In this post I will not go into detailed installation steps, in stead I'll try and give an overview of the components that I have used (local mode and linked clones not included) and then link to the posts I've used for inspiration.
Components
First of all, a vCenter installation and a domain controller are required. I have chosen to go with Windows Server 2008 R2 but other than that it is pretty much standard installations.
The main component of the View installation is the Connection Server. And then there is the Security Server which is basically a subset of features from the Connection Server. After installation it is linked to the Connection Server from the Connection Server administrative web interface - and it is also configured from there.
I used this excellent guide by Poul Slager to install the Connection Server. I did the same as Poul and installed just one Win7 VM with the View agent on it and added it to a static pool.
A new feature in View 4.6 is that the PCoIP protocol can now be used also from external sources (e.g. from outside the company network) but this requires a Security Server. The Security Server is typically placed in a DMZ and it is the Security Server which establishes the PCoIP connection directly to virtual desktop.
At the VMware View blog, there's a post with a 40 minute video explaining the infrastructure and new features of View 4.6.
For the specific configurations for enabling PCoIP from external sources, I used the Setting up PCoIP Remote Access with View 4.6 document.
I experienced a strange error when at first I connected to the Security Server from and external source. It worked fine internally but from the outside I could connect and authenticate but then the remote connection just showed a black screen for about 10 seconds and the connection closed. In the View desktop event viewer there was en entry stating: "Closed PCoIP connection doesn't match global value". To fix this I adjusted the configuration in the Connection Server under View Configuration -> Servers and made sure that the external URLs for the Security Server and the Connection Server were identical. The external URL was set for the actual outside URL in both cases and the IP was set for the outside ip of the ADSL modem in both cases - this solved the issue in my case (see screen dumps below).
Currently, with all the components running, the setup is taking up about 10 GB of memory, so there's still room to load up the ESXi box, it has a total of 16 GB, with more VMs! (see screendump below).
Networking
For routing and firewall internally between the infrastructure components I chose a Vyatta virtual appliance which I downloaded from VMware Marketplace. Per default, this appliance included three NICs which suited my requirements for creating an inside LAN, outside LAN, and a DMZ for the security server. On the vSwitch I have created three different VM networks. However, I have not VLAN tagged any of the networks as only one ip range will leave the physical ports on the switch (the Vyatta router acts as gateway for all the infrastructure components).
The learning curve for the Vyatta is quite steep in my opnion. I have spend my fair share of hours trying to figure out the logic of the NAT, DNAT, and the firewal rules. For configuration I have been using a mix between the web gui and the CLI. The CLI is actually quite nice when you get used to it (TAB is your friend).
Remember to save your configurations to disk before rebooting or you will loose all configurations (I learned this a couple of times ;-)). So obviously type 'configure' to into configuration mode and then 'commit' when your done. 'Exit' to exit configuration mode. 'save config.boot' to save configuration to disk. Default credentials for the vyatta is user: vyatta, pw: vyatta.
To get started and setup the Vyatta I used the Quick Start Guide which you can get at vyatta.org. At the site there is also a quick start video which is useful.
And then for firewall configuration etc. I used this guide which worked surprisingly well.
The basic principle for the router in this setup is that you want to allow all traffic from the Inside Lan and the DMZ to be able to get out to the internet. You also want your Inside LAN to be able to access the DMZ. All traffic from the Outside entering the gateway NIC on the router should be dropped. However from all addresses on the Internet, access on port 4172 should be allowed (and directed) only to the security server. And then only the Security server's IP will be allowed to open connections on the same port to the inside LAN. So for 'opening up' a port in the firewall you will need both a firewall rule and a DNAT rule (destination NAT). This last part had me quite confused.
So, the final setup currently configured according to the diagram below. I used it to connect to the View Desktop and from there I can open a vSphere client and have full access to the vSphere home lab.
Would you please care to share the actual vyatta CLI config details you used to enable the end to end functionality to access from the internet into your home router and connect to the View SS vm. You can off course change the actual IP details.
ReplyDeleteThanks