VCAP-DTA Objective 1.3 – Deploy and Configure a View Security Server

So as you probably recall from your VCP studies, a Security Server is essentially a chopped down version of a Connection Server that generally runs in a DMZ or other isolated part of your network, usually leveraged to authenticate public internet facing connections. The Security Server is “paired” with a Connection Server and as such provides access to desktop pools over a highly secure connection using the View Client.

Again our reference materials are listed as the View Architecture Planning and View Installation guides, so no fiddling around with third party firewalls. My guess here is that we simply have to manipulate the Windows Server firewall to allow the necessary traffic through. The diagram below illustrates a sample View Security Server deployment and is taken from the View Architecture Planning Guide.

So without further ado, what’s on the blueprint for this objective?

• Configure and enable firewall ports and rules. As I mentioned above, the lack of any reference point outside of the standard View documents leads me to think we won’t have to tinker with any third party firewalls. And thank heavens for that, life is complicated enough! You basically need to keep in mind two sets of firewall rules – what ports do I need to expose to the internet and what ports do I need to expose from the DMZ to my internal network? VMware KB article 1027217 summarises things pretty well, the information is shown below :-

Back-End Firewall Rules

Front-End Firewall Rules

It’s worth remembering that if you get stuck during the exam and you can’t remember a port or service you need to poke through the firewall, the product documentation is available for you to search. Don’t rely on this though – it’s very much a “Plan B” and will take a decent chunk of time away from you.

• Deploy and administer a View security server – the Security Server is pretty straight forward to deploy. Go into View Administrator and configure a pairing password on the Connection Server that you want  to pair with the Security Server. Run the Connection Server installation and select Security Server. From there, it’s pretty much a “next, next, finish” exercise.
• Enable secure tunneling for PCoIP and RDP –  Configure the secure tunnel URLs in View Administrator, if appropriate. Remember  that the Secure Tunnel URL is always a “name” or FQDN with a port appended, so https://securetunnel.acme.com:443 for example (I have a feeling this sort of thing may turn up in the exam as a troubleshooting scenario) and the PCoIP URL is always an IP address, so 192.168.31.3:4172 for example. For a Security Server, remember this has tunnel settings too, so you may be asked to alter the external address in the exam.
• Configure certificates for View Security Server – The certificate process for the Security Server is exactly the same as the Connection Server. For the exam, I’m going to speculate that they’ve already minted one for you, and you have to install and configure the Security Server to use it. So in brief again :-
  • Start MMC and add the Certificates snapin
  • Import the server certificate into the Personal store and change the friendly name to vdm
  • Import the root certificate into the certificates store, and the intermediate too, if you have one
  • Restart the Security Server service (or reboot, but I wouldn’t do that in an exam!)
• Configure Smartcard or two-factor authentication for external access – Requires an existing RSA SecureID or similar setup, again I don’t expect to have to manage this in the exam. We’ll just focus on configuring View to use an existing infrastructure. Steps taken from the View 5.2 Installation Guide.
  • In View Administrator, select View Configuration | Servers | Select the Connection Server you wish to enable
  • On the authentication tab, select RSA SecureID or RADIUS. To force RSA SecurID or RADIUS user names to match user names in Active Directory, select Enforce SecurID and Windows user name matching or Enforce 2-factor and Windows user name matching. If you select this option, users must use the same RSA SecurID or RADIUS user name for Active Directory authentication. If you do not select this option, the names can be different.
  • For RSA SecurID, click Upload File, type the location of the sdconf.rec file, or click Browse to search for the file
  • For RADIUS authentication, Select Use the same username and password for RADIUS and Windows authentication if the initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge. If you select this check box, users will not be prompted for Windows credentials after RADIUS authentication if the RADIUS authentication uses the Windows username and password. Users do not have to reenter the Windows username and password after RADIUS authentication.
  • From the Authenticator drop-down list, select Create New Authenticator and complete the page.

