VMware virtualization environments

Follow this guidance if you use VMware to provide virtual machines.

Install vCenter Server and the appropriate management tools. (No support is provided for vSphere vCenter Linked Mode operation.)

If you plan to use Machine Creation Services (MCS), do not disable the Datastore Browser feature in vCenter Server (described in this VMware article). If you disable this feature, MCS does not work correctly.

Required privileges

Create a VMware user account and one or more VMware roles with a set or all of the privileges listed below. Base the roles’ creation on the specific level of granularly required over the user’s permissions to request the various Citrix Virtual Apps or Citrix Virtual Desktops operations at any time. To grant the user-specific permissions at any point, associate them with the respective role, at the data center level at a minimum.

The following tables show the mappings between Citrix Virtual Apps and Desktops operations and the minimum required VMware privileges.

Add connections and resources

Provision machines (Machine Creation Services)

To provision machines using MCS, the following permissions are mandatory:

Storage Profile (vSAN)

To view, create, or delete storage policies during catalog creations on a vSAN datastore, the following permissions are mandatory:

Tags and Custom Attributes

Tags and custom attributes allow you to attach metadata to the VMs created in vSphere inventory and make it easier to search and filter these objects. To create, edit, assign, and delete tags or categories, the following permissions are mandatory:

Note:

When MCS creates a machine catalog, it tags the target VMs with special name tags. These tags differentiate the master image from MCS created VMs and prevent using MCS created VMs for image preparation. You can identify the difference by the value of XdProvisioned attribute in vCenter. The attribute is set to True if MCS creates VMs.

Provision machines (Citrix Provisioning)

All privileges from Provision machines (Machine Creation Services) and the following.

Power management

Image update and rollback

Delete provisioned machines

Securing connections to the VMware environment

Using HTTPS/SSL connections to vCenter requires that the connection is trusted by Citrix DaaS (formerly Citrix Virtual Apps and Desktops service).

There are two options:

• Each cloud connector trusts the vCenter certificate, and services on the connector reuses this trust. This trust can be from a:

  • vCenter certificate, issued by the Certificate Authority and trusted by windows, resulting in established trust between Windows and vCenter.
  • vCenter certificate installed on Windows, resulting in established trust between Windows and vCenter.

• Alternatively the Citrix Virtual Apps and Desktops database has the SSL thumbprint installed. This thumbprint is used by Citrix DaaS on each cloud connector to trust connections to vCenter.

Note:

vCenter certificate and VMware SSL thumbprint are not required for VMware Cloud and its partner solutions.

Obtain and import a certificate

To protect vSphere communications, Citrix recommends that you use HTTPS rather than HTTP. HTTPS requires digital certificates. Citrix recommends you use a digital certificate issued from a certificate authority in accordance with your organization’s security policy.

If you are unable to use a digital certificate issued from a certificate authority, and your organization’s security policy permits it, you can use the VMware-installed self-signed certificate. Add the VMware vCenter certificate to each Cloud Connector.

1. Add the fully qualified domain name (FQDN) of the computer running vCenter Server to the hosts file on that server, located at %SystemRoot%/WINDOWS/system32/Drivers/etc/. This step is required only if the FQDN of the computer running vCenter Server is not already present in the domain name system.

2. Obtain the vCenter certificate using any of the following three methods:

   From the vCenter server:

   1. Copy the file rui.crt from the vCenter server to a location accessible on your Cloud Connectors.
   2. On the Cloud Connector, navigate to the location of the exported certificate and open the rui.crt file.

   Download the certificate using a web browser: If you are using Internet Explorer, depending on your user account, you may must right-click on Internet Explorer and choose Run as Administrator to download or install the certificate.

   1. Open your web browser and make a secure web connection to the vCenter server (for example https://server1.domain1.com).
   2. Accept the security warnings.
   3. Click the address bar displaying the certificate error.
   4. View the certificate and click the Details tab.
   5. Select Copy to file and export in .CER format, providing a name when prompted to do so.
   6. Save the exported certificate.
   7. Navigate to the location of the exported certificate and open the .CER file.

   Import directly from Internet Explorer running as an administrator:

   1. Open your web browser and make a secure web connection to the vCenter server (for example https://server1.domain1.com).
   2. Accept the security warnings.
   3. Click the address bar displaying the certificate error.
   4. View the certificate.

3. Import the certificate into the certificate store on each Cloud Connector.

   1. Click Install certificate, select Local Machine, and then click Next.
   2. Select Place all certificates in the following store, and then click Browse. On a later supported version: Select Trusted People and then click OK. Click Next and then click Finish.

Important:

If you change the name of the vSphere server after installation, you must generate a new self-signed certificate on that server before importing the new certificate.

VMware SSL thumbprint

The VMware SSL thumbprint feature addresses a frequently reported error when creating a host connection to a VMware vSphere hypervisor. Previously, administrators had to manually create a trust relationship between the Citrix-managed Delivery Controllers in the Site and the hypervisor’s certificate before creating a connection. The VMware SSL thumbprint feature removes that manual requirement: the untrusted certificate’s thumbprint is stored on the Site database so that the hypervisor can be continuously identified as trusted by Citrix Virtual Apps or Citrix Virtual Desktops, even if not by the Controllers.

When creating a vSphere host connection, a dialog box allows you to view the certificate of the machine you are connecting to. You can then choose whether to trust it.

The VMware SSL thumbprint can be updated later using PowerShell SDK Set-Item -LiteralPath "<FullPath_to_connection>" -username $cred.username -Securepassword $cred.password -SslThumbprint "<New ThumbPrint>" -hypervisorAddress <vcenter URL>.

Tip:

The certificate thumbprint has to be written in capital letters.

Create a master VM

Use a master VM to provide user desktops and applications in a machine catalog. On your hypervisor:

1. Install a VDA on the master VM, selecting the option to optimize the desktop, which improves performance.
2. Take a snapshot of the master VM to use as a back-up.

Create a connection

In the connection creation wizard:

• Select the VMware connection type.
• Specify the address of the access point for the vCenter SDK.
• Specify the credentials for a VMware user account you set up earlier that has permissions to create new VMs. Specify the user name in the form domain/username.

Reset OS disk

Use the PowerShell command Reset-ProvVMDisk to reset the OS disk of a persistent VM in an MCS created machine catalog.

To successfully run the PowerShell command, make sure that:

• The target VMs are in a persistent MCS catalog.
• The MCS machine catalog is functioning properly. This implies that the provisioning scheme and host exist, and the provisioning scheme has correct entries.
• VMware vCenter is not in maintenance mode.
• Target VMs are powered-off and in maintenance mode.

Perform the following steps to reset the OS disk:

1. Open a PowerShell window.
2. Run asnp citrix* to load the Citrix-specific PowerShell modules.

3. Run the PowerShell command Reset-ProvVMDisk in any one of the following ways:

   • Specify the list of VMs as a comma-separated list, and perform the reset on each VM:

      Reset-ProvVMDisk -ProvisioningSchemeName "xxx" -VMName ("abc","def") -OS
      <!--NeedCopy-->