Monday, October 29, 2012

Configuring roaming profiles with VMware View 5.0 Persona Management for Windows 7 desktops

I’ve recently noticed that while I’ve written blog posts about Citrix User Profile Management, I haven’t actually written one for VMware View’s Persona Management, which is bundled with VMware View 5.0 and later.  As other VMware View professionals know, there are benefits and drawbacks to using floating and dedicated assignment pools.  I personally prefer using floating assignment pools whenever I can because of the licensing benefits (I can use fewer licenses for more users) and because they avoid having a user unable to work when something is wrong with their desktop (the good old “agent unreachable” issue).  The problem with floating assignment pools is that a user can potentially log onto any available desktop in the pool, which does not work well for users who need to maintain persistent data or customizations on their desktops.  Microsoft’s native Redirected Desktops delivers part of the solution but, as we all know, it doesn’t roam certain settings (e.g. signature assignments in Outlook), and this is where Persona Management comes in.  I won’t go into too much detail about what Persona Management can or cannot do as this blog post is more of a reference for me to use in the future when I’m setting up an environment for a customer.

Configuration summary:

VMware View’s Persona Management will be used to maintain profiles across floating assignment pool desktops, but folder redirection will be used for the common user folders so that users access those files directly on a file server.

I am aware that VMware’s VMware View™ Persona Management deployment guide, found at the following URL: http://www.vmware.com/files/pdf/view/VMware-View-Persona-Management-Deployment-Guide.pdf

… specifically states the following on page 23:

In most cases, do not use folder redirection, and use the Persona Management as-needed file downloads and periodic file uploads of user profile data.

The guide explains the various use cases for Persona Management and redirected folders in more detail but, as with every solution, the environment you’re working with usually drives the design of the implementation.  Most of the environments I work with span multiple countries, but the servers are usually either centralized in a single location or, if multiple datacenters exist, connected through a fast WAN link.  This is why I choose to use redirected folders: files are saved instantly on the file servers and, more importantly, less storage is required on the virtual desktops.  As nice as it is that VMware provides the flexibility to manage where and when profiles are dynamically uploaded to a repository, I prefer redirected folders for the following reasons:

  1. Less storage required for the virtual desktop’s C drive since files and folders are directly saved onto the file server
  2. Ability to set quotas for redirected folders via Windows Server 2008 Quota Management

With the reasoning behind this configuration covered, let’s proceed with demonstrating the settings I configured.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Step 1 – Create Repository Folder Shares

The first step is to create the repository folder shares for:

  1. Persona Management
  2. Redirected Folders

For this example, I’ve created a folder named Profiles with 2 sub folders named:

  • Persona
  • Redirected

Both of the folders above should be set with the same share and security permissions so I’ll just demonstrate setting up the Persona share.

The share settings should be set to Full control:

Note that making the share a hidden share by appending a $ sign to the share name is optional.

For the NTFS security permissions, remove the default user name entries, clear Include inheritable permissions from this object’s parent and set the following permissions:

CREATOR OWNER:
Apply to: Subfolders and files only
Permissions: Full Control

SYSTEM:
Apply to: This folder, subfolders and files
Permissions: Full Control

CREATOR OWNER:
Apply to: This folder, subfolders and files
Permissions: Full Control

Note that I am aware that, as per the VMware View Administration guide on page 177, VMware recommends following the TechNet article below to configure the folder permissions:

Security Recommendations for Roaming User Profiles Shared Folders
http://technet.microsoft.com/en-us/library/cc757013%28WS.10%29.aspx

… and whether you would like to use the settings as shown in the article above is up to you.
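The Step 1 shares and NTFS permissions as a PowerShell script. This is an added example, not code from the original post; it assumes a D:\Profiles root, Windows Server 2012 or later (for New-SmbShare), Full Control on the share for Authenticated Users, and that the third NTFS entry (which the post lists as a second CREATOR OWNER) is the security group of Persona users, as in the TechNet article the post links.

```powershell
# Added example (not from the original post). Builds the Profiles\Persona and
# Profiles\Redirected repository shares from Step 1 and applies the NTFS ACL the
# post describes. Assumptions: D:\Profiles root; share Full Control for
# Authenticated Users; the third ACL entry is the Persona users' group with just
# enough rights to create its own folder. Run elevated on the file server.

$Root       = 'D:\Profiles'                  # assumption
$UsersGroup = 'CONTOSO\View-Persona-Users'   # assumption: replace with your group

function New-Ace([string] $Identity, $Rights, $Inheritance, $Propagation) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inheritance, $Propagation, 'Allow')
}

function New-ProfileRepository {
    param(
        [Parameter(Mandatory)] [string] $Name,        # folder name, e.g. Persona
        [Parameter(Mandatory)] [string] $ShareName,   # e.g. Persona$ ($ hides the share; optional)
        [Parameter(Mandatory)] [string] $UsersGroup
    )
    $path = Join-Path $Root $Name
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Share permissions: Full Control, as in the post. NTFS does the real restricting.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $path -FullAccess 'Authenticated Users' | Out-Null
    }

    $acl = Get-Acl -Path $path
    # Clear "Include inheritable permissions from this object's parent"; the
    # second argument ($false) drops the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove whatever explicit entries remain so only the list below applies.
    foreach ($rule in @($acl.Access)) { [void] $acl.RemoveAccessRule($rule) }

    $ci   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    # CREATOR OWNER: Full Control, "Subfolders and files only" (InheritOnly).
    $acl.AddAccessRule((New-Ace 'CREATOR OWNER' $full $ci 'InheritOnly'))
    # SYSTEM: Full Control, "This folder, subfolders and files".
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' $full $ci 'None'))
    # Persona users' group (assumption): list the root and create their own folder,
    # applied to "This folder only"; CREATOR OWNER then owns whatever they create.
    $create = [System.Security.AccessControl.FileSystemRights] 'ReadData, CreateDirectories, ReadAttributes, ReadPermissions'
    $acl.AddAccessRule((New-Ace $UsersGroup $create 'None' 'None'))

    Set-Acl -Path $path -AclObject $acl
    # Return the explicit entries so the result can be checked against the post's list.
    (Get-Acl -Path $path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

New-ProfileRepository -Name 'Persona'    -ShareName 'Persona$'    -UsersGroup $UsersGroup
New-ProfileRepository -Name 'Redirected' -ShareName 'Redirected$' -UsersGroup $UsersGroup
```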

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Step 2 – Configure Quotas for the Redirected Folders

Although not covered by VMware’s Persona Management guide, I prefer to set quotas on the redirected folders because that prevents users from filling up the file server if they ever download large files.  I won’t go into how to configure quotas as the following article does a good job of demonstrating it:

Create an Auto Apply Quota
http://technet.microsoft.com/en-us/library/cc731577.aspx

The only note I’d like to make is to ensure that you select Auto apply template and create quotas on existing and new subfolders while creating the quota; otherwise you’ll inadvertently set the quota limit to be the aggregate of all the users’ redirected folders.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Step 3 – Import ADM and configure Group Policy Object

Once the repository folder shares and quota have been created, the next step is to create a new GPO, edit the settings and import the Persona Management ADM into the policy.  The ADM can be found at the following location on the View Connection Server:

C:\Program Files\vmware\VMware View\Server\extras\GroupPolicyFiles

The ADM we’ll be loading is named ViewPM.adm:

Once the ADM has been imported, proceed by navigating to Computer Configuration –> Administrative Templates –> Classic Administrative Templates (ADM) –> VMware View Agent Configuration –> Persona Management, where you’ll see the available settings.

Proceed with configuring the Persona Management settings as such:

Computer Configuration –> Administrative Templates –> Classic Administrative Templates (ADM) –> VMware View Agent Configuration –> Persona Management –> Roaming & Synchronization

Manage user persona – Enabled

Profile upload interval (in minutes): – 10

Files and folders excluded from roaming – Enabled

Value:

  • My Music
  • My Videos
  • Saved Games

I’ve chosen to exclude these folders because I do not want the files in them stored on the server.  I’ve also been asked why this setting is needed if I wasn’t going to redirect these folders in the Folder Redirection settings (below); the answer is that if they are not excluded here, the folders would still be saved in the persona repository.

Note that you will need to ensure users are aware that files stored in these folders are not preserved.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Computer Configuration –> Administrative Templates –> Classic Administrative Templates (ADM) –> VMware View Agent Configuration –> Persona Management –> Folder Redirection

Application Data (Roaming) – Enabled
Redirect to the following location - \\<fileServer>\Redirected$\%username%\AppData

Contacts – Enabled
Redirect to the following location - \\<fileServer>\Redirected$\%username%\Contacts

Cookies – Enabled
Redirect to the following location - \\<fileServer>\Redirected$\%username%\Cookies

Desktop – Enabled
Redirect to the following location - \\<fileServer>\Redirected$\%username%\Desktop

Downloads – Enabled
Redirect to the following location - \\<fileServer>\Redirected$\%username%\Downloads

Favorites – Enabled
Redirect to the following location - \\<fileServer>\Redirected$\%username%\Favorites

History – Enabled
Redirect to the following location - \\<fileServer>\Redirected$\%username%\History

Links – Enabled
Redirect to the following location - \\<fileServer>\Redirected$\%username%\Links

My Documents – Enabled
Redirect to the following location - \\<fileServer>\Redirected$\%username%\My Documents

… and repeat this for all of the remaining folders except the following:

  • My Music
  • My Videos
  • Saved Games

Note that these are settings that I prefer and that this may need some tweaking depending on the environment.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Computer Configuration –> Administrative Templates –> Classic Administrative Templates (ADM) –> VMware View Agent Configuration –> Persona Management –> Desktop UI

I usually don’t make any changes to these settings because:

  • I typically use redirected folders and therefore eliminate the need to notify users when large files are being transferred
  • Sometimes it’s better to not confuse users with popup messages

Again, feel free to configure these settings if required.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Computer Configuration –> Administrative Templates –> Classic Administrative Templates (ADM) –> VMware View Agent Configuration –> Persona Management –> Logging

I usually leave these settings as Not configured but whether you customize the logging settings will be up to you.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Step 4 – Apply the Group Policy Object to the Virtual Desktop Computer Object

With the GPO configured, proceed with applying the policy to the virtual desktops on which you would like Persona Management turned on.  Note that the policy contains settings that apply to computer objects, so do not apply it to user accounts.

Now when users log onto desktops with this GPO applied, their files and folders should be redirected to the configured repositories.

Tuesday, October 23, 2012

Configuring for ICA Proxy with Citrix NetScaler VPX (1000) 10 and XenApp 6.5

This post will serve as more of an update to one of my previous posts for the Citrix NetScaler 9.3:

Configuring Citrix NetScaler VPX (1000) 9.3 for publishing Web Interface server access by authenticating against Active Directory
http://terenceluk.blogspot.com/2012/02/configuring-citrix-netscaler-vpx-1000.html

… to demonstrate a similar configuration on a NetScaler VPX (1000) 10.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

The environment for this example consists of a NetScaler VPX appliance with 2 network interfaces. One interface sits in the DMZ (172.16.x.x) network and the other leg sits in the internal server network (192.168.x.x). A CheckPoint firewall is configured to direct port 443 traffic to the NetScaler’s 172.16.x.x IP via a public IP. The XML brokers are the XenApp servers and the port they’re using is port 8080. Finally, the NetScaler has a certificate issued by a public Certificate Authority and is a virtual machine on an ESXi 5.0 host with dvSwitches configured.

Start by configuring your NetScaler’s MIP, SNIP and VIP IPs.

As important as the NetScaler IP, Mapped IP and Subnet IP are, I would like to note that I’ve configured 2 Virtual IPs.  The one sitting out on the DMZ leg will be used to respond to traffic coming in from the internet while the second one sitting on the internal LAN will be used to respond to the call back from the Web Interface server during authentication.

Proceed with navigating to Access Gateway –> Virtual Servers.

Right-click in the right-hand pane and select Add, then in the Create Access Gateway Virtual Server window’s Certificates tab, select the public certificate you’ve installed and click on the Add button.

Next, give this virtual server a name and enter the DMZ IP address.

Proceed with clicking on the Authentication tab.

Click on the Insert Policy button at the bottom to create a new policy, then click on the small drop-down box under Policy Name and click on New Policy.

The Create Authentication Policy window is where you select the Authentication Type (e.g. LDAP, RADIUS) and set up Expressions (e.g. is Trend Micro installed?), which act as rules checked against the client that tries to authenticate against the NetScaler.

Enter a name for the policy, select LDAP as the Authentication Type and click on the New button.

The Create Authentication Server window is where you specify the settings for your LDAP server, which will be your Active Directory domain controller.

Once you’ve completed entering the information for your LDAP server and exited out, you’ll be brought back to the Create Authentication Policy window. Proceed with adding an Expression by clicking on the drop-down menu beside the Add Expression button.

For the purpose of this example, we’re not going to add any special expressions, so we’ll add the True value expression, which simply matches any client.

Once you’ve added the expression, proceed with clicking the Create button and then Close.

Once you’ve exited out of the previous window, you’ll be brought back to the Create Authentication Policy window with the policy you’ve just created shown in the Authentication Policies list.

Note that you should be creating a secondary entry or multiple policies with different priorities to build in some redundancy in case your configured LDAP server becomes unavailable.

With the authentication policy created, proceed with navigating to the Policies tab to create a new Access Gateway Session Policy.

The configuration options here are pretty much the same as the Authentication Policy settings, only in a different context. This is where we’ll enter the information for the Access Gateway to contact the back-end Web Interface servers.

As with the authentication policy, we won’t be putting any special expressions into this policy, so we’ll use the True value again.

Once we’ve added the expression, proceed with clicking on the New button to bring up the Access Gateway Session Profile settings, which will allow us to enter our Web Interface server settings.

The first tab we’ll be changing is the Security tab, where we’ll set the Default Authorization Action to ALLOW.

The next tab we’ll need to configure is the Published Applications tab, which is where we’ll enter our Web Interface servers’ information.

Note that the Web Interface Address should point to a load balanced VIP or virtual name that spreads across multiple web interface servers to provide redundancy.

Once you’ve completed the configuration of the Published Applications tab, proceed with clicking on the Create and Close button to return to the Create Access Gateway Session Policy window.

Continue by clicking on the Create and Close button to return to the Access Gateway Virtual Server window.

With the Access Gateway virtual server set up, the next step is to click on the Published Applications tab to list the Secure Ticket Authority (STA) servers. For this example, my STAs are the XenApp servers.

Note that the STA uses port 8080.

Once you’ve completed entering the STA information, proceed with clicking on Create and then Close.

If you’ve configured everything properly, you should see your newly configured virtual server with the State as Up.

With the public-facing virtual server configured, repeat the steps to configure a second virtual server mapped to an IP on the internal network.  This virtual server will be used for the callback from the Web Interface server during the authentication process.  I won’t be including screenshots with instructions as it would look exactly the same as the public-facing one.  Once the second virtual server is configured, both virtual servers will appear in the list.

Now that we have our NetScaler set up, we should proceed with configuring an additional site on the Web Interface server for the NetScaler to access.  Log onto your Web Interface server and open up the Citrix Web Interface Management console.  I won’t be including instructions for this, but you can see them in my previous NetScaler 9.3 post (the URL is at the beginning of this post).