Archive for the ‘VMware View’ Category
SSL certificates in VMware View environments
An SSL certificate can be described as a data container that holds the identity of a computer, its public key and the digital signature of the issuer of the certificate. Certificates are used to confirm the authenticity of a website, and the public key they contain is used to set up the encrypted connection between a client and a server.
Without further action the View Server uses a self-signed certificate. When you open the website of the View Server, the browser shows a security warning stating that the certificate comes from an untrusted source.
To use your own certificates signed by a trusted Certification Authority (CA), you can use the keytool that ships with the View installation on the Connection Server. With this tool you create a trust store on the View Server into which the CA certificates are imported. Request a certificate from a CA you trust; this may be the CA of your company or a third party such as Thawte, VeriSign or GlobalSign. Already-signed certificates for your server can be integrated as well. The next section walks through the entire process of requesting a certificate from a Microsoft Certification Authority; for certificates from other parties please refer to their documentation.
Certificates are only needed on the servers that terminate the client connection: Connection Servers to which clients connect directly. If you use a Security Server for client connections, only the Security Server needs the certificate.
Companies that use Active Directory as their directory service often also use the Microsoft Certification Authority for their certificates. The following example explains the steps needed to request a certificate and then integrate it into a VMware View Server. Use Microsoft Internet Explorer on the View Server for the request, because only with this browser the import and export of the certificate works without problems.
- Open Internet Explorer and type the address of your certification server in the address bar: <certificateservername.fqdn>/certsrv/. Replace the placeholder with the computer name of the CA server and its fully qualified DNS domain name.
- Request a certificate on the website and mark the key as exportable.
- After the request has been approved, revisit the site with Internet Explorer and install the issued certificate. It is now stored in the local certificate store, from where you can export it to a file.
- In Internet Explorer click the Tools menu and select Internet Options. This opens the window where you change the properties and options of Internet Explorer. Select the Content tab and click the button labeled Certificates.
- In the following dialog select the certificate of your server and export it to a directory on your hard disk. It is important that you export the certificate together with its private key in the PFX file format. Name the file, for example, server.pfx.
- Then export the certificate of your company's CA in X.509 format.
After both certificates have been exported successfully, the trust store can be created with the keytool application. To run keytool without typing long file paths, first add its directory to the PATH environment variable. Open a Windows command prompt on the View Server and type the following command:
set PATH=%PATH%;%ProgramFiles%\VMware\VMware View\Server\jre\bin
Then change to the directory where you saved the certificates and generate the trust store from the exported CA certificate. Replace <ca-alias> with a name for the Certification Authority and <ca-certificate-file> with the file name of the exported CA certificate.
keytool -import -alias <ca-alias> -file <ca-certificate-file> -keystore truststore
The newly created trust store and the PFX file must be copied to the subdirectory \sslgateway\conf below the program directory of the VMware View Server. If there is no file named locked.properties in that directory, create it as a plain text file with Notepad; otherwise open the existing file and add the following parameters.
keyfile=server.pfx
keypass=<secret>
trustKeyfile=truststore
trustStoretype=JKS
useCertAuth=true
Make sure that keypass contains the correct password of the PFX file. The password is stored in clear text, so restrict the NTFS permissions on locked.properties to administrators and the account the service runs under. Note that useCertAuth=true enables client certificate (smart card) authentication against the trust store; it is not needed for the server certificate itself. Afterwards the View Connection Server service must be restarted, which can be done via the Windows Services Manager. Check the Windows Event Log and the View server log files under c:\documents and settings\all users\application data\vdm\logs for errors. If the View Connection Server service does not start, the certificate or the password is most likely wrong.
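The following PowerShell script is an added example and not part of the original post or of VMware's tooling. It automates the procedure above (trust store creation, locked.properties, ACL, service restart) and adds the two checks a practitioner wants: that the PFX password actually opens the file before the service is touched, and that port 443 presents the new certificate afterwards. It assumes the default install path, server.pfx and ca.cer in the current directory, a trust store password of changeit and the service name wsbroker (verify with Get-Service); run it from an elevated prompt.

```powershell
# Added example, not from the original post. Assumptions: default View install path,
# server.pfx and ca.cer in the current directory, service name 'wsbroker', elevated shell.
$viewHome = Join-Path $env:ProgramFiles 'VMware\VMware View\Server'
$keytool  = Join-Path $viewHome 'jre\bin\keytool.exe'
$confDir  = Join-Path $viewHome 'sslgateway\conf'
$pfxFile  = 'server.pfx'   # server certificate exported from IE together with its private key
$caFile   = 'ca.cer'       # CA certificate exported from IE in X.509 format
$caAlias  = 'corp-ca'      # any alias for the CA entry in the trust store

# 1. Read the PFX password once and prove that it opens the file. A wrong keypass is the
#    usual reason why the View Connection Server service refuses to start afterwards.
$secure  = Read-Host -AsSecureString 'Password of server.pfx'
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$keypass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path $pfxFile).Path, $keypass)
if (-not $cert.HasPrivateKey) { throw "$pfxFile carries no private key; re-export it with the key." }
"Server certificate: $($cert.Subject), valid until $($cert.NotAfter)"

# 2. Create the JKS trust store from the CA certificate without interactive prompts.
& $keytool -import -noprompt -alias $caAlias -file $caFile -keystore truststore -storepass changeit
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }
& $keytool -list -keystore truststore -storepass changeit | Select-String $caAlias

# 3. Copy both files into sslgateway\conf and write locked.properties as shown in the post.
Copy-Item -Path $pfxFile, 'truststore' -Destination $confDir -Force
$lockedProps = Join-Path $confDir 'locked.properties'
$props = @"
keyfile=$pfxFile
keypass=$keypass
trustKeyfile=truststore
trustStoretype=JKS
useCertAuth=true
"@
Set-Content -Path $lockedProps -Value $props -Encoding ASCII

# 4. keypass is stored in clear text: drop inherited ACEs and allow only SYSTEM and
#    Administrators to read the file.
$acl = Get-Acl -Path $lockedProps
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $lockedProps -AclObject $acl

# 5. Restart the broker (and dependent services) and compare what port 443 now presents
#    with the thumbprint of server.pfx.
Restart-Service -Name wsbroker -Force
Start-Sleep -Seconds 30
$tcp     = New-Object System.Net.Sockets.TcpClient('localhost', 443)
$noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }  # we only want to read the cert
$ssl     = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
$ssl.AuthenticateAsClient($env:COMPUTERNAME)
$served  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Served on 443: $($served.Subject), thumbprint $($served.Thumbprint)"
if ($served.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning 'Port 443 still presents another certificate; check the Event Log and the VDM logs.'
}
$ssl.Dispose(); $tcp.Close()
```

The thumbprint comparison at the end is the check that matters: a service that starts but still serves the self-signed certificate usually means locked.properties was written to the wrong directory or the file name in keyfile does not match.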
Check VMware View Pool Provisioning Status Via Powershell Script
RT @viewgeek: Check VMware View 4.x pool provisioning status with a PS-script and get a mail if it is disabled. Check out: http://3url.de/bj
Again I found a great tweet on Twitter, this time from Joel, the VMware End User Computing Specialist in Sweden. He tweeted a link to a great blog article which can be found here: http://www.vpeeling.com/?p=173. If you use automatic provisioning together with the option “Stop provisioning on error” in your View environment, you may know that provisioning is stopped as soon as View Composer encounters an error. Currently there is no built-in way to get an alert when this happens, but the mentioned article provides a PowerShell script which helps. Cool stuff.
Interested in how Transfer Server works?
My colleague Simon Long from PSO published a nice write-up today on how the View Transfer Server works. It's not deeply technical, more high-level, but definitely a great read. Check it out.
Link: Simon Long
New KB articles for VMware View
VMware published some new knowledge base articles for VMware View.
VMware View Manager
Cannot log in to the View Admin portal after a fresh installation of View Manager (1037952)
Date Published: 4/25/2011
Accessing the View Security server externally fails with the error: Given final block not properly padded (1037985)
Date Published: 4/25/2011
When using a Wyse R50L Thin client with multiple monitors in the VMware View environment, the Windows cursor becomes corrupted (1038155)
Date Published: 4/27/2011
Unable to update the iOS software on Apple devices in View (1038222)
Date Published: 4/27/2011
View Composer service fails to start with the error: The process terminated unexpectedly (1038380)
Date Published: 4/26/2011
Controlling the client MAC address that is sent to the View desktop volatile environment variables (1038435)
Date Published: 4/27/2011
The Connection Server does not start with the debug log error: Problem with HTTP listener: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled (1038438)
Date Published: 4/27/2011
Connecting to the View Connection server fails with the error: A secure connection to the server ‘(null)’ cannot be established (1038334)
Date Published: 4/26/2011
Using the vCenter console for mirroring a PCoIP session
Sometimes, e.g. for support reasons, it is necessary to mirror a user's remote session. There are three ways to do that in VMware View: Windows Remote Assistance (see the VMware Knowledge Base article), remote control software such as VNC or pcAnywhere, or the vCenter console. Usually when you try to use the vCenter console to mirror the user's desktop you just see a blank screen, which is the normal behaviour. If you want to see the user's screen, you must add or change a value in the Windows Registry of the virtual desktop.
You'll find the key at: HKLM\SOFTWARE\VMware, Inc.\VMware SVGA DevTap\NoBlankOnAttach : DWORD: 1
Keep in mind that with this value set, anyone who can open the VM console in vCenter can watch the user's session, so restrict console permissions on the desktop VMs accordingly.
Kudos go to my colleague Vincent Wu from China. Here is his blog. (Chinese language)
Teradici releases new maintenance firmware 3.3.1

Teradici released a new firmware for PCoIP zero clients. This release is only a maintenance release, which fixes some issues from version 3.3.0.
Here is an excerpt from the official release notes:
Compatibility Notes:
- VMware View 4.6 or newer is required to use USB enhancements in Firmware 3.3.x.
Resolved Issues:
- Fixed USB audio issue with VMware View guests running Microsoft Windows 7 64-bit host OS
- Fixed an issue where PCoIP Zero Clients could not connect to the VMware View Connection Server through certain load balancers
- Fixed an issue with a Logitech ClearChat wireless headset
- Fixed degraded performance with PCoIP Host cards on networks with packet loss, high latency, and/or low bandwidth
- Fixed password protection default setting
- Fixed CAC PIV endpoint smart card issue
- Fix for invalid OEM VPD (vendor product information) content
- Fixed issue with OSD appearing on the wrong set of monitors in certain quad display PCoIP Zero Clients
- Fixed issue with Power-over-Ethernet failing to power devices if VLAN enabled
- Language translation updates
Known Issues:
- Low Initial Quality for PCoIP Zero Clients connected to PCoIP Host Cards (15134-636)
- CD/DVD drive interoperability
- Refer to the list of CD/DVD drives that have been tested. See What CD/DVD drives have been tested with Firmware 3.3.x? (15134-566).
- Note that a session disconnect may occur occasionally on disc eject/insert
We can expect all zero client vendors to release their validated builds of this firmware version soon.
Firewall settings for a VMware View environment
When you have to configure your firewall policies for a VMware View environment, it is sometimes a little hard to find a simple overview of all the necessary ports and firewall settings.
To help you with this job, I provide here a comprehensive overview of all important communication flows of such an implementation.
This document is a consolidated aggregation of the information you can find in the following documents:
- VMware View Architecture Planning Guide (View 4.6)
- KB1012382 – TCP and UDP Ports required to access vCenter Server, ESX hosts and other network components
Perimeter Firewall Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Security Server | Optional |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 443 | HTTPS | Communication between View Client and View Security Server. Authentication etc. | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 4172 | PCoIP | PCoIP Connection Establishment | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Both | <SECURITYSERVER> | UDP | 4172 | PCoIP | PCoIP Data Transmission | Mandatory |
DMZ Firewall Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP data traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | Optional, HTTPS preferred |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with the Transfer Server for offline use of desktops | Only with Transfer Server |
| <SECURITYSERVER> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP data transmission | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP connection establishment | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | USB redirection | | Optional |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9427 | MMR | Multimedia redirection, RDP connections only | Optional |
Connection Server Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <ACTIVEDIRECTORYSERVER> | TCP | 389 | LDAP | Active Directory authentication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <ACTIVEDIRECTORYSERVER> | UDP | 389 | LDAP | Active Directory authentication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 4100 | JMSIR | Inter-server communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 389 | LDAP | ADAM | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 636 | LDAPS | AD LDS | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 1515 | Microsoft Endpoint Mapper | | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP data traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP data traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | Optional, HTTPS preferred |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with the Transfer Server for offline use of desktops | Only with Transfer Server |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-server communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP data traffic | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <VCENTERSERVER> | TCP | 18443 | SOAP | View Composer communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <VCENTERSERVER> | TCP | 443 | HTTPS | vCenter communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Both | <VIEWAGENT> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Outbound | <RSASERVER> | UDP | 5500 | RSA SecurID | RSA SecurID authentication | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Connection Server | Optional, HTTPS preferred |
| <INTERNALCLIENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 443 | HTTPS | Communication between View Client and View Connection Server, authentication etc. | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 8009 | AJP13 | AJP data traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
Transfer Server Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | Optional, HTTPS preferred |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with the Transfer Server for offline use of desktops | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Transfer Server | Optional, HTTPS preferred |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 443 | HTTPS | Communication with the Transfer Server for offline use of desktops | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP data traffic | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-server communication | Mandatory |
| <SECURITYSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 4100 | JMSIR | Inter-server communication | Mandatory |
| <CONNECTIONSERVER> | <CLIENTPORT> | Inbound | <TRANSFERSERVER> | TCP | 8009 | AJP13 | AJP data traffic | Mandatory |
| <TRANSFERSERVER> | <CLIENTPORT> | Outbound | <VSPHEREHOST> | TCP | 902 | | Access to the ESX hosts for transferring the virtual desktop disk files | Mandatory |
View Agent Rules
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP data transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP connection establishment | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9427 | MMR | Multimedia redirection, RDP connections only | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | USB redirection | | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 42966 | HP RGS | HP Remote Graphics Software | Optional |
| <VIEWAGENT> | <CLIENTPORT> | Outbound | <CONNECTIONSERVER> | TCP | 4001 | JMS | Java Messaging | Mandatory |
View Client Rules (internal / without using Security Server)
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 3389 | RDP | Remote Desktop Protocol | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Both | <VIEWAGENT> | UDP | 4172 | PCoIP | PCoIP data transmission | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 4172 | PCoIP | PCoIP connection establishment | Mandatory |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 9427 | MMR | Multimedia redirection, RDP connections only | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 32111 | USB redirection | | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <VIEWAGENT> | TCP | 42966 | HP RGS | HP Remote Graphics Software | Optional |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Connection Server | Optional, HTTPS preferred |
| <INTERNALCLIENT> | <CLIENTPORT> | Inbound | <CONNECTIONSERVER> | TCP | 443 | HTTPS | Communication between View Client and View Connection Server, authentication etc. | Mandatory |
View Client Rules (external / using Security Server)
| Source IP | Source Port | Direction | Destination IP | Transport Protocol | Dest. Port | Application Protocol | Comment | Type |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 80 | HTTP | Used if SSL/HTTPS is not used on the Security Server | Optional, HTTPS preferred |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 443 | HTTPS | Communication between View Client and View Security Server, authentication etc. | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Both | <SECURITYSERVER> | UDP | 4172 | PCoIP | PCoIP data transmission | Mandatory |
| <EXTERNALCLIENT> | <CLIENTPORT> | Inbound | <SECURITYSERVER> | TCP | 4172 | PCoIP | PCoIP connection establishment | Mandatory |
HTTP and HTTPS traffic can be proxied on the application layer.
Every other protocol should only be passed through a transparent TCP/UDP proxy, not an application-level one.
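As an added example (not part of the original post), the script below turns the inbound rows of the tables above into Windows Firewall rules with netsh advfirewall, role by role, and afterwards lists every TCP port the host is actually listening on that has no rule in the table. The address values and the rule naming are assumptions for illustration; the port numbers and peers come from the tables. Everything is previewed first; the apply line is commented out and needs an elevated prompt.

```powershell
# Added example, not from the original post. Addresses are placeholders (RFC 5737
# documentation range and an assumed internal address); replace them with your own.
$securityServer = '192.0.2.10'
$connectionSrv  = '10.0.0.20'

# Role -> inbound rows from the tables: protocol, local port, allowed remote addresses.
# 'any' only for the client-facing ports; server-to-server ports are pinned to the peer.
$roles = @{
    SecurityServer = @(
        @{ Proto = 'TCP'; Port = 443;   Remote = 'any';           Note = 'HTTPS from external clients' }
        @{ Proto = 'TCP'; Port = 4172;  Remote = 'any';           Note = 'PCoIP connection establishment' }
        @{ Proto = 'UDP'; Port = 4172;  Remote = 'any';           Note = 'PCoIP data transmission' }
    )
    ConnectionServer = @(
        @{ Proto = 'TCP'; Port = 443;   Remote = 'any';           Note = 'HTTPS from internal clients' }
        @{ Proto = 'TCP'; Port = 8009;  Remote = $securityServer; Note = 'AJP13 from Security Server' }
        @{ Proto = 'TCP'; Port = 4001;  Remote = $securityServer; Note = 'JMS from Security Server' }
        @{ Proto = 'TCP'; Port = 4001;  Remote = 'any';           Note = 'JMS from View Agents' }
    )
    ViewAgent = @(
        @{ Proto = 'TCP'; Port = 4172;  Remote = 'any';           Note = 'PCoIP from clients and Security Server' }
        @{ Proto = 'UDP'; Port = 4172;  Remote = 'any';           Note = 'PCoIP data transmission' }
        @{ Proto = 'TCP'; Port = 32111; Remote = 'any';           Note = 'USB redirection' }
    )
}
# Port 80 rows are optional in the tables and deliberately left out: serve HTTPS only.

function Add-ViewFirewallRule {
    param([string]$Role, [hashtable]$Rule, [switch]$Preview)
    $name = "View $Role $($Rule.Proto)/$($Rule.Port) - $($Rule.Note)"
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$name", 'dir=in', 'action=allow',
                   "protocol=$($Rule.Proto)", "localport=$($Rule.Port)", "remoteip=$($Rule.Remote)")
    if ($Preview) { "netsh $($netshArgs -join ' ')"; return }
    & netsh @netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule '$name'" }
}

function Get-UnexpectedListener {
    # Every TCP port in LISTENING state that the role's rule set does not cover.
    param([int[]]$AllowedPorts)
    netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
        # netstat columns: Proto, Local Address, Foreign Address, State, PID; keep the local port
        [int](($_.Line.Trim() -split '\s+')[1] -replace '^.*:', '')
    } | Sort-Object -Unique | Where-Object { $AllowedPorts -notcontains $_ }
}

$role = 'SecurityServer'   # set to the role of the host you are working on
foreach ($r in $roles[$role]) { Add-ViewFirewallRule -Role $role -Rule $r -Preview }
# foreach ($r in $roles[$role]) { Add-ViewFirewallRule -Role $role -Rule $r }   # apply (elevated)

$tcpPorts = $roles[$role] | Where-Object { $_.Proto -eq 'TCP' } | ForEach-Object { $_.Port }
$extra = Get-UnexpectedListener -AllowedPorts $tcpPorts
if ($extra) { Write-Warning "TCP listeners without a rule in the table: $($extra -join ', ')" }
```

On a Security Server in the DMZ the listener check typically flags Windows' own ports (135, 445, 3389); that list is exactly what the perimeter firewall must not forward, and what the host firewall should deny from anything but the management network.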
VCA4-DT registration is open
Thanks to Scott Vessey (on Twitter @vmtraining) who spotted that the VMware VCA4-DT exam is now open for registration at the VUE Pearson website. You can register for the exam via this link: http://www.pearsonvue.com/vmware/schedule.
Via: VMTraining
VCA-DT 4 passed!
Yesterday night I got the confirmation from VMware's certification department that I've passed the VCA-DT desktop exam. By next week I should get my score, and I'm really looking forward to it. The VMware Certified Associate 4 (VCA4-DT) is the first certification specifically for VMware's end user computing products. The exam is designed for desktop administrators who want to show their ability to manage, monitor and troubleshoot desktop environments and the VMware View components.
VMware recommends the following courses for preparation, but they are not a requirement for the exam:
- VMware View 4.5 Fundamentals (web-based course)
- VMware View™: Install, Configure, Manage (VIEW)
If you want to learn more about the VCA4-DT exam, please follow this link and check the blueprint for the exam here.
No session information shown in View Administrator
If you're running a VMware View proof of concept you might run into an issue which I've seen very rarely in the last few years. After a successful installation of all components you connect to a virtual desktop for the first time and everything seems fine. You log the user off and log in again to your dedicated desktop from an automated pool. But then you notice that you get a new desktop every time you log on to View Manager. Strange, you might think, because you've configured a dedicated desktop for the user. Next you log in to View Administrator and check the configuration. It seems fine, but then you discover that you can't see the session information for a user who is currently connected to a virtual desktop. I hadn't seen this issue for a long time, but today my colleague Kim from the Global Desktop team came to me with it again. I thought it might be worth sharing, so read on if you're interested.
As I said, the session information for active sessions to the virtual desktops is not shown in the Sessions tab, and this has the same root cause as the dedicated desktop issue described above.

The reason is a process which is needed on the virtual desktop but is not running. As you may know, there is a software component called the View Agent which must run on the virtual desktop in order to connect to it via View Manager/View Client. The View Agent handles many tasks on the virtual desktop, e.g. it starts the PCoIP server, controls the USB redirection and sends information about the current status and user to the broker component. And here is the root cause: the user/session information is managed by a process called wssm.exe which runs in the user's context. It is started at every user logon through the registry value called Userinit.
When everything is OK, you'll see the wssm.exe process in the Task Manager on your Windows box. If not, check the Windows registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.
Is wssm.exe listed there? If not, this is your problem. But don't worry if it is there and it's still not working: in that case check that each entry is separated from the next by a comma. This issue may occur if you use software on the virtual desktop which modifies the Userinit value. Sysprep, for example, could do that.
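The following PowerShell function is an added example, not part of the original post, that performs the two checks above on a View desktop: it reads the Userinit value, verifies that wssm.exe is one of the comma-separated entries, flags an entry that contains two executables (the missing-comma case), and reports whether wssm.exe is actually running. The wssm.exe path used in the constructed sample value is the usual View Agent location and is an assumption; verify it on your master image.

```powershell
# Added example, not from the original post. Reads the live Userinit value by default;
# pass -Userinit to check a value copied from another image.
function Test-ViewUserinit {
    param(
        [string]$Userinit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Userinit
    )
    # Entries are comma separated; strip surrounding quotes and the empty element after the trailing comma.
    $entries  = @($Userinit -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    $problems = @()

    if (-not ($entries | Where-Object { $_ -match 'wssm\.exe$' })) {
        $problems += 'wssm.exe is not listed in Userinit; the View Agent cannot report the session'
    }
    foreach ($e in $entries) {
        # Two executables in one entry means the comma between them is missing; Winlogon
        # then treats the whole string as one command line.
        if ([regex]::Matches($e, '\.exe', 'IgnoreCase').Count -gt 1) {
            $problems += "entry '$e' contains more than one executable; a comma is missing"
        }
        if ([System.IO.Path]::IsPathRooted($e) -and -not (Test-Path -LiteralPath $e)) {
            $problems += "entry '$e' points to a file that does not exist"
        }
    }
    New-Object PSObject -Property @{
        Userinit    = $Userinit
        Entries     = $entries
        Problems    = $problems
        WssmRunning = [bool](Get-Process -Name wssm -ErrorAction SilentlyContinue)
        Healthy     = ($problems.Count -eq 0)
    }
}

# Live check on the virtual desktop:
Test-ViewUserinit | Format-List Healthy, WssmRunning, Problems, Entries

# Constructed value reproducing the missing-comma fault (not taken from a real image):
$broken = 'C:\Windows\system32\userinit.exe "C:\Program Files\VMware\VMware View\Agent\bin\wssm.exe",'
(Test-ViewUserinit -Userinit $broken).Problems
```

Run it in the user's session rather than an elevated console of another account when you want WssmRunning to reflect that user's logon; the registry part does not need elevation.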


