25-07-14

VCAP-DTA Section 8 – Secure a View Implementation

Objective 8.1 – Configure and Deploy Certificates

Section 8 assumes we now have a fully upgraded and working View 5.2 pod and end users are happy as we’ve sorted out their clients. Now we have to circle back and look at ways of locking down and securing the View pod against unauthorised access.

  • Configure 2 Factor/Smart Card Authentication including truststore – 2 Factor authentication is configured on a per Connection Server basis. So go into View Administrator, select View Configuration, Servers and then the Connection Server tab. Select the Connection Server you want to configure for two factor authentication and select Edit. Click the Authentication tab and you’ll see the dialog as shown below.
    • You must first obtain the root Certificate Authority certificate from the CA being used to sign the certificates on the smart cards
    • Use the keytool utility to import the CA certificate into the server truststore file using the command syntax keytool -import -alias alias -file root_certificate -keystore truststorefile.key
    • Copy the truststore file into the sslgateway folder on either the Connection or Security Server, depending on the scenario. This is typically located at %PROGRAMFILES%\VMware\VMware View\Server\sslgateway\conf\
    • Smartcard authentication has three options in the drop down, Not Allowed, Optional, Required. Choose the appropriate option. You can also check the box to disconnect sessions on smart card removal, for added security.

2factor

 

 

  • In the Advanced Authentication section, choose whether 2 Factor authentication is Disabled, RSA SecurID or RADIUS. For exam purposes, I’m assuming it will be RADIUS as this is not a proprietary solution.

radius

  • With RADIUS selected, choose whether to Enforce 2-factor and Windows user name matching and/or Use the same user name and password for RADIUS and Windows authentication.
    • In the Authenticator drop box, choose Create New Authenticator and fill out the RADIUS server details similar to below:-

radius-server

 

  • Complete the wizard to finish the setup of RADIUS.

 

  • Configure and deploy View certificates - By default, View Connection and Security Servers use self signed certificates. This in itself is fine and will work, but you will see warnings in View Administrator to say these certificates aren’t trusted as they weren’t issued by a trusted Certificate Authority. In order to secure your Connection and Security servers, you will need to perform the following process:-
    • Create a Certificate Signing Request (CSR) from the server you wish to  add a trusted certificate to (you can use Windows certreq tool to do this). The View documentation has a request.inf file you can re-use for this purpose (certificate must be in PKCS12 format)
    • Obtain a signed certificate from the issuing CA
    • Verify the CSR and the private key are stored in the local computer’s certificate store by running certmgr.msc and looking in the Certificate Enrolment Request folder
    • Import the certificate into the local store using certreq -accept cert.cer
    • Once the certificate is imported, in Certificate Management, add the friendly name of vdm to the certificate and install the root CA and intermediate (if appropriate) certificate into the certificate store
    • Restart the Connection, Security or Composer Services for the changes to take effect
  • Configure certificate revocation checking using the locked.properties file - Certificate Revocation is another security step which prevents SSL certificates that have been listed as revoked by the issuer to be reused for secure services. In order to configure View to use certificate revocation lists (CRL), you need to amend the locked.properties file which can be found in %PROGRAMFILES%\VMware\VMware View\Server\sslgateway\conf\ with the following lines:-
    • enableRevocationChecking=true
      enableOCSP=true
      allowCertCRLs=true
      ocspSigningCert=te-ca.signing.cer
      ocspURL=http://te-ca.lonqa.int/ocsp
    • Where ocspURL is the URL of the OCSP Responder. Note the above is used for smartcard certificate checking, View server certificates have CRL checking built in.
    • If you are using your own CA and cannot include CRL information in the certificate, amend the CertificateRevocationCheckType registry key under HKLM\Software\VMware, Inc.\VMware VDM\Security and set the appropriate level as below:-
      • 1 – Do not perform CRL checking
      • 2 – Only check the server certificate, don’t check any other certificates in the chain
      • 3 – Check all certificates in the chain
      • 4 – Check all certificates except the root (default)
  • Perform a certificate replacement using sviconfig - Adding a certificate to  View Composer follows pretty much the same steps as above (Create CSR, get signed certificate, import certificate) but with one additional step. Stop the View Composer service and run the command sviconfig -operation=ReplaceCertificate -delete=false  to use the new certificate added to the local certificate store. The delete=false option is mandatory and false will not delete the old certificate from the Windows certificate store. Enter the number of the certificate you wish to use and then finally restart the View Composer service for all changes to take effect.