  • Set Accounting port to 0

     unless you want to enable RADIUS accounting. Set this port to a non-zero number only if your RADIUS server supports collecting accounting data. If the RADIUS server does not support accounting messages and you set this port to a nonzero number, the messages will be sent and ignored and retried a number of times, resulting in a delay in authentication.

    Accounting data can be used in order to bill users based on usage time and data. Accounting data can also be used for statistical purposes and for general network monitoring.

  • If you specify a realm prefix string, the string is placed at the beginning of the username when it is sent to the RADIUS server. For example, if the username entered in the View Client is jdoe and the realm prefix DOMAIN-A\ is specified, the username DOMAIN-A\jdoe is sent to the RADIUS server. Similarly if you use the realm suffix, or postfix, string @mycorp.com, the username jdoe@mycorp.com is sent to the RADIUS server.
  • Click OK to save changes. A Connection Server service or server restart is not required as the settings take effect immediately. When you connect to this Connection Server using two factor authentication, the prompts will reflect this for the end user.

VCAP-DTA Objective 1.2 – Deploy and configure View Composer

So in case you forgot, View Composer is the optional View component that allows us to provision linked clone desktops. It used to be that in older versions of View (5.0 backwards, as far as I remember), you had to install View Composer on the same Windows server as vCenter, the two could simply not live apart. However, in 5.1 and newer, this dependency was broken and you can now put View Composer on it’s own Windows server, away from vCenter Server. When I went on the View 5.1 ICM course, we ruminated that this was mainly for vCenter Server Appliance customers who also used View.

One of the limitations of this setup was that as the VCSA is a Linux box, you can’t really stack Composer on top of this in any meaningful way. So to workaround this and give customers a choice of vCenter platform, View Composer became effectively a “stand alone” component away from vCenter.

