<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Force 3</title>
	<atom:link href="http://www.force3.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.force3.com</link>
	<description></description>
	<lastBuildDate>Tue, 21 Feb 2012 17:42:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>What&#8217;s in a name?</title>
		<link>http://www.force3.com/whats-in-a-name/</link>
		<comments>http://www.force3.com/whats-in-a-name/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 17:21:51 +0000</pubDate>
		<dc:creator>AThompson</dc:creator>
				<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Unified Communications]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[Cisco video]]></category>
		<category><![CDATA[collaboration]]></category>
		<category><![CDATA[enterprise video]]></category>
		<category><![CDATA[video]]></category>
		<category><![CDATA[VoIP]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4967</guid>
		<description><![CDATA[By Scott Perry, Solutions Architect &#160; &#160; &#160; With the recent addition of twins to my family, we found one of the greatest challenges during our pregnancy was picking baby &#8230; <a class="more" href="http://www.force3.com/whats-in-a-name/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-thumbnail wp-image-2911" title="Scott Perry" src="http://www.force3.com/wp-content/uploads/2011/11/Scott-Perry-120x150.jpg" alt="" width="120" height="150" />By Scott Perry, Solutions Architect</p>
<p>With the recent addition of twins to my family, we found one of the greatest challenges during our pregnancy was picking baby names. We culled through a number of resources and had many family discussions to try to come up with them. We wanted good, strong, meaningful names that would carry them through the years. I learned a lot throughout this process, including how important it is to make the right selection.</p>
<p>As a 10-year veteran in the area of IP voice, I have heard every name imaginable used to describe this technology. IP telephony, VoIP, Unified Communications, IP PBX, Digital Voice, and the most recent term, <em>Collaboration</em>! Which made me think…why <em>does</em> the name matter? Why <em>does</em> my job title keep changing? <em>Does</em> it really matter what we call it? As I learned while choosing baby names, it does!</p>
<p>I have spent a lot of time and energy changing and reshaping the way enterprise telecom directors think when it comes to this technology. You see, it all started with the term “VoIP,” or Voice over Internet Protocol. I would ask customers what the term VoIP meant to them, and 9 out of 10 people would say that it was the ability to make phone calls over the Public Open Internet. Therein lies the start of the name game, and a big problem to boot! The term “Public Open Internet”…do you really want your business-class voice system to be on the Internet?</p>
<p>Others would answer that VoIP was a way to save money on long distance calls. Companies sold this technology as a way to consolidate monthly communication bills. For example, instead of paying for a data and voice connection, with VoIP, a customer could just pay for a data connection. So the customer saved a little money, except no one but the CFO really noticed because the call still gets to the end users and it <em>still sounds clear</em>, no matter what it’s named.</p>
<p>Well that’s where this post comes in. You see, Collaboration (and therefore VoIP) is more than getting a phone call or a voicemail from someone…it’s about enablement! It’s about taking the way we do business and allowing for the modern-day workforce to do business wherever and however they see fit.</p>
<p>There is more to workforce enablement than just providing a remote data connection to the end-user. Just having a soft phone client and a VPN application running on a laptop is no longer good enough. Employees need to have a suite of Collaboration tools to allow them to have the same in-office experience while outside of the corporate walls. The new era of Bring Your Own Device (BYOD) and teleworking has raised the bar on the standard old way we used to communicate.</p>
<p>Let’s take a moment to talk about business transformation. How does Collaboration allow for true business transformation? What if we had the ability to do everything that we would do from our desk or home office on our mobile device or tablet whenever and wherever it made sense? How would that change the way we work and communicate? What if we didn’t always have to walk down the hall to a conference room to conduct a meeting or travel to Washington, DC in the middle of an ice storm to attend a meeting (True story &#8211; four hours of my life that I’ll never get back!)? What if we could launch a conference call or a video call from any communication device of our choosing?</p>
<p>Enterprise video is just one way to begin to enable the workforce. The complexity around video communication has been removed. No longer do you have to fumble around with a bulky remote control to launch a video call. No longer do you have to sit in a board room watching a bad video conference with little-to-no productivity. Video calls are now as easy as making a phone call. Video is now available at the desktop, the laptop, the tablet and the mobile device. The business transformation that video brings allows for real time end-to-end communication with customers and employees whether they are in the same building or across the globe. It is projected that mobile video usage will double each year over the next five years. Just in my home alone I constantly see my kids making video calls to their friends in different states and different countries.</p>
<p>Video is pervasive. It reaches down to almost every endpoint device available on the market today. Video adoption within organizations is the key to taking advantage of the way video delivers a true end-user experience. So don’t let a name limit the possibilities of what your workforce can do. True collaboration can take your business or agency to the next level.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/whats-in-a-name/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco ISE monitoring capabilities demonstration</title>
		<link>http://www.force3.com/cisco-ise-monitoring-capabilities-demonstration-2/</link>
