vWorkspaceAdminGuide_72MR1

Quest® vWorkspace Administration Guide

Version 7.2 MR1

© 2011 Quest Software, Inc.ALL RIGHTS RESERVED.Patents Pending.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World HeadquartersLEGAL Dept5 Polaris WayAliso Viejo, CA 92656www.quest.comemail: [email protected]

Refer to our Web site for regional and international office information.

Patents

This product includes patent pending technology.

Trademarks

Quest, Quest Software, the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners.

Quest vWorkspace Administration Guide — Updated April 2011 — Software Version - 7.2 MR1

http://www.quest.com/legal/trademark-information.aspx

http://www.quest.com/legal/trademark-information.aspx

http://www.quest.com/

mailto:[email protected]

CONTENTS

ABOUT THIS GUIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XVII

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XVIII

CONVENTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . XVIII

ABOUT QUEST SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . . XIX

CONTACT QUEST SOFTWARE . . . . . . . . . . . . . . . . . . . . XIX

VWORKSPACE RESOURCES . . . . . . . . . . . . . . . . . . . . . . . . XIX

CONTACT QUEST SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . . XX

DOCUMENT FEEDBACK . . . . . . . . . . . . . . . . . . . . . . . . . XX

CHAPTER 1INTRODUCTION TO VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . . . 1

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2BENEFITS OF VWORKSPACE . . . . . . . . . . . . . . . . . . . . . . 4

VWORKSPACE COMPONENTS . . . . . . . . . . . . . . . . . . . . . . . . 4VWORKSPACE KEY FEATURES . . . . . . . . . . . . . . . . . . . . . 5

DESKTOPS ENHANCEMENTS . . . . . . . . . . . . . . . . . . . . . . 5

TERMINAL SERVICES ENHANCEMENTS . . . . . . . . . . . . . . . . 6

Secure Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

REMOTE DESKTOP SESSION HOST EXTENSIONS. . . . . . . . . . 7

Application Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 7User Environment Control . . . . . . . . . . . . . . . . . . . . . . . 7Performance Optimization . . . . . . . . . . . . . . . . . . . . . . . 8Virtual User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Universal Printer Driver . . . . . . . . . . . . . . . . . . . . . . . . . 8Application Compatibility Enhancements . . . . . . . . . . . . . 8Time Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8PDA Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Virtual IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

USER EXPERIENCE ENHANCEMENTS . . . . . . . . . . . . . . . . . 9

TCP PORT REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . . . .11VWORKSPACE CONNECTORS. . . . . . . . . . . . . . . . . . . . . . . . .12

CHAPTER 2VWORKSPACE MANAGEMENT CONSOLE . . . . . . . . . . . . . . . . . . . 15

ABOUT THE VWORKSPACE MANAGEMENT CONSOLE . . . . . . . . . . .16

i

vWorkspace Administration Guide

VWORKSPACE MANAGEMENT CONSOLE WINDOW . . . . . . . . . . . .16VWORKSPACE WELCOME WINDOW. . . . . . . . . . . . . . . . . .19

VWORKSPACE MENU OPTIONS AND ICONS . . . . . . . . . . . . . . . .19ADMINISTRATION . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Add a New Administrator................................................ 24Edit Administration Settings ........................................... 25Remove an Administrator ............................................... 25Set Permission at the Object Level .................................. 25

LICENSING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

LICENSES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

USER SESSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

REMOTE CONTROL . . . . . . . . . . . . . . . . . . . . . . . . . . .28View a Session by Remote Control................................... 29

MANUAL DATABASE CONFIGURATION . . . . . . . . . . . . . . . .30Create a New Database and DSN .................................... 32Connect to an Existing Database ..................................... 33

VWORKSPACE OBJECT NODES . . . . . . . . . . . . . . . . . . . . . . .34FARM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

LOCATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

CLIENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

Client Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Define Clients by Users .................................................. 40Define Clients by Groups................................................ 41Define Clients by Device Address..................................... 42Define Clients by Device Name........................................ 42Define Clients by Organizational Unit ............................... 43

RESOURCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43View the Resources Assigned to a Client........................... 45

PACKAGED APPLICATIONS . . . . . . . . . . . . . . . . . . . . . . .46

App-V Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Establish a New Server Connection.................................. 47Edit the Properties of an App-V Server ............................. 48Import App-V Applications.............................................. 49View/Edit Imported App-V Application Properties ............... 51

MSI Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Add a New MSI Package................................................. 52

PERFORMANCE OPTIMIZATION. . . . . . . . . . . . . . . . . . . . .54

VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55

ii

FILE AND REGISTRY REDIRECTION . . . . . . . . . . . . . . . . . .55

LOAD BALANCING . . . . . . . . . . . . . . . . . . . . . . . . . . . .55

CHAPTER 3VWORKSPACE QUICK START WIZARD . . . . . . . . . . . . . . . . . . . . 57

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58

CHAPTER 4VWORKSPACE LOCATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

ABOUT LOCATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62LOCATIONS NODE OPTIONS. . . . . . . . . . . . . . . . . . . . . . . . .62NEW LOCATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

Add a Location.............................................................. 63VMware Datacenters...................................................... 71Virtuozzo Slave Nodes ................................................... 75Independent Microsoft Hyper-V Host................................ 79Independent Virtuozzo Node........................................... 83SCVMM Host Groups or Clusters...................................... 86

DELETE A LOCATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90Delete a Location .......................................................... 90

LOCATION PROPERTIES. . . . . . . . . . . . . . . . . . . . . . . . . . . .90GLOBAL VIRTUALIZATION SERVERS . . . . . . . . . . . . . . . . . . . .94CONNECTION BROKERS . . . . . . . . . . . . . . . . . . . . . . . . . . .94

Add Connection Broker Servers....................................... 95Set Connection Broker Properties .................................... 98Remove Connection Broker Servers ................................. 98

TERMINAL SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98Add Terminal Servers .................................................... 99Set Terminal Server Properties ..................................... 103Remove Terminal Servers ............................................ 104

DESKTOPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104Set Desktops Properties ............................................... 104

OTHER SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105Add Other Servers ...................................................... 105Set Other Servers Properties ........................................ 106

CHAPTER 5VWORKSPACE DESKTOPS . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

ABOUT DESKTOPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . .109

COMPUTER GROUP PROPERTIES . . . . . . . . . . . . . . . . . .110

iii


VIEW MANAGED COMPUTER GROUPS . . . . . . . . . . . . . . .115View Summary Information .......................................... 116View Managed Computers ............................................ 116View Tasks for a Computer Group ................................. 117View Logs for a Computer Group ................................... 117Modify the Properties of a Computer Group..................... 117Delete a Computer Group............................................. 118

Computer Group Column Options . . . . . . . . . . . . . . . . 118Memory Column Color Coding . . . . . . . . . . . . . . . . . . 118

Arrange Information Pane Column Order and Sort Order .. 118Resize Columns .......................................................... 118Select Columns........................................................... 119

Task Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Schedule Tasks using the Automated Task Wizard ........... 120

MANAGED COMPUTERS . . . . . . . . . . . . . . . . . . . . . . . . . . .121PROPERTIES OF A MANAGED COMPUTER . . . . . . . . . . . . .122

General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Administrative Account . . . . . . . . . . . . . . . . . . . . . . . 124Enable/Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Client Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . 126Access Timetable . . . . . . . . . . . . . . . . . . . . . . . . . . . 128User Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Inactivity Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . 130Session Auto-Logoff . . . . . . . . . . . . . . . . . . . . . . . . . 131Configuration (VMware System Type only) . . . . . . . . . 132Configuration (SCVMM System Type only) . . . . . . . . . . 133Logoff Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Session Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Experience Optimization . . . . . . . . . . . . . . . . . . . . . . 136Enhanced Audio . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Automated Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

SYSPREP CUSTOMIZATIONS . . . . . . . . . . . . . . . . . . . . . . . .140About Sysprep Files . . . . . . . . . . . . . . . . . . . . . . . . . 141

Create Sysprep Customizations— Windows XP/2003 ........ 142Create Sysprep Customizations— Vista/Win7/Server2008. 146

VIEW MANAGED COMPUTERS . . . . . . . . . . . . . . . . . . . . . . .152View Summary Information .......................................... 153View Tasks for Managed Computers............................... 153View Logs for Managed Computers ................................ 153

DESKTOPS PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . . . .154

iv

INITIALIZE COMPUTER . . . . . . . . . . . . . . . . . . . . . . . . . . .154INITIALIZATION TRIGGERS. . . . . . . . . . . . . . . . . . . . . .156

Microsoft Active Directory Group Policy Settings. . . . . . 157

VIRTUAL DESKTOP EXTENSIONS (PNTOOLS). . . . . . . . . . . . . .158DATA COLLECTOR SERVICE . . . . . . . . . . . . . . . . . . . . .158

UNIVERSAL PRINT DRIVER. . . . . . . . . . . . . . . . . . . . . .159

MEDIA PLAYER REDIRECTION . . . . . . . . . . . . . . . . . . . .159

USB DEVICE REDIRECTION . . . . . . . . . . . . . . . . . . . . .159

USER PROFILE ACCELERATION . . . . . . . . . . . . . . . . . . .160

FLASH REDIRECTION . . . . . . . . . . . . . . . . . . . . . . . . .160

INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160

CHAPTER 6EXPERIENCE OPTIMIZED PROTOCOL . . . . . . . . . . . . . . . . . . . . 163

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164OPTIMIZATION SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . .164EOP AUDIO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165EOP TEXT ECHO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169EOP MULTIMEDIA ACCELERATION . . . . . . . . . . . . . . . . . . . .171

MEDIA PLAYER REDIRECTION . . . . . . . . . . . . . . . . . . . .171

FLASH REDIRECTION . . . . . . . . . . . . . . . . . . . . . . . . .171

Flash Redirection Windowless Support . . . . . . . . . . . . 172

FLASH REDIRECTION SETUP. . . . . . . . . . . . . . . . . . . . .172Define Connection Policies............................................ 172Enable Flash Redirection in AppPortal............................. 174Set Flash Redirection in Web Access .............................. 175

EOP GRAPHICS ACCELERATION . . . . . . . . . . . . . . . . . . . . .176EOP GRAPHICS ACCELERATION IMPLEMENTATION. . . . . . . .177

EOP GRAPHICS ACCELERATION REGISTRY SETTINGS. . . . . .177

EOP GRAPHICS ACCELERATION SETUP . . . . . . . . . . . . . .178Enable EOP Graphics Acceleration Globally...................... 178Disable EOP Graphics Acceleration by Managed Applications179Define Connection Policies............................................ 180Enable EOP Graphics Acceleration in AppPortal ................ 182Set EOP Graphics Acceleration in Web Access ................. 183

EOP XTREAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184LATENCY EFFECTIVENESS . . . . . . . . . . . . . . . . . . . . . .185

v


FIREWALL CONSIDERATIONS . . . . . . . . . . . . . . . . . . . .185

CONFIGURE QUEST EOP XTREAM . . . . . . . . . . . . . . . . .185

CHAPTER 7MANAGE APPLICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192MICROSOFT RD SESSION HOSTS/TERMINAL SERVER. . . . . .192

MANAGED COMPUTERS . . . . . . . . . . . . . . . . . . . . . . . .193

VIRTUALIZED APPLICATIONS . . . . . . . . . . . . . . . . . . . .193

MANAGED APPLICATIONS PROPERTIES. . . . . . . . . . . . . . . . . .193NEW APPLICATION TOOL. . . . . . . . . . . . . . . . . . . . . . . . . .195

Start New Applications using Terminal Servers Node........ 196Start New Applications using the Desktops Node ............. 196Start New Applications from the Resources Node............. 196

PUBLISH RD SESSION HOST/TERMINAL SERVER APPLICATIONS . .197Publish an Application Hosted on Terminal Server............ 197Publish Terminal Server Desktops.................................. 204

PUBLISH A MANAGED DESKTOP. . . . . . . . . . . . . . . . . . . . . .204Publish a Desktop to a Managed Computer Group............ 204

PUBLISH MANAGED APPLICATIONS . . . . . . . . . . . . . . . . . . . .206Publish an Application.................................................. 206

PUBLISH CONTENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207WORK WITH PUBLISHED APPLICATIONS . . . . . . . . . . . . . . . . .209

Add Published Applications to a Terminal Server.............. 209Add Published Applications to a Computer Group............. 210Modify Published Applications with Terminal Servers Node 211Modify Published Applications with Desktops Node ........... 211Modify Published Applications on the Resources Node....... 212Duplicate a Published Application .................................. 212Delete a Published Application ...................................... 212

CHAPTER 8APPLICATION COMPATIBILITY ENHANCEMENTS . . . . . . . . . . . . . 213

ABOUT APPLICATION COMPATIBILITY ENHANCEMENTS . . . . . . . .214HOW APPLICATION COMPATIBILITY ENHANCEMENTS WORK . . . . .214CREATE REDIRECTION RULES . . . . . . . . . . . . . . . . . . . . . . .215

Create a Registry Redirection Rule................................. 215Create a File Redirection Rule ....................................... 217Create a Folder Redirection Rule ................................... 218View a Redirection Rule ............................................... 219Edit a Redirection Rule................................................. 219

vi

CHAPTER 9VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

ABOUT VIRTUAL IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222VIRTUAL IP CONFIGURATION . . . . . . . . . . . . . . . . . . . . . . .222

Enable Virtual IP on a RD Session Host/Terminal Server ... 222Configure Virtual IP Address Ranges .............................. 223Configure Applications ................................................. 226

CHAPTER 10VWORKSPACE ADDITIONAL COMPONENTS . . . . . . . . . . . . . . . . 227

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228VWORKSPACE PASSWORD RESET SERVICE . . . . . . . . . . . . . . .228

Configure the vWorkspace Password Reset Service .......... 229Configure vWorkspace Password Management in AppPortal229Configure vWorkspace Password Management in Web Access230

PROXY-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231Configure Proxy-IT ...................................................... 232

PROXY-IT WITH SESSION DIRECTORY SERVICES . . . . . . . .233

Proxy-IT Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . 233Enable Session Directory Service................................... 234Enable Session Directory on Terminal Services................ 234Using Group Policies Editor ........................................... 234Using Terminal Services............................................... 235

CHAPTER 11MANAGEMENT SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238VIRTUALIZATION SERVERS . . . . . . . . . . . . . . . . . . . . .238

NETWORK STORAGE SERVERS . . . . . . . . . . . . . . . . . . .239

REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . .241

IMPLEMENTATION . . . . . . . . . . . . . . . . . . . . . . . . . . .241

ABOUT THE MANAGEMENT SERVERS WINDOW . . . . . . . . . . . . .242ADD MANAGEMENT SERVERS . . . . . . . . . . . . . . . . . . . . . . .244

Add Virtualization Server Connections............................ 244Add Network Storage Servers ....................................... 249

CHAPTER 12VMWARE INTEGRATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254VMWARE LINKED CLONES . . . . . . . . . . . . . . . . . . . . . . . . .254

vii


VMWARE VNETWORK DISTRIBUTED SWITCH . . . . . . . . . . .257

REPROVISION COMPUTERS. . . . . . . . . . . . . . . . . . . . . . . . .257DISK PERSISTENCE AND MEMORY . . . . . . . . . . . . . . . . . . . .259

UPGRADING/CHANGING NONPERSISTENT DISKS. . . . . . . . .261

VIRTUALIZATION SERVER . . . . . . . . . . . . . . . . . . . . . . . . .261DATA CENTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . .261

Add a VMware VirtualCenter as a Virtualization Server ..... 262

COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . .266Add Computer Groups to a VMware Type........................ 270

ADD COMPUTERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275Add Computers using the Standard Clone Method............ 277Add Computer using the NetApp FlexClone Method .......... 279Add Computers using the VMware Linked Clone Method ... 282

IMPORT EXISTING COMPUTERS INTO A GROUP. . . . . . . . . .287Import Existing Computers into a Group......................... 289

Monitor the Process . . . . . . . . . . . . . . . . . . . . . . . . . 290

POWER MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . .290

CHAPTER 13MICROSOFT REMOTE DESKTOP SERVICES INTEGRATION . . . . . . . 293

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294ABOUT THE RD CONNECTION BROKER . . . . . . . . . . . . . . . . .294REMOTEAPP SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . . . .295INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295

INSTALL RD BROKER SUPPORT. . . . . . . . . . . . . . . . . . .296vWorkspace Extensions Without Role Services Installed.... 296vWorkspace Extensions with Role Services Installed ........ 299

ADD AN RD CONNECTION BROKER TO VWORKSPACE. . . . . . . . .301APPPORTAL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303

Create a New RD Connection Broker Farm Connection...... 303

CHAPTER 14MICROSOFT SCVMM INTEGRATION . . . . . . . . . . . . . . . . . . . . 307

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308CONNECT TO MICROSOFT SCVMM . . . . . . . . . . . . . . . . . . .308MICROSOFT DIFFERENCING DISKS . . . . . . . . . . . . . . . . . . . .309REPROVISION COMPUTERS. . . . . . . . . . . . . . . . . . . . . . . . .309VIRTUALIZATION SERVER . . . . . . . . . . . . . . . . . . . . . . . . .310

viii

HOST GROUPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311Add Microsoft SCVMM as a Virtualization Server .............. 311

COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . .316Add Computer Groups to a Microsoft SCVMM Type........... 318

ADD COMPUTERS . . . . . . . . . . . . . . . . . . . . . . . . . . .322Add Computers using Standard Clone Method ................. 323Add Computers using Rapid Provisioning Clone Method .... 327


Monitor the Process . . . . . . . . . . . . . . . . . . . . . . . . . 332

VIDEO ADAPTER AND STATIC/DYNAMIC MEMORY . . . . . . . . . . .333Reconfigure SCVMM Computers .................................... 334


CHAPTER 15MICROSOFT HYPER-V INTEGRATION . . . . . . . . . . . . . . . . . . . . 339

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340HYPER-V BROKER HELPER SERVICE . . . . . . . . . . . . . . . . . . .340HOSTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340

Add a Host using the Hyper-V Host Wizard ..................... 340

COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . .344Add Computer Groups to a Microsoft Hyper-V Type.......... 346

IMPORT EXISTING COMPUTERS INTO A GROUP. . . . . . . . . .349Import Existing Desktops into a Group ........................... 351


CHAPTER 16PARALLELS VIRTUOZZO INTEGRATION. . . . . . . . . . . . . . . . . . . 353

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354VWORKSPACE AND PARALLELS SUPPORT . . . . . . . . . . . . . . . .354ABOUT PARALLELS VIRTUOZZO . . . . . . . . . . . . . . . . . . . . . .354

Import Virtuozzo Slave Nodes....................................... 356Add Independent Virtuozzo Nodes ................................. 360

COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . .364Add Computer Groups to a Parallels Virtuozzo Type ......... 366Add Computers to a Computer Group ............................ 369



ix


CHAPTER 17NON-POWER MANAGED DATA CENTERS. . . . . . . . . . . . . . . . . . 375

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376COMPUTER GROUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . .376

Add Computer Groups to Other/Physical Type ................. 378

ADD COMPUTERS TO A COMPUTER GROUP . . . . . . . . . . . .380


CHAPTER 18VWORKSPACE CONNECTORS . . . . . . . . . . . . . . . . . . . . . . . . . 387

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388VWORKSPACE CONNECTOR INTERFACES. . . . . . . . . . . . . . . . .388

ABOUT THE APPPORTAL INTERFACE . . . . . . . . . . . . . . . .388

ABOUT WEB ACCESS . . . . . . . . . . . . . . . . . . . . . . . . .389

VWORKSPACE CONNECTOR FOR WINDOWS PACKAGES . . . . . . . .390ABOUT THE VAS CLIENT 32 . . . . . . . . . . . . . . . . . . . .390

ABOUT THE VAS CLIENT 32T . . . . . . . . . . . . . . . . . . .390

ABOUT THE VAS CLIENT 32TS . . . . . . . . . . . . . . . . . .391

vWorkspace Client Executables . . . . . . . . . . . . . . . . . 391

ADDITIONAL REGISTRY SETTINGS . . . . . . . . . . . . . . . . . . . .391VWORKSPACE CONNECTOR CONFIGURATION . . . . . . . . . . . . . .393

FIRST TIME START CONFIGURATION. . . . . . . . . . . . . . . .393Create a New Farm Connection ..................................... 394

MULTIPLE MONITOR SUPPORT . . . . . . . . . . . . . . . . . . . . . .395

MANAGE APPPORTAL CONNECTIONS . . . . . . . . . . . . . . . . . . .397vWorkspace Connection Broker . . . . . . . . . . . . . . . . . 398Farm Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398Connectivity Settings . . . . . . . . . . . . . . . . . . . . . . . . 399Firewall/Proxy Traversal Setting . . . . . . . . . . . . . . . . . 400Credentials Settings . . . . . . . . . . . . . . . . . . . . . . . . . 402Display Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403Local Resources Settings . . . . . . . . . . . . . . . . . . . . . . 405User Experience Settings. . . . . . . . . . . . . . . . . . . . . . 407Password Management Settings . . . . . . . . . . . . . . . . . 409Desktop Integration Settings . . . . . . . . . . . . . . . . . . . 410Auto-Launch Settings . . . . . . . . . . . . . . . . . . . . . . . . 411Microsoft Remote Desktop Connection Broker . . . . . . . 412

x

Farm Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413Connectivity Settings . . . . . . . . . . . . . . . . . . . . . . . . 414RD Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415Credentials Settings . . . . . . . . . . . . . . . . . . . . . . . . . 416Display Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417Local Resources Settings . . . . . . . . . . . . . . . . . . . . . . 419User Experience Settings. . . . . . . . . . . . . . . . . . . . . . 421Password Management Settings . . . . . . . . . . . . . . . . . 423Desktop Integration Settings . . . . . . . . . . . . . . . . . . . 424Auto-Launch Settings . . . . . . . . . . . . . . . . . . . . . . . . 425

APPPORTAL IN DESKTOP INTEGRATED MODE. . . . . . . . . . .426Start the AppPortal in Desktop Integrated Mode .............. 426

APPPORTAL ACTIONS MENU OPTIONS . . . . . . . . . . . . . . .426

APPPORTAL SETTINGS MENU OPTIONS . . . . . . . . . . . . . .428

ABOUT THE PNTRAY . . . . . . . . . . . . . . . . . . . . . . . . . . . .430

CHAPTER 19VWORKSPACE USER SESSIONS. . . . . . . . . . . . . . . . . . . . . . . . 433

OVERVIEW OF USER ACCESS . . . . . . . . . . . . . . . . . . . . . . .434MANAGE RD SESSION HOST/TERMINAL SERVER SESSIONS. . . . .434

Manage Users Connected to RD Session Host/Terminal Servers435View RD Session Host/Terminal Server Sessions.............. 436View Client Information for an Active Session ................. 438Manage RD Session Host/Terminal Server Processes........ 439View RD Session Host/Terminal Server Applications ......... 440

USER ACCESS OPTIONS IN THE RESOURCES NODE . . . . . . . . . .441

ADDITIONAL CUSTOMIZATIONS . . . . . . . . . . . . . . . . . . .441Create New Additional Customization Settings................. 442

APPLICATION RESTRICTIONS . . . . . . . . . . . . . . . . . . . .444

How Application Restrictions Work . . . . . . . . . . . . . . . 444

APPLICATION RESTRICTION PROPERTIES . . . . . . . . . . . . .445

Application Restrictions General Properties . . . . . . . . . 446Application Restrictions Server Groups . . . . . . . . . . . . 448Properties of an Application Restriction List . . . . . . . . . 449Assign an Application List to Clients . . . . . . . . . . . . . . 451

Assign Clients to the Client List ..................................... 452Unassign Clients from the Client List .............................. 452View Client Properties.................................................. 452Schedule Access Hours ................................................ 452

CONNECTION POLICIES . . . . . . . . . . . . . . . . . . . . . . .453

xi


Define New Connection Policy Properties ........................ 454

COLOR SCHEMES . . . . . . . . . . . . . . . . . . . . . . . . . . .457Assign a Color Scheme ................................................ 457

DRIVE MAPPINGS . . . . . . . . . . . . . . . . . . . . . . . . . . .457Create a New Drive Mapping......................................... 458

ENVIRONMENT VARIABLES . . . . . . . . . . . . . . . . . . . . . .459Create a New Environment Variable............................... 459

HOST RESTRICTIONS . . . . . . . . . . . . . . . . . . . . . . . . .460Create Host Restrictions............................................... 460

REGISTRY TASKS . . . . . . . . . . . . . . . . . . . . . . . . . . .461Modify a Registry Tasks ............................................... 462

SCRIPTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464Assign a Script............................................................ 465

TIME ZONES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466Assign a Time Zone ..................................................... 466

USER POLICIES . . . . . . . . . . . . . . . . . . . . . . . . . . . .466View User Policies Properties ........................................ 467Create User Policies..................................................... 467Modify User Policies..................................................... 468

VIRTUAL USER PROFILES . . . . . . . . . . . . . . . . . . . . . .469

WALLPAPERS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469Assign Wallpapers ....................................................... 469Change Wallpaper Properties ........................................ 469Add New Wallpaper ..................................................... 470

CHAPTER 20VIRTUAL USER PROFILES . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

OVERVIEW OF VIRTUAL USER PROFILES . . . . . . . . . . . . . . . .474HOW VIRTUAL USER PROFILES WORK. . . . . . . . . . . . . . .475

VIRTUAL USER PROFILES PROPERTIES. . . . . . . . . . . . . . . . . .476GENERAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477

STORAGE SERVERS . . . . . . . . . . . . . . . . . . . . . . . . . .478

SILOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479

PERMISSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482

CONFIGURE VIRTUAL USER PROFILES . . . . . . . . . . . . . . . . . .482Configure Virtual User Profiles Properties........................ 483

MANDATORY VIRTUAL USER PROFILE . . . . . . . . . . . . . . . . . .485ASSIGN MANDATORY VIRTUAL USER PROFILES . . . . . . . . .485

xii

Modify a User’s Profile Path in Active Directory ................ 486

DEFINE VIRTUAL USER PROFILES . . . . . . . . . . . . . . . . . . . .486Define a Registry Key in User Profiles............................. 489

DEFINE SPECIAL FOLDER USER PROFILES . . . . . . . . . . . .491Define a Special Folder User Profile Element ................... 492

CHAPTER 21VWORKSPACE AND SECURE GATEWAY . . . . . . . . . . . . . . . . . . . 495

ABOUT SECURE GATEWAY . . . . . . . . . . . . . . . . . . . . . . . . .496INSTALLATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . .497

About the Secure Gateway Certificate . . . . . . . . . . . . . 497

SECURE GATEWAY CONFIGURATION . . . . . . . . . . . . . . . . . . .499DEPLOYMENT OPTIONS. . . . . . . . . . . . . . . . . . . . . . . .503

Configure AppPortal Access .......................................... 507Configure AppPortal and Web Access ............................. 510

CHAPTER 22UNIVERSAL PRINTING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

ABOUT PRINT-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .514PRINT-IT COMPONENTS . . . . . . . . . . . . . . . . . . . . . . . . . .515UNIVERSAL PRINT DRIVER. . . . . . . . . . . . . . . . . . . . . . . . .515

UNIVERSAL NETWORK PRINTER AUTO-CREATION OPTION . . .515

UNIVERSAL CLIENT PRINTER AUTO-CREATION OPTION. . . . .517

UNIVERSAL PRINTER PROPERTIES . . . . . . . . . . . . . . . . .518

Universal Printer Client Properties. . . . . . . . . . . . . . . . 532

UNIVERSAL NETWORK PRINT SERVICES . . . . . . . . . . . . . . . . .534

UNIVERSAL NETWORK PRINT SERVER EXTENSIONS OPTION . .535Setup Print-IT Printers ................................................. 535Add Network Printers................................................... 536Assign Printers to Clients.............................................. 537

UNIVERSAL PRINT RELAY SERVICE FOR REMOTE SITES . . . .537Configure Universal Print Relay Service for Remote Sites .. 538

Manage Relay Servers. . . . . . . . . . . . . . . . . . . . . . . . 541Add Print-IT Remote Relay Servers................................ 541Import Remote Printers ............................................... 542

PRINTERS WINDOW IN VWORKSPACE MANAGEMENT CONSOLE . . .543Assign Remote Printers to Clients .................................. 544

PRINT-IT PRINTER PROPERTIES . . . . . . . . . . . . . . . . . .544

Universal Printer Properties . . . . . . . . . . . . . . . . . . . . 544

xiii


View and Edit Universal Printer Properties ...................... 544

Network Printer Properties. . . . . . . . . . . . . . . . . . . . . 546View and Edit Network Printer Properties........................ 546

CHAPTER 23USB DEVICES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547

ABOUT USB DEVICES . . . . . . . . . . . . . . . . . . . . . . . . . . .548VWORKSPACE VIRTUAL USB HUB CLIENT . . . . . . . . . . . . . . .548

Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548

VWORKSPACE VIRTUAL USB HUB CLIENT . . . . . . . . . . . .549

Virtual USB Hub Client Applet . . . . . . . . . . . . . . . . . . 549Virtual USB Hub Client System Tray . . . . . . . . . . . . . . 552Virtual USB Hub Client Services . . . . . . . . . . . . . . . . . 552

VWORKSPACE VIRTUAL USB HUB SERVER . . . . . . . . . . . .553

Virtual USB Hub Server Applet . . . . . . . . . . . . . . . . . . 553Virtual USB Hub Server System Tray . . . . . . . . . . . . . 554Virtual USB Hub Server Services . . . . . . . . . . . . . . . . 555

Manage USB Devices ................................................... 555Autoexclude any USB Device ........................................ 556

SMART CARD USB REDIRECTION . . . . . . . . . . . . . . . . .557

USB-IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .558HOW USB-IT WORKS . . . . . . . . . . . . . . . . . . . . . . . .559

Configure USB-IT ........................................................ 559

CHAPTER 24VWORKSPACE REPORTING. . . . . . . . . . . . . . . . . . . . . . . . . . . 561

OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .562REPORTING COMPONENTS . . . . . . . . . . . . . . . . . . . . . . . . .563

SAMPLE REPORT VIEWER . . . . . . . . . . . . . . . . . . . . . .563

Sample Report Viewer Setup . . . . . . . . . . . . . . . . . . . 563Using Report Viewer . . . . . . . . . . . . . . . . . . . . . . . . . 565

Changing the Setup..................................................... 565Open and Run Report Queries....................................... 565Temporarily Change the Number of Rows to Return ......... 566Export Report Data ..................................................... 567Copy SQL Text............................................................ 567

DATABASES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568

vWorkspace Farm Database. . . . . . . . . . . . . . . . . . . . 568vWorkspace Reporting Database . . . . . . . . . . . . . . . . 568

REPORTING SCHEMA . . . . . . . . . . . . . . . . . . . . . . . . .569

xiv

Virtual Machines and Virtual Machine Pools . . . . . . . . . 569Applications and Application Restrictions . . . . . . . . . . . 581Clients, Folders and Locations . . . . . . . . . . . . . . . . . . 588

REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593

Historical Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 593Real Time Reports . . . . . . . . . . . . . . . . . . . . . . . . . . 594Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595Custom Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . 596

CHAPTER 25LOAD BALANCING AND PERFORMANCE OPTIMIZATION . . . . . . . . 601

ABOUT LOAD BALANCING . . . . . . . . . . . . . . . . . . . . . . . . .602LOAD BALANCING RULES . . . . . . . . . . . . . . . . . . . . . .602

HOW LOAD BALANCING WORKS . . . . . . . . . . . . . . . . . .603

LOAD BALANCING ON TERMINAL SERVERS . . . . . . . . . . . .606

LOAD BALANCING GUIDELINES . . . . . . . . . . . . . . . . . . .606Create Load Balancing ................................................. 607Assign Load Balancing to Servers .................................. 608Assign Load Balancing to Managed Applications............... 609Assign Load Balancing to SCVMM Managed Computer Groups609

PERFORMANCE OPTIMIZATION. . . . . . . . . . . . . . . . . . . . . . .610ABOUT CPU UTILIZATION MANAGEMENT . . . . . . . . . . . . .610

ABOUT VIRTUAL MEMORY OPTIMIZATION . . . . . . . . . . . . .611

Install CPU and Memory Optimization . . . . . . . . . . . . . 613Enable CPU and Memory Optimization. . . . . . . . . . . . . 613

MAX-IT MASTER POLICY SETTINGS . . . . . . . . . . . . . . . .614

Max-IT Server Policy. . . . . . . . . . . . . . . . . . . . . . . . . 621Set the Max-IT Policy for Specific Servers....................... 621

VIEW VM OPTIMIZATION RESULTS . . . . . . . . . . . . . . . . . . .622View Session Summary Information .............................. 623View Results for a Specific Session ................................ 623View Results per Application ......................................... 623

MANUALLY APPLY OPTIMIZATIONS . . . . . . . . . . . . . . . . .624

APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625

BEST PRACTICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625vWorkspace Management Console . . . . . . . . . . . . . . . 625Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626Connection Broker . . . . . . . . . . . . . . . . . . . . . . . . . . 626

xv


Sysprep Template. . . . . . . . . . . . . . . . . . . . . . . . . . . 626VirtualCenter Server . . . . . . . . . . . . . . . . . . . . . . . . . 627VirtualCenter Templates . . . . . . . . . . . . . . . . . . . . . . 628NetApp Integration . . . . . . . . . . . . . . . . . . . . . . . . . . 631Failover Protection . . . . . . . . . . . . . . . . . . . . . . . . . . 631High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632Other Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . 632

APPENDIX B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

ABOUT THE CONFIG.XML FILE . . . . . . . . . . . . . . . . . . . . . .633LOCATION SECTION OF CONFIG.XML. . . . . . . . . . . . . . . .643

APPENDIX C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645

GINA CHAINING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .645NOVELL GINA TROUBLESHOOTING . . . . . . . . . . . . . . . .645

APPENDIX D. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

SENTILLION INTEGRATION . . . . . . . . . . . . . . . . . . . . . . . . .647APPENDIX E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649

INTERNET EXPLORER REDIRECTION . . . . . . . . . . . . . . . . . . .649APPENDIX F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651

Wyse Thin OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651

APPENDIX G. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653

VMWARE VCENTER SERVER CERTIFICATE. . . . . . . . . . . . . . . .653Create the Keystore by the Script Procedure ................... 653View or Modify Keystore Registry Entries........................ 653Copy to Other Connection Brokers................................. 654

APPENDIX H. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655

CONFIGURABLE REGISTRY SETTINGS . . . . . . . . . . . . . . . . . .655ACTIVE SETUP . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655

PNTSC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655

PHNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673

xvi

About This Guide

• Overview

• Conventions

• About Quest Software

• Contact Quest Support

• Contact Quest Support


OverviewThe Quest vWorkspace Administration Guide is designed to assist administrators with tasks pertaining to installing Quest vWorkspace. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references:

ELEMENT CONVENTION

Select This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text Interface elements that appear in Quest Software products, such as menus and commands.

Italic text Used for comments.

Bold Italic text Used for emphasis.

Blue text Indicates a cross-reference. When viewed in Adobe® Reader®, this format can be used as a hyperlink.

Used to highlight additional information pertinent to the process being described.

Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

Used to highlight processes that should be performed with care.

+ A plus sign between two keystrokes means that you must press them at the same time.

| A pipe sign between elements means that you must select the elements in that particular sequence.

xviii

About Quest SoftwareNow more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products — helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contact Quest SoftwareEmail [email protected]

Mail Quest Software, Inc.World Headquarters5 Polaris WayAliso Viejo, CA 92656USA

Web site www.quest.com

Refer to our Web site for regional and international office information.

vWorkspace ResourcesThe Quest vWorkspace home page is found at http://www.quest.com/vworkspace. The following resources are available from the vWorkspace web site:

• Software downloads - Select the Download link and log in. Downloadable files include the vWorkspace product, hotfixes, prerequisites, and documentation.

• Technical Training - Select the Education link to review course schedules and enroll in classes.

• Licensing - Select the Licensing link to view and generate vWorkspace licenses.

• Support - Select the Support link to be redirected to the Quest SupportLink website, where you can download the latest releases, documentation, and patches; enter new support cases and manage existing cases via the Case Management option, and search the knowledgebase.

• Community - Select the Community link, or use the following URL:

http://communities.quest.com/community/vworkspace

xix

http://www.quest.com


http://www.quest.com

http://communities.quest.com/community/vworkspace


Contact Quest SupportQuest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/.

From SupportLink, you can do the following:

• Retrieve thousands of solutions from our online Knowledgebase

• Download the latest releases and service packs

• Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/.

Document Feedback

We would like to hear from you. Please e-mail any comments or suggestions about our documentation to [email protected].

xx


http://support.quest.com/

http://support.quest.com/

1

Introduction to vWorkspace

• Overview

• vWorkspace Components

• vWorkspace Key Features

• Remote Desktop Session Host Extensions

• TCP Port Requirements


OverviewWelcome to Quest vWorkspace. Quest vWorkspace manages, provisions, and brokers connections, transforming the desktop infrastructure into an on-demand service with optimized user experience for LAN and WAN. Quest vWorkspace delivers virtual applications and desktops from multiple hypervisors, Remote Desktop Session Hosts and blade PCs through a single user access point and management center.

The Experience Optimized Protocol (EOP) addresses the user experience challenges of Virtual Desktop Infrastructure (VDI) and desktop virtualization by provisioning seamless, reliable, high-performance enhancements over remote desktop software. These enhancements ensure that your VDI and Remote Desktop Session Host deployment can deliver on the promise of virtualization and a true local-desktop experience.

Organizations can implement vWorkspace to deliver full-featured desktops from a central infrastructure comprised of virtual and physical computers. Mobile and home users gain a single, secure access point to the same vWorkspace-enabled infrastructure through the built-in Secure Gateway or various third-party SSL VPN appliances.

Quest vWorkspace delivers a management platform for desktop virtualization that consolidates multiple desktop virtualization techniques and technologies

2

and delivers simplicity: one user access point, one management console, excellent user and administrator experience, and the lowest cost for virtual desktop and application delivery.

vWorkspace delivers five levels of independence enabling organizations to deliver desktops and applications with the most cost-effective combination of virtualization technologies for the needs of each category of users.

Desktops are logical groupings of virtual or physical computers that share common attributes and adhere to common policies. Desktops often mirror a departmental function or task, a geographical location, or an outsourced entity. A vWorkspace-enabled hosted desktop infrastructure consists of a farm of desktops.

Hosted desktops must be configured to accept remote desktop connections using the Microsoft RDP protocol. In addition, PNTools must be installed onto these computers, enabling them to communicate back and forth with the Connection Broker.

The Data Collector service running on each desktop communicates with the Connection Broker sending it a heartbeat signal, as well as events such as logon, logoff, disconnect, logon status, and connection readiness information. It also receives prelogon configuration data from the Connection Broker, allowing the desktop to be preconfigured according to established policies, prior to the user logging on.

3


A vWorkspace experience can be delivered to the client in the form of a published desktop, or as a set of individually published applications which are preinstalled onto each desktop or streamed on demand.

Benefits of vWorkspace• Simplify Management with a Single Console

vWorkspace provides a single console for the management of desktops and applications across VDI, Remote Desktop Session Hosts, and blade PCs, while automating tasks such as desktop provisioning and user environment configuration.

• Improve Security and Business Continuity through Centralization

Two-factor authentication, a Secure Gateway, and comprehensive delegation of administrator privileges ensure secure remote access and safe management of centralized desktops. Fault tolerance, rapid recovery, and one-click desktop reprovisioning deliver high system availability.

• Increase Workforce Productivity with Dynamic Delivery

Mix and match desktop and application delivery from multiple virtualization platforms to provide dynamic and location independent access for users. Platform independence provides the flexibility to change providers and blend old and new virtualization investments.

• Ease Adoption with an Optimized User Experience

The vWorkspace Experience Optimized Protocol (EOP) drives employee adoption by accelerating images and multimedia content, delivering high-quality bidirectional audio and universal support for USB devices so that the virtual desktop looks and feels like a physical one.

vWorkspace ComponentsThe vWorkspace product has both virtual desktop infrastructure (VDI) and Remote Desktop Session Host components that are described in the following sections.

• vWorkspace Key Features

• Desktops Enhancements

Application streaming is a software distribution methodology used to enhance the management and flexibility of a desktop infrastructure by making the need to pre-install (manually or by using conventional software distribution tools) the applications onto each desktop unnecessary.

4

• Terminal Services Enhancements

• Remote Desktop Session Host Extensions

• User Experience Enhancements

vWorkspace Key Features

Connection Broker

The Connection Broker offers the following features:

• Highly scalable Windows service.

• Integrates with virtualization platforms to provision and customize new desktop workspaces, and to perform a broad set of power management tasks.

• Multiple virtualization servers are supported simultaneously.

• Multiple Connection Brokers are allowed per infrastructure.

• Installation can be inside a virtual appliance.

• Responds to client connectivity requests and redirects each client to the appropriate desktop.

• Communicates with the Data Collector service running inside each managed computer.

vWorkspace Database

• Required for the vWorkspace infrastructure to store configuration information.

• Dedicated or shared Microsoft SQL Server is used. For small to medium size environments, Microsoft SQL Server Express database management system can be used.

Desktops Enhancements

Virtual Computer Management Tasks

• Manage virtual computer power states.

• Tasks scheduling and automation.

• Automated virtual desktop and server provisioning.

• Active Directory integration.

• Policy driven desktop configuration.

Desktop Group and Individual Desktop Policies

5


• Desktop group and individual desktops can be assigned to users prior to the first logon. Alternatively, the Connection Broker can automatically assign persistent or non-persistent desktops to users upon first logon.

• Policy settings can be specified per desktop, overriding the parent group policy settings.

• Access to desktops can be confined to certain days of the week and hours of the day.

• Virtual computer based desktops can be automatically suspended if idle.

• Users can be dynamically added to the Power Users or Administrators group on their assigned desktops.

Desktop and Application Publishing

• Full desktops and individual applications can be published.

• Desktops and applications are published on desktop groups.

• Access is granted or denied to applications using Access Control Lists.

Virtual Desktop Extensions (PNTools)

• Provides features and management functionality for managed computers.

• Installed on all computers, virtual or physical, that are being managed.

• Includes features such as Flash Redirection, USB Redirection, and seamless windows display mode.

Terminal Services Enhancements

vWorkspace enhances Microsoft Windows Terminal Server with advanced features such as application publishing, load balancing, seamless windows, session sharing, credentials pass-through, multiple monitor support, and Flash Redirection.

Published applications can also be accessed through vWorkspace Web Access and started over secure SSL connections, eliminating the need to compromise firewall security using Web Access and Secure Gateway (Secure-IT).

Secure Gateway

vWorkspace Secure Gateway is a Secure Sockets Layer (SSL) gateway designed to simplify the deployment of business-critical applications through the Internet, securely and cost-effectively. With Secure Gateway, RDP connections from client workstations to the Secure Gateway server are encrypted using SSL,

6

and sent through the firewall on TCP port 443. Once received by the Secure Gateway server, the SSL traffic is then decrypted and forwarded to the Remote Desktop Session Hosts on TCP port 3389, which is the standard RDP port. Outbound RDP traffic passing through the Secure Gateway server is encrypted and forwarded to the client workstations.

Remote Desktop Session Host Extensions

The features include:

• Application Restrictions

• User Environment Control

• Performance Optimization

• Virtual User Profiles

• Universal Printer Driver

• Application Compatibility Enhancements

• Time Zones

• PDA Redirection

• Virtual IP

Application Restrictions

Application Restrictions extends the security of a Remote Desktop Session Host environment by adding session-based Application Restrictions (Application Access Control) and Network Access Restrictions (Host Access Control) capabilities.

User Environment Control

User Environment Control boasts several powerful features designed to fully automate various time-consuming session configuration tasks in a Remote Desktop Session Host environment. These important features include the ability to create application shortcuts, set backgrounds and color schemes, map drive letters to network shares, connect to shared network printers, execute scripts, manipulate the user's HKCU registry hive, set per-user environment variables, and lock down the user's Remote Desktop Session Host session using the most stringent policy settings and hard-to-find hacks.

7


Performance Optimization

Performance Optimization improves application response times and increases overall server capacity by streamlining and optimizing the use of virtual memory and CPU resources.

Virtual User Profiles

Virtual User Profiles accelerates logon times and eliminates profile corruptions and management issues associated with Remote Desktop Session Host roaming profiles. A MetaProfile combines the persistence of a conventional roaming profile with the speed and robustness of a mandatory profile in order to achieve unprecedented logon speeds and stability levels. Administrators can even implement multiple MetaProfiles per user account to satisfy multifarm and server silo requirements.

Universal Printer Driver

Universal Printer Driver is a single-driver printing solution that satisfies both client side and network printing needs in a Remote Desktop Session Host environment. In addition to its driver independent approach to printing, benefits also include the dramatic reduction in network bandwidth utilization and the ability to inherit the properties of the manufacturer specific print drivers such as supported trays, paper sizes, and margins.

Application Compatibility Enhancements

Application Compatibility Enhancements is a sophisticated registry and file system redirection engine designed to eliminate a wide range of multi-user conflicts arising from application design limitations.

Time Zones

Time Zones is a per session time zone assignment module. Time Zones allows administrators to specify a unique time zone by user name, group membership, OU, or client device property (client name or IP address). With Time Zones, users can execute their time and date sensitive applications in their own time zones, completely independent of the Remote Desktop Session Host systemwide time zone setting.

8

PDA Redirection

PDA Redirection enables Remote Desktop Session Host clients to seamlessly access certain USB-based Palm OS and BlackBerry handhelds over RDP connections. With PDA Redirection, users can start the BlackBerry Desktop Manager or Palm Desktop software program from within their sessions, and instantly gain access to their handhelds for the purpose of synchronizing e-mail, calendar, contacts, and other personal information with back-end messaging and collaboration systems.

Virtual IP

Virtual IP enables each user instance of a legacy application to be bound to a unique IP address for identification purposes, allowing many legacy client server designed applications to run correctly in a multi-user environment.

User Experience Enhancements

Some of the user experience enhancements are:

• Seamless Windows — Individual published applications running inside the hosted desktop appear on the user's screen as if they are running locally.

• Session Sharing — Applications published on the same managed computer group all share the same desktop.

• Multimonitor Support — Support for multiple monitors through the RDP session with different resolution attached to the client device. When used in conjunction with seamless windows, desktop based application windows can be moved to, resized, and maximized on any monitor.

• Kerberos-based Credentials Pass-Through — User’s locally cached domain credentials or Kerberos ticket is re-used for vWorkspace authentication. This feature is useful when end user devices, such as thin clients running Windows XPe or repurposed Windows PCs, are joined to a Windows domain. This feature also works in the presence of smart cards and other Windows compatible authenticators.

Kerberos pass through authentication is supported for Microsoft Server 2008 and Microsoft Vista hosts. Microsoft Vista does not support Kerberos pass through authentication with UAC enabled, so if UAC is enabled on Microsoft Vista, CredSPP authentication support is used. CredSPP authentication is only used when supported by both the VM server and client. Supported clients are Microsoft Windows XP SP3, Microsoft Vista, or Microsoft Server 2008. Supported servers are Microsoft Vista or Microsoft Server 2008.

9


• AppPortal Client — A client GUI enables users to access their desktop-based published desktops and applications.

• AppPortal (Desktop-Integrated) — A GUI-less operational mode in which AppPortal runs in the system tray. Published desktops and applications are propagated to the user’s local Desktop and Start Menu.

• Web Access — Enables users to log on and access their published desktops and applications using a standard Web browser.

• RDP-over-SSL connectivity — Enables users to access their published desktops and applications using the Secure Sockets Layer (SSL) protocol.

• Universal Printer Driver — Eliminates the need to install vendor specific print drivers into the desktops. Driverless printers are autocreated inside each desktop using a single EMF-based universal print driver, regardless of printer make and model.

• Password Reset Service — Allows users to reset their expired Windows domain passwords prior to logging on.

• Experience Optimized Protocol (EOP) — Addresses the user experience challenges of Virtual Desktop Infrastructure (VDI) by provisioning seamless, reliable, high-performance enhancements over Microsoft Remote Desktop Protocol (RDP). These enhancements ensure that a VDI deployment can deliver on the promise of virtualization and a true local-desktop experience.

• Virtual USB Hub Client — Enables the use of virtually any USB connected device (PDAs, local printers, scanners, cameras, headsets) to be used in conjunction with VDI.

• Bidirectional Audio — Allows users to redirect their microphone devices to Remote Desktop Session Host sessions.

• Delegated Administration — Delegate administrative responsibility among multiple levels of IT staff, conforming to security and compliance best practices, and providing control over administrative access.

10

TCP Port Requirements

The TCP/IP port number requirements for vWorkspace services are listed below.

• Data Collector Service — It listens for Connection Broker service connections on 5203.

This is a Windows service that runs inside each managed computer or vWorkspace enabled Remote Desktop Session Host, and communicates back and forth with the Connection Broker. When PNTools is installed onto a desktop, a Windows Firewall port exception rule is automatically added to allow incoming connections on this port.

• Connection Broker — It listens for Data Collector service connections on 5201. It also listens for incoming client connection requests on a configurable port, using 8080 as the default. Optionally, the Connection Broker can be configured to require SSL encryption using 443 as the default.

11


This service communicates with the Data Collector running inside each managed computer or vWorkspace enabled Remote Desktop Session Host.

• Password Management Service — This service accepts SSL protected client password reset requests on a configurable port, using 443 as the default.

• Web Access — vWorkspace Web Access, being a web service, uses HTTP and HTTPS application protocols. Although the default port numbers are 80 and 443 respectively, any ports can be used.

• Secure Gateway — The Quest vWorkspace Secure Gateway (Secure-IT) acts as an SSL proxy for Connection Broker, Web Access, and RDP communications, and by default listens on 443.

• RDP — RDP listens on 3389 by default.

Microsoft RDP (Remote Desktop Protocol) is used for connections from vWorkspace connector to Remote Desktop Session Host or a managed computer.

• Universal Printer Service — This service listens on port 5204 on UP Printer Servers only.

• Registry Service — This service listens for registry messages on port 5205 on Remote Desktop Session Host and broker computers.

• User Profile Management Storage — This service listens on port 5206.

vWorkspace ConnectorsThe Quest vWorkspace Connectors that are available for Microsoft Windows user access devices are AppPortal and Web Access.

The AppPortal is a component of the vWorkspace Connector with an intuitive, interactive user interface shell allowing users, upon successful authentication, to receive a list of authorized desktops and applications. Users can subsequently start remote connections to published desktops and applications by selecting the corresponding shortcuts.

AppPortal can also be started in Desktop-Integrated mode where the user interface shell is suppressed and it appears in the Windows system tray. Application icon shortcuts are placed on the user’s Desktop, Start Menu, or All Programs menu, depending on preferences.

vWorkspace Web Access allows users to retrieve their list of allowed applications or desktops using a web browser. A Web Access web server must be available to use this interface.

12

AppPortal View

Web Access View

13


14

2

vWorkspace Management Console

• About the vWorkspace Management Console

• vWorkspace Management Console Window

• vWorkspace Menu Options and Icons

• vWorkspace Object Nodes

• Farm

• Locations

• Clients

• Resources

• Packaged Applications


• Virtual IP

• File and Registry Redirection

• Load Balancing


About the vWorkspace Management ConsoleThe vWorkspace Management Console provides management and administrative functions to vWorkspace administrators. All database management tasks are performed by the vWorkspace Management Console.

The vWorkspace Management Console can be installed and used on any number of workstations or laptop computers for management purposes, as long as connectivity to the vWorkspace database can be established. Remote Procedure Call (RPC) connections to other vWorkspace servers at times may also be required for full management functionality. Most functions performed by the vWorkspace Management Console can be done from any computer, but Registry tasks or applying virtual memory optimizations must be performed by the vWorkspace Management Console from the console of the effected server.

Any hotfixes that affect the vWorkspace Management Console need to be applied to all installed instances. Failure to do so can lead to unreliable results when using the vWorkspace Management Console.

vWorkspace Management Console WindowThe vWorkspace Management Console presents a graphical user interface that includes a menu bar, toolbar, navigation pane, and an information pane.

Multiple instances of the vWorkspace Management Console can be opened simultaneously. Administrators need to be aware that their changes may interfere with changes made by another administrator.

16


The vWorkspace infrastructure is displayed in a treeview format in the Navigation pane. It includes the following nodes.

NODE DESCRIPTION

Farm This top node represents the entire vWorkspace infrastructure. From this node you can:

• Assign a name to the farm.

• Enable database caching.

• Configure other settings such as Reset all pop-up messages and Clear recent items list.

Locations This node is used to organize groups of users based on geographical locations, within a vWorkspace infrastructure.

Status Bar

Toolbar

Menu Bar Navigation PaneInformation /Detail Pane

Object Nodes

17


Clients This node is used to identify vWorkspace clients. Once defined in the vWorkspace database, they can be used in Access Control Lists associated with various objects.

Clients are identified by:

• User name

• Group membership

• IP address

• Device name

• Active Directory Organizational Units

Resources This node contains the list of items that can be assigned to clients using Client Assignment.

A toolbar option, Toggle Client Assignment List Display, allows the client assignment to be displayed at the bottom of the window, the right-side of the window, or not at all.

Packaged Applications This node is used to identify Microsoft Application Virtualization (App-V) servers and their hosted application packages, as well as MSI packages.

Performance Optimization This node is used to configure CPU Utilization and Virtual Memory Optimization policies, and to view the results of these policies.

Virtual IP This node is used to provide special configuration options for applications running in a multi-user environment that require unique IP addresses for identification.

File & Registry Redirection This node provides mechanisms that allow applications to work properly in a multi-user environment.

Load Balancing This node is used to configure load balancing when published applications are hosted on multiple RD Session Host/Terminal Servers. A load balance can be assigned to either the published application or the RD Session Host/Terminal Servers.

NODE DESCRIPTION

18


vWorkspace Welcome Window

The Welcome window is displayed when opening the vWorkspace Management Console. From this window you can access Quick Start Guides and the System Requirements Guide in CHM file format; open the documentation folder containing the complete vWorkspace document library; jump to recent items in the console; and link to home pages such as vWorkspace and Quest SupportLink.

vWorkspace Menu Options and IconsThe vWorkspace menu options consist of the following:

• The File menu options are:

• Current User Sessions — This option opens the Current User Sessions window. A remote control session can be initiated from this window as well. See User Sessions for more information on using the remote control option.

• Administration — This option opens the Administration window. See Administration for more information.

19


• Change User — This option opens the Login window.

• Licensing — This option opens the Licensing window. See for Licensing more information.

• Database Configuration — This option opens the Configure Database window. See Manual Database Configuration for more information.

• The Actions menu options depend on the item selected in the management console. Some of the items include:

• New <Location> — This option opens the wizard to start a new process, such as a location.

• Properties — This option opens the Managed Computer Properties window. See Location Properties for more information.

• Management Servers — This option opens the Virtualization Servers window. See Management Servers for more information.

• Refresh — This option refreshes the view.

• The Help option, About, displays information about the Quest vWorkspace product, including the version number.

The vWorkspace icons are as follows:

ICON DESCRIPTION

This icon is used to exit the console.

This icon is used to access Current User Session and the Remote Control Session options.

This icon is used to access the Administration options.

This icon is used to access Licensing information.

20


Administration

The Administration option of the vWorkspace Management Console is used to identify users or groups of users and how administrative tasks are delegated to them. Once users or groups of users have been added as administrators, permissions can then be set.

It is important to note that not every administrator needs to be added to the vWorkspace Management Console, they just need to be a member of a Windows group that has been added. So, you could create a Windows group in your domain, add all the administrators to that group and then add that group to the vWorkspace Management Console.

Administrators have full access rights to the vWorkspace Management Console if you choose to not use the Administration feature. The vWorkspace Management Console does check to ensure that the current Windows user is also a Windows administrator prior to granting access to the vWorkspace Management Console.

This icon is used to access Properties of the highlighted item.

This icon is used to access a New Wizard for the highlighted item.

This icon is used to access Management Servers.

This icon is used to access the vWorkspace welcome window, and collapses the treeview in the navigation pane of the console.

This icon is used to refresh the window.

ICON DESCRIPTION

21


Users and groups of users who are selected as system administrators have implicit allow permissions for all actions, and may add and remove other system administrators.

The first administrator defined in the system is automatically defined as a system administrator, and the last administrator to be removed from the system must be a system administrator. This selection cannot be modified, as it is designed to prevent inadvertent lock out situations.

Once one or more administrators are defined, a Login window is displayed during the vWorkspace Management Console startup.

If check box, Login as the current Windows user is selected, the user and password fields are filled out automatically, and these fields are disabled. If the check box is unselected, the user must enter their user name and password.

The Login window is also accessible from the vWorkspace management console menu option, File | Change User.

Permissions

Permissions enable administrators to allow or deny actions for activities within the vWorkspace Management Console. An administrator does not have the ability to set their own permissions or permissions of a group to which they belong. However, a system administrator can modify permissions for any user or group.

The Permissions structure is a hierachy; that is, there are a lot of parent-child relationships. For example, there is a permission named Modify Resources at the Resource node level; a permission named Modify Managed Applications a the Managed Applications level; and a permission named Modify Managed Application for an individual application. Any child permission may be undefined, or not explicitly set by an administrator.

22


The parent permission in this example is Modify Resources, so all of the other child permission levels of Allow or Deny is inherited from the parent permission.

Permission checkboxes may be one of the following:

The gray checkmarks indicate that the permission is inherited from its parent. Permissions that are disabled cannot be modified by the current administrator, as the administrator does not have sufficient permissions to change it.

Enabled, permission not set.

Checkbox has white background.

Enabled, explicit permission set.


Enabled, inherited permission set.


Disabled, permission not set.

Checkbox has gray background.

Disabled, explicit permission set.


Disabled, inherited permission set.


23


How to ...

• Add a New Administrator

• Edit Administration Settings

• Remove an Administrator

• Set Permission at the Object Level

Add a New Administrator

1. Open the vWorkspace Management Console.

2. Select File | Administration.

3. To add users or a group of users, click Add User/Group on the Administrators settings window.

4. Click Next on the Welcome to the Administrator window.

5. Select User or Group on the User/Group Name window, and then enter Domain\User or Domain\Group in to the dialog box.

Use the ellipsis to assist in selecting users or groups.

6. On the User/Group Name window, select the check box if this user or group is to be a system administrator, and then click Next.

System administrators have implicit allow permissions for all actions, and may add and remove other system administrators.

7. Select one of the default permission settings, Deny All, Allow All, or Copy from, and then click Next.

Use Copy from to quickly set the initial permissions of a new administrator to those of an existing non-system administrator, administrator.

8. Make any changes to the Allow and Deny columns on the Permissions window, and then click Finish. The Administrators window appears.

9. Highlight the user or group that you just added, and then select Settings.

10. Specify the administration settings, Allow or Deny, on the Settings window, and then click Apply to save your settings.

11. Select Permissions to specify administrator permission.

12. Click Apply to save your changes, and OK to close the window.

24


Edit Administration Settings



3. Edit as appropriately, and click Apply to save your changes, and OK to close the window.

Remove an Administrator



3. Highlight the user or group name from the list.

4. Click Remove.

5. Verify by selecting Yes on the confirmation window.

6. Click OK to close the window and save your changes, or Apply to save your changes without closing the window.

Set Permission at the Object Level


2. Highlight the object to which the permission is to be set.

Permissions are inherited from the parent permission, unless the level is set separately.

Licensing

vWorkspace is licensed on a concurrent user basis. Any number of servers can belong to the vWorkspace infrastructure using this model.

Each license has a user count associated with it indicating the maximum number of concurrent users that can connect and use the respective services.

Currently, there are three types of vWorkspace licenses available:

• Enterprise Edition — This edition enables both VDI and RD Session Host/Terminal Server integration with vWorkspace.

• Desktop Edition — This edition enables VDI integration with vWorkspace.

• EOP Xtream Edition — This edition only includes the EOP Xtream feature to be used with the vWorkspace Connector software. An EOP Xtream Edition license will display as an Enterprise license in the license manager.

25


You can access the Licensing window from the File menu option in the vWorkspace Management Console, or by selecting the Licensing icon from the toolbar. There are two parts to licensing:

• Licenses

• User Sessions

Licenses

The Licenses section enables administrators to view current licenses and to add new licenses.

The Current License tab is used for adding licenses that have been acquired from the Quest licensing management system. These licenses are ASC files. All new licenses are received in this file format.

The Other Licenses tab is used for adding existing licenses that have been previously acquired from the vWorkspace web site. You can no longer acquire licenses from www.vworkspace.com.

26


User Sessions

The User Sessions section allows administrators to view active user sessions, and license and product usage. To view user sessions, do one of the following:

• Select User Sessions in the left pane of the Licensing window.

• Select File | Current User Sessions from the menu bar.

• Click the Current User Sessions icon on the toolbar.

27


Remote Control

By selecting Remote Control Session from the Sessions window, administrators are able to shadow active user sessions. Remote control can only be accomplished when initiated from one RDP session to another.

Remote Control is only supported with Windows XP and Windows 2003 (in any combination of Access Device or Virtual Desktop), and Win7 (but only in conjunction with Windows Server 2008 R2).

In order to enable remote control, you must select the option, Enable RDP remote administration control, from Location| Properties | RDP Connection Restrictions settings.

Administrators can set the key command used to end the remote session on the Remote Control window.The last selection that is entered into the Remote Control key combination is saved.

28


Once the remote control settings have been completed, you can access remote control from two different places in the management console.

• Current User Session window, Remote Control session button

• Select the Desktops group and then select the Computers tab in the information pane. The Remote Control Session option is available by selecting it from a specific computer context menu.

How to ...

View a Session by Remote Control


2. Navigate to the computer group to which the computer belongs, and highlight the computer group.

3. Select the Computers tab in the information pane, and then right-click on the computer.

29


4. Select Remote Control Session.

This option is grayed out for inactive sessions.

Remote control can only be accomplished when initiated from one RDP session to another. You may receive a warning message indicating that this functionality is not available to you.

5. Specify the command to be used to end the remote session on the Remote Session window, and then click OK.

The Remote Control key combination that is entered is saved.

Manual Database Configuration

When the vWorkspace Management Console is started, it looks to the Windows Registry for a pointer to a System Data Source Name (DSN) and uses the settings contained in the DSN to connect to the vWorkspace database.

30


The Configure vWorkspace Database window opens when the vWorkspace Management Console is started for the first time, or if the data in the DSN is invalid.

31


How to ...

