Introduction To Vmware View Manager

Introduction to VMware View Manager
View Manager 3.0
Introduction to VMware View Manager Item: EN-000091-00
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
2008 VMware, Inc. All rights reserved. Protected by one or more U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, 7,290,253, 7,356,679, 7,409,487, 7,412,492, 7,412,702, 7,424,710, 7,428,636, 7,433,951, 7,434,002, and 7,447,854; patents pending. VMware, the VMware boxes logo and design, Virtual SMP, and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.
Contents
Contents
IntroductiontoVMwareViewManager
Features 6 VMwareViewOverview 7 ViewUserAuthentication 11 ViewExtendedUSBDeviceRedirection 13 ViewSecureAccess 14 ViewVirtualDesktopPoolManagement 14 ViewHighAvailabilityandScalability 16 ViewConnectionServerDMZDeployment 17 ViewConnectionServerComponents 20 ViewBroker 22 ViewSecureGatewayServer 22 ViewLDAP 23 ViewMessaging 24 ViewSecurityServer 24 DeploymentOptions 26 OfflineDesktop 26 LinkedClones 27 UnifiedAccess 28
Glossary
31
VMware, Inc.
VMware, Inc.
VMwareViewisanenterpriseclassvirtualdesktopmanagerthatsecurelyconnects authorizeduserstocentralizedvirtualdesktops.Itprovidesacomplete,endtoend solutionthatimprovescontrolandmanageabilityandprovidesafamiliardesktop experience. ThebenefitsofVMwareViewincludethefollowing: ControlandmanageabilityinasingleproductAdministratorscanmoreeasily provision,manage,andmaintaindesktopsbecausethedesktopsarerunninginthe datacenter. FamiliarenduserexperienceUsersgetflexibleaccesstoapersonalized,virtual desktopthatbehavesjustliketheirPCdesktops. VMwaredesktopintegrationViewextendsthebenefitsofvirtualizationtothe desktopbyleveragingthebackup,failover,anddisasterrecoverycapabilitiesof VMwareInfrastructure3. Lowertotalcostofownership(TCO)Byreducingadministrationandenergy costsandextendingtheusefullifeofPCs,VMwareViewManagerdeliverslower TCO.
VMware, Inc.
Features
ThefeaturesofVMwareViewincludethefollowing: EnterpriseclassconnectionbrokeringVMwareViewManagermanagesthe connectionsbetweenusersandtheirvirtualdesktops.WhenuserslogintoView Manager,thevirtualdesktopstheyareauthorizedtoaccessappears.After connectingtoavirtualdesktop,usersaccesstheirapplicationsasifthe applicationsarerunninglocally. USBclientdevicesupportUSBdevicescanbelocallyconnectedtoclientsand accessedthroughavirtualdesktop. WebbasedmanagementuserinterfaceAWebbasedmanagementconsole allowsvirtualdesktopstobemanagedfromanylocation. SmartpoolingcapabilitiesArangeofpersistentandnonpersistentpooling capabilitiessimplifiestheprovisioningandmanagementofcentralizeddesktops. SecureaccessOptionalsecureencapsulationcapabilitiesallowallnetwork connectionstobeencrypted. IntegrationwithMicrosoftActiveDirectoryConnectiontoActiveDirectory, whichallowsyoutolocateuserandusergroupaccountsandusethe authenticationfeaturesinActiveDirectorytocontrolwhichuserscanaccess virtualdesktops. SupportfortwofactorauthenticationWithRSASecurID,accesscontrolis strengthened. SeamlessintegrationwithVMwareVirtualInfrastructure3Workscloselywith VMwareVirtualCentertoprovideadvancedvirtualdesktopmanagement capabilities,suchasautomaticsuspendandresume,whichreducesthememory andprocessingpowerrequiredtohostvirtualdesktops.Byleveragingthe capabilitiesofVMwareVirtualInfrastructure3,desktopscanrunevenwhen serverhardwarefailsandrecoverquicklyfromunplannedoutageswithout duplicatehardware. FlexibledeploymentoptionsCriticalcomponentscanbedeployedinavariety ofconfigurationsandtodifferentpartsofthenetwork,whichimprovesecurity, scalability,andreliability.MultipleVirtualCenterserversaresupported,and VMwareViewcanscaletosupportmanyvirtualdesktops. HighavailabilityServerscanbeclusteredforhighavailabilityandscalability withautomaticfailover.Theseserverscanalsoleverageindustrystandard loadbalancingsolutions.
VMware, Inc.
VMwareViewComposerDramaticallyreducestheamountofstorage consumed.Imagescanbeprovisionedinafewsecondsandinafullyautomated mannerbyViewManagerforrapidrolloutsorasanimmediateresponseto everydaysupportissues. SupportfornonVIsystemsphysicalmachinesorterminalservicessystemscan bealsomanagedbyViewManager,ensuringaseamlessintegrationofexisting architecturesintotheViewenvironment. Scalablevirtualinfrastructurelinkedclonetechnologyallowsmultipledesktops tobedeployedfromasinglebaseimage.Subsequentchangestothisimagecanbe automaticallyproliferatedamongstalldesktopsinlinkedclonepool. SimplifiedPrintingEnablesViewClientandViewPortaluserstoprintusing anyprinterconfiguredforusebytheViewClientorViewPortalhost.
VMware View Overview

VMwareViewincludesthefollowingkeycomponents: ViewConnectionServer ViewAgent ViewClient ViewClientwithOfflineDesktop ViewPortal ViewAdministrator ViewComposer
VMware, Inc.
Figure 1showsthephysicaltopologyofVMwareViewinfrastructureandshowsthe relationshipbetweenthemainVMwareViewcomponents. Figure 1. Physical Topology of VMware View Infrastructure

