how to use vmware - part 1

8/13/2019 How to use VMware - part 1

1/70

Installation and Administration

GuideVMware Virtual Desktop Manager 2.0


2/70

VMware, Inc.3401 Hillview Ave.Palo Alto, CA 94304www.vmware.com

2 VMware, Inc.

Installation and Administration Guide

You can find the most up-to-date technical documentation on our Web site at

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242,6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022,6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481,7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999,

7,278,030, 7,281,102, and 7,290,253; patents pending.

VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks ortrademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and namesmentioned herein may be trademarks of their respective companies.


Revision: 20080501Item: VDM-ENG-Q108-450
http://www.vmware.com/supportmailto:[email protected]://www.vmware.com/supportmailto:[email protected]


3/70

VMware, Inc. 3

Contents

AboutThisBook 5

VDMQuickStartGuide 7Introduction 7

HardwareRequirements 7

Prerequisites 8

PreinstallationChecklist 9

PrepareDesktopVirtualMachines 9

InstallingtheVDMConnectionServer 10

SingleServerInstallation 10

OneTimeConfiguration 11

CreatingDesktops 12

CreatinganIndividualDesktop 12

EntitlingaDesktop 13

ConnectingtoDesktops 14

VDMIntroductionandSystemRequirements 17VDMOverview 17

SystemRequirements 19

VDMConnectionServer 19

VDMClient 20

SupportedThinClientDevices 20

VDMWebAccess 21

VDMAgentVirtualDesktop 21

Prerequisites 21

InstallingandConfiguringVDM 23PrepareDesktopVirtualMachines 24

UsingtheVDMAgentonVirtualMachineswithMultipleNICs 25

InstallingtheVDMConnectionServer 26

SingleServerInstallation 26

MultiserverInstallation 27

OneTimeConfiguration 29


4/70


4 VMware, Inc.

EndtoEndConfiguration 29

ConfigurationforaPooledDesktop 31

EntitlingaDesktop 38

ConnectingtoDesktops 39

VDMAdministratorUserInterface 41

InventoryPage 42

ConfigurationPage 43

EventsPage 44

SearchingDesktopsandEntitledUsersandGroups 44

WorkingwithActiveSessions 45

GlobalConfigurationSettings 46

ViewingEvents 47

RSASecurID 48

DeletingVDMObjects 49

InstallingSSLCertificates 50

CreatingtheCSR 51

VDMLoadBalancing 54

LoadBalancinginaNonDMZDeployment 54SessionSetupandLoadBalancing 55

DNSRequirementsforaLoadBalancedSolution 56

LoadBalancingSolution 56

VDMDMZDeployment 57

DMZinstallation 57

LoadBalancinginaDMZDeployment 59

ConfiguringFirewallPortsforDMZDeployments 59BackingupandRestoringADAMData 59

TroubleshootingVDM 60

Appendix:VDMClientAdvancedActiveDirectoryRDPSettings 61UsingActiveDirectoryGroupPoliciesforAdvancedSettings 63

Glossary 65

Index 69


5/70

VMware, Inc. 5

Thismanual,theInstallationandAdministrationGuideprovidesinformationaboutsettingup,installing,andconfiguringVMwareVirtualDesktopManager(VDM),

includinghowtoinstallthevarioussoftwarecomponents,howtodeployservers,and

howtoconfigureandconnecttovirtualdesktops.Italsodescribeshowtosetuploadbalancing,security,andgivesinformationaboutsupportedoperatingsystemsandthin

clientdevices.

Thischaptercoversthesetopics:

IntendedAudienceonpage 5

DocumentFeedbackonpage 5

TechnicalSupportandEducationResourcesonpage 6

Intended Audience

Thismanualisintendedforanyonewhowantstoinstall,administrate,orconfigure

VDM.TheinformationinthismanualiswrittenforexperiencedWindowsorLinux

systemadministratorswhoarefamiliarwithvirtualmachinetechnologyand

datacenteroperations.

Document Feedback

VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhave

comments,sendyourfeedbackto:

[email protected]

About This Book
mailto:[email protected]:[email protected]


6/70


6 VMware, Inc.

Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.You

canaccessthemostcurrentversionsofthismanualandotherbooksbygoingto:

http://www.vmware.com/support/pubs

Online and Telephone Support

Useonlinesupporttosubmittechnicalsupportrequests,viewyourproductand

contractinformation,andregisteryourproducts.Goto

http://www.vmware.com/support.

Customerswithappropriatesupportcontractsshouldusetelephonesupportforthe

fastestresponseonpriority1issues.Goto

http://www.vmware.com/support/phone_support.html.

Support Offerings

FindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds.Gotohttp://www.vmware.com/support/services.

VMware Education Services

VMwarecoursesofferextensivehandsonlabs,casestudyexamples,andcourse

materialsdesignedtobeusedasonthejobreferencetools.Formoreinformationabout

VMwareEducationServices,gotohttp://mylearn1.vmware.com/mgrreg/index.cfm.
http://www.vmware.com/support/pubshttp://www.vmware.com/supporthttp://www.vmware.com/support/phone_support.htmlhttp://www.vmware.com/support/serviceshttp://mylearn1.vmware.com/mgrreg/index.cfmhttp://mylearn1.vmware.com/mgrreg/index.cfmhttp://mylearn1.vmware.com/mgrreg/index.cfmhttp://www.vmware.com/support/serviceshttp://www.vmware.com/support/phone_support.htmlhttp://www.vmware.com/supporthttp://www.vmware.com/support/pubs


7/70

VMware, Inc. 7

1

ThischapterprovidesabriefoverviewoftheVMwareVirtualDesktopManager

(VDM)administratoruserinterfaceandbasicVDMinstallationinstructions.It

providesgeneralguidelinestoperformbasicconfigurationandtocreatevirtual

desktops.Itprovidesabriefintroductiontobasicadministrationtasksandprovidespointerstomoredetailedinformationinotherchapters.

Introduction

VDMispartoftheVMwareVirtualDesktopInfrastructurewhichenablesenterprises

tohostdesktopvirtualmachinesintheirdatacenterusingVMwaresoftwareand

provideusers

access

from

aPC

or

thin

client

using

aremote

display

protocol.

VDM

providesthesoftwaretoolsforsettingupandconfiguringyourvirtualdesktop

environment.

Hardware Requirements

VDMrequiresadedicatedphysicalorvirtualserverwithfollowingspecificationsfor

runningVDM.

Asaminimum,aPentiumIV2.0Ghzprocessor.Dualprocessorsareecommended.

Asaminimum,2GBRAM.3GBRAMisrecommendedfordeploymentsof

50ormoredesktops.

Aminimumofone10/100MbpsNIC.1GbpsNICisrecommend.

ForDMZdeployments,VDMrequiresanadditionaldedicatedhardwareorsoftware

serverwithsimilarspecifications.

VDM Quick Start Guide

1


8/70


8 VMware, Inc.

Forhighavailabilitydeployments,eachVDMConnectionServerrequiresadedicated

hardwareorsoftwareserverwithsimilarspecifications.

Prerequisites

VDMConnectionServerhasthefollowingprerequisites:

VMwareInfrastructure3(currentversionsofESXServerandVirtualCenter)with

atleastoneESXhostandoneVirtualCenterinstance

ServersrunningVDMConnectionServerstandardorreplicainstancesthatare

joinedto

an

Active

Directory

domain

IfyouareusingVI3guestcustomization, MicrosoftSyspreptoolsinstalledonyour

VCServer

Acustomization

specification

that

permits

cloned

virtual

machines

to

join

the

AD

domain(optional)

AvalidlicensekeyforVDM

TheVDMAgent,VDMClient,andVDMWebAccesshavethefollowingprerequisites:

ForWindowsguestdesktopsandWindowsclients,youmusthaveadministrative

privilegestoinstalltheVDMClientandtheVDMAgent.

TheuseofActiveXcontrolsandInternetExplorer6orabovearerequiredfor

WindowsclientuserswhoaccesstheirdesktopsusingVDMWebAccess.

WebAccessusingLinuxorMacOSXrequiresJavaJREversion1.5.0or1.6.0.

MicrosoftRemoteDesktopConnection6.0recommended(notrequired)

ItisrecommendedthatyouupgradeVDMClientmachinestouseMicrosoft

Remote

Desktop

Connection

(RDC)

6.0.

This

recommendation

applies

to

machines

runningWindowsXPandWindowsXPe.Windows2000doesnotsupportRDC

6.0.WindowsVistacomeswithRDC6.0installed.

RDC6.0canbedownloadedatthefollowingURL:

http://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C0D1843

06ABCFD4F18C8F5DF9&displaylang=en

NOTE VDMConnectionServerdoesnotmakenorrequireanyschemaor

configurationupdatestoActiveDirectory.


9/70

VMware, Inc. 9

Chapter 1 VDM Quick Start Guide

IfconnectingtoaWindowsVistadesktopusingaLinuxclient,youmustinstallthe

rdesktopremotedesktopprotocolclientversion1.5.0,whichyoucandownload

fromthefollowingURL:

http://www.rdesktop.org/

Afteryoudownloadrdesktop,followtheinstructionsinthereadmefile.

Preinstallation Checklist

BeforeyouinstallVDM,usethefollowingchecklisttomakesureyouarereadyto

performthe

installation.

MakesurethemachinethatistoactastheconnectionserverisintheWindows

domain.

MakesuretheconnectionserverhasonlyoneNIC.

MakesureyoucanpingtheFQDNoftheconnectionserver.

UninstallanypreviousversionsofVDM.

Prepare Desktop Virtual Machines

BeforeyouinstalltheVDMsoftware,preparedesktopvirtualmachinesforuse.Where

changesinVirtualCenterarerequired,seethelatestVirtualCenterdocumentationfor

specificsteps.

Make

sure

that

the

following

prerequisites

are

in

place: Identifythebasedesktopvirtualmachinetodeploytousers,andinstallthelatest

operatingsystemandapplicationServicePacksandpatches.ForWindowsXP

desktopvirtualmachines,ensurethatthefollowingMicrosoftpatchthatVDM

requiresisinstalled:

http://support.microsoft.com/kb/323497

Thelatest

VMware

Tools

are

installed

(provided

with

VI

3).

Makesurethatnetworkingsettings(proxies,andsoforth)areproperlyconfigured

inthedesktopvirtualmachine.

VMwareVDMAgentisinstalled.
http://support.microsoft.com/kb/323497http://support.microsoft.com/kb/323497


10/70


10 VMware, Inc.

Makesurethatyouhaveadministrativerightstothedesktopvirtualmachine.

