Mirage Administrators Guide

VMware Mirage Administrator's Guide
Mirage 5.6
This document supports the version of each product listed and

supports all subsequent versions until the document is
replaced by a new edition. To check for more recent editions
of this document, see http://www.vmware.com/support/pubs.
EN-001973-00
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright 2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
VMware, Inc.
Contents
Mirage Administration 9
1 Mirage System Components 11

2 Activating Endpoints 17
Centralizing Endpoints 17
Working with Upload Policies 19
Working with CVD Collections 23
Working with Archived CVDs 24
3 End User Operations 29
Access the Client Status 29

File-Level Restoration 29
Directory-Level Restore 30
Suspend and Reactivate Synchronization 31
4 Configuring the File Portal 33
Allow Access to CVD Files 33

Configure User CVD Mapping 34
Browse and View Files with the File Portal 34
Download Folders and Files from the File Portal 35
5 Protecting the Mirage File Portal 37

6 Configuring the Mirage System 41
Configure the System Settings 41

Managing Bandwidth Limitation Rules 41
License Settings 43
Import USMT Library and Settings 43
Authenticating the Mirage Gateway Server 44
Branch Reflector Settings 44
Configure File Portal Settings 44
Enable CVD Auto Creation 44
Configuring User Access to the File Portal 45
General System Settings 45
CVD Snapshot Generation and Retention 46
Configuring Secure Socket Layer Communication
47
7 VMware Mirage Customer Experience Improvement Program 49

Data Collected for the Customer Experience Improvement Program
Joining the Customer Experience Improvement Program 51
VMware, Inc.
49
Stop Sending Data to VMware
51
8 Introduction to Mirage PowerCLI 53
Using Mirage PowerCLI 54

Install the Mirage PowerCLI 54
Run vSphere PowerCLI and Mirage PowerCLI in a Single PowerShell Session 54
Mirage PowerCLI Cmdlets 55
Displaying Help for a Mirage PowerCLI cmdlet 55
Centralize Endpoints using Mirage PowerCLI 56
Migrate an Endpoint OS by Using the Mirage PowerCLI 58
Provision Pending Devices by Using the Mirage PowerCLI 61
Assign a Base Layer to a CVD Using the Mirage PowerCLI 64
Update App Layers Assigned to a CVD Using Mirage PowerCLI 66
9 Managing the Mirage Gateway Server 69
Configuring the Mirage Gateway Server 70

Update a Certificate for the Mirage Gateway Server Using a Command Line 71
Update a Certificate for the Mirage Gateway Server Using the Web Console 71
Register the Mirage Gateway Server Manually 71
Protecting the Mirage Gateway Server 71
Configuration Files for the Mirage Gateway Server 75
Using Log Files to Troubleshoot the Mirage Gateway Server 75
Remove the Mirage Gateway Server from the Mirage Management Console 77
Re-Register the Mirage Gateway Server When the Status is Down in the Mirage Management
Console 77
10 Managing the Driver Library 79

Driver Library Architecture 79
Managing Driver Folders 80
Managing Driver Profiles 82
11 Deploying Multiple Storage Volumes 85

View Storage Volume Information 85
Storage Volume Parameters 86
Add Storage Volumes 86
Edit Storage Volume Information 87
Remove or Unmount Storage Volumes 87
Mount Storage Volumes 88
Block Storage Volumes 88
Unblock Storage Volumes 88
Maintain Storage Volumes 89
12 Managing Branch Reflectors 91
Branch Reflector Matching Process 91

Select Clients To Be Branch Reflectors 92
Enable Branch Reflectors 92
Configure Defaults for Branch Reflectors 93
Configure Specific Branch Reflector Values 93
VMware, Inc.
Contents
Disable Branch Reflectors
94
Reject or Accept Peer Clients 94

Suspend or Resume Server Network Operations
Monitoring Branch Reflector Activity 95
95
13 Deploying Additional Mirage Servers 99

Using Multiple Servers 99
View Server Information 100
Mirage Servers Window Information 101
Add New Servers 101
Stop or Start the Server Service 101
Remove Servers 102
Integrating a Load Balancing Framework 102
14 Image Management Overview 105
Base Layers and App Layers 105

Layer Management Life Cycle 105
Hardware Considerations with Base Layers
Image Management Planning 107
107
15 Preparing a Reference Machine for Base Layer Capture 111

Set Up the Reference Machine 111
Reference Machine Data Considerations 112
Reference Machine Software and Settings 112
Recreate a Reference Machine from a Base Layer 113
16 Capturing Base Layers 115
Working with Base Layer Rules 115

Applying a Base Layer Override Policy 117
Capture Base Layers 119
Post-Base Layer Assignment or Provisioning Script 120
17 Capturing App Layers 123
App Layer Capture Steps Overview 123

Prepare a Reference Machine for App Layer Capture
Performing the App Layer Capture 125
What You Can Capture in an App Layer 128
Capturing OEM App Layers 129
Capture Multiple Layers on a Virtual Machine 130
Create a Post-App Layer Deployment Script 130
124
18 Assigning Base Layers 131
Detect Potential Effects of the Layer Change 131

Testing the Base Layer Before Distributing it to Endpoints 134
Assign a Base Layer to CVDs 135
Assign a Previous Layer Version 137
Monitor Layer Assignments 137
Correct Software Conflicts By Using a Transitional Base Layer 138
VMware, Inc.
Fix Broken Layers on Endpoints (Enforce Layers) 138

Provisioning a Layer for an Endpoint 139
19 Assigning App Layers 141
Detect Potential Effects of the App Layer Change 141

Testing App Layers Before Distributing it to Endpoints
Assign an App Layer to CVDs 142
Monitor App Layer Assignments 143
141
20 Create a WinPE Image for Mirage 145

21 Installing the Windows Deployment Service 147
Install the Windows Deployment Service Using the Windows Server Manager. 147
Install the Windows Deployment Service by Using Microsoft PowerShell 148
22 Add the WinPE Boot Images to the Windows Deployment Service Server 149
23 Provision a Device with Mirage by Using a WinPE Image 151
24 Mirage Validations for Bare Metal Provisioning 153
25 Provisioning a Device by Using the Self-Service Provisioning Tool 155
Create a Mirage Layer Group Configuration File 155
Import Mirage Layer Groups 156
Export Mirage Layer Groups 156
Provision a Device by Using the Self-Service Provisioning Tool 156
26 Endpoint Disaster Recovery 159
Restore a Device to a CVD Snapshot 159

Restoring to a CVD After Hard Drive Replacement or Device Loss 160
Restoring Windows 8 Devices 163
Working with Bootable USB Drives 164
Reconnect a Device to a CVD 168
End User Experience with Restore Processes 168
27 Migrating Users to Different Hardware 171

Reassign a CVD to a Different Device 171
Perform a Mass Hardware Migration 173
28 Windows OS Migration 175
Performing a Windows OS In-Place Migration 176

Migrating to Windows OS Replacement Devices 179
Monitor the Windows OS Migration 180
Applying Windows OS Post-Migration Scripts 180
29 Monitoring System Status and Operations 181

Using the System Dashboard
181
VMware, Inc.
Contents
Using Transaction Logs 183
30 Working with Reports for Mirage Operations 185

Layer Dry Run Reports 186
CVD Integrity Report 187
31 VMware Mirage Security Reference 189

Ports and Protocols Used by Mirage
Protecting Mirage Resources 191
Mirage Log Files 192
Mirage Accounts 193
189
32 Maintaining the Mirage System 195
Server and Management Server Operations 195

Upgrading from Previous Mirage Versions 197
33 Troubleshooting 201
CVD Events History Timeline 201

Problematic CVDs 201
Using Event and Other System Logs 202
Customize the Minimal Restore set 202
Generate System Reports 203
Generate System Reports Remotely 204
34 Advanced Administration Topics 207
Mirage and SCCM 207

Setting Up the SSL Certificate in Windows Server 208
Using Microsoft Office in a Layer 210
Managing Role-Based Access Control and Active Directory Groups 210
Macros in Upload Policy Rules 213
35 Managing View Desktops with VMware Mirage 217

Index
VMware, Inc.
219
VMware, Inc.
Mirage Administration
The VMware Mirage Administrator's Guide provides information about how to deploy Mirage to your
endpoints and configure the Mirage system. With Mirage, you can manage base layer and app layer images,
desktop operations such as disaster recovery and hardware and operating system migrations, and
monitoring, reporting, and troubleshooting.
Intended Audience
This information is intended for the Mirage administrator. The information is written for experienced
Windows system administrators who are familiar with typical Windows Data Center environments such as
Active Directory, SQL, and MMC.
VMware, Inc.
10
VMware, Inc.
Mirage System Components
Mirage software centralizes the entire desktop contents in the data center for management and protection
purposes, distributes the running of desktop workloads to the endpoints, and optimizes the transfer of data
between them.
The Mirage components integrate into a typical distributed infrastructure, with the following relationships
between the system components:
n
Mirage clients connect to a Mirage server, either directly or through a load balancer.
The administrator connects to the system through the Mirage Management server.
Mirage servers and the Mirage Management server share access to the back end Mirage database and
storage volumes. Any server can access any volume.
VMware, Inc.
11
Figure 11. System Components

Data Center
Remote Branch Site

Load
balancer
Branch
reflector
MongoDB
WAN
Mirage
database,
storage
volumes
LAN
Mirage clients
LAN
Mirage
server
cluster
Local site
Mirage clients
DMZ
Mirage
Management
server with
file portal
Internet
Mirage Gateway
server
Mobile users
Mirage clients
Mirage Management
console/Web Manager
Mirage Client
The Mirage client software runs on the base operating system and makes sure the images at the endpoint
and the CVD are synchronized. The client does not create or emulate a virtual machine. No virtual machines
or hypervisors are required. The Mirage client software can run on any Type 1 or Type 2 hypervisor.
Mirage Management Server

The Mirage Management server, located in the data center, is the component that controls and manages the
Mirage server cluster. Installing multiple Mirage Management servers increases Mirage availability in the
event that a Mirage Management server fails.
12
VMware, Inc.
Chapter 1 Mirage System Components
MongoDB File Database

Mirage uses the MongoDB file database to store system data and small files, reducing IOPS and upload
time. A MongoDB instance is installed with each Mirage Management server that you install.
NOTE VMware recommends that you replicate the file database by installing an additional Mirage
Management server to achieve a fault tolerance deployment.
If your configuration has only one Mirage Management Server, the Web Manager displays a red banner
with the following message:
Your system only has a single active Management Server. Set up multiple Management Servers to
prevent data loss in case the Management Server fails.
After you install two Mirage Management servers Mirage creates a replica of the MongoDB database.
Verify that you have a dedicated drive with at least 250GB of free disk space for the MongoDB database
files. If you cannot designate a local drive or SAN for the MongoDB database files, designate a dedicated
NAS volume on higher-end storage with lower latency to minimize disconnects between MongoDB and the
MongoDB files.
As an administrator, you can move the MongoDB data of a selected Mirage Management Server to a
different location. This feature is enabled only after installing more than one Mirage Management Server. In
your Web Manager, click Servers > Management Servers > Configure. In the Configure Mirage
Management Server dialog, enter the name of the location where you move the MongoDB data and click
OK.
Mirage Management Console

The Mirage Management console is the graphical user interface used for scalable maintenance,
management, and monitoring of deployed endpoints.
The administrator can use the Mirage Management console to configure and manage Mirage clients, base
layers, app layers, and reference machines. The administrator uses the Mirage Management console to
update and restore CVDs.
NOTE VMware recomments to set up multiple Management Servers to prevent data loss in case the
Management Server fails. A message pops up in the Mirage Management Console whenever you connect to
a server inside a cluster with only one enabled Mirage Management server.
Mirage Web Manager

The MirageWeb Manager lets help desk personnel respond to service queries, and lets the Protection
Manager role ensure that user devices are protected. The Web Manager mirrors Mirage Management
console functionality. For more information, see the VMware Mirage Web Manager Guide.
Mirage Server
The Mirage servers, located in the data center, synchronize data between the Mirage client and the
datacenter. The Mirage servers also manage the storage and delivery of base layers, app layers, and CVDs to
clients, and consolidate monitoring and management communications. You can deploy multiple servers as a
server cluster to manage endpoint devices for large enterprise organizations. It is good practice to keep the
server on a dedicated machine or a virtual machine. However, a server can run on the same machine as the
Mirage Management server.
The server machine must be dedicated for the Mirage server software to use. The server machine must not
be used for other purposes.
VMware, Inc.
13
Centralized Virtual Desktop

CVDs represent the complete contents of each PC. This data is migrated to the Mirage server and becomes
the copy of the contents of each PC. You use the CVD to centrally manage, update, patch, back up,
troubleshoot, restore, and audit the desktop in the data center, regardless of whether the endpoint is
connected to the network. A CVD comprises several components.
Table 11. CVD Components
Component
Defined By (Role)
Description
Base layer
Administrator
The base layer includes the operating

system (OS) image and core
applications such as antivirus, firewall,
and Microsoft Office. A base layer is
used as a template for desktop content,
cleared of specific identity information,
and made suitable for central
deployment to a large group of
endpoints.
App layers
Administrator
App layers include sets of one or more

departmental or line-of-business
applications, and any updates or
patches for already installed
applications. App layers are suitable
for deployment to a large number of
endpoints.
Driver profile
Administrator
The driver profile specifies a group of

drivers for use with specific hardware
platforms. These drivers are applied to
devices when the hardware platforms
match the criteria that the
administrator defines in the driver
profile.
User-installed applications and

machine state
End users
User-installed applications and

machine state can include a unique
identifier, host name, any
configuration changes to the machine
registry, DLLs, and configuration files.
Mirage Reference Machine

A Mirage reference machine is used to create a standard desktop base layer for a set of CVDs. This layer
usually includes OS updates, service packs, patches, corporate applications for all target end users to use,
corporate configurations, and policies. A reference machine is also used to capture app layers, which contain
departmental or line-of-business applications and any updates or patches for already installed applications.
You can maintain and update reference machines regularly over the LAN or WAN, using a Mirage
reference CVD in the data center. You can use the reference CVD at any time as a source for base and app
layer capture.
Mirage Branch Reflector

A Mirage branch reflector is a peering service role that you can enable on any endpoint device. A branch
reflector can then serve adjacent clients in the process of downloading and updating base or app layers on
the site, instead of the clients downloading directly from the Mirage server cluster. A branch reflector can
significantly reduce bandwidth use in several situations, such as during mass base or app layer updates. The
branch reflector also assists in downloading hardware drivers.
14
VMware, Inc.
Chapter 1 Mirage System Components
Mirage File Portal

End users can use appropriate Mirage login credentials and the Mirage file portal to access their data from
any Web browser. The back-end component runs on the Management server.
Distributed Desktop Optimization

The Distributed Desktop Optimization mechanism optimizes transport of data between the Mirage server
and clients, making the ability to support remote endpoints feasible regardless of network speed or
bandwidth. Distributed Desktop Optimization incorporates technologies that include read-write caching,
file and block-level deduplication, network optimization, and desktop streaming over the WAN.
Mirage Gateway Server

The Mirage Gateway server is the secure gateway server that is deployed outside the Mirage data center
environment, but should be within the datacenter. The Mirage Gateway server meets the enterprise security
and firewall requirements and provides a better user experience for Mirage clients that access the Mirage
servers through the Internet. The Mirage Gateway server seamlessly integrates with the Mirage system with
minor modifications to the Mirage system and protocol.
VMware, Inc.
15
16
VMware, Inc.
Activating Endpoints
The Mirage client software runs in the base operating system and verifies that the images at the endpoint
and the CVD are synchronized. To prepare an endpoint for centralized management of the device data, you
install the Mirage client on the device and activate the device by synchronizing it to a CVD on the Mirage
server.
You must define upload policies, which determine which files to synchronize, before endpoints are
activated. The activation process selects an existing upload policy for the endpoint.
The client does not create or emulate a virtual machine. No virtual machines or hyper visors are required.
The client can run on physical machines, Type 1 or Type 2 hypervisors.
This chapter includes the following topics:
n
Centralizing Endpoints, on page 17
Working with Upload Policies, on page 19
Working with CVD Collections, on page 23
Working with Archived CVDs, on page 24
Centralizing Endpoints
After you install the Mirage client, you centralize the device. Centralization activates the endpoint in the
Mirage Management console and synchronizes it with, or assigns it to, a CVD on the Mirage server so that
you can centrally manage the device data.
When you first introduce Mirage to your organization, you must back up each device, creating a copy of it
on the server, in the form of a Centralized Virtual Desktop (CVD) . You can then centrally manage the
device.
The endpoint with the client installed appears in the Mirage Management console as Pending Assignment,
and is pending activation in the system. You can also reject a device that you do not want to manage in the
system.
End User Centralization with CVD Autocreation Procedure

After you install the Mirage client, users can start the centralization of their own endpoint by logging in.
When a user logs in for the first time, Mirage centralizes the users endpoint.
Prerequisites
Verify that the administrator enabled CVD autocreation. CVD autocreation is disabled by default. See
Enable CVD Auto Creation, on page 44.
VMware, Inc.
17
Procedure
1
The user logs in using DOMAIN\user or user@DOMAIN.
The user provides user credentials.
If the prompt is closed or cancelled, the user can restart this process by right-clicking the Mirage icon in
the notification area and selecting Create New CVD.
CVD autocreation starts.
Administrator Centralization Procedure

After the Mirage client is installed, the administrator can centralize the endpoint. Centralization performed
by the administrator provides more control over the process, for example, allows a choice of upload policy,
placement of CVDs on different volumes, and whether to assign a base layer.
You might want to add devices to a collection. A collection is a folder that aggregates CVDs that share a
logical grouping, for example, Marketing CVDs. You can then implement relevant base layer changes with a
single action on all CVDs in the collection. See Working with CVD Collections, on page 23.
Prerequisites
The devices to centralize must be in the Pending Devices queue.
Procedure
1
In the Mirage Management console, select Common Wizards > Centralize Endpoint.
a
Use Search or filter to find the device or devices you want to assign and click Next.
All devices in the filtered list are included in the centralization procedure.
Select the upload policy to use and click Next.

If you do not make a selection, a default policy applies, as specified in the general system settings.
Select whether you want to add a base layer to the endpoint and click Next.
Select one or more app layers to which you want to add to the device and click Next.
This step only appears when you have selected a base layer from the previous step.
Select a target storage volume to where you want to store the endpoint base layer and app layers
and click Next. Alternatively, you can have Mirage choose the volume according to the sizes of the
base layer and app layers by selecting Automatically choose a volume.
The Compatibility Check window displays whether or not the assigned CVDs connected to the
endpoint passed the compatibility validation check. When the endpoint passes the validation, you
can click Next to proceed.
n
When there are potential problems with the CVDs, a warning window appears. You can select
each item in the Mismatch List and the validation details and resolution are displayed on the
bottom of the window. You can either fix the problem, or click Ignore to bypass the problem.
Alternatively, you can click Ignore All to bypass all warning messages.
When there are fatal errors that must be resolved to centralize the endpoint, a blocking
window appears. You can select an error from the Mismatch List to view the Validation
Details on the bottom of the window. You must resolve these issues before continuing. The
Ignore and Ignore All buttons are unavailable.
Click Finish.
The client starts the scanning phase according to the policy defined during the installation.
After the scanning finishes, the device appears in the All CVDs panel.
18
VMware, Inc.
Chapter 2 Activating Endpoints
(Optional) You can monitor the centralization progress.

The notification area icon changes to show that the initialization process has started, and the console
shows that the client has started an upload. When the initialization process finishes and server
synchronization starts, the notification area icon shows the progress of the upload. The console also
shows the upload progress in the Progress column of the CVD inventory list. The user can also view the
detailed status of the upload operation by clicking the Mirage icon in the notification area.
Reject Pending Devices

You can reject a client device that is pending assignment that you do not want Mirage to manage.
The server does not honor communication requests from rejected devices. After a device is rejected it moves
from the Pending Devices list to the Rejected list.
Procedure
1
In the Mirage Management console, expand the Inventory node and click Pending Devices.
Right-click the pending device to remove and select Reject.
Click Yes to confirm.
Reinstate Rejected Devices

You can remove a device from the Rejected list at any time to reinstate it.
If you remove a device from the Rejected list to reinstate it, the device's configuration remains valid. The
device connects to the server and appears in the Pending list the next time the client connects.
Procedure
u
Right-click the device that is in the Rejected list, and select Remove.
Working with Upload Policies

An upload policy determines which files and directories to upload from the user endpoint to the CVD in the
data center. You must define upload policies before you activate endpoints because the activation process
selects an existing upload policy for the endpoint.
A CVD is assigned only one upload policy at a time.
You can create upload policies by defining whether files are unprotected or local to the endpoint, or
protected. Protected files are uploaded to the Mirage server in the data center.
To simplify the task, you identify only files and directory names or patterns that are not uploaded to the
CVD. The remaining files are considered part of the CVD and are protected.
The list of files that are not protected is defined by a set of rules and exceptions.
You define two upload policy areas that the system uses according to the relevant system flow.
VMware, Inc.
19
Table 21. Upload Policy Areas

Upload Policy Area
Description
Unprotected area
Lists files and directories on the endpoint device that are not protected, but with a subset
of exceptions defined as protected. By default, Mirage protects all other files and
directories.
User area
Lists end-user files and directories, such as document files, that are excluded from the
restoration and that are kept on the endpoint devices in their current state when the
Restore System Only option is used to revert a CVD. See Restore a Device to a CVD
Snapshot, on page 159
Additionally, the user area is used to filter out information from the base and app layers.
The user area cannot be downloaded or viewed by the end user.
The upload policy that is applied to the CVD consists of various items.
n
A selected built-in factory policy that VMware provides to assist the administrator with first time
deployment
Administrator modifications to that policy to address specific backup and data protection needs
The built-in factory policy is a reference for further customization and includes all the mandatory rules that
the system needs to function. The administrator cannot modify the mandatory rules.
Before you use a built-in policy, evaluate it to be sure it meets backup policy and data protection needs. The
built-in policies, for example, do not upload .MP3 and .AVI files to the CVD.
You can use one of the following customizable built-in upload policies, to help manage mixed Mirage and
View systems:
Mirage default upload
policy
Use on Mirage servers that manage CVDs on distributed physical devices.
View optimized upload

policy
Use on Mirage servers that manage CVDs on virtual machines. This upload
policy is provided for convenience. It is identical to the Mirage default
upload policy, except that the Optimize for Horizon View check box is
selected.
View Upload Policies

You can view an upload policy to review its content and parameters.
Procedure
1
In the Mirage Management console, expand the System Configuration node and click CVD Policies.
Double-click the policy to view the policy contents and parameters.
Upload Policy Parameters

Upload policies have various parameters that you can view, configure, and edit.
Table 22. Upload Policy Parameters
20
Parameter
Description
Name and Description
Name and description of the policy.
Upload change interval
Denotes how frequently the client attempts to synchronize with the server. The
default is every 60 minutes. End users can override the policy in effect at an
endpoint. See Suspend and Reactivate Synchronization. The Upload change
interval affects the frequency of automatic CVD snapshot creation. See CVD
Snapshot Generation and Retention.
VMware, Inc.
Table 22. Upload Policy Parameters (Continued)

Parameter
Description
Protected volumes
Denotes which volumes to centralize from the endpoint to the CVD in the server.
All fixed volumes are protected by default. You can select to protect only the
system volumes and add more volumes by using the assigned drive letters.
Optimize for Horizon View check

box
Optimizes performance on servers that use Horizon View to manage virtual

machines.
Unprotected Area tab
Defines the rules to unprotect files and directories.

Rules list
Paths that are explicitly unprotected by Mirage.
Rule Exceptions
list
Paths that are exceptions to unprotect rules in the Rules

list. Mirage protects exceptions to unprotect rules.
User Area tab
Defines the rules to unprotect files and directories defined as user files. These rules
are used instead of Unprotected Area rules when certain system flows specifically
refer to user files.
The tab contains Rules and Rule Exception areas, used in the same way as in the
Unprotected Area tab.
Advanced Options tab
Provides advanced policy options for optimization of the CVD policy.
Show Factory Rules check box
Shows the Factory upload policy settings in the rules list, the Mirage mandatory
settings that the administrator cannot change. The factory rules are dimmed in the
rules list.
Export button
Exports policy rules to an XML file for editing and backup. Mirage factory rules
are not exported, even if they appear in the policy window.
Import button
Imports policy rules from an XML file.
Add New Upload Policies

When you add a new upload policy, the new policy is added to the respective node.
Procedure
1
In the Mirage Management console, expand the System Configuration node, right-click Upload
Policies, and click Add an Upload Policy.
Type the policy name, description, and policy data.
Click OK to save the policy.
Edit Upload Policies

You can edit an upload policy in the Mirage Management console and distribute the revised policy.
You can also use an external editor to edit the policy. You export the policy file, edit it, and import it back to
the Mirage Management console.
The new policy takes effect at the next update interval in which the client queries the server. The default
update interval time is one hour, and requires a full-disk scan.
Before you distribute the revised policy to a group of CVDs, it is good practice to test it on a sample
desktop.
Procedure
1
In the Mirage Management console, expand the System Configuration node, and Upload Policies, and
double-click an upload policy.
Edit the policy data and click OK.
VMware, Inc.
21
Indicate the scope of the update by selecting a minor version, for example, 1.1, or a major version, for
example, 2.0, and click OK.
The new policy is added to the Mirage Management console with the new version number.
(Optional) To distribute the changed policy, right-click the policy with this policy version and select
Update CVDs.
Add or Edit Upload Policy Rules

You can add or edit a policy rule or a rule exception in a policy. A rule defines directories or files that are
not protected, and a rule exception defines entities within the scope of the rule that are protected.
When you formulate policy rules, you can use macros to assist specification of various Mirage directory
paths addressed by the rules. For example, macros allow Mirage and the administrator to handle cases
when some endpoints have Windows in c:\windows and some in d:\windows. Using macros and
environment variables makes sure Mirage backups important files regardless of their specific location. For
information about the macro specifications, see Macros in Upload Policy Rules, on page 213.
Procedure
1
In the Mirage Management console, expand the System Configuration node, select CVD Policies , and
double-click the required upload policy.
Click Add or Edit next to the required Rule or Rule Exception area.
Type the directory path or select it from the drop-down menu.

IMPORTANT Do not type a backslash (\) at the end of the path.
Specify a filter for this directory or a pattern for matching files under this directory.
For example, to add a rule not to protect Windows search index files for all the users on the desktop,
add the following rule:
%anyuserprofile%\Application Data\Microsoft\Search\*
Click OK.
Using the CVD Policies Advanced Options

You can set the several advanced options to the CVD policy to provide better performance of the CVD.
The CVD policy advanced options let you provide better performance and optimization for CVDs.
You can access the Advanced Options tab when editing policy rules. See Add or Edit Upload Policy
Rules, on page 22
Table 23. CVD Policy Advanced Options
22
Option
Description
Optimize for VMware Horizon
Select this option to indicate that each CVD assigned to this policy is a View
desktop. Mirage limits the number of concurrent layer updates currently
assigned in the System Configuration settings. When this option is selected,
the Layer assignment only and the Optimize for LAN environments options
are automatically enabled.
Layer assignment only
Select this option to prevent data from the client to be uploaded to the Mirage
server. The client is used as an image management tool without the full
backup of the client. This option is automatically enabled when the Optimize
for VMware Horizon View option is selected.
VMware, Inc.
Table 23. CVD Policy Advanced Options (Continued)

Option
Description
Optimize for LAN environments
Select this option to deactivate compression and block-level deduplication on

each CVD to which the policy is assigned. This provides a faster
centralization process Mirage in LAN environments and lowers the resources
consumed on the endpoint and Mirage server. When this option is enabled,
the restore streaming functionality is disabled. This option is automatically
enabled when the Optimize for VMware Horizon option is selected.
Disable client throttling
Select this option to disable the client and network throttling between the
Mirage client and the Mirage server, giving priority to Mirage operations.
Protect EFS files
Select this option to restore Encrypted File System (EFS) files to their original
encrypted state after files are downloaded in a CVD restore or file-level
restore. This option is unavailable when either the Optimize for VMware
Horizon option, or the Layer Management Only policy are enabled.
Working with CVD Collections

You can group in a collection folder CVDs that share a logical relation to other CVDs. Additionally, you can
change an upload policy to a CVD collection with a single action.
For example, you can aggregate all CVDs of users in the marketing department to a folder under a collection
called Marketing. Then you can change with a single action the upload policy that all the Marketing CVDs
share.
Mirage supports static and dynamic collections. You manually assign CVDs to a static collection, while CVD
assignments to dynamic collections are calculated based on predefined filters every time an operation is
applied to a collection.
A CVD can be a member of multiple collections. If different base layers or policies are applied to different
collections and a CVD belongs to more than one, the last change applied takes effect.
Add Static Collections

You can add a static collection folder to the Collections node, to which you can add CVDs manually.
Procedure
1
In the Mirage Management console, expand the Inventory node, right-click Collections, and select Add
a Collection.
Type a name and description for the collection.
Select Static Collection.
Click OK.
Add CVDs to Static Collections

You can move CVDs to existing collection folders to organize them in logical groupings.
Procedure
1
In the Mirage Management console, expand the Inventory node and select All CVDs.
To select the Mirage clients to move to the collection, right-click, and select Manage CVD > Manage
Collections.
Select the collection to which to move the CVDs.
Click OK.
VMware, Inc.
23
Add Dynamic Collections

You can add a dynamic collection. CVD assignments to the dynamic collection are calculated based on
predefined filters every time an operation is applied to the collection. You can define an unlimited number
of rules for a dynamic collection.
Procedure
1
In the Mirage Management console, expand the Inventory node, right-click Collections, and select Add
a Collection.
a
Type the name and description for this dynamic collection.
Select the Dynamic collection option.
Select the filter to define the dynamic collection from the Column drop-down list.
You might have to select a condition and value for the filter that you select.
Click Apply to view the CVDs filtered into the collection.

These CVDs appear in the lower pane.
Click OK.
Add Dynamic Collections by Using Active Directory

You can use Active Directory (AD) to add a dynamic CVD collection. You can add CVDs to the collection by
Active Directory group, organizational unit, or domain. You can create a filter for multiple Active Directory
elements.
The Active Directory is updated whenever a device is authenticated. Active Directory information might
change if the Active Directory is updated for that user or device.
Procedure
1
In the Mirage Management console tree, expand the Inventory node, right-click Collections, and select
Add a Collection.
a
Type the name and description for this dynamic collection.
Select Dynamic Collection.
In the Column drop-down menu, set the filter to define the dynamic collection by Active Directory
group, Active Directory organizational unit, or Active Directory domain.
You can select additional filters from the Column drop-down menu.
d
2
Click Apply to view the CVDs filtered to the collection. These CVDs appear in the lower pane.
Click OK.
Working with Archived CVDs

You can archive a CVD to preserve its data, snapshots, and operational history for long-term retention. You
can also reinstate an archived CVD and assign it to another endpoint. You can delete archived CVDs that are
no longer required to free up space.
After you archive a CVD, it does not require a Mirage license.
24
VMware, Inc.
Archive CVDs
You can transfer a CVD that is not immediately required to the CVD archive.
Procedure
1
In the Mirage Management console tree, expand the Inventory node, and select All CVDs.
Right-click the CVD that you want to archive, and select Manage CVD > Archive.
Confirm that you want to archive the CVD.

The CVD is transferred to the CVD Archive.
View CVDs in the Archive

You can view a list of the CVDs that you archived.
Procedure
u
In the Mirage Management console tree, expand the Inventory node and select Archive.
Delete CVDs from the Archive

Archiving CVDs can take up disc space. You can delete archived CVDs that you do not need.
Procedure
1
Select the archived CVD you want to delete.
Click the Delete from Inventory icon on the CVD Archive toolbar.
Move Archived CVDs to Another Volume

You can move a CVD to another storage volume, according to your disc organization requirements.
Procedure
1
Right-click the archived CVD you want to move and select Move to a different volume.
Select the volume selection option.
Option
Description
Automatically choose a volume
Mirage selects the volume.
Manually choose a volume
You select where to move the archived CVD, and then select the volume.
Click OK.
Assign an Archived CVD to a Device

You can reinstate an archived CVD to assign it to an endpoint device, for example, when an employee
returns to the company from leave.
The device can be the original endpoint device or a new device that is a replacement for the original device.
The procedure is the same as for reassigning a CVD to a different device. See Reassign a CVD to a Different
Device, on page 171.
VMware, Inc.
25
Prerequisites
Install the Mirage client on the client machine. See the VMware Mirage Installation Guide.
Verify that the drive letters of the new endpoint and the CVD in the data center are compatible. If the drive
letters are different, the system does not allow the restore operation to proceed.
Perform Sync Now on the endpoint before migrating it to a new client machine. This ensures that all data is
saved to the data center before the migration takes place. See Suspend and Reactivate Synchronization, on
page 31.
Select a domain for this endpoint to join after the restore operation . If you want to use the same credentials
each time, perform the following steps:
1
In the Mirage Management console tree, right-click System Configuration and select Settings.
On the General tab, type the credentials you want to use for domain joining.
The join domain account must meet the appropriate security privilege requirements. See General
System Settings, on page 45.
Procedure
1
Right-click the archived CVD and select Assign to a Device.
Select the device where you want to migrate the CVD and click Next.
Only devices compatible with the selected CVD are listed.
Select a restore option.

a
Select a restore option for the selected CVD and device.

Restore Option
Description
Full System Restore
This option includes restoring the OS, applications, user data, and user settings.
Use this option for systems with Windows volume licenses or Windows OEM
SLP licenses.
The entire CVD is restored to the replacement device, including OS,
applications, and user files. Any existing files on the replacement device are lost
or overwritten.
If you select this option, you must select a base layer during the migration
procedure.
Restore Applications, User

Data and Settings
Use this option only when replacing a device that has a different Windows
OEM license.
The OS of the replacement device must be the same as that of the CVD.
Only applications and user data are restored to the replacement device. The
existing OS and applications installed on the replacement device are retained.
Only Restore User Data and

Settings
Use this option to migrate users from Windows XP, Windows Vista, and
Windows 7 machines to new Windows 7 machines, or Windows 7 to Windows
8.1 machines.
The OS of the replacement device must be the same as or newer than that of the
CVD.
Only user data and settings are restored to the replacement device. The existing
OS and applications installed on the replacement device are retained.
You can maintain the current layer, if one applies, select a new base layer from the list, or proceed
without a base layer.
b
26
Click Next.
VMware, Inc.
(Optional) Type a name for the CVD and specify the domain options.
a
Change or define the host name for a device being restored.
Select a domain for this endpoint to join after the restore operation.
The current domain is shown by default.
Type the OU and Domain or select them from the drop-down menus.
The drop-down menus are populated with all known domains in the system. Each text box shows
the required syntax pattern.
d
6
Option
Description
OU
Verify that the OU is in standard open LDAP format. For example,

OU=Notebooks, OU=Hardware, DC=VMware, DC=com.
Join Domain account
The join domain account must meet the appropriate security privilege
requirements as defined in the system general settings.
The account must have access to join the domain. This is not validated.
Click Next.
Use the validation summary to compare the target device with the CVD.
This summary alerts you to any potential problems that require additional attention. You can proceed
only after all blocking problems are resolved.
Click Next and click Finish.

The CVD is moved from the CVD Archive to the All CVDs view.
The migration process proceeds and takes place in two phases. See End User Experience with Restore
Processes, on page 168.
VMware, Inc.
27
28
VMware, Inc.
End User Operations
End users can perform certain operations, independently of the administrator, such as accessing client status
information, restoring files or directories from the CVD, and temporarily suspending or resuming the client
to server synchronization process.
n
Access the Client Status, on page 29
File-Level Restoration, on page 29
Directory-Level Restore, on page 30
Suspend and Reactivate Synchronization, on page 31
Access the Client Status

You can view information about the client, including the client's version information, current connection
status and current action.
Procedure
u
Right-click the Mirage icon in the notification area and select Show Status.
File-Level Restoration
Users can restore a previous version of an existing file or a deleted file from snapshots stored on the Mirage
server.
The restore is based on files and directories included in CVD snapshots, in accordance with the upload
policies currently in effect. See Working with Upload Policies, on page 19.
When the CVD contains Encrypted File System (EFS) files, the files are recovered in their original encrypted
form. Only EFS files that the recovering user encrypted are restored from the CVD. Unauthorized files are
filtered from the restore.
The file restore operation generates an audit event on the Mirage server for management and support
purposes.
Files are restored with their original Access Control Lists (ACLs).
VMware, Inc.
29
Restore a Previous File Version

You can restore a previous version of an existing file.
Prerequisites
Verify that you have access permissions for the location to which to write. If you do not, you are redirected
to My Documents.
Procedure
1
Right-click a file in Windows Explorer and select Restore previous versions.
Select the archive file version to restore.

If the file exists, the File size and Modify time are updated with the files archive information.
Click Restore.
Browse to the required location and save the file.

The default path is the original file location.
Restore a Deleted File from the Mirage Recycle Bin

You can restore a deleted file from the Mirage Recycle Bin.
For example, you can restore a file that was deleted from the My Documents folder. The file is reinstated at a
location that you select.
Prerequisites
Verify that you have access permissions for the location to which to write. If you do not, you are redirected
to My Documents.
Procedure
1
In Windows Explorer, right-click the parent directory from where the file was deleted and select
Mirage Recycle Bin.
Select the archive date from which to restore the file.

Mirage downloads the archive information and searches for the available deleted files.
Double-click the archive file to restore.
Click Restore.

Directory-Level Restore
Users can recover entire directories back to their endpoint. The recovery includes all files and subfolders
that the directory contains.
Prerequisites
30
Verify that the directories to be recovered exist in a snapshot saved in the data center.
Verify that you have access permissions for the location to which you want to write. If you do not, you
are redirected to My Documents.
VMware, Inc.
Chapter 3 End User Operations
Procedure
1
In Windows Explorer, right-click the parent directory from which the folder was deleted and select
Restore previous versions.
Select the archive date from which to restore the folder.

Mirage downloads the archive information and searches for the available deleted folders.
Double-click the archive folder to restore.
Click Restore.

Suspend and Reactivate Synchronization

The Mirage client synchronizes the endpoint with the Mirage server at defined intervals. A user might want
to override the defined interval and synchronize immediately, or temporarily suspend the client's
synchronization activities.
The client uses the endpoint processing power to synchronize the endpoint with the server and keep it up to
date. This synchronization occurs at intervals that the upload policy upload change interval parameter
defines. See Working with Upload Policies, on page 19.
The client uses a network client throttle mechanism to regulate the data transfer. When the client senses user
activity, it reduces or suspends its synchronization process until the endpoint is idle.
A user can use the Sync Now feature to start synchronization outside the defined intervals. For example,
when important changes are made to documents and the user wants to verify that they are backed up to the
CVD.
A user who is operating over a limited or metered network link can use the Snooze feature to temporarily
suspend the client's background synchronization activities. Using Snooze to override the clients
synchronization with the server affects the timing of scheduled CVD snapshots. For more information about
automatic snapshot creation, see CVD Snapshot Generation and Retention, on page 46.
Procedure
u
Synchronize the endpoint or temporarily suspend the synchronization.

