Delivering Web Applications with Hyper-V hosted RD Session Host VMs and Quest Workspace Desktop Virtualization

Today I finished a large RD Session Host deployment using Quest Workspace Desktop Virtualization.

The deployment consisted of 8 Hyper-V Servers, each hosting 7 RD Session Host VMs.  The 56 VMs serve up seamless RemoteApps for a few web applications.

One of the requirements was to limit users web browsing to the websites that the customer needed published.  There are several ways this could be accomplished, like host files, proxy filtering, web filtering applications and probably some I haven’t thought of.

They way we chose to accomplish this was via Quest Workspace Desktop Virtualization’s URL Redirection feature.  In a nutshell we placed the VMs in an OU and linked a GPO to this OU where the Quest URL Redirection ADMX template was loaded.  In the template we specified which URL strings were allowed on the RD Session Hosts, and any other URLs that hit the hosted IE Browser got redirected back to the client device’s Internet Browser.

The customer did not mention this as a requirement when they purchased Quest Workspace Desktop Virtualization and Quest Defender to secure their applications for use by remote contractors, but it was very easy to implement.  It was nice to be able to meet a customer’s requirements on the fly, without having to scramble to figure out how.  It was simply, we can do that….

Updates to the allowed URLs can be made on the fly via GPO, and updates to the VM configuration or installed applications on the RD Session Hosts can be made to all 56 VMs in about 10 minutes by updating the template VM and reprovisioning the 56 child VMs.  Quest Workspace Desktop Virtualization automatically and instantly replicates the update VM template to all 8 Hyper-V servers, and using our Hyper-V Catalyst Components, the instant the first block of data from the VM template is replicated to each Hyper-V Server, the VMs can be rebuilt.  They will retain their MAC address, IP address, FQDN, Domain Membership, VM configuration (NIC, Memory, CPU, VLAN tags…) and of course any settings from Quest Workspace Desktop Virtualization, like applications being published.

Another thing we did that one cannot do with the in box functionality of Microsoft’s RD Broker is publish different applications on different RD Session Hosts.  This is commonly referred to as “Application Siloing”.  We had to do this because one application had different security requirements than the others.

Other components of the architecture included a set of 2 Quest Web Access and Secure Gateway VMs that were load balanced by F5 Big IP LTMs and front ended by Microsoft ISA server.  ISA Server was not a technical requirement, but the customer’s security team required all access to go thru their ISA servers.

Quest’s brokers not only load balance the RD Session Host connections, but also the placement of the VMs across Hyper-V Servers.

Gearing up for MGX and Briforum

Last year was the first time I missed Briforum since 2006 so I’m pleased to be attending this year.  I’m also going to MGX for the first time and hope to be showing some new goodies on Windows 8 Client Hyper-V.

If you haven’t made plans to attend Briforum yet, don’t miss out on the Conference for REAL Desktop Virtualization GEEKS!  Be sure to visit the Quest Software demo to see demos of Dell Wyse gear and Quest Workspace Desktop Virtualization, as well as Quest Workspace ChangeBASE!

www.briforum.com

The Experts Conference (TEC) in San Diego – April 29-May 2

If you’re in the San Diego area from April 29 to May 2nd don’t miss TEC 2012 Virtualization and Workspace Management Track. Brian Madden is delivering the keynote and the session content is listed here:

http://www.theexpertsconference.com/us/2012/virtualization-cloud/agenda/

Microsoft Education Roadshow in Overland Park, KS

I’m on my way to Kansas City (Overland Park) to speak at a Microsoft Education Roadshow.

https://msevents.microsoft.com/cui/m/EventDetail.aspx?EventID=1032507819&Culture=en-US

Mitigating IE6 Compatibility Issues when migrating to Windows 7

In this video I demonstrate how vWorkspace seamlessly redirects specific (defined by IT via GPO) URLs from the local IE8 or IE9 Browser to IE6.  If a user browses to a the site that does not require IE6, they are redirected back to their local IE browser.

Because IE6 is running in its native operating system (Server 2003 R2 Terminal Server), this is completely legal, in accordance with the Microsoft EULA and supported and endorsed by Microsoft and Quest.

There is no application virtualization going on here, just application presentation.  As you know, RemoteApp didn’t exist on 2003 R2 Terminal Server, so the seamless Windows engine here is Quest vWorkspace.

Using this, customers can continue their Win7 migrations and can deal with remediating their IE6 applications on a separate timeline and/or separate project.

Microsoft & Quest – Desktop Virtualization for Higher-Ed and K-12 Schools

In this presentation Kevin Sullivan (Microsoft) and Patrick Rouse (me – Quest) explain how Microsoft and Quest help Education Customers to access and manage their desktops using Desktop Virtualization.