• Create a New Database and DSN

• Connect to an Existing Database

Create a New Database and DSN

1. Start the vWorkspace Management Console on one of the Connection Brokers or an administrative computer.

2. Click Database Configuration on the Configure vWorkspace Database window.

3. Select the Create new vWorkspace database on the Action window, and then click Next.

32


4. Specify the following parameters on the Database Information window, and then click Next.

5. Enter an existing SQL admin login for the specified server, and a new vWorkspace SQL login. Click Finish.

Connect to an Existing Database

Once the vWorkspace database is created, all servers with vWorkspace components requiring database connectivity must have DSNs configured.

1. Start the vWorkspace Management Console from the additional Connection Broker or administrative computer.

2. Select File | Database Configuration from the menu bar of the vWorkspace Management Console.

3. Click Connect to an existing vWorkspace database on the Action window, and then click Next.

New database • Enter the Server name of the SQL server where the database is to be created.

If you are using MSDN or SQL Express, use the format:

server_name\instance_name

• Enter a Database name, or accept the default name, vWorkspace_Database.

New data source (DSN) • Enter a Name for the DSN or accept the default name, Provision Database.

• Enter a Description for the DSN or accept the default description, Provision Database.

33


4. Specify the following parameters on the Database Information window, and then click Next.

5. Enter the existing vWorkspace SQL login name and password on the Credentials window, and click Finish.

vWorkspace Object NodesThe next section describes the object nodes that are located on the left-pane of the vWorkspace Management Console window.

• Farm

• Locations

• Clients

• Resources

• Packaged Applications

• Virtual IP

• File and Registry Redirection

• Load Balancing

Existing database • Enter the Server Name of the SQL server where the database is to be created.

If you are using MSDN or SQL Express, use the format:


• Enter the name of the database.

New data source name (DSN)

• Enter a Name for the DSN.

• Enter a Description for the DSN.

34


Farm

The first node in the navigation pane represents the vWorkspace infrastructure. Properties of this node can be used to:

• Assign a name to the infrastructure.

• Enable or disable database caching.

• Specify various settings for the reporting database.

• Set other miscellaneous settings.

To access the Farm Properties window, right-click on the Farm node and select Farm Properties or select the Properties icon from the toolbar.

The following setting can be defined on the General window.

FIELD DESCRIPTION

Name This is the name that is assigned to the vWorkspace infrastructure. This name is stored as a record in the vWorkspace database and requires no configuration changes to member servers.

It can be changed at any time and is automatically passed on by the Connection Broker servers to the vWorkspace clients.

35


The following settings can be defined on the Database Cache window.

FIELD DESCRIPTION

Create local host cache on all servers

If selected, this check box enables the use of database caching. If enabled, all servers work from their local cache.

For mid to large size infrastructures, the use of database caching can reduce the number of open database connections.

Cache update Interval (minutes) The number of minutes that the local cache is updated.

36


The following settings can be defined on the Reporting Database window.

See the Reporting chapter for more information on the Reporting Database.

FIELD DESCRIPTION

Data Expiration (days) The age at which reporting data is automatically purged.

Purge Interval (hours) How often expired data is purged from the reporting database.

37


The following settings can be defined on the Other Settings window.

Locations

The Locations node represents a location that groups one or more data centers and the desktops within those data centers. Administrators define Connection Brokers, RD Session Host/Terminal Servers, desktops, and other servers for each defined location, which can only be defined after a new location has been established.

See vWorkspace Locations for more information.

FIELD DESCRIPTION

Reset all pop-up messages If selected, this check box resets all of the pop-up message tips, please do not show me this message again check boxes, so that they reappear if necessary.

Clear recent items list If selected, this check box to reset the list of recent items on the welcome screen.

38


Clients

The Clients node on the vWorkspace Management Console is used to define the list of clients that can be used in client assignments. The vWorkspace uses client assignments to assign managed applications, managed computers, and other resources to user sessions when connected to servers and managed computers in the infrastructure.

It is possible that a given user might belong to more than one client definition. By design, client assignments are cumulative, meaning they receive the assignment of all of the client definitions they are members of, except for when a conflict exists. In this case, the client with the highest priority wins the conflict.

Client priority can be modified by selecting the Client node, and using the Move Up or Move Down options from the toolbar, Actions menu, or by right-clicking on the Client node. Client types at the top of the list have higher priority than those lower in the list and the settings Yes, No, and Defer to End User have priority over Undefined. When applying certain resources to clients, this client order is taken into account for conflicting settings. So, when an end user logs on to AppPortal or the Web Access client and resolves to more than one client, the topmost connection property item with a Yes, No, or Defer to End User setting is the one that is applied.

For example, the Windows domain users and domain administrators global groups might be defined as clients, with domain administrators being higher in priority. Domain administrators have an application restriction that allows them to run registry editing tools. Domain users have an application restriction that denies them the ability to run registry editing tools. However, members of domain administrators are also members of domain users.

Since there is a conflict in assignments, and the domain administrators client definition has higher priority, any user who logs on as a member of domain administrators is able to run registry editing tools.

39


Client Types

The following table lists the client types, along with a description.

How to ...

• Define Clients by Users

• Define Clients by Groups

• Define Clients by Device Address

• Define Clients by Device Name

• Define Clients by Organizational Unit

Define Clients by Users

1. Expand the Clients node in the navigation pane of the vWorkspace Management Console.

2. Right-click on the Users node, and select New User(s).

3. To add users by selecting them from a domain, do the following:

a) Click the Users tab on the Add Client(s) window.

b) Select a Windows domain or computer from the Domain list.

c) Type the user name in the Enter the User(s) field, or select the user from the list in Select the User(s).

d) Click OK to complete the task.

4. To add users by selecting them from Active Directory, do the following:

a) Click the Active Directory tab on the Add Client(s) window.

b) Select the Windows domain from the Domain list.

c) Select Organizational Units, Users, or both in the Display section.

TYPE DESCRIPTION

Users Any trusted Windows domain or local user account.

Groups Any trusted Windows domain or local group account.

Device Addresses IP address assigned to the client hardware device.

Device Names NetBIOS name of the client device.

Organizational Units Active Directory Organizational Unit containing the user, group, or computer account.

40


d) Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard.

e) Click Refresh and the system displays a list of organizational units or users in the bottom pane.

f) Select one or more of the items, and then click OK.

Define Clients by Groups


2. Right-click on the Groups node, and select New Group(s).

3. To add groups by selecting them from a domain, do the following:

a) Click the Groups tab on the Add Client(s) window.

b) Select a Windows domain or computer from the Domain list.

c) Type the user name in the Enter the Group(s) field, or select the group from the list in Select the Group(s).

d) Click OK to complete the task.

4. To add groups by selecting them from Active Directory, do the following:

a) Click the Active Directory tab on the Add Client(s) window.

b) Select the Windows domain from the Domain list.

c) Select Organizational Units, Groups, or both in the Display section.

d) Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard.

e) Click Refresh and the system displays a list of organization units or groups in the bottom pane.

f) Select one or more of the items, and then click OK.

41


Define Clients by Device Address


2. Right-click on the Device Addresses node, and select New Device Address(es).

3. Click the Device IP Addresses tab and enter a Starting Address and Ending Address to define the client IP address or a range of addresses.

4. Click OK.

Define Clients by Device Name


2. Right-click on the Device Names node, and select New Device Name(s).

3. Enter the device names on the Device Names tab, separated by a semicolon (;). To enclose a range, use square brackets ([]). For example W2K3-[0-10].

4. Complete the information on the Active Directory tab, as follows.

a) Select the Windows domain from the Domain list.

b) Select Organizational Units, Computers/Client Names, or both in the Display section.

c) Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard.

d) Click Refresh and the system displays a list of organization units or groups in the bottom pane.

e) Select one or more of the items.

5. Click OK.

42


Define Clients by Organizational Unit


2. Right-click on the Organizational Units node, and select New Organizational Unit(s).

3. Select the Domain from the list.

4. Select Organization Units in the Display section.

5. Enter a specific or partial name in the Filter field. You can also enter an asterisk (*) as a wildcard.

6. Click Refresh and the system displays a list of organizational units in the bottom pane.

7. Select one or more of the organization units, and then click OK.

Resources

The Resources node allows administrators control over aspects of a user session when connected to managed applications and desktops within the vWorkspace infrastructure.

See User Access Options in the Resources Node for the Resources node customization setup information.

43


The following table provides a list of the available Resources options and a description of each.

RESOURCE NAME DESCRIPTION

Additional Customizations The ability to customize items relating to the Windows Desktop, Start Menu, drive mappings, and network mappings.

Application Restrictions The ability to explicitly or implicitly restrict what applications are allowed or denied for assigned clients.

Connection Policies The ability to preconfigure the local device resources that are available, and under what conditions they are available.

See Connection Policies for more information.

Color Schemes The ability to assign standard Window color schemes.

Drive Mappings The ability to assign network drive mappings to clients without logon scripts or Active Directory Group Policy.

Environment Variables The ability to assign user environment variables that are automatically created and removed.

Host Restrictions The ability to act as a per-session firewall allowing Web and network access restrictions to be enforced.

Managed Applications The ability to assign to clients applications, desktops, and content hosted from either Terminal Servers or Desktop Services.

Printers The ability to assign shared printers on LAN or WAN based Windows print servers by using either the Quest vWorkspace Universal or Windows native print drivers.

Registry Tasks The ability to assign per-session modifications to user’s HKCU registry hive.

Scripts The ability to assign scripts on a per-session basis to vWorkspace clients without having to modify Terminal Server’s complex logon script sequence or the Active Directory Group Policy.

44


How to ...

View the Resources Assigned to a Client


2. Click on the node of the desired client type, such as Users or Groups.

3. Do one of the following:

a) Select the client that is to be viewed from the list in the information pane. The system displays the assigned items for the selected client in the additional pane, if Toggle Configuration Display is activated.

– OR –

a) Right-click on the client to view from the list of clients in the left pane of the Details window and select Properties.

b) Click on the Assigned Resources tab to view the resources.

Time Zones The ability to assign time zones on a per-session basis.

User Policies The ability to assign user level policies on a per-session basis.

User Profiles The ability to create a managed user profile.

See Virtual User Profiles for more information.

Wallpapers The ability to assign Windows wallpaper to vWorkspace clients.

RESOURCE NAME DESCRIPTION

45


Packaged Applications

The Packaged Application node allows users to identify Microsoft Application Virtualization (App-V) servers and their hosted application packages, and MSI Packages in the vWorkspace Management Console.

App-V Node

Microsoft Application Virtualization (App-V) provides the capability for applications to be available to computers without having to install the applications directly on those computers. Tasks such as managing multiple versions of applications and updating application packages are simplified by not having to install the applications on to the computers.

The App-V node on the vWorkspace management console allows administrators to import, update, and publish their App-V applications.

46


How to ...

Establish a New Server Connection


2. Expand the Packaged Applications node, and highlight App-V.

3. Select the App-V Servers tab in the information pane, and then click on the New App-V Server icon on the toolbar.

4. Click Next on the Welcome window.

5. Enter the appropriate information for the new App-V server on the Server Name & URL window, and then click Next.

47


6. Enter the appropriate credentials for the new App-V server on the Credentials window, and then click Next.

7. Specify any permissions that are to be used with this App-V server, and then click Finish.

Edit the Properties of an App-V Server


2. Expand the Packaged Applications node, and then expand the App-V node.

3. Do one of the following to access the App-V server Properties:

a) Right-click on the specified server, and then select App-V Server Properties.

b) Highlight the App-V node, and then highlight the specified server in the information pane, and click Server Properties.

Server Name Enter the server name.

Server URL Click in this field, and it is populated with the path to the App-V Management virtual directory.

If the Server Name field is DNS unresolvable, the path needs to be corrected to have the DNS name or IP address of the server.

Note: Multiple connections can be made to the same server by entering different friendly names in the Server Name field.

Account Enter the user name for the App-V Administrator.

Use the ellipsis to browse to the user in the directory.

Password Enter the password for the App-V Administrator.

Use the check mark to check the password.

48


c) Highlight the specified server in the navigation pane (under the App-V node) and then click Server Properties in the information pane.

4. Edit the properties on the App-V Server Properties window as appropriate, and click OK.

Import App-V Applications


2. Expand the Packaged Applications node, and then highlight the App-V node.

3. Select the server in the right pane, and then click Import/Update Applications.

– OR –

Right-click on the server in the navigation pane and select Import/Update Applications.

4. Select Next on the Welcome window of the App-V Import wizard.

The Welcome window is presented only if this is the first time that you have imported applications to the specified server.

5. Click Refresh to refresh the list.

6. Do one of the following on the Select Applications window:

a) To import all the applications, click Select All.

b) To import specific applications, select them on the list by pressing CTRL and using a left-click.

c) Click Next or Apply.

If importing for the first time, Next is the option to move to the next window. If you are updating applications, Apply is used to save your changes on the current window, and OK is used to close the wizard.

7. On the Create Access Groups window, do the following:

a) Select the access groups that are to be imported, and click Yes.

b) Select the access groups that are not to be imported, and click No.

c) Click Select All to import all the groups.

d) Click Next or OK.

8. On the Launch Location window, do one of the following:

a) To choose all the applications from the list, click Select All, and then select either Client or Server.

49


b) Select individual applications and the select the Launch Location of Client or Server.

c) Click Next or OK.

9. To publish the application on a Terminal Server, do the following on the Publish On window:

a) To publish all on the same RD Session Host/Terminal Servers, click Select All, or to select the specific applications by using CTRL + left-click.

b) Click Terminal Server.

c) Select the RD Session Host/Terminal Server from the Publish On window, and then click OK.

10. To publish the application on a desktop group, do the following on the Publish On window:

a) To publish all on the same desktop group, click Select All, or to select the specific applications by using CTRL + left-click.

b) Click Desktop Group.

c) Select the desktop group from the Publish On window, and then click OK.

11. Click Next or OK on the Publish On window.

12. On the Launch Location window, select one or more of the applications and then specify if the content is to be launched on the client or the server.

13. On the vWorkspace Folders window, select one or more application, and then click Folder(s) to define the folders in which the application or applications selected should be assigned. Click Manage Folders to add or change the folders listed.

Applications with a launch location of client may only be assigned to vWorkspace client folders.

14. On the Load Balance window, click Select All or the specific applications by using CTRL + left-click to specify the applications for load balancing, and then click the Load Balance Wizard to choose the load balancing rule evaluator for the selected applications.

If you do not want to use load balancing, click Next.

15. On the Desktop Integrations Settings window, specify the location of the shortcuts on the vWorkspace client host when using AppPortal in desktop integrated mode by doing the following:

a) Select specific applications, or use the Select All button.

a) Click Desktop Integration.

50


b) Select one or more of the options, Desktop, Start Menu, Start Menu\Programs, and click OK.

c) Click Next or OK on the Desktop Integration Settings window.

16. Review the selections on the Summary window and click Back to make changes or click Finish.

View/Edit Imported App-V Application Properties


2. Expand Resources, and click on Managed Applications.

3. View the App-V applications in the right pane. The applications are listed by server name, and their Type is Content on Server or Content on Client.

4. View or edit the properties by right-clicking on the application or select the application and select the Properties icon.

Properties can be edited, except for the executable Path and the Type, which are grayed out and unaccessible.

MSI Packages

The MSI Packages node is used to define MSI packages that can be deployed, as well as used in the Task Automation feature.

The MSI Packages option is also available from the context menu of a computer group in the vWorkspace Management Console. Once the MSI Packages option is selected, the established MSI packages display in the information pane and the MSI Package wizard is available by selecting New from the information pane toolbar.

51


How to ...

Add a New MSI Package


2. Expand Packaged Applications, and then select MSI Packages.

3. Click New in the information pane to open the MSI Package Wizard.


5. Enter a Name for the MSI package on the MSI Package Name window, and then click Next.

This is the name that is displayed in the vWorkspace Management Console.

6. Enter the MSI source file or click the ellipsis to browse on the Source File window, and then click Next.

7. Do one of the following on the Run Location window, and then click Next.

a) Select Execute the MSI file directly from the source location.

– OR –

a) Select the Copy the MSI file to each computer before executing.

b) Enter the full path and file name of the destination file in the Destination file field.

52


8. Enter the credentials necessary to access the source MSI file on the Credentials window, and then click Next.

9. On the Parameters window, complete the following information, and then click Next.

Enter the parameters necessary for a new installation:

Enter the necessary parameters.

Enter the upgrade code for this MSI package.

Enter the upgrade code.

Use Retrieve to get the upgrade code from the MSI file.

Enter the parameters necessary to perform an update:

Enter the parameter necessary to perform an update.

Enter the parameters necessary to uninstall:

Enter the parameter necessary to complete an uninstall.

Help Select this button for assistance with the installer parameters.

53


10. On the Timeout Period window, do one of the following, and then click Next.

a) Select the option, Select the timeout value, and then specify the Timeout after value by using the list.

– OR –

b) Select the option, Execute the MSI operation and continue.

11. Specify MSI Package permissions, if appropriate, on the Permissions window, and then click Finish.

Performance Optimization

The Performance Optimization node on the vWorkspace Management Console is used with Terminal Servers to improve application response time and increase overall server capacity by streamlining and optimizing the use of virtual memory and CPU resources in a multi-user environment.

See the Load Balancing and Performance Optimization chapter for more information.

54


Virtual IP

The Virtual IP node on the vWorkspace Management Console enables each user instance of a legacy application to be bound to a distinct IP address. This allows many legacy applications to run concurrently and reliably on Terminal Servers.

See the Virtual IP chapter for more information.

File and Registry Redirection

The File & Registry Redirection node is used to define a registry and file system redirection engine, which is designed to eliminate conflicts in a Terminal Services environment.

See the chapter, Application Compatibility Enhancements, for more information.

Load Balancing

The Load Balancing node is used to create and manage load balancing rules used in the load balancing process.

See the chapter, Load Balancing and Performance Optimization, for more information.

55


56

3

vWorkspace Quick Start Wizard

• Overview


OverviewThe vWorkspace Quick Start Wizard enables administrators to set up a vWorkspace environment through a guided process. You just need to choose the type of environment you want to set up, and the wizard navigates you through the process from setting up Connection Brokers to configuring end user environments.

The types of environments that can be configured using the Quick Start Wizard are:

• Virtual Desktops

• Remote Desktop Session Host

• Blade PCs (or other physical computers)

58

vWorkspace Quick Start Wizard

The Quick Start Wizard can be opened by doing any of the following:

• Open the vWorkspace Management Console. There is an option to select to not automatically show the wizard every time you open the vWorkspace Management Console.

• Click on the home icon in the toolbar of the vWorkspace Management Console.

• Select the link from the Getting Started section on the Welcome page of the vWorkspace Management Console.

As you progress through the Quick Start Wizard, the steps are validated to ensure your system is configured correctly. Information entered into the Quick Start Guide is saved and can be used in future setups, such as already configured Connection Brokers. However, you always have the option to add a new one.

Not all of the steps of the Quick Start Wizard are mandatory for completion, such as configuring Connection Policies or Universal Printing options.

59


60

4

vWorkspace Locations

• About Locations

• Locations Node Options

• New Location

• Delete a Location

• Location Properties

• Global Virtualization Servers

• Connection Brokers

• Terminal Servers

• Desktops

• Other Servers


About LocationsLocations give organizational structure to your vWorkspace farm; a way to specify a location that groups one or more data centers and the computers within those data centers.

Locations are heterogeneous containers of objects that include:

• Virtual data centers.

• Individual virtualization hosts not managed by a central management server.

Locations contain Connection Brokers, Terminal Servers, Desktops, and Other Servers that are associated with it. For example, you can name a location based on an office site, and then associate the Connection Brokers, Terminal Servers, and Desktops to that location.

Locations Node OptionsThe following menu options are available from the Locations node by either right-clicking on Locations, or from the icons in the toolbar when Locations is selected.

• New Location — Select to open the New Location wizard used to add new locations.

• Properties — Select to display the properties of the Connection Brokers, Terminal Servers, Desktops, and Other Servers.

62


• Management Servers — Select to open the Management Server window and the Virtualization Server Wizard, which is used to add virtualization servers.

• Refresh — Select to refresh the Locations node view.

New LocationUse the following steps to add and delete locations to the vWorkspace Management Console.

How to ...

• Add a Location

• Delete a Location

Add a Location

These processes can also be completed by using the Quick Start Wizard, which can be accessed from the Welcome page of the vWorkspace management console.


2. Do one of the following to start the New Location wizard:

Right-click on the Locations node, and select New Location.

– OR –

Click the New Location icon from the toolbar.

3. Click Next on the Welcome window of the New Location wizard.

63


4. Enter the name for the location on the Location Name window, and then click Next. This is the name that is displayed in the vWorkspace Management Console.

5. On the Add Servers window, you can add Connection Brokers and Terminal Servers to this location.

To add a vWorkspace Connection Broker, go to step 6.

To add a RD Session Host/Terminal Server, go to step 7.

6. To add a Connection Broker:

64


a) Click on Add Connection Broker.

b) Click Next on the Welcome window of the Server wizard.

c) Enter the name or IP address of the server on the Server Name window, and then click Next. Use the ellipsis to browse for the server.

65


d) Specify the role or roles for the server on the Server Role window, and then click Next.

This new server may perform more than one role; a vWorkspace Connection Broker and Microsoft Remote Desktop Connection Broker (RD Broker).

e) Specify or view the certificate that is to be used on this server on the Certificate window, and then click Next.

f) Select if trace logging is to be enabled on this server on the Logging window, and then click Next.

Typically, logging is only used as assisted by the Quest Support Services Department.

g) If you selected the Microsoft Remote Desktop Connection Broker (RD Broker) option on the Server Role window, complete the next two steps. If not, then continue to step j to specify Permissions for this server.

h) Specify an administrative account and password for the RD Broker on the Administrative Account, and then click Next.

i) Select if publishing and resource plug-in logging is to be enabled on this server on the Logging window, and then click Next.


66


j) Specify any permissions for this server on the Permissions window, and then click Finish.

In order to assign permissions, you must first add users or groups using the New Administrator wizard located at File| Administration.

k) Click Next on the Add Servers window to advance to the next window, or click Add Terminal Servers, if appropriate.

7. To add a RD Session Host/Terminal Server:

a) Click Add Terminal Server.

b) Click Next on the Welcome window of the Server wizard.

c) Enter the name or IP address of the server on the Server name window, and then click Next. Use the ellipsis to browse for the server.

d) Select Terminal Server on the Server Role window, and then click Next.

e) Specify the folder for this RD Session Host/Terminal Server on the Folder window, if appropriate. Click New Folder to create a new folder. Click Next when completed.

Folders are for organization and display; it does not change the operation of the servers.

f) Specify the load balancing rule on the Load Balancing Rule Wizard window, and then click Next.

This is an optional step.

67


g) Select the setting for Session Auto-Logoff on the Session Auto-Logoff window, as appropriate, and then click Next.

68


h) Define the following information on the Connectivity window, and then click Next.

i) Specify the performance optimizations options, on the Optimization window, that are to be enabled on this server, and then click Next:

Virtual Memory OptimizationsCPU Utilization Management

j) Specify if the bandwidth optimization is to be Enabled or Disabled on this server on the Experience optimization window, and then click Next.

Connections Select Accept least busy connection requests check box if you want the server to participate in load balancing.

Alternative IP Address Enter an alternative IP address.

RDP Connection Restrictions Select Inherit global settings or Only allow RDP connections to vWorkspace managed applications.

69


k) Specify if bidirectional audio is to be Enabled or Disabled on this server on the Enhanced Audio window, and then click Next.

l) Specify the Virtual IP settings for this server, as appropriate, and then click Next.

m) Review the information on the Licensing window, and then click Next.

n) Specify any permissions for this server on the Permissions window, and then click Finish.


8. Datacenters, hosts, nodes, host groups, or clusters are associated to this location by using the Add Entities option on the Virtualization Entities window.

If you choose to not assign them at this time, click Next and go to the next step. Virtualization Entities can be added later by right-clicking on the specific location, and then selecting the Properties option and completing the information in the Virtualization Entities section.

Use the following links for more information about adding virtualization entities.

• VMware Datacenters

70


• Virtuozzo Slave Nodes

• Independent Microsoft Hyper-V Host

• Independent Virtuozzo Node

• SCVMM Host Groups or Clusters

9. On the Administrative Account window, select Specify default administrative account and enter an account and password if you want to specify a default administrative account for new computer groups that are created in this location.


10. Use the Permissions window to assign permissions to users or groups.

Users and groups must be added using the New Administrator wizard. See Administration for more information.

11. Click Finish to save the changes made in the New Location wizard.

VMware Datacenters

1. On the Virtualization Entities window of the New Location wizard, click Add Entities and select VMware Datacenters.

2. Click Next on the Welcome window of the Datacenter wizard.

3. Click Edit Virtualization Servers. The Virtualization Server wizard opens.

4. Click Next on the Welcome window of the Virtualization Server wizard.

71


5. Enter the appropriate information on the Name and System Type window, and then click Next.

Name Enter the friendly name that is used when referring to the virtualization server.

System Type Select the VMware VirtualCenter Server option.

72


6. Enter the appropriate information on the Server & Credentials window, and then click Next.

Server URL Enter the URL path to the virtualization server.

• https://servername or IP Address/sdk

User Name Enter the name of a user account that has the required access permissions to the target server specified in the Server URL field.

For a Windows domain account, use:

DomainName\UserName

Click the ellipsis to the right of this field to open the Select User window.

73


7. Enter the appropriate information on the Other Settings window, and then click Finish.

Password Enter the case sensitive password.

The check mark to the right of the field is used to verify the entered credentials, if the computer is part of the domain.

Test connection to server

Click to test the server connection.

Shutdown Guest OS Use the list to specify the number of guest operation system shutdown commands that can be sent to the virtualization server from the Connection Broker at one time.

Restart Guest OS Use the list to specify the number of guest operation system restart commands that can be sent to the virtualization server from the Connection Broker at one time.

Update PNTools Use the list to specify the number of Update PNTools commands that can be sent to the virtualization server from the Connection Broker at one time.

Initialize Use the list to specify the number of Initialize Computer commands that can be sent to the virtualization server from the Connection Broker at one time.

Connection Timeout Use the list to specify the amount of time that the Connection Broker waits for a response from the virtualization server.

Default option is 30 Seconds.

For medium to large production environments where the virtualization server is busy, you may need to set the Connection Timeout to two or three minutes.

Note: A Connection Timeout error does not necessarily mean that the task requested by the Connection Broker has failed. It may be that the virtualization server is too busy to report the successful completion of the operation in a timely manner.

74


8. You are returned to the New Locations wizard. See step 10 to complete the process.

Virtuozzo Slave Nodes

1. Select Virtuozzo Slave Nodes from the Add Entities option on the Virtualization Entities window of the New Location wizard.

2. Click Next on the Welcome window of the Import Virtuozzo Nodes wizard.

3. Click Edit Virtualization Servers on the Master Node window. The Virtuozzo Master Node wizard is presented.

4. Click Next on the Virtuozzo Master Node Wizard Welcome window.


Power On Use the list to specify the number of virtual computer power on commands that can be sent to the virtualization server from the Connection Broker at one time.

Power Off Use the list to specify the number of virtual computer power off commands that can be sent to the virtualization server from the Connection Broker at one time.

Suspend Use the list to specify the number of guest operation system suspend commands that can be sent to the virtualization server from the Connection Broker at one time.

Resume Use the list to specify the number of guest operation system resume commands that can be sent to the virtualization server from the Connection Broker at one time.

Reset Use the list to specify the number of guest operation system reset commands that can be sent to the virtualization server from the Connection Broker at one time.

Delete Use the list to specify the number of delete virtual computer operations that can be sent to the virtualization server from the Connection Broker at one time.

Clone Use the list to specify the number of clone virtual computer operations that can be sent to the virtualization server from the Connection Broker at one time.

75




System Type Select the Parallels Virtuozzo option.

76




• https://servername:port



DomainName\UserName






77













78


9. Select slave nodes to be imported, and then click Finish.


Independent Microsoft Hyper-V Host

1. On the Virtualization Entities window of the New Location wizard, click Add Entities and select Independent Microsoft Hyper-V Host.

2. Click Next on the Welcome window of the Hyper-V Host wizard.




79




System Type Select the Microsoft Hyper-V option.


• net.tcp://servername or IP Address:port

Note: The default port for Microsoft Hyper-V is 9000.

80





DomainName\UserName










81













82


Independent Virtuozzo Node

1. On the Virtualization Entities window of the New Location wizard click Add Entities and select Independent Virtuozzo Nodes.

2. Click Next on the Welcome window of the Independent Virtuozzo Node wizard.



System Type Select the Parallels Virtuozzo option.

83







DomainName\UserName






84













85



SCVMM Host Groups or Clusters

1. On the Virtualization Entities window of the New Location wizard, click Add Entities and select SCVMM Host Groups or Clusters.

2. Click Next on the Welcome window of the Import Host Groups & Clusters wizard.

3. Click Edit Virtualization Servers. The Virtualization Server window is presented.





86



SCVMM Name or IP address

Enter the server name of IP address to connect to the server.



DomainName\UserName

Click the ellipsis to the right of this field top open the Select User window.

87











88


8. Highlight the SCVMM Server from the list on the SCVMM Server window, and then click Next.











89


9. On the Host Groups & Clusters window, click on the plus sign in front of the SCVMM Server to import host groups and clusters that are to be imported.


Delete a LocationLocations can only be deleted after Connection Brokers, Terminal Servers, Desktops, and Other Servers associated with the location are deleted as well.

Delete a Location


2. In the navigation pane, right-click on the location that is to be deleted.

3. Select Delete Location.

4. Click Yes on the confirmation message.

Location PropertiesLocation properties are defined for Connection Brokers, Terminal Servers, Desktops, and Other Servers. Location properties are the same for all the locations within a farm.

To access Location properties, highlight the Locations node and then do one of the following:

• Select the Properties option from the context menu.

• Click on the Properties icon in the toolbar.

• Select Actions | Properties.

90


91


The following properties are available:

LOCATION PROPERTY DESCRIPTION

Connection Brokers

Communication Settings Specify the TCP/IP port number that is to be used when listening for inbound connection requests.

Any port number can be used if it is available on all servers with the Connection Broker.

Default values are:

• HTTP: 8080

• HTTPS: 443

The HTTP and HTTPS protocols can be used simultaneously. The use of the HTTPS requires an X.509 digital certificate containing the server’s FQDN to be installed into the Windows computer store of each Connection Broker.

Bypass proxy settings when communicating with the connection brokers — If selected, proxy settings are not used when communicating with Connection Brokers.

This setting is selected by default.

The Ticket Expiration setting is used to specify the expiration time for tickets that are sent to the Connection Broker when applications are launched.

The default for the Ticket Expiration setting is 1 minute.

License Pool Enter a number of minutes to define update interval, which is the number of minutes the Connection Broker servers update license usage information.

Terminal Servers

Session Auto-Logoff Enter a module name for a process. If the process with the module name persists after the session has been closed, then the session is automatically logged off.

To add a process, click Add.

To delete a process from the use, highlight the process and click the red X.

92


RDP Connection Restrictions Only allow RDP connections to vWorkspace managed applications — Select this option to restrict users to only use RDP connections when connecting to managed applications.

Enable RDP remote administration control — Select this option to enable remote administration control.

Note: Remote control is only supported with Microsoft Windows XP and Microsoft Windows Server 2003 (in any combination of Access Device or Virtual Desktop).

Desktops and Other Servers

Broker Timing Settings Heartbeat Interval — Specifies how often the Data Collector Service on managed computers sends status information to the Connection Broker.

Offline Count — Specifies the number of missed heartbeats before a managed computer is considered offline.

Offline Retry — Specifies how often the Connection Broker attempts to contact an offline managed computer.

Inactivity Timeout — Specifies how long a managed computer is logged off before it is considered inactive and automatically placed into a suspend state.

Sysprep Period — Specifies how long the system waits during the Sysprep operation before attempting to initialize the computer.

Task & Log Settings Task History — Age at which completed task records are automatically deleted.

Task Display Expiration — Age at which the current or most recently executed task on a managed computer is no longer displayed in the desktop list.

Log History — Age at which log records are automatically deleted.

Display — Time format for tasks and log entries.


93


Global Virtualization ServersA Global Virtualization Server is a Windows or Linux based computer system used to centrally manage one or more physical servers enabled with computer virtualization technology, and the virtual computers being hosted and executed on them.

Virtualization servers can be added, deleted, or modified from this node, or during the process of adding a new location. Settings to limit the number of concurrent operations can also be completed for virtualization servers.

See the Management Servers chapter for more information.

Connection Brokers Connection Brokers need to be identified and their roles need to be specified in the vWorkspace database before they can be managed and participate in the vWorkspace infrastructure.

Other Settings Do not save ’Delete’ credentials — Select to prevent vWorkspace from saving the credentials used when deleting computers from Active Directory.

Permissions

Permissions Enter users or groups and then set permissions to Allow or Deny for the following:

• Add Locations

• Add Virtualization Servers

• Delete Locations

• Delete Virtualization Servers

• Modify Locations

• Modify Virtualization Servers


94


Connection Brokers can be added during the New Location wizard process, or by selecting New Connection Broker from the context menu of the Connection Brokers node.

How to ...

• Add Connection Broker Servers

• Set Connection Broker Properties

• Remove Connection Broker Servers

Add Connection Broker Servers

1. Open the vWorkspace Management Console, and expand the Locations node, and then the location that the Connection Broker is to be added.

2. Right-click on Connection Brokers, and then select New Connection Broker.

3. Click Next on the Welcome window of the Server Properties wizard.

Servers need to have the appropriate vWorkspace components installed on them, and configured to connect to the vWorkspace database before they are added.

95


4. Enter the server name (NetBIOS) on the Server name window, and then click Next. Use the ellipsis to browse for the server.

The text box is limited to 15 characters, the maximum allowed in NetBIOS naming conventions.

96


5. Specify the role or roles for the server on the Server Role window, and then click Next.

A server can perform more than one role; for example, a vWorkspace Connection Broker and Microsoft Remote Desktop Connection Broker (RD Broker).

6. If you selected vWorkspace Connection Broker role on the Server Roles window, then on the Certificate window, specify or view the certificate that is to be used on this server, and then click Next.

7. Select if trace logging is to be enabled on this server on the Logging window, and then click Next.


8. If you selected Microsoft Remote Desktop Connection Broker (RD Broker), complete the next two steps. If not, then continue to step 11 to specify Permissions for this server.

9. Specify an administrative account and password for the RD Broker on the Administrative Account window, and then click Next.

10. Select if publishing and resource plug-in logging is to be enabled on this server on the Logging window, and then click Next.


97


11. Specify any permissions for this server on the Permission window, and then click Finish.


Set Connection Broker Properties

Once Connection Brokers have been added to a location, set permissions, as appropriate.

1. Right-click on the Connection Brokers node under the location in which you want to add the permission and select Properties.

2. Select the Permissions tab on the Connection Broker Properties window.

3. Highlight the user or group, and then set the permissions to Allow or Deny, by selecting the check box, as appropriate.

4. Click Apply to save your changes, and then OK to close the window.

Remove Connection Broker Servers

Use the following steps to remove a Connection Broker from inclusion in the vWorkspace infrastructure. Removing a Connection Broker deletes its associated records within the vWorkspace database, but it does not uninstall any of the vWorkspace components or any other software on the server, nor does it change its database configuration (DSN).

1. Expand the Connection Brokers node in the navigation pane of the vWorkspace Management Console, and select the Connection Broker sever that is to be removed.

2. Click the Delete Server icon from the navigation pane toolbar, or right-click on the Connection Broker, and select Delete Server from the context menu.

3. Click Yes to complete the removal.

Terminal Servers Terminal Servers need to be identified and their roles specified in the database before they can be managed and participate in the vWorkspace infrastructure.

Servers need to have the appropriate vWorkspace components installed on them, and configured to connect to the vWorkspace database before they are added.

98


How to ...

• Add Terminal Servers

• Set Terminal Server Properties

• Remove Terminal Servers

Add Terminal Servers

1. Open the vWorkspace Management Console, and then expand to the location where the RD Session Host/Terminal Server is to be added.

2. Right-click on Terminal Servers, and then select New Terminal Server.

3. If the New Server window opens, select New Server on the Add Terminal Server window, and click OK.

4. Click Next on the Welcome window of the Server wizard.

5. Enter the server name (NetBIOS) on the Server Name window, and then click Next. Use the ellipsis to browse for the server.


99


6. Specify Terminal Server on the Server Role window, and then click Next.

7. Specify the folder for this RD Session Host/Terminal Server on the Folder window. Click New Folder to create a new folder. Click Next when completed.

Folders are for organization and display; it does not change the operation of the servers.

8. Specify the load balance rule on the New Load Balance Rule window, and then click Next.


100


9. Select the setting for Session Auto-Logoff, as appropriate, and then click Next.

101


10. Complete the following information on the Connectivity window, and then click Next.

11. Specify the performance optimizations options that are to be enabled on this server on the Performance Optimization window, and then click Next. The two options are:

• Virtual Memory Optimizations

• CPU Utilization Management

12. Specify the experience optimization settings for this server on the Experience Optimization window, and then click Next.

For more information about EOP Xtream, see the EOP Xtream section.

Connections Select the Accept least busy connection requests check box if you want the server to participate in load balancing.

Alternative IP Address Enter an alternative IP address.

RDP Connection Restrictions These options are grayed out, and not available for selection at this time.

102


13. Specify as to if bidirectional audio is to be Enabled or Disabled on this server on the Enhanced Audio window, and then click Next.

14. Specify the Virtual IP settings for this server, as appropriate, and then click Next.

15. Specify licenses on the Licensing window, and then click Next.

16. Specify any permissions for this server, and then click Finish.


Set Terminal Server Properties

Once Terminal Servers have been added, you can set properties to apply to all servers in the vWorkspace farm that have the Terminal Server role.

1. Right-click on the Terminal Servers node under the location in which you want to add the permission, and then select Properties.

2. Highlight the user or group on the Terminal Server Properties window, and then change the permissions to Allow or Deny, by selecting the check box, as appropriate.

For more information on permissions, see Permissions.


103


Remove Terminal Servers

Use the following steps to remove a Terminal Server from inclusion in the vWorkspace infrastructure. Removing a Terminal Server deletes its associated records within the vWorkspace database, but it does not uninstall any of the vWorkspace components or any other software on the server nor does it change the database configuration (DSN).

1. Expand the Terminal Servers node in the navigation pane of the vWorkspace Management Console, and select the Terminal Server that is to be removed.

2. Click the Delete Server icon from the navigation pane toolbar, or right-click on the server and select Delete Server from the context menu.

3. Click Yes on the confirmation window to complete the removal.

Desktops The Desktops node on the vWorkspace Management Console is used to define computer groups and managed computers. The computers within a group can be either physical or virtual, and typically have the same version operating system and service pack level, a common set of installed applications, and are used by individuals with similar job tasks and responsibilities.

See vWorkspace Desktops for more information.

How to ...

Set Desktops Properties

Once Desktops have been added to a location, you can set the properties.

1. Right-click on the Desktops node under the location in which you want to add the permission.

2. Select Properties.

3. Highlight the user or group on the Desktops Properties window, and then change the permissions to Allow or Deny, by selecting the check box, as appropriate.



104


Other Servers The Other Servers node is used to add servers that are managed through the vWorkspace management console, but are not going to be logged on to by users. Typical management tasks performed on these computers would include managing power states, managing MSI packages, copying files, or executing scripts. The types of servers might include file and print servers, web servers, database servers, and mail servers.

The Quest Data Collector Service is automatically installed on any computer added to a computer group under Other Servers, just like desktops. However, since the intent is to not have users logon to these computers, there is no menu option to install Virtual Desktop Extensions (PNTools).

How to ...

• Add Other Servers

• Set Other Servers Properties

Add Other Servers

1. Open the vWorkspace Management Console, and then expand to the location where the Other Server is to be added.

2. Right-click on the Other Servers node, and select New Computer Group, or click on the New Computer Group icon on the navigation pane toolbar.

3. Click Next on the Welcome window of the New Computer Group wizard.

4. Enter the name for the server on the Computer Group window, and then click Next. This is the name that is displayed in the console.

5. Select Other/Physical on the System Type window, and then click Next.

6. Enter administrative account information on the Computer Administrative Account window, and then click Next.

7. Specify as to if bidirectional audio is to be Enabled or Disabled on this server, and then click Next.

8. Complete task automation information, as appropriate to schedule tasks to be completed at specified times, and then click Next.

See Task Automation for more information.

9. Specify user and group permissions on the Permissions window, as appropriate, and then click Next.

10. On the Finish window, select to either add computers to this group now or to add them later, and then click Finish.

105


Set Other Servers Properties

Once Other Servers have been added to a location, you can set the properties.

1. Right-click on the Other Servers node under the location in which you want to add the permission, and then select Properties.

2. Highlight the user or group, and then change the permissions to Allow or Deny, by selecting the check box, as appropriate.



106

5

vWorkspace Desktops

• About Desktops

• Computer Groups

• Managed Computers

• Sysprep Customizations

• Initialize Computer

• Virtual Desktop Extensions (PNTools)


About DesktopsThe following is an overview of the concepts and terminologies associated with the Desktops node of vWorkspace.

• Computer Groups — Containers for managing a group of desktop computers as a single entity. One or more computer groups may be created for each system type.

See Computer Groups for more information.

• Managed Computers — Objects in the vWorkspace database that represent the desktop computers that are to be managed by vWorkspace. These desktops are installed on physical devices, such as PC blades, or virtual computers.

See Managed Computers for more information.

• Initialize Computer — Managed computers need to be able to communicate properly with the vWorkspace enabled Connection Brokers, when added to a computer group. The Initialize Computer task is the process that enables this communication, and is the responsibility of the Connection Broker.

See Initialize Computer for more information.

• Virtual Desktop Extensions (PNTools) — Set of executables, dynamic link libraries, and device drivers that provide features and management functionality for managed computers in a vWorkspace infrastructure. Virtual Desktop Extensions can be installed on all computers, virtual or physical, which are being managed using the Desktops node.

See Virtual Desktop Extensions (PNTools) for more information.

• Publish Managed Desktops and Applications — Managed desktops must be published before users can connect to their assigned applications or managed computer. Once published, icons representing the managed desktop appear in the application set of the AppPortal or Web Access client, allowing the user to click on an icon to initiate the program.

See Publish a Managed Desktop and Publish Managed Applications for more information.

108

vWorkspace Desktops

• Power Management — Managed computers are considered to be power managed computers if the power state can be changed automatically by the Connection Broker, or manually by an administrator using the vWorkspace Management Console. See the Power Management sections in the various integration chapters for more information on power managing with VMware, Microsoft Hyper-V, Microsoft SCVMM, Parallels Virtuozzo, and Non-Power Managed Data Centers.

Computer GroupsOnce locations are established, administrators can add computer groups to them. There are no limitations as to how many computer groups can exist in each location.

The Computer Group wizard is used to add computer groups to an existing location. Some options on the Computer Group wizard may be unavailable, based upon the System Type you use when creating the group. After the System Type is selected, only the parameters relevant to that type are presented.

The System Types are:

• Microsoft Hyper-V

• Microsoft SCVMM

• VMware VirtualCenter Server

• Parallels Virtuozzo

• Other/Physical

Administrators can activate the Computer Group wizard from the vWorkspace, Desktops node any of the following ways:

• Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group.

– OR –

• Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from one of the following:

• Actions menu on the toolbar in the navigation pane.

109


• New Computer Group icon in the toolbar of the navigation pane.

• Actions menu on the Desktops information pane.

• Open the Quick Start Wizard from the vWorkspace Management Console welcome page. See the vWorkspace Quick Start Wizard chapter for more information.

For specific information on completing the Computer Group wizard based on System Type, refer to one of the following sections: VMware Integration; Microsoft Hyper-V Integration;Microsoft SCVMM Integration; Parallels Virtuozzo Integration; or Non-Power Managed Data Centers.

Computer Group Properties

The properties associated with computer groups are described below:

PROPERTY DESCRIPTION APPLIES TO:

Group Name Name of the managed desktop group.



• Microsoft SCVMM


• Other/Physical

System Type System type for the computers in this group.



• Microsoft SCVMM


• Other/Physical

Datacenter Datacenter in which the computers in this group belong.


110

vWorkspace Desktops

Administrative Account

Name of the user account that is used when performing administrative tasks on the desktop computers within this group.



• Microsoft SCVMM


• Other/Physical

Enable/Disable Connection requests to computers in this group may be temporarily suspended, if disabled.



• Microsoft SCVMM


• Other/Physical


111


Client Assignment Used to permanently assign users to specific computers.

The two types of user assignment are:

• Persistent— A permanent desktop is assigned to the user.

• Temporary — A free desktop is assigned on a temporary basis to the user, and then is available to be used again at user logoff.

A client type can be assigned to the computers in the group based on the following:

• User

• Device Name

• Device Address

• Organizational Unit

• Group

Note: Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit.

Assign computers using the Client Assignment window for the specified computer. See Managed Computers for more information on this window.



• Microsoft SCVMM


• Other/Physical

Access Timetable Used to restrict access to the computers in this group based on day and time.



• Microsoft SCVMM


• Other/Physical


112

vWorkspace Desktops

Load Balancing Used to specify a load balancing rule for the group, if appropriate. Load Balancing Rules that are created using the vWorkspace Management Console, Load Balancing node are presented as load balancing rule options.

• Microsoft SCVMM

User Privileges Automatically assigns users to local security groups.

This policy is useful when provisioning desktop workspaces to users that require elevated privileges.



• Microsoft SCVMM


• Other/Physical

Session Auto-Logoff Automatically logs off user sessions.

This policy is for users that start published applications and not full desktops. If enabled, vWorkspace automatically logs off when the last published application is closed. This eliminates the potential issue of applications remaining in memory, and never really terminating.



• Microsoft SCVMM


• Other/Physical

Inactivity Timeout Automatically suspends computers in the group when they are inactive.



• Microsoft SCVMM

Logoff Action Automatically resets the computers in this group when the user logs off.


• Microsoft SCVMM


113


Session Protocol Specify the protocol for remote user sessions for this group, either RDP or RGS.



• Microsoft SCVMM


• Other/Physical

Experience Optimization

Specify if user experience optimizations are to be enabled or disabled for this computer group.

This includes the settings for bandwidth optimization appliances and EOP Xtream.



• Microsoft SCVMM


• Other/Physical

Enhanced Audio Enable support for enhanced bidirectional audio.



• Microsoft SCVMM


• Other/Physical

Auto-Expand Automatically expands the group to accommodate an increase in users to ensure there is always a minimum number of free computers available at all times.



• Microsoft SCVMM


114

vWorkspace Desktops

View Managed Computer Groups

Administrators have the ability to view summary information as well as delete computer groups from the vWorkspace management console. A computer group can only be deleted from vWorkspace if it is empty.

Task Automation Tasks can be scheduled to be completed at specified times.

See Task Automation for more information.



• Microsoft SCVMM


• Other/Physical

Permissions Specify permissions for this computer group.



• Microsoft SCVMM


• Other/Physical

Finish Select from the options available as to the finish process for this group.



• Microsoft SCVMM


• Other/Physical


115


The Desktops or Other Servers sections, Computers, Tasks, and Logs tabs of the vWorkspace Management Console, display the warning message, Not all log entries have been displayed if the allowed maximum row view is attained. From this warning message, administrators can select the option to set a different maximum row amount.

How to ...

• View Summary Information

• View Managed Computers

• View Tasks for a Computer Group

• View Logs for a Computer Group

• Modify the Properties of a Computer Group

• Delete a Computer Group

View Summary Information


2. Select Desktops for the location, and highlight the computer group.

3. Select the Summary tab in the information pane.

View Managed Computers


2. Navigate to the Desktops node of the computer group that you want to view, and highlight the computer group.

3. Select the Computers tab in the information pane.

4. In the Find field, enter the text of the search term for the desired information; for example "Powered On" to locate powered on computers in the Power State column.

5. Click the Find Next icon to highlight the next computer satisfying that criteria. Click the Select All Matching icon to highlight all computers satisfying that criteria.

116

vWorkspace Desktops

6. If the criteria is not found a message box displays stating "[criteria] not found."

View Tasks for a Computer Group


2. Navigate to the Desktops node of the computer group that you want to view the tasks, and highlight the computer group.


4. Click Toggle Lower Pane on the toolbar of the information pane.

This enables the lower pane.

5. Select the Tasks tab to view.

6. In the Find field, enter the text of the search term for the desired information, for example "Reconfigure" to locate reconfigured computers in the Task Item column.


View Logs for a Computer Group


2. Navigate to the Desktops node of the computer group that you want to view the logs, and highlight the computer group.



This enables the lower pane.

5. Select the Log tab to view.

6. In the Find field, enter the text of the search term for the desired information.


Modify the Properties of a Computer Group


2. Navigate to the Desktop node that includes the computer group that you want to modify.

3. Right-click on the computer group, and select Properties.

4. Change the properties as appropriate, and then click OK.

117


Delete a Computer Group


2. Navigate to the Desktops node of the computer group that is to be deleted.

3. Right-click on the computer group, and then select Delete Group.

If the group is not empty, a message appears stating that all managed computers from the group need to be removed prior to deleting the group.

4. Click Yes on the confirmation window to delete the group.

Computer Group Column Options

In a computer group’s information pane, administrators have the ability to configure column options.

Memory Column Color Coding

The Memory Demand (Status), Assigned Memory (MB), and Memory Demand (MB) columns have a feature where the computer’s current status is not only indicated by a value but the cell background is color-coded indicating a relative status for memory use: green for adequate (OK), yellow for marginal and red to indicate the computer is in danger of exhausting its memory.

How to ...

Arrange Information Pane Column Order and Sort Order

Columns are grouped and ordered according to computer group type. In the Column Options window, the Grouped checkbox indicates if the selected column is part of a group and its order is determined by its position in the Selected Columns pane, with the top column on the far left of the Information pane.

1. To arrange columns in the Information pane, click and hold down the mouse button in the column heading, and drag the column to the desired location.

2. To sort information within a column, click the column heading to toggle the ascending or descending arrowhead, or right-click in the column heading and select Sort Ascending or Sort Descending from the drop-down context menu.

Resize Columns

1. Right-click in a column heading and select Size Column to Fit from the drop-down context menu to fit a column to its contents.

118

vWorkspace Desktops

2. Right-click in a column heading and select Auto Size All Columns to Fit to automatically fit all the columns in the Information pane to their contents.

Select Columns


2. Navigate to and select a computer group.

3. Select the Computers tab in the information pane.

4. Right-click within a column heading.

5. Select Column Options... in the context menu.

6. In the Column Options window, use the right arrow to move columns from the Available Columns pane to the Selected Columns pane, or the left arrow to move columns back to the Available columns pane.

7. In the Selected Columns pane, highlight a column name and click the up or down arrows to adjust its position. Click OK.

119


8. To display all the available columns, right-click in an information pane column heading and choose Show All Columns from the drop-down context menu.

Task Automation

The ability to schedule the execution of a vWorkspace supported operation on a vWorkspace managed virtual or physical computer is available through the Automated Task Wizard. Some of the scheduled tasks include:

• Power management.

• Deletion of virtual computers, including the ability to delete computers that have been inactive for a specified number of days.

• Installation of MSI packages.

• Installation and update of PNTools.

• Program and script execution.

How to ...

Schedule Tasks using the Automated Task Wizard


2. Expand the Desktops node for the location to which you want to add the scheduled task.

3. Do one of the following to open the Computer Group Properties window:

a) Right-click on the computer group, and select Properties.

b) Highlight the computer group, and then select Actions | Properties from the main menu.

c) Highlight the computer group, and select the Properties icon from the toolbar.

d) Highlight the computer group. Select the Summary tab in the navigation pane, then Actions | Properties.

Scheduled tasks can also be identified by computer. See Automated Tasks for more information, and use the below steps to add a new scheduled task, using the Automated Task Wizard, to a specific computer.

4. Select Task Automation in the left pane of the Computers Properties window, and then click New (green + plus sign). The Automated Task wizard appears.


120

vWorkspace Desktops

6. Enter a Name for the task, and then click Next.

7. Select the task from the list on the Task window, and then click Next.

8. On the Task Parameters window, complete the information as appropriate, and then click Next.

The fields on the Task Parameters window change based upon the Task selected.

9. Complete the information on the Schedule window, as appropriate, and then click Finish.

Managed ComputersManaged Computers are objects in the vWorkspace database that represent the desktop computers that are to be managed by vWorkspace. These desktops are installed on virtual computers or on physical devices, such as PC blades.

Managed computers have properties that control their creation and use. The properties that are available depend upon the type of group in which the managed computer exists. When a desktop computer is added or imported into a managed desktop group, it inherits the property settings of the group.

121


Computers are added to a managed desktop group by using the Add Computers tool. There are several methods available for accessing this tool. The method chosen depends on if the managed desktop group exists or if it is being created.

The inputs available on the Add Computers tool are based on the System type of the selected computer group.

Access the Add Computers tool by one of the following methods:

Select the Create new desktops from a master template on the Finish page of the Managed Computer Group wizard, when create a new computer group.

– OR –

Select the computer group from the vWorkspace Management Console and do one of the following:

a) Right-click on the computer group and select Add Computers.

b) Select the Add Computers icon from the navigation pane toolbar.

c) Select Add Computers from the Actions menu from the navigation pane.

d) Select Actions | Add Computers from the information pane of the computer group.

For more information on how to use the Add Computers tool based upon data center type, refer to one of the following sections: VMware Integration; Microsoft Hyper-V Integration; Microsoft SCVMM Integration; Parallels Virtuozzo Integration; or Non-Power Managed Data Centers.

Properties of a Managed Computer

The following section describes each property window of the managed computer.

122

vWorkspace Desktops

General

GENERAL WINDOW DESCRIPTION

Name The computer name.

DNS Name The Domain Name System name.

NetBIOS Name The NetBIOS name. The first 15 characters of the Windows computer name are assigned automatically by Windows setup and cannot be modified.

IP Address The TCP/IP address last assigned to the managed computer.

MAC Address The Media Access Control address assigned to the managed computer’s network interface card.

Note: Only one active physical or virtual network interface is supported on a VM, physical PC, or blade PC.

123


Administrative Account

This computer may be power-managed (suspended, reset, etc.) through the vWorkspace management console.

Selecting this option allows the vWorkspace management console to control the power state of the managed computer, if it is an applicable option.

ADMINISTRATIVE ACCOUNT WINDOW

DESCRIPTION

Override Group Properties Selecting this option allows a different administrative account and password to be assigned to the managed computer from the ones being used by the group.

Account This field is used to specify the name of a user account that has local administrative rights.

User the ellipsis to browse to the account.

GENERAL WINDOW DESCRIPTION

124

vWorkspace Desktops

Enable/Disable

Password/Confirm Password This field is used for the password of the user account specified by Account.

ENABLE/DISABLE WINDOW DESCRIPTION

Override group properties Selecting this option allows this computer to have a different property than the group.

Enabled or Disabled Select one of the options for this computer.

If Disabled is selected, the Connection Broker does not redirect incoming connection requests to this computer.

ADMINISTRATIVE ACCOUNT WINDOW

DESCRIPTION

125


Client Assignment

CLIENT ASSIGNMENT WINDOW

DESCRIPTION

Current User Displays the name of the user account currently logged on to the managed desktop computer.

If a user is not logged on, a None value is displayed.

Permanent User Displays the name of the user account permanently assigned to the managed desktop computer.

If a user is not logged on, a value of None is displayed.

126

vWorkspace Desktops

Select a user to whom this desktop should be permanently assigned

Use this option to select a user account that is permanently assigned to the managed desktop computer.

This option is available if a user is currently not logged on to the desktop.

Note: If a Client Assignment policy for the desktop group is set to Temporary, it is overridden for this desktop computer only.

Note: If the Client Assignment policy for the desktop group is set to Persistent, this setting can be used to pre-assign a user account to the managed computer.

Persistently assign the current user to this desktop

Use this option to assign the currently logged on user account to the managed computer.

This option is available if a user is currently not logged on to the desktop.

Note: If a Client Assignment policy for the desktop group is set to Temporary, it is overridden for this desktop computer only.

Remove the current permanent assignment

Use this option to remove the current permanent assignment from the managed computer.

Note: If a Client Assignment policy for the desktop group is set to Temporary, the managed computer is available for automatic, permanent assignment.

Note: If the Client Assignment policy for the desktop group is set to Persistent, this setting can be used to pre-assign a user account to the managed computer. However, the vWorkspace administrator can still choose to pre-assign the desktop to a user.

CLIENT ASSIGNMENT WINDOW

DESCRIPTION

127


Access Timetable

ACCESS TIMETABLE WINDOW

DESCRIPTION

Override group properties If selected, you can specify a different access timetable setting than that of a desktop group.

Click on the green grid to set a time schedule.

If selected, choose from the following:

Grant Permission — Specifies the days of the week and the hours of the day when logons to the desktop computer are allowed (marked in green).

Deny Permission — Specifies the days of the week and the hours of the day when logons to the desktop computer are not allowed (marked in red).

128

vWorkspace Desktops

User Privileges

USER PRIVILEGES WINDOW DESCRIPTION

Override group properties If selected, you can specify a different level of user privileges for the users that log on to this desktop computer.

Power User At logon, the user is added to the desktop computer’s built-in Power Users local group.

Administrator At logon, the user is added to the desktop computer’s built-in Administrators local group.

None At logon, the user is added to the desktop computer’s built-in Users local group.

129


Inactivity Timeout

INACTIVITY TIMEOUT WINDOW

DESCRIPTION

Desktops can be automatically suspended when idle for a specified amount of time.

Override group properties If selected, you can specify a different inactivity timeout setting than that of the parent desktop group.

Automatically suspend Select to enable automatic suspension of the desktop computer when inactive (user is logged off, but computer is still powered on), or if offline.

Do not automatically suspend

Select to disable automatic suspension of the desktop computer when inactive (user is logged off, but computer is still powered on), or if offline.

130

vWorkspace Desktops

Session Auto-Logoff

SESSION AUTO-LOGOFF WINDOW

DESCRIPTION

Override group properties If selected, you can specify a different session auto-logoff setting than that of a desktop group.

Module Name Enter the name, such as wuauclt.exe.

Add Select after entering a name in the Module Name box.

Remove Select to remove items from the list.

131


Configuration (VMware System Type only)

CONFIGURATION WINDOW DESCRIPTION

Reconfigure Enables administrators to modify the current memory and virtual disks configuration.

Refresh Refreshes the current view of the window.

132

vWorkspace Desktops

Configuration (SCVMM System Type only)

See the Microsoft SCVMM Integration chapter How to... Reconfigure SCVMM Computers section for more information.

CONFIGURATION WINDOW DESCRIPTION

Reconfigure Enables administrators to modify the current video adapter, memory and memory priority configuration.

Refresh Refreshes the current view of the window.

133


Logoff Action

LOGOFF ACTION WINDOW DESCRIPTION

Override group properties If selected, you can specify a different logoff action setting than that of a desktop group.

Nothing If selected, no actions are performed at logoff.

Reset If selected, this computer is reset when the user logs off.

Reprovision If selected, this computer is reprovisioned at log off.

Note: It is recommended that you install Virtual Desktop Extensions (PNTools) onto your VMware template if you are using the reprovision functionality.

134

vWorkspace Desktops

Session Protocol

SESSION PROTOCOL WINDOW

DESCRIPTION

Override group properties If selected, you can specify a different session protocol setting than that of a desktop group.

RDP Remote session protocol for this computer is set to RDP.

RGS Remote session protocol for this computer is set to RGS.

135


Experience Optimization

EXPERIENCE OPTIMIZATION WINDOW

DESCRIPTION

Enable support for bandwidth optimization appliances

Enables or disables support for bandwidth optimization for this computer.

Override group properties — If selected, you can specify a different bandwidth optimization setting than that of a desktop group.

136

vWorkspace Desktops

Enhanced Audio

Enable support for WAN acceleration (EOP Xtream)

Override group properties — If selected, you can specify a different EOP Xtream setting than that of a desktop group.

Enabled — Enables support for EOP Xtream.

Enable RDP pass-through mode — Enables EOP Xtream to use the RDP port, eliminating the need to configure extra firewall settings.

EOP Xtream Port Number — The default port number is 33389.

Maximum number of connections — Enter a maximum number of connections.

Disabled — Disables support for EOP Xtream.

EXPERIENCE OPTIMIZATION WINDOW

DESCRIPTION

137


Automated Tasks

ENHANCED AUDIO WINDOW DESCRIPTION

Override group properties If selected, you can specify a different enhanced audio setting than that of a desktop group.

Enabled Enables support for enhanced audio for this computer.

Disabled Disables support for enhanced audio for this computer.

TASK AUTOMATION WINDOW

DESCRIPTION

Name Identifies the name of the task.

Task Identifies the task that is to be completed.

Schedule Indentifies the schedule to which the task is to be completed.

138

vWorkspace Desktops

Permissions

New Select to add a new scheduled task.

See Schedule Tasks using the Automated Task Wizard for more information.

PERMISSIONS WINDOW DESCRIPTION

User/Groups Lists users and groups who have permission to perform administrative tasks on this computer.

Select a user or group to view their permissions.

Permissions Lists permission for this computer and if they are allowed or denied for the selected user or group.


TASK AUTOMATION WINDOW

DESCRIPTION

139


Sysprep Customizations The Sysprep Customization wizard creates the Sysprep information for VMware SCVMM, and Parallels Virtuozzo type computers. This wizard can be accessed from the Sysprep Customizations window of the Add Computers wizard by selecting the New icon (green plus sign).

You are able to select one of the following Sysprep types based on the system type:

• Microsoft Windows XP, Server 2003 (sysprep.inf) — For VMware, SCVMM, and Parallels Virtuozzo system types.

• Microsoft Vista, Windows 7, Server 2008 (unattend.xml) — For VMware (both VMware vSphere and VirtualCenter 2.5) and SCVMM system types.

You can also import an existing sysprep.inf or unattend.xml file, and then make further customizations to the file through the Sysprep Customizations wizard.

Alternative Sysprep Mode

An Alternative Sysprep mode is available for provisioning virtual computers (Microsoft Vista and later operating systems are not supported) on VMware platforms. To use this feature, PNTools must be installed into the virtual computer template, as it uses PNTools to push and execute Sysprep on the virtual computer.

To enable this feature, you must select Direct on the Execution Mode window of the Sysprep Customizations wizard.

140

vWorkspace Desktops

Quest recommends using this mode if:

• The virtual computer being created is going to be added to an Active Directory OU as part of the Sysprep process.

• The virtual computers fail to join the domain using the default vWorkspace Sysprep mode.

