VMware Unified Access Gateway: Horizon Deployment

KB ID 0001605

Problem

With older versions of Horizon View, we simply deployed another Connection Server and called it a Security Server. The drawback of that is that it requires another Windows licence. You can now deploy VMware UAG (Unified Access Gateway) instead; think of it as a ‘Netscaler for VMware’. Like other VMware solutions it’s a small appliance built on VMware’s ‘Photon’ Linux.

Below is a typical deployment; it shows you the ports you will be required to open on your firewall to make this work.

You can deploy multiple UAGs and have them behind a load balancer, or point individual UAGs to separate Horizon Connection Servers. Here I’m simply deploying one internal Horizon Connection Server, and one VMware UAG in my DMZ.

Step 1: Deploy the UAG Appliance

I’ve covered deploying OVA files before, but essentially download the OVA, and within your vSphere client select Deploy OVF Template. Navigate to, and select, the OVA file you have downloaded from VMware > Next.

Select your Datacenter and optionally folder > Next.

Pick where you want to deploy the appliance (Cluster etc.) > Next.

Review your settings > Next.

I’m deploying into a DMZ so there will be no shortcutting the firewall! > Single NIC > Next.

Select the storage you want to deploy the appliance to > Next.

Confusingly, (as we have picked single NIC?) set them all to the correct port group > Next.

Specify the IP address > Scroll down.

Complete the DNS and IP settings > Give the appliance a name > scroll down.

Untick CEIP > Set the admin, (needed for the web front end), and root (needed for console login) passwords.

Select the edition to deploy (based on your licence) > Next.

Review the settings > Finish.

Step 2: UAG Pre Configuration Tasks

To allow users to access Horizon machines externally, you need to ensure you have granted Remote Access Rights in Horizon Administrator. Note: this is in addition to any Entitlements you have already set up for the machine pools.

Take a copy of the Thumbprint from the Horizon Connection Server you will be pointing the UAG at, and keep it handy; you will need it in a minute.
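If you would rather read the thumbprint over the network than open the certificate on the server, the following PowerShell snippet is an added example (not part of the original article). It connects to the Connection Server on 443, reads the certificate it presents and prints the SHA-1 thumbprint in the spaced `sha1=` form the UAG Horizon settings field expects; the server name is a placeholder.

```powershell
# Added example (not from the article). Reads the TLS certificate the Horizon
# Connection Server presents on 443 and prints its SHA-1 thumbprint in the
# "sha1=xx xx xx ..." form used in the UAG Horizon settings.
$ConnectionServer = 'horizon-cs.internal.example'   # placeholder, change me
$Port = 443

# Accept whatever certificate is offered: we are reading it, not trusting it.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}

$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $ConnectionServer, $Port
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList `
        $tcp.GetStream(), $false, $acceptAll
    $ssl.AuthenticateAsClient($ConnectionServer)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $ssl.RemoteCertificate
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# The thumbprint is the SHA-1 of the DER encoding; put a space after each byte.
$spaced = $cert.Thumbprint -replace '(..)(?!$)', '$1 '

New-Object PSObject -Property @{
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    NotAfter  = $cert.NotAfter
    UagFormat = "sha1=$spaced"
} | Format-List Subject, Issuer, NotAfter, UagFormat
```

Compare the UagFormat value with the thumbprint shown in the Connection Server’s own certificate store: the UAG pins on this value, so a mismatch means something other than the Connection Server is answering on 443.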

Optionally

If your UAGs are going into a DMZ there’s a chance that they won’t be able to resolve internal domain names (you can specify internal IP addresses, of course). I prefer to enter the names/FQDNs of my Connection Servers in the appliance’s hosts file so they can be resolved. Log into the console as root;

[box]

vi /etc/hosts

[/box]

If you’re unsure how to use vi (i.e. you don’t wear sandals or have a ginger ponytail): press I (insert), make your changes > press Esc > type :wq {Enter}.

Step 3: Configure UAG for Horizon

Connect to the UAG with a web browser (https://{ip-address}:9443) > Log in with the admin account > ‘Configure Manually’.

Optional: Add Certificate

If you have a publicly signed certificate, the easiest way to import it is with a PFX file and a password (use the search box above; I’ve covered creating PFX files many times). You need to go to Advanced Settings > TLS Server Certificate Settings > Select admin and internet interfaces (as required) > Browse to the PFX file and enter the password you set (for the PFX file!) > Save.

General Settings > Edge Service Settings > SHOW > Horizon Settings > Enable Horizon > Save.

Enter the URL of the internal Connection Server and the Thumbprint you took note of (above) > Enable PCoIP.

Set the external PCoIP URL to the external IP of the UAG (or load balancer if using one) and add :4172 to the end. Enable Blast > Set the public URL of the UAG (or load balancer if using one) and add :443 to the end. Enable Tunnel, and set the same URL again with :443 on the end. If you want to, open the ‘More options’ section and take a look at the optional settings, though I’m leaving everything else on the default settings > Save.

Have a cup of coffee and refresh the page a few times > Log off and back on again, and hopefully all the options should ‘go green’. If not, check the firewall ports, and make sure the UAG can resolve the name of the Connection Server.

Over in Horizon Administrator > Select each internal Connection Server and remove ‘Secure Tunnel’ and ‘PCoIP Secure Gateway’, and select ‘Do not use Blast Secure Gateway’ > OK.

You can register the UAGs in the Gateway section, but you won’t see anything change until they have been used ‘in anger’.

You can now test externally by trying to connect with a Horizon Client.

Related Articles, References, Credits, or External Links

NA

Mapping Printers based on Computer OU (via Script)

KB ID 0000645 

Problem

Location-based printing has long been a pain. In the past I’ve tackled it with Group Policy Preferences, and I’ve even gone ‘old school’ and mapped printers with con2prt.

A few months ago I put in a new network at a school; they were using a VBS script to deploy all their classroom printers, and I had a quick (unsuccessful) attempt to do the same. But time was against me and I used GPP and location variables to solve the problem.

I did however take a copy of the script to have a play with, so yesterday while it was quiet I dropped a copy on the test network, and failed again! So I trawled round the internet and cobbled together a new script which works the way I wanted.

Note: Please do not email me and ask “Can you change the scripts to do xyz” you probably know as much about vbs as I do!

Solution

Requirements

1. I want the script to run and map the printers based on the OU that the computer is in. In this example I’ve only got two OUs, but in a live environment you might want all the computers in the maths classroom to get the black and white laser printer in that classroom as the default printer, and also be connected to the colour printer in the same room.

2. On my test network I’ve only got two printers, an HP 4600 Colour Laser and an HP 3055 multifunction printer, so to illustrate how the script works I’ll map both printers to the computers in both OUs, but I’ll change the default printer for OU1 and OU2. Both these printers are already set up and installed on my server.

Note: You may need to add both 64-bit and 32-bit drivers to your printers if you have a mix of client operating systems, as the clients download the driver from the server.

Script to Map Printers Based on OU

3. This script will remove any mapped network printers (Note: local printers are NOT removed). It will then connect the printers you require for each OU. Lastly it will set the default printer.

Note: You need to connect the printer before you can set it as default.

[box]

'=========================================================================
' MAP PRINTERS BASED ON OU
'
' AUTHOR:  PeteLong
' COMPANY: www.petenetlive.com
' DATE:    03/08/12
'=========================================================================
' Read this computer's distinguished name from Active Directory,
' e.g. CN=PC01,OU=OU1,DC=petenetlive,DC=com
Set objSysInfo = CreateObject("ADSystemInfo")
strName = objSysInfo.ComputerName

' The second comma-separated element is the OU the computer sits in;
' split it on "=" to get just the OU name (OU1, OU2, ...)
arrComputerName = Split(strName, ",")
arrOU = Split(arrComputerName(1), "=")
strComputerOU = arrOU(1)

Set objNetwork = CreateObject("WScript.Network")

'=========================================================================
'STEP 1 - Remove any NETWORK printers (NOT Local Printers)
'=========================================================================

' EnumPrinterConnections returns port/name pairs, hence the Step 2.
' Network printer names begin with \\ so local printers are left alone.
Set Printers = objNetwork.EnumPrinterConnections

For i = 0 To Printers.Count - 1 Step 2
    If Left(UCase(Printers.Item(i+1)), 2) = "\\" Then
        objNetwork.RemovePrinterConnection Printers.Item(i+1)
    End If
Next

'=========================================================================
'STEP 2 - Connect Printers based on COMPUTER OU membership
'=========================================================================

' Connect the printers first, then set the default (it must already exist)
Select Case strComputerOU
    Case "OU1"
        objNetwork.AddWindowsPrinterConnection "\\PNL-DC\3055"
        objNetwork.AddWindowsPrinterConnection "\\PNL-DC\4600"
        objNetwork.SetDefaultPrinter "\\PNL-DC\4600"
    Case "OU2"
        objNetwork.AddWindowsPrinterConnection "\\PNL-DC\3055"
        objNetwork.AddWindowsPrinterConnection "\\PNL-DC\4600"
        objNetwork.SetDefaultPrinter "\\PNL-DC\3055"
End Select

[/box]

What you would need to change

Simply change PNL-DC to the name of your print server, then add your own OUs and printers: add a new ‘Case’ for each OU you require.
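As an added example (not the article’s script, and not from the author), here is the same idea in PowerShell with one generalisation: it walks the computer’s whole OU chain, so a computer in a nested OU picks up the mapping of the closest OU that has one. It assumes Windows 8 / Server 2012 or later for Add-Printer and Get-Printer, and the server and share names are placeholders.

```powershell
# Added example (not from the article): OU-based printer mapping in PowerShell.
# Runs as a user logon script on a domain-joined Windows 8 / 2012 or later client.

# Printers per OU; the first entry becomes the default. Hypothetical names.
$PrinterMap = @{
    'OU1' = @('\\PNL-DC\4600', '\\PNL-DC\3055')
    'OU2' = @('\\PNL-DC\3055', '\\PNL-DC\4600')
}

# ADSystemInfo does not expose its properties to PowerShell directly,
# so read ComputerName (the computer's DN) through InvokeMember.
$adsi = New-Object -ComObject ADSystemInfo
$dn = $adsi.GetType().InvokeMember('ComputerName', 'GetProperty', $null, $adsi, $null)

# Split the DN on unescaped commas and collect the OU= values, nearest first,
# e.g. CN=PC01,OU=Room12,OU=OU1,DC=petenetlive,DC=com -> Room12, OU1
$ous = ($dn -split '(?<!\\),') |
    Where-Object { $_ -like 'OU=*' } |
    ForEach-Object { ($_ -replace '^OU=', '') -replace '\\(.)', '$1' }

# The closest OU that appears in the map wins (nested OUs inherit).
$match = $ous | Where-Object { $PrinterMap.ContainsKey($_) } | Select-Object -First 1
if (-not $match) {
    Write-Warning "No printer mapping for $dn; leaving printers unchanged."
    return
}

# Step 1: remove existing network connections only; local printers stay.
Get-Printer | Where-Object { $_.Type -eq 'Connection' } | Remove-Printer

# Step 2: connect the printers for the matched OU, then set the default
# (the default must be connected first, as in the VBS version).
foreach ($printer in $PrinterMap[$match]) {
    Add-Printer -ConnectionName $printer
}
$net = New-Object -ComObject WScript.Network
$net.SetDefaultPrinter($PrinterMap[$match][0])
```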

4. I’m deploying this script as a USER logon script, though if you wanted you could also use a COMPUTER startup script.

What computers in OU1 would see

What computers in OU2 would see

Related Articles, References, Credits, or External Links

NA

SCCM OSD Capture a Windows 7 Reference Machine

KB ID 0000302 

Problem

You have a reference machine (physical or virtual), and you want to capture an image of that machine into your System Center Configuration Manager 2007 infrastructure, so you can then deploy that image to multiple machines.

Solution

Prerequisites

1. SCCM needs to be installed and configured.

2. Download the Task and Registry File in Zip Format (edit the .reg file with Notepad to enter the correct administrator password; see below).

3. Create a SHARE on your network to hold the images and files, and grant full control to your sccadmin user.

4. Windows and application media that is either “Volume Licensed” or “Multiple Activation Licensed”.

5. Your Windows 7 reference machine needs the local Administrator account enabled, and the local Administrator’s password changed to match the password in the registry file you downloaded above (in the example below, Password123).

[box]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultPassword"="Password123"

[/box]

Step 1: SCCM Put your Reference Machine into a Collection

1. Open the SCCM Manager > Expand Site Database > Computer Management > Collections > Right Click > New Collection > Call It “Image Reference Machine” > Next.

2. Next > Click the small computer icon to add a rule > Next > Change the Resource Class to “System Resource” > Change the attribute name to “Name” > Enter the reference machine’s name.

3. Supply the “All systems” Collection > Next.

4. Select your Reference Machine > Next.

5. Set the schedule so it occurs 5 minutes in the future > OK > Next > Next > Finish.

6. When finished you should have your Reference Machine in the Collection.

Step 2: SCCM Create an “AutoLogon Package”

1. Open the SCCM Manager > Expand Site Database > Computer Management > Software Distribution > Right Click > New > Package > Call it AutoLogon > Next.

2. Tick “This Task contains source files” > Put in the path to the share containing the AutoLogon.reg file > Next.

3. Next > Next > Next > Next > Next > Close.

4. Expand Your AutoLogon Package > Programs > Right Click > New > Program > Call it “AutoLogon” > In the Command Line Section enter reg import “AutoLogon.reg” > Next.

5. Next > In the Environment section change “Program Can Run” to “Whether or not a User is Logged on” > Tick “Run with Administrative rights” > Tick “Runs with UNC Name” > Next.

6. Next > Next > Next > Next > Close.

7. Expand your AutoLogon Package > Distribution Points > Right Click > New Distribution Point > Next > Tick the Server > Next > Close.

8. Extract the AutoLogon.reg file to the location you specified in number 2 above.

Step 3: SCCM Import the “Windows 7 Import Task”

1. Extract the Windows7_Capture_Task.xml file to the Desktop.

2. Launch the SCCM Manager > Expand > Site Database > Computer Management > Operating System Deployment > Task Sequences > Right Click > Import > Select the Windows7_Capture_Task.xml from your desktop.

3. You will be asked if you want to edit the Task; select Yes > Under “Autologin Via Registry” select the Package you created in Step 2 above.

4. In the Capture The Reference Machine section > Set the network share you want to save the image in > Set an account (Note: use DOMAINNAME\username); that account MUST have permissions to the network share > Apply > OK.

5. Right Click the Task you have just imported > Properties > Advanced > Tick “Use Boot Image” > Select either the x86 or x64 (to match your reference machine) > Apply > OK.

6. Right Click the Task you have just imported > Advertise > Under Collection Set your “Reference Image Machine” > Next.

7. Next > Next > Next > Next > Close.

Step 6: SCCM Send the Boot Media to Distribution

1. Launch the SCCM Manager > Expand > Site Database > Computer Management > Operating System Deployment > Boot Images > Boot Image (x86) > Distribution Points > Right Click > New Distribution Points > Next.

2. Select the Server share > Next.

3. Check the settings > Next.

4. Repeat the above for the Boot Image (x64).

Step 7: SCCM Create Task Sequence Media

1. Right click the Task you have created > Create Task Sequence Media.

2. Capture Media > Next.

3. Save the ISO image to the network share you created earlier.

Step 8: SCCM Perform the Capture

1. Boot Your Windows 7 Reference Machine > Start > Control Panel > Run Advertised Programs > Select “Windows 7 Capture Task” (If it’s not there, reboot and apply the cup of coffee rule) > Run > Yes.

2. The machine will reboot, then “Prepare ConfigMgr Client.”

3. Then it will run sysprep.

4. Then it will reboot again, and SCCM will launch.

5. The Machine will start to capture.

6. Capturing can take a LONG time!

7. When finished the machine will reboot and (because it’s been sysprepped) will rebuild itself.

8. Your image file will be in the network share you defined in step xx above, with the name you specified in step xx above.

Related Articles, References, Credits, or External Links

Install SCCM 2007 on Windows Server 2008 R2 – Step by Step

SCCM 2007 Initial Setup and Configuration

Exchange 2010 (c/w SP1) Install – Greenfield Site

(Installing on Server 2008 R2)

KB ID 0000416

Problem

Microsoft have not only slipstreamed the service pack into the install media, they have (finally!) got the install routine to put in all the usual prerequisites, roles and features that you had to do yourself before (with the exception of the Microsoft 2010 Filter Pack, but even then you can do that after the install).

The procedure below was done on a single server in a test environment to demonstrate the simplified procedure; it IS NOT good practice to install Exchange (any version) on a domain controller.

Solution

Before Site Visit

1. Have your install media downloaded and ready to go (make sure you also have the unlock codes for Exchange, or you will have 119 days to licence it post install).

2. Does your current antivirus solution support Exchange 2010? Do you need an upgrade?

3. Does your current backup software support Exchange 2010? Do you need to purchase extra remote agents or updates?

Before Deploying Exchange 2010

1. Depending on what documentation you read, some say that the global catalog server(s) in the current site need to be at least Server 2003 SP2; other documentation says the schema master needs to be at least Server 2003 SP2. Let’s hedge our bets and make sure that ALL the domain controllers are at least Server 2003 SP2 🙂

2. Your domain and forest functional levels need to be at Windows Server 2003.

3. Don’t forget: your server needs to be x64 (the video below was shot on a Server 2008 R2 server).

4. Make sure both the server you are installing on and the Windows domain are happy (get into the event viewers of your servers and have a good spring clean before deploying Exchange 2010).

5. Install the Office 2010 Filter Pack, and the Office 2010 Filter Pack Service Pack 1.

6. Install the roles required with the following PowerShell commands;

[box]

Import-Module ServerManager

[/box]

For Client Access, Hub Transport, and the Mailbox roles issue the following command;

[box]

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart

[/box]

For Client Access and Hub Transport server roles issue the following command;

[box]

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart

[/box]

For only the Mailbox role issue the following command;

[box]

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart

[/box]

For only the Unified Messaging role issue the following command;

[box]

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience -Restart

[/box]

For only the Edge Transport role issue the following command;

[box]

Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart

[/box]

7. Set the Net.Tcp Port Sharing Service to Automatic startup by running the following command;

[box]Set-Service NetTcpPortSharing -StartupType Automatic[/box]
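As an added example (not part of the original article), the following PowerShell script checks items 1 to 3 and 5 to 7 of the list above in one pass, so you can see what is still outstanding before running the Exchange installer. It assumes an elevated PowerShell on the prospective Exchange server with the ActiveDirectory (RSAT-ADDS) and ServerManager modules available.

```powershell
# Added example (not from the article): pre-flight checks for Exchange 2010 SP1.
Import-Module ActiveDirectory
Import-Module ServerManager

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# 1. Every domain controller must be at least Windows Server 2003 SP2.
foreach ($dc in Get-ADDomainController -Filter *) {
    $os = "$($dc.OperatingSystem) $($dc.OperatingSystemServicePack)"
    $tooOld = ($os -match '2000') -or ($os -match '2003' -and $os -notmatch 'Service Pack 2')
    Add-Check "DC $($dc.Name) OS level" (-not $tooOld) $os
}

# 2. Domain and forest functional levels at Windows Server 2003 (not interim).
# In the ADDomainMode/ADForestMode enums Windows2003 is 2 and 2003 interim is 1.
$domainMode = (Get-ADDomain).DomainMode
$forestMode = (Get-ADForest).ForestMode
Add-Check 'Domain functional level' ([int]$domainMode -ge 2) "$domainMode"
Add-Check 'Forest functional level' ([int]$forestMode -ge 2) "$forestMode"

# 3. The server itself must be 64-bit.
$arch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
Add-Check 'Server is x64' ($arch -eq '64-bit') $arch

# 5. Office 2010 Filter Pack present (looked up under the Uninstall key).
$fp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
      Where-Object { $_.DisplayName -like '*Filter Pack*' } |
      Select-Object -ExpandProperty DisplayName
Add-Check 'Office 2010 Filter Pack' ([bool]$fp) ($fp -join '; ')

# 6. Features for Client Access, Hub Transport and Mailbox (the list from item 6).
$needed = 'NET-Framework','RSAT-ADDS','Web-Server','Web-Basic-Auth','Web-Windows-Auth',
          'Web-Metabase','Web-Net-Ext','Web-Lgcy-Mgmt-Console','WAS-Process-Model',
          'RSAT-Web-Server','Web-ISAPI-Ext','Web-Digest-Auth','Web-Dyn-Compression',
          'NET-HTTP-Activation','RPC-Over-HTTP-Proxy','Web-WMI'
$missing = Get-WindowsFeature $needed | Where-Object { -not $_.Installed } | ForEach-Object { $_.Name }
Add-Check 'Required Windows features' (-not $missing) ($missing -join ', ')

# 7. Net.Tcp Port Sharing Service set to Automatic startup.
$svc = Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'"
Add-Check 'NetTcpPortSharing startup' ($svc.StartMode -eq 'Auto') $svc.StartMode

$results | Format-Table Check, OK, Detail -AutoSize
```

Item 4 (a clean event log) is deliberately left to a human; the script only reports, it changes nothing.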

Exchange 2010 (c/w SP1) Install – Greenfield Site

The single best thing Microsoft has done with the SP1 install media, is to include this tick box.

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site)