workshop架構設計桌面池設計

1、VMware View 客戶交流交流大綱View項目流程需求分析，定義架構設計，桌面池設計協(xié)議（用RDP還是PCoIP）網(wǎng)絡接入View Manager的規(guī)劃設計vSphere 規(guī)劃設計用戶, 會話, 終端設備虛擬應用交付View運營管理（vCops）View后續(xù)版本需求收集與分析業(yè)務目標項目目標使用場景用戶類型桌面類型現(xiàn)有情況概念設計邏輯設計物理設計系統(tǒng)實施試運行運行和維護總體規(guī)劃View 項目整體思路VMware最佳實踐規(guī)范設計，實施健康檢查，優(yōu)化，調(diào)試解決特殊問題總體思路和需求分析first priority業(yè)務目標您的CIOs對企業(yè)桌面的愿景是什么?為什么會選擇VDI方案?提高桌面映像

2、的管理，包括集中升級，補丁，備份和恢復從數(shù)據(jù)中心對桌面系統(tǒng)進行集中管理將數(shù)據(jù)存放在數(shù)據(jù)中心，防止數(shù)據(jù)被竊取和法規(guī)遵從保證業(yè)務不受中斷保證用戶的隔離 （使用類似Terminal方式無法實現(xiàn)）做盡可能少的改變以保護現(xiàn)有用戶的使用體驗滿足用戶移動辦公的需要減少對現(xiàn)有桌面維護流程的修改定義項目期望您的期望是什么?怎樣衡量VDI項目是一個成功的項目?項描述期望1Users can continue to access and use applications and data pertinent to their job function.Yes/No.2Pilot users give usabili

3、ty of View solution an acceptable rating while using business related applications.User does not perceive any “l(fā)ag” while using applications pertinent to their job.3Users have an acceptable multimedia user experiennce.Same as or as close to same as physical desktop.4Performance of applications in Vi

4、ew is not adversely affected.Application launch time within 10% or better compared to legacy.5Pilot users give performance of View solution an average or higher rating.2.5 out of possible 5 in Performance metrics.6Users are able to access View solution from client access devices in the branches and

5、at HQ.Yes/No.7Number of virtual machines per core achieved with acceptable performance is at least eight.Yes/No.8Storage required per virtual desktop.No more than 5GB on average.9View user printing capabilities match or exceed legacy printing capabilities.Yes/No.Set/Measure your Expectationp定義項目期望Nu

6、mberDescriptionMessurement10The View solution allows maximum compression for known document formats (Office documents 2007 and 2010, PDF, TXT, images).Goal: 60% compression.11View user login time is not significantly longer than legacy desktops.User login completed no more than 10% additional time c

7、ompared to legacy.12View service is available if any View component fails.Yes/No.13Bandwidth use between virtual machines and file server (image streaming, profile streaming, application streaming).Less than 2Gbps peak.14WAN bandwidth use between session and user (remote display protocol).No more th

8、an 10Mbps for set of branch users (100).15Monitoring.Solution is compatible with current tools and no other products are required.16Troubleshooting/Stability.Number of service desk calls during pilot phase and average time-to-fix is no greater than current physical desktop support calls or time to f

9、ix.17View solution will provide a user personalization best practices architecture and guidelines or a software solution in order to prevent: Network contention because of large user profiles data.Files collision because of opening same file from several desktops (for example, from the physical and

10、virtual desktop).Yes/No.18View solution will provide a mechanism for AV updates on virtual desktops (frequent and non-frequent updates).Yes/No.使用場景Windows 7 遷移減少遷移成本最大程度地減少應用程序不兼容問題延長現(xiàn)有桌面軟件的使用期限合同工/EOIT/BYOPC部署和管理員工所擁有資產(chǎn)上的桌面映像集中控制桌面和數(shù)據(jù)分離公司和個人桌面遠程辦公室/分支機構通過集中管理桌面和用戶降低成本集中控制敏感數(shù)據(jù)簡化桌面和應用程序部署業(yè)務流程外包通過集中管理

