F5: Static Load Balancing (Ratios)

KB ID 0001700

Problem

In the previous post, we deployed a web load balanced solution with three web servers. Out of the box the BIG-IP solution will use Round Robin load balancing and it will treat all Nodes or Pool Members the same, (it assigns a RATIO OF 1).

Everything gets weighted the same, and the F5 will send requests to the Nodes or Pool members one at a time.

But what if one of those web servers was a beast of a machine, with much better CPU/RAM than all the others? How do you ensure that gets sent the ‘Lions share’ of the traffic?

Solution

Well you can simply alter the Ratio for that server, you can do that directly on the Node, or you can do it within the Pool on a Pool Member. (That’s why you can see 6 ratios in the examples I’ve posted).

What if I change the Ratios on Nodes AND Pool Members: You can do that, but the load balancing method uses one or the other. So they wont conflict.

So let’s say 10.2.0.11 is a brand new server and has ten times the processing power of the other two nodes like so;

Local Traffic > Nodes > Select the node in question > Change the Ratio accordingly > Update.

Nothing will happen until you change the load balancing method of the Pool. On the properties of the Pool, change the Load Balancing Method to Ratio (node) > Update.

If you reset the counters and wait a while, you can see now that the server is getting (more or less*) 10 times the amount of traffic.

*Note: The maths will never be perfect, and my web pages are all ‘very slightly’ different, which is amplified over time.

Changing F5 Pool Member Ratios

The process is similar, (if you are following along, you might want to change your Node value back to ‘1, not that it will affect anything, it’s just if you are like me you will forget!) So now let’s say we’ve got a new server and its 10.2.0.13, and we want to change the ratio on the Pool Member like so;

Open the Pool > Select the Node from here.

Change there ratio here > Update.

Now change the Load Balancing Method to Node (member) > Update  >Note: Here, ratios are shown on the Pool page.

Reset your counters, and wait a while, you will see the other server is now getting most of the traffic.

In large production environments, you will probably want to use Dynamic Load Balancing methods, so I’ll look at those next.

Related Articles, References, Credits, or External Links

NA

F5: Setup Basic Web Load Balancing

KB ID 0001698

Problem

In past articles I’ve got my F5 BIG IP appliance up and running, and I’ve built some web servers to test load balancing. Now to actually connect things together and start testing things. Below is my lab setup, I will be deploying simple web load balancing (Static: Round Robin) between three web servers, each serving a simple HTTP web site.

Test F5 to Web Server Connectivity

For obvious reasons the F5 needs to be able to speak to the web servers, so it needs to be on the same network/VLAN and have connectivity. To test that we can log onto the the F5 console directly, and ‘ping’ the web servers.

So connectivity is good, let’s make sure we can actually see the web content on those boxes, the best tool for that is to use curl, which will make a web request, and the wen server ‘should’ return some HTML.

[box]curl http://10.2.0.11[/box]

F5 BIG-IP Load Balancing Terminology

Yeah I said ‘load balancing‘ and not ADC sue me! There are a number of building blocks that F5 uses, and you need to understand the terminology to put things together, firstly lets look at things BEHIND the F5 appliance;

  • Node: An actual machine/appliance, (be that physical or virtual.) That provides some sort of service or a collections of services e.g. a web server, telnet server, FTP site etc.
  • Pool Member: Is a combination of a Node AND a Port/Service, e.g. 192.168.1.100:80 (IP address and TCP port 80 (or HTTP)).
  • Pool: A Logical collection on Pool Members, that provide the same service e.g a collection of pool members offering a website on TCP port 80.

F5 BIG-IP Adding Nodes

While connected to the web management portal > Local Traffic > Nodes > Create (Note: You can also press the green ‘add’ button on the Node pop-out on newer versions).

Specify a name > Description (optional) > IP address (or FQDN) > ‘Repeat‘ > Continue to add Nodes as required, then click ‘Finished‘.

F5 BIG-IP Adding Pools

Now we have our Nodes, We need to create a Pool. Local Traffic > Pools > Create, (again on newer versions theres a green add button on the pop-out).

Add a Name > Description (Optional) > Add an applicable Health Monitor (in our case http) > Select the ‘Node List’ radio button > Select your first Node > Set the Port/Service  > Add  > Continue to Add the remaining Nodes.

Note: Here is where you add the IPs to the Port/Service and create the Pool Members.

Sorry! Busy Screenshot

When all the Nodes are added > ‘Finished‘.

