vWorkspace 7.5
Transcription
vWorkspace 7.5
vWorkspace 7.5 Administration Guide © 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com email: [email protected] Refer to our Web site for regional and international office information. Patents This product includes patent pending technology. Trademarks Quest, Quest Software, the Quest Software logo, and MessageStats are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners. Disclaimer The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. Quest vWorkspace Administration Guide Updated - January 2012 Software Version - 7.5 CONTENTS ABOUT THIS GUIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XIII OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XIV CONVENTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XIV ABOUT QUEST SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . . . XV CONTACT QUEST SOFTWARE . . . . . . . . . . . . . . . . . . . . . XV VWORKSPACE RESOURCES . . . . . . . . . . . . . . . . . . . . . . . . . XV CONTACT QUEST SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . XVI CHAPTER 1 INTRODUCTION TO VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . 1 VWORKSPACE OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . 2 BENEFITS OF VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . 4 VWORKSPACE COMPONENTS . . . . . . . . . . . . . . . . . . . . . . . . 5 VWORKSPACE CORE COMPONENTS . . . . . . . . . . . . . . . . . . 5 VWORKSPACE PERIPHERAL COMPONENTS . . . . . . . . . . . . . . 7 vWorkspace Reporting Database Web Access . . . . . . . . . . . . . . . Secure Gateway . . . . . . . . . . . . Password Reset Service. . . . . . . Proxy IT . . . . . . . . . . . . . . . . . VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 .8 .8 .8 .8 ENABLING COMPONENTS . . . . . . . . . . . . . . . 8 Virtual Desktop Extensions (PNTools) Hyper-V Catalyst . . . . . . . . . . . . . . Instant Provisioning . . . . . . . . . . . . Quick Start Wizard . . . . . . . . . . . . . Broker Helper Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 .9 .9 10 10 COMPONENTS FOR VIRTUAL WORKSPACE MANAGEMENT . . . . .10 Application Restrictions . . . . . . . . . . . . . . . . . Virtual Computer Management Tasks . . . . . . . Desktop Group and Individual Desktop Policies Desktop and Application Publishing . . . . . . . . . User Environment Control . . . . . . . . . . . . . . . Performance Optimization . . . . . . . . . . . . . . . Virtual User Profiles . . . . . . . . . . . . . . . . . . . Universal Printer Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 11 11 11 12 12 12 12 i vWorkspace Administration Guide Application Compatibility Enhancements . . . . . . . . . . . . 13 Time Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Virtual IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 USER EXPERIENCE ENHANCEMENTS . . . . . . . . . . . . . . . . .13 EXPERIENCE OPTIMIZATION PROTOCOL . . . . . . . . . . . . . . . . . .15 VWORKSPACE CONNECTORS. . . . . . . . . . . . . . . . . . . . . . . . .16 CHAPTER 2 INSTALLATION OF VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . 19 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20 TCP PORT REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . . . .22 INSTALL USING THE SIMPLE METHOD . . . . . . . . . . . . . . . . . . .23 INSTALL USING THE ADVANCED METHOD . . . . . . . . . . . . . . . . .25 LICENSING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31 INSTALLATION REFERENCE . . . . . . . . . . . . . . . . . . . . . . .33 INSTALLING WEB ACCESS . . . . . . . . . . . . . . . . . . . . . . . . . .34 Upgrading Web Access . . . . . . . . . . . . . . . . . . . . . . . . 35 INSTALL THE REPORTING AND LOGGING ROLE . . . . . . . . . . . . . .35 SCRIPTED INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . .41 EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43 VWORKSPACE CONNECTORS. . . . . . . . . . . . . . . . . . . . . . . . .44 VWORKSPACE RD CONNECTION BROKER SUPPORT . . . . . . . .45 INSTALL RD BROKER SUPPORT . . . . . . . . . . . . . . . . . . . .46 ADD AN RD CONNECTION BROKER TO VWORKSPACE. . . . . . .50 APPPORTAL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53 QUEST VWORKSPACE CONNECTOR SILENT INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . .56 VASCLIENT32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 VASCLIENT32T. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 UPGRADE VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . . . .59 CHAPTER 3 VWORKSPACE MANAGEMENT CONSOLE . . . . . . . . . . . . . . . . . . . 67 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68 VWORKSPACE ii MANAGEMENT CONSOLE INTERFACE . . . . . . . . . . .68 QUICK START WIZARD . . . . . . . . . . . . . . . . . . . . . . . . . . . .71 DESKTOP CLOUD . . . . . . . . . . . . . . . . . . . . . . . . . . . .73 VIRTUAL DESKTOPS . . . . . . . . . . . . . . . . . . . . . . . . . .74 REMOTE DESKTOP SESSION HOST . . . . . . . . . . . . . . . . . .74 BLADE PCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75 VWORKSPACE VWORKSPACE WELCOME WINDOW . . . . . . . . . . . . . . . . . .75 MENU OPTIONS AND ICONS . . . . . . . . . . . . . . . .76 FILE MENU OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . .78 Current User Sessions . . Administration . . . . . . . Licensing . . . . . . . . . . . Database Configuration . VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 82 87 89 OBJECT NODES . . . . . . . . . . . . . . . . . . . . . . .92 FARM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93 LOCATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97 TARGETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98 Target Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Define Advanced Targets . . . . . . . . . . . . . . . . . . . . . . 102 RESOURCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 PACKAGED APPLICATIONS . . . . . . . . . . . . . . . . . . . . . . 108 App-V Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 MSI Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 PERFORMANCE OPTIMIZATION. . . . . . . . . . . . . . . . . . . . 117 VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 FILE AND REGISTRY REDIRECTION . . . . . . . . . . . . . . . . . 118 LOAD BALANCING . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 WEBSITES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 LOCATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 LOCATIONS NODE OPTIONS . . . . . . . . . . . . . . . . . . . . . 119 Virtualization Management Servers. New Location . . . . . . . . . . . . . . . . Delete a Location . . . . . . . . . . . . . Locations Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 120 127 127 CONNECTION BROKERS . . . . . . . . . . . . . . . . . . . . . . . 132 iii vWorkspace Administration Guide DESKTOPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Computer Groups . . . . . . . . . . . . . . Managed Computers . . . . . . . . . . . . Operating System Customizations . . Initialize Computer . . . . . . . . . . . . . Virtual Desktop Extensions (PNTools) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 153 172 186 188 SESSION HOSTS . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Session Host Management . . . . . . . . . . . . . . . . . . . . . 195 Provisioning Session Hosts. . . . . . . . . . . . . . . . . . . . . 202 CHAPTER 4 VIRTUALIZATION PLATFORM INTEGRATION . . . . . . . . . . . . . . . 209 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Virtualization Management Servers. . . . . . . . . . . . . . . 210 Network Storage Management Servers . . . . . . . . . . . . 210 MANAGEMENT SERVERS WINDOW . . . . . . . . . . . . . . . . . 211 ADD MANAGEMENT SERVERS . . . . . . . . . . . . . . . . . . . . 213 VIRTUALIZATION HOSTS . . . . . . . . . . . . . . . . . . . . . . . . . . 220 MICROSOFT HYPER-V INTEGRATION . . . . . . . . . . . . . . . . . . . 225 VWORKSPACE DATA COLLECTOR . . . . . . . . . . . . . . . . . . 225 HYPER-V CATALYST . . . . . . . . . . . . . . . . . . . . . . . . . 226 PROVISION-TIME LOAD BALANCING . . . . . . . . . . . . . . . . 227 CONNECTION-TIME LOAD BALANCING . . . . . . . . . . . . . . . 227 HYPER-V HOST CONTEXT MENU . . . . . . . . . . . . . . . . . . 227 HYPER-V HOST PROPERTIES . . . . . . . . . . . . . . . . . . . . 227 DESKTOP CLOUD MAINTENANCE . . . . . . . . . . . . . . . . . . 229 ADD COMPUTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 MICROSOFT SCVMM INTEGRATION . . . . . . . . . . . . . . . . . . . 233 CONNECT TO MICROSOFT SCVMM . . . . . . . . . . . . . . . . 233 MICROSOFT DIFFERENCING DISKS . . . . . . . . . . . . . . . . . 234 REPROVISION COMPUTERS . . . . . . . . . . . . . . . . . . . . . 234 Add Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 VIDEO ADAPTER AND STATIC/DYNAMIC MEMORY . . . . . . . . 243 HYPER-V BROKER HELPER SERVICE . . . . . . . . . . . . . . . . 247 iv VCENTER INTEGRATION . . . . . . . . . . . . . . . . . . . . . . . . . . 247 RAPID PROVISIONING . . . . . . . . . . . . . . . . . . . . . . . . 248 NetApp FlexClone . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 VMware Linked Clones . . . . . . . . . . . . . . . . . . . . . . . 250 VMWARE VNETWORK DISTRIBUTED SWITCH . . . . . . . . . . . 253 REPROVISION COMPUTERS . . . . . . . . . . . . . . . . . . . . . 253 DISK PERSISTENCE AND MEMORY . . . . . . . . . . . . . . . . . 256 UPGRADING AND CHANGING NONPERSISTENT DISKS . . . . . . 257 COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . 258 ADD COMPUTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 PARALLELS VIRTUOZZO CONTAINERS INTEGRATION . . . . . . . . . . 271 PARALLELS VIRTUOZZO NODES . . . . . . . . . . . . . . . . . . . 271 RD SESSION HOST INTEGRATION . . . . . . . . . . . . . . . . . . . . 274 REMOTEAPP SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . 275 RD CONNECTION BROKER INTEGRATION . . . . . . . . . . . . . . . . 275 IMPORTING EXISTING COMPUTERS INTO A GROUP . . . . . . . . . . 276 MONITORING OPERATIONS . . . . . . . . . . . . . . . . . . . . . 279 CHAPTER 5 MANAGING THE VIRTUAL WORKSPACE . . . . . . . . . . . . . . . . . . 281 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 TWO-FACTOR AUTHENTICATION . . . . . . . . . . . . . . . . . . . . . 284 MANAGED APPLICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . 289 MICROSOFT RD SESSION HOSTS . . . . . . . . . . . . . . . . . 289 MANAGED COMPUTERS . . . . . . . . . . . . . . . . . . . . . . . . 290 VIRTUALIZED APPLICATIONS . . . . . . . . . . . . . . . . . . . . 291 MANAGED APPLICATIONS PROPERTIES . . . . . . . . . . . . . . . 291 Graphics Acceleration . . . . . . . . . . . . . . . . . . . . . . . . 292 Custom Properties . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 NEW APPLICATION TOOL. . . . . . . . . . . . . . . . . . . . . . . 293 PUBLISH RD SESSION HOST APPLICATIONS . . . . . . . . . . . 295 PUBLISH A MANAGED DESKTOP . . . . . . . . . . . . . . . . . . 303 PUBLISH MANAGED APPLICATIONS . . . . . . . . . . . . . . . . . 305 v vWorkspace Administration Guide PUBLISH CONTENT . . . . . . . . . . . . . . . . . . . . . . . . . . 306 PUBLISHED APPLICATIONS TASKS . . . . . . . . . . . . . . . . . 308 INTERNET EXPLORER COMPATIBILITY . . . . . . . . . . . . . . . 311 Typical Deployment . . . . . . . . . . . . . . . . . . . . . . . . . 313 VWORKSPACE CONNECTORS. . . . . . . . . . . . . . . . . . . . . . . . 315 VWORKSPACE CONNECTOR INTERFACES . . . . . . . . . . . . . . 315 AppPortal Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 315 Web Access Interface . . . . . . . . . . . . . . . . . . . . . . . . 316 VWORKSPACE CONNECTOR FOR WINDOWS PACKAGES . . . . . 317 VAS Client 32. . . . . . . . . . . . . . . . VAS Client 32T . . . . . . . . . . . . . . . VAS Client 32TS . . . . . . . . . . . . . . vWorkspace Connector Executables Additional Registry Settings . . . . . . VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 317 318 318 318 CONNECTOR CONFIGURATION . . . . . . . . . . . 320 FIRST TIME START CONFIGURATION . . . . . . . . . . . . . . . . 320 MULTIPLE MONITOR SUPPORT . . . . . . . . . . . . . . . . . . . 322 MANAGE APPPORTAL CONNECTIONS . . . . . . . . . . . . . . . . 324 Farm Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Connectivity Settings . . . . . . . . . . . . . . . . . . . . . . Firewall/Proxy Traversal (vWorkspace CB type only) . RD Gateway (RD Connection Broker type only) . . . . Credentials Settings . . . . . . . . . . . . . . . . . . . . . . . Display Settings . . . . . . . . . . . . . . . . . . . . . . . . . . Local Resources Settings . . . . . . . . . . . . . . . . . . . . Experience Settings . . . . . . . . . . . . . . . . . . . . . . . Password Management Settings . . . . . . . . . . . . . . . Desktop Integration Settings . . . . . . . . . . . . . . . . . Auto-Launch Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 326 327 329 330 331 333 335 337 338 339 APPPORTAL IN DESKTOP INTEGRATED MODE . . . . . . . . . . . 340 APPPORTAL ACTIONS MENU OPTIONS . . . . . . . . . . . . . . . 340 APPPORTAL SETTINGS MENU OPTIONS . . . . . . . . . . . . . . 342 PNTRAY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 VWORKSPACE U3 APPPORTAL CONNECTOR. . . . . . . . . . . . 345 U3 AppPortal Client Modes. . . . . . . . . . . . . . . . . . . . . 345 Use the U3 AppPortal . . . . . . . . . . . . . . . . . . . . . . . . 345 vi CENTRAL CONFIGURATION OF APPPORTAL . . . . . . . . . . . . 346 Location Section of Config.xml . . . . . . . . . . . . . . . . . . 356 RESOURCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 ADDITIONAL CUSTOMIZATIONS . . . . . . . . . . . . . . . . . . . 358 APPLICATION RESTRICTIONS . . . . . . . . . . . . . . . . . . . . 361 How Application Restrictions Work . . . . . . . . . . . . . . . 361 APPLICATION RESTRICTION PROPERTIES . . . . . . . . . . . . . 362 Application Restrictions General Properties Application Restrictions Server Groups . . . Properties of an Application Restriction List Assign an Application List to Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363 365 366 368 CONNECTION POLICIES . . . . . . . . . . . . . . . . . . . . . . . 370 COLOR SCHEMES . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 DRIVE MAPPINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 ENVIRONMENT VARIABLES . . . . . . . . . . . . . . . . . . . . . . 377 HOST RESTRICTIONS . . . . . . . . . . . . . . . . . . . . . . . . . 378 REGISTRY TASKS . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 SCRIPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 TIME ZONES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 USER POLICIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 VIRTUAL USER PROFILES . . . . . . . . . . . . . . . . . . . . . . 386 WALLPAPERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 SECURE GATEWAY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 INSTALLATION REQUIREMENTS . . . . . . . . . . . . . . . . . . . 389 Secure Gateway Certificate . . . . . . . . . . . . . . . . . . . . 390 SECURE GATEWAY CONFIGURATION . . . . . . . . . . . . . . . . 391 DEPLOYMENT OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . 396 WEB ACCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 WEB ACCESS TOOLS . . . . . . . . . . . . . . . . . . . . . . . . . 407 vWorkspace Web Access Site Manager . . . . . . . . . . . . 407 vWorkspace Management Console Websites Node . . . . 409 CONFIGURATION . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Define vWorkspace Websites . . . . . . . . . . . . . . . . . . . 409 Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . 409 Firewall/Secure Gateway . . . . . . . . . . . . . . . . . . . . . . 410 vii vWorkspace Administration Guide Domain/Login Settings Downloads/Connectors Experience. . . . . . . . . Browser Interface . . . . Other Settings . . . . . . Additional Farms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 414 415 419 420 420 UPDATE SITE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 VWORKSPACE CONNECTOR PACKAGES. . . . . . . . . . . . . . . 421 Other vWorkspace Connectors . . . . . . . . . . . . . . . . . . 422 INTEGRATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Juniper Secure Access . . . . . . . F5 Firepass . . . . . . . . . . . . . . SharePoint. . . . . . . . . . . . . . . Citrix XenApp and XenDesktop . VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 431 436 438 REPORTING . . . . . . . . . . . . . . . . . . . . . . . . . 439 VWORKSPACE REPORTING COMPONENTS . . . . . . . . . . . . . 440 Sample Report Viewer. . . . . . . . . . . . . . . . . . . . . . . . 440 DATABASES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 vWorkspace Farm Database. . . . . . . . . . . . . . . . . . . . 446 vWorkspace Reporting Database . . . . . . . . . . . . . . . . 446 REPORTING SCHEMA . . . . . . . . . . . . . . . . . . . . . . . . . 447 Virtual Machines and Virtual Machine Pools View Column Definitions . . . . . . . . . . . . . Actions . . . . . . . . . . . . . . . . . . . . . . . . . Applications and Application Restrictions . . Clients, Folders, and Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447 449 451 457 463 DEFAULT REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Historical Reports . Real-Time Reports Audits . . . . . . . . . Custom Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 469 470 470 CHAPTER 6 MANAGING THE USER EXPERIENCE . . . . . . . . . . . . . . . . . . . . . 477 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 UNIVERSAL PRINTING . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 UNIVERSAL PRINTER COMPONENTS . . . . . . . . . . . . . . . . 480 UNIVERSAL PRINT DRIVER. . . . . . . . . . . . . . . . . . . . . . 480 viii UNIVERSAL CLIENT PRINTER AUTO-CREATION OPTION . . . . . 480 UNIVERSAL NETWORK PRINTER AUTO-CREATION OPTION . . . 481 UNIVERSAL PRINTER PROPERTIES . . . . . . . . . . . . . . . . . 483 Universal Printer Client Properties. . . . . . . . . . . . . . . . 497 UNIVERSAL NETWORK PRINT SERVICES . . . . . . . . . . . . . . 499 Universal Network Print Server Extensions Option . . . . 500 Universal Print Relay Service for Remote Sites . . . . . . . 502 Manage Relay Servers. . . . . . . . . . . . . . . . . . . . . . . . 506 PRINTERS WINDOW IN VWORKSPACE MANAGEMENT CONSOLE 508 UNIVERSAL PRINTER PROPERTIES . . . . . . . . . . . . . . . . . 509 Network Printer Properties . . . . . . . . . . . . . . . . . . . . . 511 VIRTUAL USER PROFILE MANAGEMENT . . . . . . . . . . . . . . . . . 512 HOW VIRTUAL USER PROFILES WORK. . . . . . . . . . . . . . . 513 VIRTUAL USER PROFILES PROPERTIES . . . . . . . . . . . . . . . 514 GENERAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515 STORAGE SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . 516 SILOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 PERMISSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520 CONFIGURE VIRTUAL USER PROFILES . . . . . . . . . . . . . . . . . . 520 MANDATORY VIRTUAL USER PROFILE . . . . . . . . . . . . . . . 523 ASSIGN MANDATORY VIRTUAL USER PROFILES . . . . . . . . . 523 DEFINE VIRTUAL USER PROFILES . . . . . . . . . . . . . . . . . 524 Manually Configure User Profiles. . . . . . . . . . . . . . . . . 525 Import and Export User Profiles . . . . . . . . . . . . . . . . . 532 EOP (EXPERIENCE OPTIMIZATION PROTOCOL) . . . . . . . . . . . . 534 OPTIMIZATION SETTINGS . . . . . . . . . . . . . . . . . . . . . . 535 EOP AUDIO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536 EOP TEXT ECHO . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 EOP MULTIMEDIA ACCELERATION . . . . . . . . . . . . . . . . . 543 Media Player Redirection . . . . . . . . . . Flash Redirection . . . . . . . . . . . . . . . Flash Redirection Windowless Support Flash Redirection Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543 543 544 544 ix vWorkspace Administration Guide EOP GRAPHICS ACCELERATION . . . . . . . . . . . . . . . . . . 548 EOP Graphics Acceleration Implementation . . . . . . . . . 548 EOP Graphics Acceleration Registry Settings . . . . . . . . 549 EOP Graphics Acceleration Setup . . . . . . . . . . . . . . . . 550 EOP XTREAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555 Latency Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . 556 Firewall Considerations . . . . . . . . . . . . . . . . . . . . . . . 556 Configure Quest EOP Xtream . . . . . . . . . . . . . . . . . . . 556 USB DEVICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560 vWorkspace Virtual USB Hub Requirements. . . . . . . . . . . vWorkspace Virtual USB Hub vWorkspace Virtual USB Hub vWorkspace Virtual USB Hub vWorkspace Virtual USB Hub vWorkspace Virtual USB Hub vWorkspace Virtual USB Hub vWorkspace Virtual USB Hub vWorkspace Virtual USB Hub Smart Card USB Redirection Client . . . . . . . . . . ............... Client . . . . . . . . . . Client Applet. . . . . . Client System Tray . Client Services . . . . Server . . . . . . . . . . Server Applet . . . . . Server System Tray Server Services . . . ............... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561 561 561 562 565 565 566 566 567 568 570 USB-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 How USB-IT Works . . . . . . . . . . . . . . . . . . . . . . . . . . 572 LOAD BALANCING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 LOAD BALANCING RULES . . . . . . . . . . . . . . . . . . . . . . 573 HOW LOAD BALANCING WORKS . . . . . . . . . . . . . . . . . . 574 LOAD BALANCING ON SESSION HOSTS . . . . . . . . . . . . . . 577 LOAD BALANCING GUIDELINES . . . . . . . . . . . . . . . . . . . 577 PERFORMANCE OPTIMIZATION. . . . . . . . . . . . . . . . . . . . . . . 581 CPU UTILIZATION MANAGEMENT . . . . . . . . . . . . . . . . . . 581 VIRTUAL MEMORY OPTIMIZATION . . . . . . . . . . . . . . . . . 582 Enable CPU and Memory Optimization. . . . . . . . . . . . . 584 MAX-IT MASTER POLICY SETTINGS . . . . . . . . . . . . . . . . 584 Max-IT Server Policy . . . . . . . . . . . . . . . . . . . . . . . . . 589 VIEW VM OPTIMIZATION RESULTS . . . . . . . . . . . . . . . . 589 MANUALLY APPLY OPTIMIZATIONS . . . . . . . . . . . . . . . . . 591 x APPLICATION COMPATIBILITY ENHANCEMENTS . . . . . . . . . . . . . 591 How Application Compatibility Enhancements Work . . . 592 Create Redirection Rules . . . . . . . . . . . . . . . . . . . . . . 592 VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597 Virtual IP Configuration . . . . . . . . . . . . . . . . . . . . . . . 597 ADDITIONAL COMPONENTS . . . . . . . . . . . . . . . . . . . . . . . . 601 VWORKSPACE PASSWORD RESET SERVICE . . . . . . . . . . . . 601 PROXY-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604 Proxy-IT with Session Directory Services. . . . . . . . . . . 606 APPENDICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609 APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609 CONFIGURABLE REGISTRY SETTINGS . . . . . . . . . . . . . . . 609 Active Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609 PNTSC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609 InitialAppWaitTime . . . . . . . . . . . . . . . . . . . . . . . . . . 610 APPENDIX B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611 SENTILLION INTEGRATION . . . . . . . . . . . . . . . . . . . . . . 611 INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613 xi vWorkspace Administration Guide xii About This Guide • Overview • Conventions • About Quest Software • vWorkspace Resources • Contact Quest Support vWorkspace Administration Guide Overview The Quest vWorkspace Administration Guide is designed to assist administrators with tasks pertaining to installing Quest vWorkspace. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product. Conventions In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references: ELEMENT CONVENTION Select This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons. Bolded text Interface elements that appear in Quest Software products, such as menus and commands. Italic text Used for comments. Bold Italic text Used for emphasis. Blue text Indicates a cross-reference. When viewed in Adobe® Reader®, this format can be used as a hyperlink. Used to highlight additional information pertinent to the process being described. Used to provide Best Practice information. A best practice details the recommended course of action for the best result. Used to highlight processes that should be performed with care. xiv + A plus sign between two keystrokes means that you must press them at the same time. | A pipe sign between elements means that you must select the elements in that particular sequence. About Quest Software Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to www.quest.com. Contact Quest Software Email [email protected] Mail Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA Web site www.quest.com Refer to our Web site for regional and international office information. vWorkspace Resources The Quest vWorkspace home page is found at http://www.quest.com/vworkspace. The following resources are available from the vWorkspace web site: • Software downloads - Select the Download link and log in. Downloadable files include the vWorkspace product, hotfixes, prerequisites, and documentation. • Technical Training - Select the Education link to review course schedules and enroll in classes. • Licensing - Select the Licensing link to view and generate vWorkspace licenses. • Support - Select the Support link to be redirected to the Quest SupportLink website, where you can download the latest releases, documentation, and patches; enter new support cases and manage existing cases via the Case Management option, and search the knowledgebase. • Community - Select the Community link, or use the following URL: http://communities.quest.com/community/vworkspace xv vWorkspace Administration Guide Contact Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/. From SupportLink, you can do the following: • Retrieve thousands of solutions from our online Knowledgebase • Download the latest releases and service packs • Create, update and review Support cases View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/. xvi 1 Introduction to vWorkspace • vWorkspace Overview • vWorkspace Components • Experience Optimization Protocol • vWorkspace Connectors vWorkspace Administration Guide vWorkspace Overview Welcome to Quest vWorkspace. Quest vWorkspace is an enterprise level virtual desktop delivery and management system that transforms the desktop infrastructure into an on-demand service; providing management, provisioning, and brokering of virtual desktops, while optimizing the experience for users connecting over the LAN and WAN. Quest vWorkspace provides enterprise class management of a virtual desktop infrastructure and Remote Desktop Session Hosts by centralizing the user’s computing workspace in the data center and managing them as a whole from a single console. The vWorkspace Management Console is an integrated console and is the primary interface for administering a vWorkspace farm. The vWorkspace Management Console allows you to manage users’ connections to the virtual infrastructure, and provides embedded tools for creating, sustaining and removing virtual desktops and session hosts; enabling end-to-end life cycle management. Quest vWorkspace delivers virtual applications and desktops through a single access point, hosted from a plethora of platforms including multiple hypervisors, Remote Desktop Session Hosts and blade PCs. The Experience Optimized Protocol (EOP) addresses the user experience challenges of Virtual Desktop Infrastructures (VDI) and Remote Desktop Session Hosts by provisioning seamless, reliable, high-performance enhancements over traditional remote desktop software. These enhancements ensure that your VDI and Remote Desktop Session Host deployment can deliver on the promise of virtualization and a true local-desktop experience. 2 Quest vWorkspace delivers a management platform for desktop virtualization that consolidates multiple desktop virtualization techniques and technologies. Quest vWorkspace delivers simplicity to the organization comprised of: one user access point, one management console, excellent user and administrator experience, and the lowest cost for virtual desktop and application delivery. Quest vWorkspace delivers five levels of independence, enabling organizations to deliver desktops and applications with the most cost-effective combination of virtualization technologies for the needs of each user classification. 3 vWorkspace Administration Guide Desktops are logical groupings of virtual or physical computers that share common attributes and adhere to common policies. Desktops often mirror a departmental function or task, a geographical location, or an outsourced entity. A vWorkspace-enabled hosted desktop infrastructure consists of a farm of desktops. A vWorkspace experience can be delivered to the client in the form of a published desktop, or as a set of individually published applications which are pre-installed onto each desktop or streamed on demand. Application streaming is a software distribution methodology used to enhance the management and flexibility of a desktop infrastructure by making the need to pre-install (manually or by using conventional software distribution tools) the applications onto each desktop unnecessary. Benefits of vWorkspace • Simplify Management with an Integrated Console vWorkspace provides an integrated console for the management of desktops and applications across VDI, Remote Desktop Session Hosts, and blade PCs, while automating tasks such as desktop provisioning and user environment configuration. 4 vWorkspace Components • Improve Security and Business Continuity through Centralization Two-factor authentication, a Secure Gateway, and comprehensive delegation of administrator privileges ensure secure remote access and safe management of centralized desktops. Fault tolerance, rapid recovery, and one-click desktop reprovisioning deliver high system availability. • Increase Workforce Productivity with Dynamic Delivery Mix and match desktop and application delivery from multiple virtualization platforms to provide dynamic and location-independent access for users. Platform independence provides the flexibility to change providers and blend old and new virtualization investments. • Ease Adoption with an Optimized User Experience The vWorkspace Experience Optimized Protocol (EOP) drives employee adoption by accelerating images and multimedia content, delivering high-quality bidirectional audio and universal support for USB devices so that the virtual desktop looks and feels like a physical one. vWorkspace Components The vWorkspace solution consists of multiple components that enable a flexible, centralized and optimized virtual workspace. There are certain components that are required to enable the virtual workspace, whereas others are peripheral and can be incorporated into the solution based upon the requirements of an organization. • vWorkspace Core Components • vWorkspace Peripheral Components • vWorkspace Enabling Components • User Experience Enhancements vWorkspace Core Components • vWorkspace Database • Connection Broker • Virtual Workspace Platform • Data Collector Service • Management Console 5 vWorkspace Administration Guide vWorkspace Database The vWorkspace database is the central store for configuration and connection information for a vWorkspace farm: • Required for the vWorkspace infrastructure to store configuration information. • A dedicated or shared Microsoft SQL Server is required. For small to medium-size environments, a Microsoft SQL Server Express database management system can be used. Connection Broker The vWorkspace Connection Broker is a highly scalable Windows service and offers the following features: • Integrates with virtualization platforms to provision and customize new desktop workspaces, and to perform a broad set of power management tasks. • Multiple virtualization servers are supported simultaneously. • Multiple Connection Brokers are allowed per infrastructure. • Responds to client connectivity requests and redirects each client to the appropriate virtual workspace. • Communicates with the Data Collector service running inside each managed computer. Virtual Workspace Platform The virtual workspace is defined as the environment in which the user’s applications are executed and displayed. Quest vWorkspace manages and brokers connections to the virtual workspace and can do this from multiple platforms. The platforms from which vWorkspace can host applications and desktops are listed below: 6 • Microsoft Hyper-V - Hyper-V hypervisors are imported individually and managed by vWorkspace. • Microsoft System Center Virtual Machine Manager (SCVMM) Virtual machines hosted on Hyper-V Hypervisors managed by SCVMM. • VMware ESX (vCenter) - ESX Hypervisors managed by vCenter. vWorkspace Components • Parallels Virtuozzo Containers (master node) - PVC slave nodes managed by a master node. • Parallels Virtuozzo Containers (independent node) - PVC nodes managed by vWorkspace. • Other/Physical - Any physical computer or virtual machine not hosted on a managed hypervisor. • Microsoft Remote Desktop Session Host - 32-bit or 64-bit Windows Server 2003 or 2008/R2 Data Collector Service The Data Collector service runs on each managed desktop host operating system, as well as Hyper-V hosts, and communicates with the Connection Broker. The Data Collector sends the Connection broker a heartbeat signal, as well as events such as logon, logoff, disconnect, logon status, and connection readiness information. It also receives prelogon configuration data from the Connection Broker, allowing the desktop to be preconfigured according to established policies, prior to the user logging on. Management Console The vWorkspace Management Console is the central management tool for a vWorkspace farm. All day-to-day operations for managing the virtual workspace are performed from within the vWorkspace Management Console. vWorkspace Peripheral Components • vWorkspace Reporting Database • Web Access • Secure Gateway • Password Reset Service • Proxy IT vWorkspace Reporting Database Quest vWorkspace Reporting allows organizations to create real-time and historical reports leveraging data gathered by vWorkspace. By utilizing the reporting features of vWorkspace, administrators gain greater understanding of how the vWorkspace farm is being managed and utilized. 7 vWorkspace Administration Guide Web Access Quest vWorkspace Web Access is a web application for vWorkspace Farms that enable users to retrieve their list of allowed applications and desktops using a web browser. Secure Gateway Quest vWorkspace Secure Gateway is designed to secure the presentation of applications over the Internet. The purpose of the Secure Gateway is to act as a checkpoint (proxy) to prevent direct access to the internal vWorkspace resources of an organization. Password Reset Service The Password Reset Service facilitates SSL-protected password reset requests from client access devices to Active Directory by way of the Web Access Portal or the AppPortal client. This service requires an SSL Certificate and listens on port 443 (by default). Proxy IT Proxy-IT is designed to deliver more connectivity options for accessing Microsoft Windows Terminal Servers\Remote Desktop Session Hosts from legacy, non-Win32, open source, or third-party RDP devices, with no differences for the make or the model. vWorkspace Enabling Components 8 • Virtual Desktop Extensions (PNTools) • Hyper-V Catalyst • Instant Provisioning • Quick Start Wizard • Broker Helper Service vWorkspace Components Virtual Desktop Extensions (PNTools) PNTools is an optional, but important, component of a vWorkspace infrastructure. It is responsible for many of the end user experience optimizations that Quest vWorkspace provides. PNTools can be installed onto managed desktops, and is necessary to support many optimization features and management functions. • Installed on all computers, virtual or physical, that are members of a managed computer group. Virtual Desktop Extensions include features such as Flash Redirection, USB Redirection, and seamless windows display mode. A display protocol must be enabled on the managed desktops. Microsoft’s RDP and Hewlett Packard’s RGS can be used with managed desktop groups. Remote Desktop Session Hosts do not support RGS. PNTools is designed for a specific purpose. Only install on managed computers that are members of a vWorkspace computer group. Installing on vWorkspace farm servers, such as Session Hosts or Connection Brokers, can cause undesirable results. Hyper-V Catalyst Hyper-V Catalyst is a suite of technologies, integrated with Microsoft’s Hyper-V hypervisor, that dramatically increases performance and decreases cost of a virtual desktop infrastructure. Hyper-V Catalyst consists of two components: • HyperCache • HyperDeploy Instant Provisioning Instant Provisioning is a mechanism for customizing virtual machines during the cloning process. Instant Provisioning can be used in place of SysPrep and is 80% faster. This, along with Hyper Deploy, causes deployments of virtual machines to take a fraction of the time it takes with other virtual desktop products. 9 vWorkspace Administration Guide Quick Start Wizard The Quick Start Wizard is designed to step an administrator through the configuration of one of four infrastructure types with simplicity and ease. Administrators can use the Quick Start Wizard to configure the following infrastructure types: • Desktop Cloud • VDI • RDSH • Blade PC Broker Helper Service The Broker Helper Service is installed onto Hyper-V hypervisors to enable the vWorkspace Connection Broker to issue management tasks to virtual machines hosted there, or on Microsoft SCVMM servers, to enable the vWorkspace Connection Broker to issue management tasks to the virtual machines. Components for Virtual Workspace Management Quest vWorkspace includes many tools/features that streamline the management of the virtual workspace. These tools and features are listed and summarized below. 10 • Application Restrictions • Virtual Computer Management Tasks • Desktop Group and Individual Desktop Policies • Desktop and Application Publishing • User Environment Control • Performance Optimization • Virtual User Profiles • Universal Printer Driver • Application Compatibility Enhancements • Time Zones • Virtual IP vWorkspace Components Application Restrictions Application Restrictions extends the security of a Remote Desktop Session Host environment by adding session-based Application Restrictions (Application Access Control) and Network Access Restrictions (Host Access Control). Virtual Computer Management Tasks vWorkspace Management Tasks consist of the following items: • Manage virtual computer power states. • Task scheduling and automation. • Automated virtual machine and Session Host provisioning. • Policy driven desktop configuration. Desktop Group and Individual Desktop Policies Desktop Polices can be applied to virtual machines within a vWorkspace computer group through the properties of the group or the individual managed virtual machine. • Individual desktops can be persistently assigned to users prior to the first logon. Alternatively, the Connection Broker can be configured to assign the virtual machine to a user as persistent upon first logon (the default behavior is temporary desktop assignment). • Policy settings can be specified per desktop, overriding the parent group policy settings. • Access to desktops can be confined to certain days of the week and hours of the day. • Virtual computer based desktops can be automatically suspended if idle. • Users can be dynamically added to the Power Users or Administrators group of their assigned desktops. Desktop and Application Publishing The desktop or applications of a managed computer are published from a vWorkspace platform to users, groups, access devices, etc.; a crucial step in configuring a vWorkspace farm. End users connect to the virtual workspace by way of a remote display protocol, such as Microsoft’s Remote Desktop protocol, and are presented with their aggregate set of available desktops and/or applications. 11 vWorkspace Administration Guide Full desktops and individual applications can be published. • Desktops are published from computer groups or Session Hosts. • Seamless windowed applications are published from computer groups or Session Hosts. • Access is granted or denied to applications using Access Control Lists. User Environment Control User Environment Control boasts several powerful features designed to fully automate various time-consuming session configuration tasks within the virtual workspace. These important features include the ability to create application shortcuts, set backgrounds and color schemes, map drive letters to network shares, connect to shared network printers, execute scripts, manipulate the user's HKCU registry hive, set per-user environment variables, and lock down the user's virtual workspace using the most stringent policy settings and hard-to-find hacks. Performance Optimization Performance Optimization improves application response times and increases overall server capacity by streamlining and optimizing the use of virtual memory and CPU resources. Virtual User Profiles Virtual User Profiles accelerates logon times and eliminates profile corruption and management issues associated with roaming profiles. A Virtual User Profile combines the persistence of a conventional roaming profile with the speed and robustness of a mandatory profile in order to achieve unprecedented logon speeds and stability levels. Administrators can even implement multiple Virtual User Profiles per user account to satisfy multifarm and server silo requirements. Universal Printer Driver Universal Printer Driver is a single-driver printing solution that satisfies both client side and network printing needs in a vWorkspace environment. In addition to its driver independent approach to printing, benefits also include: 12 • Dramatic reduction in network bandwidth utilization. • Ability to inherit the properties of the manufacturer specific print drivers such as supported trays, paper sizes, and margins. vWorkspace Components Application Compatibility Enhancements Application Compatibility Enhancements is a sophisticated registry and file system redirection engine designed to eliminate a wide range of multi-user conflicts arising from application design limitations. Time Zones Time Zones is a per session time zone assignment module. Time Zones allows administrators to specify a unique time zone by user name, group membership, OU, or client device property (client name or IP address). With Time Zones, users can execute their time and date sensitive applications in their own time zones, completely independent of the virtual workspace time zone settings. Virtual IP Virtual IP enables each user instance of a legacy application to be bound to a unique IP address for identification purposes, allowing many legacy client server designed applications to run correctly in a multi-user environment. User Experience Enhancements Management of the virtual workspace goes a long way in simplifying an administrator’s job, but the experience must meet the demands of the end user. Quest vWorkspace provides many extensions to Microsoft’s Remote Desktop Protocol. Some of the user experience enhancements are: • Seamless Windows — Individual published applications running inside the server hosted desktop appear on the user's screen as if they are running locally. • Session Sharing — Applications published from the same managed computer group all share the same desktop. • Multimonitor Support — Support for multiple monitors with different resolutions while connected to the virtual worksapce. When used in conjunction with seamless windows, desktop based application windows can be moved to, resized, and maximized on any monitor. 13 vWorkspace Administration Guide • Kerberos-based Credentials Pass-Through — User’s locally cached domain credentials or Kerberos ticket is re-used for vWorkspace authentication. This feature is useful when end user devices, such as thin clients running Windows Embedded Standard 7 or a Windows PCs, are joined to a Windows domain. This feature also works with smart cards and other Windows compatible authenticators. Kerberos pass through authentication is supported for Microsoft Server 2008 and Microsoft Vista hosts. Microsoft Vista does not support Kerberos pass through authentication with UAC enabled, so if UAC is enabled on Microsoft Vista, CredSPP authentication support is used. CredSPP authentication is only used when supported by both the VM server and client. Supported clients are Microsoft Windows XP SP3, Microsoft Vista, or Microsoft Server 2008. Supported servers are Microsoft Vista or Microsoft Server 2008. 14 • AppPortal (Desktop-Integrated) — A GUI-less operational mode in which the vWorkspace Connector runs in the system tray. Published desktops and applications are propagated to the user’s local Desktop and Start Menu. • RDP-over-SSL connectivity — Enables users to access their published desktops and applications using the Secure Sockets Layer (SSL) protocol. • Universal Printer Driver — Eliminates the need to install vendor specific print drivers into the desktops. Driverless printers are autocreated inside each desktop using a single EMF-based universal print driver, regardless of printer make and model. • Password Reset Service — Allows users to reset their expired Windows domain passwords prior to connecting to the virtual workspace. • Experience Optimized Protocol (EOP) — Addresses the user experience challenges of presenting applications and desktops via a remote display protocol by providing seamless, reliable, high-performance enhancements to Microsoft’s Remote Desktop Protocol. These enhancements ensure that your VDI and RD Session Host deployment can deliver on the promise of desktop virtualization and a true local-desktop experience. • Virtual USB Hub — Enables the use of virtually any USB connected device (PDAs, local printers, scanners, cameras, headsets) to be used in conjunction with VDI. • Bidirectional Audio — Allows users to redirect their microphone devices to Remote Desktop Session Host sessions. Experience Optimization Protocol Experience Optimization Protocol The Experience Optimized Protocol (EOP) components address the user experience challenges of presenting applications and desktops via a remote display protocol by providing seamless, reliable, high-performance enhancements to Microsoft’s Remote Desktop Protocol. These enhancements ensure that your VDI and RD Session Host deployment can deliver on the promise of desktop virtualization and a true local-desktop experience. The following features are available through the Experience Optimized Protocol: • EOP Xtream — Accelerates RDP and EOP traffic on wide area networks (WANs). This provides for an improved user experience by providing faster RDP screen responses and improved performance of all EOP features. • EOP MultiMon — Enables support for multiple monitors and is monitor aware. • EOP Audio (Bidirectional Audio) — Enables support for applications that require the use of a microphone, such as dictation, collaboration, and certain VOIP applications such as Office Communicator. • EOP Text Echo — Enhances the user experience when typing, if users are connecting over a high latency network connection. A client Control Panel applet is used to adjust settings of this feature. • EOP Multimedia Acceleration (Media Player Redirection) — Enables the redirection of Flash content and Microsoft DirectShow content (anything that can be played in Microsoft Windows Media Player) from the VDI or Windows RDSH Session through an RDP Virtual Channel to the client access device, where it is played using the local compression/decompression technology (CODEC). • EOP Graphics Acceleration — Reduces bandwidth consumption and dramatically improves the user experience, making RDP usable over WAN connections. These features can be assigned to Users, Groups, OU, Client IP, Client Device Name or Advanced boolean targets. Experience Optimization Protocol is discussed in more detail in the EOP (Experience Optimization Protocol) section of the Managing the User Experience chapter. 15 vWorkspace Administration Guide vWorkspace Connectors The Quest vWorkspace Connectors are client access device software that support the management and user experience extensions provided by vWorkspace. A Connector enables the delivery of a virtual workspace to remote workers; allowing the centralization of desktop management, increase in security and decrease of cost. Quest vWorkspace provides connectors for the following client platforms: Windows, Macintosh, Linux, Ipad and the Android OS. Quest vWorkspace also provides a platform independent java connector. The vWorkspace Connector supports two interfaces for defining connections to, and accessing, the virtual workspace: the Connector’s native shell and Web Access. The interactive native shell allows users, upon successful authentication, to receive a list of authorized desktops and applications. Users can subsequently start remote connections to published desktops and applications by selecting the corresponding shortcuts. The Windows Connector’s native shell is called AppPortal and can be started in Desktop-Integrated mode where the default native shell is suppressed and an icon appears in the Windows system tray. Application icon shortcuts are placed on the user’s Desktop, Start Menu, or All Programs menu, depending on preferences. vWorkspace Web Access allows users to retrieve their list of allowed applications or desktops using a web browser. A Web Access web server must be available to use this interface. 16 vWorkspace Connectors AppPortal View Web Access View 17 vWorkspace Administration Guide 18 2 Installation of vWorkspace • Overview • TCP Port Requirements • Install using the Simple Method • Install Using the Advanced Method • Licensing • Installing Web Access • Install the Reporting and Logging Role • Scripted Installation • vWorkspace Connectors • Upgrade vWorkspace vWorkspace Administration Guide Overview The prime installable components of vWorkspace are called roles. Each role is listed below: • Connection Broker role • Management Console role • Web Access role • Terminal Server / RD Session Host role • User Profile Management Storage role • Secure Gateway role • Universal Print Server role • Remote Site Relay role • Password Reset role • Proxy-IT role • Reporting & Logging role There are two types of installations, a Simple installation and an Advanced installation. Simple installation will install a preset list of roles while Advanced installation provides a choice of roles to install. A Simple installation provides administrators with an easy installation process that installs the components that are most used in creating and managing a vWorkspace farm. A Simple installation will install the following vWorkspace roles: • Connection Broker role • Management Console role • Web Access role • User Profile Management Storage Server role The Simple type of installation is designed to be used for testing or Proof of Concept (POC) installations, and not for production environments. 20 Installation of vWorkspace When using a Simple type of vWorkspace install, Microsoft SQL Server Express 2008 is automatically installed with the following set values: MANAGEMENT DATABASE CONFIGURATION FIELD VALUE SQL Server Name <computername>\vWorkspace Note: <computername> is the computer that vWorkspace is being installed on. SA User Name sa SA Password Password1 Database Name vWorkspace_Database vWorkspace Login Name pnadmin vWorkspace Login Password Password1 vWorkspace installer adds a default Web Access Management Console link and Web Access user links in the Start | All Programs | Quest Software | vWorkspace folder and desktop shortcuts. A default Web Access configuration is completed during the Simple type of vWorkspace installation, allowing you to immediately start to use the Web Access feature. If you install using the Simple type of installation, port 5206 is used for the User State Management Storage Service and the User Profile Management Storage Role is fully configured, including a silo. The Advanced installation provides administrators with the ability to specify the vWorkspace components that are to be installed. This type of installation is recommended for production environments. 21 vWorkspace Administration Guide The Advanced installation type should be used when installing vWorkspace on a Remote Desktop Session Host, by selection of the Terminal Server\ RD Session Host Role. Administrators also have the ability to select the type of Management Database setup, such as connect to an existing database or create a new database on an existing SQL server. TCP Port Requirements The TCP/IP port number requirements for vWorkspace services are listed below: • Data Collector Service — It listens for Connection Broker service connections on 5203. This is a Windows service that runs inside each managed computer or vWorkspace enabled Remote Desktop Session Host, and communicates back and forth with the Connection Broker. When PNTools is installed onto a desktop, a Windows Firewall port exception rule is automatically added to allow incoming connections on this port. 22 Installation of vWorkspace • Connection Broker — It listens for Data Collector service connections on 5201. It also listens for incoming client connection requests on a configurable port, using 8080 as the default. Optionally, the Connection Broker can be configured to require SSL encryption using 443 as the default. This service communicates with the Data Collector running inside each managed computer or vWorkspace enabled Remote Desktop Session Host. • Password Management Service — This service accepts SSL protected client password reset requests on a configurable port, using 443 as the default. • Web Access — vWorkspace Web Access, being a web service, uses HTTP and HTTPS application protocols. Although the default port numbers are 80 and 443 respectively, any ports can be used. • Secure Gateway — The Quest vWorkspace Secure Gateway (Secure-IT) acts as an SSL proxy for Connection Broker, Web Access, and RDP communications, and by default listens on 443. • RDP — RDP listens on 3389 by default. Microsoft RDP (Remote Desktop Protocol) is used for connections from vWorkspace connector to Remote Desktop Session Host or a managed computer. • Universal Printer Service — This service listens on port 5204 on UP Printer Servers only. • Registry Service — This service listens for registry messages on port 5205 on Remote Desktop Session Host and broker computers. • User Profile Management Storage — This service listens on port 5206. Install using the Simple Method Use the following steps to complete a Simple type installation of vWorkspace. The following steps show an installation completed on a Microsoft Windows Server 2008 R2 computer. The steps may differ slightly if installing on a Microsoft Windows Server 2003 computer. 1. Download the appropriate version of the vWorkspace installation. 2. Run start.exe on the target computer. 23 vWorkspace Administration Guide 3. Click Install on the vWorkspace window. Use the other buttons to review vWorkspace documentation, the License agreement, or browse the installation CD. 4. License Agreement Use this option to review the contents of the license agreement. Install Use this option to initiate the installation process. Browse CD Use this option to browse the contents. Exit Use this option to exit the install. A message displays indicating that any prerequisites (Windows Installer 4.5 or Microsoft .NET Framework) will be installed. Click Install to start the process. During the installation process, the computer may need to be restarted. Use the same credentials to log on to the computer after the reboot. The installation process resumes upon logon. 24 5. Click Next on the Welcome window for the vWorkspace installer. 6. Select the accept the License agreement option, and then click Next. 7. Enter the appropriate information on the Customer Information window, and then click Next. 8. Select Simple on the Setup Type window, and then click Next. Installation of vWorkspace 9. Click Yes on the information window to continue the simple install. 10. Click Install on the Ready to Install the Program window. The vWorkspace components are installed in addition to Microsoft SQL Server Express 2008, which may take several minutes. The Microsoft SQL Server 2008 setup windows are displayed during the installation. 11. Click Finish on the InstallShield Wizard Completed window. 12. Click Yes to restart the computer, if necessary. Install Using the Advanced Method Use the following steps to complete an Advanced type installation of vWorkspace. The following steps show an installation completed on a Microsoft Windows Server 2008 R2 computer. The steps may differ slightly if installing on a Microsoft Windows Server 2003 computer. 1. Download the appropriate version of the vWorkspace installation. 2. Run start.exe on the target computer. 3. Click Install on the vWorkspace window. Use the other buttons to review vWorkspace documentation, the License agreement, or browse the installation CD. 25 vWorkspace Administration Guide 4. License Agreement Use this option to review the contents of the license agreement. Install Use this option to initiate the installation process. Browse CD Use this option to browse the contents. Exit Use this option to exit the install. A message displays indicating any prerequisites (Windows Installer 4.5 or Microsoft .NET Framework) that need to be installed. Click Install to start the process. During the installation process, the computer may need to be restarted. Use the same credentials to log on to the computer after the reboot. The installation process resumes upon logon. 26 5. Click Next on the Welcome window for the vWorkspace installer. 6. Select the accept the License agreement option, and then click Next. 7. Enter the appropriate information on the Customer Information window, and then click Next. 8. Select Advanced on the Setup Type window, and then click Next. Installation of vWorkspace 9. Select the options that are to be installed on this computer. If you want to change the default installation folder location, click Change and complete the information on the Change Current Destination Folder. By default, no roles are selected on the Custom Setup window. See vWorkspace Components for more information about the vWorkspace roles. 10. Select one of the following options on the Management Database Setup window, and then click Next. If you are installing just the Secure Gateway Role or the Web Access Role, the Management Database Setup, Password Management, Proxy-IT and Remote Site Relay windows are not displayed. • Connect to an existing database — Select this option to connect this computer to an existing management database. See step 11 to continue the install. • Create a new database on an existing SQL Server — Select this option to create a new management database on an existing SQL server. See step 12 to continue the install. 27 vWorkspace Administration Guide • Install SQL Server Express Edition on this computer and create a new database — Select this option to install SQL Server Express and create a new management database. See step 13 to continue the install. • Do nothing at this time — Select this option to skip the configuration during the install, and manually configure the management database. See the Database Configuration section in the vWorkspace Management Console chapter for more information on how to configure the database from the vWorkspace Management Console. 28 Installation of vWorkspace 11. If you selected Connect to an existing database, complete the necessary information on the Management Database Configuration window, and then click Next. 12. If you selected Create a new database on an existing SQL Server, complete the necessary information on the Management Database Configuration window, and then click Next. 29 vWorkspace Administration Guide 13. If you selected Install SQL Server Express Edition on this computer and create a new database, complete the necessary information on the Management Database configuration window, and then click Next. The SA password and vWorkspace login password need to meet password complexity policies. If they do not contain at least eight characters, with at least one nonalphanumeric or numeric character, a vWorkspace message is presented indicating that your password has not met the requirements. The SQL Server Name and SQL User Name are grayed out and the information in these fields are not able to be changed. 14. The vWorkspace installer installs the features that were selected. If you chose to install Microsoft SQL Server Express, that is installed at this time as well. The installation of Microsoft SQL Server Express 2008 occurs now, which may take several minutes. 15. Click Finish on the InstallShield Wizard Completed window. 16. Click Yes to restart the computer, if necessary. 30 Installation of vWorkspace Licensing You may encounter the vWorkspace Licensing window when you launch the vWorkspace Management Console for the first time. The Licensing window appears if there are no references to licenses in the vWorkspace database. If your vWorkspace database has references to licenses, you can manage your licenses from the vWorkspace Management Console. See Licensing in the vWorkspace Management Console for more information. The following describes the process for completing the Licensing window. The process is the same for both a Simple or Advanced vWorkspace installation. 1. After the restart following the vWorkspace installation, open the vWorkspace Management Console from the shortcut. 31 vWorkspace Administration Guide 2. Click OK on the message window, then select the Licensing option from the left pane of the Licensing window. 3. If you are using licenses generated from Quest in the form of ASC files, do the following: a) Open the Current Licenses tab, and click Add License. b) Browse to the location of your Quest Licenses ASC file. c) Select the file and click Open. d) Click OK on the message window stating the license has been added. 4. If you are using licenses that have already been generated from the vWorkspace web site that need to be added (licenses can no longer be obtained this way), do the following: a) Select the Other Licenses tab on the Licenses window. b) Click Add License. c) Enter your license information and click OK. 5. 32 Click Close, and the vWorkspace Management Console opens. Installation of vWorkspace Installation Reference If the option Connect to an Existing database is selected when installing a vWorkspace role the administrator may be queried whether to Keep the existing database configuration or Configure a new database connection. If the option Keep the existing database configuration is selected, and the database version is older than the version being installed, the administrator will be prompted to approve the upgrade of the database. OPTION DESCRIPTION Keep the existing database configuration. This option is selected if you want to keep your existing database configuration, as displayed in the fields of Data Source Name, Database Version, SQL Server Name, and Database Name, on this window. 33 vWorkspace Administration Guide OPTION DESCRIPTION Configure a new database connection. This option is used if you want to configure a new database connection. The Management Database Setup window is presented after this option is selected. You then can select from the following options on that window: • Connect to an existing database. • Create a new database on an existing SQL Server. • Install SQL Server Express Edition on this computer and create a new database. • Do nothing at this time. Installing Web Access The vWorkspace installer must be run on a Windows server. When installing the Web Access Role the Microsoft IIS role is installed, if it is not already. It is recommended that you use the Secure Gateway in conjunction with Web Access to protect sensitive data, such as passwords. The following is a list of requirements for vWorkspace Web Access. Web Access can be placed in the DMZ or a secured subnet. Hardware • Server class hardware that meets the minimum requirements of the selected operating system. • One or more 100 Mbps or 1000 Mbps Ethernet adapters. • Implemented as a virtual machine is an option. 34 Installation of vWorkspace Optional • Microsoft Network Load Balancing • Third-party load balancing appliance • X.509 server certificate (if the Web site requires SSL encryption) • X.509 trusted root certificate (if used with vWorkspace SSL Gateway) In Web Access, if you are using Microsoft Vista and Internet Explorer 7+ and in the unique instance that the certificate revocation list is unavailable to the user, you may need to unselect the Internet Explorer option, Check for server certificate revocation. This option can be found at the following path: Internet Explorer| Tools | Internet Options | Advanced. It is important to note that this may not be a secure situation, because the Certificate Revocation List is updated regularly to account for the possibility that a certificate that has not yet expired may no longer be secure for a variety of reasons. This will not stop your session from being secured by the certificate, it just keeps the browser from returning an error when it does not find a Certificate Revocation List. To remedy this situation, please consult your server's documentation on how to publish a Certificate Revocation List. Upgrading Web Access vWorkspace Web Access 7.5 has been re-architected to provide improved performance, scalability, and maintainability. The new architecture allows for easier deployment on multiple instances of Web Access without the need to reconfigure each one individually. As a result of the redesign, Web Access sites from previous versions to 7.5 cannot be upgraded to 7.5. Therefore, you need to manually document your settings, and then reconfigure Web Access 7.5 in the vWorkspace Management Console. Install the Reporting and Logging Role The Reporting and Logging Role enables you to generate detailed reports on both the real-time and historical state of your desktops, servers, and application permissions, as well as actions performed by administrators within the vWorkspace Management Console. 35 vWorkspace Administration Guide How to ... Install vWorkspace Reporting vWorkspace Reporting is not installed as part of the standard install and has to be enabled separately. The reporting database has to be on the same SQL Server as the vWorkspace database. 1. 36 Open the vWorkspace Management Console and go to File | Database Configuration. Installation of vWorkspace 2. Click Database Configuration on the Configure vWorkspace Database window. 3. The Database Configuration wizard appears. Select Enable vWorkspace Reporting on the Action window. 37 vWorkspace Administration Guide 4. Enter a name for the new reporting database, and then click Next. The reporting database has to be on the same SQL Server as the vWorkspace database. 5. Do the following on the Credentials window: a) Enter the log in name and password of an existing SQL Admin. These are needed to install the reporting capability. b) Enter a log in name and password for a read-only user in the Report viewer login section. This user will have read-only access to both the reporting database and the vWorkspace database. Quest recommends using a read-only user to run reports, to assist in preventing accidental deletions or alterations the database. Quest recommends using this read-only user in the Sample Report Viewer, which is a bundled utility for executing the built-in reports and displaying their results. For more information on the Sample Report View, see Sample Report Viewer. 38 Installation of vWorkspace c) Click Finish. 6. Click Yes, and then click Finish on the Credentials window to complete the process. 39 vWorkspace Administration Guide Disable vWorkspace Reporting Disabling the vWorkspace reporting does the following: • Keeps your current historical data, but no more data will be added. • Continues to allow you to run real time reports that will correctly show the current state of the system. Complete the following steps to disable the vWorkspace Reporting role. 40 1. Open the vWorkspace Management Console and go to File | Database Configuration. 2. Click Database Configuration on the Configure vWorkspace Database window. 3. Select Disable vWorkspace Reporting on the Action window. 4. Click Finish. Installation of vWorkspace Scripted Installation vWorkspace supports scripted installs. Setup.exe can be executed with switches that provide answers to the dialogue prompts of a vWorkspace install. The section below outlines the commands and switches used to perform a scripted (silent) install. setup.exe /s /v”/qn ADDLOCAL=<Role Codes> <Database Options>” Role Codes Core Must always be specified CB Connection Broker Role1,2 MC Management Console Role1 WA Web Access Role TS Terminal Server\ RD Session Host Role1,2 UPS User Profile Management Storage Role1,2 SG Secure Gateway Role PRT Universal Print Server Role1,2 RSR Remote Site Relay Role PR Password Reset Role PI Proxy-IT Role RL Reporting and Logging Role 1 requires Database Options (see below) 2 this role requires the MC role to additionally be installed. To specify more than one role code, delimit role codes with commas without spaces. For instance, to specify the connection broker and management console roles, use the syntax below: ADDLOCAL=Core,CB,MC 41 vWorkspace Administration Guide Database Options Specifies how to setup the database connection DBOPTION 1=Connect to existing SQL Server 2=Create new DB on existing SQL Server DATASOURCENAME ODBC data source name (DSN name) SQLSERVERNAME SQL Server name DATABASENAME vWorkspace_Database SQLLOGINACCOUNT vWorkspace administrator name (pnadmin account) SQLLOGINPASSWORD vWorkspace administrator password SAUSERNAME sa * SAPASSWORD SA Password * * only required for DBOPTION=2 Any values specified that contain spaces must be surrounded by \” characters. For instance, to set the DATABASENAME options to vWorkspace Database, use the syntax: DATASOURCENAME=\"vWorkspace Database\" Additional switches REBOOT=\"ReallySuppress\" When a vWorkspace install is started, certain software prerequisites must be met. If they are not met, the requisite software will be installed. They are listed below: • Microsoft .NET Framework 3.5 SP1 • Microsoft Windows Installer 4.5 • J2SE Runtime Environment 5.0 Update 11 • Microsoft ASP .NET 2.0 AJAX Extensions 1.0 • • 42 Only when CB role is selected Only when WA role is selected Installation of vWorkspace Examples To install the Web Access role only: setup.exe /s /v"/qn ADDLOCAL=Core,WA" To install the Management Console and Terminal Server\ RD Session Host roles, and connect to an existing database: setup.exe /s /v"/qn ADDLOCAL=Core,CB,MC DBOPTION=1 SQLSERVERNAME=\"SQLSERVER01\" DATASOURCENAME=\"vWorkspace Database\" DATABASENAME=\"vWorkspace_Database\" SQLLOGINACCOUNT=\"pnadmin\" SQLLOGINPASSWORD=\"Password1\"" To install the Management Console and Broker roles, and create a new database: setup.exe /s /v"/qn ADDLOCAL=Core,CB,MC DBOPTION=2 SQLSERVERNAME=\"<servername\instancename" DATASOURCENAME=\"vWorkspace Database\" SAUSERNAME=\"sa\" SAPASSWORD=\"Password1\" DATABASENAME=\"vWorkspace_Database\" SQLLOGINACCOUNT=\"pnadmin\" SQLLOGINPASSWORD=\"Password1\"" 43 vWorkspace Administration Guide vWorkspace Connectors To enable users to connect to managed applications and desktops in a vWorkspace infrastructure, a vWorkspace Connector must be installed onto their client device. The following is a list of available packages: VASCLIENT32 — These packages include AppPortal and Web Access. • VASCLIENT32.EXE — MSI-based installation with EXE bootstrapper. The MSI Engine (2.0 or higher) must already be installed onto the target client workstations. • VASCLIENT32.MSI — MSI-based installation without EXE bootstrapper. The MSI Engine (2.0 or higher) must already be installed onto the target client workstations. • VASCLIENT32.CAB — CAB-based installation for automatic deployment via the Web Access. VASCLIENT32T — Web Access access only; these packages do not include the AppPortal GUI. • VASCLIENT32T.EXE — MSI-based installation with EXE bootstrapper. The MSI Engine (2.0 or higher) must already be installed onto the target client workstations. • VASCLIENT32T.MSI — MSI-based installation without EXE bootstrapper. The MSI Engine (2.0 or higher) must already be installed onto the target client workstations. • VASCLIENT32T.CAB — CAB-based installation for automatic deployment via the Web Access. VASCLIENT32TS — These packages are for automated, silent installations of the Windows client using Group Policy where a minimal set of functionality is required. 44 • VASCLIENT32TS.cab — CAB installation for automatic deployment through Web Access, as a silent installation. The files are located at C:\Inetpub\wwwroot\Provision\web-it\clients. • VASCLIENT32TS.MSI — MSI-based installation for automatic deployment through Web Access, as a silent installation. Installation of vWorkspace How to ... Install the vWorkspace Connector 1. Download the appropriate package. 2. Execute the connector file. 3. Click Next at the Welcome window of the vWorkspace Connector InstallShield wizard. 4. Accept the terms of the License Agreement, and then click Next. 5. Enter the appropriate information on the Customer Information window, and select one of the options to whom this client package is to be installed. Click Next. 6. Click Next on the Destination Folder window to accept the default location, or click Change to change the location. 7. Select the option Enable Credentials Pass-Through, as appropriate, and then click Next. This option should only be selected if the client computer is joined to the domain and you want to reuse the user domain credentials on the client computer to authenticate with the vWorkspace-enabled desktop infrastructure without having to retype them every time. This option is only for computers that do not support Kerberos. This is an optional step. 8. Select the desired shortcuts on the Shortcut Options window, and then click Next. This window is only available if you are installing a client option that includes AppPortal. 9. Click Install to begin the installation, on the Ready to Install the Program window. 10. Click Finish when the InstallShield wizard has completed. You may be prompted to restart your system after the installation of the vWorkspace connector has completed. vWorkspace RD Connection Broker Support The vWorkspace RD Connection Broker Support software needs to be installed on your Microsoft Windows Server 2008 R2 server. The software detects if the appropriate roles have been installed, and if not, installs the appropriate roles. There are two RD Broker Support files, an EXE and MSI file. 45 vWorkspace Administration Guide You do not need to install any of the role services onto this server, as the Quest vWorkspace Extensions for the RD Connection Broker installs all of the necessary roles of Remote Desktop Session Host in VM redirector mode, Remote Desktop Connection Broker, and the Remote Desktop Web. If you choose to install the Remote Desktop Session Host (in VM Redirector mode), Remote Desktop Connection Broker, and the Remote Desktop Web Access on separate Microsoft Windows Server 2008 R2 servers, you must refer to Microsoft documentation best practices on how to install and configure these components. Prior to installing the Quest vWorkspace Extensions for the RD Connection Broker on the Remote Desktop Connection Broker, we require that the Remote Desktop Services environment be fully functional and that virtual desktops can be successfully launched from Remote Desktop Web Access. Instructions on Remote Desktop Services in Windows Server 2008 R2, specifically the sections detailing Deploying Virtual Desktop Pools by using Remote Desktop Web Access Step-by-Step Guide and Deploying Virtual Desktop Pools by Using RemoteApp and Desktop Connection Step-by-Step Guide can be found at the following: http://technet.microsoft.com/en-us/library/dd647502(WS.10).aspx Install RD Broker Support The following details two installation scenarios; the first one an installation where there are no role services installed, and the second one an installation where the RD Connection Broker, RD Session Host in VM Redirector mode, and an associated RD Web Server role services are configured. • vWorkspace Extensions Without Role Services Installed • vWorkspace Extensions with Role Services Installed vWorkspace Extensions Without Role Services Installed The following steps detail an installation on a Microsoft Windows Server 2008 R2 computer that does not have any of the role services installed. 1. 46 Download the EXE or MSI file from the MS_CONNECTIONBROKER folder from vWorkspace (64-bit Edition). Installation of vWorkspace 2. Double-click on the file. 3. Click Yes on the allow the program to make changes to the computer window. 4. Click Next on the vWorkspace Extensions for the RD Connection Broker Welcome window. 5. Click Accept on the License Agreement window, and then click Next. 47 vWorkspace Administration Guide 6. Select Yes on the Configure Computer For Desktop Brokering window, and then click Next. By choosing Yes, the listed roles are installed onto the computer. 7. The installation may take a few minutes to complete. 8. Click Finish on the InstallShield Wizard Completed window. You must restart the computer. Click Yes to restart it now, or No to restart it later. vWorkspace Extensions with Role Services Installed The following steps detail an installation on a Microsoft Windows Server 2008 R2 computer installed as an RD Connection Broker configured to use an RD Session Host in VM Redirector mode, and an associated RD Web Server configured to use the RD Connection Broker. 48 1. Download the EXE or MSI file from the MS_CONNECTIONBROKER folder from vWorkspace (64-bit Edition). 2. Double-click on the file. Installation of vWorkspace 3. Click Yes on the allow the program to make changes to the computer window. 4. Click Next on the vWorkspace Extensions for the RD Connection Broker Welcome window. 5. Click Accept on the License Agreement window, and then click Next. 49 vWorkspace Administration Guide 6. The installer inspects your system configuration, and then installs the vWorkspace Extensions for the RD Connection Broker. 7. Click Finish on the InstallShield Wizard Completed window. You must restart the computer. Click Yes to restart it now, or No to restart it later. Add an RD Connection Broker to vWorkspace Use the following steps to add a Microsoft RD Connection Broker to the vWorkspace Management Console. 50 1. Open the vWorkspace Management Console, and expand the Locations node. 2. Expand the required location. 3. Right-click on Connection Brokers and select New Connection Broker. 4. Click Next on the Welcome window of the Server wizard. Installation of vWorkspace 5. Enter the server name (NetBIOS), and then click Next. Use the ellipsis to browse for the server. The text box is limited to 15 characters, the maximum allowed in NetBIOS naming conventions. 51 vWorkspace Administration Guide 6. 52 Select Microsoft Remote Desktop Connection Broker (RD Broker), and click Next. Installation of vWorkspace 7. Enter the credentials, on the Administrative Account window, for a user account that has administrative privileges, and then click Next. This step is mandatory. Use the ellipsis, if necessary, to find the appropriate user account. The check mark by the Password field can be used to verify the user name and password entered. 8. Click Next on the Logging window without selecting any options. Typically, logging is only used as assisted by the Quest Support Services Department. 9. Click Finish on the Permissions window. AppPortal You can use the vWorkspace AppPortal to specify Microsoft RD Connection Broker properties. Use the following steps to create a new RD Connection Broker Farm Connection. Create a New RD Connection Broker Farm Connection 1. Start AppPortal from the desktop or select Start | Programs | Quest Software| vWorkspace | vWorkspace Client| AppPortal. 53 vWorkspace Administration Guide 2. Select Actions | Manage Connections. The Farm Connections wizard opens. 3. Click Create a new farm, and then click Next. 4. Select Allow me to manually specify all configuration parameters on the Configuration Source window, and then click Next. 5. Select Microsoft Remote Desktop Connection Broker as the Farm Type, and then click Next. 6. Enter the location and server information on the Connectivity window, and then click Next. 7. Select the appropriate connection settings on the RD Gateway window, and then click Next. RD GATEWAY SETTINGS FIELD DESCRIPTION CONNECTION SETTINGS These settings are used to specify secure network communications. 54 Installation of vWorkspace RD GATEWAY SETTINGS FIELD DESCRIPTION Automatically detect RD Gateway server settings Select if you want the RD Gateway server settings automatically detected. Use these RD Gateway server settings Select if you want to use the entered Server name and Logon method as the RD Gateway server settings. Do not use an RD Gateway server Select if you do not want to use an RD Gateway server. 8. Specify the credentials for connection to this farm, and then click Next. 9. Select the appropriate options on the Display window, and then click Next. 10. Specify remote audio, keyboard, and local devices on the Local Resources window, and then click Next. 11. Specify use experience options, and then click Next. 55 vWorkspace Administration Guide 12. Enter password management server information, as appropriate, and then click Next. 13. Select any desktop integrated mode options, as appropriate, and then click Next. Specify any applications that are to be automatically launched, and then click Finish. Quest vWorkspace Connector Silent Installation This document describes the unattended setup (silent) procedures for each of the following connector packages. • VASCLIENT32 • VASCLIENT32T See vWorkspace Connector for Windows Packages for more information. VASCLIENT32 As an InstallShield package, vasclient.exe can accept a number of command line arguments. Command line options that require a parameter must be specified with no spaces between the option and its parameter. If you run a normal installation using vasclient32.exe, InstallShield extracts and then executes the included vasclient32.msi package. The file, msiexec.exe, begins the installation and queries the user four times. The user is asked whether to install For All Users or Just Myself, to Enable Single Sign-On or not, to To Launch in Desktop Integrated Mode or not, and to Place a shortcut on the Desktop or not. These four user dialogs are represented by MSIEXEC switches of: 56 • ALLUSERS=\"1\" or ALLUSERS=\"\" • ENABLESSO=\"1\" or ENABLESSO=\"\" • STARTUPSHORTCUT=\"1\" or STARTUPSHORTCUT=\"\" • DESKTOPSHORTCUT=\"1\" or DESKTOPSHORTCUT=\"\" • \"1\" is Yes. • \"\" is No (Null). Installation of vWorkspace The InstallShield switch to pass parameters to msiexec is the /v switch. There can be no spaces between the /v switch and its parameters so that the command will look initially like this following. vasclient32.exe/v"<options>" The <options> are the msiexec parameters. For msiexec, the /q option is used to set the user interface level along with any of the following flags. MSIEXEC SILENT OR NEAR SILENT SWITCHES /q No user interface. /qn No user interface. /qn+ No user interface. /qb Basic user interface. /qb+ Basic user interface. A dialog box is displayed at the end of the installation. If you cancel the installation, a dialog box is not displayed. /qb- Basic user interface. No dialog boxes are displayed. /qr Reduced user interface. A dialog box is displayed a the end of the installation. If you want to hide the initial vWorkspace splash screen, add the /s option and the installation displays only the installation progress bar dialog. To silently install the vasclient32.exe, issue the setup instruction: vasclient32.exe/s/v"/qn ENABLESSO=\"\" ALLUSERS=\"1\" The /s suppresses the splash screen. The /v passes everything within the quotes to msiexec. The msiexec /qn switch provides a no dialog, silent install. If you want just the progress dialogs shown for user feedback so that they know something is happening, then issue the following command. vasclient32.exe/s/v"/qr ENABLESSO=\"\"ALLUSERS=\"1\" The /s suppresses the splash screen, the /v passes everything within the quotes to msiexec. The/qr switch shows a reduced user interface with only the progress bar dialog. 