11、桌面應用程序和用戶降低成本集中控制敏感數(shù)據(jù)簡化桌面和應用程序部署業(yè)務連續(xù)性/災難恢復支持最終用戶從遠程位置操作確保桌面全天候可用快速部署新桌面移動用戶無論是否連接網(wǎng)絡都可以訪問桌面增強脫機用戶的安全性和控制利用本地設備資源使用場景不同使用場景的區(qū)分包括下列關鍵因素:離線桌面.允許用戶自己安裝軟件.使用大量的圖形軟件.Internet 訪問(企業(yè)外部).是否使用瘦客戶機，家用PC或者KIOSK模式.分支機構 (WAN 接入).使用VoIP 或者 Microsoft OCS.使用消耗大量CPU和內(nèi)存的應用程序.使用打印機，掃描儀和USB設備.用戶可以按照使用的應用程序不同進行分組. (例如, 市場

12、部同事都用同一個安裝好一系列軟件的模板).陳舊的Terminal Services應用.設計階段需要收集的關鍵數(shù)據(jù)收集下列領域的評估數(shù)據(jù):用戶和用戶使用場所.登陸和注銷的時間和行為.外設.使用的客戶端設備配置.應用程序.桌面的負載.現(xiàn)有的虛擬架構的標準.存儲的容量和性能.網(wǎng)絡的容量和性能.基礎服務的容量和性能(AD, DNS, DHCP, file/print, email).安全架構現(xiàn)有的防病毒/防火墻/VPN方案及配置,可擴展性和性能.災難恢復 桌面系統(tǒng)的 RTOs and RPOs運維 現(xiàn)有的打補丁/系統(tǒng)管理/監(jiān)控的方案配置，可擴展性和性能.人數(shù) IT工作人員, VCP個數(shù), 崗位和職責

13、.設計階段需要收集的關鍵數(shù)據(jù)資源評估參數(shù)CPU 利用率Processor:% Process Time內(nèi)存Memory: Available in megabytes(Note that inventory data is necessary to calculate memory used)Memory: Peak Commit Charge(To assist with sizing the Windows page file)存儲通量存儲的IOPSPhysical Disk: Bytes Transferred/secPhysical Disk: Transfers/sec網(wǎng)絡通量Net

14、work Interface: Bytes Transferred/sec查看現(xiàn)有物理桌面環(huán)境下的資源使用情況Liquidware Labs Stratusphere or Lakeside Software Systrack VMP can be used to get the performance number; or you can use windows sysinternal tool PerfmonTips: View 架構設計設計的工作流架構設計中的關鍵組件單元設計一個常規(guī)的桌面單元包括 500-2000個虛擬桌面，分布在2個8節(jié)點的ESX/ESXI 群集上。由分布在外面的管理

15、單元進行管理.在左圖中, 每臺ESX/ESXI 主機包括2路8核的CPU, 一共提供16核128個虛擬桌面的運行. 這個單元包括兩個群集共計2048個桌面的運行。View management building block大規(guī)模部署設計1萬個桌面由5個桌面單元（每個單元2000個桌面）和一個管理單元構成View management building block桌面池設計桌面池的設計和使用場景進行對應, 定義桌面池的類型及屬性Use CasePool AttributeOptionsDesign DecisionUser makes few/many changes to the operat

16、ing system during the week.Use View ComposerYes/NoView Composer can significantly reduce storage requirements and enables single image management. mended if the users have restricted access to the underlying operating system.If users have access to install applications and change the operating syste

17、m, this reduces the storage saved with Composer.User data and profile is/is not stored on the network.User wants to install applications locally.User has a current virtual desktop.Desktop persistenceFloatingDedicatedFloating is mended as this decouples the user from a specific desktop and provides m

18、anagement and resource efficiency.Dedicated desktops are required where users have applications or data that they want to install or keep on a specific desktop. Similarly if a user has a desktop today that they use and manage, it could be allocated as a dedicated desktop.Dedicated desktops complicat

