Introduction to Virtual Desktop Manager
Revision: 20080527
Item: VDM-ENG-Q108-451
You can find the most up-to-date technical documentation on our Web site at
[Link]
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@[Link]
2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242,
6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022,
6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481,
7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999,
7,278,030, 7,281,102, and 7,290,253; patents pending.
VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names
mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
[Link]
Contents
Introduction to Virtual Desktop Manager
Introduction
Features
VDM Overview
VDM User Authentication
VDM Extended USB Device Redirection
VDM Secure Access
VDM Virtual Desktop Pool Management
VDM High Availability and Scalability
VDM Connection Server DMZ Deployment
VDM Connection Server Components
VDM Broker
VDM Secure Gateway Server
VDM LDAP
VDM Messaging
VDM Security Server
Glossary

Introduction to Virtual Desktop Manager

VMware Virtual Desktop Manager 2 (VDM) is a key component in the VMware Virtual Desktop Infrastructure (VDI) [Link] [Link] works with VMware Virtual Infrastructure 3 to provide a complete, end-to-end VDI solution that improves control and manageability and provides a familiar desktop experience.

The benefits of VDI with VDM include the following:
- Control and manageability in a single product: Administrators can more easily provision, manage, and maintain desktops because the desktops are running in the datacenter.
- Familiar end-user experience: Users get flexible access to a personalized, virtual desktop that behaves just like their PC desktops.
- VMware Infrastructure 3 integration: VDI extends the benefits of VMware Infrastructure 3 to the desktop by leveraging the backup, failover, and disaster recovery capabilities of VMware Infrastructure 3.
- Lower total cost of ownership (TCO): By reducing administration and energy costs and extending the useful life of PCs, VDI delivers lower TCO.

Features
The features of VDM in VDI include the following:
- Enterprise-class connection brokering: VDM manages the connections between [Link], the virtual desktops [Link], users access their applications as if the applications are running locally.
- USB client device support: USB devices can be locally connected to clients and accessed through a virtual desktop.
- Web-based management user interface: A Web-based management console allows virtual desktops to be managed from any location.
- Smart pooling capabilities: A range of persistent and non-persistent pooling capabilities simplifies the provisioning and management of centralized desktops.
- Secure access: Optional secure encapsulation capabilities allow all network connections to be encrypted.
- Integration with Microsoft Active Directory: Connection to Active Directory, which allows you to locate user and user group accounts and use the authentication features in Active Directory to control which users can access virtual desktops.
- Support for two-factor authentication: With RSA SecurID, access control is strengthened.
- Seamless integration with VMware Virtual Infrastructure 3: Works closely with VMware VirtualCenter to provide advanced virtual desktop management capabilities, such as automatic suspend and resume, which reduces the memory [Link] capabilities of VMware Virtual Infrastructure 3, desktops can run even when server hardware fails and recover quickly from unplanned outages without duplicate hardware.
- Flexible deployment options: Critical components can be deployed in a variety of configurations and to different parts of the network, which improves security, scalability, [Link], and VDM can scale horizontally to support many virtual desktops.
- High availability: Servers can be clustered for high availability and scalability [Link] load balancing solutions.

VDM Overview
VDM includes the following key components:
- VDM Connection Server
- VDM Agent
- VDM Client
- VDM Web Access
- VDM Administrator

Figure 1 shows the physical topology of a VDI infrastructure with VDM and shows the relationship between the main VDM components.

Figure 1. Physical Topology of VMware VDI Infrastructure with VDM
[Figure labels: Windows (VDM Client); Linux (VDM Web Access); Mac (VDM Web Access); Thin Client; network; VDM Administrator (browser); VDM Connection Server; Microsoft Active Directory; VirtualCenter Management Server; virtual desktops (VM: desktop OS, app); ESX Server hosts running Virtual Desktop VMs; ESX Server host; VDM Agent; virtual machine]

VDM Connection Server
This component is the VDI connection broker that manages secure access to virtual desktops and works with VirtualCenter to provide advanced management capabilities. It is installed on a Microsoft Windows Server 2003 server that is part of an Active Directory domain.

VDM Connection Server is installed as one of the following instances:
- Standard: This instance appears in Figure [Link] and is used as the only VDM Connection Server (or the first of a group of VDM Connection Servers that act as part of a high-availability, fully replicated group).
- Replica: This instance is installed as a second or subsequent VDM server in a [Link] server and is automatically replicated between VDM group members.
- Security Server: This instance implements a subset of the VDM Connection Server functionality and is used in a demilitarized zone (DMZ) deployment. A [Link] Standard and Replica instances automatically include the Security Server functionality.

The instance type is selected during VDM Connection Server installation.

High availability and DMZ deployments of VDM Connection Server using Replica and Security Server instances are described in VDM Connection Server DMZ Deployment.

Configuration data is stored in an embedded LDAP directory on each Standard and Replica instance.

VDM Agent
This component runs on each virtual desktop and is used for session management and [Link], this component supports optional USB device [Link] desktops created from that template automatically include the VDM Agent.

Place virtual desktops in an Active Directory domain that is one of the following:
- The same domain to which the VDM Connection Servers are joined
- A domain with a trust agreement with the VDM Connection Server domain

When users connect to their virtual desktops, they are automatically logged in using [Link] be disabled in VDM Agent, which means that users are always required to log on to the [Link] domain with which no trust agreement exists, single sign-on is not available, and the user must manually log in to the virtual desktop.

VDM Client
This component runs on a Windows PC as a native Windows application and allows [Link] VDM Connection Server and allows the user to log on using any of the supported [Link], users can select from the list of virtual [Link] virtual desktop and provides users with a familiar desktop experience.

VDM Client also works closely with VDM Agent to provide enhanced USB support. Basic USB support (such as USB drives and USB printers) is supported without VDM USB support, [Link] can specify VDM USB support in VDM Client during the installation.

VDM Web Access
This component is similar to VDM Client but provides a VDM user interface through a [Link] [Link]/X, [Link] [Link] Access on Linux uses rdesktop and on Mac OS/X uses Microsoft Remote Desktop Connection Client for Mac.

[Link] obtains the required software on their client device by accessing a VDM Connection [Link] by a user with administrative rights, VDM Web Access on Windows has complete VDM USB support.

VDM Administrator
[Link] VDM administrators to do the following:
- Make configuration settings
- Manage virtual desktops and entitlements of desktops of Windows users and groups

VDM Administrator also provides an interface to monitor log events on a VDM Server [Link] Connection Server components and their relationship with other VDM components, see VDM Connection Server Components.

VDM User Authentication
Users need to log in to VDM first in order to prove their identity and to gain access to [Link], they do this by entering their Windows credentials at the login prompt.

As an added level of security, VDM can be configured to require RSA SecurID [Link] login process, users must enter their SecurID user names together with their SecurID [Link], users are prompted for their Windows credentials.

Active Directory Authentication
[Link] allows user authentication for VDM against Active Directory for the joined domain and [Link], if VDM Connection Server is a member of Domain A, and a trust agreement exists between Domain A and Domain B, users from either domain can log in to VDM.

By authenticating users against an existing Active Directory, an organization can simplify the operational management of VDM by ensuring that the management of [Link], [Link], such as restricting permitted hours of login and the expiration date for passwords, are also handled through existing Active Directory operational procedures.

RSA SecurID Authentication
VDM is certified through the RSA SecurID Ready program to operate with RSA [Link] [Link] that is enabled for RSA SecurID authentication are prompted for their RSA SecurID user names and passcodes (PINs and token codes). After authenticating against an RSA Authentication Manager, users can continue to log in.

[Link] requires knowledge of the user's PIN and token code, which is only available on the [Link], VDM supports the full range of SecurID capabilities, including New PIN Mode, Next Token Code Mode, RSA Authentication Manager, load balancing, and so on.

Figure 2 shows the physical topology diagram for VDM with an additional server used [Link] single server, but for high-availability deployments, you need multiple servers.

Figure 2. VDM RSA SecurID Authentication with RSA Authentication Manager
[Figure labels: Client; network; VDM Administrator; VDM Connection Server; Microsoft Active Directory; RSA Authentication Manager; VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines]

When users enter their RSA SecurID credentials, VDM Connection Server [Link] credentials are verified, VDM Connection Server requests Active Directory domain credentials from the user and communicates with Active Directory to continue the authentication process.

VDM Extended USB Device Redirection
VDM allows the redirection of a variety of locally attached USB devices for software [Link], when attached, can be selected [Link] desktop session starts will appear in the menu and are available for redirection after being initialized.

Some devices, such as printers, local USB flash drives, and smart cards, can be forwarded to the virtual desktop using standard Microsoft Remote Desktop Protocol (RDP). But VDM Client USB redirection extends the range of usable devices and the [Link], sound can be brought to the local machine using RDP, but disabling this feature and using VDM USB redirection allows you to use VoIP devices.

[Link], smart card forwarding is limited to RDP functionality so that smart cards can be used to [Link], these devices do not appear in the [Link] (HIDs), such as a keyboard or a mouse, are also filtered from the USB device list because these devices are required locally and function without being forwarded or redirected.

RDP forwarding and VDM USB redirection can be governed through Active Directory [Link] Client, VDM Agent, and the user to have administration rights on the VDM Client and the VDM Agent operating systems.

VDM Secure Access
VDM Connection Server with VDM Client and VDM Web Access provides security for the desktop protocols between the client device and the VDM Connection Server. VDM encapsulates all protocols, such as the extended RDP in an HTTPS connection, which offers the following advantages:
- The RDP Protocol is tunneled through HTTPS and is encrypted using SSL: This is a powerful security protocol and is consistent with the security provided by other secure Web sites like those used for online banking, credit card payments, and so on.
- One HTTPS connection is used for all client-server communication: Multiple desktop connections are multiplexed over this HTTPS connection, which reduces the overall protocol overheads.
- VDM controls both ends of this HTTPS connection, so the reliability of the underlying protocols is significantly improved: If a user temporarily loses a network connection, after it is restored, the HTTPS connection is reestablished and the RDP connections automatically resume without having to reconnect and log in again.
- VDM is accessed using standard Web protocols, so it can be easily accessed through corporate proxies: In a standard deployment of just VDM Connection Servers, the HTTPS secure connection terminates at the VDM Connection Server and in a DMZ deployment, [Link] Server DMZ Deployment.

VDM Connection Server can be configured to not use a secure connection, so that RDP communication is direct from the client device to the virtual desktop.

VDM Virtual Desktop Pool Management
VDM includes integrated virtual desktop pool management capabilities that leverage the control provided by VirtualCenter to provision and manage the virtual desktops.

VDM provides the following types of desktops:
- Individual desktops: These are existing virtual desktops that are available [Link] desktops.
- Persistent desktop pool: This type is a pool of virtual desktops whose lifecycle [Link] assigned to their user on the first use, so the user returns each time to the same [Link] desktops by installing additional applications and storing local data.
- Non-persistent desktop pool: Similar to a persistent desktop pool, except in this [Link] finished, the virtual desktop is returned to the pool and made available for other users.
  By deleting the virtual desktops after each use, this type of pool ensures that each user receives a newly provisioned virtual desktop each time the user connects (optional). Use this type of pool where a clean machine is needed for each user session or in highly controlled environments that have no requirement for customization to be stored on the virtual desktop.

The two pool desktops are sized using the following parameters:
- Minimum: The minimum number of virtual desktops to be created when the pool [Link] [Link] when a user population is moved to VDM.
- Maximum: The maximum number of virtual desktops that can exist in the pool. Use this parameter to limit the number of virtual desktops in the pool to avoid overusing available resources.
- Available: The number of virtual desktops that are available for immediate use. For persistent pools, this parameter relates only to the unassigned virtual [Link] [Link] environments.

When a pool contains too few virtual desktops, the manager provisions new virtual [Link] customized (for example, named and become part of an Active Directory domain) or be left for an administrator to manually configure.

Power management is applied to all virtual desktops under VDM control, and the following policies are supported:
- Remain on: After being started, [Link] virtual desktop is powered down, for example using the VirtualCenter client, VDM automatically starts it when it is needed.
- Always powered on: VDM ensures that any virtual desktop with this policy [Link], VDM immediately powers it up again.
- Suspend when not in use: If a virtual desktop is not required, it is suspended. This policy is applied to individual and assigned persistent virtual desktops when [Link] [Link], this can be triggered by a virtual desktop being returned to the pool when a user logs out.
- Power off when not in use: If a virtual desktop is not required, it is powered off. This is just like the Suspend when not in use policy, except that the virtual desktop is completely powered off.

VDM supports individual and pooled desktops on multiple VirtualCenter instances. A pool cannot span VirtualCenters, but VDM can manage multiple pools across multiple [Link] be concurrently active for each VirtualCenter to ensure that the rate of operations is not [Link].

In a multi-broker environment, the VDM Connection Servers cooperate with each other to enforce these limits and to perform the pool management operations.

VDM High Availability and Scalability
To support high availability and scalability requirements, VDM Connection Server can [Link] [Link], a new instance of the LDAP directory is installed and the VDM Connection Server supports full functionality using its local LDAP directory.

To extend the environment, a second server can be installed as a Replica instance. During this installation, the user references an existing VDM Connection Server and the Replica instance is joined to the Standard instance to form a VDM Connection Server [Link] [Link] configuration changes on either server are automatically and immediately made on the other.

Both servers offer identical functionality and in the event of server failure, the other [Link], any changed LDAP VDM configuration data is reflected on the resumed server so that both servers [Link] [Link] installation, the user can reference any existing group member to join the new server to the group.

After installation, no differences exist between a Replica instance and a Standard [Link], additional Replicas can be [Link] VDM configuration data can be backed up by backing up the LDAP directory instance.

Figure [Link] use both VDM Connection Servers and support high availability and scalability needs, [Link] [Link] Connection Server does not provide load balancing functionality but works with standard third-party load balancing solutions.

Figure 3. Multiple VDM Connection Servers
[Figure labels: Client; network; load balancing; VDM Connection Servers; Microsoft Active Directory; VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines]

The load balancing requirements for VDM Connection Server are to support standard [Link] VDM Connection Server can include Microsoft Network Load Balancing (NLB), standard hardware-based load balancers, or virtual appliance load balancers that can operate on ESX Server.

Users in a load-balanced VDM Connection Server environment use a load-balanced [Link] the connection to any of the available VDM Connection Servers in the group.

VDM Connection Server DMZ Deployment
In secure environments, particularly when VDM is being accessed from an insecure network such as the Internet, it is common practice to deploy servers in a DMZ.

VDM Connection Server functionality is split between servers in the secure network [Link] Security Servers and are installed using the VDM Connection Server installer and [Link] with VDM Connection Servers (Standard or Replica) in the secure network.

Figure 4 shows a high-availability environment comprising two load-balanced VDM Security Servers in the DMZ working with two full VDM Connection Servers (Standard and Replica instance) in the secure network.

Figure 4. DMZ Deployment with Multiple VDM Connection Servers
[Figure labels: Remote Client; external network; DMZ; load balancing; VDM Security Servers; VDM Connection Servers; Microsoft Active Directory; VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines]

VDM Security Servers do not contain an LDAP configuration repository and do not access any authentication repositories (Active Directory or RSA Authentication Manager). When remote users connect using a VDM Security Server, they must [Link] cannot attempt to access any virtual desktops until they are successfully authenticated. With appropriate firewall rules on both sides of the DMZ, this type of deployment is suitable for accessing virtual desktops from Internet-located client devices.

To support remote VDM Client and VDM Web Access connecting to the environment using HTTPS from an external network, the only TCP port that must be allowed in the DMZ is the HTTPS port (TCP port 443). VDM Security Servers do not need to be part of an Active Directory domain, and no communication occurs between VDM Security Servers and Active Directory.

Although Figure 4 shows a one-to-one relationship between VDM Security Servers and VDM Connection Servers, multiple VDM Security Servers can be connected to each [Link] deployment to offer VDM access for internal users and external users.

Figure 5 shows a more complex environment where four VDM Connection Servers act as one group with the servers in the internal network dedicated to the users of that network, and the servers in the external network dedicated to users of that network. The servers on the right can be enabled for RSA SecurID authentication, so that all external network users are required to authenticate using RSA SecurID tokens.

Figure 5. DMZ Deployment with Internal Network Access
[Figure labels: remote Client; external network; DMZ; load balancing; VDM Security Servers; Client; internal network; load balancing; VDM Connection Servers; Microsoft Active Directory; VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines]

VDM Connection Server Components
Figure 6 shows the VDM Connection Server components and their relationship with the other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:
- JMS: 4001
- HTTP: 80
- HTTPS: 443
- RDP: 3389
- SOAP: 80 or 443

Figure 6. VDM Components
[Figure labels: Windows Client (browser, RDP Client, VDM Client); Linux and Mac Client (browser, VDM Secure GW Client, RDP Client); Thin Client (thin client operating system); Admin Console; VDM Administrator; VDM Connection Server (VDM Secure GW Server, VDM Messaging, VDM Broker & Admin Server, VDM LDAP); VirtualCenter Server (VirtualCenter); Virtual Desktop VM (VDM Agent); protocols shown: HTTP(S), RDP, SOAP, JMS]

VDM Broker
[Link] interaction between the client (VDM Client, VDM Web Access, and Thin Client) and the VDM Connection Server.

VDM Broker provides the following:
- User authentication
- User desktop entitlements with VDM LDAP
- Virtual desktop session management
- Coordination of the secure connection establishment, virtual desktop connection, and single sign-on
- Administration server used by VDM Administrator Web client
- Virtual desktop pool management

VDM Broker operates closely with VirtualCenter to provide advanced management of [Link] and power operations, such as automatic suspend and resume.

VDM Secure Gateway Server
VDM Secure Gateway Server provides the server-side component for the secure HTTPS connection between the VDM Client (or VDM Secure Gateway Client) and the [Link], a secure HTTPS connection is [Link], [Link]/X, it is initiated by the Java VDM Secure Gateway Client using Java Web Start technology. After this secure connection is established, virtual desktop protocols (RDP) can securely and reliably connect.

When the VDM Secure Gateway Server sees an incoming RDP connection through the HTTPS connection, [Link] ensure that all virtual desktops are only accessed through VDM Connection Server, firewall rules can be applied to each virtual desktop so that all RDP connections [Link], direct access to virtual desktops bypassing VDM Connection Server is not possible because VDM Connection Server acts as gatekeeper for all virtual desktop access. With VDM 2.1 and newer, the VDM Agent can be configured so that direct incoming RDP connections to virtual desktops [Link] through a VDM Connection Server.

VDM Secure Gateway Server is also responsible for forwarding other Web traffic (such as authentication traffic, user desktop selection traffic, and so on) to the VDM broker [Link] Gateway Server to the VDM Broker.

VDM LDAP
VDM LDAP is an embedded LDAP directory on each VDM Connection Server [Link] configuration data. VDM LDAP for Windows Server 2003 uses Microsoft Active Directory Application Mode (ADAM). This is an embedded LDAP directory bundled [Link]:
- Specific VDM schema definitions
- Directory information tree (DIT) definitions
- Access control lists (ACLs)

VDM LDAP also includes a set of VDM plug-in DLLs to provide automation and notification services for other VDM components.

VDM LDAP contains entries to represent the following configuration items:
- Virtual desktop entries that represent each accessible virtual desktop: This contains references to Foreign Security Principal entries of Windows users and Windows user groups in Active Directory who are authorized to use this desktop.
- Virtual Desktop Pool entries that represent multiple virtual desktops managed together
- Virtual machine entries that represent each virtual desktop
- VDM component configuration entries used to store configuration settings

When a Standard instance is installed during VDM Connection Server installation, a new, [Link], DIT definition, ACLs, [Link] VDM LDAP is mainly maintained from VDM Administrator, although VDM Broker also manages some parts automatically.

When a VDM Connection Server Replica instance is installed, an ADAM instance is also created locally, [Link] means that the initial data is a copy of an existing instance that includes all [Link], a replication agreement is set up so that all VDM Connection Servers in the group share the same configuration [Link] functionality is provided by ADAM, which uses the same replication technology as Active Directory.

VDM Messaging
This component provides the messaging router for communication between VDM Connection Server components and between VDM Agent and VDM Connection [Link] (JMS) API, which is used for messaging in VDM.

VDM Security Server
VDM Security Server is an instance type that is selected when VDM Connection Server [Link] [Link] 7 shows a VDM Security Server and shows the relationship with all other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:
- JMS: 4001
- AJP13: 8009
- HTTP: 80
- HTTPS: 443
- RDP: 3389
- SOAP: 80 or 443

Figure 7. VDM Component Diagram with Security Server
[Figure labels: Windows Client (browser, RDP Client, VDM Client); Linux and Mac Client (browser, VDM Secure GW Client, RDP Client); Thin Client (thin client operating system); VDM Security Server (VDM Secure GW Server); VDM Administrator; Admin Console; VDM Connection Server (VDM Secure GW Server, VDM Messaging, VDM Broker & Admin Server, VDM LDAP); VirtualCenter Server (VirtualCenter); Virtual Desktop VM (VDM Agent); protocols shown: HTTP(S), RDP, JMS, AJP13, SOAP]

For more information about VDM deployment within a DMZ, see VDM Connection Server DMZ Deployment.
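
The DMZ port requirements above can be checked mechanically. The following is an added example (not VMware code) that audits a constructed firewall rule list against the default ports listed on this page. The zone names, the `Rule` format, and the back-end flows (read from the protocol labels in Figure 7) are assumptions.

```python
"""Audit a constructed DMZ firewall rule set against the default VDM ports."""
from dataclasses import dataclass

# Default TCP ports as listed on this page.
PORTS = {"JMS": 4001, "AJP13": 8009, "HTTP": 80, "HTTPS": 443, "RDP": 3389}

# Zone names are hypothetical labels chosen for this example.
# (source, destination) -> TCP ports that should be allowed.
# external -> security_server is stated in the text (TCP 443 only).
# The two back-end entries are an assumption read from the Figure 7 labels:
# JMS and AJP13 toward the Connection Server, RDP toward the virtual desktops.
EXPECTED = {
    ("external", "security_server"): {PORTS["HTTPS"]},
    ("security_server", "connection_server"): {PORTS["JMS"], PORTS["AJP13"]},
    ("security_server", "virtual_desktop"): {PORTS["RDP"]},
}

# Stated in the text: Security Servers never communicate with Active Directory.
FORBIDDEN = {("security_server", "active_directory")}

# Any allow rule touching these zones crosses a DMZ boundary and is audited.
DMZ_EDGE = {"external", "security_server"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str = "allow"


def audit(rules):
    """Return findings as (kind, src, dst, port) tuples, in rule order,
    followed by any expected flows that no allow rule covers."""
    findings = []
    seen = set()
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot open a path
        pair = (r.src, r.dst)
        if pair in FORBIDDEN:
            findings.append(("forbidden-flow", r.src, r.dst, r.port))
        elif pair in EXPECTED:
            if r.port in EXPECTED[pair]:
                seen.add((r.src, r.dst, r.port))
            else:
                findings.append(("unexpected-port", r.src, r.dst, r.port))
        elif r.src in DMZ_EDGE or r.dst in DMZ_EDGE:
            # For example, RDP straight from the Internet to a desktop,
            # which would bypass the broker entirely.
            findings.append(("unexpected-flow", r.src, r.dst, r.port))
    for (src, dst), ports in EXPECTED.items():
        for port in sorted(ports):
            if (src, dst, port) not in seen:
                findings.append(("missing-allow", src, dst, port))
    return findings


# Constructed sample rule set (not taken from any real deployment).
SAMPLE_RULES = [
    Rule("external", "security_server", 443),
    Rule("external", "security_server", 80),          # HTTP is not required
    Rule("external", "virtual_desktop", 3389),        # bypasses the broker
    Rule("security_server", "connection_server", 4001),
    Rule("security_server", "active_directory", 389), # LDAP from the DMZ
    Rule("security_server", "virtual_desktop", 3389),
    Rule("external", "connection_server", 443, action="deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(*finding)
```
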
Glossary
Active Directory
A Microsoft directory service that stores information about the network operating [Link] groups and enables administrators to set security policies, control resources, and deploy programs across an enterprise.

ADAM (Active Directory Application Mode)
An LDAP implementation based on Active Directory.

active session
[Link] established connection to a virtual desktop that has not timed out.

administrator user interface
The Web-based administrator user interface used to perform configuration and [Link].

agent
See VMware VDM Agent.

broker
[Link] [Link].

client
See VMware VDM Client.

connection broker
A server that allows connections between remote users and virtual desktops and [Link] [Link].

connection server
See VMware VDM Connection Server.

desktop
See virtual desktop.

desktop virtual machine
See virtual desktop.

desktop pool
A pool of virtual machines that an administrator designates for users or groups of [Link], non-persistent desktop pool.

DMZ (demilitarized zone)
A logical or physical subnetwork that connects internal servers to a larger, untrusted network (usually the Internet) and provides an additional layer of security and gives administrators more control over who can access network resources.

DNS (Domain Name System)
[Link] called Domain Name Server or Domain Name Service.

FQDN (fully qualified domain name)
The name of a host, [Link], [Link].

guest
See guest operating system.

guest operating system
An operating system that runs inside a virtual machine.

high availability
A system design approach that ensures a degree of operational continuity.

load balancing
A technique used for distributing processes across servers so that the traffic load is spread more evenly and servers do not become overloaded.

non-persistent desktop pool
[Link] log off or are timed out of a desktop, their desktops are returned to the pool and [Link] when using a non-persistent pool.

persistent desktop pool
[Link] [Link] can save data and files to their desktops when using a persistent pool.

RDP (remote desktop protocol)
A multichannel protocol that allows a user to connect to a computer remotely.

RSA SecurID
A product from RSA that provides strong two-factor authentication using a password and an authenticator.

security server
A VDM Connection Server deployment that adds a layer of security between the [Link] [Link] (demilitarized zone).

thin client
A device that allows a user to access virtual desktops but requires little memory or [Link], data, and CPU power resides on a network computer and not on the client device.

VMware VDM Agent
Installed on the guest, the VDM Agent enables communication between the desktop virtual machine, the VDM Connection Server, and end users who access virtual desktops by using VDM Web Access or VDM Clients.

VMware VDM Client
A Windows-based application used for accessing virtual desktops.

VMware VDM Connection Server
A connection broker that provides management and user authentication for virtual [Link] requests to the appropriate virtual desktop.

VMware VDM Web Access
[Link] supported Windows, Linux, or Macintosh operating systems can access virtual desktops by using VDM Web Access.

virtual desktop
[Link] indistinguishable from any other computer running the same operating system.

VMware Virtual Desktop Infrastructure
The VMware desktop infrastructure solution that consists of VMware ESX Server, VMware VirtualCenter, [Link] end-to-end virtual desktop solution that allows administrators to easily deploy and manage virtual desktop environments.

web access
See VMware VDM Web Access.