Author: Craig

Knowledge

• Configure virtual machine hardware
• Perform installation of VMware Tools
• Update drivers
• Perform OS optimizations
• Perform installation of View Agent
• Create snapshots
• Create customization specifications

Configure Virtual Machine Hardware

So let’s look at the hardware on our base Windows 7 VM

Hard Disk – Thin Provisioned

Video Card – Auto Detect Settings

Memory – 2GB

vCPU – 1

SCSI Controller – LSI Logic SAS

CD/DVD Drive – Remove

Floppy Drive – Remove

NIC – VMXNET3

Hardware Level – VMX-09

TOP TIP: You won’t be able to use this Windows 7 desktop for ‘Local Mode’ with VMX-09 hardware version

Perform Installation Of VMware Tools

Err, I’m sure we all know how to do that so let’s crack on!

Update Drivers

Over on the SMB Blog, there is an excellent article by Jeremy Hall, which goes into making specific changes to the mouse and display drivers.  I highly recommend you follow this not only for your VDI environment but also for your vSphere environment.

The article is called Improving Windows 2008/Windows 7 OS Mouse & Video Performance on ESXi

Perform OS Optimizations

This is a critical area as we want our Windows 7 baseline VM to be as lean as possible, disabling any unnecessary services and features.

Not wanting to reinvent the wheel, VMware have created an excellent guide called VMware View Optimization Guide for Windows 7

Perform View Agent Installation

The View Agent is installed in the virtual desktop to provide additional VDI features, I like to think of it as ‘VMware Tools’ little brother.  It can be installed on:

• Virtual Desktop
• Physical Desktop
• Terminal Server

Essentially, the View agent talks back to the View Connection Server to allow the creation of automated pools.  It’s a busy busy chap and also informs the View Connection Server about the availability of desktops.

Perhaps one of the most important features from an end user perspective is that the View Agent enables single sign-on through the View Connection Server.

Lastly, the View Agent is the piece of the puzzle that enables features such as printing and USB redirection.  So to summarize, the View Agent is a very busy chap!

View Agent Installation

The View Agent needs to be downloaded from here.  As at the time of this blog post the most recent version is VMware-viewagent-x86_64-5.1.2-928164 For this installation, I have created a customized version of Windows 7 which we covered earlier on.

So let’s get too it. Launch the View Agent installer on your Windows 7 desktop and click Next

Click to Accept the EULA and Click Next again

We want to accept the Custom Setup (unless you are using Smart Card Readers) and Click Next

This is quick and easy, Click Install

Hit Finish

Finally, give your Windows 7 desktop a reboot and job ‘a good ‘un

Create Snapshots

Part of the process to create our Linked Clone desktops is to perform a Snapshot of our awesome new Windows 7 VM.

Not going to teach you to suck eggs on this, here is one I created earlier.

Create Customization Specifications

A few things to mention here, firstly I would recommend testing joining your new Windows 7 VM to the domain.  The format for this is shown below.

As we will be ‘spinning up’ loads of Linked Clones, we need to make sure these desktops go to the right OU in Active Directory to inherit the correct Group Policy Objects.

I use two main ways of doing this:

1. Pre stage all computer accounts in Active Directory using DSADD Computer
2. Redirect computers to a specific Organizational Unit rather than the default Computers OU.

I normally go for the second option and pre stage server accounts in Active Directory.

Lastly, you need to test, test, test your Windows 7 VM to make sure it works in your environment.

Knowledge

• Import certificates
• Turn on certificate based authentication
• Identify RSA instance
• Identify authentication requirements for RSA and Smart Cards

You may have noticed you have a couple of errors on your Events Dashboard every time you log into View Administrator.  This is due to  using the default Self Signed Certificates.

Not a problem you say, it doesn’t really concern me, however when we role out too production, your users might get slightly annoyed that they have to click on ‘continue’ constantly when connecting to the the View Security/Connection Server.

We could just turn off the SSL by turning checking ‘do not verify server identify certificates’.  However this isn’t very elegant and can pose a security risk.

