Home > Articles > Operating Systems, Server

This chapter is from the book

Configuring the View Connection Server

As mentioned in Chapter 1, “Virtual Desktop Infrastructure Overview,” there are two versions of VMware View: Enterprise and Premier. Premier includes local mode and View Composer. If you apply a Premier license, you see View Composer and local mode VMs as options. After logging in, you need to add the license. Click Edit License, as shown in Figure 3.64.

Figure 3.64

Figure 3.64. Add the license.

Enter the VMware View Serial Number in the provided field (see Figure 3.65).

Figure 3.65

Figure 3.65. Enter the license key.

Premier licenses enable View Composer and local mode, as shown in Figure 3.66.

Figure 3.66

Figure 3.66. Premier enables View Composer and local mode.

You now have to add vCenter Server, but you should ensure the View Composer service is running first. View Composer supports both 32-bit and 64-bit versions of SQL and Oracle. In addition, VMware View 5.1 can be installed on a separate server, or with vCenter. In View 5.1, View Composer creates a self-signed certificate during installation, so a certificate exchange is done when configuring View to communicate with View Composer. It is also a good idea to ensure you can resolve the vCenter hostname from the Connection Server. You should do a forward-and-reverse lookup using the hostname and then IP. This can easily be done by running nslookup from the command prompt.

To install View Composer on vCenter, follow these steps:

  1. Click Next on the installation wizard screen.
  2. Click Next on the end user patent agreement.
  3. Accept the license agreement and click Next.
  4. Accept the default path for the installation and click Next.
  5. Type in the name of the ODBC connection you created, as shown in Figure 3.67. You have the option of specifying a username and password. By default, the connection uses Windows NT integrated security. You should avoid hard-coding a password and ID because doing so creates a major security weakness.

    Figure 3.67

    Figure 3.67. Specify the DSN connection.

  6. Accept the default port and have the installer create an SSL certificate, as shown in Figure 3.68.

    Figure 3.68

    Figure 3.68. SOAP port.

  7. Click Install to install the View Composer service, as shown in Figure 3.69, and click Finish when it is complete.

    Figure 3.69

    Figure 3.69. Click Install.

Adding vCenter Server

You are now ready to add vCenter Server to the View Connection Server. Under View Configuration and Servers in the right pane, click the Add button to configure your vCenter Server connection, as shown in Figure 3.70.

Figure 3.70

Figure 3.70. Add vCenter Server.

Specify the Fully Qualified Domain Name (FQDN) of your vCenter Server and the VMware View Service Account name created in Chapter 2, “VMware View Architecture.” Enable View Composer because you have verified that the Composer service is running on the vCenter Server, as shown in Figure 3.71. It is important for View Composer connectivity that you use the format [Domain\User Name], but the vCenter connectivity accepts User Name only. For consistency, it is best to use the same format in both.

Figure 3.71

Figure 3.71. Add vCenter Server.

Click Add under Domains in the View Composer Settings, as shown in Figure 3.71. Then add the domain information in the Add Domain box, as shown in Figure 3.72. This enables the management of computer accounts in the Active Directory. Click OK and OK again to save the configuration.

Figure 3.72

Figure 3.72. Enter domain information.

You should now see the vCenter Server and your first Connection Server as part of the configuration, as shown in Figure 3.73.

Figure 3.73

Figure 3.73. vCenter Server is added.

To ensure reliability, you should install a second View Server. For a PoC, you could use any one of the methods discussed to ensure a single connection broker such as VMware FT or vSphere VM HA is highly available. Keep in mind that VMware FT is limited to a single vCPU at this point in time. VMware recommends that two vCPUs be used for a View Connection Server, so it would not be suitable for a production deployment. For production, you want at least two View Servers that use an appliance-based load balancer such as F5. The process to install the second View Server is identical to the first, except that the second server is a Replica Server. The second Replica Server points to the first View Connection Server, as you can see in Figure 3.74.

Figure 3.74

Figure 3.74. Adding a second View Connection Server.

Configuring the Transfer Server

If you intend to use local mode VMs, you need to set up a Transfer Server and image repository. After setting up a Transfer Server and repository, you publish a desktop for offline mode. The publishing process copies the base image into the image repository.