To install VMware VDM Agent

1 DownloadtheVDMinstallerfilefromtheVMwaresecureWebsitetoalocaldrive.

ForinformationaboutthelocationofthesecureWebsite,contactyourVMware

representative.

2 RunVMware-vdmagent-2.0.0-.exe

xxxisthebuildnumberofthesoftwarecomponentyouareinstallinginthedesktopvirtualmachine.

TheVMwareInstallationwizardopens.

3 ClickNext.

4 AccepttheVMwarelicensetermsandclickNext.

5 Chooseyourcustomsetupoptions.

6 AcceptorchangethedestinationfolderandclickNext.

7 ClickInstalltobegintheinstallationprocess.

8 ClickFinish.

Installing the VDM Connection Server

TheVDMconnectionservermustberunningWindows2003Serverandbeeithera

physicalserverdedicatedtoconnectionbrokeringorastandalonevirtualmachine.

Optionally,youcanobtainanSSLcertificatetouseforthatserver.

Single-Server Installation

Themostbasictypeofdeploymentissingleserverdeployment.Figure 11showsa

singleserverdeploymentwithaclientdevice,aconnectionserver,Webbased

administration,ActiveDirectory,andVMwareVirtualInfrastructure.

NOTE VDMAgentsoftwareisnotautomaticallyupdatedandmustbemanually

uninstalledandreplacedwithanewversion.ForautomatedupdatingofVDM

Agentin

large

environments,

VMware

recommends

using

standard

Windows

updatemechanismssuchasAltiris,SMS,LanDesk,BMC,orothersystems

managementsoftware.


11/70

VMware, Inc. 11


Figure 1-1. VDM Single Server Deployment

To perform a single server installation

1 RunVMware-vdmconnectionserver-2.0.0-.exe onthemachinethatis

toactastheconnectionserver.

xxxis

the

build

number

of

the

software

component

you

are

installing.


2 ClickNext.



5 Choosethe

Standard

deployment

option.

6 ClickNext>Install>Finish.

FormoreinformationaboutinstallingtheVDMConnectionServer,seeInstallingthe

VDMConnectionServeronpage 26.

One-Time Configuration

PerformaonetimeconfigurationonyourVDMConnectionServersothatitissetup

toperformdeploymenttasks.

Remote Users

VDMConnection Server

VMware Infrastructure

VirtualCenter

ESX Servers(virtual desktops)

Active Directory


12/70


12 VMware, Inc.

To perform a one-time configuration

1 Gotohttps:///admintolaunchVDMAdministrator.

isthehostnameorIPaddressoftheVDMConnectionServer,orloadbalancer.

2 Loginusingtheappropriatecredentials.

Initially,alldomainuserswhoaremembersofthelocaladministratorsgroupon

theVDMConnectionServerareallowedtologintotheVDMadministratoruser

interface.YoucanusetheinterfacetochangethelistofVDMadministratorslater.

Thefirsttimeyoulogin,theConfigurationpageappears.Afteryouenterthe

licenseinformation,theInventorypagedisplayswhenyoulogin.

3 ClicktheConfigurationbuttontochangetotheConfigurationpageifitisnot

displayedatlogin.OntheConfigurationpage,performthefollowingactions:

a InAccessandSecuritySettings,entertheVMwareVDMlicensekey.

b InVirtualCenterServers,clickAddandcompletethedetailsforthe

VirtualCenterstousewithVDM.

VDMdoesnotperformaDNSlookuptoverifywhetheranotherserveris

usingtheIPaddressyouenterintotheserveraddressfield.Theconflictmight

ariseifaVirtualCenterserverwasaddedbyenteringitsDNSnameorURLin

theserveraddressfield.

c GrantAdministrativerightstoADuserswhohaveloginaccesstoVDM

Administrator.

Creating Desktops

AfteryouhaveinstalledtheVDMconnectionserver,createthevirtualdesktopsand

entitleuserstoaccessthem.

Creating an Individual DesktopCreatedesktopssothatenduserscanaccesstheVDMservice.

To create an individual desktop

1 ClicktheInventorytab.

2 InAllDesktops,clicktheDesktopstabandclickAdd.

3 InSelectdesktop

type,clickIndividual

desktop

andclickNext.

4 EntertheDesktopIDandtheDesktopDisplayName.


13/70

VMware, Inc. 13


ThedesktopIDisthenamethatVDMusestoidentifythedesktop.Thedesktop

displaynameiswhattheenduserseeswhenloggingintothedesktop.The

desktopIDmustbeuniqueforeachdesktop,butthedisplaynamedoesnotneed

tobeunique.ThedesktopIDanddisplaynameshouldcorrelatetosomethingwithinyourenvironment(departmentnameorlocation,forexample).Ifyoudo

notspecifyadisplaynameusersseethedesktopID.

5 ClickNext.

6 Setthedesktopparameters.

SettheDesktopstatetoeitherEnabledorDisabled.

SettingittoEnabledmeansthatthedesktopisautomaticallyenabledafterit

iscreated.SettingittoDisabledmeansthatyoumustmanuallychangethe

settingtoEnabledinordertoactivatethedesktopafteritiscreated.

SelectRemainonifyouwantthedesktoptoalwaysremainon.SelectAlways

poweredonifyouwantthedesktoptoremainpoweredon.

SelectSuspendwhennotinuseifyouwantthedesktoptobesuspended

whentheuserisnotloggedin.SelectPoweroffwhennotinuseifyouwant

todesktoptopoweroffwhennotinuse.

7 ClickNext.

8 FromthelistofVirtualCenterservers,selecttheVirtualCenterserverthatthe

desktopistouseandclickNext.

9 In

the

table

on

the

Virtual

Machine

Selection

page,

select

the

virtual

machine

that

thedesktopistouse.

Allavailablevirtualmachinesthatarerunningasupportedguestoperating

systemandthatanothervirtualdesktopisnotusingappearinthetable,including

thosethataresuspendedornotpoweredon.

10 ClickNext.

11 Reviewthe

information

in

Ready

to

Complete

andclick

Finish

toaccept

it

or

Back

tomakecorrections.

12 ClickFinish.

Forinformationaboutcreatingdesktoppools,seeConfigurationforaPooled

Desktoponpage 31.

Entitling a DesktopAfteranindividualorpooleddesktophasbeenadded,entitleittoADusersorgroups.


14/70


14 VMware, Inc.

To entitle a desktop to an AD user or group

1 InAllDesktopsontheInventorytab,selectthedesktopthatyouwanttoentitle.

2 ClickEntitle.

3 ClickAdd.

4 IntheSelectobjecttypesection,selectUsersand/orGroups.

5 Chooseadomainwheretheobjectyouareentitlingresidesorselect

EntireDirectorytosearchacrosstheentireActiveDirectorydomainforest.

Youcan

search

by

name

or

description.

6 Selecttheobjecttoaddtotheentitlement.

7 ClickOK.

8 Inentitlement,clickOK.

Connecting to Desktops

VDMprovidestwooptionsforconnectingtothedesktopvirtualmachine:youcanuse

theVDMClientorVDMWebAccess.

To connect to desktops using the VDM Client

1 Makesureyouhaveadministrativerightstotheclientmachine.

2 DownloadandrunVMware-vdmclient-2.0.0-.exe.

xxxisthebuildnumberofthesoftwarecomponentyouareinstalling.


3 ClickNext.



6 ConfigureshortcutsfortheVDMClientor,ifyoudonotwanttouseshortcuts,

deselectallchoices.

7 ClickNext.

8 ClickInstall.

9 ClickFinish.

10 StarttheVMwareVDMClient.


15/70

VMware, Inc. 15


11 IntheVDMServerdropdownmenu,enterthehostnameorIPaddressofthe

VDMServer.

12 ClickConnect.

13 Enterentitleduserscredentials,selectthedomainandclickLogin.

14 ChoosetheentitleddesktopandclickOK.

Thedesktopvirtualmachineisconnected.

To connect to desktops using VDM Web Access

1 StartthebrowserandgototheVDMConnectionServerURL.

Forexample:https://,whereis

thehostnameorIPaddressoftheVDMConnectionServer.

2 Enterentitledusersnameandpasswordandmakesurethatyouselectthecorrect

domainfromthedropdownmenu.

3 ClickLogin.

4 WhenAccessStatusisReady,selectadesktopfromthelistandclickConnect.

Thedesktopisconnected.


16/70


16 VMware, Inc.


17/70

VMware, Inc. 17

2

ThischapterintroducesVDManddescribesthesystemrequirementsforinstallingand

runningit.VDMisaconnectionbrokerforVMwareVirtualDesktopInfrastructure.It

connectsuserstovirtualdesktopsrunningonVMwareVirtualInfrastructure,and

playsacriticalroleinsecurity,accesscontrol,andoveralldesktopmanagement.

Thischapterdiscussesthesetopics:

VDMOverviewonpage 17

SystemRequirementsonpage 19

Prerequisitesonpage 21

VDM Overview

VDMintegrateswithActiveDirectoryandVMwareVirtualCentertomanageand

deploydesktopstoendusers.VDMalsoprovidesaclientthatenablesuserstoconnect

tovirtualdesktopsusingeitheraWindowsPC,thinclient,Linuxdesktop,orMacintosh

computer.VDMprovidesasecureenvironmentfordeployingandaccessingvirtual

desktopsandusesexistingActiveDirectoryfunctionalityforauthenticationanduser

andusergroupmanagement.

VDMhasthefollowingmaincomponents:

VDMClientUserfacingcomponentthatconnectstoVDMConnectionServerto

connecttovirtualdesktops.Itisafeaturerich,nativewindowsapplication.

VDMWebAccessUserfacingcomponentthatconnectstoVDMConnection

Servertoconnecttovirtualdesktops.VDMWebAccessinstallstheclientthefirst

timeyouconnectandconnectstovirtualdesktopsusingaWebbrowser.

VDM Introduction and

System Requirements

2


18/70


18 VMware, Inc.

VDMAdministratorWebapplicationthatistheprimarymechanismfor

configuringVDMandmanagingusersanddesktops.

VDM

Connection

Server

Software

that

acts

as

a

connection

broker

and

provides

managementanduserauthenticationforvirtualdesktops.TheVDMConnection

Serverdirectsincomingremotedesktopuserrequeststotheappropriatevirtual

desktopandenhancestheuserexperience.

VDMAgentSoftwarethatinstallsondesktopvirtualmachinesandenables

featuressuchasRDPconnectionmonitoring,remoteUSBsupport,andsinglesign

on.Allguests(desktopvirtualmachines)requiretheagenttobeinstalledtorun

VDM.

