Administrator’s Manual
VMware, Inc. 3145 Porter Drive Palo Alto, CA 94304 www.vmware.com Please note that you will always find the most up-to-date technical documentation on our Web site at http://www.vmware.com/support/. The VMware Web site also provides the latest product updates. Copyright © 1998-2006 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156 and 6,795,966; patents pending.
CHAPTER 1 Introduction and System Requirements

Welcome to VMware ACE.
VMware ACE Administrator’s Manual

About VMware ACE
VMware ACE is an enterprise solution for IT desktop managers who want to rapidly provision standardized and secure PC environments throughout the extended enterprise. VMware ACE installs easily, improving the manageability, security and cost-effectiveness of any industry-standard PC.
specific images for PCs. Ensure compliance with IT policies while maintaining end user freedom.

Key Features of VMware ACE
Manageability
• Design once, deploy anywhere. Create standardized hardware-independent PC environments and deploy them to any PC throughout the extended enterprise.
• Virtual Rights Management interface. Control VMware ACE lifecycle, security settings, network settings, system configuration and user interface capabilities.
Host System Requirements for VMware ACE Manager
What do you need to get the most out of VMware ACE Manager? Take the following list of requirements as a starting point. Remember that the virtual machines running under VMware ACE Manager are like physical computers in many ways — and, like physical computers, they generally perform better if they have faster processors and more memory.
space needs are approximately the same as those for installing and running the guest operating system and applications on a physical computer
• Additional disk space for building packages; temporary files require about as much space as those of the virtual machine included in the package
• IDE or SCSI hard drives, CD-ROM and DVD-ROM drives supported

Local Area Networking (Optional)
• Any Ethernet controller supported by the host operating system
• Non-Et
Host System Requirements for End Users
What systems do your end users need to get the most out of VMware ACE? Take the following list of requirements as a starting point. Remember that the virtual machines running under VMware ACE are like physical computers in many ways — and, like physical computers, they generally perform better if they have faster processors and more memory.
• IDE or SCSI hard drives, CD-ROM and DVD-ROM drives supported

Local Area Networking (Optional)
• Any Ethernet controller supported by the host operating system
• Non-Ethernet networks supported using built-in network address translation (NAT)

Windows Host Operating Systems
• Windows Server 2003 Web Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition
• Windows XP Professional and Windows XP Home Edition with Service Pack
Virtual Machine Specifications
Each virtual machine created with VMware ACE Manager provides a platform that includes the following devices that your guest operating system can see.

Processor
• Same processor as that on host computer
Note: A 64-bit processor runs in 32-bit legacy mode inside the virtual machine.
Serial (COM) Ports
• Up to four serial (COM) ports
• Output to serial ports, Windows or Linux files, or named pipes

Parallel (LPT) Ports
• Up to two bidirectional parallel (LPT) ports
• Output to parallel ports or host operating system files

USB ports
• Two-port USB 1.
Supported Guest Operating Systems
The operating systems listed here have been tested in VMware ACE virtual machines and are officially supported. For notes on installing the most common guest operating systems, see the VMware Guest Operating System Installation Guide, available from the VMware Web site or from the Help menu. Operating systems that are not listed are not supported for use in a VMware ACE virtual machine.
• SLES 7, 7 patch 2, 8
• Turbolinux Server 7.0, Enterprise Server 8, Workstation 8

Novell NetWare
• NetWare 5.1, 6, 6.5

FreeBSD
• FreeBSD 4.0–4.6.2, 4.8, 5.0
Note: If you use SCSI virtual disks larger than 2GB with FreeBSD 4.0–4.3, there are known problems, and the guest operating system does not boot. To work around this issue, see the VMware Guest Operating System Installation Guide, available from the VMware Web site or from the Help menu.
Technical Support Resources

Documentation on the Web
Full documentation for VMware ACE, including the latest updates to this manual, can be found on the VMware Web site at www.vmware.com/support/.

VMware Knowledge Base
You can find troubleshooting notes and tips for advanced users in the knowledge base on the VMware Web site at www.vmware.com/kb.
If you did not install the program in the default directory, use the appropriate drive letter and substitute the appropriate path in the cd command above.
3. Run the support script.
   cscript vm-support.vbs
4. After the script runs, it displays the name of the directory where it has stored its output. Use a file compression utility such as WinZip or PKZIP to zip that directory and include the zip file with your support request.
CHAPTER 2 Learning the Basics of VMware ACE Manager

The following sections provide an overview of how to use VMware ACE Manager to create and deploy virtual machines for your end users.
Setting Up Your Administrative Workstation
As an administrator, you need to install the VMware ACE Manager software on your workstation, referred to in this manual as your host computer. You can then run the VMware ACE Manager, your tool for creating and managing the virtual machines you distribute to your end users. For details on how to install the VMware ACE Manager software, see Installing and Configuring VMware ACE Manager on page 29.
Virtual Machines. To change the default location, go to Edit > Preferences > Workspace. When you create a new virtual machine, you can specify a location for that virtual machine’s files that is different from the default.
• Package files — The package files created by VMware ACE Manager may be quite large. The default location for the package files is a folder named Package inside the project’s folder.
Creating Packages to Distribute to Users
Using the VMware ACE Manager, you create projects that include
• One or more virtual machines
• An application to run the virtual machines
• A set of policies to control the capabilities of the virtual machines
You then create packages, based on the projects, to distribute to your users.
4. Install guest operating systems, VMware Tools and other software in the virtual machines. For information on installing VMware Tools, see Installing an Operating System and Applications in the Virtual Machine on page 112. For notes on installing particular guest operating systems, see the VMware Guest Operating System Installation Guide, available from the VMware Web site or from the Help menu.
5. Create packages to deploy to your users.
For information on these topics, see Deploying and Maintaining Packages on page 137.

Troubleshooting Users’ Problems
Your users may need help with lost passwords, expired virtual machines or copy-protected virtual machines that they have moved to a different location. You can use the hot fix feature to respond to these problems. For information on using the hot fix feature, see Hot Fix Policy on page 74 and Responding to Hot Fix Requests on page 150.
CHAPTER 3 Installing and Configuring VMware ACE Manager

The following sections guide you through installing VMware ACE Manager on your administrative workstation:
• Installing VMware ACE Manager on page 30
• Installing on a Computer with a Different VMware Product on page 30
• Installation Steps on page 30
• Installing VMware ACE Manager Silently on page 33
• Uninstalling VMware ACE Manager on page 35
• Setting Preferences for VMware ACE Manager
• Using Shared Folders in VMware ACE Manager on page 40
Installing VMware ACE Manager
Before you begin installing VMware ACE Manager, be sure you have
• A computer and host operating system that meet the system requirements for running VMware ACE Manager. See Host System Requirements for VMware ACE Manager on page 12.
• The VMware ACE Manager installation software. If you bought the packaged distribution of VMware ACE Manager, the installation software is on the CD in your package.
the installer. (The filename is similar to VMware-ACE-.exe, where is a series of numbers representing the version and build numbers.)
3. The Welcome dialog box appears. Click Next.
4. Acknowledge the end user license agreement (EULA). Select the Yes, I accept the terms in the license agreement option, then click Next.
5. Choose the directory in which to install VMware ACE Manager.
drive. If the directory you specify does not exist, the installer creates it for you. Click Next.
Note: Windows and the Microsoft Installer limit the length of a path to a folder on a local drive to 255 characters. If the path to the VMware ACE Manager program folder exceeds this limit, an error message appears. You must select or enter a shorter path.
6. Select which shortcuts you want the installer to create.
7.
9. If you wish, enter your name, company name and serial number, then click Next. The serial number is on the registration card in your package. The user and company information you enter here is then made available in the About box (Help > About VMware ACE Manager). If you skip this step, you are prompted to enter your serial number the first time you run VMware ACE Manager.
10. Click Finish. The VMware ACE Manager software is installed.
11.
is the full path to the folder where you want to store the administrative installation image.
2. Run a silent installation using msiexec and the administrative installation image you extracted in the previous step:
   msiexec -i "\VMware ACE.msi" [INSTALLDIR=""] ADDLOCAL=ALL [REMOVE=] /qn
Enter the command on one line.
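A scripted form of the silent installation in step 2, as an added example that is not part of the VMware manual or VMware's own tooling. The function name, its parameters and the log location are hypothetical, and the signature check assumes the extracted MSI is Authenticode-signed; the MSI name, the INSTALLDIR, ADDLOCAL and SERIALNUMBER properties and the /qn switch are the ones the manual gives.

```powershell
# Added example (hypothetical function and parameter names).
# Wraps the manual's msiexec command with a file check, a signature
# check, verbose logging and exit-code handling.
function Install-AceManagerSilently {
    [CmdletBinding()]
    param(
        # Folder that holds the administrative installation image
        [Parameter(Mandatory)] [string] $ImageDir,
        # Optional install directory (INSTALLDIR property)
        [string] $InstallDir,
        # Optional serial number (SERIALNUMBER property)
        [string] $SerialNumber,
        [string] $LogPath = (Join-Path $env:TEMP 'vmware-ace-install.log'),
        # Assumption: the image is signed; use this switch if it is not
        [switch] $SkipSignatureCheck
    )

    $msi = Join-Path $ImageDir 'VMware ACE.msi'
    if (-not (Test-Path -LiteralPath $msi -PathType Leaf)) {
        throw "Installer not found: $msi"
    }

    # Refuse to run an image whose signature does not validate, so a
    # tampered copy on a file share is not installed with /qn unnoticed.
    if (-not $SkipSignatureCheck) {
        $sig = Get-AuthenticodeSignature -FilePath $msi
        if ($sig.Status -ne 'Valid') {
            throw "Signature check failed for $msi (status: $($sig.Status))"
        }
    }

    # Start-Process joins the array with spaces and does not add quotes,
    # so paths that contain spaces are quoted explicitly.
    $msiArgs = @('-i', "`"$msi`"", 'ADDLOCAL=ALL', '/qn', '/l*v', "`"$LogPath`"")
    if ($InstallDir) {
        # A trailing backslash before the closing quote breaks parsing
        $msiArgs += "INSTALLDIR=`"$($InstallDir.TrimEnd('\'))`""
    }
    if ($SerialNumber) {
        # Property values, this one included, are written to the verbose
        # log, so keep the log readable by administrators only.
        $msiArgs += "SERIALNUMBER=`"$SerialNumber`""
    }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed; restart required' }
        default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
    }
}

# Usage with constructed sample paths:
# Install-AceManagerSilently -ImageDir 'D:\images\ace' -InstallDir 'C:\Program Files\VMware\VMware ACE'
```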
Property        Effect of the Property                    Default
SERIALNUMBER    Automatically enters the serial number

For information on installing a VMware ACE package silently on an end user’s computer, see Installing a Package Silently on page 139.

Uninstalling VMware ACE Manager
To uninstall VMware ACE Manager, use the Add/Remove Programs control panel. Select the entry for VMware ACE Manager, then click Remove. Follow the onscreen instructions.
Setting Preferences for VMware ACE Manager
The Preferences dialog box allows you to change a number of settings that apply to VMware ACE Manager itself, no matter what virtual machine you are running. The settings on the Workspace, Input and Hot Keys tabs apply to the user currently logged on to the host computer. They do not affect settings made by any other user on the computer.
Manager. A virtual machine is considered opened if both of the following conditions are true:
• The virtual machine was left open.
• The virtual machine was powered on and off, or powered on and suspended.
Use the Check for software updates drop-down list to determine how often VMware ACE Manager checks to see if new versions of the product are available.
Hot keys — The Hot Key tab lets you change the key combination that determines whether certain combinations of keys are passed to the guest operating system or intercepted by VMware ACE Manager.
Note: Because Ctrl-Alt is the key combination used to tell VMware ACE Manager to release (ungrab) mouse and keyboard input, combinations that include Ctrl-Alt are not passed to the guest operating system.
Process priorities — The Priority tab lets you determine the priority that the Windows process scheduler gives to your virtual machines when mouse and keyboard input are going to a particular virtual machine and when input is not going to that virtual machine. You can adjust these settings to improve overall system performance based on the relative priority of work you are doing in various virtual machines and on the host computer.
Using Shared Folders in VMware ACE Manager
With shared folders, you can easily share files among virtual machines and the host computer. To use shared folders, you must have the current version of VMware Tools installed in the guest operating system and you must use the virtual machine settings editor to specify which directories are to be shared.
In a Windows virtual machine, shared folders appear in My Network Places (Network Neighborhood in a Windows NT virtual machine) under VMware Shared Folders. For example, if you specify the name Test files for one of your shared folders, you can navigate to it by opening My Network Places > VMware Shared Folders > .host > Shared Folders > Test files. You can also go directly to the folder using the UNC path \\.host\Shared Folders\Test files.
• Expiration options for the shared folder. You can specify that the folder is always enabled or that it is enabled only during the current working session. If you select Disable after this session, the shared folder is disabled when you suspend or power off the virtual machine.
To change the settings for a shared folder on the list, click the folder’s name to highlight it, then click Properties. The Properties dialog box appears.
CHAPTER 4 Creating Projects

The following sections guide you through the steps needed to create a project and add virtual machines to the project:
• Creating a Project on page 44
• Checklist: Creating a Project on page 49
• Adding a Virtual Machine to a Project on page 51
• Adding an Existing Virtual Machine on page 51
• Adding a New Virtual Machine on page 53
• Checklist: Adding a Virtual Machine on page 63
Creating a Project
A project contains one or more virtual machines and an application used to run those virtual machines. A wizard guides you through the steps you must take to create a project. After you create the project, add one or more virtual machines to the project and set policies for the virtual machines and for the application.
company information you enter here is made available in the About box (Help > About VMware ACE Manager). Click the New Project icon to start the New Project Wizard.
2. Click Next to enter the wizard. The Name the Project panel appears. Enter a name for the project in the Project Name field. The name should be unique and should make it easy for you to identify the project.
3. Click Next. The Ready to Complete panel appears. Select Open the Add Virtual Machine Wizard if you want to go directly to the Add Virtual Machine Wizard and add a virtual machine to the project. Deselect Open the Add Virtual Machine Wizard if you do not want to add a virtual machine to the project at this time. Click Finish to complete the New Project Wizard.

Making Project Settings
To specify general settings for the project, choose Project > Settings.
On the Policies Domain tab, you may choose an Active Directory domain to use for storing policies for the project.
On the Offline Policies tab, you may specify whether virtual machines in this project are allowed to cache policy settings.
On the Recovery Key tab, you may specify the public key to be used for access to encrypted virtual machines. If you specify password protection for a virtual machine and want to be able to reset the password for a deployed virtual machine, you must specify a recovery key before you create the package that includes the virtual machine. Select Use recovery key to configure a recovery key.
Checklist: Creating a Project
You may find it helpful to photocopy this checklist and use it to collect the information you should have available when you create a new project.
that protects the new private key. You need the password that protects the private key in order to reset an end user’s password.
_______________________________________________________________
Adding a Virtual Machine to a Project
In VMware ACE Manager, you create a project first, then create a virtual machine within the project. You cannot create a new virtual machine outside the context of a project. Once a virtual machine exists, you may add it to as many projects as you wish. You may also add virtual machines created with certain other VMware products.
1. Click Next to enter the wizard. The Add New or Existing Virtual Machine panel appears. Select Existing virtual machines and click Next.
2. The Select Virtual Machines panel appears. Click Browse and navigate to the configuration (.vmx) file for the virtual machine you want to add to the project. You may add one or more virtual machines to the project.
• Nondefault working directory; the default is no directory specified, which means the virtual machine directory is used as the working directory
• Locked snapshot present
If the wizard warns you about any of these settings, you must open the virtual machine in the application used to create it and make the appropriate changes. You may then add the virtual machine to the project.
3. The Ready to Complete panel appears.
Select A new virtual machine and click Next.
2. The New Virtual Machine Wizard starts. Click Next to create a new virtual machine with the wizard. Select the method you want to use for configuring your virtual machine.
3. Select a guest operating system. This panel asks which operating system you plan to install in the virtual machine. Select both an operating system and a version. The Add Virtual Machine Wizard uses this information to select appropriate default values, such as the amount of memory needed. The wizard also uses this information when it names associated virtual machine files.
Each virtual machine should have its own folder. All associated files, such as the configuration file and the disk file, are placed in this folder. The default folder for this Windows XP Professional virtual machine is C:\Documents and Settings\\My Documents\My Virtual Machines\Windows XP Professional.
5. If you selected Typical as your configuration path, skip to step 6.
6. Configure the networking capabilities of the virtual machine. If the package is to be installed on a host computer that is on a network and a separate IP address is available for the virtual machine (or it can get one automatically from a DHCP server), select Use bridged networking. This setting is most likely to be appropriate if the package is to be installed on a computer connected to an office network.
a BusLogic or an LSI Logic SCSI adapter. The default for your guest operating system is already selected. All guests except Windows Server 2003, Red Hat Enterprise Linux 3 and NetWare default to the BusLogic adapter. The LSI Logic adapter has improved performance and works better with generic SCSI devices. The choice of which SCSI adapter to use is separate from the choice to make the virtual disk an IDE or SCSI disk.
10. Select whether to create an IDE or SCSI disk. The wizard recommends the best choice based on the guest operating system you selected. All Linux distributions you can select in the wizard use SCSI virtual disks by default, as do Windows NT, Windows 2000, Windows Server 2003 and Longhorn.
You may also specify whether you want the virtual disk created as one large file or split into a set of 2GB files. You should split your virtual disk if it may be stored on a FAT32 file system.
Note: Because the Microsoft installer cannot install files larger than about 4.3GB, you should also split the virtual disk if the disk is larger than 4GB. You may wish to split the virtual disk even if it is smaller than 4GB.
12. If you selected Typical as your configuration path, click Finish and the wizard sets up the files needed for the virtual machine. If you selected Custom as your configuration path, continue with the next step, specifying the location of the virtual disk’s files. If you want to specify which device node should be used by your SCSI or IDE virtual disk, click Advanced. On the Specify Advanced Options panel, you can also specify a disk mode.
You have the following options for an independent disk:
• Persistent — changes are immediately and permanently written to the disk.
• Nonpersistent — changes to the disk are discarded when you power off the virtual machine.
When you have set the filename and location you want to use and have made any selections you want to make on the advanced settings panel, click Finish.
13. When you click Finish, the wizard sets up the files needed for your virtual machine.
14.
Checklist: Adding a Virtual Machine
You may find it helpful to photocopy this checklist and use it to collect the information you should have available when you add virtual machines to a project.

Do you plan to add an existing virtual machine or create a new one?
☐ Existing
What is the path to the configuration (.vmx) file for this virtual machine?
_______________________________________________________________
If you plan to add an existing virtual machine, stop here.
Do you need to run Sysprep in the virtual machine? If you plan to run Sysprep from a CD, be sure to have the CD available. If you plan to run Sysprep from the network, be sure to enable networking when you create the virtual machine and note the path to Sysprep below.
What’s the path to the location where you plan to store this virtual machine?
_______________________________________________________________
Be sure you have enough free space at that location to store the files. If you are following the custom path, you have an option at a later stage in the wizard to specify a separate location for the virtual disk files.
Custom path only: What kind of disk do you want to use in the virtual machine?
☐ New virtual disk
This is the best selection in most cases.
☐ Existing virtual disk
If you want to reuse an existing virtual disk, select this option. You may want to select this option if you are creating a virtual machine with the same operating system and applications as one you created before but you want to apply different policies.
By default, the virtual disk files are stored in the same directory as the virtual machine’s other files — for example, the configuration file. If you plan to store the virtual disk files in a different location, note the path below.
_______________________________________________________________
Custom path only: Do you need to specify a particular IDE or SCSI device node to be used by the virtual disk? In most cases, you should accept the default.
CHAPTER 5 Setting Policies and Customizing VMware ACE

The following sections guide you through the steps to set policies for a project, prepare your virtual machine, customize the VMware ACE interface and run the virtual machine in the VMware ACE interface:
• Setting Policies for a Project on page 71
• Setting Policies for VMware ACE on page 74
• Setting Policies for Virtual Machines on page 81
• Setting Authentication Policies on page 81
• Setting Expiration Policies on page 83
• Setting Copy Protection
• Installing an Operating System and Applications in the Virtual Machine on page 112
• Customizing the VMware ACE Interface on page 123
• Running the Completed Virtual Machine on page 129
• Checking the Configuration before Creating a Package on page 129
Setting Policies for a Project
Policies give you control over many aspects of the virtual machines you distribute to your end users. You can, for example
• Permit the virtual machine to be used only by certain users and groups defined in your Active Directory domains.
• Specify which network resources your users may access from the virtual machine.
If you attempt to make a policy setting that requires an Active Directory domain and you have not yet specified the domain, a dialog box notifies you that you need to set up the domain. Click Yes to open a second dialog box that allows you to specify the policies domain. If you click No, you can specify the domain at any time in the project settings editor (Project > Settings). Choose the appropriate domain name from the Policies domain drop-down list.
• None — No restrictions are imposed.
• Password — Users must log on with a password.
• Users and groups — Specified users or members of specified groups defined in your Active Directory service have permission to take the action.
Click Add to add a user or group to the list. To remove a name from the list, select the name of a user or group in the list, then click Remove.
Setting Policies for VMware ACE
To set policies for VMware ACE, click the + sign beside VMware ACE policies to show the categories of settings, then edit the settings as described below.

Hot Fix Policy
Select Hot fix to specify that users are allowed to request hot fixes for specific problems.
• Use email to submit hot fix request — The Hot Fix Request Wizard on the end user’s computer attempts to use a MAPI email client on the host operating system to send the hot fix request as an attachment to an email message. The message uses the email address and subject line that you specify here.
• Save the request to a file — The end user saves the script, then must submit it to an administrator manually.
computer. For more information, see Using Administrator Access on the End User’s Computer on page 152.

Troubleshooting Policies
Select Troubleshooting to specify which items appear under Troubleshooting on the VMware ACE menu. Under Power commands, you may select Enable Reset and Power Off commands.
Easy Printer Setup Policies
Select Easy printer setup to specify whether to give end users access to a command that simplifies printer setup for a Windows virtual machine. Select Enable Add Printer command to provide an Add Printer item on the VMware ACE menu. End users can use this menu item to set up a printer available on the host for use in the virtual machine. Easy printer setup relies on network printer sharing.
VMware ACE Window Policies
Select VMware ACE Window to specify the appearance of VMware ACE on the end user’s computer. Under VMware ACE Window, you may select Always run maximized. If you select this policy, VMware ACE fills the full screen when it starts, hiding the host operating system. You may find this useful, for example, to avoid user confusion about the differences between the two environments.
User Preferences Policies
Select Preferences to specify what settings are available to end users in the VMware ACE Preferences dialog box (VMware ACE > Preferences). You may select Allow users to modify the exit behavior of the application. If you do, the exit behavior settings are available in the Preferences dialog box, as shown below.
user runs the virtual machine, it resumes operation from the point at which it was suspended.
• Power off the virtual machine when exiting — VMware ACE powers off the virtual machine. The next time the end user launches VMware ACE, the virtual machine starts from a powered off state and the guest operating system boots.
Setting Policies for Virtual Machines

In the policy editor, you can edit policies for each virtual machine in the project. To set policies for an individual virtual machine in your project, click the + sign beside the name of the virtual machine.
You must specify an authentication method if you want the installer to encrypt the virtual machines. If you select Encrypt data and configuration files when this virtual machine is installed, you cannot select None as the authentication method. If you encrypt the virtual machine, its configuration files are automatically protected against viewing and tampering.
If you attempt to make a policy setting that requires an Active Directory domain and you have not yet specified the domain, a dialog box notifies you that you need to set up the domain. Click Yes to open a second dialog box that allows you to specify the policies domain. If you click No, you can specify the domain at any time in the project settings editor (Project > Settings).
• Never — The virtual machine does not expire.
• After x days from installation — The virtual machine runs for the specified number of days after the package is installed, then cannot be used.
• On this date — The virtual machine runs until and on the specified date. It cannot be used after the specified date.

If the virtual machine is set to expire, you may also specify a script used to renew the virtual machine.
Setting Device Connection Policies

Click the + sign to open the Device connection folder, then select a device to specify who is allowed to connect and disconnect that device. The list for a specific virtual machine shows only the devices actually configured for that virtual machine. To add devices, use the virtual machine settings editor (VM > Settings).
• Require that users have up-to-date virtual machines in order to access network resources.
• Temporarily block virtual machine access to network resources to control a virus outbreak.

For more information, see Network Quarantine Policies on page 230.

Select Network quarantine to control whether the virtual machine has normal network access or restricted access on the basis of rules you specify.
When you click Initial Setup, the Network Quarantine Options panel appears. Select the type of network quarantine you want to apply to the virtual machine, then click Next to continue through the wizard.
• Static quarantine — You specify a single list of approved networks and machines or of networks and machines that are off-limits. The list is stored with the virtual machine and distributed as part of the package.
For guidelines on how to write custom quarantine scripts, see Writing Plug-In Policy Scripts on page 244.

Static Quarantine

1. The Access panel appears. Select the way you want to specify network access.
• Allow access to selected networks and machines — Specify a whitelist of networks and machines with which the virtual machine may communicate.
To specify a subnet, enter the starting IP address for the subnet, select Subnet mask and enter the mask in the corresponding field in dotted quad format. When the list is complete, click Next.
3. If you specified networks and machines that are allowed, the Network Traffic panel appears. If you specified networks and machines that are denied, skip to the next step.
4. The Summary panel appears. This panel displays a summary of the settings you have made using the wizard. Review the settings to be sure they are correct. To modify settings, click Back until you reach the appropriate panel to make the needed change. If all settings are correct, click Finish. The wizard closes and returns you to the policy editor.

Dynamic Quarantine

1. The Policy Lookup panel appears.
dialog box that gives you the option of setting the domain at this time. Click Yes to open the Policies Domain dialog box.
• Web server — Select this option if you plan to store the network quarantine list on a Web server. Enter the URL of the file where you plan to store the list. Be sure to include the filename in the URL. The wizard creates this file for you at the end of the process.
3. The Networks and Machines panel appears. Enter the IP address or the fully qualified host name for each network or machine that should be on the whitelist or blacklist, then click Add. If you enter a host name, the wizard resolves the name and displays both the host name and the IP address in the list. To specify a single machine, you may also enter its IP address.
• Printer access — Select this option to be sure a Windows virtual machine can use local and network printers available on the host. Be sure to select this option if you configure the virtual machine to allow easy printer setup. Easy printer setup uses network sharing to connect the virtual machine to a printer configured on the host computer.
6. The Summary panel appears. This panel displays a summary of the settings you have made using the wizard. Review the settings to be sure they are correct. To modify settings, go to the appropriate panel to make the needed change. To continue to the Deploy Policy panel, click Next. To set the policy without deploying it, click Finish.
7. If you selected Web server, the Deploy Policy panel that appears looks like this.
If you selected Active Directory, the Deploy Policy panel that appears looks like this. Select Deploy the network quarantine policy to your Active Directory server. When you click Finish, the wizard deploys the new policies, which take effect immediately.

Version-Based Quarantine

Network access restrictions are based on the virtual machine’s version number.
• Active Directory — Select this option if you plan to store the network quarantine policy on your Active Directory server. The wizard adds this information to your Active Directory server for you.
Note: In order to use the directory service option, you must choose an Active Directory domain in the project settings editor.
3. If you are specifying a whitelist or blacklist, the Networks and Machines panel appears. Enter the IP address or the fully qualified host name for each network or machine that should be on the whitelist or blacklist if this virtual machine qualifies for normal access, then click Add. If you enter a host name, the wizard resolves the name and displays both the host name and the IP address in the list.
that subnet. At this time, you are making these settings for the virtual machine if it qualifies for normal access.
• Printer access — Select this option to be sure a Windows virtual machine can use local and network printers available on the host. Be sure to select this option if you configure the virtual machine to allow easy printer setup. Easy printer setup uses network sharing to connect the virtual machine to a printer configured on the host computer.
6. The Networks and Machines panel appears again. Enter the IP address or the fully qualified host name for each network or machine that this virtual machine may access if it does not qualify for normal access, then click Add. If you enter a host name, the wizard resolves the name and displays both the host name and the IP address in the list. To specify a single machine, you may also enter its IP address.
that subnet. At this time, you are making these settings for the virtual machine if it does not qualify for normal access.
• Printer access — Select this option to be sure a Windows virtual machine can use local and network printers available on the host. Be sure to select this option if you configure the virtual machine to allow easy printer setup. Easy printer setup uses network sharing to connect the virtual machine to a printer configured on the host computer.
9. The Messages panel appears. You may enter a custom message that end users see when the virtual machine has restricted access. If you select Display message when update is available, enter the message you want end users to see when the virtual machine has normal access but a more recent version is available. Click Next to continue.
10. The Summary panel appears. This panel displays a summary of the settings you have made using the wizard.
11. If you selected Web server, the Deploy Policy panel that appears looks like this. Select Mark this policy as deployed and save it to a network quarantine policy file to capture your policy changes. You may type the path and filename for the policy file or click Browse to navigate to the location where you want to save the file. Be sure to copy the updated policy file to the URL shown in this panel.
1. The Custom Quarantine Script panel appears. Click Set to specify the plug-in script you want to use.
2. The Set Custom Script dialog box appears. Enter the path to the script file you want to use or click Browse to navigate to the file. The script should be in the Project Resources folder under the project folder for the current project. Make any necessary changes to the command line shown in the Command line field.
3. The Policy Lookup panel appears. Select the type of server you want to use to store the network quarantine policy. VMware ACE checks the list on this server to determine what network access is approved for the virtual machine.
• Active Directory — Select this option if you plan to store the network quarantine policy on your Active Directory server. The wizard adds this information to your Active Directory server for you.
4. The Normal Access panel appears. Select the way you want to specify network access.
• Full access — No restrictions are imposed.
• Allow access to selected networks and machines — Specify a whitelist of networks and machines with which the virtual machine may communicate.
• Deny access to selected networks and machines — Specify a blacklist of networks and machines with which the virtual machine is not allowed to communicate.
To specify a subnet, enter the starting IP address for the subnet, select Subnet mask and enter the mask in the corresponding field in dotted quad format. When the list is complete, click Next.
6. If you specified networks and machines that are allowed, the Network Traffic panel appears. If you specified networks and machines that are denied, skip to the next step.
7. The Restricted Access panel appears. Select the way you want to specify network access.
• Allow access to selected networks and machines — Specify a whitelist of networks and machines with which the virtual machine may communicate.
• Deny access to selected networks and machines — Specify a blacklist of networks and machines with which the virtual machine is not allowed to communicate.
• No access — Block all network access.
To specify a subnet, enter the starting IP address for the subnet, select Subnet mask and enter the mask in the corresponding field in dotted quad format. When the list is complete, click Next.
9. If you specified networks and machines that are allowed, the Network Traffic panel appears. If you specified networks and machines that are denied, skip to the next step.
10. The Messages panel appears. Enter the message you want end users to see when this virtual machine has restricted access. Click Next to continue.
11. The Summary panel appears. This panel displays a summary of the settings you have made using the wizard. Review the settings to be sure they are correct. To modify settings, go to the appropriate panel to make the needed change. To continue to the Deploy Policy panel, click Next.
12. If you selected Web server, the Deploy Policy panel that appears looks like this. Select Mark this policy as deployed and save it to a network quarantine policy file to capture your policy changes. You may type the path and filename for the policy file or click Browse to navigate to the location where you want to save the file. Be sure to copy the updated policy file to the URL shown in this panel.
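The access choices offered by the quarantine wizards (full access, whitelist, blacklist, no access, with separate settings for normal and restricted access) can be modelled to check a planned policy before it is deployed. This is an added example, not VMware ACE code and not its policy file format; the AccessPolicy class, the function names and the sample addresses are assumptions made for illustration.

```python
"""Model of the wizard's network-access choices (illustrative, not ACE code)."""
import ipaddress
from dataclasses import dataclass, field

MODES = {"full", "allow", "deny", "none"}


def list_entry(address, subnet_mask=None):
    """Build one list entry: a single machine, or a subnet given as a
    starting IP address plus a dotted quad mask.

    strict=True rejects a starting address that has host bits set
    (192.168.1.10 with 255.255.255.0), and ipaddress rejects a
    non-contiguous mask (255.0.255.0). Both raise ValueError.
    """
    if subnet_mask is None:
        return ipaddress.ip_network(address)  # single machine, /32
    return ipaddress.ip_network(f"{address}/{subnet_mask}", strict=True)


@dataclass
class AccessPolicy:
    mode: str                      # "full", "allow", "deny" or "none"
    entries: list = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown mode: {self.mode}")
        # An empty blacklist silently means full access and an empty
        # whitelist silently means no access; flag both as mistakes.
        if self.mode in ("allow", "deny") and not self.entries:
            raise ValueError(f"{self.mode} list is empty")

    def permits(self, destination):
        dest = ipaddress.ip_address(destination)
        listed = any(dest in net for net in self.entries)
        if self.mode == "full":
            return True
        if self.mode == "none":
            return False
        if self.mode == "allow":
            return listed          # whitelist: unlisted hosts are blocked
        return not listed          # blacklist: unlisted hosts are reachable


def effective_access(qualifies_for_normal, normal, restricted, destination):
    """Pick the normal or restricted policy, then evaluate the destination."""
    policy = normal if qualifies_for_normal else restricted
    return policy.permits(destination)


# Constructed sample policy: normal access blacklists one internal subnet,
# restricted access whitelists a single update server.
NORMAL = AccessPolicy("deny", [list_entry("10.20.0.0", "255.255.0.0")])
RESTRICTED = AccessPolicy("allow", [list_entry("192.0.2.15")])

if __name__ == "__main__":
    for ok in (True, False):
        for dest in ("10.20.3.4", "192.0.2.15", "198.51.100.7"):
            print(ok, dest, effective_access(ok, NORMAL, RESTRICTED, dest))
```

The run shows the practical difference between the two list types: a blacklist leaves every unlisted address reachable, while a whitelist blocks everything that was not entered.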
Configuring the Virtual Machines and Installing Software

To finish preparing your project, review the configuration of all virtual machines and be sure that the appropriate operating system and software are installed in each virtual machine.

Reviewing the Configuration of a Virtual Machine

Select a virtual machine in the project list. The display shows the virtual machine overview.
you plan to run this virtual machine have the physical devices needed to support those virtual devices — for example, CD-ROM drives, floppy disks, Ethernet adapters, USB controllers and audio devices.

Policies

The Policies list provides an overview of the policies set for this virtual machine. To change the policies for the virtual machine, click Edit virtual machine policies in the Commands list, then change the settings as needed.
1. Start VMware ACE.
2. Insert the installation CD-ROM or floppy disk for your guest operating system.
Note: In some host configurations, the virtual machine is not able to boot from the installation CD-ROM. You can work around that problem by creating an ISO image file from the installation CD-ROM. Use the Virtual Machine Control Panel to connect the virtual machine’s CD drive to the ISO image file, then power on the virtual machine.
3.
1. Power on the virtual machine.
2. When the guest operating system starts, prepare your virtual machine to install VMware Tools. Choose VM > Install VMware Tools. The remaining steps take place inside the virtual machine.
Note: You must log on to a Windows NT, Windows 2000, Windows XP, Windows Server 2003 or Longhorn guest operating system as an administrator in order to install VMware Tools.
The remaining steps take place inside the virtual machine.
3. You may install VMware Tools in text mode or from a terminal in an X window session.
4. As root (su -), mount the VMware Tools virtual CD-ROM image, change to a working directory (for example, /tmp), uncompress the installer, then unmount the CD-ROM image.
Starting VMware Tools Automatically in a Linux Guest Operating System

You may find it helpful to configure your guest operating system so VMware Tools starts when you start your X server. The steps for doing so vary depending on your Linux distribution and your desktop environment. Check your operating system documentation for the appropriate steps to take. For example, in a Red Hat Linux 7.1 guest using GNOME, follow these steps.
1.
   cd vmware-tools-distrib
   ./vmware-install.pl
6. Log off of the root account.
   exit
7. Start X and your graphical environment if they are not already running.
Note: If this is the first time you have installed VMware Tools in this virtual machine, you must restart X to activate graphics and mouse features in the VMware Tools package.
8. In an X terminal, launch the VMware Tools application in the background.
   LOAD CD9660.NSS
4. When the driver finishes loading, you can begin installing VMware Tools. In the system console, type
   vmwtools:\setup.ncf
When the installation finishes, the message VMware Tools for NetWare are now running appears in the Logger screen (NetWare 6.5 and NetWare 6.0 guests) or the Console screen (NetWare 5.1 guests).
5. Restart the guest operating system.
Under some circumstances, the virtual machine may synchronize time with the host even though this item is not selected. If you want to disable time synchronization completely, open the virtual machine's configuration file (.vmx) in a text editor and set the following options to FALSE.
   tools.syncTime
   tools.synchronize.restore
   time.synchronize.resume.disk
   time.synchronize.continue
   time.synchronize.
The Shared Folders tab provides information on where to find your shared folders. For more information on shared folders, see Using Shared Folders in VMware ACE Manager on page 40. The Shrink tab gives you access to the controls you need if you wish to reclaim unused space in a virtual disk. In some configurations, it is not possible to shrink virtual disks.
Each command in the following table must be entered into the system console after the VMware Tools command vmwtool. Use the following format:
   vmwtool

vmwtool Command | Definition
help | Displays a summary of VMware Tools commands and options in a NetWare guest.
partitonlist | Displays a list of all disk partitions in the virtual disk and whether or not a partition can be shrunk.
shrink | Shrinks the listed partitions.
Installing Application Software

If you plan to distribute application software in the virtual machine, be sure the correct software is installed. You may install application software in the virtual machine just as you would on a physical computer — using a CD or an installer file on a network server, for example.
Customizing the VMware ACE Interface

You may customize several aspects of the VMware ACE user interface, including the text that appears in the title bar and the way removable devices are represented in the interface. You save these customizations in a text file and identify that text file, called the skin file, by adding a line to the preferences.ini file in the project folder.
Customizing the Title Bar Text

You may specify what text appears in the VMware ACE title bar. You may also specify the font and font size used to display the text. The text displayed in the title bar consists of three sections — a prefix, the virtual machine name and a suffix. The parameters listed here allow you to set any prefix and suffix, or to omit the prefix, the suffix or both. They also allow you to include or omit the virtual machine name.
You may customize the display for each removable device configured in the virtual machine.
Parameter | Type | Default | Controls
 | filename | Icon representing this type of device | Custom icon file when device is connected; copy icon file to the Project Resources folder under the project folder
player.deviceBar.iconDisconnected | filename (optional) | Normal icon | Custom icon file when device is disconnected
player.deviceBar..
When listing a key plus a modifier, type the virtual key code for the key followed by a comma, then type the value for the modifier key or keys. For example, the value entry for Ctrl-Shift-F1 is 0x70,0x6.

Note: Keep the following limitations in mind when defining shortcut keys:
• Do not use the Pause key with the Ctrl key. You may use the Pause key with other modifier keys.
• If you use F12, you must use one or more modifier keys.
Sample Skin File

player.title.prefix = "Our Company <<"
player.title.suffix = ">> Environment"
# player.title.useVMName = FALSE
# player.deviceBar.toplevel = TRUE
player.deviceBar.floppy0.buttonStyle = "icon"
player.deviceBar.floppy0.buttonText = "First Floppy Drive"
player.deviceBar.floppy0.shortcutKey = "0x30,0x7"
player.deviceBar.floppy0.icon = "custom-floppy.ico"
player.deviceBar.floppy0.tooltip = "Click to disconnect"
player.deviceBar.floppy0.
Running the Completed Virtual Machine

Before you create a package for deployment, you may wish to run the virtual machines in your project. There are two ways to run a virtual machine from VMware ACE Manager. You can power on the virtual machine directly in the VMware ACE Manager interface. Or you can click Run in VMware ACE to view a virtual machine as your end users will see it, running in the VMware ACE interface.
CHAPTER 6 Creating Packages to Deploy to Users

The following sections guide you through the process of creating a package to deploy to your end users:
• Creating a Package on page 132
• Contents of the Package on page 136
Creating a Package

After you have created a project and applied policies to the virtual machines in the project, you create packages to deploy those virtual machines to end users. A package includes an installer and the additional files needed to install a virtual machine and the VMware ACE application that runs the virtual machine. You may deploy a package over a network or on DVD or CD.
Note: Be sure the version of VMware Tools provided with VMware ACE is installed in the guest operating system. A number of key features in VMware ACE are provided by the VMware Tools package.
4. Under Commands, click Create package for distribution to end users. This starts the New Package Wizard.
5. Click Next to enter the wizard. The Name the Package panel appears. Enter a name for the package in the Package name field.
To include only some of the items, click the + signs to expand the tree, then select only those items you want to include. Click Next.
7. The wizard checks the items you want to include. If it finds any problems, the Validate Package panel appears. Click OK, cancel the wizard, correct the problems, then start the wizard again.
8. The Package Files panel appears. For network distribution, select Network image.
Note: When you use multiple discs, be sure that the disc label you enter in your disc burning software for each disc is the same as the name of the folder the wizard creates to hold that disc’s contents (for example, DISC1, DISC2).
Note: When the package wizard creates a package, it needs a substantial amount of working space for temporary files. The total is about twice the combined sizes of all the components of the package.
Contents of the Package

The following files and folders are in a package:
• autorun.inf — This file, included in packages for distribution on removable media, automatically starts the package installation process when the host operating system scans the first CD or DVD in the installation set.
• setup.exe — Use this file to start the package installation process if the installer is not launched automatically by an autorun.inf file.
• instmsiw.
CHAPTER 7 Deploying and Maintaining Packages

The following section describes the key tasks involved in deploying and maintaining VMware ACE packages:
• Deploying Packages on page 138
• Installing a Package Silently on page 139
• Updating Virtual Machines on page 141
• Distributing Software Updates on page 141
• Creating Update Packages on page 141
• Updating Network Quarantine Versions on page 142
• Using nq-set to Update Network Quarantine Versions on page 146
• Deploying Update Packages on page 149
• R
Deploying Packages

The first time you deploy a new package, the process is quite straightforward. If you use CDs or DVDs to deploy the package, be sure the discs are clearly labeled so your users can insert them in the proper order. The setup.exe file is on the first disc in the set. For installation instructions, see Installing a VMware ACE Package on page 154. If you deploy the package over a network, be sure your end users know where to find the installer.
Installing a Package Silently

If you are installing a VMware ACE package on a number of Windows host computers, you may want to use the silent installation features of the Microsoft Windows Installer. Before installing a VMware ACE package silently, you must ensure that the host computers have version 2.0 or higher of the MSI runtime engine. This version of the installer is available in versions of Windows beginning with Windows XP.
Option | Description
INSTALLDIR | Sets the root installation directory for the VMware ACE application
APP_PROPERTIES | Passes information to the application installer; useful for setting the application directory for the VMware ACE application

You can also install an upgrade silently. An upgrade is always installed in the same directory or directories as the previous package.
Updating Virtual Machines

From time to time, you may need to update your end users’ virtual machines. In general, there are two ways of providing updates.
• You may need to update the guest operating system or provide an update to a program running in the guest operating system.
• You may need to update either the virtual machine itself or policies applied to the virtual machine or add a new virtual machine to the package.
or change the policies applied to the virtual machines. For details, see Creating Projects on page 43. You can update most policies by distributing a package that contains the new policies. However, you should note the following exceptions:
• Reimage virtual machine — You may change this setting at any time, but the change affects only virtual machines that are installed or reinstalled after you make the change.
Take the following steps to update the network quarantine version:
1. Start VMware ACE Manager, open the project and click the name of the virtual machine in the project contents list to show the virtual machine summary. In the Commands section, click Edit network quarantine policy.
2. The policy editor opens. Click the Manage Versions link.
3. The Manage Versions panel appears. To add a new version to the list, click Add.
4. The Add New Version dialog box appears. You can change the name for the new version of the virtual machine and add a description if you wish. The dialog box displays the nq-set command needed to update the version number for the virtual machine. You may copy the command from the dialog box and paste it into a text file for later use.
5. The Manage Version panel now shows the new version in the list. Click and drag the slider at the left of the versions list to specify which versions have normal access and which versions have restricted access. Versions above the red line have normal access, as defined in your network quarantine policies. Versions below the red line have restricted access. Click Next to continue.
6. The Messages panel appears.
8. The Deploy Policy panel appears. The options available on the panel depend on the type of network quarantine you are using and whether you are storing your policies on an Active Directory server or on a Web server. Make the appropriate selections, then click Finish.

You have completed the process for updating the network quarantine version stored on your Web server or Active Directory server.
Enter the entire command on a single line. In the commands above, -n is an optional flag that instructs the host to verify the validity of the new descriptor but not save it.

Return Values

The exit value of the command is 0 if the descriptor is valid, or 1 if it is invalid.
quarantine identifier. You can verify whether an nq-set command would succeed by passing the -n flag to the command.

Using nq-set with Custom Network Quarantine

The network quarantine descriptor can store an arbitrary string that describes the patch level of the guest operating system and other software. Your custom plug-in script should verify that arbitrary string, then decide whether to grant the virtual machine normal network access or restricted network access.
Deploying Update Packages

You deploy update packages the same way you deploy original packages. If you use CDs or DVDs to deploy the package, be sure the discs are clearly labeled so your users can insert them in the proper order. The setup.exe file is on the first disc in the set. For installation instructions, see Installing a VMware ACE Package on page 154.
Responding to Hot Fix Requests

If you have enabled the hot fix feature, end users can easily request help to resolve the following problems:
• Lost or forgotten password
• Expired VMware ACE environment
• Copy protected VMware ACE environment run from a new location

The end user runs the Hot Fix Request Wizard, which generates a hot fix request file. The end user may submit this file to you as an email attachment or in some other way.
• Denied request — The dialog box provides a field in which you can enter a message to the end user.
5. Select the method for sending the response. Then click OK. If you selected Automatically email to user, the hot fix is sent automatically when you click OK. If you saved a hot fix file, you must locate that file and send it to the end user.
6. If you saved a file to send manually, send the hot fix (.vmhf) file to the end user.
7.
Using Administrator Access on the End User’s Computer

For some troubleshooting tasks, you may find it useful to work at the end user’s computer with the ability to modify the configuration of the virtual machine. This might be helpful, for example, if an end user has an unusually configured host computer and you need to make changes in the way the virtual machine’s devices are mapped to the host hardware.
CHAPTER 8 Installing and Running VMware ACE

The following sections describe how to install packages and use VMware ACE:
• Installing a VMware ACE Package on page 154
• Running VMware ACE on page 156
• Starting VMware ACE on page 156
• Quitting VMware ACE on page 157
• Enlarging VMware ACE to Fill the Screen on page 159
• Understanding VMware ACE Status Indicators on page 159
• Controlling Devices Attached to VMware ACE on page 160
• Setting VMware ACE Preferences on page 161
• Printing from VMware ACE on
Installing a VMware ACE Package

You may install a VMware ACE package from a location on the network or from one or more CDs or DVDs. In either case, take the following steps:
1. Log on to your Microsoft Windows host as the Administrator user or as a user who is a member of the Windows Administrators group.

Caution: Do not install VMware ACE on a Windows NT Server 4.0 system that is configured as a primary or backup domain controller.
All packages installed on your computer must come from the same source (known to your system administrator as a VMware ACE Manager project). Among other things, this means that you cannot install packages provided by more than one organization on the same computer.
Running VMware ACE

This section provides an overview of the most used features of VMware ACE. You may not see all these features in the VMware ACE installed on your computer. Certain features are available only if the administrator who created the package included them.

Starting VMware ACE

To start VMware ACE, double-click its icon on the desktop or launch it from the Start menu.
If the operating system inside your VMware ACE environment asks you to press Ctrl-Alt-Del to log on, press Ctrl-Alt-Ins instead. Click inside the VMware ACE window to begin using the guest operating system and the applications installed in the VMware ACE environment. In general, you use the operating system and applications just as you would if they were running directly on a physical computer.
If your system administrator has enabled the appropriate controls, you may change the exit behavior in the Preferences dialog box (VMware ACE > Preferences). You may specify the following:
• Confirm before exiting the application — When you give the command to exit VMware ACE, either from the menu or by clicking the X in the upper right corner of the window or toolbar, a dialog box appears.
Enlarging VMware ACE to Fill the Screen

Click the maximize button on the VMware ACE window to run your VMware ACE environment in full screen mode. The desktop expands to fill the full screen, leaving a small toolbar visible at the top of the screen. After a few seconds with no use, the toolbar hides. To make it visible again, move the mouse pointer to the top edge of the screen. To pin the toolbar so it is always visible, click the pushpin on the toolbar.
near the upper right corner of the VMware ACE window or near the right end of the toolbar. While your VMware ACE environment is running, the activity indicator is animated. The status icon tray is at the bottom right of the VMware ACE window or immediately left of the activity indicator on the toolbar. The status icon tray may display one or both of the following icons:
• The network quarantine indicator is a shield-shaped icon.
To disconnect and reconnect the devices from the Connect menu, click the name of a device to toggle it off and on. A check beside the name of a device indicates that it is connected. If there is no check mark, the device is disconnected.

Note: Only one machine — either the host computer or the VMware ACE environment — may use floppy disk drives and USB devices at any one time.
• Power off the virtual machine when exiting — VMware ACE powers off the virtual machine. The next time you launch VMware ACE, the virtual machine starts from a powered off state and the guest operating system boots.

The device connection interface preferences let you specify how you connect and disconnect devices such as floppy disk drives, CD or DVD drives, Ethernet adapters and sound devices available for use in VMware ACE.
ACE package was created. Select that entry, then click Remove. Follow the onscreen instructions.

Troubleshooting Problems

If you encounter problems while running your VMware ACE environment, contact your system administrator for assistance.

Requesting a Hot Fix

When certain problems occur, VMware ACE provides a simplified method for contacting your system administrator — a wizard that lets you request a hot fix for your problem.
If your system administrator approves your hot fix request, the administrator gives you a new temporary password. After applying the hot fix, use that temporary password to run your VMware ACE environment. You should then choose VMware ACE > Change Password to set a password of your choice.
If you do revert to the original state, you lose all changes made to your VMware ACE environment since you installed it — including any data you have saved in the environment, any new software you have installed and any configuration changes. Thus in most cases you should not take this action unless your system administrator recommends it.
CHAPTER 9 Using Virtual Disks

The following sections provide information on configuring your virtual machine’s hard disk storage so it best meets your needs:
• Configuring Hard Disk Storage in a Virtual Machine on page 168
• Virtual Disk Basics on page 168
• File Locations on page 169
• Defragmenting and Shrinking Virtual Disks on page 171
• Adding Drives to a Virtual Machine on page 173
• Adding Virtual Disks to a Virtual Machine on page 173
• Adding DVD or CD Drives to a Virtual Machine on page 174
• A
Configuring Hard Disk Storage in a Virtual Machine

Like a physical computer, a VMware ACE virtual machine stores its operating system, programs and data files on one or more hard disks. The New Virtual Machine Wizard creates a virtual machine with one disk drive.
Note: To use SCSI disks in a Windows XP or Windows Server 2003 virtual machine, you need a special SCSI driver available from the download section of the VMware Web site at www.vmware.com/download. Follow the instructions on the Web site to use the driver with a fresh installation of Windows XP or Server 2003.

A virtual disk of either type can be stored on either type of physical hard disk.
The first .vmdk file for each disk is small and contains pointers to the other files that make up the virtual disk. The other .vmdk files contain data stored by your virtual machine and use a small amount of space for virtual machine overhead.

If you chose to allocate space for the virtual disk in advance, the file sizes are fixed, and most of the files are 2GB. As mentioned above, the first file is small. The last file in the series may also be smaller than 2GB.
If those two conditions are true, the virtual machine can safely remove the stale lock. If either of those conditions is not true, a dialog box appears, warning you that the virtual machine cannot be powered on. If you are sure it is safe to do so, you may delete the lock files manually. When created by VMware products on Windows hosts, the filenames of the lock files end in .lck.
1. Run a disk defragmentation utility inside the virtual machine.
2. Use the VMware ACE defragmentation tool. Go to VM > Settings, click the listing for the virtual disk you want to defragment, then click Defragment.
3. Run a disk defragmentation utility on the host computer.
Adding Drives to a Virtual Machine

VMware ACE virtual machines can use up to four IDE devices and up to seven SCSI devices. Any of these devices can be a virtual hard disk or DVD or CD-ROM drive. A virtual machine can read data from a DVD-ROM disc. VMware ACE does not support playing DVD movies in a virtual machine.

Adding Virtual Disks to a Virtual Machine

Virtual disks are stored as files on the host computer or on a network file server.
You may also specify whether you want the virtual disk created as one large file or split into a set of 2GB files. You should split your virtual disk if it may be stored on a FAT32 file system.
6. Accept the default filename and location for the virtual disk file or change it, if you want to use a different name or location. To find a different folder, click Browse. If you want to specify a device node for your virtual disk, click Advanced.
Adding a DVD or CD Drive

1. Open the virtual machine settings editor (VM > Settings) and click Add to start the Add Hardware Wizard.
2. Click DVD/CD-ROM Drive, then click Next.
3. Select Use physical drive if you want to connect the virtual machine’s drive to a physical drive on the host computer. Select Use ISO Image if you want to connect the virtual machine’s drive to an ISO image file.
4.
Legacy Emulation for DVD and CD Drives

The virtual machine settings editor (VM > Settings) provides a Legacy emulation option for DVD and CD drives attached to the virtual machine. If you encounter problems using your DVD or CD drive, try selecting Legacy emulation. Note that in legacy emulation mode, you can read from data discs in the DVD or CD drive, but some other functions are not available.
If you selected Create a blank floppy image, use the default path and filename or type in a new one. To navigate to a location, click Browse. When the field contains the path and filename you want to use for the new floppy image file, click Finish.

Note: By default, only one floppy drive is enabled in the virtual machine’s BIOS.
Disk Performance in Windows NT Guests on Multiprocessor Hosts

Some users have seen slower than expected disk input and output performance when running Windows NT guest operating systems. They see the problem in a virtual machine using IDE virtual disks on a multiprocessor host computer. The I/O issue is especially noticeable when the virtual machine is booting.
CHAPTER 10 Preserving the State of a Virtual Machine

VMware ACE offers two ways to preserve the state of a virtual machine.
Using Suspend and Resume

The suspend and resume feature is available to you when you are running a virtual machine in VMware ACE Manager. You should not include a suspended virtual machine in a package for distribution to end users. The suspend and resume feature is most useful when you want to save the current state of your virtual machine, then pick up work later with the virtual machine in the same state it was when you stopped.
upper-right corner. The virtual machine is resumed automatically when the end user launches VMware ACE again.
Using the Snapshot

The snapshot feature is available to you when you are running a virtual machine in VMware ACE Manager. You may not include a virtual machine with a snapshot in a package for distribution to end users. The snapshot feature is most useful when you want to preserve the state of the virtual machine so you can return to the same state repeatedly.
When you revert to the snapshot, you return all these items to the state they were in at the time you took the snapshot.

Removing the Snapshot

You can remove the snapshot any time the virtual machine is powered off. Removing the snapshot does not destroy any data in the virtual machine. You keep all changes made since you took the snapshot. For example, changes made to data stored on the virtual hard disk are written to the virtual disk files.
Starting a Virtual Machine Repeatedly in the Same State

You can configure the virtual machine to revert to the snapshot any time it is powered off. To do so, choose VM > Settings > Options > Snapshot. Under When powering off, select Revert to the snapshot. If you want the virtual machine to be suspended when you launch it, suspend the virtual machine before taking the snapshot.
server. If you revert to the snapshot, communications between the virtual machine and the server are confused and the file transfer fails. Or consider a case in which you take a snapshot while an application in the virtual machine is sending a transaction to a database on a separate machine.
CHAPTER 11 Networking Virtual Machines

VMware ACE provides virtual networking components that let you create a wide range of configurations. If you select the Typical setup path in the New Virtual Machine Wizard when you create a virtual machine, the wizard sets up bridged networking for the virtual machine. You can choose any of the common configurations — bridged networking, network address translation (NAT) or host-only networking — by selecting the Custom setup path.
This section covers the following topics:
• Components of the Virtual Network on page 189
• Common Networking Configurations on page 191
• Bridged Networking on page 191
• Network Address Translation (NAT) on page 192
• Host-Only Networking on page 193
• Changing the Networking Configuration on page 195
• Adding and Modifying Virtual Network Adapters on page 195
• Understanding NAT on page 196
• Using NAT on page 196
• The Host Computer and the NAT Network on page 196
• DH
Components of the Virtual Network

Virtual switch — Like a physical switch, a virtual switch lets you connect other networking components together. Virtual switches are created as needed by the VMware ACE software, up to a total of nine switches. You can connect one or more virtual machines to a switch. A few of the switches and the networks associated with them are, by default, used for special named configurations. The bridged network normally uses VMnet0.
DHCP server — The DHCP (dynamic host configuration protocol) server provides IP network addresses to virtual machines in configurations that are not bridged to an external network — for example, NAT configurations.

Packet filter — A packet filter supports the network quarantine feature of VMware ACE, making it possible for you to specify exactly which machines or subnets a virtual machine may access.
Common Networking Configurations

The following sections illustrate the networking configurations that are set up for you automatically when you choose the standard networking options in the New Virtual Machine Wizard or virtual machine settings editor. Only one virtual machine is shown in each example, but multiple virtual machines can be connected to the same virtual Ethernet switch.
If you use bridged networking, the virtual machine is a full participant in the network. It has access to other machines on the network and can be contacted by other machines on the network as if it were a physical computer on the network.

If you make some other selection in the New Virtual Machine Wizard and later decide you want to use bridged networking, you can make that change in the virtual machine settings editor (VM > Settings).
If you select NAT, the virtual machine can use many standard TCP/IP protocols to connect to other machines on the external network. For example, you can use HTTP to browse Web sites, FTP to transfer files and Telnet to log on to other computers. In the default configuration, computers on the external network cannot initiate connections to the virtual machine.
Routing and Connection Sharing

If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network.
Changing the Networking Configuration

Using the virtual machine settings editor (VM > Settings), you can add virtual Ethernet adapters to your virtual machine and change the configuration of existing adapters.

Adding and Modifying Virtual Network Adapters

To add a new virtual Ethernet adapter, follow these steps.
1. Select the virtual machine to which you want to add the adapter and be sure it is powered off.
2.
Understanding NAT

Network address translation — or NAT — provides a simple way for virtual machines to use most client applications over almost any type of network connection available to the host. The only requirement is that the network connection must support TCP/IP. NAT is useful when you have a limited supply of IP addresses or are connected to the network through a non-Ethernet network adapter.
the NAT device can dynamically obtain their IP addresses by sending out DHCP requests. The DHCP server on the NAT network, which is also used in host-only networking configurations, dynamically allocates IP addresses in the range of .128 through .254, where is the network number assigned to your NAT network. VMware ACE always uses a Class C address for NAT networks. IP addresses .3 through .127 can be used for static IP addresses.
Before any such communication can occur, the NAT device must set up a mapping between the virtual machine’s address on the private NAT network and the host’s network address on the external network. When a virtual machine initiates a network connection with another network resource, this mapping is created automatically. The operation is perfectly transparent to the user of the virtual machine on the NAT network.
domain from the virtual machine. You can then access file shares known by the WINS server in the domain. To use NetLogon, you need to know how WINS servers and Windows domain controllers work. This section explains how to set up the virtual machine to use NetLogon. The setup process is similar to the way you set up a physical computer on one LAN that is using a domain controller on another LAN.
3. In the Properties dialog box, select Internet Protocol (TCP/IP), then click Properties.
4. In the TCP/IP Properties dialog box, click Advanced.
5. Click the WINS tab, then click Add.
6. In the TCP/IP WINS Server dialog box, enter the IP address for the WINS server in the WINS server field, then click OK. The IP address of the WINS server appears in the WINS addresses list on the WINS tab.
CHAPTER 12 Configuring Video and Sound

The following sections provide information on configuring the video display and sound for VMware ACE.
Setting Screen Color Depth in a Virtual Machine

The number of screen colors available in the guest operating system depends on the screen color setting of the host operating system.
Follow the normal process for changing screen colors in your guest operating system. In a Windows guest, the Display Properties control panel offers only those settings that are supported. In a Linux or FreeBSD guest, you must change the color depth before you start the X server or restart the X server after making the changes.
Configuring Sound

VMware ACE provides a sound device compatible with the Sound Blaster AudioPCI and supports sound in Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Linux guest operating systems. The VMware ACE sound device is enabled by default. Sound support includes PCM (pulse code modulation) output and input. For example, you can play .wav files, MP3 audio and Real Media audio.
CHAPTER 13 Connecting Devices to Virtual Machines

The following sections describe how to use various devices with a virtual machine:
• Using Parallel Ports on page 207
• Parallel Ports on page 207
• Installation in Guest Operating Systems on page 207
• Special Notes for the Iomega Zip Drive on page 208
• Using Serial Ports on page 209
• Using a Serial Port on the Host Computer on page 209
• Using a File on the Host Computer on page 209
• Connecting an Application on the Host to a Virtual Machine on page
• Connecting USB Devices on page 214
• Using USB with a Windows Host on page 215
• Replacing USB 2.0 Drivers on a Windows 2000 Host on page 215
• Installing USB Devices as a Non-Administrator on page 216
• Who Has Control over a USB Device? on page 216
• Disconnecting USB Devices from a Virtual Machine on page 217
• Human Interface Devices on page 217
Using Parallel Ports

VMware ACE supports a partial emulation of bidirectional PS/2-style ports.

Parallel Ports

Parallel ports are used by a variety of devices, including printers, scanners, dongles and disk drives. VMware ACE emulates the most commonly used functions of PS/2 hardware. However, interrupts requested by a device connected to the physical port are not passed to the virtual machine.
In a Windows 95 or Windows 98 guest, after you add the port, run the guest operating system’s Add New Hardware Wizard (Start > Settings > Control Panel > Add New Hardware) and let Windows detect the new device.

Special Notes for the Iomega Zip Drive

On Windows 95 or Windows 98, use of older drivers for the Iomega Zip drive may cause the guest operating system to lock up intermittently at boot time or during installation of the guest operating system.
Using Serial Ports

A VMware ACE virtual machine can use up to four virtual serial ports. The virtual serial ports can be configured in several ways.
• You can connect a virtual serial port to a physical serial port on the host computer.
• You can connect a virtual serial port to a file on the host computer.
• You can make a direct connection between two virtual machines or between a virtual machine and an application running on the host computer.
program running in the virtual machine sends to the virtual serial port or if you need a quick way to transfer a file from the guest to the host.

To install a virtual serial port that connects to a file on the host computer, take the following steps:
1. Open the virtual machine settings editor (VM > Settings).
2. Click Add to start the Add Hardware Wizard.
3. Select Serial Port, then click Next.
4. Select Output to file, then click Next.
5.
8. By default, the device status setting is Connect at power on. You may deselect this setting if you wish. Click Advanced if you want to configure this serial port to use polled mode. This option is of interest primarily to developers who are using debugging tools that communicate over a serial connection. For more information, see Special Configuration Options for Advanced Users on page 212.
9.
9. Click Finish, then click OK to close the virtual machine settings editor.

In the client virtual machine

1. Open the virtual machine settings editor (VM > Settings).
2. Click Add to start the Add Hardware Wizard.
3. Select Serial Port, then click Next.
4. Select Use named pipe.
5. Use the default name, or enter another pipe name of your choice. The pipe name must follow the form \\.\pipe\ — that is, it must begin with \\.\pipe\.
Changing the Input Speed of the Serial Connection

To use the second option, power off the virtual machine and close the VMware ACE Manager window, then use a text editor to add the following line to your virtual machine’s configuration file:

serial.pipe.charTimePercent =

This option is useful if you want to squeeze every possible bit of speed from your serial connection over a pipe to the virtual machine.
Using USB Devices in a Virtual Machine

VMware ACE provides a two-port USB 1.1 controller. You can use up to two USB devices in your virtual machine if both your host operating system and your guest operating system support USB. If your host computer supports USB 2.0 devices, you can use those devices in the virtual machine.
Choose VM > Removable Devices to connect specific USB devices to your virtual machine. You can connect up to two USB devices at a time. If the physical USB devices are connected to the host computer through a hub, the virtual machine sees only the USB devices, not the hub. There is a menu item for each of the USB ports.
Take the following steps to check the provider of your driver:
1. Go to the Device Manager. Right-click My Computer, choose Properties, click the Hardware tab, then click Device Manager.
2. Expand the listing for Universal Serial Bus controllers.
3. Right-click the listing for the controller and choose Properties.
4. Click the Driver tab. If the driver provider shown on that page is Microsoft, you have the correct driver already.
Under some circumstances, if a USB storage device is in use on the host (for example, one or more files stored on the device are open on the host), an error appears in the virtual machine when you try to connect to the device. You must let the host complete its operation or close any application connected to the device on the host, then connect to the device in the virtual machine again.
CHAPTER 14 Understanding Policies

Policies are at the heart of managed virtual machines. They give you control over many aspects of your end users’ experience. The following sections provide background information on how to determine which policy settings are appropriate for your environment and how to create your own plug-ins to apply custom policies.
Taking Advantage of Policies

With policies, you can specify what controls your end users see when they launch VMware ACE, how long they may run a particular virtual machine, what parts of your organization’s network they are allowed to use from the virtual machine and many other capabilities of the VMware ACE application and the virtual machine it runs for the end user. You set policies with the policy editor.
and end users must log on to that domain so VMware ACE has access to the policies. Similarly if you set policies based on users and groups in your Active Directory domain, end users’ host computers must log on to a domain where those users and groups are defined.

If you store policies on your Active Directory server, they are stored in a container called VMware directly under the top hierarchy of the domain controller container.
Encryption and Authentication Policies

Encryption policies control how a virtual machine’s files are stored. Authentication policies control who is allowed to use the virtual machine.

Encrypting a Virtual Machine’s Files

If you specify that the virtual machine should be encrypted, the VMware ACE installer encrypts the virtual machine’s files, including the configuration file and the virtual disk files, when it installs VMware ACE on the end user’s computer.
If end users forget their passwords, they can create hot fix requests and send them to a designated administrator. The administrator can reset the password using VMware ACE Manager and provide the hot fix to the end user. The end user double-clicks the hot fix file to apply it, then runs VMware ACE and sets a new password. For more information on hot fixes, see Responding to Hot Fix Requests on page 150.
Expiration Policies

You can use expiration policies to limit the lifetime of a virtual machine. You may find this useful, for example, if you need to provide a computing environment for a contractor and want to be sure it can be used only for the duration of the contract. Setting a virtual machine to expire can also be useful if you want to provide a time-limited demonstration to potential customers.
Copy Protection Policies

Copy protection policies let you ensure that a virtual machine can run only from the location where the VMware ACE installer placed it. To apply this copy protection, select Copy protect this virtual machine as the copy protection policy in the policy editor. If you copy protect a virtual machine, it is still possible for the virtual machine’s files to be moved or copied.
VMware ACE Policies

VMware ACE policies apply to the VMware ACE application itself. These policies allow you to give end users more or less control over certain VMware ACE functions. There is also a policy that gives you privileged access to the virtual machine on the end user’s computer so you can change configuration settings.

Troubleshooting Policies

The troubleshooting policies determine whether certain options appear on the VMware ACE menu.
be lost and urges the user to take this action only if advised to do so by a system administrator.

Note: If the virtual machine uses password authentication, reverting to the installed environment returns the virtual machine to its state after the initial password was selected. If you enable this feature, you should also consider implementing hot fixes so you can respond easily if end users revert and have forgotten their original passwords.
• You know in advance which printer the end user needs to use. If you configure the printer in the guest operating system before you create the package, the end user does not need to configure the printer.
• The printer requires authentication and is not yet set up in the guest operating system. Easy printer setup does not work. The end user must follow the normal steps to set up a network printer in the guest operating system.
• Power off the virtual machine — VMware ACE powers off the virtual machine. The next time the end user launches VMware ACE, the virtual machine starts from a powered off state and the guest operating system boots.
Network Quarantine Policies

Network quarantine policies give you fine-grained control over the network access you provide to users of your virtual machines. Using a packet filtering firewall, the network quarantine feature of VMware ACE lets you specify exactly which machines or subnets a virtual machine may access.
and retrieves the list. If you need to make any changes in the future, you update the list stored on the server. Dynamic quarantine gives you the flexibility to modify the access list at any time you need to make changes. If you are using Active Directory and choose to store the access list in your Active Directory service, VMware ACE Manager stores your updates on the server for you.
compliance detection software. For more information, see Writing Plug-In Policy Scripts on page 244.

Note: VMware Tools provides services that are essential for custom quarantine. This means you cannot use custom quarantine with guest operating systems such as MS-DOS and Windows 3.1.

Specifying Access to Networks and Machines

You may allow a virtual machine unrestricted network access, or you may limit access to specified machines or parts of the network.
• DHCP packets — Select this option if the virtual machine needs to get its IP address from a DHCP server that is not included in the access list.
• DNS packets — Select this option if the virtual machine needs to resolve IP addresses using a DNS server that is not included in the access list.
• ICMP packets — Select this option if you need support for the ping command — for example, to check network connectivity to and from the virtual machine.
Using Advanced Network Quarantine
Advanced network quarantine features allow you to control the host computer’s access to the network. This is useful if you want to give the virtual machine access to the network but block or restrict host computer access. You can apply different policies to the host computer based on the network to which the host is attached.
connected to that network zone. These settings go in .vmpl in the affected virtual machine’s folder inside the project folder. For details, see Defining Guest Policies on page 240.

Defining Zones
Zone descriptions describe the characteristics of a network zone. VMware ACE examines the network or networks directly connected to network adapters on the host computer to see if there is a match for all the criteria in any of the zone definitions.
zoneDescription..present = "1"
zoneDescription..key = ""
zoneDescription..name = ""
The value of starts at zero and increments sequentially. The value of is a descriptive name of your choice. The first two zone descriptions might start with sections similar to the following:
zoneDescription.0.present = "1"
zoneDescription.0.key = "0"
zoneDescription.0.
using a comma-separated list with no spaces. A network adapter matches this condition if it is using at least one of these servers.
zoneDescription..gateways = ""
This parameter specifies one or more IP addresses for default gateways on the network, using a comma-separated list with no spaces. A network adapter matches this condition if it is using at least one of these gateways.
zoneDescription..
to use bridged networking. Or if you are using NAT networking, give the host access to the network resources required by the virtual machine. For example, you may want to allow the host — and thus the virtual machine — to connect to a VPN server. The VPN server then controls access to additional resources. In addition, if you have set authentication or device connection policies that require access to a particular server, you must allow host access to that server.
This approach allows you to specify the host zones in a different order from that in the list of zone descriptions. Using the examples above, VMware ACE first searches for a match for the Eastern Regional Office zone description (zone.description.1 criteria in the zone descriptions). If it finds a match, it applies the host quarantine policies defined for host.zone.0. You may specify the following policies for each zone:
host.zone..
Defining Guest Policies
If you want to enforce different network quarantine policies in the guest operating system based on the network zone to which the host computer is attached, you must use a text editor to make changes in the virtual machine’s policy file — .vmpl in the affected virtual machine’s folder inside the project folder. Take the following steps:
1. Before editing .
quarantine.showUpdatesAvailMsg
quarantine.descriptor.Type
quarantine.descriptor.custom.script
Notice that quarantine.configurationBlock is followed by a very long string of parameters and settings. These are key quarantine settings; be careful not to modify those parameters and settings.
6. At the beginning of each line, add guest.zone.. Thus for zone 0, you change quarantine.configurationBlock to guest.zone.0.quarantine.configurationBlock and so on.
7.
use bridged networking. For zones in which the host’s network access is unrestricted, you may prefer to use NAT networking. You can use advanced network quarantine policy options to specify the networking type for each zone. If you specify the network type for any zone, you should specify it for all zones. Make the following changes after you have defined guest policies for all zones as described in Defining Guest Policies on page 240:
1.
In most cases, the default value for this disconnection period is appropriate to force renewal of DHCP leases. If you experience difficulties when using the default setting or if you are using Linux guests, which do not respond to the temporary disconnection, you can take the following steps to disable or configure this disconnection period:
1. Use a text editor to open .vmpl in the affected virtual machine’s folder inside the project folder.
Writing Plug-In Policy Scripts
You may write your own plug-ins to control certain policies in VMware ACE. You may use any language that is supported on the end user’s computer. For security reasons, plug-ins must be deployed as part of a package and installed by the package installer. They cannot be deployed separately to end users' computers and cannot be modified by the end user. Your plug-ins must write the appropriate values to StdOut.
The sample scripts presented in Sample Scripts on page 250 are installed with VMware ACE Manager. The default location is C:\Program Files\VMware\VMware ACE Manager\Samples. The following descriptions give the format for the output that your plug-ins must write to StdOut to control various policies.

Authentication Plug-Ins
The following table outlines the basic information you need to write authentication plug-ins.
Question: What should the exit code of the script be?
Explanation: If access is granted, the exit code should be 0. If access is denied, the exit code should be nonzero.
Note: This is a reference to the exit code, not the output value.

Renewal Plug-Ins
The following table outlines the basic information you need to write renewal plug-ins.
Question: When does this script execute?
Explanation: This script executes every time the virtual machine is powered on or reset.
Question: What should the exit code of the script be?
Explanation: It should be 0. Any nonzero exit code voids any output to StdOut.
Note: Because the script runs each time the end user launches VMware ACE or resets the virtual machine, the current date is different each time the script runs. Take this changing reference point into account in your script.
Network Quarantine Plug-Ins
The following table outlines the basic information you need to write network quarantine plug-ins.
Question: When does this script execute?
Explanation: This script executes at power on, at reset and when a virtual machine sends a network quarantine descriptor update.
Question: What relevant environment variables are available to the script?
Explanation: VMWARE_NQ_DESCRIPTOR contains the string last set by a guest update.
For details on using nq-set, see Using nq-set to Update Network Quarantine Versions on page 146.
Sample Scripts

Sample Authentication Script
The following sample script is written in C. It is installed by VMware ACE Manager as sampleAuth.c. You may compile it with a C compiler if you want to run it.

/*
 *
 * VMware Sample Script
 *
 *
 * This is a sample authentication script for VMware ACE.
#include
#include
#include
        counter++;
    }
    /* No match found */
    fprintf(stderr, "User (%s) not found in list\n", username);
exit:
    return result;
}

Sample Renewal Script
The following sample script is written in VB Script. It is installed by VMware ACE Manager as expire_on_fridays.vbs.

' VMware Sample Script
'
' This is a sample expiration/renewal script for VMware ACE
'
' This script returns a UTC time (number of seconds since 1/1/1970) for use
' in determining product expiration.
    StdOut.Write DateDiff("s", "1/1/1970", "1/1/2010")
End If

Sample Device Connection Script
The following sample script is written in C. It is installed by VMware ACE Manager as sampleDevice.c. You may compile it with a C compiler if you want to run it.

/*
 * VMware Sample Script
 *
 * This is a sample device policy script for VMware ACE.
    env_var = getenv("TEST_DEVICE");
    if ((env_var == NULL) || (strlen(env_var) == 0)) {
        printf("NO");
    } else {
        printf("YES");
    }
    return 0;
}

Sample Network Quarantine Script 1
The following sample script is written in C. It is installed by VMware ACE Manager as sampleQuarantine.c. You may compile it with a C compiler if you want to run it.
 *
 * Setting the NQ descriptor:
 * To set the NQ descriptor from the guest os you must run the
 * following command (without the brackets around the new
 * descriptor):
 *
 * On a Linux guest:
 * (Binary located at /src/sbin)
 * vmware-guestd --cmd "nq-set [new descriptor]"
 *
 * On a Windows guest:
 * (Binary located at C:\Program Files\VMware\VMware Tools)
 * vmwareservice -cmd "nq-set [new descriptor]"
 *
 * (without the brackets around the new descriptor)
 *
 */
#include
    descriptor = getenv("VMWARE_NQ_DESCRIPTOR");
    if (descriptor == NULL) {
        fprintf(stderr, "VMWARE_NQ_DESCRIPTOR not set\n");
        goto exit;
    }
    result = 0;
    counter = 0;
    while (descriptorList[counter].descriptor != NULL) {
        if (strcmp(descriptorList[counter].descriptor, descriptor) == 0) {
            /* Found the right descriptor */
            printf("%s", descriptorList[counter].
#
# Input to script:
# Script examines the environment variable VMWARE_NQ_DESCRIPTOR
#
# Returns:
# Returns 0 for success
#
# Expected output:
# The script may output to stdout:
# 'YES' - the descriptor is valid and up-to-date
# 'NO' - the descriptor is valid and not up-to-date
# 'REJECT' - the descriptor is not valid
#
# Setting the NQ descriptor:
# To set the NQ descriptor from the guest os you must run the
# following command:
#
# On a Linux guest:
# (Binary loca
        # \Q...\E quotes the descriptor so that regex metacharacters in it
        # are matched literally.
        if (/^\Q$_[0]\E$/i) {
            return "NO";
        }
    }
    return "REJECT";
}

my $nqEnvName = 'VMWARE_NQ_DESCRIPTOR';
my $nqVal = $ENV{$nqEnvName};
print &find_match($nqVal);
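
The YES / NO / REJECT output contract from the sample script header, applied to a version-style descriptor, as an added example in C that is not VMware's sample code. The descriptor format "<profile>:<major>.<minor>", the profile names and the baseline table are assumptions made for illustration; because VMWARE_NQ_DESCRIPTOR holds a string set from the guest, anything that does not parse exactly is rejected.

```c
/* Added example, not VMware's sample code. Assumed (hypothetical) descriptor
 * format: "<profile>:<major>.<minor>", for example "corp-av:7.12". */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct baseline { const char *profile; long major, minor; };
/* Constructed policy table: lowest version still treated as up to date. */
static const struct baseline baselines[] = {
    { "corp-av", 7, 10 },
    { "corp-patch", 3, 0 },
    { NULL, 0, 0 }
};
/* Parse a decimal field of 1 to 6 digits and advance *s past it. */
static int parse_field(const char **s, long *out)
{
    const char *p = *s;
    long v = 0;
    for (; isdigit((unsigned char)*p); p++) {
        if (p - *s >= 6) return -1;     /* too long: reject before overflow */
        v = v * 10 + (*p - '0');
    }
    if (p == *s) return -1;             /* no digits (sign, space, empty) */
    *s = p;
    *out = v;
    return 0;
}

/* Returns the string the plug-in writes to StdOut. Unknown profiles and
 * anything that does not parse exactly fail closed as REJECT. */
const char *nq_verdict(const char *d)
{
    const struct baseline *b = baselines;
    const char *colon = d ? strchr(d, ':') : NULL;
    long major, minor;
    if (colon == NULL || colon == d || strlen(d) > 64) return "REJECT";
    for (; b->profile != NULL; b++)
        if (strlen(b->profile) == (size_t)(colon - d) &&
            strncmp(b->profile, d, (size_t)(colon - d)) == 0)
            break;
    if (b->profile == NULL) return "REJECT";
    d = colon + 1;
    if (parse_field(&d, &major) != 0 || *d++ != '.') return "REJECT";
    if (parse_field(&d, &minor) != 0 || *d != '\0') return "REJECT";
    if (major > b->major || (major == b->major && minor >= b->minor))
        return "YES";                   /* valid and up to date */
    return "NO";                        /* valid but older than baseline */
}
int main(void)
{
    fputs(nq_verdict(getenv("VMWARE_NQ_DESCRIPTOR")), stdout);
    return 0;                           /* exit code 0, per the script header */
}
```

Versions are compared numerically field by field, so 7.9 is older than 7.10, which a plain string comparison would get wrong.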
CHAPTER 15 Glossary
Bridged networking — A type of network connection between a virtual machine and the rest of the world. Under bridged networking, a virtual machine appears as an additional computer on the same physical Ethernet network as the host. See also Host-only networking.
Configuration — See Virtual machine configuration file.
Full screen mode — A display mode in which the virtual machine’s display fills the entire screen.
same network. See also Bridged networking, Custom networking and Network address translation.
Host operating system — An operating system that runs on the host machine. See also Guest operating system.
Hot fix — An installable file that resets a user’s password, renews an expired virtual machine or allows a copy-protected virtual machine to run from a new location.
host computer and one or more virtual machines. It provides a simple way of sharing files between host and guest or among virtual machines. In a Windows virtual machine, shared folders appear in My Network Places (Network Neighborhood in a Windows NT virtual machine) under VMware Shared Folders. In a Linux virtual machine, shared folders appear under a specified mount point.
VMware ACE Manager — The program used by the administrator to create and update projects, virtual machines and packages.
VMware Tools — A suite of utilities and drivers that enhances the performance and functionality of your guest operating system.