57 vWorkspace Administration Guide VASCLIENT32T As an InstallShield package, vasclient.exe can accept a number of command line arguments. Command line options that require a parameter must be specified with no space between the option and its parameter. If you run a normal installation using vasclient32t.exe, InstallShield extracts and then executes the included vasclient32t.msi package. The msiexec.exe begins the installation, and queries the user two times. The user is asked whether to install For All Users or Just Myself and to Enable Single Sign-On or not. The web client does not use the Desktop Integrated mode, so there is not a query for the placement of a shortcut on the desktop. The two user dialogs which are represented by MSIEXEC switches are: • ALLUSERS=\"1\" or ALLUSERS=\"\" • ENABLESSO=\"1\" or ENABLESSO=\"\" • \"1\" is Yes. • \"\" is No (Null). The InstallShield switch to pass parameters to msiexec is the /v switch. There can be no spaces between the /v switch and its parameters so that the command will look like the following. vasclient32.exe/v"<options>" The <options> are our msiexec parameters. For msiexec, the /q option is used to set the user interface level along with the following flags. To silently install the vasclient32t.exe, one would issue the following setup instruction. vasclient32t.exe/s/v"/qn ENABLESSO=\"\"ALLUSERS=\"1\"" If you want just the progress dialogs shown for user feedback so that they know something is happening, then issue the following command. vasclient32t.exe/s/v"qr ENABLESSO=\"\" ALLUSERS=\"1\"" 58 Installation of vWorkspace Upgrade vWorkspace The following outlines recommended procedures for upgrading your vWorkspace environment. While these procedures are our recommendation, it is your responsibility to have a current backup of configuration components, such as the database, and a plan to minimise the impact of the upgrade on your environment. Recommendations: • Backup your SQL database for vWorkspace before starting the upgrade process. • Install in a test environment where there are no production impacts. It is important that you complete the steps in the presented order; completing all the activities before moving to the next step. However, some of the upgrade steps may not be applicable to your environment, and if so, you may skip over them. 1. Upgrade the Connection Brokers 2. Upgrade the Terminal Servers/ RD Session Hosts 3. Upgrade the User Profiles Management Storage Role 4. Upgrade the Universal Print Server Role 5. Upgrade the Secure Gateway Role 6. Upgrade the Web Access Role 7. Upgrade the Password Reset Role 8. Upgrade the Broker Helper Service 9. Upgrade PNTools on VDI Computers 10. Upgrade the vWorkspace Connector for Windows 11. Update the vWorkspace Connector for Web Access vWorkspace Web Access 7.5 has been re-architected to provide improved performance, scalability, and maintainability. The new architecture allows for easier deployment on multiple instances of Web Access without the need to reconfigure each one individually. As a result of the redesign, Web Access sites from previous versions to 7.5 cannot be upgraded to 7.5. Therefore, you need to manually document your settings, and then reconfigure Web Access 7.5 in the vWorkspace Management Console. 59 vWorkspace Administration Guide Upgrade the Connection Brokers Prior to starting this upgrade, ensure that database caching is not enabled. Open the vWorkspace Management Console, right-click on the top node (Farm name), and select Farm Properties. Select Database Cache and make sure the Create local host cache on all servers setting is unselected. Click OK to save the change. 1. From the downloaded vWorkspace file, click on start.exe to start the installer program. 2. Click Install on the vWorkspace home window to start the installation process. 3. Accept the License agreement, and then click Next. 4. Click Upgrade on the Previous Version Detected window. 5. Click Yes to restart your computer. 6. Click Next on the Welcome window. 7. Accept the License agreement, and then click Next. 8. Enter the appropriate information on the Customer Information window, and then click Next. 9. Select Connection Broker Role from the list of available features on the Custom Setup window and click Next. 10. Click Install to continue the installation process. 60 Installation of vWorkspace 11. Select Keep the existing database configuration from the options on the Current Database Configuration window, and then click Next. 12. Click Next on the Database Schema Upgrade window. 13. Click Finish to complete the installation. 14. Complete the upgrade process on all of your Connection Brokers. 61 vWorkspace Administration Guide Upgrade the Terminal Servers/ RD Session Hosts 1. From the downloaded vWorkspace file, click start.exe to start the installer program. 2. Click Next on the Welcome window. 3. Click to Accept the license agreement. 4. Select Upgrade on the Previous Version Detected window. 5. The upgrade process begins. Click Yes when asked to reboot the server. 6. After rebooting login to the server. The upgrade process automatically continues. 7. Click Next on the Welcome window. 8. Click to Accept the license agreement. 9. Click Next on the Customer Information window. 10. Review and click OK on the previous Terminal Servers features window. 11. On the Custom Setup window select Terminal Server/RD Session Host Role, and click Next. 12. Select Keep the existing database configuration from the options on the Current Database Configuration window, and then click Next. 13. Click Next on the Database Schema Upgrade window. The upgrade process continues. 14. Click Finish to complete the installation, then click Yes to reboot. 15. Complete the upgrade process on all of your Terminal Servers/RD Session Hosts. Upgrade the User Profiles Management Storage Role 62 1. From the downloaded vWorkspace file, click start.exe to start the installer program. 2. Click Next on the Welcome window. 3. Click to Accept the license agreement. 4. Select Upgrade on the Previous Version Detected window. 5. The upgrade process begins. Click Yes when asked to reboot the server. 6. After rebooting login to the server. The upgrade process automatically continues. 7. Click Next on the Welcome window. 8. Click to Accept the license agreement. 9. Click Next on the Customer Information window. Installation of vWorkspace 10. On the Custom Setup window, select User Profile Management Storage Role, and click Next. 11. Select Keep the existing database configuration from the options on the Current Database Configuration window, and then click Next. 12. Click Next on the Database Schema Upgrade window. 13. Click Install to begin the installation. 14. Click Finish. This version of vWorkspace User Profile Storage Service uses TCP port 5206. In versions of vWorkspace prior to 7.2, the User Profile Storage Service was configured for TCP port 80. When upgrading to this version of vWorkspace from a version prior to 7.2, TCP port 80 will continue to be used. Upgrade the Universal Print Server Role 1. From the downloaded vWorkspace file, click start.exe to start the installer program. 2. Click Next on the Welcome window. 3. Click to Accept the license agreement. 4. Select Upgrade on the Previous Version Detected window. 5. The upgrade process begins. Click Yes when asked to reboot the server. 6. After rebooting login to the server. The upgrade process automatically continues. 7. Click Next on the Welcome window. 8. Click to Accept the license agreement. 9. Click Next on the Customer Information window. 10. On the Custom Setup window, select Universal Print Server Role, and then click Next. 11. Select Keep the existing database configuration from the options on the Current Database Configuration window, and then click Next. 12. Click Next on the Database Schema Upgrade window. 13. Click Install to being the installation. 14. Click Finish. Upgrade the Secure Gateway Role 1. From the downloaded vWorkspace file, click start.exe to start the installer program. 2. Click Next on the Welcome window. 3. Click to Accept the license agreement. 63 vWorkspace Administration Guide 4. Select Upgrade on the Previous Version Detected window. 5. The upgrade process begins. Click Yes when asked to reboot the server. 6. After rebooting login to the server. The upgrade process automatically continues. 7. Click Next on the Welcome window. 8. Click to Accept the license agreement. 9. Click Next on the Customer Information window. 10. On the Custom Setup window, select Secure Gateway Role, and then click Next. 11. Click Install to begin the installation. 12. Click Finish. Upgrade the Web Access Role 1. From the downloaded vWorkspace file, click start.exe to start the installer program. 2. Click Next on the Welcome window. 3. Click to Accept the license agreement. 4. Select Upgrade on the Previous Version Detected window. 5. The upgrade process begins. Click Yes when asked to reboot the server. 6. After rebooting login to the server. The upgrade process automatically continues. 7. Click Next on the Welcome window. 8. Click to Accept the license agreement. 9. Click Next on the Customer Information window. 10. On the Custom Setup window, select Web Access Role, and then click Next. 11. Click Next and complete the installation. Upgrade the Password Reset Role 64 1. From the downloaded vWorkspace file, click start.exe to start the installer program. 2. Click Next on the Welcome window. 3. Click to Accept the license agreement. 4. Select Upgrade on the Previous Version Detected window. 5. The upgrade process begins. Click Yes when asked to reboot the server. 6. After rebooting login to the server. The upgrade process automatically continues. Installation of vWorkspace 7. Click Next on the Welcome window. 8. Click to Accept the license agreement. 9. Click Next on the Customer Information window. 10. On the Custom Setup window, select Password Reset Role, and then click Next. 11. Click Install to begin the installation. 12. Click Finish. Upgrade the Broker Helper Service 1. From the downloaded vWorkspace file, open the Broker_Helper folder. 2. Select brokerhelper.exe to start the installation. 3. Click Next on the welcome window of the Quest Broker Helper Service. 4. Click to accept the terms on the License agreement window, and then click Next. 5. Enter a User Name and Organization on the Customer Information window, and then click Next. 6. Click Install to start the installation. 7. Click Finish to complete the installation. Upgrade PNTools on VDI Computers 1. Open the vWorkspace Management Console. 2. Expand Locations, and then the location of the specified desktop group. 3. Expand the Desktops node, and then highlight the computer group where the computers are located. 4. Select the Desktops tab in the right-pane. 5. Highlight the computer or computers in which PNTools is to be upgraded. 6. Right-click on one of the highlighted computers, and then use the following path: PNTools & Other MSI Packages | PNTools | Install/Update 7. Follow the instructions to complete the upgrade. Upgrade the vWorkspace Connector for Windows 1. From the downloaded vWorkspace package, open the Connectors folder, and then open the Windows folder. 2. Select the appropriate vasclient32 executable. 3. Click Next on the Welcome window. 65 vWorkspace Administration Guide 4. Accept the terms of the license agreement, and then click Next. 5. Enter the appropriate information on the Customer Information window, and select one of the installation options. Click Next. 6. Click Next to install to the listed folder, or click Change to change the folder to which the AppPortal is installed. 7. Click Install. 8. Click Finish. Update the vWorkspace Connector for Web Access vWorkspace Web Access 7.5 has been re-architected to provide improved performance, scalability, and maintainability. The new architecture allows for easier deployment on multiple instances of Web Access without the need to reconfigure each one individually. As a result of the redesign, Web Access sites from previous versions to 7.5 cannot be upgraded to 7.5. Therefore, you need to manually document your settings, and then reconfigure Web Access 7.5 in the vWorkspace Management Console. 1. 66 From the downloaded vWorkspace package, open the Connectors \ Windows folder. 2. Select the vasclient32t executable. 3. Click Next on the Welcome window. 4. Accept the terms of the license agreement, and then click Next. 5. Enter the appropriate information on the Customer Information window, and select one of the installation options. Click Next. 6. Click Next to install to the listed folder, or click Change to change the folder to which the Connector for Web Access is installed. 7. Select Enable Credentials Pass-Through, if appropriate, and then click Next. 8. Click Install. 9. Click Finish. 3 vWorkspace Management Console • Overview • vWorkspace Management Console Interface • Quick Start Wizard • vWorkspace Menu Options and Icons • vWorkspace Object Nodes • Locations vWorkspace Administration Guide Overview The vWorkspace Management Console provides management and administrative functions to vWorkspace administrators. All database management tasks are performed by the vWorkspace Management Console. The vWorkspace Management Console can be installed and used on any number of workstations or laptop computers for management purposes, as long as connectivity to the vWorkspace database can be established. Remote Procedure Call (RPC) connections to other vWorkspace servers at times may also be required for full management functionality. Most functions performed by the vWorkspace Management Console can be done from any computer, but Registry tasks or applying virtual memory optimizations must be performed by the vWorkspace Management Console from the console of the affected server. Any hotfixes that affect the vWorkspace Management Console need to be applied to all installed instances. Failure to do so can lead to unreliable results when using the vWorkspace Management Console. Multiple instances of the vWorkspace Management Console can be opened simultaneously. Administrators need to be aware that their changes may interfere with changes made by another administrator. vWorkspace Management Console Interface The vWorkspace Management Console presents a graphical user interface that includes a menu bar, toolbar, navigation pane, and an information pane. 68 vWorkspace Management Console Menu Bar Navigation Pane Information /Detail Pane Toolbar Object Nodes Status Bar The vWorkspace infrastructure is displayed in a treeview format in the Navigation pane. It includes the following nodes. NODE DESCRIPTION Farm This top node represents the entire vWorkspace infrastructure. From this node you can: • Assign a name to the farm. • Enable database caching. • Configure other settings such as Reset all pop-up messages and Clear recent items list. Locations This node is used to organize groups of users based on geographical locations, within a vWorkspace infrastructure. 69 vWorkspace Administration Guide NODE DESCRIPTION Targets This node is used to set the criteria for which Resource is applied and when it is applied to a remote session. Once targets are defined in the vWorkspace database, they can be used in Access Control Lists associated with various Resource objects. Targets are identified by: • User name • Group membership • IP address • Device name • Active Directory Organizational Units • Advanced (Boolean) Resources This node contains the list of items that can be assigned to clients using Client Assignment. A toolbar option, Toggle Client Assignment List Display, allows the client assignment to be displayed at the bottom of the window, the right-side of the window, or not at all. Packaged Applications This node is used to identify Microsoft Application Virtualization (App-V) servers and their hosted application packages, as well as MSI packages. Performance Optimization This node is used to configure CPU Utilization and Virtual Memory Optimization policies, and to view the results of these policies. Virtual IP This node is used to provide special configuration options for applications running in a multi-user environment that require unique IP addresses for identification. 70 vWorkspace Management Console NODE DESCRIPTION File & Registry Redirection This node provides mechanisms that allow applications to work properly in a multi-user environment. Load Balancing This node is used to configure load balancing when published applications are hosted on multiple RD Session Hosts. A load balance can be assigned to either the published application or the RD Session Hosts. Websites This node is used to define and manage Web Access web sites. The configuration for Web Access web sites is stored in the vWorkspace Management Console. Quick Start Wizard The vWorkspace Quick Start Wizard enables administrators to set up a vWorkspace environment through a guided process. You just need to choose the type of environment you want to set up, and the wizard navigates you through the process from setting up connection brokers to configuring end user environments. The types of environments that can be configured using the Quick Start Wizard are: • Desktop Cloud • Virtual Desktops • Remote Desktop Session Host • Blade PCs (or other physical and virtual computers) 71 vWorkspace Administration Guide The Quick Start Wizard can be opened by doing one of the following: • Open the vWorkspace Management Console. There is an option to select to not automatically show the wizard every time you open the vWorkspace Management Console. • Click on the home icon in the toolbar of the vWorkspace Management Console. • Select the link from the Getting Started section on the Welcome page of the vWorkspace Management Console. As you progress through the Quick Start Wizard, the steps are validated to ensure your system is configured correctly. Information entered into the Quick Start Guide is saved and can be used in future setups, such as already configured connection brokers. However, you always have the option to add a new one. Not all of the steps of the Quick Start Wizard are mandatory for completion, such as configuring Connection Policies or Universal Printing options. 72 vWorkspace Management Console Examples of commonly used user profile applications and Microsoft Windows settings are available as the optional step, Managed User Profiles. Selecting one of the sample settings enable you to quickly access the predefined set of applications. It is important to note that any checked profile items in the Quick Start Wizard are set as global items. Upon logoff, the profile is deleted and only the checked items are retained. Be cautious if you are importing desktops with a local profile that you want to retain. Desktop Cloud Quest vWorkspace has created a platform from which desktops can be provisioned quickly and effortlessly. Computer Groups are created through the Quick Start Wizard and are automatically configured with provision-time and connection-time load balancing, as well as auto-size and virtual desktops deleted at logoff. Along with HyperCache, HyperDeploy and Instant Provisioning these Hyper-V computer groups provide a platform where desktops can be moved in and out of the cloud in a near instant. The Desktop Cloud wizard can be launched from the Quick Start Wizard. The Desktop Cloud requires certain parameters to be set, which are listed below and are included in the wizard. Required Steps • Connection Broker • Virtualization Hosts • Desktop Cloud • Desktop Cloud Size • Provisioning Settings 73 vWorkspace Administration Guide Virtual Desktops From the Virtual Desktops Quick Start Wizard, you can add virtual desktops by creating new virtual computers, publish applications and desktops, and configure user environments by selecting Virtual Desktops. The Virtual Desktops Quick Start Wizard supports provisioning of new virtual computers on Microsoft Hyper-V, Microsoft SCVMM, VMware vCenter Server, and Parallels Virtuozzo virtualization platforms. After completing the required steps, you can set up optional user settings such as managed user profiles, printers, and automated tasks. Required Steps • Connection Broker • Virtualization Platform • Virtualization Server • Virtualization Host • Managed Desktop Group • Add/Import Computers Remote Desktop Session Host The Remote Desktop Session Host Quick Start Wizard allows you to configure a session host environment from one wizard. Administrators can publish applications and desktops, configure access control, experience optimization, and manage user profiles. From the Remote Desktop Session Host wizard, you can also set up optional features such as user profiles, printers, and connection policies. Each step of the wizard validates the information entered, allowing administrators to have an valid session host environment upon completion. Required Steps 74 • Connection Broker • Remote Desktop Session Host • Managed Applications vWorkspace Management Console Blade PCs With the Blade PCs Quick Start Wizard, you can build an environment for managing session hosts on blade PCs or other physical computers. The wizard presents the steps for this process in a logical order, validating the configuration for each step. The Blade PCs Quick Start Wizard allows administrators to also set up optional setting such as network drive mappings, automated tasks, and printers. Required Steps • Connection Broker • Managed Desktop Group • Add Computers vWorkspace Welcome Window The Welcome window is displayed when opening the vWorkspace Management Console. From this window you can access Quick Start Guides and the System Requirements Guide in CHM file format; open the documentation folder containing the complete vWorkspace document library; jump to recent items in the console; and link to home pages such as vWorkspace and Quest SupportLink. 75 vWorkspace Administration Guide vWorkspace Menu Options and Icons The vWorkspace menu options consist of the following: • • • The File menu options are: • Current User Sessions — This option opens the Current User Sessions window. A remote control session can be initiated from this window as well. See Database Configuration for more information on using the remote control option. • Administration — This option opens the Administration window. See Administration for more information. • Change User — This option opens the Login window. • Licensing — This option opens the Licensing window. See for Licensing more information. • Database Configuration — This option opens the Configure Database window. See Database Configuration for more information. The Actions menu options depend on the item selected in the vWorkspace Management Console. Some of the items include: • New <Location> — This option opens the wizard to start a new process, such as a location. • Properties — This option opens the Managed Computer Properties window. See Locations Properties for more information. • Management Servers — This option opens the Virtualization Servers window. See Virtualization Platform Integration for more information. • Refresh — This option refreshes the view. The Help option, About, displays information about the Quest vWorkspace product, including the version number. The vWorkspace icons are as follows: ICON DESCRIPTION This icon is used to exit the console. 76 vWorkspace Management Console ICON DESCRIPTION This icon is used to access Current User Session and the Remote Control Session options. This icon is used to access the Administration options. This icon is used to access Licensing information. This icon is used to access Properties of the highlighted item. This icon is used to access a New Wizard for the highlighted item. This icon is used to access Management Servers. This icon is used to access the vWorkspace welcome window, and collapses the treeview in the navigation pane of the console. This icon is used to refresh the window. 77 vWorkspace Administration Guide File Menu Options The File menu contains several options that play an important part in managing a vWorkspace farm and can only be accessed from the File menu. These options are defined below: • Current User Sessions • Administration • Licensing • Database Configuration Current User Sessions The User Sessions section allows administrators to view active user sessions, license, and product usage. To view user sessions, do one of the following: 78 • Select User Sessions in the left pane of the Licensing window. • Select File | Current User Sessions from the menu bar. • Click the Current User Sessions icon on the toolbar. vWorkspace Management Console Remote Control By right clicking a User session and selecting Remote Control Session, administrators are able to shadow active user sessions. Remote control of a user session can also be achieved through the properties of a managed computer. Remote control can only be accomplished when initiated from one RDP session to another. The table below displays the circumstances under which Remote Control is supported. 79 vWorkspace Administration Guide In order to enable remote control, you must select the option, Enable RDP remote administration control, from Location| Properties | RDP Connection Restrictions settings. Administrators can set the key command used to end the remote session on the Remote Control window.The last selection that is entered into the Remote Control key combination is saved. 80 vWorkspace Management Console Once the remote control settings have been completed, you can access remote control from two different places in the vWorkspace Management Console. • Current User Session window, Remote Control session button. • Select the Desktops group, and then select the Computers tab in the information pane. The Remote Control Session option is available by selecting it from a specific computer context menu. How to ... View a Session by Remote Control 1. Open the vWorkspace Management Console. 2. Navigate to and highlight the Session host or computer group to which the computer belongs. 3. Select the Computers tab in the information pane, and right-click on the computer. – OR – 4. Select the Users tab, and then right-click the user name. 81 vWorkspace Administration Guide 5. Select Remote Control. This option is grayed out for inactive sessions. Remote control can only be accomplished when initiated from one RDP session to another. You may receive a warning message indicating that this functionality is not available to you. 6. Specify the command to be used to end the remote session on the Remote Session window, and then click OK. The Remote Control key combination that is entered is saved. Administration The Administration option, from the File menu of the vWorkspace Management Console, is used to identify users or groups of users as vWorkspace administrators and to delegate administrative tasks to them. Once users or groups of users have been added as administrators, object permissions can then be set. 82 vWorkspace Management Console Not every administrator needs to be added to the vWorkspace Management Console individually, they can be a member of a Microsoft Windows group that has been added as an administrative account. So, you could create a Windows group in your domain, add all the console user accounts to that group, and add that group as an administrative account to the vWorkspace Management Console. All users of the vWorkspace Management Console have full access rights to the console until an administrative account is added. Prior to granting access to the vWorkspace Management Console, the vWorkspace Management Console does check to ensure that the current Microsoft Windows user is also a local Microsoft Windows administrator. Users and groups of users who are selected as system administrators have implicit allow permissions for all actions within the console, and may add and remove other system administrators. The first administrator defined in the system is automatically defined as a system administrator, and the last administrator to be removed from the system must be a system administrator. This selection cannot be modified, as it is designed to prevent inadvertent lock out situations. Once one or more administrators are defined, a Login window will display during startup of the vWorkspace Management Console. If the check box, Login as the current Windows user is selected, the User and Password fields are disabled and filled in automatically. If the check box is unselected, the user must enter an administrative user name and password to open the console. The Login window is also accessible from the vWorkspace Management Console menu option, File | Change User. 83 vWorkspace Administration Guide Permissions When configuring delegation of administration, you set permissions at the object level by using the Administration option on the File menu. You can assign permissions to administrators to enable them to allow or to deny actions in the vWorkspace Management Console. Non-system administrators cannot set their own permissions or the permissions of a group to which they belong. However, a system administrator can modify permissions for any user or group. Permissions are defined as object-action combinations. For example, on an object such as Targets, the action can be defined as Delete Target. When you assign a user as an administrator, you can assign one of the three initial permissions: Allow All, Deny All, or Copy From Existing. These permissions can be changed afterward. The permissions structure is hierarchical and follows a parent-child relationship model. Child objects inherit permissions from the parent if the permissions for the child object are not set explicitly. For example, if the Delete Resources permission is set to Deny for the Helpdesk Admins group on the Resources node in the console, the child node Scripts inherits the Delete scripts permission for the Helpdesk Admins group. An administrator can be assigned conflicting permissions. This can happen if an administrator belongs to more than one group and the groups have been assigned conflicting allow/deny permissions for the same object. The resolution of these conflicts is governed by the Settings page of the vWorkspace Administration dialog box. You can choose whether to allow or deny the permission when a conflict occurs. Permission checkboxes may be one of the following: Enabled, permission not set. Checkbox has white background. Enabled, explicit permission set. Checkbox has white background. Enabled, inherited permission set. Checkbox has white background. 84 vWorkspace Management Console Disabled, permission not set. Checkbox has gray background. Disabled, explicit permission set. Checkbox has gray background. Disabled, inherited permission set. Checkbox has gray background. The gray checkmarks indicate that the permission is inherited from its parent if set. Permissions that are disabled for an administrator cannot be modified by that administrator, as the administrator does not have sufficient permissions to change it. How to ... • Add a New Administrator • Edit Administration Settings • Remove an Administrator • Set Permission at the Object Level 85 vWorkspace Administration Guide Add a New Administrator 1. Open the vWorkspace Management Console. 2. Select File | Administration. 3. To add users or a group of users, click Add User/Group on the Administrators settings window. 4. Click Next on the Welcome to the Administrator window. 5. Select User or Group on the User/Group Name window, and then enter Domain\User or Domain\Group in to the dialog box. Use the ellipsis to assist in selecting users or groups. 6. On the User/Group Name window, select the check box if this user or group is to be a system administrator, and then click Next. System administrators have implicit allow permissions for all actions, and may add and remove other system administrators. 7. Select one of the default permission settings, Deny All, Allow All, or Copy from, and then click Next. Use Copy from to quickly set the initial permissions of a new administrator to those of an existing non-system administrator, administrator. 8. Make any changes to the Allow and Deny columns on the Permissions window, and then click Finish. The Administrators window appears. 9. Highlight the user or group that you just added, and then select Settings. 10. Specify the administration settings, Allow or Deny, on the Settings window, and then click Apply to save your settings. 11. Select Permissions to specify administrator permission. 12. Click Apply to save your changes, and OK to close the window. Edit Administration Settings 86 1. Open the vWorkspace Management Console. 2. Select File | Administration. 3. Edit as appropriate, and then click Apply to save your changes, and OK to close the window. vWorkspace Management Console Remove an Administrator 1. Open the vWorkspace Management Console. 2. Select File | Administration. 3. Highlight the user or group name from the list. 4. Click Remove. 5. Verify by selecting Yes on the confirmation window. 6. Click OK to close the window and save your changes, or Apply to save your changes without closing the window. Set Permission at the Object Level 1. 2. Open the vWorkspace Management Console. Highlight the object to which the permission is to be set. Permissions are inherited from the parent permission, unless the level is set separately. Licensing vWorkspace is typically licensed on a concurrent user basis. However, it can be also licensed on a per device and subscription basis. Any number of servers can belong to the vWorkspace infrastructure using any of these models. With the concurrent user model, each license has a user count associated with it indicating the maximum number of concurrent users that can connect and use the respective services. There are two types of vWorkspace licenses available: • Enterprise Edition — This edition enables both VDI and Session Host integration with vWorkspace. • Desktop Edition — This edition enables VDI integration with vWorkspace. You can access the Licensing window from the File menu option in the vWorkspace Management Console, or by selecting the Licensing icon from the toolbar. There are two parts to licensing: • Licenses • Database Configuration 87 vWorkspace Administration Guide Licenses The Licenses section enables administrators to view current licenses and to add new licenses. The License 1 and License 2 license tabs are used for adding licenses that have been acquired from the Quest Licensing Management System (LMS). Licenses retrieved from Quest LMS are ASC files. All new licenses are received in this file format. The Licensing page allows for up to two ASC files to be added. This is helpful when different numbers of vWorkspace licensing is required. For example, a customer wants 5000 licenses of Enterprise Edition to support Remote Desktop Session Hosts for the majority of their applications, but they also want 1000 licenses of vWorkspace Desktop Edition to host a legacy line of business applications on a Microsoft Hyper-V platform. The Other Licenses tab is used for adding existing licenses that have been previously acquired from the vWorkspace web site. You can no longer acquire licenses from www.vworkspace.com. See Licensing in the vWorkspace Installation chapter for more information. 88 vWorkspace Management Console Database Configuration Database configuration is handled by the vWorkspace installation process, but there are occasions when additional database connections need to be defined. When the vWorkspace Management Console is started, it looks to the Windows Registry for a pointer to a System Data Source Name (DSN) and uses the settings contained in the DSN to connect to the vWorkspace database. The Configure vWorkspace Database window opens when the vWorkspace Management Console is started and a DSN has not been defined, or if the data in the DSN is invalid. 89 vWorkspace Administration Guide How to ... • Create a New Database and DSN • Connect to an Existing Database Create a New Database and DSN 90 1. Start the vWorkspace Management Console on one of the vWorkspace Connection Brokers or an administrative computer. 2. Click Database Configuration on the Configure vWorkspace Database window. 3. Select the Create new vWorkspace database on the Action window, and then click Next. vWorkspace Management Console 4. Specify the following parameters on the Database Information window, and then click Next. New database • Enter the Server name of the SQL server where the database is to be created. If you are using MSDN or SQL Express, use the format: server_name\instance_name • Enter a Database name, or accept the default name, vWorkspace_Database. New data source (DSN) • Enter a Name for the DSN or accept the default name, Provision Database. • Enter a Description for the DSN or accept the default description, Provision Database. 5. Enter an existing SQL admin login for the specified server, and a new vWorkspace SQL login. 6. Click Finish. Connect to an Existing Database Once the vWorkspace database is created, all servers with vWorkspace components requiring database connectivity must have DSNs configured. 1. Start the vWorkspace Management Console from the additional Connection Broker or administrative computer. 2. Select File | Database Configuration from the menu bar of the vWorkspace Management Console. 3. Click Connect to an existing vWorkspace database on the Action window, and then click Next. 91 vWorkspace Administration Guide 4. Specify the following parameters on the Database Information window, and then click Next. Existing database • Enter the Server Name of the SQL server where the database is to be created. If you are using MSDN or SQL Express, use the format: server_name\instance_name • Enter the name of the database. New data source name (DSN) 5. • Enter a Name for the DSN. • Enter a Description for the DSN. Enter the existing vWorkspace SQL login name and password on the Credentials window, and click Finish. vWorkspace Object Nodes The navigation pane of the console contains a tree structure that organizes the multiple management tools. Each node of the tree addresses a different management need of the virtual workspace. This section introduces each of the parent, or top level, nodes in the navigation pane of the vWorkspace Management Console. 92 • Farm • Locations • Targets • Resources • Packaged Applications • Virtual IP • File and Registry Redirection • Load Balancing • Websites vWorkspace Management Console Farm The first node in the navigation pane represents the vWorkspace infrastructure. Properties of this node can be used to: • Assign a name to the infrastructure. • Enable or disable database caching. • Specify various settings for the reporting database. • Enable or disable two-factor authentication. • Set other miscellaneous settings. To access the Farm Properties window, right-click on the Farm node and select Farm Properties or select the Properties icon from the toolbar. 93 vWorkspace Administration Guide The following setting can be defined on the General window. FIELD DESCRIPTION Name This is the name that is assigned to the vWorkspace infrastructure. This name is stored as a record in the vWorkspace database and requires no configuration changes to member servers. It can be changed at any time and is automatically passed on by the vWorkspace Connection Broker servers to the vWorkspace clients. The following settings can be defined on the Database Cache window. FIELD DESCRIPTION Create local host cache on all servers If selected, this checkbox enables the use of database caching. If enabled, all vWorkspace farm servers work from a local cache. For mid to large size infrastructures, the use of database caching can reduce the number of open database connections. 94 vWorkspace Management Console FIELD DESCRIPTION Cache update Interval (minutes) The number of minutes that the local cache is updated. The following settings can be defined on the Reporting Database window. FIELD DESCRIPTION Data Expiration (days) The age at which reporting data is automatically purged. Purge Interval (hours) How often expired data is purged from the reporting database. See vWorkspace Reporting for more information. 95 vWorkspace Administration Guide The following settings can be defined on the Two-Factor Authentication window. FIELD DESCRIPTION Enable RADIUS Enables the RADIUS dialogue. Server name or IP addr Name or IP address of a RADIUS server. Port Listening port of the RADIUS server. Secret key Shared password used to communicate with RADIUS server. Authentication type Specify whether encrypted (CHAP Challenge-Handshake Authentication Protocol) or unencrypted (PAP - Password Authentication Protocol) Password Layout Controls the order the AD and OTP passwords are entered by the user. One-time password length Inform the Connection Broker the length of the OTP. Require all users to be two-factor authenticated Sets two-factor authentication as required for all users. Overrides all other vWorkspace policies. 96 vWorkspace Management Console The following settings can be defined on the Other Settings window. FIELD DESCRIPTION Reset all pop-up messages If selected, this checkbox resets all of the pop-up message tips, including the please do not show me this message again checkboxes, so that they reappear if necessary. Clear recent items list If selected, this checkbox to reset the list of recent items on the welcome screen. Locations The Locations node represents a group of one or more data centers and the desktops within those data centers. Administrators define Connection Brokers, Session Host, Virtualization Hosts, and desktops for each defined location. Multiple locations can be defined and are typically configured for delegation of administration purposes. See Locations for more information. 97 vWorkspace Administration Guide Targets The Targets node on the vWorkspace Management Console is used to define the list of accounts and definitions that can be used in target assignments of a resource. vWorkspace uses target assignments to assign resources such as managed applications, connection polices, and other resources to user sessions when connected to a virtual workspace. It is possible that a given user might belong to more than one target definition. By design, target assignments are cumulative; users receive the assignments of all of the target definitions they are members of, except when a conflict exists. In this case of a conflict, the client with the highest priority takes precedence. Target priority can be modified by selecting the Target node, and using the green Move Up or Move Down options from the toolbar, or from the context menu of the target name. Target types at the top of the list have higher priority than those lower in the list, and the settings Yes, No, and Defer to End User have priority over Undefined. When applying certain resources to targets, the order of the targets is taken into account for conflicting settings. So, when an end user logs on to a farm from AppPortal or the Web Access connector and resolves to more than one target definition, the topmost connection property item with a Yes, No, or Defer to End User setting is the one that is applied. For example, the Microsoft Windows domain users and domain administrators global groups might be defined as targets, with domain administrators listed higher in priority. Domain administrators have an application restriction that allows them to run registry editing tools. Domain users have an application restriction that denies them the ability to run registry editing tools. However, members of domain administrators are also members of domain users and which causes a permission conflict. Since there is a conflict in assignments, and the domain administrators target definition has higher priority, any user who logs on as a member of domain administrators is able to run registry editing tools. Target Types The following table lists the target types, along with a description. TYPE DESCRIPTION Users Any trusted Windows domain or local user account. Groups Any trusted Windows domain or local group account. Device Addresses IP address assigned to the client hardware device. 98 vWorkspace Management Console TYPE DESCRIPTION Device Names NetBIOS name of the client device. Organizational Units Active Directory Organizational Unit containing the user, group, or computer account. Advanced Allows multiple target criteria to be set and combined using Boolean logic. How to ... • Define Targets by Users • Define Targets by Groups • Define Targets by Device Address • Define Targets by Device Name • Define Targets by Organizational Unit Define Targets by Users 1. Expand the Targets node in the navigation pane of the vWorkspace Management Console. 2. Right-click on the Users node, and select New User(s). 3. To add users by selecting them from a domain, do the following: a) Click the Users tab on the Add Targets(s) window. b) Select a Windows domain or computer from the Domain list. c) Type the user name in the Enter the User(s) field, or select the user from the list in Select the User(s). d) Click OK to complete the task. 4. To add users by selecting them from Active Directory, do the following: a) Right-click on the Users node, and then select New User(s). b) Click the Active Directory tab on the Add Targets(s) window. c) Select the Windows domain from the Domain list. d) Select Organizational Units, Users, or both in the Display section. e) Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard. 99 vWorkspace Administration Guide f) Click Refresh and the system displays a list of organizational units or users in the bottom pane. g) Select one or more of the items, and then click OK. Define Targets by Groups 1. Expand the Targets node in the navigation pane of the vWorkspace Management Console. 2. Right-click on the Groups node, and then select New Target(s). 3. To add groups by selecting them from a domain, do the following: a) Click the Groups tab on the Add Targets(s) window. b) Select a Windows domain or computer from the Domain list. c) Type the user name in the Enter the Group(s) field, or select the group from the list in Select the Group(s). d) Click OK to complete the task. 4. To add groups by selecting them from Active Directory, do the following: a) Right-click on the Groups node, and select New Target(s). a) Click the Active Directory tab on the Add Target(s) window. b) Select the Windows domain from the Domain list. c) Select Organizational Units, Groups, or both in the Display section. d) Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard. e) Click Refresh and the system displays a list of organization units or groups in the bottom pane. f) Select one or more of the items, and then click OK. 100 vWorkspace Management Console Define Targets by Device Address 1. Expand the Targets node in the navigation pane of the vWorkspace Management Console. 2. Right-click on the Device Addresses node, and then select New Device Address(es). 3. Click the Device IP Addresses tab and enter a Starting Address and Ending Address to define the client IP address or a range of addresses. 4. Click OK. Define Targets by Device Name 1. Expand the Targets node in the navigation pane of the vWorkspace Management Console. 2. Right-click on the Device Names node, and then select New Device Name(s). 3. Enter the device names on the Device Names tab, separated by a semicolon (;). To enclose a range, use square brackets ([]). For example W2K3-[0-10]. 4. Complete the information on the Active Directory tab, as follows. a) Select the Windows domain from the Domain list. b) Select Organizational Units, Computers/Client Names, or both in the Display section. c) Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard. d) Click Refresh and the system displays a list of organization units or groups in the bottom pane. e) Select one or more of the items. 5. Click OK. 101 vWorkspace Administration Guide Define Targets by Organizational Unit 1. Expand the Targets node in the navigation pane of the vWorkspace Management Console. 2. Right-click on the Organizational Units node, and then select New Organizational Unit(s). 3. Select the Domain from the list. 4. Select Organization Units in the Display section. 5. Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard. 6. Click Refresh and the system displays a list of organizational units in the bottom pane. 7. Select one or more of the organization units, and then click OK. Define Advanced Targets Advanced Targets allow for the creation of target groupings based on logical criteria. With vWorkspace Advanced Targets, organizations can granularly limit the scope of a resource assignment. Multiple conditions can be combined into a single target that is assigned to a resource such as a printer, a connection policy or a managed application. A condition is defined by providing a Target field, a function, and a value. 102 vWorkspace Management Console For example, the Target field can be set to Device Name, the function can be set to Matches Pattern and the value can be set to win??? or win*. Users connecting to a virtual workspace from a client access device with a name that matches the wild card pattern would meet that condition. Additional conditions can be created. Logical operators AND and OR can be applied between each condition. Conditions can also be grouped. Within each group a logical operator can be applied, and separate logical operators can be applied between multiple condition groups or between single conditions and condition groups. For example, one condition can be created that defines the Human Resources group, a separate condition that sets two factor authentication as required. These two can be grouped together and separated by an OR operator from an additional condition the sets a Trusted Entry Point.The following table shows the combinable components of a condition. TARGET FIELD DESCRIPTION User Account The end user’s account in the format: domain\user. User Group The end user’s group in the format: domain\group. Organizational Unit The end user OU. Device Address The device address of the end user’s access device. Trusted Entry Point The last hop IP address of the end user’s connection to the connection broker, such as Quest Secure Gateway or Web Access. Device Name The name of the end user’s access device. Day of the Week - UTC The day of the week based on Coordinated Universal Time (UTC). Day of the Week - Client Local The day of the week based on the time zone of the end user’s access device. Time of Day - UTC The time of day based on Coordinated Universal Time (UTC). Time of Day - Client Local The time of day based on the time zone of the end user’s access device. Date - UTC The date based on Coordinated Universal Time (UTC). 103 vWorkspace Administration Guide TARGET FIELD DESCRIPTION Date - Client Local The date based on the time zone of the end user’s access device. Two-factor Authentication The client two-factor authentication. FUNCTIONS DESCRIPTION Is equal to Returns true if the target field is equal to the specified value. Is not equal to Returns true if the target field is not equal to the specified value. Is greater than Returns true if the target field is greater than the specified value. Is greater than or equal to Returns true if the target field is greater than or equal to the specified value. Is less than Returns true if the target field is less than the specified value. Is less than or equal to Returns true if the target field is less than or equal to the specified value. Matches pattern Returns true if the target field matches the specified wildcard pattern value. Does not match pattern Returns true if the target field does not match the specified wildcard pattern value. Is in the list Returns true if the target field matches at least one item in the specified list of values. Is not in the list Returns true if the target field does not match any items in the specified list of values. Is in the range Returns true if the target field is between the specified from/to values (inclusive). Is not in the range Returns true if the target field is not between the specified from/to values. Is required Enforces the Target Field parameter. 104 vWorkspace Management Console Value Values are dependent on the type of Target field. For example, setting the target field to Device Address presents the administrator with an IP address input field. Selecting Day of the week - UTC presents a drop-down list with days of the week. Other Target fields, such as Two-factor Authentication, have no value assignment. How to ... Define Advanced Targets 1. Expand the Targets node in the navigation pane of the vWorkspace Management Console. 2. Right-click the Advanced node and then select New Target(s). 3. Type a name for the target in the Target name: field. 4. Select -Click here to add a condition-. 5. Select one of the Fields, such as User Account or Trusted Entry Point, in the list, and then click Next. 6. Select one of the Functions, such as Is equal to or Matches pattern, and then click Next. Certain fields have a Finished option, as no value is required. 7. Specify an appropriate Value, and then click Finish. Resources The Resources node includes a list of child nodes that provide for the creation of objects that are assignable to Targets within the vWorkspace Management Console. Each child node manages a specific component of the virtual workspace and allows administrators control over aspects of a user’s session when connected to the vWorkspace infrastructure. 105 vWorkspace Administration Guide The following table provides a list of the available Resources options and a description of each. RESOURCE NAME DESCRIPTION Additional Customizations The ability to customize items relating to the Windows Desktop, Start Menu, drive mappings, and network mappings. Application Restrictions The ability to explicitly or implicitly restrict what applications are allowed or denied for assigned clients. Connection Policies The ability to preconfigure the local device resources that are available, and under what conditions they are available. See Connection Policies for more information. Color Schemes The ability to assign standard Window color schemes. Drive Mappings The ability to assign network drive mappings to clients without logon scripts or Active Directory Group Policy. Environment Variables The ability to assign user environment variables that are automatically created and removed. Host Restrictions The ability to act as a per-session firewall allowing Web and network access restrictions to be enforced. 106 vWorkspace Management Console RESOURCE NAME DESCRIPTION Managed Applications The ability to assign to clients applications, desktops, and content hosted from either Session Hosts or Desktop Services. Printers The ability to assign shared printers on LAN or WAN based Windows print servers by using either the Quest vWorkspace Universal or Windows native print drivers. Registry Tasks The ability to assign per-session modifications to user’s HKCU registry hive. Scripts The ability to assign scripts on a per-session basis to vWorkspace clients without having to modify Session Host’s complex logon script sequence or the Active Directory Group Policy. Time Zones The ability to assign time zones on a per-session basis. User Policies The ability to assign user level policies on a per-session basis. User Profiles The ability to create a managed user profile. See Virtual User Profile Management for more information. Wallpapers The ability to assign Windows wallpaper to vWorkspace clients. How to ... View the Resources Assigned to a Target 1. Expand the Target node in the navigation pane of the vWorkspace Management Console. 2. Click on the node of the desired Target type, such as Users or Groups. 107 vWorkspace Administration Guide 3. Do one of the following: a) Select the target that is to be viewed from the list in the information pane. The system displays the assigned items for the selected client in the additional pane, if Toggle Configuration Display is activated. – OR – a) Right-click on the target to view from the list of targets in the left pane of the Details window, and then select Properties. b) Click on the Assigned Resources tab to view the resources. Packaged Applications The Packaged Application node allows administrators to identify Microsoft Application Virtualization (App-V) servers, their hosted application packages, and MSI Packages in the vWorkspace Management Console. App-V Node Microsoft Application Virtualization (App-V) provides the capability for applications to be available to computers without having to install the applications directly on those computers. Tasks such as managing multiple versions of applications and updating application packages are simplified by not having to install the applications on to the computers. The App-V node on the vWorkspace Management Console allows administrators to import, update, and publish their App-V applications. 108 vWorkspace Management Console How to ... Establish a New Server Connection 1. Open the vWorkspace Management Console. 2. Expand the Packaged Applications node, and highlight App-V. 3. Select the App-V Servers tab in the information pane, and then click on the New App-V Server icon on the toolbar. 4. Click Next on the Welcome window. 5. Enter the appropriate information for the new App-V server on the Server Name & URL window, and then click Next. 109 vWorkspace Administration Guide Server Name Enter the server name. Server URL Click in this field, and it is populated with the path to the App-V Management virtual directory. If the Server Name field is DNS unresolvable, the path needs to be corrected to have the DNS name or IP address of the server. Note: Multiple connections can be made to the same server by entering different friendly names in the Server Name field. 6. Enter the appropriate credentials for the new App-V server on the Credentials window, and then click Next. Account Enter the user name for the App-V Administrator. Use the ellipsis to browse to the user in the directory. Password Enter the password for the App-V Administrator. Use the check mark to check the password. 7. Specify any permissions that are to be used with this App-V server, and then click Finish. Edit the Properties of an App-V Server 110 1. Open the vWorkspace Management Console. 2. Expand the Packaged Applications node, and then expand the App-V node. vWorkspace Management Console 3. Do one of the following to access the App-V server Properties: a) Right-click on the specified server, and then select App-V Server Properties. b) Highlight the App-V node, and then highlight the specified server in the information pane, and click Server Properties. c) Highlight the specified server in the navigation pane (under the App-V node) and then click Server Properties in the information pane. 4. Edit the properties on the App-V Server Properties window as appropriate, and click OK. Import App-V Applications 1. Open the vWorkspace Management Console. 2. Expand the Packaged Applications node, and then highlight the App-V node. 3. Select the server in the right pane, and then click Import/Update Applications. – OR – Right-click on the server in the navigation pane and select Import/Update Applications. 4. Select Next on the Welcome window of the App-V Import wizard. The Welcome window is presented only if this is the first time that you have imported applications to the specified server. 5. Click Refresh to refresh the list. 6. Do one of the following on the Select Applications window: a) To import all the applications, click Select All. b) To import specific applications, select them on the list by pressing CTRL and using a left-click. c) Click Next or Apply. If importing for the first time, Next is the option to move to the next window. If you are updating applications, Apply is used to save your changes on the current window, and OK is used to close the wizard. 111 vWorkspace Administration Guide 7. On the Create Access Groups window, do the following: a) Select the access groups that are to be imported, and click Yes. b) Select the access groups that are not to be imported, and click No. c) Click Select All to import all the groups. d) Click Next or OK. 8. On the Launch Location window, do one of the following: a) To choose all the applications from the list, click Select All, and then select either Client or Server. b) Select individual applications and the select the Launch Location of Client or Server. c) Click Next or OK. 9. To publish the application on a Session Host, do the following on the Publish On window: a) To publish all on the same Session Host, click Select All, or to select the specific applications by using CTRL + left-click. b) Click Session Host. c) Select the Session Host from the Publish On window, and then click OK. 10. To publish the application on a desktop group, do the following on the Publish On window: a) To publish all on the same desktop group, click Select All, or to select the specific applications by using Ctrl + left-click. b) Click Desktop Group. c) Select the desktop group from the Publish On window, and then click OK. 11. Click Next or OK on the Publish On window. 12. On the Launch Location window, select one or more of the applications and then specify if the content is to be launched on the client or the server. 13. On the vWorkspace Folders window, select one or more application, and then click Folder(s) to define the folders in which the application or applications selected should be assigned. Click Manage Folders to add or change the folders listed. Applications with a launch location of client may only be assigned to vWorkspace client folders. 112 vWorkspace Management Console 14. On the Load Balance window, click Select All or the specific applications by using CTRL + left-click to specify the applications for load balancing, and then click the Load Balance Wizard to choose the load balancing rule evaluator for the selected applications. If you do not want to use load balancing, click Next. 15. On the Desktop Integrations Settings window, specify the location of the shortcuts on the vWorkspace client host when using AppPortal in desktop integrated mode by doing the following: a) Select specific applications, or use the Select All button. a) Click Desktop Integration. b) Select one or more of the options, Desktop, Start Menu, Start Menu\Programs, and click OK. c) Click Next or OK on the Desktop Integration Settings window. 16. Review the selections on the Summary window and click Back to make changes or click Finish. View/Edit Imported App-V Application Properties 1. Open the vWorkspace Management Console. 2. Expand Resources, and click on Managed Applications. 3. View the App-V applications in the right pane. The applications are listed by server name, and their Type is Content on Server or Content on Client. 4. View or edit the properties by right-clicking on the application or select the application and select the Properties icon. Properties can be edited, except for the executable Path and the Type, which are grayed out and unaccessible. 113 vWorkspace Administration Guide MSI Packages The MSI Packages node is used to define MSI packages that can be deployed, as well as used in the Task Automation feature. The MSI Packages option is also available from the context menu of a computer group in the vWorkspace Management Console. Once the MSI Packages option is selected, the established MSI packages display in the information pane and the MSI Package wizard is available by selecting New from the information pane toolbar. How to ... Add a New MSI Package 1. Open the vWorkspace Management Console. 2. Expand Packaged Applications, and then select MSI Packages. 3. Click New in the information pane to open the MSI Package Wizard. 4. Click Next on the Welcome window. 5. Enter a Name for the MSI package on the MSI Package Name window, and then click Next. This is the name that is displayed in the vWorkspace Management Console. 6. 114 Enter the MSI source file or click the ellipsis to browse on the Source File window, and then click Next. vWorkspace Management Console 7. Do one of the following on the Run Location window, and then click Next. a) Select Execute the MSI file directly from the source location. – OR – a) Select the Copy the MSI file to each computer before executing. b) Enter the full path and file name of the destination file in the Destination file field. 8. Enter the credentials necessary to access the source MSI file on the Credentials window, and then click Next. 115 vWorkspace Administration Guide 9. 116 On the Parameters window, complete the following information, and then click Next. Enter the parameters necessary for a new installation: Enter the necessary parameters. Enter the upgrade code for this MSI package. Enter the upgrade code. Enter the parameters necessary to perform an update: Enter the parameter necessary to perform an update. Enter the parameters necessary to uninstall: Enter the parameter necessary to complete an uninstall. Help Select this button for assistance with the installer parameters. Use Retrieve to get the upgrade code from the MSI file. vWorkspace Management Console 10. On the Timeout Period window, do one of the following, and then click Next. a) Select the option, Select the timeout value, and then specify the Timeout after value by using the list. – OR – a) Select the option, Execute the MSI operation and continue. 11. Specify MSI Package permissions, if appropriate, on the Permissions window, and then click Finish. Performance Optimization The Performance Optimization node on the vWorkspace Management Console is used with Session Hosts to improve application response time and increase overall server capacity by streamlining and optimizing the use of virtual memory and CPU resources in a multi-user environment. See Performance Optimization for more information. 117 vWorkspace Administration Guide Virtual IP The Virtual IP node on the vWorkspace Management Console enables each user instance of a legacy application to be bound to a distinct IP address. This allows many legacy applications to run concurrently and reliably on Session Hosts. See Virtual IP for more information. File and Registry Redirection The File & Registry Redirection node is used to define a registry and file system redirection engine, which is designed to eliminate conflicts in a Terminal Services environment. See Application Compatibility Enhancements for more information. Load Balancing The Load Balancing node is used to create and manage load balancing rules used in the load balancing process for Session Hosts, Microsoft Hyper-V computer groups, and Microsoft SCVMM computer groups. See Load Balancing for more information. Websites The Websites node is used to define and manage vWorkspace Web Access web sites. Web Access is a web application for vWorkspace Farms that enable users to retrieve their list of allowed applications and desktops using a web browser. See Web Access for more information. Locations Locations give organizational structure to your vWorkspace farm; a way to specify a location that groups one or more data centers and the computers within those data centers. 118 vWorkspace Management Console Locations are containers of heterogeneous objects that include: • Connection Brokers • Session Hosts • Virtualization Hosts/Management Servers • Desktop groups Locations can be used to group items based upon location or for other management purposes such as departmental organization and delegated administration. For example, you can name a location based on an office site, and then associate the connection brokers, Session Hosts, Virtualization Hosts and Desktops to that location. Locations Node Options The following menu options are available from the Locations node by either right-clicking on Locations, or from the icons in the toolbar when Locations is selected. • Management Servers — Select to open the Management Server window and the Virtualization Server Wizard, which is used to add virtualization management servers such as Microsoft SCVMM or VMware vCenter. • New Location — Select to open the New Location wizard used to add a new location. • Properties — Select to display the Locations properties which includes central settings for Connection Brokers, Session Hosts, Virtualization Hosts, and Other Settings. • Refresh — Select to refresh the Locations node view. 119 vWorkspace Administration Guide Virtualization Management Servers A Virtualization Management Server is a computer system used to centrally manage one or more physical servers enabled with computer virtualization technology, and the virtual computers being hosted and executed on them. An example of a virtualization server is a Microsoft SCVMM server, a VMware vCenter server, or a Parallels Virtuozzo master node. Virtualization Management Servers are defined at the location node and can be added, deleted, or modified from this node, or during the process of adding a new location. Settings to limit the number of concurrent operations can also be completed for virtualization servers. See Virtualization Platform Integration for more information. New Location Use the following steps to add and delete locations in the vWorkspace Management Console. How to ... • Add a Location • Delete a Location Add a Location These processes can also be completed by using the Quick Start Wizard, which can be accessed from the Welcome page of the vWorkspace Management Console. Connection Brokers and Session Hosts can be defined when adding a Location. 1. Open the vWorkspace Management Console. 2. Select the Locations node. 3. Do one of the following to start the New Location wizard: Right-click on the Locations node, and select New Location. – OR – Click the New Location icon from the toolbar. 4. 120 Click Next on the Welcome window of the New Location wizard. vWorkspace Management Console 5. Enter the name for the location on the Location Name window, and then click Next. This is the name that is displayed in the vWorkspace Management Console. 6. On the Add Servers window, you can add Connection Brokers and Session Hosts to this location. To add a vWorkspace Connection Broker, go to step 7. To add a Session Host, go to step 8. 7. To add a Connection Broker: a) Click on Add Connection Broker. b) Click Next on the Welcome window of the Server wizard. c) Enter the name or IP address of the server on the Server Name window, and then click Next. Use the ellipsis to browse for the server. 121 vWorkspace Administration Guide d) Specify the role or roles for the server on the Server Role window, and then click Next. This new server may perform more than one role; a vWorkspace Connection Broker and Microsoft Remote Desktop Connection Broker (RD Broker). e) Optionally, specify or view the certificate that is to be used on this server on the Certificate window, and then click Next. f) Select if trace logging is to be enabled on this server on the Logging window, and then click Next. Typically, logging is only used as assisted by the Quest Support Services Department. g) If you selected the Microsoft Remote Desktop Connection Broker (RD Broker) option on the Server Role window, complete the next two steps. If not, then continue to step j to specify Permissions for this server. h) Specify an administrative account and password for the RD Broker on the Administrative Account, and then click Next. 122 vWorkspace Management Console i) Select if publishing and resource plug-in logging is to be enabled on this server on the Logging window, and then click Next. Typically, logging is only used as assisted by the Quest Support Services Department. j) Specify any permissions for this server on the Permissions window, and then click Finish. In order to assign permissions, you must first add users or groups using the New Administrator wizard located at File| Administration. k) Click Next on the Add Servers window to advance to the next window, or click Add Session Hosts, if appropriate. 8. To add a Session Host: a) Click Add Session Host. b) Click Next on the Welcome window of the Server wizard. c) Enter the name or IP address of the server on the Server name window, and then click Next. Use the ellipsis to browse for the server. d) Select Session Host on the Server Role window, and then click Next. e) Specify the folder for this Session Host on the Folder window, if appropriate. Click New Folder to create a new folder. Click Next when completed. Folders are for organization and display; it does not change the operation of the servers. f) Specify the load balancing rule on the Load Balancing Rule Wizard window, and then click Next. This is an optional step. 123 vWorkspace Administration Guide g) Select the setting for Session Auto-Logoff on the Session Auto-Logoff window, as appropriate, and then click Next. 124 vWorkspace Management Console h) Define the following information on the Connectivity window, and then click Next. Connections Select Accept Proxy-IT least busy connection requests check box if you want the server to participate in load balancing Proxy-IT connection requests. Alternative IP Address Enter an alternative IP address. RDP Connection Restrictions Select Inherit global settings or Only allow RDP connections to vWorkspace managed applications. i) Specify the performance optimizations options, on the Optimization window, that are to be enabled on this server, and then click Next. Virtual Memory Optimizations CPU Utilization Management 125 vWorkspace Administration Guide j) Specify if the bandwidth optimization is to be Enabled or Disabled on this server on the Experience optimization window, and then click Next. k) Specify if bidirectional audio is to be Enabled or Disabled on this server on the Enhanced Audio window, and then click Next. l) Specify the Virtual IP settings for this server, as appropriate, and then click Next. m) Review the information on the Licensing window, and then click Next. n) Specify any permissions for this server on the Permissions window, and then click Finish. In order to assign permissions, you must first add users or groups using the New Administrator wizard located at File| Administration. 126 vWorkspace Management Console 9. Datacenters, hosts, nodes, host groups, or clusters are associated to this location by using the Add Entities option on the Virtualization Entities window. If you choose to not assign them at this time, click Next and go to the next step. Virtualization Hosts can be added later by right-clicking on the specific location, and then selecting the Properties option and completing the information in the Virtualization Hosts section. See Add Virtualization Server Connections for more information about adding virtualization hosts. 10. On the Administrative Account window, select Specify default administrative account and enter an account and password if you want to specify a default administrative account for new computer groups that are created in this location. This is an optional step. 11. Use the Permissions window to assign permissions to users or groups. Users and groups must be added using the New Administrator wizard. See Administration for more information. 12. Click Finish to save the changes made in the New Location wizard. Delete a Location Locations can only be deleted after Connection Brokers, Session Hosts, Desktops, and Virtualization Hosts associated with the location are deleted as well. 1. Open the vWorkspace Management Console. 2. In the navigation pane, right-click on the location that is to be deleted. 3. Select Delete Location. 4. Click Yes on the confirmation message. Locations Properties Locations properties are defined for Connection Brokers, Session Hosts, Virtualization Hosts, and Other Settings. Location properties are the same for all the locations within a farm. 127 vWorkspace Administration Guide To access Locations properties, highlight the Locations node and then do one of the following: 128 • Select the Properties option from the context menu. • Click on the Properties icon in the toolbar. • Select Actions | Properties. vWorkspace Management Console The following properties are available: LOCATIONS PROPERTY DESCRIPTION Connection Brokers Communication Settings Specify the TCP/IP port number that is to be used when listening for inbound connection requests. Any port number can be used if it is available on all servers with the Connection Broker. Default values are: • HTTP: 8080 • HTTPS: 443 The HTTP and HTTPS protocols can be used simultaneously. The use of the HTTPS requires an X.509 digital certificate containing the server’s FQDN to be installed into the Windows computer store of each Connection Broker. Bypass proxy settings when communicating with the connection brokers — If selected, proxy settings are not used when communicating with Connection Brokers. This setting is selected by default. The Ticket Expiration setting is used to specify the expiration time for tickets that are sent to the Connection Broker when applications are launched. The default for the Ticket Expiration setting is 1 minute. License Pool Enter a number of minutes to define update interval, which is the number of minutes the Connection Broker servers update license usage information. 129 vWorkspace Administration Guide LOCATIONS PROPERTY DESCRIPTION Session Hosts Session Auto-Logoff This policy is for users that start published applications and not full desktops. If enabled, vWorkspace automatically logs off when the last published application is closed. This eliminates the potential issue of applications remaining in memory, and never really terminating. Enter a module name for a process. If the process with the module name persists after the session has been closed, then the session is automatically logged off. To add a process, click Add. To delete a process from the use, highlight the process and click the red X. RDP Connection Restrictions Enable RDP remote administration control — Select this option to enable remote administration control. this is farm wide and is disabled by default. Hyper-V Hyper-V Catalyst HyperDeploy Approximate bandwidth usage — Select an approximate bandwidth to be used by HyperDeploy when copying parent VHDs to local hosts. HyperCache Enable parent VHD caching for new parent VHDs is set by default. Deselect to disable. Default cache size (MB) sets the default cache size for a parent VHD, and can get overridden for individual parent VHDs. Note: Disabling Parent VHD caching and to change the cache size of a parent VHD can be done on a per Hyper-V host basis from the properties of a Hyper-V host in the vWorkspace Management Console. Diff Disk Storage Optimizations 130 Select a setting for overcommitting diff disk storage. vWorkspace Management Console LOCATIONS PROPERTY DESCRIPTION MAC Address Management Allow vWorkspace to manage virtual machine MAC addresses — Select this option to generate and assign MAC addresses for Hyper-V virtual computers. Base address — Specify the base MAC address to use as the starting point for new computers. Auto-Size Settings Limit the number of new computers per auto-size iteration — Select this option to specify the maximum number of computers that vWorkspace creates in a single iteration of auto-sizing a group. Number of computers — Select the appropriate number of computers. Other Settings Computer Timing Settings Heartbeat Interval — Specifies how often the Data Collector Service on managed computers sends status information to the Connection Broker. Offline Count — Specifies the number of missed heartbeats before a managed computer is considered offline. Offline Retry — Specifies how often the Connection Broker attempts to contact an offline managed computer. Inactivity Timeout — Specifies how long a managed computer is logged off before it is considered inactive and automatically placed into a suspend state. Sysprep Period — Specifies how long the system waits during the Sysprep operation before attempting to initialize the computer. Host Timing Settings Heartbeat Interval - How often hosts send status information to the Connection Broker. Offline Count - Number of missed heartbeats before a host is considered offline by the Connection Broker Offline Retry - How often the Connection Broker attempts to contact an offline host. 131 vWorkspace Administration Guide LOCATIONS PROPERTY DESCRIPTION Task & Log Settings Task History — Age at which completed task records are automatically deleted. Task Display Expiration — Age at which the current or most recently executed task on a managed computer is no longer displayed in the desktop list. Log History — Age at which log records are automatically deleted. Active Directory Credentials Specify global delete credentials — Use this setting to add administrative credentials that can be used to delete a computer from Active Directory. Enter account and password credentials that are to be used to remove computers from Active Directory. Note: If a computer cannot be removed from Active Directory using these credentials, then the system attempts to use the computer group administrative credentials. Permissions Permissions Enter users or groups and then set permissions to Allow or Deny for the following: • Add Locations • Add Virtualization Servers • Delete Locations • Delete Virtualization Servers • Modify Locations • Modify Virtualization Servers Connection Brokers The Connection Broker, along with the vWorkspace Management Database, is a central component in a vWorkspace farm. A connection broker does much more than just broker connections and must be added to a farm before any connections to the virtual workspace can be made. The list that follows outlines some of the responsibilities of the vWorkspace Connection Broker. 132 • Manages most communication within a farm. • Runs as a highly scalable Windows service. vWorkspace Management Console • Integrates with virtualization platforms to provision and manage new workspaces. • Performs a broad set of management tasks. • Provides native load-balancing. • Brokers connections from vWorkspace connectors to the vWorkspace infrastructure and responds to client connectivity requests and redirects the client to an appropriate virtual workspace. Connection Brokers can be added during the New Location wizard process, or by selecting New Connection Broker from the context menu of the Connection Brokers node. To add a vWorkspace Connection Broker server to the Management Console, the vWorkspace Connection Broker role must be installed and configured to communicate with the farm management database. How to ... • Add Connection Broker Servers • Set Connection Broker Properties • Remove Connection Broker Servers Add Connection Broker Servers 1. Open the vWorkspace Management Console, and expand the Locations node, and then the location that the Connection Broker is to be added. 2. Right-click on Connection Brokers, and then select New Connection Broker. 3. Click Next on the Welcome window of the Server Properties wizard. 133 vWorkspace Administration Guide 4. Enter the server name (NetBIOS) on the Server name window, and then click Next. Use the ellipsis to browse for the server. The text box is limited to 15 characters, the maximum allowed in NetBIOS naming conventions. 134 vWorkspace Management Console 5. Specify the role or roles for the server on the Server Role window, and then click Next. A server can perform more than one role; for example, a vWorkspace Connection Broker and Microsoft Remote Desktop Connection Broker (RD Broker). 6. If you selected vWorkspace Connection Broker role on the Server Roles window, then on the Certificate window, specify or view the certificate that is to be used on this server, and then click Next. 7. Select if trace logging is to be enabled on this server on the Logging window, and then click Next. Typically, logging is only used as assisted by the Quest Support Services Department. 8. If you selected Microsoft Remote Desktop Connection Broker (RD Broker), complete the next two steps. If not, then continue to step 11 to specify Permissions for this server. 9. Specify an administrative account and password for the RD Broker on the Administrative Account window, and then click Next. 135 vWorkspace Administration Guide 10. Select if publishing and resource plug-in logging is to be enabled on this server on the Logging window, and then click Next. Typically, logging is only used as assisted by the Quest Support Services Department. 11. Specify any permissions for this server on the Permission window, and then click Finish. In order to assign permissions, you must first add users or groups using the New Administrator wizard located at File| Administration. Set Connection Broker Properties Once Connection Brokers have been added to a location, set properties, as appropriate. 1. Right-click on the Connection Brokers node under the location in which you want to add the permission and select Properties. 2. Select the Permissions tab on the Connection Broker Properties window. 3. Highlight the user or group, and then set the permissions to Allow or Deny, by selecting the check box, as appropriate. 4. Click Apply to save your changes, and then OK to close the window. Remove Connection Broker Servers Use the following steps to remove a Connection Broker from inclusion in the vWorkspace infrastructure. Removing a Connection Broker deletes its associated records within the vWorkspace database, but it does not uninstall any of the vWorkspace components or any other software on the server, nor does it change its database configuration (DSN). 136 1. Expand the Connection Brokers node in the navigation pane of the vWorkspace Management Console, and select the Connection Broker sever that is to be removed. 2. Click the Delete Server icon from the navigation pane toolbar, or right-click on the Connection Broker, and select Delete Server from the context menu. 3. Click Yes to complete the removal. vWorkspace Management Console Desktops The Desktops node in the vWorkspace Management Console is used to define computer groups which, in turn, are used to create and contain managed computers. The managed computers within a group can be either physical or virtual, and typically have the same version operating system and service pack level, a common set of installed applications, and are used by individuals with similar job tasks and responsibilities. How to ... Set Desktops Properties Once Desktops have been added to a location, you can set the properties. 1. From the vWorkspace Management Console, right-click on the Desktops node under the location that you want to add the permission. 2. Select Properties. 3. Highlight the user or group on the Desktops Properties window, and then change the permissions to Allow or Deny, by selecting the checkbox, as appropriate. For more information on permissions, see Permissions. 