Your web pool ‘should‘ show healthy, Note: that does not mean ALL the nodes are online!

To make sure ‘all’ the Nodes are healthy > Go to the Members Tab.

F5 BIG-IP Virtual Servers

I’m not a fan of using this term ‘Virtual Server‘ I prefer Virtual IP (or VIP,) but we are where we are! Above we’ve looked at things BEHIND the F5, now we need to present those services IN FRONT of the F5 (Note: I don’t say publicly, because we deploy plenty of BIIG-IP solutions inside  networks). So a Virtual Server is the outside IP address or FQDN of that a ‘consumer’ will connect to;

Local Traffic > Virtual Servers > Create.

Supply a name > Description (optional)  > Destination Address (the ‘available outside’) IP address > Set the service/port > Scroll down to the bottom.

Set the ‘Default Pool’ to the pool you created (above) > ‘Finished‘.

For a brief overview or check what you have created  > Click Local Traffic > Network Map Note: This will look different on older versions of the F5.

Then test the service form the outside, here each web server serves a different colour page so I can test it’s working properly.

My Web Page Does Not Change? If you keep seeing the same colour/page then it’s probably because you chose browser is ‘caching’ web content on your test machine, you may need to disable caching on your chosen web browser, for an accurate test.

So that’s Static Round Robin (Equal Ratio) Based Load Balancing. In the next article I’ll look at how you can manipulate the ratios, to better serve your hardware, and requirements.

Related Articles, References, Credits, or External Links

NA

Cisco ASA AnyConnect VPN ‘Using CLI’

KB ID 0000943

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.

Also See Cisco ASA AnyConnect VPN ‘Using ASDM’

This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect.

Solution

1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.

Install and Use a TFTP Server

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [10.254.254.183]? 192.168.80.1

Source filename []?anyconnect-win-4.7.02036-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}

Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#

[/box]

2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.

[box]

Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

[/box]

3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.

[box]

Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1 
Petes-ASA(config-webvpn)# anyconnect enable

[/box]

4. I’m going to create a LOCAL username and password, I suggest you do the same, then once you have proved it’s working OK, you can. change the authentication method, (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.

[box]

Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

[/box]

5. Create a group policy, change the values to match your DNS server(s), and domain name accordingly.

[box]

Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com

[/box]

6. Create a matching tunnel-group that ties everything together.

[box]

Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

[/box]

7. Then stop any traffic that is going to, (or coming from) the remote clients from being NATTED.

[box]

Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

8. Save the changes.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

9. Give it a test from a remote client.

AnyConnect Commands to Copy and Paste

Simply change the values shown in red;

[box]

!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA AnyConnect VPN ‘Using ASDM’

AnyConnect: Allow ‘Local’ LAN Access

Cisco AnyConnect – Essentials / Premium Licences Explained

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authenticaiton (Cisco ASA)

RADIUS Authentication(Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

VMware Horizon Machines Stuck ‘Customizing’

KB ID 0001595

Problem

In all honesty there’s lots of reasons for this.

I’ll cover the ones that have tripped me up, if you find some new ones feel free to post them below.

Solutions

Before continuing, the image needs to have the Horizon Agent installing within it, and it has to be the SAME version that your Composer and Connection servers are running, (or newer). Also your Horizon servers are connecting to VMware vCenter using an account, (in a lot of cases that will be the domain administrator account, or an account you setup for this reason), make sure that account has global administrator properties in vSphere.

Also in your image install the LATEST version of VMWare Tools, Note: that might be NEWER than the one that you have on your ESX servers, download it and install it manually, (to do this uninstall the old VMWare Tools, then Uninstall the Horizon Agent, then Install the NEW VMWare Tools, then finally reinstall the Horizon Agent again. (Note: If using Horizon Composer, make sure you install the composer option!)

Horizon Inability to get a licence for your KMS Server.

Check this first;

[box]

slmgr /dli

[/box]

It goes without saying you need a network connection (to the right VLAN) before KMS will work. I’ve ran though KMS setup and troubleshooting here.

Horizon Sysprep Problems

For sysprep obviously you need to be deploying images with sysprep and NOT quick prep, if you are using sysprep check the error log, (if the error log is empty, then sysprep is not your problem).