About Sysprep Files

Using an imported sysprep.inf file provides you with more customization than using the Sysprep Customization wizard. For example, you can configure TCP/IP and networking options. However, if you choose to import a sysprep.inf file, you must include the following sections, or the Sysprep process pauses and awaits user interaction.

[Unattended]OemSkipEula=YesOemPreinstall=YesInstallFilesPath=c:\sysprep\i386

[GuiUnattended]OEMSkipRegional=1OEMSkipWelcome=1EncryptedAdminPassword=No

141


[Networking]InstallDefaultComponents=Yes

If you are using a VMware platform, you can also use the Alternative Sysprep method. See Alternative Sysprep Mode for more information.

How to ...

• Create Sysprep Customizations— Windows XP/2003

• Create Sysprep Customizations— Vista/Win7/Server2008

Create Sysprep Customizations— Windows XP/2003

1. From the Syprep Customizations window on the Add Computers wizard, select the New icon (green plus sign).

2. Click Next on the Welcome window of the Sysprep Customization Wizard.

3. Enter a Name for this Sysprep customization, and then click Next.

4. Select the Sysprep type, Windows XP/2003 (sysprep.inf), or this Sysprep customization.

142

vWorkspace Desktops

5. Complete the information on the Import window, if you want to import an existing sysprep.inf file, and then click Next.

– OR –

If you do not want to import an existing file, click Next.

See About Sysprep Files for more information about importing an existing sysprep.inf file.

6. Specify the Windows operating system on the Operating System window, and then click Next.

The choices are:

• Windows XP Professional

• Windows XP Professional (64 bit)

• Windows Server 2003

• Windows Server 2003 (64 bit)

7. Enter the Windows registration information of Owner and Organization on the Registration window, and then click Next.

8. Select a Time Zone that is to be used when configuring Windows on the Time Zone window, and then click Next.

143


9. Select one of the following on the Product Key window, and then click Next.

a) Specify a single product key.

b) Retrieve product keys from a text file. Use the ellipsis to browse.

10. Select one of the options on the Execution Mode window when you are Syspreping VMware type computers, and then click Next.

If you choose Native, then VMware’s Sysprep is used.

If you select Direct, then the vWorkspace Sysprep process is used.

These options are only used when the system type is VMware.

11. Select either Per Server or Per Device or Per User on the Licensing Mode window, and then click Next.

12. Enter the Password for the administrator account for the desktops created in this group, on the Administrator Password window, and then click Next.

13. Select Workgroup or Domain where the computers are to be added on the Domain or Workgroup window, and click Next.

If you select Domain, you need to specify a user account that has permission to add a computer to the domain.

144

vWorkspace Desktops

14. Enter the Active Directory Organization Unit Path to which the computers are to be added on the Active Directory Path window, and then click Next.

15. Enter the path to the folder where the installation files are located, and then click Next.

If you do not want a folder specified, you must delete the default value in the Path field.

This is an optional step. The default is c:\sysprep\i386.

16. Select one of the following options on the Regional Settings window, and then click Next:

a) Use the default regional settings for the Windows version you are installing.

b) Specify the regional settings. Select a default value for the language.

17. On the Languages window, select a different language in which the users can view the content, and then click Next.

145


18. Use the Run Once window to configure Windows to automatically run a command the first time a user logs on.

a) Enter the command in the Command box, and click Add.

b) Use the green arrows to define the commands order.

c) Click Next when you are finished.

19. Enter an Identification String, which is written to the registry of the computer to assist in determining which Sysprep object was used to customize a computer. Click Next.

20. Alter custom Sysprep entries on the Custom Sysprep Entries window. This is an optional step. Click Next to go to the next window.

21. Review your entries on the Summary window and do one of the following:

a) Click Back to make changes.

b) Click Finish to create the desktops.

c) Click Cancel to exit without saving the settings or creating the desktops.

22. Complete the Add Computers wizard in the usual way.

Create Sysprep Customizations— Vista/Win7/Server2008

1. From the Syprep Customizations window on the Add Computers wizard, select the New icon (green plus sign).

2. Click Next on the Welcome to the Sysprep Customization Wizard window.

3. Enter a Name for this Sysprep customization, and then click Next.

146

vWorkspace Desktops

4. Select the Sysprep type of Windows Vista, Windows 7, Server 2008 (unattend.xml) for this Sysprep customization, and then click Next.

147


5. If you want to use an existing unattend.xml file, click Select file on the Import window, and browse to the location of your answer file template.

Click Edit to use notepad or a shell application to edit the file.

If you have modified the file outside of vWorkspace or have used the Edit option to modify the file, click Re-import to reimport the file.

Click Next to continue.

This is an optional step, and is used if you have an existing unattend.xml file that you want to use in the Sysprep process.

6. Select the operating system and the processor architecture for this customization, and then click Next.

7. Enter the Windows registration information of Owner and Organization on the Registration window, and then click Next.

8. Select a Time Zone that is to be used when configuring Windows on the Time Zone window, and then click Next.

148

vWorkspace Desktops

9. Select one of the following on the Product Key window, and then click Next.

a) Select Specify a product key and then select Specify a single product key. Enter the specified product key.

• The entered product key replaces the Product key value and elements in the unattend.xml file if you have imported an existing unattend.xml file.

b) Select Specify a product key and then select Retrieve product keys from a text file. Enter the file or browse to its location.

c) Unselect Specify a product key.

• The Product key values and elements are specified in the imported unattend.xml file (if you have imported an existing unattend.xml file) will be used in the Sysprep process.

• If there are no Product key values or elements specified in the unattend.xml file, a message is displayed warning that the Sysprep might fail.

The need for a product license key is based upon Microsoft’s license scheme for their products. For example, if you are using Microsoft Windows 7 Enterprise edition, you do not need to enter a product key, as licensing is supported through a key management server.

149


10. Select Workgroup or Domain to identify how the desktops will participate in the network.

If you select Domain, you must enter a user account that has permission to add a computer to the domain.

Click Next.

11. Specify the Active Directory Organization Unit path into which the computers are to be added, and then click Next.

150

vWorkspace Desktops

12. Specify a local administrator account on the Local Account window if you are using Microsoft Vista or Microsoft Windows 7, and then click Next.

151


13. Select to enable or disable the firewall for the public profile, domain profile, and private profile, and then click Next.

14. Specify the regional settings, as appropriate, and then click Next.

15. Use the Run Once window to configure Windows to automatically run a command the first time a user logs on.

a) Enter the command in the Command box, and click Add.

b) Use the green arrows to define the commands order.

c) Click Next when you are finished.

16. Enter an Identification String, which is written to the registry of the computer to assist in determining which Sysprep object was used to customize a computer.

17. Click Finish to complete the Sysprep Customization wizard process.

18. Complete the Add Computers wizard in the usual way.

View Managed ComputersAdministrators have the ability to view summary information as well as delete managed desktop computers from the vWorkspace Management Console.

152

vWorkspace Desktops

Administrators also have the ability to remote into a user’s active session. See Remote Control for more information on this option.

How to ...

• View Summary Information

• View Tasks for Managed Computers

• View Logs for Managed Computers

View Summary Information


2. Navigate to the computer group in Desktops to which the computer belongs, and highlight the computer group.

3. Select the Computers tab in the information pane, and then highlight the computer.

4. Click Toggle Lower Pane from the toolbar of the information pane.

This enables the lower pane with three tabs, Summary, Tasks, and Log.

5. Select the Summary tab to view property and status information.

View Tasks for Managed Computers






5. Select the Tasks tab to view tasks performed on the selected computer. Use the Actions menu and toolbar of the tasks pane to refresh information or cancel tasks.

View Logs for Managed Computers




153




5. Select the Log tab to view log information.

Desktops PropertiesThe Properties option is used to set user and groups access permissions for the Desktops node.

Permissions enable administrators to allow or deny actions for activities within the vWorkspace Management Console. Users and groups of users who are selected as system administrators have implicit allow permissions for all actions, and may add and remove other system administrators.

See Administration for more on setting up permissions.

Initialize ComputerWhen a managed computer (virtual or physical) is added to a computer group, the vWorkspace Data Collector Service must be installed to allow the managed computer to communicate properly with the vWorkspace enabled Connection Brokers. The process that accomplishes this is called the Initialize Computer task, and is initiated and executed by the Connection Broker.

The Initialize Computer task is accomplished as follows:

1. The Connection Broker checks for the IP address of the computer to be initialized by querying the server (for power-managed computers), and for non-power managed computers, it checks for the issuing DNS or NetBIOS name resolution queries.

2. Once the IP address of the target computer has been retrieved, the Connection Broker attempts to connect to the Data Collector service on that computer using TCP port 5203. If successful, it queries for the version of the Data Collector service.

154

vWorkspace Desktops

3. If the Connection Broker is unable to connect to the Data Collector service, or if the version of the Data Collector service on the target computer is older than that running on the Connection Broker, the Connection Broker attempts to install the newer version of the service by remotely connecting to the Windows Service Control Manager and system drive of the target desktop computer.

It then stops the Data Collector service if it is running and copies the newer version of PNDCSVC.exe to the Windows\System32 folder. Once the file has been copied, the Connection Broker issues a remote command to start the Data Collector service.

4. Once the newly installed Data Collector service has been successfully started on the target computer, the Connection Broker again attempts to contact the Data Collector service on TCP port 5203. If the connection is successful, the Connection Broker passes the following to the Data Collector service:

• List of all available Connection Brokers.

• Informs the Data Collector service to use TCP port 5201 when initiating connections to a Connection Broker.

• Request to encrypt the connections.

• Configured heartbeat interval (the interval at which the DataCollector service is to send status updates to the Connection Brokers).

• Information about the License Mode for the vWorkspace infrastructure.

• Information about the Public Key to use for SSL encryption.

• Assigned Unique Computer ID for the computer.

When an Initialize Computer task is unsuccessful, the Connection Broker considers the desktop unusable and marks it offline, making it unavailable to users. Some common causes of a failure include:

• Firewalls are blocking the communications between the Connection Broker and the managed computer.

• Name resolution issues.

• Insufficient privileges held on the managed computer. You need to be able to connect to the administrator file shares and have the privilege to create a service on the managed computer. The privilege is set in the Properties of the computer group, in Computer Administrative Account.

155


Initialization Triggers

The following events can trigger the Initialize Computer task:

• Successful Clone operation.

• Add/Import Desktops.

• Missed Heartbeats.

To manually initialize a computer or multiple computers:

1. Open the vWorkspace management console.

2. Select the computer group under Desktops.

3. Highlight the computers that are to be initialized from the Computers tab of the information pane.

4. Right-click to select the Initialize option or select Actions | Initialize from the information pane toolbar.

The ability to manually initialize a computer or multiple computers is available through the context menu option of the highlighted computers. Select the computer group under the Desktops node on the vWorkspace Management Console, and then highlight the computers that are to be initialized from the Computers tab of the information pane and right-click to select the Initalize option.

156

vWorkspace Desktops

Microsoft Active Directory Group Policy Settings

In order that Desktops work properly, certain Microsoft Group Policy settings need to be implemented. These Group Policy settings can be implemented at the local system level and in Active Directory.

MICROSOFT GROUP POLICY SETTINGS

DESCRIPTION

Restricted Groups Use this policy setting to automatically control membership into the Remote Desktop Users group.

Always wait for the network at computer startup and logon

Use this policy to allow the network components of Windows to fully initialize and process Active Directory policy settings before allowing users to log on.

Some communications between the managed computer and the Connection Broker may fail if this policy is not enabled.

Use the following path to set this policy:

Computer Configuration | Administrative Templates | System | Logon

Windows Firewall Settings Several firewall settings must be enabled and configured as both a domain profile and a standard profile. Use this path to set the following policies:

Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall

• Allow Remote Desktop Exception — This policy must be enabled so that users can connect remotely.

• Allow File and Printer Sharing Exception — This policy must be enabled so that PNTools can be installed remotely.

• Define Port Exceptions — This policy must be enabled so that the vWorkspace Connection Broker can communicate with managed computers on TCP port 5203.

157


Virtual Desktop Extensions (PNTools)Virtual Desktop Extensions (PNTools) is a set of executables, dynamic link libraries, and device drivers that provide features and management functionality for managed computers in a vWorkspace infrastructure. Virtual Desktop Extensions can be installed on all computers, virtual or physical, which are being managed using Desktops.

Virtual Desktop Extensions provides the following:

• Data Collector

• Seamless window display mode

• Up to 4096 x 2048 screen resolution

• Quest vWorkspace Universal Print Driver

• Quest vWorkspace USB Redirection

• Media Player Redirection

• User Profile Management

• Flash Redirection

• Full-fledged desktop or published application sessions

• Multi-monitor support (only with seamless windows)

Data Collector Service

The Data Collector service is also installed onto each virtual computer. The Data Collector sends a heartbeat signal to the Connection Broker, informing it of the logon status of the virtual computer and its readiness to accept connections.

The Connection Broker communicates with the virtual computer through the Data Collector service, sending it pre-logon policy configuration data prior to redirecting the user with the pending logon request to that virtual computer.

Any versions of Virtual Desktop Extensions that are previous to the vWorkspace release must be removed before proceeding with the installation of vWorkspace.

158

vWorkspace Desktops

Universal Print Driver

The Universal Print Driver enables users to access their printers without the need to install manufacturer specific print drivers on to the virtual computer. This EMF-based print driver is designed to impersonate the original print driver by inheriting its properties and capabilities from the client computer or print server.

The Universal Print Driver supports remotely connected and network attached Windows PCs and laptops, as well as non-Windows clients and thin client terminals by means of print server software extensions. Both local and remote users can gain access to a vWorkspace-enabled desktop infrastructure from any type of client device.

The Quest vWorkspace Print-IT Control Panel applet is installed on each virtual computer, allowing administrators to configure printer autocreation settings for Windows PC and laptop users. To support non-Windows clients and thin client terminals, the Print-IT print server extensions must be installed onto existing or dedicated print servers, and managed using the vWorkspace Management Console.

See Universal Printing for more information on Print-IT.

Media Player Redirection

This feature provides multimedia playback in hosted desktop environments. Media Player Redirection is optimized to deliver a near physical desktop experience, including rich multimedia content, full fidelity sound, and comprehensive format capabilities.

Users experience multimedia graphics and animation without irregular displays, long load times, and choppy transitions.

USB Device Redirection

From headsets to mobile devices, USB devices are frequently used, but can sometimes be problematic when used in a virtualized environment. However, with the vWorkspace features of USB Redirection and USB-IT, USB device integration issues can be solved.

For more information on USB Redirection and USB-IT, see USB Devices.

159


User Profile Acceleration

User Profiles is an alternative to roaming profiles. User Profiles eliminate potential profile corruption and accelerate logon and logoff times by combining the use of a mandatory profile with a custom persistence layer designed to preserve user profile settings between sessions.


Flash Redirection

vWorkspace Flash Redirection allows for the playing of Flash content.

vWorkspace Flash Redirection option needs to be selected as an installation option. Adobe Flash Player version 9 or 10 needs to be installed on the server and client in which the vWorkspace Flash Redirection feature is to be installed.

See Flash Redirection for more information.

Installation

The installation program for Virtual Desktop Extensions is located in the following folder on all Connection Brokers:

%ProgramFiles%\Provision Networks\PNTools\pntools.msi

There are several ways to install, upgrade, or uninstall Virtual Desktop Extensions:

• Use the PNTools | Install/Update from the context menu of a specific managed desktop group or managed desktop computer on the vWorkspace Management Console.

• Use the MSI Packages option from the Packaged Applications node of the vWorkspace Management Console to define a package for PNTools. See MSI Packages for more information.

160

vWorkspace Desktops

• Use the Automated Tasks option. See Task Automation for more information.

• Manually install Virtual Desktop Extensions into the virtual computer template.

• Use third-party software distributions.

161


162

6

Experience Optimized Protocol

• Overview

• Optimization Settings

• EOP Audio

• EOP Text Echo

• EOP Multimedia Acceleration

• EOP Graphics Acceleration

• EOP Xtream


OverviewThe Experience Optimized Protocol (EOP) components address the user experience challenges of Virtual Desktop Infrastructure (VDI) by provisioning seamless, reliable, high-performance enhancements over remote desktop software. These enhancements ensure that your VDI and RD Session Host/Terminal Server deployment can deliver on the promise of virtualization and a true local-desktop experience.

The following features are available through the Experience Optimized Protocol license:

• EOP Xtream — Accelerates RDP and EOP traffic on wide area networks (WANs). This provides for an improved user experience by providing faster RDP screen responses and improved performance of all EOP features.

• EOP MultiMon — Enables support for multiple monitors.

• EOP Audio (Bidirectional Audio) — Enables support for applications that require the use of a microphone, such as dictation, collaboration, and certain VOIP applications.

• EOP Text Echo — Enhances the user experience when typing, if they are connecting over a high latency network connection. A client Control Panel applet is used to adjust settings of this feature.

• EOP Multimedia Acceleration (Media Player Redirection) — Enables the redirection of Flash content and Microsoft DirectShow content (anything that can be played in Microsoft Windows Media Player) from the VDI or Windows Terminal Session through an RDP Virtual Channel to the client, where it is played using the local compression/decompression technology (CODEC).

• EOP Graphics Acceleration — Reduces bandwidth consumption and dramatically improves user experiences, making RDP usable over WAN connections.

These features can be assigned to Users, Groups, OU, Client IP or Client Device Name.

Optimization SettingsThe features of EOP are installed via the vWorkspace installer. Administrators can limit to whom and which features are automatically presented to users during the log on process.

164

EOP Audio

The optimizations settings of Graphics Acceleration, Flash Redirection, Local Text Echo, and Media Player Redirection can be found at the following locations. The options are set to disabled by default.

• Quest vWorkspace Remote Desktop Connection | Experience tab | Optimizations section

• vWorkspace AppPortal | Actions | Manage Connections | User Experience Optimizations section

• Web Access (Admin) | User Experience | Performance | Optimizations section

EOP AudioThis feature enables users to redirect their audio devices to RD Session Host/Terminal Servers and hosted desktops to use with applications involving dictation and for certain VOIP applications. These settings are disabled by default.

This feature does not support Windows COM-based audio API found in some Windows Vista, Win7, and Win2008 applications. This means that the software does not work with applications using COM-based API.

• In the case of upstream audio, the result is the inability of the application to detect the microphone.

• In the case of downstream audio, the result is that the sound is transmitted to the Client computer through the Microsoft RDP audio drive without using the Quest downstream audio driver.

Microphone sound quality is best with sufficient bandwidth, at least 25 to 30 Kbps, to support the audio channels.

The Connection Policies, Remote Computer Sound option overrides the setting for Remote computer sound on the Local Resources window in the AppPortal setup, as well as the Local Resource Settings window in the Web Access preferences.

165


EOP Audio for the AppPortal can be setup several different ways:

• Manage Connections | Local Resources

• Quest vWorkspace Client Remote Desktop Connection | Local Resources

If you use the setup option of Manage Connections, you need to set Remote computer sound to Bring to Local Computer and select the Microphone option.

166

EOP Audio

If you use Quest vWorkspace Remote Desktop Connection, set the Remote computer sound option to Bring to this computer, and select the Microphone option.

The setup option for this feature for the Web Access client is Remote computer sound, of the Local Resources option.

167


There are additional client side settings in the Quest vWorkspace Bidirectional Audio, Control Panel applet. Use these settings to further define quality, network buffering, and microphone settings.

168

EOP Text Echo

EOP Text EchoThe EOP Text Echo (Local Text Echo) feature enables a local presentation of keystrokes when a user is connecting over a high latency network connection. The user can type at full speed without waiting for the keystrokes to appear, as the text appears in a bubble as it is typed.

When a password field is selected and EOP Text Echo opens to show the text being typed, characters can be shown in clear text revealing a user’s password. EOP Text Echo does not automatically detect every known password field. For applications where password fields are not detected, an Enhancement Request (contact Quest Support) can be made to make sure the specific password field is enabled in the EOP Text Echo code.Note that there are some instances where the password fields cannot be enabled in EOP Text Echo, such as when using a Telnet application through the Command Prompt.

169


A client Control Panel applet, Local Text Echo Client, is used to change the default settings, such as the bubble size and latency speed.

A server Control Panel applet, Local Text Echo Server, is used to set a list of application exclusions for text echo.

170

EOP Multimedia Acceleration

EOP Multimedia AccelerationThis feature includes the components of Media Player Redirection and Flash Redirection.


This feature redirects Microsoft Windows Media content through an RDP virtual channel to the client, where it is played using the local compression/decompression (CODEC) technology. This enables support for full fidelity playback of Microsoft Windows Media content.

Media Player Redirection accelerates the delivery of multimedia content such as recorded webcasts and web-based training from remote virtualized desktops and applications.

The requirements for media player redirection include:

• Microsoft Windows Media Player version 10 installed on the virtual host (server).

• All vWorkspace components, including PNTools and the vWorkspace client need to be on the same version.

• Microsoft Windows Media Player 10 and proper CODEC to decode the required media format needs to be installed on the client.

If you are experiencing problems with Media Player Redirection, you may consider installing a bundle of codecs, such as K-Lite Code Pack.

Flash Redirection

vWorkspace Flash Redirection allows playing of Flash content.

vWorkspace Flash Redirection option needs to be selected as an installation option. Adobe Flash Player version 9 or 10 needs to be installed on the server and client in which the vWorkspace Flash Redirection feature is to be installed.

The client Adobe Flash player version must match the version (major versions) that is installed on the server.If the versions do not match, then the flash content plays without Flash Redirection, through RDP.

171


Flash Redirection Windowless Support

This enhancement, Flash Redirection Windowless support, allows for flash web sites that do not use windows to position the flash content to be played with the vWorkspace Flash Redirection. With Flash Redirection Windowless support enabled,

Flash Redirection Windowless support is enabled by default. To disable this feature, you need to change the following registry value.

HKLM\System\CurrentControlSet\Control\Terminal Server\ AddIns\PNFlash

Wndless (Type="integer")=1

Values:

0 = no windowless mode support

1 = windowless mode supported

Flash Redirection Setup

The following outlines the steps for using vWorkspace Flash Redirection.

Define Connection Policies

1. Open the vWorkspace Management Console and expand Resources.

2. Highlight the Connection Policies node, and do one of the following:

• Right-click and select New Connection Policy....

• Click on the New Connection Policy icon on the main toolbar or the information pane toolbar.

• Select Actions | New Connection Policy... Setting from the main menu.

3. Click Next on the Welcome window of the New Connection Policy wizard.

4. Enter a name in the Name field, and then click Next.

5. Define Remote Computer Sound by selecting one of the following options, and then click Next.

• Bring to Local Computer

• Leave at Remote Computer

• Do Not Play

• Defer Setting to End User

172


• Undefined

6. Specify the Local Devices settings, and then click Next.

173


7. Specify the performance optimizations settings on the Experience Optimizations window, and then click Next.

Set the options for Flash Redirection as appropriate.

The options for selection are: Yes, No, Defer to End User, or Undefined.

8. Assign users to this connection policy property on the Client Assignments window, and then click Next.

9. Set permissions, as appropriate, on the Permissions window, and then click Finish.

Enable Flash Redirection in AppPortal

1. Open the AppPortal.

2. Select Actions | Manage Connections to open the Farm Connections wizard.

174


3. On the User Experience window, select Flash Redirection in the Optimizations section, and then click OK.

Set Flash Redirection in Web Access

1. Open the Web Access Management Console.

2. Select a specific farm or all farms to which graphics acceleration is to be enabled.

175


3. Select Performance in the User Experience settings section.

4. Select Flash Redirection, and then click Save Changes.

EOP Graphics AccelerationvWorkspace EOP Graphics Acceleration adds additional compression to Microsoft Remote Desktop Protocol (RDP) to dramatically reduce bandwidth consumption and improve end user experience, making RDP usable over WAN connections. EOP Graphic Acceleration can be assigned to Users, Groups, OU, Client IP or Client Device Name.

EOP Graphics Acceleration performs better with applications and documents that contain a high degree of graphics, and may not perform as well with text based applications. It is recommended that EOP Graphics Acceleration be thoroughly tested with each application before implementing in a production environment.

Enabling the vWorkspace EOP Graphics Acceleration feature for specified applications ensures the benefits of this feature to the end users.

176

EOP Graphics Acceleration

EOP Graphics Acceleration Implementation

In this section, recommended procedures for implementing and using vWorkspace EOP Graphics Acceleration are discussed. Appropriate testing for compatibility and performance before implementing into a production environment is a recommended practice.

After the vWorkspace EOP Graphics Acceleration feature has been enabled on the appropriate managed application, you can set a Connection Policies Property that is used to define access to graphics acceleration. Connection Policies Properties are defined by using Connection Policies in the vWorkspace Management Console Resources section. The following are the available Connection Policies.

• User

• Group


• Client IP/IP Range

• Client Name/Naming Convention

EOP Graphics Acceleration Registry Settings

Below are two registry settings for EOP Graphics Acceleration that can be used to set progressive image display and compression quality that can be set per application.

Altering registry settings should only be completed by an administrator who understands these types of settings, and your environment should be backed up prior to changing any registry setting.

HKLM\Software\Provision Networks\Image Acceleration

Note: Progressive Image Display is disabled by default.

ProgressiveUpdate (REG_DWORD): 0 disable progressive update, 1 enable

Jpeg Quality (REG_DWORD): Jpeg quality 20-100 [Note: this overrides Quality when present]

Jpeg Subsampling (REG_DWORD): 0 4:4:4, 1 4:1:1 (default), 2 4:2:2

177


Jpeg RGB (REB_DWORD): 1 using RGB instead YCbCr

ExcludedWindows: REG_MULTI-SZ (the window class names to be excluded in GA)

HKLM\Software\Provision Networks\Terminal Server

Note: EOP Graphics Acceleration can be enabled or disabled and set compression quality per application.

HKLM\Software\Provision Networks\Image Acceleration\AppList\<executable name>

– OR –

HKCU\Software\Provision Networks\Image Acceleration\AppList\<executable name>

Enabled (REG_DWORD): 1 Enable GA for this executable, 0 Disable GA

Jpeg Quality (REG_DWORD): compression quality (20-100)

Note: EOP Graphics Acceleration checks the HKCU AppList first, if the executable is not on the list, it checks the HKLM settings. If the executable is not on the HKLM AppList setting, EOP Graphics Acceleration uses the global setting, HKLM\Software\Provision Networks\Image Acceleration.

EOP Graphics Acceleration Setup

The following procedures outline the steps for using vWorkspace EOP Graphics Acceleration.

• Enable EOP Graphics Acceleration Globally

• Disable EOP Graphics Acceleration by Managed Applications

• Define Connection Policies

• Enable EOP Graphics Acceleration in AppPortal

• Set EOP Graphics Acceleration in Web Access

Enable EOP Graphics Acceleration Globally


2. Highlight on Managed Applications, and then select Properties.

178


3. Do the following on the Graphics Acceleration window:

a) Select Enabled on the Graphics Acceleration window.

b) Select one of the image quality options, and then click Apply.

4. Click OK to close the window.

Disable EOP Graphics Acceleration by Managed Applications


2. Expand Resources, and then select Managed Applications.

For the purposes of this procedure we are going to disable Graphics Acceleration on the managed application called Command Prompt.

3. Select Command Prompt from the list of managed applications.

4. Open the Managed Applications Properties window by doing one of the following:

a) Highlight Command Prompt, and then right-click and select Properties.

– OR –

b) Highlight Command Prompt, and then select the Properties icon from the information pane.

179


5. On the EOP Graphics Acceleration window of the Command Prompt, Managed Application, set graphics acceleration to Disabled.

6. Click Apply to save the change.


Define Connection Policies


2. Highlight the Connection Policies node and do one of the following:

• Right-click and select New Conection Policy.

• Click on the New Connection Policy icon (green plus sign) on the toolbar or the information pane toolbar.

• Select Actions | New Connection Policy... from the main menu.

3. Click Next on the Welcome window of the New Connection Policy wizard.

4. Enter a name on the Name window, and then click Next.

5. Define Remote Computer Sound by selecting one of the following options, and then click Next.


• Leave at Remote Computer

180


• Do Not Play


• Undefined

6. Specify the Local Devices settings, and then click Next.

181



Set the options for Graphics Acceleration as appropriate.

The options for selection are: Yes, No, Defer to End User, or Undefined.

8. Assign users to this connection policy property on the Client Assignments window, and then click Next.


Enable EOP Graphics Acceleration in AppPortal

1. Open the AppPortal.

2. Select Manage Connections.

182


3. On the User Experience window, select Graphics Acceleration in the Optimizations section, and then click OK.

Set EOP Graphics Acceleration in Web Access

1. Open the Web Access Management Console.

2. Select a specific farm or all farms to which graphics acceleration is to be enabled.

183


3. Select Performance in the User Experience settings section.

4. Select Graphics Acceleration, and then click Save Changes.

EOP XtreamThe patent-pending technology, Quest EOP Xtream, accelerates RDP and EOP traffic on wide area networks (WANs). This provides for an improved user experience by providing faster RDP screen responses and improved performance of all EOP features.

Quest EOP Xtream is specifically designed for users on WAN links with modest to high round trip latency. For example, the typical amount of latency that is common when connecting from the United States to Europe. Quest EOP Xtream is also effective on WAN links that are much closer, such as a VPN link from a home to a corporate office in the same city.

Quest EOP Xtream operates transparently to the users. Quest EOP Xtream is enabled in RDP pass-through mode by default.

184

EOP Xtream

Latency Effectiveness

Quest EOP Xtream is specifically designed for users on WAN links with modest to high round trip latency. Quest EOP Xtream is not recommended for LAN traffic or WAN traffic with low latency. The recommended network conditions listed below are guidelines. Network type, packet loss, and other factors impact the effective useful range of Quest EOP Xtream.

• Typical effective round trip latency: 30ms-400ms.

Firewall Considerations

The Quest EOP Xtream Server listens on TCP port 3389 (RDP port). No additional configuration is needed, as the Windows firewall port 3389 is automatically opened.

Configure Quest EOP Xtream

Quest EOP Xtream is enabled in RDP pass through mode by default.

Quest EOP Xtream settings can be altered on the Experience Optimization window of the computer group or the individual computer Properties window.

Any changes made to the default options require a reboot. The reboot is automatic in a VDI environment, but requires a manually reboot in an RD Session Host/Terminal Servers environment.

Quest EOP Xtream is designed to improve performance of screen updates and other EOP features. Quest EOP Xtream is not designed to reduce the effect of keystroke latency (echo) commonly observed on WAN links that exceed 200ms of latency. The Quest vWorkspace EOP feature, EOP Text Echo, is designed to lessen this effect.

185


QUEST EOP XTREAMSETTING

DESCRIPTION

Enable RDP pass-through mode Selecting this option allows EOP Xtream to use the RDP port, eliminating the need to configure additional firewall settings.

EOP Xtream Port Number Enter a port number to be used, if other than the default number, which is 3389.

Note: Any changes made to the default options require a reboot. The reboot is automatic in a VDI environment, but requires a manually reboot in an RD Session Host/Terminal Servers environment.

Maximum number of connections

Enter a maximum number of connections.

186

EOP Xtream

There is also a Connection Policy, WAN Acceleration (EOP Xtream), in the vWorkspace Management Console. Connection policies are used to define automatic device connection and optimizations when users log on to a remote computer. Connection policies can be configured, and assignments and permissions defined. Connection policies are set to Undefined by default.

187


You can also enable EOP Xtream from the following settings:

• vWorkspace AppPortal, User Experience settings

• vWorkspace Web Access, Performance settings

188

EOP Xtream

• vWorkspace Client Remote Desktop Connection, Experience settings

A configurable client side timeout is available for the EOP Xtream. The default timeout is 5 seconds, if no other value is stated in the registry entry.

The registry value that needs to be set is:

HKLM\Sortware\Provision Networks\PNDNACLI"ConnectTimeout" (REG_DWORD) = "15"

Settings defined in Connection Policies override any settings made in AppPortal and Web Access.

189


190

7

Manage Applications

• Overview

• Managed Applications Properties

• New Application Tool

• Publish RD Session Host/Terminal Server Applications

• Publish a Managed Desktop

• Publish Managed Applications

• Publish Content

• Work with Published Applications


OverviewBefore an application can be published and accessed by users, it first must be installed on the hosting computer. In a Quest vWorkspace infrastructure, the hosting computer can be any of the following:

• Microsoft RD Session Hosts/Terminal Server

• Managed Computers

• Virtualized Applications

Microsoft RD Session Hosts/Terminal Server

Applications installed and published on Microsoft RD Session Hosts/Terminal Servers are sometimes referred to as shared or multi-user applications. This is because a single installation of the application can be used simultaneously by multiple connected users.

When Terminal Services is enabled on Microsoft Windows Servers, you must ensure the application is installed properly. Consider these suggestions and guidelines:

• Terminal Servers need to be in the install mode when installing applications intended for multi-use. This is done automatically when Control Panel Add |Remove Programs is used, but can also be started from a command prompt using the following command: Change User / Install.

• Users should not be logged on to the system when installing applications.

• Review all available documentation for any issues that might exist when installing and using an application with Terminal Services. Some applications have special procedures or command line switches that must be used for installation on Terminal Servers.

• Restrictions such as support for the full feature set or license restrictions may be applicable when used on Terminal Servers.

• Applications, such as Computer Aided Design or scientific modeling and analysis programs, may not be good candidates for Terminal Server based deployments. These types of applications place an increased demand on the physical resources of a computer.

192

Manage Applications

Managed Computers

A major benefit of hosting applications on vWorkspace enabled managed computers is that no special considerations have to be taken into account; you install the application as it would be done for a Windows computer. The applications can be installed manually, or pushed to the managed computer using third-party tools such as Microsoft Active Directory Group Policy (Software Installation) or Microsoft SMS.

Some considerations when installing applications on managed computers are:

• Install all the applications a user might need on to the same managed computer, when practical. This helps to reduce the number of remote sessions needed for a user to accomplish their work.

• Use managed computers for special purpose applications that do not need to be made widely available.

• Use managed computers for applications that are too resource intensive to be installed on Terminal Servers.

• Use managed computers, especially when implemented as virtual computers, for applications being created and tested in a software development environment.

Virtualized Applications

Many application deployment solutions exist to simplify and accelerate the process of deploying line-of-business applications to the user desktop. These same tools are ideal for use in a vWorkspace enabled desktop infrastructure.

Managed Applications PropertiesThe Managed Applications Properties option allows administrators to enable or disable Graphics Acceleration globally for managed and unmanaged applications, and set Permissions for users for all managed applications.

Managed application properties are accessed by doing one of the following:

• Select Properties from the context menu of Managed Applications in the vWorkspace management console. Managed Applications is listed under Resources in the vWorkspace management console.

• Selection Actions | Properties from the main menu on the vWorkspace Management Console.

193


• Select the Properties icon on the toolbar.

Graphics Acceleration

The Graphics Acceleration setting in Managed Applications Properties is used to globally set graphics acceleration for all managed and unmanged applications. You can also set the Image Quality for the graphic accelerated application in Properties.

194

Manage Applications

The ability to set graphics acceleration for individual managed applications, is completed by the Properties settings for the specified application, or by setting the Graphics Acceleration setting during the process of adding a Managed Application.

Permissions

Managed Applications Properties is also used to enable administrators to allow or deny actions for activities within the vWorkspace Management Console. For more information on Permissions, see Administration in the vWorkspace Management Console chapter.

New Application ToolThe New Application command is used to publish an application, desktop, or content. It can be opened from the following locations within the vWorkspace Management Console.

• Terminal Servers node

• Desktops node

• Resources node

195


How to ...

• Start New Applications using Terminal Servers Node

• Start New Applications using the Desktops Node

• Start New Applications from the Resources Node

Start New Applications using Terminal Servers Node


2. Expand Locations and then the location name where the Terminal Sever is located.

3. Highlight the Terminal Servers node.

4. Select the Applications tab in the information pane.

5. Select New Applications from either the toolbar or by the context menu which can be accessed by right-clicking in a blank area of the information pane.

Start New Applications using the Desktops Node


2. Expand Locations, and then the location name where the computer group is located.

3. Expand the Desktops node.

4. Select the computer group into which the application is to be published.

5. Right-click on desktop group, and select New Application.

– OR –

In the information pane, click on the Managed Applications tab and select Actions | New Application in Group.

Start New Applications from the Resources Node


2. Expand the Resource node, and highlight Managed Applications.

3. Right-click the Managed Applications node, and then select New Managed Application.

– OR –

In the Managed Applications information pane, select New from either the Actions or the context menu.

196

Manage Applications

Publish RD Session Host/Terminal Server ApplicationsThe most direct way to publish applications hosted on RD Session Hosts/Terminal Servers is to start New Application from either the Terminal Servers or Resources nodes (see New Application Tool for more information). The system displays the Managed Application Wizard. Complete the information contained in the various windows as appropriate.

Publish an Application Hosted on Terminal Server

1. Open the Managed Application Wizard.

2. Click Next on the Welcome window of the Managed Application Wizard.

3. On the Application Name window, specify a friendly name for the application in the Name box, and then click Next.

Published application friendly names are limited to 150 characters. If any names are longer than 150 characters, they get truncated, and any duplicates are suffixed with a numeric value to ensure uniqueness.

4. On the Application Type window, select the type of application, and then click Next.

197


5. On the Publishing window, select Terminal Server(s) and select the servers on which to publish the application for a specified location, and then select Next.

6. Complete the following information on the Defaults window, and then click Next:

a) If the application to be published is a virtualized application package stored on a App-V server, click Select App-V Application.

b) Enter a Path, or select the ellipsis to browse.

198

Manage Applications

c) Enter any arguments that you want to have passed to the application when started in the Arguments box.

d) If the application requires a working directory, type its path in the Working Dir box.

199


7. On the Server Specific window, enter server specific program specifications, as appropriate. Click Next.

8. On the Display Name window, enter a Display Name if you want the name that is displayed to the user to be different than what is in the Name box on the Application Name window. Click Next.

200

Manage Applications

9. On the Icon window, select an icon for the application, and then click Next.

10. Specify the application window state for this application, including seamless window mode settings, and then click Next.

11. Select the appropriate option (Desktop, Start Menu, Start Menu \Programs) for clients using AppPortal in desktop integrated mode on the Desktop Integration window, and then click Next.

201


12. Select the appropriate option on the Graphics Acceleration window, and then click Next.

The Use default option refers to the default Graphics Acceleration option setting on the Managed Applications Properties window. See Managed Applications Properties for more information.

13. Select Enabled or Disabled on the Enable/Disable window, and then click Next.

If you select Disabled, the application is not displayed in client application lists.

202

Manage Applications

14. Complete the information, as appropriate, on the Load Balancing window, and then click Next.

The Enable this application to share on active session option must not be selected if you are using Web Access with published applications where multiple users use the same computer, such as a kiosk or other semipublic user.

15. Specify any application restriction settings for this application, and then click Next.

16. Select the Virtual-IP settings for this application, as appropriate, and click Next.

The settings are: Virtual IP, Client IP, and Virtual Loopback.

17. Use the Client Assignment window to assign this application to clients, and then click Next.

18. Set Permissions as appropriate, and then click Finish.

203


Publish Terminal Server Desktops

The steps for publishing a shared Windows desktop hosted on a Terminal Server is exactly the same as that for publishing a shared application, except for the following exceptions:

1. The Application Type is set to Desktop. When this is done, no path, arguments, or working directory are needed, and the fields for these are not presented.

2. The Defaults and Server-Specific options are not available.

3. The Startup section is not available.

The Startup option is only available if the Type is Program.

Publish a Managed DesktopYou can publish a desktop to the managed computer group using the New Managed Application wizard.

How to ...

Publish a Desktop to a Managed Computer Group


2. Expand the Desktops node at the required location.

3. Navigate to the computer group where the desktop is to be published.

4. Select New Application from the context menu.



6. On the Application Type window, select the type of application, Desktop, and then click Next.

204

Manage Applications

7. On the Publishing window, select the Managed Computer Group option, and then select the managed computer group from your location on which to publish the application. Click Next.





The Use default option refers to the default Graphics Acceleration option setting defined in the Managed Applications Properties.

12. Select Enabled or Disabled to specify if this application is displayed on the client application list.

13. Use the Client Assignment window to assign this application to clients, and then click Next.

14. Set Permissions as appropriate on the Permissions window, and then click Next.

205


Publish Managed ApplicationsPublishing an application hosted on a managed desktop is similar to that of RD Session Host/Terminal Servers. The major differences are that the Load Balancing, Application Restrictions, and Virtual IP options are not available for managed desktops.

How to ...

Publish an Application


2. Expand the Desktops node for the required location.

3. Navigate to the computer group where the desktop is to be published.

4. Start New Application by selecting the New Application icon from the toolbar or Actions | New Applications.

5. Click Next on the Welcome window of the Managed Application Wizard.



The following characters cannot be used in application names that are to be published for Web Access: <, >, /,\, *, ", ’.

7. On the Application Type window, select the type of application, Program, and then click Next.

8. On the Publishing window, select Managed Computer Group, and then select the managed computer group from your location on which to publish the application. Click Next.

9. Complete the following information on the Defaults window, and then click Next:

a) If the application to be published is a virtualized application package stored on a App-V server, click Select App-V Application.

b) Enter a Path, or select the ellipsis to browse.

c) Enter any arguments that you want to have passed to the application when started in the Arguments box.

206

Manage Applications

d) If the application requires a working directory, type its path in the Working Dir box.



12. Specify the application window state when started, on the Startup window, and then click Next.



The Use default option refers to the default Graphics Acceleration option setting of Managed Applications Properties.

15. Select Enabled or Disabled to specify if this application is displayed on the client application list.

16. Select Client Assignments to specify the clients that are to have access to this application and assign this application to them, and then click Next.

17. Set permissions on the Permissions window, as appropriate, and then click Finish.

Publish ContentTraditionally in Windows networks, users have relied on network drive mappings, browsing, or corporate Web sites to get information. As networks grow in size and complexity these methods have become less efficient.

Web based resources that are not located on the corporate network can require users to remember numerous and sometimes long URLs, or to know how to build efficient and effective search queries. Published content provides an easier way for users to access the information they need. When an administrator publishes content, the complete path to the resource is specified and is associated with an icon. This path can be in Universal Naming Convention (UNC) format or web based formats, such as http, https, ftp, ldap. The icon representing the content is passed down to the vWorkspace Client in the same manner as application and desktop icons.

207


To access the content, the user simply clicks on the icon. The content path is passed to an application, based on Windows file type associations, capable of opening that type of content. For example, content using a UNC path would be opened with Windows Explorer, while content using http would be opened with Internet Explorer. The administrator has the option of specifying whether the application used resides on the client device or on a remote device.

If you are using an application deployment solution such as Application Virtualization, applications are published using the type Content.

The process of publishing content is exactly the same as publishing an application hosted on a RD Session Host/Terminal Server or desktop with the following exceptions:

• Type — Select Content on the Application Type window of the Managed Application Wizard, and then select where the content is to be published (Server or Client).

• Publishing— Select Terminal Server(s) if you want the content to be opened with an application installed on a RD Session Host/Terminal Server, and then select which RD Session Host/Terminal Servers to use.

Select Managed Computer Group if you want the content to be opened with an application installed on the client device. When this is chosen, the Server-Specific, Application Restrictions, Virtual IP, and Load Balancing windows are unavailable as they do not apply to desktops.

• Path — Enter the path to the content on the Defaults window. A UNC path can be either to a shared folder or a file within a shared folder.

If you want users to have multiple sessions to the same server, the Restrict each user to one session setting at the following path must be set to No.Administrative Tools | Terminal Services Configuration | Server Settings

Share, NTFS, and web permissions all apply when users try to access the content. Therefore, even though clients are listed in the published content’s access control list, the client may still be denied access because of other permissions.

208

Manage Applications

Work with Published ApplicationsOnce applications have been published on either Terminal Servers or desktops, additional applications can be added, modified, duplicated, and deleted.

The Select Applications to Publish menu option is a way to add existing published applications, desktops, or content to either a Terminal Server or computer group when new RD Session Host/Terminal Servers or computer groups have been added to the vWorkspace infrastructure.

All properties of published applications, desktops, or content can be modified after they are created. An existing published application can be duplicated and then modified, but the duplicate needs to be given a unique name.

When a published resource is no longer needed, it can be deleted from the database. Deleting a published application, desktop, or content does not remove the application from the hosting computer nor does it delete the actual desktop or content.

How to ...

• Add Published Applications to a Terminal Server

• Add Published Applications to a Computer Group

• Modify Published Applications with Desktops Node

• Modify Published Applications on the Resources Node

• Duplicate a Published Application

• Delete a Published Application

Add Published Applications to a Terminal Server



3. Click on the Terminal Servers node in which to add the existing published resources.

4. In the information pane on the right, click on the Applications tab for the selected RD Session Host/Terminal Server.

209


5. Click on the Published Applications icon from the navigation pane toolbar or the information pane toolbar, or select Actions | Publish Applications. A list of published resources is presented.

6. Select each published resource you want to add to the server. To select a published resource, select the box to the left of the Application.

7. Click Apply to make the changes without closing the window, or click OK to make the changes and to close the window.

Add Published Applications to a Computer Group


2. Expand Locations and then the location name where the computer group is located.

3. Expand the Desktops node and highlight the computer group.

4. Use one of the following to open the Select Applications to Publish:

a) Right-click on the computer group.

b) Select the Managed Applications tab in the information pane, and then Actions| Select Applications to Publish in the information pane.

c) Select Actions| Select Applications to Publish from the navigation pane.

210

Manage Applications

d) Click the Select Applications to Publish icon from the navigation pane toolbar.

5. Select each published resource you want to add. To select all published resources, select the box to the left of Applications.


Modify Published Applications with Terminal Servers Node



3. Click on the Terminal Servers node in which to modify the existing published resources.

4. Click on the Applications tab located in the Terminal Servers information pane.

5. Highlight the published resource to be modified, and then select Properties from the context menu, or click on the Properties icon on the information pane toolbar.

6. On the Managed Application Properties window, navigate through the various windows to make the necessary changes.


Modify Published Applications with Desktops Node


2. Expand Locations and then the location name where the computer group is located.

3. Expand the Desktops node (you can also navigate to a specific datacenter or computer group).

4. Click on the Managed Applications tab in the information pane.

5. Highlight the published resource to be modified, and then select Properties from the context menu, or select Actions | Properties on the information pane.

6. On the Managed Application Properties window, navigate through the various tabs to make the changes, as appropriate.


211


Modify Published Applications on the Resources Node


2. Expand the Resources node, and then click on the Managed Applications node.

3. Highlight the published resource to be modified, and then select Properties from the context menu, or select the Properties icon from the information pane.

4. On the Managed Application Properties window, navigate through the various tabs to make the changes, as appropriate.


Duplicate a Published Application


2. Navigate to the desired published application under the Terminal Servers, Desktops, or Resources node.

3. Right-click on the published application, and select Duplicate from the context menu.

4. Make the necessary changes using the appropriate windows on the Managed Applications Properties window.


Delete a Published Application


2. Navigate to the desired published application under the Terminal Servers, Desktops, or Resources node.

3. Click the Delete on the toolbar or from the context menu.

4. After reviewing the warning message, click Yes to delete or No to cancel.

212

8


• About Application Compatibility Enhancements

• How Application Compatibility Enhancements Work

• Create Redirection Rules


About Application Compatibility EnhancementsMany applications store user specific data and configuration settings in systemwide locations, such as the HKey_Local_Machine (HKLM) or common files and folders. In multi-user environments such as Terminal Server, the storage of information can lead to such issues as data corruption, access conflicts, and the inability to customize application settings by user.

Application Compatibility Enhancements (Redirect-IT) is a registry and file system redirection engine designed to eliminate these conflicts in a Terminal Services environment. Application Compatibility Enhancements intercept an application’s request for common subkeys and files by creating private instances of these in the user’s registry hive (HKCU) or home directory. All application requests to these common subkeys or files are redirected to the user’s private instances.

The vWorkspace administrator uses the vWorkspace Management Console to create redirection rules. The types of rules include:

• Registry

• File

• Folder

How Application Compatibility Enhancements WorkApplication Compatibility Enhancements (Redirect-IT) operates in the background using an Application Compatibility Enhancements (ACE) engine. Application Compatibility Enhancements perform the following corrective steps:

1. Intercepts registry and file operations targeting the common data, such as HKLM subkeys and common files and folders specified in the redirection rules.

2. Copies the common data from their original locations to the user private locations, such as HKCU or the home folder as specified in the redirection rules. This step is only performed if user private instances of the common data does not already exist.

3. Performs the registry and file operations on the user private instances of the data.

214


Application Compatibility Enhancements (Redirect-IT) can only be installed on Microsoft Windows servers with Terminal Services installed in Application Server mode.

Create Redirection RulesHow to ...

• Create a Registry Redirection Rule

• Create a File Redirection Rule

• Create a Folder Redirection Rule

• View a Redirection Rule

• Edit a Redirection Rule

Create a Registry Redirection Rule

1. Start the vWorkspace Management Console.

It is recommended that you open the vWorkspace Management Console from the Terminal Server where the application is installed, so that file is available.

2. Right-click File & Registry Redirection from the navigation pane, and select New Redirection Rule.

– OR –

Select File & Registry Redirection from the navigation pane, and click the green + on the toolbar in the right pane.

3. Enter a new name for the rule in the Rule Name field on the General window.

215


4. Select the Redirection Type Registry on the New Redirection Role window.

5. Type a new category or select an existing category from the list in the Category box on the General window, and then click Next.

6. Complete the following information on the Values window for the redirection rule, and then click Next.

a) Type a path and file name of the executable, or click the ellipsis to browse to the executable in the Program field.

b) Type the location of the registry key location that is to be redirected, or click the ellipsis to browse to the location in the Original Registry Key field.

c) Type the new path and file name, or click the ellipsis to browse to the location where the key should be redirected in the New Registry Key field.


216


Create a File Redirection Rule




– OR –


3. On the General window, specify the following settings for the redirection rule, and then click Next.

a) Enter a new name for the rule in the Rule Name field.

b) Select the Redirection Type, File.

c) Type a new category, or select an existing category from the list in the Category field.

4. On the Values window, complete the following values for the redirection rule, and then click Next.


b) Type the path and file name of the existing location of the file, or click the ellipsis to browse to the file in the Original File field.

217


c) Type the path and file name, or click the ellipsis to browse to the location where the file is to be redirected in the New File field.

d) Select Copy original file(s) to new folder if it doesn’t already exist, if appropriate.


Create a Folder Redirection Rule




– OR –


3. On the General window, specify the following settings for the redirection rule, and then click Next.

a) Enter a new name for the rule in the Rule Name field.

218


b) Select the Redirection Type, Folder.

c) Type a new category, or select an existing category from the list in the Category field.

4. On the Values window, complete the following values for the redirection rule, and then click Next.


b) Type the path and file name of the existing location of the file, or click the ellipsis to browse to the file in the Original Folder field.

c) Type the path and file name, or click the ellipsis to browse to the location where the file is to be redirected in the New Folder field.

d) Select Copy original file(s) to new folder if it doesn’t already exist, if appropriate.


View a Redirection Rule



2. Select File & Registry Redirection from the navigation pane.

3. View the details on the information pane.

Edit a Redirection Rule



2. Select File & Registry Redirection from the navigation pane.

3. On the information pane, right-click on the Redirection rule that is to be changed, and then select Properties.

4. Edit the redirection rule as appropriate.

219


220

9

Virtual IP

• About Virtual IP

• Virtual IP Configuration


About Virtual IPVirtual IP (VIP-IT) enables each user instance of a legacy application to be bound to a distinct IP address. This allows many legacy applications to run concurrently and reliably on RD Session Hosts/Terminal Servers. The following features are supported by Virtual IP:

• Virtual IP — Assigns a unique IP address to each instance of a configured application running on RD Session Hosts/Terminal Servers.

• Client IP — Uses the client device IP address as a unique identifier for each instance of a configured application running on RD Session Hosts/Terminal Servers.

• Virtual Loopback — Assigns a unique loopback address to each instance of a configured application running on RD Session Hosts/Terminal Servers.

• Logging — Enables logging of Virtual IP activity on a RD Session Hosts/Terminal Server.

Virtual IP ConfigurationHow to ...

• Enable Virtual IP on a RD Session Host/Terminal Server

• Configure Virtual IP Address Ranges

• Configure Applications

Enable Virtual IP on a RD Session Host/Terminal Server

You can enable Virtual IP on RD Session Hosts/Terminal Servers by doing one of the following procedures, either using Terminal Server Properties or Virtual IP Server Configuration.

To enable Virtual IP through Terminal Server Properties


2. Expand Locations, and then expand the location where the RD Session Host/Terminal Server is located.

3. Expand Terminal Servers and right-click on the selected Terminal Server, and then select Properties.

4. Select the Virtual IP tab on the Terminal Server’s Properties window.

222

Virtual IP

5. Select the Virtual IP features to be enabled, and then click OK.

6. Repeat the above steps for each Terminal Server.

To enable Virtual IP through Virtual IP Server Configuration


2. Expand Virtual IP, and then click Server Configuration.

3. Click Show only Virtual IP Enabled Servers or Show All Servers on the information pane.

Your selection controls which servers appear in the server list.

4. Select the Virtual IP features to be enabled (check the box in the Virtual IP column), by server, and then click Update Virtual IP Servers.

Configure Virtual IP Address Ranges

Each RD Session Host/Terminal Server must be configured with an appropriate range of IP addresses. Follow these guidelines when configuring Virtual IP address ranges:

• Virtual IP address ranges must be compatible with the IP subnet to which the Terminal Server is attached.

223


• Do not include IP addresses that are already statically assigned to other computers on the network.

• Do not include IP addresses that are part of existing DHCP server scopes.

• Do include enough IP addresses in the range to account for the maximum number of concurrent instances expected for a configured application.

To add a Master Range, do the following:


2. Expand the Virtual IP node, and click Address Range.

3. Click Add on the information pane. The Virtual IP Address Ranges window opens.

4. Enter the appropriate values for Starting Address, Ending Address, and Subnet Mask.

5. Click OK.

To add a Server to a Master Range, do the following:



224

Virtual IP

3. On the information pane, click on the ellipsis at the end of the Master IP Range or right-click on it and select Add Server(s) to Master Range from the context menu.

4. In the list of servers presented in the window, select the boxes associated with the servers to be added to the master range and click OK.

5. Enter the number of addresses to allocate to each selected server and click OK.

To modify Address Range Allocations, do the following:



3. On the information pane, right-click the Terminal Server that is to be modified, and then select the appropriate option.

The options include:

• Remover Server — Removes the server from the Master IP range.

• Allocation for Server — Defines the number of IP addresses to allocate to the server.

• Set Allocations for All Servers in Master Range to — Defines the number of IP addresses to allocate to each server in the master range.

225


• Equally Allocate Addresses to All Servers in Master Range — Sets the number of IP addresses to allocate to each server in the master range to the maximum of one.

• Manually Edit Ranges — Opens the Edit IP Address window to edit address ranges for each server manually.

Configure Applications


2. Expand the Virtual IP node, and then select Application Configuration.

3. Click Show All Applications on the information pane.

4. Select Virtual IP, Client IP, or Virtual Loopback for each application, as appropriate.

5. Click Update Virtual IP Servers.

226

10

vWorkspace Additional Components

• Overview

• vWorkspace Password Reset Service

• Proxy-IT


OverviewThe vWorkspace installation Additional Components features consist of the following:

• vWorkspace Management Console

• Password Reset Service

• RDP Gateway (Proxy-IT)

The vWorkspace Management Console is discussed in detail in the vWorkspace Management Console chapter. The other features are discussed in this chapter.

vWorkspace Password Reset ServiceThe Quest vWorkspace Password Reset Service facilitates SSL-protected password reset requests from clients, to allow them to reset their Active Directory Credentials via the Web Access Portal or the AppPortal client. This service requires an SSL Certificate and listens on port 443 (by default).

The vWorkspace Password Reset Service can be installed on any Windows computer, physical or virtual, that is joined to a domain trusted by the domain containing the accounts of the users connecting in to the vWorkspace infrastructure.

How to ...

• Configure the vWorkspace Password Reset Service

• Configure vWorkspace Password Management in AppPortal

• Configure vWorkspace Password Management in Web Access

The vWorkspace Password Reset Service should never be installed on a computer that is in the DMZ network.

228


Configure the vWorkspace Password Reset Service

Use the following steps to configure the vWorkspace Password Reset Service.

1. Use the following path to open the Quest Password Manager Control Panel applet.

Start | Control Panel | Quest Password Manager

2. On the General tab, enter the TCP Port.

3. Click the Lock icon by Certificate Name.

4. Select the certificate on the Select Certificate window, and then click OK.

5. If you want to use logging, select the Logging tab and then Enable trace logging to the specified file.

6. Enter the path and file name for the log file, or use the folder button to browse to it.

7. Click OK on the Quest Management Properties window.

Configure vWorkspace Password Management in AppPortal

1. Open the AppPortal client.

2. Use the following path to open the Farm Connections window.

Actions | Manage Connections

3. If you are configuring Password Management on an existing farm, do the following:

a) Select Modify existing farm on the Select Farm window, and then select the farm that is to be edited from the list.

229


b) Select Password Management from the left pane, and complete the information as appropriate.

c) Click OK.

4. If you are configuring Password Management on a new farm, do the following:

a) Select Create new farm on the Select Farm window.

b) Complete the information on the Farm Connections windows as appropriate.

Configure vWorkspace Password Management in Web Access

This option can only be configured as a global setting.

1. Select Password Management under the Authentication options on the Web Access Management Console.

230


2. Enter a Domain using the NetBIOS name of the Password Management server.

3. Enter the Server (FQDN).

The host name, NetBIOS name, or IP address can be used in this field.

4. Enter a Port number, and then click Add.

The usual number to use is 443.

5. Repeat the above steps to add multiple Password Management servers.

6. Click Save Changes.

Proxy-ITProxy-IT is designed to deliver more connectivity options for accessing Microsoft Windows Terminal Servers from legacy, non-Win32, open source, or third-party RDP devices, with no differences for the make or the model. Multiple Proxy-IT servers can be clustered using Microsoft Network Load Balancing (NLB) or another third-party load balancing switch.

Proxy-IT listens for client requests on a configured TCP port, which is port 3389 by default.

It is recommended that the current version of Proxy-IT be used with Microsoft Session Directory to enable users to reconnect to their disconnected sessions.

231


How to ...

Configure Proxy-IT

1. Open the Quest Proxy-IT applet from the Control Panel.

2. Complete the information on the Quest Proxy-IT Properties window as appropriate, and then click Apply.

Accept connections on this TCP port

Enter the TCP port.

The default is 3389.

Inactivity timeout (minutes) Enter a number of minutes.

A value of 0 indicates that connections never time out.

Connection Broker Settings Use Add Server to add the IP addresses or host names.

Connect to broker on this TCP port

Enter the TCP port associated with the Connection Broker settings.

Connect to broker using SSL Select if connecting using SSL.

Enable NAT support for firewall traversal

Select if network address translation is being used.

232


Proxy-IT with Session Directory Services

Proxy-IT can be used in conjunction with Session Directory Services. By using Proxy-IT and Session Directory Services, users can be reconnected to their disconnected session, should the session be dropped.

Proxy-IT Prerequisites

The following items are required:

• All Proxy-IT servers cannot be configured for the multi-users application mode.

• Proxy-IT uses RDP port 3389 for its service, making it impossible to administer the server remotely. However, you can remap the local RDP listener to alternative port, such as 3390 or 2290 to allow for remote administration.

• Administrators can connect to this server using mstsc.exe by adding the alternative port.

• The RDP port needs to be remapped in the following registry location:

HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\ WinStation \RDP-TCP

1. Value: PortNumber

2. Type: REG_DWORD

3. Data: 0x000003d3 (3389) — Change this value to something else, such as 3390 or 2290.

4. Reboot the server.

Use the following steps to use Proxy-IT with Session Directory Service.

Server Logging Select to enable trace logging, and then enter the file name or use the folder button to browse to the file.

233


Enable Session Directory Service

To enable Session Directory Services, you must enable the service on all of your Proxy-IT servers. Use the following steps to complete this task:

1. Open up the Services tool by selecting Start | Run, and then type Services.msc

2. Scroll to the Terminal Services Session Directory and set it to automatic.

3. Start the service.

These steps need to be completed on all of your Proxy-IT servers.

Enable Session Directory on Terminal Services

Use the following steps to enable Session Directory Services on all of your RD Session Host/Terminal Servers:

1. Open the Terminal Services Configuration tool, and go to the Server Settings Node.

2. On the details pane, right-click on the Session Directory and select Enable.

These steps need to be completed on all of your RD Session Host/Terminal Servers.

Setup Group Policies

There are two ways to setup Group Policies, using Group Policies or using the Terminal Services Configuration. It is recommended that you use the Group Policies method.

Using Group Policies Editor

1. Open the Group Policy Editor. To do this, select Start | Run and then type gpedit.msc.

2. Enable Join Session Directory in the following:

Computer Configuration/Administration Templates/Windows Components/Terminal Services/Session Directory

3. Click Session Directory Server. In the Session Directory Server Properties window, select the Enabled option, and then in the Session Directory Server field, type the name of the server where the Terminal Server Session Directory service is running. Click OK.

234


4. Click Session Directory Cluster Name. In the Session Directory cluster Name Properties window, select the Enabled option, and then in the Session Directory Cluster Name field, type the name of the cluster to which the RD Session Host/Terminal Server belongs. Click OK.

5. Optionally, enable the Terminal Server IP Address Redirection setting.

This policy should only be applied to the RD Session Host/Terminal Servers, so you may need to create a separate Organizational Units (OU) for them to reside.

Using Terminal Services

1. Open Terminal Services Configuration by using the following path:

Start | Control Panel | Administrative Tools | Terminal Services Configuration

2. Click Server Settings in the console tree.

3. Right-click Session Directory in the details pane, and then click Properties.

4. Select the Join session directory option in the Session Directory Settings window.

5. In Cluster name, type the name of the RD Session Host/Terminal Server cluster.

6. In Session directory server name, type the DNS name or IP address of the domain server where the Terminal Services Session Directory service is running.

The server name must be a valid server name, and cannot be left blank.

7. Select an IP address and network adapter form the Network adapter and IP address session directory should redirect users to list.

8. Optionally, unselect the IP address redirection (uncheck for routing token redirection) to have client devices reconnect to disconnected sessions by using the virtual IP address of the RD Session Host/Terminal Server cluster.

This option is selected by default, which enables clients to reconnect by using the individual IP addresses for the RD Session Host/Terminal Servers in the Session Directory.