4. Click Apply to save your changes, and then OK to close the window. The following is an overview of the concepts and terminologies associated with the Desktops node of vWorkspace. • Computer Groups — Containers for managing a group of desktop computers as a single entity. One or more computer groups may be created for each system type. See Computer Groups for more information. • Managed Computers — Objects in the vWorkspace database that represent the desktop computers that are managed by vWorkspace. These desktops are installed on virtual computers or physical devices, such as PC blades. See Managed Computers for more information. 137 vWorkspace Administration Guide • Initialize Computer — Managed computers and Microsoft Hyper-V Virtualization Hosts need to be able to communicate properly with the Connection Brokers. The Initialize task is the process that enables this communication, and is the responsibility of the Connection Broker. See Initialize Computer for more information. • Virtual Desktop Extensions (PNTools) — Set of executables, dynamic link libraries, and device drivers that provide features and management functionality for managed computers in a vWorkspace infrastructure. PNTools can be installed on all computers, virtual or physical, which are being managed using the Desktops node. See Virtual Desktop Extensions (PNTools) for more information. • Publish Managed Desktops and Applications — Managed desktops must be published before users can connect to their assigned applications or managed computer. Once published, icons representing the managed desktop appear in the application set of the AppPortal or Web Access client, allowing the user to click on an icon to initiate the program. See Publish a Managed Desktop and Publish Managed Applications for more information. • Power Management — Managed computers are considered to be power managed computers if the power state can be changed automatically by the Connection Broker, or manually by an administrator using the vWorkspace Management Console. See Power Management for more information. Computer Groups Once locations are established and are configured with at least one Connection Broker and Virtualization Host, administrators can add computer groups to the Desktops node in the Location. There are no limitations as to how many computer groups can exist in each location. The Computer Group wizard is used to add computer groups to an existing location. Some options on the Computer Group wizard may be unavailable, based upon the System Type you use when creating the group. After the System Type is selected, only the parameters relevant to that type are presented. 138 vWorkspace Management Console The System Types are: • Microsoft Hyper-V • Microsoft SCVMM • VMware vCenter Server • Parallels Virtuozzo • Other/Physical Administrators can activate the Computer Group wizard from the vWorkspace, Desktops node any of the following ways: • Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group. – OR – • Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from one of the following: • Actions menu on the toolbar in the navigation pane. • New Computer Group icon in the toolbar of the navigation pane. • Actions menu on the Desktops information pane. • Open the Quick Start Wizard from the vWorkspace Management Console welcome page. See the Quick Start Wizard section for more information. For specific information on completing the Computer Group wizard based on System Type, refer to the appropriate section in the Virtualization Platform Integration chapter. 139 vWorkspace Administration Guide Computer Group Properties The properties associated with computer groups are described below: PROPERTY DESCRIPTION Group Name Name of the managed desktop group. APPLIES TO: • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Group Mode Configures the Computer Group for either Cloud mode or Traditional mode. • Microsoft Hyper-V System Type System type for the computers in this group. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Datacenter Datacenter in which the computers in this group belong. • VMware vCenter Server Administrative Account Name of the user account that is used when performing administrative tasks on the desktop computers within this group. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical 140 vWorkspace Management Console PROPERTY DESCRIPTION Auto-Size Automatically adjusts the number of virtual computers in the computer group based on user demand. Enable auto-size turns on Auto-sizing and requires that the following values be set: Minimum number of computers specifies the minimum number of virtual computers to be maintained in the group. APPLIES TO: • Microsoft Hyper-V • VMware vCenter Server • Parallels Virtuozzo • Microsoft SCVMM Demand buffer computers specifies the number of virtual computers that should be powered on and available at all times. Maximum number of computers specifies the maximum number of virtual computers allowed in the group. Provisioning Settings Provisioning Settings define the parameters used to generate virtual machines that will become members of the computer group. The following parameters are set: Template Hosts - all hosts or selected hosts Naming convention • Microsoft Hyper-V • VMware vCenter Server • Parallels Virtuozzo • Microsoft SCVMM Sysprep customization - Native, Quick and Direct. Configure Computers - Video Adapter, Memory and Network Adapter Enable/Disable Connection requests to computers in this group may be temporarily suspended, if disabled. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical 141 vWorkspace Administration Guide PROPERTY DESCRIPTION APPLIES TO: Client Assignment Used to permanently assign users to specific computers. • Microsoft Hyper-V The two types of user assignment are: • VMware vCenter Server • Persistent— A permanent desktop is assigned to the user. • Microsoft SCVMM • Temporary — A free desktop is assigned on a temporary basis to the user, and then is available to be used again at user logoff. • Parallels Virtuozzo • Other/Physical A client type can be assigned to the computers in the group based on the following: • User • Device Name • Device Address • Organizational Unit • Group • Advanced Note: Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit. Assign computers using the Client Assignment window for the specified computer. See Managed Computers for more information on this window. Access Timetable Used to restrict access to the computers in this group based on day and time. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical 142 vWorkspace Management Console PROPERTY DESCRIPTION Load Balancing Used to specify a load balancing rule for the group, if appropriate. Load Balancing Rules that are created using the Load Balancing node in the vWorkspace Management Console, are presented as load balancing rule options. APPLIES TO: • Microsoft Hyper-V • Microsoft SCVMM Note: Hyper-V Load Balancing is configured from the properties of the Hyper-V host. User Privileges Automatically assigns users to local security groups. • Microsoft Hyper-V This policy is useful when provisioning desktop workspaces to users that require elevated privileges. • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Session Auto-Logoff Automatically logs off user sessions. This policy is for users that start published applications and not full desktops. If enabled, vWorkspace automatically logs off when the last published application is closed. This eliminates the potential issue of applications remaining in memory, and never really terminating. Enter a module name for a process. If the process with the module name persists after the session has been closed, then the session is automatically logged off. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical To add a process, click Add. To delete a process from the use, highlight the process and click the red X. 143 vWorkspace Administration Guide PROPERTY DESCRIPTION Inactivity Timeout Automatically suspends computers in the group when they are inactive. APPLIES TO: • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM Logoff Action Session Protocol Can be set to automatically reset, reprovision or delete a computer in this group when the user logs off. • VMware vCenter Server Specify the protocol for remote user sessions for this group, either Microsoft’s Remote Desktop Protocol or Hewlett Packard’s RGS. • Microsoft Hyper-V • Microsoft SCVMM • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Experience Optimization Specify if user experience optimizations are to be enabled or disabled for this computer group. This includes the settings for bandwidth optimization appliances and EOP Xtream. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Enhanced Audio Enable support for enhanced bidirectional audio. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical 144 vWorkspace Management Console PROPERTY Task Automation DESCRIPTION APPLIES TO: Tasks can be scheduled to be completed at specified times. • Microsoft Hyper-V See Task Automation for more information. • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Permissions Specify permissions for this computer group. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Finish Select from the options available as to the finish process for this group. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical How to ... Add a Computer Group The settings presented differ based upon the system type, such as VMware or Microsoft SCVMM. Review the previous table to view which property applies to which type. Virtualization servers and virtualization hosts must be added prior to adding computer groups. See the Virtualization Platform Integration chapter for more information on the set up of virtualization servers and hosts. 145 vWorkspace Administration Guide 1. Open the vWorkspace Management Console. 2. Open the Computer Group wizard from the, Desktops node one of the following ways: • Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group. • Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from the Actions menu on the toolbar in the navigation pane, from the New Computer Group icon in the toolbar of the navigation pane, or from the Actions menu on the Desktops information pane. 3. Click Next on the Welcome window of the Computer Group wizard. 4. Enter the name of the computer group in the Group Name field on the Group Name window, and then click Next. 5. Select the system type for the group on the System Type window, and then click Next. 6. Complete the following settings, as appropriate, based on the selected system type. Click Next to advance to the next setting. 7. On the Finish window, do one of the following: a) Select the Create new computers from a master template to add new desktops to the group and enter the number of desktops to create. Complete the process using the Add Computers tool. See the Virtualization Platform Integration chapter for more information on the Add Computers tool. b) Select Import existing computers to add computers by importing existing virtual computers and complete the process using Importing Existing Computers into a Group. c) Select Do nothing. I will create or import computers later to create the desktops at a later time. 8. Click Finish. Once managed computer groups are established, their properties can be viewed and modified from the vWorkspace Management Console by right-clicking on the managed computer group, and selecting Properties. View Managed Computer Groups Administrators have the ability to view summary information as well as delete computer groups from the vWorkspace Management Console. A computer group can only be deleted from vWorkspace if it is empty. 146 vWorkspace Management Console The Desktops and Session Hosts, Provisioning nodes, Computers, Tasks, and Logs tabs of the vWorkspace Management Console, display the warning message, Not all log entries have been displayed if the allowed maximum row view is attained. From this warning message, administrators can select the option to set a different maximum row amount. How to ... • View Summary Information • View Managed Computers • View Tasks for a Computer Group • View Logs for a Computer Group • Modify the Properties of a Computer Group • Delete a Computer Group View Summary Information 1. Open the vWorkspace Management Console. 2. Select Desktops for the location, and highlight the computer group. 3. Select the Summary tab in the information pane. View Managed Computers 1. Open the vWorkspace Management Console. 2. Navigate to the Desktops node of the computer group that you want to view, and highlight the computer group. 3. Select the Computers tab in the information pane. 4. Enter the text of the search term in the Find field. For example, enter Powered On to locate powered on computers in the Power State column. 147 vWorkspace Administration Guide 5. Do one of the following: • To highlight the next computer meeting the search criteria, click the Find Next icon. • To highlight all computers meeting the search criteria, click the Select All Matching icon. If the criteria is not found a message box displays stating [criteria] not found. View Tasks for a Computer Group 1. Open the vWorkspace Management Console. 2. Navigate to the Desktops node of the computer group that you want to view the tasks, and highlight the computer group. 3. Select the Summary tab in the information pane. 4. Click Toggle Lower Pane on the toolbar of the information pane. This enables the lower pane. 5. Select the Tasks tab to view. 6. Enter the text of the search term in the Find field. For example, enter Reconfigure to locate reconfigured computers in the Task Item column. 7. Do one of the following: • To highlight the next computer meeting the search criteria, click the Find Next icon. • To highlight all computers meeting the search criteria, click the Select All Matching icon. View Logs for a Computer Group 1. Open the vWorkspace Management Console. 2. Navigate to the Desktops node of the computer group that you want to view the logs, and highlight the computer group. 3. Select the Summary tab in the information pane. 4. Click Toggle Lower Pane on the toolbar of the information pane. This enables the lower pane. 148 5. Select the Log tab to view. 6. Enter the text of the search term in the Find field. 7. Do one of the following: • To highlight the next computer meeting the search criteria, click the Find Next icon. • To highlight all computers meeting the search criteria, click the Select All Matching icon. vWorkspace Management Console Modify the Properties of a Computer Group 1. Open the vWorkspace Management Console. 2. Navigate to the Desktop node that includes the computer group that you want to modify. 3. Right-click on the computer group, and select Properties. 4. Change the properties as appropriate, and then click OK. Delete a Computer Group 1. Open the vWorkspace Management Console. 2. Navigate to the Desktops node of the computer group that is to be deleted. 3. Right-click on the computer group, and then select Delete Group. If the group is not empty, a message appears stating that all managed computers from the group need to be removed prior to deleting the group. 4. Click Yes on the confirmation window to delete the group. Computer Group Column Options In a computer group’s information pane, administrators have the ability to configure column options. Memory Column Color Coding The Memory Demand (Status), Assigned Memory (MB), and Memory Demand (MB) columns have a feature where the computer’s current status is not only indicated by a value, but the cell background is color-coded indicating a relative status for memory use: green for adequate (OK), yellow for marginal, and red to indicate the computer is in danger of exhausting its memory. Volume Column The column, Volume, shows the volume on which a given desktop is running. This column is only available for Hyper-V computers. Template Column The Template column displays the current template of each virtual desktop. For Hyper-V and Parallels, this is the template version; for SCVMM, the template; and for VMware, the snapshot. The Template column makes it simple to identify any inconsistencies of template usage among desktops in a group at a glance. 149 vWorkspace Administration Guide How to ... • Arrange Information Pane Column Order and Sort Order • Resize Columns • Select Columns Arrange Information Pane Column Order and Sort Order Columns are grouped and ordered according to computer group type. In the Column Options window, the Grouped checkbox indicates if the selected column is part of a group and its order is determined by its position in the Selected Columns pane, with the top column on the far left of the Information pane. 1. To arrange columns in the Information pane, click and hold down the mouse button in the column heading, and drag the column to the desired location. 2. To sort information within a column, click the column heading to toggle the ascending or descending arrowhead, or right-click in the column heading and select Sort Ascending or Sort Descending from the drop-down context menu. Resize Columns 1. Right-click in a column heading and select Size Column to Fit from the drop-down context menu to fit a column to its contents. 2. Right-click in a column heading and select Auto Size All Columns to Fit to automatically fit all the columns in the Information pane to their contents. Select Columns 150 1. Open the vWorkspace Management Console. 2. Navigate to and select a computer group. 3. Select the Desktops tab in the information pane. 4. Right-click within a column heading. 5. Select Column Options in the context menu. vWorkspace Management Console 6. In the Column Options window, use the right arrow to move columns from the Available Columns pane to the Selected Columns pane, or the left arrow to move columns back to the Available columns pane. 7. In the Selected Columns pane, highlight a column name and click the up or down arrows to adjust its position. Click OK. 8. To display all the available columns, right-click in an information pane column heading and choose Show All Columns from the drop-down context menu. Task Automation The Task Automation property of a managed computer group provides the ability to schedule execution of a vWorkspace supported operation on a vWorkspace managed virtual or physical computer or Session host is available through the Automated Task Wizard. Some of the scheduled tasks include: • Power management. • Deletion of virtual computers, including the ability to delete computers that have been inactive for a specified number of days. • Installation of MSI packages. • Installation and update of PNTools. • Program and script execution. 151 vWorkspace Administration Guide How to ... Schedule Tasks using the Automated Task Wizard 1. Open the vWorkspace Management Console. 2. Expand the Desktops node for the location to which you want to add the scheduled task. 3. Do one of the following to open the Computer Group Properties window: a) Right-click on the computer group, and select Properties. b) Highlight the computer group, and then select Actions | Properties from the main menu. c) Highlight the computer group, and select the Properties icon from the toolbar. d) Highlight the computer group. Select the Summary tab in the navigation pane, then Actions | Properties. Scheduled tasks can also be identified by computer. See Automated Tasks for more information, and use the below steps to add a new scheduled task, using the Automated Task Wizard, to a specific computer. 4. Select Task Automation in the left pane of the Computers Properties window, and then click New (green + plus sign). The Automated Task wizard appears. 5. Click Next on the Welcome window. 6. Enter a Name for the task, and then click Next. 7. Select the task from the list on the Task window, and then click Next. 8. On the Task Parameters window, complete the information as appropriate, and then click Next. The fields on the Task Parameters window change based upon the Task selected. 152 vWorkspace Management Console 9. Complete the information on the Schedule window, as appropriate, and then click Finish. Managed Computers Managed Computers are objects in the vWorkspace database that represent the desktop computers and Session Hosts that are members of a managed computer group. These desktops and session hosts are virtual machines or physical devices. Virtual machines can be provisioned from template or parent VHD or imported into a computer group. Physical machines must be imported into a computer group. Managed computers have properties that control their creation and use. The properties that are available depend upon the type of group in which the managed computer exists. When a computer is added or imported into a managed computer group, it inherits the property settings of the group. Computers are added to a managed computer group by using the Add Computers tool. There are several methods available for accessing this tool. The method chosen depends on if the managed computer group already exists in the vWorkspace Management Console, or if it is being created. The inputs available on the Add Computers tool are based on the System type of the selected computer group. 153 vWorkspace Administration Guide Access the Add Computers tool by one of the following methods: Select the Create new computers from a master template on the Finish page of the New Computer Group wizard, when creating a new computer group. – OR – Select an exisitng computer group from the vWorkspace Management Console and do one of the following: a) Right-click on the computer group and select Add Computers. b) Select the Add Computers icon from the navigation pane toolbar. c) Select Add Computers from the Actions menu from the navigation pane. d) Select Actions | Add Computers from the information pane of the computer group. For more information on how to use the Add Computers tool based upon data center type, refer to the Virtualization Platform Integration chapter. 154 vWorkspace Management Console Properties of a Managed Computer The following section describes each property listed of a managed computer. Summary SUMMARY WINDOW DESCRIPTION Name The computer name. DNS Name The Domain Name System name. NetBIOS Name The NetBIOS name. The first 15 characters of the Windows computer name are assigned automatically by Windows setup and cannot be modified. IP Address The TCP/IP address last assigned to the managed computer. MAC Address The Media Access Control address assigned to the managed computer’s network interface card. Note: Only one active physical or virtual network interface is supported on a VM, physical PC, or blade PC. 155 vWorkspace Administration Guide SUMMARY WINDOW DESCRIPTION Allow power-management (suspended, reset, etc.) through the vWorkspace management console. Selecting this option allows the vWorkspace Management Console to control the power state of the managed computer, if it is an applicable option. Administrative Account ADMINISTRATIVE ACCOUNT WINDOW DESCRIPTION Override Group Properties Selecting this option allows a different administrative account and password to be assigned to the managed computer from the ones being used by the group. Account This field is used to specify the name of a user account that has local administrative rights. User the ellipsis to browse to the account. Password/Confirm Password 156 This field is used for the password of the user account specified by Account. vWorkspace Management Console Enable/Disable ENABLE/DISABLE WINDOW DESCRIPTION Override group properties Selecting this option allows this computer to have a different property than the group. Enabled or Disabled Select one of the options for this computer. If Disabled is selected, the Connection Broker does not redirect incoming connection requests to this computer. 157 vWorkspace Administration Guide Client Assignment See Temporary Client Assignment for more details. CLIENT ASSIGNMENT WINDOW Current User DESCRIPTION Displays the name of the user account currently logged on to the managed desktop computer. If a user is not logged on, a None value is displayed. Permanent User Displays the name of the user account permanently assigned to the managed desktop computer. If a user is not logged on, a value of None is displayed. 158 vWorkspace Management Console CLIENT ASSIGNMENT WINDOW DESCRIPTION Select a user to whom this desktop should be permanently assigned Use this option to select a user account that is permanently assigned to the managed desktop computer. This option is available if a user is currently not logged on to the desktop. Note: If a Client Assignment policy for the desktop group is set to Temporary, it is overridden for this desktop computer only. Note: If the Client Assignment policy for the desktop group is set to Persistent, this setting can be used to pre-assign a user account to the managed computer. Persistently assign the current user to this desktop Use this option to assign the currently logged on user account to the managed computer. This option is available if a user is currently not logged on to the desktop. Note: If a Client Assignment policy for the desktop group is set to Temporary, it is overridden for this desktop computer only. Remove the current permanent assignment Use this option to remove the current permanent assignment from the managed computer. Note: If a Client Assignment policy for the desktop group is set to Temporary, the managed computer is available for automatic, permanent assignment. Note: If the Client Assignment policy for the desktop group is set to Persistent, this setting can be used to pre-assign a user account to the managed computer. However, the vWorkspace administrator can still choose to pre-assign the desktop to a user. 159 vWorkspace Administration Guide Access Timetable ACCESS TIMETABLE WINDOW Override group properties DESCRIPTION If selected, you can specify a different access timetable setting than that of a desktop group. Click on the green grid to set a time schedule. If selected, choose from the following: Grant Permission — Specifies the days of the week and the hours of the day when logons to the desktop computer are allowed (marked in green). Deny Permission — Specifies the days of the week and the hours of the day when logons to the desktop computer are not allowed (marked in red). 160 vWorkspace Management Console User Privileges USER PRIVILEGES WINDOW DESCRIPTION Override group properties If selected, you can specify a different level of user privileges for the users that log on to this desktop computer. Power User At logon, the user is added to the desktop computer’s built-in Power Users local group. Administrator At logon, the user is added to the desktop computer’s built-in Administrators local group. None At logon, the user is added to the desktop computer’s built-in Users local group. 161 vWorkspace Administration Guide Power Savings (SCVMM and Hyper-V) INACTIVITY TIMEOUT WINDOW DESCRIPTION Desktops can be automatically suspended when idle for a specified amount of time. Override group properties If selected, you can specify a different power savings setting than that of the parent desktop group. Automatically suspend Select to enable automatic suspension of the desktop computer when inactive (user is logged off, but computer is still powered on), or if offline. Do not automatically suspend Select to disable automatic suspension of the desktop computer when inactive (user is logged off, but computer is still powered on), or if offline. 162 vWorkspace Management Console Power Savings (VMware) POWER SAVINGS WINDOW DESCRIPTION Override group properties If selected, you can specify a different power saving than that of a desktop group. To conserve computing resources, automatically suspend computers in the group that are inactive Inactive status is marked when the managed computer has been logged off, disconnected or goes offline. Computers to remain powered on Number of computers in the computer group that will not be suspended. This parameter ensures that a connecting user is logged into the virtual workspace quickly. Values: none - 500 163 vWorkspace Administration Guide Session Auto-Logoff SESSION AUTO-LOGOFF WINDOW DESCRIPTION Override group properties If selected, you can specify a different session auto-logoff setting than that of a desktop group. Module Name Enter the name, such as wuauclt.exe. Add Select after entering a name in the Module Name box. Remove Select to remove items from the list. 164 vWorkspace Management Console Configuration (VMware System Type only) CONFIGURATION WINDOW DESCRIPTION Reconfigure Enables administrators to modify the current memory and virtual disks configuration. Refresh Refreshes the current view of the window. 165 vWorkspace Administration Guide Configuration (Hyper-V and SCVMM System Type) CONFIGURATION WINDOW DESCRIPTION Reconfigure Enables administrators to modify the current video adapter, memory, memory priority and network adapter configuration. Refresh Refreshes the current view of the window. 166 vWorkspace Management Console Logoff Action LOGOFF ACTION WINDOW DESCRIPTION Override group properties If selected, you can specify a different logoff action setting than that of a desktop group. Nothing If selected, no actions are performed at logoff. Reset If selected, this computer is reset when the user logs off. Reprovision If selected, this computer is reprovisioned at log off. Note: It is recommended that you install Virtual Desktop Extensions (PNTools) onto your VMware template if you are using the reprovision functionality. 167 vWorkspace Administration Guide Session Protocol SESSION PROTOCOL WINDOW DESCRIPTION Override group properties If selected, you can specify a different session protocol setting than that of a desktop group. RDP Remote session protocol for this computer is set to RDP. RGS Remote session protocol for this computer is set to RGS. 168 vWorkspace Management Console Experience Optimization EXPERIENCE OPTIMIZATION WINDOW DESCRIPTION Enable support for bandwidth optimization appliances Enables or disables support for bandwidth optimization for this computer. Enable support for WAN acceleration (EOP Xtream) Override group properties — If selected, you can specify a different EOP Xtream setting than that of a desktop group. Override group properties — If selected, you can specify a different bandwidth optimization setting than that of a desktop group. Enabled — Enables support for EOP Xtream. Enable RDP pass-through mode — Enables EOP Xtream to use the RDP port, eliminating the need to configure extra firewall settings. EOP Xtream Port Number — The default port number is 33389. Maximum number of connections — Enter a maximum number of connections. Disabled — Disables support for EOP Xtream. 169 vWorkspace Administration Guide Enhanced Audio ENHANCED AUDIO WINDOW DESCRIPTION Override group properties If selected, you can specify a different enhanced audio setting than that of a desktop group. Enabled Enables support for enhanced audio for this computer. Disabled Disables support for enhanced audio for this computer. 170 vWorkspace Management Console Automated Tasks TASK AUTOMATION WINDOW DESCRIPTION Name Identifies the name of the task. Task Identifies the task that is to be completed. Schedule Indentifies the schedule to which the task is to be completed. New Select to add a new scheduled task. See Schedule Tasks using the Automated Task Wizard for more information. 171 vWorkspace Administration Guide Permissions PERMISSIONS WINDOW DESCRIPTION User/Groups Lists users and groups who have permission to perform administrative tasks on this computer. Select a user or group to view their permissions. Permissions Lists permission for this computer and if they are allowed or denied for the selected user or group. For more information on permissions, see Permissions. Operating System Customizations The Operating System Customization wizard creates the operating system customization information for Hyper-V, SCVMM, VMware and Parallels Virtuozzo type computers. This wizard can be accessed from the Customize Operating System window of the Add Computers wizard by selecting the New icon (green plus sign). 172 vWorkspace Management Console You are able to select one of the following Sysprep types based on the system type: • Windows XP, Server 2003 (sysprep.inf) • Vista, Windows 7, Server 2008 (unattend.xml) You can also import an existing sysprep.inf or unattend.xml file, and then make further customizations to the file through the Operating System Customizations wizard. Operating System Customizations Quest vWorkspace supports three operating system customization types: Native, Instant, and Direct. • Instant mode is available for provisioning virtual computers on Hyper-V and VMware platforms and uses Quest’s Instant Provisioning mechanism, which is the fastest way to customize a computer. The Instant Provisioning method requires the master template be configured as follows: • vWorkspace Instant Provisioning tools (TEMPLATE_TOOLS\InstantProvisioning.exe) must be pre-installed. • Joined to the target domain. 173 vWorkspace Administration Guide • Microsoft Sysprep uses the virtualization system’s native sysprep execution and passes all the customizations to the virtualization system (Hyper-V, SCVMM, VMware vCenter). • Direct Sysprep method invokes sysprep directly after the clone operation is complete. This is the slowest of available sysprep mechanisms. Direct sysprep method requires the master template be configured as follows: • Quest Virtual Desktop Extensions (PNTools) must be pre-installed. Instant Provisioning can be configured to run custom commands once the provisioning process is complete. On the template locate the folder %programfiles%\Quest Software\Instant Provisioning\vbscripts. Any .vbs files in this folder are run at the end of the Instant Provisioning process. The following table shows which sysprep execution mode is compatible with each virtualization platform and operating system. MICROSOFT SYSPREP INSTANT DIRECT SYSPREP Hyper-V Win XP, Win 7 Win XP, Win 7 n/a SCVMM Win XP, Win 7 n/a n/a VMware Win XP, Win 7 Win XP, Win 7 Win XP Parallels n/a n/a Win XP, Win 7 Win XP = Windows XP and Windows Server 2003 Win 7 = Windows Vista, Windows 7 and Windows Server 2008 174 vWorkspace Management Console About Sysprep Files Using an imported sysprep.inf file provides you with more customization than using the Operating System Customization wizard. For example, you can configure TCP/IP and networking options. However, if you choose to import a sysprep.inf file, you must include the following sections, or the customization process pauses and awaits user interaction. [Unattended] OemSkipEula=Yes OemPreinstall=Yes InstallFilesPath=c:\sysprep\i386 [GuiUnattended] OEMSkipRegional=1 OEMSkipWelcome=1 EncryptedAdminPassword=No [Networking] InstallDefaultComponents=Yes How to ... • Create Operating System Customizations Windows XP/2003 • Create Operating System Customizations Vista/Win7/Server2008 Create Operating System Customizations Windows XP/2003 1. From the Customize Operating System setting on the Add Computers wizard, select the New icon (green plus sign). 2. Click Next on the Welcome window of the Operating System Customization Wizard. 3. Enter a Name for this customization, and then click Next. 4. Select the platform type, Windows XP/2003 (sysprep.inf), for this operating system customization. 175 vWorkspace Administration Guide 5. Complete the information on the Import window, if you want to import an existing sysprep.inf file, and then click Next. – OR – If you do not want to import an existing file, click Next. See About Sysprep Files for more information about importing an existing sysprep.inf file. 6. Specify the Windows operating system on the Operating System window, and then click Next. The choices are: 176 • Windows XP Professional • Windows XP Professional (64-bit) • Windows Server 2003 • Windows Server 2003 (64-bit) 7. Enter the Windows registration information of Owner and Organization on the Registration window, and then click Next. 8. Select a Time Zone that is to be used when configuring Windows on the Time Zone window, and then click Next. vWorkspace Management Console 9. Select one of the following on the Product Key window, and then click Next. a) Specify a single product key. b) Retrieve product keys from a text file. Use the ellipsis to browse. 10. Select one of the options, Instant, Microsoft Sysprep, or Direct Sysprep, on the Customizations Type window, and then click Next. 11. If Windows Server 2003 or Windows Server 2003 (64-bit) was selected as the Operating System, select either Per Server or Per Device or Per User on the Licensing Mode window, and then click Next. 12. Enter the Password for the administrator account for the desktops created in this group, on the Administrator Password window, and then click Next. 13. Select Domain or Workgroup where the computers are to be added on the Domain or Workgroup window, and click Next. If you select Domain, you need to specify a user account that has permission to add a computer to the domain. 14. Enter the Active Directory Organization Unit Path to which the computers are to be added on the Active Directory Path window, and then click Next. 177 vWorkspace Administration Guide 15. Enter the path to the folder where the installation files are located, and then click Next. If you do not want a folder specified, you must delete the default value in the Path field. This is an optional step. The default is c:\sysprep\i386. 16. Select one of the following options on the Regional Settings window, and then click Next: a) Use the default regional settings for the Windows version you are installing. b) Specify the regional settings. Select a default value for the language. 17. On the Languages window, select the language in which the users can view the content, and then click Next. 18. Use the Run Once window to configure Windows to automatically run a command the first time a user logs on. a) Enter the command in the Command box, and click Add. b) Use the green arrows to define the commands order. c) Click Next when you are finished. 178 vWorkspace Management Console 19. Enter an Identification String, which is written to the registry of the computer to assist in determining which customization object was used to customize a computer. Click Next. 20. Alter customization entries on the Custom Entries window. This is an optional step. Click Next to go to the next window. 21. Review your entries on the Summary window and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops. 22. Complete the Add Computers wizard in the usual way. Create Operating System Customizations Vista/Win7/Server2008 1. From the Custom Operating System setting on the Add Computers wizard, select the New icon (green plus sign). 2. Click Next on the Welcome to the Operating System Customizations Wizard window. 3. Enter a Name for this operating system customization, and then click Next. 4. Select the Platform type, Windows Vista, Windows 7, Server 2008 (unattend.xml) for this customization, and then click Next. 179 vWorkspace Administration Guide 5. If you want to use an existing unattend.xml file, click Select file on the Import window, and browse to the location of your answer file template. Click Edit to use notepad or a shell application to edit the file. If you have modified the file outside of vWorkspace or have used the Edit option to modify the file, click Re-import to reimport the file. Click Next to continue. This is an optional step, and is used if you have an existing unattend.xml file that you want to use in the Sysprep process. 180 6. Select the operating system and the processor architecture for this customization, and then click Next. 7. Enter the Windows registration information of Owner and Organization on the Registration window, and then click Next. 8. Select a Time Zone that is to be used when configuring Windows on the Time Zone window, and then click Next. vWorkspace Management Console 9. Select one of the following on the Product Key window, and then click Next. a) Select Specify a product key and then select Specify a single product key. Enter the specified product key. • The entered product key replaces the Product key value and elements in the unattend.xml file if you have imported an existing unattend.xml file. b) Select Specify a product key and then select Retrieve product keys from a text file. Enter the file or browse to its location. c) Unselect Specify a product key. • The Product key values and elements are specified in the imported unattend.xml file (if you have imported an existing unattend.xml file) will be used in the operating system customization process. • If there are no Product key values or elements specified in the unattend.xml file, a message is displayed warning that the operating system customization might fail. The need for a product license key is based upon Microsoft’s license scheme for their products. For example, if you are using Microsoft Windows 7 Enterprise edition, you do not need to enter a product key, as licensing is supported through a key management server. 181 vWorkspace Administration Guide 10. Select one of the options, Instant, Microsoft Sysprep, or Direct Sysprep, on the Customizations Type window, and then click Next. 11. Select Domain or Workgroup to identify how the desktops will participate in the network. If you select Domain, you must enter a user account that has permission to add a computer to the domain. Click Next. 12. Specify the Active Directory Organization Unit path into which the computers are to be added, and then click Next. 182 vWorkspace Management Console 13. Specify a local administrator account on the Local Account window if you are using Microsoft Vista, Microsoft Windows 7, or Microsoft Server 2008, and then click Next. 183 vWorkspace Administration Guide 14. Select to enable or disable the firewall for the public profile, domain profile, and private profile, and then click Next. 15. Specify the regional settings, as appropriate, and then click Next. 16. Use the Run Once window to configure Windows to automatically run a command the first time a user logs on. a) Enter the command in the Command box, and click Add. b) Use the green arrows to define the commands order. c) Click Next when you are finished. 17. Enter an Identification String, which is written to the registry of the computer to assist in determining which Sysprep object was used to customize a computer. 18. Click Finish to complete the Operating System Customizations wizard process. 19. Complete the Add Computers wizard in the usual way. View Managed Computers Administrators have the ability to view summary information managed desktops from the vWorkspace Management Console. Administrators can also remote into a user’s active RDP session. See Remote Control for more information on this option. 184 vWorkspace Management Console How to ... • View Summary Information • View Tasks for Managed Computers • View Logs for Managed Computers View Summary Information 1. Open the vWorkspace Management Console. 2. Navigate to the computer group in Desktops or Session Hosts to which the computer belongs, and highlight the computer group. 3. Select the Computers tab in the information pane, and then highlight the computer. 4. Click Toggle Lower Pane from the toolbar of the information pane. This enables the lower pane with three tabs, Summary, Tasks, and Log. 5. Select the Summary tab to view property and status information. View Tasks for Managed Computers 1. Open the vWorkspace Management Console. 2. Navigate to the computer group to which the computer belongs, and highlight the computer group. 3. Select the Computers tab in the information pane, and then highlight the computer. 4. Click Toggle Lower Pane on the toolbar of the information pane. This enables the lower pane with three tabs, Summary, Tasks, and Log. 5. Select the Tasks tab to view tasks performed on the selected computer. Use the Actions menu and toolbar of the tasks pane to refresh information or cancel tasks. View Logs for Managed Computers 1. Open the vWorkspace Management Console. 2. Navigate to the computer group to which the computer belongs, and highlight the computer group. 3. Select the Computers tab in the information pane, and then highlight the computer. 4. Click Toggle Lower Pane on the toolbar of the information pane. This enables the lower pane with three tabs, Summary, Tasks, and Log. 5. Select the Log tab to view log information. 185 vWorkspace Administration Guide Initialize Computer When a managed computer (virtual or physical) is added to a computer group, the vWorkspace Data Collector Service must be installed to allow the managed computer to communicate properly with vWorkspace Connection Brokers. This process is accomplished using the Initialize Computer task, which is initiated and executed by the Connection Broker. The Initialize Computer task is accomplished as follows: 1. The Connection Broker checks for the IP address of the computer to be initialized by querying the Virtualization Host. For other/physical system type computers, it checks for the issuing DNS or NetBIOS name resolution queries. 2. Once the IP address of the target computer has been retrieved, the Connection Broker attempts to connect to the Data Collector service on that computer using TCP port 5203. If successful, it queries for the version of the Data Collector service. 3. If the Connection Broker is unable to connect to the Data Collector service, or if the version of the Data Collector service on the target computer is older than that running on the Connection Broker, the Connection Broker attempts to install the newer version of the service by remotely connecting to the Windows Service Control Manager and system drive of the target managed computer. It then stops the Data Collector service if it is running and copies the newer version of PNDCSVC.exe to the Windows\System32 folder. Once the file has been copied, the Connection Broker issues a remote command to start the Data Collector service. 4. 186 Once the Data Collector service has been successfully started on the target computer, the Connection Broker again attempts to contact the Data Collector service on TCP port 5203. If the connection is successful, the Connection Broker passes the following to the Data Collector service: • List of all available Connection Brokers. • Informs the Data Collector service to use TCP port 5201 when initiating connections to a Connection Broker. • Request that subsequent connections be encrypted, and provides the public key to use for SSL encryption, if configured. vWorkspace Management Console • Configured heartbeat interval (the interval at which the Data Collector service will send status updates to the Connection Brokers). • Information about the License Mode for the vWorkspace infrastructure. • Assigned Unique Computer ID for the computer. When an Initialize Computer task is unsuccessful, the Connection Broker considers the desktop unusable and marks it offline, making it unavailable to users. Some common causes of a failure include: • Firewalls are blocking the communications between the Connection Broker and the managed computer. • Name resolution issues. • Insufficient privileges held on the managed computer. You need to be able to connect to the administrator file shares and have the privilege to create a service on the managed computer. The privilege is set in the Properties of the computer group, in Computer Administrative Account. Initialization Triggers The following events can trigger the Initialize Computer task: • Successful clone operation • Add/Import desktops • Missed heartbeats To manually initialize a computer or multiple computers: 1. Open the vWorkspace Management Console. 2. Select the computer group under Desktops or Session Hosts. 3. Highlight the computers that are to be initialized from the Computers tab of the information pane. 4. Right-click to select the Initialize option or select Actions | Initialize from the information pane toolbar. 187 vWorkspace Administration Guide The ability to manually initialize a computer or multiple computers is available through the context menu option of the highlighted computers. Select the computer group under the Desktops or Session Hosts node on the vWorkspace Management Console, and then highlight the computers that are to be initialized from the Computers tab of the information pane and right-click to select the Initalize option. Virtual Desktop Extensions (PNTools) Virtual Desktop Extensions (PNTools) is a set of executables, dynamic link libraries, and device drivers that provide features and management functionality for managed computers in a vWorkspace infrastructure. PNTools can be installed on all computers, virtual or physical, which are members of a computer group in the Desktops node. PNTools provides the following: 188 • Data Collector • Universal Print Driver • Seamless window display mode • Up to 4096 x 2048 screen resolution • Quest vWorkspace Universal Print Driver • Quest vWorkspace USB Redirection vWorkspace Management Console • User Profile Management • Full-fledged desktop or published application sessions • Experience Optimized Protocol How to ... Install Virtual Desktop Extensions The installation program for PNTools is located in the following folder on all Connection Brokers: ProgramFiles(x86)\Quest Software\vWorkspace\PNTools\pntools.msi There are several ways to install, upgrade, or uninstall PNTools: • Use the PNTools | Install/Update from the context menu of a specific managed computer group or managed computer on the vWorkspace Management Console. • Use the MSI Packages option from the Packaged Applications node of the vWorkspace Management Console to define a package for PNTools. See MSI Packages for more information. • Use the Automated Tasks option. See Task Automation for more information. • Manually install PNTools.msi into the virtual computer template. • Use third-party software distributions. 189 vWorkspace Administration Guide Session Hosts Session Hosts need to have the Remote Desktop Services role installed and configured to communicate with the vWorkspace Management Database before it can be added to the vWorkspace Management Console. To add a vWorkspace Session Host to the Management Console, the vWorkspace Remote Desktop Services role must be installed and configured to communicate with the farm management database. How to ... • Add Session Hosts • Set Session Host Properties • Remove Session Hosts Add Session Hosts 190 1. Open the vWorkspace Management Console, and then expand the Session Hosts node. 2. Right-click on Management, and then select New Session Host. 3. In the Add Session Host window, select <New Server> and click OK. 4. Click Next on the Welcome window of the Server wizard. vWorkspace Management Console 5. Enter the server name (NetBIOS) on the Server Name window, and then click Next. Use the ellipsis to browse for the server. The text box is limited to 15 characters, the maximum allowed in NetBIOS naming conventions. 6. Specify Session Host on the Server Role window, and then click Next. 7. Specify the folder for this Session Host on the Folder window. Click New Folder to create a new folder. Click Next when complete. Folders are for organization and display; it does not change the operation of the servers. 8. Accept the default load balancing rule or select to specify a custom load balancing rule on the Load Balancing window, and then click Next. Additional custom load balancing rules can be created from the Load Balancing node of the vWorkspace Management Console. 191 vWorkspace Administration Guide 9. 192 Click Next to inherit the global exception list for Session Auto-logoff, or select Specify the exclusion list to create an exclusion list specific to this Session Host, and then click Next. vWorkspace Management Console 10. Complete the following information on the Connectivity window, and then click Next. Connections Select the Accept least busy connection requests check box if you want the server to participate in load balancing. Alternative IP Address Enter an alternative IP address. RDP Connection Restrictions These options are grayed out, and not available for selection at this time. 11. Specify the performance optimizations options that are to be enabled on this server on the Performance Optimization window, and then click Next. The two options are: • Virtual Memory Optimizations • CPU Utilization Management 12. Specify the experience optimization settings for this server on the Experience Optimization window, and then click Next. For more information about EOP Xtream, see the EOP Xtream section. 193 vWorkspace Administration Guide 13. Specify whether bidirectional audio should be Enabled or Disabled on this server in the Enhanced Audio window, and then click Next. 14. Specify the Virtual IP settings for this server, as appropriate, and then click Next. 15. Specify licenses on the Licensing window, and then click Next. 16. Specify any permissions for this server, and then click Finish. In order to assign permissions, you must first add users or groups using the New Administrator wizard located at File| Administration. Set Session Host Properties Once Session Hosts have been added, you can set properties to apply to all servers in the vWorkspace farm that have the Session Host role. 1. Right-click on the Session Hosts node under the location in which you want to add the permission, and then select Properties. 2. Highlight the user or group on the Session Host Properties window, and then change the permissions to Allow or Deny, by selecting the check box, as appropriate. For more information on permissions, see Permissions. 3. 194 Click Apply to save your changes, and then OK to close the window. vWorkspace Management Console Remove Session Hosts Use the following steps to remove a Session Host from inclusion in the vWorkspace infrastructure. Removing a Session Host deletes its associated records within the vWorkspace database, but it does not uninstall any of the vWorkspace components or any other software on the server nor does it change the database configuration (DSN). 1. Expand the Session Hosts node in the navigation pane of the vWorkspace Management Console, and select the Session Host that is to be removed. 2. Click the Delete Server icon from the navigation pane toolbar, or right-click on the server and select Delete Server from the context menu. 3. Click Yes on the confirmation window to complete the removal. Session Host Management • Manage Users Connected to Session Hosts • View Session Hosts Sessions • View Client Information for an Active Session • Manage Session Host Processes • View Session Host Applications Manage Users Connected to Session Hosts 1. To view connected users: a) Open the vWorkspace Management Console. b) Expand the Locations node. c) Expand the location to which the Session Host is located. d) Expand the Session Hosts node. e) Expand the Management node. f) Double-click the Session Host. g) Select the Users tab. The following information can be viewed: Server The NetBIOS name of the Session Host to which the user is connected. Domain The NetBIOS name of the Windows domain to which the user’s account belongs. 195 vWorkspace Administration Guide Session The name of the user’s session as assigned by the Session host. User The user account name used to log on to the session. Session ID The numerical session ID assigned to the user’s session by the Session Host. State The state of the Session Host session. The options are: • Active • Disconnected • Idle • Down 2. Idle Time The amount of time no activity has occurred between the client and the Session host. Logon Time The date and time the session was logged on. To connect to a specific Session Host: a) Within the Management node, double-click on a Session Host object. 3. To connect to all Session Hosts: a) Double-click on each Session Host object, or right-click on the Session Hosts node and select Connect All. 4. To issue a command to a Session Host: a) Right-click a server session. Administrators can perform the following actions: Disconnect If a session state is active, it can be placed into a disconnected state. Disconnecting a session causes the network connection between the client device and the Session Host to be closed, releasing memory and CPU threads. The working state of the session is persisted by writing to the Session Host’s page file, allowing the user to reconnect to the session, with no loss of data. Send Message 196 An administrator can send a message to the selected user if the session is active. vWorkspace Management Console Remote Control An administrator can connect to the user’s active session, and depending on the policy settings, view and interact with the session. Note: See Database Configuration for more information on this feature. Reset An administrator can reset a session which disconnects the session in a non-graceful way. Note: All unsaved data is lost. Log Off An administrator can gracefully log a user off from a Session Host session. The user is prompted to save any unsaved data. View Session Hosts Sessions 1. Open the vWorkspace Management Console. 2. Expand the Locations node, and then the expand location to which the Session Host is located. 3. Expand the Session Hosts node. 4. Highlight the Management node. 5. To view a session on a specific Session Host: a) Double-click on the Session Host object. b) Click on the Sessions tab in the Session Hosts information pane. 6. To view sessions for all Session Hosts: a) Double-click on each Session Host object, or right-click on the Session Hosts node and then select Connect All. b) Click on the Session Hosts node. c) Click on the Sessions tab in the Session Hosts information pane. The following information can be viewed: Domain The NetBIOS name of the Windows domain to which the user’s account belongs. Session The name of the user’s session as assigned by the Session Host. User The user account name used to log on to the session. Session ID The numerical session ID assigned to the user’s session by the Session Host. 197 vWorkspace Administration Guide State The state of the Session Host session. The options are: • Active • Disconnected • Idle • Down Type The connection type. The options are: • Console • RPD 7. Client Name The NetBIOS name of the vWorkspace client device. Idle Time The amount of time no activity has occurred between the client and the Session Host. Logon Time The date and time the session was logged on. Comment Not used. Select a user session. Administrators can perform the following actions: Disconnect If a session state is active, it can be placed into a disconnected state. Disconnecting a session causes the network connection between the client device and the Session Host to be closed, releasing memory and CPU threads. The working state of the session is persisted by writing to the Session Host’s page file, allowing the user to reconnect to the session, with no loss of data. Send Message An administrator can send a message to the selected user if the session is active. Note: The only administrative action allowed for the Console session is Send Message. Remote Control An administrator can connect to the user’s active session, and depending on the policy settings, view and interact with the session. Note: See Database Configuration for more information on this feature. 198 vWorkspace Management Console Reset An administrator can reset a session which ends the session in a non-graceful way. Note: All unsaved data is lost. The session with Session Name of RDP-TCP and Session ID 65536 is the Session Host’s RDP listening port. The only administrative action allowed is Reset. Log Off An administrator can gracefully log a user off from a Session Host session. The user is prompted to save any unsaved data. View Client Information for an Active Session 1. Open the vWorkspace Management Console. 2. Expand the Locations node, and then expand the location to which the Session Host is located. 3. Highlight the Session Hosts node. 4. Double-click on the Session Host object. 5. Expand the Session Host container object, and click on the active session. 6. Click on the Information tab in the information pane. The following information can be viewed: User Name The name of the user. Client Name The NetBIOS name of the CAS Client device. Client Build Number The vWorkspace internal build number of the vWorkspace client software installed on the client device. Client Directory The complete directory path to which the vWorkspace client software was installed. Client Product ID The vWorkspace internal identification number of the vWorkspace client software. Client Hardware Not used. Client Address The IP address of the vWorkspace client device. Client Color Depth The color depth used in the session. Client Resolution The height and width, expressed in pixels, used in the session. 199 vWorkspace Administration Guide Manage Session Host Processes 1. Open the vWorkspace Management Console. 2. Expand the Locations node, and then expand the location to which the Session Host is located. 3. Expand the Session Hosts node. 4. Highlight the Management node. 5. To view a session on a specific Session Host: a) Double-click on the Session Host object. b) Click on the Processes tab in the Session Hosts information pane. 6. To view sessions for all Session Hosts: a) Double-click on each Session Host object, or right-click on the Management node and then select Connect All. b) Click on the Session Hosts node. c) Click on the Processes tab in the Session Hosts information pane. The following information can be viewed: Domain The NetBIOS name of the user’s Windows domain that owns the process. Processes running in the console session are listed as Unspecified. 200 Session The name of the Session Host session in which the process is running. User The name of the user account that owns the process. Session ID The numerical session ID the process is running in, on the Session Host. Process ID The assigned process ID by the Windows operating system when the process is started. Process The file name of the process. vWorkspace Management Console 7. Select a user process. Administrators can perform the following actions: End Process An administrator can end the process. Note: Certain system processes, such as winlogon.exe and lsass.exe cannot be terminated, even by an administrator. Remote Control An administrator can connect to the user’s active session, and depending on the policy settings, view and interact with the session. Note: See Database Configuration for more information on this feature. View Session Host Applications 1. Open the vWorkspace Management Console. 2. Expand the Locations node, and then expand the location to which the Session Host is located. 3. Highlight the Session Hosts node. 4. To view a session on a specific Session Host: a) Double-click on the Session Host object. b) Click on the Applications tab in the Session Hosts information pane. 5. To view sessions for all Session Hosts: a) Double-click on each Session Host object. b) Click on the Session Hosts node. c) Click on the Applications tab in the Session Hosts information pane. The following information can be viewed: Name The name of the published application. Type The published application type. 201 vWorkspace Administration Guide Status The status of the application. The options are: • Enabled • Disabled App-V Server The name of the App-V server. Published On The name of the Session Host that it is published on. Provisioning Session Hosts The Provisioning node of Session Hosts allows administrators to create computers groups from which can be created Session Host servers. Session Host computer groups are created in a similar way that computer groups are created from Desktops node. Session Hosts that are members of a computer group can be managed and can be classified as a managed computer. Session Hosts can also be created in computer groups using the Add Computers wizard. PNTools & other MSI packages The option category PNTools & MSI packages appears on the properties menu of a Session Host computer group and on the properties of a Managed Session Host, but the option to deploy MSIs to a session host is the only option available. Installation of PNTools on to a Session Host is not recommended. The PNTools & MSI packages can be used to deploy MSI packages that have been defined within the Packaged Applications node of the Management Console. Session Host Computer Groups Computer groups created within the Provisioning node of Session Hosts have properties similar to computer groups created in the desktops node. The table below details the attributes of a Session Host computer group. 202 vWorkspace Management Console PROPERTY DESCRIPTION Group Name Name of the managed desktop group. APPLIES TO: • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical System Type System type for the computers in this group. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Datacenter Datacenter in which the computers in this group belong. • VMware vCenter Server Administrative Account Name of the user account that is used when performing administrative tasks on the desktop computers within this group. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical 203 vWorkspace Administration Guide PROPERTY DESCRIPTION Provisioning Settings Provisioning Settings define the parameters used to generate virtual machines that will become members of the computer group. The following parameters are set: Template Hosts - all hosts or selected hosts Naming convention APPLIES TO: • Microsoft Hyper-V • VMware vCenter Server • Parallels Virtuozzo • Microsoft SCVMM Sysprep customization - Native, Quick and Direct. Configure Computers - Video Adapter, Memory and Network Adapter Load Balancing Used to specify a load balancing rule for the group, if appropriate. Load Balancing Rules that are created using the Load Balancing node in the vWorkspace Management Console, are presented as load balancing rule options. • Microsoft Hyper-V • Microsoft SCVMM Note: Hyper-V Load Balancing is configured from the properties of the Hyper-V host. Enhanced Audio Enable support for enhanced bidirectional audio. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical 204 vWorkspace Management Console PROPERTY Task Automation DESCRIPTION APPLIES TO: Tasks can be scheduled to be completed at specified times. • Microsoft Hyper-V See Task Automation for more information. • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Permissions Specify permissions for this computer group. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical The following System Types are supported for creation of a Session Host computer group: • Microsoft Hyper-V • Microsoft SCVMM • VMware vCenter • Parallels Virtuozzo • Other/Physical For more information on Computer Groups see Computer Groups. Managed Session Hosts A Session Host that is a a member of a computer group are considered managed Session Hosts. The table below details the properties of a available on a managed Session Host. 205 vWorkspace Administration Guide PROPERTY DESCRIPTION System Type System type for the computers in this group. APPLIES TO: • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Datacenter Datacenter in which the computers in this group belong. • VMware vCenter Server Administrative Account Name of the user account that is used when performing administrative tasks on the desktop computers within this group. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Provisioning Settings Provisioning Settings define the parameters used to generate virtual machines that will become members of the computer group. The following parameters are set: Template Hosts - all hosts or selected hosts Naming convention Sysprep customization - Native, Quick and Direct. Configure Computers - Video Adapter, Memory and Network Adapter 206 • Microsoft Hyper-V • VMware vCenter Server • Parallels Virtuozzo • Microsoft SCVMM vWorkspace Management Console PROPERTY DESCRIPTION Load Balancing Used to specify a load balancing rule for the group, if appropriate. Load Balancing Rules that are created using the Load Balancing node in the vWorkspace Management Console, are presented as load balancing rule options. APPLIES TO: • Microsoft Hyper-V • Microsoft SCVMM Note: Hyper-V Load Balancing is configured from the properties of the Hyper-V host. Enhanced Audio Enable support for enhanced bidirectional audio. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Task Automation Tasks can be scheduled to be completed at specified times. • Microsoft Hyper-V See Task Automation for more information. • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical Permissions Specify permissions for this computer group. • Microsoft Hyper-V • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical 207 vWorkspace Administration Guide How to ... Provision a Session Host Use the following steps to configure a template that is used to create virtual machine within a Session Host computer group. 1. Join the server to the domain you are using if you are using instant provisioning. 2. Create a Windows Server with the Remote Desktop Services role enabled. 3. Install vWorkspace using the advanced installer option, and select the vWorkspace RD Session Host role. Select Do nothing at this time during the Management Database Setup in the Installation wizard. Do not join this vWorkspace installation to a farm. 4. Install the Instant Provisioning components to the template. The Instant Provisioning components are located in the vWorkspace download in a folder named Template Tools. Make sure you select the correct version (x86/x64). When Session Host managed computers are deployed from this template, they are initialized in a manner similar to how virtual desktops are initialized. The difference is that the Session Host initialization process knows this is an RDSH and automatically provides the RDSH with the correct database information. 208 4 Virtualization Platform Integration • Overview • Microsoft Hyper-V Integration • Microsoft SCVMM Integration • vCenter Integration • Parallels Virtuozzo Containers Integration • RD Session Host Integration • RD Connection Broker Integration • Importing Existing Computers into a Group vWorkspace Administration Guide Overview A Virtualization Management Server is a Microsoft Windows-based computer system used to centrally manage one or more physical servers enabled with computer virtualization technology and the virtual machines they are hosting. The following are categories of vWorkspace Management Servers. Management Servers can be added from the Locations node properties by right-clicking and selecting Management Servers. • Virtualization Management Servers • Network Storage Management Servers Virtualization Management Servers vWorkspace Connection Brokers integrate with virtualization management servers through APIs provided by the vendors. All the necessary prerequisites to communicate with a virtualization management server are installed with vWorkspace. To enable vWorkspace Connection Brokers to communicate with virtualization servers, the path to the management server and an administrator account must be known. See the Installation of vWorkspace chapter for further instructions. Network Storage Management Servers Quest vWorkspace integrates with NetApp FlexClone for VMware type virtual computer groups, making it easy to manage virtual desktops and increase performance. Through this integration you can: • Accelerate deployment and provisioning. • Eliminate duplicate data on virtual desktops, user directories, and backup and disaster recovery copies. • Reduce your total cost of ownership. Management Servers extend management functionality within the farm, as the vWorkspace Connection Broker passes commands and queries to them to be processed, thus leveraging the features of third party management servers from Microsoft and VMware, for example. In Quest vWorkspace, support for the following virtualization management servers is offered: VMware vCenter Server, Microsoft System Center Virtual Machine Manager, and Parallels Virtuozzo Containers (master nodes). 210 Virtualization Platform Integration Quest vWorkspace also integrates with Microsoft RD Session Host, Microsoft RD Connection Brokers and Hyper-V. This chapter describes those integrations, including features and integration processes. • Microsoft SCVMM Integration • vCenter Integration • Parallels Virtuozzo Containers Integration • RD Session Host Integration • RD Connection Broker Integration Management Servers Window Connections to management servers are configured using the Management Servers window. The Management Server option can be opened from the vWorkspace Management Console in one of the following ways: • Select the Management Server icon from the toolbar. • Select Action | Management Server from the toolbar. • Right-click on Locations and select Management Server. • Right-click on a specific location and select Management Server. If virtualization servers have not been defined, the Virtualization Server Wizard is presented so that a management server can be defined. After a management server has been defined, the Management Server window is opened when the Management Server option is selected. The following information is included on the Management Servers window. 211 vWorkspace Administration Guide New This option opens the Virtualization Server wizard so that new virtualization server connections can be added. Properties This option allows the vWorkspace administrator to make changes to the configuration of the selected virtualization server. Delete This option deletes the virtualization server’s record from the database. Test Connection This option allows you to test the connection to the server. Refresh This option updates the display list of virtualization server connection entries. Virtualization Servers Options Name The alias name of the management server. URL/Server Name The Uniform Resource Locator (URL) path or server name used by the Connection Broker to communicate with the virtualization server. 212 Virtualization Platform Integration Type The type of the management server is displayed in this column. The types are: • VMware vCenter Server • Microsoft SCVMM • Parallels Virtuozzo Network Storage Servers Options Name The alias name of the network storage server is displayed in this column. Type The type of management server. The type is: • NetApp Server The server IP address is displayed in this column. Use Default Credentials This column displays if the Use Default Credentials check box has been selected on the Credentials window for the network storage server. Add Management Servers How to ... • Add Virtualization Server Connections • Add Network Storage Servers Add Virtualization Server Connections The Virtualization Server wizard is used to add new entries to the virtualization server connections. Use the following information to complete the Virtualization Server wizard. 1. Open the vWorkspace Management Console and do one of the following: • Right-click on the Locations node, and then select Management Servers. • Select the Management Servers icon from the toolbar. • Right-click on a defined location, and then select Management Servers. If you have not previously added virtualization servers, the Virtualization Server wizard is presented. 213 vWorkspace Administration Guide If you have previously added virtualization servers, the Virtualization Servers window appears. To add a new virtualization server, click on the green plus sign (+), and the Virtualization Server wizard opens. 214 2. Click Next on the Virtualization Server Wizard Welcome window. 3. Enter the appropriate information on the Name and System Type window, and then click Next. Name Enter the friendly name that is used when referring to the virtualization server. System Type Select one of the virtualization server types. Virtualization Platform Integration 4. Enter the appropriate information on the Server & Credentials window, and then click Next. Server URL or SCVMM Server Name or IP address Enter the URL path to the virtualization server. For Microsoft SCVMM, enter the SCVMM server name or IP address. For VMware vCenter Server, the URL must be in the format: • https://servername or IP Address/sdk For Parallels Virtuozzo, the URL must be in the format: • https://servername:port 215 vWorkspace Administration Guide User Name Enter the name of a user account that has the required access permissions to the target server specified in the Server URL field. For a Windows domain account, use: DomainName\UserName Click the ellipsis to the right of this field, and the Select User window is presented. Password Enter the case sensitive password. The check mark to the right of the field is used to verify the entered credentials if the computer is part of the domain. Test Connection 5. Click to test the server connection. Enter the appropriate information on the Other Settings window, and then click Finish. The options presented on the Other Settings window are based upon the supported features of the System Type selected, so some options may be grayed out. 216 Shutdown Guest OS Use the list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time. Restart Guest OS Use the list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time. Update PNTools Use the list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time. Initialize Use the list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time. Power On Use the list to specify the number of virtual computer power on commands that can be sent to the virtualization server from the Connection Broker at one time. Virtualization Platform Integration Power Off Use the list to specify the number of virtual computer power off commands that can be sent to the virtualization server from the Connection Broker at one time. Suspend Use the list to specify the number of guest operation system suspend commands that can be sent to the virtualization server from the Connection Broker at one time. Resume Use the list to specify the number of guest operation system resume commands that can be sent to the virtualization server from the Connection Broker at one time. Reset Use the list to specify the number of guest operation system reset commands that can be sent to the virtualization server from the Connection Broker at one time. Delete Use the list to specify the number of delete virtual computer operations that can be sent to the virtualization server from the Connection Broker at one time. Clone Use the list to specify the number of clone virtual computer operations that can be sent to the virtualization server from the Connection Broker at one time. Note: The Clone option does not apply to Microsoft Hyper-V. Connection Timeout Use the list to specify the amount of time that the Connection Broker waits for a response from the virtualization server. Default option is 30 Seconds. For medium to large production environments where the virtualization server is busy, you may need to set the Connection Timeout to two or three minutes. Note: A Connection Timeout error does not necessarily mean that the task requested by the Connection Broker has failed. It may be that the virtualization server is too busy to report the successful completion of the operation in a timely manner. 217 vWorkspace Administration Guide Add Network Storage Servers 1. Open the vWorkspace Management Console and do one of the following: • Right-click on the Locations node, and then select Management Servers. • Select the Management Servers icon from the toolbar. • Right-click on a defined location, and then select Management Servers. If you have previously not added virtualization servers, the Virtualization Server wizard is presented. If you have previously added virtualization servers, the Virtualization Servers window appears. To add a new virtualization server, click on the green plus sign (+), and the Virtualization Server wizard opens. 218 2. Click Network Storage Servers, and then click New. 3. Click Next on the Welcome window of the Network Storage Server Wizard. 4. Enter a name for the new network storage server, and then click Next. Virtualization Platform Integration 5. Specify the System Type of the network storage server, and then enter the IP address for the network storage server. 6. Click Next on the Server window. 219 vWorkspace Administration Guide 7. Enter the credentials for this network storage server, and then click Finish. The Use Default Credentials option can be used if you have specified credentials on the Default Credentials window. Virtualization Hosts After a Virtualization Management server is defined, Virtualization Hosts must be added to support cloning operations and the creation of computer groups. Virtualization Hosts are the server platforms in which virtual machines reside. The following types of hosts can be added: • Microsoft Hyper-V hosts Microsoft Hyper-V hosts are added using the Hyper-V node under Virtualization hosts. Once Hyper-V hosts are added, the initialization process is started as well as the installation of the Data Collector and Hyper-V Catalyst components. If the Hyper-V host is removed from the console, the Data Collector and Hyper-V Catalyst components are automatically uninstalled. 220 Virtualization Platform Integration • Microsoft SCVMM host groups and clusters Microsoft SCVMM host groups or clusters must be added to the SCVMM node to enable the creation of SCVMM type computer groups. vWorkspace leverages features of SCVMM when hosting virtual desktops on Hyper-V to enable technologies such as clustering for Fault Tolerance and Live Migration. • VMware datacenters VMware datacenters are groupings of ESX or ESXi hosts and must be imported as objects in the vWorkspace database, just as SCVMM Host groups or Hyper-V hosts, before creating VMware type computer groups. • Parallels Virtuozzo independent and slave nodes Parallels Virtuozzo independent or slave nodes must be added to the Parallels node of the Management Console to enable the creation of Parallels type computer groups. vWorkspace utilizes Virtualization Management Servers when communicating with virtual machines managed by SCVMM, VMware vCenter or a Parallels Virtuozzo master node. To add a Virtualization Host for any of these platforms a Virtualization Management server must first be added to the vWorkspace farm. This can be done from the context menu of the Locations node, or by selecting Edit Virtualization Servers when adding a Virtualization Host. For Hyper-V hosts and Parallels Virtuozzo Independent Nodes, vWorkspace communicates directly with the Virtualization Host. Therefore, no additional management servers need to be defined when using these types of hosts. How to... Define SCVMM/VMware/Virtuozzo Slave Nodes System Types 1. Expand the Locations node in the vWorkspace Management Console. 2. Expand the location to which you want to add the virtualization host. 3. Expand the Virtualization Hosts node, and right-click on one of the following: SCVMM — Add host groups or clusters VMware — Add datacenters Parallels — Add a Virtuozzo slave nodes 4. Click Next on the Welcome window. 221 vWorkspace Administration Guide 5. Enter a descriptive name for the host, and then click Next. The system type is selected. 6. Do one of the following on the specified window: SCVMM Server window — If an SCVMM server has already been added as a Virtualization Management Server, select the appropriate SCVMM server, and then click Next. Click Edit Virtualization Servers if an SCVMM Virtualization Management Server needs to be added. VMware vCenter Server window — If a VMware vCenter server has already been added as a Virtualization Management Server, select the appropriate vCenter server, and then click Next. Click Edit Virtualization Servers if a VMware Virtualization Management Server needs to be added. Parallels Master Node window — If a Parallels Master Node has already been added as a Virtualization Management Server, select the appropriate Master node, and then click Next. Click Edit Virtualization Servers if a Virtuozzo Master Node Virtualization Management Server needs to be added. 7. Do one of the following based on the system type selected: SCVMM — Expand the SCVMM server and select a host group or cluster from the list. Click Finish. VMware — Select a datacenter from the list, and then click Finish. Parallels — Select a slave node from the list, and then click Finish. Define Hyper-V Hosts 1. 222 Expand the Locations node in the vWorkspace Management Console. 2. Expand the location to which you want to add the virtualization host. 3. Expand the Virtualization Hosts node, and right-click on Hyper-V — Add host. 4. Click Next on the Welcome window. 5. On the Root Node Credentials window, specify the credentials for the Hyper-V root node, and then click Next. 6. On the Hyper-V Host window, enter a name for the Hyper-V host that properly resolves to an IP address. Click the ellipse to browse for a host. Virtualization Platform Integration 7. Complete the following information on the Credentials window, as appropriate. a) Click Next to use default credentials. – OR – b) Select Override parent credentials to use separate credentials. Click Next after adding the user name and password for the new credentials. 