vcp5-dt study guide pdf - professionalvmware
TRANSCRIPT
VCP5 – DT Study Notes Resources: The notes herein are compiled from my own testing as well as below references:
- VMware View 5.0 Documentation/Whitepapers/Communities DOCs here - Other References used are noted in the Section/Objective they’re used in - Since this is DT, I assume you are already familiar with most vSphere tasks; as such, I don’t go into great
detail about some vSphere tasks needed as pre-requisites to some DT tasks - Last but not least - *LAB*!!! Pretty much all of below I did in my lab. Highly recommend having one
SECTION 1 INSTALL VIEW SERVER COMPONENTS 1.1 – Install View Composer Identify Minimum Hardware & Software Requirements for Installation
Hardware: 1. Same as vCenter Server requirements 2. CPU – Two 2GHz 64bit 3. RAM – 4GB 4. Disk – 4GB
Software: 1. Must be installed on same server as vCenter Server 2. vCenter Server guest OS
a. Windows Server 2008 R2, 64bit only b. vCenter Server version
1) 4.0U3 & later 2) 4.1U1 & later 3) 5.0 & later
3. Database a. Must reside on or be available to the vCenter Server b. SQL or Oracle (versions):
1) 2005 Express 2) 2005 SP3 & later, Ent and Std, 32bit and 64bit 3) 2008 R2 Express 4) 2008 SP1 & later, Ent and Std, 32bit and 64bit 5) Windows auth (or “trusted”) mode only supported if DB installed on same server as vCenter 6) 10g R2 7) 11g R2, with 11.2.0.1 Patch5, 32bit and 64bit
Describe Composer Database & Connectivity
The Composer DB must reside on or be available to the vCenter Server
DB must be separate from the vCenter DB; can be local or remote on Linux, UNIX, or Windows server OSs
Each Composer instance must have its own DB (multiple Composer instances can’t share same DB)
DB stores the following connections (pg. 27, View Install Guide): 1. vCenter Server connections 2. AD connections 3. Linked-Clone desktops deployed by Composer 4. Replicas created by Composer
Describe Composer Service & Dependencies
Composer is an optional component installed on vCenter Server that’s used to support Linked-Clone pools
Composer is a service install & requires a DB separate from the vCenter Server DB
Navigate Composer Installation Wizard (pg. 33, View Install Guide)
Fairly straightforward process; only needed info during install is the Composer DB DSN and DB user & pwd
The default SOAP port: 18443
The default install path is: C:\Program Files (x86)\VMware\VMware View Composer\
1.2 – Install View Standard & Replica Connection Servers Identify Minimum Hardware & Software Requirements for Installation
Hardware (also applies for Replica and Security Server instances): 1. CPU – one 2GHz or higher 2. RAM – 4GB (2K8 x64 OS) or 2GB (2K3 R2 x32 OS) 3. NIC – 10/100Mbps 4. Must have static IP
Software: 1. Windows Server 2008 R2 (No SP or SP1), Ent or Std, 64bit 2. Windows Server 2003 R2 SP2, Ent or Std, 32bit 3. NOTE: If PCoIP Secure Gateway component is used, OS must be Windows Server 2008 R2 64bit
a. A W2K8 R2 Security (PCoIP) Server can be paired with a 2K3 Connection Server 4. If a Load Balancer is used in front of multiple Security Servers, all must use same OS 5. Supported vSphere versions
a. 4.0U3 & later b. 4.1U1 & later c. 5.0 & later d. ESX or ESXi
6. Supported Browsers for View Administrator a. IE 7, 8, & 9 b. Firefox 3.0 & 3.5 c. Microsoft-specific fonts required if running on non-Windows OSs
7. AD – 2000, 2003, & 2008
Network 1. For Replicated instances, configure them in the same location over a high-performance LAN
a. May experience performance, latency, or consistency issues among Connection Server instances
Identify Required Firewall Rules (pg. 39, View Install Guide)
Installing on Windows Server 2008 allows for auto-configuration of Windows firewall; if installing on Windows Server 2003, the firewall must be configured manually
Ports IN: 1. TCP 80, 443, 4001, 4100, 4172, 8009
Ports IN & OUT: 1. UDP 4172
Navigate Connection Server Installation Wizard
Must be installed on its own dedicated machine, physical or VM
Must not be installed on a DC or a server with the TS role; or any other function (i.e. vCenter Server)
Must have static IP
Must run installer with domain account having Admin privileges on the server installing on
Initial or Standard Install (pg. 36-37, View Install Guide) 1. Select View Standard Server for initial or “standalone” instance install
2. Enter recovery password & (opt) reminder 3. Choose how to configure firewall, if installing on Windows Server 2008 4. Default file path: C:\Program Files\VMware\VMware View\Server\ 5. Verify options, then Install 6. Once install is complete, configure Connection Server (pg. 10-16, View Admin Guide) 7. Install Licenses; add vCenter Server, Composer Services, & Security Servers; set External URLs for
external clients (desktops), & configure SSL certificates for Connection & Security Server 8. Connection Server installs the following services upon install completion:
Replicated Instance (pg. 40, View Install Guide) 1. Provides HA and load balance for Connection Servers 2. View Manager maintains identical View LDAP config data on all Connection Server instances 3. Replication functionality is provided by View LDAP
a. Uses same technology as AD 4. Use the same installer file as used for Initial/Standard install 5. Select View Replica Server during the install (2
nd item in the list from the screenshot above)
6. The rest of the install is the same as Standard; no configuration is needed as it will be replicated from initial Connection Server instance
1.3 – Install View Transfer Server Identify Minimum Hardware & Software Requirements for Installation
Transfer Server is an optional View component used to support checking in & out and replication of local-mode run desktops
Must be installed in a virtual machine managed by the vCenter Server that manages local desktops
Does not have to be on the domain (i.e. can be in a WORKGROUP)
Must use a static IP
Must be installed on a dedicated server; cannot share server with other View components
Hardware:
1. 2 vCPUs 2. RAM – 4GB for Windows Server 2008 R2; 2GB for Windows Server 2003 SP2 3. LSI Logic Parallel SCSI Controller; SAS and Paravirtual Controllers are not supported
Software: 1. Windows 2008 R2, Ent or Std, 64bit 2. Windows 2003 R2 SP2, Ent or Std, 32bit
Storage 1. VMDK housing the repository on the Transfer Server must have enough space to store static
Composer base images 2. Host running the Transfer Server must have access to Datastores that store desktop disks to be
transferred 3. Maximum number of concurrent disk transfers per Transfer Server is 20
a. With 4 SCSI Controllers allowed, theoretical max transfers is 60
NOTE: When Transfer Server is added to View Manager, DRS is set to manual effectively disabling DRS
Identify Required Firewall Rules (pg. 71, View Install Guide)
Installing on Windows Server 2008 allows for auto-configuration of Windows firewall; installing on Windows Server 2003, the firewall must be configured manually
Ports IN: 2. TCP 80, 443