VDMusesexistingADinfrastructureforauthenticationandusermanagement.VDM

integrateswithVMwareVirtualCentertomanagevirtualdesktopsrunningon

VMwareESXservers.

Figure 21showsahighlevelviewofaVDMenvironmentanditsmaincomponents.

Thesecomponentsaredescribedinmoredetailinlatersectionsofthisbook.

Figure 2-1. High-Level View of a VDM Environment

VDMAdministrator

Remote Users



VirtualCenter


Active Directory

VDM Client

VDM WebAccess


19/70

I t ll ti d Ad i i t ti G id


20/70


20 VMware, Inc.

VDM Client

TheVDMClientsupportsthefollowingoperatingsystemsanddevices:

VDM Client Supported Operating Systems

TheVDMClientsupportsthefollowingoperatingsystems:

Windows2000Professional,SP4

WindowsXPProfessional,SP1,SP2

WindowsXPHome,SP2

WindowsVistaHome

WindowsVistaHomePremium

WindowsVistaBusiness

WindowsVistaUltimate

Supported Thin Client Devices

ThefollowingthinclientdeviceshavebeentestedtoconnecttoVDM2.0:

HPCompaqt5730ThinClient

HPCompaqt5735ThinClient

HPCompaq6720tMobileThinClient

HPNeowarec50(XPe)

WyseS10VDIEdition

WyseV10L

WyseV90

WyseV90L

NOTE ForinformationaboutconfiguringWysethinclientdevices,seetheVMware

technoteatthefollowingURL:

http://www.vmware.com/info?id=347

Chapter 2 VDM Introduction and System Requirements


21/70

VMware, Inc. 21

Chapter 2 VDM Introduction and System Requirements

VDM Web Access

VDMWebAccesssupportsthefollowingoperatingsystems:

WindowsXPProfessionalSP1,SP2(requiresIE6SP1orhigher)

WindowsXPHomeSP2(requiresIE6SP2orhigher)

WindowsVistaHome(requiresIE7)

WindowsVistaHomePremium(requiresIE7)

WindowsVistaBusiness(requiresIE7)

WindowsVistaUltimate(requiresIE7)

RHEL4.0,Update4(requiresJavaJRE1.5.0or1.6.0andFirefox1.5or2.0)

SLES10(requiresJavaJRE1.5.0or1.6.0andFirefox1.5or2.0)

Ubuntu7.04(requiresJavaJRE1.5.0or1.6.0andFirefox2.0)

MacOS/XTiger(experimental, requiresJavaJRE1.5.0,RDC1.0,andSafari)

MacOS/XPanther(experimental,requiresJavaJRE1.5.0,RDC1.0,andSafari)

VDM Agent Virtual Desktop

TheVDMAgentsupportsthefollowingoperatingsystemsforvirtualdesktops:

WindowsXPProfessional,SP2(32bit)

WindowsVista

Business

Edition

(32

bit)

WindowsBusinessUltimateEdition(32bit)

Prerequisites

VDMConnectionServerhasthefollowingprerequisites:

VMwareInfrastructure3(currentversionsofESXServerandVirtualCenter)with

atleastoneESXhostandoneVirtualCenterinstance

ServersrunningVDMConnectionServerstandardorreplicainstancesthatare

joinedtoanActiveDirectorydomain

NOTE VDMConnectionServerdoesnotmakenorrequireanyschemaor

configurationupdatestoActiveDirectory.



22/70


22 VMware, Inc.

IfyouareusingVI3guestcustomization, MicrosoftSyspreptoolsinstalledonyour

VCServer

AcustomizationspecificationthatpermitsclonedvirtualmachinestojointheAD

domain(optional)

AvalidlicensekeyforVDM

TheVDMAgent,VDMClient,andVDMWebAccesshavethefollowingprerequisites:

ForWindowsguestdesktopsandWindowsclients,youmusthaveadministrative

privilegestoinstalltheVDMClientandtheVDMAgent.

TheuseofActiveXcontrolsandInternetExplorer6orabovearerequiredforWindowsclientuserswhoaccesstheirdesktopsusingVDMWebAccess.

WebAccessusingLinuxorMacOSXrequiresJavaJREversion1.5.0or1.6.0.

MicrosoftRemoteDesktopConnection6.0recommended(notrequired)

ItisrecommendedthatyouupgradeVDMClientmachinestouseMicrosoft

RemoteDesktopConnection(RDC)6.0.Thisrecommendationappliestomachines

runningWindowsXPandWindowsXPe.Windows2000doesnotsupportRDC

6.0.WindowsVistacomeswithRDC6.0installed.

RDC6.0canbedownloadedatthefollowingURL:

http://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C0D1843

06ABCFD4F18C8F5DF9&displaylang=en

IfconnectingtoaWindowsVistadesktopusingaLinuxclient,youmustinstallthe

rdesktopremotedesktopprotocolclientversion1.5.0,whichyoucandownload

fromthefollowingURL:

http://www.rdesktop.org/

Afteryoudownloadrdesktop,followtheinstructionsinthereadmefile.

VDMWebAccessrequiresthatyouinstallthefullVDMClienttousetheUSB

redirectionfeature.

IfusingUSBredirection,makesureyouinstalltheUSBredirectionfeaturewhen

youinstalltheVDMClient.
http://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=en


23/70

VMware, Inc. 23

3

VDMinstallationconsistsofinstallingVDMsoftwarecomponentsandpreparationsin

VirtualCenter.ThisdocumentdescribesindetailhowtoinstallVDMcomponentsbut

assumesthattheadministratorisfamiliarwithVMwareVirtualInfrastructure

administration.VMware

recommends

that

administrators

run

an

end

to

end

test

beforedeployingVDMtoendusers.

BeforeinstallingVDM,seeChapter 2,VDMIntroductionandSystemRequirements,

onpage 17toobtainsystemrequirementsandhardwareanddevicesupport.This

chaptercoversthesetopics:

PrepareDesktopVirtualMachinesonpage 24

InstallingtheVDMConnectionServeronpage 26

OneTimeConfigurationonpage 29

EndtoEndConfigurationonpage 29

VDMAdministratorUserInterfaceonpage 41

SearchingDesktopsandEntitledUsersandGroupsonpage 44

GlobalConfigurationSettingsonpage 46

ViewingEventsonpage 47

RSASecurIDonpage 48

DeletingVDMObjectsonpage 49

InstallingSSLCertificatesonpage 50

VDMLoadBalancingonpage 54

Installing and Configuring

VDM

3



24/70

24 VMware, Inc.

VDMDMZDeploymentonpage 57

LoadBalancinginaDMZDeploymentonpage 59

BackingupandRestoringADAMDataonpage 59

TroubleshootingVDMonpage 60

Prepare Desktop Virtual Machines

BeforeyouinstalltheVDMsoftware,preparedesktopvirtualmachinesforuse.Where

changesinVirtualCenterarerequired,seethelatestVirtualCenterdocumentationfor

specificsteps.

Makesurethatthefollowingprerequisitesareinplace:

Identifythebasedesktopvirtualmachinetodeploytousers,andinstallthelatest

operatingsystemandapplicationServicePacksandpatches.ForWindowsXP

desktopvirtualmachines,ensurethatthefollowingMicrosoftpatchthatVDM

requiresisinstalled:

http://support.microsoft.com/kb/323497

ThelatestVMwareToolsareinstalled(providedwithVI3).

Makesurethatnetworkingsettings(proxies,andsoforth)areproperlyconfigured

inthedesktopvirtualmachine.

VMwareVDMAgentisinstalled.

Makesurethatyouhaveadministrativerightstothedesktopvirtualmachine.

To install VMware VDM Agent

1 DownloadtheVDMinstallerfilefromtheVMwaresecureWebsitetoalocaldrive.

ForinformationaboutthelocationofthesecureWebsite,contactyourVMware

representative.

2 RunVMware-vdmagent-2.0.0-.exe

xxxisthebuildnumberofthesoftwarecomponentyouareinstallinginthedesktopvirtualmachine.

NOTE

VDMAgentsoftwareisnotautomaticallyupdatedandmustbemanually

uninstalledandreplacedwithanewversion.ForautomatedupdatingofVDM

Agentinlargeenvironments,VMwarerecommendsusingstandardWindows

updatemechanismssuchasAltiris,SMS,LanDesk,BMC,orothersystems

managementsoftware.

Chapter 3 Installing and Configuring VDM
http://support.microsoft.com/kb/323497http://support.microsoft.com/kb/323497


25/70

VMware, Inc. 25


3 ClickNext.


5 Chooseyourcustomsetupoptions.


7 ClickInstalltobegintheinstallationprocess.

8 ClickFinish.

To Create a desktop virtual machine template

1 InVirtualCenter,convertthedesktopvirtualmachinetoatemplate.

YoumustcreateadesktopvirtualmachinetemplatetousedesktoppoolsinVDM.

2 (Optional)InVirtualCenter,createaguestcustomizationspecification.

UseDHCPforthespecificationandsetthecomputernametothevirtualmachine

name.ClonedvirtualmachinesalsoneedtobeabletojoinADdomainsiftheVDMsinglesignonfeatureisrequired.

3 Asatest,deployavirtualmachinefromthetemplatetovalidatethat

customizationissuccessful.

MakesurethatADdomainjoinandauthenticationworks.

4 Ifafolderwasnotautomaticallycreated,createoneintheVirtualMachinesand

TemplatesInventoryview.

Using the VDM Agent on Virtual Machines with Multiple NICs

ForGuestVirtualMachineswithmorethanonevirtualNIC,youneedtoconfigurethe

subnetthattheVDMAgentwilluse.ThisdetermineswhichnetworkaddresstheVDM

AgentprovidestotheVDMServerforclientRDPconnections.Toconfigurethissubnet,

createthefollowingREG_SZregistryvalueinthevirtualmachineonwhichtheVDM

Agentisinstalled:

HKLM\Software\VMware, Inc.\VMware VDM\Node Manager\subnet = n.n.n.n/m

(REG_SZ)

Intheregistryvalue,n.n.n.nistheTCP/IPsubnetandmisthenumberofbitsinthe

subnetmask.



26/70

26 VMware, Inc.

Installing the VDM Connection Server

TheVDMConnectionServermustberunningonWindows2003Server(Englishonly)

andbe

located

on

either

aphysical

or

virtual

server

dedicated

to

connection

brokering.

