The end of Tera1 zero client support in VMware Horizon View 6

The Tera1 zero clients have reached their limits, both in the new features that can be added and in their ability to support new features of Horizon View such as RDSH. Teradici supports the following combinations:

Processor | Firmware | Horizon View version support | VMware certified
Tera2 | 4.8.0 | 6.1 | Yes
Tera2 | 4.7.1 | 6.0 | Yes
Tera1 | 4.7.1 | 6.0.1 | No (*2)

(*2) Tera1 zero clients are certified on VMware Horizon View 5.3 and earlier. Horizon View 6.x is not supported by VMware. If you require VMware support, use VMware Horizon View 5.3 or earlier, or upgrade to Tera2 zero clients.

Teradici provides technical support on PCoIP Firmware (FW 4.7.1 and earlier) for Tera1 zero clients with VMware Horizon View 6.0.1 and earlier. Here is an overview of the Teradici End-of-Life (EOL) notifications:

Milestone | Definition | Date
End-of-Life (EOL) Notification | Notification of EOL provided through Teradici’s Technical Support portal. Tera1 firmware releases will not include development for new platform version support or features. Firmware updates will only be provided to address issues deemed critical by Teradici for Tera1 against supported platform. | April 21, 2015
End-of-Support | No additional firmware updates or maintenance releases for Tera1 products after this date. | April 30, 2016
End-of-Technical Guidance | The last day in which Teradici Technical Support can answer questions, assist in finding workarounds or provide development guidance. | December 31, 2016

At the time of writing, the latest release of VMware Horizon View is version 6.1. Neither VMware nor Teradici supports the Tera1 zero clients in this release.

So what options do you have?

If you have Tera1 zero clients, the following options are available:

  • Use VMware Horizon View 5.3 or earlier. This option is fully supported by Teradici and VMware.
  • Upgrade to Horizon View 6.0.1. This option is only supported by Teradici.
  • Use Tera1 zero clients with Horizon View version 6.1. Don’t use any new features that are introduced in VMware Horizon View 6 and later. Be sure to test, test and test this option, because it isn’t supported by VMware or Teradici!
  • Buy new Tera2 zero clients. 10ZiG, for example, offers a buy-back program for any Tera1 zero client when upgrading to Tera2 hardware. It does not matter which brand the Tera1 zero client is. This can reduce the hardware upgrade costs! Tera2 zero clients add support for the latest version of Horizon View and improve performance. To learn more about the 10ZiG Tera1 buy-back offer, use the following link.

I created a Horizon 6 matrix with the new and features that aren’t supported anymore. The matrix can be found here, link.

VMware tools update fails on ESXi 6 hosts with Dutch Operating System VMs

After upgrading all the hosts in the lab environment to VMware ESXi 6, I tried to upgrade the VMware tools version of a Dutch Windows 7 golden VM used by VMware Horizon View. The VMware tools upgrade fails with the following message:

VMware Tools Setup Wizard ended prematurely

This is a known bug in VMware ESXi 6.0 with Dutch Operating System VMs (see KB, link).

The following workaround can be used:

  • Create a local group named “everyone”
  • Add the user used for installing VMware tools to the “everyone” group
  • Run the VMware tools upgrade
  • Remove the “everyone” group

 

VMware Horizon Q2 2015 announcements

VMware announced last week what’s new with Horizon 6 (Q2 2015) as well as some brand new offerings that will help you to deliver and manage apps and end users across physical, virtual and cloud-hosted environments. Here are the announcements:

  • User Experience improvements
  • Linux Desktops support (GA in Q2)
  • User Environment Manager (UEM) (GA in Q2)
  • VMware Workspace Environment Management (WEM)
  • Free SysTrack Desktop Assessment tool

User Experience Improvements

Some new improvements for the upcoming Horizon 6 version are:

  • USB Mass storage support for RDS and Hosted Apps
  • Client drive redirection support. For example, make a C: drive available in an RDS desktop.
  • VMware Horizon Client for Chrome Access (Chromebook) with support for Horizon Hosted Apps. Apply for the early access program here, link.

