VMware View Architecture Planning
View 5.1
View Manager 5.1
View Composer 3.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2009–2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents

VMware View Architecture Planning 5
1 Introduction to VMware View 7
  Advantages of Using VMware View 7
  VMware View Features 9
  How the VMware View Components Fit Together 10
  Integrating and Customizing VMware View 14
2 Planning a Rich User Experience 17
  Feature Support Matrix 17
  Choosing a Display Protocol 19
  Using View Persona Management to Retain User Data and Settings
  Benefits of Using View Desktops in Local Mode 23
  Accessing USB Devices Connected to a Local Computer 25
  Printing from a View

  Using Group Policy Settings to Secure View Desktops 61
  Implementing Best Practices to Secure Client Systems 62
  Assigning Administrator Roles 62
  Preparing to Use a Security Server 62
  Understanding VMware View Communications Protocols 68
6 Overview of Steps to Setting Up a VMware View Environment 73
Index 75
VMware View® Architecture Planning provides an introduction to VMware View™, including a description of its major features and deployment options and an overview of how VMware View components are typically set up in a production environment.
1 Introduction to VMware View

With VMware View, IT departments can run virtual desktops in the datacenter and deliver desktops to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.

Convenience
The unified management console is built for scalability on Adobe Flex, so that even the largest View deployments can be efficiently managed from a single View Manager interface. Wizards and dashboards enhance the workflow and facilitate drilling down to see details or change settings. Figure 1-1 provides an example of the browser-based user interface for View Administrator.

Figure 1-1.

Hardware Independence
Virtual machines are hardware-independent. Because a View desktop runs on a server in the datacenter and is only accessed from a client device, a View desktop can use operating systems that might not be compatible with the hardware of the client device. For example, although Windows 7 can run only on Windows 7-enabled PCs, you can install Windows 7 in a virtual machine and use that virtual machine on a PC that is not Windows 7-enabled.

- Configure View Connection Server to broker connections between end users and the virtual desktops that they are authorized to access.
- Use View Composer to quickly create desktop images that share virtual disks with a master image. Using linked clones in this way conserves disk space and simplifies the management of patches and updates to the operating system.

Figure 1-2.

- Assigning applications packaged with VMware ThinApp to specific desktops and pools
- Managing local and remote desktop sessions
- Establishing secure connections between users and desktops
- Enabling single sign-on
- Setting and applying policies

Inside the corporate firewall, you install and configure a group of two or more View Connection Server instances.

View Agent
You install the View Agent service on all virtual machines, physical systems, and Terminal Service servers that you use as sources for View desktops. On virtual machines, this agent communicates with View Client to provide features such as connection monitoring, virtual printing, View Persona Management, and access to locally connected USB devices.

View Transfer Server
This software manages and streamlines data transfers between the datacenter and View desktops that are checked out for use on end users' local systems. View Transfer Server is required to support desktops that run View Client with Local Mode (formerly called Offline Desktop). Several operations use View Transfer Server to send data between the View desktop in vCenter Server and the corresponding local desktop on the client system.

- Query the state of View services.

You can use the cmdlets in conjunction with the vSphere PowerCLI cmdlets, which provide an administrative interface to the VMware vSphere product. For more information, see the VMware View Integration document.

Modifying LDAP Configuration Data in View
When you use View Administrator to modify the configuration of VMware View, the appropriate LDAP data in the repository is updated.
2 Planning a Rich User Experience

VMware View provides the familiar, personalized desktop environment that end users expect. End users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. VMware View includes many features that you might want to make available to your end users.

Table 2-1.

Choosing a Display Protocol
A display protocol provides end users with a graphical interface to a View desktop that resides in the datacenter. You can use PCoIP (PC-over-IP), which VMware provides, or Microsoft RDP (Remote Desktop Protocol). You can set policies to control which protocol is used or to allow end users to choose the protocol when they log in to a desktop.

Video Quality
480p-formatted video
You can play video at 480p or lower at native resolutions when the View desktop has a single virtual CPU. If the operating system is Windows 7 and you want to play the video in high-definition Flash or in full screen mode, the desktop requires a dual virtual CPU.
720p-formatted video
You can play video at 720p at native resolutions if the View desktop has a dual virtual CPU.

Microsoft RDP
Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data. Microsoft RDP provides the following features:
- With RDP 6, you can use multiple monitors in span mode. RDP 7 has true multiple monitor support, for up to 16 monitors.
- Windows registry entries configured by user applications.

To facilitate these abilities, View Persona Management requires storage on a CIFS share equal to or greater than the size of the user's local profile.

Minimizing Logon and Logoff Times
View Persona Management minimizes the time it takes to log on to and off of desktops.
- View takes recent changes in the profile on the View desktop and copies them to the remote repository at regular intervals.
To configure a remote repository to store personas, you can use either a network share or an existing Active Directory user profile path that you configured for Windows roaming profiles. The network share can be a folder on a server, a network-attached storage (NAS) device, or a network server. To support a large View deployment, you can configure separate repositories for different desktop pools. With View 5.

Although a local desktop can take advantage of local resources, a Windows 7 or Windows Vista View desktop that is created on an ESX/ESXi 3.5 host cannot produce 3D and Windows Aero effects. This limitation applies even when the desktop is checked out for local use on a Windows 7 or Windows Vista host. Windows Aero and 3D effects are available only if the View desktop is created using vSphere 4.x or later.

- For security reasons, you cannot access the host CD-ROM from within the View desktop.
- Also for security reasons, you cannot copy and paste text or system objects such as files and folders between the local system and the View desktop.

Accessing USB Devices Connected to a Local Computer
Administrators can configure the ability to use USB devices, such as thumb flash drives, VoIP (voice-over-IP) devices, and printers, from a View desktop.

Streaming Multimedia to a View Desktop
Wyse MMR (multimedia redirection) enables full-fidelity playback when multimedia files are streamed to a View desktop. The MMR feature supports the media file formats that the client system supports, because local decoders must exist on the client. File formats include MPEG2, WMV, AVI, and WAV, among others.

- If you use a View desktop in local mode, no remote display protocol is used. You can use up to 2 monitors in span mode.
3 Managing Desktop Pools from a Central Location

You can create pools that include one or hundreds of virtual desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Terminal Services servers. Create one virtual machine as a base image, and VMware View can generate a pool of virtual desktops from that image. You can easily install or stream applications to pools with VMware ThinApp.

- Specify whether the View desktop can or must be downloaded and run on a local client system.

In addition, using desktop pools provides many conveniences.

Dedicated-assignment pools
Each user is assigned a particular View desktop and returns to the same virtual desktop at each login. Users can personalize their desktops, install applications, and store data.

- You can deploy a desktop pool on a cluster that contains up to 32 ESXi hosts, but you must store the replica disks on NFS datastores. Although replica disks must be stored on NFS datastores, OS disks and persistent disks can be stored on NFS or VMFS datastores.

Using local datastores is most likely to work well if the View desktops in your environment are stateless. For example, you might use local datastores if you deploy stateless kiosks or classroom and training stations. If you intend to take advantage of the benefits of local storage, you must carefully consider the following limitations:
- You cannot use VMotion, VMware High Availability (HA), or vSphere Distributed Resource Scheduler (DRS).

You can create a View Composer persistent disk that contains user settings and other user-generated data. This persistent disk is not affected by a recompose operation. When a linked clone is deleted, you can preserve the user data. When an employee leaves the company, another employee can access the departing employee's user data. A user who has multiple desktops can consolidate the user data on a single desktop.

If users have firm requirements for installing their own applications and having those applications persist for the lifetime of the virtual desktop, instead of using View Composer for application provisioning, you can create full persistent desktops and allow users to install applications.
4 Architecture Design Elements and Planning Guidelines

A typical VMware View architecture design uses a pod strategy that consists of components that support up to 10,000 virtual desktops using a vSphere 4.1 or later infrastructure. Pod definitions can vary, based on hardware configuration, View and vSphere software versions used, and other environment-specific design factors. This architecture provides a standard, scalable design that you can adapt to your enterprise environment and special requirements.

- Estimating CPU Requirements for Virtual Desktops on page 39
  When estimating CPU, you must gather information about the average CPU utilization for various types of workers in your enterprise. In addition, calculate that another 10 to 25 percent of processing power is required for virtualization overhead and peak periods of usage.

Estimating Memory Requirements for Virtual Desktops
RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage of overall server hardware costs and total storage capacity needed, determining the correct memory allocation is crucial to planning your desktop deployment. If the RAM allocation is too low, storage I/O can be negatively affected because too much memory swapping occurs.
deleted when the virtual machines are powered off. Disposable page-file redirection saves storage, slows the growth of linked clones, and can also improve performance. Although you can adjust the size from within Windows, doing so might have a negative effect on application performance.

Windows hibernate file for laptops
This file can equal 100 percent of guest RAM.
A good starting point is to allocate 1GB for Windows XP desktops and 32-bit Windows Vista and Windows 7 desktops and 2GB for 64-bit Windows 7 desktops. During a pilot, monitor the performance and disk space used with various types of workers and make adjustments until you find the optimal setting for each pool of workers.
- Use centralized file shares or a View Composer persistent disk for user-generated content and user-installed applications.

The amount of storage space required must take into account the following files for each virtual desktop:
- The ESX/ESXi suspend file is equivalent to the amount of RAM allocated to the virtual machine.
- The Windows page file is equivalent to 150 percent of RAM.
- Log files take up approximately 100MB for each virtual machine.
Desktop Pools for Specific Types of Workers
VMware View provides many features to help you conserve storage and reduce the amount of processing power required for various use cases. Many of these features are available as pool settings. The most fundamental question to consider is whether a certain type of user needs a stateful desktop image or a stateless desktop image.

Pools for Task Workers
You can standardize on stateless desktop images for task workers so that the image is always in a well-known, easily supportable configuration and so that workers can log in to any available desktop. Because task workers perform repetitive tasks within a small set of applications, you can create stateless desktop images, which help conserve storage space and processing requirements.

- Use vStorage thin provisioning so that at first, each desktop uses only as much storage space as the disk needs for its initial operation.
- For power users and knowledge workers who must install their own applications, which adds data to the operating system disk, create full virtual machine desktops.

Additional Recommendations Targeting Minimal Capital Expenditure
You can reduce the number of ESX/ESXi hosts required for your local mode pool if you increase the number of virtual machines per ESX/ESXi host. An ESX/ESXi 4.1 host can accommodate up to 500 virtual machines if most are not powered on at the same time, as is frequently the case for local mode pools.

- Use an Active Directory GPO (group policy object) to configure location-based printing, so that the desktop uses the nearest printer.

For a complete list and description of the settings available through Group Policy administrative (ADM) templates, see the VMware View Administration document.

Table 4-4. Desktop Virtual Machine Example for Windows 7, on an ESX/ESXi 4.

For the system requirements of a standalone View Composer instance, installed on a separate server from vCenter Server, see the system requirements topic in the VMware View Installation document.

IMPORTANT: VMware recommends that you place the database to which vCenter and View Composer connect on a separate virtual machine.

Table 4-7. View Desktop Connections (Continued)
Connection Servers per Deployment   Connection Type                      Maximum Simultaneous Connections
1 Connection Server                 Unified Access to physical PCs       100
1 Connection Server                 Unified Access to terminal servers   200

PCoIP Secure Gateway connections are required if you use security servers for PCoIP connections from outside the corporate network.

vSphere Clusters
VMware View deployments can use VMware HA clusters to guard against physical server failures. With View 5.1 and later and vSphere 5 and later, if you use View Composer and store replica disks on NFS datastores, the cluster can contain up to 32 servers, or nodes. VMware vSphere and vCenter provide a rich set of features for managing clusters of servers that host View desktops.

Table 4-9. HA Cluster Example (Continued)
Item                   Example
Networking component   Standard ESXi 5.0 cluster network
Switch ports           80

NOTE: With View 5.1 and later and vSphere 5 and later, if you use View Composer and store replica disks on NFS datastores, the cluster can contain up to 32 ESXi hosts. For more information, see the chapter about creating desktop pools, in the VMware View Administration document.

Shared Storage for View Architectures
Storage design considerations are one of the most important elements of a successful View architecture. The decision that has the greatest architectural impact is whether to use View Composer desktops, which use linked-clone technology.

With the PCoIP display protocol, if you have an enterprise LAN with 100Mb or a 1Gb switched network, your end users can expect excellent performance under the following conditions:
- Two monitors (1920x1080)
- Heavy use of Microsoft Office applications
- Heavy use of Flash-embedded Web browsing
- Frequent use of multimedia with limited use of full screen mode
- Frequent use of USB-based peripherals
- Network-based printing

This information was excerpted from th

- WAN accelerators also compress network traffic between client and server, but this compression is usually limited to 2:1 compression ratios. PCoIP is able to provide compression ratios of up to 100:1 for images and audio.

For information about the controls introduced with View 5 that you can use to adjust the way PCoIP consumes bandwidth, see “Optimization Controls Available with PCoIP,” on page 52.

VMware View Pod
A VMware View pod integrates five 2,000-user building blocks into a View Manager installation that you can manage as one entity. A pod is a unit of organization determined by VMware View scalability limits. Table 4-11 lists the components of a View pod.

Table 4-11.
5 Planning for Security Features

VMware View offers strong network security to protect sensitive corporate data. For added security, you can integrate VMware View with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature.

- Tunneled Client Connections with Microsoft RDP on page 56
  When users connect to a View desktop with the Microsoft RDP display protocol, View Client can make a second HTTPS connection to the View Connection Server host. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data.

- Because VMware View manages the HTTPS connection, the reliability of the underlying protocols is significantly improved. If a user temporarily loses a network connection, the HTTP connection is reestablished after the network connection is restored and the RDP connection automatically resumes without requiring the user to reconnect and log in again.

The desktop has a lifetime controlled through policy. If the client loses contact with View Connection Server, the maximum time without server contact is the period in which the user can continue to use the desktop before the user is refused access. On the client side, this expiration policy is stored in a file that is encrypted by a key that is built into the application.

Using Two-Factor Authentication
You can configure a View Connection Server instance so that users are required to use RSA SecurID authentication or RADIUS (Remote Authentication Dial-In User Service) authentication. With View 5.1 and later releases, RADIUS support has been added to the two-factor authentication feature included with VMware View:
- RADIUS support offers a wide range of alternative two-factor token-based authentication options.

Using the Log In as Current User Feature
When View Client users select the Log in as current user check box, the credentials that they provided when logging in to the client system are used to authenticate to the View Connection Server instance and to the View desktop. No further user authentication is required. To support this feature, user credentials are stored on both the View Connection Server instance and on the client system.

- Assign the tag "External" to the View Connection Server instance that is paired with the security server and supports your external users.
- Assign the "Internal" tag to the desktop pools that should be accessible only to internal users.
- Assign the "External" tag to the desktop pools that should be accessible only to external users.

- Prevent non-View client systems from using RDP to connect to View desktops. You can set this policy so that connections must be View-managed, which means that users must use View Client to connect to View desktops.

See the VMware View Administration document for information on using View Client group policy settings.

Implementing Best Practices to Secure Client Systems
You should implement best practices to secure client systems.

Because users can connect directly with any View Connection Server instance from within their internal network, you do not need to implement a security server in a LAN-based deployment.

NOTE: As of View 4.6, security servers include a PCoIP Secure Gateway component so that clients that use the PCoIP display protocol can use a security server rather than a VPN.
Figure 5-2. Load-Balanced Security Servers in a DMZ (diagram: remote View Client on the external network; DMZ with load balancing in front of View Security Servers; View Connection Servers, Microsoft Active Directory, vCenter Management Server, and ESX hosts running Virtual Desktop virtual machines on the internal network)

When remote users connect to a security server, they must successfully authenticate before they can access View desktops.

Figure 5-3. Multiple Security Servers (diagram: remote View Client on the external network and View Client on the internal network; DMZ with load balancing in front of View Security Servers; load balancing in front of View Connection Servers; vCenter Management Server, Microsoft Active Directory, and ESX hosts running Virtual Desktop virtual machines)

You must implement a hardware or software load balancing solution if you install more than one security server.

Figure 5-4.

Back-End Firewall Rules
To allow a security server to communicate with each View Connection Server instance that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow View desktops and View Connection Server instances to communicate with each other. Table 5-2 summarizes the back-end firewall rules.

Table 5-2.

Understanding VMware View Communications Protocols
VMware View components exchange messages by using several different protocols. Figure 5-5 illustrates the protocols that each component uses for communication when a security server is not configured. That is, the secure tunnel for RDP and the PCoIP secure gateway are not turned on. This configuration might be used in a typical LAN deployment.

Figure 5-5.

Figure 5-6.
Table 5-3. Default Ports (Continued)
Protocol       Port
PCoIP          TCP port 4172 from View Client to the View desktop. PCoIP also uses UDP port 4172 in both directions.
PCoIP or RDP   For USB redirection, TCP port 32111 is used alongside PCoIP or RDP from the client to the View desktop.

View LDAP
View LDAP is an embedded LDAP directory in View Connection Server and is the configuration repository for all VMware View configuration data. View LDAP contains entries that represent each View desktop, each accessible View desktop, multiple View desktops that are managed together, and View component configuration settings. View LDAP also includes a set of View plug-in DLLs to provide automation and notification services for other VMware View components.

Table 5-5. TCP Ports Opened During View Agent Installation (Continued)
Protocol   Ports
MMR        9427
PCoIP      4172 (TCP and UDP)

The View Agent installation program configures the local firewall rule for inbound RDP connections to match the current RDP port of the host operating system, which is typically 3389. If you change the RDP port number, you must change the associated firewall rules.
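As an added example (not VMware's code), the following Python audits a desktop's inbound host-firewall rules against the View Agent ports listed in Tables 5-3 and 5-5 and reads the current RDP listener port from captured reg query output, so that the case the paragraph warns about, an RDP port changed without updating the matching rule, is reported. The rule names, the sample rule set and the reg query text are constructed; only the port numbers come from the document.

```python
"""Audit a View desktop's inbound host-firewall rules against the View Agent
port set. Added example, not VMware's code: the port numbers come from Tables
5-3 and 5-5 above; rule names and sample data are constructed assumptions."""
import re
from dataclasses import dataclass

# Inbound ports the guide documents for a View desktop: PCoIP 4172 TCP and UDP,
# USB redirection TCP 32111, MMR TCP 9427. RDP is added per host because the
# installer's RDP rule follows the operating system's current RDP port.
VIEW_AGENT_INBOUND = {
    ("tcp", 4172): "PCoIP",
    ("udp", 4172): "PCoIP",
    ("tcp", 32111): "USB redirection",
    ("tcp", 9427): "MMR",
}
DEFAULT_RDP_PORT = 3389  # "typically 3389" per the guide

# Matches the PortNumber line printed by:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
_PORTNUMBER_RE = re.compile(r"^\s*PortNumber\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$", re.M)


def parse_rdp_port(reg_query_output):
    """Return the RDP listener port from captured reg query output."""
    m = _PORTNUMBER_RE.search(reg_query_output)
    if not m:
        raise ValueError("PortNumber value not found in reg query output")
    return int(m.group(1), 0)  # base 0 accepts both 0xd3d and decimal 3389


@dataclass(frozen=True)
class Rule:
    """One inbound firewall rule (simplified model, not netsh output)."""
    name: str
    proto: str   # "tcp" or "udp"
    port: int
    action: str  # "allow" or "block"


def audit_view_agent_firewall(rules, rdp_port=DEFAULT_RDP_PORT):
    """Return (missing, unexpected).

    missing:    (proto, port, service) tuples with no effective inbound allow;
                a block rule on the same port defeats an allow, as in Windows Firewall.
    unexpected: names of allow rules opening ports outside the View set, such as
                an RDP rule still on 3389 after the RDP port was changed.
    """
    expected = dict(VIEW_AGENT_INBOUND)
    expected[("tcp", rdp_port)] = "RDP"
    rules = list(rules)
    allowed = {(r.proto.lower(), r.port) for r in rules if r.action == "allow"}
    blocked = {(r.proto.lower(), r.port) for r in rules if r.action == "block"}
    effective = allowed - blocked
    missing = sorted((p, n, svc) for (p, n), svc in expected.items() if (p, n) not in effective)
    unexpected = sorted({r.name for r in rules
                         if r.action == "allow" and (r.proto.lower(), r.port) not in expected})
    return missing, unexpected


# Constructed sample: the rule set left behind when the View Agent installer ran
# while RDP listened on the default port 3389 (rule names are assumptions).
INSTALLER_RULES = [
    Rule("View PCoIP (TCP-In)", "tcp", 4172, "allow"),
    Rule("View PCoIP (UDP-In)", "udp", 4172, "allow"),
    Rule("View USB Redirection (TCP-In)", "tcp", 32111, "allow"),
    Rule("View MMR (TCP-In)", "tcp", 9427, "allow"),
    Rule("Remote Desktop (TCP-In)", "tcp", 3389, "allow"),
]

# Constructed reg query output for the same host after RDP was moved to 3390
# (0xd3e) without the firewall rule being updated.
REG_QUERY_CHANGED = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\r\n"
    "    PortNumber    REG_DWORD    0xd3e\r\n"
)


def demo():
    """Audit the constructed host; returns (rdp_port, missing, unexpected)."""
    port = parse_rdp_port(REG_QUERY_CHANGED)
    missing, unexpected = audit_view_agent_firewall(INSTALLER_RULES, rdp_port=port)
    return port, missing, unexpected
```

On a real host, feed parse_rdp_port the output of the reg query command shown in the comment and build the Rule list from the host's actual inbound rules; a non-empty missing list means a View feature will fail at the host firewall, and unexpected entries are the stale rules to remove.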
6 Overview of Steps to Setting Up a VMware View Environment

Complete these high-level tasks to install VMware View and configure an initial deployment.

Table 6-1. View Installation and Setup Check List
Step   Task
1      Set up the required administrator users and groups in Active Directory.
       Instructions: VMware View Installation and vSphere documentation
2      If you have not yet done so, install and set up VMware ESX/ESXi hosts and vCenter Server.