VMware View

VMware Horizon Virtualization Pack for Skype for Business

Optimizing Skype for EUC Is the Only Way to Go

You can run Skype for Business inside Horizon 7 virtual desktops without negatively affecting the virtual infrastructure and overloading the network. During Skype audio and video calls, all media processing takes place on the Windows client machine, instead of in the virtual desktop,.

To learn more about the Horizon Virtualization Pack for Skype for Business, watch the following two videos (each 10 minutes long) that provide a technical overview of the technology and offer some insights to its performance-enhancing characteristics.

Technical Overview for the Horizon Virtualization Pack (Video Presentation)

The technical overview for the Horizon Virtualization pack video covers the following topics:

  • Challenges delivering Skype audio and video media
  • How it works
  • Key benefits and capabilities
  • Architecture
  • External accessibility
  • Installation steps
  • Supportability
  • Troubleshooting and configuration
  • Resources

Horizon with Skype for Business Testing (Video Results)

The Horizon with Skype for Business Testing video demonstrates VMware Horizon 7 with Skype for Business for audio and video call scenarios. The video provides a series of test cases that show the benefits of the Horizon Virtualization Pack for Skype for Business. The video offers both qualitative and quantitative test results that compare two Horizon 7 deployment scenarios that include and exclude the Virtualization Pack.

The difference does not seem significant at first, but the impact is more far-reaching when you consider performance when scaling beyond the resource consumption of two sessions. When sites try to scale EUC workloads based on Skype for Business, the importance of using the Virtualization Pack becomes paramount, as is evident from the details of this study.

The testing environment consisted of:

  • VMware Horizon 7.2
  • VMware Client 4.5
  • Skype for Business
    • Server: Office 365
    • Client: Office 2016 Pro Plus, 32-bit
  • Horizon 7 test lab
    • Located in Washington state
    • Two Windows 10 Enterprise 64-bit virtual desktops
  • Horizon 7 test clients
    • Located in North and South Florida
    • Two Windows 10 systems

The configuration scenarios for the point-to-point video-call testing included:

  • Test 1: The first test scenario was configured for a point-to-point video call using the VMware Real-Time Audio-Video (RTAV) feature included with Horizon 7. Although RTAV supports webcams and audio devices, it is not the most efficient means for delivering Skype due to the media hairpinning and transcoding method that this technology uses. However, RTAV does serve as sufficient fallback for times when the Virtualization Pack cannot be used.

Testing was staged with virtual desktops hosted in Washington, and the client endpoint devices across the U.S., 3,000 miles away in Florida. There was over 100 ms of network latency that separated the virtual desktops from the endpoints. This is a great example of why media hairpinning is very costly; the audio and video from the local endpoints was sent to the virtual desktops, exchanged among the Skype clients, transcoded as part of the remote delivery protocol, and then finally delivered to the endpoints coast-to-coast a second time.

  • Test 2: The second test scenario was configured for a point-to-point video call using the VMware Horizon Virtualization Pack for Skype for Business feature included with Horizon 7. The Virtualization Pack is the optimized, best approach for delivering Skype because the audio and video media is delivered directly to and from the client endpoint devices without transcoding, and is routed out-of-band to the remote delivery protocol.

Test 2 used the same hosting environment, client endpoint devices, and network conditions as the first test scenario. Because the Virtualization Pack was enabled for this configuration, the audio and video media exchanges were contained in the endpoints and never traversed across the country. A clearer, better user experience can be observed in the captured footage while substantially fewer EUC infrastructure resources were consumed when compared to the first test scenario.

Be sure to watch the video in its entirety for other data points and details, as well as another testing scenario using a single desktop session.

 

Summary

These two videos provide a technical overview of the Horizon Virtualization Pack for Skype for Business and demonstrate the performance-enhancing characteristics of the technology.

  • VMware Horizon Virtualization Pack for Skype for Business – Technical Overview
  • VMware Horizon and Skype for Business Demonstration

 

The post VMware Horizon Virtualization Pack for Skype for Business appeared first on VMware End-User Computing Blog.

Read more..

Using VMware Identity Manager to transform users between Active Directory domains..

I get a lot of questions about how to solve Single Sign-On (SSO) of users between two Active Directories without trust. Using the federation protocol SAML and VMware Identity Manager this is easy to achieve.

