Install, Configure, Manage
Student Guide
(1 of 2)
HL273S A.00
These materials, developed and copyrighted by VMWare, Inc., are licensed to Hewlett-Packard
Company for customer delivery. Restrictions on use and reproduction are described on the VMWare
legal page.
The information contained herein is subject to change without notice. The only warranties for HP
products and services are set forth in the express warranty statements accompanying such products
and services. Nothing herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
UNIX is a registered trademark of The Open Group.
Export Compliance Agreement
Export Requirements. You may not export or re-export products subject to this agreement in violation
of any applicable laws or regulations.
Without limiting the generality of the foregoing, products subject to this agreement may not be
exported, re-exported, otherwise transferred to or within (or to a national or resident of) countries
under U.S. economic embargo and/or sanction including the following countries:
Cuba, Iran, North Korea, Sudan and Syria.
This list is subject to change.
In addition, products subject to this agreement may not be exported, re-exported, or otherwise
transferred to persons or entities listed on the U.S. Department of Commerce Denied Persons List;
U.S. Department of Commerce Entity List (15 CFR 744, Supplement 4); U.S. Treasury Department
Designated/Blocked Nationals exclusion list; or U.S. State Department Debarred Parties List; or to
parties directly or indirectly involved in the development or production of nuclear, chemical, or
biological weapons, missiles, rocket systems, or unmanned air vehicles as specified in the U.S.
Export Administration Regulations (15 CFR 744); or to parties directly or indirectly involved in the
financing, commission or support of terrorist activities.
By accepting this agreement you confirm that you are not located in (or a national or resident of)
any country under U.S. embargo or sanction; not identified on any U.S. Department of Commerce
Denied Persons List, Entity List, US State Department Debarred Parties List or Treasury Department
Designated Nationals exclusion list; not directly or indirectly involved in the development or
production of nuclear, chemical, biological weapons, missiles, rocket systems, or unmanned air
vehicles as specified in the U.S. Export Administration Regulations (15 CFR 744), and not directly or
indirectly involved in the financing, commission or support of terrorist activities.
Printed in US
VMware View 5.0: Install, Configure, Manage
Student guide part 1
January 2012
VMware View:
Install, Configure, Manage
Student Manual Volume 1
View 5.0
Part Number EDU-ENG-VICM5-LEC1-STU
Revision A
Copyright/Trademark
Copyright 2011 VMware, Inc. All rights reserved. This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States
and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of
their respective companies.
The training material is provided as is, and all express or implied conditions,
representations, and warranties, including any implied warranty of merchantability, fitness for
a particular purpose or noninfringement, are disclaimed, even if VMware, Inc., has been
advised of the possibility of such claims. This training material is designed to support an
instructor-led training course and is intended to be used for reference purposes in conjunction
with the instructor-led training course. The training material is not a standalone training tool.
Use of the training material for self-study without class attendance is not recommended.
These materials and the computer programs to which it relates are the property of, and
embody trade secrets and confidential information proprietary to, VMware, Inc., and may not
be reproduced, copied, disclosed, transferred, adapted or modified without the express
written approval of VMware, Inc.
www.vmware.com/education
TABLE OF CONTENTS
MODULE 1
Course Introduction
Importance
Learner Objectives
You Are Here
Typographical Conventions
Housekeeping Items
MODULE 2
MODULE 3
MODULE 4
MODULE 5
MODULE 6
MODULE 1
Course Introduction
Slide 1-1
Importance
Slide 1-2
Learner Objectives
Slide 1-3
Course Introduction
Introduction to View
Local-Mode Desktops
VMware ThinApp
Typographical Conventions
Slide 1-5
Monospace bold
Boldface
Italic
<filename>
Placeholders:
<ESXi_host_name>
You can find course timing suggestions in the file View5ICM_class_timings_RevA.xlsx. An estimated time for each lab
exercise is also included as an instructor note at the end of the lab.
Housekeeping Items
Slide 1-6
Sign-in sheet
Daily start and end times
Restrooms
Fire exits
Meals
Class introductions
Questions
MODULE 2
Introduction to VMware View
Slide 2-1
Course Introduction
Introduction to View
Local-Mode Desktops
VMware ThinApp
Importance
Slide 2-3
Learner Objectives
Slide 2-4
VMware vSphere
Slide 2-5
[Slide figure: VMware vSphere (VMware ESX/ESXi) serving existing and future applications. Application Services: Availability (vMotion, Storage vMotion, HA, Fault Tolerance, Data Recovery); Security (vShield Zones, VMSafe); Scalability (DRS, Hot Add). Infrastructure Services: Compute; Storage (VMFS, Thin Provisioning, Storage I/O Control); Network (Distributed Switch, Network I/O Control). Public Cloud.]
The VMware vSphere product family is designed for building and managing virtual
infrastructures. It consists of VMware ESX/ESXi and VMware vCenter Server (used for
configuration and management). Many features that are essential for a virtual desktop infrastructure
are available in vCenter Server. For example, the vCenter Server system is used to manage the
deployment of virtual machines by using templates and cloning. Cloning is a key feature for virtual
desktop deployment.
VMware View:
VMware View is different than VMware Virtual Desktop Infrastructure, but it relies on many
aspects of VDI operating on the vSphere platform.
Major characteristics of VDI include:
Any guest operating system that is supported by ESX/ESXi can be used as a desktop. As a
result, if your enterprise uses Windows, Ubuntu, Red Hat, or Solaris x86 desktops, you can use
those in a virtual environment.
A vCenter Server system can manage resources and help deploy desktops. Components like
vSphere Distributed Resource Scheduler (DRS), vSphere High Availability, and VMware
vSphere vMotion are available for resource management, load balancing, and high
availability. vCenter Server features like templates can be used to help deploy virtual desktops.
Various connection brokers can be used. A connection broker (also called a connection server)
automates the connection of client PCs to a virtual desktop. Some connection brokers can allow
a user to connect to any one of several identical desktops in a pool of desktops. This situation is
ideal for environments like help desks, kiosks, and departments where everyone needs the same
desktop.
Any remote protocol can be used: Virtual Network Computing (VNC), Remote Desktop
Protocol (RDP), Independent Computing Architecture (ICA), or X Window System. Anything
that is built on the TCP/IP protocol can be used to connect a remote client to a virtual desktop.
Windows systems normally use Microsoft RDP. Citrix systems use ICA. UNIX and Linux
systems can use SSH, VNC, or X Window System (sometimes in combination).
View is the VMware solution for a virtual desktop infrastructure. As such, it relies on VDI elements
but necessarily focuses on certain features and capabilities. Major features include:
View offers two display protocols for remote access: PCoIP and RDP.
What Is View?
Slide 2-7
Unmanaged desktops
Local Mode
The term universal client describes a new desktop or personal computing model. Users want to
access applications, data, and workspaces in a personalized and dedicated manner, from anywhere,
anytime, using any device. The old model of tightly coupled applications, operating systems, and
hardware is not efficient, secure, or adaptable. And end users want applications that can be accessed
from multiple devices anywhere, anytime. Enterprises need to provide access to applications and
data that are independent of devices or location, in a secure and controlled model.
End users want MyView: a single familiar view of all their applications and data, independent of
the device.
View is a universal client solution that enables you to manage operating systems, hardware,
applications, and users independently of one another, wherever they might reside. View streamlines
desktop and application management, reduces costs, and increases data security through
centralization, resulting in greater end-user flexibility and IT control. By encapsulating the operating
system, applications, and user data into isolated layers, View enables IT staff to change, update, and
deploy each layer independently for greater business agility. View enables customers to extend the
value of vSphere and its enterprise-class features (high availability, disaster recovery, and business
continuity) to the desktop.
With View, you get vSphere software, which includes vCenter Server. A View Premier bundle
includes:
View Connection Server
View Composer
View Connection Server is an enterprise-class desktop management server that securely connects
users to desktops running on vSphere virtual machines, physical PCs, blade PCs, or Microsoft
Terminal Services. With View Connection Server, rolling out desktops and applications to existing
users, new users, or groups is fast. It is done from a single Web-based management console in a
centralized location.
View Composer works with View Connection Server and vCenter Server. View Composer enables
scalable management of virtual desktops that are provisioned from a single master image. It reduces
storage cost by using VMware linked-clone technology. It streamlines desktop management by
enabling automatic updating and patching of hundreds of images from the master image.
vShield Endpoint enables offloading and centralizing antivirus and antimalware solutions for
desktops. It also provides the ability to integrate with antivirus solutions from third-party partners.
(vShield Endpoint is not a View component, but it is included with a View Premier license.)
View Client with Local Mode works with View Connection Server. It provides designated end users
the ability to download (or check out) their virtual desktop onto a Windows desktop or laptop,
update files locally, and check the desktop back in to the datacenter for resynchronization.
Administrators have the ability to extend the security and encryption policies of the datacenter to the
end user's local computer.
Application virtualization with ThinApp further streamlines the management of applications.
ThinApp enables organizations to create fewer desktop images by developing a basic image and
allowing after-the-fact deployment of applications into those images, with no retesting needed of
those images. Fewer View desktop images means fewer images to configure, test, and maintain.
(ThinApp is not a View component but is available as part of a View Premier license bundle.)
Additional components that are necessary for a View deployment are a vCenter Server system and
Microsoft Active Directory (AD), both of which are shown on the slide.
The slide is key because it is the only one that shows all the View components and ThinApp in context. The
relationships among the components are confusing the first time through, so spend adequate time explaining each and
their interaction. Recommendation: Discuss the elements on the slide, but defer details until later slides. After you
have discussed the major components, return to the slide and talk through a few possible scenarios. Examples
include (1) creating a desktop using templates, (2) creating desktops using linked clones, (3) accessing a desktop from
a client, (4) managing desktops or pools, and (5) using ThinApp to virtualize an application.
Key Benefits
Slide 2-8
Creates an individual, personal view of all of a user's applications and data on any device from any location
Unmanaged desktops
Local Mode
Decreased power consumption
View enables IT organizations to decouple a desktop from specific physical devices or locations.
View creates a universal client that has an individual, personal view of a user's applications and
data. The client devices can be Windows and Mac laptops or desktops, Apple iPads, and Android-based tablets, usable from any location.
This capability enables IT organizations to reduce the overall cost of desktop computing by
centralizing management, administration, and resources.
Another key benefit is increasing security by:
Understanding and mitigating risk of data loss by maintaining all data within the corporate
firewall
Enabling all corporate desktops to be at the highest level of patching and antivirus updates
Providing secure access to View desktops for both PCoIP and RDP through security server
Using the View Client with Local Mode virtual rights management and centrally managed
security policies
Managing all desktops centrally in the datacenter instead of at distributed, remote sites
Provisioning desktops instantly to new users and new departments and facilitating office moves
Managing large numbers of desktops as one entity
Using the View Composer ability to create clones from a central image that automatically join
the domain
Using View Connection Server to create dynamic pools of desktops for quick provisioning and
rapid updating
Using the ThinApp application sync and application link utilities to dynamically and
automatically update applications without the need for an agent
Integrating with AD so that no schema changes are needed
Another key benefit is increased business agility and user flexibility:
View provides flexibility in regard to the changing needs of the business by providing
consistent desktops to all users from any network connection.
View provides flexibility to manage business reorganizations, office moves, and expansion into
new territories or changing work patterns.
View provides user access from the same desktop from any location, from any device.
ThinApp agentless deployment allows users to install applications on locked-down PCs.
View also provides implicit business continuity and disaster recovery. An alternative work site that
has network connectivity can be a recovery site. View guarantees business continuity because the
same desktop that is accessed during a disaster recovery scenario is also accessed in the normal
workplace. View takes advantage of key components of the vSphere platform, such as vMotion,
vSphere HA, and DRS.
View offers decreased power consumption by reducing financial and carbon costs of desktop power
used with thin clients, which typically use one-tenth the power of a PC.
View Features
Slide 2-9
View is built around vSphere and View Connection Server. View has many significant features:
vSphere integration: View uses the vCenter Server system and ESX/ESXi hosts to create an
end-to-end virtual desktop solution.
Enterprise-class connection brokering: Enterprises use connection brokering to connect their
remote clients to their centralized virtual desktops. Connection brokering is also used by
administrators for managing View Connection Servers and configuring virtual desktops.
Web-based management user interface: Designed for a desktop administrator, View
Administrator provides a user-friendly interface that enables central administration of desktops
from any location.
Full AD integration: View connects to the AD infrastructure to find user and user group
accounts. It uses the authentication features of AD to control which users can access virtual
desktops.
Support for existing desktops as well as pools of new desktops: Manual pools contain existing
virtual or physical desktops that have users manually assigned. Users and desktops have a
one-to-one relationship. Automated desktop pools provision either dedicated-assignment or
floating-assignment virtual desktops. Dedicated desktops mean that users log in to the same desktop
every time. Floating desktops are returned to the pool when a user logs out.
Advanced pool management features: View pool management features enable you to use the
desktop cloning features in vCenter Server and View Composer and save power by suspending
desktops that are not in use. Suspending desktops this way also frees memory and processing
power on the ESX/ESXi host.
Ability to cluster connection servers together for high availability and redundancy: Creating a
high availability environment avoids a single point of failure. And it adds scalability that eases
expanding the environment to support a larger number of users.
Support for RSA SecurID and smart cards: Both provide strong, two-factor authentication for
added security for end users accessing virtual desktops from clients.
View Persona Management: Dynamically associates a user persona to virtual desktops. You
can deploy easier-to-manage stateless floating desktops to more use cases while enabling user
personalization to persist between sessions.
Support for USB client devices and multimedia redirection: USB devices can be locally
connected to clients and accessed through the virtual desktop.
Flexible deployment options: This flexibility enables deploying critical components of View to
different parts of the network to improve security and scalability of the environment.
Internationalization
Slide 2-10
View Client and online help for View Client are available in the
following languages:
Japanese
French
German
Simplified Chinese
Korean
View Client and online help for View Client are available in Japanese, French, German, Simplified
Chinese, and Korean.
Documents that are available in these languages include VMware View Administration, VMware View
Installation, VMware View Upgrades, and VMware View Architecture Planning. All documents are
available at http://www.vmware.com/support/pubs.
Use Cases
Slide 2-11
Offshore development
Remote office and telecommuting
Call centers
Office hotelling
Desktop replacement
Brokerage firms
Health care industry
Business continuity and disaster recovery
Any scenario where cost savings, centralized management, security,
user flexibility, and green computing are drivers
Many use cases are appropriate for View. Only two are discussed in detail here.
One use case is to use View to relocate development and operational functions outside the country.
In this use case, View:
Provides centralized, static desktops and test systems while eliminating the risk of data
movement or loss
Simplifies the provisioning process for users traveling between locations
Improves application performance and data movement by moving client systems closer to the
servers and data typically accessed and supported
A View implementation involves the following:
View virtual desktops are provided to remote users.
Data and applications are moved to servers and storage arrays in the corporate datacenter. Data
containment features then prevent data and applications from leaving the datacenter.
Users moving between locations are served by one of the standard desktop images, with data
serviced in the datacenter.
Business continuity (BC) and disaster recovery (DR) planning is required to support users offsite
from alternative offices and home computers. Comprehensive BC/DR plans achieve:
Reduction in support effort and hardware cost to support exception scenarios
Consolidation of work effort, support, and cost of BC, DR, and production requirements into a
single computing model
Simplification of client computing by providing a single interface and access to all applications
regardless of location or scenario
Stateless devices provisioned to reduce setup complexity and reduce support effort and cost
A View implementation enables the following:
BC/DR sites can be provisioned ahead of time with appropriate network access.
Thin client devices can be provisioned at BC/DR sites much less expensively than traditional
(thick) clients.
Thin client setup is much faster than setup of a standard PC.
Virtual desktops can be migrated or failed over from exception sites, if adequate resources are
available at a DR site.
The ability to deploy virtual desktops from a single virtual machine instance reduces virtual
desktop setup time.
View Components
Slide 2-12
Local Mode
Secure, offline desktop capability
View Composer
ThinApp
Application virtualization
View Administrator can assign and install ThinApp MSI packages.
Virtual Printing
Universal print driver
[Slide figure: display protocols by delivery type and use case. Labels: LAN delivery (high bandwidth, PC experience); WAN delivery (low bandwidth, productivity desktop); RDP; task worker; knowledge worker; developers; power user; designer; 2-D, 3-D, Flash, multimedia; high-resolution 3-D; virtual desktops; blade PCs.]
IT departments are faced with many deployment options and use cases. As the slide shows, the
display protocols are designed to solve specific challenges for specific use cases.
View Connection Server using PCoIP is designed to provide a flexible solution that is capable of
addressing the broad set of use cases and deployment scenarios shown on the slide.
Windows 7
Windows XP
Windows Vista
View Connection Server can run on either a physical or a virtual machine, although running View
Connection Server on a virtual machine has many advantages.
View Connection Server works with vCenter Server systems to manage virtual desktops. Desktops
can be individual virtual machines that are dedicated to a user. The desktops can also be members of
an automated pool that is deployed on demand. An automated pool can deploy dedicated-assignment
or floating-assignment desktops:
Dedicated-assignment desktop: Users are allocated a desktop that retains all of their
documents, applications, and settings between sessions. The desktop is statically assigned the
first time that the user connects and is then used for all subsequent sessions. No other user is
permitted access to the desktop.
Floating-assignment desktop: Users might be connected to different desktops from the pool
each time that they connect. Environmental or user data does not persist between sessions.
View Connection Server supports the use of a virtual desktop that operates on a physical client
system. This capability is called local-mode desktops. First, you check out a vCenter Server virtual
desktop, which moves the desktop image to your client system. You can then disconnect from View
Connection Server and use the desktop in local mode until you are ready to upload all changes and
reconnect to the online version.
Desktops, whether virtual machines or physical machines, must be Windows 7, Windows XP, or
Windows Vista systems. View Connection Server also manages desktops from a Microsoft Terminal
Services server.
For DMZ deployments, View Connection Server provides a security server. The security server can
be deployed using RDP as the remote display protocol.
For high availability deployments, more View Connection Servers can be deployed. They are called
replica instances of a View Connection Server. All View servers use a replicated database to remain
coordinated.
View Administrator, a Web-based management interface, enables View administrators to perform all
the configuration, deployment, and administrative tasks for View.
View Client for Windows, Mac systems, iPad, Android tablets, and certain thin client devices
View Client with Local Mode for Windows client systems
View API: Embedded in certain thin client devices
Access:
Synchronization of desktops
Policy enforcement
View Connection Server
View Client with Local Mode addresses the challenge of providing continuous access that is implicit
in any online desktop solution. Through circumstance or choice, users might find themselves in
environments where network availability is limited or absent.
Local mode offers mobile users the ability to check out a cloned instance of certain types of View
desktops onto a local physical system, such as a laptop, that is running Windows. After the local
copy has been checked out, it behaves like a standalone desktop system and can be used with or
without a network connection. The virtual desktop is now considered to be offline. When the user is
ready, the updated instance of the desktop can be checked in and the user can then access the online
virtual desktop. Only the changes are uploaded to the online version.
View Composer
Slide 2-17
Disk savings
Supports tiered storage
Replicates changes quickly across dependent virtual machines
Retains user-specific data
Image separation:
[Slide figure: a parent with a read-only base image; desktop A and desktop B, each with its own delta disk and persistent disk.]
View Composer enables View Connection Server administrators to rapidly clone and deploy
multiple desktops from a single centralized base image, called a parent virtual machine. After the
desktops have been created, they remain indirectly linked to a snapshot residing on the parent virtual
machine. View Composer is a separate Windows service that must be installed on the same system
that hosts vCenter Server. It is a colocated service.
The link is indirect because the first time a desktop clone is created, a uniquely identified copy of
the parent virtual machine (called a replica) is also created. All the desktop clones are anchored to
the replica, not to the parent virtual machine. Desktops of this type are called linked-clone desktops.
Because all the linked-clone desktops in this environment are connected to a common source (the
replica virtual machine), View Composer permits the centralized management of desktops while
maintaining a seamless user experience. Tasks like resetting each system to its default configuration,
balancing storage, installing software, and applying service packs are greatly accelerated by this
type of deployment.
When a View administrator configures an automated dedicated pool that uses linked-clone
technology, an option is to attach a persistent user data disk to the clone. The user data disk retains
user-specific data and is never affected by normal centralized-update operations.
View Composer will use either the VMware QuickPrep process or Microsoft Sysprep to personalize
each deployed desktop. Although QuickPrep is similar to Microsoft Sysprep and is much faster, it
does not generate a new system ID for each linked-clone desktop.
View Composer must be installed on the same system that hosts vCenter Server. Using vCenter
Server Appliance with View Composer is not supported.
ThinApp:
Virtualizes and encapsulates applications:
Decouples applications and data from the operating system
Allows one copy of application to be run by multiple users
Virtual Printing:
[Slide figure: vShield Endpoint. Labels: SVM with AV and hardened OS; three VMs, each with persona, app, OS, kernel, and BIOS layers; introspection.]
Enables comprehensive desktop virtual machine protection
vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the
hypervisor to scan guest virtual machines from the outside without a bulky agent. vShield Endpoint
is efficient in avoiding resource bottlenecks while optimizing memory use.
vShield Endpoint installs as a hypervisor module and security virtual machine from a third-party
antivirus vendor (VMware partners) on an ESX/ESXi host.
The vShield Endpoint thin agent must be installed on each guest virtual machine to be protected.
Virtual machines with the thin agent installed are automatically protected whenever they are started
on an ESX/ESXi host that has the security solution installed. That is, protected virtual machines
keep the security protection through shutdowns and restarts and even after a vMotion migration to
another ESX/ESXi host with the security solution installed.
Centralization of an antivirus solution through vShield Endpoint eliminates agent sprawl across
desktop virtual machines. Centralization also helps eliminate the antivirus storm issues that are
typically associated with antivirus services distributed across virtual machines.
vShield Endpoint requires vCenter Server 4.1 or later.
Third-party management tools can be used to manage the View environment. View includes
automation and integration with Windows PowerShell and integration with Microsoft System Center
Operations Manager (SCOM).
View PowerCLI provides Windows PowerShell cmdlets to administer View from the command line.
Windows PowerShell uses the Microsoft .NET object model and provides administrators with
management and automation capabilities. As with any console environment, you work with
Windows PowerShell by running commands, which are called cmdlets.
View Connection Server includes more than 45 Windows PowerShell-based cmdlets. You can use
these cmdlets with the VMware vSphere PowerCLI cmdlets. You can also use the View cmdlets to
examine the configuration of vCenter Server systems and management of licensing, global
configuration, connection brokers, pools, entitlements, and desktop-user assignment. This
enhancement allows for automation and scripting and provides extensibility to administration tasks.
View PowerCLI is installed during the View Connection Server installation.
For more about using View PowerCLI, see VMware View Integration at http://www.vmware.com/support/pubs.
View Licensing
Slide 2-21
View is sold in two editions, Enterprise and Premier, either as a bundled solution that includes
vSphere or as a desktop add-on to a separate or existing vSphere purchase. View Enterprise offers
the View desktop management product. View Premier includes several additional components to
substantially lower the costs of managing applications and desktops.
For further information, see VMware View 4.5 FAQ: Pricing, Licensing and Support at
http://www.vmware.com/technical-resources/products/view.html.
vSphere Desktop edition is designed for licensing vSphere in VDI deployments. vSphere Desktop
licensing is based on the total number of powered-on desktop virtual machines.
vSphere Desktop edition provides all the capabilities of vSphere Enterprise Plus, as well as an
unlimited vRAM entitlement.
vSphere Desktop edition can be used for only VDI deployments. It can also be used with View and
third-party VDI connection brokers.
ESX/ESXi hosts
vCenter Server system
Software:
vCenter Server systems
View requires vSphere 5.0, vSphere 4.1, or vSphere 4.0. Current versions of ESX/ESXi hosts must
be present and managed by current vCenter Server instances.
If Sysprep is used for template-based Windows desktop deployment or linked-clone deployment, the
vCenter Server system must have Microsoft Sysprep tools installed. All Sysprep customization
requires a vCenter Server customization specification that permits cloned virtual machines to join an
AD domain.
Requirements for View Connection Server:
vSphere 5.0 or later
vSphere 4.1 Update 1 or later
vSphere 4.0 Update 3 or later
Required AD Components
Slide 2-24
Required components:
AD domain controllers
DNS with both forward and reverse lookup zones
DHCP
View Connection Server relies on Active Directory for authentication. The virtual desktops and the
View Connection Servers (standard and replica instances) must be members of a domain. But
domain membership is not required for vCenter Server, View clients, or View security servers.
To add users to a different AD domain, you must establish a two-way trust relationship between the
domain and the domain in which View Connection Server is located.
Key Points
Slide 2-26
vSphere integration
MODULE 3
View Connection Server
Slide 3-1
Course Introduction
Introduction to View
Local-Mode Desktops
VMware ThinApp
Importance
Slide 3-3
Module Lessons
Slide 3-4
Lesson 1: Installing View Connection Server
Lesson 2: Configuring View Connection Server
Lesson 1:
Installing View Connection Server
Learner Objectives
Slide 3-6
a. Create one or more domain global groups for View users.
b. Add these groups to Remote Desktop Users group.
c. Identify and add existing users to the appropriate domain users group.
3. Configure DNS and DHCP services to support View.
The View Transfer Server does not need to be a member of the domain. You might want to omit this detail here
because the View Transfer Server and its function have not been discussed. The View Connection Server instance in
this case is the standard connection server, the first connection server that is installed.
[Slide figure labels: View Administrator, VMware vCenter Server systems, virtual desktops with View Agents, thin client, VMware ESX/ESXi hosts, View Client with Local Mode, View Connection Server, View Client, AD domain controllers]
Requirements for a computer that is running the VMware View Connection Server include:
Dedicated physical or virtual server
Minimum Pentium IV 2.0GHz CPU (dual processors recommended)
Minimum 4GB of RAM (at least 10GB recommended for deployments of 50 or more View
desktops) for a Windows 2008 R2 64-bit host
Minimum 2GB of RAM (at least 3GB recommended for deployments of 50 or more View
desktops) for a Windows 2003 R2 32-bit host
Minimum 10/100Mbps network interface card (NIC) (1Gbps NIC recommended)
None of these hardware requirements are checked before installation. View Connection Server can
be installed on the following operating systems:
Windows Server 2008 R2 Standard Edition, 64-bit
Windows Server 2008 R2 Enterprise Edition, 64-bit
Windows Server 2008 R2 Standard Edition with SP1, 64-bit
Windows Server 2008 R2 Enterprise Edition with SP1, 64-bit
Host systems that are running View Connection Server must be members of
an AD domain, which can be:
For linked-clone desktop deployments, View Composer must reside on the same system as
vCenter Server.
A valid license key for View.
The View Transfer Server does not have to be a member of the domain. You might want to omit this detail here
because the View Transfer Server and its function have not been discussed. The View Connection Server instance
referenced here performs the broker functions.
Not secure
Prone to allow untrusted parties to intercept the data traffic
Data is secure
The organization's server is not intercepted by untrusted parties
Preinstallation Checklist
Slide 3-13
An AD domain controller
A Microsoft IIS server or any other Web server using port 80 or 443
A vCenter Server instance
A Microsoft Terminal Services server
Another View component
You must check several things before installing View Connection Server.
Make sure that you pick the right Windows 2003 R2 or Windows 2008 R2 system. The system can
be a physical machine or a virtual machine, but the system cannot be one of the following:
An AD domain controller
A Microsoft Internet Information Services (IIS) server (or any other Web server using port 80
or 443)
A vCenter Server instance
A Microsoft Terminal Services server
Other requirements include:
The View Connection Server system must be a member of an AD domain. To add users to a different
domain, a two-way trust must exist between the two domains. It is possible to limit the domains
that are searched by using domain filtering, a feature that is discussed later.
The host system should have only one network interface. You can install View Connection
Server on a system with multiple NICs, but View Connection Server will use only one NIC and
the NIC cannot be specified.
The host system must use a static IP address.
Systems elsewhere in the network must be able to resolve the fully qualified domain name
(FQDN) of the connection server host system. That is, the connection server system must be
reachable.
You must be able to browse to http://localhost on this system.
Begin the installation of the View Connection Server by downloading and running VMware-viewconnectionserver-<build>.exe (32-bit systems) or VMware-viewconnectionserver-x86_64-<build>.exe (64-bit systems).
You are prompted to select the destination folder for the software. This folder is only the destination
of binaries. Data that is used by View is stored in the vCenter Server database, AD, and a
Lightweight Directory Access Protocol (LDAP) directory. The LDAP directory is an embedded
directory that serves as the LDAP data repository for all View Connection Server configuration
information. The LDAP directory is created when the View Connection Server is installed.
Four types of View Connection Server are possible. If this is your first View Connection Server,
select View Standard Server. The other three options:
View Replica Server: A connection server that operates as a peer to the standard connection
server
View Security Server: A version of View Connection Server that operates as a security
gateway for desktop access from the public network
View Transfer Server: A version of View Connection Server that handles the transfers of
virtual desktops for local-mode access
These three options are discussed later in the course.
Active Directory Application Mode (ADAM) is a Microsoft product for Windows 2003 that is an
LDAP extension of AD. AD Lightweight Directory Service (LDS) is the name of the same product
for Windows 2008. It allows user software (in this case, View Connection Server) to store LDAP
data in a database that has the same basic structure as AD. But because this is a separate LDAP
directory, View Connection Server does not have to change the AD schema. ADAM and AD LDS
share the same code base as AD but have smaller resource requirements.
For a View Connection Server running on a Windows 2003 R2 or Windows 2008 R2 server system,
ADAM or AD LDS is an embedded LDAP directory that is created during the connection server
installation.
The View LDAP directory contains the following components that are used in View Connection
Server:
Specific View Connection Server schema definitions
Directory information tree (DIT) definitions
Access control lists (ACLs)
View LDAP contains entries that represent the following View Connection Server objects:
Virtual desktop entries that represent each accessible virtual desktop
Virtual desktop pool entries that represent multiple virtual desktops managed together
Virtual machine entries that represent each virtual desktop
View Connection Server component configuration entries that are used to store configuration
settings
You use the ADSI Edit utility to modify View LDAP. The ADSI Edit utility is installed with View Connection Server.
When you change the View LDAP directory on a View Connection Server instance, the change is propagated to all
replicated View Connection Server instances.
See the Microsoft TechNet Web site for information about using the ADSI Edit utility.
After starting ADSI Edit (Start > Programs > ADAM > ADAM ADSI Edit), select or connect to DC=vdi,
DC=vmware, DC=int. See VMware View Manager Configuration Data Export and Import at
http://www.vmware.com/pdf/viewmanager_data_exp_imp.pdf for a few details on the View LDAP directory. The document
was written for View Manager 3.0 and, as of December 2011, has not been updated.
For Windows Server 2008 R2, the installation program can configure
the required Windows firewall rules.
For Windows Server 2003 R2, you must configure the required
Windows firewall rules manually and open these incoming ports:
80 for HTTP
By default, Windows 2003 R2 and Windows 2008 R2 servers have the Windows Firewall service
active.
When you install View Connection Server on Windows Server 2008 R2, the installation program
can configure the required Windows firewall rules for you. But when you install View Connection
Server on Windows Server 2003 R2, you must configure the required Windows firewall rules
manually.
The incoming TCP ports that must be opened on the firewall for View Connection Server instances
and security servers are:
Port 80: HTTP is used by the standard, replicated, and security servers.
Port 443: HTTPS is used by the standard, replicated, and security servers.
Port 4172: PCoIP is used by the standard and security servers.
Port 4001: JMS (Java Message Service) is used by the standard and replicated servers.
Port 4100: JMSIR (Java Message Service Internode Router) is used by the standard and
replicated servers.
Port 8009: AJP13 (Apache JServ Protocol) is used by the standard and replicated servers.
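The port list above, turned into a per-role check so that each server type exposes only the ports it needs. This is an added example, not part of the course material or VMware's code: the function names and the netstat excerpt are constructed, and the commands it prints use the `netsh firewall` context of Windows Server 2003 R2, where the rules must be created manually.

```powershell
# Added example (not part of the course material). Ports and roles are copied
# from the list above; function names and the netstat sample are constructed.
$ViewPorts = @(
    @{ Port = 80;   Service = 'HTTP';  Roles = @('Standard', 'Replica', 'Security') },
    @{ Port = 443;  Service = 'HTTPS'; Roles = @('Standard', 'Replica', 'Security') },
    @{ Port = 4172; Service = 'PCoIP'; Roles = @('Standard', 'Security') },
    @{ Port = 4001; Service = 'JMS';   Roles = @('Standard', 'Replica') },
    @{ Port = 4100; Service = 'JMSIR'; Roles = @('Standard', 'Replica') },
    @{ Port = 8009; Service = 'AJP13'; Roles = @('Standard', 'Replica') }
)

# Return the table entries that apply to one server role.
function Get-ViewRolePort {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Standard', 'Replica', 'Security')]
        [string]$Role
    )
    $ViewPorts | Where-Object { $_.Roles -contains $Role }
}

# Print (do not run) the Windows Server 2003 R2 commands that open only the
# inbound TCP ports this role needs.
function Get-ViewFirewallCommand {
    param([Parameter(Mandatory = $true)][string]$Role)
    foreach ($p in (Get-ViewRolePort -Role $Role)) {
        'netsh firewall add portopening protocol=TCP port={0} name="View {1}" mode=ENABLE' -f $p.Port, $p.Service
    }
}

# Compare the TCP listeners in 'netstat -an' output with the role's ports.
# Ports that are not View ports (RDP, SMB, ...) are ignored on purpose.
function Test-ViewListener {
    param(
        [Parameter(Mandatory = $true)][string]$Role,
        [Parameter(Mandatory = $true)][string[]]$NetstatLines
    )
    $listening = @()
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') {
            $listening += [int]$Matches[1]
        }
    }
    $expected = @(Get-ViewRolePort -Role $Role | ForEach-Object { $_.Port })
    foreach ($p in $ViewPorts) {
        $isExpected  = $expected  -contains $p.Port
        $isListening = $listening -contains $p.Port
        if ($isExpected -and -not $isListening)     { $status = 'MISSING' }
        elseif (-not $isExpected -and $isListening) { $status = 'NOT-FOR-ROLE' }
        elseif ($isExpected)                        { $status = 'ok' }
        else                                        { continue }
        New-Object PSObject -Property @{
            Port = $p.Port; Service = $p.Service; Status = $status
        }
    }
}

# Constructed sample: 'netstat -an' excerpt from a host installed as a
# security server. 4172 is not listening and 8009 is listening although the
# list above assigns it to standard and replica servers only.
$sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING
  TCP    10.0.0.15:443          10.0.0.77:51544        ESTABLISHED
'@ -split "`r?`n"

Get-ViewFirewallCommand -Role Security
Test-ViewListener -Role Security -NetstatLines $sample |
    Format-Table Port, Service, Status -AutoSize
```

A listener is not proof that the firewall admits the traffic, so run the listener check on the server and confirm reachability from a client separately.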
Lesson 2:
Configuring View Connection Server
Learner Objectives
Slide 3-20
Perform an initial login.
Enter the license key.
Establish vCenter Server associations.
Configure access to the events database.
https://<FQDN_of_connection_server>/admin
Supported browsers:
Log in to View Administrator. Initially, all domain users who are members of the local
administrators group on the View Connection Server are allowed to log in to View Administrator
(BUILTIN/Administrators group). You can change the list of View Connection Server
administrators later.
Initial Login
Slide 3-23
The slide shows what the View Administrator looks like on first login. Navigation links in the left
pane are organized by object category and then by type of object:
Inventory: Contains information about pools, desktops, persistent disks, and VMware
ThinApp applications.
Monitoring: Contains events, remote sessions, and local sessions information.
Policies: Global policies are configured from this selection.
View Configuration:
Servers goes to a page to configure vCenter Server systems, View Connection Servers,
security servers, and View Transfer Servers.
Product Licensing and Usage displays the page shown on the slide.
Global Settings enables View administrators to modify settings that apply to this
connection server.
Registered Desktop Sources displays details about Microsoft Terminal Services, physical
machines, and virtual machines that are not running on ESX/ESXi hosts. These sources are
registered with a specific View Connection Server when View Agent is installed.
License your View Connection Server and verify that the proper View components are enabled. A
single serial number can also license View Composer and View Client with Local Mode. Although
many configuration operations can be performed without a license, including the addition of
desktops and pools, a client connection to a desktop requires a license.
Select View Configuration > Servers to add a vCenter Server system.
To configure vCenter Server associations, select View Configuration > Servers in the navigation
pane on the left. The panels display the four kinds of servers that can be used in a View deployment:
View Connection Servers: The connection server appearing in this panel is the standard View
Connection Server that was installed. This View Administrator session is supported by this
connection server.
vCenter Servers: This panel shows all the vCenter Server systems that are associated with
this connection server group. Click Add to add a vCenter Server system.
Security Servers: This panel shows the optional View security servers that are paired with this
connection server instance. Security servers are discussed in a later module.
Transfer Servers: View Transfer Server is an optional View Connection Server component
that supports check-in, checkout, and replication of desktops that run in local mode. View
Transfer Server is discussed in a later module.
Add the vCenter Server systems that are managing the virtual
desktops.
Add the vCenter Server systems. You associate a vCenter Server system with this View Connection
Server by entering the FQDN of the vCenter Server system. This vCenter Server system must be the
system that is managing the ESX/ESXi hosts that will be hosting the virtual desktops. View does not
require that the vCenter Server system be a member of the domain.
If a View administrator is not an administrator in vCenter Server, you must assign a vCenter Server
role that allows View Connection Server to perform its operations. The vCenter Server role (named
ViewAdministrator, for example) that is assigned to the user name (viewadmin, in the screenshot)
must, at a minimum, have these privileges assigned:
Folder group:
Select Create Folder.
Select Delete Folder.
Virtual Machine group:
Inventory: Select Create and Remove.
Interaction: Select Power On, Power Off, Suspend, and Reset.
Configuration: Select Add new disk, Add or Remove Device, Modify Device Settings,
and Advanced.
Provisioning: Select Customize, Deploy Template, and Read Customization
Specifications.
Resource group:
Select Assign Virtual Machine to Resource Pool.
The Advanced link sets the number of virtual desktops to power on and clone at any one time for
pools. During the initial setup, you do not need to configure these limits.
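The minimum privilege list above can be scripted with vSphere PowerCLI so that the role is created from an explicit list and later checked for drift. This is an added example, not VMware's code: the function names are hypothetical, the privilege IDs are the vSphere API identifiers that I map to the check boxes named above (confirm them with `Get-VIPrivilege` on your vCenter Server version), and the sample privilege list is constructed.

```powershell
# Added example (not part of the course material). The two functions that
# call vCenter Server need vSphere PowerCLI and a Connect-VIServer session;
# the comparison at the bottom runs offline on constructed data.
$ViewMinimumPrivilege = @(
    'Folder.Create', 'Folder.Delete',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Suspend', 'VirtualMachine.Interact.Reset',
    'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Provisioning.Customize',
    'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.ReadCustSpecs',
    'Resource.AssignVMToPool'
)
# vCenter Server adds these three privileges to every role it creates.
$ImplicitPrivilege = @('System.Anonymous', 'System.Read', 'System.View')

# Create the role with exactly the minimum privileges (role name from the text).
function New-ViewVCenterRole {
    param([string]$Name = 'ViewAdministrator')
    New-VIRole -Name $Name -Privilege (Get-VIPrivilege -Id $ViewMinimumPrivilege)
}

# Report privileges that are missing from, or go beyond, the stated minimum.
function Compare-ViewRolePrivilege {
    param([Parameter(Mandatory = $true)][string[]]$Granted)
    $missing = @($ViewMinimumPrivilege | Where-Object { $Granted -notcontains $_ })
    $beyond  = @($Granted | Where-Object {
        ($ViewMinimumPrivilege -notcontains $_) -and
        ($ImplicitPrivilege -notcontains $_)
    })
    New-Object PSObject -Property @{
        Missing       = $missing
        BeyondMinimum = $beyond
        MatchesList   = ($missing.Count -eq 0 -and $beyond.Count -eq 0)
    }
}

# Check a live role against the list.
function Test-ViewVCenterRole {
    param([string]$Name = 'ViewAdministrator')
    Compare-ViewRolePrivilege -Granted (Get-VIRole -Name $Name).PrivilegeList
}

# Assigning the role to the account from the text at the inventory root
# ('DOMAIN' is a placeholder):
# New-VIPermission -Entity (Get-Folder -NoRecursion) -Principal 'DOMAIN\viewadmin' `
#     -Role (Get-VIRole -Name 'ViewAdministrator') -Propagate:$true

# Constructed sample: a role that was cloned from a broader role, never
# trimmed, and that lost one required privilege along the way.
$sampleGranted = $ImplicitPrivilege +
    ($ViewMinimumPrivilege | Where-Object { $_ -ne 'Resource.AssignVMToPool' }) +
    @('Datastore.Delete', 'Host.Config.Settings')

$report = Compare-ViewRolePrivilege -Granted $sampleGranted
'Missing:        {0}' -f ($report.Missing -join ', ')
'Beyond minimum: {0}' -f ($report.BeyondMinimum -join ', ')
'Matches list:   {0}' -f $report.MatchesList
```

The text gives the list as a minimum, so an entry under "Beyond minimum" is a prompt to find out which feature needs it, not automatically an error.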
Database user must have permission to create tables and views, and
permission to read and write to these objects.
View uses an event database to record information about View Connection Server events. The View
event database should be configured on first login to ensure that detailed event information is
captured for all View Connection Server activities.
The event database stores information about View events as records in a database rather than in a
log file. If you choose not to configure an event database, you must look in the log file to get
information about events. The log file contains limited information.
You create an event database by adding it to an existing database server. In addition to reviewing
events with View Administrator, you can also use enterprise reporting software to analyze the events
in the database. The database server for the event database can reside on a View Connection Server
host or on a dedicated server. Or you can use an existing database server, such as the server that
hosts a View Composer database. You cannot use an ODBC data source for this database. View
Connection Server uses the appropriate database server API, instead.
To establish an event database:
1. Add a database to the database server and give it a descriptive name like ViewEventsDB.
2. Add a user for this database who has permission to create tables, views, and, in Oracle, triggers
and sequences, as well as permission to read from and write to these objects.
For a Microsoft SQL Server database, you must use the SQL Server authentication method. The
Integrated Windows Authentication security model is not supported by View Connection Server.
After the database is created, the schema is installed when you configure the database in View
Administrator.
Before you can use View Administrator to configure an event database on Microsoft SQL Server,
you must configure the TCP/IP properties and verify that the server uses SQL Server authentication:
1. Open SQL Server Configuration Manager and expand SQL Server
<YYYY_network_configuration>.
2. Select Protocols for <server_name>.
3. In the list of protocols, right-click TCP/IP and select Properties.
4. Set Enabled property to Yes.
5. Verify that a port is assigned or, if necessary, assign one. The default port for SQL Server is port
1433.
For information about the static and dynamic ports and how to assign them, see the online help
for SQL Server Configuration Manager.
6. Verify that this port is not blocked by a firewall.
At the time this course was developed there were no guidelines available for sizing the event database. The historical
tables are not capped, so the growth must be monitored.
Open Database Connectivity (ODBC) is a widely accepted API for database access. ODBC is designed for maximum
interoperability. It allows a single application to access different database management systems with the same source
code. If an application is to support various database systems, ODBC simplifies application development. vCenter
Server and View Composer use ODBC because both support nearly the same choice of databases. View
Connection Server supports only two database servers and uses the appropriate API. So ODBC and a data system
name are not necessary when configuring the event database.
After the configured period of time has elapsed for an event, the event
is deleted from the event and event_data tables.
To configure the aging settings for events in View Administrator, click Edit in the Event Settings
window. Change the length of time to show events (1 week to 6 months) and the number of days to
classify events as new (1, 2, or 3 days), and click OK.
These settings pertain to the length of time the events are listed in the View Administrator interface.
The events are never deleted from the database.
The Event Database panel displays the current configuration of the event database.
Select Monitoring > Events in the navigation pane to verify that the connection to the event
database is successful. If the connection is unsuccessful, an error message appears. If you are using
SQL Express or if you are using a named instance of SQL Server, you might need to determine the
correct port number, as described earlier.
To improve performance, View Administrator displays only the most recent 2000 events from the
event and event_data tables. You can change this limit by adjusting the value of an attribute in
ADAM. If you increase the limit, View Administrator requires more time and system resources to
fetch and display the records. For more details, see VMware knowledge base article 1026196 at
http://kb.vmware.com/kb/1026196.
Lab Environment
Slide 3-31
ESX/ESXi host
cs-<ESX/ESXi_host_name>: Connection server
sec-<ESX/ESXi_host_name>: Security server
Each ESX/ESXi host is preinstalled with seven virtual machines and two networks.
The virtual machines that are used as the View infrastructure systems in this course are Windows
2003 R2 and Windows 2008 R2 machines. You install the appropriate View Connection Server
component on each machine:
cs-<ESX/ESXi_host_name>: Connection server
rs-<ESX/ESXi_host_name>: Replica server
sec-<ESX/ESXi_host_name>: Security server
Three Windows XP SP3 virtual machines are preinstalled:
cla-<ESX/ESXi_host_name>: Client A system. This machine is cloned to create a second
client system (client B) after View Client is installed.
dt1-<ESX/ESXi_host_name>: Desktop 1 system. After View Agent is installed on this system,
a template is created, which becomes the source for all other Windows XP desktop systems.
cnb-<ESX/ESXi_host_name>: Capture-and-build machine for ThinApp. This virtual machine
is used to create the ThinApp project so that it can be deployed to one of the desktop systems.
One Windows 7 virtual machine is preinstalled. It will be the parent virtual machine for the linked
clones.
The two networks are:
Privnet: Mimics an internal network. All virtual machines are connected to this port group.
Public: Mimics an external network. The security server is connected to this port group.
Lab 1
Slide 3-32
In this lab, you will install and configure the View Connection Server.
1. Add an ESXi host to the vCenter Server inventory.
2. Confirm setup of the virtual machine to be used as the connection
server.
3. Install View Connection Server software.
4. License View Manager.
5. Associate a vCenter Server system with the View Connection Server.
6. Configure an event database.
Key Points
Slide 3-34
MODULE 4
View Desktops
Slide 4-1
Course Introduction
Introduction to View
Local-Mode Desktops
VMware ThinApp
Importance
Slide 4-3
Module Lessons
Slide 4-4
Lesson 1: Configuring Virtual Machines as Desktops
Lesson 2: Remote Display Protocols
Lesson 3: View Agent
Lesson 4:
Lesson 1:
Configuring Virtual Machines as Desktops
Learner Objectives
Slide 4-6
Multiple vCPUs
Slide 4-7
Most desktops operate well with only a single virtual CPU (vCPU). But sometimes a power
desktop user with CPU-intensive applications might perform better with multiple CPUs. Windows
7, Windows XP, and Windows Vista virtual machines are limited to two virtual sockets. Each virtual
socket can have multiple cores. A vCPU equates to a CPU socket.
Using multiple vCPUs per virtual machine might cause problems on VMware ESX/ESXi hosts
that have a limited number of physical CPU cores. All of a virtual machine's vCPUs must be
scheduled at the same time on physical cores. So a multi-vCPU virtual machine might spend more
CPU cycles swapped out on a busy system.
Each version of VMware vSphere (4.0, 4.1, or 5.0) has different maximums for the number of
vCPUs that are supported per ESX/ESXi host and for the number of virtual machines. Even if
enough vCPUs are available, the maximum number of virtual machines might impose a limit.
VMware strongly recommends that you consult the appropriate documentation at
http://www.vmware.com/support/pubs for the latest information about configuration maximums and
installation requirements.
Assign a single vCPU for all Windows desktops. Dual virtual CPUs are recommended for compute-intensive tasks and use cases and for Windows 7 desktops that need to play 720p video using the
PCoIP display protocol.
RAM
Slide 4-8
When you create a virtual machine, you define its RAM size. The RAM size is a maximum memory
that the virtual machine receives. Arbitrarily creating virtual machines with high RAM might cause
other problems because virtual machines with more RAM are by default given higher priority. The
default values assigned to virtual machines are based on the choice of operating system. Windows
XP virtual machines are assigned 256MB. Windows Vista virtual machines are assigned 512MB.
Windows 7 virtual machines are assigned 1GB. Each use case should be analyzed to determine the
best memory allocation, but a good starting point is to allocate 1GB for Windows XP, Windows
Vista, and 32-bit Windows 7. A 64-bit Windows 7 system should be allocated 2GB of RAM.
ESX/ESXi and VMware vCenter Server have a large number of tuning features, such as resource
pools, limits, and shares, that can improve overall use and performance.
Begin by creating a virtual machine (or deploy a virtual machine from a gold template). Select the
appropriate Windows guest operating system in the Create New Virtual Machine wizard. The
following versions of Windows are supported by VMware View Connection Server for View
Agent:
Windows 7: 32-bit and 64-bit versions of Windows Enterprise and Professional, without a
service pack or with Service Pack 1 (SP1)
Windows Vista: 32-bit versions of Windows Vista Business or Enterprise, either SP2 or SP3
Windows XP Professional SP3
After creating the virtual machine, install Windows.
The volume-activation technology requires a volume license key.
To make sure that View Composer properly activates Windows 7 and Windows Vista operating
systems on linked-clone desktops, you must use Microsoft volume activation on the parent virtual
machine. The volume activation technology requires a volume license key.
To activate Windows 7 or Windows Vista with volume activation, you use Key Management Service
(KMS), which requires a KMS license key. See your Microsoft dealer to acquire a volume license
key and configure volume activation.
The activation procedures for linked clones are discussed more later.
Windows 7 Sysprep
Slide 4-11
Windows Vista and Windows 7 come with Sysprep already present in the operating system. No
additional steps are necessary.
For Windows 7 and Windows Vista virtual machines that are going to be virtual desktops, you
should not enable power options. Instead, allow View Connection Server to suspend the virtual
machine when it is not in use. The suspend option must be enabled when the desktop pool is
configured. If a Windows system is in a sleep or hibernation state, View Connection Server is unable
to manage it.
Depending on the number of virtual desktops on each ESX/ESXi host,
you might need to increase these values.
The default number of ports for a virtual switch on an ESX/ESXi host is:
120 ports for the vSphere 5.0 platform
120 ports for the vSphere 4.1 platform
56 ports for the vSphere 4.0 platform
A maximum of 56 or 120 virtual desktops can connect to a switch.
Desktops that cannot get a connection still power on, but customization fails if you have specified
automatic joining of an Active Directory (AD) domain. Without a network connection, the virtual
machine is useless in a virtual desktop environment because no user can connect to it.
Select a high-performance power option.
Do not specify a sleep timer, standby, hibernation, or any other power
option that might make the desktop unreachable.
For more about desktop performance issues, see Windows XP Deployment Guide and VMware View
Optimization Guide for Windows 7 at http://www.vmware.com/technical-resources/products/view.html.
For Windows 7 and Windows Vista systems, WinSAT periodically auto-tunes the system by
enabling or disabling features and services, based on the Windows Experience Index (WEI) score.
Some of the performance tuning steps that are suggested here might be reversed by WinSAT, so
consider disabling it. To disable WinSAT, from the Task Scheduler, select Task Scheduler Library
> Microsoft > Windows > Maintenance. Right-click WinSAT, select Properties, and make the
change.
No CPU/RAM reservation, low shares. Virtual machines have 512MB
defined.
Another way to improve virtual desktop performance is to assign virtual desktops to resource pools.
The example shows three resource pools under the root resource pool. The Low-Priority and
Medium-Priority resource pools might contain virtual desktops for general use. Desktops in a
public-kiosk environment might be assigned to the Low-Priority resource pool. The Medium-Priority resource pool might be used for individual desktops that are assigned to average users.
The High-Priority resource pool might be reserved for individual desktops that are assigned to
power users.
View desktop pools (discussed later in the course) are different from resource pools. The slide refers
only to resource pools.
The example is relatively elaborate, to convey what can be done. Practically, one might create a couple of resource
pools: one for higher-priority desktops and one for the rest.
Use Group Policy objects (GPOs) to enforce where users store their
data.
Group Policy objects (GPOs) and roaming profiles should be used to enforce where users store data.
A roaming profile can specify a home drive for all users that stores data in a file server's shared
directory. You learn more about View's roaming profiles feature, View Persona Management, in a
later module.
Disabling the Themes service on virtual desktops can boost performance. If you disable the Themes
service from an administrator account and build a template from these settings, users cannot
reactivate Themes. Disabling the Themes service is also less performance-intensive than stopping
the Themes service with a GPO.
Lesson 2:
Remote Display Protocols
Learner Objectives
Slide 4-22
PCoIP
Microsoft Remote Desktop Protocol (RDP)
Outline the steps to enable a desktop for remote access from View
Client.
List the ports that must be opened in the desktop's firewall for View
operations.
PCoIP is a protocol that is suitable for the task worker through the
designer use cases.
PCoIP is designed for use in both the LAN and the WAN:
At the desktop, PCoIP applies the correct imaging codec to the correct
pixels. The encoded pixels are delivered to the client system to be displayed.
icons
motion video
text
photos
graphics
PCoIP assures high performance partly due to its choice of codec for the information that is being
transferred. Choosing a codec for each type of information is important because the codec is
optimized for that type of data and will minimize the bandwidth and latency constraints.
This intelligent capability is important because images can be encoded individually, instead of as
part of an entire screen image. The benefit is that the pixel encoding is optimized for each image
type. This optimization results in superior image quality for the available bandwidth when compared
with protocols with only a single imaging codec.
With PCoIP, all pixels are rendered and encoded in the desktop agent. Encoded pixels are then
transmitted to the client device, for example, View Client, which is installed on a PC.
Host rendering has several distinct advantages:
Independence from network latency and bandwidth.
No application dependencies. Future applications work because client side rendering (which
requires specific codecs) is not needed.
Application performance is not affected.
PCoIP offers many advantages over client-rendered protocols like Citrix HDX and Microsoft
RDP:
Similar or superior experience over any network.
Always builds to lossless quality, unless this feature is disabled.
No application dependencies.
WAN optimizations built into the protocol.
Simple, stateless, secure zero-management clients are possible.
A significant characteristic of the PCoIP display protocol is its progressive build operation. The
image quality that is displayed to the user at the client system progressively improves. A progressive
build is especially important for Web applications because the user can take an action, such as
clicking a link, before the image is fully downloaded. Often, the initial frame gives the user enough
of the content to enable a decision about moving on or waiting for the image to complete. Other
display protocols force the user to wait until the image is fully formed before responding to the
mouse action.
Key attributes of progressive build:
Dynamic image quality adjustment
Automatically reduces image quality on congested networks
Responsiveness is maintained by reducing screen update latency.
Resumes maximum image quality when network is no longer congested
Experience similar or superior for same network constraints
[Slide figure: three stages of a PCoIP progressive build. 1. Initial image. 2. Perceptually lossless: built over a few frames, high quality picture, lossless text, 1-3 bits/pixel. 3. Lossless: built as BW permits, lossless picture, lossless text, 5-15 bits/pixel.]
The images on the slide show the progressive stages in a PCoIP display at the client system. The
initial image is grainy, although you can easily see what the general content is. The second image is
called perceptually lossless because it is a high-quality image that most people would rate as
satisfactory. It is not a perfect reproduction of the original image. The last image is lossless, which is
as good as it can be. The source image is no better than the lossless version. The downloaded image
can be only as good as the source.
The text is always lossless. It matches the text on the remote desktop.
By default, PCoIP always builds to lossless images. You can disable the build-to-lossless setting to
change the default policy.
[Slide diagram: View Connection Server brokering PCoIP soft clients, PCoIP-enabled clients, and PCoIP-enabled displays to virtual desktops with soft PCoIP, rack workstations with Teradici host cards, and blade PCs with Teradici host cards.]
View has a combined software and hardware PCoIP solution available, all managed by View
Connection Server. View Connection Server can broker Teradici hardware-based solutions for the
most-demanding users while also providing a software PCoIP solution and uncompromised user
experience for virtual desktops for less-demanding users.
VMware supplies the software versions of PCoIP in View Client and View Agent. If you have a
physical system that is going to be a View desktop, you must install a Teradici host card to use
PCoIP.
PCoIP-enabled displays are often called zero clients. A Teradici chipset or Teradici microcode
supports PCoIP. Zero clients are discussed in more detail later in this module.
PCoIP Architecture
Slide 4-28
[Slide diagram: components of the PCoIP server (in the View desktop, with View Agent and VMware Tools) and the PCoIP client (in View Client). Labels: PCoIP server, RDP virtual channel server, service redirectors, PCoIP portal, USB driver, View printing, remote MKS, virtual audio, SVGA driver, PCoIP client, RDP virtual channel client.]
The diagram shows the components that are embedded in the PCoIP server and client software.
Support for video, audio, USB, and RDP channels is always present in PCoIP. This integration
allows PCoIP to optimize the performance of these channels.
On the client system (PCoIP client, on the right), the PCoIP feature is always installed. The PCoIP
software client is built in to the client system and is installed with the other View Client files.
On the virtual desktop (PCoIP server, on the left), PCoIP is an optional component. It is installed by
default. If you install the PCoIP server, new SVGA and audio drivers are installed, with several
PCoIP server files.
This slide and the next two outline benefits that PCoIP offers. PCoIP is bundled with View.
The PCoIP protocol is optimized for delivery of images, audio, and video content. It provides the
following features:
You can use up to four monitors and adjust the resolution for each monitor separately, up to
2560x1600 resolution per display. PCoIP also supports monitor pivot and autofit, which allows
automatic adjustment of the display image if the monitor is rotated. You can, for example, have
one monitor in a landscape orientation and a second monitor in a portrait orientation.
32-bit color is supported.
You can copy and paste text between the local system and the View desktop. But you cannot
copy and paste system objects, such as folders and files, between systems.
Multimedia redirection is integrated, so videos, for example, can be streamed from the desktop
to the client system.
You can configure the amount of bandwidth that is used by Adobe Flash content and thereby
improve the overall Web browsing experience and make other applications more responsive.
Device redirection:
Video streaming
USB redirection: mass storage and human interface devices
RDP virtual channel compatibility
Bidirectional audio
Windows systems with the View Agent, View Client, or View Client with
Local Mode
View Client for Mac and Apple iPad
Teradici host card compatibility for physical desktop systems
User experience:
100-250ms of latency
0.5 percent packet loss
50-150Kbps of bandwidth per session
PCoIP is an adaptive bandwidth protocol that dynamically adjusts both to bandwidth and to latency
constraints. Performance across a LAN rivals a direct desktop experience, as if the user were sitting
at the remote desktop. WAN performance might not be as good, because of bandwidth, latency, and
jitter constraints. But even with latency reaching 250 milliseconds, the performance is still
satisfactory.
PCoIP always encrypts traffic. The Salsa20-256round12 and AES-128-GCM (Galois/Counter
Mode) algorithms are available for negotiation between the endpoints. Encryption cannot be
disabled even if the client-desktop connection is a direct connection.
Two choices are available for more secure connections. One choice is to use PCoIP over your
company's Virtual Private Network. The VPN should handle User Datagram Protocol traffic. UDP
is the protocol that is used by PCoIP. The second choice is to use the View security server.
When users connect to View desktops with the PCoIP display protocol, View Client can make a
further connection to the PCoIP Secure Gateway on the View Connection Server or security server
host. The PCoIP Secure Gateway ensures that only authenticated users can communicate with View
desktops over PCoIP.
Video settings are inherited from View pool configuration and can be
used with Adobe Flash settings.
PCoIP uses the standard USB framework.
PCoIP can use MMR with Windows XP and Windows Vista clients and
some thin clients.
Video settings are inherited from the desktop and pool settings. PCoIP can be used with the Adobe
Flash optimization settings, but it performs well without them.
PCoIP uses the standard USB framework to support HID and USB storage devices.
Multimedia redirection (MMR) can be used with Windows XP and Windows Vista systems and
some thin clients. MMR enables full-fidelity playback when multimedia files are streamed to a View
desktop. File formats include MPEG2, WMV, AVI, and WAV. For best quality, use Windows Media
Player 10 or later. Install Windows Media Player on both the local computer, or client access device,
and the View desktop. PCoIP renders the image and data at the virtual desktop and transmits the
encoded pixels to the client system, where they are displayed. MMR transmits (redirects) the files
from the desktop to the client system. The client system then renders the images for display. Full-fidelity playback at any screen size is assured.
MMR is not supported on Windows 7 virtual desktops or Windows 7 clients. But if the Windows 7
desktop has 1GB of RAM and two vCPUs, you can use PCoIP to play 480p and 720p videos at
native resolutions. For 1080p video, you might have to make the window smaller than full screen to
improve the image quality.
Configuration is by:
Use case
User expectations
Network requirements
Configuring the PCoIP optimization controls can result in a 75 percent reduction in bandwidth
usage.
Optimizing PCoIP also improves scalability on WAN links and increases user density on WAN
connections.
PCoIP optimization controls enable you to configure the user experience based on the use case, user
expectations, and network requirements.
Active Directory
The virtual machine that will be the parent or template for a desktop pool
The PCoIP Administrative template (pcoip.adm) file contains settings related to the authentication
and environmental components of View Agent. By configuring the pcoip.adm group policy
settings, a significant reduction in bandwidth utilization can be achieved.
You must import the pcoip.adm template into the environment where you will configure the View
PCoIP settings. You can configure pcoip.adm group policies in one of the following ways:
In AD: You choose to configure the PCoIP group policy settings in AD when one of the
following is true:
You want to apply the policies to the desktop pools.
You want to apply the policies to the entire View environment.
In the individual virtual machine that will be the parent or template for the desktop pool: You
choose to configure the PCoIP group policy settings on an individual virtual machine when you
want to apply the policies to one desktop pool.
The pcoip.adm template is installed on the host system where you install View Connection Server
at <installation_directory>\VMware\VMware View\Server\extras\GroupPolicyFiles\pcoip.adm.
You configure the View PCoIP policy settings after installing the ADM template.
You can tune PCoIP settings in several ways to optimize PCoIP performance when the network
bandwidth is constrained.
VMware recommends that you configure the following PCoIP settings in the pcoip.adm template
to reduce bandwidth usage:
Turn off the build-to-lossless feature.
Adjust the PCoIP client image cache size setting.
Enable the PCoIP session audio bandwidth limit setting.
Other advanced settings that you can configure in the pcoip.adm template include:
PCoIP image quality levels
Maximum PCoIP session bandwidth
PCoIP session bandwidth floor
The default values for these settings have been carefully selected to give maximum performance in
most environments. VMware recommends that you do not change these settings unless you have
carefully determined that the overall effect will be beneficial. These settings should be configured
only in certain specialized use cases.
For users who want to maximize bandwidth reduction, disable the
build-to-lossless feature.
View caches images and portions of the desktop composition to minimize
retransmission of pixel information across the network.
Using the settings described on this and later slides, the average
bandwidth usage per desktop can be tuned to 50Kbps.
The PCoIP optimization controls reduce bandwidth by:
Disabling the Build-to-Lossless policy setting:
By default, the Build-to-Lossless setting is enabled, thus providing a rich user experience. All
images are built to a lossless stage. Disabling the setting means that images are built only to the
perceptually lossless stage, which is satisfactory for most users and applications. The total
bandwidth that is required is much less.
Configuring client-side caching:
PCoIP caches image content on the View client system to minimize retransmission of pixel
information across the network. The cache captures both spatial and temporal redundancy in the
screen updates. You can disable the setting or enable it and configure the amount of cache that
can be used.
Configuring the audio compression bandwidth limit:
The lower the bandwidth assigned for audio, the higher the compression and the lower the
quality. Audio compression is normally automatically controlled, with the best audio quality
provided for the given network bandwidth that is available. If a limit is set, the audio quality is
reduced to fit within the bandwidth limit.
The PCoIP text codec uses an efficient lossless compression algorithm that has been developed with
text compression as a key consideration in order to minimize both bandwidth and CPU utilization.
The build-to-lossless feature in PCoIP gives high quality, precise images that are suitable for the
medical imaging and graphics professions. The images are built to lossless by default.
The build-to-lossless feature provides the following characteristics:
Dynamically adjusts image quality
Reduces image quality on congested networks
Maintains responsiveness by reducing screen update latency
Resumes maximum image quality when the network is no longer congested
Most users do not require this image quality and cannot differentiate perceptually lossless from fully
lossless. VMware recommends that you disable the build-to-lossless feature for all users except
those who require great precision of images. For example, medical technicians and illustrators need
fully lossless images.
You can configure the build-to-lossless setting in the Turn off Build-to-Lossless feature policy
setting in the pcoip.adm template. Disabling the build-to-lossless feature yields a significant
reduction in bandwidth usage.
To enable this setting, you must click Enabled and then click I accept to turn off the Build-to-Lossless feature. This agreement confirms that you understand that images and desktop content are
never built to a lossless state.
You can further reduce the bandwidth usage by adjusting the View
client cache size.
You can reduce the bandwidth usage by adjusting the cache size on the View client. The Configure
PCoIP client image cache size policy setting allows you to adjust the client's cache size.
Client-side image caching stores portions of transmitted image content on the client system to avoid
retransmission. Image caching reduces bandwidth usage. You can set a cache size between 50 and
300MB, if you enable the setting. A large cache size reduces bandwidth usage but requires more
memory on the client. A small cache size results in more bandwidth usage. The default value for the
cache size in the pcoip.adm template is 250MB if the setting is Not Configured or Disabled.
Client-side caching applies only to Windows and Linux clients when View Client, View Agent, and
View Connection Server are a View 5.0 or later release.
In this example, the limit
has been set to 250Kbps.
The PCoIP session audio bandwidth limit policy setting specifies the maximum bandwidth that
can be used for the audio stream. To allow for uncompressed high-quality stereo audio, set this value
to higher than 1600Kbps. A value of 450Kbps and higher allows for stereo, high-quality,
compressed audio. A value between 50Kbps and 450Kbps results in audio that ranges between FM
radio and phone-call quality. A value below 50Kbps might result in no audio playback.
This setting applies to the server only. You must enable audio on both endpoints before this setting
has any effect. This setting has no effect on USB audio.
If the audio bandwidth limit is configured, then PCoIP recognizes only the amount of available
bandwidth and the audio quality is reduced until the audio bandwidth limit is respected. The audio
quality is reduced by changing the compression algorithm.
If the PCoIP session audio bandwidth limit setting is disabled or not configured, a default audio
bandwidth limit of 500Kbps is configured to constrain the audio compression algorithm selected.
This setting applies to View 4.6 and later. It has no effect on earlier versions of View.
The PCoIP image quality levels policy setting allows you to control
how PCoIP renders images during periods of network congestion,
particularly over a WAN.
Configuring PCoIP image quality levels allows you to adjust the
following values:
Minimum Image Quality
The PCoIP Image Quality Levels policy controls how PCoIP renders images during periods of
network congestion. PCoIP Image Quality Levels includes the following three key settings:
Minimum Image Quality: Use this setting to balance the image quality and frame rate for
limited bandwidth scenarios. The default value for this setting is 50. You can specify a value
between 30 and 100.
A lower value allows higher frame rates but with potentially lower image quality display. A
higher value provides a higher image quality but with potentially lower frame rates when
network bandwidth is constrained.
When network bandwidth is not constrained, PCoIP maintains maximum quality regardless of
the value that you have specified for the Minimum Image Quality setting.
Maximum Initial Image Quality: Use this setting to reduce the network bandwidth peaks
that are required by PCoIP by limiting the initial quality of the changed regions of the display
image. The default value for this setting is 90. You can specify a value between 30 and 100.
A lower value reduces the image quality of content changes and decreases peak bandwidth
requirements. A higher value increases the image quality of content changes and increases peak
bandwidth requirements. A value of 90 or lower best uses the available bandwidth.
The unchanged regions of the image progressively build to lossless quality regardless of the
value specified for Maximum Initial Image Quality setting.
Maximum Frame Rate: Use this setting to manage the average bandwidth consumed per user
by limiting the number of screen updates per second. The default value for Maximum Frame
Rate is 30. You can specify a value between 1 and 120 frames per second.
A lower Maximum Frame Rate value uses less bandwidth but results in more jitter. A higher
value uses more bandwidth but reduces the jitter, which allows smoother transitions in fast-changing images, such as videos.
When these settings are disabled or not configured, the default values are used.
Total bandwidth dropped
from 10Mbps to 3Mbps.
The use case in this example is a live presentation by the chief executive officer of a company to all
employees. To the employees, the session appears similar to a YouTube playback. The objective is
to minimize the concurrent bandwidth demand without losing visual and audio fidelity. The
following settings were made:
The Maximum Image Quality remains at 50.
The Maximum Initial Image Quality is reduced to 70.
The Maximum Frame Rate is reduced to 18. For smooth perception, a minimum of 15-16
frames per second is necessary, so 18FPS is good.
The PCoIP session audio bandwidth limit is reduced from 500Kbps to 250Kbps, which is FM
quality.
The total bandwidth demand for each session dropped from 10Mbps to 3Mbps.
Imaging
Audio
Virtual channels
USB data
PCoIP control
The Maximum PCoIP Session Bandwidth policy setting specifies the maximum bandwidth, in
kilobits per second, in a PCoIP session. The Maximum PCoIP Session Bandwidth value includes
all imaging, audio, virtual channel, USB, and PCoIP control traffic.
Setting this value prevents the server from attempting to transmit at a higher rate than the link
capacity. You can set this value equal to the overall capacity of the link. For example, for a client
that connects through a 4Mbps Internet connection, set this value to 4Mbps, or 10 percent less than
this value.
You can set the Maximum PCoIP Session Bandwidth value between 0 and 1,000,000Kbps
(1Gbps). A value of 0Kbps specifies no maximum bandwidth constraint. The default Maximum
PCoIP Session Bandwidth setting value is 1,000,000Kbps (1Gbps). This setting applies to both the
server and the client.
When this setting is disabled or not configured, bandwidth is not constrained.
Ensure that the sum of bandwidth floors for all connections does not
exceed the network capacity.
The PCoIP Session Bandwidth Floor setting specifies the lower limit, in kilobits per second, for
the bandwidth that is reserved for a PCoIP session. This setting configures the minimum-expected
bandwidth transmission rate from the endpoint (client or server). When you use this setting to
reserve bandwidth for an endpoint, the user does not have to wait for bandwidth to become
available, which improves session responsiveness.
The default PCoIP Session Bandwidth Floor setting value is 0Kbps, which means that no
minimum bandwidth is reserved. You can set this value between 0 and 100,000Kbps (100Mbps).
When this setting is disabled or not configured, no minimum bandwidth is reserved.
While setting the PCoIP Session Bandwidth Floor value for different connections, you must
ensure that the sum of bandwidth floors for all connections in your configuration does not exceed
the network capacity.
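The ranges, defaults, audio bands and the floor-sum rule described in this module can be checked against a planned configuration before the group policy is rolled out. The following is an added example, not VMware code: the dictionary key names, the BRANCH_WAN pool and the session counts are assumptions made for illustration, while the numeric limits are the ones stated in the text.

```python
"""Pre-rollout sanity check for planned PCoIP policy values (added example)."""

# (low, high, default) exactly as stated in this module. The key names are
# hypothetical labels for this example, not the value names inside pcoip.adm.
RANGES = {
    "minimum_image_quality": (30, 100, 50),
    "maximum_initial_image_quality": (30, 100, 90),
    "maximum_frame_rate": (1, 120, 30),
    "max_session_bandwidth_kbps": (0, 1_000_000, 1_000_000),
    "session_bandwidth_floor_kbps": (0, 100_000, 0),
    "client_image_cache_mb": (50, 300, 250),
}
AUDIO_DEFAULT_KBPS = 500  # limit in force when the audio setting is not configured


def _is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)


def effective(policy, key):
    """Value in force for a key: the configured one, else the documented default."""
    return policy.get(key, RANGES[key][2])


def audio_tier(limit_kbps):
    """Map an audio bandwidth limit to the quality band described in the text."""
    if limit_kbps > 1600:
        return "uncompressed stereo"
    if limit_kbps >= 450:
        return "compressed stereo"
    if limit_kbps >= 50:
        return "FM radio to phone-call quality"
    return "possibly no audio"


def check_policy(policy):
    """Return a list of findings for one pool's planned settings (empty list = clean)."""
    findings = []
    for key, (low, high, _default) in RANGES.items():
        value = effective(policy, key)
        if not _is_int(value) or not low <= value <= high:
            findings.append(f"{key}={value!r} is outside {low}..{high}")
    audio = policy.get("audio_bandwidth_limit_kbps", AUDIO_DEFAULT_KBPS)
    if not _is_int(audio) or audio < 0:
        findings.append(f"audio_bandwidth_limit_kbps={audio!r} is not a valid Kbps value")
    elif audio < 50:
        findings.append(f"audio limit {audio}Kbps might result in no audio playback")
    if findings:
        return findings  # the relational check below needs in-range integers
    cap = effective(policy, "max_session_bandwidth_kbps")
    floor = effective(policy, "session_bandwidth_floor_kbps")
    # A cap of 0 means "no maximum", so only a non-zero cap can be undercut.
    if cap and floor > cap:
        findings.append(f"floor {floor}Kbps exceeds session maximum {cap}Kbps")
    return findings


def check_link(pools, link_capacity_kbps):
    """pools: list of (policy, concurrent_sessions). Returns (reserved_kbps, fits)."""
    reserved = sum(effective(p, "session_bandwidth_floor_kbps") * n for p, n in pools)
    return reserved, reserved <= link_capacity_kbps


# Constructed sample input. CEO_BROADCAST holds the settings that the live
# presentation use case in this module changes; BRANCH_WAN is invented.
CEO_BROADCAST = {
    "maximum_initial_image_quality": 70,
    "maximum_frame_rate": 18,
    "audio_bandwidth_limit_kbps": 250,
}
BRANCH_WAN = {
    "max_session_bandwidth_kbps": 3600,    # 4Mbps client link less 10 percent
    "session_bandwidth_floor_kbps": 200,
    "maximum_frame_rate": 150,             # deliberately out of range
}

if __name__ == "__main__":
    for name, policy in (("ceo", CEO_BROADCAST), ("branch", BRANCH_WAN)):
        print(name, check_policy(policy) or "ok")
    print("audio at 250Kbps:", audio_tier(250))
    # 60 concurrent branch sessions sharing a constructed 10Mbps WAN link.
    print(check_link([(BRANCH_WAN, 60)], 10_000))
```

Sixty sessions with a 200Kbps floor reserve 12,000Kbps, which is more than the 10,000Kbps link in the sample, so the floor has to be lowered or the session count reduced.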
Device communication
Presentation data from the server
Encrypted client mouse and keyboard data
Sound, drive, port, and network printer redirection
[Slide diagram: RDP channels between client and server: encrypted keyboard and mouse, video, sound, local disk drives, printer redirection, shared clipboard.]
RDP is a multichannel protocol that provides separate channels for different devices and types of
communication between the client (left side of graphic) and the RDP virtual channel server (right
side). The server converts the video display into rendering information that is sent over the network
to the client. On the client, the video data is converted into corresponding Microsoft Win32 graphics
device interface API calls.
Always use the latest version that is available for your operating system.
If you use Microsoft RDP display protocol, you must have Microsoft Remote Desktop Connection
6.0 or higher installed in the View desktop to have multimonitor support.
For a user to make a connection to a Windows computer, two requirements must be met:
The user must be a member of the built-in AD group called Remote Desktop Users. This
requirement exists even if only PCoIP is used because View Connection Server uses RDP.
The user must individually (or as a member in a group) be added to the Remote Users on the
Remote tab of My Computer properties of the virtual desktop.
One way to satisfy these requirements is to create a global group in the AD domain, named
something like ViewUsers. Then do the following steps:
1. Make the ViewUsers group a member of the built-in Remote Desktop Users group.
2. Add users who will be allowed to use View desktops to the ViewUsers group.
3. Add this group with the Select Remote Users button (Windows XP) or the Select Users
(Windows 7 or Windows Vista) button on the Remote tab of My Computer properties for the
virtual desktop system.
Alternatively, and more efficiently, use GPO Restricted Groups to populate the Built-in group rather
than doing it for each virtual machine.
Firewall Ports
Slide 4-47
Most Windows operating systems come with internal firewalls. After you have enabled a computer
to receive connections from remote desktops and installed View Agent, the ports should automatically
be opened for incoming traffic. The screenshot shows the Windows Firewall in Windows 7 and
Windows Vista.
Windows Firewall is included with Windows XP, but Windows Firewall is not enabled by default.
Windows Firewall can be accessed from the Advanced tab on the local network interface
properties.
You should not have to adjust the firewall settings on the desktop system, because the View Agent
automatically creates the appropriate rules. For example, View Agent creates a rule for the PCoIP
Server process (pcoip_server_win32.exe), so the exact port does not have to be known.
If you change domain membership after installing the client or agent, you lose the firewall rules
because Windows reapplies firewall policies configured for your domain.
PCoIP
RDP
Outline the steps to enable a desktop for remote access from View
Client.
List the ports that must be opened in the desktop's firewall for View
operations.
Lesson 3:
View Agent
Learner Objectives
Slide 4-50
Before you install the View agent, prepare the virtual desktops:
1. Create a virtual machine that you can use as a desktop template. Now is a good time to create
and test a template that is suitable for View Connection Server to use to automatically provision
full-clone desktops.
2. Install the latest version of VMware Tools.
3. Select a time-synchronization method appropriate for your environment and policies.
4. Join the virtual machine to the AD domain.
5. Disable Windows time synchronization if you choose to use VMware time synchronization.
This step is necessary because joining the domain in the previous step activates Windows Time
Service.
6. Install your standard application set. Tune your desktop for optimal performance as a View
desktop.
7. Enable Remote Connections to the desktop.
8. Patch systems so that they can be used as View desktops.
hardware:
Disk
Network
RAM
CPU
floppy drive
drive.
Plan your virtual machine's virtual hardware carefully. A great deal of performance gain can be
realized by setting the proper combination of disks, networking, RAM, and CPU.
Then install the supported operating system (Windows 7, Windows XP, or Windows Vista).
Disconnect the CD-ROM drive when the installation is complete. Remove any virtual hardware that
will not be used.
Time synchronization for virtual desktops is extremely critical. If you fail to synchronize all of your
desktops and your domain controllers, login authentication fails.
For information about time-synchronization practices, see VMware knowledge base article 1318 at
http://kb.vmware.com/kb/1318.
If you use VMware Tools to synchronize a virtual machine, remember that VMware Tools cannot
move the virtual machine's clock backward. It can synchronize only by moving the virtual machine
clock forward. Set the virtual machine time to a little behind the ESX/ESXi host and then enable
synchronization. The virtual machine synchronizes within 60 seconds.
In Windows 7:
1. Click Start.
2. Right-click Computer.
3. Select Properties.
4. Under Computer name, domain, and workgroup settings,
select Change Settings.
Do not just stop the Windows Time Service. Use the Registry editor to
make a permanent change:
Go to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.
Set Type to NoSync.
If you are synchronizing your virtual machine to the ESX/ESXi host, disable Windows time after
joining the domain (joining the domain enables Windows Time Service). This approach is the best
practice for a virtual machine. Although time synchronization is crucial, having both
synchronization strategies active is not a good idea. In Windows virtual machines, do not merely
stop or disable the Windows Time Service. Instead, make the change in the Registry. Open the
Registry Editor and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Look for the Type subkey and set it to NoSync (case-sensitive). NoSync means that the time service
does not synchronize with other time sources.
Now install your standard applications, such as Microsoft Office. You should also install all the
latest patches to your Windows operating system and to all applications.
Some environments use local GPOs. Setting GPOs in the domain is a best practice.
Virtual desktops perform better without screen savers and special desktop backgrounds. But if your
company mandates them, set them up.
After the operating system and applications are installed and the desktop is tuned, you enable remote
connections. You enable Remote Desktop in System Properties. The View Agent installer enables
Remote Desktop by default, but sometimes you might want to enable Remote Desktop manually.
Users should be members of the Remote Desktop Users group in order to use a remote display
protocol. But they also must be authorized for View. Under Remote Desktop Users, select Select
Users and specify the users. You can also specify groups as well as users.
Unlike Windows XP, Windows 7 and Windows Vista have multiple Remote Desktop settings. If you
have a mixed environment (not all Windows 7 or Windows Vista computers), it is best not to require
Network Level Authentication (NLA). Select Allow connections from computers running any
version of Remote Desktop (less secure), instead. But this configuration is vulnerable to man-in-the-middle attacks.
Begin your installation by running the installer file named VMware-viewagent-4.5.0-xxxxxx.exe or VMware-viewagent-x86_64-4.5.0-xxxxxx.exe, where xxxxxx is the build
number. The 32-bit version of the installer is used for the 32-bit versions of Windows 7, Windows
XP, and Windows Vista. The 64-bit version of the installer is used for the 64-bit version of
Windows 7.
Custom Setup
Slide 4-59
Several View features are installed during the View Agent installation. The screenshot shows the
default settings. All features except the support for smart cards with PCoIP will be installed. You
can change the default installation directory on this page.
USB Redirection is optional. It gives users access to locally connected USB devices on their
desktops.
USB redirection means that a user can plug a USB device into the client system and the virtual
desktop can access the device. USB redirection is also available for most thin clients. A USB device
that is present when View Client is started is visible to the virtual desktop.
View Composer Agent is necessary if linked-clone virtual desktops are deployed from this desktop.
Virtual Printing is strongly recommended because it enables seamless printing from a virtual
desktop to a printer that is accessible from the client device.
PCoIP Server is strongly recommended. This feature enables users to connect to the View desktop
with the PCoIP display protocol. A process that handles all display communication from and to the
View Client (pcoip_server_win32) is installed on the desktop system.
Installing the PCoIP Server feature disables sleep mode on Windows 7 and Windows Vista desktops
and standby mode on Windows XP desktops. When a user navigates to either the Power Options
menu or the Shut Down menu, sleep mode or standby mode is not an option.
PCoIP Smartcard must be installed if you intend to use smart cards with PCoIP. Smart-card support
with RDP is automatically installed.
View Persona Management synchronizes the user profile on the desktop with a remote profile
repository, so that users have access to their profiles whenever they log in to a desktop.
If Remote Desktop capability has not already been enabled, the View
Agent installer will request that you enable it now.
View Connection Server requires remote desktop access.
If Remote Desktop has not already been enabled, the View Agent requests that you enable it now.
View requires the Remote Desktop capability. If Remote Desktop has already been enabled, you will
not see this page.
Determine which network address the View Agent provides to the View
Connection Server for client connections.
In the Registry subkey:
HKLM\Software\VMware, Inc.\VMware VDM\Node Manager,
set the Subnet subkey to n.n.n.n/m, where:
n.n.n.n is the IP subnet
m is the number of bits in the subnet mask
Example:
For desktop systems with more than one virtual network interface, View Agent needs to know which
interface should be used. You must configure the guest operating system to use the correct subnet.
The interface that you configure determines which network address the View Agent provides to the
View Connection Server for client PCoIP or RDP connections. To configure the correct access,
create the following Registry subkey in the virtual machine on which the View Agent is installed:
HKLM\Software\VMware, Inc.\VMware VDM\Node Manager\Subnet
The Subnet subkey should have a REG_SZ value of n.n.n.n/m, where n.n.n.n is the IP subnet
and m is the number of bits in the subnet mask.
VMware VDM is the correct node name. This name is a legacy from a View predecessor.
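A mistyped Subnet value is easy to miss in a template that will be cloned many times, so it is worth checking the planned n.n.n.n/m string against the desktop's interface addresses first. This is an added example, not VMware code and not a description of how View Agent itself resolves the value; the function names and the interface addresses are constructed for illustration.

```python
"""Check a planned View Agent Subnet value against a desktop's interfaces (added example)."""
import ipaddress


def parse_subnet(value):
    """Parse n.n.n.n/m strictly and return an IPv4Network.

    Without the explicit "/" test, ipaddress would silently treat a bare
    address as a /32 network. strict=True rejects a host address such as
    10.20.30.15/24, where bits are set beyond the mask.
    """
    value = value.strip()
    if "/" not in value:
        raise ValueError(f"{value!r}: mask length /m is missing")
    return ipaddress.IPv4Network(value, strict=True)


def addresses_in_subnet(subnet_value, interface_addresses):
    """Return the interface addresses that fall inside the configured subnet."""
    net = parse_subnet(subnet_value)
    return [a for a in interface_addresses if ipaddress.IPv4Address(a) in net]


def review(subnet_value, interface_addresses):
    """Summarise the outcome: the single matching address, or why the value needs attention."""
    try:
        hits = addresses_in_subnet(subnet_value, interface_addresses)
    except ValueError as exc:
        return f"invalid: {exc}"
    if not hits:
        return "no interface in subnet"
    if len(hits) > 1:
        return "ambiguous: " + ", ".join(hits)
    return hits[0]


# Constructed sample: a desktop with one NIC on the desktop network and one
# on a separate network.
DESKTOP_NICS = ["10.20.30.41", "192.168.100.41"]

if __name__ == "__main__":
    for candidate in ("10.20.30.0/24", "10.20.30.15/24", "10.20.30.0", "172.16.0.0/24"):
        print(f"{candidate:16} -> {review(candidate, DESKTOP_NICS)}")
```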
Lab 2
Slide 4-62
In this lab, you will install the View Agent in a Windows XP desktop.
1. Create a vCenter Server resource pool for View desktop pools.
2. Prepare the Windows XP desktop.
3. Install the View Agent.
4. Establish a Remote Desktop Connection to the virtual desktop.
Lesson 4:
Manual Pool Deployment and Entitlement
Learner Objectives
Slide 4-65
Windows Vista.
2. Install required service packs.
3. Install appropriate applications.
4. Enable remote desktop connections.
5. Join the domain.
Begin by creating a standard desktop for the pool. Install all of your standard applications. (If you
have a gold master template for a desktop, use it to deploy this virtual machine.) Enable remote
desktop connections. (You might have to authorize individuals or groups to be remote desktop users.)
Join the domain and then install View Agent. Joining the domain and installing as a domain
administrator ensures that all GPOs are executed. Finally, make any changes, such as local policies
or performance customizations.
Your virtual machine might have more than one network adapter. If so, you should connect the
network adapters to the proper virtual networks in the correct order. Although you might have more
than one adapter, all of them must receive IP addresses through DHCP.
After you finish configuring your virtual machine, remove it from the domain and power it off.
Why join the virtual machine to the domain, only to remove it? You must verify that the domain join
has no problems before you use this virtual machine as a template or desktop.
If you have a virtual machine that is suitable for automatic provisioning in an automated pool, now
would be a good time to create a template.
Convert the new virtual machine to a template. If you clone the virtual machine to a template, store
it in normal format instead of compact format. Although the compact format requires less space, it
takes more time to deploy a virtual desktop.
A customization specification must exist for automatic desktop provisioning. You can create one
directly in the VMware vSphere Client. Or you can create one during the deployment of a
virtual machine from the template. Configure the following in your customization:
1. Set the computer name to the virtual machine name.
2. Enter the Microsoft Windows volume license key. If you do not enter it, Windows will require it
on the first power-on, which makes the virtual machine difficult to use in a View pool.
3. Enter a password for the administrator account. But do not log in automatically as
Administrator. If anyone is logged in to this virtual machine when it powers on, it will not be
available for connection to a View client.
4. Use typical network settings. DHCP should be used.
5. Join the AD domain automatically. You must include a user name and password in the
customization that has the authority to join the computer to the domain.
6. Generate a new security identifier. A unique SID is not required by View. If you are creating
full-clone desktops, as in this example, an SID should be created. Without the SID, you might
have problems joining the desktops to the domain, especially with Windows XP virtual
machines.
7. Save the customization specification.
Delete existing local user accounts. All logins in View are done through the AD domain. Local user
accounts cannot be used.
customization specification.
2. Confirm that the new virtual machine:
Successfully deploys
Automatically joins the AD domain
Is registered in the DNS forward and reverse zones
creating a manual pool.
Now you have:
Deploy a new virtual machine from the template using the new customization specification. This
step ensures that the template and specification are both valid.
After the virtual machine is deployed, confirm the following:
Does the virtual machine successfully deploy? Can you power it on and log in? (As part of the
customization process, you have to wait until the virtual machine finishes the Sysprep process
before you can log in.)
Did the virtual machine properly join the AD domain? If you can, log in to the domain
controller and review AD Users and Computers under Computers. Is this virtual machine now
listed? Go to the DNS management tool. Is this virtual machine listed in both the forward and
reverse zones?
Test the virtual machine as a View desktop. Use the View Administrator to create a manual pool
with this virtual desktop. You must entitle it for a test user or test group. Then power it on and see
whether you can access it from View Client.
https://FQDN of View_Connection_Server/admin
Main steps:
1. Start the Add Pool wizard.
After you have confirmed that the virtual machine is suitable as a virtual desktop, you can create a
manual pool.
You must explicitly select existing desktops for a manual pool. A manual pool can contain a single
desktop or many desktops. A manual pool is the easiest type of pool to set up.
View Connection Server provisions desktops in an automated pool. The number that can be
provisioned is configured in the Add Pool wizard. A template is used to provision full-clone
desktops in an automated pool. If linked-clone desktops are deployed in an automated pool, a parent
virtual machine is used as the anchor for all linked clones.
A pool is configured in View Administrator. Use a browser to access View Administrator at
https://FQDN of View_Connection_Server/admin. Log in with your View administrator credentials.
The Add Pool wizard requests various parameters that are used to configure the pool.
2. Specify desktop and pool parameters, such as the unique identifier and
vCenter Server system.
Set up your first manual pool. In the left navigation pane, select Inventory > Pools to open the
Pools pane. Click the Add link to start the Add Pool wizard.
Pool definition:
Services Pool).
2. Determine how desktop assignment will occur.
3. Select whether desktops are managed by vCenter Server.
4. Select the vCenter Server instance, if desktops are managed.
Settings:
protocol.
3. Select the desktops to add to the pool.
4. Review and accept the pool configuration.
The Add Pool wizard proceeds through several pages that request configuration information and
parameters. The pages are grouped into pool definition pages and pages that configure the pool
settings.
The Add Pool wizard begins by presenting options for three types of pools:
Automated Pool: A pool that contains one or more dynamically generated desktops that are
automatically created and customized by View Connection Server from a vCenter Server virtual
machine template. Another option is to use View Composer to deploy linked clones. Desktops are
provisioned automatically.
Manual Pool: A manual desktop pool provides access to a set of virtual machines, physical
computers, or blade PCs. Multiple users can be mapped to multiple desktops. A desktop can have
only one active user at a time. Desktops are not provisioned automatically. Virtual machines that are
managed by a vCenter Server instance are called managed desktop sources. Virtual machines that
are not managed by vCenter Server (for example, machines that are managed by VMware Server),
physical computers, and blade PCs are called unmanaged desktop sources.
Terminal Services Pool: A pool of terminal server desktop sources that are served by one or more
terminal servers. A terminal server desktop source can deliver multiple desktops.
You select how the desktop will be assigned to a user on the User Assignment page. The assignment
type applies to either an existing desktop in a manual pool or a provisioned desktop in an automated
pool. If the desktop is to be used by only one user, select Dedicated. If the desktop can be used by
multiple users, select Floating. A floating desktop can be used by only one user at a time.
If the desktops are dedicated desktops, you have the option of assigning desktops to specific users or
allowing the system to make the assignment on a first-come, first-served basis. For example, you
might assign a specific desktop to a specific user if a desktop has unique applications, databases,
files, or capabilities.
Desktops in a manual pool must already exist. They can be vCenter Server virtual machines
(managed systems) or other types, such as physical systems or virtual machines from other
hypervisor systems (unmanaged systems). In this case, the existing virtual machines were created
through the vSphere Client, so accept the default option, vCenter virtual machines.
Select the vCenter Server instance that will control this virtual desktop.
Each virtual desktop can be managed by only a single vCenter Server instance.
Select the vCenter Server instance that will manage this virtual desktop. View Connection Servers
can use multiple vCenter Server instances. Each individual virtual desktop can be managed by only
a single vCenter Server instance.
You must uniquely identify the pool to View Connection Server and the users. Create two names:
ID: Visible only to users of the vCenter Server system and View Administrator
Display name: Visible to users as a selection option when they log in to the View Connection
Server from View Client
Both names are alphanumeric: they can be composed of uppercase and lowercase letters, the digits
0-9, the hyphen, and the underscore. Other symbols are not allowed.
The screenshot shows all the options for desktop settings for individual desktops and automated
pools. Each of the panels shown is discussed in the next pages:
General: Determines the initial state of the deployed desktop. Connection Server
restrictions enables the View administrator to restrict user access to pools that are associated
with specific View Connection Servers. This option is discussed in a later module.
Remote Settings: Determines what View Connection Server should do when the virtual
desktop is not in use and whether to allow users to reset their desktops. These settings are called
remote settings because they refer to the online virtual desktops, not desktops running in local
mode with View Client with Local Mode.
Remote Display Protocol: Determines which remote display protocol is to be used between
the desktop and client and its configuration.
Adobe Flash Settings for Remote Sessions: Allows the View administrator to control the
bandwidth consumed by Adobe Flash objects.
The slide is an introductory slide. Refrain from describing all the options, because they are detailed in later slides.
Mention the four panels. Note the default settings for PCoIP and allowing the user to select the protocol.
You must specify the general settings for the desktop and the settings that control the virtual desktops.
These settings can be changed after the desktop or pool has been created. For now, you will use
Enabled and Take no power action when the virtual machine is not in use. A disconnect from
the desktop will never automatically log out the user.
If you want to allow users to reset their desktops, select Yes, as shown on the slide. This option is set
to No by default. If the option is enabled, the user can select Reset Desktop in the desktop menu bar
for the active virtual desktop.
You can select a default display protocol for the user and choose to give the user the option to
change it and to modify the monitor parameters. PCoIP, highlighted in the drop-down menu, is the
user's default.
When would you want to give the user a protocol choice? This option would be necessary if, for
example, a user accesses a desktop in the corporate network with PCoIP but occasionally needs to
connect through a security server, which requires RDP.
If you plan to use 3-D applications like Windows Aero themes or Google Earth, you must enable the
Windows 7 3D Rendering option. This option is available only with vSphere 5.0 or later. Your
Windows 7 View desktop must have virtual hardware version 8 enabled for 3-D rendering to work.
Windows 7 3D Rendering is a graphics feature that is not hardware-accelerated. This feature enables
you to run DirectX9 and OpenGL 2.1 applications without requiring a physical graphics processing
unit (GPU).
Multimonitor configurations:
Max number of monitors: Select the maximum number of monitors on which users can
display the desktop. You must power off and then power on existing virtual machines for this
setting to take effect.
Resolution of each monitor: Select the pixel dimensions of the highest resolution monitor.
You must power off and then power on existing virtual machines for this setting to take effect.
Different timings are possible for the video, but audio quality is not
affected.
Settings can be for an entire pool or a single desktop.
You can reduce the amount of bandwidth used by Adobe Flash content that runs in PCoIP and RDP
desktop sessions. This reduction can improve the overall browsing experience and make other
applications running in the desktop more responsive.
Adobe Flash content is common:
Flash-embedded video: Users want Flash video movies (for example, YouTube videos).
Flash animation: Users want Flash animations commonly found on Web sites.
Interactive Flash: Users want interactive Flash animations such as training material.
The bandwidth demand from Adobe Flash content can be reduced without significantly degrading
the level of user experience. Audio quality is independent of the video and is not affected.
Generally, PCoIP performs well without the bandwidth reduction parameters for Adobe Flash. But if
the parameters are configured, PCoIP observes them.
Adobe Flash bandwidth reduction is available for Internet Explorer versions 8 and 9 for Adobe
Flash versions 9 and 10 over PCoIP and RDP sessions. Also, to make use of Adobe Flash bandwidth
reduction settings, Adobe Flash must not be running in full-screen mode.
The Internet Explorer plug-in that handles the bandwidth reduction can be viewed through the
Internet Explorer add-on manager. The plug-in is listed as VMware Adobe Flash Optimizer.
When Internet Explorer starts, and is running in the RDP session, the Adobe Flash optimization
mode is enabled. Otherwise, the optimization is not applied.
The Registry settings for both Adobe Flash throttling and quality:
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Adobe Flash Optimizer\FlashThrottling
Possible values are 0 (default: use the settings from content provider), 2 (low), 3 (medium), and
4 (high).
The content creator has the option to make available different qualities
of the Flash presentation.
View administrators can limit the quality, and therefore the bandwidth,
through View Administrator.
The Adobe Flash quality is set by the content creator, and different quality levels might be available.
You can specify a maximum allowable level of quality for Adobe Flash content that overrides Web
page settings. If Adobe Flash quality for a given Web page is higher than the maximum level
allowed, quality is reduced to the specified maximum. Lower quality results in greater bandwidth
savings.
If no maximum level of quality is specified, the system defaults to a value of low.
Adobe Flash uses timer services to update what is displayed on the screen at a given time. A typical
timer interval value for Adobe Flash is 4-50 milliseconds. Adobe Flash Throttling determines the
frame rate of Adobe Flash movies. If you enable this setting, you can reduce or increase the number
of frames displayed per second by selecting an aggressiveness level. By throttling, or prolonging,
the interval, you can reduce the frame rate and thereby reduce bandwidth. The available throttling
settings:
Disabled: Adobe Flash content throttling is disabled. The timer interval is not modified.
Conservative: Timer interval is 100 milliseconds. This setting results in the lowest number of
dropped frames.
Moderate: Timer interval is 500 milliseconds.
Aggressive: Timer interval is 2,500 milliseconds. The setting results in the highest number of
dropped frames.
Except in disabled mode, audio speed remains constant, regardless of the throttling mode.
Adobe Flash quality limits and throttling are disabled if the content is displayed in full-screen mode.
Depending on the Adobe Flash settings, the user might see low
playback quality.
When the user moves the pointer into the Adobe Flash content area,
the display quality improves.
When the user moves the pointer out of the Adobe Flash content
area, bandwidth reduction returns and quality can be affected.
When the user double-clicks in the Adobe Flash content area, the
user permanently cancels the throttling for this object.
By moving the pointer, a user can override Adobe Flash content display settings.
Depending on how Adobe Flash settings are configured, the user might notice dropped frames or
low playback quality in Internet Explorer:
When the user moves the pointer into the Adobe Flash content while it is playing, the display
quality is improved while the pointer remains in the Adobe Flash content.
The user can keep the improvement in quality by double-clicking in the Adobe Flash content.
But refreshing the Web page reactivates the bandwidth optimization.
The Pool Settings page of the Add Pool or Edit Pool wizard enables View administrators to set the
Adobe Flash settings. On the slide, the drop-down menu options are shown for both the quality and
throttling settings.
The following Adobe Flash render-quality modes are available:
Do not control: Quality is determined by Web page settings.
Low
Medium
High
As discussed earlier, the following throttling modes are available:
Disabled: No throttling is performed.
Conservative: Timer interval is 100 milliseconds.
Moderate: Timer interval is 500 milliseconds.
Aggressive: Timer interval is 2,500 milliseconds.
You now select the desktop, which should be the virtual machine that you have already created. For
the virtual machine to be included in the virtual machine list, it must meet the following criteria:
It must be managed by the vCenter Server instance that you selected earlier.
It must have the View Agent installed.
Virtual machines that are already in the pool do not appear in the list. You can add existing machines
to an existing manual pool by using the Edit Pool wizard and selecting the new desktops on this
page.
After reviewing the summary, click the Finish button to complete the wizard sequence.
Pool is present, but no users are entitled yet to use the desktops.
The manual pool is now displayed in the Pools inventory. But desktops in the pool cannot be used
until the pool is entitled. Entitlement enables View administrators to specify which users or groups
are allowed to connect to this desktop. Unless a user is entitled to connect, the pool does not appear
in the list of available desktops when the user starts View Client.
1. Select the virtual desktop to highlight it, which activates the links.
2. Click Entitlements.
Select the pool (anywhere in the row) to highlight it and click the Entitlements link.
The ID (in this case, Payroll-XP) is a link and is highlighted in blue. Clicking the ID opens a detail
pane for that pool.
1. In the Entitlements dialog box, click Add. The default is to find Users
and Groups.
2. (Optional) Narrow search.
both.
Click Add in the Entitlements window to begin adding users or groups or both. A new window
opens (shown in the slide) to help you find users or groups to entitle to this pool.
The Domain box enables you to narrow the search if you have multiple AD domains.
You can use the Name/User name box, the Description box, or both to find users and groups.
When a list of users or groups is displayed, click the ones that you want to entitle. You do not have
to use the Control key or Shift key as you select or deselect users or groups.
When you have finished, click the OK button.
The entitled users are now displayed on the Entitlements page. This example shows a pool with a
group entitled to use it. Desktops are like physical PCs: a single individual can be assigned to an
individual desktop (a dedicated desktop). But you might want more than one person to share a single
virtual desktop at different times (a floating desktop), for example, people who work on different
shifts. Multiple users can use this desktop, but only one user at a time.
You can also entitle a single user to use multiple desktops.
Pool Is Entitled
Slide 4-92
Physical systems:
Blade PCs
Desk-side servers
Virtual systems:
Enterprises use a mix of physical PCs, server-based desktops or applications that are published using
Microsoft Terminal Services, virtual desktops, and blade PCs. Users requiring access to more than
one platform must use several interfaces. View provides a consistent interface to users. Users can
access desktops that are delivered by multiple back-end systems.
PCoIP requires a Teradici host card.
Chooses the terminal server that has the least number of active sessions
A Terminal Services pool is a pool that has one or more terminal servers.
A pool that includes terminal servers has the following characteristics:
Least-session-count-based load balancing: View Connection Server load-balances connection
requests across terminal servers in a pool by choosing the terminal server that has the least
number of active sessions on it.
The View administrator entitles the entire pool to users or user groups.
View administrators should deploy a roaming profile solution to enable user settings and
personalization to be propagated to the currently accessed desktop.
An example use case: Multiple users needing access to applications compatible with Terminal
Services (for example, Microsoft Office). Using Terminal Services results in a higher number of
users served per hardware unit. Moreover, fewer copies of the applications have to be upgraded or
patched.
Although View supports Terminal Servers, VMware does not encourage their use, because of the limited flexibility
and exclusive use of RDP.
Each unmanaged desktop must meet certain criteria before the View Agent can be installed and the
desktop can be added to a manual pool. The requirements are:
The desktop source must be reachable by View Connection Server. Otherwise, the desktop
cannot be contacted.
As necessary, the appropriate display protocol must be enabled. If the desktop source is a
physical system and PCoIP is to be used, a Teradici card must be installed and configured.
The operating system that is running on the desktop must be a supported version.
The desktop must be a member of the same AD forest as View Connection Server, but it does
not have to be in the same domain.
Remote access must be enabled on the unmanaged desktop so that users can connect to the desktop.
Local Administrator
Installing View Agent on a physical machine or on a terminal server is nearly identical to installing
the View Agent on a virtual machine. The differences are:
The View Composer Agent cannot be installed, which is logical because an unmanaged system
cannot be a linked clone.
You must enter the connection server's FQDN or IP address so that View Agent can explicitly
register the physical system with the View Connection Server.
The Register with View Connection Server window prompts you to enter the FQDN of the View
Connection Server (either the standard or a replica instance). You must also provide administrator-level
authentication credentials. The installation on the slide was started after logging in as local
Administrator, so it can be authenticated with the currently logged-in user.
You are not prompted for the View Connection Server address when installing View Agent on a
virtual machine that is managed by vCenter Server. vCenter Server can provide the DNS name and
IP address of the virtual desktops to View Connection Server.
Lab 3
Slide 4-98
In this lab, you will create a desktop virtual machine from a template
and entitle it.
1. Clone a Windows XP virtual machine to a template.
2. Modify the customization specification that will be used to clone
Windows XP desktops.
3. Deploy a second Windows XP desktop virtual machine from the
template.
4. Confirm correct deployment of the virtual machine.
5. Create two manual pools, each with one desktop virtual machine.
6. Entitle the manual pools.
Key Points
Slide 4-100
View supports Terminal Services, physical PCs, blade PCs, and other
systems that are not managed by vCenter Server.
View provides a uniform user interface for all back-end systems
(desktops and sessions).
MODULE 5
View Client Options
Course Introduction
Introduction to View
Local-Mode Desktops
VMware ThinApp
Importance
Slide 5-3
VMware View Client, View Client with Local Mode, or a thin client
can be used to access View desktops. In each case, the client must
be properly configured. Failure to correctly configure the client will
prevent connecting to the desktops.
Module Lessons
Slide 5-4
Lesson 1:
View Client
Lesson 2:
Lesson 1:
View Client
Learner Objectives
Slide 5-6
All models of Apple iPad 1 and iPad 2 with iOS 4.2 or later
Users run the VMware View Client to connect to their View desktops. You must install View
Client or View Client with Local Mode on a supported operating system.
The client software for accessing View desktops runs either on a Windows or a Mac PC as a native
application or on a thin client system from VMware partners.
View Client is also available for Android-based tablets and Apple iPads. View Client can be
installed on Android-based tablets that run on the Android 3.0 or later operating system. Cisco Cius
tablets support View Client even though they run on the Android 2.2 operating system. View Client
is also available for Apple iPads that run on iOS 4.2 or later.
View Client with Local Mode is a version of View Client that allows users to download virtual
desktops and use them on their local systems. Users can run the local-mode desktop regardless of
whether they have a network connection.
View Client with Local Mode is supported only on Windows systems and only on physical client
systems. To use the feature, your VMware license must include View Client with Local Mode.
A thin client runs a trimmed version of an operating system for the purpose of connecting to other
computers. A new option is a zero client, which uses a firmware version of an operating system. The
operating system initializes the network, begins the networking protocol, and handles the display of
the virtual desktop's output. Many zero clients support PCoIP directly.
client system.
View Client is the software that allows a physical desktop to access a virtual desktop in the View
system. The client software must be installed on any system that will be used to access View
desktops. The steps to install View Client include:
1. Begin your installation by selecting the appropriate installer file that came with the View
package: VMware-viewclient-x86_64-4.5.x-xxxxxx or VMware-viewclient-4.5.x-xxxxxx.exe. The same software is used on Windows 7, Windows XP, and Windows Vista.
If you do not want users to access locally connected USB devices through their View
desktops, deselect USB Redirection. USB redirection does not work if the USB
Redirection component was not installed by View Agent on the View desktop.
If you want to require all users to provide identity and credential information to log in to a
View Connection Server and again to access a View desktop, deselect Log in as current
user.
If smart-card authentication is set to Required on View Connection Server, users who
select the Log in as current user check box must still reauthenticate with their smart card
and PIN.
3. You are given the option of setting a default View Connection Server during View Client
installation. Preconfiguring the fully qualified domain name (FQDN) of the connection server
saves time when you open View Client the first time to connect to the connection server. If you
do not set the FQDN, you are prompted for it when View Client starts. You can change the
default FQDN at any time.
4. Select the default login behavior for the user of View Client. The options are discussed on the
next slide.
Select the default action for logging in as the current user on the
client system.
If you chose to install the Log in as current user feature, you can further configure the default
behavior when a user logs in using View Client:
Select Show in connection dialog to display the Log in as current user option in the View
Client connection dialog box. When the option is selected, the user's login identity and
credential information is passed to the View Connection Server and ultimately to the View
desktop. If the client system is not a member of the domain, the user does not see the Log in as
current user check box.
Select Set default option to login as current user to make the Log in as current user check
box selected by default in the View Client connection dialog box.
When View Client users select Log in as current user, their login credentials are used to authenticate
to the View Connection Server and to the View desktop. No further user authentication is required.
To support logins as the current user, user credentials are stored on both the View Connection Server
instance and the client system.
On the View Connection Server instance, user credentials are encrypted and stored in the user
session with the user name, domain, and optional UPN. The credentials are added when
authentication occurs and they are purged when the session object is destroyed. The session object is
destroyed when the user logs out, the session times out, or authentication fails. The session object
resides in volatile memory and is not stored in Active Directory Application Mode (ADAM)/AD
Lightweight Directory Service (AD LDS) or in a disk file.
On the client system, user credentials are encrypted and stored in a table in the Authentication
Package, which is a component of View Client. The credentials are added to the table when the user
logs in and are removed from the table when the user logs out. The table resides in volatile memory.
The Log In as Current User feature requires that the primary DNS suffix portion of the client
computer's FQDN be the same as the name of the Active Directory (AD) domain that the client
computer belongs to.
User prerequisites:
Before the client can be used to access a View desktop, the desktop must authorize Remote Desktop
access. In addition, remote users or groups must be specifically authorized.
A user can be a member of a group that is specifically entitled to connect to a virtual desktop. But
the user must also be a member of Remote Desktop Users, either as an individual or as a member of
a group, such as the AD Remote Desktop Users group. The group must be a domain global group.
You can select Autoconnect to save the View Connection Server information to make future
connections easier. The dialog box is skipped when the View Client is next started.
View Client displays a security message every time that it attempts a connection with View
Connection Server. The security message states that View cannot verify the identity of the View
Connection Server IP address. You must select Continue to allow View Client to connect to the
View Connection Server. The connection that is then established between View Client and View
Connection Server is not secure.
A self-signed certificate for View Connection Server connection to View Clients is included with
View. The security message is displayed when the client attempts to connect with the View
Connection Server. You may ignore the security message and allow the client to establish
connection with View Connection Server. However, a self-signed SSL certificate can allow
untrusted parties to intercept traffic by masquerading as the organization's server. The organization
should create a CA-signed certificate.
Enter the FQDN or IP address of the View Connection Server. Leave Port blank, unless the View
Connection Server was set to use a different port. Use SSL by default. Whether SSL is used to
connect to View Connection Server is configured in Inventory > Global Settings in View
Administrator. The option is Require SSL for client connections and View Administrator and it
is enabled by default.
A security message is not displayed with CA-signed certificates. Also, with CA-signed certificates
the data is secure and not prone to interception from untrusted parties.
More details about View Client SSL configuration are discussed on the next slide.
If the Require SSL for client connections and View Administrator global
setting in View Administrator is enabled, View Client verifies the SSL
certificate when the user connects to View Connection Server.
A group policy setting can force verification, warn the user, or omit the
verification.
This version of the dialog box is displayed because the Group Policy
object (GPO) is not installed.
A group policy setting can be configured to allow users to view the selected certificate verification
mode in View Client but not configure the setting. The SSL configuration dialog box informs users
that the administrator has locked the setting.
When the group policy setting is not configured or is disabled, View Client users can configure SSL
and select a certificate verification mode. The user sees what is shown on the slide. The choices for
the user are:
Reject the unverifiable connection: Enforces the presence of a valid certificate.
Warn if the connection may be insecure: The default setting. As shown on the previous
slide, the dialog box is displayed and the user must click Continue to proceed.
Allow the unverifiable connection: Allows connections even if the connection might be
compromised. If the connection is to a security server, rather than a connection server, the
option must be selected. The default option is valid only for connections to a connection server.
View Client performs certificate checking if you have selected the Require SSL for client
connections and View Administrator global setting in View Administrator.
If the Group Policy object (GPO) is installed, you can select one of these modes in the group policy
setting. The user cannot override the setting.
Full Security: If any type of certificate error occurs, the user cannot connect to View
Connection Server. View displays certificate errors to the user.
Warn But Allow (default value): When the following server certificate issues occur, a
warning is displayed, but the user can continue to connect to View Connection Server:
  A self-signed certificate is provided by View. In this case, it is acceptable if the certificate
  name does not match the View Connection Server name provided by the user in View
  Client.
  A verifiable certificate that was configured in your deployment has expired or is not yet
  valid.
If any other certificate error condition occurs, View displays an error message and
prevents the user from connecting to View Connection Server.
No Security: View does not perform certificate checking.
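The three group policy modes described above, modelled as a decision function. This is an added example, not code from VMware View; the error labels, the outcome strings, and the handling of several errors at once are assumptions.

```python
from enum import Enum


class Mode(Enum):
    FULL_SECURITY = "Full Security"
    WARN_BUT_ALLOW = "Warn But Allow"  # the default value
    NO_SECURITY = "No Security"


class CertError(Enum):
    # Hypothetical labels for the conditions the text names.
    SELF_SIGNED_VIEW_DEFAULT = "self-signed certificate provided by View"
    NAME_MISMATCH = "certificate name does not match the server name"
    EXPIRED = "verifiable certificate has expired"
    NOT_YET_VALID = "verifiable certificate is not yet valid"
    OTHER = "any other certificate error"


def decide(mode, errors):
    """Return 'connect', 'warn', 'block' or 'connect-unchecked'."""
    errors = set(errors)
    if mode is Mode.NO_SECURITY:
        # No checking is performed, so errors are never seen.
        return "connect-unchecked"
    if not errors:
        return "connect"
    if mode is Mode.FULL_SECURITY:
        # Any type of certificate error prevents the connection.
        return "block"
    # Warn But Allow: only the listed issues may be continued past.
    tolerated = {
        CertError.SELF_SIGNED_VIEW_DEFAULT,
        CertError.EXPIRED,
        CertError.NOT_YET_VALID,
    }
    # A name mismatch is acceptable only with the View self-signed certificate.
    if CertError.SELF_SIGNED_VIEW_DEFAULT in errors:
        tolerated.add(CertError.NAME_MISMATCH)
    # Assumption: every error present must be tolerated for the warning path.
    return "warn" if errors <= tolerated else "block"


def modes_that_block(errors):
    """Names of the modes under which these errors stop the connection."""
    return [m.value for m in Mode if decide(m, errors) == "block"]


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, "->", decide(mode, [CertError.SELF_SIGNED_VIEW_DEFAULT]))
```

Only Full Security stops a user from continuing past the default self-signed certificate, the case in which the earlier interception warning applies.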
Enter your authentication information, which must be for the AD domain user account that you are
going to use to access the virtual desktop. The user principal name (UPN) format of
username@domain is also accepted in User name. In the example, the UPN would be
viewuser01a@vmeduc.com.
The dialog box is immediately displayed if you chose Autoconnect the first time you started the
View Client (shown on the previous slide). To change the default View Connection Server, click
Cancel to return to the first dialog box.
The connection between View Client and View Connection Server is not secure. This state is
visually confirmed by a red line that overstrikes https in the View Connection Server FQDN.
Users can be entitled to multiple desktops. But even if they only have a single desktop, they must
still select it and click Connect (unless they have specified automatic connection to the desktop at
startup).
The Display drop-down menu allows the user to preset the size of the window that will display the
remote desktop. The user selects Multimonitor if PCoIP is the display protocol and he or she has
multiple monitors at the client system. Up to four monitors are supported. The number allowed is
controlled by the View administrators in the Desktop/Pools Settings dialog box when they add an
individual desktop or an automated pool.
As the View Client connects for the first time, you might get a warning from Windows Firewall. If
so, unblock the firewall or examine the open ports and make adjustments. The View Client opens all
necessary ports during installation, but the firewall settings might have been reset because of other
activities in the client system.
An error message is displayed if the virtual desktop is already in use. Before it can be used by you,
the other user must log out, including users who have logged in from the remote console on the
VMware vSphere Client.
You must be entitled to at least one pool of desktops. A message saying that you are not entitled to
use the system is displayed if you are not entitled to any pools. Even a domain administrator account
receives the message unless the pool is specifically entitled through View Administrator.
All View users should already be in the domain global group Remote Desktop Users. A user must be
specifically authorized, or be a member of a group that is specifically authorized, as a Remote
Desktop User.
Login Successful
Slide 5-17
The desktop has an image as wallpaper for contrast. The recommendation is to use a plain,
single-color wallpaper to improve performance.
Menu Bar
Slide 5-18
Slide callouts: desktop display name, desktop options, USB devices
After the remote desktop window has opened, a menu bar is displayed at the top of the window. The
menu bar can be locked or set to auto-hide by clicking the push pin in the left corner. The menu bar
contains the following elements:
The display name that is assigned to the desktop.
The Options menu, which has the following items:
  Help: Opens a browser window to online documentation.
  Support Information: Displays product, host, and connection information for this
  session. The option also allows you to collect and bundle extensive information that can be
  forwarded to VMware Support.
  About VMware View Client: Displays information about the version of View Client.
  Switch Desktop: If you have more than one desktop open at a time, you can switch
  between them.
  Autoconnect to this Desktop: Whether autoconnect is available depends on the type of
  desktop. The variations are discussed later in the course.
  Send Ctrl-Alt-Delete: Sends the key combination to the desktop. The client machine
  itself intercepts the key combination when it is entered at the keyboard.
  Reset Desktop: The user can reset the desktop if the View Administrator has granted the
  right in the Pool Settings page.
  Disconnect or Disconnect and Log Off: Gives the user the choice of disconnecting but
  leaving the desktop logged in or of disconnecting and logging out.
The Connect USB Device menu, which is discussed on a later slide.
The Connect USB Device option allows users to select USB devices.
Administrators can configure the ability to use USB devices, such as thumb flash drives and
printers, from a View desktop. The feature is called USB redirection. The drivers for the USB
devices that a user accesses must be preinstalled on the desktop image.
When you use the feature, most USB devices that are attached to the local client system become
available from a menu in the View Client. You use the menu to connect and disconnect the devices.
Multiple devices can be connected and in use at one time. All available USB devices on the client
system can be connected to the desktop after user identification. USB devices can also be connected
to the desktop when they are plugged in to the client system.
USB devices that do not appear in the menu, but are available in a View desktop, include smart card
readers and human interface devices such as keyboards and pointing devices. The View desktop and
the local computer use these devices at the same time.
The feature has the following limitations:
When you access a USB device from a menu in the View Client and use the device in a View
desktop, you cannot access the device on the local computer.
USB redirection is not supported on Windows 2000 systems or for View desktops sourced from
Microsoft Terminal Servers.
On the virtual desktop menu bar, click Connect USB Devices. The first option in the menu is
whether to autoconnect USB devices to the desktop. Two types of automatic USB redirection are
available:
Automatically redirecting all devices upon connection to a desktop
Automatically redirecting an inserted device to the current desktop, which is the desktop in the
foreground window
The list of available devices is also displayed. Select the device that you want to use. The device is
loaded into the virtual desktop. The process can take up to 20 seconds. The first time the desktop is
connected to the device, drivers might be installed.
In the middle screenshot, you see the message that is displayed if a user is authorized and the
software is enabled but no devices are present.
In the bottom screenshot, you see the message that is displayed if the View administrator has
disabled the use of USB devices.
support for up to four monitors
monitor pivot support
2560x1600 resolution per monitor
variable resolution per monitor
Clear Type font support
32-bit color
View with PCoIP can support up to four monitors simultaneously. Each monitor can support a
resolution up to 2560x1600 and each supports Clear Type fonts. Clear Type fonts help improve the
appearance of text.
Monitor pivot enables monitors to be used in landscape (horizontal) or portrait (vertical) mode. The
orientation can be changed in real time.
Variable resolution per monitor allows simultaneous monitors to be set to different resolutions. With
support for up to four monitors, each monitor can be a different physical size and set to a different
resolution.
32-bit color provides the ability to reproduce true color images for up to 4.2 billion distinct colors
per pixel.
Session Disconnect
Slide 5-21
Disconnect:
You remain logged in. No one else can use the desktop.
Programs continue to run.
You log out. Other users can now use this desktop.
Disconnect: You stay logged in and any programs that you were running continue to run. No
one else (except for an Administrator) can connect to the desktop.
Even though you are still logged in, the virtual desktop is no longer available in the Switch
Desktop item. But you can reconnect from the View Client by selecting that desktop after you
log in to View Manager.
You can also reconnect to a disconnected virtual desktop through Remote Desktop Connection
(RDC).
Disconnect and Log Off: You log out, and now other users can use the desktop. Clicking the
Close button in the upper-right corner of the window also disconnects and logs you out of the
desktop.
Other disconnect options:
Click the close box in the upper-right corner of the desktop window. The action is equivalent to
selecting Options > Disconnect.
Select Start > Log off in the desktop. The action is equivalent to selecting Options >
Disconnect and Log Off.
To end your virtual desktop session, use one of the disconnect items on the Options menu:
The SSO timeout limit is set in minutes. The SSO time-limit counter starts when the user logs in to
View Connection Server.
When you configure the SSO timeout, you configure a time limit after which the user's SSO
credentials are no longer valid. For example, if you set an SSO timeout limit of 10 minutes, then
the user's SSO credentials are invalidated 10 minutes after the user logs in to View Connection
Server.
You configure the SSO timeout limit by setting a value in View LDAP. When you change View
LDAP on a View Connection Server instance, the change is propagated to all replicated View
Connection Server instances. For more details about setting up SSO timeout value in View LDAP,
see VMware View Administration at http://www.vmware.com/support/pubs.
On remote desktops, the new SSO timeout limit takes effect immediately. You do not have to restart
the View Connection Server service or the client computer.
By default, when a user logs in to View Connection Server from View Client, single sign-on (SSO)
is enabled. During the desktop session, the user can leave the desktop or allow it to become inactive.
The SSO timeout configuration ensures that when the user returns to the desktop, the user has to
authenticate the credentials again. The timeout reduces the risk of someone else using the desktop
while the user has left the desktop unattended.
View Portal
Slide 5-24
An expedient way of installing the View Client or View Client with Local Mode application is to
open a browser and go to the View Portal Web page. You can use View Portal to download the full
View Client installer for both Windows and Mac client computers. The download choices are
tailored to your client system. View Portal does not support Linux. A native client for Linux is
available only through certified VMware partners.
Internet Explorer can determine whether an upgrade is available. Firefox and Safari cannot. Also, in
the list of installers, Internet Explorer lists 32-bit installers if the client has a 32-bit system and lists
64-bit installers if the client has a 64-bit system. Firefox lists both 32-bit and 64-bit installers.
If the version available from View Connection Server is newer than that installed on the client
system, you can choose to upgrade. If the version is the same as that on the client device, View
Portal starts the View Client installed on the client computer.
For Windows clients, the information is made available by using the Registry in the remote desktop.
Third-party tools can be used to create custom scripts, such as to map local printers to devices at
login and reconnect. Details are held in Windows Registry keys for which you can set a GPO.
The information sent to the guest machine agent includes:
ViewClient_IP_Address: The IP address of the client device.
ViewClient_MAC_Address: The MAC address of the client device.
ViewClient_Machine_Name: The machine name of the client device.
ViewClient_Machine_Domain: The domain of the client device.
ViewClient_LoggedOn_Username: The user name of the user logged in to the client
device.
ViewClient_LoggedOn_Domainname: The domain of the user logged in to the client
device.
The View Client passes information about the client machine and the method by which the user
entered the View session to the remote desktop.
ViewClient_Type: The thin client name or operating system type of the client device.
ViewClient_Broker_DNS_Name: The DNS name of the connection server (broker).
ViewClient_Broker_URL: The connection server URL.
ViewClient_Broker_Tunneled: The tunnel status of the connection server. The value is
either true or false.
ViewClient_Broker_Tunnel_URL: If the broker tunnel status is true, the URL of the
tunnel.
ViewClient_Broker_Remote_IP_Address: The remote IP address of the client.
ViewClient_TimeOffset_GMT: The time offset from GMT, expressed as HH:MM.
From Mac and Windows laptops and PCs, end users open the View Client to display their View
desktop. Thin client devices use View thin client software and can be configured so that the only
application that users can start directly on the device is the View Client. Repurposing a legacy PC
into a thin client desktop can extend the life of the hardware by three to five years. For example, by
using View on a thin desktop, you can use a newer operating system such as Windows 7 on older
desktop hardware.
A thin client is typically a hardware terminal. Thin clients are low cost and designed to be centrally
managed. They have no CD-ROM drive and usually no hard disk. They are designed not to be
customized by the user. In many ways, they are ideal for giving users access to virtual desktops.
Wyse-P20
Through the View Client, View supports software-enabled devices like PCs, laptops, netbooks, and
thin clients. View also supports Teradici hardware-based endpoints. The Teradici hardware-based
endpoints are known as zero clients because they have no Windows or Linux operating system
resident. Zero clients have several significant advantages:
No operating system patches are required.
No antivirus or antispyware is required.
No local device drivers exist.
Zero clients have a longer life cycle because there is less software to update and less demand on
the hardware.
Zero clients allow a reduced number of devices on the desktop (in the case of the flat-panel zero
client).
These benefits are important because they lead to simpler deployments and lower cost of ownership.
Zero clients come in two basic versions:
A version that is integrated into a flat-panel display
A version that looks like a thin client and drives external monitors
Chip PC
DevonIT
HP
Igel
PanoLogic
Sun Microsystems
Wyse
Several VMware partners offer thin client devices for View deployments. The features that are
available for each thin client device are determined by the vendor and model and the configuration
that an enterprise chooses to use. For information about the vendors and models for thin client
devices, see View Compatibility Guide at http://www.vmware.com/resources/compatibility/
search.php.
Make sure that the virtual desktop is powered on, not suspended.
If the desktop is powered on, take these steps:
Verify that the desktop is not hibernating or sleeping.
Open a VMware vSphere Client remote console to verify the state of the
desktop.
Power states can cause several problems when users are trying to connect to virtual desktops. Here
are some troubleshooting procedures:
Use the vSphere Client to confirm that the virtual machine is powered on and not in a
suspended state.
If the virtual machine is powered on, try to connect either by a remote console from the vSphere
Client or directly, using RDC. Connecting by RDC is the best test to determine whether the
desktop is reachable and you can log in. If you can log in with RDC, look at either the client or
the connection server to determine the source of the problem.
If you can log in with an administrative account, the user will be logged out.
Only one user at a time can be logged in to a virtual desktop.
Lab 4
Slide 5-30
In this lab, you will install the View Client and connect to a virtual
desktop.
1. Install the View Client.
2. Connect to a virtual desktop.
3. Clone a second client virtual machine.
Lesson 2:
Virtual Printing with View Clients
Learner Objectives
Slide 5-33
Slide callouts: application, printer, virtual desktop with Virtual Printing component, rendering
The application running on the virtual desktop generates print data, which is passed over a PCoIP or
RDP channel to the client system. The Virtual Printing component on the client machine renders the
print images and directs them to a locally accessible print resource.
Virtual Printing uses a client-server architecture. A print server component is installed on the
desktop when the View Agent is installed. A print client component is installed on the View Client
system when View Client software is installed.
The user might connect to the desktop from different locations and use
different printers.
Large print jobs might consume considerable network bandwidth:
client system
View desktop
The slide shows what the choice of printers looks like on the client system and the virtual desktop.
Bandwidth control
Conversion of print data to a common data format
Encryption
Compression
Virtual printer driver, which replaces the need for individual printer drivers
and enables driver-free printing
The Virtual Printing components on the virtual desktop perform these functions:
Control the consumption of bandwidth
Convert the print data from the application to a common data format
Encrypt and compress the print data
Use a single virtual printer driver, which then communicates with the client side of the data path
The Virtual Printing components that are installed on the View Client machine, the one that is
hosting the print resources, perform these functions:
Receive the print data from the Virtual Printing component running in the virtual desktop
Decompress and decrypt the data flow
Convert the common data format into whatever format the locally accessible printer resource
requires
Send the data to the print resource
Virtual Printing supports both online and offline (local-mode) desktops. But the data exchange path
is different. A PCoIP or RDP channel is used for the online desktop and View Client exchange. A
virtual serial port is used for the exchange between an offline desktop and the client machine. The
local-mode image is running on the local machine, so the virtual serial port is local and not across
the network. The printing operation occurs locally.
Every 30 seconds, the two Virtual Printing components determine whether new print resources have
been installed on the View Client.
The technology that is used in the Virtual Printing feature is licensed from Cortado, a company that
has been providing proven virtual printing capabilities for some time under the ThinPrint name.
VMware Fusion also uses ThinPrint technology.
The URL http://www.thinprint.com takes you to the ThinPrint page on the Cortado Web site.
PCoIP or RDP
Initialized by
View Client
TPOG: ThinPrint Output Gateway is a printer driver for virtualizing printers on Windows hosts.
TPOGPS: ThinPrint Output Gateway PostScript is a printer driver for virtualizing printers on
Linux or Mac hosts.
TPVMMon.dll: ThinPrint PORT VMware monitor.
TPVMW32: Protocol adapter to serial port.
TPRDPW32: Protocol adapter to RDP.
TPAutoConnect: Creates, tracks, and deletes virtualized printers.
The Virtual Printing components on the client system side:
TPInVM and TPCIntRDP: Redirect .print Server commands from the virtual desktop to the
client protocol interpreter.
TPCInt: Keeps track of real printer configuration changes, and receives and prints print
jobs.
TPView: Interprets (converts from common data format) TPOG-generated print jobs.
For the client system, Virtual Printing client components are always
installed on the client system by the View Client installer if the USB
Redirection feature is selected.
For the desktop, Virtual Printing server components are installed on
the desktop if:
The default installation of the View Client always installs the Virtual Printing components. If you
deselect the USB redirection feature, the Virtual Printing components are not installed.
The default installation of the View Agent on the desktop template, parent virtual machine (for
linked clones), or unmanaged desktops installs the Virtual Printing feature, as shown on the slide.
C:\Program Files\VMware\VMware Tools\TPAutoConnect d
Printers are seen. Be patient. The operation might take a few minutes.
To make the virtual desktop refresh its inventory of virtual printers, log in to the desktop as an
administrator, open a Command Prompt window, and do the following:
1. Remove all printers by typing C:\Program Files\VMware\VMware
Tools\TPAutoConnect d.
2. Stop the connection service by typing net stop TPAutoConnSvc.
3. Restart the connection service by typing net start TPAutoConnSvc. The restart might take a
few minutes.
To reinstall Virtual Printing on a desktop or the desktop template or parent virtual machine that is
used for automated pools:
1. Remove all printers.
2. Stop the connection service.
3. Use Add or Remove Programs to remove the View Agent and VMware Tools.
4. Install VMware Tools.
5. Install the View Agent.
You must install the View Client with USB redirection for Virtual
Printing to work:
Available options:
Page Setup:
Resolution
B/W or color
Advanced:
Preview
Adjustment:
Scale to fit
Adjust margins
Virtual Printing supports the common configuration options for a printer resource. The ThinPrint
Output Gateway on the desktop adopts the printer properties (for example, paper trays, duplex,
color/black-and-white, punching or stapling) from the original driver.
You can then configure these options at the virtual desktop, but the options require administrator
privileges. The best way to change the printer properties is to change them at the client, where the
printer is located.
The compression level for the print data stream between the virtual desktop and the client system
can be adjusted at the desktop. But the user must have at least Manage Printer permissions to change
the setting. The compression ratio, in particular, affects system performance. During compression,
the print job is divided into its components. Different compression methods are applied to text and
images to ensure that an optimal, very small file can be sent.
Location-Based Printing
Slide 5-47
Each row in the table identifies a specific printer and defines a set of
translation rules for that printer.
When a user connects to a View desktop, View compares the client system
to the translation rules associated with each printer in the table.
Translation rules are based on the client system's IP address, name, and
MAC address, and on the user's name and group.
The location-based printing feature maps printers that are physically near client systems to View
desktops, enabling users to print to their local and network printers from their View desktops. For
example, as a health professional moves from room to room in a hospital, each time the person
prints a document, the print job is sent to the nearest printer.
You set up location-based printing by configuring the AD group policy setting AutoConnect
Location-based Printing for VMware View. The group policy is in the Microsoft Group Policy
Object Editor in the Software Settings folder under Computer Configuration.
AutoConnect Location-based Printing for VMware View is a computer-specific policy.
Computer-specific policies apply to all View desktops, regardless of who connects to the desktop. In
the example, either a doctor or nurse could use a mobile client workstation and anything that is
printed by either user would be directed to the printer at the nurses' station.
AutoConnect Location-based Printing for VMware View is implemented as a name translation
table. You use each row in the table to identify a specific printer and define a set of translation rules
for that printer. The translation rules determine whether the printer is mapped to the View desktop
for a particular client system.
When a user connects to a View desktop, View compares the client system to the translation rules
associated with each printer in the table. If the client system meets all of the translation rules set for
a printer, View maps the printer to the View desktop during the user's session. If a printer has no
translation rules, it is mapped to the desktop.
You can define translation rules based on the client system's IP address, name, and MAC address,
and on the user's name and group. You can specify one translation rule, or a combination of several
translation rules, for a specific printer.
View Manager provides 32-bit and 64-bit versions of TPVMGPoACmap.dll in the directory
<installation_directory>\VMware\VMware View\Server\Extras\GroupPolicyFiles\ThinPrint
on the connection server host.
systems for each printer. These entries become the translation rules that View uses to determine
which printer the View desktop should use.
For more details, see VMware View Administration at http://www.vmware.com/support/pubs.
Use the table in the AutoConnect Map Additional Printers for
VMware View policy setting to define the printer mappings.
The network printer in the first row is mapped to a desktop for any client
system.
The network printer in the second row is mapped to a desktop only if the
client system has an IP address in the range 10.112.116.140-10.112.116.145.
Because print jobs are sent directly from the View desktop to the printer,
the HP printer driver must be installed on the desktop.
Print jobs are sent from the View desktop to a network printer, so the appropriate print drivers must
already be installed in the desktop.
The network printer specified in the first row is mapped to a View desktop for any client system
because asterisks appear in all of the translation rule columns. The network printer specified in the
second row is mapped to a View desktop only if the client system has an IP address in the range
10.112.116.140-10.112.116.145.
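The translation-table matching described above, using the two example rows (all asterisks, and the IP range 10.112.116.140 to 10.112.116.145). This is an added example, not VMware View code: the column names, the `low-high` range syntax, the printer names, and the choice to ignore a malformed rule rather than map the printer are assumptions.

```python
import ipaddress

WILDCARD = "*"
RULE_COLUMNS = ("ip_range", "client_name", "mac", "user", "group")

# Constructed table mirroring the two rows in the text; printer names are made up.
TRANSLATION_TABLE = [
    {"printer": "PRN-ANY", "ip_range": "*", "client_name": "*",
     "mac": "*", "user": "*", "group": "*"},
    {"printer": "PRN-RANGE", "ip_range": "10.112.116.140-10.112.116.145",
     "client_name": "*", "mac": "*", "user": "*", "group": "*"},
]


def _ip_matches(rule, client_ip):
    """True if client_ip satisfies an '*', single-address or 'low-high' rule."""
    if rule in ("", WILDCARD):
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
        low, _, high = rule.partition("-")
        first = ipaddress.ip_address(low.strip())
        last = ipaddress.ip_address(high.strip()) if high else first
    except ValueError:
        return False  # malformed rule or address: do not map the printer
    if not (first.version == last.version == addr.version):
        return False
    return first <= addr <= last


def _norm_mac(value):
    return value.replace("-", "").replace(":", "").lower()


def _text_matches(rule, value, normalize=str.lower):
    if rule in ("", WILDCARD):
        return True
    return normalize(rule) == normalize(value)


def row_matches(row, client):
    """A printer is mapped only if the client meets all of its rules."""
    groups = client["groups"] or [""]
    return (
        _ip_matches(row.get("ip_range", WILDCARD), client["ip"])
        and _text_matches(row.get("client_name", WILDCARD), client["name"])
        and _text_matches(row.get("mac", WILDCARD), client["mac"], _norm_mac)
        and _text_matches(row.get("user", WILDCARD), client["user"])
        and any(_text_matches(row.get("group", WILDCARD), g) for g in groups)
    )


def mapped_printers(table, client):
    return [row["printer"] for row in table if row_matches(row, client)]


def unrestricted_printers(table):
    """Rows with no effective rule: these printers reach every client system."""
    return [
        row["printer"] for row in table
        if all(row.get(col, WILDCARD) in ("", WILDCARD) for col in RULE_COLUMNS)
    ]


if __name__ == "__main__":
    client = {"ip": "10.112.116.142", "name": "CLIENT-A", "mac": "00-50-56-00-00-01",
              "user": "viewuser01a", "groups": ["Nurses"]}  # constructed client
    print(mapped_printers(TRANSLATION_TABLE, client))
    print(unrestricted_printers(TRANSLATION_TABLE))
```

Reviewing the output of `unrestricted_printers` before deploying the policy shows which printers every desktop session will receive, regardless of where the client is.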
Lab 5
Slide 5-50
In this lab, you will configure desktops and clients to use the Virtual
Printing feature.
1. Install and use a virtual printer.
2. Configure a virtual printer instance on the virtual desktop.
Virtual Printing
Key Points
Slide 5-52
MODULE 6
View Administrator
Slide 6-1
Course Introduction
Introduction to View
Local-Mode Desktops
VMware ThinApp
Importance
Slide 6-3
Module Lessons
Slide 6-4
Lesson 1:
Lesson 2:
Lesson 3:
Automated Pools
Lesson 4:
Lesson 5:
Lesson 1:
Initial View Configuration
Learner Objectives
Slide 6-6
Tunneling
Smart-card authentication
RSA authentication
Internet Explorer 7, 8, 9
Firefox 3.0 or 3.5
https://<View_Connection_Server_FQDN>/admin
After VMware View Administrator has been set up, you can log in from anywhere with a
browser. Use Internet Explorer (version 7, 8, or 9) or Firefox (version 3.0 or 3.5).
The page name admin must be in lowercase. Choose a user name that is in the Active Directory
(AD) domain and that has been granted View administration rights on the View server. Initially,
anyone who has Administrator privileges on the View Connection Server has View administration
rights.
The first few slides in the module are included for completeness. These slides were briefly discussed in an earlier
module when setting up a manual pool.
Begin by entering your View license key. Select View Configuration > Product Licensing and
Usage, click Edit License, and enter the key.
Servers Panes
Slide 6-9
The servers panes enable you to manage the VMware vCenter Server instances, View security
servers, View Connection Servers, and Transfer Servers.
Add
Edit
Remove
The vCenter Servers pane enables you to add, edit, or remove the vCenter Server instances that this
View Connection Server cluster uses to manage vCenter Server virtual machines.
View Composer Settings:
The TCP port that the View Connection Server uses to connect to the vCenter Server system can be
modified if necessary. If you modify that port here, you must also modify the port in the vCenter
Server instance. The modification might affect other vCenter Server operations.
If you select Enable View Composer, you must confirm the port to be used between View
Connection Server and View Composer. You must also enter credentials for View administrators
who have the necessary permissions for View Connection Server to work with the specified vCenter
Server instance and with AD. View Composer is discussed in more detail in a later module.
SSL is the default communication protocol between this View Connection Server and this vCenter
Server system. SSL provides a secure end-to-end tunnel.
After you select Add or Edit in the vCenter Servers pane, the Edit vCenter Server dialog box is
displayed. The dialog box enables you to specify or update the user name and password that View
Connection Server uses to authenticate with the vCenter Server system. (Click Advanced for the
advanced view.)
The vCenter Server Settings advanced dialog box adds two important fields:
Max concurrent provisioning operations: Determines the largest number of concurrent
requests that View Connection Server can make to provision full virtual machines in this
vCenter Server instance. The default value is 8. The setting does not control linked-clone
provisioning.
Max concurrent power operations: Determines the largest number of concurrent power
operations (startup, shutdown, suspend, and so on) that can take place simultaneously on virtual
machines that are managed by View Connection Server in this vCenter Server instance. The
default value is 5. The setting controls power operations for full virtual machines and linked
clones.
Enter free-form tag labels for configuring restricted entitlements.
Set up external URLs for client access from the Internet.
Disable secure tunnel connections to the desktop.
Some configuration settings apply to each specific connection server, rather than to the entire group.
One example is the authentication requirements that are necessary when connecting to the
connection server.
To access the settings page:
In View Administrator, select View Configuration > Servers, select the connection server whose
configuration you want to change, and click Edit. The Edit View Connection Server Settings dialog
box has four tabs: General, Local Mode, Authentication, and Backup. Backup and Local Mode
options are discussed in a later module.
In the General tab, you can set an external URL, which is used by a View Client that is outside the
corporate network. The fully qualified domain name (FQDN) in the URL must be resolvable by the
View Client system for connection to a desktop. Setting the external URL is a required step if you
plan to access the View Connection Server with systems from an external network. The option is
explained in more detail in a later module that discusses View security.
You have the option of defining restricted entitlement tags for this connection server. Restricted
entitlements are discussed on the next slides. In the example, two tags are defined for the connection
server: InternalUsers and Contractors.
The Use secure tunnel connection to desktop option enables you to specify per View server
whether client-to-desktop connections are to use SSL or not. The option is enabled by default. If the
option is deselected, clients and desktops communicate in direct connection mode. Although direct
connection has higher performance because of lower overhead, it should be used only if the clients
and desktops are on a secure network behind the corporate firewalls. The option is discussed in
more detail in the View security module.
The Local Mode tab and its options are discussed in a later module that is devoted to the Local
Mode feature.
The authentication options are discussed on the following slides.
The backup options are discussed in a later module about View backup capabilities.
Restricted Entitlements
Slide 6-14
The user can access a desktop in a pool only if the user is entitled for the
desktop and is connected to the correct connection server.
The same tag label is assigned both to a pool and to a connection server.
View Client displays only pools whose tags match the connection
server's tag.
If a user logs in to a connection server and has not been entitled to any
of the tagged pools, an error message is generated.
A tagged pool must match at least one connection server with
the same tag.
You can use the restricted entitlements feature to restrict View desktop access based on the View
Connection Server instance that a user connects to.
A tagged pool must have at least one connection server with the same tag. A View administrator is
not allowed to remove from the connection server the last tag that is associated with a pool.
Otherwise, there would be no tag match and no user would be able to access the desktops in the
pool.
With restricted entitlements, you assign one or more tags (alphanumeric character strings) to a View
Connection Server instance. Then, when configuring a desktop pool, you select the tags that are
associated with the View Connection Servers that you want to match with the pool. When users log
in to a tagged View Connection Server, they can access only the desktop pools that have at least one
matching tag or desktop pools that have no tags assigned.
[Figure: two connection servers, one with the Internal and External tags and one with the External tag; two pools, one with the Internal tag and one with the External tag.]
Assume, as an example, a health-care deployment that includes two View Connection Server
instances to support doctors (the user icon on the right) and nurses (the icon on the left).
The connection server on the right (connection server B) supports both sets of users in the hospital.
The connection server on the left (A) is paired with a security server and supports doctors who
might need to access their desktops from their offices, which are outside the hospital. The nurse
population is not allowed to access their desktops unless they are on hospital premises. To control
access, set up restricted entitlements as follows:
Use the normal entitlement process to entitle the nurse population to use desktops in pool 1.
Use the normal entitlement process to entitle the doctor population to use desktops in pool 2.
Assign the tags Internal and External to View Connection Server instance B. Anyone logging in
to that connection server can access a desktop in his or her entitled pool.
Assign the tag External to the View Connection Server instance that is paired with the security
server and supports authorized external users. That is connection server A.
Assign the Internal tag to pool 1 and the External tag to pool 2.
If either a nurse or a doctor logs in to connection server B, he or she can connect to a desktop in the
appropriate pool. If a doctor logs in to the security server, he or she will be connected to a desktop
because the External tag is common to both connection server A and pool 2. But if a nurse attempts
to log in to the security server, the connection will be refused because no tags match between
connection server A and either of the pools, even though the user is entitled to pool 1.
Other pools, for other categories of users, can also be tagged with the Internal and External tags.
After the tags have been defined in any connection server, they are available for assignment to any
pool.
The restricted entitlements feature only enforces tag matching. You must design your network
topology to force certain clients to connect through a particular View Connection Server instance.
Tagging a Pool
Slide 6-17
When you click Browse, next to Connection server restrictions, the Connection Server
Restrictions dialog box is displayed. No Restrictions is the default. When Restricted to these tags
is selected, a list of tags associated with all connection servers is shown. Selecting one or more tags
defines which connection servers can be used to access this pool. If a user connects to a connection
server with a selected tag, then and only then will the user have access to the desktops in this pool.
For a desktop connection to occur:
The slide shows how to entitle a pool to work with a tagged connection server. A pool is available
through all connection servers in a connection server group because of Active Directory Application
Mode (ADAM) replication, unless restricted entitlements are configured. The tags for a pool are set
in the Pool Settings page of the Add Pool or Edit Pool wizard. When a user logs into the assigned
connection server, the server first determines which pools the user is entitled to use. Then, if the
connection server has tags, the tags are used to further limit which pools the user can access.
Tag-Matching Rules
Slide 6-18
Connection server
Pool
Access permitted?
No tags
No tags
Yes
No tags
No*
No
No tags
Yes
*If a pool has a tag, then at least one connection server must
have the same tag.
At a basic level, tag matching determines whether a user connecting to a View Connection Server
instance that has a specific tag can access a pool. The user can access the pool only if the pool has
the same tag as the connection server.
The absence of tag assignments can also affect whether a View Connection Server instance can
access a pool. For example, View Connection Server instances that do not have tags can access only
pools that do not have tags.
The table shows how the restricted entitlement feature determines when a user connecting to a View
Connection Server can access a desktop pool.
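The tag-matching rules and the health-care scenario described above, modeled as an added Python example (not VMware code and not part of the original guide). The class and function names and the group names nurses and doctors are assumptions made for illustration; the model checks entitlement first and then tags, as the text describes.

```python
"""Illustrative model of restricted entitlements (tag matching)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionServer:
    name: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class Pool:
    name: str
    entitled_groups: frozenset
    tags: frozenset = frozenset()


def tags_permit(server, pool):
    """Tag check only. An untagged pool is reachable through any server;
    a tagged pool needs at least one tag in common with the server, so an
    untagged server can reach only untagged pools."""
    if not pool.tags:
        return True
    return bool(server.tags & pool.tags)


def accessible_pools(user_groups, server, pools):
    """Entitlement is evaluated first; tags then narrow the result."""
    entitled = [p for p in pools if p.entitled_groups & set(user_groups)]
    return sorted(p.name for p in entitled if tags_permit(server, p))


def orphaned_pools(servers, pools):
    """Tagged pools that no connection server matches (nobody can reach them)."""
    return sorted(p.name for p in pools
                  if p.tags and not any(s.tags & p.tags for s in servers))


def can_remove_tag(server, tag, servers, pools):
    """False when removing the tag would leave a tagged pool without any
    matching connection server, the case the administrator is blocked from."""
    before = set(orphaned_pools(servers, pools))
    after_servers = [ConnectionServer(s.name, s.tags - {tag})
                     if s.name == server.name else s for s in servers]
    return set(orphaned_pools(after_servers, pools)) <= before


# Constructed data mirroring the health-care example in the text.
SERVER_A = ConnectionServer("A", frozenset({"External"}))              # paired with security server
SERVER_B = ConnectionServer("B", frozenset({"Internal", "External"}))  # inside the hospital
UNTAGGED = ConnectionServer("C")                                       # hypothetical untagged server
SERVERS = [SERVER_A, SERVER_B]
POOLS = [
    Pool("pool 1", frozenset({"nurses"}), frozenset({"Internal"})),
    Pool("pool 2", frozenset({"doctors"}), frozenset({"External"})),
]

if __name__ == "__main__":
    for group in ("nurses", "doctors"):
        for server in (SERVER_A, SERVER_B, UNTAGGED):
            print(group, "via", server.name, "->",
                  accessible_pools({group}, server, POOLS))
    print("orphaned pools:", orphaned_pools(SERVERS, POOLS))
    print("can remove Internal from B:",
          can_remove_tag(SERVER_B, "Internal", SERVERS, POOLS))
```

Running `orphaned_pools` over an exported list of servers and pools is a quick way to find tagged pools that have silently become unreachable.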
With smart-card authentication, the user inserts a smart card into a smart card reader attached to the
client system and enters a personal identification number (PIN). Smart-card authentication provides
two-factor authentication by verifying both what the user has (the smart card) and what the user
knows (the PIN).
When a user inserts a smart card into a smart-card reader, the user certificates on the smart card are
copied to the local certificates store on the client system. These stored certificates are available to all
applications running on the client system.
A smart card is a small plastic card that contains a computer chip. The chip contains secure storage
for data that includes private key and public key certificates.
Many organizations require personnel to pass multiple stages of authentication before allowing them
to connect to their systems. View provides support for high-security environments by offering
smart-card authentication of client sessions.
a smart-card PIN.
4. View Client sends the user certificate to View Connection Server or the
security server.
5. View Connection Server or the security server verifies the certificate by
Smart-card authentication works by presenting a trusted set of client credentials (a user certificate)
to View Connection Server. A user certificate is an encrypted set of authentication credentials that
includes the digital signature of the trusted root certificate authority (CA) that issued the certificate.
The user certificate is stored on the smart card and can be retrieved and passed to the server only
after the user has verified ownership by entering a PIN. Certificates are then authenticated by using
a public key to verify the included digital signature. The expected digital signature is contained in a
trusted CA certificate that is stored on View Connection Server.
When a user initiates a connection to a View Connection Server or a security server instance that is
configured for smart-card authentication, the following sequence occurs:
1. Upon card insertion, View Connection Server or the security server sends a list of trusted
Typically, users can successfully authenticate if their user certificate is signed and valid. But when
certificate revocation checking is configured, users who have revoked user certificates are prevented
from authenticating.
Smart-Card Requirements
Slide 6-21
Client systems that use smart cards for user authentication must
have the following software and hardware installed:
View Client
A Windows-compatible smart-card reader
Smart-card middleware
Product-specific application drivers
View supports smart cards and smart-card readers that use PKCS#11
or Microsoft CryptoAPI provider.
Client systems that use smart cards for authentication must meet certain requirements. Each client
system must have the following software and hardware installed:
View Client
A Windows-compatible smart-card reader
Smart-card middleware: Smart-card middleware is an application layer between the smart card
and the client system. The application layer allows the client-system hardware to communicate
with the smart-card hardware.
Product-specific application drivers: You must install product-specific application drivers on
the View desktop.
Smart-card authentication is not supported by View Client for Mac or View Administrator.
View supports smart cards and smart-card readers that use a PKCS#11 or Microsoft CryptoAPI
provider. You can install the ActivIdentity ActivClient software suite, which provides tools for
interacting with smart cards.
Users that authenticate with smart cards must have a smart card or USB smart-card token. Each
smart card must contain a user certificate.
To install certificates on a card, you must set up a computer that meets the following criteria:
Has the authority to issue smart cards for users
Is a member of the domain for which you are issuing certificates
trusted users to a server's truststore file. You perform this action so that View Connection
Server and security server instances can authenticate smart-card users and connect them to their
View desktops. (A truststore file is a key database file that contains public keys.)
3. Modify View Connection Server configuration properties. To enable smart-card authentication,
you must modify View Connection Server configuration properties on your View Connection
Server and security server host.
4. Configure smart-card settings in View Administrator. You must select the Require SSL for
Client connections in View Administrator check box in the Global Settings dialog box in
View Administrator.
5. Prepare Active Directory for smart-card authentication. When you implement smart-card
Smart-card logins rely on UPNs. So the AD accounts of users that use smart cards to
authenticate in View must have valid UPNs.
Add the root certificate to Enterprise NTAuth Store and Trusted Root Certification
Authorities.
If you use a CA to issue smart-card login or domain controller certificates, you must add
the root certificate to the Enterprise NTAuth Store. The root certificate must also be added
to the Trusted Root Certification Authorities group policy in AD.
Add an intermediate certificate to the Intermediate Certification Authorities. If you use an
intermediate certification authority to issue smart-card login and domain controller
certificates, you must add the intermediate certificate to the Intermediate Certification
Authorities group policy in AD.
Leaves an organization
Loses a smart card
Moves from one department to another
View supports certificate revocation checking with:
You can prevent users with revoked certificates from authenticating with smart cards. To do so,
configure certificate revocation checking on a View Connection Server or security server instance.
User certificates are revoked when the user leaves the organization, loses a smart card, or moves
from one department to another in the same organization.
View supports certificate revocation with certificate revocation lists (CRLs) and Online Certificate
Status Protocol (OCSP).
A CRL is a list of revoked certificates published by the CA that issued the certificates.
OCSP is a certification validation protocol that is used to get the revocation status of X.509
certificates.
If smart-card authentication is enabled, you configure the smart-card removal policy in one of two
ways:
Select Disconnect user session on smart card removal if you want users to be disconnected
from the View Connection Server instance when they remove their smart cards. Users must then
reauthenticate to gain access to their View desktops.
Deselect Disconnect user session on smart card removal to allow users to remain connected
to their View Connection Server instance when they remove their smart cards. Users can start
new View desktop sessions without reauthenticating. The option is not enabled by default.
The smart-card removal policy does not apply to users who connect to View Connection Server with
the Log on as a current user check box selected. The policy does not apply even if users log in to
their client system with a smart card.
You must restart the View Connection Server service for changes to smart-card settings to take
effect. Users currently logged in are not affected by changes to smart-card settings.
You can configure a View Connection Server instance so that the users are required to use RSA
SecurID authentication before entering their AD credentials. For example, you might configure RSA
SecurID authentication only for users who access View desktops remotely over the Internet.
Because RSA SecurID authentication works with RSA Authentication Manager, an RSA
Authentication Manager server is required. The RSA Authentication Manager server must be
directly accessible from the View Connection Server host.
To use RSA SecurID authentication, each user must have a SecurID token that is registered with the
RSA Authentication Manager. An RSA SecurID token is a piece of hardware or software that
generates an authentication code at fixed intervals.
RSA SecurID provides two-factor authentication by requiring the knowledge of a PIN and an
authentication code. The authentication code is available only on the RSA SecurID token.
See the RSA Authentication Manager documentation for more information.
Select Enable if you want to require RSA SecurID authentication for users to access
desktops.
Select Enforce SecurID and Windows user name matching if you want RSA SecurID to
check names against Windows user names and deny access to those that do not match.
Select Clear node secret when the states of the View Agent and the RSA Authentication
Manager are not synchronized. When you select the check box, ADAM clears the node
secret on the View Agent and resets the Lightweight Directory Access Protocol (LDAP)
value.
3. Upload the sdconf.rec file into View Administrator from RSA Authentication Manager.
You can add or remove View administrators. Initially, only an administrator who is a member of
BUILTIN\Administrators can log in to View Administrator. After you are logged in, you can add
anyone in the AD domain as a View administrator. For these administrator credentials to be usable by
View Connection Server, vCenter Server, or View Composer, certain vCenter Server and AD
permissions must be assigned to the user name. The specific permissions are discussed later.
Global Settings
Slide 6-28
The Global Settings dialog box controls all View servers in the domain. In View Administrator,
select View Configuration > Global Settings. You can set the following options in the dialog box:
Session timeout: Determines how long (in minutes) users are allowed to keep sessions open
after they log in to the View Connection Server. The setting does not control the session interval
for a session between a client and desktop. The field must contain a value, and the default is
600. When 5 minutes are left before the user is logged out, View Connection Server sends a
pop-up message: The secure connection to the View Connection Server will time out in 5
minutes. The message is not the warning message that is configured on the Global Settings
page. The five-minute warning is not configurable.
Require SSL for client connections and View Administrator: Determines whether SSL is
used to create a secure communication channel between the View Connection Server and the
client and between a browser user and View Administrator. By default, the option is enabled for
both types of connections. It can be overridden per individual View server. Changing this
option requires a restart of the View Connection Server service. In a group of replicated View
Connection Server instances, you must restart the View Connection Server service on all
instances in the connection server group. You do not have to restart the Windows host systems.
Tunneling
Smart-card authentication
RSA authentication
Lesson 2:
Managing Users and Groups
Learner Objectives
Slide 6-31
Describe how information in the Users and Groups page can be used
to control and monitor View users.
Explain the hierarchy of global policies, pool-level policies, and user-level policies.
List the View Group Policy administrative (ADM) template files.
You manage users on the Users and Groups page in View Administrator. Select Users and Groups
in the navigation pane to display the Users and Groups page. The page enables you to access pools
and desktops from the perspective of the users who access the desktops.
For example, you can review the desktop pools that a user or group is entitled to and you can
determine a user's active desktops. Double-clicking the entry in the User Name column opens a
page that displays the pools, entitlements and desktops for that group or user.
Click Update General User Information to update View Connection Server with the current user
information that is stored in AD. The name, phone, email, user name, and default Windows domain
are updated. The trusted external domains are also updated.
Use the update option if you modify the list of trusted external domains in AD, especially if the
altered trust relationships between domains affect user permissions in View Connection Server. The
update option scans AD for the latest user information and refreshes the View Connection Server
configuration.
Double-click the group entry in the User Name column to open the <group> page, which displays
the pool entitlements and sessions for the group.
The Summary tab displays basic information about the AD group and the pools for which the group
is entitled. In the example, the group is entitled for four pools.
You can review the desktop pools that a group is entitled to:
In View Administrator, select Users and Groups and click the name of a group.
Select the Entitlement tab.
The page lists the pools that the user or group is entitled to and information about each pool. Click a
pool name to open the page for that pool.
The Sessions tab displays the active sessions for users in the group.
The <user> page displays information unique for this user: group
memberships, entitlements, assigned desktops, and, if linked-clone
desktops, the names of the persistent disks.
You can review the pools, desktops, and other information that pertains to a user. In View
Administrator, select Users and Groups and click the name of the user.
Click the name of the persistent disk in the <user> page to display information about the disk. You
can quickly identify the disk and the datastore on which it is stored.
Click the Sessions tab to display desktops that are active for this
user.
This tab allows a View administrator to quickly access and manage a
user's desktop if a user reports a problem.
Click the Sessions tab to display all desktops assigned to the user. After you select a desktop, the
buttons that perform the standard operations are active.
Global Policies
Slide 6-38
In View Administrator, select Policies > Global Policies to display the Global Policies page. Global
policies are applied to all desktops and pools that are managed by all View Connection Servers in the
group. These policies can be overridden for any pool or desktop. Select a pool in the Pools page
(select Inventory > Pools) and click the Policies tab in the <pool_ID> page.
Global View policies:
Multimedia redirection (MMR): Determines whether MMR is enabled for client systems.
MMR is a Microsoft DirectShow filter that forwards multimedia data from specific codecs on
View desktops directly through a TCP socket to the client system. The data is then decoded
directly on the client system, where it is played. The default value is Allow. If client systems
have insufficient resources to handle local multimedia decoding, change the setting to Deny.
USB access: Determines whether desktops can use USB devices connected to the client
system. The default value is Allow. To prevent the use of external devices for security reasons,
change the setting to Deny.
Remote mode: Determines whether users can connect to and use desktops running on vCenter
Server instances. If the policy is set to Deny, users must check out the desktop on their local
computers and run the desktop only in local mode. Restricting users to running desktops only in
local mode reduces the costs associated with CPU, memory, and network bandwidth
requirements of running the desktop on a back-end server. The default value is Allow.
Double-click the pool ID in the Pools pane and click the Policies tab.
Click Edit Policies to override each set of policies.
Click Edit Policies and change USB access to Deny. The USB
access policy does not allow any user of a desktop in this pool to use a
USB device from the client system.
The applied policy for USB access changes to Deny, overriding the global policy. All other policies
are unchanged.
In the example, you can set a policy for the SalesDesks pool not to allow any user to access a USB
device on the client system. The global policy is to allow USB access, but you can override the
policy at the pool level, which will apply to all desktops in the pool.
overrides.
3. Apply the overrides for each user.
You can configure user-level policies to affect specific users. User-level policy settings take
precedence over the equivalent global and pool-level policy settings. To override a pool policy for
one or more individuals, click User Overrides and change one or more policies. The procedure is
more involved than changing a pool-level policy:
1. Click User Overrides and click Add User.
2. To find a user, click Add, enter the name or description of the user, and click Find.
3. Select one or more users from the list, click OK, and click Next. The Add Individual Policy
The policy overrides are not directly displayed. Determining the policy changes requires reviewing
the user list that is displayed by clicking User Overrides.
In the example, the selected user has been allowed USB access. Regardless of the pool-level or
global policy settings, the user will always be able to use USB devices for the client system.
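Because user overrides are not shown directly, it helps to see how the three levels resolve and which overrides loosen a pool-level Deny. The following is an added Python example, not View code or part of the original guide; the data structures, the function names, and the user name jsmith are assumptions, and the sample data is constructed from the SalesDesks example above.

```python
"""Illustrative model: user-level overrides pool-level overrides global."""

# Global defaults as stated in the text (each defaults to Allow).
GLOBAL_POLICIES = {
    "Multimedia redirection (MMR)": "Allow",
    "USB access": "Allow",
    "Remote mode": "Allow",
}

# Constructed sample data: the SalesDesks pool denies USB access, and one
# hypothetical user (jsmith) has a user override in that pool back to Allow.
POOL_OVERRIDES = {"SalesDesks": {"USB access": "Deny"}}
USER_OVERRIDES = {("SalesDesks", "jsmith"): {"USB access": "Allow"}}


def effective_policy(policy, pool, user,
                     pool_overrides=POOL_OVERRIDES,
                     user_overrides=USER_OVERRIDES,
                     global_policies=GLOBAL_POLICIES):
    """Return (value, level) where level names the layer that decided."""
    if policy not in global_policies:
        raise KeyError(f"unknown policy: {policy}")
    layers = (
        ("user", user_overrides.get((pool, user), {})),
        ("pool", pool_overrides.get(pool, {})),
        ("global", global_policies),
    )
    for level, settings in layers:
        if policy in settings:
            return settings[policy], level
    raise AssertionError("unreachable: global layer always has the policy")


def weakening_overrides(pool_overrides=POOL_OVERRIDES,
                        user_overrides=USER_OVERRIDES,
                        global_policies=GLOBAL_POLICIES):
    """List user overrides that grant Allow where the pool or global
    setting would otherwise yield Deny, the ones worth a periodic review."""
    findings = []
    for (pool, user), settings in sorted(user_overrides.items()):
        for policy, value in sorted(settings.items()):
            # Baseline = what the user would get with no user-level override.
            baseline, level = effective_policy(
                policy, pool, None, pool_overrides, {}, global_policies)
            if value == "Allow" and baseline == "Deny":
                findings.append((pool, user, policy, level))
    return findings


if __name__ == "__main__":
    print(effective_policy("USB access", "SalesDesks", "jsmith"))
    print(effective_policy("USB access", "SalesDesks", "another.user"))
    print(effective_policy("USB access", "OtherPool", "jsmith"))
    for finding in weakening_overrides():
        print("override loosens a Deny:", finding)
```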
Policies are applied at desktop startup and when users log in.
The ADM template files are installed on each View Connection Server
host in:
<installation_directory>\VMware\VMware View\Server\Extras\GroupPolicyFiles
The View ADM template files contain both Computer Configuration and User Configuration group
policies.
The Computer Configuration policies set policies that apply to all View desktops, regardless of who
connects to the desktop.
The User Configuration policies set policies that apply to all users, regardless of the View desktop
they connect to. User Configuration policies override equivalent Computer Configuration policies.
View applies policies at View desktop startup and when users log in.
The View ADM template files are installed in the
<installation_directory>\VMware\VMware View\Server\Extras\GroupPolicyFiles
directory on your View Connection Server host.
The Group Policy Object Editor is a Microsoft Management Console (MMC) snap-in. The MMC is
part of the Microsoft Group Policy Management Console (GPMC). See the Microsoft TechNet Web
site for information on installing and using the GPMC.
View includes several component-specific Group Policy administrative (ADM) template files. You
can optimize and secure View desktops by adding the policy settings in these ADM template files to
a new or existing Group Policy object (GPO) in AD.
Template name                  Template file     Description
View Agent Configuration       vdm_agent.adm
View Client Configuration      vdm_client.adm    Policy settings related to View Client
View Server Configuration      vdm_server.adm
View Common Configuration      vdm_common.adm
View PCoIP Session Variables   pcoip.adm
View Persona Management        ViewPM.adm
The View Agent Configuration ADM template file (vdm_agent.adm) contains policy settings
related to the authentication and environmental components of View Agent. The template contains
both Computer Configuration and User Configuration settings. The User Configuration setting
overrides the equivalent Computer Configuration setting.
The View Client Configuration ADM template file (vdm_client.adm) contains policy settings
related to the View Client configuration. The settings include scripting definition settings, security
settings, Remote Desktop Protocol (RDP) settings, and general settings. The template provides
Computer Configuration and User Configuration settings.
The View Server Configuration ADM template file (vdm_server.adm) contains policy settings
related to all View Connection Server instances. The template contains only Computer
Configuration settings.
The View Common Configuration ADM template file (vdm_common.adm) contains policy settings
common to all View components. The settings include log configuration settings, performance alarm
settings, and general settings. The template contains only Computer Configuration settings.
The View PCoIP Session Variables ADM template file (pcoip.adm) contains policy settings related
to the PCoIP display protocol, including the tuning parameters.
The View Persona Management ADM template file (ViewPM.adm) contains policy settings that you
add to the group policy configuration of individual systems or an AD server. After the policy settings
have been added, View Persona Management can be enabled and configured. View Persona
Management is discussed in a later module.
For more details about each of the ADM template files, see VMware View Administration at
http://www.vmware.com/support/pubs/view_pubs.html.
Lab 6
Slide 6-44
a virtual desktop.
4. Retrieve information about specific users.
5. Examine recent connection server events.
Describe how information in the Users and Groups page can be used
to control and monitor View users.
Explain the hierarchy of global policies, pool-level policies, and user-level policies.
List the View Group Policy administrative (ADM) template files.
Lesson 3:
Automated Pools
Learner Objectives
Slide 6-47
Users can save documents and files on dedicated desktops because they
always return to the same desktop.
Use case: An employee is assigned a desktop for exclusive use.
A floating-assignment desktop pool contains stateless desktops:
The desktop returns to the pool when the user logs out.
A user might be logged in to a different desktop each time and should not
save documents or files on the desktop.
Multiple users can access the same desktop (but not concurrently).
Use cases:
When desktops are deployed, they are permanently assigned to a single user or are assigned
dynamically to any authorized user who requests a desktop. Permanently assigned desktops are
called dedicated-assignment desktops. Dynamically assigned desktops are called floating-assignment desktops.
Desktops in a Pool
Slide 6-49
View Composer can create linked-clone desktops on demand.
View supports two options for deploying virtual desktops in pools: template-based desktop
deployment and linked-clone desktops.
To create a template-based pool, you must have a template and customization specification ready.
The desktops in the pool are created on demand by the vCenter Server system or are provisioned all
at once. The virtual desktop is deployed from the template and is a full, normal clone of the original
virtual machine. The clone operation uses the Sysprep process.
Linked-clone desktops are created on demand by View Composer, which is running on the same
host system as the vCenter Server system. Linked-clone provisioning differs from the template-based deployment in the following ways:
Neither a template nor a customization specification is used. Instead, a virtual machine that has
a snapshot, called the parent virtual machine, is used as the base image for every linked-clone
desktop in the automated desktop pool.
A linked-clone virtual desktop uses much less disk space than is required by a template-based
full clone.
The time to provision a linked-clone virtual desktop is a fraction of the time required for
template-based deployment. Typically, a linked-clone desktop can be deployed in a matter of
minutes, irrespective of the size of the parent virtual machines system disk.
The new linked-clone desktop is customized by a special VMware process called QuickPrep
or by Sysprep. The choice of customization is configured when the automated pool is created.
308
Dedicated-Assignment Pools
Slide 6-50
Best practices:
Dedicated-assignment desktops are ideal for work environments where everyone must start with the
same desktop configuration and the same tools. Users have the freedom to customize their desktop
within their assigned limits and permissions. But if a user has a problem with a desktop, a new
desktop can be easily and quickly provisioned.
Dedicated-assignment desktop pools assign a user to the same desktop each time he or she connects
to the pool. It is like having a PC on the desk. The virtual desktop becomes a PC that is permanently
assigned to the user. Users can save documents and files on persistent desktops because they return
to the same desktop.
To start the Add Pool wizard, in View Administrator, select Inventory > Pools and click the
Add link.
Adding an automated pool is similar to adding a manual pool, the steps for which were discussed
earlier in the course. Many of the pages in the wizard are identical.
Automated desktop pools contain one or more dynamically generated desktops that are
automatically created and customized by View Connection Server from a vCenter Server virtual
machine template. Desktop pools of this type can be either dedicated or floating desktops.
Automated pools can also use the linked-clone feature to rapidly deploy desktops from a single
parent virtual machine.
A manual pool provides access to an existing set of virtual machines, physical computers, or blade
PCs. Each entitled user is connected to an appropriate desktop when he or she logs in.
A Terminal Services pool provides Terminal Services sessions as desktops to View users. Terminal
Services sessions are managed by View Connection Server in the same way as virtual machine
desktops.
You can also manually assign desktop names and users. You input a list of desktop name and user
name combinations. When a specified user tries to connect the first time, the desktop is provisioned
with the name and is assigned to the user. More details about this option are discussed in later pages.
If the desktops are dedicated, View Connection Server can automatically assign the desktops on first
connection. Because all desktops in the pool are identically configured, any desktop is suitable for
first assignment. After a user has connected to a desktop, it is dedicated to that user. Subsequent
connection requests from the user are always directed to the dedicated desktop. A user can have
only one desktop assigned. The names of the desktops are generated by View Connection Server,
according to a naming pattern that you assign later in the wizard.
Each View Connection Server can connect to multiple vCenter Server instances. A vCenter Server
instance handles the deployment and management of virtual desktops, all on request from View
Connection Server. The number of View Connection Servers and vCenter Server instances depends
on the desktop deployment throughout the organization.
The Add Pool wizard needs to know which vCenter Server system will be handling the virtual
machine deployments for the automated pool. Only one vCenter Server instance can handle the
management of the virtual machines for each automated pool.
If linked-clone desktop deployment is the choice for this automated pool, the View Composer
linked clones option must be enabled. For the option to be active, View Composer must be
installed, and you must explicitly configure the View Composer settings for this vCenter Server
instance. Do the configuration in the vCenter Servers pane of the Servers page of View
Administrator (View Configuration > Servers).
ID:
Display name:
View folder
Enter the ID, the display name, and the description in the fields. Select a View folder in which to
place the pool of desktops.
The ID is unique for each pool in the entire View Connection Server inventory. The inventory is
the set of desktops that is managed by all the View Connection Servers using the same LDAP database.
The display name does not have to be unique. A View administrator can reuse display names, if
necessary, but should ensure uniqueness for any one user. The ID and display name should correlate
to something meaningful in your environment. From the View Client, the user is connecting to a
single desktop, and a pool name might not be helpful. A display name suggesting a single desktop in
the user's assigned area would be useful.
Select a View folder in which to place the pool or leave the pool in the default root folder. If you use
View folders, you can delegate pool management to specific administrators with a specific role. Folders
are a way to partition pool management. A folder must already exist for the selection to be made
here. A pool can also be assigned to a folder any time after the pool is configured and operating.
The ID is the name that is used by View Connection Server to identify the desktop. The desktop
display name is what the end user sees when connecting to a View Connection Server. After the user
has been authenticated, the user sees a list of all the desktops that he or she is entitled to use.
View folders are different from vCenter Server folders that store desktop virtual machines. You
select a vCenter Server folder later in the wizard with other vCenter Server settings.
Pool Settings
Slide 6-57
Setting the pool to Enabled means that the pool is automatically enabled after it is created.
Setting it to Disabled means that you must manually change the setting to Enabled to activate
the pool after it is created. By default, the desktop is enabled as soon as you create it.
Connection server restrictions: The pool is being tagged to match one or more View
Connection Servers. Users are allowed to connect to desktops in the pool if they log in to a
connection server that has the Consultant tag or the InternalUsers tag. The tags are configured
in the View Administrator Edit dialog box for a View Connection Server. The tags determine
which pools users can access when they log in to a specific connection server.
Remote Desktop Power Policy: Determines how a virtual machine behaves when the user
logs out of the associated desktop. The virtual machines that are powered off will be started
when required and will remain on, even when not in use, until they are shut down.
State: If the pool is not enabled, desktops are not available for immediate use. The disabled
state enables you to create a desktop and configure it, including who is entitled to use it. But
because the desktop is not enabled, no one can use it until it is enabled.
The Desktop/Pools Setting window controls desktop and pool settings, which for an automated pool
that uses full clones is identical to the pool settings for a manual pool. The following parameters
were selected for the pool:
Take no power action (default) means that View Connection Server does not enforce a power
policy after a user logs out. For example, if a user shuts down the virtual machine, the virtual
machine remains powered off. If a user logs off without shutting down, the virtual machine
remains powered on. The virtual machine restarts when a user connects to the desktop.
Ensure desktops are always powered on means that all virtual machines in the pool remain
powered on, even when they are not in use. If they are shut down, they will immediately restart.
Select Suspend if you want the desktop to enter a suspended state when the user logs out, but
not when a user disconnects.
Select Power off if you want all virtual machines in the pool to shut down when the user logs
out but not when the user disconnects.
A best practice is to select Suspend. A suspended virtual machine returns to service faster than
one that is powered off, but it still conserves CPU, network, and RAM resources on the
VMware ESX/ESXi host.
Automatically logoff after disconnect: Immediately means that users are logged out as soon
as they disconnect. Never means that users are never logged out. Selecting After pops up a
request to enter the wait time in minutes.
Allow users to reset their desktops: Users are allowed to reset their desktops. The default
value is No.
Remote Display Protocol: The default values are accepted. Connections between a View
Client and a desktop default to use the PCoIP display protocol. Users can change that protocol
to RDP. If PCoIP is used, the number of monitors and the resolution for each are the default
values.
Windows 7 3D Rendering: If you plan to use 3-D graphics applications, such as Windows
Aero themes, Microsoft Office 2010, or Google Earth, you should turn on the option in the Pool
Settings window. The option is available only with vSphere 5.0 or later when Windows 7 virtual
machines use virtual hardware version 8. The pool must use PCoIP as the default display
protocol and users cannot be allowed to select their protocol.
When you select this feature, you can configure the amount of VRAM that is assigned to
desktops in the pool. You can select at most two monitors for your View desktops. The
maximum resolution of any one monitor is set to 1920x1200 pixels. You cannot configure this
value.
You must power off and power on existing virtual machines for this setting to take effect.
Restarting a virtual machine does not cause the setting to take effect.
Windows 7 3D Rendering is a graphics feature that is not hardware-accelerated. It enables you
to run DirectX9 and OpenGL 2.1 applications without requiring a physical graphics processing
unit (GPU).
Adobe Flash Settings for Remote Sessions: The default values are accepted.
Available Desktops
Slide 6-58
You can control the size of your reserve.
If the desktops are provisioned on demand, View Connection Server can create a reserve of
available desktops when the pool is created. The reserve reduces the wait time for the user. As
additional desktops are placed into service, more desktops are created so that the prescribed reserve
of available desktops is always ready. The behavior continues until the maximum pool size is
reached. These provisioning parameters can be overridden when the pool is created. They can be
edited after pool creation.
Pool desktops can be created on demand or provisioned all at once. If a user requests a desktop from
a pool and it is not available, View Connection Server requests that the vCenter Server system create
one, if the provisioning parameters allow the action. The desktop creation process consists of the
vCenter Server system cloning a new virtual machine from a template and customizing it.
Depending on the size of the virtual desktop hard drives and the speed of your system, the
deployment time varies. Meanwhile, the View Client continues to wait until the virtual desktop has
been created and powered on and is ready for use.
Provisioning Settings
Slide 6-59
Pool Sizing:
Provisioning can be enabled or disabled. Selecting the Enable provisioning setting means that
desktops in the pool are immediately created on completion of deployment or after a desktop is
deleted, depending on the pool-sizing parameters. Deselecting the setting means that the desktops in
the pool are not immediately created on completion of deployment or after a desktop is deleted.
Provisioning is suspended. Enable provisioning is selected by default.
Stop provisioning on error is selected by default. If a problem occurs when a virtual desktop is
being created for the pool, all provisioning in the pool stops. The Enable provisioning check box is
deselected. A View administrator has to investigate the problem, such as lack of storage space for
new virtual machines. The administrator then has to manually select Enable Provisioning.
You select whether you want to manually specify machine names or want View Connection Server
to use a naming pattern in the Virtual Machine Naming panel. The process to specify names
manually is described on the next slide.
The pattern you enter in the Naming Pattern box determines the actual name of each virtual
machine when it is provisioned by the vCenter Server system. A constant prefix is used to identify
all desktops in a pool as part of the same group. The prefix can be up to 13 characters in length. By
default, a numeric suffix is appended to the entry to distinguish each desktop from others in the
same pool.
You can override the behavior by entering a name that contains a token representing the pool
number. The token can appear anywhere in the name. For example, you could type amber-{n}desktop.
After deployment, {n} is replaced with the number of the desktop.
Fixed-length tokens can be entered with the n:fixed= construction. For example, type
amber-{n:fixed=3}. After deployment, {n:fixed=3} is replaced with a fixed-length pool number for each
desktop: amber-001, amber-002, amber-003, and so forth.
A 15-character limit applies to names that contain a token but only to the replaced form where the
token length is fixed. For example, my-view-system{n:fixed=1} would be acceptable. The pattern is
25 characters, but the final virtual machine name would be only 15 characters (for example,
my-view-system1). Virtual machine names would vary from my-view-system1 to my-view-system9,
and then provisioning would halt, regardless of the number that should be provisioned. After a
virtual machine has been deleted, another would be created to reuse an available virtual machine
name.
Where the token length is not fixed, a buffer of 1 is applied to the token, so the maximum replaced
length is 14 characters. Example: a-view-system{n}. If more than 99 desktops are created, duplicate
computer names will exist.
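The naming rules above can be checked before a pool is created. The following Python sketch is an added example, not VMware code: it expands a pattern, computes how many desktops it can name, and finds the first duplicate. Cutting over-long names to 15 characters is an assumption used to model the duplicate-name case, and all function names are hypothetical.

```python
import re

MAX_NAME_LEN = 15  # limit the page applies to the replaced (final) name
TOKEN_RE = re.compile(r"\{n(?::fixed=(\d+))?\}")


def parse_pattern(pattern):
    """Split a naming pattern into (prefix, suffix, fixed_width or None)."""
    tokens = list(TOKEN_RE.finditer(pattern))
    if len(tokens) > 1:
        raise ValueError("this sketch handles a single {n} token")
    if not tokens:
        # No token: by default a numeric suffix is appended to the entry.
        return pattern, "", None
    tok = tokens[0]
    width = int(tok.group(1)) if tok.group(1) else None
    if width == 0:
        raise ValueError("fixed width must be at least 1")
    return pattern[:tok.start()], pattern[tok.end():], width


def expand(pattern, n):
    """Return the virtual machine name for desktop number n."""
    prefix, suffix, width = parse_pattern(pattern)
    number = str(n)
    if width is not None:
        if len(number) > width:
            raise ValueError(f"desktop {n} does not fit in {width} digit(s)")
        number = number.zfill(width)
    return f"{prefix}{number}{suffix}"


def capacity(pattern):
    """Highest desktop number whose name still fits in 15 characters."""
    prefix, suffix, width = parse_pattern(pattern)
    static = len(prefix) + len(suffix)
    digits = width if width is not None else MAX_NAME_LEN - static
    if digits < 1 or static + digits > MAX_NAME_LEN:
        return 0
    return 10 ** digits - 1


def review_pattern(pattern, max_desktops):
    """List the problems a pattern causes for a pool of max_desktops."""
    prefix, suffix, width = parse_pattern(pattern)
    static = len(prefix) + len(suffix)
    cap = capacity(pattern)
    findings = []
    if width is None and static > MAX_NAME_LEN - 2:
        # Unfixed token: one digit plus a buffer of 1 must still fit.
        findings.append(f"static text is {static} characters, limit is 13")
    if cap == 0:
        findings.append("no generated name fits in 15 characters")
    elif max_desktops > cap:
        if width is not None:
            findings.append(f"provisioning halts after {cap} desktops")
        else:
            findings.append(f"names after desktop {cap} exceed 15 characters")
    return findings


def first_duplicate(pattern, count):
    """Return (desktop_number, name) of the first duplicate name, or None.

    Assumption: a name longer than 15 characters is cut to 15 characters.
    """
    _, _, width = parse_pattern(pattern)
    if width is not None:
        count = min(count, capacity(pattern))  # provisioning halts instead
    seen = set()
    for n in range(1, count + 1):
        name = expand(pattern, n)[:MAX_NAME_LEN]
        if name in seen:
            return n, name
        seen.add(name)
    return None


if __name__ == "__main__":
    for pat, size in [("amber-{n:fixed=3}", 200),
                      ("my-view-system{n:fixed=1}", 20),
                      ("a-view-system{n}", 120)]:
        print(pat, capacity(pat), review_pattern(pat, size),
              first_duplicate(pat, size))
```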
The Pool Sizing panel offers greater control over the number of desktops to create in the pool:
Max number of desktops: Specify the total number of virtual machines that can be
provisioned for the pool. Set this number to the maximum number of virtual machines that are
to be deployed in the pool at any point. The setting is necessary to prevent overburdening
hardware resources.
Min number of desktops: If you use a naming pattern and provision desktops on demand,
specify a minimum number of desktops in the pool. If you provision desktops on demand, View
Connection Server creates desktops as users connect to the pool for the first time. View
Connection Server creates the minimum number of desktops when you create the pool.
Number of spare (powered on) desktops: Specify the number of desktops that View
Connection Server keeps available and powered on for new users. The setting should match the
rate at which users are added to the environment. If you add two users per day, the number
should be set to 2 for dedicated-assignment pools.
In the example on the slide, five desktops are specified and three of them are associated with a user
name. The list was entered into a Notepad file and copied and pasted into the box in the Enter
Desktop Names dialog box. When the list is complete, click Next and the Add pool wizard verifies
each AD user name. Errors are identified with the red diamond. An error is shown in the example.
There was a mistake in one of the user names. After you correct the list, the wizard returns to the
Provisioning Settings page and displays the number of desktops in the list.
In a floating-assignment pool, you cannot associate user names with desktop names. The desktops
are not dedicated to the associated users. In a floating-assignment pool, all desktops that are not
currently in use remain accessible to any user who logs in.
Most of the vCenter Server components that are necessary for an automated pool are configured
from the vCenter Settings page. The selections for the template, the virtual machine folder, the host
or cluster, the vCenter Server resource pool, and the datastores are configured in the Add Pool
wizard page. The selections are discussed on the following slides.
You cannot change vCenter Server settings for existing virtual machines. You can change vCenter
Server settings in the Edit <pool_name> dialog box, but the values affect only new virtual
machines that are created after the settings are changed. Effectively, the pool can have a
combination of settings for each component, which might be confusing.
Selecting a Template
Slide 6-62
To select a template:
The Add Pool wizard sequence is for an automated pool that creates full-clone desktops, so a
template must be selected for the vCenter Server system to use.
1. On the vCenter Server page, click the Browse button to the right of the Template box. By
default, a list of templates that are compatible with supported desktop Windows systems is
displayed. For example, Windows 2003 and Windows 2008 templates would not appear in the
list.
2. Select a template that has been tested.
Create vCenter Server folders for virtual machines and templates that
will be used for virtual desktops.
In the case of an automated pool that uses template-based deployment, the number of virtual
desktops that you can run per host varies greatly. The number depends on the host hardware
configuration, use of resource management, and the size and requirements of the virtual desktop.
Select a host or cluster on which to run the virtual machines that will be deployed in this pool. A
vSphere Distributed Resource Scheduler (DRS) cluster adds resource management and
load-balancing capabilities, which improve desktop performance. A vSphere High Availability cluster
gives you ESX/ESXi host failover. You can have up to 32 hosts per DRS/HA cluster. If linked-clone
desktops are specified, the maximum number of hosts in a cluster is eight.
The use of resource pools and other resource management tools in ESX/ESXi and the vCenter
Server system can dramatically improve the performance of virtual desktops and the use of
resources on the host.
If you have created resource pools, you must select the resource pool that the desktop pool will run
in. Even if you have resource pools created, you do not have to run virtual desktops in them. But it
is a best practice to configure resource pools for your virtual desktops.
The screenshot on the right is from the VMware vSphere Client, which is displaying the current
setting in the Payroll Virtual Desktops resource pool. Resource pool settings cannot be accessed by
the View Administrator.
Do not confuse resource pools and View desktop pools. A resource pool is used by ESX/ESXi hosts
and DRS clusters to manage CPU and RAM resources on ESX/ESXi hosts. A desktop pool is a
group of virtual desktops grouped together for management and deployment purposes.
Selecting a Datastore
Slide 6-66
You can specify a default virtual machine swap file location on each ESX/ESXi host. In this case,
the default swap file location is used.
If you specify that the virtual desktop pool should store virtual machine files on local ESX/ESXi
host storage, you cannot use VMware vMotion with the virtual desktops. So, in the case shown
in the screenshot, you can use vMotion on any virtual machine stored on any of the datastores
except datastore1 (the local datastore).
If multiple datastores are selected, View Connection Server distributes the virtual desktops across
the datastores. Any single virtual machine is placed on only one datastore.
Select the datastore in which to store your virtual desktop files. Normally, it is possible to create a
virtual machine with multiple virtual disk drives and to specify that each virtual disk be stored in a
different location. But with virtual desktops that are created from a template, all virtual disks must
be on the same datastore. You can have multiple virtual disks, but all must reside on the same
datastore.
The screenshot shows the vCenter Settings page with all components configured.
The final vCenter Server component that must be specified is the type of customization to perform
on a new desktop.
The default selection is to use an existing customization specification. The same customization
specification can be used with multiple pools and multiple templates, if the templates are based on
the same operating system that the customization is based on. The customization selected here is
the WinXP Spec file. A good description of the customization would have helped identify the correct
file to use.
Customization specifications that do not specify DHCP for network configuration cannot be used
and are not shown. The IP address for each desktop must be dynamically assigned.
information on the Ready to Complete page.
2. If the information is
The slide shows the summary page. View is now ready to complete the definition for the pool.
Review the information and click Finish. Click Back to correct problems.
Apply a filter. All pools with sales in any column are displayed.
Entitle the new pool. The new pool cannot be used until it is entitled. The best practice is to entitle
an AD user group to use the pool.
If you have a large number of pools, you can quickly find the one that you want by filtering on the
pool ID or some other unique text.
When the pool is created and the desktops are set to Enabled, the
associated vCenter Server instance begins provisioning desktops.
As soon as a pool is enabled and set to provision, View Connection Server begins creating desktops.
The number of desktops that will be created concurrently is set in the Edit vCenter Server dialog
box. (Select View Configuration > Servers, select the vCenter Server instance, and click Edit.)
The top screenshot is from the Recent Tasks pane of the vSphere Client, which shows that cloning
has begun.
Each desktop that is created has to be powered on, customized, and then restarted to join the
domain. Desktops are not available until the process is complete. Users who try to access desktops
before the pool is ready are informed that the desktop is not available. After provisioning has
completed, the View Client connects to the virtual desktop.
The desktop pool is now visible in the View Client. A user does not
know that it is a pool, not a desktop.
The user sees the display name that you entered on the Pool
Identification page of the Add Pool wizard.
The display name of the pool is displayed in the View Client for all users who are entitled to use it.
The user does not know anything about a desktop pool, so it is prudent to use display names that are
meaningful to the user. For example, a display name like Windows XP desktop might be more
meaningful than WinXP-pool. If a display name is not entered in the Pool ID page of the Add Pool
wizard, the pool ID is used.
Desktop Problems
Slide 6-73
View Connection Server creates a new desktop to keep pool sizing correct.
Desktop is assigned to first new user who requests one.
Floating-Assignment Pools
Slide 6-74
Desktops are returned to the pool (or are deleted) when users log out.
A user might be logged in to a different desktop each time.
Users should not save documents or files on the desktop.
A floating-assignment pool makes desktops available to users when they log in. These desktops are
returned to the pool when users log out. Users might log in to a different desktop each time. Thus,
users should not save documents or files on the desktop and should not be able to customize the
desktop in any way. These changes would be present when the next user connects to the desktop. At
the View administrator's option, a virtual desktop can be destroyed when the user logs out. If the
option is enabled, each user connects to a fresh copy of the desktop at each login.
Two additional pool settings are available for floating-assignment pools:
If Delete desktop after logoff is set to Yes, after a user logs out:
The virtual machine is powered off and deleted from the disk
A new desktop is provisioned to return the pool to its configured size
Lab 7
Slide 6-76
Lesson 4:
Role-Based Delegated Administration
Learner Objectives
Slide 6-79
The View access and control system is similar to the vCenter Server
access control system.
An administrator role is a collection of privileges that:
Privileges are either global or object-specific (for example, inventory
objects like pools and desktops).
The ability to perform tasks in View Administrator is governed by an access control system that
consists of administrator roles and privileges. This system is similar to the vCenter Server access
control system.
An administrator role is a collection of privileges. Privileges grant the ability to perform specific
actions, such as entitling a user to a desktop pool. Privileges also control what an administrator can
see in View Administrator. For example, if an administrator lacks privileges to view or modify
global policies, the Global Policies setting is not visible in the navigation panel when the
administrator logs in to View Administrator.
Administrator privileges are either global or object-specific. Global privileges control system-wide
operations, such as viewing and changing global settings. Object-specific privileges control
operations on specific types of inventory objects, such as pools and desktops.
Entitlements determine who can connect to a desktop in a pool. View Connection Server roles and
privileges apply only to administrators of the View environment when using View Administrator.
A key management task in a View environment is to determine who can use View Administrator and
which tasks those users are authorized to do. With role-based delegated administration, you can
selectively assign administrative rights by assigning administrator roles to specific AD users and
groups.
Administrator roles typically combine all of the individual privileges required to perform a
higher-level administration task. View Administrator includes predefined roles that contain the privileges
required to do common administration tasks. You can assign these predefined roles to your
administrator users and groups, or you can create your own roles by combining selected privileges.
You cannot modify the predefined roles.
To create administrators, you select users and groups from your AD users and groups and assign
administrator roles. Administrators obtain privileges through their role assignments. You cannot
assign privileges directly to administrators. An administrator who has multiple role assignments
acquires the sum of all the privileges contained in those roles.
In addition to managing View privileges and permissions, you must manage vCenter Server
permissions and Windows permissions. For example, the permissions granted through the View
Administrator role do not extend to the vCenter Server Administrator role or the local Windows
Administrator permissions.
An administrator can access the pool resources that reside in the folder.
An administrator with multiple roles acquires the sum of all privileges.
Other considerations:
If a role is to apply to a folder, the role must contain at least one object-specific
privilege.
Roles that contain only global privileges cannot be applied to folders.
A desktop inherits the folder from its pool. A persistent disk that is attached to a linked clone
inherits the folder from its desktop.
You configure administrator access to the resources in a folder by assigning a role to an
administrator on that folder. Administrators can access only the resources that reside in folders for
which they have assigned roles. The role that an administrator has on a folder determines the level
of access that the administrator has to the resources in that folder.
Because roles are inherited from the root folder, an administrator that has a role on the root folder
has that role on all folders. Administrators that have the Administrators role on the root folder are
super administrators because they have full access to all of the inventory objects in the system.
A role must contain at least one object-specific privilege to apply to a folder. Roles that contain only
global privileges cannot be applied to folders.
By default, desktop pools are created in the root folder, which appears as / or Root(/) in View
Administrator. You can create folders under the root folder to subdivide your desktop pools and then
delegate the administration of specific desktop pools to different administrators. You can have a
maximum of 100 folders, including the root folder.
You can use View Administrator to create folders and to move existing pools to folders. You can
also select a folder when you create a desktop pool. If you do not select a folder during pool
creation, the pool is created in the root folder by default.
viewadmin1
Predefined roles:
Administrators
Inventory Administrators
Global Configuration and Policy Administrators
viewadmin2
viewadmin2 has the Inventory Administrators privileges for only the
pools in the FinanceDesktops folder, but also has global configuration
and policy privileges.
The viewadmin2 user is assigned responsibility for the pools in the folder called FinanceDesktops,
so the Inventory Administrators role is assigned on the FinanceDesktops folder. Additionally, the
viewadmin2 user has global privileges that allow him or her to configure global settings (View
Configuration > Global Settings) and global policies (Policies > Global Policies).
In the example, three roles have been defined and each of three folders contains one or more pools.
To allocate the administrative responsibilities for the pools between two administrative users, the
viewadmin1 user is assigned the Inventory Administrators role on only the folder called
SalesDesktops. The Inventory Administrators role has all possible configuration privileges for
inventory objects: pools, desktops, persistent disks, and ThinApp applications. The viewadmin1
user cannot read or change inventory objects associated with pools in either of the other folders.
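The delegation rules in this lesson (a permission is a role, an administrator, and a folder; roles on the root folder are inherited; multiple roles add up; global-only roles cannot be applied to folders) can be modeled to review who can do what. This Python sketch is an added example, not View code. The privilege names and the local-admins account are constructed for illustration, and recording global-only roles on the root folder is a modeling assumption.

```python
ROOT = "/"
MAX_FOLDERS = 100  # including the root folder

# Hypothetical privilege names; the page does not list individual privileges.
GLOBAL_PRIVS = {"manage_global_settings", "manage_global_policies"}
OBJECT_PRIVS = {"manage_pool", "entitle_pool", "manage_desktop"}

# Predefined role names are taken from the page.
ROLES = {
    "Administrators": GLOBAL_PRIVS | OBJECT_PRIVS,
    "Inventory Administrators": set(OBJECT_PRIVS),
    "Global Configuration and Policy Administrators": set(GLOBAL_PRIVS),
}


class AccessModel:
    """Permissions are (administrator, role, folder) triples."""

    def __init__(self, folders):
        self.folders = {ROOT, *folders}
        if len(self.folders) > MAX_FOLDERS:
            raise ValueError("at most 100 folders, including the root folder")
        self.permissions = set()

    def grant(self, admin, role, folder=ROOT):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        if folder not in self.folders:
            raise ValueError(f"unknown folder: {folder}")
        if folder != ROOT and not (ROLES[role] & OBJECT_PRIVS):
            # A role needs an object-specific privilege to apply to a folder.
            raise ValueError("role with only global privileges cannot be "
                             "applied to a folder")
        self.permissions.add((admin, role, folder))

    def privileges(self, admin, folder=ROOT):
        """Sum of the privileges an administrator holds for a folder."""
        held = set()
        for who, role, where in self.permissions:
            if who != admin:
                continue
            if where == ROOT:
                # Roles on the root folder are inherited by every folder.
                held |= ROLES[role]
            elif where == folder:
                held |= ROLES[role] & OBJECT_PRIVS
        return held

    def can(self, admin, privilege, folder=ROOT):
        return privilege in self.privileges(admin, folder)

    def super_admins(self):
        """Administrators holding the Administrators role on the root folder."""
        return sorted(who for who, role, where in self.permissions
                      if role == "Administrators" and where == ROOT)


def build_example():
    """The viewadmin1/viewadmin2 scenario described on the page."""
    model = AccessModel(["SalesDesktops", "FinanceDesktops"])
    model.grant("local-admins", "Administrators")  # constructed account
    model.grant("viewadmin1", "Inventory Administrators", "SalesDesktops")
    model.grant("viewadmin2", "Inventory Administrators", "FinanceDesktops")
    model.grant("viewadmin2",
                "Global Configuration and Policy Administrators")
    return model


if __name__ == "__main__":
    m = build_example()
    for admin in ("viewadmin1", "viewadmin2"):
        for folder in ("SalesDesktops", "FinanceDesktops"):
            print(admin, folder, sorted(m.privileges(admin, folder)))
    print("super administrators:", m.super_admins())
```

Running `super_admins()` against an export of real assignments is a quick way to confirm that the all-privilege role on the root folder stays limited to a small set of accounts.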
For users and groups, for each administrator the role and folder are
displayed.
For folders, the assigned administrators and the role are displayed.
For roles, the assigned administrators and their assigned folders are
displayed.
For any one of the three elements that make up a permission, you
can quickly learn what the other two combinations are.
View Administrator presents the combination of a role, an administrator user or group, and a folder
as a permission. The role defines the actions that can be performed. The user or group indicates who
can perform the action. The folder contains the objects that are the target of the action.
Permissions appear differently in View Administrator depending on whether you select an
administrator user or group, a folder, or a role. Examples of permissions are shown on the next slide.
Examples of Permissions
Slide 6-84
The Global Administrators View page has three tabs: Administrators and Groups, Roles, and
Folders. A View permission is the combination of a user or group name, a role, and a folder. The
left panel of each tab shows all items in the tab's category. The right panel shows the other two
components that make up the permission for that item:
The Administrators and Groups tab shows all users and groups who have View permissions.
In this case, the role and folder that are associated with each user or group are shown.
The Roles tab shows all predefined and custom roles. If a role is part of a permission, the other
two components are shown: the user or group and the assigned folder. You use the Roles tab to
add roles.
The Folders tab shows the user or group and role associated with each folder.
Predefined Roles
Slide 6-85
Perform all administrative functions
The predefined administrator roles combine all of the individual privileges required to do common
administration tasks. You cannot modify the predefined roles.
Administrators: Perform all administrator operations, including creating additional administrator
users and groups. Administrators that have the Administrators role on the root folder are super
administrators because they have full access to all of the inventory objects in the system. Because
the Administrators role contains all privileges, you should assign it to a limited set of users. Initially,
members of the local Administrators group on your View Connection Server host are given this role
on the root folder. An administrator must have the Administrators role on the root folder to do the
following tasks:
Adding and deleting folders
Managing ThinApp applications and configuration settings in View Administrator
Viewing and modifying View Transfer Server instances and the Transfer Server repository
Using the vdmadmin and vdmimport commands
The Windows administrator who installs a replica connection server instance or a View Transport
Server instance must be a domain user and must have the View Administrators role. The installer for
View Connection Server verifies that the Windows administrator is an authorized View
administrator with the View Administrators role.
Administrators (Read only): The role can do the following:
View, but not modify, global settings and inventory objects.
View, but not modify, ThinApp applications and settings, View Transfer Server instances, and
the Transfer Server repository.
Use Windows PowerShell commands and command-line utilities, including the vdmexport
command but excluding the vdmadmin and vdmimport commands.
When administrators have this role on a folder, they can only view the inventory objects in that
folder.
Agent Registration Administrators: Allows this user to install View Agent on unmanaged
desktop sources like physical systems, standalone virtual machines, and terminal servers. During
View Agent installation, the user must provide administrator login credentials to register the
unmanaged desktop source with the View Connection Server instance. Not only must the user have
local administrator privileges to install View Agent, but the user must also have the View
Connection Server privilege to register the desktop.
Global Configuration and Policy Administrators: View and modify global policies and
configuration settings except for administrator roles and permissions, ThinApp applications and
settings, View Transfer Server instances, and the Transfer Server repository.
Global Configuration and Policy Administrators (Read only): View and modify global policies
and configuration settings except for administrator roles and permissions, ThinApp applications and
settings, View Transfer Server instances, and the Transfer Server repository.
To create an administrator, you select a user or group from your AD users and groups in View
Administrator and assign an administrator role.
To create an administrative user:
1. In View Administrator, select View Configuration > Administrators.
2. On the Administrators and Groups tab, click Add User or Group.
3. In the Add User and Group dialog box, use Find to find the AD users or groups.
4. Select the AD user or group that you want to be an administrator user or group.
5. Select a role to assign to the administrator user or group. The Apply to Folder column indicates
whether a role applies to folders. Only roles that contain object-specific privileges apply to
folders. Roles that contain only global privileges do not apply to folders.
Adding Permissions
Slide 6-87
After a permission has been created, you can add permissions from
each of the three tabs on the Global Administrators View page (View
Configuration > Administrators).
You can use View Administrator to add, delete, and review permissions for specific administrator
users and groups, for specific roles, and for specific folders.
You can add a permission that includes a specific administrator user or group, a specific role, or a
specific folder. You might want to add a permission in three cases:
To delegate the administration of specific desktops or pools to different administrators, you must
create folders to subdivide your desktops or pools. If you do not create folders, all desktops and
pools reside in the root folder. You can have a maximum of 100 folders, including the root folder.
After you create a folder to subdivide your desktop pools, you must manually move desktop pools to
the new folder unless you assigned a folder during the Add Pool or Edit Pool wizard. If you decide
to change the way your desktop pools are subdivided, you can move existing pools from one folder
to another.
To create a folder:
1. In View Administrator, select Inventory > Pools.
2. From the Folder drop-down menu on the command bar, select New Folder.
3. Enter a name and description for the folder. The description is optional.
If the predefined administrator roles do not meet your needs, you can combine specific privileges to
create your own roles in View Administrator.
To add a role:
1. In View Administrator, select View Configuration > Administrators.
2. On the Roles tab, click Add Role.
3. Enter a name and description for the new role and select one or more privileges.
The new role is displayed in the left pane of the Global Administrators View page. An example is
shown on the next slide.
The right pane shows the type of each privilege: global or object-oriented.
The Contractors role must be applied to a folder.
In the Add Role dialog box, enter a name and description for the new role and select one or more
privileges.
After completing the dialog box, the new role is displayed in the left pane of the Global
Administrators View page. The role can be used to create a permission with a user or group name
and a folder. Because at least one of the privileges applies to an inventory object, the role must be
assigned to a folder.
Avoid using Windows built-in groups or other groups that might contain
additional users or groups.
To increase the security and manageability of your View environment, you should follow best
practices when managing administrator users and groups.
Because the View Administrators role contains all privileges, assign it to a single user or to a
limited set of users.
Select a local Windows user or group to have the View Administrators role. A Windows
administrator must have the Administrators role in View to install a replica server instance on a
Windows Server host. Otherwise, the installation fails. A local administrator for an unmanaged
desktop must have at least the Agent Registration Administrators role to install View Agent and
register the desktop. View administrators must be domain user accounts.
Create user groups for administrators. Avoid using Windows built-in groups or other existing
groups that might contain additional users or groups.
Because it is highly visible and easily guessed, avoid using the name Administrator when
creating administrator users and groups.
Create folders to segregate sensitive desktops. Delegate the administration of those folders to a
limited set of users.
Create separate administrators that can modify global policies and View configuration settings.
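The permission model described earlier (a role, an administrator user or group, and a folder) and the best practices above can be checked mechanically. The following Python sketch is an added example, not part of the course material or of View itself; the reduced role table, the ROOT label, the EXAMPLE domain, the limit of two super administrators, and the reading of the last best practice as "do not combine inventory and global privileges in one account" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ROOT = "/"  # assumed label for the root folder

# Reduced role model (assumption): (has object-specific privileges, has global privileges).
ROLES = {
    "Administrators": (True, True),
    "Inventory Administrators": (True, False),
    "Global Configuration and Policy Administrators": (False, True),
}

@dataclass(frozen=True)
class Permission:
    principal: str           # AD user or group
    role: str
    folder: Optional[str]    # None when the role contains only global privileges

def can_manage_pool(perms, principal, pool_folder):
    """True if a permission gives principal object privileges on the pool's folder."""
    return any(
        p.principal == principal and ROLES[p.role][0]
        and p.folder in (pool_folder, ROOT)   # the root folder covers every folder
        for p in perms
    )

def can_change_global(perms, principal):
    """True if any role held by principal contains global privileges."""
    return any(p.principal == principal and ROLES[p.role][1] for p in perms)

def audit(perms, max_super_admins=2):
    """Return (principal, finding) pairs for the best practices listed in the text."""
    findings = []
    supers = sorted({p.principal for p in perms
                     if p.role == "Administrators" and p.folder == ROOT})
    if len(supers) > max_super_admins:
        findings.append((", ".join(supers), "too many super administrators"))
    for p in perms:
        has_object = ROLES[p.role][0]
        if has_object and p.folder is None:
            findings.append((p.principal, "role with object privileges needs a folder"))
        if not has_object and p.folder is not None:
            findings.append((p.principal, "global-only role does not apply to folders"))
    for who in sorted({p.principal for p in perms}):
        if who.upper().startswith("BUILTIN\\"):
            findings.append((who, "Windows built-in group used as administrator"))
        if who.split("\\")[-1].lower() == "administrator":
            findings.append((who, "easily guessed name 'Administrator'"))
        roles = {p.role for p in perms if p.principal == who}
        mixes = any(ROLES[r][0] for r in roles) and any(ROLES[r][1] for r in roles)
        if "Administrators" not in roles and mixes:
            findings.append((who, "combines inventory and global privileges"))
    return findings

# Constructed sample that follows the viewadmin1/viewadmin2 example in the text.
SAMPLE = [
    Permission("BUILTIN\\Administrators", "Administrators", ROOT),
    Permission("EXAMPLE\\viewadmin1", "Inventory Administrators", "SalesDesktops"),
    Permission("EXAMPLE\\viewadmin2", "Inventory Administrators", "FinanceDesktops"),
    Permission("EXAMPLE\\viewadmin2",
               "Global Configuration and Policy Administrators", None),
]
```

Run against the sample, audit() reports the built-in group that holds the Administrators role on the root folder and notes that viewadmin2 holds both inventory and global privileges.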
Lab 8
Slide 6-92
View environment.
6. Remove all administrator permissions.
Lesson 5:
Monitoring the View Deployment
Learner Objectives
Slide 6-95
Explain how the dashboard can be used to quickly focus on the details
of a problem.
Show how to access the settings and status of a particular pool.
Show how to access the settings and status of a specific desktop and
the resources controlled by vCenter Server that the desktop uses.
Describe the types of PCoIP session statistics that you can monitor.
View components:
vSphere components:
Datastores
ESX/ESXi hosts
vCenter Server instances
Domains
You can quickly survey the status of the View Connection Server and vSphere components in your
View deployment by using the View Administrator dashboard.
View Administrator displays monitoring information about View Connection Server instances, the
event database, security servers, View Composer services, transfer servers, datastores, ESX/ESXi
hosts, vCenter Server instances, and domains.
View Connection Server cannot determine status information about Kerberos domains. View
Administrator displays Kerberos domain status as unknown, even when a domain is configured and
working.
Dashboard Page
Slide 6-97
The dashboard shows on one page a visual status of each of the components in a View environment.
For example, in the upper-left portion of the window, the date and time of the last dashboard update
are displayed with indicators of the following:
Desktops with problems
Error events or warning events that should be evaluated
View or vCenter Server components that are either not functioning or are not available
Clicking the number next to the item opens a page that shows the component's status.
The global status area in the upper-left corner is always visible.
If enabled, the global status area automatically updates every few minutes. The Dashboard page is
also updated every few minutes when the page is active.
Idle session timeouts for View Administrator do not occur when automatic updates are enabled,
so View Administrator remains active until the browser is closed or an explicit logout is
done. Allowing View Administrator to remain active indefinitely is a security consideration: an
unattended browser keeps an authenticated administrator session open.
Double-click the datastore name to see details of pools using the datastore.
The example shows how you can quickly determine the error condition with a problem desktop:
1. In the Desktop Status pane of the Dashboard page, expand the desktop categories.
2. Click the highlighted number, which is a link, that is next to the error state. This action opens
the Desktops page with the filter specification set to Error. Desktops with Error in the
database record are displayed in the list. Expect to see only one desktop.
3. Click the ellipsis icon in the Status column to see the error specifics.
Clicking the highlighted number to the right of Problem Desktops in the Dashboard Status pane
(upper-left corner of View Administrator) would show all desktops in any of the error states.
Events are stored in a separate database.
Events can be filtered.
Display the details of the local-mode desktop and session.
Roll back the local-mode desktop (discard the local desktop image).
Start a replication (backup) of the local-mode desktop.
Remote sessions: Opens the Remote Sessions page, which shows all active remote sessions
that are prepared for use. Depending on the session state of each desktop, you can disconnect it,
log it out, reset the virtual machine (done by a vCenter Server instance), or send a message to
the desktop.
Local sessions: Opens the Local Sessions page, which shows sessions that are checked-out
local-mode desktops. Depending on the session state of a local desktop, you can roll back or
replicate the desktop. You can always display the details and status of the desktop.
The next slides show examples of each of these View Administrator pages.
The terms remote and local are from the perspective of the View Client.
Events: Opens the Events page, which shows all events for a designated period. All events for
all View components are stored in an event database. The event database is configured through
View Configuration > Event Configuration. Events can be filtered.
Events Page
Slide 6-101
Filter on any text in the database record for a selected time period.
Remote Sessions
Slide 6-102
Remote sessions are View Client online sessions with either a vCenter Server version of a virtual
desktop, a physical desktop, or a virtual desktop from other sources.
In the example, the Payroll-XP desktop is connected, so all four options are active. The desktop can
be disconnected, logged out, or reset. And, you can send a message to the user.
The other desktop is disconnected but not logged out, so the only active options are to log out the
session or reset the virtual machine.
Local Sessions
Slide 6-103
Local sessions are local-mode desktops. View Client with Local Mode is connecting to a local
version of the desktop, which has been checked out. View Connection Server periodically monitors
the status of the local desktop. The Details dialog box shows session characteristics, such as the time
of last server contact and last backup (replication).
You can roll back the local-mode desktop, which discards the local version, or initiate a replication,
which copies changes that were made in the local version to the vCenter Server version. Replication
and backup perform the same operations.
Do not delve into Local Mode now. The content is here only for completeness and for comparison with remote
sessions information.
Monitoring a Pool
Slide 6-104
This desktop is a linked-clone desktop, so the Persistent Disks link is active and shows the
persistent disks that are attached to this desktop. Usually, only one persistent disk is attached. But it
is possible to have persistent disks attached that came from deleted linked-clone desktops.
The ThinApps link shows the ThinApp applications assigned to this desktop and status of each.
Each tab displays the name information as it applies to this pool.
Module 6 View Administrator
The More Commands menu is available only on the Inventory tab because most of these
commands apply to specific desktops.
You use View Administrator pages to perform View Connection Server or View Composer
operations on specific pools. You go to the page for a pool by selecting Inventory > Pools and
double-clicking the ID in the row with the name of the pool. The first click selects the row. The second
click activates the link to the <pool_ID> page. The example shows the page for the XP-Desktops
pool. Every action from this page applies to only this pool or objects in this pool. For example,
actions selected from the Inventory tab apply to only the selected desktops in the inventory. If the
pool is for linked clones, you can select View Composer to select a View Composer operation for
the highlighted desktops in the inventory. Although not shown, multiple desktops can be selected.
To perform a View Composer operation on all desktops in a pool, you make a selection from the
View Composer menu in the Settings tab.
Displays the vCenter Server information for this desktop, such as the
virtual disks associated with this linked-clone desktop
Selecting the vCenter Settings tab in the <desktop_name> page displays vCenter Server settings
and resources that pertain to this desktop. In the example, the desktop is a linked-clone desktop, so
the virtual disk list shows four disks: a system disk, a disposable disk, a persistent disk, and the
internal disk.
The PCoIP session statistics are available for virtual desktops running
View Agent 5.0 and later.
With PCoIP session statistics, you can monitor performance and troubleshoot PCoIP sessions in a
VDI environment. The PCoIP session statistics capability delivers the detailed PCoIP metrics that
IT management needs to keep the network running smoothly and to simplify troubleshooting.
The PCoIP session statistics that you can monitor include general session statistics, audio statistics,
imaging statistics, network statistics, and USB statistics.
The PCoIP session statistics are available for virtual desktops running View Agent 5.0 or later.
The availability of PCoIP session statistics reduces reliance on log files for monitoring performance
and troubleshooting PCoIP sessions.
C#
C++
Windows PowerShell
VBScript
WMI Code Creator
VB .NET
Windows Management Instrumentation Command-line (WMIC)
Teradici offers the PCoIP Session Statistics Viewer program to display the PCoIP session statistics
that are retrieved from one or more virtual desktops. The program has two modes:
Graphing from real-time data
Graphing from PCoIP session server log files
In these graphing modes you can do the following:
Add and remove multiple virtual desktops
Switch views instantly
Set the sampling time
Set the graph duration
WMI-based tools might include C#, C++, Windows PowerShell, VBScript, WMI Code Creator, VB
.NET, and Windows Management Instrumentation Command-line.
Tools supported by Windows Management Instrumentation (WMI) can be used to monitor PCoIP
session statistics. WMI-based tools can collect more than 20 session statistics for monitoring,
trending, and troubleshooting end-user support issues.
Definition
AudioRXBWkbitPersec
AudioTXBWkbitPersec: Bandwidth for outgoing audio packets averaged over the sampling period, in
kilobits per second
SessionDurationSeconds
ImagingEncodedFramesPersec
RoundTripLatencyms
What is the current audio receive and transmit bandwidth that is being used?
What is the network transmit and receive bandwidth?
What is the network latency?
What is the image encoding rate, in frames per second?
How long has the session been connected?
The PCoIP session statistics help monitor PCoIP's effect on the network and conversely how the
network is affecting PCoIP performance and user perception. Twenty-three individual statistics can
be collected into a WMI-based tool for monitoring, trending, and proactive troubleshooting. The
most commonly used statistics are shown on this slide and the next slide.
Definition
RXBWkbitPersec: Overall bandwidth for incoming PCoIP packets averaged over the sampling
period, in kilobits per second
TXBWkbitPersec
TXPacketLossPercent
RXPacketLossPercent: Percentage of received packets lost during a sampling period
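One way to trend the statistics listed above once a WMI-based tool has collected them, as an added Python example that is not part of the course material. Only the counter names come from the slides; the sample values, the alert limits, and the three-sample rule are constructed assumptions.

```python
from statistics import mean

# Assumed alert limits for this sketch; tune them for your own network.
LIMITS = {
    "RoundTripLatencyms": 250,
    "TXPacketLossPercent": 1.0,
    "RXPacketLossPercent": 1.0,
}

def sustained_breaches(samples, limits=LIMITS, run=3):
    """Return counters that exceeded their limit in `run` consecutive samples.

    A single spike resets nothing by itself; only an unbroken streak is reported,
    which keeps one bad sampling period from raising an alert.
    """
    flagged = []
    for counter, limit in limits.items():
        streak = 0
        for sample in samples:
            streak = streak + 1 if sample[counter] > limit else 0
            if streak >= run:
                flagged.append(counter)
                break
    return flagged

def summarize(samples):
    """Average and peak per counter, plus the session length from the last sample."""
    counters = [k for k in samples[0] if k != "SessionDurationSeconds"]
    report = {
        c: {"avg": round(mean(s[c] for s in samples), 1),
            "peak": max(s[c] for s in samples)}
        for c in counters
    }
    report["SessionDurationSeconds"] = samples[-1]["SessionDurationSeconds"]
    return report

# Constructed samples, one per 10-second sampling period of a single session.
FIELDS = ("SessionDurationSeconds", "RoundTripLatencyms", "TXPacketLossPercent",
          "RXPacketLossPercent", "TXBWkbitPersec")
SAMPLES = [dict(zip(FIELDS, row)) for row in [
    (10, 40, 0.0, 0.0, 1200),
    (20, 300, 2.0, 0.0, 900),
    (30, 310, 0.0, 0.0, 800),
    (40, 320, 2.5, 0.0, 850),
    (50, 60, 0.0, 0.0, 1500),
    (60, 45, 0.0, 0.0, 1400),
]]
```

In the sample, latency stays above its limit for three periods and is reported, while the two isolated packet-loss spikes are not.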
Key Points
Slide 6-112