New Requirement for VMware Identity Manager when clustering

Picture1

Recently VMware released Identity Manager 2.7 and with it there is a new requirement when clustering the Identity Manager behind a load balancer.

It is now required that you have a minimum of 3 Identity Manager Appliances with in the cluster.

The diagram below shows this minimum requirement.

Picture1
This will also help when upgrading to future version. If there is a minimum of 3 appliances then it will be possible to upgrade these appliances one at a time with out any downtime.

To upgrade with a minimum of 3 in the cluster you and simply take a single appliance out of the load balanced pool upgrade the server and then add it back to the load balanced pool. Simply do this for each appliance in the load balanced pool and not down time will be required.

Configuring VMware Identity Manager and VMware Horizon 7 Cloud Pod Architecture

DCarter_View-Application

With the release of VMware Horizon® 7 and VMware Identity Manager™ 2.6, it is now possible to configure VMware Identity Manager to work with Horizon Cloud Pod Architecture when deploying your desktop and application pools over multiple data centers or locations.

Using VMware Identity Manager in front of your VMware Horizon deployments that are using Cloud Pod Architecture makes it much easier for users to get access to their desktops and applications. The user has just one place to connect to, and they will be able to see all of their available desktops and applications. Identity Manager will direct the user to the application hosted in the best datacenter for their location. This can also include SaaS applications as well as the applications that are available through VMware Horizon 7.

For the full blog please see my blog on VMware.com

http://blogs.vmware.com/consulting/2016/07/configuring-vmware-identity-manager.html

Configuring VMware Identity Manager with SQL Always On

Screen Shot 2016-05-18 at 8.41.02 AM

For the last few weeks I have been testing VMware Identity Manager with SQL Always On database for multi-site deployments. This has been an interesting learning curve as its been some time since I last did anything substantial with Microsoft SQL. Before I start with the VMware Identity Manager I think it is worth calling out these 2 resources that I found really useful for setting up SQL Always On in my Lab.

This is a quick intro in to SQL Always On and how to configure it

https://www.youtube.com/watch?v=VKCqRgqLAuo

This was a useful step by step guide for deploying SQL Always On

http://www.careexchange.in/installingconfiguring-sql-2014-always-on-cluster-on-windows-2012-r2-recommended-way/

Now before configuring VMware Identity Manager with an SQL Always On Database you should be aware that even though there is a database in each of the datacenter’s all Read and Writes operations will take place on the Primary database with in the Availability Group.

Screen Shot 2016-05-18 at 8.41.02 AM

From my testing I found that setting the database to automatic failover worked as expected and the database was only unavailable for a very short time less than a couple of seconds. However, I did find that when I failed the database back after an outage this took a bit more time and I would recommend that any failback is done in a much more controlled manner. In my testing fail back took about 40 seconds so a noticeable difference.

Creating the VMware Identity Manager SQL Always On Database

 

  1. Open SQL Management Studio and log in with sysadmin privileges (This should be done on the primary server)
  2. Click File – New – Query with current connection
  3. In the editor window paste the following SQL Commands
CREATE DATABASE saas

COLLATE Latin1_General_CS_AS;

ALTER DATABASE saas SET READ_COMMITTED_SNAPSHOT ON;

GO

BEGIN

CREATE LOGIN horizon WITH PASSWORD = N'H0rizon!';

END

GO

USE saas;

IF EXISTS (SELECT * FROM sys.database_principals WHERE name = N'horizon')

DROP USER [horizon]

GO

CREATE USER horizon FOR LOGIN horizon

with default_schema = saas;

GO

CREATE SCHEMA saas AUTHORIZATION horizon

GRANT ALL ON DATABASE::saas TO horizon;

GO
  1. Click Execute

Picture2

  1. The saas Database will now be created
  2. Make a Full backup of the database (This must be done before adding the database to an Always On High Availability Group)
    • Right click the database – Tasks – Back Up
  3. Add the database to the Always On High Availability Group

 