Option
Action
Sync Now
Right-click the Mirage icon in the notification area and select Sync Now.
Suspend Synchronization
VMware, Inc.
To activate Snooze, right-click the Mirage icon in the notification area

and select Snooze. You can snooze the client for 15 minutes, 2 hours,
or 4 hours. After this time elapses, regularly scheduled
synchronizations that the network client throttle mechanism regulates
resume.
To exit the Snooze state, right-click the Mirage icon in the notification
area and select Sync Now. This reactivates the automatic
synchronization mechanism.
31
32
VMware, Inc.
Configuring the File Portal
Users can use the Mirage file portal to browse and view files in their CVD.
In some situations, for example in an MSP environment, user devices cannot access the corporate domain.
To enable users to access their files, an administrator maps a CVD that is centralized in the system to specific
domain users. Users who are not on the domain can access their files through the file portal by using their
domain account.
Users access these files from the data center directly, not from the endpoint, so the endpoint does not need
to be accessible for file portal purposes.
n
Allow Access to CVD Files, on page 33
Configure User CVD Mapping, on page 34
Browse and View Files with the File Portal, on page 34
Download Folders and Files from the File Portal, on page 35
Allow Access to CVD Files

The administrator can enable or block user access to CVD files in the Mirage file portal.
The Show File Portal icon in the users notification area indicates that a file portal URL is defined.
Users cannot access the file portal if any of the following conditions are present:
n
The file portal feature is disabled.
The CVD is blocked for Web Access.
The device is assigned as a reference CVD.
The assigned user is in a workgroup, not in a domain, and a domain user account was not mapped to
the workgroup.
Procedure
1
In the Mirage Management console tree, expand the Inventory node and select All CVDs.
Right-click a CVD, and select File Portal.
Select a Web access option.
VMware, Inc.
Option
Action
To allow Web access
Select Allow File Portal.
To block Web access
Select Block File Portal.
33
Configure User CVD Mapping

In some situations, such as MSP environments, user's devices cannot access the corporate domain. An
administrator can manually map a CVD that is centralized with Mirage to specific domain users. Users who
are not on the domain can then access their files through the file portal by using their domain account.
Procedure
1
Right-click the required CVD and select Properties.
Click the File Portal tab.
Type the user domain account in the text box to the right of the relevant Local User cell.
Click Save.
Browse and View Files with the File Portal

End users can use the file portal to browse and view directories on their local drive and profile-related files
in their CVD, such as Desktop, My Documents, My Pictures, and so on.
End users access the files from the data center, not from the endpoint, so the endpoint does not need to be
accessible for the file portal purposes.
End users have read only access to the files and cannot modify or upload them.
End users can select files from any available CVD snapshot, which means they can access files that were
previously deleted, or can access earlier versions of files from their snapshots.
NOTE When the CVD contains Encrypted File System (EFS) files, only EFS files that the accessing user
encrypted are visible on the CVD. Non-authorized files are filtered from the view.
You can view the set of user files and directories that can be excluded from restoration, as defined in the
upload policies User area. See Working with Upload Policies, on page 19.
Prerequisites
n
Verify that a file portal URL is configured in the Mirage Management server.
Verify that the administrator configured the file portal.
End users must have permission to access the file portal by the administrator . See Allow Access to
CVD Files, on page 33.
If you are using Internet Explorer, you must use Internet Explorer 9 or later.
Procedure
1
Access the file portal login page.

a
In the notification area of an endpoint that has the Mirage client installed, right-click and select
Show File Portal
If a file portal URL is not configured in the Management server, you can also access it at https://mirageserver-address/Explorer/.
34
VMware, Inc.
Chapter 4 Configuring the File Portal
Log in to the file portal for your environment and type the required information.
Option
Description
Enterprise
Your corporate Active Directory login.
Hosted MSP (with domain)
Your corporate Active Directory profile is automatically mapped to your

MSP login as part of file portal activation. This happens the first time you
login to a computer with an active Mirage client.
Hosted MSP (without domain)
If you are not a member of a domain, the local profile on the client is
manually mapped to the MSP login. This configuration is similar to the
Hosted MSP with domain option. The administrator can perform the
mapping manually using the Mirage Management console.
You can browse and open your files.
Download Folders and Files from the File Portal

Mirage administrators and Mirage client users can download multiple folders and files from the current
CVD or from archived CVDs in the File Portal to restore files that have been deleted or corrupted.
Prerequisites
n
Ensure that the Mirage end-user is allowed to browse the File Portal. See Allow Access to CVD Files,
on page 33.
Verify that a file portal URL is configured in the Management server.
Procedure
1
Access the file portal login page.

a
In the notification area of an endpoint that has the Mirage client installed, right-click and select
Show File Portal
If a file portal URL is not configured in the Management server, you can also access it at https://mirageserver-address/Explorer/.
2
Log in to the file portal for your environment and type the required information.
Option
Description
Enterprise
Your corporate Active Directory login.
Hosted MSP (with domain)
Your corporate Active Directory profile is automatically mapped to your

MSP login as part of file portal activation. This happens the first time you
login to a computer with an active Mirage client.
Hosted MSP (without domain)
If you are not a member of a domain, the local profile on the client is
manually mapped to the MSP login. This configuration is similar to the
Hosted MSP with domain option. The administrator can perform the
mapping manually using the Mirage Management console.
Navigate to the required folder of file to download.

To navigate to the archived CVDs, click the Other Archives link.
Select the folder or file you want to download.

You can select other folders or files by navigating through the CVD in the file portal.
When finished, click Download.
VMware, Inc.
35
36
VMware, Inc.
Protecting the Mirage File Portal
The Mirage file portal runs on Windows Server 2008 or later. You must protect this host from normal OS
vulnerabilities.
Use spyware filters, intrusion detection systems, and other security measures mandated by your enterprise
policies.
Ensure that all security measures are up-to-date, including OS patches.
Table 51. Protection Configuration for Code MFP01
Configuration Element
Description
Code
MFP01
Name
Keeps the Mirage file portal properly patched.
Description
By staying up-to-date on OS patches, OS vulnerabilities are

mitigated.
Risk or control
If an attacker gains access to the system and reassigns

privileges on the Mirage file portal, the attacker can access
all files transferring through the Mirage file portal.
Recommended level
Enterprise
Condition or steps
Employs a system to keep the Mirage file portal up -to-date

with patches, in accordance with industry-standard
guidelines, or internal guidelines where applicable.

Description
Code
MFP02
Name
Provide OS protection on the Mirage file portal host.
Description
By providing OS-level protection, vulnerabilities to the OS

are mitigated. This protection includes antivirus, antimalware, and other similar measures.
Risk or control

privileges on the Mirage file portal, the attacker can access
all files transferring through the Mirage file portal.
Recommended level
Enterprise
Condition or steps
Provides OS protection, such as antivirus, in accordance

with industry-standard guidelines, or internal guidelines
where applicable.
VMware, Inc.
37

Description
Code
MFP03
Name
Restrict privilege user login.
Description
The number of privilege users with permission to log in to

the Mirage file portal as an administrator should be
minimal.
Risk or control
If an unauthorized privilege user gains access to the Mirage

file portal then the system is vulnerable to unauthorized
modification of downloading files.
Recommended level
Enterprise
Condition or steps
Create specific privilege login accounts for individuals.

Those accounts should be part of the local administrators'
group.

Description
Code
MFP04
Name
Implement an administrative password policy.
Description
Set a password policy for all Mirage file portal. The

password should include certain parameters.
n A minimum password length
n Require special character types
n Require periodic change of the password
Risk or control

file portal then the system is vulnerable to unauthorized
modification.
Recommended level
Enterprise
Condition or steps
Set a password policy for the Mirage file portal.

Description
Code
MFP05
Name
Remove unnecessary network protocol.
Description
The Mirage file portal only uses IPv4 communication. You

should remove other services, such as file and printer
sharing of NFS, Samba server, Novell IPX, and so on.
Risk or control
If unnecessary protocols are enabled, the Mirage file portal

is more vulnerable to network attacks.
Recommended level
Enterprise
Condition or steps
In the Control Panel or the administrative tool of the

Mirage file portal operating system, remove or uninstall
unnecessary protocols.
38
Description
Code
MFP06
Name
Disable unnecessary services.
VMware, Inc.
Chapter 5 Protecting the Mirage File Portal
Table 56. Protection Configuration for Code MFP06 (Continued)

Description
Description
The Mirage file portal requires a minimal number of

services for the OS. When you disable unnecessary services
you enhance security. This prevents the services from
automatically starting at boot time.
Risk or control
If unnecessary services are running, the Mirage file portal

is more vulnerable to network attack.
Recommended level
Enterprise.
Condition or steps
Verify that no server roles are enabled. Disable any services

that are not required. There are various Windows services
on Server 2008 that start by default and are not required.
You should disable these services.
n Application Experience
n Application Management
n Certificate Propagation
n Com+ Event System
n DHCP Client
n Distributed Link Tracking Client
n Distributed Transaction Coordinator
n Diagnostic Policy Service
n IPsec Policy Agent
n Print Spooler
n System Event Notification
The Mirage file portal is generally deployed in a DMZ or an internal data center to control browser access
and user data over potentially hostile network, such as the Internet. In a DMZ or internal data center it is
important that you use a firewall to control network protocol access.
Description
Code
MFP07
Name
Use an external firewall in the DMZ to control network

access.
Description
The Mirage file portal is usually deployed in a DMZ. You

must control which protocols and network ports are
permitted so that communication with Mirage file portal is
restricted to the required minimum. Mirage file portal
automatically sends requests to .Mirage Management
servers within a data center and ensure that all forwarded
traffic is on behalf of authenticated users.
Risk or control
Allowing unnecessary protocols and ports might increase

the possibility of an attack by a malicious user, especially
for protocols and ports for network communication from
the Internet.
VMware, Inc.
39
Table 57. Protection Configuration for Code MFP07 (Continued)

Description
Recommended level
Configure a firewall on either side of the Mirage file portal

to restrict protocols and network ports to the minimum set
required between browsers and Mirage data storage.
You should deploy the Mirage file portal on an isolated
network to limit the scope of frame broadcasts. This
configuration can help prevent a malicious user on the
internal network from monitoring communication between
the Mirage file portal and the Mirage Management server.
You might want to use advanced security features on your
network switch to prevent malicious monitoring of Mirage
Gateway communication with Mirage servers, and to
guard against monitoring attacks, such as ARP Cache
Poisoning.
Parameter or objects configuration
For more information about the firewall rules that are

required for a DMZ deployment, see the VMware Mirage
Installation Guide.
40
Description
Code
MFP08
Name
Do not use default, self-signed server certificates on

theMirage file portal.
Description
When you first install the Mirage file portal, the HTTPS
server is unable to work until signed certificates are
prepared. The Mirage file portal and the HTTPS server
require SSL server certificates signed by a commercial
Certificate Authority (CA) or an organizational CA.
Risk or control
Using self-signed certificates leaves the SSL/TSL connection

more vulnerable to man-in-the-middle attacks. Applying
certificates to trusted CA signed certificates mitigates the
potential for these attacks.
Recommended level
Enterprise
Condition or steps
For more information about setting up Mirage file portal

certificates, see the VMware Mirage Installation Guide.
Test
Use a vulnerability scanning tool to connect the Mirage file

portal. Verify that it is signed by the appropriate CA.
VMware, Inc.
Configuring the Mirage System
You can apply settings to your Mirage installation that the administrator can configure, including the
retention policy for snapshots. You can also configure the system to use Secure Sockets Layer (SSL)
communication between the Mirage client and server.
n
Configure the System Settings, on page 41
Managing Bandwidth Limitation Rules, on page 41
License Settings, on page 43
Import USMT Library and Settings, on page 43
Authenticating the Mirage Gateway Server, on page 44
Branch Reflector Settings, on page 44
Configure File Portal Settings, on page 44
Enable CVD Auto Creation, on page 44
Configuring User Access to the File Portal, on page 45
General System Settings, on page 45
CVD Snapshot Generation and Retention, on page 46
Configuring Secure Socket Layer Communication, on page 47
Configure the System Settings

The administrator can configure Mirage system settings.
Procedure
1
In the Mirage Management console, right-click System Configuration and select Settings.
Make the required changes and click OK.

The system configuration takes effect immediately.
Managing Bandwidth Limitation Rules

You can set an upper limit on Mirage traffic so that Mirage does not consume all of the bandwidth of a site
or subnet. When you use bandwidth limitation, you allocate your network resources more efficiently.
A bandwidth limitation rule contains parameters to set the limitations.
VMware, Inc.
41
Table 61. Bandwidth Limitation Parameters

Parameter
Description
SubnetMaskV4
Uses the format IPaddress/bitmask, for example,

100.100.10.100/20.
For site-based rules, leave this parameter blank.
Site
Site or domain name of the group of clients for which to

limit the bandwidth. The site is the DNS name.
Site names cannot contain special characters or non-English
characters.
For subnet-based rules, leave this parameter blank.
Download limit
Maximum number of KBps that you can download from

the server to the client.
Upload limit
Maximum number in KBps that you can upload from the

client to the server.
Start Time
Time that the rule is applied, for example, 7:00 AM. The
time is the local time of the endpoint. It can take up to five
minutes after the start time for the rule to be applied.
End Time
Time that the rule is no longer applicable, for example, 9:00

PM. The time is the local time of the endpoint. It can take
up to five minutes after the end time to revoke the rule.
Days of Week Time
The days of the week that the rule is valid, for example,
Monday, Thursday, and Friday. The day is calculated
according to the local time of the endpoint.
You write the rules in the format SubnetMaskV4,Site,Download Limit,Upload Limit, Start Time, End
Time, Days of Week.
After you write rules, you import the rules to Mirage. You can also export existing rules to edit it, and
import the edited rules to Mirage.
You can add a global limit rule that applies to all clients in the Mirage environment. For example,
0.0.0.0/0,,OutgoingKBps,UploadKBps.
To access the Bandwidth Limitation tab, in the Mirage Management console select System Configuration >
Settings. Click Sample rules to view sample rules.
To add a rule using the Mirage Web manager, click Add and edit the bandwidth limiting parameters. To
edit a rule that you created, double-click the rule and edit the bandwidth limiting parameters.
You write the rules in a .csv file and import the file using the Mirage Web manager. You write the rules in
the format SubnetMaskV4,Site,Download Limit,Upload Limit, Start Time, End Time, Days of Week. Click
Sample Rules to view a sample rule.
After you write rules, you import the rules by using the Mirage Web manager. You can also export existing
rules to edit the rules, and import the edited rules to the Mirage Web manager. Imported rules replace and
overwrite existing rules.
You can add a global limit rule that applies to all clients in the Mirage environment. For example,
0.0.0.0/0,,OutgoingKBps,UploadKBps.
Table 62. Rule Constraints and Limitations
42
Constraints
Rule LImitations
No time constraint specified.
No time limit. Rule is applicable 24 hours on the days

specified.
No day constraint specified.
No day limit. Rule is applicable every day on the time

specified.
VMware, Inc.
Chapter 6 Configuring the Mirage System
Table 62. Rule Constraints and Limitations (Continued)

Constraints
Rule LImitations
No time or day constraint specified.
Always applicable.
Blank.
Unlimited.
Zero (0).
Blocked.
License Settings
License settings are used to add a license to Mirage or view existing licenses.
For the relevant procedures, see the VMware Mirage Installation Guide.
Import USMT Library and Settings

You can import the Microsoft User State Migration Tools (USMT) files that are required for various base
layer operations.
You can import multiple USMT file versions for each operating system that is running in your environment.
Mirage supports USMT 4 and USMT 5 for Windows XP and Windows 7, USMT 6.3 for Windows 8.1, and
USMT 10 for Windows 10.
USMT files are used for the following base layer operations:
n
Migration to Windows 7, Windows 8.1, or Windows 10 from another Windows version.
Cross-hardware Windows 7 and Windows 8.1 migration.
User profile and data-only restore operations for Windows 7 and Windows 8.1.
To import a USMT library, click the gear icon in the upper-right corner and click USMT. Type the USMT
folder path and click the Validate button to verify that you typed a valid folder path. Click OK to complete
the import procedure. The USMT folder path must be a valid UNC path. The user that is performing the
import procedure must have reader access to this folder.
Procedure
1
Find the USMT folder in the directories installed with the Windows Automated Installation Kit (AIK)
software.
You can download this software free of charge from Microsoft.
Copy the USMT folder and all subdirectories to your Mirage server.
Right-click the System Configuration node and click Settings.
Click the USMT tab.
Click Import USMT Folder.
Navigate to the location of the USMT folders and click OK.
After the Mirage Management console imports the USMT file for the specific operating system, a check
mark is displayed next to each USMT version.
VMware, Inc.
43
Authenticating the Mirage Gateway Server

You can create a custom message that end users receive when they log on to the Mirage system using the
Mirage Gateway server.
To create a custom message for end users, click the gear icon in the upper-right corner, click Gateway
Authentication, select the Enable Gateway Customization Log-on Messagecheck box, and type the custom
message.
Branch Reflector Settings

Branch reflector settings include default values of parameters governing the behavior of branch reflectors.
For the relevant procedures, see Chapter 12, Managing Branch Reflectors, on page 91.
Configure File Portal Settings

File portal settings are used to enable the VMware file portal.
Procedure
1
Click the File Portal tab and configure the file portal.
a
Select the Enable File Portal check box.
Type the path to the file portal in the Enable File Portal text box.
For example, https://<address>/Explorer, where <address> is the host where the Mirage file portal
is installed.
c
3
In the User message text box, enter the user message that a user sees when prompted to activate
the file portal.
Click OK.
Enable CVD Auto Creation

You can enable end users to create a new CVD for their machine, so that the administrator need not
intervene in the critical first phase of adding the machine to the Mirage system. This setting is global for all
newly discovered endpoints that communicate to the Mirage server after installation of the Mirage clients.
You can also define the message that the end user sees when the operation takes place. After this is
configured, any device that connects to the Mirage system for the first time prompts the end user to add
their CVD.
NOTE An end user can also initiate the CVD creation by right-clicking the Mirage icon in their notification
area.
Prerequisites
When enabling the automatic CVD creation, you must select a default CVD policy in the General tab.
Procedure
44
Click the CVD Auto Creation tab.
VMware, Inc.
Select Enable automatic CVD creation.

You can change the user message as needed.
Click OK.
Configuring User Access to the File Portal

You can create a custom message that is displayed to end users to access the file portal. You can also enable
access to the file portal for end users.
To provide users access to the file portal, select the Enable File Portal check box and type the file portal URL
in the File Portal URL text box.
To create a custom message that is displayed to end users to access the file portal, type the message in the
text box.
General System Settings

You can define the standard configurations for the Mirage system.
You access these options through the system settings General tab. See Configure the System Settings, on
page 41.
Table 63. General System Settings
Option
Description
Snapshots kept
The number of CVD snapshots the system must keep available for restoration, at hour, day,
week, and month intervals. For more information about how these values are used in snapshot
retention.
See CVD Snapshot Generation and Retention, on page 46.
Volumes
This section configures the threshold percentages of data stored on a volume, which when
reached, trigger a warning
This section configures the threshold percentages of data stored on a volume, which when
reached, trigger a warning or critical events in the Events log.
For more information about using multiple volumes, see Chapter 11, Deploying Multiple
Storage Volumes, on page 85.
n Volume capacity - warning threshold (%): Type the threshold percentage of data stored on
a volume, which triggers a warning event when reached.
n Volume capacity - critical threshold (%): Type the threshold percentage of data stored on a
volume, which triggers a critical event when reached.
n Volume capacity check interval (seconds): Type the elapsed time interval (in seconds) at
which the system rechecks the level of data stored on the volume against the thresholds.
n Driver Library and USMT files volume: To select the volume to be addressed by the
threshold checks, click Change and select the required volume.
CVDs
n
n
CVD size warning threshold (MB): Type the maximum CVD size. An event is generated in
the Event Log when that size is reached.
Default Upload Policy: To choose the default upload policy used when an end user adds
their CVD to the Mirage system, click Change and select the required policy.
Branch Reflector
See Chapter 12, Managing Branch Reflectors, on page 91
Report
Specify the report server URL. For more information, see Chapter 30, Working with Reports
for Mirage Operations, on page 185
Join Domain Account
User and Password: Account that authorizes joining the domain. The join domain account is
used during migration operations. Note: The join domain account must have the following
permissions - Reset Password, Write all properties, Delete, Create computer objects, and Delete
computer objects. Permissions are set using the Advanced Security Settings for Computers
dialog box for this object and all descendant objects.
VMware, Inc.
45
Table 63. General System Settings (Continued)

Option
Description
Bandwidth Limiting
You can set an upper limit on Mirage traffic so that Mirage does not consume all of the
bandwidth of a site or subnet. When you use bandwidth limitation, you allocate your network
resources more efficiently. A bandwidth limitation rule contains parameters to set the
limitations.
You can import rules, export rules, and view sample rules, and create new rules by specifying
several parameters. See Managing Bandwidth Limitation Rules, on page 41.
License
You can specify a license key or a license file, and view license information.
CVD Snapshot Generation and Retention

A CVD snapshot is a centrally retained point-in-time image of CVD content, including OS, applications and
user data, that enables complete restoration of a specific endpoint or a specific file. The Mirage server
generates snapshots and keeps generations of snapshots available according to a retention policy.
Automatic Snapshot Generation

After the first successful CVD upload to a device, the Mirage server attempts to synchronize with the device
at regular intervals, and to create a CVD snapshot when the synchronization is successful. The frequency of
the attempts is defined by the Upload Change Interval parameter, for example every 60 minutes. See
Working with Upload Policies, on page 19.
The success of a synchronization, and the snapshot creation, depends on the server being able to access the
device at the scheduled intervals. This is not always possible since the device might be closed or the Snooze
feature might be in effect. See Suspend and Reactivate Synchronization, on page 31.
Snapshots can also be generated independently of the Upload Change Interval timing, in the following
cases:
n
Before a base layer update. This allows an administrator to revert to the CVD state before the update if
the update fails or is problematic, or after any migration.
Before reverting to a snapshot. This keeps the current endpoint state available in case a rollback is
required.
Whenever the administrator performs a forced upload. See Reconnect a Device to a CVD, on
page 168.
According to these circumstances, the interval between specific snapshots can be longer or shorter than the
time defined by the Upload Change Interval parameter.
Snapshot Retention Policy

The system keeps historical snapshots according to a retention policy, and can be used to restore files on the
device.
You define the snapshot retention in the Snapshots kept area of the System Configuration General tab. See
General System Settings, on page 45. The system keeps a maximum number of CVD snapshots at hourly,
daily, weekly, and monthly intervals.
46
VMware, Inc.
Table 64. Categories for Kept Snapshots

Retention category
Description
Number of snapshots
at 1 hour intervals
Number of consecutively generated snapshots that the system keeps.

For example, the value 8 means that the system always keeps the latest 8 successful CVD
snapshots in this category.
Historical snapshots older than the latest 8 are discarded. However, if daily snapshot retention is
defined, whenever a first snapshot of a new day is created, the oldest snapshot in the Hourly
category becomes a candidate as the newest daily snapshot.
The default number of Hourly snapshots is zero, meaning new snapshots are not kept as they
are created. You can change this value.
Number of snapshots
at 1 day intervals
Number of snapshots that the system keeps in the Daily category.

For example, the value 7, the default, means that the system always keeps the earliest-created
snapshot in each new calendar day, up to 7 snapshots in this category.
If hourly snapshots are defined, the oldest snapshot in the hourly category becomes the newest
daily snapshot.
Historical snapshots older than the latest 7 in the daily category are discarded. However, if
weekly snapshot retention is defined, whenever a first snapshot of a new week is created, the
oldest daily snapshot becomes the newest weekly snapshot.
Number of snapshots
at 1 week intervals
Number of snapshots that the system keeps in the Weekly category.

snapshot in each new calendar week, up to 3 snapshots in this category. Other aspects of the
weekly snapshot retention follow the same pattern as daily snapshot retention.
Number of snapshots
at 1 month intervals
Number of snapshots that the system keeps in the Monthly category.

snapshot in each new calendar month, up to 11 snapshots in this category. Other aspects of the
monthly snapshot retention follow the same pattern as daily or weekly snapshot retention.
The intervals between snapshots retained in each category depend on the factors described in Automatic
Snapshot Generation, on page 46, and how device availability affects the retention rollover timing. For this
reason, the snapshots in the daily, weekly, and monthly retention categories can typically have time
intervals of at least a day, week, or month between them.
Automatic snapshots taken before a base layer update, before reverting to a snapshot, or forced uploads are
counted against the snapshot retention capacity. They cause the number of regular snapshots retained to
decrease.
Configuring Secure Socket Layer Communication

Mirage supports Secure Socket Layer (SSL) communication between the Mirage client and server.
The SSL setup is included as part of the server installation process. If for any reason this operation was
disabled, you can perform the SSL setup at any time as described in this procedure.
For environments with multiple Mirage servers, you must enable SSL and install the SSL certificate for each
server. See Setting Up the SSL Certificate in Windows Server, on page 208.
The setup involves the following steps:
1
Installing the SSL server certificate. See Install an SSL Server Certificate for the Mirage Server, on
page 48.
Configuring servers for SSL. See Configure Mirage Servers for SSL, on page 48.
If you enable SSL on the server, you must also enable SSL on clients.
VMware, Inc.
47
Install an SSL Server Certificate for the Mirage Server

To set up SSL on the Mirage server, you must obtain SSL certificate values and configure them on the server.
SSL certificates is a Windows feature.
The Mirage server uses the local computer store.
Prerequisites
n
Ensure that the certificates are installed in the local Computer Trust Store. If you do not have a
certificate, you can create one with tools such as the Microsoft MakeCert. You must then import the
result into the Certificate Manager.
Verify that you can export the private key.
Procedure
1
Open the Windows Management Console, add the Certificates snap-in, and select the local computer
account.
To navigate to your certificate, select Certificates > Personal > Certificates.
Note the Certificate Subject and Certificate Issuer values.
Configure Mirage Servers for SSL

After you install the SSL Server certificate, you configure the Mirage server maximum CVD connections and
transport settings.
Allocate a larger number of concurrent CVDs for high-end servers, or a smaller number for low-end servers.
For more information about this modification, contact VMware Support.
Procedure
1
In the Mirage Management console tree, expand the System Configuration node and select Servers.
Right-click the required server and select Configure.
Enter the appropriate configuration options.
48
Option
Action
Max Connections
Type the maximum number of concurrent CVD connections. The range is

from 1 to 2500.
Port
Change the port used for client-server communication. Either use the
default port of 8000 or change the port. Changing the port might require
adding firewall rules to open the port.
TCP or SSL
Change the connection type to SSL to have clients communicate with the
server using SSL encryption. This is a global change.
(Optional) If you selected SSL, enter the Certificate subject and Issuer values.
Option
Description
Certificate Subject
Typically the FQDN of the Mirage server.
Certificate Issuer
Usually a known entity like VeriSign. Leave this blank if only one
certificate is on this server.
Click OK.
VMware, Inc.
VMware Mirage Customer Experience

Improvement Program
You can configure Mirage to collect data to help improve your user experience with VMware products. The
following section contains important information about the Customer Experience Improvement Program.
The goal of the Customer Experience Improvement Program is to quickly identify and address issues that
might be affecting your experience. If you choose to participate in the VMware Customer Experience
Improvement Program, Mirage regularly sends encrypted data to VMware. VMware uses the collected data
for product development and troubleshooting purposes. Mirage anonymizes and encrypts the collected data
from your systems or servers before securely transferring the data to VMware.
n
Data Collected for the Customer Experience Improvement Program, on page 49
Joining the Customer Experience Improvement Program, on page 51
Stop Sending Data to VMware, on page 51
Data Collected for the Customer Experience Improvement Program

To provide the benefits of the Customer Experience Improvement Program, Mirage collects technical data
and transfers the data to VMware on a daily basis.
The Customer Experience Improvement Program collects data in several categories.
Table 71. General Information
Property
Description
Vertical
Predefined vertical business list.
Geography
Geographic area where your headquarters are located.
Mirage version
Version of Mirage you are using.
Device number
Total number of devices that Mirage is managing.
Pending device number
Number of devices with the status "pending device".
Base layer number
Total number of base layers that have been captured.
App layer number
Total number of app layers that have been captured.
Subnet number
Total number of subnets that Mirage is managing.
Mirage collects information about storage volumes, such as size and the number of CVDs stored in the
volume.
VMware, Inc.
49
Table 72. Volume Information

Property
Description
Size
Size of one storage volume.
CVD number
Number of CVDs stored in the volume.
Dedup Ratio
Dedup ratio of data stored in the volume.
Average IOPS
Average IOPS of the volume.
Mirage collects information about CVDs, such as CVD size and the OS type on the CVD.
Table 73. CVD Information
Property
Description
OS type
Type of operating system.
Size
Size of the CVD.
App layer number
Number of app layers deployed in the CVD.
Mirage collects information about Mirage operations, such as operation type and the role of the
administrator performing the operation.
Table 74. Operation Information
Property
Description
Time
Start time of the operation.
Duration
How long the operation took to complete.
Type
Type of operation.
Size
Relevant data size of the operation, for example, the size of

the base layer that was captured.
Operator
Role of the administrator who is performing the operation,

for example, the Helpdesk role.
Invocation point
Where the administrator initiated the operation, for

example, the common wizard.
Mirage collects information about Mirage servers and Mirage Gateway servers, such as network traffic, and
memory use and availability.
Table 75. Server Information
Property
Description
Time
Time when the data collection is complete.
Server type
Server type, either a Mirage server or a Mirage Gateway

server.
CPU
Amount of CPU use.
Physical memory
Amount of physical memory on the server.
Free memory
Amount of physical memory on the server that is available.
Concurrent connection
Number of concurrent connections.
In traffic
Incoming traffic from the network.
Out traffic
Outgoing traffic to the network.
Mirage collects information about layers, such as layer size and layer type.
50
VMware, Inc.
Chapter 7 VMware Mirage Customer Experience Improvement Program
Table 76. Layer Information

Property
Description
Type
Layer type, either base layer or app layer.
Capture date
Date the layer is captured.
OS type
Operating system type of the layer.
Size
Size of the captured layer.
Assigned CVD
Number of CVDs that this layer is assigned to.
Joining the Customer Experience Improvement Program

You can join the Customer Experience Improvement Program when you install the Mirage system, or any
time after you install the Mirage system by using the Mirage Web console.
When you install the Mirage Management server, you are prompted with the Customer Experience
Improvement Program window. The I agree to join the Mirage Customer Experience Improvement
Program check box is selected by default. Click OK to join the Customer Experience Improvement Program.
If you do not want to join the Customer Experience Improvement Program, clear the I agree to join the
Mirage Customer Experience Improvement Program check box and click OK. See the VMware Mirage
Installation Guide.
See the VMware Mirage Web Manager Guide.
Stop Sending Data to VMware

If you no longer want to participate in the Customer Experience Improvement Program, you can
discontinue the transfer of anonymized trace data to VMware.
Prerequisites
Verify that the Mirage Web Manager is installed.
Procedure
1
Click the gear icon in the upper-right corner on the Mirage Web Manager.
Clear the I agree to join the Mirage Customer Experience Improvement Program check box and click
OK.
Mirage stops sending technical data to VMware.
VMware, Inc.
51
52
VMware, Inc.
Introduction to Mirage PowerCLI
Windows PowerShell is a command-line and scripting environment that is designed for Microsoft
Windows. PowerShell uses the .NET object model and provides administrators with management and
automation capabilities. You work with PowerShell by running commands, which are called cmdlets in
PowerShell.
Mirage includes several Mirage PowerCLI cmdlets.
The command-line syntax for the Mirage PowerCLI cmdlets is the same as generic PowerShell syntax. For
more information about using PowerShell, see the Microsoft documentation.
n
Using Mirage PowerCLI on page 54

Mirage PowerCLI provides an easy-to-use PowerShell interface to Mirage.
Install the Mirage PowerCLI on page 54

VMware Mirage PowerCLI provides an easy-to-use Windows PowerShell interface for command-line
access to administration tasks.
Run vSphere PowerCLI and Mirage PowerCLI in a Single PowerShell Session on page 54
You can write scripts that combine vSphere PowerCLI cmdlets and Mirage PowerCLI cmdlets in a
single PowerShell session.
Mirage PowerCLI Cmdlets on page 55

You can use Mirage PowerCLI cmdlets to administer Mirage.
Displaying Help for a Mirage PowerCLI cmdlet on page 55

You can display all Mirage PowerCLI cmdlets, view examples of cmdlets usage, and view full
descriptions for each cmdlet.
Centralize Endpoints using Mirage PowerCLI on page 56

You can centralize endpoints in the Mirage PowerCLI.
Migrate an Endpoint OS by Using the Mirage PowerCLI on page 58

You can migrate existing Windows XP or Windows Vista endpoints to Windows 7, and existing
Windows 7 endpoints to Windows 8.1 or Windows 10 by using the Mirage PowerCLI.
Provision Pending Devices by Using the Mirage PowerCLI on page 61

You can provision pending devices using the Mirage PowerCLI.
Assign a Base Layer to a CVD Using the Mirage PowerCLI on page 64

You can assign a base layer to a CVD using the Mirage PowerCLI.
Update App Layers Assigned to a CVD Using Mirage PowerCLI on page 66

You can
VMware, Inc.
53
Using Mirage PowerCLI

Mirage PowerCLI provides an easy-to-use PowerShell interface to Mirage.
You can use the Mirage PowerCLI cmdlets to perform various administration tasks from the command line
or from scripts instead of using the Mirage Management console.
You can write scripts that combine vSphere PowerCLI cmdlets and Mirage PowerCLI cmdlets in a single
PowerShell session.
Install the Mirage PowerCLI

VMware Mirage PowerCLI provides an easy-to-use Windows PowerShell interface for command-line access
to administration tasks.
The .msi installation file is located in the Mirage installation package.
The Mirage PowerCLI client is intended for standalone use (Mirage only). If you use PowerCLI to
administer other VMware products and want to use Mirage cmdlets, see the VMware Mirage Installation
Guiide.
Prerequisites
n
Verify that you installed Microsoft PowerShell 3.0.
Verify that you installed .NET 4.5.1 or later.
Procedure
1
Double-click the VMwarePowerCLIForMirage.buildnumber.msi file to start the installation wizard.
When prompted with the Execution Policy window, access Windows PowerShell as an administrator,
and run the Set-ExecutionPolicy RemoteSigned command.
Type Y and press Enter to accept the execution policy change, and close the Windows PowerShell
window.
Follow the prompts to complete the installation wizard.
Run vSphere PowerCLI and Mirage PowerCLI in a Single PowerShell

Session
You can write scripts that combine vSphere PowerCLI cmdlets and Mirage PowerCLI cmdlets in a single
PowerShell session.
Procedure
1
Install vSphere PowerCLI
Unzip the Mirage_PowerCLI.zip file to the vSphere PowerCLI module directory. .

The default directory path is C:\Program Files (x86)\VMware\Infrastructure\vSphere
PowerCLI\Modules, and the folder is VMware.Mirage.Cmds.
Access Microsoft PowerShell and import the necessary modules.

The Import-Module VMware.Mirage.Cmds command imports the Mirage PowerShell module.
The Import-Module VMware.VimAutomation.Core command imports the vSphere PowerShell module.
54
VMware, Inc.
Chapter 8 Introduction to Mirage PowerCLI
Mirage PowerCLI Cmdlets

You can use Mirage PowerCLI cmdlets to administer Mirage.
Table 81. Mirage PowerCLI Cmdlets Ordered by Verb
Cmdlet
Description
Apply-MirageAssignment
Applies the Mirage download only assignment.
Apply-MirageOsMigration
Applies download only migrations.
Archive-MirageCvd
Archives the CVD.
Connect-MirageServer
Sets up a connection to the Mirage server.
Disconnect-MirageServer
Disconnects from the Mirage server.
Get-MirageAppLayer
Retrieves the Mirage app layers from the Mirage system.
Get-MirageAssignment
Retrieves the assignment from the Mirage system.
Get-MirageBaseLayer
Retrieves the Mirage base layers from the Mirage system.
Get-MirageCvd
Retrieves the CVDs from the Mirage system.
Get-MirageCvdCollection
Retrieves the collections from the Mirage system.
Get-MirageOsMigration
Retrieves the download only migrations from the Mirage

system.
Get-MiragePendingDevice
Retrieves the pending devices from the Mirage system.
Get-MiragePolicy
Retrieves the policies from the Mirage system.
Get-MirageVolume
Retrieves the volumes from the Mirage system.
New-MirageCvd
Creates a new CVD with the specified device, policy, and

volume, in Mirage.
New-MirageOsMigration
Migrates the CVD with the specified base layer, app layer,
and related information in the Mirage system.
Remove-MirageCvd
Removes the CVD.
Set-MirageCvd
Updates the CVD with the specified policy or base layer.
Set-MirageCvdAppLayer
Updates the CVD with the specified app layers.
Sync-MirageCvd
Synchronizes the device information for the CVD.
Displaying Help for a Mirage PowerCLI cmdlet

You can display all Mirage PowerCLI cmdlets, view examples of cmdlets usage, and view full descriptions
for each cmdlet.
To list all Mirage PowerCLI cmdlets, type the Get-VICommand command in the PowerCLI console .
You can get help for a specific cmdlet by using the Get-Help cmdlet in the PowerCLI console. For example,
to get help on the Connect-MirageServer cmdlet, type the Get-Help Connect-MirageServer command in the
PowerCLI console.
To view a sample of how the cmdlet is used, type the Get-Help Command -Examples command in the
PowerCLI console, where Command is the cmdlet, for example, Connect-MirageServer.
To view basic descriptions for a cmdlet, including command description, parameter description, and sample
usage, type the Get-Help Command -Detailed command in the PowerCLI console, where Command is the
cmdlet, for example, Connect-MirageServer.
VMware, Inc.
55
To view the full descriptions for a cmdlet, including the command description, parameter description, and
sample usage, type the Get-Help Command -full command in the PowerCLI console, where Command is the
cmdlet, for example, Connect-MirageServer.
Centralize Endpoints using Mirage PowerCLI

You can centralize endpoints in the Mirage PowerCLI.
Procedure
1
Run the Connect-MirageServer cmdlet to connect to the Mirage server.