 

Objective 8.2 – Harden View Components and View Desktops

  • Open firewall ports used by View components – Regardless of whether you need to change the server or client end firewall settings, this is done via Firewall.cpl or Windows Firewall, depending on how you prefer to run these things. By default during View component installation, if the installer detects Windows Firewall is running, it will attempt to make the required firewall changes to allow View to operate, so ports such as 80, 443 (HTTP(s) for authentication), 1472 (PCoIP), 3389 (RDP), 32111 (USB redirection), 9427 (MMR), 4001 (JMS), 50002 (PCoIP). Verify these ports are enabled at both ends where appropriate and ensure the correct protocol is used (UDP or TCP). Chances are in the exam you’ll be asked to add a firewall rule to facilitate a connection. Also don’t forget there are three firewall profiles – domain, private and public networks. Make sure this doesn’t catch you out. To make changes to the Windows Firewall, select Allow a program or feature through Windows Firewall. All installed VMware services should be listed, add a tick box to which services you want to allow through, as shown below:-

Firewall

  • Disable Windows services - View has several services it uses in the normal course of operations, including:-
    • VMware View Connection Server
    • VMware View Framework Component
    • VMware View Script Host
    • VMwareVDMDS
  • Typically only the services required will be started automatically, but in the exam there may be a case of a service started that shouldn’t be, or vice versa. At  a glance, the prime suspect would appear to be VMware View Script host, which is usually disabled but must be enabled  if scripts are to be run against the server. To enable and disable services, go to Start | Run | services.msc. All View services are prefixed with “VMware”, so they’re all pretty easy to spot in the services list. Whichever service you wish to configure, right click and go Properties and change the Startup Type to Disabled, Manual or Automatic. You can also stop a service from this dialog.

services

 

  • Configure appropriate message security mode - Message security mode assigns security to JMS messages, which the method that View components use to communicate with each other. By default, this setting is enabled so all JMS messages that are not signed correctly are rejected. This can be amended to disabled or mixed, where message security is enabled but not enforced. Generally this setting is only required with legacy versions of View (3.0 or earlier). To configure this setting, go to View Administrator and then View Configuration | Global Settings | Security Pane Edit  and choose the required mode from the drop box as shown below:-

securitymode

  • Configure SSL for appropriate View functions - By default, View uses HTTPS redirection already for View client and administration traffic, in addition to Local Mode SSL encryption. As this is already enabled by default, I can only surmise that it will have been disabled somewhere for the purposes of the exam. Also, ensure the link to vCenter goes over port 443 and the View Composer port is 18443 by default, which is also secure. All of this is configured from View Administrator, under View Configuration | Servers. Select the vCenter Server or Connection Server you wish to configure and select Edit to make the required changes. The Local Mode settings are under the Connection Server under the Local Mode tab.
  • Configure secure tunneling - Secure tunneling is used when additional security or direct connections to the virtual desktops are not possible or desirable. All three protocol methods (RDP, PCoIP and HTML/Blast) have their own secure gateway tunnel and this is configured from within View Administrator. Go to View Configuration | Servers | Connection Servers and click Edit. From here, the General tab lists all gateways where they can be enabled/disabled and configured. Simply check the box next to the gateway to enable it and change any URLs/ports as required, as shown below. Remember the PCoIP Secure Tunnel URL Is always an IP address!

tunnels

 

  • Configure security settings in the View Agent Configuration Template - To configure security settings for the View Agent, you need to add the ADM template file into Group Policy Management (or you can add it in locally to your master image). The file is called vdm_agent.adm and can be found on the Connection Server under %PROGRAMFILES%\VMware\VMware View\Server\extras\GroupPolicyFiles. Once added into Group Policy Management, various options can be set as shown below, including:-
    • USB Configuration (allow/disallow USB device types, models etc.)
    • Agent Configuration (Commands to run on connect/reconnect etc.)
    • Agent Security (allow unencrypted connections from older legacy devices)

viewagent

 

 

VCAP-DTA Section 9 – Configure Persona Management for a View Implementation

 

Objective 9.1 – Deploy a Persona Management Solution

  • Create a Persona Management repository - To create a View Persona Management (VPM) respository, simply create a regular file share on a Windows server on the network. This can be a NAS device or a Windows Server, it doesn’t really matter. When creating the VPM share, note the following guidelines from the View Persona Management guide:-
    • The shared folder does not have to be in the same domain as View Connection Server
    • The shared folder must be in the same Active Directory forest as the users who store profiles in the shared folder
    • You must use a shared drive that is large enough to store the user profile information for your users. To support a large View deployment, you can configure separate repositories for different desktop pools
      • If users are entitled to more than one pool, the pools that share users must be configured with the same profile repository. If you entitle a user to two pools with two different profile repositories, the user cannot access the same version of the profile from desktops in each pool
    • You must create the full profile path under which the user profile folders will be created. If part of the path does not exist, Windows creates the missing folders when the first user logs in and assigns the user’s security restrictions to those folders. Windows assigns the same security restrictions to every folder it creates under that path
      • For example, for user1 you might configure the View Persona Management path \\server\VPRepository\profiles\user1. If you create the network share \\server\VPRepository, and the profiles folder does not exist, Windows creates the path \profiles\user1 when user1 logs in. Windows restricts access to the \profiles\user1 folders to the user1 account. If another user logs in with a profile path in\\server\VPRepository\profiles, the second user cannot access the repository and the user’s profile fails to be replicated
  • Implement optimized Persona Management GPOs - To add VPM group policies, you first need to add in the ADM template file to Group Policy Management. You can add it locally to a parent image, but then you will lose management control. To enable management domain wide, adding the template into Group Policy Management and linking it to an OU in Active Directory is preferred. The ADM template is called ViewPM.adm and can be found on a Connection Server under %PROGRAMFILES%\VMware\VMware View\Server\extras\GroupPolicyFiles. Once added into Group Policy Management, the following settings folders are available:-
    • Roaming and synchronization
    • Folder redirection
    • Desktop UI
    • Logging
  • There are dozens of different settings available to VPM in the group policy, so the exam will probably have some specific requirements on you to configure. Two settings you will need are the first settings in the Roaming and synchronization folder, Manage User Persona and Persona Repository Location. Set the first setting to Enabled to switch on VPM, and here you can change the default synch period from 10 minutes to something else. For Persona Repository Location, set this to Enabled and configure the UNC path to the share you previously configured, \\dc01.beckett.local\VPRepository for example.