8. On the Connection Load Balancing window, do one of the following: a) Click Next to accept the values inherited from the Hyper-V node (parent node). – OR – a) Select Override parent settings, and then select one of the following options: • Use the default load balancing rule. Click View to see the default load balancing rule. • Specify a custom load balancing rule Three load balancing rules are included with the vWorkspace installation. For more information on the rules or how to create them see Load Balancing. b) Click Next. 9. Do one of the following on the Provisioning Load Balancing window. a) Click Next to accept the values inherited from the Hyper-V node (parent node). – OR – a) Select Override parent settings, and then select one of the following options: • Use the default load balancing rule. Click View to see the default load balancing rule. • Specify a custom load balancing rule Three load balancing rules are included with the vWorkspace installation. For more information on the rules or how to create them see Load Balancing. 223 vWorkspace Administration Guide 10. Complete the settings on the Other Settings window, as appropriate, and then click Finish. Too many operations at once will cause the Virtualization host to perform poorly. The default value for all concurrent operations is five (5). For Hyper-V hosts the settings can be inherited from the parent Hyper-V node. • • • • • • • • • • • • Shutdown Guest OS Restart Guest OS Update PNTools Initialize Power On Power Off Suspend Resume Reset Delete Clone Connection Timeout Define Parallels Independent Hosts 1. Expand the Locations node in the vWorkspace Management Console. 2. Expand the location to which you want to add the virtualization host. 3. Expand the Virtualization Hosts node, and right-click on Parallels — Add independent Virtuozzo node. 4. Click Next on the Welcome window. 5. On the Parallels Name and System Type window, enter a descriptive name for the host, and then click Next. The system type is selected. 6. On the Parallels Server & Credentials window enter the name and the IP Address of the Virtuozzo independent node, and then enter a Virtuozzo administrative user account name and password. Click Next. 7. Complete the settings on the Other Settings window, as appropriate, and then click Finish. Too many operations at once will cause the Virtualization host to perform poorly. The default value for all concurrent operations is five (5). • • • • 224 Shutdown Guest OS Restart Guest OS Update PNTools Initialize Virtualization Platform Integration • • • • • • • • Power On Power Off Suspend Resume Reset Delete Clone Connection Timeout Microsoft Hyper-V Integration Quest vWorkspace communicates directly with Microsoft Hyper-V hypervisors to manage, provision, and optimize virtual machines hosted on Hyper-V. To do this, Quest has developed direct integration with the Hyper-V platform, as well as a set of unique tools called Hyper-V Catalyst. The Connection Broker communicates directly with Hyper-V hypervisors for provisioning, brokering, load balancing, and other management tasks. The integration with Hyper-V, along with Hyper-V Catalyst and other management options, provide support for Desktop Clouds. Below is a list of Hyper-V integrations. • vWorkspace Data Collector • Hyper-V Catalyst • Provision-time Load Balancing • Connection-time Load Balancing vWorkspace Data Collector The vWorkspace Data Collector communicates the following information to the Connection Broker. • Heartbeat • Performance metrics The Data Collector is pushed from the vWorkspace console to Hyper-V hosts once they have been added to the Virtualization Hosts node. This process is called initialization, which also installs the Hyper-V Catalyst components. 225 vWorkspace Administration Guide Hyper-V Catalyst Hyper-V Catalyst is a set of tools that increases the scalability and performance of virtual machines on Hyper-V Hosts. HyperCache — Provides read IOPS savings and improves virtual desktop performance through selective RAM caching of parent VHDs. This is achieved through the following: • Read requests to the parent VHD are directed to the parent VHD cache. • Requested data that is not in cache is obtained from disk and then copied into the parent VHD cache. • Child VMs requesting the same data find it in the parent VHD cache, which provides a faster virtual desktop experience. • Requests are processed until the parent VHD cache is full. The default size is 800 MB, but can be changed through the Hyper-V virtualization host property. The HyperCache Report details HyperCache statistics, such as data cached and read requests cached. The HyperCache report is available by doing the following: 1. From the vWorkspace Management Console, expand Locations and then the Location of the Hyper-V group. 2. Expand Virtualization Hosts. 3. Expand Hyper-V Hosts, if appropriate. 4. Select the Hyper-V group, and then click on the Parent VHDs tab in the lower right-side pane. 5. Click HyperCache Report. HyperDeploy — Manages parent VHD deployment to relevant Hyper-V hosts and enables instant cloning of Hyper-V virtual machines. HyperDeploy uses the following techniques to minimize time to deploy of a virtual machine. • Smart copying that only copies to the Hyper-V hosts the parent VHD data that is needed. • Instant provisioning allows the child VHDs to be cloned while the parent VHD is still being copied to the Hyper-V host. HyperDeploy is a core component and requires no configuration. 226 Virtualization Platform Integration Provision-time Load Balancing Provision-time load balancing distributes virtual machines across Hyper-V hypervisors during cloning operations. See Load Balancing for more information. Connection-time Load Balancing Connection-time load balancing distributes user connection requests to a managed computer on the least busy Hyper-V hypervisor. See Load Balancing for more information. Hyper-V Host Context Menu The following options are available from the context menu (right-click) of a Hyper-V host in the vWorkspace Management Console by doing the following: 1. From the vWorkspace Management Console, expand Locations. 2. Select and expand the location node where the Hyper-V host resides. 3. Expand the Virtualization Hosts node. 4. Expand the Hyper-V node, and then right-click on the appropriate Hyper-V host. The following options are presented: • Disable provisioning — Disables provisioning of virtual machines to this host. Is also referred to as removing the host from the cloud. • Remove — Removes the host from the console that causes the Data Collector and Hyper-V Catalyst components to uninstall. • Properties — Controls settings for the Hyper-V host. • Initialize — Checks and, if needed, updates the Data Collector and Hyper-V Catalyst components on the Hyper-V Host. Hyper-V Host Properties This section describes the Volumes and Parent VHD Settings of a Hyper-V Host. For information on the Credentials, Connection Load Balancing, Provisioning Load Balancing, and Other Settings refer to the Virtualization Hosts section. 227 vWorkspace Administration Guide The properties of a Hyper-V host are displayed when Properties is selected from the context menu of a Hyper-V host. The properties of a Hyper-V host are listed in the following table. HYPER-V HOST PROPERTY DESCRIPTION Click Volumes The Volumes dialogue displays the local volumes of the Hyper-V host and allows for the specification of placement volumes. There are two types of volumes: • Template - used to store parent VHDs and there can be only one template volume per host. • Placement - used to store virtual machines. Multiple volumes can be selected and virtual machines are distributed across them based on the available space of the volume. Volume List This property displays volumes, volume type assignment Priority, Free space and Capacity. Selecting the Priority field displays a drop-down arrow, used to change the priority to one of the following: • Normal • Medium • High • Maximum Click Parent VHD Parent VHD settings control caching of Parent VHDs. The global default setting is set from the Hyper-V Settings dialogue of the Locations properties. • To prevent caching on newly created parent VHDs, click Disable caching for new parent VHDs. • To disable caching on an individual basis, click the Caching field for a Parent VHD and select disabled from the drop-down box. • To set the cache size for each parent VHD, click the Cache Size (MB) field for a parent VHD, then click the ellipse and set the new size. 228 Virtualization Platform Integration Desktop Cloud Maintenance The Desktop Cloud Maintenance settings are used to maintain your desktop clouds. When using the setting Maintenance mode on, you can maintain templates, clear out VMs, and delete the cloud. The Desktop Cloud Maintenance window can be opened by doing one of the following: • Right-click on the desktop cloud group, and then select Cloud maintenance. • Highlight the desktop cloud group, and use the Actions menu’s Cloud maintenance setting. • Highlight the desktop cloud group, and select Cloud maintenance from the right-side pane. When maintenance mode is turned on, auto-size is disabled and new connections are not accepted. The option Drain the desktop cloud(s) can be used to delete all of the computers in the specified cloud that are not in use and are not persistently assigned. Once you have completed cloud maintenance, you need to turn maintenance mode off by selecting Maintenance mode off from the Desktop Cloud Maintenance window. 229 vWorkspace Administration Guide Add Computers Add Computers to a Hyper-v Computer group 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard. – OR – b) Select the computer group from the vWorkspace Management Console and do one of the following: • Right-click on the managed computer group and select Add Computers. • Select the Add Computers icon from the navigation pane toolbar. • Select Add Computers from the Actions menu on the navigation pane. • Select Add Computers from the Actions menu on the information pane of the datacenter. 2. Click Next on the Welcome window of the Add Computers Wizard. 3. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. 4. On the Add Computers Template window, select the template that will be used to create virtual machine clones. and click Next. a) Click Import to import new templates from the Hyper-V host(s).(this will launch the Import Templates wizard) b) Click Update to check for newer versions of the existing templates. c) Click Remove to remove the highlighted template from the list. 5. On the Host Options window, select one of the two options below and click Next: a) All Hosts - New virtual machines created in the computer group will be distributed across all Hyper-V virtualization hosts defined for the location. b) Selected Hosts - New virtual machines created in the computer group will be distributed across selected hosts only. 230 Virtualization Platform Integration 6. On the Hosts window, select the Hyper-V hosts where virtual machines will be distributed and click Next. If All Hosts is selected in the previous window, the option to select a host will be grayed out. a) Click Distribution to set the distribution logic for the clone operation. b) Click Add Hosts to launch the Hyper-v host Wizard. 7. Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window. If Specify the base name is selected, do the following: a) Type the text string in the Base Name field. b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate. 8. Click Next. 9. On the Customize Operating System window, do one of the following, and then click Next: a) To use the operating system customization tools, select Specify operating system customizations. The computers in this group will be powered on after they are created. b) To create a new customization, select a customization from the list, or click New. See Operating System Customizations for more information. c) To not use Microsoft System Preparation tools, select Do not specify operating system customizations. The desktops in this group will not be powered on after they are created. 10. On the Configure Computers window, click the Video Adapter tab, and do one of the following: a) To use the template, select Use template settings. b) To use the standard adapter, select Standard video adapter. 231 vWorkspace Administration Guide c) To use the Microsoft RemoteFX 3D video adapter, select Microsoft RemoteFX 3D video adapter. Select a value for maximum number of monitors from the Maximum number of monitors field and select a value for Maximum monitor resolution from the Maximum monitor resolution field. 11. On the Configure Computers window, click the Memory tab, and do one of the following: a) To use the template, select Use template settings. b) To use static memory, select Static memory. Select a value for virtual machine memory from the Virtual machine memory field. c) To use Dynamic memory, select Dynamic memory. Select a value for startup memory from the Startup memory field, select a value for maximum memory from the Maximum memory field, and select a value for memory buffer percentage from the Memory buffer (%) field. 12. On the Configure Computers window, click the Network Adaptor tab, do one of the following, and then click Next: a) To use the template settings for the virtual network name, select Use template settings. To specify a network name select Specify network name, and type the appropriate name in the Network Name input field. b) To use the VLAN ID from the settings of the template, select Use Template settings under Virtual LAN Identification. Select Disable VLAN ID to disable the use of VLANS for the cloned virtual machines in this operation. To enable a custom VLAN ID, select Enable VLAN ID and type the appropriate VLAN ID number in the VLAN ID input field (supported values 1- 4094). 13. Select either Now or At a specific time (and enter a date and time) on the Options window, and then click Next. 14. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops. Red text is displayed to remind administrators not to create more virtual computers than their infrastructure is designed to support. 232 Virtualization Platform Integration Microsoft SCVMM Integration vWorkspace is integrated with Microsoft System Center Virtual Machine Manager (SCVMM) to provide management functionality to Hyper-V virtual computers. The following Microsoft SCVMM integrated features are available in vWorkspace: • Import Host Groups from SCVMM. • Manage virtual computer power states. • Use SCVMM Intelligent Placement to automate desktop and server provisioning using templates. • Customize guest Microsoft Windows operating system. • Distribute managed desktops across multiple storage locations. • Import existing computers from SCVMM to an existing computer group. • Managed computers that are members of SCVMM enabled Host Groups are considered to be power managed computers. This means that the power state can be changed, either automatically by the Connection Broker or manually by an administrator, using the vWorkspace Management Console. Connect to Microsoft SCVMM The vWorkspace Connection Broker needs to communicate with Microsoft SCVMM before computers running as virtual computers can be managed using vWorkspace. The following conditions must be met before this communication occurs. • Microsoft SCVMM Integration component needs to be installed on the Quest vWorkspace Connection Brokers. • Communication parameters for each Microsoft SCVMM server must be added to the vWorkspace database. See Add Virtualization Server Connections for instructions. In order to configure a Microsoft SCVMM server, the administrator must have VMM Administrator credentials. • Quest vWorkspace Broker Helper Service needs to be installed on the Microsoft SCVMM server. 233 vWorkspace Administration Guide Microsoft Differencing Disks The Add Computers wizard can be used to create, add, and manage Microsoft differencing disks computers through the vWorkspace Management Console. Microsoft differencing disks are virtual hard disks that can be used to isolate changes to a virtual hard disk or guest operating systems by storing them in a separate file. The virtual hard disk is referred to as the parent disk, and the differencing disk is the child disk. You are also able to reprovision the clone, which enables administrators to change a virtual computer to a clone of a new snapshot after the parent has been updated or patched. Reprovision Computers The vWorkspace Management Console Reprovision Computers option allows for SCVMM clones to be reprovisioned based upon administrator settings. The Reprovision Computers option is available from one of the following ways: • Right-clicking on the SCVMM desktop group. • Selecting computers from the information pane, and then selecting Reprovision Computers from the Action menu options. • Selecting computers from the information pane, and then selecting Reprovision Computers from the context menu options of the selected computer. • Selecting the SCVMM desktop group, selecting Properties from the context menu options, selecting Task Automation from the Computer Group Properties window, then selecting the New button on the Task Automation window. In the Automated Task Wizard, name the new task, then select Reprovision from the Task list. Set the task parameters in the Task Parameters window, then set the schedule and finish. Apply the task in the Automated Task Wizard. For more information, see Schedule Tasks using the Automated Task Wizard. Once the Reprovision Computers option is selected, the Reprovision Computer window opens. The options on this window allow you to set the action to be performed by clone type. You can also select for reprovisioning to occur once users have logged off. 234 Virtualization Platform Integration The Clone Types, which represent the type of clones for virtual computers of the selected desktop group, are: • Standard Clones • Differencing Disks Clones The Reprovisioning Using options are: • Existing Parent VHD — This option reprovisions the computer using the stated virtual hard disk. • New Parent VHD — This option reprovisions the computer using a different virtual hard disk than the one used to create the clone. • Do Not Reprovision — This option does not reprovision the computer. Add Computers For SCVMM type computer groups, there are two different clone methods that can be used: • Standard — Using this method, each virtual computer becomes a complete, independent copy of the original template. 235 vWorkspace Administration Guide • Rapid Provisioning — This method uses differencing disks to create virtual computers with minimal overhead and reduced storage space. How to ... • Add Computers using Standard Clone Method • Add Computers using Rapid Provisioning Clone Method Add Computers using Standard Clone Method 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard. – OR – b) Select the computer group from the vWorkspace Management Console and do one of the following: 236 • Right-click on the managed computer group and select Add Computers. • Select the Add Computers icon from the navigation pane toolbar. Virtualization Platform Integration • Select Add Computers from the Actions menu on the navigation pane. • Select Add Computers from the Actions menu on the information pane of the datacenter. 2. Click Next on the Welcome window of the Add Computers Wizard. 3. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. 4. Select Standard as the clone method that is to be used when adding computers to this group on the Clone Method window, and then click Next. 237 vWorkspace Administration Guide 5. Select a Microsoft SCVMM server and the host group or cluster, as appropriate, on the Host Groups & Clusters window. Click Next. 6. Select a template from the list on the Template window, and then click Next. If there are no templates listed, or to update the list, click Import. 7. Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window. If Specify the base name is selected, do the following: a) Type the text string in the Base Name field. b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate. 238 Virtualization Platform Integration 8. Click Next. 9. On the Customize Operating System window, do one of the following, and then click Next: a) To use the operating system customization tools, select Specify operating system customizations. The computers in this group will be powered on after they are created. b) Select a customization from the list, or click New to create a new customization. See Operating System Customizations for more information. c) To not use Microsoft System Preparation tools, select Do not specify operating system customizations. The desktops in this group will not be powered on after they are created. 10. On the Configure Computers window, click the Video Adapter tab, and do one of the following: a) To use the template, select Use template settings. b) To use the standard adapter, select Standard video adapter. c) To use the Microsoft RemoteFX 3D video adapter, select Microsoft RemoteFX 3D video adapter. Select a value for maximum number of monitors from the Maximum number of monitors field and select a value for Maximum monitor resolution from the Maximum monitor resolution field. 11. On the Configure Computers window, click the Memory tab, and do one of the following: a) To use the template, select Use template settings. b) To use static memory, select Static memory. Select a value for virtual machine memory from the Virtual machine memory field. c) To use Dynamic memory, select Dynamic memory. Select a value for startup memory from the Startup memory field, select a value for maximum memory from the Maximum memory field, and select a value for memory buffer percentage from the Memory buffer (%) field. 12. On the Configure Computers window, click the Memory Priority tab, perform one of the following, and then click Next: a) To use the template, select Use template settings. b) To allocate dynamic memory resources, select one of the High, Medium, Low, or Custom buttons. If Custom is selected, select a value for memory priority in the Custom field. 13. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next. 239 vWorkspace Administration Guide 14. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops. Red text is displayed to remind administrators not to create more virtual computers than their infrastructure is designed to support. Add Computers using Rapid Provisioning Clone Method 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard. – OR – b) Select the computer group from the vWorkspace Management Console and do one of the following: 240 • Right-click on the managed computer group and select Add Computers. • Select the Add Computers icon from the navigation pane toolbar. • Select Add Computers from the Actions menu on the navigation pane. • Select Add Computers from the Actions menu on the information pane of the datacenter. 2. Click Next on the Welcome window of the Add Computers Wizard. 3. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. 4. Select Rapid Provisioning on the Clone Method window as the clone method that is to be used when adding computers to this group. Click Next. 5. On the Add Computers Parent Virtual Hard Disk window, click New to create a new parent virtual hard disk. Virtualization Platform Integration 6. The Parent Virtual Hard Disk Wizard displays. Click Next on the Welcome window. a) Select the SCVMM server where the template that is to be used to create the parent virtual hard disk resides. Click Next. b) Select the template that is to be used for the parent virtual hard disk. You may need to click Import. c) Click Next. d) Select the host group or cluster that is to be used for the parent virtual hard disk, and then click Next. e) Select the volume on to which the parent virtual hard disk file is to be stored. Click Next. f) Enter a description for the parent virtual hard disk. This is an optional step. g) Click Finish. You are returned to the Add Computers wizard. 7. Select the volume or volumes on to which the computers should be created. You may need to click Import to refresh the list. Click Next. 241 vWorkspace Administration Guide 8. Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window. If Specify the base name is selected, do the following: a) Type the text string in the Base Name field. b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate. 9. Click Next. 10. On the Customize Operating System window, do one of the following, and then click Next: a) To use the operating system customization tools, select Specify operating system customizations. The computers in this group will be powered on after they are created. b) To create a new customization, click New, or select a customization from the list. See Operating System Customizations for more information. c) To not use Microsoft System Preparation tools, select Do not specify operating system customizations. The desktops in this group will not be powered on after they are created. 11. On the Configure Computers window, click the Video Adapter tab, and do one of the following: a) To use the template, select Use template settings. b) To use the standard adapter, select Standard video adapter. c) To use the Microsoft RemoteFX 3D video adapter, select Microsoft RemoteFX 3D video adapter. Select a value for maximum number of monitors from the Maximum number of monitors field and select a value for Maximum monitor resolution from the Maximum monitor resolution field. 242 Virtualization Platform Integration 12. On the Configure Computers window, click the Memory tab, and do one of the following: a) To use the template, select Use template settings. b) To use static memory, select Static memory. Select a value for virtual machine memory from the Virtual machine memory field. c) To use Dynamic memory, select Dynamic memory. Select a value for startup memory from the Startup memory field, select a value for maximum memory from the Maximum memory field, and select a value for memory buffer percentage from the Memory buffer (%) field. 13. On the Configure Computers window, click the Memory Priority tab, do one of the following, and then click Next: a) To use the template, select Use template settings. b) To allocate dynamic memory resources, select one of the High, Medium, Low, or Custom buttons. If Custom is selected, select a value for memory priority in the Custom field. 14. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next. 15. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops. Red text is displayed to remind administrators not to create more virtual computers than their infrastructure is designed to support. Video Adapter and Static/Dynamic Memory Microsoft SCVMM virtual computers can be reconfigured for Microsoft RemoteFX or regular RDP (via video adapter) and static or dynamic memory settings from the vWorkspace Management Console. To reconfigure the video adapter and static/dynamic memory for an individual computer, do one of the following: • Set the options on the Configuration window of the Computer Properties wizard. This window can be opened by selecting Properties for a computer, or when creating a new computer. 243 vWorkspace Administration Guide • Highlight the computer group in the navigation pane, and then click on the Summary tab in the information pane. Select Actions | Reconfigure. • Highlight the computer group in the navigation pane, and then click on the Computers tab in the information pane. Right-click on the computer and select Reconfigure from the context menu. • Set the Logoff Action properties of the Computer Properties wizard for the computer, as appropriate. The Logoff Action property, if enabled, resets the computer when a user logs off. See Managed Computers for more information. To reconfigure the video adapter and static/dynamic memory for a computer group, do one of the following: • Right-click on the computer group in the navigation pane, and then select Reconfigure Computers. • Highlight Desktops, and then select the Groups tab. Select Actions | Reconfigure Computers. • Highlight the computer group in the navigation pane and click on the Summary tab in the information pane. Select Actions | Reconfigure Computers. • 244 Set the Logoff Action properties for the computer group, as appropriate. The Logoff Action property, if enabled, resets the computers in the group when users log off. See Computer Groups for more information. Virtualization Platform Integration How to... Reconfigure Microsoft SCVMM Computers 1. Navigate to the Reconfigure Computers window. 2. On the Video Adapter tab, do the following: a) Enable the Reconfigure Video Adapter checkbox. b) Select either the Standard Video adapter or the Microsoft Remote FX 3D video adapter option. If you selected Microsoft Remote FX 3D video adapter, you must also set a Maximum number of monitors and a Maximum monitor resolution. 245 vWorkspace Administration Guide 3. On the Memory tab of the Reconfigure Computers window, do the following: a) Enable Reconfigure memory checkbox. b) Select one of the following: Static memory — If you selected this option, set a value for the Virtual machine inventory. Dynamic memory — If you selected this option, set values for Startup memory, Maximum memory, and Memory buffer (%). 4. On the Memory Priority tab of the Reconfigure Computers window, do the following: a) Select the Reconfigure memory priority checkbox. b) Select either High, Medium, Low, or Custom values to further define memory priority. c) Enable the Wait for users to log off before reconfiguring the computer checkbox and 246 Virtualization Platform Integration 5. Click OK to save your selections. Hyper-V Broker Helper Service To enable this support, the Hyper-V Broker Helper Service must be installed on each Hyper-V server. The Connection Broker delegates to the Broker Helper Service the responsibility of executing various administrative tasks on the Hyper-V server where it is running. Such tasks include the enumeration and power management of virtual computers. In order for the Connection Broker to communicate with the Broker Helper Service, the Microsoft .NET Framework must be installed on both computers. Refer to the vWorkspace System Requirements Guide for information on the version required for Microsoft .NET Framework. vCenter Integration The following VMware integrated features are available in vWorkspace: • Import Datacenters. • Manage virtual computer power states. • Automated desktop and server provisioning using VMware vCenter templates. • Guest Windows OS customization. 247 vWorkspace Administration Guide • Distribute managed computers and servers across multiple resource pools and datastores. • Configure memory and disk persistence. Rapid Provisioning The Rapid Provisioning option, in the Add Computers wizard of a computer group, can be used to clone a VMware virtual computer quickly while reducing storage space. This can be achieved by using the NetApp FlexClone technology on a storage server or through VMware Linked Clones. This option is available on the Add Computers wizard, Clone Method window. Before importing templates when using the NetApp FlexClone Rapid Provisioning option, the templates must be on the NetApp storage server and the template’s virtual disks need to be in the same directory. NetApp FlexClone To enable vWorkspace Connection Brokers to work with network storage servers, your NetApp servers must be added using the Network Storage Servers wizard in the vWorkspace Management Console. 248 Virtualization Platform Integration Requirements The following are requirements for the integration of vWorkspace and NetApp storage for VMware type virtual computers. • vWorkspace version that is currently fully supported. • NetApp Storage Controller needs to be the virtual computer’s datastore. • NetApp Storage Controller version needs to be Data ONTAP version 7.3.1 or later. • NetApp NFS and FlexClone licenses need to be enabled for the controller. • Virtual computer templates, when using the Rapid Provisioning option, must be on the NetApp storage server and the template’s virtual disks need to be in the same directory. • Refer to NetApp documentation for specific information about their requirements. Implementation After you have met all of the requirements, complete the following list of implementation procedures. • VMware vCenter network and the NetApp network needs to be setup. Review the documentation from NetApp for this integration information. • VMkernel ports need to be added on ESX servers. • Create a large flex volume on NetApp for NFS share. • Create a NFS export on the NetApp storage server, and then the ESX VMkernel ports IP addresses need to be added to the NFS root access IP addresses. • Add the NFS datastore of the NetApp NFS export to the VMware vCenter and it needs to be defined with an IP address, not a FQDN host name. • Write a file or folder to the datastore of the vCenter to verify the write permission. If it fails, verify the VMkernel IP addresses and NFS root IP addresses are correct. 249 vWorkspace Administration Guide • Create or clone a virtual computer as a golden image on the NFS datastore through the vCenter. • Convert the virtual computer to a VM template. • Complete the vWorkspace import procedure as outlined in Add Network Storage Servers. VMware Linked Clones VMware Linked Clones are copies of virtual computers that share virtual disks with a parent virtual computer. Linked Clones are created from a snapshot of the parent computer. However, changes made to the parent computer or the linked clone computer do not affect each other; the linked clone is a clone of the parent computer at the time that it is created. Linked clones need to be able to access their parent computer, and are disabled if they cannot access their parent computer. You are also able to reprovision the linked clone. Administrators can redeploy a user’s virtual computer from a new linked clone snapshot after the parent VM has been updated or patched. A parent VM might need to be unlocked, for example, when a parent VM is removed from the vWorkspace Management Console for editing. You can unlock the template by right-clicking it and selecting Unlock VM. 250 Virtualization Platform Integration You can complete the unlock process two different ways: by using the Add Computers wizard or through the computer Reprovision settings. • Add Computer wizard — Right-click on the desktop group for the computer, and then select Add Computers. Click Next on the Welcome window, and then select Parent Virtual Machine. Right-click on the parent virtual machine and select Unlock VM. 251 vWorkspace Administration Guide • Reprovision settings — Select the computer from the vWorkspace Management Console. Right-click and select the Reprovision option. On the Reprovision Computers window, select New Snapshot for the VMware Linked Clones option, and then click the ellipsis. Right-click on the parent virtual machine and select Unlock VM. VMware Linked Clone Setup VMware linked clone desktops can be deployed to any datastore. Performance of provisioned linked clones might be increased when using a different datastore than the datastore where the parent virtual computer is hosted. It is important to note that the datastores are not validated from the vCenter servers, therefore administrators must be sure that each host has access to that shared datastore. See Add Computers using the VMware Linked Clone Method for more information on using the Add Computers wizard to create VMware Linked Clones. 252 Virtualization Platform Integration VMware vNetwork Distributed Switch In VMware environments, linked clones can be configured to use vNetwork Distributed Switches (vDS). VMware Linked Clones and NetApp FlexClones configured to use vDS are supported in a vWorkspace environment. When configuring VMware vCenter, before starting linked clones (both VMware Linked Clones and NetApp FlexClones) that will connect to vDS, you need to note the following: • The vDS port group needs to be configured as Ephemeral- no binding, per the VMware Knowledge Base article, 1021193, before any VMs are connected to it. • The parent VM needs to be configured to connect to a vDS port group. Refer to VMware product documentation for more information on vNetwork Distributed Switches (vDS). Reprovision Computers The vWorkspace Management Console, Reprovision Computers option, allows for VMware clones to be reprovisioned based on administrator settings. To reprovision VMware clones, do one of the following: • Right-click on the VMware desktop group and select Reprovision. • Select computers from the information pane, and then select Reprovision Computers from the Actions menu options. • Select computers from the information pane, and then select Reprovision from the context menu of the selected computers. 253 vWorkspace Administration Guide Once the Reprovision Computers option is selected, the Reprovision Computers window opens. The options of this window allow you to set the action that is to be performed by clone type. You can also select for reprovisioning to be completed once users have logged off. 254 Virtualization Platform Integration The Clone Types, which represent the types of VMware virtual computers for the selected desktop group, are: • Standard Clones • NetApp FlexClones • VMware Linked Clones • Unknown Clone Type The Reprovisioning Using options are: • Existing Template — This option reprovisions the computer using the stated template or snapshot. • New Template — This option reprovisions the computer using a different template or snapshot than the one used to create the clone. • Do Not Reprovision — This option does not reprovision the computer. The ellipsis button is used to browse for the appropriate template or snapshot for the specified clone. If you are using the reprovision functionality, it is recommended that you install PNTools onto your VMware templates that are being used for reprovisioning. 255 vWorkspace Administration Guide Disk Persistence and Memory VMware virtual computers can be configured for disk persistence and memory from the vWorkspace Management Console. Disk persistence and memory is configurable for individual computers, as well as computer groups. There are three virtual disk modes available: • Persistent • Independent and Persistent • Independent and Nonpersistent To configure disk persistence and memory for an individual computer, do one of the following: • Set the options on the Configuration window of the Computer Properties wizard. This window can be opened by selecting Properties for a computer, or when creating a new computer. • Highlight the computer group in the navigation pane, and then click on the Summary tab in the information pane. Select Actions | Reconfigure. 256 Virtualization Platform Integration • Highlight the computer group in the navigation pane, and then click on the Computers tab in the information pane. Right-click on the computer and select Reconfigure from the context menu. • Set the Logoff Action properties of the Computer Properties wizard for the computer, as appropriate. The Logoff Action property, if enabled, resets the computer when a user logs off. See Managed Computers for more information. To configure disk persistence and memory for a computer group, do one of the following: • Right-click on the computer group in the navigation pane, and then select Reconfigure Computers. • Highlight Desktops, and then select the Groups tab. Select Actions | Reconfigure Computers. • Highlight the computer group in the navigation pane and click on the Summary tab in the information pane. Select Actions | Reconfigure Computers. • Set the Logoff Action properties for the computer group, as appropriate. The Logoff Action property, if enabled, resets the computers in the group when users log off. See Computer Groups for more information. Upgrading and Changing Nonpersistent Disks If you have set your VM disks to be nonpersistent disks, use the following process if you need to upgrade or make any other changes to them. 1. Open the Configuration section in the properties of a virtual machine. 2. From the Virtual Disk tab, highlight the intended virtual disk and click Reconfigure. 257 vWorkspace Administration Guide 3. Change the disk configuration for the virtual computer to Independent and Persistent. If the Independent check box is not selected, any changes you make are lost after the next logoff or reset of the virtual computer. 4. Apply the upgrade or make any other necessary changes. 5. Change the disk configuration for the virtual computer back to Independent and Nonpersistent. Computer Groups Computer groups are containers of desktops that can be managed together. The following computer groups properties are associated with VMware vCenter Server. VMware customizations, available from the Managed Computer Group wizard, enable administrators to specify items such as where new computers are stored and how they are named. The following customization settings can be specified for each managed computer group that belongs to a VMware type data center. VMWARE CUSTOMIZATION SETTING DESCRIPTION Template Indicates the name of the virtual computer template in the vCenter inventory that is used when adding new managed computers to the group. Folder Indicates the name of the folder in the vCenter inventory where newly created managed desktop computers are located. 258 Virtualization Platform Integration VMWARE CUSTOMIZATION SETTING Datastore Distribution Method DESCRIPTION Specifies how newly created managed virtual computers are distributed among the available datastores in vCenter. The options are: • Equal — The desktops are distributed equally across the selected datastores. • Free Space — The desktops are distributed across the selected datastores proportion to the available free space on the datastores. • Weighted — The desktops are distributed across the selected datastores based on the percentages specified. • Manual — The desktops to be created are specified for each datastore. Resource Pools/Datastore(s) Indicates the names of the Resource Pools and Datastores and the allocation percentages of the vCenter inventory selected for storage of newly created managed computers within this group. Naming Conventions Base Name — Indicates the base name that is used when constructing the Windows computer name that is assigned to the newly created managed desktop computers added to the group. Base Name Start Value — Indicates the starting numeric value that is added to the base name when constructing the Windows computer name that is assigned to the newly created managed desktop computers added to the group. Base Name Increment — Indicates the numeric value by which subsequent Windows computer names are incremented when new managed desktop computers are added to the group. Re-use Names — Indicates whether previously generated Windows computer names can be reused if the managed desktop computer has been deleted. Configure Memory Specifies the memory configuration used with this computer group. Configure Disk Specifies how the disk is configured for this computer group. 259 vWorkspace Administration Guide Add Computers For VMware type computer groups, there are three different clone methods that can be used: • Standard — Using this method, each virtual computer becomes a complete, independent copy of the original template. • Rapid Provisioning NetApp FlexClone — Using this method, you can clone a VMware virtual computer quickly, and can assist in saving storage space by using the NetApp FlexClone technology on a storage server. • Rapid Provisioning VMware Linked Clone — Using this method, you can create a clone from a snapshot of a parent VM. Changes to the disks of either the linked clone or the parent do not affect each other. How to ... 260 • Add Computers using the Standard Clone Method • Add Computer using the NetApp FlexClone Method • Add Computers using the VMware Linked Clone Method Virtualization Platform Integration Add Computers using the Standard Clone Method 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard. – OR – b) Select the computer group from the vWorkspace Management Console and do one of the following: • Right-click on the managed computer group and select Add Computers. • Select the Add Computers icon from the navigation pane toolbar. • Select Add Computers from the Actions menu on the navigation pane. • Select Add Computers from the Actions menu on the information pane of the datacenter. 2. Click Next on the Welcome window of the Add Computers Wizard. 3. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. 4. On the Clone method window, select Standard as the clone method, and then click Next. 5. Select a template from the list on the Template window, and click Next. If there are no templates listed or to update the list, click Import. 6. Select a folder in which the new computers are placed on the Folder window, and click Next. If the list is empty or to update the list, click Import. 7. Select one or more resource pools and datastores on the Resource Pools/Datastores window. This is where the virtual computer disk files are to be stored. If the list is empty or to update the list, click Import. a) To change the distribution method, click the Distribution button on the toolbar above the list of datastores. Complete the information on the Datastore Distribution Method window as appropriate. b) Click Next. 261 vWorkspace Administration Guide 8. Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window. If Specify the base name is selected, do the following: a) Type the text string in the Base Name field. b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate. 9. Click Next. 10. On the Customize Operating System window, do one of the following, and then click Next: a) To use Microsoft System Preparation tools, select Specify operating system customizations. The computers in this group will be powered on after they are created. b) Select a customization from the list, or click New to create a new customization. See Create Operating System Customizations Windows XP/2003 or Create Operating System Customizations Vista/Win7/Server2008 for more information. c) To not use Microsoft System Preparation tools, select Do not specify operating system customizations. The desktops in this group will not be powered on after they are created. 11. Select the check box to reconfigure the computer’s memory and disk persistence after the cloning on the Configure Computers window, if appropriate, then do the following: a) Select Reconfigure Memory, and move the slider or enter a number to adjust for the memory value. b) Select Wait for users to log off before reconfiguring the computer, if appropriate. 262 Virtualization Platform Integration c) Select the Virtual Disks tab, and select Reconfigure Virtual Disks, and select First disk only or All disks. Select the Disk Mode, and set it to one of the following: •Persistent •Independent and Persistent •Independent and Nonpersistent 12. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next. 13. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops. Red text is displayed as a reminder to administrators to not create more virtual computers than their infrastructure is designed to support. Add Computer using the NetApp FlexClone Method 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard. – OR – b) Select the computer group from the vWorkspace Management Console and do one of the following: • Right-click on the managed computer group and select Add Computers. • Select the Add Computers icon from the navigation pane toolbar. • Select Add Computers from the Actions menu on the navigation pane. • Select Add Computers from the Actions menu on the information pane of the datacenter. 2. Click Next on the Welcome window of the Add Computers Wizard. 3. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. 263 vWorkspace Administration Guide 4. On the Clone method window, select Rapid Provisioning NetApp FlexClone as the clone method, and then click Next. 5. Select a template from the list on the Template window, and click Next. If there are no templates listed or to update the list, click Import. If your network storage servers have been set up, the templates from your network storage servers are displayed. If you are creating more than 15 VMware NetApp clones, a warning dialog window is displayed as a reminder to administrators to not create more virtual computers than their infrastructure is designed to support. Before importing templates when using the Rapid Provisioning option, the templates must be on the NetApp storage server and the template’s virtual disks need to be in the same directory. 6. Select a folder in which the new computers are placed on the Folder window, and click Next. If the list is empty or to update the list, click Import. 7. Select one or more resource pools and datastores on the Resource Pools/Datastores window. This is where the virtual computer disk files are to be stored. If the list is empty or to update the list, click Import. a) To change the distribution method, click the Distribution button on the toolbar above the list of datastores. Complete the information on the Datastore Distribution Method window as appropriate. b) Click Next. 8. Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window. If Specify the base name is selected, do the following: a) Type the text string in the Base Name field. b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. 264 Virtualization Platform Integration If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate. 9. Click Next. 10. On the Customize Operating System window, do one of the following, and then click Next: a) To use Microsoft System Preparation tools, select Specify operating system customizations. The computers in this group will be powered on after they are created. b) Select a customization from the list, or click New to create a new customization. See Create Operating System Customizations Windows XP/2003 or Create Operating System Customizations Vista/Win7/Server2008 for more information. c) To not use Microsoft System Preparation tools, select Do not specify operating system customizations. The desktops in this group will not be powered on after they are created. 11. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next. 12. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops. Red text is displayed as a reminder to administrators not to create more virtual computers than their infrastructure is designed to support. 265 vWorkspace Administration Guide Add Computers using the VMware Linked Clone Method 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard. – OR – b) Select the computer group from the vWorkspace Management Console and do one of the following: 266 • Right-click on the managed computer group and select Add Computers. • Select the Add Computers icon from the navigation pane toolbar. • Select Add Computers from the Actions menu on the navigation pane. • Select Add Computers from the Actions menu on the information pane of the datacenter. 2. Click Next on the Welcome window of the Add Computers Wizard. 3. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. 4. On the Clone method window, select Rapid Provisioning VMware Linked Clone as the clone method, and then click Next. Virtualization Platform Integration 5. Click Import, on the Parent Virtual Machine window, to import the parent virtual machines. The Import/Refresh Parent Virtual Machines wizard opens. 267 vWorkspace Administration Guide 6. 268 Specify the tasks that are to be performed on the Options window of Import/Refresh Parent Virtual Machines, and then click Next. • Import parent virtual machines. • Remove orphaned parent virtual machines. 7. On the Inventory window, select one or more virtual computers that are to be imported or updated, and then click Finish. 8. Highlight the parent virtual machine that you just imported, and then click Next. Virtualization Platform Integration 9. Select the appropriate snapshot on the Snapshot window, and then click Next. 10. Select a folder in which the new computers will be placed on the Folder window, and click Next. If the list is empty, or to update the list, click Import. 11. Select one or more resource pools and datastores on the Resource Pools/Datastores window. This is where the virtual computer disk files are to be stored. If the list is empty, or to update the list, click Import. You are not limited to using the datastore of the parent virtual computer. Using a different datastore than the parent virtual computer might increase provisioning performance. a) To change the distribution method, click the Distribution button on the toolbar above the list of datastores. Complete the information on the Datastore Distribution Method window as appropriate. b) Click Next. 269 vWorkspace Administration Guide 12. Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window. If Specify the base name is selected, do the following: a) Type the text string in the Base Name field. b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate. 13. Click Next. 14. On the Customize Operating System window, do one of the following, and then click Next: a) To use Microsoft System Preparation tools, select Specify operating system customizations. The computers in this group will be powered on after they are created. b) Select a customization from the list, or click New to create a new customization. See Create Operating System Customizations Windows XP/2003 or Create Operating System Customizations Vista/Win7/Server2008 for more information. c) To not use Microsoft System Preparation tools, select Do not specify operating system customizations. The desktops in this group will not be powered on after they are created. 15. Select the check box to reconfigure the computer’s memory and disk persistence after the cloning on the Configure Computers window, if appropriate, then do the following: a) Select Reconfigure Memory, and move the slider or enter a number to adjust for the memory value. b) Select Wait for users to log off before reconfiguring the computer, if appropriate. 270 Virtualization Platform Integration c) Select the Virtual Disks tab, and select Reconfigure Virtual Disks, and select First disk only or All disks. Select the Disk Mode, and set it to one of the following: • Persistent • Independent and Persistent • Independent and Nonpersistent 16. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next. 17. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops. Red text is displayed as a reminder to administrators not to create more virtual computers than their infrastructure is designed to support. Parallels Virtuozzo Containers Integration This section describes the range of desktop management and provisioning features offered by vWorkspace for Parallels Virtuozzo Containers environments. Parallels Virtuozzo Nodes Parallels Virtuozzo nodes can be imported to the vWorkspace Management Console as either independent hosts or as part of a group. A Virtuozzo group can contain master and slave nodes that are associated with each other. However, a Virtuozzo host cannot simultaneously be an independent host and part of a group. A location can contain both slave nodes and independent nodes. If you do not have independent nodes a master node must be defined as a management server for the location to support slave nodes. When a location is added, slave nodes can be imported from any of the virtualization server master nodes, and are associated with the location. 271 vWorkspace Administration Guide Virtuozzo independent nodes are added to a location, rather than imported, as is the case with Virtuozzo slave nodes. When setting up the Parallels Virtuozzo Containers in the vWorkspace Management Console, once a location has been defined, the following steps must be completed: • Associate virtualization hosts, independent nodes and/or slave nodes, to the location. Virtuozzo Slave Nodes — Use this option to import master nodes and select slave nodes that are to be imported. Independent Virtuozzo Nodes — Use this option to add the independent nodes to the location. • Computer groups can be added to locations by selecting Desktops from the location in the vWorkspace Management Console. See Computer Groups in the vWorkspace Management Console chapter for more information. • Add computers to the established computer groups by using the Add Computers wizard. See the vWorkspace Management Console chapter for more information. Parallels Virtuozzo Containers disable the startup of certain Microsoft Windows services by default, including ones that are required for vWorkspace. You need to set the type to Enterprise, to prevent the disabling of certain Window services. Please also refer to the Parallels Virtuozzo knowledge base article, http://kb.parallels.com/1007, for more information. Add Computers to a Computer Group 1. Start the Add Computers tool by doing one of the following: a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard. – OR – b) Select the computer group from the vWorkspace Management Console and do one of the following: 272 • Right-click on the managed computer group and select Add Computers. • Select the Add Computers icon from the navigation pane toolbar. Virtualization Platform Integration • Select Add Computers from the Actions menu on the navigation pane. • Select Add Computers from the Actions menu on the information pane of the datacenter. 2. Click Next on the Welcome to the Add Computers Wizard window. 3. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next. 4. Select a template from the list on the Template window, and click Next. If there are no templates listed or to update the list, click Import. 5. Select one or more Virtuozzo network devices from the Nodes/Network Devices window. This is where the computers should be created. If the list is empty or to update the list, click Import. a) To change the distribution method, click Distribution on the toolbar above the list of datastores. Complete the information on the Datastore Distribution Method window as appropriate. b) Click Next. 6. Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window. If Specify the base name is selected, do the following: a) Type the text string in the Base Name field. b) Select a value from the Start numeric value at and increment by fields. c) Select Re-use the names of deleted desktops, if appropriate. If Specify a text file containing names is selected, do the following: a) Type the path and file name of the text file containing the list of computer names in the Names File field. b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate. c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate. 7. Click Next. 273 vWorkspace Administration Guide 8. On the Customize Operating System window, do one of the following, and then click Next: a) To use Microsoft System Preparation tools, select Specify operating system customizations. The computers in this group will be powered on after they are created. b) Select a customization from the list, or click New to create a new customization. It is important that you make sure your operating system customization configuration is accurate and works on a computer that is visible to you. If the customization information is incorrect, you may have a computer that requires user input, but you will have no way of connecting to it. c) To not use Microsoft System Preparation tools, select Do not specify operating system customizations. The desktops in this group will not be powered on after they are created. 9. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next. 10. Review and confirm the information on the Finish window, and do one of the following: a) Click Back to make changes. b) Click Finish to create the desktops. c) Click Cancel to exit without saving the settings or creating the desktops. Red text is displayed as a reminder to administrators to not create more virtual computers than their infrastructure is designed to support. RD Session Host Integration This section describes features offered by vWorkspace to integrate with Microsoft Remote Desktop Services using Microsoft Windows Server 2008 R2. Microsoft Remote Desktop Services (RDS), formerly Terminal Services, presents users with an entire desktop environment or individual applications that are running from within a datacenter, but appear to the user as a local application. 274 Virtualization Platform Integration The integration between vWorkspace and Microsoft Remote Desktop Services enables the following features: • Support for publishing applications and desktops using Microsoft RemoteApp Start menu integration in Microsoft Windows 7 and Microsoft RD Web Access. • Support for publishing individual applications using Microsoft’s built-in RemoteApp technology for seamless windows for Microsoft Hyper-V virtual desktops and RD Session Hosts. • Support for Remote Desktop Gateway for secure Internet access. • Support for the addition of Microsoft Remote Desktop Connection Brokers to the vWorkspace Management Console. • Support in AppPortal for connectivity to Microsoft Remote Desktop Connection Broker and Remote Desktop Gateway. RemoteApp Support RemoteApp support for Hyper-V virtual desktops and RD Session Host enables the publishing of individual applications using Microsoft's RemoteApp technology on access devices. When using RemoteApp with Microsoft XP or Microsoft Vista, you need to install one of the following hotfixes from Microsoft. Update package for Microsoft Windows XP SP3: http://www.microsoft.com/downloads/details.aspx?FamilyID=2f376f53-83cf-4 e5b-9515-2cb70662a81b&displaylang=en Update package for Microsoft Vista SP1 or later: http://www.microsoft.com/downloads/details.aspx?familyid=097B7478-31504D0D-A85A-6451F32C459C&displaylang=en RD Connection Broker Integration There are some differences in functionality between the Microsoft RD Connection Broker and the vWorkspace Connection Broker. The following is a list of limitations when using the Microsoft RD Connection Broker with vWorkspace instead of the vWorkspace Connection Broker. 275 vWorkspace Administration Guide • Filtering of which applications and desktops are published based on client name/IP can only be done through vWorkspace Connection Broker. • Folders for published applications and desktop are not visible in RD Web Access and the Start Menu. AppPortal will show folders when connected to RD Connection Broker. • Connections through RD Web Access and the Start Menu always use the RDP client, not the EOP client, so the EOP features cannot be used. However, you can use Quest AppPortal on Windows to connect to the RD Connection Broker, but not Quest Web Access. • Mac, Linux, or Java connectors (clients) cannot be launched from RD Web Access. • Mac and Linux AppPortals do not yet support RD Connection Broker. • Auto-logoff does not work using RemoteApp through RD Web Access or RemoteApp in Start menu (with the RDP client): • Auto-logoff (PNStart) does not work for individual applications published from virtual desktops, which is the same behavior as you get using RemoteApp, without vWorkspace. The workaround is to use GPO to force a logoff after a period of time disconnected. This only affects individual applications from virtual desktops, whole desktops are fine. • Auto-logoff (PNStart) does not work for applications launched from RD Session Host through RemoteApp. The workaround is to use GPO to force a logoff after a period of time disconnected. Importing Existing Computers into a Group You can import existing computers from a virtualization host to an existing computer group. After computers have been successfully imported, the task Initialize Computer is automatically created. This process establishes the relationship between the farm and the virtual desktop and must be completed successfully. See Initialize Computer for more information on this process. Several controls are available to assist with importing and resynchronizing (Import/Re-sync Computers tool) desktop computers. For more information about adding computers, refer to the specific integration components in this chapter. 276 Virtualization Platform Integration The options on the Import/Re-sync Computers windows are described below. The options presented are dependent upon the type of computers that are being imported. OPTION DESCRIPTION Options Import computers into group [managed_desktop_group_ name] If selected, virtual computers that have previously been imported into other managed computer groups in the vWorkspace data center are prevented from being imported into the current managed desktop group. Remove orphaned desktops If selected, managed desktop computers are removed from the selected managed desktop group if they no longer exist in the VMware VirtualCenter inventory. Inventory Folders\Computers This displays a list of folders and virtual computers available in the VMware VirtualCenter data center inventory. Expand the nodes to view the computers. 277 vWorkspace Administration Guide OPTION DESCRIPTION Microsoft Hyper-V Inventory This control displays a list of folders and virtual computers available in the Microsoft Hyper-V data center inventory. Expand the nodes to view the computers. Nodes This displays a list of folders and virtual computers available in the Parallels Virtuozzo Host inventory. Expand the nodes to view the computers. View:New If selected, displays a list of virtual computers that have not yet been imported into the managed desktop group. View:Existing If selected, displays a list of virtual computers that have previously been imported into the managed desktop group. Finish If selected, the chosen virtual computers are imported into the current managed desktop group as managed desktop computers. The Initialize Computer task is automatically started for each desktop computer successfully imported. Cancel If selected, the Import/Re-sync selections are discarded, and the window is closed. How to ... Import Existing Computers into a Group 278 1. Open the vWorkspace Management Console. 2. Select the group on which the import will be performed, and do one of the following: • Right-click on the computer group and select Import/Re-sync computers. • Click the Import/Re-sync computers icon from the toolbar in the navigation pane. • Select Actions | Import/Re-sync computers from the menu on the navigation pane. Virtualization Platform Integration • Select Import/Re-sync computers from the Actions menu on the computer group’s information pane. • Select Import existing desktops from VMware from the Finish window of the Computer Group wizard, and then click Finish, if you are completing the Computer Group wizard. 3. Complete the Import/Re-sync Computers Options as appropriate, and then click Next. 4. Select the appropriate View option (New or Existing) on the Inventory window. 5. Select the computers that are to be imported on the Inventory window. 6. Click Finish to start the import. Monitoring Operations You can monitor an operation by using the middle and bottom panes of the vWorkspace Management Console. The middle pane on the vWorkspace Management Console displays the overall progress. You can use Refresh to update the view. The bottom pane on the vWorkspace Management Console uses the Tasks tab to display the status of the tasks to complete the process, and a Log tab to display more detailed status information. To cancel a task, select it from the list of tasks and choose Cancel from the Actions menu, or right-click on the task and select Cancel. PNTools is a required component for managed computers in the vWorkspace infrastructure. If you did not install PNTools as part of the template for the new desktops, it needs to be installed. 279 vWorkspace Administration Guide 280 5 Managing the Virtual Workspace • Overview • Power Management • Two-Factor Authentication • Managed Applications • vWorkspace Connectors • Resources • Secure Gateway • Web Access • vWorkspace Reporting vWorkspace Administration Guide Overview Virtual workspace is a term used to encompass all of the technologies and platforms Quest vWorkspace uses to host the end user's computing environment. The virtual workspace consists of the applications, data, settings, and operating system subsystems required to provide a functional desktop computing environment. For example, a user can launch three seamless windowed applications, but each is hosted on a separate platform. One is hosted on an RDSH server, the other on a Microsoft Hyper-V hypervisor, and the third hosted on a high Blade. However, this is all transparent to the end user. With workspace virtualization, you can facilitate the execution of a user's productivity applications from a data center with the flexibility to host these applications on multiple platforms. Managing the virtual workspace involves many facets. Traditional PC computing involves many components such as applications, application configuration, USB devices, printers, and user profiles, to name a few. Quest vWorkspace is designed to centralize the execution of desktop computing, but also to centralize its management. And in centralizing desktop computing execution, other areas of management arise, which vWorkspace provides tools for as well. This chapter will inform you of the different tools vWorkspace provides for managing the virtual workspace. Power Management Managed computer power states can be changed, either automatically by the Connection Broker or manually by an administrator using the vWorkspace Management Console. vWorkspace Connection Brokers periodically query their configured virtualization entity servers for the current power state of managed computers running as virtual computers. vWorkspace Connection Brokers can also submit commands to change the power state of a given virtual computer. For example, when a user attempts to connect to a managed computer running as a virtual computer and that virtual computer is powered off, the Connection Broker automatically sends a command to power on the computer. Once the virtual computer is powered on and the operating system has loaded, the user is then connected to the desktop and log on. 282 Managing the Virtual Workspace The power states and virtualization entities that can be manipulated with vWorkspace are as follows. POWER STATE Power On — Powers the virtual computer on in the same way as using the power switch on a physical computer. VIRTUALIZATION ENTITY • VMware • Microsoft Hyper-V • Microsoft SCVMM • Parallels Virtuozzo Power Off — Powers the virtual computer off in the same way as using the power switch on a physical computer. • VMware Reset — Powers the virtual computer off and then on again in the same way as using the reset switch on a physical computer. • VMware Resume — Reawakens a virtual computer that has been in a suspended state. • VMware Suspend — Suspend saves the system state and working set of the virtual computer to disk before powering off. When resumed, the computer is returned to the state it was in before being suspended. This option is faster since the operating system does not have to go through the complete load and initialization process. • VMware Shut Down OS — Gracefully shuts down the guest operating system in the same way as using the Shut Down function in Windows. • VMware • Microsoft Hyper-V • Microsoft SCVMM • Microsoft Hyper-V • Microsoft SCVMM • Microsoft Hyper-V • Microsoft SCVMM • Microsoft Hyper-V • Microsoft SCVMM • Microsoft Hyper-V • Microsoft SCVMM • Parallels Virtuozzo • Other/Physical (Blade PCs) Restart OS — Same as the Restart option in Windows. • VMware • Microsoft Hyper-V • Microsoft SCVMM • Other/Physical (Blade PCs) 283 vWorkspace Administration Guide POWER STATE Log Off User — Logs the user off in a graceful manner. The user is prompted to save any unsaved data. VIRTUALIZATION ENTITY • VMware • Microsoft Hyper-V • Microsoft SCVMM • Other/Physical (Blade PCs) Reset Session — Closes all programs that are running and deletes the session from the server that is running Remote Desktop Services. This can be used if a session is not functioning correctly, or if the session has stopped responding. • VMware • Microsoft Hyper-V • Microsoft SCVMM • Other/Physical (Blade PCs) Two-Factor Authentication There are two different ways of enabling Two Factor Authentication (TFA) in vWorkspace, either from the vWorkspace Management Console or Web Access. Two-factor authentication can also be enabled in both the vWorkspace Management Console and Web Access. You are able to setup TFA in any vWorkspace Connector. You need the following information from your Radius server: • IP address, FQDN or NetBIOS name. • Radius Authentication port (default is 1812). • Secret Key (Check with your Radius admin if you do not know this key.) • CHAP or PAP, which one is being used. • Length of the one-time password. It is usually either 6 or 8 characters. The examples in this section use Quest Defender. How to ... 284 • Set up TFA in the vWorkspace Management Console • Set up TFA in Web Access • Set up TFA in the vWorkspace Management Console and Web Access Managing the Virtual Workspace Set up TFA in the vWorkspace Management Console 1. Open the vWorkspace Management Console. 2. Right-click on the Farm node and select Farm Properties or select the Properties icon from the toolbar. 3. Select Two-Factor Authentication, select to enable Radius, and then complete the information on the window. FIELD DESCRIPTION Timeout (seconds) This setting reports back a timeout if the allotted time has been exceeded in trying to authenticated. Default is 30 seconds. Password Layout This setting defines how a user authenticates, either by entering their AD password and their OTP, or by entering their OTP and their AD password combined. Require all users to be two-factor authenticated The setting, if selected, mandates that all vWorkspace users need to enter their AD\OTP or OPT\AD in the password field. 285 vWorkspace Administration Guide If you choose not to enforce TFA for all applications then you can set up Advanced Targets and assign this to published applications, as in the below image. If you have assigned applications to an advanced target requiring the use of TFA, when authenticated, these applications are visible to the end user. If a user does not enter their TFA credentials, then only those applications assigned to them through Targets are available to them. 286 Managing the Virtual Workspace Set up TFA in Web Access 1. Open Web Access Site properties from the vWorkspace Management Console. 2. Select Two-Factor Authentication, and complete the information on the window as appropriate. 3. Click Apply. If you choose not to enforce TFA for all applications then you can set up Advanced Targets and assign to specific published applications. 287 vWorkspace Administration Guide If you set up Advanced Targets, then you need to set your advanced target to allow access to that application(s) based on your trusted entry point. Your trusted endpoint in the above case would be your Web Access Server. Set up TFA in the vWorkspace Management Console and Web Access If you decide to have TFA enabled on both your vWorkspace Management Console and on Web Access, then you need to have an Advanced Target setup like the below image. One of the reasons that you would want to set up TFA on both the vWorkspace Management Console and on Web Access is if you use AppPortal Connector internally and your end users also access vWorkspace through Web Access externally, or if you are in the process of doing a migration from either a pre-7.5 vWorkspace version farm or a Citrix deployment. 288 Managing the Virtual Workspace Managed Applications Before an application can be published and accessed by users, it first must be installed on the hosting computer. In a Quest vWorkspace infrastructure, the hosting computer can be any of the following: • Microsoft RD Session Hosts • Managed Computers • Virtualized Applications Microsoft RD Session Hosts Applications installed and published on Microsoft RD Session Hosts are sometimes referred to as shared or multi-user applications. This is because a single installation of the application can be used simultaneously by multiple connected users. When Remote Desktop Services is enabled on Microsoft Windows Servers, you must ensure the application is installed properly. 289 vWorkspace Administration Guide Consider these suggestions and guidelines: • Session Hosts need to be in the install mode when installing applications intended for multi-use. This is done automatically when the Control Panel, Add |Remove Programs is used, but can also be started from a command prompt using the following command: Change User / Install. • Users should not be logged on to the system when installing applications. • Review all available documentation for any issues that might exist when installing and using an application with Remote Desktop Services. Some applications have special procedures or command line switches that must be used for installation on Remote Desktop Services. • Restrictions such as support for the full feature set or license restrictions may be applicable when used on Session Hosts. • Applications, such as Computer Aided Design or scientific modeling and analysis programs, may not be good candidates for Session Host based deployments. These types of applications place an increased demand on the physical resources of a computer. Managed Computers A major benefit of hosting applications on vWorkspace enabled managed computers is that no special considerations have to be taken into account; you install the application as it would be done for a Microsoft Windows computer. The applications can be installed manually, or pushed to the managed computer using third-party tools such as Microsoft Active Directory Group Policy (Software Installation) or Microsoft SMS. Some considerations when installing applications on managed computers are: 290 • Install all the applications a user might need on to the same managed computer, when practical. This helps to reduce the number of remote sessions needed for a user to accomplish their work. • Use managed computers for special purpose applications that do not need to be made widely available. • Use managed computers for applications that are too resource intensive to be installed on Session Hosts. • Use managed computers, especially when implemented as virtual computers, for applications being created and tested in a software development environment. Managing the Virtual Workspace Virtualized Applications Many application deployment solutions exist to simplify and accelerate the process of deploying line-of-business applications to the user desktop. These same tools are ideal for use in a vWorkspace enabled desktop infrastructure. Managed Applications Properties The Managed Applications Properties option allows administrators to enable or disable Graphics Acceleration globally for managed and unmanaged applications, set Custom Properties, and set Permissions for users for all managed applications. Managed application properties are accessed by doing one of the following: • Select Properties from the context menu of Managed Applications in the vWorkspace Management Console. Managed Applications is listed under Resources in the vWorkspace Management Console. • Selection Actions | Properties from the main menu on the vWorkspace Management Console. • Select the Properties icon on the toolbar. 291 vWorkspace Administration Guide Graphics Acceleration The Graphics Acceleration setting in Managed Applications Properties is used to globally set graphics acceleration for all managed and unmanged applications. You can also set the Image Quality for the graphic accelerated application in Properties. The ability to set graphics acceleration for individual managed applications, is completed by the Properties settings for the specified application, or by setting the Graphics Acceleration setting during the process of adding a Managed Application. Custom Properties Managed applications can have up to five custom properties, which allows managed applications more flexibility and better organization. You can label managed applications, for example, by customer. In the list under Property Name, enter the names of the custom properties you want to assign to the managed applications. These names appear in the column headers in the applications view. 292 Managing the Virtual Workspace To enter custom property values for an application, edit the properties of that application, or right-click on an application in the application view and select Custom properties. Permissions Managed Applications Properties is also used to enable administrators to allow or deny actions for activities within the vWorkspace Management Console. For more information on Permissions, see Administration in the vWorkspace Management Console chapter. New Application Tool The New Application command is used to publish an application, desktop, or content. It can be opened from the following locations within the vWorkspace Management Console. • Sessions Hosts node • Desktops node • Resources node 293 vWorkspace Administration Guide How to ... • Start New Applications using Session Hosts Node • Start New Applications using the Desktops Node • Start New Applications from the Resources Node Start New Applications using Session Hosts Node 1. Open the vWorkspace Management Console. 2. Expand Locations and then the location name where the Session Host is located. 3. Highlight the Session Hosts node. 4. Select either Management or Provisioning. 5. Select the Applications tab in the information pane. 6. Select New Applications from either the toolbar or by the context menu which can be accessed by right-clicking in a blank area of the information pane. Start New Applications using the Desktops Node 1. Open the vWorkspace Management Console. 2. Expand Locations, and then the location name where the computer group is located. 3. Expand the Desktops node. 4. Select the computer group into which the application is to be published. 5. Right-click on desktop group, and then select New application in group. – OR – In the information pane, click on the Managed Applications tab and select Actions | New Application in Group. 294 Managing the Virtual Workspace Start New Applications from the Resources Node 1. Open the vWorkspace Management Console. 2. Expand the Resource node, and highlight Managed Applications. 3. Right-click the Managed Applications node, and then select New Managed Application. – OR – In the Managed Applications information pane, select New from either the Actions or the context menu. Publish RD Session Host Applications The most direct way to publish applications hosted on RD Session Hosts is to start New Application from either the Session Hosts or Resources nodes (see New Application Tool for more information). The system displays the Managed Application Wizard. Publish an Application Hosted on Session Hosts 1. Open the Managed Application Wizard. 2. Click Next on the Welcome window of the Managed Application Wizard. 3. On the Application Name window, do the following: a) Specify a friendly name for the application in the Name box, and then click Next. Published application friendly names are limited to 150 characters. If any names are longer than 150 characters, they get truncated, and any duplicates are suffixed with a numeric value to ensure uniqueness. b) Enter the names of the custom properties you want to assign to the managed applications. These names appear in the column headers in the applications view, which can assist with searching and sorting. 295 vWorkspace Administration Guide 4. 296 On the Application Type window, select the type of application, and then click Next. Managing the Virtual Workspace 5. On the Publishing window, select Session Host(s) and select the servers on which to publish the application for a specified location, and then select Next. 6. Complete the following information on the Defaults window, and then click Next: a) If the application to be published is a virtualized application package stored on a App-V server, click Select App-V Application. b) Enter a Path, or select the ellipsis to browse. 297 vWorkspace Administration Guide c) Enter any arguments that you want to have passed to the application when started in the Arguments box. d) If the application requires a working directory, type its path in the Working Dir box. 298 Managing the Virtual Workspace 7. On the Server Specific window, enter server specific program specifications, as appropriate. Click Next. 8. On the Display Name window, enter a Display Name if you want the name that is displayed to the user to be different than what is in the Name box on the Application Name window. Click Next. 299 vWorkspace Administration Guide 9. On the Icon window, select an icon for the application, and then click Next. 10. Specify the application window state for this application, including seamless window mode settings, and then click Next. 11. Select the appropriate option (Desktop, Start Menu, Start Menu \Programs) for clients using AppPortal in desktop integrated mode on the Desktop Integration window, and then click Next. 300 Managing the Virtual Workspace 12. Select the appropriate option on the Graphics Acceleration window, and then click Next. The Use default option refers to the default Graphics Acceleration option setting on the Managed Applications Properties window. See Managed Applications Properties for more information. 13. Select Enabled or Disabled on the Enable/Disable window, and then click Next. If you select Disabled, the application is not displayed in client application lists. 301 vWorkspace Administration Guide 14. Complete the information, as appropriate, on the Load Balancing window, and then click Next. The Enable this application to share on active session option must not be selected if you are using Web Access with published applications where multiple users use the same computer, such as a kiosk or other semipublic user. 15. Specify any application restriction settings for this application, and then click Next. 16. Select the Virtual IP settings for this application, as appropriate, and click Next. The settings are: Virtual IP, Client IP, and Virtual Loopback. 