Connect-MirageServer ServerIPAddress Username Password -TrustUnknownCertificate
ServerIPAddress is the IP address of the Mirage server, and Username and Password are the log-in
credentials of the privileged user for the Mirage server.
2
Select a Mirage policy for the CVD.

a
Run the Get-MiragePolicy cmdlet to retrieve the Mirage policies, and note the name of the Mirage
policy to assign to the CVD.
Run the $policy = Get-MiragePolicy 'PolicyName'| Select-Object -First 1 command

policy is the name you select for this variable, and PolicyName is the name of the Mirage policy that
you selected for the CVD.
Select a Mirage volume for the CVD.

a
Run the Get-MirageVolume cmdlet to retrieve the Mirage volumes, and note the name of the Mirage
volume to assign to the CVD.
Run the $volume = Get-MirageVolume 'VolumeName' | Select-Object -First 1 command

volume is the name you select for this variable, and VolumeName is the name of the volume that you
selected for the CVD.
Designate one or more pending devices for the CVD.

a
Run the Get-MiragePendingDevice cmdlet to retrieve the pending devices, and note the names of
the pending devices to assign to the CVD.
Assign the pending devices to the $device variable.
Option
Action
Assign one pending device to the

CVD
Run the $device = Get-MiragePendingDevice | Select-Object First 1 command to retrieve the pending device.
Assign one or more pending device

to the CVD
Run the $device = Get-MiragePendingDevice DeviceFilters

command.
DeviceFilters are the filters for the devices to include in the CVD, to retrieve
the pending devices.
Create a CVD.
Option
Action
Create new CVD using a variable
Run the $cvd = $device | New-MirageCVD -Policy $policy Volume $volume command.
Create new CVD without using a

variable
Run the New-MirageCVD -Policy $policy -Volume $volume -Device

$device command.
If volume is not specified, the volume for the new CVD is selected automatically.
56
VMware, Inc.
If you create a CVD using a variable, you can reuse the variable in other Mirage PowerCLI procedures.
The new CVD is created.
Sample Script for Centralizing Endpoints with the Mirage PowerCLI

This is a sample script that is written in the Mirage PowerCLI. It details the procedure for centralizing
endpoints in the Mirage PowerCLI.
param($server, $username, $password, $volumename, $policyname)
"--------Connect-MirageServer-------"
Connect-MirageServer $server $username $password -TrustUnknownCertificate
"----------Get-MirageVolume---------"
$volume = Get-MirageVolume $volumename | Select-Object -First 1
if (!$volume)
{
"Cannot retrieve volume with name $volumename."
return
}
$volume
"----------Get-MiragePolicy---------"
$policy = Get-MiragePolicy $policyname | Select-Object -First 1
if (!$policy)
{
"Cannot retrieve policy with name $policyname."
return
}
$policy
"------Get-MiragePendingDevice------"
$device = Get-MiragePendingDevice | Select-Object -First 1
if (!$device)
{
"There is no pending device on Mirage server."
return
}
$device
"--------------CEFlow---------------"
$cvd = $device | New-MirageCvd -Policy $policy -Volume $volume
if(!$cvd)
{
"CE flow failed"
return
}
"CE flow starts"
while ($cvd.OperationProgress -ne 100 -or $cvd.State -ne 'Idle')
{
Start-Sleep -s 20
VMware, Inc.
57
$cvd = Get-MirageCvd -Device $device

}
$cvd
"CEflow successful."
Migrate an Endpoint OS by Using the Mirage PowerCLI

You can migrate existing Windows XP or Windows Vista endpoints to Windows 7, and existing Windows 7
endpoints to Windows 8.1 or Windows 10 by using the Mirage PowerCLI.
Procedure
1

2
Select a CVD to migrate.

a
Run the Get-MirageCvd cmdlet to retrieve the Mirage CVDs, and note the name of the MirageCVD
for which to migrate the OS.
Run the $cvd = Get-MirageCvd 'cvdname' | Select-Object -First 1 command.

cvd is the name you select for this variable, and cvdname is the name of the CVD that you selected.
Select a base layer for the CVD.

a
Run the Get-MirageBaseLayer cmdlet to retrieve the Mirage base layers, and note the name of the
base layer to apply to the CVD.
Run the $baselayer = Get-MirageBaseLayer 'baselayername' | Select-Object -First 1

command.
baselayer is the name you select for this variable, and baselayername is the name of the base layer that
Migrate the OS on the specified CVD.

a
Run the New-MirageOsMigration cmdlet to migrate the OS on the specified CVD.

Option
Action
Download only migration for the

OS on the specified CVD with
domain join
Run the $migration = New-MirageOsMigration -CVD $cvd BaseLayer $baselayer -Domain $domain -User $domainuser Password $domainpassword -DownloadOnly -Force | SelectObject -First 1 command.
Full migration for the OS on the

specified CVD with domain join
Run the $migration = New-MirageOsMigration -CVD $cvd BaseLayer $baselayer -Domain $domain -User $domainuser Password $domainpassword -Force | Select-Object -First 1
command.
Download only migration for the

OS on the specified CVD with a
work group
Run the $migration = New-MirageOsMigration -CVD $cvd BaseLayer $baselayer -WorkGroup $workgroup -DownloadOnly
-Force | Select-Object -First 1 command.
Full migration for the OS on the

specified CVD with a work group
Run the $migration = New-MirageOsMigration -CVD $cvd BaseLayer $baselayer -WorkGroup $workgroup -Force |
Select-Object -First 1 command.
migration is the name you select for this variable. domain is the name of the domain that the
migrated CVD is joining. domainuser and domainpassword are the login credentials for the domain
that the migrated CVD is joining. workgroup is the name of the work group that you want the CVD
to join.
58
VMware, Inc.
If you selected the download only migration option, apply the download only migration.
a
Run the Apply-MirageOsMigration cmdlet to apply the migration.

Run this command after completing the download only migration.
Run the $cvd = Apply-MirageOsMigration $migration | Select-Object -First 1 command.

cvd is the name you select for this variable, and migration is the variable returned by the previous
download only migration.
The CVD is migrated with the base layer that you specified in the New-MirageOsMigration command.
Sample Mirage PowerCLI Script for Migrating Endpoint OS

This is a sample script that is written the Mirage PowerCLI. It details the procedure for migrating an
endpoint OS in the Mirage PowerCLI.
param($server, $username, $password, $cvdname, $baselayername, $domain, $domainuser,
$domainpassword)
"--------Connect-MirageServer--------"
"--------Get-MirageCvd--------"
$cvd = Get-MirageCvd $cvdname | Select-Object -First 1
if (!$cvd)
{
"Can not get cvd with name $cvdname."
return
}
$cvd
"--------Get-MirageBaseLayer--------"
$baselayer = Get-MirageBaseLayer $baselayername | Select-Object -First 1
if (!$baselayer)
{
"Can not get base layer with name $baselayername."
return
}
$baselayer
"--------New-MirageOsMigration--------"
$migration = New-MirageOsMigration -CVD $cvd -BaseLayer $baselayer -Domain $domain -User
$domainuser -Password $domainpassword -DownloadOnly -Force | Select-Object -First 1
if (!$migration)
{
"Fail to start download only OS migration."
return
}
$migration
"--------Wait for BI download complete--------"
$success = $false
$maxRetries = 100
$retryCount = 0
while (!$success)
{
VMware, Inc.
59
Start-Sleep -s 20
$migration = Get-MirageOsMigration -Id $cvd.Id
if($migration.Status -eq 'DownloadComplete')
{
$success = $true
}
elseif($migration.Status -eq 'DownloadCancelled')
{
"Download only migration cancelled"
return
}
else
{
$retryCount++
if($retryCount -gt $maxRetries)
{
"Download only migration is not completed, retry times: $retryCount"
return
}
}
}
$migration
"--------Apply-MirageOsMigration--------"
$cvd = Apply-MirageOsMigration $migration
if(!$cvd)
{
"Fail to apply download only migration."
return
}
"OS migration starts"
$maxRetries = 100
$retryCount = 0
while ($true)
{
Start-Sleep -s 20
$assignment = Get-MirageAssignment -CVD $cvd -TaskType 'Migration'
if($assignment)
{
if($assignment.Status -eq 'Failed')
{
"OS migration flow fails"
return
}
if($assignment.Status -eq 'Completed')
{
Get-MirageCvd -Id $cvd.Id
"OS migration flow succeeds."
return
}
}
$retryCount++
60
VMware, Inc.
{
"Migration assignment is not created/completed, retry times: $retryCount"
return
}
}
Provision Pending Devices by Using the Mirage PowerCLI

You can provision pending devices using the Mirage PowerCLI.
Procedure
1

2
Select a Mirage volume for the CVD.

a
Run the Get-MirageVolume cmdlet to retrieve the Mirage volumes, and note the name of the Mirage
volume to assign to the CVD.
Run the $volume = Get-MirageVolume 'VolumeName' | Select-Object -First 1 command

volume is the name you select for this variable, and VolumeName is the name of the volume that you
selected for the CVD.
Select a Mirage policy for the CVD.

a
Run the Get-MiragePolicy cmdlet to retrieve the Mirage policies, and note the name of the Mirage
policy to assign to the CVD.
Run the $policy = Get-MiragePolicy 'PolicyName'| Select-Object -First 1 command

policy is the name you select for this variable, and PolicyName is the name of the Mirage policy that

a

command.
VMware, Inc.
Designate one or more pending devices for the CVD.

a
Run the Get-MiragePendingDevice cmdlet to retrieve the pending devices, and note the names of
the pending devices to assign to the CVD.
Assign the pending devices to the $device variable.
Option
Action
Assign one pending device to the

CVD
Run the $device = Get-MiragePendingDevice | Select-Object First 1 command to retrieve the pending device.
Assign one or more pending device

to the CVD
Run the $device = Get-MiragePendingDevice $devicefilters

command.
devicefilters are the filters for the devices to include in the CVD to retrieve
the pending devices.
61
Provision the pending device.

Option
Action
Provision the device with domain

join
Run the $cvd = $device | New-MirageCVD -Policy $policy Volume $volume -BaseLayer $baselayer -Domain $domain -User
$domainuser -Password $domainpassword -Provision -Force
command.
Provision the device with a work

group
Run the $cvd = $device | New-MirageCVD -Policy $policy Volume $volume -BaseLayer $baselayer -WorkGroup $workgroup
-Force command.
Provision the device with domain

join and changing device's machine
name
Run the $cvd = $device | New-MirageCVD -Policy $policy Volume $volume -BaseLayer $baselayer -Domain $domain -User
$domainuser -Password $domainpassword -MachineNamePrefix
$nameprefix -MachineNameStartIndex $nameindex -Provision Force This cmd will provision the devices and change the machine name
with parameter MachineNamePrefix and MachineNameStartIndex. For
example, if MachineNamePrefix is newmachine- and
MachineNameStartIndex is 100, the new machine names would be
newmachine-100, newmachine-101, etc.
If Volume is not specified, the volume for the new CVD is selected automatically.
cvd is the name you select for this variable. domain is the name of the domain that the migrated CVD is
joining. domainuser and domainpassword are the login credentials for the domain that the migrated CVD
is joining. workgroup is the name of the work group that you want the CVD to join.
The new CVD is created with the base layer that you specified in the New-MirageCvd command.
Sample Mirage PowerCLI Script for Provisioning Pending Devices

This is a sample script that is written in the Mirage PowerCLI. It details the procedure for provisioning
pending devices in the Mirage PowerCLI.
param($server, $username, $password, $volumename, $policyname, $baselayername, $domain,
$domainuser, $domainpassword)
"--------Connect-MirageServer-------"
"----------Get-MirageVolume---------"
$volume = Get-MirageVolume $volumename | Select-Object -First 1
if (!$volume)
{
"Can not get volume with name $volumename."
return
}
$volume
"----------Get-MiragePolicy---------"
$policy = Get-MiragePolicy $policyname | Select-Object -First 1
if (!$policy)
{
"Can not get policy with name $policyname."
return
}
$policy
"---------Get-MirageBaseLayer--------"
62
VMware, Inc.

if (!$baselayer)
{
return
}
$baselayer
"------Get-MiragePendingDevice------"
$device = Get-MiragePendingDevice | Select-Object -First 1
if (!$device)
{
"There's no pending device on Mirage server."
return
}
$device
"-----------ProvisionFlow-----------"
$cvd = $device | New-MirageCvd -Policy $policy -Volume $volume -BaseLayer $baselayer -Domain
$domain -User $domainuser -Password $domainpassword -Provision -Force
if(!$cvd)
{
"Provision flow fails"
return
}
"Provision flow starts"
$maxRetries = 100
$retryCount = 0
while ($true)
{
Start-Sleep -s 60
$assignment = Get-MirageAssignment -CVD $cvd -TaskType 'DeviceProvision'
if($assignment)
{
{
"Provision flow fails"
return
}
{
Get-MirageCvd -Device $device
"Provision flow succeeds."
return
}
}
$retryCount++
{
"Provision assignment is not created/completed, retry times: $retryCount"
return
}
}
VMware, Inc.
63
Assign a Base Layer to a CVD Using the Mirage PowerCLI

You can assign a base layer to a CVD using the Mirage PowerCLI.
Procedure
1

2
Select a CVD to assign the base layer.

a
Run the Get-MirageCvd cmdlet to retrieve the Mirage CVDs, and note the name of the Mirage CVD
for which to assign base layer.
Run the $cvd = Get-MirageCVD 'cvdname'| Select-Object -First 1 command.

cvd is the name you select for this variable, cvdname is the name of the CVD that you selected.

a

command.
Assign the base layer to the CVD.

a
Run the Set-MirageCvd cmdlet to assign the base layer to the specified CVD.
Option
Action
Download only assign base layer

to the CVD
Run the $cvd = Set-MirageCvd -CVD $cvd -BaseLayer

$baselayer -IgnoreWarnings -Force -DownloadOnly command.
Full assign base layer
Run the $cvd = Set-MirageCvd -CVD $cvd -BaseLayer

$baselayer -IgnoreWarnings -Force command.
(Optional) If you selected the download only assign option, query and apply the download only base
layer assignment.
a
Run the Get-MirageAssignment cmdlet to retrieve the download only assignment.
Run the Apply-MirageAssignment cmdlet to apply the assignment.
Sample Mirage PowerCLI Script for Assigning a Base Layer to a CVD

This is a sample script that is written in the Mirage PowerCLI. It details the procedure for assigning a base
layer to a CVD in the Mirage PowerCLI.
param($server, $username, $password, $cvdname, $baselayername)
"--------Get-MirageCvd--------"
64
VMware, Inc.
if (!$cvd)
{
return
}
$cvd
"--------Get-MirageBaseLayer--------"
if (!$baselayer)
{
return
}
$baselayer
"--------Set-MirageCvd -BaseLayer--------"
$cvd = Set-MirageCvd -CVD $cvd -BaseLayer $baselayer -IgnoreWarnings -Force -DownloadOnly
if (!$cvd)
{
"Fail to start download base layer."
return
}
$cvd
"--------Get-MirageAssignment--------"
$success = $false
$maxRetries = 10
$retryCount = 0
while (!$success)
{
Start-Sleep -s 20
$assignment = Get-MirageAssignment -CVD $cvd -TaskType 'DownloadOnlyBaseLayerAssignment'
if($assignment)
{
$success = $true
}
else
{
$retryCount++
{
"Download only base layer assignment is not created, retry times: $retryCount"
return
}
}
}
$assignment
"--------Apply-MirageAssignment--------"
$maxRetries = 100
$retryCount = 0
Apply-MirageAssignment -Assignment $assignment -Force
while($true)
{
VMware, Inc.
65
Start-Sleep -s 20
$assignment = Get-MirageAssignment -CVD $cvd -Type 'BaseLayerAssignment'
if($assignment)
{
{
"Assign base layer flow fails"
return
}
{
"Assign base layer flow succeeds."
return
}
}
$retryCount++
{
"Apply layer assignment is not created/completed, retry times: $retryCount"
return
}
}
Update App Layers Assigned to a CVD Using Mirage PowerCLI

You can
Procedure
1

2
Select a CVD that you want to update the app layers assigned to it.
a
Run the Get-MirageCvd cmdlet to retrieve the Mirage CVDs, and note the name of the Mirage CVD
for which to assign base layer.
Run the $cvd = Get-MirageCVD 'cvdname'| Select-Object -First 1 command.

cvd is the name you select for this variable, cvdname is the name of the CVD that you selected.
Select an app layer for the CVD.

a
Run the Get-MirageAppLayer cmdlet to retrieve the Mirage app layers, and note the name of the
app layer to assign to the CVD.
Run the $applayer = MirageAppLayer 'applayername' | Select-Object -First 1 command.

applayer is the name you select for this variable, and applayername is the name of the app layer that
66
VMware, Inc.
Update the app layers on the selected CVD.

Option
Action
Download only update app layers

on the CVD
Run the $cvd = Set- MirageCvdAppLayer -CVD $cvd -AddLayer

$addlayer -RemoveLayer $removelayer -IgnoreWarnings -Force
-DownloadOnly command.
Full update app layer
Run the $cvd = Set- MirageCvdAppLayer -CVD $cvd -AddLayer

$addlayer -RemoveLayer $removelayer -IgnoreWarnings -Force
command.
(Optional) If you selected the download only update option, query and apply the download only app
layer assignment.
a
Run the Get-MirageAssignment cmdlet to retrieve the download only assignment.
Run the Apply-MirageAssignment cmdlet to apply the assignment.
Sample Mirage PowerCLI Script for Updating an App Layer on a CVD

This is a sample script that is written in the Mirage PowerCLI. It details the procedure for updating an app
layer on a CVD in the Mirage PowerCLI.
param($server, $username, $password, $cvdname, $applayername)
"--------Get-MirageCvd--------"
if (!$cvd)
{
return
}
$cvd
"--------Get-MirageAppLayer--------"
$applayer = Get-MirageAppLayer $applayername | Select-Object -First 1
if (!$applayer)
{
"Can not get app layer with name $applayername."
return
}
$applayer
"--------Set-MirageCvdAppLayer--------"
$cvd = Set-MirageCvdAppLayer -CVD $cvd -AddLayer $applayer -IgnoreWarnings -Force -DownloadOnly
if (!$cvd)
{
"Fail to start download app layer."
return
}
$cvd
$success = $false
$maxRetries = 10
$retryCount = 0
VMware, Inc.
67
while (!$success)
{
Start-Sleep -s 20
$assignment = Get-MirageAssignment -CVD $cvd -TaskType 'DownloadOnlyAppLayerAssignment'
if($assignment)
{
$success = $true
}
else
{
$retryCount++
{
"Download only app layer assignment is not created, retry times: $retryCount"
return
}
}
}
$assignment
"--------Apply-MirageAssignment--------"
$maxRetries = 100
$retryCount = 0
Apply-MirageAssignment -Assignment $assignment -Force
while($true)
{
Start-Sleep -s 20
$assignment = Get-MirageAssignment -CVD $cvd -Type 'AppLayerAssignment'
if($assignment)
{
{
"Update app layer flow fails"
return
}
{
"Update app layer flow succeeds."
return
}
}
$retryCount++
{
"Apply layer assignment is not created/completed, retry times: $retryCount"
return
}
}
68
VMware, Inc.
Managing the Mirage Gateway Server
The Mirage Gateway server is the secured gateway server that is deployed outside the Mirage datacenter
environment. The Mirage Gateway server lets end users who have installed the Mirage client communicate
securely with the Mirage servers over the Internet without using VPN configurations.
The Mirage Gateway server meets enterprise security and firewall requirements, and integrates with the
Mirage system with minor modifications to the Mirage system and protocol.
You can start, stop, restart, or generate the status of the Mirage Gateway server.
You run the sudo service mirage-gateway-service start command to start the Mirage Gateway server.
You run the sudo service mirage-gateway-service stop command to stop the Mirage Gateway server.
You run the sudo service mirage-gateway-service restart command to restart the Mirage Gateway
server.
You run the sudo service mirage-gateway-service status command to generate the status of the Mirage
Gateway server.
n
Configuring the Mirage Gateway Server on page 70

You can configure the Mirage Gateway server to communicate with the Mirage servers and the
Corporate Directory Service.
Update a Certificate for the Mirage Gateway Server Using a Command Line on page 71
When a certificate expires, or if you want to use a different certificate, you can update the certificate
for the Mirage Gateway server.
Update a Certificate for the Mirage Gateway Server Using the Web Console on page 71
You can update a certificate for the Mirage Gateway server using the Web console.
Register the Mirage Gateway Server Manually on page 71

The Mirage Gateway server might fail to register on the Mirage server during installation. You can
register the Mirage Gateway server manually.
Protecting the Mirage Gateway Server on page 71

The Mirage Gateway server runs on Linux. You must protect this host from normal OS vulnerabilities.
Configuration Files for the Mirage Gateway Server on page 75

You can view and edit the configuration file for the Mirage Gateway server. The configuration file for
the Mirage Gateway server is stored in the sub-folder etc within the installation directory.
Using Log Files to Troubleshoot the Mirage Gateway Server on page 75

Log files are an important component for troubleshooting attacks on the Mirage Gateway server, and
for obtaining status information for the Mirage Gateway server.
VMware, Inc.
69
Remove the Mirage Gateway Server from the Mirage Management Console on page 77
You can remove a Mirage Gateway server from the Mirage Management console.
Re-Register the Mirage Gateway Server When the Status is Down in the Mirage Management Console
on page 77
The Mirage Gateway server might have the status of down in the Mirage Management console.
Configuring the Mirage Gateway Server

You can configure the Mirage Gateway server to communicate with the Mirage servers and the Corporate
Directory Service.
You can configure the Mirage Gateway server from the Mirage Management console or the Web
configuration portal.
To configure the Mirage Gateway server from the Mirage Management console, click System Configuration
> Mirage Gateways > Configure.
To configure the Mirage Gateway server from the Web configuration portal, navigate to the Web
configuration portal and click a configuration parameter. See the VMware Mirage Installation Guide.
You can import and export the Mirage Gateway server configuration settings by using the Mirage Gateway
Web configuration portal. You export the settings of the current Mirage Gateway server and import the
settings when you install the Mirage Gateway server on a different machine. There are common scenarios
when you install the Mirage Gateway server on a different machine.
n
Server maintenance
Disaster recovery
Upgrading the Mirage Gateway server
Table 91. Mirage Gateway Server Configuration Parameters
70
Parameter
Description
Mirage server
IP address or FQDN of the Mirage server.
Port
Port number of the Mirage Gateway server.
Token expiration time (in hours)
Login token expiration time. The token expiration time

determines the frequency with which end users are
required to log in to the Mirage Gateway server to
communicate with the Mirage servers.
Use LDAPS
Check box selected when using a secured LDAP server

with TLS/SSL.
LDAP Authentication Server
IP address or FQDN and port number of the LDAP

authentication server.
LDAP User DN
LDAP user DN in the format: cn=username, cn=users,

dc=domain, dc=com. For example, CN=Administrator,
CN=USERS, DC=MIRAGEDOMAIN, DC=COM
Password
LDAP bind user password.
VMware, Inc.
Chapter 9 Managing the Mirage Gateway Server
Update a Certificate for the Mirage Gateway Server Using a Command

Line
When a certificate expires, or if you want to use a different certificate, you can update the certificate for the
Prerequisites
n
Generate a certificate signing request. See the VMware Mirage Installation Guide.
Verify that you submitted the certificate request. See the VMware Mirage Installation Guide.
Verify that you converted the certificate file extension. See the VMware Mirage Installation Guide.
Procedure
1
Run the sudo /opt/MirageGateway/bin/cert_manage.sh command.
When prompted, enter the name of the certificate in the

format /opt/MirageGateway/etc/newcertname.pfx or /opt/MirageGateway/etc/newcertname.pem, where
newcertname is the name of the new certificate.
When prompted, enter the certificate private key password and press Enter.
This is the password you created as part of the certificate export procedure.
Update a Certificate for the Mirage Gateway Server Using the Web
Console
You can update a certificate for the Mirage Gateway server using the Web console.
You can upload a new certificate for the Mirage in the Web console.
To upload a new certificate, navigate to the Web console and select the Certificate tab.
Register the Mirage Gateway Server Manually

The Mirage Gateway server might fail to register on the Mirage server during installation. You can register
the Mirage Gateway server manually.
Procedure
1
Run the sudo /opt/MirageGateway/bin/reg.sh command.
When prompted, enter the Mirage server address, Mirage server port, and Mirage Gateway activation
code.
Protecting the Mirage Gateway Server

The Mirage Gateway server runs on Linux. You must protect this host from normal OS vulnerabilities.
Use spyware filters, intrusion detection systems, and other security measures mandated by your enterprise
policies.
Ensure that all security measures are up-to-date, including OS patches.
The protection configuration codes are executed during the deployment of the OVA template.
VMware, Inc.
71
Table 92. Protection Configuration for Code MEG01

Description
Code
MEG01
Name
Keeps the Mirage Gateway system properly patched.
Description
By staying up-to-date on OS patches, OS vulnerabilities are

mitigated.
Risk or control

privileges on the Mirage Gateway system, the attacker can
access all CVD transferring through the Mirage Gateway
server.
Recommended level
Enterprise
Condition or steps
Employs a system to keep the Mirage Gateway system up to-date with patches, in accordance with industry-standard
guidelines, or internal guidelines where applicable.

Description
Code
MEG02
Name
Provide OS protection on the Mirage Gateway server host.
Description
By providing OS-level protection, vulnerabilities to the OS

are mitigated. This protection includes anti-malware, and
other similar measures.
Risk or control

privileges on the Mirage Gateway system, the attacker can
access all CVD transferring through the Mirage Gateway
server.
Recommended level
Enterprise
Condition or steps
Provides OS protection, such as anti-malware, in

accordance with industry-standard guidelines, or internal
guidelines where applicable.
72
Description
Code
MEG03
Name
Restrict privilege user login.
Description
The number of privilege users with permission to log in to

the Mirage Gateway system as an administrator should be
minimal.
Risk or control

Gateway system then the system is vulnerable to
unauthorized modification.
Recommended level
Enterprise
Condition or steps
Create specific privilege log-in accounts for individuals.

Those accounts should be part of the local administrators'
group. There should not be a shell to the account that the
account cannot log in, and provide an invalid password for
the account.
VMware, Inc.

Description
Code
MEG04
Name
Implement an administrative password policy.
Description
Set a password policy for all Mirage Gateway systems. The

password should include the following parameters:
n A minimum password length
n Require special character types
n Require periodic change of the password
Risk or control

Gateway system then the system is vulnerable to
Recommended level
Enterprise
Condition or steps
Set a password policy on each Mirage Gateway system.

Description
Code
MEG05
Name
Remove unnecessary network protocol.
Description
Mirage Gateway only uses IPv4 communication. You

should remove other services, such as file and printer
sharing, NFS, sendmail, bind or NIC, and so on.
Risk or control

Gateway system then the system is more vulnerable to
Recommended level
Enterprise
Condition or steps
Run yast on the Mirage Gateway Suse OS. Disable all

network protocols under the Security and Users setting,
and the Firewall setting. Retain the following three ports:
n Mirage Gateway- default tcp 8000
n Management- default tcp 8080
n
SSH- default tcp 22

Description
Code
MEG06
Name
Disable unnecessary services.
Description
Mirage Gateway requires a minimal number of services for

the OS. When you disable unnecessary services you
enhance security. This prevents the services from
automatically starting at boot time.
Risk or control
If unnecessary services are running, the Mirage Gateway

system is more vulnerable to network attack.
Recommended level
Enterprise.
Condition or steps
Disable any services that are not required. Run yast on the
Mirage Gateway Suse OS. Disable all network services
except those related to SSHD and iSCSI under the Network
Services drop-down menu.
VMware, Inc.
73

Description
Code
MEG07
Name
Use an external firewall in the DMZ to control
Description
Mirage Gateway servers are usually deployed in a DMZ.

You must control which protocols and network ports are
permitted so that communication with Mirage Gateway is
restricted to the required minimum. Mirage Gateway
automatically does TCP forwarding to Mirage servers
within a datacenter, and ensures that all forwarded traffic
is directed from authenticated users.
Risk or control
Allowing unnecessary protocols and ports might increase

the possibility of an attack by a malicious user, especially
for protocols and ports for network communication from
the Internet.
Recommended level
Configure a firewall on either side of the Mirage Gateway

server to restrict protocols and network ports to the
minimum set required between Mirage clients and the
Mirage Gateway servers.
You should deploy the Mirage Gateway server on an
isolated network to limit the scope of frame broadcasts.
This configuration can help prevent a malicious user on the
internal network from monitoring communication between
the Mirage Gateway servers and the Mirage server
instances.
You might want to use advanced security features on your
network switch to prevent malicious monitoring of Mirage
Gateway communication with Mirage servers, and to
guard against monitoring attacks, such as ARP Cache
Poisoning.
Parameter or objects configuration
For more information about the firewall rules that are

required for a DMZ deployment, see the VMware Mirage
Installation Guide.
74
Description
Code
MEG08
Name
Do not use the default, self-signed server certificates on a

Description
When you first install the Mirage Gateway server, the SSL
server is unable to work until signed certificates are
prepared. The Mirage Gateway server and the SSL server
require SSL server certificates signed by a commercial
Certificate Authority (CA) or an organizational CA.
Risk or control
Using self-signed certificates leaves the SSL connection

more vulnerable to man-in-the-middle attacks. Applying
certificates to trusted CA signed certificates mitigates the
potential for these attacks.
Recommended level
Enterprise
Condition or steps
For more information about setting up Mirage Gateway

SSL certificates, see the VMware Mirage Installation Guide.
Test
Use a vulnerability scanning tool to connect the Mirage

Gateway. Verify that it is signed by the appropriate CA.
VMware, Inc.
Configuration Files for the Mirage Gateway Server

You can view and edit the configuration file for the Mirage Gateway server. The configuration file for the
Mirage Gateway server is stored in the sub-folder etc within the installation directory.
The name of the configuration file is /opt/MirageGateway/etc/MirageGateway.conf.
The log files and the process ID file are saved within the logs sub-folder within the same installation
directory.
Read/Write privileges to these files are only given to the default Mirage user who is running the Mirage
Gateway server.
You can protect all files to limit access privileges.
Table 910. Protected Files
File
Default Path
MirageGateway
/opt/MirageGateway/bin
cert_manage.sh
export.sh
gws
install.sh
ptool
GatewayStat.sh
GatewayStatTimer.sh
reg.sh
sysreport_as_system.sh
sysreport_full
sysreport_logs
MirageGateway.conf
/opt/MirageGateway/etc
MirageGateway.pem
config.txt
gws.pid
mirage_gateway_service.log
/opt/MirageGateway/logs
error.log
mirage_gateway_backend.log
mirage_gateway_stat.log
mirage_gateway.log
User data
/home/mirage/.mirage-gateway/
mirage-gateway-service
/etc/init.d
Using Log Files to Troubleshoot the Mirage Gateway Server

Log files are an important component for troubleshooting attacks on the Mirage Gateway server, and for
obtaining status information for the Mirage Gateway server.
Log files for the Mirage Gateway server are located in the /opt/MirageGateway/logs/ directory.
VMware, Inc.
75
To increase security of the Mirage Gateway server, the log file must only grant access to the user who is
running the Mirage Gateway process.
The format for a Mirage Gateway log is:
Date Time [Severity]: Component: Event Type: Description
This is an example of a log:

2014-04-15 03:26:33:
2014-04-16 23:12:38:
2014-04-16 23:12:38:
2014-04-16 23:12:38:
2014-04-16 23:12:38:
2014-04-16 23:12:38:
10.117.37.154)
[Error]:
[Debug]:
[Debug]:
[Debug]:
[Debug]:
[Debug]:
Auth Connector: Send: failed to send data to auth server (auth:)

Gateway: Connect: coming new connection from (ip: 10.117.37.154)
Gateway: Authenticate: started auth for (ip: 10.117.37.154)
Auth Connector: Connect: ssl connection from (ip: 10.117.37.154)
Auth Connector: Receive: reading client info from (10.117.37.154)
Auth Connector: Authenticate: reading tcp auth from (ip:
Table 911. Log File Properties

Property
Description
Date
The date that the event generated a log entry. The date is in
the local time zone of the Mirage Gateway server.
The format of the date is YYYY-MM-DD.
Time
The time that the event generated a log entry. The time is in
the local time zone of the Mirage Gateway server.
The format of the time is HH:MM:SS
Severity
The severity of the event. The

Verbose
n Trace
n Debug
n Info
n Warn
n Error
n Fatal
n
76
Component
The sub-component of the Mirage Gateway server that

generated the event. For some events, the Component
property might not be logged.
The components are:
n TCP Config Parser- The parser of TCP related
configurations, for example, TCP Timeout.
n Gateway Config Parser- The parser of Gateway
forwarding related configurations, for example, Mirage
server addresses and load balancing strategies.
n Auth Connector- The component that connects to the
directory server for authentication.
n Gateway- The gateway function that accepts the
connection from the Mirage client and performs all
read and write actions.
n Upstream- The gateway function that connects with
the Mirage server and performs all read and write
actions.
Event Type
The action that the Component attempted to perform. For

some events, the Event property might not be logged.
Description
A detailed explanation of the event. It may retain the

information of other endpoints.
VMware, Inc.
Table 912. Log Event Type

Event Type
Description
Resource Allocate
Resource allocation, such as memory.
Parse
Parse meaningful data, such as the configuration file.
IO
Common IO events, such as port binding or duplicate

connections.
Connect
Connect to, or accept a connection.
Close
Close a network connection.
Receive
Receive or read from a connection.
Send
Send or write to a connection.
Save
Save to a file or storage location.
Load
Load from a file or storage location.
Forward
Forward information.
Authenticate
Valid date, such as certificates.
Validate
Validate data, such as certificates.
Control
Set parameters, such as TCP no delay.
Table 913. Remote Entity

Remote Entity Type
Description
ip
The Mirage client.
srv
The Mirage server.
auth
The authentication server, for example, Active Directory.
gw
The Mirage Gateway server.
Remove the Mirage Gateway Server from the Mirage Management

Console
You can remove a Mirage Gateway server from the Mirage Management console.
Procedure
1
In the Mirage Management console, click the System Configuration node and click Gateway Servers.
Right-click the Mirage Gateway server you want to remove and click Remove.
In the confirmation message, click Yes.
Re-Register the Mirage Gateway Server When the Status is Down in

the Mirage Management Console
The Mirage Gateway server might have the status of down in the Mirage Management console.
Cause
The Mirage Gateway server was registered more than once.
VMware, Inc.
77
Solution
1
Remove the Mirage Gateway server that has a down status from the Mirage Management console.
a
In the Mirage Management console, select System Configuration > Mirage Gateways.
Right-click the Mirage Gateway server that has a down status and select Remove.
Navigate to https://MirageGWIPaddress:8443/WebConsole.
MirageGWIPaddress is the IP address of the Mirage Gateway server.
When prompted, provide the login credentials.

The default username is mirage, and the default password is vmware.
Click the Mirage Server tab and enter the Mirage server address and port.
The Mirage Gateway server is registered and available in the Mirage Management console.
78
VMware, Inc.
Managing the Driver Library
10
You use the driver library to manage hardware-specific drivers in a separate repository, organized by
hardware families.
You add drivers with an import wizard and view them in the driver librarys console.
You can configure the system to add the necessary driver library to the relevant endpoints based on
matching profiles between the library and the endpoint configuration.
The driver handling is unconnected to layers. Not having to include drivers in the layer results in smaller
and more generic layers.
Mirage does not install the drivers. Mirage delivers the driver to the endpoint and Windows determines
whether to install the driver.
n
Driver Library Architecture, on page 79
Managing Driver Folders, on page 80
Managing Driver Profiles, on page 82
Driver Library Architecture

The driver library copies drivers from the Mirage system to the endpoint. When Windows scans for
hardware changes, these copied drivers are used by the Windows Plug and Play (PnP) mechanism, and the
appropriate drivers are installed as required.
This diagram illustrates the driver library architecture and how rules associate drivers to endpoints.
VMware, Inc.
79
Figure 101. Driver Library Architecture
Drivers
Profile A
Endpoint
Folder 1
List of
folders
Rules match
machines
Drivers
Endpoint
Folder 2
Profile B
Endpoint
Drivers
List of
folders
Rules match
machines
Folder n
Endpoint
Profile A contains drivers from driver folder 1 and 2. When the profile is analyzed, the drivers from
those folders are applied to two endpoints.
Profile B contains drivers only from driver folder 2, which is also used by profile A. When the profile is
analyzed, the drivers from that folder are applied to only one endpoint.
The Mirage system can have multiple driver folders, multiple driver profiles, and many endpoints.
A driver profile can contain drivers from multiple driver folders and multiple driver profiles can use a
driver folder.
You can apply a driver profile to one, many, or no endpoints.
The driver library is used during the following operations:
n
Centralization
Migration
Hardware migration and restore
Machine cleanup
Base layer update
Set driver library
Endpoint provisioning
Managing Driver Folders

Hardware drivers are imported and stored in driver folders in the Mirage system.
You can add driver folders to the root All folder, or create subfolders. You can also have Mirage mirror your
current Driver Store folder structure.
The driver library has the following capabilities:
80
You can group drivers by folder, for example, by common model. You can associate a driver with
several folders.
A folder can contain other folders, in a recursive hierarchy.
You can enable or disable drivers within a folder, without deleting them.
VMware, Inc.
Chapter 10 Managing the Driver Library
To view a device drivers details, right-click any driver and select Properties.
NOTE For best results, obtain drivers directly from vendor Web sites, or restore media.
Create Driver Folders

You can create folders to hold related hardware drivers.
Procedure
1
In the Mirage Management console tree, expand the Driver Library node.
Right-click Folders or any driver folder and select Add folder.
Type a folder name and click OK.
Change Driver Folders

You can rename or remove folders, or add hardware drivers to folders.
When you remove a folder, the drivers remain intact. The folder is a logical grouping of drivers that are
stored on the system.
Procedure
1
In the Mirage Management console tree, and expand the Driver Library node.
Right-click any driver folder and select the appropriate folder option.
Option
Action
Rename the folder
Click Rename Folder, type the new name and click OK.
Remove the folder
Click Remove Folder, and click Yes to confirm.
Add drivers to the folder
Click Add drivers, select a driver and click OK.
Import Drivers to Folders

You can import hardware drivers to driver folders to assist organization and accessibility.
Prerequisites
n
Verify that the Mirage Management server has access to the UNC path where the drivers are stored.
Verify that you extracted drivers from the archive.
Procedure
1
To select a driver import option, right-click any driver folder and select Import drivers.
VMware, Inc.
Option
Description
UNC path
The UNC path where the drivers are stored. The path is scanned
recursively.
Keep original folder hierarchy
Recreates the folder structure on your driver store in the Mirage system.
Click OK.
81
Add Drivers from the All Folder

The All folder in the driver library contains all the drivers in the library. You can add selected drivers from
the All folder to one or more selected folders.
Procedure
1
Select the Folders > All.
Right-click one or more drivers, and select Add drivers to folder.
Select individual folders in the tree.
Click OK.
Managing Driver Profiles

The driver library also contains driver profiles. A driver profile is used to select the driver folders to publish
to a particular hardware model or set.
A driver profile can select one or more driver folders.
Driver profile rules check if a driver applies to a particular hardware, and can select one or more matching
driver profiles for a device.
Create or Edit Driver Profiles

You can define driver profiles and the rules that apply to them. The rules are used during Mirage operations
to validate the endpoints that use the profiles and check which profiles to apply to specific hardware.
Procedure
1
In the Mirage Management console tree, expand the Driver Library node, right-click Profiles, and
select Add.
On the General tab, type a profile name and select the check boxes of drivers to apply in this profile.
For example, if you are building a profile for a Dell Latitude E6410, select all the driver folders that
apply to that hardware family.
On the Rules tab, use the drop-down menus to create specific rules for hardware families.
For example, set the Vendor to Dell, and select the appropriate OS type.
Click Apply to test the result set that is returned by these rules.
Continue to fine-tune the rules until the result set is accurate.
Click OK.
What to do next
After you define rules, no more work is necessary for them to function. If devices that meet these criteria
already exist in the Mirage system, you must start a driver profile update on those systems.
Apply Driver Profiles

You can apply newly created rules and profiles to already centralized endpoints.
The drivers are stored in one of the Mirage storage volumes in the MirageStorage directory, and
deduplication is applied. If you have multiple volumes, you can change the volume where the driver library
is stored by editing the system configuration settings.
82
VMware, Inc.
Chapter 10 Managing the Driver Library
This operation is not needed for clients added to the Mirage system after the driver library was configured.
It is performed on those clients when an operation is performed that can use the driver library, including
image updates, CVD restores, and so on.
Procedure
1
In the Mirage Management console tree, expand the Inventory node and click All CVDs.
Right-click one or more CVDs, or a collection, and select Apply Driver Library.
(Optional) Right-click a CVD and select Properties to view the assigned driver profiles of a CVD.
The driver library download progress appears in the desktop status window, the task list of the
Management console, and the transaction logs.
A profile is selected for each device according to the rules.
Devices that match more than one profile receive a driver store that contains a merged view of all the
matching profiles.
A warning or event, or both, is generated for devices that have no matching driver store.
VMware, Inc.
83
84
VMware, Inc.
Deploying Multiple Storage Volumes
11
Mirage provides multiple storage volume support to help manage volume congestion.
Each storage volume can contain base layers, app layers, and CVDs. CVDs are assigned to a storage volume
when they are created. The storage volumes must be shared by the servers where Network-attached storage
(NAS) permissions must be in place.
For more information about the relation between multiple servers and storage volumes, see Using Multiple
Servers, on page 99
n
View Storage Volume Information, on page 85
Storage Volume Parameters, on page 86
Add Storage Volumes, on page 86
Edit Storage Volume Information, on page 87
Remove or Unmount Storage Volumes, on page 87
Mount Storage Volumes, on page 88
Block Storage Volumes, on page 88
Unblock Storage Volumes, on page 88
Maintain Storage Volumes, on page 89
View Storage Volume Information

You can view information about all the storage volumes connected to the Mirage Management system.
You can view certain information about each storage volume, such as volume state, location, description,
metrics, and status.
Procedure
u
In the Mirage Management console tree, expand the System Configuration node and select Volumes.
For more information about storage volume parameters, see Storage Volume Parameters, on
page 86
VMware, Inc.
85
Storage Volume Parameters

You can access the storage volume parameters from the Mirage Management console.
Table 111. Mirage Storage Volume Parameters
Parameter
Description
ID
Unique volume identification number set by the Mirage Management system.
Name
Volume name assigned when the volume was added.
Volume State
Current state of the storage volume.