Navigate to: C:\Windows\System32\Sysprep\Panther\setuperr.log

Sysprep Problem 1

Problem 0x0f0043 Failed DeleteInstance AntiSpywareProduct

[box]

Error      [0x0f0043] SYSPRP WinMain:The sysprep dialog box returned FALSE
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0
Error                 SYSPRP MRTGeneralize:107 - ERROR: Failed DeleteInstance AntiSpywareProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP MRTGeneralize:116 - ERROR: Failed DeleteInstance AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0
Error                 SYSPRP MRTGeneralize:107 - ERROR: Failed DeleteInstance AntiSpywareProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP MRTGeneralize:116 - ERROR: Failed DeleteInstance AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904

[/box]

Seen On Window Server 2016 and Windows 10: In your Source Image you need to remove Windows Defender, like so;

[box]

Uninstall-WindowsFeature Windows-Defender-Features

[/box]

Sysprep Problem 2

Problem 0x0f0073

[box]

Error      [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f
Error                 SYSPRP WinMain:Hit failure while processing sysprep re-specialize internal providers; hr = 0x8007001f
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0

[/box]

This is happening because the machine you are using as your image has been sysprepped too many times, you nee to make some changes on the reference image to reset/rearm it, so it can be sysprepped.

On your image machine  run regedit and navigate to;

HKLM > SYSTEM > Setup > Status > Sysprep Status

Ensure the following;

  • CleanupState is set to 2
  • GeneralizationState is set to 7

Open an administrative command window and execure the following commands;

[box]

msdtc -uninstall
msdtc -install

[/box]

Back in registry editor navigate to

HKLM > SOFTWARE > Microsoft > Windows NT > CurrentVersion > SoftwareProtectionPlatform

Set SkipRearm to 1

Try again.

Related Articles, References, Credits, or External Links

NA

Deploying VMware View 5 – Part 3: Creating a ‘Manual Pool’ and Connecting a View Client

KB ID 0000598

Problem

Note: This is an old post for VMware view version 5, you might want to read Deploying VMware Horizon View instead.

In Part 2 we got our machine ready to be delivered via VMware View. Now we need to create a ‘Pool’, grant users access to that pool, and finally connect to it from a VMware View Client.

Solution

VMware View – Creating a Manual Pool

1. Open a connection to your VMware View Administrator console (https://{connection-server-name}admin). Log in and navigate to Inventory > Pools > Add.

2. We are going to create a manual pool (Note: An automated pool will create machines dynamically as required).

3. I’m selecting dedicated (the machine will get allocated to the first user that connects to it, and remains theirs). With a floating Pool machines are returned to the pool after they are finished with to be given to the next user that requires a machine.

4. My machine is in vCenter.

5. And there’s my vCenter

6. Give the new pool a sensible name.

7. Change the settings for the pool as required, I pretty much accept the defaults, but I allow the users to “reset” their desktop.

8. Select the machine(s) you are going to add to the pool, and complete the wizard.

9. Now you have a new pool, you need to grant users/groups an ‘entitlement’ to use it.

10. Simply add in the users or groups from Active Directory as required.

VMware View – Installing the VMware View Client

11. You will find that there are x32 and x64 bit VMware client software installs. There are available in two flavours, (with local mode, or without local mode).

Note: Local Mode: This is a mechanism where users can ‘check out’ their virtual machines and work on them remotely, then ‘sync’ them back to the network when they return, it requires a VMware Transport Server (use the connection server install media and change the server type to Transport Server).

12. During setup it will ask you the name of your connection server.

13. Normally you would tick “Set default option to login as current user”. If not you will see the login option in step 16 below.

14. When you launch the software, you may want to change the certificate options. The Connection server will have installed with a ‘self signed’ certificate, (which is fine) but you might want to change the ‘Configure SSL” options.

15. Here I’ve set them to allow, it says not secure – but its still encrypted, it should really say ‘least secure’.

16. If you didn’t tick the box in step 13 above you will need to login again.

17. Now you will see all the pools you have an entitlement to, select as appropriate and click connect.

18. All being well the desktop will connect and dynamically resize to fit.

19. Whist connected you will can control your connection with the menu on the view client bar at the top of the screen, also here you will see options for connecting USB Devices (Note: USB will only be available if you had it selected when you installed the client, it IS selected by default).

Related Articles, References, Credits, or External Links

VMware View 5 – Part 4 Installing and Configuring SQL 2008 R2 and VMware Composer

Deploying VMware View 5 – Part 5 Deploying Linked Clone View Desktops

KB ID 0000607

Problem

Note: This is an old post for VMware view version 5, you might want to read Deploying VMware Horizon View instead.