You should unselect this option if clients have visibility only to the virtual IP address of the cluster and cannot connect to the IP address of an individual RD Session Host/Terminal Server.

235


236

11

Management Servers

• Overview

• Virtualization Servers

• Network Storage Servers

• About the Management Servers Window

• Add Management Servers


OverviewQuest vWorkspace is able to provide a comprehensive list of provisioning, brokering, management, access, and security solutions, especially when implementing desktops that are to be managed as virtual computers.

In order to provide this comprehensive functionality, the vWorkspace Connection Broker passes commands and queries to the Management Servers.

The following are the types of vWorkspace Management Servers:

• Virtualization Servers

• Network Storage Servers

Virtualization Servers

A Virtualization Server is a Windows based computer system used to centrally manage one or more physical servers enabled with computer virtualization technology, and the virtual computers being hosted and executed on them. In Quest vWorkspace, support for the following virtualization server systems is offered: VMware VirtualCenter Server, Microsoft System Center Virtual Machine Manager, and Parallels Virtuozzo Containers (master nodes).

vWorkspace Connection Brokers integrate with virtualization servers by Software Developer Kits (SDK) provided by the vendor. The APIs are exposed as a Web service on virtualization servers that are accessed using the J2SE components installed on Connection Brokers. This Web site is protected using Secure Socket Layer (SSL) with VMware VirtualCenter Server requiring the virtualization server’s digital server certificate to be placed into a keystore on the Connection Broker. Communication attempts fail without this keystore being placed on the Connection Broker.

To enable vWorkspace Connection Brokers to work with virtualization servers, the following configuration steps must be completed.

1. Install the Integration with VMware VI3, Integration with Microsoft SCVMM/Hyper-V, or the Integration with Parallels Virtuozzo subfeature on all Connection Brokers in the vWorkspace farm.

238

Management Servers

2. If HTTPS is being used as the communication protocol between the Connection Broker and the virtualization server, a Java keystore containing the virtualization server, server certificate must be created on each Connection Broker in the vWorkspace farm.

This is required for VMware VirtualCenter Server.

3. Add the virtualization server connections using the vWorkspace Management Console using the Virtualization Server wizard.

See the Quest vWorkspace Installation Guide for further instructions.

Network Storage Servers

Quest vWorkspace is integrated with NetApp storage for VMware type virtual computers, making it easy to manage your desktops. Through this integration you can:

• Accelerate deployment and provisioning.

• Reduce your total cost of ownership.

• Eliminate duplicate data on virtual desktops, user directories, and backup and disaster recovery copies.

239


The Rapid Provisioning option can be used to clone a VMware virtual computer quickly, and can assist in saving storage space by using the NetApp FlexClone technology on a storage server. This option is available on the Add Computers wizard, Clone Method window. Refer to the VMware Integration chapter for more information.

To enable vWorkspace Connection Brokers to work with network storage servers, your NetApp servers must be added using the Network Storage Servers wizard in the vWorkspace Management Console.

Before importing templates when using the Rapid Provisioning option, the templates must be on the NetApp storage server and the template’s virtual disks need to be in the same directory.

240

Management Servers

Requirements

The following are requirements for the integration of vWorkspace and NetApp storage for VMware type virtual computers.

• vWorkspace version 6.2 or later.

• NetApp Storage Controller needs to be the virtual computer’s datastore.

• NetApp Storage Controller version needs to be Data ONTAP version 7.3.1 or later.

• NetApp NFS and FlexClone licenses need to be enabled for the controller.

• Virtual computer templates, when using the Rapid Provisioning option, must be on the NetApp storage server and the template’s virtual disks need to be in the same directory.

• Refer to NetApp documentation for specific information about their requirements.

Implementation

After you have met all of the requirements, complete the following list of implementation procedures.

• VMware VirtualCenter network and the NetApp network needs to be setup. Review the documentation from NetApp for this integration information.

• VMkernel ports need to be added on ESX servers.

• A large flex volume needs to be created on NetApp for NFS share.

• A NFS export needs to be created on the NetApp storage server, and then the ESX VMkernel ports IP addresses need to be added to the NFS root access IP addresses.

• The NFS datastore of the NetApp NFS export needs to be added to the VMware VirtualCenter and it needs to be defined with an IP address, not a FQDN host name.

• Write a file or folder to the datastore of the VirtualCenter to verify the write permission.

If it fails, verify the VMkernel IP addresses and NFS root IP addresses are correct.

• Create or clone a virtual computer as a golden image on the NFS datastore through the VirtualCenter.

241


• Convert the virtual computer to a VM template.

• Complete the vWorkspace import procedure as outlined in Add Network Storage Servers.

Also, refer to the VMware Integration chapter for further information.

About the Management Servers WindowConnections to management servers are configured using the Management Servers window. The Management Server option can be opened from the vWorkspace Management Console one of the following ways:

• Select the Management Server icon from the toolbar.

• Select Action | Management Server from the toolbar.

• Right-click on Locations and select Management Server.

• Right-click on a specific location and select Management Server.

If virtualization servers have not been defined, the Virtualization Server Wizard is presented so that a management server can be defined. After a management server has been defined, the Management Server window is opened when the Management Server option is selected.

The following information is included on the Management Servers window.

242

Management Servers

New This option opens the Virtualization Server wizard so that new virtualization server connections can be added.

Properties This option allows the vWorkspace administrator to make changes to the configuration of the selected virtualization server.

Delete This option deletes the virtualization server’s record from the database.

Test Connection This option allows you to test the connection to the server.

Refresh This option updates the display list of virtualization server connection entries.

Virtualization Servers Options

Name The alias name of the management server.

URL/Server Name The Uniform Resource Locator (URL) path or server name used by the Connection Broker to communicate with the virtualization server.

243


Add Management ServersHow to ...

• Add Virtualization Server Connections

• Add Network Storage Servers

Add Virtualization Server Connections

The Virtualization Server wizard is used to add new entries to the virtualization server connections. Use the following information to complete the Virtualization Server wizard.

1. Open the vWorkspace Management Console and do one of the following:

• Right-click on the Locations node, and then select Management Servers.

• Select the Management Servers icon from the toolbar.

• Right-click on a defined location, and then select Management Servers.

If you have not previously added virtualization servers, the Virtualization Server wizard is presented.

Type The type of the management server is displayed in this column. The types are:


• Microsoft SCVMM


Network Storage Servers Options

Name The alias name of the network storage server is displayed in this column.

Type The type of management server. The type is:

• NetApp

Server The server IP address is displayed in this column.

Use Default Credentials This column displays if the Use Default Credentials check box has been selected on the Credentials window for the network storage server.

244

Management Servers

If you have previously added virtualization servers, the Virtualization Servers window appears. To add a new virtualization server, click on the green plus sign (+), and the Virtualization Server wizard opens.



System Type Select one of the virtualization server types.

245



Server URL or SCVMM Server Name or IP address

Enter the URL path to the virtualization server.

For Microsoft SCVMM, enter the SCVMM server name or IP address.

For VMware VirtualCenter Server, the URL must be in the format:


For Parallels Virtuozzo, the URL must be in the format:


For Microsoft Hyper-V, the URL must be in the format:


• The default port for Microsoft Hyper-V is 9000.

246

Management Servers


The options presented on the Other Settings window are based upon the supported features of the System Type selected.



DomainName\UserName


Test Connection Click Test Connection to test the server connection.





247









248

Management Servers

Add Network Storage Servers

1. Open the vWorkspace Management Console, and do one of the following:

• Right-click on the Locations node, and then select Management Servers.

• Select the Management Servers icon from the toolbar.

• Right-click on a defined location, and then select Management Servers.

If you have previously not added virtualization servers, the Virtualization Server wizard is presented.

If you have previously added virtualization servers, the Virtualization Servers window appears. To add a new virtualization server, click on the green plus sign (+), and the Virtualization Server wizard opens.

2. Click Network Storage Servers, and then click New.





Note: The Clone option does not apply to Microsoft Hyper-V.

249


3. Click Next on the Welcome window of the Network Storage Server wizard.

4. Enter a name for the new network storage server, and then click Next.

250

Management Servers

5. Specify the System Type of the network storage server, and then enter the IP address for the network storage server.

6. Click Next on the Server window.

251


7. Enter the credentials for this network storage server, and then click Finish.

The Use Default Credentials option can be used if you have specified credentials on the Default Credentials window.

252

12

VMware Integration

• Overview

• VMware Linked Clones

• Reprovision Computers

• Disk Persistence and Memory

• Virtualization Server

• Computer Groups

• Power Management


OverviewThe following VMware integrated features are available in vWorkspace:

• Import Datacenters.


• Automated desktop and server provisioning using VMware VirtualCenter templates.

• Guest Windows OS customization.

• Distribute managed computers and servers across multiple resource pools and datastores.

• Configure memory and disk persistence.

VMware Linked ClonesVMware Linked Clones are copies of virtual computers that share virtual disks with a parent virtual computer. Linked Clones are created from a snapshot of the parent computer. However, changes made to the parent computer or the linked clone computer do not affect each other; the linked clone is a clone of the parent computer at the time that it is created.

Linked clones need to be able to access their parent computer, and are disabled if they cannot access the parent computer.

You are also able to reprovision the linked clone, which enables administrators to change a users’s virtual computer to a linked clone of a new snapshot after the master has been updated or patched.

A parent VM might need to be unlocked, for example if you remove the template from the vWorkspace Management Console to edit it. You can unlock the template by right-clicking on it and selecting Unlock VM.

254

VMware Integration

You can complete the unlock process two different ways, by using the Add Computers wizard or through the computer Reprovision settings.

• Add Computer wizard — Right-click on the desktop group for the computer, and then select Add Computers. Click Next on the Welcome window, and then select Parent Virtual Machine. Right-click on the parent virtual machine and select Unlock VM.

255


• Reprovision settings — Select the computer from the vWorkspace Management Console. Right-click and select the Reprovision option. On the Reprovision Computers window, select New Snapshot for the VMware Linked Clones option, and then click the ellipsis. Right-click on the parent virtual machine and select Unlock VM.

VMware Linked Clone Setup

If you are creating a linked clone of a Microsoft Windows 7, or Microsoft Windows Server 2008, you need to install VMTools onto the VMware template and set the template to Microsoft Vista.

The only datatstores that are displayed and can be used on the Resource Pools/Datastores window on the Add Computers wizard, are the datastores of the parent virtual machine.

See Add Computers using the VMware Linked Clone Method for more information on using the Add Computers wizard to create VMware Linked Clones.

256

VMware Integration

VMware vNetwork Distributed Switch

In VMware environments, linked clones can be configured to use vNetwork Distributed Switches (vDS). VMware Linked Clones and NetApp FlexClones configured to use vDS are supported in a vWorkspace environment.

When configuring Vmware VirtualCenter, before starting linked clones (both VMware Linked Clones and NetApp FlexClones) that will connect to vDS, you need to note the following:

• The vDS port group needs to be configured as Ephemeral- no binding, per the VMware Knowledge Base article, 1021193, before any VMs are connected to it.

• The parent VM needs to be configured to connect to a vDS port group.

Refer to VMware product documentation for more information on vNetwork Distributed Switches (vDS).

Reprovision ComputersThe vWorkspace Management Console, Reprovision Computers option, allows for VMware clones to be reprovisioned based on administrator settings.

To reprovision VMware clones, do one of the following:

• Right-click on the VMware desktop group and select Reprovision.

• Select computers from the information pane, and then select Reprovision Computers from the Actions menu options.

• Select computers from the information pane, and then select Reprovision from the context menu of the selected computers.

257


258

Once the Reprovision Computers option is selected, the Reprovision Computers window opens. The options on this window allow you to set the action that is to be performed by clone type. You can also select for the reprovisioning to be completed once users have logged off.

VMware Integration

The Clone Types, which represent the types of VMware virtual computers for the selected desktop group, are:

• Standard Clones

• NetApp FlexClones

• VMware Linked Clones

• Unknown Clone Type

The Reprovisioning Using options are:

• Existing Template — This option reprovisions the computer using the stated template or snapshot.

• New Template — This option reprovisions the computer using a different template or snapshot than the one used to create the clone.

• Do Not Reprovision — This option does not reprovision the computer.

The ellipsis button is used to browse for the appropriate template or snapshot for the specified clone.

Disk Persistence and MemoryVMware virtual computers can be configured for disk persistence and memory from the vWorkspace Management Console. Disk persistence and memory is configurable for individual computers, as well as computer groups. There are three virtual disk modes available:

• Persistent

• Independent and Persistent

• Independent and Nonpersistent

If you are using the reprovision functionality, it is recommended that you install PNTools onto your VMware templates that are being used for reprovisioning.

259


To configure disk persistence and memory for an individual computer, do one of the following:

• Set the options on the Configuration window of the Computer Properties wizard. This window can be opened by selecting Properties for a computer, or when creating a new computer.

• Highlight the computer group in the navigation pane, and then click on the Summary tab in the information pane.

Select Actions | Reconfigure.

• Highlight the computer group in the navigation pane, and then click on the Computers tab in the information pane. Right-click on the computer and select Reconfigure from the context menu.

• Set the Logoff Action properties of the Computer Properties wizard for the computer, as appropriate. The Logoff Action property, if enabled, resets the computer when a user logs off. See Managed Computers for more information.

To configure disk persistence and memory for a computer group, do one of the following:

• Right-click on the computer group in the navigation pane, and then select Reconfigure Computers.

• Highlight Desktops, and then select the Groups tab.

Select Actions | Reconfigure Computers.

260

VMware Integration

• Highlight the computer group in the navigation pane and click on the Summary tab in the information pane.


• Set the Logoff Action properties for the computer group, as appropriate. The Logoff Action property, if enabled, resets the computers in the group when users log off. See Computer Groups for more information.

Upgrading/Changing Nonpersistent Disks

If you have set your VM disks to be nonpersistent disks, use the following process if you need to upgrade or make any other changes to them.

1. Change the disk configuration for the virtual computer to Independent and Persistent.

If the Independent check box is not selected, any changes you make are lost after the next logoff or reset of the virtual computer.

2. Apply the upgrade or make any other necessary changes.

3. Change the disk configuration for the virtual computer back to Independent and Nonpersistent.

Virtualization ServerIn order to integrate vWorkspace with VMware, you must first add a VMware server as a virtualization server.

Data Centers

Data centers are used to organize and manage, as a single entity, datastores, templates, and virtual computers that are hosted on VMware ESX servers. Multiple data centers can exist in a single Vmware VirtualCenter Infrastructure. In order to manage the desktops hosted in the VMware VirtualCenter environment, the data centers must be imported into the vWorkspace database.

261


How to ...

Add a VMware VirtualCenter as a Virtualization Server


2. Select the specific location and then select Management Servers from the Actions menu or by right-clicking.

3. If there is no virtualization server, the Virtualization Server wizard opens. If management servers have already been defined, click New.

4. Click Next on the Virtualization Server Welcome window.

5. Click Edit Virtualization Servers. The Virtualization Server wizard is presented.




System Type Select VMware VirtualCenter Server.

262

VMware Integration

8. Enter the appropriate information on the Server URL/Name and Credentials window, and then click Next.





DomainName\UserName

Click the ellipsis to the right of this field, and the Select User window is presented.





263



An error in the connection with a VMware VirtualCenter server is usually related to an incorrect VMware VirtualCenter connection configuration, or the absence of a keystore file on the computer in which you are running the Virtualization Server wizard.If an error occurs, check the VMware VirtualCenter connection configuration. If that is correct, check for a keystore file on this computer, at the following location:C:\Program Files\Quest Software\vWorkspace\VMware-Certs





264

VMware Integration












265


Computer GroupsComputer groups are containers of desktops that can be managed together. The following computer groups properties are associated with VMware VirtualCenter Server.

VMWARE MANAGED COMPUTER GROUP PROPERTY

DESCRIPTION



Datacenter Datacenter in which the computers in this group belong.

Administrative Account Name of the user account that is used when performing administrative tasks on the desktop computers within this group.

Enable/Disable Connection requests to computers in this group my be temporarily suspended, if enabled.

266

VMware Integration






• User

• Device Name

• Device Address


• Group





This policy is useful when provisioning desktop workspace to users that require elevated privileges.


This policy is for users that start published applications and not full desktops. If enabled, vWorkspace automatically logs off when the last published application is closed. This eliminates the potential issue of applications remaining in memory, thus never really terminating.



DESCRIPTION

267


VMware customizations, available from the Managed Computer Group wizard, enable administrators to specify items such as where new computers are stored and how they are named. The following customization settings can be specified for each managed computer group that belongs to a VMware type data center.


The option, Reprovision, can be used to reprovision computers when the user logs off. The computers are reprovisioned with their existing template.


Experience Optimization Specify if user experience optimizations are enabled or disabled for this computer group.

Enhanced Audio Specify if enhanced bidirectional audio is to enabled or disabled for this computer group.


Task Automation Schedule tasks to be completed at specified times.


VMWARE CUSTOMIZATION SETTING

DESCRIPTION

Template Indicates the name of the virtual computer template in the VirtualCenter inventory that is used when adding new managed computers to the group.

Folder Indicates the name of the folder in the VirtualCenter inventory where newly created managed desktop computers are located.


DESCRIPTION

268

VMware Integration

Datastore Distribution Method

Specifies how newly created managed virtual computers are distributed among the available datastores in VirtualCenter. The options are:

• Equal — The desktops are distributed equally across the selected datastores.

• Free Space — The desktops are distributed across the selected datastores proportion to the available free space on the datastores.

• Weighted — The desktops are distributed across the selected datastores based on the percentages specified.

• Manual — The desktops to be created are specified for each datastore.

Datastore(s) Indicates the names of the Resource Pools and Datastores and the allocation percentages of the VirtualCenter inventory selected for storage of newly created managed computers within this group.

Naming Conventions Base Name — Indicates the base name that is used when constructing the Windows computer name that is assigned to the newly created managed desktop computers added to the group.

Base Name Start Value — Indicates the starting numeric value that is added to the base name when constructing the Windows computer name that is assigned to the newly created managed desktop computers added to the group.

Base Name Increment — Indicates the numeric value by which subsequent Windows computer names are incremented when new managed desktop computers are added to the group.

Re-use Names — Indicates whether previously generated Windows computer names can be reused if the managed desktop computer has been deleted.

Configure Memory Specifies the memory configuration used with this computer group.

Configure Disk Specifies how the disk is configured for this computer group.

VMWARE CUSTOMIZATION SETTING

DESCRIPTION

269


How to ...

Add Computer Groups to a VMware Type


2. Open the Computer Group wizard from the, Desktops node one of the following ways:

• Expand the location to which the computer group is to be added, right-click on the Desktops node, and then select New Computer Group.

• Expand the location to which the computer group is to be added, and highlight the Desktops node. Select New Computer Group from the Actions menu on the toolbar in the navigation pane, from the New Computer Group icon in the toolbar of the navigation pane, or from the Actions menu on the Desktops information pane.

3. Click Next on the Welcome window of the Computer Group wizard.

4. Enter the name of the computer group in the Group Name field on the Group Name window, and then click Next.

5. Select VMWare VirtualCenter Server on the System Type window, and then click Next.

6. Select the datacenter from the Datacenter window that this computer group belongs, and then click Next.

If there are no datacenters listed, click Import and the Datacenter wizard is presented. Complete the wizard as follows:

a) Click Next on the Welcome window of the Datacenter wizard.

b) Select the datacenter from the list on the Virtualization Server window, and then click Next.

If there are no datacenters listed, click Edit Virtualization Servers, and the VirtualCenter Server wizard appears.

c) Click Next on the Welcome window of the VirtualCenter server wizard.

d) Enter a name for the server on the Name and System Type window, and then click Next.

270

VMware Integration

e) Enter the necessary information in the following format on the Server & Credentials window, and then click Next.

f) Enter the appropriate information on the Other Settings window, and then click Finish.

Server URL https://servername or IP Address/sdk

Name Enter the name of a user account that has the required access permissions to the target server specified in the Server URL field.


DomainName\UserName










271












272

VMware Integration

g) Highlight the newly added server, and then click Close on the Virtualization Servers window. You are returned to the Datacenter wizard, Virtualization Server window. Highlight the server, and then click Next.

h) Select the datacenter to import, and then click Finish to complete the Datacenter wizard.

7. Do the following on the Administrative Account window:

a) Specify an Account on the Desktop Administrative Account window. Use the ellipsis to browse for the user.

This account is used to perform administrative tasks. It must be a member of the local administrators group on the desktops.

b) Enter the Password and then click Next. The check mark to the right of the field is used to verify the entered credentials, if the computer is part of the domain.

8. On the Enable/Disable window, select Enabled or Disabled to specify if connection requests to computers in this group may be temporarily suspended, and then click Next.

9. On the Client Assignment window, select Persistent or Temporary to specify how free computers are assigned at logon.

If a client type is to be assigned to the computers in this group, select one of the following, and then click Next.

• User

• Device Name

• Device Address


• Group

Since users can be in more than one group or organization unit, administrators must manually assign individual computers to users if client assignment is based on Group or Organizational Unit.Assign computers manually by using the Client Assignment window for the specified computer. See Managed Computers for more information on this window.

273


10. On the Access Timetable window, click on the green grid to restrict access to the computers in this group. The Edit Timetable window appears.

a) Click on the days and times, and then click Grant Permission or Deny Permission, as appropriate.

b) Click OK.

c) Click Next on the Access Timetable window.

11. Select Power Users, Administrators, or None to automatically add the users to one of those groups on the User Privileges window, and then click Next.

12. On the Session Auto-Logoff window, enter processes that if found to be running after the user closes all published applications, results in an automatic user session log off, and then click Next.

13. Select the option to automatically suspend computers in this group that are inactive, on the Inactivity Timeout window, and then click Next.

14. On the Logoff Action window, select one of the following options:

a) Nothing — No actions are executed upon logoff.

b) Reset — Automatically reset computers when a user logs off.

If this option is enabled for computers with nonpersistent disks, the disks are reverted to their original state at user log off.

c) Reprovision — Reprovisions computers, using the computer’s existing template, at logoff.

15. Select the appropriate session protocol, either RDP or RGS for this computer group on the Session Protocol window, and then click Next.

16. Specify if experience optimizations are to Enable or Disabled on the Experience Optimization window, and then click Next. Bandwidth optimization appliances are disabled by default, but the EOP Xtream support with RDP pass-through mode is enabled by default.

17. Specify if enhanced bidirectional audio is to be Enabled or Disabled on the Enhanced Audio window, and then click Next.

18. To automatically expand the group based on a number of users, do the following on the Auto-Expand window:

a) Select Enable auto-expansion.

b) Enter a number of minimum computers to be available at all times.

c) Enter a number of maximum computers to be available to this group.

d) Click Next.

274

VMware Integration

19. On the Task Automation window, select New to start the Automated Task Wizard, or click Next to move to the next window without completing any automated tasks.

20. Click Next on the Welcome to the Automated Task Wizard.

21. Complete the Automated Task Wizard:

a) Enter a Name for this scheduled task, and then click Next.

b) Select the Task, and then click Next.

c) Select one of the parameters used to complete this task, and then click Next.

d) Specify the schedule for this task to be completed, and then click Finish.

22. Specify computer permissions for this group, as appropriate, and then click Next on the Permissions window.

23. On the Finish window, do one of the following:

a) Select the Create new computers from a master template to add new desktops to the group and enter the number of desktops to create. Complete the process using the Add Computers tool. See Add Computers.

b) Select Import existing computers from VMware VirtualCenter to add computers by importing existing virtual computers and complete the process using Import Existing Computers into a Group.

c) Select Do nothing. I will create or import computers later to create the desktops at a later time.

24. Click Finish.

Once managed computer groups are established, their properties can be viewed and modified from the vWorkspace Management Console by right-clicking on the managed computer group, and selecting Properties.

Add ComputersFor VMware type computer groups, there are three different clone methods that can be used:

• Standard — Using this method, each virtual computer becomes a complete, independent copy of the original template.

275


• Rapid Provisioning NetApp FlexClone — Using this method, you can clone a VMware virtual computer quickly, and can assist in saving storage space by using the NetApp FlexClone technology on a storage server.

• Rapid Provisioning VMware Linked Clone — Using this method, you can create a clone from a snapshot of a parent. Changes to the disks of either the linked clone or the parent do not affect each other.

How to ...

• Add Computers using the Standard Clone Method

• Add Computer using the NetApp FlexClone Method

• Add Computers using the VMware Linked Clone Method

276

VMware Integration

Add Computers using the Standard Clone Method

1. Start the Add Computers tool by doing one of the following:

a) Select the Create new desktops from a master template on the Finish window of the Computer Group wizard.

– OR –

b) Select the computer group from the vWorkspace Management Console and do one of the following:

• Right-click on the managed computer group and select Add Computers.

• Select the Add Computers icon from the navigation pane toolbar.

• Select Add Computers from the Actions menu on the navigation pane.

• Select Add Computers from the Actions menu on the information pane of the datacenter.

2. Click Next on the Welcome window of the Add Computers Wizard.

3. Type a number into the Enter the number of computers to create field on the Number of Computers to Create window, and then click Next.

4. Select the clone method, Standard, on the Clone Method window, and then click Next.

5. Select a template from the list on the Template window, and click Next. If there are no templates listed or to update the list, click Import.

6. Select a folder in which the new computers are placed on the Folder window, and click Next. If the list is empty or to update the list, click Import.

7. Select one or more resource pools and datastores on the Resource Pools/Datastores window. This is where the virtual computer disk files are to be stored. If the list is empty or to update the list, click Import.

a) To change the distribution method, click the Distribution button on the toolbar above the list of datastores. Complete the information on the Datastore Distribution Method window as appropriate.

b) Click Next.

277


8. Select the method for assigning a computer name to the new desktop computers in Source on the Naming Conventions window.

If Specify the base name is selected, do the following:

a) Type the text string in the Base Name field.

b) Select a value from the Start numeric value at and increment by fields.

c) Select Re-use the names of deleted desktops, if appropriate.

If Specify a text file containing names is selected, do the following:

a) Type the path and file name of the text file containing the list of computer names in the Names File field.

b) Enter a text string that is prepended to the beginning of computer names in the Prefix field, if appropriate.

c) Enter a text string that is appended to the end of computer names in the Suffix field, if appropriate.

9. Click Next.

10. On the Sysprep Customizations window, do one of the following, and then click Next:

a) To use Microsoft System Preparation tools, select Specify sysprep customizations. The computers in this group will be powered on after they are created.

b) Select a sysprep from the list, or click New to create a new sysprep. See Create Sysprep Customizations— Windows XP/2003 or Create Sysprep Customizations— Vista/Win7/Server2008 for more information.

c) To not use Microsoft System Preparation tools, select Do not specify sysprep customizations. The desktops in this group will not be powered on after they are created.

11. Select the check box to reconfigure the computer’s memory and disk persistence after the cloning on the Configure Computers window, if appropriate, then do the following:

a) Select Reconfigure Memory, and move the slider or enter a number to adjust for the memory value.

b) Select Wait for users to log off before reconfiguring the computer, if appropriate.

278

VMware Integration

c) Select the Virtual Disks tab, and select Reconfigure Virtual Disks, and select First disk only or All disks. Select the Disk Mode, and set it to one of the following:

• Persistent



12. Select either Start Immediately or Schedule for (and enter a date and time) on the Options window, and then click Next.

13. Review and confirm the information on the Finish window, and do one of the following:




Red text is displayed as a reminder to administrators to not create more virtual computers than their infrastructure is designed to support.

Add Computer using the NetApp FlexClone Method



– OR –








279


4. Select the clone method, Rapid Provisioning NetApp FlexClone, on the Clone Method window, and then click Next.


If your network storage servers have been setup, the templates from your network storage servers are displayed. If you are creating more than 15 VMware NetApp clones, a warning dialog window is displayed as a reminder to administrators to not create more virtual computers than their infrastructure is designed to support.




b) Click Next.






Before importing templates when using the Rapid Provisioning option, the templates must be on the NetApp storage server and the template’s virtual disks need to be in the same directory.

280

VMware Integration





9. Click Next.











281


Add Computers using the VMware Linked Clone Method



– OR –








4. Select the clone method, Rapid Provisioning VMware Linked Clone, on the Clone Method window, and then click Next.

282

VMware Integration

5. Click Import, on the Parent Virtual Machine window, to import the parent virtual machines. The Import/Refresh Parent Virtual Machines wizard opens.

283


6. Specify the tasks that are to be performed on the Options window of Import/Refresh Parent Virtual Machines, and then click Next.

• Import parent virtual machines.

• Remove orphaned parent virtual machines.

7. On the Inventory window, select one or more virtual computers that are to be imported or updated, and then click Finish.

8. Highlight the parent virtual machine that you just imported, and then click Next.

284

VMware Integration

9. Select the appropriate snapshot on the Snapshot window, and then click Next.



The only datatstores that can be used and are displayed in the list are the datastores of the parent virtual machine.


b) Click Next.

285











13. Click Next.





15. Select the check box to reconfigure the computer’s memory and disk persistence after the cloning on the Configure Computers window, if appropriate, then do the following:

a) Select Reconfigure Memory, and move the slider or enter a number to adjust for the memory value.

b) Select Wait for users to log off before reconfiguring the computer, if appropriate.

286

VMware Integration

c) Select the Virtual Disks tab, and select Reconfigure Virtual Disks, and select First disk only or All disks. Select the Disk Mode, and set it to one of the following:

• Persistent









Import Existing Computers into a Group

You can import existing computers from VirtualCenter to an existing computer group. You would do this when physical PCs have already been converted into virtual computers and are ready to be redeployed from the virtual infrastructure to their original owners.

287


Several controls are available to assist with importing and resynchronizing (Import/Re-sync Computers tool) desktop computers.

The items on the window are described below:

OPTION DESCRIPTION

Options

Import computers into group [managed_desktop_group_ name]

If selected, virtual computers that have previously been imported into other managed computer groups in the vWorkspace data center are prevented from being imported into the current managed desktop group.

Remove orphaned desktops If selected, managed desktop computers are removed from the selected managed desktop group if they no longer exist in the VMware VirtualCenter inventory.

Inventory

Folders\Computers This displays a list of folders and virtual computers available in the VMware VirtualCenter data center inventory.

Expand the nodes to view the computers.

288

VMware Integration

How to ...



2. Select the group to which the import is to be added, and do one of the following:

• Right-click on the computer group and select Import/Re-sync computers.

• Click the Import/Re-sync computers icon from the toolbar in the navigation pane.

• Select Actions | Import/Re-sync computers from the menu on the navigation pane.

• Select Import/Re-sync computers from the Actions menu on the computer group’s information pane.

• Select Import existing desktops from VMware from the Finish window of the Computer Group wizard, and then click Finish, if you are completing the Computer Group wizard.

3. Complete the Import/Re-sync Desktops Options as appropriate, and then click Next.

4. Select the appropriate View option (New or Existing) on the Inventory window.

View:New If selected, displays a list of virtual computers that have not yet been imported into the managed desktop group.

View:Existing If selected, displays a list of virtual computers that have previously been imported into the managed desktop group.

Finish If selected, the chosen virtual computers are imported into the current managed desktop group as managed desktop computers.

The Initialize Computer task is automatically started for each desktop computer successfully imported.

Cancel If selected, the Import/Re-sync selections are discarded, and the window is closed.

OPTION DESCRIPTION

289


5. Select the computers that are to be imported on the Inventory window.

6. Click Finish to start the import.

Monitor the Process

You can monitor the clone operation process by using the middle and bottom panes of the vWorkspace Management Console. The middle pane on the vWorkspace Management Console displays the overall progress. You can use Refresh to update the view. The bottom pane on the vWorkspace Management Console uses the Tasks tab to display the status of the tasks to complete the process, and a Log tab to display more detailed status information.

To cancel a task, select it from the list of tasks and choose Cancel from the Actions menu, or right-click on the task and select Cancel.

Power ManagementManaged computers that are members of VMware enabled data centers are considered to be power managed computers. This means that the power state can be changed, either automatically by the Connection Broker or manually by an administrator using the vWorkspace Management Console.

vWorkspace Connection Brokers periodically query their configured VMware VirtualCenter servers for the current power state of managed computers running as virtual computers, using calls and functions provided by the VMware SDK.

vWorkspace Connection Brokers can also submit commands to change the power state of a given virtual computer. For example, when a user attempts to connect to a managed computer running as a virtual computer and that virtual computer is powered off, the Connection Broker automatically sends a command to VirtualCenter to power on the computer. Once the virtual computer is powered on and the operating system has loaded, the user is then connected to the desktop and log on.

PNTools is a required component for managed computers in the vWorkspace infrastructure. If you did not install PNTools as part of the template for the new desktops, it needs to be installed.

290

VMware Integration

The power states of VMware based virtual computers that can be manipulated with the vWorkspace Management Console are:

• Power On — Powers the virtual computer on in the same way as using the power switch on a physical computer.

• Power Off — Powers the virtual computer off in the same way as using the power switch on a physical computer.

• Reset — Powers the virtual computer off and then on again in the same way as using the reset switch on a physical computer.

• Resume — Reawakens a virtual computer that has been in a suspended state.

• Suspend — Suspend saves the system state and working set of the virtual computer to disk before powering off. When resumed, the computer is returned to the state it was in before being suspended. This option is faster since the operating system does not have to go through the complete load and initialization process.

• Shut Down OS — Gracefully shuts down the guest operating system in the same way as using the Shut Down function in Windows.

• Restart OS — Same as the Restart option in Windows.

• Log Off User — Logs the user off in a graceful manner. The user is prompted to save any unsaved data.

• Reset Session — Closes all programs that are running and deletes the session from the server that is running Terminal Services. This can be used if a session is not functioning correctly, or if the session has stopped responding.

291


292

13

Microsoft Remote Desktop Services Integration

• Overview

• About the RD Connection Broker

• RemoteApp Support

• Installation

• Add an RD Connection Broker to vWorkspace

• AppPortal


OverviewThis chapter describes features offered by vWorkspace integration with Microsoft Remote Desktop Services using Microsoft Windows Server 2008 R2.

Microsoft Remote Desktop Services (RDS), formerly Terminal Services, enables users to be presented with an entire desktop environment or individual applications that are running from a datacenter, but appear to the user as a local application.

The integration between vWorkspace and Microsoft Remote Desktop Services enables the following features:

• Support for publishing applications and desktops using Microsoft RemoteApp Start menu integration in Microsoft Windows 7 and Microsoft RD Web Access.

• Support for publishing individual applications using Microsoft’s built-in RemoteApp technology for seamless windows for Microsoft Hyper-V virtual desktops and RD Session Hosts/Terminal Servers.

• Support for Remote Desktop Gateway for secure Internet access.

• Support for the addition of Microsoft Remote Desktop Connection Brokers to the vWorkspace Management Console.

• Support in AppPortal for connectivity to Microsoft Remote Desktop Connection Broker and Remote Desktop Gateway.

About the RD Connection Broker There are some differences in functionality between the Microsoft RD Connection Broker and the vWorkspace Connection Broker. The following is a list of limitations when using the Microsoft RD Connection Broker with vWorkspace instead of the vWorkspace Connection Broker.

• Filtering of which applications and desktops are published based on client name/IP can only be done through vWorkspace Connection Broker.

• Folders for published applications and desktop are not visible in RD Web Access and the Start Menu. AppPortal will show folders when connected to RD Connection Broker.

• Connections through RD Web Access and the Start Menu always use the RDP client, not the EOP client, so the EOP features cannot be used. However, you can use Quest AppPortal on Windows to connect to the RD Connection Broker, but not Quest Web Access.

294


• Mac, Linux, or Java connectors (clients) cannot be launched from RD Web Access.

• Mac and Linux AppPortals do not yet support RD Connection Broker.

• Auto-logoff does not work using RemoteApp through RD Web Access or RemoteApp in Start menu (with the RDP client):

• Auto-logoff (PNStart) does not work for individual applications published from virtual desktops, which is the same behavior as you get using RemoteApp, without vWorkspace. The workaround is to use GPO to force a logoff after a period of time disconnected. This only affects individual applications from virtual desktops, whole desktops are fine.

• Auto-logoff (PNStart) does not work for applications launched from RD Session Host/Terminal Server through RemoteApp. The workaround is to use GPO to force a logoff after a period of time disconnected.

RemoteApp Support RemoteApp support for Hyper-V virtual desktops and RD Session Host/Terminal Server enables the publishing of individual applications using Microsoft's RemoteApp technology on access devices.

When using RemoteApp with Microsoft XP or Microsoft Vista, you need to install one of the following hotfixes from Microsoft.

Update package for Microsoft Windows XP SP3:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2f376f53-83cf-4e5b-9515-2cb70662a81b&displaylang=en

Update package for Microsoft Vista SP1 or later:

http://www.microsoft.com/downloads/details.aspx?familyid=097B7478-3150-4D0D-A85A-6451F32C459C&displaylang=en

InstallationThe vWorkspace RD Broker Support software needs to be installed on your Microsoft Windows Server 2008 R2 server. The software detects if the appropriate roles have been installed, and if not, installs the appropriate roles. There are two RD Broker Support files, an EXE and MSI file.

295






You do not need to install any of the role services onto this server, as the Quest vWorkspace Extensions for the RD Connection Broker installs all of the necessary roles of Remote Desktop Session Host in VM redirector mode, Remote Desktop Connection Broker, and the Remote Desktop Web.

Instructions on Remote Desktop Services in Windows Server 2008 R2, specifically the sections detailing Deploying Virtual Desktop Pools by using Remote Desktop Web Access Step-by-Step Guide and Deploying Virtual Desktop Pools by Using RemoteApp and Desktop Connection Step-by-Step Guide can be found at the following:

http://technet.microsoft.com/en-us/library/dd647502(WS.10).aspx

Install RD Broker Support

The following details two installation scenarios; the first one an installation where there are no role services installed, and the second one an installation where the RD Connection Broker, RD Session Host in VM Redirector mode, and an associated RD Web Server role services are configured.

• vWorkspace Extensions Without Role Services Installed

• vWorkspace Extensions with Role Services Installed

vWorkspace Extensions Without Role Services Installed

The following steps detail an installation on a Microsoft Windows Server 2008 R2 computer that does not have any of the role services installed.

1. Download the EXE or MSI file from the MS_CONNECTIONBROKER folder from vWorkspace (64-Bit Edition).

If you choose to install the Remote Desktop Session Host (in VM Redirector mode), Remote Desktop Connection Broker, and the Remote Desktop Web Access on separate Microsoft Windows Server 2008 R2 servers, you must refer to Microsoft documentation best practices on how to install and configure these components.

Prior to installing the Quest vWorkspace Extensions for the RD Connection Broker on the Remote Desktop Connection Broker, we require that the Remote Desktop Services environment be fully functional and that virtual desktops can be successfully launched from Remote Desktop Web Access.

296

http://technet.microsoft.com/en-us/library/dd647502(WS.10).aspx


2. Double-click on the file.

3. Click Yes on the allow the program to make changes to the computer window.

4. Click Next on the vWorkspace Extensions for the RD Connection Broker Welcome window.

297


5. Click Accept on the License Agreement window, and then click Next.

6. Select Yes on the Configure Computer For Desktop Brokering window, and then click Next.

By choosing Yes, the listed roles are installed onto the computer.

7. The installation may take a few minutes to complete.

8. Click Finish on the InstallShield Wizard Completed window.

You must restart the computer. Click Yes to restart it now, or No to restart it later.

298


vWorkspace Extensions with Role Services Installed

The following steps detail an installation on a Microsoft Windows Server 2008 R2 computer installed as an RD Connection Broker configured to use an RD Session Host in VM Redirector mode, and an associated RD Web Server configured to use the RD Connection Broker.

1. Download the EXE or MSI file from the MS_CONNECTIONBROKER folder from vWorkspace (64-Bit Edition).

2. Double-click on the file.

3. Click Yes on the allow the program to make changes to the computer window.

4. Click Next on the vWorkspace Extensions for the RD Connection Broker Welcome window.

299


5. Click Accept on the License Agreement window, and then click Next.

6. The installer inspects your system configuration, and then installs the vWorkspace Extensions for the RD Connection Broker.

7. Click Finish on the InstallShield Wizard Completed window.

You must restart the computer. Click Yes to restart it now, or No to restart it later.

300


Add an RD Connection Broker to vWorkspaceUse the following steps to add a Microsoft RD Connection Broker to the vWorkspace Management Console.

1. Open the vWorkspace Management Console, and expand the Locations node.

2. Expand the required location.

3. Right-click on Connection Brokers and select New Connection Broker.

4. Click Next on the Welcome window of the Server wizard.

5. Enter the server name (NetBIOS), and then click Next. Use the ellipsis to browse for the server.


301


6. Select Microsoft Remote Desktop Connection Broker (RD Broker), and click Next.

302


7. Enter the credentials, on the Administrative Account window, for a user account that has administrative privileges, and then click Next.

This step is mandatory. Use the ellipsis, if necessary, to find the appropriate user account.

The check mark by the Password field can be used to verify the user name and password entered.

8. Click Next on the Logging window without selecting any options.


9. Click Finish on the Permissions window.

AppPortalYou can use the vWorkspace AppPortal to specify Microsoft RD Connection Broker properties. Use the following steps to create a new RD Connection Broker Farm Connection.

Create a New RD Connection Broker Farm Connection

1. Start AppPortal from the desktop or select Start | Programs | Quest Software| vWorkspace | vWorkspace Client| AppPortal.

303


2. Select Actions | Manage Connections. The Farm Connections wizard opens.

3. Click Create a new farm, and then click Next.

4. Select Allow me to manually specify all configuration parameters on the Configuration Source window, and then click Next.

5. Select Microsoft Remote Desktop Connection Broker as the Farm Type, and then click Next.

6. Enter the location and server information on the Connectivity window, and then click Next.

7. Select the appropriate connection settings on the RD Gateway window, and then click Next.

RD GATEWAY SETTINGS FIELD

DESCRIPTION

CONNECTION SETTINGS

These settings are used to specify secure network communications.

304


8. Specify the credentials for connection to this farm, and then click Next.

9. Select the appropriate options on the Display window, and then click Next.

10. Specify remote audio, keyboard, and local devices on the Local Resources window, and then click Next.

11. Specify use experience options, and then click Next.

Automatically detect RD Gateway server settings

Select if you want the RD Gateway server settings automatically detected.

Use these RD Gateway server settings

Select if you want to use the entered Server name and Logon method as the RD Gateway server settings.

Do not use an RD Gateway server

Select if you do not want to use an RD Gateway server.


DESCRIPTION

305


12. Enter password management server information, as appropriate, and then click Next.

13. Select any desktop integrated mode options, as appropriate, and then click Next.

14. Specify any applications that are to be automatically launched, and then click Finish.

306

14

Microsoft SCVMM Integration

• Overview

• Connect to Microsoft SCVMM

• Microsoft Differencing Disks

• Reprovision Computers

• Virtualization Server

• Host Groups

• Computer Groups

• Video Adapter and Static/Dynamic Memory



OverviewvWorkspace is integrated with Microsoft System Center Virtual Machine Manager (SCVMM) to provide management functionality to Hyper-V virtual computers. The following Microsoft SCVMM integrated features are available in vWorkspace:

• Import Host Groups from SCVMM.


• Use SCVMM Intelligent Placement to automate desktop and server provisioning by the use of templates.

• Guest Windows OS customization.

• Distribute managed desktops across multiple storage locations.

• Import existing computers from SCVMM to an existing computer group.

• Managed computers that are members of SCVMM enabled Host Groups are considered to be power managed computers. This means that the power state can be changed, either automatically by the Connection Broker or manually by an administrator using the vWorkspace Management Console.

Connect to Microsoft SCVMMThe vWorkspace Connection Broker needs to communicate with Microsoft SCVMM before computers running as virtual computers can be managed using vWorkspace. The following conditions must be met before this communication occurs.

• Microsoft SCVMM Integration component needs to be installed on the Quest vWorkspace Connection Brokers.

• Communication parameters for each Microsoft SCVMM server must be added to the vWorkspace database. See Add Virtualization Server Connections for instructions.

• The Quest vWorkspace Broker Helper Service needs to be installed on the Microsoft SCVMM server.

308


Microsoft Differencing DisksThe Add Computers wizard can be used to create, add, and manage Microsoft differencing disks computers through the vWorkspace Management Console.

Microsoft differencing disks are virtual hard disks that can be used to isolate changes to a virtual hard disk or guest operating systems by storing them in a separate file. The virtual hard disk is referred to as the parent disk, and the differencing disk is the child disk.

You are also able to reprovision the clone, which enables administrators to change a virtual computer to a clone of a new snapshot after the parent has been updated or patched.

Reprovision ComputersThe vWorkspace Management Console, Reprovision Computers option, allows for SCVMM clones to be reprovisioned based on administrator settings. The Reprovision Computers option is available one of the following ways:

• Right-clicking on the SCVMM desktop group.

• Selecting computers from the information pane and then selecting Reprovision Computers from the Action menu options.

• Selecting computers from the information pane and then selecting Reprovision Computers from the context menu options of the selected computer.

• Selecting the SCVMM desktop group, selecting Properties from the context menu options, selecting Task Automation from the Computer Group Properties window, then selecting the New... button on the Task Automation window. In the Automated Task Wizard, name the new task, then select Reprovision from the Task list. Set the task parameters in the Task Parameters window, then set the schedule and finish. Apply the task in the Automated Task Wizard. For more information, see Schedule Tasks using the Automated Task Wizard in the vWorkspace Desktops chapter.

Once the Reprovision Computers option is selected, the Reprovision Computer window opens. The options on this window allow you to set the action that is to be performed by clone type. You can also select for the reprovisioning to be completed once users have logged off.

309


The Clone Types, which represent the types of clones for the virtual computers for the selected desktop group, are:

• Standard Clones

• Differencing Disks Clones

The Reprovisioning Using options are:

• Existing Parent VHD — This option reprovisions the computer using the stated virtual hard disk.

• New Parent VHD — This option reprovisions the computer using a different virtual hard disk than the one used to create the clone.

• Do Not Reprovision — This option does not reprovision the computer.

Virtualization ServerIn order to integrate vWorkspace with Microsoft SCVMM, you must first add the Microsoft SCVMM server as a virtualization server.

In order to configure a Microsoft SCVMM server, the administrator must possess VMM Administrator credentials.

310


Host GroupsHost groups are used to organize and manage, as a single entity, hosts, templates, and virtual computers that are hosted on Microsoft SCVMM. Multiple host groups can exist in a single Microsoft SCVMM infrastructure. In order to manage the desktops hosted in a Microsoft SCVMM environment, the host groups must be imported into the vWorkspace database.

How to ...

Add Microsoft SCVMM as a Virtualization Server



• Select the Locations node and then select the Management Servers icon from the toolbar.

• Right-click on the Locations node and select Management Servers.

• Right-click on a specified location and select Management Servers.

• Select the Locations node and then select Actions | Management Servers.

3. If there is no virtualization server, the Virtualization Server wizard opens. If management servers have already been defined, click New.

4. Click Next on the Virtualization Server wizard Welcome window.

5. Click Edit Virtualization Servers. The Virtualization Server wizard is presented.

If Virtualization Servers have already been added, the Global Virtualization Servers window is presented. Click New


311


312



System Type Select Microsoft SCVMM.



SCVMM Name or IP address

Enter the server name of IP address to connect to the server.



DomainName\UserName

Click the ellipsis to the right of this field, and the Select User window is presented.

313









314













315


Computer GroupsComputer groups are containers of desktops that can be managed together. The following computer groups properties are associated with Microsoft SCVMM.

MICROSOFT SCVMM MANAGED COMPUTER GROUP PROPERTY

DESCRIPTION


Computer Role The role of the computers in this group; the type of computers that will be managed.

• Desktops

• Servers



316







• User

• Device Name

• Device Address


• Group




Load Balancing Specify a load balancing rule for the group, if appropriate. Load Balancing Rules that are created using the vWorkspace Management Console, Load Balancing node are presented as load balancing options.

The default load balancing rule used is called Default, which uses the counter Number of Users. If you do not want a load balancing rule assigned, you must select <Not Specified>.

See Load Balancing and Performance Optimization for more information on creating load balancing rules.


DESCRIPTION

317


How to ...

Add Computer Groups to a Microsoft SCVMM Type


2. Expand the location to which the computer group is to be added, and highlight the Desktops node.















DESCRIPTION

318


3. Do one of the following ways:

• Right-click on the Desktops node, and then select New Computer Group.

• Select Actions | New Computer Group from the main menu.

• Select the New Computer Group icon in the toolbar of the navigation pane.

• Select Actions | New Computer Group on the information pane.



6. Select Microsoft SCVMM on the System Type window, and then click Next.


a) Specify an Account on the Desktop Administrative Account window.


b) Enter the Password. The check mark to the right of this field is used to verify the entered credentials, if the computer is part of the domain.

c) Click Next.


319




• User

• Device Name

• Device Address


• Group

10. On the Access Timetable window, click on the green grid to restrict access to the computers in this group. The Edit Timetable window opens.


b) Click OK.


11. On the Load Balancing window, specify data as appropriate, and then click Next.




15. On the Logoff Action window, select one of the following options:

a) Nothing — No actions are executed upon logoff.

b) Reset — Automatically reset computers when a user logs off.

c) Reprovision — Reprovisions computers, using the computer’s existing template, at logoff.


320



17. Specify if experience optimizations are to Enable or Disabled on the Experience Optimization window, and then click Next. Bandwidth optimization appliances are disabled by default, but the WAN Acceleration (EOP Xtream) support with RDP pass-through mode is enabled by default.






d) Click Next.


21. Click Next on the Welcome window of the Automated Task Wizard.







321



a) Select the Create new computers from a master template to add new desktops to the group and enter the number of desktops to create. Complete the process using the Add Computers tool. See Add Computers using Standard Clone Method.

b) Select Import existing computers from the SCVMM Configuration Manager to add computers by importing existing virtual computers and complete the process using Import Existing Computers into a Group.


25. Click Finish.

Once managed computer groups are established, their properties and policies can be viewed and modified from the vWorkspace Management Console simply by right-clicking on the managed computer group, and selecting Properties.

Add Computers

For SCVMM type computer groups, there are two different clone methods that can be used:

• Standard — Using this method, each virtual computer becomes a complete, independent copy of the original template.

• Rapid Provisioning — Using this method, you use differencing disks to create virtual computers using minimal overhead and storage space.

322


How to ...

• Add Computers using Standard Clone Method

• Add Computers using Rapid Provisioning Clone Method

Add Computers using Standard Clone Method



– OR –




323






4. Select Standard as the clone method that is to be used when adding computers to this group on the Clone Method window, and then click Next.

324


5. Select a Microsoft SCVMM server and then the host group or cluster, as appropriate on the Host Groups & Clusters window. Click Next.

6. Select a template from the list on the Template window, and then click Next. If there are no templates listed or to update the list, click Import.










325


8. Click Next.


a) To use Sysprep tools, select Specify sysprep customizations. The computers in this group will be powered on after they are created.

b) Select a sysprep from the list, or click New to create a new sysprep. See Sysprep Customizations for more information.


10. On the Configure Computers window, click the Video Adapter tab, and do one of the following:

a) To use the template, select Use template settings.

b) To use the standard adapter, select Standard video adapter.

c) To use the Microsoft RemoteFX 3D video adapter, select Microsoft RemoteFX 3D video adapter. Select a value for maximum number of monitors from the Maximum number of monitors field and select a value for Maximum monitor resolution from the Maximum monitor resolution field.

11. On the Configure Computers window, click the Memory tab, and do one of the following:


b) To use static memory, select Static memory. Select a value for virtual machine memory from the Virtual machine memory field.

c) To use Dynamic memory, select Dynamic memory. Select a value for startup memory from the Startup memory field, select a value for maximum memory from the Maximum memory field, and select a value for memory buffer percentage from the Memory buffer (%) field.

12. On the Configure Computers window, click the Memory Priority tab, do one of the following, and then click Next:


b) To allocate dynamic memory resources, select one of the High, Medium, Low, or Custom buttons. If Custom is selected, select a value for memory priority in the Custom field.


326







Add Computers using Rapid Provisioning Clone Method



– OR –








4. Select Rapid Provisioning as the clone method that is to be used when adding computers to this group on the Clone Method window, and then click Next.

5. On the Add Computers Parent Virtual Hard Disk window, click New to create a new parent virtual hard disk.

6. The Parent Virtual Hard Disk Wizard displays. Click Next on the Welcome window.

a) Select the SCVMM server where the template that is to be used to create the parent virtual hard disk resides. Click Next.

327


b) Select the template that is to be used for the parent virtual hard disk. You may need to click Import.

c) Click Next.

d) Select the host group or cluster that is to be used for the parent virtual hard disk, and then click Next.

e) Select the volume on to which the parent virtual hard disk file is to be stored. Click Next.

f) Enter a description for the parent virtual hard disk. This is an optional step.

g) Click Finish. You are returned to the Add Computers wizard.

7. Select the volume or volumes on to which the computers should be created. You may need to click Import to refresh the list. Click Next.






328






9. Click Next.


a) To use Sysprep tools, select Specify sysprep customizations. The computers in this group will be powered on after they are created.

b) Select a sysprep from the list, or click New to create a new sysprep. See Sysprep Customizations for more information.


11. On the Configure Computers window, click the Video Adapter tab, and do one of the following:


b) To use the standard adapter, select Standard video adapter.

c) To use the Microsoft RemoteFX 3D video adapter, select Microsoft RemoteFX 3D video adapter. Select a value for maximum number of monitors from the Maximum number of monitors field and select a value for Maximum monitor resolution from the Maximum monitor resolution field.

12. On the Configure Computers window, click the Memory tab, and do one of the following:


b) To use static memory, select Static memory. Select a value for virtual machine memory from the Virtual machine memory field.

c) To use Dynamic memory, select Dynamic memory. Select a value for startup memory from the Startup memory field, select a value for maximum memory from the Maximum memory field, and select a value for memory buffer percentage from the Memory buffer (%) field.

329


13. On the Configure Computers window, click the Memory Priority tab, do one of the following, and then click Next:


b) To allocate dynamic memory resources, select one of the High, Medium, Low, or Custom buttons. If Custom is selected, select a value for memory priority in the Custom field.








You can import existing computers from Microsoft SCVMM to an existing computer group. You would do this when physical PCs have already been converted into virtual computers and are ready to be redeployed from the virtual infrastructure to their original owners.

Several options are available to assist with importing and resynchronizing (Import/Re-sync Desktops tool) desktop computers.

330



CONTROL DESCRIPTION

Options

Import/update the desktops selected below into group [managed_desktop_group_name]


Inventory



331


How to ...



2. Select the computer group to which the computers are to be added, and do one of the following:





3. Complete the Import/Re-sync Desktops control options as appropriate.

4. Select the appropriate View option (New or Existing) on the Microsoft SCVMM Inventory window.

5. Select the computers that are to be imported.


Monitor the Process

You can monitor the clone operation process by using the middle and bottom panes of the vWorkspace Management Console. The middle pane on the vWorkspace Management Console displays the overall progress. You can use Refresh to update the view. The bottom pane on the vWorkspace Management Console uses the Tasks tab to display the status of the tasks to complete the process, and a Log tab to display more detailed status information.




CONTROL DESCRIPTION

332


To cancel a task, select it from the list of tasks and choose Cancel from the Actions menu, or right-click on the task and select Cancel.

Video Adapter and Static/Dynamic MemorySCVMM virtual computers can be reconfigured for RemoteFX or regular RDP (via video adapter) and static or dynamic memory settings from the vWorkspace Management Console.

To reconfigure the video adapter and static/dynamic memory for an individual computer, do one of the following:

• Set the options on the Configuration window of the Computer Properties wizard. This window can be opened by selecting Properties for a computer, or when creating a new computer.

• Highlight the computer group in the navigation pane, and then click on the Summary tab in the information pane.

Select Actions | Reconfigure.

• Highlight the computer group in the navigation pane, and then click on the Computers tab in the information pane. Right-click on the computer and select Reconfigure from the context menu.

• Set the Logoff Action properties of the Computer Properties wizard for the computer, as appropriate. The Logoff Action property, if enabled, resets the computer when a user logs off. See Managed Computers for more information.

To reconfigure the video adapter and static/dynamic memory for a computer group, do one of the following:

• Right-click on the computer group in the navigation pane, and then select Reconfigure Computers.

• Highlight Desktops, and then select the Groups tab.


PNTools is a required component for managed computers in the vWorkspace infrastructure. If you did not install PNTools as part of the template for the new desktops, it needs to be installed.

333


• Highlight the computer group in the navigation pane and click on the Summary tab in the information pane.


• Set the Logoff Action properties for the computer group, as appropriate. The Logoff Action property, if enabled, resets the computers in the group when users log off. See Computer Groups for more information.

How to...

Reconfigure SCVMM Computers

1. On the Video Adapter tab, enable the Reconfigure Video Adapter checkbox. and select the Standard video adapter or the Microsoft RemoteFX 3D video adapter radio button. If selecting the latter, select the maximum number of monitors and maximum monitor resolution values.

2. On the Memory tab, enable the Reconfigure memory checkbox and check either the Static memory or Dynamic memory radio button. For static memory, select the virtual machine memory value and for Dynamic memory, select the Startup memory, Maximum memory, and Memory buffer (%) values.

334


3. On the Memory Priority tab, enable the Reconfigure memory priority checkbox and select either the High, Normal, Low, or Custom memory priority radio button. For Custom, select the custom memory priority value.

4. Enable the Wait for users to log off before reconfiguring the computer checkbox and click OK.

335


Power ManagementManaged computers that are members of Microsoft SCVMM enabled host groups are considered to be power managed computers. This means that the power state can be changed, either automatically by the Connection Broker or manually by an administrator using the vWorkspace Management Console.

vWorkspace Connection Brokers periodically query their configured Microsoft SCVMM servers for the current power state of managed computers running as virtual computers, using calls and functions.

vWorkspace Connection Brokers can also submit commands to change the power state of a given virtual computer. For example, when a user attempts to connect to a managed computer running as a virtual computer and that virtual computer is powered off, the Connection Broker automatically sends a command to the SCVMM server to power on the computer. Once the virtual computer is powered on and the operating system has loaded, the user is then connected to the desktop and log on.

The power states of Microsoft SCVMM based virtual computers that can be manipulated with the vWorkspace Management Console are:









336



337


338

15

Microsoft Hyper-V Integration

• Overview

• Hyper-V Broker Helper Service

• Hosts

• Computer Groups



OverviewVirtual computers running on Microsoft Hyper-V servers are supported in vWorkspace. Virtual computers can be added from Hyper-V servers, and their power states controlled directly from the vWorkspace Management Console.

Hyper-V Broker Helper ServiceTo enable this support, the Hyper-V Broker Helper Service must be installed on each Hyper-V server. The Connection Broker delegates to the Broker Helper Service the responsibility of executing various administrative tasks to the Hyper-V server on which it is running. Such tasks include the enumeration and power management of virtual computers.

In order for the Connection Broker to communicate with the Broker Helper Service, the Microsoft .NET Framework must be installed on both computers. Refer to the vWorkspace System Requirements Guide for information on the version required for Microsoft .NET Framework.

HostsHosts are used to organize and manage, as a single entity, datastores, templates, and virtual computers that are hosted on Microsoft Hyper-V servers. Multiple hosts can exist in a single infrastructure. In order to manage the desktops hosted in the Microsoft Hyper-V environment, the hosts must be added into the vWorkspace database.

Add a Host using the Hyper-V Host Wizard


2. Select the specific location node and then select Properties. Select Independent Microsoft Hyper-V Host from the Add Entities list on the Virtualization Entities window.

3. On the Welcome window of the Hyper-V Host wizard, click Next.

340




System Type Select Microsoft Hyper-V.

341





Note: The default port for Microsoft Hyper-V is 9000.


For a Windows domain account, you must use:

DomainName\UserName

342















343


Computer GroupsComputer groups are containers of desktops that can be managed together. The following computer groups properties are associated with Microsoft Hyper-V.







HYPER-V MANAGED DESKTOP GROUP PROPERTY

DESCRIPTION





344







• User

• Device Name

• Device Address


• Group





The options are:

• Power Users

• Administrators

• None




DESCRIPTION

345


How to ...

Add Computer Groups to a Microsoft Hyper-V Type


2. Expand the location in which the computer group is to be added, and highlight the Desktops node.





• Select Actions | New Computer Group from the information pane.



6. Select Microsoft Hyper-V on the System Type window, and then click Next.









DESCRIPTION

346





b) Enter the Password. The check mark to the right of the field is used to verify the entered credentials, if the computer is part of the domain.

c) Click Next.




• User

• Device Name

• Device Address


• Group



b) Click OK.




347








a) Click Next on the Welcome window of the Automated Task Wizard.

b) Complete the Automated Task Wizard:

• Enter a Name for this scheduled task, and then click Next.

• Select the Task, and then click Next.

• Select one of the parameters used to complete this task, and then click Next.

• Specify the schedule for this task to be completed, and then click Finish.



a) Select Import existing computers from Hyper-V hosts to add computers by importing existing virtual computers and complete the process using Import Existing Computers into a Group.

b) Select Do nothing. I will create or import computers later to create the desktops at a later time.

20. Click Finish.


348



You can import existing computers from a Microsoft Hyper-V data center into an existing managed computer group. This can be completed when physical PCs have already been converted into virtual computers and are ready to be redeployed from the virtual infrastructure to their original owners.

After computers have been successfully imported, the task Initialize Computer is automatically created. This process establishes the relationship between the Connection Broker and the virtual desktop and must be completed successfully. See Initialize Computer for more information on this process.

Several options are available to assist with importing and resynchronizing (Import/Re-sync Computer tool) desktop computers.

349



CONTROL DESCRIPTION

Options



Remove orphaned desktops If selected, computers are removed from the selected managed desktop group if they no longer exist in the data center.

Inventory

Microsoft Hyper-V Inventory This control displays a list of folders and virtual computers available in the Microsoft Hyper-V data center inventory.







350


How to ...

Import Existing Desktops into a Group









5. Select the virtual computers that are to be imported on the Microsoft Inventory window.


Power ManagementThe power states of Microsoft Hyper-V based virtual computers that can be manipulated with vWorkspace are:





351







352

16

Parallels Virtuozzo Integration

• Overview

• About Parallels Virtuozzo

• Computer Groups



OverviewThis section describes the range of desktop management and provisioning features offered by vWorkspace for Parallels Virtuozzo Containers environments.

vWorkspace and Parallels SupportThe following items are supported in vWorkspace:

• Parallels Virtuozzo Containers (PVC) 4.0 and 4.5 running Microsoft Windows Server 2003 and Microsoft Windows Server 2003 R2 containers, both x86 and x64.

