Vdm20 Intro


  • 7/21/2019 Vdm20 Intro


Introduction to Virtual Desktop Manager

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

    Introduction to Virtual Desktop Manager

    You can find the most up-to-date technical documentation on our Web site at

    http://www.vmware.com/support/

    The VMware Web site also provides the latest product updates.

    If you have comments about this documentation, submit your feedback to:

    [email protected]

2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, and 7,290,253; patents pending.

VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Revision: 20080527
Item: VDM-ENG-Q108-451

Contents

Introduction to Virtual Desktop Manager
    Introduction
    Features
    VDM Overview
    VDM User Authentication
    VDM Extended USB Device Redirection
    VDM Secure Access
    VDM Virtual Desktop Pool Management
    VDM High Availability and Scalability
    VDM Connection Server DMZ Deployment
VDM Connection Server Components
    VDM Broker
    VDM Secure Gateway Server
    VDM LDAP
    VDM Messaging
    VDM Security Server
Glossary

Introduction to Virtual Desktop Manager

Introduction

VMware Virtual Desktop Manager 2 (VDM) is a key component in the VMware Virtual Desktop Infrastructure (VDI) solution. VDM is an enterprise class virtual desktop manager that securely connects authorized users to centralized virtual desktops. It works with VMware Virtual Infrastructure 3 to provide a complete, end to end VDI solution that improves control and manageability and provides a familiar desktop experience.

The benefits of VDI with VDM include the following:

• Control and manageability in a single product. Administrators can more easily provision, manage, and maintain desktops because the desktops are running in the datacenter.

• Familiar end user experience. Users get flexible access to a personalized, virtual desktop that behaves just like their PC desktops.

• VMware Infrastructure 3 integration. VDI extends the benefits of VMware Infrastructure 3 to the desktop by leveraging the backup, failover, and disaster recovery capabilities of VMware Infrastructure 3.

• Lower total cost of ownership (TCO). By reducing administration and energy costs and extending the useful life of PCs, VDI delivers lower TCO.


    Features

The features of VDM in VDI include the following:

• Enterprise class connection brokering. VDM manages the connections between users and their virtual desktops. When users log in to VDM, the virtual desktops they are authorized to access appear. After connecting to a virtual desktop, users access their applications as if the applications are running locally.

• USB client device support. USB devices can be locally connected to clients and accessed through a virtual desktop.

• Web based management user interface. A Web based management console allows virtual desktops to be managed from any location.

• Smart pooling capabilities. A range of persistent and nonpersistent pooling capabilities simplifies the provisioning and management of centralized desktops.

• Secure access. Optional secure encapsulation capabilities allow all network connections to be encrypted.

• Integration with Microsoft Active Directory. Connection to Active Directory, which allows you to locate user and user group accounts and use the authentication features in Active Directory to control which users can access virtual desktops.

• Support for two factor authentication. With RSA SecurID, access control is strengthened.

• Seamless integration with VMware Virtual Infrastructure 3. Works closely with VMware VirtualCenter to provide advanced virtual desktop management capabilities, such as automatic suspend and resume, which reduces the memory and processing power required to host virtual desktops. By leveraging the capabilities of VMware Virtual Infrastructure 3, desktops can run even when server hardware fails and recover quickly from unplanned outages without duplicate hardware.

• Flexible deployment options. Critical components can be deployed in a variety of configurations and to different parts of the network, which improves security, scalability, and reliability. Multiple VirtualCenter servers are supported, and VDM can scale horizontally to support many virtual desktops.

• High availability. Servers can be clustered for high availability and scalability with automatic failover. These servers can also leverage industry standard load balancing solutions.


    VDM Overview

VDM includes the following key components:

• VDM Connection Server
• VDM Agent
• VDM Client
• VDM Web Access
• VDM Administrator


Figure 1 shows the physical topology of a VDI infrastructure with VDM and shows the relationship between the main VDM components.

Figure 1. Physical Topology of VMware VDI Infrastructure with VDM

[Figure: ESX Server hosts running virtual desktop VMs (each virtual machine runs a desktop OS, applications, and the VDM Agent); VDM Connection Server; VDM Administrator (browser); VirtualCenter Management Server; Microsoft Active Directory; on the client network, a Windows VDM Client, Mac VDM Web Access, Linux VDM Web Access, and a thin client.]


    VDM Connection Server

This component is the VDI connection broker that manages secure access to virtual desktops and works with VirtualCenter to provide advanced management capabilities. It is installed on a Microsoft Windows Server 2003 server that is part of an Active Directory domain.

VDM Connection Server is installed as one of the following instances:

• Standard. This instance appears in Figure 1. It provides standalone functionality and is used as the only VDM Connection Server (or the first of a group of VDM Connection Servers that act as part of a high availability, fully replicated group).

• Replica. This instance is installed as a second or subsequent VDM server in a high availability group. Configuration data is initialized from an existing VDM server and is automatically replicated between VDM group members.

• Security Server. This instance implements a subset of the VDM Connection Server functionality and is used in a demilitarized zone (DMZ) deployment. A VDM Security Server does not need to be in an Active Directory domain. The Standard and Replica instances automatically include the Security Server functionality.

The instance type is selected during VDM Connection Server installation.

High availability and DMZ deployments of VDM Connection Server using Replica and Security Server instances are described in VDM Connection Server DMZ Deployment.

Configuration data is stored in an embedded LDAP directory on each Standard and Replica instance.


    VDM Agent

This component runs on each virtual desktop and is used for session management and single sign on. With VDM Client, this component supports optional USB device redirection. This agent can be installed on a virtual machine template so that virtual desktops created from that template automatically include the VDM Agent.

Place virtual desktops in an Active Directory domain that is one of the following:

• The same domain to which the VDM Connection Servers are joined
• A domain with a trust agreement with the VDM Connection Server domain

When users connect to their virtual desktops, they are automatically logged in using the same credentials they use to log in to their domain. The single sign on capability can be disabled in VDM Agent, which means that users are always required to log on to the virtual desktop manually. If the virtual desktop is not part of a domain or is part of a domain with which no trust agreement exists, single sign on is not available, and the user must manually log in to the virtual desktop.

VDM Client

This component runs on a Windows PC as a native Windows application and allows users to connect to their virtual desktops through VDM. This component connects to a VDM Connection Server and allows the user to log on using any of the supported authentication mechanisms. After logging in, users can select from the list of virtual desktops for which they are authorized. This step provides remote access to their virtual desktop and provides users with a familiar desktop experience.

VDM Client also works closely with VDM Agent to provide enhanced USB support. Basic USB support (such as USB drives and USB printers) is supported without VDM USB support, but VDM extends this support to include additional USB devices. You can specify VDM USB support in VDM Client during the installation.

    VDM Web Access

This component is similar to VDM Client but provides a VDM user interface through a Web browser. VDM Web Access is included automatically during the VDM Connection Server installation. VDM Web Access is supported on Linux and Mac OS/X, but this Web access does not support VDM USB extensions. All necessary VDM software is installed automatically on the client through the Web browser. VDM Web Access on Linux uses rdesktop and on Mac OS/X uses Microsoft Remote Desktop Connection Client for Mac.


VDM Web Access can also be used on a Windows client with VDM Client. A user obtains the required software on their client device by accessing a VDM Connection Server with a Web browser. If the VDM Client software is installed with USB support by a user with administrative rights, VDM Web Access on Windows has complete VDM USB support.

    VDM Administrator

This component provides VDM administration through a Web browser. It is used by VDM administrators to do the following:

• Make configuration settings
• Manage virtual desktops and entitlements of desktops of Windows users and groups

VDM Administrator also provides an interface to monitor log events on a VDM Server and is installed with VDM Connection Server. For more information about the VDM Connection Server components and their relationship with other VDM components, see VDM Connection Server Components.

    VDM User Authentication

Users need to log in to VDM first in order to prove their identity and to gain access to their virtual desktops. Normally, they do this by entering their Windows credentials at the login prompt.

As an added level of security, VDM can be configured to require RSA SecurID authentication. This requires the use of a SecurID token for each user. As part of the login process, users must enter their SecurID usernames together with their SecurID PINs and token codes. After successful verification of the SecurID details entered, users are prompted for their Windows credentials.

    Active Directory Authentication

Each VDM Connection Server must be joined to an Active Directory domain. This allows user authentication for VDM against Active Directory for the joined domain and for additional user domains with which a trust agreement exists. For example, if VDM Connection Server is a member of Domain A, and a trust agreement exists between Domain A and Domain B, users from either domain can log in to VDM.


By authenticating users against an existing Active Directory, an organization can simplify the operational management of VDM by ensuring that the management of user accounts is handled in one place. If a user account is disabled in Active Directory, that user cannot log in to VDM. Policies, such as restricting permitted hours of login and the expiration date for passwords, are also handled through existing Active Directory operational procedures.

    RSA SecurID Authentication

VDM is certified through the RSA SecurID Ready program to operate with RSA SecurID authentication technology. Individual VDM Connection Servers can be enabled for RSA SecurID authentication. Users who access a VDM Connection Server that is enabled for RSA SecurID authentication are prompted for their RSA SecurID usernames and passcodes (PINs and token codes). After authenticating against an RSA Authentication Manager, users can continue to log in.

Using RSA SecurID provides enhanced security with two factor authentication. This requires knowledge of the user's PIN and token code, which is only available on the physical SecurID token. As required for RSA SecurID certification, VDM supports the full range of SecurID capabilities, including New PIN Mode, Next Token Code Mode, RSA Authentication Manager load balancing, and so on.


Figure 2 shows the physical topology diagram for VDM with an additional server used to authenticate RSA SecurID users. The RSA Authentication Manager is shown as a single server, but for high availability deployments, you need multiple servers.

Figure 2. VDM RSA SecurID Authentication with RSA Authentication Manager

[Figure: ESX Server hosts running virtual desktop virtual machines; VirtualCenter Management Server; Microsoft Active Directory; VDM Connection Server; RSA Authentication Manager; VDM Administrator; client on the network.]

When users enter their RSA SecurID credentials, VDM Connection Server communicates with RSA Authentication Manager to verify the information. After the credentials are verified, VDM Connection Server requests Active Directory domain credentials from the user and communicates with Active Directory to continue the authentication process.

VDM Extended USB Device Redirection

VDM allows the redirection of a variety of locally attached USB devices for software that runs on a user's virtual desktop. Suitable devices, when attached, can be selected from a dynamic drop down menu in VDM Client. Devices attached after the virtual desktop session starts will appear in the menu and are available for redirection after being initialized.


Some devices, such as printers, local USB flash drives, and smart cards, can be forwarded to the virtual desktop using standard Microsoft Remote Desktop Protocol (RDP). But VDM Client USB redirection extends the range of usable devices and the functionality of some devices beyond that provided by RDP. For example, sound can be brought to the local machine using RDP, but disabling this feature and using VDM USB redirection allows you to use VoIP devices.

VDM USB redirection is initiated after the user is authenticated. Because of this, smart card forwarding is limited to RDP functionality so that smart cards can be used to authenticate the virtual desktop session. As a result, these devices do not appear in the VDM Client devices menu. Human interface devices (HIDs), such as a keyboard or a mouse, are also filtered from the USB device list because these devices are required locally and function without being forwarded or redirected.

RDP forwarding and VDM USB redirection can be governed through Active Directory Group Policy and VDM Administrator. Using VDM USB redirection requires VDM Client, VDM Agent, and the user to have administration rights on the VDM Client and the VDM Agent operating systems.
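The device-menu rules described above (redirection only after authentication, smart cards and HIDs kept out of the menu, hot-plugged devices listed once initialized), as an added Python model written for this page rather than VMware's VDM Client code. The USB interface class codes are the standard USB-IF values; which classes VDM filters beyond HIDs and smart cards is not stated on the page, so the filter set is an assumption.

```python
"""USB redirection device-menu rules as the page describes them.

Added illustration, not VMware's code. It models three behaviours from the
text: no redirection before the user is authenticated, smart cards and human
interface devices are kept out of the menu, and hot-plugged devices appear
only once initialized. The exact class list VDM filters is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

USB_CLASS_AUDIO = 0x01          # e.g. a USB VoIP headset
USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08   # USB flash drives
USB_CLASS_SMART_CARD = 0x0B     # CCID smart card readers

# Kept out of the VDM redirection menu: HIDs are needed locally, and smart
# cards stay on RDP forwarding so they can authenticate the session itself.
LOCAL_ONLY: Dict[int, str] = {
    USB_CLASS_HID: "human interface device, required locally",
    USB_CLASS_SMART_CARD: "smart card, limited to RDP forwarding",
}


@dataclass
class UsbDevice:
    name: str
    interface_class: int
    initialized: bool = True    # False while a hot-plugged device enumerates


class UsbRedirectionSession:
    """Tracks one client session's authentication state and attached devices."""

    def __init__(self) -> None:
        self.authenticated = False
        self.devices: List[UsbDevice] = []
        self.redirected: List[str] = []

    def authenticate(self) -> None:
        # VDM USB redirection is initiated only after the user is authenticated.
        self.authenticated = True

    def attach(self, device: UsbDevice) -> None:
        self.devices.append(device)

    def finish_init(self, name: str) -> None:
        # The device finished enumerating; it may now show in the menu.
        for d in self.devices:
            if d.name == name:
                d.initialized = True

    def menu(self) -> List[str]:
        """Names offered in the dynamic drop-down menu of the client."""
        if not self.authenticated:
            return []
        return [
            d.name
            for d in self.devices
            if d.initialized and d.interface_class not in LOCAL_ONLY
        ]

    def redirect(self, name: str) -> Tuple[bool, str]:
        """Attempt to redirect a device; returns (ok, reason)."""
        if not self.authenticated:
            return False, "user not authenticated"
        for d in self.devices:
            if d.name != name:
                continue
            if d.interface_class in LOCAL_ONLY:
                return False, LOCAL_ONLY[d.interface_class]
            if not d.initialized:
                return False, "device not yet initialized"
            self.redirected.append(name)
            return True, "redirected to virtual desktop"
        return False, "no such device"


def demo() -> Dict[str, object]:
    """Constructed walkthrough: a keyboard, a card reader, a headset, a drive."""
    s = UsbRedirectionSession()
    s.attach(UsbDevice("Keyboard", USB_CLASS_HID))
    s.attach(UsbDevice("Smart card reader", USB_CLASS_SMART_CARD))
    s.attach(UsbDevice("VoIP headset", USB_CLASS_AUDIO))
    before_auth = s.menu()
    s.authenticate()
    after_auth = s.menu()
    # Hot-plug a flash drive after the session has started.
    s.attach(UsbDevice("Flash drive", USB_CLASS_MASS_STORAGE, initialized=False))
    hotplug_pending = s.menu()
    s.finish_init("Flash drive")
    hotplug_ready = s.menu()
    return {
        "before_auth": before_auth,
        "after_auth": after_auth,
        "hotplug_pending": hotplug_pending,
        "hotplug_ready": hotplug_ready,
        "reader": s.redirect("Smart card reader"),
        "headset": s.redirect("VoIP headset"),
    }
```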

    VDM Secure Access

VDM Connection Server with VDM Client and VDM Web Access provides security for the desktop protocols between the client device and the VDM Connection Server. VDM encapsulates all protocols, such as the extended RDP, in an HTTPS connection, which offers the following advantages:

• The RDP protocol is tunneled through HTTPS and is encrypted using SSL. This is a powerful security protocol and is consistent with the security provided by other secure Web sites like those used for online banking, credit card payments, and so on.

• One HTTPS connection is used for all client server communication. Multiple desktop connections are multiplexed over this HTTPS connection, which reduces the overall protocol overheads.

• VDM controls both ends of this HTTPS connection, so the reliability of the underlying protocols is significantly improved. If a user temporarily loses a network connection, after it is restored, the HTTPS connection is reestablished and the RDP connections automatically resume without having to reconnect and log in again.


• VDM is accessed using standard Web protocols, so it can be easily accessed through corporate proxies. In a standard deployment of just VDM Connection Servers, the HTTPS secure connection terminates at the VDM Connection Server and, in a DMZ deployment, at the VDM Security Server. See VDM Connection Server DMZ Deployment.

VDM Connection Server can be configured to not use a secure connection, so that RDP communication is direct from the client device to the virtual desktop.

    VDM Virtual Desktop Pool Management

VDM includes integrated virtual desktop pool management capabilities that leverage the control provided by VirtualCenter to provision and manage the virtual desktops.

VDM provides the following types of desktops:

• Individual desktops. These are existing virtual desktops that are available through VDM. The pool manager can control the power state of these virtual desktops.

• Persistent desktop pool. This type is a pool of virtual desktops whose lifecycle and power state is controlled by the pool manager. Persistent virtual desktops are assigned to their user on the first use, so the user returns each time to the same virtual desktop. This type of pool is used when users want to customize their desktops by installing additional applications and storing local data.

• Nonpersistent desktop pool. Similar to a persistent desktop pool, except in this case the virtual desktops are not permanently assigned to users. When a session is finished, the virtual desktop is returned to the pool and made available for other users. By deleting the virtual desktops after each use, this type of pool ensures that each user receives a newly provisioned virtual desktop each time the user connects (optional). Use this type of pool where a clean machine is needed for each user session or in highly controlled environments that have no requirement for customization to be stored on the virtual desktop.


Both types of desktop pool are sized using the following parameters:

• Minimum. The minimum number of virtual desktops to be created when the pool is first created. The pool manager continues to create virtual desktops until this minimum count is reached. This process ensures that a pool is appropriately sized when a user population is moved to VDM.

• Maximum. The maximum number of virtual desktops that can exist in the pool. Use this parameter to limit the number of virtual desktops in the pool to avoid overusing available resources.

• Available. The number of virtual desktops that are available for immediate use. For persistent pools, this parameter relates only to the unassigned virtual desktops. This is used to ensure that the pool manager creates enough virtual desktops in advance to cope with demand. Use a higher number for more volatile environments.

When a pool contains too few virtual desktops, the manager provisions new virtual desktops from a designated template. These virtual desktops can also be automatically customized (for example, named and made part of an Active Directory domain) or be left for an administrator to manually configure.

Power management is applied to all virtual desktops under VDM control, and the following policies are supported:

• Remain on. After being started, VDM does not power the machine down. If a virtual desktop is powered down, for example using the VirtualCenter client, VDM automatically starts it when it is needed.

• Always powered on. VDM ensures that any virtual desktop with this policy applied is powered on all the time. If a virtual desktop is powered down, VDM immediately powers it up again.

• Suspend when not in use. If a virtual desktop is not required, it is suspended. This policy is applied to individual and assigned persistent virtual desktops when the user logs off. It is also applied to nonpersistent virtual desktops when there are too many available virtual desktops. For example, this can be triggered by a virtual desktop being returned to the pool when a user logs out.


• Power off when not in use. If a virtual desktop is not required, it is powered off. This is just like the Suspend when not in use policy, except that the virtual desktop is completely powered off.

VDM supports individual and pooled desktops on multiple VirtualCenter instances. A pool cannot span VirtualCenters, but VDM can manage multiple pools across multiple VirtualCenters. VDM limits the number of provisioning and power operations that can be concurrently active for each VirtualCenter to ensure that the rate of operations is not excessive. These limits are applied across all pools and desktops for each VirtualCenter. In a multibroker environment, the VDM Connection Servers cooperate with each other to enforce these limits and to perform the pool management operations.
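The sizing parameters, the per-VirtualCenter operation limit, and the four power policies from the pool management section, as an added Python model written for this page (not VMware's pool manager code). The event names, the pool data structures, and the way the concurrency cap is spread across pools are assumptions of the example.

```python
"""Pool sizing and power policy decisions as described for VDM pools.

Added illustration for this page, not VMware's pool manager code. It models
how Minimum, Maximum and Available decide whether desktops must be cloned
from the template, how a per-VirtualCenter concurrency cap limits that work,
and which power operation each policy produces for a desktop event. Event
names and data structures are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

PERSISTENT = "persistent"
NONPERSISTENT = "nonpersistent"


@dataclass
class Desktop:
    name: str
    power: str = "on"                   # "on", "suspended" or "off"
    assigned_to: Optional[str] = None   # persistent pools: owner after first use
    in_use: bool = False


@dataclass
class Pool:
    kind: str
    minimum: int
    maximum: int
    available: int                      # desktops to keep ready for immediate use
    desktops: List[Desktop] = field(default_factory=list)

    def ready(self) -> List[Desktop]:
        """Desktops that count towards Available; for persistent pools only
        unassigned desktops count, as the page states."""
        candidates = self.desktops
        if self.kind == PERSISTENT:
            candidates = [d for d in candidates if d.assigned_to is None]
        return [d for d in candidates if not d.in_use]


def desktops_to_provision(pool: Pool) -> int:
    """Number of desktops the manager should clone from the template now."""
    total = len(pool.desktops)
    need = max(0, pool.minimum - total)                    # fill up to Minimum
    need = max(need, pool.available - len(pool.ready()))   # keep Available ready
    return max(0, min(need, pool.maximum - total))         # never exceed Maximum


def schedule(pools: List[Pool], vc_limit: int) -> List[int]:
    """Spread one VirtualCenter's concurrency limit across the pools that
    share it, in order; leftover work waits for the next pass (assumption)."""
    plan = []
    budget = vc_limit
    for p in pools:
        n = min(desktops_to_provision(p), budget)
        plan.append(n)
        budget -= n
    return plan


def power_action(policy: str, pool: Optional[Pool], desktop: Desktop, event: str) -> str:
    """Power operation for one desktop event under a policy.

    events: "needed" (a user wants the desktop), "powered_down" (someone
    powered it off, e.g. in the VirtualCenter client), "logoff".
    pool is None for an individual desktop.
    """
    if event == "needed" and desktop.power != "on":
        return "power_on"               # every policy starts a needed desktop
    if policy == "remain_on":
        return "none"                   # left as it is until needed again
    if policy == "always_on":
        return "power_on" if event == "powered_down" else "none"
    if policy == "suspend_when_not_in_use":
        idle_op = "suspend"
    elif policy == "power_off_when_not_in_use":
        idle_op = "power_off"
    else:
        raise ValueError("unknown policy: " + policy)
    if event != "logoff":
        return "none"
    if pool is None or (pool.kind == PERSISTENT and desktop.assigned_to):
        return idle_op                  # individual or assigned persistent desktop
    if pool.kind == NONPERSISTENT and len(pool.ready()) > pool.available:
        return idle_op                  # returned to a pool with too many available
    return "none"
```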

    VDM High Availability and Scalability

To support high availability and scalability requirements, VDM Connection Server can be deployed using multiple VDM Connection Servers. The first VDM Connection Server to be deployed is installed as a Standard instance. In this case, a new instance of the LDAP directory is installed and the VDM Connection Server supports full functionality using its local LDAP directory. To extend the environment, a second server can be installed as a Replica instance. During this installation, the user references an existing VDM Connection Server and the Replica instance is joined to the Standard instance to form a VDM Connection Server group. The LDAP VDM configuration data from the Standard instance is copied to the Replica instance. A two way replication agreement is established so that VDM configuration changes on either server are automatically and immediately made on the other.

Both servers offer identical functionality and in the event of server failure, the other server can continue to operate alone. When the failed server resumes, any changed LDAP VDM configuration data is reflected on the resumed server so that both servers remain up to date. Adding a third and subsequent VDM Connection Servers to the group is done by installing additional Replica instances. During the Replica instance installation, the user can reference any existing group member to join the new server to the group.

After installation, no differences exist between a Replica instance and a Standard instance. If the first Standard instance is decommissioned, additional Replicas can be added to the group by referencing any active VDM Connection Server in the group. All VDM configuration data can be backed up by backing up the LDAP directory instance.


Figure 3 shows two VDM Connection Servers operating as a group. To automatically use both VDM Connection Servers and support high availability and scalability needs, deploy load balancing. This ensures that load is balanced evenly across the available VDM Connection Servers and that failed servers are automatically avoided. VDM Connection Server does not provide load balancing functionality but works with standard third party load balancing solutions.

Figure 3. Multiple VDM Connection Servers

[Figure: a client on the network reaches load balancing in front of the VDM Connection Servers; VirtualCenter Management Server; Microsoft Active Directory; ESX Server hosts running virtual desktop virtual machines.]


The load balancing requirements for VDM Connection Server are to support standard HTTP and HTTPS load balancing with session affinity. Load balancing solutions for VDM Connection Server can include Microsoft Network Load Balancing (NLB), standard hardware based load balancers, or virtual appliance load balancers that can operate on ESX Server.

Users in a load balanced VDM Connection Server environment use a load balanced URL to make the connection. This is an alias URL used by the load balancer to direct the connection to any of the available VDM Connection Servers in the group.

    VDM Connection Server DMZ Deployment

In secure environments, particularly when VDM is being accessed from an insecure network such as the Internet, it is common practice to deploy servers in a DMZ.

VDM Connection Server functionality is split between servers in the secure network and the DMZ. VDM Connection Servers that operate in a DMZ are known as VDM Security Servers and are installed using the VDM Connection Server installer and specifying a Security Server instance type. VDM Security Servers in the DMZ operate with VDM Connection Servers (Standard or Replica) in the secure network.


Figure 4 shows a high availability environment comprising two load balanced VDM Security Servers in the DMZ working with two full VDM Connection Servers (Standard and Replica instance) in the secure network.

Figure 4. DMZ Deployment with Multiple VDM Connection Servers

[Figure: a remote client on the external network reaches load balancing in front of the VDM Security Servers in the DMZ; the Security Servers connect to load balanced VDM Connection Servers in the secure network; VirtualCenter Management Server; Microsoft Active Directory; ESX Server hosts running virtual desktop virtual machines.]


VDM Security Servers do not contain an LDAP configuration repository and do not access any authentication repositories (Active Directory or RSA Authentication Manager). When remote users connect using a VDM Security Server, they must successfully authenticate before a secure connection is established. This means they cannot attempt to access any virtual desktops until they are successfully authenticated. With appropriate firewall rules on both sides of the DMZ, this type of deployment is suitable for accessing virtual desktops from Internet located client devices.

To support remote VDM Client and VDM Web Access connecting to the environment using HTTPS from an external network, the only TCP port that must be allowed in the DMZ is the HTTPS port (TCP port 443). VDM Security Servers do not need to be part of an Active Directory domain, and no communication occurs between VDM Security Servers and Active Directory.

Although Figure 4 shows a one to one relationship between VDM Security Servers and VDM Connection Servers, multiple VDM Security Servers can be connected to each VDM Connection Server. A DMZ deployment can be combined with a standard deployment to offer VDM access for internal users and external users.

Figure 5 shows a more complex environment where four VDM Connection Servers act as one group with the servers in the internal network dedicated to the users of that network, and the servers in the external network dedicated to users of that network. The servers on the right can be enabled for RSA SecurID authentication, so that all external network users are required to authenticate using RSA SecurID tokens.


Figure 5. DMZ Deployment with Internal Network Access

[Figure: a client on the internal network reaches load balancing in front of one pair of VDM Connection Servers; a remote client on the external network reaches load balancing in front of the VDM Security Servers in the DMZ, which connect to the other pair of VDM Connection Servers; VirtualCenter Management Server; Microsoft Active Directory; ESX Server hosts running virtual desktop virtual machines.]


    VDM Connection Server Components

Figure 6 shows the VDM Connection Server components and their relationship with the other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:

• JMS: 4001
• HTTP: 80
• HTTPS: 443
• RDP: 3389
• SOAP: 80 or 443


Figure 6. VDM Components

[Figure: the VDM Connection Server contains VDM Messaging, VDM Secure GW Server, VDM Broker & Admin Server, and VDM LDAP. The VDM Administrator Admin Console (browser) connects to the Broker & Admin Server over HTTP(S). The Windows Client (VDM Client with RDP client), the Linux and Mac Client (VDM Secure GW Client, browser, RDP client), and the Thin Client (thin client operating system with RDP) connect to the VDM Secure GW Server over HTTP(S), carrying RDP. The Secure GW Server forwards RDP to the Virtual Desktop VM, which runs the VDM Agent; VDM Messaging and the VDM Agent communicate over JMS. The Broker communicates with the VirtualCenter Server over SOAP.]


    VDM Broker

VDM Broker is the core of VDM Connection Server. It is responsible for all user interaction between the client (VDM Client, VDM Web Access, and Thin Client) and the VDM Connection Server.

VDM Broker provides the following:

• User authentication
• User desktop entitlements with VDM LDAP
• Virtual desktop session management
• Coordination of the secure connection establishment, virtual desktop connection, and single sign on
• Administration server used by VDM Administrator Web client
• Virtual desktop pool management

VDM Broker operates closely with VirtualCenter to provide advanced management of virtual desktops. This includes virtual desktop creation as part of pool management and power operations, such as automatic suspend and resume.

    VDM Secure Gateway Server

VDM Secure Gateway Server provides the server-side component for the secure HTTPS connection between the VDM Client (or VDM Secure Gateway Client) and the VDM Connection Server. After the user is authenticated, a secure HTTPS connection is established between the client and the VDM Connection Server. For a Windows client, this connection is initiated by the native Windows VDM Client. On Linux or Mac OS X, it is initiated by the Java VDM Secure Gateway Client using Java Web Start technology. After this secure connection is established, virtual desktop protocols (RDP) can securely and reliably connect.

When the VDM Secure Gateway Server sees an incoming RDP connection through the HTTPS connection, it forwards this connection to the appropriate virtual desktop. To ensure that all virtual desktops are only accessed through VDM Connection Server, firewall rules can be applied to each virtual desktop so that all RDP connections originate from a VDM Connection Server. This way, direct access to virtual desktops bypassing VDM Connection Server is not possible because VDM Connection Server acts as gatekeeper for all virtual desktop access. Note that this guarantee is only as strong as the per-desktop firewall rules: any other host that is permitted to reach TCP 3389 on a desktop can bypass the gateway. With VDM 2.1 and newer, the VDM Agent can be configured so that direct incoming RDP connections to virtual desktops are not allowed. This ensures that all remote access to virtual desktops must pass through a VDM Connection Server.


VDM Secure Gateway Server is also responsible for forwarding other Web traffic (such as authentication traffic, user desktop selection traffic, and so on) from the VDM clients to the VDM Broker. VDM Administrator Web traffic is passed by VDM Secure Gateway Server to the VDM Broker.

    VDM LDAP

VDM LDAP is an embedded LDAP directory on each VDM Connection Server Standard and Replica instance. It is used as the configuration repository for all VDM configuration data. VDM LDAP for Windows Server 2003 uses Microsoft Active Directory Application Mode (ADAM). This is an embedded LDAP directory bundled with VDM. It installs the following components that are appropriate for VDM:

Specific VDM schema definitions
Directory information tree (DIT) definitions
Access control lists (ACLs)

VDM LDAP also includes a set of VDM plug-in DLLs to provide automation and notification services for other VDM components.

VDM LDAP contains entries to represent the following configuration items:

Virtual desktop entries that represent each accessible virtual desktop. Each contains references to Foreign Security Principal entries of the Windows users and Windows user groups in Active Directory who are authorized to use this desktop.
Virtual Desktop Pool entries that represent multiple virtual desktops managed together
Virtual machine entries that represent each virtual desktop
VDM component configuration entries used to store configuration settings
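The entitlement model these entries describe (a desktop entry referencing the Foreign Security Principal SIDs of entitled users and groups), worked through as an added example that is not part of the original document and not VDM's own code. The directory content is a constructed in-memory sample; every SID, user name, group name and desktop name is hypothetical. It resolves nested group membership the way an authorization check over SIDs has to, and also reports desktop entries that still reference principals no longer present in Active Directory, a stale-entitlement condition worth auditing in any broker that stores entitlements by SID reference.

```python
"""Entitlement resolution as the VDM LDAP desktop entries model it.

A desktop entry carries references to Foreign Security Principal (FSP)
entries, i.e. the Active Directory SIDs of the users and groups entitled to
the desktop. A user is entitled when her own SID, or the SID of a group she
belongs to directly or through nested groups, is referenced by the entry.
Added example, not VDM code; all data below is constructed and hypothetical.
"""

# Constructed stand-in for Active Directory:
# SID -> (name, kind, SIDs of the groups this principal is a direct member of)
AD = {
    "S-1-5-21-1-1-1-1101": ("alice", "user", {"S-1-5-21-1-1-1-2001"}),
    "S-1-5-21-1-1-1-1102": ("bob", "user", {"S-1-5-21-1-1-1-2002"}),
    "S-1-5-21-1-1-1-1103": ("carol", "user", set()),
    "S-1-5-21-1-1-1-2001": ("Finance", "group", {"S-1-5-21-1-1-1-2003"}),    # nested in VDI-Users
    "S-1-5-21-1-1-1-2002": ("Engineering", "group", set()),
    "S-1-5-21-1-1-1-2003": ("VDI-Users", "group", {"S-1-5-21-1-1-1-2001"}),  # cycle: walk must cope
}

# Constructed stand-in for the VDM LDAP desktop entries: desktop -> FSP SIDs it references
DESKTOPS = {
    "finance-01": {"S-1-5-21-1-1-1-2003"},  # entitled through the VDI-Users group
    "eng-pool": {"S-1-5-21-1-1-1-2002"},    # entitled through the Engineering group
    "carol-vm": {"S-1-5-21-1-1-1-1103"},    # entitled to a single user
    "old-vm": {"S-1-5-21-1-1-1-9999"},      # references a principal that no longer exists
}


def token_sids(user_sid, directory=AD):
    """The user's SID plus every group SID reachable through nested membership (cycle-safe)."""
    seen, stack = set(), [user_sid]
    while stack:
        sid = stack.pop()
        if sid in seen or sid not in directory:
            continue
        seen.add(sid)
        stack.extend(directory[sid][2])
    return seen


def entitled(user_sid, desktop, desktops=DESKTOPS, directory=AD):
    """True if any SID in the user's token is referenced by the desktop entry."""
    return not token_sids(user_sid, directory).isdisjoint(desktops[desktop])


def entitled_users(desktop, desktops=DESKTOPS, directory=AD):
    """Audit view: names of every user who can reach the desktop, however indirectly."""
    return sorted(name for sid, (name, kind, _) in directory.items()
                  if kind == "user" and entitled(sid, desktop, desktops, directory))


def orphaned_fsps(desktops=DESKTOPS, directory=AD):
    """Desktop entries that still reference SIDs with no principal in AD (stale entitlements)."""
    return {d: sorted(s for s in sids if s not in directory)
            for d, sids in desktops.items() if any(s not in directory for s in sids)}


if __name__ == "__main__":
    for d in DESKTOPS:
        print(d, entitled_users(d))
    print("orphaned FSP references:", orphaned_fsps())
```

Because the desktop entry stores only SID references, a group deleted and re-created in Active Directory gets a new SID and silently loses its entitlement; the `orphaned_fsps` check is how that shows up.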

When a Standard instance is installed during VDM Connection Server installation, a new, local standalone ADAM instance is created. The schema definitions, DIT definition, ACLs, and so on are loaded and initial data is added. Configuration data in VDM LDAP is mainly maintained from VDM Administrator, although VDM Broker also manages some parts automatically.


When a VDM Connection Server Replica instance is installed, an ADAM instance is also created locally, but the initial data is retrieved from an existing instance. This means that the initial data is a copy of an existing instance that includes all configuration settings. During a Replica instance installation, a replication agreement is set up so that all VDM Connection Servers in the group share the same configuration data. LDAP changes on any server are replicated to all other servers. This replication functionality is provided by ADAM, which uses the same replication technology as Active Directory.

    VDM Messaging

This component provides the messaging router for communication between VDM Connection Server components and between VDM Agent and VDM Connection Server. It supports the Java Message Service (JMS) API, which is used for messaging in VDM.

    VDM Security Server

VDM Security Server is an instance type that is selected when VDM Connection Server is installed. It has a subset of the functionality of a full VDM Connection Server and is used in a DMZ deployment. Figure 7 shows a VDM Security Server and its relationship with all other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:

JMS 4001
AJP13 8009
HTTP 80
HTTPS 443
RDP 3389
SOAP 80 or 443


Figure 7. VDM Component Diagram with Security Server

[Figure: as Figure 6, with a VDM Security Server (running its own VDM Secure GW Server) placed between the Windows Client, Linux and Mac Client, and Thin Client and the VDM Connection Server. Clients reach the Security Server over HTTP(S); the Security Server communicates with the Connection Server over JMS and AJP13 and forwards RDP to the Virtual Desktop VM (VDM Agent). The VDM Administrator (Admin Console in a browser) reaches the VDM Broker & Admin Server over HTTP(S); VDM Messaging and VDM LDAP sit on the Connection Server; the Connection Server communicates with VirtualCenter Server (VirtualCenter) over SOAP.]

For more information about VDM deployment within a DMZ, see VDM Connection Server DMZ Deployment.
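A check a practitioner would want for the layout in Figures 6 and 7 and the two port tables: an audit that confirms the firewall policy exposes exactly the connectivity the components need, and in particular that no host other than a Secure Gateway host can open RDP to a desktop, which is the bypass the Secure Gateway Server section warns about. This is an added example, not VDM code or a VMware-supplied configuration. Zone addresses, the rule lists and the representative probe hosts are constructed; the required-connectivity set is read off the figures under three stated assumptions: RDP from external clients rides inside the HTTPS tunnel to the Security Server, the VDM Agent initiates the JMS connection to the Connection Server, and SOAP to VirtualCenter uses 443 rather than 80. Figure 7 shows the Security Server's Secure Gateway forwarding RDP to the desktop, so Security Servers count as permitted RDP sources alongside Connection Servers.

```python
"""Firewall policy audit for the VDM component layout (added example, not VDM code).

Evaluates allow rules (default deny) against the connectivity the architecture
requires on the default TCP ports, and reports:
  missing   - required flows the policy blocks (the deployment will not work)
  excessive - flows the policy permits that no component needs (attack surface)
plus the specific bypass of interest: zones that can reach a desktop on RDP
without passing through a Secure Gateway host. All addresses are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

JMS, HTTP, HTTPS, RDP, AJP13 = 4001, 80, 443, 3389, 8009
PORTS = (HTTP, HTTPS, RDP, JMS, AJP13)

# zone -> (network the rules refer to, one representative host used for probing); constructed
ZONES = {
    "internet": ("198.51.100.0/24", "198.51.100.77"),   # stand-in for external sources
    "security_server": ("192.0.2.10/32", "192.0.2.10"),  # DMZ
    "connection_server": ("10.0.1.0/24", "10.0.1.10"),
    "virtualcenter": ("10.0.2.50/32", "10.0.2.50"),
    "internal_client": ("10.0.50.0/24", "10.0.50.23"),
    "desktop": ("10.0.20.0/22", "10.0.21.5"),
}

# (source zone, destination zone, port) flows the figures require; assumptions noted in the lead-in
REQUIRED = {
    ("internet", "security_server", HTTP), ("internet", "security_server", HTTPS),
    ("security_server", "connection_server", JMS), ("security_server", "connection_server", AJP13),
    ("security_server", "desktop", RDP),
    ("internal_client", "connection_server", HTTP), ("internal_client", "connection_server", HTTPS),
    ("connection_server", "desktop", RDP),
    ("connection_server", "virtualcenter", HTTPS),   # SOAP to VirtualCenter
    ("desktop", "connection_server", JMS),           # VDM Agent to VDM Messaging
}


@dataclass(frozen=True)
class Rule:
    src: str   # CIDR
    dst: str   # CIDR
    port: int  # destination TCP port


def permitted(rules, src, dst, port):
    """Allow-list evaluation: permitted only if some rule covers src, dst and port."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(r.src) and d in ip_network(r.dst) and r.port == port
               for r in rules)


def audit(rules, required=REQUIRED, zones=ZONES):
    """Probe every zone pair on every VDM port; return (missing, excessive) as sorted lists."""
    missing, excessive = [], []
    for s, (_, src) in zones.items():
        for d, (_, dst) in zones.items():
            if s == d:
                continue
            for port in PORTS:
                allowed = permitted(rules, src, dst, port)
                needed = (s, d, port) in required
                if needed and not allowed:
                    missing.append((s, d, port))
                elif allowed and not needed:
                    excessive.append((s, d, port))
    return sorted(missing), sorted(excessive)


def direct_rdp_sources(rules, zones=ZONES, gateways=("connection_server", "security_server")):
    """Zones that can open RDP to a desktop without passing through a Secure Gateway host."""
    desktop = zones["desktop"][1]
    return sorted(z for z, (_, host) in zones.items()
                  if z not in gateways and z != "desktop" and permitted(rules, host, desktop, RDP))


POLICY_OK = [
    Rule("198.51.100.0/24", "192.0.2.10/32", HTTP),   # perimeter: only the gateway's HTTP(S)
    Rule("198.51.100.0/24", "192.0.2.10/32", HTTPS),
    Rule("192.0.2.10/32", "10.0.1.0/24", JMS),        # DMZ -> internal, per Figure 7
    Rule("192.0.2.10/32", "10.0.1.0/24", AJP13),
    Rule("192.0.2.10/32", "10.0.20.0/22", RDP),
    Rule("10.0.50.0/24", "10.0.1.0/24", HTTP),        # internal clients -> Connection Server only
    Rule("10.0.50.0/24", "10.0.1.0/24", HTTPS),
    Rule("10.0.1.0/24", "10.0.20.0/22", RDP),         # Connection Server -> desktops
    Rule("10.0.1.0/24", "10.0.2.50/32", HTTPS),       # Connection Server -> VirtualCenter (SOAP)
    Rule("10.0.20.0/22", "10.0.1.0/24", JMS),         # VDM Agent -> VDM Messaging
]

# Two common mistakes: the AJP13 rule was forgotten, and RDP to the desktops was opened to the
# whole internal range "for the help desk", which bypasses the Connection Server as gatekeeper.
POLICY_BAD = [r for r in POLICY_OK if r.port != AJP13] + [Rule("10.0.0.0/8", "10.0.20.0/22", RDP)]

if __name__ == "__main__":
    for name, policy in (("ok", POLICY_OK), ("bad", POLICY_BAD)):
        missing, excessive = audit(policy)
        print(name, "missing:", missing, "excessive:", excessive,
              "direct RDP from:", direct_rdp_sources(policy))
```

The same matrix check applies to the per-desktop host firewall the text recommends: load those rules instead of the perimeter policy and `direct_rdp_sources` must come back empty, with only the Connection Server and Security Server networks left as permitted RDP sources.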


Glossary

A

Active Directory
A Microsoft directory service that stores information about the network operating system and provides services. Active Directory configures and manages users and groups and enables administrators to set security policies, control resources, and deploy programs across an enterprise.

ADAM (Active Directory Application Mode)
An LDAP implementation based on Active Directory.

active session
A live connection from a client or Web Access user to a virtual desktop. An established connection to a virtual desktop that has not timed out.

administrator user interface
The Web-based administrator user interface used to perform configuration and management tasks in VDM. Also known as the VDM Administrator.

agent
See VMware VDM Agent.

B

broker
Also known as a connection broker. The VDM Connection Server is a type of connection broker. See also VMware VDM Connection Server.

C

client
See VMware VDM Client.

connection broker
A server that allows connections between remote users and virtual desktops and provides authentication and session management. The VDM Connection Server is a type of connection broker. See also VMware VDM Connection Server.

connection server
See VMware VDM Connection Server.

D

desktop
See virtual desktop.

desktop virtual machine
See virtual desktop.

desktop pool
A pool of virtual machines that an administrator designates for users or groups of users. See also persistent desktop pool, nonpersistent desktop pool.

DMZ (demilitarized zone)
A logical or physical subnetwork that connects internal servers to a larger, untrusted network (usually the Internet) and provides an additional layer of security and gives administrators more control over who can access network resources.

DNS (Domain Name System)
An Internet data query service that translates host names into IP addresses. Also called Domain Name Server or Domain Name Service.

F

FQDN (fully qualified domain name)
The name of a host, including both the host name and the domain name. For example, the FQDN of a host named esx1 in the domain vmware.com is esx1.vmware.com.

G

guest
See guest operating system.

guest operating system
An operating system that runs inside a virtual machine.


H

high availability
A system design approach that ensures a degree of operational continuity.

L

load balancing
A technique used for distributing processes across servers so that the traffic load is spread more evenly and servers do not become overloaded.

N

nonpersistent desktop pool
A desktop pool in which users are not assigned to a specific desktop. When users log off or are timed out of a desktop, their desktops are returned to the pool and made available to other users. Users should not save data or files to their desktops when using a nonpersistent pool.

P

persistent desktop pool
A desktop pool in which users are assigned to a specific desktop. Users log on to the same desktop every time and their data is preserved when they log off. Users can save data and files to their desktops when using a persistent pool.

R

RDP (remote desktop protocol)
A multichannel protocol that allows a user to connect to a computer remotely.

RSA SecurID
A product from RSA that provides strong two-factor authentication using a password and an authenticator.

S

security server
A VDM Connection Server deployment that adds a layer of security between the Internet and the internal network. Security Server is an option that you choose during VDM Connection Server installation. See also DMZ (demilitarized zone).

T

thin client
A device that allows a user to access virtual desktops but requires little memory or disk drive space. Application software, data, and CPU power reside on a network computer and not on the client device.

V

VMware VDM Agent
Installed on the guest, the VDM Agent enables communication between the desktop virtual machine, the VDM Connection Server, and end users who access virtual desktops by using VDM Web Access or VDM Clients.


VMware VDM Client
A Windows-based application used for accessing virtual desktops.

VMware VDM Connection Server
A connection broker that provides management and user authentication for virtual desktops. The VDM Connection Server directs incoming remote desktop user requests to the appropriate virtual desktop.

VMware VDM Web Access
Web browser-based application for accessing virtual desktops. End users who run supported Windows, Linux, or Macintosh operating systems can access virtual desktops by using VDM Web Access.

virtual desktop
A desktop operating system that runs on a virtual machine. A virtual desktop is indistinguishable from any other computer running the same operating system.

VMware Virtual Desktop Infrastructure
The VMware desktop infrastructure solution that consists of VMware ESX Server, VMware VirtualCenter, and VMware Virtual Desktop Manager. VDI provides an end-to-end virtual desktop solution that allows administrators to easily deploy and manage virtual desktop environments.

W

web access
See VMware VDM Web Access.