New Requirement for VMware Identity Manager when clustering

Recently VMware released Identity Manager 2.7, and with it comes a new requirement when clustering Identity Manager behind a load balancer.

It is now required that you have a minimum of 3 Identity Manager appliances within the cluster.

The diagram below shows this minimum requirement.

[Diagram: minimum of three Identity Manager appliances behind a load balancer]
This will also help when upgrading to future versions. With a minimum of 3 appliances it is possible to upgrade them one at a time without any downtime.

To upgrade with a minimum of 3 appliances in the cluster, simply take a single appliance out of the load balanced pool, upgrade it, and then add it back to the pool. Repeat this for each appliance in the load balanced pool and no downtime will be required.

Configuring VMware Identity Manager and VMware Horizon 7 Cloud Pod Architecture

With the release of VMware Horizon® 7 and VMware Identity Manager™ 2.6, it is now possible to configure VMware Identity Manager to work with Horizon Cloud Pod Architecture when deploying your desktop and application pools over multiple data centers or locations.

Using VMware Identity Manager in front of your VMware Horizon deployments that are using Cloud Pod Architecture makes it much easier for users to get access to their desktops and applications. The user has just one place to connect to, and they will be able to see all of their available desktops and applications. Identity Manager will direct the user to the application hosted in the best datacenter for their location. This can also include SaaS applications as well as the applications that are available through VMware Horizon 7.

For the full post, please see my blog on VMware.com:

http://blogs.vmware.com/consulting/2016/07/configuring-vmware-identity-manager.html

Configuring VMware Identity Manager with SQL Always On

For the last few weeks I have been testing VMware Identity Manager with a SQL Always On database for multi-site deployments. This has been an interesting learning curve, as it's been some time since I last did anything substantial with Microsoft SQL. Before I start with VMware Identity Manager, I think it is worth calling out these 2 resources that I found really useful for setting up SQL Always On in my lab.

This is a quick intro to SQL Always On and how to configure it:

https://www.youtube.com/watch?v=VKCqRgqLAuo

This was a useful step-by-step guide for deploying SQL Always On:

http://www.careexchange.in/installingconfiguring-sql-2014-always-on-cluster-on-windows-2012-r2-recommended-way/

Before configuring VMware Identity Manager with a SQL Always On database, you should be aware that even though there is a database in each of the datacenters, all read and write operations take place on the primary database within the Availability Group.


From my testing I found that setting the database to automatic failover worked as expected, and the database was only unavailable for a very short time, less than a couple of seconds. However, I did find that failing the database back after an outage took a bit more time, and I would recommend that any failback is done in a much more controlled manner. In my testing, failback took about 40 seconds, so a noticeable difference.

Creating the VMware Identity Manager SQL Always On Database


  1. Open SQL Management Studio and log in with sysadmin privileges (This should be done on the primary server)
  2. Click File – New – Query with current connection
  3. In the editor window paste the following SQL commands
-- Case-sensitive collation and read-committed snapshot isolation are required by Identity Manager
CREATE DATABASE saas
COLLATE Latin1_General_CS_AS;
ALTER DATABASE saas SET READ_COMMITTED_SNAPSHOT ON;
GO
-- Server-level login used by the Identity Manager appliance.
-- The password here is only a sample value; change it before running this in your environment.
BEGIN
CREATE LOGIN horizon WITH PASSWORD = N'H0rizon!';
END
GO
USE saas;
-- Remove any stale database user of the same name before re-creating it
IF EXISTS (SELECT * FROM sys.database_principals WHERE name = N'horizon')
DROP USER [horizon]
GO
CREATE USER horizon FOR LOGIN horizon
with default_schema = saas;
GO
-- The GRANT that follows is part of the CREATE SCHEMA statement (no GO between them)
CREATE SCHEMA saas AUTHORIZATION horizon
GRANT ALL ON DATABASE::saas TO horizon;
GO
  4. Click Execute
  5. The saas database will now be created
  6. Make a full backup of the database (this must be done before adding the database to an Always On High Availability Group)
    • Right click the database – Tasks – Back Up
  7. Add the database to the Always On High Availability Group


NOTE: It is also recommended to make the following changes to the SQL Availability Group listener in multi-site deployments:

  • Change ‘HostRecordTTL’ to a lower value than the default; 120 seconds is a good value
  • Change ‘RegisterAllProvidersIP’ to false

Connect VMware Identity Manager to the SQL Database

During the install of VMware Identity Manager, connect to the SQL database using the following settings:

jdbc:sqlserver://SQLAGListener;DatabaseName=saas

  • SQLAGListener = the SQL Availability Group listener; in the example below that is SQLProdServer
  • If the secondary SQL server is on a different subnet, add multiSubnetFailover=true to the JDBC string:
    • jdbc:sqlserver://SQLAGListener;DatabaseName=saas;multiSubnetFailover=true
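The listener settings in the NOTE above and the multiSubnetFailover option in the JDBC string are easy to get wrong and only show up as connection timeouts after a failover. The following Python script is an added example, not code from the original post or from VMware: it parses the JDBC string, decides from the listener's addresses whether the deployment spans subnets, and reports anything that deviates from the recommendations above. The listener addresses, the HostRecordTTL value and the RegisterAllProvidersIP value are constructed sample data, and the /24 prefix used to compare addresses is an assumption for the example; a live check would resolve the listener name (the resolve_listener helper) and read the cluster parameters instead.

```python
"""Checks for a VMware Identity Manager SQL Always On connection string.

Added example, not from the original post. Verifies:
- multiSubnetFailover=true is present when the listener has addresses in more than one subnet,
- RegisterAllProvidersIP is false and HostRecordTTL is at most 120 s in that multi-site case.
"""
import ipaddress
import re
import socket

RECOMMENDED_TTL = 120  # seconds, the value recommended in the post


def parse_jdbc_url(url):
    """Split 'jdbc:sqlserver://host[:port][;name=value...]' into (host, {name: value})."""
    m = re.match(r"^jdbc:sqlserver://([^;]*)(.*)$", url.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a SQL Server JDBC URL: {url!r}")
    host = m.group(1)
    props = {}
    for part in m.group(2).split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed property {part!r}")
        name, value = part.split("=", 1)
        props[name.strip().lower()] = value.strip()  # driver property names are case-insensitive
    return host, props


def is_multi_subnet(addresses, prefix_len=24):
    """True if the listener addresses fall into more than one /prefix_len network.
    prefix_len is an assumption for this example; use your real subnet masks."""
    nets = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addresses}
    return len(nets) > 1


def check_connection(url, listener_ips, host_record_ttl, register_all_providers_ip):
    """Return a list of findings; an empty list means the settings match the recommendations."""
    host, props = parse_jdbc_url(url)
    findings = []
    if props.get("databasename") != "saas":
        findings.append("DatabaseName should be 'saas' (the database created above)")
    multi = is_multi_subnet(listener_ips)
    if multi and props.get("multisubnetfailover", "").lower() != "true":
        findings.append(f"listener {host} spans subnets: add multiSubnetFailover=true")
    if multi and register_all_providers_ip:
        findings.append("RegisterAllProvidersIP should be false for multi-site deployments")
    if multi and host_record_ttl > RECOMMENDED_TTL:
        findings.append(f"HostRecordTTL {host_record_ttl} s is above the recommended {RECOMMENDED_TTL} s")
    return findings


def fix_jdbc_url(url, listener_ips):
    """Return the URL with multiSubnetFailover=true appended when the listener is multi-subnet."""
    _host, props = parse_jdbc_url(url)
    if is_multi_subnet(listener_ips) and props.get("multisubnetfailover", "").lower() != "true":
        return url.rstrip(";") + ";multiSubnetFailover=true"
    return url


def resolve_listener(name):
    """Live DNS lookup of the listener's addresses (not used by the offline sample below)."""
    return socket.gethostbyname_ex(name)[2]


if __name__ == "__main__":
    # Constructed sample: one listener address per site, in two different subnets,
    # with cluster parameters that still have their unadjusted values.
    SAMPLE_IPS = ["10.10.1.50", "10.20.1.50"]
    url = "jdbc:sqlserver://SQLProdServer;DatabaseName=saas"
    for finding in check_connection(url, SAMPLE_IPS, host_record_ttl=1200, register_all_providers_ip=True):
        print("FINDING:", finding)
    print("use:", fix_jdbc_url(url, SAMPLE_IPS))
```

The subnet test is deliberately simple: it only decides whether the listener is registering addresses from more than one network, which is the condition under which the driver needs multiSubnetFailover=true to try all addresses in parallel rather than waiting for a timeout on the one the DNS cache handed it.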

[Screenshot: Identity Manager database connection settings using the listener SQLProdServer]

EUC Professional Services Engineering (PSE) and VMworld


VMworld in San Francisco is approaching very quickly. It’s a must-attend event for VMware customers, but there is a lot to take in, so I thought I would take a few minutes to highlight some key activities led by my team of End User Computing (EUC) consultants and architects that you won’t want to miss.

Our organization is called Professional Services Engineering (PSE) and is part of the Global Technical and Professional Services Organization. As VMware’s EUC subject matter experts, our team works with some of our largest EUC customers worldwide.

You can read the rest of my post, and find out what I will be doing, on VMware.com.

Adding a Second Connector to VMware Workspace

Recently I was asked by a customer whether it was possible to add an untrusted domain to their current VMware Workspace deployment, to easily manage access to the applications that are currently being managed by Workspace.

Workspace does give you the option to add a non-trusted Active Directory domain by adding a second connector to that domain as an Identity Provider.

The following figure shows the high-level architecture of both a multi-forest domain and a separate Active Directory domain utilizing VMware Workspace.

[Figure: high-level architecture of a multi-forest domain and a separate Active Directory domain using VMware Workspace]

The following steps document how to add a second connector to your VMware Workspace environment.

Before Installing a Second Connector

The following is required before you configure a second connector for Workspace:

  1. Workspace is currently up and running in your environment
  2. Create a DNS record for the second connector's IP address and make sure it has a matching reverse lookup entry

Procedure for Adding a Second Connector

  1. Within vCenter, deploy a new OVF Template
  2. Browse to the OVF file and click Next
  3. Confirm the OVF Details and click Next
  4. Accept the License Agreement and click Next
  5. Enter the Name of the connector, select the correct location within vCenter and click Next
  6. Select the Cluster and click Next
  7. Select the Resource Pool and click Next
  8. Select the Storage and click Next
  9. Select the Disk Format and click Next
  10. Select the Network and click Next
  11. On this screen it is important to select Connector Only Install; enter the Network Properties and click Next
  12. Confirm everything is correct, select Power on after deployment and click Finish
  13. While the OVF is deploying, connect to the Admin portal of the original Workspace deployment
  14. Click on Settings, Identity Providers and Add Identity Provider
  15. Add the fully qualified domain name of the second connector and click Save
  16. Copy the Activation Code, as you will need it during the configuration of the second connector
  17. In a second web browser connect to the second connector
  18. On the Getting Started page click Continue
  19. Configure the passwords and click Continue
  20. Paste the Activation Code and click Continue

NOTE: If you are using self-signed certificates, you will need to copy the root certificate from the first Workspace appliance and paste it into the Root Certificate box that appears.

  21. Configure the new Active Directory and click Continue
  22. Configure the User Attributes and click Continue
  23. Select the users and click Continue
  24. Select the AD groups and click Continue
  25. Confirm everything is correct and click Push to Workspace
  26. Click Finish