VMware View Manager 3.0
I recently had to setup VMware View Manger 3.0 (formely Virtual Desktop Manager 2.0) in our demo environment for showing to our clients and showing the benefits of Virtual Desktop solutions. When I setup the our first demo environment on VMware Virtual Desktop Manager 2.0 (now called View Manager 3.0) I was very impressed with the simplicity of the solution (if you already had VMware ESX and Virtual Center deployed). It was missing certain features that other Virtual Desktop solutions had but you knew VMware was going to be working on them (and you know the other Virtual Desktops are adding new features and trying to catch up in other areas). So here are some of the lessons learned from the VMware View Manager 3.0 demo environment I built.
First we will start with the basics of the solution:
- View Standard Connection Server - Server that manages and controls the desktop environment (desktop pools, persistent vs non-persistent, storage location, provisioning, entitlements). This is the 1st server you have to setup.
- View Replica Connection Server - A copy of the Connection Server for redundancy. Not required but recommended for any production rollout.
- View Security Server - The remote access portion of the View solution. Not required but recommended for any environment that requires remote access to the virtual desktop infrastructure.
- ESX server - Hypervisor to virtualize the desktop images. (Read New Features section for more information)
- vCenter Server (formely Virtual Center) - Manages and control templates, snapshots, folders, resource pools, and virtual machines.
- Desktops - Virtual desktops, physical desktops and terminal servers are now supported for deployement (Read New Features section for more information)
- View Composer - Support for Linked Clones in the storage of the Virtual Desktop on ESX. Linked Clones save on storage, provide faster provisioning and support persistent desktops (users who need to change the desktop environment) while keeping disk space requirements low.
New Features in View 3.0
- View Composer - Enables Linked Clones of Virtual Disk Files. This is pretty interesting. It saves on disk space first of all by using a single base snapshot and then each desktop gets its own differential file. I haven't tested it yet but supposedly you could update the base VM with a Windows Update, then have the base snapshot apply to the VMs without messing up the apps or anything else the user may have installed. Very cool.
- Offline Desktops - This feature allows you to download a copy of the VM to your local PC. Now I know there are some use cases for this but I think Application Virtualization/Streaming is more compelling. The download of 8-16 images and then uploading them when they are done is pretty crazy. I know users want offline apps, but mostly users want Outlook offline and that can be accomplished in so many other ways. Still a very cool feature.
- Unified Access - support for multiple sources of desktops not provided via Virtual Desktops on VMware ESX.
- Hypervisor - No longer does VMware require you to use their hypervisor for the virtual desktops. HOWEVER the features they support on other hypervisors is very different and my affect how you deploy desktops on other hypervisors. An example, VMware can't power on or power off Virtual Machines on other hypervisors.
- Physical or Virtual - Virtual machines running on ESX are fully supported. Virtual Machines on other hypervisors are treated as unmanaged desktops. Physical Desktops are also treated as unmanaged desktops also. Unmanaged desktops doesn't support power on or power off capabilities.
- Terminal Server Support - Terminal Servers are supported as unmanaged desktops. Terminal Server sessions can also be accessed externally via the View Security Server
- Enhanced Policies for offline policies, Single Sign On, authentication, USBredirection, multimedia redirection,etc.
- Usage Console (Configuration Tab) - Look at the current and highest user count of Virtual Desktops for licensing and planning.
Lessons learned from the installation and configuration
- Virtual Center 2.5 (now going to be called vCenter Server) needs to be at 2.5 Update 3.
- ESX 3.5 must also be at 3.5 update 3 if you plan on taking advantage of View Composer.
- Vista on ESX
- Vista by default will put itself into Sleep mode after 1 hr. Not fun for virtual desktops.So make sure to set your templates, snapshots and any Vista VM running on ESX to not sleep after 1 hr.
- Open the Control Panel -> (enable Classic Mode if not done already) -> Power Options -> Change when the computer sleeps -> Never -> Save.
Note: Vista on Microsoft Hyper-V and Citrix XenServer do not require this. - View Composer
- Must be installed on the vCenter Server (AKA VirtualCenter Server)
- Requres a seperate database to enable.
- The account used to configure View Composer during the install, must have permissions to join users to the domain and must have permissions into vCenter Server (see admin guide). Also during the install, check in the event logs if you have errors connecting the database since it could require you to give DOMAIN\vCenterServerNAME$ to the database as a DB_Owner.
- The necessary license is also required to be installed in the View Manager Web Administration tool to enable View Composer.
- The vCenter Server defined in the View Manager Web Administration must have View Composer enabled with the account has rights to join workstations to the domain.
- Requires a desktop with the following requirements
- Virtual Machine should be on DHCP.