		<comments>http://www.force3.com/cisco-ise-monitoring-capabilities-demonstration-2/#comments</comments>
		<pubDate>Thu, 01 Dec 2011 17:21:20 +0000</pubDate>
		<dc:creator>AThompson</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4965</guid>
		<description><![CDATA[&#160; &#160; &#160; By Rob Chee, Security Team Lead Watch and listen to Rob Chee, Force 3 Security Team Lead, demonstrate the monitoring functionality of Cisco&#8217;s Identity Services Engine here. &#8230; <a class="more" href="http://www.force3.com/cisco-ise-monitoring-capabilities-demonstration-2/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-thumbnail wp-image-3208" title="Rob Chee 4" src="http://force3.com/wp-content/uploads/2011/12/Rob-Chee-4-150x99.gif" alt="" width="150" height="99" /></p>
<p><strong>By Rob Chee, Security Team Lead</strong></p>
<p>Watch and listen to Rob Chee, Force 3 Security Team Lead, demonstrate the monitoring functionality of Cisco&#8217;s Identity Services Engine <a title="Cisco ISE Monitoring" href="http://www.youtube.com/user/Force3Inc?feature=mhee#p/a/u/0/xWzmhGBG1Vw">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/cisco-ise-monitoring-capabilities-demonstration-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Catch up to your employee’s demands: Go Beyond the Desktop!</title>
		<link>http://www.force3.com/catch-up-to-your-employees-demands-go-beyond-the-desktop/</link>
		<comments>http://www.force3.com/catch-up-to-your-employees-demands-go-beyond-the-desktop/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 17:20:44 +0000</pubDate>
		<dc:creator>AThompson</dc:creator>
				<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4963</guid>
		<description><![CDATA[By Scott Perry, Solutions Architect, Collaboration Take note, workforce. We have entered a new era: The “Post-PC Era”. No longer does the PC tie employees down with its chains. Studies &#8230; <a class="more" href="http://www.force3.com/catch-up-to-your-employees-demands-go-beyond-the-desktop/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-thumbnail wp-image-2292" title="Scott Perry" src="http://force3.com/wp-content/uploads/2011/10/Scott-Perry1-120x150.jpg" alt="" width="120" height="150" /><strong>By Scott Perry, Solutions Architect, Collaboration</strong></p>
<p>Take note, workforce.  We have entered a new era: The “Post-PC Era”.  No longer does the PC tie employees down with its chains.  Studies show that sales of PCs are down 30%&#8230;and it’s not because we’re in a bad economy.  Those same studies are showing that sales of tablets are up 30%. This means that in today’s rapidly changing world, smart phones, tablets, and laptops are beginning to rule the consumer market.  With this new paradigm shift, Corporate and Government organizations are finding it very difficult to securely and reliably support consumer-based devices with traditional strategies.  This is an unprecedented time because never before has there been such a user demand for corporate networks to support consumer-based products.</p>
<p>As a Solutions Architect at Force 3, I am constantly asked the same questions over and over again: “How do we securely support our iPad and smart phone users?!” and, “How do we provide a secure App Store?!” Questions like these have presented major challenges to the way corporate networks deliver IT services today.  How does an IT group secure these devices, allowing them to connect to the corporate network yet be managed and controlled by the employees?  How does an Enterprise Infrastructure deal with the constantly changing world of gadgets?</p>
<p>The first response by IT managers was to not allow these devices on the network so they wouldn’t have to deal with them and business would resume as usual.  <em>Not so fast!</em>  What do you do when your CIO gets a new iPad2 and they want it to have all of the same access that their desktop has?  They are not going to take no for an answer! So now what?</p>
<p>This was a scenario that I experienced at a government customer of mine.  The employees were demanding that the network support these devices, and not just with basic network access; they wanted full-on access to corporate resources.  They wanted the ability to share, communicate, and work seamlessly without sacrificing productivity whether they were in the office or at a local coffee shop.  And what about the new generation of employees entering the workforce?  How do you deliver corporate services to the generation whose main form of communication over the past 5 years has been IM and Text Messaging?  Try giving them a phone as their main form of communications…good luck!  A word to the wise: organizations will continue to have trouble recruiting younger employees because of old and outdated technology.</p>
<p>Organizations need networks that can scale and deliver the performance and security needed to meet these demands.  Users should be able to take full advantage of a complete portfolio of collaboration utilities such as voice, video, presence, instant messaging, and text messaging in a secure and reliable way.  With the next generation of collaboration tools employees no longer have to be tied down to the desk.  They can now conduct their business anytime from anywhere without the sacrifice of productivity and security.  Force 3 realizes these challenges and continues to team with companies like Cisco, VMware, Apple, and Samsung to create solutions that are designed to give organizations a jumpstart by providing a full line up of collaboration tools.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/catch-up-to-your-employees-demands-go-beyond-the-desktop/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Leveraging vPC/VSS with ASA 8.4</title>
		<link>http://www.force3.com/leveraging-vpcvss-with-asa-8-4/</link>
		<comments>http://www.force3.com/leveraging-vpcvss-with-asa-8-4/#comments</comments>
		<pubDate>Thu, 01 Sep 2011 17:20:00 +0000</pubDate>
		<dc:creator>dkelley</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4960</guid>