A few prerequisites before we crack on:

• Any Connection/Security Servers /Load Balancers which are client facing require an SSL certificate
• If you use a load balancer which has an SSL certificate and you enable secure tunnel, then the Security Server or Connection Server requires an SSL certificate as well as the View Client makes a secondary tunnel directly to the Security/Connection Server.
• Local Mode, if you enable SSL for this, you also require an SSL certificate

Generally speaking you would want to use a Trusted Root Certificate Authority such as Verisign or Thwarte for any Security Servers and/or Load Balancers which are public facing.

If you have a PKI infrastructure internally, with an Enterprise Certificate Authority then you can use these to replace your Self Signed Certificate on your Connection Servers.

In this particular blog post, we aren’t going to cover generating a certificate request from a Trusted Root Authority as VMware have kindly written an excellent KB entitled Using Microsoft Certreq to generate and import a signed certificate into View 5.1

Import Certificates

To enable the creation of a PKI infrastructure on my home lab, I have added the role ‘Active Directory Certificate Services’ to my domain controller VMF-DC01.

We will be using the Web Server certificate for server authentication, however by default we won’t be able to enroll any servers using this as they won’t be trusted.

After you have installed the Active Directory Certificate Services role, run the command ‘certtmpl.msc’ which loads up the default certificate templates.

We want to create a duplicate of the Web Server certificate, by Right Clicking and selecting Duplicate

Give it the name VMware View (I know very original) and go to the Request Handling Tab and select ‘Allow private key to be exported’

Next onto the Security Tab, I have created a Security Group called ‘View Servers’ and entered the computer accounts VMF-CON01 and VMF-TR01 which are my Connection and Transfer Server.

I have then granted the Read and Enroll rights to the Security Group ‘View Servers’  This is really important as without this when we go to request a Certificate, you won’t have access to any templates.

Onto our Connection Server VMF-CON01 and click Start > Run and enter MMC.  Add a Snap In and Choose Certificates and Computer Account > Local Computer

We want to expand Personal and Select Certificates

I have already deleted my Self Signed Certificate, I’m feeling that confident!

Right Click Certificates > All Tasks > Request New Certificate

Click Next

Select Active Directory Enrollment Policy and hit next

Select VMware View and click on ‘More information is required to enroll this certificate.  Click here to configure settings’.

Select Command Name from Type and enter your NetBios name, in my case VMF-CON01 and Add this to the request.

I also recommend adding in the Subject Alternate Names as well, you can achieve this by selecting DNS under ‘Alternative Name’ and entering your FQDN, in my case VMF-CON01.vmfocus.local

Note this needs to match the URL and Server Name in your Connection Server Settings.

Just a side note if you don’t follow these settings and enter the FQDN in Common Name and NetBios in the Alternate Name, you will get ‘Server’s certificate does not match the URL’ in View.

Click on the General Tab and enter vdm which is a name that View continues to lookup.

Hit OK to apply and then Click Enroll

After you click Finish you will see the installed Certificate

To ensure the View Connection Server uses this Certificate we can either restart the Connection Server or restart the ‘VMware View Connection Server’ service.

I have opted to restart the service, so let’s check the View Administrator Dashboard.  Happy days our Connection Server is green with no problems reported.

Turn On Certificate Based Authentication

By default Certificate Based Authentication is enabled for Client Connections.

This can be changed by going to View Configuration > Global Settings > Edit

TOP TIP If you change this setting then all Client Connections are dropped

Identify RSA Instance

Err, I don’t really know what VMware mean by this, I presume it is in relation to Two Factor Authentication.

To identify if you are using Two Factor Authentication, go into View Configuration > Servers > Connection Servers > Edit > Authentication Tab

Identify Authentication Requirements for RSA and Smart Cards

The authentication requirements for RSA are:

• Disabled
• RSA SecurID
• RADIUS

The authentication requirements for Smart Cards are:

• Not allowed
• Optional
• Required

Felt this objective was a strange one, as it pulls experience and understanding from PKI and Two Factor Authentication which may not be in every View Administrators arsenal.

