7/21/2019 Vdm20 Intro
1/32
Introduction to Virtual Desktop Manager
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
You can find the most up-to-date technical documentation on our Web site at
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, and 7,290,253; patents pending.
VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Introduction to Virtual Desktop Manager
Revision: 20080527 Item: VDM-ENG-Q108-451
Contents
Introduction to Virtual Desktop Manager 3
Introduction 3
Features 4
VDM Overview 5
VDM User Authentication 9
VDM Extended USB Device Redirection 11
VDM Secure Access 12
VDM Virtual Desktop Pool Management 13
VDM High Availability and Scalability 15
VDM Connection Server DMZ Deployment 17
VDM Connection Server Components 21
VDM Broker 22
VDM Secure Gateway Server 22
VDM LDAP 23
VDM Messaging 24
VDM Security Server 24
Glossary 27
Introduction to Virtual Desktop Manager
VMware Virtual Desktop Manager 2 (VDM) is a key component in the VMware Virtual Desktop Infrastructure (VDI) solution. VDM is an enterprise class virtual desktop manager that securely connects authorized users to centralized virtual desktops. It works with VMware Virtual Infrastructure 3 to provide a complete, end to end VDI solution that improves control and manageability and provides a familiar desktop experience.
The benefits of VDI with VDM include the following:

Control and manageability in a single product: Administrators can more easily provision, manage, and maintain desktops because the desktops are running in the datacenter.

Familiar end user experience: Users get flexible access to a personalized, virtual desktop that behaves just like their PC desktops.

VMware Infrastructure 3 integration: VDI extends the benefits of VMware Infrastructure 3 to the desktop by leveraging the backup, failover, and disaster recovery capabilities of VMware Infrastructure 3.

Lower total cost of ownership (TCO): By reducing administration and energy costs and extending the useful life of PCs, VDI delivers lower TCO.
Features
The features of VDM in VDI include the following:

Enterprise class connection brokering: VDM manages the connections between users and their virtual desktops. When users log in to VDM, the virtual desktops they are authorized to access appear. After connecting to a virtual desktop, users access their applications as if the applications are running locally.

USB client device support: USB devices can be locally connected to clients and accessed through a virtual desktop.

Web based management user interface: A Web based management console allows virtual desktops to be managed from any location.

Smart pooling capabilities: A range of persistent and nonpersistent pooling capabilities simplifies the provisioning and management of centralized desktops.

Secure access: Optional secure encapsulation capabilities allow all network connections to be encrypted.

Integration with Microsoft Active Directory: Connection to Active Directory, which allows you to locate user and user group accounts and use the authentication features in Active Directory to control which users can access virtual desktops.

Support for two factor authentication: With RSA SecurID, access control is strengthened.

Seamless integration with VMware Virtual Infrastructure 3: Works closely with VMware VirtualCenter to provide advanced virtual desktop management capabilities, such as automatic suspend and resume, which reduces the memory and processing power required to host virtual desktops. By leveraging the capabilities of VMware Virtual Infrastructure 3, desktops can run even when server hardware fails and recover quickly from unplanned outages without duplicate hardware.

Flexible deployment options: Critical components can be deployed in a variety of configurations and to different parts of the network, which improves security, scalability, and reliability. Multiple VirtualCenter servers are supported, and VDM can scale horizontally to support many virtual desktops.

High availability: Servers can be clustered for high availability and scalability with automatic failover. These servers can also leverage industry standard load balancing solutions.
VDM Overview
VDM includes the following key components:

VDM Connection Server
VDM Agent
VDM Client
VDM Web Access
VDM Administrator
Figure 1 shows the physical topology of a VDI infrastructure with VDM and shows the relationship between the main VDM components.
Figure 1. Physical Topology of VMware VDI Infrastructure with VDM
[Figure 1 labels: ESX Server hosts running Virtual Desktop VMs; VDM Connection Server; VDM Administrator (browser); VirtualCenter Management Server; Microsoft Active Directory; clients on the network: Windows VDM Client, Mac VDM Web Access, Linux VDM Web Access, Thin Client; each ESX Server host runs virtual desktop VMs, and each virtual machine contains a desktop OS, applications, and the VDM Agent.]
VDM Connection Server
This component is the VDI connection broker that manages secure access to virtual desktops and works with VirtualCenter to provide advanced management capabilities. It is installed on a Microsoft Windows Server 2003 server that is part of an Active Directory domain.

VDM Connection Server is installed as one of the following instances:

Standard: This instance appears in Figure 1. It provides standalone functionality and is used as the only VDM Connection Server (or the first of a group of VDM Connection Servers that act as part of a high availability, fully replicated group).

Replica: This instance is installed as a second or subsequent VDM server in a high availability group. Configuration data is initialized from an existing VDM server and is automatically replicated between VDM group members.

Security Server: This instance implements a subset of the VDM Connection Server functionality and is used in a demilitarized zone (DMZ) deployment. A VDM Security Server does not need to be in an Active Directory domain. The Standard and Replica instances automatically include the Security Server functionality.

The instance type is selected during VDM Connection Server installation.

High availability and DMZ deployments of VDM Connection Server using Replica and Security Server instances are described in VDM Connection Server DMZ Deployment.

Configuration data is stored in an embedded LDAP directory on each Standard and Replica instance.
VDM Agent
This component runs on each virtual desktop and is used for session management and single sign on. With VDM Client, this component supports optional USB device redirection. This agent can be installed on a virtual machine template so that virtual desktops created from that template automatically include the VDM Agent.

Place virtual desktops in an Active Directory domain that is one of the following:

The same domain to which the VDM Connection Servers are joined
A domain with a trust agreement with the VDM Connection Server domain

When users connect to their virtual desktops, they are automatically logged in using the same credentials they use to log in to their domain. The single sign on capability can be disabled in VDM Agent, which means that users are always required to log on to the virtual desktop manually. If the virtual desktop is not part of a domain or is part of a domain with which no trust agreement exists, single sign on is not available, and the user must manually log in to the virtual desktop.
VDM Client
This component runs on a Windows PC as a native Windows application and allows users to connect to their virtual desktops through VDM. This component connects to a VDM Connection Server and allows the user to log on using any of the supported authentication mechanisms. After logging in, users can select from the list of virtual desktops for which they are authorized. This step provides remote access to their virtual desktop and provides users with a familiar desktop experience.

VDM Client also works closely with VDM Agent to provide enhanced USB support. Basic USB support (such as USB drives and USB printers) is supported without VDM USB support, but VDM extends this support to include additional USB devices. You can specify VDM USB support in VDM Client during the installation.
VDM Web Access
This component is similar to VDM Client but provides a VDM user interface through a Web browser. VDM Web Access is included automatically during the VDM Connection Server installation. VDM Web Access is supported on Linux and Mac OS/X, but this Web access does not support VDM USB extensions. All necessary VDM software is installed automatically on the client through the Web browser. VDM Web Access on Linux uses rdesktop and on Mac OS/X uses Microsoft Remote Desktop Connection Client for Mac.
VDM Web Access can also be used on a Windows client with VDM Client. A user obtains the required software on their client device by accessing a VDM Connection Server with a Web browser. If the VDM Client software is installed with USB support by a user with administrative rights, VDM Web Access on Windows has complete VDM USB support.
VDM Administrator
This component provides VDM administration through a Web browser. It is used by VDM administrators to do the following:

Make configuration settings
Manage virtual desktops and entitlements of desktops of Windows users and groups

VDM Administrator also provides an interface to monitor log events on a VDM Server and is installed with VDM Connection Server. For more information about the VDM Connection Server components and their relationship with other VDM components, see VDM Connection Server Components.
VDM User Authentication
Users need to log in to VDM first in order to prove their identity and to gain access to their virtual desktops. Normally, they do this by entering their Windows credentials at the login prompt.

As an added level of security, VDM can be configured to require RSA SecurID authentication. This requires the use of a SecurID token for each user. As part of the login process, users must enter their SecurID usernames together with their SecurID PINs and token codes. After successful verification of the SecurID details entered, users are prompted for their Windows credentials.
Active Directory Authentication
Each VDM Connection Server must be joined to an Active Directory domain. This allows user authentication for VDM against Active Directory for the joined domain and for additional user domains with which a trust agreement exists. For example, if VDM Connection Server is a member of Domain A, and a trust agreement exists between Domain A and Domain B, users from either domain can log in to VDM.
By authenticating users against an existing Active Directory, an organization can simplify the operational management of VDM by ensuring that the management of user accounts is handled in one place. If a user account is disabled in Active Directory, that user cannot log in to VDM. Policies, such as restricting permitted hours of login and the expiration date for passwords, are also handled through existing Active Directory operational procedures.
RSA SecurID Authentication
VDM is certified through the RSA SecurID Ready program to operate with RSA SecurID authentication technology. Individual VDM Connection Servers can be enabled for RSA SecurID authentication. Users who access a VDM Connection Server that is enabled for RSA SecurID authentication are prompted for their RSA SecurID usernames and passcodes (PINs and token codes). After authenticating against an RSA Authentication Manager, users can continue to log in.

Using RSA SecurID provides enhanced security with two factor authentication. This requires knowledge of the user's PIN and token code, which is only available on the physical SecurID token. As required for RSA SecurID certification, VDM supports the full range of SecurID capabilities, including New PIN Mode, Next Token Code Mode, RSA Authentication Manager load balancing, and so on.
Figure 2 shows the physical topology diagram for VDM with an additional server used to authenticate RSA SecurID users. The RSA Authentication Manager is shown as a single server, but for high availability deployments, you need multiple servers.

Figure 2. VDM RSA SecurID Authentication with RSA Authentication Manager

When users enter their RSA SecurID credentials, VDM Connection Server communicates with RSA Authentication Manager to verify the information. After the credentials are verified, VDM Connection Server requests Active Directory domain credentials from the user and communicates with Active Directory to continue the authentication process.
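The following is an added example, not VMware's code, that models the two-stage login just described: the broker checks the SecurID username and passcode (PIN plus token code) against an RSA Authentication Manager first, and only then asks for Windows credentials, which it checks against Active Directory for the joined domain and its trusted domains. Both directories are constructed in-memory stubs; every user, domain, PIN, token code and password here is made up, and the function and class names are this example's own.

```python
"""Two-stage VDM style login: RSA SecurID, then Active Directory.

Added example with constructed stub directories; not VMware code.
"""
from dataclasses import dataclass, field
import hmac

# Constructed stub of an RSA Authentication Manager:
# SecurID username -> (PIN, current token code). A real token code changes
# every minute; it is fixed here so the example is deterministic.
RSA_USERS = {"alice": ("4821", "159753")}


def rsa_verify(username, passcode):
    """A passcode is the PIN followed by the token code, checked as one string."""
    rec = RSA_USERS.get(username)
    if rec is None:
        return False
    expected = rec[0] + rec[1]
    return hmac.compare_digest(expected.encode(), passcode.encode())  # constant time


# Constructed stub of Active Directory: the joined domain (DOMAINA) plus a
# trusted domain (DOMAINB). Accounts carry an enabled flag, because a
# disabled account must not be able to log in to VDM.
AD_ACCOUNTS = {
    ("DOMAINA", "alice"): {"password": "Winter2008!", "enabled": True},
    ("DOMAINB", "bob"): {"password": "Spring2008!", "enabled": False},
}
TRUSTED_DOMAINS = {"DOMAINA", "DOMAINB"}


def ad_verify(domain, username, password):
    if domain.upper() not in TRUSTED_DOMAINS:   # no trust agreement: cannot log in
        return False
    acct = AD_ACCOUNTS.get((domain.upper(), username))
    if acct is None or not acct["enabled"]:
        return False
    return hmac.compare_digest(acct["password"].encode(), password.encode())


@dataclass
class LoginSession:
    """State of one user's login attempt at the broker."""
    securid_ok: bool = False
    authenticated: bool = False
    log: list = field(default_factory=list)

    def submit_securid(self, username, passcode):
        if rsa_verify(username, passcode):
            self.securid_ok = True
            self.log.append("securid ok; prompting for Windows credentials")
        else:
            self.log.append("securid rejected")
        return self.securid_ok

    def submit_windows(self, domain, username, password):
        # Windows credentials are neither requested nor accepted before the
        # SecurID stage has passed.
        if not self.securid_ok:
            self.log.append("windows credentials refused: securid stage not passed")
            return False
        if ad_verify(domain, username, password):
            self.authenticated = True
            self.log.append("active directory ok; user authenticated")
        else:
            self.log.append("active directory rejected")
        return self.authenticated


def run_login(securid_user, passcode, domain, win_user, password):
    """Drive a complete login; return (authenticated, log lines)."""
    session = LoginSession()
    if session.submit_securid(securid_user, passcode):
        session.submit_windows(domain, win_user, password)
    return session.authenticated, session.log


if __name__ == "__main__":
    ok, log = run_login("alice", "4821159753", "DOMAINA", "alice", "Winter2008!")
    print(ok, log)
```

The ordering is the point: a wrong passcode never reaches Active Directory, so SecurID also shields the directory from password guessing, and the disabled and untrusted-domain cases show why account state is managed in one place.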
VDM Extended USB Device Redirection
VDM allows the redirection of a variety of locally attached USB devices for software that runs on a user's virtual desktop. Suitable devices, when attached, can be selected from a dynamic dropdown menu in VDM Client. Devices attached after the virtual desktop session starts will appear in the menu and are available for redirection after being initialized.
[Figure 2 labels: ESX Server hosts running Virtual Desktop virtual machines; VirtualCenter Management Server; Microsoft Active Directory; VDM Connection Server; network; Client; VDM Administrator; RSA Authentication Manager.]
Some devices, such as printers, local USB flash drives, and smart cards, can be forwarded to the virtual desktop using standard Microsoft Remote Desktop Protocol (RDP). But VDM Client USB redirection extends the range of usable devices and the functionality of some devices beyond that provided by RDP. For example, sound can be brought to the local machine using RDP, but disabling this feature and using VDM USB redirection allows you to use VoIP devices.

VDM USB redirection is initiated after the user is authenticated. Because of this, smart card forwarding is limited to RDP functionality so that smart cards can be used to authenticate the virtual desktop session. As a result, these devices do not appear in the VDM Client devices menu. Human interface devices (HIDs), such as a keyboard or a mouse, are also filtered from the USB device list because these devices are required locally and function without being forwarded or redirected.

RDP forwarding and VDM USB redirection can be governed through Active Directory Group Policy and VDM Administrator. Using VDM USB redirection requires VDM Client, VDM Agent, and the user to have administration rights on the VDM Client and the VDM Agent operating systems.
VDM Secure Access
VDM Connection Server with VDM Client and VDM Web Access provides security for the desktop protocols between the client device and the VDM Connection Server. VDM encapsulates all protocols, such as the extended RDP, in an HTTPS connection, which offers the following advantages:

The RDP protocol is tunneled through HTTPS and is encrypted using SSL: This is a powerful security protocol and is consistent with the security provided by other secure Web sites like those used for online banking, credit card payments, and so on.

One HTTPS connection is used for all client server communication: Multiple desktop connections are multiplexed over this HTTPS connection, which reduces the overall protocol overheads.

VDM controls both ends of this HTTPS connection, so the reliability of the underlying protocols is significantly improved: If a user temporarily loses a network connection, after it is restored, the HTTPS connection is reestablished and the RDP connections automatically resume without having to reconnect and log in again.
VDM is accessed using standard Web protocols, so it can be easily accessed through corporate proxies: In a standard deployment of just VDM Connection Servers, the HTTPS secure connection terminates at the VDM Connection Server and, in a DMZ deployment, at the VDM Security Server. See VDM Connection Server DMZ Deployment.

VDM Connection Server can be configured to not use a secure connection, so that RDP communication is direct from the client device to the virtual desktop.
VDM Virtual Desktop Pool Management
VDM includes integrated virtual desktop pool management capabilities that leverage the control provided by VirtualCenter to provision and manage the virtual desktops. VDM provides the following types of desktops:

Individual desktops: These are existing virtual desktops that are available through VDM. The pool manager can control the power state of these virtual desktops.

Persistent desktop pool: This type is a pool of virtual desktops whose lifecycle and power state is controlled by the pool manager. Persistent virtual desktops are assigned to their user on the first use, so the user returns each time to the same virtual desktop. This type of pool is used when users want to customize their desktops by installing additional applications and storing local data.

Nonpersistent desktop pool: Similar to a persistent desktop pool, except in this case the virtual desktops are not permanently assigned to users. When a session is finished, the virtual desktop is returned to the pool and made available for other users. By deleting the virtual desktops after each use, this type of pool ensures that each user receives a newly provisioned virtual desktop each time the user connects (optional). Use this type of pool where a clean machine is needed for each user session or in highly controlled environments that have no requirement for customization to be stored on the virtual desktop.
The two types of desktop pool are sized using the following parameters:

Minimum: The minimum number of virtual desktops to be created when the pool is first created. The pool manager continues to create virtual desktops until this minimum count is reached. This process ensures that a pool is appropriately sized when a user population is moved to VDM.

Maximum: The maximum number of virtual desktops that can exist in the pool. Use this parameter to limit the number of virtual desktops in the pool to avoid overusing available resources.

Available: The number of virtual desktops that are available for immediate use. For persistent pools, this parameter relates only to the unassigned virtual desktops. This is used to ensure that the pool manager creates enough virtual desktops in advance to cope with demand. Use a higher number for more volatile environments.

When a pool contains too few virtual desktops, the manager provisions new virtual desktops from a designated template. These virtual desktops can also be automatically customized (for example, named and become part of an Active Directory domain) or be left for an administrator to manually configure.

Power management is applied to all virtual desktops under VDM control, and the following policies are supported:

Remain on: After being started, VDM does not power the machine down. If a virtual desktop is powered down, for example using the VirtualCenter client, VDM automatically starts it when it is needed.

Always powered on: VDM ensures that any virtual desktop with this policy applied is powered on all the time. If a virtual desktop is powered down, VDM immediately powers it up again.

Suspend when not in use: If a virtual desktop is not required, it is suspended. This policy is applied to individual and assigned persistent virtual desktops when the user logs off. It is also applied to nonpersistent virtual desktops when there are too many available virtual desktops. For example, this can be triggered by a virtual desktop being returned to the pool when a user logs out.
Power off when not in use: If a virtual desktop is not required, it is powered off. This is just like the Suspend when not in use policy, except that the virtual desktop is completely powered off.

VDM supports individual and pooled desktops on multiple VirtualCenter instances. A pool cannot span VirtualCenters, but VDM can manage multiple pools across multiple VirtualCenters. VDM limits the number of provisioning and power operations that can be concurrently active for each VirtualCenter to ensure that the rate of operations is not excessive. These limits are applied across all pools and desktops for each VirtualCenter. In a multibroker environment, the VDM Connection Servers cooperate with each other to enforce these limits and to perform the pool management operations.
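As an added example (not VMware's pool manager), the simulation below ties together the Minimum, Maximum and Available parameters, the Suspend when not in use policy for nonpersistent pools, and the per VirtualCenter cap on concurrent operations, modelled here as an operation budget handed to each reconciliation pass. The pool names, counts and the `reconcile`, `assign` and `release` helpers are this example's own assumptions.

```python
"""Pool sizing and power policy simulation (added example, not VMware code)."""
from dataclasses import dataclass, field


@dataclass
class Pool:
    name: str
    minimum: int          # desktops created when the pool is first created
    maximum: int          # hard cap on desktops in the pool
    available: int        # unassigned, powered-on desktops to keep ready
    persistent: bool
    desktops: dict = field(default_factory=dict)   # name -> {"assigned", "state"}
    counter: int = 0

    def unassigned(self):
        return [n for n, d in self.desktops.items() if d["assigned"] is None]

    def ready(self):
        """Unassigned desktops that are powered on, i.e. usable immediately."""
        return [n for n in self.unassigned() if self.desktops[n]["state"] == "poweredOn"]

    def provision_one(self):
        """Stand-in for cloning from the pool's designated template."""
        self.counter += 1
        name = f"{self.name}-{self.counter:03d}"
        self.desktops[name] = {"assigned": None, "state": "poweredOn"}
        return name


def reconcile(pool, op_budget):
    """One pool manager pass.

    op_budget is the share of the VirtualCenter concurrency limit this pass
    may spend on provision, resume and suspend operations. Returns the list
    of operations issued and the unspent budget, so a caller can run several
    pools against one VirtualCenter limit.
    """
    ops = []
    # 1. Provision while below Minimum or short of Available, never past Maximum.
    while op_budget > 0:
        need = max(pool.minimum - len(pool.desktops),
                   pool.available - len(pool.unassigned()), 0)
        if need == 0 or len(pool.desktops) >= pool.maximum:
            break
        ops.append(("provision", pool.provision_one()))
        op_budget -= 1
    # 2. Resume suspended unassigned desktops until Available are ready.
    for name in pool.unassigned():
        if op_budget == 0 or len(pool.ready()) >= pool.available:
            break
        if pool.desktops[name]["state"] == "suspended":
            pool.desktops[name]["state"] = "poweredOn"
            ops.append(("resume", name))
            op_budget -= 1
    # 3. Nonpersistent pools: "too many available" desktops are suspended.
    if not pool.persistent:
        for name in pool.ready()[pool.available:]:
            if op_budget == 0:
                break
            pool.desktops[name]["state"] = "suspended"
            ops.append(("suspend", name))
            op_budget -= 1
    return ops, op_budget


def assign(pool, user):
    """Hand out a ready desktop first, else resume a suspended one."""
    for name in sorted(pool.unassigned(),
                       key=lambda n: pool.desktops[n]["state"] != "poweredOn"):
        pool.desktops[name]["assigned"] = user
        pool.desktops[name]["state"] = "poweredOn"
        return name
    return None


def release(pool, name):
    """User logs off: persistent desktops stay assigned and are suspended;
    nonpersistent desktops go back to the pool for other users."""
    if pool.persistent:
        pool.desktops[name]["state"] = "suspended"
    else:
        pool.desktops[name]["assigned"] = None


if __name__ == "__main__":
    p = Pool("npool", minimum=3, maximum=5, available=1, persistent=False)
    print(reconcile(p, op_budget=10))
    print(assign(p, "user1"), reconcile(p, op_budget=10))
```

Running the nonpersistent pool shows the interplay: the first pass provisions to Minimum and immediately suspends everything beyond Available, and after a desktop is handed out the next pass resumes one so that Available stays satisfied, while a small budget stops a pass partway through exactly as the per VirtualCenter limit would.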
VDM High Availability and Scalability
To support high availability and scalability requirements, VDM Connection Server can be deployed using multiple VDM Connection Servers. The first VDM Connection Server to be deployed is installed as a Standard instance. In this case, a new instance of the LDAP directory is installed and the VDM Connection Server supports full functionality using its local LDAP directory. To extend the environment, a second server can be installed as a Replica instance. During this installation, the user references an existing VDM Connection Server and the Replica instance is joined to the Standard instance to form a VDM Connection Server group. The LDAP VDM configuration data from the Standard instance is copied to the Replica instance. A two way replication agreement is established so that VDM configuration changes on either server are automatically and immediately made on the other.

Both servers offer identical functionality and in the event of server failure, the other server can continue to operate alone. When the failed server resumes, any changed LDAP VDM configuration data is reflected on the resumed server so that both servers remain up to date. Adding a third and subsequent VDM Connection Servers to the group is done by installing additional Replica instances. During the Replica instance installation, the user can reference any existing group member to join the new server to the group.

After installation, no differences exist between a Replica instance and a Standard instance. If the first Standard instance is decommissioned, additional Replicas can be added to the group by referencing any active VDM Connection Server in the group. All VDM configuration data can be backed up by backing up the LDAP directory instance.
Figure 3 shows two VDM Connection Servers operating as a group. To automatically use both VDM Connection Servers and support high availability and scalability needs, deploy load balancing. This ensures that load is balanced evenly across the available VDM Connection Servers and that failed servers are automatically avoided. VDM Connection Server does not provide load balancing functionality but works with standard third party load balancing solutions.

Figure 3. Multiple VDM Connection Servers
[Figure 3 labels: VirtualCenter Management Server; Microsoft Active Directory; VDM Connection Servers behind load balancing; network; Client; ESX Server hosts running Virtual Desktop virtual machines.]
The load balancing requirements for VDM Connection Server are to support standard HTTP and HTTPS load balancing with session affinity. Load balancing solutions for VDM Connection Server can include Microsoft Network Load Balancing (NLB), standard hardware based load balancers, or virtual appliance load balancers that can operate on ESX Server.

Users in a load balanced VDM Connection Server environment use a load balanced URL to make the connection. This is an alias URL used by the load balancer to direct the connection to any of the available VDM Connection Servers in the group.
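To make the session affinity requirement concrete, here is an added example (not VMware's code, nor any load balancer product's) of a cookie based affinity balancer in front of a Connection Server group: a client's first request goes to the least loaded healthy server and receives an affinity cookie, later requests carrying that cookie return to the same server, and a failed server is avoided by re-pinning the client. The server names, the cookie name `vdm_affinity` and the keyed cookie tag are this example's assumptions.

```python
"""HTTP(S) load balancing with session affinity (added example, not VMware code)."""
import hashlib
import hmac
import secrets

COOKIE = "vdm_affinity"            # assumed cookie name
SECRET = secrets.token_bytes(32)   # per balancer key so clients cannot forge a pin


class Balancer:
    def __init__(self, servers):
        self.servers = list(servers)
        self.healthy = {s: True for s in servers}
        self.sessions = {s: 0 for s in servers}   # rough load measure

    def mark_down(self, server):
        self.healthy[server] = False

    def mark_up(self, server):
        self.healthy[server] = True

    def _cookie_for(self, server):
        """Cookie value is 'server.tag'; the tag binds the value to this balancer."""
        tag = hmac.new(SECRET, server.encode(), hashlib.sha256).hexdigest()[:16]
        return f"{server}.{tag}"

    def _server_from_cookie(self, value):
        """Server a valid cookie points at, or None for missing/forged cookies."""
        if not value or "." not in value:
            return None
        server, tag = value.rsplit(".", 1)
        if server not in self.healthy:
            return None
        good = self._cookie_for(server).rsplit(".", 1)[1]
        return server if hmac.compare_digest(good, tag) else None

    def route(self, cookies):
        """Pick the server for one request.

        Returns (server, set_cookie) where set_cookie is None when an
        existing affinity was honoured and a new cookie value otherwise.
        """
        pinned = self._server_from_cookie(cookies.get(COOKIE))
        if pinned and self.healthy[pinned]:
            return pinned, None
        live = [s for s in self.servers if self.healthy[s]]
        if not live:
            raise RuntimeError("no healthy VDM Connection Server")
        target = min(live, key=lambda s: self.sessions[s])
        self.sessions[target] += 1
        return target, self._cookie_for(target)


if __name__ == "__main__":
    lb = Balancer(["vdm-cs-1", "vdm-cs-2"])
    server, cookie = lb.route({})
    print(server, lb.route({COOKIE: cookie}))
    lb.mark_down(server)
    print(lb.route({COOKIE: cookie}))
```

Affinity matters here because the HTTPS tunnel and the login state live on one Connection Server; without it a user's next request could land on a server that has never seen the session. When a pinned server fails, the user is re-pinned and must log in again, which is the behaviour a cluster of independent brokers gives.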
VDM Connection Server DMZ Deployment
In secure environments, particularly when VDM is being accessed from an insecure network such as the Internet, it is common practice to deploy servers in a DMZ.

VDM Connection Server functionality is split between servers in the secure network and the DMZ. VDM Connection Servers that operate in a DMZ are known as VDM Security Servers and are installed using the VDM Connection Server installer and specifying a Security Server instance type. VDM Security Servers in the DMZ operate with VDM Connection Servers (Standard or Replica) in the secure network.
Figure 4 shows a high availability environment comprising two load balanced VDM Security Servers in the DMZ working with two full VDM Connection Servers (Standard and Replica instance) in the secure network.

Figure 4. DMZ Deployment with Multiple VDM Connection Servers
[Figure 4 labels: VirtualCenter Management Server; Microsoft Active Directory; VDM Connection Servers behind load balancing; VDM Security Servers in the DMZ; external network; Remote Client; ESX Server hosts running Virtual Desktop virtual machines.]
VDM Security Servers do not contain an LDAP configuration repository and do not access any authentication repositories (Active Directory or RSA Authentication Manager). When remote users connect using a VDM Security Server, they must successfully authenticate before a secure connection is established. This means they cannot attempt to access any virtual desktops until they are successfully authenticated. With appropriate firewall rules on both sides of the DMZ, this type of deployment is suitable for accessing virtual desktops from Internet located client devices.
To support remote VDM Client and VDM Web Access connecting to the environment using HTTPS from an external network, the only TCP port that must be allowed in the DMZ is the HTTPS port (TCP port 443). VDM Security Servers do not need to be part of an Active Directory domain, and no communication occurs between VDM Security Servers and Active Directory.

Although Figure 4 shows a one to one relationship between VDM Security Servers and VDM Connection Servers, multiple VDM Security Servers can be connected to each VDM Connection Server. A DMZ deployment can be combined with a standard deployment to offer VDM access for internal users and external users.

Figure 5 shows a more complex environment where four VDM Connection Servers act as one group with the servers in the internal network dedicated to the users of that network, and the servers in the external network dedicated to users of that network. The servers on the right can be enabled for RSA SecurID authentication, so that all external network users are required to authenticate using RSA SecurID tokens.
Figure 5. DMZ Deployment with Internal Network Access
[Figure 5 labels: two load balancing tiers; VDM Security Servers in the DMZ; external network with a remote Client; internal network with a Client; VirtualCenter Management Server; Microsoft Active Directory; VDM Connection Servers; ESX Server hosts running Virtual Desktop virtual machines.]
VDM Connection Server Components
Figure 6 shows the VDM Connection Server components and their relationship with the other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:

JMS 4001
HTTP 80
HTTPS 443
RDP 3389
SOAP 80 or 443
Figure 6. VDM Components
[Figure 6 labels: VDM Connection Server containing VDM Broker & Admin Server, VDM Messaging, VDM SecureGW Server and VDM LDAP; VDM Administrator (Admin Console, browser) over HTTP(S); Windows Client (VDM Client, RDP Client), Linux and Mac Client (VDM SecureGW Client, RDP Client, browser) and Thin Client (thin client operating system, RDP) over HTTP(S); Virtual Desktop VM running VDM Agent, reached over RDP and JMS; VirtualCenter Server (VirtualCenter) over SOAP.]
VDM Broker
VDM Broker is the core of VDM Connection Server. It is responsible for all user interaction between the client (VDM Client, VDM Web Access, and Thin Client) and the VDM Connection Server.

VDM Broker provides the following:

User authentication
User desktop entitlements with VDM LDAP
Virtual desktop session management
Coordination of the secure connection establishment, virtual desktop connection, and single sign on
Administration server used by VDM Administrator Web client
Virtual desktop pool management

VDM Broker operates closely with VirtualCenter to provide advanced management of virtual desktops. This includes virtual desktop creation as part of pool management and power operations, such as automatic suspend and resume.
VDM Secure Gateway Server
VDM Secure Gateway Server provides the server side component for the secure HTTPS connection between the VDM Client (or VDM Secure Gateway Client) and the VDM Connection Server. After the user is authenticated, a secure HTTPS connection is established between the client and the VDM Connection Server. For a Windows client, this connection is initiated by the native Windows VDM Client. On Linux or Mac OS/X, it is initiated by the Java VDM Secure Gateway Client using Java Web Start technology. After this secure connection is established, virtual desktop protocols (RDP) can securely and reliably connect.

When the VDM Secure Gateway Server sees an incoming RDP connection through the HTTPS connection, it forwards this connection to the appropriate virtual desktop. To ensure that all virtual desktops are only accessed through VDM Connection Server, firewall rules can be applied to each virtual desktop so that all RDP connections originate from a VDM Connection Server. This way, direct access to virtual desktops bypassing VDM Connection Server is not possible because VDM Connection Server acts as gatekeeper for all virtual desktop access. With VDM 2.1 and newer, the VDM Agent can be configured so that direct incoming RDP connections to virtual desktops are not allowed. This ensures that all remote access to virtual desktops must pass through a VDM Connection Server.
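The gatekeeper property above is only as good as the per desktop firewall rules (or the VDM Agent setting) that enforce it, so it is worth verifying from the desktop side. The following added example (not VMware's code) scans connection records from the virtual desktops and reports RDP connections whose source is not one of the Connection Servers: accepted ones reveal a desktop that can be reached around the broker, dropped ones confirm the rule is working. The record format, the addresses and the desktop names are constructed for this example; adapt `LINE` to whatever your desktops actually log.

```python
"""Find RDP connections to virtual desktops that bypass the Connection Servers.

Added example with a constructed log format; not VMware code.
"""
import ipaddress
import re

# Constructed: addresses of the Connection Server group
# (Standard, Replica and a Security Server in the DMZ).
CONNECTION_SERVERS = {
    ipaddress.ip_address(a) for a in ("10.0.1.10", "10.0.1.11", "192.0.2.20")
}
RDP_PORT = 3389   # default RDP port from the list above

# Constructed sample records in the format this example parses.
SAMPLE_LOG = """\
2008-05-27T08:01:12Z desktop=vd-0142 proto=tcp src=10.0.1.10:50321 dst=10.0.5.42:3389 action=accept
2008-05-27T08:03:47Z desktop=vd-0142 proto=tcp src=10.0.7.99:61002 dst=10.0.5.42:3389 action=accept
2008-05-27T08:04:02Z desktop=vd-0077 proto=tcp src=192.0.2.20:40011 dst=10.0.5.77:3389 action=accept
2008-05-27T08:05:30Z desktop=vd-0077 proto=tcp src=10.0.7.99:61010 dst=10.0.5.77:3389 action=drop
2008-05-27T08:06:00Z desktop=vd-0077 proto=tcp src=10.0.1.11:51000 dst=10.0.5.77:445 action=accept
"""

LINE = re.compile(
    r"^(?P<ts>\S+) desktop=(?P<desktop>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>[^:\s]+):(?P<sport>\d+) dst=(?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"action=(?P<action>\S+)$"
)


def parse(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def bypass_attempts(text):
    """RDP connections to a desktop that did not come from a Connection Server.

    Each finding is (timestamp, desktop, source address, action). An
    'accept' means the gatekeeper can be bypassed for that desktop; a
    'drop' means the rule held but something on the network tried anyway.
    """
    findings = []
    for rec in parse(text):
        if rec["proto"] != "tcp" or rec["dport"] != RDP_PORT:
            continue
        if ipaddress.ip_address(rec["src"]) in CONNECTION_SERVERS:
            continue
        findings.append((rec["ts"], rec["desktop"], rec["src"], rec["action"]))
    return findings


def accepted_bypasses(text):
    """Only the findings that indicate a desktop reachable around the broker."""
    return [f for f in bypass_attempts(text) if f[3] == "accept"]


if __name__ == "__main__":
    for finding in bypass_attempts(SAMPLE_LOG):
        print(*finding)
```

Run regularly, the accepted list should be empty; a non-empty result points at a desktop whose firewall rule was never applied or was later relaxed, which is exactly the misconfiguration the Agent setting in VDM 2.1 closes.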
VDM Secure Gateway Server is also responsible for forwarding other Web traffic (such as authentication traffic, user desktop selection traffic, and so on) to the VDM Broker from the VDM clients. VDM Administrator Web traffic is passed by VDM Secure Gateway Server to the VDM Broker.
VDM LDAP
VDM LDAP is an embedded LDAP directory on each VDM Connection Server Standard and Replica instance. It is used as the configuration repository for all VDM configuration data. VDM LDAP for Windows Server 2003 uses Microsoft Active Directory Application Mode (ADAM). This is an embedded LDAP directory bundled with VDM. It installs the following components that are appropriate for VDM:

Specific VDM schema definitions
Directory information tree (DIT) definitions
Access control lists (ACLs)

VDM LDAP also includes a set of VDM plugin DLLs to provide automation and notification services for other VDM components.

VDM LDAP contains entries to represent the following configuration items:

Virtual desktop entries that represent each accessible virtual desktop: This contains references to Foreign Security Principal entries of Windows users and Windows user groups in Active Directory who are authorized to use this desktop.
Virtual Desktop Pool entries that represent multiple virtual desktops managed together
Virtual machine entries that represent each virtual desktop
VDM component configuration entries used to store configuration settings

When a Standard instance is installed during VDM Connection Server installation, a new, local standalone ADAM instance is created. The schema definitions, DIT definition, ACLs, and so on are loaded and initial data is added. Configuration data in VDM LDAP is mainly maintained from VDM Administrator, although VDM Broker also manages some parts automatically.
When a VDM Connection Server Replica instance is installed, an ADAM instance is also created locally, but the initial data is retrieved from an existing instance. This means that the initial data is a copy of an existing instance that includes all configuration settings. During a Replica instance installation, a replication agreement is set up so that all VDM Connection Servers in the group share the same configuration data. LDAP changes on any server are replicated to all other servers. This replication functionality is provided by ADAM, which uses the same replication technology as Active Directory.
VDM Messaging
This component provides the messaging router for communication between VDM Connection Server components and between VDM Agent and VDM Connection Server. It supports the Java Message Service (JMS) API, which is used for messaging in VDM.
VDM Security Server
VDM Security Server is an instance type that is selected when VDM Connection Server is installed. It has a subset of the functionality of a full VDM Connection Server and is used in a DMZ deployment. Figure 7 shows a VDM Security Server and shows the relationship with all other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:

JMS 4001
AJP13 8009
HTTP 80
HTTPS 443
RDP 3389
SOAP 80 or 443
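The port list above and the DMZ section earlier (only TCP 443 open inbound to the DMZ, no Security Server traffic to Active Directory, desktops reachable only through the brokers) together define a firewall policy that can be audited mechanically. The following is an added example, not VMware's code, that encodes those requirements and checks a constructed rule set for flows it wrongly permits or fails to permit. The internal flow list is this example's reading of Figure 7 (SOAP is taken on 443, and the Security Server is assumed to reach desktops over RDP like a full Connection Server); the zone names and the `WEAK_RULES` and `HARDENED_RULES` sets are constructed.

```python
"""Audit a DMZ firewall rule set against the VDM port requirements.

Added example with constructed rule sets; not VMware code.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")   # a connection the design needs
Rule = namedtuple("Rule", "src dst port")         # a permit rule; port may be "*"

# Default TCP ports from the list above.
PORTS = {"JMS": 4001, "AJP13": 8009, "HTTP": 80, "HTTPS": 443, "RDP": 3389, "SOAP": 443}

# Flows the deployment needs (assumption drawn from the Figure 7 topology).
REQUIRED = [
    Flow("external", "security_server", PORTS["HTTPS"], "HTTPS"),
    Flow("security_server", "connection_server", PORTS["AJP13"], "AJP13"),
    Flow("security_server", "connection_server", PORTS["JMS"], "JMS"),
    Flow("security_server", "desktop", PORTS["RDP"], "RDP"),
    Flow("connection_server", "desktop", PORTS["RDP"], "RDP"),
    Flow("connection_server", "virtualcenter", PORTS["SOAP"], "SOAP"),
]

# Source/destination pairs that must never be permitted on any port: the
# brokers are the gatekeeper for desktops, external clients enter only via
# the DMZ, and a Security Server never talks to Active Directory.
FORBIDDEN_PAIRS = {
    ("external", "desktop"),
    ("external", "connection_server"),
    ("security_server", "active_directory"),
}


def permits(rules, flow):
    return any(r.src == flow.src and r.dst == flow.dst and r.port in (flow.port, "*")
               for r in rules)


def audit(rules):
    """Required flows the rules miss, and rules that permit a forbidden pair."""
    missing = [f for f in REQUIRED if not permits(rules, f)]
    violations = [r for r in rules if (r.src, r.dst) in FORBIDDEN_PAIRS]
    return {"missing": missing, "violations": violations}


def external_ports(rules):
    """Ports reachable from the external network; the text says this is just 443."""
    return {r.port for r in rules if r.src == "external"}


# Constructed weak rule set: RDP opened straight from outside, an over-broad
# "*" between DMZ and secure network, and the Security Server's own RDP path
# forgotten.
WEAK_RULES = [
    Rule("external", "security_server", 443),
    Rule("external", "desktop", 3389),
    Rule("security_server", "connection_server", "*"),
    Rule("connection_server", "desktop", 3389),
    Rule("connection_server", "virtualcenter", 443),
]

# Constructed corrected rule set: least privilege, one port per flow.
HARDENED_RULES = [
    Rule("external", "security_server", 443),
    Rule("security_server", "connection_server", 8009),
    Rule("security_server", "connection_server", 4001),
    Rule("security_server", "desktop", 3389),
    Rule("connection_server", "desktop", 3389),
    Rule("connection_server", "virtualcenter", 443),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules), sorted(external_ports(rules), key=str))
```

The weak set is a realistic failure mode: a desktop reachable on 3389 from the external network is precisely the bypass the broker is supposed to prevent, and the `"*"` rule hides the fact that only AJP13 and JMS are needed between the DMZ and the secure network. The hardened set audits clean and exposes only port 443 externally, matching the requirement stated in the DMZ section.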
Figure 7. VDM Component Diagram with Security Server

For more information about VDM deployment within a DMZ, see VDM Connection Server DMZ Deployment.
[Figure 7 labels: VDM Security Server containing VDM SecureGW Server, linked to the VDM Connection Server over JMS and AJP13; VDM Connection Server containing VDM Broker & Admin Server, VDM Messaging, VDM SecureGW Server and VDM LDAP; VDM Administrator (Admin Console, browser) over HTTP(S); Windows Client (VDM Client, RDP Client), Linux and Mac Client (VDM SecureGW Client, RDP Client, browser) and Thin Client (thin client operating system, RDP) over HTTP(S); Virtual Desktop VM running VDM Agent, reached over RDP and JMS; VirtualCenter Server (VirtualCenter) over SOAP.]
Glossary

A
Active Directory
A Microsoft directory service that stores information about the network operating system and provides services. Active Directory configures and manages users and groups and enables administrators to set security policies, control resources, and deploy programs across an enterprise.
ADAM (Active Directory Application Mode)
An LDAP implementation based on Active Directory.
active session
A live connection from a client or Web Access user to a virtual desktop. An established connection to a virtual desktop that has not timed out.
administrator user interface
The Web-based administrator user interface used to perform configuration and management tasks in VDM. Also known as the VDM Administrator.
agent
See VMware VDM Agent.

B
broker
Also known as a connection broker. The VDM Connection Server is a type of connection broker. See also VMware VDM Connection Server.
C
client
See VMware VDM Client.
connection broker
A server that allows connections between remote users and virtual desktops and provides authentication and session management. The VDM Connection Server is a type of connection broker. See also VMware VDM Connection Server.
connection server
See VMware VDM Connection Server.

D
desktop
See virtual desktop.
desktop virtual machine
See virtual desktop.
desktop pool
A pool of virtual machines that an administrator designates for users or groups of users. See also persistent desktop pool, nonpersistent desktop pool.
DMZ (demilitarized zone)
A logical or physical subnetwork that connects internal servers to a larger, untrusted network (usually the Internet) and provides an additional layer of security and gives administrators more control over who can access network resources.
DNS (Domain Name System)
An Internet data query service that translates host names into IP addresses. Also called Domain Name Server or Domain Name Service.

F
FQDN (fully qualified domain name)
The name of a host, including both the host name and the domain name. For example, the FQDN of a host named esx1 in the domain vmware.com is esx1.vmware.com.

G
guest
See guest operating system.
guest operating system
An operating system that runs inside a virtual machine.
H
high availability
A system design approach that ensures a degree of operational continuity.

L
load balancing
A technique used for distributing processes across servers so that the traffic load is spread more evenly and servers do not become overloaded.

N
nonpersistent desktop pool
A desktop pool in which users are not assigned to a specific desktop. When users log off or are timed out of a desktop, their desktops are returned to the pool and made available to other users. Users should not save data or files to their desktops when using a nonpersistent pool.

P
persistent desktop pool
A desktop pool in which users are assigned to a specific desktop. Users log on to the same desktop every time and their data is preserved when they log off. Users can save data and files to their desktops when using a persistent pool.

R
RDP (remote desktop protocol)
A multichannel protocol that allows a user to connect to a computer remotely.
RSA SecurID
A product from RSA that provides strong two-factor authentication using a password and an authenticator.

S
security server
A VDM Connection Server deployment that adds a layer of security between the Internet and the internal network. Security Server is an option that you choose during VDM connection server installation. See also DMZ (demilitarized zone).

T
thin client
A device that allows a user to access virtual desktops but requires little memory or disk drive space. Application software, data, and CPU power reside on a network computer and not on the client device.

V
VMware VDM Agent
Installed on the guest, the VDM Agent enables communication between the desktop virtual machine, the VDM Connection Server, and end users who access virtual desktops by using VDM Web Access or VDM Clients.
VMware VDM Client
A Windows-based application used for accessing virtual desktops.
VMware VDM Connection Server
A connection broker that provides management and user authentication for virtual desktops. The VDM Connection Server directs incoming remote desktop user requests to the appropriate virtual desktop.
VMware VDM Web Access
Web browser-based application for accessing virtual desktops. End users who run supported Windows, Linux, or Macintosh operating systems can access virtual desktops by using VDM Web Access.
virtual desktop
A desktop operating system that runs on a virtual machine. A virtual desktop is indistinguishable from any other computer running the same operating system.
VMware Virtual Desktop Infrastructure
The VMware desktop infrastructure solution that consists of VMware ESX Server, VMware VirtualCenter, and VMware Virtual Desktop Manager. VDI provides an end-to-end virtual desktop solution that allows administrators to easily deploy and manage virtual desktop environments.

W
web access
See VMware VDM Web Access.