Donothavetheconnectionserverperformanyotherfunctionsorroles(forexample,

donotdesignatethesameservertobetheVirtualCenterserver).Theconnectionserver

mustbejoinedtothedomain(butcannotbeadomaincontroller)andeachconnection

servermusthaveastaticIPaddressassignedtoit.Thedomainuseraccountusedto

installtheconnectionservermusthaveadministrativeprivilegesonthatserver.The

connectionserveradministratoralsoneedstoknowtheVirtualCentercredentials.Itis

recommendedthatyouobtainanSSLcertificatetouseforthatserver.Formore

informationaboutSSLcertificateinstallation,seeInstallingSSLCertificateson

page 50.

Single-Server Installation

Themostbasictypeofdeploymentissingleserverdeployment.Thefollowingdiagram

showsasingleserverdeploymentwithaclientdevice,aconnectionserver,Webbased

administration,Active

Directory,

and

VMware

Virtual

Infrastructure.

Figure 3-1. VDM Single Server Deployment

Remote Users



VirtualCenter


Active Directory



27/70

VMware, Inc. 27

To perform a single server installation



xxxisthebuildnumberofthesoftwarecomponentyouareinstalling.TheVMwareInstallationwizardopens.

2 ClickNext.



5 ChoosetheStandarddeploymentoption.


Multiserver Installation

VDMConnectionServercanalsobedeployedinamultiserverconfigurationforhigh

availabilityandloadbalancing.Thefollowinghighleveldiagramshowsamultiserverdeployment,connectionservers,aloadbalancer,Webbasedadministration, Active

Directory,andVMwareVirtualInfrastructure(whichincludesESXservershostingthe

virtualdesktops).



28/70

28 VMware, Inc.

Figure 3-2. VDM Multiserver Deployment

To perform a multiserver installation



xxxisthebuildnumberofthesoftwarecomponentyouareinstalling.TheVMwareInstallationwizardopens.

2 ClickNext.

3 AccepttheVMwarelicenseterms,andclickNext.

4 Acceptorchangethedestinationfolder,andclickNext.

5 ChoosetheReplicadeploymentoption.

6 EnterthehostnameorIPaddressoftheexistingconnectionserverthatyou

replicate.

NOTE MultiserverinstallationassumesthatoneotherinstanceofVDMConnection

Serverisinstalledusingthestandarddeploymentoption.Multiserverinstallationis

performedonsecond,orsubsequent,servers.

Local Users

Remote UsersVDM

ConnectionServers


Third-PartyLoad

Balancer

VirtualCenter


Active Directory



29/70

VMware, Inc. 29

7 ClickNext.

8 ClickInstall.

9 ClickFinish.

One-Time Configuration

PerformaonetimeconfigurationonyourVDMConnectionServersothatitissetup

toperformdeploymenttasks.

To perform a one-time configuration

1 Gotohttps:///admintolaunchVDMAdministrator.

isthehostnameorIPaddressoftheVDMConnection

Server,orloadbalancer.

2 Loginusingtheappropriatecredentials.

Initially,alldomainuserswhoaremembersofthelocaladministratorsgroupon

theVDM

Connection

Server

are

allowed

to

login

to

the

VDM

administrator

user

interface.YoucanusetheinterfacetochangethelistofVDMadministratorslater.

Thefirsttimeyoulogin,theConfigurationpageappears.Afteryouenterthe

licenseinformation,theInventorypagedisplayswhenyoulogin.

3 ClicktheConfigurationbuttontochangetotheConfigurationpageifitisnot

displayedatlogin.OntheConfigurationpage,performthefollowingactions:

a InAccessand

Security

Settings,entertheVMwareVDMlicensekey.

b InVirtualCenterServers,clickAddandcompletethedetailsfortheVirtualCenterstousewithVDM.

VDMdoesnotperformaDNSlookuptoverifywhetheranotherserveris

usingtheIPaddressyouenterintotheserveraddressfield.Theconflictmight

ariseifaVirtualCenterserverwasaddedbyenteringitsDNSnameorURLin

theserveraddressfield.

c GrantAdministrativerightstoADuserswhohaveloginaccesstoVDMAdministrator.

End-to-End Configuration

Performanendtoendconfigurationonnewinstallationstoensurethatinstallation

andconfigurationissuescanbeeasilyresolved.Thissectionreferstobothindividual

andpooleddesktops.



30/70

30 VMware, Inc.

To perform a configuration for an individual desktop


2 InAllDesktops,clicktheDesktopstabandclickAdd.

3 InSelectdesktoptype,clickIndividualdesktopandclickNext.


ThedesktopIDisthenamethatVDMusestoidentifythedesktop.Thedesktop

displaynameiswhattheenduserseeswhenloggingintothedesktop.The

desktopIDmustbeuniqueforeachdesktop,butthedisplaynamedoesnotneed

tobeunique.ThedesktopIDanddisplaynameshouldcorrelatetosomethingwithinyourenvironment(departmentnameorlocation,forexample).Ifyoudo

notspecifyadisplaynameusersseethedesktopID.

5 ClickNext.

6 Setthedesktopparameters.

SettheDesktopstatetoeitherEnabledorDisabled.

SettingittoEnabledmeansthatthedesktopisautomaticallyenabledafterit

iscreated.SettingittoDisabledmeansthatyoumustmanuallychangethe

settingtoEnabledinordertoactivatethedesktopafteritiscreated.

SelectRemainonifyouwantthedesktoptoalwaysremainon.SelectAlways

poweredonifyouwantthedesktoptoremainpoweredon.

SelectSuspendwhennotinuseifyouwantthedesktoptobesuspended

whentheuserisnotloggedin.SelectPoweroffwhennotinuseifyouwant

todesktoptopoweroffwhennotinuse.

7 ClickNext.



9 In

the

table

on

the

Virtual

Machine

Selection

page,

select

the

virtual

machine

that

thedesktopistouse.

Allavailablevirtualmachinesthatarerunningasupportedguestoperating

systemandthatanothervirtualdesktopisnotusingappearinthetable,including

thosethataresuspendedornotpoweredon.

10 ClickNext.

11 Reviewthe

information

in

Ready

to

Complete

andclick

Finish

toaccept

it

or

Back

tomakecorrections.


31/70



32/70

32 VMware, Inc.

To create the VDM administrator role for VirtualCenter

1 InVirtualCenter,Admin.

2 Ifit

is

not

already

selected,

click

the

Roles

tab

and

click

Add

Role.

3 Enteranamefortherole(VDMAdministrator,forexample).

4 InthelistofPrivileges,expandFolderandselectCreateFolderandDeleteFolder.

5 ExpandVirtualMachineandperformthefollowingsteps:

a ExpandInventoryandselectCreateandRemove.

b ExpandInteractionandclickPower

On,Power

Off,Suspend,andReset.

c ExpandConfigurationandselectAddnewdisk,AddorRemoveDevice,

ModifyDeviceSettingsandAdvanced.

d ExpandProvisioningandselectCustomize,DeployTemplate,andRead

CustomizationSpecifications.

6 ExpandResourceandselectAssignVirtualMachinetoResourcePool.

7 ClickOK.

Thenewroleappearsinthelistofroles.

To assign the administrator or VDM administrator VirtualCenter roles

1 InVirtualCenter,selectthedatacenterorclustertoassigntheadministratorroleto.

2 ClickthePermissionstab.

3 RightclickonthepageanywherebelowthelistofUsersandGroups.

4 ClickAddPermission.

5 InUsersandGroups,clickAdd.

6 IntheDomaindropdownmenu,selecttheadministratorsdomain.

7 In

Users

and

Groups,

select

the

administrator

from

the

list.

8 ClickAddandclickOK.

9 InAssignedRole,selecttherolethatyouwanttoassign.

SelectAdministratortogivefullcontroloverthedatacenterorcluster.The

AdministratorroleispreconfiguredinVirtualCenter.

SelectVDMAdministratortogivetheuserthemorerestrictiveaccessand

permissionsthattheVDMAdministratorrolethatyoucreated.



33/70

VMware, Inc. 33

10 ClickOK.

To create a VirtualCenter role for reading customization specifications

1 InVirtualCenter,clickAdmin.

2 ClicktheRolestabandclickAddRole.

3 Enteranamefortherole(forexample,ReadOnlyCustomizationSpecifications).

4 Inthelistofprivileges,selectVirtualMachine.

5 ExpandProvisioning,andselectReadCustomizationSpecifications.

6 ClickOK.

To assign VirtualCenter roles for VDM

1 InVirtualCenter,intheInventoryview,clickHostsandClusters.

2 ClickthePermissionstab.

3 RightclickonthepageanywherebelowthelistoflistofUsersandGroups.

4 ClickAddPermission.

5 InUsersandGroups,clickAdd.

6 IntheDomaindropdownmenu,selecttheadministratorsdomain.

7 InUsersandGroups,selecttheadministratorfromthelist.

8 ClickAdd.

9 ClickOK.

10 InAssignedRole,selectGlobalReadOnlyCustomSpecandclickOK.

To perform a configuration for a pooled desktop


2 InDesktops,clicktheDesktopstabandclickAdd.

3 InSelectdesktoptype,clickeitherDesktoppool persistentorDesktop

pool nonpersistent.

Persistentdesktoppoolsallowuserstologintothesamedesktopeverytime.

Userscansavedocumentsandfilesonpersistentdesktopsbecausetheyreturnto

thesamedesktop.

NOTE Testindividualdesktopsbeforetestingpools.



34/70

34 VMware, Inc.

Nonpersistentpoolsareavailabletouserswhentheyloginbutarereturnedtothe

poolwhenuserslogoff.Userslogintoadifferentdesktopeachtimeandshould

notsavedocumentsorfilesonthedesktop.

4 ClickNext.


ThedesktopIDisthenamethatVDMusestoidentifythedesktopTheusersees

thedesktopdisplaynamewhenloggingintothedesktop.ThedesktopIDmustbe

uniqueforeachdesktop,butthedisplaynamedoesnotneedtobeunique.The

desktopIDanddisplaynamedonotneedtocorrelatetoanythingspecificwithin

yourenvironment.

If

you

do

not

specify

adisplay

name,

users

see

the

desktop

ID.

6 ClickNext.

7 Setupthedesktopparameters:

DesktopstateEnabledmeansthatthepoolisautomaticallyenabledafterit

iscreatedandreadyforusebyendusers.Disabledmeansthatyoumust

manuallychangethesettingtoEnabledtoactivatethepoolafteritiscreated.

Disabledisusedforsuchthingsasupgradingvirtualmachinesortakingdesktopsofflinetoperformmaintenance.

ProvisionEnabledmeansthatvirtualmachinesarecreatedforthepoolas

soonasyoufinishthestepsaddapooleddesktop.Disabledmeansthatyou

mustmanuallychangethesettingtoEnabledtocreatevirtualmachinesfor

thepoolafterthepooliscreated.

Pool

sizeSet

to

the

number

of

desired

virtual

desktops.