- Ipconfig /release should be run in the VM.
- The Virtual Machine must then be shutdown. (A powered-on snapshot won't work)
- A snapshot must then be run on the Virtual Machine. (the snapshot must be of a powered-down VM or you will not be able to see the Snapshot in the View Manager)
A Desktop Pool without a linked clone requires a template and a specification which is different then the snapshot requirement of a linked clone virtual machine. - Group Policy Preferences should be used to add Users to the Remote Desktop Users group (much easier than a script and starts getting you used to GPPs)
- Desktop Pools that are created from a template need to have a group or user added to the Remote Desktop Users group of the VM. When there are issues with this, you will see Access Denied or session access is denied.
- Using a Vista or Windows 2008 Server in the domain, edit the GPO that applies to the desktops OU.
- Computer Configuration -> Preferences -> Control Panel Settings -> Local users and Groups.
- Create a Preference.
- Select the Action as Update.
- Select the Group Name "Remote Desktop Users (built-in)"
- Click the Add button and add the groups or users you wish to have in the group.
- If necessary, click on the Common tab and click on the Item-Level Targeting option. Then click the Targeting button to create the rules to the machines you want this policy to apply.
- Apply the preference and click Ok.
- Install the Group Policy Preferences via Windows Update -> Optional Updates.
Note: Very critical that you ensure the Group Policy Preferences Extensions are updated on all XP, and Vista workstations. Run Windows Update and then click on Optional Updates. Then enable the update of Group Policy Preference Extensions. Without this the policy will not apply. - GPPs can also be used to build the desktop with shortcuts or files for VMware ThinApp.
- Security Server Configuration
- Once the Security Server has been installed and the necessary external NATing, DNS and Firewall rules have been configured, you need to add the Security Server Configuration.
- In the Configuration Tab, click on Add under Security Servers
- Add the actual FQDN of the Security Server (may require Hosts file or DNS modification since it will more then likely be in the DMZ)
- Enter the external URL and port used by the users outside the company and click OK.
- Select on Create Configuration File and save the file to the C:\
- Copy the file you just saved to C:\Program Files\VMware\VMware View\Server\sslgateway\conf on the Security Server.
- Restart the Security Server to enable this feature.
Without this, connections from the outside will look they are going to work but then error out with error messages concerning the internal FQDN of the Standard Server - Virtual Desktop Basic Setup
- Install OS
- License/Activate the OS
- Install VMware Tools
- Name the workstation accordingly
- Set the VMs for DHCP (Static is possible but might be more to manage).
- Join the domain
- Run Windows Update a few times to make sure the VM is all the way up to date
- Install the View Agent
- Install the Group Policy Extensions (Optional Update in Windows Update)
- Reboot (take a snapshot for backup purposes and copy to Template) or Shutdown (if using linked clones)
- Virtual Desktop Advanced Setup (some of these are from VMworld 2008 VDI Presentations)
- Give enough RAM to the desktops so they don't have to swap that much.
- Use the LSI Logic cards for XP and Vista
- For Linked Clones, Add a D:\ Drive (move pagefiles and temp files here)
- Disable AV Updates (might not work for all)
- Disable System Restore ( http://support.microsoft.com/kb/310405)
- Disable Boot Optimization (http://www.theeldergeek.com/automatic_boot_disk_optimization_%5Bdefrag%5D.htm)
- DRS Pool for different desktop levels (Execs may get one DRS Pool, while task workers get access to less resources)
- Don't mix servers and desktops on the same hosts (unless this is a very small environment)
- Load Balance Security Servers and Connection Servers (Standard and Replicas)
Overall, I am impressed with the new features and the admin interfaces. The user inferface is very clean which is great but doesn't have a WOW factor. It is very easy to setup but documentation isn't all the way up to speed (which is why I wrote this article).
Some suggestions for later revisions of View Manager for the time being are mostly cosmetic for now until I get some more use out of the solution. Overall, a good product. Good job guys and girls at VMware.
- Make the certificate replacement of the Security Server SSL Cert easier.
- Give admins the ability to upload different graphics, logos or color schemes to the Web Site for clients.
- Granular control of administrators that allow certain admins to view and reset desktops, while others get full access.
- Policies should be based on user or group rather than global policies. There are lots of times we want to enable USB for some users and not others. Sometimes we want them to access USB on one VM but not on another VM.
- Historical Reports of who used VMs and where the accessed it from. We want to know who accessed the VM externally or from the internal client IP address. This can be for security or troubleshooting purposes. Also historical reporting to know when they accessed the desktop and for how long. Top 10, 100, 1000 user reports. Stuff like that.
No comments:
Post a Comment