VMware Hands-on Labs - HOL-1791-CHG-1


Lab Overview - HOL-1791-CHG-1 - Horizon Challenge Lab

Lab Guidance


Note: It will take more than 90 minutes to complete this lab. You should expect to finish only 2-3 of the modules during your time. The modules are independent of each other, so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing. Please use the Module Switcher located on the Desktop to prepare the environment for the module you select.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Lab Module List:

 

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  But you can click the EXTEND button to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@" key.

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs take advantage of this benefit, which allows us to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - First day at work: Introduction to the Environment (30 minutes)

Introduction


This module will challenge you to understand the Horizon Environment that you have just inherited.

This Module contains the following lessons:


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module Switcher Instructions


The following steps will instruct you on how to launch the modules using the Module Switcher tool.


 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 1

 

Click on the Start Button Below Module 1

 

 

Module Start

 

Wait for script to finish running. Press Enter to continue when the script prompts you to do so.

 

Challenge 1: Inventory


During this module you will get familiar with the Horizon environment you just inherited from the previous administrator. You will leverage tools and consoles for Horizon, vSphere, vRealize Operations for Horizon, and App Volumes to get a better understanding of the current infrastructure.

Take note of all resources, applications, performance, etc. Understanding the environment you have just inherited is very important as the CEO will be calling upon your expertise to help with company deliverables. You will be required to use these accounts (located here and in the Readme.txt file on the Desktop of the Main Console) and URLs to access the appropriate tools to remedy the challenges ahead.


 

***LAB RESOURCE CONSTRAINTS***

Please note that due to resource constraints the following VMs and/or virtual appliances are shut down by default:

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To review the environment, you are going to need a web browser to connect to most administrator consoles.

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Review vSphere Environment

 

Log in to the vSphere Web Client and correlate some of the components: 


vSphere Web Client: https://vcsa-01a.corp.local/vsphere-client

  1. User: administrator@corp.local
  2. Password: VMware1!
  3. Click on Login

TIP: You can save time by clicking on "Use Windows session authentication" and then on the Login button.

 

 

Review Networking & Security (NSX)

 

Log into NSX Manager:

Please use the "Networking & Security" link from vCenter to review the configuration

 

 

Review Active Directory

 

Log into Active Directory Users and Computers:

The Active Directory Users and Computers console can be launched from:

  1. Start Menu -> All Programs
  2. Administrative Tools
  3. Active Directory Users and Computers

Active Directory Console: accessed from Main Console

 

 

Review vRealize Operations

 

Log into vRealize Operations:

Connect to the vRealize Operations Console using the bookmark or go to: https://vrops-01a.corp.local

  1. Authentication Source: Local Users
  2. User: admin
  3. Password: VMware1!
  4. Click on Login

 

 

Review Log Insight

 

Log into Log Insight:

Connect to the vRealize Log Insight Console using the bookmark or go to: https://log-01a.corp.local

  1. User: admin
  2. Password: VMware1!
  3. Click on Login

 

 

Review View Environment

 

Log into Horizon View admin console: 


View Admin Console: https://view-01a.corp.local/admin

  1. User name: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click on Log In

 

 

Log in to the Identity Management Console

 

Log in to the Identity Management Console:

 

Connect to the Identity Manager Console using the bookmark or go to: https://idm-01a.corp.local/admin

  1. User: admin
  2. Password: VMware1!
  3. Click on Sign in

 

 

Log in to the User Environment Manager Console

 

Log in to User Environment Manager Console:

 

You can access the User Environment Manager Console by double clicking its icon on the Main Console desktop.

***PLEASE NOTE: User Environment Manager has not been configured and will prompt you to enter a UNC path. Please disregard this prompt; it will be configured later in the lab (Module 5). At this time, it is more important to recognize that User Environment Manager is licensed and available, even though it is not utilized today.***

 

 

Review App Volumes Deployed App Stacks

 

Log into App Volumes:

 

Connect to the App Volumes Management Console using the bookmark or go to https://appvolumes-01a.corp.local/horizonadmin

  1. Username: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click on Login

 

Key Takeaways


Upon review of the environment, you will now have a good understanding of what you have just inherited.  You should understand the limitations and concerns that could arise from how your predecessor deployed the End User Compute resources.


 

Conclusion

This concludes Module 1: First day at work: Introduction to the Environment.  We hope you have enjoyed taking it. Please do not forget to fill out the survey when you are finished.

Always remember to review the current documentation and release notes.

http://pubs.vmware.com/horizon-7-view/index.jsp?
http://pubs.vmware.com/Release_Notes/en/horizon-7-view/horizon-70-view-release-notes.html

 

Module 2 - Users reporting connection issues (30 minutes)

Introduction


It's day 2 in your role as VDI administrator at Rainpole and you receive your first support escalation. During this exercise you will identify, reproduce, and troubleshoot a common connection problem from end users.


 

Module 1 revision

Every module in this lab is independent and designed to be fully functional on its own. However, Module 1 includes introductory information to the general scenario and your new role as Head of Desktop Engineering at Rainpole, Inc. It is recommended that you familiarize yourself with the information contained in Module 1 before proceeding.

 

 

Required information

 

Your predecessor did not leave you a lot in terms of documentation, but rummaging through some drawers, you found the following "design".

Your View environment consists of the following:

Additional notes for the lab:

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module Switcher Instructions


The following steps will instruct you on how to launch the modules using the Module Switcher tool.


 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 2

 

Click on the Start Button below Module 2

 

 

Stop Previous Module

 

If you ran a previous module before Module 2, the STOP script for that module will be run (Module 1 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 2 Start

 

Wait for the Module 2 START script to finish running. Press Enter to continue when the script prompts you to do so. This may take a few minutes.

 

Challenge 2: Black Screen Issues


Help Desk is reporting users are having trouble connecting to their desktops and are just receiving a black screen. During this module you will use troubleshooting techniques to diagnose and solve the issue.


 

The dreaded Black Screen

Have you ever experienced a Black Screen when trying to connect to your virtual desktop? Well, today a number of users are calling the help desk with this exact issue. What would be the most efficient way to understand and resolve this issue with the tools you have at hand? Well, I hope you can figure this out soon, before the CEO calls in complaining that he too cannot interact with his desktop properly.

Determine what might cause this type of experience and remediate it accordingly. Validate your solution by successfully logging into a virtual desktop.

Symptoms: Black screen issues

 

Problem description


Some users are reporting that they are unable to connect to their desktops.


 

User connections stalled

 

Some users report being permanently stuck trying to connect to their desktops using the Rainpole Desktop pool.

 

 

Black Screen

 

Other users report the dreaded Black Screen, where after connecting to their "Rainpole Desktop" the connection seems to be established, but all they receive is a black screen.

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To solve the issue, you are going to need the vCenter Web Client connected to vCenter vcsa-01a.corp.local:

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
  2. Log in using the username administrator@corp.local and password VMware1! (you can also use Windows Session Authentication)

 

Hint 1: Different users


The first step in resolving an end-user related connectivity issue is to confirm if the problem affects all users or only a subset.

In this case, you might want to consider:

  1. How many types of users are there?
  2. Do they connect differently?
  3. Can you reproduce the issue?

The answers will be given in the next step.


 

Hint 1: Different users (answers)

The first step in resolving an end-user related connectivity issue is to confirm if the problem affects all users or only a subset.

In this case, you might want to consider:

  1. How many types of users are there?

Four. Internal and external users, both connecting through PCoIP and Blast.

  1. Do they connect differently?

Yes. Internal users connect to "view-01a.corp.local", while external users connect to "view.rainpole.com". The display protocol (PCoIP/Blast) is controlled by the client in this case.

  1. Can you reproduce the issue?

Yes. In the following steps you will see how to connect to Horizon View as an internal or an external user, choosing either display protocol.

 

 

Connecting from the internal network

 

From the desktop of the Main Console, launch the VMware Horizon Client.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as The CEO

 

  1. User name: ceo
  2. Password: VMware1!
  3. Domain: CORP
  4. Click "Login"

 

 

Selecting the Display Protocol

 

  1. Right-click on the "Rainpole Desktop" icon
  2. Select the display protocol

Double-click on the "Rainpole Desktop" icon to launch the desktop.

 

 

Connecting from the external network

 

The "External Client" VM can be used to connect to the Horizon View environment as an external user. From the vSphere Web Client, search for "External Client".

 

 

 

Launch External Client Remote Console

 

Click on the "Launch Remote Console" link.

 

 

Launch the VMware Horizon Client

 

From the desktop of the External Client, launch the VMware Horizon Client.

 

 

Connect to VMware EUC Access Point

 

Double-click the icon for "view.rainpole.com"

 

 

Authenticate as The CEO

 

  1. User name: ceo
  2. Password: VMware1!
  3. Domain: CORP
  4. Click "Login"

 

 

Selecting the Display Protocol

 

  1. Right-click on the "Rainpole Desktop" icon
  2. Select the display protocol

Double-click on the "Rainpole Desktop" icon to launch the desktop.

 

Hint 2: The connection process


What were the results of your connectivity tests?

You should have observed the following behavior:

  1. Internal users using PCoIP: No problems connecting
  2. Internal users using Blast: No problems connecting
  3. External users using PCoIP: Stuck connecting to desktop
  4. External users using Blast: Black Screen

So now that you know that only the external users are having problems connecting, ask yourself, what is different between how internal and external users connect?

Next, think about the connection process. Is the entire connection process broken? What parts of the connection process are working?

This should get you on the way to solving the challenge, but if you would like to see the answers to these questions and more information to help you solve the challenge, see the next step.


 

Hint 2: The connection process (answers)

What were the results of your connectivity tests?

You should have observed the following behavior:

  1. Internal users using PCoIP: No problems connecting
  2. Internal users using Blast: No problems connecting
  3. External users using PCoIP: Stuck connecting to desktop
  4. External users using Blast: Black Screen

So now that you know that only the external users are having problems connecting, ask yourself, what's different between how internal and external users connect?

Next, think about the connection process: is the entire connection process broken? What parts of the connection process are working?

  1. Connecting to the Connection Server to authenticate (functioning, we receive a login dialog prompt)
  2. Authentication (functioning, we can authenticate to AD in this case)
  3. Query to Connection Server to list available desktops and applications (also working properly)
  4. Connection Server to Horizon Agent (probably working, since we never received an error stating the desktop was actually unavailable. Can be double-checked in the Horizon View Management Console)
  5. Horizon Client to Horizon Agent connection (definitely not working since we can't fully connect to the virtual desktop)

Four out of five is not that bad, but it's definitely not enough for end users to connect to their desktops.  

At this point we need to focus on Step 5 of the connection process. Go on to the next steps to see more hints.

 

Hint 3: The final step


We have narrowed it down to a single problem: something is preventing the connection from the Horizon Client to the Horizon Agent.

What elements are part of the flow of the Client to Agent connection?

What role does each of the elements play?

Identifying these elements will get you on track to solve the issue, but if you want to see the answers to these questions, go on to the next step.


 

Hint 3: The final step (answers)

We have narrowed it down to a single problem: something is preventing the connection from the Horizon Client to the Horizon Agent.

What elements are part of the flow of the Client to Agent connection?

  1. Horizon Client
  2. Perimeter Firewall 1 (Transit/DMZ)
  3. Access Point
  4. Perimeter Firewall 2 (DMZ/Internal)
  5. Horizon Agent

What role does each of the elements play?

We're almost there! Knowing the specific architecture greatly helps in pinpointing the source of the problem.

Continue to the next step if you want the last hint to solve the challenge.  

 

 

Hint 4: The broken element


Out of all the elements that are part of that last Horizon Client to Horizon Agent connection, we know most of them are behaving properly:

  1. Horizon Client: working normally, validated by authentication
  2. Firewall: need to check
  3. Access Point: the Connection Server configuration is working, because we can authenticate and list available desktops
  4. Horizon Agent: the internal users do not have any problems with the agent and it is connecting normally to the Connection Server

We definitely need to work on the firewall. What firewall configuration do we need? What ports need to be open? How can we check the firewall configuration?

The documentation is always helpful in these cases: http://pubs.vmware.com/horizon-7-view/topic/com.vmware.horizon-ap.deploy-config.doc/GUID-F197EB60-3A0C-41DF-8E3E-C99CCBA6A06E.html

The answers to the above questions are available in the next step.


 

Hint 4: The broken element (answers)

Out of all the elements that are part of that last Horizon Client to Horizon Agent connection, we know most of them are behaving properly:

  1. Horizon Client: working normally, validated by authentication
  2. Firewall: need to check
  3. Access Point: the Connection Server configuration is working, because we can authenticate and list available desktops
  4. Horizon Agent: the internal users do not have any problems with the agent and it is connecting normally to the Connection Server

We definitely need to work on the firewall. What firewall configuration do we need? What ports need to be open? How can we check the firewall configuration?

  1. TCP 4172
  2. UDP 4172
  3. TCP 443
  4. UDP 443
  5. TCP 22443
  6. UDP 22443

The documentation is always helpful in these cases: http://pubs.vmware.com/horizon-7-view/topic/com.vmware.horizon-ap.deploy-config.doc/GUID-F197EB60-3A0C-41DF-8E3E-C99CCBA6A06E.html

The steps that follow show how to check and correct the firewall configuration.
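As an added example (not part of the lab manual or any VMware tool), the following Python script does what Hints 2 and 4 ask you to do by hand: it compares the services a firewall rule allows against the six ports listed above and maps each gap to the symptom observed for external users (PCoIP stuck connecting, Blast black screen). The three service names "Blast Extreme TCP", "Blast Extreme UDP" and "VMware-View5.x-PCoIP-UDP" are taken from the lab; the names "VMware-View5.x-PCoIP-TCP" and "HTTPS", the grouping of 4172 as PCoIP and 22443 as Blast Extreme, and the contents of the rule before the fix are this example's own assumptions. The probe_tcp helper is there for a live check from the External Client and is not exercised by the sample run.

```python
import socket
from typing import Dict, Iterable, List, Set, Tuple

Service = Tuple[str, int]  # (protocol, port), e.g. ("udp", 4172)

# The six ports the lab lists for the Access Point -> Agent path.
# Grouping by display protocol is this example's annotation:
# 4172 = PCoIP, 22443 = Blast Extreme, 443 = HTTPS/tunnel traffic.
REQUIRED: Dict[str, Set[Service]] = {
    "PCoIP": {("tcp", 4172), ("udp", 4172)},
    "HTTPS": {("tcp", 443), ("udp", 443)},
    "Blast Extreme": {("tcp", 22443), ("udp", 22443)},
}

# User-visible symptoms reported in Hint 2 for external users.
SYMPTOM: Dict[str, str] = {
    "PCoIP": "stuck connecting to desktop",
    "Blast Extreme": "black screen after connecting",
}

# Service names as they appear in the NSX rule, mapped to protocol/port.
# Three names are from the lab; the two marked "assumed" are not.
SERVICE_NAMES: Dict[str, Service] = {
    "VMware-View5.x-PCoIP-TCP": ("tcp", 4172),   # assumed name
    "VMware-View5.x-PCoIP-UDP": ("udp", 4172),
    "HTTPS": ("tcp", 443),                        # assumed name
    "Blast Extreme TCP": ("tcp", 22443),
    "Blast Extreme UDP": ("udp", 22443),
}


def parse_service(name: str) -> Service:
    """Resolve a rule entry to (protocol, port).

    Accepts a known NSX service name or an explicit 'tcp/4172' form.
    """
    if name in SERVICE_NAMES:
        return SERVICE_NAMES[name]
    proto, _, port = name.lower().partition("/")
    if proto not in ("tcp", "udp") or not port.isdigit():
        raise ValueError(f"unrecognised service entry: {name!r}")
    return (proto, int(port))


def audit_rule(allowed_services: Iterable[str]) -> Dict[str, List[Service]]:
    """Per protocol group, list the required services the rule does not allow.

    Groups that are fully allowed are omitted, so an empty dict means the
    rule covers everything the lab requires.
    """
    allowed = {parse_service(s) for s in allowed_services}
    return {
        group: sorted(svc for svc in required if svc not in allowed)
        for group, required in REQUIRED.items()
        if not required <= allowed
    }


def expected_symptoms(missing: Dict[str, List[Service]]) -> Dict[str, str]:
    """Translate missing groups into the symptom the help desk will hear about."""
    return {group: SYMPTOM[group] for group in missing if group in SYMPTOM}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live check: can a TCP handshake to host:port complete?

    UDP has no handshake, so the UDP entries cannot be verified this way;
    use the rule audit above (or an actual desktop launch) for those.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed: the rule as assumed before the fix, with only TCP PCoIP
    # and HTTPS allowed between the Access Point and the Agents.
    before = ["VMware-View5.x-PCoIP-TCP", "HTTPS", "udp/443"]
    missing = audit_rule(before)
    symptoms = expected_symptoms(missing)
    for group, services in missing.items():
        print(f"{group}: missing {services} -> {symptoms.get(group, 'n/a')}")
    after = before + ["VMware-View5.x-PCoIP-UDP", "Blast Extreme TCP", "Blast Extreme UDP"]
    print("after adding the three services, missing:", audit_rule(after))
```

Running the script reports UDP 4172 missing for PCoIP and both 22443 entries missing for Blast Extreme, which is exactly the pair of symptoms seen in the connectivity tests; after the three services from the "Add Required Services" step are added, the audit returns an empty result.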

 

 

Connect to the Networking & Security Administrator Console

 

  1. Click on the vSphere Web Client Home icon
  2. Select Networking & Security from the drop down menu

 

 

Open Perimeter Firewall Properties

 

  1. In the Navigator pane on the left, select NSX Edges
  2. Double click on edge-3 to open the Perimeter_Firewall properties

 

 

Firewall Configuration

 

Click on the Firewall tab and make sure the Firewall Status shows as Enabled.

 

 

Gain screen space by collapsing the right Task Pane

 

  1. Clicking on the Push-Pins will allow task panes to collapse and provide more viewing space to the main pane.  You can also collapse the left-hand pane to gain the maximum space.

 

 

Gain screen space by zooming out

 

  1. Select the Options menu in Chrome.
  2. Click the '-' button to zoom out to 90%

This will provide more viewing space while still allowing you to read the text.

 

 

Firewall Rules

 

Within the list of firewall rules in the main panel, scroll down until you find the rule named "Allow Traffic AP to Agents". This aptly named rule controls which traffic is allowed to pass between the Access Point in the DMZ and the Agents in the VDI network.

We need to allow Blast Extreme and PCoIP UDP traffic between the Access Point and the Agents if we want desktops to display properly.

Hover the mouse over the top right corner of the list of allowed services, as indicated in the picture, and click on the + icon that will appear, to add more services.

 

 

Add Required Services

 

  1. Make sure the Object Type is set to Service
  2. Look for the following services in the Available Object list:
    1. Blast Extreme TCP
    2. Blast Extreme UDP
    3. VMware-View5.x-PCoIP-UDP
  3. For each service, select it from the list and click the -> button to add it to the Selected Object list
  4. Click OK

When you are finished, the complete list should look like the one in the picture.

 

 

Publish Firewall Configuration

 

Back in the Firewall configuration window, click on Publish to commit the firewall rule change.

 

Validate your results!


Time to see if our firewall rule changes had the desired effect and all of our users are able to connect to their desktops properly.

The following steps will again walk you through connecting to the Rainpole Desktop as the CEO from the External Client to validate the connection.


 

Connecting from the external network

 

The "External Client" VM can be used to connect to the Horizon View environment as an external user. From the vSphere Web Client, search for "External Client".

 

 

 

Launch External Client Remote Console

 

Click on the "Launch Remote Console" link.

 

 

Launch the VMware Horizon Client

 

From the desktop of the External Client, launch the VMware Horizon Client.

 

 

Connect to VMware EUC Access Point

 

Double-click the icon for "view.rainpole.com"

 

 

Authenticate as The CEO

 

  1. User name: ceo
  2. Password: VMware1!
  3. Domain: CORP
  4. Click "Login"

 

 

Selecting the Display Protocol

 

  1. Right-click on the "Rainpole Desktop" icon
  2. Select the display protocol

Double-click on the "Rainpole Desktop" icon to launch the desktop.

Make sure you test with both protocols! (PCoIP and VMware Blast)

 

 

Success!

 

You should now be able to connect to the Rainpole Desktop using both PCoIP and VMware Blast from an External Client.

You can sign out of the desktop and close the Horizon Client when you are finished.

 

Module 3 - The CEO cannot log into vIDM (30 minutes)

Introduction


This module will challenge you to resolve the issue that the CEO (and his C-Level team) cannot log into Identity Manager.

This module contains the following lessons:


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module Switcher Instructions


The following steps will instruct you on how to launch the modules using the Module Switcher tool.


 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 3

 

Click on the Start Button below Module 3

 

 

Stop Module 2

 

If you ran a previous module before Module 3, the STOP script for that module will be run (Module 2 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 3 Start

 

Wait for the Module 3 START script to finish running. Press Enter to continue when the script prompts you to do so. This may take a few minutes.

 

Challenge 3 - The CEO cannot log in to VMware Identity Manager


Part of the environment you have inherited has VMware Identity Manager deployed. The CEO is keen to use the Single Sign-On service but is reporting that they cannot log in to it; not only that, the rest of the C-Level team cannot log in either!


 

User Error?

 

The CEO has sent you a screenshot showing the error and insisted that he is putting in his password correctly, stating that he can log in to his Horizon View desktop fine using the same credentials.

 

 

Determine the cause of the issue

Log in to VMware Identity Manager as the local Admin user and troubleshoot the problem. Once again, the previous Administrator has not left you much in the way of information, other than having admin access to VMware Identity Manager and full Administrator rights to Active Directory. Why can't they log in to Identity Manager?

 

Hint 1: Active Directory


Are the users in Active Directory?


 

Open Active Directory Users and Computers

 

From the Start menu, open:

 

 

Check Active Directory

 

  1. Are the users configured in Active Directory?
  2. Being more specific, where are the CEO and C-Level team set up in Active Directory?

 

 

What does this tell you?

So here we can see that the CEO and C-Level team are set up in an Active Directory OU called VDI Users. Where else does this configuration have an effect?

 

Hint 2: Identity Manager AD Configuration


Verify how Identity Manager connects to Active Directory to obtain the lists of users and groups.


 

Log into VMware Identity Manager as Local Admin User

 

Select 'Local Users' as the domain and log into VMware Identity Manager as the 'Admin' user, using password VMware1!

 

 

Check the Active Directory configuration

 

Once you're logged in, click on Identity & Access Management to check the configuration.

 

 

Check Corp.Local Directory Setup

 

  1. Here we can see that corp.local is set up as a directory.
  2. We can see that it has been set up as Active Directory over LDAP and has a green tick as well as synced Users and Groups.
  3. Maybe we need to check how that has been set up? Click on corp.local to check this.

 

 

VMware Identity Manager Directory Configuration

 

Here we can see the configuration for Active Directory: the method, the Sync Connector configuration, etc. We can even test the connection by entering the administrator@corp.local password (VMware1!) and clicking the green 'Test Connection' button. It all checks out, right?

Then why can't the CEO Login?

 

Solution


Check the 'Bind User Details' in the Directory Configuration in VMware Identity Manager


 

Users in Active Directory

 

So we know that the CEO and C-Level team are configured in Active Directory in the OU 'VDI Users'

 

 

Directory Configuration in VMware Identity Manager

 

So let's check that in VMware Identity Manager while logged in as the local Admin user:

  1. Click on 'Identity & Access Management'
  2. Under 'Directories'
  3. Scroll down to the bottom and check the Bind User Details section
  4. Check the 'Base DN' configuration

 

 

'Base DN' configuration

 

Here we can see that the Base DN will look through 'Local' domain > 'Corp' > 'Users'

But the CEO is in the OU = VDI Users

 

 

Correct 'Base DN'

 

  1. Change the last lookup base to 'OU=VDI Users'
  2. Enter the Password for the Administrator (VMware1!) and Test the Connection
  3. Once tested, Click on 'Save'

Finally Log out of VMware Identity Manager

 

 

Log in to VMware Identity Manager as the CEO

 

Once you've logged out, click on the Go back to login page button.

Select the 'corp.local' domain

Then log in as the CEO - user = 'ceo' password = 'VMware1!'

 

 

Success!

 

We can log in as the CEO and can see the Applications and Desktops that they have been entitled to, awesome!

Check that the other C-Level team can log in too. You can then let them know the service is fixed and ready for them to use!

 

Conclusion


Active Directory users and groups can be organized in multiple ways: across forests, in OUs, in containers, and in other groupings. Depending on the way it is set up, this can affect the way VMware Identity Manager connects and authenticates users against Active Directory.

In this example, the Base DN was set up to check the 'Users' container but our users were actually in the 'VDI Users' OU and thus not being checked when VMware Identity Manager went to authenticate against Active Directory.
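To make the search-scope behaviour behind this challenge concrete, here is an added Python example (not part of the lab manual or of VMware Identity Manager) that parses LDAP distinguished names and checks whether a user's entry falls under a given Base DN, the same containment test a directory sync performs. The sample directory, the full DN strings (including CN=Users,DC=corp,DC=local as the broken Base DN and OU=VDI Users,DC=corp,DC=local as the corrected one) and the CFO account are constructed for the example; the lab itself only states that the users sit in the 'VDI Users' OU while the Base DN pointed at 'Users'.

```python
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split an LDAP DN into [(type, value), ...], leaf first.

    A backslash-escaped comma inside a value ("CN=Doe\\, Jane") does not
    end the RDN. Type and value are lower-cased because Active Directory
    matches DNs case-insensitively; surrounding whitespace is ignored.
    """
    parts: List[str] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep both
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends the RDN
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)

    rdns: List[RDN] = []
    for part in parts:
        typ, sep, val = part.strip().partition("=")
        if not sep or not typ.strip() or not val.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return rdns


def in_search_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is at or below base_dn (subtree search scope).

    The base's RDN sequence must be a suffix of the entry's RDN sequence;
    a sibling OU such as 'VDI Users' next to the 'Users' container fails
    this test, which is why the CEO was invisible to Identity Manager.
    """
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(base) <= len(entry) and entry[-len(base):] == base


def users_visible(base_dn: str, directory: Dict[str, str]) -> List[str]:
    """Return the account names a sync rooted at base_dn would pick up."""
    return sorted(name for name, dn in directory.items()
                  if in_search_base(dn, base_dn))


# Constructed sample of the lab's Active Directory (DNs are assumptions):
# the CEO and a C-level colleague in the 'VDI Users' OU, the administrator
# in the default Users container.
SAMPLE_AD: Dict[str, str] = {
    "ceo": "CN=ceo,OU=VDI Users,DC=corp,DC=local",
    "cfo": "CN=cfo,OU=VDI Users,DC=corp,DC=local",
    "administrator": "CN=Administrator,CN=Users,DC=corp,DC=local",
}

BROKEN_BASE_DN = "CN=Users,DC=corp,DC=local"       # assumed form of the original setting
FIXED_BASE_DN = "OU=VDI Users,DC=corp,DC=local"    # assumed form after the correction


if __name__ == "__main__":
    for label, base in (("broken", BROKEN_BASE_DN), ("fixed", FIXED_BASE_DN)):
        print(f"{label:6} {base}: {users_visible(base, SAMPLE_AD)}")
```

With the broken Base DN only the administrator account is in scope; with the corrected one the CEO and CFO are found and the administrator is not, which is worth noting before narrowing a Base DN in production: pick the narrowest base that still contains every account the service must see, or use the domain root with the directory's own filters if accounts are spread across several OUs.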

From Domain setup to DNS server locations, there are many things that can affect mapping users to authenticate successfully.

For further information on configuring Active Directory to VMware Identity Manager you can check the VMware Identity Manager documentation center.

 


Module 4 - Deploying Applications in a better way (45 minutes)

Module Switcher Instructions


The following steps will instruct you on how to launch the modules using the Module Switcher tool.


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 4

 

Click on the Start button below Module 4.

 

 

Stop Module 3

 

If you ran a previous module before Module 4, the STOP script for that module will be run (Module 3 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 4 Start

 

Wait for the script to finish running. Press Enter to continue when the script prompts you to do so. This may take a few minutes.

 

Challenge 4: Deploying applications in a better way


After solving the main user reported issues, you finally get the opportunity to start improving your Horizon infrastructure. You have been assigned the task to provide users with two applications that are critical to the business operations at Rainpole: Notepad++ and VLC.

During this module you will leverage App Volumes 3 to deliver applications faster using a more reliable, modern architecture that separates application from OS image management.


 

Problem Description

Desktops without applications are... well, pointless. From your previous experience managing Virtual Desktop Infrastructure (VDI), Remote Desktop, and Published Application environments, you have dealt first hand with the difficulties of managing applications that are directly installed on OS images.

In this scenario, we need to deliver our two main business applications in the following manner:

Case in point: For this very simple scenario with two (2) applications and three (3) users, we would require three (3) different desktop pools if we were to install the applications directly on the OS image. Part of this lab challenge is to deliver all applications to all users, using a single Horizon View desktop pool and OS image.

It appears that your predecessor already started this process, given that:

 

 

Lab Notes

The following notes should be taken into consideration, given the nature of the lab environment:

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To solve the issue, you are going to need the vCenter Web Client connected to vCenter vcsa-01a.corp.local:

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
  2. Use Windows Session Authentication to log in. Alternatively, you can log in using the username administrator@corp.local and password VMware1!

 

Hint 1: Who has access to Notepad++?


The first thing we want to do is verify the status of Notepad++, particularly:

  1. Which users currently have access to Notepad++?
  2. Which AppStack contains the Notepad++ application?
  3. Where is this AppStack stored?

The answers will be given in the next step.


 

Hint 1: Who has access to Notepad++? (answers)

The first thing we want to do is verify the status of Notepad++, particularly:

  1. Which users currently have access to Notepad++?

All Domain Users currently have access to Notepad++. This needs to be corrected since according to the requirements, only the CEO and CFO should have access to the application.

  2. Which AppStack contains the Notepad++ application?

The application Notepad++(6.9.1) is contained in the Notepad++ AppStack.

  3. Where is this AppStack stored?

The AppStack is located in \\controlcenter.corp.local\appstacks\notepad++.vmdk with its corresponding notepad++.json file.

The following steps will detail the process of obtaining the information and addressing the required configuration changes.

 

 

Opening the App Volumes Manager Console

 

  1. Open a new tab on Google Chrome by clicking on the next empty tab.
  2. Click on the provided App Volumes Manager bookmark. Alternatively, you can enter the full address in the location bar: https://appvolumes-01a.corp.local/horizonadmin/

 

 

Logging in to the App Volumes Manager Console

 

Use the following information to log in to the App Volumes Manager Console:

  1. Username: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click on Login

 

 

Checking Application Entitlements

 

Once connected, click Assign on the left toolbar.

You will see a list of all the application assignments in the environment. In our case, you should only see the Notepad-for-Everyone assignment. Click on the assignment name to view its properties.

 

 

Assignment Properties

 

While reviewing the Assignment properties, notice at the bottom that the application is assigned to Domain Users.

Our requirement states that only the CEO and CFO should have access to this application. Let's go ahead and fix this:

  1. Click on the Edit button in the Users section to edit the user assignment.

NOTE: You might see in the environment that the Notepad++ AppStack is also assigned to the RDS Management Servers and RDS Endpoint Servers. These assignments are used in a different module and can be safely ignored for the purposes of this module.

 

 

Changing Application User Assignments

 

Use the controls in the dialog box to remove the Domain Users group from the assignment and add the CEO and CFO users. Click the Save & Exit button. The end result should look like the image above.

EXTRA CREDIT: Maybe the name "Notepad-for-Everyone" is not appropriate anymore. Try changing the name of the assignment to "Notepad-for-Some". The following screenshots in the module will reference this new name.

LAB NOTE: In a production environment it is recommended that you assign applications to security groups rather than directly to users.

 

 

What AppStack contains this application?

 

An AppStack might contain several applications. In this case, we want to know which AppStack is serving the Notepad++ application. To accomplish this:

  1. Click on the Inventory option on the left toolbar.
  2. When the secondary toolbar slides out, select Applications.
  3. Click on the application name Notepad++(6.9.1)

 

 

Application Properties

 

In our case the AppStack is also called Notepad++. The names do not have to necessarily match in all circumstances. Notepad++ could have been part of an AppStack called Executive-Apps serving multiple applications, Notepad++ being just one of them.

 

 

Where is the AppStack stored?

 

To find out where the AppStacks are being stored:

  1. Click on Settings button on the left toolbar.
  2. Select Locations from the slide out menu.
  3. Since AppStacks are stored in File Shares, we are going to select this option and look for file shares of type Applications.

 

 

File Share Properties

 

There is only one defined file share of type Applications, aptly named AppStacks.

  1. Select the file share using the checkbox in the first column.
  2. Click on the Edit button.

 

 

File Share Location

 

There it is! You can see that the AppStacks are being stored in \\controlcenter\appstacks. This will be very important if we want to add new AppStacks, and since we don't have an AppStack for VLC, it will be a good idea to write this down so we know where to put our new AppStacks.

EXTRA CREDIT: What happens if the File Server is not available? Will the users experience an interruption in the application delivery? The answer will be provided in the next step.

 

 

EXTRA CREDIT: Where are the AppStacks delivered from?

EXTRA CREDIT: What happens if the File Server is not available? Will the users experience an interruption in the application delivery?

No. The file share only acts as a synchronization point for all the different vCenter Servers that actually deliver the AppStack. That means that as long as the vCenter Server can reach the datastore with the vmdk file that supports the AppStack, the users will not experience any interruption in the service.

See if you can find out in our lab in which datastore and path the Notepad++.vmdk file actually resides. This information is not required to fully complete the module.

 

Hint 2: How do we deliver VLC?


At this point we have taken care of Notepad++ and the appropriate users have access to it. Now we have to find a way to deliver VLC to the CEO and CMO.

As you try your own approach to delivering VLC, think of the following:

  1. What mechanisms are available in our environment to deliver VLC?
  2. Should we create a new AppStack or can we add the application to an existing one?

You can find the answers to these questions in the following step.


 

Hint 2: How do we deliver VLC? (answers)

 

As you try your own approach to delivering VLC, think of the following:

  1. What mechanisms are available in our environment to deliver VLC?

You could either install the application natively on the OS image, or deliver it using App Volumes. Since not all users will have access to the application and we want to separate and simplify our application management, the recommended approach is to leverage App Volumes.

  2. Should we create a new AppStack or can we add the application to an existing one?

Either option is available in App Volumes 3.0. In App Volumes 2.x assignments were mapped to AppStacks, so we would have been forced to create a new AppStack for VLC. In App Volumes 3.0 assignments are mapped to applications, so a user can have access to a subset of the applications available in an AppStack.

The best place to start is the documentation. Click on the following link to go to the AppCapture tool documentation: http://pubs.vmware.com/appvolumes-30/topic/com.vmware.appvolumes.install-admin.doc_30/GUID-FE40E9CB-3AB6-4763-99C3-E588F0977AA8.html

 

 

The Clean Machine

 

To capture applications, you will need a clean machine to run AppCapture and create or modify AppStacks. In our lab environment this machine is called Win10-AppCapture. A snapshot of the machine's clean state has already been taken so you can revert to it after capturing a new application.

From the vCenter Web Client, search for the Win10-AppCapture machine and click on its name in the search result box.

 

 

Launch AppCapture Remote Console

 

Launch the AppCapture machine's Remote Console by clicking on Launch Remote Console.

 

 

Install the AppCapture Tool (1)

 

Once connected to the Win10-AppCapture machine, you need to install the AppCapture tool.

Right-click on the Windows 10 Start Button and select Run.

 

 

Install the AppCapture Tool (2)

 

The AppCapture tool is available at \\controlcenter\software.

 

 

Install the AppCapture Tool (3)

 

Right-click on the installer VMware-appvolumes-appcapture-3.0.0.272.exe and select Run as administrator.

 

 

Install the AppCapture Tool (4)

 

Accept the security warning by clicking on the Run button.

 

 

Install the AppCapture Tool (5)

 

Click Next.

 

 

Install the AppCapture Tool (6)

 

Accept the license agreement and click Next.

 

 

Install the AppCapture Tool (7)

 

Click Install.

 

 

Install the AppCapture Tool (8)

 

Click Finish.

 

 

Install the AppCapture Tool (9)

 

Restart the machine by clicking Yes.

 

 

Install the AppCapture Tool (10)

 

Wait for the machine to restart to finish the AppCapture tool installation.

 

 

Log in to the AppCapture machine (1)

 

Press the Ctrl-Alt-Del button on the VMware Remote Console (VMRC) toolbar to log in to Win10-AppCapture.

 

 

Log in to the AppCapture machine (2)

 

Log in with username CORP\Administrator and password VMware1!

 

 

Capturing an Application in a new AppStack (1)

 

We are going to start the process of capturing the VLC application in a new AppStack.

To make automating the capture process easier, App Volumes 3.0 provides a command-line tool (AppCapture) to capture AppStacks. There is no Graphical User Interface (GUI). You can use it either from the Command Prompt or from PowerShell.

For this lab, we are going to use PowerShell. From the Windows 10 Start Menu select All Apps.

 

 

Capturing an Application in a new AppStack (2)

 

Scroll down until you find the Windows PowerShell folder and expand it by clicking on the chevron.

 

 

Capturing an Application in a new AppStack (3)

 

With the folder expanded, click on Windows PowerShell to launch it.

 

 

Capturing an Application in a new AppStack (4)

 

Once PowerShell loads, we need to import the required module with the supported AppCapture functions. To do this, type the following command:

Import-Module vmware.appcapture

If the import is successful you should not receive any response from the command, as shown in the picture.

 

 

Capturing an Application in a new AppStack (5)

 

Start the AppStack capture by entering the following command:

Start-AVAppCapture -Name VLC

This will start the capture for a new AppStack called VLC in the default folder. We will take note of the location of the folder in a later step.

At this point we should go ahead and install the VLC application.

 

 

Capturing an Application in a new AppStack (6)

 

Run the VLC installer from \\controlcenter\software by right-clicking on the vlc-2.2.4-win64 file and selecting Run as administrator.

 

 

Capturing an Application in a new AppStack (7)

 

Click Run to accept the security warning.

 

 

Capturing an Application in a new AppStack (8)

 

Click OK to continue.

 

 

Capturing an Application in a new AppStack (9)

 

Click Next to continue.

 

 

Capturing an Application in a new AppStack (10)

 

Click Next.

 

 

Capturing an Application in a new AppStack (11)

 

Accept the default components and click Next.

 

 

Capturing an Application in a new AppStack (12)

 

Accept the default install location and click Install.

 

 

Capturing an Application in a new AppStack (13)

 

Wait for VLC to finish installing.

 

 

Capturing an Application in a new AppStack (14)

 

Make sure that the Run VLC media player checkbox is checked and click Finish.

It's always a good idea to run the application you are capturing once, because many applications run some initialization processes that otherwise would have to be run by the users when they launch it.

 

 

Capturing an Application in a new AppStack (15)

 

Click Continue.

 

 

Capturing an Application in a new AppStack (16)

 

Close the VLC media player window by clicking on the X button on the top right corner.

 

 

Capturing an Application in a new AppStack (17)

 

Go back to the PowerShell window and hit ENTER twice.

 

 

Capturing an Application in a new AppStack (18)

 

Wait for the machine to restart and log back in again as CORP\Administrator. A command prompt will start running to finish the AppCapture process. Wait for the process to finish. The result should be similar to the one shown in the image above.

Now we know where the AppStacks were saved! They are located in C:\ProgramData\VMware\AppCapture\appvhds\ by default. Let's go over there and see what we've got.

 

 

Capturing an Application in a new AppStack (19)

 

Type the following commands:

cd \programdata\VMware\AppCapture\appvhds\
dir

You will see that three files were generated: a .json file, a .vhd file, and a .vmdk file. We just need the .json (metadata) and .vmdk files, so we will go ahead and copy them to our AppStack file share (you wrote down where that was, right?).

EXTRA CREDIT: What would the .vhd file be used for?

 

 

Capturing an Application in a new AppStack (20)

 

Type the following command:

xcopy .\VLC.json \\controlcenter\appstacks\

 

 

Capturing an Application in a new AppStack (21)

 

Type the following command:

xcopy .\VLC.vmdk \\controlcenter\appstacks\
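
The copy in steps 19 through 21 is done by hand with xcopy. The following PowerShell script is an added example, not part of the lab guide or of the AppCapture tool, that does the same publishing step with the checks a practitioner would want: it confirms the .json/.vmdk pair is complete, refuses to overwrite an AppStack that already exists on the share (the share is the sync source for every vCenter, so replacing a file in place changes what users are already being served), and verifies each copy with a SHA-256 hash. The default paths are the ones this module uses; the AppStack name (VLC) and the parameter names are the script's own.

```powershell
# Added example (not from the lab guide): publish a freshly captured AppStack to the
# App Volumes file share. Run on the Win10-AppCapture machine after the post-reboot
# capture step has finished.
param(
    [Parameter(Mandatory = $true)][string]$AppStackName,          # e.g. VLC
    [string]$CaptureDir = 'C:\ProgramData\VMware\AppCapture\appvhds',  # AppCapture default
    [string]$ShareDir   = '\\controlcenter\appstacks'             # file share of type Applications
)

$ErrorActionPreference = 'Stop'

# AppCapture writes a .json, a .vhd and a .vmdk; App Volumes only needs the .json
# (metadata) and the .vmdk, so the .vhd is left where it is.
$files = @("$AppStackName.json", "$AppStackName.vmdk") |
    ForEach-Object { Join-Path $CaptureDir $_ }

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
        throw "Capture output missing: $f. Did the post-reboot capture step finish?"
    }
}

# Never overwrite: an AppStack already on the share may be assigned and in use.
foreach ($f in $files) {
    $dest = Join-Path $ShareDir (Split-Path -Leaf $f)
    if (Test-Path -LiteralPath $dest) {
        throw "$dest already exists on the share; pick a new AppStack name instead of replacing it."
    }
}

foreach ($f in $files) {
    $dest = Join-Path $ShareDir (Split-Path -Leaf $f)
    Copy-Item -LiteralPath $f -Destination $dest
    # Compare hashes so a truncated or corrupted copy is caught before "Sync Now".
    $srcHash = (Get-FileHash -LiteralPath $f    -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        Remove-Item -LiteralPath $dest
        throw "Hash mismatch after copying $f; partial copy removed from the share."
    }
    Write-Host "Copied $(Split-Path -Leaf $f) SHA256=$srcHash"
}
Write-Host "Done. Force a file share sync in the App Volumes Manager to pick up $AppStackName."
```

Usage: save the script and run it as the same administrator that performed the capture, for example `.\Publish-AppStack.ps1 -AppStackName VLC`. The hashes it prints are also worth keeping with your change record, since they let you later confirm that the .vmdk on the share is still the one you published.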

 

 

Force AppStacks synchronization (1)

 

To avoid waiting for the synchronization process, we are going to force the App Volumes file share synchronization and have our new AppStack immediately available.

Go back to the App Volumes Manager console. In case it was closed, log back in and navigate to Settings -> Locations -> File Share.

To force a synchronization:

  1. Select the AppStacks file share using the checkbox in the first column
  2. Click on the ... button
  3. Click on Sync Now

 

 

Force AppStacks synchronization (2)

 

You should see a success message like the one above. Pay attention because it will disappear pretty fast!

 

 

Check the Applications Inventory

 

Check your Applications inventory by going to Inventory -> Applications. The VLC media player(2.2.4) application should be listed in the Inventory.

Success!

 

Hint 3: Assign VLC


Now that we have a VLC AppStack, it is time to assign it to the right users!

See if you can assign the application to the CEO and CMO users.

In the following steps, the process will be shown.


 

Assign the VLC application to users

 

In the App Volumes Manager console, select the Assign menu in the left toolbar.

 

 

Assign the VLC application to users (1)

 

  1. In the App Volumes Manager console, select the Assign menu in the left toolbar.
  2. Click on New to create a new assignment.

 

 

Assign the VLC application to users (2)

 

Click on Applications.

 

 

Name the Application Assignment

 

Enter a name for the Application Assignment. In this case, we chose "VLC-for-Execs".

 

 

Select the VLC media player Application

 

Select the VLC media player(2.2.4) application and click Next.

 

 

Select Users for the Assignment

 

Add the CEO and CMO users to the assignment and click Next.

 

 

Finish Application Assignment

 

Check that all the information is correct and click Submit to create the application assignment.

 

Validate your results!


You have two options to validate that your application delivery configuration fulfills the established requirements:

  1. Log in to the published Rainpole Desktop with each user to validate the applications. Keep in mind that after you log in with each user the only available VDI desktop is assigned to that user, so you will need to unassign the desktop before testing with a different user. The following steps will detail the process.
  2. Check your results during Module 6, when you will be creating a new and fast desktop pool using the new Instant Clones Technology.

 

Connecting to the Rainpole Desktop

 

From the desktop of the Main Console, launch the VMware Horizon Client.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as the appropriate User

 

  1. User name: ceo, cfo or cmo. (Depending on which user you are testing).
  2. Password: VMware1!
  3. Domain: CORP
  4. Click "Login"

 

 

Unassign the Virtual Desktop (1)

 

If you need to unassign the virtual desktop, first open a new tab in Google Chrome and click on the View Administrator bookmark. Alternatively you can launch the View Administrator console directly by entering the following URL in the locator bar: https://view-01a.corp.local/admin/

 

 

Unassign the Virtual Desktop (2)

 

Log in using the domain administrator credentials:

  1. User name: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click the Log In button

 

 

Unassign the Virtual Desktop (3)

 

Select Machines from the Inventory menu on the left.

 

 

Unassign the Virtual Desktop (4)

 

Right-click on the WIN10-VDI-01 machine and select Unassign User...

 

 

Unassign the Virtual Desktop (5)

 

Confirm the unassignment by clicking OK.

 

Conclusion


When connecting to the virtual desktops of the CEO, CFO, and CMO users, you should be able to see the right applications available on their desktop (see next step).

As you have seen during this module, App Volumes provides a much better way to deliver applications to users. Among other things:

  1. Did you notice that we NEVER touched the base OS image? No more maintenance windows, recomposing, etc.!
  2. Although the lab is limited in resources, you could deliver an application instantly to thousands of users across your organization from a single console.
  3. The separation of management layers, from base OS to application, makes for a better IT organizational structure. You could delegate the administration of the applications to the line of business owners.
  4. Application Lifecycle Management is streamlined by controlling which users can access the application, delivering fast updates, rolling back versions in case of emergency, and decommissioning applications.

 

The CEO Desktop

 

This is what the CEO desktop should look like, with both applications available on the desktop. The CFO and CMO desktop should only show the Notepad++ and VLC applications respectively.

 

Module 5 - Improving User Experience (30 Minutes)

Introduction


This module will challenge you to understand the Horizon Environment that you have just inherited.

In order to complete this module you will need to ensure that you have completed the following:


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module Switcher Instructions


The following steps will instruct you on how to launch the module using the Module Switcher tool.


 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 5

 

Click on the Start button below module 5.

 

 

Stop Module 4

 

If you ran a previous module before Module 5, the STOP script for that module will be run (Module 4 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 5 Start

 

Wait for the Module 5 START script to finish running. Press Enter to continue when the script prompts you to do so. This may take a few minutes.

 

Challenge 5: Provide Users with consistent experience


With multiple access methods, users are reporting that their user experience is not consistent across the board. During this module, you will leverage User Environment Manager to address this issue and provide your users with a consistent experience across RDS Hosted Desktops and Traditional Virtual Desktops.

 

Please access the User Environment Manager Console from the Main Console.

Please note that UEM files are stored in \\controlcenter.corp.local\customizations.


 

Problem Description

Different tools make sense for different use cases. Sometimes it is more practical to deliver an application as a published application from a Remote Desktop Session Host (RDSH) server; in other cases a Virtual Desktop (VDI) provides a better user experience.

Regardless of the method we choose to deliver a desktop or application, user acceptance hinges heavily on them having a good consistent experience across the board, be it using RDSH, VDI, or even their physical desktops.

Based on the business requirements, the following technical configuration needs to be achieved:

  1. Users should always have an F: drive mapped to \\controlcenter\AppStacks
  2. A log of the user customization process must be kept
  3. Provide consistent user experience for VLC.
  4. Provide consistent user experience for Notepad++.

The above configuration should be available regardless of whether the user is connecting using VDI or RDSH.

 

 

Lab Notes

For this challenge, you will be leveraging VMware User Environment Manager (UEM) to maintain, deliver, and enforce the required user configurations.

The following notes should be taken into consideration, given the nature of the lab environment:

QUESTION: Where is the UEM server? That is a trick question because there is no UEM server. The entire configuration is kept in file shares.

 

 

Log in to the User Environment Manager Console

 

You can access the User Environment Manager Console by double clicking its icon on the Main Console desktop.

 

 

What now? Documentation

A good place to start is the UEM Administrator Guide: https://www.vmware.com/pdf/uem-90-admin-guide.pdf

Page 18 provides a good overview of the implementation process.

Remember your predecessor already started the process, so the required software is already installed, even the UEM Administrative Templates for Group Policy Objects (GPOs) are ready, but the GPOs are not there yet. The required file shares are also created.

 

Hint 1: Let's review all the steps


The UEM Administrator Guide has a good list of high level steps required to implement UEM. Review the list and determine which steps you need to take to accomplish your task.


 

List of required steps

 

In the image you will see the list of high level steps required to implement UEM, directly obtained from the UEM Administrator Guide.

The crossed out steps are not required because they have been done already by your predecessor. We will run FlexEngine as a Group Policy extension, so there is no need for a logon script.

That means that the only steps left are:

 

Hint 2: UEM Management Console configuration


First things first: we need to configure the UEM Management Console to be able to manage UEM.

Check the UEM Administrator Guide to configure the UEM Management Console.


 

Configure the UEM Management Console

 

The UEM Administrator Guide* details the UEM Management Console configuration process on page 34.

 

After starting the UEM Management Console for the first time, you have to select a location where the UEM configuration will be stored:

  1. Enter \\controlcenter\customizations in the Location field
  2. Click OK

For our requirements, that is it. Simple enough.

* https://www.vmware.com/pdf/uem-90-admin-guide.pdf

 

Hint 3: Point the clients in the right direction


The next step in the process will be to point clients in the right direction. To put it another way: How are the users going to know from where to pull their configuration information?


 

Let's check out the list

 

According to our list we now need to create a UEM GPO. That is from where our users are going to pull their UEM configuration.

This process is described in the UEM Administrator Guide starting on page 23. Try for yourself, but if you get stuck the next steps will guide you through the process.

 

 

Start the Group Policy Management Console

 

You will find the Group Policy Management Console in the Main Console, under:

 

 

Create the GPO

 

In the Group Policy Management Console, navigate the AD tree until you find the VDI Users OU. Right-click and select Create a GPO in this domain, and Link it here...

 

 

Name the GPO

 

  1. Name the new GPO UEM GPO
  2. Click OK to continue

 

 

Edit the GPO

 

  1. Expand the VDI Users OU by clicking on the triangle on the left
  2. Right-click on the UEM GPO
  3. Select Edit...

 

 

Configure FlexEngine Settings

 

Expand the GPO tree on the left until you get to:

FlexEngine is the UEM component that runs on the user's desktop, physical or virtual. Sometimes it is casually referred to as the "UEM Client".

We are going to configure the following FlexEngine Settings:

 

 

Flex config files

 

This is the setting that tells the FlexEngine (UEM Client) from where to get the configuration.

  1. Click on Enable
  2. Enter \\controlcenter.corp.local\Customizations\General
  3. Click OK

Leave the option to Process folder recursively enabled.

 

 

Profile archive backups

 

  1. Click on Enabled
  2. Enter the following location for storing user profiles archive backups: \\controlcenter.corp.local\Users\%username%\Backups
  3. Click OK to continue

 

 

Profile Archives

 

  1. Click on Enabled
  2. Enter the following location for storing user profile archives: \\controlcenter.corp.local\Users\%username%\Archives
  3. Click on OK to continue

 

 

Run FlexEngine as Group Policy Extension

 

We are going to run FlexEngine as a Group Policy Extension so that we will not need a logon script. We will still need a logoff script, which we will set up later. We will also configure the computers to wait for the network at startup and logon, so that the FlexEngine configuration is processed before the user session starts.

  1. Click on Enabled
  2. Click on OK

 

 

FlexEngine logging

 

  1. Click on Enabled
  2. Enter the following path and name of log file: \\controlcenter.corp.local\Users\%username%\Logs\FlexEngine.log
  3. Click on OK to continue

You can leave the rest of the parameters with their default values.

 

 

Always wait for the network at computer startup and logon

 

To make sure that the UEM configuration is processed properly, we need to make sure that the network is available to the user desktop before Group Policy Extensions are processed.

Since this is a computer configuration, rather than a user configuration, we will need to create a new GPO and link it where the users' computers are. In our case, all computers are in the Computers container (this would not be recommended in a real production environment). Since Computers is a container rather than an OU, a GPO cannot be linked to it directly, so we will have to link it at the domain level.

Go back to the Group Policy Management Console:

  1. Right-click on corp.local
  2. Select Create a GPO in this domain, and Link it here...

 

 

Name the GPO

 

  1. Name the new GPO Wait for network
  2. Click OK to continue

 

 

Edit the GPO

 

  1. Expand the corp.local domain by clicking on the triangle on the left
  2. Right-click on the Wait for network GPO
  3. Select Edit...

 

 

Configure Logon Settings

 

Expand the GPO tree on the left until you get to:

Double click on Always wait for the network at computer startup and logon

 

 

Always wait for the network at computer startup and logon

 

  1. Click on Enabled
  2. Click on OK
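
The GPO work in this hint (creating the UEM GPO on the VDI Users OU, creating the Wait for network GPO at the domain level, and enabling "Always wait for the network at computer startup and logon") can also be done from the GroupPolicy PowerShell module. The script below is an added example, not part of the lab guide; it assumes the domain is corp.local, that the VDI Users OU sits directly under the domain root (OU=VDI Users,DC=corp,DC=local), and that it runs on a machine with the RSAT Group Policy tools, such as the Main Console. The FlexEngine settings themselves come from the UEM ADMX template and are still set in the Group Policy editor as the previous steps describe; the script only creates, links and verifies the objects.

```powershell
# Added example (not from the lab guide): create and link the two GPOs the module
# builds by hand, and set the Winlogon policy value behind "Always wait for the
# network at computer startup and logon".
Import-Module GroupPolicy

$domainDN   = 'DC=corp,DC=local'              # assumption: lab domain corp.local
$vdiUsersOU = "OU=VDI Users,$domainDN"        # assumption: OU directly under the root

function New-LinkedGpo {
    param([string]$Name, [string]$Target)
    # Idempotent: reuse the GPO and link if an earlier run already created them.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    $linked = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) { New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null }
    return $gpo
}

# 1. User-side GPO on the VDI Users OU; FlexEngine settings are added in the editor.
New-LinkedGpo -Name 'UEM GPO' -Target $vdiUsersOU | Out-Null

# 2. Computer-side GPO at the domain root, because the lab's computers live in the
#    Computers container, which cannot carry a GPO link of its own.
$wait = New-LinkedGpo -Name 'Wait for network' -Target $domainDN

# The "Always wait for the network at computer startup and logon" setting is the
# Winlogon SyncForegroundPolicy value; 1 makes logon wait for Group Policy (and so
# for FlexEngine running as a GP extension) before the user session starts.
$winlogonKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-GPRegistryValue -Name $wait.DisplayName -Key $winlogonKey `
    -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null

# Verify what was actually written before asking clients to refresh with gpupdate.
$check = Get-GPRegistryValue -Name $wait.DisplayName -Key $winlogonKey -ValueName 'SyncForegroundPolicy'
if ($check.Value -ne 1) { throw 'SyncForegroundPolicy was not set to 1 in the Wait for network GPO' }
Write-Host "UEM GPO linked to $vdiUsersOU; Wait for network linked to $domainDN with SyncForegroundPolicy=1"
```

After running it, open the Group Policy Management Console and confirm both links appear where the module's screenshots show them; the FlexEngine settings under Computer/User Configuration still have to be entered through the UEM administrative template as in the previous steps.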

 

Hint 4: Make sure the user configuration is saved at logoff


To make sure that the user configuration persists from one session to the next, make sure that the user configuration is saved at logoff.

You can always check the UEM Administrator Guide* to understand the process and try for yourself, or look at the following steps for details.


 

Let's check out the list

 

According to our list, we now need to add a command to the logoff script. That is how we are going to make sure that any user configuration changes are saved before the user logs off.

This process is described in the UEM Administrator Guide starting on page 32. Try for yourself, but if you get stuck, the next steps will guide you through the process.

QUICK TIP: In the lab environment, the FlexEngine installed in the clients was installed in the C:\Program Files (x86)\VMware\VMware App Volumes Unified Agent\UEM\ path, as it was installed as part of the App Volumes Unified Agent and not as a standalone component.

 

 

Edit the UEM GPO

 

Go back to the Group Policy Management Console and edit the UEM GPO (see previous steps if you need help)

Navigate to

Double-click on Logoff to edit the setting.

 

 

Logoff Properties

 

In the Logoff Properties dialog box, click on Add...

 

 

Add a Script

 

Use the following command for the Script Name:

C:\Program Files (x86)\VMware\VMware App Volumes Unified Agent\UEM\FlexEngine.exe

For the Script Parameters:

-s

Click OK.

 

Hint 5: Configure the Applications


We have User Environment Manager up and running, but it is not actually doing anything because we have not set up any configuration yet.

Maybe we should be looking at how to configure UEM to manage the configuration for VLC and Notepad++.

 


 

Let's check out the list

 

According to our list, we now need to create the Flex config files. That is how we are going to manage the application configuration, save it, and make sure it is available to provide a consistent user experience.

This process is described in the UEM Administrator Guide starting on page 37. Try for yourself, but if you get stuck, the next steps will guide you through the process.

 

 

Create Config File

 

Click the Create Config File button.

 

 

Create a custom config file

 

  1. Select Create a custom config file
  2. Click Next to continue

 

 

Config file name

 

  1. Enter Notepad++ for the File name
  2. Click Finish

 

 

Import / Export Settings (1)

 

We are in luck because we know very well how Notepad++ keeps its configuration. According to its documentation (http://docs.notepad-plus-plus.org/index.php/Configuration_Files), everything is kept in several files under %AppData%\Notepad++. So we need to make sure that everything in that folder tree is kept as part of the user configuration.

  1. Click anywhere in the white edit area to declare the Import / Export settings.
  2. Click on the Section button to add a new section.
  3. Select IncludeFolderTrees from the dropdown menu

 

 

Import / Export Settings (2)

 

Complete the information so that the Import / Export configuration looks like this:

[IncludeFolderTrees]
<AppData>\Notepad++

Select the DirectFlex tab before proceeding to the next step.

 

 

DirectFlex Configuration

 

Configuring DirectFlex will allow us to load and save the configuration of an application when the application is launched and closed. This will be very useful later when we are running a VDI session and we decide to launch a Published Application before finishing the VDI session.

Click on Enable DirectFlex for this config file

 

 

DirectFlex Executable Path

 

  1. Enter the following path for the executable: C:\Program Files (x86)\Notepad++\Notepad++.exe
  2. Click OK to continue

 

 

Save Config File

 

Click on Save Config File
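The Import / Export section above tells FlexEngine which folder tree to capture at logoff and restore at logon. When you review config files like this one (for example before rolling them out to every user), it helps to resolve the placeholder to a concrete profile path and to confirm the captured tree really lives inside the user profile. The following is an added example, not part of this lab guide and not VMware code: it parses the same INI layout the lab shows and expands the <AppData> placeholder. The placeholder table, the sample profile path and the second, deliberately out-of-profile config are assumptions constructed for the example.

```python
"""Resolve the folder trees a UEM Flex config captures for a given user profile.

Added example for the lab guide; not FlexEngine code. Placeholder mapping and
sample paths are assumptions.
"""
from __future__ import annotations

import configparser
from pathlib import PureWindowsPath
from typing import Dict, List

# The Import / Export section exactly as the lab builds it for Notepad++.
NOTEPADPP_CONFIG = """\
[IncludeFolderTrees]
<AppData>\\Notepad++
"""

# Constructed for the example: a config that reaches outside the user profile.
OUT_OF_PROFILE_CONFIG = """\
[IncludeFolderTrees]
C:\\Windows\\System32
"""

# Assumption: how the placeholders map onto folders under the user profile.
PLACEHOLDERS = {
    "<AppData>": r"AppData\Roaming",
    "<LocalAppData>": r"AppData\Local",
    "<UserProfile>": "",
}


def parse_flex_config(text: str) -> Dict[str, List[str]]:
    """Return {section: [entries]} for a Flex config.

    Entries are bare lines (no key=value), so allow_no_value is required, and
    ':' must not be a delimiter or 'C:\\...' would be split at the drive letter.
    """
    parser = configparser.ConfigParser(
        allow_no_value=True, delimiters=("=",), interpolation=None
    )
    parser.optionxform = str  # keep the case of the paths
    parser.read_string(text)
    return {section: list(parser[section].keys()) for section in parser.sections()}


def resolve_folder_trees(text: str, profile_root: str) -> List[PureWindowsPath]:
    """Expand the [IncludeFolderTrees] entries to absolute paths for one user."""
    root = PureWindowsPath(profile_root)
    resolved: List[PureWindowsPath] = []
    for entry in parse_flex_config(text).get("IncludeFolderTrees", []):
        path = entry
        for placeholder, relative in PLACEHOLDERS.items():
            if entry.lower().startswith(placeholder.lower()):
                rest = entry[len(placeholder):].lstrip("\\")
                base = root / relative if relative else root
                path = str(base / rest)
                break
        resolved.append(PureWindowsPath(path))
    return resolved


def outside_profile(paths: List[PureWindowsPath], profile_root: str) -> List[str]:
    """List every captured tree that is not inside the user's profile folder."""
    root = PureWindowsPath(profile_root)
    return [str(p) for p in paths if p != root and root not in p.parents]


if __name__ == "__main__":
    for name, cfg in (("Notepad++", NOTEPADPP_CONFIG), ("suspicious", OUT_OF_PROFILE_CONFIG)):
        trees = resolve_folder_trees(cfg, r"C:\Users\ceo")
        print(name, "->", [str(t) for t in trees], "outside profile:", outside_profile(trees, r"C:\Users\ceo"))
```

Running it for the lab's config resolves <AppData>\Notepad++ to C:\Users\ceo\AppData\Roaming\Notepad++ and reports nothing outside the profile; the constructed second config is flagged, which is the kind of entry you would want to catch before the config file reaches the shared configuration folder.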

 

 

EXTRA CREDIT: VLC Configuration

 

To create the configuration file for VLC, repeat the same process we used to create the configuration file for Notepad++, with the following changes:

 

Hint 6: Mapped Drives


We only have one more thing on our list: mapping the F: drive to \\controlcenter\AppStacks.

The UEM Administrator Guide surely has information on the subject.


 

Let's check out the list

 

Last thing on our list! We need to configure the user environment to set up the network drive mapping.

This process is described in the UEM Administrator Guide starting on page 77. Try for yourself, but if you get stuck, the next steps will guide you through the process.

 

 

Create Drive Mapping

 

  1. Select the User Environment tab
  2. Select Drive Mapping from the list on the left
  3. Click on the Create button

 

 

Drive Mapping Information

 

Enter the following information:

  1. Name: AppStacks
  2. Drive Letter: F
  3. Remote Path: \\controlcenter\appstacks
  4. Click on Save to continue

 

Validation


All the hard work is done and now it's time to validate that everything is working properly.

To validate our configuration we are going to:

EXTRA CREDIT: If you ran through Module 6 (Just-in-Time Desktops) you can validate that the application configuration persists even if the desktop is destroyed after the user logs off.

* NOTE: VLC will only be available if you ran through Module 4


 

Launch VMware Horizon Client

 

From the desktop of the Main Console, launch the VMware Horizon Client.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as The CEO

 

  1. User name: ceo
  2. Password: VMware1!
  3. Domain: CORP
  4. Click Login

 

 

Launch the Rainpole Desktop

 

Double-click on the Rainpole Desktop icon

 

 

Verify Drive F Mapping

 

Wait for the desktop to launch.

Once Windows Explorer finishes loading, verify that the F drive was properly mapped by

  1. Clicking on the folder icon in the Quick Launch Bar
  2. Click on This PC to get a list of the drives
  3. There it is!

 

 

Launch Notepad++

 

Close the Windows Explorer windows and launch Notepad++ from the desktop icon.

 

 

Change Notepad++ Preferences

 

Change the user preferences by selecting the Settings -> Preferences... menu.

 

 

Set Big Icons

 

  1. Select Big icons
  2. Click Close

Notice our new fancy big icons and close the application.

 

 

Launch Notepad++ Published Application

 

Minimize the VDI session to go back to the Main Console.

Use the Horizon Client to launch the Notepad++ Published Application.

 

 

Verify Big Icons

 

Wait for the Notepad++ Published Application to launch and you will see the big icons in the toolbar. The setting was preserved from one session to another, from one machine to another, from one OS to another!

 

 

Verify Drive F Mapping

 

Use the File -> Open menu to verify that you can access the F drive from the Published Application.

 

Key takeaways


User Environment Manager is very powerful and, given the right conditions, can manage user environment setup and application configuration at a very granular level.

Leveraging custom scripts will allow you to enhance your deployment and manage every use case that comes your way.

Folder Redirection lets you configure redirection of a folder from within the VMware User Environment Manager. Hence Active Directory GPOs for redirection are not required.

Horizon Policies or Smart Policies are an integration between UEM 9 and Horizon 7 with conditional support for poolnames, tags, endpoint location, and View name and IP information. Administrators can use Horizon Policies to contextually and dynamically control the system clipboard, client drive, USB access, printing capabilities, and bandwidth profiles for PCoIP connections.

 

Documentation to reference:

User Environment Manager Administrator’s Guide https://www.vmware.com/pdf/uem-90-admin-guide.pdf

Aaron Black's blog on Horizon 7 Smart Policies http://blogs.vmware.com/euc/2016/05/vmware-horizon-7-implementation-with-smart-policies.html

Dale Carter’s blog on VMware User Environment Manager Deployed in 60 Minutes or Less
 https://blogs.vmware.com/euc/2015/04/vmware-horizon-view-user-environment-manager-deploy-60-minutes.html

Mark Richards' blog on Using RDS Volatile Environment Variables https://virtualmarkr.wordpress.com/2015/11/23/vmware-euc-uem-using-rds-volatile-environment-variables/

VMware End-User-Computing TV https://bit.ly/how-to-uem


 

Conclusion

This concludes Module 5: Improving User Experience.  We hope you have enjoyed taking it. Please do not forget to fill out the survey when you are finished.

 

Module 6 - Just-in-Time Desktops (45 minutes)

Module Switcher Instructions


The following steps will instruct you on how to launch the module using the Module Switcher tool.


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 6

 

Click on the Start button below Module 6

 

 

Stop Module 5

 

If you ran a previous module before Module 6, the STOP script for that module will be run (Module 5 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 6 Start

 

Wait for the Module 6 START script to finish running. Press Enter to continue when the script prompts you to do so.

 

Challenge 6: Growth and Environment Optimization


As part of optimizing your environment, you have been tasked with reducing the storage footprint and reducing the burden on the maintenance windows required for desktop recomposing. During this module you will use Instant Clone technology to provide users with the ultimate flexible desktop: Just-in-Time desktops!


 

Challenge Description

A new project (sponsored by the CEO) has just kicked off. As a result, you have been asked to give all users access to specific applications and desktops. Normally, that should be an easy ask, however, you were recently informed that almost all of the storage provisioned for your Virtual Desktop environment has been consumed. So...HOW ARE YOU going to meet this requirement? What are some of the things you will need to consider and deploy to make this feasible?

You know your predecessor did some research into the advantages of leveraging Instant Clone technology to deploy Just-in-Time Desktops and found tremendous advantages:

You can find more information on Just-In-Time Desktops and Instant Clone technology here:

http://blogs.vmware.com/euc/2016/02/horizon-7-view-instant-clone-technology-linked-clone-just-in-time-desktop.html

These are the specific requirements for this challenge:

 

 

Required Information

The following information will be helpful in solving the challenge:

 

Hint 1: Where do I start?


Remember the blog post we referenced a couple of steps ago? Maybe there's some information there on how to create the desktop pool.

Just so you don't have to go back and look for the URL, here it is again: http://blogs.vmware.com/euc/2016/02/horizon-7-view-instant-clone-technology-linked-clone-just-in-time-desktop.html

Need more detailed information? There's always the official documentation: http://pubs.vmware.com/horizon-7-view/topic/com.vmware.horizon-view.desktops.doc/GUID-F5C53552-F6C8-4BE8-B486-9D172CA1F5CD.html

More? Tom Fenton at Virtualization Review has a great step-by-step guide: https://virtualizationreview.com/articles/2016/03/24/how-to-use-vmware-instant-clone-setup-and--installation.aspx

 


 

Hint 1: Where do I start? (answers)

At this point your Just-In-Time Desktop pool should be up and running and ready, but in case it is not, the following steps will guide you through the entire process.

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To connect to the Horizon View Administrator Console, you will need to launch Google Chrome:

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Open a New Tab

 

Open a new tab by clicking on the free tab button.

 

 

Start the Horizon View Administrator Console

 

Start the Horizon View Administrator Console by clicking on the provided bookmark. Alternatively, you can connect to https://view-01a.corp.local/admin

 

 

Log In to the VMware Horizon Administrator Console

 

  1. User name: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click on Log In

 

 

Open Desktop Pools

 

In the Inventory panel on the left, under Catalog, click on Desktop Pools.

 

 

Add a New Desktop Pool

 

Click on the Add... button to create a new desktop pool.

 

 

Automated Desktop Pool

 

Just-In-Time Desktop pools are always automated. Select Automated Desktop Pool and click Next >.

 

 

User Assignment

 

Just-In-Time Desktops are always Floating desktops. Select Floating and click Next >.

 

 

vCenter Server

 

Just-In-Time Desktops use vSphere Instant Clone technology to create new VMs in a matter of seconds. Select Instant Clones, click on the vcsa-01a vCenter Server, and click Next >.

 

 

Desktop Pool Identification

 

Enter the following information and click Next >

 

 

Desktop Pool Settings

 

There is no need to change anything here. You can just click Next >

 

 

Provisioning Settings

 

  1. Naming pattern: WIN10-JIT-{n:fixed=2}
  2. Max number of machines: 10
  3. Provision machines on demand: Select
  4. Click on Next >

 

 

Storage Optimization

 

We do not have VSAN set up or a different datastore to keep replicas, so just click Next >.

 

 

vCenter Settings (1)

 

Click on Browse.. to select the Parent VM.

 

 

Select Parent VM

 

Select the WIN10-VDI-JIT parent VM and click OK.

 

 

vCenter Settings (2)

 

Click on Browse... to select a snapshot.

 

 

Select Snapshot

 

There should only be one available snapshot in the parent VM, called JIT-Snapshot. Select it and click OK.

 

 

vCenter Settings (3)

 

To select the VM Folder Location, click Browse...

 

 

Select VM Folder Location

 

Select the Win10 Virtual Desktops folder and click OK.

 

 

vCenter Settings (4)

 

Click Browse... to select a Cluster.

 

 

Select Cluster

 

Select the RegionA01-MGMT01 cluster and click OK.

 

 

vCenter Settings (5)

 

Click Browse... to select a Resource Pool.

 

 

Select Resource Pool

 

Select the RegionA01-MGMT01 Resource Pool and click OK.

 

 

vCenter Settings (6)

 

Click Browse... to select the datastore.

 

 

Select Datastore

 

Select the RegionA01-ISCSI-COMP01 datastore and click OK. You might need to expand the column size to see the full name of the datastores.

 

 

vCenter Settings (7)

 

Check that all the information is correct and complete and click Next >.

 

 

Guest Customization

 

We do not require any Guest Customization. Click Next >.

 

 

Ready to Complete

 

Select the option to Entitle users after this wizard finishes. Review the information and click Finish to start the desktop pool creation and provisioning.

NOTE: The full provisioning process will take between 20 - 30 minutes.

 

 

Entitlements (1)

 

Click the Add... button to add a user or group.

 

 

Find User or Group

 

  1. Deselect Users
  2. Look for Domain Users
  3. Click on the Find button
  4. The Domain Users group should populate in the results pane. Make sure to select it.
  5. Click OK.

 

 

Entitlements (2)

 

Make sure Domain Users is entitled to the desktop pool. Click Close.

 

 

Monitor the Desktop Pool Provisioning (1)

 

To monitor the desktop pool provisioning, double-click on the JIT_Pool desktop pool.

 

 

Monitor the Desktop Pool Provisioning (2)

 

In the Summary tab, scroll down until you see the vCenter Server section. There you will see the Pending Image status, in this case the state is Publishing and the operation is Initial Publish. This process will take between 20 and 30 minutes.

 

 

Monitor the Desktop Pool Provisioning (3)

 

When the process is finished, you will see the state change to Publish.

 

Validate your Results


Now that we have created and provisioned our Just-In-Time Desktops pool, it is time to test it and validate it by connecting as an end user to the environment.


 

Test the new Just-In-Time desktop

 

From the desktop of the Main Console, launch the VMware Horizon Client.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as The CFO

 

  1. User name: cfo
  2. Password: VMware1!
  3. Domain: CORP
  4. Click "Login"

 

 

Connect to the Just-In-Time Desktop

 

Connect to the Just-In-Time Desktop by double-clicking on JIT Desktops.

 

 

User Personalization

 

Once you log in, you will see the Windows 10 user profile creation process. This will take a few minutes.

Since this is a floating desktop, what is going to happen the next time the user logs in?

How could you mitigate this issue if you actually wanted the user profile to be destroyed after the session ends?

What if you want to keep the user configuration and profile?

 

 

Just-In-Time Desktop

 

You will eventually be logged in to the user desktop. Note that all your App Stacks will be available!

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To check the status of the VMs you are going to need the vCenter Web Client connected to vCenter vcsa-01a.corp.local:

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
  2. Log in using the username administrator@corp.local and password VMware1! (you can also use Windows Session Authentication)

 

 

vCenter Server (1)

 

Switch windows to the vCenter Server Web Client (Google Chrome). Look at the VM inventory. You should see two desktop VMs (if both are not present, wait a minute and refresh): the current desktop VM the user is using (WIN10-JIT-01, in our case) and the new one that was just created to support new connections. In a production environment WIN10-JIT-02 would have been created in a matter of a few seconds.

 

 

Log Off from the Just-In-Time Desktop (1)

 

Click on the windows Start button. Click on the user name on top.

 

 

Log Off from the Just-In-Time Desktop (2)

 

In the pop-up menu, click on Sign out.

 

 

vCenter Server (2)

 

Switch windows to the vCenter Server Web Client (Google Chrome). Look at the VM inventory. Notice that the WIN10-JIT-01 desktop VM was destroyed after the user log off was finalized.

 

Conclusion


This module showed us a much better way to provision virtual desktops: Instant Clone technology.

Delivering Just-In-Time desktops using Instant Clone technology we:


 

Extra Credit

During this exercise we created a non-persistent desktop VM, meaning that the user data and configuration will be lost after each log out.

What if that is not our use case? What if we need to provide a persistent experience to the end user, but leveraging the simplicity and agility of Just-In-Time Desktops?

Using the same lab environment try to create a persistent experience by:

 

Module 7 - Securing your Horizon Desktops (45 minutes)

Introduction


As the organization continues to adopt and develop virtual desktop use cases, the Security Team has raised concerns around the ability to access critical database and application resources when using virtual desktops. In this module, you will leverage network virtualization to ensure isolation of applications, databases and desktops.


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module Switcher Instructions


The following steps will instruct you on how to launch the module using the Module Switcher tool.


 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 7

 

Click on the Start button below Module 7

 

 

Stop Module 6

 

If you ran a previous module before Module 7, the STOP script for that module will be run (Module 6 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 7 Start

 

Wait for the script to finish running. Press Enter to continue when the script prompts you to do so.

 

Challenge 7: Isolation of Desktops from Internal Resources


Security has raised concerns around users having visibility of applications and information that are outside of their departments. It is up to you to mitigate their concerns. Rather than making traditional firewall rules for every individual connection, what if you could make a policy associated to an Active Directory (AD) User/Group? Wouldn't that make life so much easier? (HINT: NSX and Active Directory Integration).

 

Create a Policy to isolate traffic based on the User (CEO) and the IT Operations Group. Ensure the user(s) are only able to communicate with the required applications and not with other resources.


 

Challenge Description

During the last Security Joint Task Force meeting, it was brought to your attention that some unauthorized users were trying to access the Log Insight Management Console from the VDI environment. They even questioned the security of your VDI environment, arguing that it is too dangerous to have users running desktops in the datacenter where there is no control as to what resources they can connect to!

But you know better. The security team is thinking in terms of traditional physical network security but what they do not know is that you have the power of NSX to make your environment even MORE secure than a physical one.

Apparently your predecessor also started some of the work leveraging NSX, as the main components are already installed and deployed. As you learned in Module 1, there are even some Logical Switches and an Edge Router deployed. Even Guest Introspection has been installed! But it seems like the Distributed Firewall functionality has not been used yet.

These are the specific requirements for this challenge:

 

 

Required Information

The following information will be helpful in solving the challenge:

 

Hint 1: User distinction (or "Do you know WHO I AM?")


Before we go ahead and create firewall rules, we are going to have to be able to distinguish between authorized and unauthorized users.

The AD part is straight forward: we need to create an AD security group, but how can we implement this distinction in NSX?

For the answer and implementation guidance see the following steps.


 

Hint 1: User distinction (answer)

Before we go ahead and create firewall rules, we are going to have to be able to distinguish between authorized and unauthorized users.

The AD part is straight forward: we need to create an AD security group, but how can we implement this distinction in NSX?

You can try for yourself. The process is described in the NSX Administration Guide here:   https://pubs.vmware.com/NSX-62/topic/com.vmware.nsx.admin.doc/GUID-B9FC0D05-BE96-4D83-8C58-98B0F96DB342.html

In the following steps we will go through this process in detail.

 

 

Open Active Directory Users and Computers

 

From the Start menu, open:

 

 

Create new AD Group

 

  1. Select the Users container
  2. Click the Create a new group button

 

 

Type a name for the AD Security Group

 

  1. Group name: LogInsight_Users
  2. Click OK to continue

 

 

Add CEO user to the LogInsight_Users AD Group

 

  1. Select the VDI Users OU
  2. Select the Chief Exec. Officer user
  3. Click on the Add selected object to a group icon

 

 

Search for AD Security Group

 

  1. Type LogInsight_Users in the text box.
  2. Click on Check Names. Make sure the group name in the text box is underlined to confirm that it was found in the AD.
  3. Click on OK to continue.

 

 

Accept and close AD Users and Computers

 

After successfully adding the CEO user to the LogInsight_Users group, click OK to dismiss the dialog box and close Active Directory Users and Computers.

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To connect to the vSphere Web Client, you are going to need a web browser.

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Log in to the vSphere Web Client

 

Log in to the vSphere Web Client and correlate some of the components: 

  1. User: administrator@corp.local
  2. Password: VMware1!
  3. Click on Login

TIP: You can save time by clicking on Use Windows session authentication and then on the Login button.

 

 

Open Networking & Security (NSX)

 

Use the Networking & Security link from the vSphere Web Client Home screen.

 

 

Open NSX Managers

 

Under Networking & Security Inventory click NSX Managers.

 

 

Configure NSX Manager

 

Click on the NSX Manager name 192.168.110.15 to configure it.

 

 

Update local state of AD Objects

 

Since we just created the AD Security Group, we need to manually synchronize the NSX Manager with AD so that it is aware of the existence of the new group.

  1. Click on the Manage tab
  2. Click on the Domains tab
  3. Select the corp.local domain
  4. Click on the Update the local state for all AD objects icon

 

 

Add Security Group

 

  1. Click on the Manage tab
  2. Click on the Grouping Objects tab
  3. Click Security Group
  4. Click the Add Security Group (+) icon

 

 

Type a name for the Security Group

 

  1. Name: LogInsight_Users
  2. Click Next to continue

 

 

Define Dynamic Membership

 

  1. Use the dropdown to select Entity
  2. Click on the Select Entity button

 

 

Select Entity

 

  1. Use the dropdown to select Directory Group entity type.
  2. Use the search box to shorten the list of available groups. Type LogInsight in the search box.
  3. Click on the radio button to select the LogInsight_Users group.
  4. Click on OK to continue.

 

 

Select objects to include

 

We are not adding any additional static objects, so just click Next to continue.

 

 

Select objects to exclude

 

Again, not excluding any static objects either, so click Next to continue.

 

 

Ready to Complete

 

Check your configuration and click Finish.

 

Hint 2: Rule enforcement


So now that we know how to distinguish the users, we need to enforce rules around that distinction, so only authorized users can connect to the Log Insight Management Console.

What would be the best place to enforce those rules?


 

Hint 2: Rule enforcement (answer)

So now that we know how to distinguish the users, we need to enforce rules around that distinction, so only authorized users can connect to the Log Insight Management Console.

What would be the best place to enforce those rules?

There is the option to set the rules in the Perimeter Firewall (see Module 2), but since these are identity-based rules, it makes more sense to enforce them in the Distributed Firewall, which is applied at each VM's virtual NIC and is therefore independent of network topology.

How do we do this? The NSX Administration Guide explains it well, so you can try for yourself: https://pubs.vmware.com/NSX-62/topic/com.vmware.nsx.admin.doc/GUID-C7A0093A-4AFA-47EC-9187-778BDDAD1C65.html

Or you can continue to the next steps to see a detailed walkthrough.

 

 

Go back to Networking and Security Home

 

Go back to the Networking and Security home by:

  1. Clicking on the Home icon
  2. Selecting Networking & Security from the dropdown

 

 

Navigate to Firewall

 

Navigate to Firewall.

 

 

Gain screen space by collapsing the right Task Pane

 

  1. Clicking on the Push-Pins will allow task panes to collapse and provide more viewing space to the main pane.  You can also collapse the left-hand pane to gain the maximum space.

 

 

Expand Layer 3 Rules Section

 

  1. Expand Default Section Layer3 using the triangle on the left.
  2. Select Rule 2 Default Rule DHCP
  3. Click on the Add Rule (+) button

 

 

Name the rule (1)

 

Hover the mouse over the top right corner of the name field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's name.

 

 

Name the rule (2)

 

  1. Rule Name: LogInsight_Reject
  2. Click Save

 

 

Set the Source

 

Hover the mouse over the top right corner of the source field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's source.

 

 

Add VDI Network to the Source

 

First, we will create a rule to reject any connection attempt to the Log Insight server from the VDI Network. Later we will create a higher priority rule to allow access to the users of the LogInsight_Users group.

  1. Use the dropdown to set the Object Type to Logical Switch
  2. In the list of available objects select VDI Network
  3. Click on the -> icon to add the VDI Network object
  4. Click OK to continue

 

 

Set the Destination

 

Since the Log Insight server is a physical machine and not part of the vCenter Server Inventory, we will reference it by its IP: 192.168.110.24

Hover the mouse over the bottom right corner of the destination field of your new rule (number 3) until the IP icon appears. Click on the IP icon to edit the rule's destination.

 

 

Destination Raw IP

 

  1. Value: 192.168.110.24/32 (we want to make sure we are specifying a host and not a network, hence the /32 suffix)
  2. Click on Save to continue

 

 

Set the Service

 

Hover the mouse over the top right corner of the service field of your new rule (number 3) until the pencil icon appears. Click on the pencil icon to edit the rule's service.

 

 

Specify Service

 

Since the Log Insight Management Console runs on HTTPS, that is the service we want to reject for most users. Note that this rule matches HTTPS only: any other service on that host is not affected by it and is evaluated against the rules below it.

  1. Click on the search box and type HTTPS
  2. Select HTTPS from the Available Objects List
  3. Click on the -> icon to add the service
  4. Click on OK to continue

 

 

Set the Action

 

Hover the mouse over the top right corner of the action field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's action.

 

 

Edit Action

 

  1. Use the dropdown to select the Reject action
  2. Click Save to continue

EXTRA CREDIT: What's the difference between the Block and Reject actions? Tip: the answer is in the NSX Administrator Guide here: https://pubs.vmware.com/NSX-62/topic/com.vmware.nsx.admin.doc/GUID-C7A0093A-4AFA-47EC-9187-778BDDAD1C65.html

 

 

Copy Reject Rule to create the Allow Rule

 

Right click on the firewall rule and select Copy

 

 

Paste Reject Rule to create the Allow Rule

 

Right click on the firewall rule and select Paste Above

 

 

Name the Allow Rule (1)

 

Hover the mouse over the top right corner of the name field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's name.

 

 

Name the Allow Rule (2)

 

  1. Rule Name: LogInsight_Allow
  2. Click Save

 

 

Set the Source

 

Hover the mouse over the top right corner of the source field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's source.

 

 

Remove VDI Network from the Source

 

  1. In the list of selected objects select VDI Network
  2. Click on the <- icon to remove the VDI Network object

 

 

Add LogInsight_Users Group to the Source

 

Now we will create a rule to accept any connection attempt to the Log Insight server from the LogInsight_Users. This is the NSX Security Group that we created earlier that references the AD Security Group.

  1. Use the dropdown to set the Object Type to Security Group
  2. In the list of available objects select LogInsight_Users
  3. Click on the -> icon to add the LogInsight_Users object
  4. Click OK to continue

 

 

Set the Action

 

Hover the mouse over the top right corner of the action field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's action.

 

 

Edit Action

 

  1. Use the dropdown to select the Allow action
  2. Click Save to continue

 

 

Publish Changes

 

The firewall rules that we just created will not be deployed to the Distributed Firewall until we click on the Publish Changes button. Before publishing, check that LogInsight_Allow sits above LogInsight_Reject: rules are evaluated top-down and the first match wins, so the reverse order would reject the CEO as well. Go ahead and click the Publish Changes button.
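The two rules you just built are evaluated in order, first match wins, which is why the allow rule had to be pasted above the reject rule. The following is an added example, not part of this lab guide and not NSX code: it models the rule set from this module as first-match logic and runs a few constructed flows through it, including the misordered variant and a non-HTTPS flow the reject rule does not cover. The AD group membership, the VM-to-logical-switch mapping and the action of the catch-all default rule (assumed to be allow here) are assumptions for the example.

```python
"""First-match evaluation of the LogInsight_Allow / LogInsight_Reject rules.

Added example for the lab guide; not NSX code. Group membership, VM placement
and the default rule's action are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Sequence, Tuple

LOG_INSIGHT = ip_network("192.168.110.24/32")  # destination raw IP from the lab (/32 = one host)
HTTPS = ("tcp", 443)                            # the HTTPS service object

# Constructed sample data: who is in the LogInsight_Users AD group (as NSX learns it
# after the AD sync) and which logical switch each source VM is attached to.
LOGINSIGHT_USERS = {"ceo"}
VM_SWITCH = {
    "WIN10-VDI-01": "VDI Network",
    "WIN10-JIT-01": "VDI Network",
    "MGMT-JUMP": "Management",  # assumed VM outside the VDI logical switch
}


@dataclass(frozen=True)
class Flow:
    user: str   # user logged on to the source VM (the identity NSX resolves)
    vm: str     # source VM
    dst: str    # destination IP
    proto: str
    port: int


Condition = Callable[[Flow], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow", "reject" or "block"
    conditions: Tuple[Condition, ...]   # source, destination and service must all match


def src_loginsight_users(f: Flow) -> bool:
    """Security group with dynamic membership on the LogInsight_Users AD group."""
    return f.user in LOGINSIGHT_USERS


def src_vdi_network(f: Flow) -> bool:
    """Source object type Logical Switch: VDI Network."""
    return VM_SWITCH.get(f.vm) == "VDI Network"


def dst_loginsight_https(f: Flow) -> bool:
    """Destination 192.168.110.24/32, service HTTPS."""
    return ip_address(f.dst) in LOG_INSIGHT and (f.proto, f.port) == HTTPS


# The order the lab produces: the allow rule pasted above the reject rule.
RULES: Tuple[Rule, ...] = (
    Rule("LogInsight_Allow", "allow", (src_loginsight_users, dst_loginsight_https)),
    Rule("LogInsight_Reject", "reject", (src_vdi_network, dst_loginsight_https)),
    Rule("Default Rule", "allow", ()),  # assumption: catch-all Layer 3 rule still allows
)
# What you would get by choosing "Paste Below" instead of "Paste Above".
MISORDERED: Tuple[Rule, ...] = (RULES[1], RULES[0], RULES[2])


def evaluate(flow: Flow, rules: Sequence[Rule] = RULES) -> Tuple[str, str]:
    """Return (rule name, action) of the first rule whose conditions all hold."""
    for rule in rules:
        if all(cond(flow) for cond in rule.conditions):
            return rule.name, rule.action
    return "<no match>", "block"


if __name__ == "__main__":
    samples = [
        Flow("ceo", "WIN10-VDI-01", "192.168.110.24", "tcp", 443),
        Flow("cfo", "WIN10-VDI-01", "192.168.110.24", "tcp", 443),
        Flow("cfo", "WIN10-VDI-01", "192.168.110.24", "tcp", 22),   # not HTTPS
        Flow("cfo", "MGMT-JUMP", "192.168.110.24", "tcp", 443),     # not on VDI Network
    ]
    for flow in samples:
        print(flow, "->", evaluate(flow), "| misordered:", evaluate(flow, MISORDERED))
```

The third and fourth flows are the caveats worth keeping in mind: the reject rule only covers HTTPS from the VDI Network logical switch, so anything else to the Log Insight host falls through to whatever rules sit below it.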

 

Validation


We have finished with the required security configuration, so all that is left to do is validate that our configuration is working properly.

To validate our configuration we are going to:

EXTRA CREDIT: If you ran through Module 6 (Just-in-Time Desktops) you can validate that the application configuration persists even if the desktop is destroyed after the user logs off and that since it uses dynamic IP configuration, the desktop's IP address changes from one session to the next.


 

Launch VMware Horizon Client

 

From the desktop of the Main Console, launch the VMware Horizon Client.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as The CEO

 

  1. User name: ceo
  2. Password: VMware1!
  3. Domain: CORP
  4. Click Login

 

 

Launch the Rainpole Desktop

 

Double-click on the Rainpole Desktop icon.

Use the JIT Desktops instead if you went through Module 6.

 

 

Launch Microsoft Edge

 

Wait for the desktop to launch.

Once Windows Explorer finishes loading, launch Microsoft Edge by clicking on its icon on the Quick Launch bar.

 

 

Connect to Log Insight Management Console

 

Connect to the Log Insight Management Console

 

 

Successful Connection

 

You should be able to successfully connect to the Log Insight Management Console. The authentication screen will be shown as in the image.

 

 

Sign out from the desktop

 

Right-click on the Start menu button, select Shutdown or sign out, and click on Sign out.

 

 

Disconnect from Horizon

 

Use the disconnect button to sign out from Horizon. Confirm by clicking OK.

 

 

Change the user

We were successful connecting as the CEO. Now we will try to connect as the CFO and see if things change.

Since we only have one instance of the Rainpole Desktop in the lab environment, we will need to unassign that desktop from the CEO user so the CFO user can use it. The following steps describe that process.

If you are using Just-in-Time Desktops (only if you went through Module 6), these steps are not required and you can skip ahead to "Connect to Horizon View Connection Server".

 

 

Unassign the Virtual Desktop (1)

 

If you need to unassign the virtual desktop, first open a new tab in Google Chrome and click on the View Administrator bookmark. Alternatively you can launch the View Administrator console directly by entering the following URL in the locator bar: https://view-01a.corp.local/admin/

 

 

Unassign the Virtual Desktop (2)

 

Log in using the domain administrator credentials:

  1. User name: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click the Log In button

 

 

Unassign the Virtual Desktop (3)

 

Select Machines from the Inventory menu on the left.

 

 

Unassign the Virtual Desktop (4)

 

Right-click on the WIN10-VDI-01 machine and select Unassign User...

 

 

Unassign the Virtual Desktop (5)

 

Confirm the unassignment by clicking OK.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as the CFO

 

  1. User name: cfo
  2. Password: VMware1!
  3. Domain: CORP
  4. Click Login

 

 

Launch the Rainpole Desktop

 

Double-click on the Rainpole Desktop icon.

Use the JIT Desktops instead if you went through Module 6.

 

 

Launch Microsoft Edge

 

Wait for the desktop to launch.

Once Windows Explorer finishes loading, launch Microsoft Edge by clicking on its icon on the Quick Launch bar.

 

 

Connect to Log Insight Management Console

 

Connect to the Log Insight Management Console

 

 

Connection Rejected

 

The connection should be rejected. That means everything worked out as expected: the CEO user was allowed access, while other users (CFO in this case) were denied.

 

Key takeaways


Using NSX on a VDI/RDSH environment gives you the ability to secure the environment beyond what is available in traditional physical deployments.

Rules do not have to be limited to physical constructs such as IP addresses, ports, network segments, etc. but can actually leverage user identity and group memberships which relate directly to the business process.

For example, you can restrict user access to the backend database and make sure all users connect to the application layer that in turn connects to the database.

You can find more information on NSX and Horizon here:

https://www.vmware.com/products/horizon/horizon-nsx.html
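The following is an added illustration, not part of the lab guide and not NSX code: a small Python model of the difference between a rule keyed on user identity (group membership) and one keyed on a source IP address, using the CEO/CFO validation above and the Module 6 observation that a Just-in-Time desktop comes back with a different IP address each session. The user, group and address values are constructed.

```python
"""Constructed model: identity-based vs. IP-based firewall rules.

Added example, not NSX's own API. It models why a rule that matches on
the user's AD group keeps working when a Just-in-Time desktop returns
with a new IP address, while a rule matching on the old address does not.
"""
from dataclasses import dataclass, field

# Constructed directory: user -> AD groups (hypothetical group names).
AD_GROUPS = {"ceo": {"Executives"}, "cfo": {"Finance"}}

LOG_INSIGHT = "loginsight"   # constructed destination (Log Insight appliance)


@dataclass
class Rule:
    dest: str
    action: str                                    # "allow" or "deny"
    src_groups: set = field(default_factory=set)   # identity-based source match
    src_ips: set = field(default_factory=set)      # address-based source match

    def matches(self, user, src_ip, dest):
        if dest != self.dest:
            return False
        # Identity match: the logged-on user must belong to one of the groups.
        if self.src_groups and not (AD_GROUPS.get(user, set()) & self.src_groups):
            return False
        # Address match: the desktop's current IP must be in the rule.
        if self.src_ips and src_ip not in self.src_ips:
            return False
        return True


def evaluate(rules, user, src_ip, dest):
    """First-match evaluation; anything unmatched is denied by default."""
    for rule in rules:
        if rule.matches(user, src_ip, dest):
            return rule.action
    return "deny"


# Identity rule: members of the CEO's group may reach Log Insight.
IDENTITY_POLICY = [Rule(dest=LOG_INSIGHT, action="allow", src_groups={"Executives"})]

# Address rule: only the IP the CEO's desktop had in its first session (constructed).
IP_POLICY = [Rule(dest=LOG_INSIGHT, action="allow", src_ips={"192.0.2.10"})]
```

With the identity policy the CEO is allowed and the CFO denied regardless of the desktop's address; with the IP policy the CEO is denied as soon as the JIT desktop is recreated with a new address.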


 

Conclusion

This concludes Module 7: Securing your Horizon Desktops. We hope you have enjoyed taking it. Please do not forget to fill out the survey when you are finished.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1791-CHG-1

Version: 20170105-044704