NOTE: It is also recommended to make the following changes to SQL

  • Change ‘HostRecordTTL to a lower value than the default in multi-site deployments. 120 seconds is a good value
  • Change ‘RegisterAllProvidersIP’ to false in multi-site deployments

Connect VMware Identity Manager to the SQL Database

During the install of VMware Identity Manager connect to the SQL Database using the following settings

Jdbc:sqlserver://SQLAGListener;DatabaseName=saas

  • SQLAGListener = the SQL Availability Group Listener, in the example below that is SQLProdServer
  • If the secondary SQL server is on a different subnet add the following to the jdbc string
    • multiSubnetFailover=true
      • Jdbc:sqlserver://SQLAGListener;DatabaseName=saas; multiSubnetFailover=true

Picture3

 

VMware Identity Manager and F5 New Step in Configuration

Picture1

This week I deployed VMware Identity Manager in my lab to do some testing with SQL Always-On and F5.

When I configured VMware Identity Manager to work with F5, something I have done many times in the past, I came across and issue. After I logged out I couldn’t log in to VMware Identity Manager with a domain account but could login with a local account. The issue is below

Picture1

After testing a few things and trying to figure out the issue I found that when changing the FQDN of VMware Identity Manager there is a new step that need to be done.

Basically after changing the FQDN go back to the Admin UI.

Click Catalog and then settings.

From there select New End User Portal UI and click Enable New Portal UI

Picture2

After this log out and you should now be able to log back in with a domain account.

 

Announcing the App Volumes Backup Fling

Picture1

It gives me great pleasure to announce the first Fling that I have worked on.

Over the last couple months Chris Halstead, Stephane Asselin and I have been working on the new App Volumes Backup Fling.

Picture1

This tool will help customers to backup their AppStacks and Writable Volumes VMDK files using their standard backup tools, normally backup tools do not see these files as they are not seen with in the vCenter inventory unless they are connected to a users virtual desktop.

Below you will find a number of links where you can find more information about the App Volumes Backup Fling.

Fling Download

App Volumes Back Fling

Video Demo

You can also see the full announcement on VMware.com here

For instructions on how to use the Fling see the blog here

Please feel free to leave any feedback for Chris, Stephane and I and any features you would like to see added.

VMware User Environment Manager 9.0 – What’s New

Picture5

Earlier this month VMware released a new version of User Environment Manager that brings some new and exciting features, not only to User Environment Manager, but also to the Horizon Suite. To learn about the new features in Horizon 7 you can see my blog here.

Here I would like to highlight the new main features of VMware User Environment Manager 9.0

Smart Policies

The new Smart Policies offer more granular control of what users can do when they connect to their virtual desktop or applications. With the first release of Smart Policies you will be able to manage these capabilities based on the following conditions:

  • Horizon Conditions
    • View Client Info (IP and name)
    • Endpoint location (Internal/External)
    • Tags
    • Desktop Pool name
  • Horizon Capabilities
    • Clipboard
    • Client drive
    • USB
    • Printing
    • PCoIP bandwidth profiles

 

For more information on these capabilities, see my more detailed blog Here.

It should be noted that to use Smart Policies you will need Horizon 7 View and User Environment Manager 9. You will also need the latest View Agent and Clients installed to take advantage of these new features. Also note that these policies only work with the PCoIP and BLAST Extreme protocols, and not RDP.

Application Authorization (Application Blocking)

This feature gives administrators the ability to white- or black-list applications or folders. In the example below you can see that some applications are allowed and some will be blocked.

Picture1

Using this feature with User Environment Managers Conditions will not only give administrators great control over what applications users can use, but also how they can be used. An example would be if a user is on the internal network they have access to company-specific applications; however, if they accessed their desktops from an external network then these applications would not be available.

With a simple check of a box, administrators have a very simple model for enforcing applications that the users are authorized to use, and using conditions in this way could be result in a different set of applications depending on where the user connects from.

Picture2

ThinApp Support

When clicking on the DirectFlex tab of an application you will now see the new check box to Enable ThinApp Support for that application.