17. Use the Client Assignment window to assign this application to targets, and then click Next. 18. Set Permissions as appropriate, and then click Finish. 302 Managing the Virtual Workspace Publish Session Host Desktops The steps for publishing a shared Windows desktop hosted on a Session Host are exactly the same as that for publishing a shared application, except for the following exceptions: 1. The Application Type is set to Desktop. When this is done, no path, arguments, or working directory are needed, and the fields for these are not presented. 2. The Defaults and Server-Specific options are not available. 3. The Startup section is not available. The Startup option is only available if the Type is Program. Publish a Managed Desktop You can publish a desktop to the managed computer group using the New Managed Application wizard. How to ... Publish a Desktop to a Managed Computer Group 1. Open the vWorkspace Management Console. 2. Expand the Desktops node at the required location. 3. Navigate to the computer group where the desktop is to be published. 4. Select New Application from the context menu. 5. Click Next on the welcome window of the Managed Application Wizard. 6. On the Application Name window, do the following: a) Specify a friendly name for the application in the Name box, and then click Next. Published application friendly names are limited to 150 characters. If any names are longer than 150 characters, they get truncated, and any duplicates are suffixed with a numeric value to ensure uniqueness. b) Enter the names of the custom properties you want to assign to the managed applications. These names appear in the column headers in the applications view, which can assist with searching and sorting. 7. On the Application Type window, select the type of application, Desktop, and then click Next. 303 vWorkspace Administration Guide 8. On the Publishing window, select the Managed Computer Group option, and then select the managed computer group from your location on which to publish the application. Click Next. 9. On the Display Name window, enter a Display Name if you want the name that is displayed to the user to be different than what is in the Name box on the Application Name window. Click Next. 10. On the Icon window, select an icon for the application, and then click Next. 11. Select the appropriate option (Desktop, Start Menu, Start Menu \Programs) for clients using AppPortal in desktop integrated mode on the Desktop Integration window, and then click Next. 12. Select the appropriate option on the Graphics Acceleration window, and then click Next. The Use default option refers to the default Graphics Acceleration option setting defined in the Managed Applications Properties. 13. Select Enabled or Disabled to specify if this application is displayed on the client application list. 14. Use the Client Assignment window to assign this application to targets, and then click Next. 15. Set Permissions as appropriate on the Permissions window, and then click Finish. 304 Managing the Virtual Workspace Publish Managed Applications Publishing an application hosted on a managed desktop is similar to that of RD Session Host. The major differences are that the Load Balancing, Application Restrictions, and Virtual IP options are not available for managed desktops. How to ... Publish an Application 1. Open the vWorkspace Management Console. 2. Expand the Desktops node for the required location. 3. Navigate to the computer group where the desktop is to be published. 4. Start New Application by selecting the New Application icon from the toolbar or Actions | New Applications. 5. Click Next on the welcome window of the Managed Application Wizard. 6. On the Application Name window, do the following: a) Specify a friendly name for the application in the Name box, and then click Next. Published application friendly names are limited to 150 characters. If any names are longer than 150 characters, they get truncated, and any duplicates are suffixed with a numeric value to ensure uniqueness. The following characters cannot be used in application names that are to be published for Web Access: <, >, /,\, *, y ’. b) Enter the names of the custom properties you want to assign to the managed applications. These names appear in the column headers in the applications view, which can assist with searching and sorting. 7. On the Application Type window, select the type of application, Program, and then click Next. 8. On the Publishing window, select Managed Computer Group, and then select the managed computer group from your location on which to publish the application. Click Next. 9. Complete the following information on the Defaults window, and then click Next: a) If the application to be published is a virtualized application package stored on a App-V server, click Select App-V Application. 305 vWorkspace Administration Guide b) Enter a Path, or select the ellipsis to browse. c) Enter any arguments that you want to have passed to the application when started in the Arguments box. d) If the application requires a working directory, type its path in the Working Dir box. 10. On the Display Name window, enter a Display Name if you want the name that is displayed to the user to be different than what is in the Name box on the Application Name window. Click Next. 11. On the Icon window, select an icon for the application, and then click Next. 12. Specify the application window state when started, on the startup window, and then click Next. 13. Select the appropriate option (Desktop, Start Menu, Start Menu \Programs) for clients using AppPortal in desktop integrated mode on the Desktop Integration window, and then click Next. 14. Select the appropriate option on the Graphics Acceleration window, and then click Next. The Use default option refers to the default Graphics Acceleration option setting of Managed Applications Properties. 15. Select Enabled or Disabled to specify if this application is displayed on the client application list. 16. Select Client Assignments to specify the targets that are to have access to this application and assign this application to them, and then click Next. 17. Set permissions on the Permissions window, as appropriate, and then click Finish. Publish Content Traditionally in Windows networks, users have relied on network drive mappings, browsing, or corporate Web sites to get information. As networks grow in size and complexity these methods have become less efficient. Web based resources that are not located on the corporate network can require users to remember numerous and sometimes long URLs, or to know how to build efficient and effective search queries. Published content provides an easier way for users to access the information they need. When an administrator publishes content, the complete path to the resource is specified and is associated with an icon. This path can be in Universal Naming Convention (UNC) format or web based formats, such as http, https, ftp, ldap. The icon representing the content is passed down to the vWorkspace Client in the same manner as application and desktop icons. 306 Managing the Virtual Workspace To access the content, the user simply clicks on the icon. The content path is passed to an application, based on Windows file type associations, capable of opening that type of content. For example, content using a UNC path would be opened with Windows Explorer, while content using http would be opened with Internet Explorer. The administrator has the option of specifying whether the application used resides on the client device or on a remote device. If you want users to have multiple sessions to the same server, the Restrict each user to one session setting at the following path must be set to No. Administrative Tools | Terminal Services Configuration | Server Settings If you are using an application deployment solution such as Application Virtualization, applications are published using the type Content. The process of publishing content is exactly the same as publishing an application hosted on a RD Session Host or desktop with the following exceptions: • Type — Select Content on the Application Type window of the Managed Application Wizard, and then select where the content is to be published (Server or Client). • Publishing— Select Terminal Server(s) if you want the content to be opened with an application installed on a RD Session Host, and then select which RD Session Host to use. Select Managed Computer Group if you want the content to be opened with an application installed on the client device. When this is chosen, the Server-Specific, Application Restrictions, Virtual IP, and Load Balancing windows are unavailable as they do not apply to desktops. • Path — Enter the path to the content on the Defaults window. A UNC path can be either to a shared folder or a file within a shared folder. Share, NTFS, and web permissions all apply when users try to access the content. Therefore, even though clients are listed in the published content’s access control list, the client may still be denied access because of other permissions. 307 vWorkspace Administration Guide Published Applications Tasks Once applications have been published on either Session Hosts or desktops, additional applications can be added, modified, duplicated, and deleted. The Select Applications to Publish menu option is a way to add existing published applications, desktops, or content to either a Session Host or computer group when new Session Host or computer groups have been added to the vWorkspace infrastructure. All properties of published applications, desktops, or content can be modified after they are created. An existing published application can be duplicated and then modified, but the duplicate needs to be given a unique name. When a published resource is no longer needed, it can be deleted from the database. Deleting a published application, desktop, or content does not remove the application from the hosting computer nor does it delete the actual desktop or content. How to ... • Add Published Applications to a Session Host • Add Published Applications to a Computer Group • Modify Published Applications with Session Hosts Node • Modify Published Applications with Desktops Node • Modify Published Applications on the Resources Node • Duplicate a Published Application • Delete a Published Application Add Published Applications to a Session Host 308 1. Open the vWorkspace Management Console. 2. Expand Locations and then the location name where the Session Host is located. 3. Click on the Session Hosts node in which to add the existing published resources. 4. Double-click on Management or Provisioning. 5. In the information pane on the right, click on the Applications tab for the selected Session Host. Managing the Virtual Workspace 6. Click on the Published Applications icon from the navigation pane toolbar or the information pane toolbar, or select Actions | Publish Applications. A list of published resources is presented. 7. Select each published resource you want to add to the server. To select a published resource, select the box to the left of the Application. 8. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window. Add Published Applications to a Computer Group 1. Open the vWorkspace Management Console. 2. Expand Locations and then the location name where the computer group is located. 3. Expand the Desktops node and highlight the computer group. 4. Use one of the following to open the Select Applications to Publish: a) Right-click on the computer group. b) Select the Managed Applications tab in the information pane, and then Actions| Select Applications to Publish in the information pane. 309 vWorkspace Administration Guide c) Select Actions| Select Applications to Publish from the navigation pane. d) Click the Select Applications to Publish icon from the navigation pane toolbar. 5. Select each published resource you want to add. To select all published resources, select the box to the left of Applications. 6. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window. Modify Published Applications with Session Hosts Node 1. Open the vWorkspace Management Console. 2. Expand Locations and then the location name where the Session Host is located. 3. Click on the Session Hosts node in which to modify the existing published resources. 4. Double-click on either Management or Provisioning. 5. Click on the Applications tab located in the Session Hosts information pane. 6. Highlight the published resource to be modified, and then select Properties from the context menu, or click on the Properties icon on the information pane toolbar. 7. On the Managed Application Properties window, navigate through the various windows to make the necessary changes. 8. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window. Modify Published Applications with Desktops Node 310 1. Open the vWorkspace Management Console. 2. Expand Locations and then the location name where the computer group is located. 3. Expand the Desktops node (you can also navigate to a specific datacenter or computer group). 4. Click on the Managed Applications tab in the information pane. 5. Highlight the published resource to be modified, and then select Properties from the context menu, or select Actions | Properties on the information pane. 6. On the Managed Application Properties window, navigate through the various tabs to make the changes, as appropriate. 7. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window. Managing the Virtual Workspace Modify Published Applications on the Resources Node 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then click on the Managed Applications node. 3. Highlight the published resource to be modified, and then select Properties from the context menu, or select the Properties icon from the information pane. 4. On the Managed Application Properties window, navigate through the various tabs to make the changes, as appropriate. 5. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window. Duplicate a Published Application 1. Open the vWorkspace Management Console. 2. Navigate to the desired published application under the Session Hosts, Desktops, or Resources node. 3. Right-click on the published application, and select Duplicate from the context menu. 4. Make the necessary changes using the appropriate windows on the Managed Applications Properties window. 5. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window. Delete a Published Application 1. Open the vWorkspace Management Console. 2. Navigate to the desired published application under the Session Hosts, Desktops, or Resources node. 3. Click the Delete on the toolbar or from the context menu. 4. After reviewing the warning message, click Yes to delete or No to cancel. Internet Explorer Compatibility Quest vWorkspace Internet Explorer Compatibility is a set of features that allow an alternate version of Internet Explorer to be delivered to a Windows Client running the vWorkspace Connector, or to a Windows Server with the vWorkspace Session Host or Terminal Server Role. 311 vWorkspace Administration Guide vWorkspace Internet Explorer Compatibility seamlessly presents vWorkspace managed applications from Windows Terminal Servers or Session Hosts to a Windows Client desktop when applications that require a specific version of Internet Explorer are different than the version on the Windows Client operating system. A user’s local Internet Explorer browser can be set to hook specific URLs, and launch them with associated vWorkspace managed applications. From a server, the user's hosted Internet Explorer browser can be configured by vWorkspace to redirect back to the client's local Internet Explorer instance when the user browses to specific URLs, or when the user browses to sites that are not configured for use with the hosted browser. Internet Explorer Compatibility consists of the following components: 312 • vWorkspace Connector Settings Group Policy Admin Template (vworkspace.adm or .admx) — This template is used to configure the vWorkspace Connector, such as Broker Type, Broker Name, XML Port, and Authentication Settings. This can be used as an alternative to the config.xml file. • Config.xml — This XML file is used to configure the vWorkspace Connector, such as Broker Type, Broker Name, XML Port, and Authentication Settings. It can be used instead of the vWorkspace Connector Settings Group Policy Administrative Template. • vWorkspace Connector Internet Explorer URL Redirection Browser Add-On (pnurlhook.dll) — This add on is used to launch the vWorkspace Connector AppPortal in Desktop Integrated mode and display the managed application associated with the URL. • vWorkspace Session Host or Terminal Server Internet Explorer URL Redirection Browser Add-On (pnurlhook.dll) — This add on is used to send a user to their local Internet Explorer browser when the user browses to sites that are not configured for use with the hosted browser. • vWorkspace Client URL Redirection Group Policy Admin Template (ClientSide IE.adm or .admx) — This User Configuration Group Policy Administrative template is used to configure the URLs that should be redirected to a vWorkspace managed application. This template is applied in a GPO that is linked to the OUs where the target user accounts exist. Managing the Virtual Workspace • vWorkspace Server URL Redirection Group Policy Admin Template (ServerSide IE.adm or .admx) — This Computer Configuration Group Policy Administrative template is used to configure the URLs that should be redirected back to the client's local instance of Internet Explorer. This template is applied in a GPO that is linked to the OUs where the vWorkspace Session Hosts/Terminal Servers exists. Typical Deployment A typical deployment of vWorkspace Internet Explorer Compatibility consists of: • One or more Hyper-V servers running vWorkspace Hyper-V Catalyst components for hosting vWorkspace Terminal Server or Session Host virtual machines. • One Terminal Server or Session Host virtual machine for every 20-25 expected concurrent users of Internet Explorer. Each virtual machine is typically configured for 2 vCPUs and 1024-4096MB of dynamic memory. • Two or more vWorkspace Connection Brokers for user authentication and provisioning of the vWorkspace Terminal Server or Session Host virtual machines. • System Center Configuration Manager or Group Policy to deploy the vWorkspace Connector. • Group Policy to configure the client redirection URLs. • Group Policy to configure the server redirection URLs. • vWorkspace Connectors configured in Desktop Integrated Mode. If deploying the vWorkspace Connector Settings through Group Policy, the following must be completed: 1. Configure AppPortal in Desktop Integrated mode. Although the Client URL Redirection Plug-In dynamically launches AppPortal in Desktop Integrated mode, farm authentication fails if AppPortal does not launch in Desktop Integrated mode at least once before it is used to redirect a URL. 2. Configure the following vWorkspace Connector Group Policy Administrative Template settings. a) vWorkspace Connector\Delete Entries\Version\Enabled\ Version = Checked b) vWorkspace Connector\Delete Entries\ Encrypted\Enabled\Encrypted = Checked 313 vWorkspace Administration Guide c) vWorkspace Connector\Farm Type\Farm Settings\Enabled\ Select Farm Type = vWorkspace Connection Broker d) vWorkspace Connector\Connectivity\Location 1\ vWorkspace Connection Settings\Enabled\ Protocol = http, TCP Port = 8080, Connection Broker(s) =ListBrokerNamesHere, Broker1,Broker2,Broker3 e) vWorkspace Connector\Credentials\ Cached Credentials = Enabled, User Supplied Credentials = Enabled, Allow User Supplied Credentials = Checked 3. Set the following in the GPO that applies to the Terminal Servers/Session Hosts OU, so that Computer Group Policies are enforced the first time the Terminal Server’s Computer Account authenticates with Active Directory. Computer Configuration\Administrative Templates\ System\Logon\Always wait for the network at computer startup and logon = Enabled 4. Disable Shutdown Event Tracker. Failure to do this prevents a managed application from successfully launching, without manually switching to desktop view to enter the reason for an unexpected shutdown. Computer Configuration\Administrative Templates\System\ Display Shutdown Event Tracker = Disabled 5. Apply the hotfix referenced in Microsoft KB article 942610, if using Microsoft Server 2003 R2. http://support.microsoft.com/kb/942610 In addition, the following registry entry needs to exist on the Terminal Servers so user’s Remote Display Settings are not reduced to 8-bit when their screen resolution is higher than 1600x1200. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Terminal Server Registry entry: AllowHigherColorDepth Type: REG_DWORD Value: 1 314 Managing the Virtual Workspace vWorkspace Connectors The following sections describe the process of connecting to managed applications and desktops in a vWorkspace Windows infrastructure. Users have the option of either connecting to full-featured desktops or individual applications based upon administrative setup. These items are discussed in greater detail in the following section: • vWorkspace Connector Interfaces • vWorkspace Connector for Windows Packages • vWorkspace Connector Configuration vWorkspace Connector Interfaces There are two primary interfaces available, AppPortal and Web Access. AppPortal Interface The AppPortal is a version of the vWorkspace Connector with an intuitive, interactive user interface allowing users, upon successful authentication, to receive a list of authorized desktops and applications in a vWorkspace infrastructure. Users can subsequently start remote connections to published desktops and applications by selecting the corresponding shortcuts. AppPortal can also be started in Desktop-Integrated mode where the user interface shell is suppressed and it appears in the Windows system tray. Application icons shortcuts are placed on the user’s Desktop, Start Menu, or All Programs menu, depending on preferences. 315 vWorkspace Administration Guide The AppPortal must be installed and configured before users are able to connect to their vWorkspace infrastructure. Web Access Interface vWorkspace Web Access allows users to retrieve their list of allowed applications or desktops using a web browser. A Web Access web server must be available to use this interface. Refer to the vWorkspace Web Access section in this guide for more information. 316 Managing the Virtual Workspace vWorkspace Connector for Windows Packages The vWorkspace Connector for Windows is supported on Microsoft Windows computers, laptops, and Microsoft Windows Embedded thin client terminals, and is available in various packages. The vWorkspace packages available are: • VASCLIENT32 — Includes AppPortal and the Web Access. • VASCLIENT32T — Includes the Web Access, but not the AppPortal. • VASCLIENT32TS — Includes a silent install for Web Access. VAS Client 32 This package is available in the following formats: • VASCLIENT32.exe — MSI installation with EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target client workstations. • VASCLIENT32.msi — MSI installation without the EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target client workstations. • VASCLIENT32.cab — CAB installation for automatic deployment through Web Access. VAS Client 32T This package is available in the following formats, and does not include the AppPortal interface: • VASCLIENT32T.exe — MSI installation with EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target client workstations. • VASCLIENT32T.msi — MSI installation without the EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target client workstations. • VASCLIENT32T.cab — CAB installation for automatic deployment through Web Access. 317 vWorkspace Administration Guide VAS Client 32TS This package is available in the following format for the Web Access client: • VASCLIENT32TS.cab — CAB installation for automatic deployment through Web Access, as a silent installation. The files are located at \\Inetpub\wwwroot\Provision\web-it\clients. vWorkspace Connector Executables The executable file, PNapp32.exe, provides the shell and functionality of the AppPortal interface, forwarding users credentials to the vWorkspace Connection Brokers for authentication, retrieving a list of authorized applications and desktops, and dynamically retrieving the connectivity settings needed to successfully connect to a requested application or desktop. The executable file, PNtsc.exe, establishes the remote connection to applications and desktops that are hosted in the vWorkspace enabled infrastructure, and is included on all packages of the vWorkspace Connector. It is a modified version of the Microsoft Remote Desktop Connection client. PNTray.exe is an executable that runs from the taskbar when an application or desktop is connected, and is included on all packages of the vWorkspace Connector. The PNTray provides a context menu for access to various applets used in managing connections, sessions, and printing options. See PNTray for more information. Additional Registry Settings There are several additional features that can be enabled by enabling registry key entries: • Deferred Authentication • Optional One-session-per-user within a Farm Deferred Authentication Deferred Authentication is an optional mode to retrieve applications and desktops through AppPortal and Web Access, even by users whose passwords have expired or needs to be changed. 318 Managing the Virtual Workspace PasswordExpiredPassthruMode When this feature is enabled, it allows the user, who has entered an expired password or the password that needs to be changed, to get to the Windows logon screen to change the expired password. When enabled, if LogonUser() returns the following error code, the vWorkspace Connection Broker enumerates the groups and OUs for the user and returns ERROR_SUCCESS (0). ERROR_PASSWORD_EXPIRED (1330) and ERROR_PASSWORD_MUST_CHANGE (1907) This feature is controlled through the following registry key. The default is 0. HKLM\SOFTWARE\Provision Networks\Common\ Load and License Manager PasswordExpiredPassthruMode REG_DWORD (0=disabled 1=enabled) AccountLockedPassthruMode When this feature is enabled, it allows the user, whose account appears to be locked, to get to the Windows logon screen to unlock the account. You must have a third party password reset application to use this setting. When enabled, if LogonUser() returns the following error code, the vWorkspace Connection Broker enumerates the groups and OUs for the user and returns ERROR_SUCCESS (0). ERROR_ACCOUNT_LOCKED_OUT (1909) This feature is controlled though the following registry key. The default is 0. HKLM\SOFTWARE\Provision Networks\Common\ Load and License Manager AccountLockedPassthruMode REG_DWORD (0=disabled 1=enabled) Optional One-session-per-user within a Farm This option allows users to move between stations without disconnecting their session. The setting would be useful in a health care environment. 319 vWorkspace Administration Guide SessionRoamingMode When enabled, the vWorkspace Connection Broker looks for both active and disconnected sessions when a user issues a launch request. This enforces one user session per farm, and allows a user to roam, being able to return to their active session from any terminal. The default setting is 0. HKLM\SOFTWARE\Provision Networks\Common\Load and License Manager SessionRoamingMode REG_DWORD (0=disabled 1=enabled) vWorkspace Connector Configuration The AppPortal retrieves information about published applications, desktops, and other assigned resources available from a vWorkspace infrastructure by communicating with the Connection Broker for the infrastructure. AppPortal must be configured so that it knows how to communicate with the Connection Brokers. This process is referred to as managing or configuring connections. An AppPortal command line parameter, /autodelete, is available. This command line parameter removes all farm definitions and desktop integrated shortcuts upon exiting AppPortal, so that any autoload farms are reloaded. First Time Start Configuration When a user starts AppPortal for the first time, AppPortal attempts to configure itself automatically. It does this by locating and reading a file named config.xml using the following order of locations: • http://vworkspace.<FQDN> • http://provision.<FQDN> • https://vWorkspace.<FQDN> • https://provision.<FQDN> If a config.xml is not located using the default URL, AppPortal displays a message telling the user to create a new connection. If the Farm Type is specified as RDBroker, the following attributes do not display a warning if they are missing: 320 • EnableKerberos • KerberosMode Managing the Virtual Workspace • TCPPort (location specific) • Protocol (location specific) • RDPonSSL (location specific) • EnableNAT (location specific) • UseProxy (location specific) • ProxyServer (location specific) • ProxyBypassList (location specific) How to ... Create a New Farm Connection 1. Start AppPortal from the desktop. – OR – Start | Programs | Quest Software| vWorkspace | vWorkspace Client 2. Select Actions | Manage Connections. The Farm Connection window opens. 3. Click Create a new farm, and then click Next. 4. Do one of the following: a) To manually create a farm, select the Allow me to manually specify all configuration parameters option, and then click Next. The system displays the Connectivity window. See Manage AppPortal Connections for information on completing this process. – OR – b) To download the configuration file, select Download the configuration file from a central server, and then click Next. The New Configuration window appears. c) Complete the following fields on the New Configuration window, and then click OK. • Select the Protocol of HTTP, HTTPS, or File. • Enter the URL. • Verify the File field is config.xml. • Select one of the Proxy Server options. 321 vWorkspace Administration Guide 5. Complete any further information on the property windows, and then click Finish. Some information is grayed out and unavailable to be changed. Multiple Monitor Support vWorkspace Enhanced Multimonitor (version 2.0) support is available, providing true multimonitor support to the virtual workspace. The previous version of vWorkspace Multimonitor (version 1.0) support enabled desktop sessions to span multiple monitors. Whereas, Enhanced Multimonitor is monitor aware. Users can have up to four monitors with a total maximum resolution of 4096 x 2048. However, the total resolution height and width needs to be able to be exactly divided by four for enhanced multimonitor. If the total resolution is not exactly divided by four, the previous version of vWorkspace multimonitor runs. The color can be set at 24-bit for Microsoft Windows XP and Microsoft Server 2003, and at 32-bit for Microsoft Vista and Microsoft Server 2008. The task bar is confined to the primary monitor, along with the Start menu. • Enhanced Multimonitor (2.0) does not support 8-bit or lower color. If 8-bit or lower color is detected, the Multimonitor 1.0 support is enabled and the enhanced Multimonitor support is disabled. • If the resolution is 1600x1200 or higher on a Microsoft Windows Server 2003 Terminal Server, it reverts to Multimonitor 1.0 and the Terminal Server reverts to 8-bit color. Since resolutions can vary by screen, a started application in non-maximized, normal Window mode can open into a nonviewable area of the screen. If you are using applications where you cannot maximize or resize the window, or you plan to use mixed resolution, it is recommended that your monitors be the same resolution. A top bottom multimonitor configuration may present an aesthetic defect in the presentation if you are using Multimonitor 1.0 and not the enhanced Multimonitor 2.0. Multimonitor is supported on Microsoft Windows 7 and Microsoft Windows Server 2008 R2 if you are using the RDC 7 client or RDC 6 client with GA enabled on the client. Microsoft RDC 5 is not supported for Microsoft Windows 7 and Microsoft Windows Server 2008 R2. 322 Managing the Virtual Workspace Multiple monitor support is setup for the AppPortal client from the Display window by selecting the option Span multiple monitors when in full screen mode. See Display Settings for more information. The taskbar may, intermittently, span both monitors, if you are using Multimonitor 1.0. Multiple monitor support is setup for the Web Access client by selecting the Span multiple monitors when in full screen mode option from the Display Settings window. See Web Access for more information. You also need to select the Quest vWorkspace Remote Desktop Connection Display tab option Span multiple monitors when in full screen mode. To access this setting, use the following path: Start | All Programs | Quest Software| vWorkspace | Remote Desktop Connection 323 vWorkspace Administration Guide Manage AppPortal Connections AppPortal connections can be created manually by using the following options on the Farm Connection window. There are two types of AppPortal connections, vWorkspace Connection Broker and Microsoft Remote Desktop Connection Broker. The properties on the windows may vary based on the type of connection that is selected. The connection properties for the AppPortal connections are found in the following tabs on the Farm Connections window: 324 • Farm Type • Connectivity Settings • Firewall/Proxy Traversal (vWorkspace CB type only) • RD Gateway (RD Connection Broker type only) • Credentials Settings • Display Settings • Local Resources Settings • Experience Settings • Password Management Settings • Desktop Integration Settings • Auto-Launch Settings Managing the Virtual Workspace Farm Type FARM TYPE SETTINGS FIELD DESCRIPTION vWorkspace Connection Broker Select this option to connect to a vWorkspace Connection Broker. Microsoft Remote Desktop Connection Broker Select this option to connect to a Microsoft Remote Desktop Connection Broker. 325 vWorkspace Administration Guide Connectivity Settings CONNECTIVITY SETTINGS FIELD Location DESCRIPTION Three separate connection locations are available from the list. Use Rename to specify the location name, such as Office or Home. Test Connection Use to test the connectivity settings for a location. PROPERTIES FOR LOCATION These settings are used to communicate with the Connection Broker, and are configured separately for each Location. Protocol Use either HTTP or HTTPS. TCP Port Use to specify the port in which the Connection Broker listens on for inbound connection requests. 326 Managing the Virtual Workspace CONNECTIVITY SETTINGS FIELD Connection Brokers DESCRIPTION Use Add to enter the host name, FQDN or IP address for a Connection Broker. Use the arrow buttons to change the order in which the connections are attempted. Remote desktop connection broker server name or URL: Enter the RD Connection Broker server name or URL. Firewall/Proxy Traversal (vWorkspace CB type only) FIREWALL/PROXY TRAVERSAL SETTINGS FIELD DESCRIPTION CONNECTION OPTIONS FOR LOCATION These settings are used to specify secure network communications. 327 vWorkspace Administration Guide FIREWALL/PROXY TRAVERSAL SETTINGS FIELD DESCRIPTION Enable NAT Support for Firewall Traversal Use this when vWorkspace enabled Session Hosts are located behind a firewall that is using Network Address Translation and Alternative Addressing. Enable RDP over SSL/TLS Use SSL/TLS encryption of RDP session traffic is used. SSL Gateway Server Use this to enter the FQDN or IP address of the Quest vWorkspace Secure Gateway server. This option is only available when Enable RDP over SSL/TLS is selected. PROXY SERVER FOR LOCATION These settings are used when the vWorkspace client device is located behind a NAT enabled firewall and Socks Proxy Servers are used to gain access to the outside network. Use the default from the system internet settings Use if the proxy settings are the same as those used by Internet Explorer. Do not use a proxy server Use if you do not want to set a proxy server. Enter an address manually Use to indicate the address as entered. The address must be entered in the following format: proxy_serve_rname:port proxy_serve_rname = host name, FQDN, or IP address of the Socks Proxy Server. port = TCP port number the Socks Proxy Server is listening on. Do not use proxy server for addresses beginning with: 328 Use to list proxy server exclusions. Use semicolons (;) to separate the entries. Managing the Virtual Workspace RD Gateway (RD Connection Broker type only) RD GATEWAY SETTINGS FIELD DESCRIPTION CONNECTION SETTINGS These settings are used to specify secure network communications. Automatically detect RD Gateway server settings Select if you want RD Gateway server settings automatically detected. Use these RD Gateway server settings Select if you want to use the entered Server name and Logon method as the RD Gateway server settings. Do not use an RD Gateway server Select if you do not want to use an RD Gateway server. 329 vWorkspace Administration Guide Credentials Settings CREDENTIALS SETTINGS FIELD Use Cached credentials DESCRIPTION Uses credentials from the Windows credentials cache on the client device. To use this option, Enable Credentials Pass-Through (Settings | Authentication) must be enabled. User Kerberos credentials Uses the Kerberos authentication protocols. To use this option, the client device must be a member of Microsoft Windows Active Directory domain and the user must log onto the device using their domain user account and password. 330 Managing the Virtual Workspace CREDENTIALS SETTINGS FIELD Use the following credentials DESCRIPTION Uses the NT LAN Manager authentication protocols. The Username, Password, and Domain information is entered, and the user is not prompted for this information during a connection attempt. The Save credentials (encrypted) option allows the AppPortal to read the cached credentials from disk, and does not prompt users for them. This option is only available if the Use the following credentials option is selected. Display Settings DISPLAY SETTINGS FIELD DESCRIPTION Display Configuration Sets the remote session window size during a non-seamless window connection. 331 vWorkspace Administration Guide DISPLAY SETTINGS FIELD DESCRIPTION Colors Sets the remote session color depth during a non-seamless window connection. Display the connection bar when in full screen mode Displays a connection bar when the session is in full screen mode. Pin Connection Bar option disables the connection bar auto-hide feature. Span multiple monitors when in full screen mode Sets the add-on feature to enable multiple monitor display. Enable Smart Sizing Smart Sizing is functional when connecting to a managed computer. The session screen size and color depth are automatically adjusted to settings in the guest operating system. Smart sizing resizes the desktop, rather than creating scroll bars. Display remote applications seamlessly on local desktop Enables the remote application window size and color depth to be dynamically adjusted to match those of the client device, allowing the remote application to have the same look and feel as if it were installed on the client device. This setting also enables session sharing, which allows multiple remote applications to run through a single session, given those applications are installed on the same Session Host or Managed Computer. 332 Managing the Virtual Workspace Local Resources Settings LOCAL RESOURCES SETTINGS FIELD Remote audio DESCRIPTION Bring to Local Computer — runs sound files in your Remote Desktop session and plays them on your local computer. Leave at Remote Computer — runs sound files in your remote desktop session and plays them only on the remote computer. Don’t play — disables all sounds in remote desktop sessions. 333 vWorkspace Administration Guide LOCAL RESOURCES SETTINGS FIELD Keyboard DESCRIPTION These options apply to Windows shortcut key combinations, such as Alt+Tab. On the local computer — configures your connection so that Windows shortcut keys always apply to your local desktop. On the remote computer — configures your connection so that Windows shortcut keys always apply to the desktop of the remote computer. In full screen mode only — configures your connection so that Windows shortcut keys apply to the remote computer only when the connection is in full screen mode. LOCAL DEVICES These settings determine which client side devices are available to the remote applications or desktops. Disk drives Local disk drives. Serial ports Local serial ports. Printers Local printers. Standard Window print drives are used for printing, so the appropriate drivers need to be installed on both the client devices and the remote computer. Smart cards Smart card connections for authentication. USB Devices Devices that are attached to a USB port on a client device can synchronize with applications running in a remote session. Universal Printers Remote printing using a single print driver. Clipboard Enables redirection of copy and paste functionality. Microphone Enables support for applications that require the use of a microphone. This option is part of the Experience Optimization Package. See EOP Audio for more information. 334 Managing the Virtual Workspace Experience Settings EXPERIENCE SETTINGS FIELD Choose your connection speed to optimize performance DESCRIPTION The options are: • Modem (28.8 Kbps) • Modem (56 Kbps) • Low-Speed broadband (256 Kbps - 2 Mbps) • Satellite (2 Mbps - 16 Mbps with high latency) • High-Speed broadband (2 Mbps - 10 Mbps) • WAN (10 Mbps or higher with high latency) • LAN (10 Mbps or higher) 335 vWorkspace Administration Guide EXPERIENCE SETTINGS FIELD Allow the following: DESCRIPTION These options are used to create a custom setting: • Desktop background • Font Smoothing • Desktop Composition • Visual Styles • Show contents of window while dragging • Menu and window animation • Persistent Bitmap caching Note: If Desktop Composition (Windows Aero) is enabled, Graphics Acceleration is disabled. Note: Bitmap caching can assist in reducing bandwidth requirements. The other features require additional bandwidth. Experience Optimized Protocol (EOP) These options are used to automatically enable optimizations when logged on to the remote computer: • Graphics Acceleration • Local Text Echo • Media Player Redirection • Flash Redirection • WAN Acceleration (EOP Xtream) Reconnect if connection is dropped 336 This option allows for automatic reconnection if connection is dropped. Managing the Virtual Workspace Password Management Settings PASSWORD MANAGEMENT SETTINGS FIELD DESCRIPTION Server Name or IP Address The FQDN of the Quest vWorkspace Password Management Server. Port The TCP port to which the Quest vWorkspace Password Management Server has been configured. This is usually 443. 337 vWorkspace Administration Guide Desktop Integration Settings DESKTOP INTEGRATION SETTINGS FIELD Allow Client Shortcuts on: DESCRIPTION This option controls where the placement of shortcut icons occurs when the AppPortal is started in Desktop Integration mode: • Desktop • Start Menu • Start Menu \ Programs Note: The placement of shortcuts when either Start Menu or Start Menu \ Programs are selected depends on whether Windows is using the Standard or Classic start menu. 338 Managing the Virtual Workspace Auto-Launch Settings AUTO-LAUNCH SETTINGS FIELD Auto-Launch Application DESCRIPTION This option is used to specify applications that are to be launched automatically when AppPortal is started. This option is for AppPortal in desktop integrated mode, or if a farm is connected to automatically at startup. Note: Only the first application found is automatically launched. 339 vWorkspace Administration Guide AppPortal in Desktop Integrated Mode AppPortal also has an option to be started in Desktop Integrated Mode where the user interface shell is suppressed. Instead, AppPortal runs from the Windows system tray area. Applications icon shortcuts are placed on the user’s Desktop, Start Menu, or All Programs menu, depending on your settings. On a Windows XP computer, the placement of shortcuts depends on whether Windows is using the Start menu or Classic Start menu. How to ... Start the AppPortal in Desktop Integrated Mode 1. Use one of the following options: Start | All Programs |Quest Software| vWorkspace | AppPortal (Desktop-Integrated) – OR – Start | Run and then type C:\Program Files\ Quest Software\vWorkspace\pnap32.exe/di The AppPortal is an icon on the Windows toolbar status area. AppPortal Actions Menu Options The AppPortal Actions menu on the toolbar contains the following commands: 340 • Manage Connections • Change Current Location • Logon as a Different User • Change Password • Refresh Application Set • Close Managing the Virtual Workspace ACTIONS MENU OPTION DESCRIPTION Manage Connections Select to start the Farm Connections window to create new or modify existing infrastructure connections. Change Current Location Select when a connection to the currently selected farm needs to be made using different location settings. Logon as a Different User Select when the user wants to log into the selected farm using a different set of credentials. Change Password Select to submit a password change request to the Quest vWorkspace Password Management Server. Refresh Application Set Select to have the AppPortal update the list of applications in the user’s application set. Close Select to exit AppPortal. This option does not close any sessions the user might have to a Session Host or a managed computer. 341 vWorkspace Administration Guide AppPortal Settings Menu Options The Settings menu option located in the toolbar of the AppPortal provides users with access to settings that control how application set icons are displayed and how authentication to the infrastructure is performed. SETTINGS MENU OPTION DESCRIPTION Menu Bar If selected, the Menu Bar displays links to the Action, Settings, and Help menus. Tool Bar If selected, the Tool Bar displays icons of actions. Find Bar If selected, the Find Bar displays to search for applications. Status Bar If selected, the Status Bar displays the connection status. Always on Top If selected, the AppPortal window is always placed in front of other application windows. Hide When Minimized If selected, the AppPortal window moves to the Windows Notification area when minimized. If not selected, a minimized AppPortal window is placed in the Windows taskbar. Personalize... If selected, displays the Personalization dialogue window to configure the window style, colors and fonts, which can be saved as Themes. PNTray The vWorkspace system tray applet (PNTray) is available when the AppPortal is started, or when a connection to a managed computer or a managed computer application is active. The PNTray is displayed in the Windows system tray as the vWorkspace context menu. The commands that are available depend on the AppPortal mode and if there is an active connection. 342 Managing the Virtual Workspace • Manage Connections • Open Session Status Use this option to view the sessions that are active on Session Hosts, and the applications that are running in each session. Session Host sessions, when selected, can then be changed using the buttons of Disconnect, Logoff, and Full Screen. Applications can be terminated by using Terminate, without logging off from the session. • Change Current Location • Logon as Different User • Change Password • Authentication • Enable Credentials Pass-Through • Refresh Application Set • Restore AppPortal Client • Close AppPortal Client The following options are available from the Universal Printer section of the PNTray, when the AppPortal is in normal mode: • PDF Publisher Options • Save PDF File • E-mail PDF File • Preview before printing • Apply Additional Printer Properties • • Native printer options, such as finishing and stapling are presented when this option is selected. Client Properties The following options are available if the AppPortal is in Desktop Integrated Mode. These options replace the Action and Settings AppPortal menu options. See Manage AppPortal Connections for more information on the AppPortal menu options. 343 vWorkspace Administration Guide FARM CONNECTIONS OPTION DESCRIPTION Farm The display name of the farm. Status The connection status. Location The name of the location settings used to make the connection. User The user name that is logged in. Shortcuts Exist? If Yes, application set icon shortcuts have been configured. If No, application set icon shortcuts have not been configured. Connect/Refresh Shortcuts Connects to or refreshes a selected farm. Disconnect/Remove Shortcuts Disconnects and removes application set icon shortcuts from the client’s Desktop, Start Menu, or Start Menu \ Programs. Logon as a Different User Allows the user to log on to a selected farm using a different set of credentials. 344 Managing the Virtual Workspace FARM CONNECTIONS OPTION DESCRIPTION Change Current Location Allows the user to connect to the selected farm using different location settings. Change Password Allows the user to submit a password change request using the Quest vWorkspace Password Management Server. View Existing Shortcuts Presents users with a display listing the name and location of their application set icon shortcuts. vWorkspace U3 AppPortal Connector The vWorkspace U3 AppPortal does not require an installation and can be used without registering any files or registry entries for configuration settings. It is an AppPortal client that be used on any Microsoft Windows computer. It functions and appears to the end users the same as the installed version of the AppPortal client. U3 AppPortal Client Modes The U3 version of the AppPortal client provides administrators with several batch files that can execute the AppPortal in several different modes. The following is a list of available modes: • usb — Used in conjunction with a a USB device. • lock — User settings are not accessible to the end user. • di — AppPortal is present in desktop integrated mode. • autodelete — All farms are removed and shortcuts are deleted when AppPortal is closed. Combinations of these modes are available for use, that is, you could use diusblockmode to have AppPortal presented in desktop integrated mode from a USB device with user settings inaccessible to end users. Use the U3 AppPortal The U3 AppPortal client functions are the same as the installed AppPortal. See AppPortal Actions Menu Options, AppPortal Settings Menu Options, PNTray, and Manage AppPortal Connections for more information. 345 vWorkspace Administration Guide Central Configuration of AppPortal The config.xml file controls connection policies on the AppPortal. If you choose to configure this file, there are a few items that need to be considered. A template file is located in the following folder on your Connection Broker Server: \Program Files\Quest Software\vWorkspace\Provision-IT. It is also located on your Web Access server at: \Inetpub\wwwroot\Provision\Web-IT. One of the following methods need to be completed for autoconfiguration of the file. Method One 1. Create a DNS Entry (A record or CNAME) and assign the name provision or optionally, vworkspace, which is actually a Web Server located on your network. 2. Place the configured config.xml file in the root of the Web Server: IIS: \Inetpub\wwwroot Apache: edit the 000-default file and look for DocumentRoot (found in /etc/apache2). Method Two 1. Create a login script or push out a Registry Setting to your client computers. The registry setting is: HKLM\Software\Provision Networks\Provision-IT Client Value: AutoConnectURL Type: REG_SZ Data: http://www.domain.com 346 Managing the Virtual Workspace 2. If you have multiple config.xml files for multiple farms, use the following registry key: HKLM\Software\Provision Networks\Provision-IT Client Value: AutoConnectURL Type: REG_MULTI_SZ Data: (One Per Line) http://www.domain1.com/config.xml http://www.domain1.com/provconf/myconfig.xml https://ssl.domain.com/config.xml 3. Install the Quest vWorkspace Client. 4. Start the client. The following table lists the config.xml file settings, a description of some of the settings, and associated values. CONFIG.XML FILE SETTING VALUES DESCRIPTION FarmName Default = New Farm Connection Farm Name can be anything, but once connected, it takes the name of the actual farm set in the vWorkspace Management Console. OverrideFarmName 0=Off Use this setting to override the way in which the Farm Name is presented to users in AppPortal. 1=On Default = 0 PromptForLocation Integer 0= Off 1= On Default = 1 Tells the vWorkspace Client to prompt for a location, such as Office or Home. This is specified in the Locations section of the config.xml file. See Location Section of Config.xml. 347 vWorkspace Administration Guide CONFIG.XML FILE SETTING VALUES DESCRIPTION DefaultLocation 1|2|3 Three different locations for a farm connection are supported. The one selected in this setting is the default location. Default =1 (if PromptForLocation is 0) SeamlessMode 0 = Off 1 = On Default = 1 DesktopWidth 640 to 4096 Default = 800 DesktopHeight 480 to 2048 Default = 600 FullScreen Custom width for connections. Does not apply if SeamlessMode is set to 1 (on). Custom height for connections. Does not apply if SeamlessMode is set to 1 (on). 0 = Not enabled 1 = Enabled Default = 0 SpanMonitors 0 = Not enabled 1 = Enabled Default = 0 ColorDepth 8 to 32 Default = 8 AudioMode 0 = Sound on local computer. 1 = Do not play sound. 2 = Sound on remote computer. Default = 0 348 Set the default color quality of the desktop connection/Provision applications. Managing the Virtual Workspace CONFIG.XML FILE SETTING VALUES KeyboardHook 0 = On local computer. DESCRIPTION 1 = On remote computer. 2 = Full screen mode only. Default = 0 RedirectDrives 0 = Do not redirect local drives. 1 = Redirect local drives. Default = 0 RedirectPrinters 0 = Do not redirect local printers. (This is not Universal Printers.) 1 = Redirect local printers. Default = 0 RedirectComPorts 0 = Do not redirect local COM ports. 1 = Redirect local COM ports. Default = 0 RedirectSmartCards 0 = Do not redirect SmartCards. 1 = Redirect SmartCards. Default = 0 RedirectHandhelds 0 = Do not redirect local handheld devices. 1 = Redirect local handheld devices. Applies to the USB-IT feature in Remote Desktop Services and the USB Redirection support for desktop connections. Default = 0 349 vWorkspace Administration Guide CONFIG.XML FILE SETTING VALUES RedirectUniversalPrinters 0 = Do not redirect local Universal Printers. 1 = Redirect local Universal Printers. Default = 0 RedirectMicroPhone 0 = Do not redirect the microphone. 1 = Redirect the microphone. Default = 0 RedirectClipBoard 0 = Do not redirect the Clipboard. 1 = Redirect the Clipboard. Default = 0 EnableWallpaper 0 = Do not enable local wallpaper. 1 = Enable local wallpaper. Default = 0 EnableFullWindowDrag 0 = Do not enable windows content while dragging. 1 = Enable windows content while dragging. Default = 0 EnableAnimation 0 = Do not enable animations. 1 = Enable animations. Default = 0 350 DESCRIPTION Managing the Virtual Workspace CONFIG.XML FILE SETTING VALUES EnableThemes 0 = Do not enable themes. DESCRIPTION 1 = Enable themes. Default = 0 EnableBitmapCaching 0 = Do not enable Bitmap caching. 1 = Enable Bitmap caching. Default = 0 EnableDesktopComposition 0 = Do not enable Desktop composition. If Desktop Composition is enabled, Graphics Acceleration is disabled. 1 = Enable Desktop composition. Default = 0 EnableFontSmoothing 0 = Do not enable Font smoothing. 1 = Enable Font smoothing. Default = 0 HideSettings 0 = Do not hide the Provision Connection policies. 1 = Hide the Provision Connection policies. Used to control whether users can see the settings for their vWorkspace Client. Default = 0 EnableSSO 0 = Do not enable SSO. 1 = Enable SSO. Used for cached credentials, not Kerberos authentication. Default = 0 351 vWorkspace Administration Guide CONFIG.XML FILE SETTING VALUES DESCRIPTION EnableKerberos 0 = Do not enable Kerberos ticket authentication. Setting takes precedence over EnableSSO. 1 = Enable Kerberos ticket authentication. Default = 0 KerberosMode 0 = All authentication. Used with EnableKerberos. 1 = Initial authentication only (logon). Default = 0 DisallowSaveCredentials 0 = Allow clients to save their credentials within the vWorkspace Client. 1 = Do not allow clients to save their credentials within the vWorkspace Client. Default = 0 PasswordManagement Server String Fully qualified domain name or SSL certificate name of the Password Management Server. Do not include https or port numbers. For example: pwdmgr.domain.com PasswordManagement Port 1 to 65535 Default = 443 AllowPassword Management 0 = Do not use Password Management Server. 1 = Use Password Management Server. Default = 0 352 Port to use for Password Management Server. Password Management Server must be setup and functional on a member server of the domain. Managing the Virtual Workspace CONFIG.XML FILE SETTING VALUES DIShortcutLocations 1 = Desktop DESCRIPTION 2 = StartMenu 4 = Start Menu\Programs EnableSmartSizing 0 = Do not use smart sizing on desktop connections. 1 = Use smart sizing on desktop connections. Default = 0 AutoReconnect 0 = Do not auto reconnect to a session if disconnected or dropped. 1 = Auto reconnect to a session if it is disconnected or dropped. Default = 0 DisplayConnectionBar 0 = Do not display the connection bar when using full screen. 1 = Display the connection bar when using full screen. Default = 0 PinConnectionBar 0 = Do not pin the connection bar. 1 = Pin the connection bar. Default = 0 EnableLocalTextEcho 0=Disable 1=Enable Default = 0 353 vWorkspace Administration Guide CONFIG.XML FILE SETTING VALUES EnableGraphicsAcceleration 0=Disable DESCRIPTION 1=Enable Default = 0 EnableMultimediaRedirection 0=Disable 1=Enable Default = 0 EnableFlashRedirection 0=Disable 1=Enable Default = 0 AutoLaunchAppN AppName, N = 1 to 10 A total of 10 autolaunched applications are available, but the data is the name of the managed application within the vWorkspace Management Console, Resources | Managed Applications. Note: The vWorkspace Client only starts the first application found; it does not start multiple applications. FarmType 0=vWorkspace 1=RDBroker Default=0 EnableWANAcceleration 0=No 1=Yes Default=0 354 Managing the Virtual Workspace CONFIG.XML FILE SETTING VALUES NetworkConnectionType 0=Modem28 DESCRIPTION 1=Modem56 2=Low speed broadband 3=Satellite 4=High speed broadband 5=WAN 6=LAN Default=4 RDGatewayMode Auto Specify None Default=Auto RDGatewayServer <Server name or IP address> RDGatewayLogonMethod Any Password Smartcard Default=Any RDGatewayBypass 0=No 1=Yes Default=1 355 vWorkspace Administration Guide Location Section of Config.xml CONFIG.XML LOCATION SECTION VALUES DESCRIPTION Number 1 Use to identify the location you created. 2 3 TCPPort 1 to 65535 Default = 1 ServerList For example: broker1.domain.com,xxx. xxx.xxx.xxx, pnbroker TCP port of the Connection Broker. Comma separated string of Connection Broker severs, FQDN, IP, NetBIOS name. Name String Name of the connection, such as Internal, External, Secure. Protocol 0 = http Use 1 if using Secure Gateway. If only using this for internal connections, you can use 0. 1 = https RDPonSSL 0 = No RDP over SSL 1 = Use RDP over SSL (Protocol must be set to 1 and SSLGateway set). RDP over SSL Secure Gateway connection. Default = 0 SSLGateway String For example: broker1.domain.com, pnbroker 356 Secure Gateway server listed as FQDN or NetBIOS name, depending on SSL Certificate name. Managing the Virtual Workspace CONFIG.XML LOCATION SECTION EnableNAT VALUES DESCRIPTION 0 = Do not enable NAT translation for firewall connections. Only for Session Hosts. An alternative IP address must be set in the vWorkspace Management Console for each Session Host. 1 = Enable NAT translation for firewall connections Default = 0 To set an alternative IP address, use the following path: Infrastructure | Servers | Terminal Servers Right-click on the Session Host and select Properties. Select the Connectivity tab, IP Address. ProxyServer String IP: port of proxy server to use for connections. ProxyServerBypassList String Refer to Microsoft documentation for proxy exceptions. Resources Administrators can use the vWorkspace Management Console to view user sessions, Session Host sessions, and processes running on the Session Hosts in the vWorkspace infrastructure to assist with troubleshooting. Administrators can also access vWorkspace user options located in the Resources node of the vWorkspace Management Console. The following options are available in a RD Session Host or VDI environment, and include: • Additional Customizations • Application Restrictions (RD Session Host only) • Connection Policies • Color Schemes • Drive Mappings • Environment Variables • Host Restrictions (RD Session Host only) 357 vWorkspace Administration Guide • Registry Tasks • Scripts • Time Zones • User Policies • Wallpapers Additional Customizations The Additional Customizations node gives administrators control over the configuration of the Windows Desktop and Start Menu, visibility of drive letters, and existing network drive and printer mappings. Default Customizations are a set of customizations configured with settings commonly used in Session Host and VDI environments, which can be assigned to vWorkspace clients. Default Customizations cannot be modified, but they can be duplicated and used to create new customized settings. How to ... Create New Additional Customization Settings 358 1. Open the vWorkspace Management Console. 2. Expand Resources, and then select Additional Customizations. 3. If necessary, click on the Toggle Client Assignment List Display button to change the display view, as appropriate. 4. Do one of the following: • Activate New (green plus sign) from the toolbar of the information pane. • Right-click on the Additional Customizations node to activate it. • Select Actions | New Additional Customizations. 5. Click Next on the Welcome window of the new Additional Customizations wizard. 6. Enter a name for the customization on the Name window, then click Next. Managing the Virtual Workspace 7. Select the appropriate settings on the Desktop/Start Menu Items window, and then click Next. 8. Specify the drive letters that should not be visible to users on the Drive Restrictions window, and then click Next. 359 vWorkspace Administration Guide 9. Select Delete pre-existing Network Drive Mappings and Delete pre-existing Network Printer Connections on the Network Resource Cleanup window, as appropriate, and then click Next. 10. Complete the Client Assignment window to assign the application restriction, and then click Next. a) Click the plus (+) sign to select targets, and the Select Targets window opens. b) On the Select Targets window, use the green plus (+) sign to add targets that are not included in the Select Targets window. c) Select users from the list. Use CTRL to select more than one user to assign. d) Click OK to close the window and save your assignments. 11. Specify permissions, if appropriate, on the Permissions window, and then click Finish. 360 Managing the Virtual Workspace Application Restrictions vWorkspace Application Restrictions (Block-IT) is an access control system that allows administrators to increase the overall security, reliability, and integrity of their Session Host environments. Some of the advantages include: • Guard against application spoofing. • Fight against virus infections. • Prevent users from executing unauthorized programs. • Grant access to applications by time and day. • Lock down the Session Host. The Application Restrictions feature is not currently supported in a VDI environment. How Application Restrictions Work With AAC, a list of program executables and program modules (dynamic link libraries) are organized into an Application List, enabling administrators to grant or deny access to entire software suites, not just individual executables. The Application List is then associated with a group of Session Hosts, known as an Application Access Control Server group. Additional settings such as application termination, hash checking, and full path checking can also be configured for the Application List. The Application List can then be assigned to one or more vWorkspace clients. Hash Checking For each individual executable or module in the Application List, a unique binary hash is computed and stored in the vWorkspace database. A binary hash is like a fingerprint; it is used to verify the authenticity of a program executable at start time. Enabling hash checking prevents users from renaming the files associated with a restricted program. Hash checking can be disabled for a particular Application List. Disabling hash checking is often practical for a systemwide application update. For example, if an update to an application is being installed to one RD Session Host at a time, hash checking can be temporarily disabled until the update has been installed to all the servers and the application version has been made consistent across the entire farm. Once new hashes are computed for the updated program executables, then hash checking can be reenabled. 361 vWorkspace Administration Guide Path Checking Path checking restricts users from copying files to a new location. Path checking can be disabled for various purposes. For example, if the same application is installed to different target folders on different RD Session Host, full path checking may fail depending on which RD Session Host the user logs on to. However, this particular scenario can be mitigated by maintaining multiple file groups for the same application, where each file group is associated with a particular target folder. Termination You can choose to automatically terminate applications if they are still running outside of the access hours, even if they were started during an allowed time slot. Application Restriction Properties To define these settings, select the Application Restrictions under the Resources node in the vWorkspace Management Console, and then do one of the following: 362 • Right-click and select App restrictions global properties. • Click on the Properties icon on the toolbar. • Select Actions | App restrictions global properties. Managing the Virtual Workspace Application Restrictions General Properties Use Application Restriction properties to configure infrastructure settings and defaults for application restrictions. The settings are explained below. APPLICATION RESTRICTION GENERAL PROPERTIES DESCRIPTION Application restrictions update interval (minutes) This property determines the intervals at which vWorkspace checks for possible changes to application restrictions. Block access to apps excluded from all application lists, as well as apps included in multiple client-assigned application lists having conflicting access settings. If selected, this property allows access only to those applications and desktops that are published on Session Hosts, – OR – have been defined on the Application List with a permission of Allow. Note: If an application is listed twice with different permissions (allow and deny), users are denied access to the application. 363 vWorkspace Administration Guide APPLICATION RESTRICTION GENERAL PROPERTIES Deny Message Default assignments DESCRIPTION This property allows administrators to edit the message that appears when a user is denied access to a program. This property allows administrators to configure the default assignment when creating new Application List entries. The options are Allow or Deny. Hash settings This property determines the default setting for hash checking when creating new Application List entries. The options are Unconfigured, Use Hash, or Ignore Hash. Path settings This property determines the default setting for path checking when creating new Application List entries. The options are Unconfigured, Use Full Path, or Ignore Full Path. 364 Managing the Virtual Workspace Application Restrictions Server Groups Application Restrictions Server Groups define a group of one or more Session Hosts in the vWorkspace infrastructure to which Application Restrictions are applied. APPLICATION RESTRICTIONS SERVER GROUPS PROPERTIES DESCRIPTION New This button adds a new group name to the list of groups. Delete This button removes a group of servers. Group The names of the defined server groups are listed. To edit, select the group name, and then click the ellipsis. Servers in Group The names of the Session Hosts that are members of the group are displayed. To edit, select the group of servers, and then click the ellipsis. 365 vWorkspace Administration Guide Properties of an Application Restriction List Each Application Restriction entry is displayed in the vWorkspace Management Console in the details window pane of the Application Restrictions node. To create a new Application Restriction entry, do one of the following: • Select New (green plus sign) from the toolbar of the information pane. • Right-click on the Application Restriction, and then select New Application Restriction. • Select Actions | New Application Restriction. To edit the properties of an existing entry, double-click on its name in the list of Application Restrictions, or select Properties from the context menu. The following properties are available. 366 Managing the Virtual Workspace APPLICATION RESTRICTIONS LIST PROPERTIES DESCRIPTION General Name This field is the user friendly name for the application. Description This field is used to provide descriptive details about the application restriction being created. This field is optional. Category This field is used to group multiple applications into a single category. For example, if an accounts payable, accounts receivable, and payroll applications are written as separate programs, they can be grouped into a category of Accounting. Server Group Server Group This field is for the Application Access Control Server Group to which the Application Restriction is assigned. Options Automatically terminate application(s) if still running outside access hours This checkbox, if selected, terminates applications that are running outside of the access hours. Ignore Hashes This checkbox, if selected, disables using use hash checking. See Termination for more information. See Hash Checking for more information. Ignore Full Paths This checkbox, if selected, disables using full path checking. See Path Checking for more information. Applications Show Full Paths This checkbox, if selected, displays complete paths to the listed files. Add File This button adds files to the list. Add Folder This button adds all files contained in the folder. 367 vWorkspace Administration Guide APPLICATION RESTRICTIONS LIST PROPERTIES Remove DESCRIPTION This button removes files that are selected from the listed files. Client Assignments Add (+) This button adds targets that can then be assigned to this application restriction. Permissions Users/Groups Specify permissions for this application restriction list. Assign an Application List to Clients Each Application List entry has a Client Assignment that determines which vWorkspace targets are assigned to the Application List. To define targets for a new Application List entry, use one of the following methods. • Define targets in the Client Assignment section of the New Application List wizard. • Modify the targets of an existing Application List entry in the Client Assignment section of the Properties window for the Application List entry. • Modify Client Assignments directly from the information pane. • Modify Client Assignments directly from the Client Assignments list displayed for each application, in the information pane. How to ... 368 • Assign Clients to the Client List • Unassign Clients from the Client List • View Client Properties • Schedule Access Hours Managing the Virtual Workspace Assign Clients to the Client List 1. Click the + (Assign to) from the toolbar of the Application Restrictions information window pane. 2. Select from the list of available clients on the Select Clients window. Use Ctrl or Shift to make multiple selections. Use the + (plus sign) to add clients that are not in the list. Unassign Clients from the Client List 1. Do one of the following: • Select clients in the list on the Client Assignments window, or Client assignments list in the information pane, and then click the - from the toolbar. • Click on the blue - icon on the toolbar of the information pane for Applications Restrictions, and then select from the list of available clients on the Select Clients window. Use Ctrl or Shift to make multiple selections. View Client Properties 1. Click on Properties to view details about the selected client. Schedule Access Hours 1. Click on the Schedule icon to edit Application List access. A separate schedule can be defined for each client in the list. Schedule options include: Allow All Select this option to allow unlimited access to the Application List Deny All Select this option to deny unlimited access to the Application List. Edit Schedule Select this option to specify the exact hours of the days and the days of the week to allow access to the applications in the Application List. 369 vWorkspace Administration Guide Connection Policies Connection policies are used to define automatic device connection and optimizations when users log on to a remote computer. Connection policies can be configured, and assignments and permissions defined. Connection policies are set to Undefined by default. To set Connection policies, open the Connection Policy Wizard one of the following ways: • Expand the Resources node and highlight the Connection Policies node, and then select Actions | New Connection Policy from the toolbar or the information pane. • Expand the Resources node and right-click on Connection Policies, and then select New Connection Policy. • Expand the Resources node and highlight the Connection Policies node, and then select Actions | New Connection Policy from the toolbar. The following options can be defined: CONNECTION POLICY PROPERTY Name Remote Computer Sound OPTIONS This name is used for organizational purposes and is displayed on the vWorkspace Management Console. • Undefined • Bring to Local Computer • Do Not Play • Defer Setting to End User 370 Managing the Virtual Workspace CONNECTION POLICY PROPERTY OPTIONS Local Devices Disk Drives • Undefined Printers • Yes USB Devices • No • Defer to End User Serial Ports Smart Cards Universal Printers Clipboard Microphone Experience Optimizations Graphics Acceleration • Undefined Local Text Echo • Yes Media Player Redirection • No Flash Redirection • Defer to End User WAN Acceleration (EOP Xtream) Client Assignments • Specify the targets to which the connection policy should be assigned. Permissions • Specify permissions for the connection policy. How to ... Define New Connection Policy Properties 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and do one of the following to open the Connection Policy Wizard window: • Highlight Connection Policies and then click New (green + sign) on the toolbar of the information pane. • Highlight Connection Policies and then click the green plus sign from the toolbar. • Right-click on Connection Policies and then select New Connection Policy. • Highlight Connection Policies, and then select Actions | New Connection Policy. 371 vWorkspace Administration Guide 372 3. Click Next on the Welcome window of the Connection Policy Wizard. 4. Enter a name for the connection property on the Name window, and then click Next. This is the name that appears on the vWorkspace Management Console. 5. Define the settings on the Remote Computer Sound window, and then click Next. 6. Define the local device settings, and then click Next. Managing the Virtual Workspace 7. Specify the performance optimizations settings on the Experience Optimizations window, and then click Next. 373 vWorkspace Administration Guide 8. Assign targets to this connection property on the Client Assignments window by doing the following: a) To add targets, click on the blue plus sign. b) Select a target from the list, or click the green plus sign to add a target. c) Browse for the user on the Add Target(s) window, and then click OK. d) Select the added target or targets from the Select Targets window, and then click OK. 9. Click Next on the Client Assignments window. 10. Enter permissions, as appropriate, on the Permissions window, and then click Finish. 374 Managing the Virtual Workspace Color Schemes A color scheme can be assigned to vWorkspace clients by administrators. The color scheme is used when connecting to applications or desktops hosted from vWorkspace enabled Session Hosts and VDI computers. When assigning color schemes through the vWorkspace Management Console, a color scheme is not loaded for Microsoft Vista or later. How to ... Assign a Color Scheme 1. Open the vWorkspace Management Console. 2. Expand Resources, and then select Color Schemes. 3. Click on the Toggle Client Assignment List Display button to change the display view, as appropriate. 4. To select a color scheme, do one of the following: a) Right-click on the color, and then select Assign to. b) Click the Assign to icon (+) from the toolbar. Color schemes are listed in alphabetical order. 5. Add or remove clients in the Select Targets window. 6. Click OK. Drive Mappings Administrators can assign network drive mappings to vWorkspace clients to use when they are connecting to applications and desktops hosted from vWorkspace enabled Session Hosts and VDI computers. Assigning drive mappings through the vWorkspace Management Console has the following advantages: • Domain administrative rights are not required. • Knowledge of scripting languages or command line syntax is not required. • Drive mappings are only applied when connecting to vWorkspace enabled Session Hosts or desktops. • More flexibility in how mappings are assigned. 375 vWorkspace Administration Guide How to ... Create a New Drive Mapping 1. Open the vWorkspace Management Console. 2. Expand Resources. 3. Do one of the following: a) Select Drive Mappings, and then click on the + on the toolbar in the information pane. b) Right-click Drive Mappings, and select New Drive Mappings. 4. Click Next on the Welcome window of the New Drive Mapping wizard. 5. Select the values for this drive mapping on the Values window, and then click Next. The values associated with drive mappings are listed below: Command Type Use NET USE when creating a traditional network drive mapping. Use SUBST when a drive letter substitution is required. 376 Managing the Virtual Workspace Network Path The Universal Naming Convention (UNC) path to the shared network resource. Drive Letter The letter to be used for mapping. 6. Enter alternative credentials to be used when mapping this drive, if appropriate, and then click Next. 7. Complete the Client Assignment window to assign the application restriction, and then click Next. a) Click the plus (+) sign to select targets, and the Select Targets window opens. b) On the Select Targets window, use the green plus (+) sign to add targets that are not included in the Select Targets window. c) Select users from the list. Use CTRL to select more than one user to assign. d) Click OK to close the window and save your assignments. 8. Specify permissions, if appropriate, on the Permissions window, and then click Finish. Environment Variables Administrators can assign environment variables to vWorkspace clients when connecting to applications or desktops hosted from vWorkspace enabled Session Hosts or VDI computers. These environment variables are created automatically when the user logs on, and are cleared when the user logs off. How to ... Create a New Environment Variable 1. Open the vWorkspace Management Console. 2. Expand the Resources node. 3. Do one of the following: a) Select Environment Variables, and then click the + on the toolbar in the information pane. b) Right-click on Environment Variables, and select New Environment Variables. 4. Click Next on the Welcome window of the New Environment Variable wizard. 377 vWorkspace Administration Guide 5. Enter a name and value for the environment variable, and then click Next. 6. Complete the Client Assignment window to assign the application restriction, and then click Next. a) Click the plus (+) sign to select targets, and the Select Targets window opens. b) On the Select Targets window, use the green plus (+) sign to add targets that are not included in the Select Targets window. c) Select users from the list. Use CTRL to select more than one user to assign. d) Click OK to close the window and save your assignments. 7. Specify permissions, if appropriate, on the Permissions window, and then click Finish. Host Restrictions The Host Restrictions tool allows administrators to assign access control rules to restrict user access to IP based network hosts. Host Restrictions work at the network layer, intercepting requests from applications to connect to particular IP addresses on particular TCP ports. Host Restrictions allows or denies connections by parsing the access control rules table maintained in system memory. Host Restrictions rules apply only to those specified by the administrator; they do not apply to all program executables running on the Session Host. How to ... Create Host Restrictions 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then select Host Restrictions. 3. Select + on the toolbar in the information pane, or the context menu of the Host Restrictions node. 4. Click Next on the Welcome window of the Host Restrictions wizard. 5. Enter a name for this host restriction. Optionally, you can also enter a category. Click Next. 6. Specify the Host Type, and then click Next. If the restriction is by host name or FQDN, select Name as the Host Type. If the restriction is by IP address, select IP Address. 378 Managing the Virtual Workspace 7. Enter the host name or FQDN, or the target Host IP Address, and then click Next. 8. Enter the port or ports to be used on the Ports window, and then click Next. Separate multiple port numbers with commas, use a hyphen for a range of ports, and an asterisk (*) for all ports. 9. Complete the Client Assignment window to assign the application restriction, and then click Next. a) Click the plus (+) sign to select targets, and the Select Targets window opens. b) On the Select Targets window, use the green plus (+) sign to add targets that are not included in the Select Targets window. c) Select users from the list. Use CTRL to select more than one user to assign. d) Click OK to close the window and save your assignments. 10. Specify permissions, if appropriate, on the Permissions window, and then click Finish. Registry Tasks The Registry Tasks tool allows administrators to add, delete, or modify registry keys in the HKEY_CURRENT_USER registry hive without manually loading and editing each user’s ntuser.dat registry hive, or writing complex registry editing scripts for RD Session Host or VDI environments. The vWorkspace Management Console should be started from a Session Host when working with Registry Tasks. A non-Session Host computer may not have the registry keys and hives that need to be manipulated. How to ... Modify a Registry Tasks 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then select Registry Tasks. 3. Click the Toggle Client Assignment List Display icon on the information pane to change the view, as appropriate. 379 vWorkspace Administration Guide 4. Select + on the toolbar of the information pane, or New Registry Task from the context menu of the Registry Tasks node. 5. Click Next on the Welcome window of the Registry Task wizard. 6. Enter a name for the registry task on the Name window, and then click Next. 7. Select the appropriate Registry Action from the following options: • • • • Add Key Delete Key Add Value Delete Value 8. Enter the key or value parameters, or use Browse to find the appropriate parameters. 9. Do one of the following: a) If you are adding a key, enter the name in the Key field. b) If you are deleting a value, select it from the list, and then click OK. c) If you are adding a value, enter the corresponding parameters in the fields. d) If you are modifying an existing value, change the Value Name, Value Type, or Value fields as appropriate. e) Select the type of registry value from the Value Type field. 380 Managing the Virtual Workspace 10. Click Next. 11. Complete the Client Assignment window to assign the application restriction, and then click Next. a) Click the plus (+) sign to select targets, and the Select Targets window opens. b) On the Select Targets window, use the green plus (+) sign to add targets that are not included in the Select Targets window. c) Select users from the list. Use CTRL to select more than one user to assign. d) Click OK to close the window and save your assignments. 12. Specify permissions, if appropriate, on the Permissions window, and then click Finish. 