Navigate Connection Server Installation Wizard
See Connection Server install procedure in Objective 1.2 as they are the same, except to choose Transfer Server during install & Apache Web Server install
Typically, the default Apache Web Server values provided by the installer are used
1.4 – Install Security Server Identify Minimum Hardware & Software Requirements for Installation
See Connection Server requirements as they are the same
A Security Server is basically just a Connection Server that provides an additional layer of security between the Internet & the internal network
One or more Security Servers can be connected to a single Connection Server instance
Static IPs are required
Connection Server 4.6 or later cannot be paired with an earlier (older) version of Security Server
Identify Required Firewall Rules
See Connection Server rules as they are the same
Identify Security Server Pairing Password (pg. 42-43, View Install Guide)
Before Security Server can be installed, Pairing Password must be configured
Permits a Security Server to be paired with a Connection Server instance during install
The password becomes invalid after providing it during install or if timeout period is reached
Configure: 1. In View Administrator (https://ConnectionServer/admin), select View Configuration > Servers 2. Select Connection Servers tab, click a Connection Server to pair with, then from the More
Commands drop-down click Specify Security Server Pairing Password 3. Click OK after the information is entered 4. NOTE: You can specify Minutes or Hours timeout
Navigate Connection Server Installation Wizard
See Connection Server install procedure (Obj. 1.2) as they are the same, except for the following: 1. Select Security Server during install 2. In the Server text box, enter FQDN or IP of Connection Server instance to pair with 3. Enter the Pairing Password created within View Administrator 4. Enter the External URL of the Security Server for remote clients that use RDP display protocol
with SSL (e.g. https://view.lab.local:443 ; can use either FQDN or IP) a. URL must contain the protocol, client-resolvable Hostname or IP, and port number
5. Enter the External URL of the Security Server for remote clients that use PCoIP display protocol a. URL must use IP with port number (e.g. https://100.200.300.400:4172 ) b. Can only be used if a PCoIP Secure Gateway is installed on the Security Server
1.5 – Prepare Active Directory for Installation Describe Characteristics of Required AD Domain Accounts (e.g. Permissions)
Create an AD account to be used by vCenter Server & Composer with the following permissions: 1. Create Computer Objects 2. Delete Computer Objects 3. Write All Properties 4. Adding the above assigns all the below permissions to the AD account used by Composer
a. List Contents b. Read All Properties c. Write All Properties d. Read Permissions e. Create Computer Objects f. Delete Computer Objects
Use this account to add vCenter & Composer in View Administrator
This account must be added to the local Admin group on the vCenter Server if using Composer
Use this account when deploying Linked-Clone pools
Add a Role in vCenter with appropriate privileges to manage View Manager, Composer, & run Local Mode (see pg. 50-52, View Install Guide) 1. Add this Role to the AD user created above & assign this permission (user + role) at the vCenter
Server level 2. NOTE: If any of the optional components aren’t used (Composer or Local Mode) then vSphere
privileges for those components are not required
Describe Characteristics of Required AD Groups
It is recommended to create a View Users and View Admins group in AD (pg. 22, View Install Guide)
Identify & Describe the GPO Template Files
ADM files are in the Connection Server install directory after installing Connection Server
Location: C:\Program Files\VMware\VMware View\Server\Extras\GroupPolicyFiles
Add Template files in Group Policy Management by selecting Computer or User Configuration > Policies, then rt-clicking on Admin Templates > Add/Remove Templates, then browse to the .adm file(s) 1. NOTE: For ViewPM.adm, add at Computer Configuration layer not User Configuration 2. Enable Loopback Processing in GP so Computer settings can be applied as if they were User settings
There are Templates for: 1. View Agent 2. View Client 3. View Server (i.e. Connection Server) 4. View Common (i.e. common to all View components) 5. PCoIP 6. Persona Management
I highly recommend reviewing all Template policies on pg. 143-166, View Admin Guide; I’ll review some below: 1. vdm.agent.adm items (not all policies are listed; just what I thought may be important):
a. AllowDirectRDP – enabled by default; defines whether non-View Clients can connect directly to desktops with RDP (i.e. Mac OS X)
b. AllowSingleSignon – determines if a user has to reauthenticate (i.e. to the View desktop) after initially authenticating to the Connection Server
c. Connect Using DNS – determines whether the Connection Server uses DNS instead of IP of the host when connecting
d. ConnectionTicketTimeout – used by View Clients for verification & SSO when connecting to View Agent (default = 900 seconds [15mins])
e. Disable Time Zone Synchronization – between View desktop & the host client
2. vdm.client.adm items: a. Brokers Trusted for Delegation – specifies a Connection Server instance to accept user credential
info; if not set, all instances can be used b. Certification Verification Mode – No Security, Warn But Allow (default), Full Security c. Default Value as Log In As Current User – overrides value specified when installing View Client;
credentials supplied by a user when logging into the client passes to the Connection Server instance & View desktop
d. Display Option to Log In As Current User – display checkbox for this option or not e. Enable Single Sign On for Smart Card – View Client stores smart card PIN in temporary memory if
enabled f. Several SSL Certificate policies g. RDP settings
1) Audio Redirection 2) Bitmap caching 3) Desktop display items – Color Depth, Desktop Background, Themes 4) Redirect clipboard, Redirect drives, Redirect Printers
h. Always On Top – whether View Client windows is topmost displayed window on the client host i. Default Exit Mode for Local Mode – default is Shutdown j. Disable Toast Notification – what makes this important is if you enable this, the user does not see
5min logoff warning when session timeout is active 3. vdm.server.adm – Recursive Enumeration of Trusted Domains: basically determines whether every
domain trusted by the domain the Connection Server resides in is enumerated 4. vdm.common.adm
a. Log retention & directory location policies b. Performance – specifies CPU & Memory thresholds to log info
5. pcoip.adm – for Computer Configuration only a. Clipboard Redirection – Enable Client to Server (client to desktop; is default), Enable Both
Directions, Disable Both Directions, Enable Server to Client b. PCoIP Image Quality Levels – Minimum Image Quality, Maximum Initial Image Quality between
