How To Use VMware - Part 1

Installation and Administration Guide
VMware Virtual Desktop Manager 2.0
Installation and Administration Guide Revision: 20080501 Item: VDM-ENG-Q108-450
You can find the most up-to-date technical documentation on our Web site at http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, and 7,290,253; patents pending. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.
Contents
AboutThisBook
5 7
VDMQuickStartGuide
Introduction 7 HardwareRequirements 7 Prerequisites 8 PreinstallationChecklist 9 PrepareDesktopVirtualMachines 9 InstallingtheVDMConnectionServer 10 SingleServerInstallation 10 OneTimeConfiguration 11 CreatingDesktops 12 CreatinganIndividualDesktop 12 EntitlingaDesktop 13 ConnectingtoDesktops 14
VDMIntroductionandSystemRequirements
VDMOverview 17 SystemRequirements 19 VDMConnectionServer 19 VDMClient 20 SupportedThinClientDevices 20 VDMWebAccess 21 VDMAgentVirtualDesktop 21 Prerequisites 21
17
InstallingandConfiguringVDM
23
PrepareDesktopVirtualMachines 24 UsingtheVDMAgentonVirtualMachineswithMultipleNICs 25 InstallingtheVDMConnectionServer 26 SingleServerInstallation 26 MultiserverInstallation 27 OneTimeConfiguration 29

VMware, Inc. 3
EndtoEndConfiguration 29 ConfigurationforaPooledDesktop 31 EntitlingaDesktop 38 ConnectingtoDesktops 39 VDMAdministratorUserInterface 41 InventoryPage 42 ConfigurationPage 43 EventsPage 44 SearchingDesktopsandEntitledUsersandGroups 44 WorkingwithActiveSessions 45 GlobalConfigurationSettings 46 ViewingEvents 47 RSASecurID 48 DeletingVDMObjects 49 InstallingSSLCertificates 50 CreatingtheCSR 51 VDMLoadBalancing 54 LoadBalancinginaNonDMZDeployment 54 SessionSetupandLoadBalancing 55 DNSRequirementsforaLoadBalancedSolution 56 LoadBalancingSolution 56 VDMDMZDeployment 57 DMZinstallation 57 LoadBalancinginaDMZDeployment 59 ConfiguringFirewallPortsforDMZDeployments 59 BackingupandRestoringADAMData 59 TroubleshootingVDM 60
Appendix:VDMClientAdvancedActiveDirectoryRDPSettings 61
UsingActiveDirectoryGroupPoliciesforAdvancedSettings 63
Glossary Index 69
65
VMware, Inc.
About This Book
Thismanual,theInstallationandAdministrationGuideprovidesinformationabout settingup,installing,andconfiguringVMwareVirtualDesktopManager(VDM), includinghowtoinstallthevarioussoftwarecomponents,howtodeployservers,and howtoconfigureandconnecttovirtualdesktops.Italsodescribeshowtosetupload balancing,security,andgivesinformationaboutsupportedoperatingsystemsandthin clientdevices. Thischaptercoversthesetopics: IntendedAudienceonpage 5 DocumentFeedbackonpage 5 TechnicalSupportandEducationResourcesonpage 6
Intended Audience
Thismanualisintendedforanyonewhowantstoinstall,administrate,orconfigure VDM.TheinformationinthismanualiswrittenforexperiencedWindowsorLinux systemadministratorswhoarefamiliarwithvirtualmachinetechnologyand datacenteroperations.
Document Feedback
VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhave comments,sendyourfeedbackto: docfeedback@vmware.com
VMware, Inc.
Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.You canaccessthemostcurrentversionsofthismanualandotherbooksbygoingto: http://www.vmware.com/support/pubs
Online and Telephone Support

Useonlinesupporttosubmittechnicalsupportrequests,viewyourproductand contractinformation,andregisteryourproducts.Goto http://www.vmware.com/support. Customerswithappropriatesupportcontractsshouldusetelephonesupportforthe fastestresponseonpriority1issues.Goto http://www.vmware.com/support/phone_support.html.
Support Offerings
FindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds.Goto http://www.vmware.com/support/services.
VMware Education Services

VMwarecoursesofferextensivehandsonlabs,casestudyexamples,andcourse materialsdesignedtobeusedasonthejobreferencetools.Formoreinformationabout VMwareEducationServices,gotohttp://mylearn1.vmware.com/mgrreg/index.cfm.
VMware, Inc.
VDM Quick Start Guide
ThischapterprovidesabriefoverviewoftheVMwareVirtualDesktopManager (VDM)administratoruserinterfaceandbasicVDMinstallationinstructions.It providesgeneralguidelinestoperformbasicconfigurationandtocreatevirtual desktops.Itprovidesabriefintroductiontobasicadministrationtasksandprovides pointerstomoredetailedinformationinotherchapters.
Introduction
VDMispartoftheVMwareVirtualDesktopInfrastructurewhichenablesenterprises tohostdesktopvirtualmachinesintheirdatacenterusingVMwaresoftwareand provideusersaccessfromaPCorthinclientusingaremotedisplayprotocol.VDM providesthesoftwaretoolsforsettingupandconfiguringyourvirtualdesktop environment.
Hardware Requirements
VDMrequiresadedicatedphysicalorvirtualserverwithfollowingspecificationsfor runningVDM.

Asaminimum,aPentiumIV2.0Ghzprocessor.Dualprocessorsareecommended. Asaminimum,2GBRAM.3GBRAMisrecommendedfordeploymentsof 50ormoredesktops. Aminimumofone10/100MbpsNIC.1GbpsNICisrecommend.
ForDMZdeployments,VDMrequiresanadditionaldedicatedhardwareorsoftware serverwithsimilarspecifications.
VMware, Inc.
Forhighavailabilitydeployments,eachVDMConnectionServerrequiresadedicated hardwareorsoftwareserverwithsimilarspecifications.
Prerequisites
VDMConnectionServerhasthefollowingprerequisites:
VMwareInfrastructure3(currentversionsofESXServerandVirtualCenter)with atleastoneESXhostandoneVirtualCenterinstance ServersrunningVDMConnectionServerstandardorreplicainstancesthatare joinedtoanActiveDirectorydomain NOTEVDMConnectionServerdoesnotmakenorrequireanyschemaor configurationupdatestoActiveDirectory.
IfyouareusingVI3guestcustomization,MicrosoftSyspreptoolsinstalledonyour VCServer AcustomizationspecificationthatpermitsclonedvirtualmachinestojointheAD domain(optional) AvalidlicensekeyforVDM
TheVDMAgent,VDMClient,andVDMWebAccesshavethefollowingprerequisites:
ForWindowsguestdesktopsandWindowsclients,youmusthaveadministrative privilegestoinstalltheVDMClientandtheVDMAgent. TheuseofActiveXcontrolsandInternetExplorer6orabovearerequiredfor WindowsclientuserswhoaccesstheirdesktopsusingVDMWebAccess. WebAccessusingLinuxorMacOSXrequiresJavaJREversion1.5.0or1.6.0. MicrosoftRemoteDesktopConnection6.0recommended(notrequired) ItisrecommendedthatyouupgradeVDMClientmachinestouseMicrosoft RemoteDesktopConnection(RDC)6.0.Thisrecommendationappliestomachines runningWindowsXPandWindowsXPe.Windows2000doesnotsupportRDC 6.0.WindowsVistacomeswithRDC6.0installed. RDC6.0canbedownloadedatthefollowingURL: http://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C0D1843 06ABCFD4F18C8F5DF9&displaylang=en

VMware, Inc.
Chapter 1 VDM Quick Start Guide
IfconnectingtoaWindowsVistadesktopusingaLinuxclient,youmustinstallthe rdesktopremotedesktopprotocolclientversion1.5.0,whichyoucandownload fromthefollowingURL: http://www.rdesktop.org/ Afteryoudownloadrdesktop,followtheinstructionsinthereadmefile.
Preinstallation Checklist
BeforeyouinstallVDM,usethefollowingchecklisttomakesureyouarereadyto performtheinstallation.
MakesurethemachinethatistoactastheconnectionserverisintheWindows domain. MakesuretheconnectionserverhasonlyoneNIC. MakesureyoucanpingtheFQDNoftheconnectionserver. UninstallanypreviousversionsofVDM.

Prepare Desktop Virtual Machines

BeforeyouinstalltheVDMsoftware,preparedesktopvirtualmachinesforuse.Where changesinVirtualCenterarerequired,seethelatestVirtualCenterdocumentationfor specificsteps. Makesurethatthefollowingprerequisitesareinplace:
Identifythebasedesktopvirtualmachinetodeploytousers,andinstallthelatest operatingsystemandapplicationServicePacksandpatches.ForWindowsXP desktopvirtualmachines,ensurethatthefollowingMicrosoftpatchthatVDM requiresisinstalled: http://support.microsoft.com/kb/323497

ThelatestVMwareToolsareinstalled(providedwithVI3). Makesurethatnetworkingsettings(proxies,andsoforth)areproperlyconfigured inthedesktopvirtualmachine. VMwareVDMAgentisinstalled.
VMware, Inc.
NOTEVDMAgentsoftwareisnotautomaticallyupdatedandmustbemanually uninstalledandreplacedwithanewversion.ForautomatedupdatingofVDM Agentinlargeenvironments,VMwarerecommendsusingstandardWindows updatemechanismssuchasAltiris,SMS,LanDesk,BMC,orothersystems managementsoftware.

Makesurethatyouhaveadministrativerightstothedesktopvirtualmachine.
To install VMware VDM Agent 1 DownloadtheVDMinstallerfilefromtheVMwaresecureWebsitetoalocaldrive. ForinformationaboutthelocationofthesecureWebsite,contactyourVMware representative. 2 RunVMware-vdmagent-2.0.0-<xxx>.exe xxxisthebuildnumberofthesoftwarecomponentyouareinstallinginthe desktopvirtualmachine. TheVMwareInstallationwizardopens. 3 4 5 6 7 8 ClickNext. AccepttheVMwarelicensetermsandclickNext. Chooseyourcustomsetupoptions. AcceptorchangethedestinationfolderandclickNext. ClickInstalltobegintheinstallationprocess. ClickFinish.
Installing the VDM Connection Server

TheVDMconnectionservermustberunningWindows2003Serverandbeeithera physicalserverdedicatedtoconnectionbrokeringorastandalonevirtualmachine. Optionally,youcanobtainanSSLcertificatetouseforthatserver.
Single-Server Installation
Themostbasictypeofdeploymentissingleserverdeployment.Figure 11showsa singleserverdeploymentwithaclientdevice,aconnectionserver,Webbased administration,ActiveDirectory,andVMwareVirtualInfrastructure.
10
VMware, Inc.
Figure 1-1. VDM Single Server Deployment

VMware Infrastructure VirtualCenter
Remote Users VDM Connection Server
ESX Servers (virtual desktops)
Active Directory
To perform a single server installation 1 RunVMware-vdmconnectionserver-2.0.0-<xxx>.exe onthemachinethatis toactastheconnectionserver. xxxisthebuildnumberofthesoftwarecomponentyouareinstalling. TheVMwareInstallationwizardopens. 2 3 4 5 6 ClickNext. AccepttheVMwarelicensetermsandclickNext. AcceptorchangethedestinationfolderandclickNext. ChoosetheStandarddeploymentoption. ClickNext>Install>Finish.
FormoreinformationaboutinstallingtheVDMConnectionServer,seeInstallingthe VDMConnectionServeronpage 26.
One-Time Configuration
PerformaonetimeconfigurationonyourVDMConnectionServersothatitissetup toperformdeploymenttasks.
VMware, Inc. 11
To perform a one-time configuration 1 Gotohttps://<hostname or ipaddress>/admintolaunchVDMAdministrator. <hostname_or_ipaddress>isthehostnameorIPaddressoftheVDMConnection Server,orloadbalancer. 2 Loginusingtheappropriatecredentials. Initially,alldomainuserswhoaremembersofthelocaladministratorsgroupon theVDMConnectionServerareallowedtologintotheVDMadministratoruser interface.YoucanusetheinterfacetochangethelistofVDMadministratorslater. Thefirsttimeyoulogin,theConfigurationpageappears.Afteryouenterthe licenseinformation,theInventorypagedisplayswhenyoulogin. 3 ClicktheConfigurationbuttontochangetotheConfigurationpageifitisnot displayedatlogin.OntheConfigurationpage,performthefollowingactions: a b InAccessandSecuritySettings,entertheVMwareVDMlicensekey. InVirtualCenterServers,clickAddandcompletethedetailsforthe VirtualCenterstousewithVDM. VDMdoesnotperformaDNSlookuptoverifywhetheranotherserveris usingtheIPaddressyouenterintotheserveraddressfield.Theconflictmight ariseifaVirtualCenterserverwasaddedbyenteringitsDNSnameorURLin theserveraddressfield. c GrantAdministrativerightstoADuserswhohaveloginaccesstoVDM Administrator.
Creating Desktops
AfteryouhaveinstalledtheVDMconnectionserver,createthevirtualdesktopsand entitleuserstoaccessthem.
Creating an Individual Desktop

CreatedesktopssothatenduserscanaccesstheVDMservice. To create an individual desktop 1 2 3 4
12
ClicktheInventorytab. InAllDesktops,clicktheDesktopstabandclickAdd. InSelectdesktoptype,clickIndividualdesktopandclickNext. EntertheDesktopIDandtheDesktopDisplayName.

VMware, Inc.
ThedesktopIDisthenamethatVDMusestoidentifythedesktop.Thedesktop displaynameiswhattheenduserseeswhenloggingintothedesktop.The desktopIDmustbeuniqueforeachdesktop,butthedisplaynamedoesnotneed tobeunique.ThedesktopIDanddisplaynameshouldcorrelatetosomething withinyourenvironment(departmentnameorlocation,forexample).Ifyoudo notspecifyadisplaynameusersseethedesktopID. 5 6 ClickNext. Setthedesktopparameters.