• All EOP features in Microsoft Windows Server 2003 and Microsoft Windows Server 2003 R2 containers, both x86 and x64.

• Support for USB Redirection on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 R2 x64 containers.

• Provisioning of Microsoft Windows Server 2003 and Microsoft Windows Server 2003 R2 (both x86 and x64) containers in PVC 4.0 and PVC 4.5 from the vWorkspace Management Console using PIM 4.0.

• Provisioning of Microsoft Windows Server 2003 and Microsoft Windows Server 2003 R2 (both x86 and x64) containers in PVC 4.0 and PVC 4.5 from the vWorkspace Management Console using PVA 4.5, but only for Virtual Environment Templates stored locally on the PVC server, not in the PVA Resource Library.

• Importing Virtuozzo containers provisioned outside of vWorkspace into the vWorkspace Management Console.

• Power Management of Virtuozzo containers.

The following items are currently not supported in vWorkspace:

• Microsoft Windows Server 2008 R1 or Microsoft Windows Server 2008 R2 (both x86 and x64).

About Parallels VirtuozzoParallels Virtuozzo nodes can be both independent hosts or part of a group, which are master and slave nodes that are associated with each other, but they cannot be both independent hosts and part of a group at the same time.

354


You can import slave nodes from a master and add independent nodes to the same location.

If you do not have independent nodes, then you define virtualization servers that represent the master node or nodes. When you add a location, you import slave nodes from any of the virtualization server master nodes, and associate the imported nodes with the location.

If you have Virtuozzo independent nodes, you can add them to the location.

When setting up the Parallels Virtuozzo Containers in the vWorkspace Management Console, once a location has been defined, the following steps must be completed:

• Associate virtualization entities, independent nodes and slave nodes, to the location.

Virtuozzo Slave Nodes — Use this option to import master nodes and select slave nodes that are to be imported.

Independent Virtuozzo Nodes — Use this option to add the independent nodes to the location.

• Computer groups can be added to locations by selecting Desktops from the location in the vWorkspace Management Console. For more information on Parallel Virtuozzo computer groups, see Computer Groups.

355


• Add computers to the established computer groups by using the Add Computers wizard. See Add Computers to a Computer Group for more information.

How to ...

• Import Virtuozzo Slave Nodes

• Add Independent Virtuozzo Nodes

Import Virtuozzo Slave Nodes


2. Select the location for the Virtuozzo Slave nodes are to be imported.

3. Right-click and select Properties, or select Actions| Properties, or click on the Properties icon in the toolbar.

4. On the Virtualization Entities window, select Virtuozzo Slave Node from the Add Entities drop-down list.

5. Click Next on the Welcome window for the Import Virtuozzo Nodes wizard.

6. Click Edit Virtualization Servers on the Master Node window. The Virtuozzo Master Node wizard is presented.

7. Click Next on the Virtuozzo Master Node Wizard Welcome window.

8. Click Next on the Welcome window of the Virtuozzo Master Node wizard.

Parallels Virtuozzo Containers disable the startup of certain Microsoft Windows services by default, including ones that are required for vWorkspace. You need to set the type to Enterprise, to prevent the disabling of certain Window services. Please also refer to the Parallels Virtuozzo knowledge base article, http://kb.parallels.com/1007, for more information.

356

http://kb.parallels.com/1007




Note: You should give the Master Node a friendly name and not use the computer name, as you may not be able to access the Other Settings of the Master Node.

System Type Select Parallels Virtuozzo.

357







DomainName\UserName





358













359


12. Click Next on the Master Node window.

Confirm that the correct virtualization server is highlighted.

13. Select the Slave Nodes that are to be imported, and then click Finish.

Use Ctrl+click to select multiple nodes to be imported.

14. Click OK to close the Locations Properties window, or select Permissions to complete permission information.

Add Independent Virtuozzo Nodes


2. Select the location in which the Virtuozzo Slave Nodes are to be imported.

3. Right-click and select Properties, or select Actions | Properties, or click on the Properties icon in the toolbar.

4. On the Virtualization Entities window, select Virtuozzo Slave Node from the Add Entities list.

5. Click Next on the Virtuozzo Independent Node Wizard Welcome window.



360




System Type Select Parallels Virtuozzo.

361







DomainName\UserName





362













363


Computer GroupsComputer groups are containers of computers that can be managed together. The following managed computer groups properties are associated with Parallels Virtuozzo.



PARALLELS VIRTUOZZO MANAGED COMPUTER GROUP PROPERTY

DESCRIPTION





364







• User

• Device Name

• Device Address


• Group










DESCRIPTION

365


How to ...

Add Computer Groups to a Parallels Virtuozzo Type


2. Expand the location in which the computer group is to be added, and highlight the Desktop node.








6. Select Parallels Virtuozzo on the System Type window, and then click Next.

Bandwidth Optimization Specify if user experience optimizations are enabled or disabled for this computer group.







DESCRIPTION

366



a) Specify an Account on the Administrative Account window.


b) Enter the Password. The check mark to the right of this field is used to verify the entered credentials, if the computer is part of the domain. Click Next.




• User

• Device Name

• Device Address


• Group



b) Click OK.





367









d) Click Next.









368



a) Select the Create new computers from a master template to add new desktops to the group and enter the number of desktops to create. Complete the process using the Add Computers tool. See Add Computers to a Computer Group.

b) Select Import existing computers from Virtuozzo nodes to add computers by importing existing virtual computers and complete the process using Import Existing Computers into a Group.


22. Click Finish.


Add Computers to a Computer Group



– OR –






2. Click Next on the Welcome to the Add Computers Wizard window.



369


5. Select one or more Virtuozzo network devices from the Nodes/Network Devices window. This is where the computers should be created. If the list is empty or to update the list, click Import.

a) To change the distribution method, click Distribution on the toolbar above the list of datastores. Complete the information on the Datastore Distribution Method window as appropriate.

b) Click Next.










7. Click Next.



b) Select a sysprep from the list, or click New to create a new sysprep. See Create Sysprep Customizations— Windows XP/2003 for more information.


It is important that you make sure your sysprep configuration is accurate and works on a computer that is visible to you. If the sysprep information is incorrect, you may have a computer that requires user input, but you will have no way of connecting to it.

370









You can import existing computers from a Parallels Virtuozzo host to an existing computer group. You would do this when physical PCs have already been converted into virtual computers and are ready to be redeployed from the virtual infrastructure to their original owners.

Several options are available to assist with importing and resynchronizing (Import/Re-sync Computers tool) desktop computers.

371



CONTROL DESCRIPTION

Options



Remove orphaned desktops If selected, computers are removed from the selected managed desktop group if they no longer exist in the Parallels Virtuozzo inventory.

Inventory

Nodes This displays a list of folders and virtual computers available in the Parallels Virtuozzo Host inventory.







372


How to ...








• Select Import existing desktops from Parallels from the Finish window of the Computer Group wizard, and then click Finish, if you are completing the Computer Group wizard.



5. Select the virtual computers that are to be imported on the Inventory window.


Power ManagementThe power states of Parallels Virtuozzo managed computers that can be manipulated with vWorkspace are:



373


374

17

Non-Power Managed Data Centers

• Overview

• Computer Groups

• Add Computers to a Computer Group



OverviewThis chapter describes in detail the broad range of desktop management and provisioning features offered by vWorkspace for the type Other/Physical (non-power managed computers), which are managed computers that are hosted on physical hardware, such as PC blades or high-end engineering workstations.

Computer GroupsComputer groups are containers of desktops that can be managed together. The following managed computer groups properties are associated with Other/Physical type (non-power managed data centers).

OTHER TYPE MANAGED COMPUTER GROUP PROPERTY

DESCRIPTION





376







• User

• Device Name

• Device Address


• Group




This policy is useful when provisioning desktop workspaces to users that require elevated privileges.






DESCRIPTION

377


How to ...

Add Computer Groups to Other/Physical Type


2. Expand the location in which the computer group is to be added, and highlight the Desktops node.








6. Select Other/Physical on the System Type window, and then click Next.




b) Enter the Password. The check mark to the right of this field is used to verify the entered credentials, if the computer is part of the domain. Click Next.






DESCRIPTION

378





• User

• Device Name

• Device Address


• Group



b) Click OK.


11. Select Power Users, Administrators, or None to automatically add the users to one of the groups on the User Privileges window, and then click Next.





379











20. On the Finish window, select one of the following:

a) Add computers to this group now.

b) Do nothing now. I will add computers later.

21. To complete the process, do one of the following:



Add Computers to a Computer Group

Computer groups in vWorkspace of the type Other/Physical (non-power managed) can contain computers that are physical, virtual, or a combination of the two. To be added to this type of group, the following must be met:

• The computer hardware (physical or virtual) must be installed and configured.

• A supported operating system must be installed.

• The computer must be powered on.

• Network connectivity must exist between the vWorkspace Management Console and the desktop computer that is to be added.

380


To add computers to the group, do one of the following:

a) Select the Add computers to a group now option on the Finish window of the Computer Group wizard.

– OR –






Because vWorkspace computer groups with the type of Other/Physical (non-power managed) do not use or communicate with virtual management servers, one of the following methods must be provided to identify the computers that are to be added to a computer group during the Add Computers process.

• Browse

• Enter Name

• Enter IP Address Range

381


Browse

OPTION DESCRIPTION

Browse Network Locates computers to be added by browsing the Microsoft Windows Network. Multiple items can be selected by using Ctrl+Shift+Click or Shift+Up/Down.

Browse Active Directory Locates computers to be added by sending a filtered query, using Active Directory Services Interface (ADSI) to Active Directory. User must specify the following:

• Domain — The name of the Windows domain that the query is to be sent.

• Display — The object type to display, Organizational Units, Computers, or both.

• Filter — The specified name or partial name using a wildcard (*).

382


Enter Name

OPTION DESCRIPTION

Computer Name Locates computers to be added by specifying the Windows computer name or IP address.

Type the Windows Computer name or IP address of the computer to be added, and click Add. The Connection Broker attempts to resolve the name to an IP address.

This is the name that is displayed on the vWorkspace Management Console.

383


Enter IP Address Range

OPTION DESCRIPTION

Enter IP Address Range Locates computers to be added by specifying a range of IP addresses. The user enters a starting IP address in the From field and ending one in the To field.

The name that is displayed on the vWorkspace Management Console is: Computer_www.xxx.yyy.zzz (which is the address range entered.)

384


Power ManagementThe power states of non-power managed computers that can be manipulated with vWorkspace are:

• Stand By — Computers are partially powered down to save energy, and only critical components received power.

• Wake Up — Only for computers that are configured to listen for Wake on LAN (WOL) packets, the Connection Broker sends the computer a WOL packet.





385


386

18

vWorkspace Connectors

• Overview

• vWorkspace Connector Interfaces

• vWorkspace Connector for Windows Packages

• vWorkspace Connector Configuration

• Multiple Monitor Support

• Manage AppPortal Connections


OverviewThe following sections describe the process of connecting to managed applications and desktops in a vWorkspace Windows infrastructure. Users have the option of either connecting to full-featured desktops or individual applications based upon administrative setup.

These items are discussed in greater detail in the following section:

• vWorkspace Connector Interfaces

• vWorkspace Connector for Windows Packages

• vWorkspace Connector Configuration

vWorkspace Connector InterfacesThere are two primary interfaces available, AppPortal and Web Access.

About the AppPortal Interface

The AppPortal is a version of the vWorkspace Connector with an intuitive, interactive user interface allowing users, upon successful authentication, to receive a list of authorized desktops and applications in a vWorkspace infrastructure. Users can subsequently start remote connections to published desktops and applications by selecting the corresponding shortcuts.

AppPortal can also be started in Desktop-Integrated mode where the user interface shell is suppressed and it appears in the Windows system tray. Application icons shortcuts are placed on the user’s Desktop, Start Menu, or All Programs menu, depending on preferences.

388


The AppPortal must be installed and configured before users are able to connect to their vWorkspace infrastructure.

About Web Access

vWorkspace Web Access allows users to retrieve their list of allowed applications or desktops using a web browser. A Web Access web server must be available to use this interface.

For more information on Web Access, see the vWorkspace Web Access Guide.

389


vWorkspace Connector for Windows PackagesThe vWorkspace Connector is supported on Windows computers, laptops, and XP embedded thin client terminals, and is available in various client packages.

The vWorkspace packages available are:

• VASCLIENT32 — Includes AppPortal and the Web Access.

• VASCLIENT32T — Includes the Web Access, but not the AppPortal.

• VASCLIENT32TS — Includes a silent install for Web Access.

About the VAS Client 32

This package is available in the following formats:

• VASCLIENT32.exe — MSI installation with EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target client workstations.

• VASCLIENT32.msi — MSI installation without the EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target client workstations.

• VASCLIENT32.cab — CAB installation for automatic deployment through Web Access.

About the VAS Client 32T

This package is available in the following formats, and does not include the AppPortal interface:

• VASCLIENT32T.exe — MSI installation with EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target client workstations.

• VASCLIENT32T.msi — MSI installation without the EXE bootstrapper. An MSI engine (2.0 or later) must be installed on the target client workstations.

• VASCLIENT32T.cab — CAB installation for automatic deployment through Web Access.

390


About the VAS Client 32TS

This package is available in the following format for the Web Access client:

• VASCLIENT32TS.cab — CAB installation for automatic deployment through Web Access, as a silent installation. The files are located at \\Inetpub\wwwroot\Provision\web-it\clients.

vWorkspace Client Executables

The executable file, PNapp32.exe, provides the shell and functionality of the AppPortal interface, forwarding users credentials to the vWorkspace Connection Brokers for authentication, retrieving a list of authorized applications and desktops, and dynamically retrieving the connectivity settings needed to successfully connect to a requested application or desktop.

The executable file, PNtsc.exe, establishes the remote connection to applications and desktops that are hosted in the vWorkspace enabled infrastructure, and is included on all packages of the vWorkspace Connector. It is a modified version of the Microsoft Remote Desktop Connection client.

PNTray.exe is an executable that runs from the taskbar when an application or desktop is connected, and is included on all packages of the vWorkspace Connector.

The PNTray provides a context menu for access to various applets used in managing connections, sessions, and printing options. See About the PNTray for more information.

Additional Registry SettingsThere are several additional features that can be enabled by enabling registry key entries:

• Deferred Authentication

• Optional One-session-per-user within a Farm

391


Deferred Authentication

Optional mode to retrieve applications and desktops through AppPortal and Web Access, even by users whose passwords have expired or needs to be changed.

PasswordExpiredPassthruMode

When this feature is enabled, it allows the user, who has entered the expired password or the password that needs to be changed, to get to the Windows logon screen to change the expired password.

When enabled, if LogonUser() returns the error code ERROR_PASSWORD_EXPIRED (1330) and ERROR_PASSWORD_MUST_CHANGE (1907), the broker will enumerate the groups and OUs for the user and return ERROR_SUCCESS (0).

This feature is controlled via the following registry key (defaults to 0=disabled):

HKLM\SOFTWARE\Provision Networks\Common\ Load and License Manager

PasswordExpiredPassthruMode REG_DWORD (0=disabled 1=enabled)

AccountLockedPassthruMode

When this feature is enabled, it allows the user, whose account appears to be locked, to get to the Windows logon screen to unlock the account.

When enabled, if LogonUser() returns the error code ERROR_ACCOUNT_LOCKED_OUT (1909) the broker will enumerate the groups and OUs for the user and return ERROR_SUCCESS (0).

You must have a third party password reset application to use this setting. This feature is controlled via the following registry key (defaults to 0=disabled):

HKLM\SOFTWARE\Provision Networks\Common\ Load and License Manager

AccountLockedPassthruMode REG_DWORD (0=disabled 1=enabled)

Optional One-session-per-user within a Farm

This is important in healthcare for moving between stations without disconnecting the session.

SessionRoamingMode

When enabled, the connection broker looks for both active and disconnected sessions when a user issues a launch request.

392


This enforces one user session per farm and allows a user to roam, being able to get back to their active session from any terminal (defaults to 0=disabled):

HKLM\SOFTWARE\Provision Networks\Common\Load and License Manager

SessionRoamingMode REG_DWORD (0=disabled 1=enabled)

vWorkspace Connector ConfigurationThe AppPortal retrieves information about published applications, desktops, and other assigned resources available from a vWorkspace infrastructure by communicating with the Connection Broker for the infrastructure. AppPortal must be configured so that it knows how to communicate with the Connection Brokers. This process is referred to as managing or configuring connections.

First Time Start Configuration

When a user starts AppPortal for the first time, AppPortal attempts to configure itself automatically. It does this by locating and reading a file named config.xml using the following order of locations:

• http://vworkspace.<FQDN>

• http://provision.<FQDN>

• https://vWorkspace.<FQDN>

• https://provision.<FQDN>

If a config.xml is not located using the default URL, AppPortal displays a message telling the user to create a new connection.

If the Farm Type is specified as RDBroker, then the following attributes will not display a warning if they are missing:

• EnableKerberos

• KerberosMode

• TCPPort (location specific)

• Protocol (location specific)

An AppPortal command line parameter, /autodelete, is available. This command line parameter removes all farm definitions and desktop integrated shortcuts upon exiting AppPortal, so that any autoload farms are reloaded.

393


• RDPonSSL (location specific)

• EnableNAT (location specific)

• UseProxy (location specific)

• ProxyServer (location specific)

• ProxyBypassList (location specific)

How to ...

Create a New Farm Connection

1. Start AppPortal from the desktop.

– OR –

Start | Programs | Quest Software| vWorkspace | vWorkspace Client

2. Select Actions | Manage Connections. The Farm Connection window opens.

3. Click Create a new farm, and then click Next.


a) To manually create a farm, select the Allow me to manually specify all configuration parameters option, and then click Next. The system displays the Connectivity window. See Manage AppPortal Connections for information on completing this process.

– OR –

b) To download the configuration file, select Download the configuration file from a central server, and then click Next. The New Configuration window appears.

c) Complete the following fields on the New Configuration window, and then click OK.

• Select the Protocol of HTTP, HTTPS, or File.

• Enter the URL.

• Verify the File field is config.xml.

• Select one of the Proxy Server options.

5. Complete any further information on the property windows, and then click Finish.

Some information is grayed out and unavailable to be changed.

394


Multiple Monitor SupportvWorkspace Enhanced Multimonitor (version 2.0) support is available, providing true multimonitor support. The previous version of vWorkspace Multimonitor (version 1.0) support enabled desktop sessions to span multiple monitors.

Users can have up to four monitors with a total maximum resolution of 4096 x 2048. However, the total resolution height and width needs to be able to be exactly divided by four for enhanced multimonitor. If the total resolution is not exactly divided by four, the previous version of vWorkspace multimonitor runs.

The color can be set at 24 bit for Microsoft Windows XP and Microsoft Server 2003, and at 32 bit for Microsoft Vista and Microsoft Server 2008. The task bar is confined to the primary monitor, along with the Start menu.

Since resolutions can vary by screen, a started application in non-maximized, normal Window mode can open into a nonviewable area of the screen. If you are using applications where you cannot maximize or resize the window, or you plan to use mixed resolution, it is recommended that your monitors be the same resolution.

Multimonitor is supported on Microsoft Windows 7 and Microsoft Windows Server 2008 R2 if you are using the RDC 7 client or RDC 6 client with GA enabled on the client. Microsoft RDC 5 is not supported for Microsoft Windows 7 and Microsoft Windows Server 2008 R2.

• Enhanced Multimonitor (2.0) does not support 8-bit or lower color. If 8-bit or lower color is detected, the Multimonitor 1.0 support is enabled and the enhanced Multimonitor support is disabled.

• If the resolution is 1600x1200 or higher on a Microsoft Windows Server 2003 Terminal Server, it reverts to Multimonitor 1.0 and the Terminal Server reverts to 8-bit color.

A top bottom multimonitor configuration may present an aesthetic defect in the presentation if you are using Multimonitor 1.0 and not the enhanced Multimonitor 2.0.

395


Multiple monitor support is setup for the AppPortal client from the Display window by selecting the option Span multiple monitors when in full screen mode. See Display Settings for more information.

Multiple monitor support is setup for the Web Access client by selecting the Span multiple monitors when in full screen mode option from the Display Settings window. See the vWorkspace Web Access Guide for more information.

SERVERS

CLIENTS

Microsoft XP/Server 2003/Vista/Server 2008

(file signature is supported)

Microsoft XP/Server 2003/Vista/Server 2008

(file signature is not supported)

Microsoft Windows XP or Vista with RDC <7 (mstscax <6.1)

GA Disabled

Enhanced version of vWorkspace multimonitor

Previous version of vWorkspace multimonitor

Microsoft Windows XP or Vista with RDC <7 (mstscax <6.1)

GA Enabled



Microsoft Windows XP/Server 2003/Vista/Server 2008 with RDC >=7 (mstscax >= 6.1)



Microsoft Windows 7



The taskbar may, intermittently, span both monitors, if you are using Multimonitor 1.0.

396


You also need to select the Quest vWorkspace Remote Desktop Connection Display tab option Span multiple monitors when in full screen mode. To access this setting, use the following path:

Start | All Programs | Quest Software| vWorkspace | Remote Desktop Connection

Manage AppPortal ConnectionsAppPortal connections can be created manually by using the following options on the Farm Connection window.

The AppPortal connection properties differ based on the Farm Type selected. Use the following links to view the settings found on the Farm Connections window for each Farm Type:

• vWorkspace Connection Broker

• Microsoft Remote Desktop Connection Broker

397


vWorkspace Connection Broker

The connection properties for the Farm Type, vWorkspace Connection Broker, are found in the following tabs on the Farm Connections window:

• Farm Type

• Connectivity Settings

• Firewall/Proxy Traversal Setting

• Credentials Settings

• Display Settings

• Local Resources Settings

• User Experience Settings

• Password Management Settings

• Desktop Integration Settings

• Auto-Launch Settings

Farm Type

398


Connectivity Settings

FARM TYPE SETTINGS FIELD DESCRIPTION

vWorkspace Connection Broker Select this option to connect to a vWorkspace Connection Broker.

CONNECTIVITY SETTINGS FIELD

DESCRIPTION

Location Three separate connection locations are available from the list.

Use Rename to specify the location name, such as Office or Home.

Test Connection Use to test the connectivity settings for a location.

399


Firewall/Proxy Traversal Setting

PROPERTIES FOR LOCATION

These settings are used to communicate with the Connection Broker, and are configured separately for each Location.

Protocol Use either HTTP or HTTPS.

TCP Port Use to specify the port in which the Connection Broker listens on for inbound connection requests.

Connection Brokers Use Add to enter the host name, FQDN or IP address for a Connection Broker.

Use the arrow buttons to change the order in which the connections are attempted.


DESCRIPTION

400


FIREWALL/PROXY TRAVERSAL SETTINGS FIELD

DESCRIPTION

CONNECTION OPTIONS FOR LOCATION


Enable NAT Support for Firewall Traversal

Use this when vWorkspace enabled Terminal Servers are located behind a firewall that is using Network Address Translation and Alternative Addressing.

Enable RDP over SSL/TLS Use SSL/TLS encryption of RDP session traffic is used.

SSL Gateway Server Use this to enter the FQDN or IP address of the Quest vWorkspace Secure Gateway server.

This option is only available when Enable RDP over SSL/TLS is selected.

PROXY SERVER FOR LOCATION

These settings are used when the vWorkspace client device is located behind a NAT enabled firewall and Socks Proxy Servers are used to gain access to the outside network.

Use the default from the system internet settings

Use if the proxy settings are the same as those used by Internet Explorer.

Do not use a proxy server Use if you do not want to set a proxy server.

Enter an address manually Use to indicate the address as entered.

The address must be entered in the following format:

proxy_serve_rname:port

proxy_serve_rname = host name, FQDN, or IP address of the Socks Proxy Server.

port = TCP port number the Socks Proxy Server is listening on.

Do not use proxy server for addresses beginning with:

Use to list proxy server exclusions.

Use semicolons (;) to separate the entries.

401


Credentials Settings

CREDENTIALS SETTINGS FIELD

DESCRIPTION

Use Cached credentials Uses credentials from the Windows credentials cache on the client device.

To use this option, Enable Credentials Pass-Through (Settings | Authentication) must be enabled.

User Kerberos credentials Uses the Kerberos authentication protocols.

To use this option, the client device must be a member of Microsoft Windows Active Directory domain and the user must log onto the device using their domain user account and password.

402


Display Settings

Use the following credentials Uses the NT LAN Manager authentication protocols.

The Username, Password, and Domain information is entered, and the user is not prompted for this information during a connection attempt.

The Save credentials (encrypted) option allows the AppPortal to read the cached credentials from disk, and does not prompt users for them. This option is only available if the Use the following credentials option is selected.

DISPLAY SETTINGS FIELD DESCRIPTION

Display Configuration Sets the remote session window size during a non-seamless window connection.


DESCRIPTION

403


Colors Sets the remote session color depth during a non-seamless window connection.

Display the connection bar when in full screen mode

Displays a connection bar when the session is in full screen mode.

Pin Connection Bar option disables the connection bar auto-hide feature.

Span multiple monitors when in full screen mode

Sets the add-on feature to enable multiple monitor display.

Enable Smart Sizing Smart Sizing is functional when connecting to a managed computer. The session screen size and color depth are automatically adjusted to settings in the guest operating system.

Smart sizing resizes the desktop, rather than creating scroll bars.

Display remote applications seamlessly on local desktop

Enables the remote application window size and color depth to be dynamically adjusted to match those of the client device, allowing the remote application to have the same look and feel as if it were installed on the client device.

This setting also enables session sharing, which allows multiple remote applications to run through a single session, given those applications are installed on the same Terminal Server or Managed Computer.


404


Local Resources Settings

LOCAL RESOURCES SETTINGS FIELD

DESCRIPTION

Remote audio Bring to Local Computer — runs sound files in your Remote Desktop session and plays them on your local computer.

Leave at Remote Computer — runs sound files in your remote desktop session and plays them only on the remote computer.

Don’t play — disables all sounds in remote desktop sessions.

405


Keyboard These options apply to Windows shortcut key combinations, such as Alt+Tab.

On the local computer — configures your connection so that Windows shortcut keys always apply to your local desktop.

On the remote computer — configures your connection so that Windows shortcut keys always apply to the desktop of the remote computer.

In full screen mode only — configures your connection so that Windows shortcut keys apply to the remote computer only when the connection is in full screen mode.

LOCAL DEVICES

These settings determine which client side devices are available to the remote applications or desktops.

Disk drives Local disk drives.

Serial ports Local serial ports.

Printers Local printers. Standard Window print drives are used for printing, so the appropriate drivers need to be installed on both the client devices and the remote computer.

Smart cards Smart card connections for authentication.

USB Devices Devices that are attached to a USB port on a client device can synchronize with applications running in a remote session.

Universal Printers Remote printing using a single print driver.

Clipboard Enables redirection of copy and paste functionality.

Microphone Enables support for applications that require the use of a microphone.

This option is part of the Experience Optimization Package. See EOP Audio for more information.


DESCRIPTION

406


User Experience Settings

USER EXPERIENCE SETTINGS FIELD

DESCRIPTION

Choose your connection speed to optimize performance

The options are:

• Modem (28.8 Kbps)

• Modem (56 Kbps)

• Low-Speed broadband (256 Kbps - 2 Mbps)

• Satellite (2 Mbps - 16 Mbps with high latency)

• High-Speed broadband (2 Mbps - 10 Mbps)

• WAN (10 Mbps or higher with high latency)

• LAN (10 Mbps or higher)

407


Allow the following: These options are used to create a custom setting:

• Desktop background

• Font Smoothing

• Desktop Composition

• Visual Styles

• Show contents of window while dragging

• Menu and window animation

• Persistent Bitmap caching

Note: If Desktop Composition (Windows Aero) is enabled, Graphics Acceleration is disabled.

Note: Bitmap caching can assist in reducing bandwidth requirements. The other features require additional bandwidth.

Experience Optimized Protocol (EOP)

These options are used to automatically enable optimizations when logged on to the remote computer:

• Graphics Acceleration

• Local Text Echo



• WAN Acceleration (EOP Xtream)

Reconnect if connection is dropped

This option allows for automatic reconnection if connection is dropped.


DESCRIPTION

408


Password Management Settings

PASSWORD MANAGEMENT SETTINGS FIELD

DESCRIPTION

Server Name or IP Address The FQDN of the Quest vWorkspace Password Management Server.

Port The TCP port to which the Quest vWorkspace Password Management Server has been configured.

This is usually 443.

409


Desktop Integration Settings

DESKTOP INTEGRATION SETTINGS FIELD

DESCRIPTION

Allow Client Shortcuts on: This option controls where the placement of shortcut icons occurs when the AppPortal is started in Desktop Integration mode:

• Desktop

• Start Menu

• Start Menu \ Programs

Note: The placement of shortcuts when either Start Menu or Start Menu \ Programs are selected depends on whether Windows is using the Standard or Classic start menu.

410


Auto-Launch Settings

AUTO-LAUNCH SETTINGS FIELD

DESCRIPTION

Auto-Launch Application This option is used to specify applications that are to be launched automatically when AppPortal is started.

This option is for AppPortal in desktop integrated mode, or if a farm is connected to automatically at startup.

Note: Only the first application found is automatically launched.

411


Microsoft Remote Desktop Connection Broker

The connection properties for the Farm Type, Microsoft Remote Desktop Connection Broker, are found in the following tabs on the Farm Connections window:

• Farm Type

• Connectivity Settings

• RD Gateway

• Credentials Settings

• Display Settings

• Local Resources Settings

• User Experience Settings

• Password Management Settings

• Desktop Integration Settings

• Auto-Launch Settings

412


Farm Type

FARM TYPE SETTINGS FIELD DESCRIPTION

Microsoft Remote Desktop Connection Broker

Select this option to connect to a Microsoft Remote Desktop Connection Broker.

413


Connectivity Settings


DESCRIPTION

Location Three separate connection locations are available from the list.

Use Rename to specify the location name, such as Office or Home.

Test Connection Use to test the connectivity settings for a location.

Use this as the default location when connecting.

Select to use as the default location when connecting.

Always prompt for location before connecting.

Select to be prompted for a location before connecting.

414


RD Gateway

PROPERTIES FOR LOCATION

This setting is used to communicate with the RD Connection Broker, and is configured separately for each Location.

Remote desktop connection broker server name or URL:

Enter the RD Connection Broker server name or URL.


DESCRIPTION

CONNECTION SETTINGS


Automatically detect RD Gateway server settings

Select if you want RD Gateway server settings automatically detected.


DESCRIPTION

415


Credentials Settings

Use these RD Gateway server settings

Select if you want to use the entered Server name and Logon method as the RD Gateway server settings.

Do not use an RD Gateway server

Select if you do not want to use an RD Gateway server.


DESCRIPTION

Use Cached credentials Uses credentials from the Windows credentials cache on the client device.

To use this option, Enable Credentials Pass-Through (Settings | Authentication) must be enabled.


DESCRIPTION

416


Display Settings

Use the following credentials Uses the NT LAN Manager authentication protocols.

The Username, Password, and Domain information is entered, and the user is not prompted for this information during a connection attempt.

The Save credentials (encrypted) option allows the AppPortal to read the cached credentials from disk, and does not prompt users for them. This option is only available if the Use the following credentials option is selected.


Display Configuration Sets the remote session window size during a non-seamless window connection.


DESCRIPTION

417


Colors Sets the remote session color depth during a non-seamless window connection.

Display the connection bar when in full screen mode

Displays a connection bar when the session is in full screen mode.

Pin Connection Bar option disables the connection bar auto-hide feature.

Span multiple monitors when in full screen mode

Sets the add-on feature to enable multiple monitor display.

Enable Smart Sizing Smart Sizing is functional when connecting to a managed computer. The session screen size and color depth are automatically adjusted to settings in the guest operating system.

Smart sizing resizes the desktop, rather than creating scroll bars.

Display remote applications seamlessly on local desktop

Enables the remote application window size and color depth to be dynamically adjusted to match those of the client device, allowing the remote application to have the same look and feel as if it were installed on the client device.

This setting also enables session sharing, which allows multiple remote applications to run through a single session, given those applications are installed on the same Terminal Server or Managed Computer.


418


Local Resources Settings


DESCRIPTION

Remote audio Bring to Local Computer — runs sound files in your Remote Desktop session and plays them on your local computer.

Leave at Remote Computer — runs sound files in your remote desktop session and plays them only on the remote computer.

Don’t play — disables all sounds in remote desktop sessions.

419


Keyboard These options apply to Windows shortcut key combinations, such as Alt+Tab.

On the local computer — configures your connection so that Windows shortcut keys always apply to your local desktop.

On the remote computer — configures your connection so that Windows shortcut keys always apply to the desktop of the remote computer.

In full screen mode only — configures your connection so that Windows shortcut keys apply to the remote computer only when the connection is in full screen mode.

LOCAL DEVICES

These settings determine which client side devices are available to the remote applications or desktops.

Disk drives Local disk drives.

Serial ports Local serial ports.

Printers Local printers. Standard Windows print drives are used for printing, so the appropriate drivers need to be installed on both the client devices and the remote computer.

Smart cards Smart card connections for authentication.

USB Devices Devices that are attached to a USB port on a client device can synchronize with applications running in a remote session.

Universal Printers Remote printing using a single print driver.

Clipboard Enables redirection of copy and paste functionality.

Microphone Enables support for applications that require the use of a microphone.

This option is part of the Experience Optimization Package. See EOP Audio for more information.


DESCRIPTION

420


User Experience Settings


DESCRIPTION

Choose your connection speed to optimize performance

The options are:

• Modem (28.8 Kbps)

• Modem (56 Kbps)

• Low-Speed broadband (256 Kbps - 2 Mbps)

• Satellite (2 Mbps - 16 Mbps with high latency)

• High-Speed broadband (2 Mbps - 10 Mbps)

• WAN (10 Mbps or higher with high latency)

• LAN (10 Mbps or higher)

421


Allow the following: These options are used to create a custom setting:

• Desktop background

• Font Smoothing

• Desktop Composition

• Visual Styles

• Show contents of window while dragging

• Menu and window animation

• Persistent Bitmap caching

Note: If Desktop Composition (Windows Aero) is enabled, Graphics Acceleration is disabled.

Note: Bitmap caching can assist in reducing bandwidth requirements. The other features require additional bandwidth.

Experience Optimized Protocol (EOP)

These options are used to automatically enable optimizations when logged on to the remote computer:

• Graphics Acceleration

• Local Text Echo



• WAN Acceleration (EOP Xtream)

Reconnect if connection is dropped

This option allows for automatic reconnection if connection is dropped.


DESCRIPTION

422


Password Management Settings

PASSWORD MANAGEMENT SETTINGS FIELD

DESCRIPTION

Server Name or IP Address The FQDN or IP address of the Quest vWorkspace Password Management Server.

Port The TCP port to which the Quest vWorkspace Password Management Server has been configured.

This is usually 443.

423


Desktop Integration Settings

DESKTOP INTEGRATION SETTINGS FIELD

DESCRIPTION

Allow Client Shortcuts on: This option controls where the placement of shortcut icons occurs when the AppPortal is started in Desktop Integration mode:

• Desktop

• Start Menu

• Start Menu \ Programs

Note: The placement of shortcuts when either Start Menu or Start Menu \ Programs are selected depends on whether Windows is using the Standard or Classic start menu.

424


Auto-Launch Settings

AUTO-LAUNCH SETTINGS FIELD

DESCRIPTION

Auto-Launch Application This option is used to specify applications that are to be launched automatically when AppPortal is started.

This option is for AppPortal in desktop integrated mode, or if a farm is connected to automatically at startup.

Note: Only the first application found is automatically launched.

425


AppPortal in Desktop Integrated Mode

AppPortal also has an option to be started in Desktop Integrated Mode where the user interface shell is suppressed. Instead, AppPortal runs from the Windows system tray area. Applications icon shortcuts are placed on the user’s Desktop, Start Menu, or All Programs menu, depending on your settings.

How to ...

Start the AppPortal in Desktop Integrated Mode

1. Use one of the following options:

Start | All Programs |Quest Software| vWorkspace | AppPortal (Desktop-Integrated)

– OR –

Start | Run and then type C:\Program Files\ Quest Software\vWorkspace\pnap32.exe/di

The AppPortal is an icon on the Windows toolbar status area.

AppPortal Actions Menu Options

The AppPortal Actions menu on the toolbar contains the following commands:

• Manage Connections

• Change Current Location

• Logon as a Different User

• Change Password

• Refresh Application Set

• Close

On a Windows XP computer, the placement of shortcuts depends on whether Windows is using the Start menu or Classic Start menu.

426


ACTIONS MENU OPTION DESCRIPTION

Manage Connections Select to start the Farm Connections window to create new or modify existing infrastructure connections.

Change Current Location

Select when a connection to the currently selected farm needs to be made using different location settings.

Logon as a Different User

Select when the user wants to log into the selected farm using a different set of credentials.

Change Password Select to submit a password change request to the Quest vWorkspace Password Management Server.

Refresh Application Set Select to have the AppPortal update the list of applications in the user’s application set.

Close Select to exit AppPortal. This option does not close any sessions the user might have to a Terminal Server or a managed computer.

427


AppPortal Settings Menu Options

The Settings menu option located in the toolbar of the AppPortal provides users with access to settings that control how application set icons are displayed and how authentication to the infrastructure is performed.

Display settings

Behavior

Menu Bar If selected, the Menu Bar displays links to the Action, Settings, and Help menus.

Tool Bar If selected, the Tool Bar displays icons of actions.

Find Bar If selected, the Find Bar displays to search for applications.

Status Bar If selected, the Status Bar displays the connection status.

Always on Top If selected, the AppPortal window is always placed in front of other application windows.

Hide When Minimized If selected, the AppPortal window moves to the Windows Notification area when minimized.

If not selected, a minimized AppPortal window is placed in the Windows taskbar.

Personalize...

If clicked, displays the Personalization dialogue window to configure the window style.

Theme Specify the AppPortal window style theme.

Style Specify the AppPortal window style.

Header/Folder Style Specify the folder style, border width, and spacing for the various AppPortal folders.

Restore to Defaults If selected, the AppPortal window parameters are restored to their initial values.

Icons in Multiple columns If selected, icons are arranged in multiple columns. The number of columns is automatically adjusted depending on the number of icons and the sizing of the AppPortal window.

Center Align Captions If selected, text labels associated with each icon is centered below the icon.

Large Icons If selected, large icons are displayed.

428


Multiple Open Folders If selected, multiple open folders are displayed.

Word Wrap If selected, wraps text to the left margin.

Colors Specify the colors for various AppPortal elements.

Fonts Specify the fonts for the various AppPortal folders.

Authentication option

Enable Credentials Pass-Through

If selected, the same credentials used to log on to their client device is used when logging on to their vWorkspace infrastructure.

Enabling this feature requires that the user log off their client device and log in again. When AppPortal is started, the user’s credentials automatically are forwarded to the Connection Broker and the user is not prompted for them again.

429


About the PNTrayThe vWorkspace system tray applet (PNTray) is available when the AppPortal is started, or when a connection to a managed computer or a managed computer application is active. The PNTray is displayed in the Windows system tray as the vWorkspace context menu. The commands that are available depend on the AppPortal mode and if there is an active connection.

• Manage Connections

• Open Session Status

Use this option to view the sessions that are active on Terminal Servers, and the applications that are running in each session. Terminal Server sessions, when selected, can then be changed using the buttons of Disconnect, Logoff, and Full Screen. Applications can be terminated by using Terminate, without logging off from the session.

• Change Current Location

• Logon as Different User

• Change Password

• Authentication

• Enable Credentials Pass-Through

• Refresh Application Set

• Restore AppPortal Client

• Close AppPortal Client

The following options are available from the Print-IT section of the PNTray, when the AppPortal is in normal mode:

• PDF Publisher Options

• Save PDF File

• E-mail PDF File

430


• Preview before printing

• Apply Additional Printer Properties

• Native printer options, such as finishing and stapling are presented when this option is selected.

• Client Properties

The following options are available if the AppPortal is in Desktop Integrated Mode. These options replace the Action and Settings AppPortal menu options. See Manage AppPortal Connections for more information on the AppPortal menu options.

FARM CONNECTIONS OPTION

DESCRIPTION

Farm The display name of the farm.

Status The connection status.

Location The name of the location settings used to make the connection.

User The user name that is logged in.

Shortcuts Exist? If Yes, application set icon shortcuts have been configured.

If No, application set icon shortcuts have not been configured.

431


Connect/Refresh Shortcuts Connects to or refreshes a selected farm.

Disconnect/Remove Shortcuts

Disconnects and removes application set icon shortcuts from the client’s Desktop, Start Menu, or Start Menu \ Programs.

Logon as a Different User Allows the user to log on to a selected farm using a different set of credentials.

Change Current Location Allows the user to connect to the selected farm using different location settings.

Change Password Allows the user to submit a password change request using the Quest vWorkspace Password Management Server.

View Existing Shortcuts Presents users with a display listing the name and location of their application set icon shortcuts.

FARM CONNECTIONS OPTION

DESCRIPTION

432

19

vWorkspace User Sessions

• Overview of User Access

• Manage RD Session Host/Terminal Server Sessions

• User Access Options in the Resources Node


Overview of User AccessAdministrators can use the vWorkspace Management Console to view user sessions, RD Session Host/Terminal Server sessions, and processes running on the RD Session Host/Terminal Servers in the vWorkspace infrastructure to assist with troubleshooting.

Administrators can also access vWorkspace user options located in the Resources node of the vWorkspace Management Console. The following options are available in a RD Session Host/Terminal Server or VDI environment, and include:

• Additional Customizations

• Application Restrictions (RD Session Host/Terminal Server only)

• Connection Policies

• Color Schemes (not available for computers with Microsoft Vista or later operating systems)

• Drive Mappings

• Environment Variables

• Host Restrictions (RD Session Host/Terminal Server only)

• Registry Tasks

• Scripts

• Time Zones

• User Policies

• Wallpapers

Manage RD Session Host/Terminal Server SessionsThe vWorkspace Management Console can be used by administrators to do the following:

• Manage Users Connected to RD Session Host/Terminal Servers

• View RD Session Host/Terminal Server Sessions

• View Client Information for an Active Session

• Manage RD Session Host/Terminal Server Processes

• View RD Session Host/Terminal Server Applications

434


Manage Users Connected to RD Session Host/Terminal Servers


2. Expand the Locations node, and then the expand location to which the RD Session Host/Terminal Server is located.


4. To connect to a specific RD Session Host/Terminal Server:

a) Double-click on the RD Session Host/Terminal Server object.

b) Click on the Users tab in the RD Session Host/Terminal Servers information pane.

5. To connect to all RD Session Host/Terminal Servers:

a) Double-click on each RD Session Host/Terminal Server object, or right-click on the Terminal Servers node and select Connect All.

b) Click on the Terminal Servers node.

c) Click on the Users tab in the RD Session Host/Terminal Servers information pane.

6. The following information can be viewed:

Server The NetBIOS name of the RD Session Host/Terminal Server to which the user is connected.

Domain The NetBIOS name of the Windows domain to which the user’s account belongs.

Session The name of the user’s session as assigned by the RD Session Host/Terminal Server.

User The user account name used to log on to the session.

Session ID The numerical session ID assigned to the user’s session by the RD Session Host/Terminal Server.

State The state of the RD Session Host/Terminal Server session. The options are:

• Active

• Disconnected

• Idle

• Down

435


7. Select a server session. Administrators can perform the following actions:

View RD Session Host/Terminal Server Sessions




4. To view a session on a specific RD Session Host/Terminal Server:


Idle Time The amount of time no activity has occurred between the client and the RD Session Host/Terminal Server.

Logon Time

The date and time the session was logged on.

Disconnect If a session state is active, it can be placed into a disconnected state. Disconnecting a session causes the network connection between the client device and the RD Session Host/Terminal Server to be closed, releasing memory and CPU threads.

The working state of the session is persisted by writing to the RD Session Host/Terminal Server’s page file, allowing the user to reconnect to the session, with no loss of data.

Send Message An administrator can send a message to the selected user if the session is active.

Remote Control

An administrator can connect to the user’s active session, and depending on the policy settings, view and interact with the session.

Note: See Remote Control for more information on this feature.

Reset An administrator can reset a session which disconnects the session in a non-graceful way.

Note: All unsaved data is lost.

Log Off An administrator can gracefully log a user off from a RD Session Host/Terminal Server session. The user is prompted to save any unsaved data.

436


b) Click on the Sessions tab in the RD Session Host/Terminal Servers information pane.

5. To view sessions for all RD Session Host/Terminal Servers:



c) Click on the Sessions tab in the RD Session Host/Terminal Servers information pane.


Domain The NetBIOS name of the Windows domain to which the user’s account belongs.

Session The name of the user’s session as assigned by the RD Session Host/Terminal Server.

User The user account name used to log on to the session.

Session ID The numerical session ID assigned to the user’s session by the RD Session Host/Terminal Server.

State The state of the RD Session Host/Terminal Server session. The options are:

• Active

• Disconnected

• Idle

• Down

Type The connection type. The options are:

• Console

• RPD

Client Name

The NetBIOS name of the vWorkspace client device.

Idle Time The amount of time no activity has occurred between the client and the RD Session Host/Terminal Server.

Logon Time

The date and time the session was logged on.

Comment Not used.

437


7. Select a user session. Administrators can perform the following actions:

View Client Information for an Active Session




4. Double-click on the RD Session Host/Terminal Server object.

5. Expand the RD Session Host/Terminal Server container object, and click on the active session.

Disconnect If a session state is active, it can be placed into a disconnected state. Disconnecting a session causes the network connection between the client device and the RD Session Host/Terminal Server to be closed, releasing memory and CPU threads.

The working state of the session is persisted by writing to the RD Session Host/Terminal Server’s page file, allowing the user to reconnect to the session, with no loss of data.

Send Message An administrator can send a message to the selected user if the session is active.

Note: The only administrative action allowed for the Console session is Send Message.

Remote Control An administrator can connect to the user’s active session, and depending on the policy settings, view and interact with the session.


Reset An administrator can reset a session which ends the session in a non-graceful way.

Note: All unsaved data is lost.

The session with Session Name of RDP-TCP and Session ID 65536 is the RD Session Host/Terminal Server’s RDP listening port. The only administrative action allowed is Reset.

Log Off An administrator can gracefully log a user off from a RD Session Host/Terminal Server session. The user is prompted to save any unsaved data.

438


6. Click on the Information tab in the information pane.


Manage RD Session Host/Terminal Server Processes






b) Click on the Processes tab in the RD Session Host/Terminal Servers information pane.




c) Click on the Processes tab in the RD Session Host/Terminal Servers information pane.

User Name The name of the user.

Client Name The NetBIOS name of the CAS Client device.

Client Build Number

The vWorkspace internal build number of the vWorkspace client software installed on the client device.

Client Directory The complete directory path to which the vWorkspace client software was installed.

Client Product ID The vWorkspace internal identification number of the vWorkspace client software.

Client Hardware Not used.

Client Address The IP address of the vWorkspace client device.

Client Color Depth

The color depth used in the session.

Client Resolution The height and width, expressed in pixels, used in the session.

439



7. Select a user process. Administrators can perform the following actions:

View RD Session Host/Terminal Server Applications




Domain The NetBIOS name of the user’s Windows domain that owns the process.

Processes running in the console session are listed as Unspecified.

Session The name of the RD Session Host/Terminal Server session in which the process is running.

User The name of the user account that owns the process.

Session ID The numerical session ID the process is running in, on the RD Session Host/Terminal Server.

Process ID The assigned process ID by the Windows operating system when the process is started.

Process The file name of the process.

End Process An administrator can end the process.

Note: Certain system processes, such as winlogon.exe and lsass.exe cannot be terminated, even by an administrator.

Remote Control An administrator can connect to the user’s active session, and depending on the policy settings, view and interact with the session.


440




b) Click on the Applications tab in the RD Session Host/Terminal Servers information pane.


a) Double-click on each RD Session Host/Terminal Server object.


c) Click on the Applications tab in the RD Session Host/Terminal Servers information pane.


User Access Options in the Resources Node

Additional Customizations

The Additional Customizations node gives administrators control over the configuration of the Windows Desktop and Start Menu, visibility of drive letters, and existing network drive and printer mappings.

Default Customizations are a set of customizations configured with settings commonly used in RD Session Host/Terminal Server and VDI environments, which can be assigned to vWorkspace clients. Default Customizations cannot be modified, but they can be duplicated and used to create new customized settings.

Name The name of the published application.

Type The published application type.

Status The status of the application. The options are:

• Enabled

• Disabled

App-V Server The name of the App-V server.

Published On The name of the Terminal Server that it is published on.

441


How to ...

Create New Additional Customization Settings


2. Expand Resources, and then select Additional Customizations.

3. If necessary, click on the Toggle Client Assignment List Display button to change the display view, as appropriate.


• Activate New (green plus sign) from the toolbar of the information pane.

• Right-click on the Additional Customizations node to activate it.

• Select Actions | New Additional Customizations.

5. Click Next on the Welcome window of the new Additional Customizations wizard.

6. Enter a name for the customization on the Name window, then click Next.

7. Select the appropriate settings on the Desktop/Start Menu Items window, and then click Next.

442


8. Specify the drive letters that should not be visible to users on the Drive Restrictions window, and then click Next.

9. Select Delete pre-existing Network Drive Mappings and Delete pre-existing Network Printer Connections on the Network Resource Cleanup window, as appropriate, and then click Next.

443


10. Complete the Client Assignment window to assign the customization, and then click Next.

a) Click the plus (+) sign to select clients, and the Select Clients window opens.

b) Use the green plus (+) sign to add clients that are not included in the Client Assignment window.

c) Select clients from the list. Use CTRL to select more than one client to assign.

d) Click OK to close the window and save your assignments.

11. Specify permissions, if appropriate, on the Permissions window, and then click Finish.

Application Restrictions

vWorkspace Application Restrictions (Block-IT) is an access control system that allows administrators to increase the overall security, reliability, and integrity of their RD Session Host/Terminal Server environments.

Some of the advantages include:

• Guard against application spoofing.

• Fight against virus infections.

• Prevent users from executing unauthorized programs.

• Grant access to applications by time and day.

• Lock down the RD Session Host/Terminal Server.

The Application Restrictions feature is not currently supported in a VDI environment.

How Application Restrictions Work

With AAC, a list of program executables and program modules (dynamic link libraries) are organized into an Application List, enabling administrators to grant or deny access to entire software suites, not just individual executables.

The Application List is then associated with a group of RD Session Host/Terminal Servers, known as an Application Access Control Server group. Additional settings such as application termination, hash checking, and full path checking can also be configured for the Application List. The Application List can then be assigned to one or more vWorkspace clients.

444


Hash Checking

For each individual executable or module in the Application List, a unique binary hash is computed and stored in the vWorkspace database. A binary hash is like a fingerprint; it is used to verify the authenticity of a program executable at start time. Enabling hash checking prevents users from renaming the files associated with a restricted program.

Hash checking can be disabled for a particular Application List. Disabling hash checking is often practical for a systemwide application update. For example, if an update to an application is being installed to one RD Session Host/Terminal Server at a time, hash checking can be temporarily disabled until the update has been installed to all the servers and the application version has been made consistent across the entire farm. Once new hashes are computed for the updated program executables, then hash checking can be reenabled.

Path Checking

Path checking restricts users from copying files to a new location. Path checking can be disabled for various purposes. For example, if the same application is installed to different target folders on different RD Session Host/Terminal Servers, full path checking may fail depending on which RD Session Host/Terminal Server the user logs on to. However, this particular scenario can be mitigated by maintaining multiple file groups for the same application, where each file group is associated with a particular target folder.

Termination

You can choose to automatically terminate applications if they are still running outside of the access hours, even if they were started during an allowed time slot.

Application Restriction Properties

To define these settings, select the Application Restrictions under the Resources node in the vWorkspace Management Console, and then do one of the following:

• Right-click and select Properties.

• Click on the Properties icon on the toolbar.


445


Application Restrictions General Properties

Use Application Restriction properties to configure infrastructure settings and defaults for application restrictions. The settings are explained below.

APPLICATION RESTRICTION GENERAL PROPERTIES

DESCRIPTION

Application restrictions update interval (minutes)

This property determines the intervals at which vWorkspace checks for possible changes to application restrictions.

Block access to apps excluded from all application lists, as well as apps included in multiple client-assigned application lists having conflicting access settings.

If selected, this property allows access only to those applications and desktops that are published on RD Session Host/Terminal Servers,

– OR –

have been defined on the Application List with a permission of Allow.

Note: If an application is listed twice with different permissions (allow and deny), users are denied access to the application.

446


Deny Message This property allows administrators to edit the message that appears when a user is denied access to a program.

Default assignments This property allows administrators to configure the default assignment when creating new Application List entries.

The options are Allow or Deny.

Hash settings This property determines the default setting for hash checking when creating new Application List entries.

The options are Unconfigured, Use Hash, or Ignore Hash.

Path settings This property determines the default setting for path checking when creating new Application List entries.

The options are Unconfigured, Use Full Path, or Ignore Full Path.

APPLICATION RESTRICTION GENERAL PROPERTIES

DESCRIPTION

447


Application Restrictions Server Groups

Application Restrictions Server Groups define a group of one or more RD Session Host/Terminal Server in the vWorkspace infrastructure to which Application Restrictions are applied.

APPLICATION RESTRICTIONS SERVER GROUPS PROPERTIES

DESCRIPTION

New This button adds a new group name to the list of groups.

Delete This button removes a group of servers.

Group The names of the defined server groups are listed.

To edit, select the group name, and then click the ellipsis.

Servers in Group The names of the RD Session Host/Terminal Servers that are members of the group are displayed.

To edit, select the group of servers, and then click the ellipsis.

448


Properties of an Application Restriction List

Each Application Restriction entry is displayed in the vWorkspace Management Console in the details window pane of the Application Restrictions node. To create a new Application Restriction entry, do one of the following:

• Select New (green plus sign) from the toolbar of the information pane.

• Right-click on the Application Restriction, and then select New Application Restriction.

• Select Actions | New Application Restriction.

To edit the properties of an existing entry, double-click on its name in the list of Application Restrictions, or select Properties from the context menu. The following properties are available.

449


APPLICATION RESTRICTIONS LIST PROPERTIES

DESCRIPTION

General

Name This field is the user friendly name for the application.

Description This field is used to provide descriptive details about the application restriction being created.

This field is optional.

Category This field is used to group multiple applications into a single category.

For example, if an accounts payable, accounts receivable, and payroll applications are written as separate programs, they can be grouped into a category of Accounting.

Server Group

Server Group This field is for the Application Access Control Server Group to which the Application Restriction is assigned.

Options

Automatically terminate application(s) if still running outside access hours

This check box, if selected, terminates applications that are running outside of the access hours.

See Termination for more information.

Ignore Hashes This check box, if selected, disables using use hash checking.

See Hash Checking for more information.

Ignore Full Paths This check box, if selected, disables using full path checking.

See Path Checking for more information.

Applications

Show Full Paths This check box, if selected, displays complete paths to the listed files.

Add File This button adds files to the list.

450


Assign an Application List to Clients

Each Application List entry has a Client Assignment that determines which vWorkspace clients are assigned to the Application List. To define the client assignment of a new Application List entry, use one of the following methods.

• Define client assignments in the Client Assignment section of the New Application List wizard.

• Modify the client assignment of an existing Application List entry in the Client Assignment section of the Properties window for the Application List entry.

• Modify Client Assignments directly from the information pane.

• Modify Client Assignments directly from the Client Assignments list displayed for each application, in the information pane.

How to ...

• Assign Clients to the Client List

• Unassign Clients from the Client List

• View Client Properties

• Schedule Access Hours

Add Folder This button adds all files contained in the folder.

Remove This button removes files that are selected from the listed files.

Client Assignments

Add (+) This button adds clients that can then be assigned to this application restriction.

Permissions

Users/Groups Specify permissions for this application restriction list.

APPLICATION RESTRICTIONS LIST PROPERTIES

DESCRIPTION

451


Assign Clients to the Client List

1. Click the + from the toolbar of the Application Restrictions information window pane.

2. Select from the list of available clients on the Select Clients window. Use Ctrl or Shift to make multiple selections.

Use the + (plus sign) to add clients that are not in the list.

Unassign Clients from the Client List


• Select clients in the list on the Client Assignments window, or Client assignments list in the information pane, and then click the - from the toolbar.

• Click on the blue - icon on the toolbar of the information pane for Applications Restrictions, and then select from the list of available clients on the Select Clients window.

Use Ctrl or Shift to make multiple selections.

View Client Properties

1. Click on Client Properties to view details about the selected client.

Schedule Access Hours

1. Click on the Schedule icon to edit Application List access.

A separate schedule can be defined for each client in the list. Schedule options include:

Allow All Select this option to allow unlimited access to the Application List

Deny All Select this option to deny unlimited access to the Application List.

Edit Schedule Select this option to specify the exact hours of the days and the days of the week to allow access to the applications in the Application List.

452


Connection Policies

Connection policies are used to define automatic device connection and optimizations when users log on to a remote computer. Connection policies can be configured, and assignments and permissions defined. Connection policies are set to Undefined by default.

To set Connection policies, open the Connection Policy Wizard one of the following ways:

• Expand the Resources node and highlight the Connection Policy node, and then select Actions | New Connection Policy... from the toolbar or the information pane.

• Expand the Resources node and right-click on the Connection Policies, and then select New Connection Policy....

• Expand the Resources node and highlight the Connection Policy node, and then select Actions | New Connection Policy... from the toolbar.

The following options can be defined:

CONNECTION POLICY PROPERTY

OPTIONS

Name This name is used for organizational purposes and is displayed on the vWorkspace Management Console.

Remote Computer Sound • Undefined


• Do Not Play


Local Devices

453


How to ...

Define New Connection Policy Properties


2. Expand the Resources node, and do one of the following to open the Connection Policy Wizard window:

• Highlight Connection Policies and then click New (green + sign) on the toolbar of the information pane.

• Highlight Connection Policies and then click the green plus sign from the toolbar.

• Right-click on Connection Policies and then select New Connection Policy.

• Highlight Connection Policies, and then select Actions | New Connection Policy.

3. Click Next on the Welcome window of the Connection Policy Wizard.

4. Enter a name for the connection property on the Name window, and then click Next. This is the name that appears on the vWorkspace Management Console.

Disk Drives

Printers

USB Devices

Serial Ports

Smart Cards

Universal Printers

Clipboard

Microphone

• Undefined

• Yes

• No

• Defer to End User

Experience Optimizations

Graphics Acceleration

Local Text Echo


Flash Redirection

EOP Xtream

• Undefined

• Yes

• No

• Defer to End User

CONNECTION POLICY PROPERTY

OPTIONS

454


5. Define the settings on the Remote Computer Sound window, and then click Next.

6. Define the local device settings, and then click Next.


455


8. Assign clients to this connection property on the Client Assignments window by doing the following:

a) To add clients, click on the blue plus sign.

b) Select a client from the list, or click the green plus sign to add a client or clients.

c) Browse for the user on the Add Clients window, and then click OK.

d) Select the added client or clients from the Select Clients window, and then click OK.

9. Click Next on the Client Assignments window.

10. Enter permissions, as appropriate, on the Permissions window, and then click Finish.

456


Color Schemes

A color scheme can be assigned to vWorkspace clients by administrators. The color scheme is used when connecting to applications or desktops hosted from vWorkspace enabled RD Session Host/Terminal Servers and VDI computers.

How to ...

Assign a Color Scheme


2. Expand Resources, and then select Color Schemes.

3. Click on the Toggle Client Assignment List Display button to change the display view, as appropriate.

4. To select a color scheme, do one of the following:

a) Right-click on the color, and then select Assign to.

b) Click the Assign to icon (+) from the toolbar.

Color schemes are listed in alphabetical order.

5. Add or remove clients in the Select Clients window.

6. Click OK.

Drive Mappings

Administrators can assign network drive mappings to vWorkspace clients to use when they are connecting to applications and desktops hosted from vWorkspace enabled RD Session Host/Terminal Servers and VDI computers.

Assigning drive mappings through the vWorkspace Management Console has the following advantages:

• Domain administrative rights are not required.

• Knowledge of scripting languages or command line syntax is not required.

When assigning color schemes through the vWorkspace Management Console, a color scheme is not loaded for Microsoft Vista or later.

457


• Drive mappings are only applied when connecting to vWorkspace enabled RD Host Sessions/RD Session Host/Terminal Servers or managed desktops. Drive mappings do not take effect when connecting to systems in the Other Servers node.

• More flexibility in how mappings are assigned.

How to ...

Create a New Drive Mapping


2. Expand Resources.


a) Select Drive Mappings, and then click on the + on the toolbar in the information pane.

b) Right-click Drive Mappings, and select New Drive Mappings.

4. Click Next on the Welcome window of the New Drive Mapping wizard.

5. Select the values for this drive mapping on the Values window, and then click Next.

458


The values associated with drive mappings are listed below:

6. Enter alternative credentials to be used when mapping this drive, if appropriate, and then click Next.

7. Complete the Client Assignment window to assign the drive mapping to the clients, and then click Next.

a) Click the plus (+) sign to select clients, and the Select Clients window appears.

b) Use the green plus (+) sign to add clients that are not included in the Select Clients window.

c) Use CTRL to select more than one client to assign.



Environment Variables

Administrators can assign environment variables to vWorkspace clients when connecting to applications or desktops hosted from vWorkspace enabled RD Session Host/Terminal Servers or VDI computers. These environment variables are created automatically when the user logs on, and are cleared when the user logs off.

How to ...

Create a New Environment Variable


2. Expand the Resources node.

Command Type Use NET USE when creating a traditional network drive mapping.

Use SUBST when a drive letter substitution is required.

Network Path The Universal Naming Convention (UNC) path to the shared network resource.

Drive Letter The letter to be used for mapping.

459



a) Select Environment Variables, and then click the + on the toolbar in the information pane.

b) Right-click on Environment Variables, and select New Environment Variables.

4. Click Next on the Welcome window of the New Environment Variable wizard.

5. Enter a name and value for the environment variable, and then click Next.

6. Complete the Client Assignment window to assign the application restriciton, and then click Next.



c) Select clients from this list. Use CTRL to select more than one client to assign.



Host Restrictions

The Host Restrictions tool allows administrators to assign access control rules to restrict user access to IP based network hosts.

Host Restrictions work at the network layer, intercepting requests from applications to connect to particular IP addresses on particular TCP ports. Host Restrictions allows or denies connections by parsing the access control rules table maintained in system memory.