StopprovisioningonerrorStopstheprovisioningofvirtualmachineswhen

anerrorisdetected.

VirtualmachinepowerpolicyRemainonsetsthevirtualmachinesto

alwaysremainon.Alwayspoweredonsetstheassignedvirtualmachinesto

remainpoweredon.Suspendwhennotinusesetsthevirtualmachinestobe

suspendedwhentheuserisnotloggedin.Poweroffwhennotinusesets

virtualmachinestopoweroffwhennotinuse.

PrefixforvirtualmachinenamesSetthistoavalueforeachpoolthat

identifiesvirtualmachinesaspartofthatpool.Virtualmachinescreatedfor

thispoolhavenamesthatbeginwiththisprefix.

Poweroffanddeletevirtualmachineafterfirstuse(fornonpersistentpools

only)Deletesthevirtualmachinewhentheuserlogsoutafterfirstuse.If

necessary,anew

virtual

machine

is

cloned

to

maintain

aspecific

pool

size

after

virtualmachinesaredeleted.



35/70

VMware, Inc. 35

8 ClickNext.



IfyouhavemultipleVirtualCenterserversrunninginyourenvironment,make

surethatanotherVirtualCenterserverisnotusingtheVirtualCenteruniqueID.By

default,anIDvalueisrandomlygeneratedbutitiseditable.Fordetailsabout

editingVirtualCenteruniqueIDvalues,seethelatestVirtualCenter

documentation.

10 TemplateSelection,chooseatemplatefromwhichtodeployvirtualmachinesfor

thedesktop

pool.

11 Selectthevirtualmachinefolderlocation.

VDMcreatesafolderwiththesamenameasthedesktopIDandputsthenewly

createdvirtualmachinesinthefolder.

12 Selectahostorclusteronwhichtorunthevirtualmachinesthatthisdesktopuses

andclickNext.

13 Selectaresourcepoolinwhichtorunthevirtualmachinesthatthisdesktopuses,

andclickNext.

14 ChooseadatastoretostorethevirtualmachinefilesandclickNext.

15 Selectacustomizationspecificationtocustomizetheguestoperatingsystemfor

VirtualMachinesusedinthisdesktopandclickNext.

16 Reviewthe

information

in

Ready

to

Completeand

click

Next

to

accept

it

or

Back

tomakerevisions.

17 ClickFinish.

Afterthepooleddesktopisadded,entitleittoanADuserorgroup.SeeEntitling

aDesktoponpage 38.

Forinformationabouttestingthedesktoplaunch,seeConnectingtoDesktops

onpage 39.

Advanced Pool Settings

VDMadvancedpoolsettingsallowyoutooverridethedefaultpoolsettingsandto

determinehowyourpooleddesktopsaredeployedandmanaged.Theadvancedpool

settingsareanoptionwhenyouarecreatingeitherapersistentornonpersistentpool

intheDesktopSettingsintheAddDesktopwizard.



36/70

36 VMware, Inc.

WhenyouareconfiguringDesktopSettings,accessandenabletheadvancedsettings

byexpandingAdvancedSettingsandselectingEnableAdvancedPoolSettings.The

advancedpoolsettingsincludethefollowingoptions:

MinimumnumberofvirtualmachinesOverridesthedefaultminimumnumberofvirtualmachinesavailableforapool.Setthisnumbertotheminimumnumber

ofanticipatedvirtualmachinesuponfirstdeployment.

MaximumnumberofvirtualmachinesOverridesthedefaultmaximumnumber

ofvirtualmachinesavailableforapool.Setthisnumbertothemaximumnumber

ofvirtualmachinesthataretobedeployedinthepoolatanypoint.Thissettingis

necessarytopreventoverburdeningofhardwareresources.

NumberofavailablevirtualmachinesOverridesthedefaultnumberofavailable

virtualmachinesforapool.Thissettingdetermineshowmanyvirtualmachines

willbeavailableforimmediateuse.Ifthepowerpolicydictates,availablevirtual

machinesoverthislimitwillbesuspendedorpoweredoffasneeded.For

nonpersistentpools,thissettingdetermineshowmanyvirtualmachinesare

provisioned(added)asnewuserslogintovirtualdesktops.Forpersistentpools,

thissettingmustmatchtherateatwhichusersareaddedtotheenvironment(in

otherwords,ifyouaddtwousersaday,setthisnumberto2forpersistentpools).

Youcanfurtherspecifyvirtualmachinebehaviorfordesktopsthatuseaspecific

VirtualCenterServerusingtheadvancedVirtualCentersettingsontheConfiguration

page.Onthatpage,youcancontrolthemaximumnumberofconcurrentprovisioning

(desktopvirtualmachinecreation)operationsandthemaximumnumberofconcurrent

poweroperations.

Advanced Pooling Example Scenarios

VDMpoolingisflexibleandoffersmanypossiblecombinationsofsettings.The

followingexamplescenariosshowsomepossiblecombinationsofsettingsand

illustratehowVDMrespondsorbehaves.

Pooling Example 1

Poolingexample

1has

the

following

settings:

TypeofpoolNonpersistent

Minimumnumberofvirtualmachines100

Maximumnumberofvirtualmachines200

Numberofavailablevirtualmachines20

VirtualmachinepowerpolicySuspendwhennotinuse


I hi l h l i i i ll l d i 100 i l hi Af 20


37/70

VMware, Inc. 37

Inthisexample,thepoolinitiallyclonesandcustomizes100virtualmachines.After20

virtualmachines,avirtualmachinewouldbesuspendedforeachnewclonedvirtual

machinesothattheavailablecount(inotherwords,poweredupandreadyforuse)did

notexceed

20.

The

minimum

and

maximum

values

only

affect

the

cloning

and

not

the

numberofavailablevirtualmachines.

Asuserslogin,thenumberofavailablevirtualmachinessettingwouldpowerupmore

virtualmachinestokeepthemattherightlevel.Whenthe80thuserlogsin,thesetting

wouldinitiateacloningoperation.Asuserslogout,virtualmachinesaresuspended

(basedonthepowerpolicy)tokeeptheavailablenumberofvirtualmachinesdown.

Pooling Example 2

Poolingexample2hasthefollowingsettings:

TypeofpoolPersistent



Numberof

available

virtual

machines

20


ThesameasthenonpersistentcaseinExample1,exceptthatwhenuserslogoff,their

virtualmachinesaresuspended.Theusedvirtualmachinesarenotreturnedtothepool

becausetheyarenowassigned.

Pooling Example 3






VirtualmachinepowerpolicyRemainon

Thepoolinitiallyclonesandcustomizes100virtualmachines.Thesevirtualmachines

areleftrunning.Astheeightiethandsubsequentuserslogin,theavailablecount

restartscloningtomaintainthecapacity.


Pooling Example 4


38/70

38 VMware, Inc.

Pooling Example 4


Type

of

pool

Non

persistent Minimumnumberofvirtualmachines200



VirtualmachinepowerpolicyRemainon

Thepool

clones

200

virtual

machines.

No

more

virtual

machines

are

ever

cloned.

The

powerpolicymeansthatvirtualmachinesarenotpoweredoff.

Pooling Example 5







Thepoolclones200virtualmachines.Afterthetwentiethclone,thepoolmanagerstarts

tosuspendvirtualmachinestomaintaintheavailablecountat20.Asuserslogin,

virtualmachinesareresumedtomaintainthesparecount.

Entitling a Desktop

Afteranindividualorpooleddesktopisadded,entitleADusersorgroupstoit.

To entitle a desktop to an AD user or group

1 InAll

Desktops

on

the

Inventory

tab,

select

the

desktop

that

you

want

to

entitle.

2 ClickEntitle>Add.

3 InSelectobjecttype,selectUsersorGroups.

4 Choosethedomainwheretheobjectyouareentitlingreside,orselect

EntireDirectorytosearchacrosstheentireActiveDirectorydomainforest.

Youcansearchbynameordescription.

5 Selecttheobjecttoaddtotheentitlement.


You can entitle multiple users and groups to a desktop If you entitle multiple users


39/70

VMware, Inc. 39

Youcanentitlemultipleusersandgroupstoadesktop.Ifyouentitlemultipleusers

orgroupstoadesktop,thedesktopbehaveslikeanonpersistentpool.For

informationaboutnonpersistentpools,seeConfigurationforaPooledDesktop

onpage 31.

6 ClickOK.

7 Inentitlement,clickOK.

Connecting to Desktops

VDMprovidestheVDMClientorVDMWebAccessforconnectingtothedesktop

virtualmachine.

To connect to desktops using the VDM Client

1 DownloadandrunVMware-vdmclient-2.0.0-.exe.

xxxis

the

build

number

of

the

software

component

you

are

installing.


2 ClickNext.



5 Configureshortcuts

for

the

VDM

Client

or,

if

you

do

not

want

to

use

shortcuts,

deselectallchoices.


7 StarttheVMwareVDMClient.

8 IntheVDMServerdropdownmenu,enterthehostnameorIPaddressofthe

VDMServer.

9 ClickConnect.

10 Entertheentitleduserscredentials,selectthedomainandclickLogin.

11 ChoosetheentitleddesktopandclickOK.

Thedesktopvirtualmachineisconnected.

NOTE Makesureyouhaveadministrativerightstotheclientmachine.




40/70

40 VMware, Inc.


1 StartthebrowserandgototheVDMConnectionServerURL.

Forexample:

https://,

where

is

thehostnameorIPaddressoftheVDMConnectionServer.

2 Entertheentitledusersnameandpasswordandmakesurethatyouselectthe

correctdomainfromthedropdownmenu.

3 ClickLogin.

4 WhentheAccessStatusisReady,selectadesktopfromthelistandclickConnect.

Thedesktopisconnected.

Setting an Externally Resolvable Name on a Connection Server

IfVDMclientscannotdirectlyaccessaVDMConnectionServerbyusing

https://whereisthehostnameoftheVDMConnectionServer,youmustspecifyanexternallyresolvablenamefortheVDMConnectionServer.Ifthe

VDMConnectionServerisaccessedfromtheInternet,setthenametosomethingthat

resolvesontheInternet.Thisnamecanbesomethinglike

https://vdmservername.mycompany.com. Wheneverthissituationarises,youmustset

thenameforeachVDMConnectionServerthatisunresolvable.

Theprocessofsettingthenameisnotthesameforallinstallationtypes.Forstandard

orreplicainstallations,youcansetthenamebyusingtheAdministratoruserinterface.

Forasecurityserverinstallation,youmusteditorcreateafilewiththesettingsandsave

itonthesecurityserver.

