Cloud Automation Platform 7.5


Cloud Automation Platform 7.5 Installation and Administration Guide

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA
legal@quest.com

Refer to our Web site for regional and international office information.

This software includes the following third-party software:

- Software developed by the Apache Software Foundation. Copyright The Apache Software Foundation. Licensed under the Apache License, Version 2.0, a copy of which is included on the software media.
- ViewerX VNC ActiveX Control version Copyright SmartCode Solutions.
- OpenSSL Copyright (c) The OpenSSL Project. All rights reserved. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
- Net::SSLeay Copyright (c) Sampo Kellomaki <sampo@symlabs.com> Copyright (c) 2005 Florian Ragwitz <rafl@debian.org> Copyright (c) 2005 Mike McCauley <mikem@open.com.au> All Rights Reserved. Distribution and use of this module is under the same terms as the OpenSSL package itself (i.e. free, but mandatory attribution; NO WARRANTY). Please consult LICENSE file in the root of the OpenSSL distribution.
- Snmp Sharp net version Copyright Milan Sinadinovic 2008, GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007, Copyright 2007 Free Software Foundation, Inc.
- NHibernate version GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, Feb Copyright (C) 1991, 1999 Free Software Foundation, Inc. For full license text, see
- ISC DHCP Daemon, version Copyright by Internet Systems Consortium, Inc. ("ISC"). For full license text, see
- PuTTY is copyright For full license text, see
- Perl Kit, Version 5.8 Copyright , Larry Wall, licensed under GNU Library GPL 2.0 or Perl Artistic License.
- Mono Terminal 1.0. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: Copyright (c) 2008 Novell, Inc.

Patents

Protected by U.S. Patent numbers 6,880,002, 6,990,666, 7,257,584, 7,287,186, 7,643,484, and 7,769,004; additional patents pending.

Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery, Cloud Automation Platform, Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, itoken, JClass, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point, Click, Done!, Quest vtoolkit, Quest vworkspace, ReportADmin, RestoreADmin, ScriptLogic, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vautomator, vconverter, vecoshell, VESI, vfoglight, vpackager, vranger Pro, vspotlight, vstream, vtoad, Vintela, Virtual DBA, VizionCore, Vizioncore vautomation Suite, Vizioncore vessentials, Vizioncore vworkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.


Contents

- Target Audience
- Release Notes
- About This Book
- Documentation
- Typeface Conventions
- Acronyms and Abbreviations
- Contact Information

1 Introduction
- Architecture Overview
- Components and Solutions
- Solution Licensing

2 Before You Start
- Determining the Scope of Your Installation
- System Requirements
- Additional Considerations
- Network Communication
- Configuring IIS V. 7 on Windows 2008 R2
- Configuring Remotely Managed Hosts
- About Partner Extensions
- Security And Encryption
- Choosing a Windows Account for the Agent Service (Altiris)
- Using the vcsadmin Utility

3 Product Installation
- Installing the Core Services
- Installing the Agent Services
- Installing the Web Application and Solutions
- Installing the SOAP API
- Installing the Advanced Enterprise Pack (Optional)
- Installing the Quest CAP Agent (Altiris)
- About the CLI Client
- Launching the Web Interface

4 Remote Access
- Universal Remote Access
- Web Browser and Connectivity Test
- Classroom Readiness Test
- Remote Access Solution System Requirements
- Conducting Web Browser and Connectivity Test and CRT
- Troubleshooting

5 Advanced Networking
- Networking Overview
- NAIL Overview
- Configuring NAIL Server Advanced Mode
- Using VLAN-isolated DHCP Networks
- Using Network Switch Automation
- NAIL Server Troubleshooting
- NAIL Diagnostics Error Message
- Using NAIL Driver Masquerading
- Migrating From NAIL Driver to NAIL Server

6 Configuration and Administration
- Moving an Existing Library Location
- Migrating the Agent Services and RSM
- Configuring Storage and Shared Access
- Managing Virtualization Hosts
- Recovering and Managing Missing Items
- Using the Dashboard
- Using High Availability with VMware vSphere
- Physical Provisioning
- Installation for a Secure IIS Service Account
- Installing the Add-In for HP Quality Center
- Editing Advanced Configuration Settings

7 Troubleshooting
- General Troubleshooting First Steps
- High I/O and CPU Rates
- Log In Failures with RDP Access
- Altiris Deployment Server, Suspended Scripts
- Error While Adding Host to Pool
- Install Microsoft IIS Before .NET Framework
- Installation Error Messages

8 Image Management
- Image File Types
- Duplicating Image Files
- Creating New Images
- Preparing Images
- Agentless Images
- Converting Hardware Versions for .vmdk Files
- Using NAIL Driver on Windows Images

9 Physical and Network Resources
- Overview of Resources
- Resource Pools
- Network Resources
- System Library Locations
- File Caches and File Cache Locations
- Virtualization Hosts
- Virtual Machines

10 System Library Objects
- Library Objects Overview
- Image Files
- Deployment Action Files
- Hardware Profiles
- Server Configurations
- Application Configurations
- Snapshots
- Catalogs
- Managing System Library Objects

11 Deploying and Managing Sessions
- Prerequisites to Deployment
- Scheduling a Session Reservation
- Deploying a Session
- Deploying a Session As a Service
- Reservations Requiring Approval
- Deploying a Session in Debug Mode
- Deploying a Session in Persistent Mode
- Deployment Actions
- Managing Sessions

12 Access Control
- Overview
- Privileges
- Privilege Sets
- Groups
- Users
- Manually Changing Access to Objects

13 User Management
- Organizations
- Creating User Accounts
- Creating Groups
- Quotas
- Personas
- Authentication Methods

14 System Monitoring
- Monitoring Log Files
- Viewing Audit Log Information
- System Notifications
- Monitoring Components Using SNMP Event Broadcasting
- Monitoring Components Using Syslog
- Monitoring Scripts

15 Reports
- Report Types
- Managing Reports
- Customizing Reports
- Setting Access for Individual Reports

A Syslog Settings
- Syslog Handler Settings
- Syslog Facilities
- Severity Levels
- Setting Up Filters and Scripts

Preface

The Quest Cloud Automation Platform Installation and Administration Guide provides information to assist you with the process of installing and configuring a Cloud Automation Platform (CAP) environment. After you complete the installation, see the online Help for information about using the CAP web interface to create, manage, and configure the Cloud Automation Platform users and objects.

Target Audience

The target audience for this book includes the individual responsible for installing the Cloud Automation Platform and performing the initial configuration required to begin using the product on a day-to-day basis. Typically, these users are system administrators. Additionally, Organization Administrators who are responsible for creating new users and populating the library should read this guide.

Release Notes

Before installing the product, review the Release Notes. Information about the Quest Cloud Automation Platform, the QA/Test Solution, Demo Solution, and Training Solution is included in the Release Notes. The Release Notes contain the most current information about the products and should be used in conjunction with other Cloud Automation Platform documents.

About This Book

This book provides the information you need to install and configure Cloud Automation Platform components during the initial deployment of an environment. It is not intended to provide a complete description of the features and capabilities of the Cloud Automation Platform and web interface.

The Installation and Administration Guide consists of the following sections:

- Chapter 1, Introduction, on page 1
- Chapter 2, Before You Start, on page 11
- Chapter 3, Product Installation, on page 49
- Chapter 4, Remote Access, on page 89
- Chapter 5, Advanced Networking, on page 155
- Chapter 6, Configuration and Administration, on page 185
- Chapter 7, Troubleshooting, on page 225
- Chapter 8, Image Management, on page 235
- Chapter 9, Physical and Network Resources, on page 259
- Chapter 10, System Library Objects, on page 271
- Chapter 11, Deploying and Managing Sessions, on page 281
- Chapter 12, Access Control, on page 297
- Chapter 13, User Management, on page 309
- Chapter 14, System Monitoring, on page 333
- Chapter 15, Reports, on page 341
- Appendix 16, Syslog Settings, on page 347

Documentation

The following documentation is available in support of this release:

- Quest Cloud Automation Platform Release Notes
- Quest Cloud Automation Platform Installation and Administration Guide
- Quest Cloud Automation Platform Data Dictionary
- Quest Cloud Automation Platform Upgrade Documentation
- Quest CAP Add-In for HP Quality Center Guide
- Online Help for the Quest Cloud Automation Platform web interface
- SOAP API .chm files

Typeface Conventions

The following typeface conventions are used in this book (Component: Convention):

- Window and dialog names: Title caps, default font
- Emphasis: Italic
- File or directory names: Courier
- Examples, including code: Courier
- UI commands within a procedure when a specific action is taken: Bold
- New terms: Bold italic
- Typed user input: Bold Courier
- Variables: <server_name>

Acronyms and Abbreviations

The following acronyms and abbreviations are used in this book (Acronym or Abbreviation: Definition):

- API: Application Programming Interface
- CAP: Cloud Automation Platform
- CD-ROM: Compact Disc Read Only Memory
- CPU: Central Processing Unit
- DNS: Domain Name System
- EPU: Effective Processor Units
- GB: Gigabyte
- GUI: Graphical User Interface
- GUID: Globally Unique Identifier
- HBA: Host Bus Adapter
- HTTP: Hypertext Transfer Protocol
- ICA: Independent Computing Architecture
- ICMP: Internet Control Message Protocol
- IDE: Integrated Drive Electronics
- IIS: Internet Information Service
- IP: Internet Protocol
- LLP: Local Listening Proxy
- MAC: Media Access Control
- MDAC: Microsoft Data Access Components
- MB: Megabytes
- NAIL: Network Abstraction and Isolation Layer
- NAT: Network Address Translation
- NFS: Network File System
- NIC: Network Interface Card
- OS: Operating System
- PSA: Path Signature Analysis
- RAM: Random Access Memory
- RSM: Remote Server Manager
- RDP: Remote Desktop Protocol
- SCSI: Small Computer System Interface
- SE: Sales Engineer
- SMTP: Simple Mail Transfer Protocol
- SQL: Structured Query Language
- SSL: Secure Socket Layer
- SSPI: (Microsoft) Security Support Provider Interface
- TCP/IP: Transmission Control Protocol/Internet Protocol
- UI: User Interface
- UNC: Universal Naming Convention
- URA: Universal Remote Access
- URL: Uniform Resource Locator
- VM: Virtual Machine
- VNC: Virtual Network Control
- VR: Virtual Resource

Contact Information

To contact Quest Customer Support, use the Support Web page available on our Web site:


1 Introduction

This chapter provides an overview of the Cloud Automation Platform architecture and components.

For comprehensive information and procedural instructions for using the CAP web interface to accomplish both administrative and end-user tasks, refer to the Cloud Automation Platform online Help system. For an overview of the workflow and setup tasks to create a basic environment, see the Getting Started section of the online Help system.

The following topics are discussed in this chapter:

- Architecture Overview on page 2
- Components and Solutions on page 3
- The CAP Core on page 6
- CAP Core Objects on page 7
- Reporting Database on page 8
- Operations Database on page 8
- Solution Licensing on page 9

Architecture Overview

The method of installing the Cloud Automation Platform components varies depending on the type of environment you have, your choices for storage volumes, and many other details. The following two diagrams illustrate the common architecture layout for a VMware ESX environment and for a Microsoft Hyper-V R2 environment. Many environments are heterogeneous, and contain both Hyper-V R2 and ESX hosts, as well as physical computers hosting either image-based or externally provisioned server configurations. The Cloud Automation Platform architecture is flexible and can accommodate a wide range of environments.

The following installation scenario depicts an environment using VMware ESX virtualization hosts. The CAP Core components, the CAP web interface, the QA/Test Solution, and the Demo Solution are installed on three different servers. All of the platform components can be installed on a single server, but as a best practice, Quest Software recommends at least installing the Agent Services component on a separate server.

Figure 1 Example installation configuration with VMware ESX hosts

The following diagram illustrates a typical environment using Hyper-V R2 hosts, which requires the use of a SAN (Storage Area Network) for the system Library.

Figure 2 Example installation configuration with Hyper-V R2 hosts

The use of the URA Gateway is optional; refer to Remote Access on page 89 for detailed information about installing and configuring the Cloud Automation Platform remote access components.

Components and Solutions

The following components are essential to the Cloud Automation Platform environment:

- CAP Core: Typically installed on multiple virtual machines (VMs) or physical servers. Depending on the size of the deployment, however, the CAP Core can be installed on a single VM or physical server. The CAP Core consists of the following pieces, which provide the capabilities required by all Cloud Automation Platform applications:
  - Core services: Provides the services and capabilities that enable the Cloud Automation Platform applications to create and manage virtual and physical resources. Key services include the control service, the reservation service, deployment service, and the engine service.
  - Agent Services: Includes the following agent services:
    - Agent message forwarder: Receives all agent responses and status data and delivers those documents to the agent message processor.
    - Agent message processor: Processes documents submitted by Cloud Automation Platform agents, updates the operations database, and relays agent responses. This service is only intended to be called by the agent message forwarder on behalf of agents.
    - Remote Server Manager (RSM): Manages remote virtualization hosts and library servers. For more information about using the RSM, refer to Configuring Remotely Managed Hosts on page 30.
  - Web Application: Functions as the interface to the CAP Core. Through the CAP web interface, the administrator can perform the tasks that are necessary to define and maintain the Cloud Automation Platform environment, including the creation and maintenance of users, organizations, virtual resources, and software images.
  - SOAP APIs: Provides the capability to extend, integrate with, or externally automate the CAP Core and, optionally, with the Training Solution.
- Cloud Automation Platform Solutions: The following solutions are available with Cloud Automation Platform:
  Note: The QA/Test Solution, Demo Solution, and Training solution are included in the Cloud Automation Platform, and are automatically installed with the CAP Core. Users access both the administrative functions of the CAP Core and the Solutions through the CAP web interface.
  - QA/Test Solution: Automates test lab environments for software organizations. The QA/Test Solution orchestrates the allocation, scheduling, provisioning, configuration, and deprovisioning of test environments for developers and quality assurance (QA) engineers, as well as testing of new configurations by information technology organizations (IT Operations). By providing self-service capabilities to groups and individuals who desire access to automated test lab environments, the QA/Test Solution enables software organizations to increase repeatability in the test process while optimizing test lab resources, reducing development and test cycles, increasing the productivity of developers and QA engineers, and eliminating errors.
  - Demo Solution: Provides software-demonstration capabilities that result in the faster and more reliable presentation of a product to potential customers. These enhancements, in turn, generate additional leads and shorten sales cycles.
  - Training Solution: Enables training organizations to reduce delivery costs, shorten cycles, and increase reach by delivering live, hands-on, technical software training to anyone, anytime, anywhere. When using the Training Solution, customers, partners, and employees experience the full benefits of interacting with real training labs as part of instructor-led and self-paced courses.
- System library: Contains a collection of such system resources as base images, ISO images, and snapshots. The system library also includes the templates directory and snapshots directory in which the various files are stored, and a DeploymentActions directory that stores deployment action files. The file-storage device that you use as the system library must have enough capacity to store many large files.
- Operations database: Houses the configuration and state information for all of the physical and virtual resources. Created on an existing structured query language (SQL) server, the database also stores information about users, their roles and privileges, and their authentication policies.
- Reporting database: Serves as a repository for historical data. Logically distinct from the operations database, the reporting database can be installed either as an independent database on the same server that the operations database is on, or on a different server altogether.
- Cloud Automation Platform application server: A physical server or VM on which the Cloud Automation Platform web application or Cloud Automation Platform Solutions are installed. End users and application administrators access these applications through a Web browser.
- File cache: Contains copies of images from the system library and allows multiple VMs to share the same image. When an image changes in the system library, the updated image is sent to the file cache upon the next deployment of the application configuration. Multiple caches are supported, with each cache consisting of one or more file cache locations.
- Virtualization host: The computer on which VMs are created and their configuration files stored.
- Physical Computer: A computer that is managed by a provisioning system and is used by Cloud Automation Platform to host deployed physical servers. Refer to the online Help for additional information about using provisioned physical computers.
- Quest CAP Agent: Handles communication between Altiris Deployment Servers and the CAP Core server. Quest CAP agents are installed on any supported Windows system that hosts an Altiris Deployment Server and system library location or a file cache location with Altiris physical machine images.

The CAP Core

The CAP Core provides the building blocks for the creation and deployment of sessions for Cloud Automation Platform users. A session is a software environment that can be deployed on-demand for demos, training, or testing purposes. Demo Solution, Training Solution, and QA/Test Solution users access sessions for software demonstrations and evaluations, hands-on software training, or for software testing. The CAP Core automates the setup, provisioning, deployment, teardown, and re-deployment of sessions. The CAP Core also provides access control and reports.

Before you begin using the Cloud Automation Platform, make sure that the required physical and network resources have been created. Physical resources include virtualization hosts, possibly physical provisioning servers, physical computers, and Active Directory computer accounts (ADCAs). Network resources include MAC addresses, IP addresses, DHCP network ranges, and VLAN IDs.

The CAP web interface is the graphical user interface to the product. After the required resources are in place, you can use the CAP web interface to perform the tasks required to create, define, and maintain the platform objects tailored to your virtual environment's requirements.

In the CAP web interface, create the objects that comprise a session by creating objects in the system library. The objects that display in the system library are the elements that build the server and software for a session. It helps to think of the system library objects as recipes for sessions. A recipe, in the traditional sense, contains a list of ingredients as well as a set of instructions. In the system library, the objects required to create a session are the list of ingredients, and the instructions for how each object should be deployed and configured are included in the definition of the object.

CAP Core Objects

To create a Session or Training Lab, create and maintain the following CAP Core objects:

- Images: An image is a virtualized representation of a computer's disk drive. You can add images that you have created in your own environment, or you can create your own images using the CAP web interface. Either way, Quest recommends that you use the Cloud Automation Platform image preparation process to prepare any images that will be used in the Cloud Automation Platform environment.
- Hardware profiles: The hardware profile of each server configuration defines the RAM requirements, the CPU cores, target deployment (physical or virtual), required computing capacity (measured by Effective Processor Units, or EPUs) if any, and any constraints.
- Server configurations: All the information and image file references needed to create a fully functioning server. Cloud Automation Platform supports both virtual server configurations and physical server configurations. Virtual server configurations are used to create VMs. Physical server configurations are deployed to a physical computer to create deployed physical servers.
- Application configuration: All the resources needed to create a single session. One or more server configurations are grouped into an application configuration.
- Session: An application configuration that has any additional collateral or material attached to it. A session is what you deploy to create and access the virtual environment.

After the physical and network resources are in place and the platform objects are ready for deployment, use the CAP web interface to make sessions available to users. Additional administrator tasks include creating and maintaining user accounts and organizations, running reports, system monitoring, and managing images, physical and network resources, and the system library. Each remaining chapter in this manual provides more detail about the CAP Core objects and the administrator's role with those objects.

Reporting Database

The reporting database is available to all platform services. Its primary purpose is to save historical data. The reporting database acts as a data warehouse and can be used with Cloud Automation Platform-provided report generators or with third-party reporting tools. For more information, see Reports on page 341.

Operations Database

The operations database contains the configuration and state information for physical and virtual resources. It also stores information about users, their privilege sets and privileges, and their authentication policies. The operations database is the primary source of data accessed by the Cloud Automation Platform application program interface (API).

Solution Licensing

Solution licensing controls the user experience in the CAP web interface. Users will be able to access the features and functionality of the Solutions for which they have a valid license. The solution-level licensing provides several features:

- Limit access to groups of workflows, personas and functionality that are grouped together as Solutions.
- Monitor the number of concurrent user logins per solution (determined by assigned persona).
- Monitor the number of host machines/CPU sockets that can be pooled.
- Monitor the total amount of RAM that can be pooled.
- Provide a built-in license expiration for installations used for evaluation purposes.

There are three types of licenses: CAP Core, Demo Solution, and Training Solution. The QA/Test Solution is licensed by the CAP Core license.

The optional limits on pooled RAM and CPUs will be part of the CAP Core license. The RAM will be licensed in whole GB units. The optional limits on the concurrent logins for Users using Personas associated with a given solution are part of the Solution licenses. The CAP Core license, which includes the QA/Test Solution, always allows unlimited concurrent users.

If limits are exceeded, usage is not interrupted. However, users are prompted to enter a valid license when using the CAP web interface.


2 Before You Start

This chapter discusses the system requirements and other objectives and conditions that must be considered while planning an installation.

The following sections address these issues and provide instructions for ensuring that you are fully prepared to complete a Cloud Automation Platform installation.

- Determining the Scope of Your Installation on page 12
- System Requirements on page 13
- Additional Considerations on page 20
- Network Communication on page 25
- Configuring IIS V. 7 on Windows 2008 R2 on page 29
- Configuring Remotely Managed Hosts on page 30
- About Partner Extensions on page 39
- External Provisioning with HP Server Automation on page 41
- Security And Encryption on page 43
- Choosing a Windows Account for the Agent Service (Altiris) on page 45
- Using the vcsadmin Utility on page 46

Determining the Scope of Your Installation

Because the Cloud Automation Platform is highly scalable, the components and Solutions can be installed on a single server or distributed across multiple servers. If you are installing Cloud Automation Platform within the confines of a relatively small environment, for example, you can install the complete Cloud Automation Platform on the same server that hosts your databases and system library. If your installation is slated for a larger environment, installing some of the CAP Core components on one server and the remaining components on a second server can help you maximize the efficiency of your solution. Databases, Solutions, and the system library can also be set up on separate servers as needed.

The following criteria can be useful when determining which approach to use:

- The number of sessions to be deployed and serviced. A session is a complete software environment (operating system, required software, etc.) that can be deployed on demand for demonstration, testing, or training purposes. Users of Cloud Automation Platform Solutions can access sessions for software demonstrations and evaluations, software testing, and hands-on software training.
- The diversity of your lab images, including the number of different images, the size and content of each image, and their hosting requirements.
- Your reporting needs, as determined by the amount and type of data you expect to save, as well as the number of reports you expect to generate.

Installation Scenario

In the typical installation scenario, the Cloud Automation Platform components are divided on multiple servers, with the database on a separate database server. For diagrams of typical Cloud Automation Platform installations, refer to Architecture Overview on page 2.

System Requirements

The hardware and software requirements are detailed in the following section.

General Considerations

Review the following general information:

- The disk space required by the library location depends upon the number and size of the images (labs, demos, classes) that are stored.
- Using NAIL Server in advanced mode requires at least two (2) 1 GB Ethernet cards in all virtualization hosts. For more information about NAIL Server in advanced mode, see Configuring NAIL Server Advanced Mode on page 165. For instructions, refer to the CAP web interface's online Help.
- The Active X controls used by Cloud Automation Platform require 32-bit Internet Explorer (default browser) when running on 64-bit Windows (x64) platforms. Both 32-bit Internet Explorer and 64-bit Internet Explorer are installed with Windows x64. The combination of Firefox 3.x and Sun Java J2SE 1.6 also works on Windows x64.
- The Platform server and all virtualization hosts should reside on the same Local Area Network (LAN).
- Microsoft IIS version 7, the web server on Microsoft Windows Server 2008 R2, requires additional configuration prior to installing Cloud Automation Platform. Refer to Configuring IIS V. 7 on Windows 2008 R2 on page 29 for detailed instructions.

System Requirements

Review the following system requirements for a typical installation scenario. See Figure 1 and Figure 2 on page 3 for diagrams of two typical configurations.

Note: Installation of the Cloud Automation Platform components requires that both Microsoft IIS and .NET Framework 3.5 SP1 are installed on the CAP Core server before installing the CAP Core. Be aware that IIS must be installed before .NET Framework on the CAP Core server. See the troubleshooting topic Install Microsoft IIS Before .NET Framework on page 230 if IIS was not installed first.

Computer: CAP Core server

Cloud Automation Platform Components: General requirements for the four main components of the CAP Core server:
- Core Services
- Agent Services
- Web Applications
- SOAP API

System Requirements: Physical server or VM with the following specifications:
- English version of one of the following operating systems:
    - Microsoft Windows Server 2008 SP1 (Standard, Enterprise, Datacenter)
    - Microsoft Windows Server 2008 R2 (Standard, Enterprise, Datacenter)
    - Microsoft Windows Server 2003 R2 SP2 (Standard, Enterprise, Web Editions, or x64)
    - Microsoft Windows Server 2003 SP2 (Standard, Enterprise, Web), x86 or x64 editions supported
- 2 GB RAM
- Free disk space:
    - 10 GB free disk space if CAP-supplied images are stored on a network attached storage (NAS) device
    - 40 GB free disk space if images are stored on a local disk
- Microsoft .NET Framework 3.5 SP1
- Microsoft Internet Information Services (IIS) 6.x, 7.x
- ASP.NET Application Server installed and enabled

Note: (Windows 2003 only) IIS must be installed before .NET Framework.

Computer: Library Server

Cloud Automation Platform Components: System Library (all computers, excluding Altiris DS, that host the Library must use the Remote Server Manager to manage the library, and so must be registered with the Cloud Automation Platform.)

System Requirements:

ESX
- VMware ESX 3.5 Update 4, ESXi 3.5 Update 5, ESX 4.0 Update 1, ESXi 4.0 Update 1, ESX 4.1, ESXi 4.1
- Library locations storage volume required to be on NFS or VMFS-3 volumes (for locations larger than 2 TB, NFS is strongly recommended)

Hyper-V
- Windows Server 2008 R2 (required for Hyper-V and Cluster Shared Volume library content)
- Microsoft .NET Framework 3.5 SP1
- Library locations storage volume required on Cluster Shared Volume (CSV) on a SAN

Altiris Deployment Solution
- Windows Server 2003 R2 SP2, x86 or x64
- Windows Server 2008 SP1 or SP2, x86 or x64
- Quest CAP Agent installed
- Microsoft .NET Framework 3.5 SP1

Common
- 500 GB free disk space minimum (The amount of required disk space depends on the size of the disk images.)
- Library Server computer registered with Cloud Automation Platform (excluding Altiris).

Computer: Database server

Cloud Automation Platform Components: Operational and Reporting database

System Requirements:
- One of the following databases:
    - Microsoft SQL Server 2005, SP2
    - Microsoft SQL Server 2005 Express
    - Microsoft SQL Server 2005 x64
    - Microsoft SQL Server 2005 Express x64
    - Microsoft SQL Server 2008 SP1
    - Microsoft SQL Server 2008 R2
- Mixed Mode Authentication must be enabled
- Remote connections using TCP/IP must be enabled

Computer: Application server

Cloud Automation Platform Components: In a distributed installation, the Web Applications component can be installed on a different computer than the other Platform components. The Application server hosts the Platform web interface and any additional web interface installations.

System Requirements: Physical server or VM with the following specifications:
- English version of one of the following operating systems:
    - Microsoft Windows Server 2008 SP1 (Standard, Enterprise, Datacenter)
    - Microsoft Windows Server 2008 R2
    - Microsoft Windows Server 2003 R2 SP2 (Standard, Enterprise, Web), or x64
    - Microsoft Windows Server 2003 SP2 (Standard, Enterprise, Web), x86 or x64 editions supported
- 2 GB RAM minimum, 4 GB recommended
- 6 GB free space
- Microsoft .NET Framework 3.5 SP1
- Microsoft Internet Information Services (IIS) 6.x, 7.x
- ASP.NET Application Server installed and enabled

Notes:
- (Windows 2003 only) IIS must be installed before .NET Framework.
- Do not install on a computer that uses a WAN or the Internet to connect to the Platform Server.

Computer: Virtualization Host (content host for VMs)

Cloud Automation Platform Components: This is the server, running a VMware or Microsoft virtualization product, on which the Cloud Automation Platform manages the virtual resources. A typical environment consists of multiple host servers whose aggregate capacity is pooled and allocated.

System Requirements:
- One of the following virtualization products:
    - VMware ESX 3.5 Update 5, ESXi 3 Update 5, ESX 4.0 Update 1, ESXi 4.0 Update 1, ESX 4.1, ESXi 4.1
    - Microsoft Windows 2008 R2 with Hyper-V Server (Must use Clustered Shared Volume configuration.)
  NOTE: All virtualization platforms (except ESX 3.5) require x64 architecture with Intel VT-x/AMD-V support.
- 4 GB RAM (supports approximately 6 virtual machines with 512 MB RAM each)
- 10 GB free disk space (library provisioning) or 40 GB (dedicated cache location)
- Host must be registered with Remote Server Manager (RSM).
- (ESX and ESXi only) SSH must be enabled for the user account with which the ESX host is registered with the Remote Server Manager.
- All VMware ESX images that will run on ESX 3.5 must be in the double-file, hardware version 4 VMDK format. For ESX 4 hosts, the hardware version can be 4 or 7. See Converting Hardware Versions for .vmdk Files on page 253 for instructions to use a vcsadmin script to convert .vmdk files to a later level file format.

Computer: Guest VM (If your VM image does not contain a Cloud Automation Platform Guest Agent, these requirements are not applicable.)

Cloud Automation Platform Components: Cloud Automation Platform Guest Agent. These are the requirements of the guest VM in order for the Guest Agent to function properly.

System Requirements:

One of the following 32-bit operating systems:
- Windows Server 2003 R2 SP2, Windows XP, Windows 2008 SP1, or Windows Vista SP1 Business edition or higher, Windows Server 2008 R2, Windows 7, Professional and higher
- Red Hat Enterprise Linux Server (RHEL) 5.x
- Novell SUSE Enterprise Linux Server 10.3 or 11.0

OR

One of the following 64-bit operating systems:
- Windows XP 64 or Windows Server 2003 R2 SP2 x64
- Red Hat Enterprise Linux Server (RHEL) 5.x
- Novell SUSE Enterprise Linux Server 11.0 and above

Microsoft Framework 2.0 or 3.5 SP1 (Windows only)

Windows Server 2008 Hyper-V R2 Hosts only:
- Windows XP SP3, 32-bit only
- Windows Vista SP1 Business edition or higher, x86 or x64
- Microsoft Windows Server 2003 R2 (Standard, Enterprise, Web Editions, or x64)
- Microsoft Windows Server 2003 (Standard, Enterprise, Web), x86 or x64 editions supported
- Windows Server 2008, x86 or x64
- Windows Server 2008 R2, x64 only

Note: VMs created from an image prepped with the CAP Image Tool include a Guest Agent.

Computer: Active Directory Server

System Requirements: One of the following operating systems:
- Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter)
- Microsoft Windows Server 2008 SP1
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2003 R2 SP2 (Standard, Enterprise, Web) x86 or x64 editions supported
- Microsoft Windows Server 2003 SP2 (Standard, Enterprise, Web), x86 or x64 editions supported

Computer: Client computer (Application users)

Cloud Automation Platform Components: none. This is the computer used by IT operations and lab management personnel to administer the application and by end-users to request and access lab environments.

System Requirements:
- English version of one of the following operating systems:
    - Microsoft Windows XP SP3
    - Microsoft Windows Vista SP1 Business edition or higher (no console access with Vista)
    - Microsoft Windows 7 (no console access on ESX 3.5, ESX 4 allows console access)
    - Microsoft Windows Server 2003 SP2
    - Microsoft Windows Server 2003 R2 SP2
    - Microsoft Windows Server 2008 SP1
    - Microsoft Windows Server 2008 R2
    - SUSE Linux Enterprise Server 10.2 and 11
    - Apple Mac OS X 10.5 or 10.6 with Firefox browser; remote access methods supported are Citrix ICA and Java RDP.
- One of the following web browsers:
    - Microsoft Internet Explorer 7.0 or 8.0 with cookies enabled (only 32-bit version of IE)
    - Mozilla Firefox 3.5 or 3.6 with cookies enabled
- (Optional) The installation of Microsoft Silverlight 3 enables the Infrastructure Dashboard, a visual management view of the environment.
- (Optional) PowerShell 2.0 is required for use of the CAP CLI Client component.

Note: Web browser must be configured for either:
- Microsoft ActiveX controls
- Sun Java Plug-in JRE version 1.6 on Windows platforms
- Sun Java Plug-in JRE version 1.6 for Mozilla Firefox on Linux
- Apple Java for Mac OS X version 1.6 for Mozilla Firefox

Computer: Utility Host

Cloud Automation Platform Components: A utility host is any server running supported virtualization software that also supports NAIL Server, and is used by Hyper-V hosts for network translation services.

System Requirements:
- VMware ESX utility host: VMware ESX 3.5 Update 5, ESXi 3 Update 5, ESX 4.0 Update 1, ESXi 4.0 Update 1, ESX 4.1, ESXi 4.1 (Foundation, Standard, or Enterprise)
- ESX server must be registered with RSM (Remote Server Manager).
- SSH must be enabled for the user account with which the ESX host is registered with the Remote Server Manager.
- Advanced Mode for the NAIL server must be implemented

Partner Extension System Requirements

Altiris Deployment Server
- Altiris Deployment server 6.8 SP2, 6.9, 6.9 SP1, or 6.9 SP2
- Network communication: Use either a static IP address in the .img file or use the legacy NAIL Driver.
- The Altiris Deployment server agent must be installed on the target server against which an Altiris Job is run.
- Cloud Automation Platform Administrators must have full access to all Altiris Jobs and to the Altiris Deployment Server.
- The Cloud Automation Platform Agent must be installed.

HP Server Automation
- HP Server Automation 7.5
- A Cloud Automation Platform guest agent must be installed in all images that will run HP Software Policies as deployment actions. However, a guest agent is neither required nor supported for external provisioning (OS or physical provisioning) with HP SA.
- The server configuration's network adapters cannot use NAIL 3 network adapters; the adapter must be set to either DHCP or static.
- If your environment uses both isolated networks and physical computers managed by HP SA, you must configure network switch automation. See Using Network Switch Automation on page 174.
- HP Network Automation 7.5 (network switch automation): supported physical switches are Cisco IOS (e.g. 3750) and Cisco Catalyst OS (e.g. 2948). Support for other switch types can be provided by Quest, as long as the switch is supported by HP NA 7.5.
- SPARC architecture is not supported.

Note: In order to be able to run administrative-level commands via the Remote Shell, the user with which the HP SA core was registered must have the "Run Command On Server" privilege with sufficient scope, as both the "root" user and the "Administrator" user (root for Linux/UNIX systems, and Administrator for Windows).

VMware vCenter
- VMware vCenter 2.5 Update 5, VMware vCenter 4.0 Update 1, vCenter 4.1
- Network communication: Static IP Address in all VMs

For more information regarding partner integrations in Cloud Automation Platform, see About Partner Extensions on page 39. For detailed information about how to register partner extensions (provisioning and automation systems) in the CAP web interface, refer to the online Help.

Additional Considerations

Depending on the configuration of your network and the needs of your customers, the following variables can also affect how you set up the Cloud Automation Platform environment:

- Whether you anticipate any remote access requirements
- Whether you intend to implement a file cache system to help maximize network efficiency
- Whether you intend to use a VMFS volume on a SAN (storage area network) for a library location
- Whether you have any address translation needs

The following sections examine these variables in more detail and provide the information necessary for you to address any potential challenges.

Remote Access

To address your potential remote access needs, Cloud Automation Platform provides the following solutions:

- Universal remote access (URA): Enables communication from a remote computer to a Cloud Automation Platform VM located behind a firewall.
- Classroom readiness test (CRT): Measures a network's bandwidth and latency and compares them with established ranges to determine whether they are appropriate for your classroom needs.
- Web Browser and Connectivity Test, or the User Readiness Test (URT): Used in conjunction with the Demo, Training, and QA/Test Solutions to determine if a remote user's computer and the computer's current location meet the requirements to successfully connect to a Cloud Automation Platform VM.

These solutions are described in greater detail in Chapter 4, Remote Access, on page 89. To utilize URA, you must install a URA gateway. Similarly, to take advantage of CRT, you must install a CRT server.

Note: The URA gateway and CRT server must not be installed on the same machine. For more information about the system requirements for the URA gateway see Installing and Configuring the URA Gateway Server on page 112. For more information about the system requirements for the CRT server, see System Requirements on page

Image Provisioning and File Cache Locations

Images in Hyper-V environments are provisioned to destination VMs from Cluster Shared Volumes (CSV) on the Storage Area Network (SAN) server. For more information, see Using Clustered Shared Volumes for Hyper-V R2 Hosts on page 195.

VMware ESX hosts can access images directly from a system library when the system library server supports NFS or VMFS access protocols. See Using NFS In a Network-Attached Storage Configuration on page 194 or Using VMWare VMFS in a SAN-based Configuration on page 190.

For image provisioning from a system library to be successful, the following conditions must be met:

- All Windows system libraries must reside within the same Windows domain.
- The agent that manages a Windows system library cannot run as Local System account. Instead, it must run as a domain user in the machine's Administrators group.
- ESX hosts that use a library location on a SAN VMFS volume must be configured before installing Cloud Automation Platform. See Configuring the ESX Host and SAN Server on page 192.

When a session is deployed under these conditions, the VM uses images that remain in the system library location. Files are not copied to the virtualization host, which reduces the time required to deploy sessions.

Situations exist, however, when provisioning from the system library is not optimal or possible. For instance, a very large number of VMs with heavy usage can cause excessive load on the library server. For these situations, Cloud Automation Platform uses file caches and file cache locations.

A file cache location describes any physical location on a server to which an image and its related files are copied. If your environment requires a large number of simultaneously accessible VMs, file cache locations provide load balancing across multiple servers.

Whenever an application configuration is deployed, any file that is part of the server configuration, including the .vhd, .vmdk, .img, and .iso files, is copied to a file cache location and attached to the appropriate VM or VMs. Upon termination of the application configuration session, the image and all of its related files remain in the file cache location, where they can be attached to other VMs during future deployments.

Cloud Automation Platform supports the following types of file cache locations:

- Dedicated file cache locations are created on each VM host server. Dedicated file cache locations are supported by Hyper-V and VMware ESX.
  Note: Hyper-V hosts must use a Cluster Shared Volume (CSV) on a SAN for library or file cache location. In addition, all VM home directories must be in a local directory. No UNC paths or CIFS can be used.
- Shared file cache locations are accessible by all the virtualization hosts in a specified resource pool. For VMware ESX, the shared cache locations can use either NFS or VMFS. See Using NFS In a Network-Attached Storage Configuration on page 194 or Using VMWare VMFS in a SAN-based Configuration on page 190. Also refer to the CAP web interface online Help topic Adding a Shared File Cache Location.

With shared file cache locations, you have the option of setting up cache locations that are all managed by an existing Quest CAP Agent on another server. Regardless of whether your shared cache locations are remote or local, the Hyper-V hosts and Windows system libraries must reside within the same Windows domain, and the managing agent must run as a domain user in the Administrators group.

When planning the optimal solution for your network configuration, it is important to remember the following points:

- Each VM must have direct read/write access to a file cache location.
- A single physical host server can support multiple file cache locations, provided the locations exist on different volumes.
- The size of a shared file cache location is configurable. If you do not specify a size, the entire disk is used.
- File cache locations can be set up on remote servers that are accessible either by a managed server or by the Remote Server Manager.

If you define more than one shared cache location, the system determines which location to use during a deployment by identifying the following criteria:

- a location that already has the files cached
- a location that has enough space (without deleting any existing files)
- a location with the most space that has unused files that can be purged to make space

If the required image exists in a cache location, then that cache location is used. If the image is not currently cached, it is copied to the location with the most available space, purging unused files if necessary to make space for the new images.

The online help provides detailed instructions for creating file cache locations.

Address Translation and Virtual Networking

Note: Refer to Networking Overview on page 156 for detailed information about Cloud Automation Platform networking, including typical network topologies, configuring the NAIL Server, using VLAN-isolated DHCP networks, and NAIL troubleshooting details.

The repeated cloning of a small number of VMs provides a fast, efficient method to create a large pool of identical VMs. In a Cloud Automation Platform environment, many of the VMs that represent or comprise viable application configurations are clones of one or more original VMs. Unfortunately, cloned VMs share the following identifiers with the original VM as well as with each other:

- Machine name: Duplicate machine names cause conflicts with network shares. For example, an OS like Windows 2000 or Windows 2003 disables a clone's network connection when it detects a duplicate machine name. Changing the machine name of each VM is a time-consuming effort that requires a restart of each VM. Additionally, changing a machine name can break licensing codes, configuration files, registry entries, and certificates.
- Security identifier (SID): Redundant SIDs generate authentication issues. Although SIDs can be changed, the process is a time-consuming effort that requires a system restart for each VM. Further, changing a VM's SID can result in software problems that affect licensing codes, Windows authentication, Windows Shares, and IIS Services.
- Static IP address: The duplication of IP addresses, each of which must be unique to every VM on a network, renders the original VM and all of its clones incapable of communicating over the same network. Although an administrator can change the IP address of each VM, this change can also disrupt Web services, databases, special protocol drivers, firewall rules, tuned applications, and other servers that still use the previous IP address.

The Cloud Automation Platform solves the problem of duplicate IP addresses by utilizing a network abstraction and isolation layer (NAIL). If the necessary components are installed and configured, the NAIL Server is created automatically when the virtualization hosts are pooled.

Note: The NAIL Server is an optional component that is not installed by default with Cloud Automation Platform. For information about installing the NAIL Server components, see Installing the Advanced Enterprise Pack (Optional) on page 75.

The appropriate IP addresses and MAC addresses are configured using the CAP web interface.

Note: Be aware that the IP configuration (including the subnet mask and gateway) that is defined within the image must match the subnet mask defined in the server configuration that you create in the CAP web interface.

As shown in Figure 1, NAIL Server uses network address translation (NAT) to provide a unique IP address for each VM on a network.

Figure 1 Cloned VMs with Unique External IP Addresses

Network Communication

Review the following section for information about the various types of network resources that you will need to create. Additionally, see the matrix of ports on page 28 for a list of port numbers that Cloud Automation Platform requires for communication between the CAP Core server and other components.

Network Requirements

You will need to define network resources for the application configurations that you want to deploy. The appropriate IP addresses, MAC addresses, DHCP networks, and VLAN IDs are defined using the CAP web interface. Refer to the online Help for detailed instructions to create network resources.

Quest recommends that you verify the accuracy of all values that you enter. A small error when entering a range of addresses can result in the creation of thousands of unwanted address records in the Cloud Automation Platform database.

Resource: MAC Address Ranges
Description: This is the most widely used of the network resources because every VM NIC (network interface card) will consume an Ethernet MAC address while the VM is deployed, regardless of how the interface is configured within the VM guest operating system, and regardless of whether multiple clones of the VM are simultaneously deployed.
Requirements: Values should fall within the VMware Organizationally Unique Identifier (OUI) range of 00:50:56:00:00:00-00:50:56:3F:FF:FF. The size and values of this range can be changed at any time. Plan to use at least one MAC address for each VM per test configuration, up to the maximum number of concurrent VMs across all VM hosts.

Resource: IP Address Ranges
Description: NAIL uses IP address resources to prevent conflicts and provide a unique IP address for each VM whose network interfaces are configured with static IP addresses within the VM guest operating systems.
Requirements: These IP addresses cannot overlap with addresses assigned by any DHCP server. Plan to dedicate one additional IP address per VM host, plus one for each VM per test configuration that will be configured for NAIL cloning, up to the maximum number of concurrent VMs across all VM hosts. The size and values of this range can be changed at any time.
Note: Consult your network administrator to determine a range of IP addresses valid for your local network that can be dedicated to your installation.

Resource: VLAN ID Ranges
Description: NAIL also uses a virtual LAN (VLAN) for VMs that require grouping, as is the case when multiple server configurations comprise a single application configuration. NAIL Server uses IEEE 802.1q VLANs to isolate application configurations from one another and prevent duplicate host name or IP address errors while simultaneously deploying clones of VMs.
Requirements: You must use IDs within the range of , inclusive. If you are implementing NAIL Server in the advanced mode, you should work with your network administrator to select the appropriate network adapters, switches, and VLAN IDs that are compatible with your physical network environment. As a general guideline, plan for 1-2 VLAN IDs per concurrent test configuration, depending on the complexity of the test configuration. The VLAN ID range selected should be dedicated for use by the Cloud Automation Platform.

Resource: DHCP Network Range
Description: For physical and virtual servers that require both network isolation and the use of DHCP, create one or more DHCP network ranges. Externally-provisioned servers that rely on the PXE network boot process and are included in multi-server deployments can use isolated DHCP networks. For details about using VLAN-isolated DHCP networks, see Using VLAN-isolated DHCP Networks on page 171.
Requirements: Two configurations support VLAN-isolated DHCP networks:
- OSPF (Open Shortest Path First): this widely used protocol must be enabled on the physical switch that is used to provide routing for external users to the virtualization hosts. Additionally, Cloud Automation Platform requires credentials on the OSPF routers.
- If OSPF cannot be used in your environment, the physical switch on the broadcast network can be set to provide DHCP addressing services. For this scenario, NAIL Server must use advanced mode.
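As an added illustration (not part of the Quest guide or the product), the following Python sketch checks a proposed MAC or IP address range against the requirements in the table above before the values are entered in the CAP web interface: the VMware OUI window, no overlap with DHCP-assigned addresses, and a size that matches the plan. The function names, the sample addresses, and the oversize threshold `max_slack_factor` are assumptions made for this example.

```python
import ipaddress
import re

# VMware OUI window quoted in the guide's MAC Address Ranges requirement.
VMWARE_MAC_FIRST = 0x005056000000
VMWARE_MAC_LAST = 0x0050563FFFFF
MAC_PATTERN = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def mac_to_int(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' to an integer; reject anything else."""
    mac = mac.strip()
    if not MAC_PATTERN.fullmatch(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def size_problems(count, needed, max_slack_factor):
    """Flag a range that is too small for the plan or suspiciously large.

    max_slack_factor is an assumed sanity limit, not a value from the guide:
    a range many times larger than the plan usually means a mistyped octet.
    """
    problems = []
    if count < needed:
        problems.append(f"range holds {count} addresses but {needed} are planned")
    if count > needed * max_slack_factor:
        problems.append(
            f"range would create {count} address records for a plan of "
            f"{needed}; check for a mistyped octet"
        )
    return problems


def check_mac_range(first, last, concurrent_vm_nics, max_slack_factor=4):
    """Return a list of problems with a proposed MAC address range."""
    lo, hi = mac_to_int(first), mac_to_int(last)
    if lo > hi:
        return ["range is reversed: first address is higher than last"]
    problems = []
    if lo < VMWARE_MAC_FIRST or hi > VMWARE_MAC_LAST:
        problems.append(
            "range leaves the VMware OUI window "
            "00:50:56:00:00:00-00:50:56:3F:FF:FF"
        )
    return problems + size_problems(hi - lo + 1, concurrent_vm_nics,
                                    max_slack_factor)


def check_ip_range(first, last, dhcp_scopes, vm_hosts, nail_cloned_vms,
                   max_slack_factor=4):
    """Return a list of problems with a proposed NAIL IP address range.

    dhcp_scopes is a list of (first, last) pairs already served by DHCP.
    The plan follows the guide: one address per VM host plus one per VM
    configured for NAIL cloning.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        return ["range is reversed: first address is higher than last"]
    problems = []
    for scope_first, scope_last in dhcp_scopes:
        s_lo = ipaddress.IPv4Address(scope_first)
        s_hi = ipaddress.IPv4Address(scope_last)
        if lo <= s_hi and s_lo <= hi:  # closed intervals intersect
            problems.append(f"overlaps DHCP scope {scope_first}-{scope_last}")
    needed = vm_hosts + nail_cloned_vms
    return problems + size_problems(int(hi) - int(lo) + 1, needed,
                                    max_slack_factor)


if __name__ == "__main__":
    # Constructed sample plan: 4 VM hosts, 36 NAIL-cloned VMs, one DHCP scope.
    dhcp = [("10.20.30.100", "10.20.30.200")]
    print(check_ip_range("10.20.30.10", "10.20.30.59", dhcp, 4, 36))
    # Same range with the third octet of the last address mistyped (40 for 30).
    print(check_ip_range("10.20.30.10", "10.20.40.59", dhcp, 4, 36))
    print(check_mac_range("00:50:56:00:10:00", "00:50:56:00:10:3F", 40))
```

An empty list means the range satisfies all three checks; the mistyped sample reports both the DHCP overlap and the 2610 records it would create.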

Ports Used by Cloud Automation Platform

The following table lists the ports or port ranges required by Cloud Automation Platform. All ports are TCP unless specified. Ping is open in some cases to facilitate connectivity testing, not for server communications. This matrix does not include Windows networking ports.

To Platform Server a To DBs To App To Lib To Hosts To VMs To URA GW To Syslog To LDAP To CRT Server

From Platform server From DBs From App From Lib From Hosts From VMs From URAGW From Syslog From LDAP

(includes RSM) >32767 ICMP Ping (for SSH) 4277 ICMP Ping None UDP None None N/A None None None None None None None None /443 ICMP Ping 1433 N/A > /443 None 80/443 N/A > (SSH) 80/443 None 80/ > None None UDP >32767 N/A None None UDP None None None None None None None 80/443 None None None None N/A None None None None None None None None (RDP) 5901 (VNC) 1494 (Citrix) N/A None None 9999 (default) 3389 (requires port address translation) None None None None None None None N/A None None None None None None None None None None N/A None

a. The Web Application component uses port The Remote Server Manager (RSM), part of Agent Services, uses port Service Host, in the Services Container, uses port The EngineService, part of Core Services, uses port Control Service, part of Core Services, uses port

Configuring IIS V. 7 on Windows 2008 R2

If your environment will use Windows Server 2008 R2, install and configure Microsoft IIS version 7 web server prior to installing the Web Application component. IIS version 7 is the default web server on Windows Server 2008 R2.

Note: Use the following instructions to install and configure IIS version 7 on any Windows Server 2008 R2 on which you will install any of the four Platform components. Follow the same instructions for any servers on which you install the Web Applications component.

To install and configure IIS version 7 for the Cloud Automation Platform environment, perform the following steps:

1. Open the Server Manager console.
2. In the left pane, click Roles and then click the Add Roles link in the window on the right. The Add Roles Wizard appears.
   A. On the Before You Begin page, click Next.
   B. On the Select Server Roles page, select the Web Server (IIS) role and then click Next.
   C. On the Web Server (IIS) page, click Next.
   D. On the Select Role Services page, select Application Development and then click Next.
   E. On the Confirm Installation Selections page, click Install. The Installation Progress page appears.
   F. When the Installation Results page appears, review the information and then click Close.
3. In the left pane of the Server Manager, click Features and then click the Add Features link in the window on the right. The Add Features Wizard appears.
   A. On the Select Features page, select .NET Framework Features.
   B. Dismiss the popup by clicking Add Required Features.
   C. Expand .NET Framework Features and verify that the WCF Activation check box is selected.
   D. On the Select Features page, click Next.
   E. On the Confirm Installation Selections page, click Install. The Installation Progress page appears.
   F. When the Installation Results page appears, click Close.
4. Open a command prompt window and type start inetmgr to open the Internet Information Services (IIS) MMC snap-in.
5. In the left pane, expand the node with the computer's name, then expand the Sites node, and then select the Default Web Site.
6. Double-click the Handler Mappings icon in the pane on the right.
7. In the list of application mappings, right-click on each ISAP-2.0.svc file, select Edit..., and verify that the file is mapped to the aspnet_isapi.dll.

Configuring Remotely Managed Hosts

The Remote Server Manager (RSM), installed with the Agent Services component of the Platform, manages all virtualization hosts and library servers. The RSM is used to remotely manage the following types of hosts:

- Microsoft Windows Server 2008 Hyper-V R2 hosts
- VMware ESX Server 3.5
- VMware ESXi 3.5
- VMware ESX Server 4.0
- VMware ESXi 4.0

The use of RSM not only greatly reduces installation and upgrade efforts, it also provides performance enhancements and a simplified architecture.

For important information about configuring the hosts before creating your Cloud Automation Platform environment, see:

- ESX Hosts on page 31
- Hyper-V R2 Hosts on page 32

Note: For information about the supported library locations and file cache locations, and how to configure hosts for file access and library management, refer to Configuring Storage and Shared Access on page

ESX Hosts

Review the following sections if your environment includes VMware ESX hosts.

Configuring ESX Hosts

To configure the Cloud Automation Platform environment for using remotely managed ESX 3.5, ESX 4.0, and ESXi hosts, follow these procedures before registering the hosts in the CAP web interface:

- Enable SSH for the user account of the ESX host. The authentication credentials, used when registering the ESX host to be managed by RSM, must have remote SSH access enabled before registering the host.
- Verify that the user account on the ESX host has the same privileges as a local administrator.
- Create a storage location for the images and files. Cloud Automation Platform requires that all images are in either the Hardware Version 4 or version 7 double-file VMDK format. See Converting Hardware Versions for .vmdk Files on page 253 for instructions to use a vcsadmin script to convert .vmdk files to a later version file format.

Note: If the host will be integrated with a VMware vCenter environment, you must define the storage locations and register the host with vCenter before you register the host with the CAP web interface. After installation is complete, refer to the online Help for additional prerequisites and information about registering ESX hosts for vCenter integration.

- Configure a default network for NAIL Server. If you are using NAIL Server in advanced mode, configure both a trunked network and a default network. See Configuring NAIL Server Advanced Mode on page 165.
- (ESX 3.5 and 4.0 only, not ESXi) Quest Software recommends the following best practice: using the VMware Infrastructure Client that is installed on the ESX host, set the amount of memory allocated to the ESX service console to the maximum amount, 800 MB. The RSM interacts with the service console to perform tasks for the Cloud Automation Platform environment. Failing to set the memory allocation to 800 MB will cause the service console to perform poorly.

Hyper-V R2 Hosts

Review the following sections if your environment includes Hyper-V R2 hosts.

Considerations

Review the following considerations when using the Remote Server Manager and Hyper-V R2 hosts:

- No firewalls can exist between the computer on which the Agent Services is installed and the Hyper-V R2 host(s).
- For successful promotion of snapshots from Hyper-V hosts, constrained delegation must be enabled for the user account that the Remote Server Manager uses to remotely manage the Hyper-V host. The RSM is configured with only one user account that it uses to manage all Hyper-V R2 hosts. The Hyper-V host must be able to open virtual hard disks (.vhd files) on the CIFS server (i.e., in the system library on a NAS device) for exclusive read/write access, and because the Remote Server Manager is delegating the credentials to open the virtual hard disk file on the Hyper-V host accessing the CIFS server, that delegation must be authorized. For the authorization to occur, the user account of the RSM and the Computer Name of the CIFS server must both be in a common Active Directory server where constrained delegation of the RSM user to access the CIFS share through third-party hosts (Hyper-V) is allowed.
- In order for Hyper-V to host VMs with NAIL Server defined as the Ethernet Device type, a NAIL Server on another virtualization host or on a utility host must be used. See Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 37 for more information about using utility hosts.
- The password rules for the user account must be configured to never expire.
- Hyper-V R2 hosts and the Remote Server Manager should not be isolated by a network address translation (NAT) layer. See Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 37 for information about using network address translation with Hyper-V hosts.
- DHCP addressing should not be used by Hyper-V R2 hosts unless it is an infinite DHCP reservation.
- The Hyper-V R2 host must have 64-bit architecture and have a DVD drive.

Configuring Hyper-V R2 Hosts

Note: If your environment requires the use of the NAIL Server for network address translation (NAT) for VMs on a Hyper-V R2 host, refer to Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 37.

To configure the environment for using remotely managed Hyper-V R2 hosts, follow these steps:

1. Before installing Cloud Automation Platform, create a domain user account for the specific use of communication between the Remote Server Manager and the Hyper-V hosts. The domain user account must be a member of the Administrators group for the server with Agent Services installed and on each Hyper-V host that is going to be managed remotely by the Remote Server Manager. Additionally, the domain user account should have full privileges to the Windows Administrative shares (C$, D$, IPC$) and the ability to access the Hyper-V host file system with full read/write access.

   The following computers must all be in the same domain:
   - The computer on which you install the platform Agent Services (which includes the Remote Server Manager)
   - The Hyper-V host(s) (if applicable)
   - Any file systems of the Hyper-V host that are external to the Hyper-V host itself and are used to store the Cloud Automation Platform virtualization configuration files

2. Install the Platform components. During the installation of the Agent Services (part of the Platform), you are prompted to enter the user name and password for the Remote Server Manager. Enter the user name and password of the user account defined in step 1. See page 61 in Chapter 3, Product Installation, for more information.

3. Configure each Hyper-V host to be managed remotely by ensuring the domain user account created for this purpose is a member of the local Administrators group. For security reasons, it is recommended that this domain user account not be a member of the Domain Administrators group.

4. On each Hyper-V host, use the following steps to configure the Authorization Manager policy:
   A. Open the Authorization Manager MMC by using the Run command prompt to run azman.msc.
   B. In the Authorization Manager interface, right-click and choose Open Authorization Store from the list.
   C. On the Open Authorization Store window, select the XML File radio button and use the Browse option to navigate to the following directory: C:\ProgramData\Microsoft\Windows\Hyper-V
   D. Select InitialStore.xml and click Open.
   E. On the Open Authorization Store window, click OK.

   F. In the Authorization Manager interface, expand the tree to open the Hyper-V Services\Role Assignments\Administrator folder.
   G. Select Administrator.
   H. In the right pane, right-click and select Assign Users and Groups => From Windows and Active Directory...
   I. Add the new user that you created in step 1.
   J. Exit the Authorization Manager.
   K. Reboot your Hyper-V server to effect the changes.

5. On each Hyper-V host, use the following steps to configure the Ethernet NIC driver.

   Broadcom

   A. Verify that the driver version is or later.
   B. Add a registry setting to preserve VLAN tags. This registry value needs to be added to the configuration parameters for each of the Broadcom network interfaces on the computer:
      i. Run the Registry Editor (regedit).
      ii. Search for "PriorityVLANTag" under HKLM\SYSTEM\ControlSet001\Control\Class.
      iii. Add the DWORD value "PreserveVlanInfoInRxPacket" with value 1 to the top level key.

   Intel

   Add the following registry setting: MonitorModeEnabled = 1

The Hyper-V R2 hosts are now ready to serve as virtualization hosts in the Cloud Automation Platform environment.

Next Steps

In the Platform web interface, register and pool the host.

Note: If the VMs on the Hyper-V R2 host require network translation (i.e. will be on dedicated VLANs rather than on the default network), refer to Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 37.

Refer to the online Help for instructions to register the remote Hyper-V R2 hosts with the Platform.

After the remote hosts are registered and assigned to a resource pool, the Remote Server Manager will manage the VMs and their configuration files on the registered remote hosts.
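A read-only check of the host preparation in steps 1, 3 and 5 of Configuring Hyper-V R2 Hosts, as an added example that is not part of the Quest guide. The account name is a placeholder, and two points are assumptions: that the NIC values live on each adapter's instance key under the network adapter class, and that `DriverDesc` identifies the vendor.

```powershell
# Added example (not from the Quest guide): read-only audit of a Hyper-V R2 host
# against steps 1, 3 and 5. Nothing on the host is changed.
param(
    # Hypothetical NETBIOSDOMAIN\user; replace with the account created in step 1.
    [string]$RsmAccount = 'EXAMPLE\svc-cap-rsm'
)

# Network adapter device class. Assumption: the guide's "top level key" is the
# per-adapter instance key (0000, 0001, ...) below this class key.
$netClass = 'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-WinNTGroupMember {
    # Direct members of a group as 'CONTAINER/name' strings (WinNT ADSI provider).
    # Nested group membership is not expanded.
    param([string]$Container, [string]$Group)
    $g = [ADSI]"WinNT://$Container/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', ''
    }
}

function Test-RsmAccount {
    param([string]$Account)
    $domain, $user = $Account -split '\\', 2
    $id = "$domain/$user"

    # Steps 1 and 3: the account must be in the local Administrators group.
    $local = Get-WinNTGroupMember -Container $env:COMPUTERNAME -Group 'Administrators'

    # Step 3: the guide recommends that it is NOT a Domain Administrators member.
    $inDomainAdmins = 'unknown'
    try {
        $inDomainAdmins = (Get-WinNTGroupMember -Container $domain -Group 'Domain Admins') -contains $id
    } catch {
        Write-Warning "Could not read 'Domain Admins' in '$domain': $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Account               = $Account
        InLocalAdministrators = ($local -contains $id)
        InDomainAdmins        = $inDomainAdmins
    }
}

function Get-NicVlanSetting {
    # Step 5: report the VLAN-related value the guide names for each vendor.
    Get-ChildItem $netClass -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if     ($p.DriverDesc -match 'Broadcom') { $name = 'PreserveVlanInfoInRxPacket' }
        elseif ($p.DriverDesc -match 'Intel')    { $name = 'MonitorModeEnabled' }
        else   { return }   # other vendors and non-adapter subkeys are skipped

        New-Object PSObject -Property @{
            Adapter   = $p.DriverDesc
            Key       = $_.PSChildName
            Setting   = $name
            Value     = $p.$name
            Compliant = ($p.$name -eq 1)
        }
    }
}

Test-RsmAccount -Account $RsmAccount |
    Format-List Account, InLocalAdministrators, InDomainAdmins
Get-NicVlanSetting |
    Format-Table Adapter, Key, Setting, Value, Compliant -AutoSize
```

A host that passes shows `InLocalAdministrators : True`, `InDomainAdmins : False`, and `Compliant` set to `True` for every Broadcom and Intel adapter listed.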

Image Preparation for Hyper-V R2 Hosts

The image for a VM that runs on a Hyper-V R2 host must include the Integration Services. Follow the Microsoft Hyper-V documentation for installing the Integration Services in your image. After the Hyper-V VM has the Integration Services installed, copy the .vhd file into the Library and use the Surgient_Image_Tool.iso to prepare the image. Refer to the online Help for instructions to add the images to the Library and prepare them for use in the Cloud Automation Platform environment.

Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts)

Cloud Automation Platform uses NAIL servers to provide network address translation in an environment in which a single image (and thus a single IP address) might be duplicated or cloned, and used in multiple VMs in the environment. In such an environment, network address translation is required to prevent network conflicts; NAIL server translates the IP address contained in the image to a unique address that is used only within the Cloud Automation Platform environment.

Microsoft Hyper-V does not support VLAN trunking from a NIC to a virtual machine, so NAIL servers cannot be used on a Hyper-V host. However, network address translation can be accomplished in an all Hyper-V or a heterogeneous environment with the use of a utility host. A utility host is any server running supported virtualization software that also supports NAIL server, and is used by Hyper-V hosts for network translation services. ESX 3.5, ESX 3i, ESX 4, and ESXi 4 can function as the utility host platform.

Note: In order for Hyper-V R2 to host multi-server sessions that require network address translation (i.e. cloned images are used), NAIL Server must be run in advanced mode. See Configuring NAIL Server Advanced Mode on page 165.

Hyper-V R2 hosts that do not run server configurations using NAIL server can continue to be pooled in standard or advanced mode, and images that use DHCP/static IP addresses do not require external NAIL server access. But in standard mode, or in advanced mode without an accessible NAIL server on a utility host, sessions using NAIL server-designated content are not supported.

Creating a Utility Host on an ESX Server

Note: For a server to act as a utility host, the environment must use NAIL Server in advanced mode. For information about using NAIL Server in advanced mode, see Configuring NAIL Server Advanced Mode on page 165.

To create a utility host on an ESX server, follow these steps:

1. Register the ESX server in the Cloud Automation Platform environment. For detailed instructions, see the online Help topic Registering a Remotely Managed Host.
2. Pool the utility host's RAM only (not the RAM of any of the hosted VMs). Additionally, define the computing capacity (EPUs) for the host. This must be done before pooling Hyper-V content hosts; otherwise there will be an error when you pool the Hyper-V content hosts.
3. Pool the content host(s) that will be using the utility host. This causes the NAIL Server VM to be started on the utility host.

About Partner Extensions

Cloud Automation Platform supports integrations with Data Center Automation and virtualization management systems such as Symantec Altiris Deployment Solution, HP Server Automation (formerly Opsware Server Automation), and VMware vCenter Server.

Note: For detailed information about how to use the CAP web interface to register and implement Partner Extensions, see the online Help. Information about configuration that needs to be done either before installation or before accessing the CAP web interface is included in this installation guide.

Integration with the following products enables several Cloud Automation Platform features:

HP Server Automation

- Deployment Actions -- Running HP SA Software, Audit, and Patch policies against sessions in the Cloud Automation Platform environment.
- External Provisioning -- HP SA uses OS provisioning to deploy server configurations. Server configurations that are intended to be externally provisioned by HP SA are created using OS Sequences. This server configuration, when deployed, installs the specified operating system and any additional software or data included in the sequence. OS sequences can be deployed to either a virtual machine or to a physical computer that is provisioned by HP SA. See External Provisioning with HP Server Automation on page 41 for more information.
- Provisioning to Virtual Machines -- By default, sessions based on OS sequences are provisioned to virtual machines. Provisioning details, such as whether the server configuration is deployed to a VM or to a physical computer, are determined by the hardware profile that is selected when creating the server configuration.
- Physical Provisioning -- Physical computers that are managed by HP Server Automation can be added to the Cloud Automation Platform resource pools and used as targets for OS sequence-based sessions. For more information about physical provisioning, see Physical Provisioning on page 220.

Note: If your environment requires the use of isolated DHCP networks and physical provisioning to HP Server Automation-managed physical computers, you must configure network switch automation. See Using Network Switch Automation on page 174.

VMware vCenter Server

- vCenter Templates -- Import/Export of vCenter Server virtual machine templates.
- Dual management -- An ESX or ESXi virtualization host can be registered with both Cloud Automation Platform and VMware, enabling features in both products to be leveraged without interference.
- High Availability -- Integration with VMware vCenter allows users to specify selected virtualization hosts as highly available, meaning that if the host computer fails, any VMs on the host computer will be migrated to another, functional host computer. See Using High Availability with VMware vSphere on page 211 for more information.

Symantec Altiris Deployment Solution

- Deployment Actions -- Running Altiris jobs against sessions in the Cloud Automation Platform environment.
- Physical Provisioning -- Using Altiris to manage the use of physical computers in the lab environment. For more information about physical provisioning, see Physical Provisioning on page 220.

Note: Integration with Altiris requires the installation of the Quest CAP Agent on the Altiris server.

In order to implement the integrations, a partner extension is registered with Cloud Automation Platform.

Note: Instead of using the Register feature on the Partner Extensions table page, integrations with Altiris are automatically registered with the Cloud Automation Platform environment when the Quest CAP Agent (installed on the Altiris Deployment Server) checks in with the Platform server.

External Provisioning with HP Server Automation

To implement external provisioning with HP SA, use the following workflow summary as a guideline. Refer to HP Server Automation on page 220 for information about using HP SA to provision physical servers. Refer to the online Help for instructions to use the CAP web interface to implement external provisioning with HP SA.

Workflow Summary

- Verify that Wake on LAN and PXE are enabled for the primary NIC on each HP SA-managed physical computer.
- Register the HP Server Automation core server in the CAP web interface, using the Partner Extensions node in the left navigation pane. Refer to the online Help for detailed instructions. If the PXE boot server is not on the HP SA core server, but rather on a satellite server, you will need to specify the PXE server IP address after registering the physical computer. Edit the Physical Provisioning server Details page to specify the PXE boot server address; refer to the online Help for detailed instructions.

  Note: The user account used to register the HP SA core server must have broad Run Command on Server privileges, and must have both Admin and root privileges (for both Windows and Linux servers).
- Register any HP SA-managed physical computers that you want to use in the Cloud Automation Platform environment, using the Physical Provisioning node in the navigation pane. Refer to the online Help for instructions to register a physical computer.

  Note: The physical computer must have been provisioned by HP SA at least once prior to registering with Cloud Automation Platform. Servers that have not previously been provisioned by HP SA will not display in the list of servers to register in Cloud Automation Platform.

- If NIC 0 (as reported by HP SA) is not the primary NIC (i.e. is not the interface enabled for PXE boot and Wake on LAN) you must use the Physical Provisioning server Details page to explicitly designate the primary NIC.
- If using VLAN-isolated DHCP networks, configure these DHCP networks. See Using VLAN-isolated DHCP Networks on page 171.
- If using VLAN-isolated DHCP networks and physical computers provisioned by HP SA, you must configure network switch automation. See Using Network Switch Automation on page 174.
- Create a new server configuration using an OS Sequence. Any OS Sequences that are on the SA Core server when the core server is registered with Cloud Automation Platform will appear in a drop-down list when creating a new server configuration. (Select External Provisioning to see the list of OS Sequences.) Refer to the online Help for detailed instructions to create a server configuration using OS Sequences.
- When creating the server configuration, use the Hardware Profile to determine whether the server configuration will be deployed to a physical computer or virtual machine, and other deployment details.
- From one or more OS Sequence-based server configurations, create an application configuration and session.

Note: If any step in the overall process of provisioning and deploying the OS Sequence fails, the entire deployment will fail and the user will be notified.

Security And Encryption

Cloud Automation Platform provides support for increased security to meet standards and requirements of IT departments and large enterprises. Cloud Automation Platform security features include:

- Increased security for passwords (key lengths and encoding)
- Support for 2-way secure communication between agents and platform
- Support for encrypted SQL connections (specify during installation)
- Obfuscate identifiers in web request resources
- Optional regular expression entries to generate query string input validation error
- Hidden password entry on vcsadmin login

Review the following sections for information about configuring certain security options.

Configuring 2-way Secure Communication

To configure the Cloud Automation Platform environment to use 2-way secure communication (SSL), follow these steps:

1. Install the Platform components. See Product Installation on page 49 for details.

   Note: (Altiris only) During an upgrade (but not during a fresh installation) of the Agent Services component of the platform, you are prompted to upgrade all Windows Agents in the environment. After upgrading the Windows Agents on any Altiris Deployment Servers, resume the platform upgrade. Additionally, any Windows and Linux guest agents in Altiris physical images must be upgraded.

2. Configure IIS for secure communication on the computer running the Agent Services (agent message forwarder):
   - Enable the SSL port for the Default Web Site
   - Configure the Default Web Site with a certificate
3. Before pooling any hosts, use vcsadmin to set the configuration setting DefaultMsgRoute to specify the https scheme. For example:
4. In the Windows Agent configuration file, set the MyMailbox configuration value to specify the https scheme.
5. Restart all Quest CAP Agents.

   Note: For an upgrade or for a time period after a fresh install, schedule a maintenance window for all hosts that have NAIL Servers and follow step 3 and step 4. Restart the Agents and the NAIL Servers.
6. Upgrade Altiris Guest Agents: If your environment includes Altiris physical images (.img), you will need to upgrade the guest agents in each image:
   A. Start the physical image.
      - Deploy an application using the physical image using the Cloud Automation Platform system.
      - Use Altiris DS directly to start the image.
   B. Upgrade the physical agent.
      - Linux: rpm -U linux-phy-agent <build#>.i386.rpm
      - Windows: Surgient_Image_Tool.exe
   C. (Linux and Windows images) In the Agent configuration file, set the my_mailbox/mymailbox configuration value to specify the https scheme.
   D. Start the agent.
   E. Save the updated image.

      - Perform a Save As on the session and then copy the saved image file to its permanent location in a library.
      - Use Altiris DS directly to save the image to its permanent location in a library.

Validating Query Strings

Optionally, Cloud Automation Platform can validate query string inputs to check against XSS (cross-site scripting) vulnerabilities. To configure the validation properties, open the web.config file, which by default is installed in the following location:

C:\Program Files\Quest Software\CAP\Web\web.config

RequestValidation.Enabled

Strings included in the URL of the Cloud Automation Platform web application and entered into the fields on the pages of the web application are validated if the RequestValidation.Enabled configuration is set to true. By default, it is set to false.

RequestValidation.GetRegEx

The RequestValidation.GetRegEx configuration setting can be used to define a pattern that, if matched in the URL, causes an error page to be displayed.

RequestValidation.PostRegEx

The RequestValidation.PostRegEx configuration setting can be used to validate strings entered in the fields on the web application pages.

Choosing a Windows Account for the Agent Service (Altiris)

Each Altiris Deployment Solution server must have a Quest CAP Agent installed. The agent runs as a service, displayed in the Services panel as Quest Software Service Agent for Altiris Deployment Solution.
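For the RequestValidation.GetRegEx setting described under Validating Query Strings, a candidate pattern can be dry-run before it goes into web.config. The following is an added example, not part of the Quest guide: the pattern and all sample query strings are constructed, and because the guide does not say whether the platform matches the raw URL or the URL-decoded value, the script reports both.

```powershell
# Added example (not from the Quest guide): dry-run a candidate deny pattern
# for RequestValidation.GetRegEx. Pattern and samples are constructed.
# Assumption: the platform evaluates the pattern with the .NET regex engine.
$candidate = '(?i)<\s*/?\s*(script|iframe|object|embed)\b' +
             '|\bon(load|error|click|mouseover|focus)\s*=' +
             '|javascript\s*:'

# Constructed query strings. Block = $true means the request should be rejected.
$samples = @(
    @{ Query = 'view=sessions&sort=online&page=2';          Block = $false },
    @{ Query = 'name=O%27Brien+%26+Sons';                   Block = $false },
    @{ Query = 'note=use+the+%3Cb%3Ebold%3C%2Fb%3E+tag';    Block = $false },
    @{ Query = 'name=<script>alert(1)</script>';            Block = $true  },
    @{ Query = 'name=%3Cscript%3Ealert(1)%3C%2Fscript%3E';  Block = $true  },
    @{ Query = 'img=x%22%20onerror%3D%22alert(1)';          Block = $true  },
    @{ Query = 'next=JaVaScRiPt%3Aalert(1)';                Block = $true  }
)

function Get-Verdict {
    # Compare what the pattern did with what the sample requires.
    param([bool]$ShouldBlock, [bool]$Matched)
    if     ($ShouldBlock -and $Matched) { 'caught' }
    elseif ($ShouldBlock)               { 'MISSED' }
    elseif ($Matched)                   { 'FALSE POSITIVE' }
    else                                { 'ok' }
}

function Test-ValidationPattern {
    param([string]$Pattern, [object[]]$Samples)
    $rx = New-Object System.Text.RegularExpressions.Regex -ArgumentList $Pattern
    foreach ($s in $Samples) {
        # Decode once, the way a web server does before handing values to a page:
        # '+' becomes a space, %XX becomes the character it encodes.
        $decoded = [Uri]::UnescapeDataString(($s.Query -replace '\+', ' '))
        New-Object PSObject -Property @{
            Query          = $s.Query
            ShouldBlock    = $s.Block
            RawVerdict     = (Get-Verdict $s.Block $rx.IsMatch($s.Query))
            DecodedVerdict = (Get-Verdict $s.Block $rx.IsMatch($decoded))
        }
    }
}

Test-ValidationPattern -Pattern $candidate -Samples $samples |
    Select-Object Query, ShouldBlock, RawVerdict, DecodedVerdict |
    Format-Table -AutoSize
```

A row that reads MISSED under RawVerdict but caught under DecodedVerdict means the pattern only works if matching happens after URL decoding; confirm which form the platform matches against, or extend the pattern to cover percent-encoded forms, before relying on it.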

Considerations

Review the following considerations when determining which account to use for the Agent service:

- If the computer on which you install the Quest CAP Agent is a member of a domain, the user name and password should be for a domain account.
- For computers that are not in a domain, the same Windows user account must exist with the same password on every server/host where you install the agent.
- Every agent service must be configured to run under the same account.
- The account must have read/write access to the System Library location.
- The account must be a member of the local Administrators group (not necessarily Domain Administrators). A Domain User that is in the local Administrators group is preferred.
- The password rules for the account must be configured to never expire.

Using the vcsadmin Utility

The vcsadmin utility is a command line tool used to modify the Platform settings.

1. Launch the vcsadmin utility by double-clicking the vcsadmin.exe file in the installation directory on the CAP Core server. By default, this directory is: Program Files/Quest Software/CAP/Platform
2. When the vcsadmin utility opens, log on by typing the following and then pressing Enter:

   login <username> <password>

   OR

   login -o <organization> <username> <password>

   By default, the username is admin. The password is the administrator password that was defined during the Platform installation.

   Note: If you do not want to type out your password in clear text, enter only your user name and press Enter. You will then be prompted to type your password, but it will not be displayed on the screen. For example:

   login <username>

   OR

   login -o <organization> <username>

3. After logging on, type the appropriate command and then press Enter. Typically, if you are setting an advanced configuration setting, the syntax is as follows:

   configset Name.Of.ConfigurationSetting=<x>

   where x is the value that you want to set.

To view all of the configuration settings and possible values, use the configlist command or open the CAP web interface and click Configuration under System Settings in the left navigation pane.

When in vcsadmin, type help and press Enter to display a list and description of all commands.

To get the list of available commands that start with a prefix, type help <prefix> where prefix is the first part of the command. For example, type help appsession to get all the commands that start with appsession.

To get help on a specific command, type help <command> where command is the name of the specific command for which you want Help. For example, type help appsessionlist to get more information about the command appsessionlist.


3 Product Installation

This chapter provides instructions for installing the Cloud Automation Platform.

- Installation Scenario Overview on page 50
- Installing the Core Services on page 52
- Installing the Agent Services on page 61
- Installing the Web Application and Solutions on page 67
- Installing the SOAP API on page 71
- Installing the Advanced Enterprise Pack (Optional) on page 75
- Installing the Quest CAP Agent (Altiris) on page 77
- Installing the CLI Client on page 86
- Launching the Web Interface on page 87

Installation Scenario Overview

After using the information and checklist in the previous chapter to define and set up your network, use the instructions in this chapter to install each of the following:

- CAP Core components:
  - Core Services: Platform server and main services
  - Agent Services: Agent Message Forwarder, Remote Server Manager Service, Agent Message Processor
  - Web Applications: CAP web interface, QA/Test Solution
  - SOAP APIs (required for integration with certain third-party products)
- NAIL Server (Optional, used for network address translation, cloning of images, and advanced networking capabilities)
- Quest CAP Agent (Optional, required on Altiris server if implementing physical provisioning)

The four main components of the CAP Core are all included in a single installation file, Setup.exe. The CAP Core components include the main functionality of Cloud Automation Platform; optional additional installations include the NAIL Server components, Quest CAP Agent (for Altiris), and the URA Gateway Server. (For more information about the URA Gateway, see Installing and Configuring the URA Gateway Server on page 112.)

To use the NAIL Server functionality for advanced networking, run the AdvancedEnterprisedPack.exe installation program (see Installing the Advanced Enterprise Pack (Optional) on page 75). Using NAIL server functionality allows you to deploy multiple concurrent instances of a VM or physical server without network conflicts. Most advanced networking and cloning capabilities of Cloud Automation Platform use NAIL Server. For more information, see NAIL Overview on page 163.

The following sections provide instructions for installing each CAP Core component separately, in support of a scenario in which one or more components are installed separately, on different physical or virtual computers.

Note: Alternatively, you can install all four CAP Core components on the same computer, if your environment is small enough.

By default, the Cloud Automation Platform software is installed in C:\Program Files\Quest Software\CAP\Platform. You can choose a different destination directory during the install process. Platform log files are written to the \logs subdirectory in the destination directory.

Once you have completed the installation, see the online Help for information about using the System Diagnostic Test to verify your installation.

Note: For information about supporting a custom configuration of Microsoft IIS, see Installation for a Secure IIS Service Account on page 222.

Workflow Summary

The following steps provide an overview of setting up your Cloud Automation Platform environment:

1. Install the four CAP Core components on one or more servers. See page 52 for installation instructions.
2. (Optionally, if using NAIL Server for advanced networking) Run the AdvancedEnterprisedPack.exe installation program. See page 75 for installation instructions.
3. (Optionally, if either WRDP or VNC will be used for remote access) Run the AdvancedEnterprisedPack.exe installation program. See page 75 for installation instructions.
4. (Optionally, if using Altiris for physical provisioning) Install a Quest CAP Agent on the Altiris Deployment Server. For more information, see Installing the Quest CAP Agent (Altiris) on page 77.
5. (Optionally, if VMware vCenter integration is planned) Refer to Additional Considerations on page 20.

Installing the Core Services

Note: The Core Services must be installed first, before any of the other CAP Core components.

To install the Core Services component, perform the following steps:

1. From the installation media, double-click Setup.exe to launch the Platform Installer.

   Note: If an Open File Security Warning message appears, click Run.
2. Click Next to view the License Agreement page.
3. Read the end user license agreement (EULA). To print a copy of the agreement, click Print.
4. Click I accept the terms of the license agreement.
5. Click Next to view the Installation Type page.
6. Click Standard.
7. Click Next to view the Components To Install page.

   The amount of disk space required for the installation and the amount of space available on the currently selected disk are both shown. To view the amount of space available on your other disks or to specify a different disk for the installation, click Disk Space.
8. Ensure that Core Services is the only selected check box.
9. Optional: To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\Platform, click Browse.

10. Click Next to view the Operational Database page.

    The operational database stores information associated with real-time processes and functions.
11. Specify the following information for the operational database:
    - A unique name for the database.
    - The DSN name of the server that will act as the database server. To select a server from a list of available servers, click Browse.
    - The authentication method to use while connecting to the database. To use SQL Server authentication, specify a logon ID and password. To use Windows authentication, check Use Windows authentication.
    - Whether to encrypt communication traffic between the platform server and the database. A certificate must already be in place.

12. Click Next to view the Reporting Database page, which is automatically populated with values derived from the information specified on the Operational Database page.

    The reporting database captures historical information to be used when generating reports.
13. Specify the following information for the reporting database:
    - A unique name for the database.
    - The DSN name of the server that will act as the database server. To select a server from a list of available servers, click Browse.
    - The authentication method to use while connecting to the database. To use SQL Server authentication, specify a logon ID and password. To use Windows authentication, check Use Windows authentication.
    - Whether to encrypt communication traffic between the platform server and the database. A certificate must already be in place.

14. Click Next to view the Database User Credentials page.
15. Optionally, specify a login ID and password for the Control Services to use when connecting to the database. Leave blank to use the default credentials. These credentials are used internally and will not be requested when using the product.

    Note: If the database password changes after the Cloud Automation Platform is installed, a CAP Platform Administrator will need to run the following command to change, encrypt, and store the updated password.

    1) Log into the platform server.
    2) In a command shell, change directory to the <install_directory>/platform location.
    3) Run db-config-manager.exe -cleartextpassword <password>

    If the password for the reporting database is different from the operational database, use the -configkey option to specify updates to the appropriate data source connection strings. For example, to update the password for the operational database, run the command db-config-manager.exe -cleartextpassword <password> -configkey DSN. (ReportingDSN is the option for connections to the reporting database.)

16. Click Next to view the Platform Administrator Password page.
17. Type a password for the platform administrator. Be sure to record the password; it will be required later in the installation process and when using the product.
18. Confirm the password by retyping it.
19. Click Next to view the Settings page.

    The information specified on this page defines who will receive the appropriate message when an error occurs.
20. Specify the following information:
    - The DSN name of the mail server, such as mail.mycompany.com.
    - The address to which messages will be sent.
21. Click Next to view the Start Copying Files page.
22. Verify that the appropriate components will be installed according to your specifications. To make a correction, click Back until you return to the appropriate page.
23. Click Next to install the Core Services. When the installation is finished, the Complete page opens.
24. Click Finish to quit the installer.

Installing the Agent Services

Note: For environments larger than 16 hosts, Quest Software recommends that the Agent Services component and the Core Services component are installed on different servers. Additionally, be aware that the Core Services must be installed first, before any of the other Platform components.

To install the Agent Services component, perform the following steps:
1. Double-click Setup.exe to launch the Platform Installer.
   Note: If an Open File Security Warning message appears, click Run. If you install a second component on a single computer, you will be prompted by the Setup Maintenance program. Select Modify to continue the install process. In this case, go to step
2. Click Next to view the License Agreement page.
3. Read the end user license agreement (EULA). To print a copy of the agreement, click Print.
4. Click I accept the terms of the license agreement.
5. Click Next to view the Installation Type page.
6. Click Standard as the installation type.
7. Click Next to view the Components To Install page.

   The amount of disk space required for the installation and the amount of space available on the currently selected disk are both shown. To view the amount of space available on your other disks or to specify a different disk for the installation, click Disk Space.
8. Ensure that Agent Services is the only selected check box.
9. Optional: To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\Platform, click Browse.
10. Click Next to view the System Information page.
11. Specify the following information:
    - The name or IP address of the computer on which you have installed the Core Services.
    - The platform administrator password that was specified during the Core Services installation.

12. Click Next to view the Service Configuration page. The Service Configuration page defines the authentication credentials that are used by the Remote Server Manager (included in the Agent Services component) to communicate with and manage Hyper-V virtualization file systems and hosts.
13. (Hyper-V only) Type a user name and password of the domain account under which the Remote Server Manager will run as a Windows service. This domain account must be a member of the Administrators group on both the computer on which the Agent Services component is installed and on the Hyper-V servers.
    At a later point, if needed, you can change the credentials. To do so, open the Services panel on the computer where you installed the Agent Services (which includes the RSM) and edit the Log On information for the Quest Software Remote Server Manager service.
    Note: Before using the Remote Server Manager it is important that you read the pre-installation information in Additional Considerations on page

14. Click Next to view the Library Configuration page.
15. Enter the path to the Images directory in the installation media.
16. Click Next to view the IP Address Selection page.
17. Type or select the IP address of the agent message forwarder, or mailbox. The agent message forwarder is installed with the Agent Services component of the platform, so this value is normally the IP address of the machine on which you are currently installing the Agent Services. Communications addressed to the mailbox will use this IP address.
18. Click Done to view the Start Copying Files page.
19. Verify that the appropriate components will be installed according to your specifications. To make a correction, click Back until you return to the appropriate page.
20. Click Next to install the Agent Services. When the installation is finished, the Complete page opens.
21. Click Finish to quit the Platform Installer.

Installing the Web Application and Solutions

The CAP web interface (accessed by entering a URL in a web browser) serves both as the administrator's interface to the Cloud Automation Platform, and as the portal for the Solution end-users. (See Launching the Web Interface on page 87 for details about opening the web interface after installation.)

If your environment is such that the CAP web interface users do not easily have network access to the CAP Core server, then you should install the web application component on a separate server. An environment can have multiple installations of the CAP web interface.

To install the web application, perform the following steps:
1. Double-click Setup.exe to launch the Platform Installer.
   Note: If an Open File Security Warning message appears, click Run. If you install a second component on a single computer, you will be prompted by the Setup Maintenance program. Select Modify to continue the install process. In this case, go to step
2. Click Next to view the License Agreement page.
3. Read the end user license agreement (EULA). To print a copy of the agreement, click Print.
4. Select I accept the terms of the license agreement.
5. Click Next to view the Installation Type page.
6. Select Standard as the installation type.
7. Click Next to view the Components To Install page.

   The amount of disk space required for the installation and the amount of space available on the currently selected disk are both shown. To view the amount of space available on your other disks or to specify a different disk for the installation, click Disk Space.
8. Ensure that Web Applications is the only selected check box.
9. Optional: To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\Platform, click Browse.
10. Click Next to view the System Information page.

11. Specify the following information:
    - The name or IP address of the computer on which you have installed the CAP Core server. If you have distributed the CAP Core server across multiple servers, specify the name or IP address of the one on which the Core Services component is installed. If you are installing the Web Application component on the same computer as the CAP Core server, type the name or IP address of the computer that you are logged on to.
    - The platform administrator password that was specified during the CAP Core server installation.
12. Click Next to view the URA Gateway Information page.

13. Optional: If you are installing the CAP web interface in an environment that utilizes a firewall, specify the host name or IP address of the Universal Remote Access (URA) gateway. For more information on the URA gateway, see Universal Remote Access on page
14. Click Next to view the Start Copying Files page.

15. Verify that the CAP web interface will be installed according to your specifications. To make a correction, click Back until you return to the appropriate page.
16. Click Next to install the CAP web interface. The Setup Status page displays the installation progress. When the installation is finished, the Complete page appears.
17. Click Finish to complete the Platform installation.

Installing the SOAP API

The SOAP API is a server-side component that is required for several Cloud Automation Platform integration products, such as the Add-In for HP Quality Center. The SOAP API is installed using the CAP Core installation program (Setup.exe).

To install the SOAP API component, perform the following steps:
1. From the installation media, double-click Setup.exe to launch the Platform Installer.
   Note: If an Open File Security Warning message appears, click Run.
2. Click Next to view the License Agreement page.
3. Read the end user license agreement (EULA). To print a copy of the agreement, click Print.
4. Select I accept the terms of the license agreement.
5. Click Next to view the Installation Type page.
6. Select Standard.
7. Click Next to view the Components To Install page.
   The amount of disk space required for the installation and the amount of space available on the currently selected disk are both shown. To view the amount of space available on your other disks or to specify a different disk for the installation, click Disk Space.
8. Ensure that SOAP APIs is the only selected check box.
9. Optional: To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\Platform, click Browse.
10. Click Next to view the System Information page.
11. Specify the following information:
    - The name or IP address of the computer on which you installed the Core Services component.
    - The platform administrator password that was specified during the Core Services installation.

12. Click Next to view the Start Copying Files page.
13. Verify that the appropriate components will be installed according to your specifications. To make a correction, click Back until you return to the appropriate page.
14. Click Next to install the SOAP API. The Setup Status page displays the installation progress. When the installation is finished, the Complete page opens.
15. Click Finish to quit the Platform Installer.

Installing the Advanced Enterprise Pack (Optional)

Use the AdvancedEnterprisePack.exe installation program to install the optional NAIL Server components and an optional Tight VNC component.

Important Considerations:

Before running the AdvancedEnterprisePack.exe program, verify that the following files have been placed on the computer where you are installing the Advanced Enterprise Pack. Each file is optional, and you can choose to skip any files that you do not have or do not want to install immediately. You can run the AdvancedEnterprisePack.exe program at any time to install additional files. However, to achieve the full functionality of the Advanced Enterprise pack, install all files.
    - ebtables_ _i386.deb
    - mkisofs.exe
    - ubuntu server-i386.iso
    - Java viewer for TightVNC 1.3 (vncviewer.jar)

Run the Advanced Enterprise Pack installation program on the same computer where you have already installed the Agent Services component and on all computers where you have installed the Web Applications component.

To install the Advanced Enterprise Pack components, perform the following steps:
1. From the installation media, double-click AdvancedEnterprisePack.exe.
2. Click Next to view the Choose VNC Optional Component Location page.
3. Enter or browse to the directory containing the vncviewer.jar file.
4. Click Next to view the Choose NAIL Server Optional Component Location page.

5. Enter or browse to the directory containing the following files:
    - ebtables_ _i386.deb
    - mkisofs.exe
    - ubuntu server-i386.iso
6. Click Next to view the Quest CAP Admin Password page.
7. Enter the Platform Admin password that was defined during the Cloud Automation Platform installation.
8. Click Next to view the Ready to Install page.
9. Click Install to begin the installation. When the installation is finished, the Complete page appears.

Installing the Quest CAP Agent (Altiris)

A Cloud Automation Platform agent must be installed on any Symantec Altiris Deployment Server if the server is used to manage virtualization hosts in the Cloud Automation Platform environment.

Note: The Cloud Automation Platform agent on virtualization hosts and library servers is no longer required nor supported. All hosts and library servers must be managed by the Remote Server Manager. Refer to the Upgrade Documentation and the Release Notes for additional information.

The following section describes how to install the agent on an Altiris server.

Note: Before installing the agent, review Choosing a Windows Account for the Agent Service (Altiris) on page 45 for important information about selecting an account for the agent service to run as.

Installing the Agent to Manage an Altiris Server

To install the agent on a server running the Altiris Deployment Server, perform the following steps.
1. From the directory containing the distribution files, double-click WindowsAgent.exe to launch the Agent installer.
   Note: If a File Download message appears, click Open.

2. Click Next to view the Agent Configuration page.
3. For the Agent Message Forwarder, specify the name or IP address of the computer on which you have installed the Agent Services component of the Platform.

4. Click Next to view the Setup Folder page.
5. Review the Destination Folder in which to install the agent. To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\Agent, click Browse.

6. Click Next to view the Altiris express Deployment Server Database page. Enter the Database Name and the Database Server of the database that the Altiris Deployment Solution uses. By default, the name of the database is express. For the name of the server, if the database is on the same computer as the Deployment Server, enter or browse to (local).
7. Click Next to view the Pre-Boot Linux OS File Path page.
   Note: If you previously installed the Cloud Automation Platform agent, and did not delete the Altiris Deployment Database that is created by the Platform, you will be prompted to reset the existing database for use with the new agent installation.

8. Enter the directory path to the appropriate pre-boot file (.frm) that is included with the installation media in the /Images directory.
    - For Altiris Deployment Solution version 6.8, navigate to this file: BDCgpl_ frm
    - For Altiris Deployment Solution version 6.9, navigate to this file: BDCgpl_ frm
9. Click Next to download the file and install the pre-boot program.

   After the file has been downloaded and installed, the Library Configuration page appears. A library location that contains Altiris files (.img) requires a Cloud Automation Platform agent to manage the use of the library images and files, as well as to facilitate communication between the CAP Core server, the web application, and any client computers. (Libraries for VMware and Hyper-V files are remotely managed by the Remote Server Manager.)
10. Provide the following information:
    - Location to create the library: enter the path to connect to the server that will serve as the library location host (where the Altiris images and files will reside).
      Note: The library location must be on a server to which all virtualization hosts that will use images from the library have access.
    - Location of the Images directory: the Images directory is located on installation media, and contains images and files that are necessary for the configuration of the Cloud Automation Platform environment. When you enter the location of the Images directory, the installation program copies the required files into the library location that you defined in the previous step.
11. Click Next to view the Service Configuration page.
12. Type a user name and password of a domain account under which the agent communicates with the Altiris Deployment Solution. If the Altiris Deployment Share is on the same computer as the Deployment Server (where you are installing the Quest CAP Agent), you can leave these fields blank and run as the Local System account.
13. Click Next.

    The Ready to Install page appears.
14. Click Install to begin the installation program.

    The Setup Status page appears.
15. When the installation is finished, the Complete page opens.
16. Click Finish to conclude the agent installation.

About the CLI Client

The Cloud Automation Platform CLI includes both a server component and a client component. The CLI client is an optional component that allows users to issue commands and run scripts on the CAP Core server from their remote computer. The SOAP API is a server-side component that allows users who have installed the CLI Client to issue commands and run scripts in order to integrate with the environment.

Note: The SOAP API must be installed on the CAP Core server before you can use the CLI Client. Use the Quest Cloud Automation Platform installation program (Setup.exe) to install the SOAP API. See Installing the SOAP API on page 71 for details.

Installing the CLI Client

To install the CLI client on a Windows computer, navigate to the installation media, and double-click QuestCAPSoapApiPowershell.exe to launch the installation wizard. During the installation process, you will be prompted to enter the IP address of the computer where you installed the SOAP API component. Optionally, when prompted, enter the following information:
    - User ID: Enter the ID that was defined during the installation of the CAP Core. By default, this user is admin.
    - Password: Enter the password for the user.
    - Org: Enter the Organization to which the user belongs.

Note: If an Open File Security Warning message appears, click Run.

By default, the CLI application and all supporting files are written to the following directory: C:\Program\Quest Software\CAP\SOAPAPIPowerShell

The sub-directory Examples under the above directory includes several utility and example scripts, to help you get started automating the environment.

Note: To view documentation for using the SOAP API, copy the SOAPAPIHelp.chm file in the installation directory above to your desktop, and double-click to open.

To launch the CLI Client, select Start => Quest Software => SOAP API Power Shell.

Launching the Web Interface

After you install Cloud Automation Platform, begin the setup process by logging on to the CAP web interface.

Note: (Altiris only) Verify that the Quest CAP Agent that you installed on any Altiris Deployment Server is running. To do so, view the Services panel to confirm that the agent is started (the service name is Quest CAP Agent).

To access the CAP web interface in Microsoft Internet Explorer or Mozilla Firefox, type the following URL in the web browser address bar: where <server> is the name or IP address of the server on which you installed the Core Services of the CAP Core in Product Installation on page 31.

When the Log On panel opens, enter the user name (by default the user name is admin) and the platform administrator password that you created during the Platform installation process.

Note: Before clicking Log On to open the CAP web interface for the first time, see Testing Your Web Browser on page 88.

Figure 2 Log On Panel

Testing Your Web Browser

Before logging on to the CAP web interface, Quest Software recommends that you test your web browser. To do so, click the Is your browser ready? link on the Log On panel. The Web Browser and Connectivity Test launches and runs several tests. As each test is completed, a message displays with the success or failure status.

If all tests are successful, close the Test browser window and return to the Log On panel for the CAP web interface. If any test failed, review the diagnostic information and make the required fixes.

4 Remote Access

Cloud Automation Platform Solutions allow software companies to simplify and automate the delivery of prepared software demonstrations and online software evaluations as well as online training labs and virtual test sessions. These solutions enable communication from a remote computer to a Cloud Automation Platform deployed virtual machine (VM) located behind a firewall.

This chapter contains detailed information on connecting to a deployed Cloud Automation Platform VM using a URA Gateway server. It also includes descriptions and typical workflows of the Web Browser and Connectivity Test and the Classroom Readiness Test.
    - Universal Remote Access on page 90
    - Web Browser and Connectivity Test on page 97
    - Classroom Readiness Test on page 98

Universal Remote Access

Universal remote access (URA) enables communication from a remote computer to a Cloud Automation Platform deployed VM located behind a firewall, using the following remote access protocols:
    - Microsoft's remote desktop protocol (RDP)
    - Linux's virtual network computing (VNC)
    - Citrix Independent Computing Architecture (ICA)
    - Console access

The available remote access types are determined by the method specified when creating the server configuration. If you specify multiple remote access methods for a server configuration, an application user can then select the method with which to connect to the remote desktop of the VM.

URA bypasses firewall-imposed restrictions by transforming the Cloud Automation Platform's remote packets into viable HTTP or HTTPS traffic. Once the packets have passed through the URA Gateway server, they are returned to their original state and forwarded to their destination without compromising the security of the network. The following components enable this process:
    - A local listening proxy (LLP) that is available in ActiveX and Java formats. As the origination endpoint of the URA tunnel, the LLP transforms the remote protocol packets as they leave or return to the workstation.
    - A URA terminal client for RDP, VNC, or Citrix environments, available in ActiveX and Java formats.
    - A URA Gateway server that complements the LLP, receiving the data required to establish connections to the appropriate destination server from the information embedded in the initiating requests. Functioning as the termination endpoint of the tunnel, the URA Gateway server returns the packets to their original state as RDP, VNC, Citrix, or Console packets.

When a user establishes a terminal or desktop connection to a Cloud Automation Platform VM from within a Cloud Automation Platform application, URA determines if the user's workstation is configured to use ActiveX or Java. The appropriate LLP and URA terminal client are automatically downloaded to and installed on a remote workstation. However, you must install the URA Gateway server -- either manually on a server that remote users can access by way of HTTP(S) or directly, using the appropriate URA terminal client's ports (for example, 3389 for RDP, 5901 for VNC, and so on). For information on ports, see Figure 5.

If complications prevent the LLP or URA terminal client from installing automatically on a remote workstation, they can also be installed manually. For details on installing the URA terminal client manually, see Installing the URA Terminal Client on page 121.

Note: If you install the LLP or URA terminal client manually, future upgrades to the downloadable content will not take place automatically. To upgrade content to an LLP or a URA terminal client that was installed manually, you must uninstall the proxy or client and then reinstall it.

Figure 3 URA Communication Paths

For the ActiveX components to function properly, ActiveX must be enabled in the user's browser settings. Similarly, Java must be enabled before the Java components can function correctly.

At that point, the URA components are ready for communication between the workstation and the destination VM. The destination VM must also be set up for the appropriate communication. The server image must have one of the following installed or enabled, depending on the chosen remote technology:
    - Microsoft RDP in a Windows environment
    - A supported VNC server installed in a Linux or Windows environment
    - A licensed Citrix server

Figure 4 shows the URA components installed on the end user's Windows or Linux workstation, the URA Gateway server, and on the VMs running a Windows or Linux image.

Figure 4 URA Components
[Figure labels: End user computers with CAP RDP (ms-rdp.ocx) or jrdp Applet, Smartcode VNC or TightVNC Applet, or Citrix, and a Local Listening Proxy (ActiveX or Java, MSJVM/Sun JRE); URA Gateway Server; Virtual Machines: Windows XP or 2003 with Windows RDP enabled, TightVNC Server, or Citrix installed; Linux server with Native VNC or RealVNC Server.]

Local Listening Proxy

The LLP is a signed, self-installing, and self-activating component that is downloaded, along with the URA terminal client, from the Cloud Automation Platform application server to the end user's workstation. Its main functions include:
    - Converting RDP, VNC, or Citrix packets to traffic that can pass through the firewall
    - Transforming packets coming into the workstation back to the original RDP, VNC, or Citrix packets

Depending on the capabilities of the web browser on the end user's workstation, the LLP can be implemented as either an ActiveX control or a Java applet. URA automatically tests the configuration of the user's machine to determine which implementation to use. The configuration settings determine which remote technology is to be used and the order in which URA tests the user's configuration.

The LLP can also support HTTP over SSL, which provides server-side authentication as well as message integrity and confidentiality. Before such support can be realized, however, a commonly issued commercial certificate that enables SSL must be installed on the gateway.

URA Terminal Client

The URA terminal client is automatically downloaded along with the LLP to the end user's workstation. Cloud Automation Platform provides URA terminal clients for RDP, VNC, and Citrix environments. These clients are available in ActiveX and Java format.

In RDP environments with ActiveX enabled, URA uses the Microsoft Remote Desktop Client. When ActiveX is disabled, Cloud Automation Platform provides a Java RDP (jrdp) client that enables many of the same capabilities seen in the ActiveX terminal client.

In a VNC environment, URA uses a Smartcode VNC component if ActiveX is enabled or a TightVNC applet for Java support. Color support is determined by configuration of the VNC server or by the display properties of the Linux workstation.

Citrix environments also have an ActiveX and a Java terminal client available for remote connections. Both Citrix clients support full color.

For installation instructions, see Installing the URA Terminal Client on page 121.

URA Gateway Server

As shown in Figure 4, the URA Gateway server brokers the data transmitted between the LLP and the destination VM. It accomplishes this task by transforming the packets that arrive from the LLP and forwarding them to the appropriate destination VM. Conversely, the URA Gateway server also transforms all returning traffic sent from a destination VM and forwards it to the LLP.

The URA Gateway server can receive hundreds of concurrent requests, some coming in from the end user and some going out from the destination VM. To facilitate this level of traffic, the URA Gateway server utilizes the following pair of directional channels:
    - An upstream channel that delivers keyboard and mouse commands from the user to the destination VM.
    - A downstream channel that carries the video traffic returning from a destination VM to the end user.

To set or change the URA Gateway server's IP address, use the vcsadmin tool to modify the Ura.GatewayServerIp configuration value. See Using the vcsadmin Utility on page 46.

For installation instructions, see Installing and Configuring the URA Gateway Server on page 112.

Accessing a Deployed VM

There are four methods from which an end user can choose to connect to a deployed Cloud Automation Platform VM using the URA Gateway server.

Cloud Automation Platform employs a failover mechanism that opts for each method in the following order:

1. Direct access - The fastest connectivity option, direct access bypasses the URA Gateway server. Of the four connectivity methods, direct access offers the highest performance. Typically, direct access is employed when end user machines reside in the same physical location as and inside the firewall of the deployed VM. Occasionally, an end user chooses direct access for a machine outside the firewall of the deployed VM; such a connection requires all RDP traffic be allowed through the firewall.

2. Socket proxy - The second fastest connectivity option, a socket proxy connection is a port socket redirect by the URA Gateway server that passes packets from the client computer to the Cloud Automation Platform deployed resource. Socket proxy requires either using port address translation (PAT) on the firewall or setting up the normal port for the connectivity method. Socket proxy can service other destination ports for multiple remote access types (such as VNC, Citrix and ESX console). However, for socket proxy to support more than one connectivity method at a time, port redirects are required.

   The actual connection starts with the Cloud Automation Platform LLP on the client machine. (See Universal Remote Access on p. 104.) This LLP creates a connection to the socket proxy server on the target port. In the recommended configuration, the firewall translates the incoming connection from the target port to port 9999 and sends the packets off to the URA server. Once the LLP connects to the socket proxy, the LLP requests that the socket proxy create a connection to the target resource IP. Once the connection is created, the remote control utility is hooked up to the connection to allow access to the Cloud Automation Platform.
   Since socket proxy use does not incur the overhead involved in HTTP/HTTPS tunnels, it is a preferred connection method for both bandwidth- and latency-constrained connections. In some companies, HTTP/HTTPS tunneling is not allowed, or the local web proxies cannot handle the long-term, high-bandwidth RDP tunnels. In many cases, network administrators do not block outgoing remote access ports when you use the correct port for that protocol, such as 3389 for Remote Desktop Protocol (RDP).

3. HTTP tunneling - The third fastest connectivity option, HTTP tunneling over port 80 offers a conduit for remote access protocols to traverse firewalls using the web.

4. HTTPS tunneling - The slowest connectivity option, HTTPS tunneling over port 443 offers the same conduit as HTTP tunneling with the confidentiality of Transport Layer Security (TLS).

Note: Functioning as the termination endpoint of the tunnel, the URA Gateway server returns the packets to their original state as RDP, VNC, Citrix, or Console packets, regardless of which connectivity method is used.

Figure 5 Cloud Automation Platform End User Connectivity

Web Browser and Connectivity Test

The Web Browser and Connectivity Test (formerly named URT) verifies whether a Web browser is configured to utilize the URA solution. When a user logs on to a Solution or the CAP web interface, he or she has the option of clicking the Is Your Browser Ready? link that appears on the Log On panel.

Note: The Is Your Browser Ready? link can also be featured on a Web site, included in an email message, or delivered by any other method you deem appropriate.

If a user clicks this link, a test is conducted on the browser. When a browser passes the test, a message informs the user that the browser is configured to successfully use URA. Conversely, when a tested browser is not configured to utilize URA, the user is provided with the steps necessary to remedy the situation.

The Web Browser and Connectivity Test also measures a network's bandwidth and compares it with a set of defined performance ranges. If the amount of available bandwidth is high enough to fall within the passing range, the network passes the test. If the measurement falls within the range that is associated with failing, the network fails the test.

The Web Browser and Connectivity Test requires no installation. However, you might need to set or change some of its configuration settings. See Editing Web Browser and Connectivity Test Configuration Settings on page 133.

For instructor-led sessions and other scheduled events, the Web Browser and Connectivity Test must be run in advance on all participating machines. For on-demand events, however, the Web Browser and Connectivity Test can be either run in advance or integrated with the user registration and sign-up processes. Such on-demand events include activities like self-paced training and online product evaluations.

The typical workflow for a user readiness test is as follows:
1. The Platform administrator configures the Web Browser and Connectivity Test to make it available to the appropriate users.
2. The user conducts the connectivity test and returns the results to the Platform administrator.

112 3. The Platform administrator analyzes the test results. Note: The Web Browser and Connectivity Test must be re-run on a user s computer whenever the computer configuration, network connection, or location changes (for instance, if a student uses his laptop at work and home). Classroom Readiness Test The CRT works with the Training Solution to measure the connectivity and performance characteristics of a physical classroom where hands-on training is scheduled to occur. More precisely, CRT measures the bandwidth and latency values of the classroom s network and compares them with established ranges to determine whether they are favorable, unfavorable, or merely adequate for your classroom needs. The CRT application is automatically installed on the application server when the Training Solution is installed, and testers connect to the CRT application by way of a URL that the Platform administrator or class instructor provides. After a tester connects to the CRT application by way of this link, he or she specifies the following information: The number of students expected to participate in the class The desired quality of the classroom sessions While the CRT Load Test server uses this information to generate bandwidth load, the CRT client is automatically downloaded to the workstation, where it measures the bandwidth and conducts tests on network latency. Upon completion of the readiness test, the tester can send the results to a Platform administrator by way of an message from the test page. Note: Test results can be sent in an message only if a value for the CRT. .DefaultAddresses configuration setting has been specified in the Platform. This procedure is performed using the vcsadmin command-line utility. See Editing CRT Configuration Settings on page 139. If the test passes, the classroom is declared ready for use. If the classroom does not pass the test, the Platform administrator analyzes the results and recommends a solution. 
98 Installation and Administration Guide

Note: A URA Gateway server and a CRT Load Test server must not be installed on the same machine because load testing can interfere with interactive users accessing virtual machines. See Installing the CRT Load Test Server on page 135 for installation directions.

If complications prevent the CRT application from installing itself automatically on a tester's workstation, you can install the CRT application manually. See Installing the CRT Application on page 137 for instructions.

The typical workflow for the classroom readiness test includes the following:

1. The Platform administrator installs and configures CRT and then delivers the CRT web address to the classroom tester. Ideally, the person who runs CRT has access to information about the network path to the Internet that the classroom machines take, including any routers, firewalls, or proxy servers that are in place.
2. The tester conducts the readiness test and e-mails the results to the Platform administrator.
3. If the test passes, the classroom is ready. If the classroom does not pass the test, the Platform administrator analyzes the CRT results and recommends a solution.

Remote Access Solution System Requirements

Depending on the configuration of your network and the needs of your customers, remote access solution system requirements can affect how you set up a Cloud Automation Platform environment. The following sections discuss these requirements as well as other objectives and conditions that must be considered while planning an installation of Cloud Automation Platform Solutions that requires remote access.

The following sections provide instructions for ensuring that you are fully prepared to address any potential challenges:

- Universal Remote Access (URA) Gateway Server Prerequisites on page 100
- Web Browser and Connectivity Test Prerequisites on page 101
- Classroom Readiness Test (CRT) Prerequisites on page 108
- Socket Proxy Gateway Server Prerequisites on page 111

Universal Remote Access (URA) Gateway Server Prerequisites

The minimum hardware and software requirements for the URA Gateway server are as follows:

- 1 GHz Pentium 4
- 1 GB RAM
- Microsoft Windows Server 2003 SP2 (Enterprise, Standard, or Web)
- Microsoft Windows Server 2008 R2
- Microsoft .NET Framework 3.5 SP1
- Microsoft IIS 6.x or 7.x with ASP.NET enabled

Note: The URA Gateway server and CRT Load Test server must not be installed on the same machine because load testing can interfere with interactive users accessing virtual machines.

For more information about the system requirements for the CRT Load Test server, see CRT Load Test Server Minimum Requirements on page 108.

Web Browser and Connectivity Test Prerequisites

The requirements for a successful session are as follows:

- One of the following browsers:
  - Microsoft Internet Explorer 7.0 or 8.0 with cookies enabled. On 64-bit Windows operating systems, you must use the 32-bit version of Internet Explorer, which is the default browser on these systems.
  - Mozilla Firefox 3.0 or 3.5 with cookies enabled
- Browser support for frames
- Enabled pop-ups and cookies
- Enabled JavaScript and VB Script
- Enabled Java Applets and/or Microsoft's ActiveX controls
- Java 2 Platform Standard Edition (J2SE) version 1.4.2_ (available from for Microsoft Windows
- Java 2 Platform Standard Edition (J2SE) version (available from for Linux
- Java 2 Platform Standard Edition (J2SE) version 1.5 (included in Mac OS X)
- Network bandwidth exceeds 80 KB/s per machine

The following topics provide more detailed information on the Web Browser and Connectivity Test requirements.

Testing Your Web Browser

If the Web browser test fails, ensure that you are using Internet Explorer 7.0 or 8.0, or Mozilla Firefox 3.0 or 3.5.

Note: If you are using Internet Explorer, and the connection to a Citrix server fails, you might need to add the Citrix server to Internet Explorer's Trusted Sites zone. See Adding an Entry to Your Trusted Sites Zone on page 107.

Verifying Support of Frames

The frames test verifies whether your Web browser supports HTML frames. If this test fails, you are most likely using a Web browser that does not support HTML frames. Upgrade to Internet Explorer 7.0 or 8.0, or Mozilla Firefox 3.0 or 3.5.

Disabling Pop-Up Blockers

Performing the Web Browser and Connectivity Test requires that you disable all pop-up blockers. Disable pop-up blocking in any third party extensions to your browser, such as Yahoo!, Google, or Windows Live toolbars.

To disable the Internet Explorer pop-up blocker, perform the following steps:

1. Click Tools => Internet Options.
2. Click the Privacy tab.
3. Under Pop-up Blocker, ensure that the Turn on Pop-up Blocker check box is unchecked.
4. Click OK.

To disable the Mozilla Firefox pop-up blocker, perform the following steps:

1. Click Tools => Options.
2. Click the Content icon and ensure that the Block Popup Windows check box is unchecked.
3. Click OK.

Enabling Active Scripting

The scripting test verifies whether your Web browser has Javascript and other active scripting options enabled. If this test fails, ensure that your browser has Javascript (or other active scripting options) enabled.

To enable Javascript/VBscript in Internet Explorer, perform the following steps:

1. Click Tools => Internet Options.
2. Click the Security tab.
3. Under Security level for this zone, click Custom Level.
4. Under Scripting, ensure that the following options are enabled:
   - Active scripting
   - Scripting of Java applets
5. Click OK.
6. Click OK.

To enable Javascript in Mozilla Firefox, perform the following steps:

1. Click Tools => Options.
2. Click the Content icon and select the Enable Javascript check box.
3. Click OK.

Ensuring Your Browser Supports Setting of Cookies

If the cookies test fails, ensure that your Web browser supports the setting of cookies.

To enable cookies in Internet Explorer, perform the following steps:

1. Click Tools => Internet Options.
2. Click the Privacy tab.
3. Under Settings, click Sites.
4. In the Address of Website field, type the URL for the host of your solution (for example, *.demoservers.com).
5. Click Allow.
6. Click OK.
7. Click OK.

To enable cookies in Mozilla Firefox, perform the following steps:

1. Click Tools => Options.
2. Click the Privacy icon.
3. Under Cookies, select the Accept cookies from sites check box.
4. Click OK.

Enabling ActiveX or Java for Embedded Content

Embedded content includes Microsoft's ActiveX controls and Java Applets. If this test fails, enable your Web browser's ActiveX or Java options as instructed below. In some cases, you might need to contact your administrator to change these settings.

To enable the appropriate ActiveX controls and plug-ins in Internet Explorer, perform the following steps:

1. Click Tools => Internet Options.
2. Click the Security tab.
3. Under Security level for this zone, click Custom Level.
4. Under ActiveX controls and plug-ins, set the value for Download signed ActiveX controls to Prompt.
5. In the same section, ActiveX controls and plug-ins, ensure that the following options are enabled:
   - Run ActiveX controls and plug-ins
   - Script ActiveX controls marked safe for scripting
6. Click OK.
   Note: If a message asks you to confirm the change in security settings for this zone, click Yes.
7. Click OK.

To enable Java in Internet Explorer, perform the following steps:

1. Click Tools => Internet Options.
2. Click the Advanced tab.
3. Under Java (Sun), select Use Java 2/JRE vx.x.x for <applet> (requires restart).
4. Click OK.

To enable Java in Mozilla Firefox, perform the following steps:

1. Click Tools => Options.
2. Click the Content icon and select the Enable Java check box.
3. Click OK.

Determining the Best Connection Type

The connection test uses different remote-access methods to determine whether ActiveX or Java is the connection type better suited for your computer and Internet connection. During this test, your Web browser will download several pieces of embedded content. These pieces are safe and cannot interfere with any part of your computer or browser. You will need to read and accept the security notifications during this process.

If your connection test fails and network restrictions prevent you from downloading the requisite ActiveX control or Java applet, you will be unable to access the application. Contact your administrator to obtain permission to download either the ActiveX control or the Java applet.

Measuring Bandwidth

The bandwidth test measures the amount of data that can be transmitted within a set amount of time. A high bandwidth indicates a fast connection, which helps create a more satisfying user experience. A low bandwidth, however, indicates a slow connection that can result in a sluggish performance, delays, and a frustrating overall experience.

A minimum bandwidth value of 25 KB/sec is required to successfully pass the test. Test results indicate Slow, Acceptable, or Preferred bandwidth. The ranges are as follows:

- Minimum Bandwidth = 25 KB/sec
- Acceptable Bandwidth = KB/sec
- Preferred Bandwidth = 100 KB/sec and above

If the bandwidth test fails because your connection is slow, use a different computer, Web browser, or network to connect to the Internet. After you successfully establish a connection, access the Web Browser and Connectivity Test page and run the test again.

Adding an Entry to Your Trusted Sites Zone

It might be necessary to add an entry to the Trusted Sites zone, informing your Web browser that the site to which you are attempting to connect can be trusted not to harm your system.

To add an entry to your browser's Local Intranet zone in Internet Explorer, perform the following steps:

1. Click Tools => Internet Options.
2. Click the Security tab.
3. Click Trusted sites.
4. Click Sites.
5. In the Add this Website to the zone field, type the URL for the host of your solution (for example, *.demoservers.com).
6. Ensure that Require server verification (https:) for all sites in this zone is unchecked.
7. Click Add.
8. Click OK.
9. Click OK.

Java Platform

Cloud Automation Platform Solutions support Java 2 Platform Standard Edition (J2SE) version 1.4.2_ for Microsoft Windows, version for Linux, and version 1.5 for Mac OS X.

Classroom Readiness Test (CRT) Prerequisites

Note: If you intend to run the CRT, you must install the CRT Load Test server. Although a URA Gateway server must also be installed on your network, it cannot reside on the same machine as the CRT Load Test server because load testing can interfere with interactive users accessing virtual machines.

It is recommended that you identify the DNS name and IP address of the server that you intend to use as the CRT Load Test server and record these values. These values are necessary when you install the CRT application.

CRT Load Test Server Minimum Requirements

The minimum hardware and software requirements for the CRT Load Test server are as follows:

- 1 GB RAM
- Microsoft Windows 2003 Server SP2 (Standard, Enterprise, or Web)
- Microsoft Windows Server 2008 R2
- Microsoft .NET Framework 3.5 SP1

Note: Because a URA Gateway server can receive hundreds of concurrent requests and load testing can interfere with interactive users accessing virtual machines, a URA Gateway server must not be installed on the same machine that hosts a CRT Load Test server.

CRT Requirements

The requirements for a successful classroom simulation are as follows:

- Internet Explorer 7.0 or 8.0 on Windows XP or later. Cloud Automation Platform applications support Internet Explorer and Mozilla Firefox. However, the CRT runs on Internet Explorer only.
- Access to the same network environment in which the class is going to be conducted

Ideally, you would run the CRT from the classroom where the class will be conducted, at the same time of day that the class is scheduled to occur. If you cannot run CRT from a student machine, run the test from a 2 GHz or better machine or an equivalent laptop that meets the following criteria:

- connected on the same LAN and configured to use the same routing, firewalls, and proxy servers as the classroom machines
- can sufficiently process the network load of the student lab against the virtual machine network

Note: The requirements for the CRT test machine are not related to the requirements for the student machines. The network load being generated from the computer that runs CRT simulates the network load generated by a classroom of student systems. If the system from which the test is conducted is not fast enough to generate the required network load, the test results may falsely report a test failure.

Note: For CRT testing, it is recommended that you do not use a laptop with a wireless connection if the classroom utilizes desktop computers with wired connections. The purpose of the test is to measure the classroom experience under the same conditions and network demands as a live class.

CRT requires enabled ActiveX controls to establish the test connection. If your Internet Explorer Security settings are set to High or have been customized, you might need to install the ActiveX control manually.

To enable the appropriate ActiveX controls and plug-ins in IE, perform the following steps:

1. Select Tools => Internet Options.
2. Click the Security tab.
3. Under Security level for this zone, click Custom Level.
4. Under ActiveX controls and plug-ins, set the value for Download signed ActiveX controls to Prompt.
5. In the ActiveX controls and plug-ins section, ensure that the following options are enabled:
   - Run ActiveX controls and plug-ins
   - Script ActiveX controls marked safe for scripting
6. Click OK.
   Note: If a message asks you to confirm the change in security settings for this zone, click Yes.
7. Click OK.

Socket Proxy Gateway Server Prerequisites

The minimum hardware and software requirements for the socket proxy Gateway server are as follows:

- 1 GHz Pentium 4
- 512 MB RAM (note the amount of RAM per expected connection)
- Microsoft Windows Server 2003 SP2 (Enterprise, Standard, or Web)
- Microsoft Windows Server 2008 (Data Center, Enterprise, or Standard)
- Microsoft .NET Framework 3.5 SP1
- Microsoft IIS 6.x or 7.x with ASP.NET enabled

Installing and Configuring the URA Gateway Server

For system requirements, see Universal Remote Access (URA) Gateway Server Prerequisites on page 100. For more detailed information about the URA Gateway, see Universal Remote Access on page 90.

The URA Gateway server brokers the data that is transmitted between the LLP and the destination Cloud Automation Platform VM. It accomplishes this task by transforming the packets that arrive from the LLP and forwarding them to the appropriate destination VM. Conversely, the URA Gateway server also transforms all returning traffic sent from a destination VM and forwards it to the LLP.

Note: Because a URA Gateway server can receive hundreds of concurrent requests and load testing can interfere with interactive users accessing virtual machines, a URA Gateway server must not be installed on the same machine that hosts a CRT Load Test server.

Note: The URA Gateway server must be accessible externally by Cloud Automation Platform users.

Note: By default, when Cloud Automation Platform administrators install the URA Gateway server, the socket proxy component is also installed. The default path for socket proxy installation and configuration files is C:\Program Files\Quest Software\CAP\URAGateway\SocketGateway.

To install and configure the URA Gateway server, perform the following steps:

1. From the installation media, navigate to the RemoteAccess directory, which is located in the DiskImage directory. Double-click URAGateway.exe to launch the Install URA Gateway Wizard.
   Note: If an Open File Security Warning message appears, click Run.
2. Click Next to view the Setup Type page.

3. Select either Named or Typical as the setup type.
   Named: For environments with multiple, locale-specific gateways. Using named gateways, each user can specify a preference for a particular gateway. For example, all users in Australia could be configured to use a gateway in Sydney. If you select Named, you are prompted to provide the Platform password that was defined during the Platform installation.
   Note: If you define Named gateways, you will need to use the Platform web interface to modify each user account to specify which Gateway the user accesses. This should be done after installing the gateway but before users access the named URA Gateway. Refer to the online Help topic called Editing a User Account.
   Typical: If your environment only has one gateway (the default gateway defined during the Platform installation), select Typical. If you select Typical, skip to step 8.
4. (Named Gateway option only) If you selected Named, click Next to view the System Information page.

5. (Named Gateway option only) Specify the following information:
   - The name or IP address of the computer on which you have installed the Core Services (Core Services is a component of the Platform). Refer to Installing the Core Services on page 52 for more information.
   - The platform administrator password that was specified during the Core Services installation.
6. (Named Gateway option only) Click Next.
7. (Named Gateway option only) On the URA Gateway Name page, enter the name for this gateway. This defines and creates the new named gateway.

8. Click Next to view the Choose Destination Location page.

9. Optional: To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\URAGateway, click Browse.
10. Click Next to view the Start Copying Files page.
11. Verify that the URA Gateway server will be installed according to your specifications. To make a correction, click Back until you return to the appropriate page.
12. Click Next to install the URA Gateway server. The Setup Status page appears.
13. On the Complete page of the Install URA Gateway Wizard, click Finish. After the URA Gateway server installation is complete, the URA Gateway Configuration dialog box opens.

Note: The URA Gateway server configuration consists of a list of approved servers. Approved servers are remote servers with which the URA Gateway server will broker a connection for Cloud Automation Platform user communication.

14. Add to the list of approved servers each remote server with which the URA Gateway server will broker a connection. The following identifiers can be used to specify a server:

   Host name
   You can use regular expression (regex) wildcards to specify more than one host name. For example, to describe a host whose exact name is system, specify a host name of system. To describe every host whose name contains the string system, specify a host name of .*system.*.

   The following table lists some of the more common regex operators.

   Regex Operator    Matches...
   .                 Any one character
   ?                 The preceding element zero times or one time
   *                 The preceding element zero or more times
   +                 The preceding element one or more times
   ^                 At the start of the line
   $                 At the end of the line

   IP address range
   To grant a range of IP addresses access to the URA Gateway server, specify the first and last addresses in the range.

   IP subnet

   Unique IP address
   To grant a virtualization host access to the URA Gateway server, specify that console's IP address. This tab is also where you must add your CRT Load Test server and your Web Browser and Connectivity Test target.

Warning: Saving changes to the list of approved servers disconnects all HTTP/HTTPS tunneled users.

To add a server to the list of approved servers, perform the following steps:

   a. Click the tab that corresponds to the appropriate identifier. For example, if you plan to identify a server by specifying its unique IP address, click the By IP Address tab.
   b. Type the appropriate value or range of values, depending on the tab that you clicked.
   c. Click Add.

   Note: To revoke a system's ability to receive traffic from the URA Gateway server, select it from the list of approved servers and click Remove.

15. After you list all the servers to which the URA Gateway server can establish a connection, click OK to close the URA Gateway Configuration dialog box.

Note: For information on URA Gateway server configuration settings, see Editing URA Gateway Server Configuration Settings.
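The approved-servers list in step 14 is the gateway's destination allowlist, so a broad host-name regex or subnet approves every machine it happens to cover. The following sketch is an added example, not Quest code: it models the four identifier types and reports destinations that a list would approve although nobody intended them. The entry format, the host names and addresses are constructed, and whole-name, case-insensitive regex matching is an assumption drawn from the "exact name" wording in step 14.

```python
import ipaddress
import re

# Constructed approved-server entries, one or more per identifier type in step 14.
APPROVED = [
    ("host", r"system"),                      # exact host name
    ("host", r".*system.*"),                  # every name containing "system"
    ("range", ("10.20.0.10", "10.20.0.50")),  # first and last address
    ("subnet", "10.30.0.0/24"),
    ("ip", "192.0.2.15"),                     # unique IP address
]

def entry_matches(entry, name=None, addr=None):
    """Return True if one approved-server entry covers the destination."""
    kind, value = entry
    if kind == "host":
        # Assumption: the pattern must match the whole name, ignoring case.
        return name is not None and re.fullmatch(value, name, re.IGNORECASE) is not None
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    if kind == "range":
        first, last = (ipaddress.ip_address(v) for v in value)
        # Comparing IPv4 with IPv6 raises TypeError, so check versions first.
        return first.version == ip.version == last.version and first <= ip <= last
    if kind == "subnet":
        return ip in ipaddress.ip_network(value)
    if kind == "ip":
        return ip == ipaddress.ip_address(value)
    raise ValueError(f"unknown identifier type: {kind}")

def approving_entries(approved, name=None, addr=None):
    """List every entry that would let the gateway broker this destination."""
    return [e for e in approved if entry_matches(e, name, addr)]

def unintended(approved, intended, observed):
    """Destinations in `observed` that are approved but absent from `intended`."""
    return [d for d in observed
            if d not in intended and approving_entries(approved, *d)]

# Constructed inventory: what the administrator meant to approve ...
INTENDED = {("system", "10.20.0.10"), ("labsystem01", "10.20.0.11"),
            ("crt-load", "192.0.2.15")}
# ... and destinations that exist on the network (name, address).
OBSERVED = [("system", "10.20.0.10"), ("filesystem-backup", "10.99.0.5"),
            ("hr-db", "10.30.0.77"), ("printer", "10.20.0.51")]

if __name__ == "__main__":
    for name, addr in unintended(APPROVED, INTENDED, OBSERVED):
        print(name, addr, "approved by", approving_entries(APPROVED, name, addr))
```

Running the audit against an inventory before saving the list shows which entries to narrow, for example replacing .*system.* with the exact names or tightening a subnet to an address range.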

The URA Gateway server is installed in the directory that you specified. Make certain to configure the external firewall to allow HTTP and HTTPS connectivity to the URA Gateway server through ports 80 and 443, respectively.

If it becomes necessary to change the destination access control or otherwise reconfigure the URA Gateway, administrators can access a configuration utility from the Start menu.

Installing the URA Terminal Client

Before you install the URA Terminal Client, see Installing and Configuring the URA Gateway Server on page 112.

In a typical scenario, the URA terminal client is installed automatically on a remote workstation when a user establishes a desktop connection to a Cloud Automation Platform VM from within a Cloud Automation Platform application. Sometimes, however, the client is not installed successfully. In such instances, it can be installed manually on a workstation.

Note: If you install the URA terminal client manually, future upgrades to the downloadable content will not take place automatically. To upgrade content to a URA terminal client that was installed manually, you must uninstall the client and then reinstall it.

To install the URA terminal client manually, perform the following steps:

1. From the installation media or CD, navigate to the RemoteAccess directory and double-click URAClient.msi to launch the Install URA Client Wizard.

   Note: If an Open File Security Warning message appears, click Run.
2. Click Next to view the Destination Folder page.

3. Optional: To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\URAClient, click Change.
4. Click Next to view the Ready To Install page.

   Note: To change the destination folder, click Back to return to the Destination Folder page.
5. Click Install to install the URA client. When the installation is finished, the Complete page opens.

6. Click Finish.

Editing URA Gateway Server Configuration Settings

There are several URA-specific configuration settings in the Platform. All Platform configuration settings can be viewed in the CAP web interface by clicking Configuration in the left pane. When Cloud Automation Platform is installed, the ability to edit advanced configuration settings is, by default, disabled. However, you can edit individual advanced configuration settings using the vcsadmin command-line utility and the appropriate commands.

Note: To prevent unnecessary and potentially disruptive modifications to the settings, Quest Software recommends editing select configuration values only after discussing the needs and possible impact with Quest Software Support.

To access the vcsadmin command-line utility to perform edits to URA Gateway server configuration settings, navigate to the Cloud Automation Platform installation directory, open the Platform directory, and double-click vcsadmin.exe.

Log in to the vcsadmin command-line utility using the following syntax:

    login <user_name defined_during_cap_core_install> <password defined during install>

To edit a URA Gateway server configuration setting using the vcsadmin utility, use the following syntax:

    configset <setting>=<value>

The following topics discuss the functionality of five URA-specific configuration settings as well as how to edit them using the vcsadmin utility:

- Ura.GatewayServerIp (required)
- Ura.TunnelConfigs
- Ura.AllowConsoleAccess
- Ura.ControlPlatforms
- Ura.SocketGateway.Port

Note: Once the URA Gateway server installation is complete, it is required that you set a new configuration value for URA.GatewayServerIP.

Defining URA Gateway Server IP or Hostname

The Ura.GatewayServerIp configuration setting communicates to the Cloud Automation Platform view of the remote desktop (also known as the Chrome) the URA Gateway server for which you will be tunneling traffic. Set the value for Ura.GatewayServerIp to be either the external IP address of the URA Gateway server that the end user would contact or a resolvable DNS name that resolves on the client side.

You can add new hostnames or a new IP address for socket proxy, as needed, at a later time. To add more approved servers, log in to the socket proxy server and then select Start => Quest Software => URA Gateway => Launch GatewayConfig.exe. Then, you must communicate such changes to the Chrome, using the Ura.GatewayServerIp configuration setting.

Establishing Sequence of URA Tunnel Configurations

Cloud Automation Platform offers four methods for connecting to a deployed Cloud Automation Platform VM via the URA Gateway server. The Cloud Automation Platform's default failover mechanism opts for each of these methods in the following order:

1. Direct access (also known as NoOpTunnel)
2. Socket proxy
3. HTTP tunneling
4. HTTPS tunneling

For more information on these connectivity options, see Accessing a Deployed VM on page 94.

The Ura.TunnelConfigs configuration setting establishes the sequence in which the URA selects the protocol for tunneling to the active deployment. By default, the URA attempts to connect the user to the active deployment using the following list of protocols from left to right.

    NoOpTunnel,SocketProxy,HTTPTunnel,HTTPSTunnel

Once you have decided on the prioritization of your URA connectivity options, you can use the Ura.TunnelConfigs configuration setting to establish their new sequence from left to right. This newly assigned order will override Cloud Automation Platform's default failover mechanism.

Sample URA Tunnel Configs Modification

To edit the Ura.TunnelConfigs configuration setting, use the vcsadmin command and list the protocols from left to right. To modify the order that the URA attempts connectivity to start with socket proxy, use the following syntax:

    configset Ura.TunnelConfigs=HTTPTunnel,HTTPSTunnel

This establishes a Ura.TunnelConfigs sequence of:

1. HTTP Tunneling
2. HTTPS Tunneling

Enabling and Disabling Remote Access Via the Console

If the Ura.AllowConsoleAccess configuration setting is set to 'true', it enables remote access via the console to virtual machines. If the Ura.AllowConsoleAccess configuration setting is set to 'false', it disables this connection type. The default for this configuration setting is 'true'.

To edit the Ura.AllowConsoleAccess configuration setting to disable remote access via the console to virtual machines, use the following syntax:

    configset Ura.AllowConsoleAccess=false

To edit the Ura.AllowConsoleAccess configuration setting back to the 'true' value, thereby enabling remote access via the console to virtual machines, use the following syntax:

    configset Ura.AllowConsoleAccess=true

Note: The remote access port for ESX Console is 902.

Establishing Sequence of URA Client Platforms

The Ura.ControlPlatforms configuration setting establishes the order in which URA attempts supported client platforms. The default setting of the Ura.ControlPlatforms configuration setting is: ActiveX,Applet.

To edit the order in which URA attempts supported client platforms, use the following syntax:

    configset Ura.ControlPlatforms=Applet,ActiveX

Changing Socket Proxy Gateway Server's Default Port

The default port that the socket proxy executable listens on is 9999. To edit the value that the socket proxy executable listens on, use the following syntax:

    configset Ura.SocketGateway.Port=<value>

After you have changed the value to a user-defined port, restart the socket proxy service.

Note: The socket proxy is installed and configured as a Windows service. To stop, start, or restart the socket proxy service, open up the Windows Services applet and select Quest URA Socket Gateway.

If you change the default port on the socket proxy gateway server, you must also contact your network administrator to make the same port address translation (PAT) change on the network devices.

Note: Now that you have installed the URA Gateway server and set the configuration settings, it is recommended that you test your connectivity. For instructions to test your URA Gateway server's local and external connectivity, see Troubleshooting.
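Because these settings decide which connection methods are offered and on which port the socket proxy listens, it helps to review a batch of configset lines before typing them into vcsadmin. The following lint is an added example, not part of the product: it checks lines against the values this guide documents for the five URA settings. The sample lines are constructed, and case-insensitive setting names and lowercase-only true/false are assumptions.

```python
import re

# Names exactly as this guide writes them.
TUNNELS = ("NoOpTunnel", "SocketProxy", "HTTPTunnel", "HTTPSTunnel")
PLATFORMS = ("ActiveX", "Applet")
LINE = re.compile(r"^configset\s+([^=\s]+)=(.*)$")

def check_order(value, allowed):
    """Validate a comma-separated, left-to-right list against known names."""
    items = [item.strip() for item in value.split(",")]
    findings = [("error", f"unknown name {i!r}") for i in items if i not in allowed]
    if len(set(items)) != len(items):
        findings.append(("error", "name listed more than once"))
    omitted = [a for a in allowed if a not in items]
    if omitted:
        findings.append(("note", "never attempted: " + ",".join(omitted)))
    return items, findings

def check_tunnels(value):
    items, findings = check_order(value, TUNNELS)
    if "HTTPTunnel" in items:
        pos = items.index("HTTPTunnel")
        if "HTTPSTunnel" not in items or pos < items.index("HTTPSTunnel"):
            findings.append(("note", "HTTPTunnel (no TLS) is tried before HTTPSTunnel"))
    return findings

def check_platforms(value):
    return check_order(value, PLATFORMS)[1]

def check_bool(value):
    # Assumption: only the lowercase spellings shown in this guide are accepted.
    return [] if value in ("true", "false") else [("error", "expected true or false")]

def check_port(value):
    if not (value.isascii() and value.isdigit() and 1 <= int(value) <= 65535):
        return [("error", "port must be an integer from 1 to 65535")]
    return [("note", "restart the socket proxy service and update the PAT rules")]

def check_gateway(value):
    return [] if value.strip() else [("error", "empty value")]

# Assumption: setting names are matched without regard to case.
RULES = {
    "ura.gatewayserverip": check_gateway,
    "ura.tunnelconfigs": check_tunnels,
    "ura.allowconsoleaccess": check_bool,
    "ura.controlplatforms": check_platforms,
    "ura.socketgateway.port": check_port,
}

def lint(lines):
    """Return (line number, level, message) for each finding."""
    report = []
    for number, line in enumerate(lines, start=1):
        match = LINE.match(line.strip())
        if not match:
            report.append((number, "error", "not in the form configset <setting>=<value>"))
            continue
        setting, value = match.groups()
        rule = RULES.get(setting.lower())
        if rule is None:
            report.append((number, "note", f"{setting} is not one of the five URA settings"))
            continue
        report.extend((number, level, text) for level, text in rule(value))
    return report

def error_lines(lines):
    """Line numbers that must be fixed before the batch is applied."""
    return sorted({n for n, level, _ in lint(lines) if level == "error"})

# Constructed batch of commands to review.
SAMPLE = [
    "configset Ura.TunnelConfigs=HTTPTunnel,HTTPSTunnel",
    "configset Ura.TunnelConfigs=SocketProxy,HTTPSTunel",
    "configset Ura.AllowConsoleAccess=False",
    "configset Ura.SocketGateway.Port=99999",
    "configset Ura.ControlPlatforms=Applet,ActiveX",
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```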

Recommended Socket Proxy Network Configuration (Required for Multiple Connection Types)

The default socket proxy listen port is 9999, and its remote access traffic is forwarded to the deployed VM. However, in order to administer and correctly configure socket proxy, you must set the data center firewall for port address translation of inbound connections.

Enabling and Configuring the Network Device

Cloud Automation Platform Administrators must notify the network administrators to set up the port translation configurations for the required remote connectivity methods:

Examples:

    RDP     ura.demoservers.com:3389 = ura.demoservers.com:9999
    VNC     ura.demoservers.com:5900 = ura.demoservers.com:9999
    Citrix  ura.demoservers.com:1494 = ura.demoservers.com:9999

Simple Socket Proxy Network Configuration

In some cases, port address translation is either not available or inconvenient to set up. In such cases, you can set up the socket proxy gateway server to listen on the normal port for a remote connectivity method. This requires that the firewall allow direct inbound connections to the URA Gateway server on the normal port for that method. If the URA Gateway server is being remotely managed by that same connectivity method, you must reconfigure the remote access server to use a different port.

Since this configuration is limited to one connection type and can interfere with local management, Quest Software does not recommend using this configuration unless absolutely necessary.

The following instructions assume that RDP is in use for both remote connectivity into the Cloud Automation Platform system and remote management of the URA Gateway server.

Enabling and Configuring the Operating System Default RDP Port

Because we will enable socket proxy, administrators cannot RDP into the socket proxy server without changing the Terminal Services default port when using the Remote Desktop Connection application. Use the following Microsoft Knowledge Base article to change the default listen port. Make sure to back up the Windows Registry and be careful when making any changes to the Windows Registry.

1. Start Registry Editor.
2. Locate the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
    TerminalServer\WinStations\RDP-Tcp\PortNumber

3. Click the registry subkey.

   Note: The above registry key is one path, which was wrapped for readability.

4. Select Edit => Modify => Decimal.

5. Type the new port number (3390) and then click OK.
6. Quit Registry Editor.
7. Restart Terminal Server.

Now, Administrators must access the socket proxy server using the new port number (for example, ura.demoservers.com:3390).

Editing Web Browser and Connectivity Test Configuration Settings

For system requirements, see Web Browser and Connectivity Test Prerequisites on page 101. For more detailed information about the Web Browser and Connectivity Test, see Web Browser and Connectivity Test on page 97.

There are several configuration settings in the Platform that are specific to the Web Browser and Connectivity Test. All Platform configuration settings can be viewed in the CAP web interface by clicking Configuration in the left pane. When Cloud Automation Platform is installed, the ability to edit advanced configuration settings is, by default, disabled. However, you can edit individual advanced configuration settings using the vcsadmin command-line utility and the appropriate commands.

Note: To prevent unnecessary and potentially disruptive modifications to the settings, Quest Software recommends editing select configuration values only after discussing the needs and possible impact with Quest Software support.

To access the vcsadmin utility to perform edits to Web Browser and Connectivity Test configuration settings, navigate to the Cloud Automation Platform installation directory, open the Platform directory, and double-click vcsadmin.exe. Log in to the vcsadmin utility using the following syntax:

    login <user_name_defined_during_cap_core_install> <password defined during install>

To edit a Web Browser and Connectivity Test configuration setting using the vcsadmin utility, use the following syntax:

    configset <setting>=<value>

For most scenarios, editing the default values is not necessary for the user readiness test to run. The following topics discuss the functionality of three specific Web Browser and Connectivity Test configuration settings as well as how to edit them using the vcsadmin utility:

- Urt.RunConnectionTest
- Urt.RdpServerIp
- Urt. .DefaultAddresses

Enabling the Web Browser and Connectivity Test

The Urt.RunConnectionTest configuration setting enables/disables the Web Browser and Connectivity Test. The default value is 'false'.

Note: The Web Browser and Connectivity Test will not attempt to test your connection to a VM unless you set the value for Urt.RunConnectionTest to 'true'. You can only set the Urt.RunConnectionTest configuration setting to 'true' if you have a test target. See Defining Servers as Test Targets on page 134.

Defining Servers as Test Targets

In some situations, it might be required to test connectivity and browser configurations before any VM hosts are created in a Cloud Automation Platform environment. In this case, where a VM cannot be used as a test target for the Web Browser and Connectivity Test, it is necessary to create a test infrastructure with servers designated as test targets for the Web Browser and Connectivity Test.

For each remote access method used by your labs, you must install a test server or VM that uses the appropriate protocol in the same LAN where the VMs will deploy. Also, you must configure the Web Browser and Connectivity Test with the IP address and port number of each test server.

For instance, if your labs use Citrix, install a Citrix server or VM in the same LAN where the VMs will deploy and, using vcsadmin, configure the Urt.CitrixServerIp and Urt.CitrixServerPort values to reference your Citrix server. Or if your environment will use RDP or VNC, set the equivalent values.
To find the relevant configuration values for each type of remote access, view the list of settings in the CAP web interface by clicking Configuration in the left pane, and then use the Search feature to find the appropriate setting.

Defining the Web Browser and Connectivity Test RDP Server

The Urt.RdpServerIp configuration setting contains the IP address or hostname of the Web Browser and Connectivity Test RDP server. To edit the Urt.RdpServerIp configuration setting, use the vcsadmin command-line utility.

Defining Additional Recipients

By default, the test results of the Web Browser and Connectivity Test are sent only to the address designated in the To Address field of the Web Browser and Connectivity Test page, which appears when you click the Is Your Browser Ready? link that appears on the Log On panel. If you want to add additional addresses, such as your IT administrator or whoever is responsible for connectivity issues, use the vcsadmin utility to edit the Urt. .DefaultAddresses configuration setting.

Note: This list of recipients' addresses is semicolon delimited.

Installing the CRT Load Test Server

For system requirements, see Classroom Readiness Test (CRT) Prerequisites on page 108. For more detailed information about the CRT, see Classroom Readiness Test on page 98.

Note: If you intend to use CRT, you must install the CRT Load Test server. The URA Gateway server must also be installed on your network. However, since the URA Gateway server can receive hundreds of concurrent requests and load testing can interfere with interactive users accessing virtual machines, a URA Gateway server must not be installed on the same machine that hosts a CRT Load Test server.

To install the CRT Load Test server, perform the following steps:

1. From the installation media, double-click CRTServer.exe to launch the Install CRT Server Wizard.

   Note: If an Open File Security Warning message appears, click Run.

2. Click Next to view the Destination Folder page.
3. Optional: To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\CRTServer, click Change.
4. Click Next to view the Ready To Install page.

   Note: To change the destination folder, click Back to return to the Destination Folder page.

5. Click Install to install the CRT Load Test server. When the installation is finished, the Complete page opens.
6. Click Finish.

Installing the CRT Application

Before you install the CRT application, see Installing the CRT Load Test Server on page 135. Although the CRT application is installed automatically when the Training Solution is installed, you might need to install CRT on a different server.

To install the CRT application, perform the following steps:

1. From the installation media, double-click CRT.exe to launch the Install CRT Wizard.

   Note: If an Open File Security Warning message appears, click Run.

2. Click Next to view the System Information page.
3. Specify the following information:
   - The name or IP address of the computer on which you have installed the Core Services component of the Platform.
   - The Platform administrator password that was specified during the installation of the Platform Core Services.
4. Click Next to view the CRT Server Information page.
5. Type the host name or IP address of the CRT Load Test server.
6. Click Next to view the Choose Destination Location page.
7. Optional: To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\CRT, click Browse.
8. Click Next to view the Start Copying Files page.
9. Verify that the CRT application will be installed according to your specifications. To make a correction, click Back until you return to the appropriate page.
10. Click Next to install the CRT application. When the installation is finished, the Complete page opens.

11. Click Finish.

Although the CRT can be run at this time, you must specify a value for the CRT. .DefaultAddresses configuration setting before the test results can be sent in an e-mail message.

Installing the CRT Client

Before you install the CRT client, see Installing the CRT Load Test Server on page 135 and Installing the CRT Application on page 137. You can manually install the CRT client if browser settings prevent the client's automatic installation.

To install the CRT client on a workstation, perform the following steps:

1. From the installation media, double-click CRTClient.msi to launch the Install CRT Client Wizard.

   Note: If an Open File Security Warning message appears, click Run.

2. Click Next to view the Destination Folder page.
3. Optional: To specify a destination folder other than the default folder of C:\Program Files\Quest Software\CAP\CRTClient, click Change.
4. Click Next to view the Ready To Install page.

   Note: To change the destination folder, click Back to return to the Destination Folder page.

5. Click Install to install the CRT client. When the installation is finished, the Complete page opens.
6. Click Finish.

Editing CRT Configuration Settings

There are several CRT-specific configuration settings in the Platform. All Platform configuration settings can be viewed in the CAP web interface by clicking Configuration in the left pane. When Cloud Automation Platform is installed, the ability to edit advanced configuration settings is, by default, disabled. However, you can edit individual advanced configuration settings using the vcsadmin utility and the appropriate commands.

Note: To prevent unnecessary and potentially disruptive modifications to the settings, Quest Software recommends editing select configuration values only after discussing the needs and possible impact with Quest Software support.

To access the vcsadmin command-line utility to perform edits to CRT configuration settings, navigate to the Cloud Automation Platform installation directory, open the Platform directory, and double-click vcsadmin.exe. Log in to the vcsadmin utility using the following syntax:

    login <user_name_defined_during_cap_core_install> <admin_password_defined_during_install>

To edit a CRT configuration setting using the vcsadmin utility, use the following syntax:

    configset <setting>=<value>

The following topics discuss the functionality of four CRT-specific configuration settings as well as how to edit them using the vcsadmin utility:

- Crt. .DefaultAddresses
- Crt. .DefaultSubject
- Crt.NetTest.ServerIP (required)
- Crt.NetTest.ServerPort (required)

Note: Before you run the CRT, it is required that you first set a new configuration value for Crt.NetTest.ServerIP and Crt.NetTest.ServerPort.

Defining Additional Recipients

CRT results can be sent to a Cloud Automation Platform administrator in an e-mail message only if you specify the administrator's address as a value for the CRT. .DefaultAddresses configuration setting. Use the vcsadmin utility to edit the CRT. .DefaultAddresses configuration setting.

Note: If you include additional recipients' addresses in the CRT. .DefaultAddresses configuration setting, keep in mind that this list is semicolon delimited.

Defining Subject Line

The Crt. .DefaultSubject configuration setting contains the subject line for CRT test results e-mails. The default value is: Surgient Classroom Readiness Test Results

To edit the Crt. .DefaultSubject configuration setting, use the vcsadmin utility.

Defining CRT NetTest Server IP or Hostname

Note: Before you run the CRT, it is required that you first set a new configuration value for Crt.NetTest.ServerIP.

The Crt.NetTest.ServerIP configuration setting contains the IP address or hostname of the CRT NetTest Server. The default value is

To edit the Crt.NetTest.ServerIP configuration setting, use the vcsadmin utility.

Defining CRT NetTest Server Port

Note: Before you run the CRT, it is required that you first set a new configuration value for Crt.NetTest.ServerPort.

The Crt.NetTest.ServerPort configuration setting contains the port number of the CRT NetTest Server. The default value is

To edit the Crt.NetTest.ServerPort configuration setting, use the vcsadmin utility.

If you want to edit CRT configuration settings that, by default, cannot be edited, contact Support to request the enabling of this feature.

Conducting Web Browser and Connectivity Test and CRT

The following sections detail how to conduct the Web Browser and Connectivity Test and the CRT.

- Conducting the Web Browser and Connectivity Test
- Conducting the Classroom Readiness Test

Conducting the Web Browser and Connectivity Test

For Web Browser and Connectivity Test System Requirements, see Web Browser and Connectivity Test Prerequisites on page 101. For more information, see Editing Web Browser and Connectivity Test Configuration Settings on page 133.

Note: The Web Browser and Connectivity Test will not attempt to test your connection to a VM unless you set the value for Urt.RunConnectionTest to 'true'. See Enabling the Web Browser and Connectivity Test on page 134.

Ideally, this test is run from the machine where the class will be conducted at the same time of day when the virtual class is scheduled to occur.

To conduct the Web Browser and Connectivity Test, perform the following steps:

1. Navigate to the application Log On page. For example, the address might be or
2. Click the Is your browser ready? link. Follow any onscreen instructions or click the Help link on the Web Browser and Connectivity Test window for more information.
3. If the Web Browser and Connectivity Test fails or if Support requests your test results, complete the form in the Results area of the Web Browser and Connectivity Test window. By default, the results are sent to the addresses specified by the Web Browser and Connectivity Test administrator. Enter the requested information in all fields, except for the Comments field, and then click Send Results.

Note: If you are using Internet Explorer, and the connection to a Citrix server fails, you might need to add the Citrix server to Internet Explorer's Trusted Sites zone. See Adding an Entry to Your Trusted Sites Zone on page 107.

Conducting the Classroom Readiness Test

For CRT System Requirements, see Classroom Readiness Test (CRT) Prerequisites on page 108. For CRT installation instructions, see Installing the CRT Load Test Server on page 135, Installing the CRT Application on page 137, and Installing the CRT Client.

It is recommended that you run CRT as far in advance as possible. Ideally, you would run the test when the class is scheduled or a request has been made for on-site training, but no later than one week before the class is delivered. This would give you the necessary visibility to make alternate arrangements in case the location is deemed unacceptable.

Before Running the CRT

1. Before you run the CRT, you must set a new configuration value for Crt.NetTest.ServerIP and Crt.NetTest.ServerPort. See Defining CRT NetTest Server IP or Hostname on page 140 and Defining CRT NetTest Server Port.
2. Run the Web Browser and Connectivity Test on the machine that will be used to conduct the CRT. The Web Browser and Connectivity Test determines if a computer and the computer's current location meet the requirements to successfully connect to the Cloud Automation Platform application. When the machine passes the test, continue with the CRT. For instructions on running the Web Browser and Connectivity Test, see Conducting the Web Browser and Connectivity Test on page 141.

Running the CRT

To conduct the classroom readiness test, perform the following steps:

Note: Do not run any applications or CPU-consuming services while the CRT is running. For instance, if a personal firewall or virus software that actively monitors network activity is running, temporarily disable it until the test completes. Any unnecessary processor activity might skew the test results.

1. Using the CRT web application address provided by the Platform administrator, navigate to the Classroom Readiness Test page. When you navigate to the CRT web page, ActiveX components are installed.
2. From the Classroom Readiness Test page, type 2 in the number of participants field.
3. Choose a performance profile. The performance profile determines the bandwidth and latency values for the CRT. Default profiles include:
   - Intensive Graphics Lab: Use for classes where students open and close many windows and perform graphics-intensive exercises. For example, choose this profile for classes where students use applications such as PowerPoint or view animated graphics or Flash demos.
   - Minimal Graphics Lab: Use for classes where labs involve minimal graphics and a nominal amount of scrolling, mouse movement, and data entry.

   The bandwidth test measures the amount of data that can be transmitted within a set amount of time. The following table illustrates the default ranges for the bandwidth test in bytes per second.

   Bandwidth ranges in bytes/second

   Connection Profile        Preferred    Acceptable
   Intensive Graphics Lab
   Minimal Graphics Lab

   The latency test measures the amount of time it takes for data to travel from the source to the destination. The following table illustrates the default ranges for the latency test in milliseconds.

   Latency ranges in milliseconds

   Connection Profile        Preferred    Acceptable
   Intensive Graphics Lab
   Minimal Graphics Lab

   Note: Additional profiles might be included in your list of profiles. Select the profile and click View or edit profile details to see the range of values that are tested.

4. Click Start the test now. The test can take several minutes to complete.
5. In the Submit test results section, type the appropriate values in the fields. The value specified in the address field displays as the From address in the results e-mail.

   By default, the results are sent to the addresses specified in the web.config file set by the web application administrator. However, you can send the results to additional classroom contacts by adding values to the Results will be copied to the following addresses field. Specify multiple addresses by inserting a space, comma, semicolon, line break, or bar (|) between addresses. All fields are required except for the Additional Notes field.

6. Click Send test results. The content contains the classroom configuration values as well as all the sample data returned by the test.

   Repeat steps 2-6, using 10 students. Then, if the class size exceeds 10 students, repeat steps 2-6, typing the expected class size in the number of participants field.

7. Optional: If CRT is from a 2 GHz machine outside of the classroom or with a laptop, use a classroom machine to run a test for 2 students to verify that the network path works. If the tests pass, the classroom is ready. If the classroom does not pass the test, the administrator analyzes the CRT results and recommends a solution.
8. Run the Web Browser and Connectivity Test on every machine in the classroom to ensure that all the student machines can connect to the Cloud Automation Platform application.

Troubleshooting

This section provides tips for troubleshooting URA Gateway connectivity issues.

Note: Once the URA Gateway installation is complete, it is required that you set a new configuration value for URA.GatewayServerIP. See Editing URA Gateway Server Configuration Settings.

Testing the URA Gateway Server Locally

Immediately after you install the URA Gateway server, it is recommended that you test your local access to it. Using Internet Explorer or Mozilla Firefox, enter the following, using the URL of the local machine:

Note: HTGateway is the Installation/web folder.

Entering this URL prompts the Windows web server, Internet Information Server (IIS), to compile the ASP.NET application and render a URA Gateway Statistics page. If you get errors during this test, that indicates that something went wrong either with the installation or with the automated configuration of IIS on that machine. See Troubleshooting a URA Gateway Server Test Error on page 150.

Testing the URA Gateway Server Externally

Once you establish that you can access the URA Gateway server locally and the Gateway Statistics page is displayed, it is recommended that you test your external connectivity. Using Internet Explorer or Mozilla Firefox, enter the following, using the external IP address of the URA Gateway server:

Testing Connectivity from URA to Your Approved Server IPs

After you have confirmed that you can access the URA Gateway server locally and externally, it is recommended that you test your connectivity directly from the URA Gateway server to your approved server IPs.

Within Cloud Automation Platform, deploy a virtual machine (VM). Then, perform a manual RDP connection using Microsoft Remote Desktop Client to the IP address of the deployed virtual machine. A successful RDP connection to an active and accessible VM in the Cloud Automation Platform environment confirms that URA is actually communicating on the network with the deployed VM.

Testing URA Gateway Connectivity Using HTTP Tunneling

Note: If you contact Quest Software support regarding testing your URA Gateway connectivity using HTTP tunneling, your support representative might perform the following steps. This procedure might not work with Microsoft Vista or Mac OS X.

After confirming that you can access the URA Gateway server locally and externally and successfully connecting directly from the URA Gateway server to your approved server IPs, use the following steps to confirm that the URA Gateway server connects to the deployed VM using HTTP tunneling:

1. If you are using ActiveX control, in Internet Explorer enter the following, using the external IP address of the URA Gateway server:

    testcontrol.html

   If you are using the Java applet, in Internet Explorer or Mozilla Firefox, enter the following, using the external IP address of the URA Gateway server:

    testapplet.html

2. On the Local Proxy ActiveX Control Test Page, type the protocol you are using, followed by the IP address of the deployed VM in the Proxy connection to destination URL field (for example, rdp://ip address). You can test various protocols (for example, RDP, Citrix, or VMX for the Console) by changing the protocol entry in that field.
3. Make sure that the start terminal window automatically (must disable pop-up blocker) check box is checked.
4. Under Settings Tunnel mechanism, select the Tunnel through HTTP/HTTPS (via HTTP Gateway) radio button.
5. Click the Start button under Proxy connection to destination. A pop-up window is displayed, and the connection commences, using the HTTP/HTTPS (via HTTP Gateway) tunnel mechanism.

If you receive an error message, proceed to the following topic, Troubleshooting a URA Gateway Server Test Error on page 150.

Troubleshooting a URA Gateway Server Test Error

If any of the following situations occur, an error message is displayed on the ActiveX Control Test page, stating that an error occurred while establishing a connection to the remote server through the URA Gateway server:

- URA is unable to connect to the actual gateway address;
- you did not set the configuration setting with the gateway address;
- you entered an incorrect gateway address in the configuration setting;
- you have a networking issue.

To resolve this connectivity issue, perform the following steps:

1. Click OK to close the error message.
2. On the Local Proxy ActiveX Control Test Page, type the protocol you are using, followed by the IP address of the deployed VM in the Proxy connection to destination URL field (for example, rdp://ip address). You can test various protocols (for example, RDP, Citrix, or VMX for the Console) by changing the protocol entry in that field.
3. Make sure that the start terminal window automatically (must disable pop-up blocker) check box is checked.
4. Under Settings Tunnel mechanism, select the radio button that corresponds to the type of connection that you want to test.
5. Click the Start button under Proxy connection to destination. A pop-up window is displayed, and the connection commences, using the tunnel mechanism that you chose.
6. In the srdp.cab Security Warning dialog, asking if you want to install this software, click Install to download the control. The ActiveX RDP Client Start Page opens, showing that you have successfully connected to your destination VM using the URA Gateway server.

Addressing a Non-Responsive URA Gateway Server

Each time your URA Gateway connections use HTTP(S) or socket proxy, separate log files are created under the Install directory (C:\Program Files\Quest Software\CAP\Logs is the default location). These files are named HTGateway.log and SocketGateway.log, respectively. These log files contain information about your connections as well as any errors that might have occurred. If your URA Gateway server becomes nonresponsive, use the pertinent log file to troubleshoot your HT Gateway or socket proxy connections.

Connection to Citrix Server Fails

If you are using Internet Explorer, and the connection to a Citrix server fails, you might need to add the Citrix server to Internet Explorer's Trusted Sites zone. See Adding an Entry to Your Trusted Sites Zone on page 107.

Locating Socket Proxy Server Log Files

The socket proxy server log files are located in the following directory:

    C:\Program Files\Quest Software\CAP\Logs\SocketGateway.log

Testing Socket Proxy Server Connectivity

To debug end users' connectivity, run the Web Browser and Connectivity Test (formerly named URT). The link to this test can be found on the Cloud Automation Platform Login Page. If the Web Browser and Connectivity Test fails, perform the following steps:

1. Create a C:\TEMP directory.

2. Run the Web Browser and Connectivity Test again.
3. Inspect the log files.
   - Active X: Surgient_SocketProxyActiveXTunnelConfig.log
   - Java Applet: Surgient_SocketProxyAppletTunnelConfig.log

Successful Socket Proxy Server Connections

    :50: [3824] Testing connection to rdp:// :
    :50: [3824] Trying connection class SocketProxyConnection
    :50: [3824] Connection tests OK using class SocketProxyConnection
    :50: [3824] Listening on :3455

Failed Socket Proxy Server Connections

    :55: [4652] Testing connection to rdp:// :
    :55: [4652] Trying connection class SocketProxyConnection
    :55: [4276] Thread::Join: Wait timed out
    :55: [4652].\SocketProxyConnection.cpp:98 Exception in SocketProxyConnection::TestConnect: Exception thrown at.\socket.cpp:99: Socket connect failed in system connect(ura.demoservers.com:3389): A socket operation was attempted to an unreachable host
    :55: [4652].\SocketProxyConnection.cpp:130 Exception: An error occurred while trying to establish a connection to the Gateway server

    :55: [4652] Unable to connect using SocketProxyConnection, exception: An error occurred while trying to establish a connection to the Gateway server
    :55: [4652].\ProxyConnection.cpp:185 Exception: An error occurred while trying to establish a connection to the Gateway server
    :55: [4652].\ProxyConnection.cpp:246 Exception: An error occurred while trying to establish a connection to the Gateway server
    :55: [4652] Exception in StartThread: An error occurred while trying to establish a connection to the Gateway server
    :55: [4652] Thread Thread-4 about to terminate ( Thread Id:4652)
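The successful and failed tunnel-config log excerpts above can be triaged mechanically. The following is an added example, not part of the guide or of the product: it groups lines into connection attempts and, for the "unreachable host" failure, points back at the port address translation rule. The timestamp layout and the addresses in the sample are constructed assumptions, since the page's copies are truncated.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: message text follows the guide's excerpts; timestamps and
# the 192.0.2.10 / 127.0.0.1 addresses are made up for this example.
SAMPLE_LOG = r"""
2010-01-01 10:50:01 [3824] Testing connection to rdp://192.0.2.10:3389
2010-01-01 10:50:01 [3824] Trying connection class SocketProxyConnection
2010-01-01 10:50:02 [3824] Connection tests OK using class SocketProxyConnection
2010-01-01 10:50:02 [3824] Listening on 127.0.0.1:3455
2010-01-01 10:55:01 [4652] Testing connection to rdp://192.0.2.10:3389
2010-01-01 10:55:01 [4652] Trying connection class SocketProxyConnection
2010-01-01 10:55:22 [4276] Thread::Join: Wait timed out
2010-01-01 10:55:22 [4652].\SocketProxyConnection.cpp:98 Exception in SocketProxyConnection::TestConnect: Exception thrown at.\socket.cpp:99: Socket connect failed in system connect(ura.demoservers.com:3389): A socket operation was attempted to an unreachable host
2010-01-01 10:55:22 [4652] Unable to connect using SocketProxyConnection, exception: An error occurred while trying to establish a connection to the Gateway server
"""

# Only the "[thread id] message" part is relied on; whatever precedes it
# (the timestamp, whose exact layout is an assumption) is skipped.
LINE = re.compile(r"^.*?\[(?P<tid>\d+)\]\s*(?P<msg>.*)$")
TESTING = re.compile(r"Testing connection to (?P<target>\S+)")
TRYING = re.compile(r"Trying connection class (?P<cls>\w+)")
TESTS_OK = re.compile(r"Connection tests OK using class (?P<cls>\w+)")
LISTENING = re.compile(r"Listening on (?P<addr>\S+)")
CONNECT_FAILED = re.compile(
    r"Socket connect failed in system connect\((?P<endpoint>[^)]+)\):\s*(?P<reason>.+)$")
UNABLE = re.compile(r"Unable to connect using (?P<cls>\w+), exception:")


@dataclass
class Attempt:
    thread: str
    target: str
    classes_tried: list = field(default_factory=list)
    outcome: str = "incomplete"  # "ok", "failed" or "incomplete"
    listener: str = ""
    gateway_endpoint: str = ""
    reason: str = ""
    timed_out: bool = False


def parse_attempts(text):
    """Group log lines into attempts, one per 'Testing connection' line."""
    attempts, open_by_thread = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        hit = TESTING.search(msg)
        if hit:
            open_by_thread[tid] = Attempt(thread=tid, target=hit["target"])
            attempts.append(open_by_thread[tid])
            continue
        if "Wait timed out" in msg:
            # Logged by a helper thread, so attach it to the latest unfinished attempt.
            pending = [a for a in attempts if a.outcome == "incomplete"]
            if pending:
                pending[-1].timed_out = True
            continue
        attempt = open_by_thread.get(tid)
        if attempt is None:
            continue
        if (hit := TRYING.search(msg)):
            attempt.classes_tried.append(hit["cls"])
        elif TESTS_OK.search(msg):
            attempt.outcome = "ok"
        elif (hit := LISTENING.search(msg)):
            attempt.listener = hit["addr"]
        elif (hit := CONNECT_FAILED.search(msg)):
            attempt.gateway_endpoint = hit["endpoint"]
            attempt.reason = hit["reason"].strip()
        elif UNABLE.search(msg):
            attempt.outcome = "failed"
    return attempts


def triage(attempt):
    """Return a one-line finding for an attempt, with a next step on failure."""
    if attempt.outcome == "ok":
        via = attempt.classes_tried[-1] if attempt.classes_tried else "unknown class"
        return f"{attempt.target}: OK via {via}, local listener {attempt.listener or 'not logged'}"
    if "unreachable host" in attempt.reason:
        step = (f"client cannot reach {attempt.gateway_endpoint}; check the firewall "
                "port address translation rule for that port")
    elif attempt.timed_out:
        step = "attempt timed out; check HTGateway.log or SocketGateway.log on the gateway"
    else:
        step = "check HTGateway.log or SocketGateway.log on the gateway"
    detail = attempt.reason or "no socket error logged"
    return f"{attempt.target}: {attempt.outcome.upper()} ({detail}); {step}"


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(triage(a))
```
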


5 Advanced Networking

This chapter discusses NAIL (Network Abstraction and Isolation Layer) and advanced networking for more complex environments. The following topics are discussed in this chapter:

- Networking Overview
- NAIL Overview
- Configuring NAIL Server Advanced Mode
- Using VLAN-isolated DHCP Networks
- Using Network Switch Automation
- NAIL Server Troubleshooting
- NAIL Diagnostics Error Message
- Using NAIL Driver
- Migrating From NAIL Driver to NAIL Server

Networking Overview

Establishing the physical and virtual networking configuration for the Cloud Automation Platform environment requires considerations and decisions on several issues.

Considerations

Before deciding how to configure the networking for your environment, you should consider several environmental and resource issues, including the following:

- Number and size of virtualization hosts: for example, if you have many small virtualization hosts that will not host many VMs, a single application configuration might need to span several of these small hosts. If this is the case, NAIL server in advanced mode might be required. Or if you only have two very large virtualization hosts that can each host a large number of VMs, your multi-server application configurations can probably reside on a single host.
- Images: Are your images configured for DHCP, or do they have a static IP address? Do you have heterogeneous images (ESX and Hyper-V)? How will these images be used in the server configurations of an application configuration (i.e. will the various types of images be mixed in a single application configuration)? If you are using physical server images, and plan to deploy a single image to multiple computers, you must either configure the images for DHCP or use the legacy NAIL driver. (See NAIL Overview on page 163 for more information.)

Typical Networking Configurations

You must set up a network connection for the host server, a TCP/IP gateway, IP addresses, and most likely a URA gateway. These values must be compatible, which means that the IP addresses that you assign to the resource pool must not include the IP address of the TCP/IP gateway, URA gateway, or the host server network. Otherwise, resource pooling errors will occur.

For example, if your external network connection NIC uses External Network (Intel(R) PRO_1000 MT Dual Port Server Adapter), , your TCP/IP gateway address uses , and your URA gateway server address uses , ensure that , , and are not included in the list of IP addresses assigned to the resource pool.

Additionally, if there is a requirement for network address translation, the server configurations need to be defined to use NAIL Server. If no NATing is required, but isolation is, VLAN-isolated DHCP networks might be appropriate.

Note: The NAIL Server is an optional component that is not installed by default with Cloud Automation Platform. For information about installing the NAIL Server components, see Installing the Advanced Enterprise Pack (Optional).

Depending on the type and complexity of the virtual network that you require, you can configure your networking in a number of ways. Some of the options are:

- An isolated, private virtual network
- A launchpad configuration in which all VMs are on a single host using a virtual network, but only one VM uses NAIL Server to connect to the public, external network
- A single NAIL Server virtual network on a single host
- An application configuration that has multiple server configurations that span several hosts
- Multiple application configurations on multiple hosts with several NAIL Servers:
  - If network address translation is needed, specify NAIL 3 as the ethernet device type on the server configurations so that the NAIL Server does the NATing.
  - If network address translation is not needed (i.e. DHCP or Static IP Addresses), but VLAN isolation is desired, specify DHCP as the ethernet device type on the server configurations, and create DHCP networks.
- A combination environment with virtual machines using NAIL Server and physical computers using NAIL Driver

The following diagrams illustrate four common network topologies:

Default Network

This network configuration has the following characteristics:

- Static or DHCP IP addresses are used in all VMs and deployed physical servers
- Open to all broadcast network traffic; no network isolation
- No NAIL Server, thus no network address translation

Figure 1: Typical topology using the default network

NAIL Server, Standard Mode

This network configuration has the following characteristics:

- DHCP or Static IP addresses
- Network address translation provided by NAIL Server

Figure 2: Using NAIL Server (Standard mode) to provide network translation

NAIL Server, Advanced Mode

This network configuration has the following characteristics:

- DHCP or Static IP addresses
- Network address translation provided by NAIL Server
- A single application configuration can have server configurations on different physical hosts.

For information about using NAIL Server in advanced mode, see Configuring NAIL Server Advanced Mode on page

Figure 3: Using NAIL Server (Advanced mode) to provide network translation

VLAN-isolated DHCP Networks (Using OSPF)

This network configuration has the following characteristics:

- DHCP or Static IP addresses
- No network translation; IP addresses assigned and routed by NAIL Server
- NAIL Server mode can be either Standard or Advanced (use Advanced if a single application configuration spans physical hosts)
- OSPF must be enabled, and Cloud Automation Platform must have proper credentials on the OSPF router

For more information about using VLAN-isolated DHCP Networks, see Using VLAN-isolated DHCP Networks on page

Figure 4: Typical topology using VLAN-isolated DHCP Networks, with the NAIL Server acting as the gateway

VLAN-isolated DHCP Networks (Using Switch to route IP Addresses)

This network configuration has the following characteristics:

- DHCP or Static IP addresses
- No network translation; IP addresses assigned by NAIL Server
- NAIL Server must be in advanced mode

For more information about using VLAN-isolated DHCP Networks, see Using VLAN-isolated DHCP Networks on page

Figure 5: Typical topology using VLAN-isolated DHCP Networks, with the switch acting as the gateway

NAIL Overview

Virtual machines (VMs) are incapable of communicating over a network if certain identifiers are not unique for each VM. When a VM is cloned, some identifiers are always duplicated, including the machine name, security identifier (SID), and IP configuration.

To solve the problem of duplicate IP addresses, the Cloud Automation Platform network abstraction and isolation layer (NAIL) uses network address translation (NAT) to provide a unique IP address for each cloned VM on a network. With NAIL, an entire operating system (OS) stack and application, including groups of applications, can be imaged and moved from one VM to another and from one environment to another without any changes to the image itself.

Use NAIL if any of the following conditions is true:

- Multiple copies of the same server configuration are deployed on a network and the server configurations are not using DHCP
- An isolated network is required

NAIL also uses virtual LANs (VLANs) for VMs that require grouping, as is the case when multiple server configurations comprise a single application configuration. NAIL Server uses IEEE 802.1q VLANs to isolate application configurations from one another and prevent duplicate host name or IP address errors while simultaneously deploying clones of VMs. You must use VLAN IDs within the range of , inclusive.

Note: In version 5.3, NAIL Driver was deprecated and replaced by NAIL Server. In the documentation, NAIL Driver is sometimes referred to as Legacy NAIL. The NAIL Driver is required if you want to deploy a single physical server image to multiple computers and the images are not configured to use DHCP.

By default, NAIL Server is installed in Standard mode. The standard mode is for environments where all VMs within an application configuration are on the same physical host. If the VMs that are included in an application configuration are spread out over multiple physical hosts, then use NAIL Server Advanced mode.

If you are implementing NAIL Server in the advanced mode, you should work with your network administrator to select the appropriate network adapters, switches, and VLAN IDs that are compatible with your physical network environment.

Note: In environments where a DHCP server is used for allocation of IP addresses to VMs, it is important to ensure that the pooled IP addresses used in the Cloud Automation Platform environment do not duplicate those used by the DHCP server.

If your platform is in a non-US time zone, the NAIL servers log in the US/Central time zone by default. To override this, change the NailServer.Timezone advanced configuration setting before pooling your hosts, so that the NAIL server logs in the appropriate time zone.

Configuring NAIL Server Advanced Mode

In environments where a single application configuration will include servers that are located on different physical computers, the NAIL Server must be configured to run in advanced mode.

NAIL (Network Abstraction and Isolation Layer) uses network address translation (NAT) to provide a unique IP address for each cloned VM on a network. With NAIL, an entire operating system (OS) stack and application, including groups of applications, can be imaged and moved from one VM to another and from one environment to another without any changes to the image itself.

By default, NAIL Server is installed in standard mode. The standard mode is suitable for environments where all VMs within a single application configuration are on the same host (i.e., the same physical computer). Using NAIL Server in standard mode requires relatively simple networking and switch configuration.

However, if the VMs that are included in an application configuration must be deployed over multiple physical computers, then use NAIL Server advanced mode. In advanced mode, NAIL Server uses VLANs to isolate application configuration instances from one another.

If you are implementing NAIL Server in the advanced mode, you should work with your network administrator to select the appropriate network adapters, switches, and VLAN IDs that are compatible with your physical network environment. The VLANs used must be defined as network resources and pooled in the CAP web interface.

Note: Microsoft Hyper-V does not support VLAN trunking from a NIC to a virtual machine, so NAIL servers cannot be used on a Hyper-V host. However, network address translation can be accomplished in an all Hyper-V or a heterogeneous environment with the use of a utility host. A utility host is any server running supported virtualization software that also supports NAIL server, and is used by Hyper-V hosts for network translation services.

See Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 37 for more information about utility hosts.

To implement NAIL Server Advanced Mode

Review the following steps for implementing NAIL Server in advanced mode.

Note: The following instructions assume that you have successfully installed and are running NAIL Server in standard mode. If you are running in standard mode, then you already have defined a default network, and you simply need to add a trunked network. However, instructions to create the default network are still provided below. If your installation is already running in standard mode, ignore the steps below to create the default network and follow those to create the trunked network.

1. Configure the physical network infrastructure (i.e. the system of switches and cables used by the virtualization hosts). The physical network switches must allow traffic that is tagged with VLAN IDs. See NAIL Server Advanced Mode: Physical Cabling on page 168 for detailed information and diagrams about configuring the switches and cables.

2. Connect the physical host (where the VMs reside) to the physical network switch. One adapter or NIC must be cabled to a network switch port that allows access to the CAP Core server computer and to external assets (file servers, web servers, the Internet, etc.). The second adapter must be cabled to a trunked port on the switch that allows VLAN tagged traffic.

3. Create two virtual networks that connect to the physical network adapters or NICs (Network Interface Cards) on the host. Use VMware ESX to create the two virtual networks, one for each of the following purposes:

   - Default network: this is the network that will be used to access external assets.
   - Trunked network: this is the network that will be used for VLAN traffic between the VM hosts.

   Note: Make note of the exact names of the two networks, as you will need to select the appropriate network when assigning the hosts to a resource pool in the CAP web interface.

   For detailed instructions about creating these two required virtual networks, see NAIL Server Advanced Mode: Creating Required Virtual Networks (ESX) on page

4. After creating the two virtual networks, alert the Quest CAP Agent on the host to the fact that two new virtual switches have been created. To do so, open the vcsadmin tool on the CAP Core server host, log in, and run the following command for each host:

       commandrun name_of_host poll

   Alternatively, you can wait for the poll cycle to occur, during which the Quest CAP Agent communicates with the CAP Core server.

5. Unpool all hosts in the Cloud Automation Platform environment. Consider using the Maintenance Mode feature to prevent deployments from occurring while you are changing to Advanced mode. See Performing Maintenance on Hosts on page 200 for more information.

6. Change the Advanced Configuration setting to advanced. To change the mode to advanced, open the CAP web interface and click System Settings in the left pane. On the System Settings page, view the System Environment Properties area in the right pane. In the System Environment Properties area, click the current setting for the NAIL Server Mode option, and change it to Advanced.

7. Edit each host's details so that the new virtual networks are selected. To do so, open the CAP web interface and click Hosts in the left pane to view the list of all hosts. Click the name of the host in the list and, on the Details page, click Edit. On the Edit a Host page, under the Properties area, select from the Trunked Network list the new virtual network that you defined for VLAN traffic.

8. Re-assign all hosts to their appropriate pools, and stop the Maintenance Window, if it was started.

NAIL Server Advanced Mode: Physical Cabling

Physical hosts are cabled as shown in the diagram below. Configuring the physical network infrastructure as described here is the first step in implementing NAIL Server in advanced mode. For an overview of all required steps, see To implement NAIL Server Advanced Mode on page 166.

The following diagram shows the configuration for a two-port host (VMware or Microsoft Virtual Server (MSVS)).

In addition to using the cabling descriptions above, the following steps must be done to configure the port on the physical switch that will be used for the trunked network:

- Create the required VLANs on the switch. These VLAN IDs must match the VLAN ID ranges that are defined as network resources in the CAP web interface.
- Set the allowed VLAN IDs for the port. Again, these IDs must match those defined as network resources in the CAP web interface. Furthermore, be sure to exclude any VLAN IDs that are used as native VLANs on the default networks.
- Enable BPDU filtering on all ports that the trunked NIC will connect to.
- Enable 802.1q trunking on the port.
- Set the bridge priority to a value less than (which is the NAIL server's bridge priority).
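The matching rules in the first two items above can be checked before any host is pooled, because a VLAN that is allowed on the trunk but unknown to CAP is carried outside the platform's isolation. The following Python code is an added example, not part of this guide or of Cloud Automation Platform; the 'a-b,c' list notation, the function names and every VLAN number in it are assumptions chosen for illustration.

```python
"""Added example: compare trunk-port VLAN settings with CAP VLAN ID ranges.

All VLAN numbers in SAMPLE are constructed values, not taken from the guide.
"""

# Usable IEEE 802.1Q VLAN IDs (0 and 4095 are reserved by the standard).
# The range the product itself permits may be narrower.
DOT1Q_MIN, DOT1Q_MAX = 1, 4094


def parse_vlan_list(text):
    """Turn a list such as '100-149,200' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        first, _, last = part.partition("-")
        lo = int(first)
        hi = int(last) if last else lo
        if lo > hi:
            raise ValueError(f"descending VLAN range: {part!r}")
        if lo < DOT1Q_MIN or hi > DOT1Q_MAX:
            raise ValueError(f"VLAN ID outside {DOT1Q_MIN}-{DOT1Q_MAX}: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def compress(vlans):
    """Render a set of VLAN IDs in compact 'a-b,c' form for a report."""
    runs, run = [], []
    for vlan in sorted(vlans):
        if run and vlan == run[-1] + 1:
            run.append(vlan)
            continue
        if run:
            runs.append(run)
        run = [vlan]
    if run:
        runs.append(run)
    return ",".join(
        str(r[0]) if len(r) == 1 else f"{r[0]}-{r[-1]}" for r in runs
    )


def audit_trunk(cap_ranges, switch_vlans, trunk_allowed, native_vlans):
    """Return findings keyed by rule; a value of '' means the rule holds."""
    cap = parse_vlan_list(cap_ranges)        # VLAN ID ranges defined in CAP
    created = parse_vlan_list(switch_vlans)  # VLANs that exist on the switch
    allowed = parse_vlan_list(trunk_allowed) # allowed list of the trunk port
    native = parse_vlan_list(native_vlans)   # native VLANs of default networks
    return {
        # CAP would hand out a VLAN the switch does not know about.
        "not_created_on_switch": compress(cap - created),
        # CAP would hand out a VLAN the trunk port drops.
        "not_allowed_on_trunk": compress(cap - allowed),
        # The trunk carries VLANs that CAP does not manage or isolate.
        "allowed_but_not_in_cap": compress(allowed - cap),
        # A native VLAN must not be part of the CAP ranges ...
        "native_vlan_in_cap_range": compress(cap & native),
        # ... and must be excluded from the trunk's allowed list.
        "native_vlan_allowed_on_trunk": compress(allowed & native),
    }


# Constructed sample: the switch is missing VLANs 206-209, and the trunk
# still allows native VLAN 1 and an unrelated VLAN 300.
SAMPLE = {
    "cap_ranges": "100-149,200-209",
    "switch_vlans": "1,100-149,200-205",
    "trunk_allowed": "1,100-149,200-209,300",
    "native_vlans": "1",
}

if __name__ == "__main__":
    for rule, vlans in audit_trunk(**SAMPLE).items():
        print(f"{rule:30} {vlans or 'ok'}")
```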

NAIL Server Advanced Mode: Creating Required Virtual Networks (ESX)

Using NAIL Server in advanced mode requires the existence of two virtual networks: a default network for external communication and a trunked network for VLAN-tagged traffic between virtual machines within a deployed application configuration. Use the following instructions for creating these networks in VMware ESX 3.5 or 4.x.

Note: If your environment uses DVS (Distributed Virtual Switch), refer to the Workflow Summary on page 216 about configuring vCenter and creating the default and trunked networks using DVS. DVS is required if you implement High Availability.

For an overview of all steps required to implement NAIL Server in advanced mode, see Configuring NAIL Server Advanced Mode on page 165.

To create the default network

1. Open the VMware client (Virtual Infrastructure Client for 3.5 or vSphere client for VMware 4).
2. Select the VMware ESX server that you want to configure in the left pane.
3. Click the Configuration tab.
4. In the Hardware area, click the Network Adapters link. View the network adapters and determine which vmnic is connected to the default network on the physical switch.
5. In the Hardware area, click the Networking link.
6. The Network Configuration displays on the right.
7. To create the new default network, click the Add Networking... link. The Add Network Wizard appears.
8. In the Add Network Wizard, under the Connection Type area, select Virtual Machine, and then click Next.
9. Select Create a virtual switch and select the vmnic that is connected to the default network.

10. Click Next.
11. Under Port Group Properties, define the Network Label. This is the name of the default virtual network that will appear in the CAP web interface when you pool the VM host.

    Note: Leave the VLAN ID field blank. Do not assign a VLAN ID to this port group.

12. Click Next.
13. On the Ready to Complete page, review the Summary and click Finish.

To create the trunked network

1. Open VMware Virtual Infrastructure Client.
2. Select the VMware ESX server that you want to configure in the left pane.
3. Click the Configuration tab.
4. In the Hardware area, click the Network Adapters link. View the network adapters and determine which vmnic is connected to the trunked network on the physical switch.
5. In the Hardware area, click the Networking link. The Network Configuration displays on the right. To create the new trunked network, click the Add Networking... link. The Add Network Wizard appears.
6. In the Add Network Wizard, under the Connection Type area, select Virtual Machine, and then click Next.
7. Under Create a virtual switch, select the vmnic that is connected to the physical adapter for the trunked network.
8. Click Next.
9. Under Port Group Properties, define the Network Label. This is the name of the trunked virtual network that will appear in the CAP web interface when you pool the VM host. Quest Software recommends that you name the network Trunked Network.

10. In the VLAN ID field, enter This value causes the network to accept all VLAN IDs, which is required by NAIL Server in advanced mode.
11. Click Next.
12. On the Ready to Complete page, review the Summary and click Finish.

After completing the above steps, the two new virtual networks that you created are shown in the networking diagram on the Configuration tab of the Virtual Infrastructure Client.

Next Step: Return to step 4 of Configuring NAIL Server Advanced Mode on page 165.

Using VLAN-isolated DHCP Networks

Using VLAN-isolated DHCP networks is recommended or required for several scenarios.

Servers (physical or virtual) that are externally provisioned by HP Server Automation require DHCP for the initial network boot process (PXE). Using isolated DHCP networks would normally prevent the VMs and physical servers on that network from receiving broadcast traffic, including the netboot traffic. With Cloud Automation Platform's VLAN-isolated DHCP networks, the Platform performs the role of managing IP addressing and routing traffic between servers that are outside of the isolated network and the servers on the isolated network.

Additionally, in an environment using virtual images with non-static DHCP addresses, you might want to use an isolated DHCP network. This allows the servers included in the application configuration to communicate with one another on a dedicated, isolated network without interference from servers that are in other deployments or from broadcast network traffic.

When using isolated DHCP networks, use the CAP web interface to create one or more DHCP networks. DHCP networks are a type of network resource, as are IP address ranges and VLAN ID ranges. The DHCP networks must be pooled, just as other network resources are, before they can be used. For more information about creating network resources, see Chapter 9, Physical and Network Resources, on page 259.

Implementing VLAN-isolated DHCP Networks

There are two ways to configure isolated DHCP networks:

- Dynamic/OSPF: Using OSPF (Open Shortest Path First) and enabling Cloud Automation Platform to perform both the DHCP addressing and network routing.
- Static/Switch: Using the physical switch to provide network routing, while Cloud Automation Platform provides DHCP addressing services for the isolated DHCP network.

Using OSPF (Dynamic/OSPF Option)

To implement VLAN-isolated DHCP networks using OSPF, use the following procedure:

1. Enable OSPF on the switch that is used to connect external users to the virtualization hosts on the network.
2. Verify that the Advanced Configuration Nail.DhcpGatewayMode setting uses the value nailserver, not switch.
3. The default network needs to be in the OSPF backbone area (Area 0).
4. In the CAP web interface, create one DHCP network range (the NAIL Server will divide the range into subnets as needed). Ensure that the network range is large enough to accommodate the three IP addresses that are required for the network address, the broadcast address, and the gateway server, in addition to an IP address for each VM or physical server on the network.
5. Create at least one VLAN ID range.
6. Configure one Trunked network if using Advanced mode for the NAIL Server. For more information, see Configuring NAIL Server Advanced Mode on page
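The sizing rule in step 4 (one address per server plus three for the network address, the broadcast address and the gateway) is easy to get wrong by one prefix length. The following Python code is an added example, not code from this guide or the product: it assumes IPv4, places the gateway on the first address after the network address as this guide requires for every DHCP range, and uses constructed 10.x addresses. The equal-size split in carve_range is an illustration only, since the guide does not describe how NAIL Server subdivides a range.

```python
"""Added example: size an isolated DHCP network (all addresses constructed)."""
import ipaddress

# Addresses that are never available to servers, per the guide:
# network address, broadcast address, gateway.
OVERHEAD = 3


def smallest_prefix(server_count):
    """Longest IPv4 prefix whose subnet holds the servers plus the overhead."""
    if server_count < 1:
        raise ValueError("at least one server is required")
    needed = server_count + OVERHEAD
    prefix = 32
    while prefix > 0 and 2 ** (32 - prefix) < needed:
        prefix -= 1
    return prefix


def plan_network(cidr, server_count):
    """Lay out one DHCP network: gateway first, then one address per server.

    Raises ValueError when the network cannot hold the requested servers.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    capacity = net.num_addresses - OVERHEAD
    if capacity < server_count:
        raise ValueError(
            f"{net} holds {max(capacity, 0)} servers, {server_count} requested; "
            f"use a /{smallest_prefix(server_count)} or larger network"
        )
    # The gateway takes the first address after the network address,
    # so server addresses start at offset 2.
    servers = [net.network_address + i for i in range(2, 2 + server_count)]
    return {
        "network": str(net.network_address),
        "gateway": str(net.network_address + 1),
        "broadcast": str(net.broadcast_address),
        "servers": [str(ip) for ip in servers],
        "spare": capacity - server_count,
    }


def carve_range(range_cidr, server_count):
    """Split a range into equal subnets that each fit one deployment.

    Assumption for illustration: every deployment has the same number of
    servers. Returns [] when a single deployment does not fit the range.
    """
    net = ipaddress.ip_network(range_cidr, strict=True)
    prefix = smallest_prefix(server_count)
    if prefix < net.prefixlen:
        return []
    return [str(subnet) for subnet in net.subnets(new_prefix=prefix)]


if __name__ == "__main__":
    # Constructed case: five servers need 5 + 3 = 8 addresses, i.e. a /29.
    print("prefix for 5 servers: /%d" % smallest_prefix(5))
    print(plan_network("10.20.30.0/29", 5))
    # A sixth server no longer fits the /29 and needs a /28.
    try:
        plan_network("10.20.30.0/29", 6)
    except ValueError as err:
        print("rejected:", err)
    print("deployments of 5 servers in 10.20.0.0/24:",
          len(carve_range("10.20.0.0/24", 5)))
```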

Using the Switch as a Gateway (Static/Switch Option)

In this scenario, OSPF is not enabled, the physical switch provides the network routing services, and Cloud Automation Platform still provides the DHCP addressing services. While performance is typically faster with this scenario, much more detailed pre-deployment configuration is required, because all required network ranges and VLAN IDs will need to be created in advance. Quest Software recommends using this implementation only if your environment cannot use OSPF.

To implement VLAN-isolated DHCP networks in an environment where OSPF is not used, use the following procedure:

1. Verify that the Advanced Configuration Nail.DhcpGatewayMode setting uses the value switch, not nailserver.
2. Configure one Trunked network (NAIL Server Advanced mode is required to use the Static/Switch option). For more information, see Configuring NAIL Server Advanced Mode on page
3. Create one VLAN ID range.
4. In the CAP web interface, create one DHCP network for each VLAN that is configured on the switch.

Additional Considerations

- The first IP address immediately following the network address in each DHCP range must be assigned to the Gateway. This is true no matter which way the DHCP networks are implemented.
- When pooling network resources (see Chapter 9, Physical and Network Resources, on page 259), be aware that a single pool can either use isolated DHCP networks or use NAIL Server for normal network translation.
- When using the OSPF option, the default network needs to be in the OSPF backbone area (Area 0). If this requirement cannot be met, then the following steps will need to be performed (contact Quest Support for more details):

- Pool all the content hosts first.
- Note down the IP address assigned by the platform to each pooled NAIL server.
- For each of these IP addresses, set up virtual links on the backbone router to the dynamically configured networks on the NAIL server, using the default network as the transit area. Use the NAIL server IP address as the router-id of these dynamic networks (i.e., the networks that come and go when a deployment is set up or torn down, respectively). Consult your switch vendor's documentation on OSPF to accomplish this. The following example shows how this may be done on a Cisco 3750:

      area <default-network-area-id> virtual-link <nailserver-ip>

- Edit the ospfd.conf.vm template file under the Platform\Templates directory on the machine where the ServiceHost.exe is installed to add virtual links from the dynamically configured networks to the backbone area via the default network as the transit area. Under the "router ospf" section, add the following line:

      area <default-network-area-id> virtual-link <area-0-router-id>

If OSPF authentication is desired, then contact Quest Customer Support for additional assistance.

Using Network Switch Automation

If your environment will use VLAN-isolated DHCP networks and physical provisioning to HP Server Automation-managed physical computers, you must configure network switch automation.

Note: To use network switch automation, the NAIL Server must be running in advanced mode. See Configuring NAIL Server Advanced Mode on page

1. In the HP Network Automation (HP NA) user interface, register the switches (add the devices) to be managed. (Skip this step if already done.)

2. Using the vcsadmin utility, run the vcsadmin command networkautomationenable to enable HP NA switch automation for Cloud Automation Platform. See Using the vcsadmin Utility on page 46 for more information about running vcsadmin commands.
3. In the CAP web interface, describe the cabling and networking topology by defining the physical server NIC properties Switch Address and Switch Port. See the online Help for detailed instructions to define these NIC properties on the Physical Provisioning Details page for the server.

Additional Considerations

- If any of the server configurations included in an application configuration has an ethernet device that is defined but not connected to a network (on the server config, you selected Not Connected in the Virtual Network list for an ethernet device's virtual network), then those network adaptors are, by default, connected to VLAN 1. To specify a different VLAN ID, use the vcsadmin utility to set a new ID for the advanced configuration setting PhysicalServer.NetworkAutomation.ParkedVlan. See Using the vcsadmin Utility on page 46 for more information about using vcsadmin.
- Refer to System Requirements on page 13 for details about the physical switches supported by Cloud Automation Platform's network switch automation feature.

NAIL Server Troubleshooting

The following diagnostics charts address two possible errors you might encounter when using the NAIL server:

- Host cannot be added to a resource pool
- The guest agent on a VM doesn't register with the Platform server

Unable to Add a Host to a Pool

The following errors related to pooling a host could occur:

- An error stating that the NAIL server agent on a host has not registered with the Platform server after 600 seconds. This is most often the result of one of the following two problems:
  - The NAIL server's assigned pooled IP address is incompatible with its host's default network (if the 'Use Pooled IP Address' option was chosen when the host was added to the pool).
  - The NAIL server was not able to obtain an IP address from a DHCP server (if the 'DHCP' option was chosen when the host was added to the pool).
- The STP (spanning tree protocol) configuration for a host in advanced mode is incorrectly inactive, thereby disabling the bridge interface.
- The STP state of the NAIL server host has an incorrect root bridge; check that the switch is properly configured to pass BPDUs for using the advanced mode of NAIL.

Refer to the following diagnostics workflow to troubleshoot the error.

Figure 6: Diagnostic workflow for unsuccessful pooling issue

Guest Agent Does Not Register

If an error occurs stating that the VM was successfully started, but that the guest agent of the VM did not register with the Platform server after 600 seconds, refer to the diagnostics workflow below.

Figure 7: Diagnostic workflow for guest registration issue

NAIL Diagnostics Error Message

For sessions using NAIL Server, a post-deployment process runs automatically to determine whether any networking issues occur and, upon failures, to collect NAIL server logs, deployment group details and app/server config details. Some of the common issues that would be diagnosed automatically include:

- Incorrect image preparation (e.g., network adapters still configured for legacy NAIL driver even though it is set to NAIL Server in the server configuration)
- Server configuration misconfiguration (e.g., setting the internal IP address of network adapter 1 in the server config to be when it is actually in the image)
- Trunked network not connected to the trunked port on a physical switch in NAIL advanced mode
- Application configuration networking is incorrect
- NAIL server network adapters not starting in the correct order when rebooted

The NAIL diagnostics tool is controlled by an advanced configuration setting, Nail.RunNetworkDiagnostics. The log file that is generated as a result of the diagnostics is NailDiagnosticsDeploymentGroup-{0}, where {0} is the deployment group ID.

Using NAIL Driver

If your environment includes physical server images that will be deployed to multiple physical computers using the Altiris Deployment Solution, and the images are not configured for DHCP, you will need to use NAIL Driver to avoid network conflicts. That is, if a single physical server image that is not DHCP-configured is deployed to multiple computers simultaneously, NAIL Driver is required to translate the IP address of each image to a unique address that can be used externally.

Note: NAIL Server (or NAIL 3) is not supported with physical server images.

For detailed networking information about configurations for using NAIL Driver, refer to the Cloud Automation Platform online Help.

The NAIL Driver runs on Windows 2003 or Windows XP, 32-bit platform. Additionally, the network connection on the NAIL Driver host must be named Local Area Connection.

During the process of creating a physical server configuration, you must select NAIL 2 in order to use NAIL for IP address translation. (NAIL Driver is also referred to as NAIL 2.) If you select DHCP, be sure that the image is configured for DHCP. For detailed instructions to create a physical server configuration, refer to the Cloud Automation Platform online Help.

To populate the physical server configuration creation page with the choice of NAIL 2, you must have first set the NAIL.EnableLegacyMode advanced configuration setting to true. Use the following instructions to do so:

1. Launch the vcsadmin utility by double-clicking the vcsadmin.exe file in the installation directory on the Platform server. By default, this directory is Program Files/Quest Software/Platform.
2. When the vcsadmin utility opens, log on by typing the following and then pressing Enter:

       login <userid> <password>

   By default, the user ID is admin. The password is the Cloud Automation Platform administrator password that was defined during the Platform installation.
3. After logging on, enter the following command and then press Enter:

       configset NAIL.EnableLegacyMode=true

Masquerading

Server configurations can be created with MAC address masquerading enabled. When a server configuration with masquerading is reserved, a fixed, user-assigned MAC address is configured within the guest OS on the VM. Masquerading enables one or more VMs to use the same internal MAC address. Externally, the network sees the actual virtual MAC address, which is uniquely assigned to each cloned VM. Internally, within a guest VM, each clone sees the masqueraded MAC address.

Note: To use masquerading, the deprecated legacy NAIL Driver must be included in the images.

When an application configuration is bound to a fixed MAC address, you can use MAC masquerading to ensure that all deployed VMs use the same, fixed MAC address. When you enable MAC masquerading, the new or disguised MAC address is seen by the OS network stack and used when commands like ipconfig are run.

For example, if your VM uses an application that assigns a MAC address to trace the number of installed licenses, assign a MAC masquerade value that matches the MAC address assigned by the application.

Migrating From NAIL Driver to NAIL Server

This section discusses the essential steps required to remove NAIL driver from an application configuration, then adjust the configuration to work with NAIL server.

Note: Be aware that if a server configuration with NAIL driver is using MAC masquerading, migrating to NAIL server might break the configuration.

There are three phases to the process of migrating from NAIL driver to NAIL server:

- Preparation
- Optimization
- Integration

Phase 1: Preparation

Before you update any application configurations, verify that the Surgient_Image_Tool.iso file is in the system library. This is the same .iso that is used to prepare images for use in the Cloud Automation Platform environment.

If the Surgient_Image_Tool.iso file is not already in the /Images/Templates directory in the library, copy it into the library from the Cloud Automation Platform media that you used to install the product.

In the CAP web interface, click Images in the left pane (the Navigation pane). The Images area displays a table of all images in all library locations. Verify that the Surgient_Image_Tool.iso is shown in the list. If not, click the Re-Sync button to refresh the library contents.

Phase 2: Optimization

Now that the Surgient_Image_Tool.iso is in place, you can start updating the images and application configurations.

The last upgrade you did, as long as it was 5.3 or later, automatically populated your new installation with your previous application and server configurations that used NAIL Driver. While these configurations will still deploy, they will need to be updated to take advantage of NAIL Server.

To begin, select an application configuration that needs to be updated and create a session for it. Deploy the session normally. Once the reservation is available, check to ensure console access is enabled for all virtual machines deployed with this session. Once console access is enabled, launch the console page for the VM and log in normally.

Finally, use the Attach Media option to attach the Surgient_Image_Tool.iso. Run the appropriate optimizer ISO image (Windows or Linux, virtual or physical). This is the same process as preparing images. See Preparing Images on page 244 for detailed instructions.

The Image Optimizer Express tool should automatically launch once the ISO image is attached. If it doesn't, you'll need to navigate to the Surgient_Image_Tool.iso, and manually start Express.exe, which is included in the .iso file.

Once the optimization process completes, the express runtime will display a compact HTML report using Internet Explorer. Most tasks should succeed. Obvious exceptions are steps which uninstall a particular piece of software (which a later step re-installs). Once you've reviewed the report, close Internet Explorer.

The express runtime should now launch the Disk Inspector. The tool reports a variety of interesting facts about the current system. Take special note of the network configuration. You'll want to write these values down, or take a screen shot. Once you've recorded the network information, stop the VM.

If there are multiple virtual machines in the application configuration, repeat the optimization process on each of them.

When all the images are complete, use the CAP web interface to save the new configurations. Click Sessions in the left pane. On the Sessions Details page click Active Reservation Actions... and select Save As from the menu. Select names for the new application and server configurations. Monitor the reservation details screen, and wait for the save process to complete.

Phase 3: Integration

Now that the updated disk images are stored in the system library, you can begin updating the related configurations. Find the newly-created application configuration. Write down (or take a screen shot of) the component server configurations.

For each of the server configurations, edit the network configuration. To do so, click Server Configurations in the left navigation pane, and then in the list of server configurations, click the blue menu icon beside the name of the server configuration and select Edit.

If the original server configuration used NAIL driver, the Ethernet Device 0 checkbox under Network Adaptors area will display NAIL 2. Select NAIL 3 instead. In the IP Configuration area, enter the IP address information you recorded from the Disk Inspector. Add and configure any additional network adapters. When you're done, save the updated server configuration.

The Save As process will have automatically created a new application configuration. Add the updated server configurations, and save.

Once you've successfully deployed and tested the new application configuration, you can safely delete the original configurations.

Note: Any client snapshots and sessions that were created previously will still refer to the original configurations.

6 Configuration and Administration

This chapter addresses the following topics:
- Moving an Existing Library Location
- Migrating the Agent Services and RSM
- Configuring Storage and Shared Access
- Managing Virtualization Hosts
- Performing Maintenance on Hosts
- Recovering and Managing Missing Items
- Using the Dashboard
- Recommendation-Based Migrations
- Manually Migrating an Active VM
- Using High Availability with VMware vSphere
- Physical Provisioning
- Installation for a Secure IIS Service Account
- Editing Advanced Configuration Settings

Moving an Existing Library Location

The vcsadmin command librarymove can be used to move library content from one location to another. The main purpose of this command is to support the ability to move the library location that was defined during the original installation (now possibly too small) into a larger directory.

Moving library content includes physically copying files from the source location to the destination location, then adjusting all affected server configurations and snapshots to point to the new files at the destination location. The librarymove command can optionally delete source library files and/or the source library itself after everything has been successfully moved to the destination. The move operation involves copying very large files, so it could take hours or even days depending upon the size of the library in the source location.

Note: The destination location is not created as part of the move operation; it must first be created in the CAP web interface. Refer to the online Help topic Adding a New Library Location.

Because moving a library can take a long time, it is not required that activity on the CAP Core server cease while file copying is in progress. The source library is fully functional until the very end of the move operation, when the script begins modifying objects in the database.

Because CAP Core server activity is continuing during the move, it is possible that the move script will encounter circumstances that prevent it from completely finishing the move. In that case an is sent describing the problem. To recover, the user need only a) remove the blocking circumstance (e.g., cancelling a reservation) and b) run the same move operation again. The move script will resume where it left off without duplicating any file copying or other work that was completed during the first invocation.

Deployments that are in the "Available" state are allowed and will continue to work normally during and after a library move.
However, if any deployment is in an active phase (e.g., provisioning, deprovisioning, saving a snapshot, etc.) the script will exit to prevent unexpected deployment failures.

Using the librarymovestatus command, it should be possible to predict with some accuracy the time at which the copy procedure will finish and the script enters into its critical database update phase. As a best practice Quest Software recommends that Cloud Automation Platform administrators try to ensure that no active deployment automation occurs during this last phase of a move.

To use vcsadmin to move a library location, follow these steps:

1. Launch the vcsadmin utility by double-clicking the vcsadmin.exe file in the installation directory on the CAP Core server. By default, this directory is Program Files/Quest Software/Platform.
2. When the vcsadmin utility opens, log on by typing the following and pressing Enter:

    login <userid> <password>

   By default, the user ID is admin. The password is the Cloud Automation Platform administrator password that was defined during the installation.
3. After logging on, use the following syntax (providing the name of the server where the library is currently, the directory path of current library, the server name of the new library location, and the exact directory path):

    librarymove <options> <sourceservername> <sourcepath> <destinationservername> <destinationpath>

The following vcsadmin commands support this feature:
- librarymove: starts the operation, which is performed in the background by an automation script. When the move is complete, an is sent to the user that requested the move.
- librarymovestatus: use to monitor the progress of the move operation.
- librarymovecancel: use to cancel an in-progress move operation.
- librarylist: use to show a list of all existing library locations.

To see additional information about any of the library commands, enter help <name_of_command>.

Migrating the Agent Services and RSM

In some cases, the Agent Services component of the platform needs to be migrated to another server. For example, if you installed all components of the platform on a single computer, you might later decide to move the Agent Services component to another computer in order to increase throughput and handle more virtualization hosts.

Note: The Agent Services component includes the Remote Server Manager (RSM), the Agent message forwarder, which functions as the mailbox for the CAP Core server, and the Agent message processor, which parses agent documents.

To migrate the Agent Services component from one computer to another, perform the following steps:

1. Uninstall Agent Services on the computer where it is currently installed:
   a. Start Add or Remove Programs.
   b. Click on Change for the Platform program (Quest Cloud Automation Platform).
   c. In the InstallShield Wizard, select Modify and click Next.
   d. Uncheck the Agent Services feature and click Next.
   e. Enter the Control Service information and click Next.
   f. Click Next in the following panel to uninstall the Agent Services.
2. After uninstalling the Agent Services on the first computer, you should immediately use the following procedure to create a redirecting Mailbox location on the same computer (where the Agent Services was originally installed). To redirect the Mailbox location, you can either run the SAR.exe file that is included in the installation media, or perform the following steps to manually redirect the location:
   a. Start the Internet Information Services (IIS) Manager on the first computer.
   b. Right click on Default Web Site and select New -> Virtual Directory.
   c. In the Virtual Directory Creation Wizard, click Next.
   d. Enter the value ingress for Virtual Directory Alias and click Next.
   e. Enter the directory C:\Inetpub\wwwroot for the web site path and click Next.
   f. Accept the default Permissions and click Next.
   g. Click Finish in the final pane.
   h. Right-click on the new virtual directory named ingress and select Properties.
   i. Select A redirection to a URL under the Virtual Directory tab.
   j. Enter in the Redirect to... box where <IP_address> is the address of the target computer, where you will next install the Agent Services.
   k. Click OK to save the changes.
3. Install the Agent Services on target computer.
   a. Run the Setup.exe installer.
   b. Select the Standard installation type.
   c. Uncheck all features except for Agent Services.
   d. Enter the IP address of the machine the Control Service is running on (the first computer where Agent Services was installed).
   e. Enter the username and password of the user account that will run the Agent Services.
   f. Click Next in the following dialogs to complete the installation.
4. Run the AdvancedEnterprisePack.exe to install NAIL Server images. See Installing the Advanced Enterprise Pack (Optional) on page 75.

Configuring Storage and Shared Access

Depending on the storage and network access architecture used in your environment, and the type of images and library content, there are several different ways to configure the storage and shared access for your environment. Refer to the following sections for detailed information about the various supported configurations.

Note: The next three sections outline the suggested practices for storing and sharing content in environments in which the content type (.vmdk, .vhd, .img, etc.) will be stored and accessed from the same type of host; a homogeneous environment. For options in a heterogeneous environment, in which the image types and files for an ESX host might be stored on a Hyper-V server, or vice-versa, see Using Heterogeneous Host and Storage Types on page 197.

Using VMware VMFS in a SAN-based Configuration

Cloud Automation Platform enables a shared, SAN-based VMFS file system to serve as a library location for VMware ESX hosts. All hosts that have direct access to the VMFS LUN will be able to run images directly from the library without requiring NFS. Using a shared library location on a SAN-based VMFS file system reduces VM deployment times by eliminating the need to copy files locally to the virtualization host. Existing investments that customers have made in Fibre Channel or iSCSI networks can be utilized directly.

As a suggested best practice, separate storage areas (local VMFS, a separate LUN on the SAN, or a unique directory on the shared VMFS LUN) for each virtualization host can still be used to store redo files and snapshots for each host.

Considerations

Review these notes about using VMFS:
- If your environment does not include a SAN, you can select an NFS-enabled server as the library location. For more information, see Using NFS In a Network-Attached Storage Configuration on page 194.
- All ESX 3.5 and ESXi 3.5 servers that use iSCSI must be configured to support the VMkernel Port (see Configuring the VMkernel Port on page 194).
- The maximum number of hosts that can connect to a single VMFS volume is 32.
- The LUN on which the VMFS volume resides cannot be larger than 2 TB nor can the volume span LUNs.
- Cloud Automation Platform requires Hardware Version 4 or version 7 double-file VMDK format for all .vmdk files. Refer to Converting Hardware Versions for .vmdk Files on page 253 for instructions to use a vcsadmin script to convert files.
- A VMFS directory can also be used as a shared file cache location on the SAN. All of the considerations noted for defining the library location on the SAN also apply to creating a shared file cache. For additional information, see the CAP web interface online Help topic Adding New File Cache Location.

To use a VMFS volume on a SAN as the library location, perform the following steps:

Before installing the Platform:
1. Create the volume on the SAN server that you want to use as the library location.
2. Verify that SSH access is enabled for the ESX host. See Configuring ESX Hosts.
3. Select which virtualization host will be the library server.
4. Configure the selected ESX host to connect to the SAN server. See Configuring the ESX Host and SAN Server on page 192.

After installing the Platform:
5. If the ESX host that will be the library server has not already been registered with Cloud Automation Platform, register the server as a remotely managed host. Refer to Registering a Remotely Managed Host in the online Help for detailed instructions.
6. If the host will be used as both a library server and a virtualization host, use the CAP web interface to edit the host to perform the following tasks. If not, and the host will only be used as a library server, skip to step 7.
   - Specify the Default Network and the Trunked Network
   - Select the Dedicated File Cache Volume
   - Specify the Root VM Volumes directory where the VM configuration files and redo files will be created. This directory could be on a local disk or on a dedicated VMFS volume on the SAN.
   Refer to the online Help for detailed instructions about editing a host.
7. Create the new library location. Refer to the online Help for detailed instructions.

Configuring the ESX Host and SAN Server

Before using the CAP web interface to add a library location or file cache location on a VMFS volume of a SAN (storage area network), the VMware ESX or ESXi host needs to be configured to connect with the SAN server.

Note: The following section outlines the basic steps required, and refers to the use of iSCSI protocol for communication between the ESX server and the SAN. The specific steps required in your environment might be different.

1. Log on to ESX server using the VI Client or vSphere Client and enable the iSCSI Software Adapter on the ESX host. This process adds the IP address of the SAN server to the ESX host's list of connected storage devices, so that the ESX host is aware of the SAN server.

2. Log on to the SAN server management interface and add the ESX host as a client.
3. Using the SAN server management interface, map the ESX host to a volume on the SAN server.

   Note: When using a SAN VMFS volume as a library location, a single volume is shared by multiple ESX hosts (maximum of 32). Be aware that the LUN on which the volume resides cannot be larger than 2 TB nor can the volume span LUNs. Using a shared library location reduces VM deployment times by eliminating the need to copy files locally to the ESX server.

4. On the ESX host, scan for new VMFS volumes. This process should be done whenever changes are made to the volumes available to your ESX server.
   a. Log in to ESX server using the VI Client or vSphere Client.
   b. In the Configuration tab, click on Storage Adapters in the Hardware list.
   c. Right-click on the iSCSI Software Adapter item and select Rescan.
   d. In the Configuration tab, click on Storage in the Hardware list.
   e. Click the Refresh link to see the new VMFS volume.

If you are connecting to a volume that has not been formatted, do the following steps:
   a. Click the Add Storage... link to add the LUN.
   b. Select Disk/LUN for the type of storage.
   c. Follow the prompts to format the volume with the VMFS file system.

Warning: Do not Remove the datastore from the Storage locations. This permanently deletes all of the files on the volume which makes them unavailable to the other servers that are sharing the volume. If you want to disconnect the ESX server from the SAN server, disable the Storage Adapter.

Using NFS In a Network-Attached Storage Configuration

A storage device that is selected to act as an NFS system library or shared file cache must support the NFS access protocol. The Remote Server Manager and ESX hosts access the device through an NFS exported path. For ESX servers to remotely access the NFS server, the following conditions must be met:
- The NFS volume used for the file cache or library location must be exported by the NFS server.
- Access permissions on the NFS server must be set so that the library location or file cache location is accessible by the ESX host server.
- All ESX 3.5 and ESXi 3.5 servers must be configured to support the VMkernel Port (see Configuring the VMkernel Port on page 194).

For a detailed list of supported NFS platforms, refer to the VMware ESX documentation.

ESX Storage Access Permissions

The NFS client username and UNIX uid presented to the NFS server is root/uid:0. Be aware that VMware does not support changing the NFS client userid and uid used to connect to an NFS server.

Configuring the VMkernel Port

Any ESX 3.5 or ESXi 3.5 host servers that will access a remote file cache or system library location on a SAN or NAS over iSCSI must be configured to support the VMkernel Port. Configuring these hosts is best done using the VMware Infrastructure Client.

Note: This procedure does not need to be done for ESX 4 or ESXi 4 hosts.

To download and install the Client, use the following procedure:
1. In a Web browser, type the IP address of the ESX host.
2. Click Download the VMware Infrastructure Client.

3. Run the downloaded installer and accept all default settings.

To configure the ESX server, use the following procedure:
1. From the Start menu on your local machine, select Programs -> VMware -> VMware Virtual Infrastructure Client.
2. Log in to the ESX server.
3. In the tree view on the left, highlight the server.
4. Click the Configuration tab on the right.
5. In the Hardware panel, click Networking.
6. Click Add Networking in the upper right corner to open the Add Network Wizard.
7. Select the VMkernel radio button and click Next.
8. In the Network Access window, you can choose to create a new virtual switch or use an existing switch, then click Next.
9. Enter a routable IP address, subnet mask, and gateway address, then click Next.
10. Verify the connection settings and click Finish.

Using Clustered Shared Volumes for Hyper-V R2 Hosts

Hyper-V R2 hosts use Cluster Shared Volumes (CSV) on a SAN (Storage Area Network). Using SAN for image and file storage requires the use of the Failover Cluster technology of Hyper-V. All Hyper-V R2 hosts are added as nodes to the failover cluster. Additionally, after the cluster is defined and the hosts are specified, add the shared volume on the SAN as a cluster shared volume. This shared volume must be accessible from every Hyper-V R2 host in the failover cluster.

This shared volume is used to define system library locations and shared file cache locations in the CAP web interface. For more information about defining library locations, refer to the online Help.
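Returning to the NFS requirements under ESX Storage Access Permissions above: because the ESX host reaches the export as root (uid 0), the export's client list and squash options decide who else gets root on the library. The following is an added example, not part of the Quest guide: a Python check of an exports(5)-style file that flags exports leaving root unsquashed for more than the named ESX hosts, or leaving an ESX host root-squashed. The Linux NFS server, the export paths, the 192.0.2.x addresses and all function names are assumptions for illustration.

```python
"""Audit exports(5) entries for an NFS library or file cache location used by ESX hosts."""
import ipaddress
import re

# Constructed sample; the paths and 192.0.2.0/24 documentation addresses are illustrative.
SAMPLE_EXPORTS = """\
# /etc/exports on the NFS library server (constructed)
/export/cap_library  192.0.2.11(rw,sync,no_root_squash) 192.0.2.12(rw,sync,no_root_squash)
/export/cap_cache    *(rw,sync,no_root_squash)
/export/cap_scratch  192.0.2.0/24(rw,no_root_squash)
/export/home         *(ro,root_squash)
/export/cap_old      192.0.2.11(rw)
/export/cap_iso      -rw,no_root_squash 192.0.2.12 \\
                     192.0.2.99
"""
ESX_HOSTS = {"192.0.2.11", "192.0.2.12"}  # assumed VMkernel addresses of the ESX hosts

_ENTRY = re.compile(r"([^()]*)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, client, options) for each client entry; quoted paths are not handled."""
    joined = text.replace("\\\n", " ")  # backslash-newline continues a line
    for raw in joined.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        path, defaults = tokens[0], []
        for tok in tokens[1:]:
            if tok.startswith("-"):  # "-opt,opt" sets defaults for the clients that follow
                defaults = tok[1:].split(",")
                continue
            match = _ENTRY.fullmatch(tok)
            if match is None:
                raise ValueError(f"malformed export entry: {tok!r}")
            client = match.group(1) or "*"  # "(opts)" with no name means any client
            own = match.group(2).split(",") if match.group(2) else []
            yield path, client, defaults + own


def root_unsquashed(options):
    """True when uid 0 keeps root rights; exports(5) squashes root by default."""
    if "all_squash" in options:
        return False
    squash = [o for o in options if o in ("root_squash", "no_root_squash")]
    return bool(squash) and squash[-1] == "no_root_squash"


def client_scope(client):
    """Classify a client spec as wildcard, netgroup, network or single host."""
    if any(ch in client for ch in "*?["):
        return "wildcard"
    if client.startswith("@"):
        return "netgroup"
    if "/" in client:
        try:
            if ipaddress.ip_network(client, strict=False).num_addresses > 1:
                return "network"
        except ValueError:
            pass
    return "host"


def audit_exports(text, esx_hosts):
    """Return (path, client, issue) tuples for exports that need review."""
    findings = []
    for path, client, options in parse_exports(text):
        scope, unsquashed = client_scope(client), root_unsquashed(options)
        if unsquashed and scope != "host":
            # Any machine matching the pattern can act as root on the library files.
            findings.append((path, client, f"root-unsquashed-for-{scope}"))
        elif unsquashed and client not in esx_hosts:
            findings.append((path, client, "root-unsquashed-for-unlisted-host"))
        elif not unsquashed and client in esx_hosts:
            # ESX connects as uid 0, so its requests are mapped to the anonymous user.
            findings.append((path, client, "esx-root-squashed"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS, ESX_HOSTS):
        print(f"{path:20} {client:16} {issue}")
```

The host comparison is a plain string match, so list the ESX hosts in the same form (address or name) that the exports file uses.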

Note: The user account that was used to install the system library and the remote credentials used to manage the Hyper-V hosts must have read/write permission on the shared volume.

When adding a library or shared file cache location on a Windows Server 2008 R2 computer, you cannot select a witness disk as the library location. Volumes that are eligible for locations, that are of the type "NTFS (Cluster Shared Volume)", must begin with the path: "C:\ClusterStorage".

As a best practice, Quest Software recommends that if you use a single computer to act as both a virtualization host and a library server, you should pool less RAM for running VMs. Estimate the amount of RAM required for the library server role, taking into consideration the number of files, frequency of snapshots, etc., and subtract that amount from the total server capacity. Also subtract enough for the server's operating system and normal functions. Pool the resulting amount.

Hardware Requirements
- Hyper-V R2
- At least 3 network adapters:
  - One dedicated to access to the SAN (the storage network)
  - One dedicated to managing the host (the host network)
  - One dedicated for the VMs (the default network)
  - One trunked network if running in advanced mode (the trunked network)
- SAN subsystem
- Domain controller that's compatible with the Hyper-V R2 hosts (at least Windows Server 2003)

Software Requirements
- Microsoft iSCSI Initiator, if using iSCSI (available by default on Windows Server 2008 and later)
- Following Roles:
  - File Server
  - File Server Resource Manager
- Following Features:
  - Fail Over Clustering
  - Multi-path IO
  - Remote Server Administration Tools (File Server Resource Manager Tools and Fail Over Clustering Tools)

Using Heterogeneous Host and Storage Types

In some situations, if your environment includes both Hyper-V and ESX hosts, you might need to use a more complex architecture. Using mixed host and storage types is not the recommended option, but does allow for a flexible heterogeneous configuration. Be aware that while using a heterogeneous environment can increase flexibility, there are costs, such as increased time to copy files between dissimilar server types.

The following table illustrates how the different types of library content can be stored and accessed in a heterogeneous environment.

Library Content | Library Location | File Cache Location
Hyper-V (.vhd files) | ESX host with VMFS or NFS | Local (on the virtualization host) or on CSV to which the Hyper-V host has access
ESX (.vmdk files) | Hyper-V with CSV | ESX host with VMFS or NFS
Altiris (.img files) | Windows Library on local storage or on a remote CIFS share | N/A

Note: Altiris .img files cannot be managed on a library location on an ESX host or a remotely-managed Hyper-V host.

Managing Virtualization Hosts

After the initial setup of the Cloud Automation Platform environment, you might need to add or modify virtualization hosts. This section explains how to manage changes to virtualization hosts.

Several options exist for reconfiguring virtualization hosts. Using the CAP web interface, you can make the following changes:
- Change the default network
- Pool or unpool the host
- Test Communication
- Change the maximum number of VMs for a host
- Change RAM allocation
- Modify the amount of Pooled EPUs
- Performing Maintenance on Hosts

Change the default network

You can change which NIC the VMs are routed through by changing the default network setting for the host. The default network setting ensures that VMs bind to the correct network adapter, usually one with external connectivity.

Pool or unpool the host

Virtualization hosts, and their RAM, VMs, and EPUs must be added to a resource pool before the host can be used in the Cloud Automation Platform environment.

Test Communication

Use the Test Communication feature to verify that communication between the virtualization host and the Platform server is successful. See the online Help for detailed instructions.

Change the maximum number of VMs for a host

When pooling a host, you can specify the number of VMs that can be created on that host. If you increase RAM allocation from a host, or if you change the hardware profile for an application configuration, change the maximum number of VMs for that host.

To calculate the maximum number of VMs, divide the total pooled RAM for the host by the minimum hardware profile size (256 MB). For example, if the amount of pooled RAM for the host is 3072 MB, and the minimal hardware profile is 256 MB of RAM, then the number of VMs that this host would contribute to the pool is 12.

Note: If you edit the maximum number of VMs for a virtualization host and then later change the hardware profile, you might artificially limit the number of VMs for that virtualization host. For instance, if you initially use a hardware profile that uses 512 MB of RAM, the maximum number of VMs available on your host that has 1024 MB of RAM is two. If you change the hardware profile to use 256 MB of RAM, your host can now support a maximum of four VMs. However, unless you edit this value, the host will allow only two VMs.

Change RAM allocation

You can edit the amount of RAM allocated for VMs in a pool. To do so, use the Manage Pooling feature to modify the Pooled RAM value.

Note: If you change the RAM allocation, also change the maximum number of VMs for a host server. Otherwise, you might artificially limit the number of VMs for that server. For instance, if you initially use a hardware profile that uses 512 MB of RAM, the maximum number of VMs available on your host that has 1024 MB of RAM is two. If you change the server to use 2 GB of RAM, your host can now support a maximum of four VMs. However, unless you edit this value, the host will create only two VMs.

Modify the amount of Pooled EPUs

When you assign a host to a pool, you are required to specify how much computing capacity the host can contribute to the pool. Effective Processor Units (EPUs; EPU is pronounced like CPU) are a computational value which governs the overall computing capacity of a Host, Physical Computer, or Server Configuration. The default value for these units is derived with the following formula:

    EPUs = Speed of CPU(s) in GHz * the number of cores * 100

For example, a 2.5 GHz Quad-core host would have 1000 EPUs (2.5 * 4 * 100 = 1000 EPUs).

Note: There is an option on each hardware profile to forcibly cap the computing capacity that can be used by the server configuration. Unless this check box is selected, the system will allow occasional fluctuations above the number of EPUs that are specified for the Pooled Computing Capacity.

Performing Maintenance on Hosts

You can perform maintenance on virtualization hosts or physical computers on a scheduled basis by taking the system out of circulation, upgrading it, and returning it to circulation without disrupting existing reservations. Typically, this operation is performed for hosts or physical computers that require upgrades or basic maintenance on the OS, virtualization software, or the drivers. Refer to the Cloud Automation Platform online Help for detailed instructions about using these features.

Note: It is not necessary to unpool a host or physical computer before scheduling it for a maintenance window.

The following features support maintenance of hosts:

Maintenance Windows (host-specific): one or more hosts are selected for a specified maintenance window. When a host is targeted for maintenance, the host is reserved for the period of time that you specify. No sessions or snapshots can be deployed to the host during that time. Essentially, the virtualization host is not available in the resource pool for the duration of the maintenance window.

When an administrator creates a maintenance window, the system checks to see if there are any conflicting reservations; that is, if any sessions are scheduled to start or still be running during the requested maintenance window. If there are conflicting sessions scheduled, the administrator must choose how to manage these conflicts. (Refer to the online Help for details about resolving conflicts.) After any conflicts have been resolved, the host is reserved for the requested maintenance time period and no sessions or snapshots are deployed to that server during that time. If the time period that was requested is not available, the system suggests alternate, available times.

For detailed information about creating a maintenance window for virtualization hosts, see the online Help topic Adding a Maintenance Window for A Host. For detailed information about creating a maintenance window for physical computers, see the online Help topic Adding a Maintenance Window for A Physical Computer.

If your environment uses High Availability, review Using High Availability with VMware vSphere on page 211. For conceptual information about creating a maintenance window and using High Availability to migrate all VMs from a host that is a member of a HA pool, refer to Creating a Maintenance Window for High Availability Hosts on page 218. Finally, refer to the online Help for detailed instructions about how to create a maintenance window.
Maintenance Mode (with optional Pause Mode): A platform administrator can use the maintenance mode to provide a system-wide period during which no sessions can be deployed. When the Cloud Automation Platform environment is placed in maintenance mode, users are temporarily disallowed from logging on to the system. The regular login panel is replaced with a notice that the platform is undergoing maintenance and the expected time the system will be available again.

Non-administrative users who are already logged in the system at the time the maintenance mode is started can continue to access their sessions, and can take actions such as snapshots, migrations, etc. Non-administrative users cannot deploy sessions immediately (Start Now), though sessions can be scheduled for a future time after the maintenance mode has completed. Non-administrative users cannot extend a session. If a session is canceled, deprovisioning does not occur until after the Maintenance Mode has ended.

Platform Administrators retain full functionality, and can start a session immediately (Start Now) or can schedule a session to start at any time. Platform administrators can also make snapshots, promote snapshots, initiate migrations, etc.

With the optional Pause Mode (which is set using the check box on the Maintenance Mode dialog box) all of the above about Maintenance Mode still applies, with the additional fact that non-administrative users cannot do actions such as snapshots, promotions, or migrations. Notifications are displayed if there are any deployments in Pending or Available state when the Pause Mode starts. Refer to the online Help for detailed directions for using Pause Mode.

Upgrade Window (system-wide): a platform administrator can create a system wide upgrade window that places all pooled hosts into a maintenance window. If there are any conflicts with scheduled or active deployments, the administrator is prompted to resolve each. When an upgrade window is created, the system is also automatically placed in maintenance mode. When creating the upgrade window, the administrator can specify that the system exit maintenance mode when the upgrade window is completed.
However, the upgrade window is independent of the maintenance mode; the administrator might choose to have the upgrade window complete but leave the maintenance mode in place, meaning that new users will not be able to log on but current users will have access to hosts.

Recovering and Managing Missing Items

Due to hardware or infrastructure outages, items such as virtual networks, VMs, files, or storage volumes are sometimes inaccessible from the Cloud Automation Platform environment. The Platform considers such items as missing. The missing resource might have been literally removed (a file was purposefully deleted outside of the Cloud Automation Platform environment), or a resource might appear to the Cloud Automation Platform system to have been deleted when it was not (for example, a VM was migrated using vCenter, in which case Cloud Automation Platform is unaware of the VM's new location, and thus considers it to be missing). Another example is if connectivity is lost to an iSCSI volume; all files on that volume would be reported as missing by Cloud Automation Platform, and would appear listed on the Item Recovery page.

The primary purpose of this feature is to alert administrators to any items that are no longer accessible by Cloud Automation Platform, but are required for successful deployment and management of the environment. Administrators can view the Item Recovery page to see a list of all items that Cloud Automation Platform considers missing, including such information as type (image, virtual network, VM, or volume), the exact name of the item, and the host that managed the item. Additionally, any lists or tables elsewhere in the CAP web interface that reference the missing object display an alert icon beside the missing item's name.

Important Considerations

Missing items can be handled in one of several ways through the CAP web interface and in your infrastructure. A file that was deleted accidentally can be restored to the file system using tools outside of Cloud Automation Platform. Missing volumes can be remounted (again, outside of Cloud Automation Platform). Other infrastructure objects that the Platform considers as missing might be remedied in a number of ways outside of Cloud Automation Platform.
Quest Software strongly recommends that before deleting an item using the Delete option on the Item Recovery page, you fully research the item and determine that the object was purposefully deleted outside of Cloud Automation Platform, and that there will not be an adverse impact to scheduled deployments or resource allocation. For example, if an image that is used by an upcoming reservation is shown as missing, and you delete the item through the CAP web interface rather than trying to recover the object, the reservation will fail, as will all subsequent deployments that use the image. If you choose to delete items, remember to resynchronize the library afterwards.

If an item has been deleted using the Item Recovery page, cleanup operations are completed and any internal references to the item are removed (server configuration references are removed, etc.).

When an item is recovered instead of deleted, and Cloud Automation Platform is again made aware of and can access the item, the item is no longer listed as missing and deployments using the item are successful. After restoring a file or other missing item, use the Re-Sync option on any of the applicable resources:

- Images: To resynchronize the library objects, click Images in the left pane, under Library, then on the Images page click Re-Sync.
- Hosts: To resynchronize a host that might have been impacted by a missing item such as a VM, click Hosts in the left pane, and then select Re-Sync Host from the drop-down menu beside the host name.
- Partner extension servers (HP-SA, Altiris, vCenter): To resynchronize partner extension servers, click Partner Extensions in the left pane, and then select Re-Sync Extension Server from the drop-down menu beside the host name. For example, if a virtual network is considered missing and is then re-established, resynchronizing the partner extension server could recover the network.

A single file in a library on shared storage will have separate entries in the Item Recovery table for each host that shares the storage. Be aware that if you delete a file from the Item Recovery page, the entries for the other hosts still remain. For instance, if three hosts share the same storage that holds an image, and the image file is marked as missing by Cloud Automation Platform, the Item Recovery page will display three entries for that image, one for each host. To delete the file from the Item Recovery page, each entry in the table must be deleted separately, and the library resynchronized.

When an item is listed as missing on the Item Recovery page, some procedures in Cloud Automation Platform can continue as normal. For example, if you are modifying a server configuration that uses a missing image file as the boot source, you can edit attributes of the configuration (excluding the image file that Cloud Automation Platform considers to be missing) and save the changes. However, there are certain actions that cannot be done on a missing item. The most significant impact of missing items is that deployments and future reservations might not succeed.

The following actions cannot be done on missing items:

- Virtual Machines
  - Not available for reservation or deployment binding
  - Most deployment actions not available for an active deployment based on the Virtual Machine
- Files
  - Cannot be used for creating / editing Server Configurations
  - Cannot be used for Post-Deployment actions
  - Will not be used by a file cache
- Volumes
  - Cannot be used for library or file cache locations
  - Cannot be specified as a VM root directory location

Using the Dashboard

Using the Infrastructure Dashboard, administrators can manage and view graphic representations of resource pools, virtualization hosts, physical computers, VMs, NAIL Servers, and other components of the Cloud Automation Platform environment. The Dashboard allows users to quickly understand the overall usage pattern of the cloud at varying levels of detail, and provides tools to search and isolate workloads based on a variety of parameters.

Additionally, the Dashboard provides the ability to initiate VM migrations from one host to another while graphically depicting the impact on other scheduled workloads. Migrations can either be manually initiated (see Manually Migrating an Active VM on page 210), or an admin can approve and initiate migrations that are recommended by an external system such as VMware's Distributed Resource Scheduler (DRS). See Recommendation-Based Migrations on page 210.

Figure 8 Infrastructure Dashboard

Only Platform Administrators and Organization Administrators can access the Dashboard. Non-administrative users will not see the Dashboard entry in the navigation pane.

Important Considerations

Review the following information about using the Dashboard:

- In order to view the Dashboard, you must have Microsoft Silverlight installed.
- Recommendation-based migrations are supported only on ESX vSphere hosts.
- Hosts that have no assets pooled (RAM, VMs, EPU, etc.) do not appear in the Dashboard.
- The results of VM migrations (recommendation-based or manual) are recorded in the Cloud Automation Platform reporting database, allowing for the creation of migration reports.
- Refer to the online Help system for a table that describes the various icons used in the Dashboard to indicate resource utilization or other issues.

Navigating the Dashboard

The Dashboard is accessed from the CAP web interface in the same way as other Cloud Automation Platform features, from the navigation pane on the left of the product interface. The objects (resource pools, hosts, VMs, etc.) that are displayed in the Dashboard are organized in levels. The top level, displayed when the Dashboard first opens, is the Cloud, which displays all resource pools in the environment. The next layer displays the hosts that are assigned to the selected pool, and then the final layer shows the VMs and NAIL Servers on each host.

Review the following important tips about navigating within the Dashboard. For comprehensive instructions, refer to the online Help system.

- Breadcrumbs: At the top of the Dashboard, a breadcrumbs feature allows you to easily see where you are, and to navigate back up one or more levels by clicking on the level name. You can use the Back icon to navigate up the levels, or simply click the level name.
- Menu icon in upper right of each object: Each object displayed in the Dashboard has a context menu icon in the upper right. Click this icon to access a menu of all tasks related to the object. For example, if you click the menu icon of a virtualization host, and select Explore Host, all of the VMs and NAIL Servers that are active on that host appear.
- Drilling down by clicking object name: Clicking the name of the pool or host at the upper left of the object also drills down a level. For example, click the name of a host to display all of the VMs and NAIL Servers that are active on that host.
- Sorting: Use the Sort feature at the top of each Dashboard panel to display the objects (at any level) based on such attributes as name, RAM, and number of VMs and EPUs, and then sort the items in ascending or descending order.
- Search: The Search feature at the top of each Dashboard panel allows you to search for deployed VMs, Physical Servers, and NAIL Servers. Additionally, an administrator can use the context menu on a VM or NAIL Server to do a Quick Search for related VMs and NAIL Servers; for example, all VMs and NAIL Servers that are active within the same active session, or all VMs that are supported by a specific NAIL Server.
- Viewing utilization graphs: At all levels, from the resource pool down to individual VMs, you can view utilization graphs based on amount pooled and amount used for such assets as RAM, VMs, and EPUs. If a host is overcommitted because of resource allocations completed outside of the Cloud Automation Platform environment, the usage bars for RAM and VMs are red.
- Tasks outside of the Dashboard: There are certain menu options and links within the Dashboard that open pages outside of the Dashboard. For example, selecting Go to Details Page from a host's menu will open the Host Details page in the CAP web interface, outside of the Dashboard. You can easily return to the Dashboard by clicking Back in the browser.

Dashboard Tasks

The following list shows the administrative tasks that one can do in the Dashboard. For comprehensive instructions for each task, refer to the online Help system.

- View all resource pools in the environment (the Cloud level)
- View details for each resource pool
  - Pool Inspector: Displays high-level information for each host.
  - Go To Details Page: Opens the Host Details page outside of the Dashboard; shows more detailed information.
- View all hosts in a resource pool
- View details for each host
  - Inspector: Displays high-level information for each host.
  - Go To Details Page: Opens the Host Details page outside of the Dashboard; shows more detailed information.
- Search for:
  - All deployed VMs, physical servers, and NAIL Servers

  - Quick Search: Session. Displays all VMs and any NAIL Server that comprise a session. The VMs and NAIL Server might be distributed across different hosts.
  - Quick Search: NAIL Server. If accessed from a VM, displays the NAIL Server that serves that VM and all VMs, on any host, that are managed by the NAIL Server. If accessed from a NAIL Server, shows the NAIL Server and all VMs that it serves, on any host.
  - Quick Search: Lab. Displays all VMs and any NAIL Server that comprise a lab. The VMs and NAIL Server might be distributed across different hosts.
  - Quick Search: Deployed Service. Displays all VMs and any NAIL Server that comprise a deployed service. The VMs and NAIL Server might be distributed across different hosts.
- View utilization graphs for a resource pool, a host, a VM, or a physical server. At any level of the Cloud, click the green buttons at top to view graphs representing how much RAM, EPUs, and how many VMs (at the host level) are in use.
- View migration recommendations: View and approve or cancel migrations that are recommended by an external system such as VMware's Distributed Resource Scheduler (DRS). See Recommendation-Based Migrations on page 210.
- View a list of reservations that conflict with recommended migrations, and select resolutions for each.
- Migrate VMs: Manually migrate VMs to another host, or approve migrations recommended by the system. See Manually Migrating an Active VM on page 210 for more information.
- Manage virtualization hosts and individual VMs:
  - Test communications between hosts and the CAP Core server
  - Create a new maintenance window for a host
  - For VMs, perform a rollback, restart, start/stop, or suspend.

Recommendation-Based Migrations

Integration with VMware vSphere also enables Cloud Automation Platform to recognize and implement VM migration recommendations from other virtualization products, such as VMware's Distributed Resource Scheduler (DRS). Using the Infrastructure Dashboard, administrators can view and manage VM migrations, as well as perform other administrative tasks.

When a migration is recommended, you can verify that the migration will not adversely affect any scheduled or active reservations by clicking the Check Recommendation button. If there is a session conflict, or any other reason for the Cloud Automation Platform system to counter the recommendation, that information is displayed.

Cloud Automation Platform can operate in two modes for handling migration recommendations, Automatic or Manual. To specify which mode the Cloud Automation Platform system uses, open the CAP web interface and edit the Migration Recommendation Mode setting on the Pools Details page.

- Automatic, in which migrations that are recommended by services such as DRS are automatically implemented by Cloud Automation Platform, with no interaction with an administrator needed.
- Manual, also referred to as Gatekeeping mode. The manual mode requires that a Cloud Automation Platform administrator review each recommendation, and either approve or reject it. To enable Cloud Automation Platform Manual mode, use the vSphere Client to set the DRS Automation Level for the cluster to Manual.

Note: For more information about configuring the DRS automation mode, see Workflow Summary on page 216.

Manually Migrating an Active VM

You can also manually migrate an active VM, outside of the Recommendations window. To do so, drill down to the VM level in the Dashboard, click the menu icon on the VM, and select Migrate from the context menu.

When an administrator requests to migrate a VM from within the Dashboard, the Migration View is displayed, with a list of possible target hosts. The target hosts that are available display a green check mark beside them. Refer to the online Help system in the CAP web interface for detailed instructions.

Using High Availability with VMware vSphere

Integration with VMware vSphere allows users to specify selected virtualization hosts as belonging to a High Availability (HA) resource pool. This ability provides extended management of the Cloud Automation Platform environment, especially in the area of failovers and migrations of VMs and host resources.

Review the following sections about Cloud Automation Platform High Availability:

- Important Considerations on page 213
- High Availability Host Requirements on page 214
- Failover Host Requirements on page 215
- Workflow Summary on page 216
- Creating a Maintenance Window for High Availability Hosts on page 218

Note: For information about migration of specific VMs based on recommendations of other products, such as VMware's Distributed Resource Scheduler (DRS), see Physical Provisioning on page 220.

Failing Over to Another Host

Using the Cloud Automation Platform High Availability feature, vSphere hosts are assigned to a resource pool that is specifically for HA hosts. If the host computer fails, or is scheduled for a maintenance window, any VMs on the host computer are migrated to another, functional host computer. Cloud Automation Platform uses VMware vMotion technology to perform live migration of running VMs.

Note: Be aware that all VMs on the host are migrated to the failover, or standby, host. Additionally, the VMs are migrated to a single failover host, and cannot be distributed to multiple failover hosts.

Failover can be initiated in three ways:

- Manually, by using the CAP web interface to modify the Host Details page. Refer to the online Help for details.
- As part of a scheduled maintenance window. (See Creating a Maintenance Window for High Availability Hosts on page 218.)
- Using an external tool that calls the SOAP API to automatically invoke the failover process. For example, an external tool determines that a host in the Cloud Automation Platform High Availability pool is no longer functional. The tool can then instruct Cloud Automation Platform to initiate failover. See Using the SOAP API To Manage Failovers on page 219.

When a failover occurs, the failover host assumes all of the roles of the host that failed; any active and scheduled reservations are moved to the failover host, and the pooled capacity of the failed host is adopted by the failover host. In a maintenance window scenario, an administrator can specify that when the failed host is again functional, it is automatically pooled as a failover host for future failovers.

If the failover attempt using vMotion technology is not successful with the first VM, the live migration is aborted. A cold migration is then attempted, in which the VMs are powered off, migrated to the failover host, and then restarted. If both live and cold migrations of the first VM fail, the entire migration effort is stopped. If the first VM migrates successfully (either live or cold), but the second or any subsequent VMs fail to migrate, a replacement VM, basically an empty slot, is put on the failover host in order to retain the allocated resources. In this scenario, any changes to the image that were made to redo files, etc., are lost.

Important Considerations

For additional important information about configuring vCenter to support Cloud Automation Platform High Availability and about vMotion compatibility with Cloud Automation Platform, refer also to Workflow Summary on page 216.

- Only ESX 4 or 4.1 and ESXi 4 or 4.1 hosts that are managed by vCenter 4 can be used as High Availability hosts.
- To use the High Availability feature in Cloud Automation Platform, the NAIL Server mode must be Advanced, not Standard. See Configuring NAIL Server Advanced Mode on page 165 for detailed information.
- When a virtualization host is added to a Cloud Automation Platform High Availability resource pool, its assets (RAM, VMs, and EPU) can only be added to a single pool. Partial pooling is not supported for High Availability pools. See Resource Pools on page 260 for more information about partial pooling.
- An administrator must ensure that there are a sufficient number of failover, or standby, hosts. To create a failover host, open the host's Pool Host page by clicking Manage Pooling. Select the Pool for High Availability check box. Then select the Is Failover check box. Refer to the online Help for detailed instructions.
- A Cloud Automation Platform resource pool can span multiple VMware clusters, but there must be at least one failover host from each cluster.
- Every host in the High Availability pool must be HA-compatible. See High Availability Host Requirements on page 214.
- If both the HA host and the failover host are powered on and accessible, VMs are migrated live to the failover host. If the high availability host is not functional, the VMs are shut down and restarted on the failover host, and the Cloud Automation Platform administrator will receive an email when the VM is again available.
- Failover hosts cannot be used for deployments; they are essentially on standby waiting to be used if failover is initiated. Thus, when pooling a failover host, you cannot pool any of the assets for the host, because they are reserved for use in a failover scenario.

- A failover host cannot be used to manage a shared file cache location or a library location. If a host that is placed in a maintenance window also serves as a library host or manages a file cache, you can select whether to migrate the library or file cache to the failover host along with the VMs, or to another host.
- Physical computers (managed by Cloud Automation Platform, Altiris, or HP SA) can be assigned to a High Availability pool, but cannot be designated as a failover host or as a highly available host. The support of physical computers in HA pools allows for application configurations that might include both virtualization hosts and physical hosts. An example of such an application configuration is one with a database server hosted on a physical computer plus two VMs (both hosted on ESX 4 using High Availability): a software application running on one VM and a web server running on the other VM.
- When assigning a host to a High Availability pool, and using the Required Computing Capacity/EPU feature, be cognizant of CPU differences in an HA pool. Specifically, verify that a CPU reservation on a pooled HA host can be satisfied on any of the failover HA hosts. That is, the core speed of the failover hosts needs to be sufficient to host the largest possible CPU reservation granted on a pooled host, and the maximum aggregate reservations on a pooled HA host need to be satisfiable on any failover HA hosts.

High Availability Host Requirements

Each host must be:

- A member of a VMware cluster that also has at least one host that is designated in Cloud Automation Platform as a failover host
- In a Cloud Automation Platform resource pool that is designated as High Availability
- CPU compatible with the failover host as required by vMotion or other virtualization vendor.

Additional requirements:

- Cloud Automation Platform-utilized storage must be shared by all hosts in the cluster:
  - VM root directories
  - Dedicated file cache locations
  - Library and shared file cache locations
  Note: The file cache and library locations must be on a shared VMFS or NFS volume.
- The Default and Trunked networks must be on a Distributed Virtual Switch (DVS) shared by all hosts in the cluster.
- The Host must have a VMware Enterprise Plus license (required for DVS support).
- No virtual device on any VM (e.g. one of its virtual CD-ROM drives) can be connected to a physical device on the host (e.g. the actual CD-ROM device on the host).

These requirements are validated by the Cloud Automation Platform, and appropriate messages are displayed in the CAP web interface.

Failover Host Requirements

The computer that will act as the failover, or standby, host, must be:

- In the same High Availability pool as the hosts it is intended to support.
- In the same VMware cluster as the hosts it is intended to support.
- CPU compatible with the host(s) in the same pool.

In addition:

- Failover hosts should have at least as many cores as the maximum number of vCPUs called for by hardware profiles deployed to the HA pool in question.
- Failover hosts should have fast enough clock speeds such that the largest EPU hardware profiles divided into the clock speeds of the fastest non-HA hosts are still supportable on the failover hosts.
- The failover host cannot have any shared file cache locations or library locations on any of its volumes.
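The pooling and failover-host rules above can be checked against an inventory export before hosts are added to an HA pool. The following Python sketch is an added example, not Quest code and not part of the product: the Host and Pool records, the rule names, and the treatment of CPU reservations as per-vCPU values in MHz are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypervisor releases the guide allows in a High Availability pool.
SUPPORTED = {("ESX", "4"), ("ESX", "4.1"), ("ESXi", "4"), ("ESXi", "4.1")}

@dataclass
class Host:                       # hypothetical inventory record, not a CAP type
    name: str
    cluster: str                  # VMware cluster; "" for a physical computer
    kind: str = "ESX"             # "ESX", "ESXi" or "physical"
    version: str = "4.1"
    is_failover: bool = False
    cores: int = 8
    core_mhz: int = 2400
    pools: tuple = ("ha-pool",)   # pools holding this host's RAM/VM/EPU assets
    shared_locations: int = 0     # library + shared file cache locations on its volumes
    reservations_mhz: tuple = ()  # assumed: per-vCPU CPU reservations granted on the host

@dataclass
class Pool:
    name: str
    hosts: list
    nail_mode: str = "Advanced"
    max_profile_vcpus: int = 1    # largest vCPU count in hardware profiles deployed here

def check_ha_pool(pool):
    """Return a sorted list of (subject, rule) findings; an empty list means no rule failed."""
    out = set()
    if pool.nail_mode != "Advanced":
        out.add((pool.name, "nail-mode-not-advanced"))
    for h in pool.hosts:
        if h.kind == "physical":
            # Physical computers may sit in an HA pool but never act as failover hosts.
            if h.is_failover:
                out.add((h.name, "physical-cannot-be-failover"))
            continue
        if (h.kind, h.version) not in SUPPORTED:
            out.add((h.name, "unsupported-hypervisor"))
        if h.is_failover:
            if h.pools:
                out.add((h.name, "failover-has-pooled-assets"))
            if h.shared_locations:
                out.add((h.name, "failover-holds-library-or-shared-cache"))
            if h.cores < pool.max_profile_vcpus:
                out.add((h.name, "failover-too-few-cores"))
        elif h.pools != (pool.name,):
            out.add((h.name, "partial-pooling"))
    virt = [h for h in pool.hosts if h.kind != "physical"]
    for cluster in {h.cluster for h in virt}:
        standby = [h for h in virt if h.cluster == cluster and h.is_failover]
        if not standby:
            out.add((cluster, "cluster-without-failover-host"))
        for h in virt:
            if h.cluster != cluster or h.is_failover:
                continue
            # All VMs of a failed host land on ONE standby host, so every standby must fit them.
            for s in standby:
                if max(h.reservations_mhz, default=0) > s.core_mhz:
                    out.add((f"{h.name}->{s.name}", "reservation-exceeds-core-speed"))
                if sum(h.reservations_mhz) > s.cores * s.core_mhz:
                    out.add((f"{h.name}->{s.name}", "aggregate-reservation-exceeds-capacity"))
    return sorted(out)

def sample_pool():
    """Constructed inventory: cluster-a has a weak standby host, cluster-b has none."""
    return Pool("ha-pool", max_profile_vcpus=4, hosts=[
        Host("esx-a1", "cluster-a", reservations_mhz=(2000, 2000)),
        Host("esx-a2", "cluster-a", pools=("ha-pool", "dev-pool")),
        Host("esx-a-standby", "cluster-a", is_failover=True, pools=(),
             cores=2, core_mhz=1800, shared_locations=1),
        Host("esx-b1", "cluster-b", kind="ESXi", version="4"),
        Host("db-phys", "", kind="physical"),
    ])

if __name__ == "__main__":
    for subject, rule in check_ha_pool(sample_pool()):
        print(f"{subject}: {rule}")
```

The check covers only rules stated in this section; storage sharing, DVS membership and licensing are validated by the Platform itself when hosts are registered and pooled.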

Workflow Summary

The following steps must be taken to implement High Availability in Cloud Automation Platform:

- Configure vCenter:
  - Create a Data Center if not already extant
  - Create and configure vCenter clusters
  - VMware Distributed Resource Scheduler (DRS) should be configured for Cloud Automation Platform-managed VMs in a manner that supports how you will use the Recommendation-Based Migrations feature in the CAP web interface:
    - To review and approve all DRS-recommended migrations through the CAP web interface, set DRS to Manual.
    - To review and approve all DRS-recommended migrations through the CAP web interface, and to allow DPM to power automatically relocate VMs at power-on time, set DRS mode to Partially Automated.
    - To allow DRS migrations to occur without receiving any notifications via the CAP web interface, set DRS mode to Fully Automated.
  - Settings such as Isolation Response can be configured according to administrator preference. Cloud Automation Platform will disable the specific VMs that are Platform-managed.
  - Configure the Power Management (DPM) setting in the DRS cluster to Off. Alternatively, if you set DPM to Manual or Automatic for the cluster, you can override the DPM setting for any hosts that are included in the Cloud Automation Platform environment. If your environment requires using DPM, contact Quest Software about possible product extensions that allow DPM implementation.
  - Configure the cluster Swapfile Location to store the swapfile in the same directory as the VM.
  - The vCenter registered host name must match the hostname used to register with Cloud Automation Platform (fully qualified domain names in vCenter are fine).
  - Edit cluster settings to enable EVC for Intel/AMD as necessary, and set EVC to a level compatible with all hosts in that cluster. If the host CPUs are identical, EVC may not be necessary. Consult vMotion documentation for more details.
  - Add your hosts to the vCenter cluster.
- Configure networking:
  Note: Cloud Automation Platform requires 2 NICs, one for the Default network and one for the Trunked network. The vMotion, Management, and storage requirements can be configured as desired.
  - Create a VMkernel port that is enabled for vMotion.
  - Must have unused host NICs (1 per host per DVS) available. (Verify that there is no vSwitch using the NIC; delete it if so.)
  - Create two Distributed Virtual Switches (DVS); one for the default network and one for the trunked network. Use the Inventory->Networking view.
  - Rename the port groups created (dvportgroup). Quest Software recommends that the names include default and trunked, as appropriate. These names will appear in Cloud Automation Platform as options for the trunked network and the default network.
  - For the trunked port group, set the VLAN Trunking as necessary.
- Configure shared storage (this can be configured through vCenter or Cloud Automation Platform). All hosts must have access to all VM images and other required files.
- In the CAP web interface, register the vCenter server with Cloud Automation Platform, using the Partner Extensions node in the left navigation pane. Refer to the online Help for detailed instructions.

- After registering the vCenter server, the Edit Partner Extensions page for the vCenter server is displayed. Under the Clusters area, specify the Default Network and the Trunked Network. These two networks were defined earlier in the vSphere Client. Hosts inherit Default/Trunked from their Cluster, unless a different network is defined.
- In the CAP web interface, register each vCenter-managed host, using the Register option on the Hosts table. This registers the host with the Remote Server Manager (RSM), and enables Cloud Automation Platform to communicate with the host. See Additional Considerations on page 20 for additional information about the RSM.
- After registering each host, the Edit Host page for the host appears. Under the Properties area, for Root VM Volumes, select the shared volume to which all hosts have access. For Default Network and Trunked Network, click the Auto-Select Networks Compatible with High Availability option to use the distributed networks created earlier in the vSphere Client. Refer to the online Help for detailed instructions.
- Add virtualization and failover hosts to Cloud Automation Platform HA resource pools. Refer to the online Help for detailed instructions.
- Create a session and schedule the session for deployment using a High Availability resource pool. Refer to the online Help for detailed instructions.

Creating a Maintenance Window for High Availability Hosts

When you schedule a maintenance window for a host that is a member of a High Availability pool, you can specify that when the maintenance window begins, the VMs on the host will be migrated to a failover host in the same pool and the same cluster. See Performing Maintenance on Hosts on page 200 for a high-level discussion of maintenance windows.

On the Hosts list page, select the host(s) for which you want to schedule a maintenance window, and then click New Maintenance Window. To implement the High Availability option, select the Use Failover check box by each host that you want to fail over. For detailed instructions to create a maintenance window, refer to the online Help.

Note: There must be at least one host designated as a failover host in order for the check box to appear, and in order for High Availability to function.

When scheduling a maintenance window, Cloud Automation Platform checks to see if there are any reservations or active sessions that conflict with the specified time period of the maintenance window. If conflicts are found, you can specify what to do with the session:

- Cancel
- Suspend
- Migrate active VMs to the next available and compatible host
- Save the session and end early
- Discard changes and end early.
- (If host is a member of a High Availability pool) Leave any active VMs running. The Leave Running option designates that when the maintenance window starts and the failover occurs, the VMs are live migrated to the failover host using vMotion.

Using the SOAP API To Manage Failovers

The SOAP API can be used to integrate with an external monitoring system to determine if a host is inaccessible, has failed, or is in danger of failing, and to initiate failover of VMs for High Availability hosts. The SOAP API requires identification of the host to be immediately failed over and has optional inputs for the source of the command and the reason. The following method is used:

FailoverHost(VcsRequestContext ctx, VcsHost host)

For additional information, go to: SoapAdapter.asmx?op=FailoverHost

Physical Provisioning

Cloud Automation Platform supports the integration of the server automation products HP Server Automation and Symantec Altiris Deployment Solution to manage the use of physical computers in the lab environment. (Refer to About Partner Extensions on page 39 for information about all of the partner extensions that Cloud Automation Platform supports.)

HP Server Automation integrates with Cloud Automation Platform to allow OS Provisioning; users can deploy OS Sequence-based sessions to physical computers that are managed by HP Server Automation. Use the CAP web interface to search for and register the HP SA core server(s), and then register each physical computer managed by that core server. These computers are then added to one or more resource pools. See External Provisioning with HP Server Automation on page 41.

Altiris Deployment Solution physical provisioning servers that have a Quest CAP Agent installed will automatically identify themselves to the Platform, and display in the CAP web interface under the list of Physical Provisioning systems. Once a physical provisioning server is identified by the platform, you can then register any physical computers that you want to manage through the Cloud Automation Platform environment. These physical computers can then be pooled into a resource pool just as the VMs are, and utilized as part of your Cloud Automation Platform environment.

HP Server Automation

Review the workflow summary under External Provisioning with HP Server Automation on page 41. The requirements for provisioning physical computers using HP SA are included in this workflow.

Additional Considerations

- If your environment uses both isolated networks and physical computers managed by HP SA, you must configure network switch automation. See Using Network Switch Automation on page 174.
- Refer to Partner Extension System Requirements on page 19 for important information.

- Deployment actions cannot be run on servers that are provisioned by HP Server Automation, because Cloud Automation Platform Guest Agents are not supported on HP SA-provisioned servers. However, on server configurations that are not provisioned by HP SA, and against which you want to run HP-SA Policies as deployment actions, a Cloud Automation Platform Guest Agent must be installed on the server configuration. For more information about Deployment Actions, see Deployment Actions on page 289.
- When you provision a server (virtual or physical) using external provisioning with HP SA, you cannot take a snapshot of the session.
- To designate that an OS Sequence-based server configuration is deployed to a physical computer, and not to a VM, select a hardware profile that specifies deployment to a physical computer. Also, when creating the server configuration, select Provisioning Automation from the Assign... list under the Boot Source area.

Symantec Altiris Deployment Solution

To deploy sessions to a physical computer that is managed by Altiris, the following tasks must have been accomplished:
- Prepare and create the physical server image (.img) using the appropriate image preparation tool. See Preparing Physical Server Images on page 250 for detailed information.
- Add the physical server image to the system library. Refer to the online Help for detailed instructions.
- Create a physical server configuration based on the physical server image (.img file), an application configuration using the physical server image, and finally a session. Refer to the online Help for detailed instructions.

Refer to the online Help for detailed information about registering, or importing, physical computers into the Cloud Automation Platform environment and adding them to resource pools.

Installation for a Secure IIS Service Account

If you use a custom configuration of Microsoft Internet Information Services (IIS), special consideration might need to be taken during installation of the Platform. To employ a secure IIS configuration, you must install the Platform Core Services on a computer separate from where the Agent Services, SOAP API and Web Application components are installed. In this scenario, the Platform Core Services are installed under the normal Program Files directory (or any other directory) and the remaining components (Agent Services, SOAP API, Web Applications) are installed on a different computer under InetPub\wwwroot for the secured version of IIS.

Installing the Add-In for HP Quality Center

For detailed information about installing and using the Add-In for HP Quality Center, access the Add-In for HP Quality Center manual by clicking the Quality Center link under Documentation and Support on the CAP web interface Workbench page.

Note: The SOAP API must be installed on the CAP Core server before you can use the Add-In for HP Quality Center. By default, the SOAP API is installed with the Platform. Refer to Installing the SOAP API on page 71 for more information.

Editing Advanced Configuration Settings

When Cloud Automation Platform is installed, the ability to edit advanced configuration settings is, by default, disabled. Quest Software recommends that the editing function not be enabled without first contacting Quest Customer Support and discussing the needs.

To Enable Editing

1. Launch the vcsadmin utility by double-clicking the vcsadmin.exe file in the installation directory on the CAP Core server. By default, this directory is Program Files/Quest Software/Platform.

2. When the vcsadmin utility opens, log on by typing the following and pressing Enter:
   login <userid>
   By default, the user ID is admin.
3. Type the password, and then press Enter. The password is the platform administrator password that was defined during the Cloud Automation Platform installation.
4. After logging on, enter the following command and press Enter:
   configset AdvancedConfiguration.AllowEditing=true
5. Open the CAP web interface and in the left pane click Configuration, under System Settings.
6. On the Configuration page, verify that the Edit option appears when you click a menu icon in the Menu column.

To change an Advanced Configuration setting, click the menu icon beside the name of the specific configuration that you want to edit, and then select Edit.

Note: Certain configuration settings are editable even if the AdvancedConfiguration.AllowEditing configuration is set to False. Editable configurations have a menu icon beside the name.


Chapter 7, Troubleshooting

This chapter addresses the following troubleshooting topics:
- General Troubleshooting First Steps
- High I/O and CPU Rates
- Log In Failures with RDP Access
- Altiris Deployment Server, Suspended Scripts
- Error While Adding Host to Pool
- Install Microsoft IIS Before .NET Framework
- Installation Error Messages

General Troubleshooting First Steps

Take the following steps if you encounter problems and do not have an immediate diagnosis or work-around.

1. Verify that the following three services are running on the Platform host where you installed the Core Services component of the CAP Core (see page 50 for more information):
   - Quest CAP Control Service
   - Quest CAP Engine Service
   - Quest CAP Services Container
2. Run the Test Communication test in the CAP web interface to verify that all agents are responding to and communicating with the CAP Core server.
3. If you plan to contact Quest Support, we recommend that you first create a .zip file of all relevant logs. This compilation can be very useful to the support team in diagnosing any issues. The customer database is also automatically exported to the zip file. To create the .zip file, perform the following steps:
   a. On the computer where the CAP Core components are installed, open a command prompt window.
   b. Type the following command, with any additional parameters as needed, and press Enter.
      surgient-support.exe

Optional parameters:

-numhours <number_of_hours>
   Use this parameter to retrieve log data recorded since the number of hours in the past that you enter as the numhours value. By default, the compression file includes the past 24 hours of data.

-server <server_name>
   Use this parameter to include agent logs from the specified server(s). Can be specified multiple times.

-database
   This parameter exports the entire contents of the operational database in XML format into the ZIP archive.

-outdir <directory_name>
   Specify the name of the directory where the output .zip file will be placed. The default is the working directory.

The output file is called SurgientLogs, and includes the date and time stamp. For example: SurgientLogs_2010_7_17_14_49_23.zip, which corresponds to July 17, 2010 at 2:49.43 PM.

High I/O and CPU Rates

Verify that if there is anti-virus software installed on the image, the software is not configured to automatically perform a full-disk scan. A full-disk scan at boot-up or any other time once the image is in the environment can potentially cause performance and deployment issues. Quest Software recommends that if a full-disk scan is required, run it when building the image. Once the image is in the Cloud Automation Platform environment, on-access scanning can be done, but be aware that it might impact performance. Additionally, consider generating a checksum hash to verify that the image is not modified between creation and delivery for deployment.

Log In Failures with RDP Access

Be aware that when creating an image to be imported into the Cloud Automation Platform environment, and the image:
- was created outside of the Cloud Automation Platform environment
- will be used in a server configuration with Active Directory Registration enabled

- will use auto-generated accounts to access the VM's remote desktop

the last login must have been to a local computer account. This is because the server's login screen defaults to the last domain used to log in, so if it was a domain instead of the local machine it causes the auto-generated accounts to fail to log in.

If this issue does occur, the work-around is to connect using console access and manually log into a local machine account. Be sure to log out using a local account so that the next login using RDP will work.

Altiris Deployment Server, Suspended Scripts

The Altiris Deployment Server can be in a state in which it is not able to extract values out of the Cloud Automation Platform-Altiris integration database (a.k.a., the token data source) and the Cloud Automation Platform scripts with tokens in them are suspended. If this issue occurs, deployments to a computer managed by Altiris will fail with a message such as Error 1 during script execution from the Altiris agent. The error message will appear in the CAP web interface in the Alerts area of the Sessions Details page.

To resolve this issue, reconfigure the Altiris Express Database system DSN (Data Source Name) through Administrative Tools -> Data Sources (ODBC). Click on Configure and verify that all the database settings are accurate and that the connection to the data source works.

Error While Adding Host to Pool

Review the following information if you receive this error message, or a similar one, while adding a host to a pool:

Command 'Engine.Script.initialize-nail-vm' did not complete successfully

This error message occurs for a variety of reasons, including the following:
- The Default Network selected when assigning the host to the pool might not have connectivity to the network on which the CAP Core server is located. Verify that there is not a firewall between the CAP Core server and the Default Network.
- The IP Address range defined as a network resource for the pool is not valid for the Default Network selected when assigning the host to the pool. Modify either the IP Address range or select a different network.
- If you selected DHCP for the NAIL Server Address when assigning the host to a pool, and there is no DHCP server on the Default Network, select the Use Pooled IP Address option.
- Spanning Tree Protocol (STP) is disabled for the access port on the switch into which the VM host network adapter (which is associated with the Default Network) is connected. Consult your network administrator to enable STP for the switch port.
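The second cause in the list above, a pooled IP address range that is not valid for the Default Network, can be checked before a host is assigned to a pool. The following is an added example, not part of the Quest guide or product; it also checks the range against a DHCP scope, since the guide warns elsewhere that pooled addresses must not duplicate those handed out by a DHCP server. The function name and all addresses are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress


def check_pool_range(default_network, pool_first, pool_last,
                     dhcp_first=None, dhcp_last=None):
    """Return a list of problems with a pooled IP range (empty list = OK).

    default_network is the subnet of the Default Network in CIDR form.
    dhcp_first/dhcp_last optionally describe the DHCP server's scope.
    (Hypothetical helper; names and inputs are assumptions of this example.)
    """
    net = ipaddress.ip_network(default_network)  # ValueError if host bits are set
    lo = ipaddress.ip_address(pool_first)
    hi = ipaddress.ip_address(pool_last)
    problems = []

    if lo > hi:
        problems.append(f"range is reversed: {lo} > {hi}")
        lo, hi = hi, lo

    # Both ends inside the subnet means the whole contiguous range is inside.
    if lo not in net or hi not in net:
        problems.append(f"range {lo}-{hi} is not inside {net}")
    elif net.prefixlen <= 30:
        # Network and broadcast addresses cannot be assigned to a VM.
        if lo == net.network_address:
            problems.append(f"range includes the network address {lo}")
        if hi == net.broadcast_address:
            problems.append(f"range includes the broadcast address {hi}")

    if dhcp_first is not None and dhcp_last is not None:
        d_lo, d_hi = sorted((ipaddress.ip_address(dhcp_first),
                             ipaddress.ip_address(dhcp_last)))
        o_lo, o_hi = max(lo, d_lo), min(hi, d_hi)
        if o_lo <= o_hi:
            count = int(o_hi) - int(o_lo) + 1
            problems.append(
                f"{count} address(es) overlap the DHCP scope: {o_lo}-{o_hi}")

    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real environment.
    for issue in check_pool_range("10.20.0.0/24", "10.20.0.100", "10.20.0.150",
                                  "10.20.0.140", "10.20.0.200"):
        print("PROBLEM:", issue)
```
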

Install Microsoft IIS Before .NET Framework

Installation of the CAP Core components requires that both IIS and .NET Framework be installed on the computer before you install Cloud Automation Platform. Be sure to install IIS before installing .NET Framework.

If IIS is installed after .NET Framework, the CAP Core components can be installed but the Agent Message Forwarder (the Mailbox) will not run correctly. Whenever an agent attempts to access the Mailbox web site, the following error occurs:

The current identity (NT AUTHORITY\NETWORK SERVICE) does not have write access to 'C:\WINDOWS\Microsoft.NET\Framework\v \Temporary ASP.NET Files'.

The solution for this problem is to run the Repair operation on the .NET Framework installer.

Windows

1. Run the Add or Remove Programs tool on the CAP Core server.
2. Select Microsoft .NET Framework from the list of installed applications.
3. Click Change/Remove.
4. When the .NET Framework installer appears, check the Repair option and click Next.
5. Wait for the operation to complete and reboot the machine when prompted.
6. From a Windows command prompt, run
   c:\windows\microsoft.net\framework\v \aspnet_regiis.exe -i -enable

Note: For 64-bit Windows, run:
   c:\windows\microsoft.net\framework64\v \aspnet_regiis.exe -i -enable

Windows

1. Open the Server Manager. To do so, click Start Menu -> All Programs -> Administrative Tools -> Server Manager
2. In the left pane of the Server Manager, click Roles.
3. In the right pane, click Add Roles.
4. In the Add Roles wizard, click Next.
5. In the list of roles, select Web Server (IIS). The Add Roles wizard prompts for additional information.
6. Click Add Required Role Services.
7. On the Select Server Roles page, click Next to continue.
8. On the Web Server (IIS) page, review the information and then click Next.
9. On the Select Role Services page, click Install.
10. If prompted, click Add Required Role Services.
11. On the Confirm Installation Options page, click Install.
12. From a Windows command prompt, run
    c:\windows\microsoft.net\framework\v \aspnet_regiis.exe -i -enable

Note: For 64-bit Windows, run:
    c:\windows\microsoft.net\framework64\v \aspnet_regiis.exe -i -enable

Installation Error Messages

Review the following installation errors and solutions.

Read/Write Access to the System Library Location

Review the following information if you receive this error message, or a similar one, during the installation process:

User does not have proper permissions to manage library or wrong password entered.

Verify the following permissions for the user account under which the Quest CAP Agent service runs:
   a. Directory permissions for the local directory on the CAP Core server
   or
   b. Directory and share permissions for the remote volume UNC location

Refer to Choosing a Windows Account for the Agent Service (Altiris) on page 45 for detailed information.

Error Accessing Agent Message Forwarder

Review the following information if you receive this error message, or a similar one, during the installation process:

Error accessing Agent Message Forwarder site: /ingress This is likely due to a misconfiguration of IIS or ASPNET. Correct these issues then install again.

To resolve this issue, take the following steps:
- Verify the Default Web Site in IIS. The home directory must exist and must be configured with the proper permissions.

- Run the Repair operation on the .NET Framework 2.0 installer (see instructions on page 230).
- Verify that ASP.NET 2.0 is enabled. To do so, open the IIS Manager and select Web Services Extensions, and then verify that ASP.NET v2.0 is set to Allowed.

Required Components Not Installed

If you receive the following error messages, cancel the installation and install the required software, then install again. For information about prerequisites, see System Requirements on page 13.

Examples of error messages:
- Install requires that your computer is running Windows Server 2003
- Install needs .net 3.5 to continue
- Install needs IIS to continue
  To install IIS, follow these steps: Open the Add/Remove Programs panel. In the far left pane, click Add/Remove Windows Components to launch the Windows Components Wizard. Select the checkbox for Application Server, and then click Details. In the Application Server panel, select the checkbox for Internet Information Services (IIS).
- Install needs ASPNET to continue
  This error occurs when the ASP.NET subcomponent of IIS is not enabled. To enable ASP.NET, open the Add/Remove Programs panel. In the far left pane, click Add/Remove Windows Components to launch the Windows Components Wizard. Select the checkbox for Application Server, and then click Details. In the Application Server panel, select the checkbox for ASP.NET.


Chapter 8, Image Management

This chapter details the file types and locations involved in image management and explains the function of images in the Cloud Automation Platform environment. Additionally, this chapter discusses the process of creating new images and preparing the images for use in the Cloud Automation Platform environment.

The following topics are discussed in this chapter:
- Image File Types
- Duplicating Image Files
- Creating New Images
- Preparing Images
- Agentless Images
- Converting Hardware Versions for .vmdk Files
- Using NAIL Driver on Windows Images

Image File Types

Both virtual machine images and physical server images can be used in the Cloud Automation Platform environment. Virtual machine images are used to create the VMs in the environment. Physical server images are used to create server configurations that run on physical computers managed by a physical provisioning system.

Note: For information about using HP Server Automation OS Sequences to create VMs, instead of images, see External Provisioning with HP Server Automation on page 41.

Physical Server Images

A physical server image is a capture, or image, of the physical computer, both hardware and software, from which the image was created. A physical server image does not use undo files to capture changes made to the deployed physical server. If a user wants to roll back to the original state of the server, the physical server image that is stored in the system library is used to recreate the original state.

Supported physical server image types are physical server images, Linux or Windows, that are created by Altiris Deployment Solution (.img).

Virtual Machine Images

A virtual machine image is a virtual hard disk; a virtualized representation of a computer's disk drive, CD-ROM, floppy disk, or other storage device. Virtual machine images act as disk drives for virtual machines (VMs). When a computer has multiple disk drives, multiple image files are required to recreate the machine. A virtual machine image can include either a solitary base image or a base image plus undo files, which capture only the changes made to the base image.

Supported image types include:
- VMware ESX virtual disk (.vmdk)
  Note: Cloud Automation Platform requires Hardware Version 4 or version 7 double-file VMDK format for all .vmdk files. Refer to Converting Hardware Versions for .vmdk Files on page 253 for instructions to use a vcsadmin script to convert files.
- Microsoft Windows Server 2008 Hyper-V virtual disk (.vhd)
  Note: For Hyper-V images, the latest Integration Services must be installed.

The following types of files are used in conjunction with virtual machine images:
- Base Images
- Undo Files, Redo Files, and Differencing Disks
- Snapshots
- ISO image files

Base Images

A base image is a file directly representing the initial state of a virtual disk drive in a VM. A single, virtual disk drive is represented by a single base image. A base image provides the fundamental software image for a session. The same image can be used in multiple contexts. For instance, the same base image might be used for several different sessions that require the same guest operating system.

If the base image is an installation of a company's newest software release, the Training department might use that image for customer training. The same image can also be used by the Sales department to create customer demonstrations of the software. Furthermore, the Test/QA department can use the same image as Training and Sales to create a test environment.

Base images are stored in the system library's templates directory in read-only mode.

During use, each base image is typically paired with a redo or undo file, which records all changes made to the virtual drive.

Undo Files, Redo Files, and Differencing Disks

An undo file (also known as a differencing disk or redo file) is chained to a base image and records all changes made to the virtual drive during use. The creation and contents of these files are a basic capability of the underlying virtualization platform.

Each time an application configuration is deployed to a VM, the VM is placed in undoable or append mode, and a new undo file is created for each virtual hard drive in the associated server configurations. Undo files are saved on the VM's host server. When work with a VM is completed, the recorded changes can be saved, discarded, or merged with the base image. If the user does not save the changes from his session, the corresponding undo file is deleted.

Saved undo files are stored in the system library's snapshots directory in read-only mode. Cloud Automation Platform provides additional file management capabilities for snapshots.

Snapshots

A snapshot saves the changes that occur during a single user session by saving the user's undo file and a link to the original base image. A user can save a snapshot to easily capture a specific environment, such as an OS with his application installed and configured. For instance, a user might want to save a snapshot before he installs a service pack or a new software program. If a problem occurs, he can easily end the session without saving any changes to revert to his initial environment. Any data saved to disk or configuration settings that a user makes after a snapshot is saved will not be restored when he reverts to the snapshot. He must save the snapshot again to preserve changes.

Note: If a user saves a session and then saves the session again, the initial snapshot is overwritten.
When an application user saves a snapshot, it is saved from the virtualization host to the snapshots directory on the system library.

When an application user schedules a session with a snapshot to resume his or her work in a session, his snapshot and the image to which it is chained are deployed. The base image is attached to the VM from the corresponding file cache location or the system library and the undo file is copied from the system library to the virtualization host to complete the image.

Consider a test engineer conducting a software test. Once the necessary software is installed on the first test machine, a base image is created. This image can be used to create the remaining servers for the test. However, to more effectively test the material in the test plan, the test engineer wants to install some additional software. The test engineer saves a snapshot, which chains the undo file that contains the software to the base image. The test engineer can deploy a session with his snapshot, which specifies both the base image and undo file. Once the test engineer creates and saves the final test configuration, you can promote the base and undo images to the system library as a single, merged image file.

You can promote a snapshot using the CAP web interface. When you promote a snapshot, a new image is created based on the original image and includes the changes from the user's undo file. If the snapshot is based on multiple server configurations, a new base image is created for each server configuration. Server configurations and application configuration are also created. The new images, server configurations, and application configuration are available in the system library. New images are saved to the templates directory on the system library.

The following graphic shows the platform objects and images before and after a snapshot is promoted.

[Figure 1: Effects of Promoting a Snapshot on Platform Objects and Images. Panel "User environment with a snapshot": application configuration #1; server configuration #1 and #2; base image #1 and #2; snapshot #1 and #2. Panel "Newly created platform objects and images after promotion": new application configuration; new server configurations that are linked to the corresponding base images; new base images that merge base #1 with snapshot #1 and base #2 with snapshot #2.]

Additionally, you can view, delete, and deploy sessions with snapshots using the CAP web interface. For details on performing these procedures, refer to the online help.

Whether or not a user can save a snapshot is determined by the persona associated with the user. You can also set the maximum space allowed for snapshots per user and per organization. For details, see Quotas on page 316.

ISO Image Files

An ISO image is a virtualized copy of a physical CD or DVD media disk and can contain many file systems. An ISO file is stored in the templates directory in the system library and can be mounted to a VM as part of the application configuration. Using the CAP web interface, you can use the Attach Media option to mount an ISO file. Additionally, an application administrator can mount an ISO file from the file repository. You can mount ISO images to update disk images at any time.

Note: Attaching ISO images is not supported for physical servers.

Using the CAP web interface, you can select a deployed session and then attach media to that VM. This attaches a CD-ROM, DVD, or ISO device to the deployed VM and the user can access the files on that drive. For more information, see Managing Sessions on page 295.

Alternatively, instead of attaching the ISO to a server configuration, you can include the ISO in a library to which users have access. A user accesses the file repository, copies the ISO locally and mounts the ISO as a virtual CD or DVD driver (at which point it displays as a CD or DVD drive).

Duplicating Image Files

When an image (either a virtual machine image or a physical server image with a static IP Address) is cloned, some identifiers are always duplicated, including the machine name, security identifier (SID), and IP address.

To solve the problem of duplicate IP addresses causing network conflicts, the Cloud Automation Platform network abstraction and isolation layer (NAIL) uses network address translation (NAT) to provide a unique IP address for each cloned VM or physical server image on a network. With the NAIL Server managing the network translation, an entire operating system (OS) stack and application, including groups of applications, can be imaged and moved from one VM or physical computer to another and from one environment to another without any changes to the image itself. For detailed information about NAIL, see Chapter 5, Advanced Networking, on page 155.

Note: The NAIL Server is an optional component that is not installed by default with Cloud Automation Platform. For information about installing the NAIL Server components, see Installing the Advanced Enterprise Pack (Optional) on page 75.

Dynamic Host Configuration Protocol (DHCP) prevents IP address conflicts by dynamically configuring non-conflicting IP addresses to DHCP-enabled VMs and deployed physical servers.

Note: In configurations where a DHCP server is used for allocation of IP addresses to VMs and deployed physical servers, it is important to ensure that the pooled IP addresses used in the Cloud Automation Platform environment do not duplicate those used by the DHCP server. For more information about configuring images, refer to the online help.

You can also specify a virtual network range or masquerade properties for an image to simplify the creation of multiple VMs from a single image file on a network.

Creating New Images

The processes for creating and preparing images are different for virtual machine images and physical server images. Refer to the following sections for more information:
- Creating Virtual Machine Images on page 242
- Creating Physical Server Images on page 243

Creating Virtual Machine Images

There are several different options for creating the images that will be used in the Cloud Automation Platform environment. Quest Software Professional Services provides image creation, conversion, and management for many customers. Or, your company can leverage your ISO images to create images for the Cloud Automation Platform environment. Finally, you can use the CAP web interface to create new virtual machine images. (Refer to the online Help for detailed instructions.)

Note: The appropriate virtual machine tools must be installed on the image. Install Microsoft's Integration Services on all images that will use a Microsoft Hyper-V host server and install VMware Tools on all images that will use a VMware ESX host server.

When you create a virtual machine image using the CAP web interface, you create a blank application configuration, and the corresponding image and server configuration. You must specify mount points, a hardware profile, optional image files, application configuration name and description, and server configuration name and description.

After you create a blank application configuration and then create a session, deploy the session and use the Session Details page to connect to the remote console of the VM using Console access. From the remote console, install an OS and any software that you want to include in the image.

To add an OS or software to the blank disk, you must access an ISO file. You can attach an ISO file by using the Attach Media option or you can include an ISO file in the server configuration that you create.

Note: Quest Software recommends that you save the image after you install the OS but before adding any software. Using the Save As command on an active session enables you to create a new server configuration, application configuration, and session that reference the newly saved image file. Saving an OS without any applications provides an image file that can be used as the starting point for additional image creation.

The newly saved image is saved to the Templates directory of the system library. Images created with the CAP web interface use the following naming convention:

NewDisk-<n>

For instance, if you create a blank application configuration with a single disk, the image created is named NewDisk-0.

To create additional new images, you can re-use the original blank application configuration or create new blank application configurations that specify any additional disk size or ISO requirements.

Creating Physical Server Images

Physical server images are used to create server configurations that run on physical computers managed by a physical provisioning system, such as Altiris Deployment Solution. The workflow for creating physical server images is different from that of creating virtual machine images primarily in that the image must be prepared in advance for use in the Cloud Automation Platform environment before creating it and adding it to the system library.

To create a physical server image, configure the physical computer exactly as you want the image to be. Then use the Surgient_Image_Tool.exe to prepare the image's configuration for use in the Cloud Automation Platform environment. Finally, create an image (.img) of the physical server using the physical provisioning tool. For details about preparing a physical server image for Windows or Linux, see Preparing Physical Server Images on page 250.

Note: The Altiris physical server images must have an extension of .img, with all lowercase letters. Otherwise the image will not deploy in the Cloud Automation Platform environment.

Preparing Images

Both virtual machine images and physical server images can be used in the Cloud Automation Platform environment. Virtual machine images are used to create the VMs in the environment. Physical server images are used to create server configurations that run on physical computers managed by a physical provisioning system.

Any images, virtual or physical, that will be used in the Cloud Automation Platform environment should, with a few exceptions, be prepared, or optimized, using the CAP-provided optimization tool. Quest Software recommends that you create a resource pool in which all image creation and preparation is performed.
- For virtual images, attach the Surgient_Image_Tool.iso media and select the appropriate scripts to run. See Preparing Virtual Machine Images on page 246.
- For physical server images, run the Surgient_Image_Tool.exe. See Preparing Physical Server Images on page 250.

Before you begin preparing a .vhd, .vmdk, or .img image for use in your Cloud Automation Platform environment, it is helpful to know how many images you need, the amount of RAM required for each image, and other related information.

Warning: Be aware that when creating an image to be imported into the Cloud Automation Platform environment, and the image:

- was created outside of the Cloud Automation Platform environment,
- will be used in a server configuration with Active Directory Registration enabled, and
- will use auto-generated accounts to access the VM's remote desktop,

the last login must have been to a local computer account. This is because the server's login screen defaults to the last domain used to log in, so if it was a domain instead of the local machine, the auto-generated accounts fail to log in. If this issue does occur, the workaround is to connect using console access and manually log in to a local machine account. Afterwards the RDP sessions will connect normally.

Warning: Verify that if there is anti-virus software installed on the image, the software is not configured to automatically perform a full-disk scan. A full-disk scan at boot-up or any other time once the image is in the environment can potentially cause performance and deployment issues. Quest Software recommends that if a full-disk scan is required, run it when building the image. Once the image is in the Cloud Automation Platform environment, on-access scanning can be done, but be aware that it might impact performance. Additionally, consider generating a checksum hash to verify that the image is not modified between creation and delivery for deployment.
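One way to act on the checksum recommendation above, as an added example that is not part of the Quest guide or product: record a SHA-256 manifest when the images are built, verify it before they are added to the library, and flag .img names whose extension is not lowercase. The file names (other than the NewDisk-<n> pattern), the manifest name images.sha256 and all function names are assumptions made for this sketch.

```python
import hashlib
import os
import tempfile

IMAGE_EXTENSIONS = (".vhd", ".vmdk", ".img", ".iso")  # image types named in this guide
CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB blocks; disk images do not fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(directory):
    """Map each image file under `directory` (relative path) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(IMAGE_EXTENSIONS):
                full = os.path.join(root, name)
                manifest[os.path.relpath(full, directory)] = sha256_file(full)
    return manifest


def write_manifest(manifest, manifest_path):
    """Write `<digest>  <path>` lines, the layout `sha256sum -c` also accepts."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        for rel_path in sorted(manifest):
            out.write(f"{manifest[rel_path]}  {rel_path}\n")


def read_manifest(manifest_path):
    """Load a manifest written by write_manifest back into a dict."""
    manifest = {}
    with open(manifest_path, encoding="utf-8") as src:
        for line in src:
            if line.strip():
                digest, rel_path = line.rstrip("\n").split("  ", 1)
                manifest[rel_path] = digest
    return manifest


def verify_manifest(directory, manifest):
    """Compare the files on disk with the manifest recorded at build time."""
    current = build_manifest(directory)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def bad_img_extensions(manifest):
    """Names ending in .img in any other case, which the guide says will not deploy."""
    return sorted(p for p in manifest if p.lower().endswith(".img") and not p.endswith(".img"))


def demo():
    """Constructed files: record a manifest, then change the set before delivery."""
    with tempfile.TemporaryDirectory() as build_dir:
        samples = {"NewDisk-0.vmdk": b"base os", "web01.IMG": b"physical", "tools.iso": b"iso"}
        for name, data in samples.items():
            with open(os.path.join(build_dir, name), "wb") as handle:
                handle.write(data)
        manifest_path = os.path.join(build_dir, "images.sha256")
        write_manifest(build_manifest(build_dir), manifest_path)
        recorded = read_manifest(manifest_path)
        # Simulated changes between creation and delivery for deployment.
        with open(os.path.join(build_dir, "NewDisk-0.vmdk"), "ab") as handle:
            handle.write(b"!")
        os.remove(os.path.join(build_dir, "tools.iso"))
        with open(os.path.join(build_dir, "extra.vhd"), "wb") as handle:
            handle.write(b"x")
        return verify_manifest(build_dir, recorded), bad_img_extensions(recorded)


if __name__ == "__main__":
    report, bad_names = demo()
    print(report)
    print("extension is not lowercase .img:", bad_names)
```

Keep the manifest somewhere other than the directory it describes, so that a change to the images cannot be hidden by regenerating it in place.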

Preparing Virtual Machine Images

For detailed instructions to prepare a virtual machine image, see:

- Preparing Windows Virtual Machine Images on page 247
- Preparing Linux Virtual Images on page 248

To use virtual images in your Cloud Automation Platform environment, you can either:

- Import existing images that were created outside of the Cloud Automation Platform environment, using virtualization software. See the Warning below for important information about images created outside of the Cloud Automation Platform environment.
- Create an image using the CAP web interface. Cloud Automation Platform uses the underlying virtualization software to create an image in the software's supported format.

Workflow Summary

After the virtual images are imported into the Cloud Automation Platform environment, the workflow for preparing virtual images is as follows (refer to the online Help for exact instructions for each step):

1. Add the image(s) to the Library.
2. Create a server configuration using the image.
3. Create a single-server application configuration.
4. Create a session from the application configuration.
5. Access the console of the deployed VM (created from the image).
6. Prepare the image for use in the Cloud Automation Platform environment, using the Surgient_Image_Tool.iso file.
7. Save the modified server as a new image.

Considerations:

- If an image will be included in a configuration that enables Active Directory, review the Warning on page

- If you do not want to include the Quest CAP Agent in the image as a guest agent, see Agentless Images on page 252. When creating a server configuration with an image that does not have a guest agent, deselect the Has Agent check box under the Remote Access Types area on the New Server Configuration page.
- The appropriate virtual machine tools must be installed on the image. Hyper-V host server and install VMware Tools on all images that will use a VMware ESX host server.

Preparing Windows Virtual Machine Images

To prepare a Windows virtual machine image for use in a Cloud Automation Platform environment and add the Quest CAP Agent, run the Express.exe file that is included in the Surgient_Image_tool.iso. The Express.exe executable prepares the image by:

- adding the Quest CAP Agent
- enabling and configuring Remote Desktop connectivity
- disabling automatic updates
- changing the last CD-ROM Drive Letter to S
- installing .NET Framework 2.0

Note: If you do not want to add the Quest CAP Agent to the image, do not follow the steps below. Instead, see Agentless Images on page 252.

1. Verify that the appropriate virtual machine tools were installed on the image.
2. Verify that the image was created from a fully licensed Windows operating system. Because the Express.exe program attempts to detect a volume-licensed copy of Windows for activation detection, it does not work with an image that does not have a permanent product key (license key) entered.
3. Establish a terminal session by opening the console of the VM.
4. Mount the Surgient_Image_tool.iso file on the VM host.

5. If auto-start is enabled, the Image Optimizer Express dialog opens after the .iso has been successfully mounted. If the dialog does not open, navigate to the Express.exe file and double-click it.
   Note: If an Open File - Security Warning message appears, click Run.
6. Enter the Username, Password, and Domain. For Vista, Windows 7 and Windows 2008 Server, this must be the local Administrator account. For versions of Windows prior to Vista, an account in the local Administrator's group is sufficient.
7. Click Start. The Executing Task... dialog appears and displays progress information. After the program has completed, a web browser launches and displays the Image Update and Analysis Report. This information describes the changes made to the image.

(Optional) If you plan to access this image using VNC, install and configure TightVNC Server.

After you have successfully prepared your Windows image for use in a Cloud Automation Platform environment, add the image to the system library.

Preparing Linux Virtual Images

To prepare a Linux virtual machine image for use in a Cloud Automation Platform environment and add the Quest CAP Agent, run the linux-agent-*.i386.rpm file that is included in the Surgient_Image_tool.iso. The linux-agent-*.i386.rpm prepares the image by adding the Quest CAP Agent.

Note: If you do not want to add the Quest CAP Agent as a guest agent to the image, do not follow the steps below. Instead, see Agentless Images on page 252.

1. Verify that the appropriate virtual machine tools were installed on the image.
2. Establish a terminal session by opening the console of the VM.
3. Create a temporary directory by entering the following command:

   mkdir /<temp>

   Where <temp> is the name of the temporary directory.
4. Copy the following file from the Cloud Automation Platform installation distribution files to the temporary directory that you created in step 3:

   linux-agent-*.i386.rpm
5. Install and configure the agent by performing the following steps:
   A. Navigate to the temporary directory that you created in step 3.
   B. Type the following command and press Enter.

      rpm -iv /dir_path_of_iso/linux-agent-*.i386.rpm
   C. After the system finishes setting up the appropriate files, modify the agent's CDDEVICE variable, as follows:
      i. Navigate to /etc/init.d.
      ii. Open surgientagent in a text editor.
      iii. Set the CDDEVICE variable to /dev/scd0.
      iv. Save surgientagent and quit the text editor.
6. After you have successfully prepared your Linux image for use in a Cloud Automation Platform environment, save the image as a new configuration.

Preparing Physical Server Images

Any physical images that will be used in the Cloud Automation Platform environment should, with a few exceptions, be optimized by using the appropriate Cloud Automation Platform image preparation tool.

Note: Physical server images must be prepared for use in the Cloud Automation Platform environment before they are added to the system library. Physical server images cannot use NAIL Server; the legacy NAIL Driver must be used instead. For more information, see Using NAIL Driver on Windows Images on page 254.

For detailed instructions to prepare a physical server image, see:

- Preparing Windows Physical Server Images on page 251
- Preparing Linux Physical Images on page 251

Workflow Summary

The workflow for preparing, creating, and importing physical server images is as follows:

1. Log on to the physical computer from which you want to make the image.
2. Prepare the server for the Cloud Automation Platform environment using the appropriate tool (on installation media):
   Windows: Surgient_Image_Tool.exe
   Linux: rpm -i linux-phy-agent-v.0.0-*.i386.rpm
3. Using the provisioning system, such as Altiris, create an image of the server.
4. Add the image(s) to the Library.

Preparing Windows Physical Server Images

To prepare a Windows physical server image for use in a Cloud Automation Platform environment and add the Quest CAP Agent, use the Surgient_Image_Tool.exe file that is included in the Cloud Automation Platform distribution media (CD or download).

Note: If you do not want to add the Quest CAP Agent to the image, do not follow the steps below. Instead, see Agentless Images on page 252.

1. Copy the Surgient_Image_Tool.exe file to the physical computer from which you want to create a physical server image.
2. Double-click the Surgient_Image_Tool.exe file to launch the tool.
3. When prompted, enter the local administrator's login ID and password. The computer will reboot itself several times to complete the preparation process.
4. After the Surgient_Image_Tool.exe file has finished running, create an image (a .img file) of the physical server using the physical provisioning tool.
   Note: The Altiris physical server images must have an extension of .img, with all lowercase letters. Otherwise the image will not deploy in the Cloud Automation Platform environment.
5. Add the image to the system library.

Preparing Linux Physical Images

To prepare a Linux physical image for use in a Cloud Automation Platform environment and add the Quest CAP Agent, perform the following steps:

Note: If you do not want to add the Quest CAP Agent to the image, do not follow the steps below. Instead, see Agentless Images on page 252.

1. Copy the linux-phy-agent *.i386.rpm file to the physical computer from which you want to create a physical server image.

2. Use the following command to run the .rpm file and prepare the server.
3. When the .rpm file has finished preparing the server, make an image of the server using the physical provisioning tool.
4. Add the image to the system library.
5. After you have successfully prepared and created your Linux physical image for use in a Cloud Automation Platform environment, create a physical server configuration, an application configuration, a session, and then save the image as a new configuration.

Note: The physical server image must have an extension of .img, with all lowercase letters. Otherwise the image will not deploy in the Cloud Automation Platform environment.

Agentless Images

An image used in the Cloud Automation Platform environment typically includes a Quest CAP Guest Agent, which communicates with the CAP Core server and runs commands issued to it from the CAP Core server. However, there are some situations in which installing the guest agent is not desired or allowed. For example, your environment may prohibit, for security reasons, the installation of third-party software.

In summary:

- Agentless Windows images that will run in ESX require that you run the ESX_networking_fix.reg file that is included in the Surgient_Image_Tool.iso.
- Agentless Windows images that will run in Hyper-V do not require additional preparation.
- Linux images do not require additional preparation, either.

Note: Be aware that provisioning a virtual server without the Agent will limit your remote access to native console access. For physical server images created by Altiris, there will be no remote access to the deployed virtual server possible from the CAP web interface without the guest agent. In addition, your server should boot and shut down unattended without any interactive prompts. If the virtualization guest tools cannot properly shut down your server, saving changes through snapshots and promotions may lead to data loss.

When creating a server configuration with an image that does not have an Agent, deselect the Has Agent check box under the Remote Access Types area on the New Server Configuration page.

Converting Hardware Versions for .vmdk Files

Cloud Automation Platform requires that all VMware ESX images are in the Version 4 or Version 7 double-file VMDK format. For ESX 3.5 hosts all .vmdk files must be hardware version 4. ESX 4 hosts can use files in the hardware version 4 or 7.

To convert .vmdk files, perform the following steps:

1. Launch the vcsadmin utility by double-clicking the vcsadmin.exe file in the installation directory on the CAP Core server. By default, this directory is Program Files/Quest Software/CAP/Platform.
2. When the vcsadmin utility opens, log on by typing the following and then pressing Enter:

   login <userid> <password>

   By default, the user ID is admin. The password is the administrator password that was defined during the Cloud Automation Platform installation.
3. After logging on, use one of the following commands and then press Enter:

   To convert one specific file in the system Library directory:

   imageconvert image <image_name.vmdk> <library_path> VMDKx VMDKy

   Where x is the version number of the source and y is the version to which you want to convert.

   Example: imageconvert \library VMDK3 VMDK7

   To convert all files in the system Library directory:

   imageconvert <library_path> VMDKx VMDKy

   Where x is the version number of the source and y is the version to which you want to convert.

Note: To determine your library path, run the librarylist command in vcsadmin. If the file is in a sub-directory beneath the default Templates directory, add the subdirectory name in front of the image name value. For example:

imageconvert image <subdirectory_name\image_name.vmdk> <library_path> VMDK3 VMDK4

Using NAIL Driver on Windows Images

If you are preparing either virtual server images that will run on Hyper-V or physical server images, and you plan to use the legacy NAIL driver (deprecated in version 5.x), review the following information and procedures.

Physical Server Images and NAIL Driver

To prepare Windows physical server images to use the NAIL driver for cloning, complete the following steps:

1. Log on to the physical computer from which you want to make a physical server image.
2. Copy the following files from the installation media to the physical computer on which you want to create the image:

   ImagePreparation\Surgient_Image_Tool.exe
   ImagePreparation\ImagePrep.exe
3. Set the IP Address to a static IP Address:
   A. In the Control Panel, double-click Network Connections.
   B. On the Network Connections dialog box, double-click Local Area Connection.
   C. In the Local Area Network Status dialog box, on the General tab, click Properties.
   D. In the Local Area Network Properties dialog box, on the General tab, select the Internet Protocol (TCP/IP) entry and click Properties.
   E. In the Internet Protocol (TCP/IP) Properties dialog box, select the Use the Following IP Address radio button. Provide a static IP Address that is not on the network where the image will be deployed.
   F. Click OK and close the dialog boxes.
4. Double-click the Surgient_Image_Tool.exe file to start running the image preparation tool for physical server images.
   A. When prompted, enter the local administrator's login ID and password. The computer will reboot itself several times to complete the preparation process.
   B. After the above process is complete, double-click the ImagePrep.exe file.
   C. Select Standard for the type of installation, and on the next panel, select only NAIL and Terminal Services.
      Note: Be sure to deselect Guest Agent, since an Agent was already installed by the Surgient_Image_Tool.exe file.
   D. Click Next through the rest of the ImagePrep program, and then click Finish.

   E. After both .exe files have completed their processes, create an image (.img) of the physical server using the physical provisioning tool.
   F. Add the physical server image to the system Library.

Note: The Altiris physical server images must have an extension of .img, with all lowercase letters, and no spaces in the name. Otherwise the image will not deploy in the Cloud Automation Platform environment.

Virtual Machine Images and NAIL Driver

To prepare a Windows virtual machine image for deployment on a Hyper-V host and to install the NAIL driver (which enables the simultaneous deployment of multiple, cloned VM configurations), use the following procedures:

1. Verify that the appropriate virtual machine tools were installed on the image.
2. Verify that the image was created from a fully licensed Windows operating system. Because the Express.exe program attempts to detect a volume-licensed copy of Windows for activation detection, it does not work with an image that does not have a permanent product key (license key) entered.
   The Windows operating system must be either Windows 2003 or Windows XP, and be a 32-bit platform.
   The network connection in the virtual machine must be named Local Area Connection (Windows only).
3. Establish a terminal session by opening the console of the VM.
4. Mount the Surgient_Image_tool.iso file from the VM host.
5. If auto-start is enabled, the Image Optimizer Express dialog opens after the .iso has been successfully mounted.
6. If the dialog does not open, navigate to the directory where the Surgient_Image_Tool.iso is mounted, and double-click the Express.exe file.
7. Enter the Username, Password, and Domain.
8. Click Start.

9. The Executing Task... dialog appears and displays progress information. After the program has completed, a web browser launches and displays the Image Update and Analysis Report. This information describes the changes made to the image.
10. Set the IP Address of the image to a static IP Address that is not on the network where the image will be deployed. (For detailed steps, see step 3 on page 255.)
11. Navigate to the directory where the Surgient_Image_Tool.iso is mounted, and double-click the ImagePrep.exe file.
12. Select Standard for the type of installation, and on the next panel, select only NAIL and Terminal Services.
    Note: Be sure to deselect Guest Agent, since an Agent was installed by the Express.exe file.
    Optional: If you plan to access this image using VNC, you can select the VNC option to install and configure TightVNC Server.
13. Click Next through the rest of the ImagePrep program, and then click Finish.
14. After you have successfully prepared your Windows image for use in a Cloud Automation Platform environment, add the image to the system library.


9 Physical and Network Resources

This chapter explains how the physical and network resources interact in the Cloud Automation Platform environment. The following topics are discussed in this chapter:

- Overview of Resources
- Resource Pools
- Network Resources
- System Library Locations
- File Caches and File Cache Locations
- Virtualization Hosts
- Virtual Machines

Overview of Resources

Before you begin using the Cloud Automation Platform environment, make sure physical and network resources are available for use. Physical resources include system library locations, file cache locations, virtualization hosts, and optionally, physical computers and physical provisioning servers. Network resources include MAC addresses, DHCP network ranges, IP addresses, VLAN ID ranges, and, optionally, NAIL virtual network ranges (for legacy NAIL Driver support).

After the physical and network resources have been made available, use the CAP web interface to define the resources for Cloud Automation Platform. All virtualization hosts, physical computers, and network resources must be assigned to a resource pool, which contains the physical and network resources that determine capacity for the Cloud Automation Platform environment. Resources must be allocated to resource pools before they can be used by Cloud Automation Platform applications. The resources of a single host can be divided among several pools, unless the pool is a High Availability pool. Refer to the online Help topic Assigning a Host to a Pool for details. For more information about High Availability pools, see Using High Availability with VMware vsphere on page 211.

Resource Pools

A resource pool contains the host and network resources that determine capacity for the Cloud Automation Platform environment. A resource pool contains computing resources such as RAM, IP addresses, MAC addresses, virtual network prefixes, virtualization hosts, and physical computers. Resources must be assigned to resource pools before they can be used by Cloud Automation Platform applications.

Manage resources and resource pools using the CAP web interface. You can add, change, assign, or unassign a host or network resource to or from a resource pool.
If you try to unassign a resource that is scheduled for use and no other resource is available in its place, the resource cannot be unassigned from the resource pool. You can also associate each resource pool with a file cache.

To use the Cloud Automation Platform High Availability (HA) feature, assign the required assets to an HA pool. For more information about High Availability, see Using High Availability with VMware vsphere on page 211. Also refer to the online Help for instructions about pooling hosts and other assets.

A single resource pool can fulfill multiple heterogeneous resource requirements. For example, an application configuration that requires 512 MB of RAM might be deployed into the same resource pool as an application configuration that requires 2 GB of RAM.

A single resource pool can be shared, which allows multiple organizations to use the same network and host resources. Shared resource pools enable the most effective use of limited resources. Resource pooling and sharing balance resource requests and provide high availability of resources. However, it is possible for some users to monopolize the majority of the resources.

Ultimately, you must monitor the fair allocation and utilization of resources. Using the CAP web interface, configure restrictions for resource allocations, snapshots, and reservations to prevent resource monopolization. For more information, see Quotas on page 316.

You can also limit access to a resource pool to a specific user group or organization. For example, if your environment hosts a training solution with both self-paced and instructor-led labs, you might want to assign all resources for the self-paced labs to a specific pool and all instructor-led lab resources to another pool. For more information about access control, see Access Control on page 297.

Network Resources

Network resources are used to create a working network on VMs. Network resources are required when multiple copies of the same application configuration are deployed or when an isolated network is required. Determine which network resources are required for your environment and then use the CAP web interface to define those resources. Network resources include:

MAC addresses
Ethernet MAC addresses uniquely identify network adapters as nodes on a network.
Each network adapter of a VM deployed by the CAP Core is assigned a MAC address from the pool of network resources. MAC address resources should be added in blocks of sequential addresses that begin with the virtualization vendor's Organizationally Unique Identifier (OUI). For example, when deploying to VMware hosts, the MAC addresses should be in the form 00:50:56:xx:xx:xx.

IP addresses
Pooled IP addresses are used for TCP/IP communication between VMs, deployed physical servers, and the CAP Core. IP addresses added to a Cloud Automation Platform pool must be within the network range defined by that pool's gateway and netmask. VM network interfaces that are configured for NAIL have static internal IP addresses, and NAIL servers perform network address translation (NAT) that maps these internal IP addresses to external IP addresses taken from the pool of network resources. VM network interfaces that are configured for VLAN-isolated DHCP will also be assigned one of these pooled addresses from the NAIL server, which acts as that VM's DHCP server. You must pool some IP addresses even if you will not be using NAIL or VLAN-isolated DHCP, since they are required by other platform components.

NAIL Driver network range
Allow servers within the same application configuration to communicate with each other using internal IP addresses. If you are specifying a NAIL Driver Network Range (legacy) it is recommended that you specify a range of Class B IP addresses that falls within the larger range of to If you specify a range of Class B IP addresses for the virtual network pool, ensure that the internal subnet masks of the corresponding VMs support a Class B network, such as Similarly, if you specify a range of Class C addresses, ensure that the internal subnet masks of the corresponding VMs support a Class C network, like

Best Practice: When you define the NAIL Driver network range, use the third octet of the IP address range for the second octet of the NAIL virtual network range. For example, if your IP address range begins with x, the NAIL driver network range should be x.0. This helps the NAIL driver network ranges remain unique.
VLAN ID range
A session deployment creates the networks, as defined in that deployment's application configuration, that are required between the deployed VMs. Each network created in a deployment is assigned a VLAN ID from the pool of network resources. If the NAIL Server Mode is set to Standard Mode, VLAN tagged network traffic never leaves the hosts, so you can choose to pool any VLAN IDs in the range 2 through 4094, excluding the VLAN ID that your network is using as its Default VLAN. If the CAP Core is operating in NAIL Server Advanced Mode, VLAN tagged traffic will be passed between switches in your environment, so you must work with your network administrator to make certain that you only pool VLAN IDs that are supported by your switch configuration, and which are not already in use in other parts of your network. Plan for one VLAN ID per virtual network for each deployment of an application configuration; so for each test configuration that will be scheduled, define a VLAN ID. As a best practice, creating extra VLAN IDs is better than having too few. The IDs created should be unique and not used anywhere else.

DHCP network range
For physical servers and virtual images that require both network isolation and the use of DHCP, create one or more DHCP network ranges. For details about using VLAN-isolated DHCP networks, see Using VLAN-isolated DHCP Networks on page

If you use a mixed environment where some server configurations use non-VLAN-isolated DHCP and others do not, at a minimum, ensure that the IP addresses provided by your DHCP server are excluded from the IP address range specified in the Cloud Automation Platform network resources.

Note: Some DHCP servers require that you add the MAC addresses created for Cloud Automation Platform to the DHCP configuration table.

NAIL enables several VMs to use a single image file by providing each VM with a unique MAC address, IP address, and VLAN ID range if it is required. For more information about NAIL, see Chapter 5, Advanced Networking, on page 155.

After you specify network resources, assign them to a resource pool. When a session is provisioned, network resources are assigned automatically to VMs and deployed physical servers.

System Library Locations

A system library location acts as a physical repository for base image files, snapshots, and deployment action files. Each system library server location contains three directories, a Templates directory, a Snapshots directory, and a DeploymentActions directory.
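Returning to the network resource rules described above (sequential MAC blocks inside the vendor OUI, pooled IP addresses inside the network defined by the pool's gateway and netmask and clear of addresses served by an existing DHCP server, VLAN IDs 2 through 4094 excluding the Default VLAN, one VLAN ID per virtual network per deployment), the following added example checks a planned set of values before they are entered in the CAP web interface. It is not part of the product; the dictionary layout, the function names and both sample pools are constructed for this sketch.

```python
import ipaddress
import re

VMWARE_OUI = "00:50:56"  # OUI the guide gives for MAC blocks on VMware hosts
MAC_RE = re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")


def mac_block(first_mac, count, oui=VMWARE_OUI):
    """Expand a block of sequential MACs; reject a block that leaves the vendor OUI."""
    if not MAC_RE.fullmatch(first_mac):
        raise ValueError(f"not a MAC address: {first_mac!r}")
    start = int(first_mac.replace(":", ""), 16)
    oui_value = int(oui.replace(":", ""), 16)
    block = []
    for value in range(start, start + count):
        if value >> 24 != oui_value:  # the top three octets are the OUI
            raise ValueError(f"block from {first_mac} leaves OUI {oui} after {len(block)} addresses")
        block.append(":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8)))
    return block


def _span(first, last):
    """Parse an inclusive first-last address range."""
    low, high = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if low > high:
        raise ValueError(f"range {first}-{last} is reversed")
    return low, high


def check_pool(pool):
    """Return (code, message) findings; an empty list means the plan passes."""
    findings = []
    # Pooled IP addresses must sit inside the network defined by gateway and netmask.
    network = ipaddress.ip_network(f"{pool['gateway']}/{pool['netmask']}", strict=False)
    low, high = _span(*pool["ip_range"])
    if low not in network or high not in network:
        findings.append(("ip-outside-network", f"{low}-{high} is not inside {network}"))
    # Addresses handed out by an existing DHCP server must be excluded from the pool.
    for first, last in pool["dhcp_server_ranges"]:
        d_low, d_high = _span(first, last)
        if low <= d_high and d_low <= high:
            findings.append(("ip-overlaps-dhcp", f"{low}-{high} overlaps {d_low}-{d_high}"))
    # Standard Mode rule from the guide. In Advanced Mode the IDs must also be
    # supported by the switches, which has to be checked with the network team.
    vlan_ids, default_vlan = pool["vlan_ids"], pool["default_vlan"]
    out_of_range = [v for v in vlan_ids if not 2 <= v <= 4094]
    if out_of_range:
        findings.append(("vlan-out-of-range", f"not in 2-4094: {out_of_range}"))
    if default_vlan in vlan_ids:
        findings.append(("vlan-default-pooled", f"Default VLAN {default_vlan} is pooled"))
    if len(set(vlan_ids)) != len(vlan_ids):
        findings.append(("vlan-duplicate", "a VLAN ID is listed more than once"))
    # One VLAN ID per virtual network for each planned deployment.
    needed = pool["networks_per_deployment"] * pool["planned_deployments"]
    usable = {v for v in vlan_ids if 2 <= v <= 4094 and v != default_vlan}
    if len(usable) < needed:
        findings.append(("vlan-too-few", f"{len(usable)} usable IDs, {needed} needed"))
    try:
        mac_block(pool["mac_first"], pool["mac_count"], pool.get("mac_oui", VMWARE_OUI))
    except ValueError as exc:
        findings.append(("mac-block-invalid", str(exc)))
    return findings


# Constructed sample plans (addresses and counts are illustrative only).
GOOD_POOL = {
    "gateway": "10.20.30.1", "netmask": "255.255.255.0",
    "ip_range": ("10.20.30.50", "10.20.30.99"),
    "dhcp_server_ranges": [("10.20.30.100", "10.20.30.200")],
    "vlan_ids": list(range(100, 120)), "default_vlan": 1,
    "networks_per_deployment": 2, "planned_deployments": 10,
    "mac_first": "00:50:56:10:00:00", "mac_count": 256,
}
BAD_POOL = {
    "gateway": "10.20.30.1", "netmask": "255.255.255.0",
    "ip_range": ("10.20.30.240", "10.20.31.10"),
    "dhcp_server_ranges": [("10.20.30.250", "10.20.30.254")],
    "vlan_ids": [1, 100, 100, 4095], "default_vlan": 1,
    "networks_per_deployment": 2, "planned_deployments": 5,
    "mac_first": "00:50:56:ff:ff:f0", "mac_count": 32,
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_POOL), ("bad", BAD_POOL)):
        print(label, check_pool(plan) or "no findings")
```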
The Templates directory can contain virtual machine images (virtual hard drives), physical server images, ISO files, and virtual configuration files. The Snapshots directory contains the individual undo or redo log files on which snapshots are based. The DeploymentActions directory contains files used for post-deployment actions (see Deployment Actions on page 289).

Cloud Automation Platform system libraries are managed by the Remote Server Manager (RSM), which requires that the library server is registered with the Cloud Automation Platform environment. For detailed instructions to register the host, refer to the online Help topic Registering a Remotely Managed Host.

Library location and file cache location directories can be on VMFS, CSV, or NFS volumes.

Note: Altiris physical server images are only supported in a library location that is managed by a Windows Agent, and must be in a local or remote SMB share (optionally configured with SMB credentials for security). Altiris physical server images cannot be accessed from a file cache location; i.e. any images created with Altiris will be provisioned directly from the library.

Note: For information about the supported library locations and file cache locations, and how to configure hosts for file access and library management, refer to Configuring Storage and Shared Access on page 190.

Hosts can access images directly from the system library when the library server is on either:

- An ESX host that supports NFS or VMFS. ESX hosts that use a library location on a SAN VMFS volume must be configured before installing Cloud Automation Platform. Refer to Using VMWare VMFS in a SAN-based Configuration on page 190.
- A Hyper-V host that accesses a CSV on a SAN.

Use the CAP web interface to define the system library location for the Cloud Automation Platform environment. In the CAP web interface, click Library in the Navigation pane on the left, and then in the Library Locations area click New. Cloud Automation Platform automatically creates Templates, snapshots, and DeploymentActions directories in the library root directory.

Note: As a best practice, Quest Software recommends that virtualization hosts with system library locations be pooled with less RAM or fewer effective processor units (EPUs) contributed to a pool. Using the library server to host VMs may negatively impact system performance and may need tuning to minimize resource conflicts.

As a best practice, when populating the system library, first copy the image files into the library root directory and then move the files into the Templates subdirectory. This prevents users from deploying an application configuration that references an image that is not fully copied.

To view the images in the system library, using the CAP web interface, click Images in the Navigation pane to the left. Click Re-Sync to view the most up-to-date list of files. If you have added files to the library, but they do not appear in the list, click Re-Sync. If files do not appear after Re-Sync, ensure that file permissions allow the RSM to access the files.

File Caches and File Cache Locations

A file cache is a logical collection of one or more file cache locations which can store files being used by a deployed application. File caches should be created before creating pools or assigning hosts to a pool (See Note below.) File caches can help with scalability and load balancing in your environment. For example, instead of having 50 deployments use the same base image from the same place, create multiple file caches (perhaps one per pool) and have duplicates of the image in each file cache location. This way, the image is accessed only by the hosts of a specific pool, instead of by all hosts in the environment.

Note: When creating a new file cache and subsequently associating that file cache with a pool, consider what type of hosts (ESX or Hyper-V) will access the locations of the file cache.
If the hosts are ESX, the file cache location must contain shared locations on either VMFS volumes or NFS-accessible directories. If the hosts are Hyper-V, the file cache locations must be located on a SAN-based CSV.

A file cache location is a physical area of storage to which base images are copied as part of deploying an image to a virtual machine. Any image file (.vhd, .vmdk, .iso, and so on) that is part of a server configuration might be copied to a file cache location when an application configuration is deployed.

The two types of Cloud Automation Platform file cache locations are dedicated and shared. All pooled hosts have a dedicated file cache location, which must be specified when the host is registered. When an application cannot be deployed by directly accessing its image files from a remote system library location, a location (dedicated or shared) in the file cache is used to store a copy of the image file while the application is deployed.

Using the CAP web interface, an administrator can also create or delete optional shared file cache locations, which are used to provide faster access by remote servers. Using shared file cache locations is recommended for any organization that has virtualization hosts some distance apart and where network time impacts the VM performance. If all shared file cache locations are full, VMs that require cached files will use the dedicated file cache location on the VM's host.

If you add a file cache location, make sure that the associated file cache is assigned to a resource pool. Otherwise, the file cache location will not be used. Using the CAP web interface, click Pools in the left pane, and then edit the pool to assign a file cache to a pool. The associated file cache is used for all deployments to that resource pool.

Note: A shared file cache location cannot be added to the same volume that already has a library location.

After the application configuration session finishes, the image and any other related files remain in the file cache location. When a file cache location reaches full capacity, the least recently used images and files are purged automatically when space is needed in that file cache location. If a cached image is connected to a VM, the file is considered in use and cannot be purged.
When a shared file cache location is deleted, all contents that are not being used in an active session are purged. However, in a dedicated file cache, the location is removed from the system only when the corresponding server is deleted.

Note: Altiris physical server images cannot be cached. Any images created with Altiris will always be provisioned directly from the library.
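The purge and fallback rules described above can be modelled in a few lines. This is an added example, not Cloud Automation Platform code: the class and function names, the sizes, and the reading of "full" as "no file can be purged because every cached file is connected to a VM" are assumptions made for illustration.

```python
from collections import OrderedDict


class CacheFull(Exception):
    """No space can be freed: every remaining file is connected to a VM."""


class FileCacheLocation:
    """Hypothetical model of one file cache location (shared or dedicated)."""

    def __init__(self, name, capacity_mb):
        self.name = name
        self.capacity_mb = capacity_mb
        self.files = OrderedDict()   # path -> size in MB, least recently used first
        self.attached = {}           # path -> number of VMs currently connected

    def used_mb(self):
        return sum(self.files.values())

    def attach(self, path, size_mb):
        """Connect a VM to `path`, caching it first if needed. Returns purged paths."""
        purged = []
        if path not in self.files:
            purged = self._make_room(size_mb)
            self.files[path] = size_mb
        self.files.move_to_end(path)             # now the most recently used file
        self.attached[path] = self.attached.get(path, 0) + 1
        return purged

    def detach(self, path):
        """Session finished: the file stays cached but may now be purged."""
        self.attached[path] -= 1
        if self.attached[path] == 0:
            del self.attached[path]

    def _make_room(self, size_mb):
        shortfall = self.used_mb() + size_mb - self.capacity_mb
        victims, freed = [], 0
        for path, size in self.files.items():    # walk from least recently used
            if freed >= shortfall:
                break
            if path in self.attached:            # in use, so it cannot be purged
                continue
            victims.append(path)
            freed += size
        if freed < shortfall:
            raise CacheFull(self.name)           # nothing is removed on failure
        for path in victims:
            del self.files[path]
        return victims

    def delete_location(self):
        """Deleting a shared location purges everything not in an active session."""
        purged = [p for p in self.files if p not in self.attached]
        for path in purged:
            del self.files[path]
        return purged


def cache_image(shared_locations, dedicated, path, size_mb):
    """Place an image: reuse an existing copy, else try the shared locations,
    else fall back to the dedicated location on the VM's host."""
    for loc in list(shared_locations) + [dedicated]:
        if path in loc.files:
            return loc.name, loc.attach(path, size_mb)
    for loc in shared_locations:
        try:
            return loc.name, loc.attach(path, size_mb)
        except CacheFull:
            continue
    return dedicated.name, dedicated.attach(path, size_mb)
```

An image that is still connected to a VM is never chosen as a purge victim, which is why a shared location can be "full" while holding idle-looking files that belong to running sessions.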

File Cache Location Types

Cloud Automation Platform supports two types of file cache locations:
- Dedicated file cache location
- Shared file cache location

A dedicated file cache location is created locally on a virtualization host. Depending on the host server, the dedicated file cache location is created in the following location:
- For Hyper-V hosts, the dedicated file cache location is created in: <drive>:\surgientdfcl.<#>
- For VMware ESX hosts, the dedicated file cache is created in the subdirectory under a vmfs volume: surgientdfcl.<#>

where # is the Cloud Automation Platform generated sequence number.

If no shared file cache location is defined when an application configuration is deployed with a method of Use File Cache, Cloud Automation Platform automatically creates a dedicated file cache location on each virtualization host used in the deployment. By default, the volume or drive with the most space available is used for the dedicated file cache location to support High Availability. The volume on which the dedicated file cache location is located can be selected by the user by editing the host properties.

If all shared file cache locations are full, then the host's dedicated file cache location is used. Also, there are certain image types, such as NAIL Server images, that must be accessed from a dedicated file cache location.

You can also create one or more shared cache locations. A shared cache location can reside on a volume on a CAP-managed server or a remote volume accessible from a CAP-managed server.

Note: A shared file cache location cannot be added to the same volume that already has a library location.

For CIFS remote volumes (supported only for Altiris), the directory hosting the cache location must exist, the location must be configured with the proper export path, and access privileges must be set up manually.

Note: Be aware of the following host requirements:
- For VMware ESX hosts, shared cache locations must be accessible using NFS or stored on a VMFS volume on a SAN.
- For ESX hosts that are added to a High Availability pool, the host's dedicated file cache location must be on a shared volume.
- For Hyper-V hosts, either the shared file cache location or the library location on the Clustered Shared Volume must be used. In addition, all VM home directories must be in a local directory. No UNC paths or CIFS-based locations can be used.

A single virtualization host can support multiple file cache locations if the locations are on different volumes. For instance, a single file cache might have multiple file cache locations that correspond with different volumes on a single NFS system. If the size of the location is not specified during creation, the entire volume will be used.

A shared cache location can be used by any virtualization hosts in the resource pool through network-attached storage, while a dedicated cache services a single host. For a shared file cache location to be used, at least one virtualization host in that pool must have direct access to the shared file cache location.

Virtualization Hosts

A virtualization host is the physical server on which the virtualization technology runs and on which virtual machines are created. It is the computer that hosts the VMs.

Before the Cloud Automation Platform environment can recognize a virtualization host, the host must be registered so that the Remote Server Manager can manage it. After the host is registered, a host displays as an available host resource in the CAP web interface. Assign the host to a resource pool to use it for deployments.
A host can belong to a single resource pool, or the resources of a host can be divided across multiple pools (excluding hosts that are added to a High Availability pool). A virtualization host can contribute RAM, maximum concurrent VM capability, and EPUs (Effective Processor Units) to the pool's available capacity. For example, a pool might contain 8 GB of RAM from virtualization host A and 10 GB of RAM from virtualization host B. Therefore the pool has the capacity to provide 18 GB of RAM. This capacity is used for the creation of VMs.

Note: Hosts that are assigned to a High Availability pool cannot divide their resources. For more information about using High Availability in Cloud Automation Platform, see Using High Availability with VMware vSphere on page 211.

Utility hosts, which are Hyper-V R2 hosts that require NAIL Servers for network translation, can contribute only RAM to a pool. For more information about utility hosts, see Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 37.

When a virtualization host is added to a resource pool, you specify the amount of each resource type that the host will contribute to the pool. For instance, if you know an application configuration is CPU-intensive, you might want to limit the maximum number of VMs that can be created on that host. In this case, even though enough RAM exists on the host to deploy additional VMs, limiting the number of VMs ensures that the system performs optimally. For more information, see Managing Virtualization Hosts on page 198.

Note: Since some RAM must be used to run services on the virtualization host, do not allocate all the RAM for VM utilization. However, you can contribute all of a single host's EPUs to the pool.

Before you add a host to a resource pool, you must edit the host details and specify the default network and the trunked network connections. ESX network connection names display in a drop-down list that includes all the physical network names followed by the NIC name. For High Availability pools, you must select distributed switches for the default and trunked network connections.
The default network connection setting ensures that VMs bind to the correct network adapter, usually one with external connectivity. For instance, if your physical machine has two network interface cards (NICs), but only one NIC port is used to connect application users through a firewall to the VM, specify that NIC port as the default network connection. Typically, the default network connection acts as a virtual layer 2 network switch that communicates to a network on a cabled physical NIC port. If the environment requires using NAIL Server in Advanced mode, a trunked network is also required.

Note: As a best practice, Quest Software recommends that virtualization hosts with system library locations be pooled with less RAM or fewer effective processor units (EPUs) contributed to a pool. Using the library server to host VMs may negatively impact system performance and may need tuning to minimize resource conflicts.

Virtual Machines

Each virtualization host can support several VMs running different guest operating systems. A VM appears to a session user as computer hardware and software that is completely dedicated to that user. In reality, a VM is a small portion of a virtualization host that is temporarily allocated to a session user.

Cloud Automation Platform automatically creates VMs as needed at deployment time. The number of VMs created is determined by the size of the smallest hardware profile. For instance, if you specify a host server that has 1024 MB of available RAM and the smallest hardware profile uses 256 MB of RAM, Cloud Automation Platform creates four VMs on the host.

Note: Remotely creating and deleting VMs directly on the host server using the virtualization software is not recommended. Use the CAP web interface to ensure that VMs are deployed and configured correctly.

When an application configuration is deployed to a resource pool, the existing VM or VMs are reconfigured to the specifications defined in the deployed hardware profile and image file. For more information about deployment, see Chapter 11, Deploying and Managing Sessions, on page 281.

You can change the number of VMs that can be created on a specific host server. For more information, see Virtualization Hosts on page 268.

You can monitor deployed VMs, or sessions, from the CAP web interface. For more information, see Managing Sessions on page

10 System Library Objects

This chapter details the objects that comprise the Cloud Automation Platform system library and describes the relationships between these components. The following topics are discussed in this chapter:
- Library Objects Overview on page 272
- Image Files on page 274
- Deployment Action Files on page 274
- Hardware Profiles on page 274
- Server Configurations on page 275
- Application Configurations on page 277
- Snapshots on page 278
- Catalogs on page 279
- Managing System Library Objects on page 279

Library Objects Overview

The system library serves as a logical repository for the CAP Core objects that are used for reserving resources for deployments to create a session. These objects define the list of resource requirements as well as how each object should be deployed and configured. Ultimately, the objects in the system library provide the ingredients and instructions to create a session.

Use the CAP web interface to create and manage the platform objects that are used for reserving resources for deployments. The system library includes the following platform objects:

Object | Description
Images | An image is a representation of a computer's disk drive, CD-ROM, floppy disk, or other storage device, plus any software installed when the image was created.
Deployment Action Files | A deployment actions file is a file, normally a script or other executable, that is selected to run on a CAP-deployed server, either immediately after a session starts or at any time during the session.
Hardware profiles | The definition of the RAM requirements, target hardware type (physical or virtual), CPU requirements, and required computing capacity.
Server configurations | All the resource requirements and file references needed to create a fully functioning server.
Application configurations | All the information needed to deploy a single session. One or more server configurations are grouped into an application configuration, optionally along with additional files such as deployment action files or material.
Catalogs | The classification mechanism for elements in the system library. Catalogs are solely for categorization.
Review templates | Review templates are used to enable users to convey their level of satisfaction with a session and summarize their overall experience. Users can only write reviews after completing a session.

The system library also acts as a physical repository for image files and snapshots, which is discussed in System Library Locations on page 263.

Note: Images, deployment action files, snapshots, and review templates display in the system library and are core ingredients in deployments. They are actual, physical files. In contrast, the other items in the system library are only relevant to the CAP Core.

Workflow Summary

The objects in the system library are building blocks for one another. To create the platform objects for your environment, perform the following steps:

1. Determine if Professional Services will provide images for your environment or if you will create them using the CAP web interface. For more information about images, see Chapter 8, Image Management, on page
2. If you will be creating images for your environment, create a blank disk application configuration. This type of application configuration automatically creates corresponding server configurations and enables you to create new images. For more information, see Creating New Images on page
3. Review the default hardware profiles and determine if the profiles meet your RAM requirements or if you must create new hardware profiles. For more information, see Hardware Profiles on page
4. After all the image files are created, prepared, and moved into the library, you are ready to build server configurations that reference a hardware profile and one or more image files. Then, build application configurations that reference one or more server configurations. Optionally, create review templates that an application configuration can reference, and attach one or more deployment action files to an application configuration. Finally, create a session from an application configuration, and deploy the session. For more information, see Server Configurations on page 275, Application Configurations on page 277, and Snapshots on page 278.

Image Files

Image files are representations of a computer's disk drive. Images can be manually copied into the system library or created using the CAP web interface.

Both virtual machine images and physical server images can be used in the Cloud Automation Platform environment. Virtual machine images are used to create the VMs in the environment. Physical server images are used to create server configurations that run on physical computers managed by certain physical provisioning systems.

Note: For more information about images, see Chapter 8, Image Management, on page 235. For important information about .vmdk file format and conversion, see Converting Hardware Versions for .vmdk Files on page 253.

Deployment Action Files

Deployment Actions Files are files, normally scripts of some type, that are selected to run on a Cloud Automation Platform environment immediately after a session starts. Deployment Actions Files are stored in the system library, and are added to the library using the CAP web interface.

Note: See Deployment Actions on page 289 for information about running deployment actions. Actions are run against a particular server configuration within an application configuration. The action is not persistently attached to the server configuration itself. The same server configuration may be used within a different application configuration and be deployed with a different action.

Hardware Profiles

Hardware profiles define the hardware requirements for individual server configurations. RAM, target hardware (physical or virtual), CPU requirements, and required computing capacity are specified in a hardware profile. The default hardware profile has 1 GB RAM. You can create additional hardware profiles if necessary. Typically, a system library contains only a few hardware profiles.

Server Configurations

A server configuration is a record of all the information and file references needed to create a fully functioning server. Server configurations include a hardware profile, networking information, at least one boot source (image or provisioning automation), as well as other configuration settings.

A server configuration includes the following information:

Boot source:
- Image: To create a new server configuration using an image, select Image from the Assign... drop-down list in the Boot Source area. Then select the primary image file. You can add additional files or images to a server configuration based on the number of drives the VM or physical computer requires. Available image types include Hyper-V virtual disk, ESX virtual disk, a physical server image, ISO image, and floppy image. To provide access to an ISO or floppy image, attach the ISO or floppy image as part of a server configuration. When the user starts the session, the image displays as a CD or floppy drive and the user can access the files on that drive. For instance, if a user needs to install new software, include the ISO file in the server configuration so he can access the CD drive and install the software.
- Provisioning Automation: A provisioned boot source, such as an HP Server Automation OS Sequence, can be used to create a server configuration. To create a new server configuration, select Provisioning Automation from the Assign... drop-down list in the Boot Source area. For more information about external provisioning, see External Provisioning with HP Server Automation on page 41.

After the boot source is selected, further configurations (based on the selected type of boot source) are defined, such as the mount point, the hardware profile, and the bus type.
Refer to the online Help for detailed information about the configuration settings.

Mount point: Each image is attached to the server configuration at a mount point. Available device types include IDE or SCSI.

Note: Cloud Automation Platform reserves mount point IDE 1:1 for VM management.

Associated hardware profile: A server configuration is linked to a hardware profile, which defines several hardware requirements (RAM, CPU, etc.) for the VM or physical computer. When a server configuration is created, a hardware profile must be specified.

Active Directory Registration Type: Specifies whether the server configuration will join an Active Directory domain. An Active Directory server must already be defined and enabled for at least one resource pool. If the exact computer account on the domain that the VM or physical computer needs to use does not matter, Dynamic is specified. If the VM will use a specific computer account on the domain, Selected is the appropriate choice. A computer account must already be defined in Cloud Automation Platform with the same name as the computer account known to the Active Directory server.

Bus type: For VMware ESX you must specify BusLogic, LsiLogicSAS, or LsiLogic or problems will result. Earlier versions of VMware use BusLogic, while newer versions use LsiLogic as the SCSI device type. To determine the bus type of your initial image template, in the VM's configuration file (.vmx), find the line that begins with scsi0.virtualDev and note the associated value. Alternatively, view the Disk Controller Type displayed in the VMware client.

Network Adaptors: This setting defines the number and types of network adaptors required by the server configuration.

Ethernet Device: Specifies whether the ethernet device is configured for NAIL 3 (use if network address translation is required), DHCP, or Static. When NAIL is selected, the IP address, the Subnet Mask, and the IP Address of the Gateway for each ethernet device must be specified. If the server configuration will be used in a VLAN-isolated DHCP network, you must create the network resource called DHCP network range.
NAIL enables several VMs to use a single image file that contains a static IP Address in it by providing each VM with a unique IP address, via network address translation (NAT). When using NAIL, a unique IP address is reserved when pooled computing capacity is reserved. For more information, see Duplicating Image Files on page 241.

Network Card Type: For VMware ESX, correct network card type selection prevents TCP/IP conflicts and image duplication errors. The vmxnet driver installs automatically with VMware and provides better networking performance. However, several other options are available; refer to your hypervisor's documentation for guidance.

Remote Access Configuration: Identifies which methods of remote access are available to users for each server configuration. Supported types include: RDP, Citrix, VNC, and the virtualization console. If you specify multiple remote access methods for a server configuration, an application user can then select the method with which to connect to the resource. For information about configuring universal remote access (URA) to enable communication from a remote computer to a Cloud Automation Platform VM, see Universal Remote Access on page 90. Use the Authentication Type to select the type of user authentication used by the server (VM or physical computer) and credentials, if required.

Ultimately, a server configuration is associated with an application configuration. Server configurations cannot be deployed directly to a physical host. They must be associated with an application configuration, which is then deployed as needed.

Application Configurations

An application configuration defines all the resources needed to create a single session. An application configuration includes the following information:

Properties: The basic information about the application configuration, including the name, description, default duration of a session deployed from this configuration, the deployment method (from where images will be provisioned), and whether or not the application configuration is locked.
Associated server configurations: One or more server configurations are grouped into an application configuration. Server configurations provide all the information and file references needed to create fully functioning VMs or deployed physical servers.

Session References: A session is an application user's session-specific reference to an application configuration. The session references area shows what sessions are using the application configuration.

Notes, Materials, and Catalogs: A session contains information such as notes, material, and reviews (Demo Solution only). An application configuration can be added to a specific catalog. Refer to the CAP web interface online Help for additional information.

When application configurations are deployed to resource pools, a VM or physical computer is provisioned for each server configuration associated with the application configuration.

Specifying Server Configuration Boot Order

If an application configuration contains multiple server configurations, you can specify the order in which the server configurations start. You can specify whether server configurations boot concurrently, serially, or use a mixture of both. For example, if your application configuration contains four server configurations, you can specify that the DHCP server configuration boots first and the server configuration that contains the domain controller boots second. You can assign the two remaining server configurations the same boot order number to start them concurrently. To do so, edit the application configuration, and set the boot order for each server configuration.

If no boot order is specified and multiple server configurations exist within the application configuration, the server configurations boot simultaneously.

Snapshots

A snapshot captures the changes that occur to a base image during a single user session. If the user chooses to save a snapshot, the undo file is saved to the Snapshots directory in the system library and is chained to the original base image.
For information about snapshots and image files, see Chapter 8, Image Management, on page

Using the CAP web interface, you can deploy a snapshot and its linked base image, delete a snapshot, promote a snapshot to a base image, and save a deployed application configuration as a snapshot. For details about each of these tasks, refer to the CAP web interface online help.

Catalogs

Catalogs serve as a classification tool for objects in the system library. Application configurations, server configurations, deployment action files, and image files can be included in catalogs.

Catalogs enable administrators to create categories for internal or public use. Entities can belong to multiple catalogs. For example, you might create three catalogs: Pending, Enterprise, and New Labs. The New Labs catalog might contain application configurations that also exist in the Enterprise catalog as well as application configurations that only exist in the New Labs catalog, while the Pending catalog might contain only application configurations that are not ready for release.

From within the CAP web interface, you can create catalogs and edit catalog content.

Managing System Library Objects

Using the CAP web interface, you can create, delete, edit and otherwise manage the system library objects. To view more information about specific library objects, click the object type in the Navigation pane to the left, and then click the name of the specific object that you want to manage. Review the properties and details about the object, and use the menu or buttons at the top of the page to manage the object.


11 Deploying and Managing Sessions

This chapter discusses reserving resources for deployments, including the prerequisites for deployment, and the provisioning, deployment, teardown, and re-deployment of sessions. Deploying sessions also involves file caching, managing deployed VMs and physical servers, and optionally customizing resource deployments and staging deployments in advance.

The following topics are discussed in this chapter:
- Prerequisites to Deployment on page 282
- Scheduling a Session Reservation on page 283
- Deploying a Session on page 284
- Deploying a Session As a Service on page 286
- Deploying a Session in Debug Mode on page 287
- Deploying a Session in Persistent Mode on page 288
- Reservations Requiring Approval on page 287
- Deployment Actions on page 289
- Managing Sessions on page 295

Prerequisites to Deployment

Before an application configuration can be deployed as an active session, perform the following steps:

1. Define the physical and network resources that will be used to create the environment. For more information, see Chapter 9, Physical and Network Resources, on page
2. Make sure the images that your sessions require are in the system library. For more information about images, see Chapter 8, Image Management, on page
3. Determine whether the default hardware profile values are adequate or create hardware profiles to meet your requirements for resource deployment. For more information, see Hardware Profiles on page
4. Create server configurations by grouping one or more images based on the number of drives the VM or deployed physical server requires. When the server configuration is created, it is linked to a hardware profile. For more information, see Server Configurations on page
5. Create an application configuration, which defines the resources needed to deploy a session and the server configurations to which it is linked. For more information, see Application Configurations on page
6. Create a session, which is based on a single application configuration, and might include materials and/or be shared with another user. For more information, see Snapshots on page 278.

A session can either be deployed as a standalone session, or it can be joined to other sessions to create a deployed service, in which multiple application configurations are joined and deployed simultaneously. For more information about deployed services, see Deploying a Session on page 284.

Typically, an application user schedules a session, which triggers resource deployment. For details about how to create and deploy a session, refer to the CAP web interface online Help.

Scheduling a Session Reservation

A session can be started immediately or scheduled for a specified time period in the future. A reservation is a set of pooled assets held for a specific amount of time for a specific user in a target resource pool. Using a date range, a target resource pool, and a session, the Cloud Automation Platform environment reserves the required host and network resources necessary to deploy the specified session. These assets are reserved for the specified date range.

A reservation links the following components and events:
- Resource pool: The container for the resources to be deployed and the link to the file cache of images.
- Reserved resources: The reservable, pooled computing assets that consist of network and physical resources such as RAM, host servers, and VMs. A reserved resource is a reservation for computing capacity. For more information about resources, see Chapter 9, Physical and Network Resources, on page 259.
- Scheduled deployment of the reserved resources: A scheduled deployment, or reservation, reserves system library objects, defines how the resources are configured, and defines how users can access the deployment remotely. For information about application configurations, sessions, and the system library, see Chapter 10, System Library Objects, on page 271.

Using the CAP web interface, you can create, view, change, or cancel session reservations. When you change or cancel a reservation that you did not create, the owner of the reservation is sent a notification.

To create a test deployment, use the CAP web interface to deploy a session. No application users have access to this deployment, but you can monitor the stages of the deployment. Any errors can be addressed before application users begin creating reservations.

If a scheduled session cannot occur as scheduled because of a resource issue, an event is logged.
Using event monitoring, you can address resource issues before a deployment is impacted in most cases. For details, see Monitoring Components Using Syslog on page 338.

Occasionally, you might want to reserve a resource without scheduling a deployment. You can schedule a maintenance window for a virtualization host or a physical computer to accomplish this. For details, see Performing Maintenance on Hosts on page 200.

Optionally, an administrator can configure a session to have a reservation expiration notice; when a session reaches a defined time before the end of the scheduled reservation, a notification is created. Refer to the online Help system for details about configuring reservation expiration notifications.

Deploying a Session

A session can be started immediately or scheduled for a specified time period in the future. The following section discusses the deployment of the session, whether scheduled or started immediately.

Before a session is deployed, Cloud Automation Platform checks the availability of virtualization host (or physical computer) resources for the total amount of time for which those resources are required. The required amount of time includes the length of the user's reservation plus any setup and teardown time. For instance, a session that runs for one hour might take 10 minutes to provision the resource and another 15 minutes to deprovision the resource. Therefore, the total amount of time that the resources are required is one hour and 25 minutes.

Note: The setup and teardown times affect the quota for reservation maximum duration. If the total time requirement exceeds the quota, the reservation cannot be scheduled. For details, see Quotas on page 316.

When a resource is reserved, a set of deployment directives defines how the resource is configured, and a set of remote access instructions defines how a user can access the scheduled resources.

By default, resource deployment is based on load balancing. For server configurations based on virtual machine images, the host with the greatest amount of available RAM is chosen at fulfillment time, which spreads VM load across the infrastructure. However, if a file cache location already has the appropriate image cached and a VM linked to that cache location with sufficient capacity is available, that VM is used.

For sessions using server configurations that are based on physical server images, a single physical computer is provisioned for each server configuration.

When a session is deployed, the assigned resource pool provides the virtualization host or physical computer and defines the file cache locations. Deployment configures a VM or physical computer for each server configuration associated with the application configuration. The associated images are copied to the file cache locations as necessary and are then attached to the available VMs or the designated physical computers. For instance, if a server configuration contains ISO files and hard drive files, both are copied to the file cache location when an application configuration is deployed and both are attached to the corresponding VM or physical computer.

The following figure shows the deployment workflow for a session with two server configurations.

[Figure 1: Deployment Workflow]

Later, when the same session is reserved, Cloud Automation Platform determines if the images stored in the file cache location have changed, indicating that new copies need to be provisioned from the system library.

You can monitor deployed VMs and deployed physical servers from the CAP web interface. Administrators can use the Sessions table to monitor and modify deployments. The table of sessions can be searched by name, or filtered to show only sessions owned by the user or all sessions. Additionally, a user can select to show only sessions with snapshots. For more information about other available commands, see Managing Sessions on page 295.

Deploying a Session As a Service

Cloud Automation Platform provides the ability to join multiple sessions (each based on a single application configuration) together to create a Service. By building a stack of related sessions, IT Operations and other organizations can use Services to create a single deployment that provides multiple, concurrent purposes. The individual sessions can still be deployed as a standalone session, or joined with other sessions to create a Service.

To specify that a session should be deployed as a Service, schedule the session (or an application configuration) and under Advanced Options, select Joinable Service as the Deployment Mode. Designating a session as a Joinable Service means that other sessions can be added to it to create a service. After the first session has been created as a joinable service, other sessions or application configurations are added to it by scheduling them and selecting Join Existing Service as the Deployment Mode.

For detailed instructions to schedule an application configuration or session as a Service, refer to the online Help.

Additional Considerations

- After a Service has been deployed, the Service can then be saved as a new application configuration. This new application configuration contains the full stack of all the server configurations included in each of the sessions deployed by the Service.
- When you schedule a session as a Joinable Service and the session (known as the base session) uses DHCP and a public broadcast network, you can specify the expected number of servers that can be joined to the base session to create a Service. This allows the system to reserve the required number of network resources for all the sessions that are included in the Service. Be aware that any joining services utilize the network resources that are reserved by the base session (Joinable Service); they do not have their own resources.

- When joining a session to an existing Service, be sure to select the name of the Service that you want to join. By default, the first Service created is shown in the To Service field.
- Any sessions that you join to the base session must use a network type that is also used by the base session. For example, if the base session uses DHCP for IP addresses, you can only add a DHCP session, but not a session that uses NAIL 3. However, if the base session contains two server configurations, one of which uses DHCP and the other NAIL 3, you can join either type of session to that base session.
- By default, the privileges to create a Service (DeployedService.Create) and delete a Service (DeployedService.Delete) are granted to the Admin privilege set, and thus to members of the Administrators group. Members of the Users group are by default granted the privilege DeployedService.Join, which allows the user to add a session to an existing Service.

Reservations Requiring Approval

Users who do not have the Self Service privilege set can request a reservation, but the session is not deployed until an administrator with the Reservation Approver privilege set grants approval.

In the CAP web interface, you can view all sessions that are waiting to be approved for deployment. In the left pane, click Pending Approvals. From the Reservations Pending Approval page, an administrator can approve or deny the reservation request.

For an overview about reservation approval, refer to the online Help topic About the Reservation Approval Process. For detailed information about creating users who require approval to deploy a session, refer to the online Help topic Creating a User without Self-Service Privileges.

Deploying a Session in Debug Mode

When scheduling a session, users with the required privileges can expand the Advanced Options and select Debug Mode under Deployment Options.

Using debug mode sets the deployment automation to allow deployment even if there are VM (or physical server) start failures and Quest CAP Agent check-in failures. Neither of those conditions will cause the reservation to be canceled or any de-provisioning actions to take place. However, if either of these conditions exists for a VM or physical server within the deployment, both the server and session are shown to be in the state Available with Errors rather than Available.

Once a session is deployed in debug mode, that session will by default continue to deploy in Debug Mode, unless the option is deselected.

Note: Debug mode is not available for Training Labs.

For detailed instructions to implement Debug mode, refer to the online Help.

Deploying a Session in Persistent Mode

Certain types of sessions can be very read/write intensive, and long-running sessions can sometimes create large redo files, or differencing disks, which are expensive both in storage and read/write activity. Cloud Automation Platform offers the deployment option of running the session in persistent mode.

When running in persistent mode, a session does not use a redo file to store changes made during the session to the base image. Instead, a copy of the base image is made at deployment time, and changes made during the session are written to that copy, instead of to a redo file.

For detailed instructions to implement persistent mode, refer to the online Help.

Important considerations:

- The default mode for new server configurations made from an empty boot disk is persistent mode, and the default for a non-empty boot disk is to use a redo file. With non-empty disks, the mode is inherited by the new server configuration.
- An administrator can override the default mode by editing the settings for the server configuration from the application configuration edit page.
- VMs running in persistent mode support the same set of operations as VMs running with a difference disk: snapshots, promote, etc.

Deployment Actions

A Deployment Action is a file, normally a script of some type, or an externally defined job, such as an Altiris job, that is associated with a specific server configuration and then run on the VM or deployed physical server either immediately after a session starts, or when manually selected to run.

Three different types of deployment actions are supported:

- Guest Agent Actions
- HP Server Automation Policies (Audit, Patch, and Software)
- Altiris Deployment Server Jobs

Deployment Action files are stored in the system library, and are added to the library using the CAP web interface.

Actions are run against a particular server configuration within an application configuration. The action is not persistently attached to the server configuration itself. The same server configuration may be used within a different application configuration and be deployed with a different action or with no action. Guest agent actions can only be executed on server configurations (VM or physical) that have a guest agent installed.

Results of an action are collected and saved with the session; each server configuration stores the results of whichever deployment action was run on it. To view the results, open the Sessions table, and then click the blue menu icon beside the name of the session for which you want to view deployment actions. From the menu list, select View Deployment Actions.

When the deployment action is added to the application configuration, the Run Mode is selected. The Run Once mode causes the deployment action to run only the first time that the session starts. Run Always causes the deployment action to run every time that a session using the server starts. The Manual mode allows you to later choose whether and when to run the deployment action on an active session, using the Run Deployment Action process.

Note: The manual process of running a deployment action can be used no matter which Run Mode was selected when the deployment action was originally added. For example, you might select Run Always mode when you add the action, meaning that the action will run every time that the session starts, but also run the action manually multiple times during the session.

Running Deployment Actions

Note: Refer to the online Help for additional information about using deployment actions.

The method for manually running a deployment action is the same for a guest agent action, an HP Server Automation action, or an Altiris job. However, the configuration and prerequisites for each are different.

To run a guest agent action, the following steps must have been already accomplished:

1. Add a deployment action file to the system library.
2. Add a deployment action to an application configuration that contains the server configuration against which you want to run the deployment action.
3. Start the session of the application configuration containing the deployment action.

Before running an HP Server Automation action, verify that the required setup steps have been already accomplished. See About Running HP Server Automation Policies on page 292 for more detailed information.

Before running an Altiris Deployment Server Job, verify that the required setup steps have been already accomplished. See About Running Altiris Jobs on page 294 for more information.

When the deployment action is initially added to the application configuration, the Run Mode is selected. The Run Once mode causes the deployment action to run only the first time that the session starts. Run Always causes the deployment action to run every time that a session using the server configuration starts. The Manual mode allows you to later choose whether and when to run the deployment action on an active session, using the Run Deployment Action process described below.

Note: The manual process of running a deployment action can be used no matter which Run Mode was selected when the deployment action was originally added. For example, you might select Run Always mode when you add the action, meaning that the action will run every time that the session starts, and then you can also run the action manually multiple times during the session.

To run a deployment action on a server in an active session, perform the following steps:

1. In the left pane, click Sessions. The table of existing sessions appears.
2. In the table in the right pane, click the name of the active session that contains the server configuration against which you want to run the deployment action. The session must have been started and be in an Available state to run a deployment action on it.
3. On the Sessions Details page, click Run Actions. The Run Session Actions page appears.
4. On the Run Session Actions page, in the Deployment Actions area, click Run All Actions. If there are multiple servers in the session with actions, you can select each server individually or run all actions.

About Running HP Server Automation Policies

Cloud Automation Platform integration with HP Server Automation allows you to run HP-SA Software, Audit, and Patch policies against sessions in the Cloud Automation Platform environment.

For specific instructions to run an HP Server Automation policy against a VM in the Cloud Automation Platform environment, see Adding a Deployment Action and Running a Deployment Action.

Important Considerations

- The HP Server Automation core server must be configured to enable automatic installation of the HP Server Agent on the HP Server Automation core server when an HP Server Automation policy is run. The HP Server Agent is automatically removed from the core server when the session is finished. See Configuring HP Server Automation Core Server on page 293.
- A Quest CAP Guest Agent must be installed on the VM against which the HP SA policy is run.
- There is no option to stop an HP SA policy once it has started.
- The guest operating system of the server configuration to which the policy is associated must be supported by HP SA.

To run an HP Server Automation action, the following steps must have been already accomplished:

1. In the HP-SA environment, create the appropriate Policy (Software, Patch, or Audit Policy).
2. (Audit Policy only) Create an HP-SA Archived Snapshot to serve as the source against which to compare the target server (Cloud Automation Platform VM or physical computer). The name of the Audit Policy must match exactly the name of the Audit Policy, with the prefix "Audit Source:".
3. In the CAP web interface, register your HP Server Automation as a Partner Extension. Refer to the online Help for exact directions.
4. In the CAP web interface, add the policy (as a deployment action) to an application configuration that contains the server configuration against which you want to run the deployment action. Refer to the online Help for exact directions.
5. Start the session of the application configuration containing the deployment action. Refer to the online Help for exact directions.

Configuring HP Server Automation Core Server

To run an HP Server Automation policy, configure the HP Server Automation core server to enable automatic installation of the HP Server Agent on the core server.

To enable automated installation, the location on the SA Core that contains the Server Agent installers needs to be made available in read-only fashion over both NFS and CIFS. This is accomplished by modifying the SAMBA configuration, the NFS configuration, and making the installers themselves executable.

1. On the HP SA core server, export /var/opt/opsware/agent_installers via CIFS:

   A. Add the following to /etc/opt/opsware/samba/smb.conf:

      [hpsa-installers]
      path = /var/opt/opsware/agent_installers
      read only = yes

   B. Restart the Samba services:

      /opt/opsware/samba/sbin/samba restart

2. Export the same directory via NFS using the following command on the HP SA Core server.

   A. Add the following line to /etc/exports:

      /var/opt/opsware/agent_installers *(ro)

   B. Restart the NFS services:

      /etc/init.d/nfs restart

3. Make the installers executable:

      chmod +x /var/opt/opsware/agent_installers/*
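The /etc/exports line in step 2 uses the client specification *, which offers the installer directory to every host that can reach the NFS service, and the share stanza in step 1 as printed sets no hosts allow restriction. The following shell check is an added example, not part of the Quest or HP documentation: it flags export entries that are open to any client or writable, and shares that are not read-only or not host-restricted. The subnet 192.0.2.0/24 and all sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the NFS export and Samba share from steps 1 and 2.
# The subnet 192.0.2.0/24 and every sample file below are constructed.

INSTALLER_DIR=/var/opt/opsware/agent_installers

# audit_exports FILE DIR
# Reads exports(5)-style lines. For each client entry that exports DIR, prints
# "WILDCARD <entry>" when the client is "*" or empty (any host) and
# "WRITABLE <entry>" when the options include rw. Returns 1 on any finding.
audit_exports() {
    awk -v dir="$2" '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || NF == 0 { next }
        $1 == dir {
            for (i = 2; i <= NF; i++) {
                host = $i; sub(/\(.*/, "", host)
                opts = ""
                if (match($i, /\(.*\)/)) opts = substr($i, RSTART + 1, RLENGTH - 2)
                if (host == "" || host == "*") { print "WILDCARD " $i; bad = 1 }
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "rw") { print "WRITABLE " $i; bad = 1 }
            }
        }
        END { exit bad }
    ' "$1"
}

# audit_smb_share FILE SHARE
# Prints "NOT_READONLY" unless the share stanza sets "read only = yes", and
# "NO_HOSTS_ALLOW" unless the share or [global] sets "hosts allow".
# Synonyms such as "writeable" or "allow hosts" are not interpreted.
# Returns 1 on any finding.
audit_smb_share() {
    awk -v share="$2" '
        BEGIN { ro = 0; allow = 0; bad = 0; want = tolower(share) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); sec = tolower(sec); next
        }
        sec == want || sec == "global" {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key)
            if (key == "hosts allow" && val != "") allow = 1
            if (sec == want && key == "read only" && tolower(val) == "yes") ro = 1
        }
        END {
            if (!ro)    { print "NOT_READONLY";   bad = 1 }
            if (!allow) { print "NO_HOSTS_ALLOW"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# report LABEL COMMAND...: run a check and print its findings on one line.
report() {
    label=$1; shift
    if out=$("$@"); then
        echo "$label: no findings"
    else
        echo "$label: $(echo "$out" | tr '\n' ' ')"
    fi
}

# Constructed sample inputs: the settings as documented, then scoped variants.
WORK=$(mktemp -d)
printf '%s\n' "$INSTALLER_DIR *(ro)" > "$WORK/exports.documented"
printf '%s\n' "$INSTALLER_DIR 192.0.2.0/24(ro,root_squash)" > "$WORK/exports.scoped"
cat > "$WORK/smb.documented" <<EOF
[hpsa-installers]
path = $INSTALLER_DIR
read only = yes
EOF
cat > "$WORK/smb.scoped" <<EOF
[hpsa-installers]
path = $INSTALLER_DIR
read only = yes
hosts allow = 192.0.2.0/24
EOF

report "exports as documented" audit_exports "$WORK/exports.documented" "$INSTALLER_DIR"
report "exports scoped"        audit_exports "$WORK/exports.scoped" "$INSTALLER_DIR"
report "share as documented"   audit_smb_share "$WORK/smb.documented" hpsa-installers
report "share scoped"          audit_smb_share "$WORK/smb.scoped" hpsa-installers
rm -rf "$WORK"
```

Replace the constructed subnet with the network that the deployed VMs and physical computers actually use before adopting the scoped forms.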

About Running Altiris Jobs

Cloud Automation Platform integration with Symantec Altiris Deployment Solution allows you to run Altiris jobs against sessions in the Cloud Automation Platform environment.

For specific instructions to run an Altiris job against a VM in the Cloud Automation Platform environment, see the online Help topics Adding a Deployment Action and Running a Deployment Action.

Important Considerations

- The Altiris Deployment server agent must be installed on the VM against which the Altiris Job is run.
- A Guest Agent is not required to be installed on the VM against which the Altiris Job is run.
- Cloud Automation Platform Administrators must have full access to all Altiris Jobs and to the Altiris Deployment Server.

Before running an Altiris Deployment Server Job, the following steps must have been already accomplished:

1. Verify that the Altiris Deployment Server agent is installed and running on the Altiris server.
2. On the Altiris Deployment Server, create the Altiris Job(s).
3. In the CAP web interface, add the job (as a deployment action) to an application configuration that contains the server configuration against which you want to run the deployment action.
4. Start the session of the application configuration containing the deployment action.

Managing Sessions

You can manage the resources for a scheduled deployment before and during session deployment. Using the Sessions table in the CAP web interface, you can view, modify, and cancel unscheduled, pending and deployed sessions. Refer to the CAP web interface online Help for exact instructions for each of these tasks.

You can perform the following commands for every server configuration or for a specific server configuration in a session. Some of these tasks can only be performed on an active session, using the Session Commands menu on the Sessions Details page.

- Edit: Edit the details of the session.
- Delete: Delete the session.
- Cancel Reservation: Cancels the reservation.
- Schedule: Schedule when the session should deploy.
- Start Now: Starts the session immediately, if the required resources are available.
- Duplicate: A user to whom a session is shared can duplicate, or make a copy of, a session, thereby creating a version of that session for which they are the owner.
- Promote: When you promote a snapshot, a new application configuration, server configuration, and image file are created based on the existing snapshot.
- View Deployment Actions: Any deployment actions that are associated with a server configuration in the session can be viewed.
- Run Deployment Actions: Runs any deployment actions that are associated with a server configuration in the session.
- View Resource Utilization: The Resource Utilization dialog box displays the list of Asset Types (MAC Address, IP Address, RAM, Virtual Machine, etc.), the Server Configuration that contains the asset, the Amount of each asset, and the Source of the asset.
- Extend: Extends the reservation deployment time.

- Rollback: Discards the changes made to an image and returns the VM to its last saved image state.
- Snapshot: Saves the current state of all VMs in a session so you can restore the VMs to the state preserved in that snapshot.
- Save as: Saves a new application configuration, server configuration, and image based on the currently deployed VM.
- Suspend all / Suspend: Saves the current state of all VMs or a specific VM temporarily, so you can continue work later from the same state. You cannot restore a VM using this command. Use the Suspend command in combination with the Run command.
- Stop all / Stop: Stops all the VMs or a specific VM.
- Run: Starts all the VMs that were stopped or suspended.

Additional available actions for a specific VM include:

- Restart: Restarts a VM that is currently running.
- Change RAM: Changes the amount of RAM allocated to a VM after an application configuration is deployed. Note: A VM must be stopped before you can change its RAM allocation.
- Attach media: Attaches a CD-ROM, DVD, or ISO device to a deployed VM.
- Console / RDP / VNC / Citrix: Connects to a remote desktop session for the selected VM.

12 Access Control

This chapter explains the components that govern access control within the Cloud Automation Platform environment and changes that can be made to access control using the CAP web interface.

The following topics are discussed in this chapter:

- Overview
- Privileges
- Privilege Sets
- Groups
- Users
- Manually Changing Access to Objects

Overview

Cloud Automation Platform uses the access control list (ACL) model to enforce access control. As a result, access control governs almost every object in the Cloud Automation Platform.

Cloud Automation Platform assigns privilege sets to user groups to provide access control. Access control dictates which groups can create, delete, view, or edit content. Access control combines the following elements:

- Privileges: A privilege is the basic unit in access control. For instance, create account is a privilege.
- Privilege sets: A privilege set is a collection of privileges, which can be assigned to a group or user.
- Groups: A group combines user accounts in a single collection. A group is assigned a privilege set, which dictates the objects to which the group has access.
- Users: A user account belongs to a group and inherits access control from that group. A user also has direct privileges on any object that he creates.
- Access control objects: An access control object is a Cloud Automation Platform object (for example, an image or a server configuration) on which a privilege can be granted. A user or a group can be granted privileges directly for a specific object.

A group's access rights are determined by the privilege set assigned to it and the objects on which the privileges act. Additionally, privilege sets can be assigned for a specific object; you can select certain users or groups (and define their privilege sets) that have privileges on the object.

The following graphic illustrates the relationship between users, a group, privilege set, and an access control object. In this example, the Users group is assigned the user privilege set and then acts on the application configuration access control object.

[Figure 1: Relationships Between a Group, Privilege Set, and Access Controlled Object. Group: Users (Sue Normal, John Quo, Trent Smith). Privilege set: User (privileges AppConfig.View, AppSession.View). Access controlled object: Application configuration.]

Typically, the Cloud Automation Platform environment uses organization-wide access control. Groups provide a method for easily assigning default behavior. A user who belongs to the Users group has the User privilege set on every object in the organization. However, occasionally you may want to grant access control on a specific object basis. For more information, see Manually Changing Access to Objects on page 307.

Access control is closely aligned with organizations and user management. Those concepts are discussed in detail in the following chapter, Chapter 13, User Management, on page 309.

Privileges

A privilege is the basic unit in access control. Privileges are defined by Cloud Automation Platform and are enforced in the Cloud Automation Platform code. Privileges are associated with a privilege set. A platform administrator can associate privileges with a privilege set, but he cannot create new privileges.

Each privilege is linked to a specific type of object. For example, for the Catalog object, there are privileges such as Catalog.Create, Catalog.Delete, Catalog.Edit, and Catalog.View. In general, privileges for access control objects are of the following types:

- View: A user can view an access control object and run reports that include data from this object.
- Edit: A user can view an access control object and change settings that include this object.
- Create: A user can create the specified access control object within his organization.
- Delete: A user can delete the specified access control object.
- Use: A user can use image files from the file cache or resources in a resource pool.
- Manage: A user can manage a range of IP addresses, MAC addresses, or virtual network addresses for a resource pool.
- Execute: A user can execute agent and script commands.

To view the privileges assigned to a privilege set, click Settings in the left pane (the Navigation pane) of the CAP web interface. Click the blue menu icon beside the name of the privilege set and then select Edit.

Privilege Sets

Privilege sets are a collection of privileges that are assigned to groups or user accounts. Privilege sets group similar privileges to provide a single unit to assign to a group or user, which simplifies access control management.

The default Cloud Automation Platform privilege sets include:

- Platform administrator: Users with this privilege set can create, view, edit, delete, and access all portions of the Cloud Automation Platform environment.

- Administrator: Groups with this privilege set can create, view, and modify access-controlled objects within their organization. Users who require the administrator privilege set generally include sales engineer administrators, technical instructors, and test administrators. Members of the Administrators group are assigned this privilege set by default.
- Suborganization administrator: Users with this privilege set can modify child organization quotas and delete organizations. Users can also view information about all parent organizations by default. This privilege set is used in combination with other privilege sets and is automatically assigned to users who create child organizations and to members of the Administrators group.
- User: Groups with this privilege set typically include Training, Demo, or QA/Test Solution users (sales engineers, instructors, or testers) who require scheduling privileges. Members of the User group are assigned this privilege set by default.
- Restricted: Groups with this privilege set typically include evaluation users and students who require view-only privileges. Members of the Restricted group are assigned this privilege set by default.
- Report Viewer: Groups with this privilege can review reports created from the Cloud Automation Platform reporting database.
- Reservation Approver: Partial role granted to users that approve or deny reservation requests.
- Self Service User: Partial role granted to users that are allowed to deploy sessions without approval. Refer to the online Help topic About the Reservation Approval Process for detailed information.
- Session Viewer: Groups with this privilege set include evaluation users and students who require view-only privileges for sessions. This privilege set is used in combination with the Restricted privilege set and is automatically assigned to users who require view-only privileges for sessions. This privilege set enables users to view a session and its deployment.

Although the default privilege sets are sufficient for most environments, privilege sets can be edited and customized if necessary. Only a platform administrator can modify the privileges associated with privilege sets. Any changes made to a privilege set affect all the groups that use that privilege set. A platform administrator can also delete default privilege sets, but it is not recommended.

A platform administrator can add a new privilege set or duplicate an existing privilege set. When a privilege set is created, it has no privileges. They must be assigned manually. When a privilege set is duplicated, it is based on an existing privilege set and its privileges. For example, to create a privilege set that uses nearly the same privileges as the user privilege set, duplicate the user privilege set and then add or remove privileges to modify the new privilege set.

The easiest way to change a specific user's privilege set is to change the user's group assignment. You can remove a user from one group and assign the user to another group, which changes the user's privilege set. Alternatively, you can modify the objects to which the user has access. For more information, see Chapter 12, Manually Changing Access to Objects.

317 Groups A group combines user accounts in a single collection. Groups are assigned a default privilege set which determines the level of access group members have to objects within their organization. When you add a user to a group, the user inherits the privilege set assigned to that group. The default Cloud Automation Platform groups include: 12 Access Control Administrators Users who require Administrator group membership generally include sales engineer administrators, technical instructors, test administrators, and organization managers. The administrator privilege set is automatically assigned to all members of the Administrators group. Users Typically, users who are sales engineers, instructors, or testers belong to the Users group. The user privilege set is automatically assigned to all members of the Users group. Restricted Users Typically, all demo users, evaluation users, and students belong to this group. The restricted user privilege set is automatically assigned to all members of the Restricted User group. Note: Be aware that all new users are added by default to the Internal organization s Restricted User group. This group has the Self Service privilege set, so users of the group have, by default, the ability to start or schedule any session to which they have access. For detailed information about creating users who do not have the Self Service privilege set, refer to the online Help topic Creating a User without Self-Service Privileges. Whenever an organization is created, the preceding groups are automatically added to the organization. When a group belongs to a child organization, the organization name displays before the default group name. For instance, the group names for the Training organization are Training Administrators, Training Users, and Training Restricted Users. For more information about organizations, see Organizations on page 310. Group membership is determined when a user account is created. 
When a user account is created in the CAP web interface, you either select a group or, if you save the new user without selecting a group, one is automatically assigned based on the user's persona. For instance, if the user account is assigned the Instructor persona, the account is assigned to the Users group. For more information about personas, see Personas on page 319.

When a user self-registers using an application, a group is automatically assigned to the user account based on the organization default value. In most cases, the default group for an organization is the Restricted Users group. Using the CAP web interface, you can change a user's group membership if necessary.

Creating Groups

Note: The information in this section is only relevant if you want to customize the default access control settings for an application. Typically, the default groups are the only groups an organization requires.

Create groups to easily distribute custom access control to specific users. For instance, you might add a user to multiple groups so the user inherits access to the privilege set closest to his needs and then inherits an additional group assignment with the custom access that he requires. For instance, if you create a Reporting group to enable specific users to run reports, you might assign those users to the default Users group also. Since the Reporting group members only inherit access to reports, the users also require the Users group membership.

In the following graphic, a member of the Users group also belongs to the Reporting group. The Reporting group has a custom privilege set, Reporting, which provides access to additional reporting privileges.

[Figure 2: Example of a Group with a Custom Privilege Set. Group Users (Tim Sill, Mary Brown, Gus Noun) has privilege set Users on the access controlled objects Reviews, Files, Accounts, and Pools. Group Reporting (Tim Sill) has privilege set Reporting on the access controlled object Reports.]

Using the CAP web interface, you can create groups. When you create a group, specify one of the following default access behaviors:

- Automatic: The group's assigned privilege set is automatically assigned to newly created objects, which gives group members immediate access to new objects.
- Manual: The group must be manually assigned to each newly created object. Therefore, members of the group have no access to objects until you manually change access permissions for the objects. For more information, see Manually Changing Access to Objects on page 307.

If you select the Automatic option, you must then select one or more default privilege sets on newly created objects for each organization.

Access control is not retroactive. If a group's privilege set is modified after objects have been created, you must manually edit the permissions on existing objects to include the group. For instance, if you create several application configurations, members of the Administrators group automatically have access to those objects. If you modify the Users group privilege set to include application configuration privileges, you must manually edit permissions on existing application configurations to include the Users group. Any new application configurations automatically include the Users group as a permitted group.

Users

A user's access to and permissions on objects are controlled by the user's group membership. Users belong to one or more groups, which have been granted access to objects in the environment. The privilege set assigned to the group dictates the permissions that group members have on these objects.

Users have additional privileges on objects that they create, known as account-owned objects. The owner is given an explicit administrator privilege set on these objects, in addition to the privilege set assigned to the user's group. For instance, snapshots and reviews are owned by the user who creates them. If that user's group membership changes, the user can still view, use, and manage the objects that he created even after being moved to a different group with a different privilege set. For more information about privilege sets, see Privilege Sets on page 300.

The following graphic shows an example of account owned objects associated with a single user account. Tim belongs to the Users group and has the user privilege set on all access control objects in the Cloud Automation Platform. Tim has administrator privileges on the snapshots that he creates. Other members of the Users group have the user privilege set on the objects that Tim creates.

[Figure 3: Example of User Access Control Privileges. Group Users (Tim Sill, Mary Brown, Gus Noun) has privilege set User on the access controlled objects Accounts, Snapshots, and Reviews. Tim Sill has privilege set Admin on his account owned objects (Snapshot...n).]

For more information about a user's access to and permissions on objects, see Groups.

Manually Changing Access to Objects

Using the CAP web interface, you can manually assign groups or users access to individual objects including:

- Hardware profiles
- Server configurations
- Application configurations
- Catalogs
- Images and files
- Resource pools
- Network resources
- File caches
- Organizations
- Groups
- Users
- Reports

Optionally, you can also change a group's privilege set on those objects. For details on how to change access permissions for a specific object, refer to the CAP web interface online help.

In the following graphic, a Users group is assigned the administrator privilege set, which is then applied to the specific application configuration selected in the system library. For instance, if a group is assigned the default user privilege set, but needs additional privileges to create, edit, and delete a specific application configuration, the administrator privilege set must be associated with that group for that application configuration. The privilege set assignment and object access enables a group to perform the task.

[Figure 4: Relationships Between a Group, Privilege Set, and Library Object. The Users group is assigned the Administrator privilege set, which is applied to an individual application configuration.]
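The access rules described in this chapter (automatic versus manual default access, non-retroactive access control, per-object privilege set changes, and owner privileges on account-owned objects) are modelled below in Python. This is an added example, not Cloud Automation Platform code: the class names, the action names, and the `acl_gaps` audit helper are assumptions made for the illustration, and the scenario data is constructed.

```python
from dataclasses import dataclass, field

OWNER_SET = "administrator"   # privilege set an owner gets on objects they create

@dataclass
class Group:
    name: str
    privilege_set: str        # name of the group's assigned privilege set
    default_access: str       # "automatic" or "manual"
    members: set = field(default_factory=set)

@dataclass
class ManagedObject:
    name: str
    kind: str                 # e.g. "app_config", "snapshot" (hypothetical kinds)
    owner: str = ""
    acl: dict = field(default_factory=dict)   # group name -> privilege set name

class Organization:
    def __init__(self, privilege_sets):
        # privilege set name -> {object kind: set of allowed actions}
        self.privilege_sets = privilege_sets
        self.groups, self.objects = {}, {}

    def add_group(self, name, privilege_set, default_access, members=()):
        self.groups[name] = Group(name, privilege_set, default_access, set(members))

    def _covers(self, group, kind):
        return bool(self.privilege_sets[group.privilege_set].get(kind))

    def create_object(self, name, kind, owner=""):
        """Stamp the ACL once, at creation time, from the automatic groups."""
        obj = ManagedObject(name, kind, owner)
        for group in self.groups.values():
            if group.default_access == "automatic" and self._covers(group, kind):
                obj.acl[group.name] = group.privilege_set
        self.objects[name] = obj
        return obj

    def grant(self, obj_name, group_name, privilege_set=None):
        """Manual access change, optionally with a different privilege set."""
        chosen = privilege_set or self.groups[group_name].privilege_set
        self.objects[obj_name].acl[group_name] = chosen

    def actions(self, user, obj_name):
        """Effective actions: union of group grants plus owner privileges."""
        obj = self.objects[obj_name]
        allowed = set()
        for group_name, pset in obj.acl.items():
            if user in self.groups[group_name].members:
                allowed |= self.privilege_sets[pset].get(obj.kind, set())
        if user and user == obj.owner:
            allowed |= self.privilege_sets[OWNER_SET].get(obj.kind, set())
        return allowed

    def acl_gaps(self):
        """Existing objects an automatic group would get today but is missing from."""
        return sorted(
            (obj.name, group.name)
            for obj in self.objects.values()
            for group in self.groups.values()
            if group.default_access == "automatic"
            and self._covers(group, obj.kind)
            and group.name not in obj.acl
        )

def demo():
    """Constructed scenario using the user names from the figures in this chapter."""
    full = {"view", "edit", "delete"}
    psets = {
        "administrator": {"app_config": set(full), "snapshot": set(full)},
        "user": {"snapshot": {"view"}},
        "restricted user": {},
    }
    org = Organization(psets)
    org.add_group("Administrators", "administrator", "automatic", {"chris"})
    org.add_group("Users", "user", "automatic", {"tim", "mary"})
    org.add_group("Restricted Users", "restricted user", "manual")
    out = {}
    org.create_object("web-demo", "app_config")      # created before the change
    psets["user"]["app_config"] = {"view"}           # user privilege set modified
    org.create_object("db-demo", "app_config")       # created after the change
    out["old_object"] = org.actions("tim", "web-demo")
    out["new_object"] = org.actions("tim", "db-demo")
    out["gaps"] = org.acl_gaps()                     # what must be fixed by hand
    org.grant("web-demo", "Users")                   # the manual edit
    out["old_object_fixed"] = org.actions("tim", "web-demo")
    org.grant("db-demo", "Users", "administrator")   # per-object privilege set
    out["override"] = org.actions("mary", "db-demo")
    out["no_override"] = org.actions("mary", "web-demo")
    org.create_object("snap-1", "snapshot", owner="tim")
    org.groups["Users"].members.discard("tim")       # Tim changes group
    org.groups["Restricted Users"].members.add("tim")
    out["owner_after_move"] = org.actions("tim", "snap-1")
    out["peer"] = org.actions("mary", "snap-1")
    return out
```

The `gaps` result is the review list an administrator needs after widening a privilege set, and `owner_after_move` shows why moving a user to a more restricted group does not by itself revoke access to objects that user created.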

13 User Management

This chapter explains the components involved in managing user accounts including organizations, user accounts, user groups, quotas, and personas.

In the Cloud Automation Platform environment, user management is linked to access control. Before you create an organization or add users to an organization, make sure the access control that your environment requires is in place. For more information about privilege sets, user groups, and access control, see Access Control on page 297.

- Organizations on page 310
- Creating User Accounts on page 314
- Creating Groups on page 315
- Quotas on page 316
- Personas on page 319
- Authentication Methods on page 330

Organizations

An organization is a collection of users and objects with a common business objective. The objects that belong to an organization include:

- Child organizations: When an organization adds a suborganization, that child organization belongs to the parent organization.
- User groups: When an organization is created, it is automatically populated with default groups. These groups belong to the organization. For more information, see Creating Groups on page 315.
- User accounts: A user account belongs to the organization in which it is created.
- Cloud Automation Platform objects: When a Cloud Automation Platform object (application configuration, server configuration, hardware profile, and so on) is added, it belongs to the organization in which it is created.

Organizations dictate the user experience, set limits on capacity, and facilitate reporting. Organizations also provide a way to capture product customizations in clearly labeled files and directories.

For example, if your company provides self-paced training and instructor-led training using the Training Solution, you can set up two organizations, one for the self-paced training, and another for the instructor-led training. Then, you can define the appropriate quotas for each organization. For instance, you can set the maximum number of user accounts for the self-paced training class to 25 and the maximum number of user accounts for the instructor-led training to 10. Using Cloud Automation Platform reports, you can review data about each organization. For details about reports, see Chapter 15, Reports, on page 341.

The Cloud Automation Platform environment supports hierarchical organizations. You can create as many organizations as needed for your environment. You can also create suborganizations for those organizations. As a best practice, create at least one suborganization.

Sibling organizations cannot see each other. However, sibling organizations can both use the same system library objects if necessary. Additionally, a single resource pool can be shared, which allows multiple organizations to use the same network and host resources. Using a single resource pool enables the most effective use of limited resources by balancing resource requests and providing high availability of resources.

A default organization, Internal, is automatically set up when the CAP Core server is installed. The Internal organization sets the quotas for the organization hierarchy and the platform administrator user account (the "super user") belongs to this organization. This organization cannot be deleted. If your Cloud Automation Platform environment is hosted by the Cloud Automation Platform data center, Cloud Automation Platform maintains the Internal organization. If your environment is not hosted by the Cloud Automation Platform data center, your company must appoint a platform administrator and set the quotas for the organization hierarchy.

Each organization can have customized skins that provide a specific look and feel for the application UI. Child organizations inherit customizations from their parent organization. However, specific child customizations can override parent customizations if necessary.

Figure 1 illustrates an example organization structure. The main organization is called Training. Suborganizations include Self-Led and Instructor-Led. You can create additional suborganizations for each of these suborganizations if necessary. For instance, you might want to create suborganizations in the Self-Led organization based on branding and snapshot capability. Accounts in both organizations can utilize the same courses, but use different branding and snapshot settings.

In the following graphic, the Internal organization sets quotas for the suborganizations in the hierarchy. The Training organization sets additional quotas for its child organizations, Self-Led and Instructor-Led. For additional details, see Quotas on page 316.

[Figure 1: Example of an Organization Hierarchy. Internal Organization: parent organization. Training: child to the Internal organization, parent to Self-Led and Instructor-Led. Self-Led and Instructor-Led: children to Internal and Training.]

A single user account in an organization is identified as the organization's contact point, called the Organization Manager. The Organization Manager belongs to the Administrators group. For instance, you might identify your organization's IT Manager as the person to contact since any issues with the organization might be funneled to her. The user assigned to be the organization's contact can be changed.

Organization settings determine an account's persona (and thus group membership) when a user self registers. You can create organizations to enable different self-registration options per organization. For more information, see Personas on page 319.

Relationship Between Organizations and Access Control

Since users and groups are subject to access control rules and yet belong to an organization, organizations are closely related to access control.

The following figure illustrates a possible access control environment based on group access and privilege set assignment and how it relates to the organization hierarchy. The following points are illustrated:

- The platform administrator sets the quotas for the entire organization hierarchy. The platform administrator privilege set is only available in the Internal organization.
- Members of the Administrator group can edit quotas for suborganizations that they create.
- Members of the Users group can view other members of the same organization only.
- Members of a suborganization are also included in the parent organization's Restricted Users group. This provides suborganization users with view privileges on application configurations by default.
- Members of the Restricted Users groups cannot view any organization hierarchy or user information. Members of this group can view only the evaluations or labs to which they are assigned.
- If any of the default Cloud Automation Platform privilege sets are changed at any level of the organization hierarchy, the change is applied to every organization within the hierarchy.

[Figure 2: Example User Access Control Scenario in an Organization Hierarchy. Internal Organization (Platform Admin): sets quotas for the organization hierarchy and has access to all organizations; cannot be modified or deleted. Training Organization: Group Users (User 1, User 2), whose members can view other members of this organization, and Group Admin (Suborganization Admin), who created the Self-Led and Instructor-Led organizations and sets quotas for those organizations. Self-Led Organization and Instructor-Led Organization: each has Group Restricted (Restricted User 1, Restricted User 2) and Group Admin (Organization Admin); group members cannot view users in sibling suborganizations.]

In the following graphic, Chris Cay is assigned to the Administrators group with the administrator privilege set. As a member of the Training organization, Chris can view both the Self-Led Training and the Instructor-Led Training organizations as well as the Training organization. Both Mary Smith and June Park are also assigned to the Administrators group with the administrator privilege set. Neither can view any information about the other's organization. Both are members of the Restricted Users group on the Training organization and both have view privileges on application configurations in the Training organization by default.

[Figure 3: Example of Multiple Organizations and Implications of Privilege Sets. Training Organization (Chris Cay): Chris Cay can view the child organizations, Self-Led and Instructor-Led Training, because he has administrator privileges. Self-Led Training Organization (Mary Smith) and Instructor-Led Training Organization (June Park): the child organization administrators cannot see information from other sibling organizations.]

For more information, see Privilege Sets on page 300.

Creating User Accounts

The organization in which a user account is created is considered the user's home organization. Even if a user account can access suborganizations, the user account only belongs to a single organization. For instance, in Figure 3, Chris Cay belongs to the Training organization, but he can access components in the Self-Led Training and the Instructor-Led Training organizations as well.

Using the CAP web interface, a user who belongs to the Administrators group can create, edit, and delete user accounts. When a user account is created, the administrator specifies the persona for the user account, and the user is automatically assigned to the corresponding user group. The administrator also specifies general account information, such as address and password. The user can edit the general account information. However, only users in the Administrator group can change the user persona. For details about personas, see Personas.

If a student or an evaluation participant registers for a class or product demonstration, a user account is automatically created. The user account is assigned a default persona, which is defined by the organization. By default, any user account that is created in a suborganization of Internal is assigned to the Internal Restricted Users group. A member of the Administrator group can change user account information if necessary.

When a user is added to a group, he inherits the group's assigned privilege set. A member of a suborganization is automatically added to the parent organization's Restricted Users group. As a member of the parent organization's Restricted Users group, a user has view privileges on any application configurations created in the parent organization.

Note: For information about creating users who require administrative approval for reservations, refer to the online Help topic Creating a User without Self-Service Privileges.

Creating Groups

The Cloud Automation Platform environment provides the following default groups in a suborganization:

- Administrators
- Users
- Restricted Users

For more information, see Groups on page 303.

Typically, a user account is assigned to one of the default groups, depending on the persona assigned to the account. However, an administrator can create a new group to grant custom permissions or more selective access to objects. For instance, if your company wants to group instructors by region or by speciality and then grant those users additional privileges, a new group might be the best solution. As a result, you might create a group for East Coast or a group for Enterprise Software. Then, if you want East Coast instructors to modify specific application configurations, you can ensure that only that group can edit those configurations.

A group belongs to the organization in which it is created (i.e.. When a group is created, the default access type is specified. Default access types include:

- Automatic: If automatic is specified, the group automatically has the specified privilege set on all new objects.
- Manual: If manual is specified, members of the group will not have access to newly created objects unless access is explicitly granted. For details about manually assigning objects to a group, see Manually Changing Access to Objects on page 307.

An alternate means of controlling user access and permissions is to create a suborganization. The suborganization inherits all the groups and privileges of the parent. You can also limit group privileges to meet the requirements for the suborganization. A suborganization can also contain groups.

Quotas

Every environment has a limited amount of computing and storage capacity. This limit can be increased or decreased by adding or removing additional host servers or disk space. However, there is always a limit on the amount of capacity that an organization can use. Hierarchical organizations must share capacity. To prevent monopolization, each organization has a set of limits, or quotas, on capacity. Quotas restrict an organization's peak usage for reservations, snapshots, user accounts, reserved resources, and published application configurations.

Quotas include:

General: Sets user account, application configuration, and library quotas.

- Maximum number of accounts: Specifies the maximum number of users in the organization.
- Maximum unlocked applications: Specifies the maximum number of available application configurations.
- Maximum library space: Specifies the maximum amount of storage capacity that is permitted for images and snapshots per organization.

Reservations: Sets restrictions for reservations.

- Advanced scheduling: Specifies the maximum number of days in advance that a user can schedule a reservation.
  Note: The reservation must be completed before the maximum number of days is reached.
- Maximum deployment duration: Specifies the maximum number of days that a reservation can occur.

Snapshots: Sets quotas for snapshots.

- Maximum space allowed: Sets the maximum amount of storage capacity permitted for snapshots per organization.
- Maximum space per user: Restricts the amount of storage that a user can consume for snapshot storage. If the maximum space limit is exceeded, an error message displays. An administrator can remove unnecessary or outdated snapshots in order to create space to save new snapshots.

Resources: Sets quotas for reserved resources.

- Maximum concurrent servers: Sets the number of VMs (or physical server configurations) that can be deployed at the same time across the entire organization. For instance, if a user deploys an application configuration that includes a Web server, database, and application server, the application configuration uses three VMs. If the maximum concurrent value is set to two, the deployment will fail. For the Training solution, this quota must account for the number of students per class also. For instance, if an instructor schedules a class of 25 students and each lab requires 4 VMs, the maximum concurrent value must be greater than 100.
- Maximum total servers per user: Sets the number of VMs or physical servers that any one user can schedule. For instance, if a limit of two exists and Chris schedules two single-server demos to start immediately, he cannot schedule another demo until one of the deployed demos finishes. For the Training solution, this quota must account for the number of students per class also. Since the quota is the same for all users in the organization, the instructor must have a large enough quota to account for himself and all of the students in the class he leads. For instance, if the quota is set to four and Joe schedules a class for eight students, an error message displays.

For the following quota settings, the sum of the child organization limits cannot exceed the parent organization's limit:

- Maximum number of accounts
- Maximum number of concurrent servers
- Maximum space allowed for snapshots (MB)
- Maximum library space

For these settings, the parent organization is also affected by the settings of its child organizations. For instance, if the Internal organization's number of accounts quota specifies 100 user accounts and its child organization uses 100 accounts, then no user accounts can be added to the Internal organization.

To increase quotas, a platform administrator must increase the quota for all parent organizations first. For instance, if a parent organization's maximum space allowed is 100 TB and its suborganization needs 150 TB, to make more space available, the platform administrator must increase the parent organization's quota and then increase the suborganization's quota.

To decrease quotas, a platform administrator must decrease the quota for all the child organizations first. This only applies when a platform administrator is trying to decrease the quota to a value that is less than the total sum of the child organizations. For instance, if a parent organization's maximum space allowed is 100 TB and its suborganizations' quotas are 25 TB and 50 TB for two different child organizations, then the platform administrator is allowed to decrease the parent organization's maximum space allowed down to only 75 TB. If he wishes to decrease it lower than 75 TB, then the platform administrator must decrease one or more of the child organizations' quotas first and then decrease the parent organization's quota.

Quotas are imposed at the organization level. If your environment requires strict capacity limits, creating multiple organizations rather than a single organization with several groups may be the best solution.
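The parent/child quota rule and the required order of changes (raise parents first, lower children first) can be checked mechanically. The following Python model is an added example, not Cloud Automation Platform code; the quota key names, function names, and the organization tree are constructed for the illustration, and `plan_increase` goes beyond the single-level case in the text by walking every ancestor level.

```python
from dataclasses import dataclass, field

class QuotaError(ValueError):
    """Raised when a change would break the parent/child quota rule."""

@dataclass
class Org:
    name: str
    limits: dict                                  # quota name -> limit
    parent: "Org" = field(default=None, repr=False, compare=False)
    children: list = field(default_factory=list)

    def add_child(self, name, limits):
        for quota, value in limits.items():
            if children_total(self, quota) + value > self.limits[quota]:
                raise QuotaError(f"{self.name} has no room for {quota}={value}")
        child = Org(name, dict(limits), parent=self)
        self.children.append(child)
        return child

def children_total(org, quota):
    return sum(child.limits.get(quota, 0) for child in org.children)

def own_capacity(org, quota):
    """What is left for the organization itself once child limits are counted."""
    return org.limits[quota] - children_total(org, quota)

def check_limit(org, quota, value):
    """Return the reason a new limit is rejected, or None if it is allowed."""
    held = children_total(org, quota)
    if value < held:
        return f"decrease the children of {org.name} first (they hold {held})"
    if org.parent is not None:
        siblings = children_total(org.parent, quota) - org.limits[quota]
        if siblings + value > org.parent.limits[quota]:
            return f"increase {org.parent.name} first"
    return None

def set_limit(org, quota, value):
    reason = check_limit(org, quota, value)
    if reason:
        raise QuotaError(reason)
    org.limits[quota] = value

def plan_increase(org, quota, value):
    """Smallest set of raises needed, ordered top ancestor first."""
    steps, node, need = [], org, value
    while node is not None and need > node.limits[quota]:
        steps.append((node, need))
        if node.parent is not None:
            need += children_total(node.parent, quota) - node.limits[quota]
        node = node.parent
    return list(reversed(steps))

SPACE = "snapshot_space_tb"    # constructed quota keys for the example
ACCOUNTS = "accounts"

def demo():
    """Constructed hierarchy: Internal > Training > Self-Led, Instructor-Led."""
    internal = Org("Internal", {SPACE: 200, ACCOUNTS: 100})
    training = internal.add_child("Training", {SPACE: 100, ACCOUNTS: 100})
    self_led = training.add_child("Self-Led", {SPACE: 25, ACCOUNTS: 25})
    training.add_child("Instructor-Led", {SPACE: 50, ACCOUNTS: 10})
    out = {"internal_accounts_left": own_capacity(internal, ACCOUNTS)}
    set_limit(training, SPACE, 75)                # children hold 25 + 50 = 75
    out["decrease_to_74"] = check_limit(training, SPACE, 74)
    out["direct_increase"] = check_limit(self_led, SPACE, 150)
    plan = plan_increase(self_led, SPACE, 150)
    out["plan"] = [(node.name, value) for node, value in plan]
    for node, value in plan:                      # applying in plan order succeeds
        set_limit(node, SPACE, value)
    out["final"] = (training.limits[SPACE], self_led.limits[SPACE])
    return out
```

Running `demo()` shows the 75 TB floor from the text, the rejection of a direct child increase, and the top-down plan that makes the same increase succeed.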
Administrators and Organization Quotas

In the Cloud Automation Platform environment, the platform administrator can create, edit, and view the quotas for all organizations. An organization administrator can view the quotas for the organization to which he belongs but can only edit a limited set of the quotas. For instance, if an administrator is a member of the Training organization and creates the Self-Led child organization, he can edit all the quotas for the Self-Led child organization but only a limited number of quotas for the Training organization.

The following table shows the privilege set and quota privileges that each administrator has.

| Privilege Set | Parent Organization | Child Organization |
|---|---|---|
| Platform administrator | Create, edit, view | Create, delete, edit, view |
| Suborganization administrator | View | Delete, privileged edit for its organization (can edit quotas) |
| Administrator | View | Create, unprivileged edit (cannot edit quotas), view |

Table 1 Administrator Privilege Sets and Quota Privileges

Note: Typically, the Organization Manager cannot edit all the quotas for the organization that he manages. If the Organization Manager did not create the organization, he does not have the suborganization administrator privilege set.

For more information about privilege sets, see Privilege Sets on page 300.

Personas

The persona that is assigned to a user account determines the user's experience in the product interface; the user's persona regulates which options in the navigation pane (left pane) are displayed to the user, which determines the content that a user can view. For example, a user with the persona of Instructor will see very limited options in the navigation pane, with no links or buttons to access such features as user management or system settings. A user with a persona of Organization Administrator, however, will see all options. See Figure 4 and Figure 5.

[Figure 4: Navigation Pane Displayed for Instructor Persona]

[Figure 5: Navigation Pane Displayed for Organization Administrator]

The persona associated with a user account depends on the nature of the user's duties and responsibilities. For example, if a user's job description


More information

Five Tips for Effective Backup and Recovery in Virtual Environments

Five Tips for Effective Backup and Recovery in Virtual Environments Five Tips for Effective Backup and Recovery in Virtual Environments Written by Daniel Lord Sr. Product Marketing Manager Quest Software, Inc. WHITE PAPER Contents Abstract... 3 Introduction... 4 Our Five

More information

Foglight. Foglight for Virtualization, Enterprise Edition 7.2. Virtual Appliance Installation and Setup Guide

Foglight. Foglight for Virtualization, Enterprise Edition 7.2. Virtual Appliance Installation and Setup Guide Foglight Foglight for Virtualization, Enterprise Edition 7.2 Virtual Appliance Installation and Setup Guide 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected

More information

Proactive Performance Management for Enterprise Databases

Proactive Performance Management for Enterprise Databases Proactive Performance Management for Enterprise Databases Written by Dave Pearson, Senior Product Manager, Quest Software, Inc. WHITE PAPER 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This document

More information

Quest vworkspace Virtual Desktop Extensions for Linux

Quest vworkspace Virtual Desktop Extensions for Linux Quest vworkspace Virtual Desktop Extensions for Linux What s New Version 7.6 2012 Quest Software, Inc. ALL RIGHTS RESERVED. Patents Pending. This guide contains proprietary information protected by copyright.

More information

Quest One Privileged Account Appliance

Quest One Privileged Account Appliance Quest One Privileged Account Appliance Security Architecture Written By Quest Software, Inc. Contents Abstract... 2 Introduction... 3 Enhanced Privileged Account Management with Quest One... 3 About this

More information

Foglight. Managing Hyper-V Systems User and Reference Guide

Foglight. Managing Hyper-V Systems User and Reference Guide Foglight Managing Hyper-V Systems User and Reference Guide 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

Foglight for Oracle. Managing Oracle Database Systems Getting Started Guide

Foglight for Oracle. Managing Oracle Database Systems Getting Started Guide Foglight for Oracle Managing Oracle Database Systems Getting Started Guide 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Quest Application Performance Monitoring Implementation Methodology

Quest Application Performance Monitoring Implementation Methodology Quest Application Performance Monitoring Implementation Methodology 02-03-11 1 Contents Contents... 2 Objectives... 3 Quest APM Implementation Phases... 4 Phase I: Business Requirements Assessment... 4

More information

Quest Support: vworkspace Troubleshooting Guide. Version 1.0

Quest Support: vworkspace Troubleshooting Guide. Version 1.0 Quest Support: vworkspace Troubleshooting Guide Version 1.0 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

An Innovative Approach to SOAP Monitoring. Written By Quest Software

An Innovative Approach to SOAP Monitoring. Written By Quest Software An Innovative Approach to SOAP Monitoring Written By Quest Software Contents Introduction...2 SOAP Overview...3 The SOAP Monitoring Challenge...6 From the Service Consumer Perspective...6 From the Service

More information

Quest vworkspace. System Requirements. Version 7.2 MR1

Quest vworkspace. System Requirements. Version 7.2 MR1 Quest vworkspace System Requirements Version 7.2 MR1 2011 Quest Software, Inc. ALL RIGHTS RESERVED. Patents Pending. This guide contains proprietary information protected by copyright. The software described

More information

How Password Lifecycle Management Can Save Money and Improve Security

How Password Lifecycle Management Can Save Money and Improve Security How Password Lifecycle Management Can Save Money and Improve Security by Don Jones Quest Software, Inc. WHITE PAPER 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information

More information

formerly Help Desk Authority 9.1.3 Upgrade Guide

formerly Help Desk Authority 9.1.3 Upgrade Guide formerly Help Desk Authority 9.1.3 Upgrade Guide 2 Contacting Quest Software Email: Mail: Web site: info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com

More information

The Quest Cloud Automation Platform

The Quest Cloud Automation Platform The Quest Cloud Automation Platform Written by Dave Malcom Vice President and Chief Technologist, Virtualization and Cloud, Quest Software, Inc. BUSINESS BRIEF Contents Abstract... 3 Introduction... 4

More information

7.5 7.5. Spotlight on Messaging. Evaluator s Guide

7.5 7.5. Spotlight on Messaging. Evaluator s Guide 7.5 Spotlight on Messaging 7.5 Evaluator s Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Six Steps to Achieving Data Access Governance. Written By Quest Software

Six Steps to Achieving Data Access Governance. Written By Quest Software Six Steps to Achieving Data Access Governance Written By Quest Software Contents Abstract... 2 It s the Wild West Out There... 3 The Problems with Current Practices... 4 Inefficiency... 4 Ineffectiveness...

More information

6.5. Web Interface. User Guide

6.5. Web Interface. User Guide 6.5 Web Interface User Guide 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a

More information

Quest Site Administrator 4.4

Quest Site Administrator 4.4 Quest Site Administrator 4.4 for SharePoint Product Overview 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information, which is protected by copyright. The software described

More information

Web Portal Installation Guide 5.0

Web Portal Installation Guide 5.0 Web Portal Installation Guide 5.0 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

The Active Directory Recycle Bin: The End of Third-Party Recovery Tools?

The Active Directory Recycle Bin: The End of Third-Party Recovery Tools? The Active Directory Recycle Bin: The End of Third-Party Recovery Tools? Written by Don Jones Microsoft MVP White Paper 2009 Quest Software, Inc. All rights reserved. This guide contains proprietary information,

More information

Foglight 5.6.4. Managing SQL Server Database Systems Getting Started Guide. for SQL Server

Foglight 5.6.4. Managing SQL Server Database Systems Getting Started Guide. for SQL Server Foglight for SQL Server 5.6.4 Managing SQL Server Database Systems Getting Started Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide Dell Unified Communications Command Suite - Diagnostics 8.0 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Quest SQL Optimizer 6.5. for SQL Server. Installation Guide

Quest SQL Optimizer 6.5. for SQL Server. Installation Guide Quest SQL Optimizer for SQL Server 6.5 2008 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Top Seven Tips and Tricks for Group Policy in Windows 7

Top Seven Tips and Tricks for Group Policy in Windows 7 Top Seven Tips and Tricks for Group Policy in Windows 7 Written by Jeremy Moskowitz, Microsoft Group Policy MVP, GPanswers.com WHITE PAPER 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains

More information

SharePoint 2010 - Nine Key Features

SharePoint 2010 - Nine Key Features Nine Key Features of SharePoint 2010 that Simplify SharePoint Administration Written by Joel Oleson Senior Architect Quest Software, Inc. WHITE PAPER 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This

More information

Foglight 5.6.5.2. Managing SQL Server Database Systems Getting Started Guide. for SQL Server

Foglight 5.6.5.2. Managing SQL Server Database Systems Getting Started Guide. for SQL Server Foglight for SQL Server 5.6.5.2 Managing SQL Server Database Systems Getting Started Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

Image-Based Data Protection: Simply Better Data Protection

Image-Based Data Protection: Simply Better Data Protection Image-Based Data Protection: Simply Better Data Protection Gain Net Savings of $15 for Every $1 Invested in Image-Based Data Protection Technologies Such as Quest vranger Written by Quest Server Virtualization

More information

Foglight. Managing Java EE Systems Supported Platforms and Servers Guide

Foglight. Managing Java EE Systems Supported Platforms and Servers Guide Foglight Managing Java EE Systems Supported Platforms and Servers Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

The Case for Quest One Identity Manager

The Case for Quest One Identity Manager The Case for Quest One Identity Manager How Four Organizations Simplified and Transformed Identity and Access Management BUSINESS BRIEF 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains

More information

Quest Privilege Manager Console 1.1.1. Installation and Configuration Guide

Quest Privilege Manager Console 1.1.1. Installation and Configuration Guide Quest Privilege Manager Console 1.1.1 Installation and Configuration Guide 2008 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

The Active Directory Management and Security You ve Always Dreamed Of

The Active Directory Management and Security You ve Always Dreamed Of The Active Directory Management and Security You ve Always Dreamed Of Written by Don Jones Co-founder, Concentrated Technology WHITE PAPER 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains

More information

How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel

How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel l 10.3 1.0 Auditing Installation and Monitoring and Configuration Microsoft Windows Guide How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel 2010 Quest Software, Inc. ALL

More information

Foglight 5.2.0. Foglight Experience Viewer (FxV) Upgrade Field Guide

Foglight 5.2.0. Foglight Experience Viewer (FxV) Upgrade Field Guide Foglight 5.2.0 Foglight Experience Viewer (FxV) 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is

More information

2010 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Third Party Contributions

2010 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Third Party Contributions 4.9 Evaluator Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

Quest Site Administrator 4.4

Quest Site Administrator 4.4 Quest Site Administrator 4.4 for SharePoint Quick Start Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information, which is protected by copyright. The software described

More information

Benchmark Factory for Databases 6.5. User Guide

Benchmark Factory for Databases 6.5. User Guide Benchmark Factory for Databases 6.5 User Guide Copyright 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

ChangeAuditor 5.6. For Windows File Servers Event Reference Guide

ChangeAuditor 5.6. For Windows File Servers Event Reference Guide ChangeAuditor 5.6 For Windows File Servers Event Reference Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Moving to the Cloud : Best Practices for Migrating from Novell GroupWise to Microsoft Exchange Online Standard

Moving to the Cloud : Best Practices for Migrating from Novell GroupWise to Microsoft Exchange Online Standard Moving to the Cloud : Best Practices for Migrating from Novell GroupWise to Microsoft Exchange Online Standard Written by Keith Ridings, Product Manager, GroupWise Migration Dan Gauntner, Product Marketing

More information

Quick Connect Express for Active Directory

Quick Connect Express for Active Directory Quick Connect Express for Active Directory Version 5.2 Quick Start Guide 2012 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

8.6 Migrating to Exchange 2010

8.6 Migrating to Exchange 2010 8.6 Migrating to Exchange 2010 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Dell One Identity Cloud Access Manager 7.0.2. Installation Guide

Dell One Identity Cloud Access Manager 7.0.2. Installation Guide Dell One Identity Cloud Access Manager 7.0.2 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

2009 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Disclaimer

2009 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Disclaimer 6.5 User Guide 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license

More information

Understanding and Configuring Password Manager for Maximum Benefits

Understanding and Configuring Password Manager for Maximum Benefits Understanding and Configuring Password Manager for Maximum Benefits Written by Chris Radband, senior professional services consultant, Dell Software Introduction About Password Manager The pain of password

More information

Heroix Longitude Quick Start Guide V7.1

Heroix Longitude Quick Start Guide V7.1 Heroix Longitude Quick Start Guide V7.1 Copyright 2011 Heroix 165 Bay State Drive Braintree, MA 02184 Tel: 800-229-6500 / 781-848-1701 Fax: 781-843-3472 Email: support@heroix.com Notice Heroix provides

More information

vranger Version 5.5 Installation and Setup Guide

vranger Version 5.5 Installation and Setup Guide vranger Version 5.5 Installation and Setup Guide 2012 Vizioncore, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Authentication Services 4.1. Authentication Services Single Sign-on for SAP Integration Guide

Authentication Services 4.1. Authentication Services Single Sign-on for SAP Integration Guide Authentication Services 4.1 Authentication Services Single Sign-on for SAP Integration Guide Copyright 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected

More information

Spotlight Management Pack for SCOM

Spotlight Management Pack for SCOM Spotlight Management Pack for SCOM User Guide January 2015 The is used to display data from alarms raised by Spotlight on SQL Server Enterprise in SCOM (System Center Operations Manager). About System

More information

Quick Start Guide for VMware and Windows 7

Quick Start Guide for VMware and Windows 7 PROPALMS VDI Version 2.1 Quick Start Guide for VMware and Windows 7 Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the

More information

8.7. Resource Kit User Guide

8.7. Resource Kit User Guide 8.7 Resource Kit User Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. The software described in this document is furnished under

More information

About Recovery Manager for Active

About Recovery Manager for Active Dell Recovery Manager for Active Directory 8.6.1 May 30, 2014 These release notes provide information about the Dell Recovery Manager for Active Directory release. About Resolved issues Known issues System

More information

Desktop to Cloud. Browser Migration in the Enterprise. Written By Quest Software, Inc.

Desktop to Cloud. Browser Migration in the Enterprise. Written By Quest Software, Inc. Desktop to Cloud Browser Migration in the Enterprise Written By Quest Software, Inc. Contents Abstract... 2 Introduction... 3 The Growth of Cloud Computing... 4 The Challenges... 5 Challenges in Migrating

More information

Veeam Backup Enterprise Manager. Version 7.0

Veeam Backup Enterprise Manager. Version 7.0 Veeam Backup Enterprise Manager Version 7.0 User Guide August, 2013 2013 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may

More information

Defender Delegated Administration. User Guide

Defender Delegated Administration. User Guide Defender Delegated Administration User Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

New Features and Enhancements

New Features and Enhancements Dell Migration Manager for SharePoint 4.7 Build number: 4.7.20141207 December 9, 2014 These release notes provide information about the Dell Migration Manager for SharePoint release. New Features and Enhancements

More information

Foglight. Dashboard Support Guide

Foglight. Dashboard Support Guide Foglight Dashboard Support Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Nasuni Filer Virtualization Getting Started Guide. Version 7.5 June 2016 Last modified: June 9, 2016 2016 Nasuni Corporation All Rights Reserved

Nasuni Filer Virtualization Getting Started Guide. Version 7.5 June 2016 Last modified: June 9, 2016 2016 Nasuni Corporation All Rights Reserved Nasuni Filer Virtualization Getting Started Guide Version 7.5 June 2016 Last modified: June 9, 2016 2016 Nasuni Corporation All Rights Reserved Document Information Nasuni Filer Virtualization Getting

More information

Dell One Identity Cloud Access Manager 8.0 - How to Configure vworkspace Integration

Dell One Identity Cloud Access Manager 8.0 - How to Configure vworkspace Integration Dell One Identity Cloud Access Manager 8.0 - How to Configure vworkspace Integration February 2015 This guide describes how to configure Dell One Identity Cloud Access Manager to communicate with a Dell

More information

Foglight 1.0.0.0. Cartridge for Active Directory Installation Guide

Foglight 1.0.0.0. Cartridge for Active Directory Installation Guide Foglight 1.0.0.0 Cartridge for Active Directory Installation Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Quest ChangeAuditor 4.8

Quest ChangeAuditor 4.8 Quest ChangeAuditor 4.8 Migration Guide Copyright Quest Software, Inc. 2009. All rights reserved. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Core Protection for Virtual Machines 1

Core Protection for Virtual Machines 1 Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this

More information

SNOW LICENSE MANAGER (7.X)... 3

SNOW LICENSE MANAGER (7.X)... 3 SYSTEM REQUIREMENTS Products Snow License Manager Software Store Option Snow Inventory Server, IDR, IDP Client for Windows Client for Linux Client for Unix Client for OS X Oracle Scanner Snow Integration

More information

formerly Help Desk Authority 9.1.2 Quest Free Network Tools User Manual

formerly Help Desk Authority 9.1.2 Quest Free Network Tools User Manual formerly Help Desk Authority 9.1.2 Quest Free Network Tools User Manual 2 Contacting Quest Software Email: Mail: Web site: info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo,

More information

ChangeAuditor 6.0 For Windows File Servers. Event Reference Guide

ChangeAuditor 6.0 For Windows File Servers. Event Reference Guide ChangeAuditor 6.0 For Windows File Servers Event Reference Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

6.7. Quick Start Guide

6.7. Quick Start Guide 6.7 Quick Start Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0 Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0 May 2015 About this guide Prerequisites and requirements NetWeaver configuration Legal notices About

More information

Quest One Password Manager

Quest One Password Manager Quest One Password Manager Version 5.0 Administrator Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

2.0. Quick Start Guide

2.0. Quick Start Guide 2.0 Quick Start Guide Copyright Quest Software, Inc. 2007. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished

More information

Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability

Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability May 2015 Cloning the database Cloning the STS host Cloning the proxy host This guide describes how to extend a typical

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

SNOW LICENSE MANAGER (7.X)... 3

SNOW LICENSE MANAGER (7.X)... 3 SYSTEM REQUIREMENTS Products Snow License Manager Snow Inventory Server, IDR, IDP Client for Windows Client for Linux Client for Unix Client for OS X Oracle Scanner External Data Provider Snow Distribution

More information

PHD Virtual Backup for Hyper-V

PHD Virtual Backup for Hyper-V PHD Virtual Backup for Hyper-V version 7.0 Installation & Getting Started Guide Document Release Date: December 18, 2013 www.phdvirtual.com PHDVB v7 for Hyper-V Legal Notices PHD Virtual Backup for Hyper-V

More information

Dell vworkspace Supports Higher Education s Desktop Virtualization Needs

Dell vworkspace Supports Higher Education s Desktop Virtualization Needs Dell vworkspace Supports Higher Education s Desktop Virtualization Needs Prepared by Chris Lyman, Senior Systems Consultant Dell Cloud Client Computing Solutions Abstract As adoption of desktop virtualization

More information

Dell Statistica. Statistica Document Management System (SDMS) Requirements

Dell Statistica. Statistica Document Management System (SDMS) Requirements Dell Statistica Statistica Document Management System (SDMS) Requirements 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Dell InTrust 11.0. Preparing for Auditing Microsoft SQL Server

Dell InTrust 11.0. Preparing for Auditing Microsoft SQL Server 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.

More information

Foglight 5.5.5. Managing Microsoft Active Directory Installation Guide

Foglight 5.5.5. Managing Microsoft Active Directory Installation Guide Foglight 5.5.5 Managing Microsoft Active Directory 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information