
Introduction to Virtual Desktop Manager


Revision: 20080527
Item: VDM-ENG-Q108-451

You can find the most up-to-date technical documentation on our Web site at
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com

2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242,
6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022,
6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481,
7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999,
7,278,030, 7,281,102, and 7,290,253; patents pending.
VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names
mentioned herein may be trademarks of their respective companies.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Contents

Introduction to Virtual Desktop Manager 3
Introduction 3
Features 4
VDM Overview 5
VDM User Authentication 9
VDM Extended USB Device Redirection 11
VDM Secure Access 12
VDM Virtual Desktop Pool Management 13
VDM High Availability and Scalability 15
VDM Connection Server DMZ Deployment 17
VDM Connection Server Components 21
VDM Broker 22
VDM Secure Gateway Server 22
VDM LDAP 23
VDM Messaging 24
VDM Security Server 24

Glossary 27

Introduction to Virtual Desktop Manager

VMware Virtual Desktop Manager 2 (VDM) is a key component in the VMware Virtual Desktop Infrastructure (VDI) solution. VDM is an enterprise-class virtual desktop manager that securely connects authorized users to centralized virtual desktops. It works with VMware Virtual Infrastructure 3 to provide a complete, end-to-end VDI solution that improves control and manageability and provides a familiar desktop experience.

The benefits of VDI with VDM include the following:

- Control and manageability in a single product: Administrators can more easily provision, manage, and maintain desktops because the desktops are running in the datacenter.

- Familiar end-user experience: Users get flexible access to a personalized, virtual desktop that behaves just like their PC desktops.

- VMware Infrastructure 3 integration: VDI extends the benefits of VMware Infrastructure 3 to the desktop by leveraging the backup, failover, and disaster recovery capabilities of VMware Infrastructure 3.

- Lower total cost of ownership (TCO): By reducing administration and energy costs and extending the useful life of PCs, VDI delivers lower TCO.

Features

The features of VDM in VDI include the following:

- Enterprise-class connection brokering: VDM manages the connections between users and their virtual desktops. When users log in to VDM, the virtual desktops they are authorized to access appear. After connecting to a virtual desktop, users access their applications as if the applications are running locally.

- USB client device support: USB devices can be locally connected to clients and accessed through a virtual desktop.

- Web-based management user interface: A Web-based management console allows virtual desktops to be managed from any location.

- Smart pooling capabilities: A range of persistent and non-persistent pooling capabilities simplifies the provisioning and management of centralized desktops.

- Secure access: Optional secure encapsulation capabilities allow all network connections to be encrypted.

- Integration with Microsoft Active Directory: Connection to Active Directory, which allows you to locate user and user group accounts and use the authentication features in Active Directory to control which users can access virtual desktops.

- Support for two-factor authentication: With RSA SecurID, access control is strengthened.

- Seamless integration with VMware Virtual Infrastructure 3: Works closely with VMware VirtualCenter to provide advanced virtual desktop management capabilities, such as automatic suspend and resume, which reduces the memory and processing power required to host virtual desktops. By leveraging the capabilities of VMware Virtual Infrastructure 3, desktops can run even when server hardware fails and recover quickly from unplanned outages without duplicate hardware.

- Flexible deployment options: Critical components can be deployed in a variety of configurations and to different parts of the network, which improves security, scalability, and reliability. Multiple VirtualCenter servers are supported, and VDM can scale horizontally to support many virtual desktops.

- High availability: Servers can be clustered for high availability and scalability with automatic failover. These servers can also leverage industry-standard load balancing solutions.

VDM Overview

VDM includes the following key components:

- VDM Connection Server
- VDM Agent
- VDM Client
- VDM Web Access
- VDM Administrator

Figure 1 shows the physical topology of a VDI infrastructure with VDM and shows the relationship between the main VDM components.

Figure 1. Physical Topology of VMware VDI Infrastructure with VDM
[Figure: Windows (VDM Client), Linux (VDM Web Access), Mac (VDM Web Access), and Thin Client devices connect over the network to the VDM Connection Server, alongside VDM Administrator (browser), Microsoft Active Directory, and VirtualCenter Management Server. Virtual desktop VMs (desktop OS, apps, VDM Agent) run on ESX Server hosts.]

VDM Connection Server

This component is the VDI connection broker that manages secure access to virtual desktops and works with VirtualCenter to provide advanced management capabilities. It is installed on a Microsoft Windows Server 2003 server that is part of an Active Directory domain.

VDM Connection Server is installed as one of the following instances:

- Standard: This instance appears in Figure 1. It provides standalone functionality and is used as the only VDM Connection Server (or the first of a group of VDM Connection Servers that act as part of a high-availability, fully replicated group).

- Replica: This instance is installed as a second or subsequent VDM server in a high-availability group. Configuration data is initialized from an existing VDM server and is automatically replicated between VDM group members.

- Security Server: This instance implements a subset of the VDM Connection Server functionality and is used in a demilitarized zone (DMZ) deployment. A VDM Security Server does not need to be in an Active Directory domain. The Standard and Replica instances automatically include the Security Server functionality.

The instance type is selected during VDM Connection Server installation. High availability and DMZ deployments of VDM Connection Server using Replica and Security Server instances are described in VDM Connection Server DMZ Deployment. Configuration data is stored in an embedded LDAP directory on each Standard and Replica instance.

VDM Agent

This component runs on each virtual desktop and is used for session management and single sign-on. With VDM Client, this component supports optional USB device redirection. This agent can be installed on a virtual machine template so that virtual desktops created from that template automatically include the VDM Agent.

Place virtual desktops in an Active Directory domain that is one of the following:

- The same domain to which the VDM Connection Servers are joined
- A domain with a trust agreement with the VDM Connection Server domain

When users connect to their virtual desktops, they are automatically logged in using the same credentials they use to log in to their domain. The single sign-on capability can be disabled in VDM Agent, which means that users are always required to log on to the virtual desktop manually. If the virtual desktop is not part of a domain or is part of a domain with which no trust agreement exists, single sign-on is not available, and the user must manually log in to the virtual desktop.

VDM Client

This component runs on a Windows PC as a native Windows application and allows users to connect to their virtual desktops through VDM. This component connects to a VDM Connection Server and allows the user to log on using any of the supported authentication mechanisms. After logging in, users can select from the list of virtual desktops for which they are authorized. This step provides remote access to their virtual desktop and provides users with a familiar desktop experience.

VDM Client also works closely with VDM Agent to provide enhanced USB support. Basic USB support (such as USB drives and USB printers) is supported without VDM USB support, but VDM extends this support to include additional USB devices. You can specify VDM USB support in VDM Client during the installation.

VDM Web Access

This component is similar to VDM Client but provides a VDM user interface through a Web browser. VDM Web Access is included automatically during the VDM Connection Server installation. VDM Web Access is supported on Linux and Mac OS/X, but this Web access does not support VDM USB extensions. All necessary VDM software is installed automatically on the client through the Web browser. VDM Web Access on Linux uses rdesktop and on Mac OS/X uses Microsoft Remote Desktop Connection Client for Mac.

VDM Web Access can also be used on a Windows client with VDM Client. A user obtains the required software on their client device by accessing a VDM Connection Server with a Web browser. If the VDM Client software is installed with USB support by a user with administrative rights, VDM Web Access on Windows has complete VDM USB support.

VDM Administrator

This component provides VDM administration through a Web browser. It is used by VDM administrators to do the following:

- Make configuration settings
- Manage virtual desktops and entitlements of desktops of Windows users and groups

VDM Administrator also provides an interface to monitor log events on a VDM Server and is installed with VDM Connection Server. For more information about the VDM Connection Server components and their relationship with other VDM components, see VDM Connection Server Components.

VDM User Authentication

Users need to log in to VDM first in order to prove their identity and to gain access to their virtual desktops. Normally, they do this by entering their Windows credentials at the login prompt.

As an added level of security, VDM can be configured to require RSA SecurID authentication. This requires the use of a SecurID token for each user. As part of the login process, users must enter their SecurID usernames together with their SecurID PINs and tokencodes. After successful verification of the SecurID details entered, users are prompted for their Windows credentials.

Active Directory Authentication

Each VDM Connection Server must be joined to an Active Directory domain. This allows user authentication for VDM against Active Directory for the joined domain and for additional user domains with which a trust agreement exists. For example, if VDM Connection Server is a member of Domain A, and a trust agreement exists between Domain A and Domain B, users from either domain can log in to VDM.

By authenticating users against an existing Active Directory, an organization can simplify the operational management of VDM by ensuring that the management of user accounts is handled in one place. If a user account is disabled in Active Directory, that user cannot log in to VDM. Policies, such as restricting permitted hours of login and the expiration date for passwords, are also handled through existing Active Directory operational procedures.

RSA SecurID Authentication

VDM is certified through the RSA SecurID Ready program to operate with RSA SecurID authentication technology. Individual VDM Connection Servers can be enabled for RSA SecurID authentication. Users who access a VDM Connection Server that is enabled for RSA SecurID authentication are prompted for their RSA SecurID usernames and passcodes (PINs and tokencodes). After authenticating against an RSA Authentication Manager, users can continue to log in.

Using RSA SecurID provides enhanced security with two-factor authentication. This requires knowledge of the user's PIN and tokencode, which is only available on the physical SecurID token. As required for RSA SecurID certification, VDM supports the full range of SecurID capabilities, including New PIN Mode, Next Tokencode Mode, RSA Authentication Manager, load balancing, and so on.

Figure 2 shows the physical topology diagram for VDM with an additional server used to authenticate RSA SecurID users. The RSA Authentication Manager is shown as a single server, but for high-availability deployments, you need multiple servers.

Figure 2. VDM RSA SecurID Authentication with RSA Authentication Manager
[Figure: Client connects over the network to the VDM Connection Server, which communicates with Microsoft Active Directory, RSA Authentication Manager, and VirtualCenter Management Server; VDM Administrator; ESX Server hosts running Virtual Desktop virtual machines.]

When users enter their RSA SecurID credentials, VDM Connection Server communicates with RSA Authentication Manager to verify the information. After the credentials are verified, VDM Connection Server requests Active Directory domain credentials from the user and communicates with Active Directory to continue the authentication process.
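The two-stage sequence just described, worked through as an added example that is not VMware or RSA code: a small state machine in which Windows credentials cannot be submitted until the SecurID passcode has verified, with Next Tokencode Mode handled as an extra step before the Windows prompt. RSA Authentication Manager and Active Directory are replaced by in-memory stand-ins constructed for the example; the token record, the usernames, and the `Stage`, `FakeAuthManager` and `Login` names are the example's own assumptions, not part of the product.

```python
"""Two-stage login as described for VDM with RSA SecurID: the SecurID passcode
is verified first, and Windows credentials are requested only after that
succeeds. Added illustration, not VMware or RSA code. RSA Authentication
Manager and Active Directory are replaced by constructed in-memory stand-ins
so the sequencing (including Next Tokencode Mode) runs offline."""
from dataclasses import dataclass, field
from enum import Enum, auto


class Stage(Enum):
    SECURID = auto()         # waiting for SecurID username, PIN and tokencode
    NEXT_TOKENCODE = auto()  # Next Tokencode Mode: a second, fresh tokencode is required
    WINDOWS = auto()         # SecurID verified; waiting for Windows credentials
    DONE = auto()
    FAILED = auto()


@dataclass
class TokenRecord:
    pin: str
    codes: list  # tokencodes in the order the token displays them (constructed)


@dataclass
class FakeAuthManager:
    """Stand-in for RSA Authentication Manager; not the real protocol."""
    tokens: dict                       # SecurID username -> TokenRecord
    next_tokencode_users: set = field(default_factory=set)
    pending_next: dict = field(default_factory=dict)

    def verify(self, user, pin, tokencode):
        rec = self.tokens.get(user)
        if rec is None or pin != rec.pin or tokencode not in rec.codes:
            return "denied"
        if user in self.next_tokencode_users:
            # Manager wants proof the caller holds the token: ask for the
            # tokencode that follows the one just accepted.
            self.next_tokencode_users.discard(user)
            self.pending_next[user] = rec.codes.index(tokencode)
            return "next_tokencode"
        return "ok"

    def verify_next(self, user, tokencode):
        rec = self.tokens.get(user)
        idx = self.pending_next.pop(user, None)
        if rec is None or idx is None or tokencode not in rec.codes:
            return "denied"
        return "ok" if rec.codes.index(tokencode) == idx + 1 else "denied"


class Login:
    """One user's login attempt against a SecurID-enabled connection server."""

    def __init__(self, manager, windows_accounts):
        self.manager = manager
        self.windows_accounts = windows_accounts  # constructed AD stand-in: user -> password
        self.stage = Stage.SECURID
        self.securid_user = None

    def submit_securid(self, user, pin, tokencode):
        self._expect(Stage.SECURID)
        return self._apply(user, self.manager.verify(user, pin, tokencode))

    def submit_next_tokencode(self, tokencode):
        self._expect(Stage.NEXT_TOKENCODE)
        result = self.manager.verify_next(self.securid_user, tokencode)
        return self._apply(self.securid_user, result)

    def submit_windows(self, user, password):
        # Windows credentials are accepted only after SecurID has verified.
        self._expect(Stage.WINDOWS)
        ok = self.windows_accounts.get(user) == password
        self.stage = Stage.DONE if ok else Stage.FAILED
        return self.stage

    def _expect(self, stage):
        if self.stage is not stage:
            raise RuntimeError(f"step not permitted in stage {self.stage.name}")

    def _apply(self, user, result):
        if result == "ok":
            self.securid_user, self.stage = user, Stage.WINDOWS
        elif result == "next_tokencode":
            self.securid_user, self.stage = user, Stage.NEXT_TOKENCODE
        else:
            self.stage = Stage.FAILED
        return self.stage


def make_demo_login():
    """Constructed sample: one token for 'alice' flagged for Next Tokencode
    Mode, and one Windows account."""
    manager = FakeAuthManager(
        tokens={"alice": TokenRecord(pin="1234", codes=["111111", "222222", "333333"])},
        next_tokencode_users={"alice"},
    )
    return Login(manager, {"CORP\\alice": "winpass"})


def windows_first_is_rejected():
    """Submitting Windows credentials before SecurID has verified is refused."""
    try:
        make_demo_login().submit_windows("CORP\\alice", "winpass")
    except RuntimeError:
        return True
    return False
```

The point of the `_expect` guard is the ordering the text describes: the Windows credential prompt is never reachable, and the Active Directory stand-in is never consulted, unless the SecurID step has already returned success.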

VDM Extended USB Device Redirection

VDM allows the redirection of a variety of locally attached USB devices for software that runs on a user's virtual desktop. Suitable devices, when attached, can be selected from a dynamic drop-down menu in VDM Client. Devices attached after the virtual desktop session starts will appear in the menu and are available for redirection after being initialized.

Some devices, such as printers, local USB flash drives, and smart cards, can be forwarded to the virtual desktop using standard Microsoft Remote Desktop Protocol (RDP). But VDM Client USB redirection extends the range of usable devices and the functionality of some devices beyond that provided by RDP. For example, sound can be brought to the local machine using RDP, but disabling this feature and using VDM USB redirection allows you to use VoIP devices.

VDM USB redirection is initiated after the user is authenticated. Because of this, smart card forwarding is limited to RDP functionality so that smart cards can be used to authenticate the virtual desktop session. As a result, these devices do not appear in the VDM Client devices menu. Human interface devices (HIDs), such as a keyboard or a mouse, are also filtered from the USB device list because these devices are required locally and function without being forwarded or redirected.

RDP forwarding and VDM USB redirection can be governed through Active Directory Group Policy and VDM Administrator. Using VDM USB redirection requires VDM Client, VDM Agent, and the user to have administration rights on the VDM Client and the VDM Agent operating systems.

VDM Secure Access

VDM Connection Server with VDM Client and VDM Web Access provides security for the desktop protocols between the client device and the VDM Connection Server. VDM encapsulates all protocols, such as the extended RDP, in an HTTPS connection, which offers the following advantages:

- The RDP protocol is tunneled through HTTPS and is encrypted using SSL: This is a powerful security protocol and is consistent with the security provided by other secure Web sites like those used for online banking, credit card payments, and so on.

- One HTTPS connection is used for all client-server communication: Multiple desktop connections are multiplexed over this HTTPS connection, which reduces the overall protocol overheads.

- VDM controls both ends of this HTTPS connection, so the reliability of the underlying protocols is significantly improved: If a user temporarily loses a network connection, after it is restored, the HTTPS connection is re-established and the RDP connections automatically resume without having to reconnect and log in again.

- VDM is accessed using standard Web protocols, so it can be easily accessed through corporate proxies: In a standard deployment of just VDM Connection Servers, the HTTPS secure connection terminates at the VDM Connection Server and in a DMZ deployment, at the VDM Security Server. See VDM Connection Server DMZ Deployment.

VDM Connection Server can be configured to not use a secure connection, so that RDP communication is direct from the client device to the virtual desktop.

VDM Virtual Desktop Pool Management

VDM includes integrated virtual desktop pool management capabilities that leverage the control provided by VirtualCenter to provision and manage the virtual desktops. VDM provides the following types of desktops:

- Individual desktops: These are existing virtual desktops that are available through VDM. The pool manager can control the power state of these virtual desktops.

- Persistent desktop pool: This type is a pool of virtual desktops whose lifecycle and power state is controlled by the pool manager. Persistent virtual desktops are assigned to their user on the first use, so the user returns each time to the same virtual desktop. This type of pool is used when users want to customize their desktops by installing additional applications and storing local data.

- Non-persistent desktop pool: Similar to a persistent desktop pool, except in this case the virtual desktops are not permanently assigned to users. When a session is finished, the virtual desktop is returned to the pool and made available for other users. By deleting the virtual desktops after each use (optional), this type of pool ensures that each user receives a newly provisioned virtual desktop each time the user connects. Use this type of pool where a clean machine is needed for each user session or in highly controlled environments that have no requirement for customization to be stored on the virtual desktop.

The two desktop pool types are sized using the following parameters:

- Minimum: The minimum number of virtual desktops to be created when the pool is first created. The pool manager continues to create virtual desktops until this minimum count is reached. This process ensures that a pool is appropriately sized when a user population is moved to VDM.

- Maximum: The maximum number of virtual desktops that can exist in the pool. Use this parameter to limit the number of virtual desktops in the pool to avoid overusing available resources.

- Available: The number of virtual desktops that are available for immediate use. For persistent pools, this parameter relates only to the unassigned virtual desktops. This is used to ensure that the pool manager creates enough virtual desktops in advance to cope with demand. Use a higher number for more volatile environments.

When a pool contains too few virtual desktops, the manager provisions new virtual desktops from a designated template. These virtual desktops can also be automatically customized (for example, named and made part of an Active Directory domain) or be left for an administrator to manually configure.

Power management is applied to all virtual desktops under VDM control, and the following policies are supported:

- Remain on: After being started, VDM does not power the machine down. If a virtual desktop is powered down, for example using the VirtualCenter client, VDM automatically starts it when it is needed.

- Always powered on: VDM ensures that any virtual desktop with this policy applied is powered on all the time. If a virtual desktop is powered down, VDM immediately powers it up again.

- Suspend when not in use: If a virtual desktop is not required, it is suspended. This policy is applied to individual and assigned persistent virtual desktops when the user logs off. It is also applied to non-persistent virtual desktops when there are too many available virtual desktops. For example, this can be triggered by a virtual desktop being returned to the pool when a user logs out.

- Power off when not in use: If a virtual desktop is not required, it is powered off. This is just like the Suspend when not in use policy, except that the virtual desktop is completely powered off.

VDM supports individual and pooled desktops on multiple VirtualCenter instances. A pool cannot span VirtualCenters, but VDM can manage multiple pools across multiple VirtualCenters. VDM limits the number of provisioning and power operations that can be concurrently active for each VirtualCenter to ensure that the rate of operations is not excessive. These limits are applied across all pools and desktops for each VirtualCenter. In a multi-broker environment, the VDM Connection Servers cooperate with each other to enforce these limits and to perform the pool management operations.
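The sizing parameters, the four power policies and the per-VirtualCenter operation cap from this section, worked through together as an added example rather than VMware's own pool manager. VirtualCenter is reduced to a counter of in-flight operations, the pool and desktop names are constructed, and the `Pool`, `VirtualCenterLimit`, `provision`, `connect` and `on_logoff` names are the example's own.

```python
"""Desktop pool sizing (Minimum/Maximum/Available), power policies and the
per-VirtualCenter operation cap described for VDM pool management. Added
illustration, not VMware's pool manager: VirtualCenter is modelled only as a
counter of in-flight operations, and pool and desktop names are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Power(Enum):
    REMAIN_ON = "Remain on"
    ALWAYS_ON = "Always powered on"
    SUSPEND = "Suspend when not in use"
    POWER_OFF = "Power off when not in use"


@dataclass
class Desktop:
    name: str
    assigned_to: str = None   # persistent pools: owner after first use
    in_session: bool = False
    state: str = "poweredOn"  # poweredOn | suspended | poweredOff


@dataclass
class Pool:
    name: str
    vcenter: str
    persistent: bool
    minimum: int
    maximum: int
    available: int            # idle desktops the manager keeps ready
    policy: Power
    desktops: list = field(default_factory=list)
    seq: int = 0

    def idle(self):
        """Desktops counted as 'available': no session and, in a persistent
        pool, not yet assigned to anyone."""
        return [d for d in self.desktops
                if not d.in_session and not (self.persistent and d.assigned_to)]

    def provisioning_shortfall(self):
        """Desktops to create now: reach Minimum, then keep Available idle
        desktops ready, but never exceed Maximum."""
        need = max(self.minimum - len(self.desktops),
                   self.available - len(self.idle()))
        return max(0, min(need, self.maximum - len(self.desktops)))


class VirtualCenterLimit:
    """Caps concurrent provisioning/power operations per VirtualCenter. An
    operation stays in flight until finish() is called for it."""
    def __init__(self, max_concurrent):
        self.max_concurrent = max_concurrent
        self.in_flight = {}

    def try_start(self, vcenter):
        if self.in_flight.get(vcenter, 0) >= self.max_concurrent:
            return False
        self.in_flight[vcenter] = self.in_flight.get(vcenter, 0) + 1
        return True

    def finish(self, vcenter):
        self.in_flight[vcenter] -= 1


def provision(pool, limiter):
    """Start creation of the pool's shortfall from its template, stopping when
    the VirtualCenter cap is hit. Returns the names of desktops started."""
    started = []
    for _ in range(pool.provisioning_shortfall()):
        if not limiter.try_start(pool.vcenter):
            break                     # remaining desktops wait for a later pass
        pool.seq += 1
        pool.desktops.append(Desktop(f"{pool.name}-{pool.seq:03d}"))
        started.append(pool.desktops[-1].name)
    return started


def connect(pool, user):
    """Give the user their own desktop (persistent pool) or any idle one, and
    power it on if a policy left it suspended or off."""
    own = [d for d in pool.desktops if pool.persistent and d.assigned_to == user]
    desktop = own[0] if own else next(iter(pool.idle()), None)
    if desktop is None:
        return None
    desktop.assigned_to, desktop.in_session, desktop.state = user, True, "poweredOn"
    return desktop


def on_logoff(pool, desktop):
    """Apply the pool's power policy when the session ends."""
    desktop.in_session = False
    if not pool.persistent:
        desktop.assigned_to = None    # returned to the pool for other users
    if pool.policy in (Power.REMAIN_ON, Power.ALWAYS_ON):
        return desktop.state          # both leave the desktop running
    # Suspend/power off apply to assigned persistent desktops at logoff, and to
    # non-persistent desktops only when more than 'Available' are idle.
    if pool.persistent or len(pool.idle()) > pool.available:
        desktop.state = "suspended" if pool.policy is Power.SUSPEND else "poweredOff"
    return desktop.state
```

Two details worth noticing when reading `provisioning_shortfall` and `on_logoff`: for a persistent pool an assigned desktop never counts toward Available even while its owner is logged off, so the manager keeps creating spares up to Maximum; and for a non-persistent pool the suspend/power-off policy only fires once the idle count exceeds Available, which is exactly the "too many available" trigger the text describes.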

VDM High Availability and Scalability

To support high availability and scalability requirements, VDM Connection Server can be deployed using multiple VDM Connection Servers. The first VDM Connection Server to be deployed is installed as a Standard instance. In this case, a new instance of the LDAP directory is installed and the VDM Connection Server supports full functionality using its local LDAP directory.

To extend the environment, a second server can be installed as a Replica instance. During this installation, the user references an existing VDM Connection Server and the Replica instance is joined to the Standard instance to form a VDM Connection Server group. The LDAP VDM configuration data from the Standard instance is copied to the Replica instance. A two-way replication agreement is established so that VDM configuration changes on either server are automatically and immediately made on the other.

Both servers offer identical functionality and in the event of server failure, the other server can continue to operate alone. When the failed server resumes, any changed LDAP VDM configuration data is reflected on the resumed server so that both servers remain up to date. Adding a third and subsequent VDM Connection Servers to the group is done by installing additional Replica instances. During the Replica instance installation, the user can reference any existing group member to join the new server to the group.

After installation, no differences exist between a Replica instance and a Standard instance. If the first Standard instance is decommissioned, additional Replicas can be added to the group by referencing any active VDM Connection Server in the group. All VDM configuration data can be backed up by backing up the LDAP directory instance.

Figure 3 shows two VDM Connection Servers operating as a group. To automatically use both VDM Connection Servers and support high availability and scalability needs, deploy load balancing. This ensures that load is balanced evenly across the available VDM Connection Servers and that failed servers are automatically avoided. VDM Connection Server does not provide load balancing functionality but works with standard third-party load balancing solutions.

Figure 3. Multiple VDM Connection Servers
[Figure: Client connects over the network through load balancing to the VDM Connection Servers, which communicate with Microsoft Active Directory and VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines.]

The load balancing requirements for VDM Connection Server are to support standard HTTP and HTTPS load balancing with session affinity. Load balancing solutions for VDM Connection Server can include Microsoft Network Load Balancing (NLB), standard hardware-based load balancers, or virtual appliance load balancers that can operate on ESX Server.

Users in a load-balanced VDM Connection Server environment use a load-balanced URL to make the connection. This is an alias URL used by the load balancer to direct the connection to any of the available VDM Connection Servers in the group.
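What "HTTP and HTTPS load balancing with session affinity" and "failed servers are automatically avoided" require of the balancer, shown as an added example. This is not a VDM component (the text is explicit that VDM Connection Server provides no load balancing itself) but a minimal sticky balancer: each session is pinned to one healthy server, new sessions are spread across the live set, and a session is re-pinned only when its server is marked failed. The server names and the `StickyBalancer` and `distribution` names are constructed for the example.

```python
"""Session-affinity load balancing in front of a VDM Connection Server group,
as the text requires of third-party balancers. Added illustration, not a
product component: a minimal sticky balancer that pins each client session to
one healthy server and re-pins it only when that server is marked failed.
Server names are constructed."""
import hashlib


class StickyBalancer:
    def __init__(self, servers):
        self.servers = list(servers)
        self.healthy = set(servers)
        self.affinity = {}            # session id -> server currently serving it

    def mark_down(self, server):
        """Health check failed: stop sending new or existing sessions there."""
        self.healthy.discard(server)

    def mark_up(self, server):
        """Recovered server takes new sessions; existing pins are not moved back."""
        self.healthy.add(server)

    def _pick(self, session_id):
        live = sorted(self.healthy)
        if not live:
            return None
        # Deterministic spread of new sessions over the live servers.
        digest = hashlib.sha256(session_id.encode()).hexdigest()
        return live[int(digest, 16) % len(live)]

    def route(self, session_id):
        """Return the server for this session, honouring affinity while the
        pinned server is healthy and failing over otherwise."""
        server = self.affinity.get(session_id)
        if server is None or server not in self.healthy:
            server = self._pick(session_id)
            if server is not None:
                self.affinity[session_id] = server
        return server


def distribution(balancer, session_ids):
    """Count how many of the given sessions land on each server."""
    counts = {}
    for sid in session_ids:
        server = balancer.route(sid)
        counts[server] = counts.get(server, 0) + 1
    return counts
```

Affinity matters here because the HTTPS tunnel described under VDM Secure Access carries a user's whole session; a balancer that re-spread each request would break that tunnel on every request, so a pinned session should move only on failure, not on recovery.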

VDM Connection Server DMZ Deployment

In secure environments, particularly when VDM is being accessed from an insecure network such as the Internet, it is common practice to deploy servers in a DMZ. VDM Connection Server functionality is split between servers in the secure network and the DMZ. VDM Connection Servers that operate in a DMZ are known as VDM Security Servers and are installed using the VDM Connection Server installer and specifying a Security Server instance type. VDM Security Servers in the DMZ operate with VDM Connection Servers (Standard or Replica) in the secure network.

Figure 4 shows a high-availability environment comprising two load-balanced VDM Security Servers in the DMZ working with two full VDM Connection Servers (Standard and Replica instance) in the secure network.

Figure 4. DMZ Deployment with Multiple VDM Connection Servers
[Figure: Remote Client on the external network reaches load-balanced VDM Security Servers in the DMZ, which connect to the VDM Connection Servers in the secure network; Microsoft Active Directory, VirtualCenter Management Server, and ESX Server hosts running Virtual Desktop virtual machines.]

VDM Security Servers do not contain an LDAP configuration repository and do not access any authentication repositories (Active Directory or RSA Authentication Manager). When remote users connect using a VDM Security Server, they must successfully authenticate before a secure connection is established. This means they cannot attempt to access any virtual desktops until they are successfully authenticated. With appropriate firewall rules on both sides of the DMZ, this type of deployment is suitable for accessing virtual desktops from Internet-located client devices.

To support remote VDM Client and VDM Web Access connecting to the environment using HTTPS from an external network, the only TCP port that must be allowed in the DMZ is the HTTPS port (TCP port 443). VDM Security Servers do not need to be part of an Active Directory domain, and no communication occurs between VDM Security Servers and Active Directory.

Although Figure 4 shows a one-to-one relationship between VDM Security Servers and VDM Connection Servers, multiple VDM Security Servers can be connected to each VDM Connection Server. A DMZ deployment can be combined with a standard deployment to offer VDM access for internal users and external users.

Figure 5 shows a more complex environment where four VDM Connection Servers act as one group with the servers in the internal network dedicated to the users of that network, and the servers in the external network dedicated to users of that network. The servers on the right can be enabled for RSA SecurID authentication, so that all external network users are required to authenticate using RSA SecurID tokens.

Figure 5. DMZ Deployment with Internal Network Access
[Figure: Remote Client on the external network reaches load-balanced VDM Security Servers in the DMZ; internal Clients reach load-balanced VDM Connection Servers on the internal network directly; the Security Servers connect to the VDM Connection Servers, which communicate with Microsoft Active Directory and VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines.]

VDM Connection Server Components

Figure 6 shows the VDM Connection Server components and their relationship with the other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:

- JMS: 4001
- HTTP: 80
- HTTPS: 443
- RDP: 3389
- SOAP: 80 or 443

Figure 6. VDM Components
[Figure: elements shown are Windows Client (VDM Client, RDP Client), Linux and Mac Client (browser, VDM Secure GW Client, RDP Client), Thin Client (thin client operating system, RDP Client), Admin Console (VDM Administrator), the VDM Connection Server containing VDM Secure GW Server, VDM Messaging, VDM Broker & Admin Server, and VDM LDAP, the VirtualCenter Server, and the Virtual Desktop VM with VDM Agent. Protocol labels: HTTP(S) between the clients and the Connection Server, RDP, JMS, and SOAP to VirtualCenter.]

VDM Broker

VDM Broker is the core of VDM Connection Server. It is responsible for all user interaction between the client (VDM Client, VDM Web Access, and Thin Client) and the VDM Connection Server.

VDM Broker provides the following:

- User authentication
- User desktop entitlements with VDM LDAP
- Virtual desktop session management
- Coordination of the secure connection establishment, virtual desktop connection, and single sign-on
- Administration server used by VDM Administrator Web client
- Virtual desktop pool management

VDM Broker operates closely with VirtualCenter to provide advanced management of virtual desktops. This includes virtual desktop creation as part of pool management and power operations, such as automatic suspend and resume.

VDM Secure Gateway Server

VDM Secure Gateway Server provides the server-side component for the secure HTTPS connection between the VDM Client (or VDM Secure Gateway Client) and the VDM Connection Server. After the user is authenticated, a secure HTTPS connection is established between the client and the VDM Connection Server. For a Windows client, this connection is initiated by the native Windows VDM Client. On Linux or Mac OS/X, it is initiated by the Java VDM Secure Gateway Client using Java Web Start technology. After this secure connection is established, virtual desktop protocols (RDP) can securely and reliably connect.

When the VDM Secure Gateway Server sees an incoming RDP connection through the HTTPS connection, it forwards this connection to the appropriate virtual desktop. To ensure that all virtual desktops are only accessed through VDM Connection Server, firewall rules can be applied to each virtual desktop so that all RDP connections originate from a VDM Connection Server. This way, direct access to virtual desktops bypassing VDM Connection Server is not possible because VDM Connection Server acts as gatekeeper for all virtual desktop access. With VDM 2.1 and newer, the VDM Agent can be configured so that direct incoming RDP connections to virtual desktops are not allowed. This ensures that all remote access to virtual desktops must pass through a VDM Connection Server.

VDM Secure Gateway Server is also responsible for forwarding other Web traffic (such as authentication traffic, user desktop selection traffic, and so on) to the VDM Broker from the VDM clients. VDM Administrator Web traffic is passed by VDM Secure Gateway Server to the VDM Broker.
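The firewall constraints this document states, in VDM Connection Server DMZ Deployment (only TCP 443 from the external network into the DMZ; no Security Server to Active Directory traffic) and in the gatekeeper paragraph above (RDP to a desktop only from a VDM server), expressed as a rule-set check. This is an added example and not a VMware tool: the rule format, zone and host names, role assignments and the `Rule`, `ROLES`, `check_rules`, `conforming_rules` and `violating_rules` names are constructed for it. The DMZ-to-internal ports in the conforming set are taken from the default port list given for Figure 7; the check does not restrict those, since the text only prescribes the external edge and the AD and RDP constraints.

```python
"""Policy check for the firewall constraints this document states for a DMZ
deployment and for virtual desktop access. Added illustration, not a VMware
tool: the rule format, zone names, host names and role assignments are
constructed for the example.

Constraints checked:
  1. External network -> DMZ: only TCP 443 (HTTPS) may be allowed.
  2. VDM Security Servers in the DMZ never communicate with Active Directory.
  3. RDP (TCP 3389) to a virtual desktop may originate only from a VDM
     Connection Server (or a Security Server, which forwards RDP for
     remote clients), so desktops cannot be reached directly.
"""
from dataclasses import dataclass

# Default TCP ports listed in the document.
PORTS = {"JMS": 4001, "AJP13": 8009, "HTTP": 80, "HTTPS": 443, "RDP": 3389}


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "external", "dmz" or "internal"
    src: str        # host name, or "any"
    dst_zone: str
    dst: str
    port: int       # destination TCP port


# Roles of the hosts in the example topology (constructed).
ROLES = {
    "secsrv-1": "security_server", "secsrv-2": "security_server",
    "vdm-cs-1": "connection_server", "vdm-cs-2": "connection_server",
    "dc-1": "active_directory",
    "vdi-desk-001": "desktop", "vdi-desk-002": "desktop",
}
RDP_ORIGINS = {"connection_server", "security_server"}


def role(host):
    return ROLES.get(host, host)   # unknown hosts (and "any") keep their own name


def check_rules(rules):
    """Return a list of findings; an empty list means the rule set conforms."""
    findings = []
    for r in rules:
        if r.src_zone == "external" and r.dst_zone == "dmz" and r.port != PORTS["HTTPS"]:
            findings.append(
                f"external->DMZ permits TCP {r.port} to {r.dst}; only 443 is allowed")
        if role(r.src) == "security_server" and role(r.dst) == "active_directory":
            findings.append(
                f"security server {r.src} must not reach Active Directory {r.dst}")
        if r.port == PORTS["RDP"] and role(r.dst) == "desktop" and role(r.src) not in RDP_ORIGINS:
            findings.append(
                f"RDP to desktop {r.dst} from {r.src}; only VDM servers may originate RDP")
    return findings


def conforming_rules():
    """Constructed rule set for a Figure 4 style topology."""
    return [
        Rule("external", "any", "dmz", "secsrv-1", PORTS["HTTPS"]),
        Rule("external", "any", "dmz", "secsrv-2", PORTS["HTTPS"]),
        Rule("dmz", "secsrv-1", "internal", "vdm-cs-1", PORTS["JMS"]),
        Rule("dmz", "secsrv-1", "internal", "vdm-cs-1", PORTS["AJP13"]),
        Rule("dmz", "secsrv-1", "internal", "vdi-desk-001", PORTS["RDP"]),
        Rule("internal", "vdm-cs-1", "internal", "vdi-desk-001", PORTS["RDP"]),
    ]


def violating_rules():
    """Constructed rule set with one violation of each constraint."""
    return [
        Rule("external", "any", "dmz", "secsrv-1", PORTS["RDP"]),          # 1: RDP exposed at the edge
        Rule("dmz", "secsrv-1", "internal", "dc-1", 389),                  # 2: security server to AD (LDAP port)
        Rule("internal", "any", "internal", "vdi-desk-002", PORTS["RDP"]),  # 3: desktop RDP from anywhere
    ]
```

Checks like these belong in change review for the firewalls on both sides of the DMZ: the third constraint is what makes the Connection Server the gatekeeper the text describes, and it is the one most easily undone by a broad "allow RDP from the internal network" rule added for convenience.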

VDM LDAP

VDM LDAP is an embedded LDAP directory on each VDM Connection Server Standard and Replica instance. It is used as the configuration repository for all VDM configuration data. VDM LDAP for Windows Server 2003 uses Microsoft Active Directory Application Mode (ADAM). This is an embedded LDAP directory bundled with VDM. It installs the following components that are appropriate for VDM:

- Specific VDM schema definitions
- Directory information tree (DIT) definitions
- Access control lists (ACLs)

VDM LDAP also includes a set of VDM plug-in DLLs to provide automation and notification services for other VDM components.

VDM LDAP contains entries to represent the following configuration items:

- Virtual desktop entries that represent each accessible virtual desktop: This contains references to Foreign Security Principal entries of Windows users and Windows user groups in Active Directory who are authorized to use this desktop.
- Virtual Desktop Pool entries that represent multiple virtual desktops managed together
- Virtual machine entries that represent each virtual desktop
- VDM component configuration entries used to store configuration settings

When a Standard instance is installed during VDM Connection Server installation, a new, local standalone ADAM instance is created. The schema definitions, DIT definition, ACLs, and so on are loaded and initial data is added. Configuration data in VDM LDAP is mainly maintained from VDM Administrator, although VDM Broker also manages some parts automatically.

When a VDM Connection Server Replica instance is installed, an ADAM instance is also created locally, but the initial data is retrieved from an existing instance. This means that the initial data is a copy of an existing instance that includes all configuration settings. During a Replica instance installation, a replication agreement is set up so that all VDM Connection Servers in the group share the same configuration data. LDAP changes on any server are replicated to all other servers. This replication functionality is provided by ADAM, which uses the same replication technology as Active Directory.

VDM Messaging

This component provides the messaging router for communication between VDM Connection Server components and between VDM Agent and VDM Connection Server. It supports the Java Message Service (JMS) API, which is used for messaging in VDM.

VDM Security Server

VDM Security Server is an instance type that is selected when VDM Connection Server is installed. It has a subset of the functionality of a full VDM Connection Server and is used in a DMZ deployment. Figure 7 shows a VDM Security Server and shows the relationship with all other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:

- JMS: 4001
- AJP13: 8009
- HTTP: 80
- HTTPS: 443
- RDP: 3389
- SOAP: 80 or 443

Figure 7. VDM Component Diagram with Security Server
[Figure: elements shown are Windows Client (VDM Client, RDP Client), Linux and Mac Client (browser, VDM Secure GW Client, RDP Client), Thin Client (thin client operating system, RDP Client), a VDM Security Server containing a VDM Secure GW Server, the VDM Connection Server containing VDM Secure GW Server, VDM Messaging, VDM Broker & Admin Server, and VDM LDAP, Admin Console (VDM Administrator), the VirtualCenter Server, and the Virtual Desktop VM with VDM Agent. Protocol labels: HTTP(S) between the clients and the Security Server, RDP, JMS and AJP13 adjacent to the VDM Security Server, and SOAP to VirtualCenter.]

For more information about VDM deployment within a DMZ, see VDM Connection Server DMZ Deployment.

Glossary

A

Active Directory
A Microsoft directory service that stores information about the network operating system and provides services. Active Directory configures and manages users and groups and enables administrators to set security policies, control resources, and deploy programs across an enterprise.

ADAM (Active Directory Application Mode)
An LDAP implementation based on Active Directory.

active session
A live connection from a client or Web Access user to a virtual desktop. An established connection to a virtual desktop that has not timed out.

administrator user interface
The Web-based administrator user interface used to perform configuration and management tasks in VDM. Also known as the VDM Administrator.

agent
See VMware VDM Agent.

B

broker
Also known as a connection broker. The VDM Connection Server is a type of connection broker. See also VMware VDM Connection Server.

C

client
See VMware VDM Client.

connection broker
A server that allows connections between remote users and virtual desktops and provides authentication and session management. The VDM Connection Server is a type of connection broker. See also VMware VDM Connection Server.

connection server
See VMware VDM Connection Server.

D

desktop
See virtual desktop.

desktop virtual machine
See virtual desktop.

desktop pool
A pool of virtual machines that an administrator designates for users or groups of users. See also persistent desktop pool, non-persistent desktop pool.

DMZ (demilitarized zone)
A logical or physical subnetwork that connects internal servers to a larger, untrusted network (usually the Internet) and provides an additional layer of security and gives administrators more control over who can access network resources.

DNS (Domain Name System)
An Internet data query service that translates host names into IP addresses. Also called Domain Name Server or Domain Name Service.

F

FQDN (fully qualified domain name)
The name of a host, including both the host name and the domain name. For example, the FQDN of a host named esx1 in the domain vmware.com is esx1.vmware.com.

G

guest
See guest operating system.

guest operating system
An operating system that runs inside a virtual machine.

H

high availability
A system design approach that ensures a degree of operational continuity.

L

load balancing
A technique used for distributing processes across servers so that the traffic load is spread more evenly and servers do not become overloaded.

N

non-persistent desktop pool
A desktop pool in which users are not assigned to a specific desktop. When users log off or are timed out of a desktop, their desktops are returned to the pool and made available to other users. Users should not save data or files to their desktops when using a non-persistent pool.

P

persistent desktop pool
A desktop pool in which users are assigned to a specific desktop. Users log on to the same desktop every time and their data is preserved when they log off. Users can save data and files to their desktops when using a persistent pool.

R

RDP (remote desktop protocol)
A multichannel protocol that allows a user to connect to a computer remotely.

RSA SecurID
A product from RSA that provides strong two-factor authentication using a password and an authenticator.

S

security server
A VDM Connection Server deployment that adds a layer of security between the Internet and the internal network. Security Server is an option that you choose during VDM Connection Server installation. See also DMZ (demilitarized zone).

T

thin client
A device that allows a user to access virtual desktops but requires little memory or disk drive space. Application software, data, and CPU power reside on a network computer and not on the client device.

V

VMware VDM Agent
Installed on the guest, the VDM Agent enables communication between the desktop virtual machine, the VDM Connection Server, and end users who access virtual desktops by using VDM Web Access or VDM Clients.

VMware VDM Client
A Windows-based application used for accessing virtual desktops.

VMware VDM Connection Server
A connection broker that provides management and user authentication for virtual desktops. The VDM Connection Server directs incoming remote desktop user requests to the appropriate virtual desktop.

VMware VDM Web Access
Web browser-based application for accessing virtual desktops. End users who run supported Windows, Linux, or Macintosh operating systems can access virtual desktops by using VDM Web Access.

virtual desktop
A desktop operating system that runs on a virtual machine. A virtual desktop is indistinguishable from any other computer running the same operating system.

VMware Virtual Desktop Infrastructure
The VMware desktop infrastructure solution that consists of VMware ESX Server, VMware VirtualCenter, and VMware Virtual Desktop Manager. VDI provides an end-to-end virtual desktop solution that allows administrators to easily deploy and manage virtual desktop environments.

W

web access
See VMware VDM Web Access.