30-100; default = 90), & Maximum Frame Rate (1-120; default = 30) c. PCoIP Client Image Cache – default = 250MB (can be 50MB-300MB) d. PCoIP Session Encryption Algorithm – SALSA20-256 or AES-128 e. Configure PCoIP USB Allow or Unallow – up to 10 devices allowed/unallowed (default = all USB
allowed) f. Virtual Channel – item that enables/disables copy & paste (i.e. clipboard operation) g. Enable Session Through vSphere (Client) Console h. PCoIP session MTU – default = 1300; max can be 1500; helps reduce packet fragmentation i. Turn Off Build-to-Lossless – recommended to enable (i.e. to disable Losslessness) for bandwidth
savings j. Use Alternate Key For Sending Secure Attention Sequence (SAS) – i.e. enabled to use
CTL+ALT+DEL within a View desktop 6. ViewPM.adm (see pg. 186-190, View Admin Guide for more detail about Persona Mgmt policies) –
add into the Computer Configuration > Admin Templates only (not User Config) a. Manage User Persona – this essentially “turns on” View Persona Mgmt capability b. Persona Repository Location – the network share used for user profiles; default = AD path used c. Files & Folders to Preload (or Exclude) – specify general directory path; do not use drive in path d. Show Progress When Downloading Large Files e. Show Critical Errors via Tray Icon f. Log information can be configured → filename (default = vmwvvp.txt), destination, flags
Describe OUs for Machine Accounts & Kiosk Mode Client Accounts
It is recommended to create a separate OU for View Desktops, Linked-Clones, & Kiosks
This helps segregate policy management from regular workstations and/or servers
Verify Trust Relationships
A trust relationship is needed for an org that has multiple domains and needing to add users in a different domain than the Connection Server to be able to log into a desktop or to manage View
SECTION 2 CONFIGURE VIEW ENVIRONMENT 2.1 – Configure View Composer Identify Default Composer Port Settings
The default SOAP port is 18443
Identify Domain Accounts Used for QuickPrep
The account used for QuickPrep is the same account used when enabling Composer within the vCenter Server settings in View Administrator
Identify the vCenter Server System
In View Configuration > Servers tab, select the vCenter Server tab
Identify Necessary Account Domain Permissions & Domain Trust Relationships
This was discussed in Objective 1.5
Enable Composer From View Administrator & Add Domain Accounts
View Administrator > Servers, click the vCenter Server tab, then either Add or Edit
2.2 – Configure View Event Database Explain the Purpose of the Event Database
The purpose of the Event Database is to record information about View Manager events
The DB contains more info than what is documented in log files on the Connection Server
Identify the Minimum Requirements for the Event Database
See the Composer DB requirements from Objective 1.1, as they are the same for Events
No ODBC Connection is required
Identify Which Database Server Is Being Used (Oracle or SQL)
Typically, whatever DB server is used for Composer, can also be used for the Event DB
View Configuration > Event Configuration in left pane, then click the Edit button under Event Settings
Determine Port Number
Defaults: 1. SQL: 1433 2. Oracle: 1521
Configure Event Database Settings
View Configuration > Event Configuration in left pane, then click the Edit button under Event Settings
Click OK after entering required information (see below):
Configure Connection to the Event Database
View Configuration > Event Configuration in left pane, then click the Edit button
Click OK after entering required information (see below):
Select Monitoring > Events in left pane to verify connection to the DB is successful
2.3 – Configure Standard & Replica Connection Servers Identify Connection Server Backup Settings
In View Administrator > View Configuration > Servers in left pane, then select Connection Servers tab
Select a server in the list, then the Edit button
Click the Backup tab and modify the settings; click OK when done
The path to the backup files on the Connection Server: C:\ProgramData\VMware\VDM\backups
Identify View Global Settings (pg. 18-19, View Admin Guide)
General: 1. Session timeout – for client sessions that are connected to a Connection Server 2. View Administrator session timeout – for users logged into the View Administrator Web UI 3. Enable Automatic Status Updates – determines if View Manager updates the Global Status &
Dashboard panes (i.e. auto-refreshes web UI) 4. Display Pre-Login Message – to client user when they log in to a desktop 5. Display Warning Before Forced Logoff – for client users before updates or refresh to desktops 6. Log Off after x Minutes – time to wait after warning message before user is forced to log off
Security: 1. Reauthenticate Secure Tunnel Connection After Network Interruption – for client access to desktops
using secure tunnel connections a. No effect if direct connection is used
2. Message Security Mode – determines if signing & verification of the JMS messages passed between View Manager components takes place
3. Use IPsec for Security Server Connections – determines if IPsec is used between Security & Connection Server instances
4. Disable Single Sign-On for Local Mode Operations 5. Change Data Recovery Password – required when restoring View LDAP configuration from backup
Identify the Account to Connect to vCenter
This was discussed in Objective 1.5; an AD account should be created, then added in vCenter with specific privileges encapsulated in a custom vCenter Role
Account should be added to the local Administrators group on vCenter for administration of Composer
Add View License Settings
View Administrator > View Configuration, Product Licensing & Usage in left pane, then click Edit License
Modify Global Policies
View Administrator > Policies, Global Policies in left pane, then click Edit Policies button for below items: 1. View Policies:
a. MMR Redirection b. USB Access c. Remote Mode d. PCoIP Hardware Acceleration
2. Local Mode Policies: a. Local Mode b. User-Initiated Rollback c. Max Time Without Server Contact d. Target Replication Frequency e. User Deferred Replication f. Disks Replicated g. User-Initiated Check-In & User-Initiated Replication
Configure External URL Settings
This is done in one of 2 places, depending on the View implementation architecture: 1. View Configuration > Servers in left pane, Connection Servers tab, then Edit a Connection Server 2. View Configuration > Servers in left pane, Security Servers tab, then Edit a Security Server
Identify Connection Server General Settings
I think this is the General tab when editing a Connection Server in View Administrator 1. Tags – used to restrict which pools can be accessed through Connection Server 2. Secure (HTTPS) Tunnel – enable or disable & provide URL 3. PCoIP Secure Gateway – enable or disable & provide URL
Identify Default Roles, Custom Roles, & What Permissions Are Available