So in terms of skills being measured, this is what we need to know :-

• Install, Configure and Upgrade View Composer. Hmm, OK. Right. So I would guess it’s likely we’ll have to both install and upgrade Composer, as there are a couple of vCenters and therefore most likely a couple of desktop pods. So what is required?
  •  Create a database for View Composer. If you’re a SQL shop, anything from 2005 upwards looks good. If you’re an Oracle shop, 10g R2 and above. To be honest, I’d expect the database to already exist. Again it comes down to what the exam blueprint is asking you to do, and you are not pointed towards database documentation, so it should already be there, albeit in an empty state.
  • Windows 2008 R2 and above server
  • 4 vCPU, 8GB and 60GB disk space. Again I wouldn’t expect to be asked to provision this VM, I’d expect it to be there, ready for some Composer goodness. This is only a 3 hour exam, remember!
  • Remember that Composer can’t co-exist on the same server as any other View component, such as Connection, Transfer or Security Server. Even a VM with the View client or agent is out too.
  • You should quickly check the SQL DSN if you have time, in Data Sources in Control Panel. I’d expect this task to be completed for you, anyway.
  • You can add your own certificate at this point, but for this guide, I’ll just concentrate on using self signed for now.
  • Run the installer as an administrator and run through the steps to install the service. Remember that the user account specified as the Composer user must be a local Administrator on the server it’s on.
  • If you want to specify a custom certificate during the installation, see the section below on certificates.
  • Once Composer itself is installed and the service started, you go into View Administrator and enter in the details under View Configuration | Servers | vCenter Servers | Add. Enable View Composer, verify the correct port is specified (defaults usually work pretty well) and add the domains you wish to put linked clones into.
  • If you’re asked to upgrade, run the Composer 5.2 installer as an administrator and follow the prompts, it’s pretty straightforward. Choose to upgrade the Composer database when prompted.
• Implement and Upgrade Certificates for View Composer. The good news is that certificates in View 5.2 are a lot less fiddly than they used to be in version 4.x. Instead of having to mess about with command line tools and bits of OpenSSL, you just get the trusted root certificate and server certificate (and intermediate certificate, if appropriate) and import them into the certificate store of the local computer (not the current user, if you have to go through the steps). This is done via MMC, adding in the Certificates snap-in.
  • Remember to change the friendly name of the certificate in MMC to vdm.
  • Import and verify the SSL certificate you want to use in MMC before you run the tool to setup Composer SSL certificates.
  • Stop the Composer service.
  • Run sviconfig -operation=ReplaceCertificate – delete=false, select the certificate you want to use from the Windows certificate store.
  • Restart the Composer service.
  • Verify Composer is running successfully.
• Configure View Composer for one-way and two-way trust scenarios. My interpretation of this objective is actually quite simple (and I’m no AD expert!). If you have a two way trust then one single service account is enough in Composer to be able  to provision linked clone desktops in a domain that has a two way trust with the domain that the Composer server is a member of. On the other hand, if there is just a one way trust, you may need to configure another service account in the domain where you want to create desktops, if that’s different from the domain that Composer lives in.
  • Adding details of Service Accounts is done from View Administrator, View Configuration, Servers, vCenter Servers, Edit and in the View Composer pane at the bottom of the dialog, click Add and fill out the service account details. This dialog can be quite pernickety, so ensure you put in the full FQDN of the domain in the top box and then username and password. If you get an error even though you know the details are correct, check this account has Administrator rights to the Composer server. Jason Langer’s website has a good example of this.
• Migrate View Composer to a standalone installation. This is quite an involved process so I would imagine you can bank on this being tested on during the exam. There are several options around how migration can be performed, but what it mainly boils down to is whether or not you want to use the existing Composer database when you move the service to another Windows Server. If you already have linked clone pools then this is pretty much a given. You can either leave the Composer database where it is and point to it from the new Composer server, or you can move the database at the same time you move the Composer server. Either way, the key thing to remember here is that the Composer service uses RSA keys to encrypt and and decrypt information from the Composer database. When you move Composer from one Windows Server to another, you have to ensure the keys get carried across, otherwise you basically lose the ability to access your existing linked clone pools.
  • Remember Composer instances must have their own databases, they cannot share the same database but can be on the same database server.
  • If your current Composer instance does not have any linked clone pools defined, you can migrate Composer without worrying about maintaining database links, as there is basically nothing in there you need.
  • You may well be tested on both migrating Composer with an existing “populated” database and also without, so it’s worth knowing how to accomplish both goals.
  • Migrate with an existing Composer database – In View Administrator, click View Configuration, Servers and click “Disable Provisioning”. If you need to relocate the database elsewhere, this is when you would do it. I would expect this to be out of scope for the exam as it’s a DBA task. You then need to uninstall Composer from its current location and then export the RSA keys out, to send over to your new Composer Server. .NET and ASP.NET IIS needs to be installed on both source and target, but I think we can assume this will be done for you in advance.
    • On the Composer source server, open a command prompt and go to %windir%\Microsoft.NET\Framework\v2.0xxx folder (where xxx  is the installed version number)
    • Run the key export by running aspnet_iisreg -px “SviKeyContainer” “keys.xml” -pri. This will export the public and private keys to a file called keys.xml.
    • Copy keys.xml to the target Composer server
    • Open a command prompt and go to the .NET directory as per the first step
    • Run the command aspnet_iisreg -pi “SviKeyContainer” “<path>\keys.xml” -exp. This command imports the RSA keys into the local key container. The -exp switch marks the keys as exportable, in case you need to export then again in future
    • Install Composer on the target server, selecting the appropriate SQL DSN during the installation
    • Configure SSL certificates for Composer as needed, as per above
    • In View Administrator, click View Configuration > Servers, select the vCenter Server instance that is associated with this View Composer service, and click Edit
    • In the View Composer tab, provide the new View Composer settings. If you are installing View Composer with vCenter Server on the new computer, select View Composer co-installed with the vCenter Server. If you are installing View Composer on a standalone computer, select Standalone View Composer Server and provide the FQDN of the View Composer computer and the user name and password of the View Composer user.
    • In the Domains pane, click Verify Server Information and add or edit the View Composer domains as needed. Click OK.

