V Workspace 60

Quest vWorkspace 6.
0
Administration Guide
Copyright Quest Software, Inc. 2009. All rights reserved.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com email: legal@quest.com Refer to our Web site for regional and international office information.
TRADEMARKS
Quest, Quest Software, the Quest Software logo, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, ChangeAuditor, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, GPOAdmin, I/Watch, Imceda, InLook, IntelliProfile, InTrust, Invertus, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, MessageStats, NBSpool, NetBase, Npulse, NetPro, PassGo, PerformaSure, Quest Central, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, vAnalyzer, vAutomator, vControl, vConverter, vEssentials, vFoglight, vMigrator, vOptimizer Pro, vPackager, vRanger, vRanger Pro, vReplicator, vSpotlight, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.
Disclaimer
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
Quest vWorkspace Administration Guide v.4 Updated - January 2009 Software Version - 6.0
CONTENTS
WHATS NEW IN VWORKSPACE 6.0 . . . . . . . . . . . . . . . . . . . . XVII UPGRADE CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . . XVII FEATURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XVII
Parallels Virtuozzo Containers Integration . . . . . . . . . Experience Optimized Protocol Features . . . . . . . . . . Geographic Locations vWorkspace . . . . . . . . . . . . . . Web Access Interface . . . . . . . . . . . . . . . . . . . . . . . HP Remote Graphics Software . . . . . . . . . . . . . . . . . Remote Control Sessions for VDI . . . . . . . . . . . . . . . Assignment of VM. . . . . . . . . . . . . . . . . . . . . . . . . . User Profiles Enhancements and Support for Desktops Microsoft Windows Vista and Server 2008 Support . . . Security Enhancements . . . . . . . . . . . . . . . . . . . . . . Persistent Disks and Memory for VMware . . . . . . . . . USB Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . Bandwidth Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii xviii xviii . xix . xix . xx . xx . xx . xx . xx . xxi . xxi . xxi
WHATS CHANGED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXI ABOUT THIS GUIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXIII OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXIV CONVENTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXIV ABOUT QUEST SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . . XXV CONTACT QUEST SOFTWARE . . . . . . . . . . . . . . . . . . . . XXV
VWORKSPACE
RESOURCES . . . . . . . . . . . . . . . . . . . . . . . . XXVI
CONTACT SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXVI DOCUMENT FEEDBACK . . . . . . . . . . . . . . . . . . . . . . . . XXVI CHAPTER 1 INTRODUCTION TO VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . 1 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 PRODUCT SUITES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 ENTERPRISE EDITION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 TERMINAL SERVICES ENHANCEMENTS . . . . . . . . . . . . . . . . 5
Provision-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Secure-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
DESKTOP SERVICES EDITION . . . . . . . . . . . . . . . . . . . . . . . . 6

i
vWorkspace Administration Guide
DESKTOP SERVICES EDITION ANATOMY AND FEATURES . . . . . 7

About the Connection Broker . . . . . . . . . . . . . . . . . About Single Access Infrastructure . . . . . . . . . . . . . About User Experience and Last-Mile Enhancements . Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . How Desktop Services Edition Works . . . . . . . . . . . . . . . . . . . . . . . . . . .8 .8 .9 .9 14
TCP PORT REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . . . .16 CLIENT CONNECTIVITY . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 MICROSOFT WINDOWS . . . . . . . . . . . . . . . . . . . . . . . . .18 WINDOWS CE THIN CLIENT TERMINALS . . . . . . . . . . . . . .18
VWORKSPACE
LINUX CLIENT . . . . . . . . . . . . . . . . . . . . .19
THIN CLIENT DEVICES . . . . . . . . . . . . . . . . . . . . . . . . .20

Wyse Thin OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
BENEFITS OF VWORKSPACE-ENABLED DESKTOP SERVICES . . . . . .22 POWER TOOLS SUITE FOR TERMINAL SERVERS STANDARD EDITION .24 LICENSING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26 CUSTOMER INFORMATION . . . . . . . . . . . . . . . . . . . . . . .28 LICENSES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29 USER SESSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . .30 CHAPTER 2 DEPLOYMENT PLANNING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32 CHAPTER 3 INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 INSTALLATION REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . .36 VIRTUALCENTER SSL CERTIFICATE . . . . . . . . . . . . . . . . . . . .39
Export the SSL Certificate .............................................. 40 Import the SSL Certificate .............................................. 41 View or Modify Keystore Registry Entries .......................... 41 Copy to Other Connection Brokers ................................... 42
MICROSOFT SQL SERVER . . . . . . . . . . . . . . . . . . . . . . . . . .42

Install Microsoft SQL Server 2005 Express........................ 43
CHAPTER 4 VWORKSPACE INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . 45 DOWNLOAD VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . . .46

ii
INSTALL THE CONNECTION BROKER . . . . . . . . . . . . . . . . . . . .48

VWORKSPACE VWORKSPACE
TERMINAL SERVERS . . . . . . . . . . . . . . . . . . . . .55 CONNECTIVITY FEATURES . . . . . . . . . . . . . . . . .58 SSL GATEWAY . . . . . . . . . . . . . . . . . . . . .58
Install Terminal Server Components ................................ 57 VWORKSPACE VWORKSPACE VWORKSPACE
Install the SSL Gateway ................................................. 58
PERIPHERAL SERVER EXTENSIONS . . . . . . . . . . . .59 ADDITIONAL COMPONENTS . . . . . . . . . . . . . . . . .60
Install Peripheral Server Extensions................................. 59
PASSWORD RESET SERVICE . . . . . . . . . . . . . . . . . . . . . .61

Install the Password Reset Service .................................. 61 VWORKSPACE VWORKSPACE
MANAGEMENT CONSOLE . . . . . . . . . . . . . . .61
Install the vWorkspace Management Console .................... 61
CLIENT . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 WEB INTERFACE . . . . . . . . . . . . . . . . . . . .64
VWORKSPACE
Install the Web Interface................................................ 65
INSTALLATION REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . .66 CHAPTER 5 EXPERIENCE OPTIMIZED PROTOCOL . . . . . . . . . . . . . . . . . . . . . 73 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74 REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74 OPTIMIZATION SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . .75 BIDIRECTIONAL AUDIO . . . . . . . . . . . . . . . . . . . . . . . . . . . .75 LATENCY REDUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79 MULTIMEDIA REDIRECTION . . . . . . . . . . . . . . . . . . . . . . . . .81 GRAPHICS ACCELERATION . . . . . . . . . . . . . . . . . . . . . . . . . .81
VWORKSPACE
CHAPTER 6
MANAGEMENT CONSOLE . . . . . . . . . . . . . . . . . . . 83 MANAGEMENT CONSOLE WINDOW . . . . . . . . . . . .84 MENU OPTIONS AND ICONS . . . . . . . . . . . . . . . .87
ABOUT THE VWORKSPACE MANAGEMENT CONSOLE . . . . . . . . . . .84

ADMINISTRATION . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
iii
Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Add a New Administrator................................................ 91 Edit Administration Settings ........................................... 92 Remove an Administrator ............................................... 92 Set Permission at the Object Level .................................. 92
MANUAL DATABASE CONFIGURATION . . . . . . . . . . . . . . . .92

Create a New Database and DSN .................................... 93 Connect to an Existing Database ..................................... 95 Change a Servers Database Configuration ....................... 96 VWORKSPACE
OBJECT NODES . . . . . . . . . . . . . . . . . . . . . . .96
FARM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96 LOCATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98 CLIENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

Client Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Define Define Define Define Define Clients Clients Clients Clients Clients by by by by by Users .................................................. 99 Groups .............................................. 100 Device Address................................... 100 Device Name...................................... 101 Organizational Unit ............................. 101
RESOURCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
View the Resources Assigned to a Client......................... 103
PACKAGED APPLICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . 104

App-V/Softgrid Node . . . . . . . . . . . . . . . . . . . . . . . . . 104
Establish a New Server Connection ................................ 104 Edit the Properties of an App-V/SoftGrid Server .............. 106 Import App-V/SoftGrid Applications ............................... 106 View/Edit Imported App-V/SoftGrid Application Properties 109
MSI Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Add a New MSI Package............................................... 109
PERFORMANCE OPTIMIZATION. . . . . . . . . . . . . . . . . . . . . . . 112 VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 FILE AND REGISTRY REDIRECTION . . . . . . . . . . . . . . . . . . . . 113 WORKLOAD EVALUATORS . . . . . . . . . . . . . . . . . . . . . . . . . 113 CHAPTER 7 VWORKSPACE LOCATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 ABOUT LOCATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 LOCATIONS NODE OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . 116
iv
NEW LOCATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Add a Location............................................................ 117 Import VMware Datacenters ......................................... 123 Import Virtual Iron Datacenters .................................... 126 Import Virtuozzo Slave Nodes ....................................... 130 Add Microsoft Hyper-V Hosts ........................................ 133 Add Independent Virtuozzo Nodes ................................. 137 Delete a Location ........................................................ 141
LOCATION PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 VIRTUALIZATION SERVERS. . . . . . . . . . . . . . . . . . . . . . . . . 145

Add Virtualization Server Connections ............................ 145
CONNECTION BROKERS . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Add Connection Broker Servers ..................................... 151 Set Connection Broker Properties .................................. 152 Remove Connection Broker Servers ............................... 152
TERMINAL SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Add Terminal Servers .................................................. 153 Set Terminal Server Properties ..................................... 157 Remove Terminal Servers ............................................ 157
DESKTOPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Set Desktops Properties ............................................... 158
OTHER SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Add Other Servers ...................................................... 158 Set Other Servers Properties ........................................ 159
CHAPTER 8 VWORKSPACE DESKTOPS . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 ABOUT DESKTOPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 COMPUTER GROUP PROPERTIES . . . . . . . . . . . . . . . . . . 164 VIEW MANAGED COMPUTER GROUPS . . . . . . . . . . . . . . . 169
View Summary Information .......................................... 169 View Managed Computers ............................................ 169 View Tasks for a Computer Group ................................. 170 View Logs for a Computer Group ................................... 170 Modify the Properties of a Computer Group..................... 170 Delete a Computer Group............................................. 170
Task Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Schedule Tasks using the Automated Task Wizard ........... 171
MANAGED COMPUTER GROUP CUSTOMIZATIONS . . . . . . . . . 172 MANAGED COMPUTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

v
PROPERTIES OF A MANAGED COMPUTER . . . . . . . . . . . . . 174

General . . . . . . . . . . . . . . . . . . . . . . . . . Computer Administrative Account. . . . . . . Enable/Disable . . . . . . . . . . . . . . . . . . . . Client Assignment. . . . . . . . . . . . . . . . . . Access Timetable . . . . . . . . . . . . . . . . . . User Privileges . . . . . . . . . . . . . . . . . . . . Inactivity Timeout . . . . . . . . . . . . . . . . . Session Auto-Logoff . . . . . . . . . . . . . . . . Configuration (VMware System Type only) Logoff Action (VMware System Type only) . Automated Tasks . . . . . . . . . . . . . . . . . . Session Protocol . . . . . . . . . . . . . . . . . . . Bandwidth Optimization . . . . . . . . . . . . . Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 175 176 177 179 180 181 182 183 184 185 186 187 188
SYSPREP CUSTOMIZATION WIZARD . . . . . . . . . . . . . . . . 188

Create Sysprep Customizations for New Computers ......... 189
VIEW MANAGED COMPUTERS . . . . . . . . . . . . . . . . . . . . 192

View View View View Summary Information .......................................... 192 Tasks for a Managed Computers ............................ 192 Logs for a Managed Computers ............................. 193 a Session by Remote Control................................. 193
DESKTOPS PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . . . . 194 INITIALIZE COMPUTER . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 INITIALIZATION TRIGGERS. . . . . . . . . . . . . . . . . . . . . . 196

Microsoft Active Directory Group Policy Settings . . . . . . 197
PNTOOLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 DATA COLLECTOR SERVICE . . . . . . . . . . . . . . . . . . . . . 199 UNIVERSAL PRINT DRIVER. . . . . . . . . . . . . . . . . . . . . . 199 ACCELERATED MULTIMEDIA PLAYBACK . . . . . . . . . . . . . . . 200 USB DEVICE REDIRECTION . . . . . . . . . . . . . . . . . . . . . 200 USER PROFILE ACCELERATION . . . . . . . . . . . . . . . . . . . 200 INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 CHAPTER 9 MANAGE APPLICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 ABOUT MICROSOFT TERMINAL SERVER . . . . . . . . . . . . . . . . . 204
vi
ABOUT MANAGED COMPUTERS . . . . . . . . . . . . . . . . . . . . . . 205 ABOUT VIRTUALIZED APPLICATIONS . . . . . . . . . . . . . . . . . . . 205 NEW APPLICATION TOOL. . . . . . . . . . . . . . . . . . . . . . . . . . 206
Start New Applications using Terminal Servers Node ........ 206 Start New Applications using the Desktops Node ............. 206 Start New Applications from the Resources Node ............. 207
PUBLISH TERMINAL SERVER APPLICATIONS . . . . . . . . . . . . . . . 207

Publish an Application Hosted on Terminal Server............ 207 Publish Terminal Server Desktops.................................. 215
PUBLISH A MANAGED DESKTOP. . . . . . . . . . . . . . . . . . . . . . 216

Publish a Desktop to a Managed Computer Group ............ 216
PUBLISH MANAGED APPLICATIONS . . . . . . . . . . . . . . . . . . . . 217

Publish an Application .................................................. 217
PUBLISH CONTENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 WORK WITH PUBLISHED APPLICATIONS . . . . . . . . . . . . . . . . . 220

Add Published Applications to a Terminal Server.............. 220 Add Published Applications to a Computer Group ............. 221 Modify Published Applications with Terminal Servers Node 222 Modify Published Applications with Desktops Node ........... 222 Modify Published Applications on the Resources Node....... 223 Duplicate a Published Application .................................. 223 Delete a Published Application ...................................... 224
CHAPTER 10 APPLICATION COMPATIBILITY ENHANCEMENTS . . . . . . . . . . . . . 225 ABOUT APPLICATION COMPATIBILITY ENHANCEMENTS . . . . . . . . 226 HOW REDIRECT-IT WORKS . . . . . . . . . . . . . . . . . . . . . . . . 226 INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Create a Registry Redirection Rule................................. 227 Create a File Redirection Rule ....................................... 228 Create a Folder Redirection Rule ................................... 229 View a Redirection Rule ............................................... 230 Edit a Redirection Rule................................................. 230
CHAPTER 11 VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 ABOUT VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Enable Virtual IP on a Terminal Server ........................... 232 Configure Virtual IP Address Ranges .............................. 233 Configure Applications ................................................. 235
vii
CHAPTER 12 VWORKSPACE ADDITIONAL COMPONENTS . . . . . . . . . . . . . . . . 237 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 PASSWORD RESET SERVICE . . . . . . . . . . . . . . . . . . . . . . . . 238
Install the Password Reset Service ................................ 238 Configure the Password Reset Service............................ 239 Configure Password Management in AppPortal ................ 239 Configure Password Management in Web Access ............. 241
PROXY-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Install Proxy-IT........................................................... 242 Configure Proxy-IT ...................................................... 242
PROXY-IT WITH SESSION DIRECTORY SERVICES . . . . . . . . 244

Proxy-IT Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . 244 Install Proxy-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Enable Session Directory Service................................... 245 Enable Session Directory on Terminal Services ................ 245 Using Group Policies .................................................... 245 Using Terminal Services ............................................... 246
CHAPTER 13 VIRTUALIZATION SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . 249 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 VIRTUALIZATION SERVERS. . . . . . . . . . . . . . . . . . . . . . . . . 251

Add Virtualization Server Connections ............................ 252
CHAPTER 14 VMWARE INTEGRATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 CONNECT TO VMWARE VIRTUALCENTER SERVERS . . . . . . . . . . 260 DISK AND MEMORY PERSISTENCE . . . . . . . . . . . . . . . . . . . . 260 DATA CENTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Add a Data Center using the Datacenter Wizard .............. 262
COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Add Computer Groups to a VMware Type........................ 270 Add Computers to a Computer Group for VMware ............ 276
IMPORT EXISTING COMPUTERS INTO A GROUP . . . . . . . . . . 278

Import Existing Computers into a Group......................... 279
Monitor the Process . . . . . . . . . . . . . . . . . . . . . . . . . 280
POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
viii
CHAPTER 15 VIRTUAL IRON INTEGRATION . . . . . . . . . . . . . . . . . . . . . . . . 283 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 DATA CENTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Add a Data Center using the Datacenter Wizard .............. 284
COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Add Computer Groups to a Virtual Iron Type................... 290 Add Computers to a Computer Group for Virtual Iron ....... 295
IMPORT EXISTING DESKTOPS INTO A GROUP . . . . . . . . . . 297

Import Existing Desktops into a Group ........................... 298
Monitor the Process . . . . . . . . . . . . . . . . . . . . . . . . . 298
POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 CHAPTER 16 MICROSOFT HYPER-V INTEGRATION . . . . . . . . . . . . . . . . . . . . 301 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 HYPER-V BROKER HELPER SERVICE . . . . . . . . . . . . . . . . . . . 302 INSTALLATION TIPS . . . . . . . . . . . . . . . . . . . . . . . . . . 302 HOSTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Add a Host using the Hyper-V Host Wizard ..................... 303
COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Add Computer Groups to a Microsoft Hyper-V Type.......... 309

Import Existing Desktops into a Group ........................... 313
POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . 314 CHAPTER 17 PARALLELS VIRTUOZZO INTEGRATION . . . . . . . . . . . . . . . . . . . 315 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 ABOUT PARALLELS VIRTUOZZO . . . . . . . . . . . . . . . . . . . . . . 316
Import Virtuozzo Slave Nodes ....................................... 317 Add Independent Virtuozzo Nodes ................................. 321
COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Add Computer Groups to a Parallels Virtuozzo Type ......... 327 Add Computers to a Computer Group for Parallels Virtuozzo330

Import Existing Computers into a Group......................... 333
POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
ix
CHAPTER 18 NON-POWER MANAGED DATA CENTERS . . . . . . . . . . . . . . . . . . 335 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Add Computer Groups to Other/Physical Type ................. 338
ADD COMPUTERS TO A COMPUTER GROUP . . . . . . . . . . . . 340 POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

VWORKSPACE
CHAPTER 19
CLIENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 CLIENT OVERVIEW . . . . . . . . . . . . . . . . . . . . 346 CLIENT INTERFACES . . . . . . . . . . . . . . . . . . . . 346
ABOUT THE APPPORTAL INTERFACE . . . . . . . . . . . . . . . . 346 ABOUT WEB ACCESS . . . . . . . . . . . . . . . . . . . . . . . . . 347

VWORKSPACE
CLIENT PACKAGES . . . . . . . . . . . . . . . . . . . . . 347
ABOUT THE VAS CLIENT 32 . . . . . . . . . . . . . . . . . . . . 348 ABOUT THE VAS CLIENT 32T . . . . . . . . . . . . . . . . . . . 348
vWorkspace Client Executables . . . . . . . . . . . . . . . . . 349
VWORKSPACE
CLIENT CONFIGURATION . . . . . . . . . . . . . . . . . 349
FIRST TIME START CONFIGURATION . . . . . . . . . . . . . . . . 350

Create a New Farm Connection ..................................... 350
MULTIPLE MONITOR SUPPORT . . . . . . . . . . . . . . . . . . . . . . 351 MANAGE APPPORTAL CONNECTIONS . . . . . . . . . . . . . . . . . . . 352 ABOUT THE CONNECTION PROPERTIES . . . . . . . . . . . . . . 352
Connectivity Settings . . . . . . . . Firewall/Proxy Traversal Setting . Credentials Settings . . . . . . . . . Display Settings . . . . . . . . . . . . Local Resources Settings . . . . . . User Experience Settings . . . . . . Password Management Settings . Desktop Integration Settings . . . Auto-Launch Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 355 357 358 360 362 364 365 366
APPPORTAL IN DESKTOP INTEGRATED MODE . . . . . . . . . . . 367

Start the AppPortal in Desktop Integrated Mode .............. 367
APPPORTAL ACTIONS MENU OPTIONS . . . . . . . . . . . . . . . 367 APPPORTAL SETTINGS MENU OPTIONS . . . . . . . . . . . . . . 369 ABOUT THE PNTRAY . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 CHAPTER 20 VWORKSPACE USER SESSIONS . . . . . . . . . . . . . . . . . . . . . . . . 373 OVERVIEW OF USER ACCESS . . . . . . . . . . . . . . . . . . . . . . . 374 MANAGE TERMINAL SERVER SESSIONS . . . . . . . . . . . . . . . . . 374
View View View View View Users Connected to Terminal Servers ..................... 375 Terminal Server Sessions ..................................... 376 Client Information for an Active Session ................. 378 Terminal Server Processes .................................... 379 Terminal Server Applications ................................. 380
USER ACCESS OPTIONS IN THE RESOURCES NODE . . . . . . . . . . 381 ADDITIONAL CUSTOMIZATIONS . . . . . . . . . . . . . . . . . . . 381
Create New Additional Customization Settings................. 381
APPLICATION RESTRICTIONS . . . . . . . . . . . . . . . . . . . . 383

Installation . . . . . . . . . . . . . . . . . . . . . How Application Restrictions Work . . . . . Application Restrictions Properties . . . . . Application Access Control Server Groups Properties of an Application Restriction . . Assign an Application List to Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 384 385 386 387 389
Assign Clients to the Client List ..................................... 390 Unassign Clients from the Client List .............................. 390 View Client Properties .................................................. 390 Schedule Access Hours ................................................ 390
COLOR SCHEMES . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Assign a Color Scheme ................................................ 391
DRIVE MAPPINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Create a New Drive Mapping......................................... 392
ENVIRONMENT VARIABLES . . . . . . . . . . . . . . . . . . . . . . 393

Create a New Environment Variable............................... 393
HOST RESTRICTIONS . . . . . . . . . . . . . . . . . . . . . . . . . 394

Create Host Restrictions............................................... 394 Modify Host Access Applications .................................... 395
REGISTRY TASKS . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Modify a Registry Tasks Key ......................................... 396 Modify a Registry Tasks Value....................................... 397
xi
SCRIPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Assign a Script............................................................ 399
TIME ZONES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Assign a Time Zone ..................................................... 399
USER POLICIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

View User Policies Properties ........................................ 400 Create User Policies..................................................... 401 Modify User Policies ..................................................... 402
USER PROFILES . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 CLIENT SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

Define Client Settings Properties ................................... 405
WALLPAPERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Assign Wallpapers ....................................................... 405 Change Wallpaper Properties ........................................ 406 Add New Wallpaper ..................................................... 407
CHAPTER 21 USER PROFILES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 OVERVIEW OF USER PROFILES . . . . . . . . . . . . . . . . . . . . . . 410 HOW USER PROFILES WORK . . . . . . . . . . . . . . . . . . . . 411 USER PROFILES PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . 411 GENERAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 STORAGE SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . 413 SILOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 PERMISSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 CONFIGURE USER PROFILES . . . . . . . . . . . . . . . . . . . . . . . 416
Configure User Profiles Properties.................................. 416
MANDATORY USER PROFILE . . . . . . . . . . . . . . . . . . . . . . . . 418 ASSIGN MANDATORY USER PROFILES . . . . . . . . . . . . . . . 419

Modify a Users Profile Path in Active Directory ................ 419
DEFINE USER PROFILES . . . . . . . . . . . . . . . . . . . . . . . . . . 420

Define a Registry Key in User Profiles............................. 422
DEFINE SPECIAL FOLDER USER PROFILES . . . . . . . . . . . . 423

Define a Special Folder User Profile Element ................... 424
xii
CHAPTER 22 VWORKSPACE WEB ACCESS . . . . . . . . . . . . . . . . . . . . . . . . . . 427 ABOUT WEB ACCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Install Web Access ...................................................... 430
WEB ACCESS MANAGEMENT CONSOLE . . . . . . . . . . . . . . . . . 430 GLOBAL SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . . 431 FARM SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 CONFIGURATION . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Configure Farms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Add or Remove a Farm ................................................ 433
Configure the Connectivity Settings . . . . . . . . . . . . . . 433

Set Connection Brokers by Farm ................................... 434 Set Firewall/SSL VPN by Farm....................................... 435 Set Proxy Server Settings by Farm ................................ 436
Configure the Authentication Settings . . . . . . . . . . . . . 437

Set Set Set Set Set Windows Domain................................................... 437 Two-Factor Authentication ...................................... 438 Credentials Pass-Through ....................................... 439 Password Management........................................... 440 Client Identification................................................ 440
Configure the User Experience Settings. . . . . . . . . . . . 441

Set Local Resources .................................................... 441 Set Display ................................................................ 442 Set Performance ......................................................... 444
Configure the User Interface Settings . . . . . . . . . . . . . 445

Set Set Set Set Set Content Layout Options .......................................... 446 Look & Feel Options ............................................... 448 Messages Options.................................................. 450 Downloads Options ................................................ 451 Miscellaneous Options ............................................ 451
Configure the Web Access Application . . . . . . . . . . . . . 452

Set the General Options ............................................... 453
USE WEB ACCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 INTEGRATION WITH JUNIPER NETWORKS SECURE ACCESS . . . . . . 460
Create Custom Headers ............................................... 460
WEB ACCESS AND SMART CARDS . . . . . . . . . . . . . . . . . . . . 463

Configure Web Access for Smart Cards .......................... 464
xiii
CHAPTER 23 VWORKSPACE AND THE SSL GATEWAY . . . . . . . . . . . . . . . . . . 467 ABOUT THE SSL GATEWAY . . . . . . . . . . . . . . . . . . . . . . . . 468 INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Install the SSL Gateway ............................................... 469
SSL GATEWAY CONFIGURATION . . . . . . . . . . . . . . . . . . . . . 469 CONFIGURATION OPTIONS . . . . . . . . . . . . . . . . . . . . . . 472

Configure AppPortal Access .......................................... 473 Configure the Web Interface ......................................... 476 Configure AppPortal and Web Interface .......................... 479
CHAPTER 24 UNIVERSAL PRINTING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 ABOUT PRINT-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 PRINT-IT COMPONENTS . . . . . . . . . . . . . . . . . . . . . . . . . . 485 UNIVERSAL PRINT DRIVER. . . . . . . . . . . . . . . . . . . . . . 485 UNIVERSAL NETWORK PRINT SERVICES . . . . . . . . . . . . . . 485 UNIVERSAL PRINT DRIVER OPTIONS . . . . . . . . . . . . . . . . . . . 486 UNIVERSAL NETWORK PRINTER AUTO-CREATION OPTION . . . 486 UNIVERSAL CLIENT PRINTER AUTO-CREATION OPTION . . . . . 488 PRINT-IT PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . . 489
Print-IT Client Properties . . . . . . . . . . . . . . . . . . . . . . 501
UNIVERSAL NETWORK PRINT SERVICES OPTIONS . . . . . . . . . . . 503 UNIVERSAL NETWORK PRINT SERVER EXTENSIONS OPTION . . 503
Setup Print-IT Printers ................................................. 504 Add Network Printers................................................... 504 Assign Printers to Clients.............................................. 505
UNIVERSAL PRINT RELAY SERVICE FOR REMOTE SITES OPTION506

Configure Universal Print Relay Service for Remote Sites .. 507
Manage Relay Servers. . . . . . . . . . . . . . . . . . . . . . . . 509

Add Print-IT Remote Relay Servers................................ 509 Import Remote Printers ............................................... 510 Assign Remote Printers to Clients .................................. 510
PRINTERS WINDOW IN VWORKSPACE MANAGEMENT CONSOLE . . . 511 PRINT-IT PRINTER PROPERTIES . . . . . . . . . . . . . . . . . . 512
View and Edit Print-IT Printer Properties......................... 512
xiv
CHAPTER 25 USB DEVICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515 ABOUT USB DEVICES . . . . . . . . . . . . . . . . . . . . . . . . . . . 516 USB REDIRECTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
USB REDIRECTION CLIENT . . . . . . . . . . . . . . . . . . . . . 516

USB Redirection Client Applet . . . . . . . . . . . . . . . . . . 517 USB Redirection Client System Tray . . . . . . . . . . . . . . 518 USB Redirection Client Services . . . . . . . . . . . . . . . . . 519
USB REDIRECTION SERVER . . . . . . . . . . . . . . . . . . . . . 519

USB Redirection Server Applet . . . . . . . . . . . . . . . . . . 520 USB Redirection Server System Tray . . . . . . . . . . . . . 521 USB Redirection Server Services . . . . . . . . . . . . . . . . 521
Manage USB Devices ................................................... 522
USB-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522 HOW USB-IT WORKS . . . . . . . . . . . . . . . . . . . . . . . . 523

Configure USB-IT ........................................................ 523
CHAPTER 26 WORKLOAD MANAGEMENT AND PERFORMANCE OPTIMIZATION . . 525 ABOUT WORKLOAD MANAGEMENT . . . . . . . . . . . . . . . . . . . . 526 HOW WORKLOAD MANAGEMENT WORKS . . . . . . . . . . . . . 526 WORKLOAD MANAGEMENT ON TERMINAL SERVERS . . . . . . . 529 WORKLOAD EVALUATOR GUIDELINES . . . . . . . . . . . . . . . 529
Create Workload Evaluators.......................................... 530 Assign Workload Evaluators to Servers .......................... 531 Assign Workload Evaluators to Managed Applications ....... 531
PERFORMANCE OPTIMIZATION. . . . . . . . . . . . . . . . . . . . . . . 532 ABOUT CPU UTILIZATION MANAGEMENT . . . . . . . . . . . . . 532 ABOUT VIRTUAL MEMORY OPTIMIZATION . . . . . . . . . . . . . 533
Install CPU and Memory Optimization . . . . . . . . . . . . . 535 Enable CPU and Memory Optimization. . . . . . . . . . . . . 535
MAX-IT MASTER POLICY SETTINGS . . . . . . . . . . . . . . . . 536

Max-IT Server Policy . . . . . . . . . . . . . . . . . . . . . . . . . 543
Set the Max-IT Policy for Specific Servers....................... 543
xv
VIEW VM OPTIMIZATION RESULTS . . . . . . . . . . . . . . . . . . . 544

View Session Summary Information .............................. 545 View Results for a Specific Session ................................ 545 View Results per Application ......................................... 545
MANUALLY APPLY OPTIMIZATIONS . . . . . . . . . . . . . . . . . 546 APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547 BEST PRACTICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547

General . . . . . . . . . . . . . . . . . . . vWorkspace Management Console Services . . . . . . . . . . . . . . . . . . Connection Broker . . . . . . . . . . . Sysprep Template. . . . . . . . . . . . VirtualCenter Server . . . . . . . . . . VirtualCenter Templates . . . . . . . Failover Protection . . . . . . . . . . . High Availability . . . . . . . . . . . . . Other Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547 547 548 548 548 549 549 552 553 553
APPENDIX B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555 ABOUT THE CONFIG.XML FILE . . . . . . . . . . . . . . . . . . . . . . 555 LOCATION SECTION OF CONFIG.XML. . . . . . . . . . . . . . . . 563 GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
xvi
Whats New in vWorkspace 6.0

Information about the new features in the Quest vWorkspace version 6.0 release are included in this chapter. Read the material to familiarize yourself with the new features, and use the blue links to review further information about them in the vWorkspace Administration Guide.
Our name has changed!

As you might have already noticed, the first new item in this release is our name change. Provision Networks Virtual Access Suite is now Quest vWorkspace. While the name change is effective with this release and the new name is used in the application as well as all the documentation, some areas have not been completely updated at this time.
Upgrade Considerations
The following consideration needs to be reviewed prior to completing an upgrade to Quest vWorkspace version 6.0.
Any versions of PNTools that are previous to the vWorkspace 6.0 release must be removed before proceeding with the installation of vWorkspace 6.0.
Features
Parallels Virtuozzo Containers Integration Experience Optimized Protocol Features Geographic Locations vWorkspace Web Access Interface HP Remote Graphics Software Remote Control Sessions for VDI User Profiles Enhancements and Support for Desktops
Microsoft Windows Vista and Server 2008 Support Security Enhancements Persistent Disks and Memory for VMware Bandwidth Optimization
Parallels Virtuozzo Containers Integration

With this release, Parallels Virtuozzo and vWorkspace are offering a bundled VDI solution. This combination of Parallels Virtuozzo Containers server virtualization and vWorkspace desktop brokering and management solutions enables a VDI infrastructure to be built with high density that maximizes management efficiency. See Parallels Virtuozzo Integration for more information.
Experience Optimized Protocol Features

The following features have been added to the Experience Optimized Protocol with the vWorkspace 6.0 release: Multimedia Redirection Enables the redirection of Microsoft Windows Media content from the VDI or Windows Terminal Session through an RDP Virtual Channel to the client where it is played using the local compression/decompression (CODEC) technology. Graphics Acceleration Reduces bandwidth consumption and dramatically improves user experiences, making RDP usable over WAN connections.
Settings for the optimization features can be enabled so that users can automatically connect to the features at logon. See Experience Optimized Protocol for more information.
Geographic Locations vWorkspace

This new feature dynamically changes the way administrators organize the vWorkspace Management Console using geographic locations to organize Connection Brokers, Terminal Servers, Desktops, and Other Servers. See vWorkspace Locations for more information.
xviii
Web Access Interface

This release features a completely rewritten Web Access interface that provides a better look and feel. See vWorkspace Web Access for more information.
HP Remote Graphics Software

Hewlett-Packard Remote Graphics Software (HP RGS) protocol is now supported with this version of vWorkspace. HP RGS enables users to view and interact with 2-D and 3-D graphics over a secure, remote connection. An option is available for computer group and computer properties to indicate if RGS is to be utilized, as well as on the Quest vWorkspace Remote Desktop Connection, General tab.
xix
Remote Control Sessions for VDI

The ability to use remote control functioning to shadow VDI sessions is available with this release. Previously, the same functionality was available only for Terminal Server sessions. The remote control functioning can be used from the User Session sectioning of licensing, or by right-clicking on a virtual machine and selecting Remote Control Session. See User Sessions for more information about accessing this option from the Licensing menu, or View a Session by Remote Control on how to access this option from the Desktops node.
Assignment of VM
The ability to assign a virtual machine to client type of Users, Groups, Device Addresses, Device Names, or Organizational Units is available with this release. Clients can be assigned to a specific computer based on User, Device Name, Device Address, Organizational Unit, or Group by using the Computer Group wizard. These assignments are made on the Client Assignment window of the Computer Group wizard. See Client Assignment in the vWorkspace Management Console chapter for more information.
User Profiles Enhancements and Support for Desktops

With this release, User Profiles support VDI and physical desktops. See the User Profiles chapter for more information.
Microsoft Windows Vista and Server 2008 Support

With this release, vWorkspace now delivers some supported features for Microsoft Windows Vista and Microsoft Windows Server 2008 host operating systems. User Profiles, USB, and Multimedia Redirection are currently not supported for Microsoft Windows 64-bit, and Max-IT is not currently supported in Microsoft Windows Server 2008.
Security Enhancements
Enhancements have been made to add additional security to PIT files when using a launch application method.
xx
Persistent Disks and Memory for VMware

This new feature enables administrators to configure VMware virtual machines for persistent disks and memory one of the following ways: Manually on one or more computers. Manually for all computers in a computer group. Automatically using the Automated Task feature for a computer or computer group. Configure during the create/clone process.
See Disk and Memory Persistence for more information.
USB Redirection
The ability to use virtually any USB connected device (PDAs, local printers, scanners, cameras, headsets) in conjunction with VDI is included in this release. Users can connect multiple USB devices and then decide which devices to share. See USB Redirection for more information.
Bandwidth Optimization
Integration with quality of service (QoS) and bandwidth compression devices, where RDP settings are automatically configured to allow the QoS devices to further compress and cache RDP content, has been added with this release. See Computer Group Properties for more information.
Whats Changed
Listed below are some of the features that have changed in vWorkspace 6.0: An additional column has been added to the vWorkspace Management Console to identify if computers are disabled or enabled. With this change, disabled computers can be easily identified. A wizard is available to assist with publishing multiple App-V/SoftGrid applications at the same time. Virtual Channel Policy has been renamed to Client Settings. Microphone, Local Text Echo, Graphics Acceleration, and Multimedia Redirection has been added to the Client Settings.
xxi
VMware icons have been changed from the standard VMware icon to the VirtualCenter Server icon. Properties for Connection Brokers, Terminal Servers, Desktops, and Other Servers are now configured on the Managed Computers Properties window, located under Properties, from the Locations context menu. A new Ticket Expiration setting has been added to the Communications Settings of the Connection Brokers Properties. Locations | Properties | Communication Settings The seamless windows logic is now disabled during logon, replaced by a progress window that includes a Detail button that enables users to view any problems that might occur during logon. Once the application is started, the progress window closes and all windows display seamlessly. Previous references to the computer assignment label of Permanent has been changed to Persistent. Previous references to USB Handhelds has been renamed to USB Devices. A new step, Install Files Path, has been added to the Advanced Settings of the Sysprep process for new and imported sypreps for VMware machines. This step can be used if you are using VMware update 3, as with the update 3 release an InstallFilesPath entry needs to be added in the sysprep information in order for the VM to be joined to a domain. The ability to select Remote Control has been added to the Processes tab function for Terminal Servers.
xxii
About This Guide

Overview Conventions About Quest Software vWorkspace Resources Contact Support
Overview
The Quest vWorkspace Administration Guide is designed to assist administrators with tasks pertaining to deploying, managing, and using the Quest vWorkspace. It assumes familiarity with: Microsoft Windows XP Professional and Microsoft Windows Server 2003 Virtual Iron Version 3.x VMware Virtual Infrastructure 3 and VirtualCenter 2 Microsoft Hyper-V Parallels Virtuozzo Containers
It is recommended that you review the table of contents to familiarize yourself with the topics of discussion.
Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references:
ELEMENT Select Bolded text Italic text Bold Italic text Blue text CONVENTION This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons. Interface elements that appear in Quest Software products, such as menus and commands. Used for comments. Used for emphasis. Indicates a cross-reference. When viewed in Adobe Reader, this format can be used as a hyperlink. Used to highlight additional information pertinent to the process being described. Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
xxiv
ELEMENT
CONVENTION Used to highlight processes that should be performed with care.
+ |
A plus sign between two keystrokes means that you must press them at the same time. A pipe sign between elements means that you must select the elements in that particular sequence.
About Quest Software

Quest Software, Inc., a leading enterprise systems management vendor, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 90,000 customers worldwide meet higher expectations for enterprise IT. Quest provides customers with client management as well as server and desktop virtualization solutions through its subsidiaries, ScriptLogic, Vizioncore and Provision Networks. Quest's Foglight application management solution unifies IT services with end users and the business, resolves problems faster to reduce downtime, and lowers the operating cost of managing applications. Quest Software can be found in offices around the globe and at www.quest.com.
Contact Quest Software

Email Mail info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com
Web site
Refer to our Web site for regional and international office information.
xxv
vWorkspace Resources
The Quest vWorkspace home page is found at http://www.vWorkspace.com. The following resources are available from the vWorkspace web site: Software downloads Select the Download link and log in. Downloadable files include the vWorkspace product, hotfixes, prerequisites, and documentation. Technical support Select the Support link and log in. Free 60-day support (from the purchase date) is available directly from Quest vWorkspace. Online knowledgebase Select the Support | Knowledgebase link to view technical articles with answers to frequently asked questions, troubleshooting tips, and white papers. Discussion forums Select the Forums link and log in to participate in discussions with other vWorkspace users about technical matters related to Quest vWorkspace software products. Technical Training Select the Education link to review course schedules and enroll in certification classes. Blog The Quest vWorkspace official blog can be found at: http://blogs.inside.quest.com/provision
Contact Support
Quest vWorkspace support is available to customers who have a trial version of our product, or who have purchased a commercial version and have a valid support contract. Contact Quest vWorkspace support at support@provisionnetworks. com or visit our Web site at http://www.vworkspace.com and click on the Support link.
Document Feedback
We would like to hear from you. Please e-mail any comments or suggestions about our documentation to pndocfeedback@quest.com.
xxvi
1
Introduction to vWorkspace
Overview Product Suites Enterprise Edition Desktop Services Edition Power Tools Suite for Terminal Servers Standard Edition Licensing
Overview
Welcome to the Quest vWorkspace, a comprehensive presentation and desktop virtualization solution. Our solutions embrace and extend the Microsoft Terminal Services platform and virtualization infrastructure platforms from VMware, Virtual Iron, and Citrix XenSource, Microsoft Hyper-V, and Parallels Virtuozzo Containers delivering resilient, scalable, and dynamic on-demand desktop deployment and application delivery for enterprises worldwide. vWorkspace leverages virtual machine technologies, as well as PC blade technologies from vendors such as IBM, Hewlett-Packard Company, and others. More than a traditional connection broker, vWorkspace empowers desktop infrastructures with extensive management and monitoring capabilities, as well as a myriad desktop and application access features. Organizations can implement vWorkspace to deliver full-featured desktops from a central infrastructure comprised of virtual and physical machines, running a Windows desktop or server operating system such as Microsoft Windows XP Professional, Windows Vista, Microsoft Windows Server 2003, or Microsoft Windows Server 2008. Throughout the enterprise, users gain access to desktop resources by using thin client terminals or repurposed PCs running a Web browser and the vWorkspace client. Mobile and home users can gain single, secure access point to the same vWorkspace-enabled infrastructure via the built-in SSL gateway or various third-party SSL VPN appliances. vWorkspace offers desktop management and client access methodologies very similar to those found in Windows Terminal Server environments. Desktop workspaces are provisioned and managed in groups that are functionally similar to Terminal Server silos. These desktop groups are referred to in the vWorkspace as managed computer groups. A managed computer group is a logical grouping of virtual or physical machines that share common attributes and adhere to common policies. A managed computer group often mirrors a departmental function or task, a geographical location, or an outsourced entity. A vWorkspace-enabled hosted desktop infrastructure consists of a farm of managed computer groups. Similar to Windows Terminal Server environments, the workspace experience is delivered to the client in the form of a published desktop, or as a set of individually published applications which are preinstalled onto each desktop or streamed on demand.
2
Product Suites
Several product suites are available: Hosted Desktops and Terminal Servers (Enterprise Edition) This product builds a unified infrastructure comprised of Windows Terminal Servers and standard Windows desktops. Some of the features include: Application Publishing Load Balancing Seamless Windows Connections Web Access SSL Gateway Universal Print Driver User Profile Acceleration
3
USB Redirection Performance Optimization Virtual IP Session Configuration and Lockdown File and Registry Redirection Concurrent User Licensing
Hosted Desktops Only (Desktop Services Edition) This product builds and manages infrastructures comprised of standard Windows desktops running on physical PCs or in a virtualized environment. Some of the features include: Integration with VMware VirtualCenter, Virtual Iron, Microsoft Hyper-V, and Parallels Virtuozzo. Sysprep-based Desktop Provisioning Power State Management Application Publishing Seamless Windows Connections Web Access SSL Gateway Universal Print Driver USB Redirection Concurrent User Licensing
Power Tools Suite for Terminal Servers (Standard Edition) This product empowers your existing Terminal Server infrastructure with additional features, which include: Universal Print Driver User Profile Acceleration USB Redirection Performance Optimization Virtual IP Session Configuration and Lockdown File and Registry Redirection Concurrent User Licensing
Standalone Power Tools for Terminal Servers This product allows you to license specific power tools, but not the entire suite. Licensing is on a per server basis.
Enterprise Edition
vWorkspace Hosted Desktops and Terminal Servers (Enterprise Edition) includes all the functional modules included with the Standard and Desktop Services Editions. In addition, it includes Terminal Services Enhancements (Provision-IT) that extend the inherent capabilities of Windows Terminal Server with such important features as application publishing, load balancing, seamless windows, Web Interface, and SSL Gateway.
Terminal Services Enhancements

Provision-IT
Provision-IT enhances Microsoft Windows Terminal Server with advanced features such as application publishing, load balancing, seamless windows, session sharing, and credentials pass-through. Provision-IT published applications can also be accessed through a Web interface and started over secure SSL connections, eliminating the need to compromise firewall security using Web Access and Secure-IT. Non-Win32 RDP-capable client devices, such as Macs, thin clients, and other devices running proprietary or third-party RDP client software, can leverage Proxy-IT to connect to a load-balanced Provision-IT Terminal Server farm without requiring additional client software. See vWorkspace Additional Components for more information on Proxy-IT.
Secure-IT
Secure-IT is a Secure Sockets Layer (SSL) gateway designed to simplify the deployment of business-critical applications via the Internet, securely and cost-effectively. With Secure-IT, RDP connections from client workstations to the Secure-IT server are encrypted using SSL, and sent through the firewall on TCP port 443. Once received by the Secure-IT server, the SSL traffic is then decrypted and forwarded to the Provision-IT Terminal Servers on TCP port 3389, which is the standard RDP port. Outbound RDP traffic passing through the Secure-IT server is encrypted and forwarded to the client workstations.
5
Web Access
Web Access extends Provision-IT functionality by enabling Win32 clients to access published applications using a standard Web browser. With Web Access, traditional client and server applications can be instantly deployed over the Web, eliminating the need to rewrite Web-specific versions of these applications.
Desktop Services Edition

Quest vWorkspace Hosted Desktops Only (Desktop Services Edition) is a comprehensive desktop management framework that transforms conventional desktop computers into on-demand computing services. vWorkspace leverages virtual machine technologies such as those from Virtual Iron and VMware, as well as PC blade technologies. More than a traditional connection broker, the vWorkspace empowers desktop infrastructures with extensive management and monitoring capabilities, as well as desktop and application access features. Organizations can implement the vWorkspace to deliver full-featured desktops from a central infrastructure comprised of virtual and physical machines running a Windows desktop or server operating system such as Microsoft Windows XP, Windows Vista, Microsoft Windows Server 2003, or Microsoft Windows Server 2008. Throughout the enterprise, users gain access to desktop resources by using thin client terminals or repurposed PCs running a Web browser and the vWorkspace client. Mobile and home users can gain single point, secure access to the same vWorkspace-enabled infrastructure via the built-in SSL Gateway or various third-party SSL VPN appliances.
vWorkspace offers desktop management and client access methodologies very similar to those found in Windows Terminal Server environments. Desktop workspaces are provisioned and managed in groups that are functionally similar to Terminal Server silos. These desktop groups are referred to in vWorkspace as managed computer groups. A managed computer group is a logical grouping of virtual or physical machines that share common attributes and adhere to common policies. A managed computer group often mirrors a departmental function or task, a geographical location, or an outsourced entity. A vWorkspace-enabled hosted desktop infrastructure consists of a farm of managed computer groups. Also, the vWorkspace experience is delivered to the client in the form of a published desktop, or as a set of individually published applications which are preinstalled onto each desktop or streamed on demand.
Application streaming is a software distribution methodology used to enhance the management and flexibility of a desktop infrastructure by making the need to pre-install (manually or by using conventionally software distribution tools) the applications onto each desktop unnecessary.
Desktop Services Edition Anatomy and Features

There are three major components in vWorkspace Desktop Services: Connection Broker
Single Access Infrastructure User Experience and Last-Mile Enhancements
About the Connection Broker

The Quest vWorkspace Connection Broker Service is a highly scalable Windows service capable of provisioning, managing, and brokering connections to virtual and physical machines running Windows XP, Windows Vista, and Windows Server 2003. The Connection Broker Service also offers extensive support for Windows Terminal Servers when using vWorkspace Enterprise Edition. Connection Broker responsibilities include: desktop status and heartbeat; as well as fault management, policy enforcement, and client connectivity arbitration.
About Single Access Infrastructure

A sophisticated access portal including a Web Interface and SSL Gateway enable any PC or thin client to securely connect and access a vWorkspace infrastructure or Windows-based managed computers and applications.
About User Experience and Last-Mile Enhancements

On-demand access to desktop workspaces by way of published desktops and applications. Using a Web browser or the AppPortal client (an optional component of the vWorkspace client), users gain access to full-featured desktop workspaces or individually published applications. Additional user experience features include seamless windows, multi-monitor support, single sign-on, credentials pass-through, smart card authentication, USB PDA redirection, and universal print driver.
Key Features
The following key features and aspects of the Desktop Services Edition are described below: Connection Broker Virtual Machine Management Tasks Desktop Group and Individual Desktop Policies Desktop and Application Publishing Access Control Lists Resource Management and High Availability Client Connectivity User Experience Enhancements / Last-Mile Features
Connection Broker
The Connection Broker offers the following features: Highly scalable Windows service. Integrates with Virtual Iron Virtualization Manager and VMware VirtualCenter Server to provision and customize new desktop workspaces, and to perform a broad set of power management tasks. Multiple Virtual Iron Virtualization Manager servers and VMware VirtualCenter servers are supported simultaneously. Multiple Connection Brokers are allowed per infrastructure. Installation can be inside a virtual appliance. Responds to client connectivity requests and redirects each client to the appropriate desktop. Communicates with the Data Collector service running inside each managed computer.
9
Virtual Machine Management Tasks

VMware vWorkspace Desktop Services offers the following features to assist and enhance managing desktop computers hosted in a VMware Virtual Infrastructure 2.x or newer. Wizard-based VM provisioning capability allowing the administrator to specify the following parameters: Number of virtual machines in a group. Target resource pool for creating virtual machines. Distribute virtual machines across multiple datastores. Target folder for categorizing virtual machines. Desired template for deploying new virtual machines. Customization parameters. Date and time to start the virtual machine creation process.
Virtual machine deletion. Virtual machine suspension and resumption. Virtual machine power-off and power-on. Virtual machine status monitoring (powered off, powered on, suspended). Desktop operating system event reporting (logged on, logged off, disconnected offline).
Virtual Iron vWorkspace Desktop Services offers the following features to assist and enhance managing desktop computers hosted in a Virtual Iron Infrastructure 4.x or newer. Wizard-based VM provisioning capability allowing the administrator to specify the following parameters: Number of virtual machines in a group. Distribute virtual machines across multiple datastores. Desired template for deploying new virtual machines.
Virtual machine status monitoring (power off and power on). Desktop operating system event reporting (logged on, logged off, disconnected offline).
10
Microsoft Hyper-V vWorkspace Desktop Services offers the following features to assist and enhance managing desktop computers hosted in a Microsoft Hyper-V environment. Wizard-based VM provisioning capability allowing the administrator to specify the following parameters: Number of virtual machines in a group. Target resource pool for creating virtual machines. Distribute virtual machines across multiple datastores. Target folder for categorizing virtual machines. Desired template for deploying new virtual machines. Customization parameters. Date and time to start the virtual machine creation process.
Virtual machine deletion. Virtual machine suspension and resumption. Virtual machine power-off and power-on. Virtual machine status monitoring (powered off, powered on, suspended). Desktop operating system event reporting (logged on, logged off, disconnected offline).
Parallels Virtuozzo Containers vWorkspace Desktop Services offers the following features to assist and enhance managing desktop computers hosted in a Parallels Virtuozzo Containers environment. Wizard-based VM provisioning capability allowing the administrator to specify the following parameters: Number of virtual machines in a group. Import master nodes and add independent nodes. Target folder for categorizing virtual machines. Desired template for deploying new virtual machines. Customization parameters. Date and time to start the virtual machine creation process.
Virtual machine deletion. Virtual machine suspension and resumption.