Windows View Client Linux View Portal Mac View Portal Thin Client
network network
View Administrator (browser)
View Connection Server
Microsoft Active Directory
VMware VirtualCenter Management Server
virtual desktops VM desktop OS app app app VM VM ESX host View Agent virtual machine VM VM VM ESX hosts running Virtual Desktop VMs
VMware, Inc.
View Connection Server Thiscomponentistheconnectionbrokerthatmanagessecureaccesstovirtualdesktops andworkswithVirtualCentertoprovideadvancedmanagementcapabilities.Itisinstalled onaMicrosoftWindowsServer2003serverthatispartofanActiveDirectorydomain. ViewConnectionServerisinstalledasoneofthefollowinginstances: StandardThisinstanceappearsinFigure 1.Itprovidesstandalonefunctionality andisusedastheonlyViewConnectionServer(orthefirstofagroupofView ConnectionServersthatactaspartofahighavailability,fullyreplicatedgroup). ReplicaThisinstanceisinstalledasasecondorsubsequentViewConnection Serverinahighavailabilitygroup.Configurationdataisinitializedfroman existingViewConnectionServerserverandisautomaticallyreplicatedbetween Viewgroupmembers. SecurityServerThisinstanceimplementsasubsetoftheViewConnectionServer functionalityandisusedinademilitarizedzone(DMZ)deployment.AView SecurityServerdoesnotneedtobeinanActiveDirectorydomain.TheStandard andReplicainstancesautomaticallyincludetheSecurityServerfunctionality. TheinstancetypeisselectedduringViewConnectionServerinstallation. HighavailabilityandDMZdeploymentsofViewConnectionServerusingReplicaand SecurityServerinstancesaredescribedinViewConnectionServerDMZDeployment. ConfigurationdataisstoredinanembeddedLDAPdirectoryoneachStandardand Replicainstance. View Agent Thiscomponentrunsoneachvirtualdesktopandisusedforsessionmanagementand singlesignon.WithViewClient,thiscomponentsupportsoptionalUSBdevice redirection.Thisagentcanbeinstalledonavirtualmachinetemplatesothatvirtual desktopscreatedfromthattemplateautomaticallyincludetheViewAgent. PlacevirtualdesktopsinanActiveDirectorydomainthatisoneofthefollowing: ThesamedomaintowhichtheViewConnectionServersarejoined AdomainwithatrustagreementwiththeViewConnectionServerdomain Whenusersconnecttotheirvirtualdesktops,theyareautomaticallyloggedinusing thesamecredentialstheyusetologintotheirdomain.Thesinglesignoncapabilitycan bedisabledinViewAgentwhichmeandthatusersarealwaysrequiredtologontothe virtualdesktopmanually.Ifthevirtualdesktopisnotpartofadomainorispartofa domainwithwhichnotrustagreementexists,singlesignonisnotavailable,andthe usermustmanuallylogintothevirtualdesktop.
VMware, Inc. 9
View Client ThiscomponentrunsonaWindowsPCasanativeWindowsapplicationandallows userstoconnecttotheirvirtualdesktopsthroughView.Thiscomponentconnectstoa ViewConnectionServerandallowstheusertologonusinganyofthesupported authenticationmechanisms.Afterloggingin,userscanselectfromthelistofvirtual desktopsforwhichtheyareauthorized.Thisstepprovidesremoteaccesstotheir virtualdesktopandprovidesuserswithafamiliardesktopexperience. ViewClientalsoworkscloselywithViewAgenttoprovideenhancedUSBsupport. BasicUSBsupport(suchasUSBdrivesandUSBprinters)issupportedwithoutView USBsupport,butViewextendsthissupporttoincludeadditionalUSBdevices.Youcan specifyViewUSBsupportinViewClientduringtheinstallation. View Client with Offline Desktop OfflineDesktopoffersmobileuserstheabilitytocheckoutaclonedinstanceofcertain typesofViewManagerdesktopontoalocalsystemsuchasalaptop.Oncecheckedout, thelocalcopybehaveslikeastandalonedesktopsystemandcanbeusedwithor withoutanetworkconnection;thedesktopisnowconsideredtobeoffline. Oncedownloaded,Offlinedesktopsbehaveinthesamewayastheironlineequivalents yetcantakeadvantageoflocalresources;latencyisminimizedandperformanceis enhanced.Thepresenceofadownloadedvirtualmachinehasnoeffectontheexisting operatingsystemoftheclientsystem,whichuserscancontinuetoutilizeiftheywish. View Portal ThiscomponentissimilartoViewClientbutprovidesaViewuserinterfacethrougha Webbrowser.ViewPortalisincludedautomaticallyduringtheViewConnection Serverinstallation.ViewPortalissupportedonLinuxandMacOS/X,butthisWeb accessdoesnotsupportViewUSBextensions.AllnecessaryViewsoftwareisinstalled automaticallyontheclientthroughtheWebbrowser.ViewPortalonLinuxuses rdesktopandonMacOS/XusesMicrosoftRemoteDesktopConnectionClientforMac. ViewPortalcanalsobeusedonaWindowsclientwithViewClient.Auserobtainsthe requiredsoftwareontheirclientdevicebyaccessingaViewConnectionServerwitha Webbrowser.IftheViewClientsoftwareisinstalledwithUSBsupportbyauserwith administrativerights,ViewPortalonWindowshascompleteViewUSBsupport. View Administrator ThiscomponentprovidesViewadministrationthroughaWebbrowser.Itisusedby Viewadministratorstodothefollowing: Makeconfigurationsettings ManagevirtualdesktopsandentitlementsofdesktopsofWindowsusersandgroups
10 VMware, Inc.
ViewAdministratoralsoprovidesaninterfacetomonitorlogeventsandisinstalled withViewConnectionServer.MoreinformationabouttheViewConnectionServer componentsandtheirrelationshipwithotherViewcomponents,seeViewConnection ServerComponents. View Composer ViewComposerisusedbyViewtocreateanddeploylinkedclonedesktopsfrom VirtualCenter.ThelinkedclonefeatureenablesViewadministratorstorapidlyclone anddeploymultipledesktopsfromasinglecentralizedbaseimage,calledaParentVM. Oncethedesktopshavebeencreatedtheyremainindirectlylinkedtoasnapshot residingontheParentVM. Thelinkisindirectbecausethefirsttimeoneormoredesktopclonesarecreated,a uniquelyidentifiedcopyoftheParentVMcalledareplicaisalsocreated.Allthe desktopclonesareanchoreddirectlytothereplicaandnottotheParentVM.
View User Authentication