Host Restrictions rules apply only to those specified by the administrator; they do not apply to all program executables running on the RD Session Host/Terminal Server.

How to ...

Create Host Restrictions


2. Expand the Resources node, and then select Host Restrictions.

460


3. Select + on the toolbar in the information pane, or the context menu of the Host Restrictions node.

4. Click Next on the Welcome window of the Host Restrictions wizard.

5. Enter a name for this host restriction. Optionally, you can also enter a category. Click Next.

6. Specify the Host Type, and then click Next.

If the restriction is by host name or FQDN, select Name as the Host Type. If the restriction is by IP address, select IP Address.

7. Enter the host name or FQDN, or the target Host IP Address, and then click Next.

8. Enter the port or ports to be used on the Ports window, and then click Next.

Separate multiple port numbers with commas, use a hyphen for a range of ports, and an asterisk (*) for all ports.

9. Complete the Client Assignment window to assign the host restrictions to the clients, and then click Next.

a) Click the plus (+) sign to select clients, and the Select Clients window appears.





Registry Tasks

The Registry Tasks tool allows administrators to add, delete, or modify registry keys in the HKEY_CURRENT_USER registry hive without manually loading and editing each user’s ntuser.dat registry hive, or writing complex registry editing scripts for RD Session Host/Terminal Server or VDI environments.

The vWorkspace Management Console should be started from a RD Session Host/Terminal Server when working with Registry Tasks. A non-RD Session Host/Terminal Server computer may not have the registry keys and hives that need to be manipulated.

461


How to ...

Modify a Registry Tasks


2. Expand the Resources node, and then select Registry Tasks.

3. Click the Toggle Client Assignment List Display icon on the information pane to change the view, as appropriate.

4. Select + on the toolbar of the information pane, or New Registry Task from the context menu of the Registry Tasks node.

5. Click Next on the Welcome window of the Registry Task wizard.

6. Enter a name for the registry task on the Name window, and then click Next.

7. Select the appropriate Registry Action from the following options:• Add Key• Delete Key• Add Value• Delete Value

8. Enter the key or value parameters, or use Browse to find the appropriate parameters.

462



a) If you are adding a key, enter the name in the Key field.

b) If you are deleting a value, select it from the list, and then click OK.

c) If you are adding a value, enter the corresponding parameters in the fields.

d) If you are modifying an existing value, change the Value Name, Value Type, or Value fields as appropriate.

e) Select the type of registry value from the Value Type field.

10. Click Next.

463


11. Complete the Client Assignment window to assign the registry tasks to the clients, and then click Next.

a) Click the plus (+) sign to assign, and the Select Clients window appears.





Scripts

Scripts are files that are used to automate repetitive tasks. They can be simple text files or more complex written in a specific programming language. vWorkspace administrators can easily assign scripts to vWorkspace clients using the Scripts option in the vWorkspace Management Console. Some advantages include:

• Administrators do not need to have domain administrative rights.

• Editing the registry on each RD Session Host/Terminal Server is not necessary.

• Modifying the usrlogon.cmd command script on each RD Session Host/Terminal Server is not necessary.

• Use any Windows executable to write the script, such as bat, cmd, or exe.

• Increased flexibility and control over how the scripts are assigned.

The following considerations should be used when working with scripts on vWorkspace enabled RD Session Host/Terminal Servers:

• It is best to use a single method to start the script. Troubleshooting can be difficult if scripts are started using different methods.

464


• The scripts used in the vWorkspace Management Console and scripts started using other methods should not interfere with each other.

• The simplest form of a script should be used for the task. Do not write a complex script to carry out a task that can be accomplished using a command line script.

How to ...

Assign a Script


2. Expand the Resources node, and then select Scripts.



a) Click the + on the toolbar of the information pane.

b) Right-click on the Scripts node, and then select New Script.

5. Click Next on the Welcome window of the Scripts wizard.

6. Type the complete path and file name in Script File on the Script File window, or use the ellipsis to browse to the script. Click Next.

The script must be on a network share. If you are typing a path name, it would look like, \\servername\sharename\script.bat.

7. Complete the Client Assignment window to assign the scrip to the clients, and then click Next.

a) Click the plus (+) sign to assign, and the Select Clients window appears.


c) Select the clients from the list. Use CTRL to select more than one client to assign.



The scripts do not execute in interactive mode, so Pause, Echo, and any other outputs are not displayed.

465


Time Zones

A date and time stamp that is placed on opened files, messages, and scheduled meetings is based upon an application location, which can be a RD Session Host/Terminal Server in a time zone that is different from the user. The Time Zones tool allows administrators to assign appropriate time zones to users in a RD Session Host/Terminal Server or VDI environment.

How to ...

Assign a Time Zone


2. Expand the Resources node, and then select Time Zones.


4. Select the appropriate time zone from the alphabetical list.


Right-click on the time zone and select Assign to.

– OR –

Click the Assign to icon (the icon with the blue circle and a white plus sign) from the toolbar in the information pane.


7. Click OK.

User Policies

The User Policies tool provides a way for vWorkspace administrators to better control user desktop environments. The following settings can be controlled with User Policies:

• Windows Components — Windows Explorer, and Help and Support Center

• Start Menu and Taskbar— Control Panel and Display

• System — Ctrl+Alt+Del options and Logon

466


The Properties option of User Policies allow administrators to select which policy template is used to create new user policies. Two user policies are provided with vWorkspace, Default Admin and Default User, which contain settings that are commonly implemented for administrators and users. These policies can be modified and duplicated as appropriate. vWorkspace administrators can also add new policy templates.

How to ...

• View User Policies Properties

• Create User Policies

• Modify User Policies

View User Policies Properties


2. Expand the Resources node.

3. Highlight User Policies, and do one of the following:

• Right-click, and then select Properties.


• Click on the Properties icon on the toolbar.

4. Select the policies that are to be used as the default templates for new user policies.

5. Click Policy Templates on the General window to import or remove policy templates.

Create User Policies


2. Expand the Resources node, and then click User Policies.

3. Click on the Toggle Client Assignment List Display button in the information pane to change the display view, as appropriate.

4. Select + on the toolbar of the information pane, or right-click on User Policies, and then select New User Policy.

5. Click Next on the Welcome window of the User Policy wizard.

6. Enter a Name for the new user policy on the Name window, and then click Next.

7. Click Policy Templates on the Templates window, and then select Import, Remove, or Rename policy templates on the Policy Templates window. Click Close.

8. Click Next on the Templates window.

467


9. Select the appropriate policy settings on the Policy Settings window, and then click Next.

The boxes associated with each setting are three-way toggles; checked enables the setting, unchecked disables the setting, gray indicates the setting is not influenced by this policy.







Modify User Policies


2. Expand the Resources node, and then click User Policies.

3. Click Toggle Client Assignment List Display on the information pane to change the display view, as appropriate.

468


4. Double-click the policy that is to be modified.

5. Change the entries, as appropriate, on the User Policy Properties window.

6. Click Apply to make the change, and click OK to close the window.


Virtual User Profiles (MetaProfiles-IT) is an alternative to roaming profiles. Virtual User Profiles eliminate potential profile corruption and accelerates logon and logoff times by combining the use of a mandatory profile with a custom persistence layer designed to preserve user profile settings between sessions.


Wallpapers

A wallpaper can be assigned to vWorkspace clients by administrators. The wallpaper is used when connecting to applications or desktops hosted from vWorkspace enabled RD Session Host/Terminal Servers and VDI computers.

How to ...

Assign Wallpapers


2. Expand Resources, and then select Wallpapers.

3. Click on the Toggle Client Assignment List Display button on the information pane to change the display view, as appropriate.

4. To select a wallpaper, do one of the following:

a) Right-click on the style, and then select Assign to.

b) Click the Assign to icon (the icon with the blue circle and a white plus sign) from the toolbar.


6. Click OK.

Change Wallpaper Properties

Wallpaper properties are available through their context menu.


2. Expand Resources, and then select Wallpapers.

3. Right-click on the selected wallpaper, and select Properties.

469


4. Change the property as appropriate.

Add New Wallpaper


2. Expand Resources.

3. Right-click on the Wallpaper node, and then select New Wallpaper.

– OR –

Select the green plus sign (+) from the toolbar.

4. Click Next on the Welcome window of the Wallpaper wizard.

5. Enter the full path and file name for the wallpaper file and select the Default Style on the General window, and then click Next.

Wallpaper File The full path and file name of the wallpaper.

Note: Each RD Session Host/Terminal Server must have a copy of the bit-mapped image file for the defined wallpapers. It needs to be in the same location as the one displayed here.

Default Style Three options:

• Centered

• Tiled

• Stretched

Client Assignments

A list of vWorkspace clients to whom the wallpaper is assigned.

You can assign or unassign wallpaper from this list.

Permissions The user or groups with permissions for this wallpaper are specified here.

470








471


472

20


• Overview of Virtual User Profiles

• Virtual User Profiles Properties

• Configure Virtual User Profiles

• Mandatory Virtual User Profile

• Define Virtual User Profiles


Overview of Virtual User ProfilesQuest vWorkspace Virtual User Profiles (MetaProfiles-IT) is an alternative to roaming profiles. Virtual User Profiles eliminate potential profile corruption and accelerate logon and logoff times by combining the use of a mandatory profile with a custom persistence layer designed to preserve user profile settings between sessions.

The following is a list of the features and benefits of Virtual User Profiles:

• Assign Virtual User Profiles for both RD Session Host/Terminal Servers and computer groups.

• Combines the persistence of a conventional roaming profile with the speed and robustness of a mandatory profile.

• Achieves unprecedented logon speeds and stability levels (time to load mandatory profile + 1- 2 seconds).

• Multiple profile data sets per user account to satisfy multifarm and server silo requirements.

• Data sets can include HKCU registry subkeys and special folders.

• Data sets can be merged into mandatory profiles, synchronously or asynchronously.

• Data set sizes are typically around 50-200KB.

• Users do not require access permissions to the file servers storing the data sets.

• Temporarily use with local or roaming profiles, which is useful if current profiles contain user settings that must be preserved upon permanently switching to mandatory profiles.

• No scripting required.

• Relies on Windows events such as Logon, Logoff, Connect, and Disconnect.

• Database driven management console.

Virtual User Profiles may be temporarily used in conjunction with existing local and roaming profiles until the relevant data has been completely exported from these profiles. Users whose data has been exported can then be reconfigured to use a mandatory profile.

Virtual User Profiles does not support roaming between different generations of Microsoft Windows. For example, a user cannot roam from an Microsoft Windows XP computer, and then log on to a Microsoft Vista computer and have their profile follow them, as XP and Vista are not the same generation.

474


There are three components of Virtual User Profiles:

• User Profile Storage Server — This option is part of the Peripheral Server Extensions and is only available if RD Session Host/Terminal Services is not detected.

• User Profile (Agent for Terminal Server) — This option installs on Terminal Servers. Once installed, it creates the Quest User Profile Agent service.

• User Profile (Agent for Desktops) — This option installs on Desktops, using Virtual Desktop Extensions (PNTools). See Virtual Desktop Extensions (PNTools) for more information.

How Virtual User Profiles Work

The following describes how Virtual User Profiles simulates roaming profiles during user logon and logoff.

1. User accounts are reconfigured to use a small-size mandatory profile. This mandatory profile is typically stored locally on each Remote Desktop Session Host/RD Session Host/Terminal Server.

2. One or more file servers are designated as storage servers for storing user data sets, subset of HKCU and non-redirected shell folders. These file servers run a very low overhead service dubbed the User State Management Storage Service (User Profiles Storage Service).

3. All RD Session Host/Terminal Servers must run the User Profiles Agent Service. A RD Session Host/Terminal Server running the Agent Service is typically referred to as an Agent Server.

4. Using the vWorkspace Management Console, the administrator specifies all the relevant HKCU subkeys and non-redirected special folders that must persist from one logon to the next. Additional properties are also set to specify the scope of the subkey or folder to either Global or Silo specific.

A Global setting is to be used when the registry subkey or folders are located on every server.

A Silo setting is to be used when the registry subkey or folders are only located on a few specified servers, and those servers are grouped together to create a silo.

5. When a user logs off, the User Profiles Agent Service exports all the relevant subkeys and folders specified by the administrator. The Agent Service then compresses the exported data and sends one or two compressed files (global, silo, or both) to the storage server.

475


6. When a user logs on again, the Agent Service requests the previously exported data from the storage server. It then decompresses the data and merges the subkeys and folders into the mandatory profile.

7. Compressed files are stored on the storage server and named according to the user’s account SID.

Virtual User Profiles PropertiesVirtual User Profiles Properties are used to define such things as storage servers, assign compression levels, define silos, and assign permissions to users so that they can be allowed to or denied access to adding, modifying, or deleting Virtual User Profiles.

Virtual User Profile properties can be configured after components have been installed on the appropriate servers. User Profiles can be accessed by expanding the Resources node of the vWorkspace Management Console. Then, the Properties menu option is available one of the following ways:

• Highlight User Profiles and click on the Properties icon in the toolbar.

• Right-click on User Profiles and select Properties.

The following is a list of properties that can be configured.

• General

• Storage Servers

• Silos

• Permissions

476


General

GENERAL PROPERTY

DESCRIPTION

Compression Level

The level of compression used when storing user profile element data to the storage server.

The options are:

• High

• Medium

• Low

• None

Log Level The level of logging that takes place inside of the profile.

The options are:

• Detailed

• Basic

Refresh Interval The interval, in minutes, that checks are made for User Profiles configuration changes.

477


Storage Servers

A Storage Server is a Windows file server running the Quest vWorkspace User State Management Storage Service (User Profiles Storage Service). This service receives and stores the user’s compressed data subset from the Quest vWorkspace User Profiles Agent service running on the RD Session Host/Terminal Server when the user logs off.

It also retrieves the user’s compressed data subset and sends it to the Quest vWorkspace User Profiles Agent service when the user logs on. The User Profiles data subsets are typically in the range of 50 to 200 KB per user.

User State Management Storage Service should be installed on a Windows server that is configured and optimized as a file server. This service is unavailable for installation if the vWorkspace installation program detects that RD Session Host/Terminal Server (Application Server Mode) is installed on a Windows server.

478


Silos

A silo is a logical group of RD Session Host/Terminal Servers that have a common role or purpose, and have Virtual User Profiles installed on them. Exportable registry subkeys and shell folders can be marked for the Scope of Silo specific.

The Silo Wizard is used to create silo groups. To open the Silo Wizard, do one of the following:

• Expand Resources in the vWorkspace Management Console, and then right-click on User Profiles and select Properties. Click Silos from the left pane, and then click New.

STORAGE SERVER PROPERTIES DESCRIPTION

Server Name The NetBIOS name of the computer which vWorkspace User State Management Storage Service has been installed.

Note: The storage server name cannot include: , \ * + = | : ; ? < > " <space>.

Base Folder The root or base folder where the user profile element data is stored. The specified folder is created if it does not already exist.

Default value is C:\MetaProfiles.

Global Folder The name of the folder where the profile elements defined as global is copied. This folder is created as a subfolder of the Base Folder.

Default is Global.

TCP Port The TCP listening port that the vWorkspace User State Management Storage Service is configured to listen on.

Default value is 5206 if you installed using the Simple type of installation.

At least one Silo must be defined, or profile storage fails.

479


• Expand Resources in the vWorkspace Management Console, and then highlight User Profiles. Select the green plus icon from the toolbar or the information pane to open the Registry Key Properties window. Change Scope to Silo, and then click the Edit Silos.

To complete the Silo wizard, do the following:

1. Click Next on the welcome window.

2. Enter a name for the Silo on the Silo Name window, and then click Next.

3. To add RD Session Host/Terminal Servers:

a) Click Add Terminal Servers.

b) Expand the location and select the RD Session Host/Terminal Server or RD Session Host/Terminal Servers that are to be added to this silo, and then click OK.

c) Click Next on the Members window to continue the Silo wizard.

RD Session Host/Terminal Servers can only be added to one silo at a time.

4. To add computer groups:

a) Click Add Computer Groups.

b) Expand the location and select the computer group or groups that are to be added to this silo, and then click OK.

c) Click Next on the Members window to continue the Silo wizard.

Computer groups can only be added to one silo at a time.

5. Specify the User State Management Storage Service from the list, and then click Finish.

Before a RD Session Host/Terminal Server can participate in a silo, the Virtual User Profiles component must be installed on the server.

480


Silo properties can be edited from the User Profiles | Properties option, as well as from an individual Virtual User Profile by using the Properties button.

481


Permissions

Permissions enable administrators to allow or deny actions for activities within the vWorkspace Management Console. Users and groups of users who are selected as system administrators have implicit allow permissions for all actions, and may add and remove other system administrators.

See Administration for more information on using permissions.

Configure Virtual User ProfilesThe following items must be configured to use Virtual User Profiles:

• Virtual User Profiles Properties



482


How to ...

Configure Virtual User Profiles Properties


2. Expand the Resources node, and then highlight User Profiles.

3. Do one of the following to open the User Profiles Properties window:

• Right-click on User Profiles and select Properties.

• Highlight the User Profiles option, and then select the Properties icon from the toolbar.

4. Define the Compression level, Log level, and Refresh interval as appropriate on the General window, and then click Next.

5. Define Storage Servers by clicking New on the Storage Server window and then do the following:

a) Enter a name for the Storage Server, and then click OK.

b) Click in the columns on the ellipsis to change the Base Folder, Global Folder, and TCP Port settings.

Base Folder is to where the profiles are saved. It should be a local path on the server.

Global Folder is the name of the folder for Global settings/profiles.

483


6. Setup Silos by clicking New on the Members window, and then do the following:

a) Click Next on the Welcome window of the Silo wizard.

b) Enter a name for this silo group, and then click Next.

c) Click Add Terminal Servers or Add Computer Groups to define the silo. Select the appropriate Terminal Server or computer group from the Select window, and then click OK.

RD Session Host/Terminal Servers and computer groups can only be added to one silo at a time.

d) Click Next on the Members window.

e) Select the User Profile Storage Server from the list, and then click Finish.

The silo you just added appears on the list.

f) Click Next on the Silos window.

7. Specify Permissions, as appropriate, and then click Finish.

484


Mandatory Virtual User ProfileIt is recommended that you use mandatory virtual user profiles in conjunction with Virtual User Profiles. When creating a mandatory virtual user profile, consider the following:

• Use a specialized local or domain user account for purposes of profile management.

• Create the mandatory virtual user profile in which users are logging in to on one of the RD Session Host/Terminal Servers.

• Make the mandatory virtual user profile as generic as possible.

• Use Virtual User Profiles, User Environment Control (Manage-IT), and other management features within the vWorkspace Management Console to control user profiles.

• Remember to rename ntuser.dat to ntuser.man to make the HKCU registry hive mandatory (read-only).

• Use the System Control Panel applet to copy the mandatory user profile to the target RD Session Host/Terminal Servers and set Permitted to Use to Everyone.

• Add a MAN extension to the root folder name of the mandatory user profile to make it read-only (use folder redirection user profile elements with Virtual User Profiles to give users write access to needed folders).

• Assign the mandatory virtual user profile to the appropriate user accounts in Active Directory.

Assign Mandatory Virtual User Profiles

After the mandatory profile has been created and copied to all servers in the RD Session Host/Terminal Server group, it then must be assigned to the appropriate user accounts. When specifying the profile path keep the following in mind:

• The path should be expressed as a local file system path, not a UNC path.

• Variables such as %SystemDrive% can be used.

• Do not add the user account name or %username% at the end of the path.

485


• Use the Terminal Services Profile tab rather than the Profile tab of User Properties.

• Path cannot be set using Active Directory Group Policy as it requires using a UNC path and automatically appends %username% to end of path.

How to ...

Modify a User’s Profile Path in Active Directory

1. Open Active Directory Users and Computers MMC snap-in.

2. Locate the user object that is to be modified using Browse or Find.

3. Right-click on the user object, and then select Properties.

4. Click on the Terminal Services Profile tab.

The Terminal Services Profile path can be set via Active Directory Group policy if the domain controllers are Windows Server 2003 Service Pack 1 and appropriate hotfixes have been applied.

5. In the Profile Path box, enter the local file system path to the mandatory user profile.

6. Click OK.

Visual Basic scripting can be used to automatically modify the profile path for existing users. The sample below is from Microsoft TechNet Script Center Library.

Define Virtual User ProfilesVirtual User Profile Elements determine which keys in the HKEY_CURRENT_USER registry hive are exported and saved on the User State Management Storage Service.

486


Normally, when using a mandatory user profile, a user or applications being used cannot save changes to ntuser.man, the file that makes up the user’s HKEY_CURRENT_USER registry hive. User preferences and other user specific application settings are not saved. However, the user and applications being used by the user can modify any of the keys that have been exported.

It is important for the vWorkspace administrator to accurately determine all the HKEY_CURRENT_USER keys the user might need to modify, and then define them as User Profile Elements to be exported.

If registry subkeys and folders are only located on a few specified servers, then those servers should be grouped together into a single silo and the registry subkey should be marked Silo. For example, if Microsoft Office is only installed on some RD Session Host/Terminal Servers in the farm, then it makes sense to only import and export the registry subkey HKCU\Software\Microsoft\Office when users access those servers.

Or, if registry subkeys and folders are located on every server, such as if Adobe Acrobat Reader is installed on all the RD Session Host/Terminal Servers, then it makes sense to always import and export the registry subkey HKCU\Software\Adobe\Acrobat Reader and select Global as the Scope.

Each User Profile element has the following properties associated with it.

487


USER PROFILE ELEMENT PROPERTY

DESCRIPTION

Category A user definable name used to associate one or more user profile elements with each other.

Type & Location This setting is used to define the User Profile element being configured as either a Registry Key or a Special Folder.

The Registry Key input box used to specify which registry key or special folder is to be exported.

Logon Processing If this setting is Synchronous, all elements must be retrieved and merged before the user’s Window desktop is presented.

If this setting is Asynchronous, not all registry keys, files, and folders need to be present prior to the presentation of the user’s Window desktop.

Scope This setting specifies if the User Profile element is applied on a Global or a Silo basis.

• Global is all RD Session Host/Terminal Servers in the vWorkspace infrastructure.

• Silo is only those that are members of a specified RD Session Host/Terminal Server group. If Silo is selected, a Silo input box appears.

See Silos for more information on defining Silos.

Client Assignments This setting is used to specify the clients to which the user profile is to be assigned.

Permissions This setting is used to specify permissions for this user profile item.

488


How to ...

Define a Registry Key in User Profiles

1. Open the vWorkspace Management Console from the desktop of a RD Session Host/Terminal Server that is known to have the appropriate body of registry keys.

2. Expand the Resources node, and then select the User Profiles.

3. Right-click User Profiles, and then select New User Profile. Alternatively, you can select the New icon, which is the green plus sign (+) in the information pane or the toolbar, or from the Actions menu item.

4. Click Next on the welcome window of the User Profile wizard.

5. Type a new Category name or select an existing one from the list, and then click Next.

This is used only for organization within the console.

If there are no categories in the database, the drop-down list is empty. Once you create a category, it becomes available from the list.

489


6. On the Type & Location window, select Registry Key, and then enter the desired Registry Key path and name or use the ellipsis to browse to it. Click Next.

7. Select Asynchronous or Synchronous in the Logon Processing window, and then click Next.

490


8. Select Global or Silo on the Scope window. If Silo is selected, use the Silo field to identify the group that will use this profile element or click Edit Silos to add a new silo.

See Silos for more information on adding silos.

9. To assign this User Profile to a user, complete the Client Assignments window as appropriate, and then click Next.

10. To assign permissions to this User Profile, complete the Permissions window as appropriate, and then click Finish.

Define Special Folder User Profiles

Special Folder User Profiles determine which folders within the user’s profile are exported and saved on the User State Management Storage Server. As with registry keys, any folders or applications being used need change permissions to be exported.

This mechanism offers control over a broader selection of folders, and higher levels of compression for increased performance and reduced storage requirements.

491


How to ...

Define a Special Folder User Profile Element

1. Open the vWorkspace Management Console from the desktop of a Terminal Server that is known to have the appropriate body of registry keys.

2. Expand the Resources node, and then highlight the User Profiles node in the navigation pane.

3. Select New User Profile from the context menu of User Profiles, or click the New icon, which is the green plus sign (+) in the information pane toolbar.

4. Click Next on the welcome window of the User Profiles wizard.

5. Type a new Category name or select an existing one from the list, and then click Next.

This is used only for organization within the console.

If there are no categories in the database, the drop-down list is empty. Once you create a category, it becomes available from the list.

492


6. On the Type & Location window, select Special Folder, and then enter the desired Special Folder path and name or use the ellipsis to browse to it.

7. Click Next.

8. Select Asynchronous or Synchronous in the Logon Processing window, and then click Next.

493


9. Select Global or Silo on the Scope window. If Silo is selected, use the Silo field to identify the group that will use this profile element or click Edit Silos to add a new silo.

See Silos for more information on adding silos.

10. To assign this User Profile to a user, complete the Client Assignments window as appropriate, and then click Next.

11. To assign permissions to this User Profile, complete the Permissions window as appropriate, and then click Finish.

494

21

vWorkspace and Secure Gateway

• About Secure Gateway

• Installation

• Secure Gateway Configuration

• Deployment Options


About Secure GatewayQuest vWorkspace Secure Gateway is designed to simplify the deployment of applications over the Internet, securely and cost-effectively. The purpose of the Secure Gateway is to act as a checkpoint (proxy) to prevent direct access to the internal vWorkspace resources of an organization. Secure Gateway can proxy connections to three vWorkspace components: vWorkspace Web Access, vWorkspace connection broker and the RDP listener on a vWorkspace virtual desktop/RD session host.

Requests destined to either a Web Access server, a vWorkspace connection broker or a vWorkspace remote host are SSL encrypted at the client end point and sent through the corporate firewall on TCP port 443 to the Secure Gateway. Once received by the Secure Gateway, the data is decrypted and forwarded to the destination on the appropriate port. Outbound responses from the vWorkspace resource pass back through the Secure Gateway and are encrypted and forwarded to the client end point’s web browser or vWorkspace connector, depending on the proxy.

Below is listed an example of the basic steps taken in communicating through the Secure gateway’s RDP proxy.

• RDP connections are SSL-encrypted at client end points and sent through the corporate firewall on TCP port 443.

• Once received by the Secure Gateway, the data is decrypted and forwarded to the destination virtual computer on TCP port 3389.

• Outbound RDP traffic passing through the Secure Gateway is encrypted and forwarded to the client end point.

Connections to Web Access can be direct, not through the Web Interface Proxy. However, this will require a separate SSL certificate.

496


Installation

The Secure Gateway requires the following for installation:

• One or more X.509 web server certificates

• For SSL certificates that have been installed on Web Access or Connection Broker servers, the trusted root certificate for the issuing Certificate Authority (CA) must be installed into the Windows certificate store of the Secure Gateway and the certificate store of the connecting client end point.

The following are recommended and supported configurations for the Secure Gateway

• The Secure Gateway should be placed in a DMZ network or a protected internal network

• The Secure Gateway can installed on either a physical or virtual computer.

• The Secure Gateway can be used with or without Web Access

• The Secure Gateway can be used in conjunction with third-party load balancing appliances.

About the Secure Gateway Certificate

The following are suggested best practices for your Secure Gateway certificate.

• Your certificate should have the same Issued To and Friendly Name.

• The certificate should be an RSA (1024) certificate, not an AES certificate. 4096-bit certificates have been tested successfully.

Microsoft IIS can exist with the Secure Gateway, but it is not required.

The Secure Gateway should not be installed on Terminal Servers. The only exception would be for proof of concept purposes.

497


• You should have a private key that corresponds to the certificate.

• On the Certificate Properties window, General tab, Server Authentication should be listed and selected.

498


Secure Gateway ConfigurationThe Secure Gateway is configured using the Quest Secure-IT applet, located in the Windows Control Panel. The Secure-IT applet allows the management of three separate proxies. Each proxy secures communication to a separate vWorkspace component.

• RDP Proxy - The RDP Proxy functionality provides the ability for users on a public network (like the internet) to connect to virtual desktops and/or Remote Desktop Session Hosts that are managed by vWorkspace and located on a private network.

• The connection to this proxy is always SSL encrypted

• Web Interface Proxy - The Web Interface Proxy functionality provides the ability for users on a public network (like the Internet) to connect to Quest vWorkspace Web Access through the Secure Gateway.

• The connection to this proxy can optionally be SSL encrypted. Under certain circumstances,

• Connection Broker Proxy - provides the ability for users on a public network (like the Internet) to connect to a Quest vWorkspace Connection Broker that is located on a private network.

• The connection to this proxy can optionally be SSL encrypted.

499


PROXIES TAB FIELDS DESCRIPTION

RDP Proxy

Local IP Address This check box enables SSL encryption of RDP session traffic between the vWorkspace connector and vWorkspace enabled Remote Desktop Session Hosts and virtual desktops.

The IP address for the Secure Gateway for inbound requests is selected from the list.

Local Port The TCP port number to be used for SSL encryption of RDP session traffic.

Default is 443.

Note: If Microsoft IIS exists on the Secure Gateway, the port 443 might already be in use.

Certificate Name This field is for selection of the web server certificate that is to be used by the Secure Gateway for inbound SSL-encrypted RDP session traffic.

Note: Only certificates installed in the Windows computer store are recognized.

Web Interface Proxy

Local IP Address This check box enables secure web browser traffic between the vWorkspace connector and the Web Access web server.

The IP address for the Secure Gateway for inbound Web Access SSL requests is selected from the list.

Local Port The TCP port number to be used for SSL encryption of the Web Access session traffic.

Default is 443.


Destination Host(s) The Secure Gateway forwards requests through the IP address, host name, or FQDN of the Web Access web server. Use commas to separate entries.

500


Dest. Port The TCP port number that the Web Access web server listens on.

Default is 80.

Enable SSL This check box decrypts and then forwards packets.

Unselect this check box, and the packet is sent without being decrypted.


This field is only for use if the Enable SSL check box is selected.

Note: Only certificates installed in the Windows machine store are recognized.

Connection Brokers Proxy

Local IP Address This check box indicates secure traffic between the vWorkspace connector and the Connection Broker servers.

The IP address for the Secure Gateway for inbound Connection Broker SSL requests is selected from the list.

Local Port The TCP port number for SSL encryption of Connection Broker traffic.

Default is 443.


Destination Host(s) The Secure Gateway forwards requests through the IP address, host name, or FQDN of the Connection Broker server. Use commas to separate entries.

Dest. Port The TCP port number that the Connection Broker servers listen on.

Default is 80.


501


Enable SSL If this check box is selected, the Secure Gateway decrypts inbound SSL packets before forwarding them to the Connection Broker servers.

If this check box is not selected the Secure Gateway does not encrypt SSL packets for inbound Connection Broker servers.


This field is only for use if the Enable SSL check box is selected.

Note: Only certificates installed in the Windows machine store are recognized.


502


Deployment Options

The following deployment options discussed in this section are:

• Web Access

• AppPortal Access

• AppPortal and Web Access

Web Access

Web Access acts as a web based portal to a vWorkspace farm. To summarize its function, Web Access validates vWorkspace users, through successful authentication to Active Directory by way of the vWorkspace broker, and directs vWorkspace connectors to the appropriate virtual desktop. In order to use Web Access in conjunction with the Secure Gateway, Web Access must be configured properly. This section discusses the relevant settings. These settings are also discussed in the Web Access Administration Guide

OPTIONS TAB FIELDS DESCRIPTION

Connections Settings

Inactivity Timeout This number is the amount of time a session can be inactive before the Secure Gateway terminates it.

Default is 0 (no time out).

Server Logging

Enable to Trace login to the specified file

If this check box is selected, logging for troubleshooting is enabled.

The name and location for this file is entered into the text box. You can also use Browse.

Log files have a maximum size of 10 MB. Once the maximum is reached a new log file will be generated appended with the date and time. Thus, when not troubleshooting, logging should be disabled.

503


Complete the following steps to configure Quest vWorkspace Web Access to use Quest vWorkspace Secure Gateway:

• Browse to the Web Access Admin page:

• HTTP://<webaccess_servername>/provision/web-it/admin

• Select the ‘Firewall/SSL VPN’ link on the left side of the page.

Default Address Translation Settings

The ‘Default Address Translation Settings’ section controls the default connection behavior for clients connecting to a vWorkspace farm through Web Access. If the Secure Gateway is to be the default connection, this setting should be set to ‘SSL Gateway’.

Custom Address Translation Settings

When there is a need for exceptions to the Default Address Translation Settings, the Custom Address Translation Settings should be used. A good example is when Web Access is used by users who connect from inside the company (those that are on a LAN/private network) as well as by users who connect from outside of the company (those that connect over a public network like the Internet).

Those users connecting over a public network should use the Quest vWorkspace Secure Gateway to ensure maximum security, but those connecting from inside the company might not need that level of security and could connect directly to a virtual desktop/RD session host. To achieve the later scenario and override the Default Address Translation, the ’Custom Address Translation Settings’ section needs to be set to “Normal Address”, and the network subnet of the excepted client end points needs to be entered into the “Client Address Prefix” list. This is done by entering the subnet and clicking “Add”. Please note that the network subnet notation needs to end with a “.” The custom address translation setting would override the default setting, which, in this case, is Secure Gateway. As demonstrated below, all connections would be routed to the Secure Gateway unless the client prefix is equal to "10.1.1.".

504


SSL Gateway Settings

In the SSL Gateway section of Quest vWorkspace Web Access, the connectivity information for the Quest vWorkspace Secure Gateway being used needs to be provided. Depicted below is a configured Web Access ‘SSL Gateway’ page. Each setting will be discussed below the image.

505


FORM FIELDS DESCRIPTION

SSL Gateway

External SSL Gateway FQDN/IP Address

This setting controls the Quest vWorkspace Secure Gateway addressing for Quest vWorkspace Web Access. This setting needs to be the exact name that the SSL Certificate for Quest vWorkspace Secure Gateway was issued to. If the Certificate was issued to an IP address, then the IP address should be in this section, if the Certificate was issued to a Fully Qualified Domain Name (FQDN), it should be set here.

TCP Port TCP Port should be set to mirror the setting for the local port of the RDP proxy in the Quest vWorkspace Secure Gateway applet.

SSL Gateway/Local Address (IP) Enter the IP address of the Quest vWorkspace Secure Gateway server and click the ‘Add’ button.

SSL Gateway/Local Address List Shows what Quest vWorkspace Secure Gateway servers are configured for communicating with this Web Access instance.

Enable NAT support for Firewall Traversal

If the Secure Gateway server is located in a Demilitarized Zone (DMZ) this box may need to be checked but only if Network Address Translating (NAT) is in effect between the DMZ and the Internal Network.

Web Access URL (external users) This is the URL which users on the outside of the network will be connecting to.

Web Access URL (internal users) If the URL is different than the external users, this should be filled in with the proper link for Internal Users

506


AppPortal Access

This configuration is used when a secure single point of entry is needed for users connecting from external networks, but the connections are managed by AppPortal, rather than Web Access. In this scenario, the Connection Broker proxy and the RDP proxy are the two Secure Gateway proxies enabled.

The Secure Gateway is the only access point to the vWorkspace infrastructure. Remote clients gain access to the system using a single FQDN. Only one firewall access rule is required to permit inbound connections to the Secure Gateway on TCP port 443.

The Secure Gateway, if situated in the DMZ, may require additional firewall rules to allow the Secure Gateway to communicate with the Connection Brokers and the virtual desktops on the internal network.

How to ...

Configure AppPortal Access

1. Use the following path to access the applet:

Control Panel | Quest Secure-IT

2. Complete the RDP Proxy section as follows:

a) Select Local IP Address, and then select an IP address from the list.

A valid 128-bit SSL certificate must be installed on the Secure Gateway.

507


b) Enter the Local Port.

c) Click the Lock icon to select the web server certificate used by the Secure Gateway for inbound SSL-encrypted RDP session traffic.

Only certificates installed in the Windows machine store are recognized.

3. Complete the Connection Broker Proxy section as follows:

a) Select Local IP Address, and then select an IP address from the list.

b) Enter the Local Port.

c) Enter the IP address, host name, or FQDN of the Web Access web server that the Secure Gateway forwards requests. Use commas to separate entries.

d) Click the Lock icon to select the web server certificate used by the Secure Gateway for inbound SSL-encrypted RDP session traffic.

Only certificates installed in the Windows machine store are recognized.

4. From the AppPortal Interface at the client end point,

a) Configure a farm connection using AppPortal | Manage Connections, or by right-clicking on the farm from the vWorkspace Management Console.

b) Enter the FQDN of the Connection Broker proxy in the Server List on the Connectivity tab.

c) Select Enable RDP over SSL/TLS, and then enter the FQDN of the RDP proxy in the SSL Gateway Server field.

Both the RDP and the Connection Broker proxies can share the same IP address and TCP port.

508


AppPortal and Web Access

This option describes a setup where the vWorkspace connector is accessed by AppPortal and Web Access.

The Secure Gateway and Web Access, if situated in the DMZ, require additional firewall rules to permit the Secure Gateway to communicate with the virtual desktops and the Connection Broker, and for Web Access to communicate with the Connection Broker.

If you are using Secure Gateway in conjunction with Web Access, you must specify both the internal and external Web Access access URL’s on the Firewall/SSL VPN section of the Web Access Management console. See Set Firewall/SSL VPN by Farm for more information.

509


There are two possible ways to configure the use of the AppPortal and Web Access.

One option allows all three proxies to share the same IP address and SSL certificate, but the Web Access and the Connection Broker proxies have different TCP ports. This allows the Secure Gateway to distinguish HTTP connections going to Web Access from HTTP connections going to the Connection Broker.

A second option is for all three proxies to use the same TCP port, but the Connection Broker has a different IP address and SSL certificate.

How to ...

Configure AppPortal and Web Access

1. Use the following path to access the applet:

Windows Control Panel | Quest Secure-IT

2. To configure using the same IP address and SSL certificate:

a) Enter the same IP address in the RDP Proxy, Web Access Proxy, and Connection Broker Proxy fields.

b) Enter the same Local Port for RDP Proxy and Web Access Proxy, and a different Local Port for the Connection Broker Proxy.

510


3. Complete the other fields as appropriate, and then click Apply to make the changes without closing the window, or click OK to make the changes and to close the window.

.

a) Configure a farm connection using AppPortal | Manage Connections, or by right-clicking on the farm from the vWorkspace Management Console.

b) Enter the FQDN of the Connection Broker proxy in the Server List on the Connectivity tab.

c) Select Enable RDP over SSL/TLS, and then enter the FQDN of the RDP proxy in the SSL Gateway Server field, and then click OK.

Both proxies may share the same FQDN, but the Connection Broker proxy is set to a different TCP port.

511


4. To configure using the same TCP port:

a) Enter the same TCP Port number in the RDP Proxy, Web Access Proxy, and Connection Broker Proxy fields.

b) Complete the other fields as appropriate, and then click OK.

c) Configure a farm connection using AppPortal | Manage Connections, or by right-clicking on the farm from the vWorkspace Management Console.

d) Enter the FQDN of the Connection Broker proxy in the Server List.

e) Enter the FQDN of the RDP Proxy in the SSL Gateway Server field.

f) Click OK.

The RDP and Web Access proxies can share the same IP Address, TCP Port, and Certificate Name. The Connection Broker Proxy is bound to a different IP Address and Certificate Name.

512

22

Universal Printing

• About Print-IT

• Print-IT Components

• Universal Print Driver

• Universal Network Print Services

• Printers Window in vWorkspace Management Console


About Print-ITQuest vWorkspace Print-IT is a single driver printing solution that satisfies both client side and network printing needs in a vWorkspace environment. In addition to its driver independent approach to printing, benefits include:

• Support for both EMF and PDF modes of printing.

• No requirement for Adobe Acrobat Reader on the client.

• No requirement for the server side fonts to be preinstalled on the client.

• Size optimized print streams.

• Adaptive compression technology (multiple compression algorithms for color and black and white images).

• Bandwidth usage control and intelligent font embedding (only fonts that do not exist on the client are embedded inside the print stream).

• Partial font embedding (only the used portion of fonts are embedded inside the print stream).

• Excellent print quality.

• Incredible print performance and reliability.

• Page level streaming for instant printing of large size documents.

• Support for native printer features, such as bins, paper sizes, margins, and print quality.

• Support for private printer features, such as manufacturer specific features of stapling and watermarks.

• Support for the RAW data type.

• Multiple printer naming options.

• Synchronous or asynchronous printer creation, which ensures the creation of at least one printer before the server side application is started.

• Clientless support for LAN connected print servers.

• Clientless support for remote site print servers in situated and distributed environments.

• Support for virtually any printer make and model.

514

Universal Printing

Print-IT ComponentsThe primary Print-IT components are:

• Universal Print Driver

• Universal Network Print Services

Universal Print DriverUniversal Print Driver (Print-IT) enables driver independent, universal printing to client side printers, corporate, and remote site printers in a distributed enterprise.

The options of Universal Network Printer Auto-Creation and Universal Client Printer Auto-Creation enable users to access printers, either network or client without the need for printer specific drivers to be installed on the RD Session Host/Terminal Server.

• Universal Client Printer Auto-Creation — Enables users to autocreate and print to their client side printers using a single universal print driver, eliminating the need to install printer specific drivers on RD Session Host/Terminal Servers.

• Universal Network Printer Auto-Creation — Enables users to connect and print to shared network printers using a single universal print driver, eliminating the need to install printer-specific drivers on RD Session Host/Terminal Servers.

Universal Network Printer Auto-Creation Option

Shared network printers can be autocreated for vWorkspace clients when logging on to a Terminal Server session using Windows native print drivers, the vWorkspace Universal Print driver, or both. When installed on a traditional Windows network print server, printers are autocreated and shared using the universal print driver. These printers have the same features as the original network printer.

515


Once the Print-IT printers have been created and shared, they can be assigned to the appropriate clients using the vWorkspace Management Console, or if appropriate, scripted logic. Printer connections are established successfully because the same driver is also installed on the servers. Because the connections are to the universal print driver printers and not the original printers, the manufacturer-specific print drivers do not need to be present on the server, leaving them driver-free.

When the universal print driver does not support a specialized feature of a printer or the driver is not compatible with a print device, autocreated printers can be assigned to clients using the native driver for that printing device.

The network printer auto-creation mode is a clientless mode; it does not require installing the universal print driver client software on the client supporting devices.

Autocreating shared network printers for vWorkspace clients using the vWorkspace Universal Print Driver involves the following items:

• Install vWorkspace Universal Network Print Server Extensions on to the Windows-based print servers.

• Install and share the desired printers on the Windows based print servers as normal.

516

Universal Printing

• Add the Windows based print servers as print servers using the Manage Print-IT Printers option on the vWorkspace Management Console.

• Select the printers to be defined as universal print driver printers using the Manage Print-IT Printers option on the vWorkspace Management Console.

• Assign the printers to the appropriate vWorkspace clients from the vWorkspace Management Console.

Universal Client Printer Auto-Creation Option

The Universal Network Printer Auto-Creation option enables client side printers to be autocreated during logon for each user session. For each client printer, Print-IT autocreates and configures a server side printer using the universal print driver that has the same printer features as the client printer.

Client printer autocreation relies on a custom virtual channel driver to transfer the print job from the server to the client. This mode of operation requires the universal print driver client software to be installed on the client computers.

Administrators specify what types of client printers to autocreate, as well as allowing users to choose which printers that can be autocreated.The types of client printers that can be autocreated include:

• Local printers

• Network printer connections

• Only the default printer

• All the printers and printer connections

Administrators can also configure several preferences and performance parameters including the printer naming convention, print bandwidth upper limit, and compression options.

To enable the autocreation of client printers, the following criteria must be met:

• The Universal Client Printer Auto-Creation feature must be installed on to every Terminal Server to which users connect.

• The Client Printer Auto-Creation options, at least one, must be enabled on every Terminal Server to which users connect.

• The universal print driver software must be installed on the client device, which is installed as part of the vWorkspace Client installation.

517


• The Auto-Creation options, at least one, must be enabled in the client.

• The Universal Printers virtual channel must be enabled on the client.

To print to an autocreated client printer, the user simply selects the Print command, and a list of printers is presented to them. Print preview is also available by selecting the Preview before printing from the PNTray menu.

Universal Printer Properties

When the Universal Client Printer Auto-Creation or Universal Network Printer Auto-Creation options are installed on an RD Session Host/Terminal Server, the vWorkspace Universal Printer Properties Control Panel applet is used to control the server’s print settings. Below is a description of the tabs and options that are available.

General Tab

518

Universal Printing

UNIVERSAL PRINTER PROPERTIES GENERAL TAB

DESCRIPTION

Print Data Format The options are PDF or EMF.

Note: It is recommended that you use EMF, as it is a more robust printing mechanism.

Client Printer Auto-Creation Options • Auto-create default printer — Creates a printer mapping only to the default printer on the client device.

Note: By selecting the Auto-create default printer option, any other Client Printer Auto-Creation options that are also selected do not apply.

• Auto-create local printers — Creates a printer mapping for all of the local printers defined on the client device.

• Auto-create network printers — Creates a printer mapping for every network printer defined on the client device.

• Inherit auto-creation settings from client — Autocreates printers based on the properties set on the client device.

519


Client Printer Auto-Creation Wait Mode

• Auto create only default printer synchronously — Requires the mapping to the client’s default printer to be completed before presenting the application or desktop window to the user.

• Auto create all printers synchronously — Requires every printer on the client device to be mapped before presenting the application or desktop window to the user.

This is the slowest method for login.

• Auto create all printers asynchronously — Allows the presentation of the application or desktop window to the user without requiring printer mappings to be made first.

This allows for the fastest login.

Advanced Options • Auto-create printers with full permissions — Elevates user permissions to Full Control for all mapped printers. This is sometimes a requirement for printing with certain legacy applications.

• Delete auto-created printers when sessions disconnect — Causes all mapped printers to be deleted from the server if a user’s session is disconnected. Enabling this feature can improve the reliability of printing in a multi-user environment.

• Synchronize default printer on client and server — Enables synchronizing the settings of the default printer in the user’s Terminal Server session with those of the default printer of the session running on the client device.

UNIVERSAL PRINTER PROPERTIES GENERAL TAB

DESCRIPTION

520

Universal Printing

Compression Tab

Controls when and to what extent compression is applied to the printer output. The options on the window depend on the Print Data Format, either PDF or EMF, that is chosen on the General tab.

EMF Format

521


UNIVERSAL PRINTER PROPERTIES COMPRESSION TAB

DESCRIPTION

EMF Format Data Compression controls the level of compression used for text. Level choices include:

• No compression

• Minimum (best speed)

• Low

• Medium

• High

• Maximum (smallest size)

JPEG Image Compression controls the level of compression used for graphic images. Selectable Level options are:

• No compression

• Minimum (best quality)

• Low

• Medium

• High

• Maximum (smallest size)

522

Universal Printing

PDF Format

523


UNIVERSAL PRINTER PROPERTIES COMPRESSION TAB

DESCRIPTION

PDF Format Black & White Image Compression controls the algorithm used for compressing text and graphics. Algorithm choices include:

• Default compression

• CCITT Fax Group 4

Color Image Compression controls the algorithm and quality level of compression used for color images. Selectable Algorithm options are:

• Automatic (recommended)

• Default compression

• 256 compression

• JPEG compression

Selectable options for Quality Level are:

• Maximum (largest file size)

• High

• Medium

• Low

• Minimum (smallest file size)

Remove duplicate images, if selected, embeds the image once inside the print stream for the purpose of minimizing the use of bandwidth. For example, an image of a logo embedded in a header would only be embedded once.

524

Universal Printing

Naming Tab

The Naming tab is used to control which client printer naming convention to use when naming autocreated client printers.

UNIVERSAL PRINTER PROPERTIES NAMING TAB

DESCRIPTION

Client Printer Naming Convention • Printer Name [Session #]

• Printer Name [Client Name:Session #]

• Printer Name [User Name:Session #]

• [Client Name:Session #] Printer Name

• [User Name:Session #] Printer Name

• Printer Name [User Name]

• [User Name] Printer Name

Use UNC names to client network printers

Select if you want to use UNC names.

525


Bandwidth Tab

Use the bandwidth control slider to limit the amount of bandwidth consumed for printing purposes with each user session on the RD Session Host/Terminal Server. The range is between 5 Kbps and 2 Mbps.

526

Universal Printing

Upgrade Tab

Auto Client Upgrade Options can be used to upgrade older versions of the universal print driver on the client device with a newer one. To enable this capability, select Automatically upgrade clients to new version, and enter the path and file name of the Print-IT client installer package in the input box, or browse to it by clicking the folder icon. This location needs to be the same on the local computer of each server running the server.

You should not select this option if you are using vWorkspace Enterprise or Desktop Services editions, as the universal print driver is already built into the vWorkspace client.

527


Logging Tab

The settings on this tab are used to enable trace logging for universal print driver printers and the Print Monitor. If options are enabled, use the input boxes to enter or browse to identify the path and file name of log files.

This tab is primarily used by Quest vWorkspace Support to assist in troubleshooting.

528

Universal Printing

License Tab

The License tab is only used when the universal print driver has been purchased on a per server basis and is not using concurrent user licensing modes.

529


Server Farm Tab

The Server Farm tab is used to propagate property settings to other servers within your server farm.

UNIVERSAL PRINTER PROPERTIES SERVER FARM TAB

DESCRIPTION

Server Types Filters the display of servers by type. Available types include:

• Terminal Servers

• vWorkspace Servers

• Custom Server List

Propagate When selected, the universal printer settings are propagated to all the servers that were selected.

530

Universal Printing

Notification Tab

The Notification tab is used when administrators want a customized print notification to be sent to user sessions.

UNIVERSAL PRINTER PROPERTIES NOTIFICATION TAB

DESCRIPTION

Display notification below when printing

Select this option for a printing notification message.

Title Type the text that is to be displayed on the title bar of the message window.

Message Type the text for the print notification message.

531


PDF Publisher

This option enables the creation of a PDF file of any print job that is sent to the PDF printer.

Universal Printer Client Properties

The Universal Printer Client Properties is installed as part of the client installation and is used to set various printing options. The Universal Printer Client properties apply only to autocreated client printers, and not to Print-IT printers assigned by the vWorkspace Management Console.

UNIVERSAL PRINTER PROPERTIES PDF PUBLISHER

DESCRIPTION

Create the Print-IT PDF Publisher on this server

When selected, autocreates a PDF Publisher printer for each user session on this server.

Show Print-IT PDF Publisher menu items on client

When selected, a PDF publisher options menu item is added to the Print-IT section of the PNTray context menu.

532

Universal Printing

The Universal Printer Client Properties can be accessed in Control Panel, from the Start option, or from the PNTray as a context menu option once a session to a RD Session Host/Terminal Server has been established.

The tabs and options available on the Universal Printer Client Properties window are described below.

UNIVERSAL PRINTER CLIENT PROPERTIES GENERAL TAB

Auto-Create Options • Auto-create default printer only— Creates a printer mapping to the default printer only, on the client device.

• Auto-create local printers — Creates a printer mapping for each local printer defined on the client device.

• Auto-create network printers — Creates a printer mapping for each network printer defined on the client device.

• Auto-create specified printers only — Creates only the printers selected by the user.

533


Universal Network Print ServicesUniversal Network Print Services enhances the user’s print experience and simplifies network printer manageability in vWorkspace environments by automatically creating shared network printer mappings throughout a distributed enterprise, using a single universal print driver.

The following Universal Network Print Services printing options are available for installation on Windows based network print servers:

• Universal Network Print Server Extensions — Installs on existing dedicated Windows network print servers. Eliminates the need of installing large numbers of drivers on Remote Desktop Session Hosts/Terminal Servers and managed computers by using a single universal print driver to create shared network printers. Also improves network print performance by taking advantage of the highly efficient compression engine found in the vWorkspace Universal Print Driver.

• Universal Print Relay Service for Remote Sites — Installs on remote site and branch office network print servers and works in conjunction with Universal Network Print Server Extensions to extend the benefits of the universal printing architecture across the enterprise. Includes encryption, compression, and bandwidth usage control for high performance and security.

These options enable file servers to efficiently store user profile settings and enhance the accessibility to corporate and remote site print servers through autocreating and sharing network printers using a single universal printer.

Performance Options • Use Printer Properties Cache — Allows printer properties from previous sessions to be cached and used, instead of having to reenumerate them each time a session is set up.

UNIVERSAL PRINTER CLIENT PROPERTIES BANDWIDTH TAB

Enables the user to specify the amount of bandwidth available for printing.

UNIVERSAL PRINTER CLIENT PROPERTIES LOGGING TAB

Enables logging for troubleshooting purposes.

534

Universal Printing

Universal Network Print Server Extensions Option

The Universal Network Print Server Extensions option is used to install the universal print driver onto Microsoft Windows print servers. This option eliminates the need for brand specific print drivers to be installed onto RD Session Host/Terminal Servers and hosted desktops; instead using a single, universal print driver.

This option can also be used along with the Universal Print Relay Service for Remote Sites to further optimize the printing process.

How to ...

• Setup Print-IT Printers

• Add Network Printers

• Assign Printers to Clients

• Universal Print Relay Service for Remote Sites

Setup Print-IT Printers


2. Expand the Resources node, and then click Printers.

3. Click Manage Print-IT Printers on the toolbar of the information pane. It is the computer icon with the letter U.

4. Click Add on the Print-IT Servers on the Manage Print-IT Printers window.

535


5. Type the NetBIOS name or IP address of the Windows print server or browse to it by using the ellipsis on the Add Print Server window.

6. Click Add below the Print-IT Printers section to select printers to be created as Print-IT printers.

7. Browse to the Microsoft Windows Network and select the printer or printers in the Select Network Printer window.

You may select printers shared from any Windows server, not just those with Print-IT installed on them.

Use Ctrl to make multiple selections.

8. Click Close to complete the task.

Add Network Printers

If a device or print feature is incompatible with Print-IT, use the following steps to configure autocreation of network printers using their native drivers.



3. Click Manage Network Printers on the toolbar of the information pane. It is the computer icon with the letter N.

4. Click Add on the Print Server frame on the Manage Network Printers window.

5. Type the NetBIOS name of the Windows print server or use the ellipsis to browse to it, on the Add Print Server window.

6. To select printers to be autocreated, select the desired server from the list in Print Servers.

7. Select each print to be autocreated in Shared Printers on.

536

Universal Printing

8. Click Close to complete the task.

Assign Printers to Clients

Universal printers and Network Printers must be assigned to vWorkspace clients before they can be autocreated.



3. Click Toggle Client Assignment List Display on the toolbar of the information pane to change the layout.

4. Select a printer or printers from the list of Network Printers or Universal Printers.

You may select printers shared from any Windows server, not just those with Print-IT installed on them.

5. Use Assign to assign the printers to clients.

6. Click OK to close the Select Clients window.

Universal Print Relay Service for Remote Sites

Universal Print Relay Service for Remote Sites is a WAN-optimized adaptation of the vWorkspace Universal Network Print Services.

Organizations with geographically disbursed offices containing one or more local print servers can use Universal Print Relay Service for Remote Sites to allow their branch office users to access and print from server based applications hosted at the central office.

Application service providers (ASP) might also use this service to deliver bandwidth efficient printing capabilities to their customers over private links, Internet, and VPN connections.

The advantages of using Universal Print Relay Service for Remote Sites include:

• Clientless printing — The client software does not need to be installed on the remote clients; only Universal Print Relay Service for Remote Sites needs to be installed on the remote site print servers.

Printers created using native Microsoft Windows print drivers are named using the names that appear in the Printer and Faxes folder of the client device. However, once they are added to the vWorkspace database, the name can be changed.

537


• Bandwidth management — The print streams are sent on a WAN link at a preset rate, specified in Kbps, to prevent a print job from consuming all the available bandwidth.

• Size optimization — The print streams produce as small as 10 percent of the size of conventional PCL or Postscript print jobs using techniques such as intelligent/partial font embedding, duplicate image removal, and dynamic compression.

The process of deploying the Universal Print Relay Service for Remote Sites involves the following items:

• Install the Universal Print Relay Service for Remote Sites on the print servers at each remote site.

• Use the Universal Printer Site Relay Control Panel applet to configure network communication parameters and identify the printers that are to be exported to vWorkspace clients when connecting to a vWorkspace RD Session Host/Terminal Server.

• Import the exported network printers from each remote site. Each imported printer is created as a universal printer and shared from a designated print server.

• Assign the printers to the appropriate vWorkspace clients.

Mutual machine level authentication can be configured using an assigned shared pass phrase. Once authenticated, the Universal Printer Site Relay server and Universal Network Print server can encrypt the print data before it is passed across the WAN link, eliminating the requirement for complex Windows or Kerberos trust relations and obtaining commercial server certificates.

Universal Print Relay Service for Remote Sites can be configured to use any port that security administrators allow to be open on the firewalls.

How to ...

• Configure Universal Print Relay Service for Remote Sites

• Add Print-IT Remote Relay Servers

• Import Remote Printers

Configure Universal Print Relay Service for Remote Sites

1. Open the Quest Universal Printer Site Relay applet from the Control Panel. The system opens the Universal Printer Site Relay Properties window.

2. Complete the following information on the General tab.

538

Universal Printing

Remote Site Relay Information

This section is used to configure the network communication protocol and security used by Universal Print Relay Service for Remote Sites on this server.

TCP Port Enter a port number.

Default is 82.

Secret Pass Phrase Enter a secret pass phrase for mutual machine level authentication when Use Encryption is selected.

A maximum of 20 alphanumeric characters is allowed.

Use Encryption Select for encryption between the Universal Printer Site Relay server and the Print-IT print server.

539


3. Complete the following information on the Export List tab.

a) Select the printer or printers to be exported.

The list of printers that appear here are the ones that have been installed and shared on the Universal Printer Site Relay server.

b) Select Properties to set printing preferences for each printer.

c) Select Use Printer Properties Cache, if appropriate.

Bandwidth Control Select the maximum amount of network bandwidth allowed for passing print data to an exported printer on the Universal Printer Site Relay server from a server.

The bandwidth limit is set on a per exported printer basis, allowing each printer to receive the maximum bandwidth limit.

540

Universal Printing

4. Complete the Logging tab if you need to enable trace logging for troubleshooting.

5. Click OK.

Manage Relay Servers

Once Universal Printer Site Relay servers have been configured, their exported printers can be imported into the vWorkspace infrastructure database. In addition to creating a database object representing each printer, the import process also creates and shares a new printer using the universal print driver on the designated print server.

Add Print-IT Remote Relay Servers


2. Expand the Resources node, and then select Printers.

3. Click the Manage Print-IT Printers icon from the toolbar of the information pane.

4. Click Site Relay on the Manage Print-IT Printers window.

5. Select the Manage Relay Servers tab.

6. Click Add.

7. Enter the name or IP address of the Universal Printer Site Relay server to be added or browse to select it using the ellipsis, and then click OK.

After making configuration changes using the Universal Printer Site Relay Control Panel applet, it may be necessary to restart the vWorkspace Universal Printer Site Relay service for the changes to be implemented.

541


8. Select Add new site on the Add Relay Server window, and then click OK.

9. Enter the name for the new site on the New Printer Relay Site window, and then click OK.

10. Enter the two letter suffix to be used to identify the site, and then click OK.

11. Enter and confirm the secret Pass Phrase to be used for authentication to the Print-IT Remote Site Relay server, and then click OK.

12. Set the TCP Port number to the appropriate value.

13. Set the Bandwidth limit for printing.

The bandwidth value that is the lowest, either on the relay server or the print server, is the value that is used.

14. Repeat step 6 to step 11 for each additional remote Universal Printer Site Relay servers.

15. Click OK to complete the task.

Import Remote Printers


2. Expand the Resources node, and then select Printers.

3. Click the Manage Print-IT Printers icon from the toolbar of the details window.

4. Click Site Relay on the Manage Print-IT Printers window.

5. Select the Import Remote Printers tab.

6. Select the Universal Printer Site Relay server that is to be used to import the Relay Sites and Relay Servers listed.

7. Select the server from the list of Print-IT Servers in which the imported printers are to be created.

8. Click Import Now to start the import process.

9. Review the message box confirming the import process has been initiated, and then click OK.

10. Click Close to close the Print-IT Relay Servers window.

11. Click Close on the Manage Print-IT Printers window.

542

Universal Printing

Printers Window in vWorkspace Management ConsoleOnce printers have been added to the vWorkspace Management Console, you can change the printer properties, assign printers to users, and view the printers by using the following path:

vWorkspace Management Console| Resources |Printers

The Printers window in the details pane includes information such as:

• Listing of the network printers, as well as the universal printers.

• Naming conventions for the printers are as follows:

• Universal printers are designated with a (U) after their name.

• Printer names that are relay site related appear with the administrator designated two digit suffix.

• Printer properties for the printers can be viewed and edited by right-clicking on the printer.

543


Assign Remote Printers to Clients

Printers imported from Universal Printer Site Relay servers are assigned to vWorkspace clients in the same manner as Universal Printers and Network Printers. Imported printers are listed under Universal Printers on the details pane of the Resource | Printers section of the vWorkspace Management Console, and have the two letter remote site suffix appended to their names.


2. Expand Resources, and then click Printers.


a) Right-click on the printer in the navigation pane to which users are to be assigned, and select Assign option.

b) Highlight the printer in the navigation pane, and then click the Assign icon, which is the plus sign inside a blue circle.

4. Select the client or clients for the assignment from the list, and then click OK.

You can multiselect by using the Ctrl button.

Print-IT Printer Properties

Universal Printer Properties

The properties for a Universal Print-IT printer can be set by the vWorkspace administrator.

View and Edit Universal Printer Properties




4. Right-click the printer from the list of Universal Printers.

5. Select Properties from the context menu to view and edit the properties.

6. On the General window, change the printer name, as appropriate, and then click Apply.

7. Select PDF or EMF on the Data Format window, and then click Apply.

544

Universal Printing

8. Select the image compression options of the Performance Options window, and then select Apply.

The options presented depend on the Print Data Format selected. For PDF format the available options are:

• B & W Image Compression

• Color Image Compression

• Color Image Quality Level

• Duplicate Images Removal

For EMF format, the available options are:

• Data Compression Level

• JPEG Image Compression Level

9. Change the client assignments, as appropriate, and then click Apply.

10. Change permissions as appropriate, and then click Apply.

11. Click OK to complete the task and save changes.

– OR –

Click Cancel to close without saving the changes.

545


Network Printer Properties

The properties for a Network printer can be set by the vWorkspace administrator.

