Introduction To Virtual Desktop Manager

Revision: 20080527
Item: VDM-ENG-Q108-451

You can find the most up-to-date technical documentation on our Web site at
[Link]
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@[Link]

2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242,
6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022,
6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481,
7,149,843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999,
7,278,030, 7,281,102, and 7,290,253; patents pending.
VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names
mentioned herein may be trademarks of their respective companies.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
[Link]
Contents

Introduction to Virtual Desktop Manager
Introduction
Features
VDM Overview
VDM User Authentication
VDM Extended USB Device Redirection
VDM Secure Access
VDM Virtual Desktop Pool Management
VDM High Availability and Scalability
VDM Connection Server DMZ Deployment
VDM Connection Server Components
VDM Broker
VDM Secure Gateway Server
VDM LDAP
VDM Messaging
VDM Security Server

Glossary

Introduction to Virtual Desktop Manager

VMware Virtual Desktop Manager 2 (VDM) is a key component in the VMware Virtual Desktop Infrastructure (VDI) [Link] [Link] works with VMware Virtual Infrastructure 3 to provide a complete, end-to-end VDI solution that improves control and manageability and provides a familiar desktop experience.

The benefits of VDI with VDM include the following:

Control and manageability in a single product: Administrators can more easily provision, manage, and maintain desktops because the desktops are running in the datacenter.

Familiar end-user experience: Users get flexible access to a personalized, virtual desktop that behaves just like their PC desktops.

VMware Infrastructure 3 integration: VDI extends the benefits of VMware Infrastructure 3 to the desktop by leveraging the backup, failover, and disaster recovery capabilities of VMware Infrastructure 3.

Lower total cost of ownership (TCO): By reducing administration and energy costs and extending the useful life of PCs, VDI delivers lower TCO.

Features
The features of VDM in VDI include the following:

Enterprise-class connection brokering: VDM manages the connections between [Link], the virtual desktops [Link], users access their applications as if the applications are running locally.

USB client device support: USB devices can be locally connected to clients and accessed through a virtual desktop.

Web-based management user interface: A Web-based management console allows virtual desktops to be managed from any location.

Smart pooling capabilities: A range of persistent and non-persistent pooling capabilities simplifies the provisioning and management of centralized desktops.

Secure access: Optional secure encapsulation capabilities allow all network connections to be encrypted.

Integration with Microsoft Active Directory: Connection to Active Directory, which allows you to locate user and user group accounts and use the authentication features in Active Directory to control which users can access virtual desktops.

Support for two-factor authentication: With RSA SecurID, access control is strengthened.

Seamless integration with VMware Virtual Infrastructure 3: Works closely with VMware VirtualCenter to provide advanced virtual desktop management capabilities, such as automatic suspend and resume, which reduces the memory [Link] capabilities of VMware Virtual Infrastructure 3, desktops can run even when server hardware fails and recover quickly from unplanned outages without duplicate hardware.

Flexible deployment options: Critical components can be deployed in a variety of configurations and to different parts of the network, which improves security, scalability, [Link], and VDM can scale horizontally to support many virtual desktops.

High availability: Servers can be clustered for high availability and scalability [Link] load balancing solutions.

VDM Overview
VDM includes the following key components:

VDM Connection Server

VDM Agent

VDM Client

VDM Web Access

VDM Administrator

Figure 1 shows the physical topology of a VDI infrastructure with VDM and shows the relationship between the main VDM components.

Figure 1. Physical Topology of VMware VDI Infrastructure with VDM
[Diagram labels: Windows VDM Client; Linux and Mac VDM Web Access; Thin Client; network; VDM Administrator (browser); VDM Connection Server; Microsoft Active Directory; VirtualCenter Management Server; ESX Server hosts running Virtual Desktop VMs; each virtual machine with desktop OS, apps and VDM Agent]

VDM Connection Server


This component is the VDI connection broker that manages secure access to virtual desktops and works with VirtualCenter to provide advanced management capabilities. It is installed on a Microsoft Windows Server 2003 server that is part of an Active Directory domain.

VDM Connection Server is installed as one of the following instances:

Standard: This instance appears in Figure [Link] and is used as the only VDM Connection Server (or the first of a group of VDM Connection Servers that act as part of a high-availability, fully replicated group).

Replica: This instance is installed as a second or subsequent VDM server in a [Link] server and is automatically replicated between VDM group members.

Security Server: This instance implements a subset of the VDM Connection Server functionality and is used in a demilitarized zone (DMZ) deployment. A [Link] Standard and Replica instances automatically include the Security Server functionality.

The instance type is selected during VDM Connection Server installation.

High availability and DMZ deployments of VDM Connection Server using Replica and Security Server instances are described in "VDM Connection Server DMZ Deployment". Configuration data is stored in an embedded LDAP directory on each Standard and Replica instance.

VDM Agent
This component runs on each virtual desktop and is used for session management and [Link], this component supports optional USB device [Link] desktops created from that template automatically include the VDM Agent.

Place virtual desktops in an Active Directory domain that is one of the following:

The same domain to which the VDM Connection Servers are joined

A domain with a trust agreement with the VDM Connection Server domain

When users connect to their virtual desktops, they are automatically logged in using [Link] be disabled in VDM Agent, which means that users are always required to log on to the [Link] domain with which no trust agreement exists, single sign-on is not available, and the user must manually log in to the virtual desktop.

VDM Client
This component runs on a Windows PC as a native Windows application and allows [Link] VDM Connection Server and allows the user to log on using any of the supported [Link], users can select from the list of virtual [Link] virtual desktop and provides users with a familiar desktop experience.

VDM Client also works closely with VDM Agent to provide enhanced USB support. Basic USB support (such as USB drives and USB printers) is supported without VDM USB support, [Link] can specify VDM USB support in VDM Client during the installation.

VDM Web Access
This component is similar to VDM Client but provides a VDM user interface through a [Link] [Link]/X, [Link] [Link] Access on Linux uses rdesktop and on Mac OS/X uses Microsoft Remote Desktop Connection Client for Mac.

[Link] obtains the required software on their client device by accessing a VDM Connection [Link] by a user with administrative rights, VDM Web Access on Windows has complete VDM USB support.

VDM Administrator
[Link] VDM administrators to do the following:

Make configuration settings

Manage virtual desktops and entitlements of desktops of Windows users and groups

VDM Administrator also provides an interface to monitor log events on a VDM Server [Link] Connection Server components and their relationship with other VDM components, see "VDM Connection Server Components".

VDM User Authentication


Users need to log in to VDM first in order to prove their identity and to gain access to [Link], they do this by entering their Windows credentials at the login prompt.

As an added level of security, VDM can be configured to require RSA SecurID [Link] login process, users must enter their SecurID user names together with their SecurID [Link], users are prompted for their Windows credentials.

Active Directory Authentication


[Link] allows user authentication for VDM against Active Directory for the joined domain and [Link], if VDM Connection Server is a member of Domain A, and a trust agreement exists between Domain A and Domain B, users from either domain can log in to VDM.

By authenticating users against an existing Active Directory, an organization can simplify the operational management of VDM by ensuring that the management of [Link], [Link], such as restricting permitted hours of login and the expiration date for passwords, are also handled through existing Active Directory operational procedures.

RSA SecurID Authentication


VDM is certified through the RSA SecurID Ready program to operate with RSA [Link] [Link] that is enabled for RSA SecurID authentication are prompted for their RSA SecurID user names and passcodes (PINs and token codes). After authenticating against an RSA Authentication Manager, users can continue to log in.

[Link] requires knowledge of the user's PIN and token code, which is only available on the [Link], VDM supports the full range of SecurID capabilities, including New PIN Mode, Next Token Code Mode, RSA Authentication Manager, load balancing, and so on.

Figure 2 shows the physical topology diagram for VDM with an additional server used [Link] single server, but for high availability deployments, you need multiple servers.

Figure 2. VDM RSA SecurID Authentication with RSA Authentication Manager
[Diagram labels: Client; network; VDM Administrator; VDM Connection Server; Microsoft Active Directory; RSA Authentication Manager; VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines]

When users enter their RSA SecurID credentials, VDM Connection Server [Link] credentials are verified, VDM Connection Server requests Active Directory domain credentials from the user and communicates with Active Directory to continue the authentication process.

VDM Extended USB Device Redirection


VDM allows the redirection of a variety of locally attached USB devices for software [Link], when attached, can be selected [Link] desktop session starts will appear in the menu and are available for redirection after being initialized.

Some devices, such as printers, local USB flash drives, and smart cards, can be forwarded to the virtual desktop using standard Microsoft Remote Desktop Protocol (RDP). But VDM Client USB redirection extends the range of usable devices and the [Link], sound can be brought to the local machine using RDP, but disabling this feature and using VDM USB redirection allows you to use VoIP devices.

[Link], smart card forwarding is limited to RDP functionality so that smart cards can be used to [Link], these devices do not appear in the [Link] (HIDs), such as a keyboard or a mouse, are also filtered from the USB device list because these devices are required locally and function without being forwarded or redirected.

RDP forwarding and VDM USB redirection can be governed through Active Directory [Link] Client, VDM Agent, and the user to have administration rights on the VDM Client and the VDM Agent operating systems.

VDM Secure Access


VDM Connection Server with VDM Client and VDM Web Access provides security for the desktop protocols between the client device and the VDM Connection Server. VDM encapsulates all protocols, such as the extended RDP in an HTTPS connection, which offers the following advantages:

The RDP protocol is tunneled through HTTPS and is encrypted using SSL: This is a powerful security protocol and is consistent with the security provided by other secure Web sites like those used for online banking, credit card payments, and so on.

One HTTPS connection is used for all client-server communication: Multiple desktop connections are multiplexed over this HTTPS connection, which reduces the overall protocol overheads.

VDM controls both ends of this HTTPS connection, so the reliability of the underlying protocols is significantly improved: If a user temporarily loses a network connection, after it is restored, the HTTPS connection is reestablished and the RDP connections automatically resume without having to reconnect and log in again.

VDM is accessed using standard Web protocols, so it can be easily accessed through corporate proxies: In a standard deployment of just VDM Connection Servers, the HTTPS secure connection terminates at the VDM Connection Server and in a DMZ deployment, [Link] Server DMZ Deployment.

VDM Connection Server can be configured to not use a secure connection, so that RDP communication is direct from the client device to the virtual desktop.

VDM Virtual Desktop Pool Management


VDM includes integrated virtual desktop pool management capabilities that leverage the control provided by VirtualCenter to provision and manage the virtual desktops. VDM provides the following types of desktops:

Individual desktops: These are existing virtual desktops that are available [Link] desktops.

Persistent desktop pool: This type is a pool of virtual desktops whose lifecycle [Link] assigned to their user on the first use, so the user returns each time to the same [Link] desktops by installing additional applications and storing local data.

Non-persistent desktop pool: Similar to a persistent desktop pool, except in this [Link] finished, the virtual desktop is returned to the pool and made available for other users.
By deleting the virtual desktops after each use, this type of pool ensures that each user receives a newly provisioned virtual desktop each time the user connects (optional). Use this type of pool where a clean machine is needed for each user session or in highly controlled environments that have no requirement for customization to be stored on the virtual desktop.

The two pool desktops are sized using the following parameters:

Minimum: The minimum number of virtual desktops to be created when the pool [Link] [Link] when a user population is moved to VDM.

Maximum: The maximum number of virtual desktops that can exist in the pool. Use this parameter to limit the number of virtual desktops in the pool to avoid overusing available resources.

Available: The number of virtual desktops that are available for immediate use. For persistent pools, this parameter relates only to the unassigned virtual [Link] [Link] environments.

When a pool contains too few virtual desktops, the manager provisions new virtual [Link] customized (for example, named and become part of an Active Directory domain) or be left for an administrator to manually configure.

Power management is applied to all virtual desktops under VDM control, and the following policies are supported:

Remain on: After being started, [Link] virtual desktop is powered down, for example using the VirtualCenter client, VDM automatically starts it when it is needed.

Always powered on: VDM ensures that any virtual desktop with this policy [Link], VDM immediately powers it up again.

Suspend when not in use: If a virtual desktop is not required, it is suspended. This policy is applied to individual and assigned persistent virtual desktops when [Link] [Link], this can be triggered by a virtual desktop being returned to the pool when a user logs out.

Power off when not in use: If a virtual desktop is not required, it is powered off. This is just like the Suspend when not in use policy, except that the virtual desktop is completely powered off.

VDM supports individual and pooled desktops on multiple VirtualCenter instances. A pool cannot span VirtualCenters, but VDM can manage multiple pools across multiple [Link] be concurrently active for each VirtualCenter to ensure that the rate of operations is not [Link]. In a multi-broker environment, the VDM Connection Servers cooperate with each other to enforce these limits and to perform the pool management operations.

VDM High Availability and Scalability


To support high availability and scalability requirements, VDM Connection Server can [Link] [Link], a new instance of the LDAP directory is installed and the VDM Connection Server supports full functionality using its local LDAP directory.

To extend the environment, a second server can be installed as a Replica instance. During this installation, the user references an existing VDM Connection Server and the Replica instance is joined to the Standard instance to form a VDM Connection Server [Link] [Link] configuration changes on either server are automatically and immediately made on the other.

Both servers offer identical functionality and in the event of server failure, the other [Link], any changed LDAP VDM configuration data is reflected on the resumed server so that both servers [Link] [Link] installation, the user can reference any existing group member to join the new server to the group.

After installation, no differences exist between a Replica instance and a Standard [Link], additional Replicas can be [Link] VDM configuration data can be backed up by backing up the LDAP directory instance.

Figure [Link] use both VDM Connection Servers and support high availability and scalability needs, [Link] [Link] Connection Server does not provide load balancing functionality but works with standard third-party load balancing solutions.

Figure 3. Multiple VDM Connection Servers
[Diagram labels: Client; network; load balancing; VDM Connection Servers; Microsoft Active Directory; VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines]

The load balancing requirements for VDM Connection Server are to support standard [Link] VDM Connection Server can include Microsoft Network Load Balancing (NLB), standard hardware-based load balancers, or virtual appliance load balancers that can operate on ESX Server.

Users in a load-balanced VDM Connection Server environment use a load-balanced [Link] the connection to any of the available VDM Connection Servers in the group.

VDM Connection Server DMZ Deployment


In secure environments, particularly when VDM is being accessed from an insecure network such as the Internet, it is common practice to deploy servers in a DMZ. VDM Connection Server functionality is split between servers in the secure network [Link] Security Servers and are installed using the VDM Connection Server installer and [Link] with VDM Connection Servers (Standard or Replica) in the secure network.

Figure 4 shows a high availability environment comprising two load-balanced VDM Security Servers in the DMZ working with two full VDM Connection Servers (Standard and Replica instance) in the secure network.

Figure 4. DMZ Deployment with Multiple VDM Connection Servers
[Diagram labels: Remote Client; external network; DMZ; load balancing; VDM Security Servers; VDM Connection Servers; Microsoft Active Directory; VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines]

VDM Security Servers do not contain an LDAP configuration repository and do not access any authentication repositories (Active Directory or RSA Authentication Manager). When remote users connect using a VDM Security Server, they must [Link] cannot attempt to access any virtual desktops until they are successfully authenticated. With appropriate firewall rules on both sides of the DMZ, this type of deployment is suitable for accessing virtual desktops from Internet-located client devices.

To support remote VDM Client and VDM Web Access connecting to the environment using HTTPS from an external network, the only TCP port that must be allowed in the DMZ is the HTTPS port (TCP port 443). VDM Security Servers do not need to be part of an Active Directory domain, and no communication occurs between VDM Security Servers and Active Directory.

Although Figure 4 shows a one-to-one relationship between VDM Security Servers and VDM Connection Servers, multiple VDM Security Servers can be connected to each [Link] deployment to offer VDM access for internal users and external users.

Figure 5 shows a more complex environment where four VDM Connection Servers act as one group with the servers in the internal network dedicated to the users of that network, and the servers in the external network dedicated to users of that network. The servers on the right can be enabled for RSA SecurID authentication, so that all external network users are required to authenticate using RSA SecurID tokens.

Figure 5. DMZ Deployment with Internal Network Access
[Diagram labels: remote Client; external network; DMZ; load balancing; VDM Security Servers; Client; internal network; load balancing; VDM Connection Servers; Microsoft Active Directory; VirtualCenter Management Server; ESX Server hosts running Virtual Desktop virtual machines]

VDM Connection Server Components


Figure 6 shows the VDM Connection Server components and their relationship with the other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:

JMS: 4001

HTTP: 80

HTTPS: 443

RDP: 3389

SOAP: 80 or 443

Figure 6. VDM Components
[Diagram labels: Windows Client (VDM Client); Linux and Mac Client (browser, VDM Secure GW Client, RDP Client); Thin Client (thin client operating system, RDP Client); HTTP(S) and RDP links; Admin Console (VDM Administrator); VDM Connection Server (VDM Secure GW Server, VDM Messaging, VDM Broker & Admin Server, VDM LDAP); SOAP link to VirtualCenter Server; JMS and RDP links to VDM Agent in the Virtual Desktop VM]

VDM Broker
[Link] interaction between the client (VDM Client, VDM Web Access, and Thin Client) and the VDM Connection Server.

VDM Broker provides the following:

User authentication

User desktop entitlements with VDM LDAP

Virtual desktop session management

Coordination of the secure connection establishment, virtual desktop connection, and single sign-on

Administration server used by VDM Administrator Web client

Virtual desktop pool management

VDM Broker operates closely with VirtualCenter to provide advanced management of [Link] and power operations, such as automatic suspend and resume.

VDM Secure Gateway Server


VDM Secure Gateway Server provides the server-side component for the secure HTTPS connection between the VDM Client (or VDM Secure Gateway Client) and the [Link], a secure HTTPS connection is [Link], [Link]/X, it is initiated by the Java VDM Secure Gateway Client using Java Web Start technology. After this secure connection is established, virtual desktop protocols (RDP) can securely and reliably connect.

When the VDM Secure Gateway Server sees an incoming RDP connection through the HTTPS connection, [Link] ensure that all virtual desktops are only accessed through VDM Connection Server, firewall rules can be applied to each virtual desktop so that all RDP connections [Link], direct access to virtual desktops bypassing VDM Connection Server is not possible because VDM Connection Server acts as gatekeeper for all virtual desktop access. With VDM 2.1 and newer, the VDM Agent can be configured so that direct incoming RDP connections to virtual desktops [Link] through a VDM Connection Server.

VDM Secure Gateway Server is also responsible for forwarding other Web traffic (such as authentication traffic, user desktop selection traffic, and so on) to the VDM broker [Link] Gateway Server to the VDM Broker.

VDM LDAP
VDM LDAP is an embedded LDAP directory on each VDM Connection Server [Link] configuration data. VDM LDAP for Windows Server 2003 uses Microsoft Active Directory Application Mode (ADAM). This is an embedded LDAP directory bundled [Link]:

Specific VDM schema definitions

Directory information tree (DIT) definitions

Access control lists (ACLs)

VDM LDAP also includes a set of VDM plug-in DLLs to provide automation and notification services for other VDM components.

VDM LDAP contains entries to represent the following configuration items:

Virtual desktop entries that represent each accessible virtual desktop: This contains references to Foreign Security Principal entries of Windows users and Windows user groups in Active Directory who are authorized to use this desktop.

Virtual Desktop Pool entries that represent multiple virtual desktops managed together

Virtual machine entries that represent each virtual desktop

VDM component configuration entries used to store configuration settings

When a Standard instance is installed during VDM Connection Server installation, a new, [Link], DIT definition, ACLs, [Link] VDM LDAP is mainly maintained from VDM Administrator, although VDM Broker also manages some parts automatically.

When a VDM Connection Server Replica instance is installed, an ADAM instance is also created locally, [Link] means that the initial data is a copy of an existing instance that includes all [Link], a replication agreement is set up so that all VDM Connection Servers in the group share the same configuration [Link] functionality is provided by ADAM, which uses the same replication technology as Active Directory.

VDM Messaging
This component provides the messaging router for communication between VDM Connection Server components and between VDM Agent and VDM Connection [Link] (JMS) API, which is used for messaging in VDM.

VDM Security Server


VDM Security Server is an instance type that is selected when VDM Connection Server [Link] [Link] 7 shows a VDM Security Server and shows the relationship with all other VDM components and the protocols used for communication between the components.

The following default TCP ports are used for each protocol:

JMS: 4001

AJP13: 8009

HTTP: 80

HTTPS: 443

RDP: 3389

SOAP: 80 or 443
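
The firewall guidance in the DMZ deployment and Secure Gateway sections, combined with the default ports listed above, can be checked mechanically against a rule set. The following Python audit is an added example, not VMware code; the address plan, sample rules and function names are constructed. Only the external-to-DMZ TCP 443 allowance is stated outright in the text; the other permitted flows are assumptions read from the protocol labels of Figures 6 and 7.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Default TCP ports as listed in this document.
JMS, AJP13, HTTPS, RDP = 4001, 8009, 443, 3389

# Constructed address plan (assumption; substitute your own networks).
ZONES = {
    "dmz": ip_network("192.0.2.0/28"),       # VDM Security Servers
    "brokers": ip_network("10.10.1.0/28"),   # Standard/Replica Connection Servers
    "desktops": ip_network("10.20.0.0/16"),  # virtual desktops running VDM Agent
}

# Permitted inter-zone TCP flows. external->dmz:443 is stated in the text;
# the remaining rows are assumptions based on the figure protocol labels.
POLICY = {
    ("external", "dmz"): {HTTPS},
    ("dmz", "brokers"): {JMS, AJP13},
    ("dmz", "desktops"): {RDP},
    ("brokers", "desktops"): {RDP},
    ("desktops", "brokers"): {JMS},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int  # TCP destination port
    action: str = "allow"


def src_zone(cidr):
    """A source confined to one zone gets that zone; anything broader is
    treated as external, the least-trusted origin it admits."""
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "external"


def dst_zones(cidr):
    """Every zone the destination overlaps, plus external if it reaches
    beyond a single zone (an over-broad destination opens all of them)."""
    net = ip_network(cidr)
    hit = [name for name, zone in ZONES.items() if net.overlaps(zone)]
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.append("external")
    return hit


def audit(rules):
    """Return (rule, src zone, dst zone, port) for each allow rule that opens
    an inter-zone flow outside POLICY. Rules are judged one by one; rule
    ordering and shadowing are not modelled."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src = src_zone(rule.src)
        for dst in dst_zones(rule.dst):
            if src != dst and rule.port not in POLICY.get((src, dst), set()):
                findings.append((rule.name, src, dst, rule.port))
    return findings


# Constructed sample rule set mixing compliant and non-compliant entries.
SAMPLE_RULES = [
    Rule("front-https", "0.0.0.0/0", "192.0.2.0/28", HTTPS),
    Rule("front-rdp-legacy", "0.0.0.0/0", "192.0.2.0/28", RDP),
    Rule("back-jms", "192.0.2.0/28", "10.10.1.0/28", JMS),
    Rule("back-ajp13", "192.0.2.0/28", "10.10.1.0/28", AJP13),
    Rule("back-ldap", "192.0.2.0/28", "10.10.1.0/28", 389),
    Rule("desktop-rdp-from-brokers", "10.10.1.0/28", "10.20.0.0/16", RDP),
    Rule("desktop-rdp-from-any", "0.0.0.0/0", "10.20.0.0/16", RDP),
    Rule("blocked-telnet", "0.0.0.0/0", "192.0.2.0/28", 23, "deny"),
]

if __name__ == "__main__":
    for name, src, dst, port in audit(SAMPLE_RULES):
        print(f"{name}: {src} -> {dst} tcp/{port} is outside the policy")
```

The three flagged sample rules are RDP exposed on the DMZ, LDAP from a Security Server to the secure network (Security Servers hold no LDAP repository and do not talk to Active Directory), and RDP to desktops from a source other than a VDM server.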

Figure 7. VDM Component Diagram with Security Server
[Diagram labels: Windows Client (VDM Client); Linux and Mac Client (browser, VDM Secure GW Client, RDP Client); Thin Client (thin client operating system, RDP Client); HTTP(S) and RDP links; VDM Security Server (VDM Secure GW Server); RDP, JMS and AJP13 links; Admin Console (VDM Administrator); VDM Connection Server (VDM Secure GW Server, VDM Messaging, VDM Broker & Admin Server, VDM LDAP); SOAP link to VirtualCenter Server; JMS and RDP links to VDM Agent in the Virtual Desktop VM]

For more information about VDM deployment within a DMZ, see "VDM Connection Server DMZ Deployment".

Glossary

A
Active Directory
A Microsoft directory service that stores information about the network operating [Link] groups and enables administrators to set security policies, control resources, and deploy programs across an enterprise.
ADAM (Active Directory Application Mode)
An LDAP implementation based on Active Directory.
active session
[Link] established connection to a virtual desktop that has not timed out.
administrator user interface
The Web-based administrator user interface used to perform configuration and [Link].
agent
See VMware VDM Agent.

broker
[Link] [Link].

client
See VMware VDM Client.
connection broker
A server that allows connections between remote users and virtual desktops and [Link] [Link].
connection server
See VMware VDM Connection Server.

desktop
See virtual desktop.
desktop virtual machine
See virtual desktop.
desktop pool
A pool of virtual machines that an administrator designates for users or groups of [Link], non-persistent desktop pool.
DMZ (demilitarized zone)
A logical or physical subnetwork that connects internal servers to a larger, untrusted network (usually the Internet) and provides an additional layer of security and gives administrators more control over who can access network resources.
DNS (Domain Name System)
[Link] called Domain Name Server or Domain Name Service.

FQDN (fully qualified domain name)
The name of a host, [Link], [Link].

guest
See guest operating system.
guest operating system
An operating system that runs inside a virtual machine.

high availability
A system design approach that ensures a degree of operational continuity.

load balancing
A technique used for distributing processes across servers so that the traffic load is spread more evenly and servers do not become overloaded.

non-persistent desktop pool
[Link] log off or are timed out of a desktop, their desktops are returned to the pool and [Link] when using a non-persistent pool.

persistent desktop pool
[Link] [Link] can save data and files to their desktops when using a persistent pool.

RDP (remote desktop protocol)
A multichannel protocol that allows a user to connect to a computer remotely.
RSA SecurID
A product from RSA that provides strong two-factor authentication using a password and an authenticator.

security server
A VDM Connection Server deployment that adds a layer of security between the [Link] [Link] (demilitarized zone).

thin client
A device that allows a user to access virtual desktops but requires little memory or [Link], data, and CPU power resides on a network computer and not on the client device.

VMware VDM Agent
Installed on the guest, the VDM Agent enables communication between the desktop virtual machine, the VDM Connection Server, and end users who access virtual desktops by using VDM Web Access or VDM Clients.

VMware VDM Client
A Windows-based application used for accessing virtual desktops.
VMware VDM Connection Server
A connection broker that provides management and user authentication for virtual [Link] requests to the appropriate virtual desktop.
VMware VDM Web Access
[Link] supported Windows, Linux, or Macintosh operating systems can access virtual desktops by using VDM Web Access.
virtual desktop
[Link] indistinguishable from any other computer running the same operating system.
VMware Virtual Desktop Infrastructure
The VMware desktop infrastructure solution that consists of VMware ESX Server, VMware VirtualCenter, [Link] end-to-end virtual desktop solution that allows administrators to easily deploy and manage virtual desktop environments.

web access
See VMware VDM Web Access.
