The Odyssey of building a lightweight VMware View Linux workstation for Horizon 6

We want to reuse some rather old Windows workstations until we replace them with zero or thin client terminals. We selected a lightweight Linux OS to replace Windows and avoid the need for Microsoft licenses. On the other end, we have deployed VDI desktops on the Horizon View 6 platform. The desktop pool consists of floating dedicated desktops with persistent disks.

Let’s walk through the steps to build the lightweight workstation. Unfortunately, quite a few settings must be configured!

1. Install a lightweight Linux OS

Go to http://lubuntu.net/ and download the latest version of Lubuntu Linux. In my case, this was version 15.04.

  • Burn the iso image on a CD
  • Install Lubuntu
  • Enable the user to log in to the workstation automatically
  • Configure network settings or use your DHCP server
  • Connect to the internet
  • Go to System Tools – Software Updater to install the latest updates.
  • Reboot.

2. Download the vmware-view client

Go to https://www.vmware.com/go/viewclients and download the latest VMware Horizon Client for Linux. In my case, this is the VMware-Horizon-Client-3.2.0-2331566.x86.bundle.

3. Install vmware-view client

Open a Unix terminal and go to the Downloads folder

cd ~/Downloads

Give execute permissions to the VMware View bundle file

chmod +x VMware-Horizon-Client-3.2.0-2331566.x86.bundle

Execute the file with root permissions

sudo ./VMware-Horizon-Client-3.2.0-2331566.x86.bundle

At the end of the installation wizard press the scan button to check for compatibility issues. It returns errors for libudev.so.0, libcrypto.so.1.0.1 and libssl.so.1.0.1 libraries.

Now, if you run vmware-view in the terminal, you will get the following error:

We have to create the following symbolic links as root to resolve the errors:

sudo ln -s /lib/i386-linux-gnu/libssl.so.1.0.0 /lib/i386-linux-gnu/libssl.so.1.0.1
sudo ln -s /lib/i386-linux-gnu/libcrypto.so.1.0.0 /lib/i386-linux-gnu/libcrypto.so.1.0.1
sudo ln -s /lib/i386-linux-gnu/libudev.so.1 /lib/i386-linux-gnu/libudev.so.0

If you run the vmware-view client, you will notice that

  • It supports only PCoIP protocol
  • A warning will inform you that the installed openssl version is old. Actually this version is vulnerable to the Heartbleed bug.
  • USB redirection does not work
  • Finally an SSL root certificate should be installed

4. Support RDP protocol

Install the freerdp application by running

sudo apt-get install freerdp

Try vmware-view again by selecting the RDP protocol (Connection – Settings) to connect to Horizon View 6 platform.

5. Install the latest version of openssl

Unfortunately, the Lubuntu software update does not upgrade openssl to the latest version. If you run sudo apt-get install openssl, nothing happens.

Go to ftp://ftp.us.debian.org/debian/pool/main/o/openssl and download the latest versions of libssl and openssl. In my case, these are libssl1.0.0_1.0.2a-1_i386.deb and openssl_1.0.2a-1_i386.deb.

First remove the old openssl package.

sudo apt-get remove openssl

I removed everything.

Go to Downloads and install the aforementioned packages as root.

cd ~/Downloads
sudo dpkg --install libssl1.0.0_1.0.2a-1_i386.deb
sudo dpkg --install openssl_1.0.2a-1_i386.deb

Now if you check the version by running openssl version, it should return OpenSSL 1.0.2a 19 Mar 2015.

During the package removal, the symbolic links were deleted, so recreate them, this time pointing to the new library paths.

sudo ln -s /usr/lib/i386-linux-gnu/libssl.so.1.0.0 /lib/i386-linux-gnu/libssl.so.1.0.1
sudo ln -s /usr/lib/i386-linux-gnu/libcrypto.so.1.0.0 /lib/i386-linux-gnu/libcrypto.so.1.0.1

Now vmware-view does not display the openssl warning message.
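An added example, not part of the original post: a mistyped source path makes ln -s create a dangling link without any error, and the link name says nothing about which OpenSSL build it really points to. The script checks that the three links from the article resolve and reports the version string embedded in each target; the LIBDIR variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the compatibility symlinks that vmware-view loads.
# Library names and the default directory are the ones used in the article.

# Print the first "OpenSSL x.y.z" version string embedded in a library file.
embedded_version() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' "$1" | head -n 1
}

# check_link DIR NAME
# Returns 0 if DIR/NAME is a symlink that resolves to a regular file,
# 1 if it is missing, 2 if it does not resolve, 3 if it is not a symlink.
check_link() {
    link="$1/$2"
    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then
            echo "$2: regular file, not a compatibility link"
            return 3
        fi
        echo "$2: missing"
        return 1
    fi
    if [ ! -f "$link" ]; then        # -f follows the link to its target
        echo "$2: DANGLING -> $(readlink "$link")"
        return 2
    fi
    ver=$(embedded_version "$link")  # empty for libudev, which is expected
    echo "$2: ok -> $(readlink "$link") ${ver:+[$ver]}"
    return 0
}

# Check all three links; the return value is the number that failed.
check_all() {
    dir="${1:-/lib/i386-linux-gnu}"
    bad=0
    for name in libssl.so.1.0.1 libcrypto.so.1.0.1 libudev.so.0; do
        check_link "$dir" "$name" || bad=$((bad + 1))
    done
    return "$bad"
}

check_all "${LIBDIR:-/lib/i386-linux-gnu}" || echo "fix the links listed above"
```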

6. Install the Domain Root Certificate

First copy the company’s root certificate to the Downloads folder, e.g. company.crt, and install the ca-certificates package as root.

sudo apt-get install ca-certificates

Copy the root certificate to the /usr/local/share/ca-certificates folder

sudo cp ~/Downloads/company.crt /usr/local/share/ca-certificates/

Install and trust the certificate

sudo update-ca-certificates

The URL link goes green!

7. Enable USB Redirection

VMware View client 3.2 for Linux supports USB redirection.

Go to the /etc folder and edit the rc.local file as root.

cd /etc
sudo vi rc.local

Insert the following lines before the exit 0 command:

/usr/lib/vmware/view/usb/vmware-usbarbitrator
/usr/lib/vmware/view/usb/vmware-view-usbd

Finally, reboot the workstation and connect to Horizon View. Notice that USB redirection works with the PCoIP connection protocol and with RDP as well.

8. Post installation jobs

Disable screenlock

Go to Preferences -> Power Manager

On the Security tab, select “Never” for “Automatically lock the session”


Autostart vmware view client

Go to Preferences -> Default applications for LXSession -> Autostart
Under “Manual autostarted applications”, type in

vmware-view --nomenubar --fullscreen
or
vmware-view --kioskLogin --nonInteractive --once --fullscreen --nomenubar --serverURL="server.mycomany.com" --userName="username" --password="password"

depending on your taste, and press the “Add” button

Check out the https://www.vmware.com/pdf/horizon-view/horizon-view-client-linux-document.pdf document for more options.

At any time, <Ctrl><Esc> brings up the Start Menu.
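An added example, not part of the original post: the kiosk variant above keeps the account password in clear text in the autostart entry. This check flags such entries and reports whether the file is readable by other accounts; the autostart path (Lubuntu's LXSession profile under ~/.config) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag vmware-view autostart entries that embed a password.
# The default AUTOSTART path is an assumption (Lubuntu LXSession profile).

# Print the line numbers of vmware-view entries that carry --password.
password_lines() {
    grep -n -e 'vmware-view.*--password[= ]' "$1" 2>/dev/null | cut -d: -f1
}

# Succeeds if the file's mode grants read access to group or other.
readable_by_others() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# audit_autostart FILE
# Returns 0 if no password is stored, 1 if one is stored in a private file,
# 2 if one is stored and the file is readable by group or other.
audit_autostart() {
    file="$1"
    [ -f "$file" ] || { echo "no autostart file at $file"; return 0; }
    lines=$(password_lines "$file")
    [ -n "$lines" ] || { echo "ok: no --password in $file"; return 0; }
    for n in $lines; do
        echo "$file:$n: cleartext --password"   # never echo the value itself
    done
    if readable_by_others "$file"; then
        echo "$file: readable by group/other, tighten with chmod 600"
        return 2
    fi
    return 1
}

audit_autostart "${AUTOSTART:-$HOME/.config/lxsession/Lubuntu/autostart}" || true
```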

Good luck!

 


How to secure the internet side of your Citrix Netscaler

This is a two-minute guide to securing the internet side of your Netscaler. We will set up two parameters: “Deny SSL Renegotiation” and the acceptable ciphers.

A. Deny SSL Renegotiation

Go to the Traffic Management – SSL page on your Netscaler and press the “Change Advanced SSL Settings” link.

Change advanced SSL Settings

The advanced SSL settings will appear. Notice that the default value of the “Deny SSL Renegotiation” property is “NO”. Change it to “FRONTEND_CLIENT”.

Deny SSL Renegotiation

You may want to change it to the strict value “ALL” depending on your web farm structure. This setting is usually a finding after a penetration test, so set it up to avoid SSL Renegotiation Denial of Service attacks.

B. Configure the Cipher Group

Go to the SSL tab in your virtual server and select Ciphers. The configured Cipher Group is called “DEFAULT” and includes 128bit strength ciphers. Remove this value and in the available Cipher Groups pane, select “HIGH”. This group includes high strength 168bit encryption ciphers. The available ciphers pane lists the acceptable ciphers of the selected group.

All modern browsers are compatible with these ciphers, so go ahead and use them.

Cipher Groups

Do the same for all your virtual servers.

Prevent Remote Desktop Services Interactive Logon but allow RemoteApps to run

When you enable RemoteApps to run using Microsoft’s Remote Desktop Services, it is usually desirable to prevent users from logging on to their Remote Desktops. A workaround for this issue is to terminate the Remote Desktop session when someone tries to log in. To accomplish this, run the “Remote Desktop Session Host Configuration” application, right-click the RDP-Tcp connection name and select its properties.

Remote Desktop Session Host Configuration

Then go to the Environment tab and select the “Start the following program when the user logs on:” option. Finally, type in the path of the logoff.exe file, c:\windows\system32\logoff.exe.

RDP-Tcp Properties

Now, try to connect to your RDS server with Remote Desktop Connection.

Clone a VMware’s VM without vCenter in ESXi 5.x by commands (the official way)

Almost a year ago, I wrote an article about cloning VMware VMs via the vSphere client GUI, and actually this is one of the most viewed posts in my blog. That method had the disadvantage of keeping the vm filenames the same. Let’s see an official way of cloning VMware vms using the vmkfstools command. Of course this method works with the free edition of ESXi 5.5 as well. I will show the procedure by cloning a snapshot of a vm, since this is a little more tricky than cloning just a single vm.

First let’s make a snapshot of my Xp3 vm. Right click the vm and make a snapshot; let’s call it “mySnapshot”. Of course you don’t need to do this if you just want to clone a single vm. After that, shut down the vm, otherwise the files will be locked.

vm snapshot

Now enable the ssh service on your ESXi host by going to the configuration tab and the security policy option. Just start it for the moment; you don’t need to set it to start automatically. Use an ssh client like putty and connect to the hypervisor. Browse the folder under the /vmfs/volumes path. It should look like this

datastores

so type

cd /vmfs/volumes
ls -la

In my case I have two datastores and my Xp3 vm is in datastore2, so let’s get into it.

Xp3 vm and snapshot

cd datastore2
ls -la

As you can see now, there is more than one vmdk disk file: the flat vmdk, the delta vmdk and the vmdk descriptor file (the Xp3-000001.vmdk file in our example), along with the memory snapshot and various control and log files. What we should use here as a source file is the descriptor file that points to our snapshot. If you didn’t have a snapshot, the source file would be the vmdk descriptor file of your vm, Xp3.vmdk.

Now, what I need to do is clone my Xp3 snapshot to a new Xp4 vm. First create the destination folder in the datastore2 folder by typing in the following command

mkdir Xp4

and clone the disk file

vmkfstools -i /vmfs/volumes/datastore2/Xp3/Xp3-000001.vmdk /vmfs/volumes/datastore2/Xp4/Xp4.vmdk -d thin

If it were a single vm without a snapshot, you would run

vmkfstools -i /vmfs/volumes/datastore2/Xp3/Xp3.vmdk /vmfs/volumes/datastore2/Xp4/Xp4.vmdk -d thin

If you list the files in the destination folder, you will see the new flat file and the descriptor file.

cloned disk files

The actual syntax of the vmkfstools command is

vmkfstools -i source_path destination_path -d disk_format -a adapter_type

Type man vmkfstools for more on this command.

Finally create a new vm and force the use of an existing disk file.

create new vm

use existing virtual disk

select the cloned vmdk

You are ready to power it on.

power on

If you list the folder of the cloned vm, you will see something like this

cloned vm files

Don’t forget to use the sysprep command in Windows to generalize your new virtual machine. More on this at the end of my previous article.

Reference: VMware’s website article

Configuring a 2nd local partition on Citrix Xenserver 6.2

Recently, I came across a server with two storage arrays, one hdd and one ssd. Citrix Xenserver was installed on the first storage array and the second one was not configured. I had to ssh to the Xenserver host and run a few commands to make Xenserver see the 2nd array properly.

First run fdisk -l

fdisk command

As you can see, /dev/sda is the first storage array and the /dev/sdb partition is not valid. So run pvcreate /dev/sdb to initialize the sdb physical storage device as an LVM physical volume.

pvcreate command

Finally create the local storage repository by running

xe sr-create type=lvm content-type=user device-config:device=/dev/sdb name-label="Local SSD"

sr-create command

Now the new storage disk will appear in XenCenter under the “Local SSD” label.