		<description><![CDATA[By Greg Stemberger, Security Team Lead, CCIE (R/S, Security, Service Provider) Virtualization technologies such as VMware ESX Server and clustering solutions such as Microsoft Cluster Service currently require Layer &#8230; <a class="more" href="http://www.force3.com/leveraging-vpcvss-with-asa-8-4/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.force3.com/?attachment_id=1822" rel="attachment wp-att-1822" class="broken_link"><img class="alignright size-full wp-image-1822" title="Greg Stemberger" src="http://force3.com/wp-content/uploads/2011/09/Greg-Stemberger2.jpg" alt="" width="192" height="240" /></a><strong>By Greg Stemberger, Security Team Lead, CCIE (R/S, Security, Service Provider) </strong></p>
<p>Virtualization technologies such as VMware ESX Server and clustering solutions such as Microsoft Cluster Service currently require Layer 2 Ethernet connectivity to function properly. With the increased use of these types of technologies in data centers and now even across data center locations, organizations are shifting from a highly scalable Layer 3 network model to a highly scalable Layer 2 model. This shift is causing changes in the technologies used to manage large Layer 2 network environments, including migration away from Spanning Tree Protocol as a primary loop management technology toward new technologies such as vPC and IETF TRILL (transparent interconnection of lots of links).</p>
<p>In early Layer 2 Ethernet network environments, it was necessary to develop protocol and control mechanisms that limited the disastrous effects of a topology loop in the network. Spanning Tree Protocol was the primary solution to this problem, providing a loop detection and loop management capability for Layer 2 Ethernet networks. This protocol has gone through a number of enhancements and extensions, and while it scales to very large network environments, it still has one suboptimal principle: to break loops in a network, only one active path is allowed from one device to another, regardless of how many actual connections might exist in the network. Although Spanning Tree Protocol is a robust and scalable solution to redundancy in a Layer 2 network, the single logical link does create two problems. One problem is that half (or more) of the available system bandwidth is off-limits to data traffic, and the other problem is that a failure of the active link tends to cause multiple seconds of system wide data loss while the network reevaluates the new &#8220;best&#8221; solution for network forwarding in the Layer 2 network. Although enhancements to Spanning Tree Protocol reduce the overhead of the rediscovery process and allow a Layer 2 network to reconverge far faster, the delay can still be too great for some networks. In addition, no efficient dynamic mechanism exists for using all the available bandwidth in a robust network with Spanning Tree Protocol loop management.</p>
<p>There has been strong adoption of both vPC and VSS in both Data Center and campus environments, given the interest in removing Spanning Tree from Layer 2 environments. Removing Spanning Tree from Layer 2 networks can have tremendous benefits: it improves scalability by allowing more links to forward traffic concurrently, and it eliminates the risk associated with large-scale Spanning Tree networks. With that being said, neither technology completely removes the need for Spanning Tree like TRILL does, but they achieve similar benefits while providing an effective migration path towards a Spanning Tree-free network. Cisco vPC and VSS are somewhat similar technologies that both enable Multichassis Etherchannel (MEC), which is the ability to have Etherchannel links that extend beyond a single chassis. Cisco, recognizing this value, has extended Etherchannel support to their ASA product line, which dramatically improves the ability for an ASA to be gracefully integrated into a vPC or VSS based implementation. Not having the support can create suboptimal flows and design complexity when pursuing vPC or VSS architectures.</p>
<p>As an example, if you look at the sample design figure below you will see a pair of Nexus 7Ks with vPC enabled so that active/active forwarding can be achieved for the downstream Layer 2 connectivity without Spanning Tree blocking any ports.</p>
<p><a href="http://www.force3.com/?attachment_id=1823" rel="attachment wp-att-1823" class="broken_link"><img class="alignnone size-full wp-image-1823" title="Greg 1" src="http://force3.com/wp-content/uploads/2011/09/Greg-1.jpg" alt="" width="538" height="379" /></a></p>
<p>Earlier ASA software releases didn’t support Port Channels, which forced the ASA to be single-homed to each chassis, with a single firewall being active for a respective context. Additionally, to avoid certain peer-link failure scenarios, it is recommended not to carry non-vPC VLANs on the peer-link, so an additional Port Channel was required just to carry the firewall VLANs in a best-practice implementation. If you are running multiple VDCs, this meant two sets of port channels per VDC, which adds up to a lot of 10G ports. From a packet flow perspective, traffic would load balance via EtherChannel hashing to both 7Ks, only to be forwarded to a single firewall using the cross link. Only the primary firewall that is connected to one of the switches is able to carry traffic. A multi-context firewall implementation does not address this issue since we are referring to traffic at Layer 2 within the same VLAN. As another alternative, redundant interfaces do allow for a dual-homed physical topology but do not really address the issue, since only a single interface is active per interface group.</p>
<p>Fast forward to the release of ASA 8.4 and now EtherChannel support has been added. This feature adds great value because you can now more effectively integrate ASA firewalls into a vPC or VSS environment.</p>
<p><a href="http://www.force3.com/?attachment_id=1824" rel="attachment wp-att-1824" class="broken_link"><img class="alignnone size-full wp-image-1824" title="Greg Stemberger 2" src="http://force3.com/wp-content/uploads/2011/09/Greg-Stemberger-21.jpg" alt="" width="543" height="347" /></a></p>
<p>As depicted above, with 8.4 running on the ASA firewalls you can pursue a dual-homed design with each respective firewall connected to both nodes in your network, allowing for single-hop direct connectivity to the firewalls from either chassis. An active firewall can now receive traffic from both members of a MCEC link in a vPC or VSS enabled design. This allows for a much cleaner and more robust implementation so that the benefits of vPC or VSS can be better utilized when adding firewalls to your design.</p>