Local mode allows users to check out, check in, roll back, and back up the local mode VM. When the user checks out a VM, a copy of the base image is copied out of the image repository on the Transfer Server and placed on the user’s local desktop hard drive. The virtual desktops are made up of a base image and a delta file. All changes are recorded in the delta file, and it is this file that is used to facilitate the functionality of the other three options. When the virtual desktop is checked out, the base and delta files are downloaded to the user’s desktop and disk files are locked within the vCenter Server so that no changes can be made to the original source files.

Local mode can be a good option for roaming users who need to get work done both online and offline. It also is ideal if you have a remote branch with slow access to the datacenter. Local mode does enable you to copy any changes back the centralized VMware View environment to ensure that the local VM and locked VM stay in sync.

Checking in synchronizes the delta files stored locally to the one located in the VMware View environment and then deletes the base image on the local desktop and unlocks the files within the virtualization environment for use.

Rolling back does not synchronize; it simply deletes both files on the local user drive and unlocks the files within the virtualization environment for use.

Backing up synchronizes the delta files stored locally and the ones located in the View environment; however, it does not unlock the centrally stored files because a backup allows the local mode VM to keep running or remain primary for the user.

The process for setting up the Transfer Server is similar to the installation of the Connection Server. There are a few things to keep in mind if you are planning on using a virtual machine as the Transfer Server. Each Transfer Server can handle a maximum of 20 check-in or check-out requests according to VMware (http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.installation.doc/GUID-1A3719FC-C75A-4ED9-B5D3-70334150BD39.html). After they are added to the View Configuration, they are disabled from DRS. In addition, the servers are configured with an additional three SCSI LSI Logic Parallel controllers to allow them to handle more user requests, as shown in Figure 3.75.

Figure 3.75

Figure 3.75. Three additional LSI Logic SCSI controllers are added for a total of four.

If you are deploying the Transfer Server as a new VM, select the LSI Logic adapter, as shown in Figure 3.76.

Figure 3.76

Figure 3.76. You must use the LSI Logic adapter.

To install the Transfer Server, follow these instructions

  1. Launch the Connection Server Installer and click Next.
  2. Click Next on the patent agreement screen.
  3. Accept the license agreement and click Next.
  4. Accept the default location and click Next.
  5. Select View Transfer Server and click Next.
  6. On the Transfer Server Configuration screen, provide the name of the domain, server, and email address of the administrator.
  7. If the firewall is enabled, select Configure Firewall Automatically; otherwise, skip this step.
  8. Click Install and then Finish.

Adding the Transfer Server

To add a Transfer Server, you must first add the Transfer Server and then add the virtual machine storage repository as follows:

  1. Log in to the View Connection Server using the View Administrator Console.
  2. Under View Configuration, select Server and select Add Transfer Server.
  3. Ensure your vCenter Server is listed as the source for the Transfer Server and click Next.
  4. The utility queries the inventory of VMs, or you can manually enter the name.
  5. Select your Transfer Server and click Finish.

Adding the Image Repository

After adding the Transfer Server, you need to add an image repository. The image repository is the place where VMDKs are copied and stored so that they are available for check-out.

To add a storage repository, complete the following steps:

  1. Log in to the View Connection Server using the View Administrator Console.
  2. Under Transfer Server Repository, click Edit to add the image repository information. You can specify a repository stored locally on a Transfer Server or on a centralized file share.

Publishing Virtual Machine for Offline Mode

To publish a VM for offline mode, you need to create a desktop virtual machine and take a snapshot to create the delta disk. After creating the snapshot, you can publish this virtual desktop for use as a local mode VM as follows:

  1. Log in to the View Connection Server using the View Administrator Console.
  2. Under Transfer Server Repository and under Content, select Publish.
  3. Select Snapshot Created Off Your Base Image.

The Event Database

The Event Database was introduced in VMware View 4.5 to allow you to store any event that occurs in the View environment to an external database. Adding an Event Database is optional but highly recommended. It is difficult to manage the Connection Server without the Event Database, which can be a key source of information when you are troubleshooting issues. The database is supported on Microsoft SQL Server or the Oracle database. You can create an Event Database by first creating the database in SQL and then configuring the connection within VMware View. With the Event Database, unlike other database configurations, you don’t need to create an ODBC connection. You simply add the connection information to View. The Event Database requires local SQL authentication, so the first step is to create a local SQL account and ensure it has the appropriate access to the Event Database. You can create a local SQL account using the following procedure:

  1. Open SQL Management Studio and connect to your database instance.
  2. Open the Security and then the Logins modules.
  3. Right-click Login and select New Login.
  4. Under the General Settings, ensure SQL Server authentication.
  5. Provide a login name such as svc_Events and provide a password. Note: SQL 2008 requires this to be a complex password, so stay away from any dictionary words.
  6. Retype the password to confirm it.
  7. Because this is a service account, deselect the following:

    • Enforce Password Policy
    • Enforce Password Expiration
    • User Must Change Password at the Next Login
  8. Under the default database, select your Event Database, such as vEvents.
  9. Select the User Mapping page.
  10. Select db_owner in addition to the default public access and click OK.