Default Roles 1. Administrators 2. Administrators (Read Only) 3. Agent Registration Administrators 4. Global Configuration & Policy Administrators 5. Global Configuration & Policy Administrators (Read Only) 6. Inventory Administrators 7. Inventory Administrators (Read Only) 8. NOTE: Default roles are not editable
Custom Roles 1. View Configuration > Administrators in left pane, Roles tab then Add Role button 2. Provide a name and select appropriate privileges
Available Permissions (suggest reading pg. 37-39, View Admin Guide for common tasks & associated privilege):
Describe the Use of Folders Within the Connection Server (pg. 26, View Admin Guide)
By default, desktop pools are created in the (system default) / or Root folder
As within vCenter, subfolders can be created to assist in delegating administration among different pools
Maximum folders allowed: 100, including the Root folder (so 99 additional folders)
Global only privileges assigned to a custom role cannot be applied to folders 1. The following default roles cannot be applied to folders: Agent Registration Administrators, Global
Configuration & Policy Administrators, & Global Configuration & Policy Administrators (Read Only)
2.4 – Configure View Security Server Configure Connection Server Backup Settings
See first item in Objective 2.3; Security Servers do not have backups configured..only Connection Servers
Identify External URL Settings
Reference Objective 2.3, Configure External URL Settings item
Identify PCoIP Secure Gateway
Reference Objective 2.3, Configure External URL Settings item
This is configured for clients that use the PCoIP protocol
Identify Connection Server General Settings
See Objective 2.3 (same item heading, except no Tag)
Edit Security Server Settings
View Configuration > Servers in left pane, Security Servers tab, then Edit a Security Server
Only items editable are the Secure Tunnel & PCoIP Secure Gateway URLs
Be aware of the Security Server services on the server:
2.5 – Configure View Transfer Server Identify Transfer Server Repository
View Administrator > View Configuration > Servers in left pane, then select Transfer Servers tab
In the bottom Transfer Server Repository pane, click the Edit button to add/modify the repository
It is recommended to use a Network Share all Transfer Servers have access to
Identify vCenter Server That Contains the Transfer Server
View Administrator > View Configuration > Servers in left pane, then select Transfer Servers tab
The vCenter Server housing the Transfer Server is displayed as a column in the Transfer Servers (top) pane
Identify the Transfer Server VM
I think this is self-explanatory; click on the Transfer Servers tab to see all Transfer Servers added to View
2.6 – Configure Advanced Display Protocol Settings Reference GPO Templates
See below for ADM file location on the Connection Server
For PCoIP display settings, use the pcoip.adm template in the Computer Configuration of GP
For RDP display settings, use the vdm_client.adm in the User Configuration of GP
Describe RDP Requirements (pg. 18-19, View Install Guide)
RDC versions: 1. RDC 6.x → Windows XP/Embedded, Vista (RDC 7 recommended for Vista)
a. For XP systems, a RDC patch is required or a Windows Sockets Failed error may appear on the client PC
2. RDC 7 → Windows 7 (SP1 comes with RDC 7.1)
Multiple monitors require RDC 6.0 and later
128MB RAM
Locate ADM Template Files
Located on a Connection Server instance: C:\Program Files\VMware\VMware View\Server\Extras\GroupPolicyFiles
Explain GPO Settings
RDP: 1. The RDP Settings in the Client ADM Template basically configures Windows display & RDP app
settings (color depth, background, font smoothing, redirect drives & clipboard, etc.)
PCoIP: 1. Configure policies such as MTU size, max session bandwidth, enable/disable audio, etc. 2. Build to Lossless – a feature of PCoIP that initially compresses images (makes them lossy), then
progressively builds image to full intended fidelity (uncompresses or makes them in a lossless state) 3. Cache Size – image cache on clients to reduce amount of transmitted data
a. Configure between 50MB-300MB b. Default = 250MB
Identify Maximum Number of Monitors & Resolution (pg. 17-19, View Install Guide; pg. 108, View Admin Guide)
RDP – 2 monitors
PCoIP: 1. Maximum of 4 monitors with resolution configurable for each 2. Maximum resolution: 2560x1600
a. If 3D is enabled → maximum of 2 monitors with a resolution of 1920x1200
Configure Flash Quality & Throttling (pg. 210, View Admin Guide)
Flash Quality – web page quality
Flash Throttling – reducing frame rates, prolonging frame intervals
Both help reduce Adobe bandwidth & increase user browsing experience in the desktop
Adobe must be running in full screen mode
Configure: 1. View Administrator > Inventory > Pools in left pane 2. Select a pool & click Edit 3. Click Pool Settings tab and select a Quality & Throttling mode; click OK when done 4. Settings take affect when a user logs off then reconnects to the desktop with the View Client
Configure Software 3D Rendering Capabilities (pg. 109, View Admin Guide)
Requirements: 1. ESXi & vCenter 5.0 or later 2. Hardware 8 3. Windows 7 4. PCoIP display protocol 5. VRAM – VRAM configured in View overrides a VM configuration within vSphere
a. Maximum = 128MB; default = 64MB
Maximum monitors to use is 2, and resolution of 1920x1200
Configuration: 1. Settings configured when creating a desktop pool (pool creation wizard)
2.7 – Enable RSA/Smart Card
Import Certificates
On a Connection Server, use keytool to add (import) the Root Certificate to the Server Trustore File: 1. keytool -import -alias alias -file root_certifcate -keystore
truststorefile.key 2. Copy the trustore file to the SSL gateway configuration folder: C:\Program
Files\VMware\VMware View\Server\sslgateway\conf\truststorefile.key
Root Cert: 1. Trusted Root Authority import – Group Policy > Computer Config > Windows Settings > Security
Settings > Public Key, then rt-click Trusted Root Certification Authorities and select Import 2. Enterprise NTAuth Store Import – on a DC, open a cmd prompt and enter: certutil -dspublish
-f path_to_cert NTAuthCA
Intermediate Cert (if used): 1. Group Policy > Computer Config > Windows Settings > Security Settings > Public Key, then rt-click
Intermediate Certification Authorities and select Import
Turn On Certificate Based Authentication
View Administrator: 1. View Configuration > Servers > Connection Servers tab, select a server then Edit 2. In the Authentication tab, click the drop-down next to Smart Card Authentication and select Required 3. Restart the Connection Server service
Create a locked.properties file in the C:\Program Files\VMware\VMware View\Server\sslgateway\conf\ directory & add the following to the file (example shown):
1. NOTE: the .key name shown above is the name of your truststorefile.key file 2. This setting is only needed for Connection Servers, not Security Servers
Identify RSA Instance
Not sure what VMware wants here, but you can review RSA SecurID info pg. 133-134, View Admin Guide