<p>As a side note, 8.4 has some other noticeable enhancements worth checking out if you are running ASA firewalls in your network:</p>
<ul>
<li>64-bit Architecture</li>
<li>Stateful routing during failover</li>
<li>Enhanced bridge-group support for transparent firewalling (more BVIs)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/leveraging-vpcvss-with-asa-8-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Introduction to Cisco ISE and its scalability potential</title>
		<link>http://www.force3.com/introduction-to-cisco-ise-and-its-scalability-potential/</link>
		<comments>http://www.force3.com/introduction-to-cisco-ise-and-its-scalability-potential/#comments</comments>
		<pubDate>Wed, 24 Aug 2011 17:19:10 +0000</pubDate>
		<dc:creator>AThompson</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4957</guid>
		<description><![CDATA[By Rob Chee, Team Lead, Security Consulting &#160; &#160; The Cisco Identity Services Engine (ISE) provides a way to ensure that only authorized users gain access to the network and &#8230; <a class="more" href="http://www.force3.com/introduction-to-cisco-ise-and-its-scalability-potential/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.force3.com/?attachment_id=1523" rel="attachment wp-att-1523"><img class="alignleft size-thumbnail wp-image-1523" title="Rob Chee, Security Engineer" src="http://force3.com/wp-content/uploads/2011/08/Rob-Chee-4-150x99.gif" alt="" width="150" height="99" /></a><strong>By Rob Chee, Team Lead, Security Consulting</strong></p>
<p>The Cisco Identity Services Engine (ISE) provides a way to ensure that only authorized users gain access to the network and that these authorized users are using approved computers that meet the company security policy requirements.  ISE is built on the mature capabilities of Cisco ACS for 802.1X authentication and NAC Appliance for posture assessment.  In addition, ISE introduces the integration of profiling and guest services features into the solution.    The end result is a new identity and access solution that is built on mature technologies and provides one consolidated web GUI that allows for intuitive configuration and monitoring of authentication, computer posture, device profiles, and guest services.  It is important to understand that ISE is based on endpoints rather than users.  This is because ISE introduces the capability to profile endpoints based on information gathered from the network.  ISE can use the MAC addresses of the profiled endpoints to automatically allow certain endpoints access to the network. </p>
<p>A perfect example would be the profiling of printers.  ISE can use its profiling capabilities to discover printer MAC addresses and automatically allow discovered printers just the access to the network required to provide printing services.  This allows for both the scalability of automatically allowing printers access to the network and the security of limiting the access.  The same example can be extrapolated to other devices that cannot provide authentication, such as IP phones or UPS devices.</p>
<p>With all of these capabilities, it can easily be assumed that ISE only supports medium to large enterprises.   In actuality, ISE has been built to scale from small environments of less than 100 endpoints to large environments up to 100,000 endpoints.  This is all made possible because ISE has been built on a modular architecture.  It is broken into the services listed below:</p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" width="259"><strong>Service</strong></td>
<td valign="top" width="379"><strong>Description</strong></td>
</tr>
<tr>
<td valign="top" width="259">Policy Administration Point (PAP)</td>
<td valign="top" width="379">User interface for all management activities</td>
</tr>
<tr>
<td valign="top" width="259">Policy Decision Point (PDP)</td>
<td valign="top" width="379">RADIUS, WebAuth, posture, profiling, guest sponsor, guest portal, and client provisioning&nbsp;</td>
</tr>
<tr>
<td valign="top" width="259">Monitoring and Troubleshooting (M&amp;T)</td>
<td valign="top" width="379">Provides for system wide collection of ISE data</td>
</tr>
</tbody>
</table>
<p>These services can be placed on one physical appliance/virtual machine or broken out into many physical appliances/virtual machines.  This is what allows the solution to scale from a small environment to a large environment.  For example, a small office, such as a lawyer or doctor’s office, could be supported using one physical appliance or virtual machine.  In addition, the licensing to support this environment starts at a 100-endpoint license.</p>
<p>For larger environments, each of the services can be split into multiple ISE servers.  For example, the PAP can be placed on a separate server.  Additionally, failover can be provided by adding a second PAP.  Two M&amp;T servers can be added.  Both of the M&amp;T ISE servers receive data for an active/active solution.  The true secret to the scalability of ISE is the flexibility to create multiple PDPs.  The PDPs are the workhorses of the solution that provide the RADIUS server functionality, posture assessment, and profiling.  As the number of supported endpoints grows, additional PDPs can be added to the solution.  These PDPs can be clustered behind a load balancer or distributed throughout the organization depending on the network architecture.</p>
<p>With this scalable architecture, ISE can provide the following services for small environments as well as large environments:</p>
<ul>
<li>Provide secure access to the network for employees</li>
<li>Check the health of computers and remediate missing applications or patches</li>
<li>Provide credentialed internet access for guests</li>
<li>Categorize all network connected endpoints into profiles that can be used to identify devices and granularly allow network access based on the profile category</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/introduction-to-cisco-ise-and-its-scalability-potential/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Repurposing Desktops as PCoIP Zero Clients</title>