vpmsync

  • Implement optimized Windows Roaming Profiles with Persona Management - There may be some cases whereby you do not want to constantly sync parts of the user profile every 10 minutes using VPM. Perhaps there is an application dependency. What you can do within the GPO is set some folders to be exempt from the ongoing sync process and only sync the changes to the VPM repository when a user logs off. To do this, go to your VPM group policy and set folder exceptions as shown below:-

syncexceptions

 

Objective 9.2 – Migrate a Windows Profile

 

  • Ensure pre-requisites are met for a profile migration - The pre-requisites from the View Admin guide are listed below:-
    • Run the migration utility on a Windows 7 or Windows 8 physical computer or virtual machine
    • Log in to the Windows 7 or Windows 8 system as a local administrator
    • Verify that the system on which you run the utility has network access to the CIFS network shares that contain the source V1 path and destination V2 path
    • Verify that the user account that runs the utility is a local administrator on the destination CIFS network share
    • If the user account that runs the utility does not have full ownership of the user profiles that are migrated, specify the /takeownership option with the utility
      • This option passes ownership of the user profile folders to the utility during the migration. Ownership is returned to the users after the migration is completed
    • Ensure that the users whose profiles are being migrated are not logged in to their Windows XP systems when you initiate the migration
      • If a user is in an active session during the migration, the migration might fail
    • Ensure that users do not start using their Windows 7 or Windows 8 desktops before the migration is completed
      • When users start using their View desktops, View Persona Management creates V2 profiles for the users. If a V2 profile already exists before the migration runs, the utility leaves the existing V2 profile in place and does not migrate the legacy V1 profile
  • Perform profile migration using migprofile.exe - The migprofile.exe utility is installed with the View Agent and can be found under %PROGRAMFILES%\VMware\VMware View\Agent\bin or can be installed standalone. The utility can be used to migrate V1 profiles (Windows XP) en masse from a shared repository to another repository in V2 format, or used on a piecemeal basis to upgrade a user at a time, if required. The examples below are taken from the View Persona Management guide:-
    • migprofile.exe /s:\\file01\profiles\* /takeownership performs an in-place upgrade of profiles on a network share from V1 format to V2. The latter have the .V2 extension added to the profile folder

    • The following example migrates the V1 profile for the user ts115 on the computer devvm-winxp to the remote path \\file01\profiles. The utility takes ownership of the user profiles during the migration:

      migprofile.exe /s:\\devvm-winxp\c$\documents and settings\ts115 /t:\\file01\profiles\ /takeownership

  • Modify migration configuration file - The migprofile.exe utility can also apply settings from a settings file written in XML. This file uses XML tags to pre-populate migration settings and can be named anything as long as it has an XML extension. Using this settings file is specified on the command line when running the migration utility and for full details on the XML file format, please refer to VMware’s online guide. Typical tags include:-
    • <source> <profilepath>source_profile_path</profilepath> </source>

    • <target> <profilepath>target_profile_path</profilepath> </target>

    • <includefolders>Personal, Desktop, Start Menu, NetHood</includefolders> (Migrates only specified folders instead of all except Cache, History and Local AppData, by default)

  • To run the migration utility with a settings.xml file, use the following syntax:-
    • migprofile.exe migsettings.xml (where the latter file name is your settings file)

 

Section 10 – Troubleshoot a View Implementation

 

Objective 10.1 – Troubleshoot View Pool creation and administration issues

 

Interestingly, the exam blueprint doesn’t give you any real pointers as to what skills and abilities are being measured for this objective, so let’s have fun and speculate on some things that might occur that we need to troubleshoot during pool creation and administrative tasks:-

  • Pool provisioning fails
    • Check storage space
    • Storage overcommit on linked clones
    • View Agent is installed properly
    • DNS resolution is working
    • Windows Firewall issues
    • View Composer service is available
    • Users have entitlements to the pool
    • User creating the pool has the correct permissions in View Administrator
    • Drill into the pool in View Administrator and check the Events tab for hints as to what’s wrong
  • Administration Issues
    • Check the View Connection Server service is running
    • Check Adobe Flash is installed in the browser
    • Check the user has appropriate permissions
    • Check the web browser is supported (chances are remote, but you never know)
    • Check View Administrator session timeout (default is 30 minutes)
    • Dashboard not updating – check Enable Automatic Status Updates is enabled in View Administrator
    • Red lights in View Administrator dashboard – drill into them to get the events view to see what is wrong
    • Verify vCenter permissions for any service accounts used for vCenter access, Composer provisioning etc.

