VMware View Architecture Planning
View 5.0
View Manager 5.0
View Composer 2.7

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright © 2009–2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents

VMware View Architecture Planning 5
1 Introduction to VMware View 7
  Advantages of Using VMware View 7
  VMware View Features 9
  How the VMware View Components Fit Together 9
  Integrating and Customizing VMware View 13
2 Planning a Rich User Experience 15
  Feature Support Matrix 15
  Choosing a Display Protocol 17
  Using View Persona Management to Retain User Data and Settings
  Benefits of Using View Desktops in Local Mode 19
  Accessing USB Devices Connected to a Local Computer 21
  Printing from a View D
  Using Group Policy Settings to Secure View Desktops 57
  Implementing Best Practices to Secure Client Systems 58
  Assigning Administrator Roles 58
  Preparing to Use a Security Server 58
  Understanding VMware View Communications Protocols 63
6 Overview of Steps to Setting Up a VMware View Environment 69
Index 71
VMware View Architecture Planning

VMware View Architecture Planning provides an introduction to VMware View™, including a description of its major features and deployment options and an overview of how VMware View components are typically set up in a production environment.
1 Introduction to VMware View

With VMware View, IT departments can run virtual desktops in the datacenter and deliver desktops to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.
Figure 1-1. Administrative Console for View Manager Showing the Dashboard View

Another feature that increases convenience is the VMware remote display protocol PCoIP. The PCoIP (PC-over-IP) display protocol delivers an end-user experience equal to the current experience of using a physical PC:
- On LANs, the display is faster and smoother than traditional remote displays.
VMware View Features

Features included in VMware View support usability, security, centralized control, and scalability. The following features provide a familiar experience for the end user:
- On Microsoft Windows client devices, print from a virtual desktop to any local or networked printer that is defined on the Windows client device.
- Assigning applications packaged with VMware ThinApp to specific desktops and pools
- Managing local and remote desktop sessions
- Establishing secure connections between users and desktops
- Enabling single sign-on
- Setting and applying policies

Inside the corporate firewall, you install and configure a group of two or more View Connection Server instances.
View Portal

To use View Portal, end users on a Windows or Mac PC or laptop open a Web browser and enter the URL of a View Connection Server instance. View Portal provides a link for downloading the installer for the full View Client for Windows or the Mac.

View Agent

You install the View Agent service on all virtual machines, physical systems, and Terminal Services servers that you use as sources for View desktops.
View Transfer Server

This software manages and streamlines data transfers between the datacenter and View desktops that are checked out for use on end users' local systems. View Transfer Server is required to support desktops that run View Client with Local Mode (formerly called Offline Desktop). Several operations use View Transfer Server to send data between the View desktop in vCenter Server and the corresponding local desktop on the client system.
- Query the state of View services.

You can use the cmdlets in conjunction with the vSphere PowerCLI cmdlets, which provide an administrative interface to the VMware vSphere product. For more information, see the VMware View Integration document.

Modifying LDAP Configuration Data in View

When you use View Administrator to modify the configuration of VMware View, the appropriate LDAP data in the repository is updated.
2 Planning a Rich User Experience

VMware View provides the familiar, personalized desktop environment that end users expect. End users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. VMware View includes many features that you might want to make available to your end users.
Choosing a Display Protocol

A display protocol provides end users with a graphical interface to a View desktop that resides in the datacenter. You can use PCoIP (PC-over-IP), which VMware provides, or Microsoft RDP (Remote Desktop Protocol). You can set policies to control which protocol is used or to allow end users to choose the protocol when they log in to a desktop.
- You can copy and paste text and system objects such as folders and files between the local system and the View desktop.
- RDP supports 32-bit color.
- RDP supports 128-bit encryption.
- You can use this protocol for making secure, encrypted connections to a View security server in the corporate DMZ.

Using View Persona Management to Retain User Data and Settings

View Persona Management retains changes that users make to their profiles.
- Specify which files and folders to download in the background after a user logs in to the desktop. Within a folder, you can also specify files to exclude.
- Specify which files and folders within a user's persona to manage with Windows roaming profiles functionality instead of View Persona Management. Within a folder, you can also specify files to exclude.

As with Windows roaming profiles, you can configure folder redirection.
View desktops in local mode behave in the same way as their remote desktop equivalents, yet can take advantage of local resources. Latency is eliminated, and performance is enhanced. Users can disconnect from their local View desktop and log in again without connecting to the View Connection Server. After network access is restored, or when the user is ready, the checked-out virtual machine can be backed up, rolled back, or checked in.
The data on each local system is encrypted with AES. 128-bit encryption is the default, but you can configure 192-bit or 256-bit encryption. The desktop has a lifetime controlled through policy. If the client loses contact with View Connection Server, the maximum time without server contact is the period in which the user can continue to use the desktop before the user is refused access.
Printing from a View Desktop

The virtual printing feature allows end users with View Client on Windows systems to use local or network printers from a View desktop without requiring that additional print drivers be installed in the View desktop. The location-based printing feature allows you to map View desktops to the printer that is closest to the endpoint client device.
Using Multiple Monitors with a View Desktop

Regardless of the display protocol, you can use multiple monitors with a View desktop. If you use PCoIP, the display protocol from VMware, you can adjust the display resolution and rotation separately for each monitor. PCoIP allows a true multiple-monitor session rather than a span mode session. A span mode remote session is actually a single-monitor session.
3 Managing Desktop Pools from a Central Location

You can create pools that include one or hundreds of virtual desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Terminal Services servers. Create one virtual machine as a base image, and VMware View can generate a pool of virtual desktops from that image. You can easily install or stream applications to pools with VMware ThinApp.
- Specify whether the View desktop can or must be downloaded and run on a local client system.

In addition, using desktop pools provides many conveniences.

Dedicated-assignment pools: Each user is assigned a particular View desktop and returns to the same virtual desktop at each login. Users can personalize their desktops, install applications, and store data.
When you create a linked-clone desktop pool, a full clone is first made from the parent virtual machine. The full clone, or replica, and the clones linked to it can be placed on the same data store, or LUN (logical unit number). If necessary, you can use the rebalance feature to move the replica and linked clones from one LUN to another.
- Adding applications
- Adding virtual devices
- Changing other virtual machine settings, such as available memory

You can create a View Composer persistent disk that contains user settings and other user-generated data. This persistent disk is not affected by a recompose operation. When a linked clone is deleted, you can preserve the user data. When an employee leaves the company, another employee can access the departing employee's user data.
If your company allows users to install applications, you can continue your current policies, but you cannot take advantage of View Composer features such as refreshing and recomposing the desktop. With View Composer, if an application is not virtualized or otherwise included in the user's profile or data settings, that application is discarded whenever a View Composer refresh, recompose, or rebalance operation occurs.
4 Architecture Design Elements and Planning Guidelines

A typical VMware View architecture design uses a pod strategy that consists of components that support up to 10,000 virtual desktops using a vSphere 4.1 or later infrastructure. Pod definitions can vary, based on hardware configuration, View and vSphere software versions used, and other environment-specific design factors. This architecture provides a standard, scalable design that you can adapt to your enterprise environment and special requirements.
- Estimating CPU Requirements for Virtual Desktops on page 35

When estimating CPU, you must gather information about the average CPU utilization for various types of workers in your enterprise. In addition, calculate that another 10 to 25 percent of processing power is required for virtualization overhead and peak periods of usage.
Estimating Memory Requirements for Virtual Desktops

RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage of overall server hardware costs and total storage capacity needed, determining the correct memory allocation is crucial to planning your desktop deployment. If the RAM allocation is too low, storage I/O can be negatively affected because too much memory swapping occurs.
deleted when the virtual machines are powered off. Disposable page-file redirection saves storage, slowing the growth of linked clones, and can also improve performance. Although you can adjust the size from within Windows, doing so might have a negative effect on application performance.

Windows hibernate file for laptops: This file can equal 100 percent of guest RAM.
A good starting point is to allocate 1GB for Windows XP desktops and 32-bit Windows Vista and Windows 7 desktops and 2GB for 64-bit Windows 7 desktops. During a pilot, monitor the performance and disk space used with various types of workers and make adjustments until you find the optimal setting for each pool of workers.
- Use centralized file shares or a View Composer persistent disk for user-generated content and user-installed applications.

The amount of storage space required must take into account the following files for each virtual desktop:
- The ESX/ESXi suspend file is equivalent to the amount of RAM allocated to the virtual machine.
- The Windows page file is equivalent to 150 percent of RAM.
- Log files take up approximately 100MB for each virtual machine.
Desktop Pools for Specific Types of Workers

VMware View provides many features to help you conserve storage and reduce the amount of processing power required for various use cases. Many of these features are available as pool settings. The most fundamental question to consider is whether a certain type of user needs a stateful desktop image or a stateless desktop image.
Pools for Task Workers

You can standardize on stateless desktop images for task workers so that the image is always in a well-known, easily supportable configuration and so that workers can log in to any available desktop. Because task workers perform repetitive tasks within a small set of applications, you can create stateless desktop images, which help conserve storage space and processing requirements.
- For power users and knowledge workers who must install their own applications, which adds data to the operating system disk, create full virtual machine desktops.
- If knowledge workers do not require user-installed applications except for temporary use, you can create View Composer linked-clone desktops. The desktop images share the same base image and use less storage space than full virtual machines.
Use the following recommendations to reduce the amount of bandwidth and I/O operations required by each virtual machine and maximize the number of virtual machines on an ESX/ESXi host.
- Set a View policy so that end users must use their View desktops in local mode only. With this setting, the virtual machines in the datacenter remain locked and powered off.
Desktop Virtual Machine Configuration

Because the amount of RAM, CPU, and disk space that virtual desktops require depends on the guest operating system, separate configuration examples are provided for Windows XP, Windows Vista, and Windows 7 virtual desktops. The example settings for virtual machines, such as memory, number of virtual processors, and disk space, are VMware View-specific.
Table 4-4. Desktop Virtual Machine Example for Windows 7, on an ESX/ESXi 4.1 or Later Host (Continued)

Item                        Example
Virtual SCSI adapter type   LSI Logic SAS (the default)
Virtual network adapter     VMXNET 3 (To use this adapter, you must install Microsoft hotfix patch http://support.microsoft.com/kb/2550978 for Windows 7 SP1 or http://support.microsoft.com/kb/2344941 for previous versions.)
View Connection Server Maximums and Virtual Machine Configuration

When you install View Connection Server, the View Administrator user interface is also installed. This server requires more memory and processing resources than a vCenter Server instance.

View Connection Server Configuration

Although you can install View Connection Server on a physical machine, this example uses a virtual machine with the specifications listed in Table 4-6.
PCoIP Secure Gateway connections are required if you use security servers for PCoIP connections from outside the corporate network. Tunneled connections are required if you use security servers for RDP connections from outside the corporate network and for USB and multimedia redirection (MMR) acceleration with a PCoIP Secure Gateway connection. You can pair multiple security servers to a single connection server.
In very large VMware View deployments, vCenter performance and responsiveness can be improved by having only one cluster object per datacenter object, which is not the default behavior. By default, VMware vCenter creates new clusters within the same datacenter object.
Table 4-10. Example of a LAN-Based View Building Block

Item                                Example
vSphere clusters                    2 or more (with up to 8 ESX/ESXi hosts in each cluster)
80-port network switch              1
Shared storage system               1
vCenter Server with View Composer   1 (can be run in the block itself)
Database                            MS SQL Server or Oracle database server (can be run in the block itself)
VLANs                               3 (a 1Gbit Ethernet network for each: management network, storage network, and VMotion network)

With vCenter 4.
You can also reduce operating system disk space by using View Composer persistent disks or a shared file server as the primary repository for the user profile and user documents. Because View Composer lets you separate user data from the operating system, you might find that only the persistent disk needs to be backed up or replicated, which further reduces storage requirements.
Optimization Controls Available with PCoIP

If you use the PCoIP display protocol from VMware, you can adjust several elements that affect bandwidth usage.
- You can adjust the size of the image cache on Windows and Linux client systems, from 50MB to 300MB. Image caching reduces the amount of display data that must be retransmitted.
- You can configure the image quality level and frame rate used during periods of network congestion.
- 400 to 600Kbps average bandwidth for virtual desktops utilizing multiple monitors, 3D, Aero, and Office 2010.
- 500Kbps to 1Mbps minimum peak bandwidth to provide headroom for bursts of display changes.

In general, size your network using the average bandwidth, but consider peak bandwidth to accommodate bursts of imaging traffic associated with large screen changes.
Table 4-11. Example of a VMware View Pod (Continued)

Item                        Number
Modular networking switch   1
Load-balancing module       1
VPN for WAN                 1 (optional)

The network core load balances incoming requests across View Connection Server instances. Support for a redundancy and failover mechanism, usually at the network level, prevents the load balancer from becoming a single point of failure.
5 Planning for Security Features

VMware View offers strong network security to protect sensitive corporate data. For added security, you can integrate VMware View with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature.
- Tunneled Client Connections with Microsoft RDP on page 52

When users connect to a View desktop with the Microsoft RDP display protocol, View Client can make a second HTTPS connection to the View Connection Server host. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data.
- Because VMware View manages the HTTPS connection, the reliability of the underlying protocols is significantly improved. If a user temporarily loses a network connection, the HTTP connection is reestablished after the network connection is restored and the RDP connection automatically resumes without requiring the user to reconnect and log in again.
The desktop has a lifetime controlled through policy. If the client loses contact with View Connection Server, the maximum time without server contact is the period in which the user can continue to use the desktop before the user is refused access. On the client side, this expiration policy is stored in a file that is encrypted by a key that is built into the application.
RSA SecurID Authentication

RSA SecurID provides enhanced security with two-factor authentication, which requires knowledge of the user's PIN and token code. The token code is only available on the physical SecurID token. Administrators can enable individual View Connection Server instances for RSA SecurID authentication by installing the RSA SecurID software on the View Connection Server host and modifying View Connection Server settings.
- On the client system, user credentials are encrypted and stored in a table in the Authentication Package, which is a component of View Client. The credentials are added to the table when the user logs in and are removed from the table when the user logs out. The table resides in volatile memory.

Administrators can use View Client group policy settings to control the availability of the Log in as current user check box and to specify its default value.
Implementing Best Practices to Secure Client Systems

You should implement best practices to secure client systems.
- Make sure that client systems are configured to go to sleep after a period of inactivity and require users to enter a password before the computer awakens.
- Require users to enter a username and password when starting client systems. Do not configure client systems to allow automatic logins.
Because users can connect directly with any View Connection Server instance from within their internal network, you do not need to implement a security server in a LAN-based deployment.

NOTE As of View 4.6, security servers include a PCoIP Secure Gateway component so that clients that use the PCoIP display protocol can use a security server rather than a VPN.
Figure 5-2. Load-Balanced Security Servers in a DMZ (diagram components: remote View Client, external network, DMZ with load balancing and View Security Servers, View Connection Servers, Microsoft Active Directory, vCenter Management Server, ESX hosts running Virtual Desktop virtual machines)

When remote users connect to a security server, they must successfully authenticate before they can access View desktops.
Figure 5-3. Multiple Security Servers (diagram components: remote View Client on the external network, View Client on the internal network, DMZ with load balancing and View Security Servers, load balancing in front of the View Connection Servers, vCenter Management Server, Microsoft Active Directory, ESX hosts running Virtual Desktop virtual machines)

You must implement a hardware or software load balancing solution if you install more than one security server.
Back-End Firewall Rules

To allow a security server to communicate with each View Connection Server instance that resides within the internal network, the back-end firewall must allow inbound traffic on certain TCP ports. Behind the back-end firewall, internal firewalls must be similarly configured to allow View desktops and View Connection Server instances to communicate with each other. Table 5-2 summarizes the back-end firewall rules.
Table 5-3. Default Ports (Continued)

Protocol       Port
PCoIP          TCP port 4172 from View Client to the View desktop. PCoIP also uses UDP port 4172 in both directions.
PCoIP or RDP   For USB redirection, TCP port 32111 is used alongside PCoIP or RDP from the client to the View desktop.
View LDAP

View LDAP is an embedded LDAP directory in View Connection Server and is the configuration repository for all VMware View configuration data. View LDAP contains entries that represent each View desktop, each accessible View desktop, multiple View desktops that are managed together, and View component configuration settings. View LDAP also includes a set of View plug-in DLLs to provide automation and notification services for other VMware View components.
Table 5-5. TCP Ports Opened During View Agent Installation (Continued)

Protocol   Ports
MMR        9427
PCoIP      4172 (TCP and UDP)

The View Agent installation program configures the local firewall rule for inbound RDP connections to match the current RDP port of the host operating system, which is typically 3389. If you change the RDP port number, you must change the associated firewall rules.
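As an added example (not VMware's code), the following Python script audits a View desktop's enabled inbound firewall rules against the View ports this document lists in Tables 5-3 and 5-5, and flags the case the paragraph above warns about: the RDP port was changed after installation but the installer's firewall rule was not. The rule-line format, the parser and the sample rule set are constructed for the example.

```python
"""Audit a View desktop's inbound host-firewall rules against the View ports
documented in Tables 5-3 and 5-5 (PCoIP 4172 TCP/UDP, MMR 9427, USB
redirection 32111, and RDP matched to the host's current RDP port).
Added example, not VMware code; the rule line format is a constructed
simplification rather than any real firewall's export format."""
from dataclasses import dataclass

DEFAULT_RDP_PORT = 3389  # "typically 3389" per the Table 5-5 notes

# (protocol, port) pairs the document says a View desktop must accept inbound.
VIEW_AGENT_PORTS = frozenset({
    ("tcp", 4172),   # PCoIP from View Client to the desktop
    ("udp", 4172),   # PCoIP, used in both directions
    ("tcp", 9427),   # multimedia redirection (MMR)
    ("tcp", 32111),  # USB redirection alongside PCoIP or RDP
})


def expected_ports(rdp_port=DEFAULT_RDP_PORT):
    """Ports the desktop should accept, given the host's current RDP port."""
    return VIEW_AGENT_PORTS | {("tcp", rdp_port)}


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    action: str     # "allow" or "block"
    proto: str      # "tcp" or "udp"
    port: int
    enabled: bool


def parse_rules(text):
    """Parse constructed rule lines: <dir> <action> <proto> <port> <state>.
    '#' starts a comment; blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, action, proto, port, state = line.split()
        rules.append(Rule(direction.lower(), action.lower(), proto.lower(),
                          int(port), state.lower() == "enabled"))
    return rules


def audit(rules, rdp_port=DEFAULT_RDP_PORT):
    """Compare effective inbound allows with the documented View port set.
    missing: documented ports with no enabled inbound allow rule.
    unexpected: enabled inbound allows outside the documented set (review).
    stale_rdp: RDP moved off 3389 but the 3389 rule is still open."""
    open_in = {(r.proto, r.port) for r in rules
               if r.direction == "in" and r.action == "allow" and r.enabled}
    want = expected_ports(rdp_port)
    return {
        "missing": sorted(want - open_in),
        "unexpected": sorted(open_in - want),
        "stale_rdp": (rdp_port != DEFAULT_RDP_PORT
                      and ("tcp", DEFAULT_RDP_PORT) in open_in),
    }


# Constructed sample: RDP was moved to 3390 after the View Agent was
# installed, so the installer's 3389 rule was never updated.
SAMPLE_RULES = """
in  allow tcp 4172  enabled   # PCoIP
in  allow udp 4172  enabled   # PCoIP
in  allow tcp 9427  disabled  # MMR rule present but switched off
in  allow tcp 32111 enabled   # USB redirection
in  allow tcp 3389  enabled   # RDP rule written at View Agent install time
in  allow tcp 445   enabled   # SMB, not a View port
out allow tcp 443   enabled   # outbound, ignored by the audit
"""


def sample_audit():
    """Run the audit on the constructed sample with RDP now on 3390."""
    return audit(parse_rules(SAMPLE_RULES), rdp_port=3390)


if __name__ == "__main__":
    for key, value in sample_audit().items():
        print(f"{key}: {value}")
```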
6 Overview of Steps to Setting Up a VMware View Environment

Complete these high-level tasks to install VMware View and configure an initial deployment.

Table 6-1. View Installation and Setup Check List

Step   Task
1      Set up the required administrator users and groups in Active Directory.
       Instructions: VMware View Installation and vSphere documentation
2      If you have not yet done so, install and set up VMware ESX/ESXi hosts and vCenter Server.