		<link>http://www.force3.com/repurposing-desktops-as-pcoip-zero-clients/</link>
		<comments>http://www.force3.com/repurposing-desktops-as-pcoip-zero-clients/#comments</comments>
		<pubDate>Tue, 16 Aug 2011 17:18:22 +0000</pubDate>
		<dc:creator>AThompson</dc:creator>
				<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Virtual Desktop Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4954</guid>
		<description><![CDATA[&#160; By Chris Kostolini, Data Center Engineer With VDI gaining a lot of popularity, a lot of companies may want to “test” this solution before investing their time and money &#8230; <a class="more" href="http://www.force3.com/repurposing-desktops-as-pcoip-zero-clients/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p>&nbsp;</p>
<p><strong>By Chris Kostolini, Data Center Engineer</strong></p>
<p><a href="http://www.force3.com/?attachment_id=1194" rel="attachment wp-att-1194" class="broken_link"><img class="alignleft size-thumbnail wp-image-1194" title="Chris Kostolini" src="http://force3.com/wp-content/uploads/2011/08/Chris-Kostolini-120x150.jpg" alt="" width="120" height="150" /></a>With VDI gaining a lot of popularity, a lot of companies may want to “test” this solution before investing their time and money into a product that may or may not suit their business needs.  In order to help our customers that may be in this situation, we want to save them as much money as possible.  So you may be wondering “how can you implement this solution any cheaper?”  Let’s consider the fact that PCoIP will deliver the most brilliant and vibrant virtualized desktop experience.  Well we have constructed a solution that will still leverage that connection, but will not require you to invest in a handful of zero clients and thin clients for every single user…they can simply just keep the desktop or laptop they currently have at their desks now!</p>
<p>What this solution essentially allows you to do is replace whatever OS is used at the local machine with a 2x operating system which boots from the network.  Now, on top of being more secure, easier to manage, and all the other added benefits of virtualizing desktops, this will allow you to turn any old laptop or desktop PC into a thin client or even a zero client.  2x offers two ways to easily do this:</p>
<p>A.)   You can install the 2x ThinClientOS directly onto your PC/Laptop/Thin Client/Zero client as long as you have a cd burner (to burn the ISO onto), and a cd drive on your client.</p>
<p>B.)    The ThinClientServer allows you to actually propagate a copy of the ThinClientOS down to your client via PXE boot.</p>
<p>There are a few things that you will need before you begin, mainly a working VMware View infrastructure set in place (View Connection Broker, vCenter, view desktop etc, etc…).  You are also going to need a free Windows 2000/2003/2008 server or Windows 2000/XP with 256 MB of RAM with an 800 MHz processor (preferably more) with at least 1 GB of free hard drive space.  This is where you’re going to install your ThinClientServer.</p>
<p>Let’s dive into the dynamics of how our ThinClientServer works with our current infrastructure.  You’re first going to install the ThinClientServer on a Windows server or 2000/XP machine as listed above.  You can obtain the .exe installation file from <a href="http://www.2x.com/downloads" class="broken_link">www.2x.com/downloads</a>.   As you’re running through the installation you’re going to install the ThinClientServer web-based management console, along with a TFTP server (this is where your PXE booting clients are going to pull their ThinClientOS from), as well as a DHCP Helper to assist first time PXE boot clients, and a MySQL database to store the users’ connection settings.  You’ll also need to integrate Active Directory (if you do not wish to use Active Directory, you can also set up a per user account).  The 2x ThinClientServer ties in directly with your Active Directory in order to assign users to certain connection settings.</p>
<p>Note that along with integrating with VMware View, 2x ThinClientServer also contains built-in remote desktop protocols including RDP, VNC, and NoMachine’s NX protocol.</p>
<p>To give you a basic understanding of how your 2x client is utilizing the 2x infrastructure you have just created, there are actually a number of procedures taking place after booting your remote client.  When the machine first boots, it receives an IP address for the TFTP server through DHCP broadcasts.  Once the address is obtained, the client will proceed by downloading the corresponding files from the TFTP server, containing the ThinClient OS.  Once the actual operating system boots, the ThinClientServer’s IP address is obtained via the DHCP Helper Service you enabled earlier on the 2x server.  Once the username and password are entered, the ThinClientServer matches the associated “User Profile” you configured before back with Active Directory, and you are now brought to your VMware View desktop connection.</p>
<p>As you can see, the business case for a 2x solution is strong…it allows you to re-deploy old machinery, which saves on CAPEX, as well as keeping all of that equipment out of our landfills.  Who doesn’t like to do their part for the environment?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/repurposing-desktops-as-pcoip-zero-clients/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VDI at home: building a 10-user environment for $500 (Part 2: VMware View Installation)</title>
		<link>http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-2-vmware-view-installation/</link>
		<comments>http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-2-vmware-view-installation/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 17:14:49 +0000</pubDate>
		<dc:creator>f3_admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[View]]></category>
		<category><![CDATA[VMware]]></category>
		<category><![CDATA[VMware View Installation]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4944</guid>