 

Objective 10.2 – Troubleshoot View administration management framework issues

  • Potential Framework Issues
    • Can’t access View Administrator – check View Component Framework is running
    • Can’t access View Administrator – check View Web Component service is running
    • No Events being logged to the Events Database – check the Event Configuration is correct in View Administrator and SQL is up
    • View not sending messages to Syslog server – check Syslog configuration under Event Configuration section

Objective 10.3 – Troubleshoot end user access

 

  • Potential End User Issues
    • Check Windows Firewall at both ends that ports 80,443,4172,3389 are open as a minimum
    • Check the pairing between the Security and Connection Servers if appropriate
    • Check tagging and that tag matching is providing the expected result
    • Check certificate verification on the View Client is set appropriately
    • Perform connectivity tests such as ping, nslookup etc
    • Check the Connection Server service is running
    • Check user entitlements to pools and desktops
    • Check power settings and the user desktop has not gone into suspend mode or hibernation
    • Check there are spare desktops provisioned and ready in a pool
    • Verify display protocols are correctly matched at each end (PCoIP, RDP etc)

Objective 10.4 – Troubleshoot network, storage, and vSphere infrastructure related to View

 

  • Potential Infrastructure Related Issues
    • Check alarms in vCenter for any hardware issues
    • Check access to vCenter for the Connection Server and View Composer
    • Check vCenter permissions for service accounts, if they’re used
    • Check host contention on ESXi hosts
    • Check disk latencies on datastores if desktops are slow
    • Verify connectivity between Connection Servers and Security Servers and ensure 1Gbps links between all
    • Check SQL is healthy
    • Check vSwitch settings are correct and there are no typos (VLAN numbers, Port Group names etc.)
    • Check all vSwitch uplinks are working correctly
    • Check for restrictions placed on virtual desktops by resource pool settings, DRS/HA etc not artificially constraining desktops
    • Check Storage or Network I/O Control policies are not slowing the infrastructure down

 

 

24-07-14

VCAP-DTA Section 7 – Configure and Optimize View Endpoints

Objective 7.1 – Perform View Client Installations

  • Perform manual installation for desktop clients – I don’t think I’m stretching it by saying that I don’t think you’ll be asked to install the client to an Android or iOS device during the exam (after all, how can the moderators check that?). That then takes us to Mac, Linux and Windows. Again, as the EULA says you can’t install a virtual Mac, seems unlikely that will appear. That leaves Linux and Windows and as there aren’t typically that many Linux users around, I’d expect to just have to deploy the client on Windows. To install the Windows client manually, you typically go to the Connection Server from a web browser from the device you want to install the client on, and the browser should detect if you have the client or not. As the download link redirects you to vmware.com, it’s likely the installation files will have been staged in advance to save time.

viewlcinert

  • Once the client has been downloaded, run the client executable and click next to continue.
    • Accept the EULA and click Next.
    • Choose which client features you want, by default both USB Redirection and Login as current User are checked (the exam may ask you to disable some of these features).
    • Optionally enter the DNS name or IP address of the View Connection Server you want to connect to. Click Next.
    • Select single sign on behaviour, such as Show in Connection Dialog and Set Default Option to Login as Current User.
    • Click Next, choose where to place shortcuts (if required).
    • Click Next and click Install to complete.

 

  • Configure silent installation options for desktop clients – To install the Windows client silently, execute the command line below, noting ADDLOCAL=CORE is mandatory!VMware-viewclient-y.y.y-xxxxxx.exe /s /v”/qn REBOOT=ReallySuppress VDM_SERVER=cs1.companydomain.com ADDLOCAL=Core,TSSO,USB”
  •  Configure options for various clients – I’m not really sure what more can be added here. The View Client is generally a fairly simple beast, so really all I can think you may be asked to perform is to disable certificate checking (Options | Configure SSL). There is also a View Client ADM template you can import and use, and various settings can be configured here if you want to lock things down. There’s a good chance you’ll be asked to check something on the exam, so worth knowing what it’s capabilities are. The template settings guide is here, some example settings are shown below:-
    • Connect all USB devices to the desktop on launch (useful when the user has a couple of USB printers, scanners or smart card readers)
    • Server URL – Issues a default View Connection Server URL for the View Client
    • Certificate verification mode – Configures SSL certificate checking as noted above
    • Enable multi-media acceleration – Enables MMR on the client
  • There aren’t that many admin template options to configure, so hopefully any exam question on this topic won’t hold you back too long. Just remember that some settings are for RDP only, so again watch out for sly tricks from the exam people!

 

Objective 7.2 – Upgrade View Clients

Again I’d expect that you’ll probably only be asked to play around with Windows View Clients, as other platforms in my experience make up the minority of users. Also, setting up non Windows platforms in a lab environment is probably a bit of a pain for VMware Education. As such, we’ll just focus on the Windows Client upgrades.