To set the name on a standard or replica installation

1 OntheConfigurationpage,inVDMServers,selecttheVDMConnectionServerto

setthenamefor.

2 ClickEdit.

3 EnterthenameintheExternalURLfield.

4 ClickOK.

5 RestarttheVDMConnectionServerservicesothatthechangestakeeffect.Click

Start>AdministrativeTools>ServicesandselecttheVMwareVDMConnection

Serverfromthelistofservices.Iftheserviceisrunning,clickRestarttheservice.

Iftheserviceisnotrunning,clickStarttheservice.


To set the name on a security server installation


41/70

VMware, Inc. 41

y

1 Createoreditthepropertiesfile(locked.properties)sothatitcontainsentriesfor

theexternallyresolvablenameofthesecurityserver,theportnumberandthe

clientprotocol.

Thepropertiesfileisatextfile.Ifitalreadyexists,itislocatedatC:\Program

Files\VMware\VMwareVDM\Server\sslgateway\conf\locked.properties.

alwayssavethisfileinthesameplace,whetheritalreadyexistsornot.

Asanexample,ifthesecurityserversexternallyresolvablenameis

vdmservername.mycompany.com,theportnumberis443,andtheclientprotocol

ishttps,

you

use

atext

editor

to

edit

or

create

the

properties

file

with

the

following

entries:

clientHost=vdmservername.mycompany.com

clientPort=443

clientProtocol=https

Ifapropertiesfilealreadyexistscontainingentrieswiththesekeywords,replace

theentrieswithnewentriesfromthislist.

2 Savethefile.

3 RestarttheVDMSecurityServerservicesothatthechangestakeeffect.Click

Start>AdministrativeTools>ServicesandselecttheVMwareVDMSecurity

Serverfromthelistofservices.Iftheserviceisrunning,clickRestarttheservice.

Iftheserviceisnotrunning,clickStarttheservice.

VDM Administrator User Interface

TheVDMadministratoruserinterfaceiswhereyouperformalloftheconfiguration,

deployment,andadministrativetasksforVDM.TheInventory,Configuration,and

EventsbuttonsalwaysappearatthetopoftheAdministratoruserinterface.These

buttonsallowyoutonavigatetootherareasoftheinterfaceandperform

administrationand

configuration

tasks.

This

section

describes

the

pages

that

each

buttonopensandtheoptionsassociatedwiththem.

Whenyouclickabuttonintheadministratoruserinterfaceandyouselectatabonthe

pagethatopens,thebackgroundbecomeswhite.Tabsthatarenotselectedhavea

purplebackground.


Inventory Page


42/70

42 VMware, Inc.

e to y age

TheInventorypageopenswhenyoulogintotheVDMAdministratoruserinterface

(exceptthefirsttimeyoulogin,whentheConfigurationpageopens).TheInventory

pageiswhereyouaccessallofyourvirtualmachinesanddeployandmakechangesto

virtualdesktops.TheShowdropdownmenuallowsyoutochangebetweenthe

DesktopsandEntitledUsersandGroupsviews.

TheInventorypageallowsyoutosearchandfilterinformationaboutdesktops,virtual

machines,andactivesessionsandtoscrollbetweenpagesifmultiplepagesexist(each

pagecontains200objects).

DesktopsviewChooseamongtheDesktops,Virtual

Machines,orActive

Sessionstabs.OntheDesktopstab,youcanadd,edit,entitle,enable,disable,or

deletedesktopsordesktoppools.OntheVirtualMachinestab,youcanviewand

deletevirtualmachines.OntheActiveSessionstab,youcanview,disconnect,or

rebootactivesessions.

Youcanfiltertheinformationinthetablesthatareassociatedwitheachtab.You

canalsochoosewhichcolumnstofilterandsearchwhentheDesktopsviewis

selected.

DesktopstabFilterandsearchtheDesktopIDorTypecolumns.

VirtualMachinestabFilterandsearchtheVirtualMachineName,IP

Address,User,orStatuscolumns.

ActiveSessionstabFilterandsearchtheUserorDesktopcolumns.

Whenyou

are

in

the

Desktops

view,

you

can

choose

between

the

Inventory

and

Searchtabsontheleftsideofthepage.

InventoryAllofthedesktopsappearinalistonthattab.Selectingadesktop

fromthelistdisplaysinformationaboutthatdesktopontherightsideofthe

page.TherightsideofthepagealsodisplaystheSummary,Usersand

Groups,VirtualMachines,andActiveSessionstabs.

SearchTheSearchforDesktopsfieldappears.Youcanentersearchtextin

thisfieldtosearchfordesktops.YoucanusetheInthese

categoriescheck

boxestochoosethesearchcriteria.Selectingadesktopfromthelistdisplays

informationaboutthatdesktopontherightsideofthepage.Inaddition,the

rightsideofthepagedisplaystheSummary,UsersandGroups,Virtual

Machines,andActiveSessionstabs.


TheInventorypageusesadifferenticonsforeachtypeofdesktop.Individual


43/70

VMware, Inc. 43

desktopiconshaveasolidbordercontainingonebluesquare,persistentpool

desktopiconshaveasolidbordercontainingtwobluesquares,and

nonpersistent

pool

desktop

icons

have

a

dotted

border

containing

two

blue

squares.

EntitledUsersandGroupsview

IntheEntitledUsersandGroupsview,youcanchoosebetweentheEntitledUsers

andGroupsandActiveSessionstabs.Youcanviewtheentitledusersandgroups

forvirtualdesktopsorpoolsofdesktopsanddisconnectactivesessionshere.

Youcan

filter

the

information

in

the

tables

that

are

associated

with

each

tab.

You

canalsochoosewhichcolumnstofilterandsearchwhenthetabsintheEntitled

UsersandGroupsviewareselected:

OntheEntitledUsersandGroupstab,youcanchoosetofilterandsearchthe

DisplayNameorDomaincolumns.

OntheActiveSessionstab,youcanchoosetofilterandsearchtheUseror

Desktopcolumns.

WhenyouareintheEntitledUsersandGroupsview,youcanchoosebetweenthe

InventoryandSearchtabsontheleftsideoftheInventorypage.

WhenyouselecttheInventorytab,alloftheentitledusersandgroupsappear

inalistonthetab.Selectingauserorgroupfromthelistdisplaysinformation

aboutthatuserorgroupontherightsideofthepage.Inaddition,theright

sideofthepagedisplaysthreetabs:Summary,Desktops,andActive

Sessions.

WhenyouselecttheSearchtab,theSearchforDesktops:fielddisplays.Youcanenter

searchtextinthisfieldtosearchforusersorgroups.Youcanchoosethesearchcriteria

usingthecheckboxesinInthesecategories.

Configuration Page

TheConfigurationpageopenswhenyoulogintotheVDMAdministratoruserinterfaceforthefirsttime(beforeaddingyourlicenseinformation).Itisthesamepage

thatisopenedwhenyouclickConfiguration.TheConfigurationpagecontainsthe

followingfields:

AccessandSecuritySettingsEditlicenseserialnumberinformation.

VirtualCenterServersAdd,edit,ordeleteVirtualCenterserversforthe

connection

server

to

use.


44/70


3 InInthesecategories,selectDisplayName,DesktopID,Type,User,orVirtual

C t N t h th t t


45/70

VMware, Inc. 45

CenterNametosearchthatcategory.

4 ClickSearch.

To search columns in the Entitled Users and Groups Inventory view

1 OntheInventorypage,selectEntitledUsersandGroupsfromtheShowmenu.

2 IntheEntitledUsersandGroupsfield(ontherightsideofthepage),clickthe

EntitledUsersandGroupsorActiveSessionstab.

3 ClickthearrowafterContainsandselectthecolumnstosearchbyclickingthe

appropriatecheckboxes.

4 ClickDone.

5 EntersearchtextintothetextfieldandclickGo.

To search categories in the Entitled Users and Groups Search view:

1 OntheInventorypage,selectEntitledUsersandGroupsfromtheShowmenu.

2 IntheSearchfor

users

field(ontheleftsideofthepage),entersearchtext.

3 InInthesecategories,selectCommonname,GivenName,Description,Email,

DisplayName,orDomainNametosearchthatcategory.

4 ClickSearch.

Working with Active Sessions

Afteryouconnecttoavirtualdesktopordesktoppool,activesessionsareinthe

inventory.YoucanaccessactivesessionsontheInventorypage.

To view, disconnect, or reboot active sessions


2 InDesktops,clickActiveSessions.

Youcanviewtheuser,desktopID,DNSnameoftheVM,starttime,duration,and

serverstate(connectedordisconnected)foreachactivesession.

3 Clickanywhereinanactivesession.

TheDisconnectSessionandRestartVirtualMachineoptionsbecomeavailable.

4 ClickDisconnectSessionwanttodisconnecttheselectedactivesessionorclick

RestartVirtual

Machine

want

to

restart

the

active

session.


Global Configuration Settings


46/70

46 VMware, Inc.

VDMprovidesseveralglobalconfigurationsettingsthatallowyoutosetVDM

behavior,dependingonyourspecificrequirements.Table 31liststheglobal

configurationsettings.

Table 3-1. Global Configuration Settings

Option Description

Sessiontimeout(inminutes) Overallsessiontimelimitfromwhenauserlogsontotheconnectionservertowhenthesessionterminatesbecauseofinactivity.

RequireSSLforclientconnections IfRequireSSLforclientconnectionsisselected,HTTPSorHTTPisusedasthecommunicationprotocolbetweentheclientandtheVDMConnectionServer.

ChangestothissettingrequirethattheVDMConnectionServerberestartedtotakeeffect.

Directconnectiontovirtualdesktop

Ifselected,remotedesktopsessionsareestablisheddirectlybetweentheVDMClientandthedesktopvirtualmachine,bypassingtheVDMConnectionServer(inotherwords,theydonotusetunneledconnection).

TheinitialconnectionisstillmadetotheVDMConnectionServerforuserstoauthenticateandselectappropriatedesktopstheyareentitledto.

Thisoptionisappropriateonlyfordeploymentsinsideacorporatenetwork,becauseRDPtrafficissentunencryptedovertheconnectionbetweentheclientanddesktopvirtualmachine.

Thissettingisdisabledbydefault.

Changestothissettingtakeeffectforeachuseruponthenextlogin.


Table 3-1. Global Configuration Settings (Continued)


47/70

VMware, Inc. 47

To configure global settings

1 (Optional)InGlobalSettingsontheConfigurationtab,clickedit.

2 (Optional)Selectacommunicationsprotocol.

SelectSSLforSecurityServertoenableHTTPSasthecommunicationprotocol

betweentheclientandtheconnectionserver.Uncheckthecheckboxtoenable

HTTP.