11
Virtual machine power on and shut down os. Virtual machine status monitoring.
Desktop Group and Individual Desktop Policies

Desktop group and individual desktop policies desktops can be assigned to users prior to the first logon. Alternatively, the Connection Broker can automatically assign persistent or non-persistent desktops to users upon first logon. Policy settings can be specified per desktop, overriding the parent group policy settings. Access to desktops can be confined to certain days of the week and hours of the day. Virtual machine based desktops can be automatically suspended if idle. Users can be dynamically added to the Power Users or Administrators group on their assigned desktops.
Desktop and Application Publishing

Full desktops and individual applications can be published. Desktops and applications are published on desktop groups. Access is granted or denied to applications using Access Control Lists.
Access Control Lists

Access Control Lists (ACL) are containers of user accounts, groups, organizational units, and client devices, which are specified by name and IP address. They are used to grant or deny access to managed computer groups and published resources.
Resource Management and High Availability

For any reason, if the users persistent desktop fails to respond, the user is temporarily assigned a free desktop from the same group. If the original desktop becomes available on future log on attempts, the user is automatically redirected to it.
Client Connectivity
The following client devices are supported:
12
Microsoft Windows 2000 Pro/XP/Vista Microsoft Windows CE (version 5.0 and later)
Linux Java Linux-based PXE boot Wyse Thin OS
User Experience Enhancements / Last-Mile Features

Seamless Windows Individual published applications running inside the hosted desktop appear on the user's screen as if they are running locally. This feature is supported on computers running Windows 2000 Pro/XP/Vista, as well as on thin client terminals running Windows XP Professional and Windows CE. Session Sharing Applications published on the same managed computer group all share the same desktop. High Screen Resolution Support for screen resolutions up to 4096 x 2048 lines. Multi-Monitor Support Support for multiple monitors with different resolution attached to the client device. When used in conjunction with seamless windows, desktop based application windows can be moved to, resized, and maximized on any monitor. Kerberos-based Credentials Pass-Through Users locally cached domain credentials or Kerberos ticket is re-used for vWorkspace authentication. This feature is useful when the end-user devices, such as thin clients running Windows XPe or repurposed Windows PCs, are joined to a Windows domain. This feature also works in the presence of smart cards and other Windows-compatible authenticators. AppPortal Client Windows client GUI enables users to access their desktop-based published desktops and applications. AppPortal (Desktop-Integrated) A GUI-less operational mode in which AppPortal runs in the system tray. Published desktops and applications are propagated to the users local Desktop and Start Menu. Web Access Enables users to log on and access their published desktops and applications using a standard Web browser. This feature works on computers running Windows 2000 Pro/XP/Vista, as well as thin client terminals running Windows XPe and Windows CE. RDP-over-SSL connectivity Enables users to access their published desktops and applications using the Secure Sockets Layer (SSL) protocol.
13
Universal Print Driver Eliminates the need to install vendor-specific print drivers into the desktops. Driverless printers are autocreated inside each desktop using a single EMF-based universal print driver, regardless of printer make and model. USB Redirection Enables USB-based devices to be redirected over RDP connections and used in conjunction with the BlackBerry Desktop, HotSync, and ActiveSync software running inside the hosted desktops. This feature currently works in conjunction with Windows 2000 Pro/XP/Vista. Remote Password Reset Allows users to reset their expired Windows domain passwords prior to logging on. Experience Optimized Protocol (EOP) Addresses the user experience challenges of Virtual Desktop Infrastructure (VDI) by provisioning seamless, reliable, high-performance enhancements over Microsoft Remote Desktop Protocol (RDP). These enhancements ensure that a VDI deployment can deliver on the promise of virtualization and a true local-desktop experience.
How Desktop Services Edition Works

This section provides an architectural overview of the vWorkspace Desktop Services Edition, how it works, and how client connectivity is established. vWorkspace Desktop Services Edition supports the deployment of desktop workspaces from both PC blades and virtual infrastructures. It features sophisticated desktop provisioning and management capabilities, as well as flexible and intuitive connectivity options from multiple client platforms.
vWorkspace Database
The vWorkspace infrastructure is database-driven, requiring a shared or dedicated Microsoft SQL Server 2000 or 2005 to store its configuration information in a database referred to as the Provision or vWorkspace database. For small- to medium-size environments (up to 2,500 desktops), Microsoft SQL Server 2005 Express database management system can be used. Please note that a single vWorkspace infrastructure can encompass multiple Virtual Iron Virtualization Manager servers and VMware VirtualCenter servers, each managing several hosts.
14
Connection Broker
At the heart of vWorkspace is the Connection Broker, a highly scalable Windows service that runs on a Windows XP Professional or Windows Server 2003 computer. The Connection Broker is tasked with provisioning and managing desktops running on physical computers, such as PC blades, as well as inside virtual machines. The Connection Broker integrates with virtualization platforms from Virtual Iron and VMware using their respective Software Developer Kits (SDK) for the purpose of provisioning fully customized desktop workspaces encapsulated inside virtual machines, and, when necessary, to perform power management tasks such as Power Off, Power On, Suspend, and Resume. The Connection Broker is also responsible for client connectivity arbitration, such as determining the proper desktop to which the user will connect. For scalability and high availability, multiple Connection Brokers can coexist in a single vWorkspace infrastructure, and the computers running the Connection Broker service can either be virtual or physical. It is also possible, though not recommended for very large environments, to host the vWorkspace database on one of these computers along with the Connection Broker.
Hosted Desktops
Hosted desktops are the physical and virtual machines that run on an operating system such as Windows XP Professional and Windows Server 2003. They must be configured to accept remote desktop connections using the RDP protocol. In addition, the PNTools must be installed onto these machines, enabling them to communicate back and forth with the Connection Brokers. Specifically, the Data Collector service running on each desktop communicates with the Connection Broker to send it a heartbeat signal, as well as events such as logon, logoff, or disconnect, logon status, and connection readiness information. It also receives from the Connection Broker pre-logon configuration data, allowing the desktop to be preconfigured according to established policies, shortly prior to the user logging on. The PNTools also extends the capabilities of each desktop with user experience enhancements and last-mile features such as application publishing, seamless windows, universal print driver, and USB-based PDA redirection.
Microsoft Vista host machines require Microsoft Vista SP1 or higher to work with PNTools.
15
TCP Port Requirements
The TCP/IP port number requirements for vWorkspace services are listed below. Data Collector Service It listens for Connection Broker service connections on 5203. This is a Windows service that runs inside each managed computer and vWorkspace-enabled Terminal Server and communicates back and forth with the Connection Broker. When the PNTools is installed onto a desktop, a Windows Firewall port exception rule is automatically added to allow incoming connections on this port. Connection Broker It listens for Data Collector service connections on 5201. It also listens for incoming client connection requests on a configurable port, using 8080 as the default. Optionally, the Connection Broker can be configured to require SSL encryption using 443 as the default. This service communicates back and forth with the Data Collector running inside each managed computer or vWorkspace-enabled Terminal Server.
16
Password Management Service This service accepts SSL-protected client password reset requests on a configurable port, using 443 as the default. Web Interface The Web Interface, being a web service, uses HTTP and HTTPS application protocols. Although the default port numbers are 80 and 443 respectively, any ports can be used. SSL Gateway The Quest vWorkspace SSL Gateway acts as an SSL proxy for Connection Broker, Web Interface, and RDP communications, and by default listens on 443. RDP RDP listens on 3389 by default. Microsoft RDP (Remote Desktop Protocol) is used for connections from vWorkspace clients to Terminal Servers or managed computer.
Client Connectivity
The Quest vWorkspace is available for various Windows and non-Windows platforms using the AppPortal or Web Access view. The following platforms are available: Microsoft Windows Windows CE Thin Client Terminals vWorkspace Linux Client Thin Client Devices
AppPortal View
17
Web Access View
Microsoft Windows
In order to establish remote connections to vWorkspace managed computers, the vWorkspace client software must be installed onto the users Windows computer which could be a conventional or repurposed PC, laptop, or a Windows XPe thin client terminal. In all cases, users initiate a remote connection by using the AppPortal or a Web browser. Upon successful authentication, the authorized list of published desktops and applications are sent to the client device. Remote connections can then be initiated by clicking the desired desktop or application shortcut inside AppPortal or the Web browser. The following Microsoft Window client platforms are supported: Microsoft Windows 2000 Pro Microsoft Windows XP Microsoft Window Vista
Windows CE Thin Client Terminals

Windows-based terminals running Windows CE 5 are also fully supported, provided the manufacturer has already embedded or is willing to embed the vWorkspace client software for Windows CE onto the device. Windows CE terminals built with the taskbar component may also use the Web Interface, as well as start published applications in seamless windows mode.
18
vWorkspace Linux Client

The vWorkspace Linux client is available the following ways: A GUI client is available from the Quest vWorkspace FTP site. The vWorkspace client software is embedded on to a thin client device, providing the manufacturer has already embedded or is willing to embed the software on to the device. The Linux source code is available to be compiled on any version of Linux.
Upon successfully connecting to and authenticating with a Connection Broker, a Linux-based client receives back a list of published desktops and applications, that can be selected and started. Upon starting a published desktop or application, the client receives from the Connection Broker the IP address of the desktop that has been assigned to the user. Lastly, the RDESKTOP client is started to initiate a direct RDP connection to the desktop. The vWorkspace Networks Linux client offers the following features: Application publishing Desktop publishing Mapping of local drives Mapping of local audio Mapping of smart cards NAT for firewall traversal RDP over SSL Window size and colors Local printer ports Local COM ports RDP printers Experience options
There is no support for USB-IT or Print-IT in this version of the client. The source code is freely available for compiling on different versions of Linux. The vWorkspace Live clients (PXE/TFTPBoot and LiveCD) are based on Debian GNU/Linux.
19
Thin Client Devices

The Quest vWorkspace client is offered on a variety of platforms, including thin clients. Thin clients typically come in one of three types, Microsoft Windows Embedded CE, Linux, and Microsoft Windows XP Embedded. Other manufactures have developed their own operating systems, such as the Wyse Thin OS (WTOS).
Wyse Thin OS
vWorkspace supports Wyse Thin OS (WTOS), and the configuration of it is controlled by DHCP and INI files on the Connection Broker. The following steps must be followed for configuration.
Configuration
DHCP option 188 is used to list the addresses of each Connection Broker, and the XML Communication Port. DHCP option 161 lists the servers that hold updated WTOS Firmware. Since Connection Brokers can do both of these, once may configure either or both options.
20
On the Connection Broker, browse to %ProgramFiles%\Provision Networks\Wyse. Create a subdirectory named WNOS (case sensitive). In the WNOS directory, create two sub-directories, ini and bitmap. Use Notepad to create the two ini files listed in the WNOS directory: wnos.ini contents: signon=1 autoload=1 autosignoff=yes privilege=High Domainlist=YourDomainName rdp.ini contents: Fullscreen=yes Colors=high Encryption=128 Experience=15 Lowband=no Autoconnect=1 To update the WTOS Firmware, copy the new firmware (RCA_wnos) to the WNOS directory, and set autoload=1 on the wnos.ini file. The basic configuration is completed to connect a WTOS Thin Client to a Connection Broker. If one has multiple Connection Brokers, list them in the DHCP options, and copy the contents of the Wyse Directory to each additional Connection Broker.
For users who connect using version 5.9 or lower, Compatibility Mode can be used. Please note that this delivers using a less secure PIT file. To place a Connection Broker in to Compatibility Mode, create the following registry value on all the Connection Brokers in a farm: You can put a broker into Compatibility Mode by creating the following registry value on all brokers in a farm: HKLM\Software\Provision Networks\Common\Load And License Manager CompatibilityMode = 1 REG_DWORD
For more detailed information, please refer to Wyse documentation.
21
Benefits of vWorkspace-Enabled Desktop Services

Listed here are some benefits of vWorkspace-enabled Desktop Services: Outsourcing Organizations are decentralizing and outsourcing critical business functions to reduce operational costs and remain competitive. However, outsourcing should not necessitate decentralization. A vWorkspace-enabled desktop infrastructure allows organizations to: Return previously decentralized applications and data to the corporate data center. Centrally control and manage all off-site access to these sensitive applications and data. Extend the corporate network security policies to off-site facilities.
Compliance Organizations need to contain desktop proliferation and build standardized, centrally managed computer environments that exhibit tight adherence to corporate security policies and regulatory compliance guidelines including: HIPAA Sarbanes-Oxley Gramm-Leach-Bliley
Disasters Organizations must quickly recover, reprovision, and reestablish user access to complete desktop environments to ensure business continuity. The Desktop Services Edition is deployed in conjunction with virtual machine technology such as Virtual Iron or VMware, each desktop environment is encapsulated inside a separate virtual machine. If a virtual machine becomes unrecoverable for any reason, a new one can be instantly deployed from an existing template. A virtual machine is hardware independent; it is simply files that can be instantly recovered or redeployed to an alternate data center in the event of a major disaster.
Alternative Workspace Organizations must have contingency plans in place to accommodate: Work from home employees. Employees who are quarantined due to a pandemic.
22
Isolation Unlike shared server solutions, Desktop Services Edition offers the following isolation benefits: Each desktop environment is encapsulated inside a separate virtual machine, completely isolated from other virtual machines. If a virtual machine crashes due to a faulty device driver or application, or if anything goes seriously wrong with a virtual machines, other virtual machines remain fully operational. There are no application servers that must be restarted in the event of an anomaly.
Standard OS Unlike shared server solutions, Desktop Services Edition promotes the use of standard desktop operating systems, such as Windows XP, Vista, or Windows Server 2003, and thus offers the following benefits: One machine = One user. Therefore, limited-user access (non-admin) problems or conflicts resulting from concurrent access to HKLM, common files, and other shared data structures are a thing of the past. No custom application repackaging required. No lack of support from ISVs. Does not require additional or complex IT training. Applications are installed and executed without modifications. Manage using standard desktop management tools.
Other Desktop Services Edition can reduce the costs associated with the following: Squandering of computing resources typically observed with severely under-utilized physical PCs. It is a fact that PC resource usage is typically around five percent. Mobile workers requiring additional solutions to satisfy their remote access needs. Test and validation of multiple PC hardware configurations prior to deployment. Need to support a geographically dispersed PC infrastructure with limited to no IT skills at the branch offices. Loss or theft of corporate data assets when physical PCs are stolen.
23
Power Tools Suite for Terminal Servers Standard Edition

The Power Tools Suite for Terminal Servers (Standard Edition) is designed for environments running Citrix XenApp or other third-party add-ons offering similar functionality. The following features are available in both Standard Edition and Enterprise Edition. They are also available individually and may be licensed on a per-server basis. The standard features include: Application and Host Restrictions (Block-IT) Server Configuration and Lockdown (Manage-IT) CPU and Virtual Memory Optimization (Max-IT) User Profile Acceleration (MetaProfiles-IT) Universal Print Driver (Print-IT) Application Compatibility Enhancements (Redirect-IT) Time Zone Management (TimeZones-IT) PDA Redirection (USB-IT) Virtual-IP (VIP-IT)
Application and Host Restrictions (Block-IT)

Block-IT extends the security of a Terminal Server environment by adding session-based Application Access Control (AAC) and Host Access Control (HAC) capabilities.
Server Configuration and Lockdown (Manage-IT)

Manage-IT boasts several powerful features designed to fully automate various time-consuming session configuration tasks in a Terminal Server environment. These important features include the ability to create application shortcuts, set backgrounds and color schemes, map drive letters to network shares, connect to shared network printers, execute scripts, manipulate the user's HKCU registry hive, set per-user environment variables, and lock down the user's Terminal Server session using the most stringent policy settings and hard-to-find hacks.
24
CPU and Virtual Memory Optimization (Max-IT)

Max-IT improves application response times and increases overall server capacity by streamlining and optimizing the use of virtual memory and CPU resources.
User Profile Acceleration (MetaProfiles-IT)

MetaProfiles-IT accelerates logon times and eliminates profile corruptions and management headaches associated with Terminal Server roaming profiles. A MetaProfile combines the persistence of a conventional roaming profile with the speed and robustness of a mandatory profile in order to achieve unprecedented logon speeds and stability levels. Administrators can even implement multiple MetaProfiles per user account to satisfy multi-farm and server silo requirements.
Universal Print Driver (Print-IT)

Print-IT is a single-driver printing solution that satisfies both client side and network printing needs in a Terminal Server environment. In addition to its driver-independent approach to printing, benefits also include the dramatic reduction in network bandwidth utilization and the ability to inherit the properties of the manufacturer-specific print drivers such as supported trays, paper sizes, margins, and many others.
Application Compatibility Enhancements (Redirect-IT)

Redirect-IT is a sophisticated registry and file system redirection engine designed to eliminate a wide range of multi-user conflicts arising from application design limitations.
Time Zone Management (TimeZones-IT)

TimeZones-IT is a per-session time zone assignment module designed exclusively for Terminal Server and Citrix MetaFrame environments. TimeZones-IT allows administrators to specify a unique time zone by user name, group membership, OU, or client device property (client name or IP address). With TimeZones-IT, users can execute their time-and-date sensitive applications in their own time zones, completely independent of the Terminal Servers systemwide time zone setting.
25
PDA Redirection (USB-IT)

USB-IT enables Terminal Services and Citrix MetaFrame clients to seamlessly access their USB-based Palm OS and BlackBerry handhelds over RDP and ICA connections. With USB-IT, users can start the BlackBerry Desktop Manager or Palm Desktop software program from within their sessions, and instantly gain access to their handhelds for the purpose of synchronizing e-mail, calendar, contacts and other personal information with back-end messaging and collaboration systems such as Microsoft Exchange and Lotus Domino.
Virtual-IP (VIP-IT)
VIP-IT enables each user instance of a legacy application to be bound to a unique IP address for identification purposes, allowing many legacy client-server designed applications to run correctly in a multi-user environment.
Licensing
There are two types of licensing: Concurrent User Licensing Per-Server Licensing
vWorkspace Enterprise, Standard, and Desktop Services editions are all licensed on a concurrent user basis. Any number of servers can belong to the vWorkspace infrastructure using this model. For the Enterprise edition, two separate licenses are issued; one for Terminal Services Enhancements and another for Desktop Services. Each license has a user count associated with it indicating the maximum number of concurrent users that can connect and use the respective services. Each of the Power Tools for Terminal Services modules can be purchased and licensed separately. In this case, a license is needed for each server on to which a component is installed. An optional add-on, Experience Optimized Protocol, contains the following features: Bidirectional Audio Enables support for applications that require the use of a microphone.
26
Latency Reduction Enables instant echo of keystrokes when connecting over a latent network connection. A client Control Panel applet is used to adjust settings of this feature. Multimedia Redirection Enables the redirection of Microsoft Direct Show content (anything that can be played in Microsoft Windows Media Player) from the VDI or Windows Terminal Session through an RDP Virtual Channel to the client, where it is played using the local compression/decompression technology (CODEC). Graphics Acceleration Reduces bandwidth consumption and dramatically improves user experiences, making RDP usable over WAN connections.
27
You can access the Licensing windows from the File menu option in the vWorkspace Management Console, or by selecting the Licensing icon from the toolbar. There are three parts to licensing: Customer Information Licenses User Sessions
Customer Information
The Customer Information licensing window is used to enter demographic information, including an address and contact information. Once information is entered it should not be edited, as this may result in existing user licenses for the specified farm to be rendered invalid.
28
Licenses
The Licenses window enables administrators to view current licenses and to add new licenses.
29
User Sessions
The User Sessions window enables administrators to view active user sessions and license and product usage. Select User Sessions to view current user sessions.
By selecting Remote Control Session from the Sessions window, administrators are able to shadow active user sessions. Administrators can set the key command used to end the remote session on the Remote Control window. Remote control can only be accomplished when initiated from one RDP session to another. You may receive a warning message indicating that this functionality is not available to you.
30
2
Deployment Planning
Considerations
Considerations
Use the following information to become acquainted with and plan for, your implementation of vWorkspace. Storage Adequate storage space for virtual machines. A storage area network (SAN) is strongly recommended. vWorkspace Database Shared or dedicated Microsoft SQL Server 2000 or 2005. Small- to medium-size deployments (up to 2,500 virtual machines) can also use the free Microsoft SQL Server 2005 Express. Connection Broker One or more computers are needed for hosting the Connection Broker service. These computers can either be physical or virtual machines running Windows XP Professional or Windows Server 2003. Web Interface One or more computers are needed for hosting the Web Interface and SSL Gateway. These computers can either be physical or virtual machines running Windows XP Professional or Windows Server 2003. Secured Communications One or more SSL certificates for the Web Interface and Secure Gateway servers. These certificates are generated by an internal Certificate Authority (CA) or a trusted Certificate Authority such as Verisign, Entrust, and others. VMware Environment A VMware Virtual Infrastructure consisting of one or more VMware ESX 2.5 or newer servers, as well as one or more VirtualCenter 2.x or newer servers. Virtual Iron Environment A Virtual Iron infrastructure consisting of one or more Virtual Iron 4.x or newer servers. Microsoft Hyper-V Environment A Microsoft Hyper-V infrastructure consisting of a Microsoft Windows Server 2008. Parallels Virtuozzo Containers A Parallels Virtuozzo Containers infrastructure consisting of Parallels Virtuozzo Containers 4 environment.
32
Deployment Planning
FEATURE Connection Broker
TARGET COMPUTER Preferably dedicated Windows XP Professional or Windows Server. Physical or virtual machine.
DMZ? No. It must reside in the corporate network.
SSL CERTIFICATE Only if SSL connectivity is required, and SSL Gateway is not present.
OTHER Must be joined to Windows domain in order to authenticate users.
Web Interface
Windows XP Professional or Windows Server. Physical or virtual machine. Can co-exist with SSL Gateway on same computer.
Optional.
Only if SSL connectivity is required, and SSL Gateway is not present.
Internet Information Services. Microsoft .NET Framework 2.0 or higher.
SSL Gateway
Windows XP Professional or Windows Server. Physical or virtual machine. Can co-exist with Web Interface on same computer.
Optional.
Yes.
Password Reset Service
Must be installed onto computer in Windows domain.
No. It must reside in the corporate network.
Yes.
33
34
3
Installation
Installation Requirements VirtualCenter SSL Certificate Microsoft SQL Server
Installation Requirements
The following requirements apply to vWorkspace infrastructures supporting either Terminal Servers or managed computers: Shared or dedicated Microsoft SQL Server 2000 or 2005. Small to medium size deployments can use the Microsoft SQL Server 2005 Express or MSDE 2000. One or more computers for hosting the Connection Broker service. These computers can either be physical or virtual machines running Windows XP Professional or Windows Server.
The following requirements apply to vWorkspace infrastructures using Hosted Desktops: For VMware environments, a VMware Virtual Infrastructure consisting of one or more VMware ESX 2.5 or newer servers, as well as one or more VirtualCenter 2.x or newer servers. This computer can either be physical or virtual machines running Windows XP Professional or Windows Server. At least one computer hosting the Connection Broker service and the VMware VirtualCenter Integration extension. For Virtual Iron environments, a Virtual Iron infrastructure consisting of one or more Virtual Iron 4.x or newer servers. Adequate storage space for virtual machines. A storage area network (SAN) is strongly recommended.
The following requirement applies to vWorkspace infrastructures using Terminal Servers: One or more computers with Microsoft Terminal Services installed in application server mode. These computers can either be physical or virtual machines running Windows XP Professional, Windows Server 2003, or Windows Server 2008.
Some optional items for vWorkspace infrastructures for Terminal Servers and Hosted Desktops include: One or more computers for hosting the vWorkspace Web Interface. These computers can either be physical or virtual machines running Windows XP Professional or Windows Server 2003 with Microsoft.NET Framework 2.0 or higher installed on them.
36
Installation
One or more computers for hosting the vWorkspace SSL Gateway. These computers can either by physical or virtual machines running Windows XP Professional or Windows Server. If password management is used, one or more computers for hosting vWorkspace Password Manager. An SSL server certificate for each deployed Connection Broker server if SSL encryption is required for their communications. An SSL server certificate for each vWorkspace Password Manager server, if being used. An SSL server certificate for the Web Interface and Secure Gateway servers. These certificates are generated by an internal Certificate Authority (CA) or trusted Certificate Authority, such as VeriSign or Entrust.
37
Various software prerequisites need to be in place depending on which vWorkspace components and features are installed.
COMPONENT Connection Broker Service with VMware and Virtual Iron Integration REQUIREMENTS Java 2 Platform Standard Edition Runtime Environment 5.0 (update 7,8,9,10, or 11) is automatically installed when this subfeature is selected to be installed. Note: Java does not show up in Control Panel | Add/Remove Programs. Microsoft SQL Server Database Engine The database for vWorkspace Enterprise Edition must be hosted on a Microsoft SQL Server. Microsoft SQL Server 2000 or Microsoft SQL Server 2005 for medium to large sized infrastructures. Microsoft SQL Sever 2005 Express Edition (requires .NET Framework 2.0) or MSDE 2000 for small and some medium sized infrastructures. Note: There is an option to have Microsoft SQL Server 2005 Express automatically installed during vWorkspace installation. See vWorkspace Installation for more information. VMware Keystore VirtualCenter server certificates must be imported into a keystore file on each Connection Broker server in the vWorkspace infrastructure if managed computers are going to be hosted in a VMware VirtualCenter environment. Note: There is an option to have the VirtualCenter server certificates automatically installed during vWorkspace installation. See vWorkspace Installation for more information. Terminal Services Terminal Services needs to be installed before vWorkspace Terminal Services Provision-IT and Power Tools for Terminal Services is installed on a server.
38
Installation
COMPONENT Microsoft .NET Framework 2.0 or higher
REQUIREMENTS Microsoft .NET Framework 2.0 or higher (with 3.0 support) is required on any computer that has vWorkspace Web Interface installed. Note: During vWorkspace installation, the wizard checks to see if the correct versions of Microsoft .NET Framework are installed, and if they are not, an automatic installation occurs. See vWorkspace Installation for more information.
ASP.NET and Internet Information Services
Microsoft ASP.NET and Internet Information Services is required on any computer that has vWorkspace Web Interface installed. The minimal IIS installation would include the following on a Windows Server 2003 computer: Application Server ASP.NET Enable network COM+ access Internet Information Services Common Files Internet Information Services Manager World Wide Web Service
VirtualCenter SSL Certificate

The following instructions outline the processes that automate machine level authentication of the VMware VirtualCenter servers certificate, which must be imported into a keystore on each Connection Broker.
The option to have the VirtualCenter certificate automatically installed during vWorkspace installation is available. The below steps only need to be completed if you choose to manually install the certificate. See vWorkspace Installation for more information.
How to ...
Export the SSL Certificate Import the SSL Certificate Copy to Other Connection Brokers
39
Export the SSL Certificate Perform the following steps on the first designated Connection Broker in your environment. If you are installing an additional Connection Broker, refer to Copy to Other Connection Brokers. 1. Create a directory to store the keystore. This directory is commonly named VMware-Certs, for example: C:\VMware-Certs. 2. 3. Start your web browser. Enter https://VirtualCenter_server or an IP address. A Security Alert dialog box is displayed. The VirtualCenter_server name is the host name or IP address of the VirtualCenter server. 4. 5. 6. 7. 8. 9. Click View Certificate. A Certificate window is displayed. Click Install Certificate. The Certificate Import Wizard is displayed. Click Next, and the click Next again. Click Finish. A Security Warning dialog box is displayed. Click Yes to install the certificate. A Certificate Import Wizard window is displayed. Click OK.
10. Click OK in the Certificate window. 11. Click Yes in the Security Alert window. The server home page is displayed in the browser. 12. Select Tools | Internet Options. The Internet Options window is displayed. 13. Select the Content tab. 14. Click Certificates. The Certificates window is displayed. 15. Select the Trusted Root Certification Authorities tab. 16. Scroll down towards the bottom until you locate the certificate issued to and by VMware. Perform the following steps: a) Select the certificate. b) Click Export. The Certificate Export Wizard is displayed. c) Click Next. d) Click Next. e) Enter a file name C:\VMware-Certs\servername.cer. For example: C:\VMware-Certs\virtualcenter1.cer. f) Click Next.
40
Installation
g) Click Finish. 17. Click Close to close the Certificates window. 18. Click Cancel to close the Internet Options window. 19. Repeat the above steps for every VirtualCenter server you plan to use in conjunction with vWorkspace. Import the SSL Certificate For each exported certificate, you need to perform the following steps. If you are in the process of installing an additional Connection Broker, please skip directly to the section entitled Copy to Other Connection Brokers. 1. 2. 3. 4. Make sure the Java SDK tools are in your path (i.e., C:\Program Files\Java\jre1.5.0_09\bin). Open a Command Prompt. Change to the C:\VMware-Certs directory (cd C:\VMware-Certs). For each certificate you want to import, perform the following: a) Enter the following command: keytool -import -file certificate-filename -alias servername -keystore vmware.keystore Example: keytool -import -file vc-server1.cer -alias virtualcenter1 -keystore vmware.keystore b) Enter the desired password for the keystore. c) Enter Yes to trust and import the certificate.
If vWorkspace has already been installed prior to executing the previous steps, simply restart the Connection Broker service to enable it to read the root certificate store, vmware.keystore.
View or Modify Keystore Registry Entries 1. 2. 3. 4. 5. 6. Log on to the Connection Broker using an account that has administrative rights. Open the Registry Editor. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Provision Networks\VDI. To view the current value, locate and select the REG_SZ value named TrustStore. To modify the current value, locate and double-click the REG_SZ value named TrustStore. Enter the path and file name into the Value Data box, and then click OK to save and close the Edit String window.
41
7.
Close the Registry Editor.

The Connection Broker service must be restarted when the TrustStore registry value is modified.
Copy to Other Connection Brokers Use the following instructions to copy the VMware certificates to additional Connection Brokers. 1. Copy the C:\VMware-Certs folder from the first Connection Broker in your environment to the additional designated Connection Brokers.
If vWorkspace has already been installed prior to copying the C:\VMware-Certs folder from another Connection Broker, simply restart the Connection Broker service to enable it to read the root certificate store, vmware.keystore.
Microsoft SQL Server

This section discusses the steps for installing Microsoft SQL Server 2005 Express. If you already have an existing Microsoft SQL Server 2000 or 2005, you may want to take advantage of it to create the vWorkspace database. Or, if you plan to install a new database server using the full edition of Microsoft SQL Server, please follow Microsofts installation guidelines. If you plan to install or use an existing SQL Server, its security mode must be configured to enable SQL Server authentication. Specify this authentication mode during the installation process, or, for existing installations, edit the properties of the SQL Server and verify that SQL Server and Windows Authentication Security is enabled.
The option to have the Microsoft SQL Server 2005 Express automatically installed during vWorkspace installation is available. The below steps only need to be completed if you choose to manually install. See vWorkspace Installation for more information.
42
Installation
How to ...
Install Microsoft SQL Server 2005 Express vWorkspace supports Microsoft SQL Server 2000 and 2005, as well as Microsoft SQL Server 2005 Express. The database engine can reside on any machine near the Connection Broker. Though it is not recommended for very large environments, such as those over 2,500 desktops, the SQL Server can be installed onto the same machine hosting the Connection Broker service. Use the following steps to install the Microsoft SQL Server 2005 Express. 1. Download Microsoft SQL Server 2005 Express. The setup file SQLEXPR.EXE can be downloaded from Quest vWorkspace Web site, http://www.vWorkspace.com, Download link. An account name and password is required to access downloads from the Quest vWorkspace Web site. 2. 3. Extract SQLEXPR.EXE into a temporary directory by executing SQLEXPR.EXE/x. From the temporary directory, execute the following command to automatically install an instance of SQL Server 2005 Express named PROVISION. You can specify a different SA password (SAPWD) than the one suggested below. SETUP.EXE /qb ADDLOCAL=SQL_Engine,SQL_Data_Files INSTANCENAME="PROVISION" SECURITYMODE=SQL SAPWD="Provision" DISABLENETWORKPROTOCOLS=0 4. SQL Server 2005 Express is installed in unattended mode and only displays basic setup dialogs. Error screens, if any, are displayed, and log files are written to the %ProgramFiles%\Microsoft SQL Server\90\Setup Bootstrap\LOG folder. Additional command line setup options can be found at: http://msdn2.microsoft.com/en-us/library/ms144259.aspx. Download and install Microsoft SQL Server Management Studio Express setup file, SQLServer2005_SSMSEE.msi, from Quest vWorkspace Web site http://www.vWorkspace.com. Management Studio includes the functions of SQL Server 2000 Enterprise Manager, Analysis Manager, and SQL Query Analyzer in one tool.
5.
43
44
4
vWorkspace Installation
Download vWorkspace Install the Connection Broker vWorkspace Terminal Servers vWorkspace Connectivity Features vWorkspace Peripheral Server Extensions vWorkspace Additional Components Installation Reference
Download vWorkspace
This chapter describes the steps that must be performed to install various components of vWorkspace.
An account name and password is required to access the Download link on the Quest vWorkspace Web site.
The Quest vWorkspace Download page provides links to the various vWorkspace component categories, as described in the following table. Only the current and one previous version of the vWorkspace client are available for download.
COMPONENT vWorkspace Clients
DESCRIPTION The vWorkspace client for Windows Terminal Services and Computer Services.
46
COMPONENT Power Tools Clients Infrastructure Components Managed Computer Components
DESCRIPTION The Power Tools clients for Windows Terminal Services, including Print-IT and USB-IT. This package enables you to install the entire vWorkspace from a single MSI-based package. The PNTools for managed virtual machines and PC Blades running Windows XP, Vista (must be Vista SP1 or higher), and Server 2003. PNTools is an optional set of components that deliver added functionality and user experience enhancements such as the ability to: Start published applications Seamless windows Multiple monitor support 4096x2048 display resolution Universal print driver Kerberos/credentials pass-through USB based redirection Note: Any versions of PNTools that are previous to the vWorkspace 6.0 release must be removed before proceeding with the installation of vWorkspace 6.0.
Hotfixes Documentation Miscellaneous
The latest hotfixes and patches. Documentation and user guides. Additional components and prerequisites to accompany your installation. The Broker Helper Service for Hyper-V, which is required to be installed on to every Microsoft Hyper-V server, is located under this component.
Use the following steps to download the vWorkspace software. 1. 2. 3. Enter the URL http://www.vworkspace.com. Click the Download link at the top of the page. Enter your user login and password, and then click Enter. If you do not have a user account, you can create one by selecting New Users Register Here.
47
Select the link for the component category you want to download on the Downloads page.
Install the Connection Broker

The Connection Broker can be installed on one or more dedicated computers, either physical or virtual, or it can coexist with other vWorkspace components such as Password Manager servers or Terminal Servers.
Installing the Connection Broker service on machines that reside in the DMZ network, such as a Web Interface or SSL Gateway is never recommended.
The following steps should be performed on all the designated Connection Brokers. 1. 2. Execute the start.exe installer program. Review the options on the vWorkspace window, and then click Install to start the installation process.
48
Whats New Release Notes Licenses
Use this option to review what is new with this release. Use this option to review release notice for this release version. Use this option to review the contents of the license agreement. Use this option to initiate the installation process. Use this option to browse the contents. Use this option to exit the install.
Install Browse CD Exit
3. 4. 5. 6. 7.
Click Next on the Welcome window. Accept the License agreement. Select an option on the Licensing Mode window. Select Connection Broker Service from the list of available features on the Custom Setup window. Do one of the following: Select the Integration with VMware VI3 and Virtual Iron subfeature if you plan to use vWorkspace in conjunction with VMware or Virtual Iron and then click Next.
OR
Select the Integration with Microsoft Hyper-V subfeature if you plan to use vWorkspace in conjunction with Microsoft Hyper-V servers, and then click Next.
OR
Select the Integration with Parallels Virtuozzo subfeature if you plan to use vWorkspace in conjunction with Parallels Virtuozzo Containers, and then click Next.
49
8.
If Microsoft .NET version 2.0 or higher is not detected on your system, the following window appears:
50
9.
Do one of the following on the Microsoft .NET Framework Prerequisite window: a) Click Back to return to the Custom Setup window and unselect features so that you can proceed with the install without installing Microsoft .NET Framework. b) Click Next to have the Microsoft .NET Framework installed. Follow the installation instructions on the Microsoft .NET Framework windows. c) Click Cancel to stop the installation process. Items that have been chosen to be installed appear in black font, and items that have not been selected to be installed appear in gray font.
10. Select one of the following options on the Management Database Setup window, and then click Next: Connect to an existing database Select this option to connect this computer to an existing management database. See step 11 to continue the install. Create a new database on an existing SQL Server Select this option to create a new management database on an existing SQL server. See step 12 to continue the install. Install SQL Server Express Edition on this computer and create a new database Select this option to install SQL Server Express and create a new management database. See step 13 to continue the install.
51
Do nothing at this time Select this option to skip the configuration during the install, and manually configure the management database.
See Manual Database Configuration for more information on how to configure the database from the vWorkspace Management Console.
11. If you selected Connect to an existing database, do the following: a) Complete the necessary information on the Management Database Configuration window.
12. If you selected Create a new database on an existing SQL Server, do the following: a) Complete the necessary information on the Management Database Configuration window.
52
13. If you selected Install SQL Server Express Edition on this computer and create a new database, do the following: a) Complete the necessary information on the Management Database configuration window. The SQL Server Name and SQL User Name are grayed out and the information in these fields are not able to be changed.
b) The Microsoft SQL Server Installation wizard appears. Follow the installation instructions on the wizard windows, and then click Install. 14. If you are using VMware, complete the information on the VMware Keystore File Creation window by selecting one of the following options, and then click Next. If you are not using VMware, click Next. Do nothing at this time. Create a new keystore file. Copy the keystore file from an existing Connection Broker.
15. If you are using a Virtual Iron server, complete the information on the Virtual Iron Jar Libraries window. If you are not using a Virtual Iron server, click Next.
53
16. Complete the information on the Add Server to Management Database window, and then click Next.
OR
Click Skip to add the server to the management database manually in the vWorkspace Management Console.
17. Click Finish to complete the install.

See Installation Reference for more information on the installation windows that appear during the setup process.
54
vWorkspace Terminal Servers

vWorkspace-enabled Terminal Servers provide an enhanced multi-user environment allowing applications, desktops, and content to be published and easily accessed using the vWorkspace client. If Terminal Services is enabled prior to running the vWorkspace installer program, the options to install Terminal Services Enhancements (Provision-IT) and Power Tools Suite for Terminal Servers is made available.
55
FEATURE Terminal Services Enhancements (Provision-IT)
DESCRIPTION This feature leverages and extends the features of Windows Terminal Services and Remote Desktop Protocol (RDP) by enhancing deployments with core enterprise features that include: Application publishing Load Balancing Seamless window connections Session sharing Credentials pass-through Extended screen resolutions Multiple monitor support
POWER TOOLS SUITE FOR TERMINAL SERVERS Universal Print Drive (Print-IT) This feature enables driver independent printing to client side printers as well as LAN and WAN based network printers. Two subfeatures include: Universal Client Printer Auto-Creation Universal Network Printer Auto-Creation CPU and Virtual Memory Optimization (Max-IT) This feature improves application response times, enhances end-user experience, and increases Terminal Server capacity by optimizing the use of virtual memory and managing CPU utilization. Two subfeatures include: Virtual Memory Optimization CPU Utilization Management PDA Redirection (USB-IT) This feature enables seamless redirection of USB based Palm, BlackBerry, and PocketPC handheld devices in Terminal Server sessions. This feature combines the persistence of roaming profiles with the speed and stability of mandatory local profiles. This feature enables each user instance of legacy applications to be bound to a distinct IP address for identification purposes.
User Profile Acceleration (MetaProfiles-IT) Virtual IP (VIP-IT)
56
FEATURE Application and Host Restrictions (Block-IT)
DESCRIPTION This feature enhances Terminal Server security by protecting against unauthorized access to sensitive software programs and network resources. Two subfeatures include: Application Access Control (AAC) Protects against unauthorized access to sensitive software programs from within a Terminal Server session. Host Access Control (HAC) Prevents programs running from within Terminal Server sessions from gaining access to unauthorized network resources.
Session Configuration and Lockdown (Manage-IT) Application Compatibly Enhancements (Redirect-IT)
This feature automates several time-consuming session configuration and lock-down tasks that are applied when users log in to a Terminal Server. This feature eliminates many conflicts that can occur when running applications in a multi-user environment such as Terminal Server by creating user specific instances of HKLM registry keys and files or folders stored in common system areas. This feature enables Terminal Server users to execute time sensitive applications using their respective time zones rather than the time zone of the Terminal Server to which they connect.
Time Zone Management (TimeZones-IT)
How to ...
Install Terminal Server Components Use the following steps to install the appropriate components onto all designated Terminal Servers. 1. 2. 3. 4. 5. 6. 7. Execute the start.exe installer program. Click Next on the Welcome window. Accept the License agreement. Select Hosted Desktops and Terminal Servers (Enterprise Edition) on the Custom Setup window. Select Terminal Servers Enhancements (Provision-IT). Expand the Power Tools for Terminal Servers option, and select the options that are to be installed, and then click Next. Click Install.
57
vWorkspace Connectivity Features

vWorkspace SSL Gateway
The SSL Gateway allows external users to connect securely to servers and managed computers in the vWorkspace infrastructure by acting as an SSL proxy for Connection Broker, Web Interface, and RDP network traffic. The SSL Gateway is installed on a dedicated physical or virtual machine and can be placed in the DMZ or internal network. SSL Gateway servers can be load-balanced using a load-balancing appliance. The SSL Gateway can coexist with the Web Interface, but should not be combined with any other vWorkspace components. The SSL Gateway requires the following: Microsoft Windows 2000 Server (Standard or Advanced) Microsoft Windows Server 2003 (Standard or Enterprise) One or more X.509 web server certificates (depending upon configuration) Trusted root certificate from the issuing CA installed into the Windows machine store of the SSL Gateway for certificates that have been installed on the Web Interface or Connection Broker servers.
Before the SSL Gateway can be configured, an X.509 digital web server certificate must be obtained and installed into the Windows machine store.
How to ...
Install the SSL Gateway 1. 2. 3. Execute the start.exe installation program. Select SSL Gateway (Secure-IT) from Connectivity Features on the Custom Setup window. Click Next and complete the installation.
58
vWorkspace Peripheral Server Extensions

The two options under Peripheral Server Extensions are: Universal Network Print Services Simplifies network printer manageability in Terminal Server and hosted desktop environments by autocreating shared network printers throughout a distributed enterprise using a single universal print driver. Two subfeatures of Universal Network Print Services are: Universal Network Print Server Extensions eliminates the need for installing model specific print drivers on Terminal Server and hosted desktops. Universal Print Relay Service for Remote Sites includes bandwidth management and does not require trust relationships between domains or forests for remote sites.
User Profile Storage Service Enhances the management, performance, and storage efficiency of user profiles in Terminal Server environments.
How to ...
Install Peripheral Server Extensions 1. 2. 3. 4. Execute the start.exe installation program. Click Next on the Welcome window. Accept the License agreement. Select Hosted Desktops and Terminal Servers (Enterprise Edition), and then Peripheral Server Extensions.
59
5. 6.
Select the appropriate features. Click Next and complete the installation.
vWorkspace Additional Components

The features that are available in the Additional Components option are: Password Reset Service vWorkspace Management Console
60

The Password Reset Service can be installed on any Windows computer, physical or virtual, that is joined to a domain, trusted by the domain containing the accounts of the users connecting in to the vWorkspace infrastructure.
The Password Reset Service should never be installed on a computer that is in the DMZ network.
How to ...
Install the Password Reset Service 1. 2. 3. 4. 5. 6. Execute the start.exe installation program. Click Next on the Welcome window. Accept the License agreement. Select Hosted Desktops and Terminal Servers (Enterprise Edition), and then Additional Components. Select the appropriate features. Click Next and complete the installation.
vWorkspace Management Console

The vWorkspace Management Console is required for the configuration and administration of the vWorkspace infrastructure. It is automatically installed when any vWorkspace feature requiring database connectivity is selected. The vWorkspace Management Console can be installed by itself on a management workstation or laptop, but with limited functionality.
See vWorkspace Management Console for more information.
How to ...
Install the vWorkspace Management Console 1. 2. 3. Execute the start.exe installation program. Click Next on the Welcome screen. Accept the License agreement.
61
4. 5. 6.
Select Hosted Desktops and Terminal Servers (Enterprise Edition), and then Additional Components. Select vWorkspace Management Console. Click Next and complete the installation.
vWorkspace Client
To enable users to connect to managed applications and desktops in a vWorkspace infrastructure, a vWorkspace client must be installed onto their client device. The following is a list of available client packages: VASCLIENT32 This package includes the AppPortal GUI, but can also be used with the Web Interface. It is referred to as the vWorkspace Client or AppPortal. VASCLIENT32.EXE MSI-based installation with EXE bootstrapper. The MSI Engine (2.0 or higher) must already be installed onto the target client workstations. VASCLIENT32.MSI MSI-based installation without EXE bootstrapper. The MSI Engine (2.0 or higher) must already be installed onto the target client workstations. VASCLIENT32.CAB CAB-based installation for automatic deployment via the Web Interface. VASCLIENT32T Web Interface access only; this package does not include the AppPortal GUI. It is referred to as the vWorkspace Web Client. VASCLIENT32T.EXE MSI-based installation with EXE bootstrapper. The MSI Engine (2.0 or higher) must already be installed onto the target client workstations. VASCLIENT32T.MSI MSI-based installation without EXE bootstrapper. The MSI Engine (2.0 or higher) must already be installed onto the target client workstations. VASCLIENT32T.CAB CAB-based installation for automatic deployment via the Web Interface.
62
How to ...
Install the vWorkspace Client Perform the following steps to install the vWorkspace Client on Windows computers, laptops, and XP embedded thin client terminals. 1. 2. 3. 4. 5. 6. 7. Download vasclient32.xxx or vasclient32t.xxx. The xxx denotes EXE or MSI. Execute vasclient32.xxx or vasclient32t.xxx and follow the setup instructions. Click Next at the Welcome window. Accept the terms of the License Agreement, and then click Next. Click Next at the Customer Information window. Click Next at the Destination Folder window. Select the option Enable Credentials Pass-Through, and then click Next. This option should only be selected if the client computer is joined to the domain and you want to reuse the users domain credentials on the client computer to authenticate with the vWorkspace-enabled desktop infrastructure without having to retype them every time. This is an optional step.
8.
Select the desired shortcuts on the Shortcut Options window, and then click Next. This window is not available with VASCLIENT32T.
63
9.
Click Install to begin the installation. You may be prompted to restart your system after the installation of the vWorkspace client has completed.
10. Click Finish.
vWorkspace Web Interface

The Web Interface allows users to log into the vWorkspace infrastructure, obtain their application set, and start connections to managed applications and desktops using a web browser interface. The Quest vWorkspace Web Interface is installed on an existing or new physical or virtual machine. It can be placed in the DMZ or internal network and can coexist with the SSL Gateway. Multiple Web Interface servers can be load-balanced using Microsoft NLB or a third-party load-balancing appliance.
64
The following are a list of prerequisites for the Web Interface: Microsoft .NET Framework 2.0 Microsoft ASP.NET Internet Information Services (IIS)
Multiple versions of the.NET Framework can coexist on the same machine. To determine whether one or both versions are already installed, check for the presence of one or both directories, namely, v1.1.4322 and v2.0.xxxxx, under %SYSTEMROOT%\Microsoft.NET\Framework. To reinstall the.NET Framework, execute ASPNET_REGIIS.EXE i from either the v1.1.4322 or v2.0.xxxxx folder. This may be necessary if the ASP.NET Web Server Extension is not present in Internet Information Services (IIS) Manager. This is often the case if the administrator has previously uninstalled the.NET Framework (ASPNET_REGIIS.EXE u).
How to ...
Install the Web Interface 1. Ensure the following has been completed before installing the Web Interface: a) ASP.NET and Internet Information Services (IIS) subcomponents of the Application Server are installed. b) Word Wide Web Service subcomponent of Internet Information Services (IIS) is installed. c) Microsoft.NET Framework version 2.0 is installed. d) ASP.NET Web Service Extension is allowed in the Internet Information Services (IIS) Manager. 2. 3. Execute start.exe. Select Web Interface (Web-IT) from Connectivity Features on the Custom Setup window.
This feature is only available for installation if the WWW service is already installed.
4.
Click Next and complete the installation.
65
Installation Reference
This section references some of the vWorkspace installation windows and descriptions of the options.
VMware Keystore File Creation
OPTION Do nothing at this time.
DESCRIPTION This option is selected if you do not want to create a new keystore or copy one from an existing Connection Broker. This option is selected to create a new keystore file, select this option and then click Next. The Keystore File Management window is displayed. See Keystore File Management for more information. This option is selected to copy a keystore file from an existing Connection Broker, select this option. The fields of Existing Broker, Windows Admin Name, and Admin Password are enabled and need to be completed.
Create a new keystore file.
Copy the keystore file from an existing Connection Broker.
66
OPTION Existing Broker Windows Admin Name
DESCRIPTION This box is where you specify the broker from which the keystore file is to be copied. This box is for the admin name of an account with Windows administrative rights on the remote broker. You can leave this box blank to reuse your credentials.
Admin Password
This box is for the admin password of the account entered in the Windows Admin Name box. You can leave this box blank to reuse your credentials.
Keystore File Management
OPTION Keystore File Password
DESCRIPTION This box is used to identify a keystore file password. At least one VMware VirtualCenter server certificate to the keystore. The password needs to be at least six (6) characters in length. 67
OPTION VirtualCenter Server
DESCRIPTION This box is used to identify the host name or IP address of your VirtualCenter Server. If you are using a host name, make sure it is resolvable.
Windows Admin Name
This box is for the admin name of an account with Windows administrative rights on the remote broker. You can leave this box blank to reuse your credentials.
Admin Password
This box is for the admin password of the account entered in the Windows Admin Name box. You can leave this box blank to reuse your credentials.
Skip button
This button is used to continue without importing a VirtualCenter server certificate.
Virtual Iron Jar Libraries
OPTION Virtual Iron Server Download
DESCRIPTION This field is used to identify the server This button is to be selected after you have entered your Virtual Iron server information.
68
OPTION Protocol
DESCRIPTION This field is used to define the protocol as used in your Virtual Iron setup. The default is http.
Port
This field is for the port that is used in your Virtual Iron setup. The default is 80.
Current Database Configuration
OPTION Keep the existing database configuration.
DESCRIPTION This option is selected if you want to keep your existing database configuration, as displayed in the fields of Data Source Name, Database Version, SQL Server Name, and Database Name, on this window.
69
OPTION Configure a new database connection.
DESCRIPTION This option is used if you want to configure a new database connection. The Management Database Setup window is presented after this option is selected. You then can select from the following options on that window: Connect to an existing database. Create a new database on an existing SQL Server. Install SQL Server Express Edition on this computer and create a new database. Do nothing at this time.
Add Server to Management Database
OPTION Password
DESCRIPTION This box must have a password, for existing installations, if you are prompted by the vWorkspace Management Console for a password at startup.
70
OPTION Next
DESCRIPTION This button needs to be selected to verify if the server that was selected previously exists in the management database. If it does not exist, it is automatically added. The Skip button can be used to move forward and to not verify that the selected server exists in the management database. If you choose to skip this step, you need to manually add the selected database to thevWorkspace Management Console.
71
72
5
Experience Optimized Protocol
Overview Requirements Optimization Settings Bidirectional Audio Latency Reduction Multimedia Redirection
Overview
The Experience Optimized Protocol (EOP) addresses the user experience challenges of Virtual Desktop Infrastructure (VDI) by provisioning seamless, reliable, high-performance enhancements over remote desktop software. These enhancements ensure that your VDI and Terminal Server deployment can deliver on the promise of virtualization and a true local-desktop experience. One of the key features of the EOP is the ability to improve the remoting of graphic intensive applications, including Internet browser content and support multimedia content such as webcasts and web-based training. The following features are available through the Experience Optimized Protocol license: Bidirectional Audio Enables support for applications that require the use of a microphone, such as dictation, collaboration, and certain VOIP applications. Latency Reduction Enhances the user experience when typing, if they are connecting over a high latency network connection. A client Control Panel applet is used to adjust settings of this feature. Multimedia Redirection Enables the redirection of Microsoft DirectShow content (anything that can be played in Microsoft Windows Media Player) from the VDI or Windows Terminal Session through an RDP Virtual Channel to the client, where it is played using the local compression/decompression technology (CODEC). Graphics Acceleration Reduces bandwidth consumption and dramatically improves user experiences, making RDP usable over WAN connections.
These features can be assigned to Users, Groups, OU, Client IP or Client Device Name, so you can choose to license specific clients for this, as necessary.
Requirements
To use the features included in the EOP, the following requirements need to be met: The Experience Optimized Pack license needs to be acquired and added to the Licenses in the vWorkspace Management Console. The same version of vWorkspace needs to be used, that is the version, including the vWorkspace client and PNTools.
74
Optimization Settings
The EOP features are only available for the following: Hosts (servers): Microsoft Windows XP Professional Microsoft Windows Server 2003 Clients: Microsoft Windows XP Professional Microsoft Vista Microsoft Windows XP Embedded
The Microsoft Remote Desktop Connection needs to be at version 5.2 or higher. Microsoft Windows Media Player version 10 on the server side. The EOP functionality can be used for only the 32- bit applications that are on a 64-bit platform.
Optimization Settings
The features of EOP are installed via the vWorkspace installer, along with valid license. Administrators can limit to whom and which features are automatically presented to users during the log on process. The optimizations settings of Graphics Acceleration, Local Text Echo, and Multimedia Redirection can be found at the following locations. The options are set to disable by default. Quest vWorkspace Remote Desktop Connection | Experience tab | Optimizations section vWorkspace AppPortal | Actions | Manage Connections | User Experience Optimizations section Web Access (Admin) | User Experience | Performance | Optimizations section
Bidirectional Audio
This feature enables users to redirect their microphone devices to Terminal Servers and hosted desktops for use with applications involving dictation and for certain VOIP applications.
75
Microphone sound quality is best with sufficient bandwidth, at least 25 to 30 Kbps, to support the audio channels.
The Client Settings, Remote Computer Sound option overrides the setting for Remote computer sound on the Local Resources window in the AppPortal setup, as well as the Local Resource Settings window in the Web Access setup.
76
Bidirectional Audio
Bidirectional audio for the AppPortal client can be setup several different ways: Manage Connections | Local Resources Quest vWorkspace Remote Desktop Connection | Local Resources
If you use the setup option of the Manage Connections, you need to set Remote computer sound to Bring to Local Computer and select the Microphone option. Once completed, you need to click OK.
77
If you use the setup option, Quest vWorkspace Remote Desktop Connection, set the Remote computer sound option to Bring to this computer, and select the Microphone option.
The setup option for this feature for the Web Access client is Remote computer sound, of the Local Resources option.
78
Latency Reduction
Latency Reduction
This feature enables a local presentation of keystrokes when a user is connecting over a high latency network connection. The user can type at full speed without waiting for the keystrokes to appear, as the text appears in a bubble as it is typed. It is important to note that most password fields are not displayed in a text bubble when connecting over a high latency network.
79
A client Control Panel applet, Local Text Echo Client, is used to change the default settings, such as the bubble size and latency speed.
A server Control Panel applet, Local Text Echo Server, is used to set a list of application exclusions for text echo.
80
Multimedia Redirection
This feature redirects Microsoft Windows Media content through an RDP virtual channel to the client, where it is played using the local compression/decompression (CODEC) technology. This enables support for full fidelity playback of Microsoft Windows Media content. Multimedia Redirection accelerates the delivery of multimedia content such as recorded webcasts and web-based training from remote virtualized desktops and applications. The requirements for multimedia redirection include: Microsoft Windows Media Player version 10 installed on the virtual host (server). All vWorkspace components, including PNTools and the vWorkspace client need to be on the same version. Microsoft Windows Media Player 10 and proper CODEC to decode the required media format needs to be installed on the client.
After obtaining the EOP license, no other setup is required with multimedia redirection.
Graphics Acceleration
This feature reduces bandwidth consumption and improves user experiences when viewing complex graphics or animations, and allows RDP protocol to be usable over WAN connections.
81
82
6
About the vWorkspace Management Console vWorkspace Management Console Window vWorkspace Menu Options and Icons vWorkspace Object Nodes Farm Locations Clients Resources Packaged Applications Performance Optimization Virtual IP File and Registry Redirection Workload Evaluators
About the vWorkspace Management Console

The vWorkspace Management Console provides management and administrative functions to vWorkspace administrators. All database management tasks are performed by the vWorkspace Management Console. The vWorkspace Management Console can be installed and used on any number of workstations or laptop computers for management purposes, as long as connectivity to the vWorkspace database can be established. Remote Procedure Call (RPC) connections to other vWorkspace servers at times may also be required for full management functionality. Most functions performed by the vWorkspace Management Console can be done from any machine, but Registry tasks or applying virtual memory optimizations must be performed by the vWorkspace Management Console from the console of the effected server. Any hotfixes that effect the vWorkspace Management Console need to be applied to all installed instances. Failure to do so can lead to unreliable results when using the vWorkspace Management Console.
Multiple instances of the vWorkspace Management Console can be opened simultaneously. Administrators need to be aware that their changes may interfere with changes made by another administrator.
vWorkspace Management Console Window

The vWorkspace Management Console presents a graphical user interface that includes a menu bar, toolbar, navigation pane, and an information pane.
84
Menu Bar
Navigation Pane
Information /Detail Pane
Toolbar
Object Nodes
Status Bar
OBJECT NODE Farm
DESCRIPTION This node represents the entire vWorkspace infrastructure. From this node you can: Assign a name to the farm. Enable database caching. Assign administrative rights.
Locations
This node is used to organize groups of users based on geographical locations, within a vWorkspace infrastructure.
85
OBJECT NODE Clients
DESCRIPTION This node is used to identify vWorkspace clients. Once defined in the vWorkspace database, they can be used in Access Control Lists associated with various objects. Clients are identified by: User name Group membership IP address Device name Active Directory Organizational Units
Resources
This node contains the list of items that can be assigned to clients using Client Assignment. A toolbar option, Toggle Client Assignment List Display, allows the client assignment to be displayed at the bottom of the window, the right-side of the window, or not at all.
Packaged Applications
This node is used to identify Microsoft Application Virtualization (App-V) servers and their hosted application packages, as well as MSI packages. This node is used to configure CPU Utilization and Virtual Memory Optimization policies, and to view the results of these policies. This node is used to provide special configuration options for applications running in a multi-user environment that require unique IP addresses for identification. This node provides mechanisms that allow applications to work properly in a multi-user environment. This node is used to configure workload evaluators when published applications are hosted on multiple Terminal Servers. A workload evaluator can be assigned to either the published application or the Terminal Servers.
Performance Optimization
Virtual IP
File & Registry Redirection
Workload Evaluators
86
vWorkspace Menu Options and Icons

The vWorkspace menu options consist of the following: The File options are: Current User Sessions This option opens the Current User Sessions window. A remote control session can be initiated from this window as well. See User Sessions for more information. Administration This option opens the Administration window. See Administration for more information. Change User This open opens the Login window. Licensing This option opens the Licensing window. See Licensing for more information. Database Configuration This option opens the Configure Database window. See Manual Database Configuration for more information. New Location This option opens the New Location wizard. See vWorkspace Locations for more information. Properties This option opens the Managed Computer Properties window. See Location Properties for more information. Virtualization Servers This option opens the Virtualization Servers window. See Virtualization Servers for more information. Refresh This option refreshes the view.
The Actions options are:
The Help option, About, displays information about the Quest vWorkspace product, including the version number.
The vWorkspace icons are as follows:

ICON DESCRIPTION This icon is used to exit the console.
87
ICON
DESCRIPTION This icon is used to access Current User Session and the Remote Control Session options.
This icon is used to access the Administration options.
This icon is used to access Licensing information.
This icon is used to access Location Properties.
This icon is used to collapse the tree in the navigation pane of the console.
Administration
The Administration option of the vWorkspace Management Console is used to identify users or groups of users and how administrative tasks are delegated to them. Once users or groups of users have been added as administrators, permissions can then be set. It is important to note that not every administrator needs to be added to the vWorkspace Management Console, they just need to be a member of a Windows group that has been added. So, you could create a Windows group in your domain, add all the administrators to that group and then add that group to the vWorkspace Management Console.
88
If you choose not to use the Administration feature, administrations have full access rights to the vWorkspace Management Console. The vWorkspace Management Console does check to ensure that the current Windows user is also a Windows administrator prior to granting access to the vWorkspace Management Console. Users and groups of users who are selected as system administrators have implicit allow permissions for all actions, and may add and remove other system administrators. The first administrator defined in the system is automatically defined as a system administrator, and the last administrator to be removed from the system must be a system administrator. This selection cannot be modified, as it is designed to prevent inadvertent lock out situations. Once one or more administrators are defined, a Login window is displayed during the vWorkspace Management Console startup.
If checkbox, Login as the current Windows user is selected, the user and password fields are filled out automatically, and the fields are disabled. If the checkbox is unselected, the user must enter their user name and password. The Login window is also presented when a user selects the menu option, Change User, to allow the user to enter different credentials.
Permissions
Permissions enable administrators to allow or deny actions for activities within the vWorkspace Management Console. An administrator does not have the ability to set their own permissions or permission of a group to which they belong. However, a system administrator can modify permissions for any user or group.
89
The Permissions structure is a hierachy; that is, there are a lot of parent-child relationships. For example, there is a permission named Modify Resources at the Resource node level; a permission named Modify Managed Applications a the Managed Applications level; and a permission named Modify Managed Application for an individual application. Any child permission may be undefined, or not explicitly set by an administrator. The parent permission in this example is Modify Resources, so all of the other child permission levels of Allow or Deny is inherited from the parent permission. Permission checkboxes may be one of the following:
Enabled, permission not set. Checkbox has white background. Enabled, explicit permission set. Checkbox has white background. Enabled, inherited permission set. Checkbox has white background. Disabled, permission not set. Checkbox has gray background. Disabled, explicit permission set. Checkbox has gray background. Disabled, inherited permission set. Checkbox has gray background.
The gray checkmarks indicate that the permission is inherited from its parent. Permissions that are disabled can not be modified by the current administrator, as the administrator does not have sufficient permissions to change it.
90
How to ...
Add a New Administrator Edit Administration Settings Remove an Administrator Set Permission at the Object Level
Add a New Administrator 1. 2. 3. 4. 5. Open the vWorkspace Management Console. Select File | Administration. To add users or a group of users, click Add User/Group. The Administrator wizard appears. Click Next on the Welcome window. Select User or Group, and then enter Domain\User or Domain\Group in to the dialog box. Use the ellipses to assist in selecting users or groups. 6. Select the checkbox if this user or group is to be a system administrator, and then click Next. System administrators have implicit allow permissions for all actions, and may add and remove other system administrators. 7. Select one of the default permission settings, Deny All, Allow All, or Copy from, and then click Next. Use Copy from to quickly set the initial permissions of a new administrator to those of an existing non-system administrator, administrator. 8. Make any changes to the Allow and Deny columns on the Permissions window, and then click Finish. The Administrators window appears.
91
9.
Highlight the user or group that you just added, and then select Settings.
10. Specify the administration settings, Allow or Deny, on the Settings window, and then click Apply to save your settings. 11. Select Permissions to specify administrator permission. 12. Click Apply to save your changes, and OK to close the window. Edit Administration Settings 1. 2. 3. Open the vWorkspace Management Console. Select File | Administration. Edit as appropriately, and click Apply to save your changes, and OK to close the window.
Remove an Administrator 1. 2. 3. 4. 5. 6. Open the vWorkspace Management Console. Select File | Administration. Highlight the user or group name from the list. Click Remove. Verify by selecting Yes on the confirmation window. Click OK to close the window and save your changes, or Apply to save your changes without closing the window.
Set Permission at the Object Level 1. 2. Open the vWorkspace Management Console. Highlight the object to which the permission is to be set. Permissions are inherited from the parent permission, unless the level is set separately.
Manual Database Configuration

When the vWorkspace Management Console is started, it looks to the Windows Registry for a pointer to a System Data Source Name (DSN) and uses the settings contained in the DSN to connect to the vWorkspace database. The Configure vWorkspace Database window is presented when the vWorkspace Management Console is started for the first time, or if the data in the DSN is invalid.
92
How to ...
Create a New Database and DSN Connect to an Existing Database Change a Servers Database Configuration
Create a New Database and DSN 1. 2. 3. Start the vWorkspace Management Console on one of the Connection Brokers or an administrative computer. Click New Data Source on the Configure vWorkspace Database window. Select Create new database and DSN on the New vWorkspace Data Source window.
93
4.
Specify the following parameters:

Server & Database Enter the Server Name of the SQL server where the database is to be created. If you are using MSDN or SQL Express, use the format:
server_name\instance_name
Enter a New Database name, or accept the default name, vWorkspace_Database. Existing SQL Admin Login Enter the Name for the SQL admin account, or accept the default, sa. Enter a password for the SQL admin account. New vWorkspace SQL Login Enter a Name or accept the default, PNADMIN for the SQL user account. Enter a Password for the SQL user account. New Data Source (DSN) Enter a Name for the DSN or accept the default name, Provision Database. Enter a Description for the DSN or accept the default description, Provision Database.
5. 6. 7. 8. 9.
Click Create. Confirm the password of the SQL admin and new Provision SQL logins. Click Yes to set the current main vWorkspace database to the newly created database. Enter your company and contact information, and click Save. Click Close.
94
Connect to an Existing Database Once the vWorkspace database is created, all servers with vWorkspace components requiring database connectivity must have DSNs configured. 1. 2. 3. 4. Start the vWorkspace Management Console from the additional Connection Broker or administrative computer. Click New Data Source on the Configure vWorkspace Database window. Select Create DSN only for existing database on the New vWorkspace Data Source window. Specify the following parameters:
Server & Database Enter the Server Name of the SQL server where the database is to be created. If you are using MSDN or SQL Express, use the format:
server_name\instance_name
Enter the name of the Existing Database. Existing vWorkspace SQL Login Enter the Name of the SQL user account. Enter the Password for the SQL user account. New Data Source (DSN) Enter a Name for the DSN or accept the default name, vWorkspace Database. Enter a Description for the DSN or accept the default description, vWorkspace Database.
5. 6. 7.
Click Create. Confirm the password of the vWorkspace SQL login. Click Yes to set the current main vWorkspace database to the newly created database.
95
Change a Servers Database Configuration A servers infrastructure can be changed without reinstalling the software. Use the following steps to change the database configuration.
A vWorkspace server can belong to one vWorkspace infrastructure at a time.
1. 2. 3. 4. 5. 6.
Log on to the desktop of the server that is to be changed. Open the vWorkspace Management Console. Select File | Database Configuration. Click New Data Source. Select either Create new database and DSN or Create DSN only for existing database. Complete the remaining boxes of the New vWorkspace Datasource window as appropriate, and then click Create.
vWorkspace Object Nodes