		<description><![CDATA[&#0160;By Sam Lee, Data Center Team Lead Unlike the ESXi install, VMware View installation was straight forward.&#0160; I spend most of the time updating windows during the installation process. &#0160;Plan &#8230; <a class="more" href="http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-2-vmware-view-installation/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.force3.com/.a/6a0133f1f8b01a970b01538f3694ed970b-pi" style="display: inline;"><img alt="Sam Lee" class="asset  asset-image at-xid-6a0133f1f8b01a970b01538f3694ed970b" src="http://blog.force3.com/.a/6a0133f1f8b01a970b01538f3694ed970b-100wi" style="width: 100px;" title="Sam Lee" /></a>&#0160;<strong>By Sam Lee, Data Center Team Lead</strong></p>
<p><a href="http://blog.force3.com/blog/2011/06/vdi-at-home-building-a-10-user-environment-for-500-part-1-vmwareview.html" target="_blank" title="Unlike the ESXi install">Unlike the ESXi install</a>, VMware View installation was straightforward.  I spent most of the time updating Windows during the installation process.  Plan for at least 3 hours for Windows updates (server and Windows 7).  The rest of the VMware View component installation may take another 2 to 3 hours.</p>
<p>These are key pre-requisites for installing VMware View.</p>
<ul>
<li>ISO for Windows 2008 R2 server and Windows 7 OS</li>
<li>Windows Volume License key for Windows 2008 R2 server and Windows 7</li>
<li>VMware Virtual Center SW</li>
<li>VMware View SW with license key</li>
</ul>
<p>I’m going to use the internal 500G SATA drives for server VM, user data storage, and ISO files, and use the SSD storage for VMware View replica and linked clones.</p>
<ol>
<li>Configure ESXi server
<ol>
<li>Change the swap file location to the 500G SATA datastore.  Placing the swap file on the SATA drive reduces consumption of expensive SSD storage space.  By default, ESXi places the swap file with the VM.</li>
<li>Load the Windows ISOs to the SATA datastore.</li>
</ol>
</li>
<li>Creating base Windows 2008 server image
<ol>
<li>Even though VM provisioning can be simplified with templates, templates require Virtual Center.  Before VC can be installed, a mechanism for VM provisioning should be set up to deploy server VMs such as AD and the VC server itself.  An easy way to provision VMs without VC is OVF packaging.  A Windows 2008 R2 server with the latest patches and applications can be exported to an OVF package for future deployment.</li>
<li>Create a Windows 2008 R2 VM (use VM version 7) with 1G RAM (we don’t have lots of RAM here), a 50G HD (thin provisioned) and a VMXNET3 vNIC.  Install the Windows 2008 R2 server OS, install VMware Tools, and apply all the patches including SP1.  Also install nice-to-have SW such as Adobe Reader, Adobe Flash, PuTTY, Chrome, etc.</li>
<li>After the server VM is ready, set the IP property to DHCP and run sysprep.  In Windows 2008 R2, sysprep is pre-loaded with the OS.  Navigate to the C:\Windows\System32\sysprep directory and run sysprep.exe.</li>
<li>Select “System Out of Box Experience (OOBE)” for System Cleanup Action, check the “Generalize” box, and select “Shutdown” for Shutdown Options.</li>
<li>Disconnect CDROM drives mapped to the ISO datastore by mapping the VM’s CDROM device to “Client Device” in the VM settings.</li>
<li>Highlight the Windows 2008 R2 VM, and choose File-&gt;Export-&gt;Export OVF Template.</li>
<li>Select a directory and choose the “Folder of Files (OVF)” format.</li>
<li>It will take 20 to 30 minutes to export the VM to OVF format.  The export process will create a subdirectory in the output directory and place the compressed VMDK file there.</li>
<li>To deploy a new VM, choose File-&gt;Deploy OVF Template from the vSphere client.</li>
</ol>
</li>
<li>Installing AD, DNS, and DHCP server
<ol>
<li>Before VMware Virtual Center can be installed, Active Directory needs to be available.  An existing AD server can be used or a new AD can be deployed.</li>
<li>Set up a new AD by deploying the pre-created Windows 2008 R2 OVF template (File-&gt;Deploy OVF Template).  The deployment of the new VM will take about 10 minutes.</li>
<li>Set a static IP on the AD VM.  Install DNS (without configuring), and install the AD and DHCP server roles.</li>
<li>If folder redirection is desired, create an OU for VDI users and apply a folder redirection GPO for My Documents and Desktop.</li>
<li>Add the ESXi, VC, and VMware View Connection server addresses to DNS.  Configure the ESXi server with the proper DNS, gateway, and NTP server.  0.pool.ntp.org can be used as an external NTP server.</li>
</ol>
</li>
<li>Installing Virtual Center and VMware View Composer</li>
</ol>
<p>VMware View Composer enables single image management for a VMware View VDI environment by utilizing VMware linked clone and persistent disk technology.  Linked clone is a hypervisor-based writable snapshot technology that can rapidly create many VMs based on a single master image.  With a persistent disk, all the user profile information is redirected to a separate VMDK file (which typically shows up as a D: drive) that persists through the VM refresh or recreation process.  With a persistent user data disk, the user desktop can be easily recreated even after system failure.  VMware View Composer changes the default user profile path to the D: drive in the Microsoft Windows registry during the image customization steps.</p>
<p>Note of caution:  Since the profile redirection only applies to users whose accounts do not exist on the master image, any user account which was used to prepare the image will not be redirected to the persistent disk.  Either use a separate admin account for master image setup or delete the user profile before image deployment.</p>
<ol>
<li>
<ol>
<li>Deploy a Microsoft Windows 2008 R2 server and install the Virtual Center software.  Use the built-in SQL Express DB.</li>
<li>Download and install “Microsoft SQL Server Management Express Studio.”  Open the command prompt as the administrator and execute the installation package from the command prompt. (<a href="http://www.microsoft.com/downloads/en/details.aspx?familyid=c243a5ae-4bd1-4e3d-94b8-5a0f62bf7796&amp;displaylang=en">http://www.microsoft.com/downloads/en/details.aspx?familyid=c243a5ae-4bd1-4e3d-94b8-5a0f62bf7796&amp;displaylang=en</a>)</li>
<li>VMware View Composer, which handles the linked clone creation, installs on the Virtual Center server.  VMware View Composer will require its own database.  To create the VMware View Composer database, launch the SQLExpress Management Studio with the “run as administrator” option.</li>
