Twitter: langonej
Managing 2 VMware View Environments with 1 Console

I’ve been asked more and more lately to provide a strategy on managing a segregated VMware View environment with only one management console.
Most of the time, the customer assumes they need two completely separate VMware View environments, when what they ultimately want can often be accomplished by leveraging the Tag feature of VMware View.
How do Tags work?
A Connection Server can have one or many Tags associated with it. A Desktop Pool can also have one or many Tags associated with it.
Now, when a user logs in to a View Connection Server, they can only access Desktop Pools that have at least 1 matching tag or no tags at all.
Permission Matrix for Tags
| Connection Server tags | Desktop Pool tags | Can connect? |
|---|---|---|
| None | None | Yes |
| None | 1 or more | No |
| 1 or more | None | Yes |
| 1 or more | 1 or more | Only if 1 or more tags match |
The problem is that if you install two VMware View Servers in their own pools (e.g. Standard install), there is no easy way at this time to have a management overlay that is fully functioning (Microsoft System Center is not a solution here).
Here are a few scenarios that have been posed to me lately:
- Scenario 1: Two environments. Environment A is unclassified but trusts Environment B which is classified. The customer wants to restrict people coming in on the unclassified network to hit a Connection Server labeled unclassified (e.g. NIPRNET). Then, those users are only allowed to connect to NIPRNET virtual desktop resources within the virtual infrastructure. Conversely, users connecting on a secured network (e.g. SIPRNET) are only allowed to connect to SIPRNET virtual desktop resources.
Note: You could also allow those connected on a secured network to access both unclassified and secured virtual desktop resources by selecting multiple tags from within the properties of the Desktop Pool.
- Scenario 2: The customer has two separate inbound VPN environments. VPN A is for consultants and visitors. VPN B is for employees. The customer wants to restrict users coming in via VPN A to a desktop without any financial applications. VPN B allows users to access a desktop with the full application environment.
- You can have more than one vCenter linked to a View environment. Therefore, not only could you limit which pools an inbound user can see, but the backend desktop pools (e.g. SIPRNET and NIPRNET) could live on completely separate virtual infrastructures (or separate resource pools or other resource managed by a vCenter instance).
- You could have one Connection Server (or one collection of Connection Servers) be tagged SIPRNET (for example) and require RSA SecurID 2-Factor authentication, while NIPRNET does not require 2-factor.
- Connection Servers can have multiple tags. For example, if you are using tags to separate Students from Faculty, you may have tags such as “Freshman, Sophomores, Junior, Seniors, Alumni” all on one Connection Server, while “Faculty” resides on its own Connection Server.
Great, so how do I even set this stuff up?
I’ve found the easiest way to set this up is to first build your VMware View pool, by starting with a Standard installation. Once that is complete, go into Configuration --> Servers --> View Servers --> Highlight your new server --> Edit --> Tags --> Enter the tag you wish to use (e.g. NIPRNET).
Now, install the second VMware View Connection Server in Replica mode. It will pull the configuration (including the license information) but it will not pull the Tag. Rinse and repeat the steps from above using a second tag (e.g. SIPRNET).

The green arrow indicates which View Connection Server we are currently running the /Admin console from.
Now create two separate desktop pools (you only need to do this on one server since the other is a replica and will pull the configuration).
When you get to the Desktop/Pool Settings tab, enter in the appropriate TAG information.

Create a second pool for the other tag.

Now, when a user connects to the NIPRNET View Connection Server, they will only be presented with the NIPRNET Desktop Pool because that pool is set to screen based on the tag, "NIPRNET."
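Before relying on a tag layout for segregation, it helps to check it against the permission matrix above. The Python below is an added example, not part of the original post or of VMware View: it applies the matrix to a planned layout and reports pools that end up visible from a Connection Server they were not intended for. The server and pool names are constructed, and exact, case-sensitive tag comparison is an assumption.

```python
# Added example: models the tag permission matrix described in this article.
# All server and pool names are constructed sample data.
# Assumption: tags are compared as exact, case-sensitive strings.

def can_connect(server_tags, pool_tags):
    """An untagged pool is reachable from any Connection Server;
    a tagged pool needs at least one tag in common with the server."""
    server_tags, pool_tags = set(server_tags), set(pool_tags)
    if not pool_tags:
        return True
    return bool(server_tags & pool_tags)

def visible_pools(servers, pools):
    """Map each Connection Server name to the sorted pool names it can offer."""
    return {
        name: sorted(p for p, ptags in pools.items() if can_connect(stags, ptags))
        for name, stags in servers.items()
    }

def segregation_gaps(servers, pools, intended):
    """Compare computed visibility with the intended one.
    Returns (server, pool, problem) tuples."""
    gaps = []
    actual = visible_pools(servers, pools)
    for server in servers:
        want = set(intended.get(server, []))
        have = set(actual[server])
        gaps += [(server, p, "exposed") for p in sorted(have - want)]
        gaps += [(server, p, "unreachable") for p in sorted(want - have)]
    return gaps

# Constructed layout for Scenario 1, with one pool left untagged by mistake.
SERVERS = {"cs-niprnet": {"NIPRNET"}, "cs-siprnet": {"SIPRNET"}}
POOLS = {
    "nipr-desktops": {"NIPRNET"},
    "sipr-desktops": {"SIPRNET"},
    "sipr-analyst": set(),  # tag forgotten: visible from every server
}
INTENDED = {
    "cs-niprnet": ["nipr-desktops"],
    "cs-siprnet": ["sipr-desktops", "sipr-analyst"],
}

if __name__ == "__main__":
    for gap in segregation_gaps(SERVERS, POOLS, INTENDED):
        print(gap)
```

The untagged pool is the case to watch: per the matrix, a pool with no tags is offered by every Connection Server, so a pool meant for the secured side must carry its tag.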


Other things to keep in mind here:
