Integrating VMware Identity Manager(vIDM) with Symantec VIP Push

Integration with Symantec Multi-Factor Authentication

Symantec Multi-Factor Authentication can be integrated with vIDM in two ways:

  • via RADIUS using Enterprise Gateway
  • via SAML using VIP Login service

Limitations of RADIUS integration

Integrating vIDM via RADIUS with Symantec Enterprise Gateway to use Security Code is seamless and straightforward.

References below:

http://pubs.vmware.com/vidm/topic/com.vmware.wsair-administration/GUID-79EF08F7-B2FD-4E85-A2A8-1FEA28DDD414.html

https://support.symantec.com/en_US/article.INFO3360.html

Typical RADIUS integration involves configuring a Validation Server on Symantec Enterprise Gateway. This validation server allows you to configure multi-factor authentication using Security Code.

As of writing this I have not been successful in configuring vIDM with Symantec Enterprise Gateway using RADIUS for authentication based on VIP Access “Push” mechanism.

I suspect this issue to be related to the fact that vIDM when configured with Enterprise Gateway via RADIUS always expect the Security Code to be entered and the field “RADIUS Passcode” is always displayed like shown below. This prevents the redirection to the subsequent Push Notification screen.

RADIUS login.png

From the user experience perspective, it is not very convenient for the user to enter the Security Token during login. He has to take out his cell phone (or VIP token device), generate the one-time security code and key in the code in the vIDM portal. Quite cumbersome compared to you getting a “Push notification” on your cell phone that you need to be swiped to Allow.

Due to the above-mentioned limitations that I encountered, I integrated Symantec VIP Login using SAML.

Integrating Symantec VIP Login Service with vIDM directly (not through Symantec Enterprise Gateway)

For this integration, vIDM is the Service Provider(SP) to Symantec VIP login which is the second factor Identity Provider (IDP).

  • Retrieve SAML certificate and Metadata XML file from vIDM

vIDM cert and xml settingsDownload the Metadata XML file for vIDM as “SP” and the SAML certificate.

vIDM metadata and certificate download.png

  • Retrieve SAML certificate and Metadata XML file from Symantec VIP Manager

You can download the Metadata XML for VIP login as “IDP” and SAML certificate from the below section.

symantec metadata xml and certificate download.png

  • Configure VIP Manager

Import the vIDM certificate and the XML file into the Symantec VIP Login. This will establish a SAML trust between vIDM as SP and Symantec VIP Login as the second factor IDP.

importing vidm into symantec.png

Enable Mobile Push as the authentication option.

Symantec VIP Mobile Push Policy enable.png

Authentication Level.png

  • Configure Symantec VIP Login as a IDP in vIDM.

As shown in the screenshot below, provide the VIP Login Metadata XML, choose the domain and network range and leave all other values as default options.

Screen Shot 2017-07-23 at 01.44.00

Configure the default Authentication Method as “Push” and SAML context as Password.

Authmethod name and SAML context

  • Edit the Network Policy to enable the previously created Push Policy

Configure Push .png

The user experience looks like this.

RDS Sizing for VMware Horizon Applications

Lately, I have been getting a lot of queries around sizing RDS servers for Horizon Applications.

Though there is guidance around RDS sizing in the VMware Horizon 6 Reference Architecture Technical White Paper, there still seems to be lot of people requiring a simple tool do so.

Page 22, 23 and Page 25 of the white paper covers RDS sizing and provides you with details.

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-reference-architecture-horizon-6-view-mirage-workspace.pdf

The article provides a sizing spreadsheet which by changing 5 cells you can determine the number of ESX hosts required for your Horizon Apps RDS servers.

The aim of the sizing spreadsheet is to make things simple.

The only way in my opinion to accurately size RDS servers is to actually test it as there are so many factors that affects user density and scalability.

Some of them are:

  • Clock Speed of the core. 2.4 Gz core offers better performance than 2.0 Gz core
  • Number of sockets. 24 cores on a Quad core ESX host usually is less performant than 24 cores on a Dual core ESX host.
  • Applications types. Outlook 2016 with O365 with large OST files takes up a lot of CPU, memory and IOPs.
  • Application usage,
  • Graphics,
  • OS version. Windows 2008 R2 offers better user density than Windows Server 2012 R2 which offers better user density than Windows Server 2016

In the absence of real testing, the next best option is to do an application and workload assessment with tools like Systrack.

So assuming that we don’t have Systrack data and do not have the luxury of testing the load, my sizing spreadsheet should provide a conservative output for your RDS sizing.

Here it is: https://www.dropbox.com/s/jc1zryijswl03tl/RDSH%20Sizing%20v1.0.xlsx?dl=0

Here is how a 2000 users RDS sizing looks like:

Screen Shot 2017-07-15 at 22.40.48Some guidance:

  • Blue Boxes requires your input
  • Purple Box is the output which is the Total number of ESX hosts.