The next section describes the object nodes that are located on the left-pane of the vWorkspace Management Consolewindow. Farm Locations Clients Resources Packaged Applications Virtual IP File and Registry Redirection Workload Evaluators
Farm
The first node in the navigation pane represents the vWorkspace infrastructure. Properties of this node can be used to:
96
Assign a name to the infrastructure.
Enable or disable database caching. Change the administrative service account information.
To access the Farm Properties window, right-click on the Farm node.
FIELD Name
DESCRIPTION This is the name that is assigned to the vWorkspace infrastructure. This name is stored as a record in the vWorkspace database and requires no configuration changes to member servers. It can be changed at any time and is automatically passed on by the Connection Broker servers to the vWorkspace clients.
Create local host cache on all servers
If selected, this checkbox enables the use of database caching. If enabled, all Provision-IT servers work from their local cache. For mid to large size infrastructures, the use of database caching can reduce the number of open database connections.
Cache update Interval (minutes)
The number of minutes that the local cache is updated.
97
Locations
The Locations node represents a location that groups one or more data centers and the desktops within those data centers. Administrators define Connection Brokers, Terminal Servers, desktops, and other servers for each defined location, which can only be defined after a new location has been established. See vWorkspace Locations for more information.
Clients
The Clients node on the vWorkspace Management Console is used to define the list of clients that can be used in client assignments. The vWorkspace uses client assignments to assign managed applications, managed computers, and other resources to user sessions when connected to servers and managed computers in the infrastructure. It is possible that a given user might belong to more than one client definition. By design, client assignments are cumulative, meaning they receive the assignment of all of the client definitions they are members of, except for when a conflict exists. In this case, the client with the highest priority wins the conflict. Client priority can be modified by selecting the desired Client node, and using Move Up or Move Down. Client types at the top of the list have higher priority than those lower in the list. For example, the Windows domain users and domain administrators global groups might be defined as clients, with domain administrators being higher in priority. Domain administrators has an application restriction that allows them to run registry editing tools. Domain users have an application restriction that denies them the ability to run registry editing tools. However, members of domain administrators are also members of domain users. Since there is a conflict in assignments, and the domain administrators client definition has higher priority, any user who logs on as a member of domain administrators is able to run registry editing tools.
98
Client Types
The following table lists the client types, along with a description.
TYPE Users Groups Device Addresses Device Names Organizational Units DESCRIPTION Any trusted Windows domain or local user account. Any trusted Windows domain or local group account. IP address assigned to the client hardware device. NetBIOS name of the client device. Active Directory Organizational Unit containing the user, group, or computer account.
How to ...
Define Clients by Users Define Clients by Groups Define Clients by Device Address Define Clients by Device Name Define Clients by Organizational Unit
Define Clients by Users 1. 2. 3. Expand the Clients node in the navigation pane of the vWorkspace Management Console. Right-click on the Users node, and select New User(s). To add users by selecting them from a domain, do the following: a) Click the Users tab on the Add Client(s) window. b) Select a Windows domain or computer from the Domain drop-down. c) Type the user name in the Enter the User(s) field, or select the user from the list in Select the User(s). d) Click OK to complete the task. 4. To add users by selecting them from Active Directory, do the following: a) Click the Active Directory tab on the Add Client(s) window. b) Select the Windows domain from the Domain drop-down.
99
c) Select Organizational Units, Users, or both in the Display section. d) Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard. e) Click Refresh and the system displays a list of options in the bottom pane. f) Select one or more of the options, and then click OK. Define Clients by Groups 1. 2. 3. Expand the Clients node in the navigation pane of the vWorkspace Management Console. Right-click on the Groups node, and select New Group(s). To add users by selecting them from a domain, do the following: a) Click the Groups tab on the Add Client(s) window. b) Select a Windows domain or computer from the Domain drop-down. c) Type the user name in the Enter the Group(s) field, or select the user from the list in Select the Group(s). d) Click OK to complete the task. 4. To add users by selecting them from Active Directory, do the following: a) Click the Active Directory tab on the Add Client(s) window. b) Select the Windows domain from the Domain drop-down. c) Select Organizational Units, Groups, or both in the Display section. d) Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard. e) Click Refresh and the system displays a list of options in the bottom pane. f) Select one or more of the options, and then click OK. Define Clients by Device Address 1. 2. Expand the Clients node in the navigation pane of the vWorkspace Management Console. Right-click on the Device Addresses node, and select New Device Address(es).
100
3.
Click the Device IP Addresses tab and enter a Starting Address and Ending Address to define the client IP address or a range of addresses. The Active Directory tab is currently not being used. Click OK.
4.
Define Clients by Device Name 1. 2. 3. Expand the Clients node in the navigation pane of the vWorkspace Management Console. Right-click on the Device Names node, and select New Device Name(s). Click the Device Names tab and enter the device names, separated by a semicolon (;). To enclose a range, use square brackets ([]). For example W2K3-[0-10]. Click OK.
4.
Define Clients by Organizational Unit 1. 2. 3. 4. 5. 6. 7. Expand the Clients node in the navigation pane of the vWorkspace Management Console. Right-click on the Organizational Units node, and select New Organizational Unit(s). Select the Domain from the drop-down list. Select Organization Units in the Display section. Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard. Click Refresh and the system displays a list of options in the bottom pane. Select one or more of the options, and then click OK.
Resources
The Resources node allows administrators control over aspects of a user session when connected to managed applications and desktops within the vWorkspace infrastructure. The following table provides a list of the available Resources options and a description of each. See User Access Options in the Resources Node for the Resources node customization setup information.
101
RESOURCE NAME Additional Customizations
DESCRIPTION The ability to customize items relating to the Windows Desktop, Start Menu, drive mappings, and network mappings. The ability to explicitly or implicitly restrict what applications are allowed or denied for assigned clients. The ability to assign standard Window color schemes. The ability to assign network drive mappings to clients without logon scripts or Active Directory Group Policy. The ability to assign user environment variables that are automatically created and removed. The ability to act as a per-session firewall allowing Web and network access restrictions to be enforced. The ability to assign to clients applications, desktops, and content hosted from either Terminal Servers or Desktop Services. The ability to assign shared printers on LAN or WAN based Windows print servers by using either the Quest vWorkspace Universal or Windows native print drivers. The ability to assign per-session modifications to users HKCU registry hive.
Application Restrictions
Color Schemes Drive Mappings
Environment Variables Host Restrictions
Managed Applications
Printers
Registry Tasks
102
RESOURCE NAME Scripts
DESCRIPTION The ability to assign scripts on a per-session basis to vWorkspace clients without having to modify Terminal Servers complex logon script sequence or the Active Directory Group Policy. The ability to assign time zones on a per-session basis. The ability to assign user level policies on a per-session basis. The ability to simulate roaming profiles during user logon and logoff. See User Profiles for more information.
Time Zones User Policies User Profiles
Client Settings
The ability to preconfigure the local device resources that are available, and under what conditions they are available. See Client Settings for more information.
Wallpapers
The ability to assign Windows wallpaper to vWorkspace clients.
How to ...
View the Resources Assigned to a Client 1. 2. 3. Expand the Clients node in the navigation pane of the vWorkspace Management Console. Click on the node of the desired client type, such as Users or Groups. Do one of the following: a) Select the client that is to be viewed from the list in the information pane. The system displays the assigned items for the selected client the additional pane, if Toggle Configuration Display is activated.
OR
a) Right-click on the client to view from the list of clients in the left pane of the Details window and select Properties. b) Click on the Assigned Resources tab to view the resources.
103
Packaged Applications
The Packaged Application node allows users to identify Microsoft Application Virtualization (formerly Microsoft SoftGrid Application Virtualization) servers and their hosted application packages, and MSI Packages in the vWorkspace Management Console.
App-V/Softgrid Node
Microsoft Application Virtualization applications are published as the type of Content. There are two choices when publishing content: Client This content starts the application on the vWorkspace client host, which is the computer onto which the vWorkspace client is installed and where the RDP connection originates. The vWorkspace Management Console manages an icon with a pointer to a local executable. The Application Virtualization Client for Windows Desktops must be installed on the vWorkspace client host. Server This content starts an RDP connection to a Terminal Server or managed computer. The binary is started as a published application with an argument pointing to the appropriate.osd file. The Application Virtualization Client for Windows Desktops needs to be installed on each managed computer hosting the Application Virtualization applications or Application Virtualization for Terminal Servers on each of the Terminal Servers hosting the applications.
How to ...
Establish a New Server Connection 1. 2. Open the vWorkspace Management Console. Expand the Packaged Applications node, and then double-click on App-V/Softgrid.
104
3.
Select the App-V/Softgrid Servers tab in the information pane, and then click on the New App-V/SoftGrid Server icon on the toolbar. Complete the following information on the New App-V/SoftGrid Server window, and then click OK. Once the information is completed, the system displays the SoftGrid Server connection in the right pane of the vWorkspace Management Console.
4.
Server Name Server URL
Enter the server name. Click in this field, and it is populated with the path to the SoftGrid Management virtual directory. If the Server Name field is DNS unresolvable, the path needs to be corrected to have the DNS name or IP address of the server. Note: Multiple connections can be made to the same server by entering different friendly names in the Server Name field.
Username (domain\account)
Enter the user name for the SoftGrid Administrator.
105
Password
Enter the password for the SoftGrid Administrator. Confirm the password as directed.
Edit the Properties of an App-V/SoftGrid Server 1. 2. 3. Open the vWorkspace Management Console. Expand the Packaged Applications node, and then expand the App-V/SoftGrid node. Do one of the following to access the App-V/Softgrid server Properties: a) Right-click on the specified server, and then select App-V/Softgrid Server Properties. b) Highlight the App-V/SoftGrid node, and then highlight the specified server in the information pane, and click Server Properties. c) Highlight the specified server in the navigation pane (under the App-V/SoftGrid node) and then click Server Properties in the information pane. 4. Edit the properties on the App-V/SoftGrid Server Properties window as appropriate, and click OK.
Import App-V/SoftGrid Applications 1. 2. 3. Open the vWorkspace Management Console. Expand the Packaged Applications node, and then highlight the App-V/SoftGrid node. Select the server in the right pane, and then click Import/Update Applications.
OR
Right-click on the server in the navigation pane and select Import/Update Applications. 4. Select Next on the Welcome window of the App-V/SoftGrid Import wizard. The Welcome window is presented only if this is the first time that you have imported applications to the specified server. 5. 6. Click Refresh to refresh the list. Do one of the following on the Select Applications window: a) To import all the applications, click Select All.
106
b) To import specific applications, select them on the list by pressing CTRL and using a left-click. c) Click Next or Apply. If importing for the first time, Next is the option to move to the next window. If you are updating applications, Apply is used to save your changes on the current window, and OK is used to close the wizard. 7. On the Create Access Groups window, do the following: a) Select the access groups that are to be imported, and click Yes. b) Select the access groups that are not to be imported, and click No. c) Select All to import all the groups. d) Click Next or OK. 8. On the Launch Location window, do one of the following: a) To choose all the applications from the list, click Select All, and then select either Client or Server. b) Select individual applications and the select the Launch Location of Client or Server. c) Click Next or OK. 9. To publish the application on a Terminal Server, do the following on the Publish On window: a) To publish all on the same Terminal Server, click Select All, or to select the specific applications by using CTRL + left-click. b) Click Terminal Server. c) Select the Terminal Server from the Publish On window, and then click OK. 10. To publish the application on a computer group, do the following on the Publish On window: a) To publish all on the same computer group, click Select All, or to select the specific applications by using CTRL + left-click. b) Click Desktop Group. c) Select the desktop group from the Publish On window, and then click OK. 11. Click Next or OK on the Publish On window.
107
12. On the Workload Evaluator window, click Select All or the specific applications by using CTRL + left-click to specify the applications for load balancing, and then click Workload Evaluator. If you do not want to use load balancing, click Next. 13. Select the appropriate workload evaluator, and then click OK. 14. Click Next or OK on the Workload Evaluator window. 15. On the vWorkspace Client Folders window, do the following and then click Next or OK. a) Select specific applications, or use the Select All button. b) Click Folder(s). c) Highlight the appropriate folder or folders from the list, or click Manage Folders to add or change folders, and then click OK. 16. On the Desktop Integrations Settings window, specify the location of the shortcuts on the vWorkspace client host when using AppPortal in desktop integrated mode by doing the following: a) Select specific applications, or use the Select All button. a) Click Desktop Integration. b) Select one or more of the options, Desktop, Start Menu, Start Menu\Programs, and click OK. c) Click Next or OK on the Desktop Integration Settings window.
108
17. Review the selections on the Summary window and click Back to make changes or click Finish. View/Edit Imported App-V/SoftGrid Application Properties 1. 2. 3. Open the vWorkspace Management Console. Expand Resources, and click on Managed Applications. View the App-V/SoftGrid applications in the right pane. The applications are listed by server name, and their Type is Content on Server or Content on Client. View or edit the properties by right-clicking on the application or select the application and select the Properties icon. Properties can be edited, except for the executable Path and the Type, which are grayed out and unaccessible.
4.
MSI Packages
The MSI Packages node is used to define MSI packages that can be deployed, as well as used in the Task Automation feature. MSI Packages is also available from the context menu of a computer group in the vWorkspace Management Console. Once MSI Packages is selected, established MSI packages display in the information pane and the MSI Package wizard is available by selecting New from the information pane toolbar.
How to ...
Add a New MSI Package 1. 2. Open the vWorkspace Management Console. Expand Packaged Applications, and then select MSI Packages.
109
3. 4. 5.
Click New in the information pane. The MSI Package Wizard Welcome window appears. Click Next. Enter a Name for the MSI package, and then click Next. This is the name that is displayed in the vWorkspace Management Console.
6. 7.
Enter the MSI source file or click the ellipses to browse on the Source File window, and then click Next. Select one of the following on the Run Location window, and then click Next. a) Execute the MSI file directly from the source location.
OR
a) Copy the MSI file to each computer before executing. b) Enter the full path and file name of the Destination File
8. 9.
Enter the credentials necessary to access the source MSI file, and then click Next. On the Parameters window, complete the following information, and then click Next.
110
Enter the parameters necessary for a new installation: Enter the upgrade code for this MSI package.
Enter the necessary parameters.
Enter the upgrade code. Use Retrieve to get the upgrade code from the MSI file. Enter the parameter necessary to perform an update. Enter the parameter necessary to complete an uninstall. Select this button for assistance with the installer parameters.
Enter the parameters necessary to perform an update: Enter the parameters necessary to uninstall: Help
111
10. On the Timeout Period window, do one of the following, and then click Next. a) Select the first option, Select the timeout value..., and then specify the Timeout after value by using the drop-down list.
OR
b) Select the second option, Execute the MSI operation and continue.
11. Specify MSI Package permissions, if appropriate, on the Permissions window, and then click Finish.
The Performance Optimization node on the vWorkspace Management Console is used with Terminal Servers to improve application response time and increase overall server capacity by streamlining and optimizing the use of virtual memory and CPU resources in a multi-user environment. See the Workload Management and Performance Optimization chapter for more information.
112
Virtual IP
The Virtual IP node on the vWorkspace Management Console enables each user instance of a legacy application to be bound to a distinct IP address. This allows many legacy applications to run concurrently and reliably on Terminal Servers. See the Virtual IP chapter for more information.
File and Registry Redirection

The File & Registry Redirection node is used to define a registry and file system redirection engine, which is designed to eliminate conflicts in a Terminal Services environment. See the chapter, Application Compatibility Enhancements, for more information.
Workload Evaluators
The Workload Evaluators node is used to define servers used in workload evaluation process. See the chapter, Workload Management and Performance Optimization, for more information.
113
114
7
vWorkspace Locations
About Locations Locations Node Options New Location Location Properties Virtualization Servers Connection Brokers Terminal Servers Desktops Other Servers
About Locations
Locations give organizational structure to your vWorkspace farm; a way to specify a location that groups one or more data centers and the machines within those data centers. Locations are heterogeneous containers of objects that include: Virtual data centers, such as VMware VirtualCenter and Virtual Iron. Individual virtualization hosts not managed by a central management server, such as Microsoft Hyper-V and Parallels Virtuozzo.
Locations contain Connection Brokers, Terminal Servers, Desktops, and Other Servers that are associated with it. For example, you can name a location based on an office site, and then associate the Connection Brokers, Terminal Servers, and Desktops to that location.
Locations Node Options

The following menu options are available from the Locations node by either right-clicking on Locations, or from the icons in the toolbar when Locations is selected.
116
New Location Select to open the New Location wizard used to add new locations. Properties Select to display the properties of the Connection Brokers, Terminal Servers, Desktops, and Other Servers.
Virtualization Servers Select to open the Virtualization Server wizard, which is used to add virtualization servers. Refresh Select to refresh the Locations node.
New Location
Use the following steps to add and delete locations to the vWorkspace Management Console.
How to ...
Add a Location Delete a Location
Add a Location 1. 2. Open the vWorkspace Management Console. Do one of the following to start the New Location wizard: Right-click on the Locations node, and select New Location.
OR
Click the New Location icon from the toolbar. 3. 4. Click Next on the Welcome window of the New Location wizard. Enter the name for the location, and then click Next. This is the name that appears in the vWorkspace Management Console.
117
5.
On the Add Servers window, you can add Connection Brokers and Terminal Servers to this location. To add a Connection Broker: a) Click on Add Connection Broker. b) Click Next on the Welcome window of the Server wizard. c) Enter the name or IP address of the server, and then click Next. Use the ellipses to browse for the server.
118
d) Specify the role for the server, Connection Broker, on the Server Role window, and then click Next. e) Specify or view the certificate that is to be used on this server, and then click Next. f) Select to enable trace logging on this server, and then click Next. Typically, logging is only used as assisted by the Quest Support Services Department. g) Specify any permissions for this server, and then click Finish. In order to assign permissions, you must first add users or groups using the New Administrator wizard located at File| Administration. h) Click Next on the Add Servers window to advance to the next window, or click Add Terminal Servers, if appropriate. To add a Terminal Server: a) Click Add Terminal Server. b) Click Next on the Welcome window of the Server wizard. c) Enter the name or IP address of the server, and then click Next. Use the ellipses to browse for the server. d) Specify the role for the server, Terminal Server, on the Server Role window, and then click Next.
119
e) Specify the folder for this Terminal Server, if appropriate. Click New Folder to create a new folder. Click Next when completed. Folders are for organization and display; it does not change the operation of the servers. f) Specify the workload evaluator on the Workload Management window, and then click Next. This is an optional step. g) Select the setting for Session Auto-Logoff as appropriate, and then click Next.
h) Complete the following information on the Connectivity window, and then click Next.
120
Connections
Select Accept least busy connection requests checkbox if you want the server to participate in workload management. Enter an alternative IP address. Select Inherit global settings or Only allow RDP connections to vWorkspace managed applications.
Alternative IP Address RDP Connection Restrictions
i) Specify the performance optimizations options that are to be enabled on this server, and then click Next: Virtual Memory Optimizations CPU Utilization Management j) Specify if the bandwidth optimization is to be Enabled or Disabled on this server, and then click Next. k) Specify the Virtual IP settings for this server, as appropriate, and then click Next.
121
l) Review the information on the Licensing window, and then click Next. m) Specify any permissions for this server, and then click Finish. In order to assign permissions, you must first add users or groups using the New Administrator wizard located at File| Administration. 6. Datacenters, hosts, and nodes are associated to this location by using the Import/Add option on the Virtualization Entities window. If you choose to not assign them at this time, click Next and go to the next step. Use the following sections to Import/Add virtualization entities. 7. Import VMware Datacenters Import Virtual Iron Datacenters Import Virtuozzo Slave Nodes Add Microsoft Hyper-V Hosts Add Independent Virtuozzo Nodes
Use the Permissions window to assign permissions to users or groups. Users and groups must be added using the New Administrator wizard. See Administration for more information.
8.
122
Click Finish to save the changes made in the New Location wizard.
Import VMware Datacenters 1. 2. 3. 4. 5. Select Import VMware Datacenter from the Import/Add option on the Virtualization Entities window of the New Location wizard. Click Next on the Welcome window. Click Edit Virtualization Servers. The Virtualization Server wizard is presented. Click Next on the Welcome window. Enter the appropriate information on the Name and System Type window, and then click Next.
Name System Type
Enter the friendly name that is used when referring to the virtualization server. Select VMware VirtualCenter Server.
6.
Enter the appropriate information on the Server URL/Name and Credentials window, and then click Next.
123
Server URL
Enter the URL path to the virtualization server. https://servername or IP Address/sdk
Name
Enter the name of a user account that has the required access permissions to the target server specified in the Server URL field. For a Windows domain account, use: DomainName\UserName
Password Confirm Password
Enter the case sensitive password. Confirm the previously entered password.
7.
Enter the appropriate information on the Other Settings window, and then click Finish.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time.
124
Restart Guest OS
Use the drop-down list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down to specify the amount of time that the Connection Broker waits for a response from the virtualization server. Default option is 30 Seconds. For medium to large production environments where the virtualization server is busy, you may need to set the Connection Timeout to two or three minutes. Note: A Connection Timeout error does not necessarily mean that the task requested by the Connection Broker has failed. It may be that the virtualization server is too busy to report the successful completion of the operation in a timely manner.
Update PNTools
Initialize
Connection Timeout
Power On
Use the drop-down list to specify the number of virtual machine power on commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of virtual machine power off commands that can be sent to the virtualization server from the Connection Broker at one time.
Power Off
125
Suspend
Use the drop-down list to specify the number of guest operation system suspend commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system resume commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system reset commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of delete virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of clone virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time.
Resume
Reset
Delete
Clone
8.
You are returned to the New Locations wizard. See step 7 to complete the process.
Import Virtual Iron Datacenters 1. Select Import Virtual Iron Datacenter from the Import/Add option on the Virtualization Entities window of the New Location wizard. Click Next on the Welcome window. Click Edit Virtualization Servers. The Virtualization Server wizard is presented. Click Next on the Welcome window. Enter the appropriate information on the Name and System Type window, and then click Next.
2. 3. 4. 5.
126
Name System Type
Enter the friendly name that is used when referring to the virtualization server. Select Virtual Iron.
6.
127
Server URL
Enter the URL path to the virtualization server. http://servername or IP Address OR tcp://servername or IP Address
Name
Enter the name of a user account that has the required access permissions to the target server specified in the Server URL field. For a Windows domain account, use: DomainName\UserName Note: For a system type of Virtual Iron that is installed on Linux, the user names are case sensitive.
128
7.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down to specify the amount of time that the Connection Broker waits for a response from the virtualization server. Default option is 30 Seconds. For medium to large production environments where the virtualization server is busy, you may need to set the Connection Timeout to two or three minutes. Note: A Connection Timeout error does not necessarily mean that the task requested by the Connection Broker has failed. It may be that the virtualization server is too busy to report the successful completion of the operation in a timely manner.
Restart Guest OS
Update PNTools
Initialize
Connection Timeout
8.
129
Import Virtuozzo Slave Nodes 1. 2. 3. 4. 5. 6. Select Import Virtuozzo Slave Nodes from the Import/Add option on the Virtualization Entities window of the New Location wizard. Click Next on the Import Virtuozzo Nodes Welcome window. Click Edit Virtualization Servers on the Master Node window. The Virtuozzo Master Node wizard is presented. Click Next on the Virtuozzo Master Node Wizard Welcome window. Click Next on the Welcome window. Enter the appropriate information on the Name and System Type window, and then click Next.
Name System Type
Enter the friendly name that is used when referring to the virtualization server. Select Parallels Virtuozzo.
7.
130
Server URL
Enter the URL path to the virtualization server. https://servername:port
Name
8.
131
Restart Guest OS
Update PNTools
Initialize
Connection Timeout
Power On
Power Off
132
Suspend
Resume
Reset
Delete
Clone
9.
Select slave nodes to be imported, and then click Finish.
10. You are returned to the New Locations wizard. See step 7 to complete the process. Add Microsoft Hyper-V Hosts 1. 2. 3. Select Add Microsoft Hyper-V Host from the Import/Add option on the Virtualization Entities window of the New Location wizard. Click Next on the Welcome window. Enter the appropriate information on the Name and System Type window, and then click Next.
133
Name System Type
Enter the friendly name that is used when referring to the virtualization server. Select Microsoft Hyper-V.
4.
134
Server URL
Enter the URL path to the virtualization server. net.tcp://servername or IP Address:port Note: The default port for Microsoft Hyper-V is 9000.
Name
135
5.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down to specify the amount of time that the Connection Broker waits for a response from the virtualization server. Default option is 30 Seconds. For medium to large production environments where the virtualization server is busy, you may need to set the Connection Timeout to two or three minutes. Note: A Connection Timeout error does not necessarily mean that the task requested by the Connection Broker has failed. It may be that the virtualization server is too busy to report the successful completion of the operation in a timely manner. Power On Use the drop-down list to specify the number of virtual machine power on commands that can be sent to the virtualization server from the Connection Broker at one time.
Restart Guest OS
Update PNTools
Initialize
Connection Timeout
136
Power Off
Use the drop-down list to specify the number of virtual machine power off commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system suspend commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system resume commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system reset commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of delete virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time.
Suspend
Resume
Reset
Delete
6.
Add Independent Virtuozzo Nodes 1. Select Add Independent Virtuozzo Nodes from the Import/Add option on the Virtualization Entities window of the New Location wizard. Click Next on the Welcome window. Enter the appropriate information on the Name and System Type window, and then click Next.
2. 3.
137
Name System Type
4.
138
Server URL
Name
5.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. 139
Restart Guest OS
Update PNTools
Initialize
Connection Timeout
Power On
Power Off
140
Suspend
Resume
Reset
Delete
Clone
6.
Delete a Location 1. 2. 3. Open the vWorkspace Management Console. Right-click on the location that is to be deleted. Select Delete Location. The Location can only be deleted after Connection Brokers, Terminal Servers, Desktops, and Other Servers associated with the location are deleted as well.
Location Properties
Location properties are defined for Connection Brokers, Terminal Servers, Desktops, and Other Servers. Location properties are the same for all the locations within a farm.
141
To access Location properties, highlight the Locations node and then select the Properties option, either from the context menu or by selecting the Properties icon in the toolbar.
142
LOCATION PROPERTY Connection Brokers Communication Settings
DESCRIPTION
Specify the TCP/IP port number that is to be used when listening for inbound connection requests. Any port number can be used if it is available on all servers with the Connection Broker. Default values are: HTTP: 8080 HTTPS: 443 The HTTP and HTTPS protocols can be used simultaneously. The use of the HTTPS requires an X.509 digital certificate containing the servers FQDN to be installed into the Windows machine store of each Connection Broker. Bypass proxy settings when communicating with the connection brokers If selected, proxy settings are not used when communicating with Connection Brokers. This setting is selected by default. The Ticket Expiration setting is used to specify the expiration time for tickets that are sent to the Connection Broker when applications are launched. The default for the Ticket Expiration setting is 1 minute.
License Pool
Enter a number of minutes, which is the number of minutes the Connection Broker servers update license usage information.
Terminal Servers Logoff Exclusion List Enter a module name for a process, which if it persists after the session has been closed, then the session is automatically logged off. To add a process, click Add. To delete a process from the use, highlight the process and click the red X.
143
LOCATION PROPERTY RDP Connection Restrictions
DESCRIPTION Select this checkbox to restrict users to only use RDP connections when connecting to managed applications.
Desktops and Other Servers Timing and Other Settings Heartbeat Interval Specifies how often the Data Collector Service on managed computers sends status information. Offline Count Specifies the number of missed heartbeats before a managed computer is considered offline. Offline Retry Specifies how often the Connection Broker attempts to contact an offline managed computer. Inactivity Timeout Specifies how long a managed computer is logged off before it is considered inactive and automatically placed into a suspend state. Sysprep Period Specifies how long the system waits during the sysprep operation before attempting to initialize the computer. Task & Log Settings Task History Age at which completed task records are automatically deleted. Task Display Expiration Age at which the current or most recently executed task on a managed computer is no longer displayed. Log History Age at which log records are automatically deleted. Display Time format for tasks and log entries. Computer Naming Conventions Enforce unique computer machine names across datacenters Select to ensure computer name uniqueness across all data centers.
144
LOCATION PROPERTY Permissions Permissions
DESCRIPTION
Enter users or groups and then set permissions to Allow or Deny for the following: Add Locations Add Virtualization Servers Delete Locations Delete Virtualization Servers Modify Locations Modify Virtualization Servers
Virtualization Servers
A Virtualization Server is a Windows or Linux based computer system used to centrally manage one or more physical servers enabled with computer virtualization technology, and the virtual machines being hosted and executed on them. Virtualization servers can be added, deleted, or modified from this node, or during the process of adding a new location for VMware, Virtual Iron or Parallels Virtuozzo. Settings to limit the number of concurrent operations can also be completed for virtualization servers. See the Virtualization Servers chapter for more information.
How to ...
Add Virtualization Server Connections The Virtualization Server wizard is used to add new entries to the virtualization server connections. Use the following information to complete the Virtualization Server wizard. 1. Open the vWorkspace Management Console and right-click on the Locations node, and select Virtualization Servers. The Virtualization Server wizard appears. If you have previously added virtualization servers, the Virtualization Servers window appears. To add a new virtualization server, click on the green plus sign (+), and the Virtualization Server wizard is presented.
145
2.
Enter the appropriate information on the Name and System Type window, and then click Next.
Name System Type
Enter the friendly name that is used when referring to the virtualization server. Select the virtualization server type of Virtual Iron, VMWare VirtualCenter Server or Parallels Virtuozzo.
3.
146
Server URL
Enter the URL path to the virtualization server. For Virtual Iron, the URL must be in the format: http://servername or IP Address OR tcp://servername or IP Address For VMware VirtualCenter Server, the URL must be in the format: https://servername or IP Address/sdk For Parallels Virtuozzo, the URL must be in the format: https://servername:port
147
Name
4.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time.
Restart Guest OS
Update PNTools
Initialize
148
Connection Timeout
Use the drop-down to specify the amount of time that the Connection Broker waits for a response from the virtualization server. Default option is 30 Seconds. For medium to large production environments where the virtualization server is busy, you may need to set the Connection Timeout to two or three minutes. Note: A Connection Timeout error does not necessarily mean that the task requested by the Connection Broker has failed. It may be that the virtualization server is too busy to report the successful completion of the operation in a timely manner.
The following options are only supported on virtualization servers with the type of VMware VirtualCenter Server and Parallels Virtuozzo, except where noted. Power On Use the drop-down list to specify the number of virtual machine power on commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of virtual machine power off commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system suspend commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system resume commands that can be sent to the virtualization server from the Connection Broker at one time.
Power Off
Suspend
Resume
149
Reset
Use the drop-down list to specify the number of guest operation system reset commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of delete virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time. This function is only available with the system type of VMware VirtualCenter Server. Use the drop-down list to specify the number of clone virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time.
Delete
Clone
Connection Brokers
Connection Brokers need to be identified and their roles specified in the vWorkspace database before they can be managed and participate in the vWorkspace infrastructure. Connection Brokers can be added during the New Location wizard process, or by selecting New Connection Broker from the context menu of the Connections Brokers node.
Servers need to have the appropriate vWorkspace components installed on them, and configured to connect to the vWorkspace database before they are added.
How to ...
Add Connection Broker Servers Set Connection Broker Properties Remove Connection Broker Servers
150
Add Connection Broker Servers 1. Open the vWorkspace Management Console, and expand the Locations node, and then the location that the Connection Broker is to be added. Right-click on Connection Brokers, and then select New Connection Broker. Click Next on the Welcome window of the Server wizard. Enter the name or IP address of the server, and then click Next. Use the ellipses to browse for the server.
2. 3. 4.
5. 6. 7.
Specify the role for the server, Connection Broker, on the Server Role window, and then click Next. Specify or view the certificate that is to be used on this server, and then click Next. Select to enable trace logging on this server, and then click Next. Typically, logging is only used as assisted by the Quest Support Services Department.
8.
Specify any permissions for this server, and then click Finish. In order to assign permissions, you must first add users or groups using the New Administrator wizard located at File| Administration.
151
Set Connection Broker Properties Once Connection Brokers have been added to a location, set permissions, as appropriate. 1. 2. 3. 4. Right-click on the Connection Brokers node under the location in which you want to add the permission and select Properties. Select the Permissions tab. Highlight the user or group, and then set the permissions to Allow or Deny, by selecting the checkbox, as appropriate. Click Apply to save your changes, and then OK to close the window.
Remove Connection Broker Servers Use the following steps to remove a Connection Broker from inclusion in the vWorkspace infrastructure. Removing a Connection Broker deletes its associated records within the vWorkspace database, but it does not uninstall any of the vWorkspace components or any other software on the server, nor does it change its database configuration (DSN). 1. Expand the Connection Brokers node in the navigation pane of the vWorkspace Management Console, and select the Connection Broker sever that is to be removed.
152
2.
Click the Delete Server icon from the navigation pane toolbar, or right-click on the Connection Broker, and select Delete Server from the context menu. Click Yes to complete the removal.
3.
Terminal Servers
Terminal Servers need to be identified and their roles specified in the database before they can be managed and participate in the vWorkspace infrastructure.
Servers need to have the appropriate vWorkspace components installed on them, and configured to connect to the vWorkspace database before they are added.
How to ...
Add Terminal Servers Set Terminal Server Properties Remove Terminal Servers
Add Terminal Servers 1. 2. 3. Open the vWorkspace Management Console, and then expand to the location where the Terminal Server is to be added. Right-click on Terminal Servers, and then select New Terminal Server. If the New Server window is presented, select New Server on the Add Terminal Server window, and click OK.
153
4. 5. 6. 7. 8. 9.
Click Next on the Welcome window of the Server wizard. Enter the name or IP address of the server, and then click Next. Use the ellipses to browse for the server. Specify the role for the server, Terminal Server, on the Server Role window, and then click Next. Specify the folder to this Terminal Server. Click New Folder to create a new folder. Click Next when completed. Folders are for organization and display; it does not change the operation of the servers. Specify the workload evaluator on the Workload Management window, and then click Next.
10. This is an optional step. 11. Select the setting for Session Auto-Logoff as appropriate, and then click Next.
154
12. Complete the following information on the Connectivity window, and then click Next.
155
Connections
Select Accept least busy connection requests checkbox if you want the server to participate in workload management. Enter an alternative IP address. Select Inherit global settings or Only allow RDP connections to vWorkspace managed applications.
Alternative IP Address RDP Connection Restrictions
13. Specify the performance optimizations options that are to be enabled on this server, and then click Next: Virtual Memory Optimizations CPU Utilization Management
14. Specify as to if the bandwidth optimization is to be Enabled or Disabled on this server, and then click Next. 15. Specify the Virtual IP settings for this server, as appropriate, and then click Next.
16. Specify licenses on the Licensing window, and then click Next.
156
17. Specify any permissions for this server, and then click Finish. In order to assign permissions, you must first add users or groups using the New Administrator wizard located at File| Administration. Set Terminal Server Properties Once Terminal Servers have been added, you can set properties to apply to all servers in the vWorkspace farm that have the Terminal Server role. 1. 2. Right-click on the Terminal Servers node under the location in which you want to add the permission, and then select Properties. Highlight the user or group, and then change the permissions to Allow or Deny, by selecting the checkbox, as appropriate. For more information on permissions, see Permissions. 3. Click Apply to save your changes, and then OK to close the window.
Remove Terminal Servers Use the following steps to remove a Terminal Server from inclusion in the vWorkspace infrastructure. Removing a Terminal Server deletes its associated records within the vWorkspace database, but it does not uninstall any of the vWorkspace components or any other software on the server nor does it change the database configuration (DSN). 1. Expand the Terminal Servers node in the navigation pane of the vWorkspace Management Console, and select the Terminal Server that is to be removed. Click the Delete Server icon from the navigation pane toolbar, or right-click on the server and select Delete Server from the context menu. Click Yes to complete the removal.
2.
3.
Desktops
The Desktop node on the vWorkspace Management Console is used to define computer groups and managed computers. The desktop computers within a group can be either physical or virtual, and typically have the same version operating system and service pack level, a common set of installed applications, and are used by individuals with similar job tasks and responsibilities. See vWorkspace Desktops for more information.
157
How to ...
Set Desktops Properties Once Desktops have been added to a location, you can set the properties. 1. 2. 3. Right-click on the Desktops node under the location in which you want to add the permission. Select Properties. Highlight the user or group, and then change the permissions to Allow or Deny, by selecting the checkbox, as appropriate. For more information on permissions, see Permissions. 4. Click Apply to save your changes, and then OK to close the window.
Other Servers
The Other Servers node is used to identify general purpose servers, such as Max-IT servers.
How to ...
Add Other Servers Set Other Servers Properties
Add Other Servers 1. 2. Open the vWorkspace Management Console, and then expand to the location where the Other Server is to be added. Right-click on the Other Servers node, and select New Computer Group, or click on the New Computer Group icon on the navigation pane toolbar. Click Next on the Welcome window of the New Computer Group wizard. Enter the name for the server, and then click Next. This is the name that appears in the console. Select Other/Physical on the System Type window, and then click Next. Enter administrative account information on the Computer Administrative Account window, and then click Next.
3. 4. 5. 6.
158
7.
Complete task automation information, as appropriate to schedule tasks to be completed at specified times, and then click Next. See Task Automation for more information. Specify the session protocol on the Session Protocol window, and then click Next. Select Enabled or Disabled on the Bandwidth Optimization window, and then click Next.
8. 9.
10. Specify user and group permissions, as appropriate, and then click Next. 11. Select the appropriate option on the Finish window, and then click Finish. Set Other Servers Properties Once Other Servers have been added to a location, you can set the properties. 1. 2. Right-click on the Other Servers node under the location in which you want to add the permission, and then select Properties. Highlight the user or group, and then change the permissions to Allow or Deny, by selecting the checkbox, as appropriate. For more information on permissions, see Permissions. 3. Click Apply to save your changes, and then OK to close the window.
159
160
8
vWorkspace Desktops
About Desktops Computer Groups Managed Computers Initialize Computer PNTools
About Desktops
The following is an overview of the concepts and terminologies associated with the Desktops node of vWorkspace. Computer Groups Containers for managing a group of desktop computers as a single entity. One or more computer groups may be created for each datacenter. See Computer Groups for more information. Managed Computers Objects in the vWorkspace database that represent the Windows desktop computers that are to be managed by vWorkspace. These desktops are installed on physical devices, such as PC blades, or virtual machines. See Managed Computers for more information. Initialize Computer Managed computers need to be able to communicate properly with the vWorkspace enabled Connection Brokers, when added to a managed computer group. The Initialize Computer task is the process that enables this communication, and is the responsibility of the Connection Broker. See Initialize Computer for more information. PNTools Set of executables, dynamic link libraries, and device drivers that provide features and management functionality required for managed computers in a vWorkspace infrastructure. PNTools must be installed on all computers, virtual or physical, which are being managed using Desktops. See PNTools for more information. Publish Managed Desktops and Applications Managed desktops must be published before users can connect to their assigned applications or managed computer. Once published, icons representing the managed desktop appear in the application set of the AppPortal or Web Interface client, allowing the user to click on an icon to initiate the program. See Publish a Managed Desktop and Publish Managed Applications for more information.
162
vWorkspace Desktops
Power Management Managed computers are considered to be power managed computers if the power state can be changed automatically by the Connection Broker, or manually by an administrator using the vWorkspace Management Console. See the Power Management sections in the various integration chapters for more information on power managing with VMware, Virtual Iron, Microsoft Hyper-V, Parallels Virtuozzo, and Non-Power Managed Data Centers.
Computer Groups
Once locations are established, administrators can add computer groups to them. There are no limitations as to how many computer groups can exist in each location. The Computer Group wizard is used to add computer groups to an existing data center. Some options on the Computer Group wizard may be unavailable, based upon the System Type you use when creating the group. After the System Type is selected, only the parameters relevant to that type are presented. The System Types are: Microsoft Hyper-V Virtual Iron VMware VirtualCenter Server Parallels Virtuozzo Other/Physical
Administrators can activate the Computer Group wizard from the vWorkspace, Desktops node any of the following ways: Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group.
OR
Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from the Actions menu on the toolbar in the navigation pane, from the New Computer Group icon in the toolbar of the navigation pane, or from the Actions menu on the Desktops information pane.
163
For specific information on completing the Computer Group wizard based on System Type, refer to one of the following sections: VMware Integration;Virtual Iron Integration; Microsoft Hyper-V Integration; Parallels Virtuozzo Integration; or Non-Power Managed Data Centers.
Computer Group Properties

The properties associated with a computer groups are described below:
PROPERTY Group Name DESCRIPTION Name of the managed desktop group. APPLIES TO: Microsoft Hyper-V Virtual Iron VMware VirtualCenter Server Parallels Virtuozzo Other System Type System type for the computers in this group. Microsoft Hyper-V Virtual Iron VMware VirtualCenter Server Parallels Virtuozzo Other Datacenter Datacenter in which the computers in this group belong. Virtual Iron VMware VirtualCenter Server
164
vWorkspace Desktops
PROPERTY Computer Administrative Account
DESCRIPTION Name of the user account that is used when performing administrative tasks on the desktop computers within this group.
APPLIES TO: Microsoft Hyper-V Virtual Iron VMware VirtualCenter Server Parallels Virtuozzo Other
Enable/Disable
Connection requests to computers in this group my be temporarily suspended, if enabled.
Microsoft Hyper-V Virtual Iron VMware VirtualCenter Server Parallels Virtuozzo Other
165
PROPERTY Client Assignment
DESCRIPTION Used to permanently assign users to specific computers. The two types of user assignment are: Persistent A permanent desktop is assigned to the user. Temporary A free desktop is assigned on a temporary basis to the user, and then is available to be used again at user logoff. A client type can be assigned to the computers in the group based on the following: User Device Name Device Address Organizational Unit Group Note: Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit. Assign computers using the Client Assignment window for the specified computer. See Managed Computers for more information on this window.
Access Timetable
Used to restrict access to the computers in this group based on day and time.
166
vWorkspace Desktops
PROPERTY User Privileges
DESCRIPTION Automatically assigns users to local security groups. This policy is useful when provisioning desktop workspaces to users that require elevated privileges.
Session Auto-Logoff
Automatically logs off user sessions. This policy is for users that start published applications and not full desktops. If enabled, vWorkspace automatically logs off when the last published application is closed. This eliminates the potential issue of applications remaining in memory, thus never really terminating.
Inactivity Timeout
Automatically suspends computers in the group when they are inactive.
Microsoft Hyper-V VMware VirtualCenter Server Parallels Virtuozzo
Logoff Action
Automatically resets the computers in this group when the user logs off. Automatically expands the group to accommodate an increase in users to ensure there is always a minimum number of free computers available at all times.
VMware VirtualCenter Server Virtual Iron VMware VirtualCenter Server Parallels Virtuozzo
Auto-Expand
167
PROPERTY Task Automation
DESCRIPTION Tasks can be scheduled to be completed at specified times. See Task Automation for more information.
Session Protocol
Specify the protocol for remote user sessions for this group, either RDP or RGS.
Specify if bandwidth optimization is enabled or disabled for this computer group.
Permissions
Specify permissions for this computer group.
168
vWorkspace Desktops
PROPERTY Finish
DESCRIPTION Select from the options available as to the finish process for this group.
View Managed Computer Groups

Administrators have the ability to view summary information as well as delete computer groups. A computer group can be deleted from vWorkspace only if it is empty.
How to ...
View Summary Information View Managed Computers View Tasks for a Computer Group View Logs for a Computer Group Modify the Properties of a Computer Group Delete a Computer Group
View Summary Information 1. 2. 3. Open the vWorkspace Management Console. Highlight the managed desktop group. Select the Summary tab in the information pane.
View Managed Computers 1. 2. 3. Open the vWorkspace Management Console. Navigate to the Desktops node of the computer group that you want to view, and highlight the computer group. Select the Computers tab in the information pane.
169
View Tasks for a Computer Group 1. 2. 3. 4. Open the vWorkspace Management Console. Navigate to the Desktops node of the computer group that you want to view the tasks, and highlight the computer group. Select the Summary tab in the information pane. Click the Toggle Lower Pane button on the toolbar of the information pane. This enables the lower pane. 5. Select the Tasks tab to view.
View Logs for a Computer Group 1. 2. 3. 4. Open the vWorkspace Management Console. Navigate to the Desktops node of the computer group that you want to view the logs, and highlight the computer group. Select the Summary tab in the information pane. Click the Toggle Lower Pane button on the toolbar of the information pane. This enables the lower pane. 5. Select the Log tab to view.
Modify the Properties of a Computer Group 1. 2. 3. 4. Open the vWorkspace Management Console. Navigate to the Desktop node that includes the computer group that you want to modify. Right-click on the managed desktop group, and select Properties. Change the properties as appropriate, and then click OK.
Delete a Computer Group 1. 2. 3. Open the vWorkspace Management Console. Navigate to the Desktops node of the computer group that is to be deleted. Right-click on the computer group, and then select Delete Group. If the group is not empty, a message appears stating that all managed computers from the group need to be removed prior to deleting the group. 4. Click Yes to delete the group.
170
vWorkspace Desktops
Task Automation
The ability to schedule the execution of a vWorkspace supported operation on a vWorkspace managed virtual or physical machine is available through the Automated Task Wizard. Some of the scheduled tasks include: Power management. Deletion of virtual machines, including the ability to delete machines that have been inactive for a specified number of days. Installation of MSI packages. Installation and update of PNTools. Program and script execution.
How to ...
Schedule Tasks using the Automated Task Wizard 1. 2. 3. Open the vWorkspace Management Console. Expand the Desktops node for the location to which you want to add the scheduled task. Do one of the following to open the Computer Group Properties window: a) Right-click on the computer group, and select Properties. b) Highlight the computer group, and then select Actions | Properties from the navigation pane toolbar. c) Highlight the computer group. Select the Summary tab in the navigation pane, then Actions | Properties. Scheduled tasks can also be identified by computer. See Automated Tasks for more information, and use the below steps to add a new scheduled task, using the Automated Task Wizard, to a specific computer. 4. 5. 6. 7. 8.
+ plus sign. The Automated Task wizard appears.

Click Next on the Welcome window. Enter a Name for the task, and then click Next.
Select Task Automation in the left pane, and then click on the green
Select the task from the list on the Task window, and then click Next. On the Task Parameters window, complete the information as appropriate, and then click Next. The fields on the Task Parameters window change based upon the Task selected.
171
9.
Complete the information on the Schedule window, as appropriate, and then click Finish.
Managed Computer Group Customizations

Computer groups belonging to VMware or Virtual Iron system types have the ability to quickly add and provision multiple new desktop computers into the group by using a preconfigured template through a cloning process. When a clone of a virtual machine is made, the vWorkspace administrator must make certain decisions such as where the new desktop computers are stored and how they are named. These decisions are made separately for each managed desktop group and are stored for later reuse. Depending on the data center type, they are collectively referred to as VMware Customizations or Virtual Iron Customizations. See VMware Integration or Virtual Iron Integration for more information.
172
vWorkspace Desktops
Managed Computers
Managed Computers are objects in the vWorkspace database that represent the Windows desktop computers that are to be managed by vWorkspace. These desktops are installed on virtual machines or on physical devices, such as PC blades. Managed computers have properties that control their creation and use. The properties that are available depend upon the type of group in which the managed computer exists. When a desktop computer is added or imported into a managed desktop group, it inherits the property settings of the group. Computers are added to a managed desktop group by using the Add Computers tool. There are several methods available for accessing this tool. The method chosen is based upon if the managed desktop group exists or if it is being created. The controls and inputs available on the Add Computers tool are based upon the System type of the selected computer group. Access the Add Computers tool by one of the following methods: Select the Create new desktops from a master template on the Add Desktops page of the Managed Computer Group wizard.
OR
Select the computer group from the vWorkspace Management Console and do one of the following: a) Right-click on the computer group and select Add Computers. b) Select the Add Computers icon from the navigation pane toolbar. c) Select Add Computers from the Actions menu from the navigation pane. d) Select Add Computers from the Actions menu on the information pane of the data center. For more information on how to use the Add Computers tool based upon data center type, refer to one of the following sections: VMware Integration; Virtual Iron Integration;Microsoft Hyper-V Integration;Parallels Virtuozzo Integration; or Non-Power Managed Data Centers.
173
Properties of a Managed Computer

General
COMPUTER NAME WINDOW Name DNS Name NetBIOS Name
DESCRIPTION The Windows computer name. The Domain Name System name. The NetBIOS name. The first 15 characters of the Windows computer name is assigned automatically by Windows setup and can not be modified. The TCP/IP address last assigned to the managed computer. The Media Access Control address assigned to the managed computers network interface card.
IP Address MAC Address
174
vWorkspace Desktops
COMPUTER NAME WINDOW This computer may be power-managed (suspended, reset, etc.) through the vWorkspace management console.
DESCRIPTION Unselecting this checkbox disables the ability to use the vWorkspace Management Console to control the power state, if an applicable option, of the managed computer.
Computer Administrative Account
COMPUTER ADMINISTRATIVE ACCOUNT WINDOW Override Group Properties
DESCRIPTION Selecting this checkbox allows a different administrative account and password to be assigned to the managed computer from the ones being used by the group. This field is used to specify the name of a user account that has local administrative rights. This field is used for the password of the user account specified by Account. 175
Account
Password/Confirm Password
Enable/Disable
ENABLE/DISABLE WINDOW Override group properties Enabled or Disabled
DESCRIPTION Selecting this checkbox allows this computer to have a different property than the group. Select one of the options for this computer. If Disabled is selected, the Connection Broker does not redirect incoming connection requests to this computer.
176
vWorkspace Desktops
Client Assignment
CLIENT ASSIGNMENT WINDOW Current User
DESCRIPTION Displays the name of the user account currently logged on to the managed desktop computer. If a user is not logged on, a value of None is displayed.
Permanent User
Displays the name of the user account permanently assigned to the managed desktop computer. If a user is not logged on, a value of None is displayed.
177
CLIENT ASSIGNMENT WINDOW Select a user to whom this desktop should be permanently assigned
DESCRIPTION Use this option to select a user account that is permanently assigned to the managed desktop computer. This option is available if a user is currently not logged on to the desktop. Note: If a User Assignment policy for the desktop group is set to Temporary, it is overridden for this desktop computer only. Note: If the User Assignment policy for the desktop group is set to Persistent, this setting can be used to pre-assign a user account to the managed computer.
Permanently assign the current user to this desktop
Use this option to assign the currently logged on user account to the managed computer. This option is available if a user is currently not logged on to the desktop. Note: If a User Assignment policy for the desktop group is set to Temporary, it is overridden for this desktop computer only.
Remove the current permanent assignment
Use this option to remove the current permanent assignment from the managed computer. Note: If a User Assignment policy for the desktop group is set to Temporary, the managed computer is available for automatic, permanent assignment. Note: If the User Assignment policy for the desktop group is set to Persistent, this setting can be used to pre-assign a user account to the managed computer. However, the vWorkspace administrator can still choose to pre-assign the desktop to a user.
178
vWorkspace Desktops
Access Timetable
ACCESS TIMETABLE WINDOW Override group policy
DESCRIPTION If selected, you can specify a different access timetable setting than that of a desktop group. Click on the green grid to set a time schedule. If selected, choose from the following: Grant Permission Specifies the days of the week and the hours of the day when logons to the desktop computer are allowed. Deny Permission Specifies the days of the week and the hours of the day when logons to the desktop computer are not allowed.
179
User Privileges
USER PRIVILEGES WINDOW Override group policy
DESCRIPTION If selected, you can specify a different level of user privileges for the users that log on to this desktop computer. At logon, the user is added to the desktop computers built-in Power Users local group. At logon, the user is added to the desktop computers built-in Administrators local group. At logon, the user is added to the desktop computers built-in Users local group.
Power User Administrator None
180
vWorkspace Desktops
Inactivity Timeout
INACTIVITY TIMEOUT WINDOW
DESCRIPTION
Desktops can be automatically suspended when idle for a specified amount of time. Override group policy If selected, you can specify a different inactivity timeout setting than that of the parent desktop group. Select to enable automatic suspension of the desktop computer when inactive (user is logged off, but computer is still powered on), or if offline. Select to disable automatic suspension of the desktop computer when inactive (user is logged off, but computer is still powered on), or if offline.
Automatically suspend
Do not automatically suspend
181
Session Auto-Logoff
SESSION AUTO-LOGOFF WINDOW Override group policy
DESCRIPTION If selected, you can specify a different session auto-logoff setting than that of a desktop group. Enter the Module Name, and then click Add.
Module Name Add Remove button
Enter the name, such as wuauclt.exe. Select after entering a name in the Module Name box. Select to remove items from the list.
182
vWorkspace Desktops
Configuration (VMware System Type only)
CONFIGURATION WINDOW Reconfigure button Refresh button
DESCRIPTION Enables administrators to modify the current memory and virtual disks configuration. Refreshes the current view of the window.
183
Logoff Action (VMware System Type only)
LOGOFF ACTION WINDOW Automatically reset the computer when the user logs off Do not automatically reset the computer
DESCRIPTION If selected, this computer with a nonpersistent disks is automatically reset. If selected, this computer is not automatically reset.
184
vWorkspace Desktops
Automated Tasks
AUTOMATED TASKS WINDOW Name Task Schedule New button
DESCRIPTION Identifies the name of the task. Identifies the task that is to be completed. Indentifies the schedule to which the task is to be completed. Select to add a new scheduled task. See Schedule Tasks using the Automated Task Wizard for more information.
185
Session Protocol
SESSION PROTOCOL WINDOW RDP RGS
DESCRIPTION Remote session protocol for this computer is set to RDP. Remote session protocol for this computer is set to RGS.
186
vWorkspace Desktops
BANDWIDTH OPTIMIZATION WINDOW Enabled Disabled
DESCRIPTION Enables support for bandwidth optimization for this computer. Disables support for bandwidth optimization for this computer.
187
Permissions
PERMISSIONS WINDOW User/Groups
DESCRIPTION Lists users and groups who have permission to perform administrative tasks on this computer. Select a user or group to view their permissions.
Permissions
Lists permission for this computer and if they are allowed or denied for the selected user or group. For more information on permissions, see Permissions.
Sysprep Customization Wizard

The Sysprep Customization wizard creates the sysprep information for new computers. This wizard can be accessed during the Add Computers tool, Sysprep Customizations window by selecting the New icon.
188
vWorkspace Desktops
How to ...
Create Sysprep Customizations for New Computers 1. 2. 3. 4. From the Syprep Customizations window on the Add Computers wizard, select the New icon (green plus sign). Click Next on the Welcome to the Sysprep Customization Wizard window. Enter a Name for this sysprep customization, and then click Next. Complete the information on the Import window, if you want to import an existing sysprep.inf file, and then click Next.
OR
If you do not want to import an existing file, click Next.
5. 6. 7.
Specify the Windows operating system on the Operating System window, and then click Next. Enter the Windows registration information of Owner and Organization on the Registration window, and then click Next. Select a Time Zone that is to be used when configuring Windows on the Time Zone window, and then click Next.
189
8.
Select one of the following on the Product Key window, and then click Next. a) Specify a single product key. b) Retrieve product keys from a text file. Use the ellipses to browse.
9.
Select either Per Server or Per Device or Per User on the Licensing Mode page, and then click Next.
10. Enter the Password for the administrator account for the desktops created in this group, on the Administrator Password window, and then click Next. 11. Select Workgroup or Domain where the computers are to be added on the Domain or Workgroup window. If you select Domain, you need to specify a user account that has permission to add a computer to the domain.
12. Enter the Active Directory Organization Unit Path to which the computers are to be added on the Active Directory Path, and then click Next. 13. Enter the path to the folder where the installation files are located. If you do not want a folder specified, you must delete the default value in the Path field. This is an optional step. The default is c:\sysprep\i386. You can change the value, or if you remove the entry, a value does not appear in the sysprep.
190
vWorkspace Desktops
14. Select one of the following options on the Regional Settings window, and then click Next: a) Use the default regional settings for the Windows version you are installing. b) Specify the regional settings. You need to select a default value for the language. 15. On the Languages window, select a different language in which the users can view the content, and then click Next. 16. Use the Run Once window to configure Windows to automatically run a command the first time a user logs on. a) Enter the command in the Command box, and click Add. b) Click Next when you are finished. 17. Enter an Identification String, which is written to the registry of the computer to assist in determining which sysprep object was used to customize a computer. Click Next. 18. Alter custom sysprep entries on the Custom Sysprep Entries window. This is an optional step. Click Next to go to the next window.
191
19. Review your entries on the Summary window and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops.
View Managed Computers

