
VMware View 4

DEPLOYMENT GUIDE

Table of Contents
Abstract
About this Guide
Contents
Intended Audience
For More Information
Introduction
VMware View Components
System-Wide Requirements for VMware View
Running VMware View 4 Setup
VMware View with PCoIP
Worker Types and Scenarios
Network Scenarios
Small Networks: 1-500 Desktops
Medium Networks: 500 - 2500 Desktops
Enterprise Network: 5,000 - 10,000 desktops
Migrating Users from a Physical Workstation to VMware View
Upgrading VMware View 3 to VMware View 4
Before You Begin
Procedure
Deploying in a Mixed ESX 3.5 and vSphere Environment
Certificate Authentication Deployment
Before You Begin
Procedure
Deploy Single Sign-on (SSO)
Examine Current Workflows
Virtual Session Workflow
Deploying Group Policy Objects (GPOs)
Procedures
More Information
Deploying Scripts
Before You Begin
Deletion Scripts
Example Deletion Script
More Information
Using Thin-Provisioning with VMware View and NAS
Before You Begin
Procedure
More Information
Deploy VMware View 4 with VMsafe
Before You Begin
For More Information
How to Configure View Security Server Using SSL VPN Router
Before You Begin
Procedure
For More Information
End-to-End Monitoring
Before You Begin
Procedure
For More Information
Technical Support
About Authors


Abstract
This guide provides supplemental information to the VMware View Manager Administration Guide to assist
in configuring and deploying VMware View 4. This document describes various deployment scenarios for
intermediate and advanced administrators planning to deploy VMware View 4.

About this Guide


VMware View 4 allows you to consolidate virtual desktops on datacenter servers and manage operating
systems, applications, and data independently over any network. Whether you are deploying a new VMware
View instance or upgrading from a previous version, this document will provide preliminary guidelines to help
your deployment process.
This document validates recommended VMware View configurations and describes deployment scenarios
for intermediate and advanced administrators planning to deploy VMware View. You can customize these
configurations for your environment.
This document is designed to be used as a companion to other published materials such as the VMware View
Getting Started Guide, the VMware View Manager Administration Guide, and the VMware View Upgrade Guide.
It should not be used as a reference architecture or a product recommendation regarding the third party
products mentioned here.
Download the VMware View Architecture and Planning Guide or additional VMware View 4 documentation at:
http://www.vmware.com/support/pubs/view_pubs.html

Contents
This guide is organized by the following topics:
VMware View Components
VMware View with PCoIP
Worker Scenario and Types
VMware View Administration
Additional Resources

Intended Audience
This document is designed for information technology professionals who are responsible for deploying desktop
or application virtualization for their companies, such as systems administrators responsible for planning and
deploying the VMware View platform.

For More Information


For detailed product information, refer to the VMware View Administration Guide and related release
documentation at: http://www.vmware.com/support/pubs/view_pubs.html
Or, access the self-serve knowledge base on VMware View at: http://kb.vmware.com/selfservice


Introduction
Before advancing with the procedures referenced in this guide, ensure your organization meets the necessary
component prerequisites. Read the VMware View Manager Administration Guide to become familiar with
VMware View components.
View Manager is an umbrella name for general VMware View administration components. The key product
components included are:
View Agent in the guest desktop
View Connection Server, which serves as a desktop broker service
View Client in the local endpoint as the access conduit
As you can see in Figure 1, VMware View features cover three areas, including:
User experience enhancement
Unified View management
Platform upgrade to VMware vSphere

Figure 1: VMware View Infrastructure Diagram


VMware View Components


Table 1 provides a brief description of the VMware View components discussed in this guide.
| COMPONENT | DEFINITION |
| --- | --- |
| View Agent | View Agent is a required component installed on all guest virtual machines, physical systems, or terminal servers to allow them to be managed by View Manager. View Agent provides features such as connection monitoring, a PCoIP Portal, Virtual Printing, USB support, and Single Sign-on (SSO). The directory service must be Windows-based (Active Directory) to filter the users according to particular policies assigned to users or groups. |
| View Connection Server | View Connection Server is software installed in a Windows server that acts as a connection broker for endpoint client connections by authenticating and then directing incoming remote desktop user requests to the appropriate virtual desktop, physical desktop, or terminal server. |
| View Client | View Client is software locally installed at the endpoint system (such as a thin client, laptop, PC, and so on) that communicates with the View Connection Server to allow users to connect to their desktops. In VMware View 4, the PCoIP client is included in a single View Client installation and the new single sign-on feature, Login as the Currently Logged-in User, is added to the user dialog box. |
| View Administrator | View Administrator is a Web application. With View Administrator, you can configure the View Connection Server by entering your URL https://localhost/admin or the View Connection Server IP address/admin to view, deploy, and manage desktops, control user authentication, initiate and examine system events and group policy, and carry out basic reporting activities. |
| View Composer | View Composer, a.k.a. SVI, is a software service that is installed on the vCenter Server so that View Manager can rapidly deploy multiple linked clone desktops from a single centralized base image. The linked clone SVI used in VMware View 4 is compatible with vSphere. |

Table 1: VMware View components

Note: this document will not cover View Portal, offline desktop, or other technical preview features.


Table 2 provides a brief description of the installation procedures and the corresponding components discussed
in this guide. Reviewing these descriptions will help to clarify the interaction of the components.
| PROCEDURE | REQUIRED COMPONENTS OR ROLES |
| --- | --- |
| Prepare Microsoft Windows 2003 or 2008 Servers | Active Directory and DNS. vCenter or VirtualCenter can either be a physical or virtual machine. View Connection Server, Replica Server, or Security Server. Certificate Authority if smart card authentication is required. RSA Authentication Server 6.x or up: http://www.rsa.com/rsasecured/guides/imp_pdfs/RSA%20SecurID%20Ready%20Implementation%20Guide-View%20Manager%203.pdf. SQL Server, if a large (1,000+) desktop deployment is required. Or, for a small proof of concept deployment, you can use the SQL Server Express Edition included in vCenter installation. You must have domain and local administrator rights and roles across the server components. |
| Prepare and install Microsoft Windows XP or the supported OS in the virtual machine joined to the domain | Domain Administrator. Local Machine Administrator. Reference the XP Deployment Guide: http://www.vmware.com/files/pdf/XP_guide_vdi.pdf |
| Prepare a template and snapshot if you plan to use View Composer with the linked clone | Domain Administrator. Local Machine Administrator. Make sure you join the virtual machine to the domain and execute ipconfig /release prior to converting the virtual machine to a template. You can also use GPO scripting during the Linked Clone process. |
| Install View Connection Server on the first server in a domain | Domain Administrator. Local Machine Administrator. |
| Install View Security Server on the second server in a DMZ or Demilitarized Zone | Domain Administrator. Local Machine Administrator. |
| Install Replica Server on the second server in a domain | Domain Administrator. Local Machine Administrator. |

Table 2: Installation procedures and corresponding components


System-Wide Requirements for VMware View


Refer to Page 16 in the VMware View Manager Administration Guide for detailed system requirements.
If you plan on deploying PCoIP, the requirements are as follows:
Client Side
CPU: 1 GHz or higher
Memory: 512 MB or higher
Guest Desktop
PCoIP does not impact server virtual machine density, so you can continue to use the same virtual machine by
reinstalling or upgrading the View Agent, in which the PCoIP Portal is included.

Running VMware View 4 Setup


Refer to the VMware View Manager Administration Guide for detailed installation instructions, as this document
does not repeat the same content. The basic installation procedure is as follows:
1. Prepare a vSphere U1 build
2. Prepare an infrastructure virtual machine resource group:

a. vCenter

b. View Connection Server, optional Replica or Security Server (Note the View Connection Server cannot
be installed within vCenter)

c. SQL Server (SQL Server Express, Standard or Enterprise Editions)

d. Identify Domain Name Server and Active Directory as VMware View 4 continues the tight integration
with ADAM

3. Install View Agent in the guest virtual machine or physical machine


4. Install View Client in the local endpoint systems where corporate users will interface physically
5. Prepare the server and virtual machine to minimize the impact of the desktop provisioning


VMware View with PCoIP


Traditionally, accessing data and applications with a wider array of devices and from an increasing range of
locations over Remote Desktop Protocol (RDP) has been a challenge. In VMware View 4, the major release
feature is VMware View with PCoIP, a software-to-software implementation of PCoIP. It is designed and built
for desktops that suit various worker profiles. With the concerns of integrity of the corporate network and
business data types, PCoIP promises a comparable LAN and WAN experience while preserving security and
administrative control.

[Figure 2 diagram labels: Scalable host solutions; Flexible client options; Datacenter Network; Distributed Network; Tower Workstations; Rack Workstations; Blade PCs; Virtual Desktop; PCoIP Hardware; PCoIP portals; PCoIP enabled displays; VMware View w/ PCoIP Protocol; 1:1 Analyst, artist, designer; Knowledge worker; 1:n Task worker]

PCoIP Networking General
Uses IPv4 (IPv6 optional) for LAN and WAN
Dynamic image quality adjustments to fit bandwidth
Responsiveness maintained during congestion
Uses less bandwidth on constrained networks
Local mouse pointer to mask latency
Efficient image build to loss-less state
Virtual channels for extended capabilities (MMR, printing, device re-direction, VOIP, etc.)
UDP used for efficient BW use and to avoid TCP bandwidth limits. Reliability layer in PCoIP intelligently decides on retransmission (USB yes, imaging maybe)
TCP used for connection management (session connection, USB permissions, bandwidth or image quality settings, etc.)
Integrated traffic shaping and network acceleration
IPSEC encryption and authentication (128-bit AES, or SALSA)

Figure 2: PCoIP system flow (Diagram Source: Teradici)

Worker Types and Scenarios


To help you address the complex needs of different types of end users in an organization, below are worker
scenarios ranging from financial analysts, power users or media intense designers, to artists dealing with
multimedia content, knowledge workers, and typical task workers.
Office Worker Scenario
Office workers use applications such as Microsoft Office, customer relationship management (CRM)
applications, hosted Internet applications, Microsoft SharePoint, Enterprise Resource Planning (ERP), and line
of business (LOB) applications. Business operations require them to roam from one desktop to another and
require their desktops to follow them.
VMware View Features
VMware View provides the base framework for Single Sign-on (SSO) and Follow Me Desktop.
View Client has a number of startup options that can be invoked when launching the application from a
command prompt. Options are preceded by a hyphen (-) or a forward slash (/), are case insensitive, and can
be abbreviated down to their shortest unique form. For example, to display the full list of commands, enter the
following:
"C:\Program Files\VMware\VMware View\Client\bin\wswc" /?


To launch View Client in fully scripted mode (that is, with all connection, user, and desktop criteria provided),
enter the following:
"C:\Program Files\VMware\VMware View\Client\bin\wswc" -serverURL <server> -userName <username> -password <password> -domainName <domain> -desktopName <desktop>

The SSO vendor can invoke the direct connection by embedding the commands.
With VMware View, users can access entitled desktops, applications, data, and user settings regardless of the
location they connect from, in either WAN or LAN scenarios.
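
The scripted launch described above, as an added PowerShell example that is not part of the original guide. It uses only the options shown on this page; the server, domain, and desktop values are constructed placeholders, and the password is read at run time instead of being stored in the script.

```powershell
# Added example: scripted View Client launch without a password in the script.
$wswc = 'C:\Program Files\VMware\VMware View\Client\bin\wswc.exe'

# Constructed placeholder values; replace with your own environment.
$server  = 'view.example.com'
$domain  = 'EXAMPLE'
$desktop = 'Office-Pool'
$user    = $env:USERNAME

if (-not (Test-Path -LiteralPath $wswc)) {
    throw "View Client not found at $wswc"
}

# Prompt for the password so it is never written to disk with the script.
$secure = Read-Host -Prompt "Password for $domain\$user" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # The call operator copes with the space in "Program Files" and passes
    # every option and value to wswc as a separate argument.
    # The password is still part of the wswc process command line while the
    # client runs, so keep this to endpoints where local users are trusted.
    & $wswc -serverURL $server -userName $user -password $plain `
            -domainName $domain -desktopName $desktop
}
finally {
    # Wipe the unmanaged copy of the password and drop the managed one.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}
```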
Mobile Worker Scenario
Mobile workers or road warriors travel most of the time and are usually accessing from outside the corporate
network. Mobile workers need to be able to connect to the corporate network on demand.
VMware View Features
Deploy View Security Server with RDP
Deploy SSL VPN for VMware View
Mobile access using Wyse Pocket Cloud iPhone application to access Security Server
VMware View provides a connection to the corporate network with direct access to the desktop via SSL with
128-bit AES encryption of corporate data. Security Server and SSL VPN provide SSL offload. Mobile workers can
access their desktops from anywhere.
Contractor Worker Scenario
Contractors often work through unmanaged endpoints with unrestricted access to the corporate system.
VMware View Features
Tag-based entitlement
USB device usage and network access control
Smart card deployment with certificate authentication
Useful Group Policy (GPO) to ensure data security
Work At Home Scenario
Home workers have a similar requirement to workers on the road. The enterprise allows users to access all data
and applications through a VPN or SSL VPN using a two-factor authentication device.
VMware View Features
For connection to the corporate environment through Remote Desktop Protocol (RDP), VMware View
supports protocol choice: Microsoft RDP, VMware View with PCoIP, HP RGS, and so on. The choice is
configured during desktop provisioning and can be modified after provisioning to fit the user profile.
RSA Authentication Manager and SecurID token (both hard and software tokens).
SSL VPN router configuration for PCoIP and RDP.


Network Scenarios
The deployment samples covered in this section are not intended to be used as an official recommendation
or a set solution. Real-world deployments will vary depending on your hardware and system configurations.
You may require additional machines to run certain components as the network grows and Internet requests
increase. More powerful machines may be needed for higher traffic.

Small Networks: 1-500 Desktops


Before You Begin
Review page 32 of the VMware View Architecture Planning Guide. It briefly describes the concept of a VMware
View pod: the VMware View building blocks and components needed on servers, storage, networks, and so on.

Figure 3: VMware View building blocks

In general, one standalone vCenter can service 2,000 desktops in the best system configuration scenario. One
Connection Server might scale from 500 to 1,000 desktops. On the server host end, the ESX server scales to
about four to five desktops per core in conservative terms. This will vary based on your physical host architecture
and hardware configurations. For a state of the art configuration like Intel Nehalem and vSphere, you might see
8-15 desktops per core. Note the numbers used in this document are for deployment reference only.


Figure 4: VMware View building components for small networks

Figure 4 shows a sample deployment setup for a network of 500 desktops. Each Security Server in the DMZ
has a matching Connection Server. To ensure high availability, you can deploy a redundant Security Server
along with VMware HA or other HA software to ensure the service is always up and running.


Medium Networks: 500 - 2500 Desktops


As described in the VMware View Architecture Planning Guide, each VMware View building block serves 1,000
desktops. You can deploy three Connection Servers as shown in the following sample configuration.

Figure 5: VMware View building components for medium networks

If your deployment is for outsourced or remote office locations, you can consider putting Active Directory outside
of all the datacenters and make sure it is trusted and can be synchronized by the Connection Server instances.

Figure 6: Configure directory service to allow consistent replication


Enterprise Network: 5,000 - 10,000 desktops


If your global enterprise has multiple datacenter deployments, you can configure them as clusters containing
multiple View pods. The basic configuration rules are consistent with previous planning. If you have SSL VPN in
place at your network, you can leverage the existing settings instead of Security Server instances.

Figure 7: Two sample remote clusters configured to serve 10,000 desktops

Note the network core load balances incoming requests across View Connection Server instances. Support for
a redundancy and failover mechanism, usually at the network level, prevents the load balancer from becoming
a single point of failure. For example, the Virtual Router Redundancy Protocol (VRRP) communicates with the
load balancer to add redundancy and failover capability. This information is also available in the VMware View
Architecture Planning Guide.
If a View Connection Server instance fails or becomes unresponsive during an active session, users do not lose
data. Desktop states are preserved in the virtual machine desktop so that users can connect to a different View
Connection Server instance and their desktop session resumes from where it was when the failure occurred.


Migrating Users from a Physical Workstation to VMware View

To migrate users from their physical workstations to a VMware View environment, follow this procedure:
Install View Agent on their current desktop and migrate it to the datacenter
Configure the direct desktop connection
Install View Client in new thin clients or managed thick clients
Or, use P2V conversion to migrate the physical desktop to the virtual desktop

Upgrading VMware View 3 to VMware View 4


This section illustrates the VMware View upgrade from VMware View 3.x to the current release and the upgrade
on ESX and vCenter.

Figure 8: [NEED TITLE]

This sample environment has four connection servers, two security servers, and one View composer. Two
connection brokers are load-balanced via F5 load balancers for internal user connections. The remaining two
are paired with two load-balanced security servers for users connecting through the external cloud using RSA
authentication.


The upgrade should be conducted in a two-phase process:


Phase I - Upgrade the infrastructure components
To upgrade vCenter, mount the new program ISO image and run the installation. ESX hosts can be upgraded by
using the ESX Server Host Update Utility program installed with Virtual Infrastructure Client.
Phase II - Upgrade the VMware View setup
To set up virtual machines for the upgrade, take a snapshot. For physical machines, take a backup of the
database, configuration, and file system before the upgrade.
Pre-upgrade Procedures
Capture the configuration of one of the Connection Servers. To capture this, go to the Configuration tab of the
ESX Administration UI, and particularly focus on Servers and Global Settings.
Capture the summary of each pool.
Take the backup of ADAM to a network location by running: vdmexport > N:\myVDMConfig_timestamp.ldf

Procedure
Upgrade
The upgrade should be performed during periods of low system usage. To determine when that might be, check
the monitor for your host usage and find a time period when it is used the least. Note that during the upgrade,
you should not provision or clone any virtual machines.
Take the snapshot of all seven servers (View Composer, CS1 - CS4, SS1, and SS2).
Upgrade View Composer first.
Configure LB1 so that all connections go through only SS2. Upgrade CS1 and then upgrade SS1. Test by
directing the client directly to SS1. (You might not need this step. For example, when an SS is shut down, LB will
figure out that one SS is down and send all the requests through the other SS.)
Now configure LB1 so that all connections go through only SS1. Upgrade CS2 and then upgrade SS2. Test
by directing the client directly to SS2.
Restore LB1's original configuration.
Configure LB2 so that all connections go through only CS4. Upgrade CS3. Test by directing the client directly
to CS3.
Now configure LB2 so that all connections go through only CS3. Upgrade CS4. Test by directing the client directly
to CS4.
Restore LB2's original configuration.
Upgrade the Agents
For linked-clone pools: Create a snapshot of the master virtual machine. Install the new agent and then
recompose all the virtual machines in the pool with this new snapshot.
For full clone pools: Use any third party management software to upgrade the agent on all the desktops.
Upgrade the Client
The user should update the client accordingly. The user can download the latest View Client executables from
a Web site and then upgrade the client. Note users will be prompted to confirm installing a USB virtual driver
during installation. Select confirm and continue to finish the installation.


Deploying in a Mixed ESX 3.5 and vSphere Environment

In a typical upgrade scenario, production upgrades do not occur on every server at one time. In scenarios like
this, the upgrade process will follow these steps:
1. vCenter is upgraded from 2.5 to vSphere
2. The View Composer server installed in vCenter is upgraded from 1.x to 2.0
3. The View Connection Server (or View Manager) is upgraded to VMware View 4
4. View Agent is upgraded to VMware View 4 in the Master virtual machine(s) and new snapshots are taken
5. Up to this point, the View Manager still tells View Composer to keep using the previous vCenter 2.5
interface for creating and synchronizing clones
6. The ESX host hosting the master virtual machine(s) is upgraded to vSphere using the Host Update Utility
in the Virtual Infrastructure Client or vSphere Client
If you experience any issues, refer to the vSphere Upgrade Guide
http://www.vmware.com/pdf/vsphere4/r40/vsp_40_upgrade_guide.pdf
In the View Manager Web console, a vSphere Mode checkbox option will appear while provisioning a linked
clone. If all ESX hosts are upgraded to 4.x, then you can check the vSphere mode box to enable the use of the
new View Composer system API. If the mixed environment exists, leave the box unchecked. See figure 9.

Figure 9: [NEED TITLE]


Certificate Authentication Deployment


This section outlines the steps for smart card or certificate authentication in VMware View. If you are
looking for instructions on how to deploy SSL certificates in VMware View for outbound facing servers such
as Connection Servers, Replica, or Security servers, refer to the KB article, Guidelines for generating and
importing an SSL certificate for Virtual Desktop Manager:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008705

Before You Begin


There is no change in the certificate setup in VMware View 4. Before you perform the procedure in this section,
review the following resources:
Smart card and certificate authentication tech notes:
http://www.vmware.com/resources/techresources/10024
The Smart Card Authentication section in the VMware View Manager Administration Guide for more
descriptive information
The video clip, Certificate/Smart Card Configuration for VMware View, at:
http://www.vimeo.com/7127297
Gemalto certificate authority setup paper to get you started with your CSR:
https://www.netsolutions.gemalto.com/download/070520%20WP%20Gemalto%20.NET%20Certificate%20Enrollment%20using%20MSFT%20Certificate%20Services.pdf
Make sure you have a Windows Server 2003 or 2008 Server virtual machine provisioned for Certificate
Authority (CA) use and joined to the domain.

Procedure
Set up a domain CA
Promote and install the IIS Web server in the domain CA. In the demo deployment, we use view4ca as
the name of the CA.
Add templates as shown in the following screenshot. You can install a new template by right-clicking
Certificate Template and selecting New to add a template you don't see in your list.


Create a certificate enrollment agent


This enrollment agent can be configured from a physical or virtual machine joined to the domain. This
demo uses one of the XP-SP3 virtual machines as the enrollment agent. The enrollment agent acts as the
delegate to issue certificates for CA.

Associate the domain CA with Connection Server


Once the CA is created, introduce the CA to the Connection Server, so that the Connection Server can
understand the certificates issued by the CA. VMware View uses keytool from the command line to add
the certificate into the keystore. The keytool command is located at C:\Program Files\VMware\VMware
VDM\Server\jre\bin. You can add it to the system PATH for deployment convenience.

The above cernew.cer is the CA certificate. You can download it from http://<CA>/certsrv/certcarc.asp within
the View Connection Server.


Once the trust.key is created from the keytool command, the introduction between CA and Connection Server
is almost complete. Copy the trust.key to the C:/VMware/VMware View/sslgateway/conf directory and manually
create a locked.properties file in the same directory.

Ensure there are no typographical errors in the locked.properties when you type them manually.
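
A typo check for locked.properties, as an added PowerShell example (it is not part of the original guide and not VMware code). The key names trustKeyfile, trustStoretype and useCertAuth are taken from VMware's View administration documentation for smart card authentication and do not appear on this page, so confirm them against the Administration Guide for your release; the function name and the sample file contents are constructed.

```powershell
# Added example (not VMware code): lint locked.properties before restarting
# the View Connection Server service.
# Assumption: these key names come from VMware's View administration
# documentation for smart card authentication; they are not shown on this page.
$RequiredKeys = 'trustKeyfile', 'trustStoretype', 'useCertAuth'

function Test-LockedProperties {
    param(
        [string]$Text,      # full contents of locked.properties
        [string]$ConfDir    # optional: folder that should also hold the keystore
    )
    $problems = @()
    # A generic Dictionary compares keys ordinally, so 'trustKeyFile' and
    # 'trustKeyfile' stay distinct, as they do for a Java properties reader.
    $found  = New-Object 'System.Collections.Generic.Dictionary[string,string]'
    $lineNo = 0
    foreach ($raw in ($Text -split "\r?\n")) {
        $lineNo++
        $line = $raw.TrimStart()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith('!')) { continue }
        $eq = $line.IndexOf('=')
        if ($eq -lt 1) {
            $problems += "line ${lineNo}: expected key=value, got '$raw'"
            continue
        }
        $key   = $line.Substring(0, $eq).Trim()
        $value = $line.Substring($eq + 1).TrimStart()
        # Java's properties format keeps trailing whitespace as part of the value.
        if ($value.Length -ne $value.TrimEnd().Length) {
            $problems += "line ${lineNo}: trailing whitespace after the value of '$key'"
            $value = $value.TrimEnd()
        }
        if ($RequiredKeys -ccontains $key) {
            if ($found.ContainsKey($key)) { $problems += "line ${lineNo}: duplicate key '$key'" }
            $found[$key] = $value
        } elseif ($RequiredKeys -contains $key) {
            $problems += "line ${lineNo}: '$key' differs only in letter case from a required key"
        } else {
            $problems += "line ${lineNo}: unrecognised key '$key' (possible typo)"
        }
    }
    foreach ($k in $RequiredKeys) {
        if (-not $found.ContainsKey($k)) { $problems += "missing required key '$k'" }
    }
    # Assumption: a keystore created with the bundled keytool's defaults is JKS.
    if ($found.ContainsKey('trustStoretype') -and $found['trustStoretype'] -cne 'JKS') {
        $problems += "trustStoretype is '$($found['trustStoretype'])'; expected 'JKS'"
    }
    if ($found.ContainsKey('useCertAuth') -and $found['useCertAuth'] -cne 'true') {
        $problems += "useCertAuth is '$($found['useCertAuth'])'; expected 'true'"
    }
    if ($ConfDir -and $found.ContainsKey('trustKeyfile')) {
        $store = Join-Path $ConfDir $found['trustKeyfile']
        if (-not (Test-Path -LiteralPath $store -PathType Leaf)) {
            $problems += "keystore '$store' not found next to locked.properties"
        }
    }
    $problems
}

# Constructed sample with three deliberate mistakes.
$sample = @(
    '# locked.properties (constructed sample)'
    'trustKeyFile=trust.key'     # wrong letter case in the key
    'trustStoretype=JKS  '       # trailing spaces after the value
    'useCertAuth=ture'           # misspelled value
) -join "`n"

$issues = @(Test-LockedProperties -Text $sample)
$issues
if ($issues.Count -gt 0) {
    "$($issues.Count) problem(s) found; fix them before enabling smart card authentication."
}

# Against a real file, pass its text and its folder, for example:
#   $path = '<View Installation directory>\sslgateway\conf\locked.properties'
#   Test-LockedProperties -Text ([IO.File]::ReadAllText($path)) -ConfDir (Split-Path $path)
```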


Issue a user certificate on behalf of the other user in the domain as an administrator. This step could have
been done at the same time you created the enrollment agent earlier. Make sure your smart card reader has a
direct connection to the enrollment agent so you can issue and install the certificate directly to the card.
Configure View Manager to accept smart card as the authentication method. Log in to View Manager with
Administrator credentials. Under the Configuration tab, select Servers, and then go to the View Connection
Server instance where smart card authentication is required.

If you have multiple View Connection Servers that share the same trust.key and locked.properties, you
can duplicate the keytool command in each server or copy those two files over to the <View Installation
directory>/sslgateway/conf directory as mentioned earlier.


Deploy Single Sign-on (SSO)


This section provides information on how the VMware View infrastructure offers a platform for basic SSO or
advanced strong authentication through a partner solution on session startup, Windows login, session roaming,
application SSO and using two factor authentication for applications.
In a VMware View environment, users interact with desktops served by the View Connection Server. When a
connection broker is used, an additional layer of authentication and authorization is added to the workflow
associated with the initial Windows login. In VMware View 4, you can reduce the extra Windows login for the
user by configuring login as the currently logged-in user to trigger View Client to cache the Active Directory
credential. The Connection Broker can be configured to SSO the user's domain credentials as part of the RDP or
PCoIP session startup.

Figure 10: View Client Auto connect to View Connection Server

Examine Current Workflows


Before you implement an SSO partner solution, it is recommended that you examine the ideal workflow for
maximum user productivity, convenience, reliability, and security. Workflow considerations are described below.
System Startup
When the client machine initially powers up, it automatically logs into a local service account using biometrics,
a smart card, or a proximity ID card depending on the authentication policy set for the computer. Use the third
party SSO administrator console to select which devices can be used for user authentication, and to set the
number of retries, lockout times, and so on.
Session Startup
The user walks up to a client machine and uses one of the allowed authentication methods to initiate the
connection to a virtual session. This can include presenting a finger to a reader, tapping a proximity card to the
reader, or entering a password or one time password (OTP) in the login dialog box.
Three different operational scenarios are possible if the desktop is locked:
1. The desktop unlocks for the same returning user (with no additional challenge for the PIN).
2. The desktop unlocks for a new user with no additional challenge (if the user had previously logged in with
a card + PIN).


3. A challenge dialog box is presented for the PIN or password if this is the initial login event within some
defined window of time.
When the client reconnects to a virtual session, the SSO agent (within the virtual session) is responsible for
running the location awareness scripts. The location awareness scripts propagate the updated hostname of the
device to applications that change behavior based on where the user logs in from, such as printers or patient
lists in a healthcare setting.
Desktop Lock/Unlock
The desktop for a virtual session can be manually locked and unlocked by using either a hot key, tapping the
same card to the reader, or through an SSO policy trigger. The SSO agent within the client responds to the hot
key input as well as card reader input to lock the desktop, but leaves View Client connected. The Client is in
standby mode, ready for either the same user to return to it or for a reconnection from a different client. If the
virtual session is pulled to another device, the client is automatically locked and left in its initial kiosk login state.
View Client
View Client uses a proprietary Simple Object Access Protocol (SOAP) to communicate with the View Manager.
View Client starts a new session or reconnects to an existing session within the ESX host and seamlessly logs in
through the View Agent. View Agent enforces the policy settings and configuration set by the View Manager to
deny direct logins to a session. This protects running sessions from being accessed over the network unless the
user is authenticated first by View Manager.

Virtual Session Workflow

Figure 11: SSO implementation flow


Session Startup
Figure 11 displays the SSO implementation flow:
When the system starts up, the client machine automatically logs into a local account and launches the SSO
Client (0).
The kiosk login dialog box indicates that the SSO software is monitoring attached devices and is ready to
accept user logins. Once a user has logged in successfully (using whatever modality is allowed), the Session
Management scripts (2) control the process of obtaining the user's Active Directory (AD) credentials from the
SSO Appliance (1) and passing them to the View Client (3) via the command line.
The View Client uses the AD credentials to authenticate and allow View Manager (4) to obtain the default or
list of desktops together with their status if they are already running.
With View Manager, the View Client can connect to either a newly started session (if none exists for the user)
or a previously running persistent session (7).
View Client over the Remote Desktop Protocol (RDP) (5) interfaces with the View Agent (6) running within
the session to SSO into the session, bypassing the need for users to enter their AD credentials again.
SSO Agent (8) chains into the View Agent to obtain the user authentication data and to log in to the SSO
server appliance (1).
Each time the View Client connects or reconnects to the session, the SSO Agent is responsible for launching
startup scripts that run the location awareness scripts. These scripts update relevant environment variables or
call functions to notify applications of the change in client location.
Session Locking
Session locking can result from direct user action (for example, pressing the hot key), inactivity at the client,
movement away from the field of view of the secure walk-away camera, or when the active session roams to
another client machine. These events are monitored by the SSO client on the client machine and result in the
locking of the client machine but not termination of the VMware View session. This leaves the client machine
ready to quickly unlock and redisplay the virtual desktop should the same user return and re-authenticate.
Note: In the initial VMware View 4 release, a new smart card removal policy is available. In the View
Administration console, set the View Client to disconnect from the Connection Server when the smart card is
removed during the session. If the user logs back in within the allotted period of time, the Connection Server will
connect the user back to the existing session. This is only applicable to RDP.
When an active session roams to another client, the session manager detects the active View Client session is
terminating and the desktop automatically locks. This automatic desktop lock ensures a client machine cannot
be left with an open session if the user reconnects to it from somewhere else.
Depending on the policy in effect and whether secure walk-away is enabled, re-authentication can entail either:
1. Presentation of login credentials (password, OTP, proximity card, smart card, or fingerprint)
2. Presentation of the proximity card alone if the authentication grace-period is allowed
3. Return of the same user to the secure walk-away camera
To prevent the SSO agent within the virtual session from locking the desktop due to user inactivity, disable
inactivity locking for virtual sessions. Otherwise, the user could encounter a situation where the SSO Client
locks the desktop and the desktop for the virtual session as well.


Session Switching
When a different user attempts to use a client with an active View Session, the SSO Client authenticates
the user and uses the Session Management scripts to manage the transition. The script establishes if the
authenticated user is the same as the user with the active session and whether to launch a new View Client
session for the new user. To prevent the new user from seeing the active View Client, the script immediately
hides the screen and then launches another View Client for the new user while terminating the previous
View Client. With this script, the transition can occur quickly, smoothly, and with no possible bleed through
between sessions.
Location Awareness
Each time a user reconnects to a persistent session, View Client launches a script within the hosted session
to notify the applications and the system of the change in the client location (or hostname). Typically the
CLIENTNAME environment variable is updated with the host or MAC address of the VMware View Client.
Note: A Microsoft hot fix is required to make sure the CLIENTNAME variable is updated following a disconnect/
reconnect. The location aware script is responsible for registering the current client location and tracking the
changes between reconnects to update applications that are location aware.
The above SSO information describes the Follow Me Desktop demo shown at VMworld 2009. The vendor
solution used for that demo was Imprivata's OneSign Single Sign-on. VMware View offers a platform that
can be easily implemented by major SSO partners. If you implement a basic username and password (AD
credentials) to log in to a virtual session, you can configure Login as the currently logged-in user during the
View Client and View Agent installations.
References
Imprivata http://www.imprivata.com/
Healthcast http://www.gohealthcast.com/
Sentillion http://www.sentillion.com/
CA http://www.ca.com/us/products/product.aspx?ID=166
Cerner http://www.cerner.com/public/

Deploying Group Policy Objects (GPOs)


Group policy provides centralized management and configuration of computers and remote users in an Active
Directory environment. Policy properties are contained within entities called Group Policy Objects (GPOs) and
can be configured by using the Group Policy editor features provided by Active Directory. VMware View is
tightly integrated with Active Directory.
Thus, GPOs can be applied to View Manager Components at a domain-wide level to provide granular control
over various areas of the View Manager environment.
Once the group policies are applied, GPO properties are stored in the local Windows registry of the
specified component.
To minimize the administrative overhead of creating custom-made policies, a number of component-specific
GPO templates are provided with View Connection Server that can be imported into Active Directory.


The template files that accompany View Manager are described below:
vdm_agent.adm contains properties relating to the authentication and environmental components of a client
desktop controlled by View Agent
vdm_client.adm contains properties relating to the configuration parameters of View Client
vdm_server.adm contains properties relating to View Connection Server
vdm_common.adm contains properties relating to all components of View Manager

Procedures
The GPO template files are stored in the following location:
C:\Program Files\VMware\VMware View\Server\Extras\GroupPolicyFiles
Microsoft TechNet provides detailed guidance on how to load GPO templates directly into Active Directory:
http://technet.microsoft.com/en-us/library/cc728217.aspx
Note: The above information is abstracted from the VMware View Manager Administration Guide. Go to page
190 for configuration properties that you can use with GPO.
The following example is a sample script deployment of GPO used to join a virtual machine to a particular
Organizational Unit (OU).
1. Create a non-persistent pool with 10 virtual machines to be automatically created and made available.
2. Prepare the template using customization specifications. Go to vCenter > Edit > Customization
Specifications.

a. Make sure the computer name uses the virtual machine name.

b. Run the batch or Visual Basic script once at login and copy it to local drive C:\ or the template so you
can reference it as C:\script.bat or C:\script.vbs. For example, you can have a script function that
moves the computer object to the desired OU.

3. When each virtual machine is cloned from the template, the GPO can move the virtual machine into a
particular OU within Active Directory.

More Information
Matt Broadstock Blog
http://www.blogcastrepository.com/blogcasts/folders/scripts/entry768.aspx
Active Directory GPO for automated provisioned machines and script sample
http://communities.vmware.com/message/860235#860235
How to use sysprep to automate successful deployment of Windows XP
http://support.microsoft.com/kb/302577


Deploying Scripts
In View Manager 3.1 release and later, there is an option on the QuickPrep page when you create desktop pools
to run a power-off script using command shell or PowerShell scripts. When using View Composer, it is likely you
will be doing a recompose and refresh operation that affects the linked clones off of the C: drive. View Manager
requires domain administrator credentials for the target domain.
You can deploy scripts to perform the following sample functions:
Create file share
Join the computer to the domain
Push certain ThinApp executables to a certain directory or file share
Select the domain name and user name from the QuickPrep domain drop-down menu.
You can specify these credentials when you add or edit your VirtualCenter server settings.

Figure 12: [NEED TITLE]

If you want a script to run on the desktops before they are powered off, you can enter the path to a batch or
command script on the parent virtual machine in the power-off script field when you provision a desktop pool.


Figure 13: [NEED TITLE]

Note the scripts are not validated by View Composer. It is recommended you deploy the script in one sample
virtual machine before large-scale deployment. Enter the Active Directory container relative distinguished name
(for example, CN=Computers).
In some circumstances, the View Composer Agent may need to initiate a reboot of the clone immediately after
the clone was created, refreshed, or recomposed. In this situation, the power-off script may be executed.

Before You Begin


This guide assumes you have some knowledge of command shell, PowerShell or Visual Basic scripting.

Deletion Scripts
Deletion scripts, introduced in VMware View 4, are invoked when a virtual machine is deleted. This enables you
to run scripts to remove Active Directory or database entries that reference the deleted machine. The script can
be executed at the user account level rather than system-wide.
The registry configuration needs to be set to invoke a script. The script key name in the registry path is
VDMREGPATH\\ScriptEvents\\<value>. For the virtual machine deletion invocation, value should be set to
DeleteVm.
The script event registry key under VDMREGPATH\\ScriptEvents\\<value> should contain a string value for
each script to run. The name is used for event logging only; the value is the command line script to invoke.


The default value on the VDMREGPATH\\ScriptEvents can be set to a numeric value to specify script timeout
in minutes for all script events. The default value of the ScriptEventName level can also be used to specify/
override the timeout.
When a virtual machine is deleted, upon completion of the pending operation, a service request will be sent to
the Queue Scripts with the hint ScriptEvent. The parameter property bag will contain:
ScriptEventName = DeleteVm
ScriptEnvironmentParams = A property bag containing:
VmName - The name of the virtual machine being deleted
VmDn - The DN (distinguished name) of the virtual machine being deleted
Other variables as available
The scripts run in an environment in which the Connection Server provides the following variables to
deletion script calls.
DELETION SCRIPT VARIABLES                                                 SYNTAX
Name of the virtual machine                                               VDM_DeleteVm_VmName
DNS name of the virtual machine                                           VDM_DeleteVm_VmDnsName
DN of the virtual machine                                                 VDM_DeleteVm_VmDn
The path in the VC for the virtual machine                                VDM_DeleteVm_VmPath
The DN for the pool containing the virtual machine                        VDM_DeleteVm_PoolDn
The DN for the VC managing the virtual machine                            VDM_DeleteVm_VcDn
The MAC address for the virtual machine on the interface given by index   VDM_DeleteVm_VmMac.<index>
If set, indicates there was a problem while deleting the virtual machine  VDM_DeleteVm_Error

Example Deletion Script


' Log the variables View passes to a DeleteVm script event.
Dim objFileSystem, objOutputFile
Dim strOutputFile, strData
strOutputFile = "c:\outputfile.txt"
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objOutputFile = objFileSystem.CreateTextFile(strOutputFile, True)
objOutputFile.WriteLine("Script was called at (" & Now & ")")
Dim shell
Set shell = WScript.CreateObject("WScript.Shell")
' Each VDM_DeleteVm_* value arrives as an environment variable.
strData = shell.ExpandEnvironmentStrings("%VDM_DeleteVm_PoolDn%")
objOutputFile.WriteLine("DN for pool of VM: " & strData)
strData = shell.ExpandEnvironmentStrings("%VDM_DeleteVm_VcDn%")
objOutputFile.WriteLine("DN for VC managing VM: " & strData)
strData = shell.ExpandEnvironmentStrings("%VDM_DeleteVm_VmDn%")
objOutputFile.WriteLine("DN for deleted vm: " & strData)
strData = shell.ExpandEnvironmentStrings("%VDM_DeleteVm_VmDnsName%")
objOutputFile.WriteLine("DNS Name for vm: " & strData)
strData = shell.ExpandEnvironmentStrings("%VDM_DeleteVm_VmMac.0%")
objOutputFile.WriteLine("MAC address (intf 0) of vm: " & strData)
strData = shell.ExpandEnvironmentStrings("%VDM_DeleteVm_VmName%")
objOutputFile.WriteLine("Name of deleted vm: " & strData)
strData = shell.ExpandEnvironmentStrings("%VDM_DeleteVm_VmPath%")
objOutputFile.WriteLine("Path of deleted vm: " & strData)
objOutputFile.Close
' Dump the complete environment to a second file for inspection.
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "cmd.exe /C set > c:\out.txt"
Set objFileSystem = Nothing
WScript.Quit(0)

This can be saved as c:\sample.vbs and then would be configured with:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents]
@="435445235"

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents\DeleteVm]
@="0"
"script"="cscript c:\\sample.vbs"

Script invocation will be handled by a new VMware View service called VMware View Script Host. By default,
this service is disabled. IT administrators will be required to enable the service when using the deletion script
feature. You will be advised to provide an appropriate account for this service to run.
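
A deletion script that validates what it was handed before touching Active Directory, as an added PowerShell example (it is not VMware's sample and not from the technical note). The OU, the log path and the function names are hypothetical; the VDM_DeleteVm_* names are the ones listed in the table above. Run without View's variables set, it prints its decisions for a few constructed inputs.

```powershell
# Added example (not VMware code): a DeleteVm script that checks its inputs
# before removing the deleted desktop's Active Directory computer account.
# Hypothetical values: $AllowedOu, $LogPath. $Apply stays $false (log only)
# until the script has been proven against one sample virtual machine.
$AllowedOu = 'OU=ViewDesktops,DC=example,DC=com'
$LogPath   = Join-Path ([IO.Path]::GetTempPath()) 'view-deletevm.log'
$Apply     = $false

function Get-DeleteVmVariables {
    # VDM_DeleteVm_VmMac.0 contains a dot, so $env:VDM_DeleteVm_VmMac.0 would
    # not parse as one name; read every variable through the .NET API instead.
    $vars = @{}
    foreach ($n in 'VmName', 'VmDnsName', 'VmDn', 'VmPath', 'PoolDn', 'VcDn', 'VmMac.0', 'Error') {
        $vars[$n] = [Environment]::GetEnvironmentVariable("VDM_DeleteVm_$n")
    }
    $vars
}

function Find-Computer {
    # Returns the DN and directory entry of the computer account, or nothing.
    param([string]$Name)
    $hit = ([adsisearcher]"(&(objectCategory=computer)(name=$Name))").FindOne()
    if ($hit) {
        @{ Dn = [string]$hit.Properties['distinguishedname'][0]; Entry = $hit.GetDirectoryEntry() }
    }
}

function Test-DeleteVmRequest {
    param([hashtable]$Vars, [string]$AllowedOu, [scriptblock]$Lookup)
    $name = $Vars['VmName']
    if ($Vars['Error']) {
        return @{ Delete = $false; Reason = "View reported a deletion problem: $($Vars['Error'])" }
    }
    # The name is placed in an LDAP filter, so accept only host-name characters.
    if ($name -notmatch '\A[A-Za-z0-9][A-Za-z0-9-]{0,14}\z') {
        return @{ Delete = $false; Reason = "unexpected VmName '$name'" }
    }
    $found = & $Lookup $name
    if (-not $found) {
        return @{ Delete = $false; Reason = "no computer account named $name" }
    }
    # Act only on accounts inside the OU reserved for View desktops.
    if (-not $found.Dn.EndsWith(",$AllowedOu", [StringComparison]::OrdinalIgnoreCase)) {
        return @{ Delete = $false; Reason = "$($found.Dn) is outside $AllowedOu" }
    }
    @{ Delete = $true; Reason = "remove $($found.Dn)"; Entry = $found.Entry }
}

$vars = Get-DeleteVmVariables
if ($vars['VmName'] -or $vars['Error']) {
    # Invoked by the View Script Host: decide, log, then act if allowed.
    $decision = Test-DeleteVmRequest -Vars $vars -AllowedOu $AllowedOu -Lookup { param($n) Find-Computer $n }
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $($vars['VmName']): $($decision.Reason)"
    if ($decision.Delete -and $Apply) { $decision.Entry.psbase.DeleteTree() }
} else {
    # No View variables present: show the decisions for constructed inputs.
    $inOu  = { param($n) @{ Dn = "CN=$n,$AllowedOu"; Entry = $null } }
    $other = { param($n) @{ Dn = "CN=$n,OU=Servers,DC=example,DC=com"; Entry = $null } }
    $cases = @(
        @{ Vars = @{ VmName = 'VIEW-XP-01' };                    Lookup = $inOu  }
        @{ Vars = @{ VmName = 'DC01' };                          Lookup = $other }
        @{ Vars = @{ VmName = 'VIEW-*' };                        Lookup = $inOu  }
        @{ Vars = @{ VmName = 'VIEW-XP-02'; Error = 'timeout' }; Lookup = $inOu  }
    )
    foreach ($c in $cases) {
        $d = Test-DeleteVmRequest -Vars $c.Vars -AllowedOu $AllowedOu -Lookup $c.Lookup
        '{0,-12} delete={1,-5} {2}' -f $c.Vars['VmName'], $d.Delete, $d.Reason
    }
}
```

The account chosen for the VMware View Script Host service then needs delete rights only on computer objects inside that one OU.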

More Information
For additional details, download the Extending Virtual Machine Deletion with Scripts technical note at:
http://www.vmware.com/resources/techresources/.


Using Thin-Provisioning with VMware View and NAS
Global enterprises with business-critical, heterogeneous, file-based data will need to adopt file and storage
virtualization on some level. In VMware View 4, the platform is compatible with the vSphere host.
For this sample deployment, three separate VMware View pods were created to simulate branch offices in San
Jose, Oakland, and San Francisco. By allocating three secure segments from a single network-attached storage
(NAS), branch offices can have their own isolated and dedicated NAS storage, while a global NAS can be
divided for global file sharing among the different offices.
The sample storage deployment used in this section is provided by BlueArc NAS. You can deploy any other type
of NAS for similar use-cases. The advantage of NAS arrays is that they are self-contained and preconfigured for
easy deployment. With their dedicated storage capacity and file systems, they can be easily managed.

Figure 14: Sample deployment using security NAS to control branch office VMware View desktop access
[Diagram labels: View SJC, SFO and OAK pods (VM1-VM3 each) on VMware vSphere; virtual servers EVS 192.18.13.32, SJCEVS 192.18.13.29, SFOEVS 192.18.13.30 and OAKEVS 192.18.13.31; a shared SJC-SFO-OAK virtual server and one secure virtual server per site, each with an NFS export and a storage pool.]


In this deployment, you can leverage thin provisioning during the virtual desktop template configuration.
vStorage in vSphere features thin-provisioned disks with simple clicks. With thin-provisioned disks, you don't
lose the unused space because the space is not seen as used by VMware until the guest actually writes to it.
VMware View 4 is tightly integrated with backend host features. With View Composer you can create thin
provisioning pools.

Before You Begin


If you have a cluster configured for ESX or vSphere hosts, you must make sure all ESX hosts in the same
cluster can see the storage, either SAN or NAS. This is a basic requirement for View Manager to provision
desktop or pools.
You can combine the deployment with tag-based entitlements for each VMware View pod where the
connection broker is set to allow access to desktop or pools with the matching tag. For example, you can
configure certain desktop pools to only be available to users on the internal private network. The same user
would not be able to access that desktop pool from the Internet.
If you have two Connection Servers supporting internal network users and two Connection Servers supporting
Internet access users, then configure these tags per the connection server. For example, tag the external ones
as Internet and internal ones as Internal. Then mark certain pools as being available only to Internal users.

Figure 15: [NEED TITLE]

Note this sample deployment is not an instruction guide on how to use third party vendor or partner solutions.
It is to be used as a high-level proof of concept only.


Procedure
Set up the BlueArc network configuration


Create the NFS, configure the access policy, and export to the host server


Add NAS storage as storage in the vSphere host


In the vSphere host, prepare a new virtual machine template to use thin provisioning. The checkbox option is
available in the provisioning process.
In the vSphere host, take a snapshot of the virtual machine template for later linked clone use.


VMware linked clones are valuable as they are tightly integrated into View Manager and View Composer and
can reduce initial storage capacity by 90%.
In View Manager, create and add a persistent or non-persistent desktop pool to enable thin provisioning
during linked clone creation. For details on how to create desktops or pools, refer to the details in the
VMware View Manager Administration Guide.
Select NAS storage for the desktop creation. You can select the same datastore or an alternative datastore
for the user data disk. In a non-permanent desktop type, user data is required to reside either in network
attached home directory storage or a VMware datastore.


The simplified procedure shown above highlights the use of combined solutions and the flexibility of creating a
large standalone desktop deployment for distributed locations using one NAS storage.

More Information
VMware vSphere product page
http://www.vmware.com/products/vsphere/
BlueArc NAS
http://www.bluearc.com/
VMware vSphere Thin Provisioning
http://gestaltit.com/all/tech/storage/craig/vmware-vsphere-thin-provisioning/
Comprehensive Virtual Desktop Deployment with NetApp
http://www.vmware.com/files/pdf/partners/netapp-vmware-view-wp.pdf
Why run VMware over NAS?
http://blogs.netapp.com/dave/2007/09/why-run-vmware-.html


Deploy VMware View 4 with VMsafe


VMware VMsafe is a new security technology in vSphere for virtualized environments that can help to
protect your virtual infrastructure in ways previously not possible with physical machines. With VMware
View 4 supporting vSphere, VMsafe can provide a unique capability for virtualized environments through an
application program interface (API)-sharing program that enables select partners to develop security products
for VMware environments. The result is an open approach to security that provides customers with the most
secure platform on which they can virtualize their business-critical applications.

Before You Begin


Before you implement this solution, review the licensing terms with your existing anti-virus vendors. The
scanning agent requires Microsoft SQL Server at installation.

Figure 16: VMsafe API architecture overview

Sometimes, when deploying anti-virus protection in a large enterprise network, even the scanning
activities are distributed, and the malware pattern update, download, and scanning tend to increase
network resource overhead.
The VMsafe API is adopted by McAfee and Trend Micro. This test exercise uses Trend Micro Core Protection for
Virtual Machines to monitor all activities in your VMware virtual environment. Virtual machines with real-time
agents monitor file read/write activity and check for file infections. The scanning agent performs on-demand
and scheduled scanning of target virtual machines for file infections.


If it finds that a file is infected, it sends notification messages to pre-defined recipients and takes action on the
virus according to the third party security product configuration. The activity log records all of the activities of
the system. You can design personal scanning profiles, which saves you from having to reconfigure frequently
needed settings. You can even assign multiple scanning options to a profile, and use the profile for special
circumstances, for example, scanning incoming files only.
In this deployment, the test deploys two Windows Server 2003 R2 virtual machines (AV1 and AV2).
Virtual machine AV1: Scanning Agent
Virtual machine AV2: Management Console


Figure 17: The management console points to vCenter to obtain the complete virtual machine list

Figure 18: Deploy real-time agents or scanning agents onto virtual machines


You can protect offline snapshot images by installing the scanning agent on the AV1 virtual machine. AV1 will
perform agent-less scanning on the offline images. If you are concerned about real-time malware activities, you
can use a real-time agent deployment to protect needed scanning. It offers the virtual environment security
protection and central management consistent with your virtual desktop deployment.

For More Information


VMsafe
http://www.vmware.com/technology/security/vmsafe.html?source=hp&q=VMsafe&aq=f&oq=&aqi=g-s10
Trend Micro Core Protection for Virtual Machine
http://us.trendmicro.com/imperia/md/content/us/flv/enterprise/endpointsecurity/ds01cpvm_090622us.pdf
McAfee VMsafe Integration
http://www.mcafee.com

How to Configure View Security Server Using SSL VPN Router
Customers running a VMware View environment don't just want secure access for virtual desktop sessions;
they want convenience as well. The typical security scenario is to deploy View Security Server in the DMZ.
Alternatively, you can deploy an SSL VPN Appliance to extend the security deployment by brokering connections
to virtual machines and providing SSO when users access their assigned virtual desktops. The SSL VPN
appliance can be a virtual or physical appliance from vendors like Juniper Networks or Barracuda Networks.

Before You Begin


Deploy and install three virtual machines
SSL VPN Demo Client (Windows XP) used as external user system
SSL VPN Appliance Server (Linux)
??

Figure 19: [NEED TITLE]


Procedure
Deploy and Configure the View Connection Server
1. Install the View Connection Server.
2. Once installed, log in to the View Manager administration console and configure vCenter to load
virtual machines from your existing environment. Security Server is one of the options during the View
Connection Server installation. It acts as the SSL offload. If you deploy for a quick proof of concept, use
SSL VPN for the security and single sign-on use.

For More Information


Juniper Networks has detailed information on the proper configuration for their products.
http://www.juniper.net/us/en/local/pdf/app-notes/3500148-en.pdf

End-to-End Monitoring
For desktop virtualization, define the virtual hardware, and then encapsulate data by importing your operating
systems, application sets, and user data into the virtual desktop. The virtual desktop is stored in the datacenter
storage arrays. The experience from physical endpoints (View Client) to virtual guest desktop (View Agent)
demonstrates the desktop virtualization deployment integrity including desktop, user data management,
storage, application usage, and network latency.

Before You Begin


This sample deployment focuses on VMware PCoIP performance. For quick monitoring of network activities,
consider using a network protocol analyzer like WireShark (www.wireshark.org) in promiscuous mode, or
another appliance solution like Liquidware Labs or Xangati for virtual desktop and network visibility.

Figure 20: PCoIP traffic is visible in the appliance through the port mirror on the switch


Procedure
VMware View with PCoIP is a software implementation that leverages both TCP and UDP. The protocol
intelligently chooses the right codec for the right region on the desktop context:
Lossy compression is used for multimedia and streaming audio/video
Lossless compression is used for text and data
For the test setup, you can deploy a typical workload using an automation script such as AutoIT
http://www.autoitscript.com/autoit3/ that runs standard applications like Microsoft Office, Acrobat PDF,
Windows Media Player with WMV or MPEG contents, YouTube video, or QuickTime movies.
Using a third party application monitor, you can see the traffic between the client and the virtual desktop as
well as the end-to-end delay between the two, and where the network delay is in the infrastructure.

Figure 21: PCoIP communicates through Port 50002

PCoIP deploys virtual channels for extended capabilities (MMR, printing, USB device re-direction, and so on).
UDP is used for efficient bandwidth and avoids TCP bandwidth limits.
The reliability layer in PCoIP intelligently decides on retransmission by using TCP for connection management
such as session connection, USB permissions, bandwidth or image quality settings, and so on.

Figure 22: Identify ports to monitor for PCoIP


Figure 23: Broker Port List

For More Information


Port configuration information is available on page 47 of the VMware View Architecture Planning Guide
Xangati http://www.xangati.com
WireShark http://www.wireshark.org
Liquidware Labs http://www.liquidwarelabs.com

Technical Support
As it is impossible to cover all deployment scenarios in this guide, for further proof of concept or technical
assistance, contact desktop-tm@vmware.com or go to the VMware View product page
http://www.vmware.com/products/view/ for community assistance.

About Authors
Cynthia Hsieh, Senior Technical Marketing Manager, Enterprise Desktop, VMware, Inc.
Rahul Dey, Senior Member of Technical Staff, Enterprise Desktop, VMware, Inc.
Collectively, we would also like to express our appreciation to Mike Pryor, Keith Johnston, Robert Noth, David Ting,
Jim Zhang, and David Messina.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be
trademarks of their respective companies. Item No: VMW_09Q3_DG_VIEW4_USLET_EN_P47_R1