Linux Desktop Support

Linux support for VDI desktops will be available in Q2 2015. Ubuntu, Red Hat Enterprise Linux and CentOS VDI desktops are supported for 3D and Linux office applications. A nice thing about Linux VDI desktop support is that Microsoft desktop licensing is eliminated.

User Environment Manager (UEM)

VMware acquired Immidio in February 2015. Immidio is now called User Environment Manager (UEM). UEM offers personalization and dynamic policy configuration across any virtual, physical and cloud-based environment. UEM has no new features; only VMware branding is included in this release. UEM will be sold separately as a standalone product, included in the Horizon View Enterprise license and available in the VMware Horizon Application Management Bundle.

VMware has released a whitepaper titled VMware User Environment Manager Deployed in 60 Minutes or Less. UEM is simple and straightforward to deploy and get up and running, as there is no extra infrastructure needed to configure. The whitepaper can be found here, link.

VMware Workspace Environment Management (WEM)

VMware Workspace Environment Management (WEM) is a bundle of products. This bundle is called the VMware Horizon Application Management Bundle. The following products are included in the bundle:

  • VMware User Environment Manager (UEM)
  • VMware vRealize for Published Applications (End-to-End Monitoring). In Q2 XenApp support will be added.
  • VMware App Volumes (Real-Time application delivery)
  • VMware ThinApp (Application Virtualization)
  • VMware Workspace Portal (central portal for your applications)

The VMware Horizon Application Management Bundle is sold as a standalone product and is available to Citrix customers, for example.

SysTrack Desktop Assessment

SysTrack Desktop Assessment (Lakeside Software) is a free assessment tool. For customers considering the purchase of VMware Horizon 6 or VMware Horizon Air, SysTrack Desktop Assessment provides quick and easy insight into end-user computing infrastructure, applications and desktops. This free service provides you with everything you need to gain visibility into your end-user environment, understand the best deployment options for Horizon and assess your costs. More information can be found here, link.

Tested SMS PASSCODE multi-factor authentication with VMware Horizon View

SMS PASSCODE offers a Multi-Factor Authentication (MFA) solution that adds an extra security layer for a broad range of authentication clients such as:

  • Citrix Web Interface Protection
  • RADIUS Protection
  • Cloud Application Protection
  • IIS Web Site Protection
  • ISA/TMG Web Site Protection
  • Windows Logon Protection
  • Secure Device Provisioning (for ActiveSync devices)

In this review we test how to integrate SMS PASSCODE with the latest version of VMware Horizon View using RADIUS authentication.

What is SMS PASSCODE

Unlike traditional hardware-token based solutions, SMS PASSCODE works without distribution of any hardware tokens. As a result, the logistic overhead involved is minimal and roll-out is much faster. No software installation is needed on the mobile phone. The cell phone number is simply extracted from AD.

SMS PASSCODE sends a One-Time-Passcode (OTP) to the user's mobile phone. SMS PASSCODE looks at multiple factors such as time, geo-location, and type of login system being accessed.

SMS PASSCODE offers a Multi-Factor Authentication (MFA) solution that adds an extra security layer to the VMware Horizon View environment. VMware Horizon View has support for RADIUS authentication.

LAB environment

In the lab environment the following components are installed:

  1. Horizon View Clients (PCoIP, RDP and HTML)
  2. Horizon View Security Server
  3. Horizon View Connection Server external
  4. Horizon View Connection Server internal
  5. Microsoft SQL Server
  6. Horizon View Composer
  7. vCenter Server
  8. Active Directory Domain Controller
  9. SMS PASSCODE version with Network Policy Server (NPS) role installed

For the external connection to the VMware Horizon View environment, Multi-Factor Authentication (MFA) is configured by using SMS PASSCODE. The internal Horizon View users don’t use SMS PASSCODE to connect.

The following software versions are used:

  • Windows Server 2012 R2 Active Directory (AD)
  • Windows Server 2008 R2 for the SMS PASSCODE and NPS software role
  • VMware vSphere 6
  • VMware Horizon View 6.1
  • SMS PASSCODE 7.2

Instead of using a GSM modem, a Web Service SMS dispatching service is used for sending messages. A GSM modem is highly preferred in a production environment.