In my example we have two Domains, A and B. Users in Domain A wants to access resources in Domain B without being prompted for username or password.

Prerequisites

  • You need two VMware Identity Managers. One in each domain.
  • Federate the resource (a web server in my example) in Domain B to VMware Identity Manager in Domain B
  • A user object representing the user must exist in both Domains. One user attribute must be shared across the two domains. In my example I use the Email attribute. The attribute you choose must uniquely identify the user.

If your resource is a Windows application, VMware Horizon and the feature TrueSSO can be used to achieve SSO access for Domain A users into a Windows application running in Domain B.

Establish SAML based trust

First thing first, once the prerequisites are in place next step is to establish a trust between the two VMware Identity Managers. This trust is based on SAML and is much easier to establish than traditional Active Directory trust.

You establish trust by exchanging metadata.xml files between the two Identity Managers. In my example users from Domain A need to access resources in Domain B. So, VMware Identity Manager B must trust Identity Manager A as a third-party Identity Provider (idP).

On the VMware Identity Manager in Domain A navigate to Catalog – Settings – SAML Metadata. Right click on Identity Provider (idP) metadata and choose Copy link address.

Now navigate to the VMware Identity Manager in Domain B and add a third-party idP.

Give the new Identity Provider a name and paste the link to the idp.xml into the metadata field. Scroll down and click Save.

Once saved you&#rsquo;ll see all the settings being populated.

In my example, I&#rsquo;m relying on the Email attribute. Therefore, delete all the other Name ID Formats.

Next configure the user store where your users are in Domain B&#rsquo;s VMware Identity Manager and which network ranges this idP will serve.

You need to create an Authentication Method. I will use Password to login users in Domain A&#rsquo;s VMware Identity Manager. So I named the Authentication Method: domainA_PWD and password typically use SAML Context: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. But obviously here your settings must match your implementation.

Scroll down..

Right click on the SAML Metadata, Service Provider (SP) metadata link and choose Save link as…

Now you have downloaded a file called sp.xml.

Click Save

Still on the VMware Identity Manager in Domain B you need to add the new Authentication Method in your access policy. In my example I simply add it as the last one. In my case I will only support idP initiated flow. If you are planning on supporting SP-init flow you must think about the order of authentication (authN) methods.

In above picture, you can see I added domainA_PWD as the third authN method. (This name was given the authentication method in previous step.)

With these steps, we have now established a SAML based trust. Domain B&#rsquo;s VMware Identity Manager trusts SAML assertions from Domain A&#rsquo;s Identity Manager.

Configure Users

Next step is to make sure you have user objects in both domains sharing the same attribute.

I&#rsquo;m using the Email attribute as the unique User Identifier.

Above is a screenshot of my test user synced into VMware Identity Manager in Domain B.

And below is the user object in my Domain A&#rsquo;s VMware Identity Manager.

As you can see in my example most attributes are the same. But the only important attribute is the Email one. That must be identical in both Domain A and B.

Run a test

Let&#rsquo;s now run a test to verify the SAML trust works from A to B.

We need to create an application in Domain A&#rsquo;s VMware Identity Manager that represents the Identity Manager in Domain B.

In Domain A create a new SAML 2.0 based Web Application.

Paste the content of the sp.xml file you saved previously into the Meta-data XML field and click on Save.

Modify the Configuration to use Email instead of Username:

Name ID Format: Email address

Name ID Value: ${user.email}

Click Save.

Entitle your test user to the newly created application.

Login to VMware Identity Manager in Domain A as your test user.

Click on the application icon representing the VMware Identity Manager in Domain B.

SAML Assertion is generated..

..if all is correctly configured you should now have been Single Sign-On into the VMware Identity Manager in Domain B. Now all resources entitled to the test user in Domain B are possible to consume.

Below is a picture showing what we have configured and tested so far.

While the test was successful. This method is not ideal from an end-user experience perspective. Users have to login to one portal and then get SSO:d into another portal. Next users must launch the application. We can solve this by adding resources from Domain B straight into the portal in Domain A.

Adding remote resources in VMware Identity Manager portal

VMware Identity Manager have one very nice feature and that is that each resource has its own unique launch URL. This can be used in many ways. Customers are placing links that launches applications on their intranet pages and such.. But in this case, we will use it to provide a greater user experience.