UsersneedtologintoViewfirstinordertoprovetheiridentityandtogainaccessto theirvirtualdesktops.Normally,theydothisbyenteringtheirWindowscredentialsat theloginprompt. Asanaddedlevelofsecurity,ViewcanbeconfiguredtorequireRSASecurID authentication.ThisrequirestheuseofaSecurIDtokenforeachuser.Aspartofthe loginprocess,usersmustentertheirSecurIDusernamestogetherwiththeirSecurID PINsandtokencodes.AftersuccessfulverificationoftheSecurIDdetailsentered,users arepromptedfortheirWindowscredentials.
Active Directory Authentication

EachViewConnectionServermustbejoinedtoanActiveDirectorydomain.This allowsuserauthenticationforViewagainstActiveDirectoryforthejoineddomainand foradditionaluserdomainswithwhichatrustagreementexists.Forexample,ifView ConnectionServerisamemberofDomainA,andatrustagreementexistsbetween DomainAandDomainB,usersfromeitherdomaincanlogintoView. ByauthenticatingusersagainstanexistingActiveDirectory,anorganizationcan simplifytheoperationalmanagementofViewbyensuringthatthemanagementofuser accountsishandledinoneplace.IfauseraccountisdisabledinActiveDirectory,that usercannotlogintoView.Policies,suchasrestrictingpermittedhoursofloginandthe expirationdateforpasswords,arealsohandledthroughexistingActiveDirectory operationalprocedures.
VMware, Inc.
11
RSA SecurID Authentication

ViewiscertifiedthroughtheRSASecurIDReadyprogramtooperatewithRSA SecurIDauthenticationtechnology.IndividualViewConnectionServerscanbeenabled forRSASecurIDauthentication.UserswhoaccessaViewConnectionServerthatis enabledforRSASecurIDauthenticationarepromptedfortheirRSASecurIDuser namesandpasscodes(PINsandtokencodes).AfterauthenticatingagainstanRSA AuthenticationManager,userscancontinuetologin. UsingRSASecurIDprovidesenhancedsecuritywithtwofactorauthentication.This requiresknowledgeoftheusersPINandtokencode,whichisonlyavailableonthe physicalSecurIDtoken.AsrequiredforRSASecurIDcertification,Viewsupportsthe fullrangeofSecurIDcapabilities,includingNewPINMode,NextTokenCodeMode, RSAAuthenticationManager,loadbalancing,andsoon. Figure 2showsthephysicaltopologydiagramforViewwithanadditionalserverused toauthenticateRSASecurIDusers.TheRSAAuthenticationManagerisshownasa singleserver,butforhighavailabilitydeployments,youneedmultipleservers. Figure 2. View RSA SecurID Authentication with RSA Authentication Manager
View Client
network
View Administrator
View Connection Server
RSA Authentication Manager
Microsoft Active Directory ESX hosts running Virtual Desktop virtual machines
VirtualCenter Management Server
12
VMware, Inc.
WhenusersentertheirRSASecurIDcredentials,ViewConnectionServer communicateswithRSAAuthenticationManagertoverifytheinformation.Afterthe credentialsareverified,ViewConnectionServerrequestsActiveDirectorydomain credentialsfromtheuserandcommunicateswithActiveDirectorytocontinuethe authenticationprocess.
View Extended USB Device Redirection

ViewallowstheredirectionofavarietyoflocallyattachedUSBdevicesforsoftware thatrunonausersvirtualdesktop.Suitabledevices,whenattached,canbeselected fromadynamicdropdownmenuinViewClient.Devicesattachedafterthevirtual desktopsessionstartswillappearinthemenuandareavailableforredirectionafter beinginitialized. Somedevices,suchasprinters,localUSBflashdrives,andsmartcards,canbe forwardedtothevirtualdesktopusingstandardMicrosoftRemoteDesktopProtocol (RDP).ButViewClientUSBredirectionextendstherangeofusabledevicesandthe functionalityofsomedevicesbeyondthatprovidedbyRDP.Forexample,soundcanbe broughttothelocalmachineusingRDP,butdisablingthisfeatureandusingViewUSB redirectionallowsyoutouseVoIPdevices. ViewUSBredirectionisinitiatedaftertheuserisauthenticated.Becauseofthis,smart cardforwardingislimitedtoRDPfunctionalitysothatsmartcardscanbeusedto authenticatethevirtualdesktopsession.Asaresult,thesedevicesdonotappearinthe ViewClientdevicesmenu.Humaninterfacedevices(HIDs),suchasakeyboardora mouse,arealsofilteredfromtheUSBdevicelistbecausethesedevicesarerequired locallyandfunctionwithoutbeingforwardedorredirected. RDPforwardingandViewUSBredirectioncanbegovernedthroughActiveDirectory GroupPolicyandViewAdministrator.UsingViewUSBredirectionrequiresView Client,ViewAgent,andtheusertohaveadministrationrightsontheViewClientand theViewAgentoperatingsystems.
VMware, Inc.
13
View Secure Access

