Chat now with support
Chat with Support

Foglight for VMware Horizon View 6.1.0 - User Guide

Manage desktops in virtual environments Interact with Foglight for VMware Horizon View dashboards Reference

Host configuration (WinRM)

When using this collection method to obtain information from remote hosts, Foglight for VMware Horizon View relies on WinRM to expose the data.

* 
IMPORTANT: If you plan a user number higher than 140 in your VDI environment, you must increase the maximum envelope size for the connection server. For more information, see Data returned by PowerShell may exceed the default envelope size of WinRM when the scale of VMware Horizon View is large enough.
Step 1: Configure WinRM

This section includes some specific information related to configuring WinRM to remotely access the monitored hosts. It should not be used as a complete reference for this Windows® component.

For complete information about configuring the WinRM service, refer to the WinRM documentation. To quickly access the WinRM help, type WinRM at the command prompt.

* 
NOTE: If an Access is denied error occurs when running WinRM commands, run the command-line tool as an administrator or temporarily disable the User Account Control (UAC). For instructions on disabling the UAC, see: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.

When the WinRM configuration is complete, ensure that the Windows® Remote Management service is started:
Check the existing configuration. Open a command prompt as administrator. Type:
winrm quickconfig
The message appears, specifying whether the WinRM is already configured. If it is not, you are prompted to enable WinRM and open the required ports in the firewall.
Create a listener. Type:
winrm create winrm/config/listener?Address=*+Transport=HTTP
This command creates a listener if one does not already exist. If one exists, a message appears.
Enable Kerberos authentication. Type:
winrm set winrm/config/service/auth @{Kerberos="true"}

Choose either to allow non-encrypted (HTTP) communication or to require encryption (HTTPS). This choice corresponds to the Use SSL (True/False) section during agent configuration. When choosing to require encryption, you must have your certificate thumbprint. See your domain administrator for details.

To allow non-encrypted communication:
Type: winrm set winrm/config/service @{AllowUnencrypted="true"}
To require encrypted communication:
Type: winrm create winrm/config/listener?Address=*+Transport=HTTPS @{CertificateThumbprint="PASTE_CERTIFICATE_THUMBPRINT_HERE"}
 
* 
NOTE: This type of authentication requires that WinRM be configured with an HTTPS listener and that an appropriate certificate exists to identify the machine on which WinRM is running. In addition to this WinRM configuration, the server that is running the Agent Manager must be configured to trust the WinRM Server's Certificate. You must configure the Agent Manager on a remote host to trust third-party certificates.
Step 2: Verify the WS-Man communication port

The port returned by the command below is used in the WS-Man Communication Port field during agent configuration. The WS-Man Communication Port is set to 5985 by default. Most Windows® versions use 5985/5986; however, some versions are known to use other port values, such as 80/443.

To verify the WS-Man communication port:
From a command prompt, type: winrm enumerate winrm/config/listener

Host configuration (DCOM)

When using this collection method to collect process information from remote hosts, Foglight for VMware Horizon View relies on DCOM to access the Windows® Management Instrumentation (WMI) infrastructure on the remote hosts, to connect to virtual and physical machine hosts and collect their metrics.

The following information must be taken into consideration when using this collection method with Foglight for VMware Horizon View:
Only a domain user that is in the monitored hosts administrators group is allowed to collect data.
Using the DCOM with Foglight for VMware Horizon View to collect metrics through a firewall requires additional configuration steps. For more information, see Configure firewall settings manually.
This collection method may require that the Remote Registry service be running on the target host. Some versions of Microsoft® Windows have this service disabled by default. It is recommended that you verify whether this service is running and is configured to start automatically.
* 
NOTE: If the Remote Registry service starts after attempting collection, restart the Foglight Agent Manager for the collection to be successful.
Some restrictions on the Windows Server® limit the access to certain areas of the registry that prohibit the Connection Server Agent from collecting data. For more information, see Enable DCOM on a Windows Server. Alternatively, use WinRM to collect process data from these hosts.
Configure firewall settings manually

When using DCOM to collect metrics through a firewall, configure the firewall manually, then create and run a configuration script (as shown in Configure firewall settings using a script).

To configure firewall settings manually:
1
Enable all incoming traffic to the default DLL surrogate (dllhost.exe).
a
Create a rule that allows all incoming traffic for the file: %systemroot%\system32\dllhost.exe
b
64-bit systems only. Create a rule that allows all incoming traffic for the file: %systemroot%\SysWOW64\dllhost.exe
2
Enable the COM+ Network Access (DCOM-In) rule for the active profile.
3
Enable all rules in the File and Printer sharing group for the active profile.
 
* 
NOTE: The scope defined for the updated rules should include the host on which the Management Server is running.
Enable DCOM on a Windows Server

Use the following process to bypass the access restrictions that prohibit the View Connection Server Agent from collecting data from a monitored system.