SettheDesktopstatetoeitherEnabledorDisabled. SettingittoEnabledmeansthatthedesktopisautomaticallyenabledafterit iscreated.SettingittoDisabledmeansthatyoumustmanuallychangethe settingtoEnabledinordertoactivatethedesktopafteritiscreated. SelectRemainonifyouwantthedesktoptoalwaysremainon.SelectAlways poweredonifyouwantthedesktoptoremainpoweredon. SelectSuspendwhennotinuseifyouwantthedesktoptobesuspended whentheuserisnotloggedin.SelectPoweroffwhennotinuseifyouwant todesktoptopoweroffwhennotinuse.
7 8 9
ClickNext. FromthelistofVirtualCenterservers,selecttheVirtualCenterserverthatthe desktopistouseandclickNext. InthetableontheVirtualMachineSelectionpage,selectthevirtualmachinethat thedesktopistouse. Allavailablevirtualmachinesthatarerunningasupportedguestoperating systemandthatanothervirtualdesktopisnotusingappearinthetable,including thosethataresuspendedornotpoweredon.
10 11 12
ClickNext. ReviewtheinformationinReadytoCompleteandclickFinishtoacceptitorBack tomakecorrections. ClickFinish.
Forinformationaboutcreatingdesktoppools,seeConfigurationforaPooled Desktoponpage 31.
Entitling a Desktop
Afteranindividualorpooleddesktophasbeenadded,entitleittoADusersorgroups.
VMware, Inc. 13
To entitle a desktop to an AD user or group 1 2 3 4 5 InAllDesktopsontheInventorytab,selectthedesktopthatyouwanttoentitle. ClickEntitle. ClickAdd. IntheSelectobjecttypesection,selectUsersand/orGroups. Chooseadomainwheretheobjectyouareentitlingresidesorselect EntireDirectorytosearchacrosstheentireActiveDirectorydomainforest. Youcansearchbynameordescription. 6 7 8 Selecttheobjecttoaddtotheentitlement. ClickOK. Inentitlement,clickOK.
Connecting to Desktops
VDMprovidestwooptionsforconnectingtothedesktopvirtualmachine:youcanuse theVDMClientorVDMWebAccess. To connect to desktops using the VDM Client
1
2
Makesureyouhaveadministrativerightstotheclientmachine.
DownloadandrunVMware-vdmclient-2.0.0-<xxx>.exe.
xxxisthebuildnumberofthesoftwarecomponentyouareinstalling. TheVMwareInstallationwizardopens.
3 4 5 6 7 8 9 10
ClickNext. AccepttheVMwarelicensetermsandclickNext. AcceptorchangethedestinationfolderandclickNext. ConfigureshortcutsfortheVDMClientor,ifyoudonotwanttouseshortcuts, deselectallchoices. ClickNext. ClickInstall. ClickFinish. StarttheVMwareVDMClient.
14
VMware, Inc.
11 12 13 14
IntheVDMServerdropdownmenu,enterthehostnameorIPaddressofthe VDMServer. ClickConnect. Enterentitleduserscredentials,selectthedomainandclickLogin. ChoosetheentitleddesktopandclickOK. Thedesktopvirtualmachineisconnected.
To connect to desktops using VDM Web Access 1 StartthebrowserandgototheVDMConnectionServerURL. Forexample:https://<hostnameoripaddress>,where<hostnameoripaddress>is thehostnameorIPaddressoftheVDMConnectionServer. 2 3 4 Enterentitledusersnameandpasswordandmakesurethatyouselectthecorrect domainfromthedropdownmenu. ClickLogin. WhenAccessStatusisReady,selectadesktopfromthelistandclickConnect. Thedesktopisconnected.
VMware, Inc.
15
16
VMware, Inc.
VDM Introduction and System Requirements
ThischapterintroducesVDManddescribesthesystemrequirementsforinstallingand runningit.VDMisaconnectionbrokerforVMwareVirtualDesktopInfrastructure.It connectsuserstovirtualdesktopsrunningonVMwareVirtualInfrastructure,and playsacriticalroleinsecurity,accesscontrol,andoveralldesktopmanagement. Thischapterdiscussesthesetopics:

VDMOverviewonpage 17 SystemRequirementsonpage 19 Prerequisitesonpage 21
VDM Overview
VDMintegrateswithActiveDirectoryandVMwareVirtualCentertomanageand deploydesktopstoendusers.VDMalsoprovidesaclientthatenablesuserstoconnect tovirtualdesktopsusingeitheraWindowsPC,thinclient,Linuxdesktop,orMacintosh computer.VDMprovidesasecureenvironmentfordeployingandaccessingvirtual desktopsandusesexistingActiveDirectoryfunctionalityforauthenticationanduser andusergroupmanagement. VDMhasthefollowingmaincomponents:
VDMClientUserfacingcomponentthatconnectstoVDMConnectionServerto connecttovirtualdesktops.Itisafeaturerich,nativewindowsapplication. VDMWebAccessUserfacingcomponentthatconnectstoVDMConnection Servertoconnecttovirtualdesktops.VDMWebAccessinstallstheclientthefirst timeyouconnectandconnectstovirtualdesktopsusingaWebbrowser.
VMware, Inc.
17
VDMAdministratorWebapplicationthatistheprimarymechanismfor configuringVDMandmanagingusersanddesktops. VDMConnectionServerSoftwarethatactsasaconnectionbrokerandprovides managementanduserauthenticationforvirtualdesktops.TheVDMConnection Serverdirectsincomingremotedesktopuserrequeststotheappropriatevirtual desktopandenhancestheuserexperience. VDMAgentSoftwarethatinstallsondesktopvirtualmachinesandenables featuressuchasRDPconnectionmonitoring,remoteUSBsupport,andsinglesign on.Allguests(desktopvirtualmachines)requiretheagenttobeinstalledtorun VDM.
VDMusesexistingADinfrastructureforauthenticationandusermanagement.VDM integrateswithVMwareVirtualCentertomanagevirtualdesktopsrunningon VMwareESXservers. Figure 21showsahighlevelviewofaVDMenvironmentanditsmaincomponents. Thesecomponentsaredescribedinmoredetailinlatersectionsofthisbook. Figure 2-1. High-Level View of a VDM Environment
VMware Infrastructure VirtualCenter Remote Users VDM Web Access VDM Administrator
VDM Connection Server Active Directory VDM Client
18
VMware, Inc.
Chapter 2 VDM Introduction and System Requirements
System Requirements
ThefollowingsectionsdescribethehardwarerequirementsfortheVDMconnection server,supportedthinclientdevicesfortheVDMclient,andsupportedoperating systemsfortheVDMConnectionServer,theVDMClient,andtheVDMAgent.
VDM Connection Server

TheVDMConnectionServerrequiresthefollowinghardwareandsoftware.
Connection Server Hardware Requirements

TheVDMConnectionServerrequiresthefollowinghardware:
Dedicatedphysicalorvirtualserverwithfollowingspecificationsforrunning VDM.
Asaminimum,aPentiumIV2.0Ghzprocessor.Dualprocessorsare recommended. Asaminimum2GBRAM.3GBRAMisrecommendedfordeploymentsof50 ormoredesktops. Aminimumofone10/100MbpsNIC.1GbpsNICisrecommended.
ForDMZdeployments,VDMrequiresanadditionaldedicatedserverwithsimilar specifications.FormoreinformationaboutDMZdeployments,seeDMZ Deploymentonpage 64. Forhighavailabilitydeployments,eachVDMConnectionServerrequiresadedicated serverwithsimilarspecifications. NOTEVDMConnectionServerisnotsupportedonserversthathavetheWindows TerminalServerroleinstalled.RemovetheWindowsTerminalServerrolefromany serveronwhichyouwillbeinstallingVDMConnectionServer.
Connection Server Supported Operating Systems

TheVDMConnectionServersupportsthefollowingoperatingsystems(Englishonly):

WindowsServer2003R2StandardEdition,SP2 WindowsServer2003StandardEdition,SP2 WindowsServer2003R2EnterpriseEdition,SP2 WindowsServer2003EnterpriseEdition,SP2
VMware, Inc.
19
VDM Client
TheVDMClientsupportsthefollowingoperatingsystemsanddevices:
VDM Client Supported Operating Systems

TheVDMClientsupportsthefollowingoperatingsystems:

Windows2000Professional,SP4 WindowsXPProfessional,SP1,SP2 WindowsXPHome,SP2 WindowsVistaHome WindowsVistaHomePremium WindowsVistaBusiness WindowsVistaUltimate
Supported Thin Client Devices

ThefollowingthinclientdeviceshavebeentestedtoconnecttoVDM2.0:

HPCompaqt5730ThinClient HPCompaqt5735ThinClient HPCompaq6720tMobileThinClient HPNeowarec50(XPe) WyseS10VDIEdition WyseV10L WyseV90 WyseV90L
NOTEForinformationaboutconfiguringWysethinclientdevices,seetheVMware technoteatthefollowingURL: http://www.vmware.com/info?id=347
20
VMware, Inc.
Chapter 2 VDM Introduction and System Requirements
VDM Web Access

VDMWebAccesssupportsthefollowingoperatingsystems:

WindowsXPProfessionalSP1,SP2(requiresIE6SP1orhigher) WindowsXPHomeSP2(requiresIE6SP2orhigher) WindowsVistaHome(requiresIE7) WindowsVistaHomePremium(requiresIE7) WindowsVistaBusiness(requiresIE7) WindowsVistaUltimate(requiresIE7) RHEL4.0,Update4(requiresJavaJRE1.5.0or1.6.0andFirefox1.5or2.0) SLES10(requiresJavaJRE1.5.0or1.6.0andFirefox1.5or2.0) Ubuntu7.04(requiresJavaJRE1.5.0or1.6.0andFirefox2.0) MacOS/XTiger(experimental,requiresJavaJRE1.5.0,RDC1.0,andSafari) MacOS/XPanther(experimental,requiresJavaJRE1.5.0,RDC1.0,andSafari)
VDM Agent Virtual Desktop

TheVDMAgentsupportsthefollowingoperatingsystemsforvirtualdesktops:

WindowsXPProfessional,SP2(32bit) WindowsVistaBusinessEdition(32bit) WindowsBusinessUltimateEdition(32bit)
Prerequisites
VDMConnectionServerhasthefollowingprerequisites:
VMwareInfrastructure3(currentversionsofESXServerandVirtualCenter)with atleastoneESXhostandoneVirtualCenterinstance ServersrunningVDMConnectionServerstandardorreplicainstancesthatare joinedtoanActiveDirectorydomain NOTEVDMConnectionServerdoesnotmakenorrequireanyschemaor configurationupdatestoActiveDirectory.
VMware, Inc.
21
IfyouareusingVI3guestcustomization,MicrosoftSyspreptoolsinstalledonyour VCServer AcustomizationspecificationthatpermitsclonedvirtualmachinestojointheAD domain(optional) AvalidlicensekeyforVDM
TheVDMAgent,VDMClient,andVDMWebAccesshavethefollowingprerequisites:
ForWindowsguestdesktopsandWindowsclients,youmusthaveadministrative privilegestoinstalltheVDMClientandtheVDMAgent. TheuseofActiveXcontrolsandInternetExplorer6orabovearerequiredfor WindowsclientuserswhoaccesstheirdesktopsusingVDMWebAccess. WebAccessusingLinuxorMacOSXrequiresJavaJREversion1.5.0or1.6.0. MicrosoftRemoteDesktopConnection6.0recommended(notrequired) ItisrecommendedthatyouupgradeVDMClientmachinestouseMicrosoft RemoteDesktopConnection(RDC)6.0.Thisrecommendationappliestomachines runningWindowsXPandWindowsXPe.Windows2000doesnotsupportRDC 6.0.WindowsVistacomeswithRDC6.0installed. RDC6.0canbedownloadedatthefollowingURL: http://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C0D1843 06ABCFD4F18C8F5DF9&displaylang=en

IfconnectingtoaWindowsVistadesktopusingaLinuxclient,youmustinstallthe rdesktopremotedesktopprotocolclientversion1.5.0,whichyoucandownload fromthefollowingURL: http://www.rdesktop.org/ Afteryoudownloadrdesktop,followtheinstructionsinthereadmefile.
VDMWebAccessrequiresthatyouinstallthefullVDMClienttousetheUSB redirectionfeature. IfusingUSBredirection,makesureyouinstalltheUSBredirectionfeaturewhen youinstalltheVDMClient.
22
VMware, Inc.
Installing and Configuring VDM
VDMinstallationconsistsofinstallingVDMsoftwarecomponentsandpreparationsin VirtualCenter.ThisdocumentdescribesindetailhowtoinstallVDMcomponentsbut assumesthattheadministratorisfamiliarwithVMwareVirtualInfrastructure administration.VMwarerecommendsthatadministratorsrunanendtoendtest beforedeployingVDMtoendusers. BeforeinstallingVDM,seeChapter 2,VDMIntroductionandSystemRequirements, onpage 17toobtainsystemrequirementsandhardwareanddevicesupport.This chaptercoversthesetopics:

PrepareDesktopVirtualMachinesonpage 24 InstallingtheVDMConnectionServeronpage 26 OneTimeConfigurationonpage 29 EndtoEndConfigurationonpage 29 VDMAdministratorUserInterfaceonpage 41 SearchingDesktopsandEntitledUsersandGroupsonpage 44 GlobalConfigurationSettingsonpage 46 ViewingEventsonpage 47 RSASecurIDonpage 48 DeletingVDMObjectsonpage 49 InstallingSSLCertificatesonpage 50 VDMLoadBalancingonpage 54
VMware, Inc.
23

VDMDMZDeploymentonpage 57 LoadBalancinginaDMZDeploymentonpage 59 BackingupandRestoringADAMDataonpage 59 TroubleshootingVDMonpage 60
Prepare Desktop Virtual Machines

BeforeyouinstalltheVDMsoftware,preparedesktopvirtualmachinesforuse.Where changesinVirtualCenterarerequired,seethelatestVirtualCenterdocumentationfor specificsteps. Makesurethatthefollowingprerequisitesareinplace:
Identifythebasedesktopvirtualmachinetodeploytousers,andinstallthelatest operatingsystemandapplicationServicePacksandpatches.ForWindowsXP desktopvirtualmachines,ensurethatthefollowingMicrosoftpatchthatVDM requiresisinstalled: http://support.microsoft.com/kb/323497