Mounted. Volume is reachable and accessible.
n Malfunctioned. Volume is currently unreachable and inaccessible. CVDs and base layers
on this volume cannot be accessed or used until the volume status is restored to
Mounted. A manual action is needed to correct the problem.
n
n
n
Run an SIS volume integrity check before returning the volume to the active state. See
Maintain Storage Volumes, on page 89.
Unmounted. Volume was temporarily disconnected by the administrator using the
Unmount Volume function. See Remove or Unmount Storage Volumes, on page 87.
Removing. Volume is in the process of removal from the system.
Volume Type
Indicates the type of contents the volume has (Standard Volume - if it contains only CVDs
and USMT & Driver Library if it contains USMT& Driver library but not limited to CVDs).
Path
UNC or local path where the volume resides.
Description
Description of the storage volume assigned when the volume was added. You can edit the
volume information. See Edit Storage Volume Information, on page 87.
Capacity (GB)
Storage volume capacity in gigabytes.
Free Space (GB)
Amount of free space in gigabytes available on the storage volume.
Number of CVDs
Number of CVDs stored on the storage volume.
Number of Base Layers
Number of base layers and base layer versions stored on the storage volume.
Status
Status of the storage volume.

(blank). The storage volume is available.
n Blocked. The storage volume is not used when creating new CVDs and base layers, but
continues to serve existing stored entities. See Block Storage Volumes, on page 88.
n
Add Storage Volumes

You can add storage volumes to the Mirage system.
When you add a new volume,Mirage verifies the specified path, that the volume is empty, and that the
volume supports alternative data streams.
Prerequisites
Verify that the following conditions are met:
86
The user account that manages the Mirage system has access permissions to the new volume.
The volume has sufficient privileges for the Mirage Management server and the Mirage server cluster to
access the required volume.
The server service accesses the volume using the user credentials. In a CIFS (clustered) environment,
the volume must be shared and accessible to all Mirage servers.
VMware, Inc.
Chapter 11 Deploying Multiple Storage Volumes
Procedure
1
In the Mirage Management console tree, expand the System Configuration node, right-click Volumes
and select Add a Volume.
Option
Action
Name
Type the name of the storage volume.
Path
Type the server UNC path of the volume where the volume resides.
Description
Type a description of the storage volume.
The volume path must contain only ASCII characters.

2
Click OK.
Edit Storage Volume Information

You can edit the volume name, description, and the UNC path in the storage volume information.
Procedure
1
Right-click the required volume and select Edit Volume Info.
Option
Action
Name
Edit the volume name and the UNC path as needed.
Description
Type a description of the volume, if needed.
Click OK.
Remove or Unmount Storage Volumes

You can remove a storage volume from the Mirage system or unmount it.
Removing a volume deletes a storage volume from the system.
Unmounting a volume places the volume in a non-operational status but retains the CVD and base layer
data on the volume. Verify that the volume is unmounted before you perform maintenance operations such
as integrity checks. The Volume State in the Volumes window is Unmounted.
Prerequisites
Verify that the selected volume is empty and does not contain CVDs or base layers. The remove operation
fails if CVDs or base layers still reside on the volume.
Procedure
1
Right-click the required volume and select Remove Volume or Unmount Volume.
VMware, Inc.
87
Mount Storage Volumes

You can activate an unmounted storage volume that is ready for reactivation.
Prerequisites
If the volume is in the Malfunctioned state, run the SIS integrity check before starting. See Maintain Storage
Volumes, on page 89.
When using a CIFS (clustered) environment, the mounted volume must be shared and accessible to all
Mirage servers.
Procedure
1
Right-click the required volume and select Mount.

The Mount option is available when the Volume state is Unmounted.
Block Storage Volumes

You can block a storage volume to prevent it from being used when new CVDs or base layers are being
created.
Blocking a storage volume is useful when the volume reaches a volume capacity threshold or to stop
populating it with new CVDs or base layers. Blocking a volume does not affect access or updates to existing
CVDs and base layers on the volume.
IMPORTANT You cannot move a CVD or a base layer to a blocked volume. You can move a CVD or a base
layer from a blocked volume.
Procedure
1
Right-click the required volume and select Block.

The Volume Status column in the Volumes window shows Blocked.
Unblock Storage Volumes

You can unblock a volume that is currently blocked. The volume can then accept new CVDs and base layers
and existing data can be updated.
Procedure
88
Right-click the required volume and select Unblock.
VMware, Inc.
Chapter 11 Deploying Multiple Storage Volumes
Maintain Storage Volumes

When a storage volume reaches a certain capacity, Mirage blocks operations such as writing to a storage
volume.
When this occurs, you can:
n
Increase the storage capacity by adding additional storage volumes to the MirageManagement console.
Click System Configuration > Volumes to add storage volumes.
Change the storage capacity of existing volumes in the Mirage Management console. Click System
Configuration > Volumes to manage storage volumes.
Delete CVDs from a storage volume.
Move CVDs to another storage volume.
You can configure Mirage system settings for storage volume thresholds and alerts to enable you to trigger
events in the events log. For more information, see Configure the System Settings, on page 41.
Additionally, inconsistencies may occur after a volume malfunction, such as following a network disconnect
or storage access error. Performing a Single-Instance Storage (SIS) integrity procedure may help find and fix
them.
When a volume state has changed to Malfunctioned, such as following a network disconnect or a storage
access error, it is good practice to schedule a Single-Instance Storage (SIS) integrity procedure before
mounting the volume on the system.
This procedure might take several hours to complete depending on the number of files on the volume.
CVDs residing on the volume are suspended and base layers stored on the volume are not accessible during
that time.
The SIS integrity procedure can also be run from C:\Program Files\Wanova\Mirage Server.
Prerequisites
Verify that the volume is unmounted before performing any maintenance operations such as integrity
checks. See Remove or Unmount Storage Volumes, on page 87.
Procedure
1
Unmount the volume using the Unmount option.
Run the SIS Integrity script from a Mirage server.

a
Open the command window.
Type
C:\Program Files\Wanova\Mirage Server>Wanova.Server.Tools.exe

SisIntegrity -full volume path
For example:
SisIntegrity -full \\apollo\vol100\MirageStorage
An SIS integrity check summary appears when the SIS Integrity script is completed.
VMware, Inc.
89
90
VMware, Inc.
Managing Branch Reflectors
12
Using Mirage branch reflectors promotes efficient distribution to branch offices and remote sites where
multiple users share the WAN link to the data center. You can enable the branch reflector peering service on
endpoint devices that are installed with a Mirage client.
The branch reflector downloads base layer images, app layers, driver files, and USMT files from the Mirage
server and makes them available for transfer to other Mirage clients in the site. Only files that reside on the
branch reflector machine's disk are transferred and files are not requested from the Mirage server at all.
In this way, files are downloaded to the branch reflector only once, and common files across base layers
become readily available to other clients without duplicate downloads.
n
Branch Reflector Matching Process, on page 91
Select Clients To Be Branch Reflectors, on page 92
Enable Branch Reflectors, on page 92
Configure Defaults for Branch Reflectors, on page 93
Configure Specific Branch Reflector Values, on page 93
Disable Branch Reflectors, on page 94
Reject or Accept Peer Clients, on page 94
Suspend or Resume Server Network Operations, on page 95
Monitoring Branch Reflector Activity, on page 95
Branch Reflector Matching Process

You can enable one or more branch reflectors per site. Client endpoints detect enabled branch reflectors on
the same or different sites.
The Mirage IP detection and proximity algorithm finds a matching branch reflector using the following
process:
1
The algorithm first verifies that a potential branch reflector is in the same subnet as the client.
If the branch reflector is in a different subnet, the algorithm checks if the branch reflector is configured
to service the client subnet.
VMware, Inc.
91
See Configure Specific Branch Reflector Values, on page 93.

Alternatively, the algorithm can use the client site information to check that the branch reflector is in the
same Active Directory site as the client.
See Configure Defaults for Branch Reflectors, on page 93.
3
The algorithm checks that the latency between the branch reflector and the client is within the
threshold.
See Configure Defaults for Branch Reflectors, on page 93.
If a client and branch reflector match is found that satisfies these conditions, the client connects to the
branch reflector to download a base layer. Otherwise, the client repeats the matching process with the
next branch reflector.
If no match is found or all suitable branch reflectors are currently unavailable, the client connects to the
server directly.
Alternatively, to keep network traffic as low as possible, you can select Always Prefer Branch Reflector
to force clients to continually repeat the matching process until a suitable branch reflector becomes
available. See Configure Defaults for Branch Reflectors, on page 93.
In this case, the client connects to the Mirage server only if no branch reflectors are defined for the
specific endpoint.
You can see the results of the Mirage IP detection and proximity algorithm for a selected CVD. See Show
Potential Branch Reflectors, on page 97.
Select Clients To Be Branch Reflectors

You can select any Mirage client endpoint to function as a branch reflector, in addition to serving a user.
Alternatively, you can designate a branch reflector to a dedicated host to support larger populations. A
branch reflector can run on any operating system compatible with Mirage clients.
Prerequisites
Clients that serve as branch reflectors must satisfy the following conditions:
n
Connect the device that will serve as a branch reflector to a switched LAN rather than to a wireless
network.
Verify that enough disk space is available to store the base layers of the connected endpoint devices.
Verify that port 8001 on the branch reflector host is open to allow incoming connections from peer
endpoint devices.
If the branch reflector endpoint also serves as a general purpose desktop for an interactive user, use a
dual-core CPU and 2GB RAM.
To determine if an endpoint has an eligible branch reflector, click the CVD Inventory tab, select a CVD, and
click Show Potential Branch Reflectors.
Enable Branch Reflectors

You enable branch reflectors to make them available to be selected by the Mirage IP detection and proximity
algorithm for distribution to clients.
You can disable an enabled branch reflector. See Disable Branch Reflectors, on page 94.
Procedure
1
92
In the Mirage Management console tree, expand the Inventory node and select Assigned Devices.
VMware, Inc.
Chapter 12 Managing Branch Reflectors
Right-click an endpoint device and select Branch Reflector > Enable Branch Reflector.
When a device is enabled as a branch reflector, it is listed in the Branch Reflectors window, as well as
remaining on the Device Inventory window.
(Optional) Select System Configuration > Branch Reflectors to view which devices are enabled as
branch reflectors.
Configure Defaults for Branch Reflectors

You can set default values of parameters that govern the behavior of branch reflectors.
The current Maximum Connections and Cache Size values apply to newly defined branch reflectors. You
can correct them individually for selected branch reflectors. See Configure Specific Branch Reflector
Values, on page 93.
Other parameters in this window apply system-wide to all branch reflectors, existing or new.
Prerequisites
Verify that the branch reflector endpoint has enough disk space to support the Default Cache Size value, in
addition to its other use as a general purpose desktop.
Procedure
1
In the Mirage Management console tree, right-click System Configuration and click Settings.
Click the Branch Reflector tab and configure the required default values.
Option
Action
Default Maximum Connections
Type the maximum number of endpoint devices that can simultaneously

connect to the branch reflector.
Default Cache Size (GB)
Type the cache size that the branch reflector allocated.
Required Proximity (msec)
Type the maximum time, for example 50 ms, for a branch reflector to
answer a ping before an endpoint considers downloading through the
branch reflector. The endpoint downloads from the server if no branch
reflectors satisfy the specified proximity.
Use Active Directory Sites
Mirage uses subnet and physical proximity information to choose branch

reflectors. Select this check box to use Active Directory site information to
determine to which branch reflector to connect.
Always Prefer Branch Reflector
To keep network traffic as low as possible, select this option to force clients
to continually repeat the matching process until a suitable branch reflector
becomes available. In this case, a client connects to the Mirage server only
if no branch reflectors are defined. If the option is not selected, and no
match is found or suitable branch reflectors are currently unavailable, the
client connects to the Mirage server directly as a last resort.
Click OK.
Configure Specific Branch Reflector Values

Newly created branch reflectors are assigned default parameter values. You can adjust some of these values
for individual branch reflectors.
Default values apply to the Maximum Connections, Cache Size, and Additional Networks parameters for
newly created branch reflectors. See Configure Defaults for Branch Reflectors, on page 93. You can adjust
these values for a selected branch reflector.
VMware, Inc.
93
Prerequisites
Verify that the branch reflector endpoint has enough disk space for the indicated cache size, in addition to
its other use as a general purpose desktop.
Procedure
1
In the Mirage Management console tree, expand the System Configuration node and click the Branch
Reflectors tab.
Right-click the branch reflector device and select Branch Reflector > Configure.
Option
Action
Maximum Connections
Type the maximum number of endpoint devices that can connect to the
branch reflector at the same time.
Cache Size (GB)
Type the cache size in gigabytes that the branch reflector has allocated.
Additional Networks
Type the networks where the branch reflector is authorized to service

client endpoints in addition to its own local subnets.
Click OK.
The branch reflector configuration settings take effect immediately. You do not need to restart the
branch reflector client.
Disable Branch Reflectors

You can disable the branch reflector peering service at any time.
When a branch reflector is disabled, the device is deleted from the Branch Reflectors list. But it continues to
be available because an endpoint device remains as a regular Mirage endpoint in the device inventory.
When a branch reflector is disabled, its base layer cache is deleted.
Procedure
1
In the Mirage Management console tree, expand the System Configuration node and click the Branch
Reflectors node.
Right-click the branch reflector device and select Branch Reflector > Disable Branch Reflector.
Reject or Accept Peer Clients

When the branch reflector is operating slowly or is using excessive bandwidth, you can stop providing
service to its peer clients. You can resume providing service to the peer clients of a paused branch reflector
at any time.
When you use the Reject Peers feature, the branch reflector is not deleted from the Branch Reflectors list. The
branch reflector cache is preserved.
You can use the Accept Peers feature to resume providing service to the peer clients of a paused branch
reflector.
Procedure
1
94
In the Mirage Management console tree, right-click System Configuration, select Settings, and click the
Branch Reflectors tab.
VMware, Inc.
Right-click the branch reflector device and reject or accept the peer clients.
Option
Action
Reject peer clients
Select Branch Reflector > Reject Peers.

The branch reflector service status is set to Paused.
Accept peer clients
Select Branch Reflector > Accept Peers.

The branch reflector status is set to Enabled.
Suspend or Resume Server Network Operations

You can suspend network communications with the Mirage server for the branch reflectors and for regular
endpoint devices. Suspending network operations for a branch reflector still allows peer clients to download
layer files from the branch reflector cache, but the branch reflector cannot download new files from the
server.
When you resume network operations, the branch reflector or the individual endpoint device can
communicate with the Mirage server cluster.
Procedure
1
In the Mirage Management console tree, right-click System Configuration, select Settings, and click the
Branch Reflectors tab.
Right-click the branch reflector device and select Suspend Network Operations or Resume Network
Operations.
(Optional) Select Connection State from the column headings drop-down menu to view which branch
reflectors are connected or suspended in the Branch Reflectors window.
Monitoring Branch Reflector Activity

You can monitor branch reflector and associated peer client base layer download activity. You can also show
which branch reflectors are potentially available to a client, and the branch reflector to which it is currently
connected, if any.
View CVD Activity and Branch Reflector Association

You can view the CVD current activity and associated upload and download progress and transfer speed.
The All CVDs window shows the following information.
n
CVD current activity
Percent completed of associated upload and download progress
Rate of transfer speed in KBps
For more information, see Show Potential Branch Reflectors, on page 97.
Procedure
1
Right-click a CVD in the list and select Device > Go to Branch Reflectors.
VMware, Inc.
95
View Branch Reflector and Peer Client Information

You can view information about branch reflectors and their connected peer clients.
The Branch Reflectors window shows the following information about peer client activity.
Downloading Peers
Shows how many peer clients connected to a branch reflector are

downloading the base layer from this branch reflector.
Waiting Peers
Shows how many peer clients connected to a branch reflector are waiting to
download.
Endpoints in excess of the maximum number of simultaneously downloading client peers allowed for this
branch reflector are rejected and receive their download from another branch reflector or directly from the
server. If you observe that the number of downloading peers is constantly close to the Maximum
Connections, consider either increasing the Maximum Connections value or configuring another client in
the site as a branch reflector.
The Connected Peers window shows the following information about connected peers clients:
n
Peer client identifiers
Peer client current activity, for example, waiting and downloading, and the progress of that activity.
Procedure
1
In the Mirage Management console tree, right-click System Configuration, and select Settings, and
click the Branch Reflectors tab.
Click on a branch reflector and select Branch Reflector > Show Connected Peers.
Monitor Branch Reflector and Peer Client Transactions

You can track branch reflector and peer client activity related to a base layer, and how much data was
acquired from a branch reflector by a peer client.
The Transaction Log window shows the following branch reflector and peer client activity related to base
layer download.
n
A branch reflector downloading the base layer.
An endpoint in which a peer client has updated its image. The properties of the Update Base Layer
transaction show how much data was downloaded from the branch reflector and how much data was
downloaded directly from the Mirage server.
The Transaction Properties window shows how much data was acquired from a branch reflector by a peer
client, for example, how much data the endpoint transaction downloaded from the branch reflector, and
how much from the server.
Procedure
96
To view the Transaction log, in the Mirage Management console tree, expand the Logs node and select
Transaction Log.
To view transaction properties, right-click a transaction line and select Update Base Layer transaction >
Properties.
VMware, Inc.
Show Potential Branch Reflectors

You can show which branch reflectors are potentially available to a selected client.
The Potential Branch Reflector window lists the branch reflectors that can potentially serve a selected client,
in the order defined by the Mirage IP detection and proximity algorithm. See Branch Reflector Matching
Process, on page 91. It also provides information about the branch reflector to which the CVD is currently
connected.
Table 121. Potential Branch Reflectors Window Information
Parameter
Description
Serving column
Green V denotes the branch connector is currently selected for the

CVD by the Mirage IP Selection and Proximity algorithm.
Connection Status icon
Branch reflector's connection status with the server, and whether

the branch reflector is currently connected, disconnected,
suspended, or resumed.
Connected Peers and Waiting Peers
See View Branch Reflector and Peer Client Information, on

page 96
Maximum Connections
Maximum connections to peer devices defined for the branch

reflector. See Configure Specific Branch Reflector Values, on
page 93
Last Connection Time
A branch reflector's last connection time to the server.
The Show Branch Reflectors View button opens the Branch Reflectors window with the potential branch
reflectors for the CVD filtered in. See View Branch Reflector and Peer Client Information, on page 96.
Procedure
1
In the Mirage Management console tree, expand the Inventory node and select Assigned Devices.
Right-click a CVD in the list and select Branch Reflector > Show Potential Branch Reflectors.
VMware, Inc.
97
98
VMware, Inc.
Deploying Additional Mirage Servers
13
Mirage provides multiple server volume support. Enterprise organizations with large numbers of endpoint
devices can add servers to the system, providing better access and efficiency where a single server is not
sufficient to keep up with data storage requirements.
n
Using Multiple Servers, on page 99
View Server Information, on page 100
Mirage Servers Window Information, on page 101
Add New Servers, on page 101
Stop or Start the Server Service, on page 101
Remove Servers, on page 102
Integrating a Load Balancing Framework, on page 102
Using Multiple Servers

You can use the Mirage Management server and the console to control and manage the multiple servers.
An enterprise data center can configure multiple servers in a cluster. Each Mirage server, or cluster node,
supports up to 1500 CVDs, depending on its actual system specifications. You can control the number of
CVDs permitted on each server with the server configuration Maximum Connections option. See
Configure Mirage Servers for SSL, on page 48.
Load balancers are used in conjunction with the Mirage system to direct client connections to available
servers. For more information about load balancing in the Mirage system, see Integrating a Load Balancing
Framework, on page 102. Any server that uses the Mirage file portal requires an IIS 7.0 installation.
Every server connects to every storage volume and the Mirage database. Network-attached storage (NAS)
permissions must be in place.
The diagram shows how multiple servers in a cluster connect to clients via the system and load balancers.
Each server shares all storage volumes and the Mirage database.
VMware, Inc.
99
Figure 131. Multiple Servers and Storage Volumes

Mirage clients
Mirage
Management console
WAN
Load balancer
MongoDB
MongoDB
Mirage servers
Mirage
Management
servers
Mirage database
Mirage storage volumes
View Server Information

You can view information about the servers connected to the Mirage Management system.
Procedure
u
100
VMware, Inc.
Chapter 13 Deploying Additional Mirage Servers
Mirage Servers Window Information

Mirage server information is available from the Mirage Management console.
The Servers window provides information about servers in the system.
Table 131. Mirage Servers Window Information
Parameter
Description
ID
Unique server identification number configured by the Mirage Management system.
Status
Status of the server. Up Indicates the server is available and running. Down indicates
that the server is not available.
Name
Name of the server machine.
Status duration
Amount of time that the server has been in the same status.
Connections
Number of endpoints currently connected to the server.
Max Connections
Maximum number of concurrent CVD connections allowed on the server. You can use
the server configuration to configure this setting. See Configure Mirage Servers for
SSL, on page 48.
Use the default setting. Different server specifications allow changing this setting. For
best results, consult with VMware Support before changing the default settings.
Use SSL
Indicates if this server is configured to have clients connect using SSL. This is a global
configuration.
Port:
Port over which the Mirage server is configured to communicate with clients.
CPU
Average percentage of CPU running for this server over a 15 minute period.
Used memory (committed)
Average amount of memory in megabytes used for the server over a 15 minute period.
Physical Memory
Amount of physical memory allocated for the server.
Add New Servers

You can install multiple Mirage servers on the Mirage Management system. When the server is installed, it
registers itself with the Mirage Management server and appears in the servers list.
See the VMware Mirage Installation Guide.
Procedure
1
Double-click the Mirage.server.x64.buildnumber.msi file.

The server installation starts.
Repeat the process for each server to install on the Mirage Management system.
Stop or Start the Server Service

When you need to perform server maintenance or backup, you can stop and start a server service.
See also Suspend or Resume Server Network Operations, on page 95.
VMware, Inc.
101
Procedure
u
Option
Action
To stop the server service
Right-click the server and select Stop Server Service. Click Yes to confirm.
To start the server service
Right-click the server and select Start Server Service. The server status is
Up.
Remove Servers
You can remove a Mirage server from the Mirage Management system.
Removing a server does not uninstall the server, but removes only the server from the system. It does not
remove CVD data from the shared storage volumes. You must uninstall a server manually.
Procedure
1
Right-click the server to remove and select Remove.
Integrating a Load Balancing Framework

Administrators can use a load balancing framework, called VMware Watchdog, to integrate with existing
load balancer servers and communicate state changes to them.
The VMware Watchdog service periodically checks if a specific server is running and can receive new
connections.
Table 132. Mirage Server States
State
Description
Alive
Signals that a server is running and is available to receive new client connections.
Full
Signals that a server has reached the maximum number of concurrent connections. The
service is still running, but new client connections are not accepted.
Dead
Signals that a VMware Mirage server service is not responding or is not operational.
When the server state changes, VMware Watchdog calls an external command to communicate the state
change to the load balancer. You can customize and configure the command to match the particular type of
load balancer deployed in the data center. See VMware Watchdog Service Configuration, on page 102
By default, the Watchdog service is initially disabled. You must start the service for it to function.
The Watchdog log file is located at C:\ProgramData\Wanova Mirage\Watchdog\Watchdog.txt.
VMware Watchdog Service Configuration

You can configure which service and port the VMware Watchdog service monitors, the time interval (in
milliseconds), and the load balancing command to run when switching to any state.
You do this in the Watchdog configuration file, Wanova Watchdog.exe.xml, located in the C:\Program
Files\Wanova\Mirage server directory.
You use a default script, called NLBControl.vbs, to work with the Microsoft Network Load Balancer (NLB).
This script configures Microsoft Cluster (NLB) according to the system state. It contains a list of actions for
enabling or disabling traffic for a specific server.
102
VMware, Inc.
Chapter 13 Deploying Additional Mirage Servers
You then use the Watchdog configuration file Wanova Watchdog.exe.xml to configure the Mirage server host
use the NLBControl.vbs script.
For each Mirage server, replace the IP address with the dedicated IP address of the server node as registered
with the cluster manager.
Some NLB parameters are configurable through the XML file. The PollTimeMs, ServiceName, and ListenPort
commands are relevant for all load balancing scripts.
After you edit XML file settings, you must restart the VMware Watchdog service.
NOTE Any time that you configure an NLB port rule, you must configure it to listen on all the cluster virtual
IP (VIP) addresses and not just on a specific VIP address. This configuration is required for the default script
to work.
Table 133. NBL Parameters in the Watchdog.exe XML File
Command
Description
Syntax
PollTimeMs
Polling frequency (in milliseconds)
<setting name="PollTimeMs" serializeAs="String">

<value>5000</value>
ServiceName
VMware server service name
<setting name="ServiceName" serializeAs="String">

<value>VMware Mirage Server Service</value>
ListenPort
Listening port
<setting name="ListenPort" serializeAs="String">

<value>8000</value>
OnAliveProc
ess
Commands to run when the Mirage server

is open to receive new connections
<setting name="OnAliveProcess" serializeAs="String">

<value>cscript.exe</value>
OnAliveArgs
Arguments used for the OnAliveProcess

commands
<setting name="OnAliveArgs" serializeAs="String">

<value>nlbcontrol.vbs 10.10.10.10 enable -1 </value>
OnDeadProc
ess

is down
<setting name="OnDeadProcess" serializeAs="String">

OnDeadArgs
Arguments used for the OnDeadProcess

commands
<setting name="OnDeadArgs" serializeAs="String">

<value>NlbControl.vbs 10.10.10.10 disable -1</value>
OnFullProce
ss

cannot receive new connections
<setting name="OnFullProcess" serializeAs="String">

OnFullArgs
Arguments used for the OnFullProcess

commands
<setting name="OnFullArgs" serializeAs="String">

<value>NlbControl.vbs 10.10.10.10 drain -1</value>
VMware, Inc.
103
104
VMware, Inc.
Image Management Overview
14
Mirage extends the image layer concept to image updates. Layers are not implemented just once during
initial deployment. Separate app layers are used to distribute more specialized applications to specific
groups of users.
The Mirage approach to image management involves a layer life cycle, which includes base layer and app
layer preparation, capture, update, and assignment processes used to synchronize endpoints.
n
Base Layers and App Layers, on page 105
Layer Management Life Cycle, on page 105
Hardware Considerations with Base Layers, on page 107
Image Management Planning, on page 107
Base Layers and App Layers

A base layer is a template for common desktop content, cleared of specific identity information and made
suitable for mass deployment to endpoints. You can also define app layers, separate from the common base
layer, to distribute more specific applications to groups of users.
The base layer includes the operating system, service packs and patches, as well as core enterprise
applications and their settings.
An app layer can include a single application, or a suite of applications. You can deploy app layers with
other app layers on any compatible endpoint.
App layers require a base layer to be present on an endpoint, but the base layer and any app layers can be
updated independently of each other.
The app layer assignment process is wizard driven and similar to base layer assignment. App layer options
are listed under separate nodes in CVD views, in parallel with base layer action nodes.
The base layer can still include applications directly. App layers are not needed in organizations where
everyone uses the same applications.
Layer Management Life Cycle

The base layer or app layer life cycle begins with a reference machine, where the administrator creates and
maintains the layer content.
The layer management life cycle involves layer capture from a reference machine, layer assignment to
endpoints, and CVD synchronization.
VMware, Inc.
105
Figure 141. Layer Management Life Cycle
Reference
machine
Revise
content
Layer
capture
Base layer
or
app layer
Distribute
layer
CVD
Endpoint
CVD
Endpoint
CVD
Endpoint
Sync
CVD
Layer
swapping
You manage and revise the base layer and app layer contents on a reference machine, through
operations such as adding core or specific applications or patching the OS. See Chapter 15, Preparing a
Reference Machine for Base Layer Capture, on page 111.
You perform a base layer or app layer capture from the reference machine using the Mirage
Management console. Mirage collects the data from the reference machine to create the layer, which is
generalized for mass deployment. You give the layer a name and version. You can make multiple
captures from the same reference machine, and store them in the Mirage servers layer repositories. See
Chapter 16, Capturing Base Layers, on page 115, and Chapter 17, Capturing App Layers, on
page 123.
The resulting changes in an endpoint are propagated back to the endpoints CVD on the server. After
the CVD is synchronized with the latest changes, the layer update operation for that endpoint is
completed.
Each endpoint operates at its own pace, and this phase ends at different times for different desktops
depending on network connectivity and whether the desktop is online or offline.
You initiate base layer or app layer assignment, or update, from the Mirage Management console.
n
This operation first distributes and stores the revised layer at each endpoint, ready to be applied.
It then swaps the old base or app layer on the endpoint with the new one, thereby assigning the
layer to that endpoint. The base layer, or specific applications in the app layer, are instantiated on
the endpoint.
See Assign a Base Layer to CVDs, on page 135 and Assign an App Layer to CVDs, on page 142.
When you next update the base layer or an app layer, the process begins again by generating a new version
of the layer.
The management life cycle for base layers is policy driven. For example, the Upload policy that belongs to
the reference CVD contains system rules that determine which elements of the reference machine are not
included in the base layer. Similarly, the Base Layer Rules policy determines which elements of the base
layer are not downloaded to endpoints. Both policies contain system-defined defaults, which are typically
sufficient for standard deployments. You can also add custom rules to the policy. See Working with Base
Layer Rules, on page 115.
106
VMware, Inc.
Chapter 14 Image Management Overview
Hardware Considerations with Base Layers

You can create generic base layers for use on hardware families with the Mirage driver library feature. You
can maintain a minimum number of generic base layers and use driver profiles to apply the appropriate
hardware drivers.
Virtual Machine Support

A common Mirage situation is reassigning a CVD from a physical machine to a virtual machine, and the
reverse. You can then download a CVD to a workbench virtual machine at the data center for
troubleshooting purposes.
Most virtualization platforms include integration components to enhance the experience of working on a
virtual machine, for example, VMware Tools. These components are also part of a virtual machine base
layer.
Use a separate base layer for the virtual machine, especially if the integration features are part of the base
layer, for example, VMware Tools.
Special Case Hardware Drivers

Certain hardware drivers include installation programs that make them incompatible for pre-installation in
a base layer, for example, Bluetooth Driver installation and Wireless-over-USB. You can install these drivers
using a special script that Mirage starts after a base layer is applied. Mirage then reports failures to the
management service at the data center.
Image Management Planning

When you build a reference machine, you must select the core software to include in the base layer carefully,
as this software is distributed with the base layer to all end users.
Software considerations apply for image management and special instructions for specific software
categories. See Reference Machine Software and Settings, on page 112.
System-Level Software
For best results, include the following applications in the base layer:
n
Antivirus and security products
VPN or other connectivity software, such as iPass
Firewalls
Windows components and frameworks, such as .NET and Java
Global Windows configuration and settings changes
System-level software is sensitive to conflicting software. Endpoints must not receive conflicting software
through other distribution methods. If a certain type of system-level software, for example an antivirus, is
distributed with a base layer, do not distribute different versions of the same software or conflicting
software through other software distribution mechanisms, and the reverse.
Include the organization VPN, antivirus, firewall applications, and the driver store in the minimal restore
set.
VMware, Inc.
107
Software Licensing
The base layer generally includes core applications that an organization uses, while more specialized
applications are typically distributed with app layers. Verify that the software is suitable for mass
distribution and uses a volume license that does not require machine-specific identification or individual
manual activation.
Certain applications are protected by hardware-based identification methods or a unique license key that
resides on the endpoint, for example, in a license file, and must not be distributed with the base or app layer
or installed on the reference machine. The user can still install these applications on the endpoint or through
software distribution solutions that target individual endpoints.
Most enterprise software is protected by a floating or volume license that eliminates this problem.
User-Specific Software
On the reference machine, install software as an administrator, and if the option exists, install software for
all users. Exclude user profiles on the reference machine from the base layer so that you do not distribute
them. Do not distribute software installed exclusively for a specific user, because it might not function
properly.
For example, the Google Chrome default installation is to the current user profile. Make sure you install it
for All Users if it is to be included in the base layer.
To ensure the presence of an application shortcut on the end users desktop or Programs menu, verify that
the shortcut is correctly created when the application is installed on the reference machine. If it is not, create
the shortcut manually in the All Users profile.
Applications that set up and use local user accounts or local groups, or both, might not function well on
endpoints when the base layer is applied to them. Consequently, you must exclude definitions of local user
accounts and local groups from the base layer.
OEM Software
Many hardware vendors include special software to enhance the user experience of their platforms. These
applications can support specific hardware buttons, connection management capabilities, power
management capabilities, and so on.
To include special software as part of the base layer, use the base layer only for compatible hardware. Do
not preinstall hardware-specific software on a single base layer that you want to use for multiple hardware
platforms.
Use App layering for OEM software.
Endpoint Security Software

Mirage does not distribute software that changes the Master Boot Record (MBR). Full disk encryption
software usually modifies the MBR, so this type of software cannot be delivered with a base layer. Such
software can still be installed on individual endpoints through an external delivery mechanism or during
first-time provisioning.
Examples of disk encryption software that use pre-boot authentication are Checkpoint Full Disk Encryption,
PGPDisk, Sophos SafeGuard, and McAfee Endpoint Encryption.
NOTE Mirage requires certain full disk encryption applications to be pre-configured before performing a
Windows 7, Windows 8.1, or Windows 10 migration.
108
VMware, Inc.
Chapter 14 Image Management Overview
Certain security software products take measures to protect their software and do not allow other processes
to modify their files. Software of this type cannot be updated through Mirage. Instead, you must use the
update process recommended by the security vendor to implement central control and management of that
software. Mirage does not interfere with or manipulate the operation of these security products, and does
not override the security measures they provide.
BitLocker Support
Microsoft BitLocker, in Windows 7, Windows 8.1, and Windows 10, performs full disk encryption and is
fully compatible with Mirage. The state of BitLocker is maintained and managed on each endpoint and does
not propagate to the Mirage CVD in the data center.
After you use Boot USB to perform a bare metal restore, the BitLocker state is not preserved and the
machine is not encrypted.
You can use BitLocker scenarios:
n
If BitLocker is enabled on the target endpoint. BitLocker remains enabled after Mirage restore, base
layer update, or rebase operations, regardless of the BitLocker configuration in the original endpoint on
which the CVD was running, or on the reference machine from which the base layer was captured.
If BitLocker is disabled on the target endpoint, it remains disabled after Mirage restore, base layer
update, or rebase operations.
IMPORTANT When you build a Windows 7, Windows 8.1, or Windows 10 base layer for migration purposes,
verify that BitLocker is disabled on the reference machine. Otherwise the migration operations cannot be
completed.
VMware, Inc.
109
110
VMware, Inc.
Preparing a Reference Machine for

Base Layer Capture
15
A reference machine is used to create a standard desktop base layer for a set of CVDs. A base layer on the
reference machine usually includes operating system updates, service packs and patches, corporate
applications for all target users to use, and corporate configuration and policies.
The reference machine used for app layer capture does not generally require advance preparation. Certain
guidelines apply for special circumstances. A base layer does not have to be present on the reference
machine for app layer capture purposes. For more information, see Prepare a Reference Machine for App
Layer Capture, on page 124 and Recreate a Reference Machine from a Base Layer, on page 113.
n
Set Up the Reference Machine, on page 111
Reference Machine Data Considerations, on page 112
Reference Machine Software and Settings, on page 112
Recreate a Reference Machine from a Base Layer, on page 113
Set Up the Reference Machine

You assign a pending device as a reference CVD and configure it with applications and settings for a base
layer that applies to a set of endpoints. After the reference machine is built and configured, the installed
Mirage client uploads its content to an assigned reference CVD, which is used to capture a base layer.
NOTE If you are managing Point of Sale devices, set up physical reference machines for layer capture
operations.
A pending device that is assigned as a reference machine is moved from the Pending Devices list to the
Reference CVDs view.
CAUTION Files and settings from the reference machine are captured in the base layer, and are then
distributed to a large number of endpoint desktops. To avoid unintended consequences, make sure the
configuration is appropriate for mass distribution.
Procedure
1
In the Mirage Management console tree, expand the Inventory node and select Pending Devices.
Right-click the reference machine to be assigned and select Create a new Reference CVD.
Select the required upload policy and click Next.
VMware, Inc.
111
Select a base layer and click Next.