VCAP-DTA Objective 1.1 – Deploy Highly Available View Installations

So the first objective in the exam blueprint is “Deploy highly available View installations”. That can come in many forms. Looking at the main bullet points and the reference sources cited by VMware Education, let’s drill down into it.

• Configure highly available connectivity to the View environment. So what we can we read into this objective? The reference source is the View Architecture Planning guide and the View Installation guide. My inference here is that we’re not going to be expected to manipulate any kind of load balancing or content acceleration product, and there’s no reason why we should as it’s not a core part of Horizon View.
  • Firstly we can ensure we reduce the single points of failure. We may be asked to add more Connection Servers if there are only individual instances. Remember to select Replica Server when being asked what type of Connection Server we wish to add. Only the first instance of a Connection Server in a replicated/ADAM group is the Standard View Connection server. Remember this, or you’re going to have problem adding servers to an existing group.
  • What else? Well there are the main features of vSphere such as DRS and HA which we can leverage to ensure that View Connection Servers not only come back up in the event of host failure, but also ensure the Connection Server has enough grunt to perform when lots of connections will be coming in. I don’t think it outlandish that we may be asked to configure a memory reservation for Connection Servers, after all, they’re Java based services remember and VMware’s best practice is to set a memory reservation on VMs hosting JVMs.

• Configure stateful and stateless load balancing for a View implementation. What did we just say earlier, we shouldn’t be asked to configure a load balancing solution because it’s not part of Horizon View? I’m really not sure why this objective is listed in the blueprint. I’ve had a good look through the reference sources and there is nothing specifically listed there regarding stateful/stateless load balancing. I looked around for a good reference on this topic, and found a useful article at F5 which actually mentions View as well. However, some good things to remember :-
• • Stateless means the connection is not tied to an individual Connection Server or Pod on connection/reconnection. This can be referred to as persistence or some load balancers call this “stickiness”. No history of the previous connection is retained on the load balancer.
  • Stateful load balancers “distribute traffic based on L3,L4 or L7 criteria to increase traffic capacity and reliability by improving application performance”.
  • One caveat to the above is that I’m absolutely not a networking or F5 expert, so take the above with a grain of salt. If anyone can provide a better explanation, I’d be happy to amend this bit. To be honest, I’m not really sure what this has to do with core Horizon View apart from the behaviour on disconnect (logoff, retain session etc.)

•  Implement vSphere cluster isolation and High Availability rules.  Now we’re back in the land where we know what we’re doing (or at least I do!). So as I mentioned earlier, one area you can look at in the area of highly available View infastructure components is to use vSphere High Availability to ensure a high level of resilience and availability for your Connection, Security and/or Transfer Servers.

  • Cluster isolation  – what you you want to do if a host becomes isolated? The safe option is the default option of leave VMs powered on, but the exam may ask you to adopt a more aggressive stance. Bit dangerous that one, you may end up restarting a Connection Server chock full of users that can communicate on the network quite happily.
  • VM Restart Policy – This setting will give you ability to override the cluster level setting which is usually “medium” for all VMs. In this particular case, it’s likely you’ll have to set rules to ensure Connection/Security/Transfer servers restart first before other VMs such as desktops, remember the dependencies here. In which case, don’t overlook vCenter Server and also SQL Server, if you have that virtualised. You’ll need to group those into the first VM restarts too.

• Configure a View implementation with multiple vCenter Servers. As discussed in the previous blog posting, VMware will likely use this exam to reinforce the Pod and Block reference design, so to scale your View implementation into the thousands, you need to create blocks of 2,000 desktops with their own vCenter and manage them as one. This way you don’t kill a single vCenter with lots of power management requests (power off/on/, reboot etc) as well as pool provisioning tasks.
• • View Administrator is the web based administration tool used to connect vCenter servers into View.
  • Go to View Configuration | Servers | vCenter Servers | Add and fill out the relevant details for the vCenter Server you wish to add. Note also this is where you configure View Composer settings. You may not be asked to configure this first up, but worth remembering this is where to go when dealing with the Composer based questions.

