VMware ACE Administrator’s Manual VMware ACE 2.
Revision: 20071019
Item: ACE-ENG-Q207-008

You can find the most up-to-date technical documentation on our Web site at http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

©2004–2007 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos.
Contents About This Book 13 1 Introduction and System Requirements 17 About VMware ACE 2 17 Ensure Safe Access to Enterprise Resources 18 Simplified End‐User Interface 18 Standardize and Secure PC Environments 18 Key Features of ACE 2 19 Manageability 19 Security 19 Usability 19 ACE Option Pack for Workstation 6 19 Key Concepts of ACE 2 20 Hardware and Software Recommendations for This Release Workstation ACE Edition (ACE Administrator) 24 PC Hardware 25 Display 25 Disk Drives 25 Local Area Networking (O
External Databases 32 Web Browsers 32 2 Learning the Basics of Workstation ACE Edition 33 Terminology for This Chapter 33 Setting Up Your Administrative Workstation 34 Overview of the Workstation ACE Edition Window 35 Accessing Commands in the Workstation ACE Edition Window 36 Workstation ACE Edition Window Elements 37 ACE Master Icons in the Sidebar 37 Adding ACE Masters to ACE 2 Management Servers 38 Viewing ACE Masters in the Sidebar 38 Using the ACE Icons on the Home
4 Installing and Configuring the ACE 2 Management Server 53 ACE 2 Management Server Setup Options 54 System Requirements for the ACE 2 Management Server 55 Hardware 55 Display 55 Disk Drives 55 Local Area Networking 55 Operating Systems 56 Supported Windows Host Systems 56 Supported Linux Host Systems 56 External Databases 56 Web Browsers 56 Features of the ACE 2 Management Server 57 Components of the ACE 2 Management Server 59 Database Options 59 About Database Backup 60 Integrating the ACE 2 Man
Using the ACE 2 Management Server 87 Unblocking Port Traffic and Changing Port Assignments 87 If Your ACE Instance on a Linux Host Computer Cannot Contact the ACE 2 Management Server 87 If You Need to Change the Port Assignment for the Server 88 5 Creating and Configuring ACE Masters 91 Creating an ACE Master 91 Creating a New ACE Master 92 Cloning an ACE Master from an Existing ACE Master 99 Cloning an ACE Master from an Existing Virtual Machine 100 Cloning a Virtual Mac
Setting Network Access Policies 126 Before You Begin: Read These Notes About Host Policies 127 Getting Started with Setting Network Access 128 Using the Network Access Wizard to Configure Network Access 129 Using the Zone, Ruleset, and Rule Editors to Configure Network Access 132 Using the Zone Editor to Set Up and Configure Network Zones 132 Using the Ruleset and Rule Editors to Configure Host and Guest Access 136 Network Properties Packaging 141 Understanding the Interaction of Host Access and G
7 Package Settings 169 Custom EULA 170 Instance Customization 170 Benefits of Instance Customization 171 Overview of the Instance Customization Process 171 Before You Specify Instance Customization Settings, Perform These Tasks 173 Downloading the Microsoft Sysprep Deployment Tools 174 Specifying Package Settings for Instance Customization 174 Placeholder Values to Use in Instance Customization 177 Packaging with Instance Customization Enabled 178 Specifying Additional Lic
Pre‐Deployment End‐to‐End Test 202 Post‐Deployment End‐to‐End Test 203 10 Pocket ACE 207 Portable Devices Requirements 207 Space Requirements for Your Pocket ACE 208 Creating an ACE Package for Portable Devices 208 Policies and Package Settings That Do Not Apply to Pocket ACEs 208 Steps for Creating a Pocket ACE Package 209 Deploying the ACE Package on a Portable Device 211 Running the Pocket ACE Instance 213 11 Installing and Using VMware Player and ACE Instances 215 Installing the ACE Package
Taking Snapshots in VMware Player 229 Using Shared Folders 230 Printing from VMware Player 230 Troubleshooting Problems 230 Requesting a Hot Fix 231 Resetting and Powering Off 232 Reverting to the Reimage Snapshot 232 About the Enter Administrator Mode Command on the Troubleshoot Menu 233 Troubleshooting Tools 233 ACE Tools: vmware‐acetool Command‐Line Tool 234 Password Prompts 234 Expiration Dates 235 Examples 235 Responding to Hot Fix Requests 235 Using the VMware Help D
Glossary 267 Index 273 Updates for the VMware ACE Administrator’s Manual 283 Updates for Running a Pocket ACE Instance 283
About This Book

This manual, the VMware ACE Administrator’s Manual, provides information about installing and using Workstation ACE Edition.

Revision History

This manual is revised with each release of the product or when necessary. A revised version can contain minor or major changes. Table 1 summarizes the significant changes in each version of this manual.

Table 1. Revision History
Revision    Description
20071019    Updated for ACE 2.0.2 release.
20070920    Updated for ACE 2.0.1 release.
developers, QA engineers, trainers, salespeople who run demos, and anyone who wants to create virtual machines.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to: docfeedback@vmware.com

Conventions

Table 2 illustrates the typographic conventions used in this manual.

Table 2.
For more information about the VMware Technology Network, go to http://www.vmware.com/community/index.jspa.

Online and Telephone Support

Use online support to submit technical support requests, view your product and contract information, and register your products. Go to http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.
1 Introduction and System Requirements

Welcome to VMware ACE 2. This section covers the following topics:
“About VMware ACE 2” on page 17
“Key Concepts of ACE 2” on page 20
“Hardware and Software Recommendations for This Release” on page 24

About VMware ACE 2

VMware ACE 2 is a software solution that delivers enhanced management, security, and usability to standard desktop virtualization products.
ACE 2 is used across an organization to:
Ensure secure, controlled access to enterprise resources from a standardized PC environment called an ACE
Provide a simplified end‐user interface designed specifically for nontechnical users
Provide policy‐based controls including access, network, and device rights

Ensure Safe Access to Enterprise Resources

Reduce the threat from unmanaged and unsecured PCs used by telecommuters, partners and offshore workers to access e
Key Features of ACE 2

The following sections describe the key features of ACE 2.

Manageability

Design once, deploy anywhere. Create standardized hardware‐independent PC environments and deploy them to any PC throughout the extended enterprise.
Virtual rights management interface. Control ACE 2 lifecycle, security settings, network settings, system configuration and user interface capabilities.
Instance tracking.
The ACE Option Pack is a license enablement that turns an existing copy of Workstation 6 into Workstation 6 ACE Edition. There are no new software downloads required. As an ACE administrator you install Workstation 6 software and then the ACE Option Pack license key.
database quickly. You can customize the Instance View by adding searchable custom fields. The web‐based ACE 2 Management Server Help Desk Application is designed to deliver a reduced set of administrative functionality through role‐based access from any browser. See “Using the VMware Help Desk Web Application” on page 237 for more information. The server uses the Apache 2.0 web server.
Instance Customization

The instance customization feature automates Microsoft Sysprep deployment tools actions and streamlines the process of customizing instances after they have been deployed to user machines. This feature makes it easier for you to deploy and customize a single package for many users.
without having the instances contact the ACE 2 Management Server for policy updates.
Removable devices – This policy allows you to control whether users can connect and disconnect removable devices from their ACE instances.
USB devices – This policy allows you to specify in detail which USB devices and device classes can be accessed by ACE instances created from a specific ACE master.
license‐agreement message that the user must see and accept before the instance can be run for the first time.
Package lifetime package setting – This package setting allows you to specify a time period during which an ACE package can be installed.

Troubleshooting tools

The vmware‐acetool command‐line program and the hot fix feature are available for use by administrators to fix users’ common problems on standalone ACE instances.
PC Hardware

Standard PC
1000MHz or faster compatible x86 and x86‐64 architecture processor (recommended; 600MHz minimum)
Compatible processors include:
Intel: Celeron, Pentium II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including “Prestonia”), AMD, Athlon, Athlon MP, Athlon XP, Duron, Opteron, AMD64 Opteron, Athlon 64
Multiprocessor systems supported
Experimental support for Intel IA‐32e CPU
Windows Host Operating Systems (32-bit)

Windows Vista
Windows XP Home Edition, SP1, SP2
Windows XP Professional, SP1, SP2 (Listed versions are also supported with no service pack.
Supported Host Operating Systems

VMware Player is available for both Windows and Linux host operating systems.
Linux Host Operating Systems (32-Bit)

Supported distributions and kernels are listed below. Workstation might not run on systems that do not meet these requirements.

NOTE As newer Linux kernels and distributions are released, VMware modifies and tests its products for stability and reliability on those host platforms.
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9 SP4 (Beta)
SUSE Linux Enterprise Server 9, 9 SP1, 9 SP2, 9 SP3 (Listed versions are also supported with no service pack.)
SUSE Linux Enterprise Server 8, stock 2.4.19
openSUSE 10.2 (formerly known as SUSE Linux 10.2)
SUSE Linux 10.1
SUSE Linux 10
SUSE Linux 9.3
SUSE Linux 9.2, SP1)
SUSE Linux 9.1 — stock 2.6.4‐52
SUSE Linux 9.0 — stock 2.4.21‐99
SUSE Linux 8.2 — stock 2.4.20
Ubuntu Linux 6.
Red Hat Enterprise Linux 5.0
Red Hat Enterprise Linux 4.5
Red Hat Enterprise Linux AS 4.0, updates 3, 4
Red Hat Enterprise Linux ES 4.0, updates 3, 4
Red Hat Enterprise Linux WS 4.0, updates 3, 4
Red Hat Enterprise Linux AS 3.0, stock 2.4.21, updates 2.4.21‐15, 6, 7, 8
Red Hat Enterprise Linux ES 3.0, stock 2.4.21, updates 2.4.21‐15, 6, 7, 8
Red Hat Enterprise Linux WS 3.0, stock 2.4.21, updates 2.4.
ACE 2 Management Server

The following sections describe the ACE 2 Management Server system requirements.
Linux Operating Systems

Red Hat Enterprise Linux Advanced Server 4.0 with Update 4.
SUSE Linux Enterprise Server 9 Service Pack 3

External Databases

The SQLite database engine is embedded in the ACE 2 Management Server. In addition, you can use external databases, through ODBC connectivity:
For Windows‐based servers: Microsoft SQL Server 2000 or higher; Oracle Database 10g
For Linux‐based servers: PostgreSQL 7.4 or higher.
2 Learning the Basics of Workstation ACE Edition

The following sections provide an overview of how to use Workstation ACE Edition to create and deploy virtual machines for your users.
ACE 2 Management Server – A server that can optionally be installed and used by the ACE administrator for activating and tracking ACE instances and for hosting dynamic policies for ACE instances.
ACE master – A virtual machine template created by the ACE administrator. The master can be configured with various policies and devices and package settings and then used as the basis for creating any number of packages to be sent to ACE users.
networking in a virtual machine, see the Workstation User’s Manual. If you need to use an installer on a local drive, you can use the virtual machine’s networking capabilities.

You need to provide adequate disk space for two types of files:
Virtual machine files – The files for each virtual machine can be quite large, sometimes as large as several gigabytes. The default location for these files is C:\Documents and Settings\\My Documents\
If you set up one or more ACE 2 Management Servers in Workstation ACE Edition as part of your ACE setup, you also use the controls and options in the Workstation ACE Edition window to manage the ACE masters that you associate to those servers.
Workstation ACE Edition Window Elements

The Workstation ACE Edition window differs only slightly from the standard Workstation window. Like that window, it incorporates:
Home page, Summary view, and Console view
Toolbars
Sidebar

For details of the standard Workstation window, including how to use and customize those window elements, see “Overview of the Workstation Window” in the VMware Workstation User’s Manual.
Adding ACE Masters to ACE 2 Management Servers

If you have installed and configured one or more ACE 2 Management Servers, you can associate ACE masters to those servers and then use the servers to activate instances, track instances, and dynamically update policies, instance customization data, and other per‐ACE‐instance data.
The parts of the ACE master summary view are:
Header – Contains the ACE master name, the date the ACE master was last modified, the directory containing the .vmxa file, and the name of the ACE 2 Management Server (if any) used with this ACE master.
New Pocket ACE Package – Starts the Pocket ACE Package Wizard. See Chapter 10, “Pocket ACE,” on page 207.
ACE Server – Opens the ACE Server dialog box, which allows you to choose, for a managed ACE master, a different ACE 2 Management Server than the one with which it is currently associated. See “ACE Server Settings” on page 103.
Clone – Starts the Clone ACE Master Wizard. See “Cloning an ACE Master from an Existing ACE Master” on page 99.
Create Pocket ACE package – Opens the Pocket ACE Package Wizard. See “Creating an ACE Package for Portable Devices” on page 208 for information about using the wizard.
Preview in Player – Allows you to run an ACE instance as it will run on the user’s machine as well as view the effects of changed policies as they will appear on the user’s machine.
Operating System Installation Guide, available from the VMware Web site or from the Help menu.
3 Set policies for the ACE master. Use policies to control what your users can do with their ACE instances—for example, what network access they have from the ACE instances and what devices on their host computers they may use in the instances. See Chapter 6, “Setting and Using Policies and Customizing VMware Player,” on page 107.
Troubleshooting Users’ Problems

Your users might need help with lost passwords, expired ACE instances, or copy‐protected ACE instances that they have moved to a different location. For managed ACE instances, you can fix those problems by using the Instance View in Workstation ACE Edition or by using the Help Desk Web application.
3 Installing, Configuring, and Upgrading Workstation ACE Edition

For information about installing, uninstalling, and configuring Workstation ACE Edition on your workstation as well as related installation, licensing, and upgrade topics, see:
“ACE Option Pack and ACE Client Licenses” on page 45
“Setting Preferences for Workstation ACE Edition” on page 48
“Installing ACE Instances on User Machines” on page 48
“Upgrading from VMware ACE 1.
a serial number‐based license key that must be entered upon powering on an ACE (if no license key is detected) or by choosing VMware Player > Enter ACE Client License. The ACE client license is tied to the device itself whether that device is a PC, laptop, or a portable media device such as a USB flash drive (storing a Pocket ACE).

ACE Volume Licensing Key

ACE 2 introduces a volume license key as well.
To enter an ACE Volume Licensing Key
1 Obtain the serial number for your ACE volume license key.
2 Start up the Workstation application.
3 Choose Help > Enter Serial Number.
4 Type the serial number in the appropriate field and enter your name and the organization name in the dialog box.
5 Click OK.
6 Shut down the Workstation application and then restart it.
ACE 2 Management Server Licenses

The optional ACE 2 Management Server requires its own license. See information about how to enter that license in Step 3 on page 78 under “Configuring the ACE 2 Management Server.”

NOTE If you do not configure the server and enter the license in the server setup Web application, you can’t connect to the server in Workstation ACE Edition.
instances from different vendors and that are governed by different policies, all on one system.

Uninstalling Individual ACE Instances and Workstation ACE Edition

ACE 2 allows you or ACE users to uninstall individual ACE instances and Workstation ACE Edition independently of each other. This flexibility enables ACE users to uninstall individual ACE instances or Workstation ACE Edition while leaving other ACE instances installed.
Connection to a VMware ACE 2 Management Server, if you choose this option during the part of the upgrade that occurs on the administrator machine
Authentication password and revert to original installed ACE environment (RTI) snapshot – If these options were included in the VMware ACE 1.x machine, they will be carried over during the upgrade.
7 Complete the rest of the pages of the wizard (see “Cloning an ACE Master from an Existing Virtual Machine” on page 100 for detailed instructions on using the wizard). On the ACE Server page, choose whether or not to manage this ACE master with an ACE 2 Management Server.
6 Click the shortcut for the installed ACE package on the desktop to run the ACE virtual machine. Policies and the virtual hardware version are upgraded at the first run. If the ACE 1.x virtual machine had a password, you are prompted to enter that password before the ACE instance is activated.

NOTE A reimage snapshot is not taken following the completion of the upgrade procedure. Manually take a snapshot after you have performed the upgrade.
4 Installing and Configuring the ACE 2 Management Server

The ACE 2 Management Server allows you to manage ACE instances in real time. By including the ACE 2 Management Server in your system setup, you can:
Manage activation of ACE packages (determine who can deploy a package).
Manage authentication of those activated packages (determine who can run managed ACE instances).
Dynamically deliver policy updates to managed ACE instances.
“Using Event Logs” on page 85
“Stopping and Starting the Apache Service Manually” on page 85
“Logging On to the ACE 2 Management Server” on page 86
“Using the ACE 2 Management Server” on page 87
“Unblocking Port Traffic and Changing Port Assignments” on page 87

ACE 2 Management Server Setup Options

NOTE Make sure the clock on the host system that has ACE 2 Management Server installed or running the ACE 2 Management server appliance is synchronized with
You must have access to a Web browser (Mozilla 1.52 or higher or Internet Explorer 6.0 or higher) to change network settings or obtain updates for the appliance.

NOTE You must have TLS configured on your Web browser to operate the ACE 2 Management Server. If you are using Internet Explorer, choose Tools > Internet Options > Advanced and scroll down to Security. Make sure the Use TLS 1.0 check box is selected. Then click OK.
Local Area Networking

Any Ethernet controller supported by the operating system

Operating Systems

The following sections describe the supported operating systems for the ACE 2 Management Server.
The Mozilla Firefox 1.52 or higher Web browser
Internet Explorer 6.0 or higher Web browser

NOTE Make sure that TLS is enabled on your browser.

Features of the ACE 2 Management Server

The ACE 2 Management Server has the following features:

Scalability and reliability
You can increase capacity by adding network resources such as load balancers and extra server hardware.
Database Options
Flexible database options allow use of an embedded database or external RDBMS’s to store ACE instance data and policies. (See “Database Options” on page 59 for details.)

Simple Installation and Configuration
The server uses off‐the‐shelf software components: Apache Web server 2.
Components of the ACE 2 Management Server

The components of the server are:
The ACE 2 Management Server platform, based on the Apache 2.0 web server
Backing store technology – Database layer for the server component (See “Database Options,” the next topic, for details.)
Active Directory integration Permits joining an operating system that is running an ACE instance to the domain remotely.
Some common benefits of using an external database with the ACE 2 Management Server are:
Online backup: You don’t have to shut down the ACE 2 Management Server to back up the database.
Enhanced security model: You can fine‐tune permissions to access sensitive data. The SQLite database engine provides file‐system based security.
Performance fine‐tuning.
Ability to use external database management and reporting tools.
an alternative location from which you will do the backup, and then (3) restart the server.

Other alternatives for backing up an open database, as recommended by members of an SQLite community, as discussed in this forum thread, are noted below:
http://marc.10east.com/?l=sqlite‐users&m=111487876701133&w=2
Log in to the SQLite database using the sqlite3 command‐line tool.
Use the .
to everyone and the private key is known only to the message recipient. URLs that require an SSL connection start with https.

The following is a description of how the ACE 2 Management Server uses SSL. At ACE 2 Management Server installation, two files are created:
An RSA 1024‐bit key (file name: server.key) – This is the private key.
A self‐signed certificate (file name: server.
NOTE If you change the custom SSL certificate for your ACE 2 Management Server, you need to update the Resource directory for all of your existing ACE instances. You can do this by creating and distributing a custom package that contains only Resources. See Chapter 8, “Creating Packages and Deploying Them to Users,” on page 187 for more information.
To set up your own self-signed certificates, third-party signed certificates or certificates from an internal certificate authority
1 Ensure that you have configured the ACE 2 Management Server through the server configuration Web application.
2 Create or provide the needed files:
a For your own self‐signed certificate, use openssl to create a new self‐signed certificate.
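
Added example, not part of the VMware manual: bash functions that create a key and self-signed certificate with openssl and check the pair before it is installed (the key matches the certificate, the key meets a minimum size, the certificate has not expired). The file names server.key and server.crt follow the manual; the function names, the host name passed as CN, the 2048-bit default and the 365-day lifetime are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not taken from the VMware manual.
# server.key / server.crt are the file names the manual uses; everything else
# (function names, CN value, 2048-bit default, 365 days) is an assumption.

# make_self_signed DIR CN [BITS] [DAYS]
# Writes DIR/server.key and DIR/server.crt. The umask keeps the private key
# unreadable to other local users from the moment it is created.
make_self_signed() {
    local dir cn bits days
    dir="$1"; cn="$2"; bits="${3:-2048}"; days="${4:-365}"
    mkdir -p "$dir" || return 1
    (
        umask 077
        openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 \
            -days "$days" -subj "/CN=$cn" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
}

# key_matches_cert KEY CRT
# Succeeds only when the public key derived from KEY is the one in CRT.
# Both sides must parse; an unreadable file counts as a mismatch.
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_key_bits CRT
# Prints the public key size in bits as reported by openssl.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# preflight KEY CRT [MIN_BITS]
# Returns 0 only if the pair is consistent, large enough and not expired.
# Run it before copying the files into the server's ssl directory.
preflight() {
    local key crt min bits
    key="$1"; crt="$2"; min="${3:-2048}"
    key_matches_cert "$key" "$crt" ||
        { echo "preflight: key does not match certificate" >&2; return 1; }
    bits=$(cert_key_bits "$crt")
    [ "${bits:-0}" -ge "$min" ] ||
        { echo "preflight: key is ${bits:-unknown} bits, need $min" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "preflight: certificate is expired or unreadable" >&2; return 1; }
}

# Typical use (host name is a placeholder):
#   make_self_signed ./newcert ace-server.example.test
#   preflight ./newcert/server.key ./newcert/server.crt
```

preflight only compares the public key, key size and validity period, so it applies equally to a certificate returned by a third-party or internal certificate authority.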
Configuring Multiple ACE 2 Management Servers to Use SSL

The following describes various scenarios in which you might configure multiple ACE 2 Management Servers to use SSL.

Multiple servers behind one or more proxy servers
Each server can have its own SSL key/certificate (ACE 2 Management Server and proxy server).
Installing the ACE 2 Management Server

Follow the instructions provided below for installing the server on your Windows or Linux system or for installing the ACE 2 Management Server Appliance.

NOTE Before you can create a managed ACE master, you must have an ACE 2 Management Server set up and configured. The New ACE Master Wizard requires connection to an ACE 2 Management Server before creation of an ACE master can be successfully completed.
NOTE If you have another Web server installed that uses any of these default ports, you might need to resolve the conflict. See “Unblocking Port Traffic and Changing Port Assignments” on page 87.
Before you install the ACE 2 Management Server on a Linux system:
You must have a working installation of Apache 2.0 on the system. (The rpm for a Web server comes with your RHEL4 or SLES9 installation.) Verify that the Apache Web service is operating normally and is receiving requests for SSL http.
You must have the mod_ldap and mod_ssl modules available on your system.
Installing the ACE 2 Management Server Appliance

To install the ACE 2 Management Server Appliance
1 Download the zipped file for the appliance from the ACE 2 release download page: VMware-ACE-Management-Server-Appliance-2.0.0-.zip where is the ACE build number.
2 Extract the zipped files to the directory where you want to have the server located.
settings by using the Appliance Management and Configuration application, as follows:
a Leave the ACE 2 Management Server Appliance running.
b Browse to: https://:8080/
7
c In the connection dialog box, type “root” in the user name field and your network/root password in the password field.
d Click the Network link on the first page of the Appliance Configuration and Management Web application to open the Network Configuration page.
Browse to the ACE 2 Management Server Setup Web application: https://:8000/
9 Click Configuration to open the Web application.

Continue with the next topic, “Configuring the ACE 2 Management Server.”

Configuring the ACE 2 Management Server

After you have installed the ACE 2 Management Server, you must use the ACE 2 Management Server Setup Web application to configure the server.
able to complete the configuration. As a result, the ACE 2 Management Server functionalities will not be available. These functionalities include but are not limited to connecting to the server from Workstation ACE Edition, assigning masters to be managed by the server, and using the Help Desk Web application. See Step 3 on page 78 for information about how to enter the serial number for your ACE 2 Management Server in the server setup Web application.
The external database does not have to be installed on the same server as the ACE 2 Management Server.

NOTE The ACE 2 Management Server will create the database schema automatically, provided proper access rights are granted.

2 Configure a database. Make sure you have a dedicated database (see the Note below) and a user account that has full access to this database, including rights to create tables.
be ignored. You will provide a user name and password when configuring your ACE 2 Management Server using the Web Setup application.

NOTE Ensure that you create a System DSN and not a User DSN. If you were to create a User DSN, it would be visible only to your user account. The ACE 2 Management Server runs under the local system account, so a User DSN would not be visible to and therefore not usable by the server.
Because libodbc is a shared library that implements industry‐standard ODBC APIs, the ACE 2 Management Server application is not sensitive to the particular version of the unixODBC package installed on your Linux system, but we recommend that you update the package to the latest version released for your specific Linux distribution.
the same time, so that the ACE 2 Management Server would require at least as many database connections available for its use. If the server runs out of database connections, the clients might start receiving connection errors. To ensure smooth operation of the server with an external database option, ensure that the server has a sufficient amount of database connections available for it.
Enable Database Connection Pooling If Not Already Enabled

A useful performance optimization tip for servers on Linux platforms is to enable database connection pooling in the ODBC Driver Manager (it is disabled by default).

To enable database connection pooling on Linux platforms
1 Start the ODBCConfig utility as a root user.
2 Click the Advanced tab.
3 Select the checkbox for Connection Pooling.
These steps ensure that “postgres_dsn” will appear in the dropdown box on the Database tab in the server setup application.

Using the ACE 2 Management Server Setup Application

Ensure that you have completed any necessary pre‐configuration tasks. See “Tasks to Complete Before You Configure the Server” on page 71.
4
c Enter the serial number (if you are not changing the serial number at this reconfiguration, enter the existing number).
d Click Apply and then click Restart or Later. If you click Later, you will need to restart the server manually. See “Stopping and Starting the Apache Service Manually” on page 85.
Specify credentials that the ACE 2 Management Server will use to connect to and query the domain controller:
Host Name – Enter the host name of the LDAP server, using the name you created during the procedure in “Using Active Directory Integration (Using LDAP)” on page 72.
Query User UPN – Enter the UPN (User Principal Name) for the LDAP server. Together with the Query User Password, this parameter will be used by the Management Server to connect to the LDAP server.
option is not enabled, then anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.
6 Still on the Access Control page: If you select Local Account (you do not plan to use an Active Directory service), specify the password for ACE 2 Management Server administrators. Administrators must enter this password before they can modify the server’s configuration.
4 Continue with the server configuration in one of the following ways:

If this is the initial configuration of the server, click Next.
If you are reconfiguring the server, click Apply and then click Restart or Later. If you click Later, you will need to restart the server manually. See “Stopping and Starting the Apache Service Manually” on page 85.
The backup files are in the ACE 2 Management Server directory, with the filename appended with the date and time; for example, server.crt.20070216-095344. Save the file in the correct location as ssl/.crt. Then restart the Apache server manually to complete the restoration process and to bring up the VMware ACE 2 Management Server Setup Web application again and continue the configuration.

e Click Close to close the summary page.
traffic—policy update requests from active instances. Failed instance verifications are only logged at the debug level.

Authentication – Logs events for every authentication request. Administration or helpdesk authentication attempts (at the normal level), instance authentication (at the informational level), and remote LDAP password change.
NOTE At this point, the new configuration has been written. The system must be restarted for the ACE 2 Management Server to use the configuration.

7 On the Login page, type your admin password. Then click Login.
8 The Welcome page reappears, this time displaying a success message. Close the window.

Using Event Logs

At this release, the server collects log entries for events that change the database.
To restart the Apache service manually on an ACE 2 Management Server appliance

On the ACE 2 Management Server appliance:

1 Log in to your host console.
2 As root, type the following command:

    /etc/init.d/apache2 stop
    /etc/init.d/apache2 start

Logging On to the ACE 2 Management Server

Communications between Workstation ACE Edition and the ACE 2 Management Server take place over a secure SSL connection.
Table 4-2. Logon Options for ACE 2 Management Servers with Active Directory Service (Continued)

Logon: NETBIOS DOMAIN NAME\username + password
Notes: The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS). Leave the domain field blank.

Logon: username + password + NETBIOS DOMAIN NAME
Notes: The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS).
If You Need to Change the Port Assignment for the Server

The ACE 2 Management Server is a module running on the Apache 2.0 platform. If you need to change the port that the server listens on, you must manually edit the Apache configuration file.

To change the port that the ACE 2 Management Server listens on

1 Using a text editor, open the ACE 2 Management Server component http configuration file, which is located at
On a Windows host server: C:\Program Files\VMware\VMware
When you create an ACE master, you can specify which port is to be used to talk to the ACE 2 Management Server.
5 Creating and Configuring ACE Masters

This chapter discusses how to create and configure ACE masters.
an ACE master from an existing virtual machine option. Then follow the instructions in the Clone to ACE Master Wizard.

Clone an ACE Master. Select an ACE master in the Favorites list or choose File > Open and select the ACE master, then choose ACE > Clone.

You can clone virtual machines created with certain other VMware products and convert the clones into ACE masters.
NOTE Choose the Create a new ACE master optimized for Pocket ACE option if you intend to use this ACE master as a Pocket ACE and store it on a portable device. This option chooses appropriate values for the virtual machine configuration, policies, and package settings so that the ACE master you create can be easily used as a Pocket ACE. This option allows you to specify the guest operating system, name and location, and specify the disk size.
Allocation of space for the disk
Splitting the disk into 2GB files
Specifying an ACE 2 Management Server if you want to manage the ACE master’s instances with a server

Select Custom if you want to:

Make a different version of virtual machine than what is specified in the preferences editor (from the Workstation menu bar, choose Edit > Preferences, and see the setting for Default hardware compatibility).
If the operating system you plan to use is not listed, select Other for both guest operating system and version. Click Next. The remaining steps assume you plan to install a Windows XP Professional guest operating system. You can find detailed installation notes for this and other guest operating systems in the VMware Guest Operating System Installation Guide, available on the VMware Web site or from the Help menu.
master (or it can get one automatically from a DHCP server), select Use bridged networking. This setting is most likely to be appropriate if the package is to be installed on a computer connected to an office network. If the package is to be installed where no separate IP address is available for the ACE instance but the ACE instance must be able to connect to the Internet, select Use network address translation (NAT).
11 Select the disk you want to use with the ACE master.

Create a new virtual disk. Virtual disks are appropriate for any ACE masters distributed in a package. By default, virtual disks start as small files on the host computer’s hard drive, then expand as needed—up to the size you specify in a later step. That step also allows you to allocate all the disk space when the virtual disk is created, if you wish. Click Next to continue.
If you wish, select Allocate all disk space now. Allocating all the space at the time you create the virtual disk gives somewhat better performance, but it requires as much disk space as the size you specify for the virtual disk. If you do not select this option, the virtual disk’s files start small and grow as needed, but they can never grow larger than the size you set here.
18 If you selected a server that is integrated with an Active Directory service, the Active Directory page appears. Select whether to use Active Directory with this ACE master. Then click Next.

CAUTION When you choose an ACE 2 Management Server with Active Directory integration during ACE master creation, ensure that your Workstation ACE Edition administrator machine is in the same domain as that server.
5 On the ACE Management Server page, choose whether you want to use the ACE 2 Management Server to manage the instances created from this ACE master. Select Use server to have an ACE 2 Management Server manage the instances created from this ACE master. Then enter the server name and port or choose the server from the dropdown list of previously chosen servers. The port assigned to that server appears in the Port box. Click Next.
Click Next.

3 On the Clone Type page, select Create a linked clone or Create a full clone. Click Next.

NOTE Deployed instances of this master will always include a complete copy of the virtual machine.

4 Select a name and folder for the ACE master on the Name of the New ACE Master page. Each ACE master should have its own folder. All associated files, such as the configuration file and the disk file, are placed in this folder.
Cloning a Virtual Machine from an ACE Instance

You might need to convert an ACE instance into a standard virtual machine for troubleshooting or repair purposes. All the ACE policies that were on the ACE instance will be removed on the cloned virtual machine. You must have Administrator Mode configured to clone a virtual machine from an ACE instance. If your package is tamper resistant or encrypted you must also have a recovery key.
The virtual machine clone has been created from the ACE instance.

Networking ACE Instances

In the ACE instances you create for your users, you are most likely to use NAT or bridged networking with an IP address provided by a DHCP server. For details on networking, see the Workstation User’s Manual.

ACE Master Settings

See “ACE Menu” on page 39 for a complete list of ACE master settings and descriptions of how to apply the settings.
Reassigning an ACE Master to a Server When the Master’s Record Cannot Be Retrieved

When you open a managed ACE master, VMware Workstation ACE Edition will contact the management server that the ACE master is using to retrieve this ACE master’s record. If Workstation ACE Edition cannot contact the management server, the ACE master record cannot be retrieved and the ACE master cannot be opened.
Why Would You Need to Reassign an ACE Master to a Different Server Address?

Every time you open a managed ACE master, Workstation ACE Edition looks up the ACE master’s record on the ACE 2 Management Server and downloads the master’s policies and other information from the server. If Workstation ACE Edition fails to contact the server or cannot find a record for the ACE master, it cannot open the master and the master becomes unusable.
Allowed users (if using Active Directory based access control)
Domain join password (if instance customization and domain join are enabled)
Remote domain join password (if instance customization and remote domain join are enabled)

What Does Reassigning an ACE Master to a New Server Address Do?

Note that reassigning the ACE master to a new server address only copies the record for the ACE master. The records for the ACE instances are not copied.
6 Setting and Using Policies and Customizing VMware Player

The following sections guide you through the steps for setting policies for an ACE master and ACE instances and customizing the VMware Player interface:

“Taking Advantage of Policies” on page 107
“Using the Policy Editor” on page 108
“Setting Policies” on page 108
“Writing Plug‐In Policy Scripts” on page 158
“Customizing the VMware Player Interface” on page 163

Taking Advantage of Policies

Policies give you control over many a
For ACE masters managed by the ACE 2 Management Server, you can dynamically change some policies and deploy those changes to the ACE instances on the users’ machines.

Using the Policy Editor

You set policies using the policy editor. You can start the policy editor in any of the following ways:

Click the ACE master in the Sidebar, then choose ACE > Policies.
Click the ACE master in the Sidebar, then click Edit Policies in the summary view.
For information about encrypting ACE packages and instances, see “Encryption” on page 181.

Setting Access Control Policies – Activation and Authentication

Set activation and authentication policies to control access to installed ACE packages and the instances created from those packages.
Activation and Authentication for Managed Instances with Active Directory Service

If you are using a managed ACE master with a server that is integrated with Active Directory, use the following information to set activation and authentication policies:

The user must enter Active Directory user credentials each time the ACE instance is run.
Only the user who activates the instance can authenticate (run) the instance.
Active Directory Password Change Proxying

You can provide additional security for your ACE instances by integrating with Active Directory. You can specify password expiration and change requirements, set up the domain to expire passwords, and require password changes periodically. These settings are in addition to ACE access control policy settings.
5 If you are enabling the power‐on script after you have already deployed packages with this ACE master, provide the script to the user using a policy/server update package or a custom package with ACE Resources.

NOTE The script is signed before deployment to prevent tampering. See page 125 for more information about resource signing.
    # Compare user names as exact strings. A regular-expression match would
    # also accept a name that is only a substring of a white-list entry.
    my @grepNames = grep { $_ eq $username } @white_list;
    if (@grepNames) {
        print "TRUE";
        exit(0);
    }
    print "FALSE";
    exit(0);

NOTE Scripts can be in any language. A script provides Workstation ACE Edition with a command line executable or a script file (for example, .bat on Windows operating systems, perl or sh on Linux operating systems) in the ACE Resource directory.
Activation key – The user must enter a key that is in the key list you have created for this ACE instance. Click Set key list to open the Activation keys dialog box.

NOTE Activation keys are essentially serial numbers that can be tracked as used or unused by the server. The admin can enter the keys they want to use in the dialog or import them into the dialog from a text file.
character types for the password, click Set password policies to open the Password Policies dialog box. Choose one, two, or all three of:

Enforce minimum length. Type the number or choose it from the drop‐down list.
Restrict password content. Select one to four options for character type.
Enforce password lockout.
If the deployment platform setting in package settings is set to Both Windows and Linux, then the Set Custom Script dialog contains text fields for both Windows and Linux.

3 Browse to the script file and click Open.
4 Type the command for running the script. Include the script file in the command line, as well as any needed executable for running the script and any arguments to the script.
6 Click OK.
7 If you are enabling an authentication script after you have already deployed packages with this ACE master, provide the script to the user using a policy/server update package or a custom package with ACE Resources.

NOTE The script is signed before deployment to prevent tampering. See page 125 for more information about resource signing.
Authentication

The authentication step is performed whenever the user runs the instance, unless Authentication is set to None. Under Authentication, select one authentication type:

None – No password is required; any user can run this instance after it has been activated.
User‐specified password – Select this option to specify that the instance does not run until the user enters the correct password.
d Enter a name and location for the key pair.
e Enter and confirm the password to protect the private key.
f Click OK to generate the keys. It takes several seconds to generate the keys. When the keys are generated and saved, the Create New Recovery Key dialog box disappears and the newly generated public key is listed in the field on the Recovery Key tab.
If the deployment platform setting in package settings is set to Both Windows and Linux, then the Set Custom Script dialog contains text fields for both Windows and Linux.

3 Browse to the script file and click Open.
4 Type the command for running the script. Include the script file in the command line, as well as any needed executable for running the script and any arguments to the script.
7 If you are enabling this script for an ACE master that you have already deployed, include the script in the update package you distribute to your users, so that existing instances can be updated to use the new authentication script.

NOTE The script is signed before deployment to prevent tampering. See page 125 for more information about resource signing.
Setting Expiration Policies

Select Expiration from the Policy Editor window to set an expiration date for the ACE instance. When an instance expires, the files remain on the user’s computer, but the instance cannot be used. You can select one of the following options for expiration:

Never – The instance does not expire.
The expiration message appears when the instance has expired. You can customize the text of this message as well, adding your text after the gray text, which cannot be edited. When the expiration message appears, the instance cannot be powered on. With a standalone ACE instance, the fixed expiration date or the fixed date range is established at activation time. Each time the user powers on the instance, the date/date range is checked.
Copy Protection Policies for Standalone ACE Instances

To apply copy protection to a standalone ACE instance, click Copy Protection in the left pane of the policy editor.

Select Allow moving and copying of the instance files to enable users to run their instances after moving or copying the instances.
Select Do not allow moving or copying of the instance files to restrict users from moving or copying instance files.
If the user moves or copies the instance and tries to run the instance from that new location but either moves or moves and copies are not allowed without approval, VMware Player displays an error message that tells the user that this action is not allowed.
want to set the resource signing option to verify scripts only or no verification because signature checking could take a long time.

Setting Network Access Policies

Network access policies give you fine‐grained and flexible control over the network access you provide to users of your ACE instances. Using a packet filtering firewall, the network access feature of ACE 2 lets you specify exactly which machines or subnets an ACE instance or its host system may access.
Before You Begin: Read These Notes About Host Policies

Keep these facts in mind as you set host policies:

CAUTION A host machine for ACE instances can have only one host policy file. If you try to install an ACE package with a host policy file on a machine that already has a host policy file and the new package is from an ACE master that is different from the one already installed, the package install fails.
If you are setting up a managed ACE master, then you must allow the host to access the ACE 2 Management Server, communicating through TCP over the appropriate port that you configure.

Host policies do not apply to Pocket ACE instances. If you specify a restricted host policy for an ACE master and then attempt to create a Pocket ACE package with that master, the package will be created but the host policy will not be included in the package.
Using the Network Access Wizard to Configure Network Access

1 Click Quick Setup Wizard to start the Network Access Wizard. Click Next on the welcome page.
2 On the Network Configuration Type page, select one of the following options and then click Next:

Desktop Configuration – Select this option to set network access for ACE instances on host machines that connect indirectly to the corporate network.
b The summary of the settings appears in the table on the Finish page. Click Back if you want to make any changes to the access you just configured. When you are satisfied with the configuration, click Finish.

4 If you selected Laptop Configuration:

a On the Define Internal Zone page, specify the conditions that identify your internal (corporate) network. You specify this internal zone by IP address and range and/or by domain/subdomain.
machine to access in addition to the default DNS, DHCP, and ICMP protocols and ports and then click Next.

c On the Everywhere Else – ACE Instance Access page, type host names or IP addresses for locations that this ACE instance can access—in addition to the default DNS, DHCP, and ICMP protocols and ports—when the instance is outside the internal network. Then click Next.
access settings you have chosen appears in the table on the Network Access policy page. You have finished setting up network access for the ACE instance and its host. The current settings for all zones, with the labels you have applied, appear on the Network Access policy page. If you want to, click on the links and buttons in the policy page to open the zone, ruleset, and rule editors and then to reconfigure and fine‐tune the access settings.
the host computer to see if there is a match for all the criteria for any adapter in any of the zone definitions. The zones are checked in the order they appear in the network access table, from the top down. When the host connects to a network, checking begins to see whether the network matches the conditions for a zone.
Another point to consider is that the addresses or names of certain servers can change over time. Such changes can also introduce detection issues. Using a smaller set of information—for example, using only the network address and the subnet mask—in a zone description lessens the chance that the detection mechanism fails to restrict a host or guest that should be restricted, but it also increases the chance that a false positive or misidentification can occur.
DHCP servers – Specifies one or more IP addresses or host names for DHCP servers on the network. A network adapter matches this condition if it is using at least one of these servers.
Gateway servers – Specifies one or more IP addresses or host names for default gateways on the network. A network adapter matches this condition if it is using at least one of these gateways.
NOTE Because there are multiple methods for assigning DNS domain names to a Linux host, using just the DNS domain name to define a zone can be error‐prone. We recommend that you use criteria in addition to the DNS domain name to define a zone for Linux hosts.

6 When you have finished making your zone condition selections, click OK.
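The zone conditions and the trade-off between a small and a large set of criteria can be seen in a short model. This is an added example, not VMware's detection code: it assumes the first zone matched by any adapter wins, and every address, domain and zone definition in it is constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Adapter:
    """Constructed snapshot of one host network adapter."""
    address: str                         # interface address with prefix length
    dhcp_servers: frozenset = frozenset()
    gateways: frozenset = frozenset()
    dns_domain: str = ""


@dataclass
class Zone:
    """A zone definition; an empty condition is not checked."""
    name: str
    subnet: str = ""
    dhcp_servers: frozenset = frozenset()
    gateways: frozenset = frozenset()
    dns_domain: str = ""


def adapter_matches(zone, adapter):
    """True only if the adapter satisfies every condition the zone defines."""
    if zone.subnet:
        iface = ipaddress.ip_interface(adapter.address)
        if iface.network != ipaddress.ip_network(zone.subnet):
            return False
    # "At least one of these servers": a non-empty intersection is enough.
    if zone.dhcp_servers and not (zone.dhcp_servers & adapter.dhcp_servers):
        return False
    if zone.gateways and not (zone.gateways & adapter.gateways):
        return False
    if zone.dns_domain and adapter.dns_domain.lower() != zone.dns_domain.lower():
        return False
    return True


def detect_zone(zones, adapters, fallback="Everywhere Else"):
    """Check zones top down (assumption: the first match decides)."""
    for zone in zones:
        if any(adapter_matches(zone, a) for a in adapters):
            return zone.name
    return fallback


# Constructed zone definitions: subnet only versus subnet + DHCP + DNS domain.
LOOSE = Zone("Internal", subnet="192.168.1.0/24")
STRICT = Zone("Internal", subnet="192.168.1.0/24",
              dhcp_servers=frozenset({"192.168.1.2"}),
              dns_domain="corp.example")

# Constructed adapters: office, a home network that reuses the same private
# range, and the office after its DHCP server moved to a new address.
OFFICE = Adapter("192.168.1.50/24", frozenset({"192.168.1.2"}),
                 frozenset({"192.168.1.254"}), "corp.example")
HOME = Adapter("192.168.1.23/24", frozenset({"192.168.1.1"}),
               frozenset({"192.168.1.1"}), "home.example")
OFFICE_NEW_DHCP = Adapter("192.168.1.50/24", frozenset({"192.168.1.3"}),
                          frozenset({"192.168.1.254"}), "corp.example")


def compare():
    """Return {location: (zone under LOOSE, zone under STRICT)}."""
    samples = {"office": OFFICE, "home": HOME, "office_new_dhcp": OFFICE_NEW_DHCP}
    return {label: (detect_zone([LOOSE], [a]), detect_zone([STRICT], [a]))
            for label, a in samples.items()}


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:16} loose={result[0]:16} strict={result[1]}")
```

The subnet-only zone misidentifies the home network as internal, while the stricter zone stops recognizing the office once the DHCP server address changes.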
Before You Begin Configuring Rulesets and Rules: Details on Filtering Action

Network access policies are applied by filtering on the IP address, the protocol number from the IP header, the direction of traffic, and TCP and UDP port values. The filtering does not involve deep packet inspection. For DNS and DHCP access, the TCP and UDP ports on which those services traditionally reside are opened.
2 If you want to change the name of the ruleset, enter the new name in the Ruleset Name box.
3 By default, DNS, DHCP, and ICMP are included in the network access setup. Generally, we recommend that you keep DHCP and DNS selected, as they are important for zone detection, for both host and instance access. Deselect them if you do not want them included in the access setting.
The rule editor appears.

5 To change the action for this rule, select the new action, Allow or Block, as appropriate.
6 To change the direction of traffic for the rule, select the option you want from the drop‐down list under Direction.
7 To add a host name or IP address for the rule, click the link in the table under Addresses and type the new name or address. The wildcard setting for all IP addresses is 0.0.0.0/0.
Select Custom if you want to allow or block communication for a specific protocol. The protocols are defined by their protocol numbers, which range from 0 through 255. The number is in the packet. If that number matches the number supplied in the Custom field, the packet is allowed or blocked as specified by the rule. Type the protocol’s number in the Protocol number box. You can find the protocol number with the protocol’s RFC at http://www.ietf.org/rfc.
Packet-to-Rule Comparison

The rules in the ruleset editor are listed in the order in which they are to be evaluated. When a network traffic packet arrives or is to be sent from the host or guest, it is compared with each rule in the ruleset, in order from the top down.
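The following added example (not VMware's code) models top-down rule comparison on the fields the manual names: direction, IP address, protocol number and port. It assumes the first matching rule decides and that unmatched traffic gets a default action, neither of which this excerpt states; the direction labels, the sample rulesets and the `shadowed_rules` audit helper are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY_PROTOCOL = -1   # placeholder used in this example for "any protocol"


@dataclass(frozen=True)
class Rule:
    action: str                      # "Allow" or "Block"
    direction: str                   # "in", "out" or "both" (assumed labels)
    network: str                     # CIDR; 0.0.0.0/0 is the wildcard for all IPs
    protocol: int                    # IP protocol number 0-255, or ANY_PROTOCOL
    ports: range = range(0, 65536)   # TCP/UDP port range; ignored if no ports

    def matches(self, direction, remote_ip, protocol, port):
        return (self.direction in ("both", direction)
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.network)
                and self.protocol in (ANY_PROTOCOL, protocol)
                and port in self.ports)


def evaluate(ruleset, direction, remote_ip, protocol, port, default="Block"):
    """Compare the packet with each rule top down; the first match decides."""
    for index, rule in enumerate(ruleset):
        if rule.matches(direction, remote_ip, protocol, port):
            return rule.action, index
    return default, None


def covers(earlier, later):
    """True if every packet that `later` matches is also matched by `earlier`."""
    return (earlier.direction in ("both", later.direction)
            and ipaddress.ip_network(later.network).subnet_of(
                ipaddress.ip_network(earlier.network))
            and earlier.protocol in (ANY_PROTOCOL, later.protocol)
            and later.ports.start >= earlier.ports.start
            and later.ports.stop <= earlier.ports.stop)


def shadowed_rules(ruleset):
    """Return (index, shadowing_index) for rules that can never be reached."""
    found = []
    for j, later in enumerate(ruleset):
        for i in range(j):
            if covers(ruleset[i], later):
                found.append((j, i))
                break
    return found


TCP, UDP = 6, 17
HTTPS = range(443, 444)

# Constructed ruleset: the broad Allow sits above the specific Block,
# so the Block is never evaluated.
MISORDERED = [
    Rule("Allow", "out", "0.0.0.0/0", TCP, HTTPS),
    Rule("Block", "out", "203.0.113.0/24", TCP, HTTPS),
    Rule("Allow", "out", "10.0.0.0/8", ANY_PROTOCOL),
]
# Same rules with the specific Block moved to the top.
REORDERED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("reordered", REORDERED)):
        verdict = evaluate(rules, "out", "203.0.113.7", TCP, 443)
        print(name, verdict, "shadowed:", shadowed_rules(rules))
```

Running the audit before deploying a ruleset catches a Block rule that a broader rule above it has made unreachable.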
Understanding the Interaction of Host Access and Guest Access Filters With Tunneling Protocols

Host access and guest access filters can differ in their interactions with tunneling protocols. A host network access filter sees traffic before packets have been encapsulated in the tunneling protocol (for example, VPN), but a guest network access filter sees traffic after the packets have been encapsulated in the tunneling protocol.
NOTE Rule application and precedence: Access control is applied at the most granular level, and the most restrictive rule is always applied. That is, if a rule exists for a specific device, then that rule overrides any rules set for device classes in which the device belongs. In the same way, specific device class settings override the default setting for all other device classes.
NOTE You can copy and share the database. Note, however, that it is not write‐protected. The default location for the file is C:\Documents and Settings\All Users\Application Data\VMware\VMware Workstation\usbhistory.ini.

You can add devices to the list in two ways: (1) Plug in the device and click Refresh to add it.
To make changes to the details of a device in the list:

To edit a device name, click Add in the USB Devices policy page. The USB Device List dialog box appears. Double‐click the device to select it. The name is highlighted in its own editable text box. Edit the name.
To alter the Vendor or Product IDs for a device already in the list, click Add in the USB Device List dialog box.
NOTE A specific USB device can have more than one interface (for example, a device might include both a fax function and a print function) and therefore can belong to more than one class. As noted earlier, the most restrictive rule is always applied. For the example just given, if one rule blocks a fax device but another rule allows a print device, then a combination fax/print device is blocked.
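The precedence described in the two notes above (a device-specific rule overrides class rules, class rules override the default, and a multi-interface device takes the most restrictive class result) can be modelled as follows. This is an added example, not VMware's implementation: the class codes are the standard USB interface class codes, while the vendor and product IDs, device names and the `loosening_overrides` audit helper are constructed.

```python
from dataclasses import dataclass

ALLOW, BLOCK = "Allow", "Block"

# Standard USB interface class codes used by the constructed devices below.
CLASS_COMMUNICATIONS = 0x02   # e.g. the fax/modem function
CLASS_PRINTER = 0x07
CLASS_MASS_STORAGE = 0x08


@dataclass(frozen=True)
class UsbDevice:
    name: str
    vendor_id: int
    product_id: int
    interface_classes: tuple   # one class code per interface


class UsbPolicy:
    def __init__(self, default=ALLOW):
        self.default = default
        self.class_rules = {}    # class code -> action
        self.device_rules = {}   # (vendor_id, product_id) -> action

    def class_decision(self, device):
        """Most restrictive result across all of the device's interfaces."""
        actions = [self.class_rules.get(code, self.default)
                   for code in device.interface_classes] or [self.default]
        return BLOCK if BLOCK in actions else ALLOW

    def decide(self, device):
        """A rule for the specific device overrides any class rule."""
        key = (device.vendor_id, device.product_id)
        if key in self.device_rules:
            return self.device_rules[key]
        return self.class_decision(device)

    def loosening_overrides(self, inventory):
        """Devices allowed by a device rule although their classes are blocked."""
        return [d.name for d in inventory
                if self.device_rules.get((d.vendor_id, d.product_id)) == ALLOW
                and self.class_decision(d) == BLOCK]


# Constructed inventory; the IDs are placeholders, not real products.
FAX_PRINTER = UsbDevice("fax/print combo", 0x1234, 0x0001,
                        (CLASS_COMMUNICATIONS, CLASS_PRINTER))
PRINTER = UsbDevice("printer", 0x1234, 0x0002, (CLASS_PRINTER,))
APPROVED_DRIVE = UsbDevice("approved flash drive", 0x1234, 0x0003,
                           (CLASS_MASS_STORAGE,))
OTHER_DRIVE = UsbDevice("other flash drive", 0x5678, 0x0009,
                        (CLASS_MASS_STORAGE,))
INVENTORY = [FAX_PRINTER, PRINTER, APPROVED_DRIVE, OTHER_DRIVE]


def build_sample_policy():
    policy = UsbPolicy(default=ALLOW)
    policy.class_rules = {CLASS_COMMUNICATIONS: BLOCK,
                          CLASS_PRINTER: ALLOW,
                          CLASS_MASS_STORAGE: BLOCK}
    # Device-specific exception for one approved drive.
    policy.device_rules[(0x1234, 0x0003)] = ALLOW
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    for device in INVENTORY:
        print(f"{device.name:22} {policy.decide(device)}")
    print("overrides that loosen a class block:",
          policy.loosening_overrides(INVENTORY))
```

Listing the device rules that loosen a class block gives a short set of exceptions to review whenever the device list changes.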
only add or remove this serial port by enabling or disabling the option in the Virtual Printer policy.

NOTE If the ACE master already has four serial ports, you won’t be able to add another serial port for the virtual printer. To enable the virtual printer, delete an existing serial port.

The user will be able to print to any of the host printers that are available in the printer selection list from the Print dialog box.
If you select Always run in appliance view, the ACE instance will open in Appliance mode and the user will not have the option of running the instance in Console mode.

NOTE You must enable the appliance view in virtual machine settings (VM > Settings > Options > Appliance) for this runtime option to work.
The enhanced keyboard filter provides an alternate method for the way a Windows host system ordinarily processes keyboard input. The filter provides a solution to these problems: Certain key combinations are reserved by Windows operating systems and are processed at a very low level.
Setting Snapshot Policies

You can set policy options for two types of snapshots:

Reimage snapshots – The program automatically takes a reimage snapshot of an ACE instance when the ACE is created. It takes the snapshot after all the required instance setup steps are complete (including, if applicable, encryption, instance customization, and domain join). The snapshot is taken while the ACE instance is powered off.
To select options for the user snapshot

Choose the options you want the user to have:

Take the user snapshot
Revert to the user snapshot

If you select either or both of those options, the Snapshot command appears in the VMware Player menu when the instance is powered on.
You might want to give the user the ability to replace the reimage snapshot. Because the reimage snapshot is taken when the ACE instance is created, any changes that have been made to the ACE instance after instance creation are lost if the user reverts to that reimage snapshot. If the ACE instance has been updated and this option is enabled, you can tell the user to replace the reimage snapshot so that it will include those changes.
Administrator Mode. Enter and confirm the password to be used for administrator access. Then choose the appropriate commands as follows:

To edit virtual machine settings from the user’s machine (on Windows systems only), select VMware Player > Troubleshoot > Virtual Machine Settings.
To use the user snapshot commands, select them from the Snapshot menu (VMware Player > Snapshot).
Setting Hot Fix Policies

You can use the hot fix policy to specify that users can request hot fixes for specific problems.

NOTE Hot fixes can be used only with standalone ACE instances. You can use the Help Desk Web application or the Instance View in Workstation ACE Edition to fix problems with managed instances.
To enable the hot fix feature, select Allow users to request a hot fix. The hot fix request is a file that the user must submit to an administrator for action. After enabling the hot fix feature, you must select the preferred way for the user to submit the hot fix request.
NOTE This policy applies only to managed ACE instances. Policy updates for standalone ACE instances are applied as policy update packages. Policy changes are applied when the instance is started up after the update package has been installed.
To set the policy update frequency

1 In Policy Update Frequency, select one of:

Every [x] [time_unit] – Set x to the number of minutes, hours, or days and set time_unit to minutes, hours, or days that the ACE instance can run before it must connect to the server and retrieve any updated policies.
Only when the ACE instance powers on – The instance connects to the server at power on and retrieves any updated policies.
Policy updates take effect while the instance is running, with these exceptions:
Authentication policies – User and group lists, passwords, and scripts can be updated. Changes take effect the next time the instance is powered on.
Policy update frequency policies – If Policy Update Frequency is set to Only when the ACE instance powers on, changes take effect the next time the instance is powered on.
All scripts run each time the end user launches VMware Player or resets the virtual machine. Some may run more often. For example, an expiration script is run once each 24 hours. The sample scripts presented in “Sample Scripts” on page 139 are installed with VMware Player. The default location is C:\Program Files\VMware\VMware Player\Samples.
Table 6-2. Writing Authentication Scripts (Continued)
Question: Where should the output of the script go?
Explanation: The script should send its output to StdOut.
Question: What should the exit code of the script be?
Explanation: If access is granted, the exit code should be 0. If access is denied, the exit code should be nonzero. Note: This is a reference to the exit code, not the output value.

Sample Scripts
The following sections contain sample policy scripts.
# Notes:
# If the script returns success, its output will be used to create a key.
# Therefore, it is important that the output of this script be unique for
# each user, and that there is enough data to make a meaningful key
# (at least 16 bytes).
# Input to script:
# None.
#
# Returns:
# 0 if successful.
#
# Expected output:
# Set of acceptable key/value pairs where the values are fetched from the environment variables.
# These values can be retrieved from within the Guest operating system using the VMware Tools.
#
my $machine_name = $ENV{TEST_MACHINENAME};
my $asset_tag = $ENV{TEST_ASSETTAG};
my $host_mac = $ENV{TEST_MACHINEMAC};
if (defined $machine_name) {
    print "machine.id = " . $machine_name . "\n";
}
if (defi
# (a fictitious environment variable used for this sample) and returns TRUE if the user
# is allowed to run, and FALSE otherwise.
#
# Input to script:
# None.
#
# Returns:
# TRUE if username is on white list.
# FALSE if username is not on white list or is undefined.
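The rules given above for authentication scripts (output on StdOut, exit code 0 to grant and nonzero to deny, at least 16 bytes of output that is unique for each user) can be checked before a script is deployed. The following Python harness is an added example, not one of the sample scripts installed with VMware Player. The variables EXAMPLE_USER and EXAMPLE_SECRET, the two embedded scripts, and the probe that expects a denial when no user context is set are assumptions made for illustration.

```python
import os
import subprocess
import sys

MIN_KEY_BYTES = 16  # minimum output size named in the sample-script notes

# Constructed stand-in for an authentication script. EXAMPLE_USER and
# EXAMPLE_SECRET are hypothetical variables, not names defined by VMware ACE.
GOOD_SCRIPT = """
import hashlib, os, sys
user = os.environ.get("EXAMPLE_USER", "")
secret = os.environ.get("EXAMPLE_SECRET", "")
if not user or not secret:
    sys.exit(1)                        # deny: nonzero exit code
material = hashlib.sha256((user + ":" + secret).encode()).hexdigest()
sys.stdout.write(material)             # 64 characters, different per user
sys.exit(0)                            # grant
"""

# Constructed weak script: grants access to anyone and prints the same
# two bytes for every user, so the derived key would be shared and tiny.
WEAK_SCRIPT = """
import sys
sys.stdout.write("ok")
sys.exit(0)
"""

# Constructed test identities.
SAMPLE_USERS = {
    "alice": {"EXAMPLE_USER": "alice", "EXAMPLE_SECRET": "constructed-secret-a"},
    "bob": {"EXAMPLE_USER": "bob", "EXAMPLE_SECRET": "constructed-secret-b"},
}


def run_script(source, env_overrides):
    """Run a script the way a policy would: capture StdOut and the exit code."""
    env = {k: v for k, v in os.environ.items() if not k.startswith("EXAMPLE_")}
    env.update(env_overrides)
    proc = subprocess.run(
        [sys.executable, "-c", source],
        env=env,
        capture_output=True,
        timeout=30,
    )
    return proc.returncode, proc.stdout


def check_contract(source, users):
    """Return a list of findings; an empty list means the script passed."""
    findings = []
    outputs = {}
    for name, env in users.items():
        code, out = run_script(source, env)
        if code != 0:
            findings.append(f"{name}: exit code {code}, valid user was denied")
            continue
        if len(out) < MIN_KEY_BYTES:
            findings.append(f"{name}: only {len(out)} bytes of key material")
        outputs[name] = out

    # The output seeds a key, so two users must never produce the same bytes.
    first_owner = {}
    for name, out in outputs.items():
        if out in first_owner:
            findings.append(f"{name}: output identical to {first_owner[out]}")
        else:
            first_owner[out] = name

    # Assumed deny case: with no user context the script must exit nonzero.
    code, _ = run_script(source, {})
    if code == 0:
        findings.append("no user context: script still granted access")
    return findings


if __name__ == "__main__":
    for label, script in (("good", GOOD_SCRIPT), ("weak", WEAK_SCRIPT)):
        problems = check_contract(script, SAMPLE_USERS)
        print(label, "PASS" if not problems else problems)
```

To check a real script, replace the `[sys.executable, "-c", source]` command in `run_script` with the command line the policy will run.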
The parameters, acceptable values and defaults are listed in tables in this section. Save the skin file with any filename you wish. Save the skin file in the Project Resources folder under the project folder for the project to which it applies.
To specify a skin file
1 Use a text editor to open the preferences.ini file in the project folder and add the following line: vmplayer.
Customizing the Removable Device Display
Table 6-3. VMware Player Title Text Parameters
Parameter                 Type                      Default          Controls
player.title.prefix       string                    ""               Title bar prefix
player.title.useVMName    boolean (TRUE or FALSE)   TRUE             Is virtual machine name displayed?
player.title.suffix       string                    ""               Title bar suffix
player.title.font.face    string                    "MS Shell Dlg"   Name of font (font must be on user's computer)
player.title.font.
ide0:0, ide0:1, ide1:0, ide1:1 (IDE CD-ROM or hard drives)
scsi0:0-scsi0:7 (SCSI CD-ROM or hard drives)
Substitute the appropriate device name for in the parameters in Table 6-5.
Table 6-5. Removable Devices Parameters
Parameter Type Default Controls
player.deviceBar..buttonStyle string (text, icon, texticon) Appearance of toolbar button or menu item
player.deviceBar..
For details on the values for keySpec, see the section below.
Shortcut Key Values
The shortcut key entries described in this section require you to enter a virtual key code as part of the value for an option. Virtual key codes are entered in hexadecimal format, as a hexadecimal number preceded by 0x. For example, to use the virtual key code of 5A as a value, type 0x5A.
Sample Skin File
player.title.prefix = "Our Company <<"
player.title.suffix = ">> Environment"
# player.title.useVMName = FALSE
# player.deviceBar.toplevel = TRUE
player.deviceBar.floppy0.buttonStyle = "icon"
player.deviceBar.floppy0.buttonText = "First Floppy Drive"
player.deviceBar.floppy0.shortcutKey = "0x30,0x7"
player.deviceBar.floppy0.icon = "custom-floppy.ico"
player.deviceBar.floppy0.tooltip = "Click to disconnect"
player.deviceBar.floppy0.
7 Package Settings
Package settings enable you to configure package characteristics, such as instance customization and encryption, and then apply those settings to as many packages as you choose. The ability to set these package characteristics and then apply them to every package you create saves you the time and effort required to set each of these details every time you create a package.
Custom EULA
You can provide a custom EULA (end-user license agreement) that appears when an ACE instance is activated. You can use this feature to display a custom license-agreement message that the user must see and accept before the instance can be run for the first time.
To specify a custom EULA
1 Create a text file for the custom EULA and save it in the ACE Resources directory for the ACE master.
NOTE The file format can be either .txt or .
For detailed information on closely related topics, see:
“Setting Up a Remote Domain Join” on page 183
“Creating a Package” on page 188
Benefits of Instance Customization
The instance customization feature enhances and streamlines the preparation and deployment of ACE instances. The instance customization process is built around the standard Microsoft Sysprep deployment tools.
4 The guest operating system shuts down (this is visible, of course).
NOTE If the guest operating system does not shut down, the problem might be that the Sysprep tools were not in place. If the guest operating system fails to shut down promptly (after approximately 10 minutes, generally), the operation is cancelled and an error message tells you that instance customization failed. See “Downloading the Microsoft Sysprep Deployment Tools” on page 174.
Before You Specify Instance Customization Settings, Perform These Tasks
NOTE Instance customization is available for both managed and standalone ACE instances. You don’t have to use an ACE 2 Management Server to take advantage of the feature.
Downloading the Microsoft Sysprep Deployment Tools
NOTE Microsoft Sysprep deployment tools are automatically installed with the Windows Vista operating system installation, so you do not need to download Sysprep tools if your guest operating system is a Windows Vista system.
To ensure that the tools are on your admin machine when you need them
1 Go to http://www.microsoft.com and search for Sysprep deployment tools.
3 On the Instance Customization page:
a Select Enable instance customization.
b Type the product ID for the guest operating system software you have installed in the ACE master.
The Instance Customization sub-pages are disabled and cannot be accessed if the Enable instance customization option is not selected. Similarly, you cannot type in the Product ID box if the Enable option is not selected.
e Select Sync the guest time zone with the host time zone if you want to have that synchronization take place automatically.
5 On the Initialization Scripts page, type the additional commands to run scripts in the guest operating system at the end of the Mini-Setup process on the ACE user’s machine. See the Microsoft deployment tools documentation for information about additional commands.
CAUTION Specify the path to the batch file without using quotation marks.
a Remote Domain Join” on page 183 for more information about joining remote ACE instances to a domain.
NOTE If the ACE master is managed, then passwords and commands specified on this page are stored on the ACE 2 Management Server. If the ACE master is standalone, then passwords and commands are stored with the package. If the ACE master is not managed, you should encrypt the package and ACE since the passwords are kept inside the virtual machine.
name to 15, then set to 12. Your entry in the Computer Name field in System Options would be %host_name(12)%%random_alpha_digit(3)%. Including (n) in the placeholder is optional. If you don’t use it (that is, you use %host_name%) or if you set to zero (that is, you use %host_name(0)%), the placeholder will resolve to the full actual computer host name.
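A Computer Name entry built from these placeholders can be checked against the 15-character limit before packaging. The following Python sketch is an added example, not VMware code. It handles only the two placeholders shown above and assumes that %host_name(n)% keeps the first n characters of the host name and that %random_alpha_digit(n)% yields n uppercase letters or digits; the host names are constructed.

```python
import random
import re
import string

NAME_LIMIT = 15  # length limit for the computer name discussed above
ALPHABET = string.ascii_uppercase + string.digits  # assumed character set

# Only the two placeholders that appear in this section are recognised.
PLACEHOLDER = re.compile(r"%(host_name|random_alpha_digit)(?:\((\d+)\))?%")


def expand(template, host_name, rng=None):
    """Resolve a Computer Name template for one host (assumed semantics)."""
    rng = rng or random.Random()

    def resolve(match):
        kind, count = match.group(1), match.group(2)
        if kind == "host_name":
            n = int(count or 0)
            # No (n), or (0), resolves to the full host name.
            return host_name if n == 0 else host_name[:n]
        if count is None:
            raise ValueError("this example requires random_alpha_digit(n)")
        return "".join(rng.choice(ALPHABET) for _ in range(int(count)))

    name = PLACEHOLDER.sub(resolve, template)
    if "%" in name:
        raise ValueError(f"unrecognised placeholder left in {name!r}")
    return name


def max_host_name_chars(template, limit=NAME_LIMIT):
    """Largest (n) for %host_name(n)% that keeps the result within the limit."""
    fixed_part = len(expand(template, ""))  # everything except the host name
    return limit - fixed_part


def hosts_exceeding_limit(template, host_names, limit=NAME_LIMIT):
    """Return (host, resulting length) for every host whose name is too long."""
    too_long = []
    for host in host_names:
        length = len(expand(template, host))
        if length > limit:
            too_long.append((host, length))
    return too_long


if __name__ == "__main__":
    hosts = ["PC7", "FINANCE-LAPTOP-0042"]  # constructed host names
    unbounded = "%host_name%%random_alpha_digit(3)%"
    bounded = "%host_name(12)%%random_alpha_digit(3)%"
    print("room for host name:", max_host_name_chars(unbounded))
    print("unbounded template:", hosts_exceeding_limit(unbounded, hosts))
    print("bounded template:  ", hosts_exceeding_limit(bounded, hosts))
    print("sample name:", expand(bounded, hosts[1]))
```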
3 If the ACE master you are creating is a standalone ACE master, the Password page of the wizard will appear. Enter any passwords for domain join and, if needed, for the VPN connection.
4 On the Package Summary page, click Next to begin the packaging process.
5 Finish the steps for the New Package Wizard (for details, see “Creating a Package” on page 188).
If this file is not found in the directory, a default is used: AutoMode is set to PerServer with 5 client licenses. If you choose to supply this file, you won't see any change to the license portion of the Mini-Setup process during preview. Even if you supplied AutoMode=PerSeat, you will still see AutoMode=PerServer and AutoUsers=5 in the Mini-Setup user interface. This is the expected behavior.
see a message saying that the machine is going to be restarted, next the login screen will appear, and then the system will reboot. No user interaction is required at any point.
Package Lifetime
You can specify a time period during which an ACE package is installable. If a user attempts to install a package outside of this time period, an error message appears and the package will not be installed. The default setting for package lifetime is Always.
NOTE You can choose to encrypt the package while leaving the ACE instance files unencrypted or to encrypt instance files while leaving the package unencrypted. The Workstation ACE Edition software applies encryption settings to the package and files by using defaults that are determined by the settings in place for the activation and authentication policies.
Deployment Platform
If you want to change the platform that your ACE package is deployed to, select the Deployment Platform setting. The default setting is Windows.
To change the platform to which an ACE package is deployed
1 Select the ACE master whose Deployment Platform setting you want to change.
2 Choose ACE > Package Settings to open the package settings editor.
3 Click the Deployment Platform setting in the left-hand pane.
To specify remote domain join settings in the package settings editor
1 In the package settings editor, enable instance customization.
2 On the Workgroup or Domain page, enter the domain name, the user name for an account that can join a new computer to the domain, and the account password.
3 On that same page, select the Enable remote domain join option and enter the command that will execute the script.
Troubleshooting Setup Issues
If you or your ACE users have problems with logging back into a domain after invoking the Revert to Installed snapshot or with domain validation and name resolution, see if the following descriptions and resolutions are applicable to those problems:
Problem: The ACE user can't log the ACE instance back into a domain after the Revert to Installed snapshot has been invoked.
8 Creating Packages and Deploying Them to Users
The following sections guide you through the process of creating a package to deploy to your users:
“Reviewing the Configuration of the ACE Master and Installing Software” on page 187
“Creating a Package” on page 188
“Viewing Package Properties” on page 196
“Deploying Packages” on page 197
Reviewing the Configuration of the ACE Master and Installing Software
To finish preparing your ACE master and its files before packaging, review its con
Review Package Settings
Review the package settings for this ACE master. To change the package settings, click Edit package settings in the summary view, then change the settings as needed.
Review Virtual Machine Settings
Review the devices and options configured for this ACE master and make any needed changes.
Management Server and server usage for a managed ACE master. A Custom package allows you to choose specific items to deploy. The components for a Pocket ACE package vary slightly from those for the Full package. For information about the Pocket ACE package, see “Creating an ACE Package for Portable Devices” on page 208.
CAUTION Ensure that you have downloaded the current Sysprep deployment tools from Microsoft Corporation’s Web site and copied them to your machine as described in “Downloading the Microsoft Sysprep Deployment Tools” on page 174 before packaging with instance customization enabled begins. If the tools are not available at packaging time, the operation fails during the packaging process.
3 Ensure that the guest operating system and VMware Tools are installed in the ACE master.
NOTE Ensure the version of VMware Tools provided with Workstation ACE Edition is installed in the guest operating system. A number of key features in ACE 2 are provided by the VMware Tools package.
8 Select a package type on the Package Type page and then click Next.
Full – Packages default package contents, including the ACE master configuration file, virtual disk files, and policies; Player applications per the selected platform; package installer; and Resources files for the ACE master.
Policy Update / Server Update – Packages the policies for this ACE master. If this is a managed ACE master, this option reads “Server Update”.
NOTE This page does not appear for any packages that are being deployed only to Linux host machines. If you plan to distribute the package through network distribution, select Network image. Then click Next. If you plan to distribute the package on CD or DVD, select Multiple folders for creating DVDs or CDs. When you select the multiple files option, you must choose the type of media you plan to use.
11 12 If passwords are required for activation for a standalone ACE instance; domain join; or VPN connection, the Package Password page appears. The page might request one, two, or three passwords, depending on the access control policy setting and instance customization package setting for domain and remote domain join that you have configured for this ACE master. The three password types that might be included are described below.
Policy Update/Server Update package:
Custom package:
CAUTION The Caution text shown at the bottom of the Package Summary page only appears if instance customization is enabled for this package. See the information in the Caution on page 190 for details about obtaining the Microsoft Sysprep deployment tools and why it is important to have them in place before package creation begins.
Review the summary information. If you need to make changes, click Back. If the information is correct, click Next to begin package creation.
13 The Package Creation page appears and displays a progress bar. It can take quite some time to complete this step, especially for packages that include large virtual machines or instance customization settings. (See “Instance Customization” on page 170 for detailed information about instance customization.
The Package Properties dialog box has three tabbed pages:
Summary page – Displays the package name, creation date, deployment media, package type, size, location, and components. You cannot edit information on this page.
Settings page – Displays values for package settings that have been applied to this package. You cannot edit information on this page.
Notes page – Displays and allows you to edit notes for this package.
9 Preview, Save, Test, Publish
Before you deploy a new or updated ACE package or updated policy, you might want to test it. This section describes test options that allow you to see the ACE instance working exactly as the ACE user will see it.
NOTE You can run any ACE master directly in Workstation ACE Edition to be sure the guest operating system and applications perform as expected.
Preview – A mode that allows you to run the ACE instance as it will run on the user’s machine as well as see the effects of changed policies as they will appear on the ACE user’s machine without your having to package and install them. (The Preview mode displays the working copy of the policies.) See a full description of the Preview mode on page 200.
You click the Preview in Player icon in the toolbar to create a preview instance. A package based on a linked clone is created in a new directory, Preview Deployment, inside the ACE master’s directory on your administrator machine. The snapshot for the linked clone is taken of the ACE master’s current state. Unlike a package that is deployed to an ACE user’s machine, this package is not installed.
5 Test the change in the running ACE instance to ensure that it is the one you want to make.
6 For managed ACE masters only: After you are satisfied that the change is correct, click Publish Policies to Server. A pop-up dialog box tells you that the policy has been published.
Pre-Deployment End-to-End Test
You can run an end-to-end test on a new ACE package before you deploy it to ACE users.
5 Start up VMware Player and then use it to activate and run the ACE instance. Verify that the ACE instance is configured as you had intended and runs as you had planned.
6 In the Workstation ACE Edition interface, select the ACE master in the server location where you tested it and then choose ACE > ACE Server to open the ACE Server dialog box.
7 Choose the original server for the ACE master from the server history list, and click OK.
For standalone ACE masters – Package the ACE master, install it on another computer, and test it there. See “To run an end-to-end post-deployment test on another computer” on page 205 for details.
NOTE This test might take a long time because packaging and encryption processes can be lengthy.
To run an end-to-end post-deployment test on another computer
1 Open the ACE master that you made changes to and want to test, click Create New Package to start the New Package Wizard, and then follow the wizard steps to create the package. (See details in “Creating a Package” on page 188).
2 Install the package on your test system and start up setup.exe to open the Installation Wizard. Follow the wizard steps to install the package.
10 Pocket ACE
The Pocket ACE feature allows you to store ACE instances on portable devices such as USB keys (flash memory drives), Apple iPod mobile digital devices, and portable hard drives. Your ACE users attach these portable devices to x86 host computers, run their ACE instances with VMware Player, and then detach the portable devices. The next time they need access to their ACE instances, they can attach the devices to the same host computers or to different ones.
Hard drive-based Apple iPod mobile digital device
Portable hard drives
NOTE Use USB2 high-speed devices only.
Space Requirements for Your Pocket ACE
When you create a new ACE master that you will use to create a Pocket ACE package, make sure that the removable device you intend to use to store your Pocket ACE has enough space to store the virtual disk’s total capacity, memory, and approximately 300MB for overhead.
Steps for Creating a Pocket ACE Package
To create a Pocket ACE package
1 Start Workstation ACE Edition and open the ACE master you want to use as the basis for the package.
2 Ensure that the guest operating system and VMware Tools are installed in the ACE master.
NOTE Ensure the version of VMware Tools provided with Workstation ACE Edition is installed in the guest operating system. A number of key features in ACE 2 are provided by the VMware Tools package.
CAUTION When you select the Location on the Name the Package page, note that you are choosing a location, usually on the administrator machine, in which to store the package. Do NOT select the portable device to which the package will be deployed. If you do that, the package will not work. You will deploy the package to the device at a later time; see the instructions under “Deploying the ACE Package on a Portable Device” on page 211 for details.
The Completing the Pocket ACE Package Wizard page appears when the process has finished. If you want to deploy the package immediately, select Deploy to a portable device now. Whenever you’re ready to deploy the package, you can navigate to the package location (the one you specified in the Name the Package page) on your machine and then follow the instructions in “Deploying the ACE Package on a Portable Device.
To bulk deploy packages
1 Change directories to your bulk deployment directory. For example,
cd C:\Documents and Settings\Administrator\My Documents\My Virtual Machines\My ACE Master\Packages\Pocket ACE Package\
2 In the command line interface, enter the bulk deploy command and specify the necessary parameters (see Table 10-1):
bulkDeploy.exe
Table 10-1. Bulk Deploy Command Parameters
Parameter Usage
-p Deployment password.
Running the Pocket ACE Instance
The following steps describe what happens when the user runs the ACE instance from the portable device.
NOTE Tell your users that the host computers that they move Pocket ACEs among must have their clocks set to the correct time. If they move a Pocket ACE from one host computer to another and the clock of the second host is behind that of the first, the Pocket ACE will not run.
1 The user plugs the portable device into the host computer.
3 Both disk and checkpoint caches are initialized. If the Pocket ACE has a session on this host, that session continues. Otherwise a new session is started. (The checkpoint state and virtual disk are cached on the host during use and synced back to the portable device later. The checkpoint state and virtual disk are protected with the same encryption level used for the ACE instance on the portable device.
11 Installing and Using VMware Player and ACE Instances
This chapter describes how to install and run VMware Player and ACE instances on ACE user machines.
Installing VMware Player on a Windows Host Computer
Only a user with administrator privileges can install and uninstall VMware Player. To install VMware Player on a Windows host computer, log on with administrator privileges and then follow the instructions for installing an ACE instance. The installation program installs VMware Player before it installs the virtual machine files if VMware Player is not already on the machine.
Installing an ACE Package Silently on a Windows Host Computer
If you are installing a VMware ACE package on a number of Windows host computers, you might want to use the silent installation features of the Microsoft Windows Installer. Before installing a VMware ACE package silently, you must ensure that the host computers have version 2.0 or higher of the MSI runtime engine.
Option               Description
DESKTOP_SHORTCUTS    When set to 0, skips installation of the ACE instance shortcut on the desktop. The default is 1.
INSTALLDIR           Sets the root installation directory for the ACE instance.
PLAYER_INSTALLDIR    Sets the root installation directory for the VMware Player application.
You can also install an upgrade silently. An upgrade is always installed in the same directory or directories as the previous package.
Installing the ACE Package on a Linux Host Computer and Running the ACE Instance
The administrator creates an ACE package, which includes the ACE instance and VMware Player. The ACE package must be accessible to the Linux user machines for installation.
NOTE If this is the first installation of an ACE instance on the user machine, then an administrator must install VMware Player before the ACE user can install and run ACE instances.
5 Unpack the archive:
tar zxf VMware-player-i386.tar.gz
Or
tar zxf VMware-player-x86_64.tar.gz
6 Change to the installation directory:
cd vmware-player-distrib
7 Run the installation program:
./vmware-install.pl
Accept the default directories for the binary files, library files, manual files, documentation files, and the initiation script.
8 Select Yes when prompted to run vmware-config.pl and accept the default values for the remaining prompts.
Installing an ACE Package Silently on a Linux Host Computer
The following installs an ACE package and the VMware Player as an automated (default) install:
/tmp/path/to/package/ACE_Pkg/vmware-install.pl --default
Uninstalling an ACE Instance from a Linux Host Computer
ACE users can only uninstall their own ACE instances. Only the root user can uninstall others’ ACE instances.
To control which virtual machines and ACEs can be run on a host on which you have deployed an ACE instance, edit the following entries in the aceMaster.dat file:
NOTE The aceMaster.dat file is located in the same directory as the configuration file (.vmxa) for your ACE master.
allowVMs = "0" or "1". This entry corresponds to a host policy that controls whether non-ACE virtual machines can be run on the host.
text editor. After you have finished editing the aceMaster.dat file, reopen the ACE master in the Workstation ACE Edition interface. If the ACE master is managed and the policy values have changed, then the “needs publish” warning should appear. The policies will need to be published before the changes can take effect. Apply changes to standalone instances by using an update package.
“Setting VMware Player Preferences” on page 228
“Taking Snapshots in VMware Player” on page 229
“Using Shared Folders” on page 230
“Printing from VMware Player” on page 230
“Troubleshooting Problems” on page 230
See also the VMware Player online help for general information on using the Player.
Starting VMware Player
To start VMware Player, double-click the ACE icon on the desktop or single-click an ACE instance in the Start menu.
After the ACE has started running, you can change a password that you created by choosing Player > Change Password and typing in a new password.
Entering a Client License in VMware Player for an ACE Instance
If the Enter Serial Number dialog box appears when you attempt to power on an ACE instance, enter the serial number provided by your ACE administrator, or click Get Serial Number.
After a few seconds with no use, the toolbar disappears if it is unpinned. To make it visible again, move the mouse pointer to the top edge of the screen. To pin the toolbar so it is always visible, click the pushpin on the toolbar. To release the toolbar so it can hide again, click the pushpin a second time. To reduce the VMware Player display so it is running in a window again, click the restore button on the toolbar.
Host Network Access Info dialog box, which displays a summary of the host network access status. On Linux, you can use the following commands to set the log level and to see the current zone and log level.
Usage: vmnet-detect [-d]
-d : daemon mode
-l : set the log level
-g : get the current zone and log level
Valid log levels are mute, terse, normal, and verbose.
Viewing Messages, Notifications, and the ACE Information Dialog Box
VMware Player displays pop-up notifications about changes in network access settings and other status information. Those notification messages appear in the lower-right corner of the Player window when you start up the ACE. You can close the messages by clicking the X in the upper-right corner of the message box.
The exit behavior preferences allow you to specify the following:
Confirm before exiting the application – If selected, when you give the command to exit VMware Player, a dialog box appears. You can confirm the intention to exit VMware Player or click Cancel to continue using VMware Player.
Suspend the virtual machine when exiting – If selected, VMware Player suspends the ACE and closes.
You can also replace an existing user snapshot. Choose Player > Snapshot > Take Snapshot and choose Yes in the message dialog that appears asking if you want to replace the previous snapshot. If the administrator has enabled the option to revert to the user snapshot, you can revert the ACE to the existing snapshot by choosing Player > Snapshot > Revert to Snapshot. If you are permitted to take a user snapshot, you can also remove it.
Requesting a Hot Fix
NOTE This feature is available only if your system administrator has enabled the feature.
When certain problems occur, VMware Player provides a simplified method for contacting your system administrator: a wizard that lets you request a hot fix for your problem.
request an extension of the time you are authorized to run the ACE, click the Request Hot Fix button in the error dialog box. This starts the Hot Fix Request Wizard.
Copy-Protected ACE Run from a New Location – If your system administrator has applied copy protection to your ACE, it runs only from the location where it is installed by the package installer.
These menu items are available only if your system administrator has enabled them.
About the Enter Administrator Mode Command on the Troubleshoot Menu
If the administrator mode has been enabled for your ACE, the Enter Administrator Mode command appears in the Troubleshoot menu. The command is for use by administrators, allowing them to:
Edit virtual machine settings for your ACE (on Windows systems only).
ACE Tools: vmware-acetool Command-Line Tool
The vmware-acetool command-line program is a troubleshooting tool that allows ACE administrators to fix a limited set of problems for standalone ACE instances directly on an ACE user’s system.
NOTE You can actually use the vmware-acetool program to reset passwords and fix expiration dates on another machine, but you must have the .vmx, .vmpl, and ace.dat files from the user all set up in the same directory.
Chapter 11 Installing and Using VMware Player and ACE Instances Expiration Dates The new expiration date can be passed as one of: A number of days from the current date An absolute date in the format YYYY-MM-DD A start date and an end date in the format YYYY-MM-DD YYYY-MM-DD The special value "never", so that the instance will never expire The special value "expired", so that the instance expires immediately Examples vmware-acetool setPassword myACE.vmx recKey.
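A help desk script can check an expiration value against the five accepted forms listed above before handing it to the tool. The following Python sketch is an added example, not part of the manual or of vmware-acetool; the returned tuple, treating "expired" as expiring today, and the max_days sanity limit are assumptions.

```python
import re
from datetime import date, timedelta

_DAYS = re.compile(r"[0-9]+")
_DATE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

def parse_expiration(value, today=None, max_days=3650):
    """Return (valid_from, valid_until, kind) for one expiration value.

    kind is "never", "expired" or "dated". max_days is an assumed local
    sanity limit, not a documented limit of vmware-acetool.
    """
    today = today or date.today()
    text = value.strip()
    if text == "never":
        return (None, None, "never")
    if text == "expired":
        return (None, today, "expired")
    if _DAYS.fullmatch(text):
        days = int(text)
        # A date typed without hyphens (20071231) is all digits and would
        # otherwise be read as a number of days.
        if days > max_days:
            raise ValueError(f"{text!r} looks like a date without hyphens")
        return (None, today + timedelta(days=days), "dated")
    parts = text.split()
    if len(parts) not in (1, 2) or not all(_DATE.fullmatch(p) for p in parts):
        raise ValueError(f"unrecognized expiration value: {value!r}")
    dates = [date.fromisoformat(p) for p in parts]  # rejects 2007-02-30
    if len(dates) == 2 and dates[1] < dates[0]:
        raise ValueError("end date is earlier than start date")
    start = dates[0] if len(dates) == 2 else None
    return (start, dates[-1], "dated")
```
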
To respond to the hot fix request, take the following steps:
1 Save the file to a location you can reach easily from the computer on which you are running Workstation ACE Edition.
2 In Workstation ACE Edition, open the ACE master for the instance requiring the hot fix.
3 Choose File > Open.
4 Navigate to the location of the hot fix request file and click Open. A hot fix tab opens in the Workstation ACE Edition window.

Using the VMware Help Desk Web Application

The VMware Help Desk Web application allows help desk assistants or administrators to view ACE instances that are managed by a particular VMware ACE 2 Management Server and to provide some fixes requested by users of those instances.

Set Up Queries to Search for Instances

You can use the advanced search function in the VMware Help Desk to query the ACE 2 Management Server database to find one or more particular ACE instances.

To search for an ACE instance
1 Click Search in the upper left of the Instances page. The Search window appears.
2 Specify the criteria to be included when the database is queried. Type your entries in the fields that you want to query.

If you select the option Exact match only for a search category, only instances with values that are exact matches of the value specified in that category field are listed in the search results. Exact-match values are case-sensitive. Specify dates in the format MM/DD/YYYY. Search criteria are joined with AND, not OR, operations. You can save a search by entering a name in the Save as field in the Advanced Search dialog box.

Sort Instances by Column Heading

You can re-order the instances in the table and change column widths as follows:

  Re-order the list alphabetically or numerically, depending on the selected column’s contents, in ascending or descending order. Click to the right of the heading of the column that you want to sort. Click again to re-sort in the opposite (ascending or descending) order.

Reset the Instance Expiration Date

You can reset the expiration date by selecting or deselecting Use the date range specified for the ACE master, typing in Valid From and Valid Until dates, and selecting or deselecting Never expire. You must click the Save button in the upper left of the page to apply the changed expiration date.

Preserving the State of an ACE Instance

ACE 2 offers two ways to preserve the state of an ACE instance:

  Suspend and Resume
  Snapshots

See the Workstation User’s Manual for information on these features.
Chapter 12 Instance View

The Instance View provides you with a central management point for all instances managed by a particular ACE 2 Management Server. A summary table provides instance status (activated, deactivated, or blocked by policy violation) and validity dates (expiration) for the instances, as well as many details such as who the instance was activated by, ACE master for this instance, package name, guest name and IP address, and host name.

Opening a View of All Instances Managed by a Server

To open a view of all instances managed by a server, click the server in the Sidebar. An example of an Instance View appears below.

An instance has one of three status types:

  Active – The instance is active. It is available for immediate use.
  Blocked by policies – The instance is still active but is blocked (cannot be run) due to a violation of a policy such as expiration or copy protection.

  Valid
  ACE Master Name
  Package Name
  Host Name
  Host IP Address
  Guest Name

The Guest Name, which is the computer name resolved on the user's machine during instance customization (a feature for Windows systems only), is always shown in the Instance View as 15 characters or less. The NetBIOS name is reported here, and it is a maximum of 15 characters in length.

To clear a query
1 Click Search in the Instance View.
2 Click Reset in the Advanced Search dialog box.
3 Click Search.

Showing, Hiding, Moving, and Resizing Columns in the Instances Table

You can show, hide, and move columns that appear in the Instance View table. You can also resize the width of a column.

NOTE The column setup – the visible columns and their positions – is saved for each server view you work with.

To add a custom column
1 Right-click anywhere in the column heading row and choose Add Custom Column. The Custom Column Name dialog box appears.
2 Type a name for the new column in the Name text box and click OK.

NOTE If you have added nine custom columns, the Add Custom command in the right-click menu is dimmed and you can’t select it. You must delete one of the nine existing custom columns before you can add another one.

Deactivating and Reactivating Instances from the Instance View

To deactivate an active instance
1 Click the instance in the right pane of the view, so that the instance row is highlighted.
2 Click the Deactivate icon at the top left of the view.
3 Verify that the icon is dimmed.

To reactivate a deactivated instance
1 Click the instance in the right pane of the view, so that the instance row is highlighted.
2 Click the Reactivate icon at the top left of the view.

General Details View

The General details view shows statistics for this instance, including:

  Instance number, activated by, and activation status
  ACE master name and package name
  Activation and deactivation dates
  Expiration date/range
  Guest Name, IP address, and MAC address
  Host name and IP address

To activate or deactivate the instance or reset the expiration date
1 To activate or deactivate the instance, press the Reactivate or Deactivate button.
2 To reset the expiration date for the instance, check or uncheck Use the date range specified for the ACE master or select dates in the Valid from and Valid until dropdown lists. Check No expiration if you do not want the instance to expire.
3 When you are finished making changes, click OK.

  The copy protection ID

To reset the password for this ACE instance
1 Press Reset Password. The Password dialog box appears.
2 Type the password in the first text box and then retype it to confirm it in the second text box. Then click OK.

To change the copy protection ID for this ACE instance
1 Select the alphanumeric string in the Copy Protection ID box.
2 Type the new ID over the old one. Then click OK. (Generally, the user provides the new alphanumeric string to you with a request to allow a moved or copied instance to run.)

The Copy Protection ID field is always active, so you can change the ID whenever you want.

In addition to using the Connect to ACE 2 Management Server command to open a server connection, you can open the connection by:

  Creating a new master and assigning it to the server
  Opening an existing master that is already assigned to the server
  Opening an existing virtual machine, cloning it to create a new master, and then assigning the master to the server

See Chapter 5, “Creating and Configuring ACE Masters,” on page 91 for details about these tasks.
Appendix: Using the VMware ACE 2 Management Server Database Schema and Querying the Audit Event Log Data

Tables in the VMware ACE 2 Management Server database represent the major configuration objects of ACE 2 Management Server: Ace, Package, Instance, Access Policy, Runtime Policy, and User Data (which contains image customization settings and other per-user data).

The VMware ACE 2 Management Server Database Schema

CAUTION The data stored in the database is protected by the RDBMS access control mechanism. Make sure that you do not allow the database user account used by your reporting tool to have a higher than necessary level of access to the data; otherwise you could compromise the security of your VMware ACE system. For example, reporting tools typically do not need write access to the database.

Figure A-1. Database Schema Diagram
The following is the Database Schema script.

    /* Name – value pairs of service information, e.g.

    identityData VARCHAR(128), /* Internal representation, SID in AD */
                               /* case, token value goes here.

    insCustom1 VARCHAR(255), /* User-defined field */
    insCustom2 VARCHAR(255), /* User-defined field */
    insCustom3 VARCHAR(255), /* User-defined field */
    insCustom4 VARCHAR(255), /* User-defined field */
    insCustom5 VARCHAR(255), /* User-defined field */
    insCustom6 VARCHAR(255), /* User-defined field */
    insCustom7 VARCHAR(255), /* User-defined field */
    insCustom8 VARCHAR(255), /* User-defined field */
    insCustom9 VARCHAR(255), /* User-defined field */
    PRIMARY KEY(instanceUID), F

    hostPolicyDataExtKey VARCHAR(128), /* If too long store in LongField table */
    expirationType INTEGER NOT NULL, /* Expiration Type (enum) */
    expValue_1 VARCHAR(21) NOT NULL, /* Expiration value (depends on type) */
    expValue_2 VARCHAR(21) NOT NULL, /* Expiration value (depends on type) */
    cacheLifetime VARCHAR(21) NOT NULL, /* How long could work without server */
    rtpInstType INTEGER NOT NULL, /* Instanti

    eventCategory INTEGER, /* Event Category as defined in EventType */
    eventType INTEGER, /* Event Type as defined in EventType */
    sessionID VARCHAR(128), /* Ace Server Session ID */
    clientIP VARCHAR(128), /* IP Address of the client machine (resvd) */
    serverIP VARCHAR(128), /* IP Address of the Ace Server (reserved) */
    turnaroundTime VARCHAR(21), /* Server-side execution time in ms */
    handlerName VARCHAR(128), /* Name of the ClientLib handler (debug) */
    returnCodeText VARCHA
The Event Logging mechanism captures enough information to answer questions like these:

  Who activated instance X?
  When was instance X activated?
  Who revoked instance X?
  Who turned off copy protection policy?
  What changes to policy were made on such a date?
  Who is failing to authenticate?

The mechanism does not necessarily answer these questions directly, but provides enough data so that an administrator can view event logs and find answers to those questions. The data being logged meets the following requirements:

  Provide details of each transaction served.
  Centralize the gathering of event log data when multiple servers are used.
  Provide a means for administrators to select which type of transactions they care to log information about.

  Message Parameters (tab separated list; see below)
  Previous event UUID to prevent unauthorized record deletion or insertion (log integrity)
  Event record hash with a server key to reveal modification of the record (log integrity)

ACE, package, and instance UIDs and policy version provide “coordinates” of the log event in the space of ACE Server objects.

The current list of event types is illustrated in Figure A-2. This list might grow, as new functionality is added to the ACE Server.

Figure A-2. Event Types

ACE Server event logging contains an experimental tamper evidence feature. Every record in the event log (except the first one) must have a unique reference to the previous event, further enforced by the database foreign key / unique constraint.
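The two log-integrity fields described above (a reference to the previous event and a record hash made with a server key) can be checked by an auditor as in the following added Python sketch, which is not VMware's code. HMAC-SHA256, the field names, the UUID strings, the type codes and the key are assumptions or constructed sample values.

```python
import hashlib
import hmac

FIELDS = ("uuid", "prev_uuid", "event_type", "params")  # assumed field set

def canonical(event):
    """Length-prefix every field so a tab inside the parameter list cannot
    shift a field boundary and make two different records hash alike."""
    out = b""
    for name in FIELDS:
        value = event[name]
        raw = ("" if value is None else str(value)).encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out

def record_hash(key, event):
    # Assumption: HMAC-SHA256 stands in for "hash with a server key".
    return hmac.new(key, canonical(event), hashlib.sha256).hexdigest()

def append_event(log, key, uuid, event_type, params):
    """Server side: point the new record at the current tail, then seal it."""
    event = {"uuid": uuid, "prev_uuid": log[-1]["uuid"] if log else None,
             "event_type": event_type, "params": params}
    event["hash"] = record_hash(key, event)
    log.append(event)
    return event

def verify_log(log, key):
    """Auditor side: return (uuid, problem) findings; [] means none found."""
    findings = []
    known = {e["uuid"] for e in log}
    referenced = set()
    first_seen = False
    for e in log:
        if not hmac.compare_digest(e["hash"], record_hash(key, e)):
            findings.append((e["uuid"], "hash mismatch"))
        prev = e["prev_uuid"]
        if prev is None:
            if first_seen:
                findings.append((e["uuid"], "second record without predecessor"))
            first_seen = True
        elif prev not in known:
            findings.append((e["uuid"], "predecessor missing"))
        elif prev in referenced:
            findings.append((e["uuid"], "predecessor referenced twice"))
        else:
            referenced.add(prev)
    return findings

def build_sample_log(key):
    """Constructed sample data: made-up UUIDs, type codes and parameters."""
    log = []
    append_event(log, key, "uuid-0001", 1, "alice\tinstance-7")
    append_event(log, key, "uuid-0002", 2, "alice\tcopy-protection\toff")
    append_event(log, key, "uuid-0003", 3, "bob\tinstance-7")
    append_event(log, key, "uuid-0004", 1, "carol\tinstance-9")
    return log

if __name__ == "__main__":
    key = b"constructed-demo-key"  # stands in for the server key
    log = build_sample_log(key)
    print("intact:", verify_log(log, key))
    del log[1]                      # a row removed from the middle
    print("after deletion:", verify_log(log, key))
```

Removing records from the end of the log leaves a shorter chain that still verifies, so the check reports nothing in that case unless the UUID of the most recent event is also recorded somewhere the database account cannot change.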
Glossary

ACE instances
The virtual machines that ACE administrators create, associate with virtual rights management (VRM) policies, and then package for deployment to users. In short form, an ACE instance is an ACE.

ACE 2 Management Server
A server that can optionally be installed and used by the ACE administrator for activating and tracking ACE instances and for hosting dynamic policies for ACE instances.

ACE master
A virtual machine template created by the ACE administrator.

Bridged networking
A type of network connection between an ACE instance and the rest of the world. Under bridged networking, an ACE instance appears as an additional computer on the same physical Ethernet network as the host. See also Host-only networking.

Configuration
See Virtual machine configuration file.

Full screen mode
A display mode in which the ACE instance’s display fills the entire screen.

Live copy of policies
The currently deployed policy set. The active ACE instances on the ACE users’ machines use this set.

Managed ACE instance
An ACE instance that is managed by an ACE 2 Management Server. See also ACE 2 Management Server.

Network address translation (NAT)
A type of network connection that allows you to connect your ACE instances to an external network when you have only one IP network address, and that address is used by the host computer.

Pocket ACE
An ACE feature that allows the ACE administrator to distribute an ACE instance on a removable device such as a USB key, Apple iPod mobile digital device, or portable hard drive. The user of a Pocket ACE instance can plug the device into a host computer, run the instance, save data from the session and close it, and then unplug the device. The user can then take the instance to another host computer and use it in that new location.

Suspend
Save the current state of a running ACE instance. To return a suspended ACE instance to operation, use the resume feature. See also Resume.

Virtual disk
A file or set of files, usually on the host file system, that appears as a physical disk drive to a guest operating system. These files can be on the host machine or on a remote file system.

VMware Player
A simple application that allows a user to run an ACE instance.

Workstation ACE Edition
The program used by the administrator to create, deploy, and update ACE packages and manage ACE instances. Formerly named “VMware ACE Manager.”

VMware Tools
A suite of utilities and drivers that enhances the performance and functionality of your guest operating system.
VMware Update

Updates for the VMware ACE Administrator’s Manual
VMware ACE 2
Last Updated: October 19, 2007

This document provides updates to the VMware ACE 2.0.2 version of the VMware ACE Administrator’s Manual. Updated descriptions, procedures, and graphics are organized by page number so you can easily locate the areas of the guide that have changes. If the change spans multiple sequential pages, this document provides the starting page number only.

To set your Pocket ACE close behavior
1 Choose Edit Policies > Runtime Preferences.