Picture3

When this is selected you will be able to manage what happens within the ThinApp “bubble” from within User Environment Manager, rather than doing this by setting specific values during the ThinApp capture process, or afterward via a script. This integration generalizes the approach that packagers can take when choosing isolation or encapsulation. It allows them to not have to force the knowledge of each and every configuration during the capture process by setting isolation modes or creating separate packages for different application configurations.

You should also note that you do not need to configure a separate application within User Environment Manager to take advantage of this. If the box is checked the flex agent will notice if the application is natively installed or accessible via ThinApp, and automatically apply the correct settings.

Manage Personal Data

User Environment Manager now has the ability to easily manage personal data. This would include things like My Documents, My Music, My Pictures, etc.

The example below shows how easy this is to configure.

Picture4

Office 2016 Support

User Environment Manager 9.0 now supports Office 2016. As you can see from the example below this also includes Skype for Business and OneDrive. Just like with earlier versions these can all be added with the Easy Start button.

Picture5

New User Environment Manager Conditions

As part of the new deep integration with Horizon 7, User Environment Manager has added a number of new conditions that can be pulled from Horizon 7. These include Pool-Name, Tags, and client location – such as internal or external.

Picture6

 

I have also posted this blog on VMware.com here

VMware Horizon 7 New Features

With the release of VMware Horizon 7 I thought I would try and highlight some of the new features that have now been added with this released.

Blast Extreme Protocol

With the update to Blast Extreme, VMware has upgraded the Blast Extreme protocol to the same level as PCoIP and RDP. Now not only will you be able to use the Blast Extreme protocol when connecting via HTML5, but now when you connect to a Virtual desktop or RDSH App using your Horizon client on any device you will be able to connect using the Blast Extreme protocol.

Just as with PCoIP and RDP, Horizon Administrators will be able to configure the Blast Extreme protocol as the default protocol for both desktop and application pools.

1

Blast Extreme will not only be available for standard desktop and application pools but also Global pools when configured with Cloud Pod Architecture

2

As time permits I will write another blog with more details around the new Blast Extreme protocol so watch this space

VMware Instant Clone Technology

VMware Instant Clones is the long awaited technology that is built on the VMware Fork technology that was previewed at VMworld and VMware has been working on for some time. VMware Instant Clones is helping to create the Just in Time desktop and it allows for a new virtual desktop to be created in seconds and thousands of virtual desktops to be created in a very short time. This is one of the best features of the Horizon 7 release and I believe that Horizon Administrators are going to love creating desktop pools using this new Instant Clone Technology.

For information on configuring the new Horizon Instant Clone technology see my blog here

Cloud Pod Architecture

The two main updates to Cloud Pod Architecture are Scale and Home Site improvements.

I have written two new blogs to cover these new updates you can find them below

Cloud Pod Architecture New Features

Update to How CPA Home Sites Work with Horizon 7

Smart Policies

The new Smart Policies are a way to have more granular control of what users can do when they connect to their virtual desktop or applications. With the first release of Smart Policies you will be able to manage these capabilities based on the following conditions

  • Horizon Conditions
    • View Client Info (IP & Name)
    • Endpoint location (Internal/External)
    • Tags
    • Desktop Pool name
  • Horizon Capabilities
    • Clipboard
    • Client Drive
    • USB
    • Printing
    • PCoIP bandwidth profiles

For more information on these Capabilities see my more detailed blog Here

It should be noted to use Smart Policies you will need Horizon 7 and User Environment Manager 9. You would also need the latest View Agent and Clients installed to take advantage of these new features. The other thing to note is that these policies only work with the PCoIP and BLAST Extreme protocols and not RDP.

Desktop Pool Deletion

The Desktop Pool Deletion feature is often a request from customers to make it possible to stop Administrators from deleting a desktop pool that currently has active desktops with in the pool. With Horizon 6.x and earlier it was possible that an administrator could accidentally delete the wrong desktop pool and all the VM’s with in that pool. This feature when enabled would stop that from happening.

To enable this feature follow the instructions in my blog Here

 

These are just some of the new features that have been released with Horizon 7. For a full list of the new features check out the release notes here.

I also posted this blog on VMware.com here