  • Upgrade clients to support View server component upgrades  – Typically the back end components are upgraded first, so Connection and Security Servers, vCenter/ESXi if appropriate and the View Agent in the virtual desktop. Once that has been done, the focus changes to the end user’s View Client. This process is very quick and is simply a case of downloading the new client (either from the View Portal or elsewhere, I’m guessing it will be pre-staged for you) and running the installer. As we’ve all done client installers before and there are no gotchas here, I’m not going to document it blow by blow.
  • Identify which clients are supported by VMware or OEMs – Again another pretty straight forward skill being tested. The rule of thumb here is that if the client is a “fat” device (so Windows, Linux or Mac desktop or iOS/Android mobile device) then the administrator can upgrade the client by using the appropriate installation mechanism (Windows Installer, RPM, iTunes etc.). If the client is a thin or zero client, updates to the client will generally come from the manufacturer in the form of firmware updates. I’m not entirely sure how this skill can be effectively tested in a practical environment, but there you go.
  • Identify which clients are administrator or user downloadable – The View Portal is the place for end users to get the View Client and these links will usually send the end user to vmware.com to download the latest and greatest. So again, “fat” clients are generally user upgradable with appropriate permissions (administrator on Windows, for example) and thin clients where updates are performed by firmware updates are something only an administrator would do.
  • Perform View Local Mode Client upgrade – Upgrading the View Client with Local Mode option is more or less the same as upgrading the regular View Client with a couple of exceptions. Firstly, you need to ensure the user has checked in their desktop before upgrading the client. If the end user has a View Client version 4.6.0 or earlier, they must check in their desktop first, remove the old client and then install the 5.2 client fresh once the back end desktop infrastructure has been upgraded.

 

23-07-14

VCAP-DTA Objective 6.3 – Analyze PCoIP Metrics for Performance Optimization

Skills and abilities being tested :-

  • Interpret PCoIP WMI counters – When you install the View Agent on a virtual desktop, additional WMI (Windows Management Interface) counters are added to the Windows virtual desktop. Amongst other things, it allows you to add in statistics for PCoIP performance which can come in very handy when troubleshooting performance issues. To do this, go to the virtual desktop and go Start | Run | perfmon.exe and once Performance Monitor starts, click on the green plus button and add in your required counters. You can choose from the following areas:-
    • PCoIP Session Audio Statistics
    • PCoIP Session General Statistics
    • PCoIP Session Imaging Statistics
    • PCoIP Session Network Statistics
    • PCoIP Session USB Statistics

   The key point here is not to add all the counters and get blinded by lines shooting around all over the place, and remember that the PCoIP server needs to be active in order to generate statistics. That means if you       connect to a virtual desktop via RDP, you will see counters all flatlined and wonder what all the fuss is about! The View Integration Guide has some really good guidance on how to interpret the metrics here and worth a read to help make sense of the perfmon statistics. This is worth a read to get the equations on how to calculate bandwidth used for audio and video etc. If you are having performance issues, it may be that you have set an aggressive group policy that throttles bandwidth too low and the connection is maxing out it’s assigned bandwidth. Remember you do have the View PDFs to hand in the exam, so you can open the Integration guide and go straight to this section to save you from having to remember how to compute bandwidth values.

  • Interpret PCoIP log files – PCoIP log files are stored under %PROGRAMDATA%\VMware\VDM\logs and Simon Long has an excellent blog post on how to interpret PCoIP log files, so take a look at that before the exam. It mainly discusses the PCoIP Log Viewer, which to the best of my knowledge you won’t have access to in the exam but all of the relevant metrics to look out for are there in the text. The Log Viewer just puts it in a more friendly format. That being said, if you have a look at Andre Leibovici’s guide, for the sake of the exam it’s worth remembering key words or phrases and then searching the log files for those key words. Remember, time in the exam is a luxury you don’t have! Look out for the following:-
    • Registry setting parameter pcoip.max_link_rate 
    • Loss= (signifies packet loss on the network)
    • Plateau (maximum bandwidth used by PCoIP)

    Andre has another article on key word searches in log files here, well worth a read.

22-07-14

VCAP-DTA Objective 6.2 – Configure Group Policies for PCoIP and RDP

  • Identify and resolve group policy conflicts – One of the great things about group policies is that there are so many settings you can configure and lock down that sooner or later you’ll end up doing something that means different group policies treading on each other’s toes. There are a couple of ways to check group policy inheritance:-
    • gpresult.exe – a command line tool that can be used to generate a RSoP report (Resultant Set of Policies). This is a quick way of looking at what’s been applied, what has been filtered and which AD groups a user is a member of, which can help troubleshooting. The command syntax for a RSoP style report is gpresult.exe /r and you’ll get something similar to below:-

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 22/07/2014 at 20:34:43
RSOP data for BECKETT\Administrator on DC01 : Logging Mode
———————————————————–

