VMware View Architecture Planning Guide
View 4.5
View Manager 4.5
View Composer 2.5

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2009, 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents

About This Book 5
1 Introduction to VMware View 7
  Advantages of Using VMware View 7
  VMware View Features 9
  How the VMware View Components Fit Together 9
  Integrating and Customizing VMware View 13
2 Planning a Rich User Experience 15
  Feature Support Matrix 15
  Choosing a Display Protocol 16
  Using a View Desktop Without a Network Connection 18
  Accessing USB Devices Connected to a Local Computer 19
  Printing from a View Desktop 20
  Streaming Multimedia to a View Desktop 20
  Using Single Sign-On for L
  Implementing Best Practices to Secure Client Systems 55
  Assigning Administrator Roles 55
  Preparing to Use a Security Server 55
  Understanding VMware View Communications Protocols 60
6 Overview of Steps to Setting Up a VMware View Environment 67
Index 69
About This Book

The VMware View Architecture Planning Guide provides an introduction to VMware View™, including a description of its major features and deployment options and an overview of how VMware View components are typically set up in a production environment.
Technical Support and Education Resources

The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
1 Introduction to VMware View

With VMware View, IT departments can run virtual desktops in the datacenter and deliver desktops to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.
Figure 1-1. Administrative Console for View Manager Showing the Dashboard View

Another feature that increases convenience is the VMware remote display protocol PCoIP. The PCoIP (PC-over-IP) display protocol delivers an end-user experience equal to the current experience of using a physical PC:
- On LANs, the display is faster and smoother than traditional remote displays.
VMware View Features

Features included in VMware View support usability, security, centralized control, and scalability. The following features provide a familiar experience for the end user:
- Print from a virtual desktop to any local or networked printer that is defined on the client device, or use the location-based printing feature to map to printers that are physically near the client system.
Figure 1-2.
- Assigning applications packaged with VMware ThinApp to specific desktops and pools
- Managing local and remote desktop sessions
- Establishing secure connections between users and desktops
- Enabling single sign-on
- Setting and applying policies

Inside the corporate firewall, you install and configure a group of two or more View Connection Server instances.
View Agent

You install the View Agent service on all virtual machines, physical systems, and Terminal Service servers that you use as sources for View desktops. This agent communicates with View Client to provide features such as connection monitoring, virtual printing, and access to locally connected USB devices.
View Transfer Server

This software manages and streamlines data transfers between the datacenter and View desktops that are checked out for use on end users' local systems. View Transfer Server is required to support desktops that run View Client with Local Mode (formerly called Offline Desktop). Several operations use View Transfer Server to send data between the View desktop in vCenter Server and the corresponding local desktop on the client system.
- Sample the usage of specific desktops or desktop pools over time.
- Query the event database.
- Query the state of View services.

You can use the cmdlets in conjunction with the vSphere PowerCLI cmdlets, which provide an administrative interface to the VMware vSphere product. For more information, see the VMware View Integration Guide.
2 Planning a Rich User Experience

VMware View provides the familiar, personalized desktop environment that end users expect. End users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. VMware View includes many features that you might want to make available to your end users.
Table 2-1. Features Supported on Windows Clients (Continued)

Feature             Windows XP Home/Pro SP3, 32-bit   Windows Vista SP1, SP2, 32-bit   Windows 7, 32-bit and 64-bit
RSA SecurID         X                                 X                                X
Single sign-on      X                                 X                                X
Multiple monitors   X                                 X                                X
Local Mode          X                                 X                                X

Editions of Windows Vista include Windows Vista Home, Enterprise, Ultimate, and Business. Editions of Windows 7 include Home, Professional, Enterprise, and Ultimate.

Table 2-2.
VMware View with PCoIP

PCoIP is a new high-performance remote display protocol provided by VMware. This protocol is available for View desktops that are sourced from virtual machines, Teradici clients, and physical machines that have Teradici-enabled host cards. PCoIP can compensate for an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
HP RGS Protocol

RGS is a display protocol from HP that allows users to access the desktop of a remote physical computer over a standard network. You can use HP RGS as the display protocol when connecting HP Blade PCs, HP Workstations, and HP Blade Workstations. Connections to virtual machines that run on VMware ESX servers are not supported. HP RGS provides the following features:
- You can use multiple monitors in span mode.
Although a local desktop can take advantage of local resources, a Windows 7 or Windows Vista View desktop that is created on an ESX 3.5 host cannot produce 3D and Windows Aero effects. This limitation applies even when the desktop is checked out for local use on a Windows 7 or Windows Vista host. Windows Aero and 3D effects are available only if the View desktop is created using vSphere 4.x.
USB devices that do not appear in the menu, but are available in a View desktop, include smart card readers and human interface devices such as keyboards and pointing devices. The View desktop and the local computer use these devices at the same time. This feature has the following limitations:
- When you access a USB device from a menu in View Client and use the device in a View desktop, you cannot access the device on the local computer.
SSO is implemented as an optional component that you can select when you install the View Agent on a desktop source. This feature includes the Graphical Identification and Authentication (GINA) dynamic-link library for Windows XP and a credential provider dynamic-link library for Windows Vista.

Using Multiple Monitors with a View Desktop

Regardless of the display protocol, you can use multiple monitors with a View desktop.
3 Managing Desktop Pools from a Central Location

You can create pools that include one or hundreds of virtual desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Terminal Services servers. Create one virtual machine as a base image, and VMware View can generate a pool of virtual desktops from that image. You can easily install or stream applications to pools with VMware ThinApp.
- If using vSphere 4.1, specify whether to use a Microsoft Sysprep customization specification or QuickPrep from VMware. Sysprep generates a unique SID and GUID for each virtual machine in the pool.
- Specify whether the View desktop can or must be downloaded and run on a local client system.

In addition, using desktop pools provides many conveniences.
Reducing Storage Requirements with View Composer

Because View Composer creates desktop images that share virtual disks with a base image, you can reduce the required storage capacity by 50 to 90 percent. View Composer uses a base image, or parent virtual machine, and creates a pool of up to 512 linked-clone virtual machines.
Deploying Applications and System Updates with View Composer

Because linked-clone desktop pools share a base image, you can quickly deploy updates and patches by updating the parent virtual machine. The recompose feature allows you to make changes to the parent virtual machine, take a snapshot of the new state, and push the new version of the image to all, or a subset of, users and desktops.
Using Existing Processes for Application Provisioning

With VMware View, you can continue to use the application provisioning techniques that your company currently uses. Two additional considerations include managing server CPU usage and storage I/O and determining whether users are permitted to install applications.
4 Architecture Design Elements and Planning Guidelines

A typical VMware View architecture design uses a building block strategy to achieve scalability. Each building block definition can vary, based on hardware configuration, View and vSphere software versions used, and other environment-specific design factors. This chapter describes a validated example building block that consists of components that support up to 2,000 virtual desktops using vSphere 4.1.
- Estimating Memory Requirements for Virtual Desktops on page 31

RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage of overall server hardware costs and total storage capacity needed, determining the correct memory allocation is crucial to planning your desktop deployment.
Estimating Memory Requirements for Virtual Desktops

If the RAM allocation is too low, storage I/O can be negatively affected because too much memory swapping occurs.
ESX swap file
This file, which has a .vswp extension, is created if you reserve less than 100 percent of a virtual machine's RAM. The size of the swap file is equal to the unreserved portion of guest RAM. For example, if 50 percent of guest RAM is reserved and guest RAM is 2GB, the ESX swap file is 1GB. This file can be stored on the local datastore on the ESX host or cluster.

ESX suspend file
This file, which has a .
Estimating CPU Requirements for Virtual Desktops

When estimating CPU, you must gather information about the average CPU utilization for various types of workers in your enterprise. In addition, calculate that another 10 to 25 percent of processing power is required for virtualization overhead and peak periods of usage.

NOTE This topic addresses issues regarding CPU requirements when accessing View desktops remotely.
The amount of storage space required must take into account the following files for each virtual desktop:
- The ESX suspend file is equivalent to the amount of RAM allocated to the virtual machine.
- The Windows page file is equivalent to 150 percent of RAM.
- Log files take up approximately 100MB for each virtual machine.
- The virtual disk, or .vmdk file, must accommodate the operating system, applications, and future applications and software updates.
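The per-desktop file rules above, together with the ESX swap file rule from the memory topic, can be turned into a sizing calculator. The following is an added example, not code from the VMware guide; the DesktopSpec fields, the 20GB virtual disk and the 2,000-desktop pool size are assumed inputs.

```python
"""Per-desktop and per-pool storage estimate from the sizing rules in this chapter.

Added example, not from the VMware guide. It models the per-desktop files the text
lists (ESX swap file, ESX suspend file, Windows page file, log files, .vmdk) so a
planner can see how RAM size and memory reservation drive the total. The DesktopSpec
fields and the pool size used below are assumed inputs.
"""
from dataclasses import dataclass

LOG_FILES_MB = 100        # "approximately 100MB for each virtual machine"
PAGEFILE_RATIO = 1.5      # Windows page file = 150 percent of RAM
SUSPEND_RATIO = 1.0       # ESX suspend file = amount of RAM allocated


@dataclass(frozen=True)
class DesktopSpec:
    ram_mb: int           # guest RAM allocated to the virtual machine
    reserved_pct: int     # percentage of guest RAM reserved on the ESX host (0-100)
    vmdk_mb: int          # virtual disk: OS, applications and headroom for updates


@dataclass(frozen=True)
class StorageEstimate:
    swap_mb: int          # .vswp: only the unreserved portion of RAM
    suspend_mb: int
    pagefile_mb: int
    log_mb: int
    vmdk_mb: int

    def total_mb(self) -> int:
        return self.swap_mb + self.suspend_mb + self.pagefile_mb + self.log_mb + self.vmdk_mb


def estimate_desktop_storage(spec: DesktopSpec) -> StorageEstimate:
    """Apply the chapter's rules to one desktop, validating the inputs first."""
    if not 0 <= spec.reserved_pct <= 100:
        raise ValueError("reserved_pct must be between 0 and 100")
    if spec.ram_mb <= 0 or spec.vmdk_mb <= 0:
        raise ValueError("ram_mb and vmdk_mb must be positive")
    # The ESX swap file exists only when less than 100 percent of RAM is reserved,
    # and its size equals the unreserved portion of guest RAM (2GB at 50% -> 1GB).
    swap_mb = spec.ram_mb * (100 - spec.reserved_pct) // 100
    return StorageEstimate(
        swap_mb=swap_mb,
        suspend_mb=int(spec.ram_mb * SUSPEND_RATIO),
        pagefile_mb=int(spec.ram_mb * PAGEFILE_RATIO),
        log_mb=LOG_FILES_MB,
        vmdk_mb=spec.vmdk_mb,
    )


def estimate_pool_storage_mb(spec: DesktopSpec, desktops: int) -> int:
    """Total for a pool of identical full-clone desktops (linked-clone pools share
    the parent's virtual disk and need less, which this estimate does not model)."""
    if desktops <= 0:
        raise ValueError("desktops must be positive")
    return estimate_desktop_storage(spec).total_mb() * desktops


def swap_saved_by_full_reservation_mb(spec: DesktopSpec, desktops: int) -> int:
    """Storage reclaimed if the same pool runs with 100 percent of guest RAM reserved."""
    full = DesktopSpec(spec.ram_mb, 100, spec.vmdk_mb)
    return estimate_pool_storage_mb(spec, desktops) - estimate_pool_storage_mb(full, desktops)


if __name__ == "__main__":
    # Constructed input: the chapter's 2GB / 50 percent reservation example with an
    # assumed 20GB virtual disk, scaled to the 2,000-desktop building block.
    spec = DesktopSpec(ram_mb=2048, reserved_pct=50, vmdk_mb=20480)
    est = estimate_desktop_storage(spec)
    print(f"swap {est.swap_mb} MB, suspend {est.suspend_mb} MB, page file {est.pagefile_mb} MB, "
          f"logs {est.log_mb} MB, vmdk {est.vmdk_mb} MB -> {est.total_mb()} MB per desktop")
    print(f"2,000 desktops: {estimate_pool_storage_mb(spec, 2000) / 1024 / 1024:.1f} TB")
```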
Desktop Pools for Specific Types of Workers

VMware View provides many features to help you conserve storage and reduce the amount of processing power required for various use cases. Many of these features are available as pool settings. The most fundamental question to consider is whether a certain type of user needs a stateful desktop image or a stateless desktop image.
Pools for Task Workers

You can standardize on stateless desktop images for task workers so that the image is always in a well-known, easily supportable configuration and so that workers can log in to any available desktop. Because task workers perform repetitive tasks within a small set of applications, you can create stateless desktop images, which help conserve storage space and processing requirements.
Pools for Mobile Users

These users can check out a View desktop and run it locally on their laptop or desktop even without a network connection. View Client with Local Mode provides benefits for both end users and IT administrators. For administrators, local mode allows View security policies to extend to laptops that have previously been unmanaged.
- Do not turn on SSL for provisioning or downloading local mode desktops.
- If the performance of View Connection Server is affected by the number of local desktops, set the heartbeat interval to be less frequent. The heartbeat lets View Connection Server know that the local desktop has a network connection. The default interval is five minutes.
Table 4-2.
vCenter and View Composer Virtual Machine Configuration and Desktop Pool Maximums

You install both vCenter Server and View Composer on the same virtual machine. Because this virtual machine is a server, it requires much more memory and processing power than a desktop virtual machine. View Composer can create and provision up to 512 desktops per pool. View Composer can also perform a recompose operation on up to 512 desktops at a time.
View Connection Server Cluster Design Considerations

You can deploy multiple replicated View Connection Server instances in a group to support load balancing and high availability. Groups of replicated instances are designed to support clustering within a LAN-connected single-datacenter environment.
Storage and Bandwidth Requirements for View Transfer Server

Several operations use View Transfer Server to send data between the View desktop in vCenter Server and the corresponding local desktop on the client system. When a user checks in or checks out a desktop, View Transfer Server transfers the files between the datacenter and the local desktop.
Example 4-1. Cluster Configuration Example

The settings listed in Table 4-9 are VMware View-specific. For information about limits of HA clusters in vSphere, see the VMware vSphere Configuration Maximums document.

Table 4-9. HA Cluster Example

Item                   Example
Nodes (ESX servers)    8 (including 1 hot spare)
Cluster type           DRS (Distributed Resource Scheduler)/HA
Networking component   Standard ESX 4.
Figure 4-1. VMware View Building Block (figure labels: 2000 users; shared storage; 8 hosts; 8 hosts; 2 VMware ESX clusters; VMware vCenter Server)

Shared Storage for View Building Blocks

Storage design considerations are one of the most important elements of a successful View architecture. The decision that has the greatest architectural impact is whether to use View Composer desktops, which use linked-clone technology.
You can minimize these storm workloads through operational best practices, such as staggering updates to different virtual machines. You can also test various log-off policies during a pilot phase to determine whether suspending or powering off virtual machines when users log off causes an I/O storm.
The following examples show how PCoIP can be expected to perform in various WAN scenarios (scenario labels in the original table: Work from home; Mobile user):

Work from home
A user with a dedicated cable or DSL connection with 4-8MB download and less than 300ms latency can expect excellent performance under the following conditions:
- Two monitors (1920x1080)
- Microsoft Office applications
- Light use of Flash-embedded Web browsing
- Periodic use of multimedia
- Light printing with a locally connected USB prin
Table 4-11. Example of a VMware View Pod

Item                        Number
View building blocks        5
View Connection Servers     7 (1 for each building block and 2 spares)
10Gb Ethernet module        1
Modular networking switch   1
Load-balancing module       1
VPN for WAN                 1 (optional)

The network core load balances incoming requests across View Connection Server instances.
5 Planning for Security Features

VMware View offers strong network security to protect sensitive corporate data. For added security, you can integrate VMware View with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature.
- Direct Client Connections with PCoIP and HP RGS on page 50

Administrators can configure View Connection Server settings so that View desktop sessions are established directly between the client system and the View desktop virtual machine, bypassing the View Connection Server host. This type of connection is called a direct client connection.
View Client with Local Mode Client Connections

View Client with Local Mode offers mobile users the ability to check out View desktops onto their local computer. View Client with Local Mode supports both tunneled and nontunneled communications for LAN-based data transfers. With tunneled communications, all traffic is routed through the View Connection Server host, and you can specify whether to encrypt communications and data transfers.
Administrators can use the vdmadmin command-line interface to configure domain filtering, which limits the domains that a View Connection Server instance searches and that it displays to users. See the VMware View Administrator's Guide for more information. Policies, such as restricting permitted hours to log in and setting the expiration date for passwords, are also handled through existing Active Directory operational procedures.
Log In as Current User Feature

When View Client users select the Log in as current user check box, the credentials that they provided when logging in to the client system are used to authenticate to the View Connection Server instance and to the View desktop. No further user authentication is required. To support this feature, user credentials are stored on both the View Connection Server instance and on the client system.
External users cannot see the desktop pools tagged as Internal because they log in through the View Connection Server tagged as External, and internal users cannot see the desktop pools tagged as External because they log in through the View Connection Server tagged as Internal. Figure 5-1 illustrates this configuration.

Figure 5-1.
Implementing Best Practices to Secure Client Systems

You should implement best practices to secure client systems.
- Make sure that client systems are configured to go to sleep after a period of inactivity and require users to enter a password before the computer awakens.
- Require users to enter a username and password when starting client systems. Do not configure client systems to allow automatic logins.
Because users can connect directly with any View Connection Server instance from within their internal network, you do not need to implement a security server in a LAN-based deployment.

NOTE View clients that use PCoIP can connect to View security servers, but PCoIP sessions with the virtual desktop ignore the security server. PCoIP uses the User Datagram Protocol (UDP) for streaming audio and video. Security servers support only TCP.
Figure 5-2. Load-Balanced Security Servers in a DMZ (figure labels: remote View Client; external network; DMZ; load balancing; View Security Servers; View Connection Servers; Microsoft Active Directory; vCenter Management Server; ESX hosts running Virtual Desktop virtual machines)

When remote users connect to a security server, they must successfully authenticate before they can access View desktops.
Figure 5-3. Multiple Security Servers (figure labels: remote View Client; external network; View Client; internal network; DMZ; load balancing; View Security Servers; load balancing; View Connection Servers; vCenter Management Server; Microsoft Active Directory; ESX hosts running Virtual Desktop virtual machines)

You must implement a hardware or software load balancing solution if you install more than one security server.
Figure 5-4. Dual Firewall Topology (figure labels: View Client; View Client; HTTPS traffic; firewall; fault-tolerant load balancing mechanism; HTTPS traffic; DMZ; View Security Server; View Security Server; firewall; internal network; View Connection Server; View Connection Server; VMware vCenter; Active Directory; VMware ESX servers)

Firewall Rules for DMZ-Based Security Servers

DMZ-based security servers require certain firewall rules on the front-end and back-end firewalls.
Table 5-2. Back-End Firewall Rules

Source            Protocol   Port   Destination              Notes
Security server   AJP13      8009   View Connection Server   Security servers use port 8009 to transmit AJP13-forwarded Web traffic to View Connection Server instances.
Security server   JMS        4001   View Connection Server   Security servers use port 4001 to transmit Java Message Service (JMS) traffic to View Connection Server instances.
Figure 5-5.
Figure 5-6.
Table 5-3. Default Ports (Continued)

Protocol   Port
SOAP       TCP port 80 or 443
PCoIP      TCP port 4172 from View Client to the View desktop. PCoIP also uses UDP port 4172 in both directions. For USB redirection, TCP port 32111 is used alongside PCoIP from the client to the View desktop.
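A planned rule set can be checked against the back-end firewall rules in Table 5-2 and the default ports in Table 5-3 before the firewalls are built. The following is an added example, not code from the VMware guide; the zone names (client, dmz, internal, desktop), the Rule format and the sample rule set are assumptions made for this illustration, while the ports come from the tables above.

```python
"""Check a planned firewall rule set against the View ports listed in this chapter.

Added example, not from the VMware guide. Required flows are taken from Tables 5-2
and 5-3: AJP13 8009 and JMS 4001 from the security server to View Connection Server;
PCoIP TCP 4172 client to desktop and UDP 4172 in both directions; USB redirection
TCP 32111. Zone names and the Rule format are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    first_port: int
    last_port: int  # inclusive destination port range

    def permits(self, flow: Flow) -> bool:
        return (self.src == flow.src and self.dst == flow.dst
                and self.proto == flow.proto
                and self.first_port <= flow.port <= self.last_port)


# Zone assumption: security servers in "dmz", View Connection Server instances in
# "internal", View desktops in "desktop", View Client machines in "client".
REQUIRED_FLOWS: List[Flow] = [
    Flow("dmz", "internal", "tcp", 8009, "AJP13-forwarded Web traffic to View Connection Server"),
    Flow("dmz", "internal", "tcp", 4001, "Java Message Service (JMS) traffic to View Connection Server"),
    Flow("client", "desktop", "tcp", 4172, "PCoIP, View Client to View desktop"),
    Flow("client", "desktop", "udp", 4172, "PCoIP UDP, client to desktop"),
    Flow("desktop", "client", "udp", 4172, "PCoIP UDP, desktop to client (used in both directions)"),
    Flow("client", "desktop", "tcp", 32111, "USB redirection alongside PCoIP"),
]


def missing_flows(rules: Iterable[Rule], required: Iterable[Flow] = REQUIRED_FLOWS) -> List[Flow]:
    """Required flows that no rule in the plan permits."""
    rules = list(rules)
    return [f for f in required if not any(r.permits(f) for r in rules)]


def udp_rules_into_security_servers(rules: Iterable[Rule], dmz_zone: str = "dmz") -> List[Rule]:
    """Security servers support only TCP, so a UDP rule whose destination is the
    security-server zone cannot carry a PCoIP session and should be questioned."""
    return [r for r in rules if r.dst == dmz_zone and r.proto == "udp"]


def report(rules: Iterable[Rule]) -> List[str]:
    """Human-readable findings, one per line."""
    rules = list(rules)
    lines = [f"MISSING: {f.proto.upper()} {f.port} {f.src} -> {f.dst} ({f.purpose})"
             for f in missing_flows(rules)]
    lines += [f"INEFFECTIVE: UDP {r.first_port}-{r.last_port} {r.src} -> {r.dst} "
              "(security servers support only TCP)"
              for r in udp_rules_into_security_servers(rules)]
    return lines or ["OK: all required flows are permitted"]


# Constructed sample plan: the JMS rule was forgotten and a UDP 4172 rule targets the DMZ.
SAMPLE_RULES: List[Rule] = [
    Rule("dmz", "internal", "tcp", 8009, 8009),
    Rule("client", "desktop", "tcp", 4172, 4172),
    Rule("client", "desktop", "udp", 4172, 4172),
    Rule("desktop", "client", "udp", 4172, 4172),
    Rule("client", "desktop", "tcp", 32111, 32111),
    Rule("client", "dmz", "udp", 4172, 4172),
]

if __name__ == "__main__":
    for line in report(SAMPLE_RULES):
        print(line)
```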
Firewall Rules for View Connection Server

Certain incoming TCP ports must be opened on the firewall for View Connection Server instances and security servers. When you install View Connection Server on Windows Server 2008, the installation program can optionally configure the required Windows firewall rules for you. When you install View Connection Server on Windows Server 2003, you must configure the required Windows firewall rules manually.

Table 5-4.
Firewall Rules for Active Directory

If you have a firewall between your VMware View environment and your Active Directory server, you must make sure that all of the necessary ports are opened. For example, View Connection Server must be able to access the Active Directory Global Catalog and Lightweight Directory Access Protocol (LDAP) servers.
6 Overview of Steps to Setting Up a VMware View Environment

Complete these high-level tasks to install VMware View and configure an initial deployment.

Table 6-1. View Installation and Setup Check List

Step   Task
1      Set up the required administrator users and groups in Active Directory. Instructions: VMware View Installation Guide and vSphere documentation
2      If you have not yet done so, install and set up VMware ESX servers and vCenter Server.