Knowledge

• Configure the profile store
• Configure Virtual Profile GPOs
• Configure View Media Services for Clipboard Support

VMware introduced Persona Management  to replace Roaming Profiles, which are the bane of every Server Admins life, can you count how many times you have .old a roaming profile and told the user to login again to receive a new profile due to corruption?.  In fact when I deploy Microsoft infrastructure solutions we no longer use Roaming Profiles, instead we redirect My Documents and Desktop Icons so that the users data is safe and they have a consistent desktop, albeit they may not be able to run all the applications on every workstation they log into.

Anyhow, VMware’s Persona Management is different, in a couple of ways:

1. When a user logs in, Persona Management only instantly downloads the parts of the profile required.  Everything else is streamed on demand, think of a 10MB PowerPoint presentation on the desktop from a year ago, it doesn’t really need to be downloaded every time someone logs in.
2. Changes are synced back to the ‘persona repository’ every ten minutes so when a user logs off, it’s much quicker.

Configure The Profile Store

I wasn’t entirely sure what VMware means by this, I can only assume they mean the shared network location in which we are gong to store the Persona Data.

Persona Management relies on the same requirements as Roaming Profiles, I use this Folder Redirection KB to verify the permissions.

I have created a folder on VMF-TR01 called Persona and applied the share permissions above to this.

Configure Virtual Profile GPOs

To enable Persona Management we need to configure the Group Policy.  We need to import the ADM from the View Connection Server, I covered this in VMware View Objective 1.5 – Prepare Active Directory for installation under Templates.

Edit the GPO and go to Computer Configuration > Policies > Administrative Templates > Classic Administrative Template > VMware View Agent Configuration > Persona Management > Roaming & Synchronization > Manage User Persona > Enabled

Now that we have Persona Management enabled we need to configure the UNC path for the Persona Repository.

Computer Configuration > Policies > Administrative Templates > Classic Administrative Template > VMware View Agent Configuration > Persona Management > Roaming & Synchronization > Persona Repository Location > \VMFTR01Persona

We do have loads more GPO settings that can be configured, these are outside the scope of this blog post.  I have however linked the GPO to my View Desktops and created a Test Text File on my Desktop and a Test Documents Folder in My Documents

I then timed this and after 11 minutes, I checked my Persona share and voila!

Configure View Media Services for Clipboard Support

The good old copy and paste between your Physical Desktop and the View Desktop.

This is controlled by Group Policies contained in the PCoIP Group Policy, again from the ADM located on your View Connection Server.

The GPO setting is located underComputer Configuration > Policies > Administrative Templates > Classic Administrative Template > VMware View Agent Configuration > PCoIP Session Variables > Overridable Administrator Defaults/Not Overridable Administrator Defaults > Configure Clipboard Redirection.

We have a number of choices, all of which are straight forward.

• Disable both directions
• Enabled both directions
• Enabled client to server only
• Enabled server to client only

Knowledge

• Create ThinApp applications
• Create or identify supported file share
• Assign permissions to the share
• Verify MSI streaming setting in the package.ini files
• Identify necessary ThinApp package components to put on the share
• Assign ThinApp applications to pools

Create ThinApp Applications

As with a few of the other topics, I like to start with what ThinApp is.  ThinApp provides a virtualisation bubble between the Operating System and Application, meaning that they are isolated from each other.  This allows us to recompose a View Desktop without affecting the applications which run on it.

I mentioned the word ‘bubble’ earlier.  When the application is started a ‘bubble’ is created that contains all of the file system and registry.  These settings can either replace or merge with the Operating System file system or registry.   I like to think of it as the merge or replace using Group Policy for Terminal Servers.