OS Configuration: Primary Domain Controller
OS Version: 6.1.7600
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\Administrator
Connected over a slow link?: No
COMPUTER SETTINGS
——————
CN=DC01,OU=Domain Controllers,DC=beckett,DC=local
Last time Group Policy was applied: 22/07/2014 at 20:34:10
Group Policy was applied from: DC01.beckett.local
Group Policy slow link threshold: 500 kbps
Domain Name: BECKETT
Domain Type: Windows 2000

Applied Group Policy Objects
—————————–
Default Domain Controllers Policy
Default Domain Policy
ThinPrint

The following GPOs were not applied because they were filtered out
——————————————————————-
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups
——————————————————-
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
DC01$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Denied RODC Password Replication Group
System Mandatory Level

USER SETTINGS
————–
CN=Administrator,CN=Users,DC=beckett,DC=local
Last time Group Policy was applied: 22/07/2014 at 20:33:40
Group Policy was applied from: DC01.beckett.local
Group Policy slow link threshold: 500 kbps
Domain Name: BECKETT
Domain Type: Windows 2000

Applied Group Policy Objects
—————————–
N/A

The following GPOs were not applied because they were filtered out
——————————————————————-
Default Domain Policy
Filtering: Not Applied (Empty)

ThinPrint
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
—————————————————
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Group Policy Creator Owners
Domain Admins
Schema Admins
Enterprise Admins
Denied RODC Password Replication Group
High Mandatory Level

  • RSoP (Resultant Set of Policies) is basically a graphical representation of what you see above, which is actually quite helpful when you have a specific issue you want to troubleshoot. To run the report, go to Start | Run | rsop.msc and after the report has been generated, you kind of get a read only group policy view with details of policy settings.

rsop

 

  • Group Policy Management - One other thing to check is the Group Policy Management MMC tool. This can be accessed by going to Administrative Tools | Group Policy Management. Once within this tool, select a particular OU that you want to troubleshoot and click the Group Policy Inheritence tab. This displays which GPOs are in place and what their priorities are.

gpo

 

  • Implement PCoIP and RDP Group Policy templates – As discussed in a previous article, PCoIP can be managed by importing the pcoip.adm policy template from the C:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles folder into the Group Policy Management  MMC view.
    • RDP can be managed via Group Policy from Group Policy Management under  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services. From here, configure which settings you want to enable or disable etc, as shown below:-

RDP-GPO

 

 

21-07-14

VCAP-DTA Section 6 – Configure and Optimize View Display Protocols

Section 5 and dealing with ThinApp is now behind us, and now we turn to the networking stack. As you may know if you’ve done a bit of light reading, PCoIP is the protocol of choice for connecting to virtual desktops hosted by View. It’s a protocol proprietary to Teradici, so it’s not strictly an “in house” technology to VMware, but it has been in View for many years (since View 4, I think), so it’s a very mature and robust protocol.

One of the cool things about PCoIP is that it can do a level of auto tuning when there is congestion on the network. The VCAP-DTA blueprint has three sections for troubleshooting and configuration of PCoIP with just a couple of skills and abilities being measured per objective.

Objective 6.1 – Configure PCoIP and RDP for Varying Network Conditions

  • Determine appropriate configuration parameters based on network performance - It’s typical that on a slow link you will want to tune PCoIP to be a little less aggressive with the bandwidth it uses. This can be done by using the PCoIP group policy template pcoip.adm which comes with the Connection Server in C:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles folder. Import this template into your Group Policy Management MMC view and you are then able to configure PCoIP settings.
  • Configure QoS and CoS settings for PCoIP

pcoipadm

Once imported, go to Computer Configuration | Administrative Templates | Classic Administrative Templates | PCoIP Session Variables to configure PCoIP settings.

pcoipvariables

Typically, you will need to alter the following values to reduce bandwidth on a slow link :-

      • Turn off Build-To-Lossless feature – Enabled
      • Configure the maximum PCoIP session bandwidth - 10% less than WAN link speed 
      • Configure PCoIP image quality levels -
        • Minimum Image Quality default is 50 and can be from 30-100, reduce this value to reduce bandwidth at the expense of user graphics experience
        • Maximum Initial Image Quality default is 90 and can be from 30-100. Reduce this value to reduce the initial screen “burst” as it is drawn.
        • Maxium Frame Rate  default is 30, this can be between 1-120 but if you reduce the value you reduce bandwidth but increase video jitter.
        • PCoIP session bandwidth floor by default is 0 (unset) but this value tells PCoIP the least amount of bandwidth it can expect for an end user and reserves this amount of bandwidth
        • Client image cache size policy is useful when the View Client end has some local storage it can cache to. For example, thin clients and regular PCs (tablets too, I guess) can cache regularly used images to help improve performance. This setting is probably useless on a zero client because it has no local storage, so watch out you don’t get a curveball there on the exam!

04-07-14

VCAP-DTA – Objective 5.3 – Compile and Deliver Full or Streaming Applications

So now the prep work has been done to get Active Directory ready for ThinApps, the next thing to do is to actually roll some! The recommendation is to have a clean vanilla install of the platform you want to virtualise on (so a clean Windows 7 machine for an app to be deployed to Windows 7). I’ve heard people say to virtualise on XP and then you can have an app on the lowest common denominator, but for the exam that’s a level of detail we’re not concerned with.