After creating the local SQL account, you can then add the Event Database from the View Administrator Console. Under View Configuration select Event Configuration.

Provide the name of your database server, the type, and a user ID in the fields shown in Figure 3.77 to connect. The table prefix ensures that the Event Database can be unique to this collection of VMware View Servers. If you have another site, both can use the same database service because the table prefix is unique. You have to provide a prefix, however, if you have only a single site for VMware View Servers.

Figure 3.77

Figure 3.77. Add an Event Database.

After you connect the Event Database, you can set the period in which events appear in the console and the duration in which events are considered new, as shown in Figure 3.78. After you have the settings configured, click OK.

Figure 3.78

Figure 3.78. Set the event display options.

Persona Management

Persona Management, which is new to VMware View 5, allows you to deliver, synchronize, and manage user profiles. Persona Management came from a licensing and co-development agreement with RTO Software (http://www.vmware.com/company/news/releases/rto-vmworld09.html). It can be used as a replacement or an enhancement to Windows profiles. The difference between Persona Management and Windows profiles is that only the registry information that is required for the user to log in is downloaded, not the entire profile. As the user opens additional applications, the remaining files are downloaded. The minimalistic approach to data at the start keeps the user logon process quick and streamlined. Like Windows profiles, this feature uses a file server or CIFS share to ensure the user data is centralized. Persona Management also gives you finer control of the synchronization of data between the local user session and the storage repository. By default, this happens every 10 minutes but can be adjusted.

Prior to Persona Management, VMware View offered user data disks, which have now become persistent attached disks. A persistent attached disk is a second VMDK where any user writes (including the profile) could be stored. The only challenge with a secondary drive approach is that the information is local and associated with a virtual desktop versus centrally available. You can now use both of these technologies to essentially provide a local user cache. You can use the user persistent disk to provide a local user repository for linked clones or Composer-created View desktops and Persona to make sure the changes are synced centrally so that they are preserved in case the virtual machine drives are lost. You should ensure the local Persona persists between logoffs, so do not enable the Remove Local Persona at Log Off setting in this case. We review this topic more in Chapter 6.

The nice thing about Persona Management is that it applies to both physical and virtual desktops as of VMware View 5.1. Keep in mind that if you are using shared server-based desktops (TS Servers), Persona Management is not supported. If you have users accessing View desktops using Persona Management and Windows roaming profiles on regular desktops, the best solution prior to 5.1 was to separate them. Now you can use a single Persona profile. If you are using a combination of Windows and View profiles, the View desktops can be configured to override an existing Windows profile in the configuration settings. This ensures that the Windows roaming profiles don’t overwrite Persona profile settings when the user logs out.

Outside the file server requirement, Persona Management does not require any additional infrastructure because it can be installed with the View Agent on the virtual or physical desktop. The configuration of Persona Management is managed through an Active Directory Administrative template, which can be imported into the OU that you are deploying the virtual machines to or the local policy settings of the virtual desktop. The Administrative template is located on the View Connection Server:

<install_directory>\VMware\VMwareView\Server\extras\GroupPolicyFiles\ViewPM.adm

To import these policies into the AD, follow these steps:

  1. Open your Group Policy Management Console.
  2. Right-click your View Desktop OU and create or link a GPO policy.
  3. Enter a name such as View Persona Management Policy.
  4. Right-click the new policy and select Edit.
  5. Browse to Administrative Templates and select Add/Remove Templates.
  6. Click Add again, browse to the location on the View Server, and select the ViewPM.adm template.
  7. Expand Administrative Templates and VMware View Agent Configuration and Persona Management.

To import these policies into the local user policy, follow these steps:

  1. Open Local Security Policy.
  2. Right-click Administrative Templates and click Add\Remove Templates.
  3. Click Add again, browse to the location on the View Server, and select the ViewPM.adm template.
  4. Expand Administrative Templates and VMware View Agent Configuration and Persona Management.