What are ThinApp requirements:

• 32 Bit run on Windows NT (yeah right) or later 
• 64 Bit run on Windows XP or later
• 16 Bit applications can only run on 32 Bit versions of Windows
• 32 Bit applications can run on 32 Bit or 64 Bit versions of Windows

What are ThinApp Limitations

• If the Application doesn’t work on the Operating System it won’t work on ThinApp
• Anti Virus software
• VPN Clients
• Printer Drivers
• 64 Bit applications cannot be virtualised

To create a ThinApp Application we need to start of with a blank/clean Operating System install.  I’m going to use Windows 7 32 Bit for my base OS called VMF-THIN01 with 1GB RAM and a 1 vCPU.  The overall process is:

• Pre-scan in which all file system and registry are collected
• Install the application and test, test and err test
• Post-scan in which all file system and registry are collected
• Comparison is made between ‘pre-scan’ and ‘post-scan’.
• Configure the ThinApp package
• Copy’s the different files to a ‘Project’ directory
• Build ThinApp package

After applying Windows updates, the first thing I’m going to do is take a Snapshot of VMF-THIN01 as this is our base installation which we can revert back to if required.

After taking the Snapshot we need to download ThinApp 4.7.3 to install on VMF-THIN01.  The latest version at the time of this blog post is VMware-ThinApp-Enterprise-4.7.3-891762.exe 

Launch the .exe and Click Next on Patents List

Accept the EULA and Click Next

Don’t worry at this point, you will think is it installing or not for about five seconds, then you will see the Enter License key Screen. Pop your license key in and then a name that will mean something to you for the ‘License display name’.

Awesome that’s ThinApp installed.

Next, I’m going to take another snapshot, for after the ThinApp installation.

Cool, you will notice a VMware folder on your Start Menu and we want to launch ThinApp Setup Capture (I have created a shortcut on my desktop for easy reference).

We are going to click Next to perform a Prescan of our system.  A Prescan creates a baseline of your clean installation, checking the status of hard drive and registry files.

Click Prescan to launch

This process will take some time, so it might be worthwhile getting a brew.

Cool, so now we need to install the application which we want to be packaged.

I’m going to install with Firefox which I have downloaded to the C: drive of VMF-THIN01.  Nothing special here, I have just installed Firefox as you would on any computer.

Now that Firefox is installed, I’m going to run a Postscan by clicking the Postscan icon.

You will notice that once the Postscan has finished, ThinApp will compare the Prescan and Postscan.

Now that’s finished we need to select the ‘Entry Point’ this is a fancy word that really just means the shortcut to launch the application.  In my case ThinApp knows I have installed Firefox and that the ‘Entry Point’ is Mozilla Firefox.exe

We aren’t going to be using Horizon Application Manager or updating an existing ThinApp Package so click Next

Next you can select the Active Directory Security Groups who can run the application.  I have chose View Sales users and we can also define a ‘Access Denied Message’ for users who don’t have access.

The next choice is about Isolation modes.  What the heck are they? Well the Isolation level made determines the amount of interaction the application can have with the OS.

As Firefox is a well known application which has been written properly, i’m going to select ‘Full write access to non-system directories (Merged Isolation Mode)’

Next we have to decide on our Sandbox location.  The Sandbox captures any changes made to the application such as customization’s   We are going to use the defaults.

Err, I don’t want to send VMware any information, so hit Next

Now this part is really cool, ThinApp allows us to use ThinDirect which plugs in to Internet Explorer so that when a specific website is launched it will open in Firefox.  I’m going to enter http://www.vmfocus.com

Now we need to enter the Inventory Name, shows up in Add/Remove Programs and is shown in the Sandbox Folder. The Project Location is where all the files that make up our Firefox ThinApp package are located.

Next we get to choose our Primary Data Container, this holds all the information to run our ThinApp Package.  For me, I’m going to use Entry Point, generally speaking ThinApp makes the right decision, so I will leave mine as Mozilla Firefox.exe

I’m also going to select MSI Package Generation so that ThinApp will create an ‘msi’ version of Firefox for me.  This means I could use Group Policy to deploy the ThinApp package down to regular desktops, now that is pretty wicked.

In this occasion, we aren’t going to compress the virtual package.