Administrators have the ability to view summary information as well as delete managed desktop computers from the vWorkspace Management Console. Administrators also have the ability to remote into a users active session by using the Remote Control Session option.
How to ...
View Summary Information View Tasks for a Managed Computers View Logs for a Managed Computers View a Session by Remote Control
View Summary Information 1. 2. 3. 4. Open the vWorkspace Management Console. Navigate to the computer group to which the computer belongs, and highlight the computer group. Select the Computers tab in the information pane, and then highlight the computer. Click the Toggle Lower Pane button from the toolbar of the information pane. This enables the lower pane with three tabs, Summary, Tasks, and Log. 5. Select the Summary tab to view property information.
View Tasks for a Managed Computers 1. 2. 3. Open the vWorkspace Management Console. Navigate to the computer group to which the computer belongs, and highlight the computer group. Select the Computers tab in the information pane, and then highlight the computer.
192
vWorkspace Desktops
4.
Click the Toggle Lower Pane button on the toolbar of the information pane. This enables the lower pane with three tabs, Summary, Tasks, and Log.
5.
Select the Tasks tab to view.
View Logs for a Managed Computers 1. 2. 3. 4. Open the vWorkspace Management Console. Navigate to the computer group to which the computer belongs, and highlight the computer group. Select the Computers tab in the information pane, and then highlight the computer. Click the Toggle Lower Pane button on the toolbar of the information pane. This enables the lower pane with three tabs, Summary, Tasks, and Log. 5. Select the Log tab to view.
View a Session by Remote Control 1. 2. 3. 4. Open the vWorkspace Management Console. Navigate to the computer group to which the computer belongs, and highlight the computer group. Select the Computers tab in the information pane, and then right-click on the computer. Select Remote Control Session. This option is grayed out for inactive sessions. Remote control can only be accomplished when initiated from one RDP session to another. You may receive a warning message indicating that this functionality is not available to you.
193
5.
Specify the command to be used to end the remote session on the Remote Session window, and then click OK.
Desktops Properties
The Properties option is used to set user and groups access permissions for the Desktops node. Permissions enable administrators to allow or deny actions for activities within the vWorkspace Management Console. Users and groups of users who are selected as system administrators have implicit allow permissions for all actions, and may add and remove other system administrators. See Administration for more on setting up permissions.
194
vWorkspace Desktops
Initialize Computer
When a managed computer (virtual or physical) is added to a computer group, the vWorkspace Data Collector Service must be installed to allow the managed computer to communicate properly with the vWorkspace enabled Connection Brokers. The process that accomplishes this is called the Initialize Computer task, and is initiated and executed by the Connection Broker. The Initialize Computer task is accomplished as follows: 1. The Connection Broker checks for the IP address of the computer to be initialized by querying the server (for power-managed computers), and for non-power managed computers, it checks for the issuing DNS or NetBIOS name resolution queries. Once the IP address of the target computer has been retrieved, the Connection Broker attempts to connect to the Data Collector service on that computer using TCP port 5203. If successful, it queries for the version of the Data Collector service. If the Connection Broker is unable to connect to the Data Collector service, or if the version of the Data Collector service on the target computer is older than that running on the Connection Broker, the Connection Broker attempts to install the newer version of the service by remotely connecting to the Windows Service Control Manager and system drive of the target desktop computer. It then stops the Data Collector service if it is running and copies the newer version of PNDCSVC.exe to the Windows\System32 folder. Once the file has been copied, the Connection Broker issues a remote command to start the Data Collector service. 4. Once the newly installed Data Collector service has been successfully started on the target computer, the Connection Broker again attempts to contact the Data Collector service on TCP port 5203. If the connection is successful, the Connection Broker passes the following information to the Data Collector service: List of all available Connection Brokers. Informs the Data Collector service to use TCP port 5201 when initiating connections to a Connection Broker. Encrypt the connections. Configured heartbeat interval (the interval at which the Data Collector service is to send status updates to the Connection Brokers).
2.
3.
195
License Mode for the vWorkspace infrastructure. Public Key to use for SSL encryption. Unique Computer ID assigned to that managed computer.
When an Initialize Computer task is unsuccessful, the Connection Broker considers the desktop unusable and marks it offline, making it unavailable to users. Some common causes of a failure include: Firewalls are blocking the communications between the Connection Broker and the managed computer. Name resolution issues. Insufficient privileges held on the managed computer. You need to be able to connect to the administrator file shares and have the privilege to create a service on the managed computer. The privilege is set in the Properties of the computer group, in Computer Administrative Account.
Initialization Triggers
The following events can trigger the Initialize Computer task: Successful Clone operation (VMware and Virtual Iron) Add/Import Desktops Missed Heartbeats
The ability to manually initialize a computer or multiple computers is available through the context menu option of the highlighted computers. Select the computer group under the Desktops node on the vWorkspace Management Console, and then highlight the computers that are to be initialized from the Computers tab of the information pane and right-click to select the Initalize option.
196
vWorkspace Desktops
Microsoft Active Directory Group Policy Settings

In order that Computer Services work properly, certain Microsoft Group Policy settings need to be implemented. These Group Policy settings can be implemented at the local system level and in Active Directory.
MICROSOFT GROUP POLICY SETTINGS Restricted Groups
DESCRIPTION Use this policy setting to automatically control membership into the Remote Desktop Users group. This is especially helpful when adding new managed computers hosted in the VMware environment.
197
MICROSOFT GROUP POLICY SETTINGS Always wait for the network at computer startup and logon
DESCRIPTION Use this policy to allow the network components of Windows to fully initialize and process Active Directory policy settings before allowing users to log on. Some communications between the managed computer and the Connection Broker may fail if this policy is not enabled. Use the following path to set this policy: Computer Configuration | Administrative Templates | System | Logon
Windows Firewall Settings
Several firewall settings must be enabled and configured as both a domain profile and a standard profile. Use this path to set the following policies: Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall Allow Remote Desktop Exception This policy must be enabled so that users can connect remotely. Allow File and Printer Sharing Exception This policy must be enabled so that PNTools can be installed remotely. Define Port Exceptions This policy must be enabled so that the vWorkspace Connection Broker can communicate with managed computers on TCP port 5203.
PNTools
PNTools is a set of executables, dynamic link libraries, and device drivers that provide features and management functionality required for managed computers in a vWorkspace infrastructure. PNTools must be installed on all computers, virtual or physical, which are being managed using Desktops.
198
vWorkspace Desktops
PNTools provides the following: Data Collector. Seamless window display mode. Up to 4096 x 2048 screen resolution. Quest vWorkspace Universal Print Driver. Quest vWorkspace USB Redirection. Accelerated Multimedia Playback. Full-fledged desktop or published application sessions. Multi-monitor support (only with seamless windows).
Microsoft Vista host machines require Microsoft Vista SP1 or higher to work with PNTools.
Data Collector Service

A windows service known as the Data Collector service is also installed on to each virtual machine. The Data Collector sends a heartbeat signal to the Connection Broker, informing it of the logon status of the virtual machine and its readiness to accept connections. The Connection Broker communicates with the virtual machine through the Data Collector service, sending it pre-logon policy configuration data prior to redirecting the user with the pending logon request to that virtual machine.
Universal Print Driver

The Universal Print Driver enables users to access their printers without the need to install manufacturer specific print drivers on to the virtual machine. This EMF-based print driver is designed to impersonate the original print driver by inheriting its properties and capabilities from the client computer or print server. The Universal Print Driver supports remotely connected and network attached Windows PCs and laptops, as well as non-Windows clients and thin client terminals by means of print server software extensions. Both local and remote users can gain access to a vWorkspace-enabled desktop infrastructure from any type of client device.
199
The Quest vWorkspace Print-IT Control Panel applet is installed on each virtual machine, allowing administrators to configure printer autocreation settings for Windows PC and laptop users. To support non-Windows clients and thin client terminals, the Print-IT print server extensions must be installed onto existing or dedicated print servers, and managed using the vWorkspace Management Console. See Universal Printing for more information on Print-IT.
Accelerated Multimedia Playback

This feature provides multimedia playback in hosted desktop environments. Accelerated Multimedia Playback is optimized to deliver a near physical desktop experience, including rich multimedia content, full fidelity sound, and comprehensive format capabilities. Users experience multimedia graphics and animation without irregular displays, long load times, and choppy transitions.
USB Device Redirection

From headsets to mobile devices, USB devices are frequently used, but can sometimes be problematic when used in a virtualized environment. However, with the vWorkspace features of USB Redirection and USB-IT, USB device integration issues can be solved. This feature enables Windows PC and laptop users to access their Palm, BlackBerry, and Pocket PC handhelds, using Palm Desktop (HotSync), BlackBerry Desktop Manager, and ActiveSync software running on the remote virtual machine. For more information on USB Redirection and USB-IT, see USB Devices.
User Profile Acceleration

User Profiles is an alternative to roaming profiles. User Profiles eliminate potential profile corruption and accelerate logon and logoff times by combining the use of a mandatory profile with a custom persistence layer designed to preserve user profile settings between sessions. See User Profiles for more information.
200
vWorkspace Desktops
Installation
The installation program for PNTools is located in the following folder on all Connection Brokers: %ProgramFiles%\Provision Networks\PNTools\pntools.msi There are several ways to install, upgrade, or uninstall PNTools: Use the PNTools | Install/Update from the context menu of a specific managed desktop group or managed desktop computer on the vWorkspace Management Console. Use the MSI Packages option from the Packaged Applications node of the vWorkspace Management Console to define a package for PNTools. See MSI Packages for more information. Use the Automated Tasks option. See Task Automation for more information. Manually install PNTools into the VMware virtual machine template. Use third-party software distributions.
201
202
9
Manage Applications
About Microsoft Terminal Server About Managed Computers About Virtualized Applications New Application Tool Publish Terminal Server Applications Publish a Managed Desktop Publish Managed Applications Publish Content Work with Published Applications
Overview
Before an application can be published and accessed by users, it first must be installed on the hosting machine. In a Quest vWorkspace infrastructure, the hosting machine can be any of the following: Microsoft Windows Terminal Server. Managed computer running Microsoft Windows XP or Vista. Virtualized application package stored on a Microsoft Application Virtualization server.
About Microsoft Terminal Server

Applications installed and published on Microsoft Windows Terminal Servers are sometimes referred to as shared or multi-user applications. This is because a single installation of the application can be used simultaneously by multiple connected users. When Terminal Services is enabled on Microsoft Windows 2000 or 2003 servers, you must ensure the application is installed properly. Consider these suggestions and guidelines: Terminal Servers need to be in install mode when installing applications intended for multi-use. This is done automatically when Control Panel Add |Remove Programs is used, but can also be started from a command prompt using the following command: Change User / Install. Users should not be logged on to the system when installing applications. Review all available documentation for any issues that might exist when installing and using an application with Terminal Services. Some applications have special procedures or command line switches that must be used for installation on Terminal Servers. Restrictions such as support for the full feature set or license restrictions may be applicable when used on Terminal Servers. Applications, such as Computer Aided Design or scientific modeling and analysis programs, may not be good candidates for Terminal Server based deployments. These types of applications place an increased demand on the physical resources of a computer.
204
Manage Applications
About Managed Computers

A major benefit of hosting applications on vWorkspace-enabled managed computers is that no special considerations have to taken into account; you install the application as it would be done for a Windows computer. The applications can be installed manually, or pushed to the managed computer using third-party tools such as Microsoft Active Directory Group Policy (Software Installation) or Microsoft SMS. Some considerations when installing applications on managed computers are: Install all the applications a user might need on to the same managed computer, when practical. This helps to reduce the number of remote sessions needed for a user to accomplish their work. Use managed computer for special purpose applications that do not need to be made widely available. Use managed computers for applications that are too resource intensive to be installed on Terminal Servers. Use managed computers, especially when implemented as virtual machines, for applications being created and tested in a software development environment.
About Virtualized Applications

Many application deployment solutions exist to simplify and accelerate the process of deploying line-of-business applications to the user desktop. These same tools are ideal for use in a vWorkspace-enabled desktop infrastructure. The following are some solutions: Microsoft Application Virtualization An application virtualization and streaming platform which eases the burden of application deployment and management. In addition to application streaming, SoftGrid also integrates with Microsoft SMS, the most widely used platform for deploying applications to Windows desktops. Altiris Software Virtualization Software A software virtualization solution that places applications into managed units called Virtual Software Packages that allows instant activation, deactivation, or resetting applications. Conflicts between applications are completely avoided without altering the base Windows operating system.
205
New Application Tool

The New Application command is used to publish an application, desktop, or content. It can be opened from the following locations within the vWorkspace Management Console. Terminal Servers node Computer Services node Resources node
How to ...
Start New Applications using Terminal Servers Node Start New Applications using the Desktops Node Start New Applications from the Resources Node
Start New Applications using Terminal Servers Node 1. 2. 3. 4. 5. Open the vWorkspace Management Console. Expand Locations and then the location name where the Terminal Sever is located. Highlight the Terminal Servers node. Select the Applications tab in the right-hand window. Select New Applications from either the toolbar or by the context menu which can be accessed by right-clicking in a blank area of the information pane.
Start New Applications using the Desktops Node 1. 2. 3. 4. 5. Open the vWorkspace Management Console. Expand Locations and then the location name where the computer group is located. Expand the Desktops node. Select the Managed Computer Group into which the application is to be published. Right-click on Managed Computer Group, and select New Application.
OR
In the details window pane on the right, click on the Managed Applications tab and select Actions | New Application in Group.
206
Manage Applications
Start New Applications from the Resources Node 1. 2. 3. Open the vWorkspace Management Console. Expand the Resource node, and click on Managed Applications. Right-click the Managed Applications node, and then select New Managed Application.
OR
In the Resources Managed Applications details window pane on the right, select New from either the Actions or the context menu.
Publish Terminal Server Applications

The most direct way to publish applications hosted on Terminal Servers is to start New Application from either the Terminal Servers or Resources nodes (see New Application Tool for more information). The system displays the Managed Application Wizard. Complete the information contained in the various tabs as appropriate. Publish an Application Hosted on Terminal Server 1. 2. 3. Open the Managed Application Wizard. Click Next on the Welcome to the Managed Application Wizard window. On the Application Name window, specify a friendly name for the application in the Name box, and then click Next.
207
4.
On the Application Type window, select the type of application, and then click Next.
5.
On the Publishing window, select Terminal Server(s) and select the servers on which to publish the application for a specified location, and then select Next.
208
Manage Applications
6.
Complete the following information on the Defaults window, and then click Next: a) If the application to be published is a virtualized application package stored on a SoftGrid server, click Select App-V/SoftGrid Application. b) Enter a Path, or select the ellipses to browse. c) Enter any arguments that you want to have passed to the application when started in the Arguments box. d) If the application requires a working directory, type its path in the Working Dir box.
209
7.
On the Server Specific window, enter server specific program specifications, as appropriate. Click Next.
210
Manage Applications
8.
On the Display Name window, enter a Display Name if you want the name that is displayed to the user to be different that what is in the Name box on the Application Name window. Click Next. On the Icon window, select an icon for the application, and then click Next.
9.
10. Specify the applications window state when started, on the Startup window, and then click Next.
211
11. Select the appropriate option (Desktop, Start Menu, Start Menu \Programs) for clients using AppPortal in desktop integrated mode on the Desktop Integration window, and then click Next. 12. Select the appropriate option on the Graphics Acceleration window, and then click Next. The Use default option refers to the default Graphics Acceleration option setting on the Managed Applications Properties window.
212
Manage Applications
13. Select Disabled on the Status tab if you do not want users to be able to connect to the application until a later time on the Enable/Disable window, and then click Next. 14. Complete the information, as appropriate, on the Workload Management window, and then click Next.
213
15. Specify any application restriction settings for this application, and then click Next.
214
Manage Applications
16. Select the Virtual-IP settings for this application, as appropriate, and click Next. The settings are: Virtual IP, Client IP, and Virtual Loopback. 17. Use the Client Assignment window to assign this application to clients, and then click Next.
18. Set Permissions as appropriate, and then click Finish. Publish Terminal Server Desktops The steps for publishing a shared Windows desktop hosted on a Terminal Server is exactly the same as that for publishing a shared application, except for the following exceptions: 1. The Application Type is set to Desktop. When this is done, no path, arguments, or working directory are needed, and the fields for these are not presented. The Startup section is not present. The Startup option is only available if the Type is Program. The Defaults and Server-Specific options are not available.
2. 3.
215
Publish a Managed Desktop

The most direct way to publish a desktop is to start New Application from the node of the managed computer group to which the desktop is to be published or New Application in Group from the Actions menu on the detail pane of the managed computer group. The system displays the Managed Application Wizard window. Complete the information contained in the various tabs as appropriate.
How to ...
Publish a Desktop to a Managed Computer Group 1. 2. 3. 4. 5. Navigate to the compute group where the desktop is to be published. Start the New Application from the context menu. On the Application Name window, specify a friendly name for the application in the Name box, and then click Next. On the Application Type window, select the type of application (Desktop), and then click Next. On the Publishing window, select Managed Computer Group, and then select the managed computer group from your location on which to publish the application. Click Next.
216
Manage Applications
6.
On the Display Name window, enter a Display Name if you want the name that is displayed to the user to be different that what is in the Name box on the Application Name window. Click Next. On the Icon window, select an icon for the application, and then click Next. Select the appropriate option (Desktop, Start Menu, Start Menu \Programs) for clients using AppPortal in desktop integrated mode on the Desktop Integration window, and then click Next. Select the appropriate option on the Graphics Acceleration window, and then click Next. The Use default option refers to the default Graphics Acceleration option setting on the Managed Applications Properties window.
7. 8.
9.
10. Select Enabled or Disabled to specify if this application is displayed on the client application list. 11. Use the Client Assignment window to assign this application to clients, and then click Next. 12. Set Permissions as appropriate and the Permissions window, and then click Next.
Publish Managed Applications

Publishing an application hosted on a managed desktop is similar to that of Terminal Servers. The major differences are that the Workload Management, Application Restrictions, and Virtual IP options are not available for managed desktops.
How to ...
Publish an Application 1. 2. 3. 4. 5. Navigate to the computer group where the desktop is to be published. Start New Application. Click Next on the Welcome to the Managed Application Wizard window. On the Application Name window, specify a friendly name for the application in the Name box, and then click Next. On the Application Type window, select the type of application (Program), and then click Next.
217
6.
On the Publishing window, select Managed Computer Group, and then select the managed computer group from your location on which to publish the application. Click Next. Complete the following information on the Defaults window, and then click Next: a) If the application to be published is a virtualized application package stored on a SoftGrid server, click Select SoftGrid Application. b) Enter a Path, or select the ellipses to browse. c) Enter any arguments that you want to have passed to the application when started in the Arguments box. d) If the application requires a working directory, type its path in the Working Dir box.
7.
8.
On the Display Name window, enter a Display Name if you want the name that is displayed to the user to be different that what is in the Name box on the Application Name window. Click Next. On the Icon window, select an icon for the application, and then click Next.
9.
10. Specify the applications window state when started, on the Startup window, and then click Next. 11. Select the appropriate option (Desktop, Start Menu, Start Menu \Programs) for clients using AppPortal in desktop integrated mode on the Desktop Integration window, and then click Next. 12. Select the appropriate option on the Graphics Acceleration window, and then click Next. The Use default option refers to the default Graphics Acceleration option setting on the Managed Applications Properties window. 13. Select Enabled or Disabled to specify if this application is displayed on the client application list. 14. Select Client Assignments to specific the clients that are to have access to this application. 15. Use the Client Assignment window to assign this application to clients, and then click Next. 16. Set permissions on the Permissions window, as appropriate and then click Finish.
218
Manage Applications
Publish Content
Traditionally in Windows networks, users have relied on network drive mappings, browsing, or corporate Web sites to get information. As networks grow in size and complexity these methods have become less efficient. Web based resources that are not located on the corporate network can require users to remember numerous and sometimes long URLs, or how to build efficient and effective search queries. Published content provides an easier way for users to access the information they need. When an administrator publishes content, the complete path to the resource is specified and is associated with an icon. This path can be in Universal Naming Convention (UNC) format or web based formats, such as http, https, ftp, ldap. The icon representing the content is passed down to the vWorkspace Client in the same manner as application and desktop icons. To access the content, the user simply clicks on the icon. The content path is passed to an application, based on Windows file type associations, capable of opening that type of content. For example, content using a UNC path would be opened with Windows Explorer, while content using http would be opened with Internet Explorer. The administrator has the option of specifying whether the application used resides on the client device or on a remote device. If you are using application deployment solution such as SoftGrid or Altiris, applications are published using the type Content. The process of publishing content is exactly the same as publishing an application hosted on a Terminal Server or desktop with the following exceptions: Type Select Content on the Application Type window of the Managed Application Wizard. Publishing Select Server if you want the content to be opened with an application installed on a Terminal Server. Use the Publishing window to select which Terminal Servers to use. Select Managed Computer Group if you want the content to be opened with an application installed on the client device. When this is chosen, the Application Restrictions, Virtual IP, and Workload Management windows are unavailable as they do not apply to desktops.
219
Path Enter the path to the content on the Defaults window. A UNC path can be either to a shared folder or a file within a shared folder.
Share, NTFS, and web permissions all apply when users try to access the content. Therefore, even though clients are listed in the published contents access control list, the client may still be denied access because of other permissions.
Work with Published Applications

Once applications have been published on either Terminal Servers or desktops, additional applications can be added, modified, duplicated, and deleted. Using the Select Applications to Publish menu option is a way to add existing published applications, desktops, or content to either a Terminal Server or managed computer group when new Terminal Servers or managed computer groups have been added to the vWorkspace infrastructure. All properties of published applications, desktops, or content can be modified after they are created. An existing published application can be duplicated and then modified, but the duplicate needs to be given a unique name. When a published resource is no longer needed, it can be deleted from the database. Deleting a published application, desktop, or content does not remove the application from the hosting machine nor does it delete the actual desktop or content.
How to ...
Add Published Applications to a Terminal Server Add Published Applications to a Computer Group Modify Published Applications with Desktops Node Modify Published Applications on the Resources Node Duplicate a Published Application Delete a Published Application
Add Published Applications to a Terminal Server 1. 2. Open the vWorkspace Management Console. Expand Locations and then the location name where the Terminal Sever is located.
220
Manage Applications
3. 4. 5.
Click on the Terminal Servers node in which to add the existing published resources. In the information pane on the right, click on the Applications tab for the selected Terminal Server. Activate Select Applications to Publish on [Terminal_Server] from either the information pane toolbar, or the Publish Applications icon from the navigation pane toolbar, or from the context menu of the selected Terminal Server. A list of published resources is presented.
6.
Select each published resource you want to add to the server. To select a published resource, select the box to the left of Applications. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window.
7.
Add Published Applications to a Computer Group 1. 2. 3. 4. 5. Open the vWorkspace Management Console. Expand Locations and then the location name where the computer group is located. Expand the Desktops node. Select the name of the managed computer group. Use one of the following to activate the Select Applications to Publish: a) Right-click on the managed computer group.
221
b) Select the Managed Applications tab in the information pane, and then Actions| Select Applications to Publish in the information pane. c) Actions| Select Applications to Publish from the navigation pane. d) Click the Select Applications to Publish icon from the navigation pane. 6. 7. Select each published resource you want to add. To select all published resources, select the box to the left of Applications. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window.
Modify Published Applications with Terminal Servers Node 1. 2. 3. 4. 5. 6. 7. Open the vWorkspace Management Console. Expand Locations and then the location name where the Terminal Sever is located. Click on the Terminal Servers node in which to add the existing published resources. Click on the Applications tab located in the Terminal Servers information window pane. Right-click on the published resource to be modified, and then click Properties from the context menu. Navigate through the various windows to make the necessary changes. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window.
Modify Published Applications with Desktops Node 1. 2. 3. 4. 5. 6. 7. Open the vWorkspace Management Console. Expand Locations and then the location name where the computer group is located. Expand the Desktops node (you can also navigate to a specific datacenter or managed computer group). Click on the Managed Applications tab located in the Computer Services information pane. Right-click on the published resource to be modified, and then click Properties from the context menu. Navigate through the various tabs to make the changes, as appropriate. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window.
222
Manage Applications
Modify Published Applications on the Resources Node 1. 2. 3. 4. 5. Open the vWorkspace Management Console. Expand the Resources node, and then click on the Managed Applications node. Right-click on the published resource to be modified in the information pane, and then click Properties from the context menu. Navigate through the various tabs to make the changes, as appropriate. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window.
Duplicate a Published Application 1. 2. 3. 4. Open thevWorkspace Management Console. Navigate to the desired published application. Right-click on the published application, and select Duplicate from the context menu. Make the necessary changes using the appropriate windows.
5.
Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window.
223
Delete a Published Application 1. 2. 3. 4. Open the vWorkspace Management Console. Navigate to the desired published application. Click the Delete on the toolbar or from the context menu. After reviewing the warning message, and then click Yes to delete or No to cancel.
224
10
Application Compatibility Enhancements
About Application Compatibility Enhancements How Redirect-IT Works Installation
About Application Compatibility Enhancements

Many applications store user specific data and configuration settings in systemwide locations, such as the HKey_Local_Machine (HKLM) or common files and folders. In multi-user environments such as Terminal Server, the storage of information can lead to such issues as data corruption, access conflicts, and the inability to customize application settings by user. Application Compatibility Enhancements (Redirect-IT) is a registry and file system redirection engine designed to eliminate these conflicts in a Terminal Services environment. Redirect-IT intercepts an applications request for common subkeys and files by creating private instances of these in the users registry hive (HKCU) or home directory. All application requests to these common subkeys or files are redirected to the users private instances. The vWorkspace administrator uses the vWorkspace Management Console to create redirection rules. The types of rules include: Registry File Folder
How Redirect-IT Works

Redirect-IT operates in the background using an Application Compatibility Enhancements (ACE) engine. Redirect-IT performs the following corrective steps: 1. Intercepts registry and file operations targeting the common data, such as HKLM subkeys and common files and folders specified in the redirection rules. Copies the common data from their original locations to the user private locations, such as HKCU or the home folder as specified in the redirection rules. This step is only performed if user private instances of the common data does not already exist. Performs the registry and file operations on the user private instances of the data.
2.
3.
226
Installation
Redirect-IT can only be installed on Microsoft Windows servers with Terminal Services installed in Application Server mode. The vWorkspace installer program installs Application Compatibility Enhancements (Redirect-IT) from the Power Tools for Terminal Servers features.
How to ...
Create a Registry Redirection Rule Create a File Redirection Rule Create a Folder Redirection Rule View a Redirection Rule Edit a Redirection Rule
Create a Registry Redirection Rule 1. Start the vWorkspace Management Console. It is best to run the vWorkspace Management Console from the Terminal Server where the application is installed, so that registry keys are available. 2. Right-click File & Registry Redirection from the navigation pane, and select New Redirection Rule.
OR
Select File & Registry Redirection from the navigation pane, and click the green + on the toolbar in the right pane.
227
3.
Select the Redirection Type Registry on the New Redirection Role window.
4. 5. 6. 7.
Type a new category or select an existing category from the drop-down list in the Category box. Enter a new name for the rule in the Rule Name box. Type a path and file name of the executable, or click the ellipses to browse to the executable in the Program box. Type the location of the registry key location that is to be redirected, or click the ellipses to browse to the location in the Original Registry Key box. Type the new path and file name, or click the ellipses to browse to the location where the key should be redirected in the New Registry Key box. Click OK.
8.
9.
Create a File Redirection Rule 1. Start the vWorkspace Management Console. It is best to run the vWorkspace Management Console from the Terminal Server where the application is installed, so that file is available.
228
2.
Right-click File & Registry Redirection from the navigation pane, and select New Redirection Rule.
OR
Select File & Registry Redirection from the navigation pane, and click the green + on the toolbar in the right pane. 3. 4. 5. 6. 7. 8. 9. Select the Redirection Type File on the New Redirection Role window. Type a new category, or select an existing category from the drop-down list in the Category box. Enter a new name for the rule in the Rule Name box. Type a path and file name of the executable, or click the ellipses to browse to the executable in the Program box. Type the path and file name of the existing location of the file, or click the ellipses to browse to the file in the Original File box. Type the path and file name, or click the ellipses to browse to the location where the file is to be redirected in the New File box. Select Copy original file(s) to new folder if it doesnt already exist, if appropriate.
10. Click OK. Create a Folder Redirection Rule 1. Start the vWorkspace Management Console. It is best to run the vWorkspace Management Console from the Terminal Server where the application is installed, so that file is available. 2. Right-click File & Registry Redirection from the navigation pane, and select New Redirection Rule.
OR
Select File & Registry Redirection from the navigation pane, and click the green + on the toolbar in the right pane. 3. 4. 5. 6. Select the Redirection Type Folder on the New Redirection Role window. Type a new category, or select an existing category from the drop-down list in the Category box. Enter a new name for the rule in the Rule Name box. Type a path and file name of the executable, or click the ellipses to browse to the executable in the Program box.
229
7. 8. 9.
Type the path and file name of the existing location of the folder, or click the ellipses to browse to the file in the Original Folder box. Type the path and file name, or click the ellipses to browse to the location where the folder is to be redirected in the New Folder box. Select Copy original file(s) to new folder if it doesnt already exist, if appropriate.
10. Click OK. View a Redirection Rule 1. Start the vWorkspace Management Console. It is best to run the vWorkspace Management Console from the Terminal Server where the application is installed, so that file is available. 2. 3. Select File & Registry Redirection from the navigation pane. View the details on the information pane.
Edit a Redirection Rule 1. Start the vWorkspace Management Console. It is best to run the vWorkspace Management Console from the Terminal Server where the application is installed, so that file is available. 2. 3. 4. Select File & Registry Redirection from the navigation pane. On the information pane, right-click on the Redirection rule that is to be changed, and then select Properties. Edit the redirection rule as appropriate.
230
11
Virtual IP
About Virtual IP Installation
About Virtual IP
Virtual IP enables each user instance of a legacy application to be bound to a distinct IP address. This allows many legacy applications to run concurrently and reliably on Terminal Servers. The following features are supported by Virtual IP: Virtual IP Assigns a unique IP address to each instance of a configured application running on Terminal Servers. Client IP Uses the client device IP address as a unique identifier for each instance of a configured application running on Terminal Servers. Virtual Loopback Assigns a unique loopback address to each instance of a configured application running on Terminal Servers. Logging Enables logging of Virtual IP activity on a Terminal Server.
Installation
Virtual IP can only be installed on Microsoft Windows servers with Terminal Services installed in Application Server mode. The vWorkspace installer program installs Virtual IP from the Power Tools for Terminal Servers features.
How to ...
Enable Virtual IP on a Terminal Server Configure Virtual IP Address Ranges Configure Applications
Enable Virtual IP on a Terminal Server You can enable Virtual IP on Terminal Servers by doing one of the following procedures, either using Terminal Server Properties or Virtual IP Server Configuration. Terminal Server Properties 1. 2. 3. Start the vWorkspace Management Console. Expand Locations, and then expand the location in which the Terminal Server is located. Expand Terminal Servers and right-click on the selected Terminal Server, and then select Properties.
232
Virtual IP
4. 5. 6. 1. 2.
Select the Virtual IP tab on the Terminal Servers Properties window. Select the Virtual IP features to be enabled, and then click OK. Repeat the above steps for each Terminal Server. Start the vWorkspace Management Console. Expand Virtual IP, and then click Server Configuration.
Virtual IP Server Configuration
3.
Click Show only Virtual IP Enabled Servers or Show All Servers. Your selection controls which servers appear in the server list. Select the Virtual IP features to be enabled, by server, and then click Update Virtual IP Servers.
4.
Configure Virtual IP Address Ranges Each Terminal Server must be configured with an appropriate range of IP addresses. Follow these guidelines when configuring Virtual IP address ranges: Virtual IP address ranges must be compatible with the IP subnet to which the Terminal Server is attached.
233
Do not include IP addresses that are already statically assigned to other computers on the network. Do not include IP addresses that are part of existing DHCP server scopes. Do include enough IP addresses in the range to account for the maximum number of concurrent instances expected for a configured application. Start the vWorkspace Management Console. Expand the Virtual IP node, and click Address Range. Click Add in the Virtual IP Address Ranges pane.
Add a Master Range 1. 2. 3.
4. 5. 1.
Enter the appropriate values for Starting Address, Ending Address, and Subnet Mask. Click OK. On the Virtual IP Address Ranges pane, click on the ellipses at the end of the Master Range or right-click on Master IP Range.
Add a Server to a Master Range
234
Virtual IP
2.
Right-click the Master Range, and select Add Server(s) to Master Range from the context menu.
3.
In the list of servers presented in the window, select the boxes associated with the servers to be added to the master range and press OK. Enter the number of addresses to allocate to each selected server and press OK. Right-click the Terminal Server that is to be modified from the Virtual IP Address Ranges pane, and then select the appropriate option. The options include: Remover Server Allocation for Server Set Allocations for All Servers in Master Range to Equally Allocate Addresses to All Servers in Master Range Manually Edit Ranges
4.
Modify Address Range Allocations 1.
Configure Applications 1. 2. Expand the Virtual IP node, and then select Application Configuration. Click Show All Applications on the Virtual IP Applications pane.
235
3.
Select Virtual IP, Client IP, or Virtual Loopback for each application, as appropriate.
4.
Click Update Virtual IP Servers.
236
12
Overview Password Reset Service Proxy-IT
Overview
The vWorkspace installation Additional Components features consist of the following: vWorkspace Management Console Password Reset Service RDP Gateway (Proxy-IT)
The vWorkspace Management Console is discussed in detail in the vWorkspace Management Console chapter. The other features are discussed in this chapter.

The Password Reset Service facilitates SSL-protected password reset requests from clients, to allow them to reset their Active Directory Credentials via the Web Access Web Interface Portal or the AppPortal client. This service requires an SSL Certificate and listens on port 443 (by default). The Password Reset Service can be installed on any Windows computer, physical or virtual, that is joined to a domain trusted by the domain containing the accounts of the users connecting in to the vWorkspace infrastructure.
The Password Reset Service should never be installed on a computer that is in the DMZ network.
How to ...
Install the Password Reset Service Configure the Password Reset Service Configure Password Management in AppPortal Configure Password Management in Web Access
Install the Password Reset Service 1. 2. 3. 4.

238
Execute the start.exe installation program. Click Next on the Welcome window. Accept the License agreement. Select Hosted Desktops and Terminal Servers (Enterprise Edition), and then Additional Components.
5. 6.
Select Password Reset Service. Click Next and complete the installation.
Configure the Password Reset Service Use the following steps to configure the Password Reset Service. 1. Use the following path to open the Password Manager Control Panel applet. Start | Control Panel | Provision Networks Password Manager 2. 3. On the General tab, enter the TCP Port. Click the Lock icon by Certificate Name.
4. 5. 6. 7. 8.
Select the certificate on the Select Certificate window, and then click OK. If you want to use logging, select the Logging tab and select Enable trace logging to the specified file. Enter the path and file name for the log file. Click OK on the Password Management Properties window. Start the vWorkspace Password Management Service.
Configure Password Management in AppPortal 1. 2. Open the AppPortal client. Use the following path to open the Farm Connections window: Actions | Manage Connections
239
3.
If you are configuring Password Management on an existing farm, do the following: a) Select Modify existing farm on the Select Farm window, and then select the farm that is to be edited from the list. b) Select Password Management from the left pane, and complete the information as appropriate. c) Click OK.
4.
If you are configuring Password Management on a new farm, do the following: a) Select Create new farm on the Select Farm window. b) Select Password Management from the left pane, and complete the information as appropriate. c) Click OK when you have entered the farm information as appropriate. Selecting OK closes the Select Farm window.
240
Configure Password Management in Web Access This option can only be configured as a global setting. 1. 2. Select Password Management under the Authentication options on the Web Access Management Console. Enter a Domain using the NetBIOS name of the Password Management server.
3. 4. 5. 6.
Enter the Server (FQDN). The host name, NetBIOS name, or IP address can be used in this field. Enter a Port number, and then click Add. The usual number to use is 443. Repeat the above steps to add multiple Password Management servers. Click Save Changes.
Proxy-IT
Non-Win32 RDP-capable client devices, such as a Mac, thin clients, or other devices running proprietary, open source, or third-party RDP client software, can leverage Proxy-IT to connect to a load-balanced Provision-IT Terminal Server farm without requiring additional client software. Proxy-IT is designed to deliver more connectivity options for accessing Microsoft Windows Terminal Servers from legacy, non-Win32, open source, or third-party RDP devices, with no differences for the make or the model. Multiple Proxy-IT servers can be clustered using Microsoft Network Load Balancing (NLB) or another third-party load balancing switch.
241
Proxy-IT listens for client requests on a configured TCP port, which is port 3389 by default.
It is recommended that the current version of Proxy-IT be used with Microsoft Session Directory to enable users to reconnect to their disconnected sessions.
How to ...
Install Proxy-IT 1. 2. 3. 4. 5. Execute the start.exe installation program. Click Next on the Welcome window. Accept the License agreement. Select the appropriate option on the Licensing Mode window. Select Additional Components, and then select RDP Gateway (Proxy-IT). If vWorkspace installation program detects an application Terminal Server, the Proxy-IT option is not available for selection. 6. Click Next and complete the installation.
Configure Proxy-IT 1. Open the vWorkspace Proxy-IT applet from the Control Panel.
242
2.
Complete the information on the Proxy-IT Properties window as appropriate, and then click Apply.
Accept connections on this TCP port Inactivity timeout (minutes)
Enter the TCP port. The default is 3389. Enter a number of minutes. A value of 0 indicates that connections never time out.
Connection Broker Settings Connect to broker on this TCP port Connect to broker using SSL Enable NAT support for firewall traversal Server Logging
Use Add Server to add the IP addresses or host names. Enter the TCP port associated with the Connection Broker settings. Select if connecting using SSL. Select if network address translation is being used. Select to enable trace logging, and then enter the file name or use the folder button to browse to the file.
243
Proxy-IT with Session Directory Services

Proxy-IT can be used in conjunction with Session Directory Services. By using Proxy-IT and Session Directory Services, users can be reconnected to their disconnected session, should the session be dropped.
Proxy-IT Prerequisites
The following items are required: All Proxy-IT servers must be Microsoft Windows Enterprise Server 2003 and they can not be configured for the multi-users application mode. Proxy-IT uses RDP port 3389 for its service, making it impossible to administer the server remotely. However, you can remap the local RDP listener to alternative port, such as 3390 or 2290 to allow for remote administration. Administrators can connect to this server using mstsc.exe by adding the alternative port.
The RDP port needs to be remapped in the following registry location: HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\ WinStation \RDP-TCP
1. 2. 3. 4.
Value: PortNumber Type: REG_DWORD Data: 0x000003d3 (3389) Change this value to something else, such as 3390 or 2290. Reboot the server.
244
Install Proxy-IT
Install Proxy-IT according to the licensing scheme that you purchased. If the option for RDP Gateway (Proxy-IT) is not available, you have Terminal Services application mode installed. You must uninstall Terminal Services application mode before installing Proxy-IT. Use the following steps to use Proxy-IT with Session Directory Service. Enable Session Directory Service To enable Session Directory Services, you must enable the service on all of your Proxy-IT servers. Use the following steps to complete this task: 1. 2. 3. Open up the Services plug-in: Start | Run| Services.msc Scroll to the Terminal Services Session Directory and set it to automatic. Start the service. These steps need to be completed on all of your Proxy-IT servers. Enable Session Directory on Terminal Services Use the following steps to enable Session Directory Services on all of your Terminal Servers: 1. 2. Open the Terminal Services Configuration plug-in, and go to the Server Settings Node. Right-click on the Session Directory and select Enable. These steps need to be completed on all of your Terminal Servers.
Setup Group Policies

There are two ways to setup Group Policies, using Group Policies or using the Terminal Services Configuration. It is recommended that you use the Group Policies method. Using Group Policies 1. 2. Open Group Policy. Enable Join Session Directory in the following: Computer Configuration/Administration Templates/Windows Components/Terminal Services/Session Directory
245
3.
Enable the Session Directory Server setting, and then in Session Directory Server, type the name of the server where the Terminal Server Session Directory service is running. Enable the Session Directory Cluster Name setting, and then in Session Directory Cluster Name, type the name of the cluster to which the Terminal Server belongs. Optionally, enable the Terminal Server IP Address Redirection setting. This policy should only be applied to the Terminal Servers, so you may need to create a separate OU for them to reside.
4.
5.
Using Terminal Services 1. Open Terminal Services Configuration by using the following path: Start | Control Panel | Administrative Tools | Terminal Services Configuration 2. 3. 4. 5. 6. Click Server Settings in the console tree. Right-click Session Directory in the details pane, and then click Properties. Select the Join session directory checkbox. In Cluster name, type the name of the Terminal Server cluster. In Session directory server name, type the DNS name or IP address of the domain server where the Terminal Services Session Directory service is running. The server name must be a valid server name, and cannot be left blank. 7. Select an IP address and network adapter form the Network adapter and IP address session directory should redirect users to list.
246
8.
Optionally, unselect the IP address redirection (uncheck for routing token redirection) to have client devices reconnect to disconnected sessions by using the virtual IP address of the terminal server cluster. This option is selected by default, which enables clients to reconnect by using the individual IP addresses for the terminal servers in the Session Directory. You should unselect this option if clients have visibility only to the virtual IP address of the cluster and cannot connect to the IP address of an individual terminal server.
247
248
13
Overview Virtualization Servers
Overview
Quest vWorkspace is able to provide a comprehensive list of provisioning, brokering, management, access, and security solutions, especially when implementing desktops that are to be managed as virtual machines. In order to provide this comprehensive functionality, the vWorkspace Connection Broker uses methods provided in the vendors Software Developer Kit (SDK) to pass commands and queries to the Virtualization Servers. A Virtualization Server is a Windows or Linux based computer system used to centrally manage one or more physical servers enabled with computer virtualization technology, and the virtual machines being hosted and executed on them. In Quest vWorkspace, support for the following virtualization server systems is offered: VMware VirtualCenter Server, Virtual Iron Virtualization Manager, and Parallels Virtuozzo Containers (master nodes). vWorkspace Connection Brokers integrate with virtualization servers by Software Developer Kits (SDK) provided by the vendor. The APIs are exposed as a Web service on virtualization servers that are accessed using the J2SE components installed on Connection Brokers. This Web site is protected using Secure Socket Layer (SSL) with VMware VirtualCenter Server requiring the virtualization servers digital server certificate to be placed into a keystore on the Connection Broker. Communication attempts fail without this keystore being placed on the Connection Broker. To enable vWorkspace Connection Brokers to work with virtualization servers, the following configuration steps must be completed. 1. Install the Integration with VMware VI3 and Virtual Iron, Integration with Microsoft Hyper-V, or the Integration with Parallels Virtuozzo subfeature on all Connection Brokers in the vWorkspace farm. If HTTPS is being used as the communication protocol between the Connection Broker and the virtualization server, a Java keystore containing the virtualization server, server certificate must be created on each Connection Broker in the vWorkspace farm. This is required for VMware VirtualCenter Server, but optional for Virtual Iron. 3. Add the virtualization server connections using the vWorkspace Management Console using the Virtualization Server wizard.
2.
See VirtualCenter SSL Certificate for further instructions.
250
Connections to virtualization servers are configured using the Virtualization Servers wizard located in the vWorkspace Management Console, a context menu option for Locations, or by selecting the Virtualization Servers icon from the toolbar. Once the Virtualization Servers option is selected, the system opens the Virtualization Servers window, if other virtualization servers have been defined, or the Virtualization Server wizard if no server have been defined. The following information is included on the Virtualization Servers window.
Type
The type of the virtualization server. The types are: Virtual Iron VMware VirtualCenter Server Parallels Virtuozzo
Name URL/Server Name
The alias name of the virtualization server. The Uniform Resource Locator (URL) path used by the Connection Broker to communicate with the virtualization server. This option opens the Virtualization Server wizard so that new virtualization server connections can be added.
New
251
Properties
This option allows the vWorkspace administrator to make changes to the configuration of the selected virtualization server. This option deletes the virtualization servers record from the database. This option updates the display list of virtualization server connection entries.
Delete Refresh
How to ...
Add Virtualization Server Connections The Virtualization Server wizard is used to add new entries to the virtualization server connections. Use the following information to complete the Virtualization Server wizard. 1. Open the vWorkspace Management Console and right-click on the Locations node and then select Virtualization Servers or, select the Virtualization Servers icon from the toolbar. The Virtualization Server wizard appears. If you have previously added virtualization servers, the Virtualization Servers window appears. To add a new virtualization server, click on the green plus sign (+), and the Virtualization Server wizard is presented. 2. Enter the appropriate information on the Name and System Type window, and then click Next.
252
Name System Type
Enter the friendly name that is used when referring to the virtualization server. Select one of the virtualization server types.
3.
253
Server URL
Enter the URL path to the virtualization server. For Virtual Iron, the URL must be in the format: http://servername or IP Address OR tcp://servername or IP Address For VMware VirtualCenter Server, the URL must be in the format: https://servername or IP Address/sdk For Parallels Virtuozzo, the URL must be in the format: https://servername:port
254
Name
4.
Restart Guest OS
Update PNTools
Initialize
255
Connection Timeout
The following options are only supported on virtualization servers with the type of VMware VirtualCenter Server, Microsoft Hyper-V, and Parallels Virtuozzo. Note: The Clone option does not apply to Microsoft Hyper-V. Power On Use the drop-down list to specify the number of virtual machine power on commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of virtual machine power off commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system suspend commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system resume commands that can be sent to the virtualization server from the Connection Broker at one time.
Power Off
Suspend
Resume
256
Reset
Use the drop-down list to specify the number of guest operation system reset commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of delete virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of clone virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time. Note: The Clone option does not apply to Microsoft Hyper-V.
Delete
Clone
257
258
14
VMware Integration
Overview Connect to VMware VirtualCenter Servers Disk and Memory Persistence Data Centers Computer Groups Power Management
Overview
The following VMware integrated features are available in vWorkspace: Import Datacenters from VirtualCenter. Manage virtual machine power states. Automated desktop and server provisioning using VMware VirtualCenter templates. Guest Windows OS customization. Distribute managed computers and servers across multiple resource pools and datastores. Configure memory and disk persistence.
Connect to VMware VirtualCenter Servers

The vWorkspace Connection Broker needs to communicate with the VMware VirtualCenter server before computers running as virtual machines can be managed using vWorkspace. The following conditions must be met before this communication occurs. VMware VirtualCenter server must be running version 2.x or higher. VMware Virtual Infrastructure Web Access must be installed on the VirtualCenter server. VMware VirtualCenter Integration component needs to be installed on the Quest vWorkspace Connection Brokers. VMware keystore needs to be configured on each Connection Broker. Communication parameters for each VMware VirtualCenter server must be added to the vWorkspace database. See Add Virtualization Server Connections for instructions.
Disk and Memory Persistence

VMware virtual machines can be configured for disk and memory persistence from the vWorkspace Management Console. Disk and memory persistence is configurable for individual computers, as well as computer groups. There are three virtual disk modes available:
260
VMware Integration
Persistent Independent and Persistent Independent and Nonpersistent
To configure disk and memory persistence for an individual computer, do one of the following: Set the options on the Configuration window, which is located on the Computer Properties window. This window is presented when selecting Properties for a computer, or when creating a new computer. Highlight the computer group in the navigation pane, and then click on the Summary tab in the information pane. Select Actions | Reconfigure. Highlight the computer group in the navigation pane, and then click on the Computers tab in the information pane. Right-click on the computer and select Reconfigure from the context menu. Set the Logoff Action properties for the computer, as appropriate. The Logoff Action property, if enabled, resets the computer when a user logs off.See Managed Computers for more information.
To configure disk and memory persistence for a computer group, do one of the following: Right-click on the computer group in the navigation pane, and then select Reconfigure Computers.
261
Highlight Desktops, and then select the Groups tab. Select Actions | Reconfigure Computers.
Highlight the computer group in the navigation pane and click on the Summary tab in the information pane. Select Actions | Reconfigure Computers.
Set the Logoff Action properties for the computer group, as appropriate. The Logoff Action property, if enabled, resets the computers in the group when users log off. See Computer Groups for more information
Data Centers
Data centers are used to organize and manage, as a single entity, datastores, templates, and virtual machines that are hosted on VMware ESX servers. Multiple data centers can exist in a single Vmware VirtualCenter Infrastructure. In order to manage the desktops hosted in the VMware VirtualCenter environment, the data centers must be imported into the vWorkspace database.
How to ...
Add a Data Center using the Datacenter Wizard 1. 2. 3. 4. From the Datacenter wizard Welcome window, click Next. Click Edit Virtualization Servers. The Virtualization Server wizard is presented. Click Next on the Welcome window. Enter the appropriate information on the Name and System Type window, and then click Next.
262
VMware Integration
Name System Type
Enter the friendly name that is used when referring to the virtualization server. Select VMware VirtualCenter Server.
5.
263
Server URL
Enter the URL path to the virtualization server. https://servername or IP Address/sdk
Name
An error in the connection with a VMware VirtualCenter server is usually related to an incorrect VMware VirtualCenter connection configuration, or the absence of a keystore file on the machine in which you are running the Datacenter wizard. If an error occurs, check the VMware VirtualCenter connection configuration. If that is correct, check for a keystore file on this machine, at the following location: C:\Program Files\Quest Software\vWorkspace\VMware-Certs
6.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time.
Restart Guest OS
Update PNTools
264
VMware Integration
Initialize
Use the drop-down list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down to specify the amount of time that the Connection Broker waits for a response from the virtualization server. Default option is 30 Seconds. For medium to large production environments where the virtualization server is busy, you may need to set the Connection Timeout to two or three minutes. Note: A Connection Timeout error does not necessarily mean that the task requested by the Connection Broker has failed. It may be that the virtualization server is too busy to report the successful completion of the operation in a timely manner.
Connection Timeout
Power On
Use the drop-down list to specify the number of virtual machine power on commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of virtual machine power off commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system suspend commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system resume commands that can be sent to the virtualization server from the Connection Broker at one time.
Power Off
Suspend
Resume
265
Reset
Use the drop-down list to specify the number of guest operation system reset commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of delete virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of clone virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time.
Delete
Clone
Computer Groups
Computer groups are containers of desktops that can be managed together. The following computer groups properties are associated with VMware VirtualCenter Server.
VMWARE MANAGED COMPUTER GROUP PROPERTY Group Name System Type Datacenter Computer Administrative Account Enable/Disable
DESCRIPTION
Name of the managed desktop group. System type for the computers in this group. Datacenter in which the computers in this group belong. Name of the user account that is used when performing administrative tasks on the desktop computers within this group. Connection requests to computers in this group my be temporarily suspended, if enabled.
266
VMware Integration
VMWARE MANAGED COMPUTER GROUP PROPERTY Client Assignment
DESCRIPTION
Used to permanently assign users to specific computers. The two types of user assignment are: Persistent A permanent desktop is assigned to the user. Temporary A free desktop is assigned on a temporary basis to the user, and then is available to be used again at user logoff. A client type can be assigned to the computers in the group based on the following: User Device Name Device Address Organizational Unit Group Note: Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit. Assign computers using the Client Assignment window for the specified computer. See Managed Computers for more information on this window.
Access Timetable User Privileges
Used to restrict access to the computers in this group based on day and time. Automatically assigns users to local security groups. This policy is useful when provisioning desktop workspace to users that require elevated privileges.
Session Auto-Logoff
Inactivity Timeout
Automatically suspends computers in the group when they are inactive. 267
VMWARE MANAGED COMPUTER GROUP PROPERTY Logoff Action Auto-Expand
DESCRIPTION
Automatically resets the computers in this group when the user logs off. Automatically expands the group to accommodate an increase in users to ensure there is always a minimum number of free computers available at all times. Schedule tasks to be completed at specified times. Specify the protocol for remote user sessions for this group, either RDP or RGS. Specify if bandwidth optimization is enabled or disabled for this computer group. Specify permissions for this computer group. Select from the options available as to the finish process for this group.
Task Automation Session Protocol Bandwidth Optimization Permissions Finish
VMware customizations, available from the Managed Computer Group wizard, enable administrators to specify items such as where new computers are stored and how they are named. The following customization settings can be specified for each managed computer group that belongs to a VMware type data center.
VMWARE CUSTOMIZATION SETTING Template
DESCRIPTION Indicates the name of the virtual machine template in the VirtualCenter inventory that is used when adding new managed computers to the group. Indicates the name of the folder in the VirtualCenter inventory where newly created managed desktop computers are located.
Folder
268
VMware Integration
VMWARE CUSTOMIZATION SETTING Datastore Distribution Method
DESCRIPTION Specifies how newly created managed virtual machines are distributed among the available datastores in VirtualCenter. The options are: Equal The desktops are distributed equally across the selected datastores. Free Space The desktops are distributed across the selected datastores proportion to the available free space on the datastores. Weighted The desktops are distributed across the selected datastores based on the percentages specified. Manual The desktops to be created are specified for each datastore.
Datastore(s)
Indicates the names of the Resource Pools and Datastores and the allocation percentages of the VirtualCenter inventory selected for storage of newly created managed computers within this group. Base Name Indicates the base name that is used when constructing the Windows computer name that is assigned to the newly created managed desktop computers added to the group. Base Name Start Value Indicates the starting numeric value that is added to the base name when constructing the Windows computer name that is assigned to the newly created managed desktop computers added to the group. Base Name Increment Indicates the numeric value by which subsequent Windows computer names are incremented when new managed desktop computers are added to the group. Re-use Names Indicates whether previously generated Windows computer names can be reused if the managed desktop computer has been deleted.
Naming Conventions
Configure Memory Configure Disk
Specifies the memory configuration used with this computer group. Specifies how the disk is configured for this computer group.
269
How to ...
Add Computer Groups to a VMware Type 1. Administrators can activate the Computer Group wizard from the vWorkspace, Desktops node any of the following ways: Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group.
OR
Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from the Actions menu on the toolbar in the navigation pane, from the New Computer Group icon in the toolbar of the navigation pane, or from the Actions menu on the Desktops information pane. 2. 3. 4. 5. Click Next on the Welcome to the Computer Group wizard. Enter the name of the computer group in the Group Name field on the Group Name window, and then click Next. Select VMWare VirtualCenter Server on the System Type window. Select the datacenter from the Datacenter window that this computer group belongs, and then click Next. If there are no datacenters listed, click Import and the Datacenter wizard is presented. Complete the wizard as follows: a) Click Next on the Welcome window of the Datacenter wizard. b) Select VMware VirtualCenter Server on the Virtualization Type window, and then click Next. c) Select the datacenter from the list on the Virtualization Server window, and then click Next. If there are no datacenters listed, click Edit Virtualization Servers, and the Virtualization Servers window appears. d) Click New on the Virtualization Servers window. e) Click Next on the Welcome window. f) Enter a name for the server and select VMware VirtualCenter Server on the Name and System Type window, and then click Next.
270
VMware Integration
g) Enter necessary information in the following format on the Server URL/Name and Credentials window, and then click Next.
Server URL Name https://servername or IP Address/sdk Enter the name of a user account that has the required access permissions to the target server specified in the Server URL field. For a Windows domain account, use: DomainName\UserName Password Confirm Password Enter the case sensitive password. Confirm the previously entered password.
h) Enter the appropriate information on the Other Settings window, and then click Finish.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of virtual machine power on commands that can be sent to the virtualization server from the Connection Broker at one time.
Restart Guest OS
Update PNTools
Initialize
Power On
271
Power Off
Use the drop-down list to specify the number of virtual machine power off commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system suspend commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system resume commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system reset commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of delete virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time. This function is only available with the system type of VMware VirtualCenter Server. Use the drop-down list to specify the number of clone virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time.
Suspend
Resume
Reset
Delete
Clone
272
VMware Integration
Connection Timeout
i) Highlight the newly added server, and then click Close on the Virtualization Servers window. You are returned to the Datacenter wizard, Virtualization Server window. Highlight the server, and then click Next. j) Select the datacenter to import, and then click Finish to complete the Datacenter wizard. 6. Do the following on the Computer Administrative Account window: a) Specify an Account on the Desktop Administrative Account window. This account is used to perform administrative tasks. It must be a member of the local administrators group on the desktops. b) Enter the Password and then enter it again to confirm the administrative user account password, and then click Next. 7. On the Enable/Disable window, select Enabled or Disabled to specify if connection requests to computers in this group may be temporarily suspended, and then click Next. On the Client Assignment window, select Persistent or Temporary to specify how free computers are assigned at logon. If a client type is to be assigned to the computers in this group, select one of the following, and then click Next. User Device Name Device Address
273
8.
Organizational Unit Group
Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit. Assign computers manually by using the Client Assignment window for the specified computer. See Managed Computers for more information on this window.
9.
On the Access Timetable window, click on the green grid to restrict access to the computers in this group. The Edit Timetable window appears. a) Click on the days and times, and then click Grant Permission or Deny Permission, as appropriate. b) Click OK. c) Click Next on the Access Timetable window.
10. Select Power Users, Administrators, or None to automatically add the users to one of those groups on the User Privileges window, and then click Next. 11. On the Session Auto-Logoff window, enter processes that if found to be running after the user closes all published applications, results in an automatic user session log off, and then click Next. 12. Select the option to automatically suspend computers in this group that are inactive, on the Inactivity Timeout window, and then click Next. 13. Select the checkbox on the Logoff Action window to automatically reset computers when a user logs off. If this option is enable for computers with nonpersistent disks, the disks are reverted to their original state at user log off. 14. To automatically expand the group based on a number of users, do the following on the Auto-Expand window: a) Select Enable auto-expansion. b) Enter a number of minimum computers to be available at all times. c) Enter a number of maximum computers to be available to this group. d) Click Next. 15. On the Task Automation window, select New. The Automated Task Wizard appears, or click Next to move to the next window without completing any automated tasks. 16. Click Next on the Welcome to the Automated Task Wizard.
274
VMware Integration
17. Complete the Automated Task Wizard: a) Enter a Name for this scheduled task, and then click Next. b) Select the Task, and then click Next. c) Select one of the parameters used to complete this task, and then click Next. d) Specify the schedule for this task to be completed, and then click Finish. 18. Select the appropriate session protocol, either RDP or RGS for this computer group on the Session Protocol window, and then click Next. 19. Specify if bandwidth optimization is to Enable or Disabled on the Bandwidth Optimization window, and then click Next. 20. Specify computer permissions for this group, as appropriate, and then click Next on the Permissions window. 21. On the Finish window, do one of the following: a) Select the Create new computers from a master template to add new desktops to the group and enter the number of desktops to create. Complete the process using the Add Computers tool. See Add Computers to a Computer Group for VMware. b) Select Import existing computers from VMware VirtualCenter to add computers by importing existing virtual machines and complete the process using Import Existing Computers into a Group. c) Select Do nothing. I will create or import computers later to create the desktops at a later time. 22. Click Finish. Once managed computer groups are established, their properties and policies can be viewed and modified from the vWorkspace Management Console simply by right-clicking on the managed computer group, and selecting Properties.
275
Add Computers to a Computer Group for VMware 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard.
OR
b) Select the computer group from the vWorkspace Management Console and do one of the following: 2. 3. Right-click on the managed computer group and select Add Computers. Select the Add Computers icon from the navigation pane toolbar. Select Add Computers from the Actions menu on the navigation pane. Select Add Computers from the Actions menu on the information pane of the datacenter.
Click Next on the Welcome to the Add Computers Wizard window. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. Select a template from the list on the Template window, and click Next. If there are no templates listed or to update the list, click Import. Select a folder to which the new computers are placed on the Folder window, and click Next. If the list is empty or to update the list, click Import. Select one or more resource pools and datastores on the Resource Pools/Datastores window. This is where the virtual machine disk files are to be stored. If the list is empty or to update the list, click Import. a) To change the distribution method, click the Distribution button on the toolbar above the list of datastores. Complete the information on the Datastore Distribution Method window as appropriate. b) Click Next.
4.
5.
6.
7.
Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window. If Specify the base name is selected, do the following: a) Type the text string in the Base Name field.
276
VMware Integration
b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate. 8. 9. Click Next. On the Sysprep Customizations window, do one of the following, and then click Next: a) To use Microsofts System Preparation tools, select Specify sysprep customizations. The computers in this group will be powered on after they are created. b) Select a sysprep from the list, or click New to create a new sysprep. See Create Sysprep Customizations for New Computers for more information. c) To not use Microsofts System Preparation tools, select Do not specify sysprep customizations. The desktops in this group will not be powered on after they are created. 10. Select the checkbox to reconfigure the computers memory and disk persistence after the cloning on the Configure Computers window, if appropriate, then do the following: a) Select Reconfigure Memory, and mover the slider to adjust for the memory value. b) Select Wait for users to log off before reconfiguring the computer, if appropriate. c) Select the Virtual Disks tab, and select Reconfigure Virtual Disks, and select First disk only or All disks. Select the Disk Mode, and set it to one of the following: Persistent Independent and Persistent Independent and Nonpersistent
11. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next.
277
12. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops.
Import Existing Computers into a Group

