当前位置：文江博客知识库 citrix en-us citrix-virtual-apps-desktops 2203-ltsr install-configure install-prepare vmware

VMware virtualization environments 编辑

Follow this guidance if you use VMware to provide virtual machines.

Install vCenter Server and the appropriate management tools. (No support is provided for vSphere vCenter Linked Mode operation.)

If you plan to use MCS, do not disable the Datastore Browser feature in vCenter Server (described in https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2101567). When you disable this feature, MCS does not work correctly.

You can use Citrix Provisioning (formerly Provisioning Services) and Machine Creation Services to provision:

legacy BIOS for supported Desktop or Server OS VMs.
UEFI for supported Desktop or Server OS VMs, including Secure Boot.

Required privileges

Create a VMware user account and one or more VMware roles. Base the creation of these roles on the level of granularity at which you need to assign users permissions. Define the privileges for each role, using the list of vCenter permissions that Citrix Virtual Apps and Desktops needs to perform the operations.

To grant permissions to a user, associate the user with the role at the data center level. For more about setting permissions in vCenter, see the VMware documentation.

The following tables show the mappings between Citrix Virtual Apps and Desktops operations and the minimum required VMware privileges.

Note:
The permissions list display name, specifically the User Interface, is different for some vSphere versions. For example, in vSphere 6.7 the User Interface permission is Change Memory and Change Settings, rather than Settings and Memory as described in the required privileges noted on this page.

Add connections and resources

SDK	User interface
System. Anonymous, System. Read, and System.View	Added automatically. Can use the built-in read-only role.

Provision machines (Machine Creation Services)

To provision machines using MCS, the following permissions are mandatory:

SDK	User interface
Datastore.AllocateSpace	Datastore > Allocate space
Datastore.Browse	Datastore > Browse datastore
Datastore.FileManagement	Datastore > Low level file operations
Network.Assign	Network > Assign network
Resource.AssignVMToPool	Resource > Assign virtual machine to resource pool
VirtualMachine.Config.AddExistingDisk	Virtual machine > Configuration > Add existing disk
VirtualMachine.Config.AddNewDisk	Virtual machine > Configuration > Add new disk
VirtualMachine.Config.AdvancedConfig	Virtual machine > Configuration > Advanced
VirtualMachine.Config.RemoveDisk	Virtual machine > Configuration > Remove disk
VirtualMachine.Config.CPUCount	Virtual machine > Configuration > Change CPU count
VirtualMachine.Config.Memory	Virtual machine > Configuration > Change memory
VirtualMachine.Config.Settings	Virtual machine > Configuration > Change settings
VirtualMachine.Interact.PowerOff	Virtual machine > Interaction > Power Off
VirtualMachine.Interact.PowerOn	Virtual machine > Interaction > Power On
VirtualMachine.Interact.Reset	Virtual machine > Interaction > Reset
VirtualMachine.Interact.Suspend	Virtual machine > Interaction > Suspend
VirtualMachine.Inventory.CreateFromExisting	Virtual machine > Inventory > Create from existing
VirtualMachine.Inventory.Create	Virtual machine > Inventory > Create new
VirtualMachine.Inventory.Delete	Virtual machine > Inventory > Remove
VirtualMachine.Provisioning.Clone	Virtual machine > Provisioning > Clone virtual machine
VirtualMachine.State.CreateSnapshot	vSphere 5.0, Update 2, vSphere 5.1, Update 1, and vSphere 6.x, Update 1: Virtual machine > State > Create snapshot; vSphere 5.5: Virtual machine > Snapshot management > Create snapshot

Storage Profile (vSAN)

To view, create, or delete storage policies during catalog creations on a vSAN datastore, the following permissions are mandatory:

SDK	User interface
storage.Profile-driven storage update	PROFILE-DRIVEN STORAGE > Profile-driven storage update
storage.Profile-driven storage view	PROFILE-DRIVEN STORAGE > Profile-driven storage view

Tags and Custom Attributes

Tags and custom attributes allow you to attach metadata to the VMs created in vSphere inventory and make it easier to search and filter these objects. To create, edit, assign, and delete tags or categories, the following permissions are mandatory:

SDK	User interface
Tagging.Create	vSphere Tagging > Create vSphere Tag
Tagging.Create	vSphere Tagging > Create vSphere Tag Category
Tagging.Edit	vSphere Tagging > Edit vSphere Tag
Tagging.Edit	vSphere Tagging > Edit vSphere Tag Category
Tagging.Delete	vSphere Tagging > Delete vSphere Tag
Tagging.Delete	vSphere Tagging > Delete vSphere Tag Category
Tagging.Assign	vSphere Tagging > Assign or Unassign vSphere Tag
Tagging.Assign	vSphere Tagging > Assign or Unassign vSphere Tag on Object
Global.ManageCustomFields	Global > Manage custom attributes
Global.SetCustomField	Global > Set custom attribute

Note:
When MCS creates a machine catalog, it tags the target VMs with special name tags. These tags differentiate the master image from MCS created VMs and prevent using MCS created VMs for image preparation. You can identify the difference by the value of XdProvisioned attribute in vCenter. The attribute is set to True if MCS creates VMs.

Provision machines (Citrix Provisioning)

All privileges from Provision machines (Machine Creation Services) and the following.