ThelatestVMwareToolsareinstalled(providedwithVI3). Makesurethatnetworkingsettings(proxies,andsoforth)areproperlyconfigured inthedesktopvirtualmachine. VMwareVDMAgentisinstalled. NOTEVDMAgentsoftwareisnotautomaticallyupdatedandmustbemanually uninstalledandreplacedwithanewversion.ForautomatedupdatingofVDM Agentinlargeenvironments,VMwarerecommendsusingstandardWindows updatemechanismssuchasAltiris,SMS,LanDesk,BMC,orothersystems managementsoftware.
Makesurethatyouhaveadministrativerightstothedesktopvirtualmachine.
To install VMware VDM Agent 1 DownloadtheVDMinstallerfilefromtheVMwaresecureWebsitetoalocaldrive. ForinformationaboutthelocationofthesecureWebsite,contactyourVMware representative. 2 RunVMware-vdmagent-2.0.0-<xxx>.exe xxxisthebuildnumberofthesoftwarecomponentyouareinstallinginthe desktopvirtualmachine.
24 VMware, Inc.
Chapter 3 Installing and Configuring VDM
TheVMwareInstallationwizardopens. 3 4 5 6 7 8 ClickNext. AccepttheVMwarelicensetermsandclickNext. Chooseyourcustomsetupoptions. AcceptorchangethedestinationfolderandclickNext. ClickInstalltobegintheinstallationprocess. ClickFinish.
To Create a desktop virtual machine template 1 InVirtualCenter,convertthedesktopvirtualmachinetoatemplate. YoumustcreateadesktopvirtualmachinetemplatetousedesktoppoolsinVDM. 2 (Optional)InVirtualCenter,createaguestcustomizationspecification. UseDHCPforthespecificationandsetthecomputernametothevirtualmachine name.ClonedvirtualmachinesalsoneedtobeabletojoinADdomainsiftheVDM singlesignonfeatureisrequired. 3 Asatest,deployavirtualmachinefromthetemplatetovalidatethat customizationissuccessful. MakesurethatADdomainjoinandauthenticationworks. 4 Ifafolderwasnotautomaticallycreated,createoneintheVirtualMachinesand TemplatesInventoryview.
Using the VDM Agent on Virtual Machines with Multiple NICs

ForGuestVirtualMachineswithmorethanonevirtualNIC,youneedtoconfigurethe subnetthattheVDMAgentwilluse.ThisdetermineswhichnetworkaddresstheVDM AgentprovidestotheVDMServerforclientRDPconnections.Toconfigurethissubnet, createthefollowingREG_SZregistryvalueinthevirtualmachineonwhichtheVDM Agentisinstalled: HKLM\Software\VMware, Inc.\VMware VDM\Node Manager\subnet = n.n.n.n/m (REG_SZ) Intheregistryvalue,n.n.n.nistheTCP/IPsubnetandmisthenumberofbitsinthe subnetmask.
VMware, Inc.
25
Installing the VDM Connection Server

TheVDMConnectionServermustberunningonWindows2003Server(Englishonly) andbelocatedoneitheraphysicalorvirtualserverdedicatedtoconnectionbrokering. Donothavetheconnectionserverperformanyotherfunctionsorroles(forexample, donotdesignatethesameservertobetheVirtualCenterserver).Theconnectionserver mustbejoinedtothedomain(butcannotbeadomaincontroller)andeachconnection servermusthaveastaticIPaddressassignedtoit.Thedomainuseraccountusedto installtheconnectionservermusthaveadministrativeprivilegesonthatserver.The connectionserveradministratoralsoneedstoknowtheVirtualCentercredentials.Itis recommendedthatyouobtainanSSLcertificatetouseforthatserver.Formore informationaboutSSLcertificateinstallation,seeInstallingSSLCertificateson page 50.
Single-Server Installation
Themostbasictypeofdeploymentissingleserverdeployment.Thefollowingdiagram showsasingleserverdeploymentwithaclientdevice,aconnectionserver,Webbased administration,ActiveDirectory,andVMwareVirtualInfrastructure. Figure 3-1. VDM Single Server Deployment
VMware Infrastructure VirtualCenter
Remote Users VDM Connection Server
Active Directory
26
VMware, Inc.
To perform a single server installation 1 RunVMware-vdmconnectionserver-2.0.0-<xxx>.exe onthemachinethatis toactastheconnectionserver. xxxisthebuildnumberofthesoftwarecomponentyouareinstalling. TheVMwareInstallationwizardopens. 2 3 4 5 6 ClickNext. AccepttheVMwarelicensetermsandclickNext. AcceptorchangethedestinationfolderandclickNext. ChoosetheStandarddeploymentoption. ClickNext>Install>Finish.
Multiserver Installation
VDMConnectionServercanalsobedeployedinamultiserverconfigurationforhigh availabilityandloadbalancing.Thefollowinghighleveldiagramshowsamultiserver deployment,connectionservers,aloadbalancer,Webbasedadministration,Active Directory,andVMwareVirtualInfrastructure(whichincludesESXservershostingthe virtualdesktops).
VMware, Inc.
27
Figure 3-2. VDM Multiserver Deployment

VMware Infrastructure VirtualCenter Remote Users VDM Connection Servers
ThirdParty Load Balancer
Active Directory
Local Users
NOTEMultiserverinstallationassumesthatoneotherinstanceofVDMConnection Serverisinstalledusingthestandarddeploymentoption.Multiserverinstallationis performedonsecond,orsubsequent,servers. To perform a multiserver installation 1 RunVMware-vdmconnectionserver-2.0.0-<xxx>.exe onthemachinethatis toactastheconnectionserver. xxxisthebuildnumberofthesoftwarecomponentyouareinstalling. TheVMwareInstallationwizardopens. 2 3 4 5 6 ClickNext. AccepttheVMwarelicenseterms,andclickNext. Acceptorchangethedestinationfolder,andclickNext. ChoosetheReplicadeploymentoption. EnterthehostnameorIPaddressoftheexistingconnectionserverthatyou replicate.
28
VMware, Inc.
7 8 9
ClickNext. ClickInstall. ClickFinish.
One-Time Configuration
PerformaonetimeconfigurationonyourVDMConnectionServersothatitissetup toperformdeploymenttasks. To perform a one-time configuration 1 Gotohttps://<hostname or ipaddress>/admintolaunchVDMAdministrator. <hostname_or_ipaddress>isthehostnameorIPaddressoftheVDMConnection Server,orloadbalancer. 2 Loginusingtheappropriatecredentials. Initially,alldomainuserswhoaremembersofthelocaladministratorsgroupon theVDMConnectionServerareallowedtologintotheVDMadministratoruser interface.YoucanusetheinterfacetochangethelistofVDMadministratorslater. Thefirsttimeyoulogin,theConfigurationpageappears.Afteryouenterthe licenseinformation,theInventorypagedisplayswhenyoulogin. 3 ClicktheConfigurationbuttontochangetotheConfigurationpageifitisnot displayedatlogin.OntheConfigurationpage,performthefollowingactions: a b InAccessandSecuritySettings,entertheVMwareVDMlicensekey. InVirtualCenterServers,clickAddandcompletethedetailsforthe VirtualCenterstousewithVDM. VDMdoesnotperformaDNSlookuptoverifywhetheranotherserveris usingtheIPaddressyouenterintotheserveraddressfield.Theconflictmight ariseifaVirtualCenterserverwasaddedbyenteringitsDNSnameorURLin theserveraddressfield. c GrantAdministrativerightstoADuserswhohaveloginaccesstoVDM Administrator.
End-to-End Configuration
Performanendtoendconfigurationonnewinstallationstoensurethatinstallation andconfigurationissuescanbeeasilyresolved.Thissectionreferstobothindividual andpooleddesktops.
VMware, Inc.
29
To perform a configuration for an individual desktop 1 2 3 4 ClicktheInventorytab. InAllDesktops,clicktheDesktopstabandclickAdd. InSelectdesktoptype,clickIndividualdesktopandclickNext. EntertheDesktopIDandtheDesktopDisplayName. ThedesktopIDisthenamethatVDMusestoidentifythedesktop.Thedesktop displaynameiswhattheenduserseeswhenloggingintothedesktop.The desktopIDmustbeuniqueforeachdesktop,butthedisplaynamedoesnotneed tobeunique.ThedesktopIDanddisplaynameshouldcorrelatetosomething withinyourenvironment(departmentnameorlocation,forexample).Ifyoudo notspecifyadisplaynameusersseethedesktopID. 5 6 ClickNext. Setthedesktopparameters.
SettheDesktopstatetoeitherEnabledorDisabled. SettingittoEnabledmeansthatthedesktopisautomaticallyenabledafterit iscreated.SettingittoDisabledmeansthatyoumustmanuallychangethe settingtoEnabledinordertoactivatethedesktopafteritiscreated.
SelectRemainonifyouwantthedesktoptoalwaysremainon.SelectAlways poweredonifyouwantthedesktoptoremainpoweredon. SelectSuspendwhennotinuseifyouwantthedesktoptobesuspended whentheuserisnotloggedin.SelectPoweroffwhennotinuseifyouwant todesktoptopoweroffwhennotinuse.
7 8 9
ClickNext. FromthelistofVirtualCenterservers,selecttheVirtualCenterserverthatthe desktopistouseandclickNext. InthetableontheVirtualMachineSelectionpage,selectthevirtualmachinethat thedesktopistouse. Allavailablevirtualmachinesthatarerunningasupportedguestoperating systemandthatanothervirtualdesktopisnotusingappearinthetable,including thosethataresuspendedornotpoweredon.
10 11
ClickNext. ReviewtheinformationinReadytoCompleteandclickFinishtoacceptitorBack tomakecorrections.
30
VMware, Inc.
12
ClickFinish. Afteradesktopisadded,entitleittoanADuserorgroup.SeeEntitlinga Desktoponpage 38. Forinformationabouttestingthedesktoplaunch,seeConnectingtoDesktops onpage 39.
Configuration for a Pooled Desktop

Performaconfigurationonnewinstallationstoensurethatinstallationand configurationissuescanbeeasilyresolved.Deployasinglevirtualmachinefromthe templatetomakesurevirtualmachinescandeployfromthistemplate. Beforeyoudeploypooleddesktops,createatemplateandacustomizationspecification (ifusingcustomization)inVirtualCenter.Makesureyoucanmanuallycreatevirtual machinesandcustomizethembyusingthecustomizationspecification.Toensurethat singlesign(SSO)functions,thecustomizationspecificationmustusedynamicaddress assignment(specifically,DHCP),thecomputernameneedstobesettothevirtual machinenameandthevirtualmachineautomaticallyjoinedtothedomain.For informationaboutcreatingtemplatesandcustomizationspecifications,seethemost recentVirtualCenterdocumentation. Afteryoucompletethesetemplateandcustomizationspecificationitems,ensurethat thevirtualmachinesuccessfullyjoinedthedomain.Finally,makesurethatallguest virtualmachinenames,includingthosedeployedfromthetemplateforthepooled desktop,areregisteredinDNS.BecauseyouareusingdynamicallyassignedIP addresses,useADintegratedDNSandlettheDHCPclientregistervirtualmachines withthedynamicDNS. NOTETestindividualdesktopsbeforetestingpools.
VirtualCenter Permissions for VDM

TouseVirtualCenterwithVDM,VDMadministratorsmusthavepermissionsfor certainoperationsinVirtualCenter.Thesepermissionsaregrantedbycreatingand assigningVirtualCenterrolestotheVDMadministrator.AssignVDMadministrators theroleofadministratorforadatacenterorclusterwherepoolswillbecreatedsothat theycanmaketherequiredchanges.Assignarolethatwillallowthemtoreadglobal customizationspecifications.ThesepermissionsarerequiredforVDMtoworkwith VirtualCenter.
VMware, Inc.
31
To create the VDM administrator role for VirtualCenter 1 2 3 4 5 InVirtualCenter,Admin. Ifitisnotalreadyselected,clicktheRolestabandclickAddRole. Enteranamefortherole(VDMAdministrator,forexample). InthelistofPrivileges,expandFolderandselectCreateFolderandDeleteFolder. ExpandVirtualMachineandperformthefollowingsteps: a b c d 6 7 ExpandInventoryandselectCreateandRemove. ExpandInteractionandclickPowerOn,PowerOff,Suspend,andReset. ExpandConfigurationandselectAddnewdisk,AddorRemoveDevice, ModifyDeviceSettingsandAdvanced. ExpandProvisioningandselectCustomize,DeployTemplate,andRead CustomizationSpecifications.
ExpandResourceandselectAssignVirtualMachinetoResourcePool. ClickOK. Thenewroleappearsinthelistofroles.
To assign the administrator or VDM administrator VirtualCenter roles 1 2 3 4 5 6 7 8 9 InVirtualCenter,selectthedatacenterorclustertoassigntheadministratorroleto. ClickthePermissionstab. RightclickonthepageanywherebelowthelistofUsersandGroups. ClickAddPermission. InUsersandGroups,clickAdd. IntheDomaindropdownmenu,selecttheadministratorsdomain. InUsersandGroups,selecttheadministratorfromthelist. ClickAddandclickOK. InAssignedRole,selecttherolethatyouwanttoassign. SelectAdministratortogivefullcontroloverthedatacenterorcluster.The AdministratorroleispreconfiguredinVirtualCenter. SelectVDMAdministratortogivetheuserthemorerestrictiveaccessand permissionsthattheVDMAdministratorrolethatyoucreated.
32
VMware, Inc.
10
ClickOK.
To create a VirtualCenter role for reading customization specifications 1 2 3 4 5 6 InVirtualCenter,clickAdmin. ClicktheRolestabandclickAddRole. Enteranamefortherole(forexample,ReadOnlyCustomizationSpecifications). Inthelistofprivileges,selectVirtualMachine. ExpandProvisioning,andselectReadCustomizationSpecifications. ClickOK.
To assign VirtualCenter roles for VDM 1 2 3 4 5 6 7 8 9 10 InVirtualCenter,intheInventoryview,clickHostsandClusters. ClickthePermissionstab. RightclickonthepageanywherebelowthelistoflistofUsersandGroups. ClickAddPermission. InUsersandGroups,clickAdd. IntheDomaindropdownmenu,selecttheadministratorsdomain. InUsersandGroups,selecttheadministratorfromthelist. ClickAdd. ClickOK. InAssignedRole,selectGlobalReadOnlyCustomSpecandclickOK.
NOTETestindividualdesktopsbeforetestingpools. To perform a configuration for a pooled desktop 1 2 3 ClicktheInventorytab. InDesktops,clicktheDesktopstabandclickAdd. InSelectdesktoptype,clickeitherDesktoppoolpersistentorDesktop poolnonpersistent. Persistentdesktoppoolsallowuserstologintothesamedesktopeverytime. Userscansavedocumentsandfilesonpersistentdesktopsbecausetheyreturnto thesamedesktop.
VMware, Inc.
33
Nonpersistentpoolsareavailabletouserswhentheyloginbutarereturnedtothe poolwhenuserslogoff.Userslogintoadifferentdesktopeachtimeandshould notsavedocumentsorfilesonthedesktop. 4 5 ClickNext. EntertheDesktopIDandtheDesktopDisplayName. ThedesktopIDisthenamethatVDMusestoidentifythedesktopTheusersees thedesktopdisplaynamewhenloggingintothedesktop.ThedesktopIDmustbe uniqueforeachdesktop,butthedisplaynamedoesnotneedtobeunique.The desktopIDanddisplaynamedonotneedtocorrelatetoanythingspecificwithin yourenvironment.Ifyoudonotspecifyadisplayname,usersseethedesktopID. 6 7 ClickNext. Setupthedesktopparameters:
DesktopstateEnabledmeansthatthepoolisautomaticallyenabledafterit iscreatedandreadyforusebyendusers.Disabledmeansthatyoumust manuallychangethesettingtoEnabledtoactivatethepoolafteritiscreated. Disabledisusedforsuchthingsasupgradingvirtualmachinesortaking desktopsofflinetoperformmaintenance. ProvisionEnabledmeansthatvirtualmachinesarecreatedforthepoolas soonasyoufinishthestepsaddapooleddesktop.Disabledmeansthatyou mustmanuallychangethesettingtoEnabledtocreatevirtualmachinesfor thepoolafterthepooliscreated. PoolsizeSettothenumberofdesiredvirtualdesktops. StopprovisioningonerrorStopstheprovisioningofvirtualmachineswhen anerrorisdetected. VirtualmachinepowerpolicyRemainonsetsthevirtualmachinesto alwaysremainon.Alwayspoweredonsetstheassignedvirtualmachinesto remainpoweredon.Suspendwhennotinusesetsthevirtualmachinestobe suspendedwhentheuserisnotloggedin.Poweroffwhennotinusesets virtualmachinestopoweroffwhennotinuse. PrefixforvirtualmachinenamesSetthistoavalueforeachpoolthat identifiesvirtualmachinesaspartofthatpool.Virtualmachinescreatedfor thispoolhavenamesthatbeginwiththisprefix. Poweroffanddeletevirtualmachineafterfirstuse(fornonpersistentpools only)Deletesthevirtualmachinewhentheuserlogsoutafterfirstuse.If necessary,anewvirtualmachineisclonedtomaintainaspecificpoolsizeafter virtualmachinesaredeleted.
VMware, Inc.