381 vWorkspace Administration Guide Scripts Scripts are files that are used to automate repetitive tasks. They can be simple text files or more complex written in a specific programming language. vWorkspace administrators can easily assign scripts to vWorkspace clients using the Scripts option in the vWorkspace Management Console. Some advantages include: • Administrators do not need to have domain administrative rights. • Editing the registry on each Session Host is not necessary. • Modifying the usrlogon.cmd command script on each Session Host is not necessary. • Use any Windows executable to write the script, such as bat, cmd, or exe. • Increased flexibility and control over how the scripts are assigned. The following considerations should be used when working with scripts on vWorkspace enabled Session Hosts: • It is best to use a single method to start the script. Troubleshooting can be difficult if scripts are started using different methods. • The scripts used in the vWorkspace Management Console and scripts started using other methods should not interfere with each other. • The simplest form of a script should be used for the task. Do not write a complex script to carry out a task that can be accomplished using a command line script. The scripts do not execute in interactive mode, so Pause, Echo, and any other outputs are not displayed. How to ... Assign a Script 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then select Scripts. 3. Click the Toggle Client Assignment List Display icon on the information pane to change the view, as appropriate. 4. Do one of the following: a) Click the + on the toolbar of the information pane. b) Right-click on the Scripts node, and then select New Script. 382 Managing the Virtual Workspace 5. Click Next on the Welcome window of the Scripts wizard. 6. Type the complete path and file name in Script File on the Script File window, or use the ellipsis to browse to the script. Click Next. The script must be on a network share. If you are typing a path name, it would look like, \\servername\sharename\script.bat. 7. Complete the Client Assignment window to assign the application restriction, and then click Next. a) Click the plus (+) sign to select targets, and the Select Targets window opens. b) On the Select Targets window, use the green plus (+) sign to add targets that are not included in the Select Targets window. c) Select users from the list. Use CTRL to select more than one user to assign. d) Click OK to close the window and save your assignments. 8. Specify permissions, if appropriate, on the Permissions window, and then click Finish. Time Zones A date and time stamp that is placed on opened files, messages, and scheduled meetings is based upon an application location, which can be a Session Host in a time zone that is different from the user. The Time Zones tool allows administrators to assign appropriate time zones to users in a Session Host or VDI environment. How to ... Assign a Time Zone 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then select Time Zones. 3. Click the Toggle Client Assignment List Display icon on the information pane to change the view, as appropriate. 4. Select the appropriate time zone from the alphabetical list. 5. Do one of the following: Right-click on the time zone and select Assign to. – OR – Click the Assign to icon (the icon with the blue circle and a white plus sign) from the toolbar in the information pane. 383 vWorkspace Administration Guide 6. Add or remove clients in the Select Targets window. 7. Click OK. User Policies The User Policies tool provides a way for vWorkspace administrators to better control user desktop environments. The following settings can be controlled with User Policies: • Windows Components — Windows Explorer, and Help and Support Center • Start Menu and Taskbar— Control Panel and Display • System — Ctrl+Alt+Del options and Logon The Properties option of User Policies allow administrators to select which policy template is used to create new user policies. Two user policies are provided with vWorkspace, Default Admin and Default User, which contain settings that are commonly implemented for administrators and users. These policies can be modified and duplicated as appropriate. vWorkspace administrators can also add new policy templates. How to ... • View User Policies Properties • Create User Policies • Modify User Policies View User Policies Properties 384 1. Open the vWorkspace Management Console. 2. Expand the Resources node. 3. Highlight User Policies, and do one of the following: • Right-click, and then select Properties. • Select Actions | User policies properties. • Click on the Properties icon on the toolbar. 4. Select the policies that are to be used as the default templates for new user policies. 5. Click Policy Templates on the Templates window to import or remove policy templates. Managing the Virtual Workspace Create User Policies 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then click User Policies. 3. Click on the Toggle Client Assignment List Display button in the information pane to change the display view, as appropriate. 4. Select + on the toolbar of the information pane, or right-click on User Policies, and then select New User Policy. 5. Click Next on the Welcome window of the User Policy wizard. 6. Enter a Name for the new user policy on the Name window, and then click Next. 7. Click Policy Templates on the Templates window, and then select Import, Remove, or Rename policy templates on the Policy Templates window. Click Close. 8. Click Next on the Templates window. 9. Select the appropriate policy settings on the Policy Settings window, and then click Next. The boxes associated with each setting are three-way toggles; checked enables the setting, unchecked disables the setting, gray indicates the setting is not influenced by this policy. 385 vWorkspace Administration Guide 10. Complete the Client Assignment window to assign the application restriction, and then click Next. a) Click the plus (+) sign to select targets, and the Select Targets window opens. b) On the Select Targets window, use the green plus (+) sign to add targets that are not included in the Select Targets window. c) Select users from the list. Use CTRL to select more than one user to assign. d) Click OK to close the window and save your assignments. 11. Specify permissions, if appropriate, on the Permissions window, and then click Finish. Modify User Policies 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then click User Policies. 3. Click Toggle Client Assignment List Display on the information pane to change the display view, as appropriate. 4. Double-click the policy that is to be modified. 5. Change the entries, as appropriate, on the User Policy Properties window. 6. Click Apply to make the change, and click OK to close the window. Virtual User Profiles Virtual User Profiles (MetaProfiles-IT) is an alternative to roaming profiles. Virtual User Profiles eliminate potential profile corruption and accelerates logon and logoff times by combining the use of a mandatory profile with a custom persistence layer designed to preserve user profile settings between sessions. See Virtual User Profile Management for more information. Wallpapers A wallpaper can be assigned to vWorkspace clients by administrators. The wallpaper is used when connecting to applications or desktops hosted from vWorkspace enabled Session Hosts and VDI computers. 386 Managing the Virtual Workspace How to ... Assign Wallpapers 1. Open the vWorkspace Management Console. 2. Expand Resources, and then select Wallpapers. 3. Click on the Toggle Client Assignment List Display button on the information pane to change the display view, as appropriate. 4. To select a wallpaper, do one of the following: a) Right-click on the style, and then select Assign to. b) Click the Assign to icon (the icon with the blue circle and a white plus sign) from the toolbar. 5. Add or remove clients in the Select Targets window. 6. Click OK. Change Wallpaper Properties Wallpaper properties are available through their context menu. 1. Open the vWorkspace Management Console. 2. Expand Resources, and then select Wallpapers. 3. Right-click on the selected wallpaper, and select Properties. 4. Change the property as appropriate. Wallpaper File The full path and file name of the wallpaper. Note: Each Session Host must have a copy of the bit-mapped image file for the defined wallpapers. It needs to be in the same location as the one displayed here. Default Style Three options: • Centered • Tiled • Stretched Client Assignments A list of vWorkspace targets to whom the wallpaper is assigned. You can assign or unassign wallpaper from this list. Permissions The user or groups with permissions for this wallpaper are specified here. 387 vWorkspace Administration Guide Add New Wallpaper 1. Open the vWorkspace Management Console. 2. Expand Resources. 3. Right-click on the Wallpaper node, and then select New Wallpaper. – OR – Select the green plus sign (+) from the toolbar. 4. Click Next on the Welcome window of the Wallpaper wizard. 5. Enter the full path and file name for the wallpaper file and select the Default Style on the General window, and then click Next. 6. Complete the Client Assignment window to assign the application restriction, and then click Next. a) Click the plus (+) sign to select targets, and the Select Targets window opens. b) On the Select Targets window, use the green plus (+) sign to add targets that are not included in the Select Targets window. c) Select users from the list. Use CTRL to select more than one user to assign. d) Click OK to close the window and save your assignments. 7. Specify permissions, if appropriate, on the Permissions window, and then click Finish. Secure Gateway Quest vWorkspace Secure Gateway is designed to simplify the deployment of applications over the Internet, securely and cost-effectively. The purpose of the Secure Gateway is to act as a checkpoint (proxy) to prevent direct access to the internal vWorkspace resources of an organization. Secure Gateway can proxy connections to three vWorkspace components: vWorkspace Web Access, vWorkspace Connection Broker, and the RDP listener on a vWorkspace virtual desktop or RD session host. 388 Managing the Virtual Workspace Requests sent to either a Web Access server, a vWorkspace Connection Broker, or a vWorkspace remote host are SSL encrypted at the client end point and sent through the corporate firewall on TCP port 443 to the Secure Gateway. Once received by the Secure Gateway, the data is decrypted and forwarded to the destination on the appropriate port. Outbound responses from the vWorkspace resource pass back through the Secure Gateway and are encrypted and forwarded to the client web browser or vWorkspace Connector, depending on the proxy. Connections to Web Access can be direct, and not through the Web Interface Proxy. However, this will require a separate SSL certificate. Below is an example of the basic steps taken in communicating through the Secure Gateway’s RDP proxy. 1. RDP connections are SSL-encrypted at client end points and sent through the corporate firewall on TCP port 443. 2. Once received by the Secure Gateway, the data is decrypted and forwarded to the destination virtual computer on TCP port 3389. 3. Outbound RDP traffic passing through the Secure Gateway is encrypted and forwarded to the client end point. Installation Requirements The Secure Gateway requires the following for installation: • One or more X.509 web server certificates • For SSL certificates that have been installed on Web Access or Connection Broker servers, the trusted root certificate for the issuing Certificate Authority (CA) must be installed into the Windows certificate store of the Secure Gateway and the certificate store of the connecting client end point. Microsoft IIS can exist with the Secure Gateway, but it is not required. 389 vWorkspace Administration Guide The following are recommended and supported configurations for the Secure Gateway • The Secure Gateway should be placed in a DMZ network or a protected internal network. • The Secure Gateway can installed on either a physical or virtual computer. • The Secure Gateway can be used with or without Web Access. • The Secure Gateway can be used in conjunction with third-party load balancing appliances. The Secure Gateway should not be installed on Session Hosts. The only exception would be for proof of concept purposes. Secure Gateway Certificate The following are suggested best practices for your Secure Gateway certificate. 390 • Your certificate should have the same Issued To and Friendly Name. • The certificate should be an RSA (1024) certificate, not an AES certificate. (4096-bit certificates have been successfully tested.) • You should have a private key that corresponds to the certificate. Managing the Virtual Workspace • On the Certificate Properties window, General tab, Server Authentication should be listed and selected. Secure Gateway Configuration The Secure Gateway is configured using the Quest Secure-IT applet, located in the Windows Control Panel. The Secure-IT applet allows the management of three separate proxies. Each proxy secures communication to a separate vWorkspace component. • RDP Proxy - The RDP Proxy functionality provides the ability for users on a public network, like the Internet, to connect to virtual desktops or Remote Desktop Session Hosts that are managed by vWorkspace and located on a private network. The connection to this proxy is always SSL encrypted. • Web Interface Proxy - The Web Interface Proxy functionality provides the ability for users on a public network, like the Internet, to connect to Quest vWorkspace Web Access through the Secure Gateway. The connection to this proxy can optionally be SSL encrypted. • Connection Broker Proxy - Provides the ability for users on a public network, like the Internet, to connect to a Quest vWorkspace Connection Broker that is located on a private network. 391 vWorkspace Administration Guide The connection to this proxy can optionally be SSL encrypted. PROXIES TAB FIELDS DESCRIPTION RDP Proxy Local IP Address This checkbox enables SSL encryption of RDP session traffic between the vWorkspace connector and vWorkspace enabled Remote Desktop Session Hosts and virtual desktops. The IP address for the Secure Gateway for inbound requests is selected from the list. Local Port The TCP port number to be used for SSL encryption of RDP session traffic. Default is 443. Note: If Microsoft IIS exists on the Secure Gateway, the port 443 might already be in use. 392 Managing the Virtual Workspace PROXIES TAB FIELDS Certificate Name DESCRIPTION This field is for selection of the web server certificate that is to be used by the Secure Gateway for inbound SSL-encrypted RDP session traffic. Note: Only certificates installed in the Windows computer store are recognized. Web Interface Proxy Local IP Address This checkbox enables secure web browser traffic between the vWorkspace connector and the Web Access web server. The IP address for the Secure Gateway for inbound Web Access SSL requests is selected from the list. Local Port The TCP port number to be used for SSL encryption of the Web Access session traffic. Default is 443. Note: If Microsoft IIS exists on the Secure Gateway, the port 443 might already be in use. Destination Host(s) The Secure Gateway forwards requests through the IP address, host name, or FQDN of the Web Access web server. Use commas to separate entries. Dest. Port The TCP port number that the Web Access web server listens on. Default is 80. Enable SSL This checkbox decrypts and then forwards packets. Unselect this check box, and the packet is sent without being decrypted. Certificate Name This field is for selection of the web server certificate that is to be used by the Secure Gateway for inbound SSL-encrypted RDP session traffic. This field is only for use if the Enable SSL check box is selected. Note: Only certificates installed in the Windows machine store are recognized. 393 vWorkspace Administration Guide PROXIES TAB FIELDS DESCRIPTION Connection Brokers Proxy Local IP Address This checkbox indicates secure traffic between the vWorkspace connector and the Connection Broker servers. The IP address for the Secure Gateway for inbound Connection Broker SSL requests is selected from the list. Local Port The TCP port number for SSL encryption of Connection Broker traffic. Default is 443. Note: If Microsoft IIS exists on the Secure Gateway, the port 443 might already be in use. Destination Host(s) The Secure Gateway forwards requests through the IP address, host name, or FQDN of the Connection Broker server. Use commas to separate entries. Dest. Port The TCP port number that the Connection Broker servers listen on. Default is 80. Enable SSL If this checkbox is selected, the Secure Gateway decrypts inbound SSL packets before forwarding them to the Connection Broker servers. If this check box is not selected the Secure Gateway does not encrypt SSL packets for inbound Connection Broker servers. Certificate Name This field is for selection of the web server certificate that is to be used by the Secure Gateway for inbound SSL-encrypted RDP session traffic. This field is only for use if the Enable SSL check box is selected. Note: Only certificates installed in the Windows machine store are recognized. 394 Managing the Virtual Workspace OPTIONS TAB FIELDS DESCRIPTION Connections Settings Inactivity Timeout This number is the amount of time a session can be inactive before the Secure Gateway terminates it. Default is 0 (no time out). Server Logging Enable to Trace login to the specified file If this checkbox is selected, logging for troubleshooting is enabled. The name and location for this file is entered into the text box. You can also use Browse. Log files have a maximum size of 10 MB. Once the maximum is reached a new log file will be generated appended with the date and time. Thus, when not troubleshooting, logging should be disabled. 395 vWorkspace Administration Guide Deployment Options The following deployment options discussed in this section are: • Web Access • AppPortal Access • AppPortal and Web Access Web Access Web Access acts as a web based portal to a vWorkspace farm. To summarize its function, Web Access validates vWorkspace users, through successful authentication to Active Directory by way of the vWorkspace broker, and directs vWorkspace connectors to the appropriate virtual desktop. In order to use Web Access in conjunction with the Secure Gateway, Web Access must be configured properly. Complete the following steps to configure Quest vWorkspace Web Access to use Quest vWorkspace Secure Gateway: • Browse to the Web Access Admin page: • • 396 http://<webaccess_servername>/provision/web-it/admin Select the Firewall/SSL VPN link on the left side of the page. Managing the Virtual Workspace Default Address Translation Settings The Default Address Translation Settings controls the default connections for clients connecting to a vWorkspace farm through Web Access. If the Secure Gateway is to be the default connection, this setting should be set to vWorkspace Secure Gateway. Custom Address Translation Settings When there is a need for exceptions to the Default Address Translation Settings, the Custom Address Translation Settings should be used. A good example is when Web Access is used to connect from inside the company (those that are on a LAN/private network) as well as by users who connect from outside of the company (those that connect over a public network like the Internet). Those users connecting over a public network should use the Quest vWorkspace Secure Gateway to ensure maximum security, but those connecting from inside the company might not need that level of security and could connect directly to a virtual desktop/RD session host. 397 vWorkspace Administration Guide To connect directly to a virtual desktop or RD session host and override the Default Address Translation, the Custom Address Translation Settings section needs to be set to Normal Address, and the network subnet of the excepted client end points needs to be entered into the Client Address Prefix list. This is done by entering the subnet and clicking Add. Please note that the network subnet notation needs to end with a . (dot). The custom address translation setting would override the default setting, which, in this case, is Secure Gateway. As demonstrated below, all connections would be routed to the Secure Gateway unless the client prefix is equal to 10.1.1. 398 Managing the Virtual Workspace SSL Gateway Settings In the Secure Gateway section of Quest vWorkspace Web Access, the connectivity information for the Quest vWorkspace Secure Gateway being used needs to be provided. The graphic below shows a configured Web Access Secure Gateway page. The setting are defined in the following table. 399 vWorkspace Administration Guide FORM FIELDS DESCRIPTION SSL Gateway External SSL Gateway FQDN/IP Address This setting controls the Quest vWorkspace Secure Gateway addressing for Quest vWorkspace Web Access. This setting needs to be the exact name that the SSL Certificate for Quest vWorkspace Secure Gateway was issued to. If the Certificate was issued to an IP address, then the IP address should be in this section, if the Certificate was issued to a Fully Qualified Domain Name (FQDN), it should be set here. TCP Port TCP Port should be set to mirror the setting for the local port of the RDP proxy in the Quest vWorkspace Secure Gateway applet. SSL Gateway/Local Address (IP) Enter the IP address of the Quest vWorkspace Secure Gateway server, and then click Add. SSL Gateway/Local Address List Shows what Quest vWorkspace Secure Gateway servers are configured for communicating with this Web Access instance. Enable NAT support for Firewall Traversal If the Secure Gateway server is located in a Demilitarized Zone (DMZ) this box may need to be checked, but only if Network Address Translating (NAT) is in effect between the DMZ and the Internal Network. Web Access URL (external users) This is the URL which users on the outside of the network will be connecting to. Web Access URL (internal users) If the URL is different than the external users, this should be filled in with the proper link for Internal Users AppPortal Access This configuration is used when a secure single point of entry is needed for users connecting from external networks, but the connections are managed by AppPortal, rather than Web Access. In this scenario, the vWorkspace Connection Broker proxy and the RDP proxy are the two Secure Gateway proxies enabled. 400 Managing the Virtual Workspace The Secure Gateway is the only access point to the vWorkspace infrastructure. Remote clients gain access to the system using a single FQDN. Only one firewall access rule is required to permit inbound connections to the Secure Gateway on TCP port 443. A valid 128-bit SSL certificate must be installed on the Secure Gateway. The Secure Gateway, if situated in the DMZ, may require additional firewall rules to allow the Secure Gateway to communicate with the Connection Brokers and the virtual desktops on the internal network. How to ... Configure AppPortal Access 1. Use the following path to access the applet: Control Panel | Quest Secure-IT 2. Complete the RDP Proxy section as follows: a) Select Local IP Address, and then select an IP address from the list. b) Enter the Local Port. 401 vWorkspace Administration Guide c) Click the Lock icon to select the web server certificate used by the Secure Gateway for inbound SSL-encrypted RDP session traffic. Only certificates installed in the Windows machine store are recognized. 3. Complete the Connection Broker Proxy section as follows: a) Select Local IP Address, and then select an IP address from the list. b) Enter the Local Port. c) Enter the IP address, host name, or FQDN of the Web Access web server that the Secure Gateway forwards requests. Use commas to separate entries. d) Click the Lock icon to select the web server certificate used by the Secure Gateway for inbound SSL-encrypted RDP session traffic. Only certificates installed in the Windows machine store are recognized. Both the RDP and the Connection Broker proxies can share the same IP address and TCP port. 4. From the AppPortal Interface at the client end point, a) Configure a farm connection using AppPortal | Manage Connections, or by right-clicking on the farm from the vWorkspace Management Console. b) Enter the FQDN of the Connection Broker proxy in the Server List on the Connectivity tab. c) Select Enable RDP over SSL/TLS, and then enter the FQDN of the RDP proxy in the SSL Gateway Server field. 402 Managing the Virtual Workspace AppPortal and Web Access This option describes a setup where the vWorkspace connector is accessed by AppPortal and Web Access. The Secure Gateway and Web Access, if situated in the DMZ, require additional firewall rules to permit the Secure Gateway to communicate with the virtual desktops and the Connection Broker, and for Web Access to communicate with the Connection Broker. If you are using Secure Gateway in conjunction with Web Access, you must specify both the internal and external Web Access access URL’s on the Firewall/SSL VPN section of the Web Access Management console. See Web Access for more information. 403 vWorkspace Administration Guide There are two possible ways to configure the use of the AppPortal and Web Access. One option allows all three proxies to share the same IP address and SSL certificate, but the Web Access and the Connection Broker proxies have different TCP ports. This allows the Secure Gateway to distinguish HTTP connections going to Web Access from HTTP connections going to the Connection Broker. A second option is for all three proxies to use the same TCP port, but the Connection Broker has a different IP address and SSL certificate. How to ... Configure AppPortal and Web Access 1. Use the following path to access the applet: Windows Control Panel | Quest Secure-IT 2. To configure using the same IP address and SSL certificate: a) Enter the same IP address in the RDP Proxy, Web Access Proxy, and Connection Broker Proxy fields. b) Enter the same Local Port for RDP Proxy and Web Access Proxy, and a different Local Port for the Connection Broker Proxy. 404 Managing the Virtual Workspace 3. Complete the other fields as appropriate, and then click Apply to make the changes without closing the window, or click OK to make the changes and to close the window. . a) Configure a farm connection using AppPortal | Manage Connections, or by right-clicking on the farm from the vWorkspace Management Console. b) Enter the FQDN of the Connection Broker proxy in the Server List on the Connectivity tab. c) Select Enable RDP over SSL/TLS, and then enter the FQDN of the RDP proxy in the SSL Gateway Server field, and then click OK. Both proxies may share the same FQDN, but the Connection Broker proxy is set to a different TCP port. 405 vWorkspace Administration Guide 4. To configure using the same TCP port: a) Enter the same TCP Port number in the RDP Proxy, Web Access Proxy, and Connection Broker Proxy fields. b) Complete the other fields as appropriate, and then click OK. c) Configure a farm connection using AppPortal | Manage Connections, or by right-clicking on the farm from the vWorkspace Management Console. d) Enter the FQDN of the Connection Broker proxy in the Server List. e) Enter the FQDN of the RDP Proxy in the SSL Gateway Server field. f) Click OK. The RDP and Web Access proxies can share the same IP Address, TCP Port, and Certificate Name. The Connection Broker Proxy is bound to a different IP Address and Certificate Name. 406 Managing the Virtual Workspace Web Access Quest vWorkspace Web Access is a web application for vWorkspace Farms that enable users to retrieve their list of allowed applications and desktops using a web browser. One or more vWorkspace Web Access servers, configured to communicate with a vWorkspace farm, must be available to use the Web Access browser interface. No client side configuration is needed; users simply start their Internet browser and enter the address of the Web Access server. After successful authentication, the user’s published desktops and applications display in the web browser. A vWorkspace Connector must be installed, and personalization settings of the Internet browser can be configured. vWorkspace Web Access 7.5 has been re-architected to provide improved performance, scalability, and maintainability. The new architecture allows for easier deployment on multiple instances of Web Access without the need to reconfigure each one individually. As a result of the redesign, Web Access sites from previous versions to 7.5 cannot be upgraded to 7.5. Therefore, you need to manually document your settings, and then reconfigure Web Access 7.5 in the vWorkspace Management Console. Web Access Tools Web Access includes tools that allow you to configure a Web Access web site. The Web Access Site Manager (WASM) interfaces with Microsoft Internet Information Services (IIS) to create and prepare IIS web sites for Web Access. The Websites node of the vWorkspace Management Console is used to create Web Access configurations that can be pushed to a Web Access web site prepared by the WASM. vWorkspace Web Access Site Manager Previously, hosting multiple Web Access sites on vWorkspace Web Access was a difficult task. The vWorkspace Web Access Site Manager simplifies the generation of multiple Web Access sites. Quest vWorkspace Web Access is an ASP.Net application that installs as a virtual directory within an IIS default web site. The initial Web Access site can be created during installation or by using the WASM. In both cases, an IIS virtual directory is created with the proper folder structure to host a Web Access site. However, the new site has no configuration. A Web Access configuration must be created in the vWorkspace Management Console and exported to the Web Access site. 407 vWorkspace Administration Guide One Web Access server can host multiple Web Access sites; each providing a user access interface to a separate vWorkspace farm. The WASM can be used to aggregate multiple Web Access sites into a federated site. A federated site provides a hyper-linked list of Web Access sites to the end user. How to ... Create a New Web Access Site The WASM allows you to view, create, edit, and delete vWorkspace Web Access Sites. Once a Web Access Site has been created the vWorkspace Management Console can be used to configure settings for the site and have the configuration pushed to the Web Access web site. 1. Start the Web Access Site Manager one of the following ways: a) From the Start menu of the Web Access server. b) From the desktop icon of the Web Access server. 2. Click New on the Web Access Site Manager window. 3. Click Next on the Create a New Web Access Site wizard. 4. Enter a Friendly Name and Virtual Directory Name, as appropriate. Friendly Name - Type the name that will be displayed in the vWorkspace Management Console. Virtual Directory Name - Type the name of the virtual directory used to access the Web Access site. The Virtual Directory Name cannot be edited once the Web Access Site has been created. The site must be deleted and a new one created. Description - type an optional description. Icon - to change the default image of the Web Access Site click the vWorkspace icon. Any alternate icon image is required to be 32 pixels by 32 pixels in size. 5. Click Finish to complete the process. After completing a new Web Access site, you must complete an update to the web server with the site configuration. See Update Site for more information. Once the site is created it can be edited or deleted from this interface. 408 Managing the Virtual Workspace vWorkspace Management Console Websites Node vWorkspace Web Access is managed from a node in the vWorkspace Management Console, named Websites. The Websites node allows an administrator to define multiple Web Access sites for separate vWorkspace farms. Administrators can also set Web Access properties such as Website Information, Firewall/Secure Gateway, and Experience settings. These settings are similar to settings in a vWorkspace Connector. However, with Web Access, the configuration is being defined centrally, rather than at each client access device. Configuration Define vWorkspace Websites After vWorkspace Web Access has been installed and the Web Access site has been created, either during installation or with the WASM, the properties of the Web Access site are managed through the vWorkspace Management Console. A new site must be defined as an object in the Websites node. The following properties can be set for a Web Access web site in the vWorkspace Management Console. • Connection Properties • Firewall/Secure Gateway • Domain/Login Settings • Downloads/Connectors • Experience • Browser Interface Connection Properties Connection Properties define the connection properties of a vWorkspace Web Access website. To establish a connection to Web Access, specify the display name and URL path used to connect to the Web Access web site. Multiple Web Access sites can be added. 409 vWorkspace Administration Guide Firewall/Secure Gateway The Firewall/Secure Gateway property is used to inform the Workspace Connector how to communicate with the vWorkspace farm when a connection is attempted. The Firewall/Secure Gateway property has five settings: • Default Rule • Custom Rules • Secure Gateway • Advanced Settings • Proxy Server Default Rule The Default Rule is the default addressing type that should be used when accessing remote sessions. This default setting applies to all connecting clients, unless specifically overridden by custom addressing rules. The Default Rule options are: • Internal Address • Alternative Address • vWorkspace Secure Gateway Custom Rules Custom rules are exceptions to the default addressing rule. Any client address that does not match a custom rule, access remote sessions using the default rule. Custom Rules can be used to specify an addressing type and an associated IP address specification that is added to the Custom Address Rules list. Any client IP address or outside interface address of a firewall or proxy server that matches the rule uses the corresponding addressing type. The Custom Rules Addressing types are: 410 • Internal — Web Access refers the connecting access device to make a direct connection to the remote RDP host. • Alternate — Web Access refers the connecting access device to make a connection to the remote RDP host using the configured alternate address associated with the RDP host (RDSH only). Managing the Virtual Workspace • Secure Gateway — Web Access refers the connecting access device to make a connection to the remote RDP host via Quest Secure Gateway. Secure Gateway and the Secure Gateway setting must be installed and configured for this setting to take effect. Secure Gateway The Secure Gateway setting is used to define the path to the Secure Gateway. Web Access uses the information in this setting to direct a connecting device to Secure Gateway. The typically port number for a Secure Gateway service is 443. Advanced Settings Advanced Settings can be used to enable NAT for firewall traversal. This is helpful when your Web Access server and Secure Gateway are separated by a NAT enabled firewall. Proxy Server Web Access can be configured to inform vWorkspace Connectors which proxy server to use when connecting to a vWorkspace farm. Generally, proxy server settings are used for internal offices, where the vWorkspace Web Access server is in a DMZ and the internal office is using a proxy server to connect. The Proxy Server options are: • Do not use a proxy server (This is the default setting.) • Use default from the system internet settings • Enter an address manually Domain/Login Settings Domain/Login Settings define what access control methods are used when authenticating connecting users. The Domain setting must be defined in order for authentication to the farm to succeed. The other Domain/Login settings are optional and can be used to further secure access to your vWorkspace farm. 411 vWorkspace Administration Guide The Domain/Login settings are: • User Domains • Password Management • Credentials Pass-Through • Two-Factor Authentication • Client Device Identification • Auto-Launch User Domains A Web Access site passes user credentials to a vWorkspace Connection Broker for authentication and validation. The vWorkspace Connection Broker must belong to a Microsoft Active Directory domain for this to work successfully. The User Domains settings can be used to prepopulate the user domain field, and authenticate the user account across multiple domains. Quest vWorkspace allows the use of User Principal Names (UPN) during logon. For example, [email protected]. Password Management The Password Management setting is used to configure a Web Access site to leverage Quest Password Management Service. Multiple password management servers can be specified and must be associated with a domain defined in the User Domains setting. If more than one Password Management Server is listed in the Password management servers field, users are prompted for which server to use to change their password. Credentials Pass-Through Credentials Pass-Through allows the use of locally cached or Kerberos domain credentials to login to a vWorkspace farm. This is helpful when the user is connecting to a vWorkspace farm from a client access device that is a member of a trusted domain. 412 Managing the Virtual Workspace To use this setting with Microsoft Internet Explorer, you must configure the following before enabling this feature: • If you are using credentials pass-through and there are multiple farms in which users need to log in to using credentials pass-through, then you must also select the option, Log Users on to all configured farms in the Farm settings. Credentials pass-through is not currently supported when allowing users to select a farm. • Enable Integrated Windows Authentication must be turned on in Advanced Internet Options of Internet Explorer, and the Microsoft IIS web server must be a member of a domain in the Active Directory forest containing the user’s account. • Web Access site needs to be added to the list in both Trusted Sites and Local Intranet. Credentials pass-through is not supported in the vWorkspace Connector for Java. If you are using Mozilla Firefox and credentials pass-through, you must configure Firefox to use Integrated Windows authentication by completing the following steps: 1. Open Firefox. 2. Type about:config in the address bar. 3. Type network.automatic in the filter box once the config page loads. 4. Modify network.automatic-ntlm-auth.trusted-uris by double-clicking the row, and enter www.mydomain.com. Multiple URIs must be separated by comas. To configure Firefox to use Integrated Windows authentication for multiple Firefox installs, complete the following steps: 1. Use a decompression tool, such as WinZip, the extract Firefox Setup 2.x.x.exe. 2. Extract browser.xpi from the setup. 3. Edit all.js contained in browser.xpi in \bin\jreprefs. 4. Modify network.automatic-ntlm-auth.trusted-uris by double-clicking the row, and enter www.mydomain.com. Multiple URIs must be separated by comas. 5. Repackage browser.xpi, and use the extracted setup to install Firefox. 413 vWorkspace Administration Guide Two-Factor Authentication The Two-Factor Authentication setting allows for the integration of a two factor authentication product such as Secure Computing PremierAccess or using RADIUS to communicate with other 2FA solutions such as Quest Defender or RSA ACE/Server. Client Device Identification When connecting to a vWorkspace farm, the end user's local IP address and device name may be sent to the connection broker. This allows vWorkspace resources to be assigned by IP address or device name for users who connect through Web Access. This feature is only supported when using Internet Explorer with ActiveX controls enabled. Auto-Launch When a user logs onto a vWorkspace farm a managed application can be launched automatically, rather than having the user select the application. The Auto-Launch options are: • Do not automatically launch an application • Single Application • Specified Application Downloads/Connectors Downloads/Connectors is a group of settings that define whether the vWorkspace Connector, or other files, are downloadable from the Web Access user interface. The Downloads/Connectors settings are: 414 • General Settings • vWorkspace Connectors • Other Downloads Managing the Virtual Workspace To install the vWorkspace Connector for Windows you must have administrative rights on the device where the connector is to be installed. General Settings The General Settings control whether a download tab is added to the user interface of Web Access. After enabling the Download page, the link for the page can be displayed in two locations: • On the Web Access login page. • On the main page after the user logs in. vWorkspace Connectors The vWorkspace Connectors setting can be used to deliver the vWorkspace Connector for Windows or the vWorkspace Connector for Java to client access devices which do not have the Connector installed or have an outdated vWorkspace Windows Connector. The vWorkspace Windows Connector can be automatically downloaded if it is not installed or an older version is detected. A link can also be placed on the Downloads page to allow users to download the Windows Connector manually. If you want to use the vWorkspace Connector for Java as a downloadable connector from Web Access, the Java Connector must be installed on the Web Access server. This is detailed in the Quest vWorkspace Connector for Java Administration Guide. Other Downloads Other Downloads allows for the addition of custom download links to the download page. This is helpful in situations where a resource is needed to allow connections to a vWorkspace farm, such as a root SSL certificate for a private certificate authority. Experience The Experience settings control Microsoft or Quest RDP virtual channels, such as Desktop Composition and EOP Graphics Acceleration. Some settings display two tabs, a Default Settings tab and a User Overrides tab. The Default Settings tab provides the configuration of the specific category unless the properties of a connection are set to override. The User Overrides tab defines which values can be overridden by the user. 415 vWorkspace Administration Guide The Experience settings are: • Local Resources • Performance/EOP • Display Local Resources The Local Resources settings control the following aspects of a user connection: • Remote Audio • Keyboard • Devices and Features Each of the Local Resources settings can be set to allow user override by enabling Allow users to override the default local resource settings on the User Overrides tab and selecting the override options to present to the user in the Web Access client. LOCAL RESOURCES SETTING DESCRIPTION Remote Audio Remote audio playback • Play on the end user’s computer (this is the typical setting) • Do not play • Play on the remote computer - this is useful when audio is being redirected via vWorkspace USB Redirection. Keyboard Apply Windows key combinations • On the end user’s computer (default setting) • On the remote computer • On the end user’s computer only when using full screen Devices and resources Disk Drives Select if users need access to the disk drives on their access device. Printers Select if users need to print to autocreated access device printers using native print drivers. 416 Managing the Virtual Workspace LOCAL RESOURCES SETTING DESCRIPTION Serial Ports Select if users need access to devices attached to serial ports on their physical device. Smart Cards Select if users are required to log on to their session using a Smart Card attached to their physical device. USB Devices Select if users need to make use of USB devices when connected to the virtual workspace. Universal Printers Select if users need to print by autocreated access device printers using the Universal Printer driver. Microphone Select if users need to redirect the local computer microphone when connecting to the virtual workspace. Clipboard Select if users need to redirect the local computer clipboard when connecting to the virtual workspace. Performance/EOP The Performance/EOP settings control the following aspects of a user connection: • Connection Speed • • • • • • • Modem (28.8 Kbps) Modem (56 Kbps) Low-speed broadband (256 Kbps - 2 Mbps) Satellite (2 Mbps - 16 Mbps with high latency) High-speed broadband (2 Mbps - 10 Mbps) WAN (10 Mbps or higher with high latency) LAN (10 Mbps or higher) Selecting a connection speed defines which of the following performance options are enabled. For example, if LAN is selected all of the performance options listed under Connection speed are selected. If High-speed broadband is selected, only Desktop composition, Persistent bitmap caching, and Visual styles are selected. 417 vWorkspace Administration Guide • Experience Optimized Protocol (EOP) • • • • • • EOP EOP EOP EOP EOP Flash Redirection Graphics Acceleration Text Echo Xtream Multimedia Acceleration Session Options The Session options section supports the feature to reconnect sessions after they have dropped. Display The Display settings provide control of the display configuration, color depth, and other settings, such as Smart Sizing. • Display Configuration Display Configuration sets the default screen resolution for users when connecting to a remote host. • • • Full screen (includes the option to span multiple monitors) Specific resolution Custom resolution (pixel height and width) Screen resolution only applies when connected to a seamless windowed application. • Colors Specify the color depth of the remote session. • Other settings • • • • 418 Display connection bar when in full screen mode Pin connection bar Enable Smart Sizing - Smart Sizing resizes the remote sessions screen resolution to fit the resolution of the client access device when a connection is made to a disconnected session on a remote host. Display remote applications seamlessly on remote desktop This setting enables the remote session screen size and color depth to match the settings of the client access device, when connecting to a managed application. Managing the Virtual Workspace Browser Interface The Browser Interface setting defines the appearance of the Web Access client interface. The Web Access client interface can be executed in Internet Explorer, Mozilla Firefox, or Google Chrome. The Browser Interface settings are: • Messages • Layout • Themes Messages The Messages settings allow for the modification of the messages that users see in the Web Access client interface. Layout The Layout setting controls how application icons are displayed in the Web Access client Interface. Each of the parameters in Layout can be set to allow user override by enabling Allow users to override the default local resource settings on the User Overrides tab and selecting the override options to present to the user in the Web Access client interface. The Layout options are: • Default view for application icons: • • • • • Icon View Details View List View Split View Icon Split View Details When the view is set to Icon View, pixel spacing between the application icons can be set. The default spacing is 5. Themes The Themes settings allow the colors and images in the Web Access client interface to be customized. 419 vWorkspace Administration Guide The following items can have their color set: • Background • Foreground • Button • Header Text • Header • Text • Login Text • Link Text • Login Box • Highlight Text The Header Image and Logon Image can both be replaced with custom images. Other Settings The Other Settings groups several miscellaneous settings. The settings are: • Provide an application search box • Display user names and statistics on the main page after login • Display detailed Windows error messages • Enable debug logging • Specify the web session timeout (in minutes) • Specify the VDI retry interval (in seconds) Additional Farms The Additional Farms settings can be used to aggregate the application sets of multiple vWorkspace and Citrix farms. The setting options are: • Farm type: • • 420 vWorkspace Farm Citrix Managing the Virtual Workspace • Farm name • Connection brokers (multiple brokers can be delimited by comas) This is a mandatory step. • Broker TCP port Update Site The Update Site settings are used to push the Website configuration in the vWorkspace Management Console to a Web Access site. The Site Manager utility is used to generate the site structure and the Update website utility is used to create the Web Access site’s configuration. The configuration can be pushed to the site using the Update website utility or exported to an XML file, named WebSettings.xml, which can then be manually copied into the config folder of the specific Web Access site. How to ... Update a Site in Web Access 1. From the vWorkspace Management Console, expand the Websites node. 2. Right-click on website that needs to be updated, and select Update Website. The dialogue will also appear at the end of the New Website Wizard once Finish is clicked. 3. Select one of two options: • Contact the Web Access site directly and update it’s configuration — If this option is selected a prompt will appear asking for the path to the Web Access site. • Save the configuration to a file and manually update the Web Access Site — If this option is selected a prompt will appear asking for the location to save the WebSettings.xml file. The .xml file needs to be copied to the following location: \Inetpub\wwwroot\<virtual folder name>\Config vWorkspace Connector Packages vWorkspace Connectors are supported on multiple end point devices. The vWorkspace Connector for Windows installation packages are included with a Web Access installation and can be made available for download from the vWorkspace Web Access User page. 421 vWorkspace Administration Guide When the Connector is selected in the Downloads settings in Web Access, a version and location can be specified. In this case, it checks whether the vWorkspace Connector for Windows is installed on the end point device. If the specified version or later version is not installed, it attempts to automatically download and install the Connector, from the specified location, using Microsoft ActiveX. ActiveX must be enabled on the user’s browser for client installation checking to work. This feature is not supported for browsers other than Internet Explorer. The vWorkspace Connector packages available are: • VASCLIENT32 — Includes AppPortal and the Web Access. • VASCLIENT32T — Includes Web Access support, but not AppPortal. • VASCLIENT32TS — Includes a silent install for Web Access support. See vWorkspace Connectors for more information. Other vWorkspace Connectors vWorkspace Web Access supports both Linux, Apple Mac, Android, and Apple iPad as client connectors. These, however, must be installed through their respective methods. Web Access cannot be automatically installed on these platforms. Integration Web Access integrates with several third-party products to extend secure access and productivity for a vWorkspace farm. Web Access provides integration for the following products. • Juniper Secure Access • F5 Firepass • SharePoint • Citrix XenApp and XenDesktop Juniper Secure Access Web Access and Juniper Networks Secure Access SSL VPN can be integrated to be used as a single sign-on solution by using custom headers created by the Juniper Secure Access Central Manager. 422 Managing the Virtual Workspace Prerequisites • Secure Access Device must be running at least System Version 7.0 R0. • Authentication Realm must be setup and configured for the correct Active Directory domain. • SSO License has to be installed on the SA Device, if SSO is required. • vWorkspace provides integration with WSAM and Network Connect. • vWorkspace Web Access server configured properly. Configure Secure Access 1. Create a new Role, for example, vWorkspace_Users. 2. Select the SAM tab. 3. Click Add Application, and then select PNTSC, which is the Quest connection tool. 423 vWorkspace Administration Guide 4. Do the following on the Custom Application window, and then click Save Changes. a) Enter a Name. b) Add a description, if needed. c) Enter Filename as pntsc.exe. 424 Managing the Virtual Workspace 5. If you are using the Quest Connector, AppPortal through the SA device, do the following on the Custom Application window, and then click Save Changes. a) Enter a Name. b) Add a description, if needed. c) Enter the Filename as pntsc32.exe. 425 vWorkspace Administration Guide 6. Do the following on the Allowed Server window, and then click Save Changes. a) Enter a Name. b) Add a description, if needed. c) Add a server. In this example, a subnet is used for the vWorkspace environment. d) Set the appropriate ports, such as 80 (Web), 8080 (Broker), and 3389 (Terminal Services). 426 Managing the Virtual Workspace 7. From the vWorkspace Role, select the SAM tab, and then select Options. 8. Complete the following on the Options settings. a) Select Windows SAM. b) Set appropriate Windows SAM options for this role. c) Click Save Changes. 427 vWorkspace Administration Guide 9. Select the Web tab, and do the following: a) Create a bookmark for the vWorkspace Web Access Server. For vWorkspace version 7.2: http://server/provision/web-it/default.aspx For vWorkspace version 7.5: http://server/<identity> 428 Managing the Virtual Workspace 10. From the main system menu, go to Users | Resource Policies | Secure Application Manager Policies. See step 12 if SSO is required. 429 vWorkspace Administration Guide 11. Add a new policy or modify an existing policy by doing the following: a) Enter a Name for the policy. b) Enter Resources to which this WSAM role is allowed to access. For example, 10.1.1.1/25:80,8080,3389. c) Select Policy applies to SELECTED roles. d) Select the vWorkspace role created previously. e) Select Allow socket access. f) Click Save Changes. 430 Managing the Virtual Workspace 12. If SSO is required, from the main menu screen go to Resource Policies |Headers/Cookies Policies, select the SSO tab, and then select Headers/Cookies. 13. Select New Policy on the Headers/Cookies Policies window, and do the following: a) Enter a Name. b) Add a description, if needed. c) Enter a Resource, which is the direct link to the vWorkspace Web Access site. For vWorkspace version 7.2: http://server/provision/web-it/* For vWorkspace version 7.5: http://server/<identity> d) Set the role to which it applies. e) Select Append headers as defined below. f) Create three headers to write during the request process: • • • PN_Username<User> PN_Password<Password> PN_Domain NetBIOS Domain F5 Firepass Web Access and F5 FirePass SSL VPN can be integrated to be used as a single sign-on solution by creating tunnels in the FirePass Administrator Console. 431 vWorkspace Administration Guide Prerequisites • F5 FirePass must be running at least version 7.0.0. • F5 FirePass Authentication must be configured for the appropriate Active Directory domain. • vWorkspace Web Access server must be installed and configured properly, if configuring connections to a Web Access server. F5 Firepass can be configured to tunnel connections to a vWorkspace Connection Broker or a vWorkspace Web Access server. All settings are configured under the Application Access node of the system menu. How to ... 432 • Tunnel to a Connection Broker • Tunnel to Web Access Managing the Virtual Workspace Tunnel to a Connection Broker 1. Select Application Access. 2. Do the following in the Application Tunnels tab. a) Click Add New Favorite. b) Select Favorite as the Type. c) Enter a Name. d) Enter servers, IPs, and networks along with ports for the vWorkspace infrastructure in Allow list. • Ports are 8080 (Broker default) and 3389 (Terminal Services). e) Click Add Favorite. 433 vWorkspace Administration Guide 3. Click Add New Dynamic Tunnel, and do the following: a) Enter a Name for the application, such as PNTSC or AppPortal. b) Set the proper path to the pntsc.exe file. Note that x86 and x64 versions are different paths and locations. c) Click Update. 4. 434 Repeat the process for each application required. Managing the Virtual Workspace Tunnel to Web Access 1. Select the Web Application Tunnels tab. 2. Click Add New Favorite, and do the following: a) Select Favorite as the Type. b) Enter a Name. c) Enter one of the following URLs. Web Access version 7.2: http://server/provision/web-it/default.aspx Web Access version 7.5: http://server/<identity>/Login/F5 d) Enter URL variables. This is used if SSO is wanted to automatically sign in to the Web Access server with the credentials which were used to login to the F% FirePass device. For example: uname=%username%&pass=%password%&dom= <NetBIOS_Domain_Name> 435 vWorkspace Administration Guide e) Select Use POST for URL variables. f) Enter servers, IPs, and networks along ports for the vWorkspace infrastructure in Allow list. g) Enter information into the Endpoint Protection required field, as appropriate. h) Click Add New. i) Repeat this process for each Web Access server. SharePoint vWorkspace Web Access can be integrated with a SharePoint server, allowing users to access Web Access from a link on the SharePoint site. Microsoft SharePoint 2010 was used in the following step process. Integrate Web Access and SharePoint 436 1. Log in to SharePoint. 2. Navigate to the project or directory where Web Access is to be integrated. 3. Select Site Actions | More Options. Managing the Virtual Workspace 4. Open Web Part Page. 5. Do the following on the New Web Part Page window, and then click Create. a) Enter a Name for the Web Part Page. b) Select Full Page, Vertical as the Layout Template. c) Select the Document Library where the page is to be saved. 6. Click Add a Web Part. 7. Do the following on the next screen, and then click Add. a) Select Media and Content in the Categories section. b) Select Page Viewer in the Web Parts section. c) Select Full Page in the About the Web Part section. 437 vWorkspace Administration Guide 8. Click open the tool pane in the Page Viewer section, and then do the following. a) Enter the URL to the Quest vWorkspace Web Access site in the Link field. Click on Test Link to verify the link. b) Expand the Appearance node and enter the Height and Width for the page. c) Click Apply. 9. Click Stop Editing. The Web Access site is now integrated and available to users at the specified location. Citrix XenApp and XenDesktop Web Access can send user credentials to both vWorkspace Connection Brokers and servers running the Citrix Program Neighborhood Agent (pnagent). Web Access will take the data returned from each solution and aggregate it into the user’s application set. Therefore, the user can access one interface to connect to presentation hosts from either solution, seamlessly. 438 Managing the Virtual Workspace Web Access can integrate with the following Citrix products: • XenApp 5.0 • Presentation Server 4.0 and 4.5 • XenDesktop 4.0, 5.0 and 5.5 To achieve this, a PNagent server must be configured to communicate with a Citrix farm and the Web Access server must be configured with the URL of the PNagent server. vWorkspace Reporting Quest vWorkspace Reporting allows organizations to create real time and historical reports leveraging data gathered by vWorkspace. By utilizing the reporting features of vWorkspace, administrators gain a greater understanding of how the vWorkspace farm is being managed and utilized. 439 vWorkspace Administration Guide The Reporting feature in vWorkspace includes an easy to use tool, the Sample Report Viewer, which allows vWorkspace administrators to run pre configured or custom SQL queries against the vWorkspace reporting database. The query results can be used to generate reports within the Sample Report Viewer, or exported to CSV files for manipulation using the administrator’s tool of choice. vWorkspace Reporting uses SQL triggers to export certain data from the vWorkspace database to the Reporting database. The Reporting database can be used to run historical reports using vWorkspace Sample Report Viewer or a third party tool. vWorkspace Reporting Components The primary vWorkspace Reporting components are: • Sample Report Viewer • Databases • Reporting Schema • Default Reports Sample Report Viewer vWorkspace Sample Report Viewer comes with a number of preconfigured SQL scripts. These scripts can be run to obtain real time and historical reports of an organization's virtual desktops, applications, Session Hosts, and Blade PCs managed by vWorkspace. This allows easy reporting of information, such as currently logged users and users logged on each month. 440 Managing the Virtual Workspace Sample Report Viewer Setup The vWorkspace Sample Report Viewer window is used to configure the connection to the reporting database and the maximum number of rows to return from a report query. This window is displayed at application start up if no connection settings exist, typically the first time the application is started. It can also be opened from the main vWorkspace Sample Report Viewer window from File | Setup. The following fields are provided in the vWorkspace Reporting Setup window. FIELD DESCRIPTION SQL Server Name or IP Enter the server name of the SQL server of the vWorkspace Reporting database. Use the following format: server_name\instance_name Database Name Enter the reporting database name. For example: vWorkspaceReporting_Database User Name Enter the name for the SQL account. Note: This account only needs read access to the vWorkspace Reporting database. We recommend that you only give read access to this account. Password Enter the password of the SQL account. 441 vWorkspace Administration Guide FIELD DESCRIPTION Max Number of Reporting Rows to Return Enter the default maximum number of rows to return for a report run. The default number is 1000. Note: This default can be can be changed on a per query basis from the main vWorkspace Report Viewer window. Save Click to save the settings. Saving automatically validates the settings. Validate Settings Click to validate the settings without saving. Validation includes checking that the database connection information is valid by creating a connection to the reporting database and reporting an error if this connection attempt is unsuccessful. Close Click to close the setup window. Clear Click to clear all of the settings on the window. How to ... Setup the Sample Report Viewer 1. Enter the appropriate information in the fields of the Sample Report Viewer window. 2. To validate the settings without saving them, click Validate Settings. If the settings are correct, the vWorkspace Sample Report Viewer Setup Validation Successful window displays to confirm the settings. 3. 442 Click Save, and then click Close. Managing the Virtual Workspace Using Sample Report Viewer The setup can be changed and reports can be run from the Report Viewer window. Report data is returned to the results pane in the vWorkspace Report Viewer window. The SQL pane shows the query that will be run. How to ... • Change the Setup • Open and Run Report Queries • Temporarily Change the Number of Rows to Return • Export Report Data • Copy SQL Text Change the Setup 1. To reconfigure settings, click File | Setup or use the shortcut, Ctrl + S to open the vWorkspace Reporting Setup window. 443 vWorkspace Administration Guide Open and Run Report Queries 1. Do one of the following to open the Open Report window: Select File | Open. – OR – Click Ctrl + O. 2. To open a report query file, select the file and then click Open, or double-click on the report query file. The query opens and includes the name, description, results table, and SQL information. 444 Managing the Virtual Workspace 3. Click Run for the report results. The number of rows in the result is displayed below the results table. Temporarily Change the Number of Rows to Return The application default number of rows to return can be changed using the vWorkspace Reporting Setup window. 1. This value can be temporarily changed by setting the value in the field, Max Rows to Return, and then click Run. 2. To reset the value back to the default, click Set to Default by the field, Max Rows to Return. Some notes about the Max Rows to Return field: • If the number of rows returned is less than the number of rows in the full rest set, a warning message is displayed under the results table. • When the SQL used to run the report contains the Union operator, all rows are returned. The message, This report requires that all rows be returned, is displayed. • If you make the value for the Max Rows to Return field too high, you may experience performance issues. Export Report Data When data is present in the results table, you can export it to a CSV file which can be loaded into a spreadsheet application, such as Microsoft Excel. 1. To export the data to a CSV file, do one of the following: • • • 2. Click Export of the vWorkspace Report Viewer window. All of the data in the table is exported. Right-click in the table, and select Export All. All of the data in the table is exported. Right-click in the table and select Export Selected. Only the selected rows are exported. Save the exported data by entering a File name and selecting the appropriate directory, then click Save. 445 vWorkspace Administration Guide Copy SQL Text The SQL used to run the report can be copied to the windows clipboard from the vWorkspace Report Viewer window. This makes it easier to reuse the SQL in your own reports. 1. Select the text to copy. 2. Right-click in the SQL text area. 3. Select Copy. Databases vWorkspace Reporting pulls data from two separate databases, the vWorkspace Farm database for real time metrics and the Reporting Database for historical metrics. vWorkspace Farm Database The vWorkspace Farm Database is the central repository for all information relative to a vWorkspace Farm. The vWorkspace Farm Database is required and must be available for any administrative function. The vWorkspace Farm Database stores three classifications of data: • Farm configuration data • Farm administrative tasks and results • Data regarding client connections to virtual desktops and RDSH The data in the vWorkspace Farm Database is used for real-time reporting. vWorkspace Reporting Database The Reporting Database is the core database in the vWorkspace Reporting architecture. Whenever an activity is carried out in the vWorkspace environment, such as the creation of a virtual machine or the logging on of a user, it is written to the vWorkspace farm database. SQL triggers in the vWorkspace database populate changes to the Reporting Database, so tables in the Reporting Database contain the history of all important activities in the vWorkspace Farm. SQL Views in the vWorkspace Reporting Database are designed to provide both historical and real-time views. 446 Managing the Virtual Workspace The vWorkspace Farm Reporting database tracks a large amount of information, and as a result, a large amount of data is collected in the vWorkspace Reporting Database. It is important to balance retaining history with data volume. To ease the management of the data, a data purge mechanism is installed with the vWorkspace Reporting Database. There are two controls, both accessible from the vWorkspace Reporting Database field of the farm properties: • Frequency of data expiry • Age of data expiry In order to ensure that minimal disk space is consumed, the defaults are very aggressive. • Purge Interval (data expiry task) in the Farm properties, is set to run every six (6) hours. • Data Expiration in the Farm properties, is set to expire data if it is older than fourteen (14) days. We would expect most customers to make the data expiry age value much longer than the default value, but the defaults are there to avoid unnecessary database bloat for customers who do not want to worry about changing the defaults. The reporting Database is recommended to be set at an initial size of four (4) GB with a 10% growth rate. If reporting is disabled, historical data is no longer added to the reporting database but real time reports still function. Reporting Schema Virtual Machines and Virtual Machine Pools The vWorkSpace Reporting tool provides history and real-time information of virtual machine activity. Administrators can access the VirtualMachinesRealtime View for historical information and VirtualMachinePoolsRealtime View for real-time information about the virtual machines. Users can also combine the information with the RemoteDesktopLogRealtime View to find more specific information with appropriate log messages. 447 vWorkspace Administration Guide Virtual machines are key components within a virtual desktop infrastructure. They allow concurrent operation of multiple, heterogeneous operating systems and applications within an enterprise with consolidated physical hardware and increased reliability. Quest’s vWorkspace reporting tool allows you access information about virtual machines and virtual machine pools using Report Queries. Real-time Views Schema Diagram The schema diagram below depicts the relationship between the real-time views: VirtualMachineRealtime, VirtualMachinePoolsRealtime, and RemoteDesktopLogRealtime. ReportGUID acts like a primary key of the tables for all of the views. VirtualMachinePoolGUID acts like the foreign key for the VirtualMachinePoolsRealtime view. VirtualMachineRecordGUID of RemoteDesktopLogRealtime acts like a foreign key for the VirtualMachineRealtime view. The historical views are: VirtualMachinesHistory, VirtualMachinePoolsHistory, and RemoteDesktopLogHistory. The historical data has the repetition of RecordGuid, ID is used as the unique field for each record, and acts as a primary key. The additional columns used in historical views are ChangedStatus and TimeStamp. Users can combine historical views with real-time ones to get a historical status of virtual machines. 448 Managing the Virtual Workspace View Column Definitions The following tables explain the columns used in the views. VirtualMachinesRealtime COLUMN RETURNED MEANING VirtualMachineName Name of the virtual machine. DNSName DNS Name of the virtual machine. ClientLogoOnState Log on status of present client. CurrentUser Current user of the virtual machine. CurrentState Current status of the virtual machine. LastTimeLoggedIn Last login time of user of virtual machine. CurrentClientDevice Name of current client device. VirtualMachineIPAddress IP address of virtual machine. PNToolsVersion Version of PNTools. MachineType Type name of virtual machine. PowerManaged Power managed virtual machine (True/False). VirtualMachineMACAddress MAC address of virtual machine. VirtualMachineOS Operating System of Virtual Machine VirtualMachineOSServicePack Service pack information of OS. CloneType Name of clone type of virtual machine. ExpirationAction Information on expiration action of virtual machine (Use Default/Suspend/Power Down/Delete/Shutdown Guest/Disable/None). InactivityAction Information on inactivity action of virtual machine (Use Default/Suspend/None). 449 vWorkspace Administration Guide NetworkOptimizationMaxConnections Number of max connections for network optimization. RDPPort Remote Desktop Protocol (RDP) port number. VirtualMachinePoolsRealtime COLUMN RETURNED MEANING PoolName Name of the pool in which the VM exists. PoolType Type of virtual machine pool. LogoffAction Information on log off action of pool (Use Default/Reset/Suspend/Reprovision Refresh). ExpirationAction Information on expiration action of pool (Use Default/Suspend/Power Down/Delete/Shutdown Guest/Disable/None). PowerManaged Power managed VM pool (True/False). StaticClientType Static client type of VM pool (User/Group/IP Address/ Client Name/ OU). RemoteDesktopLogRealtime COLUMN RETURNED MEANING Timestamp Time stamp of occurrence. RecordGUID Unique record ID. VirtualMachineRecordGUID Unique ID which relates to the VirtualMachinesRealtime view. MessageTime Occurrence time of log message. MessageText Description text of log message. MessageType_AsInteger Integer value used for message type. MessageType Type of log message (Success/Failure/Warning/Information). HostType_AsInteger Integer value used for host type. HostType Name of host type (RDSH(TS)/VDI). 450 Managing the Virtual Workspace Actions The vWorkspace Reporting tool provides historical and real time information of actions run on virtual desktops. Actions are the administrative tasks done on virtual desktops. These actions include powering up virtual desktops, taking a snapshot, MSI updates, Sysprep, and reprovisioning. These actions are from sources such as User and MSI Package. The Action views provide current and historical action status such as, name of the action, group name of action, action types, source of action, percentage completion, and virtual desktop details. Some examples of useful Action report queries are: • Locate all the historic actions on a particular virtual machine. • Obtain the status of actions on all virtual machines. • Define which VMs are currently running particular actions. The following views are used to retrieve the Action related from vWorkspace: • ActionsRealtime • ActionGroupsRealtime • ActionDetailsRealtime • ActionQueueRealtime • ActionSchedulesRealtime Users can combine the Action view information with VirtualMachineRealtime views to find the actions running on specified virtual machines. Actions View Schema Diagram The schema diagram below depicts the relationship between the ActionsRealtime, ActionGroupsRealtime, ActionDetailsRealtime, ActionQueueRealtime, ActionSchedulesRealtime, and VirtualMachineRealtime. Historical action details can be queried using the historical views provided by the vWorkSpace Reporting tool. These include ActionsHistory, ActionGroupsHistory, ActionDetailsHistory, ActionQueueHistory and ActionSchedulesHistory. 451 vWorkspace Administration Guide The historical data has the repetition of RecordGuid, ID is used as the unique field for each record, and acts as a primary key. The additional columns used in historical views are ChangedStatus and TimeStamp. In all of the views, RecordGUID acts as the primary key of the tables. All the views are related to each other in the following manner. 452 ActionQueueRealtime is connected to VirtualMachineRealtime through the VirtualMachineGUID. ActionQueueRealtime View is connected to ActionGroupsRealtime through ActionGroupGUID. ActionGroupGUID in ActionsRealtime connects both ActionGroupsRealtime and ActionsRealtime. ActionDetailGUID in ActionsRealtime connects ActionDetailsRealtime to ActionsRealtime. Managing the Virtual Workspace Actions Views Definitions The following tables explain the columns used in the views. ActionsRealtime COLUMN RETURNED MEANING RecordGUID Unique record ID. ActionDetailGUID Connects the records to ActionDetailsRealtime view. ActionGroupGUID Connects the records to ActionGroupRealtime view. TimeStamp Time stamp of occurrence. ActionGroupsRealtime COLUMN RETURNED MEANING GroupName Name of the group of action. RecordGUID Unique record ID. TimeStamp Time stamp of occurrence. ActionDetailsRealtime COLUMN RETURNED MEANING Timestamp Time stamp of occurrence. RecordGUID Unique record ID. ActionName Name of the action. ActionType_AsInteger Integer value of action type. ActionType Type of action. ActionSource_AsInteger Integer value of action source. ActionSource Source of action. 453 vWorkspace Administration Guide The following table explains all Action Types and Action Sources used in ActionDetailsRealtime. Action Types 454 KEY ACTION TYPE 0 None 1 Clone 2 Delete 3 Power up 4 Power down 5 Suspend 6 Resume 7 Restart guest 8 Take snapshot 9 Revert to snapshot 10 Reset 11 Shutdown guest 12 Remove from group 13 Standby 14 Copy file to virtual machine 15 Shell command 16 Initialize 17 Cancel 18 Log off user 19 Reset sessions 20 MSI updates 21 MSI uninstall 22 Enable or disable set 23 Wake up Managing the Virtual Workspace KEY ACTION TYPE 24 Configure virtual machine 25 Sysprep 26 Set bandwidth OPT 27 Reprovision Action Source ACTIONSOURCE_ASINTEGER ACTION SCOURCE 0 Built in 1 MSI package 2 User 455 vWorkspace Administration Guide ActionQueueRealtime COLUMN RETURNED MEANING RecordGUID Unique record ID. TimeStamp Time stamp of occurrence. ActionGroupGUID Connects the records to ActionGroupsRealtime view. CurrentActionGUID Connects the records to ActionsRealtime view. Status_AsInteger Integer value of current status of action. Status Current status of action. StartTime Start time of action. PercentComplete Percentage completion of action. CompletedTime Completion time of action. Message Descriptive message of action. PostedTime Action posted time. BrokerName Name of the broker. ActionQueue Status STATUS_ASINTEGER STATUS 0 None 1 Pending 2 In progress 3 Failed 4 Succeeded 5 Canceled 456 Managing the Virtual Workspace Applications and Application Restrictions The vWorkspace Reporting tool provides historical and real time information about applications and Application Restrictions. The real time views follow: • ApplicationPermissionsRealtime • ApplicationPermissionGroupsRealtime • ClientsApplicationPermissionsRealtime • ProgramsRealtime Applications are the programs installed on the hosting machines and can be published and accessed by clients (users). In the vWorkspace infrastructure, applications are installed on the following hosting machines: • Microsoft Windows Remote Desktop Session Hosts • Virtual desktops running Microsoft Windows XP/Vista/Windows 7 • Virtualized application packages stored on a Microsoft Application Virtualization Server. The vWorkspace user can also report on clients connecting to applications through a remote presentation services protocol (RDP or RGS) called Managed Applications. Application Restrictions is one of the important features used to manage applications in a vWorkspace infrastructure. It is the access control system that allows administrators to increase the overall security, reliability, and integrity of their Session Host environments. Some advantages of Application Restrictions are: • Guards against application spoofing. • Fights against virus infections. • Prevents users from executing unauthorized programs. • Grants access to applications by time and day. • Locks down the Session Host. In Application Restrictions, a list of program executables and program modules are organized into an application list, enabling administrators to grant or deny access to entire software suites, not just individual executables. The Application List is then associated with a group of Session Hosts, known as an Application Access Control Server Group. The Application List can then be assigned to one or more vWorkspace clients. 457 vWorkspace Administration Guide Schema Diagram The Schema Diagram below depicts the relationship between the views ApplicationPermissionsRealtime, ApplicationPermissionGroupsRealtime, ClientsApplicationPermissionsRealtime, and ProgramsRealtime. In all of the Views: RecordGUID acts as a primary key of the tables. ApplicationgroupGUID of ApplicationPermissionsRealtime view acts like the Foreign Key for ApplicationPermissionGroupsRealtime view. ApplicationgroupGUID of ClientsApplicationPermissionsRealtime view acts as a foreign key for ApplicationPermissionGroupsRealtime view. These real time views give users all the real time information and users can access the historical information using Historical Views corresponding to the previous views. The available built-in historical views are as follows: 458 • ApplicationPermissionsHistory • ApplicationPermissionGroups • History Managing the Virtual Workspace • ClientsApplicationPermissions • History • ProgramsHistory Since historical data has repetition of RecordGUID, ID is used as the unique field for each record, allowing ID to act as a primary key. The additional columns used in historical views, Changed Status and TimeStamp, keep track of all the records changed with the timestamp. Schema Description The following tables explain the columns used in the views. ApplicationPermissionsRealtime COLUMN RETURNED MEANING Timestamp Time stamp of occurrence. RecordGUID Unique record ID. ApplicationGroupGUID Unique ID that relates the view to ApplicationPermissionGroupsRealtime View. ApplicationPath Path of application. ApplicationPermissionGroupsRealtime COLUMN RETURNED MEANING Timestamp Time stamp of occurrence. RecordGUID Unique record ID. ApplicationGroupName Name of the group that application belongs. ApplicationGroupDescription Short description of application group. Category Category of application Group that is used to group multiple applications into a single category. TerminateApplications True or false value that confirms the termination of applications that are running outside of the access hours. TerminateApplications_AsInteger Integer value (0 or 1) used for TerminateApplications field. 459 vWorkspace Administration Guide ClientsApplicationPermissionsRealtime COLUMN RETURNED MEANING Timestamp Time stamp of occurence. RecordGUID Unique record ID. ApplicationGroupGUID Unique ID that relates the view to ApplicationPermissionGroupsRealtime view. ClientGUID Unique ID which relates the view to ClientsRealtime view. Programs Realtime COLUMN RETURNED MEANING RecordGUID Unique record ID. TimeStamp Time stamp of occurrence. ProgramName Name of the application used in the vWorkspace Management Console that is displayed in the AppPortal and Web-IT clients. Path Path of the program or application. Arguments Any argument that can be passed while starting the application. WorkingDirectory Path of working directory of application entered by a user. IconFile Each program having an icon file associated that is displayed on the vWorkspace Management Console, AppPortal, and Web-IT clients. IconIndex Index of icon file. ShowCommand ServerList Disabled Specifies whether an application is enabled or disabled. Disabled applications are not displayed in the client application list. Disabled_AsInteger Integer value 0 (enabled) or 1 (disabled). AppPortalDisabledMessage 460 Managing the Virtual Workspace Shortcut Application short cut (Desktop or Start Menu or Start Menu/Programs). SessionSharing ApplicationSourceServer Source server of application. IconSourceServer Source server of application icon. IsDesktop Defines if the application short cut is Desktop. IsDesktop_AsInteger Integer value IsDesktop field (0 or 1). FileExtensions File extension of programs. ApplicationType Type of application: 0 – None 1 - Application 2 – Desktop 3 – Content 4 – Content client VIPEnabled Specifies if Virtual IP features are enabled for the application. VIPEnabled_AsInteger Integer value VIPEnabled field: 0 - Disabled 1 - Virtual IP 2 - Virtual Loopback 3 - Client IP DesktopShortcutLocation Integer value of application shortcut location. ApplicationPermissionsGroup GUID Unique ID that relates the view to ApplicationPermissionGroupsRealtime view. ApplicationHostType Host Type of Application: 0 – Session Host 1 - Virtual Desktop VirtualMachinePoolGUID Unique ID which relates the view to VirtualMachinePoolsRealtime view. BitmapAcceleration Specifies the Graphic Acceleration setting options of Enabled, Disabled, or User Default. 461 vWorkspace Administration Guide BitmapAcceleration _AsInteger Integer value of Bitmap acceleration field: 0 – Enabled 1 - Disabled 2 - User Default Application Type KEY APPLICATION TYPE 0 None 1 Application 2 Desktop 3 Content 4 Content client VIPEnabled KEY MEANING VIPEnabled_AsInteger VIPEnabled 0 Disabled 1 Virtual IP 2 3 462 Virtual Loopback Client IP Managing the Virtual Workspace DesktopShortcutLocation KEY DESKTOPSHORTCUTLOCATION 0 None 1 Desktop 2 Start Menu 4 Start Menu/Programs DesktopShortcutLocation is a multi-value field. When more than one value is selected, value of application type will be the sum of the individual values. For example: a value of 7 indicates that all 3 options are selected for the application. Application Host Type KEY APPLICATIONHOSTTYPE 0 Session Host 1 Virtual Desktop Clients, Folders, and Locations The vWorkSpace Reporting tool provides historical and real time information about clients, folders and geographic locations. The following views are included: • ClientsRealtime • ClientsHistory • FoldersRealtiime • FoldersHistory • ClientFoldersRealtimne • ClientsFoldersHistory • GeoLocationsRealtime • GeoLocationsHistory 463 vWorkspace Administration Guide Clients are the end users of vWorkspace infrastructure. The type of clients follows: • Users: Any trusted Windows domain or local user account. • Groups: Any trusted Windows domain or local user account. • Device Addresses: IP address assigned to the client hardware device. • Device Names: NetBIOS name of the client device. • Organizational Units: Active Directory Organizational Unit containing the user, group, or computer account. Geographic Location is used to specify the location of one or more data centers and the computers and servers within those data centers. For example, we can name the location based on the office site. Schema Diagram The schema diagram below depicts the relationship between the views ClientsRealtime, FoldersRealtime, ClientFoldersRealtime, and GeoLocationsRealtime. In all the Views: 464 RecordGUID acts as a primary key of the views. FolderGUID and ClientGUID of ClientFoldersRealtime view act like the Foreign Key for FoldersRealtime view and ClientsRealtime view, respectively. Managing the Virtual Workspace GeoLocationGUID of FoldersRealtime view acts as a foreign key for the GeoLocationsRealtime view. Since historical data has repetition of RecordGUID, ID is used as the unique field for each record, acting as a primary key. The additional columns used in historical views are Changed Status and TimeStamp to keep track of all the records changed with the timestamp. 