Option
Description
Dont Use a Base Layer
For first-time use, when no base layer exists.
Select Base Layer from List
You select an existing base layer to apply updates and modify content.
Select a volume and click Next.
Click Finish.
The device is moved from the Pending Devices list to the Reference CVDs view.
After the reference machine is configured with applications and settings for a base layer, you can use it to
capture a base layer.
Reference Machine Data Considerations

A base layer consists of all the files in the reference CVD, excluding a list of files and registry entries
specified in the Base Layer Rules policy. The excluded items are the factory policy combined with usercustomized base layer rules.
All the data placed on the reference machine is downloaded as part of a base layer. Keep the following
considerations in mind when you use reference machines.
n
Directories that reside directly under the root (C:\) are by default included in the base layer. Do not
leave directories in the root that you do not want in the base layer.
Avoid storing unnecessary data on the reference machine. Unnecessary data can consume excessive
disk space on the endpoints.
Verify that the Documents and Settings directory does not contain abandoned user profile directories. If
an old user directory exists under the Documents and Settings directory and no user profile is
registered for it in the system, the system considers it a regular directory and treats it as part of the base
layer.
The base layer captures the power options of the reference machine. Verify that the selected power
options are supported on the target devices.
You can exclude specific areas of the reference machine from the base layer. See Working with Base Layer
Rules, on page 115.
Reference Machine Software and Settings

The software installed on the reference machine becomes part of the base layer that you capture. When you
deploy the base layer to other endpoints, those software and settings are delivered to those endpoints as
well.
Software Considerations
Consider the following items before you decide on the software to include in your base layers:
112
Do not include software that is licensed specifically to individual pieces of hardware, or whose licenses
are tied to the hardware.
If the reference machine contains OEM software, you can deploy that base layer only to endpoints of
the same hardware family. This restriction is because OEM software is tied to specific hardware
vendors, makes and models.
VMware, Inc.
Chapter 15 Preparing a Reference Machine for Base Layer Capture
The following items are examples of core corporate software that is typically the most commonly
included software in a base layer:
n
Antivirus
VPN client
Microsoft Office
Corporate applications to be used by all target users

Departmental applications should generally be distributed through app layers.
You can install disk encryption software on the reference machine, but it must not be part of the
base layer. Always deploy disk encryption software to the endpoints after.
It is recommended that you include in the base layer all .NET Framework versions that might be
required by target endpoints. For example, some users might have applications that require .NET
Framework 3.5, and some users might have applications that require .NET Framework 4.0. Include
both .NET Framework versions in the base layer.
For additional software considerations, see Image Management Planning, on page 107.
System-Wide Settings
System-wide settings are transferred from the reference machine to all machines that receive the base layer.
n
Check which settings are required and configure them accordingly.
In special cases, you can add specific exclusion rules to the Base Layer Rules policy. See Working with
Base Layer Rules, on page 115.
For more detailed control outside the base layer configuration, you can use Active Directory Group
Policy Objects (GPOs) to configure settings.
Disable automatic updates of Windows Store Applications on reference machines. If automatic updates
of Windows Store Applications is enabled on reference machines, base layers or app layers might be
captured in the middle of an update.
Examples of settings in the reference machine are power management, remote desktop settings, and service
startup options.
Domain Membership and Login Settings

If the target endpoints assigned to the base layer are members of a domain, verify that the following
conditions are in place:
n
The reference machine used for this base layer is a member of the same domain. Otherwise, users of the
target endpoints are prevented from logging in to the domain and only local users can log in.
The Net Login service is set to start automatically.
To keep the reference machine clear of user-specific information, ensure that you do not log in to the
reference machine using a Mircrosoft liveID account.
Recreate a Reference Machine from a Base Layer

When you want to update a base layer, but the reference machine that was used to create the original base
layer is not available, you can recreate the original reference machine from the existing base layer.
Procedure
1
In the Mirage Management console, expand the Image Composer node and select the Base Layers tab.
Right-click the base layer and select Create Reference CVD from layer.
VMware, Inc.
113
Select a pending device and click Next.
Select an upload policy and click Next.
Click Finish.
What to do next
Use a Mirage restore operation to download and apply the image of the original reference machine to a
selected device to serve as a new reference machine. See Restoring to a CVD After Hard Drive Replacement
or Device Loss, on page 160. You then update or install core applications and apply security updates on
the new reference machine before you capture a new base layer using the existing reference CVD.
114
VMware, Inc.
Capturing Base Layers
16
After you set up the base layer for a reference machine, you can capture a base layer from it so that
endpoints can be updated with that content.
The base layer capture process creates a point-in-time snapshot of the data and state of the live reference
machine, generalized for mass deployment.
A similar process is employed to capture app layers.
You can use a custom post-base layer script called post_core_update.bat to perform certain actions after the
base layer update.
n
Working with Base Layer Rules, on page 115
Applying a Base Layer Override Policy, on page 117
Capture Base Layers, on page 119
Post-Base Layer Assignment or Provisioning Script, on page 120
Working with Base Layer Rules

By default, the base layer is applied to the endpoints. You can define rules to exclude specific content in the
base layer from being applied and include specified subsets of that content.
The system employs a built-in default rule set for production use. You can define a draft rule set, or edit a
rule set. You can test a draft rule set, and when you are satisfied, define it as the default. Only the rule set
currently defined as the default applies for base layer capture purposes.
When a draft rule set is being tested, only the selected CVD is affected. Other CVDs still use the default rule
set, so the production environment is not affected.
You can also define Override policies to prevent specific endpoint content from being overwritten by the
base layer. See Applying a Base Layer Override Policy, on page 117.
View Layer Rule Sets

You can select a rule set to view the details of the rule set.
Procedure
1
In the Mirage Management console, expand the Image Composer node and select Layer Rules.
Right-click a layer rule set and select Properties.
A read-only Layer Rules Details window displays the rule details.
VMware, Inc.
115
Create a Rule Set based on an Existing Rule Set

You can create a copy of a selected rule set with its original details and a new name. You can edit the
contents of the rule set. A new Draft layer rule set is listed in the Layer Rules list.
Procedure
1
Right-click a layer rule set and select Clone.
(Optional) Select the Show factory rules checkbox if you want to view the Mirage mandatory settings
that the administrator cannot change. Factory rules are dimmed in the rules list.
Configure Do Not Download rules and rule exceptions.

Option
Description
Rules list
Defines the files and directories on the reference machine that must not be
applied to the CVD.
Rule Exceptions list
Lists specific files and directories within the directories to be excluded that
must be applied.
For example:
C:\Windows\* in the Rules list will exclude all Windows directories and files.
You can then apply only certain system DLLs in C:\Windows by typing specific paths in the Rule
Exceptions list, such as: c:\Windows\system32\myapp.dll.
All files not matching a rule in the Rules list are applied to the CVD.
Option
Action
Add a new rule or a rule exception
a
b
Click Add next to the relevant list.

Type the rule or exception details, and click OK.
Edit a rule or rule exception
a
b
c
Select the rule or rule exception line.

Click Edit next to the relevant list.
Correct the rule or exception details, and click OK.
Remove a rule or exception
Select the rule or exception line and click Remove next to the relevant list.
When you are finished working with this rule set, click OK.
What to do next
Consider whether override policies are needed to prevent specific problems. See Applying a Base Layer
Override Policy, on page 117.
Test the rule set as a draft on several base layers. See Test a Draft Layer Rule Set on a Test Machine, on
page 116.
When you are satisfied with the changes, you can define the new layer rule set as the Default rule set. See
Set the Default Rule Set, on page 117.
Test a Draft Layer Rule Set on a Test Machine

It is good practice to test a rule set as a draft on several base layers.
When a draft rule set is being tested, only the selected CVD is affected. Other CVDs still use the default rule
set, so the production environment is not affected.
116
VMware, Inc.
Chapter 16 Capturing Base Layers
Prerequisites
You can only test rule sets with Draft status. To test changes to the Default rule set, first create a clone of that
rule set with the changes you want for testing purposes, then define that new rule set as the Default if the
testing is satisfactory. See Create a Rule Set based on an Existing Rule Set, on page 116.
Procedure
1
Right-click the layer rule set to test and select Test Rules Draft.
Select the CVD on which you want to test the selected layer rules and click Next.
Select the base layer to use for the test.
Click Finish.
Test the Default Rule Set

You can only test rule sets with Draft status. To test changes to the Default rule set, first create a clone of that
rule set with the changes you want for testing purposes, then define that new rule set as the Default if the
testing is satisfactory.
Set the Default Rule Set

When you make changes to a rule set or create a rule set and you are satisfied with the changes, you can
define the new layer rule set as the Default rule set.
Procedure
1
Right-click a Draft rule set and select Set As Default.

The rule set has the status Default and replaces the previous default rule set for base layer capture
purposes.
Applying a Base Layer Override Policy

You can define an override policy that allows the base layer to distribute a file only if the file does not exist
in the CVD. You can also define an override policy for registry values and registry keys.
An override policy overcomes problems that can arise when base layers are updated, making it possible for
certain CVD files to remain the same across base layer updates.
Add a Base Layer Override Rule Set

You can add a Do Not Override by Layer rule. This rule allows the base layer to distribute a file only if it
does not exist in the CVD, and makes it possible for certain CVD files to remain the same across base layer
updates.
The same syntax apply as for layer rule sets. See Create a Rule Set based on an Existing Rule Set, on
page 116.
Procedure
1
Select a base layer rule set.

The same syntax for layer rule sets applies to a base layer rule set.
VMware, Inc.
117
Scroll to and configure the Do Not Override By Layer rules and rule exceptions.
Option
Description
Rules list
Defines the files and directories on the reference machine that must not be
applied to the CVD.
Rule Exceptions list
Lists specific files and directories within the directories to be excluded that
must be applied.
All files not matching a rule in the Rules list are applied.
Option
Action
Add a new rule or a rule exception
a
b
Click Add next to the relevant list.

Type the rule or exception details, and click OK.
Edit a rule or rule exception
a
b
c
Select the rule or rule exception line.

Click Edit next to the relevant list.
Correct the rule or exception details, and click OK.
Remove a rule or exception
Select the rule or exception line and click Remove next to the relevant list.
When you are finished working with this rule set, click OK.
Base Layer Override Examples

You can construct base layer override policies to address issues that might occur when base layers are
updated.
Avoid Incompatibility When CVD and Base Layer Applications Share a Component
A base layer update can cause a shared component to be unusable by an application that does not support
the new component version.
Microsoft Office and Microsoft Visual Studio have a common shared component. Office is part of the base
layer but Visual Studio is user-installed and part of the layer that maintains user-installed applications and
user machine information.
Microsoft Visual Studio includes a newer version of the shared component that is backwards compatible
with Office, but the Microsoft Office component version is too outdated for Microsoft Visual Studio.
Without an override policy, every base layer update that occurs after Microsoft Visual Studio is installed
might corrupt the Microsoft Visual Studio installation.
Procedure
1
Add the path of the component to the Do Not Override By Layer policy section.
The following behavior is enforced:
118
If the user first installs Microsoft Visual Studio and then receives Microsoft Office with a base layer
update, Mirage recognizes that the component file already exists and does not override it, leaving the
newer version.
If the user first receives the base layer update, the component file does not exist and is downloaded as
part of Microsoft Office. If the user then installs Microsoft Visual Studio, the newer version of the
shared file is installed, and Microsoft Office and Microsoft Visual Studio function properly.
VMware, Inc.
Avoid Losing Customizations at Initial Provisioning of a Global Configuration File

A base layer update can cause local customization of shared files to be lost.
Lotus Notes has a configuration file that is placed under the Program Files directory that is shared across all
users. The base layer must initially provision the file for Lotus Notes to function properly. However, the file
is then modified locally to maintain the user configuration.
Without a base layer override policy, each base layer update or Enforce All Layers operation causes user
customization to be lost.
Procedure
1
Add the configuration file path to the Do Not Override By Layer policy section.
The base layer version of the file is provisioned to users who receive Lotus Notes for the first time, but is not
delivered to existing Lotus Notes users.
Overriding Registry Values and Keys

You can apply a base layer override policy for setting registry values and registry keys.
Overriding Registry Values

Registry values behave similarly to files.
n
If a registry value exists, it is not overwritten.
If the registry value does not exist, its content is distributed with the base layer.
Overriding Registry Keys

Registry keys behave uniquely.
n
If a registry key path is included in the Do Not Override By Layer policy section, and the key exists in
the CVD and the base layer, the key, including its subkeys and values, is skipped entirely in the base
layer update.
If the key does not exist in the CVD, it is handled normally and delivered with all of its subkeys and
values with the base layer.
Capture Base Layers

After the reference machine is centralized to a reference CVD on the Mirage server, you can capture a new
base layer from that reference CVD. You can capture the base layer from either an existing reference CVD,
or a new reference CVD as a new source of layer capture.
Prerequisites
When you create a base layer to be used in a Windows 7, Windows 8.1, or Windows 10 migration, make
sure the Windows base layer migration requirements are satisfied.
Procedure
1
VMware, Inc.
In the Mirage Management console, select Common Wizards > Capture Base Layer.
119
Select the capture type, and an existing CVD or pending device, and click Next.
Option
Action
Use an existing reference CVD
a
b
Select to capture a base layer from an existing CVD.

Select the reference CVD from which you want to capture the base
layer.
Create a new reference CVD
a
b
Select this to create a new source of layer capture.

Select the pending device and the upload policy to use for this
reference CVD.
Select the base layer capture action to perform and click Next.
Option
Action
Create a new layer
Select this option and specify the new base layer details.
Update an existing layer
Select this option and the base layer to update.
Fix validation problems, click Refresh to make sure they are resolved, and click Next.
(Optional) If Microsoft Office 2010 or Microsoft 2013 is installed on the reference machine, specify your
Microsoft Office 2010 or Microsoft Office 2013 license keys and click Next.
Click Finish to start the capture process.
Click Yes to switch to the task list view where you can monitor the progress of the capture task.
When the task is finished, the base layer is moved to the Base Layers list under the Image Composer node
and you can apply the capture to endpoints. See Chapter 18, Assigning Base Layers, on page 131.
Post-Base Layer Assignment or Provisioning Script

You can include a custom post-base layer script in the base layer capture. This script perform certain actions
required after a base layer update, such as installing software that must be run on the individual endpoint,
or updating or removing hardware drivers that might already exist on the endpoint. You can also use a
post-base layer script following a layer provisioning operation.
Software required to be run on the individual end point can include hardware-specific software that is
compatible with only certain endpoints.
The client installation includes a default sample script that does not perform post-base layer script actions.
The client continues to run the post-base layer script at every startup, until the first upload following the
base layer update is finished. This ensures that the state of the CVD on the server includes the result of the
post-base layer script. This process is also done for every enforce base layer operation.
CAUTION The script must include the relevant checks and conditional clauses so that any parts that require
one-time execution are not run again.
Prerequisites
The post-base layer script file and auxiliary files used or called by the script are captured as part of the base
layer and distributed to the endpoints. Verify that the auxiliary files are placed in the same directory as the
script or another directory that is captured in the base layer.
120
VMware, Inc.
Procedure
1
After a base layer update operation, create a file called post_core_update.bat under the %ProgramData
%\Wanova\Mirage Service directory.
OR
After a layer provisioning operation, create a file called post_provisioning.bat under the %ProgramData
%\Wanova\Mirage Service directory.
2
Edit the file on the reference machine to perform the required post-deployment actions on the endpoint.
To monitor the execution of the post-base layer script, the client reports events to the central management
service if the script returns an error value other than zero.
VMware, Inc.
121
122
VMware, Inc.
Capturing App Layers
17
You can provide sets of more specialized applications to specific users through app layers, independent of
the core applications that are generally distributed with the common base layer.
You can capture an app layer that contains a single application, or a suite of applications from the same
vendor. You can create app layers to include applications relevant for a specific department or group. You
can combine app layers with other app layers and deploy them on any compatible endpoint.
You define and deliver app layers by capturing an app layer and then assigning them to endpoints. See
Assigning App Layers.
The app layer capture process creates a snapshot of designated applications installed on a live reference
machine, which is generalized for mass deployment.
You can use a CVD as the reference CVD for app layer purposes. A base layer does not need to be present
on the reference machine.
See Base Layers and App Layers and Layer Management Life Cycle.
n
App Layer Capture Steps Overview, on page 123
Prepare a Reference Machine for App Layer Capture, on page 124
Performing the App Layer Capture, on page 125
What You Can Capture in an App Layer, on page 128
Capturing OEM App Layers, on page 129
Capture Multiple Layers on a Virtual Machine, on page 130
Create a Post-App Layer Deployment Script, on page 130
App Layer Capture Steps Overview

Capturing a single app layer involves several procedures.
For information about capturing multiple app layers, see Capture Multiple Layers on a Virtual Machine,
on page 130.
Prepare the Reference Machine

A standard reference machine is required for capturing an app layer. A virtual machine is suitable for
capturing most applications.
See Prepare a Reference Machine for App Layer Capture, on page 124.
VMware, Inc.
123
Capture the Pre-install State

After the reference machine is ready, capture the pre-installation state of the machine.
See Start an App Layer Capture, on page 125.
Install the Applications

When the pre-installation state of the machine is captured, you install the applications to be captured, apply
any application updates and patches, and customize global settings or configurations.
n
Install Applications on the Reference Machine, on page 126
What You Can Capture in an App Layer, on page 128
Capturing OEM App Layers, on page 129
Application Upgrades, on page 124
Capture the Post-Install State

After applications are installed, updated and configured, complete the capture. This process uploads the
app layer to the Mirage server and adds it to the list of available app layers in the Management console. For
more information, see Post-Scan and Layer Creation, on page 127.
Test the App Layer Deployment

Before you deploy app layers to many endpoints, test each captured app layer by deploying it to a selected
sample of target endpoints to verify that the applications work as expected on these endpoints after
deployment.
Deploy the App Layer

After testing is completed, the app layer is ready for deployment to any selected collection of target
endpoints. See Chapter 19, Assigning App Layers, on page 141.
Application Upgrades
When a new version of an application is available, you can replace the existing app layer with a new layer.
1
Capture the upgraded application in an app layer, together with any other applications or updates
required at that time. As described in this procedure, start with a clean reference machine and capture
the installed new application.
After you have a new app layer, update the layers to replace the old app layer with the new app layer.
See Chapter 19, Assigning App Layers, on page 141.
Prepare a Reference Machine for App Layer Capture

The reference machine for app layer capture should have a standard installation of the required operating
system. Other advance preparation is not required. Certain guidelines apply for special circumstances.
Prerequisites
Verify that the following conditions exist for special circumstances:
124
A virtual machine is created for capturing all except hardware-specific app layers.
The reference machine has a standard installation of the required OS, for example, Windows XP,
Windows 7 32-bit or Windows 7 64-bit, Windows 8.1 32-bit or Windows 8.1 64-bit, or Windows 10 (64bit).
VMware, Inc.
Chapter 17 Capturing App Layers
App layers are deployed to compatible OS versions. You must capture app layers separately for
Windows XP, Windows 7 32-bit, Windows 7 64-bit, Windows 8.1 32-bit, Windows 8.1 64-bit, Windows
10 (64-bit). An app layer captured on Windows 7 cannot be deployed on a Windows 8.1 (32-bit or 64bit) machine, and the reverse. An app layer captured on Windows 8.1 32-bit cannot be deployed to
Windows 8.1 64-bit, and the reverse.
Avoid software in the standard state of the reference machine that have the following characteristics:
n
Can cause changes to be made to the machine while you are installing the applications.
Is auto-updating. If you cannot avoid auto-updating software, try to disable the auto-update
feature of any pre-existing software. For example, turn off automatic Windows Update installation
and automatic anti-virus definition updates.
If you plan to capture a .NET-based application that uses a version of .NET not included in the standard
Windows OS you installed, install the required .NET Framework in the clean reference machine before
you start the capture and install your application. Deliver the .NET Framework itself through the base
layer, if possible.
Verify that the standard reference machine is similar in content to the base layers used throughout the
organization, for example, with the same Windows service pack version and .NET Framework version
as the base layer.
Disable automatic updates of Windows Store Applications on reference machines. If automatic updates
of Windows Store Applications is enabled on reference machines, base layers or app layers might be
captured in the middle of an update.
Procedure
1
Install the Mirage client on the reference machine.

The virtual machine device state is Pending Assignment in the Mirage Management console.
Restart the reference machine.

Restarting assures best scan performance when you are capturing app layers.
What to do next
Continue to capture the pre-install state of the machine. See Start an App Layer Capture, on page 125.
Performing the App Layer Capture

The app layer capture process starts with a pre-scan of the reference machine, installing the applications,
and a post-scan.
n
The pre-scan creates an image of the reference machine before the required applications are installed.
See Start an App Layer Capture, on page 125.
The application installation installs the required applications on the reference machine that was selected
in the pre-scan. See Install Applications on the Reference Machine, on page 126.
The post-scan creates an image of the reference machine after the required applications are installed.
The system then detects all changes following the installation and starts the capture process. See PostScan and Layer Creation, on page 127.
Start an App Layer Capture

The pre-scan step creates an image of the reference machine before the required applications are installed.
Follow the prompts to remove any validation warnings or errors.
VMware, Inc.
125
Prerequisites
You can use any CVD as the reference CVD for app layer purposes.
The Mirage client is installed on a clean reference machine.
A base layer does not need to be present on the reference machine.
Procedure
1
In the Mirage Management console, select Common Wizards > Capture App Layer.
Select a pending device from which to capture an app layer and click Next.
Select an upload policy and click Next.

If you do not make an Upload policy selection, a default upload policy value applies.
Follow the prompts to remove validation warnings or errors and click Next.
The validations ensure that the machine is ready for capture.
Click Finish to start the pre-scan capture process.

A message appears asking if you want to switch to the task list view to follow the progress of the
capture task in the Task list.
When the task is complete, the app layer is moved to the App Layers list under the Image Composer node.
The pre-scan processing starts. A progress window shows the Pre-Install State Capture progress. Alerts
show the process stage.
The Task Monitoring window shows a Capture App Layer task, from which you can monitor the operation
progress and status.
NOTE If you miss the message, check that the red recording icon appears on the Mirage icon before you
start installing applications.
What to do next
When the Finished capturing pre-installation system state message appears, you can install
applications to the reference machine. See Install Applications on the Reference Machine, on page 126.
Install Applications on the Reference Machine

The application installation step installs the required applications on a reference machine.
After the pre-scan step is completed, the client notifies you that you can install applications.
CAUTION Any file or registry change that you make inside the captured area will be part of the app layer
and applied to endpoints when you deliver the app layer. The Mirage policy can configure this area. Avoid
putting sensitive information in the reference machine used for capturing app layers that you do not want to
distribute to other devices.
See What You Can Capture in an App Layer, on page 128.
Prerequisites
n
126
Mirage does not capture application installations or configuration changes made for specific user
profiles for an app layer. Whenever applications such as Google Chrome give options to install or set
shortcuts for either a specific user or globally for all users, always choose the all users option so that
these installations and configurations are captured as part of the app layer.
VMware, Inc.
When you install applications, do not make any changes that are not wanted in the capture. For
example:
n
Avoid installing software updates or applications that you do not want to capture.
Avoid launching other applications or Windows components that the installation process of the
application you want to capture does not require.
Avoid hardware changes, domain membership changes, and other configurations that are not
required.
Avoid GPO scripts running on the machine during the recording phase.
To reduce conflicts between vendors, install applications of the same vendor in the same single-app
layer.
Whenever possible, install software that can be volume-licensed and does not require hardware-bound
licensing and activation. Delivering hardware-bound licensed applications through app layers usually
triggers reactivation of the software on the endpoints.
Procedure
u
Install all of the applications required to be captured for the app layer on the reference machine.
This process includes applying application updates and patches to the installed applications, and
customizing global settings and configurations.
The CVD remains in a Recording mode until processing is started, which signals that application
installations were completed.
If the reference machine is restarted for any reason, the console reminds you that recording is still in
progress and that you should complete application installation.
What to do next
After all the required applications are installed, run each application one time to ensure that the applications
were installed correctly. After you run the applications, you can perform a post scan and create a layer. See
Post-Scan and Layer Creation, on page 127.
Post-Scan and Layer Creation

After the scan, you create an image of the reference machine, after the required applications are installed.
The process then detects all changes following the installation and starts the final capture.
Prerequisites
All application, update, and configuration changes must be successfully finished, including machine restarts
that the application installer requires.
Procedure
1
In a Reference CVD view, select the reference CVD where you installed the applications to be captured.
Right-click the reference CVD and select Finalize App Layer Capture.
Verify the list of applications to be captured and click Next.
(Optional) Select the Show Updates checkbox to display hot fixes for Windows that were installed in
the recording phase.
VMware, Inc.
127
Select the type of capture and click Next.

Option
Action
Create a new layer
Specify the new app layer details.
Update an existing layer
Select the app layer to update. Selected by default if the installed

application upgrade codes indicate the new app layer is an update of an
existing App Layer. You can change the selection.
Follow the prompts to remove validation warnings or errors and click Next.
If Microsoft Office 2010 or Microsoft Office 2013 is installed, define your Microsoft Office license keys
and click Next.
Click Next again and click Finish to start the capture conclusion processing.
The Mirage client indicates the progress of the post-scan.
The Task list shows that the task is completed. The new app layer appears in the App Layers list.
What to do next
You can now apply the capture to endpoints. See Chapter 19, Assigning App Layers, on page 141.
What You Can Capture in an App Layer

You can capture a wide range of entities as part of an app layer.
Supported Entities
An app layer can contain the following entities:
n
A single application or a set of applications
Any updates or patches related to the installed applications
Global application configurations and settings
Any custom set of files and registry entries
For example, an app layer can contain Adobe Reader, Microsoft Visio 2010 or the entire Microsoft Office
2010 suite. An app layer can also be used to capture OEM software, such as the Dell software suite,
including drivers and utilities.
NOTE When an update, patch, or service pack becomes available for an application in the app layer, you
must capture a new complete app layer with the original application and the update installed in the
application software.
VMware Mirage can additionally contain the following elements:
128
Windows services
Kernel drivers
Shell integration components or shell extensions
Browser plug-ins
COM objects
Global .NET assemblies
OS language packs
VMware, Inc.
Unsupported Entities
The following components are not supported for delivery as part of VMware Mirage app layers:
n
User accounts and groups, both local and domain users, and user-specific changes
OS components or OS-bundled applications, for example, the .NET framework, Windows updates,
Internet Explorer, and Windows Media Player
Windows license
NOTE You can deliver OS components or OS-bundled applications and the Windows license as part of a
base layer instead.
Partially Supported Entities

The following applications are partially supported for delivery as app layers:
n
Disk encryption software
Applications that make changes to the Master Boot Record or to disk blocks
Kaspersky Internet Security
Microsoft SQL Server
Recommended for Base Layer Only

Install the following applications in the base layer and not in app layers:
n
Windows security applications, for example anti-virus, anti-malware, and firewalls
VPN or other connectivity software, such as iPass
Windows components and frameworks, for example .NET, Java
Global Windows configuration and settings changes
Capturing OEM App Layers

You must follow certain guidelines when you capture hardware-specific software.
Follow these guidelines to successfully capture hardware-specific software, such as Dell or HP application
and driver suite.
n
Some vendors provide a single OEM application suite that is compatible with many or most of their
hardware models. Use this suite for the OEM layer capture.
If the vendor only provides an OEM suite that is relevant for a specific hardware model or model line,
install the OEM software on the hardware model for which it is intended or on a compatible model.
Mirage provides the following ways to deliver OEM device drivers to target endpoints.
VMware, Inc.
Through the driver library. For more information about how to deliver device drivers to specific
hardware models in a rule-based manner, see Chapter 10, Managing the Driver Library, on
page 79.
Through base or app layers. In this method, you either install or place all relevant device driver
packages in the reference machine, in a path that is also defined in the Windows DevicePath
registry value. You can also install the corresponding OEM applications in the same reference
machine. You then capture a base or app layer from the reference machine. You can use this layer
to deploy OEM applications and drivers to any endpoint of the matching hardware models.
129
Capture Multiple Layers on a Virtual Machine

When you need to capture multiple app layers, it is useful to use a single virtual machine.
Procedure
1
Create a standard reference machine on a virtual machine, install the Mirage client, and centralize the
device to a reference CVD.
In the Management console, use the Start App Layer Capture option to take a snapshot of the clean preinstall state.
Install the applications.
In the Management console, use the Finalize App Layer Capture option to complete the creation of the
app layer.
Wait until the app layer appears in the App Layers view of the Management console.
Revert the virtual machine to the Clean State snapshot.
Wait for the device status to become Pending Assignment.
Repeat Step 3 to Step 7 to capture the next app layer.
Create a Post-App Layer Deployment Script

In rare cases, you might need the client to run a custom script after the app layer is deployed, for example,
to apply a specific application license after it is installed through an app layer. This script is captured as part
of the app layer.
Procedure
1
Start the App Layer Capture wizard to complete a prescan of the reference machine.
Install the application you want to capture.
Give your script a unique name with this pattern: post_layer_update_*.bat

For example: post_layer_update_myappv2_license.bat
Copy the script to %programdata%\Wanova\Mirage Service.

This path usually translates to:
c:\ProgramData\Wanova\Mirage Service (Windows 7)
c:\Documents and Settings\All Users\Application Data\Wanova\Mirage Service (Windows XP)
130
Run the Finalize App Layer Capture wizard to complete the postscan and the creation of the app layer.
After the app layer is deployed to an endpoint, Mirage starts your script.
VMware, Inc.
Assigning Base Layers
18
After a base layer capture is completed, the revised base layer is distributed and stored at each endpoint
desktop, and then assigned at each endpoint .
Assigning a base layer to an endpoint, or collection of endpoints, applies the contents of the base layer to the
designated endpoints. Any applications, updates, or patches built in the base layer also reside on the
endpoint device. See Assign a Base Layer to CVDs.
Processes similar to assigning a base layer are employed to assign applications associated with app layers to
endpoints. See Assign an App Layer to CVDs.
For more information about the base layer deployment process, see Layer Management Life Cycle.
For more information, see the VMware Mirage Administrator's Guide.
n
Detect Potential Effects of the Layer Change, on page 131
Testing the Base Layer Before Distributing it to Endpoints, on page 134
Assign a Base Layer to CVDs, on page 135
Assign a Previous Layer Version, on page 137
Monitor Layer Assignments, on page 137
Correct Software Conflicts By Using a Transitional Base Layer, on page 138
Fix Broken Layers on Endpoints (Enforce Layers), on page 138
Provisioning a Layer for an Endpoint, on page 139
Detect Potential Effects of the Layer Change

Before you apply a new base layer or replacing app layers, or both, for a CVD or collection of CVDs, you can
run a report that describes the potential effects of the layer changes on the CVDs. This report can help you
plan the layer update process and resolve in advance conflicts that might result from mismatches in layer
contents on the selected CVDs.
The Comparison report is generated in HTML format and opened in your default Web browser. You can use
Microsoft Excel to view the report and filter data. See Comparison Report Format, on page 133.
VMware, Inc.
131
Procedure
1
Select at least one base layer to use in the analysis and click Next.
Option
Description
No change to the target base layer
Analyzes only app layer changes.
Select Base Layer from list
a Select to apply a new base layer to all the selected CVDs.

b Select the required base layer.
If the selected CVDs have different base layers, this option standardizes
the base layer over all the CVDs.
Select at least one app layers to use in the analysis.

Option
Description
Available Layers panel
Lists the available app layers that are not currently used by any of the
selected CVDs. When Show only latest layers is selected, older versions of
any software are suppressed from the view.
Assigned layers panel
Lists the app layers currently used by some or all the selected CVDs. Black
lines denote app layers used by all the CVDs, gray lines denote app layers
used by only some of the CVDs.
Select what to analyze.

Option
Description
Analyze only a base layer change

without app layer changes:
Click Finish without making any changes in this page.
Add app layers to all the selected

CVDs:
Select lines in the Available Layers panel and click the right arrow.
Remove app layers from all the

selected CVDs where they are used:
Click Finish.
The HTML report is generated and opened in your default Web browser.
What to do next
Review the listed changes and adjust the reference machine to avoid unintended consequences. In the case
of downgrades, consider upgrading the relevant software to avoid software being downgraded on
endpoints or CVDs excluded from the assignment.
Compare Base Layers to Each Other

You can produce a comparison report that compares one or more base layers with another base layer.
The comparison report describes the differences between the contents of one or more base layers and a
selected base layer. This report uses the same format as in Detect Potential Effects of the Layer Change, on
page 131, but in terms of base layers instead of CVDs.
Procedure
1
132
Select one or more base layers in the base layers view, right-click, and select Compare Programs with
Layer.
VMware, Inc.
Chapter 18 Assigning Base Layers
Select at least one base layer to use in the analysis and click Next.
Option
Description
No change to the target base layer
Analyzes only app layer changes.
Select Base Layer from list
a Select to apply a new base layer to all the selected CVDs.

b Select the required base layer.
If the selected CVDs have different base layers, this option standardizes
the base layer over all the CVDs.
Select at least one app layers to use in the analysis.

Option
Description
Available Layers panel
Lists the available app layers that are not currently used by any of the
selected CVDs. When Show only latest layers is selected, older versions of
any software are suppressed from the view.
Assigned layers panel
Lists the app layers currently used by some or all the selected CVDs. Black
lines denote app layers used by all the CVDs, gray lines denote app layers
used by only some of the CVDs.
Select what to analyze.

Option
Description
Analyze only a base layer change

without app layer changes:
Click Finish without making any changes in this page.
Add app layers to all the selected

CVDs:
Remove app layers from all the

selected CVDs where they are used:
Click Finish.
The HTML report is generated and opened in your default Web browser.
What to do next
Review the listed changes and adjust the reference machine to avoid unintended consequences. In the case
of downgrades, consider upgrading the relevant software to avoid software being downgraded on
endpoints or CVDs excluded from the assignment.
Comparison Report Format

The Comparison report summarizes the changes in the programs installed on the selected endpoints
resulting from planned changes in their assigned layers.
You run the Comparison report for a selection of CVDs, pending devices, or a collection, as described in
Detect Potential Effects of the Layer Change, on page 131,
The report lists the layering operations to be performed and simulates the resulting user program list
changes. The layering operations can include the following operations, in any combination:
n
Base layer change or assignment
Single or multiple app layer assignments or removals
Enforcement or reinstallation of the current layers
Enforcement with removal of user installed applications
VMware, Inc.
133
This report is one of several Layer Dry-Run reports available from the Management Console Reports
feature. See Layer Dry Run Reports, on page 186.
The report includes general information, user-installed application conflicts, and managed application
changes sections.
General Information
Table 181. General Information Section Parameters
Parameter
Description
Generated By
Username of the administrator who generated the report.
New Base Layer
Base layer requested to be assigned, if any.
Added App Layers
App layers requested to be assigned, if any.
Removed App Layers
App layers requested to be removed, if any.
Enforced
Indicates whether the administrator asked to enforce the content of the layers.
User Installed Application Conflicts

User-installed application conflicts generate tables that summarize any conflict that the layer operation
would involve, such as upgrade or downgrade, on programs installed or changed by users. Tables vary
according to scope of changes. These conflicts cannot be anticipated from previous layering operations.
Table 182. User Installed Application Conflicts Tables
Table
Description
Installed
Programs to be installed. Applies to Managed Application Changes section only.
Removed
Programs to be removed.
Downgraded
Programs to be downgraded.
Upgraded
Programs to be installed or upgraded to a new version.
Managed Application Changes

Managed application changes tables summarize the changes resulting from the layer operation on programs
managed with Mirage layers. Tables vary according to scope of changes.
Table 183. Managed Application Changes Tables
Table
Description
Installed
Programs to be installed. Applies to Managed Application Changes section only.
Removed
Programs to be removed.
Downgraded
Programs to be downgraded.
Upgraded
Programs to be installed or upgraded to a new version.
Testing the Base Layer Before Distributing it to Endpoints

Because base layer updates include operating system and other critical component updates, test a new base
layer before distributing it to endpoints.
After you capture a base layer, select a sample group of endpoints and distribute the base layer to them to
verify that no problems exist.
134
VMware, Inc.
If the base layer is used with multiple hardware platforms, test one sample per platform. Also do a test
distribution of a base layer to a typical user machine with user-installed applications to verify that the
overall update results are satisfactory before you distribute to multiple endpoints.
The Base Layer Rules policy is used during first-time deployment to identify the parts of the endpoint that
the base layer manages, and the parts to be left unmanaged at the endpoint. In an initial distribution, no
previous base layer exists to compare against, so Mirage does not remove existing software from the
endpoints before applying the base layer.
Assign a Base Layer to CVDs

After a base layer is updated at the server and tested on at least one CVD, you can assign it to individual or
multiple CVDs.
If collections are defined, you can assign the new base layer to all the CVDs in a collection in one step. See
Working with CVD Collections, on page 23.
The download to the endpoint transfers only new files and incremental changes to existing files of the target
endpoint.
When a file exists in a base layer, it overwrites the corresponding file in the target endpoint, unless one of
the following conditions apply:
n
The file is defined in the Do Not Download rules in the Layer Rules.
The file is defined in the Unprotected Area in the CVD Policy Details.
When software or system registry keys and values exist in the base layer, they overwrite the corresponding
registry keys in the target endpoint, unless the registry entry is defined in the Registry Keys To Exclude in
the System Hive or Software Hive tabs in the Layer Rules.
User profiles, for example c:\users\john, and any corresponding user registry hives are not overwritten by
the base layer update operation.
The process swaps the old base layer with the new one, assigning the base layer to the endpoint and
instantiating the endpoint. The changes in an endpoint are propagated back to the endpoint CVD on the
server.
Before a new or updated base layer is applied, the VMware Mirage server takes a CVD snapshot so that it
can roll back in case of post-update problems.
Before and during base layer download, VMware Mirage verifies that enough disk space is available to
proceed with the operation.
The same interfaces are used to apply or modify a base layer for multiple CVDs, or a collection.
You can upgrade an existing base layer or app layers to all CVDs that are already assigned with previous
versions of those layers. See Assign a Previous Layer Version, on page 137.
During the assignment process, certain system aspects are validated.
Table 184. Assignment Validations
System Aspect
Validation Description
Operating System
The system checks that the CVD and the new base layer have the same OS and type
(32- or 64-bit). If they are different, the system blocks those CVDs from receiving
the base layer.
Computer Type
The system checks that the CVDs and the base layer share the same computer type
(for example, laptop versus desktop). A warning appears if they are different. If the
base layer was prepared to support both desktops and laptops, you can approve
and continue.
VMware, Inc.
135
Table 184. Assignment Validations (Continued)

System Aspect
Validation Description
Vendor and Model Name
The system checks that the base layer and the CVDs are from the same computer
vendor. A warning appears if they are different. If the base layer was prepared to
support the different vendor types, you can approve and continue.
Drive Letters
The system checks that the CVDs include the required drive letter in the base layer.
If the CVDs do not have the appropriate drive letters, the system blocks these
CVDs from receiving the base layer.
Prerequisites
Assign a base layer to a CVD only after endpoint centralization is completed for that CVD and its content is
protected in the server. You can revert to the previous CVD state.
Procedure
1
In the VMware Mirage Management console tree, select Common Wizards > Assign Base Layer
Select individual or multiple CVDs, or a collection of CVDs to update, click Select and click Next when
you are finished.
The selected CVD details appear in the bottom pane.
Select the base layer with which you want to update the CVDs and click Next.
The details of a base layer appear in the bottom pane.
Correct mismatches between the base layer and the selected CVDs if needed.
Ignore any warnings that are not applicable. The following system aspects are validated.
Click Finish.
An update task is created. The client periodically checks the server for updates to download as part of
its regular processing.
The administrator procedure is finished.

When the client next connects, download and swap operations take place, which ask the user to restart.
Allow some time for the changes to download.
Cancel a Base Layer Assignment in Progress

You can discontinue a base layer assignment that is not yet finished.
Procedure
1
In the Mirage Management console tree, expand the Inventory node and select All CVDs or
Collections.
Right-click the CVD or collection for which you want to cancel the base layer update.
Select Layers > Cancel Pending Layers.
Monitor the Layer Assignment Progress

After a layer is assigned to a number of CVDs, you can monitor the update process.
The layer deployment view displays the current status of the layer deployment progress.
136
VMware, Inc.
Table 185. Assignment Progress States

Progress State
Description
Pending
The layer was assigned to the CVD, but has not begun downloading to the endpoint.
Throttled
The endpoint tried to download the layer from the Mirage server and was rejected because
of server resource throttling.
Downloading
The endpoint is downloading the layer.
Committing
The layer was downloaded and installed successfully by the endpoint and the client is now
updating the CVD with the new content.
Blocked
The layer was blocked, and was not downloaded to the endpoint.
Canceled
The layer download process was canceled by the administrator.
Rejected
The layer was downloaded to the endpoint and failed the validation check on the endpoint.
Done
The layer update operation was completed.
Procedure
1
In the Mirage Management console, select the Task Monitoring node.
Right-click the specific layer task, and select View assignments.

The specific layer update or assignment view appears.
Assign a Previous Layer Version

You can upgrade an existing base layer or app layers in all CVDs to which previous versions of those layers
are already assigned. Programs in a CVD that are at the same version as in the layer are not reinstalled and
not enforced.
The operation status is Update Layer, similar to a regular Update Layers operation.
Procedure
1
In the Mirage Management console tree, expand the Image Composer node and select Base Layers or
App Layers.
Select the base layer or app layers with which you want to update all CVDs with previous versions of
those layers.
Right-click and select Update CVDs to this layer version.
Monitor Layer Assignments

You can view and monitor which endpoints have certain layers assigned to them.
You can monitor layer assignment progress through the Layer Assignments window. The Task Monitoring
window shows the overall status and the task progress.
Procedure
u
VMware, Inc.
From the Mirage Management console, select a monitoring method.