34
8 9
ClickNext. FromthelistofVirtualCenterservers,selecttheVirtualCenterserverthatthe desktopistouseandclickNext. IfyouhavemultipleVirtualCenterserversrunninginyourenvironment,make surethatanotherVirtualCenterserverisnotusingtheVirtualCenteruniqueID.By default,anIDvalueisrandomlygeneratedbutitiseditable.Fordetailsabout editingVirtualCenteruniqueIDvalues,seethelatestVirtualCenter documentation.
10 11
TemplateSelection,chooseatemplatefromwhichtodeployvirtualmachinesfor thedesktoppool. Selectthevirtualmachinefolderlocation. VDMcreatesafolderwiththesamenameasthedesktopIDandputsthenewly createdvirtualmachinesinthefolder.
12 13 14 15 16 17
Selectahostorclusteronwhichtorunthevirtualmachinesthatthisdesktopuses andclickNext. Selectaresourcepoolinwhichtorunthevirtualmachinesthatthisdesktopuses, andclickNext. ChooseadatastoretostorethevirtualmachinefilesandclickNext. Selectacustomizationspecificationtocustomizetheguestoperatingsystemfor VirtualMachinesusedinthisdesktopandclickNext. ReviewtheinformationinReadytoCompleteandclickNexttoacceptitorBack tomakerevisions. ClickFinish. Afterthepooleddesktopisadded,entitleittoanADuserorgroup.SeeEntitling aDesktoponpage 38. Forinformationabouttestingthedesktoplaunch,seeConnectingtoDesktops onpage 39.
Advanced Pool Settings

VDMadvancedpoolsettingsallowyoutooverridethedefaultpoolsettingsandto determinehowyourpooleddesktopsaredeployedandmanaged.Theadvancedpool settingsareanoptionwhenyouarecreatingeitherapersistentornonpersistentpool intheDesktopSettingsintheAddDesktopwizard.
VMware, Inc.
35
WhenyouareconfiguringDesktopSettings,accessandenabletheadvancedsettings byexpandingAdvancedSettingsandselectingEnableAdvancedPoolSettings.The advancedpoolsettingsincludethefollowingoptions:

MinimumnumberofvirtualmachinesOverridesthedefaultminimumnumber ofvirtualmachinesavailableforapool.Setthisnumbertotheminimumnumber ofanticipatedvirtualmachinesuponfirstdeployment. MaximumnumberofvirtualmachinesOverridesthedefaultmaximumnumber ofvirtualmachinesavailableforapool.Setthisnumbertothemaximumnumber ofvirtualmachinesthataretobedeployedinthepoolatanypoint.Thissettingis necessarytopreventoverburdeningofhardwareresources. NumberofavailablevirtualmachinesOverridesthedefaultnumberofavailable virtualmachinesforapool.Thissettingdetermineshowmanyvirtualmachines willbeavailableforimmediateuse.Ifthepowerpolicydictates,availablevirtual machinesoverthislimitwillbesuspendedorpoweredoffasneeded.For nonpersistentpools,thissettingdetermineshowmanyvirtualmachinesare provisioned(added)asnewuserslogintovirtualdesktops.Forpersistentpools, thissettingmustmatchtherateatwhichusersareaddedtotheenvironment(in otherwords,ifyouaddtwousersaday,setthisnumberto2forpersistentpools).
Youcanfurtherspecifyvirtualmachinebehaviorfordesktopsthatuseaspecific VirtualCenterServerusingtheadvancedVirtualCentersettingsontheConfiguration page.Onthatpage,youcancontrolthemaximumnumberofconcurrentprovisioning (desktopvirtualmachinecreation)operationsandthemaximumnumberofconcurrent poweroperations.
Advanced Pooling Example Scenarios

VDMpoolingisflexibleandoffersmanypossiblecombinationsofsettings.The followingexamplescenariosshowsomepossiblecombinationsofsettingsand illustratehowVDMrespondsorbehaves. Pooling Example 1 Poolingexample1hasthefollowingsettings:

TypeofpoolNonpersistent Minimumnumberofvirtualmachines100 Maximumnumberofvirtualmachines200 Numberofavailablevirtualmachines20 VirtualmachinepowerpolicySuspendwhennotinuse
36
VMware, Inc.
Inthisexample,thepoolinitiallyclonesandcustomizes100virtualmachines.After20 virtualmachines,avirtualmachinewouldbesuspendedforeachnewclonedvirtual machinesothattheavailablecount(inotherwords,poweredupandreadyforuse)did notexceed20.Theminimumandmaximumvaluesonlyaffectthecloningandnotthe numberofavailablevirtualmachines. Asuserslogin,thenumberofavailablevirtualmachinessettingwouldpowerupmore virtualmachinestokeepthemattherightlevel.Whenthe80thuserlogsin,thesetting wouldinitiateacloningoperation.Asuserslogout,virtualmachinesaresuspended (basedonthepowerpolicy)tokeeptheavailablenumberofvirtualmachinesdown. Pooling Example 2 Poolingexample2hasthefollowingsettings:

TypeofpoolPersistent Minimumnumberofvirtualmachines100 Maximumnumberofvirtualmachines200 Numberofavailablevirtualmachines20 VirtualmachinepowerpolicySuspendwhennotinuse
ThesameasthenonpersistentcaseinExample1,exceptthatwhenuserslogoff,their virtualmachinesaresuspended.Theusedvirtualmachinesarenotreturnedtothepool becausetheyarenowassigned. Pooling Example 3 Poolingexample3hasthefollowingsettings:

TypeofpoolNonpersistent Minimumnumberofvirtualmachines100 Maximumnumberofvirtualmachines200 Numberofavailablevirtualmachines20 VirtualmachinepowerpolicyRemainon
Thepoolinitiallyclonesandcustomizes100virtualmachines.Thesevirtualmachines areleftrunning.Astheeightiethandsubsequentuserslogin,theavailablecount restartscloningtomaintainthecapacity.
VMware, Inc.
37
Pooling Example 4 Poolingexample4hasthefollowingsettings:

TypeofpoolNonpersistent Minimumnumberofvirtualmachines200 Maximumnumberofvirtualmachines200 Numberofavailablevirtualmachines20 VirtualmachinepowerpolicyRemainon
Thepoolclones200virtualmachines.Nomorevirtualmachinesareevercloned.The powerpolicymeansthatvirtualmachinesarenotpoweredoff. Pooling Example 5 Poolingexample5hasthefollowingsettings:

TypeofpoolNonpersistent Minimumnumberofvirtualmachines200 Maximumnumberofvirtualmachines200 Numberofavailablevirtualmachines20 VirtualmachinepowerpolicySuspendwhennotinuse
Thepoolclones200virtualmachines.Afterthetwentiethclone,thepoolmanagerstarts tosuspendvirtualmachinestomaintaintheavailablecountat20.Asuserslogin, virtualmachinesareresumedtomaintainthesparecount.
Entitling a Desktop
Afteranindividualorpooleddesktopisadded,entitleADusersorgroupstoit. To entitle a desktop to an AD user or group 1 2 3 4 InAllDesktopsontheInventorytab,selectthedesktopthatyouwanttoentitle. ClickEntitle>Add. InSelectobjecttype,selectUsersorGroups. Choosethedomainwheretheobjectyouareentitlingreside,orselect EntireDirectorytosearchacrosstheentireActiveDirectorydomainforest. Youcansearchbynameordescription. 5
38
Selecttheobjecttoaddtotheentitlement.
VMware, Inc.
Youcanentitlemultipleusersandgroupstoadesktop.Ifyouentitlemultipleusers orgroupstoadesktop,thedesktopbehaveslikeanonpersistentpool.For informationaboutnonpersistentpools,seeConfigurationforaPooledDesktop onpage 31. 6 7 ClickOK. Inentitlement,clickOK.
Connecting to Desktops
VDMprovidestheVDMClientorVDMWebAccessforconnectingtothedesktop virtualmachine. NOTEMakesureyouhaveadministrativerightstotheclientmachine. To connect to desktops using the VDM Client 1 DownloadandrunVMware-vdmclient-2.0.0-<xxx>.exe. xxxisthebuildnumberofthesoftwarecomponentyouareinstalling. TheVMwareInstallationwizardopens. 2 3 4 5 6 7 8 9 10 11 ClickNext. AccepttheVMwarelicensetermsandclickNext. AcceptorchangethedestinationfolderandclickNext. ConfigureshortcutsfortheVDMClientor,ifyoudonotwanttouseshortcuts, deselectallchoices. ClickNext>Install>Finish. StarttheVMwareVDMClient. IntheVDMServerdropdownmenu,enterthehostnameorIPaddressofthe VDMServer. ClickConnect. Entertheentitleduserscredentials,selectthedomainandclickLogin. ChoosetheentitleddesktopandclickOK. Thedesktopvirtualmachineisconnected.
VMware, Inc.
39
To connect to desktops using VDM Web Access 1 StartthebrowserandgototheVDMConnectionServerURL. Forexample:https://<hostnameoripaddress>,where<hostnameoripaddress>is thehostnameorIPaddressoftheVDMConnectionServer. 2 3 4 Entertheentitledusersnameandpasswordandmakesurethatyouselectthe correctdomainfromthedropdownmenu. ClickLogin. WhentheAccessStatusisReady,selectadesktopfromthelistandclickConnect. Thedesktopisconnected.
Setting an Externally Resolvable Name on a Connection Server

IfVDMclientscannotdirectlyaccessaVDMConnectionServerbyusing https://<hostname>where<hostname>isthehostnameoftheVDMConnectionServer, youmustspecifyanexternallyresolvablenamefortheVDMConnectionServer.Ifthe VDMConnectionServerisaccessedfromtheInternet,setthenametosomethingthat resolvesontheInternet.Thisnamecanbesomethinglike https://vdmservername.mycompany.com.Wheneverthissituationarises,youmustset thenameforeachVDMConnectionServerthatisunresolvable. Theprocessofsettingthenameisnotthesameforallinstallationtypes.Forstandard orreplicainstallations,youcansetthenamebyusingtheAdministratoruserinterface. Forasecurityserverinstallation,youmusteditorcreateafilewiththesettingsandsave itonthesecurityserver. To set the name on a standard or replica installation 1 2 3 4 5 OntheConfigurationpage,inVDMServers,selecttheVDMConnectionServerto setthenamefor. ClickEdit. EnterthenameintheExternalURLfield. ClickOK. RestarttheVDMConnectionServerservicesothatthechangestakeeffect.Click Start>AdministrativeTools>ServicesandselecttheVMwareVDMConnection Serverfromthelistofservices.Iftheserviceisrunning,clickRestarttheservice. Iftheserviceisnotrunning,clickStarttheservice.
40
VMware, Inc.
To set the name on a security server installation 1 Createoreditthepropertiesfile(locked.properties)sothatitcontainsentriesfor theexternallyresolvablenameofthesecurityserver,theportnumberandthe clientprotocol. Thepropertiesfileisatextfile.Ifitalreadyexists,itislocatedatC:\Program Files\VMware\VMwareVDM\Server\sslgateway\conf\locked.properties. alwayssavethisfileinthesameplace,whetheritalreadyexistsornot. Asanexample,ifthesecurityserversexternallyresolvablenameis vdmservername.mycompany.com,theportnumberis443,andtheclientprotocol ishttps,youuseatexteditortoeditorcreatethepropertiesfilewiththefollowing entries:

clientHost=vdmservername.mycompany.com clientPort=443 clientProtocol=https
Ifapropertiesfilealreadyexistscontainingentrieswiththesekeywords,replace theentrieswithnewentriesfromthislist. 2 3 Savethefile. RestarttheVDMSecurityServerservicesothatthechangestakeeffect.Click Start>AdministrativeTools>ServicesandselecttheVMwareVDMSecurity Serverfromthelistofservices.Iftheserviceisrunning,clickRestarttheservice. Iftheserviceisnotrunning,clickStarttheservice.
VDM Administrator User Interface