ViewConnectionServerwithViewClientandViewPortalprovidessecurityforthe desktopprotocolsbetweentheclientdeviceandtheViewConnectionServer. Viewencapsulatesallprotocols,suchastheextendedRDPinanHTTPSconnection, whichoffersthefollowingadvantages: TheRDPProtocolistunneledthroughHTTPSandisencryptedusingSSL Thisisapowerfulsecurityprotocolandisconsistentwiththesecurityprovidedby othersecureWebsiteslikethoseusedforonlinebanking,creditcardpayments, andsoon. OneHTTPSconnectionisusedforallclientservercommunicationMultiple desktopconnectionsaremultiplexedoverthisHTTPSconnection,whichreduces theoverallprotocoloverheads. ViewcontrolsbothendsofthisHTTPSconnection,sothereliabilityofthe underlyingprotocolsissignificantlyimprovedIfausertemporarilylosesa networkconnection,afteritisrestored,theHTTPSconnectionisreestablishedand theRDPconnectionsautomaticallyresumewithouthavingtoreconnectandlogin again. ViewisaccessedusingstandardWebprotocols,soitcanbeeasilyaccessed throughcorporateproxiesInastandarddeploymentofjustViewConnection Servers,theHTTPSsecureconnectionterminatesattheViewConnectionServer andinaDMZdeployment,attheViewSecurityServer.SeeViewConnection ServerDMZDeployment. ViewConnectionServercanbeconfiguredtonotuseasecureconnection,sothatRDP communicationisdirectfromtheclientdevicetothevirtualdesktop.
View Virtual Desktop Pool Management

Viewincludesintegratedvirtualdesktoppoolmanagementcapabilitiesthatleverage thecontrolprovidedbyVirtualCentertoprovisionandmanagethevirtualdesktops. Viewprovidesthefollowingtypesofdesktops: IndividualdesktopsTheseareexistingvirtualdesktopsthatareavailablethrough View.Thepoolmanagercancontrolthepowerstateofthesevirtualdesktops. PersistentdesktoppoolThistypeisapoolofvirtualdesktopswhoselifecycle andpowerstateiscontrolledbythepoolmanager.Persistentvirtualdesktopsare assignedtotheiruseronthefirstuse,sotheuserreturnseachtimetothesame virtualdesktop.Thistypeofpoolisusedwhenuserswanttocustomizetheir desktopsbyinstallingadditionalapplicationsandstoringlocaldata.
14 VMware, Inc.
NonpersistentdesktoppoolSimilartoapersistentdesktoppool,exceptinthis casethevirtualdesktopsarenotpermanentlyassignedtousers.Whenasessionis finished,thevirtualdesktopisreturnedtothepoolandmadeavailableforother users. Bydeletingthevirtualdesktopsaftereachuse,thistypeofpoolensuresthateach userreceivesanewlyprovisionedvirtualdesktopeachtimetheuserconnects (optional).Usethistypeofpoolwhereacleanmachineisneededforeachuser sessionorinhighlycontrolledenvironmentsthathasnorequirementfor customizationtobestoredonthevirtualdesktop. Thetwopooldesktopsaresizedusingthefollowingparameters: MinimumTheminimumnumberofvirtualdesktopstobecreatedwhenthepool isfirstcreated.Thepoolmanagercontinuestocreatevirtualdesktopsuntilthis minimumcountisreached.Thisprocessensuresthatapoolisappropriatelysized whenauserpopulationismovedtoView. MaximumThemaximumnumberofvirtualdesktopsthatcanexistinthepool. Usethisparametertolimitthenumberofvirtualdesktopsinthepooltoavoid overusingavailableresources. AvailableThenumberofvirtualdesktopsthatareavailableforimmediateuse. Forpersistentpools,thisparameterrelatesonlytotheunassignedvirtual desktops.Thisisusedtoensurethatthepoolmanagercreatesenoughvirtual desktopsinadvancetocopewithdemand.Useahighernumberformorevolatile environments. Whenapoolcontainstoofewvirtualdesktops,themanagerprovisionsnewvirtual desktopsfromadesignatedtemplate.Thesevirtualdesktopscanalsobeautomatically customized(forexample,namedandbecomepartofanActiveDirectorydomain)orbe leftforanadministratortomanuallyconfigure. PowermanagementisappliedtoallvirtualdesktopsunderViewcontrol,andthe followingpoliciesaresupported: Donothing(VMremainson)VMsthatarepoweredoffwillbestartedwhen requiredandwillremainon,evenwhennotinuse,untiltheyareshutdown. EnsureVMisalwayspoweredonAllVMsinthepoolremainpoweredon,even whentheyarenotinuse.Iftheyareshutdown,theywillimmediatelyrestart. SuspendAllVMsinthepoolenterasuspendedstatewhennotinuse. PoweroffAllVMsinthepoolshutdownwhennotinuse..
VMware, Inc.
15
ViewsupportsindividualandpooleddesktopsonmultipleVirtualCenterinstances. A poolcannotspanVirtualCenters,butViewcanmanagemultiplepoolsacross multipleVirtualCenters.Viewlimitsthenumberofprovisioningandpoweroperations thatcanbeconcurrentlyactiveforeachVirtualCentertoensurethattherateof operationsisnotexcessive.Theselimitsareappliedacrossallpoolsanddesktopsfor eachVirtualCenter.Inamultibrokerenvironment,theViewConnectionServers cooperatewitheachothertoenforcetheselimitsandtoperformthepoolmanagement operations.
View High Availability and Scalability