</ol>
</li>
</ol>
<p>&#0160;&#0160;&#0160;&#0160;i.&#0160; In SQLExpress Management Studio, create a new database for VMware View Composer (ex.  VMware ViewCMP).</p>
<p>&#0160;&#0160;&#0160;&#0160;ii.&#0160; Go to Administrative Tools-&gt;Data Source (ODBC) and create a System DSN for the VMware View database with the “SQL Native Client” driver.  Choose integrated Windows authentication and change the default database to the VMware View Composer database (ex. VMware ViewCMP).</p>
<p>&#0160;&#0160;&#0160;&#0160;iii.&#0160; Test the ODBC connection.</p>
<p>Finally, install VMware View       Composer.&#0160; Make sure to install the       Composer with the “run as administrator” option</p>
<p>Next up, creating the master desktop VM</p>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-2-vmware-view-installation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VDI at home: building a 10-user environment for $500 (Part 1)</title>
		<link>http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-1/</link>
		<comments>http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-1/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 17:14:17 +0000</pubDate>
		<dc:creator>f3_admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vmware view security]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4942</guid>
		<description><![CDATA[By Sam Lee, Data Center Team Lead Setting up VMware View Security Server Now that I have the base VMware View setup, I really wanted to watch videos on my &#8230; <a class="more" href="http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-1/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p><a style="display: inline;" href="http://blog.force3.com/.a/6a0133f1f8b01a970b01543309c3cf970c-pi"><img class="asset  asset-image at-xid-6a0133f1f8b01a970b01543309c3cf970c" style="width: 100px;" title="Sam Lee" src="http://blog.force3.com/.a/6a0133f1f8b01a970b01543309c3cf970c-100wi" alt="Sam Lee" /></a> <strong>By Sam Lee, Data Center Team Lead</strong></p>
<p><strong>Setting up VMware  View Security Server</strong></p>
<p>Now that I have the base VMware View setup, I really wanted to watch videos on my iPad from Starbucks.  To access the VMware View environment from outside, the VMware View security server must be set up.  The security server is an outside PCoIP tunneling mechanism linked to the connection broker.  If a static IP address for the security server is available, it’s an easy job.  However, with a dynamic IP address, typical of a home internet service provider, it’s another matter.</p>
<p>The main problem is that a security server setup requires an IP address and DNS name, which means that I need to automatically update the WAN IP address changes to the security server configuration.  Dynamic DNS can be used for outside DNS name resolution.  After much Googling, I found the solution from <a href="http://www.gabesvirtualworld.com/enabling-vmware-view-4-6-pcoip-with-dynamic-ip-address/" target="_blank">Gabe&#8217;s Virtual World Blog</a>.</p>
<ol>
<li>First, set up a dynamic DNS.  I used dyndns.org.  In order to update the WAN IP address changes, a dynamic DNS update client needs to be installed on one of the servers.</li>
<li>Next, set up the security server.  The security server is not joined to the domain since it sits in the DMZ.  Uninstall all unnecessary programs and turn on the Microsoft Windows firewall.  Install the connection broker software and choose the security server role.  You will have to enter a password to pair it with the connection broker.  A security server hardening guide can be found at <a href="http://communities.vmware.com/docs/DOC-14612">http://communities.vmware.com/docs/DOC-14612</a></li>
<li>Configure the router to forward ports 80, 443 and 4172 to the security server.  Ports 80 and 443 are TCP only.  Port 4172 is both UDP and TCP.</li>
<li>Configure the connection broker.  The connection broker’s external URL is the local host name (ex:  https://connectionsvr:443).  The PCoIP URL is an internal IP address (ex:  192.168.1.50:4172).</li>
<li>Configure the security server from the VMware View Manager window.  The security server external URL is the public dynamic DNS name (ex:  https://mysecuritysvr.dyndns.org:443) and the PCoIP URL is the external dynamic IP address (ex:  172.66.192.52:4172).  The PCoIP URL needs to change whenever your router gets a new WAN IP address.</li>
<li>Set up the PowerShell script on the connection broker server.  Set the Windows task scheduler to run it every hour or so.  In order to run the Microsoft Windows PowerShell script, I had to install the vSphere PowerCLI (downloaded from the VMware site) and the VMware View PowerCLI (located at C:\Program Files\VMware\VMware View\server\extras\Powershell\add-snapin.ps1).</li>
<li>I modified the PowerShell script to update without checking for IP address changes.</li>
</ol>
<p>Add-PSSnapin VMware.VimAutomation.Core</p>
<p>Add-PSSnapin VMware.View.Broker</p>
<p># Name of the Security Server</p>
<p>$SecurityServer = "slsecsvr"</p>
<p># Create a timestamp for logging</p>
<p>$TimeStamp = Get-Date -Format yyyy-MM-dd-H-mm</p>
<p># Fill $CheckedIP with the external IP address, using the whatismyip.com service</p>
<p># (Trim() drops any trailing whitespace in the response)</p>
<p>$wc = New-Object Net.WebClient</p>
<p>$CheckedIP = $wc.DownloadString("http://automation.whatismyip.com/n09230945.asp").Trim()</p>
<p># The PCoIP URL takes the form IP:4172, as in step 5 above</p>
<p>$PCoIPURL = $CheckedIP + ":4172"</p>
<p># Record the current externalPCoIPURL entry before changing it</p>
<p>$CurrentSettings = Get-ConnectionBroker</p>
<p>$CurrentIP = $CurrentSettings.externalPCoIPURL</p>
<p># Update on every run, without checking whether the address changed</p>
<p>Update-ConnectionBroker -broker_id $SecurityServer -externalPCoIPURL $PCoIPURL</p>
<p>$NewSettings = Get-ConnectionBroker</p>
<p># Log: timestamp, detected IP, previous setting, new setting</p>
<p>$row = $TimeStamp + "," + $CheckedIP + "," + $CurrentIP + "," + $NewSettings.externalPCoIPURL</p>
<p>$row | Out-File -FilePath "c:\scripts\check-ip.log" -Append</p>
<p><strong>The big question: How well does it work?</strong></p>