TheVDMadministratoruserinterfaceiswhereyouperformalloftheconfiguration, deployment,andadministrativetasksforVDM.TheInventory,Configuration,and EventsbuttonsalwaysappearatthetopoftheAdministratoruserinterface.These buttonsallowyoutonavigatetootherareasoftheinterfaceandperform administrationandconfigurationtasks.Thissectiondescribesthepagesthateach buttonopensandtheoptionsassociatedwiththem. Whenyouclickabuttonintheadministratoruserinterfaceandyouselectatabonthe pagethatopens,thebackgroundbecomeswhite.Tabsthatarenotselectedhavea purplebackground.
VMware, Inc.
41
Inventory Page
TheInventorypageopenswhenyoulogintotheVDMAdministratoruserinterface (exceptthefirsttimeyoulogin,whentheConfigurationpageopens).TheInventory pageiswhereyouaccessallofyourvirtualmachinesanddeployandmakechangesto virtualdesktops.TheShowdropdownmenuallowsyoutochangebetweenthe DesktopsandEntitledUsersandGroupsviews. TheInventorypageallowsyoutosearchandfilterinformationaboutdesktops,virtual machines,andactivesessionsandtoscrollbetweenpagesifmultiplepagesexist(each pagecontains200objects).
DesktopsviewChooseamongtheDesktops,VirtualMachines,orActive Sessionstabs.OntheDesktopstab,youcanadd,edit,entitle,enable,disable,or deletedesktopsordesktoppools.OntheVirtualMachinestab,youcanviewand deletevirtualmachines.OntheActiveSessionstab,youcanview,disconnect,or rebootactivesessions. Youcanfiltertheinformationinthetablesthatareassociatedwitheachtab.You canalsochoosewhichcolumnstofilterandsearchwhentheDesktopsviewis selected.

DesktopstabFilterandsearchtheDesktopIDorTypecolumns. VirtualMachinestabFilterandsearchtheVirtualMachineName,IP Address,User,orStatuscolumns. ActiveSessionstabFilterandsearchtheUserorDesktopcolumns.
WhenyouareintheDesktopsview,youcanchoosebetweentheInventoryand Searchtabsontheleftsideofthepage.
InventoryAllofthedesktopsappearinalistonthattab.Selectingadesktop fromthelistdisplaysinformationaboutthatdesktopontherightsideofthe page.TherightsideofthepagealsodisplaystheSummary,Usersand Groups,VirtualMachines,andActiveSessionstabs. SearchTheSearchforDesktopsfieldappears.Youcanentersearchtextin thisfieldtosearchfordesktops.YoucanusetheInthesecategoriescheck boxestochoosethesearchcriteria.Selectingadesktopfromthelistdisplays informationaboutthatdesktopontherightsideofthepage.Inaddition,the rightsideofthepagedisplaystheSummary,UsersandGroups,Virtual Machines,andActiveSessionstabs.
42
VMware, Inc.
TheInventorypageusesadifferenticonsforeachtypeofdesktop.Individual desktopiconshaveasolidbordercontainingonebluesquare,persistentpool desktopiconshaveasolidbordercontainingtwobluesquares,and nonpersistentpooldesktopiconshaveadottedbordercontainingtwoblue squares.

EntitledUsersandGroupsview IntheEntitledUsersandGroupsview,youcanchoosebetweentheEntitledUsers andGroupsandActiveSessionstabs.Youcanviewtheentitledusersandgroups forvirtualdesktopsorpoolsofdesktopsanddisconnectactivesessionshere. Youcanfiltertheinformationinthetablesthatareassociatedwitheachtab.You canalsochoosewhichcolumnstofilterandsearchwhenthetabsintheEntitled UsersandGroupsviewareselected:

OntheEntitledUsersandGroupstab,youcanchoosetofilterandsearchthe DisplayNameorDomaincolumns. OntheActiveSessionstab,youcanchoosetofilterandsearchtheUseror Desktopcolumns.
WhenyouareintheEntitledUsersandGroupsview,youcanchoosebetweenthe InventoryandSearchtabsontheleftsideoftheInventorypage.
WhenyouselecttheInventorytab,alloftheentitledusersandgroupsappear inalistonthetab.Selectingauserorgroupfromthelistdisplaysinformation aboutthatuserorgroupontherightsideofthepage.Inaddition,theright sideofthepagedisplaysthreetabs:Summary,Desktops,andActive Sessions.
WhenyouselecttheSearchtab,theSearchforDesktops:fielddisplays.Youcanenter searchtextinthisfieldtosearchforusersorgroups.Youcanchoosethesearchcriteria usingthecheckboxesinInthesecategories.
Configuration Page
TheConfigurationpageopenswhenyoulogintotheVDMAdministratoruser interfaceforthefirsttime(beforeaddingyourlicenseinformation).Itisthesamepage thatisopenedwhenyouclickConfiguration.TheConfigurationpagecontainsthe followingfields:

AccessandSecuritySettingsEditlicenseserialnumberinformation. VirtualCenterServersAdd,edit,ordeleteVirtualCenterserversforthe connectionservertouse.
VMware, Inc.
43
VDMServersEnableordisableVDMservers(VDMConnectionServers)and editVDMserversettings,andenableRSASecurID. GlobalSettingsEnabledirectconnectiontovirtualdesktopssothatconnections todesktopsaremadedirectlyfromtheclienttothevirtualmachine,enableUSB redirection,whichallowsyoutousealocallyconnectedUSBdevicesonavirtual desktop,setSSLforsecurityserverthatdeterminesifyouuseHTTPorHTTPSfor communicationbetweentheclientandtheVDMConnectionServer,andsetthe sessiontimeouttodeterminehowlongasessionisallowedtobeidlebeforetiming out. AdministratorsAddordeleteadministratorsfortheconnectionserverand searchActiveDirectoryforusersorgroupsandaddthemasadministrators.
Events Page
UsetheEventspagetovieweventsthatanindividualconnectionservergenerates.You canentertextintheContainsfieldandsearchbytypeofmessage,thetimeofthe messageorthemessagetextitself.Youcanalsodeterminethenumberofdaysof messagestodisplay.
Searching Desktops and Entitled Users and Groups

UsetheInventorypagetosearchforinformationaboutdesktopsandentitledusersand groups.Youcaneithersearchbyusingthecolumnsinthetablesthatappearontheright sideofthepageorsearchbyusingthecategoriesthatappearontheleftsideofthepage. To search columns in the Desktops Inventory view 1 2 3 4 5 OntheInventorypage,selectDesktopsfromtheShow:menu. IntheDesktopsfield(ontherightsideofthepage),clicktheDesktops,Virtual Machines,orActiveSessionstab. Clickthearrowaftercontainsandselectthecolumnstosearchbyclickingthe appropriatecheckboxes. ClickDone. EntersearchtextintothetextfieldandclickGo.
To search categories in the Desktops Search view 1 2 OntheInventorypage,selectDesktopsfromtheShowmenu. IntheSearchfordesktopsfield(ontheleftsideofthepage),entersearchtextinto thetextfield.

VMware, Inc.
44
3 4
InInthesecategories,selectDisplayName,DesktopID,Type,User,orVirtual CenterNametosearchthatcategory. ClickSearch.
To search columns in the Entitled Users and Groups Inventory view 1 2 3 4 5 OntheInventorypage,selectEntitledUsersandGroupsfromtheShowmenu. IntheEntitledUsersandGroupsfield(ontherightsideofthepage),clickthe EntitledUsersandGroupsorActiveSessionstab. ClickthearrowafterContainsandselectthecolumnstosearchbyclickingthe appropriatecheckboxes. ClickDone. EntersearchtextintothetextfieldandclickGo.
To search categories in the Entitled Users and Groups Search view: 1 2 3 4 OntheInventorypage,selectEntitledUsersandGroupsfromtheShowmenu. IntheSearchforusersfield(ontheleftsideofthepage),entersearchtext. InInthesecategories,selectCommonname,GivenName,Description,Email, DisplayName,orDomainNametosearchthatcategory. ClickSearch.
Working with Active Sessions

Afteryouconnecttoavirtualdesktopordesktoppool,activesessionsareinthe inventory.YoucanaccessactivesessionsontheInventorypage. To view, disconnect, or reboot active sessions 1 2 ClicktheInventorytab. InDesktops,clickActiveSessions. Youcanviewtheuser,desktopID,DNSnameoftheVM,starttime,duration,and serverstate(connectedordisconnected)foreachactivesession. 3 Clickanywhereinanactivesession. TheDisconnectSessionandRestartVirtualMachineoptionsbecomeavailable. 4 ClickDisconnectSessionwanttodisconnecttheselectedactivesessionorclick RestartVirtualMachinewanttorestarttheactivesession.
VMware, Inc.
45
Global Configuration Settings

VDMprovidesseveralglobalconfigurationsettingsthatallowyoutosetVDM behavior,dependingonyourspecificrequirements.Table 31liststheglobal configurationsettings. Table 3-1. Global Configuration Settings
Option Sessiontimeout(inminutes) Description Overallsessiontimelimitfromwhenauserlogsontothe connectionservertowhenthesessionterminatesbecause ofinactivity. IfRequireSSLforclientconnectionsisselected,HTTPS orHTTPisusedasthecommunicationprotocolbetween theclientandtheVDMConnectionServer. ChangestothissettingrequirethattheVDMConnection Serverberestartedtotakeeffect. Directconnectiontovirtual desktop Ifselected,remotedesktopsessionsareestablished directlybetweentheVDMClientandthedesktopvirtual machine,bypassingtheVDMConnectionServer(inother words,theydonotusetunneledconnection). TheinitialconnectionisstillmadetotheVDM ConnectionServerforuserstoauthenticateandselect appropriatedesktopstheyareentitledto. Thisoptionisappropriateonlyfordeploymentsinsidea corporatenetwork,becauseRDPtrafficissent unencryptedovertheconnectionbetweentheclientand desktopvirtualmachine. Thissettingisdisabledbydefault. Changestothissettingtakeeffectforeachuseruponthe nextlogin.
RequireSSLforclientconnections
46
VMware, Inc.
Table 3-1. Global Configuration Settings (Continued)

Option USBredirection Description Ifselected,causesthenativeclienttodisableallUSB functionalitywhenactivated. Changestothissettingtakeeffectforeachuseruponthe nextdesktoplaunch. Reauthenticateafternetwork interruption Ifselected,determineswhetherornotusercredentials needtobereauthenticatedafteranetworkinterruption. Whenthissettingisselected,usersneedtoreentertheir credentialsandhavethemreauthenticatedagainstActive Directory.ThissettingisnotavailablewhentheDirect connectiontovirtualdesktopsettingisselected. Ifthissettingenabled,theclientterminatesandtheuser mustlogonagaintotheVDMConnectionServer(session remainsinDisconnectedstate). RequiresarestartoftheVMwareVDMConnectionServer totakeeffect.
To configure global settings 1 2 (Optional)InGlobalSettingsontheConfigurationtab,clickedit. (Optional)Selectacommunicationsprotocol. SelectSSLforSecurityServertoenableHTTPSasthecommunicationprotocol betweentheclientandtheconnectionserver.Uncheckthecheckboxtoenable HTTP. 3 4 5 (Optional)SelectDirectConnecttoVirtualDesktoptoenableconnections directlyfromtheclienttothevirtualmachine. (Optional)SelectUSBRedirectiontocausethenativeclienttodisableallUSB functionality. (Optional)SelectReauthenticateafternetworkinterruptiontoforceusersof virtualdesktopstoreentertheirActiveDirectorycredentialsafteranetwork interruption. ClickOK.
Viewing Events
VDMprovidesapageforviewingeventsforanindividualconnectionserver.Youcan usetheinformationontheEventspagefordiagnosingproblemsorviewingactivityon theserver.
VMware, Inc.
47
To view events ClickEvents. TheEventspageopensandliststhenameoftheserverfortheeventsthataredisplayed. To search events 1 2 3 4 5 Clickthearrowaftercontainsandselectthecolumnstosearch(Messages,Time, Type). Fromthelist,choosethenumberofdaysofmessagestoshowintheEventstable. ClickDone. Entersearchtextinthetextbox. ClickGo. YoursearchresultsappearintheEventstable.Click(more)attheendofeach messagetodisplaymoredetailsabouttheevent.
RSA SecurID
VDMsupportsRSASecurIDasanadditionalmethodforuserauthentication.RSA SecurIDprovidesstrong,twofactorauthenticationwhenyouaccessvirtualdesktops, inadditiontotheauthenticationprovidedwhenusingADcredentials. IfyouareusingRSASecurID,youmustfirstenableitbyeditingyourVDMserver settings.AfteryouinstalltheRSASecurIDsoftwareonyourVDMservers,youcanedit RSAsettingsintheVDMadministratoruserinterface. To enable or edit RSA SecurID 1 2 3 ClicktheConfigurationtab. InVDMServers,clickEdit. IntheRSASecurIDdialogbox,configurethedesiredRSAsettings:
EnabledenablesRSASecurIDauthenticationforendusersaccessingvirtual desktops. EnforceSecurIDandWindowsusernamematchingSecurIDchecksnames againstWindowsusernamesanddeniesaccesstonamesthatdonotmatch. ClearnodesecretreferstothenodesecretontheVDMAgent. Formoreinformationaboutthissetting,seetheRSAAuthenticationManager userdocumentation.
48
VMware, Inc.
IntheUploadRSAauthenticationagentconfigurationfile(sdconf.rec)field, enterthelocationofthesdconf.recfileorclickBrowsetosearchforthefile. Formoreinformationaboutthesdconf.recfile,refertotheRSAAuthentication Manageruserdocumentation.
ClickOK.
Deleting VDM Objects