Installation and configuration Management

Installation of SMS PASSCODE

SMS PASSCODE is installed on a Microsoft 32- or 64-bit Windows Operating System. The core components of SMS PASSCODE are:

  • Database Service. The database stores the SMS PASSCODE configuration and user data.
  • Transmitter service. This service is responsible for dispatching messages and validation of SMS PASSCODE logons. It handles load balancing and failover between all GSM modems.
  • Load Balancing service. Service responsible for load balancing and failover.
  • Web Administration Interface. Web site for maintaining user and configuration data.

These core components can be distributed over one or more servers to provide redundancy and load distribution for enterprise 24×7 uptime demands. In the lab setup all the core components are installed on a single server.

During the installation, RADIUS Protection is selected as the Authentication Client.

Network Policy Server (NPS)

On the SMS PASSCODE server the Network Policy Server (NPS) role is installed for RADIUS authentication.

Configuration

Web Administration Interface (WAI)

The Web Administration Interface (WAI) is available from the web browser on port 2000. SMS PASSCODE is configured from the WAI.

From the WAI we need to do the following main steps:

  1. Configure AD integration and the messaging infrastructure used in the General settings
  2. Configure the User Integration Policy (UIP)
  3. Configure User Group Policies
  4. Configure transmission infrastructure for creating a dispatching entity

Step 1. General Settings

In the general settings tab AD integration in single sync mode is enabled. With single sync mode users are imported from a single user group.

In the globalization options the messaging infrastructure to use is selected. The following messaging infrastructures can be used in SMS PASSCODE:

  • SMS OTP
  • E-mail OTP
  • Voice call OTP
  • Web service SMS OTP
  • Token OTP
  • Personal passcode OTP

The SMS OTP is the most secure option to use and highly preferable. In our lab environment we use Web service SMS OTP as messaging infrastructure. A 3rd party web service is used for SMS dispatching.

Step 2. User Integration Policy (UIP)

User Integration Policies are used to configure how users in the SMS PASSCODE database are synchronized with users from one or more Active Directory stores.

When enabling AD integration, users are synced when belonging to a specified group or attribute. For example the mobile attribute is used to retrieve AD users. Only users with the phone number filled in are synced to SMS PASSCODE.

Step 3. User Group Policies (UGP)

User Group Policies (UGP) are used for managing users. Every user is assigned to a UGP and automatically inherits the settings specified by this policy. For example, the administrator could change the type of passcode dispatching, SMS type (Flash/normal) or Self Service Site permissions in the UGP. User settings are managed on a group basis through the UGP, or on an individual basis by overriding the UGP.

We changed the default UGP for the dispatch type to “Send passcodes by web services SMS”.

Step 4. Transmission infrastructure for creating a dispatching entity

In our lab environment we don’t have a GSM modem for sending SMS messages, so we configured and used a Web Service Dispatcher service for sending SMS messages.

After these four main configuration steps we can test whether the SMS message is sent to the user's mobile phone by selecting the test button and choosing the Web Service Dispatcher option. A test SMS message is sent to the user's mobile phone. If the SMS message arrives on the mobile phone, the configuration is ready for the next step.

When the four main steps are performed it is possible to perform some optional additional steps such as:

  • Adjust the passcode policy to reflect the organization's policy. For example, adjust the minimal passcode length, composition of the passcode, lifetime and message composition for the SMS message that is sent to the mobile phone.
  • Create Authentication policies and lockout period settings.
  • Enable Geo IP and IP history lookup to identify where in the world your users are logging in.
  • Configure date and time restrictions.
  • Configure the Self Service Web Site. The Self Service Web Site is for maintaining the users' account settings and password resets.

Network Policy Server (NPS)

On the Network Policy Server a RADIUS Client profile is created. The RADIUS profile points to the VMware Horizon View Connection Server (3) that is configured for the external users. In this Client profile we enter the following information:

  • Friendly Name.
  • DNS or IP address of the Connection server.
  • A manually assigned shared secret that will be used for the RADIUS connection between the NPS and the Connection Server.