Once we hit Save, ThinApp then performs all the tasks we have requested and Packages Firefox.

Verify MSI Streaming Setting in The package.ini Files

Awesome, we are not at the point where we can Verify MSI Package File, to do this we can click on Edit Package.ini

You will see the MSI Parameters and many other settings that can be customised/altered if required.

I’m happy with all of these settings, so I’m going to Build the Firefox Pacakge.

The Build takes a little while, so it might be an idea to grab another cup of tea!

Excellent news, all finished and Firefox is packaged.

If we access the Project Executable by going to C:Program FilesVMwareVMware ThinAppCapturesMozilla Firefox 18.0.1bin you will see our two files, Firefox Application and the MSI

Create Or Identify Supported File Share & Assign Permissions To The Share

On my Transfer Server VMF-TR01 I have created a Windows File Share called ThinAppPackage with the following permissions:

Domain Computers – Read

Domain Users – Read & Execute

Identify Necessary ThinApp Package Components To Put On The Share

Now we have the packaged Firefox we need to copy all the project files onto VMF-THIN01

Source: C:Program FilesVMwareVMware ThinAppCapturesMozilla Firefox 18.0.1

Destination: \VMF-TR01ThinAppProjectMozilla Firefox 18.0.1

We are also going to copy our package files (Firefox Application and the MSI) onto VMF-TR01

Source: C:Program FilesVMwareVMware ThinAppCapturesMozilla Firefox 18.0.1bin

Destination: \VMF-TR01ThinAppPackageMozilla Firefox 18.0.1

Before we move on, it’s a good idea to test our Firefox installation.  To do this, I have reverted VMF-THIN01 back to a state before we installed ThinApp so that we have a clean Windows 7 desktop again.

I’m going to login to VMF-LM01 as Sales01 as the View Sales Users has access to Mozilla Firefox.  This user has no special rights and is a normal Domain User.

I have created a shortcut on the desktop to \VMF-TR01ThinAppPackageMozilla Firefox 18.0.1 so that I can launch the application. Let’s see if it works.

Voila we have success!

Assign ThinApp Applications To Pools

This seems like a really long blog post, however we are on the final hurdle, which is assigning ThinApp Applications to pools.  Seems like we haven’t been into View Administrator in a long time.

Let’s jump into View Configuration > ThinApp Configuration > Add Repository

This is where we tell ThinApp to find ‘msi’ packages.  Which for me is under \VMF-TR01ThinAppPackage

Next we are going to jump up to Inventory > ThinApps > Scan New ThinApps

Select your ThinApp Repository and I recommend using the Top Level Folder so that you scan all sub folders

Choose your MSI file to scan, in my case I only have Mozilla Firefox 18.0.1.msi

If all goes well then your MSI should be ‘added’

Let’s get this ThinApp assigned to a pool shall we.  Select your ThinApp and choose Add Assignment > Assign Pool

Choose which Pool you want to assign the ThinApp too, I’m rolling with VMF_Local_Mode and hit OK

Excellent our Mozilla Firefox MSI is now ready for use.

Let’s login to a View Desktop as Sales01 and see what we find.

Awesome, we have a Mozilla Firefox shortcut, the browser works and it’s in Programs/Features.

ThinApp Resources

ThinApp is such a broad part of View, that we can’t really cover all aspects in a blog post.  However, I do recommend you use the following resources for extra study aides:

ThinApp Users Guide 4.7

ThinApp Blog

ThinApp 4.7 Package.ini Parameters Guide

Knowledge

• Utilize vdmadmin (e.g., enable/disable Kiosk Mode, assign client to desktop, etc.)
• Identify client device’s identification mechanism (MAC, custom name, etc.)

Before we crack on with Kiosk Mode, what’s the point in it? Well Kiosk Mode is for environments where people don’t login, but need access to some data.  An example of this would be my Doctors Surgery.  You go in and enter some details on a touch screen to verify you are who you say you are.  If you get the details right, you are checked in for your appointment.