YoucandeleteVDMobjects(VirtualCenter,VDMservers,anddesktops)byusingthe administratoruserinterface.Youcanchoosetodeletetheobject. To remove a VirtualCenter server from a VDM server 1 2 ClicktheConfigurationtab. InVirtualCenterServers,clickRemove. IfdesktopsareusingthisVirtualCenterserver,anerrormessagetellsyouthatyou mustfirstdeletethedesktopsusingthisVirtualCenterbeforeyoucandeletethe VirtualCenter. IfnodesktopsareusingthisVirtualCenterserver,awarningmessagetellsyouthat youcannolongeraccessvirtualmachinesmanagedbythisvirtualcenter. 3 ClickOK. TheVirtualCenterserverisdeleted. To delete a desktop from a VDM server 1 2 3 ClicktheInventorytab. InAllDesktops,clicktheDesktopstab. SelectthedesktoptodeleteandclickDelete. Youaregiventheoptiontoremovethevirtualmachinesfromtheconnection brokeronly,whichmeanstheyarestillvisibleinVirtualCenter,ortodeletethem fromdisk,whichmeanstheyarenolongervisibleinVirtualCenter. Ifthedesktophasactivesessionsforthedesktop,youaregiventheoptionto disconnecttheusers,whichmeansuserslosetheirconnecteddesktops,ortoleave theusersconnected,whichmeansusersdonotlosetheirconnecteddesktops.
VMware, Inc.
49
To delete a virtual machine from a VDM desktop 1 2 3 4 ClicktheInventorytab. InAllDesktops,selecttheDesktopcontainingthevirtualmachinetodelete. ClicktheVirtualMachinestab. ClickDelete. Youaregiventheoptiontoremovethevirtualmachinesfromtheconnection brokeronly,whichmeanstheyarestillvisibleinVirtualCenter,ortodeletethem fromdisk,whichmeanstheyarenolongervisibleinVirtualCenteranddeleted fromthedatastore. Ifthedesktophasactivesessionsforthedesktop,youaregiventheoptionto disconnecttheusers(ifremovefromtheconnectionbrokerischosen),which meansuserslosetheirconnecteddesktops,ortoleavetheusersconnected,which meansusersdonotlosetheirconnecteddesktops.
Installing SSL Certificates

TheVDMConnectionServerincludesaselfsignedSSLcertificatethatyoucanuseto connectwithforthefirsttime.Thiscertificateisnottrustedbyclientsanddoesnothave thecorrectnamefortheservice,butitdoesallowconnectivity. Replacetheseinitialcertificateswithproperlyconstructedcertificatesfortheservice. Thisremovesthecertificatecheckmessagesthatusersseeandallowsthinclientdevices toconnect. ThissectionprovidesthestepsforinstallingSSLcertificates.Toinstallcertificates,you mustdothefollowing:

CreateasuitableCertificateSigningRequest(CSR). SubmittherequesttoyourCertificateAuthority(CA)andreceivethenew certificate. ImportthecertificateintothekeystorefortheVDMConnectionServer. ConfiguretheVDMConnectionServertousethisnewcertificate.

50
VMware, Inc.
Creating the CSR

DecidingwhatnametobindtoaCSRisanimportantconsideration.Acertificatebinds thenameoftheservicetoacryptographickeypairand,indoingso,assumes ownershipoftheserviceandkeys.Theclientcantrusttheserver(anditscryptographic key)becausetheCAindependentlydeterminedthattheorganizationthatisclaiming ownershiprequestedthekey. ThemostimportantpartoftheCSRistheCommonName(CN)attribute.Usethename theclientcomputerusestoconnecttotheVDMConnectionServer.Inasingleserver environment,thenameistypicallythenameoftheserver.Ifloadbalancingisbeing used,usetheloadbalancedname. To create the CSR 1 UsingtheWindowscommandprompt,createanewkeystorecontaininga publicprivatekeypair:
%JAVA_HOME%\bin\keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -storepass secret -validity 360
Answerthefollowingquestions:
Whatisyourfirstandlastname? ThisistheCNattribute.Entertheservernameorloadbalancedname,for example,server.vmware.com.
Whatisthenameofyourorganizationalunit? Thisisinformationaboutwhereinyourorganizationthisserverisbeing deployed.YourCAmighthaverequirementsforcompletingthisfield.For example,itmightrequirethecompanysdomainname(forinstance, vmware.com).
Whatisthenameofyourorganization? Thismightbeyourdepartmentorcompanyname.
WhatisthenameofyourCityorLocality? Enteryourlocationorleaveblank(Unknown).
WhatisthenameofyourStateorProvince? Enteryourstateinformationorleaveblank(Unknown).
Whatisthetwolettercountrycodeforthisunit? Enteryourcountrycode(GB,forexample).
VMware, Inc.
51
Confirmthefullname,enterYesandpressEnter. Thekeys.p12fileiscreatedinthecurrentdirectory.
UsethefollowingkeypairtocreateaCSR:
%JAVA_HOME%\bin\keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12 -storepass secret
Thecertificate.csrfileiscreatedinthesamelocation.Thecontentsofthefile looklikethefollowingexample:
-----BEGIN NEW CERTIFICATE REQUEST----MIIBuDCCASECAQAweDELMAkGA1UEBhMCR0IxEDAOBgNV BAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xFDAS BgNVBAoTC1ZNd2FyZSBJbmMuMRMwEQYDVQQLEwp2bXdh cmUuY29tMRowGAYDVQQDExFzZXJ2ZXIudm13YXJlLmNv bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA85iM 2G4J695Nh3LfU0S7eAdXHG51MtRcfR397jj0sjFk2THO T8Xkeue6pCAg0E9vsRSKiFZiMQLOTSkg0Vwd+bYDMzMx Uam/baSq7z7JF8irTHXYB/1PXDWdykUI7jYSRVxhjbHm XU8/2jEUL5DocLDLnygsUD2g7cUMYdz/HeECAwEAAaAA MA0GCSqGSIb3DQEBBQUAA4GBALq2e5FWHQIE26J0lIdR FLQqlsu78IsuGF19nvJSxrdnHFUpUvTaTA3auGsz+UJG /vdHqFt49oSIrIhd7NALLumBoOq4tEywvE3vq0ytUvIE imJCKsAiAeyWZUydJps+zhVKKhiscgFh60AZp1bmTJgu AeHnsPs7a1Q0JH6OZvdU -----END NEW CERTIFICATE REQUEST-----
(Optional)Backupthekeys.p12 fileafterthecertificateisimportedintoitincase youneedtorebuildtheconfigurationfortheserveratsomepoint.
To submit the CSR and import the certificate 1 2 ContactyourCAandprovidetherelevantinformationandacopyoftheCSR generatedinTocreatetheCSRonpage 51. RequestacertificateinPKCS#7format. Fortestingpurposes,ThawteprovidesafreeCAat https://www.thawte.com/cgi/server/try.exethatgeneratesa21daySSLcertificate basedonanuntrustedroot.Thisisslightlybetterthanthegetyoustarted certificatesuppliedwithVDMbecauseitnowusesthecorrectname.However, clientsstillissuewarningsthattheserviceisnottrusted. 3 Copythecontentsofthegeneratedfileintoatexteditorandsaveitas certificate.p7.
52
VMware, Inc.
Thefilelookslikethefollowingexample:
-----BEGIN PKCS7----MIIF+AYJKoZIhvcNAQcCoIIF6TCCBeUCAQExADALBgkqhkiG9w0BBwGgggXNMIID LDCCApWgAwIBAgIQTpY7DsV1n1HeMGgMjMR2PzANBgkqhkiG9w0BAQUFADCBhzEL ... i7coVx71/lCBOlFmx66NyKlZK5mObgvd2dlnsAP+nnStyhVHFIpKy3nsDO4JqrIg EhCsdpikSpbtdo18jUubV6z1kQ71CrRQtbi/WtdqxQEEtgZCJO2lPoIWMQA= -----END PKCS7-----
Importthecertificateintothekeystoreusingthefollowingcommand(changethe passwordandreplacesecretwithanotherpassword):
%JAVA_HOME%\bin\keytool -import -keystore keys.p12 -storetype pkcs12 -storepass secret -keyalg "RSA" -trustcacerts -file certificate.p7
Thisoperationmightgeneratethefollowingmessage:
... is not trusted. Install reply anyway?
Ifthismessageisgenerated,itimpliesthattherootcertificategiventoyouisnot trustedbyJavabecauseitisatestcertificateandnotforproductionuse(inother words,youreceivethismessageifyouusethetestCAreferencedabove).Installing thiscertificateisallowedbutmightnotprovideabetteruserexperiencethanthe getyoustartedcertificate. To configure the VDM Connection Server to use the certificate 1 PlaceanewcertificatefileinthefollowinglocationoneachVDMConnection Server(standard,replica,orsecurityserver): C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf 2 Create(oredit)thefollowingfileoneachserver: C:\ProgramFiles\VMware\VMwareVDM\Server\sslgateway\conf\ locked.properties 3 Addthefollowingproperties: keyfile=keys.p12 keypass=secret Thischangesthevaluesasneededtomatchwhatyoucreatedinthepreviousstep. 4 RestarttheVDMservice.
VMware, Inc.
53
AssumingyourenvironmentisconfiguredtouseSSL,alogmessagelikethe followingappears:
13:57:40,676 INFO <Thread-1> [NetHandler] Using SSL certificate store: keys.p12 with password of 6 characters
Thismessageindicatesthattheconfigurationisinuse.
VDM Load Balancing

WhenyousetupandconfigureserversforVDM,loadbalancingisanimportantdesign consideration.Loadbalancingprovidesthehighestlevelofscalabilityandhelpsavoid anysinglepointsoffailure.Loadbalancingaddressesthescalingandfaulttoleranceof yourVDMsolution. TheVDMConnectionServeristhecorecomponentofVDM.YoucandeploytheVDM ConnectionServeraseitheraconnectionserverorasasecurityserver.VDM ConnectionServersprovidesessionmanagementandhandleallincomingclient requestsanddirectthemtotheappropriatevirtualdesktopsession.TheVDMSecurity ServersensuresecurecommunicationbetweentheclientdevicesandtheVDM ConnectionServers. Youmightalreadyhaveanexistingloadbalancingsolutioninplacesupporting currentbusinessapplicationsandservices.Youcanleverageexistingloadbalancing servicescanbecausetheloadthatVDMusesontheloadbalancinginfrastructureis minimal.Inadditiontotypicalhardwarebasedloadbalancingappliances,inexpensive (orfree)softwarebasedproductscanalsobeconsideredaspossibleloadbalancing solutions. YoucandeployloadbalancingwhetheryouareusingaDMZdeploymentwithsecurity serversdeployedinsideaDMZ,oranonsecurityserverdeploymentwithendusers connectingdirectlytoVDMConnectionServers.Forinformationaboutloadbalancing insideaDMZdeployment,seeLoadBalancinginaDMZDeploymentonpage 59.
Load Balancing in a Non-DMZ Deployment

Insomecases,suchasLANbaseddeployments,userscanconnectdirectlytoVDM ConnectionServers.Inthiscase,noVDMSecurityServersaredeployed.Youcanuse tunneledornontunneleddeploymentavailableforLANbasedconnections.When tunnelingisenabled,allVDMtrafficisencryptedandtunneledthroughaVDM ConnectionServer.Whentunnelingisnotenabled,sessiontrafficisnotroutedthrough theVDMConnectionServersandthereforeisnotSSLencrypted.Afteraclient connectstothevirtualdesktopthatituses,allcommunicationisbetweentheclientand thevirtualdesktop.
54
VMware, Inc.
Session Setup and Load Balancing

Toconfigureloadbalancing,itisimportanttounderstandhowsessionsaresetupand howconnectioninformationpassesbetweentheclientandtheconnectionservers. TheinitialHTTP/HTTPSTCPsessionisestablishedbetweentheclientandVDM SecurityServerorVDMConnectionServer.Theuserisauthenticatedduringtheinitial connection.Ifauthenticationissuccessful,controlinformationisreturnedtotheclient. Thecontrolinformationincludesalistofvirtualdesktopsthattheuserisentitledto connecttoandthefullyqualifieddomainname(FQDN)oftheVDMConnectionServer orVDMSecurityServer. Aftertheclientreceivesconnectioninformation,itinitiatesasecondTCPsessionforthe tunneltotheFQDNreceived(theFQDNoftheconnectionserver)duringtheinitial connection.ThesecondTCPsessionisanSSLtunnelbetweentheclientandthesecurity serverorVDMConnectionServer.AfterthisTCPsessionstarts,theRDPclientonthe clientmachineconnectstothelocalhostlistenerandtrafficisroutedthroughthetunnel tothesecurityserverandthenontothevirtualdesktop. TheVDMsecureconnectionisusedforcommunicationinanRDPsession.Whena clientisreadytoestablishanRDPsessionwiththeselectedvirtualdesktop,theclient startsalocalTCPlistener.Afteritisstarted,aTCPsessionisestablishedbetweenthe VDMConnectionServerandthevirtualdesktoprunningontheESXserver.TheRDP clientontheclientmachinethenconnectstothelocalhost,andcommunicationis handledbyusingtheVDMsecureconnectionpreviouslyestablished. Inaloadbalancedconfiguration,whenaclientestablishesaTCPsession,theTCP sessioncanbeestablishedwithdifferenthosts.Forexample,theclientsfirstconnection fromtheclienttotheloadbalancermightbetoaglobalDNSnamesuchas https://vdiyourcompany.com.Theloadbalancinginfrastructurethenforwardsthe requesttohttps://vdm1.example.com,oneoftheserversintheVDMSecurityServer farm.Youcanuseoneofseveralcommonloadbalancingmethods(proxy,httpredirect, NLBcluster,roundrobinDNS,andsoforth)todecidewhichVDMserveristohandle thesession AftertheVDMclientauthenticateswiththeVDMserver,itreceivesspecific instructionstoconnectdirectlytohttps://vdm1.example.comandestablishanSSL tunnel.
VMware, Inc.
55
DNS Requirements for a Load Balanced Solution