View and Edit Network Printer Properties




4. Right-click the printer from the list of Network Printers.

5. Select Properties from the context menu to view and edit the properties.

6. Change the client assignments, as appropriate, and then click Apply.

7. Change permissions as appropriate, and then click Apply.

8. Click OK to complete the task and save changes.

– OR –

Click Cancel to close without saving the changes.

546

23

USB Devices

• About USB Devices

• vWorkspace Virtual USB Hub Client

• USB-IT


About USB DevicesFrom headsets to mobile devices, USB devices are frequently used, but can sometimes be problematic when used in a virtualized environment. However, with the vWorkspace features of vWorkspace Virtual USB Hub Client and USB-IT, USB device integration issues can be solved.

vWorkspace Virtual USB Hub ClientQuest vWorkspace Virtual USB Hub Client enables the use of virtually any USB connected device (PDAs, local printers, scanners, cameras, headsets) to be used in conjunction with VDI. Users can connect multiple USB devices, and then decide which devices to share.

The vWorkspace Virtual USB Hub does not generally support Composite USB devices that include a mouse or keyboard class device. A Composite USB device is a USB device that is not one entity, but two or more, such as a keyboard with an integrated mouse or a scanner/printer/fax device. It is important that you test all composite devices for vWorkspace compatibility on a case by case basis.

Requirements

The Virtual USB Hub needs to be installed on a VDI computer along with PNTools. An Enterprise or Desktop license is also required to use this feature.

When the Virtual USB Hub Auto-share check box is selected, a confirmation message box is displayed. The message warns users that auto-share disconnects devices from the local system, and that most USB keyboards and mice are automatically excluded from Auto-share.

However, some multi-interface (composite USB) keyboards might not be automatically excluded from auto-share. These types of devices should be manually excluded before enabling Auto-share.

548

USB Devices

vWorkspace Virtual USB Hub Client

The Virtual USB Hub client side contains the following components:

• Control Panel Applet

• System tray display

• Microsoft Windows Service component

Virtual USB Hub Client Applet

The vWorkspace Virtual USB Hub Client applet is available from the Control Panel setting. The client Control Panel applet appears as follows:

Devices Tab

Share Selecting this option makes the device available to the server. When a device is shared, it is unavailable to the client computer.

Unshare Selecting this option makes the device unavailable to the server, which makes it available to the client computer.

549


Exclude Selecting this option excludes this device from being shared.

See Note in Auto-connect devices.

Unexclude Selecting this option allows the device to automatically be shared.

Properties Selecting this option displays the USB Device Properties window. The ability to add an optional nickname for the device is included in the properties.

Information on this window includes:

• Nickname

• Name

• Location

• Serial Number

• Information

• Status

Auto-share devices Selecting this check box allows the connected devices to automatically be shared with the server.

Note: If a user is going to select this option and they are using a USB keyboard or mouse, they need to confirm that these devices have been excluded before selecting this check box. The keyboard and mouse might not function locally on the client while being shared.

Use Taskbar Icon Selecting this check box allows the system tray to be used.

550

USB Devices

Advanced Tab

Bandwidth Control Select Bandwidth Control, and then set the bandwidth control by moving the slider to the threshold amount.

Compression Set Compression Type to Zip compression, and then do the following:

• Move the slider to set the minimum packet size.

For example, if you set the compression to 1024 bytes, compression occurs only if the amount is greater than 1024 bytes.

• Enter a number from one to ten in the Settings field. The setting values are:

1 = best speed

10 = best compression

551


Virtual USB Hub Client System Tray

The client system tray becomes available when the Virtual USB Hub icon is selected.

Devices are listed with their name, current status, and if they are shared (indicated with a check mark) or excluded (indicated with an X).

To share a device using the system tray, click on it. To exclude a device using the system tray, use CTRL + left-click.

The option Advanced is used to display the Control Panel applet.

Virtual USB Hub Client Services

A Microsoft Windows Services option is available for the client side.

552

USB Devices

vWorkspace Virtual USB Hub Server

The Quest vWorkspace Virtual USB Hub server side contains the following components:

• Control Panel applet

• System tray display

• Microsoft Windows Service component

Virtual USB Hub Server Applet

The server Control Panel applet appears as follows:

Connect Selecting this option enables the device on the server.

Disconnect Selecting this option disables the device on the server.

Exclude Selecting this option excludes the device from being automatically connected.

See Auto-connect devices.

Unexclude Selecting this option allows the device to be automatically connected.

553


The Advanced tab on the server Control Panel applet allows you to set a priority for this service on the server. The setting options are Normal, Low, or High, and the default setting is Normal.

Virtual USB Hub Server System Tray

The server system tray becomes available when the USB Redirection icon is selected.

Devices are listed with their name, current status, and if they are shared (indicated with a check mark) or excluded (indicated with an X).

Properties Selecting this option displays the USB Device Properties window.

Auto-connect devices Selecting this check box allows devices to be automatically connected when they are available to the server.

Use Taskbar Icon Selecting this check box allows the system tray to be used.

554

USB Devices

To share a device using the system tray, click on it. To exclude a device using the system tray, use CTRL + left-click.

The option Advanced is used to display the Control Panel applet.

The server-side system tray appears like this:

Virtual USB Hub Server Services

A Microsoft Windows Services option is available for the server side.

How to ...

Manage USB Devices

The Quest vWorkspace Virtual USB Hub software needs to be installed on the virtual desktop, in addition to PNTools.

1. Open the Quest vWorkspace Virtual USB Hub Client Control Panel applet.

As devices are plugged in, they appear on the device list.

2. Highlight a device from the list and select one of the options, as appropriate.

If users are using a USB keyboard or mouse, prior to selecting the Auto-share devices check box, they need to exclude those devices, If those devices are not excluded on the list, they do not function on the client while being shared.

555


Autoexclude any USB Device

vWorkspace can be configured to autoexclude any USB device.

1. Install this Client version on the user access device. This install can be completed as a new installation, an upgrade from the previous Client version, or by uninstalling the previous client version and installing this client version.

2. Open the Quest vWorkspace Virtual USB Hub Client from the Control Panel.

3. Deselect the Auto-share devices check box, so that devices are not autoshared.

4. Plug in the USB device that is to be autoexcluded. The device will be displayed in the list of devices on the Quest vWorkspace Virtual USB Hub Client window.

5. Select the device, and click Properties.

6. From the USB Device Properties window, you need the following information:

• VendorID

• ProductID

• Revision

7. Create the following key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software, Inc.\Quest Software USB Virtual Hub\Excluded USB Devices

8. Create a sub key with a unique name under the Excluded USB Devices key. This key name can be any name.

9. In the sub key, create a value "Hardwareld" of type REG_BINARY.

10. Enter the hardware id information into this key in binary format.

You have the option to be more or less specific about the devices you want to autoexclude. Entering only the VendorID excludes all devices with that VendorID, which may exclude more devices than you want to exclude. Entering the VendorID, ProductID, and Revision information from the USB device allows you to be very specific with the excluded USB device.

The following table provides examples of a binary format:

556

USB Devices

For example, using the device information from the above table, the registry entries might be:

11. After changing the registry key, unplug the device.

12. Select the Auto-share devices check box, so that devices are autoshared.

13. Plug in the device.

The device should now be autoexcluded in the Quest vWorkspace Virtual USB Hub Client window.

Smart Card USB Redirection

You can redirect smart cards from a virtual desktop or RD Session Host session using USB Redirection. This feature allows you to use a Smart Card for authentication inside a virtual desktop rather than using it to log on.

The .dll to use this feature will be packaged with PNTools in the \Windows\System32 folder. In order to use this feature, you need to add to the following registry value and a list of the executables that are to be redirected. You may manually install this feature if desired. The installation steps are as follows:

1. Locate PNSCHOOK.DLL in the \windows\system32 directory.

2. Add PNSCHOOK.DLL to the AppInit_DLLs key.

USB DEVICE INFORMATION BINARY FORMAT

VendorID: 0x04f2 f2 04

ProductID: 0x0112 12 01

Revision: 0x0103 03 01

VendorID: f2 04

VendorID and ProductID:

f2 04 12 01

VendorID, ProductID, and Revision:

f2 04 12 01 03 01

557


3. Configure apps to hook in SCHookList registry value; that is, in the pathname HKLM\Software\Provision Networks\Provision-IT locate a REG_SZ value called SCHookList (which is a comma-delimited list of EXEs to be hooked).

USB-ITUSB-IT enables Remote Desktop Session Host clients to seamlessly access their USB-based handhelds over RDP connections. With USB-IT, the Blackberry Desktop Manager, the Palm Desktop, and the ActiveSync software can be installed and published on the server. Users can gain instant access to their handhelds for the purpose of synchronizing e-mail, calendar, contacts, and other personal information with back-end messaging and collaboration systems such as Microsoft Exchange and Lotus Domino.

USB-IT supports some BlackBerry models; Palm and OEM handhelds running Palm OS; and Windows CE-based Pocket PC devices. USB-IT requires a plug-in on the client, which when installed, registers automatically with RDC (Remote Desktop Connection) clients. Third-party WIN32 RDP clients capable of loading a virtual channel driver also can use USB-IT.

In order to take advantage of USB-IT, the appropriate components must be installed on the client devices and RD Session Host/Terminal Servers as follows:

• RD Session Host/Terminal Servers — USB-IT is installed onto RD Session Host/Terminal Servers by selecting the PDA Redirection (USB-IT) feature listed under Power Tools for Terminal Servers on the Custom Setup window.

• vWorkspace Client (AppPortal and Web Access) — PDA Redirection (USB-IT) is automatically installed when the vWorkspace client software is installed.

558

USB Devices

How USB-IT Works

USB-IT features a virtual USB hub controller that provides true USB support for three distinct handheld devices, BlackBerry, Palm, and Windows CE-based Pocket PC.

How to ...

Configure USB-IT

1. Start the USB-IT Control Panel applet (RD Session Host/Terminal Servers).

2. Select the Devices tab.

3. Select the class of handhelds.

4. Click Add.

559


5. Specify the maximum number of device instances that are to be supported simultaneously on the server.

6. Repeat the process for other handhelds, as appropriate.

7. Repeat process on all Terminal Servers as appropriate.

8. Select USB Handhelds in the vWorkspace client, AppPortal using the following path:

Manage Connections | Local Resources

560

24

vWorkspace Reporting

• Overview

• Reporting Components

• Sample Report Viewer

• Databases

• Reporting Schema

• Reports

• Custom Reporting


OverviewQuest vWorkspace Reporting allows organizations to create real time and historical reports leveraging data gathered by vWorkspace. By utilizing the reporting features of vWorkspace, administrators gain greater understanding of how the vWorkspace farm is being managed and/or utilized.

The new Reporting feature of vWorkspace includes a easy to use tool, the Sample Report Viewer, that allows vWorkspace administrators to run preconfigured or custom SQL queries against the vWorkspace reporting database. The query results can be used to generate reports within the Sample Report Viewer or exported to CSV files for manipulation within the administrator’s tool of choice.

The vWorkspace farm database contains configuration, administrative task and user connection data. This data is very useful for auditing but much of the data does not persist in the database for any period useful for historical reporting. Therefore, vWorkspace Reporting was created. vWorkspace Reporting uses SQL triggers to export certain data from the vWorkspace database to the Reporting database. The Reporting database can be then used to run historical reports using vWorkspace Sample Report Viewer or a third party tool.

562


Reporting ComponentsThe primary Reporting components are:

• Sample Report Viewer

• Databases

• Reporting Schema

• Reports

Sample Report Viewer

vWorkspace Sample Report Viewer comes with a number of preconfigured SQL scripts. These scripts can be run to obtain real-time and historical reports of an organization's virtual desktops, applications, Remote Desktop Session Hosts/Terminal Servers, and blade PCs managed by vWorkspace. This allows easy reporting of information, such as Currently Logged Users and Users logged on each Month.

Sample Report Viewer Setup

The vWorkspace Sample Report Viewer window is used to configure the connection to the reporting database and the maximum number of rows to return from a report query.

This window is displayed at application start up if no connection settings exist, typically the first time the application is started. Otherwise, it can be opened from the main vWorkspace Sample Report Viewer window from File | Setup.

563


The following fields are provided in the vWorkspace Reporting Setup window.

Enter the appropriate information in the SQL Server Name or IP, Database Name, User Name, Password, and Max Number of Report Rows to Return fields as displayed below. Click Save then click Close.

FIELD DESCRIPTION

SQL Server Name or IP Enter the server name of the SQL server of the vWorkspace Reporting database.

Use the following format:


Database Name Enter the reporting database name. For example:

vWorkspaceReporting_Database

User Name Enter the name for the SQL account.

Note: This account only needs read access to the vWorkspace Reporting database. We recommend that you only give read access to this account.

Password Enter the password of the SQL account.

Max Number of Reporting Rows to Return

Enter the default maximum number of rows to return for a report run.

The default number is 1000.

Note: This default can be can be changed on a per query basis from the main vWorkspace Report Viewer window.

Save button Click to save the settings.

Saving automatically validates the settings.

Validate Settings button Click to validate the settings without saving.

Validation includes checking that the database connection information is valid by creating a connection to the reporting database and reporting an error if this connection attempt is unsuccessful.

Close button Click to close the setup window.

Clear button Click to clear all of the settings on the window.

564


To validate the settings without saving them, click the Validate Settings button. If the settings are correct, the vWorkspace Sample Report Viewer Setup Validation Successful window displays to confirm the settings.

Using Report Viewer

The setup can be changed and reports can be run from the Report Viewer window. Report data is returned to the results pane in the vWorkspace Report Viewer window. The SQL pane shows the query that will be run.

Changing the Setup

To reconfigure settings, click File | Setup or use the shortcut, Ctrl + S to open the vWorkspace Reporting Setup window.

Open and Run Report Queries

• Do one of the following to open the Open Report window:

• Select File | Open.• Click Ctrl + O.

565


• To open a report query file, select the file and then click Open, or double-click on the report query file.

The query opens and includes the name, description, results table, and SQL information.

• Click Run for the report results.

The number of rows in the result is displayed below the results table.

Temporarily Change the Number of Rows to Return

The application default number of rows to return can be changed using the vWorkspace Reporting Setup window. This value can be temporarily changed on the vWorkspace Report Viewer window by changing the value in the field, Max Rows to Return, and then click Run.

566


To reset the value back to the default, click Set to Default by the field, Max Rows to Return.

Some notes about the Max Rows to Return field:

1. If the number of rows returned is less than the number of rows in the full rest set, a warning message is displayed under the results table.

2. When the SQL used to run the report contains the Union operator, all rows are returned. The message, "This report requires that all rows be returned", is displayed.

3. If you make the value for the Max Rows to Return field too high, you may experience performance issues.

Export Report Data

When data is present in the results table, you can export it to a CSV file which can be loaded into a spreadsheet application, such as Microsoft Excel.

To export the data to a CSV file, do one of the following:

• Click Export of the vWorkspace Report Viewer window. All of the data in the table is exported.

• Right-click in the table, and select Export All. All of the data in the table is exported.

• Right-click in the table and select Export Selected. Only the selected rows are exported.

After exporting the report data, the Save As window opens. Save the exported data by entering a File name and selecting the appropriate directory, then click Save.

Copy SQL Text

The SQL used to run the report can be copied to the windows clipboard from the vWorkspace Report Viewer window. This makes it easier to reuse the SQL in your own reports. Do the following to copy the SQL text.

1. Select the text to copy.

2. Right-click in the SQL text area.

3. Select Copy.

567


Databases

vWorkspace Reporting pulls data from two separate databases: the vWorkspace farm database for real-time metrics and the Reporting Database for historical metrics.

vWorkspace Farm Database

The Farm database is the central repository for all information relative to a vWorkspace farm. It is required and must be available for any administrative function to succeed.

The vWorkspace farm database stores three classifications of data:

• Farm configuration data

• Farm administrative tasks and results

• Data regarding Client connections to virtual Desktops and/or RDSH

The data in the farm database is used for real time reporting.

vWorkspace Reporting Database

The Reporting Database is the core database in the vWorkspace Reporting architecture. Whenever an activity is carried out in the vWorkspace environment, such as the creation of a virtual machine or the logging on of a user, it is written to the farm database. SQL Triggers in the vWorkspace database populate changes to the reporting database. Thus tables in the Reporting database contain the history of all important activities in the vWorkspace farm. SQL Views in the vWorkspace reporting database are designed to provide both historical and real-time views.

The farm reporting database tracks a large amount of information, and as a result, a large amount of data is collected in the reporting database. It is therefore important to balance retaining history with data volume. To ease the management of the data, a data purge mechanism is installed with the vWorkspace Reporting database. There are two controls, both accessible from the Reporting Database field of the farm properties:

• How frequently data expiry happens.

• The age at which data is expired.

In order to ensure that minimal disk space is consumed, the defaults are very aggressive.

568


• The data expiry task runs every 6 hours (labelled as "Purge Interval" in the farm properties).

• Data is expired if it is older than 14 days (labelled as "Data Expiration" in the farm properties).

We would expect most customers to make the data expiry age value much longer than this, but the defaults are there to avoid unnecessary database bloat for customers who don’t want to worry about changing the defaults.

To retain data for longer, increase the Data Expiration value. There should be no need to change the purge interval.

Reporting Schema

Virtual Machines and Virtual Machine Pools

Description

The vWorkSpace Reporting tool provides history and real time information of a

virtual machines’ activity. Administrators can access the VirtualMachinesRe-

altime View for historical information and VirtualMachinePoolsRealtime

View for real time information about the virtual machines. Users can also com-

bine the information with the RemoteDesktopLogRealtime View to find more

specific information with appropriate log messages.

Virtual machines are key components within a virtual desktop infrastructure.

They allow concurrent operation of multiple, heterogeneous operating systems

and applications within an enterprise with consolidated physical hardware and

The reporting Database is recommended to be set at an initial size of four (4) GB with a 10% growth rate.

If reporting is disabled, historical data is no longer added to the reporting database but real-time reports still function.

569


increased reliability. Quest’s vWorkSpace reporting tool will provide you the

freedom of accessing information about virtual machines and virtual machine

pools using Report Queries.

Schema Diagram

The Schema Diagram below depicts the relationship between the views Virtu-

alMachineRealtime, VirtualMachinePoolsRealtime and RemoteDeskto-

pLogRealtime. In all the Views ‘RecordGUID’ will behave like the Primary key

of the tables. ‘VirtualMachinePoolGUID’ will behave like the ‘Foreign Key’ for

VirtualMachinePoolsRealtime View. ‘VirtualMachineRecordGUID’ of ‘Remot-

eDesktopLogRealtime’ will behave as a foreign key for ‘VirtualMachineRe-

altime’ View.

These real-time views will give users all the real-time information and users can

access the historical information using Historical Views. The historical views are

VirtualMachinesHistory, VirtualMachinePoolsHistory and RemoteDesk-

topLogHistory. Since historical data will have repetition of ‘RecordGUID’, ‘ID’

is used as the unique field for each record. Hence ‘ID’ will act as a primary key.

The additional columns used in historical views are ‘Changed Status’ and ‘Time-

Stamp’ to keep track of all the records changed with the timestamp. Users can

combine historical views with real-time ones to get historical status of virtual

570


machines.

Schema Description

This section will explain all the columns used in the views. This description will

help the user to find out what columns are to be used for exact query results

for reporting.

571


VirtualMachinesRealtime

Column Returned Meaning

VirtualMachineName Name of the Virtual Machine

DNSName The DNS Name of the Virtual Machine

ClientLogoOnState Log On Status of present client.

CurrentUser Current User of the Virtual Machine

CurrentState Current Status of the Virtual Machine

LastTimeLoggedIn Last login time of user of Virtual Machine

CurrentClientDevice Name of Current Client Device

VirtualMachineIPAddress IP Address of Virtual Machine

PNToolsVersion Version of PN Tools.

MachineType Type name of Virtual Machine

PowerManagedWhether Virtual Machine is Power Managed(True/False).

VirtualMachineMACAddress MAC Address of Virtual Machine

VirtualMachineOS Operating System of Virtual Machine

VirtualMachineOSServicePack Service Pack information of OS

CloneType Name of Clone Type of Virtual Machine

ExpirationActionInformation on Expiration action of Virtual Machine(Use Default/Suspend/Power Down/Delete/Shutdown Guest/Disable/None)

InactivityActionInformation on Inactivity action of Virtual Machine(Use Default/Suspend/None)

NetworkOptimizationMaxConnections

Number of max connections for Network Optimization

RDPPortRemote Desktop Protocol(RDP) Port Number

572


VirtualMachinePoolsRealtime

RemoteDesktopLogRealtime


PoolName Name of the pool in which the VM exists

PoolType Type of Virtual Machine Pool.

LogoffActionInformation on Log off Action of Pool (Use Default/Reset/Suspend/Reprovision Refresh)

ExpirationActionInformation on Expiration Action of Pool (Use Default/Suspend/Power Down/Delete/Shutdown Guest/Disable/None)

PowerManaged Whether VM Pool is Power Managed (True/False).

StaticClientTypeStatic Client Type of VM Pool (User/Group/IP Address/ Client Name/ OU)


Timestamp Time stamp of occurrence

RecordGUID Unique Record ID

VirtualMachineRecordGUIDUnique ID which relates to the VirtualMachinesRealtime View

MessageTime Occurrence Time of Log Message

MessageText Description text of Log Message

MessageType_AsInteger Integer value used for Message Type

MessageTypeType of Log Message (Success/Failure/Warning/Information)

HostType_AsInteger Integer value used for Host Type

HostType Name of Host Type (RDSH(TS)/VDI)

573


Actions

Description

The vWorkSpace reporting tool provides historical and real time information of actions run on virtual desktops. The following views are used to retrieve the Action related from vWorkSpace.

• ActionsRealtime

• ActionGroupsRealtime

• ActionDetailsRealtime

• ActionQueueRealtime

• ActionSchedulesRealtime

Users can combine the information with VirtualMachineRealtime views to find the actions running on specific virtual machines.

These views provides the current and historical action status, name of the action, group name of action, action types, source of action, percentage completion and virtual desktop details etc. Examples of useful Report queries will be

• Find all the historic actions on particular virtual machine.

• What is the status of actions in all virtual machines?

• Which VMs are currently running the particular actions?

Actions are the administrative tasks done on virtual desktops. These actions include powering up virtual desktops, taking the snapshot, MSI Updates, Sys prep, reprovisioning etc. to name some of them. These actions are from the sources like ‘User’, ‘MSI Package’ or ‘Built In’.

574


Schema Diagram

The Schema Diagram below depicts the relationship between the ActionsRealtime, ActionGroupsRealtime, ActionDetailsRealtime, ActionQueueRealtime, ActionSchedulesRealtime and VirtualMachineRealtime.

Historical action details can be queried using the historical views provided by the vWorkSpace reporting tool. These include ActionsHistory, ActionGroupsHistory, ActionDetailsHistory, ActionQueueHistory and ActionSchedulesHistory. Since historical data will have repetition of ‘RecordGUID’, ‘ID’ is used as the unique field for each record. Hence ‘ID’ will act as a primary key. The additional columns used in historical views are ‘Changed Status’ and ‘TimeStamp’ to keep track of all the records changed with the timestamp.

575


In all the Views ‘RecordGUID’ will behave like the Primary key of the tables. All the views are related to each other in the following manner.

1. ActionQueueRealtime is connected to VirtualMachineRealtime through the ‘VirtualMachineGUID’.

2. ActionQueueRealtime View is connected to ‘ActionGroupsRealtime’ through ‘ActionGroupGUID’.

3. ‘ActionGroupGUID’ in ActionsRealtime connects both ActionGroupsRealtime and ActionsRealtime.

576


4. ‘ActionDetailGUID’ in ActionsRealtime connects ActionDetailsRealtime to ActionsRealtime.

Schema Description

This section will explain all the columns used in the views. This description will help the user to find out what columns to be used for exact query results for reporting.

ActionsRealtime

ActionGroupsRealtime

ActionDetailsRealtime



ActionDetailGUIDThis column connects the records to ActionDetailsRealtime View

ActionGroupGUIDThis column connects the records to ActionGroupsRealtime View

TimeStamp Time stamp of occurrence


GroupName Name of the Group of Action



577


The following table explains all Action Types and Action Sources used in ActionDetailsRealtime

Action Types




ActionName Name of the Action

ActionType_AsInteger Integer value of Action Type

ActionType Type of Action

ActionSource_AsInteger Integer value of action source

ActionSource Source of action

Key ActionType

0 None

1 Clone

2 Delete

3 Power Up

4 Power Down

5 Suspend

6 Resume

7 Restart Guest

8 Take Snapshot

9 Revert To Snapshot

10 Reset

578


Action Source

11 Shutdown Guest

12 Remove From Group

13 Standby

Key ActionType

14 Copy File To Virtual Machine

15 Shell Command

16 Initialize

17 Cancel

18 Log Off User

19 Reset Session

20 MSI Update

21 MSI Uninstall

22 Enable or Disable Set

23 Wake Up

24 Configure Virtual Machine

25 Sysprep

26 Set Bandwidth OPT

27 Reprovision

ActionSource_AsInteger Action Source

0 Built In

1 MSI Package

2 User

579


ActionQueueRealtime

ActionQueue Status




ActionGroupGUIDThis column connects the records to ActionGroupsRealtime View

CurrentActionGUIDThis column connects the records to ActionsRealtime View

Status_AsInteger Integer value of Current status of action

Status Current status of action

StartTime Start time of action

PercentComplete Percentage completion of action

CompletedTime Completion time of action

Message Descriptive message of action

PostedTime Action posted time

BrokerName Name of the Broker

Status_AsInteger Status

0 None

1 Pending

2 In Progress

3 Failed

580


Applications and Application Restrictions

Description

The vWorkSpace Reporting Tool provides historical and real time information about applications and Application Restrictions. The real time views follow:

• ApplicationPermissionsRealtime

• ApplicationPermissionGroupsRealtime

• ClientsApplicationPermissionsRealtime

• ProgramsRealtime

Applications are the programs installed on the hosting machines and can be published and accessed by Clients (Users). In the vWorkspace infrastructure, applications are installed on the following hosting machines:

• Microsoft Windows Remote Desktop Session Hosts

• Virtual desktops running Microsoft Windows XP/Vista/Windows 7

• Virtualized application packages stored on a Microsoft Application Virtualization Server.

The vWorkspace user can also report on clients connecting to their business line of applications via a remote presentation services protocol (RDP or RGS) called ‘Managed Applications’.

Application Restrictions is one of the important features used to manage applications in a vWorkspace infrastructure. It is the access control system that allows administrators to increase the overall security, reliability and integrity of their Terminal Server Environments. The advantages of Application Restrictions follow:

• guard against application spoofing

• fight against virus infections

• preventing users from executing unauthorized programs

• granting access to applications by time and day

• Lock down the terminal Server

4 Succeeded

5 Canceled

581


In Application Restrictions, a list of program executables and program modules are organized into an application list, enabling administrators to grant or deny access to entire software suites, not just individual executables. The Application List is then associated with a group of Terminal servers, known as an Application Access Control Server Group. The Application List can then be assigned to one or more vWorkspace clients.

Schema Diagram

The Schema Diagram below depicts the relationship between the views ApplicationPermissionsRealtime, ApplicationPermissionGroupsRealtime, ClientsApplicationPermissionsRealtime and ProgramsRealtime.

In all the Views ‘RecordGUID’ will act as Primary key of the tables. ‘ApplicationgroupGUID’ of ApplicationPermissionsRealtime view will behave like the ‘Foreign Key’ for ApplicationPermissionGroupsRealtime view. ‘ApplicationgroupGUID of ‘ClientsApplicationPermissionsRealtime view will behave as a foreign key for ‘ApplicationPermissionGroupsRealtime view.

These real time views will give users all the real time information and users can

582


access the historical information using Historical Views corresponding to the previous views. The available built-in historical views follow:

• ApplicationPermissionsHistory

• ApplicationPermissionGroups

• History

• ClientsApplicationPermissions

• History

• ProgramsHistory

Since historical data will have repetition of ‘RecordGUID’, ‘ID’ is used as the unique field for each record. Hence ‘ID’ will act as a primary key. The additional columns used in historical views are ‘Changed Status’ and ‘TimeStamp’ to keep track of all the records changed with the timestamp.

Schema Description

This section will explain all the columns used in the views. This description will help the user to find out what columns are to be used for exact query results for reporting.

ApplicationPermissionsRealtime

ApplicationPermissionGroupsRealtime




ApplicationGroupGUIDUnique ID which relates the view toApplicationPermissionGroupsRealtime View

ApplicationPath Path of Application



583



ApplicationGroupNameName of the group to which applicationbelongs to.

ApplicationGroupDescription Short Description of Application Group

CategoryCategory of Application Group which is usedto group multiple applications into a singlecategory.

TerminateApplicationsTrue/false value which confirms thetermination of applications that are runningoutside of the access hours.

TerminateApplications_AsIntegerInteger value (0 or 1) used for TerminateApplications field

584


ClientsApplicationPermissionsRealtime

Programs Realtime




ApplicationGroupGUIDUnique ID which relates the view toApplicationPermissionGroupsRealtime View

ClientGUIDUnique ID which relates the view to ClientsRealtime View




ProgramName

Name of the application used in management console which will also appear in AppPortal andWeb-IT clients.

Path Path of the program or application.

ArgumentsAny argument which can be passed while starting the application.

WorkingDirectoryPath of working Directory of application enteredby user

IconFile

Each program will be having Icon file associatedwhich will be displayed on Management Console, AppPortal and Web-IT clients.

IconIndex Index of Icon file

ShowCommand

585


ServerList

DisabledSpecifies whether application is enabled or disabled. Disabled applications will not displayin client application list.

Disabled_AsIntegerInteger value 0 or 1 used for enabled and disabled respectively.

AppPortalDisabledMessage

ShortcutApplication short cut (Desktop or Start Menu or Start Menu/Programs.

SessionSharing

ApplicationSourceServer Source Server of Application.

IconSourceServer Source Server of Application icon

IsDesktop Whether application short cut is Desktop

IsDesktop_AsInteger Integer value IsDesktop field (0 or 1).

FileExtensions File Extension of programs

ApplicationTypeType of Application (0 – None, 1 - application,2 – desktop, 3 – Content, 4 – Content Client)

VIPEnabledSpecifies whether Virtual IP features are enabled for the application.

VIPEnabled_AsIntegerInteger value VIPEnabled field (0 - disabled,1-Virtual IP, 2 - Virtual Loopback, 3 - Client IP)

DesktopShortcutLocation Integer value of application shortcut location

ApplicationPermissionsGroupGUID

Unique ID which relates the view to ApplicationPermissionGroupsRealtime View

ApplicationHostTypeHost Type of Application (0 – Terminal Server,1 - Virtual Desktop)

VirtualMachinePoolGUIDUnique ID which relates the view to VirtualMachinePoolsRealtime View

BitmapAccelerationSpecifies the Graphic Acceleration setting options (Enabled/Disabled/User Default)

BitmapAcceleration _AsIntegerInteger value of Bitmap acceleration field (0 – Enabled, 1- Disabled, 2 - User Default)

586


Application Type

VIPEnabled

Key ApplicationType

0 None

1 application

2 desktop

3 Content

4 Content Client

Key

VIPEnabled_AsInteger VIPEnabled

0 Disabled

1 Virtual IP

2 Virtual Loopback

3 Client IP

587


DesktopShortcutLocation

Application Host Type

Clients, Folders and Locations

Description

The vWorkSpace reporting tool provides historical and real time information about clients, folders and geographic locations. The following views are included:

Key DesktopShortcutLocation

0 None

1 desktop

2 Start Menu

4 Start Menu/Programs

DesktopShortcutLocation is a multi-value field. When more than one value is selected, value of application type will be the sum of the individual values. For example: a value of ‘7‘ indicates that all 3 options are selected for the application.

Key ApplicationHostType

0 Terminal Server

1 Virtual Desktop

588


• ClientsRealtime

• ClientsHistory

• FoldersRealtime

• FoldersHistory

• ClientFoldersRealtime

• ClientFoldersHistory

• GeoLocationsRealtime

• GeoLocationsHistory

Clients are the end users of vWorkspace infrastructure. The type of clients follows:

• Users: Any trusted Windows domain or local user account

• Groups: Any trusted Windows domain or local user account

• Device Addresses: IP address assigned to the client hardware device

• Device names: NetBIOS name of the client device

• Organisational Units: Active Directory Organizational Unit containing the user, group, or computer account.

Geographic Location is used to specify the location of one or more data centers and the machines and servers within those data centers. For example, we can name the location based on the office site.

Schema Diagram

The Schema Diagram below depicts the relationship between the views ClientsRealtime, FoldersRealtime, ClientFoldersRealtime and GeoLocationsRealtime

In all the Views ‘RecordGUID’ will act as Primary key of the views. ‘FolderGUID’ and ‘ClientGUID’ of ClientFoldersRealtime view will behave like the ‘Foreign Key’ for FoldersRealtime view and ClientsRealtime view respectively. ‘GeoLocationGUID’ of FoldersRealtime view will behave as a foreign key for ‘GeoLocationsRealtime view.

589


Since historical data will have repetition of ‘RecordGUID’, ‘ID’ is used as the unique field for each record. Hence ‘ID’ will act as a primary key. The additional columns used in historical views are ‘Changed Status’ and ‘TimeStamp’ to keep track of all the records changed with the timestamp.

Schema Description

This section will explain all the columns used in the views. This description will help the user to find out what columns are to be used for exact query results for reporting.

ClientsRealtime

Client Type

FoldersRealtime




ClientName Name of the Client

ClientType Type of the Client

ClientType_AsChar Integer value of client type

TimeZoneName Name of the time zone.

Key Client Type

U User

G Group

I IP Address

C Client Name

O OU

590


Folder Type




FolderType Type application folder type

FolderType_AsInteger

Integer Value of folder type.

FolderName Name of the folder.

GeoLocationGUIDUnique ID which relates the view to GeoLocationsRealtime View

FolderType_AsInteger FolderType

0 AppPortal

1 Shell

2 Server

591


ClientFoldersRealtime

GeoLocationsRealtime




ClientGUID Unique ID which relates the view to ClientsRealtime View

ProgramGUID Unique ID which relates the view to ProgramsRealtime View

FolderGUID Unique ID which relates the view to FoldersRealtime View




GeoLocationName Geographical location name with one or more data centers.

592


Reports

vWorkspace Reporting includes a set of prebuilt reports, which include:

• Historical Reports

• Real Time Reports

• Audits

• Custom Reporting

Historical Reports

The following prebuilt historical reports are available using the vWorkspace Report Viewer.

Failed Action Details in Last 24 Hours

This report shows the details of failed actions (tasks) in the past 24 hours. It can be used to help identify what might be causing problems. Many failed actions highlight possible environment issues.

If Virtual Machine Pools are deleted they will not appear in this report.

Failed Action in Last 24 Hours by Pool

Use this report to find the number of failed actions by pool in the past 24 hours. This report can be used to help identify what actions might be causing problems. Many failed actions will highlight possible environment setup issues.


Users Logged on Each Month

This report shows the number of users who used vWorkspace each month. This is useful to monitor Virtual Desktop Take-up.

This query only gets the information for Virtual Machine based Virtual Desktops and Applications. Information for Terminal Services Based applications and Desktops is available in the RemoteDesktopLog table.

Users Logged on in Last 24 Hours

This report lists the pools that each user has logged into in the past 24 hours. To create a report for a specific user the script can be manually modified. For more details open the report with the viewer and see the description.


593


Real Time Reports

The following prebuilt real time reports are available using the vWorkspace Report Viewer.

Assigned Applications by Application

This report lists all assigned applications. Also listed are any application restrictions that have been applied. This is useful for determining whether appropriate applications have been assigned and if any restrictions in place are correct.

Assigned Applications by User

This report lists all assigned applications by Client Type, and Client. Also listed are any application restrictions that have been applied.

Current Action Backlog by Pool

This report shows the number of pending actions (tasks) in each pool now. It can be used to help determine if there is a large backlog of pending actions (tasks). A large backlog may be the cause of other performance related issues.

Current Action Backlog Details

This report returns all current pending action (task) details. It can be used to help determine the details of a large backlog of pending actions (tasks). A large task backlog may be the cause of other performance related issues.

Current TS EOP Config by Server

This report gives the current EOP configuration for each Terminal Server. It provides an at a glance check to see if the appropriate EOP settings have been applied.

Current VM EOP Config by Server

This report gives the current EOP configuration for each VM Pool. Note that where overrides have been configured for a specific VM the report shows that VM's individual settings. It provides an at a glance check to see if the appropriate EOP settings have been applied.

Number of Users Logged On Now by Virtual Machine Pool

Use this report to find the number of users logged into each pool at the moment the report is run.

594


Users Logged on Now by Pool

Use this report to find the number of users logged into each pool at the moment the report is run. This report can be used to help determine the impact of a change, for example, seeing who will be affected by unplanned maintenance being undertaken now.

Number of Queued Actions by Pool

This report is used to find the number of pending actions per virtual machine pool. A large action backlog typically indicates either configuration or load distribution issues.

Audits

The following prebuilt audits are available using the vWorkspace Report Viewer.

Count of requested actions by Pool past 24 Hours

Use this report for a total number of actions requested by an administrator by pool in the past 24 hours.

Count of requested admin actions on Virtual Machines in last 24 Hours grouped by Administrator

Use this report to list by Administrator all admin actions on Virtual Machines within the last 24 hours

Count of total requested admin actions on Virtual Machines in last 24 Hours

Use this report for a total number of actions requested by an administrator on Virtual Machines in the past 24 hours.

Failed Action Details in Last 24 hours

A list of the failed actions in the past 24 hours with details, including the administrator who initiated the action.

List of completed actions in Last 24 hours

A list of all administrator requested actions in the past 24 hours which have completed (success or failure), with details including the administrator who initiated each.

Successful Action Details in Last 24 hours

A list of the successful actions in the past 24 hours with details, including the administrator who initiated the action.

595


Custom Reporting

Custom reporting involves creating SQL scripts that can be run against the farm database or the Reporting database. Listed below is a series of sample SQL scripts:

1. The following is an example of a report query which use the schema

described above. This query can be run in vWorkspace Report Viewer to gener-

ate a report which gives the number of users logged into each virtual desktop

at present.

SELECT PoolName as [Pool Name],

COUNT(DISTINCT CurrentUser) AS [Number of Users]

FROM VirtualMachinesRealTime

JOIN VirtualMachinePoolsRealTime

ON VirtualMachinePoolGUID = VirtualMachinePoolsReal-time.RecordGUID

GROUP BY PoolName

This report can be used to determine the impact of an infrastructure change, for example, due to unplanned maintenance.

2. The following is an example of a report query which use the schema described above. This query can be run in vWorkspace Report Viewer to find all current pending action details.

SELECT DISTINCT PostedTime AS [Posted],

PoolName AS [Pool Name],

VirtualMachineName AS [Computer],

ActionName AS [Task Item],

596


ISNULL(CAST(StartTime as CHAR), '<As soon as possi-ble>') AS [Start Time],

ISNULL(Message, '') AS [Message]

FROM ActionQueueRealTime

JOIN ActionsRealTime

ON ActionsRealTime.RecordGUID = ActionQueueRealTime.Cur-rentActionGUID

JOIN ActionDetailsRealTime

ON ActionDetailsRealTime.RecordGUID = ActionsReal-Time.ActionDetailGUID

JOIN VirtualMachinesRealTime

ON VirtualMachinesRealTime.RecordGUID = ActionQueueReal-Time.VirtualMachineGUID

JOIN VirtualMachinePoolsRealTime

ON VirtualMachinePoolsRealTime.RecordGUID = VirtualMa-chinesRealTime.VirtualMachinePoolGUID

WHERE ActionQueueRealTime.Status = 'Pending'

This report can be used to help determine the details of a large backlog of pending actions.

3. The following is an example of a report query which use the schema described above. This query can be run in vWorkspace Report Viewer to List all assigned applications and its restrictions.

SELECT LOWER(Path) AS [Path], ProgramName,

ClientType,ClientName,'' AS [Restrictions]

597


FROMClientFoldersRealtime

JOIN ClientsRealtime

ON ClientsRealtime.RecordGUID = ClientFoldersRealtime.Cli-entGUID

JOIN ProgramsRealtime

ON ProgramsRealtime.RecordGuid = ProgramGUID

UNION

SELECT LOWER(ApplicationPath), ApplicationGroupName, Cli-entType,

ClientName,ClientsApplicationPermissionsRealTime.Schedule

FROM ClientsApplicationPermissionsRealtime


ON ClientsRealtime.RecordGUID = ClientsApplicationPermis-sionsRealtime.ClientGUID

JOIN ApplicationPermissionGroupsRealtime

ON ApplicationPermissionGroupsRealtime.RecordGUID =

ClientsApplicationPermissionsRealtime.ApplicationGroup-GUID

JOIN ApplicationPermissionsRealTime

ON ApplicationPermissionsRealTime.ApplicationGroupGUID =


598


WHERE ClientsApplicationPermissionsRealtime.Schedule <> 'Allow All'

ORDER BY Path, ClientType, ClientName

This report is useful for determining whether appropriate applications have been assigned.

4. The following is an example of a report query which use the schema described above. This query can be run in vWorkspace Report Viewer to list all assigned applications by Client details and its restrictions.

SELECT ClientType,ClientName, LOWER(Path) AS [PATH],Pro-gramName, '' AS [Restrictions]

FROM ClientFoldersRealtime


ON ClientsRealtime.RecordGUID = ClientFoldersRealtime.Client-GUID

JOIN ProgramsRealtime

ON ProgramsRealtime.RecordGuid = ProgramGUID

UNION

SELECT ClientType, ClientName, ApplicationPath, Application-GroupName,

ClientsApplicationPermissionsRealTime.Schedule

FROM ClientsApplicationPermissionsRealtime


ON ClientsRealtime.RecordGUID = ClientsApplicationPermis-

599


sionsRealtime.ClientGUID

JOIN ApplicationPermissionGroupsRealtime

ON ApplicationPermissionGroupsRealtime.RecordGUID =


JOIN ApplicationPermissionsRealTime

ON ApplicationPermissionsRealTime.ApplicationGroupGUID =


WHERE ClientsApplicationPermissionsRealtime.Schedule <> 'Allow All'

ORDER BY ClientType, ClientName, Path

600

25

Load Balancing and Performance Optimization

• About Load Balancing


• View VM Optimization Results


About Load BalancingLoad balancing, also known as workload management, can be enabled in a Quest vWorkspace infrastructure when published applications are hosted on multiple RD Session Host/Terminal Servers. Load balances are assigned to published applications, SCVMM managed desktop groups, or RD Session Host/Terminal Servers.

Load Balancing Rules

Load balancing rules dictate how to calculate user session workloads between terminal servers, published applications, and SCVMM managed desktop groups. Load balancing rules contain counters, performance data parameters that define the rule, and indicate permissions for administrators and users. To be effective rules should use as few counters as possible, and counters should be selected that most closely reflect servers’ load. Assign load balancing rules to servers rather than managed applications. vWorkspace provides two default load balancing rules and three custom load balancing rules. Both Default and Custom rules can be duplicated, renamed and used as a template to create new custom rules.

The available load balancing rules are:

LOAD BALANCING RULE DESCRIPTION

Default

Default RD Session Host (read-only)

Load balances users over the available RD Session Hosts based on the amount of users already logged on. This default rule uses a maximum of 100 users per host (x86 users may need a lower maximum).

Default VDI for SCVMM (read-only)

Load balances users over the available Hyper-V hosts based on the users already on the hosts. This default rule uses a maximum of 75 users per host.

Custom

Advanced RD Session Host Load balances users over the available RD Session Hosts based on a calculated average of: CPU Load, Disk Queue Length and Memory Load. This custom rule configures a maximum of 100 users per host.

602


How Load Balancing Works

Based on the load balance assigned, the server evaluates its current workload and reports that value to the Connection Broker. Connection Brokers maintain a memory table of the current workload index of each server on which load balancing has been enabled.

When a Connection Broker receives a client request to connect to a published application, it queries the list of servers on which the application is hosted and determines which one currently has the lowest workload index value. The address of the least busy server is then returned to the vWorkspace client. When the vWorkspace client completes the connection to the least busy server, that server’s load is changed. The new workload is then reevaluated and reported to the Connection Broker.

It is important to note that load balancing applies only when a vWorkspace client initiates a request for a new connection. If a vWorkspace client is already connected to an RD Session Host/Terminal Server and requests to start another application that is available on that same server, the application is run through the existing session and load balancing is not applied.

Multiple counters can be included in a load balance. Each counter within a load balance has an upper and lower threshold setting that is used to determine when the server is under maximum or minimum load based on that counter. Each counter can also be assigned a weight which can be used to adjust the relative importance of one counter over another.

Advanced VDI for SCVMM Load balances users over the available Hyper-V hosts based on a calculated average of: CPU Load, Disk Queue Length and Memory Load. This custom rule configures a maximum of 75 users per host.

RFX for SCVMM Load balances users over the available Hyper-V hosts based on an average GPU response time from capture. The user will connect to a virtual desktop that has the lowest GPU response time from capture, resulting in the best RemoteFX user experience.

LOAD BALANCING RULE DESCRIPTION

603


The available counters are:

COUNTER NAME DESCRIPTION

Context Switches Per Second This counter measures the overall rate of switches from one thread to another. Thread switches can occur either inside a single process or across processes.

A thread switch can be caused by one thread asking another for information, or by a thread being preempted by another higher priority thread.

CPU Load This counter measures the percentage of time CPUs in the system are actively executing threads belonging to processes.

This counter does not include the System Idle Process.

CPU Queue Length This counter measures the number of threads in the processor queue. Unlike disk queue, processor queue length shows ready threads, not threads that are currently running.

There is a single queue for processor time, even on systems with multiple processor cores and sockets. Therefore, if the system has multiple processors, you need to divide this value by the number of processors servicing the workload.

A sustained processor queue of less than 10 threads per processor is usually acceptable.

Disk Load This counter measures the percentage of time the disks in the system are active.

Disk Queue Length This counter measures the average number of read and write requests that were queued for the selected disk during the sampling interval.

GPU Response Time From Capture

This counter measures the latency within RemoteFX Capture (in microseconds) for GPU operations to complete.

604


Interrupts Per Second This counter measures the average number of hardware interrupts that were received and serviced by the processor each second.

Interrupts per second is an indirect indicator of the activity of hardware devices in the system that generate interrupt requests, such as the system clock, disk drives, and network interface cards.

These devices generate interrupt requests when they complete a task or need attention from the processor. Each service interrupt request consumes CPU time, so an excessive amount can degrade system performance and can be an indicator of a malfunctioning device.

Memory Load This counter measures the percentage of memory being used by the system.

Memory Pool Pages Bytes This counter measures the size, in bytes, of the paged pool.

The paged pool is an area of physical memory used by the system for objects that can be written to disk (paged) when they are not being actively used.

Number of Powered-On Virtual Machines

This counter measures the number of powered-on virtual computers currently running on the host.

Number of Processes This counter measures the total number of process contexts currently running on the system.

Number of Users This counter measures the total number of user sessions for which the operating system is currently storing computer state information.

Number of Virtual Machines This counter measures the number of virtual computers defined on the client.

Page Faults Per Second This counter measures the overall rate at which faulted pages are handled by the processor. This counter includes both hard faults (where the memory page has to be retrieved from disk) and soft faults (where the data is stored elsewhere in physical memory).

A page fault occurs when a process requires code or data that is not in its space in physical memory. Most processors can handle large numbers of soft faults without consequence. However, hard faults can cause significant performance delays.


605


Load Balancing on Terminal Servers

To enable load balancing of vWorkspace enabled Terminal Servers, the following conditions must be met:

• The Terminal Services Enhancements feature must be installed on one or more Terminal Servers in the vWorkspace infrastructure.

• The setting Accept “least busy” connection requests must be enabled (it is by default) on each Terminal Server that participates in load balancing. This setting is found on the General tab of the Terminal Server properties under Roles.

• The Terminal Server must host at least one of the configured managed applications.

• A load balance must be assigned to either the server or a managed application hosted on the server.

Load Balancing Guidelines

Consider these guidelines when using load balancing:

• Use as few counters as possible. Each counter used in a load balance requires additional processing.

• Use the counters that are most likely to reflect the critical resources of the server. For example, a server with insufficient memory would likely need a load balance that uses the Memory Load and Pages Per Second counters.

Pages Per Second This counter measures the number of pages written to or read from disk to resolve hard page faults.

Redirector Current Commands

This counter measures the number of requests to the redirector that are currently queued for service.

If this counter is much larger than the number of NICs installed on the system, then network throughput is likely becoming a bottleneck.

TDRs in Server GPUs This counter measures the Total number of times that the TDR times out in the GPU on the server.


606


• Avoid using extreme limits for counters that use percentages for minimum and maximum values.

• Use a counter only if you understand its meaning and what values are appropriate.

• Group Terminal Servers by their hardware configuration and applications hosted on them. Load balances can be created and optimized for specific hardware or application groups.

How to ...

• Create Load Balancing

• Assign Load Balancing to Servers

• Assign Load Balancing to Managed Applications

• Assign Load Balancing to Managed Desktop Groups

Create Load Balancing

The Number of Users counter is the default load balance assigned by the system, and its values cannot be modified.

1. Open the vWorkspace Management Console, and highlight the Load Balancing node, and do one of the following:

a) Select Actions | New Load Balancing Rule..., or

b) Right-click on the Load Balancing node, and then select New Load Balancing Rule..., or

c) Select the green plus sign icon from the information pane, or

d) Select the green plus sign icon from the toolbar.

2. Click Next on the welcome window of the Load Balancing Rule Wizard.

3. Enter a name for the New Load Balancing Rule in the Name box, on the Name & Description window.

4. Enter a description for the New Load Balancing Rule in the Description box on the Name & Description window. This is optional.

5. Click Next on the Name & Description window.

6. Do the following on the Counters window:

a) Select the counter to be used by clicking in the Assigned column.

b) Set the minimum value for each counter selected by clicking on its current value in the Min Value column, and then type a new value in the input box.

607


c) Set the maximum value for each counter selected by clicking on its current value in the Max Value column, and then type a new value in the input box.

d) Set the weight value for each counter selected by clicking on its current value in the Weight column, and then select a new value from the list.

e) Select Report full load when at least one counter has reached its maximum value, if appropriate.

f) Click Next.

7. Set permissions, as appropriate, and then click Finish to complete the task of creating a new load balancing rule.

Assign Load Balancing to Servers


2. Expand the Locations node, and then expand the location in which the RD Session Host/Terminal Server is located.

3. Expand the Terminal Servers node, and then highlight the RD Session Host/Terminal Server.

4. Activate the context menu for the server object to which the load balancing rule is to be assigned, (highlight the server and right-click) and select Properties.

608


5. Highlight the Load Balancing item from the Server Properties window.

6. Click the Specify a custom load balancing rule: action button to enable the custom rules. Select the desired custom Load Balancing Rule from the custom load balancing rule list. Otherwise, the default load balancing rule will apply.


Assign Load Balancing to Managed Applications

You may need to assign load balancing to specific published applications if the number of instances of the application must be restricted due to licensing constraints or the application consumes a lot of system resources.


2. Expand the Resources node, highlight the Managed Applications node, and right-click.

3. Open the Properties for the desired published application.

4. Click on Load Balancing on the Managed Applications Properties window.

5. Click the Specify a custom load balancing rule: action button to enable the custom rules. Select the desired custom Load Balancing Rule from the Load Balancing Rule list.


Assign Load Balancing to SCVMM Managed Computer Groups


2. Expand the Locations node, highlight the Desktops node, and right-click.

3. Select New Computer Group.

4. On the New Computer Group Wizard System Type window, select the Microsoft SCVMM box. This disables Load Balancing for all other system types.

5. On the New Computer Group Wizard Load Balancing window, do one of the following:

• Click the Do not specify a load balancing rule action button to disable load balancing rules.

• Click the Use the default load balancing rule action button to use the default SCVMM rule.

• Click the Specify a custom load balancing rule: action button to enable the custom rules. Select the desired custom Load Balancing Rule from the Load Balancing Rule list.

• Click the View button on any action button selection to view the rule properties.

609


6. Proceed through the windows to configure the New Computer Group.

7. Click Finish to complete the task.

For more detail on adding new SCVMM computer groups, see How to Add Computer Groups to a SCVMM Type in the Microsoft SCVMM Integration chapter.

Performance OptimizationCPU and Memory Optimization (Max-IT) is a Power Tool for Terminal Server used to improve application response time and increase overall server capacity by streamlining and optimizing the use of virtual memory and CPU resources in a multi-user environment.

About CPU Utilization Management

CPU Utilization Management improves application response times by ensuring that users and programs receive CPU resources.

The following is a list of issues pertaining to CPU scheduling in a multi-user environment:

• Due to design limitations and programming techniques, many applications monopolize the server’s processors. Such applications are often referred to as rogue or runaway applications.

A rogue or runaway application is one whose threads use up excessive amounts of CPU resources. In other words, they consistently remain in the running state for the entire lifetime of their allotted time slice. A time slice is often referred as quantum, and its value is typically 10 to 15 milliseconds (hardware-dependent).

• Windows scheduler does not include a fair sharing mechanism. It does not prevent rogue applications from consuming all of the CPU time.

• Priority boosting performed by Windows balance set manager does not effectively address the CPU issues caused by runaway applications, especially in Terminal Server environments.

Max-IT should not be installed on the same computer as the Connection Broker.

610


• From a CPU management perspective, the thread priorities of interest are Waiting, Ready, and Running. In the case of a word processor, the latter could be waiting for user input. As soon as it receives input, it is ready to run, and as soon as the processor becomes free, it runs.

• Given two threads in the Ready state, the scheduler always favors the process with the higher priority level over the other.

CPU Utilization Management ensures that each running process receives CPU resources to enable it to run smoothly and coexist alongside CPU hungry and rogue applications by implementing the following:

• A fixed share of CPU resources is reserved to NT Authority. By default, this share is 20 percent.

• The target percent CPU time is then computed as follows, where Reserved is the percent CPU share reserved for NT Authority:

(100 - Reserved) / (number of active processes)

• The average percent CPU time is calculated for each active process.

• Those processes whose average percent CPU time has fallen below the target percent CPU time have their priority levels set to Normal.

• Those processes whose average percent CPU time has risen above the target percent CPU time have their priority levels set to Below Normal.

• Those processes whose average percent CPU time has fallen to zero have their priority levels set to Above Normal.

• The above process is then repeated every several hundred milliseconds. The default setting is 100 milliseconds.

About Virtual Memory Optimization

Below is a list of background items to consider for memory management in a multi-user environment:

• Every executable and DLL module has a preferred base address which represents the ideal location where the module should get mapped inside the process’s address space.

• When a software developer builds a DLL module, the linker sets the preferred base address at 0x10000000.

611


• When two or more modules are loaded, each having the same preferred base address, a memory space conflict occurs. The operating systems memory manager has to resolve this conflict by relocating one of the conflicting modules into another base address. It then has to recalculate all the offset addresses defined within the module relative to this new base address.

• Relocating DLLs and performing the necessary fix-up operations is taxing on system resources. The loader has to relocate hundreds of DLLs and modify a significant portion each code. This leads to more memory consumption, excessive copy on write operations, and additional CPU cycles.

This runtime overhead can be very damaging to the performance of a system and should be avoided. When multiplied by the number of users on a Terminal Server, this overhead can have implications on performance and application response times.

vWorkspace Virtual Memory Optimization significantly increases the performance and capacity of a Terminal Server by performing two optimization techniques: module rebasing and module rebinding.

• Module Rebasing — A process by which colliding DLLs are identified and relocated to unique base addresses within the virtual memory spaces of their respective programs. This technique drastically reduces virtual memory requirements, page file usage, and I/O operations.

• Module Binding — Fine-tunes the import section of a given module according to the new base addresses of the rebased DLLs. This technique accelerates application load times and yields further reductions in virtual memory requirements and page file usage.

The Virtual Memory Optimization system continuously monitors which DLLs are being loaded by applications and identifies the DLLs that cause collisions. When a future request is made to load the module, it automatically loads in a new base address to avoid conflict. After collecting sufficient data, Virtual Memory Optimization can then further enhance performance by permanently rebasing the colliding DLLs and perform the necessary code fix-up operations.

Some of the benefits include:

• DLLs that have been optimized by Virtual Memory Optimization no longer require relocations or fixes by the loader.

• Less physical memory is consumed.

• Working set trimming no longer requires that working sets be swapped out to the paging file (copy on write) before the trimming can occur.

612


• Significant reductions in the overhead associated with relocation and fix-up operations. When multiplied by the number of users on a Terminal Server, the results can be an overall capacity increase of 25 to 30 percent.

Install CPU and Memory Optimization

CPU and Virtual Memory Optimization is a feature of Power Tool for Terminal Servers. It is available only when the vWorkspace installer package is executed on a Windows server with Terminal Services (Application Server Mode) installed.

Virtual Memory Optimization and CPU Utilization Management are sufeatures of CPU and Virtual Memory Optimization allowing them to be installed independently.

Enable CPU and Memory Optimization

Virtual Memory Optimization and CPU Utilization Management are disabled by default even after being installed. To enable them, use the following steps:


2. Expand the Locations node, and then expand the location in which the RD Session Host/Terminal Server is located.

613


3. Expand the Terminal Servers node, and then highlight the RD Session Host/Terminal Server.

4. Open the Properties for the Terminal Server object that is to be enabled.

5. Select the Performance Optimization tab of the Server Properties window.

6. Select the option that is to be installed.


Max-IT Master Policy Settings

Max-IT Master Policy is used to set the default CPU Utilization and Virtual Memory Optimization settings used by all Terminal Servers in the vWorkspace infrastructure. Max-IT Server Policy can then be configured to override master policy settings on a per server basis as needed.

Max-IT Master Policy is accessed from the vWorkspace Management Console by expanding Performance Optimization in the navigation pane, and then selecting the Servers node. Max-IT Master Policy command is available from either the toolbar or the Servers node context menu.

The Max-IT Master Policy window tabs are described as follows:

614


• General

• VM Default Optimization

• VM Exception Files

• CPU Policy

• Advanced

General

GENERAL TAB

VIRTUAL MEMORY OPTIMIZATIONS

Analysis Interval Specifies the sampling interval for detecting memory load address collisions. At the specified interval, Max-IT VM Optimization takes a snapshot of what applications are loaded into memory and detects any load address collisions.

Applications that are started and then closed within the sampling interval are not included in the analysis.

615


VM Default Optimization

Optimization Time Specifies what time of day virtual memory optimizations are applied. The optimizations applied are based on the settings found on the VM Default Optimizations and VM Exception Files tabs.

Applying virtual memory optimizations has the potential for consuming large amounts of system resources and should be performed at a time when user activity will be low.

CPU Utilization Management

Sampling Interval (Milliseconds)

Determines how often process average calculations are performed and priority adjustments are made. Shorter intervals result in a more even distribution of processor time, but at the expense of higher system overhead.

Sampling History Depth Determines the number of sampling points used when calculating average percent CPU time of processes.

GENERAL TAB

616


VM Exception Files

Some applications and modules do not work properly when rebased or bound, such as any executable or module file that has been digitally signed. This is because the rebasing and binding information is written to the alternate data stream of the file.

Because of this file modification, the binary hash the digital certificate was based on is no longer valid and the file is rendered unusable. These files must be excluded from rebasing and binding.

VM DEFAULT OPTIMIZATION TAB

Applications (EXE, etc.) The two optimization options available for applications are:

• Allow applications to load rebased modules (rebasing).

• Allow applications to be bound and to load bound modules (binding).

Modules (DLL,OCX, etc.) The two optimization options available for modules are:

• Allow modules to be rebased (rebasing).

• Allow modules to be bound (binding).

617


The Applications and Modules tabs include a list of preconfigured executable and module files that are known to have problems with rebasing and binding. Use the Add, Remove, or Browse buttons to modify the list.

After adding a file, select it from the list and use the buttons to the right to control the level of optimization to apply. The optimization option buttons are:

• Rebasing Only

• Binding Only

• Rebasing and Binding

• No Optimizations

CPU Policy

The CPU Policy tab is used to control how CPU Utilization adjustments are applied.

618


CPU POLICY TAB

Policy Type Policy type is used to control how CPU allocation rules are applied. The three policy types are:

• User/Group — CPU rules can be assigned based on any combination of user accounts, group accounts, or Active Directory Organizational Units.

• OS CPU Allocation — OS CPU Allocation is used to guarantee the operating system will have a minimum percentage of the systems total CPU time. The default value is 20%.

• Application — CPU utilization rules can be assigned to specific applications.

User/Group Rules This tab is used to view or modify CPU Allocation when Policy Type is set to User/Group.

The Add and Remove buttons are used for users, groups, and organizational units.

The Up and Down arrow buttons are used to adjust priority for user entries who are also members of a listed group or OU. Entries higher in the list take precedence over lower ones.

For each entry, use the CPU Allocation column to set the minimum guaranteed CPU time allotment. There are three ways CPU Allocation can be modified:

1. Double-click on the CPU Allocation column and select a value from the context menu.

2. Click on the ellipsis to the right of the CPU Allocation column and select a value from the context menu

3. Click on the existing value in the CPU Allocation column, and hold down the left mouse button, to drag and adjust the value.

619


Application Rules This tab is used to view or modify CPU Allocation when Policy Type is set to Application.

Use the Add or Remove buttons to add or remove an application entry name.

Use the CPU Allocation column to set minimum guaranteed CPU time allotment for the selected application. There are three ways CPU Allocation can be modified:

1. Double-click on the CPU Allocation column and select a value from the context menu.

2. Click on the ellipsis to the right of the CPU Allocation column and select a value from the context menu

3. Click on the existing value in the CPU Allocation column, and hold down the left mouse button, to drag and adjust the value.

Application Executables

This tab is used to build a list of executable program files and associate them with the appropriate application entries defined on the Application Rules tab when Policy Type is set to Application.

Use the Add button to add an executable, identify its parent process (if any), and associate it with an application rule. Files may be entered individually or you can choose to select all the files contained in a specified folder.

Use the Remove button to remove an application executable entry.

Use the Up and Down arrow buttons to adjust priority for application executables that are included in multiple rules. Entries higher on the list take precedence over lower ones.

Allocation Type This tab controls whether CPU allocation rules are based on percentages or shares.

• Percentage — CPU allocation by percentage guarantees the user, group, or application a minimum percentage of the available CPU time. Available CPU time is 100% - OS CPU Allocation.

