
Topic: How to install and configure Provision Networks Virtual Access Suite (VAS) Enterprise Edition

  
  1. #1
    Real name: 1234

    Retired moderator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanks received
    2513
    Thanks given
    272

    How to install and configure Provision Networks Virtual Access Suite (VAS) Enterprise Edition

    Code:
    http://www.virtualizationadmin.com/articles-tutorials/terminal-services/general/install-configure-provision-networks-virtual-access-suite-part1.html
    • Author: Patrick Rouse


    PART-1



    Virtual Access Suite (VAS) Enterprise Edition is a product suite from Provision Networks, a Division of Quest Software. VAS Enterprise Edition enables the consolidation of application and desktop delivery from Windows Terminal Services, Blade or Physical PCs, and Virtual Infrastructures such as VMware VI3 or Virtual Iron.
    This set of articles will describe, in detail, how to install and configure each of the components of VAS Enterprise Edition. These articles will also detail best practices on where each component should be deployed in a typical deployment.
    Modules:
    VAS Enterprise Edition consists of all of the following modules from VAS Standard Edition:

    • Block-IT (application and network server access control)
    • Manage-IT (session/desktop configuration and lockdown)
    • Max-IT (CPU and Virtual Memory Optimization)
    • MetaProfiles-IT (user profile management)
    • Print-IT (EMF and PDF universal print driver for client printers, network printers and WAN Printing)
    • Redirect-IT (per-user file and registry redirection)
    • TimeZones-IT (per-session time zone assignment)
    • USB-IT (Redirection of USB-connected Blackberry, Palm and Pocket PC handheld devices)
    • VIP-IT (per-session IP Address assignment)

    VAS Enterprise Edition also adds the following features (not included in VAS Standard Edition):

    • Provision-IT

      • Application, Desktop and Content Publishing
      • Integration with Microsoft Softricity SoftGrid
      • Application and Terminal Server Load Balancing
      • Seamless Windows
      • Session Sharing
      • Screen Resolution up to 4096 x 2048 pixels
      • Multi-Monitor Support
      • Credentials Pass-through
      • Kerberos-based authentication and pass-through
      • Smartcard Authentication
      • Windows, Windows CE, Linux, Java and ThinStall Clients

    • Web-IT (Web Portal)

      • Multi-Farm Application Set Aggregation
      • Credentials pass-through
      • Two-factor authentication (RSA, Secure Computing and RADIUS)
      • Client auto-detection and download
      • Application Auto-launch
      • Remote Password Reset
      • Load Balancing via Microsoft NLBS or 3rd party load balancer
      • Client location identification (redirects users thru SSL Gateway based upon IP Address Rules)

    • Secure-IT (SSL Gateway)

      • Secure single point of access to firewall-protected Terminal Server farm and managed desktops (VAS Infrastructure)
      • Uses SSL, so clients do not need to be able to communicate over a non-standard port.
      • Typically deployed in the DMZ so SSL traffic is not terminated in the private network

    • Proxy-IT

      • Allows RDP Clients that are not capable of installing the VAS Client to connect to a VAS Infrastructure.

    Installation

    The configuration of a given VAS Infrastructure is stored in an SQL Server Database. This can be in MSDE, SQL Server 2000, SQL Server 2005 Express or SQL Server 2005. It should be noted that the Provision Database requires SQL Server Authentication, so if one has an existing SQL Server that is configured for Windows Authentication, the Provision Database must be installed on another SQL Server Instance.
    When installing VAS Enterprise, one can either manually create the Provision Database, or the VAS Install can create a DSN and a Database when the Provision Console is opened for the first time. In most large organizations the SQL Server DBAs will insist that they create the database, but in smaller organizations one may choose either.
    In this configuration the Provision Database will be installed on SQL Server 2005 Express, which is a free download from Microsoft. This SQL Server will be installed on a member server in an Active Directory Domain. Active Directory is not a prerequisite, but is the most common directory infrastructure in use today.
    While all Server Components of VAS Enterprise can be installed on a single server, this is not a typical configuration. Problems with a Server Based Computing Infrastructure often occur due to a lack of planning, i.e. if everything is installed on one server and put into production without any testing or user acceptance. For this configuration everything is being installed on VMware, but on several different virtual machines. In this test infrastructure we have the following:

    • 2003 Server – Domain Controller & Terminal Server Licensing Server (no VAS components)
    • 2003 Server – File & Print Server (including user profiles)
    • 2003 Server – SQL Server (2005 Express – Provision Database)
    • 2003 Server – VAS Connection Broker & Password Reset Service
    • 2003 Server – Web Server (IIS w/ ASP.net – Web-IT)
    • 2003 Server – Terminal Server x 2 (Provision-IT)
    • 2003 Server – SSL Gateway (Secure-IT)
    • XP Pro Workstation – Managed Desktop x 2

    Components are being separated in this manner to better emulate what would exist in a typical enterprise. Since this is being configured on a virtual infrastructure using VMware, a lab with many physical servers is not necessary, if one only wants to test drive VAS Enterprise.
    Installation of SQL Server 2005 Express

    If an SQL Server does not already exist in the target environment, one needs to be set up to accommodate the Provision Database. In this configuration SQL Server 2005 Express and SQL Server Management Studio Express will be installed on a dedicated Active Directory Member Server.
    SQL Server 2005 Express and SQL Server Management Studio Express can be downloaded from Microsoft.com, or from ProvisionNetworks.com.
    An unattended installation of SQL Server 2005 Express can be performed by extracting the installation files from SQLEXPR32.EXE via SQLEXPR32.EXE -x. Choose a target directory where the installation files will be stored, then execute the following command:
    SETUP.EXE /qb ADDLOCAL=SQL_Engine,SQL_Data_Files INSTANCENAME="PROVISION" SECURITYMODE=SQL SAPWD="Provision" DISABLENETWORKPROTOCOLS=0
    This command line performs a quiet installation (with basic UI) of SQL Server 2005 Express to an Instance named “PROVISION”, using Mixed Mode Authentication (required), enables Network Connectivity and sets the SQL SA Password to “Provision” (feel free to change this to a stronger password).
    SQL Server Management Studio Express is used by System Administrators and DBAs to manage the Database Server, backup and restore databases. Launch SQLServer2005_SSMSEE.msi to begin the installation of SQL Server Management Studio Express. Accept the defaults.
    Installation of the Connection Broker and Password Reset Service

    In this configuration the VAS Connection Broker and Password Reset Service will be installed on another 2003 Member Server. These components do not need to coexist, but this is a common configuration.
    The Connection Broker is an XML Service that responds to client connection requests on TCP Port 8080 (by default) and listens for Data Collector service connections (from Terminal Servers or Managed Desktops) on TCP Port 5201. It is the brains of the Virtual Access Suite.
    The Password Reset Service facilitates SSL-protected password reset requests from clients, to allow them to reset their Active Directory Credentials via the Web-IT Web Interface Portal. This service requires an SSL Certificate and listens on port 443 (by default).
    The VAS Installer is intelligent and will only display the components that can be installed on the host computer, so if ASP.Net is not installed, Web-IT will not be an option that can be selected. Additionally, if the installation will integrate with VMware Virtual Center, Sun JAVA™ SE Runtime Environment 5, Update 7 or higher must be installed, prior to installing VAS.
    Launch VAS.exe to begin the Virtual Access Suite Installation.

    Select Terminal Server and Standard Desktops (Enterprise Edition) and click “Next”.

    Select “Connection Broker Service”, “Password Reset Service” and “Provision Management Console”. Click “Next” to complete the installation of the selected components.

    Because VMware Integration was selected, the installation prompts for the location of the VMware Certificate Store. This is the self-signed certificate that is created when VMware Virtual Center is installed. Click “Next” to complete the installation.
    At this point, the Connection Broker and Password Reset Service are installed, but the Provision Database has not been created. The Provision Database is created the first time the Provision Management Console is launched. Alternatively a DBA can create the database and provide the VAS Administrator with SQL “dbowner” Logon Credentials for the database.

    Upon opening the Provision Management Console for the first time, the administrator is prompted to “Create a new database and DSN” or to “Create DSN only for existing database”. Because we want to create the database, we use the default option.

    Since the Provision Management Console is being opened for the first time, the Provision Database has not yet been populated with the Customer Information that is tied to the VAS Licenses. Complete the Customer Information, then click the save button. If this information is changed at a later time, new licenses will need to be acquired.

    The VMAC listed above is used to generate the VAS Licenses on the Provision Networks Website.

    Once the Provision Management Console has been launched, one may want to change the name of the Provision Farm to something unique and meaningful to the business, i.e. “Corp XYZ Test Farm”. At any time an administrator may change the farm name via the Farm Properties in the Provision Management Console.

    Right-click on the “Connection Brokers” node in the Provision Management Console and select “New Connection Broker”.

    Enter the name of the VAS Connection Broker and click OK.

    The default listening port for the Connection Brokers is 8080, but this can be changed to meet the requirements of the business. This change is made at the properties of the Connection Brokers node, as it affects all connection brokers in the farm.
    Future articles will describe how to install and configure the other components of VAS Enterprise.
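
An added example, not part of the article or of any Provision Networks tooling: the sketch below audits the unattended SETUP.EXE line shown in the SQL Server 2005 Express section and rebuilds it with a generated SA password. The 14-character minimum, the three-of-four character-class rule, the restricted symbol set and the finding names are assumptions of this sketch.

```python
import re
import secrets
import string

# Command line exactly as shown in the article (the weak "before").
POSTED_CMD = ('SETUP.EXE /qb ADDLOCAL=SQL_Engine,SQL_Data_Files '
              'INSTANCENAME="PROVISION" SECURITYMODE=SQL SAPWD="Provision" '
              'DISABLENETWORKPROTOCOLS=0')

MIN_LENGTH = 14          # assumed local policy, not a VAS or SQL Server requirement
MIN_CLASSES = 3          # assumed: at least 3 of lower/upper/digit/symbol
SAFE_SYMBOLS = "#*+-_@"  # assumed set: needs no escaping inside a quoted cmd argument

PROP_RE = re.compile(r'\b([A-Za-z_]+)=(?:"([^"]*)"|(\S+))')


def parse_properties(cmdline):
    """Return the KEY=value setup properties of a command line as a dict."""
    return {key.upper(): quoted or bare
            for key, quoted, bare in PROP_RE.findall(cmdline)}


def char_classes(pwd):
    """Count how many of lower/upper/digit/symbol occur in the password."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pwd) for t in tests)


def password_findings(pwd, instance):
    """Findings about the SA password itself."""
    findings = {}
    if instance and instance.lower() in pwd.lower():
        findings["SAPWD_MATCHES_INSTANCE"] = "sa password contains the instance name"
    if len(pwd) < MIN_LENGTH:
        findings["SAPWD_TOO_SHORT"] = f"sa password shorter than {MIN_LENGTH} characters"
    if char_classes(pwd) < MIN_CLASSES:
        findings["SAPWD_LOW_COMPLEXITY"] = f"fewer than {MIN_CLASSES} character classes"
    return findings


def audit_setup_command(cmdline):
    """Return {finding_code: explanation} for one unattended setup command."""
    props = parse_properties(cmdline)
    findings = {}
    if props.get("SECURITYMODE", "").upper() == "SQL":
        # The article states the Provision database requires SQL authentication,
        # so this is informational: the sa login is reachable with a password.
        findings["MIXED_MODE_AUTH"] = "SQL logins enabled; sa is a password-only account"
        if "SAPWD" not in props:
            findings["SAPWD_MISSING"] = "mixed mode requested without SAPWD"
        else:
            findings.update(
                password_findings(props["SAPWD"], props.get("INSTANCENAME", "")))
    if props.get("DISABLENETWORKPROTOCOLS") == "0":
        findings["NETWORK_PROTOCOLS_ENABLED"] = (
            "instance accepts network connections; limit them to the VAS servers")
    return findings


def build_setup_command(instance):
    """Same command as the article, with a random 20-character SA password."""
    alphabet = string.ascii_letters + string.digits + SAFE_SYMBOLS
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(20))
        if char_classes(pwd) == 4 and not password_findings(pwd, instance):
            break
    cmd = ('SETUP.EXE /qb ADDLOCAL=SQL_Engine,SQL_Data_Files '
           f'INSTANCENAME="{instance}" SECURITYMODE=SQL SAPWD="{pwd}" '
           'DISABLENETWORKPROTOCOLS=0')
    return cmd, pwd


if __name__ == "__main__":
    for code, why in audit_setup_command(POSTED_CMD).items():
        print(f"{code}: {why}")
    hardened, _ = build_setup_command("PROVISION")
    print(sorted(audit_setup_command(hardened)))
```

The two informational findings remain on the rebuilt command because the article's design needs SQL authentication and a network-reachable instance; the password findings are the ones that disappear.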





  2. #2
    Code:
    http://www.virtualizationadmin.com/articles-tutorials/terminal-services/general/install-configure-provision-networks-virtual-access-suite-part2.html
    PART-2

    Introduction

    Virtual Access Suite (VAS) Enterprise Edition is a product suite from Provision Networks, a Division of Quest Software. VAS Enterprise Edition enables the consolidation of application and desktop delivery from Windows Terminal Services, Blade or Physical PCs, and Virtual Infrastructures such as VMware VI3 or Virtual Iron.
    Part two of this set of articles will describe, in detail, how to install VAS Enterprise on a Windows Terminal Server and how to publish applications to Users, Groups, Device Addresses (IP Addresses), Device Names (Client Names) and Active Directory Organizational Units (OUs).
    Prerequisites

    A prerequisite to installing VAS Enterprise on a 2003 Server to deliver Managed Applications (A.K.A. Published Applications) would be that the Terminal Server Role has been assigned to the server. This is a fairly simple process, but to recap, here are the steps (assuming a clean install and a non-production server):
    Step one is to lock down the file system on the server. By default every logged on user has permission to create files and folders in the root of the System Drive and in the Program Files directory. This opens up the possibility that an end user could intentionally or unintentionally install spyware/malware or some other application that could make the system unstable. To remove these permissions, follow the steps below:

    View the Advanced Security Settings on the root of the System Drive and remove the permissions highlighted in the picture above, so members of the "Users" group no longer have NTFS Permissions to "Create Folders / Append Data" and "Create Files / Write Data".

    View the Advanced Security Settings on the "Program Files" directory and remove the permissions highlighted in the picture above, so members of the "Power Users" and "TERMINAL SERVER USER" groups no longer have modify NTFS Permissions.

    To add the Terminal Server Role, open the "Configure Your Server Wizard" Administrative Tool -> Select "Terminal server" and click "next". The server will automatically reboot when the role has been added.
    Note:
    An activated 2003 Terminal Server Licensing Server with installed 2003 Terminal Server Client Access Licenses (TSCAL) must be discoverable within 120 days of adding the Terminal Server Role or the server will stop accepting Terminal Server Session requests.
    Installation


    From the physical console of the Terminal Server, or via a Remote Desktop Console Session (mstsc.exe /console), switch to "install mode". Launch the VAS Installer (vas.exe).

    Select "Terminal Servers and Standard Desktops (Enterprise Edition)" and click "Next".

    Accept the default selections, and add the Provision Management Console (as shown above).

    Click the "Install" button to commence the installation.
    Once the installation process is complete, click "Finish", and "Yes" to restart the system.

    Launch the Provision Management Console and create a new Data Source to connect to the Provision Database.

    Select the option to "Create DSN only for existing database" and enter the Provision SQL Login that was created when the Provision Management Console was first opened on the Connection Broker (in part one of this article series).

    Confirm the SQL Login Password that will be used to connect to the Provision Management Database.

    Click "Yes" to set the current main Provision database to [Provision Database].

    When the Provision Management Console opens, right-click on the Terminal Servers node and select "New Terminal Server".

    Accept the default selection <New Server> and click "OK".


    Type in the NetBIOS name of the new Terminal Server, or click "Browse" to select it from a list. At this point the server is now added to the Provision Networks Server Farm.
    Application Publishing

    In contrast to Citrix Presentation Server (CPS), Managed Applications can be published and policies can be applied to Users, Groups, Device Addresses (IP Addresses), Device Names (Client Names) and Active Directory Organizational Units (OUs). In VAS, all of these are considered "Clients". In CPS, applications can only be assigned to Users and Groups. This additional filtering capability provides more flexibility when planning the delivery of applications.
    One can either define the clients via the "Clients" node, or this can be done when defining a New Managed Application.

    Publishing of Applications, Desktops and Internet Content is done from Resources -> Managed Applications -> Right-Click -> New Application, or by clicking the "New" button (green plus sign) in the right pane when Managed Applications is selected.

    The window shown above is the interface to publish a new application / program, Desktop or Internet Content. The default is "Program", and this can be changed via the "Change Type:" button in the upper right corner of the General Tab. Publishing a desktop connects a user to the Explorer Desktop of either a Terminal Server, or a Managed Desktop (Windows XP Pro or Vista), whereas publishing content publishes a Website, URL or other content that launches in a Web Browser.
    To publish a Program, click the ellipsis next to the "Path:" text box.

    Select the button that describes where the program is located. Clicking "Terminal Server" or "Managed Desktop" buttons will allow the administrator to browse the terminal servers or desktops defined in the Provision Management Console. Clicking "File Server" allows the administrator to browse the network for a file located on a file share and clicking "This Computer" displays the file structure on the computer where the Provision Management Console is currently running.

    If Terminal Server is clicked, the dialog above is displayed, where the administrator can select the Terminal Server where the program is installed.

    Select the share on the Terminal Server that contains the program. On the Terminal Server that is selected in the dialog above, only the Admin Share to the System Drive is available. Click "OK" to continue.

    At this point the Explorer Select File Shell Extension is displayed, where the administrator can browse to and select any executable file, i.e. files with the extension exe, com, cmd, pif or bat.

    After the program is selected, the associated icon is displayed, but can be changed via the General Tab -> Display Section -> Icon.

    In that same Display Section, there also exists an "Application Startup" tab where the administrator can define whether the application starts Normal, Maximized or Minimized.

    On the furthest right Tab in the Display Section exists a "Status" tab where the administrator can define whether the application is enabled or disabled, i.e. whether or not it is displayed in the user's application set (list of applications).

    The arguments text box in the Program Specifications section of the General Tab allows an administrator to add any application specific switches. This text box is also used to define a file that should be opened by the defined program, i.e. publishing msaccess.exe and a specific MDB (access data file) file. The working directory is fairly self explanatory.

    On the User Experience Tab of the Managed Application definition, the administrator can specify whether application shortcuts will be displayed on the client's Desktop, Start Menu or Start Menu \ Programs. This only affects the AppPortal Client in Desktop-Integrated (DI) Mode, where the AppPortal UI is hidden. This will be described in more detail in another section of this article series.

    The "Published On" Tab is where the administrator defines which Terminal Servers or Managed Desktop Groups host the managed application. If the administrator selects a Managed Desktop Group (logical grouping of XP Pro or Vista VMs, or PC Blades) it is assumed that the application exists on each member of the group.


    The Workload Management tab allows the administrator to select a Workload Evaluator, which defines how the application is load balanced in the VAS Farm. The Default Load Evaluator (shown above) is based upon Number of Users that have Terminal Server Sessions on a given Terminal Server. Additional workload evaluators can be defined based upon any combination of the available counters. One should only use custom workload evaluators as needed, as over customizing workload evaluators can cause inconsistent load balancing results.

    The Application Restrictions tab allows the administrator to add the program to an existing list of allowed applications, or to create a new list. Application Lists are defined and assigned to clients to limit them to executing only these applications.

    The default setting for Application Restrictions is to allow applications to be executed. This setting can be changed from the properties of the Application Restrictions Node. It is possible to restrict access to all unmanaged applications by checking the "Deny access to unmanaged apps, as well as applications belonging to conflicting file groups" option.
    In contrast to Citrix Presentation Server where application publishing is simply an application delivery mechanism, VAS Enterprise offers bullet-proof, easy to define rules to restrict users only to the applications that are defined by the administrator. These rules can be assigned to the same Clients that were described earlier in this article, i.e. Users, Groups, Device Addresses, Device Names and Organizational Units. These rules will be described in more detail in a future installation of this article series.

    The Virtual IP Tab is used to define whether or not Virtual IP Addressing (VIP) should be enabled for this Managed Application. VIP is used for Winsock applications where the application requires a unique IP Address for each instance of the application, whether for identification or communication. VIP will be described in more detail in a future installation of this article series.

    Finally, the Access Control List tab is where the administrator defines which clients receive the managed application. Click the "Assign clients to [Program Name]:" button to assign clients to the application.

    If no Clients have been defined in the Provision Management Console, or the clients to which the application will be assigned are not displayed, click the "Show Edit Tools" button.

    Click the "New Client:" button to add a client.

    On the Add Client(s) dialog, the administrator may enter or browse the list of Domain or Local Users or Groups. If an NT/Active Directory domain or Local SAM is selected, the list of users/groups is listed in a flat list.

    The Device IP Addresses Tab of the Add Client(s) dialog allows the administrator to add a client that is an IP Address, or IP Address Range. This is particularly useful for roaming users that should only have access from a client that has a Private IP Address on the corporate network.

    The Device Names Tab of the Add Client(s) dialog allows the administrator to add a client that has a specific name, or naming convention. This is particularly useful for roaming users that should only have access from a client that has a specific name on the corporate network.

    • Multiple Device Names are separated by semi-colons.
    • A range of devices with a common naming convention is entered with the variable enclosed in brackets, i.e. CorpABC-[1-99].
    • An Asterisk can be used as a wildcard character.


    The Active Directory tab of the Client(s) dialog allows the administrator to select a client that is an object in Active Directory.

    Once a client is selected, the Select Folder(s) dialog displays, where the administrator selects in which Server and Client Folders the application should be displayed.

    The completed Managed Application is displayed above. Click OK to return to the Provision Management Console, or click the Assign clients to [Program Name].. button to assign more clients to this application.
    Future articles will describe how to install and configure the other components of VAS Enterprise.
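
An added illustration, not from the article and not Provision Networks code: the sketch below interprets the device-name syntax listed for the Device Names tab (semicolon-separated entries, a bracketed numeric range such as CorpABC-[1-99], and * as a wildcard) so a rule can be checked against sample client names before it is assigned. Case-insensitive whole-name matching and rejection of zero-padded numbers are assumptions about the matching behaviour; the function names and sample names are constructed.

```python
import re

TOKEN_RE = re.compile(r"\[(\d+)-(\d+)\]|\*")
DIGITS = "0123456789"


def tokenize(pattern):
    """Split one pattern into ('lit', text), ('any',) and ('range', lo, hi) tokens."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("lit", pattern[pos:m.start()].lower()))
        if m.group(0) == "*":
            tokens.append(("any",))
        else:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"empty range in {pattern!r}")
            tokens.append(("range", lo, hi))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("lit", pattern[pos:].lower()))
    return tokens


def _match(tokens, name, i=0, t=0):
    """Backtracking match of the token list against name[i:]."""
    if t == len(tokens):
        return i == len(name)
    tok = tokens[t]
    if tok[0] == "lit":
        return name.startswith(tok[1], i) and _match(tokens, name, i + len(tok[1]), t + 1)
    if tok[0] == "any":
        return any(_match(tokens, name, j, t + 1) for j in range(i, len(name) + 1))
    # Range token: take the whole run of digits at this position.
    j = i
    while j < len(name) and name[j] in DIGITS:
        j += 1
    digits = name[i:j]
    if not digits or (i > 0 and name[i - 1] in DIGITS):
        return False
    if digits != str(int(digits)):          # assumption: "07" is not the number 7
        return False
    return tok[1] <= int(digits) <= tok[2] and _match(tokens, name, j, t + 1)


def parse_rule(rule):
    """Split a rule on semicolons and tokenize every non-empty entry."""
    return [(p, tokenize(p)) for p in (s.strip() for s in rule.split(";")) if p]


def matches(rule, device_name):
    """Return the first pattern of the rule that matches the name, else None."""
    name = device_name.strip().lower()
    for pattern, tokens in parse_rule(rule):
        if _match(tokens, name):
            return pattern
    return None


def overbroad(rule, min_literal=3):
    """Patterns with a wildcard or range but fewer than min_literal fixed characters."""
    flagged = []
    for pattern, tokens in parse_rule(rule):
        fixed = sum(len(tok[1]) for tok in tokens if tok[0] == "lit")
        if any(tok[0] != "lit" for tok in tokens) and fixed < min_literal:
            flagged.append(pattern)
    return flagged


if __name__ == "__main__":
    rule = "CorpABC-[1-99]; KIOSK-*; FrontDesk"      # constructed sample rule
    for name in ("corpabc-42", "CorpABC-100", "KIOSK-LOBBY", "FrontDesk2"):
        print(f"{name:12} -> {matches(rule, name)}")
    print("over-broad:", overbroad("*; PC*; CorpABC-[1-99]"))
```

A device name is reported by the connecting client, so a name rule is best combined with a user, group or IP address client rather than used as the only condition.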




  3. #3
    Code:
    http://www.virtualizationadmin.com/articles-tutorials/terminal-services/general/install-configure-provision-networks-virtual-access-suite-part3.html
    PART-3

    Virtual Access Suite, Desktop Services can connect RDP clients to desktops whether they are standard PCs (XP Pro or Vista), PC Blades, or hosted on a Virtual Infrastructure like VMware, Virtual Iron, SWsoft Virtuozzo, Microsoft Virtual Server, Citrix XenServer.... When used in combination with a system with a centralized management console (Managed Virtual Infrastructure) like VMware Virtual Center or Virtual Iron, Virtual Access Suite uses the Virtual Infrastructure Vendor's SDK to automate tasks that could otherwise be accomplished only via the vendor's management server. Use of an SDK also adds functionality that does not exist in the vendor’s native management console.
    PNTools

    A component called PNTools is installed on each RDP Host, whether virtual or physical, to provide features like Seamless Windows, Universal Printer Driver, USB Handheld Sync and management of the group membership of the Remote Desktop User’s Group. This component installs two services:

    1. Provision Networks Data Collector. This service communicates (tcp port 5203) with the Provision Networks Connection Broker (tcp port 5201) and manages the user assignment to the Remote Desktop Users Group.
    2. Provision Networks Print-IT. This service enables Universal Printing, so users can print, with full functionality, to any printer defined on their Windows Client. This does NOT require installation of any Native Windows Printer Drivers on each Virtual Desktop to support client printing.

    If one manually installs PNTools on Windows XP Pro SP2, the installer will automatically configure the Windows Firewall to allow communication on the appropriate ports. If the installation is pushed from the Provision Management Console, the firewall must be manually configured.
    Configuring integration with a managed Virtual Infrastructure Server

    Ensure that VMware and Virtual Iron Integration was selected during the Virtual Access Suite Connection Broker installation. This can be verified via add/remove programs, select Modify on the Virtual Access Suite installation, expand Connection Broker.

    Install .Net Framework 2.0 and Sun Java Runtime 5.0 update 9, 10, or 11 on the Connection Broker. Virtual Access Suite does NOT currently work with Sun Java Runtime Environment 6, but if it is already installed, JRE 5 update 9, 10, or 11 can be installed without uninstalling JRE 6.
    Acquiring the SSL Server Certificate from Virtual Center

    Logon to a Provision Networks Connection Broker and launch the VDI Preinstall Configurator. This .hta file has the capability to download and install prerequisites like .Net Framework 2.0 and Sun Java Runtime Environment 5 update 9 (updates 10 and 11 also supported). It can also download and install the SSL Server Certificate from the Virtual Center Server and save it to the Java Keystore.
    Enter the information required to connect to Virtual Center. The credentials entered need to be able to map a network drive to the Virtual Center Server to download and install the SSL Server Certificate. The user name should be in the format Domain\User. The default password for the VMWare.keystore file is “changeit”.

    If an account is not available that has such permissions, the SSL Certificate can be downloaded and manually configured. Instructions for this manual configuration are in the referenced Provision Networks Virtual Access Suite Troubleshooting FAQ. When the configurator is complete, the certificate files are written to c:\VMware-Certs.

    Verify that the files exist, and that the directory name is exactly as listed, as the communication between the Connection Broker and Virtual Center is done via Java, which is case sensitive.

    If more than one connection broker is in operation, copy the contents of the “c:\VMware-Certs” directory to each of the servers, or run the configurator on each server. Restart the Provision Networks Connection Broker Service, or restart the server.
    Defining Virtual Management Servers in the Provision Management Console

    Launch the Provision Management Console and browse to the Desktop Services Node. Right-click and select "Virtual Management Servers".

    Enter the name of the Virtual Center Server and select the Server Type as VMware.

    Enter the Server URL to the Virtual Center Server, i.e. https://VirtualCenter/sdk
    Enter the credentials for a local or domain account with administrative permissions in Virtual Center. A custom role can be created in Virtual Center with more granular permissions, but that is beyond the scope of this document.
    The correct connection timeout value depends on how many objects are defined in Virtual Center. The larger the environment, the longer import operations can take, and the larger the timeout value should be.

    The other settings options for each Virtual Management Server define the number of concurrent operations that can be sent to the Virtual Management Server by the Provision Networks Connection Broker. The clone operation is the most resource intensive operation, as it requires creating new virtual disk files and spinning up the new virtual machines. These settings can be tailored to one’s environment, i.e. 2 clone operations for an environment with one Virtual Infrastructure Host and connected SAN LUN. If many Virtual Infrastructure Hosts exist in the environment, and the SAN that hosts the virtual disk files is robust, the number of clone operations can be increased accordingly as the load can be simultaneously spread across multiple resource pools, Virtual Infrastructure Hosts and SAN LUNs.
    Importing Datacenters into the Provision Management Console

    To import one or many Datacenters from Virtual Center to the Provision Management Console, right-click on Desktop Services and select Data Centers. At least one datacenter MUST be imported to interact with the Virtual Management Server.

    Select the Datacenter Type as VMware.

    Select the Virtual Management Server from which the Datacenters should be imported.

    Select the Datacenters to be imported. In an enterprise deployment, dedicated datacenters may be defined for VDI, for use for the desktop support engineers.
    Creating managed Desktop Groups

    A Desktop Group is a set of desktops that contains new desktops that are created from a virtual machine template, or that are imported from the defined datacenter. Typically Desktop Groups are created to organize desktops by Business Unit, i.e. machines that had the same system image on deployment of physical PCs.

    Right click on Desktop Services and select New Managed Desktop Group.

    Enter a descriptive Group Name, i.e. “Accounting Dept XP Pro Desktops”.

    Enter the name of a Desktop Administrative Account (Service/Role Account) that will be used to perform the management functions (installation/upgrade of PNTools, Shutdown, Restart, Logoff, Reset…) from the Provision Management Console. This account MUST be a member of the local administrators group on the desktops. This account could be the local administrator account, or a service account that is created specifically for these management tasks and is added to the local administrators group via Group Policy.

    Enter the number of desktops to create (from a virtual machine template that was created in Virtual Center). One could also import existing desktops from Virtual Center. The number of desktops to be created is only limited by the capacity of the Virtual Infrastructure. The recommended maximum number of desktops that can be managed by a single instance of VMware Virtual Center is 1500.

    This list is empty the first time this wizard is run, so click “Import” to import the list of available virtual machine templates from Virtual Center. Select the Virtual Machine Template that will be cloned to create the new desktops. This template is created in Virtual Center.

    This list is empty the first time this wizard is run, so click “Import” to import the folder structure from Virtual Center. Select the folder in which the new virtual machines should be organized.

    This list is empty the first time this wizard is run, so click “Import” to import the list of available Resource Pools/Datastores from Virtual Center.

    One can spread the virtual machines across multiple resource pools and datastores. Define how the wizard should distribute the machines across the datastores.

    In the example shown, the five desktops being built are spread equally across five different datastores.

    Provide a naming convention for the new desktops, or provide a list of names via a text file. In the example above the base name is “XPACCT?”. This will generate the new desktops with names XPACCT1, XPACCT2, XPACCT3, XPACCT4, and XPACCT5. If ten or more desktops were being created, two question marks would be in the base name.

    With sysprep customizations, the administrator can apply a new sysprep.inf file to the desktops being built. Click the “New” button to create a new Sysprep Template.

    For the sysprep customizations to be applied when the virtual machines boot, the sysprep files MUST exist on the Virtual Center Server in “%SystemRoot%\Documents and Settings\All Users\Application Data\VMware\VMware Virtual Center\sysprep\xp\”. If one is not familiar with Sysprep, these files can be downloaded from Microsoft’s website. When installed they are written to %WinDir%\system32\deploy.cab. Extract the files shown in the picture from the deploy.cab file to the specified directory on the Virtual Center Server.

    Assign a meaningful name to the new Sysprep Customizations, i.e. the name of the Managed Desktop Group.

    If one already has a completed sysprep.inf file, it can be imported from a file.

    Select the Operating System of the new desktops that are being built. The OS selected must match the version of the Sysprep files on Virtual Center.

    Enter the registration information for the new desktops.

    Enter the Time Zone that will be set.

    Enter the Windows Volume License Product Key, or provide a list of Product Keys from a file.

    Enter the new local Administrator Password for the desktops.

    Specify the Domain or Workgroup. If specifying that the desktops should join a Domain, specify the account that will be used to create the computer accounts in Active Directory.

    Browse to the Active Directory OU where the new computer accounts should be created. If nothing is specified, the accounts will be created in the default “Computers” OU. Specifying the correct OU allows the machines to receive the correct Group Policy on the first boot after the machine joins the domain.

    Use the default regional settings, or select one from the list.

    If necessary, select language groups in addition to or other than the default.

    One can specify additional commands that should be executed, and the order in which they should execute.

    An Identification String can be inserted into the registry so one can tell which sysprep customizations were used to build the desktop.

    Custom Sysprep Entries are any other entries that are supported by sysprep that are not exposed in this GUI.

    A Summary is displayed so one may review all of the settings that were entered. Click Finish to save the new sysprep customizations.

    Select the newly created Sysprep Customizations and click next.

    Back to the Managed Desktop Group Wizard, the Options allow one to start the creation of the virtual machines “immediately”, or one may schedule the operations to be started at a specified date and time, i.e. during a period when the build of the desktops would not adversely affect production.

    Review the names of the desktops that will be created, and on which Datastores they will be created. Click finish to submit the jobs into the task list. The jobs are sent to Virtual Center at the scheduled time that was specified.

    When the Managed Desktop Group is selected, on the bottom of the console the tasks are listed along with the progress of each and their current status.

    When the Managed Desktop Group is selected, from the Desktops Tab, the administrator can right click on a desktop and perform options like Update Power Status (if the console isn’t set to automatically refresh), install/update PNTools, Power On/Off the VM, Reset the VM, Resume a suspended VM, Suspend a running VM, Shut Down the OS, Restart the OS, Logoff the current user, Reset the current user’s session (non-graceful logoff), Cancel the current running task, Remove the VM from the Desktop Group, Delete the VM, View/Edit the policy applied to the Desktop and view the Properties of the Desktop.

    By right clicking on a Desktop Group, one of the options is “Group Policy”. This is unrelated to Active Directory Group Policies; rather, these are policy settings that are applied to the Desktop Group.
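The sysprep customizations collected by the wizard above (local Administrator password, domain join account, target OU, product key) end up in a sysprep.inf answer file, so anyone who can read that file can read what it holds. The following audit script is an added example, not part of the original article or of the Provision Networks product; the sample answer file and every value in it are constructed placeholders, and the section and key names are the standard Windows XP sysprep.inf ones.

```python
import configparser

# Constructed sample answer file: every value below is a placeholder.
SAMPLE_SYSPREP_INF = """
[GuiUnattended]
AdminPassword="Examp1e-Local-Pw"
EncryptedAdminPassword=No
TimeZone=004

[UserData]
FullName="Accounting"
OrgName="Example Corp"
ComputerName=*
ProductKey="AAAAA-BBBBB-CCCCC-DDDDD-EEEEE"

[Identification]
JoinDomain=corp.example.test
DomainAdmin=svc-join
DomainAdminPassword="Examp1e-Join-Pw"
"""


def load_inf(text):
    """Parse INF text into {section: {key: value}}, names lower-cased."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(text)
    sections = {}
    for name in parser.sections():
        merged = sections.setdefault(name.lower(), {})
        for key, value in parser.items(name):
            merged[key] = (value or "").strip().strip('"')
    return sections


def audit_sysprep(text):
    """Return (severity, check_id, message) findings, highest severity first."""
    inf = load_inf(text)
    gui = inf.get("guiunattended", {})
    ident = inf.get("identification", {})
    user = inf.get("userdata", {})
    findings = []

    # Local Administrator password: blank, or readable unless stored encrypted.
    admin_pw = gui.get("adminpassword", "")
    encrypted = gui.get("encryptedadminpassword", "no").lower() == "yes"
    if admin_pw == "*":
        findings.append(("HIGH", "blank-admin-password",
                         "AdminPassword=* leaves the local Administrator password blank"))
    elif admin_pw and not encrypted:
        findings.append(("HIGH", "plaintext-admin-password",
                         "local Administrator password is readable in the file"))

    # The domain join credential is written as-is next to the account name.
    if ident.get("domainadminpassword"):
        findings.append(("HIGH", "cleartext-join-password",
                         "password of join account %r is stored in clear text"
                         % ident.get("domainadmin", "?")))

    # Without MachineObjectOU the account is created in the default container.
    if ident.get("joindomain") and not ident.get("machineobjectou"):
        findings.append(("MEDIUM", "no-machine-object-ou",
                         "computer accounts go to the default Computers container "
                         "and miss OU-linked Group Policy on first boot"))

    if user.get("productkey"):
        findings.append(("LOW", "product-key-in-file",
                         "volume licence key is stored in the file"))

    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, check_id, message in audit_sysprep(SAMPLE_SYSPREP_INF):
        print("%-6s %-26s %s" % (severity, check_id, message))
```

A join account that can only create computer objects in the target OU limits what a leaked DomainAdminPassword is worth.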





  4. #4
    The User Assignment Tab allows the administrator to specify whether users are temporarily or permanently assigned to the desktop to which the Connection Broker directs them.
    When set to Temporary, the Provision Networks Data Collector Service on the Managed Desktop inserts the User’s Account into the Local Remote Desktop User’s Group at logon, and removes it at logoff. This allows the desktop to be dynamically assigned to another user as directed by the Connection Broker.

    When set to Permanently, the first time a user is directed to a desktop by the Connection Broker, the desktop is permanently assigned to the desktop, so that user is the only user that can logon to the machine (along with administrators). At subsequent logons the connection broker always directs the user back to the same desktop. The screenshot above shows the permanent assignment on a given desktop.

    The Access Timetable tab allows the administrator to define days of the week and hours when logons to the desktops are allowed or denied. Click on the grid to view the Schedule Editor.


    The User Privileges tab allows the administrator to specify whether users that are assigned to desktops shall be inserted into the local Power Users or Administrators Group.

    The Session Auto-Logoff tab allows the administrator to define a list of applications that shall cause the system to force a logoff, if they are still running after the user closes all published applications, or if the user tries to logoff of their desktop and the logoff process does not complete successfully.

    The Inactivity Timeout tab allows the administrator to define whether the VM shall be suspended after a successful logoff, or after the defined inactivity timeout. This helps to conserve resources, but can cause the end user to have to wait for the VM to power on at the next logon.

    The Inactivity Timeout is defined in the properties of the root Desktop Services node in the Provision Management Console.

    Since PNTools is required to exist on the Desktop OS for the client to connect to the VM via the Connection Broker, it is often best to install PNTools as part of the base system image. The location of PNTools for deployment from the Provision Management Console is defined in the PNTools tab.

    To manually install PNTools on a single desktop, multiple desktops or an entire Desktop Group, right click on the object in the Provision Management Console. This will schedule a task to install PNTools and will force a reboot of the VM when the installation is completed.
    Rumor has it that this technology is currently being extended so any MSI based application will be able to be scheduled for installation on a VM via the Provision Management Console.
    Overriding the Managed Desktop Group Policy

    While the Group Policy applied to a Desktop Group is a very convenient method of managing groups of desktops as a whole, there is usually a need to make an exception to a rule.
    If the administrator double clicks on a given desktop, each of the Group Policy Tabs can be overridden for that individual desktop.

    If a user is currently logged onto the selected desktop, the administrator can permanently assign the user to the desktop. If no user is logged on, the administrator can pre-select a specific user (from Active Directory) that shall be permanently assigned to the desktop.
    Managed Applications

    As described in the previous article on Terminal Services, the administrator can publish programs, desktops or content. The same holds true for VDI. Unlike other VDI solutions, the Provision Networks Connection Broker can present users with a published desktop or multiple individual applications, regardless of whether the destination system is a Terminal Server, or a single-user Desktop Operating System.

    One can publish applications to Managed Desktop Groups from Resources -> Managed Applications, or from the right click menu on a selected Desktop Group.
    The steps for publishing applications to Managed Desktop Groups are identical to Publishing Applications to Terminal Services, with a couple exceptions.

    Select the ellipses next to the “Path” text box, and then select “Managed Desktop…”

    Enter the name of a “Powered On” desktop in the destination Managed Desktop Group.

    Select the Drive on which the application exists, and then browse the file system to the program being published. If publishing individual applications, instead of desktops, the assumption is that each desktop in a Managed Desktop Group has the same software installed.

    Refer to part two of this article series for more in depth details on application publishing.
    Connecting from Provision Networks Web-IT

    One of the connection mechanisms available is a secure web portal, with or without an SSL Reverse Proxy. Configuration of these components will be detailed in a future article in this series.

    After authenticating, the user is presented with the applications that have been assigned to them by the administrator.

    If the destination computer is not powered on, or is suspended, the user will be presented with the status when the application is selected. The connection broker will send commands to Virtual Center to power on or resume the appropriate Virtual Machine. The status in the window (shown above) will be reported back to the client in real time. Once the OS is loaded, the Application or Managed Desktop will be connected.

    If the end user has been assigned a published desktop, a standard Windows Desktop will be displayed. If however the user has been assigned multiple individual published applications, the applications will be displayed in Seamless Windows, and will share the same Windows Session, as shown in the screenshot above. If a user were to be allowed the choice of a Published Desktop, or Published Applications, launching a Published Desktop while using Published Applications will simply expose the desktop around the currently running seamless applications.
    Clients

    Clients can be configured to communicate with an unlimited list of communication brokers, which they contact randomly (not in the order listed), to provide redundancy. A future installation of this article series will discuss how to configure the different clients. The following clients exist for use with Virtual Access Suite:

    • Win32 ActiveX Web Client
    • Win32 Desktop Applet / Desktop Integrated Client (AppPortal)
    • Java Web Client
    • Linux Client
    • Wyse Thin OS (WTOS) Client
    • HP Neoware Neolinux Client
    • Windows CE Client
    • Linux-based PXE Boot Client (available soon)
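The User Assignment and User Privileges tabs described above work by changing local group membership on the desktop: the user is added to Remote Desktop Users at logon and removed at logoff, and may also be placed in Power Users or Administrators. The following reconciliation script is an added example, not part of the original article or the product; it replays group and logon events to list memberships that remain once nobody is logged on, in case a removal is ever missed (an assumed failure mode, not one the article reports). The log line format, host names and accounts are constructed.

```python
import re
from collections import defaultdict

# Security log event IDs on Windows XP / Server 2003
# (4624, 4634, 4732 and 4733 on later Windows versions).
LOGON, LOGOFF, GROUP_ADD, GROUP_REMOVE = 528, 538, 636, 637
RDP_GROUP = "Remote Desktop Users"
WATCHED_GROUPS = {RDP_GROUP, "Power Users", "Administrators"}

# Constructed, pre-normalised log lines: time host event-id key="value" ...
SAMPLE_LOG = r'''
2008-03-04T08:01:10 XPACCT1 636 group="Remote Desktop Users" member="CORP\alice"
2008-03-04T08:01:12 XPACCT1 528 user="CORP\alice"
2008-03-04T17:02:00 XPACCT1 538 user="CORP\alice"
2008-03-04T17:02:01 XPACCT1 637 group="Remote Desktop Users" member="CORP\alice"
2008-03-04T08:05:00 XPACCT2 636 group="Remote Desktop Users" member="CORP\bob"
2008-03-04T08:05:03 XPACCT2 528 user="CORP\bob"
2008-03-04T12:30:00 XPACCT2 538 user="CORP\bob"
2008-03-04T13:00:00 XPACCT2 636 group="Remote Desktop Users" member="CORP\carol"
2008-03-04T13:00:02 XPACCT2 528 user="CORP\carol"
2008-03-04T09:00:00 XPACCT3 636 group="Remote Desktop Users" member="CORP\dave"
2008-03-04T09:00:00 XPACCT3 636 group="Administrators" member="CORP\dave"
2008-03-04T09:00:04 XPACCT3 528 user="CORP\dave"
2008-03-04T16:00:00 XPACCT3 538 user="CORP\dave"
2008-03-04T16:00:01 XPACCT3 637 group="Remote Desktop Users" member="CORP\dave"
2008-03-04T08:00:00 XPACCT4 636 group="Remote Desktop Users" member="CORP\erin"
2008-03-04T08:00:05 XPACCT4 528 user="CORP\erin"
2008-03-04T18:00:00 XPACCT4 538 user="CORP\erin"
'''

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\d+)\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse(log_text):
    """Yield (timestamp, host, event_id, fields) for each well-formed line."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, host, event_id, rest = match.groups()
            yield ts, host.upper(), int(event_id), dict(FIELD_RE.findall(rest))


def lingering_memberships(log_text, permanent=frozenset()):
    """Return sorted (host, group, account) grants left with no open session.

    permanent: (host, account) pairs with a permanent desktop assignment,
    assumed here to keep their Remote Desktop Users membership by design.
    """
    permanent = {(h.upper(), a.lower()) for h, a in permanent}
    members = defaultdict(set)   # (host, group) -> accounts currently in it
    sessions = defaultdict(int)  # (host, account) -> open logon sessions

    # ISO timestamps sort lexically, so replay in time order.
    for ts, host, event_id, f in sorted(parse(log_text), key=lambda r: r[0]):
        if event_id in (GROUP_ADD, GROUP_REMOVE):
            group, account = f.get("group"), f.get("member", "").lower()
            if group not in WATCHED_GROUPS or not account:
                continue
            if event_id == GROUP_ADD:
                members[(host, group)].add(account)
            else:
                members[(host, group)].discard(account)
        elif event_id in (LOGON, LOGOFF) and f.get("user"):
            key = (host, f["user"].lower())
            step = 1 if event_id == LOGON else -1
            sessions[key] = max(0, sessions[key] + step)

    findings = []
    for (host, group), accounts in members.items():
        for account in accounts:
            if sessions.get((host, account), 0) > 0:
                continue  # still logged on, the grant is in use
            if group == RDP_GROUP and (host, account) in permanent:
                continue  # permanent assignment keeps its logon right
            findings.append((host, group, account))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lingering_memberships(SAMPLE_LOG, {("XPACCT4", r"CORP\erin")}):
        print(finding)
```

In the sample, XPACCT2 has been handed to a second user while the first user's logon right is still in place, and XPACCT3 keeps a local Administrators entry after logoff.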







  5. #5
    Code:
    http://www.virtualizationadmin.com/articles-tutorials/terminal-services/general/install-configure-provision-networks-virtual-access-suite-part4.html
    PART-4

    Anyone who has managed a Windows Terminal Services environment can testify that printing has been a problem since day one. The problems that exist are:

    • System stability – the installation of 3rd party printer drivers not designed for use on a multi-user system like Terminal Server can cause failures in applications, the Windows Printer Spooler and the Windows Server Operating System
    • Manageability – maintaining a consistent set of stable printer drivers, while fielding constant requests to support new printer models is difficult and time consuming. Additionally, many Windows System Administrators are not scripting experts, so mapping the appropriate Network Printers via logon script can be challenging, especially in complex environments
    • End user frustration – printing is a function that should just work, and when it doesn’t it frustrates users, resulting in a loss of productivity and helpdesk calls. Use of more stable Windows Printer Drivers often results in loss of functionality.
    • Bandwidth Congestion – sending print jobs across a Wide Area Network (WAN) or the Public Internet in their PCL or Postscript format can consume enormous amounts of bandwidth which costs money and impacts end user perceived performance.

    Print-IT completely addresses each of these issues:

    • System stability – Uses a single Universal Printer Driver that was designed for Terminal Services and has been in use on Terminal Services and Citrix since 2001, so there is little chance of system stability due to printing. This Universal Printer Driver supports both Client and Session Printers, so there is no need to install 3rd Party Printer Drivers on Terminal Servers.
    • Manageable – There is no need to replicate printer drivers, or worry about what kind of printers end users and business units purchase, as Print-IT fully supports all printers regardless of make or model. Printers can be mapped via the Provision Management Console based upon User, Group, OU, Client IP Address or Client Name, without writing a single script. If using Citrix, these same printers can be mapped via Citrix Session Printer Policy.
    • End user productivity and reduced support costs – printing just works, the way users would expect.
    • Bandwidth Compression – print jobs are compressed and sent across the network in Enhanced EMF or PDF Format. This compression and intelligent font embedding drastically reduce printing bandwidth requirements and causes print jobs to start and complete more quickly.

    Print-IT Server Components


    • Universal Print Driver (Print-IT) – Universal Client Printer Auto-Creation: This is installed by default on Windows Terminal Services, and when installing PNTools on Virtual Desktops.
    • Universal Print Driver (Print-IT) – Universal Network Printer Auto-Creation: This feature enables mapping of Network Printers shared on a Windows Print Server or Dedicated Print-IT Network Print Server.
    • Print-IT Control Panel Applet: This control panel applet is used to configure the features of Print-IT on a Windows Terminal Server, and can replicate those settings to other Terminal Servers.

    Universal Network Print Services


    • Universal Network Print Server Extensions: This feature is installed on a Windows Print Server or dedicated Windows Server to enable printing to Network Printers via the Universal Printer Driver. These printers can be assigned to Terminal Server Sessions via the Provision Management Console or to Citrix Sessions via Citrix Session Printer Policies in the Presentation Server Console (if Print-IT is installed on a Citrix Server).
    • Universal Print Relay Service for Remote Sites: This feature is installed on a Windows Print Server, dedicated Windows Server, or even a Windows Client OS (like Windows 2000 Professional or Windows XP) that is not in the same site / location as the Terminal Servers. This enables administrators to assign the remote site printers to Terminal Server Sessions via the Provision Management Console or to Citrix Sessions via Citrix Session Printer Policies in the Presentation Server Console (if Print-IT is installed on a Citrix Server). This also allows print jobs that traverse a Wide Area Network to be compressed in EMF or PDF format until they are processed by the remote print server.
    • Print-IT Client: The Print-IT Client is part of the Virtual Access Suite Web and AppPortal Clients, and can be installed separately on systems only using Print-IT functionality of Virtual Access Suite. The Print-IT client is only necessary to auto-create printers defined on the client machine.

    Installation of Print-IT Server

    Print-IT consists of two features when installed on a Terminal Server:

    • Universal Client Printer Auto-Creation. This feature installs EMF and PDF Universal Printer Drivers and does not require the Provision Management Console. This enables the auto-creation of printers that are defined on client devices with the Print-IT or Virtual Access Suite Client installed.
    • Universal Network Printer Auto-Creation. This feature installs PNShell and the Provision Management Console to support mapping of Network Printers, Shared on a Print-IT Enabled Windows Print Server, or a Dedicated Print-IT Print Server. This feature is not displayed as selected by default, when installing Virtual Access Suite Enterprise on a Terminal Server, because other Power Tools for Terminal Servers install PNShell and the Provision Management Console. If performing a standalone installation of Print-IT on a Terminal Server, Universal Network Printer Auto-Creation must be selected to map Network Printers via the Provision Management Console. The only exception to this rule would be if Print-IT is being installed as a standalone component on a Citrix Server, where Policies in the Presentation Server Console will be used to map Network Printers.

    The installation of Print-IT Server is a default option when installing Virtual Access Suite Enterprise or Standard Edition on a Windows Terminal Server. It can also be installed by itself if Print-IT licensed separately. Virtual Access Suite is licensed per concurrent user, whereas Print-IT and other Power Tools for Windows Terminal Services are licensed per Terminal Server.
    When this feature is licensed and installed as a standalone component, it does not require the Provision Database, Provision Management Console or a Connection Broker. These components are required when installing any of the “Universal Network Print Services”.

    Figure 1
    Configuration of Print-IT Server features

    The Print-IT Server installation installs two Print Drivers on Windows Terminal Servers.

    Figure 2
    Print-IT Server features are configured via the Print-IT Control Panel Applet. The original Print-IT Driver is in PDF Format. This driver is no longer the default driver used by Print-IT, because it has known limitations. The newer Print-IT EMF Driver is an enhanced EMF File Format that includes intelligent font embedding.
    The features of Print-IT Server can be configured via the Print-IT Control Panel Applet, pnupcfg.cpl.

    Figure 3
    On the General tab of the Print-IT Control Panel, the administrator can:

    • Set the Print Data Format from the default EMF, to PDF.
    • Select which client printers can be auto-created.
    • Specify if client printers shall be auto-created synchronously or asynchronously. Asynchronously means that the printer will continue to be created after the application or desktop launches, whereas synchronous means that the application or desktop will not launch until the client printers are created.
    • Define whether printers will be created with full permissions, if the printers will be deleted at session disconnect and whether the default printer on the client will become the default printer in the Terminal Services Session.


    Figure 4
    On the Compression tab, the administrator can define the level of Data and JPEG Compression. The default values are usually appropriate for most installations.

    Figure 5
    The Client Printer Naming Convention can be altered to meet the requirements of the business. One problem that exists with some applications is that Terminal Server Client Printer Names change at each logon, due to the dynamic nature of the Terminal Server Session ID. Options exist that do not append the Session ID to the Client Printer names. These options to drop the Session ID should not be used in situations where users logon simultaneously with the same account on multiple clients, as users could print to each other’s printers, and the default printer could get reset.

    Figure 6
    The administrator can limit how much bandwidth can be sent through the Universal Printer Virtual Channel in the RDP or ICA Protocol in each user’s session. This prevents a large print job from consuming the total available bandwidth.

    Figure 7
    If using the standalone Print-IT product, the administrator can select a Print-IT client that will upgrade users’ previous version clients. The Print-IT client is built into the Virtual Access Suite Client, so this option should not be used with Virtual Access Suite Enterprise or Desktop Services Editions.

    Figure 8
    The PDF Publisher tab allows the administrator to enable a PDF Printer on client devices, as part of the Print-IT Client. With this option enabled clients can print to PDF, instead of to a physical printer (if necessary).

    Figure 9
    From the Server Farms tab, the administrator may propagate the Print-IT Control Panel Settings from the current Terminal Server to other servers in the farm.

    Figure 10
    On the logging tab debug logging can be enabled for Print-IT Printers and the Print-IT Port Monitor, and print job statistics can be written to the Event Log.
    Installation of Universal Network Print Services

    The installation of Universal Network Print Server Extensions is performed on existing Windows Print Servers or dedicated Print Server(s) at the same location as the Terminal Servers.

    Figure 11
    This feature installs the Print-IT Universal Printer Drivers and the Provision Management Console. These enable the creation of Print-IT Printer objects that forward print jobs to the destination print queue where the print jobs are processed with the native print driver.
    The installation of Universal Print Relay Service for Remote Sites is performed on existing Windows Print Servers or dedicated Print Server(s) at a remote site. This feature does not install the Provision Management Console.

    Figure 12
    Printers from this Print Relay Server are imported into a Universal Network Print Server at the main site. These printers from the Print Relay Server may be assigned to Terminal Services Sessions in the same manner as printers at the remote site. The connection between the Universal Print Relay Service for Remote Sites and Universal Network Print Server at the main site is done via a port that is configured by the administrator.

    Figure 13
    The Print-IT Remote Site Relay Control Panel (pnuprelay.cpl) is used to


    • Configure the listening TCP Port for the service
    • Enable encryption for the communication between the Print-IT Servers and the Remote Site Relay Server
    • Limit the bandwidth for the printing traffic between the sites


    Figure 14

    • Select the Printers to be exported to the Print-IT Server at the main site.

    Adding Print Relay Servers to the Provision Management Console


    Figure 15

    Open the Provision Management Console -> Resources -> Printers

    Figure 16

    Select “Manage Print-IT Servers” -> Click “Site Relay”

    Figure 17
    On the “Manage Relay Servers” tab, click “Add”.

    Figure 18
    Enter the NetBIOS Name or IP Address of the Print Relay Server.

    Figure 19
    Click “OK” to create a new Site.

    Figure 20
    Enter a descriptive name for the Printer Relay Site.

    Figure 21
    Enter a two character suffix that will be appended to the printers that are imported from the remote site to Print-IT Servers.

    Figure 22
    Enter the encryption passphrase that was created on the Relay Server.

    Figure 23
    Select the available bandwidth for the printing link between the Print-IT Server and the Print Relay Site.

    Figure 24
    On the “Import Remote Printers” tab, click “Import Now” to import the printers that were exported via the Print Relay Control Panel.

    Figure 25

    Figure 26

    Review the printers that were imported from the Print Relay.
    Add Print-IT Printers to the Provision Management Console

    Open the Provision Management Console -> Resources -> Printers -> Manage Print-IT Servers -> underneath right pane -> Click “Add”

    Figure 27

    Browse the Network to any Windows Print Server and select the Shared Printers to add to the Print-IT Server.

    Figure 28
    Review the results to verify that the Shared Printers were created on the Print-IT Server.

    Figure 29
    Review the list of printers that have been added to the Print-IT Print Server.

    Figure 30
    Select the Properties of a Print-IT Printer to review and/or change the Print Data Format (PDF or EMF) and associated Performance Options.

    Figure 31
    Change the Print Data Format to EMF, unless there is a specific reason to use PDF.
    Assign the Print-IT Printers to Clients


    Figure 32

    On the Access Control List, assign clients to the Print-IT Printers, and specify if the printer should be default printer in the assigned client’s Terminal Services Session. Like any other application or resource, Printers may be assigned to Users, Groups, OUs, Client IP Address Ranges or Client Naming Conventions.
    Using the Print-IT options in the Virtual Access Suite Client

    The Print-IT Client options only pertain to auto-created client printers, not to Print-IT Printers assigned via the Provision Management Console.

    Figure 33
    When connected to a Terminal Services or Virtual Desktop Session, right-click on the Virtual Access Suite Client in the System Notification Area -> Select “Client Properties”

    Figure 34
    On the General Tab the end user can select (if enabled on the server) whether to auto-create the default printer, local printers, network printers or specific printers, i.e. two network printers and one local printer.

    Figure 35
    On the bandwidth tab, the end user may select a lower amount of bandwidth to be used for “client printing” than was defined on the server.

    Figure 36
    The logging tab is used to capture debugging information if there is a problem with the client.

    Figure 37
    In the PDF publisher options fly-out menu, the end user may specify (if enabled on the server) whether print jobs sent to the PDF Publisher shall be saved to file, or inserted into a new email message.
    The “Apply additional printer properties” option allows the private attributes of the Manufacturer’s Printer Driver to be exposed. This is often the first thing to have the end user check if they are having problems accessing features of a client printer.
    The “Preview before printing” option is fairly self explanatory, and performs a local print preview of a print job before it is sent to the printer.

    Figure 38
    When printing from an application, review the naming convention of the assigned printers. The names of the printers can be altered in the Provision Management Console.
    Summary

    Print-IT is a very mature, stable, scalable and easy to manage Universal Printing Environment. These features can be installed and configured in less than an hour, after which “printing should just work”. After Print-IT is installed and configured, administrators should be able to remove all 3rd party printer drivers from the Terminal Servers. As with anything else, testing should be done in a controlled environment before making changes to the production environment.