First, we need to identify the unique application ID used in the VMware Identity Manager in Domain B.

In above picture, you can easily find the UUID. This is the key to the unique launch URL. For Web Applications, you can also find the unique launch URL under Configuration tab.

But for Horizon resources it is different.. Here you will have to build your own launch URL using the UUID.

The launch URL format is:https:///SAAS/API/1.0/GET/apps/launch/app/

So now when we know the unique launch URL let&#rsquo;s login to VMware Identity Manager in Domain A and manually create the representation of the resource.

Create a new SAML 2.0 SAML Web Application in Domain A&#rsquo;s VMware Identity Manager.

Configure the new Web Application:

  1. Copy the content of the sp.xml (same one as we used to create the icon for the full Domain B&#rsquo;s VMware Identity Manager) into the metadata field
  2. Name ID Format and Name ID Value should be Email (just the same as we did before)
  3. RelayState, enter the unique Launch URL of the application

Once saved, entitle the new application to your test user..

Now let&#rsquo;s test this new method..

Login to Domain A&#rsquo;s VMware Identity Manager as your test user.

Now launch the application pointing to the unique Launch URL. In my case Office 365 Portal.

SAML Assertion is generated..

..if the configuration is correct you should get straight into your federated application.

That concludes this blog post.. I hope you found it useful.

The post Using VMware Identity Manager to transform users between Active Directory domains.. appeared first on Horizon Tech Blog.

Read more..

Profiling Applications with VMware User Environment Manager, Part 1: Introduction to Application Profiler

With contributions from:

Jim Yanik, Senior Manager, End-User-Computing Technical Marketing, VMware

Pim Van De Vis, Product Engineer, User Environment Manager, Research & Development, VMware

Stephane Asselin, Lead Architect, App Volumes, VMware

Successful management of applications across physical, virtual, and cloud devices is becoming increasingly important. Whether your organization fits neatly in to one of those silos, or spans all three, the challenge is finding tools designed to work well for any one platform, and seamlessly across them all. VMware User Environment Manager is one of those tools. With a little savvy, you can provide a superior experience for your end users while simplifying profile management.

Introduction

Personalization, or management of user-specific application settings, is one of many features included with VMware User Environment Manager. This feature enables end users to roam between disparate devices, while preserving custom application settings. IT benefits from simplified application installations, while delivering necessary configuration settings based on any number of environmental conditions.

If you are new to User Environment Manager, I encourage you to visit the VMware User Environment Manager Product Page for an overview, and the VMware User Environment Manager video series on YouTube for more detail. You will learn about a variety of features and benefits such as dynamic policy configuration across physical, virtual, and cloud desktops. An overview of User Environment Manager is outside the scope of this blog post, but there is a fundamental concept which is sometimes overlooked or misunderstood. VMware User Environment Manager takes a whitelist approach to managing the user profile. Given this design approach, IT must specify which applications and settings will be managed. Although it does mean a little more work up front, this solution prevents excessive profile growth and profile corruption, enables user settings to roam across Windows versions, and provides IT granular control to manage as much or as little of the user experience as needed.

Preserving user-specific application settings and applying or enforcing specific default application settings are key features of User Environment Manager. Both of these concepts are illustrated in a recent blog post titled VMware User Environment Manager, Part 2: Complementing Mandatory Profiles with VMware User Environment Manager which demonstrates the power and flexibility of combining User Environment Manager with Microsoft Mandatory Profiles. VMware provides application management templates for commonly-used software packages, and the VMware User Environment Manager Community Forum contains many more templates created with an included tool called Application Profiler.

Application Profiler is a standalone tool that helps you determine where in the file system or registry an application is storing its user settings. The output from Application Profiler is a configuration file which can be used to preserve and roam application settings for your end users. Optionally, you can record a default set of application settings, and apply and/or enforce these defaults for your users based on a variety of conditions.

For more information or to get started with the Application Profiler tool, see the VMware User Environment Manager Application Profiler Administration Guide.

The Pareto Principle

The Pareto Principle, commonly referred to as the 80/20 rule, states that 80% of the effects come from 20% of the causes. I have been using application management software in some form or another for nearly two decades. In that time, I have found the Pareto Principle to be particularly applicable in that a small number of applications tend to cause the vast majority of challenges for IT.

While the Application Profiler tool is easy to use, and most applications can be profiled with little more effort than a simple installation, there are exceptions. The aforementioned Community Forum is a great place to look when you are having trouble profiling an application, but what if you cannot find the particular application template you need?

Know Thine App

A friend once gave me a t-shirt with this expression on it. Over the years, I have found it to be invaluable advice, though it is sometimes easier said than done.

Because Windows is an open platform, application developers have a great deal of flexibility in the way applications they design behave. While guidelines and best practices have been established over the years, we still occasionally find and application which writes a log file to C:Temp!

Understanding the behavior of an application, not just during installation, but as the application is opened, modified, updated, and so on, is critical to successfully managing the application lifecycle. There are a number of tools available, such as the Sysinternals Suite, to help you understand how an application behaves. These are powerful tools, but as you can see they are plentiful, and can be time-consuming and cumbersome to use.

The VMware User Environment Manager Application Profiler tool is purpose-built to help you easily understand how an application behaves. With real-time application analysis capabilities, Application Profiler automatically generates configuration files which enable application management.

What to Expect from This Blog Series

The purpose of this blog series is to enable you, the IT Administrator, to successfully profile and manage any applications you choose. In each subsequent blog post we will explore a new application.

Going back to the Pareto Principle, most applications are simple to profile using the steps detailed in the VMware User Environment Manager Application Profiler Administration Guide. Because of this, applications known to require some troubleshooting will be chosen for this series. You will get a chance to see the symptoms of applications that do not initially profile correctly, and the process used to resolve the problem. You can then take these practices and apply them to applications in your environment.

This series is designed for a User Environment Manager administrator with at least a basic understanding of the Application Profiler tool. If you are new to Application Profiler, review the guide listed previously before continuing to the rest of the series.

Summary

Managing applications with User Environment Manager improves the experience for end users and simplifies application lifecycle management for IT. Profiling applications is a simple process, and most applications will work out of the box. For problematic applications, you can find configuration templates on the Community Forum. If you cannot find what you are looking for, the skills you learn in this blog series should help you to create your own templates. Have you already created a configuration template? Be sure to share!

The post Profiling Applications with VMware User Environment Manager, Part 1: Introduction to Application Profiler appeared first on VMware End-User Computing Blog.

Read more..

Automating VMware Horizon 7 with VMware PowerCLI 6.5

With VMware PowerCLI 6.5 Release 1, the automation of VMware Horizon 7 matures and we get integrated PowerShell support for the View component of Horizon 7 built into VMware PowerCLI. We have a proper Horizon 7 module that is distributed and ships with the core VMware PowerCLI installation.

For information about all the new features of VMware PowerCLI 6.5 R1, see the New Release: PowerCLI 6.5 R1 blog post.

So, what do we get with the release of the new VMware PowerCLI Horizon 7 module? We actually get three things: the Horizon 7 module itself, access to the View API with online documentation, and a set of advanced functions released on GitHub.

VMware PowerCLI – Horizon 7 Module

Even though the Horizon 7 module contains only two cmdlets, they are extremely useful. These cmdlets allow you to connect and disconnect from the View API service. Importantly, this functionality provides a convenient way to access the full View API and the capabilities normally only available through the Horizon Administrator console.

Unlike previous VMware PowerCLI for Horizon 7 implementations, you can now connect and run VMware PowerCLI scripts for Horizon 7 from remote workstations or servers, such as an administrator&#rsquo;s desktop, using different credentials. You can also easily build federated scripts across VMware assets. For example, you can write a script to get a list of datastores from a vCenter Server inventory and use that information to select the best datastores on which to create a pool.

View API

To accompany the new VMware PowerCLI module, VMware is happy to announce the release of public View API Reference Documentation for Horizon 7 and access to the full public View API. The View API is a web service and is available from any Horizon Connection Server within a Horizon Pod. The View API is used by the Horizon Administrator console for configuration, administration, and monitoring, so we are now exposing programmatic access to all the functionality available in the console.

To make exploring the data objects and methods of interacting with them easier, VMware has created a new Developer Center online API Explorer, a unified interface for all API documentation across the VMware stack.

Advanced Functions

To get you started quickly, the Horizon 7 team has put together a set of functions that cover common operations. These functions allow you to easily interact with pools, farms, and desktops without having to write scripts from scratch. Be sure to visit the VMware PowerCLI Community Repository site on GitHub periodically to get new functions and consider contributing your own.

Installation

Install VMware PowerCLI

  1. Download the VMware PowerCLI 6.5 R1 installer and run the installation wizard.
  2. As part of the installation, you are prompted to change the ExecutionPolicy of PowerShell.
  3. Launch PowerShell (run as Administrator), and run the following command.
Set-ExecutionPolicy RemoteSigned

Install Advanced Functions

  1. Go to the GitHub repository page at https://github.com/vmware/PowerCLI-Example-Scripts.
  2. Click the green Clone or download button and then click Download ZIP.
  3. Extract the zip file and copy the advanced functions Hv.Helper folder to a modules directory.
  4. Check your PowerShell $env:PSModulePath variable to see which directories are in use:
    • User specific: %UserProfile%DocumentsWindowsPowerShellModules
    • System wide: C:Program FilesWindowsPowerShellModules
  5. Unblock the advanced functions to allow them to be executed.
    • In a PowerShell prompt (as Administrator), run the following command, tailoring the path to where you copied the VMware.Hv.Helperfolder:
dir &#lsquo;C:Program FilesWindowsPowerShellModulesVMware.HvHelper&#rsquo; | Unblock-File

Locate documentation

  • Bookmark the View API Reference Documentation.
  • Bookmark the VMware PowerCLI Cmdlets Reference.

Getting Started

Launching PowerShell by using the VMware PowerCLI shortcut created during installation loads all the VMware modules, including the one for Horizon 7. If you use a normal PowerShell shortcut you have to load the modules as part of your script.

You can import all of the VMware modules or just the Horizon 7 module, though you need the Core module too if you plan on interacting with VMware vSphere. To load all the modules, use the following command:

Get-Module -ListAvailable VMware* | Import-Module

To load only the Horizon 7 module or the Horizon 7 module and the Core module, use one or both of the following commands:

Import-Module VMware.VimAutomation.HorizonViewImport-Module VMware.VimAutomation.Core

You can now connect to the Horizon Connection Server and the View API using your credentials:

Connect-HVServer -server horizon1.mydomain.com

In this example, horizon1.mydomain.com is one of the Horizon Connection Servers.

You are prompted for credentials, but you could alternatively include your credentials in the command.

Connect-HVServer -server horizon1.mydomain.com -user demoadmin -password mypassword -domain mydomain

A global variable called DefaultHVServers is created, which stores information about connections to the Horizon Connection Servers. You can access this variable with $Global:DefaultHVServers.

All the interesting stuff is really under ExtensionData. To make working with this property a bit easier we will assign it to a variable $Services1 and take a look.

$Services1=$Global:DefaultHVServers.ExtensionData$Services1

Looking at the View API reference documentation you will start to recognize some of these entries. The ExtensionData property (and now the $Services1 variable) holds access to the entire View API.

Examples

Let&#rsquo;s run a couple of commands and start to explore how we can use the VMware PowerCLI. Remember we have access to the full View API!

First, let&#rsquo;s use a simple View API command and get a list of all the Horizon Connection Servers in the pod. The commands in the following example use the View API service ConnectionServer and method ConnectionServer_List and assign the results to variable $hvServers1. For more information about this service, see the View API reference documentation.

$hvServers1 = $Services1.ConnectionServer.ConnectionServer_List()$hvServers1.General

Next, let&#rsquo;s use one of the advanced functions to get a list of desktops, depending on the state of the Horizon Agent. This listing is useful for understanding the state of the desktops, including whether they are in use, available for new user connections, or in an error state.

The following command returns a list of the desktops which have users logged in but the user is currently disconnected from the desktop:

$DisconnectedVMs = Get-HVMachineSummary -State DISCONNECTED$DisconnectedVMs | Out-GridView

For a complete list of possible states, check out the View API documentation on baseState.

