCoIP Secure Gateway (PSG) issues and VMware View Administration are useful in configuring and troubleshooting PCoIP Secure Gateway.
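The port and address requirements described above can be checked mechanically. The following is an added example, not VMware code: it audits a constructed rule list, and the zone names, the rule format, the `host:port` form of the PCoIP External URL and the protocols on the DMZ-to-desktop leg (the post gives only the port numbers) are assumptions.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    src: str    # zone the traffic comes from (hypothetical zone names)
    dst: str    # zone it is allowed into
    proto: str  # "tcp" or "udp"
    port: int


# Flows the post calls for when the Security Server in the DMZ is the gateway.
# Assumption: TCP+UDP for 4172 and TCP for 32111 on the DMZ -> desktops leg.
REQUIRED = [
    Rule("internet", "dmz", "tcp", 443),
    Rule("internet", "dmz", "tcp", 4172),
    Rule("internet", "dmz", "udp", 4172),
    Rule("dmz", "desktops", "tcp", 4172),
    Rule("dmz", "desktops", "udp", 4172),
    Rule("dmz", "desktops", "tcp", 32111),
]

# Constructed sample rule set with two gaps and one rule that bypasses the gateway.
SAMPLE_RULES = [
    Rule("internet", "dmz", "tcp", 443),
    Rule("internet", "dmz", "tcp", 4172),
    Rule("internet", "desktops", "udp", 4172),
    Rule("dmz", "desktops", "tcp", 4172),
    Rule("dmz", "desktops", "udp", 4172),
]


def audit_rules(rules):
    """Return (missing, bypass).

    missing: required flows that no rule allows.
    bypass:  rules that let outside traffic reach desktops directly, which
             defeats the single-address exposure the gateway is meant to give.
    """
    allowed = set(rules)
    missing = [r for r in REQUIRED if r not in allowed]
    bypass = [r for r in rules if r.src == "internet" and r.dst == "desktops"]
    return missing, bypass


def check_pcoip_external_url(value):
    """Return problems with a PCoIP External URL given as host or host:port (IPv4)."""
    host = value.rsplit(":", 1)[0] if ":" in value else value
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return ["%r is not an IP address; clients cannot use a DNS name here" % host]
    return []


if __name__ == "__main__":
    missing, bypass = audit_rules(SAMPLE_RULES)
    for rule in missing:
        print("missing:", rule)
    for rule in bypass:
        print("bypasses gateway:", rule)
    print(check_pcoip_external_url("view.example.com:4172"))
```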

When the Knowledge Base is not enough: Desktop edition

by Stephen Gardner

It might sound strange coming from the VMware Knowledge Management Team, but the VMware Knowledge Base should not be your only stop for self-help. In fact, as a veteran Support Insider, I’d like to tell you about a few other places you should be checking in your quest for information. (In keeping with the Support Insider theme, this is actually adapted from an email I sent to the rest of my support team a few weeks ago!)

Check the Help menu!

Your first stop, when you have a question about the product or how it works, should be the product’s own Help menu.

Yes, I know that’s hard to believe – I can’t believe I’m saying it! I’ve struggled with plenty of products’ help systems that just have next to nothing in them. Luckily, VMware help is usually better than that. I’ll give some specific examples:

Workstation and ACE

Our published documentation is here: http://www.vmware.com/support/pubs/ws_pubs.html

It includes:

  • Release notes – good for seeing known issues, new features, etc.
  • Product manuals, in PDF form. (These are the same as the in-product help)
  • The Workstation and ACE Online Library. This is also the same as the in-product help, but it’s in HTML format. It has an index, and it’s easily searchable. For instance, searching for “team”, you can find these instructions for creating a team: http://pubs.vmware.com/ws71_ace27/ws_user/ws_team_create.html
  • The Guest Operating System Installation Guide – this guide tells you how to install each of our supported OSes. There’s both a PDF version and an HTML one.
  • A link to the VMware Compatibility Guide, a searchable database that tells you which host OSes and guest OSes are supported for the various Workstation versions.
  • PDF guides for things like vmrun, virtual disk manager, vmware disk mount, and more – I’m not linking here, because I don’t want to spoil it for you.

Also available from the published documentation page, but hidden in the header, is a link to the Workstation and ACE Technical White Papers. These papers have more of the theory and background that go into our products, such as the one on Understanding Full Virtualization, Paravirtualization, and Hardware Assist, but there are also some practical guidelines like Best Practices for Setting Up VMware ACE 2.0 Enterprise Edition. There are 17 more white papers there, so have a look!

The VMware Workstation Community is thriving, with lots of knowledgeable folks answering lots of hard questions (and some easy ones, too). The discussions are worth joining if you want to share your knowledge, or take advantage of someone else’s. Often overlooked, however, is the Documents area of the community. Users post procedures, guidelines, answers to commonly-asked questions, and some genuinely interesting information there. If you’re wondering if someone else has tried to do what you’re trying to do, this is the place to check.

VMware Fusion

Our published documentation is here: http://www.vmware.com/support/pubs/fusion_pubs.html

It includes:

  • Release notes – good for seeing known issues, new features, etc.
  • The Getting Started guide, which explains how to install Fusion and the Guest OS
  • A PDF for vmrun, a utility for managing your virtual machine.

It does not include Fusion help. This is currently available only from within the product, but I’m working to change that. The Fusion help has answers to common questions, like how to set up and use the Applications menu (see the Help topic Using the VMware Fusion Applications Menu), or what the different options are concerning the virtual CD/DVD drive (see the Help topic Add a CD/DVD Drive).

You may find it helpful to look at the published Workstation documentation, as some of the linked documents and sites (like the VMware Compatibility Guide) are also applicable to Fusion.

The VMware Fusion community is even better than the Workstation community, especially when it comes to the Documents section. VMware staff and users have written some very informative guides, answering common questions and exploring some unsupported areas.

All products

Finally, there are some good non-VMware resources. They are worth mentioning because not all problems you run into while using VMware products are necessarily due to the VMware product… So, if you have a question about your host or Guest OS, don’t forget to check their documentation! For instance:

  • Windows: Microsoft has their own Knowledge Base and product Solution Centers, accessible here: http://support.microsoft.com/ I search their KB, and check the Vista and 7 areas, just about every day. I also check TechNet when I have a question about a server OS, or something more in depth (memory management, and environment variables, most recently).
  • Mac OS: Apple has a whole lot of documentation, articles, and resources: http://www.apple.com/support/ Either click through the page to find out what you want, or use the Searchlight-like search box to find exactly what you need. (Be sure to wait for the dropdown, which offers some helpful suggestions!)
  • Ubuntu: Canonical publishes some great documentation, both officially-created and community-sourced, here: https://help.ubuntu.com/
  • OpenSUSE: There’s a very nice wiki here: http://en.opensuse.org/Main_Page
  • Red Hat: There’s some good documentation available, but most of it is behind a customer login: https://access.redhat.com/knowledge/

Is there a topic you’re looking for documentation on, but can’t find? I can’t make any promises, but we’ll see what we can do!

New Articles Published for week ending 3/26/11

VMware ESX
High Availability fails to configure with error: HA agent on xxxxxx in cluster xxxxx in xxxxxxx has an error: error while running health check script (1021173)
Date Published: 3/25/2011
How to set up sudo with active directory accounts (1027766)
Date Published: 3/21/2011
When using NetXen 1G NX3031 or multiple 10G NX2031 devices, ESX hosts fail to boot with the error: Out of interrupt vectors error during bootup (1033299)
Date Published: 3/21/2011
After upgrading to ESX/ESXi 4.1, the default pathing policy for LUNs that are used with MSCS is set to Round Robin (1033678)
Date Published: 3/23/2011
Hot adding a network adapter to a virtual machine fails with the error: Communication with the virtual machine may have been interrupted (1035232)
Date Published: 3/21/2011
Synchronizing ESX/ESXi time with a Microsoft Domain Controller (1035833)
Date Published: 3/24/2011
Cannot mount an USB or a disk device media to the ESX/ESXi host (1036340)
Date Published: 3/25/2011
Using Antivirus and Malware Detection software in VMware ESX/ESXi (1036544)
Date Published: 3/24/2011
The VMware Tools version to install when building a virtual appliance for OVF deployment (1022056)
Date Published: 3/21/2011
Upgrading from ESX 3.5 to ESX 4.0/4.1 using VMware Update Manager fails with the error: cannot upgrade GRUB configurations (1031204)
Date Published: 3/25/2011

VMware ESXi
vCenter Server 4.1 Agent Pre-upgrade Check fails on ESXi 3.5 hosts with the error: Insufficient Available Memory (1029433)
Date Published: 3/21/2011
After upgrading to ESXi 4.1, syslog continuously reports the error: Authentication exit /lib/libsfcBasicAuthentication.so not found (1030818)
Date Published: 3/23/2011
Changing a LUN to use a different Path Selection Policy (PSP) (1036189)
Date Published: 3/22/2011

VMware Player
Cannot use USB device in a virtual machine on a RHEL 4 x64 host (1036506)
Date Published: 3/24/2011

VMware Service Manager
Federated CMDB is not using the audit trail functionality (1036037)
Date Published: 3/25/2011

VMware vCenter Chargeback
Troubleshooting vCenter Server connectivity issues in vCenter Chargeback (1030758)
Date Published: 3/24/2011

VMware vCenter Operations Standard
Expanding the data disk of the vCenter Operations Standard virtual appliance (1035655)
Date Published: 3/27/2011

VMware vCenter Server
Accessing Performance and Hardware Status tabs in vCenter Server fails with the HTTP Status 500 error (1029647)
Date Published: 3/25/2011
After upgrading from vCenter Server 4.0 to 4.1, deploying a template with guest customization fails (1036224)
Date Published: 3/22/2011
Performance Charts in the VI Client fail to load fully (1036409)
Date Published: 3/24/2011
Installing vCenter Server 4.1 fails with the error: Please make sure SQL Server Agent service is running on the database server (1036518)
Date Published: 3/25/2011
Analyzing physical machines using VMware Guided Consolidation fails with the error: Bad credentials or insufficient privileges (1031721)
Date Published: 3/24/2011
Configuring Windows Server 2008 to allow a smaller range of ports for Linked Mode communications (1036180)
Date Published: 3/21/2011
Backing up the vCenter Server 4.x bundle using the Data Migration tool fails with the error: Object reference not set to an instance of an object (1036228)
Date Published: 3/23/2011

VMware vCenter Server Heartbeat
Implementing vCenter Server Heartbeat on a single subnet using dual NICs (1036355)
Date Published: 3/21/2011
Additional vCenter Server Heartbeat configurations for protecting a local NetApp Virtual Storage Console (1036507)
Date Published: 3/23/2011

VMware vCenter Site Recovery Manager
Configuring array managers in VMware vCenter Site Recovery Manager fails with the error: mismatched tag (1035765)
Date Published: 3/22/2011

VMware vCenter Update Manager
Update Manager fails to scan or remediate the ESX host with the error: VMware Update Manager had a failure (1020407)
Date Published: 3/25/2011

VMware View Manager
Configuring PCoIP Secure Gateway in VMware View 4.6 (1036208)
Date Published: 3/25/2011
Unable to connect to the PCoIP Secure Gateway when using Microsoft NLB Clustering (1036376)
Date Published: 3/23/2011
Smart card authentication works with RDP but not with PCoIP (1036512)
Date Published: 3/25/2011

VMware vShield Manager
I cannot log in to the vShield Manager web user interface by using default credentials after initial import from OVF (1032712)
Date Published: 3/24/2011

VMware Workstation
Activating VMware Workstation fails with the error: Invalid serial number (1036178)
Date Published: 3/24/2011
After installing Windows 7 SP1, VMware Workstation reports the error: Not enough physical memory is available to power this virtual machine (1036185)
Date Published: 3/22/2011

How to configure the PCoIP Secure Gateway in VMware View 4.6

We have a new KB TV video for you today on configuring the PCoIP Secure Gateway to allow PCoIP connections through the Security Server or the Connection Server.

The video complements, and is embedded in KB article 1036208 Configuring PCoIP Secure Gateway in VMware View 4.6

PCoIP Secure Gateway, introduced in VMware View 4.6, provides the functionality to pass the connection (proxy) through the Connection Server or the Security Server. Now, both the Security Server and the Connection Server can work as a proxy. Security Servers are used with external connections and Connection Servers are used with internal connections.

New Articles Published for week ending 3/19/11

VMware Alive Enterprise
Validating SCOM Adapter login credentials in VMware Alive Enterprise (1035801)
Date Published: 3/14/2011

VMware ESX
Enabling serial-line logging for ESX and ESXi 4.1 (1030667)
Date Published: 3/14/2011
Host fails to recognize ESX installation (1034729)
Date Published: 3/15/2011
X11 settings incorrect after installing VMware Tools (1035790)
Date Published: 3/15/2011
Netware virtual machines report high CPU usage after upgrading to 4.1 (1036162)
Date Published: 3/17/2011
Cannot connect to ESX/ESXi host or add it to vCenter (1030895)
Date Published: 3/15/2011
Enabling serial-line logging for ESX and ESXi 3.x (1033868)
Date Published: 3/14/2011
How to enable the clustering features for an existing thick virtual disk without losing the data (1035823)
Date Published: 3/14/2011
vMotion fails during validation stage of migration – Compatibility Check Failure (1035834)
Date Published: 3/17/2011
Enabling vMotion and Fault tolerance logging (1036145)
Date Published: 3/17/2011
Cannot put the ESX host into maintenance mode (1036167)
Date Published: 3/17/2011

VMware ESXi
vMotion fails at 10% with the error: Migration failed while copying data.back (1030845)
Date Published: 3/15/2011
Unable to view the complete GID in esxtop if it has more than 7 characters (1031145)
Date Published: 3/15/2011
Enabling serial-line logging for ESX and ESXi 4.0 (1033880)
Date Published: 3/14/2011
Provider Order information in Windows guests is missing after upgrading VMware Tools from ESX 3.x to 4.x (1035429)
Date Published: 3/15/2011
Adding a virtual machine to a DVPortGroup in the vSphere Client fails with the error: No free port is available in DVportgroup PortGroupName (1035819)
Date Published: 3/14/2011
vMotion fails after validation stage of migration completed successfully (1036083)
Date Published: 3/17/2011

VMware Fusion
Internal SD card reader is not detected by Fusion (1035825)
Date Published: 3/14/2011
Partner Support – Submitting a Support Request (1035867)
Date Published: 3/15/2011

VMware Service Manager
When trying to perform a Find operation on a website that has been opened in the wrapper you see the error: access violation at address 77164f27 in module ‘oleaut32.dll’ (1035893)
Date Published: 3/14/2011
In the windows application event viewer, you see the error: Index and length must refer to a location within the string (1036040)
Date Published: 3/16/2011
When logging a request in the customer portal that is pre-assigned to a workflow group, the "Forward To" field is still available (1035830)
Date Published: 3/14/2011
Unable to remove an officer from the Call forum through the Call Search or Calls Outstanding screens (1036015)
Date Published: 3/17/2011
You cannot add custom extension fields from custom screen sets in the Task Search screen (1036027)
Date Published: 3/16/2011

VMware vCenter CapacityIQ
Upgrading VMware vCenter CapacityIQ from 1.0.x to 1.5.x (1034080)
Date Published: 3/15/2011
CapacityIQ cannot upload the .pak file during upgrade process (1034269)
Date Published: 3/18/2011

VMware vCenter Chargeback
The VMware vCenter Chargeback plugin fails to load with the error: An error has occurred. Please contact your system admin (1034925)
Date Published: 3/18/2011

VMware vCenter Converter Standalone
VMware Converter fails at 1% on Windows Server 2003 with the error code 2147754774 (1035241)
Date Published: 3/15/2011
When installing vCenter Converter Standalone you receive the error: Error 1500. Another installation is in progress.. (1029761)
Date Published: 3/14/2011

VMware vCenter Lab Manager
Logging in to Lab Manager after enabling debug mode fails with the error: an item with the same Key has already been added (1032536)
Date Published: 3/18/2011
Error when upgrading from Lab Manager 4.0 to Lab Manager 4.x (1033275)
Date Published: 3/18/2011
Deploying or undeploying a virtual machine fails in a fenced and partially deployed configuration (1035448)
Date Published: 3/18/2011
Unable to upgrade Lab Manager from 3.x to Lab Manager 4.x (1033249)
Date Published: 3/18/2011
Lab Manager reports 64-bit host as 32-bit host (1023157)
Date Published: 3/18/2011
Upgrading to Lab Manager 4.0.2 fails .NET 2.0SP1 pre-check even though the requirement is met (1031409)
Date Published: 3/18/2011

VMware vCenter Operations Standard
Licensing vCenter Operations 1.x (1036209)
Date Published: 3/18/2011

VMware vCenter Orchestrator
Workarounds for vCenter Orchestrator Address Apache Struts Remote Code Execution Vulnerability (1034175)
Date Published: 3/14/2011

VMware vCenter Server
After restarting the vCenter Server, Stored Procedures stop responding in the database causing unexpected results (1030898)
Date Published: 3/15/2011
vCenter Server 4.1 Search, Storage views, Hardware Status fail after custom SSL certificates are installed (1035559)
Date Published: 3/14/2011
Performance Chart fails after changing the default port on the SQL Server (1035561)
Date Published: 3/14/2011
Dropping unwanted or unused dbo.VCI Update Manager schemas and tables from the VCenter Database (1033240)
Date Published: 3/16/2011

VMware vCloud Connector
Reclaim storage space after a failed copy to vCloud Director (1036132)
Date Published: 3/16/2011

VMware vCloud Director
vCloud Director 1.0 support for vCenter Server 4.1 Update 1 (1036109)
Date Published: 3/16/2011

VMware View Manager
Appointment times in Lotus Notes running on the View Desktop show a different time when connected through View Client (1035783)
Date Published: 3/14/2011
VMware Tools script does not recognize the version of the kernel headers in Ubuntu guests (1035767)
Date Published: 3/14/2011

VMware vShield Edge
Installing VMware vShield components times out (1033307)
Date Published: 3/15/2011

VMware vShield Zones
Installing vShield Zones fails with error: Previous installation of host service encountered error (1035397)
Date Published: 3/14/2011
Uninstalling vShield Zones (1035797)
Date Published: 3/14/2011

Update Manager Mind Map

Today we have Bryan Hornstein introducing the new Mind Map for Update Manager.

VMware Update Manager is a fantastic product. It allows you to manage and patch your ESX/ESXi hosts efficiently and automatically, in a quick amount of time. Instead of messing with clunky command-line interface commands, everything is in an easy to understand GUI. Tasks that would normally take hours to do can now be done within a matter of minutes. With a simple point and click Update Manager can do several tasks at once, freeing us System Administrators to do other things that our companies need us for.

With that being said, Update Manager can be very daunting to set up at first if you are not familiar with the product. Once Update Manager is set up, there can be other issues that cause it to fail if certain configurations have not been set up correctly or verified. The idea behind these articles is to identify the most common scenarios Systems Administrators may run into, and how to easily fix them.

Before I get to the Mind Map, let me highlight a few of the KBs it covers. If you are having issues installing Update Manager or downloading and installing the plug-in that goes into vCenter Server, you will want to check out the following articles.

There are also other factors that can cause issues downloading the patches that are needed by Update Manager, your ESX/ESXi hosts, and the virtual machines themselves.  See this article for more information on troubleshooting those issues:

Finally, there are several things that need to be checked and certain configurations verified if you are having troubles staging, scanning, or upgrading an ESX/ESXi host. This can be the most common scenario that you will run into when using Update Manager. Firewalls and network configurations are usual suspects in issues like this. For help with troubleshooting these problems see the following articles:

To also assist you in navigating your issue to the right solution, we have created an interactive map of the problem you are having, and what articles can help you solve those issues. Feel free to browse the map, and become accustomed to some of the issues you may encounter when installing and using Update Manager. We hope you find these articles useful in helping you get your job done quickly and easily.

Here is the Mind Map.

Custom SSL for Virtual Center and ESX

Here is a step-by-step walk through by Tech Support Engineer Jasbinder Bhatti on how to install custom SSL certificates into your environment. These steps complement KB articles 1029944 and 1005210. We recommend you be familiar with those KB articles before you embark on this mission.

 

  1. Use PuTTY to connect to the ESX host and rename the existing key, so that you have a backup and can roll back after your new credential pair is generated and obtained from the Certificate Authority.

    mv /etc/vmware/ssl/rui.key rui.keybackup

    The following is an appropriate response from ESX:

    [root@esx001 ssl]# openssl req -new -keyout rui.key -out esx.csr
    Generating a 1024 bit RSA private key

  2. Send the CSR file off to the Certificate Authority and wait for the Intermediate and new server certificate (servername.crt) to be returned to you. The newly generated key will not be usable until after the new Intermediate Key and matching server certificate are received back from the Certificate Authority. In the interim, rename the newly generated key for later use and restore the original backed up key as shown:

    mv /etc/vmware/ssl/rui.key rui.keynew
    mv /etc/vmware/ssl/rui.keybackup rui.key

    Once the new servername.crt and intermediate.crt files are received back from the Certificate Authority, you will notice if you cat the rui.keynew file at this stage that the following lines indicate it is encrypted:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 7, ENCRYPTED
    DEK-Info: DES-EDE4-CXD,E23F5B5323EF34E4

  3. The intermediate.crt file will also need to be imported (if not already done) into the Windows Certificate Store. Check for the existence of this certificate in Internet Options >> Content on the Intermediate Certificates tab.
  4. Rename the original certificate and key files (rui.crt and rui.key) for backup purposes as shown:

    mv /etc/vmware/ssl/rui.crt rui.crtbackup
    mv /etc/vmware/ssl/rui.key rui.keybackup

  5. Rename the servername.crt and rui.keynew to rui.crt and rui.key as follows:

    mv /etc/vmware/ssl/esxservername.crt rui.crt
    mv /etc/vmware/ssl/rui.keynew rui.key

  6. Reformat the x509 certificate with the commands below. Make sure you are in the /etc/vmware/ssl directory when doing so.

    openssl x509 -text -in rui.crt -out rui.text

  7. Open the file and remove all the text except the information below. In other words, you should see -----BEGIN CERTIFICATE-----, the information in between, and -----END CERTIFICATE----- when you have completed the edit.

    -----BEGIN CERTIFICATE-----
    18788ylfhdlharelere ……………………………..
    -----END CERTIFICATE-----

  8. Rename the rui.crt file back to servername.crt, and the rui.text file back to rui.crt:

    mv rui.crt servername.crt
    mv rui.text rui.crt

  9. You will have to remove the encryption at this point with the following command:

    openssl rsa -in rui.key -out rui.key.unencripted

    At this point you will be prompted for the root password.

  10. Enter pass phrase for rui.key
  11. Rename the rui.key to rui.keynew as follows:

    mv rui.key rui.keynew

  12. Rename the rui.key.unencripted file back to rui.key as follows:

    mv rui.key.unencripted rui.key

  13. Restart the following services on the Esx Host Server as follows:

    service mgmt-vmware restart
    service vmware-vpxa restart
    service vmware-webAccess restart

  14. In Virtual Center, the server will eventually come up in a “not responding” state and will need to be disconnected and then reconnected after this step. To do this:

    Right Click on the ESX Host > Select "Disconnect"

    Right Click on the ESX Host > Select "Connect"
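A pre-flight check to run before restarting services in step 13, as an added example that is not part of the original walk-through or of the KB articles. It automates the manual edit from steps 6 and 7, confirms the passphrase was removed in step 9, and confirms the backups from step 4 exist; the sample files are constructed, and the permission check on the now unencrypted key is an addition the steps do not mention.

```python
import base64
import os
import re
import stat
import tempfile

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
CERT_RE = re.compile(re.escape(BEGIN) + r"\s+(.*?)\s+" + re.escape(END), re.S)
# Matches the traditional PEM encryption header and the PKCS#8 encrypted form.
ENCRYPTED_RE = re.compile(r"Proc-Type:\s*\d+,\s*ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY")


def extract_certificate(text):
    """Steps 6-7: keep only the PEM block from `openssl x509 -text` output."""
    bodies = CERT_RE.findall(text)
    if len(bodies) != 1:
        raise ValueError("expected one certificate block, found %d" % len(bodies))
    body = "".join(bodies[0].split())
    base64.b64decode(body, validate=True)  # ValueError if the body was damaged
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN] + wrapped + [END]) + "\n"


def key_is_encrypted(pem_text):
    """Step 9: True while the key still carries a passphrase."""
    return bool(ENCRYPTED_RE.search(pem_text))


def preflight(ssl_dir):
    """Return findings for ssl_dir; an empty list means step 13 can go ahead."""
    findings = []
    crt, key = (os.path.join(ssl_dir, n) for n in ("rui.crt", "rui.key"))
    if not (os.path.isfile(crt) and os.path.isfile(key)):
        return ["rui.crt or rui.key is missing"]
    with open(crt) as fh:
        crt_text = fh.read().strip()
    try:
        extract_certificate(crt_text)
        if not (crt_text.startswith(BEGIN) and crt_text.endswith(END)):
            findings.append("rui.crt has text outside the PEM block")
    except ValueError as exc:
        findings.append("rui.crt: %s" % exc)
    with open(key) as fh:
        if key_is_encrypted(fh.read()):
            findings.append("rui.key is still passphrase-protected")
    # An unencrypted private key should be readable by its owner only.
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & 0o077:
        findings.append("rui.key is accessible to group/other (mode %o)" % mode)
    for name in ("rui.crtbackup", "rui.keybackup"):
        if not os.path.isfile(os.path.join(ssl_dir, name)):
            findings.append("no rollback copy " + name)
    return findings


def make_sample_dir():
    """Write constructed files that mimic a half-finished run of the procedure."""
    d = tempfile.mkdtemp(prefix="ssl-demo-")
    body = base64.b64encode(b"\x30\x82" + b"constructed, not a real certificate " * 4).decode()
    dump = "Certificate:\n    Data:\n        Version: 3 (0x2)\n%s\n%s\n%s\n" % (BEGIN, body, END)
    key = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nY29uc3RydWN0ZWQ=\n"
           "-----END RSA PRIVATE KEY-----\n")
    for name, data in (("rui.crt", dump), ("rui.key", key)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(data)
        os.chmod(path, 0o644)
    return d


if __name__ == "__main__":
    for finding in preflight(make_sample_dir()):
        print(finding)
```

On a real host, point `preflight()` at `/etc/vmware/ssl`; it only reads the files and never modifies them.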

Tech Talk Episode 3 Part 1 – VMware View Discussion

Here we have another video in our on-going Tech Talk series featuring Rick Blythe and Scott Laforet.

In this episode Rick and Scott discuss VMware View. This is the first part in a three-part series which dives into various different aspects of the VMware View product. In this first installment Rick and Scott provide a high-level overview of some of the main technologies that are used within VMware View.

Be sure to keep an eye out over the next week or so for the second installment in this very informative three-part series.

 

Using Tags to control Location Based Access to pool Desktops

by Hasan Mahmood

Recently I was asked if it was possible to control access to a pool of View Desktops based on whether they were accessed internally or externally. That’s a good question.  Here’s what you need to know:

VMware View version 4.0 and above has a tagging feature that allows us to specify if a pool can be accessed when using a particular connection broker. Using this feature it is possible to differentiate your pools for internal or external access.

There are a few things you need to be aware of before you proceed with using tags.

  • The tags are applicable to Connection Servers only and not to Security Servers
  • Any Security Server paired to a Connection Server works exactly like the Connection Server.
  • If we have a load balancer in front of a group of Security Servers or Connection Servers, they must be tagged exactly the same.
  • A single Connection Server or pool can have multiple tags
  • Multiple Connection Servers and pools can have the same tag
  • Desktop pools that do not have any tags can be accessed through any Connection Server
  • View Connection Servers that do not have any tags can only access desktop pools that also do not have any tags.
  • Tags have higher priority than user entitlement to pools.

Keeping in mind the above parameters, let’s examine a scenario where a pool named ‘mobile-users’ needs to access the corporate network. From inside the organization, this needs to be done through Connection Servers named ‘internalCS-01’ and ‘internalCS-02’. When being externally accessed, we need to go through Security Server ‘ExternalSS-01’ which is paired to Connection Server ‘externalCS-01’.

In this case all pools that need internal access should be tagged with the tag ‘internal’, and the external-pool should have two tags, ‘external’ and ‘internal’.

The Connection Servers ‘internalCS-01’ and ‘internalCS-02’ should be tagged ‘internal’ and ‘externalCS-01’ should be tagged ‘external’. Users will not be able to log in until configuration of all the Connection Servers and the pools is complete.

Note: Logged in users will not be disconnected even if the new rules conflict with access.

Detailed information on Tags and Restricting View Desktop Access is available in the VMware View Administration, page 116.
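The tag rules and the ‘mobile-users’ scenario above, modelled as an added example that is not VMware code. The rule that a tagged pool is reachable when it shares at least one tag with the Connection Server is inferred from the scenario; the pools ‘finance’ and ‘kiosk’ and the user ‘alice’ are hypothetical.

```python
# Tags per Connection Server, taken from the scenario in the post.
SERVER_TAGS = {
    "internalCS-01": {"internal"},
    "internalCS-02": {"internal"},
    "externalCS-01": {"external"},
}
# A Security Server carries no tags of its own; it behaves like its paired server.
PAIRED_WITH = {"ExternalSS-01": "externalCS-01"}

POOL_TAGS = {
    "mobile-users": {"external", "internal"},
    "finance": {"internal"},   # hypothetical internal-only pool
    "kiosk": set(),            # hypothetical untagged pool
}
ENTITLEMENTS = {"alice": {"mobile-users", "finance", "kiosk"}}  # hypothetical user


def effective_tags(entry_point):
    """Tags that apply to a connection arriving at this server."""
    return SERVER_TAGS[PAIRED_WITH.get(entry_point, entry_point)]


def pool_visible(server_tags, pool_tags):
    """Apply the matching rules from the bullet list above."""
    if not pool_tags:
        return True    # untagged pool: reachable through any Connection Server
    if not server_tags:
        return False   # untagged server: untagged pools only
    return bool(server_tags & pool_tags)  # assumption: one shared tag is enough


def can_launch(user, entry_point, pool):
    """Tags outrank entitlement: both checks must pass."""
    entitled = pool in ENTITLEMENTS.get(user, set())
    return entitled and pool_visible(effective_tags(entry_point), POOL_TAGS[pool])


def lb_group_consistent(members):
    """Servers behind one load balancer must be tagged exactly the same."""
    return len({frozenset(effective_tags(m)) for m in members}) == 1


def access_matrix(user):
    """Map each entry point to the sorted list of pools the user can launch."""
    entry_points = list(SERVER_TAGS) + list(PAIRED_WITH)
    return {e: sorted(p for p in POOL_TAGS if can_launch(user, e, p))
            for e in entry_points}


if __name__ == "__main__":
    for entry, pools in access_matrix("alice").items():
        print(entry, "->", pools)
```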