VMware Horizon View external Connection Server configuration

On the Horizon View Connection Server (3) for the external access we configure 2-factor authentication for Remote Authentication Dial-In User Service (RADIUS). On the VMware Horizon View Connection Server we create a RADIUS profile using the following settings:

In the primary Authentication Hostname/Address field, the IP address of the NPS server is entered. NPS is installed on the SMS PASSCODE server. The shared secret is the same one that is used in the NPS Client configuration.

Connecting to the VMware Horizon View environment

External users connect to the VMware Horizon View environment by using the VMware View Client and HTML Access.

VMware Horizon View Client

When connecting externally to the VMware Horizon View environment by using the Horizon View Client, a login box appears in the Horizon View Client.

After entering the AD user name and password credentials, a One-Time-Passcode (OTP) is sent to the user's mobile phone.

After entering the OTP in the Next Code: field, you’re authenticated to the VMware Horizon View environment and you see your pool entitlements.

HTML access

Another option is to connect to the VMware Horizon View environment by using HTML access. This option does not require any software on the client other than a supported browser such as IE, Chrome or Firefox. HTML access uses the Blast protocol instead of the PCoIP protocol. The login steps are the same as for the Horizon View client.

Conclusion

SMS PASSCODE is a multifactor solution that adds an extra security layer to the VMware Horizon View environment. SMS PASSCODE has the following pros:

  • Stable and flexible product. We tested SMS PASSCODE for several months and it is a very stable product. We experienced no crashes or strange things during our tests.
  • Simple installation, configuration and maintenance.
  • Can be used in environments from Small and Midsize Business (SMB) up to large Enterprise (24×7) (scalable).
  • No extra software is needed on the user's mobile phone.
  • No hardware tokens are needed.
  • Because RADIUS authentication is used, it works with new versions of VMware Horizon View out of the box.

For SMS PASSCODE a Windows Operating System is needed. It would be great if in the future an appliance version could be used without the need for a Windows Operating System.

When working with external users that connect to your VMware Horizon View environment, an extra security layer is needed besides the standard username and password.

SMS PASSCODE offers that extra layer of security by using 2-factor or Multi-Factor Authentication.

More information

Want to try SMS PASSCODE live or request a free 30 day trial? Click the link. vExperts can obtain an NFR license by sending an email to support@smspasscode.com. Provide some documentation that proves you are a vExpert.

First impressions of Cisco UCS Central 1.3

Cisco released version 1.3(1a) of UCS Central. Cisco UCS Central integrates management of one or more UCS domains in a single management solution. This release has the following new enhancements:

  • HTML5 UI: New task based HTML5 user interface.
  • KVM Hypervisor Support: Ability to install Cisco UCS Central in KVM Hypervisor
  • Scheduled backup: Ability to schedule domain backup time. Provides you flexibility to schedule different backup times for different domain groups.
  • Domain specific ID pools: The domain specific ID pools are now available to global service profiles.
  • NFS shared storage: Support for NFS instead of RDM for the shared storage is required for Cisco UCS Central cluster installation for high availability.
  • The ability to manually push global VLANs and VSANs to UCS Manager without having to deploy a Global Service Profile to improve the centralized VLAN and VSAN management.
  • Support for Cisco M-Series Servers.
  • Connecting to SQL server that uses dynamic port.
  • Support for SQL 2014 database and Oracle 12c Database.

Upgrading

For upgrading Cisco UCS Central, use the ISO image. You can upgrade Cisco UCS Central to release 1.3(1a) from any of the following two releases:

  • From 1.1(2a) to 1.3(1a)
  • From 1.2(x) to 1.3(1a)

The upgrade process is simple: attach the ISO, reboot the Cisco UCS Central Virtual Machine and select the upgrade option.

After a couple of minutes the upgrade is finished and the appliance can be rebooted.

User Interfaces (UI)

The legacy interface can still be used by using an HTTPS connection to the UCSC appliance.

The new HTML 5 interface can be accessed by using the following URL:

  • https://<ucs central ip>/ui

More information can be found in the following blog post from: UCS Central User Interface Reworked with UCS Central 1.3 release, link.