Identify Authentication Requirements for RSA & Smart Cards (pg. 20, View Install Guide)
View Client Local Mode is not supported with View Administrator
Smart Card with a user certificate 1. Certificate issued by computer on the domain 2. Certificate must have a 1024-bit or 2048-bit key size (512-bit not supported)
Smart Card Reader – support only for PKCS#11 or Microsoft CryptoAPI provider
Smart Card Middleware
Product-Specific Application Driver – for client & desktop
AD Requirements: 1. Add UPNs to Smart Card users – [email protected] 2. Add (Import) Root Certificate to Trusted Root Authority – in Group Policy 3. Add Intermediate Certificate to Intermediate Certificate Authority (if used) – in Group Policy 4. Add (Import) Root Certificate to Enterprise NTAuth Store – using certutil
a. certutil -dspublish -f path_to_cert NTAuthCA 5. RSA requires uploading a sdconf.rec file
2.8 – Configure Role-Based Administrators Identify Required Folders
I think this is more about deciding the following:
1. What pools will be created 2. Who will manage those pools 3. What privileges will be needed to manage those pools 4. Create a custom role or use a system role and assign to a user 5. Create Folders based off what pools will be created 6. Assign a user to a given folder to manage a given pool
Create View Folders For Delegated Administration & Roles
View Administrator > View Configuration > Administrators in left pane, then Folders tab
Click Add Folder
Set Permissions On a Folder
In the Folders tab, click a folder then the Add Permission button
Add a user & role to the Folder, then click OK through the wizard when done
Review pg.33-39, View Admin Guide to see default Roles, privileges, and other info
Create the Administrator Roles
View Administrator > View Configuration > Administrators in left pane, then Roles tab
Click the Add Role button and create a custom role by giving the Role a name and select privileges
Assign Folders & Roles to User Or Groups
Folders – see Set Permissions On A Folder item
Roles: 1. In Administrators & Users tab, click Add User or Group, add a user, assign a role, then choose the
folder(s) the user has permissions on
2.9 – Configure Remote or Location-Based Printing for Desktops Describe ThinPrint Architecture
There really isn’t much in the Install, Admin, or Architecture Guides on this
ThinPrint? This is more about Location-Based Printing really – basically, you register the thinprint .dll file on a DC to have access to the Group Policy used to configure printing to a network printer located near desktops (see screenshot a few items below)
You enable the Policy, then enter mapping details for the client devices and the printers
Identify ThinPrint Services
When the View Agent is installed, there is a Thinprint service installed as well
Register .dll File
Copy the TPVMGPoACmap.dll file from C:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles\ThinPrint and paste to a location on a DC
Open a cmd prompt on the DC and run: regsvr32 “C:\pathToDLL\TPVMGPoACmap.dll”
Configure GPO
Computer Configuration > Policies > Software Settings > AutoConnect Map Additional Printers
Double-click the Configure AutoConnect Map Additional Printers on the right pane and click Enable
Click the 1st
toolbar icon to add a row to the Policy and enter the appropriate info (see screenshot below) 1. Check to make this printer the Windows Default printer (i.e. Set as Default) 2. Enter IP Ranges of Client devices (not the desktop VMs), beit thin/zero clients or PCs, that will be
allowed to print to “this” printer (syntax = 10.10.10.10-10.10.10.20 or 10.10.10.10/24) 3. Client Name, MAC Address, & User/Group columns not required if IP Range is selected (NOTE: Only 1
of the 4 columns are explicitly needed; place an asterisk in the remaining ones not used)
4. Printer Name – this can be anything, but recommend using printer name that’s listed on the print server for consistency; this name is what shows in Printers & Devices (i.e. an alias type name)
5. Printer Driver – IMPORTANT; the driver of the printer must match/be consistent between the VM desktop and the print server; syntax, including spaces & case sensitivity must match the driver name
6. Enter the Port used by the printer (i.e. IP_10.10.10.30)
Import Location Printing ADM File
There is a Redirect Printers setting in RDP Settings of the User Config > View Client ADM template
To import templates, simply rt-click on Admin Templates > Add/Remove, then browse to the path on the Connection Server housing the ADM files: C:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles
2.10 – Configure Environment for Local Mode Publish Linked-Clone Replica to Transfer Server Repository (pg. 254, View Admin Guide)
View Configuration > Transfer Server Repository, select the Repository then Publish button
Identify Local Mode Policies
See next item below
Configure Local Mode Policies
View Administrator > Policies > Global Policies > Local Mode Policies; See configurable policies below
Ensure Client Device Meets Local Mode Requirements (Proper Client Version, Hardware, Disk Space, End Device Resource Req’s, etc.) (Pg. 14-15, View Install Guide)
The Desktop to be checked out must use Virtual Hardware 7; ver 8 is not supported
Client (Host) Requirements: 1. Multi-CPUs are supported, greater than a P4 (Intel) or Athlon (AMD) 2. RAM – enough to house client & desktop 3. Win7 Aero support – an nVideo GeForce 8800GT & above or ATI Radeon HD 2600 & above 4. Disk – enough space to accommodate the usable desktop storage plus snapshots
NOTE: For CPU & RAM client host resources, the local desktop VM will change its resources to utilize a minimum of what it was configured for up to a maximum of 8GB RAM (32bit) or 32GB (64bit), but most likely ½ the client host resources; for CPU, the VM desktop can use at most 2 CPUs 1. The default behavior for resource consumption by the local desktop can be changed by modifying
registry settings on the desktop source, then recomposing the pool; pg. 266-270, View Admin Guide
Verify Transfer Server Configuration (pg. 251-258, View Admin Guide)
The “general” requirements (CPU, RAM, etc.) were covered in Objective 1.3
See below for remaining configurations: 1. Transfer Server Repository
a. This is only needed if using Composer-based Linked-Clones b. Recommended to use network storage and share it between all Transfer Servers, as opposed to
configuring a local disk on the Transfer Server VM c. Enough storage is needed to accommodate all Composer base image disks of the parent VM for
each desktop pool that will be used for Local Mode 2. Add the Transfer Server to View Manager (Administrator) 3. Publish Composer package files (i.e. base images) in the Transfer Server Repository (all Transfer
Servers must first be in Maintenance Mode; exit Maintenance Mode when complete)
2.11 – Configure Environment for Kiosk Mode Utilize vdmadmin (e.g. Enable/Disable Kiosk Mode, Assign Client to Desktop, Etc.)
