Installing a basic View 3 environment is a fairly straightforward process.


Make sure that you are at U3 across the board, i.e. U3 of both ESX and vCenter.  If not, you will not be able to utilise any of the newer features such as Offline Desktops or Linked Clones.

Overview of View Connection Server

First a little bit of revision: View Connection Server communicates with vCenter in order to provide management of virtual desktops over and above what is available in vCenter.   This includes things such as virtual desktop creation, pool management and power operations, such as automatic suspend and resume.

View Connection Server also performs the following functions:

  • User authentication
  • User desktop entitlements with View LDAP
  • Virtual desktop session management
  • Coordination of the secure connection establishment, virtual desktop connection, and single sign-on
  • Administration server used by the View Administrator Web client
  • Virtual desktop pool management

So all in all it is a pretty busy beast.   That and the View Agent and Client make up the View Management suite.   There is also desktop composer but that is for a later post.

View Connection Server Instances

The Connection Server is installed on Microsoft Windows Server 2003; this can be either a virtual server or a physical server dedicated to brokering View Manager connections.   The host system must be joined to an Active Directory domain and cannot be a Domain Controller.  What this means is: do not install any other role on the server.

The user account used to install View Connection Server must have local administrator privileges on the target server.  The View Connection Server administrator must also possess administrative credentials for the vCenter server.

The server can be installed either as a standard, replica or security server; the instance type is selected during the installation process. I will dig deeper into each installation type as we go on.

First a bit about the architecture.

As already stated, View installs the Connection Broker on Windows 2003 R2, an agent on the desktop (currently Windows XP or Vista), and either a full client on a Windows-based OS or a browser-based client on other desktops.

View LDAP

View keeps itself in sync by using an ADAM database, a type of embedded LDAP (Lightweight Directory Access Protocol) directory.   The directory serves as the data repository for all View Manager configuration information, and uses Microsoft Active Directory Application Mode (ADAM) on Windows 2003 or Active Directory Lightweight Directory Services (AD LDS) on Windows Server 2008 as its datastore.  On View Connection Servers running on Windows 2003, ADAM is an embedded LDAP directory provided as part of the installation.

View LDAP contains the following components that are used within View Manager:

  • Specific View Manager schema definitions
  • Directory information tree (DIT) definitions
  • Access control lists (ACLs)

It also contains entities that represent the following View Manager objects:

  • Virtual desktop entries that represent each accessible virtual desktop; these contain references to the Foreign Security Principal (FSP) entries of Windows users and Windows user groups in Active Directory that are authorised to utilise a particular desktop
  • Virtual desktop pool entries that represent multiple virtual desktops managed together
  • Virtual machine entries that represent each virtual desktop
  • View Manager component configuration entries used to store configuration settings

View LDAP also includes a set of View Manager plug-in DLLs that provide automation and notification services for other View Manager components.
Note: Security server instances do not contain the View LDAP component.

Preparing for Installation

View Manager uses ephemeral ports in order to establish TCP connections between the View Connection server and the desktops it administers. An ephemeral (short-lived) port is one that is automatically created by the operating system when a programme requests any available user port. The port is drawn from a predefined range typically between 1024 and 65535 and is released once it has served its purpose.

The default maximum number of ephemeral ports that can be created simultaneously on Windows 2003 Server is 5000. If an environment with more than 1000 concurrent clients is likely, it is recommended that the number of available ephemeral ports is increased.

To increase the maximum number of ports

  1. Start Regedit from a command prompt.
  2. Locate the following subkey in the registry, and then click Parameters:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  3. On the Edit menu, click New, and then add the following registry entry:

Value Name: MaxUserPort
Value Type: DWORD
Value data: 65534
Valid Range: 5000-65534 (decimal)
Default: 0x1388 (5000 decimal)

  4. Exit Registry Editor and then restart the system.
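The same change done as a script, so it can be reviewed and repeated on every Connection Server rather than typed into Regedit. This is an added example, not from the original post; it assumes PowerShell is installed on the Windows Server 2003 host and that it runs from an elevated prompt.

```powershell
# Added example (not from the original post): read, validate and set MaxUserPort on
# the Tcpip\Parameters key described above. Assumes an elevated PowerShell session on
# the Windows Server 2003 host that will become a View Connection Server.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName = 'MaxUserPort'
$Desired   = 65534      # top of the valid 5000-65534 range, as in the post
$Default   = 5000       # 0x1388: what Windows 2003 uses when the value is absent

function Get-MaxUserPort {
    # Returns the configured value, or the built-in default when the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$ValueName
}

function Set-MaxUserPort {
    param([int]$Port)
    # Refuse values outside the documented range rather than writing something the
    # TCP/IP stack will ignore or clamp.
    if ($Port -lt 5000 -or $Port -gt 65534) {
        throw "MaxUserPort must be between 5000 and 65534 (decimal); got $Port"
    }
    # -Force overwrites an existing value of any type, so a stray REG_SZ left by an
    # earlier manual edit is replaced with the REG_DWORD the stack expects.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Port -Force | Out-Null
}

$current = Get-MaxUserPort
# On Windows 2003 the ephemeral range runs from 1025 up to MaxUserPort.
Write-Host ("Current MaxUserPort: {0} (ephemeral range 1025-{0})" -f $current)

if ($current -lt $Desired) {
    Set-MaxUserPort -Port $Desired
    Write-Host "MaxUserPort set to $Desired; reboot before the new range takes effect."
} else {
    Write-Host "No change needed."
}
```

This key only governs Windows Server 2003; on Windows Server 2008 and later the dynamic port range is managed with netsh int ipv4 set dynamicport tcp instead.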

Standard Server Installation

A standard server deployment creates a single standalone View Connection Server. This server can later become the first instance within a replicated View Connection Server group. When a standard instance is created during the installation routine, a new local View LDAP instance is created. The schema definitions, DIT definitions, ACLs and so on are loaded and the data is initialised.
Note: Most configuration data in View LDAP is maintained from View Administrator, although View Connection Server manages some entries automatically.
To install a standard server

  1. Run the following executable on the system that will host the View Connection Server, where xxx is the build number of the file:

VMware-viewconnectionserver-xxx.exe

  2. The VMware Installation wizard is displayed. Click Next.
  3. Accept the VMware license terms and click Next.
  4. Accept or change the destination folder and click Next.
  5. Choose the Standard deployment option.
  6. Click Next > Install > Finish.

Replica Server Installation

For resilience you need to add replica servers; these are additional View Connection Server instances that are installed in order to provide high availability and load balancing.   When a replica server is installed, a local ADAM instance is also created; however, the View LDAP data on the replica server is initialised from an existing View Connection Server.  During replica installation, an agreement is established that ensures every View Connection Server in the replicated group shares the same configuration data. Whenever a change is made to View LDAP data on one system, the updated information is automatically replicated to every other replica server within the group.

The replication functionality provided by ADAM is the same replication technology as Active Directory.

In order to install a replica, there must be at least one View Connection Server instance already present on the network. A replica server can use either a standard server or another replica server to initialise its LDAP datastore; once initialised, the behaviour and functionality of the server are identical to those of a standard server.

In the event of a server failure, the other servers in the replicated group will continue to operate. If the failed server resumes activity, its configuration data is automatically updated to reflect any changes that may have taken place during the outage.

Multiple Replica Servers

To further enhance the high-availability and scalability requirements of your VDI environment, you will need to implement a load-balancing solution. This will ensure that connections are evenly distributed across the available View Connection Servers, and that failed or inaccessible servers are automatically excluded from the replicated group.

Remember, View Connection Server does not provide load-balancing functionality itself; it needs to work with standard third-party load-balancing solutions such as WNLB.

To install a replica server

  1. Run the following executable on the system that will host the View Connection Server, where xxx is the build number of the file:

VMware-viewconnectionserver-xxx.exe

  2. The VMware Installation wizard is displayed. Click Next.
  3. Accept the VMware license terms, and click Next.
  4. Accept or change the destination folder, and click Next.
  5. Choose the Replica deployment option.
  6. Enter the host name or IP address of the existing View Connection Server that this instance will be replicated with. If the target system is not part of the same domain as the main server, local administrative rights will be required on the target server to do this.
  7. Click Next > Install > Finish.

Security Server Installation

A demilitarised zone (DMZ) is a semi-protected sub-network that exists between a secure internal network and an insecure external network. Services that exist within this space are exposed to both networks and provide an entry point for external users to access applications that reside within the internal secure network.
View Connection Server security servers are installed in the DMZ in order to add an additional layer of network protection; they ensure that only authenticated users can connect to the internal network from external locations by providing a single point of access. Because the inbound communications from DMZ services can be strictly controlled via firewall policy and access controls, the risk of the internal network being compromised is significantly reduced.

Remember, in a LAN-based deployment where no additional security layers are required, users can connect directly to any View Connection Server from within the secure internal network, as the standard installation includes the security server proxying function.

When remote users connect via a security server, they must successfully authenticate before they can access any virtual desktops.   With appropriate firewall rules on both sides of the DMZ, this type of deployment is suitable for accessing virtual desktops from Internet-located client devices.  Multiple security servers can be connected to each standard or replica View Connection Server, and a DMZ deployment can be combined with a standard deployment to offer access for internal and external users.

Security servers implement a subset of View Connection Server functionality, and do not need to reside within an Active Directory domain. In addition, security servers do not contain a View LDAP configuration datastore and do not access any other authentication stores, such as Active Directory or RSA Authentication Manager.  Therefore a security server is in reality nothing more than a proxy server.

Firewall Configuration
Figure 3-4 shows a security server deployment and illustrates the relationships between the security server and all the other components including the protocols each component utilises.

View Manager Component Diagram, (taken from the View Admin Document).

The recommended security configuration for a DMZ-based security server deployment is a dual firewall. In this configuration, an external network-facing “front-end” firewall protects both the DMZ and the internal network, and a “back-end” firewall between the DMZ and the internal network provides a second tier of security. The front-end firewall is configured to allow network traffic to reach the DMZ, whereas the back-end firewall is configured only to accept traffic that originates from the services within the DMZ. This configuration is shown below.

To allow external client devices to connect to a security server within the DMZ, the front-end firewall must allow inbound traffic on TCP ports 80 and 443.   To allow the security server to communicate with each standard or replica server that resides within the internal network, the back-end firewall must allow inbound traffic on TCP port 8009 for AJP13 forwarded web traffic, TCP port 4001 for Java Message Service (JMS) traffic, and TCP port 3389 for RDP traffic.
Behind the back-end firewall, internal firewalls must be similarly configured in order to allow the View Manager desktops and View Connection Server instances to communicate with each other. Port 3389 (RDP) is used for traffic originating from a standard or replica server that is directed at a guest system. Port 4001 is used for JMS traffic originating from either the View Agent component installed on each View Manager desktop or from a security server in the DMZ, and is directed at standard or replica Connection Server instances.
The back-end and front-end firewall rules are summarised in the table below.

Firewall Type   TCP Port   Protocol   Source            Destination
Front End       80         HTTP       Any               Security Server
Front End       443        HTTPS      Any               Security Server
Back End        3389       RDP        Security Server   Any Desktop Machine
Back End        4001       JMS        Security Server   Standard or Replica Server
Back End        8009       AJP13      Security Server   Standard or Replica Server
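A quick way to verify the back-end rules before going live is to run a TCP reachability check from the security server itself against the ports in the table. This is an added example, not from the original post; the server name and desktop address are constructed placeholders, and it assumes PowerShell is available on the security server.

```powershell
# Added example (not from the original post): from a security server in the DMZ,
# confirm the back-end firewall passes the three ports listed in the table towards the
# paired standard/replica Connection Server and a test desktop. Names/addresses are
# constructed placeholders.
$ConnectionServer = 'view-cs01.corp.example'   # hypothetical paired standard/replica server
$TestDesktop      = '10.0.50.21'               # hypothetical desktop VM behind the back-end firewall
$TimeoutMs        = 3000

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout = $TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK within the timeout: the firewall is silently dropping the traffic.
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Required flows, taken from the firewall table: what a security server must reach.
$Required = @(
    @{ Target = $ConnectionServer; Port = 8009; Use = 'AJP13 forwarded web traffic' },
    @{ Target = $ConnectionServer; Port = 4001; Use = 'JMS' },
    @{ Target = $TestDesktop;      Port = 3389; Use = 'RDP to desktop' },
    # Local listener check only: the front-end rule itself must be tested from outside.
    @{ Target = 'localhost';       Port = 443;  Use = 'HTTPS listener for external clients' }
)

$failed = @()
foreach ($r in $Required) {
    $ok = Test-TcpPort -ComputerName $r.Target -Port $r.Port
    Write-Host ("{0,-26} {1,5}  {2,-36} {3}" -f $r.Target, $r.Port, $r.Use,
        $(if ($ok) { 'open' } else { 'BLOCKED' }))
    if (-not $ok) { $failed += $r }
}

# Non-zero exit so the check can run from a scheduled task and raise an alert.
if ($failed.Count -gt 0) { exit 1 }
```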

External URL
By default, the FQDN of the host is required by View Client in order to establish a connection with the View Connection Server.   This information will not be available to clients who attempt to contact the server from outside the corporate network environment.
Refer to “Client connections from the Internet” for information on how to add an external URL to a security server to make it accessible from the Internet.
Offline Desktop
If there is an intention to utilise the offline desktop feature, port 902 must be accessible on the ESX /ESXi server, this port is used to establish the TCP connection through which the offline desktop data is downloaded and uploaded.
RDP
When View Agent is installed on a desktop virtual machine or an unmanaged desktop source, the installer configures the local firewall rules for inbound RDP connections to match the current RDP port of the host operating system; in the vast majority of cases this will be 3389.  If an administrator subsequently changes the RDP port number, the associated firewall rules for both the desktop VM and or the unmanaged desktop

So now that we have the firewall ports sorted, let's install a Security Server.

Installing a Security Server

  1. Run the following executable on the system that will host the security server, where xxx is the build number of the file:

VMware-viewconnectionserver-xxx.exe

  2. The Installation wizard is displayed. Click Next.
  3. Accept the license terms and click Next.
  4. Accept or change the destination folder and click Next.
  5. Choose Security Server.
  6. Each security server is paired with a View Connection Server and forwards all traffic to that server. Enter the FQDN of the standard or replica server with which the security server is to communicate.
  7. Click Next > Install > Finish.

Right, that's the easy part done; now let's sort out some permissions in vCenter. You do not want to be giving every Tom, Dick and Harry admin access rights :D

vCenter Permissions for View Manager Users
To use vCenter with View Manager, administrators must have permission to carry out certain operations in vCenter. These permissions are granted by creating vCenter roles and assigning them to a View Manager user from within vCenter.  As I have already alluded to, vCenter administrative users have all the requisite permissions enabled by default.

Admin rights are required to manage View; however, assign them at the Datacenter or Cluster level where the VDI guest pools will be created, so that View can make the required changes there.

To create the View Manager role for a vCenter user

  1. In VirtualCenter, click the Administration button.
  2. If it is not already selected, click the Roles tab and click Add Role.
  3. Enter a name for the role (View Administrator, for example).
  4. In the list of Privileges, expand Folder and select Create Folder and Delete Folder.
  5. Expand Virtual Machine and perform the following steps:

    a. Expand Inventory and select Create and Remove.
    b. Expand Interaction and select Power On, Power Off, Suspend and Reset.
    c. Expand Configuration and select Add New Disk, Add or Remove Device, Modify Device Settings, and Advanced.
    d. Expand Provisioning and select Customise, Deploy Template, and Read Customisation Specifications.

  6. Expand Resource and select Assign Virtual Machine to Resource Pool.
  7. Click OK. The new role appears in the list of roles.
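The same role can be created and scoped with VMware PowerCLI, which makes the privilege list reviewable and the assignment repeatable. This is an added example, not from the original post; it assumes PowerCLI is installed, and the vCenter name, service account and datacenter name are placeholders.

```powershell
# Added example (not from the original post): create the View role with the privileges
# listed in the wizard steps above, then grant it to the View service account only at
# the datacenter that will hold the desktop pools. Assumes VMware PowerCLI is loaded.
Connect-VIServer -Server 'vcenter.corp.example'   # hypothetical vCenter; prompts for credentials

$RoleName    = 'View Administrator'
$ViewAccount = 'CORP\svc-view'                    # hypothetical service account used by View
$PoolScope   = Get-Datacenter -Name 'VDI'         # hypothetical datacenter for the pools

# Privilege IDs matching the wizard: Folder, Virtual Machine (Inventory, Interaction,
# Configuration, Provisioning) and Resource.
$PrivilegeIds = @(
    'Folder.Create', 'Folder.Delete',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Suspend', 'VirtualMachine.Interact.Reset',
    'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Provisioning.Customize', 'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.ReadCustSpecs',
    'Resource.AssignVMToPool'
)

# Fail early if this vCenter version does not know one of the IDs, rather than
# silently creating a role that is missing a privilege View needs.
$privileges = @(Get-VIPrivilege -Id $PrivilegeIds)
if ($privileges.Count -ne $PrivilegeIds.Count) {
    throw "Not every privilege ID was found on this vCenter; check the list before creating the role."
}

# Create the role only if it does not already exist, so re-running the script is safe.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $privileges
}

# Scope the permission to the pool datacenter rather than the vCenter root, and
# propagate so folders and resource pools created underneath inherit it.
New-VIPermission -Entity $PoolScope -Principal $ViewAccount -Role $role -Propagate:$true | Out-Null

# Show what the account can now do, and where.
Get-VIPermission -Entity $PoolScope -Principal $ViewAccount |
    Select-Object Entity, Principal, Role, Propagate
```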

OK, now let's get it working :D

Initial View Manager Configuration
Now that you have installed one or more instances of View Connection Server, you must carry out an initial configuration so that the servers are ready to carry out administrative tasks.   This configuration is carried out from within View Administrator, the Web-based administrative component of View Manager.   Remember that this function is only available on standard Connection Servers and replica servers.

To perform an initial configuration
Open a browser supported by View Administrator, and enter the following URL, where <server> is the hostname or IP address of a standard or replica View Connection Server instance:

 https://<server>/admin

This is important, so please take notice. View Administrator is accessed over an SSL connection.   The first time you connect, your browser may present you with an intermediary page warning that the security certificate associated with the address was not issued by a trusted certificate authority; this is expected behaviour because the default root certificate supplied with View Connection Server is self-signed.

Log in using the appropriate credentials.  This is usually the Domain or Local Admin user. Remember, all domain users who are members of the local Administrators group on the View Connection Server are allowed to log in to View Administrator; this can be changed later.  The first time a login occurs, the Configuration view is shown.   After the product has been licensed, the Desktop view is displayed.

Within the configuration view, do the following:

  • Under Product Licensing, click Edit License and enter the View Manager license key in the field provided. Click OK.
  • Under VirtualCenter Servers (vCenter), click Add and complete the details for one or more vCenter Servers to use with View Manager.
  • Enter the FQDN or IP address of the vCenter server that View is going to communicate with in the Server Address text box.

A point of caution here: if you enter a server using its DNS name or a URL, View will not perform a DNS lookup to verify that the entry has not previously been entered using its IP address.  A conflict will arise if a vCenter server is entered by both its IP address and its DNS name.

    • Enter the username of a vCenter user or administrator in the User Name text box. If the user name entered is not an Administrator, make sure that it has the requisite level of authority; revisit “vCenter Permissions for View Manager Users” above.
    • Enter the password that corresponds to the username entered above in the Password text box.
    • (Optional) Enter a description for this vCenter server in the Description text box.
    • If the connection to the vCenter server will be made via an SSL link, verify that the “Connect using SSL” checkbox is checked. This is the default setting.
    • Enter the TCP port number in the Port text box. The default is 443.
    • (Optional) If the Advanced button is clicked, the following may also be configured:

♦  Maximum number of concurrent provisioning operations – the maximum number of virtual machines that will be created simultaneously by View Manager in vCenter at any given time.
♦  Maximum number of concurrent power operations – the maximum number of concurrent power operations (startup, shutdown, suspend etc.) that will take place on View Manager-managed virtual machines within vCenter at any given time.

Click OK to store the vCenter Settings.

  • Under Administrators, click Add and use the form provided to grant administrative rights to the AD users who will require access to View Administrator. Once completed, click OK.