Further Guidance:

  • No overcommit for vCPU to pCPU. 1:1 mapping.
  • Ratio is nothing but a percentage. 20% of heavy users = 0.2, 50% of medium users = 0.5, 30% or light users = 0.3
  • VMware recommends 30 users per RDS server. Also recommends 4 vCPU per RDS server.
  • Buffer Ratio is up to you: for 10%, the ratio is 1.1. for 30%, the ratio is 1.3 and so on.

For the simplicity, I have excluded IOPS and Storage. If you need a number you may assume 10 IOPS for heavy user, 5 IOPS for medium user and 3 IOPS for light user.

Hope you find this useful.

Running IE 6, IE 7 and IE 8 on MacOS at the same time using VMware Fusion!

It is very common especially in the banking, insurance and government sectors to find numerous legacy applications still needing older Internet Explorer versions. Typical example is certain modules of core banking software.

This is even more painful when some of the organizations try to rollout out “BYOD” programs and there are MacOS users in the mix. That’s when VMware Fusion and ThinApp comes to your rescue.

I ll tell you exactly how.

Things you need to get started aka “Pre-requisites

For the end user:

  • VMware Fusion
  • Windows 7

For the administrator:

  • VMware Fusion or VMware Workstation or VMware vSphere
  • VMware ThinApp
  • Windows XP 32-bit SP3
  • Windows 7
  • Internet Explorer installers.
    • IE 7
    • IE 8

The following are the high-level steps:

  • Virtualize IE 6
  • Virtualize IE 7
  • Virtualize IE 8
  • Install IE packages on Windows 7
  • Run the applications in Unity mode and create MacOS Doc shortcuts

Virtualize IE 6

I don’t want to re-invent the wheel. Refer to the below KB article.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1026565

I have created a video below.

Virtualize IE 7

Refer to the KB article below.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1026674

Files required can be downloaded from below link.

https://www.dropbox.com/sh/3id9xqq8uyzaz9e/AAAuKOldIWVJVkZmRRffPMRoa?dl=0

I have created a video below.

Virtualize IE 8

Refer to the wonderful blogpost below.

https://blogs.vmware.com/thinapp/2015/01/package-internet-explorer-8.html

Files required can be downloaded from the below link.

https://www.dropbox.com/sh/yhdadx6q5613psd/AAA8TdfgE-hzCid7zY2FHJtha?dl=0

I have created a video below.

Install MSI packages on a Windows 7 machine

In the previous videos, you created MSI packages which now needs to be installed on a Win 7 x64 machine.

Creating MacOS shortcuts

Creating MacOS shortcuts in the dock is simple. The following is what you need to do:

  • Power On Win 7 x64 VMs that is already installed with IE 6,7,8.
  • Run the programs in “Unity” mode instead of “Full screen” or “Window Mode” like shown below.

You will find the Internet Explorer Windows seemingly running as a part of the MacOS. Now all you need to do is “Keep in Dock” as shown below.

Full Video can be found below.

Thank you folks, hope they are useful

Migrating Desktops with Persistent disks to new VMware Cluster and Desktop Pool

Introduction

One of my customers asked me about migrating Horizon linked clones (with persistent disks) from one Nutanix cluster to another.

Traditional way of doing this is to detach the persistent disks and then recreate the persistent desktops as documented below.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2086416

But if the requirement is to have minimum downtime and to minimize touching the production environment (no detaching of disks and recreation of current desktop), you can do a copy of disks and do an import as documented below.

Step 1: Make a list of all persistent disks and the users associated with them.

  • Below is my VDI pool with 3 persistent desktops.

  • If you go to the persistent disks portion, you ll find the names of the persistent disks and the associated users.

  • Use Powershell to get a complete and detailed list.

Step 2: New Datastore creation

  • Create a new datastore attached the new VMware cluster that you want to migrate to.
  • Make sure that all users shutdown their desktops so that persistent disks are not being written to.
  • Once all the VMs are shutdown, copy over the persistent disks to the new datastore.
  • In my example, I have copied over the 3 disks to a new datastore as below.

Step 3: Create a new desktop pool on the new VMware Cluster

  • You will now create a Desktop Pool for Persistent disk based desktops on the new VMware cluster.

Ensure that you select the new VMware Cluster, the correct parent VM, snapshot and the folder location.

New Desktop Pool gets created.

Step 4: Import the persistent disks and recreate desktops

Click on Persistent Disks and select the “Detached” tab. You will find no disks.

Import the persistent disks from the new datastore and assign users to them. You must refer to the user assignment list created earlier to assign the correct disk to the correct user.

The disks get listed as below.

Recreate the persistent desktops from the disks.

Desktops VMs get recreated.

Another possible option(I have not tested this myself):

  1. Add the new Nutanix cluster into the existing vCenter Cluster. So you will end up having a single vCenter Cluster with 2 Nutanix clusters.
    • Schedule downtime and ensure users are not using the system.
  2. A new storage(of the newly added Nutanix cluster) appears in the vCenter Cluster.
    • DRS and HA need to disabled.
  3. You may migrate the persistent desktops using the “Rebalance” option. Something like this http://blog.purestorage.com/vmware-view-desktop-migration/
  4. You should now migrate the VMs to the new Nutanix nodes from the old.
  5. You will now have the desktops running off the new Nutanix clusters without changing any settings in Horizon.

