vRealize Log Insight broadening the Horizon: Active Directory integration deploy VMware Identity Manager

At a customer I am working on the design of vRealize Log Insight. For the authentication objective we can choose from the sources local, Active Directory or VMware Identity Manager. In the latest release (4.5) it is clearly stated that configuring Active Directory authentication directly from Log Insight is deprecated.

Deprecated vRLI

Edit: Unlike some previous information going around, Active Directory directly from Log Insight is still supported. Quote from the updated VMware Knowledge Base article: "Although direct connectivity from VMware vRealize Log Insight to Active Directory is still supported in Log Insight 4.5, it may be removed in a future version."

But I think it will still be very beneficial to move to vIDM sooner than later.

Now how do I authenticate my Active Directory users against Log Insight, you might ask. Well, this is what VMware Identity Manager is meant for. It is not used by a lot of VMware products, but it is used in the VMware Horizon suite as Workspace ONE, integrated in vRealize Automation (vRA), and now with vRealize Log Insight as a separate virtual appliance.

The first reactions I overheard: that is going to cost us extra for vIDM. Well, no. With a Log Insight edition you are entitled to use vIDM, and you can download it from the Log Insight page (among other places). And you could even be entitled to Log Insight without knowing it, for example through Log Insight for vCenter or via NSX for Desktop. One heads-up here: these are limited to certain versions and workloads by EULA. For NSX this has been so since the release of NSX 6.2.3: https://blogs.vmware.com/management/2016/06/log-insight-for-nsx-frequently-asked-questions-faq.html.

If you happen to have vIDM configured as part of the Horizon suite and/or vRealize Automation, you can go ahead and configure vRealize Log Insight to use that vIDM. Either by skipping the vIDM deployment part in this blog, or exit here and read the configuration specifics on the VMware blog at: https://blogs.vmware.com/management/2017/06/vidm-log-insight.html.

EUC and vRealize Log Insight

vRealize Log Insight is not included by default with the Horizon suite licensing; however, as mentioned above, you might be entitled to it through, for example, NSX for Desktop. Otherwise, adding vRealize Log Insight to your EUC management layer will be highly beneficial, as all those components in your Horizon environment and EUC landscape create a lot of information. Think about all those OS logs, virtual appliances, component logs, audit logs, application logs and so on, stored on all those components. A centralized log aggregator that increases visibility, structures unstructured data, and adds deep troubleshooting insights and monitoring is what you need. Integrate it with vROPS (for Horizon) to broaden that point of view as well.

VMware Identity Manager Deployment

Normally you would design the vIDM architecture appropriately, as it will get a more prominent part in your environment when more components are using its features. Think about load balancing, redundancy, resilience and so on. For more input on these subjects, please read the VMware Identity Manager deployment considerations, which can be found here: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-identity-manager-on-premises-deployment-considerations.pdf

For this blog post I deployed an Active Directory, vIDM and Log Insight in Lab application in Oracle Ravello Cloud. If you want to see the details on deploying virtual appliances in Oracle Ravello Cloud, see my blog post: https://pascalswereld.nl/2017/03/14/vcap-dtm-deploy-prep-horizon-lab-on-ravello-cloud-and-import-ova/. After boot up configure hostname and networking on the console. After network interface restart you are ready to go and do the vIDM initial configuration by opening vIDM from a browser and go to https://idm-hostname.

Setup vidmli

Continue the vIDM installation with passwords and database settings. Well, actually not, because in the above screenshot I haven’t used the FQDN. You will receive the “Invalid organization name. Chosen name (null) includes invalid characters” error. Restart the browser session with the FQDN.

Using FQDN

When finished, click the link in the summary page. Log in with the local admin user for whom you set the password in the setup wizard. You are directed to the Directories page where you can add a directory.

Add Directory

Add a directory for Active Directory and fill in the required values. Service accounts to join and bind are necessary. Confirm the domain name and the attributes required for synchronization (you can change them later on). Select the required groups to synchronize for Log Insight. These normally will be role-based groups for Log Insight. Review what is to be synchronized and let the engines roar. When the sync is complete you can test and log on with an administrator from your domain. When importing administrator, for example, this user is added to the administrator role in vIDM. Log out the local admin.

Logon with Domainname\User in vIDM to test user synchronization. When we can logon with the domain user we are good for this part.

vRealize Log Insight

Now for vRealize Log Insight. Note for Oracle Ravello Cloud users: after uploading the OVA you will have to change the VM according to the size of the deployment. Extract the OVF file to look at the figures, lower the vCPU and vRAM, and correct the disk configuration. When you boot you will get a warning and an empty vami boot screen (except for some background colors). You will have to start the installer on the console. For that you will have to set the password and networking settings with vami. Take it from the part about running Log Insight on Ravello in this blog post: https://michaelryom.dk/running-log-insight-on-ravello/.

Open a browser and go to the Log Insight URL. I am starting a new configuration for this lab.

vRLI initial

After the initial setup is done, go to the admin page and select Configuration – Authentication. On the first page we can set up authentication with VMware Identity Manager.

vIDM add to vLI

Do not forget: The username must be a local System vIDM user for the binding to be successful.

Do the test connection and accept the certificate of vIDM. Save if everything is a success. Next, go to the users configuration (or Management – Access Control) page to grant vIDM users access to Log Insight.

Add User LI

Check the information in vIDM users if you don’t know what to fill in:

Check vIDM users

Do not forget: your Active Directory user must have a mail attribute and a UPN, and must be synchronized to vIDM.
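A pre-sync check for the mail and UPN requirement above, as an added example that is not part of the original post. The function name and the sample accounts are constructed; the commented pipeline assumes the RSAT ActiveDirectory module and a hypothetical role group named LogInsight-Admins.

```powershell
# Added example: find accounts that would fail the vIDM / Log Insight login
# because mail or userPrincipalName is empty in Active Directory.
function Test-VidmSyncAttribute {
    [CmdletBinding()]
    param(
        # Any object exposing SamAccountName, mail and UserPrincipalName,
        # for example the output of Get-ADUser -Properties mail.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $User
    )
    process {
        $missing = @()
        if ([string]::IsNullOrWhiteSpace($User.mail)) { $missing += 'mail' }
        if ([string]::IsNullOrWhiteSpace($User.UserPrincipalName)) { $missing += 'userPrincipalName' }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Ready          = ($missing.Count -eq 0)
            Missing        = $missing -join ', '
        }
    }
}

# Constructed sample accounts so the check runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'administrator'; mail = 'administrator@vtest.lab'; UserPrincipalName = 'administrator@vtest.lab' }
    [pscustomobject]@{ SamAccountName = 'svc-loginsight'; mail = $null; UserPrincipalName = 'svc-loginsight@vtest.lab' }
    [pscustomobject]@{ SamAccountName = 'jdoe'; mail = ''; UserPrincipalName = '' }
)
$sample | Test-VidmSyncAttribute | Format-Table -AutoSize

# Against a real directory (assumption: RSAT ActiveDirectory module is installed
# and 'LogInsight-Admins' is replaced by the group you synchronize to vIDM):
# Get-ADGroupMember -Identity 'LogInsight-Admins' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties mail |
#     Test-VidmSyncAttribute |
#     Where-Object { -not $_.Ready }
```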

Now logout the built-in local admin. From the login page of Log Insight select VMware Identity Manager as the provider.

Login vRLI Page

When you push Login via SSO you will be redirected to Identity Manager to log on, or, when you have an active token, you are logged on to Log Insight directly.

And voilà: Administrator is logged on:

Administrator

This concludes the setup and configuration part.

Fun fact blast from the past, I have a blog post from 2013 where I did a Log Insight 1.0.4 Evaluation (https://pascalswereld.nl/2013/08/28/evaluation-vmware-vcenter-log-insight-part-one-the/). We have done some good life time cycles :)

 

– Happy broadening your Horizon!

 

Sources: vmware.com

VCAP-DTM Deploy Achievement Unlocked with some exam time management tips for you

After my exam earlier was postponed due to some problems between Pearson VUE and VMware Lab communications, I did my VCAP-DTM deploy last Friday. And it was a pass on the first attempt :) Woohoo.

The exam is a whopping 3,4 hours (or thereabouts, at 205 minutes) of getting through tasks, where time management is the most important piece. Well, next to actually knowing what you need to be doing. I missed some questions in the end, but 30 questions seem to be enough to barely pass. I was a bit slow as deployment is something I do differently in real life, I was irritated about the backspace not working (the arrow and Del key combination is not my cookie) while my Pavlov reflex keeps hitting that key, and in the last part of the exam I had to keep pushing radio buttons several times before they became active.

VCAP Passed

Some tips for the time management when you will attempt the exam:

  • Prepare your exam lab experience. Do VMware Hands-on Labs from the EUC mobility courses. If it is not for the subjects, it is for knowing how to operate the lab environment. The exam lab is the same as the hands-on labs. I used several, HOL-1751-MBL-1 and so on. Do note the Horizon versions are not the versions used in the VCAP6 version, but most items are still in the right place. I have also used Ravello Cloud for my labs. A bonus with the HOLs is that you already have the password to use in the exam drilled in.

VCAP Lab

  • Familiarize with the subjects. Read through the exam objectives and practice those in your own lab or hands on labs. These blog posts were very helpful:
  • Schedule your exam. Have something to work to. Do this before starting to study, but allow for a reasonable study preparation period.
  • There is no non-native English speaker time extension, 205 minutes is what everyone gets.
  • A VCAP study group with peers is worth it, especially for working together on a shared goal and for sharing experiences, tips and tricks. At our company ITQ (http://itq.nl) we did VCAP Bootcamps where we had multiple sessions and let some of the team present an objective. Don’t have peers at your company that go for the same kind of exams? Well, reach out on Twitter; the community is strong in its knowledge-sharing force and you will get a group in no time.
  • Mirage base layer and application layer capturing, restoring, as well as App Volumes capturing take time to complete. Make a note on your whiteboard and do some other questions while these are capturing. Return to see the progress.
  • Set your environment to a comfortable screen resolution, mine was to set the screen to 1024×768. Also change this resolution in the Remote Desktop Manager. If you happen to need console access to a virtual machine (mostly RDP will work), use the web client not VMRC or the vSphere client console as the CTRL-ALT are not working.
  • Once at the exam, go through the exam questions, start the captures, complete the ones you know, and skip the ones you don’t know or are not sure about. You can navigate back and forth through the tasks, but don’t go skipping in berserk mode. Have some idea which questions are for which subjects, and use your whiteboard to write down the questions, make notes and mark them completed, in progress or failed.
  • Do take time to read the assignment: you have multiple clusters, desktops and connection servers. Don’t waste time starting the task on the wrong component.
  • Don’t let slow performance get to you. This is a lab environment and it is not running in your exam centre or even your region. It can be slow, so be prepared and be patient. But that doesn’t mean that if it is unworkable you shouldn’t say something about it….

Know how Horizon architecture, application capturing and desktop pools work, know your way around Identity Manager (vIDM) and Mirage, know the lmvutil and vdmadmin command line help options, and you will be A-okay. And yes, that time management….

Painting Time

 

– Enjoy your exam experience!

VCAP-DTM Icon

Sources: vmware.com, szumigalski.com, sostechblog.com

 

EUC Layers: Horizon Connectivity or From NSX Load Balancers with Love

Another layer that will hit your end users is the connectivity from the client device to the EUC solution. No intermittent errors are allowed in this communication. Users very rarely like "connection server is not reachable" pop-ups. Getting your users securely and reliably connected to your organization's data, desktops and applications while guaranteeing connection quality and performance is key for any EUC solution. For a secure workspace, protecting against and reacting to threats as they happen makes software-defined networking even more important for EUC. Dynamic software is required. And all that for an any place, any device and any time solution. And if something breaks, well….

Rest of the fire

One of the first things we talk about is the need to reliably load balance several components as they scale out. And to avoid getting into all the networking bits in one blog post, I am sticking with load balancing for this part.

As Horizon does not have a one-package deal with networking or load balancing, you have to use an add-on to the Horizon offering or look outside the VMware product suite. Options are:

  • interacting with physical components,
  • depending on other infrastructure components such as DNS RR (that is a poor man's load balancing), preferably with something extra like Infoblox DNS RR with service checks,
  • using virtual appliances like Kemp or NetScaler VPX. VPX Express is a great free load balancer and more.
  • Specific Software-Defined Networking for desktops, using NSX for Desktop as an add-on. Now instantly that question pops up: why isn’t NSX included in, for example, Horizon Enterprise like vSAN? I have no idea, but it probably has something to do with money (and cue Pink Floyd for the ear worm).

And some people will also hear about the option of doing nothing. Well nothing isn’t an option if you have two components. At a minimum you will have to do a manual or scripted way of redirecting your users to the second component when the first hits the load mark, needs maintenance or fails. I doubt that you or your environment will remain long loved when trying this in a manual way…..

The best fit all depends on what you are trying to achieve with the networking as a larger picture or for example load balancing specifically. Are you load balancing the user connections to two connection servers for availability, doing tunneled desktop sessions, or doing a cloud pod architecture over multiple sites and thus globally. That all has to be taken into account.

In this blog post I want to show you using NSX for load balancing connection server resources.

Horizon Architecture and load balancers

Where in the Horizon architecture do we need load balancers? Well, for the parts that connect to our user sessions and are scaled out for resources or availability. We need them in our local pods, and we need global load balancers when we have several sites.

Externally:

  • Unified Access Gateway (formerly known as Access Point)
  • Security Server (if you happen to have that one lying around)

Internally:

  • Workspace ONE/vIDM.
  • Connection Servers within a Pod, with or without CPA. However with CPA we need some more than just local traffic.
  • AppVolumes Managers.

And maybe you have other components to load balance, such as multiple vROPS analytical nodes for user interface load not hitting one node. As long as the node the Horizon for adapter connects to or from is not load balanced.

Load Balancers

To improve the availability of all these kind of components, a load balancer is used to publish a single virtual service that internal or external clients connect to. For example for the connection server load balanced configuration, the load balancer serves as a central point for authentication traffic flow between clients and the Horizon infrastructure, sending clients to the best performing and most available connection server instance. I will keep the lab a bit simple by just load balancing two connection server resources.

Want to read up more about load balancing CPA? EUC Junkie Bearded VDI Junkie vHojan (https://twitter.com/vhojan) has an excellent blog post about CPA and impact of certain load balancing decisions. Read it here https://vhojan.nl/deploy-cpa-without-f5-gtm-nsx/.

For this one here, on to the Bat-Lab….

Bat-Labbing NSX Edge Load Balancing

Let's make the theory stick and get it up and running in a Horizon lab I have added to Ravello. It is cloned from an application blueprint I use for almost all my Horizon labs and is ready for adding a load balancing option with NSX for Desktop. The scenario is load balancing the connection servers. In this particular example, we are going for one-armed. This means the load balancer node will live on the same network segment as the connection servers. Start your engines!

Deploying NSX Manager

Now how do you get NSX in Ravello? Well, either deploy it on a nested ESXi or use the import method to deploy NSX directly on Ravello Cloud AWS or GC. I’m doing the latter. As you did not set a password, you can log in to the manager with user admin and password ‘default’.
That is the same password you can use to go to enable mode: type enable. And, if you wish, config t for configuration mode. Flashback to my Cisco days :))…. In configuration mode you can set host names, IP and such via CLI.
But the easiest way is to type setup in basic/enable mode. Afterwards you should be able to log in via the HTTPS interface. Use that default password and we are in.

NSX - vTestlab

Add a vCenter registration to allow NSX components to be deployed. On to the vSphere Web Client. At this point you must register an NSX license, or else you will fail to deploy the NSX Edge Security Gateway Appliance.

Next, prepare the cluster for a network fabric to receive the Edges. Go to Installation and click the Host Preparation tab. Prepare the hosts in the cluster you want to deploy to (and have them licensed for VDI components, or NSX for Desktop is no option). Click on Actions – Install when you are all set.

NSX - Prepare Host

For this Edge Load Balancer services deployment you don’t need a VXLAN or NSX Controller. So for this blog part I will skip this.

Next up is deploying an NSX Edge. Go to NSX Edge and click on the green cross to add one. Fill in the details and configure a minimum of one interface (depending on the deployment type); as I am using a one-arm setup, select the pools and networks and fill in the details. In production you would also want some sort of cluster for your load balancers, but I have only deployed one for now. Link the network to a logical switch, distributed vSwitch or standard vSwitch. I have only one, so I use the same network on the standard vSwitch. Put in the IP addresses. Put in the gateway and decide on your firewall settings. And let it deploy the OVA.

If you forgot to allow nesting in /etc/vmware/config and get the "You are running VMware ESX through an incompatible hypervisor" error, add vmx.allowNested = "TRUE" to that file on the ESXi host nested on Ravello. Run /sbin/auto-backup.sh after that. If you retry the deployment, it will normally work.

Load Balancing

We have two connection servers in vTestLab

Connection Servers

Go back to the vSphere web client and double-click the just created NSX edge. Go to Manage and tab Load Balancer. Enable the Load Balancer.

Horizon LB - Enable Global

Create an Application Profile. For this configuration I used a SSL pass through for HTTPS protocol with Session persistency.

NSX LB - Application Profile

For this setup you can leave the default HTTPS service monitor. Normally you would also want to have service checks on for example the Blast gateway (8443) or PCoIP (4172) if components use this.
Next setup your pool to include your virtual servers (the connection servers) and the service check, monitor port and connections to take in to account.

NSX Hor Pool Detail

Next up create the virtual server with the load balancing VIP and match that one to the just created pool.

Virtual Server

After this look at the status and select pool

NSX Pool Status.png

Both are up.
You can now test whether an HTTPS connection to 10.0.0.12 shows you the connection server login page.

Connected.png

Connected. Using HTML Access will fail with an error connecting to the connection server (Horizon 7.1) as I did not change the origin checking. You can disable this protection by adding the following entry to the file locked.properties (C:\Program Files\VMware\VMware View\Server\sslgateway\conf) on each connection server:

checkOrigin=false
balancedHost=load-balancer-name

Restart the VMware Horizon View Connection Server service.
And of course you would add a DNS record for 10.0.0.12, like vdi.vtest.lab, for your users to use when connecting to the connection servers. And use an SSL certificate with that name.
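To keep track of which connection servers have origin checking switched off, the locked.properties entries above can be summarised per server. This is an added example, not part of the original post; the function name, the server names cs01/cs02 and the sample file contents are constructed, and the expected host is the vdi.vtest.lab name used above.

```powershell
# Added example: report the origin-check settings found in locked.properties
# so a disabled check or a wrong balancedHost name stands out per server.
function Get-OriginCheckSetting {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string[]] $Line = @(),
        [Parameter(Mandatory)] [string] $ExpectedHost
    )
    $props = @{}
    foreach ($l in $Line) {
        $t = $l.Trim()
        # Skip blank lines and properties-file comments.
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $k, $v = $t -split '\s*[=:]\s*', 2
        $props[$k] = $v
    }

    [pscustomobject]@{
        Server              = $Server
        CheckOrigin         = if ($props.ContainsKey('checkOrigin')) { $props['checkOrigin'] } else { '(not set)' }
        OriginCheckDisabled = ($props['checkOrigin'] -eq 'false')
        BalancedHost        = $props['balancedHost']
        BalancedHostMatches = ($props['balancedHost'] -eq $ExpectedHost)
    }
}

# Constructed sample contents for two hypothetical connection servers.
$files = @{
    'cs01' = @('checkOrigin=false', 'balancedHost=load-balancer-name')
    'cs02' = @('# constructed sample', '', 'balancedHost=vdi.vtest.lab')
}

$report = foreach ($server in ($files.Keys | Sort-Object)) {
    Get-OriginCheckSetting -Server $server -Line $files[$server] -ExpectedHost 'vdi.vtest.lab'
}
$report | Format-Table -AutoSize

# On a connection server itself, feed the real file instead of the sample:
# $path = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties'
# Get-OriginCheckSetting -Server $env:COMPUTERNAME -Line (Get-Content -LiteralPath $path) -ExpectedHost 'vdi.vtest.lab'
```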

Now a last check to see if the load balancing is working correctly. I kill off one of the connection servers.

Man down

And let's see what the URL is doing now:

Admin after man down

Perfect, the load balancer connects to the remaining connection server. This time for the admin page.

This concludes this small demonstration of using NSX for Load Balancing Horizon components.

– Happy load balancing the EUC world!

Sources: vmware.com

WebCommander Walnut Installation Walk-through

In a previous blog post from a far away history, I wrote about the WebCommander Fling (https://pascalswereld.nl/2013/10/30/webcommander/). Man that one is from 2013, I have been putting blog posts out there for a while now, hope you did find something useful on the blog…..
Anyhow, back to this one. The WebCommander developer reached out in a comment on that previous post with a request to write up a guide for WebCommander Walnut. I am writing it up as a walk-through to get it started and to show some output. If you would like some additions to the post, add a comment with the information you would like to see, or post questions / remarks, and I will see if I can make some additions. But first….a little reminder about that commander out on the web…

What is WebCommander

WebCommander is a collection of web services around PowerShell and PowerCLI scripts. The interface can be used to provide users with scripts without them learning or knowing the PowerCLI commands. Or to give users access only to specific prepared tasks without giving them access to the web client (they still need to have permissions in the environment to do their operations). A great way in delegating specific tasks!

WebCommander was initially released and maintained as a VMware Fling. WebCommander was received very well by the community and saw the Fling being released as, and in turn moved to, an open source project on GitHub in 2014 (as announced on http://www.virtu-al.net/2014/09/03/webcommander-goes-open-source/).

The WebCommander project page can be found at: https://github.com/vmware/webcommander. This WebCommander version mainly uses XML with browser side transforming (XSLT). And when you hear version you know there might be another one, and yes there is WebCommander Walnut in a different branch.

WebCommander Walnut is to be used when :

  • you prefer JSON over XML,
  • combining commands in workflows for more or complex automation,
  • run local or cloud scripts (WebCommander Hybrid),
  • having a history,
  • 64-bit PowerShell,
  • more new features,
  • and a new User Interface

WebCommander

Take a look at WebCommander Walnut for yourself, go to GitHub: https://github.com/9whirls/webcommander_walnut

Installation Guide

Prepare the system:

Create a VM

Use Windows 2012R2 or Windows 2008R2 as the OS.

When using Windows2008R2 there are the following specifics:

  • Install .Net Framework 4.5.2. Needed for the installation of PowerShell v5 on 2008R2
  • Install PowerShell version 5

When using a fresh installation of Windows2012R2 install PowerShell Version 5.

For installation of PowerShell version 5, install the Windows Management Framework 5.0, which can be downloaded as an update or directly from https://www.microsoft.com/en-us/download/details.aspx?id=50395.

For Webcommander and PowerShell: Set-ExecutionPolicy Unrestricted -Force.

IIS Web-Server (including SubFeatures and Management Tools). Either use the Add Roles and Features GUI to install the Web Server role or use PowerShell:

Install-WindowsFeature Web-Server -IncludeManagementTools -IncludeAllSubFeature

PHP from https://php.iis.net. Click  ‘Install PHP now’ from the web site to download the latest version. Execute the downloaded exe to start the Web Platform Installer. Continue the installer with all the default options (you can change by clicking the options link) and accept to do the installation. The installer will download and install the prerequisites.

PHP IIS Installation

And click Finish when done.

Install MongoDB for commands history.

In short the procedure for MongoDB is:

MongoDB download CE

It should offer you the correct release and OS.

  • Install via the downloaded msi. Select complete or customize if you want. Complete will install in the default locations.
  • Add the installation location as a system path environment. The default installation location is C:\Program Files\MongoDB\Server\3.4\bin.
  • Use your powershell window used to install IIS or open a command prompt
  • MongoDB requires a data directory to store all data. MongoDB’s default data directory path is \data\db. Create this folder using the following command line:
md \data\db
  • Or use another location to suit your needs.
  • MongoDB also requires a location to store logs. Create the log folder using command line
md \data\log
  • Create a config file location with
md \data\conf
  • And add a text file mongodb.cfg there (watch the view – file extensions there!)
  • Add the following to the cfg file and save:
           systemLog:
                  destination: file
                  path: c:\data\log\mongod.log
           storage:
                  dbPath: c:\data\db

mongodb

  • Install MongoDB as a Windows service by running mongod.exe with the --install parameter (as administrator!).
mongod.exe --config "C:\data\conf\mongodb.cfg" --install

If you get an "api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer" error like this

System Error - Mongod

either your Windows updates got screwed up or you have to install the Visual C++ Redistributable. (Re)installing Visual C++ will mostly do the trick.

  • And now we will have a MongoDB service (use --serviceName and --serviceDisplayName to change to another name if you wish).
  • Start the MongoDB service with net start MongoDB.
  • Create the database and collection in MongoDB for WebCommander by running the commands below:
    • mongo.exe
    • use webcmd
    • db.createCollection("history")
    • Mongo should respond with “ok”:1
  • Install the MongoDB powershell module:
    • In PowerShellv5
Install-Module Mdbc
    • Accept the installation of required components.

Install latest version of VMware PowerCLI (version 6.5.1 at time of writing):

  • The good thing is that version 6.5.1 does not require an msi installer anymore. You can install it from the PowerShell Gallery via PowerShellGet (with the correct version of PowerShell, but we covered that one already):
Install-Module VMware.PowerCLI
    • Use -Scope CurrentUser to install for this user only, with no admin permissions required

Install WebCommander:

Download the files from GitHub, for example for the zip file: https://github.com/9whirls/webcommander_walnut/archive/master.zip

Extract the zip and copy to c:\WebCommander. Or use your own location.

The zip is composed of the following files and directories as subdirectories of the master directory:

  • www/ – These are the files that need to be set up as the web service in IIS. _def is the file that is used to add the locations of the local scripts as defined in sources.json.
  • powershell/ – The local PowerShell command scripts.
  • README.md – Readme file of the project.
  • sources.json – Locations of local and remote scripts, for when you want to use the remote script capability.

Note: that is what it is currently composed of… You never know what the future brings.

Note: For scripts depending on your security policy Windows will normally block the files because they were downloaded from an external location, so you will have to unblock these files. Select the file – properties – and press the unblock in the security part at the bottom.

Open IIS Manager to configure the WebCommander site:

  • Remove the default site
  • Add a new site (in this case I used the administrator to connect as to know which user is running, don’t just copy but do what is appropriate for your environment)

Add Webcommandersite

  • select the WebCommander site and open the authentication feature
  • Enable Windows Authentication, and disable Anonymous.

Site Authentication

  • If we now open a browser we will see the initial page

Initial Localhost

When clicking on select a command we can only select the remote commands. Use sources.json to define the local locations. For me it was fixed by removing http://localhost/ from the local configuration so that it reads: "local" : "_def.json",

This one could also help as the _def.json was also a bit empty. Go to c:\WebCommander\powershell\ and execute .\genDefJson.ps1 to recreate the definition json. We should use genDefJson when updating any ps1 scripts.

And voila local also shows up

WebCommander Local also

 

Test drive WebCommander

There are scripts for vSphere actions and Horizon view actions distributed with the Git.

I have seen the following error message pop up: AuthorizationManager check failed. This is what I found and changed:

  • For some reason the execution policy was back to Restricted. Run Set-ExecutionPolicy RemoteSigned or Unrestricted.
  • With the ExecutionPolicy set to RemoteSigned or Unrestricted, this error may still occur if the script or one of the other included scripts is still blocked. From Explorer, right-click the file, select Properties and click Unblock. Go through all the files!
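Both checks from the list above can be done from PowerShell instead of clicking through every file. This is an added example, not part of the original post or of WebCommander; the function name is constructed and the path is the c:\WebCommander location used earlier.

```powershell
# Added example: show which scope sets the effective execution policy and
# list the WebCommander files that still carry the "downloaded" mark.

# 1. Execution policy per scope. Run this in the same (64-bit) PowerShell
#    that WebCommander Walnut uses; 32-bit and 64-bit PowerShell keep
#    separate LocalMachine settings.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Files blocked by Windows have a Zone.Identifier alternate data stream.
function Get-BlockedFile {
    param([string] $Path = 'C:\WebCommander')

    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        $file = $_
        $ads  = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($ads) {
            $zoneLine = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' |
                Where-Object { $_ -like 'ZoneId=*' } |
                Select-Object -First 1
            [pscustomobject]@{
                File   = $file.FullName
                ZoneId = ($zoneLine -replace '^ZoneId=', '')   # 3 = Internet zone
                Sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

$blocked = @(Get-BlockedFile -Path 'C:\WebCommander')
$blocked | Format-Table -AutoSize

# 3. Review the list (and the hashes) first, then unblock.
#    -WhatIf only prints what would happen; remove it to apply.
$blocked | ForEach-Object { Unblock-File -LiteralPath $_.File -WhatIf }
```

With every file unblocked, the RemoteSigned policy mentioned above is enough for the downloaded scripts to run.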

  • Add Command vSphere (local)
  • Add the required parameters, go to method to select what you want to do. I just want to see, so listDatastore is my option.
  • And press the play
  • Go to the output if there is a Pass
  • And ….

Pass vSphere (local)

If we want to get rid of the PowerCLI Customer Experience Improvement Program (CEIP) warning in the output, run the following in PowerShell:

Set-PowerCLIConfiguration -ParticipateInCEIP $false

(optionally with -Scope User / AllUsers)

And that’s it for now

– Enjoy WebCommanding throughout the universe!

Sources: labs.vmware.com, virtu-al.net, github.com/9whirls/webcommander_walnut

EUC Toolbox: Regshotting across the end user universe

For managing applications and user environments it is very useful to know the way the application and the user behave. And for application provisioning and user environment management it is necessary to know where the application and the system store the settings and personalization options. We will need some form of application for capturing or monitoring the changes that the application or its settings make to the system. For UEM, for example, we have the Application Profiler to create application configurations or predefined settings. But if you would like to see where our Windows friend stores its changes, Application Profiler is not enough. We need other tools for the job. We can use Process Monitor (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx) or SpyStudio (http://www.nektra.com/products/spystudio-api-monitor/), to name a few. Or Regshot.

The main difference between Regshot and, for example, the mentioned Process Monitor or SpyStudio is that this tool does not require admin permissions like Process Monitor or installation on the system like SpyStudio. You can just download it and run it in the user context. This is the strong point of Regshot: a low footprint and no changes to the system that could influence your capture. That holds as long as the changes you want to monitor are within the user context, but wasn’t this the point in the first place….

What does regshot do?

In short regshot takes a first and a second shot of the registry, and shows you the differences between these. Next to this regshot also allows you to scan dirs. For example save the registry and APPDATA after you have changed that minor customization. Isn’t that what you would want to see?

In short take a first shot before your change. Change the system and take a second shot. Press compare and see what has been changed. And use that output in for example UEM configurations.

Options

First up the application is available in 32-bit and 64-bit, and in ANSI and Unicode encoding.

Regshot Files

The difference here is the program architecture and how the character encoding is handled. If for example your language settings include non-Latin characters, you may want to use the Unicode version of Regshot. Otherwise it will not matter which one you take as long as the processor architecture is right.

Secondly with the shots you can do your shot, or do and save your shot. When saved you can later use this with the load option.

Capture and shot

Third, do you want your output in HTML or text? HTML is friendlier on the eyes, however it will take some more time to output. Sometimes the external program connection to HTML is screwed.

Fourth is including a scandir. By default Regshot will do the registry, but a lot of applications do save something in for example the AppData Local, ProgramData or other locations. I would recommend including the scandirs where possible. The only downside is that you would need to know where an application stores its values, or put in the most likely suspects. Just going all out for C:\users is getting you a lot of background noise from other applications using the same space.

Fifth is setting an output path. Currently it is set to the administrator’s AppData profile path. If I am scanning dirs in that location it might be a better idea to redirect the output to another location so as not to mess up the output.

Do keep in mind not to let a lot of cycles pass between the first and second shot. The system will continue to run and add up changes between the shots. Do your required change and shoot again.

Where can I get Regshot?

Regshot is available on its Sourceforge project page at https://sourceforge.net/projects/regshot/. You can download Regshot as a compressed .7z file. You can open this with 7Zip or WinZip. The downside of the 7z is that if you haven’t brought an additional zip application, native Windows can’t handle this. There goes my no changes to the system with using Regshot…..or just unzip it on another system ;)

Show me

Don’t mind if I do. First we are going to take our first shot. Just let the program count the keys and values, and the dirs and files, until the second shot button appears.

Regshot Shooting

I don’t mind the time it takes, my testlab is a bit on the slow side. And including the scandir takes an even longer time than just browsing the registry. But I’m there for the results not the speed.

Next up, make a change to the system. For this example I changed the Chrome browser settings to show the home button and always show the bookmark bar. Done with the change? Take the 2nd shot. And wait until the compare button is available. Then press that one. In the output is for example:

Keys Home

We see that Chrome wrote to the \Software\Google\Chrome\PreferenceMACs in the USER SID key. However SIDs we cannot capture with for example UEM. We do know that this is the same as HKCU and can be captured from the HKCU\Software\Google\Chrome\PreferenceMACs. Just add the HKCU\Software\Google\Chrome\PreferenceMACs or HKCU\Software\Google\Chrome to be included in the UEM Configuration.

Now it is up to you to analyse what is needed.
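The SID-to-HKCU mapping described above, as an added Python example (not part of the original post, and not Regshot or UEM code). It reads a constructed sample laid out like a Regshot text report, maps `HKU\<SID>` paths to `HKCU`, and returns the keys to include; the section headings, the sample SID and the `depth` parameter are assumptions made for the example.

```python
import re

# HKU\<SID>\... is the user's own hive; HKU\<SID>_Classes\... is the per-user
# classes hive, which Windows exposes as HKCU\Software\Classes.
USER_HIVE = re.compile(
    r"^(?:HKU|HKEY_USERS)\\(?P<sid>S-1-5-21(?:-\d+)+)(?P<classes>_Classes)?"
    r"(?P<rest>\\.*)?$", re.IGNORECASE)
SECTION = re.compile(r"^(Keys|Values) (added|deleted|modified):\s*\d+", re.I)

# Constructed sample: SIDs, value names and data are made up for this example,
# and the heading layout is an assumption about the text report.
SAMPLE_REPORT = r"""
----------------------------------
Keys added: 1
----------------------------------
HKU\S-1-5-21-1-2-3-1001\Software\Google\Chrome\PreferenceMACs\Default

----------------------------------
Values added: 3
----------------------------------
HKU\S-1-5-21-1-2-3-1001\Software\Google\Chrome\PreferenceMACs\Default\homepage: "CONSTRUCTED"
HKU\S-1-5-21-1-2-3-1001_Classes\Local Settings\Constructed\name: "x"
HKLM\SOFTWARE\Constructed\Vendor\Setting: 0x00000001

----------------------------------
Values modified: 1
----------------------------------
HKU\S-1-5-21-1-2-3-1002\Software\Other\App\Flag: 0x00000000
HKU\S-1-5-21-1-2-3-1002\Software\Other\App\Flag: 0x00000001
"""


def to_hkcu(path, user_sid):
    """Return the HKCU form of a path in user_sid's hive, else None."""
    match = USER_HIVE.match(path)
    if not match or match["sid"].upper() != user_sid.upper():
        return None  # HKLM, .DEFAULT or another user's hive
    prefix = r"HKCU\Software\Classes" if match["classes"] else "HKCU"
    return prefix + (match["rest"] or "")


def changed_keys(report_text):
    """Yield (section, key_path) for every registry line of the report."""
    section = None
    for line in map(str.strip, report_text.splitlines()):
        header = SECTION.match(line)
        if header:
            section = header.group(0).split(":")[0].lower()
        elif section and line.upper().startswith(("HKU\\", "HKLM\\", "HKEY_")):
            if section.startswith("values"):
                # "key\value name: data": drop the data, then the value name.
                line = line.split(": ", 1)[0].rpartition("\\")[0]
            yield section, line


def uem_include_paths(report_text, user_sid, depth=4):
    """Return (HKCU keys trimmed to `depth` components, keys that were skipped)."""
    include, skipped = set(), set()
    for section, key in changed_keys(report_text):
        mapped = to_hkcu(key, user_sid)
        if mapped is None:
            skipped.add(key)  # not part of this user's profile
        elif not section.endswith("deleted"):
            include.add("\\".join(mapped.split("\\")[:depth]))
    return sorted(include), sorted(skipped)


if __name__ == "__main__":
    keys, ignored = uem_include_paths(SAMPLE_REPORT, "S-1-5-21-1-2-3-1001")
    print("include:", *keys, sep="\n  ")
    print("skipped:", *ignored, sep="\n  ")
```

With `depth=5` the first result narrows from `HKCU\Software\Google\Chrome` to `HKCU\Software\Google\Chrome\PreferenceMACs`, the two choices named in the text.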

– Happy shooting at your users…ermmm user environment I mean!

Sources: sourceforge.net/projects/regshot

Product Evaluation: Inuvika Open Virtual Desktop (OVD)

Occasionally I get a request, or some urge bubbles in me, to look at vendor X with its product Y. And there is nothing wrong with that as I like to keep a broader view on things and not just betting on one horse.

And so a request from Inuvika did find me, asking to look at their evolution of the open virtual desktop (OVD) solution. Okay, using virtual desktop and application delivery triggers will get my attention for sure. Kudos for that. On top of that the name Inuvika gets my curiosity running in again a somewhat higher gear. No problem, I will take a peek and see if I can brew up a blog article at the same time. At the same time was almost a year ago…..But still wanting to take that peek. You will probably figure out that letting you read about OVD is a little bit overdue. Sorry for the delay….

A little notice up front: this blog post is my view only and not paid for, pre-published or otherwise influenced by the vendor. Their opinion might differ. Or not.

Wait what… Inuvika you say?

Yes Inuvika (ĭ-noo′vĭk-ă). If you open up your browser you could learn that the company name is based on a Canadian town, Inuvik, where it can be very cold. And that for 30 days in the year the sun doesn’t rise above the Horizon (*wink* *wink*). In such a place you will need a strong community and a collaborative approach to be able to live in so harsh an environment. Their product strategy is the same: offering an open source solution and collaborating with the community out there (however the separate community version and site is dead).
The Inuvika mothership is based in Toronto, so hopefully that doesn’t lose a bit of the magic just introduced ;). But wherever they are based, it does not change the approach of Inuvika.

Main thing, the guys and gals from Inuvika are where you can get the Open Virtual Desktop from. Go to https://inuvika.com/downloads to download your version. Or take a peek around the site.

Open Virtual Desktop sounds interesting enough, show me

Glad you asked. Let’s find out. We have the option to use a trial version for evaluation purposes, an enterprise license or the cloud version. I like it when we can find out a little about the bits and bytes ourselves. So I will be downloading OVD. But first up some architecture to know what screws and bolts we need, or can opt out from.

Architecture

The following diagram has been taken from the architecture and system requirements document and shows the components and the network flow for the system.

OVD-Architecture Overview

The OVD Roles:

  • The OVD Session Manager is the first required component. The OSM will be installed prior to the other components. As the master of puppets it’s the session broker, administration console and centralized management of the other OVD components.
  • The OVD Application Server is one of the slave servers that will communicate with OSM. The OAS is the component that serves the application and desktop pools to the users, accessed from either the web portal or the OVD Enterprise client. OAS is available in a Linux or Windows flavor. OAS can be pooled together and load balanced from the OSM. However you will need Enterprise for that as Foundation is limited to one application server (seriously just one?).
  • The OVD Web Access. OWA is responsible for managing and brokering Web sessions. Now where did we see that abbreviation before… Either using Java (going away in a next release) or HTML5, SSL tunneled if required. If using OVD clients only, this component is not needed. OWA will also offer an API (JavaScript) to integrate OVD with other web-based applications.
  • The OVD File Server. The OFS component offers a centralized network file system to the users of the OAS’ses, keeping access to the same data not depending on the OAS the user is on. Data can be user profiles, application data or other company data. The data is only accessible from the OAS sessions and is not published in another way like a contentlocker or dropbox.
  • ESG (hey wait no O something something). The Enterprise Secure Gateway is used as a unified access layer for external, but optionally also internal connections. ESG tunnels all the OVD connections between the client and itself, over a HTTPS session. So from any location, users that have access to HTTPS (443) will also be able to start an OVD session. If not using ESG tunnels, the OVD client will need to have HTTPS and RDP open to the OAS. Requires the Enterprise license.
  • Further, 2.3.0 brings a tech preview of OWAC, the Web Application Connector, to offer SSO integration as an identity appliance.

All components run on a Linux distribution supporting the flavors RHEL, CentOS or Ubuntu LTS. The only component where Windows will be used is when OAS is offering Windows desktops or Windows-based applications on RDS services. Supported RDS OS versions are Windows 2K8R2, W2012 and W2012R2. Isn’t it time for Windows 2016 by now?

In the OVD architecture we see the sort of familiar components that we see in similar virtual desktop solutions, only with a bit of a different naming. In a first overview the OVD architecture seems like what we are used to, no barriers here to cross.

In a production environment the Inuvika OVD installation will use several servers all doing their specific role. Some roles you will always see in a OVD deployment. Others are optional or can be configured to run together with other roles. And with external dependencies entering the mix with load balancers in front of OWA for example. Small shops will have some roles combined while having a smaller amount of OAS times n.

It all depends on the environment size and requirements you have for availability, scalability, resilience, security and so on.

Into the Bat-lab

Come on Robin to the Bat Cave! I mean the test lab. Time to see that OVD in action and take it for a spin. Lab action that is, however Inuvika also offers access to a hosted demo platform if you don’t have a lab or test environment lying around. From the download page https://inuvika.com/downloads you can download the Demo Appliance or register for the OVD Full installation. I will use the demo appliance for this blog post, as I would probably also be installing multiple roles on the same virtual machine. The Demo Appliance is a virtual machine with the following OVD roles installed:

  • OVD Session Manager (OSM)
  • OVD Web Access (OWA),
  • OVD Application Server for Linux (OAS)
  • OVD File Server (OFS).

I will be using my Ravello Cloud vTestlab to host the OVD. So first I have to upload the OVA into the Ravello library. Once available in Ravello I can create a lab environment. I can just import the OVD, but I also want to see some client and AD integration if possible. I added my vTestlab domain controller and Windows 10 clients into the mix.

Inuvika Demo Lab

Let’s see if I can use them both, or I am wasting CPU cycles in Ravello. Good thing April is half through and I still have 720 CPU hours remaining this month, so not much of a problem in my book.

When starting the OVD demo appliance it will start with the Inuvika Configuration Tools. Choose your keyboard settings (US). And presto the appliance starts up with the IP I configured while deploying the application.

OVD - Demo Console after start

Here you can also capture the login details for the appliance: inuvika/inuvika. The default user for the administration console is admin/admin. Open up a browser and point to the FQDN or IP for web access: HTTP://<your appliance>/. Here we are greeted by a page where we can start a user session, open the administration console, the documentation, the installer bits for the Windows AS and the clients.

The user sessions offered in the demo appliance are based on the internal users and internal Ubuntu Desktop and applications. The client can be set to desktop mode, which is a virtual desktop with the applications published to the user. Or can be portal mode, where the user is presented with a portal (so it’s not just a clever name) with all its application entitlements. The client starts with Java to allow for redirecting drives. Using HTML5 will not allow a drive to be redirected. The Demo appliance is populated with demo users where the password is the same as the user name. Just add cholland with password cholland in the client screen and you will be presented with a user session.

OVD Web login.png

And see the portal with the users entitlement and the file browser for data exchange between sessions.

OVD Demo - Client Portal

Start up a Firefox browser session and open my blog. Yup all works.

OVD - Client Firefox Blog

For using the Enterprise Client the demo appliance needs to be switched to Enterprise. And you need a license for that! Via the admin console you need to set the system in maintenance mode. Via the appliance console, after logging in, you get the menu where you can choose option 3 Install OVD Enterprise. After this you can set the system back to production, are greeted by a subscription error, and via Configuration – Subscription Keys you can upload the license file. When a valid license is installed you can run the Enterprise client for your evaluation. The client options are somewhat similar to those of the web client, besides adding the site name in the client instead of a browser URL.

OVD Ent Client Login

We also have the administration console. While this has a few more options and I am not trying to rewrite the documentation, I will show some of the parts. Basically, try out the options yourself to see what the differences are.

We are greeted with an index page with an environment overview and user/applications publications. These will be the main actions when using the product. Of course we also have some menu options for reporting and configuration.

OVD - Admin Index

Let’s see if we can get some AD users in and entitle them to the demo. It seems a lot of organizations have their identity source already in place, and Microsoft is something used there. The Configuration option seems like a logical part to start. And here we have the domain integration settings. Currently it is set to the internal database. Let’s put some information in the Microsoft option to see if we get the AD part in.

OVD - Configuration

I am using the internal users to keep it simple and leave in the support for Linux. This is a demo, not production.

When the information is done and added, push the test button to see if the LDAP connect and bind works. Save when all green. Problems here? Go to Status – Logs to see wtf is happening. Main issues can be DNS, time offset or the standard account not having the correct information or UPN in the domain. The OVD Linux bind command is trying Login@Domain hardcoded.

And voilà, Administrator from the vTestlab domain has a session connected:

OVD - Administrator Session

My opinion about OVD

It works out of the box with any HTML5 browser. Or you can of course use the Enterprise client, but this will require an Enterprise license and RDP or i-RDP to the client desktops (or ESG to be SSL tunneled).

[Edit] I must correct my previous version that Inuvika is using RDP as an enterprise display protocol. That is not entirely true. OVD uses RemoteFX with the Enterprise Desktop Client and Windows Application Servers. RemoteFX is a set of technologies on top of RDP that enhances the visual experience significantly in comparison with the older RDP (the non-RemoteFX). Indeed better for the user experience, how much better we will leave up to the users. For Linux Application Servers there is not yet RemoteFX support, this is forthcoming.
[Close Edit]

For HTML browser user connections, or using the Enterprise client in combination with the ESG, OVD utilizes HTTPS (tcp/443) and thus is roadwarrior friendly. With roadwarrior friendly I mean a service that is firewall friendly and makes hotel, Starbucks cafe or airport WiFi a place to use the environment without blockages, changing ports, VPN tunnels or not being able to use the service remotely from that location.

For IT Operations the administration console is in a single console. No scattering consoles or admin tools all over the place. And no dependencies, like the disliked flash plugin for some other solution out there ;). Further the expected components are there in a logical location.

Cross publishing apps between distributions is a very nice feature. Windows in Linux or Linux with Windows apps, great. Or add web applications to the mix. Furthermore Inuvika is not bound by a stack choice or hypervisor. VMware vSphere yes, Nutanix (Nutanix Ready AHV) yes, KVM, etc yes.

The use cases, applications and desktops still have to be assessed and designed accordingly. And these will be the most important bits for the users. This is what wins or breaks an EUC environment. I won’t see a lot of users now on Windows-based desktops and applications, going to Linux desktop and apps without more or less resistance and opposition. That Windows will be in there for now. But this is the same for the other vendors, not much difference here.

I personally don’t know what the user experience is when doing your day-to-day working throughout the business cycle. I haven’t come across Inuvika OVD in the wild.

One of the strong points of going open source is that the product will be improved by the contributions of the community (if there still is a community version….). That will mitigate some of the above. But also will require the OVD community to have a footprint of some sort for the required input and change. If the community is too small it will not be able to help Inuvika and the OVD user base.

I think cost wise it will be interesting for some shops out there looking to replace their EUC solutions and in the mean time look for ways to cut costs. These shops probably already have some issues and bad experience with their current solution along the way. I do not think organizations happy with VMware Horizon or Citrix will be lining up to replace their EUC with Inuvika. Yet ..that is.
This is a fast world, and it is interesting to see that there are vendors thinking outside of the paved roads. It makes their but also other solutions a better place for the users. It’s the community and open source that is really interesting here. So just give it a go and see for yourself. Don’t forget to share your experience with the community.

– Happy using your OVD from Inuvika!

Sources: inuvika.com.

EUC: Can I kick it – upgrading to Horizon 7.1

The 16th of March was a good day. The NLVMUG was going on in the Netherlands (great event!), great weather and Horizon 7.1 went GA. And I wanted to get my TestLab up and running with that version, and take a little peek if there are any of my’s in the upgrade. See what and where things are changed. So why not write-up this pirate’s adventure….

Upgrade Procedure and Interoperability

Before the upgrade it is important to know in which order the bits are to be upgraded, whether we are doing an in-place or new VM deployment, and whether new versions still work with other components in the environment or those also need to be upgraded or would break the upgrade.

The upgrade procedure is more or less the same as with the previous ones:

  • Check the status of the components. If there currently are health issues, fix them before the upgrade. Or use the upgrade to try to fix your issue if they are named as a fix in the release notes.
  • Get out your password manager for database passwords and so on.
  • Complete backups and snapshots. Don’t forget databases and such!
  • Disable provisioning and upgrade Composers. Provisioning can only be enabled when all components are upgraded.
  • Disable connection server and upgrade connection server. If you have more you can do one at a time to leave your users the option to connect. Disable connection server in Horizon admin and load balancer.
  • Optional Upgrade Paired Connection Server and Security Server. Disable connection and prepare security server for upgrade in the Horizon Admin, and in load balancer. First upgrade the paired connection server and then the Security server.
  • Upgrade the Horizon Agent.
  • Upgrade the Horizon Clients.
  • Upgrade the GPO’s to ADMX’s.

Note: during an upgrade it is allowed, or supported, that some older versions interact with the new versions. For example, first upgrade the composer in one maintenance window and the connection servers in the following one. Just don’t let that upgrade window take ages.

Your environment probably will have some other upgrades like other Horizon suite components, vSphere, Tools, Windows versions and so on. Be sure to have the steps breakdown before doing any upgrades.

Check if the component versions can work together by checking the VMware Product Interoperability Matrices at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php#interop. Be sure to put in all the VMware solutions you are using. And check with vendors of components outside of the VMware scope. Don’t forget your Zero or Thin Client vendors!

Find a red in there, well stop right there before upgrading.

Treasure map

I have my testlab in the cloud. So for not breaking all the bits, I am cloning my lab in a new lab that I will use for the upgrade. Pretty nice functionality!

Announcement and location

While preparing for the upgrade bits to download we have some time to browse through the 7.1 announcements. Surely you have seen the VMware announcement or blog write-ups that you can choose from. If not, ITQ Master of Drones and EUC Laurens has a post on the announcement bit that you can find over here: https://www.vdrone.nl/whats-new-vmware-horizon-7-1/.

Downloads, well easy peasy, they are in the usual my.vmware.com spot (linkie to the VMware spot: https://my.vmware.com/group/vmware/info?slug=desktop_end_user_computing/vmware_horizon/7_1). Have an active SnS and you’re entitled to get the upgrade bits, or else go for an evaluation.

Grab - Download Horizon 7.1

And while you’re at it, get the ADMX files for all of the Horizon GPOs. Thumbs up, finally they are there VMware. Better late than never.

Upgrade Procedure

I have the following components in my vTestlab that need upgrading: Horizon Composer because of the current desktop pools, Horizon Connection Server and databases that are running because of these services. And Horizon Agent in the desktop pools.

For my testlab I used a saved blueprint of my VCAP-DTM lab and used that blueprint to publish a new testlab in Ravello.

After the upgrade I have to check the following components that interact with Horizon, vIDM and vROPS for Horizon. And client connections of course.

Composer

After disabling the provisioning of the desktop pools, log on to your composer server.

Capture - Disable Provisioning Desktop Pool

On the composer server start the installer. After the startup it detects that an upgrade should take place.

Capture - Composer Upgrade

  1. Click next,
  2. Accept the EULA,
  3. Check your destination folder,
  4. Check database settings and input password,
  5. Check port and certificate settings. Note: if you create a new SSL certificate you will have to retrust that one in Horizon. I am reusing the SSL certificate so I select the one installed,
  6. Check and push the install button,
  7. Grab a coffee and check status,
  8. Finish,
  9. Restart server,
  10. Rinse and repeat for other composers in your environment,
  11. If you are done with all components in your desktop block, don’t forget to enable provisioning of the desktop pool!

Connection Server

After disabling the connection server you are going to work on, log on to the connection server.

Capture - Disable connection server

Select the connection server and click the disable button.

On the connection server start the installer. Like the composer upgrade, the installer will detect it is in an upgrade scenario.

Capture - Horizon Connection Upgrade

  1. Click next,
  2. Accept the EULA,
  3. Check and push the install button,
  4. Grab another coffee and check status,
  5. Finish and read the read me. Yes really, depending on where you’re coming from there are some pointers in there to check or change to make your life simpler,
  6. Open a browser to your upgraded host and look at that spiffy portal,
  7. Open the admin console and check connection to other components,
  8. Enable your connection server,
  9. Rinse and repeat for others,
  10. (don’t forget your load balancers….)

Look at that pretty new portal

Capture - Horizon Portal

Unfortunately the administration console GUI isn’t changed and flash (ahaaaa) is still around. Sad panda…..

Don’t forget to check if vIDM and vROPS for Horizon aren’t broken. I had to repair/restart the broker agent with vROPS. And have a little patience for the metrics to flow back in.

Agent

I have got an RDSH hosted application farm server, I will be updating that agent. And some desktop pools, but the procedure is the same. First off, disabling access to the RDSH. Well, that depends on the number of servers you have in the farm and what you’re hosting from it. Disable the hosted desktop pool for example. With my test lab it’s one server, so disabling the farm would be sufficient. Heck, I am the only user, so leaving everything running would only bug my multiple personalities (who said that?!?).

With several servers you could do maintenance on one by removing it from the farm. Be sure to have your farm running with the same versions. Or have a cloned pool, just update the template.

On the RDSH host start the installer. Again the installer will notice it is an upgrade.

  1. Click next,
  2. Accept the EULA,
  3. Check your IP version,
  4. Custom setup components, but we are not adding just upgrading click next,
  5. (manual only) Check registered settings RDSH with connection server,
  6. Next and Install,
  7. Finish and reboot,
  8. Enable hosts or pools when the farm is done.

What’s new in the admin?

Instant Clone pools have the option to select specific VLANs for that pool or use the VM network of the template snapshot.

Capture - IC Select Networks

In Global Settings – you have two new client settings:

Capture - Global Settings client

  • hide server information in client interface. You will only see the lock if the certificate is trusted, but not https://connectiontoserver.fq.dn.
  • hide domain list in client interface. Only the username and password boxes are shown. The drop down with the domains is gone. Great for use cases where you want to hide the domain or there is a sh*t load of domains in there. Users have to remember their UPN.

With client user interface this is the Horizon Client and the HTML client (for the domain list the URL is still in your browser if you haven’t hidden that in another way).

Capture - HTML client no domain

Mind that this is currently not working if the Horizon client is pushed from AirWatch to iOS.

In global settings you can also add an automatic refresh of the admin interface (can’t remember if this was already in) or display some MOTD or legal pre-login to all your users. This must be accepted by all your users before able to logon.

What is missing from the admin?

As @jketels already mentioned on twitter:

Still no VLAN selection support for Dedicated and Floating pools. Only Instant-Clones have this new option available. #Horizon #View 7.1 pic.twitter.com/ehYCnZa4nB

— Joey Ketels (@jketels) March 17, 2017

You can only do the network selection from the GUI in instant clone desktop pools. The network selection (step 7 in vCenter settings) is not available in, for example, linked clone pools. As if networks are not used in a CPA multiple POD deployment, or for all the other reasons that a lot of customers are using multiple VLANs for the desktop pools. Again a missed opportunity. And no, linked clones are not yet deprecated or planned to be, so support this from the GUI. Well, if needed, with PowerShell you can still get this in for your linked clones.

That’s it

That’s it, core components are upgraded and running happily. I probably still have to find out a bit more about what has been changed within this release, but for a start it looks pretty slick and without too much of a hassle.

– Happy getting your Horizon going the distance!

Sources: vmware.com, vdrone.nl

 

VCAP-DTM Deploy Prep: Horizon Lab on Ravello Cloud importing OVA

In my last post I was writing about creating a lab for your VCAP-DTM prep. Read it here: VCAP-DTM Deploy Prep: La La Land Lab and Horizon software versions. In that post I mentioned the cloud lab option with Ravello Cloud that I’m using myself. With appliances there are some “oh, did you look at this” moments while deploying them on Ravello Cloud. There are two or three appliances to take care of depending on your chosen architecture: vROPS, vIDM and VCSA. Two of those you can also do on a VM, vCenter on Windows and vROPS on Windows or Linux. For vROPS, 6.4 is the last version with a Windows installer.

I personally went with one vCenter on Windows combined with composer (Windows only), so I will skip that one. For vIDM you will have to use the OVA.

Okay, options for OVA’s and getting them deployed: 1) directly on Ravello or 2) use nested hypervisor to deploy to, or 3) use a frog-leap with a deployment on vSphere and upload those to Ravello. The first we are going to do as the second creates a dependency with a nested hypervisor, wasting resource on that layer, getting the data there, traffic data flow, and for this lab I don’t want the hypervisor to be used other than for composer actions required in the objectives. The third, well wasn’t there a point to putting labs in Ravello Cloud.

Now how do I get my OVA deployed on Ravello?

For this we have the Ravello import tool where we can upload several VM’s, disks and installers to the environment. We first need to have the install bits for identity manager and vROPS downloaded from my.vmware.com.

In Ravello Cloud go to Library – VM – +Import VM. This will either prompt you to install Ravello Import Tool (available for Windows and Mac) or start the import tool.
In the Ravello import tool click on Upload (or Upload a new item). This will open the upload wizard. Select the Upload a VM from a OVF, OVA or Ravello Export File source. And click start to select your OVA location.

Grab Ravello Import Wizard - VM from OVA

Select the vIDM OVA and upload.

Grab - Ravello Upload There she goes

But are we done?
No grab vROPS as well.

Grab - Ravello Upload vROPS as well.png

If the upload is finished we will need to verify the VM. As part of the VM import process, the Ravello Import Tool automatically gets the settings from the OVF extracted out of the OVA. Verify that the settings for this imported VM matches its original configuration or the one you want to use. You can verify at Library – VM. You will see your imported VM’s with a configuration icon. Click your VM and select the configuration, go through the tabs to check. Finish.

It normally imports the values from the OVF, but it will sometimes screw up some values. When you have multiple deployment options like vROPS you will have to choose the default size. The vROPS import will be set either to the extra small deployment with 2 vCPU and 8 GB, or to very large. Or use the one you like yourself. Same goes for the External Services. I won’t put them in (yet). Checking the settings from the OVA yourself is up in the next paragraph.

Now how do I get the information to verify to?

You can from the sizing calculations done in designing the solution ;). But another way is to look in the OVA. An OVA is just an archive format for the OVF and VMDKs that make up the appliance.

We need something to extract the OVAs. Use tar on any Linux/Mac or 7Zip on Windows. I am using tar for this example on my Mac. First up, getting vIDM running in my test lab.

Open a terminal and go to the download location. Extract the OVA with tar xvf. xvf stands for verbosely extract file followed by the filename. Well not in that order, but that’s the way I learned to type it ;).

That gives us this:

Capture - tar - ova

Here we see the appliance has four disks, system, db, tomcat and var vmdks.

If we look in the OVF file (use vi), at the DiskSection we will see that we need to have system in front and bootable, followed by db, tomcat and last var.

Still in the OVF file, next up note the resource requirements for the vIDM VM. We need those figures later on to configure the VM with the right resources. In the VirtualHardwareSection you will find the Number of virtual CPUs and Memory Size sections. We will need 2 vCPUs and 6 GB of vRAM (6144). And one network interface, so reserve one IP from your lab IP scheme. Okay, ready and set, prepping done.
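An added example (not from the original post, nor from VMware or Ravello tooling) that reads the same OVF facts straight from the OVA with Python's tarfile instead of unpacking it: disk order, vCPU and memory per deployment option, and NIC count. It goes one step beyond the text by also checking the manifest digests; the sample OVA and every name in it are constructed.

```python
import hashlib
import io
import re
import tarfile
import xml.etree.ElementTree as ET

OVF = "http://schemas.dmtf.org/ovf/envelope/1"
RASD = ("http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/"
        "CIM_ResourceAllocationSettingData")
NS = {"ovf": OVF, "rasd": RASD}
CPU, MEMORY, ETHERNET = "3", "4", "10"  # CIM resource type codes used in OVF

# Constructed descriptor for this example; it is NOT the real vIDM OVF.
SAMPLE_OVF = f"""<?xml version="1.0"?>
<Envelope xmlns="{OVF}" xmlns:ovf="{OVF}" xmlns:rasd="{RASD}">
 <References>
  <File ovf:id="f1" ovf:href="sample-system.vmdk"/>
  <File ovf:id="f2" ovf:href="sample-db.vmdk"/></References>
 <DiskSection><Info>disks</Info>
  <Disk ovf:diskId="system" ovf:fileRef="f1" ovf:capacity="10"/>
  <Disk ovf:diskId="db" ovf:fileRef="f2" ovf:capacity="20"/></DiskSection>
 <VirtualSystem ovf:id="sample"><Info>vm</Info>
  <VirtualHardwareSection><Info>hw</Info>
   <Item><rasd:ResourceType>3</rasd:ResourceType>
    <rasd:VirtualQuantity>2</rasd:VirtualQuantity></Item>
   <Item ovf:configuration="large"><rasd:ResourceType>3</rasd:ResourceType>
    <rasd:VirtualQuantity>4</rasd:VirtualQuantity></Item>
   <Item><rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
    <rasd:ResourceType>4</rasd:ResourceType>
    <rasd:VirtualQuantity>6144</rasd:VirtualQuantity></Item>
   <Item><rasd:ResourceType>10</rasd:ResourceType></Item>
  </VirtualHardwareSection></VirtualSystem></Envelope>"""


def build_sample_ova():
    """Return the bytes of a tiny constructed OVA (descriptor, disks, manifest)."""
    files = {"sample.ovf": SAMPLE_OVF.encode(),
             "sample-system.vmdk": b"constructed system disk",
             "sample-db.vmdk": b"constructed db disk"}
    files["sample.mf"] = "".join(
        f"SHA256({name})= {hashlib.sha256(data).hexdigest()}\n"
        for name, data in files.items()).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _attr(node, name, default=None):
    return node.get(f"{{{OVF}}}{name}", default)  # OVF attributes are namespaced


def inspect_ova(fileobj):
    """Summarise an OVA from the archive itself, without unpacking it to disk."""
    digests, texts = {}, {}
    with tarfile.open(fileobj=fileobj) as tar:
        for member in filter(tarfile.TarInfo.isfile, tar):
            stream, kept = tar.extractfile(member), b""
            hashes = {"SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
            keep = member.name.endswith((".ovf", ".mf"))
            for chunk in iter(lambda: stream.read(1 << 20), b""):  # stream big VMDKs
                for h in hashes.values():
                    h.update(chunk)
                kept += chunk if keep else b""
            digests[member.name] = {a: h.hexdigest() for a, h in hashes.items()}
            if keep:
                texts[member.name.rsplit(".", 1)[1]] = kept
    root = ET.fromstring(texts["ovf"])
    href = {_attr(f, "id"): _attr(f, "href")
            for f in root.findall("ovf:References/ovf:File", NS)}
    disks = [(_attr(d, "diskId"), href.get(_attr(d, "fileRef")))
             for d in root.findall("ovf:DiskSection/ovf:Disk", NS)]
    hardware = {}
    for item in root.iterfind(".//ovf:VirtualHardwareSection/ovf:Item", NS):
        # Items tagged ovf:configuration apply to that deployment option only;
        # untagged items ("" here) apply to every option.
        spec = hardware.setdefault(_attr(item, "configuration", ""), {})
        rtype = item.findtext("rasd:ResourceType", None, NS)
        qty = int(item.findtext("rasd:VirtualQuantity", "1", NS))
        if rtype == CPU:
            spec["cpu"] = qty
        elif rtype == MEMORY:
            units = item.findtext("rasd:AllocationUnits", "", NS)
            power = re.search(r"2\^(\d+)", units)  # "byte * 2^20" means MB
            spec["memory_mb"] = qty * 2 ** int(power[1] if power else 20) >> 20
        elif rtype == ETHERNET:
            spec["nics"] = spec.get("nics", 0) + 1
    # Manifest lines look like "SHA256(name)= hexdigest"; list files that differ.
    listed = re.findall(r"(SHA1|SHA256)\((.+?)\)\s*=\s*([0-9a-fA-F]+)",
                        texts.get("mf", b"").decode())
    mismatches = [name for algo, name, digest in listed
                  if digests.get(name, {}).get(algo) != digest.lower()]
    return {"disks": disks, "hardware": hardware, "manifest_mismatches": mismatches}
```

For a downloaded appliance, pass the opened file instead of the sample, for example `inspect_ova(open("appliance.ova", "rb"))`, where `appliance.ova` is a placeholder name.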

Deploying a VM from the Library

Go to the application you want to add the VM to. Click the plus sign and select the imported VM from the list. In the right pane customize the name, network, external settings and all the things you like to have set.

Grab - Ravello Add imported VM to App

Save and update the Application.

Wait for all the background processes to finish, and the VM is deployed and starts. Open a console to check if the start-up goes accordingly. And it will not ;) When you have opened a console you will notice a press any key message that the appliance fails to detect VMware’s Hypervisor and you are not supposed to run the product on this system. When you continue the application will run in an unsupported state. But we are running in a lab and not production.

IF YOU ARE READING THIS BLOG AND (MERELY) THINK ABOUT RUNNING PRODUCTION ON RAVELLO OR RUNNING PRODUCTION WITH THE IMPORTED VIDM LATER ON, GO QUIT YOUR JOB AND GO WALK THE WALK OF SHAME FOREVER.

Grab - Ravello Press Key

Press any key if you can find the any key on your keyboard. And yes you will have to do this every time you start up. Or use the procedure highlighted at this blog post https://www.ravellosystems.com/blog/install-vcenter-server-on-cloud/ to change /etc/init.d/boot.compliance (Scroll to 4 action 2 in the post, or to MSG in the file). Do it after you have configured the VM and the required passwords. But sssst you didn’t hear that from me…..

Back to the deployment and configure the VM with hostname, DNS and IPv4. Save and restart network. After this the deployment will continue with the startup.

And now you have a started appliance. We need the install wizard for IDM. Go to the vIDM URL that is shown on the blue screen in the console. For example, https://hostname.example.com. If this is the first time it will start the install wizard. Put in the passwords you want, select your database and finish.

After that you are redirected to the login screen. Log on with your login details and voila vIDM is deployed.

Grab - Ravello vIDM

Bloody Dutch in the interface, everything on my client is English except for the region settings. Have the “wrong” order in Chrome and boom vIDM is in Dutch. For the preparation and the simple fact that I cannot find anything in the user interface when it’s in Dutch I want to change this. Change the order in Chrome://settings – advanced settings – Languages – Language and input Settings button – drag English in front of Dutch to change the order. Refresh or click on a different tab and voila vIDM talks the language required for the VCAP-DTM or to find stuff…

Grab - Ravello vIDM English

Aaand the same goes for vROPS?

You can do the same with the vROPS deployment. Ravello doesn’t support the OVF properties normally used for setting vROPS appliance configuration. You miss that nifty IP address for the vROPS appliance. At the same time you have the issue that vROPS doesn’t like changes too much, it breaks easily. But follow more or less the same procedure as vIDM. For vROPS set the Ravello network to DHCP. Put in a reservation so the IP is not shared within your lab and is shown with the remote console. The IP reservation is used in the appliance itself. It is very important that an IP is set correctly on first boot, else it will break 11 out of 10 times. I have also noticed that setting a static IP in Ravello is not copied to the appliance; using DHCP for vROPS works more often.

And now for vROPS:

  • Press any key to continue the boot sequence.
  • The initial screen needs you to press ALT+F1 to go to the prompt.
  • The vROPS console password of root is blank the first time you log on to the console. You will have to set the password immediately and it’s a little strict compared to for example the vIDM appliance.
  • The appliance (hopefully) starts with DHCP configured. And you can open a session to the hostname.
  • [Optional if you don’t trust the DHCP reservation] Within vROPS appliance. Change the IP to manual to stay fixed within vROPS so it will not break when changing IP’s. Use the IP it received from the DHCP, do not change or you will have to follow the change IP configuration procedure for master IP (see a how to blog post here: http://imallvirtual.com/change-vrops-master-node-ip-address/):

Changing vROPS DHCP to static:
Run /opt/vmware/share/vami/vami_config_net. Choose option 6 and put in your values, choose option 4 and put yours in and change hostname etc……

Next reboot the appliance and verify the boot up and IP address are correct. If you get to the initial cluster configuration you’re ready and set.

Other issues failing the deployment are resolved by redeploying the VM, sometimes by first re-downloading and re-importing the OVA in Ravello.

Grab - vROPS First Start

Do choose New installation and get it up for the VCAP-DTM objectives.

If you happen to have enough patience and your application is not set to stop during the initial configuration, you will have a vROPS appliance to use in your Horizon preparations.

So appliances are no issue for Ravello?

Well I do not know for all appliances, but for Horizon the appliance only components that are needed for a VCAP-DTM lab can be deployed on Ravello.

 

-Happy Labbing in Ravello Cloud!

 

Sources: ravellosystems.com, vmware.com

VCAP-DTM Deploy Prep: La La Land Lab and Horizon software versions

VCAP-DTMmmmmm. After securing the VCP-DTM for version 6 and getting the pass results in for the version 7 DTM Beta, my sniper target is set for the VCAP-DTM’s. Maybe I should cut down on Battlefield 1 a bit ;). Anyhow…..

As the title of this post suggests, first up the deploy exam. Version 6, as the version 7 VCAPs are not yet out. Deploy is possibly the one that fits my person a bit less than the design part, but it is always good to have the “weakest” out-of-the-way the fastest. But there is no requirement that you should do deploy first, if you want design out of the way first go with that one.

With the VCAPs I have attempted and by hearing of the experience from those that have tried, next to actually knowing what you’re doing, time management is (still) the key to securing the VCAPs. I think the actually knowing bit is pretty okay for most that will attempt this exam. Maybe some bit of practice in the Mirage parts for myself. And that is exactly what is needed for time management. Know your weak(est) and strong(est) points in the list of exam objectives. And next to that, with time management comes drill drill drill. And where better to drill than in a lab. Or to put it in other words, you will need a lab for the deploy!

VCAP-DTM Deploy

Now where are we with DTM?

Exam Topics aka Objectives

You will find a lot of blog posts explaining how to prepare and going through all the exam objectives. And I do mean a lot. I am not putting in a how to study for that objective in this blog post. Use your google-fu for that.

The exam objectives for this post are important for what components you need to have in your lab.

On the mylearn page of the exam the exam topics are in expandable sections with clickable white papers, documents and such to prepare. Just go to: https://mylearn.vmware.com/mgrReg/plan.cfm?plan=88780&ui=www_cert. I haven’t seen another PDF exam blueprint document for this exam on the VMware site.

Some bloggers will offer their packages of collected set of documents for preparation. One for example is offering theirs on: http://www.virtuallyvirtuoso.com/vcap6-dtm/.

VCAP6-DTM Component Versions

When going through the VCAP6 objectives we will need the following components and their versions of the Horizon Suite:

  • Horizon 6.2 Components: CPA, Connection Server, Security Server and Composer.
  • Pools: Linked clone PCoIP pool (Windows 7), RDSH Farm (W2K8R2/W2K12R2), Application Pools (Evernote). Reference machine Windows 7 and RDS version for ThinApp and App Volumes.
  • vSphere and vSAN 6.0: vSphere HA/DRS Cluster resources for management and pools. VSAN Storage.
  • Identity Management: vIDM 2.4.1
  • Application Layer Management: App Volumes 2.9, ThinApp 5, version 5.1.1.
  • Image Management: Mirage 5.4
  • Endpoints: Web-based, Horizon Clients, Kiosk.
  • Operations Management: vROPS for Horizon version 6.1.0.
  • Supporting Infrastructure/Tools: Active Directory (DNS,DHCP), GPO, MSSQL Database server, VMware OS Optimization Tool (OSOT) with support for Windows 7/8, File Services ThinApps Repository, syslog and Windows 2012R2 Jump Host.

The easiest way to get the VMware bits is to go to the Horizon Enterprise edition download on my.vmware.com and select the version 6.2. You need an evaluation or an entitled My VMware user to access those. You can use this link for your bits: https://my.vmware.com/group/vmware/info?slug=desktop_end_user_computing/vmware_horizon/6_2.

VCAP Lab Download bits

Download OSOT here: https://labs.vmware.com/flings/vmware-os-optimization-tool.

Strange, wondering why they did not put Access Point or UEM in the exam objectives. Access Point for example is designed to be deployed with Horizon version 6.2. Ah well, less bits to put in the lab.

For supporting Infrastructure and tools, and client versions it is up to you, at least put in the supporting versions.

Study Lab options

The deploy part is a lab based exam. Hands-on experience with the Horizon suite is crucial for success. Not everyone has a home lab, cloud lab credits or enough resources on their notebooks to put in all the resource hungry Horizon suite components, so you can use a combination of lab options in your exam preparations. Don’t forget the Horizon suite versions that are used in the VCAP version and components in your study lab. Practice with the right version, or know what has been changed between versions, which takes a little more preparation time.

Get command line experience in practicing with vdmadmin, lvmutil, client and dct command line options, web interface locations, RDP to servers, SSH to appliance and log / config file locations.

Home

This can be a lab in a notebook, and some people have a home lab that offers more services and resources than a small country uses in a decade. Home labs are excellent for build and break your own. You will not have any permissions issues. Downside mostly are the resources required.

Cloud

Again this provides good experience in build and break your own. Accessible from anywhere. Downside mostly are the resources required and the costs that are involved.

If you are a 2017 vExpert like me, Ravello (https://www.ravellosystems.com/go/vexpert/lab-service-description) still offers 1000 CPU hours per month to vExperts. Build your lab, configure an application start-up and stop procedure and set your lab to stop after practicing. For example put in 2:00 hours of studying and after that your lab will shut down and no CPU cycles will be wasted.

You can even simulate the exam lab speed and put your lab in a cost optimized far away cloud provider location. Pretty good for the time management preparations.

Downside for Ravello is the support of VMware OVA appliance deployment; there are some tips and tricks needed to get appliances uploaded to Ravello. Or optionally go for Windows components or nested deployments.

I’m currently building my lab in here: (yes status stopped in screenshot and Windows 10 is my client)

Ravello vExpert VCAP-DTM Prep

Hands on Labs.

VMware Hands on Labs are an excellent place to practice with a whole scale of VMware products. Use the manual to be guided through the labs, or just click it away and go on your own. Choose from the mobility labs for example: http://labs.hol.vmware.com/HOL/catalogs/catalog/125.

I personally use HOL-1751-MBL-1-HOL a lot. Downside no composer as Horizon 7 instant clones is used, version mismatch with exam lab and no vROPS for Horizon. For vROPS for Horizon I use Testdrive. You also aren’t administrator on Windows hosts and there is no Internet connection to get some missing piece in.

VCAP-HOL1751

You start with 1hr:30min, and you can extend the lab time up to 8 times with one hour. Topping up to 9hr:30minutes of lab time per enrollment. Amazing discovery Mike!

Testdrive

VMware Testdrive is the EUC demo environment. Need to show the customer some part they are missing or need some extras to make your point, open up a testdrive for the customer and let them see it. As a superuser I also misuse it to work on some vROPS for Horizon parts. You are admin in vROPS so testing a metric set for a dashboard or showing policies without breaking the customer’s vROPS environment. The rest of the components are limited in what you can do and practice over there. But that wasn’t the use case of Testdrive in the first place.

Time management studying for the exam

Time management starts with studying. Plan your exam date and schedule your exam up front. Take enough time to prepare and work through the objectives. How much depends on your own strong and weak points. But do schedule the exam, else you will have no target to work to and that VCAP-DTM will be a never-ending story.

Time management throughout the Exam Lab

You can navigate through the lab exercise scenarios. Go through the objectives. Use your notepad to put an order for easy or tough ones. Get the easy ones done and out-of-the-way. Labs that require deployments, captures, synchronisation or otherwise take time to finish, start-up those actions and go to the next. Don’t waste time watching progress bars……

There are dependencies between questions and skipping a part of a question because you are waiting for a deployment can be tricky for your mind if you’re also working through the scenario. You have to make sure you come back to that incomplete task and finish it.

Test Center Check

If you have the opportunity and have multiple options for test centers in your friendly neighborhood, be sure to check out what lab setup they have. I know where I would go if I had to choose between test centers that have 21″ or 17″ screens. Or ask on twitter or Reddit if someone has experience with the test center.

– Happy prepping your exam!

Sources: vmware.com, ravellosystems.com

vExpert 2015 Announcement

Last year was the first year I was awarded vExpert. This year I can happily repeat the following statement: it’s a great honour to be awarded and to be added to this year’s list of vExperts. I’m glad to be a part of the community and a big thank you is in order to be selected in this list for 2015.

Looks like a second star to my record of achievements and the year is just starting.

The vExpert Listing

The current listing is 1028 rows long. Not sure if this is the official number but hey we are all in this together. The full listing and the announcement blog post can be found over here: http://blogs.vmware.com/vmtn/2015/02/vexpert-2014-announcement-2.html.

Congratulations to all the 2015 vExperts, returning and new ones. Keep up the good work!