To collect data from Windows® using DCOM:
1
Log in to the target remote host as the Administrator.
2
Start the Windows Registry Editor (regedit.exe).
* 
TIP: It is recommended that you create a backup copy of the Windows Registry before making any changes, so that you can revert the changes, if necessary.
3
If you are prompted to allow the Regedit program to make changes to the computer, click Yes.
4
For each of the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
a
Right-click the key, and from the shortcut menu that appears, select Permissions.
b
In the Permissions dialog box, click Advanced.
c
In the Advanced Security Settings dialog box that appears, open the Owner tab.
d
In the Change Owner to list, select the account with which you are currently logged in.
e
Click OK to close the Advanced Security Settings dialog box.
f
In the Permissions dialog box, click OK to close it.
g
In the Registry Editor window, right-click the same registry key again and, from the shortcut menu that appears, select Permissions.
h
In the Permissions dialog box that appears, select the Administrators group.
i
Grant the Full Control permissions to this group by selecting the Allow check box.
j
In the Permissions dialog box, click OK to close it.
k
Close the Windows Registry Editor.
5
Continue with Configure firewall settings using a script.
Configure firewall settings using a script
To configure firewall settings using a script:
1
On the target machine create the file firewall-config.ps1 containing the following script.
*
* QUEST PROPRIETARY INFORMATION
*
* This software is confidential. Quest Software Inc., or one of its
* supplied this software to you under the terms of a license agreement,
* nondisclosure agreement or both. You may not copy, disclose, or use this
* software except in accordance with those terms.
*
* Copyright 2017 Quest Software Inc.
* ALL RIGHTS RESERVED.
*
* QUEST SOFTWARE INC. MAKES NO REPRESENTATIONS OR WARRANTIES
* ABOUT THE SUITABILITY OF THE SOFTWARE, EITHER EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
* WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
* PARTICULAR PURPOSE, OR NON-INFRINGEMENT. QUEST SHALL
* NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE
* AS A RESULT OF USING, MODIFYING OR DISTRIBUTING
* THIS SOFTWARE OR ITS DERIVATIVES.
*
$OS = Get-WmiObject Win32_OperatingSystem
$OSBuildNumber = $OS.BuildNumber
$OSCaption = $OS.Caption
$useAdvancedFirewall = $true
$COMNetworkAccessGroup = "COM+ Network Access (DCOM-In)"
if (($OSBuildNumber -eq 2600) -or ($OSBuildNumber -eq 3790)) {
$useAdvancedFirewall = $false
}
if ($OSBuildNumber -eq 7600) {
# Windows® 7
$COMNetworkAccessGroup = "Windows Management Instrumentation (WMI)" }
if ($useAdvancedFirewall) {
Echo "Configuring firewall for Windows"
netsh advfirewall firewall add rule name="DLL Host (32-Bits)"
dir=in action=allow program="%systemroot%\system32\dllhost.exe"
netsh advfirewall firewall add rule name="DLL Host (64-Bits)"
dir=in action=allow program="%systemroot%\SysWOW64\dllhost.exe"
netsh advfirewall firewall set rule
group=$COMNetworkAccessGroup new enable=yes
netsh advfirewall firewall set rule group="File and Printer
Sharing" new enable=yes
}
else {
Echo "Configuring firewall for Windows XP/2003"
netsh firewall add allowedprogram
"%systemroot%\system32\dllhost.exe" "DLL Host (32-Bits)" ENABLE
netsh firewall add allowedprogram
"%systemroot%\SysWOW64\dllhost.exe" "DLL Host (64-Bits)" ENABLE
netsh firewall add portopening TCP 135 "DCE/RPC Locator
service" ENABLE
netsh firewall set service FileAndPrint ENABLE}
2
Run the script with the Administrator's privileges by issuing the following command:
powershell -File firewall-config.ps1

Troubleshoot agent collection problems

This section provides information about problems that you might encounter while monitoring your environment using Foglight for VMware Horizon View, and describes the solutions available to troubleshoot these problems.

Data returned by PowerShell may exceed the default envelope size of WinRM when the scale of VMware Horizon View is large enough

Summary

Data collected by the VMware Horizon View agent by PowerShell command-lets through WinRM may exceed the default envelope size of WinRM when the scale of VMware Horizon View is large enough.

The maximum envelope size for the connection server and for the VMware Horizon View agent may be different. For the connection server, the default value of MaxEnvelopeSizekb is 150. For the Client (VMware Horizon View agent), the default value of MaxEnvelopeSizekb is 15,360,000 (about 15,000 * 1024, which is 100 times bigger than the default value on Server side).