<p>The View system was very easy to set up and works very well.  On the internal LAN, it’s almost a PC-like experience.  While you cannot play 3D games, you are able to watch video, use Microsoft Office applications, browse the web, and also use bi-directional audio tools such as Skype.  The iPad experience has been excellent both from inside my home and from Starbucks while watching Adobe Flash videos.  I say it’s definitely $500 well spent.  My wife agrees…most of the time!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Force 3 Joins VMware Ready Program</title>
		<link>http://www.force3.com/force-3-joins-vmware-ready-program/</link>
		<comments>http://www.force3.com/force-3-joins-vmware-ready-program/#comments</comments>
		<pubDate>Wed, 22 Jun 2011 17:17:39 +0000</pubDate>
		<dc:creator>f3_admin</dc:creator>
				<category><![CDATA[Mobility]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[end user computing]]></category>
		<category><![CDATA[federal teleworker]]></category>
		<category><![CDATA[remote desktop]]></category>
		<category><![CDATA[teleworking for federal agencies]]></category>
		<category><![CDATA[VDI]]></category>
		<category><![CDATA[Virtual Desktop Infrastructure]]></category>
		<category><![CDATA[VMware Ready]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4952</guid>
		<description><![CDATA[Recently VMware announced the expansion of their VMware Ready™ Program that will provide customers validated desktop virtualization solution architectures that meet VMware’s functional and scalability requirements and are delivered by &#8230; <a class="more" href="http://www.force3.com/force-3-joins-vmware-ready-program/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p>Recently VMware announced the expansion of their VMware Ready™ Program that will provide customers validated desktop virtualization solution architectures that meet VMware’s functional and scalability requirements and are delivered by qualified VMware solution providers.&#0160; Force 3 is honored to be one of two partners selected to this program, with our teleworker architecture designed with the federal teleworker in mind.&#0160;</p>
<p><a href="http://www.vmware.com/files/pdf/view/vrds/Force3_SolutionDatasheet.pdf" target="_self">The Force 3 teleworker architecture for remote user support</a> is based upon the <a href="http://force3.com/wp-content/uploads/2011/08/VMware-View-Federal-Desktop-Architecture.pdf" target="_self">Force 3 VDI reference architecture</a>. This teleworking architecture simplifies end-user support and management by utilizing zero-client hardware and a pre-configured VPN router.&#0160;</p>
<p>Key highlights of the Force 3 telework architecture include:</p>
<ul>
<li><strong>Security</strong> – The use of zero client hardware means that valuable data never leaves the data center. The PCoIP zero client does not store any data locally and is used solely as a graphical interface. With View 4.6, the PCoIP protocol also supports SmartCard redirection, which is important for most Federal agencies given the increasing adoption of the HSPD-12 directive mandating smart card login.  Multi-layer security mechanisms will provide additional protection by limiting which devices can connect to the VPN router, and will allow only PCoIP protocols to travel over the VPN tunnel.  In all, zero clients and the Cisco ISE security management architecture provide best-in-class security for remote access solutions.</li>
<li><strong>Ease of management and reduced support</strong> – Components can be managed via a web-based console for simplified central management of thousands of teleworkers.  The proposed solution allows zero touch provisioning.  The VPN routers can be configured from a central configuration server, minimizing manual intervention and reducing deployment costs.  Using both the VPN router and zero-client hardware, agencies can dramatically reduce support requirements.</li>
<li><strong>Ease of Use by End-Users – </strong>The use of zero clients with a centrally managed VPN router gives end-users simple “plug and play” setup of the telework environment remotely.  With a one-step plug-in of the WAN port to the router, the end-user gains immediate access and use of the device.  The telework environment is “instant on”, where a user does not have to wait for their PC to boot up.</li>
</ul>
<p>Read more about Force 3’s teleworker architecture on the <a href="http://www.vmware.com/solutions/desktop/federal-teleworker.html">VMware Ready site</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/force-3-joins-vmware-ready-program/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VDI at home: building a 10-user environment for $500 (Part 5: VMware View security and, really, how well does this thing work?)</title>
		<link>http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-5-vmware-view-security-and-really-how-well-does-this-thing-work/</link>
		<comments>http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-5-vmware-view-security-and-really-how-well-does-this-thing-work/#comments</comments>
		<pubDate>Wed, 15 Jun 2011 17:16:57 +0000</pubDate>
		<dc:creator>f3_admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vmware view security]]></category>

		<guid isPermaLink="false">http://www.force3.com/?p=4950</guid>
		<description><![CDATA[By Sam Lee, Data Center Team Lead Setting up VMware View Security Server Now that I have the base VMware View setup, I really wanted to watch videos on my &#8230; <a class="more" href="http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-5-vmware-view-security-and-really-how-well-does-this-thing-work/">[ Read more… ]</a>]]></description>
			<content:encoded><![CDATA[<p><a style="display: inline;" href="http://blog.force3.com/.a/6a0133f1f8b01a970b01543309c3cf970c-pi"><img class="asset  asset-image at-xid-6a0133f1f8b01a970b01543309c3cf970c" style="width: 100px;" title="Sam Lee" src="http://blog.force3.com/.a/6a0133f1f8b01a970b01543309c3cf970c-100wi" alt="Sam Lee" /></a> <strong>By Sam Lee, Data Center Team Lead</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.force3.com/vdi-at-home-building-a-10-user-environment-for-500-part-5-vmware-view-security-and-really-how-well-does-this-thing-work/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