SDK	User interface
VirtualMachine.Config.AddRemoveDevice	Virtual machine > Configuration > Add or remove device
VirtualMachine.Config.CPUCount	Virtual machine > Configuration > Change CPU Count
VirtualMachine.Config.Memory	Virtual machine > Configuration > Memory
VirtualMachine.Config.Settings	Virtual machine > Configuration > Settings
VirtualMachine.Provisioning.CloneTemplate	Virtual machine > Provisioning > Clone template
VirtualMachine.Provisioning.DeployTemplate	Virtual machine > Provisioning > Deploy template

Power management

SDK	User interface
VirtualMachine.Interact.PowerOff	Virtual machine > Interaction > Power Off
VirtualMachine.Interact.PowerOn	Virtual machine > Interaction > Power On
VirtualMachine.Interact.Reset	Virtual machine > Interaction > Reset
VirtualMachine.Interact.Suspend	Virtual machine > Interaction > Suspend

Image update and rollback

SDK	User interface
Datastore.AllocateSpace	Datastore > Allocate space
Datastore.Browse	Datastore > Browse datastore
Datastore.FileManagement	Datastore > Low level file operations
Network.Assign	Network > Assign network
Resource.AssignVMToPool	Resource > Assign virtual machine to resource pool
VirtualMachine.Config.AddExistingDisk	Virtual machine > Configuration > Add existing disk
VirtualMachine.Config.AddNewDisk	Virtual machine > Configuration > Add new disk
VirtualMachine.Config.AdvancedConfig	Virtual machine > Configuration > Advanced
VirtualMachine.Config.RemoveDisk	Virtual machine > Configuration > Remove disk
VirtualMachine.Interact.PowerOff	Virtual machine > Interaction > Power Off
VirtualMachine.Interact.PowerOn	Virtual machine > Interaction > Power On
VirtualMachine.Interact.Reset	Virtual machine > Interaction > Reset
VirtualMachine.Inventory.CreateFromExisting	Virtual machine > Inventory > Create from existing
VirtualMachine.Inventory.Create	Virtual machine > Inventory > Create new
VirtualMachine.Inventory.Delete	Virtual machine > Inventory > Remove
VirtualMachine.Provisioning.Clone	Virtual machine > Provisioning > Clone virtual machine

Delete provisioned machines

SDK	User interface
Datastore.Browse	Datastore > Browse datastore
Datastore.FileManagement	Datastore > Low level file operations
VirtualMachine.Config.RemoveDisk	Virtual machine > Configuration > Remove disk
VirtualMachine.Interact.PowerOff	Virtual machine > Interaction > Power Off
VirtualMachine.Inventory.Delete	Virtual machine > Inventory > Remove

Obtain and import a certificate

To protect vSphere communications, Citrix recommends that you use HTTPS rather than HTTP.

HTTPS requires digital certificates. Use a digital certificate issued from a certificate authority that meets your organization’s security policy.

If you are unable to use a digital certificate issued from a certificate authority, you can use the VMware-installed self-signed certificate. Only use this method if your organization’s security policy permits it. Add the VMware vCenter certificate to each Delivery Controller.

Add the fully qualified domain name (FQDN) of the computer running vCenter Server to the hosts file on that server, at %SystemRoot%/WINDOWS/system32/Drivers/etc/. This step is required only if the FQDN of the computer running vCenter Server is not already present in the domain name system.
Obtain the vCenter certificate using any of the following three methods:
From the vCenter server.
1. Copy the file rui.crt from the vCenter server to a location accessible on your Delivery Controllers.
2. On the Controller, navigate to the location of the exported certificate and open the rui.crt file.
Download the certificate using a web browser. If you are using Internet Explorer, right-click on Internet Explorer and choose Run as Administrator to download or install the certificate.
1. Open your web browser and make a secure web connection to the vCenter server (for example https://server1.domain1.com).
2. Accept the security warnings.
3. Click the address bar displaying the certificate error.
4. View the certificate and click the Details tab.
5. Select Copy to file and export in .CER format, providing a name when prompted to do so.
6. Save the exported certificate.
7. Navigate to the location of the exported certificate and open the .CER file.
Import directly from Internet Explorer running as an administrator.
- Open your web browser and make a secure web connection to the vCenter server (for example https://server1.domain1.com).
- Accept the security warnings.
- Click the address bar displaying the certificate error.
- View the certificate.
Import the certificate into the certificate store on each of your Controllers.
1. Click the Install certificate option, select Local Machine, and then click Next.
2. Select Place all certificates in the following store, and then click Browse. Select Trusted People and then click OK. Click Next and then click Finish.
If you change the name of the vSphere server after installation, you must generate a new self-signed certificate on that server before importing the new certificate.

Configuration considerations

Create a master VM:

Use a master VM to provide user desktops and applications in a machine catalog. On your hypervisor:

Install a VDA on the master VM, selecting the option to optimize the desktop, which improves performance.
Take a snapshot of the master VM to use as a back-up.

Create a connection:

In the connection creation wizard:

Select the VMware connection type.
Specify the address of the access point for the vCenter SDK.
Specify the credentials for a VMware user account you set up earlier that has permissions to create VMs. Specify the user name in the form domain/username.

VMware SSL thumbprint

The VMware SSL thumbprint feature eliminates the need to manually create a host connection to a VMware vSphere hypervisor. It is no longer required to manually create a trust relationship between the Delivery Controllers in the Site and the hypervisor’s certificate before creating a connection.

The VMware SSL thumbprint feature stores the untrusted certificate’s thumbprint on the Site database. This configuration ensures that the hypervisor can be continuously identified as trusted by Citrix Virtual Apps and Desktops, even if not by the Controllers.

When creating a vSphere host connection in Studio, a dialog box allows you to view the certificate of the machine you are connecting to. You can then choose whether to trust it.

分享到QQ

分享到微博