This is the second part in a series on the basics of VMware View.
- Connection Server
- Client (with off-line desktop support)
The VMware View Connection Server is VMware's term for a broker – and it actually comes as two types of server, a security server which can safely be placed in a DMZ, and the connection server which sits inside your private network and requires access to your Active Directory environment.
The Security Server and Connection Server are linked together to allow seamless and secure traversal of your firewall – whilst at the same time delivering corporate services such as email. Both the Connection Server and the Security Server encrypt the network link between the client and virtual desktop – essentially wrapping an SSL tunnel around the relatively non-secure RDP communication. However, only the Security Server is safe to be placed in a DMZ as it does not need to be a member of your Windows domain – and can be "hardened" using standard procedures such as disabling unwanted Windows services.
All in all, the experience for the end-user is like sitting on a trusted network at the corporate office – remotely.
The Composer is a piece of software that manages the templates used to create many virtual desktops – specifically, it lets you create a "master" virtual desktop from which all end-user virtual desktops are created. Changes to this "master" virtual desktop are propagated to all the associated virtual machines.
It is possible to have more than one Connection Server and Security Server for fault-tolerance. VMware use Microsoft ADAM as the method of making sure that all the connection servers share the same configuration data by replicating this configuration information in a multiple-master model which is exactly like Microsoft's Active Directory service.
However, VMware do not currently offer a method to balance the load dynamically across the Connection Server and Security Server. This will mean you will have to invest in some method that ensures an even distribution of user connections across them. For example in the old Virtual Desktop Manager course I used to use the free load-balancing virtual appliance called "Hercules" as a load-balancer. In this guide I am going to use Microsoft's Network Load-Balancing (NLB), however if you are really serious about IP based load-balancing then I would recommend sourcing a dedicated appliance that can do that for you.
Install a Connection Server
Installing the Connection Server is a breeze, and most of the real work happens in the post-configuration stage, which is carried out using a web-page based administration tool. VMware recommends a minimum of 1 vCPU for the Connection Server together with 2GB of RAM.
- Create a new Windows 2003 VM and join it to your Active Directory Domain
- Double-click the VMware-viewconnectionserver-N.N.N-NNNNNN.exe file
- Accept the usual suspects on the Welcome Screen, EULA and the install path for the software
- Select Standard from the list
The Standard option, which is selected in Figure 1 below, is always used to create the first Connection Server, whereas Replica is used to add a second or third connection server. Security is used to add the Security Server.
As shown in Figure 2, during the process, the installation will create a Microsoft ADAM instance, and you will receive messages about importing a schema using a .LDF file – at no stage is the Schema Master of the Active Directory Domain modified.
Post configuration of Connection Server
The Connection Server administration webpages are very simple and easy to understand. In many respects the management of the Connection Server could even be carried out by a very able desktop support person. Perhaps you could set up the system, but hand it over to one of your desktop support personnel to manage on a day-to-day basis. The webpage administration tool only has four main views, shown in Figure 3:
The Desktop and Pools page allows you to create virtual desktops and pools and assign them to the appropriate users. The Users and Groups page simply allows you to see which users have access to which desktops – and manage their sessions. The Configuration Page is used in the primary set up of the system. The Events page, of course, is an event log of tasks carried out with the VMware View administration pages.
The post-configuration tasks contain two primary steps – firstly licensing the Connection Server, and then secondly configuring it so it can communicate with your vCenter.
- Open up IE on the desktop of the Connection Server
- Type: https://localhost/admin and accept the untrusted certificate warning message
- At the login prompt type your administrator account and password and click Login
The default user group used in VMware View is the built-in "administrators" group on the local server. When you add a Windows server to a domain, the Domain Admins group from the domain is added into the local administrators group – this effectively means any Domain Administrator can manage the Connection Server until you change this default. In many respects this is just how vCenter handles default administration rights and privileges.
- In the Configuration View, select the link Edit License, as shown in Figure 4:
- In the Product Licensing pop-up page, type in your license number.
- Next supply the vCenter information by clicking the Add button in the VirtualCenter Servers section of the configuration page. This VirtualCenter Settings page allows you to configure which vCenter system the connection server will use to locate virtual desktops.
Install the agent to the virtual desktop
You will need to create a VM which runs either Windows XP Professional, or any of the non-home editions of Windows Vista or Windows 7; you can do this using an existing template or manually. This virtual machine will be the one that end users connect with to view their physical machine. The "Home Editions" of Windows do not support RDP connections and cannot be added to the Microsoft Active Directory Domain. Both of these "features" are requirements for VMware View to work. As you can tell VMware View is really about delivering a corporate desktop to corporate users wherever they are on the network – be it at home or work.
Additionally, it is worth stating that at the time of writing there is no official support from VMware for the 64-bit edition of Windows as virtual desktops. In my own tests I was able to make the VMware Agent work with the 64-bit edition of Windows 7, but only by not installing the VMware USB Redirection Service. Finally, it is possible to store virtual desktops on local storage – but doing so clearly stops features such as VMotion, DRS and HA. If you need to upgrade the ESX server software and you use local storage – then you will be unable to move your virtual desktops to another ESX server without affecting the end-users.
Prior to installing the VMware View Agent confirm the following:
- The virtual desktop is joined to the domain
- RDP has been enabled. I would recommend that if you are using Vista or Windows 7 you use low-security for RDP. This will mean any physical client will be able to connect without security errors occurring. It will mean a Windows XP physical client will be able to connect to a Windows 7 virtual desktop. The higher-level security offered by RDP in Vista and Windows 7 is incompatible with older editions of Windows and may cause problems with "dumb" terminals. The screen grab below shows me enabling RDP on Windows 7 (Beta) and allowing the members of a group I called "Virtual Desktop Users" in Active Directory the privilege of Remote Access.
- Confirm you can connect to the virtual desktop by using Microsoft RDP Client and an ordinary user account from the Active Directory Domain. The most common reason for this failing is simply forgetting to put the user accounts that will access the virtual desktops in the right group!
- Optimize your virtual desktop. This series isn't really the place to discuss the "perfect" Windows XP/Vista/7 build. But before you make this virtual desktop a potential template to be used with your virtual desktop pools, you might want to think about how to harden and optimize your Windows builds for performance and security such as disabling services, or running a defragment or perhaps using the "shrink" feature to reduce the storage penalty of a VM. Some people go so far as using tools such as nLite and vLite which strip-out unwanted or unneeded components from the source Windows XP or Vista CD. Whilst these tools can be useful they invalidate your support and if they are used too aggressively they can cause applications or services to fail because of missing components. Although you will hear people online sing the praises of such tools – beware of unforeseen consequences. As ever there is a tension between "optimizing" Windows and breaking Windows.
- To install the VMware Agent, double-click the VMware-viewagent-N.N.N-NNNNNN.exe
- After a short time you will be presented with the Custom Setup component for the VMware View Agent
The VDM Secure Authentication component allows for the VMware View Client to "pass-through" the logon details from the client to the agent. Incidentally, it does not pass-through the credentials gained from the Ctrl+Alt+Del logon process from the physical client, which is a bit of a disappointment and a limitation currently in the product. The USB redirection component allows the end-user to plug a USB device into the physical machine and have this detected and recognized by the virtual desktop. Finally, the VMware View Composer Agent is a part of the Composer feature and is required if you want to use this VM to be the basis of all your future VMs, acting as a "master" from which all VMs are created. Personally, I like to install ALL these features so I don't have any hardcoded limitations, and so there is no need to revisit the installer of the agent because of a missing component. Remember the USB Redirection Service is currently incompatible with Windows 7 64-bit. Additionally, I have found that the "pass-through" authentication and virtual printing do not currently work with Windows 7 Beta.
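The pre-install checklist above (domain membership, RDP enabled, RDP security level, and the group allowed Remote Access) can be confirmed from a PowerShell prompt on the virtual desktop before the agent goes on. This is an added example, not part of the original article or VMware's tooling; it assumes PowerShell 2.0 or later, the English name of the local "Remote Desktop Users" group, and that the Active Directory group is called "Virtual Desktop Users" as in the article.

```powershell
# Added example: pre-install checks for a View virtual desktop (PowerShell 2.0+).
# Assumption: the AD group granted Remote Access is named as in the article.
param([string]$ExpectedGroup = 'Virtual Desktop Users')

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value does not exist (e.g. UserAuthentication on XP).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. The virtual desktop is joined to the domain.
$cs     = Get-WmiObject -Class Win32_ComputerSystem
$joined = [bool]$cs.PartOfDomain

# 2. RDP is enabled: fDenyTSConnections = 0 allows incoming connections.
$rdpEnabled = ((Get-RegValue $tsKey 'fDenyTSConnections') -eq 0)

# 3. RDP security level. UserAuthentication = 1 requires Network Level
#    Authentication (the "more secure" option on Vista/7); 0 or missing is the
#    "low-security" setting the article recommends for older clients.
$nlaRequired = ((Get-RegValue $rdpKey 'UserAuthentication') -eq 1)
$layerNames  = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$layer       = Get-RegValue $rdpKey 'SecurityLayer'
$layerName   = 'not set'
if ($layer -ne $null) { $layerName = $layerNames[[int]$layer] }

# 4. Who may log on over RDP: members of the local "Remote Desktop Users"
#    group (English name assumed), read through the ADSI WinNT provider.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# Summary: every value should match what you intended before templating the VM.
New-Object PSObject -Property @{
    DomainJoined   = $joined
    Domain         = $cs.Domain
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    SecurityLayer  = $layerName
    RdpUsers       = ($members -join ', ')
    GroupHasAccess = ($members -contains $ExpectedGroup)
} | Format-List
```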
Install the off-line client to a physical desktop
There are actually three different clients for VMware View currently available. There is an ActiveX client which is installed if users login to the Connection Server via a web-browser. There is a standard 32-bit client, and a 32-bit client that supports the new "offline desktop" feature. Personally, I like to install the client with the most functionality as the full client will still allow a user to login via a webpage as well as directly to the Connection Server.
- On the end-user's physical machine login with your administrative account
- Install the VMware View Offline-Client by running the VMware-viewclientwithoffline-N.N.N-NNNNNN.exe
- As with the VMware View Agent, there is also a USB Client and Offline Desktop Component to the Custom Setup dialog box
- Optionally, during the install you are able to pre-set the Connection Server that the client will use by default
In the next section, learn about publishing an individual virtual desktop.
Mike Laverick is a professional instructor with 15 years experience in technologies such as Novell, Windows and Citrix, and he has been involved with the VMware community since 2003. Laverick is a VMware forum moderator and member of the London VMware User Group Steering Committee. In addition to teaching, Laverick is the owner and author of the virtualization website and blog RTFM Education, where he publishes free guides and utilities aimed at VMware ESX/VirtualCenter users. In 2009, Laverick received the VMware vExpert award and helped found the Irish and Scottish user groups. Laverick has had books published on VMware Virtual Infrastructure 3, VMware vSphere4 and VMware Site Recovery Manager.
This was first published in November 2009