You can import existing computers from VirtualCenter to an existing computer group. You would do this when physical PCs have already been converted into virtual machines and are ready to be redeployed from the virtual infrastructure to their original owners. Several controls are available to assist with importing and resynchronizing (Import/Re-sync Desktops tool) desktop computers.
278
VMware Integration
The items on the window are described below:

CONTROL Import/update the desktops selected below into group [managed_desktop_group_na me] Remove orphaned desktops DESCRIPTION If selected, virtual machines that have previously been imported into other managed computer groups in the vWorkspace data center are prevented from being imported into the current managed desktop group. If selected, managed desktop computers are removed from the selected managed desktop group if they no longer exist in the VMware VirtualCenter inventory. This control displays a list of folders and virtual machines available in the VMware VirtualCenter data center inventory. If selected, displays a list of virtual machines that have not yet been imported into the managed desktop group. If selected, displays a list of virtual machines that have previously been imported into the managed desktop group. If selected, the chosen virtual machines are imported into the current managed desktop group as managed desktop computers. The Initialize Computer task is automatically started for each desktop computer successfully imported. Cancel If selected, the Import/Re-sync selections are discarded, and the window is closed.
VMware Inventory
View:New
View:Existing
OK
How to ...
Import Existing Computers into a Group 1. 2. Open the vWorkspace Management Console. Select the computer to which the import is to be added, and start the Computer Group wizard by doing one of the following: Right-click on the computer group and select Import/Re-sync computers. Click the Import/Re-sync computers icon from the toolbar in the navigation pane.
279
Select Actions | Import/Re-sync computers from the menu on the navigation pane. Select Import/Re-sync computers from the Actions menu on the computer groups information pane. Select Import existing desktops from VMware from the Finish window of the Computer Group wizard, and then click Finish, if you are completing the Computer Group wizard.
3. 4. 5. 6. 7.
Complete the Import/Re-sync Desktops control options as appropriate. Select the appropriate options on the Select Action frame. Select the appropriate View option (New or Existing) on the VMware Inventory frame. Select the virtual machines that are to be imported on the VMware Inventory frame. Click OK to start the import.
Monitor the Process

You can monitor the clone operation process by using the middle and bottom panes of the vWorkspace Management Console. The middle pane on the vWorkspace Management Console displays the overall progress. You can use Refresh to update the view. The bottom pane on the vWorkspace Management Console uses the Tasks tab to display the status of the tasks to complete the process, and a Log tab to display more detailed status information. To cancel a task, select it from the list of tasks and choose Cancel from the Actions menu, or right-click on the task and select Cancel.
PNTools is a required component for managed computers in the vWorkspace infrastructure. If you did not install PNTools as part of the template for the new desktops, it needs to be installed.
Power Management
Managed computers that are members of VMware enabled data centers are considered to be power managed computers. This means that the power state can be changed, either automatically by the Connection Broker or manually by an administrator using the vWorkspace Management Console. vWorkspace Connection Brokers periodically query their configured VMware VirtualCenter servers for the current power state of managed computers running as virtual machines, using calls and functions provided by the VMware SDK.
280
VMware Integration
vWorkspace Connection Brokers can also submit commands to change the power state of a given virtual machine. For example, when a user attempts to connect to a managed computer running as a virtual machine and that virtual machine is powered off, the Connection Broker automatically sends a command to VirtualCenter to power on the machine. Once the virtual machine is powered on and the operating system has loaded, the user is then connected to the desktop and log on. The power states of VMware based virtual machines that can be manipulated with the vWorkspace Management Console are: Power On Powers the virtual machine on in the same way as using the power switch on a physical computer. Power Off Powers the virtual machine off in the same way as using the power switch on a physical computer. Reset Powers the virtual machine off and then on again in the same way as using the reset switch on a physical computer. Resume Reawakens a virtual machine that has been in a suspended state. Suspend Suspend saves the system state and working set of the virtual machine to disk before powering off. When resumed, the computer is returned to the state it was in before being suspended. This option is faster since the operating system does not have to go through the complete load and initialization process. Shut Down OS Gracefully shuts down the guest operating system in the same way as using the Shut Down function in Windows. Restart OS Same as the Restart option in Windows. Log Off User Logs the user off in a graceful manner. The user is prompted to save any unsaved data. Reset Session Closes all programs that are running and deletes the session from the server that is running Terminal Services. This can be used if a session is not functioning correctly, or if the session has stopped responding.
281
282
15
Virtual Iron Integration
Overview Data Centers Computer Groups Import Existing Desktops into a Group Power Management
Overview
This section describes the range of desktop management and provisioning features offered by vWorkspace for Virtual Iron environments.
Data Centers
Data centers are used to organize and manage as a single entity, datastores, templates, and virtual machines that are hosted on Virtual Iron servers. Multiple data centers can exist in a single Virtual Iron Infrastructure. In order to manage the desktops hosted in the Virtual Iron environment, the data centers must be imported into the vWorkspace database.
How to ...
Add a Data Center using the Datacenter Wizard 1. 2. 3. 4. From the Datacenter wizard Welcome window, click Next. Click Edit Virtualization Servers. The Virtualization Server wizard is presented. Click Next on the Welcome window. Enter the appropriate information on the Name and System Type window, and then click Next.
284
Name System Type
Enter the friendly name that is used when referring to the virtualization server. Select Virtual Iron.
5.
Server URL
Enter the URL path to the virtualization server. http://servername or IP Address OR tcp://servername or IP Address
285
Name
6.
Restart Guest OS
Update PNTools
Initialize
286
Connection Timeout
Computer Groups
Computer groups are containers of desktops that can be managed together. Computer groups are containers of desktops that can be managed together. The following computer groups properties are associated with Virtual Iron.
VIRTUAL IRON MANAGED COMPUTER GROUP PROPERTY Group Name System Type Datacenter Computer Administrative Account Enable/Disable
DESCRIPTION
Name of the managed desktop group. System type for the computers in this group. Datacenter in which the computers in this group belong. Name of the user account that is used when performing administrative tasks on the desktop computers within this group. Connection requests to computers in this group my be temporarily suspended, if enabled.
287
VIRTUAL IRON MANAGED COMPUTER GROUP PROPERTY Client Assignment
DESCRIPTION
Used to permanently assign users to specific computers. The two types of user assignment are: Persistent A permanent desktop is assigned to the user. Temporary A free desktop is assigned on a temporary basis to the user, and then is available to be used again at user logoff. A client type can be assigned to the computers in the group based on the following: User Device Name Device Address Organizational Unit Group Note: Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit. Assign computers using the Client Assignment window for the specified computer. See Managed Computers for more information on this window.
Used to restrict access to the computers in this group based on day and time. Automatically assigns users to local security groups. This policy is useful when provisioning desktop workspaces to users that require elevated privileges.
Session Auto-Logoff
288
VIRTUAL IRON MANAGED COMPUTER GROUP PROPERTY Auto-Expand
DESCRIPTION
Automatically expands the group to accommodate an increase in users to ensure there is always a minimum number of free computers available at all times. Schedule tasks to be completed at specified times. Specify the protocol for remote user sessions for this group, either RDP or RGS. Specify if bandwidth optimization is enabled or disabled for this computer group. Specify permissions for this computer group. Select from the options available as to the finish process for this group.
Virtual Iron customizations enable administrators to specify items such as where new desktop computers are stored and how they will be named. The following customization settings can be specified for each managed computer group that belongs to a Virtual Iron type data center.
VIRTUAL IRON CUSTOMIZATION SETTING Disk Group Distribution Method
DESCRIPTION Specifies how newly created managed virtual machines are distributed among the available disk groups in Virtual Iron datacenters. The options are: Equal The desktops are distributed equally across the selected datastores. Free Space The desktops are distributed across the selected datastores proportion to the available free space on the datastores. Weighted The desktops are distributed across the selected datastores based on the percentages specified. Manual The desktops to be created are specified for each datastore.
Disk Group(s)
Indicates the names and allocation of percentages of the disk groups in the Virtual Iron inventory selected for storage of newly created managed computers within this group. 289
VIRTUAL IRON CUSTOMIZATION SETTING Template
DESCRIPTION Indicates the name of the virtual machine template in the Virtual Iron inventory that is used when adding new managed computers to the group. Indicates the base name that is used when constructing the Windows computer name that is assigned to the newly created managed desktop computers added to the group. Indicates the starting numeric value that is added to the base name when constructing the Windows computer name that is assigned to the newly created managed desktop computers added to the group. Indicates the numeric value by which subsequent Windows computer names are incremented when new managed desktop computers are added to the group. Indicates whether previously generated Windows computer names can be reused if the managed desktop computer has been deleted.
Base Name
Base Name Start Value
Base Name Increment
Re-Use Names
How to ...
Add Computer Groups to a Virtual Iron Type Add Computers to a Computer Group for Virtual Iron
Add Computer Groups to a Virtual Iron Type 1. Administrators can activate the Computer Group wizard from the vWorkspace, Desktops node any of the following ways: Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group.
OR
Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from the Actions menu on the toolbar in the navigation pane, from the New Computer Group icon in the toolbar of the navigation pane, or from the Actions menu on the Desktops information pane.
290
2. 3. 4. 5.
Click Next on the Welcome to the Computer Group wizard. Enter the name of the computer group in the Group Name field on the Group Name window, and then click Next. Select Virtual Iron on the System Type window. Select the datacenter from the Datacenter window that this computer group belongs, and then click Next. If there are no datacenters listed, click Import and the Datacenter wizard is presented. Complete the wizard as follows: a) Click Next on the Welcome window of the Datacenter wizard. b) Select Virtual Iron on the Virtualization Type window, and then click Next. c) Select the datacenter from the list on the Virtualization Server window, and then click Next. If there are no datacenters listed, click Edit Virtualization Servers, and the Virtualization Servers window appears. d) Click New on the Virtualization Servers window. e) Click Next on the Welcome window. f) Enter a name for the server and select Virtual Iron on the Name and System Type window, and then click Next. g) Enter necessary information in the following format on the Server URL/Name and Credentials window, and then click Next.
Server URL Name https://servername or tcp://servername Enter the name of a user account that has the required access permissions to the target server specified in the Server URL field. For a Windows domain account, use: DomainName\UserName Password Confirm Password Enter the case sensitive password. Confirm the previously entered password.
291
h) Enter the appropriate information on the Other Settings window, and then click Finish.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down to specify the amount of time that the Connection Broker waits for a response from the virtualization server. Default option is 30 Seconds. For medium to large production environments where the virtualization server is busy, you may need to set the Connection Timeout to two or three minutes. Note: A Connection Timeout error does not necessarily mean that the task requested by the Connection Broker has failed. It may be that the virtualization server is too busy to report the successful completion of the operation in a timely manner.
Restart Guest OS
Update PNTools
Initialize
Connection Timeout
i) Highlight the newly added server, and then click Close on the Virtualization Servers window. You are returned to the Datacenter wizard, Virtualization Server window. Highlight the server, and then click Next.
292
j) Select the datacenter to import, and then click Finish to complete the Datacenter wizard. 6. Do the following on the Computer Administrative Account window: a) Specify an Account on the Desktop Administrative Account window. This account is used to perform administrative tasks. It must be a member of the local administrators group on the desktops. b) Enter the Password and then enter it again to confirm the administrative user account password, and then click Next. 7. On the Enable/Disable window, select Enabled or Disabled to specify if connection requests to computers in this group may be temporarily suspended, and then click Next. On the Client Assignment window, select Persistent or Temporary to specify how free computers are assigned at logon. If a client type is to be assigned to the computers in this group, select one of the following, and then click Next. User Device Name Device Address Organizational Unit Group
8.
9.
10. Select Power Users, Administrators, or None to automatically add the users to one of those groups on the User Privileges window, and then click Next.
293
11. On the Session Auto-Logoff window, enter processes that if found to be running after the user closes all published applications, results in an automatic user session log off, and then click Next. 12. To automatically expand the group based on a number of users, do the following on the Auto-Expand window: a) Select Enable auto-expansion. b) Enter a number of minimum computers to be available at all times. c) Enter a number of maximum computers to be available to this group. d) Click Next. 13. On the Task Automation window, select New. The Automated Task Wizard appears, or click Next to move to the next window without completing any automated tasks. 14. Click Next on the Welcome to the Automated Task Wizard. 15. Complete the Automated Task Wizard: a) Enter a Name for this scheduled task, and then click Next. b) Select the Task, and then click Next. c) Select one of the parameters used to complete this task, and then click Next. d) Specify the schedule for this task to be completed, and then click Finish. 16. Select the appropriate session protocol, either RDP or RGS for this computer group on the Session Protocol window, and then click Next. 17. Specify if bandwidth optimization is to Enable or Disabled on the Bandwidth Optimization window, and then click Next. 18. Specify computer permissions for this group, as appropriate, and then click Next on the Permissions window. 19. Do one of the following on the Finish window: a) Select the Create new computers from a master template to add new computers to the group and enter the number of desktops to create. Complete the process using the Add Computers tool. See Add Computers to a Computer Group for Virtual Iron. b) Select Import existing computers from Virtual Iron to add desktops by importing existing virtual machines and complete the process using Import Existing Desktops into a Group. c) Select Do nothing. I will create or import computers later to create the desktops at a later time.
294
20. Click Finish. Once managed computer groups are established, their properties and policies can be viewed and modified from the vWorkspace Management Console simply by right-clicking on the managed computer group, and selecting Group Properties. Add Computers to a Computer Group for Virtual Iron 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard.
OR
Click Next on the Welcome to the Add Computers Wizard window. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. Select a template from the list on the Template window, and click Next. If there are no templates listed or to update the list, click Import. Select a disk group or groups to which the new computers are placed on the Disk Groups window, and click Next. If the list is empty or to update the list, click Import. a) To change the distribution method, click the Distribution button on the toolbar above the list of datastores. Complete the information on the Datastore Distribution Method window as appropriate. b) Click Next.
4.
5.
6.
Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window.
295
If Specify the base name is selected, do the following: a) Type the text string in the Base Name field. b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate. 7. 8. Click Next. On the Sysprep Customizations window, do one of the following, and then click Next: a) To use Microsofts System Preparation tools, select Specify sysprep customizations. The computers in this group will be powered on after they are created. b) Select a sysprep from the list, or click New to create a new sysprep. See Create Sysprep Customizations for New Computers for more information. c) To not use Microsofts System Preparation tools, select Do not specify sysprep customizations. The desktops in this group will not be powered on after they are created. 9. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next.
10. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops.
296
Import Existing Desktops into a Group

You can import existing desktops from Virtual Iron to an existing managed computer group. You would do this when physical PCs have already been converted into virtual machines and are ready to be redeployed from the virtual infrastructure to their original owners. Several controls are available to assist with importing and resynchronizing (Import/Re-sync Desktops tool) desktop computers. The controls are listed below:
CONTROL Import/update the desktops selected below into group [managed_desktop_group_na me] Remove orphaned desktops DESCRIPTION If selected, virtual machines that have previously been imported into other managed computer groups in the vWorkspace data center are prevented from being imported into the current managed desktop group. If selected, managed desktop computers are removed from the selected managed desktop group if they no longer exist in the Virtual Iron inventory. This control displays a list of folders and virtual machines available in the Virtual Iron data center inventory. If selected, displays a list of virtual machines that have not yet been imported into the managed desktop group. If selected, displays a list of virtual machines that have previously been imported into the managed desktop group. If selected, the chosen virtual machines are imported into the current managed desktop group as managed desktop computers. The Initialize Computer task is automatically started for reach desktop computer successfully imported. Cancel If selected, the Import/Re-sync selections are discarded, and the window is closed.
Virtual Iron Inventory
View:New
View:Existing
OK
297
Import Existing Desktops into a Group 1. 2. Open the vWorkspace Management Console. Select the computer to which the import is to be added, and start the Computer Group wizard by doing one of the following: Right-click on the computer group and select Import/Re-sync computers. Click the Import/Re-sync computers icon from the toolbar in the navigation pane. Select Actions | Import/Re-sync computers from the menu on the navigation pane. Select Import/Re-sync computers from the Actions menu on the computer groups information pane. Select Import existing desktops from Virtual Iron from the Finish window of the Computer Group wizard, and then click Finish, if you are completing the Computer Group wizard.
3. 4. 5. 6. 7.
Complete the Import/Re-sync Desktops control options as appropriate. Select the appropriate options on the Select Action frame. Select the appropriate View option (New or Existing) on the VMware Inventory frame. Select the virtual machines that are to be imported on the Virtual Iron Inventory frame. Click OK to start the import.
Monitor the Process

You can monitor the clone operation process by using the middle and bottom panes of the vWorkspace Management Console. The middle pane on the vWorkspace Management Console displays the overall progress. You can use Refresh to update the view. The bottom pane on the vWorkspace Management Console uses the Tasks tab to display the status of the tasks to complete the process, and a Log tab to display more detailed status information. To cancel a task, select it from the list of tasks and choose Cancel from the Actions menu, or right-click on the task and select Cancel.
PNTools is a required component for managed computers in the vWorkspace infrastructure. If you did not install PNTools as part of the template for the new desktops, it needs to be installed.
298
Power Management
Managed computers that are members of Virtual Iron data centers are considered to be power-managed computers. This means that the power state can be changed, either automatically by the Connection Broker or manually by an administrator using the vWorkspace Management Console. Power On Powers the virtual machine on in the same way as using the power switch on a physical computer. Power Off Powers the virtual machine off in the same way as using the power switch on a physical computer. Reset Powers the virtual machine off and then on again in the same way as using the reset switch on a physical computer. Shut Down OS Gracefully shuts down the guest operating system in the same way as using the Shut Down function in Windows. Restart OS Same as the Restart option in Windows. Log Off User Logs the user off in a graceful manner. The user is prompted to save any unsaved data. Reset Session Closes all programs that are running and deletes the session from the server that is running Terminal Services. This can be used if a session is not functioning correctly, or if the session has stopped responding.
299
300
16
Microsoft Hyper-V Integration
Overview Hyper-V Broker Helper Service Hosts Computer Groups Power Management
Overview
Virtual machines running on Microsoft Hyper-V servers are supported in vWorkspace. Virtual machines can be added from Hyper-V servers, and their power states controlled directly from the vWorkspace Management Console.
Hyper-V Broker Helper Service

To enable this support, the Hyper-V Broker Helper Service must be installed on each Hyper-V server. The Connection Broker delegates to the Broker Helper Service the responsibility of executing various administrative tasks to the Hyper-V server on which it is running. Such tasks include the enumeration and power management of virtual machines. In order for the Connection Broker to communicate with the Broker Helper Service, the Microsoft .NET Framework 3.0 must be installed on both computers. Windows Communication Foundation (WCF), a component of the Microsoft .NET Framework 3.0, is used to enable the Connection Broker to gain authenticated access to the Hyper-V server through the Broker Helper Service. The Broker Helper Service is a design choice that enables future versions of vWorkspace to implement management features not inherent to Microsoft Hyper-V. The details of such features are to be included with future versions of vWorkspace. The Broker Helper Service is available for download from the Quest vWorkspace web site from the Miscellaneous section, Download | Miscellaneous, and it must be installed on each Hyper-V server.
Installation Tips
If you plan to install and use the vWorkspace Connection Broker in conjunction with Microsoft Hyper-V, Microsoft .NET Framework 3.0 or higher and Windows PowerShell must be installed on the target computer. Otherwise, the setup program warns of the .NET 3.0 prerequisite, requiring you to install it before proceeding. Some vWorkspace releases offer the option to install .NET Framework 3.0 as part of the setup process. For Hyper-V servers, please note that the .NET Framework 3.0 and Windows PowerShell are standard features with Windows Server 2008. To enable it, run Server Manager and select the Features node. In the right pane, select Add Features.
302
The Broker Helper Service for Hyper-V listens on TCP port 9000, by default, for requests from the Connection Broker. An inbound rule must be created to allow for successful communication if the Windows Firewall with Advanced Security is enabled. Create a rule by using the Windows Firewall with Advanced Security management console from the start menu, or by entering the following command in an elevated command prompt.
Hosts
Hosts are used to organize and manage, as a single entity, datastores, templates, and virtual machines that are hosted on Microsoft Hyper-V servers. Multiple hosts can exist in a single infrastructure. In order to manage the desktops hosted in the Microsoft Hyper-V environment, the hosts must be added into the vWorkspace database. Add a Host using the Hyper-V Host Wizard 1. 2. From the Hyper-V Host wizard Welcome window, click Next. Enter the appropriate information on the Name and System Type window, and then click Next.
303
Name System Type
Enter the friendly name that is used when referring to the virtualization server. Select Microsoft Hyper-V.
3.
304
Server URL
Enter the URL path to the virtualization server. net.tcp://servername or IP Address:port Note: The default port for Microsoft Hyper-V is 9000.
Name
305
4.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down to specify the amount of time that the Connection Broker waits for a response from the virtualization server. Default option is 30 Seconds. For medium to large production environments where the virtualization server is busy, you may need to set the Connection Timeout to two or three minutes. Note: A Connection Timeout error does not necessarily mean that the task requested by the Connection Broker has failed. It may be that the virtualization server is too busy to report the successful completion of the operation in a timely manner. Power On Use the drop-down list to specify the number of virtual machine power on commands that can be sent to the virtualization server from the Connection Broker at one time.
Restart Guest OS
Update PNTools
Initialize
Connection Timeout
306
Power Off
Use the drop-down list to specify the number of virtual machine power off commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system suspend commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system resume commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of guest operation system reset commands that can be sent to the virtualization server from the Connection Broker at one time. Use the drop-down list to specify the number of delete virtual machine operations that can be sent to the virtualization server from the Connection Broker at one time.
Suspend
Resume
Reset
Delete
Computer Groups
Computer groups are containers of desktops that can be managed together. The following computer groups properties are associated with Microsoft Hyper-V.
HYPER-V MANAGED DESKTOP GROUP PROPERTY Group Name System Type Computer Administrative Account Enable/Disable
DESCRIPTION
Name of the managed desktop group. System type for the computers in this group. Name of the user account that is used when performing administrative tasks on the desktop computers within this group. Connection requests to computers in this group my be temporarily suspended, if enabled. 307
HYPER-V MANAGED DESKTOP GROUP PROPERTY Client Assignment
DESCRIPTION
Used to permanently assign users to specific computers. The two types of user assignment are: Persistent A permanent desktop is assigned to the user. Temporary A free desktop is assigned on a temporary basis to the user, and then is available to be used again at user logoff. A client type can be assigned to the computers in the group based on the following: User Device Name Device Address Organizational Unit Group Note: Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit. Assign computers using the Client Assignment window for the specified computer. See Computer Groups for more information on this window.
Used to restrict access to the computers in this group based on day and time. Automatically assigns users to local security groups. This policy is useful when provisioning desktop workspace to users that require elevated privileges. The options are: Power Users Administrators None
308
HYPER-V MANAGED DESKTOP GROUP PROPERTY Session Auto-Logoff
DESCRIPTION
Inactivity Timeout Task Automation Session Protocol Bandwidth Optimization Permissions Finish
Automatically suspends computers in the group when they are inactive. Schedule tasks to be completed at specified times. Specify the protocol for remote user sessions for this group, either RDP or RGS. Specify if bandwidth optimization is enabled or disabled for this computer group. Specify permissions for this computer group. Select from the options available as to the finish process for this group.
How to ...
Add Computer Groups to a Microsoft Hyper-V Type 1. Administrators can activate the Computer Group wizard from the vWorkspace, Desktops node any of the following ways: Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group.
OR
Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from the Actions menu on the toolbar in the navigation pane, from the New Computer Group icon in the toolbar of the navigation pane, or from the Actions menu on the Desktops information pane. 2. 3. Click Next on the Welcome to the Computer Group wizard. Enter the name of the computer group in the Group Name field on the Group Name window, and then click Next.
309
4. 5.
Select Microsoft Hyper-V on the System Type window. Do the following on the Computer Administrative Account window: a) Specify an Account on the Desktop Administrative Account window. This account is used to perform administrative tasks. It must be a member of the local administrators group on the desktops. b) Enter the Password and then enter it again to confirm the administrative user account password, and then click Next.
6.
On the Enable/Disable window, select Enabled or Disabled to specify if connection requests to computers in this group may be temporarily suspended, and then click Next. On the Client Assignment window, select Persistent or Temporary to specify how free computers are assigned at logon. If a client type is to be assigned to the computers in this group, select one of the following, and then click Next. User Device Name Device Address Organizational Unit Group
7.
8.
9.
Select Power Users, Administrators, or None to automatically add the users to one of those groups on the User Privileges window, and then click Next.
310
10. On the Session Auto-Logoff window, enter processes that if found to be running after the user closes all published applications, results in an automatic user session log off, and then click Next. 11. Select the option to automatically suspend computers in this group that are inactive, on the Inactivity Timeout window, and then click Next. 12. On the Task Automation window, select New. The Automated Task Wizard appears, or click Next to move to the next window without completing any automated tasks. 13. Click Next on the Welcome to the Automated Task Wizard. 14. Complete the Automated Task Wizard: a) Enter a Name for this scheduled task, and then click Next. b) Select the Task, and then click Next. c) Select one of the parameters used to complete this task, and then click Next. d) Specify the schedule for this task to be completed, and then click Finish. 15. Select the appropriate session protocol, either RDP or RGS for this computer group on the Session Protocol window, and then click Next. 16. Specify if bandwidth optimization is to Enable or Disabled on the Bandwidth Optimization window, and then click Next. 17. Specify computer permissions for this group, as appropriate, and then click Next on the Permissions window. 18. On the Finish window, do one of the following: a) Select Import existing computers from Hyper-V hosts to add computers by importing existing virtual machines and complete the process using Import Existing Computers into a Group. b) Select Do nothing. I will create or import computers later to create the desktops at a later time. 19. Click Finish. Once managed computer groups are established, their properties and policies can be viewed and modified from the vWorkspace Management Console simply by right-clicking on the managed computer group, and selecting Properties.
311

You can import existing computers from a Microsoft Hyper-V data center in to an existing managed computer group. This can be completed when physical PCs have already been converted into virtual machines and are ready to be redeployed from the virtual infrastructure to their original owners. After computers have been successfully imported, the task Initialize Computer is automatically created. This process establishes the relationship between the Connection Broker and the virtual desktop and must be completed successfully. See Initialize Computer for more information on this process. Several controls are available to assist with importing and resynchronizing (Import/Re-sync Desktops tool) desktop computers.

CONTROL Import/update the desktops selected below into group [managed_desktop_group_na me] DESCRIPTION If selected, virtual machines that have previously been imported into other managed computer groups in the vWorkspace data center are prevented from being imported into the current managed desktop group.
312
CONTROL Remove orphaned desktops
DESCRIPTION If selected, managed desktop computers are removed from the selected managed desktop group if they no longer exist in the data center. This control displays a list of folders and virtual machines available in the Microsoft Hyper-V data center inventory. If selected, displays a list of virtual machines that have not yet been imported into the managed desktop group. If selected, displays a list of virtual machines that have previously been imported into the managed desktop group. If selected, the chosen virtual machines are imported into the current managed desktop group as managed desktop computers. The Initialize Computer task is automatically started for each desktop computer successfully imported.
Microsoft Hyper-V Inventory
View:New
View:Existing
OK
Cancel
If selected, the Import/Re-sync selections are discarded, and the window is closed.
How to ...
Import Existing Desktops into a Group 1. 2. Open the vWorkspace Management Console. Select the computer to which the import is to be added, and start the Computer Group wizard by doing one of the following: 3. 4. Right-click on the computer group and select Import/Re-sync computers. Click the Import/Re-sync computers icon from the toolbar in the navigation pane. Select Actions | Import/Re-sync computers from the menu on the navigation pane. Select Import/Re-sync computers from the Actions menu on the computer groups information pane.
Complete the Import/Re-sync Desktops control options as appropriate. Select the appropriate options on the Select Action frame.
313
5. 6. 7.
Select the appropriate View option (New or Existing) on the VMware Inventory frame. Select the virtual machines that are to be imported on the Microsoft Hyper-V Inventory frame. Click OK to start the import.
Power Management
The power states of Microsoft Hyper-V based virtual machines that can be manipulated with vWorkspace are: Power On Powers the virtual machine on in the same way as using the power switch on a physical computer. Power Off Powers the virtual machine off in the same way as using the power switch on a physical computer. Reset Powers the virtual machine off and then on again in the same way as using the reset switch on a physical computer. Resume Reawakens a virtual machine that has been in a suspended state. Suspend Suspend saves the system state and working set of the virtual machine to disk before powering off. When resumed, the computer is returned to the state it was in before being suspended. This option is faster since the operating system does not have to go through the complete load and initialization process. Shut Down OS Gracefully shuts down the guest operating system in the same way as using the Shut Down function in Windows. Restart OS Same as the Restart option in Windows. Log Off User Logs the user off in a graceful manner. The user is prompted to save any unsaved data. Reset Session Closes all programs that are running and deletes the session from the server that is running Terminal Services. This can be used if a session is not functioning correctly, or if the session has stopped responding.
314
17
Parallels Virtuozzo Integration
Overview About Parallels Virtuozzo Computer Groups Power Management
Overview
This section describes the range of desktop management and provisioning features offered by vWorkspace for Parallels Virtuozzo Containers version 4.0 environments.
About Parallels Virtuozzo

Parallels Virtuozzo nodes can be both independent hosts or part of a group, which are master and slave nodes that are associated with each other, but they cannot be both independent hosts and part of a group at the same time. You can import slave nodes from a master and add independent nodes to the same location. If you do not have independent nodes, then you define virtualization servers that represent the master node or nodes. When you add a location, you import slave nodes from any of the virtualization server master nodes, and associate the imported nodes with the location. If you have Virtuozzo independent nodes, you can add them to the location. When setting up the Parallels Virtuozzo Containers in the vWorkspace Management Console, once a location has been defined, the following steps must be completed: Associate virtualization entities, independent nodes and slave nodes, to the location. Import Virtuozzo Salve Nodes Use this option to import master nodes and select slave nodes that are to be imported. Add Independent Virtuozzo Nodes Use this option to add the independent nodes to the location.
316
Computer groups can be added to locations by selecting Desktops from the location in the vWorkspace Management Console. For more information on Parallel Virtuozzo computer groups, see Computer Groups. Add computers to the established computer groups by using the Add Computers wizard. See Add Computers to a Computer Group for Parallels Virtuozzo for more information.
Parallels Virtuozzo Containers disables the startup of certain Microsoft Windows services by default, including ones that are required for vWorkspace. You need to set the type to Enterprise, to prevent the disabling of certain Window services. Please also refer to the Parallels Virtuozzo knowledge base article, http://kb.parallels.com/1007, for more information.
How to ...
Import Virtuozzo Slave Nodes Add Independent Virtuozzo Nodes
Import Virtuozzo Slave Nodes 1. 2. 3. Click Next on the Import Virtuozzo Nodes Welcome window. Click Edit Virtualization Servers on the Master Node window. The Virtuozzo Master Node wizard is presented. Click Next on the Virtuozzo Master Node Wizard Welcome window.
317
4. 5.
Click Next on the Welcome window. Enter the appropriate information on the Name and System Type window, and then click Next.
Name System Type
6.
318
Server URL
Name
7.
319
Restart Guest OS
Update PNTools
Initialize
Connection Timeout
Power On
Power Off
320
Suspend
Resume
Reset
Delete
Clone
Add Independent Virtuozzo Nodes 1. 2. Click Next on the Virtuozzo Independent Node Wizard Welcome window. Enter the appropriate information on the Name and System Type window, and then click Next.
321
Name System Type
3.
322
Server URL
Name
4.
Shutdown Guest OS Use the drop-down list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. 323
Restart Guest OS
Update PNTools
Initialize
Connection Timeout
Power On
Power Off
324
Suspend
Resume
Reset
Delete
Clone
Computer Groups
Computer groups are containers of computers that can be managed together. The following managed computer groups properties are associated with Parallels Virtuozzo.
PARALLELS VIRTUOZZO MANAGED COMPUTER GROUP PROPERTY Group Name System Type Computer Administrative Account
DESCRIPTION
Name of the managed desktop group. System type for the computers in this group. Name of the user account that is used when performing administrative tasks on the desktop computers within this group.
325
PARALLELS VIRTUOZZO MANAGED COMPUTER GROUP PROPERTY Enable/Disable Client Assignment
DESCRIPTION
Connection requests to computers in this group my be temporarily suspended, if enabled. Used to permanently assign users to specific computers. The two types of user assignment are: Persistent A permanent desktop is assigned to the user. Temporary A free desktop is assigned on a temporary basis to the user, and then is available to be used again at user logoff. A client type can be assigned to the computers in the group based on the following: User Device Name Device Address Organizational Unit Group Note: Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit. Assign computers using the Client Assignment window for the specified computer. See Managed Computers for more information on this window.
Used to restrict access to the computers in this group based on day and time. Automatically assigns users to local security groups. This policy is useful when provisioning desktop workspace to users that require elevated privileges.
Session Auto-Logoff
326
PARALLELS VIRTUOZZO MANAGED COMPUTER GROUP PROPERTY Inactivity Timeout Auto-Expand
DESCRIPTION
Automatically suspends computers in the group when they are inactive. Automatically expands the group to accommodate an increase in users to ensure there is always a minimum number of free computers available at all times. Schedule tasks to be completed at specified times. Specify the protocol for remote user sessions for this group, either RDP or RGS. Specify if bandwidth optimization is enabled or disabled for this computer group. Specify permissions for this computer group. Select from the options available as to the finish process for this group.
How to ...
Add Computer Groups to a Parallels Virtuozzo Type 1. Administrators can activate the Computer Group wizard from the vWorkspace, Desktops node any of the following ways: Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group.
OR
Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from the Actions menu on the toolbar in the navigation pane, from the New Computer Group icon in the toolbar of the navigation pane, or from the Actions menu on the Desktops information pane. 2. 3. 4. Click Next on the Welcome to the Computer Group wizard. Enter the name of the computer group in the Group Name field on the Group Name window, and then click Next. Select Parallels Virtuozzo on the System Type window.
327
5.
Do the following on the Computer Administrative Account window: a) Specify an Account on the Desktop Administrative Account window. This account is used to perform administrative tasks. It must be a member of the local administrators group on the desktops. b) Enter the Password and then enter it again to confirm the administrative user account password, and then click Next.
6.
7.
8.
9.
Select Power Users, Administrators, or None to automatically add the users to one of those groups on the User Privileges window, and then click Next.
10. On the Session Auto-Logoff window, enter processes that if found to be running after the user closes all published applications, results in an automatic user session log off, and then click Next.
328
11. Select the option to automatically suspend computers in this group that are inactive, on the Inactivity Timeout window, and then click Next. 12. To automatically expand the group based on a number of users, do the following on the Auto-Expand window: a) Select Enable auto-expansion. b) Enter a number of minimum computers to be available at all times. c) Enter a number of maximum computers to be available to this group. d) Click Next. 13. On the Task Automation window, select New. The Automated Task Wizard appears, or click Next to move to the next window without completing any automated tasks. 14. Click Next on the Welcome to the Automated Task Wizard. 15. Complete the Automated Task Wizard: a) Enter a Name for this scheduled task, and then click Next. b) Select the Task, and then click Next. c) Select one of the parameters used to complete this task, and then click Next. d) Specify the schedule for this task to be completed, and then click Finish. 16. Select the appropriate session protocol, either RDP or RGS for this computer group on the Session Protocol window, and then click Next. 17. Specify if bandwidth optimization is to Enable or Disabled on the Bandwidth Optimization window, and then click Next. 18. Specify computer permissions for this group, as appropriate, and then click Next on the Permissions window.
329
19. On the Finish window, do one of the following: a) Select the Create new computers from a master template to add new desktops to the group and enter the number of desktops to create. Complete the process using the Add Computers tool. See Add Computers to a Computer Group for Parallels Virtuozzo. b) Select Import existing computers from Virtuozzo nodes to add computers by importing existing virtual machines and complete the process using Import Existing Computers into a Group. c) Select Do nothing. I will create or import computers later to create the desktops at a later time. 20. Click Finish. Once managed computer groups are established, their properties and policies can be viewed and modified from the vWorkspace Management Console simply by right-clicking on the managed computer group, and selecting Properties. Add Computers to a Computer Group for Parallels Virtuozzo 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard.
OR
Click Next on the Welcome to the Add Computers Wizard window. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. Select a template from the list on the Template window, and click Next. If there are no templates listed or to update the list, click Import.
4.
330
5.
Select a folder to which the new computers are placed on the Folder window, and click Next. If the list is empty or to update the list, click Import. Select one or more Virtuozzo network devices from the Nodes/Network Devices window. This is where the computers should be created. If the list is empty or to update the list, click Import. a) To change the distribution method, click the Distribution button on the toolbar above the list of datastores. Complete the information on the Datastore Distribution Method window as appropriate. b) Click Next.
6.
7.
Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window. If Specify the base name is selected, do the following: a) Type the text string in the Base Name field. b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate.
8. 9.
Click Next. On the Sysprep Customizations window, do one of the following, and then click Next: a) To use Microsofts System Preparation tools, select Specify sysprep customizations. The computers in this group will be powered on after they are created. b) Select a sysprep from the list, or click New to create a new sysprep. See Create Sysprep Customizations for New Computers for more information.
It is important that you make sure your sysprep configuration is accurate and works on a machine that is visible to you. If the sysprep information is incorrect, you may have a machine that requires user input, but you will have no way of connecting to it. 331
c) To not use Microsofts System Preparation tools, select Do not specify sysprep customizations. The desktops in this group will not be powered on after they are created. 10. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next. 11. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops.

You can import existing computers from Parallels Virtuozzo host to an existing computer group. You would do this when physical PCs have already been converted into virtual machines and are ready to be redeployed from the virtual infrastructure to their original owners. Several controls are available to assist with importing and resynchronizing (Import/Re-sync Desktops tool) desktop computers.
332

CONTROL Import/update the desktops selected below into group [managed_desktop_group_na me] Remove orphaned desktops DESCRIPTION If selected, virtual machines that have previously been imported into other managed computer groups in the vWorkspace data center are prevented from being imported into the current managed desktop group. If selected, managed desktop computers are removed from the selected managed desktop group if they no longer exist in the VMware VirtualCenter inventory. This control displays a list of folders and virtual machines available in the Parallels Virtuozzo Host inventory. If selected, displays a list of virtual machines that have not yet been imported into the managed desktop group. If selected, displays a list of virtual machines that have previously been imported into the managed desktop group. If selected, the chosen virtual machines are imported into the current managed desktop group as managed desktop computers. The Initialize Computer task is automatically started for each desktop computer successfully imported. Cancel If selected, the Import/Re-sync selections are discarded, and the window is closed.
Parallels Virtuozzo Inventory
View:New
View:Existing
OK
How to ...
Import Existing Computers into a Group 1. 2. Open the vWorkspace Management Console. Select the computer to which the import is to be added, and start the Computer Group wizard by doing one of the following: Right-click on the computer group and select Import/Re-sync computers. Click the Import/Re-sync computers icon from the toolbar in the navigation pane.
333
Select Actions | Import/Re-sync computers from the menu on the navigation pane. Select Import/Re-sync computers from the Actions menu on the computer groups information pane. Select Import existing desktops from VMware from the Finish window of the Computer Group wizard, and then click Finish, if you are completing the Computer Group wizard.
3. 4. 5. 6. 7.
Complete the Import/Re-sync Desktops control options as appropriate. Select the appropriate options on the Select Action frame. Select the appropriate View option (New or Existing) on the VMware Inventory frame. Select the virtual machines that are to be imported on the Parallels Virtuozzo Inventory frame. Click OK to start the import.
Power Management
The power states of Parallels Virtuozzo managed computers that can be manipulated with vWorkspace are: Power On Powers the virtual machine on in the same way as using the power switch on a physical computer. Shut Down OS Gracefully shuts down the guest operating system in the same way as using the Shut Down function in Windows.
334
18
Non-Power Managed Data Centers
Overview Computer Groups Computer Groups Add Computers to a Computer Group Power Management
Overview
This chapter describes in detail the broad range of desktop management and provisioning features offered by vWorkspace for the type Other/Physical (non-power managed computers), which are managed computers that are hosted on physical hardware, such as PC blades or high-end engineering workstations.
Computer Groups
Computer groups are containers of desktops that can be managed together. The following managed computer groups properties are associated with Other/Physical type (non-power managed data centers).
OTHER TYPE MANAGED COMPUTER GROUP PROPERTY Group Name System Type Computer Administrative Account Enable/Disable
DESCRIPTION
Name of the managed desktop group. System type for the computers in this group. Name of the user account that is used when performing administrative tasks on the desktop computers within this group. Connection requests to computers in this group my be temporarily suspended, if enabled.
336
OTHER TYPE MANAGED COMPUTER GROUP PROPERTY Client Assignment
DESCRIPTION
Used to permanently assign users to specific computers. The two types of user assignment are: Persistent A permanent desktop is assigned to the user. Temporary A free desktop is assigned on a temporary basis to the user, and then is available to be used again at user logoff. A client type can be assigned to the computers in the group based on the following: User Device Name Device Address Organizational Unit Group Note: Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit. Assign computers using the Client Assignment window for the specified computer. See Computer Groups for more information on this window.
Used to restrict access to the computers in this group based on day and time. Automatically assigns users to local security groups. This policy is useful when provisioning desktop workspaces to users that require elevated privileges.
Session Auto-Logoff
Task Automation
Schedule tasks to be completed at specified times.
337
OTHER TYPE MANAGED COMPUTER GROUP PROPERTY Session Protocol Bandwidth Optimization Permissions Finish
DESCRIPTION
Specify the protocol for remote user sessions for this group, either RDP or RGS. Specify if bandwidth optimization is enabled or disabled for this computer group. Specify permissions for this computer group. Select from the options available as to the finish process for this group.
How to ...
Add Computer Groups to Other/Physical Type 1. Administrators can activate the Computer Group wizard from the vWorkspace, Desktops node any of the following ways: Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group.
OR
Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from the Actions menu on the toolbar in the navigation pane, from the New Computer Group icon in the toolbar of the navigation pane, or from the Actions menu on the Desktops information pane. 2. 3. 4. 5. Click Next on the Welcome to the Computer Group wizard. Enter the name of the computer group in the Group Name field on the Group Name window, and then click Next. Select Other/Physical on the System Type window. Do the following on the Computer Administrative Account window: a) Specify an Account on the Desktop Administrative Account window. This account is used to perform administrative tasks. It must be a member of the local administrators group on the desktops. b) Enter the Password and then enter it again to confirm the administrative user account password, and then click Next.
338
6.
7.
8.
9.
Select Power Users, Administrators, or None to automatically add the users to one of the groups on the User Privileges window, and then click Next.
10. On the Session Auto-Logoff window, enter processes that if found to be running after the user closes all published applications, results in an automatic user session log off, and then click Next. 11. On the Task Automation window, select New. The Automated Task Wizard appears. 12. Click Next on the Welcome to the Automated Task Wizard. 13. Complete the Automated Task Wizard: a) Enter a Name for this scheduled task, and then click Next. b) Select the Task, and then click Next.
339
c) Select one of the parameters used to complete this task, and then click Next. d) Specify the schedule for this task to be completed, and then click Finish. 14. Select the appropriate session protocol, either RDP or RGS for this computer group on the Session Protocol window, and then click Next. 15. Specify if bandwidth optimization is to Enable or Disabled on the Bandwidth Optimization window, and then click Next. 16. Specify computer permissions for this group, as appropriate, and then click Next on the Permissions window. 17. On the Finish window, select one of the following: a) Add computers to this group now. b) Do nothing now. I will add computers later. 18. To complete the process, do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops.
Add Computers to a Computer Group

Computer groups in vWorkspace of the type Other/Physical (non-power managed) can contain computers that are physical, virtual, or a combination of the two. To be added to this type of group, the following must be met: The computer hardware (physical or virtual) must be installed and configured. A supported operating system must be installed. The computer must be powered on. Network connectivity must exist between the vWorkspace Management Console and the desktop computer that is to be added.
Because vWorkspace computer groups with the type of Other/Physical (non-power managed) do not use or communicate with virtual management servers, one of the following methods must be provided to identify the computers that are to be added to a computer group during the Add Computers process.
340
Browse Enter Name Enter IP Address Range
Browse
OPTION Browse Network
DESCRIPTION Locates computers to be added by browsing the Microsoft Windows Network. Multiple items can be selected by using Ctrl+Shift+Click or Shift+Up/Down. Locates computers to be added by sending a filtered query, using Active Directory Services Interface (ADSI) to Active Directory. User must specify the following: Domain The name of the Windows domain that the query is to be sent. Display The object type to display, Organizational Units, Computers, or both. Filter The specified name or partial name using a wildcard (*).
Browse Active Directory
341
Enter Name
OPTION Computer Name
DESCRIPTION Locates computers to be added by specifying the Windows computer name or IP address. Type the Windows Computer name or IP address of the computer to be added, and click Add. The Connection Broker attempts to resolve the name to an IP address. This is the name that is displayed on the vWorkspace Management Console.
342
Enter IP Address Range
OPTION Enter IP Address Range
DESCRIPTION Locates computers to be added by specifying a range of IP addresses. The user enters a starting IP address in the From field and ending one in the To field. The name that is displayed on the vWorkspace Management Console is: Computer_www.xxx.yyy.zzz (which is the address range entered.)
Power Management
The power states of non-power managed computers that can be manipulated with vWorkspace are: Stand By Machines are partially powered down to save energy, and only critical components received power.
343
Wake Up Only for machines that are configured to listen for Wake on LAN (WOL) packets, the Connection Broker sends the machine a WOL packet. Shut Down OS Gracefully shuts down the guest operating system in the same way as using the Shut Down function in Windows. Restart OS Same as the Restart option in Windows. Log Off User Logs the user off in a graceful manner. The user is prompted to save any unsaved data. Reset Session Closes all programs that are running and deletes the session from the server that is running Terminal Services. This can be used if a session is not functioning correctly, or if the session has stopped responding.
344
19
vWorkspace Client
vWorkspace Client Overview vWorkspace Client Interfaces vWorkspace Client Packages vWorkspace Client Configuration Multiple Monitor Support Manage AppPortal Connections
vWorkspace Client Overview

The following sections describe the process of connecting to managed applications and desktops in a vWorkspace infrastructure. Users have the option of either connecting to full-featured desktops or individual applications based upon administrative setup. These items are discussed in greater detail in the following section: vWorkspace Client Interfaces vWorkspace Client Packages vWorkspace Client Configuration
vWorkspace Client Interfaces

There are two primary interfaces available, AppPortal and Web Access.
About the AppPortal Interface

The AppPortal is a version of the vWorkspace client with an intuitive, interactive user interface shell allowing users, upon successful authentication, to receive a list of authorized desktops and applications in a vWorkspace infrastructure. Users can subsequently start remote connections to published desktops and applications by selecting the corresponding shortcuts. AppPortal can also be started in Desktop-Integrated mode where the user interface shell is suppressed and it appears in the Windows system tray. Application icons shortcuts are placed on the users Desktop, Start Menu, or All Programs menu, depending on preferences.
346
vWorkspace Client
The AppPortal must be installed and configured before users are able to connect to their vWorkspace infrastructure.
About Web Access

Web Access vWorkspace client allows users to retrieve their list of allowed applications or desktops using a web browser. A Web Interface web server must be available to use this interface.
vWorkspace Client Packages

The vWorkspace client is supported on 32-bit Windows computers, laptops, and XP embedded thin client terminals, and is available in various client packages for download from the Quest vWorkspace Web site.
347
Quest vWorkspace also offers a full-functioning version of the vWorkspace Client for Windows CE 5.0 for use on Windows CE based thin client terminals. To enable thin client users to connect to a vWorkspace enabled infrastructure, Windows-based terminal manufacturers must embed the vWorkspace Client on to their devices. The vWorkspace packages available are: VASCLIENT32 Includes AppPortal and the Web Access. VASCLIENT32T Includes the Web Access, but not the AppPortal.
About the VAS Client 32

This package is available in the following formats: VASCLIENT32.exe MSI installation with EXE bootstrapper. An MSI engine (2.0 or higher) must be installed on the target client workstations. VASCLIENT32.msi MSI installation without the EXE bootstrapper. An MSI engine (2.0 or higher) must be installed on the target client workstations. VASCLIENT32.cab CAB installation for automatic deployment via the Web Interface.
About the VAS Client 32T

This package is available in the following formats, and does not include the AppPortal interface: VASCLIENT32T.exe MSI installation with EXE bootstrapper. An MSI engine (2.0 or higher) must be installed on the target client workstations. VASCLIENT32T.msi MSI installation without the EXE bootstrapper. An MSI engine (2.0 or higher) must be installed on the target client workstations. VASCLIENT32T.cab CAB installation for automatic deployment via the Web Interface.
348
vWorkspace Client
vWorkspace Client Executables

The executable file, PNapp32.exe, provides the shell and functionality of the AppPortal interface, forwarding users credentials to the vWorkspace Connection Brokers for authentication, retrieving a list of authorized applications and desktops, and dynamically retrieving the connectivity settings needed to successfully connect to a requested application or desktop. The executable file, PNtsc.exe, establishes the remote connection to applications and desktops that are hosted in the vWorkspace enabled infrastructure, and is included on all packages of the vWorkspace client. It is a modified version of the Microsoft Remote Desktop Connection client, and includes the following enhancements: Seamless Windows connections Session sharing Support for Universal Printing Support for USB Handheld devices
PNTray.exe is an executable that runs from the taskbar when an application or desktop is connected, and is included on all packages of the vWorkspace client. The PNTray provides a context menu for access to various applets used in managing connections, sessions, and printing options. See About the PNTray on page 369 for more information.
vWorkspace Client Configuration

The AppPortal retrieves information about a users published applications, desktops, and other assigned resources available from a vWorkspace infrastructure by communicating with the Connection Broker for the infrastructure. AppPortal must be configured so that it knows how to communicate with the Connection Brokers. This process is referred to as managing or configuring connections.
349
First Time Start Configuration

When a user starts AppPortal for the first time, AppPortal attempts to configure itself automatically. It does this by locating and reading a file named config.xml using the following URL: http://provision.domain_name (domain_name is the DNS domain of the client computer) If a config.xml is not located using the default URL, AppPortal displays a message telling the user to create a new connection.
How to ...
Create a New Farm Connection 1. Start AppPortal from the desktop.
OR
Start | Programs | Quest Software| vWorkspace | vWorkspace Client 2. 3. 4. Select Actions | Manage Connections. The Select Farm window appears. Click Create a new farm, and then click Next. Do one of the following: a) To manually create a farm, select the manual option, and then click Next. The system displays the Connectivity window. See Manage AppPortal Connections for information on completing this process.
OR
b) To download the configuration file, select Download the configuration file from a central server, and then click Next. The New Configuration window appears. c) Complete the following fields on the New Configuration window.
350
Select the Protocol of HTTP, HTTPS, or File. Enter the URL. Verify the File field is config.xml. Select one of the Proxy Server options. Click OK.
vWorkspace Client
5.
Complete any further information on the property windows, and then click Finish. Some information is grayed out and unavailable to be changed.
Multiple Monitor Support

This feature enables desktop sessions to span multiple monitors. Users can have any number of monitors with a total maximum resolution of 4096 x 2048 at 24 bit color. The task bar is confined to the primary monitor, along with the Start menu. Since resolutions can vary by screen, a started application in non-maximized, normal Window mode can open into a nonviewable area of the screen. If you are using applications where you can not maximize or resize the window, or you plan to use mixed resolution, it is recommended that your monitors be the same resolution. Multiple monitor support is setup for the AppPortal client from the Display window by selecting the option Span multiple monitors when in full screen mode. See Display Settings for more information. Multiple monitor support is setup for the Web Access client by selecting the Span multiple monitors when in full screen mode option from the Display Settings window. See Set Display in the vWorkspace Web Access chapter for more information. You also need to select the Quest vWorkspace Remote Desktop Connection Display tab option Span multiple monitors when in full screen mode. To access this setting, use the following path: Start | All Programs | Quest Software| vWorkspace | Remote Desktop Connection
351
Manage AppPortal Connections

AppPortal connections can be created manually by using the following options on the Farm Connection window.
About the Connection Properties

The connection properties for the AppPortal are found in the following tabs on the Farm Connections window: Connectivity Settings Firewall/Proxy Traversal Setting Credentials Settings Display Settings Local Resources Settings User Experience Settings Password Management Settings Desktop Integration Settings Auto-Launch Settings
352
vWorkspace Client
Connectivity Settings
CONNECTIVITY SETTINGS FIELD Location
DESCRIPTION Three separate connection locations are available from the drop-down list. Use Rename to specify the location name, such as Office or Home.
Test Connection PROPERTIES FOR LOCATION
Use to test the connectivity settings for a location.
These settings are used to communicate with the Connection Broker, and are configured separately for each Location. Protocol TCP Port Use either HTTP or HTTPS. Use to specify the port in which the Connection Broker listens on for inbound connection requests.
353
CONNECTIVITY SETTINGS FIELD Connection Brokers
DESCRIPTION Use Add to enter the host name, FQDN or IP address for a Connection Broker. Use the arrow buttons to change the order in which the connections are attempted.
CONNECTION OPTIONS These settings are used to specify secure network communications. Enable NAT Support for Firewall Traversal Use this when vWorkspace enabled Terminal Servers are located behind a firewall that is using Network Address Translation and Alternative Addressing. Use SSL/TLS encryption of RDP session traffic is used. Use this to enter the FQDN or IP address of the Quest vWorkspace SSL Gateway server. This option is only available when Enable RDP over SSL/TLS is selected. PROXY SERVER These settings are used when the vWorkspace client device is located behind a NAT enabled firewall and Socks Proxy Servers are used to gain access to the outside network. Use the default from the system internet settings Enter an address manually Use if the proxy settings are the same as those used by Internet Explorer. Use to indicate the address as entered. The address must be entered in the following format:
Enable RDP over SSL/TLS SSL Gateway Server
proxy_serve_rname:port proxy_serve_rname = host name, FQDN, or IP

address of the Socks Proxy Server.
port = TCP port number the Socks Proxy Server is listening on.
354
vWorkspace Client
Firewall/Proxy Traversal Setting
FIREWALL/PROXY TRAVERSAL SETTINGS FIELD
DESCRIPTION
CONNECTION OPTIONS FOR LOCATION These settings are used to specify secure network communications. Enable NAT Support for Firewall Traversal Use this when vWorkspace enabled Terminal Servers are located behind a firewall that is using Network Address Translation and Alternative Addressing. Use SSL/TLS encryption of RDP session traffic is used. Use this to enter the FQDN or IP address of the Quest vWorkspace SSL Gateway server. This option is only available when Enable RDP over SSL/TLS is selected.
Enable RDP over SSL/TLS SSL Gateway Server
355
FIREWALL/PROXY TRAVERSAL SETTINGS FIELD PROXY SERVER FOR LOCATION
DESCRIPTION
These settings are used when the vWorkspace client device is located behind a NAT enabled firewall and Socks Proxy Servers are used to gain access to the outside network. Use the default from the system internet settings Do not use a proxy server Enter an address manually Use if the proxy settings are the same as those used by Internet Explorer. Use if you do not want to set a proxy server. Use to indicate the address as entered. The address must be entered in the following format:
proxy_serve_rname:port proxy_serve_rname = host name, FQDN, or IP address of the Socks Proxy Server. port = TCP port number the Socks Proxy Server is listening on.
Do not use proxy server for addresses beginning with: Use to list proxy server exclusions. Use semicolons (;) to separate the entries.
356
vWorkspace Client
Credentials Settings
CREDENTIALS SETTINGS FIELD Use Cached credentials
DESCRIPTION Uses credentials from the Windows credentials cache on the client device. To use this option, Enable Credentials Pass-Through (Settings | Authentication) must be enabled.
User Kerberos credentials
Uses the Kerberos authentication protocols. To use this option, the client device must be a member of Microsoft Windows Active Directory domain and the user must log onto the device using their domain user account and password.
357
CREDENTIALS SETTINGS FIELD Use the following credentials
DESCRIPTION Uses the NT LAN Manager authentication protocols. The Username, Password, and Domain information is entered, and the user is not prompted for this information during a connection attempt. The Save credentials (encrypted) option allows the AppPortal to read the cached credentials from disk, and does not prompt users for them. This option is only available if the Use the following credentials option is selected.
Display Settings
DISPLAY SETTINGS FIELD Remote desktop size
DESCRIPTION Sets the remote session window size during a non-seamless window connection.
358
vWorkspace Client
DISPLAY SETTINGS FIELD Colors Display the connection bar when in full screen mode
DESCRIPTION Sets the remote session color depth during a non-seamless window connection. Displays a connection bar when the session is in full screen mode. Pin Connection Bar option disables the connection bars auto-hide feature.
Span multiple monitors when in full screen mode Enable Smart Sizing
Sets the add-on feature to enable multiple monitor display. Smart Sizing is functional when connecting to a Managed Computer. The session screen size and color depth are automatically adjusted to settings in the guest operating system. Enables the remote applications window size and color depth to be dynamically adjusted to match those of the client device, allowing the remote application to have the same look and feel as if it were installed on the client device. This setting also enables session sharing, which allows multiple remote applications to run through a single session, given those applications are installed on the same Terminal Server or Managed Computer.
Display remote applications seamlessly on local desktop
359
Local Resources Settings
LOCAL RESOURCES SETTINGS FIELD Remote computer sound
DESCRIPTION Bring to Local Computer runs sound files in your Remote Desktop session and plays them on your local computer. Leave at Remote Computer runs sound files in your remote desktop session and plays them only on the remote computer. Dont play disables all sound in remote desktop sessions.
360
vWorkspace Client
LOCAL RESOURCES SETTINGS FIELD Keyboard
DESCRIPTION These options apply to Windows shortcut key combinations, such as Alt+Tab. On the local computer configures your connection so that Windows shortcut keys always apply to your local desktop. On the remote computer configures your connection so that Windows shortcut keys always apply to the desktop of the remote computer. In full screen mode only configures your connection so that Windows shortcut keys apply to the remote computer only when the connection is in full screen.
LOCAL DEVICES These settings determine which client side devices are available to the remote applications or desktops. Disk drives Serial ports Printers Local disk drives. Local serial ports. Local printers. Standard Window print drives are used for printing, so the appropriate drivers need to be installed on both the client devices and the remote computer. Smart card connections for authentication. Devices that are attached to a USB port on a client device can synchronize with applications running in a remote session. Remote printing using a single print driver. Enables redirection of copy and paste functionality. Enables support for applications that require the use of a microphone. This option is part of the Experience Optimization Package. See Bidirectional Audio for more information.
Smart cards USB Devices
Universal Printers Clipboard Microphone
361
User Experience Settings
USER EXPERIENCE SETTINGS FIELD Choose your connection speed to optimize performance
DESCRIPTION The options are: Modem 28 Kbps Modem 56 Kbps Broadband (128 Kbps - 1.5 Mbps) LAN (10 Mbps or higher) Custom
362
vWorkspace Client
USER EXPERIENCE SETTINGS FIELD Allow the following:
DESCRIPTION These options are used to create a custom setting: Bitmap caching Desktop background Menu and window animation Show contents of window while dragging Themes Note: Bitmap caching can assist in reducing bandwidth requirements. The other features require additional bandwidth.
Optimizations
These options are used to automatically enable optimizations when logged on to the remote computer: Graphics Acceleration Local Text Echo Multimedia Redirection
Reconnect if connection is dropped
This option allows for automatic reconnection if connection is dropped.
363
Password Management Settings
PASSWORD MANAGEMENT SETTINGS FIELD Server Name or IP Address Port
DESCRIPTION The FQDN or IP address of the Quest vWorkspace Password Management Server. The TCP port to which the Quest vWorkspace Password Management Server has been configured. This is usually 443.
364
vWorkspace Client
Desktop Integration Settings
DESKTOP INTEGRATION SETTINGS FIELD Allow Client Shortcuts on:
DESCRIPTION This option controls where the placement of shortcut icons occurs when the AppPortal is started in Desktop Integration mode: Desktop Start Menu Start Menu \ Programs Note: The placement of shortcuts when either Start Menu or Start Menu \ Programs are selected depends on whether Windows is using the Standard or Classic start menu.
365
Auto-Launch Settings
AUTO-LAUNCH SETTINGS FIELD Auto-Launch Application
DESCRIPTION This option is used to specify applications that are to be launched automatically when AppPortal is started. This option is for AppPortal in desktop integrated mode, or if a farm is connected to automatically at startup. Note: Only the first application found is automatically launched.
366
vWorkspace Client
AppPortal in Desktop Integrated Mode