Set Default Values for Clients in Kiosk Mode: 1. Ex: vdmadmin -Q -clientauth -setdefaults -ou OU=kiosk,ou=view,dc=lab,dc=local
-noexpirepassword -group kiosk_users
Assign/Add Accounts to Clients in Kiosk Mode: 1. Add: vdmadmin -Q -clientauth -add -clientid custom-terminal01 –domain lab –ou
OU=kiosk,ou=view,dc=lab,dc=local –group kiosk_users ( if wanting to add a custom pwd, add -password “password” after the -clientid param)
2. Remove: vdmadmin -Q -clientauth -remove -clientid custom-terminal01 –domain lab –ou OU=kiosk,ou=view,dc=lab,dc=local –group kiosk_users
Enable/Disable Authentication of Clients Kiosk Mode: 1. Enable w/o requiring a pwd: vdmadmin -Q –enable –s vconsrv01 2. Enable requiring a pwd: vdmadmin -Q –enable –s vconsrv01 -requirepassword 3. Disable: vdmadmin -Q –disable –s vconsrv01
After enabled, verify by: vdmadmin -Q -clientauth -list
Identify Client Device’s ID Mechanism (MAC, Custom Name, etc.) (pg. 349 & 353, View Admin Guide)
A Connection Server instance can be configured to authenticate Kiosks either by MAC Address or a username that starts with characters such as custom- or an alternate prefix string as defined in ADAM, or cm- followed by a MAC Address
The name cannot be more than 20 characters long
If a name is not specified, View Manager generates a name from the client MAC with cm- as its prefix
2.12 – Create ThinApp Applications & A ThinApp Repository Create ThinApp Applications
Before creating ThinApp packages, the following requirements must be met: 1. Must pkg as .msi 2. ThinApp 4.6 or later 3. Pkgs must be stored on a Windows network share that Connection Servers & desktops can access
a. Authentication & file permissions based on computer accounts b. Read File & Share permissions to Domain Computers group & Domain Controllers c. Read & Execute NTFS permission to Domain Users if allowing streaming
4. ThinApp pkgs can only be assigned to VMs
Configure: 1. Install ThinApp Capture on clean computer 2. Start Capture wizard & when prompted for project location, select Build MSI pkg
a. Set MSIStreaming=1 if plan to stream the app 3. Store the MSI on a network share 4. Add the ThinApp Repository in View Administrator: View Configuration > ThinApp Configuration, Add
Repository button; NOTE: IP for the server name is not supported
5. Add ThinApp Applications to View Administrator: Inventory > ThinApps, click Scan New ThinApps
Create Or Identify Supported File Share
Create a network share with requirements specified above
Add the Repository in View as specified above
Assign Permissions To The Share
Self-explanatory; set permissions based off requirements listed above
Verify MSI Streaming Settings In The Package.ini Files
If doing streaming, set MSIStreaming=1, otherwise =0
Identify Necessary ThinApp Package Components To Put On The Share
See #5 from Create ThinApp Applications above (adding Apps to View); for more detail, see pg. 226, View Admin Guide
Assign ThinApp Applications To Pools
Inventory > ThinApps
Select an Application, then Add Assignment drop-down and choose Pools
Choose a Pool (or multiple by CTL+CLICK), whether to do Stream or Full, then OK when done
2.13 – Manage User Configurations Configure The Profile Store
What I think VMware wants for this whole section are items related to Persona Management
For this Objective item, I think VMware is looking for creating a network share for personas to be stored (pg. 177-178, View Admin Guide) 1. Use a network server or NAS to create the share/repository 2. Share does not have to be in same domain as Connection Server; does have to be in same forest as
users who will be storing their profiles 3. You can configure separate repositories for different pools, but if a user is entitled to > 1 pool, make
sure he can access a single repository 4. Make sure the full path to the share is what you want, otherwise Windows will create the remaining
folders not added when an initial user logs in & creates security for that user, making the repository inaccessible to subsequent users
Configure Virtual Profile GPOs
Add the ViewPM ADM Template to Computer Configuration > Admin Templates (NOTE: do not add under User Configuration)
To ‘activate’ Persona Management, first install View Agent with Persona Management on a desktop source used for a pool, then enable the Manage User Persona policy in the ViewPM group policy template
If an AD path is not used for the repository location, configure the Persona Repository Location policy in the View PM group policy template
Persona Mgmt cannot be used on physical or Terminal Services machines, or Local Mode VMs
Review Policies for PM on pg. 186-190, View Admin Guide (see some listed in Objective 1.5)
Configure View Media Services For Clipboard Support
Configure Clipboard Redirection (PCoIP policy; pg. 158, View Admin Guide) 1. Enabled client to server only (this is default setting) 2. Disabled in both directions 3. Enabled in both directions 4. Enabled server to client only 5. NOTE: client = local host; server = view desktop
a. If virtual channel is disabled, Clipboard Redirection does not work (is enabled by default though)
SECTION 3 CREATE & CONFIGURE POOLS 3.1 – Configure Automated Pools Using Linked Clones Identify Floating Vs. Dedicated Assignments
Automated Pool – View Manager dynamically provisions (creates/deletes) desktop sources based on pool configuration settings 1. Floating – users receive a different desktop source each time they log in with View Client 2. Dedicated – users are assigned a specific desktop source and connect to that source with each log in
a. Automatic Assignment – View Manager assigns a desktop source to a user; if this isn’t selected, the Administrator must explicitly assign a desktop to a user
3. Linked-Clone
a. Snapshot – created on a parent VM in vCenter & used for Linked-Clone pools b. Can only be used if Composer Server is installed on vCenter
Identify Persistent Disk Settings
Persistent disks are disks that generally hold user data
Choose whether to store disks holding different data types to be on separate Datastores
Persistent disks can only be configured if using Dedicated Linked-Clone pools
Persistent disks can only be re-attached to a desktop with “like” OS (i.e. disk from an XP desktop re-attached to a newly created XP desktop..not Win7, etc.)
