In this post I will not go into detailed installation steps; instead I'll try to give an overview of the components that I have used (local mode and linked clones not included) and then link to the posts I've used for inspiration.
Components
First of all, a vCenter installation and a domain controller are required. I have chosen to go with Windows Server 2008 R2, but other than that they are pretty much standard installations.
The main component of the View installation is the Connection Server. Then there is the Security Server, which is basically a subset of the features of the Connection Server. After installation it is linked to the Connection Server from the Connection Server's administrative web interface, and it is also configured from there.
I used this excellent guide by Poul Slager to install the Connection Server. I did the same as Poul and installed just one Win7 VM with the View agent on it and added it to a static pool.
A new feature in View 4.6 is that the PCoIP protocol can now also be used from external sources (e.g. from outside the company network), but this requires a Security Server. The Security Server is typically placed in a DMZ, and it is the Security Server which establishes the PCoIP connection directly to the virtual desktop.
At the VMware View blog, there's a post with a 40 minute video explaining the infrastructure and new features of View 4.6.
For the specific configurations for enabling PCoIP from external sources, I used the Setting up PCoIP Remote Access with View 4.6 document.
I experienced a strange error when I first connected to the Security Server from an external source. It worked fine internally, but from the outside I could connect and authenticate and then the remote connection just showed a black screen for about 10 seconds before the connection closed. In the View desktop event viewer there was an entry stating: "Closed PCoIP connection doesn't match global value". To fix this I adjusted the configuration in the Connection Server under View Configuration -> Servers and made sure that the external URLs for the Security Server and the Connection Server were identical. The external URL was set to the actual outside URL in both cases, and the IP was set to the outside IP of the ADSL modem in both cases. This solved the issue in my case (see screen dumps below).
Currently, with all the components running, the setup is taking up about 10 GB of memory, so there's still room on the ESXi box (it has a total of 16 GB) to load it up with more VMs! (see screendump below).
Networking
For routing and firewalling internally between the infrastructure components I chose a Vyatta virtual appliance which I downloaded from the VMware Marketplace. By default, this appliance included three NICs, which suited my requirements for creating an inside LAN, an outside LAN, and a DMZ for the Security Server. On the vSwitch I have created three different VM networks. However, I have not VLAN tagged any of the networks, as only one IP range will leave the physical ports on the switch (the Vyatta router acts as gateway for all the infrastructure components).
The learning curve for the Vyatta is quite steep in my opinion. I have spent my fair share of hours trying to figure out the logic of the NAT, DNAT, and the firewall rules. For configuration I have been using a mix of the web GUI and the CLI. The CLI is actually quite nice when you get used to it (TAB is your friend).
Remember to save your configuration to disk before rebooting or you will lose all your changes (I learned this a couple of times ;-)). So obviously type 'configure' to enter configuration mode and then 'commit' when you're done. 'exit' leaves configuration mode, and 'save config.boot' saves the configuration to disk. Default credentials for the Vyatta are user: vyatta, pw: vyatta.
To get started and setup the Vyatta I used the Quick Start Guide which you can get at vyatta.org. At the site there is also a quick start video which is useful.
And then for firewall configuration etc. I used this guide which worked surprisingly well.
The basic principle for the router in this setup is that you want to allow all traffic from the Inside LAN and the DMZ to get out to the internet. You also want your Inside LAN to be able to access the DMZ. All traffic from the Outside entering the gateway NIC on the router should be dropped. However, from all addresses on the Internet, access on port 4172 should be allowed (and directed) only to the Security Server. And then only the Security Server's IP will be allowed to open connections on the same port to the Inside LAN. So for 'opening up' a port in the firewall you will need both a firewall rule and a DNAT rule (destination NAT). This last part had me quite confused.
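As an added illustration (not the author's own configuration, which only appears in the screen dumps), here is how that principle can be expressed as Vyatta CLI commands. It assumes Vyatta Core 6.x 'service nat' syntax, eth0 as the Outside NIC, eth1 as the Inside LAN (192.168.1.0/24), eth2 as the DMZ (192.168.2.0/24) and the Security Server at 192.168.2.10; all addresses are made up, and the '#' lines are annotations.

```vyatta
configure
# Assumed layout: eth0 = Outside, eth1 = Inside LAN 192.168.1.0/24,
# eth2 = DMZ 192.168.2.0/24, Security Server = 192.168.2.10 (made-up values)

# Outside -> router: drop everything except replies and PCoIP (4172) to the Security Server
set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 state established enable
set firewall name OUTSIDE-IN rule 10 state related enable
set firewall name OUTSIDE-IN rule 20 action accept
set firewall name OUTSIDE-IN rule 20 protocol tcp_udp
set firewall name OUTSIDE-IN rule 20 destination address 192.168.2.10
set firewall name OUTSIDE-IN rule 20 destination port 4172
set interfaces ethernet eth0 firewall in name OUTSIDE-IN

# DMZ -> router: replies first, then only the Security Server may open 4172 into the
# Inside LAN; anything else bound for the Inside LAN is dropped; the rest (internet) passes
set firewall name DMZ-IN default-action drop
set firewall name DMZ-IN rule 10 action accept
set firewall name DMZ-IN rule 10 state established enable
set firewall name DMZ-IN rule 10 state related enable
set firewall name DMZ-IN rule 20 action accept
set firewall name DMZ-IN rule 20 protocol tcp_udp
set firewall name DMZ-IN rule 20 source address 192.168.2.10
set firewall name DMZ-IN rule 20 destination address 192.168.1.0/24
set firewall name DMZ-IN rule 20 destination port 4172
set firewall name DMZ-IN rule 30 action drop
set firewall name DMZ-IN rule 30 destination address 192.168.1.0/24
set firewall name DMZ-IN rule 40 action accept
set interfaces ethernet eth2 firewall in name DMZ-IN

# DNAT: 4172 arriving on the outside interface is redirected to the Security Server.
# DNAT runs before the 'in' firewall, so rule 20 above matches the translated (DMZ) address.
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth0
set service nat rule 10 protocol tcp_udp
set service nat rule 10 destination port 4172
set service nat rule 10 inside-address address 192.168.2.10

# Masquerade: Inside LAN and DMZ share the outside address towards the internet
set service nat rule 100 type masquerade
set service nat rule 100 outbound-interface eth0
set service nat rule 100 source address 192.168.0.0/16

commit
save
exit
```

The Inside LAN interface (eth1) gets no 'in' firewall, so it can reach both the DMZ and the internet as the principle requires; any ports View needs between the Security Server and the Connection Server beyond 4172 are not covered by this post and are left out here.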
So, the final setup is currently configured according to the diagram below. I used it to connect to the View Desktop, and from there I can open a vSphere client and have full access to the vSphere home lab.