AppPortal also has an option to be started in Desktop Integrated Mode where the user interface shell is suppressed. Instead, AppPortal runs from the Windows system tray area. Applications icon shortcuts are placed on the users Desktop, Start Menu, or All Programs menu, depending on your settings.
On a Windows XP machine, the placement of shortcuts depends on whether Windows is using the Start menu or Classic Start menu.
How to ...
Start the AppPortal in Desktop Integrated Mode 1. Use one of the following options: Start | All Programs |Quest Software| vWorkspace | AppPortal (Desktop-Integrated)
OR
Start | Run and then type C:\Program Files\ Quest Software\vWorkspace\pnap32.exe/di The AppPortal is an icon on the Windows toolbar status area.
AppPortal Actions Menu Options

The AppPortal Actions menu on the toolbar contains the following commands: Manage Connections Change Current Location Logon as a Different User Change Password Refresh Application Set Close
367
ACTIONS MENU OPTION Manage Connections Change Current Location Logon as a Different User Change Password Refresh Application Set Close
DESCRIPTION Select to start the Farm Connections window to create new or modify existing infrastructure connections. Select when a connection to the currently selected farm needs to be made using different location settings. Select when the user wants to log into the selected farm using a different set of credentials. Select to submit a password change request to the Quest vWorkspace Password Management Server. Select to have the AppPortal update the displayed list of applications in the users application set. Select to exit AppPortal. This option does not close any sessions the user might have to a Terminal Server or a managed computer.
368
vWorkspace Client
AppPortal Settings Menu Options

The Settings menu option located in the toolbar of the AppPortal provides users with access to settings that control how application set icons are displayed and how authentication to the infrastructure is performed.
Display option Multi-column If selected, icons are arranged in multiple columns. The number of columns is automatically adjusted depending on the number of icons and the sizing of the AppPortal window. If selected, text labels associated with each icon is centered below the icon. If selected, large icons are displayed. If selected, the AppPortal window is always placed in front of other application windows. If selected, the AppPortal window moves to the Windows Notification area when minimized. If not selected, a minimized AppPortal window is placed in the Windows taskbar. Restore Default Size Authentication option Enable Credentials Pass-Through If selected, the same credentials used to log on to their client device is used when logging on to their vWorkspace infrastructure. Enabling this feature requires that the user log off their client device and log in again. When AppPortal is started, the users credentials automatically are forwarded to the Connection Broker and the user is not prompted for them again. If selected, the AppPortal window is restored to its initial size.
Center Align Captions Large Icons Always on Top Hide When Minimized
About the PNTray

The vWorkspace system tray applet (PNTray) is available when the AppPortal is started, or when a connection to a managed computer or a managed computer application is active. The PNTray displays in the Windows system tray as the vWorkspace context menu. The commands that are available depend on the
369
AppPortal mode and if there is an active connection.
The following options are available from the vWorkspace section of the PNTray, when the AppPortal is in normal mode: Manage Connections Open Session Status Use this option to view the sessions that are active on Terminal Servers, and the applications that are running in each session. Terminal Server sessions, when selected, can then be changed using the buttons of Disconnect, Logoff, and Full Screen. Applications can be terminated by using Terminate, without logging off from the session. Change Current Location Logon as Different User Change Password Authentication Enable Credentials Pass-Through Refresh Application Set Restore AppPortal Client Close AppPortal Client
The following options are available from the Print-IT section of the PNTray, when the AppPortal is in normal mode: PDF Publisher Options Save PDF File E-mail PDF File
370
vWorkspace Client
Preview before printing Apply Additional Printer Properties Native printer options, such as finishing and stapling are presented when this option is selected.
Client Properties
The following options are available the AppPortal is in Desktop Integrated Mode. This option replaces the Action and Settings AppPortal menu options. See Manage AppPortal Connections for more information on the AppPortal menu options.
FARM CONNECTIONS OPTION Farm Status Location User Shortcuts Exist?
DESCRIPTION The display name of the farm. The connection status. The name of the location settings used to make the connection. The user name that is logged in. If Yes, application set icon shortcuts have been configured. If No, application set icon shortcuts have not been configured.
371
FARM CONNECTIONS OPTION Connect/Refresh Shortcuts Disconnect/Remove Shortcuts Logon as a Different User Change Current Location Change Password
DESCRIPTION Connects or to refreshes a selected farm. Disconnects and removes application set icon shortcuts from the clients Desktop, Start Menu, or Start Menu \ Programs. Allows the user to log on to a selected farm using a different set of credentials. Allows the user to connect to the selected farm using different location settings. Allows the user submit a password change request using the Quest vWorkspace Password Management Server. Presents users with a display listing the name and location of their application set icon shortcuts.
View Existing Shortcuts
372
20
vWorkspace User Sessions
Overview of User Access Manage Terminal Server Sessions User Access Options in the Resources Node
Overview of User Access

Administrators can use the vWorkspace Management Console, Terminal Servers nodes, to view user sessions, Terminal Server sessions, and processes running on the Terminal Servers in the vWorkspace infrastructure to assist with troubleshooting. Administrators can also access vWorkspace user options located in the Resources node of the vWorkspace Management Console. The options include: Additional Customizations (Terminal Server only) Application Restrictions (Terminal Server only) Color Schemes (Terminal Server only) Drive Mappings (Terminal Server only) Environment Variables (Terminal Server only) Host Restrictions (Terminal Server only) Registry Tasks (Terminal Server only) Scripts (Terminal Server only) Time Zones (Terminal Server only) User Policies (Terminal Server and VDI) Client Settings (Terminal Server and VDI) Wallpapers (Terminal Server only)
Manage Terminal Server Sessions

The vWorkspace Management Console can be used by administrators to do the following: View Users Connected to Terminal Servers View Terminal Server Sessions View Client Information for an Active Session View Terminal Server Processes View Terminal Server Applications
374
View Users Connected to Terminal Servers 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Locations node, and then the expand location to which the Terminal Server is located. Highlight the Terminal Servers node. To connect to a specific Terminal Server: a) Double-click on the Terminal Server object. b) Click on the Users tab in the Terminal Servers information pane. 5. To connect to all Terminal Servers: a) Double-click on each Terminal Server object. b) Click on the Terminal Servers node. c) Click on the Users tab in the Terminal Servers information pane. 6. The following information can be viewed:
Server Domain Session User Session ID State The NetBIOS name of the Terminal Server to which the user is connected. The NetBIOS name of the Windows domain to which the users account belongs. The name of the users session as assigned by the Terminal Server. The user account name used to log on to the session. The numerical session ID assigned to the users session by the Terminal Server. The state of the Terminal Server session. The options are: Active Disconnected Idle Down
375
7.
Select a user session. Administrators can perform the following actions:

Disconnect If a session state is active, it can be placed into a disconnected state. Disconnecting a session causes the network connection between the client device and the Terminal Server to be closed, releasing memory and CPU threads. The working state of the session is persisted by writing to the Terminal Servers page file, allowing the user to reconnect to the session, with no loss of data. Send Message Remote Control Reset An administrator can send a message to the selected user if the session is active. An administrator can connect to the users active session, and depending on the policy settings, view and interact with the session. An administrator can reset a session which disconnects the session in a non-graceful way. All unsaved data is lost. Log Off An administrator can gracefully log a user off from a Terminal Server session. The user is prompted to save any unsaved data.
View Terminal Server Sessions 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Locations node, and then the expand location to which the Terminal Server is located. Highlight the Terminal Servers node. To view a session on a specific Terminal Server: a) Double-click on the Terminal Server object. b) Click on the Sessions tab in the Terminal Servers information pane. 5. To view sessions for all Terminal Servers: a) Double-click on each Terminal Server object. b) Click on the Terminal Servers node. c) Click on the Sessions tab in the Terminal Servers information pane.
376
6.
The following information can be viewed:

Domain Session User Session ID State The NetBIOS name of the Windows domain to which the users account belongs. The name of the users session as assigned by the Terminal Server. The user account name used to log on to the session. The numerical session ID assigned to the users session by the Terminal Server. The state of the Terminal Server session. The options are: Active Disconnected Idle Down Type The connection type. The options are: Console RPD ICA Client Name Idle Time Logon Time Comment The NetBIOS name of the vWorkspace client device. The amount of time no activity has occurred between the client and the Terminal Server. The date and time the session was logged on. Not used.
377
7.
Select a user session. Administrators can perform the following actions:

Disconnect If a session state is active, it can be placed into a disconnected state. Disconnecting a session causes the network connection between the client device and the Terminal Server to be closed, releasing memory and CPU threads. The working state of the session is persisted by writing to the Terminal Servers page file, allowing the user to reconnect to the session, with no loss of data. Send Message An administrator can send a message to the selected user if the session is active. Note: The only administrative action allowed for the Console session is Send Message. Remote Control An administrator can connect to the users active session, and depending on the policy settings, view and interact with the session. An administrator can reset a session which ends the session in a non-graceful way. All unsaved data is lost. The session with Session Name of RDP-TCP and Session ID 65536 is the Terminal Servers RDP listening port. The only administrative action allowed is Reset. Log Off An administrator can gracefully log a user off from a Terminal Server session. The user is prompted to save any unsaved data.
Reset
View Client Information for an Active Session 1. 2. 3. 4. 5. 6. 7. Open the vWorkspace Management Console. Expand the Locations node, and then the expand location to which the Terminal Server is located. Highlight the Terminal Servers node. Double-click on the Terminal Server object. Expand the Terminal Server container object. Click on the active session. Click on the Information tab in the information pane.
378
8.

User Name Client Name Client Build Number Client Directory Client Product ID Client Hardware Client Address Client Color Depth Client Resolution The name of the user. The NetBIOS name of the CAS Client device. The vWorkspace internal build number of the vWorkspace client software installed on the client device. The complete directory path to which the vWorkspace client software was installed. The vWorkspace internal identification number of the vWorkspace client software. Not used. The IP address of the vWorkspace client device. The color depth used in the session. The height and width, expressed in pixels, used in the session.
View Terminal Server Processes 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Locations node, and then the expand location to which the Terminal Server is located. Highlight the Terminal Servers node. To view a session on a specific Terminal Server: a) Double-click on the Terminal Server object. b) Click on the Processes tab in the Terminal Servers information pane. 5. To view sessions for all Terminal Servers: a) Double-click on each Terminal Server object. b) Click on the Terminal Servers node. c) Click on the Processes tab in the Terminal Servers information pane.
379
6.

Domain The NetBIOS name of the users Windows domain that owns the process. Processes running in the console session are listed as Unspecified. Session User Session ID Process ID Process The name of the Terminal Server session in which the process is running. The name of the user account that owns the process. The numerical session ID the process is running in, on the Terminal Server. The assigned process ID by the Windows operating system when the process is started. The file name of the process.
7.
Select a user process. Administrators can perform the following actions:

End Process An administrator can end the process. Note: Certain system processes, such as winlogon.exe and lsass.exe cannot be terminated, even by an administrator. Remote Control An administrator can connect to the users active session, and depending on the policy settings, view and interact with the session.
View Terminal Server Applications 1. 2. 3. Open the vWorkspace Management Console. Expand the Locations node, and then the expand location to which the Terminal Server is located. Highlight the Terminal Servers node.
380
4.
To view a session on a specific Terminal Server: a) Double-click on the Terminal Server object. b) Click on the Applications tab in the Terminal Servers information pane.
5.
To view sessions for all Terminal Servers: a) Double-click on each Terminal Server object. b) Click on the Terminal Servers node. c) Click on the Applications tab in the Terminal Servers information pane.
User Access Options in the Resources Node

Additional Customizations
The Additional Customizations node gives administrators control over the configuration of the Windows Desktop and Start Menu, visibility of Terminal Server drive letters, and existing network drive and printer mappings. Default Customizations are a set of customizations configured with settings commonly used in Terminal Server environments, which can be assigned to vWorkspace clients. Default Customizations can not be modified, but they can be duplicated and used to create new customized settings.
How to ...
Create New Additional Customization Settings 1. 2. 3. 4. Open the vWorkspace Management Console. Expand Resources, and then select Additional Customizations. Click on the Toggle Client Assignment List Display button to change the display view, as appropriate. Activate New (green plus sign) from the toolbar of the information pane, or right-click on the Additional Customizations node to activate it. Enter a name for the customization in the Name box on the General tab of the New Additional Customizations Properties window.
5.
381
6.
Select the appropriate setting on the Desktop/Start Menu tab.
7.
To specify the drive letters that should not be visible to users, select Hide Specified Drive Letter on the Drive Restrictions tab, and then click Drive Letters.
382
8.
Select the Network Resources tab and choose Delete pre-existing Network Drive Mappings and Delete pre-existing Network Printer Mappings, as appropriate.
9.
Click OK.
10. Click the Client Assignment tab to assign the application restriciton. 11. Click the plus (+) sign to assign, and the Client Assignment window appears. 12. Select from the list, and then click OK. Use the green plus (+) sign to add clients that are not included in the Client Assignment window. Use CTRL to select more than one client to assign. 13. Click OK to close the window and save your assignments.
Application Restrictions
vWorkspace Application Restrictions is an access control system that allows administrators to increase the overall security, reliability, and integrity of their Terminal Server environments. Some of the advantages include: Guards against application spoofing. Fights against virus infections. Prevents users from executing unauthorized programs.
383
Grants access to applications by time and day. Locks down the Terminal Server.
Installation
The Application Access Control (ACC) module is installed using the vWorkspace installation program, and is a subfeature of Application and Host Restrictions (Block-IT). Application and Host Restrictions (Block-IT) can be installed on a Microsoft Windows Server where Terminal Services, Application Server Mode, has been enabled. Application and Host Restrictions (Block-IT) is not currently supported for vWorkspace Managed Computers.
How Application Restrictions Work

With AAC, a list of program executables and program modules (dynamic link libraries) are organized into an Application List, enabling administrators to grant or deny access to entire software suites, not just individual executables. The Application List is then associated with a group of Terminal Servers, known as an Application Access Control Server group. Additional settings such as application termination, hash checking, and full path checking can also be configured for the Application List. The Application List can then be assigned to one or more vWorkspace clients.
Hash Checking
For each individual executable or module in the Application List, a unique binary hash is computed and stored in the vWorkspace database. A binary hash is like a fingerprint; it is used to verify the authenticity of a program executable at start time. Enabling hash checking prevents users from renaming the files associated with a restricted program. Hash checking can be disabled for a particular Application List. Disabling hash checking is often practical for a systemwide application update. For example, if an update to an application is being installed to one Terminal Server at a time, hash checking can be temporarily disabled until the update has been installed to all the servers and the application version has been made consistent across the entire farm. Once new hashes are computed for the updated program executables, the can hash checking be reenabled.
384
Path Checking
Path checking restricts users from copying files to a new location. Path checking can be disabled for various purposes. For example, if the same application is installed to different target folders on different Terminal Servers, full path checking may fail depending on which Terminal Server the user logs on to. However, this particular scenario can be mitigated by maintaining multiple file groups for the same application, where each file group is associated with a particular target folder.
Termination
You can choose to automatically terminate applications if they are still running outside of the access hours, even if they were started during an allowed time slot.
Application Restrictions Properties

Use Application Restriction properties to configure infrastructure settings and defaults for application restrictions. These settings are explained below.
385
APPLICATION RESTRICTION Application restrictions update interval (minutes) Deny access to unmanaged apps, as well as apps belonging to conflicting file groups
DESCRIPTION This property determines the intervals at which the vWorkspace client checks for possible changes to application restrictions. If selected, this property allows access only to those applications and desktops that are published and on Terminal Servers, OR Have been defined on the Application List with a permission of Allow. If an application is listed twice with different permissions (allow and deny), users are denied access to the application.
Set Deny Message
This property allows administrators to edit the message that appears when a user is denied access to a program. This property allows administrators to configure the default assignment when creating new Application List entries. The options are Allow or Deny.
Default assignments
Hash settings
This property determines the default setting for hash checking when creating new Application List entries. The options are Unconfigured, Use Hash, or Ignore Hash.
Path settings
This property determines the default setting for path checking when creating new Application List entries. The options are Unconfigured, Use Full Path, or Ignore Full Path.
Application Access Control Server Groups

Application Access Control Server Groups define a group of one or more Terminal Servers in the vWorkspace infrastructure to which Application Restrictions are applied. To start this tool, click Edit Application Restrictions Server Groups found on the toolbar of the information pane when the Application Restrictions node is selected.
386
APPLICATION ACCESS CONTROL SERVER GROUPS PROPERTIES Add Group Remove Group Group
DESCRIPTION
This button adds a new group name to the list of groups. This button removes a group of servers. The name of the defined server groups are listed. To edit, select the group name, and then click the ellipses.
Servers in Group
The names of the Terminal Servers that are members of the group are displayed. To edit, select the group of servers, and then click the ellipses.
Properties of an Application Restriction

Each Application Access Control entry is displayed in the vWorkspace Management Console in the details window pane of the Application Restrictions node. To create a new Application Access Control entry, use the New Application List tool by selecting the New located on the toolbar of the information pane, or from the context menu. To edit the properties of an existing entry, double-click on its name in the list of Application Restrictions, or select Properties from the context menu. The layout and controls available on the windows are the same for both functions.
387
APPLICATION RESTRICTIONS PROPERTIES Category
DESCRIPTION This field is used to group multiple applications into a single category. For example, if an accounts payable, accounts receivable, and payroll applications are written as separate programs, they can be grouped into a category of Accounting.
Application List Name Description
This field is the user friendly name for the application. This field is used to provide descriptive details about the application restriction being created. This field is optional.
Server Group
This field is for the Application Access Control Server Group to which the Application Restriction is assigned.
388
APPLICATION RESTRICTIONS PROPERTIES Automatically terminate application(s) if still running outside access hours Ignore Hashes
DESCRIPTION This checkbox, if selected, terminates applications that are running outside of the access hours. SeeTermination for more information. This checkbox, if selected, does not use hash checking. See Hash Checking for more information.
Ignore Full Paths
This checkbox, if selected, does not use full path checking. See Path Checking for more information.
Application List This section identifies which files are to be associated with the Application Restriction. Show Full Paths Add Files Add Folder Remove This checkbox, if selected, displays complete paths to the listed files. This button adds files to the list. This button adds all files contained in the folder. This button removes files that are selected from the listed files.
Assign an Application List to Clients

Each Application List entry has an Client Assignment that determines which vWorkspace clients are assigned to the Application List. To modify the client assignment of an Application List, use the Client Assignment section of either the New Application List tool, or edit the Properties of the Application List entry.
How to ...
Assign Clients to the Client List Unassign Clients from the Client List View Client Properties Schedule Access Hours
389
Assign Clients to the Client List 1. 2. Click the + from the toolbar of the Application Restrictions information window pane. Select from the list of available clients on the Select Clients window. Use Ctrl or Shift to make multiple selections.
Unassign Clients from the Client List 1. 2. Click the - from the toolbar of the Application Restrictions information window pane. Select from the list of available clients on the Select Clients window. Use Ctrl or Shift to make multiple selections.
View Client Properties 1. Click on Client Properties to view details about the selected client.
Schedule Access Hours 1. Click on the Schedule icon to edit Application List access.
A separate schedule can be defined for each client in the list. Schedule options include:
Allow All Deny All Edit Schedule Select this option to allow unlimited access to the Application List Select this option to deny unlimited access to the Application List. Select this option to specify the exact hours of the days and the days of the week to allow access to the Application List.
390
Color Schemes
A Windows color scheme can be assigned to vWorkspace clients by administrators. The color scheme is used when connecting to applications or desktops hosted from vWorkspace enabled Terminal Servers.
How to ...
Assign a Color Scheme 1. 2. 3. 4. Open the vWorkspace Management Console. Expand Resources, and then select Color Schemes. Click on the Toggle Client Assignment List Display button to change the display view, as appropriate. To select a color scheme, and do one of the following: a) Right-click on the color, and then select Assign to. b) Click the Assign to icon (the icon with the blue circle and a white plus sign) from the toolbar. Color schemes are listed in alphabetical order. 5. 6. Add or remove clients in the Select Clients window. Click OK.
Drive Mappings
Administrators can assign network drive mappings to vWorkspace clients for use when they are connecting to applications and desktops hosted from vWorkspace enabled Terminal Servers. Assigning drive mappings through the vWorkspace Management Console has the following advantages: Domain administrative rights are not required. Knowledge of scripting languages or command line syntax is not required. Drive mappings are only applied when connecting to vWorkspace enabled Terminal Servers and do not take effect when connecting to other computers. More flexibility in how mappings are assigned.
391
How to ...
Create a New Drive Mapping 1. 2. 3. Open the vWorkspace Management Console. Expand Resources. Do one of the following: a) Select Drive Mappings, and then activate the New Drive Mappings command by clicking + on the toolbar in the information pane. b) Right-click Drive Mappings, and select New Drive Mappings.
4.
The properties associated with drive mappings are listed below:

Mapping Type Use NET USE when creating a traditional network drive mapping. Use SUBST when a drive letter substitution is required. Network Path The Universal Naming Convention (UNC) path to the shared network resource. The letter to be used for mapping.
Drive Letter
392
Use Alternative Credentials
Use if specific credentials are required and are different from those of the user. Note: This option is not available if the Mapping Type is set to SUBST.
Client Assignments tab
Use to assign or unassign mapping to vWorkspace clients.
Environment Variables
Administrators can assign environment variables to vWorkspace clients when connecting to applications or desktops hosted from vWorkspace enabled Terminal Servers. These environment variables are created automatically when the users session is logged on, and are cleared when the user logs off.
How to ...
Create a New Environment Variable 1. 2. 3. Open the vWorkspace Management Console. Expand the Resources node. Do one of the following: a) Select Environment Variables, and then select the New Environment Variables command by clicking + on the toolbar in the information pane. b) Right-click on Environment Variables, and then select New Environment Variables. 4. The properties associated with environment variables are listed below:
Name Value Client Assignments tab The name for the environment variable. The desired value for the environment variable. Use to assign or unassign environment variables to vWorkspace clients.
393
Host Restrictions
The Host Restrictions tool allows administrators to assign access control rules to restrict user access to IP based network hosts. Host Restrictions work at the network layer, intercepting requests from applications to connect to particular IP addresses on particular TCP ports. The Host Restrictions allows or denies connections by parsing the access control rules table maintained in system memory. Host Restrictions rules apply only to those specified by the administrator; they do not apply to all program executables running on the Terminal Server.
How to ...
Create Host Restrictions 1. 2. 3. Open the vWorkspace Management Console. Expand the Resources node, and then select Host Restrictions. Select + on the toolbar in the information pane, or the context menu of the Host Restrictions node.
394
4. 5. 6. 7.
Use the drop-down list to select a Category on the General tab on the New Host Restriction Properties window. If the restriction is by host name or FQDN, select Name as the Host Type, and enter the host name or FQDN in the Host Name box. If the restriction is by IP address, select IP Address as the Host Type, and enter the target IP address in the Host IP Addr: box. Enter the port or ports to be used in the Ports box. Separate multiple port numbers with commas, a hyphen for a range of ports, and an asterisk (*) for all ports.
8.
If the Host Type is Name and the IP address or addresses associated with the name are known, click Add and enter the IP address on the Enter IP Address window. Repeat as needed. If the Host Type is Name and the IP address or addresses associated with the name are unknown, click Resolve to IP Address(es), and then select Auto-Resolve to repeat name resolution.
9.
10. Click Apply. 11. Select the Client Assignments tab to assign the restriction. 12. Click OK. Modify Host Access Applications 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Resources node, and then select Host Restrictions. Click the Toggle Client Assignment List Display icon on the toolbar of the information pane to change the view, as appropriate. Click the Edit Host Restrictions Applications icon on the toolbar of the information pane.
5.
Enter a file name for the executable of the application in the Executable Name box on the Host Access Control Applications window, and then click Add. Repeat the above step as appropriate to add all executables. Click OK.
6. 7.
395
Registry Tasks
The Registry Tasks tool allows administrators to add, delete, or modify registry keys in the HKEY_CURRENT_USER registry hive without manually loading and editing each users ntuser.dat registry hive, or writing complex registry editing scripts.
The vWorkspace Management Console should be started from a Terminal Server when working with Registry Tasks. A non-Terminal Server computer may not have the registry keys and hives that need to be manipulated.
How to ...
Modify a Registry Tasks Key 1. 2. 3. Open the vWorkspace Management Console. Expand the Resources node, and then select Registry Tasks. Click the Toggle Client Assignment List Display icon on the information pane to change the view, as appropriate.
396
4.
Select + on the toolbar of the information pane, or the context menu of the Registry Tasks node.
5. 6. 7. 8. 9.
Type a description in the Description field on the General tab of the New Registry Task window. Select the appropriate task, Add Key or Delete Key, in the Action section. Navigate to the appropriate key or subkey in the Browse for Registry Key or Value section. If you are adding a key, enter the name in the Key field. Click Apply.
10. Select the Client Assignments tab, and use Assign or Unassign to select the appropriate vWorkspace clients. 11. Click OK. Modify a Registry Tasks Value 1. 2. Open the vWorkspace Management Console. Expand the Resources node, and then select Registry Tasks.
397
3. 4. 5. 6. 7.
Click the Toggle Client Assignment List Display icon on the information pane to change the view, as appropriate. Select + on the toolbar of the information pane, or the context menu of the Registry Tasks node. Type a description in the Description field on the General tab of the New Registry Task window. Select the appropriate task, Add Value or Delete Value, in the Action section. Navigate to the appropriate key or subkey in the Browse for Registry Key or Value section. a) If you are deleting a value, select it from the list, and then click OK. b) If you are adding a value, enter the name in the Value Name box. c) If you are modifying an existing value, select the value from the list of values in the right-hand pane, and then change the Value Name, Value Type, or Value boxes as appropriate.
8. 9.
Select the type of registry value from the Value Type box, and then click Apply. Select the Client Assignments tab, and use Assign or Unassign to select the appropriate vWorkspace clients.
10. Click OK.
Scripts
Scripts are files that are used to automate repetitive tasks. They can be simple text files or more complex written in a specific programming language. vWorkspace administrators can easily assign scripts to vWorkspace clients using the Scripts option in the vWorkspace Management Console. Some advantages include: Administrators do not need to have domain administrative rights. Editing the registry on each Terminal Server is not necessary. Modifying the usrlogon.cmd command script on each Terminal Server is not necessary. Use any Windows executable to write the script, such as bat, cmd, or exe. Increased flexibility and control over how the scripts are assigned.
398
The following considerations should be used when working with scripts on vWorkspace enabled Terminal Servers: It is best to use a singe method to start the script. Troubleshooting can be difficult if scripts are started using different methods. The scripts used in the vWorkspace Management Console and scripts started using other methods should not interfere with each other. The simplest form of a script should be used for the task. Do not write a complex script to carry out a task that can be accomplished using a command line script.
How to ...
Assign a Script 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Resources node, and then select Scripts. Click the Toggle Client Assignment List Display icon on the information pane to change the view, as appropriate. Do one of the following: a) Click the + on the toolbar of the information pane. b) Right-click on the Scripts node, and then select New Script. 5. 6. 7. Type the complete path and file name in the Script box on the New Script Properties window, or use the ellipses to browse to the script. Select the Client Assignments tab and add or remove clients as appropriate. Click OK.
Time Zones
A date and time stamp that is placed on opened files, messages, and scheduled meetings is based upon an application location, which can be a Terminal Server in a time zone that is different from the user. The Time Zones tool allows administrators to assign appropriate time zones to users.
How to ...
Assign a Time Zone 1. 2. Open the vWorkspace Management Console. Expand the Resources node, and then select Time Zones.
399
3. 4. 5.
Click the Toggle Client Assignment List Display icon on the information pane to change the view, as appropriate. Select the appropriate time zone from the alphabetical list. Do one of the following: Right-click on the time zone and select Assign to.
OR
Click the Assign to icon (the icon with the blue circle and a white plus sign) from the toolbar in the information pane. 6. 7. Add or remove users in the Select Clients window. Click OK.
User Policies
The User Policies tool provides a way for vWorkspace administrators to better control user desktop environments connected to Terminal Servers. The following settings can be controlled with User Policies: Windows Components Windows Explorer, and Help and Support Center Start Menu and Taskbar Control Panel and Display System Ctrl+Alt+Del options and Logon
The Properties option of User Policies allow administrators to select which policy template is used to create new user policies. Two user policies are provided with vWorkspace, Default Admin and Default User, which contain settings that are commonly implemented for administrators and users. These policies can be modified and duplicated as appropriate. vWorkspace administrators can also add new policy templates.
How to ...
View User Policies Properties Create User Policies Modify User Policies
View User Policies Properties 1. 2. 3.

400
Open the vWorkspace Management Console. Expand the Resources node. Right-click User Policies, and then select Properties.
4. 5.
Select the policies that are to be used as the default templates for new user policies. Click Policy Templates to import or remove policy templates.
Create User Policies 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Resources node, and then click User Policies. Click on the Toggle Client Assignment List Display button in the information pane to change the display view, as appropriate. Select + on the toolbar of the information pane, or right-click on User Policies, and then select New User Policy.
5. 6.
Enter a Name for the new user policy on the General tab of the Properties window. Select the appropriate policy settings on the Policy Settings tab. The boxes associated with each setting are three-way toggles; checked enables the setting, unchecked disables the setting, gray indicates the setting is not influenced by this policy.
7.
Select the Templates tab and click Policy Templates, and then select Import, Remove, or Rename policy templates.
401
8. 9.
Select the Client Assignments tab to Assign or Unassign the user policies. Click OK.
Modify User Policies 1. 2. 3. 4. 5. Open the vWorkspace Management Console. Expand the Resources node, and then click User Policies. Click on the Toggle Client Assignment List Display button on the information pane to change the display view, as appropriate. Double-click the policy that is to be modified. Change the entries, as appropriate, on the Policy Settings tab in the General tab. The boxes associated with each setting are three-way toggles: checked enables the setting, unchecked disables the setting, gray indicates the setting is not influenced by this policy. 6. 7. 8. Select the Templates tab and click Policy Templates, and then select Import, Remove, or Rename policy templates. Select the Client Assignments tab to Assign or Unassign the user policies. Click OK.
User Profiles
User Profiles (MetaProfiles-IT) is an alternative to roaming profiles. User Profiles eliminate potential profile corruption and accelerates logon and logoff times by combining the use of a mandatory profile with a custom persistence layer designed to preserve user profile settings between sessions. See User Profiles for more information.
Client Settings
Client settings are used to define automatic device connection and optimizations when users log on to a remote computer. Client settings can be configured and assignments and permissions defined. Client settings are set to Undefined by default. The following properties and settings are defined on the Client Settings Properties window.
402
CLIENT SETTING PROPERTY Name
OPTIONS This name is used for organizational purposes and is displayed on the vWorkspace Management Console. Undefined Bring to Local Computer Do Not Play Defer Setting to End USer
Remote Computer Sound
Local Devices Disk Drives Undefined Yes No Defer to End User
403
CLIENT SETTING PROPERTY Printers
OPTIONS Undefined Yes No Defer to End User
USB Devices
Undefined Yes No Defer to End User
Serial Ports
Smart Cards
Universal Printers
Clipboard
Microphone
Optimizations Graphics Acceleration Undefined Yes No Defer to End User 404
CLIENT SETTING PROPERTY Local Text Echo
OPTIONS Undefined Yes No Defer to End User
How to ...
Define Client Settings Properties 1. 2. Open the vWorkspace Management Console. Expand the Resources node, and do one of the following to open the Client Settings Properties window: 3. 4. 5. Highlight Client Settings and click New (green + sign) on the information pane. Highlight Client Settings and click New Client Settings from the toolbar of the navigation pane. Right-click on Client Settings and select New Client Settings.
Enter a name for these settings. The name is for administrative purposes, and is displayed on the vWorkspace Management Console. Select the settings, as appropriate, and then click Apply. Click OK to close the window.
Wallpapers
A Windows wallpaper can be assigned to vWorkspace clients by administrators. The wallpaper is used when connecting to applications or desktops hosted from vWorkspace enabled Terminal Servers.
How to ...
Assign Wallpapers 1. 2. Open the vWorkspace Management Console. Expand Resources, and then select Wallpapers.
405
3. 4.
Click on the Toggle Client Assignment List Display button on the information pane to change the display view, as appropriate. To select a wallpaper, do one of the following: a) Right-click on the style, and then select Assign to. b) Click the Assign to icon (the icon with the blue circle and a white plus sign) from the toolbar.
5. 6.
Add or remove clients in the Select Clients window. Click OK.
Change Wallpaper Properties Wallpaper properties are available via their context menu. 1. 2. 3. 4. Open the vWorkspace Management Console. Expand Resources, and then select Wallpapers. Right-click on the selected wallpaper, and select Properties. Change the property as appropriate.
Wallpaper Full Path The full path and file name of the wallpaper. Note: Each Terminal Server must have a copy of the bit-mapped image file for the defined wallpapers. It needs to be in the same location as the one displayed here. Three options: Centered Tiled Stretched Client Assignments tab A list of vWorkspace clients to whom the wallpaper is assigned. You can assign or unassign wallpaper from this list.
Default Style
406
Add New Wallpaper 1. 2. 3. Open the vWorkspace Management Console. Expand Resources. Right-click on the Wallpaper node, and then select New Wallpaper.
OR
Select the green plus sign (+) from the toolbar.
407
408
21
User Profiles
Overview of User Profiles User Profiles Properties Configure User Profiles Mandatory User Profile Define User Profiles
Overview of User Profiles

Quest vWorkspace User Profiles (MetaProfiles-IT) is an alternative to roaming profiles. User Profiles eliminate potential profile corruption and accelerate logon and logoff times by combining the use of a mandatory profile with a custom persistence layer designed to preserve user profile settings between sessions. The following is a list of the features and benefits of User Profiles: Assign User Profiles for both Terminal Servers and computer groups. Combines the persistence of a conventional roaming profile with the speed and robustness of a mandatory profile. Achieves unprecedented logon speeds and stability levels (time to load mandatory profile + 1- 2 seconds). Multiple profile data sets per user account to satisfy multi-farm and server silo requirements. Data sets can include HKCU registry subkeys and special folders. Data sets can be merged into mandatory profiles, synchronously or asynchronously. Data set sizes are typically around 50-200KB. Users do not require access permissions to the file servers storing the data sets. Temporarily use with local or roaming profiles, which is useful if current profiles contain user settings that must be preserved upon permanently switching to mandatory profiles. No scripting required. Relies on Windows events such as Logon, Logoff, Connect, and Disconnect. Database driven management console.
User Profiles may be temporarily used in conjunction with existing local and roaming profiles until the relevant data has been completely exported from these profiles. Users whose data has been exported can then be reconfigured to use a mandatory profile. User Profiles is a subfeature of Power Tools for Terminal Servers and is only available for both Terminal Services (Application Server Mode) is installed on a Windows server, and VDI environments.
410
User Profiles
User Profiles is also a subfeature of PNTools for the Managed Desktop. See PNTools for more information on installation.
How User Profiles Work

The following describes how User Profiles simulates roaming profiles during user logon and logoff. 1. User accounts are reconfigured to use a small-size mandatory profile. This mandatory profile is typically stored locally on each Terminal Server. One or more file servers are designated as storage servers for storing user data sets, subset of HKCU and non-redirected shell folders. These file servers run a very low overhead service dubbed the User Profiles Storage Service. All Terminal Servers must run the User Profiles Agent Service. A Terminal Server running the Agent Service is typically referred to as an Agent Server. Using the vWorkspace Management Console, the administrator specifies all the relevant HKCU subkeys and non-redirected special folders that must persist from one logon to the next. Additional properties are also set to specify the scope of the subkey or folder to either Global or Silo specific. When a user logs off, the User Profiles Agent Service exports all the relevant subkeys and folders specified by the administrator. The Agent Service then compresses the exported data and sends one or two compressed files (global, silo, or both) to the Storage Server. When a user logs on again, the Agent Service requests the previously exported data from the Storage Server. It then decompresses the data and merges the subkeys and folders into the mandatory profile. Compressed files are stored on the Storage Server and named according to the users account SID.
2.
3.
4.
5.
6.
7.
User Profiles Properties

User Profiles Properties are used to define such things as storage servers, assign compression levels, define silos, and assign permissions to users so that they can be allowed to or denied access to adding, modifying, or deleting User Profiles.
411
User Profile properties can be configured after components have been installed on the appropriate servers. User Profiles can be accessed by expanding the Resources node of the vWorkspace Management Console. Then, the Properties menu option is available one of the following ways: Highlight User Profiles and click on the Properties icon in the toolbar. Right-click on User Profiles and select Properties.
The following is a list of properties that can be configured. General Storage Servers Silos Permissions
General
412
User Profiles
GENERAL PROPERTY Compression Level
DESCRIPTION The level of compression used when storing user profile element data to the storage server. The options are: High Medium Low None
Log Level
The level of logging that takes place inside of the profile. The options are: Detailed Basic
Refresh Interval
The interval, in minutes, that checks are made for User Profiles configuration changes.
Storage Servers
A Storage Server is a Windows file server running the Quest vWorkspace User Profiles Storage Service. This service receives and stores the users compressed data subset from the Quest vWorkspace User Profiles Agent service running on the Terminal Servers when the user logs off. It also retrieves the users compressed data subset and sends it to the Quest vWorkspace User Profiles Agent service when the user logs on. The User Profiles data subsets are typically in the range of 50 to 200 KB per user. User Profiles Storage Service should be installed on a Windows server that is configured and optimized as a file server. This service is unavailable for installation if the vWorkspace installation program detects that Terminal Services (Application Server Mode) is installed on a Windows server. The Quest vWorkspace User Profile Storage Service is listed under Peripheral Server Extensions in the list of features during setup.
413
STORAGE SERVER PROPERTIES Server Name
DESCRIPTION The NetBIOS name of the computer which vWorkspace User Profile Storage Service has been installed. Note: The storage server name can not include: , \ * + = | : ; ? < > " <space>.
Base Folder
The root or base folder where the user profile element data is stored. The specified folder is created if it does not already exist. Default value is C:\MetaProfiles.
Global Folder
The name of the folder where the profile elements defined as global is copied. This folder is created as a subfolder of the Base Folder. Default is Global.
TCP Port
The TCP listening port that the vWorkspace User Profile Storage Server is configured to listen on. Default value is 80.
414
User Profiles
Silos
A silo is a logical group of Terminal Servers that have a common role or purpose, and have User Profiles installed on them. Exportable registry subkeys and shell folders can be marked for the Scope of either Global or Silo specific. If registry subkeys and folders are only located on a few specified servers, then those servers should be grouped together into a single silo, the registry subkey should be marked Silo. For example, if Microsoft Office is only installed on some Terminal Servers in the farm, then it makes sense to only import and export the registry subkey HKCU\Software\Microsoft\Office when users access those servers. Or, if registry subkeys and folders are located on every server, such as if Adobe Acrobat Reader is installed on all the Terminal Servers, then it makes sense to always import and export the registry subkey HKCU\Software\Adobe\Acrobat Reader and select Global as the Scope.
Before a Terminal Server can participate in a silo, the User Profiles component must be installed on the server.
Silo properties can be edited from the User Profiles | Properties option, as well as from an individual User Profile by using the Edit Silos button.
415
Permissions
Permissions enable administrators to allow or deny actions for activities within the vWorkspace Management Console. Users and groups of users who are selected as system administrators have implicit allow permissions for all actions, and may add and remove other system administrators. See Administration for more information on using permissions.
Configure User Profiles

The following items must be configured to use User Profiles: User Profiles Properties Mandatory User Profile Mandatory User Profile
How to ...
Configure User Profiles Properties 1.
416
Open the vWorkspace Management Console.
User Profiles
2. 3.
Expand the Resources node, and then highlight User Profiles. Do one of the following to open the User Profiles Properties window: Right-click on User Profiles and select Properties. Highlight the User Profiles option, and then select the Properties icon from the toolbar.
4. 5.
Define the Compression level, Log level, and Refresh interval as appropriate on the General window and then click Next. Define Storage Servers by clicking New on the Storage Server window and then do the following: a) Enter a name for the Storage Server, and then click OK. b) Click in the columns on the ellipses to change the Base Folder, Global Folder, and TCP Port settings. Base Folder is to where the profiles are saved. It should be a local path on the server. Global Folder is the name of the folder for Global settings/profiles. TCP Port is set to 80 as the default, but it is recommended that it be changed.
6.
Setup Silos by clicking New on the Members window, and then do the following: a) Click Next on the Welcome window of the Silo wizard.
417
b) Enter a name for this silo group, and then click Next. c) Click Add Terminal Servers or Add Computer Groups to define the silo. Select the appropriate Terminal Server or computer group from the Select window, and then click OK. Terminal Servers and computer groups can only be added to one silo at a time. d) Click Next on the Members window. e) Select the User Profile Storage Server from the list, and then click Finish. The silo you just added appears on the list. f) Click Next on the Silos window.
7.
Specify Permissions, as appropriate, and then click Finish.
Mandatory User Profile

It is recommended that you use mandatory user profiles in conjunction with User Profiles. When creating a mandatory user profile, consider the following:
418
Use a specialized local or domain user account for purposes of profile management.
User Profiles
Create the mandatory user profile in which users are logging in to on one of the Terminal Servers. Make the mandatory user profile as generic as possible. Use the User Profiles, Manage-IT, and other management features within the vWorkspace Management Console to control user profiles. Remember to rename ntuser.dat to ntuser.man to make the HKCU registry hive mandatory (read-only). Use the System Control Panel applet to copy the mandatory user profile to the target Terminal Servers and set Permitted to Use to Everyone. Add a MAN extension to the root folder name of the mandatory user profile to make it read-only (use folder redirection user profile elements with User Profiles to give users write access to needed folders). Assign the mandatory user profile to the appropriate user accounts in Active Directory.
Assign Mandatory User Profiles

After the mandatory profile has been created and copied to all servers in the Terminal Server group, it then must be assigned to the appropriate user accounts. When specifying the profile path keep the following in mind: The path should be expressed as a local file system path, not a UNC path. Variables such as %SystemDrive% can be used. Do not add the user account name or %username% at the end of the path. Use the Terminal Services Profile tab rather than the Profile tab of User Properties. Path cannot be set using Active Directory Group Policy as it requires using a UNC path and automatically appends %username% to end of path.
How to ...
Modify a Users Profile Path in Active Directory 1. 2. 3. Open Active Directory Users and Computers MMC snap-in. Locate the user object that is to be modified using Browse or Find. Right-click on the user object, and then select Properties.
419
4.
Click on the Terminal Services Profile tab. The Terminal Services Profile path can be set via Active Directory Group policy if the domain controllers are Windows Server 2003 Service Pack 1 and appropriate hotfixes have been applied.
5. 6.
In the Profile Path box, enter the local file system path to the mandatory user profile. Click OK.
Visual Basic scripting can be used to automatically modify the profile path for existing users. The sample below is from Microsoft TechNet Script Center Library.
Define User Profiles

User Profile Elements determine which keys in the HKEY_CURRENT_USER registry hive are exported and saved on the User Profile Management Storage Server. Normally, when using a mandatory user profile, a user or applications being used can not save changes to ntuser.man, the file that makes up the users HKEY_CURRENT_USER registry hive. User preferences and other user specific application settings are not saved. However, the user and applications being used by the user can modify any of the keys that have been exported. It is important for the vWorkspace administrator to accurately determine all the HKEY_CURRENT_USER keys the user might need to modify, and then define them as User Profile Elements to be exported. Each User Profile element has properties associated with it, as follows.
420
User Profiles
USER PROFILE ELEMENT PROPERTY Category Type Registry Key/Special Folder Logon Processing
DESCRIPTION The user definable name used to associate one or more elements with each other. The User Profile element being configured as a Registry Key or a Special Folder. The input box used to specify which registry key or special folder is to be exported. If this setting is Synchronous, all elements must be retrieved and merged before the users Window desktop is presented. If this setting is Asynchronous, not all registry keys, files, and folders need to be present prior to the presentation of the users Window desktop.
421
USER PROFILE ELEMENT PROPERTY Scope
DESCRIPTION This setting specifies if the User Profile element is applied on a Global or a Silo basis. Global is all Terminal Servers in the vWorkspace infrastructure. Silo is only those that are members of a specified Terminal Server group. If Silo is selected, a Silo input box appears. See User Profiles Properties for more information on defining Silos.
How to ...
Define a Registry Key in User Profiles 1. Open the vWorkspace Management Console from the desktop of a Terminal Server that is known to have the appropriate body of registry keys. Expand the Resources node, and then select the User Profiles. Select New User Profile from the context menu of User Profiles, or click the New icon, which is the green plus sign (+) in the information pane toolbar. Type a new Category name or select an existing one from the list. This is used only for organization within the console. 5. 6. 7. 8. In the Type box, make sure Registry Key is selected. Type the desired Registry Key path and name or use the registry icon to browse to it. Select Asynchronous or Synchronous in the Logon Processing field. Select Global or Silo in the Scope box. If Silo is selected, use the Silo box to identify the group that will use this profile element or Edit Silos to add a new silo. See User Profiles Properties for more information on adding silos.
2. 3.
4.
422
User Profiles
9.
To assign this User Profile to a user, complete the Client Assignments tab as appropriate.
10. To assign permissions to this User Profile, complete the Permissions tab as appropriate. 11. Click OK to save your changes and close the window, or click Apply to save your changes and move to another tab.
Define Special Folder User Profiles

Special Folder User Profiles determine which folders within the users profile are exported and saved on the User Profile Storage Server. As with registry keys, any folders or applications being used need change permissions to be exported. This mechanism offers control over a broader selection of folders, and higher levels of compression for increased performance and reduced storage requirements.
423
How to ...
Define a Special Folder User Profile Element 1. Open the vWorkspace Management Console from the desktop of a Terminal Server that is known to have the appropriate body of registry keys. Expand the Resources node, and then highlight the User Profiles node in the navigation pane. Select New User Profile from the context menu of User Profiles, or click the New icon, which is the green plus sign (+) in the information pane toolbar. Type a new Category name or select an existing one from the list. In the Type box, make sure Special Folder is selected. Type the desired Special Folder path and name, or use the folder icon to browse to it. Select Global or Silo in the Scope box. If Silo is selected, use the Silo box to identify the group that will use this profile element or Edit Silos to add a new silo. See User Profiles Properties for more information on adding silos 8. To assign this User Profile to a user, complete the Client Assignments tab as appropriate. a) Click the green plus (+) button. The Select Groups window appears. To add a group, do the following: a) Select the Groups tab. b) Select a Domain by using the drop-down list. c) Select the group or groups (use Ctrl to multi-select) in the Select the Group(s) section. d) Click OK. To add a user, do the following: a) Select the Active Directory tab. b) Select a Domain by using the drop-down list. c) Select the appropriate options under the Display section. d) Enter a specific name or a partial name in the Filter section. If you only use an asterisk (*), all possible options are presented. e) Click Refresh. f) Select your options from the list. (Use Ctrl to multi-select).
424
2. 3.
4. 5. 6. 7.
User Profiles
g) Click OK. 9. To assign permissions to this User Profile, complete the Permissions tab as appropriate.
10. Click OK to save your changes and close the window, or click Apply to save your changes and move to another tab.
425
426
22
vWorkspace Web Access
About Web Access Installation Web Access Management Console Use Web Access Integration with Juniper Networks Secure Access Web Access and Smart Cards
About Web Access

Web Access is a vWorkspace client that enables users to retrieve their list of allowed applications and desktops using a web browser. One or more vWorkspace Web Interface servers must be available to use this interface. Other than personalization settings, no client side configuration is needed making this a very user-friendly option. Users simply start their Internet browser and enter the address of the Web Interface server. After successful authentication, the users published desktops and applications display in the web browser.
You can not run the Web Access Management Console and a Web Access user session simultaneously in the same browser instance of Microsoft Internet Explorer 7, either as two separate tabs or by navigating between the Web Access Management console and the Web Access user session. This issue is due to a Microsoft Internet Explorer 7 tab session sharing issue. However, it is possible to run the Web Access Management console and a Web Access user session simultaneously, in two separate browser instances.
428
Installation
The following is a list of requirements for vWorkspace Web Access. Web Access can be placed in the DMZ or a secured subnet.
Hardware Server class hardware that meets the minimum requirements of selected operating system. One or more 100 Mbps or 1000 Mbps Ethernet adapters. Implemented as a virtual machine is an option. Operating System Windows 2000 Server (Standard or Advanced) Windows Server 2003 (Web, Standard, or Enterprise) Microsoft .NET Framework Optional Windows Components Version 2.0.50727 (with 3.0 support) ASP.NET Enable network COM+ access Internet Information Services (Common Files, Internet Information Services Manager, World Wide Web Service) Optional Microsoft Network Load Balancing Third-party load balancing appliance X.509 server certificate (if the Web site requires SSL encryption) X.509 trusted root certificate (if used with vWorkspace SSL Gateway)
429
How to ...
Install Web Access The following steps need to be completed on all designated Web Access servers. 1. 2. 3. Ensure all the required software components are installed. Execute start.exe, and select Web Access. Click Next and complete the installation.
Web Access Management Console

Web Access uses a web browser based management console. It is accessed by entering the URL: http://servername/Provision/Web-IT/Admin Servername is replaced with the host name, FQDN, or IP address of your web server. The vWorkspace Web Access is used with one or more vWorkspace infrastructures or farms. Through Global and Farm settings, administrators can specify settings by individual farms or for all of the farms. Some settings can be overridden by personal user settings if the administrator selects Allow the user to override in the vWorkspace Management Console.
430
Global Settings
The following settings can be specified on a global basis:
Authentication Windows Domains Two-Factor Authentication Credentials Pass-Through Password Management Client Identification User Experience Local Resources Display Performance
431
User Interface
Content/Layout Look & Feel Messages Downloads Miscellaneous
Configuration Settings
General
Farm Settings
Farm settings can also inherit their settings from the global settings. This is done by selecting Inherit the global settings. The following settings can be specified by Farm:
Authentication Windows Domain Two-Factor Authentication Credentials Pass-Through Connectivity Connection Broker Firewall/VPN Proxy Server User Experience Local Resources Display/Performance
Configuration
Complete the following configuration tasks in the presented order. Configure Farms Configure the Connectivity Settings Configure the Authentication Settings Configure the User Experience Settings Configure the User Interface Settings Configure the Web Access Application
432
Configure Farms
How to ...
Add or Remove a Farm 1. Click Add/Remove Farms in the left pane of the Web Access Management Console. Use the following URL to display the Web Access Management Console. Servername is replaced with the host name, FQDN, or IP address of your web server: http://servername/Provision/Web-IT/Admin 2. Enter the name of the infrastructure in the Farm field.
3. 4. 5. 6.
Click Add, and then Save Changes. Repeat the above steps until you have added all of the farms. Use the Up and Down arrows to move the added farms. Farms are displayed to users in the order they appear on this list. Select Log users on to all configured farms if users log on to all the defined farms using the same credentials. Users are not presented with a list of farms to choose from if this option is selected.
Configure the Connectivity Settings

The Connectivity settings include Connection Brokers and Firewall/SSL VPN. The Connectivity settings must be configured separately for each farm. Web Access uses the Connection Broker to process user logon requests, to retrieve the list of allowed managed applications and desktops, and to obtain connectivity parameters.
433
The Firewall/SSL VPN settings are used to determine the way in which users connect to Terminal Servers and managed computers. There are three address translation options that can be used, and which one is used depends upon server side firewalls, if network address translation is being used, as well as SSL encryption. The options are:
Normal Address vWorkspace clients connect to the vWorkspace Terminal Servers and managed computers using their IP address. No address translation occurs and the target computers IP address is visible. Use this option if there are no firewalls between the client and target servers, and Network Address Translation is not being used. Alternative Address vWorkspace clients are assigned an alias IP address that is routeable across the Internet. Firewall rules are constructed to allow inbound connections using the alternative address. The firewall then forwards the packets to the target servers using their real IP addresses. The private IP addresses used by the servers is not exposed to the Internet. Use this option for connections to Provision-IT Terminal Servers and the servers are protected by a firewall with Network Address Translation enabled. SSL Gateway Use this option to encrypt the RDP session traffic. Note: If you are using SSL Gateway in conjunction with Web Access, you must specify both the internal and external Web Access access URLs on the Firewall/SSL VPN section of the Web Access Management console. See Set Firewall/SSL VPN by Farm for more information.
How to ...
Set Connection Brokers by Farm Set Firewall/SSL VPN by Farm Set Proxy Server Settings by Farm
Set Connection Brokers by Farm 1. Do one of the following: a) Click Manage Farms in the left-hand pane, and then select Connection Brokers from the right-hand pane.
434
b) Select the farm from the drop-down list in the left-hand pane, and then select Connection Brokers from the left-hand pane from the appropriate farms setting.
2.
Enter the host name, FQDN, or IP address of the Connection Broker in the Server List field, and then click Add. Use FQDN when using https protocol. Repeat step 2 to add other Connection Brokers as appropriate. You need to use multiple Connection Brokers if you are using fault tolerance or load balancing.
3.
4. 5. 6. 7. 8.
Click Up or Down in the Server List field to move the order of the Connection Brokers. Enter the port number in the XML Port field. Select HTTP or HTTPS from the drop-down list in the Protocol field. Click Save Changes. Repeat this process for each farm that has been added.
Set Firewall/SSL VPN by Farm 1. Do one of the following: a) Click Manage Farms in the left-hand pane, and then select Firewall/SSL VPN from the right-hand pane. b) Select the farm from the drop-down list in the left-hand pane, and then select Firewall/SSL VPN from the left-hand pane.
435
2. 3.
Select the Default Address Translation Setting. Use this option when the IP addresses for users is unknown. Enter information pertaining to Custom Address Translation Settings. Use this option when the IP addresses for users is known. Enter SSL Gateway Settings. Select the Enable NAT support for firewall traversal if Network Address Translation is being used on a firewall that is between the SSL Gateway and vWorkspace Terminal Servers. Enter the external URL used to access Web Access remotely in the Web Access Access URL (external users) box. For example: https://webit.mycompany.com
4.
5.
436
6.
Enter internal URL used to access Web Access locally in the Web Access Access URL (internal users) box. For example: http://webit.mycompany.com
If you are using SSL Gateway in conjunction with Web Access, you must specify both the internal and external Web Access access URLs on the Firewall/SSL VPN section of the Web Access Management console.
7.
Click Save Changes.
Set Proxy Server Settings by Farm 1. Do one of the following: a) Select Use default from the system internet settings. b) Select Do not use a proxy server. c) Select Enter an address manually and complete the following: Enter the Proxy Server and Port. Enter any addresses that are not to be used for the proxy server.
2.
Click Save Changes.
Configure the Authentication Settings

The Authentication options can be configured globally or by individual farms. The settings include: Windows Domains; Two-Factor Authentication; Credentials Pass-Through; Password Management (this option can only be configured using a global setting); and Client Identification (this option can only be configured using a global setting).
437
How to ...
Set Windows Domain Set Two-Factor Authentication Set Credentials Pass-Through Set Password Management Set Client Identification
Set Windows Domain 1. Select Allow user to choose from the list of domains for users to choose a domain. If this checkbox is not selected, the domain field is not displayed to users, and the user is logged on to the first domain in the list. Enter the NetBIOS form of the Windows domain name in the Domain field, and click Add. Use the Up and Down arrows to move the domains. The order in which the domains display is the order in which they appear on the Web Interface Logon page. 4. Click Save Changes.
2. 3.
Set Two-Factor Authentication 1. Select Use two-factor authentication, if applicable.
2.
Select one of the two, third-party options: a) Secure Computing PremierAccess
OR
b) RADIUS (RSA ACE/Server, Secure Computing RemoteAccess)
438
3.
If you selected Secure Computing PremierAccess, complete the following information: Specify the path and file name to the Secure Computing PremierAccess configuration file in the Configuration File Location box.
4.
If you selected RADIUS (RSA ACE/Server, Secure Computing RemoteAccess), complete the following information: RADIUS Server RADIUS Port RADIUS Secret Key Use Encrypted authentication (CHAP) or Use Unencrypted Authentication (PAP)
5.
Click Save Changes.
Set Credentials Pass-Through This setting allows users to automatically log in to their vWorkspace farm using the same credentials as their client device. This setting should only be used in environments where network security is not a concern, such as with LAN users.
439
To use this setting, Enable Integrated Windows Authentication must be turned on in Advanced Internet Options of Internet Explorer, and the Microsoft IIS web server must be a member of a domain in the Active Directory forest containing the users account. 1. Select Enable credentials pass-through to use Integrated Windows Authentication with the Web Interface.
2.
Enter the part of the IP address that is common to all client devices on a subnet in the Intranet Address Prefix field, and then click Add. Repeat step 2 to add all subnets. Use the Up and Down arrows to arrange the display of the Intranet Address Prefixes. Enter Excluded Prefixes to deny the use of credentials pass-through to client devices having a specified IP address. Repeat step 5 to add all IP addresses. Use the Up and Down arrows to arrange the display of the Excluded Prefixes. Click Save Changes.
3. 4. 5. 6. 7. 8.
Set Password Management This option can only be configured as a global setting. 1. 2. Enter a Domain using the NetBIOS name of the Password Management server. Enter the Server (FQDN). The host name, NetBIOS name, or IP address can be used in this field.
440
3. 4. 5.
Enter a Port number, and then click Add. The usual number to use is 443. Repeat the above steps to add multiple Password Management servers. Click Save Changes.
Set Client Identification This option can be configured only as a global setting. 1. Select Query client name and IP address if the name and IP address of the client can be queried and sent to the Connection Broker. Once sent to the Connection Broker the published desktops and applications that are assigned to the client based on Device Name or Device IP Address can be presented. 2. Click Save Changes.
Configure the User Experience Settings