Tosupporthighavailabilityandscalabilityrequirements,Viewcanbedeployedusing multipleViewConnectionServers.ThefirstViewConnectionServertobedeployedis installedasaStandardinstance.Inthiscase,anewinstanceoftheLDAPdirectoryis installedandtheViewConnectionServersupportsfullfunctionalityusingitslocal LDAPdirectory. Toextendtheenvironment,asecondservercanbeinstalledasaReplicainstance. Duringthisinstallation,theuserreferencesanexistingViewConnectionServerandthe ReplicainstanceisjoinedtotheStandardinstancetoformaViewConnectionServer group.TheLDAPViewconfigurationdatafromtheStandardinstanceiscopiedtothe Replicainstance.AtwowayreplicationagreementisestablishedsothatView configurationchangesoneitherserverareautomaticallyandimmediatelymadeonthe other. Bothserversofferidenticalfunctionalityandintheeventofserverfailure,theother servercancontinuetooperatealone.Whenthefailedserverresumes,anychanged LDAPViewconfigurationdataisreflectedontheresumedserversothatbothservers remainuptodate.AddingathirdandsubsequentViewConnectionServerstothe groupisdonebyinstallingadditionalReplicainstances.DuringtheReplicainstance installation,theusercanreferenceanyexistinggroupmembertojointhenewserverto thegroup. Afterinstallation,nodifferencesexistbetweenaReplicainstanceandaStandard instance.IfthefirstStandardinstanceisdecommissioned,additionalReplicascanbe addedtothegroupbyreferencinganyactiveViewConnectionServerinthegroup.All ViewconfigurationdatacanbebackedupbybackinguptheLDAPdirectoryinstance. Figure 3showstwoViewConnectionServersoperatingasagroup.Toautomatically usebothViewConnectionServersandsupporthighavailabilityandscalabilityneeds, deployloadbalancing.Thisensuresthatloadisbalancedevenlyacrosstheavailable ViewConnectionServersandthatfailedserversareautomaticallyavoided.View ConnectionServerdoesnotprovideloadbalancingfunctionalitybutworkswith standardthirdpartyloadbalancingsolutions.
16 VMware, Inc.
Figure 3. Multiple View Connection Servers

View Client
network
load balancing
View Connection Servers
TheloadbalancingrequirementsforViewConnectionServeraretosupportstandard HTTPandHTTPSloadbalancingwithsessionaffinity.Loadbalancingsolutionsfor ViewConnectionServercanincludeMicrosoftNetworkLoadBalancing(NLB), standardhardwarebasedloadbalancers,orvirtualapplianceloadbalancersthatcan operateonESXServer. UsersinaloadbalancedViewConnectionServerenvironmentusealoadbalanced URLtomaketheconnection.ThisisanaliasURLusedbytheloadbalancertodirect theconnectiontoanyoftheavailableViewConnectionServersinthegroup.
View Connection Server DMZ Deployment

Insecureenvironments,particularlywhenViewisbeingaccessedfromaninsecure networksuchastheInternet,itiscommonpracticetodeployserversinaDMZ.
VMware, Inc.
17
ViewConnectionServerfunctionalityissplitbetweenserversinthesecurenetwork andtheDMZ.ViewConnectionServersthatoperateinaDMZareknownasView SecurityServersandareinstalledusingtheViewConnectionServerinstallerand specifyingaSecurityServerinstancetype.ViewSecurityServersintheDMZoperate withViewConnectionServers(StandardorReplica)inthesecurenetwork. Figure 4showsahighavailabilityenvironmentcomprisingtwoloadbalancedView SecurityServersintheDMZworkingwithtwofullViewConnectionServers(Standard andReplicainstance)inthesecurenetwork. Figure 4. DMZ Deployment with Multiple View Connection Servers
remote View Client
external network
DMZ load balancing
View Security Servers
18
VMware, Inc.
ViewSecurityServersdonotcontainanLDAPconfigurationrepositoryanddonot accessanyauthenticationrepositories(ActiveDirectoryorRSAAuthentication Manager).WhenremoteusersconnectusingaViewSecurityServer,theymust successfullyauthenticatebeforeasecureconnectionisestablished.Thismeansthey cannotattempttoaccessanyvirtualdesktopsuntiltheyaresuccessfullyauthenticated. WithappropriatefirewallrulesonbothsidesoftheDMZ,thistypeofdeploymentis suitableforaccessingvirtualdesktopsfromInternetlocatedclientdevices. TosupportremoteViewClientandViewPortalconnectingtotheenvironmentusing HTTPSfromanexternalnetwork,theonlyTCPportthatmustbeallowedintheDMZ istheHTTPSport(TCPport443).ViewSecurityServersdonotneedtobepartofan ActiveDirectorydomain,andnocommunicationoccursbetweenViewSecurity ServersandActiveDirectory. AlthoughFigure 4showsaonetoonerelationshipbetweenViewSecurityServersand ViewConnectionServers,multipleViewSecurityServerscanbeconnectedtoeach ViewConnectionServer.ADMZdeploymentcanbecombinedwithastandard deploymenttoofferViewaccessforinternalusersandexternalusers. Figure 5showsamorecomplexenvironmentwherefourViewConnectionServersact asonegroupwiththeserversintheinternalnetworkdedicatedtotheusersofthat network,andtheserversintheexternalnetworkdedicatedtousersofthatnetwork. TheserversontherightcanbeenabledforRSASecurIDauthentication,sothatall externalnetworkusersarerequiredtoauthenticateusingRSASecurIDtokens.
VMware, Inc.
19
Figure 5. DMZ Deployment with Internal Network Access

remote View Client
external network
DMZ load balancing
View Client
View Security Servers
internal network
load balancing
View Connection Server Components

Figure 6showstheViewConnectionServercomponentsandtheirrelationshipwiththe otherViewcomponentsandtheprotocolsusedforcommunicationbetweenthe components. ThefollowingdefaultTCPportsareusedforeachprotocol: JMS4001 HTTP80
20
VMware, Inc.
HTTPS443 RDP3389 SOAP80or443 Figure 6. View Components

Windows Client Linux and Mac Client Thin Client
browser thin client operating system RDP Client View Client RDP Client View Secure GW Client
HTTP(S) HTTP(S) HTTP(S)
HTTP(S)
HTTP(S)
RDP
Admin Console View Administrator

HTTP(S)
RDP
View Secure GW Server
View Manager Messaging View Connection Server
View Broker & Admin Server
SOAP
VirtualCenter Server VMware VirtualCenter
View Manager LDAP
JMS RDP RDP
View Agent
Virtual Desktop VM
VMware, Inc.
21
View Broker
TheViewConnectionBrokeristhecoreofViewConnectionServer.Itisresponsiblefor alluserinteractionbetweentheclient(ViewClient,ViewPortal,andThinClient)and theViewConnectionServer. ViewBrokerprovidesthefollowing: Userauthentication UserdesktopentitlementswithViewLDAP Virtualdesktopsessionmanagement Coordinationofthesecureconnectionestablishment,virtualdesktop connection,andsinglesignon AdministrationserverusedbyViewAdministratorWebclient Virtualdesktoppoolmanagement ViewBrokeroperatescloselywithVirtualCentertoprovideadvancedmanagementof virtualdesktops.Thisincludesvirtualdesktopcreationaspartofpoolmanagement andpoweroperations,suchasautomaticsuspendandresume.
View Secure Gateway Server