It’s been a while since I wrote Part 4, so it’s time to wrap this up. Now we have Composer installed on the Virtual Center, we can start to deploy our linked clone desktops.

Solution

VMware View – Prepare your Source Machine

1. I’ve already covered how to prepare your Windows 7 client machine to be a View client here. Once that’s done, release its IP address (ipconfig /release) and shut it down.

2. With your source machine shut down, take a snapshot of the machine.

VMware View – Create an Automated Linked Clone Pool

3. Log into your VMware View Administrator console > Inventory > Pools > Add.

4. Automated > Next.

5. Dedicated > Next (unless you want a floating user assignment, the description of each is on this page).

6. View Composer linked clones > Next (ensure your vCenter is listed, and has “Yes” in the View Composer section).

7. Give the pool an ID, name, and description. (Note: If you use folders for your VM’s, you can also select those here).

8. I tend to stick with the defaults, except I let the users reset their desktops > Next.

9. I’m not redirecting any disposable files or profiles > Next.

10. Expand Security > Logins > Create a new login.

11. For the default Image, browse to your source machine, then select the snapshot. Set the Folder, Host/Cluster, and Resource pool as applicable. Then browse for a datastore.

12. Here I’ve selected to store my disks on different datastores. If you can, put your replica disk on the FASTEST storage, as this gets the most “Read” traffic > OK > Next.

13. The domain should auto populate > Pick an OU to place the new machines into, then select either to use quickprep (the VMware one), or Sysprep (the Microsoft one). > Next.

Note: You can also use a customization specification (yes Americans are worse at spelling than me!), you set these up in the VI client on the home screen under ‘Customization Specifications Manager’.

14. Review the information > Finish.

15. Now you have you pool, you need to allow your users to connect to it, with it selected press ‘Entitlements’.

16. Add in the users and/or groups you want to grant access to > OK.

17. It can take a while for the replica to be created then all the linked clones to become ‘Available’ watch progress under ‘Inventory > Desktops’.

18. When available you should be able to connect to them using the VMware View Client.

19. And finally get your new Windows 7 linked clone desktop.

Related Articles, References, Credits, or External Links

NA

VMware View 5 – Configure and Deploy Clients in ‘Kiosk Mode’

KB ID 0000610 

Problem

Kiosk mode is quite useful, if you have some machines that you want to put in a public area for visitors to use, or for machines that are used in displays etc. Or if you have some older PC’s that you just want to repurpose as internet terminals or ‘point of sale’ box’s.

Essentially it’s a system that delivers a virtual VMware View desktop to a PC or Thin client without the need to authenticate to the connection server. Kiosk authentication is disabled by default, so you need to run a few commands to get it enabled.

Solution

Before starting you will need a Virtual Machine ready to be used for the Kiosk machine. You might want to create this machine with a “nonpersistent” disk.

Configure Windows 7 to be a VMware View Desktop

Step 1: Prepare Active Directory

1. Set yourself up an OU to hold your kiosk machine, and a security group that will contain the user account you are going to create later.

Step 2: Configure the VMware Connection Server

2. Now log into your VMware Connection Server, open a command window with elevated privileges. then issue the following command;

[box]vdmadmin -Q -clientauth -setdefaults -ou “OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com” -noexpirepassword -group kioskusers[/box]

Note: where kioskusers is the name of the group you created.

3. Now I will create a user ‘custom-kiosk-user’ with a password of ‘Password123’, and put him in the OU and group we created earlier;

[box]vdmadmin -Q -clientauth -add -domain petenetlive -clientid custom-kiosk-user -password “Password123” -ou “OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com” -group kioskusers -description “Kiosk Terminal”[/box]

Note: Alternatively you can create a user that matches the MAC address of the client machine and auto generate a password like so, (this assumes the thin client or PC’s MAC addresses is 3C:4A:92:D3:12:1C).

4. Then allow this connection server to accept kiosk connections with the following command;

[box]vdmadmin -Q -enable -s PNL-CS[/box]

Note: Where PNL-CS is the name of my VMware Connection Server.

5. You can view the settings configured on this connection server with the following command;

[box]vdmadmin -Q -clientauth -list[/box]

6. While still on your connection server open VMware View Administrator, and create a ‘Pool’ for your Kiosk machine.

7. Manual Pool > Next.

8. Dedicated > Next.

9. vCenter virtual Machines > Next.