3 (Optional)SelectDirectConnect

to

Virtual

Desktoptoenableconnections

directlyfromtheclienttothevirtualmachine.

4 (Optional)SelectUSBRedirectiontocausethenativeclienttodisableallUSB

functionality.

5 (Optional)SelectReauthenticateafternetworkinterruptiontoforceusersof

virtualdesktopstoreentertheirActiveDirectorycredentialsafteranetwork

interruption.6 ClickOK.

Viewing Events

VDMprovidesapageforviewingeventsforanindividualconnectionserver.Youcan

usetheinformationontheEventspagefordiagnosingproblemsorviewingactivityon

theserver.

USBredirection Ifselected,causesthenativeclienttodisableallUSB

functionalitywhenactivated.Changestothissettingtakeeffectforeachuseruponthenextdesktoplaunch.

Reauthenticateafternetworkinterruption

Ifselected,determineswhetherornotusercredentialsneedtobereauthenticated afteranetworkinterruption.Whenthissettingisselected,usersneedtoreentertheircredentialsandhavethemreauthenticated againstActiveDirectory.ThissettingisnotavailablewhentheDirect

connectiontovirtualdesktopsettingisselected.Ifthissettingenabled,theclientterminatesandtheusermustlogonagaintotheVDMConnectionServer(sessionremainsinDisconnectedstate).

RequiresarestartoftheVMwareVDMConnectionServertotakeeffect.

Option Description


To view events


48/70

48 VMware, Inc.

ClickEvents.

TheEventspageopensandliststhenameoftheserverfortheeventsthataredisplayed.

To search events

1 Clickthearrowaftercontainsandselectthecolumnstosearch(Messages,Time,

Type).

2 Fromthelist,choosethenumberofdaysofmessagestoshowintheEventstable.

3 ClickDone.

4 Entersearchtextinthetextbox.

5 ClickGo.

YoursearchresultsappearintheEventstable.Click(more)attheendofeach

messagetodisplaymoredetailsabouttheevent.

RSA SecurIDVDMsupportsRSASecurIDasanadditionalmethodforuserauthentication.RSA

SecurIDprovidesstrong,twofactorauthenticationwhenyouaccessvirtualdesktops,

inadditiontotheauthenticationprovidedwhenusingADcredentials.

IfyouareusingRSASecurID,youmustfirstenableitbyeditingyourVDMserver

settings.AfteryouinstalltheRSASecurIDsoftwareonyourVDMservers,youcanedit

RSAsettings

in

the

VDM

administrator

user

interface.

To enable or edit RSA SecurID

1 ClicktheConfigurationtab.

2 InVDMServers,clickEdit.

3 IntheRSASecurIDdialogbox,configurethedesiredRSAsettings:

EnabledenablesRSASecurIDauthenticationforendusersaccessingvirtualdesktops.

EnforceSecurIDandWindowsusernamematchingSecurIDchecksnames

againstWindowsusernamesanddeniesaccesstonamesthatdonotmatch.

ClearnodesecretreferstothenodesecretontheVDMAgent.

Formoreinformationaboutthissetting,seetheRSAAuthenticationManager

userdocumentation.


4 IntheUploadRSAauthentication agentconfigurationfile(sdconf.rec)field,

enterthelocationofthesdconf.recfileorclickBrowsetosearchforthefile.


49/70

VMware, Inc. 49

Formoreinformationaboutthesdconf.recfile,refertotheRSAAuthentication

Manageruserdocumentation.

5 ClickOK.

Deleting VDM Objects

YoucandeleteVDMobjects(VirtualCenter,VDMservers,anddesktops)byusingthe

administratoruserinterface.Youcanchoosetodeletetheobject.

To remove a VirtualCenter server from a VDM server

1 ClicktheConfigurationtab.

2 InVirtualCenterServers,clickRemove.

IfdesktopsareusingthisVirtualCenterserver,anerrormessagetellsyouthatyou

mustfirstdeletethedesktopsusingthisVirtualCenterbeforeyoucandeletethe

VirtualCenter.

IfnodesktopsareusingthisVirtualCenterserver,awarningmessagetellsyouthat

youcannolongeraccessvirtualmachinesmanagedbythisvirtualcenter.

3 ClickOK.

TheVirtualCenterserverisdeleted.

To delete a desktop from a VDM server


2 InAllDesktops,clicktheDesktopstab.

3 SelectthedesktoptodeleteandclickDelete.

Youaregiventheoptiontoremovethevirtualmachinesfromtheconnection

brokeronly,whichmeanstheyarestillvisibleinVirtualCenter,ortodeletethem

fromdisk,whichmeanstheyarenolongervisibleinVirtualCenter.

Ifthedesktophasactivesessionsforthedesktop,youaregiventheoptionto

disconnecttheusers,whichmeansuserslosetheirconnecteddesktops,ortoleave

theusersconnected,whichmeansusersdonotlosetheirconnecteddesktops.


To delete a virtual machine from a VDM desktop

1 Click the Inventory tab


50/70

50 VMware, Inc.


2 InAllDesktops,selecttheDesktopcontainingthevirtualmachinetodelete.

3 ClicktheVirtualMachinestab.

4 ClickDelete.

Youaregiventheoptiontoremovethevirtualmachinesfromtheconnection

brokeronly,whichmeanstheyarestillvisibleinVirtualCenter,ortodeletethem

fromdisk,whichmeanstheyarenolongervisibleinVirtualCenteranddeleted

from

the

datastore.Ifthedesktophasactivesessionsforthedesktop,youaregiventheoptionto

disconnecttheusers(ifremovefromtheconnectionbrokerischosen),which

meansuserslosetheirconnecteddesktops,ortoleavetheusersconnected,which

meansusersdonotlosetheirconnecteddesktops.

Installing SSL Certificates

TheVDMConnectionServerincludesaselfsignedSSLcertificatethatyoucanuseto

connectwithforthefirsttime.Thiscertificateisnottrustedbyclientsanddoesnothave

thecorrectnamefortheservice,butitdoesallowconnectivity.

Replacetheseinitialcertificateswithproperlyconstructedcertificatesfortheservice.

Thisremovesthecertificatecheckmessagesthatusersseeandallowsthinclientdevices

toconnect.

ThissectionprovidesthestepsforinstallingSSLcertificates.Toinstallcertificates,you

mustdothefollowing:

CreateasuitableCertificateSigningRequest(CSR).

SubmittherequesttoyourCertificateAuthority(CA)andreceivethenew

certificate.

ImportthecertificateintothekeystorefortheVDMConnectionServer.

ConfiguretheVDMConnectionServertousethisnewcertificate.


Creating the CSR

Deciding what name to bind to a CSR is an important consideration A certificate binds


51/70

VMware, Inc. 51

DecidingwhatnametobindtoaCSRisanimportantconsideration.Acertificatebinds

thenameoftheservicetoacryptographickeypairand,indoingso,assumes

ownershipoftheserviceandkeys.Theclientcantrusttheserver(anditscryptographickey)becausetheCAindependentlydeterminedthattheorganizationthatisclaiming

ownershiprequestedthekey.

ThemostimportantpartoftheCSRistheCommonName(CN)attribute.Usethename

theclientcomputerusestoconnecttotheVDMConnectionServer.Inasingleserver

environment,thenameistypicallythenameoftheserver.Ifloadbalancingisbeing

used,usetheloadbalancedname.

To create the CSR

1 UsingtheWindowscommandprompt,createanewkeystorecontaininga

publicprivatekeypair:

%JAVA_HOME%\bin\keytool -genkey -keyalg "RSA" -keystore keys.p12

-storetype pkcs12 -storepass secret -validity 360

2 Answerthe

following

questions:

Whatisyourfirstandlastname?

ThisistheCNattribute.Entertheservernameorloadbalancedname,for

example,server.vmware.com.

Whatisthenameofyourorganizational unit?

Thisisinformationaboutwhereinyourorganizationthisserverisbeing

deployed.YourCAmighthaverequirementsforcompletingthisfield.For

example,itmightrequirethecompanysdomainname(forinstance,

vmware.com).

Whatisthenameofyourorganization?

Thismightbeyourdepartmentorcompanyname.

What

is

the

name

of

your

City

or

Locality?

Enteryourlocationorleaveblank(Unknown).

WhatisthenameofyourStateorProvince?

Enteryourstateinformationorleaveblank(Unknown).

Whatisthetwolettercountrycodeforthisunit?

Enteryour

country

code

(GB,

for

example).


3 Confirmthefullname,enterYesandpressEnter.

The keys.p12 file is created in the current directory.


52/70

52 VMware, Inc.

Thekeys.p12fileiscreatedinthecurrentdirectory.

4 UsethefollowingkeypairtocreateaCSR:

%JAVA_HOME%\bin\keytool -certreq -keyalg "RSA" -file certificate.csr

-keystore keys.p12 -storetype pkcs12 -storepass secret

Thecertificate.csrfileiscreatedinthesamelocation.Thecontentsofthefile

looklikethefollowingexample:

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIBuDCCASECAQAweDELMAkGA1UEBhMCR0IxEDAOBgNV

BAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xFDASBgNVBAoTC1ZNd2FyZSBJbmMuMRMwEQYDVQQLEwp2bXdh

cmUuY29tMRowGAYDVQQDExFzZXJ2ZXIudm13YXJlLmNv

bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA85iM

2G4J695Nh3LfU0S7eAdXHG51MtRcfR397jj0sjFk2THO

T8Xkeue6pCAg0E9vsRSKiFZiMQLOTSkg0Vwd+bYDMzMx

Uam/baSq7z7JF8irTHXYB/1PXDWdykUI7jYSRVxhjbHm

XU8/2jEUL5DocLDLnygsUD2g7cUMYdz/HeECAwEAAaAA

MA0GCSqGSIb3DQEBBQUAA4GBALq2e5FWHQIE26J0lIdR

FLQqlsu78IsuGF19nvJSxrdnHFUpUvTaTA3auGsz+UJG/vdHqFt49oSIrIhd7NALLumBoOq4tEywvE3vq0ytUvIE

imJCKsAiAeyWZUydJps+zhVKKhiscgFh60AZp1bmTJgu

AeHnsPs7a1Q0JH6OZvdU

-----END NEW CERTIFICATE REQUEST-----

5 (Optional)Backupthekeys.p12 fileafterthecertificateisimportedintoitincase

youneedtorebuildtheconfigurationfortheserveratsomepoint.

To submit the CSR and import the certificate

1 ContactyourCAandprovidetherelevantinformationandacopyoftheCSR

generatedinTocreatetheCSRonpage 51.

