DEPLOYMENT GUIDE
VMware View 4
Table of Contents
Abstract
About this Guide
Contents
Intended Audience
Introduction
VMware View Components
Network Scenarios
Procedure
Procedure
Procedures
More Information
Deploying Scripts
Deletion Scripts
More Information
Procedure
More Information
Procedure
End-to-End Monitoring
Procedure
Technical Support
About Authors
Abstract
This guide provides supplemental information to the VMware View Manager Administration Guide to assist
in configuring and deploying VMware View 4. This document describes various deployment scenarios for
intermediate and advanced administrators planning to deploy VMware View 4.
Contents
This guide is organized by the following topics:
VMware View Components
VMware View with PCoIP
Worker Scenario and Types
VMware View Administration
Additional Resources
Intended Audience
This document is designed for information technology professionals who are responsible for deploying desktop
or application virtualization for their companies, such as systems administrators responsible for planning and
deploying the VMware View platform.
Introduction
Before advancing with the procedures referenced in this guide, ensure your organization meets the necessary
component prerequisites. Read the VMware View Manager Administration Guide to become familiar with
VMware View components.
View Manager is an umbrella name for general VMware View administration components. The key product
components included are:
View Agent in the guest desktop
View Connection Server served as a desktop broker service
View Client in the local endpoint as the access conduit
As you can see in Figure 1, VMware View features cover three areas, including:
User experience enhancement
Unified View management
Platform upgrade to VMware vSphere
DEFINITION
View Agent
View Client
View Administrator
View Composer
Note: this document will not cover View Portal, offline desktop, or other technical preview features.
Table 2 provides a brief description of the installation procedures and the corresponding components discussed
in this guide. Reviewing these descriptions will help to clarify the interaction of the components.
PROCEDURE
Domain Administrator
Local Machine Administrator
Reference the XP Deployment Guide:
http://www.vmware.com/files/pdf/XP_guide_vdi.pdf
Domain Administrator
Local Machine Administrator
Make sure you join the virtual machine to the domain and execute
ipconfig /release prior to converting the virtual machine to a template.
You can also use GPO scripting during the Linked Clone process.
Domain Administrator
Local Machine Administrator
Domain Administrator
Local Machine Administrator
Domain Administrator
Local Machine Administrator
a. vCenter
b. View Connection Server, optional Replica or Security Server (Note the View Connection Server cannot
be installed within vCenter)
d. Identify Domain Name Server and Active Directory as VMware View 4 continues the tight integration
with ADAM
[Figure: diagram of VMware View with PCoIP. Labels: Datacenter; Network; Rack Workstations; Blade PCs; Knowledge worker; Task worker; Virtual Desktop; 1:n; PCoIP Hardware; PCoIP portals; PCoIP-enabled displays; VMware View w/ PCoIP Protocol.]
To launch View Client in fully scripted mode (that is, with all connection, user, and desktop criteria provided),
enter the following:
"C:\Program Files\VMware\VMware View\Client\bin\wswc" -serverURL <server> -userName <username> -password <password> -domainName <domain> -desktopName <desktop>
The SSO vendor can invoke the direct connection by embedding the commands. Because the password is supplied as a
command-line argument, it is visible in the process command line on the endpoint while the client runs.
With VMware View, users can access entitled desktops, applications, data, and user settings regardless of the
location they connect from, in either WAN or LAN scenarios.
Mobile Worker Scenario
Mobile workers or road warriors travel most of the time and are usually accessing from outside the corporate
network. Mobile workers need to be able to connect to the corporate network on demand.
VMware View Features
Deploy View Security Server with RDP
Deploy SSL VPN for VMware View
Mobile access using Wyse Pocket Cloud iPhone application to access Security Server
VMware View provides a connection to the corporate network with direct access to the desktop via SSL with
AES 128-bit encryption of corporate data. Security server and SSL VPN provide SSL offload. Mobile workers can
access their desktops from anywhere.
Contractor Worker Scenario
Contractors often work through unmanaged endpoints with unrestricted access to the corporate system.
VMware View Features
Tag-based entitlement
USB device usage and network access control
Smart card deployment with certificate authentication
Useful Group Policy (GPO) to ensure data security
Work At Home Scenario
Home workers have a similar requirement to workers on the road. The enterprise allows users to access all data
and applications through a VPN or SSL VPN using a two factor authentication device.
VMware View Features
For connection to the corporate environment through Remote Desktop Protocol (RDP), VMware View
supports protocol choice: Microsoft RDP, VMware View with PCoIP, HP RGS, and so on. The choice is
configured during desktop provisioning and can be modified after provisioning to fit the user profile.
RSA Authentication Manager and SecurID token (both hard and software tokens).
SSL VPN router configuration for PCoIP and RDP.
Network Scenarios
The deployment samples covered in this section are not intended to be used as an official recommendation
or a set solution. Real-world deployments will vary depending on your hardware and system configurations.
You may require additional machines to run certain components as the network grows and Internet requests
increase. More powerful machines may be needed for higher traffic.
In general, one standalone vCenter can service 2,000 desktops in the best system configuration scenario. One
Connection Server might scale from 500 to 1,000 desktops. On the server host end, the ESX server scales to
about four to five desktops per core in conservative terms. This will vary based on your physical host architecture
and hardware configurations. For a state of the art configuration like Intel Nehalem and vSphere, you might see
8-15 desktops per core. Note the numbers used in this document are for deployment reference only.
Figure 4 shows a sample deployment setup for a network of 500 desktops. Each Security Server in the DMZ
has a matching Connection Server. To ensure high availability, you can deploy a redundant Security Server
along with VMware HA or other HA software to ensure the service is always up and running.
If your deployment is for outsourced or remote office locations, you can consider putting Active Directory outside
of all the datacenters and make sure it is trusted and can be synchronized by the Connection Server instances.
Note the network core load balances incoming requests across View Connection Server instances. Support for
a redundancy and failover mechanism, usually at the network level, prevents the load balancer from becoming
a single point of failure. For example, the Virtual Router Redundancy Protocol (VRRP) communicates with the
load balancer to add redundancy and failover capability. This information is also available in the VMware View
Architecture Planning Guide.
If a View Connection Server instance fails or becomes unresponsive during an active session, users do not lose
data. Desktop states are preserved in the virtual machine desktop so that users can connect to a different View
Connection Server instance and their desktop session resumes from where it was when the failure occurred.
This sample environment has four connection servers, two security servers, and one View composer. Two
connection brokers are load-balanced via F5 load balancers for internal user connections. The remaining two
are paired with two load-balanced security servers for users connecting through the external cloud using RSA
authentication.
Procedure
Upgrade
The upgrade should be performed during periods of low system usage. To determine when that might be, check
the monitor for your host usage and find a time period when it is used the least. Note that during the upgrade,
you should not provision or clone any virtual machines.
1. Take a snapshot of all seven servers (View Composer, CS1 to CS4, SS1, and SS2).
2. Upgrade View Composer first.
3. Configure LB1 so that all connections go through only SS2. Upgrade CS1 and then upgrade SS1. Test by
directing the client directly to SS1. (You might not need this step. For example, when an SS is shut down, the LB will
figure out that one SS is down and send all the requests through the other SS.)
4. Now configure LB1 so that all connections go through only SS1. Upgrade CS2 and then upgrade SS2. Test
by directing the client directly to SS2.
5. Restore LB1's original configuration.
6. Configure LB2 so that all connections go through only CS4. Upgrade CS3. Test by directing the client directly
to CS3.
7. Now configure LB2 so that all connections go through only CS3. Upgrade CS4. Test by directing the client directly
to CS4.
8. Restore LB2's original configuration.
Upgrade the Agents
For linked-clone pools: Create a snapshot of the master virtual machine. Install the new agent and then
recompose all the virtual machines in the pool with this new snapshot.
For full clone pools: Use any third-party management software to upgrade the agent on all the desktops.
Upgrade the Client
The user should update the client accordingly. The user can download the latest View Client executables from
a Web site and then upgrade the client. Note users will be prompted to confirm installing a USB virtual driver
during installation. Select confirm and continue to finish the installation.
Procedure
Set up a domain CA
Promote and install the IIS Web server in the domain CA. In the demo deployment, we use view4ca as
the name of the CA.
Add templates as shown in the following screenshot. You can install a new template by right-clicking
Certificate Template and selecting New to add a template you don't see in your list.
The above cernew.cer is the CA certificate. You can download it from http://<CA>/certsrv/certcarc.asp within
the View Connection Server.
Once the trust.key is created from the keytool command, the introduction between CA and Connection Server
is almost complete. Copy the trust.key to the C:/VMware/VMware View/sslgateway/conf directory and manually
create a locked.properties file in the same directory.
Ensure there are no typographical errors in the locked.properties file when you type its entries manually.
Issue a user certificate on behalf of the other user in the domain as an administrator. This step could have
been done at the same time you created the enrollment agent earlier. Make sure your smart card reader has a
direct connection to the enrollment agent so you can issue and install the certificate directly to the card.
Configure View Manager to accept smart card as the authentication method. Log in to View Manager with
Administrator credentials. Under the Configuration tab, select Servers, and then go to the View Connection
Server instance where smart card authentication is required.
If you have multiple View Connection Servers that share the same trust.key and locked.properties, you
can duplicate the keytool command in each server or copy those two files over to the <View Installation
directory>/sslgateway/conf directory as mentioned earlier.
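A check for the files described above, as an added example that is not part of the original guide: it parses locked.properties, flags missing or unrecognised keys, confirms the keystore it names exists, and returns SHA-256 hashes so the copies on several View Connection Servers can be compared. The property names trustKeyfile, trustStoretype and useCertAuth are taken from the VMware View Manager Administration Guide rather than from this page, and the function name and the demo directory are hypothetical.

```powershell
# Added example (not from the guide): validate the smart card trust files in
# <View Installation directory>\sslgateway\conf on one View Connection Server.
# ASSUMPTION: the three property names below come from the VMware View Manager
# Administration Guide, not from this page; confirm them for your release.

function Test-ViewSmartCardConf {
    param(
        # Full path of the sslgateway\conf directory on this server.
        [Parameter(Mandatory = $true)][string]$ConfDir
    )
    $expectedKeys   = 'trustKeyfile', 'trustStoretype', 'useCertAuth'
    $expectedValues = @{ trustStoretype = 'JKS'; useCertAuth = 'true' }
    $problems = [System.Collections.Generic.List[string]]::new()
    $hashes   = @{}

    $propsPath = Join-Path $ConfDir 'locked.properties'
    if (-not (Test-Path -LiteralPath $propsPath -PathType Leaf)) {
        $problems.Add("locked.properties not found in $ConfDir")
        return New-Object psobject -Property @{
            Server = $env:COMPUTERNAME; Problems = $problems; Sha256 = $hashes }
    }

    # Java property keys are case-sensitive, so store them in an ordinal dictionary.
    $props = [System.Collections.Generic.Dictionary[string,string]]::new(
        [System.StringComparer]::Ordinal)
    foreach ($line in Get-Content -LiteralPath $propsPath) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $idx = $t.IndexOf('=')
        if ($idx -lt 1) { $problems.Add("Not a key=value line: '$t'"); continue }
        $props[$t.Substring(0, $idx).Trim()] = $t.Substring($idx + 1).Trim()
    }

    # A mis-typed or mis-cased key is ignored by the server, so report both sides:
    # keys that are present but unrecognised, and expected keys that are absent.
    foreach ($k in $props.Keys) {
        if ($expectedKeys -cnotcontains $k) {
            $problems.Add("Unrecognised key '$k' (check spelling and case)")
        }
    }
    foreach ($k in $expectedKeys) {
        if (-not $props.ContainsKey($k)) { $problems.Add("Missing key '$k'"); continue }
        if ($expectedValues.ContainsKey($k) -and $props[$k] -ne $expectedValues[$k]) {
            $problems.Add("$k is '$($props[$k])', expected '$($expectedValues[$k])'")
        }
    }

    # The keystore named by trustKeyfile must sit in the same directory.
    $files = @($propsPath)
    if ($props.ContainsKey('trustKeyfile')) {
        $ks = Join-Path $ConfDir $props['trustKeyfile']
        if (Test-Path -LiteralPath $ks -PathType Leaf) { $files += $ks }
        else { $problems.Add("Keystore '$ks' named by trustKeyfile does not exist") }
    }

    # Hashes let you confirm that every Connection Server holds identical copies.
    foreach ($f in $files) {
        $hashes[(Split-Path $f -Leaf)] = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    }
    New-Object psobject -Property @{
        Server = $env:COMPUTERNAME; Problems = $problems; Sha256 = $hashes }
}

# Constructed sample: a throwaway conf directory whose locked.properties has a
# deliberately mis-cased key, and a placeholder file standing in for trust.key.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'view-conf-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'trust.key') -Value 'placeholder, not a real keystore'
Set-Content -Path (Join-Path $demo 'locked.properties') -Value @(
    'trustKeyfile=trust.key'
    'trustStoretype=JKS'
    'usecertauth=true'
)
$result = Test-ViewSmartCardConf -ConfDir $demo
$result.Problems
$result.Sha256
```

Run the function on each Connection Server against its real conf directory and compare the Sha256 values between servers.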
3. A challenge dialog box is presented for the PIN or password if this is the initial login event within some
defined window of time.
When the client reconnects to a virtual session, the SSO agent (within the virtual session) is responsible for
running the location awareness scripts. The location awareness scripts propagate the updated hostname of the
device to applications that change behavior based on where the user logs in from, such as printers or patient
lists in a healthcare setting.
Desktop Lock/Unlock
The desktop for a virtual session can be manually locked and unlocked by using a hot key, by tapping the
same card to the reader, or through an SSO policy trigger. The SSO agent within the client responds to the hot
key input as well as card reader input to lock the desktop, but leaves View Client connected. The Client is in
standby mode, ready for either the same user to return to it or for a reconnection from a different client. If the
virtual session is pulled to another device, the client is automatically locked and left in its initial kiosk login state.
View Client
View Client uses a proprietary Simple Object Access Protocol (SOAP) to communicate with the View Manager.
View Client starts a new session or reconnects to an existing session within the ESX host and seamlessly logs in
through the View Agent. View Agent enforces the policy settings and configuration set by the View Manager to
deny direct logins to a session. This protects running sessions from being accessed over the network unless the
user is authenticated first by View Manager.
Session Startup
Figure 11 displays the SSO implementation flow:
When the system starts up, the client machine automatically logs into a local account and launches the SSO
Client (0).
The kiosk login dialog box indicates that the SSO software is monitoring attached devices and is ready to
accept user logins. Once a user has logged in successfully (using whatever modality is allowed), the Session
Management scripts (2) control the process of obtaining the user's Active Directory (AD) credentials from the
SSO Appliance (1) and passing them to the View Client (3) via the command line.
The View Client uses the AD credentials to authenticate and allow View Manager (4) to obtain the default or
list of desktops together with their status if they are already running.
With View Manager, the View Client can connect to either a newly started session (if none exists for the user)
or a previously running persistent session (7).
View Client over the Remote Desktop Protocol (RDP) (5) interfaces with the View Agent (6) running within
the session to SSO into the session, bypassing the need for users to enter their AD credentials again.
SSO Agent (8) chains into the View Agent to obtain the user authentication data and to log in to the SSO
server appliance (1).
Each time the View Client connects or reconnects to the session, the SSO Agent is responsible for launching
startup scripts that run the location awareness scripts. These scripts update relevant environment variables or
call functions to notify applications of the change in client location.
Session Locking
Session locking can result from direct user action (for example, pressing the hot key), inactivity at the client,
movement away from the field of view of the secure walk-away camera, or when the active session roams to
another client machine. These events are monitored by the SSO client on the client machine and result in the
locking of the client machine but not termination of the VMware View session. This leaves the client machine
ready to quickly unlock and redisplay the virtual desktop should the same user return and re-authenticate.
Note: In the initial VMware View 4 release, a new smart card removal policy is available. In the View
Administration console, set the View Client to disconnect from the Connection Server when the smart card is
removed during the session. If the user logs back in within the allotted period of time, the Connection Server will
connect the user back to the existing session. This is only applicable to RDP.
When an active session roams to another client, the session manager detects the active View Client session is
terminating and the desktop automatically locks. This automatic desktop lock ensures a client machine cannot
be left with an open session if the user reconnects to it from somewhere else.
Depending on the policy in effect and whether secure walk-away is enabled, re-authentication can entail either:
1. Presentation of login credentials (password, OTP, proximity card, smart card, or fingerprint)
2. Presentation of the proximity card alone if the authentication grace-period is allowed
3. Return of the same user to the secure walk-away camera
To prevent the SSO agent within the virtual session from locking the desktop due to user inactivity, disable
inactivity locking for virtual sessions. Otherwise, the user could encounter a situation where the SSO Client
locks the desktop and the desktop for the virtual session as well.
Session Switching
When a different user attempts to use a client with an active View Session, the SSO Client authenticates
the user and uses the Session Management scripts to manage the transition. The script establishes if the
authenticated user is the same as the user with the active session and whether to launch a new View Client
session for the new user. To prevent the new user from seeing the active View Client, the script immediately
hides the screen and then launches another View Client for the new user while terminating the previous
View Client. With this script, the transition can occur quickly, smoothly, and with no possible bleed through
between sessions.
Location Awareness
Each time a user reconnects to a persistent session, View Client launches a script within the hosted session
to notify the applications and the system of the change in the client location (or hostname). Typically the
CLIENTNAME environment variable is updated with the host or MAC address of the VMware View Client.
Note: A Microsoft hot fix is required to make sure the CLIENTNAME variable is updated following a disconnect/
reconnect. The location aware script is responsible for registering the current client location and tracking the
changes between reconnects to update applications that are location aware.
The above SSO information describes the Follow Me Desktop demo shown at VMworld 2009. The vendor
solution used for that demo was Imprivata's OneSign Single Sign-on. VMware View offers a platform that
can be easily implemented by major SSO partners. If you implement a basic username and password (AD
credentials) to log in to a virtual session, you can configure Login as the currently logged-in user during the
View Client and View Agent installations.
References
Imprivata http://www.imprivata.com/
Healthcast http://www.gohealthcast.com/
Sentillion http://www.sentillion.com/
CA http://www.ca.com/us/products/product.aspx?ID=166
Cerner http://www.cerner.com/public/
The template files that accompany View Manager are described below:
vdm_agent.adm contains properties relating to the authentication and environmental components of a client
desktop controlled by View Agent
vdm_client.adm contains properties relating to the configuration parameters of View Client
vdm_server.adm contains properties relating to View Connection Server
vdm_common.adm contains properties relating to all components of View Manager
Procedures
The GPO template files are stored in the following location:
C:\Program Files\VMware\VMware View\Server\Extras\GroupPolicyFiles
Microsoft TechNet provides detailed guidance on how to load GPO templates directly into Active Directory:
http://technet.microsoft.com/en-us/library/cc728217.aspx
Note: The above information is abstracted from the VMware View Manager Administration Guide. Go to page
190 for configuration properties that you can use with GPO.
The following example is a sample script deployment of GPO used to join a virtual machine to a particular
Organizational Unit (OU).
1. Create a non-persistent pool with 10 virtual machines to be automatically created and made available.
2. Prepare the template using customization specifications. Go to vCenter > Edit > Customization
Specifications.
a. Make sure the computer name uses the virtual machine name.
b. Run the batch or Visual Basic script once at login and copy it to local drive C:\ or the template so you
can reference it as C:\script.bat or C:\script.vbs. For example, you can have a script function that
moves the computer object to the desired OU.
3. When each virtual machine is cloned from the template, the GPO can move the virtual machine into a
particular OU within Active Directory.
More Information
Matt Broadstock Blog
http://www.blogcastrepository.com/blogcasts/folders/scripts/entry768.aspx
Active Directory GPO for automated provisioned machines and script sample
http://communities.vmware.com/message/860235#860235
How to use sysprep to automate successful deployment of Windows XP
http://support.microsoft.com/kb/302577
Deploying Scripts
In View Manager 3.1 release and later, there is an option on the QuickPrep page when you create desktop pools
to run a power-off script using command shell or PowerShell scripts. When using View Composer, it is likely you
will be doing a recompose and refresh operation that affects the linked clones off of the C: drive. View Manager
requires domain administrator credentials for the target domain.
<screen enter credentials>
You can deploy scripts to perform the following sample functions:
Create file share
Join the computer to the domain
Push certain ThinApp executables to a certain directory or file share
Select the domain name and user name from the QuickPrep domain drop-down menu.
You can specify these credentials when you add or edit your VirtualCenter server settings.
If you want a script to run on the desktops before they are powered off, you can enter the path to a batch or
command script on the parent virtual machine in the power-off script field when you provision a desktop pool.
Note the scripts are not validated by View Composer. It is recommended you deploy the script in one sample
virtual machine before large-scale deployment. Enter the Active Directory container relative distinguished name
(for example, CN=Computers).
In some circumstances, the View Composer Agent may need to initiate a reboot of the clone immediately after
the clone was created, refreshed, or recomposed. In this situation, the power-off script may be executed.
Deletion Scripts
Deletion scripts, introduced in VMware View 4, are invoked when a virtual machine is deleted. This enables you
to run scripts to remove Active Directory or database entries that reference the deleted machine. The script can
be executed at the user account level rather than system-wide.
The registry configuration needs to be set to invoke a script. The script key name in the registry path is
VDMREGPATH\ScriptEvents\<value>. For the virtual machine deletion invocation, <value> should be set to
DeleteVm.
The script event registry key under VDMREGPATH\ScriptEvents\<value> should contain a string value for
each script to run. The name is used for event logging only; the value is the command line of the script to invoke.
The default value on the VDMREGPATH\ScriptEvents key can be set to a numeric value to specify the script timeout
in minutes for all script events. The default value at the ScriptEventName level can also be used to specify or
override the timeout.
When a virtual machine is deleted, upon completion of the pending operation, a service request will be sent to
the Queue Scripts with the hint ScriptEvent. The parameter property bag will contain:
ScriptEventName = DeleteVm
ScriptEnvironmentParams = A property bag containing:
VmName - The name of the virtual machine being deleted
VmDn - The DN (distinguished name) of the virtual machine being deleted
Other variables as available
The scripts run in an environment in which the Connection Server provides the following variables for
deletion script calls.
DELETION SCRIPT VARIABLES
SYNTAX
VDM_DeleteVm_VmName
VDM_DeleteVm_VmDnsName
VDM_DeleteVm_VmDn
VDM_DeleteVm_VmPath
VDM_DeleteVm_PoolDn
VDM_DeleteVm_VcDn
VDM_DeleteVm_VmMac.<index>
VDM_DeleteVm_Error
Script invocation is handled by a new VMware View service called VMware View Script Host. By default,
this service is disabled. IT administrators are required to enable the service when using the deletion script
feature. You are advised to provide an appropriate account for this service to run under.
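A deletion script of the kind described above, as an added example that is not part of the original guide or of VMware's technical note: it reads the variables the Connection Server provides, validates the machine name before using it in a directory query, and removes the matching computer account only from one designated OU. The script path, log path, OU, the use of the ActiveDirectory module, and the treatment of a non-empty VDM_DeleteVm_Error as "log only" are assumptions.

```powershell
# Remove-ViewVmAdObject.ps1 (hypothetical file name). Added example, not VMware code.
# Register it as a string value under VDMREGPATH\ScriptEvents\DeleteVm:
#   value name: RemoveAdComputer   (used for event logging only)
#   value data: powershell.exe -NoProfile -File C:\Scripts\Remove-ViewVmAdObject.ps1 -Apply
# ASSUMPTIONS: the ActiveDirectory PowerShell module is installed, and the account
# running the VMware View Script Host service has delete rights on $DesktopOu only.
param(
    [string]$DesktopOu = 'OU=ViewDesktops,DC=example,DC=com',   # constructed value
    [string]$LogFile   = 'C:\Scripts\Logs\DeleteVm.log',         # constructed value
    [switch]$Apply      # without -Apply the script only logs what it would delete
)

function Write-Log {
    param([string]$Message)
    # Strip line breaks so a variable's content cannot forge extra log entries.
    $clean = $Message -replace '[\r\n]+', ' '
    Add-Content -LiteralPath $LogFile -Value ('{0:u} {1}' -f (Get-Date), $clean)
}

function Get-DeleteVmRequest {
    # Read the variables listed in the guide and validate the machine name.
    $req = [ordered]@{}
    foreach ($n in 'VmName', 'VmDnsName', 'VmDn', 'PoolDn', 'Error') {
        $req[$n] = [Environment]::GetEnvironmentVariable("VDM_DeleteVm_$n")
    }
    # Accept only a NetBIOS-style computer name: 1-15 letters, digits or hyphens.
    $req['Valid'] = [bool]($req['VmName'] -match '^[A-Za-z0-9][A-Za-z0-9-]{0,14}$')
    New-Object psobject -Property $req
}

New-Item -ItemType Directory -Path (Split-Path -Parent $LogFile) -Force | Out-Null
$req = Get-DeleteVmRequest
if (-not $req.Valid) {
    Write-Log 'REJECTED: VDM_DeleteVm_VmName is missing or not a valid computer name'
    exit 1
}

# ASSUMPTION: a non-empty VDM_DeleteVm_Error means View reported a problem with
# the deletion, so the directory object is left for an administrator to review.
if ($req.Error) {
    Write-Log "SKIPPED $($req.VmName): VDM_DeleteVm_Error='$($req.Error)'"
    exit 0
}

Import-Module ActiveDirectory -ErrorAction Stop

# VmName passed the pattern check above, so it cannot alter the filter expression.
# Searching only under $DesktopOu keeps the script away from servers and other
# computer accounts that happen to share a name with a deleted desktop.
$found = @(Get-ADComputer -Filter "Name -eq '$($req.VmName)'" `
    -SearchBase $DesktopOu -SearchScope Subtree)
if ($found.Count -ne 1) {
    Write-Log "SKIPPED $($req.VmName): $($found.Count) matches under $DesktopOu (pool $($req.PoolDn))"
    exit 0
}

if ($Apply) {
    Remove-ADComputer -Identity $found[0] -Confirm:$false -ErrorAction Stop
    Write-Log "DELETED $($found[0].DistinguishedName) (pool $($req.PoolDn))"
} else {
    Write-Log "DRY RUN: would delete $($found[0].DistinguishedName)"
}
```

Register the script without -Apply first and review the log after a test pool deletion, which matches the guide's advice to try scripts on one sample virtual machine before large-scale deployment.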
More Information
For additional details, download the Extending Virtual Machine Deletion with Scripts technical note at:
http://www.vmware.com/resources/techresources/.
[Diagram labels: VMware vSphere hosts with VM1 to VM3; virtual servers EVS, SJCEVS, SFOEVS, OAKEVS; secure virtual servers SJC, SFO, OAK; NFS exports and storage pools for SJC, SFO, OAK and SJC-SFO-OAK; Silicon File System.]
Figure 14: Sample deployment using security NAS to control branch office VMware View desktop access
In this deployment, you can leverage thin provisioning during the virtual desktop template configuration.
vStorage in vSphere features thin-provisioned disks with simple clicks. With thin-provisioned disks, you don't
lose the unused space because the space is not seen as used by VMware until the guest actually writes to it.
VMware View 4 is tightly integrated with backend host features. With View Composer you can create thin
provisioning pools.
Note this sample deployment is not an instruction guide on how to use third party vendor or partner solutions.
It is to be used as a high-level proof of concept only.
Procedure
Set up the BlueArc network configuration
Create the NFS, configure the access policy, and export to the host server
In the vSphere host, prepare a new virtual machine template to use thin provisioning. The checkbox option is
available in the provisioning process.
In the vSphere host, take a snapshot of the virtual machine template for later linked clone use.
VMware linked clones are valuable as they are tightly integrated into View Manager and View Composer and
can reduce initial storage capacity by 90%.
In View Manager, create and add a persistent or non-persistent desktop pool to enable thin provisioning
during linked clone creation. For details on how to create desktops or pools, refer to the details in the
VMware View Manager Administration Guide.
Select NAS storage for the desktop creation. You can select the same datastore or an alternative datastore
for the user data disk. In a non-permanent desktop type, user data is required to reside either in network
attached home directory storage or a VMware datastore.
The simplified procedure shown above highlights the use of combined solutions and the flexibility of creating a
large standalone desktop deployment for distributed locations using one NAS storage.
More Information
VMware vSphere product page
http://www.vmware.com/products/vsphere/
BlueArc NAS
http://www.bluearc.com/
VMware vSphere Thin Provisioning
http://gestaltit.com/all/tech/storage/craig/vmware-vsphere-thin-provisioning/
Comprehensive Virtual Desktop Deployment with NetApp
http://www.vmware.com/files/pdf/partners/netapp-vmware-view-wp.pdf
Why run VMware over NAS?
http://blogs.netapp.com/dave/2007/09/why-run-vmware-.html
Sometimes, when deploying anti-virus protection in a large enterprise network, even the scanning
activities are distributed, and the malware pattern update, download, and scanning tend to increase
network resource overhead.
The VMsafe API is adopted by McAfee and Trend Micro. This test exercise uses Trend Micro Core Protection for
Virtual Machines to monitor all activities in your VMware virtual environment. Virtual machines with real-time
agents monitor file read/write activity and check for file infections. The scanning agent performs on-demand
and scheduled scanning of target virtual machines for file infections.
If it finds that a file is infected, it sends notification messages to pre-defined recipients and takes action on the
virus according to the third-party security product configuration. The activity log records all of the activities of
the system. You can design personal scanning profiles, which save you from having to reconfigure frequently
needed settings. You can even assign multiple scanning options to a profile and use the profile for special
circumstances, for example, scanning incoming files only.
In this deployment, the test deploys two Windows Server 2003 R2 virtual machines (AV1 and AV2).
Virtual machine AV1: Scanning Agent
Virtual machine AV2: Management Console
Figure 17: The management console points to vCenter to obtain the complete virtual machine list
Figure 18: Deploy real-time agents or scanning agents onto virtual machines
You can protect offline snapshot images by installing the scanning agent on the AV1 virtual machine. AV1 then
performs agent-less scanning on the offline images. If you are concerned about real-time malware activity, you
can deploy real-time agents to provide the scanning needed. This gives the virtual environment security
protection and central management consistent with your virtual desktop deployment.
Procedure
Deploy and Configure the View Connection Server
1. Install the View Connection Server.
2. Once installed, log in to the View Manager administration console and configure vCenter to load
virtual machines from your existing environment. Security Server is one of the options during the View
Connection Server installation; it acts as the SSL offload. If you are deploying a quick proof of concept, use
SSL VPN for security and single sign-on.
End-to-End Monitoring
For desktop virtualization, define the virtual hardware, and then encapsulate data by importing your operating
systems, application sets, and user data into the virtual desktop. The virtual desktop is stored in the datacenter
storage arrays. The experience from physical endpoints (View Client) to virtual guest desktop (View Agent)
demonstrates the desktop virtualization deployment integrity including desktop, user data management,
storage, application usage, and network latency.
Figure 20: PCoIP traffic is visible in the appliance through the port mirror on the switch
Procedure
VMware View with PCoIP is a software implementation that leverages both TCP and UDP. The protocol
intelligently chooses the right codec for the right region on the desktop context:
Lossy compression is used for multimedia and streaming audio/video
Lossless compression is used for text and data
For the test setup, you can deploy a typical workload using an automation script such as AutoIT
(http://www.autoitscript.com/autoit3/) that runs standard applications like Microsoft Office, Acrobat PDF,
Windows Media Player with WMV or MPEG contents, YouTube video, or QuickTime movies.
Using a third-party application monitor, you can see the traffic between the client and the virtual desktop, the
end-to-end delay between the two, and where in the infrastructure the network delay occurs.
PCoIP deploys virtual channels for extended capabilities (MMR, printing, USB device re-direction, and so on).
UDP is used for efficient bandwidth and avoids TCP bandwidth limits.
The reliability layer in PCoIP intelligently decides on retransmission by using TCP for connection management
such as session connection, USB permissions, bandwidth or image quality settings, and so on.
Technical Support
As it is impossible to cover all deployment scenarios in this guide, for further proof of concept or technical
assistance, contact desktop-tm@vmware.com or go to the VMware View product page
(http://www.vmware.com/products/view/) for community assistance.
About Authors
Cynthia Hsieh, Senior Technical Marketing Manager, Enterprise Desktop, VMware, Inc.
Rahul Dey, Senior Member of Technical Staff, Enterprise Desktop, VMware, Inc.
Collectively, we would also like to express our appreciation to Mike Pryor, Keith Johnston, Robert Noth, David Ting,
Jim Zhang, and David Messina.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be
trademarks of their respective companies. Item No: VMW_09Q3_DG_VIEW4_USLET_EN_P47_R1