The User Experience settings can be configured globally or by individual farms. The settings include: Local Resources Provides control of client device resources, such as printers and microphones. Display Provides control of display properties, such as screen resolution. Performance Provides control of performance and optimization settings, such as local text echo and multimedia redirection.
Each setting has a checkbox that allows users to override the settings as configured by the Web Interface administrator.
How to ...
Set Local Resources Set Display
441
Set Local Resources 1. Select Local Resources from the User Experience section.
2. 3. 4. 5.
Select Allow user to override local resource settings, if appropriate, to allow users to personalize their own sessions. Complete the Remote Computer Sound options, as appropriate. Complete the Apply Windows key combinations options, as appropriate. Select the following options, as appropriate:
Redirect Drives Select if users need access to the disk drives on their physical device. Select if users needs to print to autocreated client printers using native print drivers. Select if users need access to devices attached to the serial ports on their physical device. Select if users are required to log on to their session using a Smart Card attached to their physical device. Select if users need access to USB devices.
Redirect Printers
Redirect Com Ports
Redirect Smart Cards
Redirect Devices
442
Redirect Universal Printers
Select if users need to print by autocreated client printers using the Universal print driver. Select if users need to redirect the local computer microphone when connecting to a Terminal Server. Select if users need to redirect the local computer clipboard when connecting to a Terminal Server.
Redirect Microphone
Redirect Clipboard
6.
Click Save Changes.
Set Display 1. Select Display from the User Experience section.
2.
Complete the Display Settings. a) Select Allow user to override the display settings, if appropriate. b) Complete the Screen Resolutions options, as appropriate.
Window Sizes These settings only apply when seamless window connections are used.
443
Display connection bar
This setting allows users to minimize, maximize, or close the session by use of a connection bar, when connecting in full screen mode. This setting is available when Full Screen is chosen for Screen Resolution. This setting pins the remote desktop connection bar.
Pin connection bar
Enable smart sizing
This setting is used when connection to managed computers that are VMware virtual machines. This setting enables the remote session screen size and color depth to match the settings of the physical client device, when connecting to managed applications hosted on vWorkspace enabled Windows Terminal Servers. This setting is available when Full Screen is chosen for Screen Resolution. This setting enables the display area to span across two monitors.
Enable seamless mode
Span multiple monitors when in full screen mode
c) Select a Color Depth option from the drop-down list. This setting is not used with seamless window connections. 3. Click Save Changes.
Set Performance 1. Select Performance from the User Experience section.
444
2.
Complete the Performance options. a) Select Allow user to override local resource settings, if appropriate, to allow the user to personalize their own sessions. b) Select the following options, as appropriate. Enable Enable Enable Enable Enable wallpaper full window drag animation themes bitmap caching
c) Select the following optimization options, as appropriate: 3. Enable local text echo Enable graphic acceleration Enable multimedia redirection
d) Select Reconnect if connection is dropped, as appropriate. Click Save Changes.
Configure the User Interface Settings

The User Interface settings can be configured globally or by individual farms. The settings include: Content Layout Controls how published applications, desktops, and content display in the users web browser. Look & Feel Controls color scheme, header logo, and content position.
445
Messages Controls the content of messages presented to the user. Downloads Controls the available download links as displayed in the Download Center. The downloads section is also used to specify which client to use, and whether to allow users to select which client to use. The options are as follows: Do not automatically download and install a client (normal operation). Allow the user to select which client to use (e.g. Windows or Java Client). Automatically download and install either the Windows client or the Java client.
When the Windows client is selected, a client version and location can be specified. In this case, it checks whether the vWorkspace Windows client is installed on this machine. If the specified version or later version is not installed, it attempts to automatically download the client from the specified location using Microsoft ActiveX. The autodownload operation only works on browsers that support ActiveX, and if ActiveX is enabled in Internet Options of the browser. Additionally, a static link can be displayed in the Web Access interface that allows the user to manually download and install the Windows client. Miscellaneous Controls the display of the IP address of the vWorkspace client device when a connection to the Web Interface server is made, and whether to automatically start a specified (or single) application when the user logs on successfully.
How to ...
Set Content Layout Options Set Look & Feel Options Set Messages Options Set Downloads Options Set Miscellaneous Options
446
Set Content Layout Options 1. Complete the following options, as appropriate.
a) Select Allow user to override the application set layout, if appropriate. b) Select Present apps in flat format (No folders) to display all the published resources on one page. c) Select the Default application layout style from the following options: Details Icons List Tree (The application search feature is unavailable to users with this view.) Accordion (The application search feature is unavailable to users with this view.) Content width (move the slider to display the appropriate pixels)
d) Enter a number of columns in the Divide apps evenly among field. The default is 3. e) Enter a number of columns in the Divide List view applications evenly among field, which is only applicable to the List application layout style. The default is 2. 2. Click Save Changes.
447
Set Look & Feel Options 1. Complete the following fields on the Color Scheme window as appropriate.
2.
Click Upload New Logo Graphic to change the current header logo.
448
a) Click Browse to open the file that is to be used for the new logo. b) Click Upload New Logo. 3. 4. 5. Select a Page Background Color from the Select Color drop-down list. Select a Color Scheme. There are 9 different color schemes available. Click Save Changes.
449
Set Messages Options 1. To modify a message, type new text or type additional text, and then click Save Changes. This section is used to modify text and messages that is displayed in various areas of Web Access.
450
Set Downloads Options 1. Complete the vWorkspace Client options, as appropriate.
a) Select Do not automatically download and install a client, if appropriate. b) Select Allow the user to select which client to use, if appropriate. c) Select Automatically download and install the following client: and choose the client, if appropriate. d) Select Always display a link to download and install the vWorkspace client for Windows and enter a File Path, as appropriate. e) Add up to five additional download links by entering the text string to be used as the display label in the Text field, and the location and file name in the Path field. 2. Click Save Changes.
Set Miscellaneous Options 1. Select Display source IP address on login page to display the IP address of the vWorkspace client device when connected to the Web Interface server. This is used for troubleshooting and support purposes.
451
2.
Complete the Application Auto-Launch section as follows: a) Select Launch Applications Automatically to start a published application or desktop at logon. b) If you selected Launch Applications Automatically, you can select one of the following options: Auto-Launch When There Is Only One Application Auto-Launch Specific Application, and enter the name in the Name Of Application field.
The name of the specified application to be started must match the exact name of the published application. 3. Click Save Changes.
Configure the Web Access Application

The Configuration settings can be configured globally, or by individual farms. The General settings include: Display detailed error messages Enables detailed messages to display to accelerate troubleshooting. If this setting is not specified, it uses a pre-set default value that is specified in web.config, a web-application configuration file which is automatically installed. The default is to not display detailed error messages. You can also select Enable error logging, as appropriate. It is recommended that this option is only selected as directed by Quest Software support personnel. User Session Time-Out Determines the length of time, in minutes, before the user is forced to reauthenticate. If this setting is not specified, it uses a pre-set default value that is specified in web.config, a web-application configuration file which is automatically installed.
452
VDI Retry Interval Defines the wait period between connection attempts of a virtual desktop that is powering up. If this setting is not specified, it uses a pre-set default value that is specified in web.config, a web-application configuration file which is automatically installed.
How to ...
Set the General Options 1. Complete the following: a) Select Display detailed error messages and Enable error logging, if appropriate. It is recommended that this option is only selected as directed by Quest Software support personnel. b) Enter a number of minutes in the User Session Time-Out field. c) Enter a number of seconds in the VDI Retry Interval field. 2. Click Save Changes.
Use Web Access

Users connect to the Web Interface by using the following URL: http://servername/Provision/Web-IT/ Servername is replaced with the host name, FQDN, or IP address of your web server.
If your Web Interface server requires an SSL connection, replace http with https. If your Web Interface is being used with an SSL Gateway, a slash mark (/) must be added to the end of the URL.
453
The information displayed on the Web Access Login window in the Login, Info Center, Downloads, and Preferences sections on the Web Access Login window depends upon the settings configured in the Web Access management console. Some examples of the Web Access login window are listed below:
Web Access Logon without Domain and Client Type Options
Web Access Login with Client Type
454
Web Access Login with Options of Domain and Client Type
Once a user successfully authenticates their log on, a list of published resources or application set, is presented. An application set is not presented if a user has not been assigned a published resource. The view of the application set is based upon settings made in the Web Access management console, Content Layout. A toolbar is accessible on the Application Set window that offers the following options:
Refresh
Change Password
Help
455
Application Set Searches

An application set search feature is available to users if their application layout style is one of the following: Details Icons List
The search feature is unavailable to users with the Tree or Accordion view. Users enter the search terms into the search box, and then click the search button. A list of possible applications are presented. The Clear option is used to clear the search results and return to the full set of applications.
Preferences
Users are permitted to change some settings in Web Access based upon the settings made by the Web Access administrator. Users can select the Preferences option, and they are presented with the following window with access to changing settings as indicated by the administrator.
456
TAB General
SETTINGS Change your layout: Default application layout style Content width Divide apps evenly among Divide List View applications evenly among Display apps in flat format (no folders) Remember farm selection for login Currently selected farm: Apply settings to: (specify settings for all farms or a specific farm)
457
TAB Display
SETTINGS Color Depth (These settings are not used when making seamless window connections.) Screen Resolution Disable connection bar This setting allows users, by use of a connection bar, to minimize, maximize, or close the session when connecting in full screen mode. Pin connection bar This setting pins the remote desktop connection bar. Enable smart sizing This setting is used when connected to managed computers that are VMware virtual machines. Enable seamless mode This setting enables the remote session screen size and color depth to match the settings of the physical client device when connecting to managed applications hosted on vWorkspace enabled Windows Terminal Servers. Span multiple monitors when in full screen mode This setting enables the display area to span across two monitors. Apply Settings to: (specify settings for all farms or a specific farm).
Local Resources
Remote computer sound Apply Windows key combinations Connect automatically to these devices when logged on to the remote computer: Drivers Printers Com Ports Smart Cards USB Devices Universal Printers Microphone Clipboard Apply Settings to: (specify settings for all farms or a specific farm).
458
TAB Performance
SETTINGS Allow the following: Desktop background Show contents of window while dragging Menu and window animation Themes Bitmap caching Optimizations: Enable local text echo Enable graphic acceleration Enable multimedia redirection Reconnect if connection is dropped Apply settings to: These setting can be applied to all farms, or a specified one.
Change Password
Users can securely change their password while connecting over the Internet. However, for security reasons, it is recommended that SSL encryption is required on the Web Access server if this feature is used across the Internet. The Web Access must be configured to use Password Management server. Users choose a domain if the administrator has specified any domains in the Password Management section of the Admin Console. If domains have not been specified by the administrator, users are not able to change their passwords.
459
Users will need to provide the following: Username Old Password New Password Confirm New Password Domain
Help
Users have access to a basic help menu. Help is available for the following topics: Authentication Logging On Logging Out Changing Your Password Configuring the Application Set
Using the Application Set
Integration with Juniper Networks Secure Access

Web Access and Juniper Networks Secure Access SSL VPN can be integrated to be used as a single, sign on solution by using custom headers created by the Juniper Secure Access Central Manager.
460
How to ...
Create Custom Headers 1. 2. 3. 4. 5. Open the Juniper Secure Access Central Manager. Under Resource Policies, select Web | SSO Cookies/Headers. Click New Policy. Enter a name for the policy. Specify your Web Access URL in the Resources section. For example: http://servername/provision/web-it/* Enter the host name, FQDN, or IP address of your web server in the above URL.
6.
Select the role to which the policy should apply in the Roles section. If you are not certain as to which policy or policies to apply, select Policy applies to All roles.
461
7.
Select Append headers as defined below as the Action.
8.
Enter each header name and value from the following table in the Headers and values section. Click Add after adding each header name and value.
HEADER NAME PN_Username PN_Password PN_Domain VALUE <USER> <PASSWORD> MYDOMAIN (use the relevant domain to which your users authenticate)
9.
Click Save Changes. If all configurations have been completed correctly (such as Secure Access roles, permissions), users are presented with their applications when using Web Access.
462
If your Web Access implementation has multiple farms that users can authenticate to and get applications from, there are two different ways this can be configured: 1. If users are to be presented with applications for all configured farms, select Log users on to all configured farms on the Farms window in the Web Access Management Console.
OR
2. If users can log in to only one specified farm, add that information to the Header and values section. See step 8 for more information. For example:
HEADER NAME PN_Farm VALUE MYFARM
a) If a farm has been previously selected and saved in the Web Access Custom User Settings, open the Settings window and unselect Remember farm selection for login. b) Your Juniper users are presented with applications only from that farm.
Web Access and Smart Cards

The following are requirements for using smart card authentication with Web Access: Internet Information Services (IIS) server must be joined to your domain.
463
IIS cannot be used in conjunction with Secure-IT, because the connection to Web Access is terminated by Secure-IT. See About the SSL Gateway for more information on Secure-IT.
IIS server must have an SSL web server certificate from Certificate Authority that has also issued the smart card certificate. Client machines that are not joined to your domain are prompted twice to authenticate; to authenticate to IIS and to authenticate when an application is started.
How to ...
Configure Web Access for Smart Cards 1. 2. Join the IIS server to your domain. Select Enable the Windows directory server mapper on the Web Sites Properties window, Directory Security tab. The Web Sites Properties window is found at the following path: Start | Administrative Tools | Internet Information Services | Web Sites folder | Properties (context menu) 3. Do the following to enable a web server certificate from the certificate authority: a) Open Properties for ssomain.aspx. by using the following path from your web server on the IIS Manager: Web Sites | Default Web Site | Provision | Web Access b) Open the File Security tab and click Edit under Secure communications. c) Select the following on the Secure Communications window: Require secure channel (SSL) Require 128-bit encryption Require client certificates Enable client certificate mapping
464
4.
Complete the following Credentials Pass-Through settings on the Web Access Management Console. These settings can be done at the Farm or Global level. a) Select Enable credentials pass-through. b) Select Use Kerberos authentication. c) Select Initial Authentication Only. d) Add an asterick (*) to the Intranet Address Prefix section to enable all IP addresses. e) Click Save Changes.
465
466
23
vWorkspace and the SSL Gateway
About the SSL Gateway SSL Gateway Configuration Installation Configuration Options
About the SSL Gateway

The Secure Sockets Layer (SSL) Gateway enables clients to access the Web Interface using https and virtual machine published desktops and applications using RDP over SSL. The SSL Gateway is designed to simplify the deployment of applications over the Internet, securely and cost-effectively. RDP connections are SSL-encrypted at client workstations and sent through the corporate firewall on TCP port 443. Once received by the SSL Gateway, the data is decrypted and forwarded to the destination virtual machine on TCP port 3389. Outbound RDP traffic passing through the SSL Gateway is encrypted and forwarded to the client workstation.
The SSL Gateway can also be used with the Web Interface. The web browser requests destined to the Web Interface server are SSL encrypted at the client workstations and sent through the corporate firewall on TCP port 443. Once received by the SSL Gateway, the data is decrypted and forwarded to the destination Web Interface server on TCP port 80. Outbound responses from the Web Interface server passing through the SSL Gateway are encrypted and forwarded to the clients web browser.
Installation
The SSL Gateway requires the following: Windows 2000 Server (Standard or Advanced) Windows Server 2003 (Standard or Enterprise) One or more X.509 web server certificates (depending upon configuration) Trusted root certificate from the issuing CA installed into the Windows machine store of the SSL Gateway for certificates that have been installed on the Web Interface or Connection Broker servers.
Microsoft IIS can exist with the SSL Gateway, but it is not required.
468
The SSL Gateway can be placed in the DMZ network or a protected internal network, and it can be installed on a physical or virtual machine. The SSL Gateway can exist with the Web Interface, and third-party balancing can be used.
The SSL Gateway should not be installed on Terminal Servers. The only exception would be for proof of concept purposes.
How to ...
Install the SSL Gateway 1. 2. 3. Execute the start.exe installer program. Select either Enterprise Edition or Desktop Services Addition licensing mode. Select Connectivity Features | SSL Gateway on the Custom Setup window.
SSL Gateway Configuration

The SSL Gateway is configured using the Secure-IT applet that is located in the Windows Control Panel.
469
PROXIES TAB FIELDS RDP Proxy Local IP Address
DESCRIPTION
This checkbox enables SSL encryption of RDP session traffic between the vWorkspace client and vWorkspace enabled Terminal Servers and Managed Computers. The IP address for the SSL Gateway for inbound requests is selected from the drop-down list.
Local Port
The TCP port number to be used for SSL encryption of RDP session traffic. Default is 443. Note: If Microsoft IIS exists on the SSL Gateway, the port 443 might already be in use.
Certificate Name
This field is for selection of the web server certificate that is to be used by the SSL Gateway for inbound SSL-encrypted RDP session traffic. Note: Only certificates installed in the Windows machine store are recognized.
Web Interface Proxy Local IP Address This checkbox enables secure web browser traffic between the vWorkspace client and the Web Interface web server. The IP address for the SSL Gateway for inbound Web Interface SSL requests is selected from the drop-down list. Local Port The TCP port number to be used for SSL encryption of the Web Interface session traffic. Default is 443. Note: If Microsoft IIS exists on the SSL Gateway, the port 443 might already be in use. Destination Host(s) The SSL Gateway forwards requests through the IP address, host name, or FQDN of the Web Interface web server. Use commas to separate entries.
470
PROXIES TAB FIELDS Dest. Port
DESCRIPTION The TCP port number that the Web Interface web server listens on. Default is 80.
Enable SSL
This checkbox decrypts and then forwards packets. Unselect this checkbox, and the packet is sent without being decrypted.
Certificate Name
This field is for selection of the web server certificate that is to be used by the SSL Gateway for inbound SSL-encrypted RDP session traffic. This field is only for use if the Enable SSL checkbox is selected. Note: Only certificates installed in the Windows machine store are recognized.
Connection Brokers Proxy Local IP Address This checkbox indicates secure traffic between the vWorkspace client and the Connection Broker servers. The IP address for the SSL Gateway for inbound Connection Broker SSL requests is selected from the drop-down list. Local Port The TCP port number for SSL encryption of Connection Broker traffic. Default is 443. Note: If Microsoft IIS exists on the SSL Gateway, the port 443 might already be in use. Destination Host(s) The SSL Gateway forwards requests through the IP address, host name, or FQDN of the Connection Broker server. Use commas to separate entries. The TCP port number that the Connection Broker servers listen on. Default is 80.
Dest. Port
471
PROXIES TAB FIELDS Enable SSL
DESCRIPTION If this checkbox is selected, the SSL Gateway decrypts inbound SSL packets before forwarding them to the Connection Broker servers. If this checkbox is not selected the SSL Gateway will not encrypt SSL packets for inbound Connection Broker servers.
Certificate Name
This field is for selection of the web server certificate that is to be used by the SSL Gateway for inbound SSL-encrypted RDP session traffic. This field is only for use if the Enable SSL checkbox is selected. Note: Only certificates installed in the Windows machine store are recognized.
OPTIONS TAB FIELDS Connections Settings Inactivity Timeout
DESCRIPTION
This number is the amount of time a session can be inactive before the SSL Gateway terminates it. Default is 0 (no time out).
Server Logging Enable to Trace login to the specified file If this checkbox is selected, logging for troubleshooting is enabled. The name and location for this file is entered into the text box. You can also use Browse.
Configuration Options
The following configuration options discussed in this section are: AppPortal Access Web Interface Access AppPortal and Web Access
472
AppPortal Access
This option describes a setup when a single point of entry is needed for users connecting from external networks, and the vWorkspace client is accessed by the AppPortal.
The SSL Gateway is the only access point to the vWorkspace infrastructure. Remote clients gain access to the system using a single FQDN. Only one firewall access rule is required to permit inbound connections to the SSL Gateway on TCP port 443.
A valid 128-bit SSL certificate must be installed on the SSL Gateway.
The SSL Gateway, if situated in the DMZ, requires additional firewall rules to allow the SSL Gateway to communicate with the Connection Brokers and the virtual machines.
How to ...
Configure AppPortal Access 1. 2. Use the following path to access the applet: Control Panel | Provision Networks Secure-IT Complete the RDP Proxy section as follows: a) Select Local IP Address, and then select an IP address from the drop-down list. b) Enter the Local Port.
473
c) Click the Lock icon to select the web server certificate used by the SSL Gateway for inbound SSL-encrypted RDP session traffic. Only certificates installed in the Windows machine store are recognized. 3. Complete the Connection Broker Proxy section as follows: a) Select Local IP Address, and then select an IP address from the drop-down list. b) Enter the Local Port. c) Enter the IP address, host name, or FQDN of the Web Interface web server that the SSL Gateway forwards requests. Use commas to separate entries. d) Click the Lock icon to select the web server certificate used by the SSL Gateway for inbound SSL-encrypted RDP session traffic. Only certificates installed in the Windows machine store are recognized.
Both the RDP and the Connection Broker proxies can share the same IP address and TCP port.
4.
Configure a farm connection using AppPortal | Manage Connections, or by right-clicking on the farm from the vWorkspace Management Console. Enter the FQDN of the Connection Broker proxy in the Server List on the Connectivity tab. Select Enable RDP over SSL/TLS, and then enter the FQDN of the RDP proxy in the SSL Gateway Server field.
5. 6.
474
Web Interface Access

This option describes a setup when a single point of entry is needed for users connecting from external networks, and the vWorkspace client is accessed by the Web Interface.
The Web Interface is configured with the FQDN of the SSL Gateway for any client devices whose IP address is not part of the corporate LAN. Remote clients gain access to the system using a single FQDN. Only one firewall access rule is required to permit inbound connections to the SSL Gateway on TCP port 443.
A valid 128-bit SSL certificate must be installed on the SSL Gateway.
The SSL Gateway, if situated in the DMZ, requires additional firewall rules that permit the SSL Gateway to communicate with the Web Interface and the virtual machines.
475
Alternatively, the SSL Gateway and the Web Interface can be in the DMZ. Additional rules are required to permit the SSL Gateway to communicate with the virtual machines, and the Web Interface to communicate with the Connection Broker.
If you are using SSL Gateway in conjunction with Web Access, you must specify both the internal and external Web Access access URLs on the Firewall/SSL VPN section of the Web Access Management console. See Set Firewall/SSL VPN by Farm for more information.
How to ...
Configure the Web Interface 1. 2. Use the following path to access the applet: Windows Control Panel | Provision Networks Secure-IT Complete the RDP Proxy section as follows: a) Select Local IP Address, and then select an IP address from the drop-down list. b) Enter the Local Port. c) Click the Lock icon to select the web server certificate used by the SSL Gateway for inbound SSL-encrypted RDP session traffic. Only certificates installed in the Windows machine store are recognized.
476
3.
Complete the Web Interface Proxy section as follows: a) Select Local IP Address, and then select an IP address from the drop-down list. b) Enter the Local Port. c) Enter the IP address, host name, or FQDN of the Web Interface web server that the SSL Gateway forwards requests. Use commas to separate entries. d) Select Enable SSL. e) Click the Lock icon to select the web server certificate used by the SSL Gateway for inbound SSL-encrypted RDP session traffic. Only certificates installed in the Windows machine store are recognized.
Both the RDP and the Connection Broker proxies can share the same IP address and TCP port.
4. 5. 6.
Click OK. Start the vWorkspace Web Access Management Console. Select the farm from the drop-down list, and then click Firewall/SSL VPN.
477
7.
Complete the fields on the Firewall/SSL VPN window:
a) Select SSL Gateway as the Default Address Translation Setting. The Custom Address Translation Settings are for internal, LAN based users. You can add address prefixes to prevent them from unnecessarily starting SSL encrypted RDP connections. b) Enter the SSL Gateway FQDN/IP Address. c) Enter the TCP Port.
478
d) Enter an Access URL for both external users and internal users. For example: Web Access Access URL (external users) https://webit.mycompany.com Web Access Access URL (internal users) http://webit.mycompany.com
8.
Click Save Changes.
AppPortal and Web Access

This option describes a setup where the vWorkspace client is accessed by AppPortal and Web Access.
479
The SSL Gateway and the Web Interface, if situated in the DMZ, require additional firewall rules to permit the SSL Gateway to communicate with the virtual machines and the Connection Broker, and for the Web Interface to communicate with the Connection Broker.
There are two possible ways to configure the use of the AppPortal and Web Interface. One option allows all three proxies to share the same IP address and SSL certificate, but the Web Interface and the Connection Broker proxies have different TCP ports. This allows the SSL Gateway to distinguish HTTP connections going to the Web Interface from HTTP connections going to the Connection Broker. A second option is for all three proxies to use the same TCP port, but the Connection Broker has a different IP address and SSL certificate.
How to ...
Configure AppPortal and Web Interface 1. Use the following path to access the applet: Windows Control Panel | Provision Networks Secure-IT
480
2.
To configure using the same IP address and SSL certificate: a) Enter the same IP address in the RDP Proxy, Web Interface Proxy, and Connection Broker Proxy fields. b) Enter the same Local Port for RDP Proxy and Web Interface Proxy, and a different Local Port for the Connection Broker Proxy.
3.
Complete the other fields as appropriate, and then click Apply to make the changes without closing the window, or click OK to make the changes and to close the window.
c) Configure a farm connection using AppPortal | Manage Connections, or by right-clicking on the farm from the vWorkspace Management Console. d) Enter the FQDN of the Connection Broker proxy in the Server List on the Connectivity tab. e) Select Enable RDP over SSL/TLS, and then enter the FQDN of the RDP proxy in the SSL Gateway Server field, and then click OK.
Both proxies may share the same FQDN, but the Connection Broker proxy is set to a different TCP port.
481
4.
To configure using the same TCP port: a) Enter the same TCP Port number in the RDP Proxy, Web Interface Proxy, and Connection Broker Proxy fields. b) Complete the other fields as appropriate, and then click OK.
c) Configure a farm connection using AppPortal | Manage Connections, or by right-clicking on the farm from the vWorkspace Management Console. d) Enter the FQDN of the Connection Broker proxy in the Server List. e) Enter the FQDN of the RDP Proxy in the SSL Gateway Server field. f) Click OK.
The RDP and Web Interface proxies can share the same IP Address, TCP Port, and Certificate Name. The Connection Broker Proxy is bound to a different IP Address and Certificate Name.
482
24
Universal Printing
About Print-IT Print-IT Components Universal Print Driver Options Universal Network Print Services Options Print-IT Printer Properties
About Print-IT
Quest vWorkspace Print-IT is a single driver printing solution that satisfies both client side and network printing needs in a Terminal Server environment. In addition to its driver independent approach to printing, benefits also include: A reduction in network bandwidth utilization. The ability to inherit the properties of manufacturer specific print drivers such as supported trays, paper sizes, and margins.
Print-IT is a universal print driver solution designed for Windows Terminal Servers and all versions of Citrix XenApp and Citrix Presentation Server. Print-IT features and benefits include: Support for both EMF and PDF modes of printing. No requirement for Adobe Acrobat Reader on the client. No requirement for the server side fonts to be preinstalled on the client. Size optimized print streams. Adaptive compression technology (multiple compression algorithms for color and black and white images). Bandwidth usage control and intelligent font embedding (only fonts that do not exist on the client are embedded inside the print stream). Partial font embedding (only the used portion of fonts are embedded inside the print stream). Excellent print quality. Incredible print performance and reliability. Page level streaming for instant printing of large size documents. Support for native printer features, such as bins, paper sizes, margins, and print quality. Support for private printer features, such as manufacturer specific features of stapling and watermarks. Support for the RAW data type. Multiple printer naming options. Synchronous or asynchronous printer creation, which ensures the creation of at least one printer before the server side application is started. Clientless support for LAN connected print servers.
484
Universal Printing
Clientless support for remote site print servers in situated and distributed environments. Support for virtually any printer make and model.
Print-IT Components
The primary Print-IT components are: Universal Print Driver Part of the Power Tools for Terminal Servers in Custom Setup. The option, Power Tools for Terminal Servers, only appears if Terminal Services is detected by the vWorkspace installer. Universal Network Print Services Part of the Peripheral Server Extension option in Custom Setup. The option, Peripheral Server Extension, only appears if Terminal Services is not detected by the vWorkspace installer.
Universal Print Driver

Universal Print Driver (Print-IT) enables driver independent, universal printing to client side printers, corporate, and remote site printers in a distributed enterprise. The following Universal Print Driver (Print-IT) printing options are available for installation on Terminal Servers: Universal Client Printer Auto-Creation Enables users to autocreate and print to their client side printers using a single universal print driver, eliminating the need to install printer specific drivers on Terminal Servers. Universal Network Printer Auto-Creation Enables users to connect and print to shared network printers using a single universal print driver, eliminating the need to install printer-specific drivers on Terminal Servers.
Universal Network Print Services

Universal Network Print Services enhances the users print experience and simplifies network printer manageability in Terminal Server and managed computer environments by automatically creating shared network printer mappings throughout a distributed enterprise, using a single universal print driver. The following Universal Network Print Services printing options are available for installation on Windows based network print servers:
485
Universal Network Print Server Extensions Installs on existing dedicated Windows network print servers. Eliminates the need of installing large numbers of drivers on Terminal Servers and managed computers by using a single universal print driver to create shared network printers. Also improves network print performance by taking advantage of the highly efficient compression engine found in the vWorkspace Universal Print Driver. Universal Print Relay Service for Remote Sites Installs on remote site and branch office network print servers and works in conjunction with Universal Network Print Server Extensions to extend the benefits of the universal printing architecture across the enterprise. Includes encryption, compression, and bandwidth usage control for high performance and security.
Universal Print Driver Options

The options of Universal Network Printer Auto-Creation and Universal Client Printer Auto-Creation enable users to access printers, either network or client, via Terminal Services without the need for printer specific drivers to be installed on the Terminal Server.
Universal Network Printer Auto-Creation Option

Shared network printers can be autocreated for vWorkspace clients when logging on to a Terminal Server session using Windows native print drivers, the vWorkspace Universal Print driver, or both. When installed on a traditional Windows network print server, Print-IT autocreates and shares printers using the Print-IT universal print driver. These Print-IT printers have the same features as the original network printer. Once the Print-IT printers have been created and shared, they can be assigned to the appropriate clients using the vWorkspace Management Console, or if appropriate, the Citrix Management Console (CMC) or scripted logic. Printer connections are established successfully because the same Print-IT driver is also installed on Terminal Servers or Citrix Presentation Servers. Because the connections are to the Print-IT printers and not the original printers, the manufacturer-specific print drivers do not need to be present on the Terminal Servers or Citrix Presentation Servers, leaving these servers driver-free.
486
Universal Printing
When the Print-IT universal print driver does not support a specialized feature of a printer or the driver is not compatible with a print device, autocreated printers can be assigned to clients using the native driver for that printing device. The network printer auto-creation mode is a clientless mode; it does not require installing the Print-IT client software on the client supporting devices of all types.
Autocreating shared network printers for vWorkspace clients using the vWorkspace Universal Print Driver involves the following items: Install vWorkspace Universal Network Print Server Extensions on to the Windows-based print servers. Install and share the desired printers on the Windows based print servers as normal. Add the Windows based print servers as Print-IT print servers using the Manage Print-IT Printers option on the vWorkspace Management Console. Select the printers to be defined as Print-IT printers using the Manage Print-IT Printers option on the vWorkspace Management Console. Assign the Print-IT printers to the appropriate vWorkspace clients from the vWorkspace Management Console.
487
Universal Client Printer Auto-Creation Option

The Universal Network Printer Auto-Creation option enables client side printers to be autocreated during logon for each user session on the Terminal Server. For each client printer, Print-IT autocreates and configures a server side printer using the Print-IT driver that has the same printer features as the client printer. Client printer autocreation relies on a custom virtual channel driver to transfer the print job from the server to the client. This mode of operation requires the Print-IT client software to be installed on the client computers. Print-IT enables the administrator to specify what types of client printers to autocreate, as well as allowing users to choose which printers that can be autocreated.The types of client printers that can be autocreated include: Local printers Network printer connections Only the default printer All the printers and printer connections
Administrators can also configure several preferences and performance parameters including the printer naming convention, print bandwidth upper limit, and compression options. To enable the autocreation of client printers, the following criteria must be met: The Universal Client Printer Auto-Creation feature must be installed on to every Terminal Server to which users connect. The Client Printer Auto-Creation options, at least one, must be enabled on every Terminal Server to which users connect. The Print-IT software must be installed on the client device, which is installed as part of the vWorkspace Client installation. The Auto-Creation options, at least one, must be enabled in the Print-IT client. The Universal Printers virtual channel must be enabled in the vWorkspace client, Microsoft Terminal Services client, or Citrix ICA client.
To print to an autocreated client printer, the user simply selects the Print command, and a list of printers is presented to them. Print preview is also available by selecting the Preview before printing from the PNTray menu.
488
Universal Printing
Print-IT Properties
When the Universal Client Printer Auto-Creation or Universal Network Printer Auto-Creation options of Print-IT are installed on a Terminal Server, the vWorkspace Print-IT Properties Control Panel applet is used to control the servers print settings. Below is a description of the tabs and options that are available.
General Tab
PRINT-IT PROPERTY GENERAL TAB Print Data Format
DESCRIPTION The options are PDF or EMF. Note: It is recommended that you use EMF, as it is a more robust printing mechanism.
489
PRINT-IT PROPERTY GENERAL TAB Client Printer Auto-Creation Options
DESCRIPTION Auto-create default printer Creates a printer mapping only to the default printer on the client device. Note: By selecting the Auto-create default printer option, any other Client Printer Auto-Creation options that are also selected do not apply. Auto-create local printers Creates a printer mapping for all of the local printers defined on the client device. Auto-create network printers Creates a printer mapping for every network printer defined on the client device. Inherit auto-creation settings from client Autocreates printers based on the Print-IT properties set on the client device.
Client Printer Auto-Creation Wait Mode
Auto create only default printer synchronously Requires the mapping to the clients default printer to be completed before presenting the application or desktop window to the user. Auto create all printers synchronously Requires every printer on the client device to be mapped before presenting the application or desktop window to the user. This is the slowest method for login. Auto create all printers asynchronously Allows the presentation of the application or desktop window to the user without requiring printer mappings to be made first. This allows for the fastest login.
490
Universal Printing
PRINT-IT PROPERTY GENERAL TAB Advanced Options
DESCRIPTION Auto-create printers with full permissions Elevates user permissions to Full Control for all mapped printers. This is sometimes a requirement for printing with certain legacy applications. Delete auto-created printers when sessions disconnect Causes all mapped printers to be deleted from the server if a users session is disconnected. Enabling this feature can improve the reliability of printing in a multi-user environment. Synchronize default printer on client and server Enables synchronizing the settings of the default printer in the users Terminal Server session with those of the default printer of the session running on the client device.
Compression Tab
Controls when and to what extent compression is applied to the printer output. The options on the window depend on the Print Data Format, either PDF or EMF, that is chosen on the General tab.
491
EMF Format
PMF Format
492
Universal Printing
PRINT-IT PROPERTY COMPRESSION TAB EMF Format
DESCRIPTION Data Compression controls the level of compression used for text. Level choices include: No compression Minimum (best speed) Low Medium High Maximum (smallest size) JPEG Image Compression controls the level of compression used for graphic images. Selectable Level options are: No compression Minimum (best quality) Low Medium High Maximum (smallest size)
493
PRINT-IT PROPERTY COMPRESSION TAB PDF Format
DESCRIPTION Black & White Image Compression controls the algorithm used for compressing text and graphics. Algorithm choices include: Default compression CCITT Fax Group 4 Color Image Compression controls the algorithm and quality level of compression used for color images. Selectable Algorithm options are: Automatic (recommended) Default compression 256 compression JPEG compression Selectable options for Quality Level are: Maximum (largest file size) High Medium Low Minimum (smallest file size) Remove duplicate images, if selected, embeds the image once inside the print stream for the purpose of minimizing the use of bandwidth. For example, an image of a logo embedded in a header would only be embedded once.
Naming Tab
The Naming tab is used to control which client printer naming convention to use when naming autocreated client printers.
494
Universal Printing
PRINT-IT PROPERTY NAMING TAB Client Printer Naming Convention
DESCRIPTION Printer Name [Session #] Printer Name [Client Name:Session #] Printer Name [User Name:Session #] [Client Name:Session #] Printer Name [User Name:Session #] Printer Name Printer Name [User Name] [User Name] Printer Name
Use UNC names to client network printers
Select if you want to use UNC names.
495
Bandwidth Tab
Use the bandwidth control slider to limit the amount of bandwidth consumed for printing purposes with each user session on the Terminal Server.The range is between 5 Kbps and 2 Mbps.
The maximum value set on the Terminal Server takes precedent; if there is a higher value set at Print-IT client properties.
496
Universal Printing
Upgrade Tab
Auto Client Upgrade Options can be used to upgrade older versions of Print-IT on the client device with a newer one. To enable this capability, select Automatically upgrade clients to new version, and enter the path and file name of the Print-IT client installer package in the input box, or browse to it by clicking the folder icon. This location needs to be the same on the local machine of each server running the Print-IT server.
You should not select this option if you are using vWorkspace Enterprise or Desktop Services editions, as Print-IT is already built into the vWorkspace client.
Logging Tab
The settings on this tab are used to enable trace logging for Print-IT printers and the Print-IT Print Monitor. If options are enabled, use the input boxes to enter or browse to identify the path and file name of log files. This tab is primarily used by Quest vWorkspace Support to assist in troubleshooting.
497
License Tab
The License tab is only used when Print-IT has been purchased on a per server basis and is not using concurrent user licensing modes.
Server Farm Tab

The Server Farm tab is used to propagate Print-IT property settings to other servers within your server farm.
498
Universal Printing
PRINT-IT PROPERTY SERVER FARM TAB Server Types
DESCRIPTION Filters the display of servers by type. Available types include: Terminal Servers Citrix MetaFrame Servers Provision Networks Servers Custom Server List
Propagate
When selected, Print-IT settings are propagated to all the servers that were selected.
Notification Tab
The Notification tab is used when administrators want a customized print notification to be sent to user sessions.
499
PRINT-IT PROPERTY NOTIFICATION TAB Display notification below when printing Title Message
DESCRIPTION Select this option when a printing notification message is desired. Type the text that is to be displayed on the title bar of the message window. Type the text for the print notification message.
PDF Publisher
This option enables the creation of a PDF file of any print job that is sent to the PDF printer.
500
Universal Printing
PRINT-IT PROPERTY PDF PUBLISHER Create the Print-IT PDF Publisher on this server Show Print-IT PDF Publisher menu items on client
DESCRIPTION When selected, autocreates a PDF Publisher printer for each user session on this server. When selected, a PDF publisher options menu item is added to the Print-IT section of the PNTray context menu.
Print-IT Client Properties

The Print-IT Client Properties is installed as part of the client installation and is used to set various printing options. The Print-It Client properties apply only to autocreated client printers, and not to Print-It printers assigned by the vWorkspace Management Console. The Print-IT Client Properties can be accessed in Control Panel, from the Start option, or from the PNTray as a context menu option once a session to a Terminal Server has been established. The tabs and controls available on the Print-IT Client Properties window are described below.
501
CLIENT PROPERTIES GENERAL TAB Auto-Create Options Auto-create default printer only Creates a printer mapping to the default printer only, on the client device. Auto-create local printers Creates a printer mapping for each local printer defined on the client device. Auto-create network printers Creates a printer mapping for each network printer defined on the client device. Auto-create specified printers only Creates only the printers selected by the user. Performance Options Use Printer Properties Cache Allows printer properties from previous sessions to be cached and used, instead of having to reenumerate them each time a session is set up.
502
Universal Printing
CLIENT PROPERTIES BANDWIDTH TAB Enables the user to specify the amount of bandwidth available for printing, however, the maximum amount of bandwidth is set on the Terminal Server Print-IT properties. CLIENT PROPERTIES LOGGING TAB Enables logging for troubleshooting purposes.
Universal Network Print Services Options

The Universal Network Print Services options of Universal Network Print Server Extensions Option and Universal Print Relay Service for Remote Sites Option exist under the Peripheral Server Extensions in vWorkspace Custom Setup. These options enable file servers to efficiently store user profile settings and enhance the accessibility to corporate and remote site print servers through autocreating and sharing network printers using a single universal printer.
Universal Network Print Server Extensions Option

The Universal Network Print Server Extensions option is used to install the universal print driver on to Microsoft Windows print servers. This option eliminates the need for brand specific print drivers to be installed on to Terminal Servers and hosted desktops; instead using a single, universal print driver. This option can also be used along with the Universal Print Relay Service for Remote Sites to further optimize the printing process.
How to ...
Setup Print-IT Printers Add Network Printers Assign Printers to Clients Universal Print Relay Service for Remote Sites Option
503
Setup Print-IT Printers 1. 2. 3. Open the vWorkspace Management Console. Expand the Resources node, and then click Printers. Click Manage Print-IT Printers on the toolbar of the information pane. It is the computer icon with the letter U.
4. 5. 6. 7.
Click Add on the Print-IT Servers on the Manage Print-IT Printers window. Type the NetBIOS name or IP address of the Windows print server or browse to it by using the ellipses on the Add Print Server window. Click Add on the Print-IT Printers on frame to select printers to be created as Print-IT printers. Browse to the Microsoft Windows Network and select the printer or printers in the Select Network Printer window. You may select printers shared from any Windows server, not just those with Print-IT installed on them. Use Ctrl to make multiple selections.
8.
Click Close to complete the task.
Add Network Printers If a device or print feature is incompatible with Print-IT, use the following steps to configure autocreation of network printers using their native drivers. 1. 2. Open the vWorkspace Management Console. Expand the Resources node, and then click Printers.
504
Universal Printing
3.
Click Manage Network Printers on the toolbar of the information pane. It is the computer icon with the letter N.
4. 5. 6. 7. 8.
Click Add on the Print Server frame on the Manage Network Printers window. Type the NetBIOS name of the Windows print server or use the ellipses to browse to it, on the Add Print Server window. To select printers to be autocreated, select the desired server from the list in the Print Servers frame. Select each print to be autocreated in the Shared Printers on frame. Click Close to complete the task.
Printers created using native Microsoft Windows print drivers are named using the names that appear in the Printer and Faxes folder of the client device. However, once they are added to the vWorkspace database, the name can be changed.
Assign Printers to Clients Print-IT and Network Printers must be assigned to vWorkspace clients before they can be autocreated. 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Resources node, and then click Printers. Click Toggle Client Assignment List Display on the toolbar of the information pane to change the layout. Select a printer or printers from the list of Network Printers or Universal Printers. You may select printers shared from any Windows server, not just those with Print-IT installed on them.
505
5. 6.
Use Assign to assign the printers to clients. Click OK to close the Select Clients window.
Universal Print Relay Service for Remote Sites Option

Universal Print Relay Service for Remote Sites is a WAN-optimized adaptation of the vWorkspace Universal Network Print Services. Organizations with geographically disbursed offices containing one or more local print servers can use Universal Print Relay Service for Remote Sites to allow their branch office users to access and print from server based applications hosted at the central office. Application service providers (ASP) might also use this service to deliver bandwidth efficient printing capabilities to their customers over private links, Internet, and VPN connections. The advantages of using Universal Print Relay Service for Remote Sites include: Clientless printing Print-IT client software does not need to be installed on the remote clients; only Universal Print Relay Service for Remote Sites needs to be installed on the remote site print servers. Bandwidth management Print-IT print streams are sent on a WAN link at a preset rate, specified in Kbps, to prevent a print job from consuming all the available bandwidth. Size optimization Print-IT produces print streams as small as 10 percent of the size of conventional PCL or Postscript print jobs using techniques such as intelligent/partial font embedding, duplicate image removal, and dynamic compression.
The process of deploying the Universal Print Relay Service for Remote Sites involves the following items: Install the Universal Print Relay Service for Remote Sites on the print servers at each remote site. Use the Print-IT Remote Site Relay Control Panel applet to configure network communication parameters and identify the printers that are to be exported to vWorkspace clients when connecting to a vWorkspace infrastructure Terminal Server.
506
Universal Printing
Import the exported network printers from each remote site. Each imported printer is created as a Print-IT printer and shared from a designated Print-IT print server. Assign the Print-IT printers to the appropriate vWorkspace clients.
Mutual machine level authentication can be configured using an assigned shared pass phrase. Once authenticated, the Print-IT Remote Site Relay server and Print-IT Network Print server can encrypt the print data before it is passed across the WAN link, eliminating the requirement for complex Windows or Kerberos trust relations and obtaining commercial server certificates. Universal Print Relay Service for Remote Sites can be configured to use any port that security administrators allow to be open on the firewalls.
How to ...
Configure Universal Print Relay Service for Remote Sites Add Print-IT Remote Relay Servers Import Remote Printers Assign Remote Printers to Clients
Configure Universal Print Relay Service for Remote Sites 1. Open the Print-IT Remote Site Relay applet from the Control Panel. The system opens the Print-IT Remote Site Relay Properties window. Complete the following information on the General tab.
Remote Site Relay Information This section is used to configure the network communication protocol and security used by Universal Print Relay Service for Remote Sites on this server. TCP Port Enter a port number. Default is 82. Secret Pass Phrase Enter a secret pass phrase for mutual machine level authentication when Use Encryption is selected. A maximum of 20 alphanumeric characters is allowed.
2.
507
Use Encryption
Select for encryption between the Print-IT Remote Site Relay server and the Print-IT print server. Select the maximum amount of network bandwidth allowed for passing print data to an exported printer on the Print-IT Remote Site Relay server from a Print-IT server. The bandwidth limit is set on a per exported printer basis, allowing each printer to receive the maximum bandwidth limit.
Bandwidth Control
3.
Complete the following information on the Export List tab. a) Select the printer or printers to be exported to the Print-IT print servers. The list of printers that appear here are the ones that have been installed and shared on the Print-IT Remote Site Relay server. b) Select Properties to set printing preferences for each printer. c) Select Use Printer Properties Cache, if appropriate.
4.
Complete the Logging tab if you need to enable trace logging for troubleshooting.
508
Universal Printing
5.
Click OK.
After making configuration changes using the Print-IT Remote Site Relay Control Panel applet, it may be necessary to restart the vWorkspace Print-IT Remote Site Relay service for the changes to be implemented.
Manage Relay Servers

Once Print-IT Remote Site Relay servers have been configured, their exported printers can be imported into the vWorkspace infrastructure database. In addition to creating a database object representing each printer, the import process also creates and shares a new printer using the Print-IT universal print driver on the designated Print-IT print server. Add Print-IT Remote Relay Servers 1. 2. 3. 4. 5. Open the vWorkspace Management Console. Expand the Resources node, and then select Printers. Click the Manage Print-IT Printers icon from the toolbar of the information pane. Click Site Relay on the Manage Print-IT Printers window. Select the Manage Relay Servers tab.
6. 7.
Click Add. Enter the name or IP address of the Print-IT Remote Site Relay server to be added or browse to select it using the ellipses, and then click OK. Select Add new site on the Add Relay Server window, and then click OK.
509
8.
9.
Enter the name for the new site on the New Printer Relay Site window, and then click OK.
10. Enter the two letter suffix to be used to identify the site, and then click OK. 11. Enter and confirm the secret Pass Phrase to be used for authentication to the Print-IT Remote Site Relay server, and then click OK. 12. Set the TCP Port number to the appropriate value. 13. Set the Bandwidth limit for printing. If a value selected here is higher than the limit defined on the Print-IT Remote Site Relay server, the relay servers value is used. 14. Repeat step 6 to step 11 for each additional remote Print-IT Remote Site Relay servers. 15. Click OK to complete the task. Import Remote Printers 1. 2. 3. 4. 5. 6. 7. 8. 9. Open the vWorkspace Management Console. Expand the Resources node, and then select Printers. Click the Manage Print-IT Printers icon from the toolbar of the details window. Click Site Relay on the Manage Print-IT Printers window. Select the Import Remote Printers tab. Select the Print-IT Remote Site Relay server that is to be used to import the Relay Sites and Relay Servers listed. Select the Print-IT server from the list of Print-IT Servers in which the imported printers are to be created. Click Import Now to start the import process. Review the message box confirming the import process has been initiated, and then click OK.
10. Click Close to close the Print-IT Relay Servers window. 11. Click Close on the Manage Print-IT Printers window. Assign Remote Printers to Clients Printers imported from Print-IT Remote Site Relay servers are assigned to vWorkspace clients in the same manner as Universal Printers and Network Printers. Imported printers are listed under Universal Printers on the details pane of the Resource | Printers section of the vWorkspace Management Console, and have the two letter remote site suffix appended to their names. 1. 2.
510
Open the vWorkspace Management Console. Expand Resources, and then click Printers.
Universal Printing
3.
Do one of the following: a) Right-click on the printer in the navigation pane to which users are to be assigned, and select Assign option. b) Highlight the printer in the navigation pane, and then click the Assign icon, which is the plus sign inside a blue circle.
4.
Select the client or clients for the assignment from the list, and then click OK. You can multiselect by using the Ctrl button.
Printers Window in vWorkspace Management Console

Once printers have been added to the vWorkspace Management Console, you can change the Print-IT printer properties, assign printers to users, and view the printers by using the following path: vWorkspace Management Console| Resources |Printers The Printers window in the details pane includes information such as: Listing of the network printers, as well as the universal printers. Naming conventions for the printers are as follows: Universal printers are designated with a (U) after their name. Printer names that are relay site related appear with the administrator designated two digit suffix.
Printer properties for Print-IT printers can be viewed and edited by right-clicking on the printer.
511
Print-IT Printer Properties

The properties for a Print-IT printer can be set by the vWorkspace administrator. View and Edit Print-IT Printer Properties 1. 2. 3. 4. 5. Open the vWorkspace Management Console. Expand the Resources node, and then click Printers. Click Toggle Client Assignment List Display on the toolbar of the information pane to change the layout. Right-click the printer from the list of Universal Printers. Select Properties from the context menu to view and edit the properties.
512
Universal Printing
Print-IT Server Print-IT Printer Name
Identifies the name of the Print-IT print server hosting this printer. This property is read-only. Displays the name of the Print-IT printer as it appears to the vWorkspace client. The Print-IT Printer Name can be changed.
List in Directory Print Data Format
Controls whether or not this printer is to be published in Active Directory. Choose between PDF and EMF.
513
Performance Options
Provides controls that influence printing performance. The specific controls depend on the Print Data Format selected. For PDF format the available controls are: B & W Image Compression Color Image Compression Color Image Quality Level Duplicate Images Removal For EMF format, the available controls are: Data Compression Level JPEG Image Compression Level
Client Assignments
Use to view or modify the list of vWorkspace clients to which this printer is assigned.
6.
Click OK to complete the task and save changes.
OR
Click Cancel to close without saving changes.
514
25
USB Devices
About USB Devices USB Redirection USB-IT
About USB Devices

From headsets to mobile devices, USB devices are frequently used, but can sometimes be problematic when used in a virtualized environment. However, with the vWorkspace features of USB Redirection and USB-IT, USB device integration issues can be solved.
USB Redirection
USB Redirection enables the use of virtually any USB connected device (PDAs, local printers, scanners, cameras, headsets) to be used in conjunction with VDI. Users can connect multiple USB devices and then decide which devices to share.
USB keyboards and mice are automatically excluded and are not shared. However, USB composite keyboards are not automatically excluded.
Requirements
USB Redirection needs to be installed on a VDI machine along with PNTools. An Enterprise, VDI, or Power Tools license is also required to use this feature.
USB Redirection Client

The USB Redirection client side contains the following components: Control Panel Applet System tray display Microsoft Windows Service component
516
USB Devices
USB Redirection Client Applet

The USB Redirection Client applet is available from the Control Panel setting. The client Control Panel applet appears as follows:
Share
Selecting this option makes the device available to the server. When a device is shared, it is unavailable to the client machine. Selecting this option makes the device unavailable to the server, which makes it available to the client machine. Selecting this option excludes this device from being shared. See Note in Auto-connect devices.
Unshare Exclude
Unexclude
Selecting this option allows the device to automatically be shared.
517
Properties
Selecting this option displays the USB Device Properties window. The ability to add an optional nickname for the device is included in the properties. Information on this window includes: Nickname Name Location Serial Number Information Status
Auto-share devices
Selecting this checkbox allows the connected devices to automatically be shared with the server. Note: If a user is going to select this option and they are using a USB keyboard or mouse, they need to exclude those devices before selecting this checkbox. The keyboard and mouse will not function locally on the client while being shared.
Use Taskbar Icon
Selecting this checkbox allows the system tray to be used.
USB Redirection Client System Tray

The client system tray becomes available when the USB Redirection icon is selected.
Devices are listed with their name, current status, and if they are shared (indicated with a checkmark) or excluded (indicated with an X). To share a device using the system tray, click on it. To exclude a device using the system tray, use CTRL + left-click.
518
USB Devices
The option Advanced is used to display the Control Panel applet.
USB Redirection Client Services

A Microsoft Windows Services option is available for the client side.
USB Redirection Server

The USB Redirection client side contains the following components: Control Panel Applet System tray display Microsoft Windows Service component
519
USB Redirection Server Applet

The server Control Panel applet appears as follows:
Connect Disconnect Exclude
Selecting this option enables the device on the server. Selecting this option disables the device on the server. Selecting this option excludes the device from being automatically connected. See Auto-connect devices.
Unexclude Properties Auto-connect devices
Selecting this option allows the device to be automatically connected. Selecting this option displays the USB Device Properties window. Selecting this checkbox allows devices to be automatically connected when they are available to the server. Selecting this checkbox allows the system tray to be used.
Use Taskbar Icon
520
USB Devices
USB Redirection Server System Tray

The server system tray becomes available when the USB Redirection icon is selected.
Devices are listed with their name, current status, and if they are shared (indicated with a checkmark) or excluded (indicated with an X). To share a device using the system tray, click on it. To exclude a device using the system tray, use CTRL + left-click. The option Advanced is used to display the Control Panel applet. The server-side system tray appears like this:
USB Redirection Server Services

A Microsoft Windows Services option is available for the server side.
521
How to ...
Manage USB Devices USB Redirection needs to be installed on the VDI machine, in addition to PNTools. 1. 2. Open the USB Redirection Control Panel applet. As devices are plugged in, they appear on the device list. Highlight a device from the list and select one of the options, as appropriate. If users are using a USB keyboard or mouse, prior to selecting the Auto-share devices checkbox, they need to exclude those devices, If those devices are not excluded on the list, they do not function on the client while being shared.
USB-IT
USB-IT enables Terminal Server and Citrix Presentation Server clients to seamlessly access their USB-based handhelds over RDP and ICA connections. With USB-IT, the Blackberry Desktop Manager, the Palm Desktop, and the ActiveSync software can be installed and published on the server. Users can instantly access to their handhelds for the purpose of synchronizing e-mail, calendar, contacts, and other personal information with back-end messaging and collaboration systems such as Microsoft Exchange and Lotus Domino. USB-IT supports all BlackBerry models; Palm and OEM handhelds running Palm OS; and Windows CE-based Pocket PC devices. USB-IT requires a plug-in on the client, which when installed, registers automatically with the ICA and RDC (Remote Desktop Connection) clients. Third-party WIN32 RDP clients capable of loading a virtual channel driver also can use USB-IT. In order to take advantage of USB-IT, the appropriate components must be installed on the client devices and Terminal Servers as follows: Terminal Servers USB-IT is installed onto Terminal Servers by selecting the PDA Redirection (USB-IT) feature listed under Power Tools for Terminal Servers. vWorkspace Client (AppPortal and Web Interface) PDA Redirection (USB-IT) is automatically installed when the vWorkspace client software is installed.
522
USB Devices
Citrix ICA and Microsoft RDP clients A separate installation package is available for download to install PDA Redirection (USB-IT) on client devices. The packages are available on the Quest vWorkspace Web site in the Power Tools Clients section of the Quest vWorkspace download Web site: pnusbcli.cab, pnusbcli.exe, or pnusbcli.msi.
How USB-IT Works

USB-IT features a virtual USB hub controller that provides true USB support for three distinct handheld devices, BlackBerry, Palm, and Windows CE-based Pocket PC.
How to ...
Configure USB-IT 1. Start the USB-IT Control Panel applet (Terminal Servers).
2. 3. 4.
Select the Devices tab. Select the class of handhelds. Click Add.
523
5. 6. 7. 8.
Specify the maximum number of device instances that are to be supported simultaneously on the server. Repeat the process for other handhelds, as appropriate. Repeat process on all Terminal Servers or Citrix Presentation Servers, as appropriate. Select USB Handhelds in the vWorkspace client, AppPortal using the following path: Manage Connections | Local Resources |
524
26
Workload Management and Performance Optimization
About Workload Management Performance Optimization View VM Optimization Results
About Workload Management

Workload management, also known as load-balancing, can be enabled in a Quest vWorkspace infrastructure when published applications are hosted on multiple Terminal Servers. Workload evaluators are assigned to either a published application or a Terminal Servers.
How Workload Management Works

Based on the workload evaluator assigned, the server evaluates its current workload and reports that value to the Connection Broker. Connection Brokers maintain a memory table of the current workload index of each server on which workload management has been enabled. When a Connection Broker receives a client request to connect to a published application, it queries the list of servers on which the application is hosted and determines which one currently has the lowest workload index value. The address of the least busy server is then returned to the vWorkspace client. When the vWorkspace client completes the connection to the least busy server, that servers load is changed. The new workload is then reevaluated and reported to the Connection Broker. It is important to note that workload evaluation applies only when a vWorkspace client initiates a request for a new connection. If a vWorkspace client is already connected to a Terminal Server and requests to start another application that is available on that same server, the application is run through the existing session and workload evaluation is not applied. Multiple counters can be included in a workload evaluator. Each counter within a workload evaluator has an upper and lower threshold setting that is used to determine when the server is under maximum or minimum load based on that counter. Each counter can also be assigned a weight which can be used to adjust the relative importance of one counter over another.
526
The available counters are:

