VMware View Architecture Planning
View 4.6
View Manager 4.6
View Composer 2.6

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright © 2009–2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents
VMware View Architecture Planning 5
1 Introduction to VMware View 7
Advantages of Using VMware View 7
VMware View Features 9
How the VMware View Components Fit Together 9
Integrating and Customizing VMware View 13
2 Planning a Rich User Experience 15
Feature Support Matrix 15
Choosing a Display Protocol 17
Benefits of Using View Desktops in Local Mode 18
Accessing USB Devices Connected to a Local Computer 20
Printing from a View Desktop 20
Streaming Multimedia to a View Desktop 21
Using Singl
Implementing Best Practices to Secure Client Systems 56
Assigning Administrator Roles 56
Preparing to Use a Security Server 57
Understanding VMware View Communications Protocols 61
6 Overview of Steps to Setting Up a VMware View Environment 67
Index 69
VMware View Architecture Planning
VMware View Architecture Planning provides an introduction to VMware View™, including a description of its major features and deployment options and an overview of how VMware View components are typically set up in a production environment.
1 Introduction to VMware View
With VMware View, IT departments can run virtual desktops in the datacenter and deliver desktops to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.
Figure 1-1. Administrative Console for View Manager Showing the Dashboard View
Another feature that increases convenience is the VMware remote display protocol PCoIP. The PCoIP (PC-over-IP) display protocol delivers an end-user experience equal to the current experience of using a physical PC:
- On LANs, the display is faster and smoother than traditional remote displays.
VMware View Features
Features included in VMware View support usability, security, centralized control, and scalability. The following features provide a familiar experience for the end user:
- Print from a virtual desktop to any local or networked printer that is defined on the client device, or use the location-based printing feature to map to printers that are physically near the client system.
Figure 1-2.
- Assigning applications packaged with VMware ThinApp to specific desktops and pools
- Managing local and remote desktop sessions
- Establishing secure connections between users and desktops
- Enabling single sign-on
- Setting and applying policies
Inside the corporate firewall, you install and configure a group of two or more View Connection Server instances.
View Agent
You install the View Agent service on all virtual machines, physical systems, and Terminal Service servers that you use as sources for View desktops. This agent communicates with View Client to provide features such as connection monitoring, virtual printing, and access to locally connected USB devices.
View Transfer Server
This software manages and streamlines data transfers between the datacenter and View desktops that are checked out for use on end users' local systems. View Transfer Server is required to support desktops that run View Client with Local Mode (formerly called Offline Desktop). Several operations use View Transfer Server to send data between the View desktop in vCenter Server and the corresponding local desktop on the client system.
- Query the event database.
- Query the state of View services.
You can use the cmdlets in conjunction with the vSphere PowerCLI cmdlets, which provide an administrative interface to the VMware vSphere product. For more information, see the VMware View Integration document.
Modifying LDAP Configuration Data in View
When you use View Administrator to modify the configuration of VMware View, the appropriate LDAP data in the repository is updated.
2 Planning a Rich User Experience
VMware View provides the familiar, personalized desktop environment that end users expect. End users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. VMware View includes many features that you might want to make available to your end users.
Table 2-1.
Table 2-3. Features Supported on Mac Clients (Continued)
Feature             Mac OS X (10.5)   Mac OS X (10.6)
RSA SecurID         X                 X
Single sign-on      X                 X
Smart cards
Multiple monitors
Local Mode
In addition, several VMware partners offer thin client devices for VMware View deployments. The features that are available for each thin client device are determined by the vendor and model and the configuration that an enterprise chooses to use.
Microsoft RDP
Remote Desktop Protocol is the same protocol many people already use to access their work computer from their home computer. RDP provides access to all the applications, files, and network resources on a remote computer. Microsoft RDP provides the following features:
- You can use multiple monitors in span mode.
View desktops in local mode behave in the same way as their remote desktop equivalents, yet can take advantage of local resources. Latency is eliminated, and performance is enhanced. Users can disconnect from their local View desktop and log in again without connecting to the View Connection Server. After network access is restored, or when the user is ready, the checked-out virtual machine can be backed up, rolled back, or checked in.
The data on each local system is encrypted with AES. 128-bit encryption is the default, but you can configure 192-bit or 256-bit encryption. The desktop has a lifetime controlled through policy. If the client loses contact with View Connection Server, the maximum time without server contact is the period in which the user can continue to use the desktop before the user is refused access.
Streaming Multimedia to a View Desktop
Wyse MMR (multimedia redirection) enables full-fidelity playback when multimedia files are streamed to a View desktop. The MMR feature supports the media file formats that the client system supports, because local decoders must exist on the client. File formats include MPEG2, WMV, AVI, and WAV, among others.
3 Managing Desktop Pools from a Central Location
You can create pools that include one or hundreds of virtual desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Terminal Services servers. Create one virtual machine as a base image, and VMware View can generate a pool of virtual desktops from that image. You can easily install or stream applications to pools with VMware ThinApp.
- If using vSphere 4.1, specify whether to use a Microsoft Sysprep customization specification or QuickPrep from VMware. Sysprep generates a unique SID and GUID for each virtual machine in the pool.
- Specify whether the View desktop can or must be downloaded and run on a local client system.
In addition, using desktop pools provides many conveniences.
Reducing Storage Requirements with View Composer
Because View Composer creates desktop images that share virtual disks with a base image, you can reduce the required storage capacity by 50 to 90 percent. View Composer uses a base image, or parent virtual machine, and creates a pool of up to 512 linked-clone virtual machines.
Deploying Applications and System Updates with View Composer
Because linked-clone desktop pools share a base image, you can quickly deploy updates and patches by updating the parent virtual machine. The recompose feature allows you to make changes to the parent virtual machine, take a snapshot of the new state, and push the new version of the image to all, or a subset of, users and desktops.
Using Existing Processes for Application Provisioning
With VMware View, you can continue to use the application provisioning techniques that your company currently uses. Two additional considerations include managing server CPU usage and storage I/O and determining whether users are permitted to install applications.
4 Architecture Design Elements and Planning Guidelines
A typical VMware View architecture design uses a building block strategy to achieve scalability. Each building block definition can vary, based on hardware configuration, View and vSphere software versions used, and other environment-specific design factors. This chapter describes a validated example building block that consists of components that support up to 2,000 virtual desktops using vSphere 4.1.
- Estimating Memory Requirements for Virtual Desktops on page 31
RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage of overall server hardware costs and total storage capacity needed, determining the correct memory allocation is crucial to planning your desktop deployment.
Estimating Memory Requirements for Virtual Desktops
RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage of overall server hardware costs and total storage capacity needed, determining the correct memory allocation is crucial to planning your desktop deployment. If the RAM allocation is too low, storage I/O can be negatively affected because too much memory swapping occurs.
deleted when the virtual machines are powered off. Disposable page-file redirection saves storage, slowing the growth of linked clones and also can improve performance. Although you can adjust the size from within Windows, doing so might have a negative effect on application performance.
Windows hibernate file for laptops: This file can equal 100 percent of guest RAM.
Estimating CPU Requirements for Virtual Desktops
When estimating CPU, you must gather information about the average CPU utilization for various types of workers in your enterprise. In addition, calculate that another 10 to 25 percent of processing power is required for virtualization overhead and peak periods of usage.
NOTE This topic addresses issues regarding CPU requirements when accessing View desktops remotely.
The amount of storage space required must take into account the following files for each virtual desktop:
- The ESX suspend file is equivalent to the amount of RAM allocated to the virtual machine.
- The Windows page file is equivalent to 150 percent of RAM.
- Log files take up approximately 100MB for each virtual machine.
- The virtual disk, or .vmdk file, must accommodate the operating system, applications, and future applications and software updates.
Desktop Pools for Specific Types of Workers
VMware View provides many features to help you conserve storage and reduce the amount of processing power required for various use cases. Many of these features are available as pool settings. The most fundamental question to consider is whether a certain type of user needs a stateful desktop image or a stateless desktop image.
Pools for Task Workers
You can standardize on stateless desktop images for task workers so that the image is always in a well-known, easily supportable configuration and so that workers can log in to any available desktop. Because task workers perform repetitive tasks within a small set of applications, you can create stateless desktop images, which help conserve storage space and processing requirements.
Pools for Mobile Users
These users can check out a View desktop and run it locally on their laptop or desktop even without a network connection. View Client with Local Mode provides benefits for both end users and IT administrators. For administrators, local mode allows View security policies to extend to laptops that have previously been unmanaged.
- Do not turn on SSL for provisioning or downloading local mode desktops.
- If the performance of View Connection Server is affected by the number of local desktops, set the heartbeat interval to be less frequent. The heartbeat lets View Connection Server know that the local desktop has a network connection. The default interval is five minutes.
Table 4-2.
vCenter and View Composer Virtual Machine Configuration and Desktop Pool Maximums
You install both vCenter Server and View Composer on the same virtual machine. Because this virtual machine is a server, it requires much more memory and processing power than a desktop virtual machine. View Composer can create and provision up to 512 desktops per pool. View Composer can also perform a recompose operation on up to 512 desktops at a time.
View Connection Server Cluster Design Considerations
You can deploy multiple replicated View Connection Server instances in a group to support load balancing and high availability. Groups of replicated instances are designed to support clustering within a LAN-connected single-datacenter environment.
Table 4-8. View Transfer Server Virtual Machine Example (Continued)
Item                     Example
Virtual network adapter  E1000 (the default)
1 NIC                    1 Gigabit
Storage and Bandwidth Requirements for View Transfer Server
Several operations use View Transfer Server to send data between the View desktop in vCenter Server and the corresponding local desktop on the client system.
For example, in an 8-host cluster, where each host is capable of running 128 desktops, and the goal is to tolerate a single server failure, make sure that no more than 128 * (8 - 1) = 896 desktops are running on that cluster. You can also use VMware DRS (Distributed Resource Scheduler) to help balance the desktops among all 8 hosts. You get full use of the extra server capacity without letting any hot-spare resources sit idle.
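The sizing rules of thumb from this chapter (the per-desktop file list under storage estimation, the 10 to 25 percent CPU overhead, and the N-1 cluster capacity calculation above) collected into one planning calculator. This is an added example, not VMware's own tooling; the DesktopProfile figures at the bottom are constructed sample values.

```python
"""Capacity planning helpers for a VMware View building block.

Added example, not VMware's own code. It encodes the rules of thumb stated
in this chapter: per-desktop storage (ESX suspend file = RAM, Windows page
file = 150% of RAM, ~100 MB of logs, plus the .vmdk), CPU headroom of 10-25%
for virtualization overhead and peaks, and an N-1 host-failure limit for a
cluster. The profile values used under __main__ are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class DesktopProfile:
    ram_mb: int        # guest RAM allocated to the virtual machine
    vmdk_mb: int       # OS + applications + headroom for future updates
    avg_cpu_mhz: int   # measured average CPU use for this worker type


LOG_FILES_MB = 100     # approximate per-VM log footprint from the text


def storage_per_desktop_mb(p: DesktopProfile) -> int:
    """Storage one desktop consumes, following the file list in this chapter."""
    suspend_file = p.ram_mb             # ESX suspend file equals allocated RAM
    page_file = int(p.ram_mb * 1.5)     # Windows page file is 150 percent of RAM
    return suspend_file + page_file + LOG_FILES_MB + p.vmdk_mb


def cpu_per_desktop_mhz(p: DesktopProfile, overhead: float = 0.25) -> int:
    """Average CPU plus 10-25 percent for virtualization overhead and peaks."""
    if not 0.10 <= overhead <= 0.25:
        raise ValueError("overhead must be between 10% and 25%")
    return int(round(p.avg_cpu_mhz * (1 + overhead)))


def cluster_capacity(hosts: int, desktops_per_host: int,
                     tolerated_failures: int = 1) -> int:
    """Desktops a cluster may run while still absorbing host failures."""
    if tolerated_failures >= hosts:
        raise ValueError("cannot tolerate losing every host")
    return desktops_per_host * (hosts - tolerated_failures)


def plan_storage_gb(desktops: int, p: DesktopProfile) -> float:
    """Total storage, in GB, for a pool of `desktops` using profile `p`."""
    return desktops * storage_per_desktop_mb(p) / 1024


if __name__ == "__main__":
    # Constructed sample profile: 1 GB RAM, 20 GB disk, 300 MHz average CPU.
    task_worker = DesktopProfile(ram_mb=1024, vmdk_mb=20 * 1024, avg_cpu_mhz=300)
    cap = cluster_capacity(hosts=8, desktops_per_host=128)   # 896, as in the text
    print(f"cluster capacity with one host spare: {cap}")
    print(f"storage per desktop: {storage_per_desktop_mb(task_worker)} MB")
    print(f"storage for the cluster: {plan_storage_gb(cap, task_worker):.1f} GB")
    print(f"CPU per desktop at 25% headroom: {cpu_per_desktop_mhz(task_worker)} MHz")
```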
Figure 4-1. VMware View Building Block (2000 users; 2 VMware ESX clusters of 8 hosts each; shared storage; VMware vCenter Server)
Shared Storage for View Building Blocks
Storage design considerations are one of the most important elements of a successful View architecture. The decision that has the greatest architectural impact is whether to use View Composer desktops, which use linked-clone technology.
You can minimize these storm workloads through operational best practices, such as staggering updates to different virtual machines. You can also test various log-off policies during a pilot phase to determine whether suspending or powering off virtual machines when users log off causes an I/O storm.
The following examples show how PCoIP can be expected to perform in various WAN scenarios:
Work from home
A user with a dedicated cable or DSL connection with 4-8MB download and less than 300ms latency can expect excellent performance under the following conditions:
- Two monitors (1920x1080)
- Microsoft Office applications
- Light use of Flash-embedded Web browsing
- Periodic use of multimedia
- Light printing with a locally connected USB printer
Mobile user
A
Table 4-11. Example of a VMware View Pod
Item                       Number
View building blocks       5
View Connection Servers    7 (1 for each building block and 2 spares)
10Gb Ethernet module       1
Modular networking switch  1
Load-balancing module      1
VPN for WAN                1 (optional)
The network core load balances incoming requests across View Connection Server instances.
5 Planning for Security Features
VMware View offers strong network security to protect sensitive corporate data. For added security, you can integrate VMware View with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature.
- Tunneled Client Connections with Microsoft RDP on page 51
When users connect to a View desktop with the Microsoft RDP display protocol, View Client can make a second HTTPS connection to the View Connection Server host. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data.
Tunneled Client Connections with Microsoft RDP
When users connect to a View desktop with the Microsoft RDP display protocol, View Client can make a second HTTPS connection to the View Connection Server host. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data. The tunnel connection offers the following advantages:
- RDP data is tunneled through HTTPS and is encrypted using SSL.
View Client with Local Mode Client Connections
View Client with Local Mode offers mobile users the ability to check out View desktops onto their local computer. View Client with Local Mode supports both tunneled and nontunneled communications for LAN-based data transfers. With tunneled communications, all traffic is routed through the View Connection Server host, and you can specify whether to encrypt communications and data transfers.
Active Directory Authentication
Each View Connection Server instance is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain. Users are also authenticated against any additional user domains with which a trust agreement exists.
Administrators can enable individual View Connection Server instances for smart card authentication. Enabling a View Connection Server instance to use smart card authentication typically involves adding your root certificate to a truststore file and then modifying View Connection Server settings. Client connections that use smart card authentication must be SSL enabled.
Restricting View Desktop Access
You can use the restricted entitlements feature to restrict View desktop access based on the View Connection Server instance that a user connects to. With restricted entitlements, you assign one or more tags to a View Connection Server instance. Then, when configuring a desktop pool, you select the tags of the View Connection Server instances that you want to be able to access the desktop pool.
You can also use restricted entitlements to control desktop access based on the user-authentication method that you configure for a particular View Connection Server instance. For example, you can make certain desktop pools available only to users who have authenticated with a smart card. The restricted entitlements feature only enforces tag matching.
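A model of the tag matching described above, with the smart-card example worked through and an audit that shows why "only enforces tag matching" matters: a pool reserved for smart-card users is only as restricted as the set of instances that carry its tag. This is an added example, not VMware's code; server names, tags and pools are constructed, and the rule that an untagged pool is reachable from every instance is taken from the View documentation's tag-matching rules, not from this excerpt.

```python
"""Restricted-entitlement tag matching for View desktop pools.

Added example, not VMware's own code. A pool tagged with one or more View
Connection Server tags is reachable only through an instance carrying a
matching tag; an untagged pool is assumed reachable through every instance
(the documented View behaviour, not stated in this excerpt). Servers, tags
and pools below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ConnectionServer:
    name: str
    tags: frozenset = field(default_factory=frozenset)
    smart_card_required: bool = False   # auth method configured on this instance


@dataclass(frozen=True)
class DesktopPool:
    name: str
    tags: frozenset = field(default_factory=frozenset)


def pool_visible(server: ConnectionServer, pool: DesktopPool) -> bool:
    """Tag matching only: untagged pools are open to all instances; tagged
    pools need at least one tag in common with the instance."""
    if not pool.tags:
        return True
    return bool(server.tags & pool.tags)


def visible_pools(server: ConnectionServer, pools) -> list:
    """Names of the pools a user connecting through `server` can reach."""
    return [p.name for p in pools if pool_visible(server, p)]


def audit_sensitive_pools(servers, pools, sensitive_tag: str) -> list:
    """Flag (pool, server) pairs where a pool carrying `sensitive_tag` is
    reachable through an instance that does not require smart card
    authentication. The feature enforces only tag matching, so this is the
    review an administrator must do by hand."""
    findings = []
    for p in pools:
        if sensitive_tag not in p.tags:
            continue
        for s in servers:
            if pool_visible(s, p) and not s.smart_card_required:
                findings.append((p.name, s.name))
    return findings


# Constructed sample topology: three tagged instances and one untagged one.
CS_INTERNAL = ConnectionServer("cs-internal", frozenset({"internal"}))
CS_EXTERNAL = ConnectionServer("cs-external", frozenset({"external"}))
CS_SMARTCARD = ConnectionServer("cs-smartcard", frozenset({"smartcard"}),
                                smart_card_required=True)
CS_UNTAGGED = ConnectionServer("cs-untagged")
SERVERS = [CS_INTERNAL, CS_EXTERNAL, CS_SMARTCARD, CS_UNTAGGED]
POOLS = [
    DesktopPool("Finance", frozenset({"smartcard"})),   # smart-card users only
    DesktopPool("General"),                              # untagged: open to all
    DesktopPool("Intranet", frozenset({"internal"})),
]

if __name__ == "__main__":
    for s in SERVERS:
        print(f"{s.name}: {visible_pools(s, POOLS)}")
    print("findings:", audit_sensitive_pools(SERVERS, POOLS, "smartcard"))
```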
An administrator can create folders to subdivide desktop pools and delegate the administration of specific desktop pools to different administrators in View Administrator. An administrator configures administrator access to the resources in a folder by assigning a role to a user on that folder. Administrators can only access the resources that reside in folders for which they have assigned roles.
Security Server Topologies
You can implement several different security server topologies. The topology illustrated in Figure 5-2 shows a high-availability environment that includes two load-balanced security servers in a DMZ. The security servers communicate with two View Connection Server instances inside the internal network.
Figure 5-2.
Figure 5-3. Multiple Security Servers (remote View Client on the external network; View Client on the internal network; load-balanced View Security Servers in the DMZ; load-balanced View Connection Servers; vCenter Management Server; Microsoft Active Directory; ESX hosts running Virtual Desktop virtual machines)
You must implement a hardware or software load balancing solution if you install more than one security server.
Figure 5-4.
Back-End Firewall Rules
To allow a security server to communicate with each View Connection Server instance that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow View desktops and View Connection Server instances to communicate with each other. Table 5-2 summarizes the back-end firewall rules.
Table 5-2.
Figure 5-5.
Figure 5-6.
Table 5-3. Default Ports (Continued)
Protocol   Port
SOAP       TCP port 80 or 443
PCoIP      TCP port 4172 from View Client to the View desktop. PCoIP also uses UDP port 4172 in both directions. For USB redirection, TCP port 32111 is used alongside PCoIP from the client to the View desktop.
View LDAP
View LDAP is an embedded LDAP directory in View Connection Server and is the configuration repository for all VMware View configuration data. View LDAP contains entries that represent each View desktop, each accessible View desktop, multiple View desktops that are managed together, and View component configuration settings. View LDAP also includes a set of View plug-in DLLs to provide automation and notification services for other VMware View components.
Table 5-5. TCP Ports Opened During View Agent Installation (Continued)
Protocol   Ports
PCoIP      4172 (TCP and UDP)
HP RGS     42966
The View Agent installation program configures the local firewall rule for inbound RDP connections to match the current RDP port of the host operating system, which is typically 3389. If you change the RDP port number, you must change the associated firewall rules.
6 Overview of Steps to Setting Up a VMware View Environment
Complete these high-level tasks to install VMware View and configure an initial deployment.
Table 6-1. View Installation and Setup Check List
Step  Task
1     Set up the required administrator users and groups in Active Directory. Instructions: VMware View Installation and vSphere documentation
2     If you have not yet done so, install and set up VMware ESX/ESXi hosts and vCenter Server.