Most likely Kiosk Mode desktops are going to be heavily locked down, so with this in mind, I would recommend creating an specific Organisational Unit and Security Group in Active Directory for them.

I have created a Windows 7 Virtual Machine called VMF-KIOSK01 specifically to perform the View Kiosk function.

Kiosk Pool

I have created a Manual Floating Pool for VMF-KIOSK01 and granted the Security Group View Kiosk Users entitlement.

Before we go any further I want to test logging into VMF-KIOSK01 as user Kiosk01 to make sure everything is tickety boo.

Well that’s working fine.  Time to leave the GUI behind and head into CLI.

Utilize vdmadmin & Identify Client Device’s Identification Mechanism

vdmadmin is a tool built into the View Connection Server that allows you to perform administrative tasks in CLI such as scripting.

We need to utilize the vdmadmin tool to get our VMF-KIOSK01 working.  Specially we are going to use the -Q option to create kiosk accounts and set parameters in Active Directory.  The complete syntax is as follows (taken from VMware View Administration – View 5.0)

• vdmadmin -Q -clientauth -add [-b authentication_arguments] -domain domain_name-clientid client_id [-password “password” | -genpassword] [-ou DN] [-expirepassword | -noexpirepassword] [-group group_name | -nogroup] [-description “description_text”]
• vdmadmin -Q -disable [-b authentication_arguments] -s connection_server
• vdmadmin -Q -enable [-b authentication_arguments] -s connection_server [-requirepassword]
• vdmadmin -Q -clientauth -getdefaults [-b authentication_arguments] [-xml]
• vdmadmin -Q -clientauth -list [-b authentication_arguments] [-xml]
• vdmadmin -Q -clientauth -remove [-b authentication_arguments] -domain domain_name-clientid client_id
• vdmadmin -Q -clientauth -removeall [-b authentication_arguments] [-force]
• vdmadmin -Q -clientauth -setdefaults [-b authentication_arguments] [-ou DN] [ -expirepassword | -noexpirepassword ] [-group group_name | -nogroup]
• vdmadmin -Q -clientauth -update [-b authentication_arguments] -domain domain_name-clientid client_id [-password “password” | -genpassword] [-description “description_text”]

vdmadmin is located in C:Program FilesVMwareVMware ViewServertoolsbin by default

Run Command Prompt as a user with administrator rights and navigate into the folder locating vdmadmin.

The command we are going to run is

vdmadmin -Q -clientauth -setdefaults -ou (Organisational Unit) -group (Security Group) -noexpirepassword

Which equates too

vdmadmin -Q -clientauth -setdefaults -ou “OU=View Kiosk,OU=View Infrastructure,DC=vmfocus,DC=local” -group “View Kiosk Users” -noexpirepassword

This command ensures that the User Accounts that View will create for Kiosk mode won’t expire.

Now we need to get the MAC Address of the View Desktops, in my case VMF-KIOSK01.  The easiest way to do this is too ping VMF-KIOSK01 and run arp -a from the command line

The next command we are going to run is

vdmadmin -Q -clientauth -add -domain vmfocus -clientid 00:50:56:82:6a:43 -group “View Kiosk Users”

If we check Active Directory we have a new user created called cm-00_50_56_82_6a_43 who is a member of View Kiosk Users

Next we need to enable our View Connection Server to authenticate without needing a password, oh my!

The syntax for this is

vdmadmin -Q -enable -s VMF-CON01

From an administrator perspective, you might want to see which clients are enabled for Kiosk Mode without passwords.  To do this run the following syntax

vdmadmin -Q -clientauth -list

Last of all we need to tell the View Client on the physical hardware to access VMF-KIOSK01 using Kiosk mode.  VMware have included a handy little example batch file which can be found in C:Program FilesVMwareVMware ViewClientbinkiosk_mode.cmd

The easiest thing to do is run this script against the physical machine using a Windows GPO.

For this particular blog post, kudos to Barry Combs & Mike Laverick for the Building End-User Computing Solutions with VMware View