Must run View Manager 4.5 or later
Identify The Disposable Disk Settings
Desktop source guest OS paging file
Desktop source guest OS temp file
Settings:
Identify Pool Settings (pg. 106-109, View Admin Guide)
General: 1. Pool State – i.e. Enable or Disable the Pool 2. Connection Server Restrictions – based off tags
Remote Settings: 1. Remote Desktop Power Policy – no action, always on, suspend, off 2. Automatically Log Off After Disconnect – never, immediately, after… (x minutes) 3. Allow User To Reset Desktop – yes, no 4. Allow Multiple Sessions – yes, no 5. Delete Desktop After Logoff – yes, no ; NOTE: Policy only for floating assignment; not for manual
naming
Remote Display Protocol 1. Default Display Protocol – PCoIP, RDP 2. Allow Users To Choose – yes, no 3. Windows 3D – enable, disable; configure… VRAM; NOTE: Only used for VM Hardware 8 4. Max Monitors – 1-4 ; NOTE: Max amt if 3D Rendering is enabled is 2 5. Max Resolution Per Monitor – NOTE: A power cycle (not restart) is required if this is changed
Adobe Flash Settings 1. Quality – no control, low, medium, high 2. Throttling – disabled, conservative, moderate, aggressive
Identify Provisioning Settings
Basic 1. Enable Provisioning 2. Stop Provisioning On Error
VM Naming 1. Specify Manually
a. Enter Names – one VM name per line, or assign user explicitly to a VM name on same line separated by a comma (e.g. vm01,lab.local\username)
b. Start Desktops in Main Mode c. # Of Unassigned Desktops Kept Powered On
2. Use Naming Pattern – e.g. vm{n:fixed=2}
Pool Sizing 1. Max Number Of Desktops 2. Number Of Spare Desktops (Powered On) 3. Provision On Demand – as users connect
a. Min Number Of Desktops 4. Provision All Up-Front – after pool is created
Identify Base Image & Snapshot
Snapshot (from parent linked-clone)
Go to Inventory > Pools, then select a pool in the list then click the Edit button
Select the vCenter Settings tab to view Snapshot info of the desktop source
Identify vCenter Server Resource Settings
See previous item as Resource Settings are in the same location as viewing desktop source info
Identify Guest Customization Settings (QuickPrep, Sysprep) (pg. 83-86, View Admin Guide)
QuickPrep – designed to work efficiently with Composer (Linked-Clone VM desktops)
Sysprep – vSphere Guest Customization configured in vCenter is used
See below for general differences between the two:
3.2 – Configure Automated Pools Using Full Clones Identify Floating Vs. Dedicated Assignments
Full VMs 1. Template – vCenter VM Template used for the full VM desktop source to create the pool
Identify Pool Settings
See Objective 3.1, same item
Identify Provisioning Settings
See Objective 3.1, same item
Identify Template
See Objective 3.1, same item as getting to this info is the same
Identify vCenter Server Resource Settings
See Objective 3.1, same item
Identify Guest Customization Settings
See Objective 3.1, same item
3.3 – Configure Manual Pools Identify Pool Settings
General: 1. State 2. Connection Server Restrictions
Remote Settings 1. Auto Logoff After Disconnect 2. Allow Multiple Sessions/User
Remote Display Protocol 1. Default Protocol
2. Allow User Choice
Adobe Flash 1. Quality 2. Throttling
Identify Desktop Sources
vCenter VMs
Other 1. VMware Server VMs 2. Other VM types 3. Physical 4. Blade PC
3.4 – Configure Local Mode Use Given A Customer Environment & Requirements, Apply Compatible Local Mode Pool Settings
Not really anything to add here; review Objective 2.10 then be able to configure based on customer requirements
3.5 – Build Desktop Sources Perform OS Optimizations
General OS optimizations → pg. 56-57, View Admin Guide
1. Also, delete hidden Uninstall ($NTUninstallKB######) files, Event Logs, Empty Recycle Bin, & perform a disk defrag
Optimizations specifically for Win7 → pg. 58-64, View Admin Guide
Update Drivers
Best way is to install latest patches & drivers on base/parent VM then disseminate update either by recompose (Linked-Clone), or creating a new pool with new Template
Perform Installation Of View Agent
Self-explanatory
Only thing here is if using Linked-Clone, make sure to select View Composer Agent; if using Persona Mgmt, install that item as well
Configure Virtual Machine Hardware
When creating a VM for desktop pool source, Edit Settings > Hardware tab and choose appropriate hardware
XP doesn’t support LSI SCSI Controller without driver install (need to attain driver from LSI)
Recommend enabling CPU/Memory Hot-plug feature for Win7 VMs
Perform Installation of VMware Tools
vSphere task; you should know how to do this already…will not cover this
Create Snapshots
vSphere task; you should know how to do this already…will not cover this
Create Customization Specifications
vSphere task; you should know how to do this already…will not cover this
SECTION 4 IMPLEMENTATION TROUBLESHOOTING 4.1 – Troubleshoot Composer Installation on vCenter Composer Provision Error Codes
0-20 – read pg. 317-318, View Admin Guide 1. A Code 0 means success & doesn’t appear in View Administrator 2. Code 6 is a ‘catch all’; i.e. error not covered by other codes, as such should look in guest OS logs
Error codes appear in the Desktop-Status column in View Administrator Potential Install Errors
Unable to add Firewall rules (W2K8) during install 1. Firewall enabled? 2. Have local (vCenter) Admin rights
Machine installing Composer on has other View component
4.2 – Troubleshoot Events Database
Some connectivity or other issues with the DB → maybe the SQL account pwd of the user used to add the DB to View has expired; set pwd to not expire
Verify correct ports opened based off DB type (i.e. SQL = 1433; Oracle = 1521)
4.3 – Troubleshoot Guest OS Customization Unable To Create A Pool Due To Guest Customization Failure
Guest Customization may not be seen (can’t be found) during pool provision 1. May have insufficient privileges to access the Guest Customization or to create a pool 2. Guest Customization may have been renamed or deleted
VMs Stuck In Customizing State
Not enough Datastores space to start a VM; a VM needs to start to get Customization 1. Delete VM 2. Free disk space & reclone
QuickPrep Customization Issues
Script times out – longer than 20 seconds; increase the time in registry on Parent or Template VM desktop
Verify script path is valid – if an ‘interpreter’ is needed for the script, start the script path with the interpreter then end with the script (e.g. C:\Windows\System32\cscript.exe C:\Scripts\myvb.vbs )
