Tested: VDI End User Experience monitoring tools

The success and effectiveness of a VDI environment depend on the End User Experience (UX). When the End User Experience isn’t good, users will complain and the VDI project will fail. So the ability to analyze, report and troubleshoot when a problem occurs is critical in a VDI environment. To get this insight I tested ControlUp v6 and VMware vRealize Operations for Horizon v6.3. Both tools are tested against the following subjects:

  • Architecture
  • Troubleshoot performance problems
  • Reporting
  • End User Experience monitoring
  • Supporting End-Users
  • Licensing

The features of ControlUp and VMware vRealize Operations for Horizon are tested against a VMware Horizon View 7 environment.

Architecture

ControlUp

In the on-premises datacenter reside two components:

  • ControlUp Management Console. This is a .NET Windows application which connects to the vCenter Server/vSphere clusters and VDI desktops.
  • ControlUp Monitor Service. This Windows service is responsible for alerting, reporting and uploading historical data to the Insight database which resides in the ControlUp Cloud.

The ControlUp installation is very simple. On a management server simply execute a single executable (ControlUpConsole.exe). It runs in memory, so there is no installation needed. For alerting and uploading data the ControlUp Monitor Service is needed. Here is an overview of what a ControlUp hybrid (cloud and on-premises) infrastructure looks like:

architecture

The Enterprise Network is displayed on the left. This is the on-premises datacenter where the hypervisors and Horizon environment reside and where the ControlUp Monitor and Console are installed. Only a very minimal infrastructure is needed for deploying ControlUp. All the backend components are hosted in the ControlUp cloud, which is hosted on Amazon Web Services (AWS).

It’s possible to have the backend components installed on-premises with a special version of ControlUp if you have special compliance requirements. With this version everything runs on-premises.

VMware vRealize Operations for Horizon

VMware vRealize Operations for Horizon is a monitoring solution that extends the capability of VMware vRealize Operations Manager to troubleshoot, monitor, and manage the health, capacity, and performance of VMware Horizon View environments. The architecture of vROps looks like this:

architecture

The main components are:

  • VMware vRealize Operations (vROps). vROps can be deployed on Windows, on Linux or as an appliance.
  • VMware vRealize Operations Horizon management pack (PAK). After vROps is installed and configured, add the VMware vRealize Operations Horizon management pack to vROps.
  • vRealize Operations for Horizon broker agent. Install the agent on one Horizon View Connection Server and pair it with the vROps Horizon adapter.
  • vRealize Operations for Horizon Desktop Agent. In the Horizon View Agent enable this feature.

After installing and configuring these main components the gathering of statistics, events and performance data can begin. All the components are installed in the on-premises datacenter. Besides the VMware vRealize Operations Horizon management pack there are other management packs available that can be imported in vROps such as the Virtual SAN and NSX management pack. This improves the end-to-end visibility and monitoring.

User Interface

ControlUp

When executing the ControlUp Management Console the following UI is displayed after adding the central vCenter server.

CU Management Console1

This is a real-time performance dashboard.

On the left the managed hypervisor(s), vCenter(s) and servers and desktops are listed. On the managed Windows desktops a lightweight agent is pushed.

The following dashboards are available:

  • Folders
  • Hosts
  • Computers
  • Sessions
  • Processes
  • Accounts
  • Applications

You can easily search, filter, sort, group by, customize and organize the columns that will be displayed in each dashboard.

vROPS for Horizon

The User Interface (UI) for vROps is accessible from a web browser.

webportal webportal1

After logging in, there are Horizon-specific dashboards available such as:

  • Horizon Overview
  • Horizon Help Desk
  • Horizon Infrastructure
  • Horizon User Sessions
  • Horizon VDI Pools
  • Horizon RDS Pools
  • Horizon Applications
  • Horizon Desktop Usage
  • Horizon User Session details
  • Horizon RDS Host Details
  • Horizon End User Experience

These are the default dashboards, but it is possible to create your own personalized dashboards with the widgets and metrics you need.

Troubleshoot performance problems

To demonstrate performance troubleshooting with both products we use a Windows 10 VDI desktop and run the tool “Heavyload.exe” to generate 100% CPU utilization.

heavy

ControlUp

With the ControlUp Management Console we can troubleshoot performance problems on hosts, computers and sessions in real time and identify the process that is causing the 100% CPU utilization.


vROPS for Horizon

With vROps we filter on “Percent Processor Time%”, select the session and perform a manual “Get Desktop Processes”.

3High CPU 1

The “Get Desktop Processes” task takes between 10 and 30 seconds to generate a list of process information per desktop. In ControlUp the process list is available in real time. Besides high CPU utilization, other performance counters can be examined with both products.

Reporting

ControlUp Insights

ControlUp Insights was introduced with ControlUp v5. ControlUp Insights is a historical reporting and analytics platform in the cloud. In v6 ControlUp Insights is extended with new reports. Each month new reports are added to the portal. The portal is accessible from the following URL:

  • https://insights.controlup.com

After logging in there are three main sections with a couple of sub-sections:

  • User Activity
    • Session Count
    • Session Activity
    • Session Details
    • Session Resources
    • Logon Duration
    • Protocol Latency
  • System Health
    • Computer Trends
    • Computer Statistics
    • Host Trends
    • Top Windows Errors
  • Application Usage
    • App Usage Details
    • Citrix License Usage

Each section has several reports with information about user activity, user experience, resource consumption, application activity, system health and license information. The reports are simple, interactive and good-looking. In addition, where applicable, ControlUp Insights presents global benchmark values for performance and user experience metrics. These metrics are calculated based on anonymized metadata sent to ControlUp Insights from the customers that use this platform.

Here are 4 example reports from Insights:

Computer Trends Host Trends Resource usage Toperrors

The report data can be exported as CSV files.

export

vROPS for Horizon

There are several predefined Horizon reports that can be run or scheduled on a regular basis. These reports provide information about remote desktop and application usage, desktop and application pool configuration details, and license compliance. Here are some examples:


The reports aren’t as fancy and interactive as in ControlUp. The reports can be exported as CSV or PDF files.

End User Experience (UX) monitoring

Besides performance metrics, User Experience (UX) metrics are very important in a VDI and SBC environment.

ControlUp UX metrics

  • PCoIP Session bandwidth usage and latency.
  • Desktop Load Time.
  • Group Policy Load Time.


  • Application Load Time.

appl load time

vROps for Horizon

  • PCoIP and Blast extreme protocol metrics
  • Profile Load Time
  • Shell Load Time

UX

Both products offer UX metrics. Application Load Time is a cool new feature in ControlUp 6 that measures the time it takes for an application to become available to the end user. This is a good indicator of the User Experience.

Supporting End-Users

ControlUp

Besides monitoring and reporting there are other built-in features to support the end users. The following screenshot shows some of these features:


Script-Based Actions (SBA) allow the admin to extend ControlUp functionality. Scripts (either developed internally or by the community and then sanitized by ControlUp before being published) can be written using Batch, VBScript or PowerShell.
These scripts can be executed on one or more target computers. The following SBA, for example, lists the PCoIP bandwidth usage:

sba pcoip

The Application usage report lists the number of concurrent instances and named users for the selected application.


This helps to identify who is using which application(s) and helps with application licensing.

The “top 10 Windows errors” report shows the most frequently occurring errors on all managed computers. If the error is known, it has a link with a possible solution and how to fix it.


All the errors are benchmarked against other organizations.

vROps for Horizon

vROps focuses primarily on monitoring and reporting, so it has no other end-user support features like those in ControlUp. Other unique features are:

  • Horizon VDI and application pool indicator metrics
  • Besides PCoIP, Blast Extreme protocol metrics are available in vROps for Horizon 6.3
  • Management Packs. There are a lot of management packs (VMware and third party) available, such as Virtual SAN and NSX. These improve the end-to-end visibility and monitoring with their own metrics.

Licensing

ControlUp

ControlUp is available as Pro, Enterprise, or Platinum edition. The main differences between these versions are in:

  • Insights retention data (1 Day for Pro, 1 Month for Enterprise, 1 Year for Platinum)
  • Multi Tenancy Support (Enterprise and above)
  • Multi AD support (Enterprise and above)

vROPS for Horizon

vROps for Horizon is licensed as:

  • A standalone product
  • Included in the Horizon Enterprise license

Conclusion

In this blogpost I tried to give an impression of both products. ControlUp and VMware vRealize Operations for Horizon are both great products for monitoring and reporting on your Horizon environment. Each product has several pros over the other, such as:

ControlUp:

  • Less infrastructure is needed than for vROps for Horizon.
  • Simplicity of the product with an easy learning curve.
  • Great tool for real-time troubleshooting. Process information is available in real time.
  • Pre-defined interactive reports available for troubleshooting and management information.
  • Offers other functions such as: killing services, Script Based Actions, chatting, managing the file system and registry, application usage, top Windows events etc.

VMware vRealize Operations for Horizon:

  • Besides the VMware vRealize Operations Horizon management pack, there are other management packs (VMware and third party) available that can be imported in vROps such as the Virtual SAN and NSX management pack. Such components become more and more common in a VMware Horizon environment. Adding these management packs improves the end-to-end visibility and monitoring.
  • Ability to create personalized dashboards.
  • vSphere and Horizon Infrastructure related counters such as VDI and Horizon applications pool information.

Which product do I need for a Horizon environment? This depends on your requirements, use case and what licenses you already have. For example, when you have a Horizon Enterprise license, vROps for Horizon is included. Even when you have a vROps environment, ControlUp adds great value and complements vROps with its unique features such as the interactive ControlUp Insights reports.

Tested: VMware snapshot management with Snapwatcher

To monitor and manage VMware Virtual Machine snapshots, Opvizor has released a tool called Snapwatcher. As a consultant I often see that admins don’t have an overview of all the snapshots that exist in their environment. The main concerns with Virtual Machine snapshots are:

  • Snapshots are created and then forgotten instead of removed
  • Snapshots can very quickly grow in size
  • Snapshots filling datastore space
  • Delta files may cause decreased Virtual Machine and host performance

In this review Opvizor Snapwatcher is tested. With the Snapwatcher tool it is possible to centrally monitor and manage snapshots in one or more vCenter Server environments.

Installation

The installation of Snapwatcher is simple. Before installing make sure the requirements are met:

  • Windows Installer 4.5
  • Microsoft .NET Framework 4 (x86 and x64)
  • VMware vCenter 4.1 or higher

Download and install the Snapwatcher application. The installation downloads the latest bits from opvizor.com and installs Snapwatcher.

1_InstallNew Update

Every time Snapwatcher is started it checks for the latest updates, so Snapwatcher is always up to date.

Configuration

The first configuration step is adding one or more vCenter Servers:

add vcenter

After adding the vCenter Server(s), thresholds on warning and error levels can be set, for example:

  • Size and age of the snapshot
  • Size and percentage of the datastore
  • Amount of snapshots for a Virtual Machine

thresholds

Monitor

The dashboard is divided into separate windows. The screenshot below shows the dashboard with all 5 windows:

dashboard

Each window can be resized and re-ordered. The 5 windows display the following information:

1. Overview of the 5 largest snapshots. The amount of snapshots displayed is configurable.

2. Snapshot Disk Waste History (GB). Displays how much disk space is wasted over a period of time.

3. Overview of all the snapshots. All the snapshots are listed with their status. Snapshots can be sorted on VM or snapshot name, description, status, Size (GB) and created Date. Actions can be performed against snapshots such as delete, fix it and exclude.

4. General overview information. Displays information about the number of vCenters, ESXi servers, VMs, VMs with snapshots added, the total snapshots and snapshot size.

general info

5. Work History. Displays information about the deleted snapshots and sizes.

Manage

From the dashboard the following actions can be performed against snapshots:

Buttons

Refresh: Refreshes the dashboard and performs an updated inventory of the snapshots.

Delete: Remove the snapshot from the VM.

delete

Exclude: Snapshots can be excluded from display in the dashboard. This can be handy for template VMs with snapshots or VMware Horizon View Linked Clones.

Fix It: Fix It repairs broken snapshots. These are snapshots that are not managed by the vCenter Server but are still being used by the Virtual Machine. In the vSphere Web/Client this status is shown as “Virtual Machine disks consolidation is needed”. In Snapwatcher the status is invalid.

lx250 01 Snapshot

Licensing

When the trial period (7 days) has expired it is still possible to use Snapwatcher. The following Enterprise Edition features will not work when the trial period is over:

  • Fix broken and inconsistent snapshots with our patent pending technology
  • Ignore certain VM snapshots
  • Track your VMware snapshot history

Conclusion

Opvizor Snapwatcher is a great tool for a VMware admin to centrally monitor and manage all the snapshots that exist in their VMware environment. Want to try Snapwatcher? Use this link.

Tested SMS PASSCODE multi-factor authentication with VMware Horizon View

SMS PASSCODE offers a Multi-Factor Authentication (MFA) solution that adds an extra security layer for a broad range of authentication clients such as:

  • Citrix Web Interface Protection
  • RADIUS Protection
  • Cloud Application Protection
  • IIS Web Site Protection
  • ISA/TMG Web Site Protection
  • Windows Logon Protection
  • Secure Device Provisioning (for ActiveSync devices)

In this review we test how to integrate SMS PASSCODE with the latest version of VMware Horizon View using RADIUS authentication.

What is SMS PASSCODE

Unlike traditional hardware-token based solutions, SMS PASSCODE works without distribution of any hardware tokens. As a result, the logistic overhead involved is minimal and roll-out is much faster. No software installation is needed on the mobile phone. The cell phone number is simply read from AD.

SMS PASSCODE sends a One-Time-Passcode (OTP) to the user's mobile phone. SMS PASSCODE looks at multiple factors such as time, geo-location, and type of login system being accessed.

SMS PASSCODE offers a Multi-Factor Authentication (MFA) solution that adds an extra security layer to the VMware Horizon View environment. VMware Horizon View has support for RADIUS authentication.

LAB environment

In the lab environment the following components are installed:

SMS Passcode

  1. Horizon View Clients (PCoIP, RDP and HTML)
  2. Horizon View Security Server
  3. Horizon View Connection Server external
  4. Horizon View Connection Server internal
  5. Microsoft SQL Server
  6. Horizon View Composer
  7. vCenter Server
  8. Active Directory Domain Controller
  9. SMS PASSCODE version with Network Policy Server (NPS) role installed

For the external connection to the VMware Horizon View environment a Multi-Factor Authentication (MFA) is configured by using SMS PASSCODE. The internal Horizon View users don’t use SMS PASSCODE to connect.

The following software versions are used:

  • Windows Server 2012 R2 Active Directory (AD)
  • Windows Server 2008 R2 for the SMS PASSCODE and NPS software role
  • VMware vSphere 6
  • VMware Horizon View 6.1
  • SMS PASSCODE 7.2

Instead of using a GSM modem, a Web Service SMS dispatching service is used for sending messages. A GSM modem is highly preferred in a production environment.

Installation and configuration Management

Installation of SMS PASSCODE

SMS PASSCODE is installed on a Microsoft 32- or 64-bit Windows Operating System. The core components of SMS PASSCODE are:

  • Database Service. The database stores the SMS PASSCODE configuration and user data.
  • Transmitter service. This service is responsible for dispatching messages and validation of SMS PASSCODE logons. Handles load balancing and failover between all GSM modems.
  • Load Balancing service. Service responsible for load balancing and failover.
  • Web Administration Interface. Web site for maintaining user and configuration data.

These core components can be distributed over one or more servers to provide redundancy and load distribution for enterprise 24×7 uptime demands. In the lab setup all the core components are installed on a single server.

During the installation, RADIUS Protection is selected as the Authentication Client.

Network Policy Server (NPS)

On the SMS PASSCODE server the Network Policy Server (NPS) role is installed for RADIUS authentication.

Configuration

Web Administration Interface (WAI)

The Web Administration Interface (WAI) is available from the web browser on port 2000. From the WAI the configuration of SMS PASSCODE is done.

From the WAI we need to do the following main steps:

  1. Configure AD integration and the messaging infrastructure used in the General settings
  2. Configure the User Integration Policy (UIP)
  3. Configure User Group Policies
  4. Configure transmission infrastructure for creating a dispatching entity

Step 1. General Settings

In the general settings tab AD integration in single sync mode is enabled. With single sync mode users are imported from a single user group.

AD integration

In the globalization options the messaging infrastructure to use is selected. The following messaging infrastructures can be used in SMS PASSCODE:

  • SMS OTP
  • E-mail OTP
  • Voice call OTP
  • Web service SMS OTP
  • Token OTP
  • Personal passcode OTP

The SMS OTP is the most secure option to use and highly preferable. In our lab environment we use Web service SMS OTP as messaging infrastructure. A 3rd party web service is used for SMS dispatching.

general settings - web service

Step 2. User Integration Policy (UIP)

User Integration Policies are used to configure how users in the SMS PASSCODE database are synchronized with users from one or more Active Directory stores.

UIP

When enabling AD integration, users are synced when belonging to a specified group or attribute. For example the mobile attribute is used to retrieve AD users. Only users with the phone number filled in are synced to SMS PASSCODE.

import

Step 3. User Group Policies (UGP)

User Group Policies (UGP) are used for managing users. Every user is assigned to a UGP and automatically inherits the settings specified by this policy. For example, the administrator could change the type of passcode dispatching, SMS type (Flash/normal) or Self Service Site permissions in the UGP. A UGP manages user settings on a group basis; settings can also be managed on an individual basis by overriding the UGP.

We changed the default UGP for the dispatch type to “Send passcodes by web services SMS”.

basic

Step 4. Transmission infrastructure for creating a dispatching entity

In our lab environment we don’t have a GSM modem for sending SMS messages, so we configured and used a Web Service Dispatcher service for sending SMS messages.

step 4 dispatcher

After these four main configuration steps we can test whether the SMS message is sent to the user's mobile phone by selecting the test button and choosing the Web Service Dispatcher option. A test SMS message is sent to the user's mobile phone. If the SMS message arrives on the mobile phone, the configuration is ready for the next step.

sms test

When the four main steps have been performed it is possible to perform some optional additional steps such as:

  • Adjust the passcode policy to reflect the organization's policy. For example, adjust the minimal passcode length, composition of the passcode, lifetime and message composition for the SMS message that is sent to the mobile phone.
  • Create Authentication policies and lockout periods settings
  • Enable Geo IP and IP history lookup to identify where in the world your users are logging-in.
  • Configure date and time restrictions
  • Configure the Self Service Web Site. The Self-service web site is for maintaining the users account settings and Password Resets.

Network Policy Server (NPS)

On the Network Policy Server a RADIUS Client profile is created. The RADIUS profile points to the VMware Horizon View Connection Server (3) that is configured for the external users. In this Client profile we enter the following information:

  • Friendly Name.
  • DNS or IP address of the Connection server.
  • A manually assigned shared secret that will be used for the RADIUS connection between the NPS and Connection Server.

NPS

VMware Horizon View external Connection Server configuration

On the Horizon View Connection Server (3) for the external access we configure 2-factor authentication for Remote Authentication Dial-In User Service (RADIUS). On the VMware Horizon View Connection Server we create a RADIUS profile using the following settings:

Connection Server ViewConnection1

In the primary Authentication Hostname/Address field the IP address of the NPS server is entered. NPS is installed on the SMS PASSCODE server. The shared secret is the same one that was used in the NPS Client configuration.
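What the shared secret entered on both the NPS RADIUS client and the Connection Server does on the wire, as an added example that is not from the original post or from either vendor: it keys the hiding of the User-Password attribute and the Response Authenticator on replies (RFC 2865). The password, passcode, secrets and State value are constructed, and carrying the passcode step as an Access-Challenge is an assumption about this setup.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
ATTR_REPLY_MESSAGE, ATTR_STATE = 18, 24


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2), keyed by the shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    # Pad with NULs to a multiple of 16; an empty password is still one block.
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding. A wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def sign_response(code, ident, request_auth, attrs, secret) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if it was signed with our shared secret."""
    header, digest, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(digest, expected)


def simulate_login(client_secret: bytes, server_secret: bytes) -> str:
    """Constructed two-step login: AD password first, then the SMS passcode."""
    password, otp = b"constructed-AD-password", b"482913"  # sample values
    # Round 1: Connection Server -> NPS, Access-Request carrying the password.
    ra1 = os.urandom(16)
    hidden = hide_password(password, client_secret, ra1)
    if reveal_password(hidden, server_secret, ra1) != password:
        return "Access-Reject: password unreadable (secret mismatch)"
    # NPS -> Connection Server: Access-Challenge asking for the passcode.
    attrs = attr(ATTR_STATE, b"session-1") + attr(ATTR_REPLY_MESSAGE, b"Enter passcode")
    challenge = sign_response(ACCESS_CHALLENGE, 1, ra1, attrs, server_secret)
    if not verify_response(challenge, ra1, client_secret):
        return "challenge dropped: bad Response Authenticator"
    # Round 2: the passcode typed into "Next Code:" travels in User-Password.
    ra2 = os.urandom(16)
    hidden = hide_password(otp, client_secret, ra2)
    if reveal_password(hidden, server_secret, ra2) != otp:
        return "Access-Reject: passcode unreadable"
    accept = sign_response(ACCESS_ACCEPT, 2, ra2, b"", server_secret)
    ok = verify_response(accept, ra2, client_secret)
    return "Access-Accept" if ok else "accept dropped: bad Response Authenticator"


if __name__ == "__main__":
    print(simulate_login(b"same-secret", b"same-secret"))
    print(simulate_login(b"same-secret", b"other-secret"))
```

Both protections are MD5 constructions keyed only by the shared secret, so a long random secret on this hop matters more than the friendly name or address fields.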

Connecting to the VMware Horizon View environment

External users connect to the VMware Horizon View environment by using the VMware View Client and HTML Access.

VMware Horizon View Client

When connecting externally to the VMware Horizon View environment by using the Horizon View Client, the following login box appears in the Horizon View Client:

VIewclient

After entering the AD user name and password credentials, a One-Time-Passcode (OTP) is sent to the user's mobile phone.

Iphone

Enter the OTP in the Next Code: field and you’re authenticated to the VMware Horizon View environment and see your pool entitlements.

Next code

HTML access

Another option is to connect to the VMware Horizon View environment by using HTML access. This option does not require any software on the client other than a supported browser such as IE, Chrome or Firefox. HTML access uses the Blast protocol instead of the PCoIP protocol. The login steps are the same as for the Horizon View client.

 html5 html5-1 html5-3

Conclusion

SMS PASSCODE is a multifactor solution that adds an extra security layer to the VMware Horizon View environment. SMS PASSCODE has the following pros:

  • Stable and flexible product. We tested SMS PASSCODE for several months and it is a very stable product. We experienced no crashes or strange things during our tests.
  • Simple installation, configuration and maintenance
  • Can be used in Small and Midsize Business (SMB) up to large Enterprise (24×7) environments (scalable).
  • No extra software is needed on the user's mobile phone
  • No hardware-tokens are needed
  • Because RADIUS authentication is used, it works with new versions of VMware Horizon View out of the box.

For SMS PASSCODE a Windows Operating System is needed. It would be great if in the future an appliance version can be used without the need of a Windows Operating System.

When working with external users that connect to your VMware Horizon View environment an extra security layer is needed besides the standard username and password.

SMS PASSCODE offers that extra layer of security by using 2-factor or Multi-Factor Authentication.

More information

Want to try SMS PASSCODE live or request a free 30 day trial? Click the link.

vExperts can obtain an NFR license by sending an email to support@smspasscode.com. Provide some documentation that proves you are a vExpert.