Option
Action
To monitor all of your current layer

assignments
Expand the Image Composer node and select Layer Assignments.
To monitor the progress of a layer

provisioning download to a specific
device
Expand the Image Composer node, select Layer Assignments, right-click a

CVD, and select Layers > View assignments.
137
Option
Action
To monitor the progress or status

of a specific layer
Expand the Image Composer node, select Base layer or App Layer, rightclick a layer, and select View assignments.
To monitor the progress of a layer

assignment task
For example, you sent a layer to 100 CVDs. From the Mirage Management
console tree root, select Task Monitoring, right-click the task and select
View assignments.
Correct Software Conflicts By Using a Transitional Base Layer

Before you apply a base layer, verify that software to be deployed by the base layer does not conflict with
locally installed software, for example, an antivirus product on the base layer and on an endpoint are
different.
You can perform an ad-hoc cleanup using a transitional base layer to remove conflicting software.
Procedure
1
Use the problematic endpoint as a reference machine to capture a temporary transitional base layer
with the conflicting software.
Apply the transitional base layer to the endpoint and any similar endpoints.
Replace the temporary base layer by applying the base layer of choice, which replaces the conflicting
software.
The initial rollout flow with a transitional base layer includes the following aspects:
1
Any application that is included in the transition base layer becomes a managed application when the
transition base layer is assigned.
Managed applications undergo an update or removal process upon subsequent base layer update
operations.
New base layers are constructed and endpoints are updated with the new base layer.
Fix Broken Layers on Endpoints (Enforce Layers)

Users and applications might make changes to files and registry settings that were provisioned through a
base layer or app layer. Sometimes these changes create problems with the desktop operation. In most cases,
you can resolve the problem by enforcing the layer originally assigned to the CVD.
The Mirage client downloads only the relevant files and registry settings required to realign the CVD with
the original layer. User profiles, documents, and installed applications that do not conflict with the layer
content are preserved.
Enforcing all layers can also be set to remove user-installed applications residing in the machine area of the
CVD. This ability is useful, for example, for fixing a problematic CVD in which all layer applications do not
function because of overwritten or corrupted system files. Removing user applications deletes machine area
files and registry keys that are not in the current base layer, with the exception of files defined in the User
Area policy.
Procedure
138
Right-click the relevant CVD and select Enforce All Layers.
VMware, Inc.
Select an enforce option.

Option
Description
Preserve user applications
Keeps the user-installed applications on the CVD.
Remove user applications
Deletes user-installed applications from the CVD.
Click OK.
Provisioning a Layer for an Endpoint

When Mirage is already implemented, you can prepare new devices to be part of the organization using
layer provisioning.
The layer provisioning process first cleans up the device files and applies an existing base layer and app
layers, if you selected app layers, as a common template. The device is then freshly imaged, and assigned to
and synchronized with a newly created CVD.
After the Mirage client is installed on the new device, the Pending Devices panel shows the device as
pending assignment.
The user can use the desktop as usual, performing offline work and network transitions, after the
centralization processing associated with the provisioning operation starts. The Mirage client monitors user
activities and adjusts its operation to optimize the user experience and performance.
After the server synchronization is completed, the transaction log shows a successful provisioning entry.
The desktop is protected and you can centrally manage the desktop at the data center.
You can use the post_provisioning.bat custom post-base layer script to perform certain actions after layer
provisioning.
VMware, Inc.
139
140
VMware, Inc.
Assigning App Layers
19
After an app layer capture is completed, you can distribute and assign the revised app layer to each
endpoint desktop.
When you assign app layers to an endpoint, their contents are applied to the endpoint, so that all the
changes or modifications to the applications reside on the endpoint devices. See Assign an App Layer to
CVDs.
For more information about app layers, see Base Layers and App Layers.
For more information about the layer deployment process, see Layer Management Life Cycle.
For more information, see the VMware Mirage Mirage Administrator's Guide.
n
Detect Potential Effects of the App Layer Change, on page 141
Testing App Layers Before Distributing it to Endpoints, on page 141
Assign an App Layer to CVDs, on page 142
Monitor App Layer Assignments, on page 143
Detect Potential Effects of the App Layer Change

Before applying a new base layer or app layers, or both, to a CVD or collection of CVDs, you can view the
potential effects of the base layer or app layer changes on the CVD contents.
The Comparison report can help you plan the layer update process and resolve in advance conflicts that
might result from mismatches in the layer contents on the selected CVDs.
For more information, see Detect Potential Effects of the Layer Change, on page 131 and Comparison
Report Format, on page 133.
Testing App Layers Before Distributing it to Endpoints

It is good practice to verify that an app layer was captured properly and all intended settings are in place
before you distribute an app layer widely.
Before distributing to multiple endpoints, test-distribute an app layer to some sample user machines with
user-installed applications to verify that the overall update results are satisfactory.
VMware, Inc.
141
Assign an App Layer to CVDs

After an app layer is updated at the server and tested on at least one CVD, you can assign it to individual or
multiple CVDs.
If Collections are defined, you can assign the new app layer to all the CVDs in a collection in one step. See
Working with CVD Collections, on page 23.
The assignment process swaps the old app layer with the new one, thereby assigning the app layer to the
endpoint and instantiating the applications to the endpoint. The changes in the endpoint are propagated
back to the endpoints CVD on the server.
The download to the endpoint transfers only new files and incremental changes to existing files of the target
endpoint.
Before a new or updated app layer is applied, the Mirage server takes a CVD snapshot so that it can roll
back if any post-update problem arises.
Before and during app layer download, the system verifies that enough disk space is available to proceed
with the operation.
The same interfaces are used to apply or modify app layers for multiple CVDs, or a collection.
You can upgrade an existing base layer or app layers to all CVDs that are already assigned with previous
versions of those layers. See Assign a Previous Layer Version, on page 137.
Prerequisites
Verify that endpoint centralization is completed for that CVD and its content is protected in the server. You
can revert to the previous CVD state.
Verify that the software to be deployed by the app layer does not conflict with locally installed applications.
See Correct Software Conflicts By Using a Transitional Base Layer, on page 138.
App layer assignment requires a base layer to be present on the endpoints.
Procedure
1
In the Mirage Management console, select Common Wizards > Update App Layer.
Select individual or multiple CVDs, or a collection of CVDs that you want to update, and click Select.
When you finish selecting CVDs or a CVD collection, click Next.
Select the app layers with which you want to update the CVDs.
The app layer details appear in the bottom pane.
You select a layer in the Available Layers pane and click the right arrow to move it to the Assigned
Layers pane. To remove a layer, select it in the Assigned Layers pane and click the left arrow.
Layers shown in gray indicate that they are already assigned to some CVDs.
142
VMware, Inc.
Chapter 19 Assigning App Layers
Correct mismatches between the app layer and the selected CVDs if needed. The following system
aspects are validated. Ignore any warnings that are not applicable.
Table 191. System Aspect Validations
System Aspect
Validation
Operating System
The system verifies that the CVD and the new app layer have the same OS and type
(32- or 64-bit). If they are different, the system blocks those CVDs from receiving the
app layer.
Drive Letters
The system verifies that the CVDs include the required drive letter in the app layer. If
the CVDs do not have the appropriate drive letters, the system blocks these CVDs
from receiving the app layer.
Click Finish.
An update task is created. The Mirage client periodically checks the server for updates to download as
part of its regular processing.
This completes the administrator procedure.

When the client next connects, download and swap operations take place, which ask the user to restart.
Allow some time for the changes to download.
Cancel an App Layer Assignment in Progress

You can discontinue an app layer update that is not yet completed.
Procedure
1
In the Mirage Management console tree, expand the Inventory node and select All CVDs or
Collections.
Right-click the CVD or collection for which you want to cancel the app layer update.
Select Layers > Cancel Pending Layers.
Monitoring the App Layer Assignment Progress

After an app layer has been assigned to a number of CVDs, you can monitor the update process through the
App Layer Deployment view.
The same method applies as for base layer assignment monitoring. See Monitor the Layer Assignment
Progress, on page 136.
Monitor App Layer Assignments

You can see which endpoints have certain layers assigned to them. There are several ways to review and
monitor currently running assignments.
The same methods apply as for base layer monitoring. See Monitor Layer Assignments, on page 137.
VMware, Inc.
143
144
VMware, Inc.
Create a WinPE Image for Mirage
20
You can use a WinPE image to provision a device that does not have an operating system installed.
Mirage supports running only the WinPE creation script in the English (United States) region. You can stop
the WinPE creation script at any point by pressing CTRL+C. The next time you run the WinPE creation
process, the previous operation leftovers are cleared.
If you change the output directory of the WinPE image to a path in the network, the script fails to run.
Create a new WinPE image for each new version of Mirage. You do not have to recapture the base layers
and app layers.
Prerequisites
n
Install the Windows Assessment and Deployment Kit (ADK) for Windows 8.1 update to the default
location. Windows ADK is supported only on Windows Vista and later.
Select the Windows Preinstall Environment option when you install the Windows ADK.
Verify that you have administrator privileges.
Procedure
1
Double-click the file for your environment to extract the WinPE creation environment.
Option
Description
64-bit
Mirage.WinPE.x64.buildnumber.zip
32-bit
The WinPE version must match the capabilities of the processor. If the processor is 32-bit use a WinPE
32-bit image. If the processor is 64-bit use a WinPE 32-bit or WinPE 64-bit image.
VMware, Inc.
145
Edit the BuildMirageWinPE.cmd file.

a
Right-click the BuildMirageWinPE.cmd file and select an editing program.
Configure the connection to the Mirage server.

Option
Description
Mirage server address
Address of the Mirage server.
Mirage server port
Port of the Mirage server.
Use SSL to connect to the Mirage

server
Must be TRUE or FALSE.
Directory to which the WinPE

creation binaries are compiled
Directory to which the WinPE creation binary files are saved.
Mirage log level when running in

the WinPE environment
Can be DEBUG, TRACE, INFO, WARN, or VERBOSE.
Do not use a space before and after the equals sign, for example, SERVER_PORT=12345.
3
Add the drivers for the WinPE image to the Drivers directory.
Add the certificates for the WinPE image to the Certificates directory.
Mirage supports .cer, .crt, and .pfx certificate formats.
a
Export the corporate CA server certificate in .cer format and copy it to the certificates directory to
enable secure communication between the Mirage WinPE client and the Mirage server.
Access the command prompt as an administrator and run the BuildMirageWinPE.cmd command from
the extracted directory.
For example, if you extracted the file to your desktop,
desktopdir\WinPeCreation.version\BuildMirageWinPe.cmd.
An .iso file for CDs, DVDs, or USB, and a .wim file for a PXE server are created. The location where these
files are stored appears at the end of the process.
What to do next
Load the .wim file to the PXE server or burn the .iso file to a CD, DVD, or USB. You can reuse the WinPE
image that you create.
146
VMware, Inc.
Installing the Windows Deployment

Service
21
You can use the Windows Deployment Service (WDS) to deploy Windows operating systems over the
network.
You can install the WDS by using either the Windows server manager or Microsoft PowerShell.
If you want the PXE boot to work across VLANs in your organization, configure DHCP options. You access
the DHCP options from the DHCP management console. After you configure the DHCP options, you can
perform a PXE boot to the Mirage environment.
Table 211. DHCP Options
Option
Description
066 Boot Server Host Name
Boot server host name and the IP address or FQDN of the

server on which you installed WDS.
067 Boot File Name
Default value for the boot file name. Do not change this
value.

n
Install the Windows Deployment Service Using the Windows Server Manager., on page 147
Install the Windows Deployment Service by Using Microsoft PowerShell, on page 148
Install the Windows Deployment Service Using the Windows Server

Manager.
You install the Windows Deployment Service before adding boot files to the PXE server.
Procedure
n
Access the Server Manager on the server that you are installing the Windows Deployment Service
(WDS).
Right-click Server Roles in the left panel, select Windows Deployment Service, and click Next.
On the Role Services page verify that the Windows Server Deployment and Transport Server roles are
selected and click Next.
The Windows Deployment Service is installed.

What to do next
Add the boot files to the PXE server.
VMware, Inc.
147
Install the Windows Deployment Service by Using Microsoft

PowerShell
You install the Windows Deployment Service before adding boot files to the PXE server.
Prerequisites
Ensure that you have administrator privileges for Microsoft PowerShell.
Procedure
u
Run the ServerManagerCmd -install WDS cmdlet in Microsoft PowerShell.
The Windows Deployment Service is installed.

What to do next
Add the boot files to the PXE server.
148
VMware, Inc.
Add the WinPE Boot Images to the

Windows Deployment Service Server
22
You add the WinPE boot images to provision a device with that image.
Install the Windows Deployment Service on the server that you are loading the boot images.
Procedure
1
Select Start > Administrative Tools > Windows Deployment Serviceson the machine that has the
Mirage server.
Expand the Servers node, right-click the Windows Deployment Services server, and select Configure
Server.
Verify the system requirements and click Next.
Select the remote installation folder that contains the boot images and installation images.
Verify that the drive meets the space requirements.
On the PXE Server Initial Settings page select Respond to all client computers (known and unknown),
and click Next.
On the Operation Complete page, clear the Add images to the server now check box and click Next.
On the Windows Deployment Services window right-click Boot Images and select Add Boot Image....
Select the appropriate .wim boot image and click Open.
Follow the prompts to install the boot image.
VMware, Inc.
149
150
VMware, Inc.
Provision a Device with Mirage by

Using a WinPE Image
23
You can use the WinPE image to provision a device that does not have a Mirage client installed or to
provision a device that does not have an operating system installed.
The image that you create with WinPE runs on memory, not on the hard disk.
On the WinPE image you can only perform provisioning procedures and generate sysreports.
Mirage supports provisioning into legacy systems and EFI systems. In some cases, such as when the disk is
not Windows ready, or when there is insufficient space on the existing volumes, Mirage might re-partition
the disks. Re-partitioning creates a single partition for the whole disk that is selected by Mirage. Repartitioning only succeeds on EFI machines if they are configured to boot in legacy mode.
If WinPE reboots during a provisioning procedure, the device reconnects and is identified as a new pending
device. Previous provisioning orders on the device are not applied and you must restart the provisioning
process.
When the image boots, two command prompt windows appear. One command prompt window is for
troubleshooting. The other command prompt window runs Mirage in the WinPE environment.
IMPORTANT WinPE stops running the shell and restarts after 72 hours of continuous use.
You can provision a device with Mirage by using a base layer with the following operating systems.
POSReady 2009
Windows 7
Windows 8.1
Procedure
1
Boot the device using the appropriate WinPE image.

n
The .wim file.
The .iso file.
When the Mirage status window appears, note the host name of the device.
A host name is generated during each reboot.
VMware, Inc.
151
Provision the device using the WinPE image.

Option
Action
Mirage Web manager
a
b
Mirage Management console
a
b
Navigate to the Mirage Web console and click the Pending Devices
tab.
Select the device with the host name that you noted and click
Provision Endpoint.
Navigate to the Mirage Management console and select Inventory >
Pending Devices.
Right-click the WinPE device and select Device Provisioning.
After you provision the device, the device boots with the provisioned operating system.
152
VMware, Inc.
Mirage Validations for Bare Metal

Provisioning
24
Mirage runs validations for bare metal provisioning operations to determine if repartitioning is required for
the provisioned device. The validation that Mirage runs is determined by which operating system the
machine had installed before the bare metal provisioning operation.
Machines with Windows
OS
Mirage locates the system drive and determines if sufficient space exists on
the drive for the selected base layer. If sufficient space exists, the drive is
formatted. If the drive does not contain sufficient space for the specified base
layer, then Mirage displays a warning validation message that the disk will
be repartitioned to carry the selected base layer. If the hard drive does not
contain sufficient space, then Mirage displays a blocking validation for
insufficient disk space and the user is prompted to replace the disk.
Mirage checks the boot mode of the device. If the boot mode is UEFI and the
system disk partition layout is MBR, Mirage displays a blocking validation
message. Change the boot mode to legacy boot.
Machines with new HDD

or non-Windows OS
machines that are being
provisioned to run
Windows.
Mirage determines if sufficient space exists on the disk to download the

selected base layer, and displays a disk partitioning message validation. If
the hard drive does not contain sufficient space, then Mirage displays a
blocking validation message for insufficient disk space and the user is
prompted to replace the disk.
Mirage checks the boot mode of the device. If the boot mode is UEFI and the
system disk partition layout is MBR, Mirage displays a blocking validation
message. Change the boot mode to legacy boot.
Mirage checks for boot mode and disk partition layout mismatches. Mirage displays a blocking validation if
the boot modes of the machines do not support its boot disk partitioning layout.
MBR on UEFI boot mode
n
n
VMware, Inc.
GPT on legacy boot mode
153
154
VMware, Inc.
Provisioning a Device by Using the

Self-Service Provisioning Tool
25
Users with the Image Manager role or Administrator role can provision new laptops and desktops directly
from the device using the self-service provisioning interface.
1
Create a Mirage Layer Group Configuration File on page 155

You use layer groups to centrally manage layers that are used in self-service provisioning procedures.
You create Mirage layer groups in a CSV file.
Import Mirage Layer Groups on page 156

After you create layer groups that have base layers and app layers, you import the layer groups to the
Mirage system by using a server tool. You assign the layer group to a WinPE machine during a selfservice provisioning procedure..
Export Mirage Layer Groups on page 156

You export a layer group file to edit the file. After you edit the layer group file, you import it to the
Mirage system.
Provision a Device by Using the Self-Service Provisioning Tool on page 156

You provision new laptops and desktops directly from the device using the self-service provisioning
interface.
Create a Mirage Layer Group Configuration File

You use layer groups to centrally manage layers that are used in self-service provisioning procedures. You
create Mirage layer groups in a CSV file.
Procedure
1
Access the layergroup_template.csv file from the Server.Tools.buildnumber.zip file.
Edit the layergroup_template.csv file with the necessary values.

Layer Group Name,Description,BaseLayer,AppLayers,
G1,description1,win8.1X64 - 1(1.0),Win8.1x64 - AL - 1(1.0),Win8.1x64 - AL - 3(1.0)
G2,description2,win8.1X64 - 2(1.0),Win8.1x64 - AL - 2(1.0),Win8.1x64 - AL - 3(1.0)
Layer Group Name is the name you select for the layer group. Description is the description you provide
for the layer group. BaseLayer is the base layer and version. AppLayers is the app layers and version.
3
VMware, Inc.
Save the CSV file.
155
Import Mirage Layer Groups

After you create layer groups that have base layers and app layers, you import the layer groups to the
Mirage system by using a server tool. You assign the layer group to a WinPE machine during a self-service
provisioning procedure..
Prerequisites
n
Verify that you created layer groups in a CSV file.
Procedure
1
Access the command prompt.
Run the Wanova.Server.Tools.exe ImportLayerGroup ManagementServerAddress CsvFilePath command.

ManagementServerAddress is the IP address or host address of the Mirage Management server.
CsvFilePath is the file path of the layer group file you created.
The layer groups are available to use in a self-service provisioning procedure.
Export Mirage Layer Groups

You export a layer group file to edit the file. After you edit the layer group file, you import it to the Mirage
system.
Prerequisites
Procedure
1
Access the command prompt.
Run the Wanova.Server.Tools.exe ExportLayerGroup ManagementServerAddress CsvFilePath

command.
ManagementServerAddress is the IP address or host address of the Mirage Management server.
CsvFilePath is the file path where you export the layer group file.
Provision a Device by Using the Self-Service Provisioning Tool

You provision new laptops and desktops directly from the device using the self-service provisioning
interface.
Prerequisites
n
156
Verify that you have Image Manager role or Administrator role permissions.
VMware, Inc.
Chapter 25 Provisioning a Device by Using the Self-Service Provisioning Tool
Procedure
1
Copy the root certificate authority (CA) .

a
Double-click the file for your environment to extract the WinPE creation environment.
Option
Description
64-bit
32-bit
The WinPE version must match the capabilities of the processor. If the processor is 32-bit use a
WinPE 32-bit image. If the processor is 64-bit use a WinPE 32-bit or WinPE 64-bit image.
b
Copy the root CA from the VMware Mirage Management Web Site to the
Mirage.WinPE.version.buildnumber\Certificates\Browser folder.
version is the WinPE version that you selected.

2
Edit the parameters in the BuildMirageWinPE.cmd file.
Access a command prompt and run the BuildMirageWinPE.cmd command to build the WinPE image.
The WinPE machine starts, and when the status of the Mirage client changes to Pending Assignment,
the self-service tool starts.
Set default values for the Join Domain Name .

a
Access the IIS manager, expand Sites > VMware Mirage Management Web Siteand select ssp >
Application Settings .
Double-click DefaultJoinDomainName and enter a value for the DefaultJoinDomainName

parameter in the text box.
Set default values for the Join Domain OU .

a
Application Settings .
Double-click DefaultJoinDomainOU and enter a value for the DefaultJoinDomainOU parameter in

the text box.
(Optional) Configure the self-service provisioning tool to enable the Skip Steps feature.
a
Application Settings.
Double-click SspSkipSteps and type Volume;Policy in the Value text box. When you enable the
Skip Steps feature, the self-service provisioning wizard skips the steps to select a volume and a
policy. To disable the Skip Steps feature, clear the Value text box.
(Optional) Configure the self-service provisioning tool to enable the Remember Last Value feature.
a
Application Settings.
Right-click RememberLastValues and type SelfProvision in the Value text box.
When you enable the Remember Last Values feature, the Mirage self-service provisioning tool
remembers the values that you entered and applies them as the default values when you perform the
self-service provisioning procedure. To disable this feature, clear the Value text box.
VMware, Inc.
157
Set a default policy and domain account.

a
Access the Mirage Web manager console with the Image Manager role or the Administrator role.
Users with the Administrator role can set the default policy and domain account. Users with the
Image Manager role can set the default policy.
158
Click the gear icon and select CVDs in the left panel.
Click Change and select a default policy.
Click OK to exit the Update Policy window.
Click Domain Account in the left panel and enter the log-in credentials in the text box.
Start the WinPE machine and when the Self-Service Provisioning console appears, enter log-in
credentials for the Image Manager role or Administrator role.
10
Follow the steps to complete the self-service provisioning procedure.
VMware, Inc.
Endpoint Disaster Recovery
26
You can restore device files to an earlier CVD snapshot, or restore a device from a CVD after hard-drive
replacement, file corruption, format operation, or device replacement.
Mirage provides two modes of disaster recovery:
n
Restore files or the entire desktop to a previous CVD snapshot on an existing device. Files and
directories are included in CVD snapshots in accordance with the active upload policies.
Restore the hard drive on an existing or a replacement device:

n
Restore a CVD to the same device after a hard-drive replacement, file corruption, or format
operation.
Restore the CVD to a replacement device.
When the CVD contains Encrypted File System (EFS) files, the files are recovered in their original encrypted
form.
NOTE For better deduplication in the revert-to snapshot, the end user must be logged in during the restore
Prefetch operation if the CVD contains EFS files.
n
Restore a Device to a CVD Snapshot, on page 159
Restoring to a CVD After Hard Drive Replacement or Device Loss, on page 160
Restoring Windows 8 Devices, on page 163
Working with Bootable USB Drives, on page 164
Reconnect a Device to a CVD, on page 168
End User Experience with Restore Processes, on page 168
Restore a Device to a CVD Snapshot

You can use a CVD snapshot to restore a specific file or a complete endpoint on an existing device.
Mirage automatically creates CVD snapshots at regular intervals, preserves them based on a retention
policy, and makes them available for restoration as needed. See CVD Snapshot Generation and Retention,
on page 46.
You can use a selected CVD snapshot to restore a specific file or a complete endpoint on an existing device.
Restoring a specific file is the same process as restoring a previous file version. To restore a specific file from
a CVD snapshot, see Restore a Previous File Version, on page 30.
VMware, Inc.
159
You can restore a complete device from a CVD snapshot between the same operating system, for example,
Windows 8.1 to Windows 8.1, or cross-operating systems, for example, Windows 7 to Windows XP or
Windows Vista. However, you cannot revert a Windows XP CVD snapshot to a Windows 7 or Windows 8.1
device.
Procedure
1
In the Mirage Management console tree, expand the Inventory node and select the All CVDs node.
Right-click the CVD that you want to restore to an earlier snapshot and click Revert to Snapshot.
Select the revert options.

a
Select the snapshot date to which you want to revert.
Select whether you want to only restore the system and click Next.
The Restore System Only check box is selected by default. Select This restores system files only,
including the base layer, user-installed applications and user machine settings. The user area
content is not affected and any new files in the user area are not erased.
User data in this option pertains to files and directories listed in the upload policies User area.
The option behavior depends if the reversion you are performing is to the same OS or cross-OS.
Option
Action
If to the same OS, for example,

Windows 8.1 to Windows 8.1:
Clear this check box if you want to restore the entire CVD, including
the User area, from the CVD snapshot.
If the checkbox is cleared, any application, setting, or document in the
current CVD that does not exist in the snapshot is erased from the
endpoint.
If to a different OS, for example,

Windows 8.1 to Windows 7:
This checkbox is not selected so the entire CVD, including the User
area, is always restored from the CVD snapshot.
Verify the snapshot details and click Finish.
Restoring to a CVD After Hard Drive Replacement or Device Loss

If the hard drive on an endpoint is replaced, corrupted, or formatted, or if the user machine is lost and a new
machine is supplied, you must restore the CVD to the device or a replacement device.
You must set up the device with at least a basic OS image that complies with Mirage software requirements.
See Software Requirements in the VMware Mirage Installation Guide.
When replacing the hard drive, you do not have to specifically identify the endpoint and locate the CVD in
the console. The server recognizes the endpoints GUID in the device BIOS and finds the associated CVD.
Use one of the following restore procedures to restore a CVD:
n
Restore to CVD After Hard Drive Replacement, Corruption, or Format
Restore a CVD to a Replacement Device
Restore to CVD After Hard Drive Replacement, Corruption, or Format

You can restore a CVD after hard-drive replacement, file corruption, or format operation.
Prerequisites
Procedure
1
160
In the Mirage Management console, select Common Wizards > Disaster Recovery.
VMware, Inc.
Chapter 26 Endpoint Disaster Recovery
Select Replace Hard Disk and click OK.
Select the device you want to use for the restore operation and click Next.
Only devices that are recognized as connected to CVDs and are pending restore are listed.
Select a restore option and click Next.

u
To restore system files only, including the base layer, user-installed applications and user machine
settings, select the Restore System Only check box.
The user area content is not affected, and new files in the user area are not erased. User data in this
option pertains to files and directories listed in the upload policies user area. See Working with
Upload Policies, on page 19
To restore the entire CVD, including the user area, from the CVD snapshot, deselect the Restore
System Only check box.
Any application, setting, or document in the current CVD that does not exist in the snapshot is
erased from the endpoint.
Click Finish.
Restore a CVD to a Replacement Device

You can restore a CVD to a replacement device.
When a CVD is restored from Windows XP or Windows Vista to Windows 7 or Windows 7 to Windows 8.1,
the system streams down to the endpoint after the CVD has been restored so that the end user can resume
work without waiting for all of the user data to be downloaded first. If a Windows 7 endpoint is selected to
be restored to a Windows XP or Vista CVD, that Windows 7 endpoint becomes a Windows XP or Windows
Vista device.
You can also restore users from Windows XP or Windows 7 machines to new Windows 7, or from Windows
7 machines to Windows 8.1 machines. See Migrating to Windows OS Replacement Devices, on page 179.
In this case, select Only Restore User Data and Settings as the restore option .
Prerequisites
1
Procedure
1
In the Mirage Management console, select Common Wizards > Disaster Recovery.
Select Replace the user machine and click OK.
Select the device where you want to restore the CVD and click Next.
Only devices to which the CVD can be restored are listed.
VMware, Inc.
161

a

Restore Option
Description
Full System Restore
SLP licenses.
or overwritten.
procedure.

Data and Settings
OEM license.

Settings
8.1 machines.
CVD.
b
5
Click Next.
a
d
6
Option
Description
OU

Join Domain account
Click Next.
Use the information on the Validation Summary page to compare the target device with the CVD and
click Next.
The summary alerts you to any potential problems that require additional attention. You cannot
proceed until blocking problems are resolved.
162
Click Finish to complete the restore procedure..
VMware, Inc.
The migration process takes place in two phases. See End User Experience with Restore Processes, on
page 168.
Restoring Windows 8 Devices

Mirage supports restoring Windows 8 devices for endpoint disaster recovery. You can perform a full-system
restore between Windows 8 devices or revert to an earlier Windows 8 CVD snapshot.
Mirage supports Windows 8 and Windows 8.1, Professional and Enterprise Editions.
NOTE You can only restore Windows 8 devices within the same operating system version, for example,
Windows 8.0 to Windows 8.0 or Windows 8.1 to Windows 8.1.
Restore a Windows 8 Device

You can restore a Windows 8 CVD to a Windows 8 device.
Prerequisites
Install the Mirage client on the client machine. See the VMware Mirage Installation Guide..
The procedure enables you to select a domain for this endpoint to join after the restore operation. If you
want to use the same credentials each time, perform the following:
1
Select the General tab and then type the credentials you want to use for domain joining.
Procedure
1
In the Management console, select Common Wizards > Disaster Recovery.
Select Replace the user machine and click OK.
Select the device where you want to restore the CVD and click Next.
Only devices to which the CVD can be restored are listed.
Select a restore option for the selected CVD and device and Next.
VMware, Inc.
Option
Description
Full System Restore
This option includes OS, applications, user data, and user settings.
Use this option for systems with Windows volume licenses or Windows
OEM SLP licenses.
applications, and user files. Any existing files on the replacement device
are lost or overwritten.
This option requires you to select a base layer.

Settings
Use this option to migrate users from Windows 8 machines to Windows 8

machines.
The OS of the replacement device must be the same as or newer than that
of the CVD.
Only user data and settings are restored to the replacement device. The
existing OS and applications installed on the replacement device are
retained.
163
(Optional) Specify CVD naming and domain options.

a
Change or define the hostname for a device being restored.
Select a domain for this endpoint to join after the restore operation. The current domain is shown
by default.
c
6
Option
Description
OU

Join Domain account
Click Next.
Use the validation summary to compare the target device with the CVD. This summary alerts you to
any potential problems that require additional attention.
You cannot proceed until blocking problems are resolved.
The migration process starts and takes place in two phases. See End User Experience with Restore
Working with Bootable USB Drives

VMware Mirage bootable USB media can assist you with recovery operations and system imaging. After the
bootable USB drive is created, it contains a clean install of Windows 7 Professional or Enterprise Edition, or
Windows 8.1 Professional or Enterprise Edition. The VMware Mirage client is also installed and
preconfigured to connect to your VMware Mirage server when the client machine restarts.
NOTE VMware Mirage supports creating bootable USB keys for Windows 7 and Windows 8.1 only.
You can customize the bootable USB key to accommodate different hardware platforms and additional
Windows pre- and post-installation actions, for example, joining the new system to the required domain or
renaming the system. The following are the most common use scenarios:
n
Restoring a device that can no longer boot to Windows
Restoring or reimaging a remote device in the field
Provisioning or imaging a new Windows installation on an existing machine quickly
Deploying the Windows image with the VMware Mirage bootable USB key generally takes 15 to 30 minutes.
The following components are required:
n
Windows 7 or Windows 8.1 Professional or Enterprise Edition machine.

This is represented in this guide as drive C.
VMware Mirage bootable USB Scripts provided by VMware.
Windows 7 or Windows 8.1 Professional or Enterprise Edition DVD or ISO file.

This is represented in this guide as drive D.
164
VMware, Inc.
A USB Drive with at least 8 GB available disk space

This is represented in this guide as drive U.
VMware Mirage client MSI installer file x86 or x64 version.

You can find current clients on the VMware Mirage support downloads page.
(Optional) Drivers for the end point hardware.

n
Network drivers are highly recommended.
NOTE You can access all other drivers with the Driver Library feature within the VMware Mirage server.
Limitations of the Bootable USB Drive

n
The Windows installation is not activated and does not include a product key. Windows installation
allows you to work with a non-activated machine for a few days. You can work around this limitation
by editing the autounattend.xml file.
Some antivirus products (for example, Trend Micro) are known to prevent copying autorun.inf to
removable disks . As the process of creating a bootable USB disk requires copying such a file, you must
disable the antivirus application while creating the USB disk using this utility.
If you attempt to install VMware Mirage with an SSL-enabled server, the newly deployed client
machine might not be able to connect to the server, as it is not yet a member of the domain. In such a
case, add a custom action on the USB disk to add the client machine to the domain.
Windows XP Bootable USB Keys

VMware Mirage does not support a bootable USB key for Windows XP. To restore a bare metal Windows
XP device, use your Windows 7 bootable USB drive, and then use VMware Mirage to restore the device to a
previous Windows XP snapshot.
Create the Bootable USB Key

You can create a folder, drive, or virtual drive on a USB disk containing the Windows 7 or Windows 8.1
installation folders.
IMPORTANT The process formats the entire USB drive!
Prerequisites
n
The drive letter U:\ must be available to create the bootable USB disk. The creation scripts do not warn
you if it is already in use.
When using a .ISO file for Windows installation, extract the content of the .ISO file by one of the
following methods:
n
Use .ISO image file software to download and save the .ISO image file to a CD-R or a DVD-R.
Virtually mount and access .ISO files as a virtual device.
Extract the .ISO files to your hard drive.
Procedure
1
On your workstation, create the folder C:\BootUSB.
Create two subdirectories in C:\BootUSB. One called Drivers and one called MirageClient.
Extract the VMware Boot USB Scripts from the BootUSB.zip file to the root of the C:\BootUSB folder.
Do not modify the file structure or add subdirectories.
VMware, Inc.
165
Open the C:\BootUSB\MirageClient folder and copy the Mirage client installation MSI to this folder.
Find any hardware drivers you need for the new hardware and copy them to the C:\BootUSB\Drivers
folder.
Insert the Windows installation DVD to your DVD drive.

Alternatively, you can mount your Windows ISO file. This speeds up bootable USB key creation.
Insert the USB Key and wait until Plug and Play detection completes.
Open a Command Prompt window as an administrator and run cd C:\BootUSB.
Select the command you want to run and press Enter.

Boot USB OS
Command
Windows 7
win7usb.cmd
Windows 8.1
win8usb.cmd
A list of the available disks and their disk number is displayed. Look for the disk number of your USB
drive, which you can identify by the size value.
10
Run the complete command with the following syntax:

n
Windows 7: win7usb.cmd [win7 dvd path] [msi path] [server address] [use ssl transport
(true/false)] [usb disk number] [Drivers folder (optional)]
Windows 8.1: win8usb.cmd [win8 dvd path] [msi path] [server address] [use ssl transport
(true/false)] [usb disk number] [Drivers folder (optional)]
Option
Description
win7/win8 dvd path
The path to the Windows 7 or Windows 8.1 DVD or folder containing the
Windows installation files (folder containing the contents of the Windows
DVD).
msi path
The path of a Mirage client MSI.
server address
The IP address for your Mirage server for client devices to connect.
Use SSL transport
A flag that indicates whether this client uses SSL. Use true or false.
NOTE The Mirage server must already be configured for the SSL for this to
be enabled.
usb disk number
This is the number of the USB disk to be formatted. A list of connected disk
numbers is displayed upon invocation of the batch file that do not have
any parameters.
Drivers folder
The location where any hardware drivers required on your new device are
stored, from which you can add them to the bootable USB key. This
parameter is optional.
The exact string for each endpoint is different.

Table 261. Example of a Typical Command String
Operating System
Command String
Windows 7
C:\BootUSB>win7usb.cmd D:\ C:\BootUSB\MirageClient\MirageClient.msi

192.168.11.203 false 2 C:\BootUSB\Drivers
Windows 8.1
C:\BootUSB>win8usb.cmd D:\ C:\BootUSB\MirageClient\MirageClient.msi

192.168.11.203 false 2 C:\BootUSB\Drivers
The USB disk is prepared. When the USB key creation is completed, you can customize it in additional
ways. For example, you can have it install additional software, or embed hardware drivers.
166
VMware, Inc.
Install Windows with the Bootable USB Key

You can use the bootable USB key to install Windows on a device.
Procedure
1
Insert the USB disk.

Do not unplug the USB disk until this process is fully completed and you have Windows and Mirage
installed on your Windows 7 or Windows 8 system.
Perform a one-time boot from the USB disk by choosing the correct option in the startup menu.
For example, most Dell laptops use the F12 key. Windows begins loading.
Install Windows.
Prompts might vary according to the version of Windows you are installing and Windows installations,
if any, currently on the endpoint.
Option
Action
Version of Windows
Select a Professional or Enterprise edition. Mirage does not support Home

editions.
Upgrade and custom (advanced)
Select the Custom (advanced) option.
Partition
Select a partition in which to install the new copy of Windows. Formatting

the partition is optional.
NOTE VMware software does not modify any existing partition tables.
Windows now installs. No further user intervention is required.

4
Log in with the following information:

Option
Description
User name
TEST.
Password
password
Administrator password
passwd1!
NOTE You can change these passwords by editing the account values in the autounattend.xml file
found on the USB Key. You can use the System Image Manager (SIM) tool that comes with the
Windows Automated Installation Kit (AIK) to do this.
After you log in for the first time, the target machine is ready to use but might perform additional Windows
operations in the background.
Customize Your Bootable USB Key

After the bootable USB is created, you can customize and configure it to suit your site or location.
You can use a number of files that for this purpose without having to rebuild the Bootable USB key in the
process. Unless specified otherwise, these files are located in: USB_ROOT\sources\$oem$\$$\setup\Wanova\:
Table 262. Customization Files
File Name
Description
InstallClient.cmd
The file that controls the command that runs the Mirage installer. You can modify the
commands here, including the server Mirage connects to, using SSL or not, and any MSI
switches you want to use during installation.
SetupComplete.cmd
The batch file called automatically when the Windows deployment is completed. You can
add more commands to this file as needed (install VPN client, for example).
VMware, Inc.
167
Table 262. Customization Files (Continued)

File Name
Description
MirageClient.msi
Mirage client installed on the new Windows machine. Make sure the client version matches
the Mirage server version.
Autounattend.xml
An answer file for the unattended Windows installation that you can edit to customize the
deployed Windows installation. This file is found in the root of the USB drive.
Procedure
1
(Optional) Add Boot-critical drivers to the Bootable USB by putting them in USB drive:\$WinPEDrivers
$.
Do this only if the Windows installation cannot proceed due to missing a critical driver, for example, a
missing disk controller, preventing the installation from detecting the hard drive.
2
Copy the contents of USB drive:\sources\$oem$\$1\MirageDrivers\ to the local folder
C:\MirageDrivers.
The Windows installation searches for and uses drivers located in the MirageDrivers folder on the root
of any drive.
3
(Optional) Customize the Windows installation further.

a
Copy the contents of USB drive:\sources\$oem$\$$ to the Windows folder on the installation drive,
e.g. C:\Windows.
Copy the contents of USB drive:\sources\$oem$\$1 to the installation drive, e.g. C:\.
Reconnect a Device to a CVD

You can reconnect a device that has lost its synchronization for any reason to its CVD. After the Force
Upload operation, you can then continue backing up incremental changes as before.
You can connect an Assignment Pending device to an existing CVD and upload the current device data to
the CVD through a Force Upload process.
Procedure
1
In the Mirage Management console, expand the Inventory node and select Pending Devices.
Select the device, right-click and select Force Upload.
The device then synchronizes all its data to the CVD. Local client changes take precedence (win) over
CVD changes.
End User Experience with Restore Processes

End users can start working as soon as a subset of data is resident on their endpoints. An end user or
application request for a file that is not yet downloaded, takes priority over background transfers. When the
file finishes downloading, the system notifies the end user that the file is available.
Restore processes take place in two phases: Restore Prefetch and Restore Streaming.
Restore Prefetch
The server downloads the minimal set of files and configuration required for the endpoint to boot to the
CVD and connect to the network. This is called the Minimal Restore Set. End users can start working as soon
as this subset of data is resident on their endpoints.
168
VMware, Inc.
Restore Streaming
After the Minimal Restore Set is downloaded and reboot is completed, the server begins streaming the
remaining CVD content to the endpoint in the background while the end user works. If the user or
application request a file that is not yet downloaded, this request takes priority over background transfers.
The end user can view the streaming status of each downloading file by right-clicking the Mirage icon in the
notification area and clicking Show Streaming Status.
When an end user opens a file which is not yet fully downloaded, the system notifies the user that the file is
currently downloading. When the file finishes downloading, the system notifies the end user that the file is
available.
The system might advise the end user to wait until the connection is reestablished.
CVD files which have not yet been streamed to the endpoint appear in Windows Explorer with the Offline
icon overlay. This indicates that the files exist on a remote storage medium and that accessing them involves
a network download delay.
VMware, Inc.
169
170
VMware, Inc.
Migrating Users to Different

Hardware
27
You can move a user from one device to another, for example, when new hardware is purchased. You can
migrate users one at a time or as a mass hardware migration, which includes many user machines.
n
Reassign a CVD to a Different Device, on page 171
Perform a Mass Hardware Migration, on page 173
Reassign a CVD to a Different Device

You can reassign a CVD to a different device.
Prerequisites
Verify that the drive letters of the new endpoint and the CVD in the data center are compatible. If the drive
letters are different, the system does not allow the restore operation to proceed.
Perform Sync Now on the endpoint before migrating it to a new client machine. This ensures that all data is
saved to the data center before the migration takes place. See Suspend and Reactivate Synchronization, on
page 31.
1
When a CVD is restored from Windows XP or Windows Vista to Windows 7 or from Windows 7 to
Windows 8.1, the system streams down to the endpoint after the CVD has been restored so that the end user
can resume work without waiting for all of their user data to be downloaded first. If a Windows 8.1
endpoint is selected to be restored to a Windows 7 CVD, that Windows 8.1 endpoint becomes a Windows 7
device.
Procedure
1
In the Mirage Management console, select Common Wizards > Hardware Migration.
Select the CVD you want to migrate and click Next.
Select the device where you want to migrate the CVD and click Next.
Only devices compatible with the selected CVD are listed.
VMware, Inc.
171

a

Restore Option
Description
Full System Restore
SLP licenses.
or overwritten.
procedure.