465 vWorkspace Administration Guide Schema Description The following tables explain the columns used in the views. ClientsRealtime COLUMN RETURNED MEANING Timestamp Time stamp of occurrence RecordGUID Unique Record ID ClientName Name of the Client ClientType Type of the Client ClientType_AsChar Integer value of client type TimeZoneName Name of the time zone. Client Type KEY CLIENT TYPE U User G Group I IP Address C Client Name O OU FoldersRealtime COLUMN RETURNED MEANING Timestamp Time stamp of occurrence. RecordGUID Unique record ID FolderType Type application folder type. FolderType_AsInteger Integer value of folder type. FolderName Name of the folder. GeoLocationGUID Unique ID that relates the view to GeoLocationsRealtime view. 466 Managing the Virtual Workspace Folder Type FOLDERTYPE_ASINTEGER FOLDERTYPE 0 AppPortal 1 Shell 2 Server ClientFoldersRealtime COLUMN RETURNED MEANING Timestamp Time stamp of occurrence. RecordGUID Unique record ID. ClientGUID Unique ID that relates the view to ClientsRealtime View. ProgramGUID Unique ID that relates the view to ProgramsRealtime View. FolderGUID Unique ID that relates the view to FoldersRealtime View. GeoLocationsRealtime COLUMN RETURNED MEANING Timestamp Time stamp of occurrence RecordGUID Unique Record ID GeoLocationName Geographical location name with one or more data centers. Default Reports vWorkspace Reporting includes a set of default reports that include: • Historical Reports • Real-Time Reports • Audits • Custom Reporting 467 vWorkspace Administration Guide Historical Reports The following default historical reports are available using the vWorkspace Report Viewer. REPORT NAME DESCRIPTION Failed Action Details in Last 24 Hours This report shows the details of failed actions (tasks) in the past 24 hours. It can be used to help identify what might be causing problems. Many failed actions highlight possible environment issues. If Virtual Machine Pools are deleted they do not appear in this report. Failed Action in Last 24 Hours by Pool Use this report to find the number of failed actions by pool in the past 24 hours. This report can be used to help identify what actions might be causing problems. Many failed actions highlight possible environment setup issues. If Virtual Machine Pools are deleted they do not appear in this report. Users Logged on Each Month This report shows the number of users who use vWorkspace each month. This is useful to monitor Virtual Desktop Take-up. This query only gets the information for virtual machine based virtual desktops and applications. Information for Session Hosts based applications and desktops is available in the RemoteDesktopLog table. Users Logged on in Last 24 Hours This report lists the pools that each user has logged in to in the past 24 hours. To create a report for a specific user, the script can be manually modified. For more details, open the report with the viewer and see the description. If Virtual Machine Pools are deleted they do not appear in this report. 468 Managing the Virtual Workspace Real-Time Reports The following default real time reports are available using the vWorkspace Report Viewer. REPORT NAME DESCRIPTION Assigned Applications by Application This report lists all assigned applications. Also listed are any application restrictions that have been applied. This is useful for determining whether appropriate applications have been assigned and if any restrictions in place are correct. Assigned Applications by User This report lists all assigned applications by client type and client. Also listed are any application restrictions that have been applied. Current Action Backlog by Pool This report shows the number of pending actions (tasks) in each pool. It can be used to help determine if there is a large backlog of pending actions (tasks). A large backlog may be the cause of other performance related issues. Current Action Backlog Details This report returns all current pending action (task) details. It can be used to help determine the details of a large backlog of pending actions (tasks). A large task backlog may be the cause of other performance related issues. Current TS EOP Config by Server This report gives the current EOP configuration for each Session Host. It provides a glance check to see if the appropriate EOP settings have been applied. Current VM EOP Config by Server This report gives the current EOP configuration for each VM Pool. Note that where overrides have been configured for a specific VM, the report shows that VM's individual settings. It provides a glance check to see if the appropriate EOP settings have been applied. Number of Users Logged On Now by Virtual Machine Pool This report finds the number of users logged into each pool at the time the report is run. Users Logged on Now by Pool This report finds the number of users logged into each pool at the moment the report is run. This report can be used to help determine the impact of a change, for example, who is affected by unplanned maintenance. 469 vWorkspace Administration Guide REPORT NAME DESCRIPTION Number of Queued Actions by Pool This report is used to find the number of pending actions per virtual machine pool. A large action backlog typically indicates either configuration or load distribution issues. Audits The following default audits are available using the vWorkspace Report Viewer. REPORT NAME DESCRIPTION Count of Requested Actions by Pool Past 24 Hours This report shows the total number of actions requested by an administrator by pool in the past 24 hours. Count of Requested Admin Actions on Virtual Machines in Last 24 Hours Grouped by Administrator This report lists, by Administrator, all admin actions on virtual machines within the last 24 hours. Count of total requested admin actions on Virtual Machines in last 24 Hours This report lists a total number of actions requested by an administrator on virtual machines in the past 24 hours. Failed Action Details in Last 24 hours This report lists the failed actions in the past 24 hours with details, including the administrator who initiated the action. List of completed actions in Last 24 hours This report lists all administrator requested actions in the past 24 hours which have completed (success or failure), with details including the administrator who initiated the action. Successful Action Details in Last 24 hours This report lists the successful actions in the past 24 hours with details, including the administrator who initiated the action. Custom Reporting Custom reporting involves creating SQL scripts that can be run against the farm database or the Reporting database. Listed below is a series of sample SQL scripts. 470 Managing the Virtual Workspace The following is an example of a report query that uses the schema described above. This query can be run in vWorkspace Report Viewer to generate a report which gives the number of users logged into each virtual desktop at present. This report can be used to determine the impact of an infrastructure change, for example, due to unplanned maintenance. SELECT PoolName as [Pool Name], COUNT(DISTINCT CurrentUser) AS [Number of Users] FROM VirtualMachinesRealTime JOIN VirtualMachinePoolsRealTime ON VirtualMachinePoolGUID = VirtualMachinePoolsRealtime.RecordGUID GROUP BY PoolName The following is an example of a report query that uses the schema described above. This query can be run in vWorkspace Report Viewer to find all current pending action details. This report can be used to help determine the details of a large backlog of pending actions. SELECT DISTINCT PostedTime AS [Posted], PoolName AS [Pool Name], VirtualMachineName AS [Computer], ActionName AS [Task Item], ISNULL(CAST(StartTime as CHAR), '<As soon as possible>') AS [Start Time], ISNULL(Message, '') AS [Message] 471 vWorkspace Administration Guide FROM ActionQueueRealTime JOIN ActionsRealTime ON ActionsRealTime.RecordGUID = ActionQueueRealTime.CurrentActionGUID JOIN ActionDetailsRealTime ON ActionDetailsRealTime.RecordGUID = ActionsRealTime.ActionDetailGUID JOIN VirtualMachinesRealTime ON VirtualMachinesRealTime.RecordGUID = ActionQueueRealTime.VirtualMachineGUID JOIN VirtualMachinePoolsRealTime ON VirtualMachinePoolsRealTime.RecordGUID = VirtualMachinesRealTime.VirtualMachinePoolGUID WHERE ActionQueueRealTime.Status = 'Pending' The following is an example of a report query that uses the schema described above. This query can be run in vWorkspace Report Viewer to List all assigned applications and its restrictions. This report is useful for determining whether appropriate applications have been assigned. SELECT LOWER(Path) AS [Path], ProgramName, ClientType,ClientName,'' AS [Restrictions] FROMClientFoldersRealtime JOIN 472 ClientsRealtime Managing the Virtual Workspace ON ClientsRealtime.RecordGUID = ClientFoldersRealtime.ClientGUID JOIN ON ProgramsRealtime ProgramsRealtime.RecordGuid = ProgramGUID UNION SELECT LOWER(ApplicationPath), ApplicationGroupName, ClientType, ClientName,ClientsApplicationPermissionsRealTime.Schedule FROM JOIN ClientsApplicationPermissionsRealtime ClientsRealtime ON ClientsRealtime.RecordGUID = ClientsApplicationPermissionsRealtime.ClientGUID JOIN ON ApplicationPermissionGroupsRealtime ApplicationPermissionGroupsRealtime.RecordGUID = ClientsApplicationPermissionsRealtime.ApplicationGroupGUID JOIN ON = ApplicationPermissionsRealTime ApplicationPermissionsRealTime.ApplicationGroupGUID ClientsApplicationPermissionsRealtime.ApplicationGroupGUID 473 vWorkspace Administration Guide WHERE ClientsApplicationPermissionsRealtime.Schedule <> 'Allow All' ORDER BY Path, ClientType, ClientName The following is an example of a report query that uses the schema described above. This query can be run in vWorkspace Report Viewer to list all assigned applications by client details and its restrictions. SELECT ClientType,ClientName, LOWER(Path) AS [PATH],ProgramName, '' AS [Restrictions] FROM ClientFoldersRealtime JOIN ClientsRealtime ON ClientsRealtime.RecordGUID = ClientFoldersRealtime.ClientGUID JOIN ProgramsRealtime ON ProgramsRealtime.RecordGuid = ProgramGUID UNION SELECT ClientType, ClientName, ApplicationPath, ApplicationGroupName, ClientsApplicationPermissionsRealTime.Schedule FROM ClientsApplicationPermissionsRealtime JOIN ClientsRealtime ON ClientsRealtime.RecordGUID = ClientsApplicationPermissionsRealtime.ClientGUID 474 Managing the Virtual Workspace JOIN ApplicationPermissionGroupsRealtime ON ApplicationPermissionGroupsRealtime.RecordGUID = ClientsApplicationPermissionsRealtime.ApplicationGroupGUID JOIN ON ApplicationPermissionsRealTime ApplicationPermissionsRealTime.ApplicationGroupGUID = ClientsApplicationPermissionsRealtime.ApplicationGroupGUID WHERE ClientsApplicationPermissionsRealtime.Schedule <> 'Allow All' ORDER BY ClientType, ClientName, Path 475 vWorkspace Administration Guide 476 6 Managing the User Experience • Overview • Universal Printing • Virtual User Profile Management • EOP (Experience Optimization Protocol) • USB Devices • Load Balancing • Performance Optimization • Application Compatibility Enhancements • Virtual IP • Additional Components vWorkspace Administration Guide Overview What end users think of an applied IT solution can go a long way in increasing the likelihood of a successful project. Quest vWorkspace includes features that help organizations provide users, connected to a virtual workspace, with an experience similar to working on a physical desktop. You can optimize and manage the end-user experience by utilizing these tools within the vWorkspace farm, and by providing seamless and reliable access to resources such as network drives, registry keys, user profiles, and printers. vWorkspace offers a single-driver printing solution that supports printer mapping in user sessions and helps you configure user access to client-side, network, and remote-site printers. User Profile Management components can be utilized to help you centrally store user profile settings and retrieve them when a user logs on to a virtual workspace. Connections to Remote Desktop Session Hosts and virtual machines hosted on Hyper-V hypervisors can be grouped and managed so that the workload is equally distributed and balanced across the group of servers. Farm utilization and management and be tracked and reported using vWorkspace Reporting. This chapter discusses the following components and optimizing extensions of the vWorkspace solution: 478 • Universal Printing • Virtual User Profile Management • EOP (Experience Optimization Protocol) • Load Balancing • Performance Optimization • Application Compatibility Enhancements • Virtual IP • vWorkspace Password Reset Service • Proxy-IT Managing the User Experience Universal Printing Quest vWorkspace Universal Printer is a single driver printing solution that satisfies both client-side and network printing needs in a vWorkspace environment. In addition to its driver-independent approach to printing, benefits include: • Support for both EMF and PDF modes of printing. • No requirement for Adobe Acrobat Reader on the client. • No requirement for the server side fonts to be preinstalled on the client. • Size optimized print streams. • Adaptive compression technology (multiple compression algorithms for color and black and white images). • Bandwidth usage control and intelligent font embedding (only fonts that do not exist on the client are embedded inside the print stream). • Partial font embedding (only the used portion of fonts are embedded inside the print stream). • Excellent print quality. • Incredible print performance and reliability. • Page level streaming for instant printing of large size documents. • Support for native printer features, such as bins, paper sizes, margins, and print quality. • Support for private printer features, such as manufacturer specific features of stapling and watermarks. • Support for the RAW data type. • Multiple printer naming options. • Synchronous or asynchronous printer creation, which ensures the creation of at least one printer before the server side application is started. • Clientless support for LAN connected print servers. • Clientless support for remote site print servers in situated and distributed environments. • Support for virtually any printer make and model. 479 vWorkspace Administration Guide Universal Printer Components The primary Universal Printer components are: • Universal Print Driver • Universal Network Print Services Universal Print Driver Universal Print Driver enables driver-independent, universal printing to client-side printers, corporate, and remote site printers in a distributed enterprise. The options of Universal Network Printer Auto-Creation and Universal Client Printer Auto-Creation enable users to access printers, either network or client without the need for printer specific drivers to be installed on the RD Session Host. • Universal Client Printer Auto-Creation — Enables users to autocreate and print to their client side printers using a single universal print driver, eliminating the need to install printer specific drivers on RD Session Host. • Universal Network Printer Auto-Creation — Enables users to connect and print to shared network printers using a single universal print driver, eliminating the need to install printer-specific drivers on RD Session Host. Universal Client Printer Auto-Creation Option The Universal Network Printer Auto-Creation option enables client side printers to be autocreated during logon for each user session. For each client printer, Universal Printers autocreates and configures a server side printer using the universal print driver that has the same printer features as the client printer. Client printer autocreation relies on a custom virtual channel driver to transfer the print job from the server to the client. This mode of operation requires the universal print driver client software to be installed on the client computers. Administrators specify what types of client printers to autocreate, as well as allowing users to choose which printers that can be autocreated.The types of client printers that can be autocreated include: 480 Managing the User Experience • Local printers • Network printer connections • Only the default printer • All the printers and printer connections Administrators can also configure several preferences and performance parameters including the printer naming convention, print bandwidth upper limit, and compression options. To enable the autocreation of client printers, the following criteria must be met: • The Universal Client Printer Auto-Creation feature must be installed on to every Session Host to which users connect. • The Client Printer Auto-Creation options, at least one, must be enabled on every Session Host to which users connect. • The universal print driver software must be installed on the client device, which is installed as part of the vWorkspace Client installation. • The Auto-Creation options, at least one, must be enabled in the client. • The Universal Printers virtual channel must be enabled on the client. To print to an autocreated client printer, the user simply selects the Print command, and a list of printers is presented to them. Print preview is also available by selecting the Preview before printing from the PNTray menu. Universal Network Printer Auto-Creation Option Shared network printers can be autocreated for vWorkspace clients when logging on to a Session Host session using Windows native print drivers, the vWorkspace Universal Print driver, or both. When installed on a traditional Windows network print server, printers are auto-created and shared using the universal print driver. These printers have the same features as the original network printer. Once the Universal Printers have been created and shared, they can be assigned to the appropriate clients using the vWorkspace Management Console, or if appropriate, scripted logic. Printer connections are established successfully because the same driver is also installed on the servers. Because the connections are to the universal print driver printers and not the original printers, the manufacturer-specific print drivers do not need to be present on the server, leaving them driver-free. 481 vWorkspace Administration Guide When the universal print driver does not support a specialized feature of a printer or the driver is not compatible with a print device, autocreated printers can be assigned to clients using the native driver for that printing device. The network printer autocreation mode is a clientless mode; it does not require installing the universal print driver client software on the client supporting devices. Auto-creating shared network printers for vWorkspace clients using the vWorkspace Universal Print Driver involves the following items: 482 • Install vWorkspace Universal Network Print Server Extensions on to the Windows-based print servers. • Install and share the desired printers on the Windows based print servers as normal. • Add the Windows based print servers as print servers in the vWorkspace Management Console. • Select the printers to be defined as universal print driver printers in the vWorkspace Management Console. • Assign the printers to the appropriate vWorkspace clients from the vWorkspace Management Console. Managing the User Experience Universal Printer Properties When the Universal Client Printer Auto-Creation or Universal Network Printer Auto-Creation options are installed on an RD Session Host, the vWorkspace Universal Printer Properties Control Panel applet is used to control the server’s print settings. Below is a description of the tabs and options that are available. General Tab UNIVERSAL PRINTER PROPERTIES GENERAL TAB DESCRIPTION Print Data Format The options are PDF or EMF. Note: It is recommended that you use EMF, as it is a more robust printing mechanism. 483 vWorkspace Administration Guide UNIVERSAL PRINTER PROPERTIES GENERAL TAB Client Printer Auto-Creation Options DESCRIPTION • Auto-create default printer — Creates a printer mapping only to the default printer on the client device. Note: By selecting the Auto-create default printer option, any other Client Printer Auto-Creation options that are also selected do not apply. • Auto-create local printers — Creates a printer mapping for all of the local printers defined on the client device. • Auto-create network printers — Creates a printer mapping for every network printer defined on the client device. • Inherit auto-creation settings from client — Autocreates printers based on the properties set on the client device. Client Printer Auto-Creation Wait Mode • Auto create only default printer synchronously — Requires the mapping to the client’s default printer to be completed before presenting the application or desktop window to the user. • Auto create all printers synchronously — Requires every printer on the client device to be mapped before presenting the application or desktop window to the user. This is the slowest method for login. • Auto create all printers asynchronously — Allows the presentation of the application or desktop window to the user without requiring printer mappings to be made first. This allows for the fastest login. 484 Managing the User Experience UNIVERSAL PRINTER PROPERTIES GENERAL TAB Advanced Options DESCRIPTION • Auto-create printers with full permissions — Elevates user permissions to Full Control for all mapped printers. This is sometimes a requirement for printing with certain legacy applications. • Delete auto-created printers when sessions disconnect — Causes all mapped printers to be deleted from the server if a user’s session is disconnected. Enabling this feature can improve the reliability of printing in a multi-user environment. • Synchronize default printer on client and server — Enables synchronizing the settings of the default printer in the user’s Session Host session with those of the default printer of the session running on the client device. Compression Tab Controls when and to what extent compression is applied to the printer output. The options on the window depend on the Print Data Format, either PDF or EMF, that is chosen on the General tab. 485 vWorkspace Administration Guide EMF Format 486 Managing the User Experience UNIVERSAL PRINTER PROPERTIES COMPRESSION TAB EMF Format DESCRIPTION Data Compression controls the level of compression used for text. Level choices include: • No compression • Minimum (best speed) • Low • Medium • High • Maximum (smallest size) JPEG Image Compression controls the level of compression used for graphic images. Selectable Level options are: • No compression • Minimum (best quality) • Low • Medium • High • Maximum (smallest size) 487 vWorkspace Administration Guide PDF Format 488 Managing the User Experience UNIVERSAL PRINTER PROPERTIES COMPRESSION TAB PDF Format DESCRIPTION Black & White Image Compression controls the algorithm used for compressing text and graphics. Algorithm choices include: • Default compression • CCITT Fax Group 4 Color Image Compression controls the algorithm and quality level of compression used for color images. Selectable Algorithm options are: • Automatic (recommended) • Default compression • 256 compression • JPEG compression Selectable options for Quality Level are: • Maximum (largest file size) • High • Medium • Low • Minimum (smallest file size) Remove duplicate images, if selected, embeds the image once inside the print stream for the purpose of minimizing the use of bandwidth. For example, an image of a logo embedded in a header would only be embedded once. 489 vWorkspace Administration Guide Naming Tab The Naming tab is used to control which client printer naming convention to use when naming autocreated client printers. UNIVERSAL PRINTER PROPERTIES NAMING TAB Client Printer Naming Convention DESCRIPTION • Printer Name [Session #] • Printer Name [Client Name:Session #] • Printer Name [User Name:Session #] • [Client Name:Session #] Printer Name • [User Name:Session #] Printer Name • Printer Name [User Name] • [User Name] Printer Name Use UNC names to client network printers 490 Select if you want to use UNC names. Managing the User Experience Bandwidth Tab Use the bandwidth control slider to limit the amount of bandwidth consumed for printing purposes with each user session on the RD Session Host. The range is between 5 Kbps and 2 Mbps. 491 vWorkspace Administration Guide Upgrade Tab Auto Client Upgrade Options can be used to upgrade older versions of the universal print driver on the client device with a newer one. To enable this capability, select Automatically upgrade clients to new version, and enter the path and file name of the Universal Printers client installer package in the input box, or browse to it by clicking the folder icon. This location needs to be the same on the local computer of each server running the server. You should not select this option if you are using vWorkspace Enterprise or Desktop Services editions, as the universal print driver is already built into the vWorkspace client. 492 Managing the User Experience Logging Tab The settings on this tab are used to enable trace logging for universal print driver printers and the Print Monitor. If options are enabled, use the input boxes to enter or browse to identify the path and file name of log files. This tab is primarily used by Quest vWorkspace Support to assist in troubleshooting. 493 vWorkspace Administration Guide License Tab The License tab is only used when the universal print driver has been purchased on a per server basis and is not using concurrent user licensing modes. 494 Managing the User Experience Server Farm Tab The Server Farm tab is used to propagate property settings to other servers within your server farm. UNIVERSAL PRINTER PROPERTIES SERVER FARM TAB Server Types DESCRIPTION Filters the display of servers by type. Available types include: • Terminal Servers • vWorkspace Servers • Custom Server List Propagate When selected, the universal printer settings are propagated to all the servers that were selected. 495 vWorkspace Administration Guide Notification Tab The Notification tab is used when administrators want a customized print notification to be sent to user sessions. UNIVERSAL PRINTER PROPERTIES NOTIFICATION TAB DESCRIPTION Display notification below when printing Select this option for a printing notification message. Title Type the text that is to be displayed on the title bar of the message window. Message Type the text for the print notification message. 496 Managing the User Experience PDF Publisher This option enables the creation of a PDF file of any print job that is sent to the PDF printer. UNIVERSAL PRINTER PROPERTIES PDF PUBLISHER DESCRIPTION Create the Universal Printer PDF Publisher on this server When selected, autocreates a PDF Publisher printer for each user session on this server. Show Universal Printer PDF Publisher menu items on client When selected, a PDF publisher options menu item is added to the Universal Printers section of the PNTray context menu. Universal Printer Client Properties The Universal Printer Client Properties is installed as part of the client installation and is used to set various printing options. The Universal Printer Client properties apply only to autocreated client printers, and not to Universal Printers assigned by the vWorkspace Management Console. 497 vWorkspace Administration Guide The Universal Printer Client Properties can be accessed in Control Panel, from the Start option, or from the PNTray as a context menu option once a session to a RD Session Host has been established. The tabs and options available on the Universal Printer Client Properties window are described below. UNIVERSAL PRINTER CLIENT PROPERTIES GENERAL TAB Auto-Create Options • Auto-create default printer only— Creates a printer mapping to the default printer only, on the client device. • Auto-create local printers — Creates a printer mapping for each local printer defined on the client device. • Auto-create network printers — Creates a printer mapping for each network printer defined on the client device. • Auto-create specified printers only — Creates only the printers selected by the user. 498 Managing the User Experience Performance Options • Use Printer Properties Cache — Allows printer properties from previous sessions to be cached and used, instead of having to reenumerate them each time a session is set up. UNIVERSAL PRINTER CLIENT PROPERTIES BANDWIDTH TAB Enables the user to specify the amount of bandwidth available for printing. UNIVERSAL PRINTER CLIENT PROPERTIES LOGGING TAB Enables logging for troubleshooting purposes. Universal Network Print Services Universal Network Print Services enhances the user’s print experience and simplifies network printer manageability in vWorkspace environments by automatically creating shared network printer mappings throughout a distributed enterprise, using a single universal print driver. The following Universal Network Print Services printing options are available for installation on Windows based network print servers: • Universal Network Print Server Extensions — Installs on existing dedicated Windows network print servers. Eliminates the need of installing large numbers of drivers on Remote Desktop Session Hosts and managed computers by using a single universal print driver to create shared network printers. Also improves network print performance by taking advantage of the highly efficient compression engine found in the vWorkspace Universal Print Driver. • Universal Print Relay Service for Remote Sites — Installs on remote site and branch office network print servers and works in conjunction with Universal Network Print Server Extensions to extend the benefits of the universal printing architecture across the enterprise. Includes encryption, compression, and bandwidth usage control for high performance and security. These options enable file servers to efficiently store user profile settings and enhance the accessibility to corporate and remote site print servers through autocreating and sharing network printers using a single universal printer. 499 vWorkspace Administration Guide Universal Network Print Server Extensions Option The Universal Network Print Server Extensions option is used to install the universal print driver onto Microsoft Windows print servers. This option eliminates the need for brand specific print drivers to be installed onto RD Session Host and hosted desktops; instead using a single, universal print driver. This option can also be used along with the Universal Print Relay Service for Remote Sites to further optimize the printing process. How to ... • Setup Universal Printers • Add Network Printers • Assign Printers to Clients • Universal Print Relay Service for Remote Sites Setup Universal Printers 500 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then click Printers. 3. Click Manage Print-IT Printers on the toolbar of the information pane. It is the computer icon with the letter U. 4. Click Add on the Print-IT Servers on the Manage Print-IT Printers window. 5. Type the NetBIOS name or IP address of the Windows print server or browse to it by using the ellipsis on the Add Print Server window. Managing the User Experience 6. Click Add below the Print-IT Printers section to select printers to be created as Print-IT printers. 7. Browse to the Microsoft Windows Network and select the printer or printers in the Select Network Printer window. You may select printers shared from any Windows server, not just those with Print-IT installed on them. Use Ctrl to make multiple selections. 8. Click Close to complete the task. Add Network Printers If a device or print feature is incompatible with Universal Printers, use the following steps to configure autocreation of network printers using their native drivers. 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then click Printers. 3. Click Manage Network Printers on the toolbar of the information pane. It is the computer icon with the letter N. 4. Click Add on the Print Server frame on the Manage Network Printers window. 5. Type the NetBIOS name of the Windows print server or use the ellipsis to browse to it, on the Add Print Server window. 6. To select printers to be autocreated, select the desired server from the list in Print Servers. 7. Select each print to be autocreated in Shared Printers on. 501 vWorkspace Administration Guide 8. Click Close to complete the task. Printers created using native Microsoft Windows print drivers are named using the names that appear in the Printer and Faxes folder of the client device. However, once they are added to the vWorkspace database, the name can be changed. Assign Printers to Clients Universal printers and Network Printers must be assigned to vWorkspace clients before they can be autocreated. 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then click Printers. 3. Click Toggle Client Assignment List Display on the toolbar of the information pane to change the layout. 4. Select a printer or printers from the list of Network Printers or Universal Printers. You may select printers shared from any Windows server, not just those with Universal Printers installed on them. 5. Use Assign to assign the printers to clients. 6. Click OK to close the Select Clients window. Universal Print Relay Service for Remote Sites Universal Print Relay Service for Remote Sites is a WAN-optimized adaptation of the vWorkspace Universal Network Print Services. Organizations with geographically disbursed offices containing one or more local print servers can use Universal Print Relay Service for Remote Sites to allow their branch office users to access and print from server based applications hosted at the central office. Application service providers (ASP) might also use this service to deliver bandwidth efficient printing capabilities to their customers over private links, Internet, and VPN connections. The advantages of using Universal Print Relay Service for Remote Sites include: • 502 Clientless printing — The client software does not need to be installed on the remote clients; only Universal Print Relay Service for Remote Sites needs to be installed on the remote site print servers. Managing the User Experience • Bandwidth management — The print streams are sent on a WAN link at a preset rate, specified in Kbps, to prevent a print job from consuming all the available bandwidth. • Size optimization — The print streams produce as small as 10 percent of the size of conventional PCL or Postscript print jobs using techniques such as intelligent/partial font embedding, duplicate image removal, and dynamic compression. The process of deploying the Universal Print Relay Service for Remote Sites involves the following items: • Install the Universal Print Relay Service for Remote Sites on the print servers at each remote site. • Use the Universal Printer Site Relay Control Panel applet to configure network communication parameters and identify the printers that are to be exported to vWorkspace clients when connecting to a vWorkspace RD Session Host. • Import the exported network printers from each remote site. Each imported printer is created as a universal printer and shared from a designated print server. • Assign the printers to the appropriate vWorkspace clients. Mutual machine level authentication can be configured using an assigned shared pass phrase. Once authenticated, the Universal Printer Site Relay server and Universal Network Print server can encrypt the print data before it is passed across the WAN link, eliminating the requirement for complex Windows or Kerberos trust relations and obtaining commercial server certificates. Universal Print Relay Service for Remote Sites can be configured to use any port that security administrators allow to be open on the firewalls. How to ... • Configure Universal Print Relay Service for Remote Sites • Add Remote Relay Servers • Import Remote Printers 503 vWorkspace Administration Guide Configure Universal Print Relay Service for Remote Sites 1. Open the Quest Universal Printer Site Relay applet from the Control Panel. The system opens the Universal Printer Site Relay Properties window. 2. Complete the following information on the General tab. Remote Site Relay Information This section is used to configure the network communication protocol and security used by Universal Print Relay Service for Remote Sites on this server. TCP Port Enter a port number. Default is 82. Secret Pass Phrase Enter a secret pass phrase for mutual machine level authentication when Use Encryption is selected. A maximum of 20 alphanumeric characters is allowed. 504 Managing the User Experience Use Encryption Select for encryption between the Universal Printer Site Relay server and the Universal Printers print server. Bandwidth Control Select the maximum amount of network bandwidth allowed for passing print data to an exported printer on the Universal Printer Site Relay server from a server. The bandwidth limit is set on a per exported printer basis, allowing each printer to receive the maximum bandwidth limit. 3. Complete the following information on the Export List tab. a) Select the printer or printers to be exported. The list of printers that appear here are the ones that have been installed and shared on the Universal Printer Site Relay server. b) Select Properties to set printing preferences for each printer. c) Select Use Printer Properties Cache, if appropriate. 505 vWorkspace Administration Guide 4. Complete the Logging tab if you need to enable trace logging for troubleshooting. 5. Click OK. After making configuration changes using the Universal Printer Site Relay Control Panel applet, it may be necessary to restart the vWorkspace Universal Printer Site Relay service for the changes to be implemented. Manage Relay Servers Once Universal Printer Site Relay servers have been configured, their exported printers can be imported into the vWorkspace infrastructure database. In addition to creating a database object representing each printer, the import process also creates and shares a new printer using the universal print driver on the designated print server. Add Remote Relay Servers 506 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then select Printers. 3. Click the Manage Print-IT Printers icon from the toolbar of the information pane. 4. Click Site Relay on the Manage Print-IT Printers window. 5. Select the Manage Relay Servers tab. 6. Click Add. 7. Enter the name or IP address of the Universal Printer Site Relay server to be added or browse to select it using the ellipsis, and then click OK. Managing the User Experience 8. Select Add new site on the Add Relay Server window, and then click OK. 9. Enter the name for the new site on the New Printer Relay Site window, and then click OK. 10. Enter the two letter suffix to be used to identify the site, and then click OK. 11. Enter and confirm the secret Pass Phrase to be used for authentication to the Print-IT Remote Site Relay server, and then click OK. 12. Set the TCP Port number to the appropriate value. 13. Set the Bandwidth limit for printing. The bandwidth value that is the lowest, either on the relay server or the print server, is the value that is used. 14. Repeat step 6 to step 11 for each additional remote Universal Printer Site Relay servers. 15. Click OK to complete the task. Import Remote Printers 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then select Printers. 3. Click the Manage Print-IT Printers icon from the toolbar of the details window. 4. Click Site Relay on the Manage Print-IT Printers window. 5. Select the Import Remote Printers tab. 6. Select the Universal Printer Site Relay server that is to be used to import the Relay Sites and Relay Servers listed. 7. Select the server from the list of Print-IT Servers in which the imported printers are to be created. 8. Click Import Now to start the import process. 9. Review the message box confirming the import process has been initiated, and then click OK. 10. Click Close to close the Print-IT Relay Servers window. 11. Click Close on the Manage Print-IT Printers window. 507 vWorkspace Administration Guide Printers Window in vWorkspace Management Console Once printers have been added to the vWorkspace Management Console, you can change the printer properties, assign printers to users, and view the printers by using the following path: vWorkspace Management Console| Resources |Printers The Printers window in the details pane includes information such as: • Listing of the network printers, as well as the universal printers. • Naming conventions for the printers are as follows: • 508 • Universal printers are designated with a (U) after their name. • Printer names that are relay site related appear with the administrator designated two digit suffix. Printer properties for the printers can be viewed and edited by right-clicking on the printer. Managing the User Experience Assign Remote Printers to Clients Printers imported from Universal Printer Site Relay servers are assigned to vWorkspace clients in the same manner as Universal Printers and Network Printers. Imported printers are listed under Universal Printers on the details pane of the Resource | Printers section of the vWorkspace Management Console, and have the two letter remote site suffix appended to their names. 1. Open the vWorkspace Management Console. 2. Expand Resources, and then click Printers. 3. Do one of the following: a) Right-click on the printer in the navigation pane to which users are to be assigned, and select Assign option. b) Highlight the printer in the navigation pane, and then click the Assign icon, which is the plus sign inside a blue circle. 4. Select the client or clients for the assignment from the list, and then click OK. You can multiselect by using the Ctrl button. Universal Printer Properties The properties for a Universal printer can be set by the vWorkspace administrator. View and Edit Universal Printer Properties 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then click Printers. 3. Click Toggle Client Assignment List Display on the toolbar of the information pane to change the layout. 4. Right-click the printer from the list of Universal Printers. 5. Select Properties from the context menu to view and edit the properties. 6. On the General window, change the printer name, as appropriate, and then click Apply. 7. Select PDF or EMF on the Data Format window, and then click Apply. 509 vWorkspace Administration Guide 8. Select the image compression options of the Performance Options window, and then select Apply. The options presented depend on the Print Data Format selected. For PDF format the available options are: • B & W Image Compression • Color Image Compression • Color Image Quality Level • Duplicate Images Removal For EMF format, the available options are: 9. • Data Compression Level • JPEG Image Compression Level Change the client assignments, as appropriate, and then click Apply. 10. Change permissions as appropriate, and then click Apply. 11. Click OK to complete the task and save changes. – OR – Click Cancel to close without saving the changes. 510 Managing the User Experience Network Printer Properties The properties for a Network printer can be set by the vWorkspace administrator. View and Edit Network Printer Properties 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then click Printers. 3. Click Toggle Client Assignment List Display on the toolbar of the information pane to change the layout. 4. Right-click the printer from the list of Network Printers. 5. Select Properties from the context menu to view and edit the properties. 6. Change the client assignments, as appropriate, and then click Apply. 7. Change permissions as appropriate, and then click Apply. 8. Click OK to complete the task and save changes. – OR – Click Cancel to close without saving the changes. 511 vWorkspace Administration Guide Virtual User Profile Management Quest vWorkspace Virtual User Profiles (MetaProfiles-IT) is an alternative to roaming profiles. Virtual User Profiles eliminate potential profile corruption and accelerate logon and logoff times by combining the use of a mandatory profile with a custom persistence layer designed to preserve user profile settings between sessions. The following is a list of the features and benefits of Virtual User Profiles: • Assign Virtual User Profiles for both RD Session Host and computer groups. • Combines the persistence of a conventional roaming profile with the speed and robustness of a mandatory profile. • Achieves unprecedented logon speeds and stability levels (time to load mandatory profile + 1- 2 seconds). • Multiple profile data sets per user account to satisfy multifarm and server silo requirements. • Data sets can include HKCU registry subkeys and special folders. • Data sets can be merged into mandatory profiles, synchronously or asynchronously. • Data set sizes are typically around 50-200KB. • Users do not require access permissions to the file servers storing the data sets. • Temporarily use with local or roaming profiles, which is useful if current profiles contain user settings that must be preserved upon permanently switching to mandatory profiles. • No scripting required. • Relies on Windows events such as Logon, Logoff, Connect, and Disconnect. • Database driven management console. Virtual User Profiles may be temporarily used in conjunction with existing local and roaming profiles until the relevant data has been completely exported from these profiles. Users whose data has been exported can then be reconfigured to use a mandatory profile. Virtual User Profiles does not support roaming between different generations of Microsoft Windows. For example, a user cannot roam from an Microsoft Windows XP computer, and then log on to a Microsoft Vista computer and have their profile follow them, as XP and Vista are not the same generation. 512 Managing the User Experience There are three components of Virtual User Profiles: • User Profile Storage Server — This option is part of the Peripheral Server Extensions and is only available if RD Session Host is not detected. • User Profile (Agent for Session Hosts) — This option installs on Session Hosts. Once installed, it creates the Quest User Profile Agent service. • User Profile (Agent for Desktops) — This option installs on Desktops, using Virtual Desktop Extensions (PNTools). See Virtual Desktop Extensions (PNTools) for more information. How Virtual User Profiles Work The following describes how Virtual User Profiles simulates roaming profiles during user logon and logoff. 1. User accounts are reconfigured to use a small-size mandatory profile. This mandatory profile is typically stored locally on each Remote Desktop Session Host. 2. One or more file servers are designated as storage servers for storing user data sets, subset of HKCU and non-redirected shell folders. These file servers run a very low overhead service dubbed the User State Management Storage Service (User Profiles Storage Service). 3. All Session Hosts must run the User Profiles Agent Service. A RD Session Host running the Agent Service is typically referred to as an Agent Server. 4. Using the vWorkspace Management Console, the administrator specifies all the relevant HKCU subkeys and non-redirected special folders that must persist from one logon to the next. Additional properties are also set to specify the scope of the subkey or folder to either Global or Silo specific. A Global setting is to be used when the registry subkey or folders are located on every server. A Silo setting is to be used when the registry subkey or folders are only located on a few specified servers, and those servers are grouped together to create a silo. 5. When a user logs off, the User Profiles Agent Service exports all the relevant subkeys and folders specified by the administrator. The Agent Service then compresses the exported data and sends one or two compressed files (global, silo, or both) to the storage server. 513 vWorkspace Administration Guide 6. When a user logs on again, the Agent Service requests the previously exported data from the storage server. It then decompresses the data and merges the subkeys and folders into the mandatory profile. 7. Compressed files are stored on the storage server and named according to the user’s account SID. Virtual User Profiles Properties Virtual User Profiles Properties are used to define such things as storage servers, assign compression levels, define silos, and assign permissions to users so that they can be allowed to or denied access to adding, modifying, or deleting Virtual User Profiles. Virtual User Profile properties can be configured after components have been installed on the appropriate servers. User Profiles can be accessed by expanding the Resources node of the vWorkspace Management Console. Then, the Properties menu option is available one of the following ways: • Highlight User Profiles and click on the Properties icon in the toolbar. • Right-click on User Profiles and select Properties. The following is a list of properties that can be configured. 514 • General • Storage Servers • Silos • Permissions Managing the User Experience General GENERAL PROPERTY DESCRIPTION Compression Level The level of compression used when storing user profile element data to the storage server. The options are: • High • Medium • Low • None Log Level The level of logging that takes place inside of the profile. The options are: • Detailed • Basic Refresh Interval The interval, in minutes, that checks are made for User Profiles configuration changes. 515 vWorkspace Administration Guide Storage Servers A Storage Server is a Windows file server running the Quest vWorkspace User State Management Storage Service (User Profiles Storage Service). This service receives and stores the user’s compressed data subset from the Quest vWorkspace User Profiles Agent service running on the Session Host when the user logs off. It also retrieves the user’s compressed data subset and sends it to the Quest vWorkspace User Profiles Agent service when the user logs on. The User Profiles data subsets are typically in the range of 50 to 200 KB per user. User State Management Storage Service should be installed on a Windows server that is configured and optimized as a file server. This service is unavailable for installation if the vWorkspace installation program detects that Session Host (Application Server Mode) is installed on a Windows server. 516 Managing the User Experience STORAGE SERVER PROPERTIES DESCRIPTION Server Name The NetBIOS name of the computer which vWorkspace User State Management Storage Service has been installed. Note: The storage server name cannot include: , \ * + = | : ; ? < > " <space>. Base Folder The root or base folder where the user profile element data is stored. The specified folder is created if it does not already exist. Default value is C:\UserProfiles. Global Folder The name of the folder where the profile elements defined as global is copied. This folder is created as a subfolder of the Base Folder. Default is Global. TCP Port The TCP listening port that the vWorkspace User State Management Storage Service is configured to listen on. Default value is 5206 if you installed using the Simple type of installation. Silos A silo is a logical group of Session Hosts that have a common role or purpose, and have Virtual User Profiles installed on them. Exportable registry subkeys and shell folders can be marked for the Scope of Silo specific. At least one Silo must be defined, or profile storage fails. The Silo Wizard is used to create silo groups. To open the Silo Wizard, do one of the following: • Expand Resources in the vWorkspace Management Console, and then right-click on User Profiles and select Properties. Click Silos from the left pane, and then click New. 517 vWorkspace Administration Guide • Expand Resources in the vWorkspace Management Console, and then highlight User Profiles. Select the green plus icon from the toolbar or the information pane to open the Registry Key Properties window. Change Scope to Silo, and then click the Edit Silos. Before a Session Host can participate in a silo, the Virtual User Profiles component must be installed on the server. To complete the Silo wizard, do the following: 1. Click Next on the welcome window. 2. Enter a name for the Silo on the Silo Name window, and then click Next. 3. To add Session Hosts: a) Click Add Session Hosts. b) Expand the location and select the Session Host or Session Hosts that are to be added to this silo, and then click OK. c) Click Next on the Members window to continue the Silo wizard. Session Hosts can only be added to one silo at a time. 4. To add computer groups: a) Click Add Computer Groups. b) Expand the location and select the computer group or groups that are to be added to this silo, and then click OK. c) Click Next on the Members window to continue the Silo wizard. Computer groups can only be added to one silo at a time. 5. 518 Specify the User State Management Storage Service from the list, and then click Finish. Managing the User Experience Silo properties can be edited from the User Profiles | Properties option, as well as from an individual Virtual User Profile by using the Properties button. 519 vWorkspace Administration Guide Permissions Permissions enable administrators to allow or deny actions for activities within the vWorkspace Management Console. Users and groups of users who are selected as system administrators have implicit allow permissions for all actions, and may add and remove other system administrators. See Administration for more information on using permissions. Configure Virtual User Profiles The following items must be configured to use Virtual User Profiles: 520 • Virtual User Profiles Properties • Mandatory Virtual User Profile Managing the User Experience How to ... Configure Virtual User Profiles Properties 1. Open the vWorkspace Management Console. 2. Expand the Resources node, and then highlight User Profiles. 3. Do one of the following to open the User Profiles Properties window: • Right-click on User Profiles and select Properties. • Highlight the User Profiles option, and then select the Properties icon from the toolbar. 4. Define the Compression level, Log level, and Refresh interval as appropriate on the General window, and then click Next. 5. Define Storage Servers by clicking New on the Storage Server window and then do the following: a) Enter a name for the Storage Server, and then click OK. b) Click in the columns on the ellipsis to change the Base Folder, Global Folder, and TCP Port settings. Base Folder is to where the profiles are saved. It should be a local path on the server. Global Folder is the name of the folder for Global settings/profiles. 521 vWorkspace Administration Guide 6. Setup Silos by clicking New on the Members window, and then do the following: a) Click Next on the Welcome window of the Silo wizard. b) Enter a name for this silo group, and then click Next. c) Click Add Session Hosts or Add Computer Groups to define the silo. Select the appropriate Terminal Server or computer group from the Select window, and then click OK. Session Hosts and computer groups can only be added to one silo at a time. d) Click Next on the Members window. e) Select the User Profile Storage Server from the list, and then click Finish. The silo you just added appears on the list. f) Click Next on the Silos window. 7. 522 Specify the Auto-Save setting, as appropriate, and then click Finish to close the Silo Wizard and return to the User Profile Properties window. Managing the User Experience Mandatory Virtual User Profile It is recommended that you use mandatory virtual user profiles in conjunction with Virtual User Profiles. When creating a mandatory virtual user profile, consider the following: • Use a specialized local or domain user account for purposes of profile management. • Create the mandatory virtual user profile in which users are logging in to on one of the Session Hosts. • Make the mandatory virtual user profile as generic as possible. • Use Virtual User Profiles, User Environment Control (Manage-IT), and other management features within the vWorkspace Management Console to control user profiles. • Remember to rename ntuser.dat to ntuser.man to make the HKCU registry hive mandatory (read-only). • Use the System Control Panel applet to copy the mandatory user profile to the target Session Hosts and set Permitted to Use to Everyone. • Add a MAN extension to the root folder name of the mandatory user profile to make it read-only (use folder redirection user profile elements with Virtual User Profiles to give users write access to needed folders). • Assign the mandatory virtual user profile to the appropriate user accounts in Active Directory. Assign Mandatory Virtual User Profiles After the mandatory profile has been created and copied to all servers in the Session Host group, it then must be assigned to the appropriate user accounts. When specifying the profile path keep the following in mind: • The path should be expressed as a local file system path, not a UNC path. • Variables such as %SystemDrive% can be used. • Do not add the user account name or %username% at the end of the path. 523 vWorkspace Administration Guide • Use the Terminal Services Profile tab rather than the Profile tab of User Properties. • Path cannot be set using Active Directory Group Policy as it requires using a UNC path and automatically appends %username% to end of path. How to ... Modify a User’s Profile Path in Active Directory 1. Open Active Directory Users and Computers MMC snap-in. 2. Locate the user object that is to be modified using Browse or Find. 3. Right-click on the user object, and then select Properties. 4. Click on the Terminal Services Profile tab. The Terminal Services Profile path can be set via Active Directory Group policy if the domain controllers are Windows Server 2003 Service Pack 1 and appropriate hotfixes have been applied. 5. In the Profile Path box, enter the local file system path to the mandatory user profile. 6. Click OK. Visual Basic scripting can be used to automatically modify the profile path for existing users. The sample below is from Microsoft TechNet Script Center Library. Define Virtual User Profiles Virtual User Profile Elements determine which keys in the HKEY_CURRENT_USER registry hive are exported and saved on the User State Management Storage Service. 524 Managing the User Experience Normally, when using a mandatory user profile, a user or applications being used cannot save changes to ntuser.man, the file that makes up the user’s HKEY_CURRENT_USER registry hive. User preferences and other user specific application settings are not saved. However, the user and applications being used by the user can modify any of the keys that have been exported. It is important for the vWorkspace administrator to accurately determine all the HKEY_CURRENT_USER keys the user might need to modify, and then define them as User Profile Elements to be exported. If registry subkeys and folders are only located on a few specified servers, then those servers should be grouped together into a single silo and the registry subkey should be marked Silo. For example, if Microsoft Office is only installed on some Session Hosts in the farm, then it makes sense to only import and export the registry subkey HKCU\Software\Microsoft\Office when users access those servers. Or, if registry subkeys and folders are located on every server, such as if Adobe Acrobat Reader is installed on all the Session Hosts, then it makes sense to always import and export the registry subkey HKCU\Software\Adobe\Acrobat Reader and select Global as the Scope. There are two ways to configure user profiles in vWorkspace: • Manually Configure User Profiles • Import and Export User Profiles The vWorkspace Management Console is used to add, edit, and remove user profile items. There are default profile items for some commonly used profile items to assist administrators in getting started setting up user profiles. Manually Configure User Profiles In the vWorkspace Management Console, the Resources | User Profile node can be used to configure user profiles. Select the green plus sign to start the User Profile Wizard and complete the user profile elements. You can also right-click on any of the default user profiles and assign them to the appropriate targets. Special Folder User Profiles determine which folders within the user’s profile are exported and saved on the User State Management Storage Server. As with registry keys, any folders or applications being used need change permissions to be exported. 525 vWorkspace Administration Guide This mechanism offers control over a broader selection of folders, and higher levels of compression for increased performance and reduced storage requirements. Each User Profile element has the following properties associated with it. USER PROFILE ELEMENT PROPERTY DESCRIPTION Category A user definable name used to associate one or more user profile elements with each other. Type & Location This setting is used to define the User Profile element being configured as either a Registry Key or a Special Folder. The Registry Key input box used to specify which registry key or special folder is to be exported. 526 Managing the User Experience USER PROFILE ELEMENT PROPERTY Logon Processing DESCRIPTION If this setting is Synchronous, all elements must be retrieved and merged before the user’s Window desktop is presented. If this setting is Asynchronous, not all registry keys, files, and folders need to be present prior to the presentation of the user’s Window desktop. Profile Persistence This setting is used to specify when the user profile service saves modified profile data to the storage servers. • At a specified interval (auto-save) — Data is periodically save to the storage servers based on a specified interval. The interval used is specified in the silo properties. • At logoff only Scope This setting specifies if the User Profile element is applied on a Global or a Silo basis. • Global is all Session Hosts in the vWorkspace infrastructure. • Silo is only those that are members of a specified Session Host group. If Silo is selected, a Silo input box appears. See Silos for more information on defining Silos. Client Assignments This setting is used to specify the clients to which the user profile is to be assigned. Permissions This setting is used to specify permissions for this user profile item. How to ... • Define a Registry Key in User Profiles • Define a Special Folder User Profile Element 527 vWorkspace Administration Guide Define a Registry Key in User Profiles 1. Open the vWorkspace Management Console from the desktop of a Session Host that is known to have the appropriate body of registry keys. 2. Expand the Resources node, and then select the User Profiles. 3. Right-click User Profiles, and then select New User Profile. Alternatively, you can select the New icon, which is the green plus sign (+) in the information pane or the toolbar, or from the Actions menu item. 4. Click Next on the welcome window of the User Profile wizard. 5. Type a new Category name or select an existing one from the list, and then click Next. This is used only for organization within the console. If there are no categories in the database, the drop-down list is empty. Once you create a category, it becomes available from the list. 528 Managing the User Experience 6. On the Type & Location window, select Registry Key, and then enter the desired Registry Key path and name or use the ellipsis to browse to it. Click Next. 7. Select Asynchronous or Synchronous in the Logon Processing window, and then click Next. 8. Select one of the settings to specify when modified profile data is to be saved on the Profile Persistence window, and then click Next. 529 vWorkspace Administration Guide 9. Select Global or Silo on the Scope window. If Silo is selected, use the Silo field to identify the group that will use this profile element or click Edit Silos to add a new silo. See Silos for more information on adding silos. 10. To assign this User Profile to a user, complete the Client Assignments window as appropriate, and then click Next. 11. To assign permissions to this User Profile, complete the Permissions window as appropriate, and then click Finish. Define a Special Folder User Profile Element 530 1. Open the vWorkspace Management Console from the desktop of a Session Host that is known to have the appropriate body of registry keys. 2. Expand the Resources node, and then highlight the User Profiles node in the navigation pane. 3. Select New User Profile from the context menu of User Profiles, or click the New icon, which is the green plus sign (+) in the information pane toolbar. 4. Click Next on the welcome window of the User Profiles wizard. Managing the User Experience 5. Type a new Category name or select an existing one from the list, and then click Next. This is used only for organization within the console. If there are no categories in the database, the drop-down list is empty. Once you create a category, it becomes available from the list. 6. On the Type & Location window, select Special Folder, and then enter the desired Special Folder path and name or use the ellipsis to browse to it. 7. Click Next. 8. Select Asynchronous or Synchronous in the Logon Processing window, and then click Next. 9. Select one of the settings to specify when modified profile data is to be saved on the Profile Persistence window, and then click Next. 531 vWorkspace Administration Guide 10. Select Global or Silo on the Scope window. If Silo is selected, use the Silo field to identify the group that will use this profile element or click Edit Silos to add a new silo. See Silos for more information on adding silos. 11. To assign this User Profile to a user, complete the Client Assignments window as appropriate, and then click Next. To assign permissions to this User Profile, complete the Permissions window as appropriate, and then click Finish. Import and Export User Profiles vWorkspace administrators can use an XML file to import and export profile items. The ability to import and export through an XML file allows the vWorkspace community to share profile items that can be used for specific purpose with other administrators. Administrators must have User Profile add permissions to import XML files, but no special permissions are necessary to export an XML file. To import or export an XML file, locate User Profiles under the Resources node in the vWorkspace Management Console. You can select the import or export XML icon from the right-pane, or by right-clicking on a profile item and select Import from XML or Export to XML from the menu options. 532 Managing the User Experience Import an XML File After selecting to import an XML file, you need to confirm that you are about to import user profile items. Once the import process has completed, another window displays the number items found and the number items imported. The default folder location for the XML file is My Documents. Export to an XML File After selecting to export an XML file, the default location, My Documents folder, opens and includes the default file name, UserProfileItems.xml. By default, version number attributes are not written to the export file. To add a version to an export file item, select SHIFT+CTRL and Export to XML at the same time. XML File Format In addition to the default user profiles that are found in the vWorkspace Management Console, administrators can also manually add items to an XML file. The user profile settings of Scope and Profile Persistence are not exported. During the import process, the value for Scope defaults to Global, and the value for Profile Persistence defaults to Logoff only. These settings can be manually set after importing. The following table displays the XML format used in user profiles. <vWorkspace> <UserProfiles> <ProfileItem version="1" type="1" synchronous="1" autosave="0"> <Path>HKCU\Software\Adobe</Path> <Category>Adobe Reader</Category> </ProfileItem> </UserProfiles> </vWorkspace> ITEM TYPE VALUE(S) REQUIRED COMMENTS vWorkspace Element N/A Yes Contains the UserProfiles element. UseProfiles Element N/A Yes Contains the ProfileItem elements. 533 vWorkspace Administration Guide ITEM TYPE VALUE(S) REQUIRED COMMENTS ProfileItem Element N/A Yes Represents a profile item. Type Attribute Reg key = 1 No, default is 1. File path = 2 Synchronous Attribute Yes = 1 No = 0 Autosave Attribute Yes = 1 No = 0 No, default is 0. No, default is 0. Path Element Contains the profile item folder or reg key. Yes Category Element User defined category for this item. No Version Attribute <integer 1 to 9999> No Reg keys must begin with HKCU\. Internal use only, for auto-load of default profile items. EOP (Experience Optimization Protocol) The Experience Optimized Protocol (EOP) components address the user experience challenges of presenting applications and desktops via a remote display protocol by providing seamless, reliable, high-performance enhancements to Microsoft’s Remote Desktop Protocol. These enhancements ensure that your VDI and RD Session Host deployment can deliver on the promise of virtualization and a true local-desktop experience. The following features are available through the Experience Optimized Protocol: 534 • EOP Xtream — Accelerates RDP and EOP traffic on wide area networks (WANs). This provides for an improved user experience by providing faster RDP screen responses and improved performance of all EOP features. • EOP MultiMon — Enables support for multiple monitors which is monitor aware. Managing the User Experience • EOP Audio (Bidirectional Audio) — Enables support for applications that require the use of a microphone, such as dictation, collaboration, and certain VOIP applications such as Office Communicator. • EOP Text Echo — Enhances the user experience when typing, if they are connecting over a high latency network connection. A client Control Panel applet is used to adjust settings of this feature. • EOP Multimedia Acceleration (Media Player Redirection) — Enables the redirection of Flash content and Microsoft DirectShow content (anything that can be played in Microsoft Windows Media Player) from the VDI or Windows RDSH Session through an RDP Virtual Channel to the client access device, where it is played using the local compression/decompression technology (CODEC). • EOP Graphics Acceleration — Reduces bandwidth consumption and dramatically improves the user experience, making RDP usable over WAN connections. These features can be assigned to Users, Groups, OU, Client IP, Client Device Name or Advanced boolean targets. Optimization Settings The features of EOP are installed by deploying Virtual Desktop Extensions to a virtual desktop or by installing the vWorkspace Session Host role on a Remote Desktop Session Host. In the vWorkspace Management Console, administrators can manage which features govern a user’s connection to the virtual workspace. The optimizations settings of Graphics Acceleration, Flash Redirection, Local Text Echo, and Media Player Redirection can be found at the following locations. The options are set to disabled by default. • Using the Quest vWorkspace Remote Desktop Connection • Using vWorkspace AppPortal • • • Experience tab | Optimizations section Actions | Manage Connections | User Experience Optimizations section Using Web Access • In the properties of a Web Site| Performance /EOP section 535 vWorkspace Administration Guide EOP Audio The EOP Audio feature enables users to redirect their audio devices to RD Session Hosts and hosted desktops to use with applications involving dictation and for certain VOIP applications. These settings are disabled by default. This feature does not support Windows COM-based audio API found in some Windows Vista, Win7, and Win2008 applications. This means that the software does not work with applications using COM-based API. • In the case of upstream audio, the result is the inability of the application to detect the microphone. • In the case of downstream audio, the result is that the sound is transmitted to the Client computer through the Microsoft RDP audio drive without using the Quest downstream audio driver. Microphone sound quality is best with sufficient bandwidth, at least 25 to 30 Kbps, to support the audio channels. The Connection Policies, Remote Computer Sound option overrides the setting for Remote computer sound on the Local Resources window in the AppPortal setup, as well as the Local Resource Settings window in the Web Access preferences. 536 Managing the User Experience EOP Audio for the AppPortal can be setup several different ways: • Manage Connections | Local Resources • Quest vWorkspace Client Remote Desktop Connection | Local Resources If you use the setup option of Manage Connections, you need to set Remote computer sound to Bring to Local Computer and select the Microphone option. 537 vWorkspace Administration Guide If you use Quest vWorkspace Remote Desktop Connection, set the Remote computer sound option to Bring to this computer, and select the Microphone option. 538 Managing the User Experience The setup option for this feature for the Web Access client is Remote computer sound, of the Local Resources option. 539 vWorkspace Administration Guide There are additional client side settings in the Quest vWorkspace Bidirectional Audio, Control Panel applet. Use these settings to further define quality, network buffering, and microphone settings. 540 Managing the User Experience EOP Text Echo The EOP Text Echo (Local Text Echo) feature enables a local presentation of keystrokes when a user is connecting over a high latency network connection. The user can type at full speed without waiting for the keystrokes to appear, as the text appears in a bubble as it is typed. When a password field is selected and EOP Text Echo opens to show the text being typed, characters can be shown in clear text revealing a user’s password. EOP Text Echo does not automatically detect every known password field. For applications where password fields are not detected, an Enhancement Request (contact Quest Support) can be made to make sure the specific password field is enabled in the EOP Text Echo code. Note that there are some instances where the password fields cannot be enabled in EOP Text Echo, such as when using a Telnet application through the Command Prompt. 541 vWorkspace Administration Guide A client Control Panel applet, Local Text Echo Client, is used to change the default settings, such as the bubble size and latency speed. A server Control Panel applet, Local Text Echo Server, is used to set a list of application exclusions for text echo. 542 Managing the User Experience EOP Multimedia Acceleration This feature includes the components of Media Player Redirection and Flash Redirection. Media Player Redirection This feature redirects Microsoft Windows Media content through an RDP virtual channel to the client, where it is played using the local compression/decompression (CODEC) technology. This enables support for full fidelity playback of Microsoft Windows Media content. Media Player Redirection accelerates the delivery of multimedia content such as recorded webcasts and web-based training from remote virtualized desktops and applications. The requirements for media player redirection include: • Microsoft Windows Media Player installed on the virtual host (server). • All vWorkspace components, including PNTools and the vWorkspace client need to be on the same version. • Microsoft Windows Media Player and proper CODEC to decode the required media format needs to be installed on the client. If you are experiencing problems with Media Player Redirection, you may consider installing a bundle of codecs, such as K-Lite Code Pack. Flash Redirection vWorkspace Flash Redirection allows playing of Flash content. vWorkspace Flash Redirection option needs to be selected as an installation option. Adobe Flash Player version needs to be installed on the server and client access device. The client Adobe Flash player version must match the version (major versions) that is installed on the server. If the versions do not match, then the flash content plays without Flash Redirection. vWorkspace Flash Redirection supports websites that use asynchronous Java script for their content. 543 vWorkspace Administration Guide Flash Redirection Windowless Support Flash Redirection Windowless support allows web sites that use windowless Flash content to be played properly with vWorkspace Flash Redirection. Flash Redirection Windowless support is enabled by default. To disable this feature, you need to change the following registry value. HKLM\System\CurrentControlSet\Control\Terminal Server\ AddIns\PNFlash Wndless (Type="integer")=1 Values: 0 = no windowless mode support 1 = windowless mode supported Flash Redirection Setup The following outlines the steps for using vWorkspace Flash Redirection. Define Connection Policies 1. Open the vWorkspace Management Console and expand Resources. 2. Highlight the Connection Policies node, and do one of the following: 3. 544 • Right-click and select New Connection Policy. • Click on the New Connection Policy icon on the main toolbar or the information pane toolbar. • Select Actions | New Connection Policy Setting from the main menu. Click Next on the Welcome window of the New Connection Policy wizard. 4. Enter a name in the Name field, and then click Next. 5. Define Remote Computer Sound by selecting one of the following options, and then click Next. • Bring to Local Computer • Leave at Remote Computer • Do Not Play • Defer Setting to End User • Undefined Managing the User Experience 6. Specify the Local Devices settings, and then click Next. 545 vWorkspace Administration Guide 7. Specify the performance optimizations settings on the Experience Optimizations window, and then click Next. Set the options for Flash Redirection as appropriate. The options for selection are: Yes, No, Defer to End User, or Undefined. 8. Assign users to this connection policy property on the Client Assignments window, and then click Next. 9. Set permissions, as appropriate, on the Permissions window, and then click Finish. Enable Flash Redirection in AppPortal 546 1. Open the AppPortal. 2. Select Actions | Manage Connections to open the Farm Connections wizard. Managing the User Experience 3. On the Experience window, select Flash Redirection in the Optimizations section, and then click OK. Set Flash Redirection in Web Access 1. Open the Web Access Management Console. 2. Select a specific farm or all farms to which graphics acceleration is to be enabled. 547 vWorkspace Administration Guide 3. Select Performance in the User Experience settings section. 4. Select Flash Redirection, and then click Save Changes. EOP Graphics Acceleration vWorkspace EOP Graphics Acceleration adds additional compression to Microsoft’s Remote Desktop Protocol (RDP) to dramatically reduce bandwidth consumption and improve end user experience, making RDP usable over WAN connections. EOP Graphic Acceleration can be assigned to Users, Groups, OU, Client IP or Client Device Name. EOP Graphics Acceleration performs better with applications and documents that contain a high degree of graphics, and may not perform as well with text based applications. It is recommended that EOP Graphics Acceleration be thoroughly tested with each application before implementing in a production environment. Enabling the vWorkspace EOP Graphics Acceleration feature for specified applications ensures the benefits of this feature to the end users. EOP Graphics Acceleration Implementation In this section, recommended procedures for implementing and using vWorkspace EOP Graphics Acceleration are discussed. Appropriate testing for compatibility and performance before implementing into a production environment is a recommended practice. 548 Managing the User Experience After the vWorkspace EOP Graphics Acceleration feature has been enabled on the appropriate managed application, you can set a Connection Policies property to manage the enabling or disabling of graphics acceleration. Connection Policies Properties are defined by using Connection Policies in the vWorkspace Management Console Resources section. The following are the available Connection Policies. • User • Group • Organizational Unit • Client IP/IP Range • Client Name/Naming Convention EOP Graphics Acceleration Registry Settings Below are two registry settings for EOP Graphics Acceleration that can be used to set progressive image display and compression quality that can be set per application. Altering registry settings should only be completed by an administrator who understands these types of settings, and your environment should be backed up prior to changing any registry setting. HKLM\Software\Provision Networks\Image Acceleration Note: Progressive Image Display is disabled by default. ProgressiveUpdate (REG_DWORD): 0 disable progressive update, 1 enable Jpeg Quality (REG_DWORD): Jpeg quality 20-100 [Note: this overrides Quality when present] Jpeg Subsampling (REG_DWORD): 0 4:4:4, 1 4:1:1 (default), 2 4:2:2 Jpeg RGB (REB_DWORD): 1 using RGB instead YCbCr ExcludedWindows: REG_MULTI-SZ (the window class names to be excluded in GA) 549 vWorkspace Administration Guide HKLM\Software\Provision Networks\Terminal Server Note: EOP Graphics Acceleration can be enabled or disabled and set compression quality per application. HKLM\Software\Provision Networks\Image Acceleration\AppList\<executable name> – OR – HKCU\Software\Provision Networks\Image Acceleration\AppList\<executable name> Enabled (REG_DWORD): 1 Enable GA for this executable, 0 Disable GA Jpeg Quality (REG_DWORD): compression quality (20-100) Note: EOP Graphics Acceleration checks the HKCU AppList first, if the executable is not on the list, it checks the HKLM settings. If the executable is not on the HKLM AppList setting, EOP Graphics Acceleration uses the global setting, HKLM\Software\Provision Networks\Image Acceleration. EOP Graphics Acceleration Setup The following procedures outline the steps for using vWorkspace EOP Graphics Acceleration. • Enable EOP Graphics Acceleration Globally • Disable EOP Graphics Acceleration by Applications • Define Connection Policies • Enable EOP Graphics Acceleration in AppPortal • Set EOP Graphics Acceleration in Web Access Enable EOP Graphics Acceleration Globally 550 1. Open the vWorkspace Management Console and expand Resources. 2. Highlight on Managed Applications, and then select Properties. Managing the User Experience 3. Do the following on the Graphics Acceleration window: a) Select Enabled on the Graphics Acceleration window. b) Select one of the image quality options, and then click Apply. 4. Click OK to close the window. Disable EOP Graphics Acceleration by Applications 1. Open the vWorkspace Management Console. 2. Expand Resources, and then select Managed Applications. For the purposes of this procedure we are going to disable Graphics Acceleration on the managed application called Command Prompt. 3. Select Command Prompt from the list of managed applications. 4. Open the Managed Applications Properties window by doing one of the following: a) Highlight Command Prompt, and then right-click and select Properties. – OR – b) Highlight Command Prompt, and then select the Properties icon from the information pane. 551 vWorkspace Administration Guide 5. On the EOP Graphics Acceleration window of the Command Prompt, Managed Application, set graphics acceleration to Disabled. 6. Click Apply to save the change. 7. Click OK to close the window. Define Connection Policies 552 1. Open the vWorkspace Management Console and expand Resources. 2. Highlight the Connection Policies node and do one of the following: • Right-click and select New Connection Policy. • Click on the New Connection Policy icon (green plus sign) on the toolbar or the information pane toolbar. • Select Actions | New Connection Policy from the main menu. 3. Click Next on the Welcome window of the New Connection Policy wizard. 4. Enter a name on the Name window, and then click Next. Managing the User Experience 5. Define Remote Computer Sound by selecting one of the following options, and then click Next. • Bring to Local Computer • Leave at Remote Computer • Do Not Play • Defer Setting to End User • Undefined 6. Specify the Local Devices settings, and then click Next. 7. Specify the performance optimizations settings on the Experience Optimizations window, and then click Next. Set the options for Graphics Acceleration as appropriate. The options for selection are: Yes, No, Defer to End User, or Undefined. 8. Assign users to this connection policy property on the Client Assignments window, and then click Next. 9. Set permissions, as appropriate, on the Permissions window, and then click Finish. Enable EOP Graphics Acceleration in AppPortal 1. Open the AppPortal. 2. Select Manage Connections. 553 vWorkspace Administration Guide 3. On the User Experience window, select Graphics Acceleration in the Optimizations section, and then click OK. Set EOP Graphics Acceleration in Web Access 554 1. Open the Web Access Management Console. 2. Select a specific farm or all farms to which graphics acceleration is to be enabled. Managing the User Experience 3. Select Performance in the User Experience settings section. 4. Select Graphics Acceleration, and then click Save Changes. EOP Xtream The patent-pending technology, Quest EOP Xtream, accelerates RDP and EOP traffic on wide area networks (WANs). This provides for an improved user experience by providing faster RDP screen responses and improved performance of all EOP features. Quest EOP Xtream is specifically designed for users on WAN links with modest to high round trip latency. For example, the typical amount of latency that is common when connecting from the United States to Europe. Quest EOP Xtream is also effective on WAN links that are much closer, such as a VPN link from a home to a corporate office in the same city. Quest EOP Xtream operates transparently to the users. Quest EOP Xtream is enabled with RDP pass-through mode configured by default. 