Solution

1
Run the following command on the connection server, to enlarge the default value:
winrm set winrm/config '@{MaxEnvelopeSizekb="NEW_LARGER_VALUE"}'
If NEW_LARGER_VALUE is less than 15,000, the problem is resolved. Otherwise, continue with Step 2.
2
On the Agent Manager side, enlarge the envelope size by inserting the following JVM parameter:
vmparameter.1 = "-Drdsl.winrm.maxenvelopesizekb=NEW_LARGER_VALUE_2";
 
* 
NOTE: The value of NEW_LARGER_VALUE_2 should equal to 1024*NEW_LARGER_VALUE.
in the following file:
<FGL_INSTALL_PATH>\state\default\config\baseline.jvmargs.config (for Foglight for Virtualization, Enterprise Edition 7.0 or later)
or
<FGL_INSTALL_PATH>\state\default\config\vm.config (for Foglight for Virtualization, Enterprise Edition versions prior to 7.0)
Configure LDAP over SSL for Active Directory LDS

Summary

By default, SSL is not enabled for Active Directory® Lightweight Directory Services (AD LDS), previously named Active Directory Application Mode (ADAM). VMware Horizon View monitoring fails in this case.

Solution

To use LDAP over SSL for Active Directory LDS:
1
Obtain a server authentication certificate from a trusted certification authority (CA).
The CA can be a trusted CA in your organization or a trusted third-party CA.
The certificate should issue to the FQDN of the server name.
The certificate should contain the Server Authentication purpose.
The certificate should contain the Private Key.
For more information about installing and using a CA, see Certificate Services on http://go.microsoft.com/fwlink/?LinkID=48952.
2
Install a server authentication certificate.
If the certificate is shared with other services on the server, install the certificate to the computer’s personal store.
If the certificate is used for AD LDS only, install the certificate to the AD LDS instance’s personal store.
 
* 
NOTE: The VMware Horizon View AD LDS instance name is VMwareVDMDS. Ensure that you install the certificate to that service account’s personal store if you are configuring for VMware Horizon View.
For more information about installing a certificate, see section “Step 1: Install a server authentication certificate” of the “Configuring LDAP over SSL Requirements for AD LDS” topic on http://technet.microsoft.com/en-us/library/cc725767(v=ws.10).aspx#BKMK_1.
3
Configure permissions on the server authentication certificate.
In order to use the certificate for authentication, the service account running the AD LDS should have Read access of the private key. By default, the service account is NETWORK SERVICE. If you use another account to run the service, you must grant the permission to that account.
If the certificate is installed in the computer’s personal store:
a
Click Start, right-click Command Prompt, and then click Run as administrator.
b
Type mmc to open Microsoft® Management Console (MMC).
c
Click File, click Add/Remove Snap-in, select the Certificates snap-in in Available snap-ins, and then click Add.
d
In Add or Remove Snap-ins, select Computer account to view the certificates, and then click Next.
e
In Add or Remove Snap-ins, select Local computer, and then click Finish.
f
In Add or Remove Snap-ins, click OK.
g
In the console tree, expand Certificates(Local Computer), expand Personal, and then expand Certificates.
h
Right click a certificate, select All Tasks, and then click Manage Private Keys.
i
Add the permission to the service account. Ensure that it has Read permission of the private key.
If the certificate is install in the AD LDS instance’s personal store:
Follow the instructions in section “Step 2: Configure permissions on the server authentication certificate” of the “Configuring LDAP over SSL Requirements for AD LDS” topic on http://technet.microsoft.com/en-us/library/cc725767(v=ws.10).aspx#BKMK_1.
4
Connect to the AD LDS instance over LDAPS using Ldp.exe.
Follow the instructions in section “Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe” of the “Configuring LDAP over SSL Requirements for AD LDS” topic on http://technet.microsoft.com/en-us/library/cc725767(v=ws.10).aspx#BKMK_1.
5
Test the PTR record.
The view connection server needs to have a PTR record on the DNS server, which can be resolved on the Fglam server. To test a PTR record, use the command ping -a IP. The IP should be resolved to a FQDN.
For example, in Win2k8 R2:
a
Go to Start Menu > Administrative Tools > DNS, to open the DNS Manager.
b
Select and expand the target AD server, right click Reverse Lookup Zones, and select New Zone from the menu.
c
Follow the wizard to complete the configuration.

References:

Configuring LDAP over SSL Requirements for AD LDS: http://technet.microsoft.com/en-us/library/cc725767(v=ws.10).aspx#BKMK_1
LDAP over SSL (LDAPS) Certificate: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Explore administrative tasks

The Administration tab of the VMware View Environment dashboard contains links to agent administration tasks that you can use to manage or create agent instances. From this tab, you can choose to either detect the agent instance information during creation or enter the information manually. Both methods create a View Connection Server Agent.

This tab consists of the Tasks area and the Agents view. Additional administrative tasks include:
Manually add View instances
Discover View instances
Add Host Agents
Figure 7. VMware View Environment dashboard: Administration tab

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating