VMware Horizon 6.2 Latest EUC Technical Videos

With the recent release of VMware Horizon 6.2, I’d like to share some excellent technical videos by my colleague Alex Birch. This release brings many new features (see the release notes), and I’ve shared these videos below. At VMworld 2015 in San Francisco, Jim Yanik and I also presented a session on Horizon 6.2 What’s New. You can check that out here: https://www.youtube.com/watch?v=SsbwpBKWc2c

RDS Host Load-Balancing

First up we have an overview of the new RDSH load-balancing capability. In prior versions of VMware Horizon, the current session count (and session limit) was the only metric used to decide where to place a new session. Horizon 6.2 provides enhanced RDSH load-balancing by using perfmon counters, and it also allows you to specify rules that control the number of instances of a particular application.

RDS Hosts with View Composer

Another cool feature is the ability to compose RDS hosts with View Composer. Yep, you heard that right! You can now provision your RDSH virtual machines with View Composer, giving you the benefits of managing a single RDS master image.

Access Point

If you are familiar with VMware Horizon environments then you will know that today we provide external access using the Security Server, which is installed on a Windows server and then placed in the DMZ, typically behind a load-balancer. Access Point is a hardened SLES 11 Linux virtual appliance that has feature parity with the Security Server. One of the huge benefits of this is that you can scale the number of Access Point appliances without any Connection Server pairing. Without the 1:1 pairing that the Security Server requires, you can scale independently, with the added advantage that it’s a Linux appliance in the DMZ and not a Windows server.

RDS File Type Association

Providing you are running the latest Horizon Client (3.5 or later), you will now benefit from file-type association for RDS published applications. It features secure SHA-256 encryption from the Horizon Client, and allows file types to be associated with RDS either automatically as applications are added, or manually by the administrator.

Essential Linux Skills with CentOS 7 – Secure Firewall with iptables

Following the theme for ELS (Essential Linux Skills) with CentOS 7 (see part 1), today I want to share what I consider to be the most important topic of the lot: firewalls. Securing your Linux host is, in my opinion, the first thing you should be doing before hosting any web services. In my last post, you learned all about systemd and hopefully are now comfortable with the switch from SysV init.

If you are responsible for building Linux hosts for web applications then this will be an especially important topic for you. The same applies if you want to master security with Linux. This might get a little technical, but hang in there.

RHEL (Red Hat Enterprise Linux) and CentOS 7 introduce firewalld, which is now installed by default instead of iptables. Another newcomer, but not yet loaded by default with CentOS 7, is nftables. What’s the difference? Well, firewalld is new to user-space, but it doesn’t replace iptables; it is a front end that still drives iptables underneath. Nftables will eventually replace iptables.

Confused? I don’t blame you, so let me explain the iptables architecture. It’s important to understand how iptables works in order to understand the changes that firewalld and nftables bring to the table (pun intended).

We’ll start with this basic architecture diagram for netfilter:

[Diagram: Linux Netfilter Stack]

[Read more…]

Essential Linux Skills with CentOS 7 – Managing Services with systemd

This is the first of two Essential Linux Skills for CentOS blogs (see part 2). For many years I’ve been used to using the service and chkconfig commands to manage services on RHEL (Red Hat Enterprise Linux) and CentOS. In fact I first got my hands on a Unix system back in 1993, then got my first ever job as a Unix admin in 1996. I learned about System V runlevels, and then became used to using /etc/init.d/<service> to manage services. It takes a while to shake bad old habits, but CentOS 7 now uses systemd as the default init system.

Init (short for initialization) was the first process to start and the last to stop on a SysV (System V Unix) Linux system, and that is where the concept of runlevels comes from. Each runlevel represents a state of the system: runlevel 0 is shutdown (halt), 3 is multi-user mode (in other words the system has now booted), and runlevel 5 runs the desktop environment if you use one (the X server starts and you have a desktop). Oh, and runlevel 6 restarts the system.

Why is this important? Well, whether you like it or not, having core Linux skills is essential in the IT world we live in. In fact just a few weeks ago I was presenting at VMworld in San Francisco on a VMware Horizon for Linux Virtual Desktops technical deep dive. I was approached after the session by a customer who has a project to deploy RHEL virtual desktops to hundreds of students in a college. He thanked me, as he had to go home the following week to configure some of those virtual desktops with direct pass-through to NVIDIA GRID graphics cards. The process of doing that requires installation of the driver at runlevel 3, but he had no idea what that meant despite it being a simple command (init 3). It also meant that he learned how to optimize RHEL by disabling unnecessary services that start at runlevel 3.

At VMware I see more and more customers deploying Linux desktops, but server workloads are also often running Linux (such as the server hosting this blog!), as are virtual appliances.

SysV is still present on CentOS 7, but you’ll not find much there. If you run the following command, you can see which services are enabled at boot (runlevel 3). [Read more…]

VMware Horizon 6.1.1 Network Ports Diagram

With the recent release of VMware Horizon 6.1.1 (June 2015) come many new features and changes. For 3 years now I’ve been maintaining a diagram detailing all of the network ports used by VMware Horizon (formerly View), and I am pleased to share the third version for the latest release. Many new components are present, such as Blast on Linux virtual desktops, the new JMS enhanced security mode (JMS SSL), App Volumes and RDS hosts, just to name a few.

I’ve also taken the opportunity to separate tunneled connections (e.g. PCoIP Secure Gateway or Blast Secure Gateway) at the top of the diagram from direct connections at the bottom.

The diagram is an A0 PDF (118.88cm x 84.1cm) which is simply huge! Feel free to print this out and use it as a wall poster :)

Download here

Key Firewall Considerations for VMware Horizon 6

Update: App Volumes was showing incorrectly in the DMZ; the diagram has now been updated to show App Volumes Manager in the LAN segment.

  • TCP/UDP 4173: PCoIP port used internally on RDS hosts (note the diagram needs updating, it still uses 4172 from the client) – See page 221 here
  • TCP 4002: JMS enhanced security mode (SSL)
  • TCP 5443: Blast protocol listening port for Linux virtual desktop direct connections. Requires Horizon Client 3.3 or higher.
  • TCP 8443: Blast protocol listening port for Linux virtual desktop connections via the Blast Secure Gateway. Requires Horizon Client 3.3 or higher.
  • TCP 8472: View interpod API (Cloud Pod Architecture)
  • TCP 22389: Global ADLDS (Cloud Pod Architecture)
  • HTTPS (443): Horizon Client access, authentication and RDP tunnel (HTTPS Secure Gateway)*
  • HTTPS (8443): Used for HTML Access. Note: HTML Access for Linux virtual desktops is not officially supported, although most browsers do work.
  • HTTPS (22443): HTML Access (Blast) to Windows virtual desktops
  • TCP 9427: Used by Windows multimedia redirection (MMR) and Client Drive Redirection (CDR)
  • TCP 32111: USB Redirection
  • ESP (IP protocol 50): Used for Security Server and Connection Server IPsec communication (requires Windows Firewall with Advanced Security to be enabled).
  • UDP 500: IPsec (IKE) negotiation for Security Server and Connection Server communication and pairing.

*I’d also like to point out that if you enable the HTTP(S) Secure Gateway, the MMR, CDR and USB redirection channels will be tunneled over HTTPS (443) rather than using their direct ports.

For a full list of network ports please refer to the latest Horizon 6 documentation: https://www.vmware.com/support/pubs/view_pubs.html

VCDX Study Plan – No Excuses! #VCDX

Starting my day as usual, I make a coffee and check Twitter to see what folks are up to. I notice some tweets about sacrifice, lack of sleep and the struggle to find time for VCDX study. This isn’t the first time I’ve heard this, and I want to deal with it head on. No more excuses!

No matter what our goal, it seems that the obstacles life throws in front of us simply get in our way. And you in particular have it worse than others, right? I mean, where the hell do these other people find the time?

Let’s take a look at some of the excuses I hear, then we’ll deal with each of them. By the way, keep the conversation going on Twitter! #VCDX

  1. I’m just too busy with the day job.
  2. I have kids!
  3. I don’t have a design to use / it’s out of date.
  4. I have blogging to do!
  5. I don’t have a mentor.
  6. My dog ate it.

[Read more…]

OnePlus One – The Worst Customer Service

I do not usually write blog posts of this nature, but as many of the readers of my blog are also into technology and gadgets, you may want to hear about the terrible customer service I have received from OnePlus. On February 2nd 2015 I ordered a OnePlus One 64GB Sandstone Black, which arrived the next day. I am extremely pleased with the phone itself, but in less than 2 weeks the charger stopped working. In my line of work I travel a lot and depend on my phone at the airport for my BA tickets, navigation, email and calendar, so it goes without saying that a charger is essential. [Read more…]