555 vWorkspace Administration Guide Latency Effectiveness Quest EOP Xtream is specifically designed for users on WAN links with modest to high round trip latency. Quest EOP Xtream is not recommended for LAN traffic or WAN traffic with low latency. The recommended network conditions listed below are guidelines. Network type, packet loss, and other factors impact the effective useful range of Quest EOP Xtream. • Typical effective round trip latency: 30ms-400ms. Quest EOP Xtream is designed to improve performance of screen updates and other EOP features. Quest EOP Xtream is not designed to reduce the effect of keystroke latency (echo) commonly observed on WAN links that exceed 200ms of latency. The Quest vWorkspace EOP feature, EOP Text Echo, is designed to lessen this effect. Firewall Considerations The Quest EOP Xtream Server listens on TCP port 3389 (RDP port). No additional configuration is needed, as the Windows firewall port 3389 is automatically opened. This functionality is enabled by RDP Pass-Through mode. Configure Quest EOP Xtream Quest EOP Xtream settings can be altered on the Experience Optimization window of the computer group or the individual computer Properties window. Any changes made to the default options require a reboot. The reboot is automatic in a VDI environment, but requires a manually reboot in an RD Session Host environment. 556 Managing the User Experience QUEST EOP XTREAM SETTING DESCRIPTION Enable RDP pass-through mode Selecting this option allows EOP Xtream to use the RDP port, eliminating the need to configure additional firewall settings. EOP Xtream Port Number Enter a port number to be used, if other than the default number, which is 3389. Note: Any changes made to the default options require a reboot. The reboot is automatic in a VDI environment, but requires a manually reboot in an RD Session Host environment. Maximum number of connections Enter a maximum number of connections. 557 vWorkspace Administration Guide There is also a Connection Policy, WAN Acceleration (EOP Xtream), in the vWorkspace Management Console. Connection policies are used to define automatic device connection and optimizations when users log on to the virtual workspace. Connection policies can be configured, and assignments and permissions defined. Connection policies are set to Undefined by default. 558 Managing the User Experience You can also enable EOP Xtream from the following settings: • vWorkspace AppPortal, User Experience settings • vWorkspace Web Access, Performance settings 559 vWorkspace Administration Guide • vWorkspace Client Remote Desktop Connection, Experience settings Settings defined in Connection Policies override any settings made in AppPortal and Web Access. A configurable client side timeout is available for the EOP Xtream. The default timeout is 5 seconds, if no other value is stated in the registry entry. The registry value that needs to be set is: HKLM\Software\Provision Networks\PNDNACLI "ConnectTimeout" (REG_DWORD) = "15" USB Devices From headsets to mobile devices, USB devices are frequently used, but can sometimes be problematic when used in a virtualized environment. However, with the vWorkspace features of vWorkspace Virtual USB Hub Client and USB-IT, USB device integration issues can be solved. 560 Managing the User Experience vWorkspace Virtual USB Hub Client Quest vWorkspace Virtual USB Hub Client enables the use of virtually any USB connected device, such as PDAs, local printers, scanners, cameras, and headsets to be used in conjunction with VDI. Users can connect multiple USB devices, and then decide which devices to share. When the Virtual USB Hub Auto-share check box is selected, a confirmation message box is displayed. The message warns users that auto-share disconnects devices from the local system, and that most USB keyboards and mice are automatically excluded from Auto-share. However, some multi-interface (composite USB) keyboards might not be automatically excluded from auto-share. These types of devices should be manually excluded before enabling Auto-share. The vWorkspace Virtual USB Hub does not generally support Composite USB devices that include a mouse or keyboard class device. A Composite USB device is a USB device that is not one entity, but two or more, such as a keyboard with an integrated mouse or a scanner/printer/fax device. It is important that you test all composite devices for vWorkspace compatibility on a case by case basis. Requirements The vWorkspace Virtual USB Hub is installed on managed computers as a component of Virtual Desktop Extensions (PNTools). An Enterprise or Desktop license is also required to use this feature. vWorkspace Virtual USB Hub Client The vWorkspace Virtual USB Hub client side contains the following components: • Control Panel Applet • System tray display • Microsoft Windows Service component 561 vWorkspace Administration Guide vWorkspace Virtual USB Hub Client Applet The vWorkspace Virtual USB Hub Client applet is available from the Control Panel setting. The client Control Panel applet appears as follows: Devices Tab Share Selecting this option makes the device available to the server. When a device is shared, it is unavailable to the client computer. Unshare Selecting this option makes the device unavailable to the server, which makes it available to the client computer. Exclude Selecting this option excludes this device from being shared. See Note in Auto-connect devices. Unexclude 562 Selecting this option allows the device to automatically be shared. Managing the User Experience Properties Selecting this option displays the USB Device Properties window. The ability to add an optional nickname for the device is included in the properties. Information on this window includes: • Nickname • Name • Location • Serial Number • Information • Status Auto-share devices Selecting this check box allows the connected devices to automatically be shared with the server. Note: If a user is going to select this option and they are using a USB keyboard or mouse, they need to confirm that these devices have been excluded before selecting this check box. The keyboard and mouse might not function locally on the client while being shared. Use Taskbar Icon Selecting this check box allows the system tray to be used. 563 vWorkspace Administration Guide Advanced Tab Bandwidth Control Select Bandwidth Control, and then set the bandwidth control by moving the slider to the threshold amount. Compression Set Compression Type to Zip compression, and then do the following: • Move the slider to set the minimum packet size. For example, if you set the compression to 1024 bytes, compression occurs only if the amount is greater than 1024 bytes. • Enter a number from one to ten in the Settings field. The setting values are: 1 = best speed 10 = best compression 564 Managing the User Experience vWorkspace Virtual USB Hub Client System Tray The client system tray becomes available when the vWorkspace Virtual USB Hub icon is selected. Devices are listed with their name, current status, and if they are shared (indicated with a check mark) or excluded (indicated with an X). To share a device using the system tray, click on it. To exclude a device using the system tray, use CTRL + left-click. The option Advanced is used to display the Control Panel applet. vWorkspace Virtual USB Hub Client Services A Microsoft Windows Services option is available for the client side. 565 vWorkspace Administration Guide vWorkspace Virtual USB Hub Server The Quest vWorkspace Virtual USB Hub server side contains the following components: • Control Panel applet • System tray display • Microsoft Windows Service component vWorkspace Virtual USB Hub Server Applet The server Control Panel applet appears as follows: Connect Selecting this option enables the device on the server. Disconnect Selecting this option disables the device on the server. Exclude Selecting this option excludes the device from being automatically connected. See Auto-connect devices. Unexclude 566 Selecting this option allows the device to be automatically connected. Managing the User Experience Properties Selecting this option displays the USB Device Properties window. Auto-connect devices Selecting this check box allows devices to be automatically connected when they are available to the server. Use Taskbar Icon Selecting this check box allows the system tray to be used. The Advanced tab on the server Control Panel applet allows you to set a priority for this service on the server. The setting options are Normal, Low, or High, and the default setting is Normal. vWorkspace Virtual USB Hub Server System Tray The server system tray becomes available when the USB Redirection icon is selected. Devices are listed with their name, current status, and if they are shared (indicated with a check mark) or excluded (indicated with an X). 567 vWorkspace Administration Guide To share a device using the system tray, click on it. To exclude a device using the system tray, use CTRL + left-click. The option Advanced is used to display the Control Panel applet. The server-side system tray appears like this: vWorkspace Virtual USB Hub Server Services A Microsoft Windows Services option is available for the server side. How to ... Manage USB Devices The Quest vWorkspace Virtual USB Hub software needs to be installed on the virtual desktop, in addition to PNTools. 1. Open the Quest vWorkspace Virtual USB Hub Client Control Panel applet. As devices are plugged in, they appear on the device list. 2. Highlight a device from the list and select one of the options, as appropriate. If users are using a USB keyboard or mouse, prior to selecting the Auto-share devices check box, they need to exclude those devices, If those devices are not excluded on the list, they do not function on the client while being shared. 568 Managing the User Experience Autoexclude any USB Device vWorkspace can be configured to autoexclude any USB device. 1. Install this Client version on the user access device. This install can be completed as a new installation, an upgrade from the previous Client version, or by uninstalling the previous client version and installing this client version. 2. Open the Quest vWorkspace Virtual USB Hub Client from the Control Panel. 3. Deselect the Auto-share devices check box, so that devices are not autoshared. 4. Plug in the USB device that is to be autoexcluded. The device will be displayed in the list of devices on the Quest vWorkspace Virtual USB Hub Client window. 5. Select the device, and click Properties. 6. From the USB Device Properties window, you need the following information: • VendorID • ProductID • Revision 7. Create the following key in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software, Inc.\Quest Software USB Virtual Hub\Excluded USB Devices 8. Create a sub key with a unique name under the Excluded USB Devices key. This key name can be any name. 9. In the sub key, create a value "Hardwareld" of type REG_BINARY. 10. Enter the hardware id information into this key in binary format. You have the option to be more or less specific about the devices you want to autoexclude. Entering only the VendorID excludes all devices with that VendorID, which may exclude more devices than you want to exclude. Entering the VendorID, ProductID, and Revision information from the USB device allows you to be very specific with the excluded USB device. 569 vWorkspace Administration Guide The following table provides examples of a binary format: USB DEVICE INFORMATION BINARY FORMAT VendorID: 0x04f2 f2 04 ProductID: 0x0112 12 01 Revision: 0x0103 03 01 For example, using the device information from the above table, the registry entries might be: VendorID: f2 04 VendorID and ProductID: f2 04 12 01 VendorID, ProductID, and Revision: f2 04 12 01 03 01 11. After changing the registry key, unplug the device. 12. Select the Auto-share devices check box, so that devices are autoshared. 13. Plug in the device. The device should now be autoexcluded in the Quest vWorkspace Virtual USB Hub Client window. Smart Card USB Redirection You can redirect smart cards from a virtual desktop or RD Session Host session using USB Redirection. This feature allows you to use a Smart Card for authentication inside a virtual desktop rather than using it to log on. The .dll to use this feature will be packaged with PNTools in the \Windows\System32 folder. In order to use this feature, you need to add to the following registry value and a list of the executables that are to be redirected. You may manually install this feature if desired. 570 Managing the User Experience The installation steps are as follows: 1. Locate PNSCHOOK.DLL in the \windows\system32 directory. 2. Add PNSCHOOK.DLL to the AppInit_DLLs key. 3. Configure apps to hook in SCHookList registry value; that is, in the pathname HKLM\Software\Provision Networks\Provision-IT locate a REG_SZ value called SCHookList (which is a comma-delimited list of EXEs to be hooked). USB-IT USB-IT enables Remote Desktop Session Host clients to seamlessly access their USB-based handhelds over RDP connections. With USB-IT, the Blackberry Desktop Manager, the Palm Desktop, and the ActiveSync software can be installed and published on the server. Users can gain instant access to their handhelds for the purpose of synchronizing e-mail, calendar, contacts, and other personal information with back-end messaging and collaboration systems such as Microsoft Exchange and Lotus Domino. USB-IT supports some BlackBerry models; Palm and OEM handhelds running Palm OS; and Windows CE-based Pocket PC devices. USB-IT requires a plug-in on the client, which when installed, registers automatically with RDC (Remote Desktop Connection) clients. Third-party WIN32 RDP clients capable of loading a virtual channel driver also can use USB-IT. In order to take advantage of USB-IT, the appropriate components must be installed on the client devices and RD Session Host as follows: • RD Session Host — USB-IT is installed onto RD Session Host automatically with the installation of the RD Session Host role. • vWorkspace Client (AppPortal and Web Access) — PDA Redirection (USB-IT) is automatically installed when the vWorkspace client software is installed. 571 vWorkspace Administration Guide How USB-IT Works USB-IT features a virtual USB hub controller that provides true USB support for three distinct handheld devices, BlackBerry, Palm, and Windows CE-based Pocket PC. How to ... Configure USB-IT 572 1. Start the USB-IT Control Panel applet (RD Session Host). 2. Select the Devices tab. 3. Select the class of handhelds. 4. Click Add. 5. Specify the maximum number of device instances that are to be supported simultaneously on the server. Managing the User Experience 6. Repeat the process for other handhelds, as appropriate. 7. Repeat process on all Session Hosts as appropriate. 8. Select USB Handhelds in the vWorkspace client, AppPortal using the following path: Manage Connections | Local Resources Load Balancing Load balancing can be enabled in a Quest vWorkspace infrastructure when published applications are hosted across multiple RD Session Hosts or multiple Hyper-V hypervisors. Load balancing rules are assigned SCVMM managed computer groups, Hyper-V managed computer groups or RD Session Hosts. Load Balancing Rules Load balancing rules dictate how to calculate user session workloads between session hosts, published applications, and SCVMM managed desktop groups. Load balancing rules are comprised of counters and associated values that set minimum and maximum parameters and well as assigned weight. To be effective, rules should use as few counters as possible, and the counters selected should be those that most closely reflect a server’s load. vWorkspace provides two default load balancing rules and three custom load balancing rules. Both Default and Custom rules can be duplicated, renamed, and used as a template to create new custom rules. The available load balancing rules are: LOAD BALANCING RULE DESCRIPTION Default Default RD Session Host (read-only) Load balances users over the available RD Session Hosts based on the amount of users already logged on. This default rule uses a maximum of 100 users per host (x86 users may need a lower maximum). Default VDI for SCVMM (read-only) Load balances users over the available Hyper-V hosts based on the users already on the hosts. This default rule uses a maximum of 75 users per host. 573 vWorkspace Administration Guide LOAD BALANCING RULE DESCRIPTION Custom Advanced RD Session Host Load balances users over the available RD Session Hosts based on a calculated average of: CPU Load, Disk Queue Length and Memory Load. This custom rule configures a maximum of 100 users per host. Advanced VDI for SCVMM Load balances users over the available Hyper-V hosts based on a calculated average of: CPU Load, Disk Queue Length and Memory Load. This custom rule configures a maximum of 75 users per host. RFX for SCVMM Load balances users over the available Hyper-V hosts based on an average GPU response time from capture. The user will connect to a virtual desktop that has the lowest GPU response time from capture, resulting in the best RemoteFX user experience. How Load Balancing Works Based on the load balance assigned, the server evaluates its current workload and reports that value to the Connection Broker. Connection Brokers maintain a memory table of the current workload index of each server on which load balancing has been enabled. When a Connection Broker receives a client request to connect to a published application, it queries the list of servers on which the application is hosted and determines which one currently has the lowest workload index value. The address of the least busy server is then returned to the vWorkspace client. When the vWorkspace client completes the connection to the least busy server, that server’s load is changed. The new workload is then reevaluated and reported to the Connection Broker. It is important to note that load balancing applies only when a vWorkspace client initiates a request for a new connection. If a vWorkspace client is already connected to an RD Session Host and requests to start another application that is available on that same server, the application is run through the existing session and load balancing is not applied. Multiple counters can be included in a load balance. Each counter within a load balance has an upper and lower threshold setting that is used to determine when the server is under maximum or minimum load based on that counter. Each counter can also be assigned a weight which can be used to adjust the relative importance of one counter over another. 574 Managing the User Experience The available counters are: COUNTER NAME DESCRIPTION Context Switches Per Second This counter measures the overall rate of switches from one thread to another. Thread switches can occur either inside a single process or across processes. A thread switch can be caused by one thread asking another for information, or by a thread being preempted by another higher priority thread. CPU Load This counter measures the percentage of time CPUs in the system are actively executing threads belonging to processes. This counter does not include the System Idle Process. CPU Queue Length This counter measures the number of threads in the processor queue. Unlike disk queue, processor queue length shows ready threads, not threads that are currently running. There is a single queue for processor time, even on systems with multiple processor cores and sockets. Therefore, if the system has multiple processors, you need to divide this value by the number of processors servicing the workload. A sustained processor queue of less than 10 threads per processor is usually acceptable. Disk Load This counter measures the percentage of time the disks in the system are active. Disk Queue Length This counter measures the average number of read and write requests that were queued for the selected disk during the sampling interval. GPU Response Time From Capture This counter measures the latency within RemoteFX Capture (in microseconds) for GPU operations to complete. 575 vWorkspace Administration Guide COUNTER NAME DESCRIPTION Interrupts Per Second This counter measures the average number of hardware interrupts that were received and serviced by the processor each second. Interrupts per second is an indirect indicator of the activity of hardware devices in the system that generate interrupt requests, such as the system clock, disk drives, and network interface cards. These devices generate interrupt requests when they complete a task or need attention from the processor. Each service interrupt request consumes CPU time, so an excessive amount can degrade system performance and can be an indicator of a malfunctioning device. Memory Load This counter measures the percentage of memory being used by the system. Memory Pool Pages Bytes This counter measures the size, in bytes, of the paged pool. The paged pool is an area of physical memory used by the system for objects that can be written to disk (paged) when they are not being actively used. Number of Powered-On Virtual Machines This counter measures the number of powered-on virtual computers currently running on the host. Number of Processes This counter measures the total number of process contexts currently running on the system. Number of Users This counter measures the total number of user sessions for which the operating system is currently storing computer state information. Number of Virtual Machines This counter measures the number of virtual computers defined on the client. Page Faults Per Second This counter measures the overall rate at which faulted pages are handled by the processor. This counter includes both hard faults (where the memory page has to be retrieved from disk) and soft faults (where the data is stored elsewhere in physical memory). A page fault occurs when a process requires code or data that is not in its space in physical memory. Most processors can handle large numbers of soft faults without consequence. However, hard faults can cause significant performance delays. 576 Managing the User Experience COUNTER NAME DESCRIPTION Pages Per Second This counter measures the number of pages written to or read from disk to resolve hard page faults. Redirector Current Commands This counter measures the number of requests to the redirector that are currently queued for service. If this counter is much larger than the number of NICs installed on the system, then network throughput is likely becoming a bottleneck. TDRs in Server GPUs This counter measures the Total number of times that the TDR times out in the GPU on the server. Load Balancing on Session Hosts To enable load balancing of vWorkspace enabled Session Hosts, the following conditions must be met: • The RD Session Host role must be installed on one or more Session Hosts in the vWorkspace infrastructure. • The setting Accept “least busy” connection requests must be enabled (it is by default) on each Session Host that participates in load balancing. This setting is found on the General tab of the Session Host properties under Roles. • The Session Host must host at least one of the configured managed applications. • A load balance must be assigned to either the server or a managed application hosted on the server. Load Balancing Guidelines Consider these guidelines when using load balancing: • Use as few counters as possible. Each counter used in a load balance requires additional processing. • Use the counters that are most likely to reflect the critical resources of the server. For example, a server with insufficient memory would likely need a load balance that uses the Memory Load and Pages Per Second counters. 577 vWorkspace Administration Guide • Avoid using extreme limits for counters that use percentages for minimum and maximum values. • Use a counter only if you understand its meaning and what values are appropriate. • Group Session Hosts by their hardware configuration and applications hosted on them. Load balances can be created and optimized for specific hardware or application groups. How to ... • Creating a Load Balancer • Assign Load Balancing to Session Hosts • Assign Load Balancing to SCVMM Computer Groups • Assign Load Balancing to Managed Applications Creating a Load Balancer The Number of Users counter is the default load balance assigned by the system, and its values cannot be modified. 1. Open the vWorkspace Management Console, highlight the Load Balancing node, and do one of the following: a) Select Actions | New Load Balancing Rule, or b) Right-click on the Load Balancing node, and then select New Load Balancing Rule, or c) Select the green plus sign icon from the information pane, or d) Select the green plus sign icon from the toolbar. 2. Click Next on the welcome window of the Load Balancing Rule Wizard. 3. Enter a name for the New Load Balancing Rule in the Name box, on the Name & Description window. 4. Enter a description for the New Load Balancing Rule in the Description box on the Name & Description window. This is optional. 5. Click Next on the Name & Description window. 6. Do the following on the Counters window: a) Select the counter to be used by clicking in the Assigned column. b) Set the minimum value for each counter selected by clicking on its current value in the Min Value column, and then type a new value in the input box. 578 Managing the User Experience c) Set the maximum value for each counter selected by clicking on its current value in the Max Value column, and then type a new value in the input box. d) Set the weight value for each counter selected by clicking on its current value in the Weight column, and then select a new value from the list. e) Select Report full load when at least one counter has reached its maximum value, if appropriate. f) Click Next. 7. Set permissions, as appropriate, and then click Finish to complete the task of creating a new load balancing rule. Assign Load Balancing to Session Hosts 1. Open the vWorkspace Management Console. 2. Expand the Locations node, and then expand the location in which the RD Session Host is located. 3. Expand the Session Hosts node, and then highlight the RD Session Host. 4. Activate the context menu for the server object to which the load balancing rule is to be assigned, (highlight the server and right-click) and select Properties. 579 vWorkspace Administration Guide 5. Highlight the Load Balancing item from the Server Properties window. 6. Click the Specify a custom load balancing rule: action button to enable the custom rules. Select the desired custom Load Balancing Rule from the custom load balancing rule list. Otherwise, the default load balancing rule will apply. 7. Click OK to complete the task. Assign Load Balancing to SCVMM Computer Groups 1. Open the vWorkspace Management Console. 2. Expand the Locations node, highlight the Desktops node, and right-click. 3. Select New Computer Group. 4. On the New Computer Group Wizard System Type window, select the Microsoft SCVMM box. This disables Load Balancing for all other system types. 5. On the New Computer Group Wizard Load Balancing window, do one of the following: • • • • Click the Do not specify a load balancing rule action button to disable load balancing rules. Click the Use the default load balancing rule action button to use the default SCVMM rule. Click the Specify a custom load balancing rule: action button to enable the custom rules. Select the desired custom Load Balancing Rule from the Load Balancing Rule list. Click the View button on any action button selection to view the rule properties. 6. Proceed through the windows to configure the New Computer Group. 7. Click Finish to complete the task. For more detail on adding new SCVMM computer groups, see the Microsoft SCVMM Integration section. Assign Load Balancing to Managed Applications You may need to assign load balancing to specific published applications if the number of instances of the application must be restricted due to licensing constraints or the application consumes a lot of system resources. 580 1. Open the vWorkspace Management Console. 2. Expand the Resources node, highlight the Managed Applications node, and right-click. 3. Open the Properties for the desired published application. Managing the User Experience 4. Click on Load Balancing on the Managed Applications Properties window. 5. Click the Specify a custom load balancing rule: action button to enable the custom rules. Select the desired custom Load Balancing Rule from the Load Balancing Rule list. 6. Click OK to complete the task. Performance Optimization CPU and Memory Optimization (Max-IT) is a Power Tool for Session Hosts used to improve application response time and increase overall server capacity by streamlining and optimizing the use of virtual memory and CPU resources in a multi-user environment. Max-IT should not be installed on the same computer as the Connection Broker. CPU Utilization Management CPU Utilization Management improves application response times by ensuring that users and programs receive CPU resources. The following is a list of issues pertaining to CPU scheduling in a multi-user environment: • Due to design limitations and programming techniques, many applications monopolize the server’s processors. Such applications are often referred to as rogue or runaway applications. A rogue or runaway application is one whose threads use up excessive amounts of CPU resources. In other words, they consistently remain in the running state for the entire lifetime of their allotted time slice. A time slice is often referred as quantum, and its value is typically 10 to 15 milliseconds (hardware-dependent). • Windows scheduler does not include a fair sharing mechanism. It does not prevent rogue applications from consuming all of the CPU time. • Priority boosting performed by Windows balance set manager does not effectively address the CPU issues caused by runaway applications, especially in Session Host environments. 581 vWorkspace Administration Guide • From a CPU management perspective, the thread priorities of interest are Waiting, Ready, and Running. In the case of a word processor, the latter could be waiting for user input. As soon as it receives input, it is ready to run, and as soon as the processor becomes free, it runs. • Given two threads in the Ready state, the scheduler always favors the process with the higher priority level over the other. CPU Utilization Management ensures that each running process receives CPU resources to enable it to run smoothly and coexist alongside CPU hungry and rogue applications by implementing the following: • A fixed share of CPU resources is reserved to NT Authority. By default, this share is 20 percent. • The target percent CPU time is then computed as follows, where Reserved is the percent CPU share reserved for NT Authority: (100 - Reserved) / (number of active processes) • The average percent CPU time is calculated for each active process. • Those processes whose average percent CPU time has fallen below the target percent CPU time have their priority levels set to Normal. • Those processes whose average percent CPU time has risen above the target percent CPU time have their priority levels set to Below Normal. • Those processes whose average percent CPU time has fallen to zero have their priority levels set to Above Normal. • The above process is then repeated every several hundred milliseconds. The default setting is 100 milliseconds. Virtual Memory Optimization Below is a list of background items to consider for memory management in a multi-user environment: 582 • Every executable and DLL module has a preferred base address which represents the ideal location where the module should get mapped inside the process’s address space. • When a software developer builds a DLL module, the linker sets the preferred base address at 0x10000000. Managing the User Experience • When two or more modules are loaded, each having the same preferred base address, a memory space conflict occurs. The operating systems memory manager has to resolve this conflict by relocating one of the conflicting modules into another base address. It then has to recalculate all the offset addresses defined within the module relative to this new base address. • Relocating DLLs and performing the necessary fix-up operations is taxing on system resources. The loader has to relocate hundreds of DLLs and modify a significant portion each code. This leads to more memory consumption, excessive copy on write operations, and additional CPU cycles. This runtime overhead can be very damaging to the performance of a system and should be avoided. When multiplied by the number of users on a Session Host, this overhead can have implications on performance and application response times. vWorkspace Virtual Memory Optimization significantly increases the performance and capacity of a Session Host by performing two optimization techniques: module rebasing and module rebinding. • Module Rebasing — A process by which colliding DLLs are identified and relocated to unique base addresses within the virtual memory spaces of their respective programs. This technique drastically reduces virtual memory requirements, page file usage, and I/O operations. • Module Binding — Fine-tunes the import section of a given module according to the new base addresses of the rebased DLLs. This technique accelerates application load times and yields further reductions in virtual memory requirements and page file usage. The Virtual Memory Optimization system continuously monitors which DLLs are being loaded by applications and identifies the DLLs that cause collisions. When a future request is made to load the module, it automatically loads in a new base address to avoid conflict. After collecting sufficient data, Virtual Memory Optimization can then further enhance performance by permanently rebasing the colliding DLLs and perform the necessary code fix-up operations. Some of the benefits include: • DLLs that have been optimized by Virtual Memory Optimization no longer require relocations or fixes by the loader. • Less physical memory is consumed. • Working set trimming no longer requires that working sets be swapped out to the paging file (copy on write) before the trimming can occur. 583 vWorkspace Administration Guide • Significant reductions in the overhead associated with relocation and fix-up operations. When multiplied by the number of users on a Session Host, the results can be an overall capacity increase of 25 to 30 percent. Enable CPU and Memory Optimization Virtual Memory Optimization and CPU Utilization Management are disabled by default even after being installed. To enable them, use the following steps: 1. Open the vWorkspace Management Console. 2. Expand the Locations node, and then expand the location in which the RD Session Host is located. 3. Expand the Session Hosts node, and then highlight the RD Session Host. 4. Open the Properties for the Session Host object that is to be enabled. 5. Select the Performance Optimization tab of the Server Properties window. 6. Select the option that is to be installed. 7. Click OK to close the window. Max-IT Master Policy Settings Max-IT Master Policy is used to set the default CPU Utilization and Virtual Memory Optimization settings used by all Session Hosts in the vWorkspace infrastructure. Max-IT Server Policy can then be configured to override master policy settings on a per server basis as needed. Max-IT Master Policy is accessed from the vWorkspace Management Console by expanding Performance Optimization in the navigation pane, and then selecting the Servers node. Max-IT Master Policy command is available from either the toolbar or the Servers node context menu. The Max-IT Master Policy window tabs are described as follows: 584 • General • VM Default Optimization • VM Exception Files • CPU Policy • Advanced Managing the User Experience General GENERAL TAB VIRTUAL MEMORY OPTIMIZATIONS Analysis Interval Specifies the sampling interval for detecting memory load address collisions. At the specified interval, Max-IT VM Optimization takes a snapshot of what applications are loaded into memory and detects any load address collisions. Applications that are started and then closed within the sampling interval are not included in the analysis. Optimization Time Specifies what time of day virtual memory optimizations are applied. The optimizations applied are based on the settings found on the VM Default Optimizations and VM Exception Files tabs. Applying virtual memory optimizations has the potential for consuming large amounts of system resources and should be performed at a time when user activity will be low. CPU Utilization Management Sampling Interval (Milliseconds) Determines how often process average calculations are performed and priority adjustments are made. Shorter intervals result in a more even distribution of processor time, but at the expense of higher system overhead. Sampling History Depth Determines the number of sampling points used when calculating average percent CPU time of processes. 585 vWorkspace Administration Guide VM Default Optimization VM DEFAULT OPTIMIZATION TAB Applications (EXE, etc.) The two optimization options available for applications are: • Allow applications to load rebased modules (rebasing). • Allow applications to be bound and to load bound modules (binding). Modules (DLL,OCX, etc.) The two optimization options available for modules are: • Allow modules to be rebased (rebasing). • Allow modules to be bound (binding). VM Exception Files Some applications and modules do not work properly when rebased or bound, such as any executable or module file that has been digitally signed. This is because the rebasing and binding information is written to the alternate data stream of the file. Because of this file modification, the binary hash the digital certificate was based on is no longer valid and the file is rendered unusable. These files must be excluded from rebasing and binding. The Applications and Modules tabs include a list of preconfigured executable and module files that are known to have problems with rebasing and binding. Use the Add, Remove, or Browse buttons to modify the list. After adding a file, select it from the list and use the buttons to the right to control the level of optimization to apply. The optimization option buttons are: 586 • Rebasing Only • Binding Only • Rebasing and Binding • No Optimizations Managing the User Experience CPU Policy The CPU Policy tab is used to control how CPU Utilization adjustments are applied. CPU POLICY TAB Policy Type Policy type is used to control how CPU allocation rules are applied. The three policy types are: • User/Group — CPU rules can be assigned based on any combination of user accounts, group accounts, or Active Directory Organizational Units. • OS CPU Allocation — OS CPU Allocation is used to guarantee the operating system will have a minimum percentage of the systems total CPU time. The default value is 20%. • Application — CPU utilization rules can be assigned to specific applications. User/Group Rules This tab is used to view or modify CPU Allocation when Policy Type is set to User/Group. The Add and Remove buttons are used for users, groups, and organizational units. The Up and Down arrow buttons are used to adjust priority for user entries who are also members of a listed group or OU. Entries higher in the list take precedence over lower ones. For each entry, use the CPU Allocation column to set the minimum guaranteed CPU time allotment. There are three ways CPU Allocation can be modified: 1. Double-click on the CPU Allocation column and select a value from the context menu. 2. Click on the ellipsis to the right of the CPU Allocation column and select a value from the context menu 3. Click on the existing value in the CPU Allocation column, and hold down the left mouse button, to drag and adjust the value. 587 vWorkspace Administration Guide CPU POLICY TAB Application Rules This tab is used to view or modify CPU Allocation when Policy Type is set to Application. Use the Add or Remove buttons to add or remove an application entry name. Use the CPU Allocation column to set minimum guaranteed CPU time allotment for the selected application. There are three ways CPU Allocation can be modified: 1. Double-click on the CPU Allocation column and select a value from the context menu. 2. Click on the ellipsis to the right of the CPU Allocation column and select a value from the context menu 3. Click on the existing value in the CPU Allocation column, and hold down the left mouse button, to drag and adjust the value. Application Executables This tab is used to build a list of executable program files and associate them with the appropriate application entries defined on the Application Rules tab when Policy Type is set to Application. Use the Add button to add an executable, identify its parent process (if any), and associate it with an application rule. Files may be entered individually or you can choose to select all the files contained in a specified folder. Use the Remove button to remove an application executable entry. Use the Up and Down arrow buttons to adjust priority for application executables that are included in multiple rules. Entries higher on the list take precedence over lower ones. Allocation Type This tab controls whether CPU allocation rules are based on percentages or shares. • Percentage — CPU allocation by percentage guarantees the user, group, or application a minimum percentage of the available CPU time. Available CPU time is 100% - OS CPU Allocation. • Shares — Each entry is given a percentage of CPU time based on the number of shares assigned to the entry divided by the total number of assigned shares. For example, if user A is assigned 25 shares and user B is assigned 50 shares, then user A is allocated 33.3% of the available CPU time and user B is allocated 66.7%. 588 Managing the User Experience Advanced This tab is used to reset the exception lists to the default values. Max-IT Server Policy By default, all Session Hosts in the vWorkspace infrastructure on which performance optimization has been enabled use the Max-IT Master Policy. However, it might be necessary to set the Max-IT policy on a per server basis. An example of this would be when the VM Exception Files list must be modified because a different set of applications are installed on one or more of the Session Hosts. How to ... Set the Max-IT Policy for Specific Servers 1. Open the vWorkspace Management Console. 2. Expand the Performance Optimization, and the Servers node. 3. Right-click on the server object, and select Max-IT Server Policy from the context menu. 4. Click on the tab associated with the portion of the policy that needs to be different from the Master Policy, and click Use these settings for server [server_name]. 5. Enter the changes as appropriate, and then click Apply for each tab that is changed. 6. Click OK to save the changes. View VM Optimization Results The results of virtual memory optimization can be viewed in various forms within the vWorkspace Management Console. Viewing these results can help the vWorkspace administrator fine-tune the virtual memory optimizations. Results can be viewed by session summary, for a specific session, or by application. How to ... • View Session Summary Information • View Results for a Specific Session • View Results per Application 589 vWorkspace Administration Guide View Session Summary Information 1. Open the vWorkspace Management Console. 2. Expand the Performance Optimization and Servers nodes. 3. Expand the desired server object. 4. Click on the Optimization Sessions container object. The Optimization Summary by Session graph is displayed in the information pane on the right. The vertical axis displays the cumulative amount (in megabytes) of memory savings. The horizontal axis displays the date and time of each optimization event. To avoid unnecessary recalculations by Max-IT, binding should be delayed until the graph is flat. View Results for a Specific Session 1. Open the vWorkspace Management Console. 2. Expand the Performance Optimization and Servers nodes. 3. Expand the desired server object. 4. Expand the Optimization Sessions container object. 5. Click on the appropriate date and time to display a graph showing the current (blue) and possible (green) virtual memory savings. Under the Optimization Sessions container object each optimization event is listed in chronological order by the date and time of its occurrence. View Results per Application 1. Open the vWorkspace Management Console. 2. Expand the Performance Optimization and Servers nodes. 3. Expand the desired server object. 4. Click on the Optimized Applications container object. The Per-Application Virtual Memory Usage and Savings graph is displayed in the right panel. 590 Vertical Axis Displays memory in kilobytes. Horizontal Axis Displays the name of the executables. Red bar Shows the amount of virtual memory used by the executable before rebasing. Managing the User Experience Yellow bar Shows the amount of virtual memory used by the executable after rebasing. Blue bar Represents the current memory savings as a result of optimization. Green bar Represents the possible memory savings as a result of optimization. Ideally, the blue and green bars for all executables should be equal. At this point it is safe to implement binding as long as no changes are made to the applications installed on the servers. Manually Apply Optimizations Virtual memory optimizations are automatically applied based on the Optimization Time setting of the Max-IT Masters Policy and Max-IT Server Policy. However, optimizations can also be applied manually by selecting Optimize Now. The Optimize Now icon is available from the toolbar of the information pane when a server object, or any object under the server object, is selected in the navigation pane under the Performance Optimization | Servers container. The context menu for the Optimization Sessions and Optimized Applications containers, and all objects under these containers, include the option Run Max-IT Optimizations, which can also be used to manually apply optimizations. Application Compatibility Enhancements Many applications store user specific data and configuration settings in systemwide locations, such as the HKey_Local_Machine (HKLM) or common files and folders. In multi-user environments such as Session Host, the storage of information can lead to such issues as data corruption, access conflicts, and the inability to customize application settings by user. 591 vWorkspace Administration Guide Application Compatibility Enhancements is a registry and file system redirection engine designed to eliminate these issues in Session Hosts environment. Application Compatibility Enhancements intercept an application’s request for common subkeys and files by creating private instances of these in the user’s registry hive (HKCU) or home directory. All application requests to these common subkeys or files are redirected to the user’s private instances. The vWorkspace administrator uses the vWorkspace Management Console to create redirection rules. The types of rules include: • Registry • File • Folder How Application Compatibility Enhancements Work Application Compatibility Enhancements (Redirect-IT) operates in the background using an Application Compatibility Enhancements (ACE) engine. Application Compatibility Enhancements perform the following corrective steps: 1. Intercepts registry and file operations targeting the common data, such as HKLM subkeys and common files and folders specified in the redirection rules. 2. Copies the common data from their original locations to the user private locations, such as HKCU or the home folder as specified in the redirection rules. This step is only performed if user private instances of the common data does not already exist. 3. Performs the registry and file operations on the user private instances of the data. Application Compatibility Enhancements (Redirect-IT) can only be installed on Microsoft Windows servers with Session Hosts installed in Application Server mode. Create Redirection Rules How to ... 592 • Create a Registry Redirection Rule • Create a File Redirection Rule Managing the User Experience • Create a Folder Redirection Rule • View a Redirection Rule • Edit a Redirection Rule Create a Registry Redirection Rule 1. Start the vWorkspace Management Console. It is recommended that you open the vWorkspace Management Console from the Session Host where the application is installed, so that file is available. 2. Right-click File & Registry Redirection from the navigation pane, and select New Redirection Rule. – OR – Select File & Registry Redirection from the navigation pane, and click the green + on the toolbar in the right pane. 3. Enter a new name for the rule in the Rule Name field on the General window. 4. Select the Redirection Type Registry on the New Redirection Role window. 5. Type a new category or select an existing category from the list in the Category box on the General window, and then click Next. 593 vWorkspace Administration Guide 6. Complete the following information on the Values window for the redirection rule, and then click Next. a) Type a path and file name of the executable, or click the ellipsis to browse to the executable in the Program field. b) Type the location of the registry key location that is to be redirected, or click the ellipsis to browse to the location in the Original Registry Key field. c) Type the new path and file name, or click the ellipsis to browse to the location where the key should be redirected in the New Registry Key field. 7. Set permissions, as appropriate, on the Permissions window, and then click Finish. Create a File Redirection Rule 1. Start the vWorkspace Management Console. It is recommended that you open the vWorkspace Management Console from the Session Host where the application is installed, so that file is available. 2. Right-click File & Registry Redirection from the navigation pane, and select New Redirection Rule. – OR – Select File & Registry Redirection from the navigation pane, and click the green + on the toolbar in the right pane. 3. On the General window, specify the following settings for the redirection rule, and then click Next. a) Enter a new name for the rule in the Rule Name field. b) Select the Redirection Type, File. c) Type a new category, or select an existing category from the list in the Category field. 4. On the Values window, complete the following values for the redirection rule, and then click Next. a) Type a path and file name of the executable, or click the ellipsis to browse to the executable in the Program field. b) Type the path and file name of the existing location of the file, or click the ellipsis to browse to the file in the Original File field. 594 Managing the User Experience c) Type the path and file name, or click the ellipsis to browse to the location where the file is to be redirected in the New File field. d) Select Copy original file(s) to new folder if it doesn’t already exist, if appropriate. 5. Set permissions, as appropriate, on the Permissions window, and then click Finish. Create a Folder Redirection Rule 1. Start the vWorkspace Management Console. It is recommended that you open the vWorkspace Management Console from the Session Host where the application is installed, so that file is available. 2. Right-click File & Registry Redirection from the navigation pane, and select New Redirection Rule. – OR – Select File & Registry Redirection from the navigation pane, and click the green + on the toolbar in the right pane. 595 vWorkspace Administration Guide 3. On the General window, specify the following settings for the redirection rule, and then click Next. a) Enter a new name for the rule in the Rule Name field. b) Select the Redirection Type, Folder. c) Type a new category, or select an existing category from the list in the Category field. 4. On the Values window, complete the following values for the redirection rule, and then click Next. a) Type a path and file name of the executable, or click the ellipsis to browse to the executable in the Program field. b) Type the path and file name of the existing location of the file, or click the ellipsis to browse to the file in the Original Folder field. c) Type the path and file name, or click the ellipsis to browse to the location where the file is to be redirected in the New Folder field. d) Select Copy original file(s) to new folder if it doesn’t already exist, if appropriate. 5. Set permissions, as appropriate, on the Permissions window, and then click Finish. View a Redirection Rule 1. Start the vWorkspace Management Console. It is recommended that you open the vWorkspace Management Console from the Session Host where the application is installed, so that file is available. 2. Select File & Registry Redirection from the navigation pane. 3. View the details on the information pane. Edit a Redirection Rule 1. Start the vWorkspace Management Console. It is recommended that you open the vWorkspace Management Console from the Session Host where the application is installed, so that file is available. 2. Select File & Registry Redirection from the navigation pane. 3. On the information pane, right-click on the Redirection rule that is to be changed, and then select Properties. Edit the redirection rule as appropriate. 596 Managing the User Experience Virtual IP Virtual IP enables each user instance of a legacy application to be bound to a distinct IP address. This allows many legacy applications to run concurrently and reliably on RD Session Hosts. The following features are supported by Virtual IP: • Virtual IP — Assigns a unique IP address to each instance of a configured application running on RD Session Hosts. • Client IP — Uses the client device IP address as a unique identifier for each instance of a configured application running on RD Session Hosts. • Virtual Loopback — Assigns a unique loopback address to each instance of a configured application running on RD Session Hosts. • Logging — Enables logging of Virtual IP activity on a RD Session Hosts. Virtual IP Configuration How to ... • Enable Virtual IP on a RD Session Host • Configure Virtual IP Address Ranges • Configure Applications Enable Virtual IP on a RD Session Host You can enable Virtual IP on RD Session Hosts by doing one of the following procedures, either using Terminal Server Properties or Virtual IP Server Configuration. 1. Start the vWorkspace Management Console. 2. Expand Locations, and then expand the location where the RD Session Host is located. 3. Expand Session Hosts and right-click on the selected Session Host, and then select Properties. 4. Select the Virtual IP tab on the Server Properties window. 5. Select the Virtual IP features to be enabled, and then click OK. 6. Repeat the above steps for each Session Host. 597 vWorkspace Administration Guide Enable Virtual IP through Virtual IP Server Configuration 1. Start the vWorkspace Management Console. 2. Expand Virtual IP, and then click Server Configuration. 3. Click Show only Virtual IP Enabled Servers or Show All Servers on the information pane. Your selection controls which servers appear in the server list. 4. Select the Virtual IP features to be enabled (check the box in the Virtual IP column), by server, and then click Update Virtual IP Servers. Configure Virtual IP Address Ranges Each RD Session Host must be configured with an appropriate range of IP addresses. Follow these guidelines when configuring Virtual IP address ranges: • Virtual IP address ranges must be compatible with the IP subnet to which the Session Host is attached. • Do not include IP addresses that are already statically assigned to other computers on the network. • Do not include IP addresses that are part of existing DHCP server scopes. • Do include enough IP addresses in the range to account for the maximum number of concurrent instances expected for a configured application. To add a Master Range, do the following: 598 1. Start the vWorkspace Management Console. 2. Expand the Virtual IP node, and click Address Range. Managing the User Experience 3. Click Add on the information pane. The Virtual IP Address Ranges window opens. 4. Enter the appropriate values for Starting Address, Ending Address, and Subnet Mask. 5. Click OK. To add a Server to a Master Range, do the following: 1. Start the vWorkspace Management Console. 2. Expand the Virtual IP node, and click Address Range. 3. On the information pane, click on the ellipsis at the end of the Master IP Range or right-click on it and select Add Server(s) to Master Range from the context menu. 599 vWorkspace Administration Guide 4. In the list of servers presented in the window, select the boxes associated with the servers to be added to the master range and click OK. 5. Enter the number of addresses to allocate to each selected server and click OK. To modify Address Range Allocations, do the following: 1. Start the vWorkspace Management Console. 2. Expand the Virtual IP node, and click Address Range. 3. On the information pane, right-click the Session Host that is to be modified, and then select the appropriate option. The options include: • Remover Server — Removes the server from the Master IP range. • Allocation for Server — Defines the number of IP addresses to allocate to the server. • Set Allocations for All Servers in Master Range to — Defines the number of IP addresses to allocate to each server in the master range. • Equally Allocate Addresses to All Servers in Master Range — Sets the number of IP addresses to allocate to each server in the master range to the maximum of one. • Manually Edit Ranges — Opens the Edit IP Address window to edit address ranges for each server manually. Configure Applications 600 1. Start the vWorkspace Management Console. 2. Expand the Virtual IP node, and then select Application Configuration. 3. Click Show All Applications on the information pane. Managing the User Experience 4. Select Virtual IP, Client IP, or Virtual Loopback for each application, as appropriate. 5. Click Update Virtual IP Servers. Additional Components The vWorkspace Additional Components features consist of the following: • Password Reset Service • RDP Gateway (Proxy-IT) vWorkspace Password Reset Service The Quest vWorkspace Password Reset Service facilitates SSL-protected password reset requests from clients, to allow them to reset their Active Directory Credentials via the Web Access Portal or the AppPortal Connector. This service requires an SSL Certificate and listens on port 443 (by default). The vWorkspace Password Reset Service can be installed on any Windows computer, physical or virtual, that is joined to a domain trusted by the domain containing the accounts of the users connecting in to the vWorkspace infrastructure. The vWorkspace Password Reset Service should never be installed on a computer that is in the DMZ network. 601 vWorkspace Administration Guide How to ... • Configure the vWorkspace Password Reset Service • Configure vWorkspace Password Management in AppPortal • Configure vWorkspace Password Management in Web Access Configure the vWorkspace Password Reset Service Use the following steps to configure the vWorkspace Password Reset Service. 1. Use the following path to open the Quest Password Manager Control Panel applet. Start | Control Panel | Quest Password Manager 602 2. On the General tab, enter the TCP Port. 3. Click the Lock icon by Certificate Name. 4. Select the certificate on the Select Certificate window, and then click OK. 5. If you want to use logging, select the Logging tab and then Enable trace logging to the specified file. 6. Enter the path and file name for the log file, or use the folder button to browse to it. 7. Click OK on the Quest Management Properties window. Managing the User Experience Configure vWorkspace Password Management in AppPortal 1. Open the AppPortal client. 2. Use the following path to open the Farm Connections window. Actions | Manage Connections 3. If you are configuring Password Management on an existing farm, do the following: a) Select Modify existing farm on the Select Farm window, and then select the farm that is to be edited from the list. b) Select Password Management from the left pane, and complete the information as appropriate. c) Click OK. 4. If you are configuring Password Management on a new farm, do the following: a) Select Create new farm on the Select Farm window. b) Complete the information on the Farm Connections windows as appropriate. 603 vWorkspace Administration Guide Configure vWorkspace Password Management in Web Access This option can only be configured as a global setting. 1. Select Password Management under the Authentication options on the Web Access Management Console. 2. Enter a Domain using the NetBIOS name of the Password Management server. 3. Enter the Server (FQDN). The host name, NetBIOS name, or IP address can be used in this field. 4. Enter a Port number, and then click Add. The usual number to use is 443. 5. Repeat the above steps to add multiple Password Management servers. 6. Click Save Changes. Proxy-IT Proxy-IT is designed to deliver more connectivity options for accessing Microsoft Windows Session Hosts from legacy, non-Win32, open source, or third-party RDP devices. Multiple Proxy-IT servers can be clustered using Microsoft Network Load Balancing (NLB) or another third-party load balancing switch. Proxy-IT listens for client requests on a configured TCP port, which is port 3389 by default. It is recommended that the current version of Proxy-IT be used with Microsoft Session Directory to enable users to reconnect to their disconnected sessions. How to ... Configure Proxy-IT 1. 604 Open the Quest Proxy-IT applet from the Control Panel. Managing the User Experience 2. Complete the information on the Quest Proxy-IT Properties window as appropriate, and then click Apply. Accept connections on this TCP port Enter the TCP port. Inactivity timeout (minutes) Enter a number of minutes. The default is 3389. A value of 0 indicates that connections never time out. Connection Broker Settings Use Add Server to add the IP addresses or host names. Connect to broker on this TCP port Enter the TCP port associated with the Connection Broker settings. Connect to broker using SSL Select if connecting using SSL. Enable NAT support for firewall traversal Select if network address translation is being used. Server Logging Select to enable trace logging, and then enter the file name or use the folder button to browse to the file. 605 vWorkspace Administration Guide Proxy-IT with Session Directory Services Proxy-IT can be used in conjunction with Session Directory Services. By using Proxy-IT and Session Directory Services, users can be reconnected to their disconnected session, should the session be dropped. Proxy-IT Prerequisites The following items are required: • All Proxy-IT servers cannot be configured for the multi-users application mode. • Proxy-IT uses RDP port 3389 for its service, making it impossible to administer the server remotely. However, you can remap the local RDP listener to alternative port, such as 3390 or 2290 to allow for remote administration. • Administrators can connect to this server using mstsc.exe by adding the alternative port. • The RDP port needs to be remapped in the following registry location: HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\ WinStation \RDP-TCP 1. Value: PortNumber 2. Type: REG_DWORD 3. Data: 0x000003d3 (3389) — Change this value to something else, such as 3390 or 2290. 4. Reboot the server. Use the following steps to use Proxy-IT with Session Directory Service. Enable Session Directory Service To enable Session Directory Services, you must enable the service on all of your Proxy-IT servers. Use the following steps to complete this task: 1. Open up the Services tool by selecting Start | Run, and then type Services.msc 2. Scroll to the Remote Desktop Services Session Directory and set it to automatic. 3. Start the service. These steps need to be completed on all of your Proxy-IT servers. 606 Managing the User Experience Enable Session Directory on Remote Desktop Services Use the following steps to enable Session Directory Services on all of your RD Session Hosts: 1. Open the Terminal Services Configuration tool, and go to the Server Settings Node. 2. On the details pane, right-click on the Session Directory and select Enable. These steps need to be completed on all of your RD Session Hosts. Setup Group Policies There are two ways to setup Group Policies, using Group Policies or using the Terminal Services Configuration. It is recommended that you use the Group Policies method. Using Group Policies Editor 1. Open the Group Policy Editor. To do this, select Start | Run and then type gpedit.msc. 2. Enable Join Session Directory in the following: Computer Configuration/Administration Templates/Windows Components/Terminal Services/Session Directory 3. Click Session Directory Server. In the Session Directory Server Properties window, select the Enabled option, and then in the Session Directory Server field, type the name of the server where the Terminal Server Session Directory service is running. Click OK. 4. Click Session Directory Cluster Name. In the Session Directory cluster Name Properties window, select the Enabled option, and then in the Session Directory Cluster Name field, type the name of the cluster to which the RD Session Host belongs. Click OK. 5. Optionally, enable the Terminal Server IP Address Redirection setting. This policy should only be applied to the RD Session Host, so you may need to create a separate Organizational Units (OU) for them to reside. Using Terminal Services 1. Open Terminal Services Configuration by using the following path: Start | Control Panel | Administrative Tools | Terminal Services Configuration 2. Click Server Settings in the console tree. 607 vWorkspace Administration Guide 3. Right-click Session Directory in the details pane, and then click Properties. 4. Select the Join session directory option in the Session Directory Settings window. 5. In Cluster name, type the name of the RD Session Host cluster. 6. In Session directory server name, type the DNS name or IP address of the domain server where the Terminal Services Session Directory service is running. The server name must be a valid server name, and cannot be left blank. 7. Select an IP address and network adapter form the Network adapter and IP address session directory should redirect users to list. 8. Optionally, unselect the IP address redirection (uncheck for routing token redirection) to have client devices reconnect to disconnected sessions by using the virtual IP address of the RD Session Host cluster. This option is selected by default, which enables clients to reconnect by using the individual IP addresses for the RD Session Host in the Session Directory. You should unselect this option if clients have visibility only to the virtual IP address of the cluster and cannot connect to the IP address of an individual RD Session Host. 608 Appendices • Configurable Registry Settings • Sentillion Integration Appendix A Configurable Registry Settings Active Setup This setting controls whether Active Setup is run on Windows 7 desktops during first time logins. PNShell on VDI will run Active Setup by default during a first-time login. If an administrator wishes to disable ActiveSetup on Windows 7 the following registry value should be created: HKLM\Software\Provision Networks\Provision-IT DisableActiveSetupOnWin7 REG_DWORD 0=run active setup(default) 1=don't run active setup PNTSC This setting controls whether a message box is displayed when PNTSC disconnects. By default PNTSC will display a message box on disconnect. To disable the message box on disconnect create the following registry value: HKLM\SOFTWARE\Provision Networks\Provision-IT TSClientShowMsgBoxOnDisconnect 1=show msgbox (default) REG_DWORD 0=don't show msgbox 609 vWorkspace Administration Guide InitialAppWaitTime This setting controls the default initial application wait time. The default wait time value is set to 10 seconds. To change the default wait time value to some other value create the following registry value. In the example below the initial wait time value is set to 15 seconds. HKLM\SOFTWARE\Provision Networks\Provision-IT "InitialAppWaitTime" (REG_SZ) = "15" This registry value needs to be placed in the SysWOW64 directory and Wow6432Node on a 64-bit platform. 610 Appendix B Sentillion Integration Sentillion markets numerous health care integration products that unify single sign-on (SSO), context management and strong authentication, into a fully integrated managed clinical workstation enabling caregivers to quickly access their applications and the associated patient data. Sentillion components install a custom Sentillion GINA that integrates with the clinical desktop to provide SSO services and chains to subsequent GINAs. Thus, the Sentillion components should be installed after Virtual Desktop Extensions (PNTools) to ensure proper GINA chaining with vWorkspace. This section describes the registry entry necessary for the integration of vWorkspace and Sentillion. Because of the Sentillion GINA, vWorkspace must properly initialize Windows Explorer and bypass the normal PNStart execution. With the following integration, you are able to complete a single sign-on to a virtual computer using the Sentillion solution. The following registry entry needs to be added to the client endpoint running AppPortal or PNTSC that is connecting to the Sentillion desktop. By setting this registry entry, pnstart.exe is bypassed, launching Explorer directly, allowing Sentillion to obtain credentials for further application logon pass thru. HKLM\Software\Provision Networks\Provision-IT "TSClientUsePNStart" (REG_DWORD) = "0" This setting is only effective for TS. PNStart is executed on VDI VMs using the registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell REG_SZ PNTools setup will set this value to ’PNSTART.EXE’. To disable PNSTART.EXE from running on VDI machines, change this value to ’EXPLORER.EXE’. 611 vWorkspace Administration Guide 612 INDEX A access control list scheduling access hours for users 369 action views definitions vWorkspace Reporting 453 Active Directory credentials setting in locations 132 add computers tool about 153 Microsoft SCVMM 236 Parallels Virtuozzo 272 VMware 260 adding new locations 120 additional components about 601 additional customizations Resources node 358 administration about 82 adding a new administrator 86 editing settings 86 removing an administrator 87 setting permissions 87 Advanced installation about 21 installing 25 Application Compatibility Enhancements (Redirect-IT) about 591 creating a file redirection rule 594 creating a folder redirection rule 595 creating a registry redirection rule 593 how it works 592 installing 592 application restrictions (Block-IT) about 11 application restrictions server groups 365 assigning clients to the client list 369 hash checking 361 how application restrictions work 361 path checking 362 properties 363 Resources node 361 scheduling access hours for users 369 termination of applications 362 unassigning clients to the access control list 369 application restrictions list properties 366 application restrictions server groups 365 AppPortal about 315 about desktop-integrated mode 315 actions menu 340 configuring new connection 321 configuring new RD Connection Broker connection 53 connectivity tab 326 credentials tab 330 desktop integration mode options 343 desktop integration tab 338 display tab 331 experience tab 335 farm type tab 325 local resources tab 333 managing connection properties 324 password management tab 337 PNTray 342 settings menu 342 App-V import wizard 111 App-V node about 108 editing imported application properties 113 editing properties 110 establishing server connections 109 importing applications 111 Assign Load Balancing to Managed Applications 580 613 vWorkspace Administration Guide C certificate Secure Gateway 390 clone types Microsoft SCVMM 235 clone types VMware 260 color schemes 375 computer group wizard 138 computer groups add computers tool 153 adding a group 145 adding published applications 309 modifying properties 149 ordering columns 150 properties 140 resizing columns 150 selecting columns 150 session protocol RGS option 144 task automation 151 viewing logs 148 viewing tasks 148 config.xml about 346 location section 356 connect to an existing database 91 Connection Brokers adding a new Connection Broker 133 load balancing 574 permissions 136 properties 127 removing 136 connection policies about 370 defining properties 371 Control Panel Universal Printer applet 497 create a new database and DSN 90 credentials pass-through using with Firefox 413 D data collector service about 7 Databases vWorkspace Reporting 446 deferred authentication 318 desktop cloud about 73 desktop cloud maintenance 229 Desktops modifying published applications 310 614 properties 127 setting properties 137 starting new applications 294 terminologies 137 differencing disks about 234 disabling vWorkspace Reporting 40 disk and memory persistence 256 documentation conventions xiv drive mappings 375 E environment variables 377 EOP Multimedia Acceleration 543 EOP Text Echo 541 EOP Xtream about 555 client side timeout 560 configuring 556 experience optimized protocol EOP Multimedia Acceleration 543 EOP Text Echo (local text echo) 541 graphics acceleration 548 optimization settings 535 overview 534 F F5 Firepass integration about 431 tunneling to a Connection Broker 433 Farm node 93 File & Registry Redirection node about 118 file redirection rule creating 594 flash redirection defining in connection policies 544 enabling in AppPortal 546 enabling in Web Access 547 EOP Multimedia Acceleration 543 setting up 544 folder redirection rule creating 595 G graphics acceleration about 548 defining in connection policies 552 disabling by application 551 enabling globally 550 enabling in AppPortal 553 enabling in Web Access 554 implementation 548 registry settings 549 setup 550 H hash checking 361 host restrictions about 378 creating 378 HyperCache report 226 Hyper-V catalyst about 226 HyperCache 226 HyperDeploy 226 I importing existing computers 276 initialize computer about 186 common failures 187 triggers 187 installation vWorkspace Connector 45 Web Access 34 Internet Explorer compatibility 311 J Juniper Secure Access integration about 422 configuring 423 K kerberos credentials pass-through 14 L latency reduction 541 licensing about 87 access in the Management Console 87 adding licenses 31 linked clones VMware 250 load balancing about 573 assigning load balancing to servers 579 counters 574 guidelines 577 how it works 574 terminal servers 577 Load Balancing node about 118 local text echo 541 locations about 118 Active Directory credentials setting 132 adding new locations 120 deleting 127 node options 119 properties 127 M managed applications overview 289 properties 291 session sharing 302 managed computer groups deleting 149 publishing a managed desktop 303 viewing 146 managed computers about 153 network interface card 155 properties 155 publishing an application 305 session protocol RGS option 168 viewing 184 viewing logs 185 viewing tasks 185 management servers about 210 adding network storage servers 218 adding virtualization servers 213 management servers window 211 mandatory virtual user profiles about 523 assigning 523 Max-IT See Performance Optimization media player redirection EOP Multimedia Acceleration 543 MetaProfiles-IT See Virtual User Profiles Microsoft Hyper-V about connection-time load balancing 227 about integration 225 615 vWorkspace Administration Guide about provision-time load balancing 227 broker helper service 247 desktop cloud maintenance 229 Hyper-V catalyst 226 Hyper-V host context menu 227 Hyper-V host properties 227 Microsoft RD Connection Broker about 274 add an RD Connection Broker 50 AppPortal 53 install 46 RemoteApp Support 275 Microsoft SCVMM about integration 233 adding computers using the standard clone method 236 clone types 235 reconfigure computers 245 video adapter and static/dynamic memory 243 module binding about 583 module rebasing about 583 monitor the cloning process 279 MSI Packages about 114 adding a new package 114 multiple monitor support 322 N network interface card 155 network storage servers about 210 adding servers 218 implementation 249 rapid provisioning 248 requirements 249 O operating system customization creating 175 creating for unattend.xml 179 importing sysprep.inf file 175 optimized settings 535 optional one-session-per-user within a farm 319 P Packaged Applications node about 108 616 Parallels Virtuozzo about 271 about independent and slave nodes 271 adding computers to a managed computer group 272 password reset service about 601 configuring 602 path checking 362 Performance Optimization (Max-IT) about 581 how it works 582 master policy settings 584 setting the policy for specific servers 589 permissions about 84 setting 87 user profiles properties 520 PNTray about 342 Universal Printer options 343 power management 282 progressive image display 549 Proxy-IT about 604 configuring 604 enable session directory service 606 using with session directory services 606 publish content about 306 published application deleting 311 duplicating 311 Q Quest vWorkspace contacting support xvi Quick Start Wizard about 71 blade PCs 75 desktop cloud 73 remote desktop session host 74 virtual desktops 74 R RDP vWorkspace remote computer sound 538 registry redirection rule creating 593 registry settings deferred authentication 318 optional one-session-per-user within a farm 318 registry tasks about 379 modifying 379 remote control session viewing from Computers tab 81 viewing from User Sessions 79 Report Viewer Setup 441 Reporting and Logging Role 34 Reporting installation installing 35 Reporting Schema vWorkspace Reporting 447 reprovision computers SCVMM 234 VMware 253 Resources node about 105 about the Printers window 508 additional customizations 358 application restrictions 361 color schemes 375 connection policies 370 drive mappings 375 environment variables 377 host restrictions 378 modifying published applications 311 registry tasks 379 scripts 382 starting new applications 295 time zones 383 user policies 384 wallpapers 386 RGS computer group property 144 managed computer property 168 S Sample Report Viewer about 440 using 443 sample report viewer setting up 442 Scripted Installation about 41 scripts about 382 assigning 382 Secure Gateway accessing by AppPortal and the Web Access 403 certificate 390 configuring 391 configuring AppPortal access 401 configuring for both AppPortal and Web Access access 404 installing 389 Sentillion Integration about 611 session directory service enabling 606 session hosts properties 127 Session Hosts node about 190 modifying published applications 310 starting new applications 294 session sharing application 302 silos about 517 Simple installation about 20 installing 23 storage servers about 516 special folder in user profiles 525 support contacting Quest vWorkspace xvi T Targets node about 98 about advanced targets 102 defining advanced targets 105 defining clients by device address 101 defining clients by device name 101 defining clients by groups 100 defining clients by organizational unit 102 defining clients by users 99 types 98 task automation about 151 617 vWorkspace Administration Guide adding 152 automated task wizard 152 TCP/IP ports requirements 22 terminal servers adding 190 adding permissions 194 adding published applications 308 assigning load balancing to servers 579 load balancing 577 removing 195 server wizard 190 setting properties 194 viewing applications 201 viewing processes 200 viewing sessions 197 viewing users connected 195 termination of applications 362 time zones assigning 383 overview 383 U U3 AppPortal client modes 345 Universal Client Printer Auto-Creation 480 Universal Network Print Server Extensions 500 adding network printers 501 assigning printers to clients 502 setting up Universal Printer printers 500 Universal Network Printer Auto-Creation 480 Universal Print Driver about 480 Universal Print Relay Service for Remote Sites 502 adding remote relay servers 506 assigning remote printers to clients 509 configuring 504 importing remote printers 507 Universal Printer 479 about the Control Panel applet 497 about Universal Network Print Server Extensions 499 about Universal Network Print Services 499 adding network printers 501 618 adding printers to remote relay servers 506 assigning printers to clients 502 assigning remote printers to clients 509 autocreating network printers 481 configuring remote site relay 504 Control Panel applet properties 483 importing remote printers 507 network printer properties 511 setting up Universal Printer printers 500 Universal Client Printer Auto-Creation 480 Universal Network Print Server Extensions 500 universal network printer auto-creation 480 Universal Print Relay Service for Remote Sites 502 universal printer properties 509 viewing and editing network printer properties 511 viewing and editing universal properties 509 Universal Printer properties bandwidth tab 491 compression tab 485 general tab 483 license tab 494 logging tab 493 naming tab 490 notification tab 496 PDF publisher tab 497 server farm tab 495 upgrade tab 492 unlock VM VMware 250 upgrading about 59 USB-IT about 571 configuring 572 how it works 572 user policies about 384 creating 385 modifying 386 viewing properties 384 user profile elements properties 526 User Profiles about special folders 525 configuring properties 521 defining a registry key 528 defining special folders 530 silo wizard 517 V VAS client 32 package 317 VAS client 32T package 317 VAS client 32TS package 318 video adapter and static/dynamic memory about 243 view column definitions vWorkspace Reporting 449 Virtual Desktop Extensions (PNTools) about 188 installing 189 Virtual IP about 597 adding a master range 598 configuring 597 configuring applications 600 configuring virtual IP address ranges 598 enabling 597 modifying address range allocations 600 virtual memory optimization about 582 benefits 583 manually applying 591 module binding 583 module rebasing 583 viewing results for a specific session 590 viewing results per application 590 viewing session summary information 590 Virtual USB Hub Client about 561 client applet 562 client components 561 client services 565 client system tray 565 requirements 561 Virtual USB Hub Server about 566 server applet 566 server services 568 server system tray 567 Virtual User Profiles about export and import 532 about registry elements 524 about silos 517 assigning mandatory user profiles 523 features and benefits 512 how it works 513 mandatory user profiles 523 manually configure profiles 525 overview 512 properties 514 storage servers 516 xml file format 533 Virtual User Profiles (MetaProfiles-IT) about 12 Virtualization Management Servers about 210 virtualization server wizard 213 virtualization servers adding connections 213 VMware about linked clones 250 adding computers using the NetApp FlexClone method 263 adding computers using the standard clone method 261 adding computers using the VMware linked clone method 266 clone types 260 customizations 258 disk and memory persistence 256 rapid provisioning 248 unlock VM 250 vWorkspace benefits 4 remote desktop connection 538 upgrading 59 vWorkspace Connector about 16 about silent installation 56 AppPortal 315 client packages 44 configuring 320 executable files 318 installation 45 overview 315 VAS client 32 package 317 VAS client 32T package 317 VAS client 32TS package 318 619 vWorkspace Administration Guide vWorkspace Management Console about 68 administration 82 connect to an existing database 91 create a new database and DSN 90 Farm node 93 first time use 89 icons 76 interface 68 menu options 76 monitoring the cloning process 279 Packaged Applications node 108 permissions 84 Resources node 105 Session Hosts node 190 Targets node 98 viewing and editing network printer properties 511 viewing and editing universal printer properties 509 viewing client information for an active session 199 viewing terminal server applications 201 viewing terminal server processes 200 viewing terminal server sessions 197 viewing users connected to terminal servers 195 vWorkspace RD Connection Broker Support about 45 vWorkspace Reporting actions views definitions 453 applications and application restrictions 457 Databases 446 disabling 40 overview 439 Reporting Schema 447 Sample Report Viewer 440 setting up the sample report Viewer 442 setup window 441 view column definitions 449 vWorkspace Welcome window about 75 W wallpapers about 386 620 adding new wallpaper 388 assigning 387 changing properties 387 Web Access about 407 about Websites node 409 connection properties 409 creating a new web access site 408 defining websites 409 firewall/secure gateway 410 installing 34 updating a site 421 upgrading 35 Web Access Site Manager about 407 Websites node about 409 wizards App-V import 111 automated task 152 computer group 138 MSI Packages 114 new locations 120 operating system customization 175 operating system customization unattend.xml 179 server wizard 133 silo 517 task automation 151 virtualization servers 213