Regardlessoftheloadbalancingmechanismorsolutionyouuse,aclientmustbeable toconnectwitheachVDMserverbyitsFQDNdirectly.Theclientmustbypasstheload balancingaltogether.IncaseswhereVDMSecurityServersaredeployedinsidethe DMZorwhenVDMConnectionServersareaccessedfromalocalareanetwork,all serversshouldhavevalidDNSnames. TheloadbalancermakestheinitialdecisionaboutwhichVDMConnectionServeristo handletheclientsessionbydirectingthefirstTCPsessiontothechosenVDM ConnectionServer.Thesecuretunnelconnectionismadedirectlyfromtheclienttothe VDMConnectionServerandasaresultdoesnotusetheloadbalancinginfrastructure forthisconnection,whichcarriesthebulkofnetworktrafficbetweenclientandserver.
Load Balancing Solution

Youcantakeseveralapproacheswhenyouimplementaloadbalancingsolutionfor VDMservers.Forexample,roundrobinDNS,whiletechnicallythemostsimpleload balancingsolutiontoimplement,hasasignificantdisadvantagefromafailover perspective.Ifoneoftheserversfails,itmustberemovedfromtheDNSlistofrecords correspondingtotheloadbalanceddomainname.Anotherissuewitharoundrobin DNSapproachisintheremoteaccessusecasewhereVDMclientsareaccessingtheir virtualdesktopsacrosstheInternet,throughtheVDMSecurityServers.Inthiscase,the responsesofthemasterDNSserverarecachedinupstreamDNSservers.Itcantake severalhoursforaremovedDNSnametobereplicatedtoallInternetDNSservers.If aserverisoutofservice,clientconnectionscanfailiftheyaredirectedtothatserver duringthetimeittakesforthecachedrecordtoexpireacrosstheInternetDNSservers. Supportforaredundancyandfailovermechanism,typicallyatthenetworklevel, preventstheloadbalancerfrombecomingasinglepointoffailure.Forexample,using theVirtualRouterRedundancyProtocol(VRRP)tocommunicatewiththeload balanceraddsredundancyandfailover.Ifthemainloadbalancerfails,anotherload balancerinthegroupautomaticallystartshandlingconnections. Toprovideadegreeoffaulttolerance,aloadbalancingsolutionmustbeabletoremove failedVDMservernodesfromtheloadbalancedgroup.Thewayinwhichfailednodes aredetectedvariesfromsolutiontosolution.Regardlessofthemethodusedtoremove orblacklistanunresponsiveVDMserver,thesolutionmustensurethatnewincoming sessionsarenotdirectedtotheunresponsiveserver. IfaVDMserverfailsorbecomesunresponsiveduringanactivesession,usersdonot losedataanddesktopstatesarepreservedinthevirtualdesktop.Whenusersreconnect toadifferentVDMserverinthegroup,theirdesktopsessionscontinueexactlywhere theywerewhenthefailureoccurred.
56
VMware, Inc.
TheloadbalancingsolutionyouchoosemustsupportWebsessionaffinitybetweenthe clientandVDMConnectionServer.WebsessionaffinitymeansthataparticularWeb sessionisalwaysdirectedtothesameserver. Manyinexpensiveandfreeloadbalancingsolutionsareavailablethatyoucanusewith VMwareVDM.Anystandardsbasedloadbalancerthatsupportssessionaffinityis acceptable. TwoexamplesofsoftwarebasedloadbalancersareHerculesandWindowsNetwork LoadBalancing(NLB).HerculesisafreeLinuxbasedvirtualappliancethatdelivers theopensourceloadbalancercalledPen.WindowsNLBisafeatureavailablewith WindowsServer2003.
VDM DMZ Deployment

VDMalsosupportsDMZ(securityserver)deployment,whichallowsgreatersecurity whenaccessingvirtualdesktopsfromtheInternet.ServerswithintheDMZruna subsetofthefullVDMConnectionServer.DMZdeploymentaddsanadditionallayer ofsecurityandensuresthatonlyauthenticateduserscanattemptaconnectiontothe internalnetworkfromtheInternet.
DMZ installation
DMZdeploymenthasthefollowingentitiesorlocations:theInternet,theDMZ,andthe internalnetwork.ClientswhoneedaccesstothevirtualdesktopsresideontheInternet. Thevirtualdesktopsarelocatedontheinternalnetworkalongwiththerestofthe componentsthatcomprisethevirtualdesktopinfrastructure.TheDMZsitsbetween theInternetandtheinternalnetworkandreducestheriskoftheinternalnetworkbeing compromised. Dependingonyourparticularserverconfiguration,loadbalancingmightberequired. Youneedeitherahardwareorsoftwareloadbalancingsolutionifyouhavemorethan onesecurityserver. Whenyouconsiderfirewalls,thestrongerapproachistousetwofirewalls,wherethe DMZisbetweenandconnectedtobothfirewalls.Inthisconfiguration,onefirewallis connectedtotheinternalnetworkandtheothertotheexternalnetwork. Figure 33showsaDMZdeploymentthatallowsuserstoaccesstheirdesktopsfrom theInternet.ItincludesaloadbalancerandfirewallsoneachsideoftheDMZ.
VMware, Inc.
57
Figure 3-3. VDM DMZ Deployment

DMZ client devices thirdparty load balancer VDM security servers VDM connection servers VMware Infrastructure VirtualCenter
firewall
firewall
Active Directory
To perform a DMZ installation for a security server 1 RunVMware-vdmconnectionserver-2.0.0-<xxx>.exe. xxxisthebuildnumberofthesoftwarecomponentyouareinstalling. TheVMwareInstallationwizardopens. 2 3 4 5 6 ClickNext. AccepttheVMwarelicensetermsandclickNext. AcceptorchangethedestinationfolderandclickNext. ChooseSecurityServer. EntertheFQDNoftheconnectionserver(eitherstandardorreplica)withwhich thesecurityserveristocommunicate. NOTEEachsecurityserverispairedwithaVDMConnectionServerandforwards alltraffictothatserver. 7 ClickNext>Install>Finish.
58
VMware, Inc.
Load Balancing in a DMZ Deployment

WhenyoudeployaVDMSecurityServerinsideaDMZ,alinkisestablishedwitha dedicatedVDMConnectionServerduringtheinstallationprocess.WhenVDM SecurityServersaredeployedinsidetheDMZ,theymustbeloadbalancedinsidethe DMZtoprovidescalabilityandfaulttolerance.
Configuring Firewall Ports for DMZ Deployments

WhenyousetupfirewallsinaDMZdeployment,youmustconfigurethefirewallrules sothattheTCPprotocoltrafficthatneedstopassthroughthefirewallcan.Thesettings describedinthissectionarebasedonaDMZdeploymentwherefirewallrulesare configuredfromanexternalnetwork(theInternet,forexample)andfromtheDMZto theinternalnetwork.ThesettingsalsoassumethatclientsaccessVDMfromanexternal networkandconnectbyusingVDMSecurityServerslocatedwithintheDMZandthat VDMissetupusingdefaultTCPportsforeachprotocol. ToaccessaDMZfromanexternalnetworkandtoallowclientdevicestoconnectto VDMSecurityServerswithintheDMZ,allowTCPportsto80and443. IfyouconnecttotheinternalnetworkfromaDMZusingVDMSecurityServersinthe DMZtoconnecttoVDMConnectionServers(standardorreplicainstances)inthe internalnetwork,allowTCPport8009forAJP13forwardedWebtrafficandallowTCP port4001forJMSmessagingtraffic. ToconnecttotheinternalnetworkfromaDMZusingVDMSecurityServerstoconnect todesktopvirtualmachines,allowTCPport3389forVDMsecuredRDPtraffic.
Backing up and Restoring ADAM Data

ActiveDirectoryApplicationMode(ADAM)storesallofyourVDMconfiguration data.TheinformationinADAMincludesalloftheconfigurationdataenteredinthe VDMAdministrator.TorestoreyourVDMenvironment,performabackupofthe ADAMdatasothatyoudonothavetoreenteryourconfigurationinformation. BecauseADAMincludesalloftheconfigurationdata,VMwarerecommendsthatyou backupthisdataregularly.TobackuporrestoreyourADAMdata,youneedtoknow thenameoftheADAMinstanceyouarebackingup.ForVMwareVDMdirectory services,thisinstanceiscalledVMwareVDMDSwhichmeansthatallofthedataand logsarestoredintheC:\ProgramFiles\MicrosoftADAM\VMwareVDMDSfolder.
VMware, Inc.
59
RefertotheMicrosoftTechNetarticleatthefollowingURLfordetailsabouthowto backupandrestoreADAMdata: http://technet2.microsoft.com/windowsserver/en/library/7616644b9a2d4fa09635260 b97f385e71033.mspx?mfr=true
Troubleshooting VDM
ThefollowingURLsforVMwareKnowledgeBase(KB)articlescontaintroubleshooting informationforVDM.TheKBarticlesarecontinuallyupdatedwithnew troubleshootinginformation.
UsethefollowingURLfortroubleshootingenduserconnectionissues: http://www.vmware.com/info?id=342
UsethefollowingURLfortroubleshootingpoolingissues: http://www.vmware.com/info?id=343
UsethefollowingURLfortroubleshootingUSBissues: http://www.vmware.com/info?id=346
60
VMware, Inc.
Appendix: VDM Client Advanced Active Directory RDP Settings
ThedefaultconfigurationsettingsusedintheVDMClientaresuitableformost situations.However,youcanconfiguresomeadvancedsettingsintheregistryofthe clientcomputerthataffectthebehavioroftheVDMClient,particularlyadvancedRDP connectionsettings. Youcanmanagethesesettingsintheclientcomputerregistryinseveralways.Ifthe settingsarenotpresent,thedefaultvalueistakenforthatsetting.Inmostajorityof situations,noregistryupdatesareeverrequired. Table A1describesthesettingsthatyoucandefineintheHKEY_CURRENT_USER directorytooverridethedefaultbehavior.Theregistrysettingnamescorrespondtothe Microsoftsettingname.Formoreinformationaboutthesesettings,seetheMicrosoft TechNetarticles Table A-1. Client Registry Settings for the Client
.
Name Software\VMware,Inc.\VMware VDM\Client\EnableShade Software\VMware,Inc.\VMware VDM\Client\InitialPinState Software\VMware,Inc.\VMware VDM\Client\DisableSpanChecks Software\VMware,Inc.\VMware VDM\Client\RDPSettings\ColorDepth Software\VMware,Inc.\VMware VDM\Client\RDPSettings\DisableWallpaper
Type REG_SZ REG_SZ REG_SZ REG_SZ REG_SZ
Description trueorfalse. trueorfalse. trueorfalse. Definedinbits.8, 15,16,24or32. trueorfalse.
VMware, Inc.
61
Table A-1. Client Registry Settings for the Client (Continued)

Name Software\VMware,Inc.\VMware VDM\Client\RDP Settings\DisableFullWindowDrag Software\VMware,Inc.\VMware VDM\Client\RDP Settings\DisableMenuAnimations Software\VMware,Inc.\VMware VDM\Client\RDP Settings\EnableEnhancedGraphics Software\VMware,Inc.\VMware VDM\Client\RDP Settings\DisableCursorShadow Software\VMware,Inc.\VMware VDM\Client\RDPSettings\FontSmoothing Software\VMware,Inc.\VMware VDM\Client\RDP Settings\DesktopComposition Software\VMware,Inc.\VMware VDM\Client\RDP Settings\AudioRedirectionMode Software\VMware,Inc.\VMware VDM\Client\RDPSettings\RedirectDrives Software\VMware,Inc.\VMware VDM\Client\RDPSettings\RedirectPrinters Software\VMware,Inc.\VMware VDM\Client\RDPSettings\RedirectPorts Software\VMware,Inc.\VMware VDM\Client\RDP Settings\RedirectSmartcards Software\VMware,Inc.\VMware VDM\Client\RDPSettings\RedirectClipboard Software\VMware,Inc.\VMware VDM\Client\RDP Settings\RedirectPlugAndPlayDevices Software\VMware,Inc.\VMware VDM\Client\RDPSettings\BitmapPersistence Type REG_SZ Description trueorfalse.
REG_SZ
trueorfalse.
REG_SZ
trueorfalse.
REG_SZ
trueorfalse.
REG_SZ REG_SZ
trueorfalse. trueorfalse.
REG_SZ
0=Redirectto Client1=Playin VM2=Disable audio trueorfalse. trueorfalse. trueorfalse. trueorfalse.
REG_SZ REG_SZ REG_SZ REG_SZ
REG_SZ REG_SZ
trueorfalse. trueorfalse.
REG_SZ
trueorfalse.
62
VMware, Inc.
Appendix: VDM Client Advanced Active Directory RDP Settings
Table A-1. Client Registry Settings for the Client (Continued)

Name Software\VMware,Inc.\VMware VDM\Client\RDPSettings\ShadowBitmap Software\VMware,Inc.\VMware VDM\Client\RDP Settings\CachePersistenceActive Software\VMware,Inc.\VMware VDM\Client\RDP Settings\EnableCompression Software\VMware,Inc.\VMware VDM\Client\RDP Settings\KeyboardHookMode Type REG_SZ REG_SZ Description trueorfalse. trueorfalse.
REG_SZ
trueorfalse.
REG_SZ
0=Applykey combinations locally.1=Send keycombinations toVM. SizeinKB. Between1and32. SizeinKB. Between1and32. SizeinKB. Between1and32. SizeinKB. Between1and32. SizeinKB. Between1and32.
Software\VMware,Inc.\VMware VDM\Client\RDPSettings\BitmapCacheSize Software\VMware,Inc.\VMware VDM\Client\RDP Settings\BitmapVirtualCacheSize Software\VMware,Inc.\VMware VDM\Client\RDP Settings\BitmapVirtualCache16BppSize Software\VMware,Inc.\VMware VDM\Client\RDP Settings\BitmapVirtualCache24BppSize Software\VMware,Inc.\VMware VDM\Client\RDP Settings\BitmapVirtualCache32BppSize
REG_SZ REG_SZ
REG_SZ
REG_SZ
REG_SZ
Using Active Directory Group Policies for Advanced Settings