19、e management and disaster recovery because of the need to recover that specific desktop if anything happens to it.設計例子詳細定義每個桌面池的屬性每個桌面池最多512個虛擬機的軟限制。主要是從維護角度桌面的配置（邏輯設計）定義虛擬桌面的配置桌面的硬件配置（物理設計）定義虛擬桌面的虛擬硬件配置（包括硬件版本）最佳實踐浮動還是專有桌面? if users want to have specific data, applications keep on a specific deskto

20、p. If users data and profile in network, they dont touch OS/app change, use floating pool.是否采用連接克隆? (桌面是IT管理還是用戶自己管理？). 如果用戶需要修改系統(tǒng)設置，頻繁安裝各種軟件，不推薦使用鏈接克隆。離線模式桌面的硬件配置需要根據(jù)客戶端設備來進行設計(占用客戶端資源的比例).離線桌面在View5.0中尚不支持Hardware 版本8.VMware不推薦給桌面虛擬機配置多個vCPU.配置多個vCPU? 為單個虛擬機配置多個CPU將對ESX協(xié)調(diào)CPU的時間輪換產(chǎn)生影響. 提高單個虛擬機的CPU無

21、疑為降低ESX主機的虛擬機整合比. VMware推薦盡量少設置多個vCPUs 除非是必須需要多個CPU來處理比如多媒體轉換播放的應用.另外，1 vCPU多個核比多個單核的vCPU效率更高.配置更多的內(nèi)存? 給虛擬及配置更多的內(nèi)存會對存儲的使用造成很大的基于vmswap 文件和Windows paging files的浪費.分配太少內(nèi)存又會影響到用戶的體驗. 我們推薦盡量減少對內(nèi)存的過量分配，減少系統(tǒng)的pagefile的大小，采用disposable磁盤減少pagefile的占用和盡量避免暫停虛擬機。(swapfile = configured reservation，pagefile 大小一般

22、在256-內(nèi)存之間)桌面池電源策略. (保持虛擬桌面一直開機可以減少IO風暴和加速用戶登陸)虛擬桌面顯存的大小是在View的桌面池里進行設置的.如果使用PCoIP遇到一些限制, 請放心使用RDP！桌面操作系統(tǒng)的設計虛擬桌面的操作系統(tǒng)應該使用最新patch版本的批量License(VL). 通常情況下：Microsoft Windows XP Professional SP3 (VL) or Windows 7 SP1 Enterprise (VL). 根據(jù)具體需要選擇32位版本還是64位版本.安裝好系統(tǒng)之后，需要對系統(tǒng)進行優(yōu)化XP/Windows7 優(yōu)化桌面系統(tǒng)的優(yōu)化 - XP桌面系統(tǒng)優(yōu)化 W

23、indows7Windows 7 優(yōu)化請參考: VMware-View-OptimizationGuideWindows7-EN.pdf 并運行pdf附件中帶的腳本. Windows 7 優(yōu)化FromMicrosofts Jonathan Bennett: 下列網(wǎng)站提供了較好的關于VDI 優(yōu)化和規(guī)劃的報告: 在Windows7中，不能像XP那樣對default user進行定制! 建議采用腳本或者組策略來做.Tips: 桌面部署方式- Quickprep還是Sysprep采用quickprep還是sysprep?Tips: NewSID is retired. 核心提示： 不在域中，同SID沒

24、有問題。在域中，請確保域控沒有同SID。協(xié)議：RDP or PCoIPRDP & PCoIP比較單個RDP會話的最小帶寬是30Kbps, 放多媒體內(nèi)容則需要200Kbps. 一個好的參考是普通用戶平均需要100-150kbps. 中度和高負載用戶 (圖形密集的應用) 在200-250Kbps.PCoIP 協(xié)議和RDP協(xié)議最大的區(qū)別在于它的自適應性和其使用的是UDP協(xié)議。這種特性促使PCoIP能提供更好的用戶體驗。對PCoIP, Teradici 建議對每個用戶會話提供平均250-300Kbps. 單個用戶會話最高可能會跳到500Kbps-1Mbps. 通過使用客戶端的cache和禁用無損特性，