Security Servers

Security Servers are another type of View Server but designed to be deployed to simplify remote access. Because they are usually deployed in a DMZ situation, they are not required to be part of the Active Directory. They reduce the number of connections that are required to be open on the forward-facing firewall of a DMZ (demilitarized zone) and corporate or internal firewall. Each Security Server is paired with a specific Connection Server, so if you are load balancing two Security Servers in the DMZ, you require two View Servers deployed internally.

New in VMware View 5 is the capability to proxy PCoIP. Prior to version 5, only the Remote Desktop Protocol (RDP) was available through a Security Server. To work, the connections must be tunneled through the Security Servers. Typically, the Security Servers are deployed in a DMZ and should be load balanced behind an appliance-based firewall such as F5, as shown in Figure 3.79. If you are load balancing the Security Servers, you should not load balance the connectivity from the Security Servers to the Connection Servers because there is a one-to-one relationship between Security Servers and Connection Servers.

Figure 3.79

Figure 3.79. Security Servers are deployed in the DMZ.

Firewall Rules

To allow the traffic to pass through the external firewall to your Security Server, you should translate the external IP to the internal IP and ensure the required ports are open using NAT. You can find a detailed network flow diagram in the View 5 Architecture planning guide starting on page 61; it is downloadable from http://pubs.vmware.com/view-50/topic/com.vmware.ICbase/PDF/view-50-architecture-planning.pdf. The following ports need to be open:

  1. PCoIP traffic between the View Client and Security Server (External)

    1. TCP 443 for the website
    2. TCP 4172 from Client to Security Server
    3. UDP 4172 between client and security server in both directions

    To allow the traffic to pass, you must set the following rules on the internal firewall.

  2. PCoIP traffic between the View Security Server and Virtual Desktop (Internal)

    1. TCP 4172 from Security Server to virtual desktop
    2. UDP 4172 from Security Server to virtual desktop in both directions

You must set up several things for the Security Server to work properly. The first consideration is the external URL. If you are going to provide access to a View environment remotely, you must register a public-facing IP address and register it in DNS. Let’s use the example of access.virtualguru.org. The DNS name is important because during the configuration of the Security Server, you configure it to respond to this external URL versus its own hostname. Although we discuss straight installation in this chapter, it is not typical that remote access is offered with single-factor authentication. It should always be combined with a two-factor authentication method such as RSA.

Adding the Security Servers

The first thing you should do is define a pairing password, which you do from the View Connection Server, not the Security Server.

First, log in to the View Connection Server. Then, under View Connection Servers, select the More Commands button, as shown in Figure 3.80.

Figure 3.80

Figure 3.80. Add the Security Server.

Specify the Security Server pairing password, confirm the password and set the password timeout. You should specify a short amount of time for security reasons and also ensure that the Security Server pairing is done before the expiry.

Now you can install your Security Server using the following steps:

  1. Launch the Connection Server Installer and click Next.
  2. Click Next on the patent agreement screen.
  3. Accept the license agreement and click Next.
  4. Accept the default location and click Next.
  5. Select View Security Server and click Next.
  6. Provide the IP or hostname of the Connection Server to which this Security Server will be associated and click Next.
  7. Provide the pairing password you configured in the View Server and click Next.
  8. Specify the external URL that this Security Server should respond to—for example, access.virtualguru.org—and also the IP address that this DNS name is registered to for PCoIP connections. Then click Next.
  9. Allow the installer to automatically configure the firewall. I recommend that you definitely leave the firewall intact when deploying the Security Server Security Server in the DMZ and click Next.
  10. Click Install and then Finish.

If you are going to tunnel PCoIP, you must tell the View Server paired with the Security Server to use PCoIP Secure Gateway for PCoIP to desktop. Under the View Server, select Edit and ensure User PCoIP Secure Gateway for PCoIP Connections to Desktop is selected. The Use Secure Tunnel Connection to Desktop setting is the default and should be left as is, as shown in Figure 3.81. The External URL and PCoIP External URL point to themselves for the internal View Server, which is fine. Only the Security Server needs to respond to the external IP addresses.

Figure 3.81

Figure 3.81. Enable the PCoIP Secure Gateway.

After the gateway is properly installed, if you refresh the View Administrator Console under Security Servers, you should see your server there, as shown in Figure 3.82.

Figure 3.82

Figure 3.82. View your Security Servers.

If you need to change the External URL or IP for tunneling PCoIP, you can click Edit on the Security Server.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020