10. Next.

11. Give the pool an ID and Display name > Next.

12. Select the machine you are using as the source for the Kiosk machine > Next.

13. When the pool is created > Entitlements.

14. Add in the group that you created in step 1 > OK.

15. Just check on the ‘desktops’ tab and make sure the machine is listed as ‘available’.

Step 3: Connect to the Kiosk Machine

16. Now from your client machine or thin client, you can execute the following command to open the kiosk session.

[box]c:program filesvmwarevmware viewclientbinwswc” -unattended -serverURL PNL-CS -userName custom-kiosk-user -password “Password123″[/box]

Note: In a live environment you may want to make the host machine or thin client automatically log on and put this command in the ‘startup’ folder, or call it from a startup/logon script so the machine will boot straight into the kiosk virtual machine.

17. All being well you should be presented with the kiosk VM machine, note you no longer get the normal VMware View tool bar etc, it will behave as if the machine is in front of you.

Related Articles, References, Credits, or External Links

Deploying VMware View 5

VMware View – Windows Pool ‘Stuck’ on Customizing

KB ID 0000646 

Problem

While trying to deploy a Windows XP Pool yesterday, I hit upon this problem. Windows 7 works fine, but as soon as I tried to roll out a Windows XP pool, they stopped like this;

After a couple of hours, the whole operation timed out, and each machine shows as;

Status
{Date}{Time} o’clock {Time-Zone}:
Customization operation timed out

I tried to deploy the pool with both ‘quick prep’ and ‘sysprep’, but the results were the same. The replica is created, the pool creates the machines, but they DO NOT join the domain.

Solution

Despite my best efforts, I had to admit defeat and call VMware. Turns out they knew what the problem was straight away.

1. In my case the pool was going to be a linked clone pool. Go to the reference XP machine that you are using for this pool, and power it on.

2. Start > Run > appwiz.cpl {Enter}.

3. Locate and uninstall the VMware View Agent software.

4. Reboot the machine.

5. Download and install Microsoft Update 944043 on the XP Source machine. (Note: here’s the x32 bit version for XP).

6. Reboot the machine, (or the next step will fail and ask for a reboot!)

7. Reinstall the VMware View Agent.

8. Now if you are creating a linked clone pool, release the IP address > shut down the guest machine > snapshot the guest machine > recreate your pool.

Conclusion

VMware tell me that this is well documented in this kb article. But both at the time, and since, I’ve analysed the logs on the connection server, and the agent logs on the deployed machines, and found no mention of the following error,

“View Composer agent initialization state error (18): Failed to join the domain”

Hopefully this will help out someone stuck in the same position.

Related Articles, References, Credits, or External Links

NA

AnyConnect Error ‘The secure gateway has rejected the connection attempt, No assigned address’

KB ID 0000876 

Problem

I upgraded a clients ASA5510 firewall(s) yesterday. Post upgrade he got this error;

The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address.

Solution

Thankfully the error is pretty descriptive, the remote client can not get an IP address. So I’m missing an ip local pool command, or that pool is missing from the AnyConnect tunnel-group. To Test;

[box]

WHAT IT SHOULD LOOK LIKE

Petes-ASA# show run | incl pool ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0 address-pool SSL-POOL Petes-ASA#

[/box]

In the example above, I have my address pool, and the second line is that pool being applied to the tunnel-group I’m using for AnyConnect.

If you are missing both (I was post upgrade)

Note: Change the subnet to match your requirements, and DONT use addresses that are in use INSIDE your LAN.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0

[/box]

If you are missing the address-pool command

The IP pool used, is defined in the tunnel group, (in the general-attributes section).

[box]

HERE THE POOL REFERENCE IS MISSING;

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#

TO ADD IT IN (Take note of the tunnel group name SSL-PROFILE (above))

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group SSL-PROFILE general-attributes
Petes-ASA(config)# address-pool SSL-POOL
Petes-ASA(config)#

WHAT IT SHOULD LOOK LIKE

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
address-pool SSL-POOL
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#

[/box]

 

Finally, don’t forget to save the changes.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Afterthoughts

This happened because (pre migration) I had the following command in the firewall config;

[box]

ip local pool SSL-POOL 172.16.33.1 mask 255.255.255.0

[/box]

 

The firewall was (at that time) running version 8.2, in the past that syntax was fine, now you would need to specify the mask as 255.255.255.255 (to lease one address). During conversion this command was dropped, so it was never added to the tunnel-group either.

Related Articles, References, Credits, or External Links

NA