Manager
You can find the most up-to-date technical documentation on our Web site at
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242,
6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022,
6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481,
7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999,
7,278,030, 7,281,102, and 7,290,253; patents pending.
VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names
mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents
Introduction to Virtual Desktop Manager
Introduction
Features
VDM Overview
VDM User Authentication
VDM Extended USB Device Redirection
VDM Secure Access
VDM Virtual Desktop Pool Management
VDM High Availability and Scalability
VDM Connection Server DMZ Deployment
VDM Connection Server Components
VDM Broker
VDM Secure Gateway Server
VDM LDAP
VDM Messaging
VDM Security Server
Glossary
VMware Virtual Desktop Manager 2 (VDM) is a key component in the VMware Virtual
Desktop Infrastructure (VDI) solution. VDM is an enterprise-class virtual desktop
manager that securely connects authorized users to centralized virtual desktops. It
works with VMware Virtual Infrastructure 3 to provide a complete, end-to-end VDI
solution that improves control and manageability and provides a familiar desktop
experience.
The benefits of VDI with VDM include the following:
Control and manageability in a single product - Administrators can more easily
provision, manage, and maintain desktops because the desktops are running in the
datacenter.
Familiar end-user experience - Users get flexible access to a personalized, virtual
desktop that behaves just like their PC desktops.
VMware Infrastructure 3 integration - VDI extends the benefits of VMware
Infrastructure 3 to the desktop by leveraging the backup, failover, and disaster
recovery capabilities of VMware Infrastructure 3.
Lower total cost of ownership (TCO) - By reducing administration and energy
costs and extending the useful life of PCs, VDI delivers lower TCO.
Features
The features of VDM in VDI include the following:
Enterprise-class connection brokering - VDM manages the connections between
users and their virtual desktops. When users log in to VDM, the virtual desktops
they are authorized to access appear. After connecting to a virtual desktop, users
access their applications as if the applications are running locally.
USB client device support - USB devices can be locally connected to clients and
accessed through a virtual desktop.
Web-based management user interface - A Web-based management console
allows virtual desktops to be managed from any location.
Smart pooling capabilities - A range of persistent and non-persistent pooling
capabilities simplifies the provisioning and management of centralized desktops.
Secure access - Optional secure encapsulation capabilities allow all network
connections to be encrypted.
Integration with Microsoft Active Directory - Connection to Active Directory,
which allows you to locate user and user group accounts and use the
authentication features in Active Directory to control which users can access
virtual desktops.
Support for two-factor authentication - With RSA SecurID, access control is
strengthened.
Seamless integration with VMware Virtual Infrastructure 3 - Works closely with
VMware VirtualCenter to provide advanced virtual desktop management
capabilities, such as automatic suspend and resume, which reduces the memory
and processing power required to host virtual desktops. By leveraging the
capabilities of VMware Virtual Infrastructure 3, desktops can run even when
server hardware fails and recover quickly from unplanned outages without
duplicate hardware.
Flexible deployment options - Critical components can be deployed in a variety
of configurations and to different parts of the network, which improves security,
scalability, and reliability. Multiple VirtualCenter servers are supported, and VDM
can scale horizontally to support many virtual desktops.
High availability - Servers can be clustered for high availability and scalability
with automatic failover. These servers can also leverage industry-standard
load-balancing solutions.
VDM Overview
VDM includes the following key components:
VDM Connection Server
VDM Agent
VDM Client
VDM Web Access
VDM Administrator
Figure 1 shows the physical topology of a VDI infrastructure with VDM and shows the
relationship between the main VDM components.
Figure 1. Physical Topology of VMware VDI Infrastructure with VDM
[Figure 1 labels: Windows (VDM Client); Linux (VDM Web Access); Mac (VDM Web Access); Thin Client; network; VDM Administrator (browser); VDM Connection Server; Microsoft Active Directory; VirtualCenter Management Server; virtual desktops (VMs with desktop OS and apps)]
Standard - This instance appears in Figure 1. It provides standalone functionality
and is used as the only VDM Connection Server (or the first of a group of VDM
Connection Servers that act as part of a high-availability, fully replicated group).
Replica - This instance is installed as a second or subsequent VDM server in a
high-availability group. Configuration data is initialized from an existing VDM
server and is automatically replicated between VDM group members.
Security Server - This instance implements a subset of the VDM Connection
Server functionality and is used in a demilitarized zone (DMZ) deployment. A
VDM Security Server does not need to be in an Active Directory domain. The
Standard and Replica instances automatically include the Security Server
functionality.
The instance type is selected during VDM Connection Server installation.
High availability and DMZ deployments of VDM Connection Server using Replica and
Security Server instances are described in VDM Connection Server DMZ Deployment.
Configuration data is stored in an embedded LDAP directory on each Standard and
Replica instance.
VDM Agent
This component runs on each virtual desktop and is used for session management and
single sign-on. With VDM Client, this component supports optional USB device
redirection. This agent can be installed on a virtual machine template so that virtual
desktops created from that template automatically include the VDM Agent.
Place virtual desktops in an Active Directory domain that is one of the following:
The same domain to which the VDM Connection Servers are joined
A domain with a trust agreement with the VDM Connection Server domain
When users connect to their virtual desktops, they are automatically logged in using
the same credentials they use to log in to their domain. The single sign-on capability can
be disabled in VDM Agent, which means that users are always required to log on to the
virtual desktop manually. If the virtual desktop is not part of a domain or is part of a
domain with which no trust agreement exists, single sign-on is not available, and the
user must manually log in to the virtual desktop.
VDM Client
This component runs on a Windows PC as a native Windows application and allows
users to connect to their virtual desktops through VDM. This component connects to a
VDM Connection Server and allows the user to log on using any of the supported
authentication mechanisms. After logging in, users can select from the list of virtual
desktops for which they are authorized. This step provides remote access to their
virtual desktop and provides users with a familiar desktop experience.
VDM Client also works closely with VDM Agent to provide enhanced USB support.
Basic USB support (such as USB drives and USB printers) is supported without VDM
USB support, but VDM extends this support to include additional USB devices. You
can specify VDM USB support in VDM Client during the installation.
VDM Web Access
This component is similar to VDM Client but provides a VDM user interface through a
Web browser. VDM Web Access is included automatically during the VDM
Connection Server installation. VDM Web Access is supported on Linux and Mac OS/X,
but this Web access does not support VDM USB extensions. All necessary VDM
software is installed automatically on the client through the Web browser. VDM Web
Access on Linux uses rdesktop and on Mac OS/X uses Microsoft Remote Desktop
Connection Client for Mac.
VDM Web Access can also be used on a Windows client with VDM Client. A user
obtains the required software on their client device by accessing a VDM Connection
Server with a Web browser. If the VDM Client software is installed with USB support
by a user with administrative rights, VDM Web Access on Windows has complete
VDM USB support.
VDM Administrator
This component provides VDM administration through a Web browser. It is used by
VDM administrators to do the following:
Make configuration settings
Manage virtual desktops and entitlements of desktops of Windows users and
groups
VDM Administrator also provides an interface to monitor log events on a VDM Server
and is installed with VDM Connection Server. For more information about the VDM
Connection Server components and their relationship with other VDM components,
see VDM Connection Server Components.
By authenticating users against an existing Active Directory, an organization can
simplify the operational management of VDM by ensuring that the management of
user accounts is handled in one place. If a user account is disabled in Active Directory,
that user cannot log in to VDM. Policies, such as restricting permitted hours of login
and the expiration date for passwords, are also handled through existing Active
Directory operational procedures.
Figure 2 shows the physical topology diagram for VDM with an additional server used
to authenticate RSA SecurID users. The RSA Authentication Manager is shown as a
single server, but for high-availability deployments, you need multiple servers.
Figure 2. VDM RSA SecurID Authentication with RSA Authentication Manager
[Figure 2 labels: Client; network; VDM Administrator; VDM Connection Server; Microsoft Active Directory; RSA Authentication Manager; VirtualCenter Management Server]
When users enter their RSA SecurID credentials, VDM Connection Server
communicates with RSA Authentication Manager to verify the information. After the
credentials are verified, VDM Connection Server requests Active Directory domain
credentials from the user and communicates with Active Directory to continue the
authentication process.
Some devices, such as printers, local USB flash drives, and smart cards, can be
forwarded to the virtual desktop using standard Microsoft Remote Desktop Protocol
(RDP). But VDM Client USB redirection extends the range of usable devices and the
functionality of some devices beyond that provided by RDP. For example, sound can
be brought to the local machine using RDP, but disabling this feature and using VDM
USB redirection allows you to use VoIP devices.
VDM USB redirection is initiated after the user is authenticated. Because of this, smart
card forwarding is limited to RDP functionality so that smart cards can be used to
authenticate the virtual desktop session. As a result, these devices do not appear in the
VDM Client devices menu. Human interface devices (HIDs), such as a keyboard or a
mouse, are also filtered from the USB device list because these devices are required
locally and function without being forwarded or redirected.
RDP forwarding and VDM USB redirection can be governed through Active Directory
Group Policy and VDM Administrator. Using VDM USB redirection requires VDM
Client, VDM Agent, and the user to have administration rights on the VDM Client and
the VDM Agent operating systems.
The RDP Protocol is tunneled through HTTPS and is encrypted using SSL -
This is a powerful security protocol and is consistent with the security provided by
other secure Web sites like those used for online banking, credit card payments,
and so on.
One HTTPS connection is used for all client-server communication - Multiple
desktop connections are multiplexed over this HTTPS connection, which reduces
the overall protocol overheads.
VDM controls both ends of this HTTPS connection, so the reliability of the
underlying protocols is significantly improved - If a user temporarily loses a
network connection, after it is restored, the HTTPS connection is reestablished and
the RDP connections automatically resume without having to reconnect and log in
again.
VDM is accessed using standard Web protocols, so it can be easily accessed
through corporate proxies - In a standard deployment of just VDM Connection
Servers, the HTTPS secure connection terminates at the VDM Connection Server
and in a DMZ deployment, at the VDM Security Server. See VDM Connection
Server DMZ Deployment.
VDM Connection Server can be configured to not use a secure connection, so that RDP
communication is direct from the client device to the virtual desktop.
Individual desktops - These are existing virtual desktops that are available
through VDM. The pool manager can control the power state of these virtual
desktops.
Persistent desktop pool - This type is a pool of virtual desktops whose lifecycle
and power state are controlled by the pool manager. Persistent virtual desktops are
assigned to their user on the first use, so the user returns each time to the same
virtual desktop. This type of pool is used when users want to customize their
desktops by installing additional applications and storing local data.
Non-persistent desktop pool - Similar to a persistent desktop pool, except in this
case the virtual desktops are not permanently assigned to users. When a session is
finished, the virtual desktop is returned to the pool and made available for other
users.
By deleting the virtual desktops after each use, this type of pool ensures that each
user receives a newly provisioned virtual desktop each time the user connects
(optional). Use this type of pool where a clean machine is needed for each user
session or in highly controlled environments that have no requirement for
customization to be stored on the virtual desktop.
The two types of desktop pool are sized using the following parameters:
Minimum - The minimum number of virtual desktops to be created when the pool
is first created. The pool manager continues to create virtual desktops until this
minimum count is reached. This process ensures that a pool is appropriately sized
when a user population is moved to VDM.
Maximum - The maximum number of virtual desktops that can exist in the pool.
Use this parameter to limit the number of virtual desktops in the pool to avoid
overusing available resources.
Available - The number of virtual desktops that are available for immediate use.
For persistent pools, this parameter relates only to the unassigned virtual
desktops. This is used to ensure that the pool manager creates enough virtual
desktops in advance to cope with demand. Use a higher number for more volatile
environments.
When a pool contains too few virtual desktops, the manager provisions new virtual
desktops from a designated template. These virtual desktops can also be automatically
customized (for example, named and made part of an Active Directory domain) or be
left for an administrator to manually configure.
Power management is applied to all virtual desktops under VDM control, and the
following policies are supported:
Remain on - After a virtual desktop is started, VDM does not power it down. If a
virtual desktop is powered down, for example using the VirtualCenter client,
VDM automatically starts it when it is needed.
Always powered on - VDM ensures that any virtual desktop with this policy
applied is powered on all the time. If a virtual desktop is powered down, VDM
immediately powers it up again.
Suspend when not in use - If a virtual desktop is not required, it is suspended.
This policy is applied to individual and assigned persistent virtual desktops when
the user logs off. It is also applied to non-persistent virtual desktops when there are
too many available virtual desktops. For example, this can be triggered by a virtual
desktop being returned to the pool when a user logs out.
Power off when not in use - If a virtual desktop is not required, it is powered off.
This is just like the Suspend when not in use policy, except that the virtual
desktop is completely powered off.
VDM supports individual and pooled desktops on multiple VirtualCenter instances. A
pool cannot span VirtualCenters, but VDM can manage multiple pools across multiple
VirtualCenters. VDM limits the number of provisioning and power operations that can
be concurrently active for each VirtualCenter to ensure that the rate of operations is not
excessive. These limits are applied across all pools and desktops for each VirtualCenter.
In a multi-broker environment, the VDM Connection Servers cooperate with each other
to enforce these limits and to perform the pool management operations.
Figure 3 shows two VDM Connection Servers operating as a group. To automatically
use both VDM Connection Servers and support high availability and scalability needs,
deploy load balancing. This ensures that load is balanced evenly across the available
VDM Connection Servers and that failed servers are automatically avoided. VDM
Connection Server does not provide load-balancing functionality but works with
standard third-party load-balancing solutions.
Figure 3. Multiple VDM Connection Servers
[Figure 3 labels: Client; network; load balancing; VDM Connection Servers; Microsoft Active Directory; VirtualCenter Management Server]
The load-balancing requirements for VDM Connection Server are to support standard
HTTP and HTTPS load balancing with session affinity. Load-balancing solutions for
VDM Connection Server can include Microsoft Network Load Balancing (NLB),
standard hardware-based load balancers, or virtual appliance load balancers that can
operate on ESX Server.
Users in a load-balanced VDM Connection Server environment use a load-balanced
URL to make the connection. This is an alias URL used by the load balancer to direct
the connection to any of the available VDM Connection Servers in the group.
Figure 4 shows a high-availability environment comprising two load-balanced VDM
Security Servers in the DMZ working with two full VDM Connection Servers (Standard
and Replica instance) in the secure network.
Figure 4. DMZ Deployment with Multiple VDM Connection Servers
[Figure 4 labels: Remote Client; external network; DMZ; load balancing; VDM Security Servers; VDM Connection Servers; Microsoft Active Directory; VirtualCenter Management Server]
VDM Security Servers do not contain an LDAP configuration repository and do not
access any authentication repositories (Active Directory or RSA Authentication
Manager). When remote users connect using a VDM Security Server, they must
successfully authenticate before a secure connection is established. This means they
cannot attempt to access any virtual desktops until they are successfully authenticated.
With appropriate firewall rules on both sides of the DMZ, this type of deployment is
suitable for accessing virtual desktops from Internet-located client devices.
To support remote VDM Client and VDM Web Access connecting to the environment
using HTTPS from an external network, the only TCP port that must be allowed in the
DMZ is the HTTPS port (TCP port 443). VDM Security Servers do not need to be part
of an Active Directory domain, and no communication occurs between VDM Security
Servers and Active Directory.
Although Figure 4 shows a one-to-one relationship between VDM Security Servers and
VDM Connection Servers, multiple VDM Security Servers can be connected to each
VDM Connection Server. A DMZ deployment can be combined with a standard
deployment to offer VDM access for internal users and external users.
Figure 5 shows a more complex environment where four VDM Connection Servers act
as one group with the servers in the internal network dedicated to the users of that
network, and the servers in the external network dedicated to users of that network.
The servers on the right can be enabled for RSA SecurID authentication, so that all
external network users are required to authenticate using RSA SecurID tokens.
Figure 5. DMZ Deployment with Internal Network Access
[Figure 5 labels: remote Client; external network; DMZ; load balancing; VDM Security Servers; Client; internal network; load balancing; VDM Connection Servers; Microsoft Active Directory; VirtualCenter Management Server]
Protocol   Port
JMS        4001
HTTP       80
HTTPS      443
RDP        3389
SOAP       80 or 443
Figure 6. VDM Components
[Figure 6 labels: Windows Client; Thin Client; browser; thin client operating system; RDP Client; VDM Client; VDM Secure GW Client; HTTP(S); RDP; Admin Console; VDM Administrator; VDM Secure GW Server; VDM Messaging; VirtualCenter Server; VirtualCenter; VDM LDAP; JMS; VDM Agent; Virtual Desktop VM]
VDM Broker
VDM Broker is the core of VDM Connection Server. It is responsible for all user
interaction between the client (VDM Client, VDM Web Access, and Thin Client) and the
VDM Connection Server.
VDM Broker provides the following:
User authentication
User desktop entitlements with VDM LDAP
Virtual desktop session management
Coordination of the secure connection establishment, virtual desktop
connection, and single sign-on
Administration server used by VDM Administrator Web client
Virtual desktop pool management
VDM Broker operates closely with VirtualCenter to provide advanced management of
virtual desktops. This includes virtual desktop creation as part of pool management
and power operations, such as automatic suspend and resume.
VDM Secure Gateway Server is also responsible for forwarding other Web traffic (such
as authentication traffic, user desktop selection traffic, and so on) to the VDM Broker
from the VDM clients. VDM Administrator Web traffic is passed by VDM Secure
Gateway Server to the VDM Broker.
VDM LDAP
VDM LDAP is an embedded LDAP directory on each VDM Connection Server
Standard and Replica instance. It is used as the configuration repository for all VDM
configuration data. VDM LDAP for Windows Server 2003 uses Microsoft Active
Directory Application Mode (ADAM). This is an embedded LDAP directory bundled
with VDM. It installs the following components that are appropriate for VDM:
Specific VDM schema definitions
Directory information tree (DIT) definitions
Access control lists (ACLs)
VDM LDAP also includes a set of VDM plug-in DLLs to provide automation and
notification services for other VDM components.
VDM LDAP contains entries to represent the following configuration items:
Virtual desktop entries that represent each accessible virtual desktop - This
contains references to Foreign Security Principal entries of Windows users and
Windows user groups in Active Directory who are authorized to use this desktop.
Virtual Desktop Pool entries that represent multiple virtual desktops managed
together
Virtual machine entries that represent each virtual desktop
VDM component configuration entries used to store configuration settings
When a Standard instance is installed during VDM Connection Server installation, a
new, local standalone ADAM instance is created. The schema definitions, DIT
definition, ACLs, and so on are loaded and initial data is added. Configuration data in
VDM LDAP is mainly maintained from VDM Administrator, although VDM Broker
also manages some parts automatically.
When a VDM Connection Server Replica instance is installed, an ADAM instance is
also created locally, but the initial data is retrieved from an existing instance. This
means that the initial data is a copy of an existing instance that includes all
configuration settings. During a Replica instance installation, a replication agreement
is set up so that all VDM Connection Servers in the group share the same configuration
data. LDAP changes on any server are replicated to all other servers. This replication
functionality is provided by ADAM, which uses the same replication technology as
Active Directory.
VDM Messaging
This component provides the messaging router for communication between VDM
Connection Server components and between VDM Agent and VDM Connection
Server. It supports the Java Message Service (JMS) API, which is used for messaging in
VDM.
Protocol   Port
JMS        4001
AJP13      8009
HTTP       80
HTTPS      443
RDP        3389
SOAP       80 or 443
Figure 7. VDM Component Diagram with Security Server
[Figure 7 labels: Windows Client; Thin Client; browser; thin client operating system; RDP Client; VDM Client; VDM Secure GW Client; HTTP(S); RDP; VDM Secure GW Server (Security Server); JMS; AJP13; VDM Administrator; VDM Secure GW Server; VDM Messaging; Admin Console; VirtualCenter Server; VirtualCenter; VDM LDAP; VDM Agent; Virtual Desktop VM]
For more information about VDM deployment within a DMZ, see VDM Connection
Server DMZ Deployment.
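The DMZ deployment section states that HTTPS (TCP port 443) is the only port that must be allowed in from the external network and that VDM Security Servers never communicate with Active Directory. The following Python is an added example, not part of the original VMware document or product, that audits a firewall rule export against those statements. The zone names, the one-line rule format, and the back-side allow-list (read from the port list above) are assumptions.

```python
"""Audit firewall rules against the VDM Security Server DMZ guidance (added example)."""
from typing import NamedTuple

# Front side: the document says HTTPS (TCP 443) is the only port required from outside.
FRONT_ALLOWED = {443}
# Back side: ASSUMPTION taken from the document's port list for the Security Server
# diagram (JMS 4001, AJP13 8009, RDP 3389). Confirm against your own deployment.
BACK_ALLOWED = {4001, 8009, 3389}


class Rule(NamedTuple):
    action: str  # "allow" or "deny"
    src: str     # zone names are assumptions: external, dmz, internal, ad
    dst: str
    port: int    # TCP destination port


def parse_rules(text: str) -> list:
    """Parse the constructed line format '<action> <src-zone> <dst-zone> <port>'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            action, src, dst, port = line.split()
            rules.append(Rule(action, src, dst, int(port)))
    return rules


def audit(rules) -> list:
    """Return (rule, finding) pairs; rule is None when a required rule is missing."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "external" and r.dst == "dmz":
            if r.port not in FRONT_ALLOWED:
                findings.append((r, "front-extra-port"))  # only 443 is needed
        elif r.src == "external":
            findings.append((r, "bypasses-dmz"))          # skips the Security Server
        elif r.src == "dmz" and r.dst == "ad":
            findings.append((r, "dmz-to-ad"))             # Security Servers never use AD
        elif r.src == "dmz" and r.dst == "internal" and r.port not in BACK_ALLOWED:
            findings.append((r, "back-extra-port"))
    if Rule("allow", "external", "dmz", 443) not in rules:
        findings.append((None, "missing-front-https"))    # remote clients cannot connect
    return findings


# Constructed sample rule set for illustration only.
SAMPLE_RULES = """
allow external dmz 443        # HTTPS to the Security Servers
allow external dmz 80         # plain HTTP, not required from outside
allow external internal 3389  # RDP straight to a desktop
allow dmz internal 8009
allow dmz internal 4001
allow dmz internal 3389
allow dmz ad 389              # LDAP from the DMZ
allow dmz internal 445
deny  external dmz 3389
"""

if __name__ == "__main__":
    for rule, finding in audit(parse_rules(SAMPLE_RULES)):
        print(finding, rule)
```

The audit treats each rule independently and does not model rule ordering, so a flagged allow rule may already be shadowed by an earlier deny on a real firewall.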
Glossary
Active Directory
A Microsoft directory service that stores information about the network operating
system and provides services. Active Directory configures and manages users and
groups and enables administrators to set security policies, control resources, and
deploy programs across an enterprise.
ADAM (Active Directory Application Mode)
An LDAP implementation based on Active Directory.
active session
A live connection from a client or Web Access user to a virtual desktop. An
established connection to a virtual desktop that has not timed out.
administrator user interface
The Web-based administrator user interface used to perform configuration and
management tasks in VDM. Also known as the VDM Administrator.
agent
See VMware VDM Agent.
broker
Also known as a connection broker. The VDM Connection Server is a type of
connection broker. See also VMware VDM Connection Server.
client
See VMware VDM Client.
connection broker
A server that allows connections between remote users and virtual desktops and
provides authentication and session management. The VDM Connection Server is
a type of connection broker. See also VMware VDM Connection Server.
connection server
See VMware VDM Connection Server.
desktop
See virtual desktop.
desktop virtual machine
See virtual desktop.
desktop pool
A pool of virtual machines that an administrator designates for users or groups of
users. See also persistent desktop pool, non-persistent desktop pool.
DMZ (demilitarized zone)
A logical or physical subnetwork that connects internal servers to a larger,
untrusted network (usually the Internet) and provides an additional layer of
security and gives administrators more control over who can access network
resources.
DNS (Domain Name System)
An Internet data query service that translates host names into IP addresses. Also
called Domain Name Server or Domain Name Service.
FQDN (fully qualified domain name)
The name of a host, including both the host name and the domain name. For example,
the FQDN of a host named esx1 in the domain vmware.com is esx1.vmware.com.
guest
See guest operating system.
guest operating system
An operating system that runs inside a virtual machine.
high availability
A system design approach that ensures a degree of operational continuity.
load balancing
A technique used for distributing processes across servers so that the traffic load is
spread more evenly and servers do not become overloaded.
non-persistent desktop pool
A desktop pool in which users are not assigned to a specific desktop. When users
log off or are timed out of a desktop, their desktops are returned to the pool and
made available to other users. Users should not save data or files to their desktops
when using a non-persistent pool.
persistent desktop pool
A desktop pool in which users are assigned to a specific desktop. Users log on to
the same desktop every time and their data is preserved when they log off. Users
can save data and files to their desktops when using a persistent pool.
RDP (remote desktop protocol)
A multichannel protocol that allows a user to connect to a computer remotely.
RSA SecurID
A product from RSA that provides strong two-factor authentication using a
password and an authenticator.
security server
A VDM Connection Server deployment that adds a layer of security between the
Internet and the internal network. Security Server is an option that you choose
during VDM Connection Server installation. See also DMZ (demilitarized zone).
thin client
A device that allows a user to access virtual desktops but requires little memory or
disk drive space. Application software, data, and CPU power reside on a network
computer and not on the client device.
VMware VDM Agent
Installed on the guest, the VDM Agent enables communication between the
desktop virtual machine, the VDM Connection Server, and end users who access
virtual desktops by using VDM Web Access or VDM Clients.
VMware VDM Client
A Windows-based application used for accessing virtual desktops.
VMware VDM Connection Server
A connection broker that provides management and user authentication for virtual
desktops. The VDM Connection Server directs incoming remote desktop user
requests to the appropriate virtual desktop.
VMware VDM Web Access
Web browser-based application for accessing virtual desktops. End users who run
supported Windows, Linux, or Macintosh operating systems can access virtual
desktops by using VDM Web Access.
virtual desktop
A desktop operating system that runs on a virtual machine. A virtual desktop is
indistinguishable from any other computer running the same operating system.
VMware Virtual Desktop Infrastructure
The VMware desktop infrastructure solution that consists of VMware ESX Server,
VMware VirtualCenter, and VMware Virtual Desktop Manager. VDI provides an
end-to-end virtual desktop solution that allows administrators to easily deploy
and manage virtual desktop environments.
web access
See VMware VDM Web Access.