2 RequestacertificateinPKCS#7format.

Fortestingpurposes,ThawteprovidesafreeCAat

https://www.thawte.com/cgi/server/try.exethatgeneratesa21daySSLcertificate

basedonanuntrustedroot.ThisisslightlybetterthanthegetyoustartedcertificatesuppliedwithVDMbecauseitnowusesthecorrectname.However,

clientsstillissuewarningsthattheserviceisnottrusted.

3 Copythecontentsofthegeneratedfileintoatexteditorandsaveitas

certificate.p7.


Thefilelookslikethefollowingexample:

-----BEGIN PKCS7-----


53/70

VMware, Inc. 53

MIIF+AYJKoZIhvcNAQcCoIIF6TCCBeUCAQExADALBgkqhkiG9w0BBwGgggXNMIID

LDCCApWgAwIBAgIQTpY7DsV1n1HeMGgMjMR2PzANBgkqhkiG9w0BAQUFADCBhzEL

...

i7coVx71/lCBOlFmx66NyKlZK5mObgvd2dlnsAP+nnStyhVHFIpKy3nsDO4JqrIg

EhCsdpikSpbtdo18jUubV6z1kQ71CrRQtbi/WtdqxQEEtgZCJO2lPoIWMQA=

-----END PKCS7-----

4 Importthecertificateintothekeystoreusingthefollowingcommand(changethe

passwordandreplacesecretwithanotherpassword):

%JAVA_HOME%\bin\keytool -import -keystore keys.p12 -storetype pkcs12

-storepass secret -keyalg "RSA" -trustcacerts -file certificate.p7

Thisoperationmightgeneratethefollowingmessage:

... is not trusted. Install reply anyway?

Ifthismessageisgenerated,itimpliesthattherootcertificategiventoyouisnot

trustedbyJavabecauseitisatestcertificateandnotforproductionuse(inother

words,youreceivethismessageifyouusethetestCAreferencedabove).Installing

thiscertificateisallowedbutmightnotprovideabetteruserexperiencethanthegetyoustartedcertificate.

To configure the VDM Connection Server to use the certificate

1 PlaceanewcertificatefileinthefollowinglocationoneachVDMConnection

Server(standard,replica,orsecurityserver):

C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf

2 Create(oredit)thefollowingfileoneachserver:

C:\ProgramFiles\VMware\VMwareVDM\Server\sslgateway\conf\

locked.properties

3 Addthefollowingproperties:

keyfile=keys.p12

keypass=secret

Thischangesthevaluesasneededtomatchwhatyoucreatedinthepreviousstep.

4 RestarttheVDMservice.


AssumingyourenvironmentisconfiguredtouseSSL,alogmessagelikethe

followingappears:


54/70

54 VMware, Inc.

13:57:40,676 INFO [NetHandler] Using SSL certificate store:

keys.p12 with password of 6 characters

Thismessageindicatesthattheconfigurationisinuse.

VDM Load Balancing

WhenyousetupandconfigureserversforVDM,loadbalancingisanimportantdesign

consideration.Loadbalancingprovidesthehighestlevelofscalabilityandhelpsavoid

anysingle

points

of

failure.

Load

balancing

addresses

the

scaling

and

fault

tolerance

of

yourVDMsolution.

TheVDMConnectionServeristhecorecomponentofVDM.YoucandeploytheVDM

ConnectionServeraseitheraconnectionserverorasasecurityserver.VDM

ConnectionServersprovidesessionmanagementandhandleallincomingclient

requestsanddirectthemtotheappropriatevirtualdesktopsession.TheVDMSecurity

ServersensuresecurecommunicationbetweentheclientdevicesandtheVDM

ConnectionServers.

Youmightalreadyhaveanexistingloadbalancingsolutioninplace supporting

currentbusinessapplicationsandservices.Youcanleverageexistingloadbalancing

servicescanbecausetheloadthatVDMusesontheloadbalancinginfrastructureis

minimal.Inadditiontotypicalhardwarebasedloadbalancingappliances,inexpensive

(orfree)softwarebasedproductscanalsobeconsideredaspossibleloadbalancing

solutions.

YoucandeployloadbalancingwhetheryouareusingaDMZdeploymentwithsecurity

serversdeployedinsideaDMZ,oranonsecurityserverdeploymentwithendusers

connectingdirectlytoVDMConnectionServers.Forinformationaboutloadbalancing

insideaDMZdeployment,seeLoadBalancinginaDMZDeploymentonpage 59.

Load Balancing in a Non-DMZ Deployment

Insome

cases,

such

as

LAN

based

deployments,

users

can

connect

directly

to

VDM

ConnectionServers.Inthiscase,noVDMSecurityServersaredeployed.Youcanuse

tunneledornontunneleddeploymentavailableforLANbasedconnections.When

tunnelingisenabled,allVDMtrafficisencryptedandtunneledthroughaVDM

ConnectionServer.Whentunnelingisnotenabled,sessiontrafficisnotroutedthrough

theVDMConnectionServersandthereforeisnotSSLencrypted.Afteraclient

connectstothevirtualdesktopthatituses,allcommunicationisbetweentheclientand

thevirtualdesktop.


Session Setup and Load Balancing

Toconfigureloadbalancing,itisimportanttounderstandhowsessionsaresetupand


55/70

VMware, Inc. 55

g g p p

howconnectioninformationpassesbetweentheclientandtheconnectionservers.

TheinitialHTTP/HTTPSTCPsessionisestablishedbetweentheclientandVDM

SecurityServerorVDMConnectionServer.Theuserisauthenticatedduringtheinitial

connection.Ifauthenticationissuccessful,controlinformationisreturnedtotheclient.

Thecontrolinformationincludesalistofvirtualdesktopsthattheuserisentitledto

connecttoandthefullyqualifieddomainname(FQDN)oftheVDMConnectionServer

orVDMSecurityServer.

Afterthe

client

receives

connection

information,

it

initiates

asecond

TCP

session

for

the

tunneltotheFQDNreceived(theFQDNoftheconnectionserver)duringtheinitial

connection.ThesecondTCPsessionisanSSLtunnelbetweentheclientandthesecurity

serverorVDMConnectionServer.AfterthisTCPsessionstarts,theRDPclientonthe

clientmachineconnectstothelocalhostlistenerandtrafficisroutedthroughthetunnel

tothesecurityserverandthenontothevirtualdesktop.

TheVDMsecureconnectionisusedforcommunicationinanRDPsession.Whena

clientis

ready

to

establish

an

RDP

session

with

the

selected

virtual

desktop,

the

client

startsalocalTCPlistener.Afteritisstarted,aTCPsessionisestablishedbetweenthe

VDMConnectionServerandthevirtualdesktoprunningontheESXserver.TheRDP

clientontheclientmachinethenconnectstothelocalhost,andcommunicationis

handledbyusingtheVDMsecureconnectionpreviouslyestablished.

Inaloadbalancedconfiguration,whenaclientestablishesaTCPsession,theTCP

sessioncanbeestablishedwithdifferenthosts.Forexample,theclientsfirstconnection

fromtheclienttotheloadbalancermightbetoaglobalDNSnamesuchashttps://vdiyourcompany.com.Theloadbalancinginfrastructurethenforwardsthe

requesttohttps://vdm1.example.com,oneoftheserversintheVDMSecurityServer

farm.Youcanuseoneofseveralcommonloadbalancingmethods(proxy,httpredirect,

NLBcluster,roundrobinDNS,andsoforth)todecidewhichVDMserveristohandle

thesession

AftertheVDMclientauthenticateswiththeVDMserver,itreceivesspecific

instructionstoconnectdirectlytohttps://vdm1.example.comandestablishanSSLtunnel.


DNS Requirements for a Load Balanced Solution

Regardlessoftheloadbalancingmechanismorsolutionyouuse,aclientmustbeable


56/70

56 VMware, Inc.

toconnectwitheachVDMserverbyitsFQDNdirectly.Theclientmustbypasstheload

balancingaltogether.IncaseswhereVDMSecurityServersaredeployedinsidetheDMZorwhenVDMConnectionServersareaccessedfromalocalareanetwork,all

serversshouldhavevalidDNSnames.

TheloadbalancermakestheinitialdecisionaboutwhichVDMConnectionServeristo

handletheclientsessionbydirectingthefirstTCPsessiontothechosenVDM

ConnectionServer.Thesecuretunnelconnectionismadedirectlyfromtheclienttothe

VDMConnectionServerandasaresultdoesnotusetheloadbalancinginfrastructure

forthisconnection,whichcarriesthebulkofnetworktrafficbetweenclientandserver.

Load Balancing Solution

Youcantakeseveralapproacheswhenyouimplementaloadbalancingsolutionfor

VDMservers.Forexample,roundrobinDNS,whiletechnicallythemostsimpleload

balancingsolutiontoimplement,hasasignificantdisadvantagefromafailover

perspective.

If

one

of

the

servers

fails,

it

must

be

removed

from

the

DNS

list

of

records

correspondingtotheloadbalanceddomainname.Anotherissuewitharoundrobin

DNSapproachisintheremoteaccessusecasewhereVDMclientsareaccessingtheir

virtualdesktopsacrosstheInternet,throughtheVDMSecurityServers.Inthiscase,the

responsesofthemasterDNSserverarecachedinupstreamDNSservers.Itcantake

severalhoursforaremovedDNSnametobereplicatedtoallInternetDNSservers.If

aserverisoutofservice,clientconnectionscanfailiftheyaredirectedtothatserver

duringthetimeittakesforthecachedrecordtoexpireacrosstheInternetDNSservers.

Supportforaredundancyandfailovermechanism,typicallyatthenetworklevel,

preventstheloadbalancerfrombecomingasinglepointoffailure.Forexample,using

theVirtualRouterRedundancyProtocol(VRRP)tocommunicatewiththeload

balanceraddsredundancyandfailover.Ifthemainloadbalancerfails,anotherload

balancerinthegroupautomaticallystartshandlingconnections.

Toprovideadegreeoffaulttolerance,aloadbalancingsolutionmustbeabletoremove

failedVDM

server

nodes

from

the

load

balanced

group.

The

way

in

which

failed

nodes

aredetectedvariesfromsolutiontosolution.Regardlessofthemethodusedtoremove

orblacklistanunresponsiveVDMserver,thesolutionmustensurethatnewincoming

sessionsarenotdirectedtotheunresponsiveserver.

IfaVDMserverfailsorbecomesunresponsiveduringanactivesession,usersdonot

losedataanddesktopstatesarepreservedinthevirtualdesktop.Whenusersr

how to use vmware - part 1

Documents