25、能節(jié)省高達75%的帶寬。高網(wǎng)絡延遲導致虛擬桌面的刷新緩慢，影響用戶體驗. 對單個操作任務例如鍵盤操作，鼠標操作，系統(tǒng)的反應時間應該少于150ms. 理想的操作延遲應該在0 to 150ms之間. 當網(wǎng)絡延遲達到200ms時，用戶體驗會下降. 當網(wǎng)絡延遲超過250ms后, 用戶體驗已經(jīng)沒有保證。（最多不能超過250ms)當你需要使用下列功能的時候，可以考慮使用RDP協(xié)議serial ports redirectionLocal drive mappingSome legacy applications(if issues with PCoIP)Multimedia on windows7（nee

26、d client support)PCoIP 仍然在快速進化PCoIP優(yōu)化（必做）根據(jù)實際情況設計網(wǎng)絡帶寬（WAN網(wǎng)接入）網(wǎng)絡接入View的連通中注意問題每一個View Connection server 都必須和所有的vCenter和虛擬桌面保持網(wǎng)絡連通.虛擬桌面必須能解析View連接服務器的全名.(FQDN) View Clients端必須能通過RDP或者PCoIP連通虛擬桌面（直連），或者能夠連通View安全服務器（如果采用Tunneling模式）View連接服務器必須能解析所有vCenter服務器的FQDN.網(wǎng)絡應針對PCoIP作優(yōu)化.Tips: DNS 在View環(huán)境中非常重要.確保

27、你所有的DNS服務器都能解析所有ViewManager的FQDN. (主從DNS）ViewManager能解析vCenter的FQDN.網(wǎng)絡端口碰到過黑屏然后斷開的情況嗎?99%的可能性是因為防火墻或者網(wǎng)絡根本不通.內(nèi)外網(wǎng)接入VMware 當前不推薦使用tunneling PCoIP 的基于TCP的SSL VPN. 這種方案完全較少了基于UDP協(xié)議的PCoIP帶來的好處。你可以選擇基于 UDP 的VPN方案或者可以使用完全免費的View安全服務器VPN 還是 安全服務器負載均衡當你配置LB設備的時候，你需要知道這些信息以配置設備負載均衡使用場景例如：當你既需要企業(yè)內(nèi)部直連又需要外部連接的時候，

28、你需要各自的連接服務器以滿足要求。Tips: 雙活View設計借助于Load balancing, 可以很方便的實現(xiàn)異地容災和雙活View Manager設計(connection server, security server, transfer server)View連接服務器To configure the Java heap size the following changes must be made in the registry:HKLMSOFTWAREVMware, Inc.VMware VDMPluginswsnmtunnelServiceParams -Xms128m -X

29、mx1024m -Dsimple.http.poller=simple.http.GranularPoller .vmware.vdi.front.SimpleConfigurator大規(guī)模的部署VCS需要調(diào)優(yōu)以滿足要求View連接服務器配置添加vCenter的信息你可以根據(jù)具體ESX的個數(shù)來修改并發(fā)數(shù)的默認值View連接服務器設置vCenter 全局設置改變SSO超時的設置。View5.0默認為15分鐘Start the ADSI Edit utility on your View Connection Server host.Select or connect to DC=vdi, DC=

30、vmware, DC=int.On the object mon, OU=Global, OU=Properties, set the pae-SSOCredentialCacheTimeout attribute to the new SSO timeout limit in minutes.The default value is -1, which means that no SSO timeout limit is set. A value of 0 disables SSO.Tips: View傳輸服務器（如果使用離線桌面）配置要求全局策略View的管理員模式（文件夾）Use bes

31、t practices for managing administrator users and groups to increase the security and manageability of the View environment.Because the Administrator role contains all privileges, assign it to a single user or to a limited set of users. Choose a local Windows user or group to have the Administrator r

32、ole.Create new user groups for administrators. Avoid using Windows built-in groups or other existing groups that might contain additional users or groups.Because it is highly visible and easily guessed, avoid using the name Administrator when creating administrators.Create folders to segregate sensi