ViewSecureGatewayServerprovidestheserversidecomponentforthesecureHTTPS connectionbetweentheViewClient(orViewSecureGatewayClient)andtheView ConnectionServer.Aftertheuserisauthenticated,asecureHTTPSconnectionis establishedbetweentheclientandtheViewConnectionServer.ForaWindowsclient, thisconnectionisinitiatedbythenativeWindowsViewClient.OnLinuxorMacOS/X, itisinitiatedbytheJavaViewSecureGatewayClientusingJavaWebStarttechnology. Afterthissecureconnectionisestablished,virtualdesktopprotocols(RDP)can securelyandreliablyconnect. WhentheViewSecureGatewayServerseesanincomingRDPconnectionthroughthe HTTPSconnection,itforwardsthisconnectiontotheappropriatevirtualdesktop.To ensurethatallvirtualdesktopsareonlyaccessedthroughViewConnectionServer, firewallrulescanbeappliedtoeachvirtualdesktopsothatallRDPconnections originatefromaViewConnectionServer.Thisway,directaccesstovirtualdesktops bypassingViewConnectionServerisnotpossiblebecauseViewConnectionServeracts asgatekeeperforallvirtualdesktopaccess.WithVDM2.1andnewer,theViewAgent canbeconfiguredsothatdirectincomingRDPconnectionstovirtualdesktopsarenot allowed.Thisensuresthatallremoteaccesstovirtualdesktopsmustpassthrougha ViewConnectionServer
22
VMware, Inc.
ViewSecureGatewayServerisalsoresponsibleforforwardingotherWebtraffic(such asauthenticationtraffic,userdesktopselectiontraffic,andsoon)totheViewbroker fromtheViewclients.ViewAdministratorWebtrafficispassedbyViewSecure GatewayServertotheViewBroker.
View LDAP
ViewLDAPisanembeddedLDAPdirectoryoneachViewConnectionServerStandard andReplicainstances.ItisusedastheconfigurationrepositoryforallView configurationdata.ViewLDAPforWindowsServer2003usesMicrosoftActive DirectoryApplicationMode(ADAM).ThisisanembeddedLDAPdirectorybundled withView.ItinstallsthefollowingcomponentsthatareappropriateforView: SpecificViewschemadefinitions Directoryinformationtree(DIT)definitions Accesscontrollists(ACLs) ViewLDAPalsoincludesasetofViewpluginDLLstoprovideautomationand notificationservicesforotherViewcomponents. ViewLDAPcontainsentriestorepresentthefollowingconfigurationitems: VirtualdesktopentriesthatrepresenteachaccessiblevirtualdesktopThis containsreferencestoForeignSecurityPrincipalentriesofWindowsusersand WindowsusergroupsinActiveDirectorywhoareauthorizedtousethisdesktop. VirtualDesktopPoolentriesthatrepresentmultiplevirtualdesktopsmanaged together Virtualmachineentriesthatrepresenteachvirtualdesktop Viewcomponentconfigurationentriesusedtostoreconfigurationsettings WhenaStandardinstanceisinstalledduringViewConnectionServerinstallation,a new,localstandaloneADAMinstanceiscreated.Theschemadefinitions,DIT definition,ACLs,andsoonareloadedandinitialdataisadded.Configurationdatain ViewLDAPismainlymaintainedfromViewAdministrator,althoughViewBrokeralso managessomepartsautomatically.
VMware, Inc.
23
WhenaViewConnectionServerReplicainstanceisinstalled,anADAMinstanceisalso createdlocally,buttheinitialdataisretrievedfromanexistinginstance.Thismeans thattheinitialdataisacopyofanexistinginstancethatincludesallconfiguration settings.DuringaReplicainstanceinstallation,areplicationagreementissetupsothat allViewConnectionServersinthegroupsharethesameconfigurationdata.LDAP changesonanyserverarereplicatedtoallotherservers.Thisreplicationfunctionality isprovidedbyADAM,whichusesthesamereplicationtechnologyasActiveDirectory.
View Messaging
ThiscomponentprovidesthemessagingrouterforcommunicationbetweenView ConnectionServercomponentsandbetweenViewAgentandViewConnectionServer. ItsupportstheJavaMessageService(JMS)API,whichisusedformessaginginView.
View Security Server

ViewSecurityServerisaninstancetypethatisselectedwhenViewConnectionServer isinstalled.IthasasubsetofthefunctionalityofafullViewConnectionServerandis usedinaDMZdeployment.Figure 7showsaViewSecurityServerandshowsthe relationshipwithallotherViewcomponentsandtheprotocolsusedforcommunication betweenthecomponents. ThefollowingdefaultTCPportsareusedforeachprotocol: JMS4001 AJP138009 HTTP80 HTTPS443 RDP3389 SOAP80or443
24
VMware, Inc.
Figure 7. View Component Diagram with Security Server

Windows Client Linux and Mac Client Thin Client
browser thin client operating system RDP Client View Client RDP Client View Secure GW Client
HTTP(S) HTTP(S) HTTP(S)
HTTP(S)
HTTP(S)
RDP
View Security Server
RDP JMS AJP13
Admin Console View Administrator