It would be useful to get a list of problem VMs with agent states that include the following:

PROVISIONING_ERROR, ERROR, AGENT_UNREACHABLE, AGENT_ERR_STARTUP_IN_PROGRESS, AGENT_ERR_DISABLED, AGENT_ERR_INVALID_IP, AGENT_ERR_NEED_REBOOT, AGENT_ERR_PROTOCOL_FAILURE, AGENT_ERR_DOMAIN_FAILURE, AGENT_CONFIG_ERROR, UNKNOWN

You can modify the command used above to return a list of desktops with one of these states by replacing the state to check for. For example:

$ProblemVMs = Get-HVMachineSummary -State AGENT_UNREACHABLE

You can take this further and use a script to list desktops with the Horizon Agent in a number of different problem states. You could then carry out tasks to remediate the problems. The following sample script gets all the problem desktops by querying the View API using this advanced function. The script then uses a vSphere command to reboot the problem VMs.

In the script, replace the values for the variables to indicate your Horizon Connection Server, user name, and so on.

Also, consider adding a -WhatIf parameter to the Restart-VMGuest command. A -WhatIf parameter shows you the outcome without actually executing the command.

##################################################################### Get List of Desktops that have Horizon Agent in problem states.# Reboot the OS of each these.#####################################################################region variables#################################################################### Variables ####################################################################$cs = 'horizon1.mydomain.com' #Horizon Connection Server$csUser= 'demoadmin' #User account to connect to Connection Server$csPassword = 'mypassword' #Password for user to connect to Connection Server$csDomain = 'mydomain' #Domain for user to connect to Connection Server$vc = 'vcenter1.mydomain.com' #vCenter Server$vcUser = 'al' #User account to connect to vCenter Server$vcPassword = 'mypassword' #Password for user to connect to vCenter Server$baseStates = @('PROVISIONING_ERROR', 'ERROR', 'AGENT_UNREACHABLE', 'AGENT_ERR_STARTUP_IN_PROGRESS', 'AGENT_ERR_DISABLED', 'AGENT_ERR_INVALID_IP', 'AGENT_ERR_NEED_REBOOT', 'AGENT_ERR_PROTOCOL_FAILURE', 'AGENT_ERR_DOMAIN_FAILURE', 'AGENT_CONFIG_ERROR', 'UNKNOWN')#endregion variables#region initialize#################################################################### Initialize ##################################################################### --- Import the PowerCLI Modules required ---Import-Module VMware.VimAutomation.HorizonViewImport-Module VMware.VimAutomation.Core# --- Connect to Horizon Connection Server API Service ---$hvServer1 = Connect-HVServer -Server $cs -User $csUser -Password $csPassword -Domain $csDomain# --- Get Services for interacting with the View API Service ---$Services1= $hvServer1.ExtensionData# --- Connect to the vCenter Server ---Connect-VIServer -Server $vc -User $vcUser -Password $vcPassword#endregion initialize#region main#################################################################### Main ####################################################################Write-Output ""if ($Services1) { foreach ($baseState in $baseStates) { # --- Get a list of VMs in this state --- $ProblemVMs = Get-HVMachineSummary -State $baseState foreach ($ProblemVM in $ProblemVMs) { $VM = Get-VM -Name $ProblemVM.Base.Name # --- Reboot each of the Problem VMs --- Restart-VMGuest -VM $VM # Add -WhatIf to see what would happen without actually carrying out the action. } } Write-Output "", "Disconnect from Connection Server." Disconnect-HVServer -Server $cs} else { Write-Output "", "Failed to login in to Connection Server." pause }# --- Disconnect from the vCenter Server ---Write-Output "", "Disconnect from vCenter Server."Disconnect-VIServer -Server $vc#endregion main

Summary

These have been fairly simple examples, but these and the installation instructions should be enough to get you going. These examples only scratched the surface of what is possible. Now that you are armed with the new PowerCLI module for Horizon, access to the View API, the documentation, and the advanced functions, you can start to explore new ways of automating your Horizon 7 environment.

Let us know how you get on, what use cases and problems you solve, and be sure to feed your scripts back into the community for others to benefit from.

The post Automating VMware Horizon 7 with VMware PowerCLI 6.5 appeared first on VMware End-User Computing Blog.

Read more..

Automating VMware Horizon 7 with VMware PowerCLI 6.5

Read full post . . . or http://www.go-que.com/automating-vmware-horizon-7-with-vmware-powercli-6-5