33、tive desktops. Delegate the administration of those folders to a limited set of users.Create separate administrators who can modify global policies and View configuration settings.Note that View folders are not the same as vCenter Server folders where virtual machines are placed.創(chuàng)建獨立的View管理賬戶。根據(jù)需要創(chuàng)建

34、多個獨立子管理員進行不同部門的管理。vSphere規(guī)劃設計vSphere 架構Separate Virtual Desktop,View Management workload on different clusters.將管理服務器和虛擬桌面分布在不同的群集中主機設計(CPU,Memory)CPU NeededMemory NeededPhysical CPUPhysical Memory主機設計(CPU,Memory)VMware 推薦一個群集8臺ESX (in accordance with View Composer limits), 提供大約1000臺虛擬桌面, 其中包括一臺供HA使

35、用. 為什么有時候你發(fā)現(xiàn)ESX的內(nèi)存使用比較高？但是上面的虛擬機內(nèi)存使用率卻不高？ESX 內(nèi)存管理技術:允許過載TPSharing, Baloon, Vmkernel swap通常情況下實際CPU的使用小于60%存儲設計 虛擬機磁盤介紹存儲設計FSFCLCReplicaVMFS3264 - 12832NFS250#VM Per datastore第一次部署之后確保各個Datastore上分布的虛擬機的個數(shù)比較相當。另外存儲的容量使用應該 DOMAINviewdfsprofiles%USERNAME%Home Mapped to H drive DOMAINviewdfshome%USERNAM

36、E%Additionally, implement redirected folders by configuring the following GPO settings:User Configuration Windows Settings Folder Redirection configure application data, desktop, my documents to basic redirect to, for example: DOMAINviewdfshome%USERNAME%User Configuration Administrative Templates Sy

37、stem User Profiles Exclude Directories from Roaming Profile add the directories that have been redirected Application Data, My Documents, DesktopComputer Configuration Administrative Templates System Logon Always wait for network enabledThese settings optimize the roaming profile solution by reducin

38、g the amount of data in the profile and also verifying the desktop has network connectivity before attempting to load the roaming profile (thus removing the possibility of a temporary local profile).最佳實踐: 使用profile roaming 和 文件夾重定向1.采用 DFS/file 文件服務器2.對用戶進行存儲配額限制3.控制用戶權限防病毒（掃描和更新）避免負載風暴,如同時更新病毒定義和同時

39、掃描病毒。通常情況下VMware 推薦大的病毒升級應該通過更新父模板虛擬機來操作.防病毒軟件不應掃描VMware View logs.3. 采用VDI的防病毒方案：vShield endpoint + 病毒廠商提供SVM。Trend Micro - version 8.0 GAd in January Bit Defender - GAd in February Kaspersky - GA is targeted for early April. McAfee - Their GA is also targeted for early/mid April. Sophos - Early 2n

40、d HalfSymantec - Late 2nd Half (probably Q4)2012年主流防病毒廠商都會支持vSheild Endpoint虛擬機角色應用程序操作系統(tǒng)內(nèi)核BIOS虛擬機角色應用程序操作系統(tǒng)內(nèi)核BIOS虛擬機角色應用程序操作系統(tǒng)內(nèi)核BIOSSVM操作系統(tǒng)VMware vSphereAV加強型自檢2012年，主流廠商都會支持vShield Endpoint, 請咨詢第三方廠商虛擬打印 兩種方式Thinprint .thinprint engin （打印重定向的技術）.support only on Windows client. . Printer redirectio

41、n installs a universal print driver in the guest, and sends print jobs over a secure session channel to the client, which does the printing on behalf of the guest. In this case the guest acquires a list of printers from the client when the session starts.2. Location based printing （網(wǎng)絡打?。￤ith locatio

42、n-based printing, the clients MAC address is used to look up a list of local printers, and the guest prints directly to them. This requires that the client-local printers be reachable from the guest. Support all clients.VoIP 語音視頻電話View offers the ability for unified communications vendors to plug into the View Client and integrate VoIP into a View desktop without needing to run the VoIP tra