
Installation and Administration Guide

VMware Virtual Desktop Manager 2.1


Installation and Administration Guide Revision: 20080619 Item: VDM-ENG-Q208-450

You can find the most up-to-date technical documentation on our Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

2008 VMware, Inc. All rights reserved. Protected by one or more U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, 7,290,253, and 7,356,679; patents pending. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com



Contents

About This Book

1 VDM Quick Start Guide
  Hardware Requirements
  Prerequisites
  Preinstallation Checklist
  Prepare Desktop Virtual Machines
  Installing the VDM Connection Server
  Single-Server Installation
  One-Time Configuration
  Creating Desktops
  Creating an Individual Desktop
  Entitling a Desktop
  Connecting to Desktops

2 VDM Introduction and System Requirements
  VDM Overview
  System Requirements
  VDM Connection Server
  Connection Server Hardware Requirements
  Connection Server Supported Operating Systems
  VDM Client
  VDM Client Supported Operating Systems
  VDM Web Access
  VDM Agent Virtual Desktop
  Prerequisites
  Upgrading VDM

3 Installing and Configuring VDM
  Prepare Desktop Virtual Machines
  Using the VDM Agent on Virtual Machines with Multiple NICs
  Installing the VDM Connection Server
  Single-Server Installation
  Multiserver Installation
  One-Time Configuration
  Enabling and Disabling a VDM Connection Server
  End-to-End Configuration
  Configuration for a Pooled Desktop
  VirtualCenter Permissions for VDM
  Advanced Pool Settings
  Advanced Pooling Example Scenarios
  Entitling a Desktop
  Connecting to Desktops
  Changing End User Passwords
  Setting the Default Desktop for Thin Client Users
  Setting an Externally Resolvable Name on a Connection Server
  VDM Administrator User Interface
  Inventory Page
  Configuration Page
  Events Page
  Searching Desktops and Entitled Users and Groups
  Working with Active Sessions
  Global Configuration Settings
  Viewing Events
  RSA SecurID
  Deleting VDM Objects
  Installing SSL Certificates
  Creating the CSR
  Load Balancing
  Load Balancing in a Non-DMZ Deployment
  Session Setup and Load Balancing
  DNS Requirements for a Load Balanced Solution
  Load Balancing Solution
  DMZ Deployment
  DMZ Installation
  Load Balancing in a DMZ Deployment
  Configuring Firewall Ports for DMZ Deployments
  Exporting and Importing VDM Configuration Data
  Client Command Line Parameters
  Collecting VDM Diagnostic Information
  Using the VDM Support Tool to Collect Diagnostic Information
  Using the VDM Support Script to Collect Diagnostic Information
  Updating Support Requests
  Troubleshooting VDM

A VDM Client Advanced Active Directory RDP Settings
  Using Active Directory Group Policies for Advanced Settings

B VDM Group Policy Objects
  Computer Configuration
  VDM Agent Configuration
  VDM Client Configuration
  VDM Server Configuration
  VDM User Configuration for VDM Client

Glossary
Index


About This Book

This manual, the Installation and Administration Guide, describes setting up, installing, and configuring VMware Virtual Desktop Manager, including how to install the various software components, how to deploy servers, and how to configure and connect to virtual desktops. It also describes how to set up load balancing and security, supported operating systems, and thin client devices.

This chapter includes these topics:
- "Intended Audience" on page 7
- "Document Feedback" on page 7
- "Technical Support and Education Resources" on page 8

Intended Audience
This manual is intended for anyone who wants to install, administrate, or configure VDM. The information in this manual is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to: docfeedback@vmware.com


Technical Support and Education Resources


The following sections describe the technical support resources available to you. You can access the most current versions of this manual and other books by going to: http://www.vmware.com/support/pubs

Online and Telephone Support


Use online support to submit technical support requests, view your product and contract information, and register your products. Go to http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.

Support Offerings
Find out how VMware support offerings can help meet your business needs. Go to http://www.vmware.com/support/services.

VMware Education Services


VMware courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. For more information about VMware Education Services, go to http://mylearn1.vmware.com/mgrreg/index.cfm.


VDM Quick Start Guide

This chapter describes the VDM administrator user interface and basic installation instructions. It describes general guidelines to perform basic configuration and to create virtual desktops and introduces basic administration tasks.

VDM is part of the VMware Virtual Desktop Infrastructure which enables enterprises to host desktop virtual machines in their datacenter using VMware software and provide users access from a PC or thin client using a remote display protocol. VDM provides the software tools for setting up and configuring your virtual desktop environment.

This chapter includes these topics:
- "Hardware Requirements" on page 10
- "Prerequisites" on page 10
- "Preinstallation Checklist" on page 11
- "Prepare Desktop Virtual Machines" on page 11
- "Installing the VDM Connection Server" on page 13
- "One-Time Configuration" on page 14
- "Creating Desktops" on page 15
- "Connecting to Desktops" on page 17


Hardware Requirements
VDM requires a dedicated physical or virtual server with the following specifications for running VDM:
- As a minimum, a Pentium IV 2.0GHz processor. VMware recommends dual processors.
- As a minimum, 2GB RAM. VMware recommends 3GB RAM for deployments of 50 or more desktops.
- A minimum of one 10/100Mbps NIC. VMware recommends a 1Gbps NIC.

VDM Connection Server can be installed on either 32-bit or 64-bit hardware.

For DMZ deployments, VDM requires an additional dedicated hardware or software server with similar specifications.

For high-availability deployments, each VDM Connection Server requires a dedicated physical or virtual server with similar specifications.

Prerequisites
VDM Connection Server has the following prerequisites:
- VMware Infrastructure
  VMware Infrastructure 3.5 (current versions of ESX Server and VirtualCenter) with at least one ESX host and one VirtualCenter instance is recommended. VMware Infrastructure 3.02 is supported.
- Servers running VDM Connection Server standard or replica instances that are joined to an Active Directory domain
  NOTE VDM Connection Server does not make nor require any schema or configuration updates to Active Directory.
- Microsoft Sysprep tools installed on your VC Server
- A customization specification that permits cloned virtual machines to join the AD domain (optional)
- A valid license key for VDM

The VDM Agent, VDM Client, and VDM Web Access have the following prerequisites:
- For Windows guest desktops and Windows clients, you must have administrative privileges to install the VDM Client and the VDM Agent.
- ActiveX controls and Internet Explorer 6 or above are required for Windows client users who access their desktops using VDM Web Access.
- Web Access using Linux or Mac OS X requires Java JRE version 1.5.0 or 1.6.0.
- Microsoft Remote Desktop Connection 6.0 recommended (not required)
  VMware recommends that you upgrade VDM Client machines to use Microsoft Remote Desktop Connection (RDC) 6.0. This recommendation applies to machines running Windows XP and Windows XPe. Windows 2000 does not support RDC 6.0. Windows Vista comes with RDC 6.0 installed.
  RDC 6.0 can be downloaded at the Microsoft Web site.
- If connecting to a Windows Vista desktop using a Linux client, you must install the rdesktop remote desktop protocol client version 1.5.0, which you can download from the rdesktop Web site.
  After you download rdesktop, follow the instructions in the readme file.

Preinstallation Checklist
Before you install VDM, consult the following checklist.
- The machine that is to act as the connection server is in the Windows domain.
- You can ping the FQDN of the connection server.
- Any previous versions of VDM are uninstalled.

Prepare Desktop Virtual Machines


Before you install the VDM software, prepare desktop virtual machines for use. Where changes in VirtualCenter are required, see the latest VirtualCenter documentation for specific steps.

Make sure that the following prerequisites are in place:
- The base desktop virtual machine to deploy to users is identified, and the latest operating system and application Service Packs and patches are installed. For Windows XP desktop virtual machines, ensure that the patch specified by Microsoft KB article 323497 (required by VDM) is installed. Information about Microsoft KB articles can be found on the Microsoft Web site.
- The latest VMware Tools are installed (provided with VI 3.5).
- Networking settings (proxies, and so forth) are properly configured in the desktop virtual machine.
- VDM Agent is installed.
  NOTE For automated updating of VDM Agent in large environments, VMware recommends using standard Windows update mechanisms such as Altiris, SMS, LanDesk, BMC, or other systems management software.
- You have administrative rights to the desktop virtual machine.

To install VDM Agent
1. Download the VDM installer file from the VMware secure Web site to a local drive.
   For information about the location of the secure Web site, contact your VMware representative.
2. Run VMware-vdmagent-2.1.0-<xxx>.exe
   <xxx> is the build number of the software component you are installing in the desktop virtual machine.
   The Installation wizard opens.
3. Click Next.
4. Accept the license terms and click Next.
5. Choose your custom setup options as follows:
   - Install the VDM Authentication GINA component to restrict direct RDP connections. By default, RDP connections to the virtual machine from any source are allowed. If the VDM Authentication GINA is installed, RDP connections are only allowed if the connection goes through the VDM Connection Server.
     You must install the GINA component to enable single sign-on (SSO). With SSO, end users only need to enter their user credentials one time. When users enter their user credentials into the connection server, they are automatically logged in to desktops to which they are entitled.
   - Install the USB Redirection component to allow virtual desktop users access to locally connected USB devices with their virtual desktops.
6. Accept or change the destination folder and click Next.
7. Click Install to begin the installation process.
8. Click Finish.


Installing the VDM Connection Server


The VDM connection server must be running Windows 2003 Server and be either a physical server dedicated to connection brokering or a standalone virtual machine. Optionally, you can obtain an SSL certificate to use for that server.

Single-Server Installation
The most basic type of deployment is single-server deployment. Figure 1-1 shows a single-server deployment with a client device, a connection server, Web-based administration, Active Directory, and VMware Virtual Infrastructure.

Figure 1-1. VDM Single Server Deployment
[Figure labels: VMware Infrastructure, VirtualCenter, Remote Users, VDM Connection Server, ESX Servers (virtual desktops), Active Directory]

To perform a single server installation
1. Run VMware-vdmconnectionserver-2.1.0-<xxx>.exe on the machine that is to act as the connection server.
   <xxx> is the build number of the software component you are installing.
   The Installation wizard opens.
2. Click Next.
3. Accept the VMware license terms and click Next.
4. Accept or change the destination folder and click Next.
5. Choose the Standard deployment option.
6. Click Next > Install > Finish.

See "Installing the VDM Connection Server" on page 30.

One-Time Configuration
Perform a one-time configuration on your VDM Connection Server so that it is set up to perform deployment tasks.

To perform a one-time configuration
1. Go to https://<hostname_or_ipaddress>/admin to launch VDM Administrator.
   <hostname_or_ipaddress> is the host name or IP address of the VDM Connection Server, or load balancer.
2. Log in using the appropriate credentials.
   Initially, all domain users who are members of the local administrators group on the VDM Connection Server can log in to the VDM administrator user interface. Use the interface to change the list of VDM administrators later.
   The first time you log in, the Configuration page appears. Entering the license information causes the Inventory page to display when you log in.
3. Click the Configuration button to change to the Configuration page if it is not displayed at login.
4. On the Configuration page, perform the following actions:
   a. In Access and Security Settings, enter the VMware VDM license key.
   b. In VirtualCenter Servers, click Add and complete the details for the VirtualCenters to use with VDM.
      If you enter a server using a DNS name or URL, no DNS lookup is performed to verify whether or not the server has previously been entered using its IP address. A conflict will arise if a VirtualCenter server is added with both its DNS name and its IP address.
   c. Under Administrators, click Add and complete the details for each AD user who requires login access to VDM Administrator.
5. Enable the VDM Connection Server by selecting it from the list of VDM Servers and clicking Enable.
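
Because VDM does not perform the DNS lookup described in step 4b, the check can be done before the entries are typed in. The following Python sketch is an added example, not part of the VMware guide: it takes the list of VirtualCenter entries you plan to add (DNS names, URLs, or IP addresses) and reports any two that refer to the same address. The host names, the `/sdk` URL, the addresses, and the `sample_resolver` stand-in for DNS are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def host_of(entry):
    """Extract the host part from a DNS name, IP address, or URL entry."""
    text = entry.strip()
    if "://" not in text:
        text = "//" + text          # let urlsplit treat a bare host as a netloc
    host = urlsplit(text).hostname  # lower-cased, with port and path removed
    if not host:
        raise ValueError("no host found in %r" % entry)
    return host


def dns_resolver(host):
    """Default resolver: every IPv4 address the name currently resolves to."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET)
    return {info[4][0] for info in infos}


def addresses_for(entry, resolver=dns_resolver):
    """Return the set of IP addresses an entry refers to."""
    host = host_of(entry)
    try:
        return {str(ipaddress.ip_address(host))}  # entry is already an IP
    except ValueError:
        return set(resolver(host))                # entry is a name: look it up


def find_conflicts(entries, resolver=dns_resolver):
    """Return (earlier_entry, later_entry, shared_ip) for overlapping entries."""
    first_seen = {}   # ip -> first entry that referred to it
    conflicts = []
    for entry in entries:
        for ip in sorted(addresses_for(entry, resolver)):
            earlier = first_seen.setdefault(ip, entry)
            if earlier != entry:
                conflicts.append((earlier, entry, ip))
    return conflicts


# Constructed sample data: a fake DNS table so the example runs offline.
SAMPLE_DNS = {
    "vc01.corp.example": ["10.20.30.5"],
    "vc02.corp.example": ["10.20.30.6"],
}


def sample_resolver(host):
    return SAMPLE_DNS[host]


# Constructed list of entries an administrator intends to add.
SAMPLE_ENTRIES = [
    "vc01.corp.example",
    "https://vc02.corp.example/sdk",
    "10.20.30.5",            # same server as vc01.corp.example
]

if __name__ == "__main__":
    for earlier, later, ip in find_conflicts(SAMPLE_ENTRIES, sample_resolver):
        print("%s and %s both refer to %s" % (earlier, later, ip))
```

Call `find_conflicts(entries)` without a resolver argument to use live DNS from the connection server's point of view.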


Creating Desktops
After you have installed the VDM connection server, create the virtual desktops and entitle users to access them.

Creating an Individual Desktop


Create desktops so that end users can access the VDM service.

To create an individual desktop
1. Click the Inventory tab.
2. In All Desktops, click the Desktops tab and click Add.
3. In Select desktop type, click Individual desktop and click Next.
4. Enter the Desktop ID and the Desktop Display Name.
   The desktop ID is the name that VDM uses to identify the desktop. The desktop display name is what the end user sees when logging in to the desktop. The desktop ID must be unique for each desktop, but the display name does not need to be unique. Correlate the desktop ID and display name to something within your environment (department name or location, for example). If you do not specify a display name, users see the desktop ID.
5. (Optional) Enter a description for the desktop.
   Use a maximum of 1024 alphanumeric characters, including spaces, in the description. The description is only visible in the Administrator user interface and not to end users.
6. Click Next.
7. Set the desktop parameters as follows:
   - Desktop state: Enabled means that the desktop is automatically enabled after it is created. Setting it to Disabled means that you must manually change the setting to Enabled in order to activate the desktop after it is created.
   - Virtual machine power policy: Select Remain on for the desktop to remain powered on until it is shut down by an end user or administrator. The desktop remains powered off until it is manually powered back on when this setting is selected. Select Always powered on if you want the desktop to stay powered on, even if an end user or administrator attempts to power it off. The desktop powers on automatically after a power failure when this setting is selected. Select Suspend when not in use for the desktop to be suspended when the user is not logged in. Select Power off when not in use for the desktop to power off when not in use.
     The power policy is applied to individual desktops when users reconnect after logging off or disconnecting.
   - Automatic logoff after disconnect: Select Immediately for desktop users to be logged off as soon as they disconnect, select Never for users to never be logged off, or select After and enter the number of minutes after which users are logged off when they disconnect.
   - Allow users to reset their desktop: Select this check box to give desktop users the ability to reset their own desktops without going through the administrator. A reset means that the desktop virtual machine powers off and powers back up. This feature is available on persistent desktops and nonpersistent desktops where a user has an active session.
8. Click Next.
9. From the list of VirtualCenter servers, choose the VirtualCenter server that the desktop is to use and click Next.
10. In the table on the Virtual Machine Selection page, select the virtual machine that the desktop is to use.
    All available virtual machines that are running a supported guest operating system and that another virtual desktop is not using appear in the table, including those that are suspended or not powered on.
11. Click Next.
12. Review the information in Ready to Complete and click Finish to accept it or Back to make corrections.
13. Click Finish.

For information about creating desktop pools, see "Configuration for a Pooled Desktop" on page 36.


Entitling a Desktop
Grant desktop users access to individual or pooled desktops by entitling them to their assigned desktops.

To entitle a desktop to an AD user or group
1. In All Desktops on the Inventory tab, choose the desktop that you want to entitle.
2. Click Entitle.
3. Click Add.
4. In the Select object type section, choose Users, Groups, or both.
5. Choose a domain in which the object you are entitling resides or choose Entire Directory to search the entire Active Directory domain forest.
   You can search by name or description.
6. Choose the object to add to the entitlement.
7. Click OK.
8. In Entitlement, click OK.

Connecting to Desktops
VDM provides the VDM Client or VDM Web Access for connecting to the desktop virtual machine. Make sure you have administrative rights to the client machine.

To connect to desktops using the VDM Client
1. Download and run VMware-vdmclient-2.1.0-<xxx>.exe.
   <xxx> is the build number of the software component you are installing.
   The Installation wizard opens.
2. Click Next.
3. Accept the VMware license terms and click Next.
4. Choose one of the following Custom Setup options:
   - Click Next to accept the default settings. The default settings install the client and the USB redirection feature.
   - Select USB Redirection and select This feature will not be available to prevent installation of this feature. Having this feature installed requires space on your hard drive, so not installing it frees the required space.
5. Click Next to accept the default destination folder or click Change to use a different destination folder and then click Next.
6. (Optional) Enter the default server to which the client will connect and click Next.
   This entry is the IP address or FQDN of the server.
7. Configure shortcuts for the VDM Client or, to not use shortcuts, deselect all choices.
8. Click Next > Install > Finish.
9. Start the VMware VDM Client.
10. In the VDM Server drop-down menu, enter the host name or IP address of the VDM Server.
11. Click Connect.
12. Enter the entitled user's credentials, choose the domain and click Login.
13. Choose the entitled desktop and click OK.

The desktop virtual machine is connected.

To connect to desktops using VDM Web Access
1. Start the browser and navigate to the VDM Connection Server URL.
   For example, navigate to https://<hostname_or_ipaddress>, where <hostname_or_ipaddress> is the host name or IP address of the VDM Connection Server.
2. Enter an entitled user's name and password and choose the correct domain from the drop-down menu.
3. Click Login.
4. When Access Status is Ready, choose a desktop from the list and click Connect.
   The desktop is connected.


VDM Introduction and System Requirements

This chapter introduces VDM and describes the system requirements for installing and running it. VDM is a connection broker for VMware Virtual Desktop Infrastructure. It connects users to virtual desktops running on VMware Virtual Infrastructure, and plays a critical role in security, access control, and overall desktop management.

This chapter discusses these topics:
- "VDM Overview" on page 19
- "System Requirements" on page 21
- "Prerequisites" on page 24
- "Upgrading VDM" on page 25

VDM Overview
VDM integrates with Active Directory and VMware VirtualCenter to manage and deploy desktops to end users. VDM also provides a client that enables users to connect to virtual desktops using either a Windows PC, thin client, Linux desktop, or Macintosh computer. VDM provides a secure environment for deploying and accessing virtual desktops and uses existing Active Directory functionality for authentication and user and user group management.

VDM has the following main components:
- VDM Client: User-facing component that connects to VDM Connection Server to connect to virtual desktops. It is a feature-rich, native Windows application.
- VDM Web Access: User-facing component that connects to VDM Connection Server to connect to virtual desktops. VDM Web Access installs the client (on a Windows client) the first time you connect and connects to virtual desktops using a Web browser.
- VDM Administrator: Web application that is the primary mechanism for configuring VDM and managing users and desktops.
- VDM Connection Server: Software that acts as a connection broker and provides management and user authentication for virtual desktops. The VDM Connection Server directs incoming remote desktop user requests to the appropriate virtual desktop and enhances the user experience.
- VDM Agent: Software that installs on desktop virtual machines and enables features such as RDP connection monitoring, remote USB support, and single sign-on. All guests (desktop virtual machines) require the agent to be installed to run VDM.

VDM uses existing AD infrastructure for authentication and user management. VDM integrates with VMware VirtualCenter to manage virtual desktops running on VMware ESX servers.

Figure 2-1 shows a high-level view of a VDM environment and its main components. These components are described in more detail in later sections of this book.


Figure 2-1. High-Level View of a VDM Environment
[Figure labels: VMware Infrastructure, VirtualCenter, Remote Users, VDM Web Access, VDM Administrator, ESX Servers (virtual desktops), VDM Connection Server, Active Directory, VDM Client]

System Requirements
The following sections describe the hardware requirements for the VDM connection server and supported operating systems for the VDM Connection Server, the VDM Client, and the VDM Agent.

VDM Connection Server


The VDM Connection Server requires the following hardware and software.

Connection Server Hardware Requirements


The VDM Connection Server requires the following hardware:
- Dedicated physical or virtual server with the following specifications for running VDM.
  - As a minimum, a Pentium IV 2.0GHz processor. Dual processors are recommended.
  - As a minimum 2GB RAM. 3GB RAM is recommended for deployments of 50 or more desktops.
  - A minimum of one 10/100Mbps NIC. 1Gbps NIC is recommended.

VDM Connection Server can be installed on either 32-bit or 64-bit hardware.

For DMZ deployments, VDM requires an additional dedicated physical or virtual server with similar specifications. For more information about DMZ deployments, see "DMZ Deployment" on page 65.

For high-availability deployments, each VDM Connection Server requires a dedicated physical or virtual server with similar specifications.

NOTE VDM Connection Server is not supported on servers that have the Windows Terminal Server role installed. Remove the Windows Terminal Server role from any server on which you will be installing VDM Connection Server.

Connection Server Supported Operating Systems


The VDM Connection Server supports the following operating systems:
- Windows Server 2003 R2 Standard Edition with SP2 (English, Japanese, German)
- Windows Server 2003 Standard Edition with SP2 (English, Japanese, German)
- Windows Server 2003 R2 Enterprise Edition with SP2 (English, Japanese, German)
- Windows Server 2003 Enterprise Edition with SP2 (English, Japanese, German)

VDM Client
The VDM Client supports the following operating systems and devices:

VDM Client Supported Operating Systems


The VDM Client supports the following operating systems:
- Windows 2000 Professional with SP4 (English, Japanese)
- Windows XP Professional with SP2 (English, Japanese, German)
- Windows XP Professional with SP3 (English only)
- Windows XP Home with SP2 (English, Japanese, German)
- Windows XP Home with SP3 (English only)
- Windows Vista Home (English, Japanese, German)
- Windows Vista Home Premium (English, Japanese, German)
- Windows Vista Business (English, Japanese, German)
- Windows Vista Ultimate (English, Japanese, German)

Windows XP Client support for MMR
Windows XP Client is the only client operating system that supports multimedia redirection (MMR). MMR supports the following media formats:
- MPEG1
- MPEG2
- MPEG4 part 2
- WMV 7/8/9
- WMA
- AC3
- MP3

For Windows Media supported video files, Windows Media Player 10 and higher is strongly recommended to support MMR and should be installed in both the client and guest.

VDM Web Access


VDM Web Access supports the following operating systems:
- Windows XP Professional with SP2 which requires IE6 SP1 or higher (English, Japanese, German)
- Windows XP Professional with SP3 which requires IE6 SP1 or higher (English only)
- Windows XP Home with SP2 which requires IE6 SP2 or higher (English, Japanese, German)
- Windows XP Home with SP3 which requires IE6 SP2 or higher (English only)
- Windows Vista Home which requires IE7 (English, Japanese, German)
- Windows Vista Home Premium which requires IE7 (English, Japanese, German)
- Windows Vista Business which requires IE7 (English, Japanese, German)
- Windows Vista Ultimate which requires IE7 (English, Japanese, German)
- RHEL 5.0, Update 1 which requires Java JRE 1.5.0 or 1.6.0 and Firefox 1.5 or 2.0 (English only)
- SLES 10 with SP1 which requires Java JRE 1.5.0 or 1.6.0 and Firefox 1.5 or 2.0 (English only)
- Ubuntu 7.10 which requires Java JRE 1.5.0 or 1.6.0 and Firefox 2.0 (English only)
- Mac OS/X 10.4 Tiger (experimental) which requires Java JRE 1.5.0, RDC 1.0, and Safari (English only)
- Mac OS/X 10.5 Leopard (experimental) which requires Java JRE 1.5.0, RDC 1.0, and Safari (English only)

VDM Agent Virtual Desktop


The VDM Agent supports the following operating systems (32-bit) for virtual desktops:
- Windows XP Professional with SP2 (English, Japanese, German)
- Windows XP Professional with SP3 (English only)
- Windows Vista Business Edition (English, Japanese, German)
- Windows Business Ultimate Edition (English, Japanese, German)

Prerequisites
VDM Connection Server has the following prerequisites:
- VMware Infrastructure
  VMware Infrastructure 3.5 (current versions of ESX Server and VirtualCenter) with at least one ESX host and one VirtualCenter instance is recommended. VMware Infrastructure 3.02 is supported.
- Servers running VDM Connection Server standard or replica instances that are joined to an Active Directory domain
  NOTE VDM Connection Server does not make nor require any schema or configuration updates to Active Directory.
- Microsoft Sysprep tools installed on your VC Server
- A customization specification that permits cloned virtual machines to join the AD domain (optional)
- A valid license key for VDM

The VDM Agent, VDM Client, and VDM Web Access have the following prerequisites:
- For Windows guest desktops and Windows clients, you must have administrative privileges to install the VDM Client and the VDM Agent.
- The use of ActiveX controls and Internet Explorer 6 or above is required for Windows client users who access their desktops using VDM Web Access.
- Web Access using Linux or Mac OS X requires Java JRE version 1.5.0 or 1.6.0.
- Microsoft Remote Desktop Connection 6.0 recommended (not required)
  It is recommended that you upgrade VDM Client machines to use Microsoft Remote Desktop Connection (RDC) 6.0. This recommendation applies to machines running Windows XP and Windows XPe. Windows 2000 does not support RDC 6.0. Windows Vista comes with RDC 6.0 installed.
  RDC 6.0 can be downloaded at the following URL:
  http://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=en
- If connecting to a Windows Vista desktop using a Linux client, you must install the rdesktop remote desktop protocol client version 1.5.0, which you can download from the following URL:
  http://www.rdesktop.org/
  After you download rdesktop, follow the instructions in the readme file.
- VDM Web Access requires that you install the full VDM Client to use the USB redirection feature.
- If using USB redirection, make sure you install the USB redirection feature when you install the VDM Client.

Upgrading VDM
Upgrading VDM software is no different than performing any other type of installation. You should upgrade the VDM Client and VDM Agent at the same time you upgrade the VDM Connection Server to ensure the same version is installed on all VDM components. Upgrading to a newer version of software preserves existing configuration data.


Installing and Configuring VDM

VDM installation consists of installing VDM software components and preparations in VirtualCenter. This document describes in detail how to install VDM components but assumes that the administrator is familiar with VMware Virtual Infrastructure administration. VMware recommends that administrators run an end-to-end test before deploying VDM to end users.

Before installing VDM, see Chapter 2, "VDM Introduction and System Requirements," on page 19 to obtain system requirements and hardware and device support. This chapter covers these topics:
- "Prepare Desktop Virtual Machines" on page 28
- "Installing the VDM Connection Server" on page 30
- "One-Time Configuration" on page 33
- "End-to-End Configuration" on page 35
- "VDM Administrator User Interface" on page 49
- "Searching Desktops and Entitled Users and Groups" on page 52
- "Global Configuration Settings" on page 54
- "Viewing Events" on page 56
- "RSA SecurID" on page 56
- "Deleting VDM Objects" on page 57
- "Installing SSL Certificates" on page 58
- "Load Balancing" on page 62
- "DMZ Deployment" on page 65
- "Exporting and Importing VDM Configuration Data" on page 69
- "Client Command Line Parameters" on page 69
- "Collecting VDM Diagnostic Information" on page 70
- "Troubleshooting VDM" on page 72

Prepare Desktop Virtual Machines


Before you install the VDM software, prepare desktop virtual machines for use. Where changes in VirtualCenter are required, see the latest VirtualCenter documentation for specific steps.

Make sure that the following prerequisites are in place:
- Identify the base desktop virtual machine to deploy to users, and install the latest operating system and application Service Packs and patches. For Windows XP desktop virtual machines, ensure that the following Microsoft patch that VDM requires is installed:
  http://support.microsoft.com/kb/323497
- The latest VMware Tools are installed (provided with VI 3.5).
- Make sure that networking settings (proxies, and so forth) are properly configured in the desktop virtual machine.
- VMware VDM Agent is installed.
  NOTE For automated updating of VDM Agent in large environments, VMware recommends using standard Windows update mechanisms such as Altiris, SMS, LanDesk, BMC, or other systems management software.
- Make sure that you have administrative rights to the desktop virtual machine.

To install VMware VDM Agent
1. Download the VDM installer file from the VMware secure Web site to a local drive.
   For information about the location of the secure Web site, contact your VMware representative.
2. Run VMware-vdmagent-2.1.0-<xxx>.exe
   <xxx> is the build number of the software component you are installing in the desktop virtual machine.
   The VMware Installation wizard opens.
3. Click Next.
4. Accept the VMware license terms and click Next.
5. Choose your custom setup options.
   Install the VDM Authentication GINA component to restrict direct RDP connections. By default, RDP connections to the virtual machine from any source are allowed. If the VDM Authentication GINA is installed, RDP connections are only allowed if the connection goes through the VDM Connection Server.
   Installing the VDM Authentication GINA also enables single sign-on (SSO).
   Install the USB Redirection component if virtual desktop users need to access locally connected USB devices with their virtual desktops.
6. Accept or change the destination folder and click Next.
7. Click Install to begin the installation process.
8. Click Finish.

To create a desktop virtual machine template
1. In VirtualCenter, convert the desktop virtual machine to a template.
   You must create a desktop virtual machine template to use desktop pools in VDM.
2. (Optional) In VirtualCenter, create a guest customization specification.
   Use DHCP for the specification and set the computer name to the virtual machine name. Cloned virtual machines also need to be able to join AD domains if the VDM single sign-on feature is required.
3. As a test, deploy a virtual machine from the template to validate that customization is successful.
   Make sure that AD domain join and authentication works.
4. If a folder was not automatically created, create one in the Virtual Machines and Templates Inventory view.


Using the VDM Agent on Virtual Machines with Multiple NICs


For Guest Virtual Machines with more than one virtual NIC, you need to configure the subnet that the VDM Agent will use. This determines which network address the VDM Agent provides to the VDM Server for client RDP connections. To configure this subnet, create the following REG_SZ registry value in the virtual machine on which the VDM Agent is installed:

HKLM\Software\VMware, Inc.\VMware VDM\Node Manager\subnet = n.n.n.n/m (REG_SZ)

In the registry value, n.n.n.n is the TCP/IP subnet and m is the number of bits in the subnet mask.
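
A mistyped subnet, or one that covers none or several of the guest's NICs, leaves it unclear which address is offered for RDP. The following Python sketch is an added example, not part of the VMware guide: it validates an n.n.n.n/m string, confirms that exactly one of the guest's NIC addresses falls inside it, and builds the `reg add` command that creates the value named above. The NIC addresses are constructed sample data, and refusing zero or multiple matches is this example's own policy, since the guide does not say how the agent behaves in those cases.

```python
import ipaddress

# Registry key and value name as given in the guide; the type is REG_SZ.
REG_KEY = r"HKLM\Software\VMware, Inc.\VMware VDM\Node Manager"
REG_VALUE = "subnet"


def parse_subnet(text):
    """Validate an n.n.n.n/m string and return it as an IPv4 network."""
    text = text.strip()
    if "/" not in text:
        raise ValueError("expected n.n.n.n/m, got %r" % text)
    # strict=False accepts 10.20.30.40/24 and normalizes it to 10.20.30.0/24;
    # a bad octet or a prefix length above 32 raises a ValueError subclass.
    return ipaddress.IPv4Network(text, strict=False)


def plan_subnet_value(subnet, nic_addresses):
    """Check the subnet against the guest's NICs and build the reg command.

    Returns a dict with the normalized value, the single NIC address that
    matches, and the command line to run as an administrator in the guest.
    """
    net = parse_subnet(subnet)
    matches = [a for a in nic_addresses if ipaddress.IPv4Address(a) in net]
    if not matches:
        raise ValueError("no NIC address is inside %s" % net)
    if len(matches) > 1:
        raise ValueError(
            "%s covers several NICs (%s); use a longer prefix"
            % (net, ", ".join(matches))
        )
    command = 'reg add "%s" /v %s /t REG_SZ /d %s /f' % (REG_KEY, REG_VALUE, net)
    return {"value": str(net), "address": matches[0], "command": command}


# Constructed sample: a guest with one desktop NIC and one management NIC.
SAMPLE_NICS = ["10.20.30.15", "192.168.50.15"]

if __name__ == "__main__":
    plan = plan_subnet_value("10.20.30.40/24", SAMPLE_NICS)
    print("registry value :", plan["value"])
    print("RDP address    :", plan["address"])
    print("command        :", plan["command"])
```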

Installing the VDM Connection Server


The VDM Connection Server must be running on Windows 2003 Server and be located on either a physical or virtual server dedicated to connection brokering. Do not have the connection server perform any other functions or roles (for example, do not designate the same server to be the VirtualCenter server). The connection server must be joined to the domain (but cannot be a domain controller) and it is recommended that each connection server has a static IP address assigned to it. The domain user account used to install the connection server must have administrative privileges on that server. The connection server administrator also needs to know the VirtualCenter credentials.

It is recommended that you obtain an SSL certificate to use for that VDM Connection Server. For more information about SSL certificate installation, see "Installing SSL Certificates" on page 58.

Single-Server Installation
The most basic type of deployment is single-server deployment. The following diagram shows a single-server deployment with a client device, a connection server, Web-based administration, Active Directory, and VMware Virtual Infrastructure.


Figure 3-1. VDM Single Server Deployment
[Diagram labels: Remote Users; VDM Connection Server; VMware Infrastructure VirtualCenter; ESX Servers (virtual desktops); Active Directory]

To perform a single server installation

1. Run VMware-vdmconnectionserver-2.1.0-<xxx>.exe on the machine that is to act as the connection server.
   <xxx> is the build number of the software component you are installing.
   The VMware Installation wizard opens.
2. Click Next.
3. Accept the VMware license terms and click Next.
4. Accept or change the destination folder and click Next.
5. Choose the Standard deployment option.
6. Click Next > Install > Finish.


Multiserver Installation
VDM Connection Server can also be deployed in a multiserver configuration for high availability and load balancing. The following high-level diagram shows a multiserver deployment, connection servers, a load balancer, Web-based administration, Active Directory, and VMware Virtual Infrastructure (which includes ESX servers hosting the virtual desktops).

Figure 3-2. VDM Multiserver Deployment
[Diagram labels: Remote Users; Local Users; Third-Party Load Balancer; VDM Connection Servers; VMware Infrastructure VirtualCenter; ESX Servers (virtual desktops); Active Directory]

NOTE Multiserver installation assumes that one other instance of VDM Connection Server is installed using the standard deployment option. Multiserver installation is performed on second, or subsequent, servers. See "Single-Server Installation" on page 30 for more information.

To perform a multiserver installation

1. Run VMware-vdmconnectionserver-2.1.0-<xxx>.exe on the machine that is to act as the connection server.
   <xxx> is the build number of the software component you are installing.
   The VMware Installation wizard opens.


2. Click Next.
3. Accept the VMware license terms, and click Next.
4. Accept or change the destination folder, and click Next.
5. Choose the Replica deployment option.
6. Enter the host name or IP address of the existing connection server that you replicate.
7. Click Next.
8. Click Install.
9. Click Finish.

One-Time Configuration
Perform a one-time configuration on your VDM Connection Server so that it is set up to perform deployment tasks.

To perform a one-time configuration

1. Go to https://<hostname_or_ipaddress>/admin to launch VDM Administrator.
   <hostname_or_ipaddress> is the host name or IP address of the VDM Connection Server, or load balancer.
2. Log in using the appropriate credentials.
   Initially, all domain users who are members of the local administrators group on the VDM Connection Server are allowed to log in to the VDM administrator user interface. You can use the interface to change the list of VDM administrators later. The first time you log in, the Configuration page appears. After you enter the license information, the Inventory page displays when you log in.
3. Click the Configuration button to change to the Configuration page if it is not displayed at login.


4. On the Configuration page, perform the following actions:
   a. In Access and Security Settings, enter the VMware VDM license key.
   b. In VirtualCenter Servers, click Add and complete the details for the VirtualCenters to use with VDM.
      If you enter a server using a DNS name or URL, no DNS lookup is performed to verify whether or not the server has previously been entered using its IP address. A conflict will arise if a VirtualCenter server is added with both its DNS name and its IP address.
   c. Grant Administrative rights to AD users who have login access to VDM Administrator.

Enabling and Disabling a VDM Connection Server


Enable the VDM Connection Server so that users can log in. Disable the VDM Connection Server to prevent users from logging in. Currently logged-in users are not affected when you disable the VDM Connection Server. Disabling the VDM Connection Server is useful if you need to take it out of service for any reason. When a VDM Connection Server is disabled, end users who attempt to log in see a message stating that the VDM Server Connection failed and the VDM Server is currently disabled.

To enable a VDM Connection Server

1. Click the Configuration tab.
2. Select the VDM Connection Server from the list of VDM Servers and click Enable.

To disable a VDM Connection Server

1. Click the Configuration tab.
2. Select the VDM Connection Server from the list of VDM Servers and click Disable.
   Disabling a VDM Connection Server does not affect the current active desktop sessions nor will it prevent new desktop sessions from being established.


End-to-End Configuration
Perform an end-to-end configuration on new installations to ensure that installation and configuration issues can be easily resolved. This section refers to both individual and pooled desktops.

To perform a configuration for an individual desktop

1. Click the Inventory tab.
2. In All Desktops, click the Desktops tab and click Add.
3. In Select desktop type, click Individual desktop and click Next.
4. Enter the Desktop ID and the Desktop Display Name.
   The desktop ID is the name that VDM uses to identify the desktop. The desktop display name is what the end user sees when logging in to the desktop. The desktop ID must be unique for each desktop, but the display name does not need to be unique. The desktop ID and display name should correlate to something within your environment (department name or location, for example). If you do not specify a display name, users see the desktop ID.
5. (Optional) Enter a description for the desktop.
   You can use any alphanumeric characters in the description and the description can contain a maximum of 1024 characters, including spaces. The description is only visible in the Administrator user interface and not to end users.
6. Click Next.
7. Set the desktop parameters as follows:
   - Desktop state: Enabled means that the desktop is automatically enabled after it is created. Setting it to Disabled means that you must manually change the setting to Enabled in order to activate the desktop after it is created.
   - Virtual machine power policy: Select Remain on for the desktop to remain powered on until it is shut down by an end user or administrator. The desktop remains powered off until it is manually powered back on when this setting is selected. Select Always powered on if you want the desktop to stay powered on, even if an end user or administrator attempts to power it off. The desktop powers on automatically after a power failure when this setting is selected. Select Suspend when not in use for the desktop to be suspended when the user is not logged in. Select Power off when not in use for the desktop to power off when not in use.


     The power policy is applied to individual desktops when users reconnect after logging off or disconnecting.
   - Automatic logoff after disconnect: Select Immediately for desktop users to be logged off as soon as they disconnect, select Never for users to never be logged off, or select After and enter the number of minutes after which users are logged off when they disconnect.
   - Allow users to reset their desktop: Select this check box to give desktop users the ability to reset their own desktops without going through the administrator. A reset means that the desktop virtual machine powers off and powers back up. This feature is available on persistent desktops and non-persistent desktops where a user has an active session.
8. Click Next.
9. From the list of VirtualCenter servers, select the VirtualCenter server that the desktop is to use and click Next.
10. In the table on the Virtual Machine Selection page, select the virtual machine that the desktop is to use.
    All available virtual machines that are running a supported guest operating system and that another virtual desktop is not using appear in the table, including those that are suspended or not powered on.
11. Click Next.
12. Review the information in Ready to Complete and click Finish to accept it or Back to make corrections.
13. Click Finish.
    After a desktop is added, entitle it to an AD user or group. See "Entitling a Desktop" on page 45.
    For information about testing the desktop launch, see "Connecting to Desktops" on page 45.

Configuration for a Pooled Desktop


Perform a configuration on new installations to ensure that installation and configuration issues can be easily resolved. Deploy a single virtual machine from the template to make sure virtual machines can deploy from this template.


Before you deploy pooled desktops, create a template and a customization specification (if using customization) in VirtualCenter. Make sure you can manually create virtual machines and customize them by using the customization specification. To ensure that single sign-on (SSO) functions, the customization specification must use dynamic address assignment (specifically, DHCP), the computer name needs to be set to the virtual machine name, and the virtual machine must be automatically joined to the domain. For information about creating templates and customization specifications, see the most recent VirtualCenter documentation.

After you complete these template and customization specification items, ensure that the virtual machine successfully joined the domain. Finally, make sure that all guest virtual machine names, including those deployed from the template for the pooled desktop, are registered in DNS. Because you are using dynamically assigned IP addresses, use AD-integrated DNS and let the DHCP client register virtual machines with the dynamic DNS.

NOTE Test individual desktops before testing pools.

VirtualCenter Permissions for VDM


To use VirtualCenter with VDM, VDM administrators must have permissions for certain operations in VirtualCenter. These permissions are granted by creating and assigning VirtualCenter roles to the VDM administrator. Assign VDM administrators the role of administrator for a datacenter or cluster where pools will be created so that they can make the required changes. Assign a role that will allow them to read global customization specifications. These permissions are required for VDM to work with VirtualCenter.

To create the VDM administrator role for VirtualCenter

1. In VirtualCenter, click the Administration button.
2. If it is not already selected, click the Roles tab and click Add Role.
3. Enter a name for the role (VDM Administrator, for example).
4. In the list of Privileges, expand Folder and select Create Folder and Delete Folder.
5. Expand Virtual Machine and perform the following steps:
   a. Expand Inventory and select Create and select Remove.
   b. Expand Interaction and click Power On, Power Off, Suspend, and Reset.


   c. Expand Configuration and select Add new disk, Add or Remove Device, Modify Device Settings, and Advanced.
   d. Expand Provisioning and select Customize, Deploy Template, and Read Customization Specifications.
6. Expand Resource and select Assign Virtual Machine to Resource Pool.
7. Click OK.
   The new role appears in the list of roles.

To assign the administrator or VDM administrator VirtualCenter roles

1. In VirtualCenter, select the datacenter or cluster.
2. Click the Permissions tab.
3. Right-click on the page anywhere below the list of Users and Groups.
4. Click Add Permission.
5. In Users and Groups, click Add.
6. In the Domain drop-down menu, select the administrator's domain.
7. In Users and Groups, select an administrator from the list.
8. Click Add and OK.
9. In Assigned Role, select a role.
   - Select Administrator to give full control over the datacenter or cluster. The Administrator role is preconfigured in VirtualCenter.
   - Select VDM Administrator to give the user the more restrictive access and permissions of the VDM Administrator role that you created.
10. Click OK.

To create a VirtualCenter role for reading customization specifications

1. In VirtualCenter, click Administration.
2. Click the Roles tab and click Add Role.
3. Enter a name for the role (for example, Read Only Customization Specifications).
4. In the list of privileges, select Virtual Machine.
5. Expand Provisioning, and select Read Customization Specifications.
6. Click OK.


To assign VirtualCenter roles for VDM

1. In VirtualCenter, in the Inventory view, click Hosts and Clusters.
2. Click the Permissions tab.
3. Right-click on the page anywhere below the list of Users and Groups.
4. Click Add Permission.
5. In Users and Groups, click Add.
6. In the Domain drop-down menu, select the administrator's domain.
7. In Users and Groups, select an administrator from the list.
8. Click Add and OK.
9. In Assigned Role, select Global Read Only Custom Spec and click OK.

NOTE Test individual desktops before testing pools.

To perform a configuration for a pooled desktop

1. Click the Inventory tab.
2. In Desktops, click the Desktops tab and Add.
3. In Select desktop type, select either Desktop pool - persistent or Desktop pool - non-persistent.
   Persistent desktop pools allow users to log in to the same desktop every time. Users can save documents and files on persistent desktops because they return to the same desktop.
   Non-persistent pools are available to users when they log in but are returned to the pool when users log off. Users log in to a different desktop each time and cannot save documents or files on the desktop.
4. Click Next.
5. Enter the Desktop ID and the Desktop Display Name.
   The desktop ID is the name that VDM uses to identify the desktop (in this case, the desktop pool). The user sees the desktop display name when logging in to the desktop. The desktop ID must be unique for each desktop, but the display name does not need to be unique. The desktop ID and display name do not need to correlate to anything specific within your environment. If you do not specify a display name, users see the desktop ID.


6. (Optional) Enter a description for the pooled desktop.
   You can use any alphanumeric characters in the description and the description can contain a maximum of 1024 characters, including spaces. The description is only visible in the Administrator user interface and not to end users.
7. Click Next.
8. Set up the desktop parameters:
   - Desktop state: Enabled means that the pool is automatically enabled after it is created and ready for use by end users. Disabled means that you must manually change the setting to Enabled to activate the pool after it is created. Disabled is used for such things as upgrading virtual machines or taking desktops offline to perform maintenance.
   - Provision: Enabled means that virtual machines are created for the pool as soon as you finish the steps to add a pooled desktop. Disabled means that you must manually change the setting to Enabled to create virtual machines for the pool after the pool is created.
   - Pool size: Set to the number of desired virtual desktops.
   - Stop provisioning on error: Stops the provisioning of virtual machines when an error is detected.
   - Virtual machine power policy: Remain on sets the virtual machines to always remain on. Always powered on sets the assigned virtual machines to remain powered on. Suspend when not in use sets the virtual machines to be suspended when the user is not logged in. Power off when not in use sets virtual machines to power off when not in use.
     The power policy is applied to assigned persistent pooled desktops when users reconnect after logging off or disconnecting. Power policy for persistent and non-persistent pooled desktops in the idle state is applied the next time users reconnect.
   - Prefix for virtual machine names: Set this to a value for each pool that identifies virtual machines as part of that pool. Virtual machines created for this pool have names that begin with this prefix.
   - Power off and delete virtual machine after first use (for non-persistent pools only): Deletes the virtual machine when the user logs out after first use. If necessary, a new virtual machine is cloned to maintain a specific pool size after virtual machines are deleted.


   - Automatic logoff after disconnect: Select Immediately if you want desktop users to be logged off as soon as they disconnect, select Never if you want users to never be logged off, or select After and fill in the number of minutes after which users are logged off when they disconnect.
   - Allow users to reset their desktop: Select this check box if you want to allow desktop users to reset their own desktops without going through the administrator.
   - Allow multiple sessions per user (for non-persistent pools only): Select this check box if you want to allow a desktop user to simultaneously use multiple desktops in a pool from different client devices.
9. Click Next.
10. From the list of VirtualCenter servers, select the VirtualCenter server that the desktop is to use and click Next.
    If multiple VirtualCenter servers are running in your environment, make sure that another VirtualCenter server is not using the VirtualCenter unique ID. By default, an ID value is randomly generated but it is editable. For details about editing VirtualCenter unique ID values, see the latest VirtualCenter documentation.
11. In Template Selection, select a template from which to deploy virtual machines for the desktop pool.
12. Select the virtual machine folder location.
    VDM creates a folder with the same name as the desktop ID and puts the newly created virtual machines in the folder.
13. Select a host or cluster on which to run the virtual machines that this desktop uses and click Next.
14. Select a resource pool in which to run the virtual machines that this desktop uses, and click Next.
15. Select either a single datastore or multiple datastores to store the virtual machine files and click Next.
    Ensure that sufficient free space is available to store the new virtual machines in the datastores that you select. The amount of free space displays beneath the list of available datastores. The amount of free space increases with each datastore that you select. If you do not have sufficient space available, you must add free space by selecting another datastore.
16. Select a customization specification to customize the guest operating system for virtual machines used in this desktop and click Next.


17. Review the information in Ready to Complete and click Next to accept it or Back to make revisions.
18. Click Finish.
    After the pooled desktop is added, entitle it to an AD user or group. See "Entitling a Desktop" on page 45.
    For information about testing the desktop launch, see "Connecting to Desktops" on page 45.

Advanced Pool Settings


Use advanced pool settings to override the default pool settings and determine how your pooled desktops are deployed and managed. The advanced pool settings are an option when you are creating either a persistent or non-persistent pool in the Desktop Settings in the Add Desktop wizard.

When you are configuring desktop settings, access and enable the advanced settings by expanding Advanced Settings and selecting Enable Advanced Pool Settings. The advanced pool settings include the following options:

- Minimum number of virtual machines: Overrides the default minimum number of virtual machines available for a pool. Set this number to the minimum number of anticipated virtual machines upon first deployment.
- Maximum number of virtual machines: Overrides the default maximum number of virtual machines available for a pool. Set this number to the maximum number of virtual machines that are to be deployed in the pool at any point. This setting is necessary to prevent overburdening of hardware resources.
- Number of available virtual machines: Overrides the default number of available virtual machines for a pool. This setting determines how many virtual machines are available for immediate use. If the power policy dictates, available virtual machines over this limit will be suspended or powered off as needed. For non-persistent pools, this setting determines how many virtual machines are provisioned (added) as new users log in to virtual desktops. For persistent pools, this setting must match the rate at which users are added to the environment (in other words, if you add two users a day, set this number to 2 for persistent pools).

You can further specify virtual machine behavior for desktops that use a specific VirtualCenter Server using the advanced VirtualCenter settings on the Configuration page. On that page, you can control the maximum number of concurrent provisioning (desktop virtual machine creation) operations and the maximum number of concurrent power operations.


Advanced Pooling Example Scenarios


VDM pooling is flexible and offers many possible combinations of settings. The following example scenarios show some possible combinations of settings and illustrate how VDM behaves.

Pooling Example 1

Pooling example 1 has the following settings:

- Type of pool: Non-persistent
- Minimum number of virtual machines: 100
- Maximum number of virtual machines: 200
- Number of available virtual machines: 20
- Virtual machine power policy: Suspend when not in use

In this example, the pool initially clones and customizes 100 virtual machines. After 20 virtual machines, a virtual machine is suspended for each new cloned virtual machine so that the available count (in other words, powered up and ready for use) does not exceed 20. The minimum and maximum values only affect the cloning and not the number of available virtual machines.

As users log in, the number of available virtual machines setting powers up more virtual machines to keep them at the right level. When the eightieth user logs in, the setting initiates a cloning operation. As users log out, virtual machines are suspended (based on the power policy) to keep the available number of virtual machines down.

Pooling Example 2

Pooling example 2 has the following settings:

- Type of pool: Persistent
- Minimum number of virtual machines: 100
- Maximum number of virtual machines: 200
- Number of available virtual machines: 20
- Virtual machine power policy: Suspend when not in use

The actions are the same as in Example 1, except that when users log off, their virtual machines are suspended. The used virtual machines are not returned to the pool because they are now assigned.


Pooling Example 3

Pooling example 3 has the following settings:

- Type of pool: Non-persistent
- Minimum number of virtual machines: 100
- Maximum number of virtual machines: 200
- Number of available virtual machines: 20
- Virtual machine power policy: Remain on

The pool initially clones and customizes 100 virtual machines. These virtual machines are left running. As the eightieth and subsequent users log in, the available count restarts cloning to maintain the capacity.

Pooling Example 4

Pooling example 4 has the following settings:

- Type of pool: Non-persistent
- Minimum number of virtual machines: 200
- Maximum number of virtual machines: 200
- Number of available virtual machines: 20
- Virtual machine power policy: Remain on

The pool clones 200 virtual machines. No more virtual machines are ever cloned. The power policy means that virtual machines are not powered off.

Pooling Example 5

Pooling example 5 has the following settings:

- Type of pool: Non-persistent
- Minimum number of virtual machines: 200
- Maximum number of virtual machines: 200
- Number of available virtual machines: 20
- Virtual machine power policy: Suspend when not in use

The pool clones 200 virtual machines. After the twentieth clone, the pool manager starts to suspend virtual machines to maintain the available count at 20. As users log in, virtual machines are resumed to maintain the spare count.


Entitling a Desktop
After an individual or pooled desktop is added, entitle AD users or groups to it.

To entitle a desktop to an AD user or group

1. In All Desktops on the Inventory tab, choose the desktop that you want to entitle.
2. Click Entitle and Add.
3. In Select object type, select Users or Groups.
4. Choose the domain where the object you are entitling resides, or choose Entire Directory to search across the entire Active Directory domain forest.
   You can search by name or description.
5. Choose the object to add to the entitlement.
   You can entitle multiple users and groups to a desktop. If you entitle multiple users or groups to a desktop, the desktop behaves like a non-persistent pool. For information about non-persistent pools, see "Configuration for a Pooled Desktop" on page 36.
6. Click OK.
7. In entitlement, click OK.

Connecting to Desktops
VDM provides the VDM Client or VDM Web Access for connecting to the desktop virtual machine.

NOTE Make sure you have administrative rights to the client machine.

To connect to desktops using the VDM Client

1. Download and run VMware-vdmclient-2.1.0-<xxx>.exe.
   <xxx> is the build number of the software component you are installing.
   The Installation wizard opens.
2. Click Next.
3. Accept the VMware license terms and click Next.


4. Choose one of the following Custom Setup options:
   - Click Next to accept the default settings. The default settings install the client and the USB redirection feature.
   - Select USB Redirection and choose This feature will not be available to prevent installation of this feature. Having this feature installed requires space on your hard drive, so not installing it frees the required space.
5. Click Next to accept the default destination folder or click Change to use a different destination folder and then click Next.
6. (Optional) Enter the default server to which the client will connect and click Next.
   This entry is the IP address or FQDN of the server.
7. Configure shortcuts for the VDM Client or, to not use shortcuts, deselect all choices.
8. Click Next > Install > Finish.
9. Start the VMware VDM Client.
10. In the VDM Server drop-down menu, enter the host name or IP address of the VDM Server.
11. Click Connect.
12. Enter the entitled user's credentials, select the domain and click Login.
13. Choose the entitled desktop and click OK.
    The desktop virtual machine is connected.

To connect to desktops using VDM Web Access

1. Start the browser and navigate to the VDM Connection Server URL.
   For example, navigate to https://<hostname_or_ipaddress>, where <hostname_or_ipaddress> is the host name or IP address of the VDM Connection Server.
2. Enter an entitled user's name and password and select the correct domain from the drop-down menu.
3. Click Login.
4. When Access Status is Ready, choose a desktop from the list and click Connect.
   The desktop is connected.


To connect to desktops using VDM Web Access

1. Start the browser and go to the VDM Connection Server URL.
   For example: https://<hostname or ipaddress>, where <hostname or ipaddress> is the host name or IP address of the VDM Connection Server.
2. The VDM Client installs automatically if you are logging on using a Windows client.
3. Enter the entitled user's name and password and make sure that you select the correct domain from the drop-down menu.
4. Click Login.
5. When the Access Status is Ready, select a desktop from the list and click Connect.
   The desktop is connected.

Changing End User Passwords


VDM supports password policies from the AD domain. If AD group policy is set so that passwords expire or an AD administrator requires users to change their passwords, the users are prompted to do so when logging on to VDM using the Client or Web Access. The password the user enters must conform to, and will be checked against, any AD group policy that has been set.

Setting the Default Desktop for Thin Client Users


VDM administrators can set the default desktop that thin client users log in to using the VDMAdmin.EXE command-line command on the VDM Connection Server. This utility is only available on US English systems.

To set the default desktop for a thin client user

1. Open a command prompt on the VDM Connection Server.
2. From the command line, run this command:

   "C:\Program Files\VMware\VMware VDM\Server\bin\vdmadmin" -D -d mydesktop -u <Domain>\<Username>

   Running the command creates an entry in LDAP to ensure that thin client users who are entitled to multiple desktops only have access to the default desktop after this command is run. Users can set their own default desktops but only after logging in to the thin client.


Setting an Externally Resolvable Name on a Connection Server


If VDM clients cannot directly access a VDM Connection Server by using https://<hostname> where <hostname> is the host name of the VDM Connection Server, you must specify an externally resolvable name for the VDM Connection Server. If the VDM Connection Server is accessed from the Internet, set the name to something that resolves on the Internet. This name can be something like https://vdmservername.mycompany.com. Whenever this situation arises, you must set the name for each VDM Connection Server that is unresolvable.

The process of setting the name is not the same for all installation types. For standard or replica installations, you can set the name by using the Administrator user interface. For a security server installation, you must edit or create a file with the settings and save it on the security server.

To set the name on a standard or replica installation

1. On the Configuration page, in VDM Servers, choose the VDM Connection Server.
2. Click Edit.
3. Enter a name in the External URL field and click OK.
4. Restart the VDM Connection Server service so that the changes take effect.
5. Click Start > Administrative Tools > Services and select the VMware VDM Connection Server from the list of services.
   If the service is running, click Restart the service. If the service is not running, click Start the service.

To set the name on a security server installation

1. Create or edit the properties file (locked.properties) so that it contains entries for the externally resolvable name of the security server, the port number and the client protocol.
   The properties file is a text file. If it already exists, it is located at C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf\locked.properties. Always save this file in the same place, whether it already exists or not.


   As an example, if the security server's externally resolvable name is vdmservername.mycompany.com, the port number is 443, and the client protocol is HTTPS, you use a text editor to edit or create the properties file with the following entries:

   clientHost=vdmservername.mycompany.com
   clientPort=443
   clientProtocol=https

   If a properties file already exists containing entries with these keywords, replace the entries with new entries from this list.
2. Save the file.
3. Restart the VDM Security Server service so that the changes take effect.
4. Click Start > Administrative Tools > Services and select the VMware VDM Security Server from the list of services.
   If the service is running, click Restart the service. If the service is not running, click Start the service.
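A lint pass for locked.properties before the security server service is restarted, as an added example (not VMware code): it checks the three entries named above, catches old entries that were appended to rather than replaced, and flags a clientProtocol of http. Both sample files are constructed; the warnings about IP addresses and unqualified host names are this example's reading of "externally resolvable name", not rules from the guide.

```python
import ipaddress

# The three keywords the guide names for a security server.
REQUIRED = ("clientHost", "clientPort", "clientProtocol")


def parse_properties(text):
    """Minimal key=value parser. Returns (entries, duplicated_keys)."""
    entries, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in entries:
            duplicates.append(key)
        entries[key] = value                 # the last entry wins here
    return entries, duplicates


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_locked_properties(text):
    """Return a list of (severity, message); an empty list means clean."""
    entries, duplicates = parse_properties(text)
    out = []
    for key in duplicates:
        if key in REQUIRED:
            out.append(("error", f"{key} appears more than once; "
                                 "replace the old entry instead of adding one"))
    for key in REQUIRED:
        if not entries.get(key):
            out.append(("error", f"{key} is missing or empty"))

    host = entries.get("clientHost", "")
    if host:
        if "/" in host or ":" in host:
            out.append(("error", "clientHost must be a bare name; protocol "
                                 "and port have their own entries"))
        elif _is_ip(host):
            out.append(("warn", "clientHost is an IP address, not a name"))
        elif "." not in host:
            out.append(("warn", "clientHost is unqualified and unlikely to "
                                "resolve externally"))

    port = entries.get("clientPort", "")
    if port and not (port.isascii() and port.isdigit()
                     and 1 <= int(port) <= 65535):
        out.append(("error", f"clientPort {port!r} is not a TCP port"))

    proto = entries.get("clientProtocol", "").lower()
    if proto and proto not in ("http", "https"):
        out.append(("error", f"clientProtocol {proto!r} is not http or https"))
    elif proto == "http":
        out.append(("warn", "clientProtocol=http: clients are directed to "
                            "an unencrypted URL"))
    return out


# Constructed sample 1: the values used in the guide's example.
GOOD = """clientHost=vdmservername.mycompany.com
clientPort=443
clientProtocol=https
"""

# Constructed sample 2: an old entry left in place, a URL in clientHost,
# an out-of-range port, and the weaker protocol setting.
BAD = """# edited by hand
clientHost=vdmserver
clientHost=https://vdmservername.mycompany.com
clientPort=70000
clientProtocol=http
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_locked_properties(sample) or "clean")
```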

VDM Administrator User Interface


The VDM Administrator user interface is where you perform all of the configuration, deployment, and administrative tasks for VDM. The Inventory, Configuration, and Events buttons always appear at the top of the Administrator user interface. These buttons allow you to navigate to other areas of the interface and perform administration and configuration tasks. This section describes the pages that each button opens and the options associated with them.

When you click a button in the administrator user interface and you select a tab on the page that opens, the background becomes white. Tabs that are not selected have a purple background.

Inventory Page
The Inventory page opens when you log in to the VDM Administrator user interface (except the first time you log in, when the Configuration page opens). The Inventory page is where you access all of your virtual machines and deploy and make changes to virtual desktops. The Show drop-down menu allows you to change between the Desktops and Entitled Users and Groups views.


The Inventory page allows you to search and filter information about desktops, virtual machines, and active sessions and to scroll between pages if multiple pages exist (each page contains 200 objects).

Desktops view

Choose among the Desktops, Virtual Machines, or Active Sessions tabs. On the Desktops tab, you can add, edit, entitle, enable, disable, or delete desktops or desktop pools. On the Virtual Machines tab, you can view and delete virtual machines. On the Active Sessions tab, you can view, disconnect, or reboot active sessions.

You can filter the information in the tables that are associated with each tab. You can also choose which columns to filter and search when the Desktops view is selected.

- Desktops tab: Filter and search the Desktop ID or Type columns.
- Virtual Machines tab: Filter and search the Virtual Machine Name, IP Address, User, or Status columns.
- Active Sessions tab: Filter and search the User or Desktop columns.

When you are in the Desktops view, you can choose between the Inventory and Search tabs on the left side of the page.

- Inventory: All of the desktops appear in a list on that tab. Selecting a desktop from the list displays information about that desktop on the right side of the page. The right side of the page also displays the Summary, Users and Groups, Virtual Machines, and Active Sessions tabs.
- Search: The Search for Desktops field appears. Enter search text in this field to search for desktops. You can use the In these categories check boxes to choose the search criteria. Selecting a desktop from the list displays information about that desktop on the right side of the page. In addition, the right side of the page displays the Summary, Users and Groups, Virtual Machines, and Active Sessions tabs.

The Inventory page uses a different icon for each type of desktop. Individual desktop icons have a solid border containing one blue square, persistent pool desktop icons have a solid border containing two blue squares, and non-persistent pool desktop icons have a dotted border containing two blue squares.

Entitled Users and Groups view

In the Entitled Users and Groups view, you can choose between the Entitled Users and Groups and Active Sessions tabs. You can view the entitled users and groups for virtual desktops or pools of desktops and disconnect active sessions here.


You can filter the information in the tables that are associated with each tab. You can also choose which columns to filter and search when the tabs in the Entitled Users and Groups view are selected:

- On the Entitled Users and Groups tab, you can choose to filter and search the Display Name or Domain columns.
- On the Active Sessions tab, you can choose to filter and search the User or Desktop columns.

When you are in the Entitled Users and Groups view, you can choose between the Inventory and Search tabs on the left side of the Inventory page.

- When you select the Inventory tab, all of the entitled users and groups appear in a list on the tab. Selecting a user or group from the list displays information about that user or group on the right side of the page. In addition, the right side of the page displays three tabs: Summary, Desktops, and Active Sessions.
- When you select the Search tab, the Search for Desktops: field displays. Enter search text in this field to search for users or groups. Select the search criteria using the check boxes in In these categories.

Configuration Page
The Configuration page opens when you log in to the VDM Administrator user interface for the first time (before adding your license information). It is the same page that is opened when you click Configuration. The Configuration page contains the following fields:

   Access and Security Settings: Edit license serial number information.
   VirtualCenter Servers: Add, edit, or delete VirtualCenter servers for the connection server to use.
   VDM Servers: Enable or disable VDM servers (VDM Connection Servers), edit VDM server settings, and enable RSA SecurID.


   Global Settings: Enable direct connection to virtual desktops so that connections to desktops are made directly from the client to the virtual machine, enable USB redirection, which allows you to use locally connected USB devices on a virtual desktop, set SSL for security server that determines if you use HTTP or HTTPS for communication between the client and the VDM Connection Server, and set the session timeout to determine the overall duration of the session before it times out.
   Administrators: Add or delete administrators for the connection server and search Active Directory for users or groups and add them as administrators.

Events Page
Use the Events page to view events that an individual connection server generates. You can enter text in the Contains field and search by type of message, the time of the message or the message text itself. You can also determine the number of days of messages to display.

Searching Desktops and Entitled Users and Groups


Use the Inventory page to search for information about desktops and entitled users and groups. You can either search by using the columns in the tables that appear on the right side of the page or search by using the categories that appear on the left side of the page.

To search columns in the Desktops Inventory view
1. On the Inventory page, choose Desktops from the Show menu.
2. In the Desktops field (on the right side of the page), click the Desktops, Virtual Machines, or Active Sessions tab.
3. Click the arrow after Contains and select the check boxes for the appropriate columns.
4. Click Done.
5. Enter search text and click Go.

To search categories in the Desktops Search view
1. On the Inventory page, choose Desktops from the Show menu.
2. In the Search for desktops field (on the left side of the page), enter search text.
3. In the In these categories field, select Display Name, Desktop ID, Type, User, or VirtualCenter Name to search that category.
4. Click Search.


To search columns in the Entitled Users and Groups Inventory view
1. On the Inventory page, select Entitled Users and Groups from the Show menu.
2. In the Entitled Users and Groups field (on the right side of the page), click the Entitled Users and Groups or Active Sessions tab.
3. Click the arrow after Contains and select the check boxes for the appropriate columns.
4. Click Done.
5. Enter search text and click Go.

To search categories in the Entitled Users and Groups Search view
1. On the Inventory page, select Entitled Users and Groups from the Show menu.
2. In the Search for users field (on the left side of the page), enter search text.
3. In the In these categories field, select Common name, Given Name, Description, Email, Display Name, or Domain Name to search that category.
4. Click Search.

Working with Active Sessions


After you connect to a virtual desktop or desktop pool, active sessions are in the inventory. You can access active sessions on the Inventory page.

To view, disconnect, or reboot active sessions
1. Click the Inventory tab.
2. In Desktops, click Active Sessions.
   You can view the user, desktop ID, DNS name of the VM, start time, duration, and server state (connected or disconnected) for each active session.
3. Click anywhere in an active session.
   The Disconnect Session and Restart Virtual Machine options become available.
4. Click Disconnect Session to disconnect the selected active session or click Restart Virtual Machine to restart the active session.


Global Configuration Settings


Use global configuration settings to set VDM behavior, depending on your specific requirements. Table 3-1 lists the global configuration settings.

Table 3-1. Global Configuration Settings

Option: Session timeout (in minutes)
Description: Overall session time limit that starts when a user logs in to the connection server. It is the total amount of time that a user is allowed to be logged in before the session terminates.

Option: Direct connect to virtual desktop
Description: If selected, remote desktop sessions are established directly between the VDM Client and the desktop virtual machine, bypassing the VDM Connection Server (in other words, they do not use tunneled connection). The initial connection is still made to the VDM Connection Server for users to authenticate and select appropriate desktops they are entitled to. This option is appropriate only for deployments inside a corporate network, because RDP traffic is sent unencrypted over the connection between the client and desktop virtual machine. This setting is disabled by default. Changes to this setting take effect for each user upon the next login.

Option: USB redirection
Description: If selected, causes the native client to disable all USB functionality when activated. Changes to this setting take effect for each user upon the next desktop launch.

Option: Require SSL for client connections
Description: If Require SSL for client connections is selected, HTTPS is used as the communication protocol between the client and the VDM Connection Server. Clients who attempt to connect using HTTP are automatically redirected to HTTPS. Changes to this setting require that the VDM Connection Server be restarted to take effect.



Option: Reauthenticate after network interruption
Description: If selected, determines whether or not user credentials need to be reauthenticated after a network interruption. When this setting is selected, users must reenter their credentials and reauthenticate them against Active Directory. This setting is not available when the Direct connect to virtual desktop setting is selected. If this setting is enabled, the client terminates and the user must log on again to the VDM Connection Server (session remains in disconnected state). Requires a restart of the VMware VDM Connection Server to take effect.

Option: Pre-login message
Description: If selected, Client and Web Access users see a disclaimer or login message with information or instructions entered by the administrator.

To configure global settings
1. In Global Settings on the Configuration tab, click Edit.
2. Set the session timeout.
   Determine how long users are allowed to keep sessions open after they log in to the connection server and enter this value in minutes. The Session timeout field must contain a value.
3. Set the optional global settings.
   Select Direct Connect to Virtual Desktop to enable connections directly from the client to the virtual machine.
   Select USB Redirection to cause the native client to disable all USB functionality.
   Select Require SSL for client connections to enable HTTPS as the communication protocol between the client and the connection server. Uncheck the check box to enable HTTP.
   Select Reauthenticate after network interruption to force users of virtual desktops to reenter their Active Directory credentials after a network interruption.
   Select Show a pre-login message to users upon login if administrators need to configure a message for Web Access or Client users when they log in. After selecting this check box, type the message into the text field.
4. Click OK.

Viewing Events
VDM provides a page for viewing events for an individual connection server. You can use the information on the Events page for diagnosing problems or viewing activity on the server.

To view events
Click the Events tab.
The Events page opens and lists the name of the server for the events that are displayed.

To search events
1. Click the arrow after Contains and select the columns to search (Messages, Time, Type).
2. From the list, choose the number of days of messages to show in the Events table.
3. Click Done.
4. Enter search text in the text box.
5. Click Go.
   Search results appear in the Events table. Click (more) at the end of each message to display more details about the event.

RSA SecurID
VDM supports RSA SecurID as an additional method for user authentication. RSA SecurID provides strong, two-factor authentication when you access virtual desktops, in addition to the authentication provided when using AD credentials.

If you are using RSA SecurID, you must first enable it by editing your VDM server settings. After you install the RSA SecurID software on your VDM servers, you can edit RSA settings in the VDM administrator user interface.


To enable or edit RSA SecurID
1. Click the Configuration tab.
2. In VDM Servers, click Edit.
3. In the RSA SecurID dialog box, configure the desired RSA settings:
   Enabled: Enables RSA SecurID authentication for end users accessing virtual desktops.
   Enforce SecurID and Windows user name matching: SecurID checks names against Windows user names and denies access to names that do not match.
   Clear node secret: Refers to the node secret on the VDM Agent. For more information about this setting, see the RSA Authentication Manager user documentation.
4. In the Upload RSA authentication agent configuration file (sdconf.rec) field, enter the location of the sdconf.rec file or click Browse to search for the file.
   For more information about the sdconf.rec file, refer to the RSA Authentication Manager user documentation.
5. Click OK.

Deleting VDM Objects


Delete VDM objects (VirtualCenter, VDM servers, and desktops) by using the administrator user interface.

To remove a VirtualCenter server from a VDM server
1. Click the Configuration tab.
2. In VirtualCenter Servers, click Remove.
   If desktops are using this VirtualCenter server, an error message tells you that you must first delete the desktops using this VirtualCenter before you can delete the VirtualCenter.
   If no desktops are using this VirtualCenter server, a warning message tells you that you can no longer access virtual machines managed by this virtual center.
3. Click OK.
   The VirtualCenter server is deleted.


To delete a desktop from a VDM server
1. Click the Inventory tab.
2. In All Desktops, click the Desktops tab.
3. Select a desktop to delete and click Delete.
   You are given the option to remove the virtual machines from the connection broker only, which means they are still visible in VirtualCenter, or to delete them from disk, which means they are no longer visible in VirtualCenter.
   If the desktop has active sessions, you are given the option to disconnect the users, which means users lose their connected desktops, or to leave the users connected, which means users do not lose their connected desktops.

To delete a virtual machine from a VDM desktop
1. Click the Inventory tab.
2. In All Desktops, select the desktop containing the virtual machine to delete.
3. Click the Virtual Machines tab.
4. Click Delete.
   You are given the option to remove the virtual machines from the connection broker only, which means they are still visible in VirtualCenter, or to delete them from disk, which means they are no longer visible in VirtualCenter and deleted from the datastore.
   If the desktop has active sessions, you are given the option to disconnect the users (if remove from the connection broker is chosen), which means users lose their connected desktops, or to leave the users connected, which means users do not lose their connected desktops.

Installing SSL Certificates


The VDM Connection Server includes a self-signed SSL certificate that you can use the first time you connect. This certificate is not trusted by clients and does not have the correct name for the service, but it does allow connectivity.

Replace these initial certificates with properly constructed certificates for the service. This removes the certificate check messages that users see and allows thin client devices to connect.


To install certificates, follow these high-level steps:
1. Create a suitable Certificate Signing Request (CSR).
2. Submit the request to your Certificate Authority (CA) and receive the new certificate.
3. Import the certificate into the keystore for the VDM Connection Server.
4. Configure the VDM Connection Server to use this new certificate.

Creating the CSR


Deciding what name to bind to a CSR is an important consideration. A certificate binds the name of the service to a cryptographic key pair and, in doing so, assumes ownership of the service and keys. The client can trust the server (and its cryptographic key) because the CA independently determined that the organization that is claiming ownership requested the key.

The most important part of the CSR is the common name (CN) attribute. Use the name that the client computer uses to connect to the VDM Connection Server. In a single-server environment, the name is typically the name of the server. If load balancing is being used, use the load-balanced name.

To create the CSR
1. Using the Windows command prompt, create a new keystore containing a public-private key pair:
%JAVA_HOME%\bin\keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -storepass <secret> -validity 360

2. Answer the following questions:
   What is your first and last name?
      This is the CN attribute. Enter the server name or load-balanced name, for example, server.vmware.com.
   What is the name of your organizational unit?
      This is information about where in your organization this server is being deployed. Your CA might have requirements for completing this field. For example, it might require the company's domain name (for instance, vmware.com).
   What is the name of your organization?
      This might be your department or company name.
   What is the name of your City or Locality?
      Enter your location or leave blank (Unknown).
   What is the name of your State or Province?
      Enter your state information or leave blank (Unknown).
   What is the two-letter country code for this unit?
      Enter your country code (GB, for example).
3. Confirm the full name, enter Yes, and press Enter.
   The keys.p12 file is created in the current directory.
4. Use the following key pair to create a CSR:
%JAVA_HOME%\bin\keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12 -storepass secret

The certificate.csr file is created in the same location. The contents of the file look like the following example:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBuDCCASECAQAweDELMAkGA1UEBhMCR0IxEDAOBgNV
BAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xFDAS
BgNVBAoTC1ZNd2FyZSBJbmMuMRMwEQYDVQQLEwp2bXdh
cmUuY29tMRowGAYDVQQDExFzZXJ2ZXIudm13YXJlLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA85iM
2G4J695Nh3LfU0S7eAdXHG51MtRcfR397jj0sjFk2THO
T8Xkeue6pCAg0E9vsRSKiFZiMQLOTSkg0Vwd+bYDMzMx
Uam/baSq7z7JF8irTHXYB/1PXDWdykUI7jYSRVxhjbHm
XU8/2jEUL5DocLDLnygsUD2g7cUMYdz/HeECAwEAAaAA
MA0GCSqGSIb3DQEBBQUAA4GBALq2e5FWHQIE26J0lIdR
FLQqlsu78IsuGF19nvJSxrdnHFUpUvTaTA3auGsz+UJG
/vdHqFt49oSIrIhd7NALLumBoOq4tEywvE3vq0ytUvIE
imJCKsAiAeyWZUydJps+zhVKKhiscgFh60AZp1bmTJgu
AeHnsPs7a1Q0JH6OZvdU
-----END NEW CERTIFICATE REQUEST-----

5. (Optional) Back up the keys.p12 file after the certificate is imported into it in case you need to rebuild the configuration for the server at some point.


To submit the CSR and import the certificate
1. Contact your CA and provide the relevant information and a copy of the CSR generated in "To create the CSR."
2. Request a certificate in PKCS#7 format.
   For testing purposes, Thawte provides a free CA at https://www.thawte.com/cgi/server/try.exe that generates a 21-day SSL certificate based on an untrusted root. This is slightly better than the get-you-started certificate supplied with VDM because it now uses the correct name. However, clients still issue warnings that the service is not trusted.
3. Copy the contents of the generated file into a text editor and save it as certificate.p7.
   The file looks like the following example:
-----BEGIN PKCS7-----
MIIF+AYJKoZIhvcNAQcCoIIF6TCCBeUCAQExADALBgkqhkiG9w0BBwGgggXNMIID
LDCCApWgAwIBAgIQTpY7DsV1n1HeMGgMjMR2PzANBgkqhkiG9w0BAQUFADCBhzEL
...
i7coVx71/lCBOlFmx66NyKlZK5mObgvd2dlnsAP+nnStyhVHFIpKy3nsDO4JqrIg
EhCsdpikSpbtdo18jUubV6z1kQ71CrRQtbi/WtdqxQEEtgZCJO2lPoIWMQA=
-----END PKCS7-----

4. Import the certificate into the keystore using the following command (change the password and replace secret with another password):
%JAVA_HOME%\bin\keytool -import -keystore keys.p12 -storetype pkcs12 -storepass secret -keyalg "RSA" -trustcacerts -file certificate.p7

This operation might generate the following message:
... is not trusted. Install reply anyway?

This message is generated because the root certificate given to you is not trusted by Java because it is a test certificate and not for production use. Installing this certificate is allowed but might not provide a better user experience than the get-you-started certificate.

To configure the VDM Connection Server to use the new certificate
1. Place a new certificate file in the following location on each VDM Connection Server (standard, replica, or security server):
      C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf
2. Create or edit the following file on each server:
      C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf\locked.properties
3. Add the following properties:
      keyfile=keys.p12
      keypass=secret
   Change the values as needed to match what you created in the previous step.
4. Restart the VDM service.
   Assuming your environment is configured to use SSL, a log message like the following appears:


13:57:40,676 INFO <Thread-1> [NetHandler] Using SSL certificate store: keys.p12 with password of 6 characters

This message indicates that the configuration is in use.
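A check that the restart picked up the new keystore, as an added example (not part of the original guide and not VMware code): it compares locked.properties with the "Using SSL certificate store" message shown above. The sample inputs are constructed, and treating the keypass value literally, whitespace included, is an assumption about how the file is read.

```python
import re

# Constructed sample inputs for illustration; not taken from a real server.
SAMPLE_PROPERTIES = "keyfile=keys.p12\nkeypass=secret\n"
SAMPLE_LOG = (
    "13:57:39,900 INFO <Thread-1> [NetHandler] Starting (constructed line)\n"
    "13:57:40,676 INFO <Thread-1> [NetHandler] Using SSL certificate store: "
    "keys.p12 with password of 6 characters\n"
)

# Matches the startup message quoted in the guide.
STORE_LINE = re.compile(
    r"Using SSL certificate store: (?P<store>\S+) "
    r"with password of (?P<length>\d+) characters"
)


def parse_properties(text):
    """Read key=value lines, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # The value is kept literally (assumption) so stray whitespace
        # around the password can be reported instead of silently dropped.
        props[key.strip()] = value
    return props


def check_certificate_config(properties_text, log_text):
    """Return findings; an empty list means the log confirms the settings."""
    findings = []
    props = parse_properties(properties_text)
    keyfile = props.get("keyfile", "").strip()
    keypass = props.get("keypass", "")
    if not keyfile:
        findings.append("keyfile is not set")
    if not keypass:
        findings.append("keypass is not set")
    elif keypass == "secret":
        findings.append("keypass is still the example value from the guide")
    elif keypass != keypass.strip():
        findings.append("keypass has leading or trailing whitespace")

    hits = [m for m in map(STORE_LINE.search, log_text.splitlines()) if m]
    if not hits:
        findings.append("log has no 'Using SSL certificate store' message")
        return findings
    latest = hits[-1]  # the message from the most recent service start
    if keyfile and latest.group("store") != keyfile:
        findings.append(
            "log reports store %s but keyfile is %s"
            % (latest.group("store"), keyfile)
        )
    if keypass and int(latest.group("length")) != len(keypass):
        findings.append(
            "log reports a %s-character password but keypass has %d characters"
            % (latest.group("length"), len(keypass))
        )
    return findings
```

An empty result means the latest startup message names the configured keystore and reports the configured password length.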

Load Balancing
When you set up and configure servers for VDM, load balancing is an important design consideration. Load balancing provides the highest level of scalability and helps avoid any single points of failure. Load balancing addresses the scaling and fault tolerance of your VDM solution.

The VDM Connection Server is the core component of VDM. You can deploy the VDM Connection Server as either a connection server or as a security server. VDM Connection Servers provide session management and handle all incoming client requests and direct them to the appropriate virtual desktop session. The VDM Security Servers ensure secure communication between the client devices and the VDM Connection Servers.

You might already have an existing load-balancing solution in place supporting current business applications and services. You can leverage existing load-balancing services because the load that VDM uses on the load-balancing infrastructure is minimal. In addition to typical hardware-based load-balancing appliances, inexpensive or free software-based products can also be considered as possible load-balancing solutions.

You can deploy load balancing whether you are using a DMZ deployment with security servers deployed inside a DMZ, or a non-security-server deployment with end users connecting directly to VDM Connection Servers. See "Load Balancing in a DMZ Deployment."


Load Balancing in a Non-DMZ Deployment


In some cases, such as LAN-based deployments, users can connect directly to VDM Connection Servers. In this case, no VDM Security Servers are deployed. You can use tunneled or nontunneled deployment available for LAN-based connections. When tunneling is enabled, all VDM traffic is encrypted and tunneled through a VDM Connection Server. When tunneling is not enabled, session traffic is not routed through the VDM Connection Servers and therefore is not SSL encrypted. After a client connects to the virtual desktop that it uses, all communication is between the client and the virtual desktop.

Session Setup and Load Balancing


To configure load balancing, it is important to understand how sessions are set up and how connection information passes between the client and the connection servers.

The initial HTTP or HTTPS TCP session is established between the client and VDM Security Server or VDM Connection Server. The user is authenticated during the initial connection. If authentication is successful, control information is returned to the client. The control information includes a list of virtual desktops to which the user is entitled to connect and the fully qualified domain name (FQDN) of the VDM Connection Server or VDM Security Server.

After the client receives connection information, it initiates a second TCP session for the tunnel to the FQDN (of the connection server). The second TCP session is an SSL tunnel between the client and the security server or VDM Connection Server. After this TCP session starts, the RDP client on the client machine connects to the localhost listener and traffic is routed through the tunnel to the security server and then to the virtual desktop.

The VDM secure connection is used for communication in an RDP session. When a client is ready to establish an RDP session with the selected virtual desktop, the client starts a local TCP listener. After it is started, a TCP session is established between the VDM Connection Server and the virtual desktop running on the ESX server. The RDP client on the client machine then connects to the localhost, and communication is handled by using the VDM secure connection previously established.

In a load-balanced configuration, when a client establishes a TCP session, the TCP session can be established with different hosts. For example, the client's first connection from the client to the load balancer might be to a global DNS name such as https://vdiyourcompany.com. The load-balancing infrastructure then forwards the request to https://vdm1.example.com, one of the servers in the VDM Security Server farm. You can use one of several common load-balancing methods (proxy, HTTP redirect, NLB cluster, round-robin DNS, and so forth) to decide which VDM server is to handle the session.

After the VDM client authenticates with the VDM server, it receives specific instructions to connect directly to https://vdm1.example.com and establish an SSL tunnel.

DNS Requirements for a Load-Balanced Solution


Regardless of the load-balancing mechanism you use, a client must be able to connect with each VDM server by its FQDN directly. That is, the client must be able to bypass the load balancing altogether. In cases where VDM Security Servers are deployed inside the DMZ or when VDM Connection Servers are accessed from a local area network, all servers must have valid DNS names.

The load balancer makes the initial decision about which VDM Connection Server is to handle the client session by directing the first TCP session to the chosen VDM Connection Server. The secure tunnel connection is made directly from the client to the VDM Connection Server and as a result does not use the load-balancing infrastructure for this connection, which carries the bulk of network traffic between client and server.

Load-Balancing Solution
You can take several approaches when you implement a load-balancing solution for VDM servers. For example, round-robin DNS, while technically the most simple load-balancing solution to implement, has a significant disadvantage from a failover perspective. If one of the servers fails, it must be removed from the DNS list of records corresponding to the load-balanced domain name. Another issue with a round-robin DNS approach is in the remote access use case where VDM clients are accessing their virtual desktops across the Internet, through the VDM Security Servers. In this case, the responses of the master DNS server are cached in upstream DNS servers. It can take several hours for a removed DNS name to be replicated to all Internet DNS servers. If a server is out of service, client connections can fail if they are directed to that server during the time it takes for the cached record to expire on all Internet DNS servers.

Support for a redundancy and failover mechanism, typically at the network level, prevents the load balancer from becoming a single point of failure. For example, using the virtual router redundancy protocol (VRRP) to communicate with the load balancer adds redundancy and failover. If the main load balancer fails, another load balancer in the group automatically starts handling connections.


To provide a degree of fault tolerance, a load-balancing solution must be able to remove failed VDM server nodes from the load-balanced group. The way in which failed nodes are detected varies from solution to solution. The solution must ensure that new incoming sessions are not directed to the unresponsive server.

If a VDM server fails or becomes unresponsive during an active session, users do not lose data and desktop states are preserved in the virtual desktop. When users reconnect to a different VDM server in the group, their desktop sessions continue where they were when the failure occurred.

The load-balancing solution you choose must support Web session affinity between the client and VDM Connection Server. Web session affinity means that a particular Web session is always directed to the same server.

Many inexpensive and free load-balancing solutions are available that you can use with VMware VDM. Any standards-based load balancer that supports session affinity is acceptable.

Two examples of software-based load balancers are Hercules and Windows Network Load Balancing (NLB). Hercules is a free Linux-based virtual appliance that delivers the open source load balancer called Pen. Windows NLB is a feature available with Windows Server 2003.

DMZ Deployment
VDM also supports DMZ (security server) deployment, which allows greater security when accessing virtual desktops from the Internet. Servers within the DMZ run a subset of the full VDM Connection Server. DMZ deployment adds an additional layer of security and ensures that only authenticated users can attempt a connection to the internal network from the Internet.

DMZ Installation
DMZ deployment has the following entities or locations: the Internet, the DMZ, and the internal network. Clients who need access to the virtual desktops reside on the Internet. The virtual desktops are located on the internal network along with the rest of the components that comprise the virtual desktop infrastructure. The DMZ sits between the Internet and the internal network and reduces the risk of the internal network being compromised.

Depending on your particular server configuration, load balancing might be required. You need either a hardware or software load-balancing solution if you have more than one security server.


When you consider firewalls, the stronger approach is to use two firewalls, where the DMZ is between and connected to both firewalls. In this configuration, one firewall is connected to the internal network and the other to the external network.

Figure 3-3 shows a DMZ deployment that allows users to access their desktops from the Internet. It includes a load balancer and firewalls on each side of the DMZ.

Figure 3-3. VDM DMZ Deployment
[Figure 3-3 labels: client devices, firewall, DMZ, third-party load balancer, VDM security servers, firewall, VDM connection servers, VMware Infrastructure, VirtualCenter, ESX Servers (virtual desktops), Active Directory]

To perform a DMZ installation for a security server
1. Run VMware-vdmconnectionserver-2.1.0-<xxx>.exe.
   <xxx> is the build number of the software component you are installing.
   The Installation wizard opens.
2. Click Next.
3. Accept the license terms and click Next.
4. Accept or change the destination folder and click Next.
5. Choose Security Server.
6. Enter the FQDN of the connection server (either standard or replica) with which the security server is to communicate.
   Each security server is paired with a VDM Connection Server and forwards all traffic to that server.
7. Click Next > Install > Finish.

Load Balancing in a DMZ Deployment


When you deploy a VDM Security Server inside a DMZ, a link is established with a dedicated VDM Connection Server during the installation process. When VDM Security Servers are deployed inside the DMZ, they must be load balanced inside the DMZ to provide scalability and fault tolerance.

Configuring Firewall Ports for DMZ Deployments


When you set up firewalls in a DMZ deployment, you must configure the firewall rules so that the TCP protocol traffic that needs to pass through the firewall can. The settings described in this section are based on a DMZ deployment where firewall rules are configured from an external network (the Internet, for example) and from the DMZ to the internal network. The settings also assume that clients access VDM from an external network and connect by using VDM Security Servers located within the DMZ and that VDM is set up using default TCP ports for each protocol.

To access a DMZ from an external network and allow client devices to connect to VDM Security Servers within the DMZ, allow TCP ports 80 and 443.

If you connect to the internal network from a DMZ using VDM Security Servers in the DMZ to connect to VDM Connection Servers (standard or replica instances) in the internal network, allow TCP port 8009 for AJP13-forwarded Web traffic and allow TCP port 4001 for JMS messaging traffic.

To connect to the internal network from a DMZ using VDM Security Servers to connect to desktop virtual machines, allow TCP port 3389 for VDM secured RDP traffic.

The following default TCP ports are used for each protocol. Use the list of protocols and associated ports as a reference for Figure 3-4.

   JMS: 4001
   AJP13: 8009
   HTTP: 80
   HTTPS: 443
   RDP: 3389
   SOAP: 80 or 443

Figure 3-4 shows a VDM Security server and shows the relationship with all other VDM components and the protocols used for communication between the components.

Figure 3-4. VDM Component Diagram with Security Server
[Figure 3-4 labels: Windows Client (VDM Client, RDP Client, VDM Secure GW Client), Linux and Mac Client (browser), Thin Client (thin client operating system, RDP Client), VDM Security Server (VDM Secure GW Server), VDM Connection Server (VDM Secure GW Server, VDM Messaging, VDM Broker & Admin Server, VDM LDAP), Admin Console (VDM Administrator), VirtualCenter Server (VirtualCenter), Virtual Desktop VM (VDM Agent); links labeled HTTP(S), RDP, JMS, AJP13, and SOAP]
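A way to review a firewall rule set against the DMZ port list in this section, as an added example (not part of the original guide and not VMware code). The zone names, the rule file format, and the sample rules are constructed for illustration; the ports are the defaults listed above.

```python
# Flows and default TCP ports listed in the guide for a DMZ deployment.
# Zone names are constructed labels for this example.
REQUIRED_FLOWS = {
    ("external", "dmz"): {80: "HTTP", 443: "HTTPS"},
    ("dmz", "connection-servers"): {8009: "AJP13", 4001: "JMS"},
    ("dmz", "desktops"): {3389: "RDP"},
}

# Constructed rule set in a made-up "source destination port[-port]" format.
SAMPLE_RULES = """\
external dmz 80
external dmz 443
dmz connection-servers 8009
dmz desktops 3380-3390            # wider than the single RDP port
external connection-servers 443   # bypasses the security servers
"""


def parse_rules(text):
    """Turn rule lines into (source, destination, low_port, high_port)."""
    rules = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("line %d: expected 'source destination port'" % number)
        low, _, high = fields[2].partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError("line %d: bad port range" % number)
        rules.append((fields[0], fields[1], low, high))
    return rules


def port_text(low, high):
    return str(low) if low == high else "%d-%d" % (low, high)


def audit(rules):
    """Compare allow rules with the guide's port list and return findings."""
    findings = []
    # 1. Every flow the guide lists must be allowed by some rule.
    for (src, dst), ports in REQUIRED_FLOWS.items():
        for port in sorted(ports):
            allowed = any(
                (s, d) == (src, dst) and low <= port <= high
                for s, d, low, high in rules
            )
            if not allowed:
                findings.append(
                    "missing: %s -> %s TCP %d (%s)" % (src, dst, port, ports[port])
                )
    # 2. Flag anything allowed beyond the listed flows for review.
    for s, d, low, high in rules:
        ports = REQUIRED_FLOWS.get((s, d))
        if ports is None:
            findings.append(
                "unexpected flow: %s -> %s TCP %s" % (s, d, port_text(low, high))
            )
            continue
        extra = (high - low + 1) - sum(1 for p in ports if low <= p <= high)
        if extra:
            findings.append(
                "too broad: %s -> %s TCP %s opens %d unlisted port(s)"
                % (s, d, port_text(low, high), extra)
            )
    return findings
```

For the sample rules, the audit reports the missing JMS port, the over-wide RDP range, and the rule that lets external clients reach connection servers without passing through the DMZ.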


Exporting and Importing VDM Configuration Data


VDM allows you to export the contents of the primary root of the VDM lightweight directory access protocol (LDAP) data from a VDM Connection Server (standard or replica instance) to preserve this information and import it to other VDM connection servers. The export file format is an LDAP data interchange format (LDIF), which is a standard file format for exchanging LDAP data. If you have multiple VDM connection servers, you only need to export the data from one server because all replicated VDM Connection Servers contain the same VDM configuration data.

To export VDM configuration data
Open a command prompt and run this command:
   "C:\Program Files\VMware\VMware VDM\Server\bin\vdmexport" > MyVDMConfig.LDF
Running this command creates a file called MyVDMConfig.LDF that contains the exported data.

To import VDM configuration data
Open a command prompt and run the following command:
   LDIFDE -i -f MyVDMConfig.LDF -s 127.0.0.1 -z

Client Command-Line Parameters


VDM has settings available through the native client command-line parameters. Administrators can use the command-line options to preconfigure VDM client settings. To display the available command-line options, type wswc /? on the command line.

Options are preceded by a hyphen (-) or a forward slash (/). Option text is case-insensitive and can be abbreviated down to its shortest unique form.

For scripting, all scripting parameters except file and languageId can also be specified by AD group policies. They are checked in the following order: command line, machine group policies, user group policies.

The following is a list of the command-line options:

   -serverURL <xxx>: The URL for the VDM Connection Server to use in the connection dialog box.
   -userName <xxx>: User name for the server login dialog box.
   -domainName <xxx>: Domain name for the server login dialog box.
   -password <xxx>: Password for the server login dialog box.
   -desktopName <xxx>: Desktop name for the select desktop dialog box. This is the name as you see it in the select desktop dialog box, not the long desktop id.
   -screenFull: Use full screen desktop mode (only used if desktopName is specified).
   -screenWindow: Use Window desktop mode (only used if desktopName is specified).
   -screenMulti: Use full screen multimonitor desktop mode (only used if desktopName is specified).
   -nonInteractive: Used to suppress error message boxes for fully scripted startup.
   -languageId <xxx>: A Windows language id to use. If a resource dll is available (for US English), type 0x409.
   -file <xxx>: Text file with additional command-line parameter. To simplify repetitive tests, type wswc /f test1.

Fully scripted dialog boxes are auto-invoked and are displayed with only the Cancel button enabled. If the Cancel button is selected, the client exits. The Connect dialog box is fully scripted if the serverURL is specified. The Login dialog box is fully scripted if the Connect dialog box is fully scripted and userName, domainName and password are specified. The Select Desktop dialog box is fully scripted if the Login dialog box is fully scripted and desktopName is specified.
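The abbreviation and fully scripted dialog box rules above, modeled as an added example for reviewing a deployment script before rollout (not part of the original guide and not the client's own code). It uses the option names listed above; rejecting an ambiguous abbreviation such as -s is an assumption, because the guide does not say how the client handles one.

```python
# Option names as listed in the guide. How the real client treats an
# ambiguous abbreviation is not documented there; this model rejects it.
VALUE_OPTIONS = ["serverURL", "userName", "domainName", "password",
                 "desktopName", "languageId", "file"]
FLAG_OPTIONS = ["screenFull", "screenWindow", "screenMulti", "nonInteractive"]
ALL_OPTIONS = VALUE_OPTIONS + FLAG_OPTIONS


def resolve_option(token):
    """Map '-se', '/F', '-screenm' and so on to the full option name."""
    if len(token) < 2 or token[0] not in "-/":
        raise ValueError("not an option: %r" % token)
    prefix = token[1:].lower()
    matches = [n for n in ALL_OPTIONS if n.lower().startswith(prefix)]
    if len(matches) == 1:
        return matches[0]
    exact = [n for n in matches if n.lower() == prefix]
    if exact:
        return exact[0]
    kind = "ambiguous" if matches else "unknown"
    raise ValueError("%s option: %r" % (kind, token))


def shortest_unique(name):
    """Shortest prefix of an option that no other option shares."""
    others = [n.lower() for n in ALL_OPTIONS if n != name]
    for size in range(1, len(name) + 1):
        if not any(o.startswith(name[:size].lower()) for o in others):
            return name[:size]
    return name


def parse_command_line(argv):
    """Parse wswc arguments (without the program name) into a dict."""
    options = {}
    args = iter(argv)
    for token in args:
        name = resolve_option(token)
        if name in VALUE_OPTIONS:
            value = next(args, None)
            if value is None:
                raise ValueError("-%s needs a value" % name)
            options[name] = value
        else:
            options[name] = True
    return options


def review(argv):
    """Report which dialog boxes are fully scripted and what to double-check."""
    options = parse_command_line(argv)
    connect = "serverURL" in options
    login = connect and all(
        k in options for k in ("userName", "domainName", "password"))
    select = login and "desktopName" in options
    notes = []
    if "desktopName" not in options:
        notes += ["-%s is ignored without -desktopName" % n
                  for n in ("screenFull", "screenWindow", "screenMulti")
                  if n in options]
    if "password" in options:
        # The value sits in clear text wherever the command line is stored.
        notes.append("-password is passed in clear text")
    return {"Connect": connect, "Login": login,
            "Select Desktop": select, "notes": notes}
```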

Collecting VDM Diagnostic Information


Diagnostic information helps VMware Technical Support diagnose and resolve issues with VDM. VDM includes a script called vdm-support that collects information for use by VMware Technical Support. Send the file generated by the script with your support request. On the VDM Connection Server you can run the script manually or by using the support tool in the Start menu. For VDM Windows Client or Web Access and VDM hosted desktops, you must run the script manually.

Using the VDM Support Tool to Collect Diagnostic Information


The VDM Support tool lets you generate log files and set log levels that determine if you want to generate normal, debug, or full log files for the VDM Connection Server.


To set log levels using the VDM Support Tool
1. On the VDM Connection Server, click Start, click All Programs, and click VMware.
2. Select Set VDM Log Levels.
3. In the Choice field, type 1 for normal, 2 for debug, or 3 for full and press Enter.

To generate log files using the VDM Support Tool
1. On the VDM Connection Server, click Start, click All Programs and click VMware.
2. Select Generate VDM Log Bundle.
   The support tool creates a folder called vdm-sdct on the desktop of the VDM Connection Server and places the generated log files in it.

Using the VDM Support Script to Collect Diagnostic Information


Use VDM Support Script to generate log files for VDM Connection Servers, Windows Client and Web Access, and VDM hosted desktops.

To collect diagnostic information using the script
1. Open a command prompt.
2. Change to the VDM program directory.
   If you did not install the program in the default directory, use the appropriate drive letter and substitute the appropriate path in the change directory commands, as follows:
   On the VDM Connection Server, run this command:
      cd C:\Program Files\VMware\VMware VDM\Server\DCT
   On VDM Windows Client or Web Access, run this command:
      cd C:\Program Files\VMware\VMware VDM\Client\DCT
   On the VDM hosted desktop, run this command:
      cd C:\Program Files\VMware\VMware VDM\Agent\DCT
3. Run the support script:
      cscript vdm-support.vbs
   When the script finishes, it informs you of the output file name and location.
4. Copy the script output to another location.


To transfer the compressed output file to another computer, you can use a Secure copy (SCP) or FTP client. If you use an FTP client, make sure that it copies the file in binary mode to ensure the whole file is transferred intact. WinSCP is an SCP client for Microsoft Windows and is available on the Microsoft Web site.

Before you can send the information to VMware Technical Support, file a support request on the Support page of the VMware Web site.

Updating Support Requests


After you file a support request, you might receive an email request from VMware Technical Support asking for the output of the vdm-support script. Reply to the email message and attach your script output file to the reply. If the output is too large to include as an attachment (10MB or more), contact VMware Technical Support with your support request number and request FTP upload instructions. You can also update your support request and attach the file at the support Web site.

To update your support request
1. Navigate to the Support page at the VMware Web site and log in.
2. Click Support Request History and find the applicable support request number.
3. Update the support request and attach your vdm-support script output.

Troubleshooting VDM
The following URLs for VMware Knowledge Base (KB) articles contain troubleshooting information for VDM. The KB articles are continually updated with new troubleshooting information.

Use the following URL for troubleshooting end-user connection issues:
http://www.vmware.com/info?id=342

Use the following URL for troubleshooting pooling issues:
http://www.vmware.com/info?id=343

Use the following URL for troubleshooting USB issues:
http://www.vmware.com/info?id=346


VDM Client Advanced Active Directory RDP Settings

The default configuration settings used in the VDM Client are suitable for most situations. However, you can configure some advanced settings in the registry of the client computer that affect the behavior of the VDM Client, particularly advanced RDP connection settings.

You can manage these settings in the client computer registry in several ways. If the settings are not present, the default value is taken for that setting. In most situations, no registry updates are ever required.

Table A-1 describes the settings that you can define in the HKEY_CURRENT_USER directory to override the default behavior. The registry setting names correspond to the Microsoft setting name. For more information about these settings, see the Microsoft TechNet articles.

Table A-1. Client Registry Settings for the Client

| Name | Type | Description |
|---|---|---|
| Software\VMware, Inc.\VMware VDM\Client\EnableShade | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\InitialPinState | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\DisableSpanChecks | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\ColorDepth | REG_SZ | Defined in bits: 8, 15, 16, 24, or 32. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\DisableWallpaper | REG_SZ | True or false. |


Table A-1. Client Registry Settings for the Client (Continued)


| Name | Type | Description |
|---|---|---|
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\DisableFullWindowDrag | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\DisableMenuAnimations | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\EnableEnhancedGraphics | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\DisableCursorShadow | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\FontSmoothing | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\DesktopComposition | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\AudioRedirectionMode | REG_SZ | 0 = Redirect to Client. 1 = Play in virtual machine. 2 = Disable audio. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\RedirectDrives | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\RedirectPrinters | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\RedirectPorts | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\RedirectSmartcards | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\RedirectClipboard | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\RedirectPlugAndPlayDevices | REG_SZ | True or false. |


Table A-1. Client Registry Settings for the Client (Continued)


| Name | Type | Description |
|---|---|---|
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\BitmapPersistence | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\ShadowBitmap | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\CachePersistenceActive | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\EnableCompression | REG_SZ | True or false. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\KeyboardHookMode | REG_SZ | 0 = Apply key combinations locally. 1 = Send key combinations to VM. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\BitmapCacheSize | REG_SZ | Size in KB, between 1 and 32. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\BitmapVirtualCacheSize | REG_SZ | Size in KB, between 1 and 32. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\BitmapVirtualCache16BppSize | REG_SZ | Size in KB, between 1 and 32. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\BitmapVirtualCache24BppSize | REG_SZ | Size in KB, between 1 and 32. |
| Software\VMware, Inc.\VMware VDM\Client\RDP Settings\BitmapVirtualCache32BppSize | REG_SZ | Size in KB, between 1 and 32. |
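
The following is an added example, not part of the VMware guide or product: a Python check that audits the text of a client's exported registry settings against the types and allowed values in Table A-1 and lists the redirection settings that are switched on. It assumes the last path component of each Name in the table is the registry value name and that the input is a regedit .reg export; the sample export is constructed.

```python
import re

# Allowed values transcribed from Table A-1; every setting is REG_SZ.
BOOL = {"true", "false"}
CLIENT = {n: BOOL for n in ("EnableShade", "InitialPinState", "DisableSpanChecks")}
RDP = {n: BOOL for n in (
    "DisableWallpaper", "DisableFullWindowDrag", "DisableMenuAnimations",
    "EnableEnhancedGraphics", "DisableCursorShadow", "FontSmoothing",
    "DesktopComposition", "RedirectDrives", "RedirectPrinters", "RedirectPorts",
    "RedirectSmartcards", "RedirectClipboard", "RedirectPlugAndPlayDevices",
    "BitmapPersistence", "ShadowBitmap", "CachePersistenceActive",
    "EnableCompression")}
RDP.update(ColorDepth={"8", "15", "16", "24", "32"},
           AudioRedirectionMode={"0", "1", "2"}, KeyboardHookMode={"0", "1"})
for n in ("BitmapCacheSize", "BitmapVirtualCacheSize", "BitmapVirtualCache16BppSize",
          "BitmapVirtualCache24BppSize", "BitmapVirtualCache32BppSize"):
    RDP[n] = {str(kb) for kb in range(1, 33)}  # size in KB, 1 to 32

# Assumption: the last path component of each Name in Table A-1 is the value name.
BASE = r"HKEY_CURRENT_USER\Software\VMware, Inc.\VMware VDM\Client"
RULES = {BASE.lower(): CLIENT, (BASE + r"\RDP Settings").lower(): RDP}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def audit(reg_text):
    """Return (problems, redirects_on) for the text of a regedit .reg export."""
    problems, redirects_on, rules = [], [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:  # new key section: pick the rule set, or None for unrelated keys
            rules = RULES.get(key.group(1).lower())
            continue
        val = VAL_RE.match(line)
        if not val or rules is None:
            continue
        name, raw = val.groups()
        is_string = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        if name not in rules:
            problems.append(f"{name}: not a Table A-1 setting")
        elif not is_string:  # e.g. dword:..., which is REG_DWORD rather than REG_SZ
            problems.append(f"{name}: not REG_SZ ({raw})")
        elif raw[1:-1].lower() not in rules[name]:
            problems.append(f"{name}: value {raw} not allowed")
        elif name.startswith("Redirect") and raw[1:-1].lower() == "true":
            redirects_on.append(name)  # client resource exposed to the desktop session
    return problems, redirects_on

# Constructed sample export, not taken from a real client.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\VMware, Inc.\VMware VDM\Client]
"EnableShade"="true"
[HKEY_CURRENT_USER\Software\VMware, Inc.\VMware VDM\Client\RDP Settings]
"ColorDepth"="12"
"AudioRedirectionMode"=dword:00000002
"RedirectDrives"="true"
"BitmapCacheSize"="64"
'''
```

A real export is typically UTF-16, so decode the file (for example with `open(path, encoding="utf-16")`) before passing its text to `audit`.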


Using Active Directory Group Policies for Advanced Settings


Group Policy settings define the components of the user's desktop environment that a system administrator needs to manage. The advanced options are stored in the registry of the client computers and you can manage them by using Group Policy settings in Active Directory.

VDM Connection Server includes an administrative template file (vdm_client.adm) that you can load into Active Directory to simplify the management of Group Policy settings on each VDM Client computer. This file is located on each VDM Connection server in C:\Program Files\VMware\VMware VDM\Server\ADM.

The Microsoft TechNet article at the following URL provides information about adding this administrative template in Active Directory:
http://technet2.microsoft.com/windowsserver/en/library/b9546edf751f4a09835af3397caef2361033.mspx?mfr=true


VDM Group Policy Objects

Use the VDM group policy objects (GPO) settings to configure the group policies for the VDM Agent, VDM Client, and VDM Connection Server. This appendix describes the VDM GPO settings.

This Appendix covers these GPO types:
- Computer Configuration
- VDM User Configuration for VDM Client

Computer Configuration
VDM provides GPO administration templates to control computer configuration settings for VDM Agent, VDM Client, and VDM Connection Server.

VDM Agent Configuration


Use the following GPOs to configure VDM Agent settings:
- Log Configuration (number of days to keep logs): Set this value to control the number of days for which log files are kept on the system. If no value is set, the default applies and log files will only be kept for seven days.
- Agent Configuration
  - AllowDirectRDP: If this value is enabled, it will be possible to connect directly to the virtual machine using any RDP client, other than just via the VDM Connection Server. The default value of this is false.
  - AllowSingleSignon: Enable this value to allow single sign-on. In this case, users will only need to enter their credentials when connecting to the VDM Connection Server; otherwise they will need to log in again when the remote connection is made. The default value of this is true.
  - VdmConnectionTicketTimeout: Time in seconds for which the VDM connection ticket is valid. A VDM connection ticket is used by VDM clients when connecting to VDM Agent and is used for verification and single sign-on purposes. For security reasons, these tickets are only valid within the specified time period. If this value is not set, a default of 120 seconds applies.
  - ConnectUsingDNSName: If enabled, the VDM Server uses the DNS name of the machine to connect to, rather than its IP address. This is often used in a NAT/Firewall situation when the VDM client or VDM Server cannot use the virtual desktop IP address directly. The default value of this is true.
- Enable extended logging: Enable this value to include trace and debug events in the VDM log files.
- Disk threshold for log and events in MegaBytes: Set this value to control the maximum disk space for logs and events. If no value is set, a default of 200 (Megabytes) applies. When this value is reached, event logging will stop.

VDM Client Configuration


Use the following GPOs to configure VDM Client settings:
- Log Configuration (Number of days to keep logs): Set this value to control the number of days for which log files are kept on the system. If no value is set, the default applies and log files will only be kept for seven days.
- Scripting Definitions
  - VDM Server URL: Set this value to specify the default VDM Server URL.
  - VDM logon UserName: Set this value to specify the default logon name.
  - VDM logon DomainName: Set this value to specify the default domain name.
  - VDM Logon Password: Set this value to specify the default password.
  - DesktopName to select: Set this value to specify the default desktop to select.
  - DesktopLayout (when fully scripted only): Select from fullscreen, multimonitor or window.
  - Suppress error messages (when fully scripted only): Set to enabled to suppress error messages.
- Security Settings (These are options that can be set with WinInet.dll and are used when connecting to the VDM Server using HTTPS).
  - Ignore incorrect SSL certificate common name (host name field): Set this to enabled or disabled.
  - Ignore bad SSL certificate data received from the server: Set this to enabled or disabled.
  - Ignore unknown certificate authority problems: Set this to enabled or disabled.
  - Ignore certificate revocation problems: Set this to enabled or disabled.
  - Ignore incorrect usage problems: Set this to enabled or disabled.
- Enable extended logging: Enable this value to include trace and debug events in the VDM log files.
- Disk threshold for log and events in MegaBytes: Set this value to control the maximum disk space for logs and events. If no value is set, a default of 200 applies. When this value is reached, event logging will stop.

For more information about these security settings, refer to the Microsoft WinInet documentation on the Microsoft Web site.

VDM Server Configuration


Use the following GPOs to configure VDM Server settings:
- Log Configuration (number of days to keep logs): Set this value to control the number of days for which log files are kept on the system. If no value is set, the default applies and log files will only be kept for seven days.
- Enable extended logging: Enable this value to include trace and debug events in the VDM log files.
- Disk threshold for log and events in MegaBytes: Set this value to control the maximum disk space threshold for logs and events. If no value is set, a default of 200 applies. When this value is reached, event logging will stop.


VDM User Configuration for VDM Client


Use the following user configuration GPOs to configure VDM client settings for end users:
- Scripting Definitions
  - VDM Server URL: Set this value to specify the default VDM Server URL.
  - VDM logon UserName: Set this value to specify the default logon name.
  - VDM logon DomainName: Set this value to specify the default domain name.
  - VDM Logon Password: Set this value to specify the default password.
  - DesktopName to select: Set this value to specify the default desktop.
  - DesktopLayout (when fully scripted only): Select from fullscreen, multimonitor or window.
  - Suppress error messages (when fully scripted only): Set to enabled to suppress error messages.
- RDP Settings (Refer to Microsoft documentation for a full description of the RDP Settings).
  - Color Depth: For 24-bit Windows XP, ensure that the Limit Maximum Color Depth policy in Computer Configuration/Administrative Templates/Windows Components/Terminal Services is set to Enabled at 24-bit.
  - Desktop Background
  - Show contents of window while dragging
  - Menu and animation
  - Themes
  - Cursor shadow
  - Font smoothing
  - Desktop composition
  - Audio redirection
    - Redirect to client: MS RDP redirection played on client, default if not configured
    - Play in VM (needed for VoIP USB support): Play in VM needs a shared USB audio device
    - Disable Audio: no audio
  - Redirect drives
  - Redirect printers
  - Redirect serial ports
  - Redirect smart cards
  - Redirect clipboard
  - Redirect supported plug and play devices
  - Bitmap caching
  - Shadow bitmaps
  - Cache persistence active
  - Windows key combinations
  - Bitmap cache file size in Kb for 8bpp bitmaps
  - Bitmap cache file size in Mb for 8bpp bitmaps
  - Bitmap cache file size in Mb for 16bpp bitmaps
  - Bitmap cache file size in Mb for 24bpp bitmaps
  - Bitmap cache file size in Mb for 32bpp bitmaps
- Enable the shade: Set this to enabled or disabled
- Pin the Shade: Set this to enabled or disabled
- Don't check monitor alignment on spanning: Set this to enabled or disabled
- Enable multimedia acceleration: Set this to enabled or disabled


Glossary

Active Directory
A Microsoft directory service that stores information about the network operating system and provides services. Active Directory configures and manages users and groups and enables administrators to set security policies, control resources, and deploy programs across an enterprise.

ADAM (Active Directory Application Mode)
An LDAP implementation based on Active Directory.

active session
A live connection from a client or Web Access user to a virtual desktop. An established connection to a virtual desktop that has not timed out.

administrator user interface
The Web-based administrator user interface used to perform configuration and management tasks in VDM. Also known as the VDM Administrator.

broker
Also known as a connection broker. The VDM Connection Server is a type of connection broker.

connection broker
A server that allows connections between remote users and virtual desktops and provides authentication and session management. The VDM Connection Server is a type of connection broker.


datastore
Virtual representations of combinations of underlying physical storage resources in the datacenter. A datastore is the storage location (for example, a physical disk, a RAID, or a SAN) for virtual machine files.

desktop
See virtual desktop.

desktop virtual machine
See virtual desktop.

desktop pool
A pool of virtual machines that an administrator designates for users or groups of users. See also persistent desktop pool, non-persistent desktop pool.

DMZ (demilitarized zone)
A logical or physical subnetwork that connects internal servers to a larger, untrusted network (usually the Internet) and provides an additional layer of security and gives administrators more control over who can access network resources.

DNS (Domain Name System)
An Internet data query service that translates host names into IP addresses. Also called Domain Name Server or Domain Name Service.

FQDN (fully qualified domain name)
The name of a host, including both the host name and the domain name. For example, the FQDN of a host named esx1 in the domain vmware.com is esx1.vmware.com.

guest
See guest operating system.

guest operating system
An operating system that runs inside a virtual machine.

high availability
A system design approach that ensures a degree of operational continuity.

load balancing
A technique used for distributing processes across servers so that the traffic load is spread more evenly and servers do not become overloaded.



non-persistent desktop pool
A desktop pool in which users are not assigned to a specific desktop. When users log off or are timed out of a desktop, their desktops are returned to the pool and made available to other users. Users cannot save data or files to their desktops when using a non-persistent pool.

persistent desktop pool
A desktop pool in which users are assigned to a specific desktop. Users log on to the same desktop every time and their data is preserved when they log off. Users can save data and files to their desktops when using a persistent pool.

RDP (remote desktop protocol)
A multichannel protocol that allows a user to connect to a computer remotely.

RSA SecurID
A product from RSA that provides strong, two-factor authentication using a password and an authenticator.

security server
A VDM Connection Server deployment that adds a layer of security between the Internet and the internal network.

thin client
A device that allows a user to access virtual desktops but requires little memory or disk drive space. Application software, data, and CPU power reside on a network computer and not on the client device.

virtual desktop
A desktop operating system that runs on a virtual machine. A virtual desktop is indistinguishable from any other computer running the same operating system.