Verify account running the script has appropriate permission to execute script
Windows XP Unable To Join Domain
If using W2K8 RODC, need to apply a patch to the parent XP VM; W2K8 RODC not backward compatible
4.4 – Troubleshoot Accounts & Permissions Unable To Create A Pool Due To Permissions
Check for appropriate permissions in vSphere: 1. Check permissions on vSphere Resource Pool, Template, ESXi Host, Cluster, or Datacenter
Unable To Create A Pool Due To Configuration Issue
View Administrator will display “configuration problem”
Verify Template: 1. Is not missing/deleted 2. Has not been moved 3. Has not been renamed
Unable To Provision A Pool Due To Datastore Issues
Verify permissions to access the Datastores the pool is trying to be created on
Check space on the Datastores; make sure it’s not full or almost full
4.5 – Troubleshoot Connectivity Between View Components Between View Client & Desktops
Static IP assigned to a desktop – make sure the parent/template (source) VM is configured to use DHCP
Unable To Provision A Pool Due to Connection Issue Between Connection Server & vCenter
Cannot log into vCenter at IP Address error
The status of vCenter at IP Address is unknown error 1. Check vCenter Web service (start it if it’s stopped) 2. Networking problem between vCenter & Connection Server 3. Port numbers & login details for vCenter or Composer have changed – verify in View Administrator
Unable To Provision A Pool Due To Overloaded vCenter
Provision error occurred... because of a timeout ... error 1. vCenter is overloaded with requests – in View Administrator, reduce max number of concurrent &
power operations for vCenter 2. Add additional vCenters
4.6 – Troubleshoot PCoIP Configuration Connection Issue Between View Client & PCoIP Gateway (great video on Eric Sloof’s blog here)
Verify Firewall on Connection/Security Server allows UDP port 4172 in/out & TCP port 4172 in – can result in a black screen if blocked
Verify PCoIP Gateway is enabled on Connection Server(s) in View Administrator (configuration not an option on Security Server..only Connection Server)
SVGA Driver issue 1. Check log on VM desktop: C:\Users\All Users\VMware\VDM\logs
Verify External URL is configured appropriately – https://IPofConnOrSecSrvr:4172 (not FQDN)
Check if Connection Server is paired with a Security Server using View 4.5 or earlier (must be v4.6 or later)
4.7 – Troubleshoot View Servers (Connection, Security, Transfer) Connection Issue Between View Client & Connection Server
Use a web browser to connect to the Connection Server (HTTP or HTTPS); if error, check DNS
Configure External URL to use IP instead of FQDN
If all else doesn’t work, try Connection Server reboot
Connection Issue Between Desktops & Connection Server
Verify DNS of the Connection Server – nslookup ConnSrvrFQDN
Verify Connection Server Firewall isn’t blocking port 3389 (RDP), 4001 (JMS; used by View Agent), or 8009 (AJP13) – telnet 4001
VMs Stuck In Provision State
Connection Server may have been restarted 1. Delete Clones & recreate/reclone
4.8 – Troubleshoot View Persona Management
Was Persona installed with the View Agent?
Is Persona being used with Local Mode (can be done, but is not supported)?
Correct licensing? (Premier)
Is Persona enabled in the ADM policy Manage User Persona?
If XP desktop sessions are not completely terminated, was UPHClean service installed?
NOTE: Recommend watching some bootcamp videos; one on troubleshooting here
SECTION 5 COMPONENT FEATURES & FUNCTIONS 5.1 – Describe & Differentiate Between Component Functions & Features at an In-Depth Level (What & How Work) NOTE: I will only give a high-level overview of the below items; re-review areas of the Blueprint in the above Objectives for more detail for each item listed Describe View Architecture
DB – vCenter & Composer
vCenter – a vSphere object really, but at heart & soul of View
Composer – optional; if not using Linked-Clones, not needed
Connection Server – required; has the View Administrator web UI
Security Server – optional; for secure external connections to internal network
Transfer Server – optional; VM used for View Client Local Mode
Architecture of all components:
Describe View Protocols (pg. 62-66, View Architecture Planning Guide)
HTTP
HTTPS
RDP
PCoIP
Identify Network Ports Required For View Protocols (review areas of View Security Guide)
80 – HTTP
443 – HTTPS
3389 – RDP
4001 – JMS
4100
4172 – PCoIP
8009 – AJP13; Security Server only (Apache?)
9247 – MMR
32111 – USB redirection
NOTE: A high-level overview of each component is given on pg. 7, View Integration Guide
Describe View Composer
A application/service installed on vCenter Server & used for Linked-Clone Pool creation capability
Describe View Connection Server (pg. 10-11, View Architecture & Planning Guide)
Broker
Has Administration interface
Used for authentication, entitles user to desktops/pools, & directs requests to appropriate desktops
Describe View Transfer Server
Used for Local Mode sessions
Used to transfer base images from datacenter to local (host) machine
Transfer repository only used for Linked-Clone VMs
Has compression/de-dup capabilities
Describe View Security Server
Enhanced security Connection Server typically deployed in a DMZ for secure communication between external View Clients & the internal datacenter where View Desktops reside
Typically used for
Describe RDP
Default remote display protocol used to connect View Client to View Desktops
Uses port 3389
Describe PCoIP
Display protocol providing enhanced features for performance, etc.
Describe ThinApp
Tool to package applications by decoupling from underlying OS & hardware
Describe Local Mode
Ability to download a desktop to a local device enhancing performance & mobility
Describe Kiosk Mode
Thin-down version of a View Desktop used for repetitive, singular type tasks (e.g. airline ticket print; job submission; etc.)
Describe View Client Access Options
Either via RDP or PCoIP
Describe Persona Management Options
Ability to retain user profiles in a network directory share so a user always has familiar & personalized desktop and application settings
Describe View Agent
Service installed on source desktops that is used to communicate View desktops with Connection Servers
Authored by: Shane Williford For Public Use, but give credit to author & bloggers where used in various areas of this document