• Shares — Each entry is given a percentage of CPU time based on the number of shares assigned to the entry divided by the total number of assigned shares. For example, if user A is assigned 25 shares and user B is assigned 50 shares, then user A is allocated 33.3% of the available CPU time and user B is allocated 66.7%.

CPU POLICY TAB

620


Advanced

This tab is used to reset the exception lists to the default values.

Max-IT Server Policy

By default, all Terminal Servers in the vWorkspace infrastructure on which performance optimization has been enabled use the Max-IT Master Policy. However, it might be necessary to set the Max-IT policy on a per server basis.

An example of this would be when the VM Exception Files list must be modified because a different set of applications are installed on one or more of the Terminal Servers.

How to ...

Set the Max-IT Policy for Specific Servers


2. Expand the Performance Optimization, and the Servers node.

3. Right-click on the server object, and select Max-IT Server Policy from the context menu.

621


4. Click on the tab associated with the portion of the policy that needs to be different from the Master Policy, and click Use these settings for server [server_name].

5. Enter the changes as appropriate, and then click Apply for each tab that is changed.

6. Click OK to save the changes.

View VM Optimization ResultsThe results of virtual memory optimization can be viewed in various forms within the vWorkspace Management Console. Viewing these results can help the vWorkspace administrator fine-tune the virtual memory optimizations.

Results can be viewed by session summary, for a specific session, or by application.

How to ...

• View Session Summary Information

• View Results for a Specific Session

• View Results per Application

622


View Session Summary Information


2. Expand the Performance Optimization and Servers nodes.

3. Expand the desired server object.

4. Click on the Optimization Sessions container object.

The Optimization Summary by Session graph is displayed in the information pane on the right.

The vertical axis displays the cumulative amount (in megabytes) of memory savings. The horizontal axis displays the date and time of each optimization event.

View Results for a Specific Session




4. Expand the Optimization Sessions container object.

5. Click on the appropriate date and time to display a graph showing the current (blue) and possible (green) virtual memory savings.

Under the Optimization Sessions container object each optimization event is listed in chronological order by the date and time of its occurrence.

View Results per Application




4. Click on the Optimized Applications container object.

The Per-Application Virtual Memory Usage and Savings graph is displayed in the right panel.

To avoid unnecessary recalculations by Max-IT, binding should be delayed until the graph is flat.

Vertical Axis Displays memory in kilobytes.

Horizontal Axis Displays the name of the executables.

Red bar Shows the amount of virtual memory used by the executable before rebasing.

623


Manually Apply Optimizations

Virtual memory optimizations are automatically applied based on the Optimization Time setting of the Max-IT Masters Policy and Max-IT Server Policy. However, optimizations can also be applied manually by selecting Optimize Now.

The Optimize Now icon is available from the toolbar of the information pane when a server object, or any object under the server object, is selected in the navigation pane under the Performance Optimization | Servers container.

The context menu for the Optimization Sessions and Optimized Applications containers, and all objects under these containers, include the option Run Max-IT Optimizations, which can also be used to manually apply optimizations.

Yellow bar Shows the amount of virtual memory used by the executable after rebasing.

Blue bar Represents the current memory savings as a result of optimization.

Green bar Represents the possible memory savings as a result of optimization.

Ideally, the blue and green bars for all executables should be equal. At this point it is safe to implement binding as long as no changes are made to the applications installed on the servers.

624

Appendix A

Best PracticesListed in this section are recommendations for best practice procedures.

General

• Keep VDI naming conventions and workstation names to less than 15 characters.

• Put in AV directory scanning exception for the locally cached database folder C:\Program Files\ Quest Software\vWorkspace\Database on the Connection Broker.


• The Connection Broker does not constantly poll the VirtualCenter SDK interface for updates because this proves too taxing on the VirtualCenter resources. When checking power states of virtual computers, always run Actions | Update Power States of the managed computer group to easily update all virtual computers.

• When doing LDAP queries for new users, groups, OU’s, or Computer/ Client Names (to add as a client resource) in a medium or large AD environment, you should not use * for the filter as this could result in an excessively long search time.

• Once licensing for environments has been installed, do not edit the customer information because this will change the VMAC which invalidates the license.

• When running the Add Desktops wizard, always reimport Templates, Folders, and Resource Pools/ Datastores to ensure accurate values.

• As a general rule, set the inactivity timeout for idle desktops to something reasonable for your business requirements, such as 2 or more hours. The default of 15 minutes causes slower start times for users when connecting to a suspended desktop. To change this setting, right-click the Locations node in the vWorkspace Management Console, choose Properties | Timing and Other Settings and set the Inactivity Timeout to 2 to 12 Hours.

625


Services

• When manually starting vWorkspace services, always start the Quest Database Manager service first. It retrieves configuration data stored in the database. This ensures the latest configuration settings are obtained.

Next, start the Quest Registry Service. It applies the configuration settings to the registry. The start order for the remaining services does not matter because those remaining services have the latest configuration.

• Set the recovery method to Restart the service for the first failure for the following services.

• Quest Database Manager Service

• Quest Registry Service

• Quest Connection Broker Service

Connection Broker

• The Connection Broker needs enough resources to support the login, authentication, and SQL query tasks that it must perform. A DuoCore processor with 2 GB’s of RAM should suffice for a Connection Broker on a physical server (for a large farm). Dual processors and 2 GB’s of RAM should suffice for a Connection Broker on a virtual computer.

• Turn on farm database caching once the farm is configured properly. This will speed up database information retrieval for Quest vWorkspace services. When changing settings within the vWorkspace Management Console, all changes are done directly on the database.

• Set the virtual memory high and low threshold to be equal to prevent fragmentation of the pagefile.

Sysprep Template

• VMware VirtualCenter places its sysprep files in the following location:

InstallFilesPath=C:\sysprep\i386

• Always use FQDN for the domain name.

• Always use the format domain\username when entering domain credentials.

626

VirtualCenter Server

• If you encounter issues creating desktops, you should first restart the VirtualCenter server or, at the very least, restart the VMware VirtualCenter Server service.

• On your VirtualCenter server, be sure to populate the C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\sysprep\xp with the appropriate Windows XP Professional sysprep files. Do the same corresponding sysprep file setup for Windows Server 2003 if it is used for virtual computer creation.

• Prior to creating any virtual computers in a computer group, make sure that VirtualCenter can successfully deploy a virtual computer from the template using guest OS customizations.

a) Set the Inventory view to Virtual Machines and Templates.

b) Navigate to the template, right-click and select Deploy Virtual Machine from this Template.

c) The Deploy Template Wizard starts. Mimic the responses that are to be used to create a virtual computer within the Add Desktops Wizard (in the vWorkspace Management Console). On the Select Guest Customization Option window, select Customize Using the Customization Wizard. Mimic the responses needed to create the sysprep template during the Add Desktops Wizard.

d) It is a good idea to observe the sysprep mini-setup by opening a console to the newly cloned virtual computer.

Information can be gleaned from the command prompt during the mini-setup for troubleshooting purposes by pressing Shift + F10 (while the screen focus is on the console).

e) If you receive the error, Unable to communicate with the remote host, since it is disconnected, 30 seconds or so after creating a virtual computer through the Add Desktops Wizard, the template has been orphaned and needs to be reregistered in VirtualCenter. Restarting the VirtualCenter server may accomplish this task.

627


VirtualCenter Templates

• Do not add the workstation to a domain to avoid group policies from being pushed down.

• Install the latest version of VMTools which is compatible with your VirtualCenter.

• Some AV software prevents VMTools from installing VMware’s version of the mouse, network, and display drivers. VMTools installation fails if this is the case.

• If CD autoplay features are disabled, VMTools fails because VirtualCenter loads VMTools as a CD prior to installing it.

• Turn on Remote Desktop and Remote Assistance under System properties.

• If Remote Desktop is denied, the managed computer hangs on the Initialize task. To correct, remove from group, enable Remote Desktop, and import into the group.

• Remote Assistance is enabled to allow shadowing.

• If Windows Firewall is turned on, the following ports need to be opened. These firewall openings are best executed with GPO’s.

• File and Print Sharing associated ports — UDP 137, UDP 138, UDP 445, TCP 139, and TCP 445.

• Remote Administration ports — TCP 139 and TCP 445.

• Remote Desktop— TCP 3389.

• Connection Broker (communication to the Data Collector Service ) — TCP 5203, TCP 5201.

• Uninstall any out of date versions of PNTools.

• Install the latest version of PNTools. This enables the virtual computer to be ready for logon sooner (eliminates the need to install PNTools from the console after virtual computer creation).

• If you are using the Reprovision feature, it is important that you install PNTools onto the VMware templates that you are using for reprovisioning.

• When Print-IT or USB-IT needs to be configured differently than the default settings, you must install PNTools on the template, as it would be unwieldy to individually install and configure Print-IT or USB-IT on each managed virtual computer. If this method is used, four registry values need to be removed after installing PNTools on the template, if this managed computer has been added to a managed computer group.

628

• These values uniquely identify the virtual computer to the managed computer group and if left in place, prevent cloned virtual computers from joining the managed computer group. These registry values are listed below.

• HKLM\Software\Provision Networks\Common\ComputerID

• HKLM\Software\Provision Networks\Common\PublicKey

• HKLM\Software\Provision Networks\Common\VMStatusInterval

• HKLM\Software\Provision Networks\Common\LLMServerList

• If USB PDA redirection is utilized, make sure to add the Handheld Device Redirection feature for the PNTools. It is not added with the default install of PNTools. Also, in Device Manager, see if the USB-IT Host Controller (under Universal Serial Bus Controllers) is working correctly. If not, the files usbd.sys and usbhub.sys may need to be added to the C:\Windows\system32\drivers directory prior to adding the Handheld Device Redirection feature.

• Disable unneeded services, like the Indexing Service, unless there is a strong reason to enable them.

• Install Antivirus software and keep it current. In today’s world of viruses that are efficient at exploitation and replication, an OS installation routine has to merely initialize the network subsystem to be vulnerable to attack.

By deploying virtual computers with up-to-date antivirus protection, this exposure is limited. Keep the antivirus software current every month by converting the templates to virtual computers, powering on, and updating the signature files. Ensure the Antivirus is configured so that it does not block the TCP ports: UDP 137, UDP 138, UDP 445, TCP 139, TCP 445, TCP 3389, TCP 5201,TCP 5203.

• Install the latest operating system patches, and stay current with the latest releases. Operating system vulnerabilities can increase exposure to exploitation significantly, and current antivirus software isn’t enough to keep exposure to a minimum.

When updating antivirus software, apply any relevant OS patches and hotfixes. Use the template Notes field to store update records. This is a good way to keep information about the maintenance of the template in the template itself, and the Notes field is a great place to keep informal update records.

Plan for VMware ESX Server capacity for template management. The act of converting a template to a virtual computer, powering it on, accessing the network to obtain updates, shutting down, and converting back to template requires available ESX Server resources. Make sure there are ample resources for these very important activities.

629


• Use a quarantined network connection for updating templates. The whole point of keeping antivirus and operating systems current is to avoid exploitation, so leverage the ability of ESX Server to segregate different kinds of network traffic, and apply updates in a quarantined network.

• Use the same datastore for storing and for powered on templates. During the process of converting templates to virtual computers, do not deploy the template to another datastore. It is faster and more efficient to keep the template files in the same place before and after the update.

Install the VMware Tools in the template. The VMware Tools include optimized drivers for the virtualized hardware components that use fewer physical host resources. Installing the VMware Tools in the template saves time and reduces the chance that a sub optimally configured virtual computer will be deployed to your production ESX Server infrastructure.

Use a standardized naming convention for templates. Some inventory panel views do not offer you the opportunity to sort by type, so create a standard prefix for templates to help you identify them by sorting by name. Also, be sure to include enough descriptive information in the template name to know what is contained in the template.

• Defragment of the guest OS file system before converting it to a template is important. Most operating system installation programs create a highly fragmented file system even before the system begins its useful life.

• Remove Nonpresent Hidden Devices from Templates. This problem likely occurs only if you convert existing physical images to templates. Windows stores configuration information about certain devices, notably network devices, even after they are removed from the system. Refer to Microsoft TechNet article 269155 for removal instructions.

• Use Folders to organize and manage templates. Folders can be both an organizational and security container.

• Create Active Directory groups that map to VirtualCenter roles, rather than assign VirtualCenter roles to individual user accounts.

• Disable COM ports to decrease unnecessary context switches.

630

NetApp Integration

• File system alignment needs to be performed on the virtual computer template.

See http://www.netapp.com/us/library/technical-reports/tr-3747.html for more detailed information.

Failover Protection

• On VMware VirtualCenter, a single cluster of available servers provides a larger pool of hardware to support the environment and provide better fault tolerance. Within this cluster, create at least two Resource Pools, one for Infrastructure (Servers/Brokers) and one for VDI. Create appropriate resource allocations for each.

• Employ at least two Connection Brokers in a farm. Make sure the vWorkspace clients are configured with all the Connection Brokers in the farm.

• The Connection Broker directs a user to a temporary, permanently assigned desktop until the original is brought back online.

• Any user shell folders that need to be persisted should be redirected to a network location, such as Application Data, Personal (user’s home directory) and My Pictures subfolder, Desktop, Start Menu and its subfolders (Programs and Startup), Favorites, History, NetHood, PrintHood, SendTo, Cookies, and Templates. Redirection is done through GPO’s or scripting.

631

http://www.netapp.com/us/library/technical-reports/tr-3747.html

http://www.netapp.com/us/library/technical-reports/tr-3747.html


High Availability

• If two or more Connection Brokers are VMware virtual computers and DRS is utilized, a rule should be set to separate the brokers between physical ESX servers at all times.

• SQL database: SQL clustering may be implemented to achieve SQL HA.

• Maintain a reserve of managed computers (temporary) in case one ESX server fails and desktops are unavailable (assuming VMware’s HA is not utilized).

This excess capacity can easily be calculated by dividing the number of concurrent computers needed by the number of ESX servers housing the managed computers.

For example, if you have business requirements for 100 concurrent managed computers implemented using 12 ESX servers hosting the virtual desktops, then divide 100 ÷ 12 = 8 reserve desktops. Therefore, provision 100 + 8 = 108 desktops to ensure adequate desktop resources. Allocate those reserve desktops evenly among the ESX servers.

Other Protections

• Create an SQL maintenance plan to backup the vWorkspace database regularly.

• Ensure that both the VirtualCenter and the vWorkspace Database are set for simple recovery within the SQL Management Console to minimize the maintenance and backup requirements.

632

Appendix B

About the Config.xml FileThe config.xml file controls connection policies on the AppPortal. If you choose to configure this file, there are a few items that need to be considered.

A template file is located in the following folder on your Connection Broker Server: \Program Files\Quest Software\vWorkspace | Provision-IT. It is also located on your Web Access server at: \Inetpub\wwwroot\Provision\Web-IT.

One of the following methods need to be done for autoconfiguration of the file.

Method One

1. Create a DNS Entry (A record or CNAME) and assign the name provision or optionally, vworkspace, which is actually a Web Server located on your network.

2. Place the configured config.xml file in the root of the Web Server:

IIS: \Inetpub\wwwroot

Apache: edit the 000-default file and look for DocumentRoot (found in /etc/apache2).

Method Two

1. Create a login script or push out a Registry Setting to your client computers. The registry setting is:

HKLM\Software\Provision Networks\Provision-IT Client

Value: AutoConnectURL

Type: REG_SZ

Data: http://www.domain.com

2. If you have multiple config.xml files for multiple farms, use the following registry key:

HKLM\Software\Provision Networks\Provision-IT Client

Value: AutoConnectURL

Type: REG_MULTI_SZ

Data: (One Per Line)

633


http://www.domain1.com/config.xml

http://www.domain1.com/provconf/myconfig.xml

https://ssl.domain.com/config.xml

3. Install the Quest vWorkspace Client.

4. Start the client.

The following table lists the config.xml file settings, a description of some of the settings, and associated values.

CONFIG.XML FILE SETTING VALUES DESCRIPTION

FarmName Default = New Farm Connection

Farm Name can be anything, but once connected, it takes the name of the actual farm set in the vWorkspace Management Console.

OverrideFarmName 0=Off

1=On

Default = 0

Use this setting to override the way in which the Farm Name is presented to users in AppPortal.

PromptForLocation Integer

0= Off

1= On

Default = 1

Tells the vWorkspace Client to prompt for a location, such as Office or Home.

This is specified in the Locations section of the config.xml file. See Location Section of Config.xml.

DefaultLocation 1|2|3

Default =1 (if PromptForLocation is 0)

Three different locations for a farm connection are supported. The one selected in this setting is the default location.

SeamlessMode 0 = Off

1 = On

Default = 1

634

DesktopWidth 640 to 4096

Default = 800

Custom width for connections. Does not apply if SeamlessMode is set to 1 (on).

DesktopHeight 480 to 2048

Default = 600

Custom height for connections. Does not apply if SeamlessMode is set to 1 (on).

FullScreen 0 = Not enabled

1 = Enabled

Default = 0

SpanMonitors 0 = Not enabled

1 = Enabled

Default = 0

ColorDepth 8 to 32

Default = 8

Set the default color quality of the desktop connection/Provision applications.

AudioMode 0 = Sound on local computer.

1 = Do not play sound.

2 = Sound on remote computer.

Default = 0

KeyboardHook 0 = On local computer.

1 = On remote computer.

2 = Full screen mode only.

Default = 0


635


RedirectDrives 0 = Do not redirect local drives.

1 = Redirect local drives.

Default = 0

RedirectPrinters 0 = Do not redirect local printers. (This is not Universal Printers.)

1 = Redirect local printers.

Default = 0

RedirectComPorts 0 = Do not redirect local COM ports.

1 = Redirect local COM ports.

Default = 0

RedirectSmartCards 0 = Do not redirect SmartCards.

1 = Redirect SmartCards.

Default = 0

RedirectHandhelds 0 = Do not redirect local handheld devices.

1 = Redirect local handheld devices.

Default = 0

Applies to the USB-IT feature in Terminal Services and the USB Redirection support for desktop connections.

RedirectUniversalPrinters 0 = Do not redirect local Universal Printers.

1 = Redirect local Universal Printers.

Default = 0


636

RedirectMicroPhone 0 = Do not redirect the microphone.

1 = Redirect the microphone.

Default = 0

RedirectClipBoard 0 = Do not redirect the Clipboard.

1 = Redirect the Clipboard.

Default = 0

EnableWallpaper 0 = Do not enable local wallpaper.

1 = Enable local wallpaper.

Default = 0

EnableFullWindowDrag 0 = Do not enable windows content while dragging.

1 = Enable windows content while dragging.

Default = 0

EnableAnimation 0 = Do not enable animations.

1 = Enable animations.

Default = 0

EnableThemes 0 = Do not enable themes.

1 = Enable themes.

Default = 0

EnableBitmapCaching 0 = Do not enable Bitmap caching.

1 = Enable Bitmap caching.

Default = 0


637


EnableDesktopComposition 0 = Do not enable Desktop composition.

1 = Enable Desktop composition.

Default = 0

If Desktop Composition is enabled, Graphics Acceleration is disabled.

EnableFontSmoothing 0 = Do not enable Font smoothing.

1 = Enable Font smoothing.

Default = 0

HideSettings 0 = Do not hide the Provision Connection policies.

1 = Hide the Provision Connection policies.

Default = 0

Used to control whether users can see the settings for their vWorkspace Client.

EnableSSO 0 = Do not enable SSO.

1 = Enable SSO.

Default = 0

Used for cached credentials, not Kerberos authentication.

EnableKerberos 0 = Do not enable Kerberos ticket authentication.

1 = Enable Kerberos ticket authentication.

Default = 0

Setting takes precedence over EnableSSO.

KerberosMode 0 = All authentication.

1 = Initial authentication only (logon).

Default = 0

Used with EnableKerberos.


638

DisallowSaveCredentials 0 = Allow clients to save their credentials within the vWorkspace Client.

1 = Do not allow clients to save their credentials within the vWorkspace Client.

Default = 0

PasswordManagement Server

String Fully qualified domain name or SSL certificate name of the Password Management Server.

Do not include https or port numbers. For example:

pwdmgr.domain.com

PasswordManagement Port 1 to 65535

Default = 443

Port to use for Password Management Server.

AllowPassword Management 0 = Do not use Password Management Server.

1 = Use Password Management Server.

Default = 0

Password Management Server must be setup and functional on a member server of the domain.

DIShortcutLocations 1 = Desktop

2 = StartMenu

4 = Start Menu\Programs

EnableSmartSizing 0 = Do not use smart sizing on desktop connections.

1 = Use smart sizing on desktop connections.

Default = 0


639


AutoReconnect 0 = Do not auto reconnect to a session if disconnected or dropped.

1 = Auto reconnect to a session if it is disconnected or dropped.

Default = 0

DisplayConnectionBar 0 = Do not display the connection bar when using full screen.

1 = Display the connection bar when using full screen.

Default = 0

PinConnectionBar 0 = Do not pin the connection bar.

1 = Pin the connection bar.

Default = 0

EnableLocalTextEcho 0=Disable

1=Enable

Default = 0

EnableGraphicsAcceleration 0=Disable

1=Enable

Default = 0

EnableMultimediaRedirection 0=Disable

1=Enable

Default = 0

EnableFlashRedirection 0=Disable

1=Enable

Default = 0


640

AutoLaunchAppN AppName, N = 1 to 10

A total of 10 autolaunched applications are available, but the data is the name of the managed application within the vWorkspace Management Console, Resources | Managed Applications.

Note: The vWorkspace Client only starts the first application found; it does not start multiple applications.

FarmType 0=vWorkspace

1=RDBroker

Default=0

EnableWANAcceleration 0=No

1=Yes

Default=0

NetworkConnectionType 0=Modem28

1=Modem56

2=Low speed broadband

3=Satellite

4=High speed broadband

5=WAN

6=LAN

Default=4

RDGatewayMode Auto

Specify

None

Default=Auto

RDGatewayServer <Server name or IP address>


641


RDGatewayLogonMethod Any

Password

Smartcard

Default=Any

RDGatewayBypass 0=No

1=Yes

Default=1


642

Location Section of Config.xml

CONFIG.XML LOCATION SECTION

VALUES DESCRIPTION

Number 1

2

3

Use to identify the location you created.

TCPPort 1 to 65535

Default = 1

TCP port of the Connection Broker.

ServerList For example:

broker1.domain.com,xxx.xxx.xxx.xxx, pnbroker

Comma separated string of Connection Broker severs, FQDN, IP, NetBIOS name.

Name String Name of the connection, such as Internal, External, Secure.

Protocol 0 = http

1 = https

Use 1 if using Secure Gateway. If only using this for internal connections, you can use 0.

RDPonSSL 0 = No RDP over SSL

1 = Use RDP over SSL (Protocol must be set to 1 and SSLGateway set).

Default = 0

RDP over SSL Secure Gateway connection.

SSLGateway String

For example:

broker1.domain.com, pnbroker

Secure Gateway server listed as FQDN or NetBIOS name, depending on SSL Certificate name.

643


EnableNAT 0 = Do not enable NAT translation for firewall connections.

1 = Enable NAT translation for firewall connections

Default = 0

Only for Terminal Servers. An alternative IP address must be set in the vWorkspace Management Console for each Terminal Server.

To set an alternative IP address, use the following path:

Infrastructure | Servers | Terminal Servers

Right-click on the Terminal Server and select Properties. Select the Connectivity tab, IP Address.

ProxyServer String IP: port of proxy server to use for connections.

ProxyServerBypassList String Refer to Microsoft documentation for proxy exceptions.

CONFIG.XML LOCATION SECTION

VALUES DESCRIPTION

644

Appendix C

GINA ChainingThis document describes the registry entries necessary for GINA chaining in vWorkspace.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value: PNGinaDLL

Type: String (REG_SZ)

Data: <Gina to be chained>

For example: nwgina.dll

The default Ginadll value is: pngina.dll

Novell GINA Troubleshooting• The order of installation should be, Novell Client, ZCM Client, and then

vWorkspace PNTools (version 7.x or later).

• The user names in AD and eDirectory need to match.

• The NetWare Client needs to be preconfigured to talk to the correct NDS Tree.

645


646

Appendix D

Sentillion IntegrationSentillion markets numerous healthcare integration products that unify single sign-on (SSO), context management and strong authentication, into a fully integrated managed clinical workstation enabling caregivers to quickly access their applications and the associated patient data. Sentillion components install a custom Sentillion GINA that integrates with the clinical desktop to provide SSO services and chains to subsequent GINAs. Thus, the Sentillion components should be installed after Virtual Desktop Extensions (PNTools) to ensure proper GINA chaining with vWorkspace.

This section describes the registry entry necessary for the integration of vWorkspace and Sentillion. Because of the Sentillion GINA, vWorkspace must properly initialize Windows Explorer and bypass the normal PNStart execution. With the following integration, you are able to complete a single sign-on to a virtual computer using the Sentillion solution.

The following registry entry needs to be added to the client endpoint running AppPortal or PNTSC that is connecting to the Sentillion desktop. By setting this registry entry, pnstart.exe is bypassed, launching Explorer directly, allowing Sentillion to obtain credentials for further application logon pass thru.

HKLM\Software\Provision Networks\Provision-IT

"TSClientUsePNStart" (REG_DWORD) = "0"

This setting is only effective for TS. PNStart is executed on VDI VMs using the registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell REG_SZ

PNTools setup will set this value to ’PNSTART.EXE’. To disable PNSTART.EXE from running on VDI machines, change this value to ’EXPLORER.EXE’.

647


648

Appendix E

Internet Explorer RedirectionThis feature allows/causes all IE browser content that is accessed on the server side (VM or TS) to be opened/played using the IE browser on the client physical desktop.

For example, if a user clicks a link to a URL on their VDI desktop, that URL is opened using the IE browser on their local PC. The browser on the VM/TS is not used.

The pros and cons to this feature are as follows:

Pros:

• Frees up much needed resources.• Frees up much needed bandwidth.

Cons:

• If using Linux or Mac clients you will need to create separate VM/TS pools so IE is not redirected. This is because IE is unavailable to the OS’s.

• If the user is connected externally and no VPN is connected, there is no connectivity to local resources such as intranets.

This feature redirects Internet Explorer from the server to the user access device.

When you enable IE Redirection from the virtual machine to the end point, embedded URLs are intercepted on the virtual machine and sent to the end point. The user's locally installed browser is then used to access the URL. Users cannot disable this feature.

For example, users may frequently access web and multimedia URLs they encounter when running an email program published on a server.

If you do not enable IE Redirection from the virtual machine to the end point, users open these URLs with Internet Explorer present on servers running vWorkspace redirection enabled Servers.

You must install Virtual Desktop Extensions (PNTools) and the following server side registry entries need to be set:

When IE redirection is enabled, some embedded hyperlinks in documents may not be redirected.

649


To register:

• HKEY_CLASSES_ROOT\HTTP\shell\open\command

"(Default)" (REG_SZ) = ""C:\Program Files\Quest Software\ vWorkspace\iexplore.exe" %1"

• HKEY_CLASSES_ROOT\HTTPS\shell\open\command

"(Default)" (REG_SZ) = ""C:\Program Files\Quest Software\ vWorkspace\iexplore.exe" %1"

For a x64 bit system, the registry entry should be set as follows:


"(Default)" (REG_SZ) = ""C:\Program Files(x86)\Quest Software\ vWorkspace\iexplore.exe" %1"


"(Default)" (REG_SZ) = ""C:\Program Files(x86)\Quest Software\ vWorkspace\iexplore.exe" %1"

For a computer where Windows is installed on a drive other than C:, the registry entry should be set with the appropriate drive designation as follows:

For example, if the drive designation is D:


"(Default)" (REG_SZ) = ""D:\Program Files\Quest Software\ vWorkspace\iexplore.exe" %1"


"(Default)" (REG_SZ) = ""D:\Program Files\Quest Software\ vWorkspace\iexplore.exe" %1"

To unregister:


"(Default)" (REG_SZ) = ""C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome"


"(Default)" (REG_SZ) = ""C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome"

650

Appendix F

Wyse Thin OS

vWorkspace supports Wyse Thin OS (WTOS), and the configuration of it is controlled by DHCP and INI files on the Connection Broker. The following steps must be followed for configuration.

Configuration

DHCP option 188 is used to list the addresses of each Connection Broker, and the XML Communication Port. DHCP option 161 lists the servers that hold updated WTOS Firmware. Since Connection Brokers can do both of these, once may configure either or both options.

On the Connection Broker, browse to %ProgramFiles%\Provision Networks\Wyse. Create a subdirectory named WNOS (case sensitive). In the WNOS directory, create two sub-directories, ini and bitmap.

651


Use Notepad to create the two ini files listed in the WNOS directory:

wnos.ini contents:

signon=1autoload=1autosignoff=yesprivilege=HighDomainlist=YourDomainName

rdp.ini contents:

Fullscreen=yesColors=highEncryption=128Experience=15Lowband=noAutoconnect=1

To update the WTOS Firmware, copy the new firmware (RCA_wnos) to the WNOS directory, and set autoload=1 on the wnos.ini file.

The basic configuration is completed to connect a WTOS Thin Client to a Connection Broker. If one has multiple Connection Brokers, list them in the DHCP options, and copy the contents of the Wyse Directory to each additional Connection Broker.

For more detailed information on the Wyse products, please refer to Wyse documentation.

The CompatiblityMode registry entry allows support of pre-version VAS 5.10 clients. When CompatibilityMode is set to 1, the broker checks the version of the connected client and if the version is lower than 5.10, the broker does not use the ticketing mechanism introduced in VAS 5.10, instead the PIT file delivered is the previous PIT file format.To place a Connection Broker in to CompatibilityMode, create the following registry value on all the Connection Brokers in a farm.HKLM\Software\Provision Networks\Common\Load And License Manager CompatibilityMode = 1 REG_DWORD

652

Appendix G

VMware vCenter Server CertificateConnections to VMware vCenter servers from vWorkspace are made without a keystore and VMware vCenter servers are not identified by their certificates.

The following instructions describe the process for creating Vmware vCenter Server keystores on each Connection Broker.

The VMware keystore is stored in one of the following places on the Connection Broker:

• For a new installation:

c:\Program Files\Quest Software\vWorkspace\Vmware-Certs

• For an upgrade installation:

c:\Program Files\Provision Networks\Vmware-Certs

How to ...

• Create the Keystore by the Script Procedure

• View or Modify Keystore Registry Entries

• Copy to Other Connection Brokers

Create the Keystore by the Script Procedure

The keystore generation script, ImportCert.vbs, is found in the Scripts folder which is either C:\Program Files\Quest Software\vWorkspace\Scripts in a new installation or C:\Program Files\Provision Networks\Scripts if you are upgrading to vWorkspace. The syntax for using this script is:

Wscript.exe<scripts_folder>\ImportCerts.vbs"<VirtualCenter_Name" "<keystore_password>" "<admin_name_optional>" "admin_password_optional>"

The "<admin_name_optional>" and "<admin_password_optional>"are only necessary if the logged on user does not have administrative access to the VirtualCenter server.

View or Modify Keystore Registry Entries

1. Log on to the Connection Broker using an account that has administrative rights.

653


2. Open the Registry Editor.

3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Provision Networks\VDI.

4. To view the current value, locate and select the REG_SZ value named TrustStore.

The value should be:

New installation: C:\Program Files\Quest Software\vWorkspace\VMware-Certs\vmware.keystore

Upgrade installation:C:\Program Files\Provision Networks\VMware-Certs\vmware.keystore

5. To modify the current value, enter the correct path and file name into the Value Data box, and then click OK to save and close the Edit String window.

6. Close the Registry Editor.

Copy to Other Connection Brokers

Use the following instructions to copy the VMware certificates to additional Connection Brokers.

1. Copy the contents of the C:\Program Files\Quest Software\vWorkspace\VMware-Certs folder from the first Connection Broker in your environment to the additional designated Connection Brokers.

If vWorkspace has been installed prior to completing the above procedure, restart the Connection Broker to enable it to read the root certificate store, vmware.keystore.

The Connection Broker service must be restarted when the TrustStore registry value is modified.Also, if vWorkspace had already been installed prior to copying the C:\Program Files\Quest Software\vWorkspace\VMware-Certs folder from another Connection Broker, restart the Connection Broker to enable it to read the root certificate store, vmware.keystore.

654

Appendix H

Configurable Registry Settings

Active Setup

Controls whether Active Setup is run on Win 7 for first time logins. In 7.2, PNShell on VDI will run Active Setup by default on first-time login. If a user wishes to disable ActiveSetup on Win7 they should create the following registry value:

HKLM\Software\Provision Networks\Provision-IT

DisableActiveSetupOnWin7 REG_DWORD 0=run active setup(default) 1=don't run active setup

PNTSC

Controls whether a message box is displayed when PNTSC disconnects. In 7.2, by default PNTSC will display a message box on disconnect. To not show the message box on disconnect create the following registry value:

HKLM\SOFTWARE\Provision Networks\Provision-IT

TSClientShowMsgBoxOnDisconnect REG_DWORD 0=don't show msgbox 1=show msgbox (default)

PHNS

Controls the default initial application wait time. The default wait time value is set to 10 seconds. To change the default wait time value to some other value create the following registry value. In the example below the initial wait time value is set to 15 seconds.

HKLM\SOFTWARE\Provision Networks\Provision-IT

"InitialAppWaitTime" (REG_SZ) = "15"

This registry value needs to be placed in the SysWOW64 directory and Wow6432Node on a 64-bit platform.

655


656

Glossary

This glossary contains some definitions that are from Microsoft and VMware publications.

AACE

Access Control EntryAn entry in an access-control list (ACL) that contains a set of access rights and a security identifier (SID) that identifies a trustee, such as a user or group, for whom the rights are allowed, denied, or audited.

ACL Access Control ListA list of access-control entries (ACEs) that define the security protections on an object. There are two kinds of ACLs that can appear in an object's security descriptor: a discretionary ACL (DACL) that controls access to the object, and a system ACL (SACL) that controls auditing of attempts to access the object.

Active Directory ReplicationSynchronization of directory partition replicas between Windows 2000 domain controllers. Directory partition replicas are writable on each domain controller, except for Global Catalog replicas. Replication automatically copies the changes from a specified directory partition replica to all other domain controllers that hold the same directory partition replica. More specifically, a server called the destination pulls changes from another server called the source.

ADActive DirectoryThe Windows directory service.

Administrative rightsThe rights granted to a member of the Administrators local group. A member of this group can perform such actions as creating user accounts and groups, and adding group members.

APIApplication Programming Interface

657


AuthenticationThe process required to log on to a computer locally. Authentication requires a valid user name and password. An access token is created if the information provided matches the account in the database.

BBDC

Backup Domain ControllerIn a Windows NT server 4.0 or earlier domain, the backup domain controller is the server host computer that receives a copy of the domain's directory database, with all account and security policy information for the domain. The copy is synchronized periodically and automatically with the master copy on the primary domain controller (PDC). BDCs also authenticate user logons and can be promoted to function as PDCs as needed. Multiple BDCs can exist on a domain.

CChild Domain

For DNS and Active Directory, a domain located in the namespace tree directly beneath another domain name (its parent domain). For example, "example.reskit.com" is a child domain of the parent domain, "reskit.com" Child domain is also called subdomain.

Child ObjectAn object that is the immediate subordinate of another object in a hierarchy. A child object can have only one immediate superior, or parent, object. In Active Directory, the schema determines what classes of objects can be child objects of what other classes of objects. Depending on its class, a child object can also be the parent of other objects.

ClientA software application that requests the services, data, or processing of another application or computer (known as the server).

ClusterA group of independent computers, referred to as nodes, that provide access to the same resources. If one node fails, the other nodes in the cluster keep the resources available.

658

CNCommon NameEach object in Active Directory® has a naming attribute from which its relative distinguished name is formed. For most object classes, the naming attribute is the Common Name (cn).

COMComponent Object ModelA model for binary code that allows applications and systems to be built from components supplied by different software vendors.

Connection Broker(from VMware glossary) A server that allows connections between remote users and virtual desktops and provides authentication and session management.

Container A directory object that can contain other directory objects.

Controlled DomainA controlled domain is a Windows NT or Windows 2000 domain over which administrative rights have been delegated.

CPUCentral Processing Unit

DDACL

Discretionary Access-Control ListA list that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object.

DAPIDirectory APIA collection of high-level functions to work with MS Exchange Directory.

659


DCDomain Component A domain component is used in distinguished names (DNs) to indicate an identifier for a part of an object's network domain. Domain Controller A server that authenticates domain logon passwords and maintains security policy and the security accounts master database for a domain.

DesktopSee Virtual Desktop.

Directory PartitionA directory partition, or naming context, is a contiguous Active Directory subtree replicated on one, or more, Windows 2000 domain controllers (DCs) in a forest. Each DC has a replica of three partitions: the schema partition, the configuration partition, and a domain partition.

Directory TreeA hierarchy of objects and containers in a directory. Can be viewed graphically as an upside-down tree, with the root object at the top.

DLLDynamic Link LibraryA dynamic link library is a collection of small programs, that can be called when a larger program that is running on the computer requires any of them.

DMZ (demilitarized zone)(from the VMware glossary) A logical or physical subnetwork that connects internal servers to a larger, untrusted network (usually the Internet) and provides an additional layer of security and gives administrators more control over who can access network resources.

DNDistinguished NameA name that identifies an object by indicating its current location in the directory hierarchy. The name is formed by concatenating the relative distinguished names of the object and each of its ancestors up to the root of the directory partition. An object's distinguished name is unique across the entire directory, but it changes if the object is moved or renamed.

660

DNSDomain Name System A hierarchical naming system used for locating domain names on the Internet and private TCP/IP networks.

DomainA domain is a logical collection of resources. It consists of computers, printers, computer accounts, user accounts, and other related objects.

Domain ComponentA domain component is used in distinguished names (DNs) to indicate an identifier for a part of an object's network domain. For example, /O=Internet/DC=COM/DC=Fabrikam/ CN=Users/CN=Jeff Smith contains the Domain Components "COM" and "Fabrikam".

Domain Local GroupA domain local group can be used on access-control lists (ACLs) only in its own domain. A domain local group can contain users and global groups from any domain in the forest, universal groups, and other domain local groups in its own domain.

Domain Naming MasterThe domain controller that has the domain naming master role is the only domain controller that can add new domains to the forest, remove existing domains from the forest, and add or remove cross-reference objects to external directories.

FFault Tolerance

Fault tolerance is the ability of a system to keep working in the event of a hardware or a software failure on the primary service computer.

FATFile Allocation TableThe part of the DOS, Windows and OS/2 file system that keeps track of where data is stored on disk.

File AttributeInformation that indicates whether a file is read-only, hidden, ready for archiving, compressed, or encrypted, and whether the file contents should be indexed for fast file searching.

661


File Replication ServiceA multithreaded replication engine that allows simultaneous replication of files between different computers. File Replication service replaces the LMRepl service that is used in Microsoft Windows NT.

File SystemA structure for naming, organizing and storing files. The most common types of file systems are: NTFS, and FAT.

ForestA collection of one or more Windows Active Directory trees, organized as peers and connected by two-way transitive trust relationships between the root domains of each tree.

FQDNFully Qualified Domain NameThe complete domain name for a specific computer (host) on the Internet. It provides enough information so that it can be converted into a physical IP address. The FQDN consists of host name and domain name.

FRSFile Replication Service A multithreaded replication engine that allows the simultaneous replication of files between different computers.

FSMOFlexible Single Master OperationsActive Directory operations that are not permitted to occur at different places in the network at the same time.

GGlobal Catalog

A domain controller that contains a partial replica of every domain directory partition in the forest as well as a full replica of its own directory partition and the schema and configuration directory partitions. The Global Catalog holds a replica of every object in Active Directory, but each object includes a limited number of its attributes.

Global Catalog ServerA Windows 2000 domain controller that holds a copy of the global catalog for the forest.

662

Global GroupA global group can appear on access-control lists (ACLs) anywhere in the forest. A global group can contain users and other global groups from its own domain.

GPOGroup Policy ObjectA collection of group policy settings. Group Policy objects are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units.

Group PolicyAn administrator’s tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization.

GUIGraphical User InterfaceA display format that represents a program’s functions with graphic images such as buttons and icons. The GUI allows the user to perform actions and make choices by pointing and clicking with the mouse.

GUIDGlobal Unique IdentifierAn unchangeable 128-bit number that uniquely identifies an object. It works in conjunction with SIDs to identify Active Directory objects.

HHot Fixes

A software patch that repairs components without the user having to restart the computer.

Hosted Desktop or DesktopA virtual or physical computer, usually deployed inside a secure data center, running a Windows desktop or server operating system such as Windows XP, Windows Vista, or Windows Server 2003.

IIDE

Integrated Development EnvironmentA set of programs run from a single user interface. For example, programming languages often include a text editor, compiler and debugger, which are all activated and function from a common menu.

663


InheritanceInheritance allows a given access control entry (ACE) to be propagated from the container where it was applied to all children of the container.

KKerberos Authentication Protocol

The default authentication mechanism in most Active Directory forests.

LLAN

Local Area NetworkA computer network that connects computers in a small geographical area, such as in a building or on a campus.

LDAPLightweight Directory Access ProtocolThe standard Internet communications protocol used to communicate with Active Directory.

Load BalancingThe fine-tuning of a computer system, network or disk subsystem in order to more evenly distribute the data and processing across available resources.

Local GroupA local group provides access to resources and rights to perform system tasks. A local group remains strictly local to the computer where it is created, and does not appear in the directory.

LSALocal Security Authority

LSASSLocal Security Authority Subsystem

MMAPI

Messaging Application Programming InterfaceA messaging architecture and a client interface component.

664

Member ServerA computer that runs Windows 2000 Server but is not a domain controller of a Windows 2000 domain. Member servers participate in a domain, but do not store a copy of the directory database.

MetricsThe measurement of a particular characteristic of a program's performance or efficiency.

Mixed ModeWindows 2000 domains are installed in mixed mode, by default. In mixed mode, the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.

NNaming Context

A naming context (also called a directory partition) is a contiguous Active Directory subtree that is replicated on one or more Windows 2000 domain controllers (DCs) in a forest.

Native ModeA Windows 2000 Domain is in native mode when all domain controllers in the domain have been upgraded to Windows 2000 and an administrator has enabled the native mode operation using the domain property page in the Active Directory Users and Computers snap-in. Domains must be operating in native mode for nested groups to be supported.

NICNetwork Interface Card

NodeIn tree structures, a location on the tree that can have links to one or more items below it.

In local area networks (LANs), a device that is connected to the network and is capable of communicating with other network devices.

In a server cluster, a server that has Cluster service software installed and is a member of the cluster.

665


NTFS File SystemA recoverable file system designed for use specifically with Windows NT and Windows 2000. NTFS uses database, transaction-processing, and object paradigms to provide data security, file system reliability, and other advanced features. It supports file system recovery, large storage media, and various features for the POSIX subsystem. It also supports object-oriented applications by treating all files as objects with user-defined and system-defined attributes.

OOffline

In a server cluster, the state of a resource, group, or node when it is unavailable to the cluster. Resources and groups also have an offline state

OnlineIn a server cluster, the state of a resource, group, or node when it is available to the cluster.

OUOrganizational UnitAn Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which a Group Policy object can be linked, or over which administrative authority can be delegated.

OwnerIn Windows 2000, the person who controls how permissions are set on objects and can grant permissions to others.

PPaging

The process of moving virtual memory back and forth between physical memory and the disk. Paging occurs when physical memory limitations are reached and only occurs for data that is not already "backed" by disk space. For example, file data is not paged out because it already has allocated disk space within a file system.

666

Parent DomainFor DNS and Active Directory, domains that are located in the namespace tree directly above other derivative domain names (child domains). For example, "reskit.com" would be the parent domain for "eu.reskit.com," a child domain.

Parent ObjectThe object that is the immediate superior of another object in a hierarchy. A parent object can have multiple subordinate, or child, objects. In Active Directory, the schema determines what objects can be parent objects of what other objects. Depending on its class, a parent object can be the child of another object.

PartitionA logical division of a hard disk. Partitions make it easier to organize information. Each partition can be formatted for a different file system. A partition must be completely contained on one physical disk, and the partition table in the Master Boot Record for a physical disk can contain up to four entries for partitions.

PermissionA rule associated with an object to regulate access to a particular object on the network. For example, a user may have read and write access to a file on the network.

PDCPrimary Domain ControllerThe first controller created in a domain and contains the primary storehouse for domain data.

Physical DesktopA physical computer, such as a conventional PC or blade, running a desktop or server operating system such as Windows XP, Windows Vista, or Windows Server 2003.

PlatformA platform is an underlying computer system on which application programs can run.

Plug-inA plug-in is a software module that adds functionality to a product.

PoliciesGeneral controls that enhance the security of an operating environment. In Windows 2000, policies affect restrictions on password use and rights assignment, and determine the events that will be recorded in the Security log.

667


POP3Post Office Protocol 3A standard mail server commonly used on the Internet. It provides a message store that holds incoming email until users log on and download it. POP3 is a simple system with little selectivity. All pending messages and attachments are downloaded at the same time. POP3 uses the SMTP messaging protocol.

ProcessAn operating system object that consists of an executable program, a set of virtual memory addresses, and one or more threads. When a program runs, a Windows 2000 process is created.

PropertyA property is an attribute of an object. Examples include a user's password, groups to which a user belongs, and a group's description.

QQuery

(noun) A statement that returns a set of values.(verb) The process of extracting information.

QueueA list of programs or tasks waiting for execution.

RRegistry

In Microsoft Windows systems, a database of information about a computer's configuration. The registry is organized in a hierarchical structure and consists of subtrees and their keys, hives, and entries.

ReplicationThe process of copying data from a data store or file system to multiple computers that store the same data for the purpose of synchronizing the data. In Windows 2000, replication of the directory service occurs through Active Directory replication, and replication of the file system occurs through the File Replication service.

RDP (remote desktop protocol)(from VMware glossary) A multichannel protocol that allows a user to connect to a computer remotely.

668

RootThe top-level in a hierarchically-organized set of information.

SSACL

System Access Control List A list that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.

ScalabilityRefers to how much a system can be expanded. The term by itself implies a positive capability. For example, the device is known for its scalability, means that it can be made to serve a larger number of users without breaking down or requiring major changes in procedure.

SchemaThe universe of objects that can be stored in the directory is defined in the schema. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it may have, and what object class can be a parent of the current object class.

ScriptA program or sequence of instructions that is interpreted by another program or application rather than by the computer processor.

Security PrincipalAn account-holder, such as a user, computer, or service. Each security principal within a Windows 2000 domain is identified by a unique security ID (SID). When a security principal logs on to a computer running Windows 2000, the Local Security Authority (LSA) authenticates the security principal's account name and password.

Security Principal NameA name that identifies a user, group, or computer within a single domain.

ServerA computer in a network shared by multiple users.

Share A folder or printer that can be accessed by users over a network.

669


SIDSecurity IdentifierA variable length value that uniquely identifies a security principal (such as a user or group). SIDs are used in security descriptors and access-control entries.

SMTPSimple Mail Transfer ProtocolThe standard email protocol on the Internet for sending email messages between servers.

SNMPSimple Network Management ProtocolA network management protocol installed with TCP/IP and widely used on TCP/IP and Internet Package Exchange (IPX) networks. SNMP transports management information and commands between a management program run by an administrator and the network management agent running on a host.

SubdomainA DNS domain located directly beneath another domain name (the parent domain) in the namespace tree. For example, "eu.reskit.com" is a subdomain of the domain "reskit.com."

TThin client

(from VMware glossary) A device that allows a user to access virtual desktops but requires little memory or disk drive space. Application software, data, and CPU power resides on a network computer and not on the client device.

ThreadA type of object within a process that runs program instructions. Using multiple threads allows concurrent operations within a process and enables one process to run different parts of its program on different processors simultaneously.

ThresholdA item that places limits or acceptable ranges of values on monitored conditions.

TimeoutWhat occurs when one computer fails to respond to another within a predetermined interval during a conversation.

670

TreeA set of Active Directory domains that share a common namespace and are connected by a transitive two-way trust.

UUniversal Group

A universal group can appear in access-control lists (ACLs) anywhere in the forest, and can contain other universal groups, global groups, and users from anywhere in the forest.

UNCUniversal Naming ConventionIn a network, it is used to identify a shared file in a computer without having to specify the specific storage device on which it is located. In Windows operating systems, the UNC can be used instead of the local naming system. The UNC name format is: \\servername\sharename\path\filename. The idea behind UNC is to provide a format so that each shared resource can be identified with a unique address.

VVA

Virtual administratorA virtual administrator is a trusted user who is granted one or more administrative rights to one or more virtual domains/OUs.

vWorkspaceSoftware for provisioning, managing, and delivering desktop workspaces from a central infrastructure. Provides automation of desktop management tasks such as auto-provisioning and power management of virtual computers. Also offers scalable and intelligent connection brokering capabilities, as well as multiple client connectivity options.

vWorkspace Management Console The vWorkspace Management Console provides management and administrative functions to vWorkspace administrators using a graphical user interface.

671


Virtual Desktop(From VMware glossary) A desktop operating system that runs on a virtual computer. A virtual desktop is indistinguishable from any other computer running the same operating system.

vWorkspace enabled desktop infrastructureA desktop infrastructure consisting of virtual and/or physical desktops, and managed using vWorkspace.

Virtual Domain A virtual domain/OU is a logical collection of the following items in any combination: domains, shares, local groups, global groups, users, services, devices, computers, printers, and other virtual domains/OUs.

Virtual MemoryThe space on the hard disk that Windows 2000 uses as memory. Because of virtual memory, the amount of memory taken from the perspective of a process can be much greater than the actual physical memory in the computer. The operating system does this in a way that is transparent to the application, by paging data that does not fit in physical memory to and from the disk at any given instant.

Virtual ServerIn a server cluster, a set of resources, including a Network Name resource and an IP address resource, that is contained by a resource group. To clients, a virtual server presents the appearance of a system that is running Windows NT Server or Windows 2000 Server.

VMAn acronym that denotes a virtual computer.

WWAN

Wide Area NetworkA computer network that connects computers across long distances.

672

INDEX

Aaccess control list

scheduling access hours for users 452

add computers toolabout 122Microsoft SCVMM 323Parallels Virtuozzo 369VMware 275

adding new locations 63additional components

about 228additional customizations

Resources node 441administration

about 21adding a new administrator 24editing settings 25removing an administrator 25setting permissions 25

Application Compatibility Enhancements (Redirect-IT)

about 214creating a file redirection rule 217creating a folder redirection

rule 218creating a registry redirection

rule 215how it works 214installing 215

application restrictions (Block-IT)about 7application restrictions server

groups 448assigning clients to the client

list 452hash checking 445how application restrictions

work 444path checking 445properties 446Resources node 444scheduling access hours for

users 452termination of applications 445unassigning clients to the access

control list 452

application restrictions listproperties 449

application restrictions server groups 448

AppPortalabout 388about desktop-integrated

mode 388actions menu 426configuring new connection 394configuring new RD Connection

Broker connection 303connectivity tab 399credentials tab 402desktop integration mode

options 431desktop integration tab 410display tab 403experience tab 407farm type tab 398local resources tab 405Microsoft RD Connection Broker

connection properties 412password management tab 409PNTray 430settings menu 428vWorkspace Connection Broker

connection properties 398App-V import wizard 49App-V node

about 46editing imported application

properties 51editing properties 48establishing server connections 47importing applications 49

Assign Load Balancing to Managed Applications 609

Ccertificate

Secure Gateway 497Clients node

about 39client types 40defining clients by device

address 42defining clients by device name 42defining clients by groups 41defining clients by organizational

unit 43defining clients by users 40

673


clone types SCVMM 322clone types VMware 275color schemes 457CompatibilityMode

about 652computer group wizard 109computer groups

add computers tool 122adding published applications 210adding to Microsoft Hyper-V 346adding to Microsoft SCVMM 318adding to Parallels Virtuozzo 366adding to VMware 270modifying properties 117ordering columns 118Parallels Virtuozzo 364properties 110property of other type 376resizing columns 118selecting columns 119session protocol RGS option 114task automation 120viewing logs 117viewing tasks 117

config.xmlabout 633location section 643

connect to an existing database 33Connection Brokers

adding a new Connection Broker 95load balancing 603node 94permissions 98properties 90removing 98

connection policiesabout 453defining properties 454

Control PanelPrint-IT applet 532

create a new database and DSN 32

Ddata centers

about non-power managed 376data collector service

about 158deferred authentication 392Desktops

modifying published applications 211

node 104

properties 90setting properties 104starting new applications 196terminologies 108

differencing disksabout 309

disk and memory persistence 259documentation

conventions xviiifeedback xx

drive mappings 457

Eenvironment variables 459EOP Multimedia Acceleration 171EOP Text Echo 169EOP Xtream

about 184client side timeout 189configuring 185

experience optimized protocolEOP Multimedia Acceleration 171EOP Text Echo (local text echo) 169graphics acceleration 176optimization settings 164overview 164

FFarm node 35feedback

document xxfields 564File & Registry Redirection node

about 55file redirection rule

creating 217flash redirection

defining in connection policies 172enabling in AppPortal 174enabling in Web Access 175EOP Multimedia Acceleration 171setting up 172

folder redirection rulecreating 218

GGINA chaining 645graphics acceleration

about 176defining in connection policies 180disabling by application 179enabling globally 178

674

enabling in AppPortal 182enabling in Web Access 183implementation 177registry settings 177setup 178

Hhash checking 445host restrictions

about 460creating 460

Hyper-V See Microsoft Hyper-V

Iinitialize computer

about 154common failures 155triggers 156

installationPerformance Optimization

(Max-IT) 613Internet Explorer Redirection 649

register 650unregister 650

Kkerberos credentials pass-through 9keystore

creating a VMware vCenter keystore 653

Llatency reduction 169licensing

about 25access in the Management

Console 26linked clones

VMware 254load balancing

about 602assigning load balancing to

servers 608counters 603guidelines 606how it works 603terminal servers 606

Load Balancing nodeabout 55

local text echo 169locations

about 62adding new locations 63deleting 90node options 62properties 90

Locations nodeabout 38

Mmanaged applications

overview 192properties 193session sharing 203

managed computer groupsdeleting 118publishing a managed desktop 204viewing 115

managed computersabout 121network interface card 123properties 122publishing an application 206session protocol RGS option 135viewing 152viewing logs 153viewing tasks 153

management serversadding network storage

servers 249adding virtualization servers 244management servers window 242

mandatory virtual user profilesabout 485assigning 485

Max-IT See Performance Optimization

media player redirectionEOP Multimedia Acceleration 171

MetaProfiles-IT See Virtual User Profiles

Microsoft Active Directory Group Policy settings

about 157Microsoft Hyper-V

about 340adding a host 340adding computer groups 346broker helper service 340computer group properties 344importing existing desktops 349

675


power management 351session protocol RGS option 346

Microsoft RD Connection Brokerabout 294add an RD Connection Broker 301AppPortal 303install 296RemoteApp Support 295

Microsoft SCVMMabout 308adding computer groups 318adding computers using the

standard clone method 323importing existing desktops 330monitoring the cloning process 332power management 336session protocol RGS option 318

module bindingabout 612

module rebasingabout 612

MSI Packagesabout 51adding a new package 52

multiple monitor support 395

Nnetwork interface card 123network storage servers

about 239adding servers 249implementation 241rapid provisioning 240requirements 241

non-power managed data centersabout 376adding a computer group 378adding computers 380power management 385properties 376session protocol RGS option 377

Ooptimized settings 164optional one-session-per-user within

a farm 392other servers

about 105adding 105permissions 106properties 106

other/physical typeabout 376 See non-power managed data

centers

PPackaged Applications node

about 46Parallels Virtuozzo

adding computer groups 366adding computers to a managed

computer group 369adding independent nodes 360computer groups 364importing existing desktops 371importing slave nodes 356power management 373session protocol RGS option 365

password reset serviceabout 228configuring 229

path checking 445Performance Optimization (Max-IT)

about 610how it works 611installing 613master policy settings 614setting the policy for specific

servers 621permissions

about 22setting 25user profiles properties 482

PNTrayabout 430Print-IT options 430

power managementMicrosoft Hyper-V 351Microsoft SCVMM 336non-power managed data

centers 385Parallels Virtuozzo 373VMware 290

Print-ITabout 514about the Control Panel applet 532about Universal Network Print

Server Extensions 534about Universal Network Print

Services 534adding network printers 536

676

adding printers to remote relay servers 541

assigning printers to clients 537assigning remote printers to

clients 544autocreating network printers 515componentsconfiguring remote site relay 538Control Panel applet properties 518importing remote printers 542network printer properties 546setting up Print-IT printers 535Universal Client Printer

Auto-Creation 517Universal Network Print Server

Extensions 535universal network printer

auto-creation 515Universal Print Driver 515Universal Print Relay Service for

Remote Sites 537universal printer properties 544viewing and editing network printer

properties 546viewing and editing universal

properties 544Print-IT properties

bandwidth tab 526compression tab 521general tab 518license tab 529logging tab 528naming tab 525notification tab 531PDF publisher tab 532server farm tab 530upgrade tab 527

progressive image display 177Proxy-IT

about 231configuring 232

publish contentabout 207

published applicationdeleting 212duplicating 212

QQuest vWorkspace

contacting support xxQuick Start Wizard

about 58

RRDP

vWorkspace remote computer sound 167

registry redirection rulecreating 215

registry settingsdeferred authentication 391optional one-session-per-user

within a farm 391registry tasks

about 461modifying 462

remote control sessionviewing from Computers tab 29viewing from User Sessions 28

Report 563Report Viewer Setup 563reprovision computers

SCVMM 309, 333VMware 257

Resources nodeabout 43about the Printers window 543additional customizations 441application restrictions 444color schemes 457connection policies 453drive mappings 457environment variables 459host restrictions 460modifying published

applications 212registry tasks 461scripts 464starting new applications 196time zones 466user policies 466wallpapers 469

RGScomputer group property 114managed computer property 135Microsoft Hyper-V session protocol

property 346Microsoft SCVMM session protocol

property 318non-power managed data centers

session protocol property 377Parallels Virtuozzo session protocol

property 365VMware session protocol

property 268

677


Sscripts

about 464assigning 465

SCVMMclone types 322

Secure Gatewayabout 496accessing by AppPortal and the

Web Access 509certificate 497configuring 499configuring AppPortal access 507configuring for both AppPortal and

Web Access access 510installing 497

Secure Sockets Layer Gateway See Secure Gateway

Sentillion Integrationabout 647

session sharingapplication 203

silosabout 479

storage serversabout 478special folder in user profiles 491

supportcontacting Quest vWorkspace xx

sysprep customizationabout 140alternative sysprep mode 140creating 142creating for unattend.xml 146importing sysprep.inf file 141

Ttask automation

about 120adding 120automated task wizard 120

TCP/IP portsrequirements 11

terminal serversadding 99adding permissions 103adding published applications 209assigning load balancing to

servers 608load balancing 606properties 90removing 104

server wizard 99setting properties 103viewing applications 440viewing processes 439viewing sessions 436viewing users connected 435

Terminal Servers nodeabout 98modifying published

applications 211starting new applications 196

terminal services enhancementsSecure Gateway (Secure-IT) 6

termination of applications 445time zones

assigning 466overview 466

UUniversal Client Printer

Auto-Creation 517Universal Network Print Server

Extensions 535adding network printers 536assigning printers to clients 537setting up Print-IT printers 535

Universal Network Printer Auto-Creation 515

Universal Print Driverabout 159

Universal Print Relay Service for Remote Sites 537

adding remote relay servers 541assigning remote printers to

clients 544configuring 538importing remote printers 542

unlock VMVMware 254

USB-ITabout 558configuring 559how it works 559

user policiesabout 466creating 467modifying 468viewing properties 467

user profile elementsproperties 487

User Profilesabout special folders 491

678

configuring properties 483defining a registry key 489defining special folders 492silo wizard 479

Vvas client 32 package 390vas client 32T package 390vas client 32TS package 391Virtual Desktop Extensions (PNTools)

about 158installing 160

Virtual IPabout 222adding a master range 224configuring 222configuring applications 226configuring virtual IP address

ranges 223enabling 222modifying address range

allocations 225virtual memory optimization

about 611benefits 612manually applying 624module binding 612module rebasing 612viewing results for a specific

session 623viewing results per application 623viewing session summary

information 623Virtual USB Hub Client

about 548client applet 549client components 549client services 552client system tray 552requirements 548

Virtual USB Hub Serverabout 553server applet 553server services 555server system tray 554

Virtual User Profilesabout registry elements 486about silos 479assigning mandatory user

profiles 485features and benefits 474how it works 475

mandatory user profiles 485overview 474properties 476storage servers 478

Virtual User Profiles (MetaProfiles-IT)about 8

virtualization server wizard 244virtualization servers

about 238adding connections 244

VMwareabout linked clones 254adding a virtualization server 262adding computer groups 270adding computers using the NetApp

FlexClone method 279adding computers using the

standard clone method 277adding computers using the

VMware linked clone method 282

clone types 275customizations 268datacenters 261disk and memory persistence 259importing existing desktops 287modifying keystore registry

entries 653monitoring the cloning process 290power management 290rapid provisioning 240session protocol RGS option 268unlock VM 254vCenter server keystore 653viewing keystore registry

entries 653virtualization server 261

vWorkspacebenefits 4remote desktop connection 167

vWorkspace Connectorabout 12AppPortal 388configuring 393executable files 391overview 388vas client 32 package 390vas client 32T package 390vas client 32TS package 391Web Access 389

vWorkspace databaseabout 5

679


vWorkspace Management Consoleabout 16administration 21Clients node 39connect to an existing database 33Connections Brokers node 94create a new database and DSN 32Farm node 35first time use 30icons 20Locations node 38menu options 19monitoring the cloning process for

SCVMM 332monitoring the cloning process for

VMware 290object nodes 34Packaged Applications node 46permissions 22Resources node 43Terminal Servers node 98viewing and editing network printer

properties 546viewing and editing universal

printer properties 544viewing client information for an

active session 438viewing terminal server

applications 440viewing terminal server

processes 439viewing terminal server

sessions 436viewing users connected to

terminal servers 435

Wwallpapers

about 469adding new wallpaper 470assigning 469changing properties 469

wizardsApp-V import 49automated task 120computer group 109Microsoft Hyper-V Host 340MSI Packages 52new locations 63server wizard 95silo 479sysprep customization 142

sysprep customization unattend.xml 146

task automation 120virtualization servers 244

workload managementabout 602

Wyse Thin OSabout 651configuration 651

680

vWorkspaceAdminGuide_72MR1

Documents

Transcript of vWorkspaceAdminGuide_72MR1