  • Build and modify a ThinApp project – The first task is to roll an application using the ThinApp packager by running the Setup Capture wizard either remotely or from a locally installed copy. This is a five step process which basically involves Prescan, Installation, Postscan, Configure and Build. It’s all wizard driven as per below :-

setup-capture

In the interests of time in the exam, I’m guessing you’ll be asked to package something reasonably cheesy and small, such as 7-Zip. Run the pre-scan task to get a “before” configuration snapshot. This doesn’t usually take longer than a couple of minutes. Once it’s done, you’ll be asked to run the installer, do this now. Always worth making sure you run the installer as an Administrator, that can sometimes cause odd things to happen to applications (and may well turn up in the exam). Once the install has completed, hit the postscan button to perform the “after” snapshot of the local filesystem and registry. You may get a warning to ensure the application has completely installed, so just double check this before you continue.

install

 

Once the post scan is complete, you’ll be asked to choose an entry point. This is basically the application executable. The wizard is usually pretty good at getting this right, but double check anyway. If you install a suite of products (say Office), you’ll need to add an entry point for each application such as Word, Excel, etc.

The next step chooses whether or not to manage the application via Horizon or if you’re updating an existing package. Choose as appropriate. The next step is to select which AD groups (if any) have access to the application. My guess is in the exam, you’ll be asked to restrict this app to a particular group and then test it.

groups

Next step is the application isolation mode. This is the kind of thing vendors love to test on exams. The default is merged isolation mode and allows the application access to read and write outside of the ThinApp sandbox. If I could dream up a test scenario for this, it would be that a virtualised app is playing up because it’s in WriteCopy isolation mode. This mode intercepts writes and stores them in the sandbox.  The use case for this is a highly locked down environment where you don’t want users writing to the local filesystem into system folders etc. The dialog is shown below:-

isolation-mode

 

The next choice is the sandbox location. This is typically left as the default of the user’s profile. This basically allows the user to roam and still have access to the application sandbox. There may be cases where a USB stick is appropriate, and it may be there is a scenario on the exam where you need to alter this from USB to Profile to fix a fault.

sandbox

Click Next and you’ll be asked if you want to send feedback to VMware. I highly doubt your exam score will have any bearing on what you choose here, but just in case it’s specified in the scenario… Then give the application an inventory name (AKA folder name in the Captures directory) and a path to store project files. If you’re running the Setup Capture from a network share, chances are this will be pre-filled for you, as below:-

project

Select the primary data container (which is the application you wish to run) and whether or not you want to build the ThinApp as an MSI and whether or not to add compression, as per below. Click Save when you’re done:-

pdc

You’re now at the final step before the build process kicks off. You still have the opportunity at this stage to edit the package.ini file with any last minute adjustments you need before you start. There is still time at this stage too to go back in the wizard if you forgot to check the MSI build option in the previous screen. If all is well at this point, hit the Build button as shown below:-

build

 

  • Configure MSI Streaming - This is a pretty easy task. Once you have a built ThinApp, open the package.ini file in the directory and open with Notepad or some other text editor. Find the section entitled [BuildOptions] (hint – it should be near the top!) and find the line that says MSIStreaming=0. Change this to MSIStreaming=1 and most important of all, don’t forget to rebuild the ThinApp with the new setting! To do this, run the build.bat file in the ThinApp package directory (i.e. the one with your ThinApped application files in). When the rebuild completes, copy the bin folder contents over to your ThinApp repo you previously defined.

msistreaming

 

You will also then need to add the application into the ThinApp dialog in View Administrator. Go to Inventory | ThinApps | Scan New ThinApps.. | Select the ThinApp repo | Select the folder to scan for new ThinApp(s) | Next | Select any detected applications you want to add | Click Scan | Click Finish.

  • Deploy ThinApp applications to desktop pools - Once you have one or more ThinApps created and then added to View Administrator, you need to configure usage. In the case of desktop pools, this is easy to do. From View Administrator, choose Inventory | ThinApps | Pick your ThinApp from the list | click on the Add Assignment spin button | select Assign Pools | select the required pool(s) in the dialog and click Add | if the ThinApp has been set for streaming, choose the Installation Type radio button for either Streaming or Full.
  • Configure ThinApp entitlement using View Administrator - To be honest, I don’t understand this objective. You can assign ThinApps by pool or by specific desktop, and that is the limit of what View Administrator can do. It may be that this objective is dealing with desktop specific assignment, if so, simply repeat the steps above but choose individual desktops instead of pools.