Simplifying(hopefully) vSphere for Desktop licensing

There has not been a single week at VMware so far that I have not been asked to clarify vSphere for Desktop licensing.

Last week, two of Singapore’s biggest FSI customers contacted me on exactly this. I thought it will be a good idea to document some of the clarifications that was needed.

Introduction

vSphere for Desktop is a license to run “VDI and related” workloads.

Note: All details that follows is as of 1 July 2016. VMware has all rights to change licensing in the future.

For starters, the following are some of the salient aspects you will need to remember:

  • vSphere for desktop is only meant to run VDI and related workloads. This includes Windows Desktop OS workloads and Windows Server OS workloads to run Remote Desktop Services based applications or desktops. This license also includes VDI management components such as Connection brokers, profile servers, application delivery controllers that are used as in a VDI environment. Monitoring tools are also covered by this license. So in a nutshell, anything related to VDI is covered by the license.
  • vSphere for desktop licensing is NOT based on CPU or sockets.

vSphere for Desktop for VMware Horizon VDI

  • All editions of VMware Horizon are bundled with vSphere for Horizon.
  • Horizon licensing is based on named user or concurrent user. It doesn’t matter to vSphere for Desktop how many hosts you use for your Horizon VDI and related workload. As long as you only host VDI and related workloads and not other non-vdi server workloads, you are free to use this license on as many hosts.
    • o For egs, lets say you have 300 VDI desktops. You may host 300 desktops and Horizon Management cluster on any number of physical hosts and this license covers all.
  • vCenter for Desktop is also included as a part of Horizon. So you may run as many vCenter Servers for your Horizon VDI infrastructure.

vSphere for Desktop for non-VMware VDI (for egs: Citrix)

  • vSphere for Desktop can be bought separately to host VDI and related workloads from another vendor such as Citrix.
  • The licensing is NOT based on CPU or sockets or named users or concurrent users.
  • The licensing is based on number of “Powered On” VMs. This means that the total number of “powered on” vms are counted. For egs, if you have 10 vms for VDI management, 100 desktops for user workloads, you will need to license 110 VMs as a part of vSphere for Desktop.
  • Please note XenApp or RDS VM is also considered as a VM even though you can host multiple sessions or users on a single RDS or XenApp VM. So a single XenApp or RDS workload will only consume a single vSphere for Desktop license.
  • vSphere for Desktop does not include vCenter for Desktop.
    • You will need to purchase vCenter separately to manage your VDI infrastructure.
    • As of writing this, you CANNOT buy vCenter for Desktop separately. vCenter for Desktop is ONLY bundled as a part of VMware Horizon and not available for non-Horizon customer. So you will to buy the “normal” vCenter Server to manage your VDI workload.

References:

https://www.vmware.com/products/vsphere/vsphere-desktop

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2132201

 

READONLY USB and Client Drive Redirection in Horizon 7

One of the features of Horizon 7 is the ability to redirect USB and Client Drives as Read-only.

This is extremely useful for customers who are security conscious and do not want users to modify files on drives or usb devices connected to the endpoint devices from their virtual desktops.

A good example is a customer who is using VDI for Internet Separation. Lets a Govt Agency do not allow internet access on their production network. They may choose to publish Internet Explorer for users for web browsing via VDI or RDS. In such a case, IE browser runs in a totally isolated environment from the production network. Users are not allowed to download files or make modifications to the endpoint devices on the production network. However, they may still want users to upload files to external websites or use data on the endpoint. This can be done redirecting Client Drive and USB devices on the client endpoint to the virtual desktops.

This functionality is achieved by pushing down a group policy as below. Documentation reference.

Preventing Write Access to Shared Folders

To prevent write access to all folders that are shared with the remote desktop, create a new string value named permissions and set its value to any string that begins with r, except for rw.

HKLM\Software\VMware, Inc.\VMware TSDR\permissions=r

USB and Client Drive Redirection without the Policy

The client drives and USB drives are seen as below.

drives shown

Users are able to write/modify files on the Client Drives and USB

writable

USB and Client Drive Redirection with the Policy

Registry setting is modified

readonly

Users get an error while trying to write to the drives.

cannot read

Launching an ICA session takes forever – Stuck at Connecting

Recently I had a high profile customer having a terrible connection experience launching ICA sessions.

ICA connecting window

I checked the usual suspects like connection timeouts, disabling session reliability, checking for NAT settings and so on. No improvement.

However one thing I observed was launching the ICA session from within the same desktop network did not exhibit this behavior. So it must be something at the level of the client network settings or the ICA file itself.

After some Googling and messing around, it turned out to be Client Proxy settings inherited by the ICA file from the Internet Explorer Proxy settings. The users had proxy settings configured in their Internet Explorer. So the ICA connection first goes to proxy server before making a direct connection and that explains the long delay in establishing the connection.

Fix

Configure Client Proxy settings in StoreFront to None instead of the default “auto”. Use this CTX article http://support.citrix.com/article/CTX136516

Thanks,

Arun.