Data and Settings
OEM license.

Settings
8.1 machines.
CVD.
b
5
Click Next.
a
d
6
Option
Description
OU

Join Domain account
Click Next.
Use the validation summary to compare the target device with the CVD.
This summary alerts you to any potential problems that require additional attention. You can proceed
only after all blocking problems are resolved.
The migration process starts and takes place in two phases. See End User Experience with Restore
172
VMware, Inc.
Chapter 27 Migrating Users to Different Hardware
Perform a Mass Hardware Migration

You can migrate a mass of old user machines, for example, in the thousands, to new hardware models. The
OS version is not changed in this process.
You use a CSV-based input file that defines the set of transitions needed, including source machine,
destination machine, and parameters. This is performed using Mirage command line tools.
Table 271. CSV File Information
Parameter
Description
Source CVD name
Windows name of the CVD
New CVD name
Following the rebase - machine name + OU
Target device name
Windows name of the device
Optional note per machine
Appears in the Management console
Identifier
Identifier of the target base layer (rebase) or no target base layer (universal
restore)
Credentials for the domain join account
Username, password, and domain
Server address
URL of the server
Procedure
1
Centralize the source machines to the Mirage server.
Assign these CVDs to a specific collection.
Connect the new machines to the network with an initial Windows system and deploy the Mirage client
to them. You can use mass deployment tools to deploy the client. There are several ways to do this:
n
Use the Mirage bootable USB or LAN to deploy the initial image.
Deploy an image using third party solutions, for example, PXE or MDT.
Ask the hardware vendor to integrate the Mirage client in the Windows image deployed on the
machines.
After the Mirage client is deployed, the new client machines appear in the Inventory > Pending
Devices queue.
Create a CSV file mapping of source machine names to target machine names.
The target machine names are the desired names of the machines after the migration. Existing names
are not used as these are sometimes randomly generated by the hardware vendor.
Optionally, you can import this mapping from XML.
Provide the Mirage Management console with a domain join account, with username and password.
This account is used to rejoin the machines to the domain.
Select the pending devices to be used as target machines.

The number of target and source machines must be the same.
VMware, Inc.
Choose from the following base layer options:

n
Maintain the base layer from the source machines, which removes extraneous applications, such as
OEM applications, from the target machines.
Apply a new base layer to the target machines to apply additional applications to the target
devices.
173
The following migration processes take place:

n
For each source CVD, an available pending device is selected.
The source CVD is assigned to the selected pending target device, along with the base layer for the
target model, if any.
The migration operation starts, including automatic boots whenever necessary.
The migration task is marked as done only when an upload was completed.
What to do next
After the process is completed, the previous CVDs are migrated to the new machines.
174
VMware, Inc.
Windows OS Migration
28
You can migrate existing Windows XP or Windows Vista endpoints to Windows 7, and existing Windows 7
endpoints to Windows 8.1 and Windows 10. The migrations can be either in-place, on the same devices, or
to replacement devices (For migration from Windows 7 to Windows 10, only in-place migration on the same
device is supported10).
The migration installs a Windows 7, Windows 8.1, or Windows 10 base layer on each target endpoint while
preserving user profile data and settings through the Microsoft User State Migration Tool (USMT v4.0,
USMT v5.0 for Windows XP to Windows 7 migration, USMT v6.3 for Windows 7 to Windows 8.1 migration,
and USMT v10.0 for Windows 7 to Windows 10 migration).
Unlike base layer updates, the migration process installs a complete OS image, including local user profiles
as configured on the reference machine when the base layer was captured. You can use this to set up a local
administrator and default user account.
The migration moves existing content of a target endpoint to the C:\Windows.Old directory, which is then
processed by USMT. Application settings and data that are not handled by USMT are kept in the
C:\Windows.Old directory. You can manually restore this data, or delete it when you do not need it.
OS migration with Mirage retains the original computer name but requires rejoining the domain to create a
Windows 7, Windows 8.1, or Windows 10 machine account. You define this account in the Mirage system
configuration.
Custom boot loaders on the target machine are removed by the migration. If an endpoint includes multiple
operating systems, the migration overwrites only the one on the active OS partition and does not provide
boot options for the others. You can manually restore other boot options after booting to the new OS.
NOTE Mirage requires certain Full Disk Encryption applications to be pre-configured before performing an
OS migration. For more information about supported Full Disk Encryption software, contact VMware
technical support.
Prerequisites
n
You must be an advanced administrator and familiar with system operations and the functional
behavior of Mirage to proceed with this operation.
To reduce bandwith during OS migration in a small or remote office, use the Mirage branch reflector
feature. In particular, a Windows 7, Windows 8.1, or Windows 10 test machine configured as a branch
reflector can share its OS files with client endpoints to assist in the migration process.
USMT does not migrate applications installed on Windows XP or Windows Vista to Windows 7, or
applications installed on Windows 7 to Windows 8.1, or Windows 10.
Make sure to remove any sensitive data from the reference machine. All user data on the reference
machine is applied to the target as part of the migration process.
VMware, Inc.
175
Windows OS Migration End User Experience

After the migration base layer download is completed, the system requests a reboot. A swap is made and
Windows 7, Windows 8.1, or Windows 10 boots.
Login is disabled until the system completes the migration process. The new OS is loaded and Plug-andPlay hardware is installed and configured. This process might take a few minutes, during which the
computer is busy.
You can monitor the progress in the Windows login screen. When the process is completed, the system
restarts the PC and you can then login.
The post-migration script runs the USMT and then rejoins the domain. The PC must be connected to the
corporate network to be assigned a network address.
NOTE To rejoin the domain, the PC must have network access to the Mirage server and the domain
controller. End users cannot login using their domain credentials until the domain join is complete.
n
Performing a Windows OS In-Place Migration, on page 176
Migrating to Windows OS Replacement Devices, on page 179
Monitor the Windows OS Migration, on page 180
Applying Windows OS Post-Migration Scripts, on page 180
Performing a Windows OS In-Place Migration

You can perform an in-place migration of existing Windows XP or Windows Vista endpoints to Windows 7,
and existing Windows 7 endpoints to Windows 8.1, on the same equipment.
You can perform the OS in-place migration in two ways.
n
You can download and apply the Windows base layer in one step. Each endpoint is migrated as soon as
Windows 7, Windows 8.1 or Windows 10 image is downloaded to the endpoint. Each CVD starts the
migration process as soon as the image is downloaded to the endpoint.
Alternatively, you can download the base layer first and apply it to selected or all CVDs at a later time.
This gives you control over when the new OS is applied to specific endpoints. As the amount of time it
takes to download might vary by endpoint, you might want to migrate certain endpoints that have
finished downloading in advance of the others.
In both cases, you start with a basic procedure, where you can apply CVDs immediately, or can download
and apply them later. See Perform Basic Windows OS In-Place Migration, on page 177.
If you choose to only download a CVD, after the initial procedure is finished, you can complete the
migration procedure by performing the steps described in Download First and Apply in Stages, on
page 178.
To perform a migration to different hardware, see Migrating to Windows OS Replacement Devices, on
page 179.
176
VMware, Inc.
Chapter 28 Windows OS Migration
Perform Basic Windows OS In-Place Migration

In the basic procedure, the CVDs act independently and the migration operation starts on each endpoint as
soon as the image completed the download, regardless of the state of the other CVDs in the task.
Alternatively, for more control, you can choose to download first and apply to selected or all CVDs at a later
time.
Prerequisites
1
Procedure
1
In the Mirage Management console tree, select Common Wizards > Windows OS Migration.
Choose one or more CVDs to update and click Select and click Next.
You can either choose individual or multiple CVDs from the CVD List pane, or a collection from the
Collections tab.
Select the base layer image for the migration.

a
Select Download and Apply Base Layer or Only Download Base layer.
Option
Description
Download and Apply Base Layer
This performs the migration in one step. The CVDs act independently
and the migration operation starts on each endpoint as soon as the
image completed the download, regardless of the state of the other
CVDs in the task.
Only Download Base Layer
This performs only the Download stage, allowing you to selectively

migrate CVDs that have completed downloading as a separate
operation.
In this case, after the Wizard procedure is finished, you can start to
migrate certain endpoints that finished downloading.
Select the Windows OS base layer image for migration.
Click Next.
Select one or more available app layers to assign to the endpoint, move them to the Assigned layers list
and click Next.
NOTE When performing Windows OS migration with app layers, Mirage is only able to deliver driver
packages as part of the Mirage driver library mechanism. In this scenario, Mirage will not deploy driver
packages which were recorded as part of the app layers.
a
VMware, Inc.
177
d
6
Option
Description
OU

Join Domain account
Click Next.
Use the validation page to resolve any compatibility problems between the base layer and selected
CVDs.
You cannot proceed until blocking problems are resolved.
Click Next and Finish.
After the operation is completed, one task is created that contains all the CVDs that you selected.
What to do next
If you chose Download and Apply Base Layer, the migration proceeds and you can now monitor the
migration progress. See Monitor the Windows OS Migration, on page 180.
If you chose Only Download Base Layer, after the basic procedure is finished, you can start to migrate
certain endpoints that finished downloading. See Download First and Apply in Stages, on page 178.
Download First and Apply in Stages

If you completed the basic Windows OS in-place migration procedure using the Only Download Base
Layer option, you can now apply the base layer to downloaded CVDs.
The basic migration operation that you ran with the Only Download Base Layer option created a Migration
Download task that contains the CVDs you selected. At the end of that operation, the Windows 7, Windows
8.1, or Windows 10 image that downloaded to individual endpoints is either ongoing or completed. See
Perform Basic Windows OS In-Place Migration, on page 177, but applying the CVDs is not started.
You must now apply the image to the endpoints.
You can apply all the CVDs that have finished downloading, or you can select specific CVDs to apply first.
You can then apply the remaining CVDs in additional cycles.
If not all the CVDs in the task, or in your selection of CVDs, are finished downloading, you can additionally
choose to wait until all CVDs are downloaded, or apply the ones that have finished. You can then apply the
remaining CVDs in additional cycles as they finish downloading.
Procedure
1
178
Select Task Monitoring in the Mirage Management console tree.
VMware, Inc.
Chapter 28 Windows OS Migration
(Optional) Download all the CVDs in the task.

a
Right-click the Migration Download task and select Start Migration.
If downloads were not completed on at least one of the CVDs in the task, select:
Option
Description
Yes
Apply migration to the CVDs that have finished downloading so far.

The not-yet-downloaded CVDs continue to download and are left in
the Migration Download task.
No
Wait for the downloading to finish on all CVDs in the task and apply
migration automatically to all the CVDs at that time.
The migration starts on the eligible CVDs according to the selected option.
c
3
Continue to step 4.
(Optional) Download specific CVDs in the task.

a
Right-click the Migration Download task and select View Assignments.
To view the CVDs in the task, select Image Composer Layer Assignments.
Select the CVDs that you want to migrate, right-click, and select Start Migration.
The Status panel displays how many CVDs were downloaded. Multiple statuses are shown while
downloading is in progress. If downloads were not completed on at least one of the selected CVDs,
a warning appears concerning these assignments.
Select on of the following options.

Option
Description
Yes
Apply migration to the selected CVDs that have finished downloading

so far. The not-yet-downloaded CVDs continue to download and are
left in the Migration Download task.
No
Wait for the downloading to finish on all the selected CVDs and apply
migration automatically on all the CVDs at that time.
The migration starts on the eligible CVDs according to the selected option.
4
You can repeat the procedure as more CVDs complete downloading.
The migration operation starts on the eligible CVDs, according to the option you selected.
What to do next
You can monitor the progress of the migration. See Monitor the Windows OS Migration, on page 180.
You can repeat the procedure as more CVDs complete downloading.
Migrating to Windows OS Replacement Devices

You can migrate end users from Windows XP, Windows Vista, or Windows 7 machines to new Windows 7
machines, or from Windows 7 machines to Windows 8.1 machines. This is relevant for smaller customers
that use Windows OEM SLP licenses, and supports both disaster recovery and hardware refresh scenarios.
You can use the migrate to Windows OS replacement devices operation for the following operating systems:
n
Windows XP 32-bit to Windows 7 32-bit or 64-bit
Windows Vista 32-bit to Windows 7 32-bit or 64-bit
Windows Vista 64-bit to Windows 7 64-bit
Windows 7 32-bit to Windows 7 32-bit or 64-bit
VMware, Inc.
179
Windows 7 64-bit to Windows 7 64-bit
Windows 7 32-bit to Windows 8 32 bit or 64-bit
Windows 7 32-bit to Windows 8.1 32 bit or 64-bit
Windows 7 64-bit to Windows 8.1 64-bit
Windows 8 32-bit to Windows 8 32-bit or 64-bit
Windows 8.1 32-bit to Windows 8.1 32-bit or 64-bit
Windows 8.1 64-bit to Windows 8.1 64-bit
Migration to a different device requires restoring only user data and settings, see Restore a CVD to a
Replacement Device, on page 161.
NOTE In-place migration for Windows OS described in Chapter 28, Windows OS Migration, on page 175
is not suitable for migration to replacement devices.
Monitor the Windows OS Migration

You can monitor the detailed progress of all the CVDs in the migration by viewing the task progress.
Procedure
1
In the Mirage Management console tree, select Task Monitoring.
Right-click the required task and select View Assignments.

The Status panel shows how many CVDs were downloaded. Multiple statuses are shown while
downloading is in progress.
Applying Windows OS Post-Migration Scripts

You can create a custom post-migration script to perform certain actions after the migration update, such as
install software or add or remove drivers.
A custom post-migration script is required in cases such as:
n
Install software requiring execution on the individual endpoint. This can include hardware-specific
software that is compatible only with certain endpoints.
Update or remove hardware drivers that might already exist on the endpoint.
This file and any auxiliary files used or called by the script are captured as part of the base layer and
distributed to the various endpoints. It is important to verify that the auxiliary files are placed in the same
directory as the script or another directory that is captured in the base layer.
Procedure
u
Create a file called post_migration.bat under the %ProgramData%\Wanova\Mirage Service directory.

You must edit the file on the reference machine.
NOTE The Mirage client installation includes a default sample script that does not perform any postmigration script actions.
The Mirage client monitors the post-migration script execution and reports events to the Mirage central
management service if the script returns an error value other than zero.
180
VMware, Inc.
Monitoring System Status and

Operations
29
The system dashboard assists you to monitor the system status and operations. The transaction log lets you
monitor the progress of updates coming from and to the Mirage server.
n
Using the System Dashboard, on page 181
Using Transaction Logs, on page 183
Using the System Dashboard

The system dashboard provides at-a-glance monitoring of system component status and operations, such as
statistics about system activities, alerts, and indications of actions the administrator must carry out, as well
as centralization and backup processes. It also assists the Protection Manager role to ensure that user devices
are protected.
Most dashboard information is refreshed automatically every three minutes. You can also refresh key
information indicators, such as system status, server status, and capacity use, by pressing F5.
System Status
The System Status area shows the number of unacknowledged events by severity (Critical, Warning, or Info)
and source (Server or Clients).
System events are propagated from clients, the server, and the management service on the server. Warning
and Info events provide advice or instructions that do not require urgent attention. You can click an event
button to open the Event log view filtered according to the selected severity and source.
Servers
The Server area shows the Up or Down status of Mirage servers. The icon also reflects the server status.
Capacity Status
The Capacity Status area shows the number of devices according to the following statuses:
Table 291. Device Statuses
Status
Description
Pending
Number of devices pending restore or activation, irrespective of their connection status.
Online
Number of activated devices that are online, excluding online devices pending restore.
Offline
Number of activated devices that are offline, excluding offline devices pending restore.
VMware, Inc.
181
You can click the Pending label or counter to link to the Pending Devices window where you can view the
pending devices and apply relevant actions.
An exclamation mark icon indicates license depletion. This occurs if the total number of pending plus online
devices is greater than the licensed capacity.
Update Progress
The Update Progress area histogram shows the number of clients currently downloading updates or
involved in restore activities, for example, following base layer assignment, enforcement, or update, and
CVD restore. The information is presented in percentage progress ranges, from just started (0-20%) to almost
completed (80-100%).
Totals of desktops finished downloading or currently downloading are also provided.
Table 292. Totals of Desktops Finished Downloading or Currently Downloading
Statistic
Description
Total Ready
Number of desktops that have finished downloading (reached 100%), or that have no pending
download.
Total in Progress
Total number of desktops that are currently downloading or have an incomplete download
pending network reconnection.
Data Protection
The Data Protection meter indicates the total protection level of the desktop deployment.
The gauge shows the ratio of total desktop content stored and protected at the server versus total desktop
data at the endpoint in the process of synchronization. The gauge reflects information provided by online
devices. Offline devices report the next time they connect.
Core Image Compliance

The Core Image Compliance meter indicates the total compliance level of your endpoints.
The gauge represents the percentage compliance of managed endpoints with their IT-approved base layer.
Based on this information, you can enforce the base layer for one or many endpoints to bring them back into
compliance and decrease the likelihood of end user problems.
Efficiency Benchmarks
The Efficiency Benchmarks area shows the actual traffic between the desktops and the server over the last 24
hours as a histogram.
Table 293. Efficiency Benchmark Histograms
Histogram
Description
Network Usage (In)
Shows upload traffic from desktops to server.
Network Usage (Out)
Shows the download traffic from server to desktops.
Each bar shows the total data for one hour. The bar representing the current hour shows total traffic from
the start of the hour to the last dashboard refresh time.
Table 294. Information Provided in Each Histogram
182
Element
Description
Y axis
Data size in bytes, KB, MB, or GB, according to the maximum data transferred in the 24-hour span.
X axis
Time in hours, where each bar represents one hour.
VMware, Inc.
Chapter 29 Monitoring System Status and Operations
Table 294. Information Provided in Each Histogram (Continued)

Element
Description
Total
Total traffic in the last 24 hours.
Average
Hourly traffic average in the last 24 hours.
Peak
Hourly traffic peak in the last 24 hours.
Using Transaction Logs

A transaction is a logical operation between the Mirage server and the Mirage client. You can use the
transaction log to monitor the progress of updates coming from and to the server.
Each transaction is built from a collection of sub-transactions, each representing a network session between
the client and server. Sub-transactions are reported only when a session is either complete (succeeded) or
terminated (failed due to a network disconnect or other specified reason).
Table 295. Transaction Types in the Transaction Log
Transaction Type
Description
Centralize Endpoint
First time upload of the end user machine to the server.
Upload Incremental Changes
Synchronizing ongoing changes from the end user machine to the server.
Update Base Layer
End user machine is updated with the assigned base layer
Update App Layer
End user machine is updated with the assigned app layer.
Base Layer Caching
The branch reflector downloads a base layer.
Base Layer Verification
Base layer download is verified prior to being applied.
Restore Prefetch
Client downloads the minimum file set required from the CVD to allow the
endpoint to boot the restored CVD and allow network access to complete restore
through background streaming.
Restore Streaming
Client streams the remainder of the restored CVD to the endpoint while the user
works normally online.
NOTE More than one sub-transaction appears when one or more attempts to complete the parent
transaction failed. The sub-transaction status reported is final and does not change.
Transaction Entry Properties

Table 296. Transaction Log Information for Each Entry
Parameter
Description
CVD
Number of the CVD
CVD Name
Name of the CVD
Type
Type of operation being performed, such as Centralize Endpoint or Upload

Incremental Changes
Status
Status of the transaction, for example Success.
Layer
Base Layer ID and version, if applicable
Changed Files
Total number of changed files
Unique Files
Total number of files to be transferred, after duplicate files are eliminated
Size (MB)
Total Data size of the files to be transferred, after duplicate files are
eliminated
VMware, Inc.
183
Table 296. Transaction Log Information for Each Entry (Continued)

Parameter
Description
Size After File Dedup (MB)
Data Size After Dedup, meaning the total size of file and metadata to be
transferred after it is reduced by intra-file and inter-file block level
deduplication, but before LZ compression
Size After Block Dedup (MB)
Before Compression size, which is the total network transfer as seen over
WAN, before applying LZ compression
Data Transferred (MB)
The total network transfer that took place.
Branch Reflector Transfer (MB)
The amount of data that was sent from the branch reflector to the endpoint
(instead of from the Mirage server directly to clients).
Savings
Transfer Savings, meaning the ratio of the total size of the changed files and
actual transfer size
Start Time
Start time of the transaction
End Time
End time of the transaction
Duration
Duration opf the transaction
Search and Filter Results Specification

Whenever a search or filter query is initiated in any list window, the first page of results appears in the view
area. The number of pages of qualifying records appears under the Search text box and you can scroll to the
next or previous page by clicking arrow icons. For improved query response time, when the number of
records retrieved is very large, the associated page count is not calculated and is replaced by three dots (...).
Total Transaction Record Limits

The system implements transaction record limits to prevent log files from becoming too large:
Table 297. Transaction Record Limit by Record type
184
Transaction Record Type
Cleaned up after:
Steady State (SS) transactions
30 days
Layer transactions
180 days
All other transactions
365 days
VMware, Inc.
Working with Reports for Mirage

Operations
30
You can generate and view reports on demand. Reports display the status of various Mirage operations.
You access, generate, import, and export reports from the Reports tab in the Mirage Web Manager.
You can preview a report as a PDF. The preview displays in a new tab of the Web browser. Ensure that you
disable pop-up blocker.
The maximum number of records that you can include in a report by default is 2,000. If the report includes
more than 2,000 records, the report fails to generate. When you generate a report that contains more than
200 records, you receive a warning message that the procedure might take some time to generate. You can
configure these parameters by editing the configuration files located in C:\Program Files\Wanova\Mirage
Web Management\web.config.
n
<add key="ReportRecordCriticalThreshold" value="0"/>
<add key="ReportRecordWarnThreshold" value="0"/>
Centralization Progress
You generate the Centralization Progress report during the first phase of the Mirage deployment to view the
progress of CVDs being centralized. The Centralization Progress report displays the centralization status of
CVDs and the average time, average CVD size, and average data transfer size of completed CVDs during
the specified time frame for the report.
OS Migration Process
The OS Migration Process report displays the number of CVDs that have started, are still pending, and have
completed an OS migration procedure.
Endpoint Provisioning Progress Report

You generate the Endpoint Provisioning report to view the CVDs that are being provisioned and the CVDs
that have completed provisioning during the specified time frame for the report.
Data Protection Status

You generate the Data Protection Status report to view the percentage of users' systems that are backed up.
The Data Protection Status report displays the data protection status of CVDs and lists the CVDs and users
for whom an upload procedure is incomplete.
Custom Report
You can create a custom report based on your organization's requirements.
VMware, Inc.
185

n
Layer Dry Run Reports, on page 186
CVD Integrity Report, on page 187
Layer Dry Run Reports

You can run a Layer Dry Run report to compare the content of the layers and the CVD before applying a
layer update to a CVD or collection of CVDs. This report provides a method to detect unforeseen effects,
and resolves conflicts that might result from any mismatch between the CVD and the layers content.
Table 301. Types of Conflict Described in the Report
Conflict Type
Description
Base Layer Application Downgrades a user

installed application
An application installed in the base layer uses an older version of

shared components than another user installed application uses.
Base Layer Application Downgrades OS component
An application installed in the base layer downgrades OS

components.
Base Layer OS Components downgrades user

installed application
OS components in the base layer downgrades shared components

that are used by a user installed application.
You can generate this report in two ways:

Table 302. Types of Layer Dry Run Report
Report Type
Description
Application-level report
Describes projected applications that are added to, updated in, or deleted from to an
endpoint device when the selected layer changes are applied. It compares the
applications installed on the layers and the CVD and provides a general view of the
result for the change in layers. For more information, see 16.2 Comparison Report
between Base Layer and CVD.
Program Executable (PE) level

report
Analyzes the outcome of removing or updating a PE file. It projects affected software

modules, such as .DLL files, when a base layer is downloaded to an endpoint device
client, and details whether each affected module is downgraded.
NOTE Depending on the number of CVDs selected, running the report might take some time.
Procedure
1
In the VMware Mirage Management console tree, under the Reports tree, click the report type that you
want to generate or view.
To generate a dry run report:

a
Click the Generate Report icon on the report toolbar.
Type a report name in the Report Name text box.
Select a CVD and click Select , and click Next.

To deselect a CVD, click Remove. To deselect all CVDs, click Clear.
Select a base layer option.

Select No change to target base layer, or Select Base layer from list and select a base layer, and
click Next.
186
VMware, Inc.
Chapter 30 Working with Reports for Mirage Operations
Select app layers to be included in the report.
Click Finish.
The report is generated. You can view the report when the status is Done.
To view a report that was generated:

u
Click the View Report icon on the report list toolbar.

The report appears as an HTML page.
To delete a report:
a
On the report list, select the report you want to delete.
Click the Delete icon on the report console toolbar.
CVD Integrity Report

You generate the CVD Integrity report if a system event warns that a CVD might have inconsistencies.
The CVD Integrity report verifies that a CVD is consistent and free of corruption, and can continue to reside
in the system and be used for restore and other purposes.
Procedure
1
In the Mirage Management console tree, expand the Reports node and select the CVD Integrity report.
To generate a report:
a
Click the Generate Report icon on the report toolbar.
Type a report name in the Report Name text box. If none is given, the default name format is
applied (CVD_Integrity_{User's environment name}_{Short date}).
Select a CVD in the CVD List area, and click Next.
Select a report option:
e
3
Option
Description
Check Only
Generates only the CVD Integrity report, which checks for errors on the
selected CVD. No repair actions are performed.
Fix For Upload
Use this report option if you were performing a non-restore process

(for example, periodic upload) when you encountered a problem with
the CVD. Corrupted files are re-uploaded so that the interrupted
process can resume.
Fix For Restore
Use this report option if you were performing a restore process when
you encountered a problem with the CVD. Corrupted files are repaired
so that the interrupted process can resume.
To view a report that was generated:

u
Click the View Report icon on the report list toolbar.

The report appears as an HTML page.
VMware, Inc.
To delete a report:
n
On the report list, select the report you want to delete.
Click the Delete icon on the report console toolbar.
187
188
VMware, Inc.
VMware Mirage Security Reference
31
When you configure a secure Mirage environment, you can change settings and make adjustments in
several areas to protect your systems.
n
Ports and Protocols Used by Mirage, on page 189
Protecting Mirage Resources, on page 191
Mirage Log Files, on page 192
Mirage Accounts, on page 193
Ports and Protocols Used by Mirage

The Mirage system and clients use default communication ports. Make sure that the correct ports and
protocols are selected for the system.
The Mirage Management server and Mirage servers use external communications to communicate with the
Mirage clients or the Mirage Management console, and internal communications to communicate with each
other.
Table 311. Ports and Protocols for Mirage Components
Component
Commun
ications
Port
Protocol
Notes
Mirage service
External
8000
TCP/IP or
SSL/TLS
The only port required for communications between

Mirage clients and servers.
NOTE SSL/TLS is optional and can be enabled. See Install
an SSL Server Certificate for the Mirage Server, on
page 48.
Mirage Branch
Reflector
External
8001
TCP/IP
Used for communication between the branch reflector and

the local peers at the remote site.
Mirage Management
service
External
8443 ,
1443
TCP/IP
Used for communication between the Mirage Management

console and the Mirage Management service. SOAP
Message-level Security is applied.
Mirage Server service
Internal
135,
445
TCP/IP
Used for control communication between the Mirage

Management service and the Mirage server.
NOTE You can limit access to this port to incoming
connections from the Mirage Management service host.
File portal
Internal
6080,
6443
TCP/IP
Used to access the file portal.
Mirage Web Manager
Internal
7080,
7443
TCP/IP
Used to access the Web Manager.
VMware, Inc.
189
Table 311. Ports and Protocols for Mirage Components (Continued)

Commun
ications
Port
Protocol
Notes
Internal
8000
TCP/IP
Used for communication between the Mirage Gateway

server and the Mirage server.
NOTE The port must have DNS update access.
Internal
389,
636
TCP/IP
LDAP or
LDAPS
Used for communications between the Mirage Gateway

server and the LDAP servers.
Internal
8080 /8
443
TCP/IP
Used for communications between the Mirage Gateway

server and the Mirage Management server.
Used for the Mirage Gateway Web console.
External
8000
TLS/SSL
Used for communication between the Mirage client and

the Mirage Gateway server.
Internal
8093
TCP/IP
Used for communication for Mirage Gateway

authentication service.
Mirage API
Internal
7443
HTTPS
MongoDB File
Database
Internal
27017,
27018
TCP/IP
Component
Mirage Gateway
server
190
Used to communicate with the MongoDB nodes located on

each Mirage server and Mirage Management server.
VMware, Inc.
Chapter 31 VMware Mirage Security Reference
Protecting Mirage Resources

Mirage includes several configuration files and similar resources that must be protected.
Table 312. Mirage Resources
Resource
Location
Protection
Configuration files
web.config
app.config
Mirage Gateway server:
Configurations are automatically access protected

from other computers. User passwords are
scrambled in the database.
/opt/MirageGateway/etc/Mi
rageGateway.conf
/opt/MirageGateway/apache
-tomcat-7.0.54/conf
Mirage Web Manager:
/opt/MirageGateway/apache
tomcat-7.0.54/webapps/Web
Console/WEBINF/classes/log4j.propert
ies
Customer Experience
Improvement Program:
%Program Files
%\Wanova\Mirage
Management
Server\Ceip\conf\ceip.pro
p
%Program Files
%\Wanova\Mirage
Management
Server\Ceip\conf\CEIPTime
Control.prop
%Program Files
%\Wanova\Mirage
Management
Server\Ceip\conf\Customer
.conf
%Program Files
%\Wanova\Mirage
Management
Server\Ceip\conf\DataAcce
ss.cfg.xml
%Program Files
%\Wanova\Mirage
Management
Server\Ceip\conf\JoinCEIP
.conf
%Program Files
%\Wanova\Mirage
Management
Server\Ceip\conf\log4j.pr
operties
Mirage API configuration files:
%\Program Files
%\Wanova\Mirage
API\log4net.config
Mirage Management server:
VMware, Inc.
191
Table 312. Mirage Resources (Continued)

Resource
Location
Protection
%Program Files
%\Wanova\Mirage
API\web.config
%Program Files
%\Wanova\Mirage
Management
Server\Wanova.Management.
Service.exe.config
Mirage server:
%Program Files
%\Wanova\Mirage
Server\Wanova.Server.Serv
ice.exe.config
Log files
See Mirage Log Files, on

page 192
Protected by access control.
Mirage client log files
%ProgramFiles
%\Wanova\MirageService\Lo
gs
These files are accessible to all users
Mirage Log Files

Mirage creates log files that record the installation and operation of its components.
NOTE Mirage log files are intended for use by VMware Support. Configure and use the event database to
monitor Mirage.
Table 313. Mirage Log Files
Mirage Component
File Paths
Mirage server
%Program Files%\Wanova\Mirage Server\server.log

%Program Files%\Wanova\Mirage Management
Server\mgmtservice.log
Mirage Management server
%Program Files%\Wanova\Mirage Server\server.log

%Program Files%\Wanova\Mirage Management
Server\mgmtservice.log
Mirage client
%ProgramFiles%\Wanova\MirageService\Logs
Mirage Web Manager
Web Manager log files:

%ProgramData%\Wanova Mirage\Web
Management\logs\webapp.log
Customer Experience Improvement Program log files:
Error log. Ceip\logs\MirageCEIPerror.log
Data collection log. Ceip\logs\MirageCEIPlog.log
Service log. Ceip\logs\MirageCEIPService.log
192
VMware, Inc.
Chapter 31 VMware Mirage Security Reference
Table 313. Mirage Log Files (Continued)

Mirage Component
File Paths
Mirage API
%ProgramData%\Wanova Mirage\Web
Management\logs\mirage_api.log
Mirage Gateway server
/opt/MirageGateway/logs/error.log
/opt/MirageGateway/logs/mirage_gateway.log
/opt/MirageGateway/logs/mirage_gateway_backend.
log
/opt/MirageGateway/logs/mirage_gateway_current_
stat.log
/opt/MirageGateway/logs/mirage_gateway_service.
log
/opt/MirageGateway/logs/mirage_gateway_stat.log
/opt/MirageGateway/apache-tomcat-7.0.54/logs/
MirageGateway.log
Mirage Accounts
You set up system and database accounts to administer Mirage components.
You must set up system and database accounts to administer Mirage system components.
Table 314. Mirage System Accounts
Mirage Component
Required Accounts
Mirage server
The domain group is created during installation and

administrator roles are created in the Mirage Management
console.
Mirage Management server
The domain group is created during installation and

administrator roles are created in the Mirage Management
console.
Mirage client
Not applicable.
Mirage Web Manager
Configure user accounts in Active Directory, and assign

users to an Active Directory group. In the Mirage
Management console, assign roles, such as protection
manager or help desk, to the Active Directory group.
VMware recommends that you limit log-in privileges to the
designated administrator group.
Mirage API and Mirage PowerCLI
Use NT account credentials.
The default username is Mirage and the default password is

vmware.
VMware, Inc.
193
194
VMware, Inc.
Maintaining the Mirage System
32
You can perform maintenance operations on Mirage servers and the Management server, including backup,
restore, and upgrade from previous Mirage versions.
n
Server and Management Server Operations, on page 195
Upgrading from Previous Mirage Versions, on page 197
Server and Management Server Operations

You can perform maintenance operations on Mirage servers and the Mirage Management server, including
backup and restore.
Back up a Server or the Management Server

You can back up a Mirage server or the Mirage Management server. Server state backup involves the
backup of all storage volumes and the database.
IMPORTANT Configure your server backup software to stop the Mirage server cluster and the Mirage
Management server during the snapshot and database backup time. Back up the SIS and the database using
a point-in-time representation so that the backup is consistent across all the volumes and the database.
Contact VMware support for assistance with this procedure.
Prerequisites
Copy the Mirage storage volumes to the backup location, preferably through a snapshot mechanism, and
also back up the database.
If storage snapshots are not used, verify that the Mirage servers and the Management server are stopped for
the full duration of the backup.
Restore the Mirage Management Server

You can restore the Mirage Management server, without reference to Mirage servers.
When you need to restore the Mirage Management server, you need to reinstall only the Mirage
Management server. For detailed instructions on installing a Mirage Management server, see the
VMware Mirage Installation Guide.
VMware, Inc.
195
Use the same fully-qualified name of the original Mirage Management server so that existing Mirage servers
can locate the Management server and connect to it.
IMPORTANT Restore all Mirage storage volumes and the database at the same time, even if only a single
volume or only the Mirage database needs to be restored.
Procedure
1
Restore the complete server system from a full disk image.
Start the server in Windows Safe Mode.
Set the VMware Server Service and VMware Management Service start type to Disabled.
Start the server normally.
Run the following command: Wanova.Server.Tools.exe ResetPendingBI .

The ResetPendingBIIcommand stops the CVDs from downloading the pending base layers.
Set the VMware Server Service and VMware Management Service start type to Automatic.
Start the VMware server service and VMware management service.
Restore a Mirage Server

You can restore a Mirage server, without reference to the Mirage Management server.
When only a single server needs to be restored and no Mirage storage or database is installed on this
machine, you need to reinstall only the Mirage server and point it to the Mirage Management server.
If the Mirage Management server was installed on the same machine, you need to reinstall the Mirage
Management server before reinstalling the server.
For more information about installing the Mirage server and Management server, see the VMware Mirage
Installation Guide.
Restore Mirage Storage Volumes and Database

You can restore the Mirage storage volumes and database in a standalone or clustered environment, where
the volumes and database are not co-hosted on the same server as the Mirage Management server.
Prerequisites
You must obtain the Server.Tools.zip package prior to installing the Mirage server. For information about
obtaining the package, contact VMware Support.
Procedure
1
Verify that all Mirage servers and the Mirage Management server are stopped.
Restore all the storage volumes and the database from backup.
Make sure to restore to original UNC paths.
Copy the Server.Tools.zip to the server machine, extract the zip file, and run the following command
from any server machine: Wanova.Server.Tools.exe ResetPendingBI.
Start the Mirage Management server and all servers.
What to do next
If the UNC path was changed on any of the volumes, you must change the UNC path in the Edit Volume
dialog box and mount the volume. See Edit Storage Volume Information, on page 87.
196
VMware, Inc.
Chapter 32 Maintaining the Mirage System
Restore a Standalone Server

Restoring a standalone Mirage server is suitable for small-scale, standalone server setups where the
database, storage and Mirage services are all co-hosted on the same server.
The procedure restores the complete Mirage server system from backup, including OS image, server
software, storage and database.
Procedure
1
Restore the complete server system from a full disk image.
Start the server in Windows Safe Mode.
Set the VMware Server Service and VMware Management Service start type to Disabled.
Start the server normally.
Run the following command: Wanova.Server.Tools.exe ResetPendingBI .

The ResetPendingBIIcommand stops the CVDs from downloading the pending base layers.
Set the VMware Server Service and VMware Management Service start type to Automatic.
Start the VMware server service and VMware management service.
Upgrading from Previous Mirage Versions

You can upgrade the Mirage system from earlier Mirage versions.
Upgrading the Mirage servers does not remove data from storage volumes that were connected to the
Mirage system.
Before You Start to Upgrade Mirage

Before you begin the upgrade process, you must perform certain pre-upgrade steps.
Mirage uses a MongoDB database to store system data and small files, which improves performance. The
MongoDB files are created and stored on a dedicated path. Unlike previous Mirage versions, 5.3 and earlier,
loss of system data stored in the MongoDB database can impact the entire system, including CVDs. VMware
recommends that after you upgrade Mirage, you install an additional Mirage Management server.
If you are upgrading from Mirage 5.3 or earlier, when you install the Mirage Management server, you are
prompted to specify a path for the MongoDB database files.
If you are upgrading from Mirage 5.4, when you install the Mirage Management server, you are not
prompted to specify a path for the MongoDB database files. After you upgrade from Mirage 5.4, VMware
recommends that you install an additional Mirage Management server to ensure data availability.
Prerequisites
Verify that you have the following information available from the server config file.
n
Database server name
Credentials for the database server
Mirage server cache directory location
Cache size
Procedure
1
VMware, Inc.
Stop Mirage services.
197
Back up the Mirage database.

n
Double-click the C:\Program Files\Wanova\Mirage Management Server\sysreport_full.cmd file to

run a full sysreport in Mirage
Use SQL Server Management Studio.
Take snapshots of all Mirage storage volumes.