GroupPolicysettingsdefinethecomponentsoftheusersdesktopenvironmentthata systemadministratorneedstomanage.Theadvancedoptionsarestoredintheregistry oftheclientcomputersandyoucanmanagethembyusingGroupPolicysettingsin ActiveDirectory.
VMware, Inc.
63
VDMConnectionServerincludesanAdministrativeTemplatefile(vdm_client.adm) thatyoucanloadintoActiveDirectorytosimplifythemanagementofGroupPolicy settingsoneachVDMClientcomputer.ThisfileislocatedoneachVDMConnection serverinC:\Program Files\VMware\VMware VDM\Server\ADM. TheMicrosoftTechNetarticleatthefollowingURLprovidesinformationaboutadding thisadministrativetemplateinActiveDirectory: http://technet2.microsoft.com/windowsserver/en/library/b9546edf751f4a09835af33 97caef2361033.mspx?mfr=true
64
VMware, Inc.
Glossary
ActiveDirectory AMicrosoftdirectoryservicethatstoresinformationaboutthenetworkoperating systemandprovidesservices.ActiveDirectoryconfiguresandmanagesusersand groupsandenablesadministratorstosetsecuritypolicies,controlresources,and deployprogramsacrossanenterprise. ADAM(ActiveDirectoryApplicationMode) AnLDAPimplementationbasedonActiveDirectory. activesession AliveconnectionfromaclientorWebAccessusertoavirtualdesktop.An establishedconnectiontoavirtualdesktopthathasnottimedout. administratoruserinterface TheWebbasedadministratoruserinterfaceusedtoperformconfigurationand managementtasksinVDM.AlsoknownastheVDMAdministrator. agent SeeVMwareVDMAgent.
broker Alsoknownasaconnectionbroker.TheVDMConnectionServerisatypeof connectionbroker.SeealsoVMwareVDMConnectionServer. client SeeVMwareVDMClient.
VMware, Inc.
65
connectionbroker Aserverthatallowsconnectionsbetweenremoteusersandvirtualdesktopsand providesauthenticationandsessionmanagement.TheVDMConnectionServeris atypeofconnectionbroker.SeealsoVMwareVDMConnectionServer. connectionserver SeeVMwareVDMConnectionServer.
datastore Virtualrepresentationsofcombinationsofunderlyingphysicalstorageresources inthedatacenter.Adatastoreisthestoragelocation(forexample,aphysicaldisk, aRAID,oraSAN)forvirtualmachinefiles. desktop Seevirtualdesktop. desktopvirtualmachine Seevirtualdesktop. desktoppool Apoolofvirtualmachinesthatanadministratordesignatesforusersorgroupsof users.Seealsopersistentdesktoppool,nonpersistentdesktoppool. DMZ(demilitarizedzone) Alogicalorphysicalsubnetworkthatconnectsinternalserverstoalarger, untrustednetwork(usuallytheInternet)andprovidesanadditionallayerof securityandgivesadministratorsmorecontroloverwhocanaccessnetwork resources. DNS(DomainNameSystem) AnInternetdataqueryservicethattranslateshostnamesintoIPaddresses.Also calledDomainNameServerorDomainNameService.
FQDN(fullyqualifieddomainname) Thenameofahost,includingboththehostnameandthedomainname.Forexample, theFQDNofahostnamedesx1inthedomainvmware.comisesx1.vmware.com.
guest Seeguestoperatingsystem.
66
VMware, Inc.
Glossary
guestoperatingsystem Anoperatingsystemthatrunsinsideavirtualmachine.
highavailability Asystemdesignapproachthatensuresadegreeofoperationalcontinuity. loadbalancing Atechniqueusedfordistributingprocessesacrossserverssothatthetrafficloadis spreadmoreevenlyandserversdonotbecomeoverloaded. nonpersistentdesktoppool Adesktoppoolinwhichusersarenotassignedtoaspecificdesktop.Whenusers logofforaretimedoutofadesktop,theirdesktopsarereturnedtothepooland madeavailabletootherusers.Usersshouldnotsavedataorfilestotheirdesktops whenusinganonpersistentpool. persistentdesktoppool Adesktoppoolinwhichusersareassignedtoaspecificdesktop.Userslogonto thesamedesktopeverytimeandtheirdataispreservedwhentheylogoff.Users cansavedataandfilestotheirdesktopswhenusingapersistentpool. RDP(remotedesktopprotocol) Amultichannelprotocolthatallowsausertoconnecttoacomputerremotely. RSASecurID AproductfromRSAthatprovidesstrongtwofactorauthenticationusinga passwordandanauthenticator.
securityserver AVDMConnectionServerdeploymentthataddsalayerofsecuritybetweenthe Internetandtheinternalnetwork.SecurityServerisanoptionthatyouchoose duringVDMconnectionserverinstallation.SeealsoDMZ(demilitarizedzone). thinclient Adevicethatallowsausertoaccessvirtualdesktopsbutrequireslittlememoryor diskdrivespace.Applicationsoftware,data,andCPUpowerresidesonanetwork computerandnotontheclientdevice.
VMware, Inc.
67
VMwareVDMAgent Installedontheguest,theVDMAgentenablescommunicationbetweenthe desktopvirtualmachine,theVDMConnectionServer,andenduserswhoaccess virtualdesktopsbyusingVDMWebAccessorVDMClients. VMwareVDMClient AWindowsbasedapplicationusedforaccessingvirtualdesktops. VMwareVDMConnectionServer Aconnectionbrokerthatprovidesmanagementanduserauthenticationforvirtual desktops.TheVDMConnectionServerdirectsincomingremotedesktopuser requeststotheappropriatevirtualdesktop. VMwareVDMWebAccess Webbrowserbasedapplicationforaccessingvirtualdesktops.Enduserswhorun supportedWindows,Linux,orMacintoshoperatingsystemscanaccessvirtual desktopsbyusingVDMWebAccess. virtualdesktop Adesktopoperatingsystemthatrunsonavirtualmachine.Avirtualdesktopis indistinguishablefromanyothercomputerrunningthesameoperatingsystem. VMwareVirtualDesktopInfrastructure TheVMwaredesktopinfrastructuresolutionthatconsistsofVMwareESXServer, VMwareVirtualCenter,andVMwareVirtualDesktopManager.VDIprovidesan endtoendvirtualdesktopsolutionthatallowsadministratorstoeasilydeploy andmanagevirtualdesktopenvironments.
webaccess SeeVMwareVDMWebAccess.
68
VMware, Inc.
Index
A
active sessions 45 ADAM, backing up and restoring data 59
G
global configuration settings 46 direct connection to virtual desktop 46 reauthenticate after network interruption 47 require SSL for client connections 46 session timeout 46 usb redirection 47 global settings configuring 47
B
backing up and restoring ADAM data 59
C
configuration end-to-end 29 individual desktop 30 one-time 12, 29 pooled desktop 31 customization specification 25
H
high availability 27
D
desktop virtual machines preparing 9 desktop virtual machines, preparing 24 desktops connecting to 39 connecting using the VDM Client 39 connecting using VDM Web Access 15, 40 entitling 38 DMZ firewall ports 59
I
installation DMZ 57 multi-server 28 multiserver 27 single server 10, 11, 26, 27 VMware Agent 10, 24 VMware Tools 9, 24 installing SSL certificates 50
L
load balancing 54 DNS requirements 56 non-DMZ deployment 54
E
events 47, 48 viewing 48
R
RSA SecurID 48
VMware, Inc.
69
enabling 48
S
searching desktops 44 entitled users and groups 44 SSL certificate creating the certificate signing request 51 importing 52 installing 50 using 53 supported thin clients 20
from a VDM server 49 VirtualCenter template 25
T
template, desktop virtual machine 25 templates, creating 25 thin clients 20 troubleshooting 60
V
VDM Administrator Configuration page 43 Events page 44 Inventory page 42 user interface 44 VDM agent with multiple NICs 25 VDM connection server installing 26 SSL certificate 26, 50 VDM Objects 49 VDM objects deleting a desktop from a VDM server 49 deleting a virtual machine from a VDM desktop 50 removing a VirtualCenter server
70
VMware, Inc.

How To Use VMware - Part 1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

How To Use VMware - Part 1

Uploaded by

Copyright:

Available Formats

Installation and Administration Guide

VMware Virtual Desktop Manager 2.0

Installation and Administration Guide

Installation and Administration Guide Revision: 20080501 Item: VDM-ENG-Q108-450

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

PrepareDesktopVirtualMachines 24 UsingtheVDMAgentonVirtualMachineswithMultipleNICs 25 InstallingtheVDMConnectionServer 26 SingleServerInstallation 26 MultiserverInstallation 27 OneTimeConfiguration 29

Installation and Administration Guide

About This Book

Installation and Administration Guide

Technical Support and Education Resources

Online and Telephone Support

VMware Education Services

VDM Quick Start Guide

Asaminimum,aPentiumIV2.0Ghzprocessor.Dualprocessorsareecommended. Asaminimum,2GBRAM.3GBRAMisrecommendedfordeploymentsof 50ormoredesktops. Aminimumofone10/100MbpsNIC.1GbpsNICisrecommend.

Installation and Administration Guide

IfyouareusingVI3guestcustomization,MicrosoftSyspreptoolsinstalledonyour VCServer AcustomizationspecificationthatpermitsclonedvirtualmachinestojointheAD domain(optional) AvalidlicensekeyforVDM

Chapter 1 VDM Quick Start Guide

IfconnectingtoaWindowsVistadesktopusingaLinuxclient,youmustinstallthe rdesktopremotedesktopprotocolclientversion1.5.0,whichyoucandownload fromthefollowingURL: http://www.rdesktop.org/ Afteryoudownloadrdesktop,followtheinstructionsinthereadmefile.

MakesurethemachinethatistoactastheconnectionserverisintheWindows domain. MakesuretheconnectionserverhasonlyoneNIC. MakesureyoucanpingtheFQDNoftheconnectionserver. UninstallanypreviousversionsofVDM.

Prepare Desktop Virtual Machines

Identifythebasedesktopvirtualmachinetodeploytousers,andinstallthelatest operatingsystemandapplicationServicePacksandpatches.ForWindowsXP desktopvirtualmachines,ensurethatthefollowingMicrosoftpatchthatVDM requiresisinstalled: http://support.microsoft.com/kb/323497

ThelatestVMwareToolsareinstalled(providedwithVI3). Makesurethatnetworkingsettings(proxies,andsoforth)areproperlyconfigured inthedesktopvirtualmachine. VMwareVDMAgentisinstalled.

Installation and Administration Guide

NOTEVDMAgentsoftwareisnotautomaticallyupdatedandmustbemanually uninstalledandreplacedwithanewversion.ForautomatedupdatingofVDM Agentinlargeenvironments,VMwarerecommendsusingstandardWindows updatemechanismssuchasAltiris,SMS,LanDesk,BMC,orothersystems managementsoftware.

Installing the VDM Connection Server

Chapter 1 VDM Quick Start Guide

Figure 1-1. VDM Single Server Deployment

Remote Users VDM Connection Server

ESX Servers (virtual desktops)

FormoreinformationaboutinstallingtheVDMConnectionServer,seeInstallingthe VDMConnectionServeronpage 26.

Installation and Administration Guide

Creating an Individual Desktop

ClicktheInventorytab. InAllDesktops,clicktheDesktopstabandclickAdd. InSelectdesktoptype,clickIndividualdesktopandclickNext. EntertheDesktopIDandtheDesktopDisplayName.

Chapter 1 VDM Quick Start Guide

ClickNext. ReviewtheinformationinReadytoCompleteandclickFinishtoacceptitorBack tomakecorrections. ClickFinish.

Forinformationaboutcreatingdesktoppools,seeConfigurationforaPooled Desktoponpage 31.

Installation and Administration Guide

ClickNext. AccepttheVMwarelicensetermsandclickNext. AcceptorchangethedestinationfolderandclickNext. ConfigureshortcutsfortheVDMClientor,ifyoudonotwanttouseshortcuts, deselectallchoices. ClickNext. ClickInstall. ClickFinish. StarttheVMwareVDMClient.

Chapter 1 VDM Quick Start Guide

IntheVDMServerdropdownmenu,enterthehostnameorIPaddressofthe VDMServer. ClickConnect. Enterentitleduserscredentials,selectthedomainandclickLogin. ChoosetheentitleddesktopandclickOK. Thedesktopvirtualmachineisconnected.

Installation and Administration Guide

VDM Introduction and System Requirements

VDMOverviewonpage 17 SystemRequirementsonpage 19 Prerequisitesonpage 21

Installation and Administration Guide

ESX Servers (virtual desktops)

VDM Connection Server Active Directory VDM Client

Chapter 2 VDM Introduction and System Requirements

VDM Connection Server

Connection Server Hardware Requirements

Asaminimum,aPentiumIV2.0Ghzprocessor.Dualprocessorsare recommended. Asaminimum2GBRAM.3GBRAMisrecommendedfordeploymentsof50 ormoredesktops. Aminimumofone10/100MbpsNIC.1GbpsNICisrecommended.

Connection Server Supported Operating Systems

WindowsServer2003R2StandardEdition,SP2 WindowsServer2003StandardEdition,SP2 WindowsServer2003R2EnterpriseEdition,SP2 WindowsServer2003EnterpriseEdition,SP2

Installation and Administration Guide

VDM Client Supported Operating Systems

Windows2000Professional,SP4 WindowsXPProfessional,SP1,SP2 WindowsXPHome,SP2 WindowsVistaHome WindowsVistaHomePremium WindowsVistaBusiness WindowsVistaUltimate

Supported Thin Client Devices

HPCompaqt5730ThinClient HPCompaqt5735ThinClient HPCompaq6720tMobileThinClient HPNeowarec50(XPe) WyseS10VDIEdition WyseV10L WyseV90 WyseV90L

NOTEForinformationaboutconfiguringWysethinclientdevices,seetheVMware technoteatthefollowingURL: http://www.vmware.com/info?id=347

Chapter 2 VDM Introduction and System Requirements

VDM Web Access

VDM Agent Virtual Desktop

WindowsXPProfessional,SP2(32bit) WindowsVistaBusinessEdition(32bit) WindowsBusinessUltimateEdition(32bit)

Installation and Administration Guide