 

02-06-14

VMUG North West England meeting – 18th June

 

Logo

 

That time is upon us again and the next NW England VMUG meeting will be taking place as usual in the Crowne Plaza Hotel in Manchester on Wednesday 18th June. The agenda at time of writing is listed below :-

Morning Design Workshop – Darren Woollard, Xtravirt
Lunch
PernixData Presentation: Re-Think Storage Performance – James Smith
Community Presentation: Home Lab Storage and Lessons Learnt – James Kilby
Calyx MS Presentation: Hybrid Cloud and Calyx Silver Lining
Community Presentation: VMware Certification – Chris Beckett
vNews – Ashley Davies
Raffle and vBeers at Tiger Tiger Printworks

You may notice yours truly at the bottom of the agenda. It will be my VMUG debut as a presenter and my session will basically cover the VMware certification tracks, mainly focussing on the VCAP exam formats. My hope is that I can demystify it a little bit and offer some words of guidance on the best way to prepare for them as I’ve passed three of them now.

To register, please visit the VMUG group page. Looking forward to seeing you there!

 

16-04-13

VMware related offers of the week – be quick! Just another quick post to bring to your attention a couple of offers that might be of use to fellow virtualisation professionals. Firstly, the new book from Chris Wahl and Steve Pantol “Networking for VMware Administrators” is currently 50% off cover price at Pearson IT Certification. I haven’t read the book as yet, but you can read reviews from my friends Ather Beg and Seb Hakiel to see what it covers. Quite apart from anything else, it fills a notable gap in the market and should be a useful addition to anyone’s library. This offer expires this Sunday, 20th April. ShowCover The other deal is for VMUG Advantage membership. If you are already a “free” VMUG member, you can upgrade to VMUG Advantage status with a 20% discount when you use the code ADVSALE at the checkout. This offer expires a little sooner, at 12pm Central Time tomorrow. Don’t ask me what that is in “real money”, aka GMT ;-) nvvyrqmf As Maury Finkle would say – “Do it!”

03-04-14

vExpert 2014 Announcement

 

VMware-vExpert-2014-400x57

 

So Tuesday saw the announcement of the 2014 list of vExperts and I’m delighted to say that I made the cut this year (after checking of course it wasn’t an April Fool!). Actually, it’s the first time I’ve applied and looking down the list, it’s a “who’s who” of vRockstars from around the globe, including around a dozen or so of my ex-colleagues at Xtravirt  who continue to add a lot of value to the community.

A big thanks of course go to the team who make vExpert possible, getting through 700+ applications in a month can’t have been all that easy! Thanks too to Jason Gaudreau, our TAM at VMware, who suggested I should go for it in the first place. When I look back at the last year, I’ve done a lot – 3 VCAPs, a load of blog content, study guides, plus the work I’ve done with VMware PSO and the account management team since I’ve been at MMC.

You’d think that I might sit back now and rest on my laurels, but if anything, it’s actually making me want to do more. I’ve already offered to present at our local VMUG, I’m blogging as often as I can and there will be more VCAPs this year I’m sure, as I start on the vCloud path once I’ve got NetApp, VCAP-DTA and Hyper-V out of the way!

Looking forward now to getting started and continuing to spread the gospel of virtualisation. Congratulations to all 2014 vExperts both new and returning and thanks for making the community awesome!

 

02-04-14

VCAP-DTA – Objective 5.2 – Deploy ThinApp Applications using Active Directory

Once we have a repository configured for our ThinApps, we next continue the groundwork by preparing Active Directory. We can then harness Active Directory groups to control access to the ThinApps.

  • Create an Active Directory OU for ThinApp packages or groups – From your domain server, go to Administrative Tools and select Active Directory Users and Groups. From wherever in the hierarchy the exam asks you to, right click and select New, Organizational Unit. Give the OU a name and click OK.
  • Add users to individual ThinApp package OU or groups – Again not really a View skill as such, just some basic AD administration. Now you created your OU(s) as above, to create a user right click on the ThinApp OU, click New, User, fill out the appropriate details, click Next, enter password information and click Next and Finish. To add a group, right click on the appropriate OU, click New, Group, give the group a name and select the type and click OK. To add users to an existing group, double click the group, click Members, Add and enter the user names and click Check Names. Click OK twice.
  • Leverage AD GPOs for individual ThinApp MSIs – Group Policy can be used to publish an existing ThinApp MSI without the need for a repository, or in parallel. To configure this, go to Administrative Tools, Group Policy Management. Right click the OU in which you would like to create the GPO. Select Create a GPO in this domain, and link it here (for a new GPO, or select Link an existing GPO if asked).Name the GPO and click OK. Once the GPO is created, right click on it and select Edit. In either Computer Configuration or User Configuration select Policies and then Software Settings. Right click on Software Installation and select New, Package. Browse to the network location of the MSI and select the MSI and then Open. Accept the defaults to Assign the package to a user or computer or click Advanced for further settings. Click OK. If you select Advanced, use the tabs across the top to make changes as appropriate and click OK. You may need to run gpupdate.exe to refresh Group Policy.
  • Create and maintain a ThinApp login script – The ThinReg utility can be used in an existing login script to deploy ThinApps to users. For example, in the NETLOGON share, you can add a line or lines into the logon script to invoke thinreg.exe. In it’s simplest form, just add the line thinreg.exe \\server\share\application.exe /Q. The /Q switch just runs the command silently. It may well crop up as a specific requirement on the exam.