VCAP-DTA Exam Blueprint Released

So the VCAP-DTA exam has finally made it out of beta and is now available to sit at your local (!) Prometric test centre. Now I’ve got the two VCAP-DCx exams passed and out of the way, I want to complete my desktop VCAP collection. I already passed the VCAP-DTD when it went through beta, but unfortunately missed the beta of the DTA owing to work commitments.

Anyway, feel free to download the exam blueprint here, I’m going to try and get some thoughts down on the objectives with a view to sitting the exam sometime in the next couple of months when the next discount vouchers start doing the rounds!

Exam Format

So looking at the blueprint, what can we infer? Well this exam is slightly shorter than the VCAP-DCA equivalent – only 3 hours (ha, only!) and 23 lab activities instead of 26 for the DCA. The passing score requirement is still the same, 300/500 and I’m guessing you will still have to wait for your score on completion so a real person can go and score it for you.

As per previous exams, there is a short survey at the start of the exam of 9 questions which apparently have no effect on the final score or your questions, but I do wonder what the point of it is otherwise. I always select the answer which marks me out at a total newbie in the vain hope I’ll get an easier bunch of questions. As ever, your mileage may vary and I have no evidence to substantiate my suspicions.

The blueprint makes reference of the fact you get credit for partially correct responses. It goes without saying that you should do as much as you can on a question, even if you’re running out of time or tackling a topic you might not be that hot on. At the end of the day, 10 marks could be the difference between passing or failing.

Exam Environment

The blueprint references the fact that the exam is based on VMware Horizon View 5.2. This is an important and often overlooked fact. The VCAP-DCA exam is based on vSphere 5.0, and as most of my recent experience was with 5.1, sometimes subtle differences in dialog boxes can really throw you. Make sure you study for the exam with the 5.2 version so you’re fully conversant with the interfaces, functionality and basically how to “do stuff” quickly and accurately.

There is also reference to the fact that the live lab consists of the following :-

• 4 ESXi hosts
• 3 vCenter Servers
• 4 View Connection Servers
• “A number of pre-configured virtual machines”

From this I’m inferring that at least one objective will involve connecting a vCenter Server into the View Administrator console, so know how to do that. This emphasises the pod and block reference design that VMware publish as best practice. If you do pod and block for large deployments, you’ll need multiple vCenters.

Intended Audience

This section is again useful in providing some useful tit bits as to what you might see on the exam, or be expected to do. I picked out the following :-

• Installation, configuration, administration and troubleshooting of a VMware View environment
• Utilise View Administrator to create, manage and deploy desktop images
• Optimise and troubleshoot “all” View components, so I’m thinking Connection Server, Security Server, Transfer Server at a minimum
• Windows desktop administration including group policy, AD, DNS and DHCP. So from this I’m thinking you’ll need to know the View ADM templates and what to configure (how to optimise slow connections, for example). Also, there’s probably a good chance you’ll have to configure an OU for View desktops and some groups to add View users to, such as Remote Desktop Users. Again, all my own inference here, I’ve not sat the exam yet

Other Notes

Section 3.1 (objectives introduction) mentions the need to know VMware View and VMware ThinApp for the exam. There is no explicit mention of Horizon Workspace or any of the other suite products such as vCOps for View, so I think we can safely assume that focussing our revision efforts on the “main” View components (Connection Server, Security Server, Transfer Server, View Administrator) and ThinApp will be enough and will be all we will be tested on.

I hope you’ve enjoyed this brief intro into the VCAP-DTA exam. Hopefully over the next few weeks, time permitting, I can add some more notes to a small study guide to share with the community.

As always, comments and thoughts welcome.