HTTP(S)
View Messaging View Connection Server
View Broker & Admin Server

SOAP
VirtualCenter Server VMware VirtualCenter
View Manager LDAP
JMS RDP RDP
View Agent
Virtual Desktop VM
FormoreinformationaboutViewdeploymentwithinaDMZ,seeViewConnection ServerDMZDeployment.
VMware, Inc.
25
Deployment Options
VMwareViewoffersseveraldeploymentoptions. OfflineDesktop ViewComposer UnifiedAccess
Offline Desktop
OfflineDesktopoffersmobileuserstheabilitytocheckoutaclonedinstanceofcertain typesofViewdesktopontoalocalsystemsuchasalaptop.Oncecheckedout,thelocal copybehaveslikeastandalonedesktopsystemandcanbeusedwithorwithouta networkconnection;thedesktopisnowconsideredtobeoffline. Oncedownloaded,Offlinedesktopsbehaveinthesamewayastheironlineequivalents yetcantakeadvantageoflocalresources;latencyisminimizedandperformanceis enhanced.Thepresenceofadownloadedvirtualmachinehasnoeffectontheexisting operatingsystemoftheclientsystem,whichuserscancontinuetoutilizeiftheywish. AconsistentuserexperienceisensuredthroughuseoftheViewClientapplicationfor bothonlineandofflinesessions.Inaddition,userscandisconnectfromtheiroffline desktopandthenloginagainwithoutconnectingtotheViewConnectionServer. Oncenetworkaccessisrestored(orwhentheuserisready)thecheckedoutVMcanbe: Backeduptheonlinesystemisupdatedwithallnewdataandconfigurations, buttheofflinedesktopremainscheckedoutonthelocalsystemandtheonlinelock remainsinplace. Rolledbacktheofflinedesktopisdiscardedandtheonlinelockisreleased. Futureclientconnectionswillbedirectedtotheonlinesystemuntilthedesktopis checkedoutagain Checkedintheofflinedesktopisuploadedtotheonlinehostandtheonlinelock released.Futureclientconnectionswillbedirectedtotheonlinesystemuntilthe desktopischeckedoutagain. Theabilityofuserstodownloadanonlinedesktopforuseontheirlocalsystemis conferredthroughViewentitlementandOfflineVDIaccesspolicy.Whileadesktopis checkedout,Viewadministratorsarestillabletoaccesstheonlinesystemwhile monitoringtheofflineequivalent
26
VMware, Inc.
Linked Clones
TheLinkedClonefeatureenablesViewadministratorstocloneanddeploymultiple desktopsfromasinglecentralizedbaseimage,calledaMasterVM.Oncethedesktops havebeencreatedtheyremainindirectlylinkedtoasnapshotresidingonthismaster image. Thelinkisindirectbecausethefirsttimeoneormoredesktopclonesarecreated,a uniquelyidentifiedcopyoftheMasterVMcalledareplicaisalsocreated.Allthe desktopclonesareanchoreddirectlytothereplicaandnottotheMasterVM. TheMasterVMcanbeupdatedorreplacedwithoutdirectlyaffectingtheanchored clonesandcanthereforecanbeviewedasastandaloneVM.Thissetofrelationshipsis illustratedinFigure 8. Figure 8. Master VM, Linked Replica, and Desktop Clones
parent VM can be on a different datastore base image + snapshot
clone 1 replica
clone 2
OS data disk
user data disk
OS data disk
user data disk
Becauseallclonesinthisenvironmentareconnectedtoacommonsource,LinkedClone permitsthecentralizedmanagementofdesktopswhilemaintainingaseamlessuser experience.Taskssuchasresettingeachsystemtoitsdefaultconfiguration,balancing storage,installingsoftwareandapplyingservicepacksaregreatlyacceleratedbythis typeofdeployment.
VMware, Inc.
27
Viewadministratorscansimultaneouslyupdate(orchange)theoperatingsystemsof alldesktops,installorupdateclientapplications,ormodifythedesktophardware settingsbycarryingouttheseactivitiesontheMasterVMandthenanchoringthe desktopclonestoanewsnapshotofthisconfiguration.Thisactioniscalleddesktop recomposition. NOTEDesktopclonescanalsobeanchoredtoacompletelydifferentMasterVM. AdministratorscanalsoreturntheOSdataofeachdesktop,whichmayhaveexpanded throughongoingusage,toitsoriginalstate(thatoftheMasterVM)bycarryingoutan actioncalleddesktoprefresh. TheadministrativeinterfaceprovidedbyViewdeliversahighleveloverviewofwhat actionsarebeingcarriedout.Policiescancontrolwhatactionsareexecutedandatwhat timeinordertominimizedisruptiontotheuserbase.Connecteduserscanbenotified withcustommessagesifanupdatethatwillaffecttheirsessionisabouttotakeplace.
Unified Access
LargeenterprisesuseamixofphysicalPCs,serverbaseddesktopsorapplicationsthat arepublishedusingterminalservices;virtualdesktops;andbladePCs.Usersrequiring accesstomorethanoneplatformmustuseseveraldifferentinterfaces.UnifiedAccess enablesViewtoprovideaunifiedinterfacethroughwhichuserscanaccesstheir desktopsbeingdeliveredbymultiplebackends. Thedesktopdeploymentparadigminlargeenterprisesisamixofvariousbackend platforms.Viewsupportforbackendplatformshasbeenlimitedtovirtualmachines managedbytheVCserver.UnifiedAccessenablesViewtodeliverandmanagevirtual machinesthatarenotmanagedbytheVCserver. Thetermdesktopsourcereferstoanindividualdesktopresourceprovidedtopool users.Thiscanbeaprovisionedornonprovisionedvirtualmachine,aterminalserver sessionoraphysicalcomputer. UnifiedAccesssupportsdifferentdesktopdeliverymodelswhichcharacterizetheway adesktopiscreated,entitled,delivered,andused.Thedesktopdeliverymodels supportedbyVieware: IndividualDesktopadesktopthatallowsasingle,preexistingbackendsource andcanbeentitledtomanyusersorgroups. ManualPoolamanuallyprovisionedpoolofdesktopsourcesthatallows multipleuserstobemappedtomultipledesktops.