Use image-based block backup, not file-based backup.
If you cannot make a snapshot, create and run a backup job for each volume's directory using any
available backup program.
This process can take a significant amount of time to complete. The backup software must support
Alternate Data Streams (ADS). For best results, use block-based backup programs rather than file-level
backup using ADS.
Upgrade from a Previous Mirage Version

When you upgrade Mirage, it is important to upgrade Mirage in a specific order.
Use the .msi files from the Mirage installation package to upgrade to the latest version of Mirage.
Prerequisites
n
Ensure that you shut down the Mirage servers.
Change the name of volume paths that contain non-ASCII characters.
Procedure
1
To upgrade the Mirage Management server, double-click the mirage.management.server.

64x.buildnumber.msi file.
By default, the configuration settings you selected during the initial installation are applied. You can
change the configuration settings during the upgrade process.
To upgrade the Mirage server, double-click the mirage.server.64x.buildnumber.msi file.

To upgrade the Mirage Web Manager, double-click the
mirage.WebManagement.console.x64.buildnumber.msi file.
198
When prompted provide the necessary configuration information.
VMware, Inc.
Chapter 32 Maintaining the Mirage System
To upgrade the Mirage file portal, double-click the mirage.WebAccess.console.x64.buildnumber.msi

file.
a
Follow the prompts until you come to the Web Access Configuration page and provide the Web
access configuration information.
Option
Description
Web Access
Select Web Access to provide access to only an end-user's user files, as

defined by the administrator, across all CVD snapshots. The Mirage
client user can access the Web Access feature to only download their
files at http://server:6080/Explorer.
Admin Web Access
Select Admin Web Access to give the administrator full access to all
user CVDs across all CVD snapshots. The administrator can access the
Admin Web Access feature to download all files of any user at
http://server:6080/AdminExplorer.
By default, both the Web Access and Admin Web Access Web applications are configured for the
file portal. You can select not to configure either of these options by clicking the drop-down menu
and selecting Entire feature will be unavailable.
5
To upgrade the Mirage Management console, double-click the .msi file for your environment.
Option
Description
64-bit
mirage.management.console.x64.buildnumber.msi
32-bit
mirage.management.console.x86.buildnumber.msi
VMware, Inc.
199
200
VMware, Inc.
Troubleshooting
33
Various troubleshooting mechanisms are available, including the CVD History view, Event log, and other
system logs and reports.
n
CVD Events History Timeline, on page 201
Problematic CVDs, on page 201
Using Event and Other System Logs, on page 202
Customize the Minimal Restore set, on page 202
Generate System Reports, on page 203
Generate System Reports Remotely, on page 204
CVD Events History Timeline

To help you troubleshoot problems in a CVD, the Mirage Management console consolidates all the events
during a CVDs life in a common timeline.
The following events are displayed in the CVD history view:
n
Transaction log events
Audit events
Client system events
Procedure
1
Expand the Inventory node and select All CVDs.
Right-click the CVD name and select History > Timeline.
You can copy and paste information from the CVD History view for use elsewhere by using the
standard Windows key combinations Ctrl + C to copy, and Ctrl + V to paste.
Problematic CVDs
In the Mirage Management console you can view the CVDs that have open alarms.
There are five alarms that might be triggered for CVDs.
n
Vss alarm
Not enough disk space alarm (the Mirage client)
VMware, Inc.
201
Not enough volume disk space (the Mirage server)
Download failure alarm
Upload failure alarm
You can view a list of the CVDs with open alarms on the Problematic CVDs node in the Mirage
Management console. Alternatively, in the CVD Inventory grid view, CVDs with open alarms display a red
bell icon.
A CVD can only have one open alarm at a time.
Using Event and Other System Logs

The Mirage Management console provides a range of system logs, including the Event log, Transaction log,
and the Manager Journal, which records audit events.
The Mirage Management console includes the following logs:
Table 331. Management Console Logs
Log
Description
Event Log
Lists important system events as propagated from the server and clients.
Transaction Log
Records logical operations between the Mirage server and client. You can use the transaction
log to monitor the progress of updates coming from and to the server. See Using
Transaction Logs, on page 183.
Manager Journal
Collects and tracks audit event history.

An audit event is created for any administrator action that results in a system setting or
configuration change. This includes actions performed using the Management console or
through a CLI. Read-only actions do not create audit events. Audit events provide the
operation time, name, and details, and the user name.
Customize the Minimal Restore set

You can customize the minimal set of files that must be restored to an endpoint so that it can reboot to the
CVD and work online. The Minimal Restore set generally includes the organization VPN, antivirus, firewall
applications, and driver store.
Minimal restore sets can be static or dynamic.
Table 332. Minimal Restore Set Types
Minimal Restore Set Type
Description
Static Minimal Restore Set
A static list of files created by the administrator and placed in an XML file that
is fetched during the restore operation. The files restored provide the endpoint
with the minimum environment required to boot to a CVD. The static list is
used for all endpoint devices in the system.
Dynamic Minimal Restore Set
This is a CVD-specific list of files that is acquired during normal CVD use. The
list is built on each boot and captures the system, applications, and user files
over a short time period after booting. A separate dynamic restore set is
created for each CVD in the system and is used in conjunction with the static
minimal restore set when a restore is performed.
The procedure describes how to customize the minimal set.

You can remove the minimal set using this procedure with the command removeMinimalSet. When this
command is run, the entire CVD content is downloaded prior to the restore and online streaming is not
used.
202
VMware, Inc.
Chapter 33 Troubleshooting
You can revert to the original (default) VMware minimal set. The file is located at: C:\Program
Files\Wanova\Mirage Server\MinimalSet.xml.
You can used the same file as basis for further customization, such as adding the corporate antivirus and
VPN files.
IMPORTANT The procedure describes how to modify critical Mirage configurations using the CLI. Follow
these steps carefully, as serious problems can occur if the CLI is used incorrectly.
Prerequisites
You must be authenticated as a member of a group with access to the Mirage Management console. See
Managing Role-Based Access Control and Active Directory Groups, on page 210.
Procedure
1
On the Start menu, click Run, type cmd, and click OK.
In the Command window, type: cd Mirage Server program files path\

For example, C:\Program Files\Wanova\Mirage Server and then press Enter.
Type Wanova.Server.Cli.exe localhost and press Enter.

The Mirage server management console starts running.
To export the minimal restore set, type: getminimalset path to output file.
Edit the file using an XML editor.
Add the modified file to the minimal set, using the following command:
addMinimalSet path to XML file and press Enter.
NOTE Executing this command overrides any existing static minimal set.
A message appears confirming that the Static Minimal Set was added successfully.
To view the minimal set, type printMinimalSetand press Enter.
Type Exit and press Enter to exit the Command window.
Generate System Reports

You can use the System Report Utility to collect internal system log files, relevant registry entries, event
logs, system information, and configuration information to troubleshoot issues that you might run into.
You can generate several types of system reports.
Table 333. Available Report Types
Report
Description
Full report
Collects the most comprehensive set of system logs, registry information, and system
information. While helpful in troubleshooting confirmed problems, this report can be
very large (containing several hundreds of MB of data), and is used only by special
request from VMware Support.
Medium report
Used most frequently, this report type collects a limited set of system logs and system
information. It is faster to generate and more resource efficient than the full report.
Logs only report
Returns a minimal set of log entries. Usually used in early troubleshooting stages to
determine next steps.
Prerequisites
Log in as an administrator.
VMware, Inc.
203
Procedure
1
Run the report.

Option
Action
From a server
Run the sysreport batch file from the Mirage install directory, for
example: C:\Program Files\Wanova\Mirage Server, and run the
required script:
From a client
Full Report: sysreport_full.cmd
Medium report: sysreport_medium.cmd
Logs only report: sysreport_logs_only.cmd
Right-click the Mirage icon in the notifications area, select Tools, and
select the report you want.
The sysreport commands can be CPU-intensive, especially on the server, so an intermediate impact is
generally expected. A CAB file containing all the logs is created at c:\sysreport-MMDDYYYY-HHMMComputerName.cab.
2
Generate a system report for the Mirage Gateway server.

Option
Description
sudo /opt/MirageGateway/bin/sys
report_logs
Collects logs that include Mirage Gateway logs, and Mirage Gateway
performance logs.
sudo /opt/MirageGateway/bin/sys
report_full
Collects logs that include Mirage Gateway logs, Mirage Gateway

performance logs, and system logs.
A ZIP file containing all the logs is created at ComputerName.MMDDYYYY-HHMMSS-logs.zip.
Generate System Reports Remotely

You can save system reports from any device attached to the Mirage server.
The reports can be saved to a UNC path or sent to an FTP site.
IMPORTANT Consider your privacy and regulatory requirements before sending support data to VMware.
Log files, system reports and support data generated in order to obtain support from VMware may contain
sensitive, confidential or personal information, including file and folder names and information about
installed programs and user settings.
Procedure
204
Right-click the CVD for which you want to generate a report and select Device > Generate System
Report.
Select system report.

Option
Description
Full
Includes all logs and collectable information from this endpoint.
Medium
Includes the logs and some additional information.
Logs
Generates a report of only the basic logs for this client.
VMware, Inc.
Chapter 33 Troubleshooting
VMware, Inc.
Specify either the UNC path or FTP Server details.

Option
Action
UNC
Select the Remote Share radio button and type the UNC path.
FTP
Select FTP server and type the server name, user name, and password.
Click OK.
205
206
VMware, Inc.
Advanced Administration Topics
34
Advanced topics serve to supplement information provided in the VMware Mirage Administrator's Guide.
n
Mirage and SCCM, on page 207
Setting Up the SSL Certificate in Windows Server, on page 208
Using Microsoft Office in a Layer, on page 210
Managing Role-Based Access Control and Active Directory Groups, on page 210
Macros in Upload Policy Rules, on page 213
Mirage and SCCM

When you capture a base layer for Windows 7 or Windows 8.1 migration using Microsoft System Center
Configuration Manager (SCCM), certain preparatory steps must be performed.
The reference machine must not be rebooted, and the ccmexec service must not be restarted during the time
between performing the procedure and capturing the base layer.
Regular base layer updates do not require these steps, as this is already handled by Mirage.
Procedure
1
If SCCM client is not yet installed, manually install the client following the instructions at
http://technet.microsoft.com/en-us/library/bb693546.aspxhttp://.
Do not specify a SCCM site code for the client in the CCMSetup.execommand-line properties
(SMSSITECODE parameter).
Stop the SMS Agent Host service (net stop ccmexec).
Use ccmdelcert.exe to delete the SMS certificates. ccmdelcert.exe is available as part of the Systems
Management Server 2003 Toolkit, and is also attached to the wiki page.
Delete c:\windows\smscfg.ini if it exists.
Capture a base layer.

Do not reboot or start the ccmexec service. Otherwise you must repeat this procedure.
VMware, Inc.
207
Setting Up the SSL Certificate in Windows Server

For environments with multiple Mirage servers where SSL is required, you must enable SSL and install the
SSL certificate for each server.
Enabling SSL involves setting up the SSL certificate in Windows Server on Mirage servers, which includes
generating the certificate signing request (CSR), requesting the CSR, and installing the signed certificate.
In a multiserver setup, the SSL certificate setup for Windows Server must be repeated for each installed
Mirage server.
Generate the Certificate Signing Request

When you set up an SSL certificate, you must first generate the certificate signing request.
Procedure
1
Add and configure the Certificates snap-in:

a
On the server, open the Mirage Management console.
Select File > Add/Remove Snap-in.
Add Certificates.
Specify that the snap-in will manage certificates for the Computer account and click Next.
Verify that This snap-in will always manage Local computer is selected and click Finish.
Click OK.
Select the Certificates node in the console root, right-click Personal store and select All Tasks >
Advanced Operations > Create Custom Request.
Verify the information on the Custom Request page, select Proceed without enrollment policy.
a
On
Option
Description
Custom Request
Select Proceed without enrollment policy.
Template and Request Format
Accept the default settings for the CNG Key and PKCS #10 text boxes.
Certificate Information
Click Details for the Custom Request and click Properties.
Click the General tab and type a certificate-friendly name.

You can use the same name as the subject name.
208
Click the Subject tab, and in the Subject Name area, provide the relevant certificate information.
Option
Description
Common name, value
Server FQDN. This is the certificate subject name that is used in the Mirage
configuration to find the certificate. The FQDN must point to that server
and is validated by the client upon connection.
Organization, value
Company name, usually required by the CA.
Country, value
Two-letter standard country name, for example, US or UK. Usually

required by the CA.
State, value
(Optional) State name.
Locality, value
(Optional) City name.
VMware, Inc.
Chapter 34 Advanced Administration Topics
Click the Extensions tab and select the key use information from the drop-down menus.
Option
Description
Key Usage
Select Data Encipherment.
Extended Key Usage
Select Server Authentication.
Click the Private Key tab and select key size and export options.
Option
Description
Key Options
Select the required key size (usually 1024 or 2048).
Make Private Key Exportable
Select to export the CSR, and later the certificate, with the private key for
backup or server movement purposes.
Click OK to close the Certificate Properties window, and click Next in the Certificate Enrollment
wizard.
Leave the default file format (Base 64), and click Browse to select a filename and location of where to
save the CSR.
The certificate request is completed.
10
Click the Certificate Enrollment Requests & Certificates tab, and click Refresh.
You can export the CSR with the private key for backup purposes.
What to do next
After you generate the certificate signing request, you submit the certificate request. See Submit the
Certificate Request, on page 209
Submit the Certificate Request

After you generate the certificate signing request, you submit the request.
Procedure
1
Go to the external CA Web site and click Request a certificate.
On the Request a Certificate page, select advanced certificate request.
On the Advanced Certificate Request page, select Submit a certificate request using a base-64-encoded
CMC or PKCS #10 file or submit a renewal request by using a base-64-encoded PKCS #7 file.
Open the csr.req file with a text editor and copy the text.
Paste the CSR text in the Base-64-encoded certificate request text box.
Select Web Server from the Certificate Template drop-down menu and click Submit.
On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.
When prompted, select Save As, type the file name, and save the certificate as a .p7b file.
Install the Signed Certificate

When the CA sends you the signed certificate file (.cer or .crt), go back to the certificates snap-in and
install the signed certificate.
Procedure
1
On the server, open the Mirage Management console.
Select the Certificates node in the console root, right-click Personal store and select All Tasks > Import.
VMware, Inc.
209
Browse to the signed certificate file and select it.
Select System Auto Selection or Personal Store for the certificate.
Follow the prompts to complete the import.
Click the Personal Certificates tab and click Refresh to load current details.
Open the certificate and verify that it states that you have the private key.
Click the Certification Path tab and check that you have all of the certificates in the chain and that no
validity warnings or missing certificates are present.
Using Microsoft Office in a Layer

You can capture Microsoft Office in a base layer or app layer, and deploy Microsoft Office as part of a base
layer or app layer.
You cannot deliver different versions of Microsoft Office in the same layer assignment.
When you deploy a base layer or app layer that has Microsoft Office, to a machine that already has one or
more versions of Microsoft Office installed, the base layer or app layer must include the Microsoft Office
shared components of the Microsoft Office versions that are already installed on the machine. Microsoft
Office shared components are Microsoft Office shared features and Microsoft Office tools. Each base layer or
app layer must have the shared features from all versions of Microsoft Office that exist in your organization.
When you prepare a reference machine, verify that you install the earlier versions of Microsoft Office before
the later versions.
If you upgrade to a later version of Microsoft Office, and end users have specific applications, such as
Microsoft Visio, installed on their endpoints, verify that those applications are also installed in the new
layers so that those applications function on the endpoints.
During the layer capture process, Mirage prompts you for the Microsoft Office 2010 or Microsoft 2013
license key, as well as licenses for every other activated Microsoft Office application on the reference
machine, such as Microsoft Visio, and Microsoft OneNote. When you deploy the layer to an endpoint, these
Microsoft Office keys are used when delivering Microsoft Office. This is done to preserve the licensing for
an existing version of Microsoft Office and helps prevent problems with Microsoft Office and Microsoft
Visio licensing.
Managing Role-Based Access Control and Active Directory Groups

An administrator can use dynamic role-based access control (RBAC) to define which users can perform
which operations in the system. You can grant a role to one or more Active Directory (AD) groups. The
Mirage server identifies users by AD group membership and automatically assigns them roles in the Mirage
system.
A user can have only one active role at a time. If the users group is assigned to more than one role, the user
inherits the superset privileges of all assigned roles.
Each role is mapped to a set of actions the user can perform in the system, such as managing CVDs, base
layers, users, groups, and events, as well as viewing the dashboard and other system information.
You can define additional custom roles to suit various company processes.
Role Definitions
You can define role-based access to specific users for several actions in the system.
210
VMware, Inc.
Table 341. System Actions for which Role-Based Access can be Defined for a User
Action
Description
View dashboard
View the dashboard.
View server status
View the server status node. If not applicable, the server status appears as an empty
list.
View tasks
View the tasks list in the Task Monitoring node.
Manage tasks
Delete running tasks.
View CVDs
View the CVD inventory.
Manage CVDs
Delete a CVD, assign a base layer to a CVD, enforce a base layer, assign a policy to a
CVD, and revert to snapshot.
Support CVDs
Enforce base layer, set driver libraries, revert CVDs. confirm restore, and edit CVD
comments.
Manage collections
Create and remove collections.
Manage collections CVDs
Add and remove CVDs from a collection.
View CVD policies
View CVD policies.
Manage CVD policies
Edit, create, and delete CVD policies. This role requires the view CVD policies role.
View devices
View the devices in the device inventory and the pending list.
Manage devices
Assign a device to a CVD, reject a device, restore a device, remove a device, suspend a
device, and synchronize the device with the CVD.
Support devices
Suspend and resume devices, collect sysreports, restart a device, and run the Sync
Now procedure on a device.
View layers
View the layers that are assigned to different devices.
Manage layers
Create layers, delete layers, cancel layer assignment , and update layer data (name,
details).
View ref CVDs
View the reference CVD inventory.
Manage ref CVDs
Assign a reference device to a reference CVD, assign a base layer to a reference CVD,
assign a policy to a reference CVD, and delete a reference CVD.
View base layer rules
View the image rules.
Manage base layer rules
Add new rules, remove rules, test base layer draft rules, and set new default base
layer rules.
View driver library
See the driver profiles and driver folders and their details in the driver library
Manage driver library
Add drivers to the driver folders and create new driver profiles, and modify existing
driver folders and libraries.
View reports
View the generated reports.
Manage reports
Create reports and delete reports.
View events
View the events under the Event log and Manager Journal.
Manage events
Delete, acknowledge, and reinstate events.
View transactions
View transactions.
View users and roles
View the Mirage users and their roles.
Manage security roles
Modify user access roles.
Manage security groups
Modify the security groups' settings.
View configuration
View system configuration settings, cluster configurations, server and volumes

configurations.
Manage configuration
Modify system configuration settings.
VMware, Inc.
211
Table 341. System Actions for which Role-Based Access can be Defined for a User (Continued)
Action
Description
Manage minimal restore set
Modify the minimal restore set.
Access CVDs via admin file

portal
View CVDs in the file portal.
Predefined User Roles

Mirage includes predefined Administrator, Desktop Engineer, and Helpdesk user roles.
Table 342. Predefined User Roles
User Role
Access Permission
Desktop Engineer role
Perform all system operations except base layer management, user management, and role
management. You can customize the default privilege set for the Desktop Engineer role.
Help Desk
Provides information about the Mirage client user device in order to respond to service
queries. Access with the Help Desk role displays the Select User and Device page by default..
Image Manager
Captures and assigns base layers and app layers to CVDs. The Image Manager role
provisions new devices with a specified image.
Protection Manager
Provides detailed information of the Mirage system. Users with the Protection Manager role
can update the Mirage system to protect Mirage end-user devices.
Administrator
A super-set of all Mirage operations.
Add a New User Role

You can add a new user role.
Procedure
1
In the Mirage Management console tree, right-click Users and Roles and select Add a Role.
Type the role name and description, and click OK.

By default, the new role does not have any privileges until they are assigned by the administrator.
Edit an Existing User Role

You can edit an existing user role.
Procedure
1
In the Mirage Management console tree, click Users and Roles.
Edit the role check boxes in the right pane as required and click Save.
Assign an Active Directory Group to a User Role

You can assign an Active Directory (AD) Group to a role.
A group cannot be added to two different roles.
The role view is not auto-refreshed.
Procedure
212
Expand the Users and Roles node, right-click the required user role, and select Add a Group.
Type the group name in the Group Name text box, using the following syntax: domain\group.
VMware, Inc.
Macros in Upload Policy Rules

Macros assist specification of various Mirage directory paths addressed by policy rules. For example,
macros allow Mirage and the administrator to handle cases when some endpoints have Windows in
c:\windows and some in d:\windows. Using macros and environment variables makes sure Mirage
backups important files regardless of their specific location.
For information about upload policy rule specification, see Add or Edit Upload Policy Rules, on page 22.
System Directories
The following macros are supported for system directory paths:
Table 343. System Directory Macros
Macro
Description
%systemvolume%
The system drive letter followed by a ":".
%systemtemp%
The Windows system temp directory.
%windows%
The Windows directory.
%Anyvolume%
Expands to multiple rules, one per drive letter.
%documentsandsettings%
Expands to one rule of the path that contains the user profiles.
%programfiles%
The program files directory, including support for localized Windows versions,
and the Program Files (x86) in 64-bit.
For example:
C:\Program Files
C:\Program Files (x86)
%systemdir%
The Windows system directory.
Profile Directories
The following macros are supported for profile directory paths:
Table 344. Profile Directory Macros
Macro
Description
%anyuserprofile%
Expands to multiple rules, one per any user profile, including both local user
profiles and domain user profiles.
For example:
C:\Windows\system32\config\systemprofile
C:\Windows\ServiceProfiles\LocalService
C:\Windows\ServiceProfiles\NetworkService
C:\Users\User1
%domainuserprofile%
Expands to multiple rules, one per any domain user profile.
%localuserprofile%
Expands to multiple rules, one per any local user profile.
VMware, Inc.
213
Table 344. Profile Directory Macros (Continued)

Macro
Description
%anyuserlocalappdata%
All the users local app data directories.

For example:
C:\Windows\system32\config\systemprofile\AppData\Local
C:\Windows\ServiceProfiles\LocalService\AppData\Local
C:\Windows\ServiceProfiles\NetworkService\AppData\Local
C:\Users\User1\AppData\Local
%anyusertemp%
All the users TEMP directories.

For example:
C:\Windows\system32\config\systemprofile\AppData\Local\Temp
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp
C:\Users\User1\AppData\Local\Temp
Special Profile Directories

The following macros are supported for special profile directory paths, not included in the profile
directories:
Table 345. Special Profile Directory Macros
Macro
Description
%ProgramData%
The special Application data directory under the All Users directory.
%defaultuserprofile%
The special Default User directory.
%builtinuserprofile%
Expands to multiple rules, one for each built-in user profile (not including local
or domain users).
For example:
C:\Users\Public
C:\Windows\system32\config\systemprofile
C:\Windows\ServiceProfiles\LocalService
C:\Windows\ServiceProfiles\NetworkService
%localserviceprofile%
The special local service directory.
%Anyuserroamingappdata%
The roaming application data directory is calculated by appending the roaming

application data suffix to the user profile directory. This suffix is
AppData\Roaming in Windows 7 and Application Data in Windows XP.
For example:
C:\Windows\system32\config\systemprofile\AppData\Roaming
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
C:\Users\User1\AppData\Roaming
%Anyusertempinternetfiles%
All the user's temp internet directories on the machine.

For example:
C:\Windows\system32\config\systemprofile\AppData\Local\Microsof
t\Windows\Temporary Internet Files
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsof
t\Windows\Temporary Internet Files
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microso
ft\Windows\Temporary Internet Files
C:\Users\User1\AppData\Local\Microsoft\Windows\Temporary
Internet Files
214
%anydesktopshellpaths%
All the directories below.
%desktop%
All the users desktop directories in the machine.
VMware, Inc.
Table 345. Special Profile Directory Macros (Continued)

Macro
Description
%favorites%
All the user's favorites directories in the machine.
%videos%
All the user's Video directories in the machine.
%pictures%
All the user's pictures directories in the machine.
%documents%
All the user's documents directories in the machine.
%music%
All the user's music directories in the machine.
%skydrive%
All the user's Microsoft OneDrive directories in the machine.
VMware, Inc.
215
216
VMware, Inc.
Managing View Desktops with

VMware Mirage
35
Mirage lets administrators use Mirage base and app layering capabilities to manage full-clone, dedicated
assignment View desktop machines.
With Mirage, a View administrator of a large scale environment can automatically update operating system
and infrastructure software, add and remove application layers, and fix software problems. Users in View
persistent desktop pools with Mirage image management can preserve user data customizations and user
installed applications through Mirage image updates.
Desktop devices undergoing a Mirage layer update require more resources than usual. Mass image
management operations can affect user experience for users in an updated pool and in neighboring pools
with which it shares resources. To diminish this effect, Mirage must limit the level of concurrency when you
perform image management operations in the View pool. An administrator can control the concurrent level
through the concurrency value, which controls the effect Mirage has on the ESX resources.
Supported Configurations
Mirage supports the following View configurations.
n
Full-clone, dedicated assignment desktop pools
View Persona management is not supported with Mirage.
Supported Mirage Operations

The following Mirage operations are supported with View:
Table 351. Supported Mirage Operations in View
Mirage Operation
Supported with View
App layer assignment
Yes
Base layer assignment
Yes
Enforce layers
Yes
Apply driver library
Yes
Centralization
No
File Portal
No
HW migration
No
Layer provisioning
No
Restore
No
Revert to snapshot
No
VMware, Inc.
217
Table 351. Supported Mirage Operations in View (Continued)

Mirage Operation
Supported with View
Steady state uploads
No
Windows OS migration
No
Supporting View Agent Updates Using Mirage

You can update View Agent with the base layer or the app layer from Mirage. Only a single layer, either the
base layer or the app layer, can manage View Agent.
You cannot downgrade View Agent to an earlier version in a Mirage environment.
Behavior of Mirage CVDs with the View Policy

CVDs that use the View optimized policy have special characteristics.
218
No data protection
The corresponding devices do not upload files to the data center. You cannot
revert the devices to a Mirage snapshot or restore user files to previous
versions. Mirage only periodically uploads metadata about these devices, for
example the list of installed applications.
No WAN optimizations
To improve performance for managing View pools, Mirage disables most

WAN optimizations for these CVDs because they are generally hosted in the
same data center as the Mirage server.
VMware, Inc.
Index
A
about this guide 9
activating endpoints 17
Active Directory groups and role-based access
control 210, 212
advanced administration topics 207
app layer, capturing 123
app layer assignment
cancel assignment in progress 143
detect potential effects 141
monitor assignment progress 143
procedure 142
testing before distribution 141
app layer capture
capture overview 123
capture procedure 125
multiple layer capture 130
OEM software in app layer 129
post-app layer deployment script 130
procedure 125127
reference machine 124
what you can capture 128
app layer definition 105
app layers, Mirage PowerCLI 67
archive CVDs
assign to a device 25
manage CVDs in the archive 25
move to another volume 25
assigning a base layer, Mirage PowerCLI 64
assigning base layers, Mirage PowerCLI 64
audit events in Manager journal 202
authenticating, Mirage Gateway server 44
B
back up servers and Management server 195
bandwidth limitation, rules 41
bare metal provisioning, re-partitioning 153
base layer
and BitLocker support 107
and system-level software 107
and user-specific software 107
and endpoint security software 107
and OEM software 107
and software licensing 107
capturing 115
VMware, Inc.
hardware considerations 107

recreate reference machine from 113
base layer assignment
assign to a previous layer version 137
detect potential effects of layer
change 131133
enforce layers on endpoints 138
monitor assignments 137
software conflict correction 138
testing before distribution 134
base layer definition 105
base layer capture
capture procedure 119
override rule examples 118
override registry values and keys 119
post-base layer deployment script 120
rules 115
base layer assignment procedure
cancel assignment in progress 136
monitor progress 136
base layer capture rules
set default rule set 117
test 116, 117
view and create rules 115, 116
base layer capture override rules, add override
rule set 117
base layer override rule examples
avoid losing local customization 119
avoid shared component incompatibility 118
BitLocker support in base layers 107
boot images, PXE server 149
bootable USB keys
create 165
customize 167
how to use 167
branch reflectors
configurable values 93
configuration 93
default values 93
disable peering service 94
enable branch reflector 92
IP detection and proximity algorithm 91
matching process 91
pause 94
peer clients, accept or reject 94
select clients to be branch reflectors 92
219
server network operations 95

settings in system configuration 44
branch reflector download monitoring
connected peer clients 96
CVD associations 95
peer client transactions 96
show potential branch reflectors 97
C
centralization progress, report 185
centralize endpoints
by administrator 18
by end-user 17
certificate, updating 71
certificates, Mirage Gateway 71
client status, access 29
cmdlets 55
comparison report
base layer assignment 132, 133
potential effects of app layer 141
potential effects of base layer 131
configuration files
Mirage Gateway 75
protection 191
configure the system, See system settings
configuring, file portal 45
creating layer groups 155
Customer Experience Improvement Program
cancelling 51
data collection 49
joining 51
registering 49
CVD
archive, See archive CVDs
autocreation 44
events history timeline view 201
file portal end-user mapping 34
settings 45
snapshot generation and retention 46
view files in CVD with file portal 33
CVD Integrity report 185, 187
CVD collection
add dynamic collection 24
add dynamic using Active Directory 24
static collection management 23
CVDs, alarms 201
D
dashboard statistics 181
data protection status, report 185
database and volumes restore 196
desktop deployment monitoring 181
detect potential effects of layer change 131133
device provisioning, PowerCLI 61
220
directory-level restore 30
disaster recovery, See endpoint disaster
recovery
drivers
and base layers 107
and folder management 8082
driver library 79
driver library architecture 79
driver profile management 82
import drivers to folders 81
E
end-user operations
directory-level restore 30
file-level restore 29
Snooze to suspend synchronization 31
Sync Now to resume synchronization 31
view files in CVD with file portal 33
endpoint disaster recovery
bootable USB keys 164
reconnect a device to a CVD 168
restore process experience 168
restoring Windows 8 devices 163
endpoint disaster recovery, restore to a CVD
after device loss 160, 161
after hard drive replacement or format 160
specific files from a CVD snapshot 159
endpoints
activate 17
centralize by end-user 17
centralize by administrator 18
centralizing 56, 57
layer provisioning 139
enforce layers on endpoints 138
Event log 202
events history timeline for a CVD 201
exporting, layer groups 156
exporting bandwidth limitation rules 41
F
file portal
allow access to 33
configuration in system settings 44
configuring 45
download folders and files 35
end-user CVD mapping 34
securing 37
view files 34
file-level restore
deleted file from Recycle Bin 30
previous file version 30
VMware, Inc.
Index
layer dry run report 186

layer groups
creating 155
exporting 156
importing 156
layer management life cycle 105
layers, capturing base layers 115
layers provisioning 139
licenses for Mirage 43
licenses for Microsoft Office upgrade in
layer 210
load balancing framework 102
logs, See system logs
configuration files 191

log files 192
PowerCLI 53, 54
PowerCLI installation 54
security 189, 193
servers 101
Mirage Gateway
certificate 71
certificates 71
configation files 75
manual registration 71
protecting 71
authenticating 44
MMC 77
troubleshooting 75, 77
Mirage PowerCLI
assigning a base layer 64
centralizing endpoints 56, 57
cmdlets 55
migrating OS 58
provisioning 61
updating an app layer 67
updating app layers 66
monitor system status
dashboard statistics 181
Transaction log 183
mount volumes 88
multiple servers, See servers
multiple volume deployment, See volume
deployment
Gateway server
configuring 70
removing 77
H
hardware drivers, See drivers
I
image management overview 105
importing, layer groups 156
importing bandwidth limitation rules 41
IP detection and proximity algorithm 91
J
Join Domain Account settings 45
macros in upload policy rules 213

maintain the system
servers, Management server, and
volumes 195
upgrade Mirage version 197
Management server restore 195
Manager journal 202
managing View desktops, supported
configurations 217
Microsoft Office licenses in layer 210
Microsoft System Center Configuration Manager,
See SCCM
migrate to Windows OS, See Windows OS
migration
migrate users to different hardware
a user CVD to another device 171
many user CVDs 173
minimal restore set, customize 202
Mirage
accounts 193
administration 9
VMware, Inc.
network client throttle mechanism 31
O
OEM software
in app layer 129
in base layers 107
OS migration 58, 59
OS migration progress, report 185
P
pending assignment devices
reinstate using Remove 19
reject 19
ports and protocols 189
potential branch reflectors 97
PowerCLI
cmdlets 53, 54
installing 54
Mirage 54
vSphere 54
provision, bare metal 145, 151
221
provisioning, See layers provisioning

provisioning a device, self-service
provisioning 155, 156
R
reassign users to different hardware, See
migrate users to different hardware
reference machine for app layer capture 124
reference machine for base layer capture
data selection 112
recreate from a base layer 113
setup 111
software considerations and settings 112
registry value override in base layer capture 119
rejected devices, reinstating 19
reports
centralization progress 185
CVD integrity 185, 187
data protection status 185
layer dry run 186
OS migration progress 185
system reports 203, 204
restore
customize minimal restore set 202
Management server 195
restore process experience 168
servers 196
standalone server 197
storage volumes and database 196
restore device to a CVD
after device loss 160, 161
after hard drive replacement or format 160
restore files
deleted file from Recycle Bin 30
directories from a CVD 30
files from a CVD 29
previous file version 30
restoring, Windows 8 163
retention policy
CVD snapshots 46
transaction records 183
role-based access control (RBAC) 210
rules for base layer capture 115
S
SCCM client migration preparation 207
scripts for
post-app layer deployment operations 130
post-base layer deployment operations 120
post-Windows OS migration operations 180
secure socket layer communication, See SSL
secure sockets layer, See SSL
222
security, file portal 37

security settings 189
self-service provisioning 155, 156
server, Mirage Gateway 69
servers
add another server 101
information 101
load balancing integration 102
multiple server scenario 99
network operations with branch reflectors and
clients 95
parameters 100
remove from system 102
restore 196
restore standalone server 197
stop or start server service 101
VMware Watchdog service 102
servers and Management server
back up 195
maintenance 195
show potential branch reflectors 97
single-instance storage integrity, See SIS
SIS volume integrity procedure 89
snapshot generation and retention 46
snapshots kept 45
Snooze to suspend synchronization 31
software in base layers
conflict correction 138
endpoint security 107
licensing 107
OEM 107
system-level 107
user-specific 107
SSL
install the SSL certificate 48
server SSL configuration 48
SSL certificate setup 208, 209
storage volume, parameters 86
storage volumes, See volume deployment
Sync Now to resume synchronization 31
system dashboard 181
system monitoring, See monitor system status
system reports 203
system settings
access 41
branch reflector settings 44
CVD auto creation 44
file portal 44
general system settings 45
licenses for Mirage 43
SSL configuration 47
USMT setting import 43
VMware, Inc.
Index
system components 11
system logs
audit events in Manager journal 202
events 202
Transaction log 202
system maintenance, See maintain the system
system requirements, ports and protocols 189
T
testing
app layers before distribution 141
base layers before distribution 134
layer capture rules 116
Transaction log, record retention policy log 183
troubleshooting 201
W
Watchdog, See VMware Watchdog service
Windows 8, restoring 163
Windows 8 devices, restoring 163
Windows Deployment Service
installation 147, 148
Microsoft PowerShell 148
Windows server manager 147
Windows OS migration
in-place migration to same machine 176178
migration to replacement devices 179
monitor the migration process 180
post-migration operations using a script 180
WinPE image 145, 151
U
unblock volumes 88
unmount volumes 87
update app layer, See app layer assignment
update base layer, See base layer assignment
updating an app layer, Mirage PowerCLI 67
updating app layers, Mirage PowerCLI 66
upgrade Mirage version
before you start 197
upgrade procedure 198
upload policies
advanced options 22
parameters 20
upload policy management 20, 21
upload policy rule macros 213
upload policy rule management 22
USMT setting import 43
V
View desktops, managing with Mirage 217
virtual machine
and base layer 107
multiple app layer capture on 130
VMware Watchdog service, configuration 102
volume deployment
add volumes 86
block volumes 88
edit volume information 87
maintain volumes 89
mount volumes 88
remove volumes 87
restore volumes and database 196
SIS volume integrity procedure 89
unblock volumes 88
unmount volumes 87
volume information 85
volume settings 45
volume reactivation, See mount volumes
VMware, Inc.
223
224
VMware, Inc.

Mirage Administrators Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mirage Administrators Guide

Uploaded by

Copyright:

Available Formats

VMware Mirage Administrator's Guide

This document supports the version of each product listed and

VMware Mirage Administrator's Guide

1 Mirage System Components 11

3 End User Operations 29

Access the Client Status 29

4 Configuring the File Portal 33

Allow Access to CVD Files 33

5 Protecting the Mirage File Portal 37

Configure the System Settings 41

7 VMware Mirage Customer Experience Improvement Program 49

VMware Mirage Administrator's Guide

Stop Sending Data to VMware

8 Introduction to Mirage PowerCLI 53

Using Mirage PowerCLI 54

9 Managing the Mirage Gateway Server 69

Configuring the Mirage Gateway Server 70

10 Managing the Driver Library 79

11 Deploying Multiple Storage Volumes 85

12 Managing Branch Reflectors 91

Branch Reflector Matching Process 91

Disable Branch Reflectors

Reject or Accept Peer Clients 94

13 Deploying Additional Mirage Servers 99

14 Image Management Overview 105

Base Layers and App Layers 105

15 Preparing a Reference Machine for Base Layer Capture 111

16 Capturing Base Layers 115

Working with Base Layer Rules 115

17 Capturing App Layers 123

App Layer Capture Steps Overview 123

18 Assigning Base Layers 131

Detect Potential Effects of the Layer Change 131

VMware Mirage Administrator's Guide

Fix Broken Layers on Endpoints (Enforce Layers) 138

19 Assigning App Layers 141

Detect Potential Effects of the App Layer Change 141

20 Create a WinPE Image for Mirage 145

26 Endpoint Disaster Recovery 159

Restore a Device to a CVD Snapshot 159

27 Migrating Users to Different Hardware 171

28 Windows OS Migration 175

Performing a Windows OS In-Place Migration 176

29 Monitoring System Status and Operations 181

Using Transaction Logs 183

30 Working with Reports for Mirage Operations 185

31 VMware Mirage Security Reference 189

32 Maintaining the Mirage System 195

Server and Management Server Operations 195

CVD Events History Timeline 201

34 Advanced Administration Topics 207

Mirage and SCCM 207

35 Managing View Desktops with VMware Mirage 217

VMware Mirage Administrator's Guide

VMware Mirage Administrator's Guide

Mirage System Components

VMware Mirage Administrator's Guide

Figure 11. System Components

Remote Branch Site

Mirage Management Server

Chapter 1 Mirage System Components

MongoDB File Database

Mirage Management Console

Mirage Web Manager