Mitigating IE6 Application Compatibility in Windows 7 with Quest vWorkspace

In this presentation I explain how Quest and Microsoft have partnered to offer an IE6 Compatibility Bundle (known as Quest vWorkspace IE6 Compatibility Edition) for customers migrating to Windows 7 who need to support IE6 applications.  As you may well know, Windows 7 can’t natively run Internet Explorer 6 (or 7).  Many customers are left without a viable solution on how to migrate to Windows 7, when they have mission critical applications that REQUIRE IE6.

Initially Application Virtualization seems like the answer, but virtualizing Internet Explorer is neither compliant with the Microsoft EULA, nor is it supported (just like running any binaries from one Microsoft OS is not supported if the binaries are executed on a different OS).  So while it may be technically possible to virtualize IE6 with Microsoft App-V, VMware ThinApp, Symantec SVS, Citrix Application Virtualization, none of these are supported and all violate the Microsoft EULA.

The solution detailed in this presentation is SUPPORTED, COMPLIANT and ENDORSED by Microsoft and Quest.  In a nutshell, Quest vWorkspace seamlessly presents IE6 (from 2003 R2 Terminal Server) onto the Windows 7 Desktop (physical or virtual).

This solution for IE6 Delivery to Win7 includes all of the bells and whistles of vWorkspace (when publishing IE6) Enterprise Edition, such as:

• Server and Application Load Balancing
• Seamless Application Presentation
• Desktop & Start Menu Integration
• WAN Acceleration & RDP Compression (via Quest EOP)
• Multimedia Acceleration (Flash)
• Bi-directional audio
• Universal Printing (Client, Network and Remote Relay)
• User Profile Management
• User Environment Configuration
• Single Management Console with Granular Delegated Administration

vWorkspace is the same product that has helped customers like Kingston University to deploy a large scale VDI implementation on Hyper-V and integrates with App-V and SCVMM.

What is Microsoft VDA Licensing?

In this session I describe what Microsoft Virtual Desktop Access (VDA) Licensing is, when it’s required, when it’s not, when one needs RDS CALs, and how SA on the Client Workstation affects things.

Rapid Virtual Desktop Provisioning / Cloning with Microsoft SCVMM, Hyper-V and Quest vWorkspace

Last week I took some time to record two new youtube videos of Quest vWorkspace automating Microsoft SCVMM (System Center Virtual Machine Manager).  Quest vWorkspace is a Connection Broker for VDI, Terminal Server and Physical PCs and has hooks into SCVMM, RD Session Host, App-V and non-Microsoft platforms like VMware vCenter and Parallels Virtuozzo.

Since I work on the Microsoft Partner Alliance at Quest’s Desktop Virtualization Group, I get to spend lots of time working with Hyper-V and SCVMM, so I recorded these videos to show what I could do with my little demo environment (Dell Precision M6500 Core i7 with 16GB RAM, 250GB SATA, 128GB SSD and NVidia Quadro FX 3800M Display Adapter (for RemoteFX)).

In the first video I narrate using Quest vWorkspace to rapidly provision / clone 3 new Windows 7 Virtual Desktops and in the second video I rapidly provision 10 new Windows 7 Virtual Desktops and then reprovision 2 of the Virtual Desktops to show that vWorkspace can automate SCVMM to redeploy VMs from a SCVMM Template while retaining the original VMs Active Directory identity and SCVMM VM Settings.

All of this capability is native to SCVMM, but only accessible via powershell, so Quest Software (the company where I work) automates the whole process for you.

 

Demonstrating SCVMM Cloning/Provisioning without an Internet Connection

If you ever need to demonstrate SCVMM 2008 R2 Provisioning (via Template) or via 3rd Party Product like Quest vWorkspace, the SCVMM Server has to have an Wired Internet Connection (not Wifi/WLAN.  This has bugged me for quite some time as at my home office everything works great, but if I take my Uber-Notebook with me to a conference, provisioning fails unless I have a hard-wired Internet Connection.

The error message in SCVMM is:

Error (2944): VMM is unable to complete the requested operation because the server name [Insert Server Name Here] can not be resolved.

The error message is the same in Quest vWorkspace:

One needs a hard wired Internet Connection because Hyper-V and SCVMM don’t support Wireless Cards. Since I use a DHCP Server on one of my VMs, I really don’t want to be plugged into someone’s network

So after months of mucking around I finally found a workaround.  On my SCVMM Server, if I disable the “Microsoft ISATAP Adapter”, this check for an Internet Connection does not appear to happen and my VM Provisioning works perfectly.

So now I can be connected to the Internet (or not) via WiFi, have my Virtual Network Adapter bound to my Physical NIC and it works perfectly.  The additional bonus is that because my DHCP Server is on a VM that’s bound to the physical adapter, I don’t have to worry about WiFi/WLAN users on the same subnet depleting my DHCP Scope.

This also means I don’t have to carry a pocket router with me to plug my notebook into.  I used to do this so I’d always connect my physical NIC to the same NAT IP Address and protect all of my VMs from getting re-IPed on a different subnet.

So far so good!  Please let me know if you have any questions.  Below are screenshots of what SCVMM and Quest vWorkspace look like when provisioning is working.