28
VMware, Inc.
AutomatedPoolanautomaticallyprovisionedpoolofdesktopsourcesthat allowsmultipleuserstobemappedtomultipledesktops. TerminalServerPoolapoolofterminalserver(TS)desktopsourcesservedby oneormoreterminalservers.Aterminalserverdesktopsourcecandeliver multipledesktops. Administratorsshoulddeployaroamingprofilesolutiontoenableusersettingsand personalizationtobepropagatedtothecurrentlyaccesseddesktop.
VMware, Inc.
29
30
VMware, Inc.
Glossary
A
ActiveDirectory AMicrosoftdirectoryservicethatstoresinformationaboutthenetworkoperating systemandprovidesservices.ActiveDirectoryconfiguresandmanagesusersand groupsandenablesadministratorstosetsecuritypolicies,controlresources,and deployprogramsacrossanenterprise. ADAM(ActiveDirectoryApplicationMode) AnLDAPimplementationbasedonActiveDirectory. activesession AliveconnectionfromaclientorViewPortalusertoavirtualdesktop.An establishedconnectiontoavirtualdesktopthathasnottimedout. administratoruserinterface TheWebbasedadministratoruserinterfaceusedtoperformconfigurationand managementtasksinView.AlsoknownastheViewAdministrator. agent SeeVMwareViewAgent.
broker Alsoknownasaconnectionbroker.TheViewConnectionServerisatypeof connectionbroker.SeealsoVMwareViewConnectionServer.
VMware, Inc.
31
client SeeVMwareViewClient. connectionbroker Aserverthatallowsconnectionsbetweenremoteusersandvirtualdesktopsand providesauthenticationandsessionmanagement.TheViewConnectionServeris atypeofconnectionbroker.SeealsoVMwareViewConnectionServer. connectionserver SeeVMwareViewConnectionServer.
desktop Seevirtualdesktop. desktopvirtualmachine Seevirtualdesktop. desktoppool Apoolofvirtualmachinesthatanadministratordesignatesforusersorgroupsof users.Seealsopersistentdesktoppool,nonpersistentdesktoppool. DMZ(demilitarizedzone) Alogicalorphysicalsubnetworkthatconnectsinternalserverstoalarger, untrustednetwork(usuallytheInternet)andprovidesanadditionallayerof securityandgivesadministratorsmorecontroloverwhocanaccessnetwork resources. DNS(DomainNameSystem) AnInternetdataqueryservicethattranslateshostnamesintoIPaddresses.Also calledDomainNameServerorDomainNameService.
FQDN(fullyqualifieddomainname) Thenameofahost,includingboththehostnameandthedomainname.Forexample, theFQDNofahostnamedesx1inthedomainvmware.comisesx1.vmware.com.
guest Seeguestoperatingsystem. guestoperatingsystem Anoperatingsystemthatrunsinsideavirtualmachine.
32
VMware, Inc.
Glossary
highavailability Asystemdesignapproachthatensuresadegreeofoperationalcontinuity. loadbalancing Atechniqueusedfordistributingprocessesacrossserverssothatthetrafficloadis spreadmoreevenlyandserversdonotbecomeoverloaded. nonpersistentdesktoppool Adesktoppoolinwhichusersarenotassignedtoaspecificdesktop.Whenusers logofforaretimedoutofadesktop,theirdesktopsarereturnedtothepooland madeavailabletootherusers.Usersshouldnotsavedataorfilestotheirdesktops whenusinganonpersistentpool. persistentdesktoppool Adesktoppoolinwhichusersareassignedtoaspecificdesktop.Userslogonto thesamedesktopeverytimeandtheirdataispreservedwhentheylogoff.Users cansavedataandfilestotheirdesktopswhenusingapersistentpool. RDP(remotedesktopprotocol) Amultichannelprotocolthatallowsausertoconnecttoacomputerremotely. RSASecurID AproductfromRSAthatprovidesstrongtwofactorauthenticationusinga passwordandanauthenticator.
securityserver AViewConnectionServerdeploymentthataddsalayerofsecuritybetweenthe Internetandtheinternalnetwork.SecurityServerisanoptionthatyouchoose duringViewconnectionserverinstallation.SeealsoDMZ(demilitarizedzone). thinclient Adevicethatallowsausertoaccessvirtualdesktopsbutrequireslittlememoryor diskdrivespace.Applicationsoftware,data,andCPUpowerresidesonanetwork computerandnotontheclientdevice. VMwareViewAgent Installedontheguest,theViewAgentenablescommunicationbetweenthe desktopvirtualmachine,theViewConnectionServer,andenduserswhoaccess virtualdesktopsbyusingViewViewPortalorViewClients.
VMware, Inc.
33
VMwareViewClient AWindowsbasedapplicationusedforaccessingvirtualdesktops. VMwareViewConnectionServer Aconnectionbrokerthatprovidesmanagementanduserauthenticationforvirtual desktops.TheViewConnectionServerdirectsincomingremotedesktopuser requeststotheappropriatevirtualdesktop. VMwareViewPortal Webbrowserbasedapplicationforaccessingvirtualdesktops.Enduserswhorun supportedWindows,Linux,orMacintoshoperatingsystemscanaccessvirtual desktopsbyusingViewPortal. virtualdesktop Adesktopoperatingsystemthatrunsonavirtualmachine.Avirtualdesktopis indistinguishablefromanyothercomputerrunningthesameoperatingsystem. VMwareVirtualDesktopInfrastructure TheVMwaredesktopinfrastructuresolutionthatconsistsofVMwareESXServer, VMwareVirtualCenter,andVMwareVirtualDesktopManager.VDIprovidesan endtoendvirtualdesktopsolutionthatallowsadministratorstoeasilydeploy andmanagevirtualdesktopenvironments.
34
VMware, Inc.

Introduction To Vmware View Manager

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Introduction To Vmware View Manager

Uploaded by

Copyright:

Available Formats

Introduction to VMware View Manager

View Manager 3.0