COUNTER NAME Context Switches Per Second DESCRIPTION This counter measures the overall rate of switches from one thread to another. Thread switches can occur either inside a single process or across processes. A thread switch can be caused by one thread asking another for information, or by a thread being preempted by another higher priority thread. CPU Load This counter measures the percentage of time CPUs in the system are actively executing threads belonging to processes. This counter does not include the System Idle Process. CPU Queue Length This counter measures the number of threads in the processor queue. Unlike disk queue, processor queue length shows ready threads, not threads that are currently running. There is a single queue for processor time, even on systems with multiple processor cores and sockets. Therefore, if the system has multiple processors, you need to divide this value by the number of processors servicing the workload. A sustained processor queue of less than 10 threads per processor is usually acceptable. Disk Load Disk Queue Length This counter measures the percentage of time the disks in the system are active. This counter measures the average number of read and write requests that were queued for the selected disk during the sampling interval.
527
COUNTER NAME Interrupts Per Second
DESCRIPTION This counter measures the average number of hardware interrupts that were received and serviced by the processor each second. Interrupts per second is an indirect indicator of the activity of hardware devices in the system that generate interrupt requests, such as the system clock, disk drives, and network interface cards. These devices generate interrupt requests when they complete a task or need attention from the processor. Each serviced interrupt request consumes CPU time, so an excessive amount can degrade system performance and can be an indicator of a malfunctioning device.
Memory Load Memory Pool Pages Bytes
This counter measures the percentage of memory being used by the system. This counter measures the size, in bytes, of the paged pool. The paged pool is an area of physical memory used by the system for objects that can be written to disk (paged) when they are not being actively used.
Number of Processes Number of Users
This counter measures the total number of process contexts currently running on the system. This counter measures the total number of user sessions for which the operating system is currently storing computer state information. This counter measures the overall rate at which faulted pages are handled by the processor. This counter includes both hard faults (where the memory page has to be retrieved from disk) and soft faults (where the data is stored elsewhere in physical memory). A page fault occurs when a process requires code or data that is not in its space in physical memory. Most processors can handle large numbers of soft faults without consequence. However, hard faults can cause significant performance delays.
Page Faults Per Second
Pages Per Second
This counter measures the number of pages written to or read from disk to resolve hard page faults.
528
COUNTER NAME Redirector Current Commands
DESCRIPTION This counter measures the number of requests to the redirector that are currently queued for service. If this counter is much larger than the number of NICs installed on the system, then network throughput is likely becoming a bottleneck.
Workload Management on Terminal Servers

To enable workload management of vWorkspace enabled Terminal Servers, the following conditions must be met: The Terminal Services Enhancements (Provision-IT) feature must be installed on one or more Terminal Servers in the vWorkspace infrastructure. The setting Accept least busy connection requests must be enabled (it is by default) on each Terminal Server that participates in workload management. This setting is found on the General tab of the Terminal Server properties under Roles. The Terminal Server must host at least one of the configured managed applications. A workload evaluator must be assigned to either the server or a managed application hosted on the server.
Workload Evaluator Guidelines

Consider these guidelines when using workload evaluators: Use as few counters as possible. Each counter used in a workload evaluator requires additional processing. Use the counters that are most likely to reflect the critical resources of the server. For example, a server with insufficient memory would likely need a workload evaluator that uses the Memory Load and Pages Per Second counters. Avoid using extreme limits for counters that use percentages for minimum and maximum values. Use a counter only if you understand its meaning and what values are appropriate.
529
Group Terminal Servers by their hardware configuration and applications hosted on them. Workload evaluators can be created and optimized for specific hardware or application groups.
How to ...
Create Workload Evaluators Assign Workload Evaluators to Servers Assign Workload Evaluators to Managed Applications
Create Workload Evaluators The Number of Users counter is the default workload evaluator assigned by the system, and its values can not be modified. 1. 2. Open the vWorkspace Management Console, and select the Workload Evaluators node. Start New Workload Evaluator by right-clicking on Workload Evaluators, or the green + icon on the toolbar of the navigation or information panes.
530
3. 4. 5. 6. 7.
Enter a name for the new workload evaluator in the Name box, on the New Workload Evaluator Properties window. Enter a description for the new workload evaluator in the Description box. This is optional. Select Report full load when at least one counter has reached its maximum value, if appropriate. Select the counter to be used by clicking in the Assigned column. Set the minimum value for each counter selected by clicking on its current value in the Min Value column, and then type a new value in the input box and click OK. Set the maximum value for each counter selected by clicking on its current value in the Max Value column, and then type a new value in the input box and click OK. Set the weight value for each counter selected by clicking on its current value in the Weight column, and then select a new value from the drop-down list.
8.
9.
10. Click OK to complete the task of creating a new workload evaluator. Assign Workload Evaluators to Servers 1. 2. 3. 4. 5. 6. 7. Open the vWorkspace Management Console. Expand the Locations node, and then expand the location in which the Terminal Server is located. Expand the Terminal Servers node, and then highlight the Terminal Server. Activate the context menu for the server object that the workload evaluator is to be assigned, and select Properties. Click the Workload Management tab from the [Server_name] Properties window. Select the desired workload evaluator from the Workload Evaluator drop-down list box. Click OK to complete the task.
Assign Workload Evaluators to Managed Applications You may need to assign workload evaluators to specific published applications if the number of instances of the application must be restricted due to licensing constraints or the application consumes a lot of system resources. 1. 2. 3. Open the vWorkspace Management Console. Expand the Resources node, and then Managed Applications node. Open the Properties for the desired published application.
531
4. 5. 6.
Click on Workload Management on the Managed Applications Properties window. Select the workload evaluator from the Workload Evaluator drop-down list. Click OK to complete the task.
CPU and Memory Optimization (Max-IT) is a Power Tools for Terminal Server used to improve application response time and increase overall server capacity by streamlining and optimizing the use of virtual memory and CPU resources in a multi-user environment.
Max-IT should not be installed on the same machine as the Connection Broker.
About CPU Utilization Management

CPU Utilization Management improves application response times by ensuring that users and programs receive CPU resources. The following is a list of issues pertaining to CPU scheduling in a multi-user environment: Due to design limitations and programming techniques, many applications monopolize the servers processors. Such applications are often referred to as rogue or runaway applications. A rogue or runaway application is one whose threads use up excessive amounts of CPU resources. In other words, they consistently remain in the running state for the entire lifetime of their allotted time slice. A time slice is often referred as quantum, and its value is typically 10 to 15 milliseconds (hardware-dependent). Windows scheduler does not include a fair sharing mechanism. It does not prevent rogue applications from consuming all of the CPU time. Priority boosting performed by Windows balance set manager does not effectively address the CPU issues caused by runaway applications, especially in Terminal Server environments.
532
From a CPU management perspective, the thread priorities of interest are Waiting, Ready, and Running. In the case of a word processor, the latter could be waiting for user input. As soon as it receives input, it is ready to run, and as soon as the processor becomes free, it runs. Given two threads in the Ready state, the scheduler always favors the process with the higher priority level over the other.
CPU Utilization Management ensures that each running process receives CPU resources to enable it to run smoothly and coexist alongside CPU hungry and rogue applications by implementing the following: A fixed share of CPU resources is reserved to NT Authority. By default, this share is 20 percent. The target percent CPU time is then computed as follows, where Reserved is the percent CPU share reserved for NT Authority: (100 - Reserved) / (number of active processes) The average percent CPU time is calculated for each active process. Those processes whose average percent CPU time has fallen below the target percent CPU time have their priority levels set to Normal. Those processes whose average percent CPU time has risen above the target percent CPU time have their priority levels set to Below Normal. Those processes whose average percent CPU time has fallen to zero have their priority levels set to Above Normal. The above process is then repeated every several hundred milliseconds. The default setting is 100 milliseconds.
About Virtual Memory Optimization

Below is a list of background items to consider for memory management in a multi-user environment: Every executable and DLL module has a preferred base address which represents the ideal location where the module should get mapped inside the processs address space. When a software developer builds a DLL module, the linker sets the preferred base address at 0x10000000.
533
When two or more modules are loaded, each having the same preferred base address, a memory space conflict occurs. The operating systems memory manager has to resolve this conflict by relocating one of the conflicting modules into another base address. It then has to recalculate all the offset addresses defined within the module relative to this new base address. Relocating DLLs and performing the necessary fix-up operations is taxing on system resources. The loader has to relocate hundreds of DLLs and modify a significant portion each code. This leads to more memory consumption, excessive copy on write operations, and additional CPU cycles. This runtime overhead can be very damaging to the performance of a system and should be avoided. When multiplied by the number of users on a Terminal Server, this overhead can have implications on performance and application response times.
vWorkspace Virtual Memory Optimization significantly increases the performance and capacity of a Terminal Server by performing two optimization techniques: module rebasing and module rebinding. Module Rebasing A process by which colliding DLLs are identified and relocated to unique base addresses within the virtual memory spaces of their respective programs. This technique drastically reduces virtual memory requirements, page file usage, and I/O operations. Module Binding Fine-tunes the import section of a given module according to the new base addresses of the rebased DLLs. This technique accelerates application load times and yields further reductions in virtual memory requirements and page file usage.
The Virtual Memory Optimization system continuously monitors which DLLs are being loaded by applications and identifies the DLLs that cause collisions. When a future request is made to load the module, it automatically loads in a new base address to avoid conflict. After collecting sufficient data, Virtual Memory Optimization can then further enhance performance by permanently rebasing the colliding DLLs and perform the necessary code fix-up operations. Some of the benefits include: DLLs that have been optimized by Virtual Memory Optimization no longer require relocations or fixes by the loader. Less physical memory is consumed. Working set trimming no longer requires that working sets be swapped out to the paging file (copy on write) before the trimming can occur.
534
Significant reductions in the overhead associated with relocation and fix-up operations. When multiplied by the number of users on a Terminal Server, the results can be an overall capacity increase of 25 to 30 percent.
Install CPU and Memory Optimization

CPU and Virtual Memory Optimization is a feature of Power Tools for Terminal Servers. It is available only when the vWorkspace installer package is executed on a Windows server with Terminal Services (Application Server Mode) installed. Virtual Memory Optimization and CPU Utilization Management are sufeatures of CPU and Virtual Memory Optimization allowing them to be installed independently.
Enable CPU and Memory Optimization

Virtual Memory Optimization and CPU Utilization Management are disabled by default even after being installed. To enable them, use the following steps: 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Locations node, and then expand the location in which the Terminal Server is located. Expand the Terminal Servers node, and then highlight the Terminal Server. Open the Properties for the Terminal Server object that is to be enabled.
535
5.
Select the Performance Optimization tab of the [Server_name] Properties window.
6. 7.
Select the option that is to be installed. Click OK to close the window.
Max-IT Master Policy Settings

Max-IT Master Policy is used to set the default CPU Utilization and Virtual Memory Optimization settings used by all Terminal Servers in the vWorkspace infrastructure. Max-IT Server Policy can then be configured to override master policy settings on a per server basis as needed. Max-IT Master Policy is accessed from the vWorkspace Management Console by expanding Performance Optimization in the navigation pane, and then selecting the Servers node. Max-IT Master Policy command is available from either the toolbar or the Servers node context menu. The Max-IT Master Policy window tabs are described as follows:
536
General VM Default Optimization VM Exception Files
CPU Policy Advanced
General
GENERAL TAB VIRTUAL MEMORY OPTIMIZATIONS Analysis Interval Specifies the sampling interval for detecting memory load address collisions. At the specified interval, Max-IT VM Optimization takes a snapshot of what applications are loaded into memory and detects any load address collisions. Applications that are started and then closed within the sampling interval are not included in the analysis.
537
GENERAL TAB Optimization Time Specifies what time of day virtual memory optimizations are applied. The optimizations applied are based on the settings found on the VM Default Optimizations and VM Exception Files tabs. Applying virtual memory optimizations has the potential for consuming large amounts of system resources and should be performed at a time when user activity will be low. CPU Utilization Management Sampling Interval (Milliseconds) Determines how often process average calculations are performed and priority adjustments are made. Shorter intervals result in a more even distribution of processor time, but at the expense of higher system overhead. Determines the number of sampling points used when calculating average percent CPU time of processes.
Sampling History Depth
VM Default Optimization
538
VM DEFAULT OPTIMIZATION TAB Applications (EXE, etc.) The two optimization options available for applications are: Allow applications to load rebased modules (rebasing). Allow applications to be bound and to load bound modules (binding). Modules (DLL,OCX, etc.) The two optimization options available for modules are: Allow modules to be rebased (rebasing). Allow modules to be bound (binding).
VM Exception Files
Some applications and modules do not work properly when rebased or bound, such as any executable or module file that has been digitally signed. This is because the rebasing and binding information is written to the alternate data stream of the file. Because of this file modification, the binary hash the digital certificate was based on is no longer valid and the file is rendered unusable. These files must be excluded from rebasing and binding.
539
The Applications and Modules tabs include a list of preconfigured executable and module files that are known to have problems with rebasing and binding. Use the Add, Remove, or Browse buttons to modify the list. After adding a file, select it from the list and use the buttons to the right to control the level of optimization to apply. The optimization option buttons are: Rebasing Only Binding Only Rebasing and Binding No Optimizations
CPU Policy
The CPU Policy tab is used to control how CPU Utilization adjustments are applied.
540
CPU POLICY TAB Policy Type Policy type is used to control how CPU allocation rules are applied. The three policy types are: User/Group CPU rules can be assigned based on any combination of user accounts, group accounts, or Active Directory Organizational Units. OS CPU Allocation OS CPU Allocation is used to guarantee the operating system will have a minimum percentage of the systems total CPU time. The default value is 20%. Application CPU utilization rules can be assigned to specific applications. User/Group Rules This tab is used to view or modify CPU Allocation when Policy Type is set to User/Group. The Add and Remove buttons are used for users, groups, and organizational units. The Up and Down arrow buttons are used to adjust priority for user entries who are also members of a listed group or OU. Entries higher in the list take precedence over lower ones. For each entry, use the CPU Allocation column to set the minimum guaranteed CPU time allotment. There are three ways CPU Allocation can be modified: 1. Double-click on the CPU Allocation column and select a value from the context menu. 2. Click on the ellipses to the right of the CPU Allocation column and select a value from the context menu 3. Click on the existing value in the CPU Allocation column, and hold down the left mouse button, to drag and adjust the value.
541
CPU POLICY TAB Application Rules This tab is used to view or modify CPU Allocation when Policy Type is set to Application. Use the Add or Remove buttons to add or remove an application entry name. Use the CPU Allocation column to set minimum guaranteed CPU time allotment for the selected application. There are three ways CPU Allocation can be modified: 1. Double-click on the CPU Allocation column and select a value from the context menu. 2. Click on the ellipses to the right of the CPU Allocation column and select a value from the context menu 3. Click on the existing value in the CPU Allocation column, and hold down the left mouse button, to drag and adjust the value. Application Executables This tab is used to build a list of executable program files and associate them with the appropriate application entries defined on the Application Rules tab when Policy Type is set to Application. Use the Add button to add an executable, identify its parent process (if any), and associate it with an application rule. Files may be entered individually or you can choose to select all the files contained in a specified folder. Use the Remove button to remove an application executable entry. Use the Up and Down arrow buttons to adjust priority for application executables that are included in multiple rules. Entries higher on the list take precedence over lower ones. Allocation Type This tab controls whether CPU allocation rules are based on percentages or shares. Percentage CPU allocation by percentage guarantees the user, group, or application a minimum percentage of the available CPU time. Available CPU time is 100% - OS CPU Allocation. Shares Each entry is given a percentage of CPU time based on the number of shares assigned to the entry divided by the total number of assigned shares. For example, if user A is assigned 25 shares and user B is assigned 50 shares, then user A is allocated 33.3% of the available CPU time and user B is allocated 66.7%.
542
Advanced
This tab is used to reset the exception lists to the default values.
Max-IT Server Policy

By default, all Terminal Servers in the vWorkspace infrastructure on which performance optimization has been enabled use the Max-IT Master Policy. However, it might be necessary to set the Max-IT policy on a per server basis. An example of this would be when the VM Exception Files list must be modified because a different set of applications is installed on one or more of the Terminal Servers.
How to ...
Set the Max-IT Policy for Specific Servers 1. 2. 3. Open the vWorkspace Management Console. Expand the Performance Optimization, and the Servers node. Right-click on the server object, and select Max-IT Server Policy from the context menu.
543
4.
Click on the tab associated with the portion of the policy that needs to be different from the Master Policy, and click Use these settings for server [server_name]. Enter the changes as appropriate, clicking Apply for each tab that is changed.
5.
6.
Click OK to save the changes.
View VM Optimization Results

The results of virtual memory optimization can be viewed in various forms within the vWorkspace Management Console. Viewing these results can help the vWorkspace administrator fine-tune the virtual memory optimizations. Results can be viewed by session summary, for a specific session, or by application.
How to ...
View Session Summary Information View Results for a Specific Session View Results per Application
544
View Session Summary Information 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Performance Optimization and Servers nodes. Expand the desired server object. Click on the Optimization Sessions container object. The Optimization Summary by Session graph is displayed in the information pane on the right. The vertical axis displays the cumulative amount (in megabytes) of memory savings. The horizontal axis displays the date and time of each optimization event.
To avoid unnecessary recalculations by Max-IT, binding should be delayed until the graph is flat.
View Results for a Specific Session 1. 2. 3. 4. 5. Open the vWorkspace Management Console. Expand the Performance Optimization and Servers nodes. Expand the desired server object. Expand the Optimization Sessions container object. Click on the appropriate date and time to display a graph showing the current (blue) and possible (green) virtual memory savings. Under the Optimization Sessions container object each optimization event is listed in chronological order by the date and time of its occurrence. View Results per Application 1. 2. 3. 4. Open the vWorkspace Management Console. Expand the Performance Optimization and Servers nodes. Expand the desired server object. Click on the Optimized Applications container object. The Per-Application Virtual Memory Usage and Savings graph is displayed in the right panel.
Vertical Axis Horizontal Axis Red bar Displays memory in kilobytes. Displays the name of the executables. Shows the amount of virtual memory used by the executable before rebasing. 545
Yellow bar
Shows the amount of virtual memory used by the executable after rebasing. Represents the current memory savings as a result of optimization. Represents the possible memory savings as a result of optimization.
Blue bar
Green bar
Ideally, the blue and green bars for all executables should be equal. At this point it is safe to implement binding as long as no changes are made to the applications installed on the servers.
Manually Apply Optimizations

Virtual memory optimizations are automatically applied based on the Optimization Time setting of the Max-IT Masters Policy and Max-IT Server Policy. However, optimizations can also be applied manually by selecting Optimize Now. The Optimize Now icon is available from the toolbar of the information pane when a server object, or any object under the server object, is selected in the navigation pane under the Performance Optimization | Servers container. The context menu for the Optimization Sessions and Optimized Applications containers, and all objects under these containers, include the option Run Max-IT Optimizations, which can also be used to manually apply optimizations.
546
Appendix A
Best Practices
Listed in this section are recommendations for best practice procedures.
General
Keep VDI naming conventions and workstation names to be created below 15 characters. Put in AV directory scanning exception for the locally cached database folder C:\Program Files\ Quest Software\vWorkspace\Database on the Connection Broker.

The Connection Broker does not constantly poll the VirtualCenter SDK interface for updates because this proves too taxing on the VirtualCenter resources. When checking power states of virtual machines, always run Summary | Update Power States of the managed computer group to easily update all virtual machines. When doing LDAP queries for new users, groups, OUs, or Computer/ Client Names (to add as a client resource) in a medium or large AD environment, you should not use * for the filter as this could result in an excessively long search time. Once licensing for Standard or Enterprise environments has been installed, do not edit the customer information because this will change the VMAC which invalidates the license. When running the Add Desktops wizard, always reimport Templates, Folders, and Resource Pools/ Datastores to ensure accurate values. As a general rule, set the inactivity timeout for idle desktops to something reasonable for your business requirements, such as 2 or more hours. The default of 15 minutes causes slower start times for users when connecting to a suspended desktop. To change this setting, right-click the Computer Services node in the vWorkspace Management Console, choose Properties | Connection Broker and set the Inactivity Timeout to 2 to 12 Hours.
547
Services
When manually starting vWorkspace services, always start the Provision Networks Database Manager service first. It retrieves configuration data stored in the database. This ensures the latest configuration settings are obtained. Next, start the Provision Networks Registry Service. It applies the configuration settings to the registry. The start order for the remaining services does not matter because those remaining services have the latest configuration. Set the recovery method to Restart the service for the first failure for the following services. Provision Networks Database Manager Service Provision Networks Registry Service Provision Networks Connection Broker Service
Connection Broker
The Connection Broker needs enough resources to support the login, authentication, and SQL query tasks that it must perform. A DuoCore processor with 2 GBs of RAM should suffice for a Connection Broker on a physical server (for a large farm). Dual processors and 2 GBs of RAM should suffice for a Connection Broker on a virtual machine. Turn on farm database caching once the farm is configured properly. This will speed up database information retrieval for Provision Networks services. When changing settings within the vWorkspace Management Console, all changes are done directly on the database. Set the virtual memory high and low threshold to be equal to prevent fragmentation of the pagefile.
Sysprep Template
VMware VirtualCenter places its sysprep files in the following location: InstallFilesPath=C:\sysprep\i386 Always use FQDN for the domain name. Always use the format domain\username when entering domain credentials.
548
VirtualCenter Server
If you encounter issues creating desktops, you should first restart the VirtualCenter server or, at the very least, restart the VMware VirtualCenter Server service. On your VirtualCenter server, be sure to populate the C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\sysprep\xp with the appropriate Windows XP Professional sysprep files. Do the same corresponding sysprep file setup for Windows Server 2003 if it is used for virtual machine creation. Prior to creating any virtual machines in a managed computer group, make sure that VirtualCenter can successfully deploy a virtual machine from the template using guest OS customizations. a) Set the Inventory view to Virtual Machines and Templates. b) Navigate to the template, right-click and select Deploy Virtual Machine from this Template. c) The Deploy Template Wizard starts. Mimic the responses that are to be used to create a virtual machine within the Add Desktops Wizard (in the vWorkspace Management Console). On the Select Guest Customization Option window, select Customize Using the Customization Wizard. Mimic the responses needed to create the sysprep template during the Add Desktops Wizard. d) It is a good idea to observe the sysprep mini-setup by opening a console to the newly cloned virtual machine. Information can be gleaned from the command prompt during the mini-setup for troubleshooting purposes by pressing Shift + F10 (while the screen focus is on the console). e) If you receive the error, Unable to communicate with the remote host, since it is disconnected, 30 seconds or so after creating a virtual machine through the Add Desktops Wizard, the template has been orphaned and needs to be reregistered in VirtualCenter. Restarting the VirtualCenter server may accomplish this task.
VirtualCenter Templates
Do not add the workstation to a domain to avoid group policies from being pushed down. Install the latest version of VMTools which is compatible with your VirtualCenter.
549
Some AV software prevents VMTools from installing VMwares version of the mouse, network, and display drivers. VMTools installation fails if this is the case. If CD autoplay features are disabled, VMTools fails because VirtualCenter loads VMTools as a CD prior to installing it.
Turn on Remote Desktop and Remote Assistance under System properties. If Remote Desktop is denied, the managed computer hangs on the Initialize task. To correct remove from group, enable Remote Desktop, and import into the group. Remote Assistance is enabled to allow shadowing.
If Windows Firewall is turned on, the following ports need to be opened. These firewall openings are best executed with GPOs. File and Print Sharing associated ports UDP 137, UDP 138, UDP 445, TCP 139, and TCP 445. Remote Administration ports TCP 139 and TCP 445. Remote Desktop TCP 3389. Connection Broker (communication to the Data Collector Service ) TCP 5203, TCP 5201.
Uninstall any out-of-date version of PNTools. (Optional) Install the latest version of PNTools. This enables the virtual machine to be ready for logon sooner (obviates the need to install PNTools from the console after virtual machine creation). When Print-IT or USB-IT needs to be configured differently than the default settings, you must install PNTools on the template, as it would be unwieldy to individually install and configure Print-IT or USB-IT on each managed virtual machine. If this method is used, four registry values need to be removed after installing PNTools on the template, if this managed computer has been added to a managed computer group. These values uniquely identify the virtual machine to the managed computer group and if left in place, prevent cloned virtual machines from joining the managed computer group. These registry values are listed below. HKLM\Software\Provision Networks\Common\ComputerID HKLM\Software\Provision Networks\Common\PublicKey HKLM\Software\Provision Networks\Common\VMStatusInterval HKLM\Software\Provision Networks\Common\LLMServerList
550
If USB PDA redirection is utilized, make sure to add the Handheld Device Redirection feature for the PNTools. It is not added with the default install of PNTools. Also, in Device Manager, see if the USB-IT Host Controller (under Universal Serial Bus Controllers) is working correctly. If not, the files usbd.sys and usbhub.sys may need to be added to the C:\Windows\system32\drivers directory prior to adding the Handheld Device Redirection feature. Disable unneeded services, like the Indexing Service, unless there is a strong reason to enable them. Install Antivirus software and keep it current. In todays world of viruses that are efficient at exploitation and replication, an OS installation routine has to merely initialize the network subsystem to be vulnerable to attack. By deploying virtual machines with up-to-date antivirus protection, this exposure is limited. Keep the antivirus software current every month by converting the templates to virtual machines, powering on, and updating the signature files. Ensure the Antivirus is configured so that it does not block the TCP ports: UDP 137, UDP 138, UDP 445, TCP 139, TCP 445, TCP 3389, TCP 5201,TCP 5203.
Install the latest operating system patches, and stay current with the latest releases. Operating system vulnerabilities can increase exposure to exploitation significantly, and current antivirus software isnt enough to keep exposure to a minimum. When updating antivirus software, apply any relevant OS patches and hotfixes. Use the template Notes field to store update records. This is a good way to keep information about the maintenance of the template in the template itself, and the Notes field is a great place to keep informal update records. Plan for VMware ESX Server capacity for template management. The act of converting a template to a virtual machine, powering it on, accessing the network to obtain updates, shutting down, and converting back to template requires available ESX Server resources. Make sure there are ample resources for this very important activity.
Use a quarantined network connection for updating templates. The whole point of keeping antivirus and operating systems current is to avoid exploitation, so leverage the ability of ESX Server to segregate different kinds of network traffic, and apply updates in a quarantined network.
551
Use the same datastore for storing and for powered on templates. During the process of converting templates to virtual machines, do not deploy the template to another datastore. It is faster and more efficient to keep the template files in the same place before and after the update. Install the VMware Tools in the template. The VMware Tools include optimized drivers for the virtualized hardware components that use fewer physical host resources. Installing the VMware Tools in the template saves time and reduces the chance that a sub optimally configured virtual machine will be deployed to your production ESX Server infrastructure. Use a standardized naming convention for templates. Some inventory panel views do not offer you the opportunity to sort by type, so create a standard prefix for templates to help you identify them by sorting by name. Also, be sure to include enough descriptive information in the template name to know what is contained in the template.
Defragment of the guest OS file system before converting to template is important. Most operating system installation programs create a highly fragmented file system even before the system begins its useful life. Remove Nonpresent Hidden Devices from Templates. This problem likely occurs only if you convert existing physical images to templates. Windows stores configuration information about certain devices, notably network devices, even after they are removed from the system. Refer to Microsoft TechNet article 269155 for removal instructions. Use Folders to organize and manage templates. Folders can be both an organizational and security container. Create Active Directory groups that map to VirtualCenter roles, rather than assign VirtualCenter roles to individual user accounts. Disable COM ports to decrease unnecessary context switches.
Failover Protection
On VMware VirtualCenter, a single cluster of available servers provides a larger pool of hardware to support the environment and provide better fault tolerance. Within this cluster, create at least two Resource Pools, one for Infrastructure (Servers/Brokers) and one for VDI. Create appropriate resource allocations for each. Employ at least two Connection Brokers in a farm. Make sure the vWorkspace clients are configured with all the Connection Brokers in the farm.
552
The Connection Broker directs a user to a temporary, permanently assigned desktop until the original is brought back online. Any user shell folders that need to be persisted should be redirected to a network location, such as Application Data, Personal (users home directory) and My Pictures subfolder, Desktop, Start Menu and its subfolders (Programs and Startup), Favorites, History, NetHood, PrintHood, SendTo, Cookies, and Templates. Redirection is done through GPOs or scripting.
High Availability
If two or more Connection Brokers are VMware virtual machines and DRS is utilized, a rule should be set to separate the brokers between physical ESX servers at all times. SQL database: SQL clustering may be implemented to achieve SQL HA. Maintain a reserve of managed computers (temporary) in case one ESX server fails and desktops are unavailable (assuming VMwares HA is not utilized). This excess capacity can easily be calculated by dividing the number of concurrent computers needed by the number of ESX servers housing the managed computers. For example, if you have business requirements for 100 concurrent managed computers implemented using 12 ESX servers hosting the virtual desktops, then divide 100 12 = 8 reserve desktops. Therefore, provision 100 + 8 = 108 desktops to ensure adequate desktop resources. Allocate those reserve desktops evenly among the ESX servers.
Other Protections
Create an SQL maintenance plan to backup the vWorkspace database regularly. Ensure that both the VirtualCenter and the vWorkspace Database are set for simple recovery within the SQL Management Console to minimize the maintenance and backup requirements.
553
554
Appendix B
About the Config.xml File
The config.xml file controls client settings on the AppPortal. If you choose to configure this file, there are a few items that need to be considered. A template file is located in the following folder on your Connection Broker Server: \Program Files\Provision Networks\Provision-IT. It is also located on your Web Access server at: \Inetpub\wwwroot\Provision\Web-IT. One of the following methods need to be done for autoconfiguration of the file. Method One 1. Create a DNS Entry (A record or CNAME) and assign the name provision or optionally, vworkspace, which is actually a Web Server located on your network. Place the configured config.xml file in the root of the Web Server: IIS: \Inetpub\wwwroot Apache: edit the 000-default file and look for DocumentRoot (found in /etc/apache2). Method Two 1. Create a login script or push out a Registry Setting to your client computers. The registry setting is: HKLM\Software\Provision Networks\Provision-IT Client Value: AutoConnectURL Type: REG_SZ Data: http://www.domain.com 2. If you have multiple config.xml files for multiple farms, use the following registry key: HKLM\Software\Provision Networks\Provision-IT Client Value: AutoConnectURL Type: REG_MULTI_SZ Data: (One Per Line)
2.
555
http://www.domain1.com/config.xml http://www.domain1.com/provconf/myconfig.xml https://ssl.domain.com/config.xml 3. 4. Install the Quest vWorkspace Client. Start the client.
The following table lists the config.xml file settings, a description of some of the settings, and associated values.
CONFIG.XML FILE SETTING FarmName VALUES Default = New Farm Connection DESCRIPTION Farm Name can be anything, but once connected, it takes the name of the actual farm set in the vWorkspace Management Console. Tells AppPortal to retrieve or not to retrieve the farm name from the server. Tells the Provision Client to prompt for a location, such as Office or Home. This is specified in the Locations section of the config.xml file. See Location Section of Config.xml. Three different locations for a farm connection are supported. The one selected in this setting is the default location.
OverrideFarmName
0=Off 1=On
PromptForLocation
Integer 0= Off 1= On Default = 1
DefaultLocation
1|2|3 Default =1 (if PromptForLocation is 0)
SeamlessMode
0 = Off 1 = On Default = 1
DesktopWidth
640 to 4096 Default = 800
Custom width for connections. Does not apply if SeamlessMode is set to 1 (on).
556
CONFIG.XML FILE SETTING DesktopHeight
VALUES 480 to 2048 Default = 600
DESCRIPTION Custom height for connections. Does not apply if SeamlessMode is set to 1 (on).
FullScreen
0 = Not enabled 1 = Enabled Default = 0
ColorDepth
8 to 32 Default = 8
Set the default color quality of the desktop connection/Provision applications.
AudioMode
0 = Sound on local computer. 1 = Do not play sound. 2 = Sound on remote computer. Default = 0
KeyboardHook
0 = On local computer. 1 = On remote computer. 2 = Full screen mode only. Default = 0
RedirectDrives
0 = Do not redirect local drives. 1 = Redirect local drives. Default = 0
RedirectPrinters
0 = Do not redirect local printers. (This is not Universal Printers.) 1 = Redirect local printers. Default = 0 557
CONFIG.XML FILE SETTING RedirectComPorts
VALUES 0 = Do not redirect local COM ports. 1 = Redirect local COM ports. Default = 0
DESCRIPTION
RedirectSmartCards
0 = Do not redirect SmartCards. 1 = Redirect SmartCards. Default = 0
RedirectHandhelds
0 = Do not redirect local handheld devices. 1 = Redirect local handheld devices. Default = 0
RedirectUniversalPrinters
0 = Do not redirect local Universal Printers. 1 = Redirect local Universal Printers. Default = 0
RedirectMicroPhone
0 = Do not redirect the microphone. 1 = Redirect the microphone. Default = 0
RedirectClipBoard
0 = Do not redirect the Clipboard. 1 = Redirect the Clipboard. Default = 0
558
CONFIG.XML FILE SETTING EnableWallpaper
VALUES 0 = Do not enable local wallpaper. 1 = Enable local wallpaper. Default = 0
DESCRIPTION
EnableFullWindowDrag
0 = Do not enable windows content while dragging. 1 = Enable windows content while dragging. Default = 0
EnableAnimation
0 = Do not enable animations. 1 = Enable animations. Default = 0
EnableThemes
0 = Do not enable themes. 1 = Enable themes. Default = 0
EnableBitmapCaching
0 = Do not enable Bitmap caching. 1 = Enable Bitmap caching. Default = 0
HideSettings
0 = Do not hide the Provision Client settings. 1 = Hide the Provision Client settings. Default = 0
Used to control whether users can see the settings for their vWorkspace Client.
559
CONFIG.XML FILE SETTING EnableSSO
VALUES 0 = Do not enable SSO. 1 = Enable SSO. Default = 0
DESCRIPTION Used for cached credentials, not Kerberos authentication.
EnableKerberos
0 = Do not enable Kerberos ticket authentication. 1 = Enable Kerberos ticket authentication. Default = 0
Setting takes precedence over EnableSSO.
KerberosMode
0 = Initial authentication only (logon). 1 = All authentication. Default = 0
Used with EnableKerberos.
DisallowSaveCredentials
0 = Allow clients to save their credentials within the vWorkspace Client. 1 = Do not allow clients to save their credentials within the vWorkspace Client. Default = 0
PasswordManagement Server
String
Fully qualified domain name or SSL certificate name of the Password Management Server. Do not include https or port numbers. For example: pwdmgr.domain.com
PasswordManagement Port
1 to 65535 Default = 443
Port to use for Password Management Server.
560
CONFIG.XML FILE SETTING AllowPassword Management
VALUES 0 = Do not use Password Management Server. 1 = Use Password Management Server. Default = 0
DESCRIPTION Password Management Server must be setup and functional on a member server of the domain.
DIShortcutLocations
1 = Desktop 2 = StartMenu 4 = Start Menu\Programs
EnableSmartSizing
0 = Do not use smart sizing on desktop connections. 1 = Use smart sizing on desktop connections. Default = 0
AutoReconnect
0 = Do not auto reconnect to a session if disconnected or dropped. 1 = Auto reconnect to a session if it is disconnected or dropped. Default = 0
DisplayConnectionBar
0 = Do not display the connection bar when using full screen. 1 = Display the connection bar when using full screen. Default = 0
561
CONFIG.XML FILE SETTING PinConnectionBar
VALUES 0 = Do not pin the connection bar. 1 = Pin the connection bar. Default = 0
DESCRIPTION
EnableLocalTextEcho
0=Disable 1=Enable
EnableGraphicsAcceleration
0=Disable 1=Enable
EnableMultimediaRedirection
0=Disable 1=Enable
AutoLaunchAppN
AppName, N = 1 to 10
A total of 10 autolaunched applications are available, but the data is the name of the managed application within the vWorkspace Management Console, Resources | Managed Applications. Note: The vWorkspace Client only starts the first application found; it does not start multiple applications.
562
Location Section of Config.xml

CONFIG.XML LOCATION SECTION Number VALUES 1 2 3 TCPPort 1 to 65535 Default = 1 ServerList For example: broker1.domain.com,xxx. xxx.xxx.xxx, pnbroker Name String TCP port of the Connection Broker. Comma separated string of Connection Broker severs, FQDN, IP, NetBIOS name. Name of the connection, such as Internal, External, Secure. Use 1 if using Secure-IT. If only using this for internal connections, you can use 0. RDP over SSL Secure-IT connection. DESCRIPTION Use to identify the location you are creating.
Protocol
0 = http 1 = https
RDPonSSL
0 = No RDP over SSL 1 = Use RDP over SSL (Protocol must be set to 1 and SSLGateway set). Default = 0
SSLGateway
String For example: broker1.domain.com, pnbroker
Secure-IT server listed as FQDN or NetBIOS name, depending on SSL Certificate name.
563
CONFIG.XML LOCATION SECTION EnableNAT
VALUES 0 = Do not enable NAT translation for firewall connections. 1 = Enable NAT translation for firewall connections Default = 0
DESCRIPTION Only for Terminal Servers. An alternative IP address must be set in the vWorkspace Management Console for each Terminal Server. To set an alternative IP address, use the following path: Infrastructure | Servers | Terminal Servers Right-click on the Terminal Server and select Properties. Select the Connectivity tab, IP Address.
ProxyServer ProxyServerBypassList
String String
IP: port of proxy server to use for connections. Refer to Microsoft documentation for proxy exceptions.
564
Glossary
This glossary contains some definitions that are from Microsoft and VMware publications.
A
ACE Access Control Entry An entry in an access-control list (ACL) that contains a set of access rights and a security identifier (SID) that identifies a trustee, such as a user or group, for whom the rights are allowed, denied, or audited. Access Control List A list of access-control entries (ACEs) that define the security protections on an object. There are two kinds of ACLs that can appear in an object's security descriptor: a discretionary ACL (DACL) that controls access to the object, and a system ACL (SACL) that controls auditing of attempts to access the object. The process required to log on to a computer locally. Authentication requires a valid user name and password. An access token is created if the information provided matches the account in the database.
ACL
Authentication
C
Client A software application that requests the services, data, or processing of another application or computer (known as the server).
Connection Broker (from VMware glossary) A server that allows connections between remote users and virtual desktops and provides authentication and session management.
D
Desktop See Virtual Desktop.
565
DMZ (demilitarized zone) (from the VMware glossary) A logical or physical subnetwork that connects internal servers to a larger, untrusted network (usually the Internet) and provides an additional layer of security and gives administrators more control over who can access network resources. DNS Domain Name System A hierarchical naming system used for locating domain names on the Internet and private TCP/IP networks. A domain is a logical collection of resources. It consists of computers, printers, computer accounts, user accounts, and other related objects.
Domain
F
Forest A collection of one or more Windows 2000 Active Directory trees, organized as peers and connected by two-way transitive trust relationships between the root domains of each tree. Fully Qualified Domain Name The complete domain name for a specific computer (host) on the Internet. It provides enough information so that it can be converted into a physical IP address. The FQDN consists of host name and domain name.
FQDN
G
Group Policy An administrators tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization.
H
Hot Fixes A software patch that repairs components without the user having to restart the computer.
Hosted Desktop or Desktop A virtual or physical computer, usually deployed inside a secure data center, running a Windows desktop or server operating system such as Windows XP, Windows Vista, or Windows Server 2003.
566
K
Kerberos Authentication Protocol The default authentication mechanism in most Active Directory forests.
L
LAN Local Area Network A computer network that connects computers in a small geographical area, such as in a building or on a campus. Lightweight Directory Access Protocol The standard Internet communications protocol used to communicate with Active Directory. The fine-tuning of a computer system, network or disk subsystem in order to more evenly distribute the data and processing across available resources.
LDAP
Load Balancing
O
OU Organizational Unit An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which a Group Policy object can be linked, or over which administrative authority can be delegated.
P
Physical Desktop A physical machine, such as a conventional PC or blade, running a desktop or server operating system such as Windows XP, Windows Vista, or Windows Server 2003.
R
RDP (remote desktop protocol) (from VMware glossary) A multichannel protocol that allows a user to connect to a computer remotely.
567
S
Scalability Refers to how much a system can be expanded. The term by itself implies a positive capability. For example, "the device is known for its scalability" means that it can be made to serve a larger number of users without breaking down or requiring major changes in procedure. A program or sequence of instructions that is interpreted by another program or application rather than by the computer processor. A computer in a network shared by multiple users.
Script
Server
T
Thin client (from VMware glossary) A device that allows a user to access virtual desktops but requires little memory or disk drive space. Application software, data, and CPU power resides on a network computer and not on the client device. A type of object within a process that runs program instructions. Using multiple threads allows concurrent operations within a process and enables one process to run different parts of its program on different processors simultaneously.
Thread
U
Universal Group A universal group can appear in access-control lists (ACLs) anywhere in the forest, and can contain other universal groups, global groups, and users from anywhere in the forest.
568
UNC
Universal Naming Convention In a network, it is used to identify a shared file in a computer without having to specify the specific storage device on which it is located. In Windows operating systems, the UNC can be used instead of the local naming system. The UNC name format is: \\servername\sharename\path\filename. The idea behind UNC is to provide a format so that each shared resource can be identified with a unique address.
V
vWorkspace Software for provisioning, managing, and delivering desktop workspaces from a central infrastructure. Provides automation of desktop management tasks such as auto-provisioning and power management of virtual machines. Also offers scalable and intelligent connection brokering capabilities, as well as multiple client connectivity options.
vWorkspace Management Console The vWorkspace Management Console provides management and administrative functions to vWorkspace administrators using a graphical user interface. Virtual Desktop (From VMware glossary) A desktop operating system that runs on a virtual machine. A virtual desktop is indistinguishable from any other computer running the same operating system.
vWorkspace enabled desktop infrastructure A desktop infrastructure consisting of virtual and/or physical desktops, and managed using vWorkspace. VM An acronym that denotes a virtual machine.
W
WAN Wide Area Network A computer network that connects computers across long distances.
569
570
INDEX
A access control list scheduling access hours for users 390 add computers tool about 173 Parallels Virtuozzo 330 VMware 276 adding new locations 117 additional components about 238 installation 60 additional customizations Resources node 381 administration about 88 adding a new administrator 91 editing settings 92 removing an administrator 92 setting permissions 92 application access control installing 384 properties 387 application access control server groups 386 application restrictions application access control server groups 386 assigning clients to the client list 390 hash checking 384 how application restrictions work 384 path checking 385 properties 385 Resources node 383 scheduling access hours for users 390 termination of applications 385 unassigning clients to the access control list 390 AppPortal about 346 actions menu 367 configuring new connection 350 connection properties 352 connectivity tab 353 credentials tab 357 desktop integration mode 371 desktop integration tab 365 display tab 358 experience tab 362 local resources tab 360 password management tab 364 PNTray 369 settings menu 369 using via the SSL Gateway 473 App-V/SoftGrid import wizard 106 App-V/SoftGrid node about 104 editing imported application properties 109 editing properties 106 establishing server connections 104 importing applications 106 authentication settings about 437 setting client identification 440 setting credentials pass-through 439 setting password management 440 setting two-factor authentication 438 setting Windows domain 437 B bidirectional audio 75 Block-IT about 24 installing application access control 384 C client connectivity about 17 Microsoft Windows 18 Windows CE thin client 18 client packages 62 client settings about 402 defining properties 405 Clients node about 98 client types 99 defining clients by device address 100 defining clients by device name 101 defining clients by groups 100 defining clients by organizational unit 101 defining clients by users 99
571
color schemes 391 computer group wizard 163 computer groups add computers tool 173 adding published applications 221 adding to Microsoft Hyper-V 309 adding to Parallels Virtuozzo 327 adding to Virtual Iron 290 adding to VMware 270 customizations 172 modifying properties 170 Parallels Virtuozzo 325 properties 164 property of other type 336 task automation 171 viewing logs 170 viewing tasks 170 Virtual Iron 287 config.xml about 555 location section 563 configuration settings about 452 setting general options 453 connect to an existing database 95 Connection Brokers about 8 adding a new Connection Broker 151 installation 48 node 150 permissions 152 properties 141 removing 152 setting by farm for Web Access 434 workload management 526 connectivity settings about 433 Control Panel Print-IT applet 501 CPU and Memory Optimization(Max-IT) about 532 how it works 533 installing 535 create a new database and DSN 93 D data centers about non-power managed 336 data collector service about 199
572
Desktops modifying published applications 222 node 157 properties 141 setting properties 158 starting new applications 206 terminologies 162 disk and memory persistence 260 documentation conventions xxiv feedback xxvi download page 46 drive mappings 391 E environment variables 393 experience optimized protocol about 26 bidirectional audio 75 graphics acceleration 81 latency reduction 79 multimedia redirection 81 optimization settings 75 overview 74 requirements 74 F Farm node 96 farm settings about 432 adding and removing 433 feedback document xxvi File & Registry Redirection node about 113 file redirection rule creating 228 folder redirection rule creating 229 G global settings about 431 H hash checking 384 host restrictions about 394 creating 394 modifying 395
hosted desktops and terminal servers (enterprise edition) about 5 hosted desktops only(desktop services edition) about 6 Hyper-V See Microsoft Hyper-V I initialize computer about 195 common failures 196 triggers 196 installation 64 additional components 60 application access control 384 CPU and Memory Optimization 535 peripheral server extensions 59 SQL server 42 SSL Gateway 58 terminal servers 55 vWorkspace client 63 Web Access 429 installation requirements about 36 desktop services 36 terminal services 36 L latency reduction 79 licensing about 26 experience optimized protocol 26 load-balancing about 526 locations about 116 adding new locations 117 deleting 141 node options 116 properties 141 Locations node about 98 M managed computer groups deleting 170 publishing a managed desktop 216 viewing 169 managed computers about 173
properties 174 publishing an application 217 viewing 192 viewing logs 193 viewing tasks 192 mandatory user profiles about 418 assigning 419 Max-IT about 532 how it works 533 master policy settings 536 setting the policy for specific servers 543 MetaProfiles-IT about 410 about silos 415 assigning mandatory user profiles 419 features and benefits 410 how it works 411 mandatory user profiles 418 storage servers 413 See User Profiles Microsoft Active Directory Group Policy settings about 197 Microsoft Hyper-V about 302 adding a host 303 adding computer groups 309 broker helper service 302 computer group properties 307 importing existing desktops 312 installing tips 302 power management 314 module binding about 534 module rebasing about 534 MSI Packages about 109 adding a new package 109 multimedia redirection 81 multiple monitor support 351
573
N non-power managed data centers about 336 adding a computer group 338 adding computers 340 power management 343 properties 336 O optimized settings 75 other servers adding 158 permissions 159 properties 141, 159 other/physical type about 336 See non-power managed data centers P Packaged Applications node about 104 Parallels Virtuozzo adding computer groups 327 adding computers to a managed computer group 330 adding independent nodes 321 computer groups 325 importing existing desktops 332 importing slave nodes 317 power management 334 password reset service about 238 configuring 239 installing 238 path checking 385 peripheral server extensions installation 59 permissions about 89 setting 92 user profiles properties 416 PNTools about 198 installing 201 PNTray about 369 Print-IT options 370 power management Microsoft Hyper-V 314 non-power managed data centers 343
574
Parallels Virtuozzo 334 Virtual Iron 299 VMware 280 power tools suite for terminal servers (standard edition) Block-IT 24 features 24 Manage-IT 24 Max-IT 25 MetaProfiles-IT 25 Print-IT 25 Redirect-IT 25 TimeZones-IT 25 USB-IT 26 VIP-IT 26 pre-installation checklist 33 Print-IT about 484 about the Control Panel applet 501 adding network printers 504 adding printers to remote relay servers 509 assigning printers to clients 505 assigning remote printers to clients 510 autocreating network printers 486 components Universal Network Print Services 485 Universal Print Driver 485 configuring remote site relay 507 Control Panel applet properties 489 features and benefits 484 importing remote printers 510 overview universal client printer auto-creation 485 Universal Network Print Server Extensions 486 universal network printer auto-creation 485 printer properties 512 setting up Print-IT printers 504 Universal Client Printer Auto-Creation 488 Universal Network Print Server Extensions 503 Universal Print Relay Service for Remote Sites 506 viewing and editing properties 512 Print-IT properties bandwidth tab 496
compression tab 491 general tab 489 license tab 498 logging tab 497 naming tab 494 notification tab 499 PDF publisher tab 500 server farm tab 498 upgrade tab 497 product suites hosted desktops and terminal services (enterprise edition) 3 hosted desktops only (desktop services edition) 4 power tools suite for terminal servers (standard edition) 4 standalone power tools for terminal servers 5 Proxy-IT about 241 configuring 242 installing 242 publish content about 219 published application deleting 224 duplicating 223 Q Quest vWorkspace contacting support xxvi download page 46 R Redirect-IT about 226 creating a file redirection rule 228 creating a folder redirection rule 229 creating a registry redirection rule 227 how Redirect-IT works 226 installing 227 registry redirection rule creating 227 registry tasks about 396 modifying 396 modifying a value 397 remote control session viewing from Computers tab 193 viewing from User Sessions 30
Resources node about 101 about the Printers window 511 additional customizations 381 application restrictions 383 assigning workload evaluators to managed applications 531 client settings 402 color schemes 391 drive mappings 391 environment variables 393 host restrictions 394 modifying published applications 223 registry tasks 396 scripts 398 starting new applications 207 time zones 399 user policies 400 wallpapers 405 S scripts about 398 assigning 399 Secure Sockets Layer Gateway about 468 See SSL Gateway silos about 415 SSL Gateway about 468 accessing by AppPortal 473 accessing by AppPortal and the Web Interface 478 accessing by the Web Interface 475 configuring 469 configuring AppPortal access 473 configuring for both AppPortal and Web Interface access 479 configuring the Web Interface access 476 installing 468 standard desktops only(desktop services edition) benefits 22 features 9 storage servers about 413 special folder in user profiles 423 support contacting Quest vWorkspace xxvi
575
sysprep customization about 188 creating 189 T task automation about 171 adding 171 automated task wizard 171 TCP/IP ports requirements 16 terminal servers adding 153 adding permissions 157 adding published applications 220 assigning workload evaluators to servers 531 installation 55 properties 141 removing 157 server wizard 154 setting properties 157 viewing applications 380 viewing processes 379 viewing sessions 376 viewing users connected 375 workload management 529 Terminal Servers node about 153 modifying published applications 222 starting new applications 206 terminal services enhancements Provision-IT 5 Secure-IT 5 Web Access 6 termination of applications 385 time zones about 399 assigning 399 U Universal Client Printer Auto-Creation 485, 488 Universal Network Print Server Extensions 503 adding network printers 504 assigning printers to clients 505 setting up Print-IT printers 504
Universal Network Printer Auto-Creation 485 Universal Print Driver about 199 Universal Print Relay Service for Remote Sites 506 adding remote relay servers 509 assigning remote printers to clients 510 configuring 507 importing remote printers 510 USB Redirection about 516 USB-IT about 522 configuring 523 how it works 523 user experience settings about 441 setting display 442 setting local resources 441 setting performance 444 user interface settings about 445 setting content layout options 446 setting download options 451 setting look & feel options 448 setting miscellaneous options 451 setting text options 450 user passwords changing in the Web Access 459 user policies about 400 creating 401 modifying 402 viewing properties 400 user profile elements properties 420 User Profiles about 410 about registry elements 420 about special folders 423 assigning mandatory user profiles 419 configuring properties 416 defining a registry key 422 defining special folders 424
576
features and benefits 410 how it works 411 mandatory user profiles 418 properties 411 silo wizard 417 silos 415 storage servers 413 V VAS client 32 package 348 VAS client 32T package 348 virtual access client VAS client 32 package 348 VAS client 32T package 348 Virtual IP about 232 adding a master range 234 configuring applications 235 configuring virtual IP address ranges 233 enabling 232 installing 232 modifying address range allocations 235 VIP-IT 26 Virtual IP node about 113 Virtual Iron adding a data center 284 adding computer groups 290 adding computers to a computer group 295 computer groups 287 creating data centers 284 customizations 289 importing existing desktops into a group 297 monitoring the cloning process 298 power management 299 virtual memory optimization about 533 benefits 534 manually applying 546 module binding 534 module rebasing 534 viewing results for a specific session 545 viewing results per application 545 viewing session summary information 545
Virtualization Server wizard 145, 252 virtualization servers about 145, 250 adding connections 145, 252 configuring 251 VMware adding a datacenter 262 adding computer groups 270 adding computers to a managed computer group 276 customizations 268 datacenters 262 disk and memory persistence 260 importing existing desktops 278 modifying keystore registry entries 41 monitoring the cloning process 280 power management 280 SSL certificate 39 viewing keystore registry entries 41 vWorkspace implementation considerations 32 pre-installation checklist 33 vWorkspace client AppPortal 346 client packages 62 configuring 349 executable files 349 installation 63 overview 346 Web Access 347 vWorkspace database about 14 vWorkspace Management Console about 84 administration 88 Clients node 98 connect to an existing database 95 Connections Brokers node 150 create a new database and DSN 93 Farm node 96 first time use 92 icons 87 installation 61 Locations node 98 menu options 87 monitoring the cloning process for Virtual Iron 298 monitoring the cloning process for VMware 280 object nodes 96
577
Packaged Applications node 104 permissions 89 Resources node 101 Terminal Servers node 153 viewing and editing Print-IT printer properties 512 viewing client information for an active session 378 viewing terminal server applications 380 viewing terminal server processes 379 viewing terminal server sessions 376 viewing users connected to terminal servers 375 W wallpapers about 405 adding new wallpaper 407 assigning 405 changing properties 406 Web Access about 428 adding and removing farm settings 433 application set searching 455 authentication settings 437 changing user passwords 459 changing user settings 456 configuration settings 452 configuring smart cards 464 connecting to the interface 453 connectivity settings 433 farm settings 432 global settings 431 installing 429 management console 430 setting client identification 440 setting connection brokers by farm 434 setting content layout options 446 setting credentials pass-through 439 setting display 442 setting download options 451 setting firewall/SSL VPN by farm 435 setting general options 453 setting local resources 441 setting look & feel options 448
578
setting miscellaneous options 451 setting password management 440 setting performance 444 setting text options 450 setting two-factor authentication 438 setting Windows domain 437 smart card authentication 463 user experience settings 441 user interface 445 using help 460 using via the SSL Gateway 475 Web Interface about 64 See Web-IT wizards App-V/SoftGrid import 106 automated task 171 certificate export 40 computer group 163 Microsoft Hyper-V Host 303 MSI Packages 109 new locations 117 server wizard 151 silo 417 sysprep customization 188 task automation 171 virtualization servers 145, 252 Workload Evaluators node about 113 workload management about 526 assigning workload evaluators to managed applications 531 assigning workload evaluators to servers 531 counters 526 creating workload evaluators 530 guidelines 529 how it works 526 terminal servers 529 Wyse Thin OS about 20 configuration 20

V Workspace 60

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

V Workspace 60

Încărcat de

Drepturi de autor:

Formate disponibile

Quest vWorkspace 6.

Copyright Quest Software, Inc. 2009. All rights reserved.

DESKTOP SERVICES EDITION . . . . . . . . . . . . . . . . . . . . . . . . 6

vWorkspace Administration Guide

DESKTOP SERVICES EDITION ANATOMY AND FEATURES . . . . . 7

LINUX CLIENT . . . . . . . . . . . . . . . . . . . . .19

THIN CLIENT DEVICES . . . . . . . . . . . . . . . . . . . . . . . . .20

MICROSOFT SQL SERVER . . . . . . . . . . . . . . . . . . . . . . . . . .42

CHAPTER 4 VWORKSPACE INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . 45 DOWNLOAD VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . . .46

INSTALL THE CONNECTION BROKER . . . . . . . . . . . . . . . . . . . .48

TERMINAL SERVERS . . . . . . . . . . . . . . . . . . . . .55 CONNECTIVITY FEATURES . . . . . . . . . . . . . . . . .58 SSL GATEWAY . . . . . . . . . . . . . . . . . . . . .58

Install Terminal Server Components ................................ 57 VWORKSPACE VWORKSPACE VWORKSPACE

Install the SSL Gateway ................................................. 58

PERIPHERAL SERVER EXTENSIONS . . . . . . . . . . . .59 ADDITIONAL COMPONENTS . . . . . . . . . . . . . . . . .60

Install Peripheral Server Extensions................................. 59

PASSWORD RESET SERVICE . . . . . . . . . . . . . . . . . . . . . .61

MANAGEMENT CONSOLE . . . . . . . . . . . . . . .61

Install the vWorkspace Management Console .................... 61

CLIENT . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 WEB INTERFACE . . . . . . . . . . . . . . . . . . . .64

Install the Web Interface................................................ 65

ABOUT THE VWORKSPACE MANAGEMENT CONSOLE . . . . . . . . . . .84

vWorkspace Administration Guide

MANUAL DATABASE CONFIGURATION . . . . . . . . . . . . . . . .92

OBJECT NODES . . . . . . . . . . . . . . . . . . . . . . .96

FARM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96 LOCATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98 CLIENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

PACKAGED APPLICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . 104

MSI Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

NEW LOCATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

LOCATION PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 VIRTUALIZATION SERVERS. . . . . . . . . . . . . . . . . . . . . . . . . 145

CONNECTION BROKERS . . . . . . . . . . . . . . . . . . . . . . . . . . 150

TERMINAL SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

OTHER SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Task Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

MANAGED COMPUTER GROUP CUSTOMIZATIONS . . . . . . . . . 172 MANAGED COMPUTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

vWorkspace Administration Guide

PROPERTIES OF A MANAGED COMPUTER . . . . . . . . . . . . . 174

SYSPREP CUSTOMIZATION WIZARD . . . . . . . . . . . . . . . . 188

VIEW MANAGED COMPUTERS . . . . . . . . . . . . . . . . . . . . 192

DESKTOPS PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . . . . 194 INITIALIZE COMPUTER . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 INITIALIZATION TRIGGERS. . . . . . . . . . . . . . . . . . . . . . 196

PUBLISH TERMINAL SERVER APPLICATIONS . . . . . . . . . . . . . . . 207

PUBLISH A MANAGED DESKTOP. . . . . . . . . . . . . . . . . . . . . . 216

PUBLISH MANAGED APPLICATIONS . . . . . . . . . . . . . . . . . . . . 217

PUBLISH CONTENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 WORK WITH PUBLISHED APPLICATIONS . . . . . . . . . . . . . . . . . 220

CHAPTER 11 VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 ABOUT VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

vWorkspace Administration Guide

PROXY-IT WITH SESSION DIRECTORY SERVICES . . . . . . . . 244

CHAPTER 13 VIRTUALIZATION SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . 249 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 VIRTUALIZATION SERVERS. . . . . . . . . . . . . . . . . . . . . . . . . 251

COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

IMPORT EXISTING COMPUTERS INTO A GROUP . . . . . . . . . . 278

Monitor the Process . . . . . . . . . . . . . . . . . . . . . . . . . 280

POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

IMPORT EXISTING DESKTOPS INTO A GROUP . . . . . . . . . . 297

Monitor the Process . . . . . . . . . . . . . . . . . . . . . . . . . 298

COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

IMPORT EXISTING COMPUTERS INTO A GROUP . . . . . . . . . . 312

COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

IMPORT EXISTING COMPUTERS INTO A GROUP . . . . . . . . . . 332

POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

vWorkspace Administration Guide

ADD COMPUTERS TO A COMPUTER GROUP . . . . . . . . . . . . 340 POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

CLIENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 CLIENT OVERVIEW . . . . . . . . . . . . . . . . . . . . 346 CLIENT INTERFACES . . . . . . . . . . . . . . . . . . . . 346