ACE 2 Admin Manual
Contents
1. [Figure: database schema diagram. Tables shown: PolicyDb_Instance, PolicyDb_EventType, PolicyDb_LongField, PolicyDb_Event, PolicyDb_Package, PolicyDb_UserData, PolicyDb_RuntimePolicy, PolicyDb_Access.]
2. -- Runtime policy for the guest OS
   -- If too long, store in LongField table
   -- Runtime policy for the host OS
   (Appendix: Using the VMware ACE 2 Management Server Database Schema and Querying the Audit Event Log Data)
   hostPolicyDataExtKey VARCHAR(128) -- If too long, store in LongField table
   expirationType INTEGER NOT NULL -- Expiration Type (enum)
   expValue_1 VARCHAR(21) NOT NULL -- Expiration value, depends on type
   expValue_2 VARCHAR(21) NOT NULL -- Expiration value, depends on type
   cacheLifetime VARCHAR(21) NOT NULL -- How long could work without server
   rtpInstType INTEGER NOT NULL -- Instantiation authentication check type
   rtpAuthType INTEGER NOT NULL -- Runtime authentication check type
   rtpUseInstanceLimit VARCHAR(7) DEFAULT FALSE NOT NULL -- Limit number of instances for this ACE
   rtpInstanceLimit INTEGER NOT NULL -- Max no. of ACE instances allowed
   rtpUsePerUserInstanceLimit VARCHAR(7) DEFAULT FALSE NOT NULL -- Limit number of instances per user
   rtpPerUserInstanceLimit INTEGER NOT NULL -- Max no. of ACE instances per user
   copyPolicy INTEGER DEFAULT NOT NULL -- Behavior if VM instance is copied
   published VARCHAR(7) DEFAULT FALSE NOT NULL -- Policy published (update locked)
   rtpTsCreated VARCHAR(21) DEFAULT NOT NULL -- Creation timestamp
   rtpTsLastModified VARCHAR(21) DEFAULT NOT NULL -- Last modified timestamp
   deleted VARCHAR(7) DEFAULT FA
3. auto configuration
   (VMware ACE Administrator's Manual)
   guestConfigMsg VARCHAR(512) -- Message for the guest auto config
   insTsCreated VARCHAR(21) DEFAULT NOT NULL -- Creation timestamp
   insTsLastModified VARCHAR(21) DEFAULT NOT NULL -- Last modified timestamp
   deleted VARCHAR(7) DEFAULT FALSE -- Is this entry deleted (tombstone)
   insCustom1 VARCHAR(255) -- User defined field
   insCustom2 VARCHAR(255) -- User defined field
   insCustom3 VARCHAR(255) -- User defined field
   insCustom4 VARCHAR(255) -- User defined field
   insCustom5 VARCHAR(255) -- User defined field
   insCustom6 VARCHAR(255) -- User defined field
   insCustom7 VARCHAR(255) -- User defined field
   insCustom8 VARCHAR(255) -- User defined field
   insCustom9 VARCHAR(255) -- User defined field
   PRIMARY KEY (instanceUID)
   FOREIGN KEY (packageUID) REFERENCES PolicyDb_Package (packageUID)
   FOREIGN KEY (aceUID) REFERENCES PolicyDb_Ace (aceUID)

   -- MAC Address Pool (reserved for future use)
   CREATE TABLE PolicyDb_MacPool
   macPoolUID VARCHAR(128) -- primary key
   aceUID VARCHAR(128) NOT NULL -- ACE for which this MacPool is used
   macPoolName VARCHAR(128) -- User visible name
   description VARCHAR(128) -- name and description of the MAC pool
   rangeStart VARCHAR(21) NOT NULL -- Start address of the MAC pool
   rangeEnd VARCHAR(21) NOT NULL -- End address of the MAC pool
   lastAssigned VARCHAR(21) NOT N
4. "Understanding the Interaction of Host Access and Guest Access Filters With Tunneling Protocols" on page 146.

   Before You Begin: Read These Notes About Host Policies

   Keep these facts in mind as you set host policies:

   CAUTION: A host machine for ACE instances can have only one host policy file. If you try to install an ACE package with a host policy file on a machine that already has a host policy file, and the new package is from an ACE master that is different from the one already installed, the package install fails.

   CAUTION: Host policy settings might conflict with settings in certain other software running on the host computer, for example, software firewalls. For information on configuring software on the host computer to avoid these conflicts, see http://www.vmware.com/info?id=110.

   - A host policy is in effect even when no ACE instances are running. The policy effect starts immediately after installation and comes up every time the host system boots.
   - Host policy can refer to both host network access policy settings and to host network configuration settings (for more about the latter, see "Network Properties (Packaging)" on page 145).
   - You need to create and deploy a new package in order for the host policy to take effect. If you create packages with a managed ACE master that do not contain a host policy, and then later edit the master's network access policy to include a host policy and publish the change
5. Install the package on your test system and start up setup.exe to open the Installation Wizard. Follow the wizard steps to install the package. Start up VMware Player and then use it to activate and run the ACE instance. Verify that the ACE instance is configured as you had intended and runs as you had planned. Shut down the guest operating system in the ACE instance and then exit from Player.

   Post-Deployment End-to-End Test

   You can run an end-to-end test on an updated package to replace a deployed ACE package without affecting active ACE instances. Preview mode cannot be used to test host policies or ACE packages that will be deployed on a Linux host. Instead, you must perform end-to-end testing.

   - For managed ACE masters: Create a clone of the ACE master, move the clone to a server that you have designated as a test server, make the desired changes in the clone, and then package, install, and test it. After you have verified that the changes are correct, duplicate the changes that you made on the clone to your original ACE master. Finally, delete the clone. See "To run an end-to-end post-deployment test using an ACE 2 Management Server test server" on page 208 for details.
   - For standalone ACE masters: Package the ACE master, install it on another computer, and test it there. See "To run an end-to-end post-deployment test on another computer" on page 209 for details.
6. NOTE: If an ACE instance gets stuck while taking a powered-off snapshot (for example, at a message that says you can power off your machine), issue the command to take a powered-off snapshot again to force the machine to power off. The machine will be powered on again and the snapshot will have been taken.

   You can also replace an existing user snapshot. Choose Player > Snapshot > Take Snapshot and choose Yes in the message dialog that appears, asking if you want to replace the previous snapshot.

   If the administrator has enabled the option to revert to the user snapshot, you can revert the ACE to the existing snapshot by choosing Player > Snapshot > Revert to Snapshot.

   If you are permitted to take a user snapshot, you can also remove it. Select Player > Snapshot > Delete Snapshot.

   Using Shared Folders

   Shared folders allow you to share files between an ACE and the host computer. You cannot change the shared folder options in the Shared Folders dialog box (Player > Shared Folders) for an ACE unless it is running in administrator mode. See "About the Enter Administrator Mode Command on the Troubleshoot Menu" on page 235 for information about that mode.

   Printing from VMware Player

   If your system administrator has enabled the print feature for your ACE, you can print from applications in the ACE as you would on the host system. You can choose which host
7. NOTE: This test might take a long time because packaging and encryption processes can be lengthy.

   To run an end-to-end post-deployment test using an ACE 2 Management Server test server

   1. Select the ACE master and choose ACE > Clone to open the Clone to ACE Master Wizard.
   2. On the Clone Source page, select From current state and click Next.
   3. On the Clone Type page, select Create a linked clone and click Next.
   4. On the Name of the New ACE Master page, accept the default name and location by clicking Next.
   5. On the ACE Management Server page, enter the name and port number of the test server, or select the server from the history list, and click Next.
   6. On the Cloning ACE Master page, click Done after checkmarks appear next to all steps on the page.
   7. Edit policies and other settings to make the needed changes and then save them.
   8. Click Create New Package to start the New Package Wizard, and then follow the wizard steps to create the package. See details at "Creating a Package" on page 192.
   9. Navigate to the package's location on your system and start up setup.exe to open the Installation Wizard. Follow the wizard steps to install the package.
   10. Start up VMware Player and then use it to activate and run the ACE instance.
   11. Verify that the ACE instance is configured as you had intended and runs as you had planned.
   12. In the Workstation ACE Edition interface, select the ACE master in the server location w
8. The Event Logging mechanism captures enough information to answer questions like these:

   - Who activated instance X?
   - When was instance X activated?
   - Who revoked instance X?
   - Who turned off copy protection policy?
   - What changes to policy were made on such a date?
   - Who is failing to authenticate?

   The mechanism does not necessarily answer these questions directly, but provides enough data so that an administrator can view event logs and find answers to those questions.

   The data being logged meets the following requirements:

   - Provide details of each transaction served.
   - Centralize the gathering of event log data when multiple servers are used.
   - Provide a means for administrators to select which type of transactions they care to log information about.
   - Can be configured to provide more or less logs when necessary.

   Some of this audit trail is already in plain view by other features of the product. For example, the instance viewer displays the date of the last policy get operation, or the expiration date, etc. The event logging mechanism can answer more difficult questions, or ones that are not often asked, such as which administrator made which policy changes, which administrator revoked such instance, which administrator deleted this ACE.

   The following data is stored in a log entry (fields in the PolicyDb_Event table):

   - Audit log event ID (PK) an
9. instanceUID VARCHAR(128) -- UID of the instance affected by event
   policyVersion INTEGER -- Version of ACE policy affected by event
   eventCategory INTEGER -- Event Category as defined in EventType
   eventType INTEGER -- Event Type as defined in EventType
   sessionID VARCHAR(128) -- Ace Server Session ID
   clientIP VARCHAR(128) -- IP Address of the client machine (resvd)
   serverIP VARCHAR(128) -- IP Address of the Ace Server (reserved)
   turnaroundTime VARCHAR(21) -- Server side execution time in ms
   handlerName VARCHAR(128) -- Name of the ClientLib handler (debug)
   returnCodeText VARCHAR(128) -- Text error code returned to the client
   messageParams VARCHAR(1024) -- Tab separated list of event data
   prevEventUID INTEGER UNIQUE -- UID of the previous recorded event
   eventSignature VARCHAR(128) -- Event signature signed with server key
   FOREIGN KEY (eventType) REFERENCES PolicyDb_EventType (eventType)
   FOREIGN KEY (prevEventUID) REFERENCES PolicyDb_Event (eventUID)
   PRIMARY KEY (eventUID)

   Note the following about the database schema:

   - A few tables with system-internal information and indices are not listed.
   - Boolean values are stored as strings with TRUE or FALSE value.
   - Timestamps are stored as decimal 64-bit number strings showing the number of microseconds from 12:00 AM, 01/01/1970.
   - Other dates/times are stor
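   The schema notes above are enough to query the audit log from the default SQLite store with ordinary tooling. The following is an added example, not code from the VMware manual: it decodes the microsecond timestamps, splits the tab-separated messageParams, and uses prevEventUID to flag events whose predecessor row is missing. Assumptions: the column types for eventUID, eventTs and loginName, treating the 1970 epoch as UTC, and all sample rows and event type numbers, which are constructed; eventSignature is not checked because the page does not describe its format.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed subset of PolicyDb_Event: only columns named on this page.
# The types of eventUID, eventTs and loginName are assumptions.
SCHEMA = """
CREATE TABLE PolicyDb_Event (
    eventUID       INTEGER PRIMARY KEY,
    eventTs        VARCHAR(21),
    loginName      VARCHAR(128),
    instanceUID    VARCHAR(128),
    eventCategory  INTEGER,
    eventType      INTEGER,
    messageParams  VARCHAR(1024),
    prevEventUID   INTEGER UNIQUE,
    eventSignature VARCHAR(128),
    FOREIGN KEY (prevEventUID) REFERENCES PolicyDb_Event (eventUID)
);
"""

# Constructed sample rows. Category/type numbers are made up, not the
# product's enum values. Row 4 names predecessor 3, which is absent,
# as it would be if an audit row had been deleted.
SAMPLE_ROWS = [
    (1, "1175613062000000", "admin1", "inst-A", 4, 401, "inst-A\tactivated", None, "sig-1"),
    (2, "1175613122000000", "admin2", "inst-A", 4, 402, "inst-A\trevoked", 1, "sig-2"),
    (4, "1175613242500000", "admin1", "inst-B", 4, 401, "inst-B\tactivated", 3, "sig-4"),
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # UTC is an assumption


def build_sample_db():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    # Keep FK enforcement off so the sample can contain a dangling reference.
    conn.execute("PRAGMA foreign_keys = OFF")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO PolicyDb_Event VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def ts_to_utc(ts):
    """Decimal string of microseconds since 1970-01-01 -> aware datetime."""
    return EPOCH + timedelta(microseconds=int(ts))


def split_params(raw):
    """messageParams is a tab-separated list of event data."""
    return raw.split("\t") if raw else []


def events_for_instance(conn, instance_uid):
    """Timeline for one instance: who did what, and when."""
    rows = conn.execute(
        "SELECT eventUID, eventTs, loginName, eventType, messageParams "
        "FROM PolicyDb_Event WHERE instanceUID = ? "
        "ORDER BY CAST(eventTs AS INTEGER)", (instance_uid,)).fetchall()
    return [{"eventUID": r["eventUID"],
             "when": ts_to_utc(r["eventTs"]),
             "loginName": r["loginName"],
             "eventType": r["eventType"],
             "params": split_params(r["messageParams"])} for r in rows]


def audit_chain_report(conn):
    """Check the prevEventUID links for signs of missing audit rows."""
    missing = conn.execute(
        "SELECT e.eventUID, e.prevEventUID FROM PolicyDb_Event e "
        "LEFT JOIN PolicyDb_Event p ON p.eventUID = e.prevEventUID "
        "WHERE e.prevEventUID IS NOT NULL AND p.eventUID IS NULL "
        "ORDER BY e.eventUID").fetchall()
    heads = conn.execute(
        "SELECT eventUID FROM PolicyDb_Event "
        "WHERE prevEventUID IS NULL ORDER BY eventUID").fetchall()
    tails = conn.execute(
        "SELECT eventUID FROM PolicyDb_Event WHERE eventUID NOT IN "
        "(SELECT prevEventUID FROM PolicyDb_Event "
        " WHERE prevEventUID IS NOT NULL) ORDER BY eventUID").fetchall()
    return {
        # events whose recorded predecessor no longer exists
        "missing_predecessors": [(r[0], r[1]) for r in missing],
        # events with no predecessor; an intact chain has one
        "heads": [r[0] for r in heads],
        # events nothing points back to; an intact chain has one (the newest)
        "tails": [r[0] for r in tails],
    }


if __name__ == "__main__":
    db = build_sample_db()
    for event in events_for_instance(db, "inst-A"):
        print(event["when"].isoformat(), event["loginName"], event["params"])
    print(audit_chain_report(db))
```

   A missing predecessor or more than one tail is a reason to compare the table against a database backup before relying on the log.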
10. Click Next to continue. If you selected a server that is integrated with an Active Directory service, the Active Directory page appears. Select whether to use Active Directory with this ACE master. Then click Next.

    On the Ready to Complete page, click Next. The Creating ACE Master from Virtual Machine page shows progress and then displays a success or failure message. Click Close to exit the wizard.

    Networking ACE Instances

    In the ACE instances you create for your users, you are most likely to use NAT or bridged networking with an IP address provided by a DHCP server. For details on networking, see the Workstation User's Manual.

    ACE Master Settings

    See "ACE Menu" on page 38 for a complete list of ACE master settings and descriptions of how to apply the settings.

    ACE Server Settings

    You can use the ACE Server dialog box in the ACE menu to change the server that manages an ACE master.

    [Figure: ACE Management Server settings dialog box]

    To change the ACE 2 Management Server for an ACE master

    1. Select the ACE master whose server setting you want to change.
    2. Choose ACE > ACE Server.
    In the
11. can use disk drives and USB devices at any one time. If your ACE is configured to use the device, and if you want to use that device directly on your host computer, you must first be sure it is disconnected from the ACE. The Ethernet adapter can be shared by the host computer and the ACE.

    Setting VMware Player Preferences

    You can set preferences that control the behavior of VMware Player. The options available to you depend on choices made by your system administrator. To change the preferences, choose Player > Preferences. The Preferences dialog box appears. If your system administrator has made them available, you can set the preferences described below.

    (Chapter 11: Installing and Using VMware Player and ACE Instances)

    The exit behavior preferences allow you to specify the following:

    - Confirm before exiting the application: If selected, when you give the command to exit VMware Player, a dialog box appears. You can confirm the intention to exit VMware Player or click Cancel to continue using VMware Player.
    - Suspend the virtual machine when exiting: If selected, VMware Player suspends the ACE and closes. The next time you launch VMware Player, the ACE resumes operation from the point where it was suspended.
    - Power off the virtual machine when exiting: If selected, VMware Player powers off the ACE. The next time you launch VMware Player, the ACE starts from a powered-off state and the guest operating system
12. in the VMware Workstation User's Manual. In addition to the standard Workstation window elements, the Workstation ACE Edition window includes:

    - ACE master icons in the Sidebar
    - The Recent ACE 2 Management Servers segment in the Sidebar
    - Summary views with layouts and commands specific to ACE masters
    - New ACE Master and Open Existing VM, Team, or ACE Master icons on the Home page
    - Instance view for ACE instances that are activated and tracked on an ACE 2 Management Server
    - The ACE menu
    - The ACE Master Toolbar, containing Edit Policies, Edit Package Settings, Create new package, Create Pocket ACE package, and Preview in Player icons
    - The New ACE Master and Connect to ACE 2 Management Server commands in the File menu

    The following subsections describe how to use these Workstation ACE Edition window elements.

    ACE Master Icons in the Sidebar

    The ACE Master icon designates the item as an ACE master, a virtual machine template created by the ACE administrator. The master can be configured with various policies and devices and package settings, and then used as the basis for creating any number of packages to be sent to ACE users.

    Adding ACE Masters to ACE 2 Management Servers

    If you have installed and configured one or more ACE 2 Management Servers, you can associate ACE masters to those servers and then use the servers to activate instances, track instances
15. ACE 2 is used across an organization to:

    - Ensure secure, controlled access to enterprise resources from a standardized PC environment, called an ACE
    - Provide a simplified end-user interface designed specifically for nontechnical users
    - Provide policy-based controls, including access, network, and device rights

    Ensure Safe Access to Enterprise Resources

    Reduce the threat from unmanaged and unsecured PCs used by telecommuters, partners, and offshore workers to access enterprise resources. ACE 2 enables safe access to enterprise resources from assured computing environments: isolated PC environments that run on top of existing PCs. The assured computing environment contains an operating system, enterprise applications, and preconfigured security settings.

    Simplified End-User Interface

    Secure, then deploy, enterprise information in assured computing environments on any PC throughout the extended enterprise. With virtual rights management, built-in copy protection controls, and automatic encryption, ACE 2 helps prevent theft, tampering, and unauthorized copying of applications, data, system settings, and files. It delivers these features in a user interface designed specifically for end users who do not require the more complex interfaces found in other desktop virtualization products.

    Standardize and Secure PC Environments

    Self-policing and hardware-independent, ACE 2 improves the manageability, security, and cost-effectiveness of PCs. Avoid b
16. - Allow moving only (only one instance can be active at a time).
    - Do not allow moving or copying of the instance files. The administrator will need to approve the new copy protection ID to allow the use of an instance that was moved or copied without permission.

    You can dynamically change the copy protection settings for managed ACE instances, toggling the settings so that moved or copied instances will run or not run.

    To view and change copy protection settings for a managed ACE instance, click Copy Protection in the left pane of the policy editor.

    - Select Allow moving and copying (multiple instances can be active) to enable users to run their instances after moving or copying the instances.
    - Select Allow moving only (only one instance can be active at a time) to enable users to move their instances but not copy them.
    - Select Do not allow moving or copying of the instance files to restrict users from moving or copying instance files.

    In the Instance View for the server, a replaced and no longer active instance has a red "do not enter" sign on top of its icon. If the policy allows copies and moves, a replaced instance can be reenabled if the user runs it.

    If the user moves or copies the instance and tries to run the instance from that new location, but either moves, or moves and copies, are not allowed without approval, VMware Player displays an error message that tells the user
17. Allow the user to:

    - Replace the reimage snapshot
    - Revert to the reimage snapshot

    To select options for the user snapshot

    Choose the options you want the user to have:

    - Take the user snapshot
    - Revert to the user snapshot

    If you select either or both of those options, the Snapshot command appears in the VMware Player menu when the instance is powered on.

    If the user is allowed to take the snapshot, the user can take a snapshot while the ACE instance is running, or have VMware Player power off the ACE instance, take the snapshot, and then power the instance on again (VMware Player > Snapshot > Take Snapshot). Taking the snapshot when the instance is powered off provides two benefits:

    - Gives the snapshot greater mobility. A snapshot taken when the virtual machine is powered on might become unusable as it is moved between host computers.
    - Takes up less disk space than a snapshot taken when the virtual machine is powered on.

    If an ACE instance gets stuck during the taking of a powered-off snapshot (for example, at a message that says you can power off your machine), the user can issue the command to take a powered-off snapshot again to force the machine to power off. The machine will be powered on again and the snapshot will have been taken. All power and snapshot operations, including exiting VMware Player, are disabled while the software is taking a powered-off snapshot.

    If Revert to the user snapshot is enabled, the user c
18. Click Close to close the summary page. Continue with the server configuration in one of the following ways:

    - If this is the initial configuration of the server, click Next.
    - If you are reconfiguring the server, click Apply and then click Restart or Later. If you click Later, you will need to restart the server manually. See "Stopping and Starting the Apache Service Manually" on page 83.

    On the Logging page: At this release, the server by default collects log entries for events that change the data in the database. You can set the logging levels and set an option for purging log entries. However, if you enable the Debug logging level, the logs will include entries for events that do not change the database state, such as getting instance information and so on.

    To set the logging options

    a. Set the log type categories. Each category covers several server RPC interfaces and contains several distinct event types. The categories are:

       - ACE Administration: Logs events for ACE instance creation, update, and destruction.
       - Package Administration: Logs events for package creation and update.
       - Policy Administration: Logs events for policy set, update, and publish; instance customization and user access control changes by an ACE administrator.
       - Instance Administration: Logs instance lifecycle events: creation, copying, revocation, re-enablement, and deletion; instance password change by a user; instance password change by an admini
19. The parts of the ACE master summary view are:

    - Header: Contains the ACE master name, the date the ACE master was last modified, the directory containing the .vmxa file, and the name of the ACE 2 Management Server, if any, used with this ACE master.
    - Commands: Lists commands and actions that you can perform.
    - Policies: Lists the policies that you can apply to ACE masters.
    - Notes: Provides a text area where you can enter notes about your ACE master.
    - Package Settings: Lists the package settings that you can set and have applied to every package you create.
    - Package History: Lists a history of the packages created with this ACE master. Notes that were added to the package when it was created are displayed in the list. See Step 7 on page 195 for more detail on how to enter those notes. You can view the properties of the packages that you have created by double-clicking on an item in the Package History, and edit the notes that are displayed in the Package History. See "Viewing Package Properties" on page 200 for detailed information.

    Viewing the Summary for All ACE Instances Managed by an ACE 2 Management Server

    You can view a summary of all the ACE instances managed by an ACE 2 Management Server. You can set up queries to filter these summary views. See Chapter 12, "Instance View," on page 245 for details. AC
21. If you are creating an ACE master optimized for Pocket ACE, click Next and skip to Step 17 after entering your virtual disk size. If you are creating a typical or custom ACE master, continue with this step.

    If you wish, select Allocate all disk space now. Allocating all the space at the time you create the virtual disk gives somewhat better performance, but it requires as much disk space as the size you specify for the virtual disk. If you do not select this option, the virtual disk's files start small and grow as needed, but they can never grow larger than the size you set here.

    You can also specify whether you want the virtual disk created as one large file or split into a set of 2GB files. You should split your virtual disk if it might be stored on a FAT32 file system.

    If you plan to distribute the ACE package on CD or DVD, the package installs more quickly if you split the files. For the fastest package installation, be sure that the files that make up the virtual disks are smaller than 4GB and smaller than the media used to distribute the package. Thus, you get best results if you split the virtual disk files when distributing the package on DVD.

    Click Next to continue. If you selected Typical as your configuration path, skip to Step 17.

    If you selected Custom as your configuration path, specify the location of the virtual disk's files. Click Next.

    On the Specify A
22. - Reasons for login failures are presented as locked out or password expired.
    - The ACE 2 Management Server acts as an Active Directory password change proxy.
    - You can use the instance customization feature in ACE with your own established naming conventions to associate users with machines.

    Security

    - Communications are SSL encrypted.
    - Communications between server and clients: over HTTPS traffic.
    - Communications between server and Active Directory domain controller: over LDAPS traffic.
    - Passwords are stored securely in hashed form in the backing store.

    Database Options

    Flexible database options allow use of an embedded database or external RDBMS's to store ACE instance data and policies. See "Database Options" on page 57 for details.

    Simple Installation and Configuration

    The server uses off-the-shelf software components:

    - Apache Web server 2.0
    - The default SQLite database store

    The server setup uses industry-standard protocols:

    - HTTPS and LDAPS
    - XML-RPC for message encapsulation

    Client traffic can be proxied by off-the-shelf products. The Windows installer for Workstation ACE Edition includes the installation components for the ACE 2 Management Server.

    Extensibility and Availability

    You can create and use more than one ACE 2 Management Server. When you use more than one server, you can set the servers up so that they will share the same databas
23. "Virtual Machine Settings" on page 104.

    Creating an ACE Master

    You have four options for creating an ACE master:

    - Create a new ACE Master: Choose File > New > ACE Master, select Create a new ACE master, and then follow the instructions in the New ACE Master wizard.
    - Create a new ACE Master optimized for Pocket ACE: Choose File > New > ACE Master, select Create a new ACE master optimized for Pocket ACE, and then follow the instructions in the New ACE Master wizard.
    - Create from an existing virtual machine: Select a virtual machine in the Favorites list, or choose File > Open and select the virtual machine, then choose VM > Clone to ACE Master. You can also choose File > New > ACE Master and select the Create an ACE master from an existing virtual machine option. Then follow the instructions in the Clone to ACE Master Wizard.
    - Clone an ACE Master: Select an ACE master in the Favorites list, or choose File > Open and select the ACE master, then choose ACE > Clone.

    You can clone virtual machines created with certain other VMware products and convert the clones into ACE masters. Virtual machines created with the following products can be used in Workstation ACE Edition:

    - VMware Workstation 5.x and later
    - VMware Server

    Creating a New ACE Master

    As you use the New ACE Master Wizard, you are prompted to make decisions about many aspects of the ACE ma
25. asks for your name and email address so your system administrator can send you the hot fix or contact you for additional information. Your system administrator might have configured your ACE to submit the hot fix request automatically. If not, or if the automatic submission fails, you can save the hot fix request in a file and submit that file to your administrator. Note the path to the file, shown in the final page of the Hot Fix Request Wizard. Also note any submission instructions the administrator provides. The wizard displays those instructions in the page that allows you to save the hot fix request file. If your system administrator approves your hot fix request, you receive the hot fix in the form of a file. Save the hot fix to the desktop of your host computer or to some other convenient location. Double-click the hot fix to apply it. Lost or Forgotten Password: If your system administrator configured your ACE so a password is required and you try to log on with an incorrect password, you receive an error message. Click the Request Hot Fix button in the error message to start the Hot Fix Request Wizard. If your system administrator approves your hot fix request, the administrator supplies you with a new temporary password by whatever method of communication the administrator has set up. After applying the hot fix, use that temporary password to run your ACE. Then choose Player > Change Password to set a password of your choice. Ex
26. > Clone VM to ACE Master. In the Clone to ACE Master Wizard, give the ACE master exactly the same name as the name of the ACE 1.x virtual machine. For example, if the 1.x name is winXPPro.vmx, then type winXPPro (minus the file extension, which is added automatically) into the Name field on the Name the ACE Master page of the wizard. Complete the rest of the pages of the wizard (see "Cloning an ACE Master from an Existing Virtual Machine" on page 98 for detailed instructions on using the wizard). On the ACE Server page, choose whether or not to manage this ACE master with an ACE 2 Management Server. After the Clone to ACE Master Wizard has finished, open the policy editor (ACE > Policies) if you want to make any changes to the default policy settings for this master. NOTE: The policies that were set for the 1.x virtual machine are not carried over to this ACE master. The default policy settings for ACE 2 are used unless you edit the policy settings and save the changes. Edit any package settings and virtual machine settings that you want to change from the default settings for the ACE master (ACE > Package Settings and VM > Settings, respectively). Create a package with the New Package Wizard (ACE > New Package). Use the Full package type. Navigate to Program Files VMware VMware
27. guest defined 268 host defined 268 Linux 32 bit host 26 Linux 64 bit host 27 supported 32 bit Windows host 24 supported 64 bit Windows host 24 P package burning files onto discs 200 changing lifetime setting 185 creating 192 creating multiple 193 creation progress 200 defined 32 269 deployment platform for 188 disc labels 200 disk space required 197 distribution format selecting 196 encryption 186 format of files 196 history 37 200 location on administrator machine 195 213 Pocket ACE 212 Pocket ACE installation 215 post deployment test 207 pre deployment test 206 previewing before deployment 203 registration 200 test options 204 testing before deployment 203 package lifetime package setting 185 package properties dialog box 200 package settings custom EULA 172 deployment platform 188 description 171 269 encryption 186 instance customization steps on end user s machine 184 instance customization overview 172 instance customization specifying 177 package lifetime 185 VMware Inc placeholder values in instance customization 180 remote domain join 188 workgroup or domain in instance customization 179 package type selecting 196 packaging burning files onto discs 200 checking VMware Tools version 195 choose package location 195 213 creation progress 200 disk space required 197 download Microsoft Sysprep tools 194 package type selecting 196 providing passwords 198 s
28. on the defined network. Steps for Adding or Editing a Network Zone. NOTE: You cannot delete or rename the default zone, which is named Everywhere if it is the only zone or Everywhere else if there is more than one zone. To add or edit a network zone: If you want to add a new zone, click Add Zone on the Network Access policy page and then click the New Zone entry in the table. The zone editor appears. If you want to edit an existing zone, click the name of the zone in the table on the policy page. The zone editor appears. If you want to name a new zone or rename the existing zone, type the new name in the Name box. Select the checkboxes for any host network conditions that you want to use to identify this zone. Type addresses or host names as appropriate. NOTE: For guidelines on choosing these settings and for detailed descriptions of the zone conditions, see "Guidelines for Choosing Zone Conditions" on page 137 and "Descriptions of the Zone Condition Settings" on page 137. If you have specified DNS servers or WINS servers for the zone, select the minimum number of servers that must be matched to meet the zone conditions. WINS server settings are ignored by Linux hosts during zone detection. NOTE: Because there are multiple methods for assigning DNS domain names to a Linux host, using just the DNS doma
29. 0 0 proxy abe com Click here to enter a hostname or IP address Example proxy abe com 10 0 3 12 10 0 3 12 255 255 255 0 10 3 0 0 24 More Options Remove c Onthe Everywhere Else ACE Instance Access page type host names or IP addresses for locations that this ACE instance can access in addition to the 134 VMware Inc Chapter 6 Setting and Using Policies and Customizing VMware Player default DNS DHCP and ICMP protocols and ports when the instance is outside the internal network Then click Next Network Access Wizard E x Everywhere Else ACE Instance Access Specify network access for the ACE instance everywhere else When the laptop is not in the Internal Network the ACE instance is given no access other than DNS DHCP and ICMP by default You can configure the Remote ACE Instance Access below Allow access to vpn abe com Click here to enter a hostname or IP address Example vpn abe com 10 0 3 12 10 0 3 12 255 255 255 0 10 3 0 0 24 Remove More Options d Thetableon the Finish page summarizes the access settings Click Back if you want to make any changes to the access you just configured When you are satisfied with the configuration click Finish The summary of the network access settings you have chosen appears in the table on the Network Access policy page x Finish Summary of both host and ACE instance network access Network Access Zones Host Ne
30. 102 Select Custom if you want to allow or block communication for a specific protocol. The protocols are defined by their protocol numbers, which range from 0 through 255. The number is in the packet. If that number matches the number supplied in the Custom field, the packet is allowed or blocked as specified by the rule. Type the protocol's number in the Protocol number box. You can find the protocol number with the protocol's RFC at http://www.ietf.org/rfc.html for protocol numbers. You can also see a listing of protocols and their numbers at http://www.iana.org/assignments/protocol-numbers. NOTE: The protocol number is used in the protocol field of IPv4 packets. Most protocol numbers are permanently assigned. If you are using either TCP or UDP and want to qualify the rule with specific port numbers for this type of traffic, type the port numbers or port number ranges in the Remote Ports and Local Ports boxes, as appropriate. The wildcard port setting is double quotation marks. 10. Usually you specify filtering on one or the other port type, not both, because both specifications have to meet the match for the rule to be applied. DHCP represents an exception to this general rule. Local port: Filters on the port from the local machine, either host or guest. The local port is the source port for outgoing packets and the destination port for incoming packets. Typically
31. 2 Management Server installation, two files are created: an RSA 1024-bit key, file name server.key, which is the private key; and a self-signed certificate, file name server.crt. It is self-signed because its signature is verified by the public key, which is embedded in the certificate. By default, these files are stored in the SSL directory in the VMware ACE 2 Management Server program directory. The self-signed certificate, which is a public certificate, is valid for 10 years from the date and time at which the server is installed. The certificate file is encoded in PEM format. You can browse the file to see its properties as follows. On a Windows host system: In Windows Explorer, navigate to the location of the server.crt file and double-click the file name. On a Linux host system, use this command: openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text NOTE: As noted above, the self-signed certificate is valid for 10 years. If you should need to replace an expired certificate, you can do that by deploying the affected ACE masters in an update package, which would include the new certificate. Do not modify certificates to make them permanent. When an ACE master connects to an ACE 2 Management Server, it downloads the public certificate for that server and any chain of certificates required to verify the server's public certificate. A server certificate might have a chain of several certificates that must be v
32. Guest name, IP address, and MAC address; host name and IP address. (Screenshot of the instance details dialog box, with General, Policies, and Custom tabs, showing the instance status, ACE master, package, activation and deactivation dates, expiration settings, host information, and guest information.) To activate or deactivate the instance or reset the expiration date: 1. To activate or deactivate the instance, press the Reactivate or Deactivate button. 2. To reset the expiration date for the instance, check or uncheck Use the date range specified for the ACE master, or select dates in the Valid from and Valid until dropdown lists. Check No expiration if you do not want the instance to expire. 3. When you are finished making changes, click OK. Policies Details View: The Policies details view shows current policy information for this instance, including: the date and time that the instance last retrieved the policies from the server; the current policy values including the network access t
33. (Package Summary page contents shown: ACE Master Policy File, ACE Master Resources, Windows Installer, Linux Installer, Windows Player, Linux 32-bit Player. To create the package, click Next.) CAUTION: The Caution text shown at the bottom of the Package Summary page only appears if instance customization is enabled for this package. See the information in the Caution on page 194 for details about obtaining the Microsoft Sysprep deployment tools and why it is important to have them in place before package creation begins. (Caution text shown on the page: The Microsoft Sysprep tools are required for instance customization. Verify that these files are in the correct directory. For further instructions, refer to the ACE Administrator's Manual.) Review the summary information. If you need to make changes, click Back. If the information is correct, click Next to begin package creation. The Package Creation page appears and displays a progress bar. It can take quite some time to complete this step, especially for packages that include large virtual machines or instance customization settings. See "Instance Customization" on page 172 for detailed information about instance customization. The Package Creation Complete page appears when the process has finished. It lists the location of the newly created package and provides a link to the package directory. If you create
34. ACE Server dialog box, select a server from the drop-down list or type the server address in Server. You can change from a server that uses an Active Directory service to one that does not, but you can only make this change if the selected ACE master is not using Active Directory. Also, if you change from a server that does not use Active Directory to one that does, the selected ACE master will not use Active Directory. NOTE: The icon next to the server name indicates whether this server is integrated with Active Directory. The icon in the example is for a server with Active Directory. A key icon appears for a server that is not integrated with Active Directory. 4. The default port is 443. Type a new port number in Port if appropriate. NOTE: The information in the ACE master Information area of the dialog box applies to the ACE master and not to the server. Therefore, in the example, "Active Directory: Yes" indicates that this ACE master uses Active Directory. 5. Click OK to save the settings and close the dialog box. Reassigning an ACE Master to a Server When the Master's Record Cannot Be Retrieved: When you open a managed ACE master, VMware Workstation ACE Edition will contact the management server that the ACE master is using to retrieve this ACE master's record. If Workstation ACE Edition cannot contact the management server, the ACE master record cannot be ret
35. Book This manual, the VMware ACE Administrator's Manual, provides information about installing and using Workstation ACE Edition. Revision History: This manual is revised with each release of the product or when necessary. A revised version can contain minor or major changes. Table 1 summarizes the significant changes in each version of this manual. Table 1. Revision History (Revision: Description). 20070507: GA release version. 20070423: First version of the Workstation ACE Edition documentation. Intended Audience: This book is intended for anyone who needs to install, upgrade, or use Workstation ACE Edition. ACE 2 users typically include people who do software development and testing or work with multiple operating systems or computing environments: software developers, QA engineers, trainers, salespeople who run demos, and anyone who wants to create virtual machines. Document Feedback: VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com. Conventions: Table 2 illustrates the typographic conventions used in this manual. Table 2. Conventions Used in This Manual (Style: Elements). Blue (online only): Links, cross-references, and email addresses. Black boldface: User interface elements such as button names and menu items. Monospace: Commands, filenames, directories, and paths. Monospace
36. (Dialog box options shown: Never; After 30 days from activation; Valid from 5/9/2007. Messages: Add custom text after the default text; Show warning message 4 days before expiration; Warning message: This ACE will expire in 5 days; Expiration message: This ACE has expired.) You can select one of the following options for expiration. Never: The instance does not expire. After x days from activation: The instance runs for the specified number of days after the package is installed and activated; it cannot be used after that time. Valid from <date> to <date>: The instance can be powered on and run no earlier than the from date and no later than the to date. It cannot be used before the from date or after the to date. You can deploy ACE instances with expired date ranges. You can set a warning message that appears each time an instance powers on as the expiration date approaches. You can customize the text of the warning message. Add your text after the gray text in the message box; the gray text cannot be edited. The expiration message appears when the instance has expired. You can customize the text of this message as well, adding your text after the gray text, which cannot be edited. When the expiration message appears, the instance cannot be powered on. With a standalone ACE instance, the fixed expiration date or the fixed
37. CD RW Drive E CD Drive A CD Duive CD Drive Details ta Pocket ACE H Removable Disk My Computer System Folder m For Linux systems you must install VMware Player from the Player directory on the USB drive for example if the USB drive is mounted at media USBFLASH navigate to media USBFLASH player VMware player i386 tar gz Install the Player as described in Installing VMware Player on a Linux Host Computer on page 223 Then navigate in Player to the vmx file and start up the ACE instance see Running the ACE Instance on a Linux Host Computer on page 225 VMware Inc 217 VMware ACE Administrator s Manual 218 3 Both disk and checkpoint caches are initialized If the Pocket ACE has a session on this host that session continues Otherwise a new session is started The checkpoint state and virtual disk are cached on the host during use and synced back to the portable device later The checkpoint state and virtual disk are protected with the same encryption level used for the ACE instance on the portable device 4 The Pocket ACE runs primarily from the host cache although it occasionally reads from the parent disk on the portable device The ACE does not write to the parent disk 5 When the user finishes using the instance and executes a close command in Player a dialog box appears that offers a choice of leaving the session open on the host computer or closing the session and syncing it back
38. For more information about specifying command-line parameters to your script, see the Microsoft knowledge base article at http://support.microsoft.com/kb/177462. (Dialog box text shown: Initialization scripts. Specify script files to be executed in the guest at the end of the instance customization setup process. Enter each script file on a separate line.) On the Workgroup or Domain page: a. Enter the name of the workgroup or domain that this instance will use to access the network. b. If you selected Domain and have entered the domain name, now enter the user name for an account that can join a new computer to the domain. NOTE: Instance customization only supports DHCP, not static IP addresses. c. If you want to allow this ACE instance to join the domain from a location remote to the domain, select Enable remote domain join and then type the command to run the script that establishes a VPN connection. See "Setting Up a Remote Domain Join" on page 188 for more information about joining remote ACE instances to a domain. Now create the package (see "Packaging with Instance Customization Enabled"). NOTE: If the ACE master is managed, then passwords and commands specified on this page are stored on the ACE 2 Management Server. If the ACE master is standalone, then passwords and commands are stored with the package. If the ACE master is not managed, you should encrypt the package
39. To enable the hot fix feature, select Allow users to request a hot fix. The hot fix request is a file that the user must submit to an administrator for action. After enabling the hot fix feature, you must select the preferred way for the user to submit the hot fix request. Choose one of the following. Use email to submit hot fix request: The Hot Fix Request Wizard on the user's computer attempts to use a MAPI email client on the host operating system to send the hot fix request as an attachment to an email message. The message uses the email address and subject line that you specify here. Save the request to a file: The Hot Fix Request wizard saves the hot fix request file. The user must submit this file to an administrator manually. The user sees any submission instructions you enter in the field labeled Specify instructions for users to submit the request. If you choose email and the automatic submission fails, the Hot Fix Request Wizard gives the user an opportunity to save the hot fix request as a file. The user must then send the file to an administrator manually. For details on responding to hot fix requests, see "Responding to Hot Fix Requests" on page 237. For details on how the user interacts with the Hot Fix Request Wizard, see "Requesting a Hot Fix" on page 126. Setting Policy Update Frequency: You can use this policy to control: Policy update frequency: How often a
40. (Dialog box options shown: Symbols and punctuation; Enforce password lockout; Failed login attempts: 5; Duration of lockout: 30 seconds.) Choose one, two, or all three of: Enforce minimum length: Type the number or choose it from the drop-down list. Restrict password content: Select one to four options for character type. Enforce password lockout: Select the number of times the user can attempt to enter the password before an error message appears that tells the user that the number of allowed password attempts has been reached. Also specify the amount of time, in seconds, that the user must wait before making another attempt to log in. Script: Select this option to use your own custom script to determine who can use the instance. To provide a script in packages created with this ACE master: 1. Create the script and save it in the ACE Resources directory for the ACE master. 2. In the access control policy page, click Set to open the Set Custom Scripts dialog box. If the deployment platform setting in package settings is set to Both Windows and Linux, then the Set Custom Script dialog contains text fields for both Windows and Linux. (Set Custom Script dialog box text shown: Script. Specify the script file from the ACE Resources directory and command line to run the script. This script will be run on the host. The deployment platform can be set
41. These files must be PEM encoded. After you have created or obtained these files, you place them in the correct directory by uploading them from the Custom SSL Certificates page in the server setup Web application. NOTE: Workstation ACE Edition only supports certificate signatures that use the SHA1 algorithm digest. To set up your own self-signed certificates, third-party signed certificates, or certificates from an internal certificate authority: 1. Ensure that you have configured the ACE 2 Management Server through the server configuration Web application. 2. Create or provide the needed files: a. For your own self-signed certificate, use openssl to create a new self-signed certificate. b. For a third-party CA or internal CA, obtain an SSL certificate signed by that CA and a certificate verification chain file. The chain file is a concatenation of every certificate required to verify the new SSL certificate you created or obtained. c. A private key file. All these files must be PEM encoded. Steps for obtaining the certificate chain vary depending on which host operating system you are using and on the source from which the CA certificate is obtained. 3. After you have obtained the items in Step 2, rename them as follows. Private key file: Rename to server.key. Certificate file: Rename to server.crt. Certificate chain file: Rename to chain.crt. LDAP server certifica
42. To get started with setting activation and authentication policies: 1. Click Edit Policies in the ACE master summary view, or choose ACE Master > Policies. 2. Click the Access Control page link in the left pane of the Policy Editor window. 3. To choose settings options, see the subsection that applies to your ACE management setup: "Activation and Authentication for Managed Instances with Active Directory Service" on page 108; "Activation and Authentication for Managed Instances Without Active Directory Service" on page 113; "Activation and Authentication for Standalone Instances" on page 119. Activation and Authentication for Managed Instances with Active Directory Service: If you are using a managed ACE master with a server that is integrated with Active Directory, use the following information to set activation and authentication policies. The user must enter Active Directory user credentials each time the ACE instance is run. Only the user who activates the instance can authenticate (run) the instance. The activation step is performed whenever an ACE package has been installed. In addition to the user's input of the correct user credentials, the server also verifies these items before the instance can be authenticated and run: The revocation flag is not set, and the instance is not blocked from running because of any policy errors. The expirati
43. Valid; ACE Master Name; Package Name; Host Name; Host IP Address; Guest Name: The Guest Name, which is the computer name resolved on the user's machine during instance customization (a feature for Windows systems only), is always shown in the Instance View as 15 characters or less. The NetBIOS name is reported here, and it is a maximum of 15 characters in length. Even if the actual computer name contains more characters, the name is always shown as the NetBIOS name. Guest IP Address. You can search on custom columns by selecting Show custom values and specifying the search values for those columns. If you select the option Exact match only for a search category, only instances with values that are exact matches of the value specified in that category field are listed in the search results. Exact match values are case sensitive. Specify dates in the format MM/DD/YYYY. Search criteria are joined with AND, not OR, operations. Click Reset in the Advanced Search dialog box if you want to clear entries in the search fields. When you have finished specifying the search criteria, click the Search button. The search results are displayed. An indicator in the lower right corner of the page displays "Showing <number of results in view> out of <total number of results>", for example, "Showing 24 out of 55". The query is remembered for the length of the Workstation ACE Edition session. To cle
44. X in the upper right corner of the message box. You can view messages that have been displayed for this ACE by selecting Player > Troubleshooting > Message Log. The Message Log dialog box allows you to open and view the past messages and to remove any or all messages from the log. You can view information about the ACE's network access settings and other settings, such as expiration date for the ACE, in the ACE Information dialog box. To access this dialog box, choose Player > Troubleshoot > ACE Information. Controlling Devices Attached to VMware Player: Your administrator might have configured VMware Player to give the ACE access to some of the devices attached to your host computer, such as the floppy disk drive, the CD or DVD drive, and the Ethernet adapter. Depending on the preferences you set (see "Setting VMware Player Preferences" on page 230), those devices might appear in the toolbar or on the Devices menu. To disconnect and reconnect the devices shown on the toolbar, click a device's icon to toggle it off and on. A device with a depressed icon is connected. If the device appears level with the toolbar, it is disconnected. To disconnect and reconnect the devices from the Devices menu, click the name of a device to toggle it off and on. A check mark next to the name of a device indicates that it is connected. If there is no check mark, the device is disconnected. Only one machine, either the host computer or the ACE
45. a specific ACE master can be used without having the instances contact the ACE 2 Management Server for policy updates. Removable devices: This policy allows you to control whether users can connect and disconnect removable devices from their ACE instances. USB devices: This policy allows you to specify in detail which USB devices and device classes can be accessed by ACE instances created from a specific ACE master. Copy protection (for both standalone and managed instances): This policy lets you ensure that an ACE instance can run only from the location where it was originally installed. For managed instances, this policy allows you to specify whether users can move or copy an instance without getting approval from an administrator. Snapshots: This policy allows you to specify whether a user can control their own snapshot and/or control the reimage snapshot. These controls are independent of one another. Host-guest data script: This policy allows you to specify a script that will run on the host operating system after the ACE instance is powered on. This script can be used to pass information about the host to the guest operating system. Administrator mode: This policy allows you to configure virtual machine settings (on Windows host systems only) directly on the users' machines and to use snapshot commands that have not been enabled for the
46. and ACE since the passwords are kept inside the virtual machine gt Workgroup or domain Workgroup Workgroup Domain Domain Specify a user account that has permission to add a computer to the domain Username Usemame The password for this account will be stored in the package You will provide this password when you create a new package or preview this ACE master M Remote domain join Enabling remote domain join allows you to specify a command that will be used by the ACE instance to establish a VPN connection to a separate server to join the domain The command will be stored in the package IV Enable remote domain join password may be used in the following command to insert a password Command J The password will be stored in the package You will provide this password when you create a new package or preview this ACE master page 182 Placeholder Values to Use in Instance Customization Placeholder values are values to be used inside the guest operating system during the Mini Setup procedure on the ACE user s machine to construct individualized field names The available placeholders are Logon_user or Logon_user n The logged on user on the host machine at the time the Microsoft Mini Setup process begins You can use Logon_user n where lt n gt is the maximum number of characters obtained from the actual logged on user name when the name is reso
47. and course materials designed to be used as on-the-job reference tools. For more information about VMware Education Services, go to http://mylearn1.vmware.com/mgrreg/index.cfm. Introduction and System Requirements: Welcome to VMware ACE 2. This section covers the following topics: "About VMware ACE 2" on page 15; "Key Concepts of ACE 2" on page 18; "Hardware and Software Recommendations for This Release" on page 22. About VMware ACE 2: VMware's ACE 2 is a software solution that delivers enhanced management, security, and usability to standard desktop virtualization products. Using ACE 2, an organization can rapidly provision a standardized, secure PC environment (an ACE) to any device in the extended enterprise, regardless of whether it is managed by the ACE administrator. An ACE is a policy-protected virtual machine containing an operating system, applications, and data. Through virtual rights management technology, ACE 2 enables desktop administrators to control ACE lifecycles, protect data, and ensure compliance with IT policies, including software lifecycle management and access to data and applications. Unlike other desktop virtualization products, ACE 2 is a hardware-independent solution that can be provisioned to any PC and works either connected or disconnected from the enterprise network.
48. and dynamically update policies, instance customization data, and other per-ACE-instance data. See Chapter 4, Installing and Configuring the ACE 2 Management Server, on page 51 for details on how to install and configure the ACE 2 Management Server to manage ACE deployments. You associate an ACE master with an ACE 2 Management Server when you create the ACE master through one of these methods: (a) Create a new ACE master with the New ACE Master Wizard. See Chapter 5, Creating and Configuring ACE Masters, on page 89. (b) Clone an existing virtual machine into an ACE master. Use the Create an ACE master from an existing virtual machine option in the New ACE master wizard, or VM > Clone to ACE Master. See Chapter 5, Creating and Configuring ACE Masters, on page 89. Each method includes a step that allows you to choose an ACE 2 Management Server for the ACE master by specifying the server address and port. Viewing ACE Masters in the Sidebar: An ACE master might not appear in the sidebar if it has been removed from the list but not deleted from the disk. If you can locate the master's configuration file on the disk, you can add the master back to the sidebar. Using the ACE Icons on the Home Page: In addition to the standard Workstation icons, the Home page for Workstation ACE Edition contains these icons: New ACE Master; Open Existing VM Team or ACE Master
49. any requirement that it connect to the server to retrieve policy updates. If you chose Disable all offline usage or Allow offline use for x time_units, the text in the Offline Timeout message box appears to ACE users when they power on the ACE instance or when the offline use limit has been reached. You can customize the message text. Add your text after the gray text in the message box. You cannot edit the gray text. If you chose Allow offline use for x time_units, you can choose to have a message displayed to the user that warns that the ACE instance will soon become unavailable for offline use. To do this, select Display warning x time_unit before policy expiration. Set x to the number of minutes, hours, or days, and set time_unit to minutes, hours, or days. You can customize the message text. Add your text after the gray text in the message box. You cannot edit the gray text. Policy updates take effect while the instance is running, with these exceptions: Authentication policies: User and group lists, passwords, and scripts can be updated. Changes take effect the next time the instance is powered on. Policy update frequency policies: If Policy Update Frequency is set to Only when the ACE instance powers on, changes take effect the next time the instance is powered on. Writing Plug-In Policy Scripts: You may write your own scripts to control certain polic
50. are reported to the server. After instance customization runs on an ACE instance with a Windows Vista guest operating system, what happens before the ACE instance is ready to be used differs slightly from what occurs with other Windows guest operating systems. The user will see a message saying that the machine is going to be restarted; next, the login screen will appear, and then the system will reboot. No user interaction is required at any point. Package Lifetime: You can specify a time period during which an ACE package is installable. If a user attempts to install a package outside of this time period, an error message appears and the package will not be installed. The default setting for package lifetime is Always. A package with this setting can be installed at any time after it is deployed. If you want to allow package installation for a certain number of days after the package's creation date, choose Up to x days from package creation and select the number of days from the dropdown list. If you want to set package installation boundary dates, choose From date to date. Use the dropdown list arrows to open the calendar and specify the first date on which the package can be installed and then the last date on which the package can be installed. NOTE: The package l
51. as well as see the effects of changed policies as they will appear on the ACE user's machine, without your having to package and install them. It also allows you to see many of the effects of your setup choices for an ACE package without having to expend the time and effort required for a full package deployment and installation. You click the Preview in Player icon in the toolbar to create a preview instance. A package based on a linked clone is created in a new directory, Preview Deployment, inside the ACE master's directory on your administrator machine. The snapshot for the linked clone is taken of the ACE master's current state. Unlike a package that is deployed to an ACE user's machine, this package is not installed. VMware Player starts up, and the preview instance events are the same as those for a standard ACE package deployment: activation of the ACE instance, instance customization (if any), encryption. You can then run the instance, checking for the effects of any changes you made to the ACE master. You can only have one preview instance per ACE master. When you click Preview in Player for the ACE master a second or subsequent time, a message asks if you want to (1) replace the current preview instance with a new deployment or (2) use the existing deployment. The preview mode saves you time because you don't have to create a full package and install it. Furthermore, the saved m
52. bold: User input. Italic: Document titles, glossary terms, and occasional emphasis. <Name>: Variable and parameter names. Technical Support and Education Resources: The following sections describe the technical support resources available to you. Self-Service Support: Use the VMware Technology Network (VMTN) for self-help tools and technical information. Product information: http://www.vmware.com/products. Technology information: http://www.vmware.com/vcommunity/technology. Documentation: http://www.vmware.com/support/pubs. VMTN Knowledge Base: http://kb.vmware.com. Discussion forums: http://www.vmware.com/community. User groups: http://www.vmware.com/vcommunity/usergroups.html. For more information about the VMware Technology Network, go to http://www.vmtn.net. Online and Telephone Support: Use online support to submit technical support requests, view your product and contract information, and register your products. Go to http://www.vmware.com/support. Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html. Support Offerings: Find out how VMware support offerings can help meet your business needs. Go to http://www.vmware.com/support/services. VMware Education Services: VMware courses offer extensive hands-on labs, case study examples,
53. by an ACE 2 Management Server. Any changes to its policies or other settings are made by the administrator's distribution of updates to the user. Setting Up Your Administrative Workstation: As an administrator, you need to install the Workstation ACE Edition software on your workstation, referred to in this manual as your host computer. You can then run Workstation ACE Edition, your tool for creating and managing the virtual machines you distribute to your users. If your company already has a library of standard virtual machines, you need network access to that library from your host computer. If you are creating new virtual machines, you need access to installers for the guest operating systems and application software you plan to install in the virtual machines. You can install operating systems from CD, from ISO image files on a local drive or on the network, or from a PXE server. If you need to connect to an ISO file on a network drive, you use the networking capabilities of your host computer to make that connection. You can install application software from CDs or from installers on a local drive or on the network. If you need to connect to an installer on the network, you use the networking capabilities of the virtual machine to make that connection. For details on networking in a virtual machine, see the Workstation User's Manual. If you need to use an
54. contact its server within 1 day. Offline Timeout Message. To set the policy update frequency: 1. In Policy Update Frequency, select one of: Every x time_unit: Set x to the number of minutes, hours, or days, and set time_unit to minutes, hours, or days, that the ACE instance can run before it must connect to the server and retrieve any updated policies. Only when the ACE instance powers on: The instance connects to the server at power on and retrieves any updated policies. Only when the ACE instance is activated: Choose this option if you do not need to have contact with the ACE instance after it has been activated. 2. In Offline Usage, select one of: Disable all offline usage: The ACE instance must be connected to the server while it is being used, so that policy updates are transmitted to the instance at the update frequency rate (default setting is five minutes). Allow offline use for x time_unit: Set x to the number of minutes, hours, or days, and set time_unit to minutes, hours, or days, that the ACE instance is available for use before it must connect to the server to check for policy updates. When the limit is reached, the ACE instance cannot be powered on and used. Allow offline use indefinitely: The ACE instance can be used for an indefinite period of time without
55. database record cannot be retrieved and an attempt to open the ACE master will fail. You will be offered a choice to specify the new address of the server. If the address has changed, specify the new address of the server. If the database was corrupted, you can specify the address of another ACE 2 Management Server. The ACE master will now use this new ACE 2 Management Server. However, all your deployed instances will continue to use the old server; you can reassign them by creating and distributing a server update package. How Does Reassigning the Master to a New Server Address Work? If the address of the ACE 2 Management Server has changed, you can specify the new address of the server. Workstation ACE Edition searches for a record for this ACE master on the new server. If the record is found, the ACE master will use this existing record along with all the settings stored for this record. Caveat: If the ACE master was using password-based activation before it was reassigned, this access control setting will be changed to no activation. After reassigning the master, you will need to change it to use password activation and specify the activation password. If an existing record for this ACE master is not found on the new ACE 2 Management Server, Workstation ACE Edition will create a new record for the ACE master on the new server. However, in this case the following settings will be
56. date range is established at activation time. Each time the user powers on the instance, the date or date range is checked. If the date at power on is beyond the specified date or outside the date range, an expiration message appears and the instance cannot be powered on. Expiration checks are also performed while the instance is running. If the expiration is reached, the expiration message appears and the instance is suspended. With a managed ACE instance, the expiration policy works similarly as for standalone instances, but the expiration policy value can be specified on a per-instance basis, and all expiration values, both for ACE masters and for all ACE instances, are dynamic. A valid date range for an ACE master applies to each of its associated ACE instances until an instance is individually configured with its own date range. After that configuration, any changes to the ACE master's expiration policy do not affect the instance. Setting Copy Protection Policies: Copy protection policies let you ensure that an ACE instance can run only from the location where it was originally installed. Every ACE has a CPID (copy protection identifier) that contains the path of the ACE on the host filesystem and either the system's BIOS ID (used for standard ACE instances) or filesystem ID (used for pocket ACE instances). If copy protection is on, Workstation ACE Edition compares the current CPID with the stored CPID. If they don't match, the instance has
57. dynamic policy setting. You can only change the setting by changing it in the policy, then creating a new ACE package and deploying the package. To specify the subnet range for VMnet8: 1. For the ACE master you want to package with these network properties, select Policies > Network Access. 2. Click NAT Settings on the policy page. The Virtual Network Settings dialog box appears. NAT Settings dialog: You can configure the subnet address of VMnet8 on the ACE instance's host. Assign IP addresses from this subnet. Subnet IP Address. This setting affects all virtual machines on the user's host. 3. Select Assign IP addresses from this subnet. 4. Type the subnet IP address you want to use, entering zero (0) as the last byte in the address. 5. Click OK. Understanding the Interaction of Host Access and Guest Access Filters With Tunneling Protocols: Host access and guest access filters can differ in their interactions with tunneling protocols. A host network access filter sees traffic before packets have been encapsulated in the tunneling protocol (for example, VPN), but a guest network access filter sees traffic after the packets have been encapsulated in the tunneling protocol. Because of this guest access filter behavior, it might be possible for a user to circumvent guest access restrictions through use of tunneling protocols or proxies. Setting Remo
58. exit 0 print FALSE exit 0 Customizing the VMware Player Interface: You may customize several aspects of the VMware Player user interface, including the text that appears in the title bar and the way removable devices are represented in the interface. You save these customizations in a text file and identify that text file, called the skin file, by adding a line to the preferences.ini file in the project folder. Creating and Specifying the Skin File: Each line in the skin file has the following form: parameter value. To comment out a line in the skin file, begin the line with the sign. The parameters, acceptable values, and defaults are listed in tables in this section. Save the skin file with any filename you wish. Save the skin file in the Project Resources folder under the project folder for the project to which it applies. To specify a skin file: 1. Use a text editor to open the preferences.ini file in the project folder and add the following line: vmplayer skin <filename>. If the skin file is not in the project folder, specify the full path to the file. 2. Save preferences.ini. Customizing the VMware Player Icons: VMware Player has separate large and small application icons. The large icon is used in the application switching interface, visible when you press Alt-Tab. The size of the large icon is usually 32x32 pixels, but VMware Player us
59. from VMware Player; Troubleshooting Problems; Requesting a Hot Fix; Resetting and Powering Off; Reverting to the Reimage Snapshot; About the Enter Administrator Mode Command on the Troubleshoot Menu; Troubleshooting Tools; ACE Tools vmware acetool Command Line Tool; Password Prompts; Expiration Dates; Examples; Responding to Hot Fix Requests; Using the VMware Help Desk Web Application; The Instances Page; The Instance Details Page; Preserving the State of an ACE Instance; 12 Instance View; Opening a View of All Instances Managed by a Server; Setting Up Queries to Search for Instances; Showing, Hiding, Moving, and Resizing Columns in the Instances Table; Adding Custom Database Fields by Adding Columns; Changing the Sort Order of the Instances Table; Deactivating and Reactivating Instances from the Instance View; Resetting Expiration Dates for an Expired Instance by Clicking Reactivate; Using the Details View; General Details View; Policies Details View; Custom Details View; Using the Connect to ACE 2 Management Server Command to Open an Instance View; Appendix: Using the VMware ACE 2 Management Server Database Schema and Querying the Audit Event Log Data; The VMware ACE 2 Management Server Database Schema; Querying the Audit Event Log Data; Glossary; Index; About This
60. in ACE > Package Settings. Windows Host: This script will be used when the ACE Master is deployed on a Windows host. Linux Host: This script will be used when the ACE Master is deployed on a Linux host. The command line must include the script file. If needed, it should also include the executable for running the script and arguments to the script. For example: perl.exe myscript.pl arg arg2 arg3; myscript2.bat. Timeout: The timeout is the number of seconds to wait before the script terminates. Browse to the script file and click Open. Type the command for running the script. Include the script file in the command line, as well as any needed executable for running the script and any arguments to the script. (Optional) Select Timeout and type in a timeout interval in seconds, in case the script does not run to completion. The user will be denied access if the timeout interval elapses before the script runs to completion. 6. Click OK. 7. If you are enabling an authentication script after you have already deployed packages with this ACE master, provide the script to the user using a policy/server update package or a custom package with ACE Resources. NOTE: The script is signed before deployment to prevent tampering. S
61. installer on a local drive, you can use the virtual machine's networking capabilities. You need to provide adequate disk space for two types of files. Virtual machine files: The files for each virtual machine can be quite large, sometimes as large as several gigabytes. The default location for these files is C:\Documents and Settings\<username>\My Documents\My Virtual Machines. To change the default location, go to Edit > Preferences > Workspace. When you create a new virtual machine, you can specify a location for that virtual machine's files that is different from the default. Package files: The package files created by Workstation ACE Edition can be quite large. The default location for the package files is a folder named Packages inside the ACE master's folder. When you create a package, you can change the location for the package's files. In addition, Workstation ACE Edition needs a substantial amount of temporary working space when it creates a package. The total is about twice the combined sizes of all the components of the package. The wizard displays information about the amount of space needed and the locations where the space is needed. If you do not have enough free space, the wizard displays an error message. You can move or delete files on the target drives to make room for the wizard's working files. Overview of the Workstation ACE Edition Window: You use the Workstation ACE Edition window to handle most
62. instances or Workstation ACE Edition while leaving other ACE instances installed. Upgrading from VMware ACE 1.x to VMware ACE 2: If you have VMware ACE 1.x projects, you can use the upgrade tool provided with Workstation ACE Edition to upgrade the virtual machines in those projects. Before You Begin Upgrading Virtual Machines: Read the following before you begin the upgrade procedure. You must have both an administrator machine (has Workstation ACE Edition installed) and a user's machine (does not have Workstation ACE Edition or VMware ACE Manager software installed) to perform the upgrade procedure. You must also have your own notes about any VMware ACE 1.x policy settings that you will want to manually apply to the upgraded machines. The policies for both the VMware ACE 1.x project and its virtual machines are not carried over during the upgrade. You can use these notes to configure the VMware ACE 2 policies for the virtual machines. Upgraded machines will include: upgraded hardware version; guest operating system, applications, script files, and VMware Tools previously installed in the ACE 1.x virtual machine; connection to a VMware ACE 2 Management Server, if you choose this option during the part of the upgrade that occurs on the administrator machine; authentication password and revert to original installed ACE environment (RTI) snapshot, if these options were included in the VMware ACE 1.x machine
63. license do not require a user to enter a serial number for an ACE client license at the time of installation. ACE Client License: An ACE client license is a device-specific license. The details of these licensing terms are covered in the End User License Agreement for ACE, published on www.vmware.com. A licensed device is able to run any number of ACE instances. The ACE client license is associated with the device it is installed on and is not tied to a specific ACE instance. Devices include PCs, laptops, and portable media devices such as USB flash drives storing a Pocket ACE. Use of the ACE volume license key is a convenience tool for ACE administrators. The same device-specific licensing rules apply. An ACE client license must be associated with each device that has an installed ACE instance. To enter an ACE Option Pack License key: 1. Obtain the serial number for your ACE Option Pack. 2. Start up the Workstation application. 3. Choose Help > Enter Serial Number. 4. Type the serial number in the appropriate field and enter your name and the organization name in the dialog box. 5. Click OK. 6. Shut down the Workstation application and then restart it. Workstation will be converted into Workstation ACE Edition, which provides all of the features of Workstation 6 plus those features specific to ACE. To enter an ACE Volume Licensing Key: 1
64. master reparenting or reassigning to different server; associating with ACE Management Server; can't change from managed to standalone or reverse; changing associated ACE Management Server; cloning from ACE master; cloning from existing virtual machine; configuring; configuring networking; creating multiple packages; defined; deployment platform; device settings; file location; installing applications and tools in; selecting ACE Management Server; settings; viewing summary; ACE Master icon; ACE menu; ACE package (See package); ACE server dialog box; ACE tools, using; activation password, providing during packaging; activation policy (See also access control policies); activation, defined; Active Directory: creating group for use with ACE Management Server, creating user for use with ACE Management Server, integration with ACE Management Server, logon options (ACE Management Server), setting access control policies; Active Directory password change proxying; adding notes to package history; address, IP, in ACE instance; administrative tools policy; administrator machine, setting up; administrator mode command; audit event log data, querying; authentication policy (See also access control policies); authentication, defined; B: bind dn user definition of for ACE Ma
65. master you create can be easily used as a Pocket ACE. This option allows you to specify the guest operating system, name, and location, and specify the disk size. Choose a disk size that will fit on the portable device on which you intend to deploy the Pocket ACE. The wizard shows the minimum amount of free space needed on the portable device. Adjust the size of the disk so that it has enough space for a guest operating system, your applications, and data. In addition to the disk size, there are some additional required files that must be present on the portable device. The ACE master wizard will show you the space required for these files. You can also choose to include VMware Player on the portable device so that the Pocket ACE can be used on a host that does not have VMware Player already installed (you will need administrator privileges on the host to install VMware Player if it is not installed already). When you package the Pocket ACE for deployment to the portable device, you can include VMware Player in a Pocket ACE package. The size required for VMware Player is also shown on the Disk Capacity page of the New ACE Master wizard, marked as optional. The size required for VMware Player is not included in the total size required. If you intend to include VMware Player on the portable device, make sure you account for the additional required space. If you select Create an ACE master from an existing virtual machine, the Select a Virtual Mac
66. netblock such as 10/8, 172.16/12, or 192.168/16 that is also used by other networks. Descriptions of the Zone Condition Settings: Each zone description must contain one or more of the following setting options describing the conditions of the zone. Domain: Specifies the domain name of the network, for example, mycompany.com. Only one entry can be used. You can't use a list of entries. The interpretation of this option is governed by the value of Allow subdomains of this domain, below. Allow subdomains of this domain: Modifies the Domain option, above. It specifies whether, for the Domain zone condition to be met, a domain name must exactly match the domain name specified in the Domain box, or whether a match of the domain name is made anytime the string contains <domain_name>. For example, if this option is selected, then corp.mycompany.com is considered a match for mycompany.com. If this option is not selected, then corp.mycompany.com is not considered a match for mycompany.com. The default setting for this option is deselected. Network address: Specifies an IP address or subnet range that is used by the network. The value of <subnet>, if you include a subnet range, must be the number of bits in the netmask. A network adapter matches this condition if it is using an IP address that lies within any of the specified ranges. DNS servers: Speci
67. not give them access to other administrative tools. Using an External Database: This section describes how to use an external database. To use an external database with any ACE 2 Management Server option: 1. Install the RDBMS. On Windows, Microsoft SQL Server 2000 or higher and Oracle Database 10g are supported. On Linux, PostgreSQL 7.4 or higher is supported. The external database does not have to be installed on the same server as the ACE 2 Management Server. NOTE: The ACE 2 Management Server will create the database schema automatically, provided proper access rights are granted. Configure a database: Make sure you have a dedicated database (see the Note below) and a user account that has full access to this database, including rights to create tables. Ensure that you didn't give this database user permissions that it doesn't need, for example, for reading or writing to other databases managed by your RDBMS. NOTE: All tables in the database have a name starting with a PolicyDb_ prefix, and indices with PdbIns_ or PdbLf_ prefixes, so potentially you could provide the ACE 2 Management Server with a DSN to a database that it would share with some other application if the database count is at a premium. If you plan to have the ACE 2 Management Server connect to the database over the network TCP socket connecti
68. of these tools are available for Windows 2003. Both versions will work, so you can download either version. 3. Download the zip files and unzip them into the directory where Workstation ACE Edition is installed. The default installation directory for Workstation ACE Edition is C:\Program Files\VMware\VMware Workstation. Specifying Package Settings for Instance Customization: Make sure you have installed all required files for customization scripts before you specify package settings. NOTE: Instance customization applies only to ACE instances that have a Windows guest operating system installed. To specify package settings for instance customization: 1. See Before You Specify Instance Customization Settings, Perform These Tasks on page 175. Choose ACE > Package Settings to open the package settings editor. On the Instance Customization page: a. Select Enable instance customization. b. Type the product ID for the guest operating system software you have installed in the ACE master. Instance customization: Instance customization allows you to specify information now that will be used to customize instances after they are deployed. This customization occurs the first time that an instance is powered on. Enable instance customization. Product ID: For instance customization to function, a Windows license product ID must be specified. Please
69. on a Windows Host Computer: Any user can install an ACE instance unless the ACE instance includes a host policy. That virtual machine must be installed by a user with administrator privileges. An ACE package contains an ACE instance that will become an ACE instance after it has been installed and activated. You can install a package from a location on the network or from one or more CDs or DVDs. In either case, take the following steps. To install VMware Player and an ACE instance on a Windows host computer: 1. If VMware Player is not yet installed on the user's machine, log on to your Microsoft Windows host as the Administrator user or as a user who is a member of the Windows Administrators group. If installing from CDs or DVDs, insert the first disc into the computer's drive. If installing from the network, navigate to the location of the installer. Find the setup.exe file and double-click it to start the installer. Follow the instructions in the installation wizard. The installer asks where you want to place the virtual machine files. The default location on Windows XP systems is C:\Documents and Settings\All Users\Application Data\VMware\VMware ACE\<ACE Name>. The default location on Windows Vista systems is C:\ProgramData\VMware\VMware ACE\<ACE Name>. If you want to place the files in a different location, you can click Browse and navigate to the new location, or enter the path to the new location. Be sure the location you
70. open the preferences.ini file, which is located in Application Data <username> VMware. Add this line to the file: pref ignoreToolsPkgCheck TRUE. Save and close preferences.ini. To reinstate the VMware Tools check during packaging: 1. Open preferences.ini again with your text editor. 2. Delete the added line or change TRUE to FALSE. 3. Save and close the file. Steps for Creating a Package: To create a package: 1. Start Workstation ACE Edition and open the ACE master you want to use as the basis for the package. 2. To ensure that the package is as compact as possible, defragment virtual disks before you create the package. Run a disk defragmentation utility inside the virtual machine to defragment each virtual disk. 3. Ensure that the guest operating system and VMware Tools are installed in the ACE master. NOTE: Ensure the version of VMware Tools provided with Workstation ACE Edition is installed in the guest operating system. A number of key features in ACE 2 are provided by the VMware Tools package. 4. If instance customization is enabled for this package and the guest operating system is Windows XP, Windows 2000, or Windows 2003, ensure that the correct Sysprep deployment tools are available in the correct directory. See the Caution, page 194. 5. Ensure that the virtual machine in the package is configured as you want it, then ensure it is
71. operation is cancelled and an error message tells you that instance customization failed. See "Downloading the Microsoft Sysprep Deployment Tools" on page 176.
   After a successful guest operating system shutdown, the following steps are taken to prepare the deployment package:
   a. The master is cloned into the package directory; that is, the virtual machine files are copied into the directory, encrypted if needed, and, if specified in the package distribution setup, divided up to be put on media.
   b. The master reverts to the snapshot, and then the snapshot is deleted.
   c. The installer files are copied into the package directory.
   On the ACE user's machine, after the instance has been activated: All the required information for resolving placeholder variables is obtained. Placeholder variables are resolved and are replaced with the actual values for the ACE instance. See "Placeholder Values to Use in Instance Customization" on page 180 for details. The Microsoft Mini-Setup process runs unattended. Additional commands to execute other scripts that you have specified in the instance customization package settings are executed at the end of this process.
   9. If you have set up instance customization to include joining a remote ACE instance to a domain, the software executes the script specified in the instance customization package settings, which is used to connect to the VPN server. Then th
72. password is required; any user can run this instance after it has been activated.
   ■ User-specified password: Select this option to specify that the instance does not run until the user enters the correct password. Each user must set a password during activation, at first power-on.
   NOTE: If a user enters an incorrect password a specified number of times, the user will be unable to try to enter the password again for a specified amount of time. The default values are five attempts and 30 seconds.
   To set the minimum length or required character types for the password, click Set password policies to open the Password Policies dialog box.
   [Figure: Password Policies dialog box, with the options Enforce minimum length, Restrict password content, and Enforce password lockout]
   Choose one, two, or all three of:
   ■ Enforce minimum length: Type the number or choose it from the drop-down list.
   ■ Restrict password content: Select one to four options for character type.
   ■ Enforce password lockout: Select the number of times the user can attempt to enter the password before an error message appears that tells the user that the number of allowed pa
73. prefork MPM section
   On the Linux SLES 9 platform: /etc/apache2/server-tuning.conf, 150 client connections, prefork MPM section
   On the ACE 2 Management Server Appliance: /etc/httpd/apache2.conf, 20 client connections, prefork MPM section
   The default installation of the PostgreSQL database on RHEL Linux allows only 100 remote connections, which is less than the number of parallel threads started by the Apache server by default on the same platform, so you might want to change this number if you expect a high volume of client requests to your server (basically, if you have more than 100 active clients).
   Enable Database Connection Pooling If Not Already Enabled
   A useful performance optimization tip for servers on Linux platforms is to enable database connection pooling in the ODBC Driver Manager (it is disabled by default).
   To enable database connection pooling on Linux platforms:
   1. Start the ODBCConfig utility as a root user.
   2. Click the Advanced tab.
   3. Select the checkbox for Connection Pooling.
   Enabling this option can give a substantial performance gain under high load, as the ACE 2 Management Server can reuse the database connections rather than opening a new one for every request. On Windows platforms, ODBC connection pooling is enabled by default, so you don't have to take any additional configuration steps.
   Using an External Database With the A
74. primary key
   aceUID VARCHAR(128) -- Ace for which this access policy is (FK)
   identityData VARCHAR(128) -- Internal representation (SID in AD case); token value goes here
   accVersion INTEGER NOT NULL -- Access object version number
   identityType INTEGER NOT NULL -- AD User, Group, or Token Value
   identityName VARCHAR(128) -- UI-visible user/group name in AD case
   accUseInstanceLimit VARCHAR(7) DEFAULT FALSE NOT NULL -- Limit number of instances for this ID
   accInstanceLimit INTEGER NOT NULL -- Max no. of ACE instances allowed
   accTsCreated VARCHAR(21) DEFAULT NOT NULL -- Creation timestamp
   accTsLastModified VARCHAR(21) DEFAULT NOT NULL -- Last modified timestamp
   deleted VARCHAR(7) DEFAULT FALSE -- Is this entry deleted (tombstone)
   PRIMARY KEY (accessPK)
   FOREIGN KEY (aceUID) REFERENCES PolicyDb_Ace (aceUID)
   ACE Instance object data
   CREATE TABLE PolicyDb_Instance
   instanceUID VARCHAR(128) -- VM instance ID (primary key)
   packageUID VARCHAR(128) NOT NULL -- The package it belongs to
   aceUID VARCHAR(128) DEFAULT NOT NULL -- The ACE Master it belongs to
   creatorIdName VARCHAR(128) NOT NULL -- Display name of the activator user
   creatorIdData VARCHAR(256) -- Fully qualified name of the activator
   creatorAuthType INTEGER NOT NULL -- The
75. printers are available for use by the guest operating system by clicking the tray icon for the print application in the taskbar notification area of the host system and selecting the printers you want to use. When you execute the Print command in the guest operating system, those printers appear in the printer selection list.
   Troubleshooting Problems
   If you encounter problems while running your ACE, contact your system administrator for assistance. Topics in this section are:
   ■ "Requesting a Hot Fix" on page 233
   ■ "Resetting and Powering Off" on page 234
   ■ "Reverting to the Reimage Snapshot" on page 234
   ■ "About the Enter Administrator Mode Command on the Troubleshoot Menu" on page 235
   Requesting a Hot Fix
   NOTE: This feature is available only if your system administrator has enabled the feature.
   When certain problems occur, VMware Player provides a simplified method for contacting your system administrator: a wizard that lets you request a hot fix for your problem. If your system administrator has enabled the hot fix mechanism, you can use it to resolve the following problems:
   ■ Lost or forgotten password
   ■ Expired ACE
   ■ Copy-protected ACE run from a new location
   The hot fix request includes the nature of the problem. The Hot Fix Request Wizard allows you to include an additional message to your system administrator. The wizard
76. server even if you do not rerun the setup application. See the release notes for information about upgrading from a previous ACE 2 release to this release.
   Continue with the server configuration in one of the following ways:
   ■ If this is the initial configuration of the server, click Next.
   ■ If you are reconfiguring the server, click Apply, and then click Restart or Later. If you click Later, you will need to restart the server manually. See "Stopping and Starting the Apache Service Manually" on page 83.
   On the Security page, if you want to integrate the ACE 2 Management Server to an existing LDAP directory (in this case, an Active Directory service), select Enable LDAP.
   NOTE: To use both an ACE 2 Management Server that is integrated with Active Directory and one that is not, install and configure two servers.
   Specify credentials that the ACE 2 Management Server will use to connect to and query the domain controller:
   ■ HostName: Enter the host name of the LDAP server, using the name you created during the procedure in "Using Active Directory Integration Using LDAP" on page 70.
   ■ Bind DN: Enter your bind Distinguished Name (DN) for the LDAP server, in the syntax format that the domain controller (the LDAP server) requires. See the example below.
   ■ Bind Password: Enter the password for the bind DN.
   ■ Search DN: Enter the search base suffix for the LDAP directory
77. settings yourself using the supplied ACE 2 Management Server Appliance Configuration and Management Web interface. You can use that same interface to update the appliance when updates become available. You must have access to a Web browser (Mozilla 1 52 or higher, or Internet Explorer 6.0 or higher) to change network settings or obtain updates for the appliance.
   NOTE: You must have TLS configured on your Web browser to operate the ACE 2 Management Server. If you are using Internet Explorer, choose Tools > Internet Options > Advanced and scroll down to Security. Make sure the Use TLS 1.0 check box is selected. Then click OK. If you are using Mozilla, choose Tools > Options > Advanced and make sure the Use TLS 1.0 check box is selected. Then click OK.
   Installation instructions for the appliance begin on page 67.
   System Requirements for the ACE 2 Management Server
   The following sections describe the system requirements for the ACE 2 Management Server.
   Hardware
   ■ 1200MHz or faster compatible x86 or x86-64 architecture processor recommended (800MHz minimum)
   ■ Compatible processors include: Intel Celeron, Pentium II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including Prestonia); AMD Athlon, Athlon MP, Athlon XP, Duron, Opteron; AMD64 Opteron, Athlon 64
   ■ M
78. shut down and powered off. You can use the Preview mode to see how an ACE instance created from this ACE master will run on the user's machine in the VMware Player application. When you quit the VMware Player interface, the ACE instance is suspended, not shut down and powered off.
   6. Choose ACE > New Package to start the New Package Wizard. Click Next on the Welcome page.
   7. On the Name the Package page:
      a. Enter a name for the package in the Name field.
      b. The Location field displays the path to the default location for storing the package's files. To change the location, type a new path into the field, or click Browse and navigate to the new location.
      c. Use the Notes field to enter any background information you want to store for the package. Your users do not see this information.
      d. Click Next.
   Select a package type on the Package Type page and then click Next:
   ■ Full: Packages default package contents, including the ACE master configuration file, virtual disk files, and policies; Player applications (per the selected platform); package installer; and Resources files for the ACE master.
   ■ Policy Update/Server Update: Packages the policies for this ACE master. If this is a managed ACE master, this option reads Server Update. A server update package allows you to either change the server that the ACE master is associated with or change an activation only
79. specify has enough space to hold the virtual machine files. If it does not, the installer prompts you to specify a different location. Click Finish to complete the installation. The wizard closes.
   Installing an ACE Package Silently on a Windows Host Computer
   If you are installing a VMware ACE package on a number of Windows host computers, you might want to use the silent installation features of the Microsoft Windows Installer. Before installing a VMware ACE package silently, you must ensure that the host computers have version 2.0 or higher of the MSI runtime engine. This version of the installer is available in versions of Windows beginning with Windows XP. The installer for the runtime is also included in the VMware ACE package as instmsiw.exe. To install the runtime silently from the ACE package, issue the following command:
   instmsiw.exe /Q
   This section outlines what you need to do to install an ACE package silently. For additional details on using the Microsoft Windows Installer, see the Microsoft Web site.
   To perform a silent installation using default settings, issue the following command:
   setup.exe /s /v"/qn"
   This command installs the package (and application, if included) into the default locations and creates a shortcut for the ACE instance on the desktop. The default location for the VMware Player application is <ProgramFiles>\VMware\VMware
80. system is not empty.
   ■ If the guest operating system is Windows 2000, Windows XP, or Windows 2003, checks that the folders in the Program Files\VMware\VMware Workstation\Resources\SysprepTools directory are not empty.
   CAUTION: Ensure that you have downloaded the current Sysprep deployment tools from Microsoft Corporation's Web site and copied them to your machine, as described in "Downloading the Microsoft Sysprep Deployment Tools" on page 176, before packaging with instance customization enabled begins. If the tools are not available at packaging time, the operation fails during the packaging process. Because packaging can take a long time, and the failure might not occur until well into the packaging process, you could lose substantial time if the process failed because the tools were not available.
   NOTE: If you do not have the latest version of VMware Tools installed in the guest operating system, the wizard fails to create the package. If you need to create packages without installing the latest Tools version each time (for example, if you want to do a test deployment of these packages and don't need the latest Tools in the resulting instances in order to run your tests), you can have the wizard ignore the Tools check.
   To turn off the VMware Tools check during packaging:
   1. Close Workstation ACE Edition.
   2. Use Notepad or another text editor to
81. the Pocket ACE Instance 217 11 Installing and Using VMware Player and ACE Instances 219 VMware Inc Installing the ACE Package on a Windows Host Computer and Running the ACE Instance 219 Installing VMware Player on a Windows Host Computer 220 Installing an ACE Instance on a Windows Host Computer 220 Installing an ACE Package Silently on a Windows Host Computer 221 Uninstalling VMware Player from a Windows Host Computer 222 Uninstalling an ACE Instance from a Windows Host Computer 222 Running the ACE Instance on a Windows Host Computer 222 Installing the ACE Package on a Linux Host Computer and Running the ACE Instance 223 Installing VMware Player on a Linux Host Computer 223 Installing the ACE Instance on a Linux Host Computer 224 Installing an ACE Package Silently on a Linux Host Computer 225 Uninstalling an ACE Instance from a Linux Host Computer 225 Uninstalling VMware Player from a Linux Host Computer 225 Running the ACE Instance on a Linux Host Computer 225 Running VMware Player 225 Starting VMware Player 226 Entering a Client License in VMware Player for an ACE Instance 227 Quitting VMware Player 227 Enlarging VMware Player to Fill the Screen 228 Understanding VMware Player Status Indicators 228 Viewing Messages Notifications and the ACE Information Dialog Box 230 Controlling Devices Attached to VMware Player 230 Setting VMware Player Preferences 230 Taking Snapshots in VMware Player 231 Using Shared Folders 232 Printing
82. the Server
   Before you start up the server setup Web application to configure the server, complete the procedures in this section that are applicable to your ACE 2 Management Server option:
   ■ "Obtain Your ACE 2 Management Server License Information" on page 69
   ■ "Using Active Directory Integration Using LDAP" on page 70
   ■ "Using an External Database" on page 71
   ■ "Using an External Database With the ACE 2 Management Server Appliance" on page 75
   ■ "Setting Up Your Own Self-Signed Certificates, Third-Party Signed Certificates, or Certificates from an Internal Certificate Authority" on page 61
   Obtain Your ACE 2 Management Server License Information
   Obtain your license information (serial number) for the ACE 2 Management Server before you begin using the server setup Web application to configure the server. If you do not have a serial number available at the initial server configuration, you will not be able to complete the configuration. As a result, the ACE 2 Management Server functionalities will not be available. These functionalities include, but are not limited to, connecting to the server from Workstation ACE Edition, assigning masters to be managed by the server, and using the Help Desk Web application. See Step 3 on page 76 for information about how to enter the serial number for your ACE 2 Management Server in the server setup Web application. See ACE 2 Ma
83. the toolbar. To return to a window if the mouse pointer is not available, press Ctrl+Alt. If your system administrator has configured VMware Player to run only in full screen mode, you cannot run it in a window. If you click the minimize button on the toolbar or press Ctrl+Alt, the VMware Player window is minimized and you see the host operating system.
   Understanding VMware Player Status Indicators
   Your ACE has several indicators to keep you aware of its status. The activity indicator shows that your ACE is running. It is represented by the VMware logo of three interlocking squares.
   ■ On Windows, this indicator appears in the lower-right corner of the VMware Player window in windowed mode but is not visible in full screen mode.
   ■ On Linux, this indicator appears in the top of your window in both windowed and full screen mode.
   While your ACE is running, the activity indicator is animated. The status icon tray (on Windows host systems only) is at the lower-right corner of the VMware Player window or immediately left of the activity indicator on the toolbar. The status icon tray might display one or both of the following:
   ■ The network access indicator is a shield-shaped icon. If your ACE uses network access features, this icon appears. Hold your mouse pointer over the icon to see whether some or all of the network traffic is being blocked. Click the netw
84. they will be carried over during the upgrade.
   Upgraded machines will not include:
   ■ Upgraded VMware Tools. These machines will continue to use the version of the VMware Tools installed in the VMware ACE 1.x machine, and therefore VMware ACE 2 features that require the latest Tools version will not be available on these machines.
   ■ The VMware ACE 1.x policies that were set for the virtual machine and for the project. During the part of the upgrade that occurs on the administrator machine, you can change ACE 2 policies and package settings. If you choose not to change any, the default ACE 2 policies and package settings are used.
   Steps for Upgrading VMware ACE 1.x Virtual Machines to VMware ACE 2 Virtual Machines
   To upgrade VMware ACE 1.x virtual machines to VMware ACE 2 virtual machines:
   NOTE: After you have completed the upgrade procedure, restart your system when you are prompted to do so.
   Power off the ACE virtual machines in the ACE 1.x project. Delete any snapshots for those virtual machines. On your administrator machine, start up Workstation ACE Edition, browse to one of the ACE 1.x virtual machines in the project, and open the virtual machine by clicking the virtual machine's <virtual_machine_name>.vmx file icon. Select VM > Upgrade or change version, and select Workstation 6 as the hardware version to which this machine is to be upgraded. Select File
85. to the portable device. Here are the scenarios that can result from the choice the user makes:
      a. If the user closes the session and syncs it back to the portable device, the user can then take the device to another host computer and start up the Pocket ACE there.
      b. If the user closes the session but doesn't sync it back to the portable device, the session remains on the host computer. The user can unplug the device and take it elsewhere, but VMware does not recommend that the user actually run the Pocket ACE on another computer.
      c. The user can discard the session (much like a snapshot reversion), and all changes made to the virtual machine since the last synchronization are discarded.
   NOTE: Tell your ACE users that they should safely unplug or eject the portable device before they disconnect it.
   6. If the user doesn't close the Pocket ACE and unplugs the device, the ACE remains in a Suspend state; the result is the same as in Step 5b.
   NOTE: If the user leaves the Pocket ACE in a Suspend state and then moves the Pocket ACE to a different host computer, it is recommended that the two host computers have the same CPU type. If the host CPUs are different, the user should shut down the Pocket ACE on the first machine before moving it to the second machine.
   Installing and Using VMware Player and ACE Instances
   This chapter describes how to install and run VMware Player and ACE instances on ACE user machines. Topics
86. tools weren't available.
   To create a new package with instance customization enabled:
   1. Choose ACE > New Package to start the New Package Wizard.
   2. Follow the steps defined in the wizard; for details, see "Creating a Package" on page 192.
   3. If the ACE master you are creating is a standalone ACE master, the Password page of the wizard will appear. Enter any passwords for domain join and, if needed, for the VPN connection.
   4. On the Package Summary page, click Next to begin the packaging process.
   5. Finish the steps for the New Package Wizard; for details, see "Creating a Package" on page 192.
   NOTE: See "Overview of the Instance Customization Process" on page 174 for details on what happens during the packaging process.
   CAUTION: Before you deploy the package, preview the ACE instance to verify that all settings are working correctly. During the preview, verify that instance customization runs unattended; that is, no dialog boxes appear that require user interaction. For example, if an invalid Windows product ID was entered, then a dialog box requiring a product key entry appears during Mini-Setup in the Preview run. When you preview the ACE instance, VMware Player runs in interactive mode so that you can see any instance customization errors and make corrections as needed. VMware Player does not run in interactive mode when you have deployed the package to t
87. used for a domain that is accessed through a direct connection. Leave the domain field blank.
   Table 4-2. Logon Options for ACE 2 Management Servers with Active Directory Service (Continued)
   Logon | Notes
   NETBIOS DOMAIN NAME username, password | The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS). Leave the domain field blank.
   username, password, NETBIOS DOMAIN NAME | The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS).
   Using the ACE 2 Management Server
   After the ACE 2 Management Server has been installed and configured, you can use it to:
   ■ View the instances on the server in the Workstation ACE Edition user interface.
   ■ Revoke and re-enable an instance.
   ■ Push out a dynamic policy update.
   ■ Fix various problems with the ACE instances, as reported by instance users, through the Instance View in the Workstation ACE Edition interface or through the Help Desk Web application.
   See Chapter 12, "Instance View," on page 245 and "Using the VMware Help Desk Web Application" on page 239 for more information about these tasks.
   Unblocking Port Traffic and Changing Port Assignments
   The following two topics describe how to deal with these port-related issues: "If Your ACE Instance on a Linux Host Computer Cannot Contact the ACE 2 Management Server" on pa
88. user. Its password setting also provides you with access to the vmware-acetool command-line troubleshooting program on standalone ACE instances.
   ■ Runtime preferences: This policy allows you to configure settings for runtime. You can specify various settings that your users can access on their machines when running ACE instances.
   ■ Hot fix: This policy allows you to activate the hot fix feature for standalone ACE instances. You can use the hot fix policy to specify that users can request hot fixes for specific problems, such as lost or forgotten passwords or expired instances.
   ■ Resource signing: This policy allows you to specify that ACE Resource files be protected from all tampering.
   ■ Custom EULA (package setting): This package setting allows you to provide a custom EULA (end user license agreement) that appears when an ACE instance is activated. You can use this feature to display a custom license agreement message that the user must see and accept before the instance can be run for the first time.
   ■ Package lifetime (package setting): This package setting allows you to specify a time period during which an ACE package can be installed.
   Troubleshooting tools: The vmware-acetool command-line program and the hot fix feature are available for use by administrators to fix users' common problems on standalone ACE instances. The Help Desk Web application and the Instance View can be used to fi
89. web-based ACE 2 Management Server Help Desk Application is designed to deliver a reduced set of administrative functionality through role-based access from any browser. See "Using the VMware Help Desk Web Application" on page 239 for more information. The server uses the Apache 2.0 web server. The ACE 2 Management Server supports the use of external RDBMSs, including Oracle 10g, Microsoft SQL Server 2000 or higher, and Postgres 7.4 or higher. In addition, it ships with an embedded SQLite database. See "ACE 2 Management Server" on page 29 for system requirements for the ACE 2 Management Server, and see Chapter 4, "Installing and Configuring the ACE 2 Management Server," on page 51 for information about installing and configuring the ACE 2 Management Server.
   ACE 2 Management Server Appliance
   ACE 2 Management Server is now available as a production virtual appliance. The appliance is a self-contained, pre-installed, pre-configured ACE 2 Management Server packaged in a virtual machine. Using this appliance is the fastest way to get an ACE 2 Management Server running in your environment. The ACE 2 Management Server appliance is eligible for all the same VMware support options offered with other ACE 2 Management Server installation configurations.
   Pocket ACE
   Pocket ACE allows an administrator to bundle and deploy an ACE onto a USB portable media device, including USB flash drives, Apple iPod mobile digital devices, and portable hard dri
90. with the virtual machine. The administrator also might patch the virtual machine or install new software, retake the reimage snapshot, and then revert the machine to the snapshot or instruct the user to do so. User snapshots enable the user to return the virtual machine to a known stable state.
   When they are first taken: The reimage snapshot is first taken automatically after the ACE instance is created but before it is run for the first time. A user snapshot is taken whenever the user chooses, after powering on the ACE instance.
   Precedence: The reimage snapshot must always be older than the user snapshot. Taking a new reimage snapshot deletes any existing user snapshot. User snapshots can be taken, reverted to, and deleted without affecting the reimage snapshot.
   Power state when taken: User snapshots can be taken both in powered-on and powered-off states. The reimage snapshot is only taken in a powered-off state.
   NOTE: You can't take snapshots of a Pocket ACE instance. For more about Pocket ACEs, see Chapter 10, "Pocket ACE," on page 211.
   [Figure: snapshot policy dialog box. User snapshot: VMware Player lets the user use a single snapshot. Allow the user to: Take the user snapshot; Revert to the user snapshot. Reimage snapshot: An initial reimage snapshot is taken when an ACE instance is created. Replacing the reimage snapshot deletes any existing user snapshots.]
91. [Figure: ruleset editor, with Add, Edit, Remove, Move Up, and Move Down buttons and the options Allow all other addresses and Block all other addresses]
   2. If you want to change the name of the ruleset, enter the new name in the Ruleset Name box.
   3. By default, DNS, DHCP, and ICMP are included in the network access setup. Generally, we recommend that you keep DHCP and DNS selected, as they are important for zone detection for both host and instance access. Deselect them if you do not want them included in the access setting.
      ■ DNS: Keep this option selected if the ACE instance needs to resolve IP addresses using a DNS server that is not included in any other network access setting for the instance.
      ■ DHCP: Keep this option selected if the ACE instance needs to get its IP address from a DHCP server that is not included in any other network access setting for the instance.
      ■ ICMP: Keep this option selected if you need support for the ping command, for example, to check network connectivity to and from the virtual machine.
   If you want to add or edit a rule, click Add. If you want to change a specific rule's settings, click the row for that rule in the table in the ruleset editor and then click Edit. The rule editor appears.
   [Figure: Rule Editor dialog box, with Action (Allow, Block), Direction, and Addresses settings]
92. 1 Create a new ACE master or clone an existing ACE master or existing virtual machine to an ACE master See Chapter 5 Creating and Configuring ACE Masters on page 89 Install guest operating systems VMware Tools and other software in the virtual machines For information on installing VMware Tools see the Workstation User s Manual For notes on installing particular guest operating systems see the VMware Guest Operating System Installation Guide available from the VMware Web site or from the Help menu Set policies for the ACE master Use policies to control what your users can do with their ACE instances for example what network access they have from the ACE instances and what devices on their host computers they may use in the instances See Chapter 6 Setting and Using Policies and Customizing VMware Player on page 105 VMware Inc Chapter 2 Learning the Basics of Workstation ACE Edition 4 Set package settings and virtual machine settings for your ACE master See Chapter 7 Package Settings on page 171 and Chapter 5 Creating and Configuring ACE Masters on page 89 5 Create packages to deploy to your users Workstation ACE Edition guides you through the process See Chapter 8 Creating Packages and Deploying Them to Users on page 191 or Creating an ACE Package for Portable Devices on page 212 6 Give the packages to your users Distribute the packages on CD DVD or
93. 141
   ■ "Packet-to-Rule Comparison" on page 145
   Using the Zone Editor to Set Up and Configure Network Zones
   Zone descriptions describe the characteristics of a network zone. Workstation ACE Edition examines the network or networks directly connected to network adapters on the host computer to see if there is a match for all the criteria for any adapter in any of the zone definitions. The zones are checked in the order they appear in the network access table, from the top down. When the host connects to a network, checking begins to see whether the network matches the conditions for a zone. The checking starts with the topmost zone in the table and continues down the table until a match is made or the Everywhere Else zone is reached. When a match is made, the zone checking stops and filter rules for that zone are applied.
   Details about zone matching are:
   ■ A zone can be specified by using up to six conditions:
      ■ Domain
      ■ Subnet
      ■ DNS servers
      ■ DHCP servers
      ■ Gateway servers
      ■ WINS servers
     For a match to occur, all specified conditions must be met.
   ■ All zone conditions except the domain condition allow users to specify a list of addresses. The match is made if the host's address matches any of the address list entries in a specified condition.
   Guidelines for Choosing Zone Conditions
   Choose the characteristics you specify carefully. There are
94. 1. Obtain the serial number for your ACE volume license key. 2. Start up the Workstation application. 3. Choose Help > Enter Serial Number. 4. Type the serial number in the appropriate field and enter your name and the organization name in the dialog box. Click OK. 5. Shut down the Workstation application and then restart it. If you have already entered the ACE Option Pack license, there will be no visible differences in the product, but your ACE volume license key will not be available for use during the ACE package creation process. To enter the ACE client license key on an end user's device: ACE packages created without the use of an ACE Volume License Key will require manual entry of an ACE client license key the first time you power on after installation. 1. Obtain the ACE Client License serial number. 2. Double-click the desktop shortcut for the installed ACE instance. 3. At the prompt, enter the serial number in the appropriate field and enter your name and the organization name in the dialog box. Click OK. If you need to subsequently change or update the ACE Client License: a. Choose VMware Player > Enter ACE Client License. b. Enter the serial number in the dialog box. If you need to purchase a license, click Get Serial Number and follow the directions to get your license. c. Click OK. NOTE: If you are not using an ACE volume license key, be aware that when you deploy a Pocket ACE to a portable media device you sho
95. 2; Hardware and Software Recommendations for This Release; Workstation ACE Edition ACE Administrator; PC Hardware; Display; Disk Drives; Local Area Networking (Optional); Windows Host Operating Systems (32-Bit); Windows Host Operating Systems (64-Bit); VMware Player End User Client Devices; Hardware Requirements; Supported Host Operating Systems; ACE 2 Management Server; Hardware; Display; Disk Drives; Local Area Networking; Windows Operating Systems; Linux Operating Systems; External Databases; Web Browsers; 2 Learning the Basics of Workstation ACE Edition; Terminology for This Chapter; Setting Up Your Administrative Workstation; Overview of the Workstation ACE Edition Window; Accessing Commands in the Workstation ACE Edition Window; Workstation ACE Edition Window Elements; ACE Master Icons in the Sidebar; Adding ACE Masters to ACE 2 Management Servers; Viewing ACE Masters in the Sidebar; Using the ACE Icons on the Home Page; Viewing the Summary for an ACE Master; Viewing the Summary for All ACE Instances Managed by an ACE 2 Management Server; ACE Menu; New ACE Master, Connect to ACE 2 Management Server, and Open Hot Fix Commands in the File Menu; ACE Master Toolbar; Creating Packages to Distribute to Users; Basic Steps for Creating and Deploying ACE Packages; Keeping Users Up to Date; Troubleshooti
96. 2 Management Server are: Table 4-1. Port Assignments: Default Settings for the ACE 2 Management Server (Port: Used For). https port 443: Communications between the ACE 2 Management Server and ACE instances. https port 8000: ACE 2 Management Server Setup configuration Web application; ACE Help Desk Web application. https port 8080: ACE 2 Management Server Appliance configuration. NOTE: If you have another Web server installed that uses any of these default ports, you might need to resolve the conflict. See "Unblocking Port Traffic and Changing Port Assignments" on page 85. Installation Options for the ACE 2 Management Server: Follow the installation instructions for your server installment option: "Installing the ACE 2 Management Server on a Windows System" on page 65; "Installing the ACE 2 Management Server on a Linux System" on page 65; "Installing the ACE 2 Management Server Appliance" on page 67. Installing the ACE 2 Management Server on a Windows System: Install the ACE 2 Management Server by launching the vmware ace management server application from the server that the ACE 2 Management Server will reside on. The vmware ace management server exe file is available as a separate downloadable file in the same download location as the one for the Workstation ACE Edition application. To install the server, follow the promp
97. 2003, Vista 32 and 64 bit; Linux: RHEL 4, 32 bit only. Virtual Printer: Allow instances to use printers configured on their host operating systems. This policy requires a serial port, which is created automatically when the policy is enabled. Disabling this policy removes the serial port. Select Enable virtual printer for instances to allow users to print to the virtual printer. After you have enabled this policy, a serial port appears on the Hardware tab of the virtual machine settings editor with the summary Used by Virtual Printer. You can only add or remove this serial port by enabling or disabling the option in the Virtual Printer policy. [Screenshot: Hardware tab of the virtual machine settings editor, listing Serial Port: Used by Virtual Printer, with the message "This serial port is reserved for Virtual Printer. To remove, disable the Virtual Printer policy in ACE > Policies."] NOTE: If the ACE master already has four serial ports, you won't be able to add another serial port for the virtual printer. To enable the virtual printer, delete an existing serial port. The user will be able to print to any of the host printers that are available in the printer sele
98. 3; "Overview of the Instance Customization Process" on page 174; "Before You Specify Instance Customization Settings, Perform These Tasks" on page 175; "Downloading the Microsoft Sysprep Deployment Tools" on page 176; "Specifying Package Settings for Instance Customization" on page 177; "Placeholder Values to Use in Instance Customization" on page 180; "Packaging with Instance Customization Enabled" on page 182; "How ACE Instance Customization Completes on the ACE User's Machine" on page 184. For detailed information on closely related topics, see: "Setting Up a Remote Domain Join" on page 188; "Creating a Package" on page 192. Benefits of Instance Customization: The instance customization feature enhances and streamlines the preparation and deployment of ACE instances. The instance customization process is built around the standard Microsoft Sysprep deployment tools. It automates the Sysprep process (the use of the Microsoft Sysprep deployment tools), allowing you to use just one tool, one user interface, and so on, to do all the tasks. It gives you better control of some Sysprep parameters, such as computer name. It provides you with an automated way to join ACE instances to a domain from a remote site with your VPN client. For details, see "Setting Up a Remote Domain Join" on page 188. NOTE: Your VPN client must support a co
99. 7.0 (stock 2.2.16-22, upgrade 2.2.17-14). SUSE Linux Enterprise Server 10; SUSE Linux Enterprise Server 9 SP4 Beta; SUSE Linux Enterprise Server 9, 9 SP1, 9 SP2, 9 SP3. Listed versions are also supported with no service pack. SUSE Linux Enterprise Server 8 (stock 2.4.19); openSUSE 10.2 (formerly known as SUSE Linux 10.2); SUSE Linux 10.1; SUSE Linux 10; SUSE Linux 9.3; SUSE Linux 9.2 SP1; SUSE Linux 9.1 (stock 2.6.4-52); SUSE Linux 9.0 (stock 2.4.21-99); SUSE Linux 8.2 (stock 2.4.20). Ubuntu Linux 6.10; Ubuntu Linux 6.06; Ubuntu Linux 5.10; Ubuntu Linux 5.04. A Web browser is required for the Help system. Linux Host Operating Systems (64-Bit): Supported distributions and kernels are listed below. Workstation might not run on systems that do not meet these requirements. NOTE: As newer Linux kernels and distributions are released, VMware modifies and tests its products for stability and reliability on those host platforms. VMware makes every effort to add support for new kernels and distributions in a timely manner, but until a kernel or distribution is added to the list below, its use with VMware products is not supported. Look for newer prebuilt modules in the download area of the VMware Web site. Go to www.vmware.com/download. Mandriva Linux 2006 and 2007; Mandriva Corporate Desktop 4.0; Mandriva Corporate Server 4.0. Important: On 64-bit Ma
100. ACE administration tasks, including: Creating and configuring ACE masters. For details, see Chapter 5, "Creating and Configuring ACE Masters," on page 89. Setting policies for ACE masters. For details, see Chapter 6, "Setting and Using Policies and Customizing VMware Player," on page 105. Setting package settings for ACE masters. For details, see Chapter 7, "Package Settings," on page 171. Packaging those ACE masters with their policies and the VMware Player application, or packaging just updated policies. For details, see Chapter 8, "Creating Packages and Deploying Them to Users," on page 191. Testing or previewing your ACE packages or updated policies before you distribute them. For details, see Chapter 9, "Preview, Save, Test, Publish," on page 203. If you set up one or more ACE 2 Management Servers in Workstation ACE Edition as part of your ACE setup, you also use the controls and options in the Workstation ACE Edition window to manage the ACE masters that you associate to those servers. Topics in this section are: "Accessing Commands in the Workstation ACE Edition Window" on page 34; "Workstation ACE Edition Window Elements" on page 35; "ACE Master Icons in the Sidebar" on page 35; "Adding ACE Masters to ACE 2 Management Servers" on page 36; "Viewing ACE Masters in the Sidebar" on page 36; Using the AC
101. AP you do not plan to use an Active Directory service, specify the password for ACE 2 Management Server administrators. Administrators must enter this password before they can modify the server's configuration. If you want to enable a role for using the Help Desk Web application, select Enable Helpdesk Role and specify a password that users must enter when they start up the Help Desk application. See "Using the VMware Help Desk Web Application" on page 239 for details about that application. NOTE: If you are reconfiguring the server, you will notice that any passwords you entered previously are shown as a 12-character display rather than as the actual number of password characters. CAUTION: If you lose your administrator password (you set this password if the server is configured not to use LDAP), there is no way to retrieve that password. You will have to delete the server configuration file, setting the server back to its initial state, and then reconfigure the server and set an administrator password during the reconfiguration. To delete the ACE 2 Management Server configuration file and set a new administrator password: 1. If you used complex settings in your configuration file, you might want to save a copy of the file so that you can look at those settings while you are reconfiguring the server. 2. Navigate to the location of the ACE 2 Management Server configuration file. On Linux systems: var lib vmware acesc conf ac
102. BC connectivity. For Windows-based servers: Microsoft SQL Server 2000 or higher; Oracle Database 10g. For Linux-based servers: PostgreSQL 7.4 or higher. Web Browsers: Required for ACE 2 Management Server configuration and ACE 2 Management Server Help Desk Web application. Mozilla Firefox 1 52 or higher Web browser; Internet Explorer 6.0 or higher Web browser. Learning the Basics of Workstation ACE Edition: The following sections provide an overview of how to use Workstation ACE Edition to create and deploy virtual machines for your users: "Terminology for This Chapter" on page 31; "Setting Up Your Administrative Workstation" on page 32; "Overview of the Workstation ACE Edition Window" on page 33; "Creating Packages to Distribute to Users" on page 40; "Basic Steps for Creating and Deploying ACE Packages" on page 40; "Keeping Users Up to Date" on page 41. Terminology for This Chapter: The following terms are used frequently in this chapter. For definitions of other ACE terms, both in this chapter and in the rest of the manual, see "Glossary" on page 267. ACE Option Pack: The additional licensing required to convert an installed copy of Workstation 6 into Workstation ACE Edition. Workstation ACE Edition: The program used by the administrator to create, deploy, and update ACE packages and manage ACE instances. Workstation ACE Edition is enabled by installing Work
103. CE 2 Management Server Appliance: The ACE 2 Management Server Appliance does not contain a PostgreSQL database server. You must use an external server to which the server appliance connects over the network. One possibility you might consider is whether an appliance version of a database server would suit your setup. To set up an ODBC connection to your PostgreSQL external database: 1. Log in to the server appliance console as root, using the password you created during your first run of the server appliance. 2. Open the /etc/odbc.ini file in a text editor, for example: vaos vi /etc/odbc.ini. This file contains a setting for the ODBC DSN called postgres_dsn. 3. Uncomment all lines in the postgres_dsn file except the first two, that is, remove the leading symbol in each line. 4. Replace placeholders (<>) with the PostgreSQL database server DNS name or IP address and the database name in this server. 5. If you have configured your PostgreSQL server to listen on a non-default port number, use that port number in the configuration; otherwise keep the default port number setting. 6. Save the file. These steps ensure that postgres_dsn will appear in the dropdown box on the Database tab in the server setup application. Using the ACE 2 Management Server Setup Application: Ensure that you have completed any necessary pre-configuration tasks. See Tasks to Complete Bef
104. CE 2 are built into Workstation 6. To expose these ACE 2 features, users of Workstation 6 must acquire the ACE Option Pack. The ACE Option Pack is a license enablement that turns an existing copy of Workstation 6 into Workstation 6 ACE Edition. There are no new software downloads required. The following sections describe the ACE Option Pack and ACE client licenses. ACE Option Pack License: After entering the ACE Option Pack license into a copy of Workstation 6, your copy of Workstation will become Workstation ACE Edition. Workstation ACE Edition has the ability to generate ACE packages containing ACE virtual machines. All ACE packages require an ACE client license on the target end user's machine. An ACE client license is a serial-number-based license key that must be entered upon powering on an ACE if no license key is detected, or by choosing VMware Player > Enter ACE Client License. The ACE client license is tied to the device itself, whether that device is a PC, laptop, or a portable media device such as a USB flash drive storing a Pocket ACE. ACE Volume Licensing Key: ACE 2 introduces a volume license key as well. This volume license key is available with both the Standard and Enterprise editions of the product. A copy of Workstation ACE Edition using a volume license key automatically embeds an ACE client license in all of your ACE packages. ACE packages with an embedded
105. CE Management Server page, choose whether you want to use the ACE 2 Management Server to manage the instances created from this ACE master. Select Use server (the default choice) to have an ACE 2 Management Server manage the instances created from this ACE master. Then enter the server name and port, or choose the server from the dropdown list of previously chosen servers. The port assigned to that server appears in the Port box. Click Next. Select Don't use server if you do not want to have an ACE 2 Management Server manage the ACE instances created from this ACE master. NOTE: You can't change the ACE master at a later time from Use server to Don't use server, or the reverse. The ACE master will always be either managed or standalone. Click Next to continue. 18. If you selected a server that is integrated with an Active Directory service, the Active Directory page appears. Select whether to use Active Directory with this ACE master. Then click Next. CAUTION: When you choose an ACE 2 Management Server with Active Directory integration during ACE master creation, ensure that your Workstation ACE Edition administrator machine is in the same domain as that server. If the machine is not in that domain, you won't be able to preview the instance or add users to the ACE master. 19. The Ready to Complete page appears. Click Finish to complete the New ACE Mas
107. CE Tools: vmware-acetool Command-Line Tool. The vmware-acetool command-line program is a troubleshooting tool that allows ACE administrators to fix a limited set of problems for standalone ACE instances directly on an ACE user's system. NOTE: You can actually use the vmware-acetool program to reset passwords and fix expiration dates on another machine, but you must have the .vmx, .vmpl, and ace.dat files from the user, all set up in the same directory. The vmware-acetool is distributed with VMware Player and is available for both Windows and Linux systems. Problems you can fix with vmware-acetool are: Set the user's password so the user can run the ACE instance. Set copy protection so the user can run the ACE instance in a new location. Set the expiration date so the user can continue to use an ACE instance that had reached its scheduled expiration date. NOTE: For you to use vmware-acetool to fix a problem, the configuration file for the targeted ACE instance must be on the ACE user's machine. That is, you cannot use the tool to make fixes to files associated with the instance unless the configuration file is on the same machine as those files. It should be run on the user's machine, in place. Usage: vmware-acetool <command> <ACE configuration file> parameters. Command / Parameters / Description: setPassword / Path to recovery key file / Set the ACE instance's password. setExpirationDate / New expiration dat
108. CE instance from the portable device. NOTE: Tell your users that the host computers that they move Pocket ACEs among must have their clocks set to the correct time. If they move a Pocket ACE from one host computer to another and the clock of the second host is behind that of the first, the Pocket ACE will not run. 1. The user plugs the portable device into the host computer. 2. Depending on the host system autorun configuration, users might have to manually start their Pocket ACE. For Windows host systems, autorun is included in the package. autorun checks to see if VMware Player is installed. If not, Player is installed automatically. If the instance does not start automatically, choose Start > My Computer and browse to the removable device and run the Pocket ACE. [Screenshot: Windows My Computer window listing hard disk drives and devices with removable storage.]
109. DBC Driver Manager API to other programs, a set of configuration utilities, and ODBC drivers for popular databases. On both RHEL4 and SLES9, the ODBC driver for PostgreSQL is included in the unixODBC binary distribution package. To use the X11 graphical configuration tool, ODBCConfig, for setting up a DSN on your SLES9 system, you have to have the unixODBC-gui-qt package also installed (this utility is included in the RHEL unixODBC package). Because libodbc is a shared library that implements industry-standard ODBC APIs, the ACE 2 Management Server application is not sensitive to the particular version of the unixODBC package installed on your Linux system, but we recommend that you update the package to the latest version released for your specific Linux distribution. The DSN configuration for the unixODBC package is stored in the /etc directory (/etc/unixODBC for SLES) on your system: odbc.ini for DSNs, and odbcinst.ini for driver and general ODBC system configuration. You can edit these plain text files manually, or you can edit them more conveniently by using the ODBCConfig graphical X11 utility. You have to be logged in as a root user to access the configuration files or run the ODBCConfig utility. NOTE: If you are using the ACE 2 Management Server Appliance, see the information about setting up an ODBC connection on page 75. The ODBCConfig utility mimi
110. E Edition window. The Package Properties dialog box has three tabbed pages. Summary page: Displays the package name, creation date, deployment media, package type, size, location, and components. You cannot edit information on this page. Settings page: Displays values for package settings that have been applied to this package. You cannot edit information on this page. Notes page: Displays and allows you to edit notes for this package. These notes could have been entered into the Name the Package page when the package was created using the New Package Wizard, or they could be notes that have been edited from this page. Deploying Packages. To deploy a package: If this is a Full, Policy Update, Server Update, or Custom package, you can give the package to your user. You can distribute the packages on CD or DVD, or you can make them available on a network. See Chapter 11, "Installing and Using VMware Player and ACE Instances," on page 219 for information on installing packages. If this is a Pocket ACE package, see "Deploying the ACE Package on a Portable Device" on page 215. Preview, Save, Test, Publish: Before you deploy a new or updated ACE package or updated policy, you might want to test it. This section describes test options that allow you to see the ACE instance wor
111. E Icons on the Home Page" on page 36; "Viewing the Summary for an ACE Master" on page 37; "Viewing the Summary for All ACE Instances Managed by an ACE 2 Management Server" on page 38; "ACE Menu" on page 38; "New ACE Master, Connect to ACE 2 Management Server, and Open Hot Fix Commands in the File Menu" on page 39; "ACE Master Toolbar" on page 39; "Troubleshooting Users' Problems" on page 41. Accessing Commands in the Workstation ACE Edition Window: You have several options for accessing commands in the interface: menu options; right-click context menus; commands shown in the summary view for the open ACE master. This manual will typically list just the menu option when describing procedures. You can, of course, use whichever access option is most convenient. When there is no menu option available (for example, Publish policies to server is only available in the summary view), then the manual describes the step using the appropriate option. Workstation ACE Edition Window Elements: The Workstation ACE Edition window differs only slightly from the standard Workstation window. Like that window, it incorporates: Home page, Summary view, and Console view; Toolbars; Sidebar. For details of the standard Workstation window, including how to use and customize those window elements, see Overview of the Workstation Window
112. E Menu: The ACE menu provides these commands. Policies: Opens the policy editor. See Chapter 6, "Setting and Using Policies and Customizing VMware Player," on page 105. Package Settings: Opens the package settings editor. See Chapter 7, "Package Settings," on page 171. Preview in Player: Starts the Preview feature, which allows you to preview how an ACE instance created from this ACE master will run on the user's machine in the VMware Player application. See Chapter 9, "Preview, Save, Test, Publish," on page 203. New Package: Starts the New Package Wizard. See Chapter 8, "Creating Packages and Deploying Them to Users," on page 191. New Pocket ACE Package: Starts the Pocket ACE Package Wizard. See Chapter 10, "Pocket ACE," on page 211. ACE Server: Opens the ACE Server dialog box, which allows you to choose, for a managed ACE master, a different ACE 2 Management Server than the one with which it is currently associated. See "ACE Server Settings" on page 100. Clone: Starts the Clone ACE Master Wizard. See "Cloning an ACE Master from an Existing ACE Master" on page 97. Delete from Disk: Deletes the selected ACE master from the disk. A warning message appears before the ACE master is deleted, asking whether you are sure that you want to take this irreversible action of deleting this ACE master's files. New ACE
113. E Server Settings; Reassigning an ACE Master to a Server When the Master's Record Cannot Be Retrieved; Why Would You Need to Reassign an ACE Master to a Different Server Address?; When Do You Need to Reassign an ACE Master?; How Does Reassigning the Master to a New Server Address Work?; What Does Reassigning an ACE Master to a New Server Address Do?; Virtual Machine Settings; 6 Setting and Using Policies and Customizing VMware Player; Taking Advantage of Policies; Using the Policy Editor; Setting Policies; Setting Access Control Policies: Activation and Authentication; Activation and Authentication for Managed Instances with Active Directory Service; Activation and Authentication for Managed Instances Without Active Directory Service; Activation and Authentication for Standalone Instances; Setting Host-Guest Data Script Policies; Setting Expiration Policies; Setting Copy Protection Policies; Copy Protection Policies for Standalone ACE Instances; Copy Protection Policies for Managed ACE Instances; Setting Resource Signing Policies; Setting Network Access Policies; Before You Begin: Read These Notes About Host Policies; Getting Started with Setting Network Access; Using the Network Access Wizard to Configure Network Access; Using the Zone, Ruleset, and Rule Editors to Configure Network Access; Using the Zone Editor to S
114. E instance from a Windows host computer: 1. Find the setup.exe file for the package for this instance and double-click it to start the installer, or remove the package by choosing Settings > Control Panel > Add or Remove Programs. 2. Follow the instructions in the installation wizard to remove the ACE instance. 3. Click Finish to complete the installation. The wizard closes. The uninstaller reclaims everything, including the ACE instance's data files, shortcuts, and registry entries. Then the uninstaller quits. NOTE: The uninstaller does not uninstall the VMware Player application. Running the ACE Instance on a Windows Host Computer: To run the ACE instance, either double-click the icon on the desktop or single-click the icon in the Start menu. Installing the ACE Package on a Linux Host Computer and Running the ACE Instance: The administrator creates an ACE package, which includes the ACE instance and VMware Player. The ACE package must be accessible to the Linux user machines for installation. NOTE: If this is the first installation of an ACE instance on the user machine, then an administrator must install VMware Player before the ACE user can install and run ACE instances. Installing VMware Player on a Linux Host Computer: Only a user with administrator or root privileges can install and uninstall VMware Player. Player wil
115. E master summary view. 2. Click the Encryption page link in the left pane of the Package Settings window. NOTE: If you change these settings after you have created a package, the changes affect only new packages, not existing ones. Package protection (package protection before installation): None: Do not protect the package. Tamper resistant: Protect the configuration file in a tamper-resistant format. Encrypted (recommended): Protect the configuration file in a tamper-resistant format and encrypt its data. This increases the time needed for packaging. Instance protection (instance protection after installation and activation): None: Do not protect the instance. Tamper resistant: Protect the configuration file in a tamper-resistant format. Encrypted (recommended): Protect the configuration file in a tamper-resistant format and encrypt its data. This increases the time needed for installation. To protect the contents of the ACE package, you can specify that the New Package Wizard encrypts the virtual machine when the package is created. To do so, select Encrypted under Package protection. Each installation of the virtual machine is encrypted differently. You must specify an authentication method if you want the installer to encrypt the ACE instance. See "Setting Access Control Policies: Activation and Authentication" on page 107 for details about
116. Guide, available on the VMware Web site or from the Help menu. Enter a name and folder for the ACE master on the Name the Virtual Machine page. Each ACE master should have its own folder. All associated files, such as the configuration file and the disk file, are placed in this folder. The default folder for this Windows XP Professional ACE master is C:\Documents and Settings\<username>\My Documents\My Virtual Machines\Windows XP Professional. If you are creating an ACE master optimized for Pocket ACE, skip to Step 14. If you selected Typical as your configuration path, skip to Step 9. If you selected Custom as your configuration path, select the number of virtual processors to use, one or two. Then click Next. Continuing with Custom configuration, adjust the memory settings or accept the defaults. When choosing the ACE master memory settings, you need to consider the amount of memory required by the guest operating system and applications. You also need to consider the amount of RAM installed on your users' computers and the amount of RAM required by the host operating system. Do not set the ACE master memory below the amount recommended for the guest operating system. If you set ACE master memory higher than that minimum, you should not set it so high that the host operating system cannot run comfortably. For common configurations, set the ACE master memory no higher than half the amount of RAM you expect to find on users ho
117. LSE -- Is this entry deleted (tombstone)
    PRIMARY KEY (aceUID, policyVersion),
    FOREIGN KEY (aceUID) REFERENCES PolicyDb_Ace(aceUID)
);
-- ACE Management Server info (reserved for future use)
CREATE TABLE PolicyDb_AcescServer (
    serverHostname VARCHAR(128),                -- Host name of the server computer
    serverPort INTEGER,                         -- TCP port number server is listening on
    secure VARCHAR(7) DEFAULT 'FALSE' NOT NULL, -- Whether HTTPS is enabled
    sslCertificateExtKey VARCHAR(128),          -- SSL Certificate data (key to data stored in LongField table)
    sslCertificateChainExtKey VARCHAR(128),     -- SSL Certificate Chain data (key to data stored in LongField table)
    PRIMARY KEY (serverHostname, serverPort)
);
-- Audit Event Log: Event Types lookup table
CREATE TABLE PolicyDb_EventType (
    eventType INTEGER,               -- Event Type code (PK)
    eventMessage VARCHAR(1024),      -- Printable message for this event type
    eventCategory INTEGER,           -- Event Category code
    eventCategoryName VARCHAR(128),  -- Event Category printable name
    eventLogLevel INTEGER,           -- Event Log Level
    PRIMARY KEY (eventType)
);
-- Audit Event Log data
CREATE TABLE PolicyDb_Event (
    eventUID INTEGER,         -- Primary key of the table (sequential)
    eventTs VARCHAR(21),      -- Timestamp of the event creation (in uSec)
    loginName VARCHAR(128),   -- Login user name of the actor
    aceUID VARCHAR(128),      -- UID of the ACE affected by event
    packageUID VARCHAR(128),  -- UID of the package affected by event
118. Management Server Appliance. NOTE: Before you can create a managed ACE master, you must have an ACE 2 Management Server set up and configured. The New ACE Master Wizard requires connection to an ACE 2 Management Server before creation of an ACE master can be successfully completed. Target hardware platform support for the ACE 2 Management Server is driven almost exclusively by the number of ACE instances being supported and the frequency with which they are configured to communicate with the server. VMware recommends that production deployments be installed on either a dedicated server or a virtual platform with sufficient available resources to ensure performance and stability. Refer to the sizing white paper for more detailed information on VMware performance testing. However, the ACE 2 Management Server has been tested and can be installed on desktop or workstation platforms to support a small number of clients or non-production evaluations. Topics in this section are:
• "Default Port Assignments for the ACE 2 Management Server" on page 64
• "Installation Options for the ACE 2 Management Server" on page 65
• "Installing the ACE 2 Management Server on a Windows System" on page 65
• "Installing the ACE 2 Management Server on a Linux System" on page 65
• "Installing the ACE 2 Management Server Appliance" on page 67
Default Port Assignments for the ACE 2 Management Server
The default port assignments used by the ACE
119. Master, Connect to ACE 2 Management Server, and Open Hot Fix Commands in the File Menu
You use the New ACE Master command to start the New ACE Master Wizard. See "Creating a New ACE Master" on page 90 for information about using the wizard. You use the Open Hot Fix command to respond to a hot fix request from an ACE user. See "Responding to Hot Fix Requests" on page 237 for information about hot fix requests. You use the Connect to ACE 2 Management Server command to open the Connect to ACE 2 Management Server dialog box. See "Using the Connect to ACE 2 Management Server Command to Open an Instance View" on page 254 for information about using the command.
ACE Master Toolbar
The ACE Master Toolbar contains these icons:
• Edit Policies: Opens the policy editor. See Chapter 6, "Setting and Using Policies and Customizing VMware Player," on page 105 for information about policy settings.
• Edit Package Settings: Opens the package settings editor. See Chapter 7, "Package Settings," on page 171 for information about the settings.
• Create new package: Opens the New Package Wizard. See Chapter 8, "Creating Packages and Deploying Them to Users," on page 191 for information about using the wizard to create packages.
• Create Pocket ACE package: Opens the Pocket ACE Package Wizard. See "Creating an ACE Package for Portable Devices" on page 212 for information about using the wizard.
120. Mware ACE Administrator's Manual
settings by using the Appliance Management and Configuration application, as follows:
a. Leave the ACE 2 Management Server Appliance running.
b. Browse to https://<hostIPaddress>:8080.
c. In the connection dialog box, type root in the user name field and your network root password in the password field.
d. Click the Network link on the first page of the Appliance Configuration and Management Web application to open the Network Configuration page.
e. To view instructions about configuring network settings, click the Help link in the upper right of the Web page.
f. After you've made the changes you want to make to the network settings, click Apply. If you want to revert to the settings that were on the page before you started making changes, click Reset.
7 (Optional) You can obtain updates to this appliance when they become available. If you would like to reconfigure any update options (for example, if you want to disable automatic downloads of updates), you can do that by using the Appliance Management and Configuration application, as follows:
a. Leave the ACE 2 Management Server Appliance running.
b. Browse to https://<hostIPaddress>:8080.
c. In the connection dialog box, type root in the user name field and your network root password in the password field.
d. Click the Update link on the first page of the Appliance Configuration and Management Web application to open the Appli
121. NAT
VMware ACE Administrator's Manual
Windows Host Operating Systems (32-bit):
• Windows Vista
• Windows XP Home Edition SP1, SP2
• Windows XP Professional SP1, SP2
Listed versions are also supported with no service pack.
• Windows 2000 Server SP3, SP4
• Windows 2000 Professional SP3, SP4
• Windows 2000 Advanced Server SP3, SP4
• Windows Server 2003 Standard Edition SP1
• Windows Server 2003 Web Edition SP1
• Windows Server 2003 Small Business Edition SP1
• Windows Server 2003 Enterprise Edition SP1
• Windows Server 2003 R2
Listed versions are also supported with no service pack.
Windows Host Operating Systems (64-bit):
• Windows Vista
• Windows XP Professional x64 Edition
• Windows Server 2003 x64 Edition SP1
• Windows Server 2003 x64 Edition R2
Internet Explorer 4.0 or higher is required for the Help system.
VMware Player (End-User Client Devices)
The following sections describe VMware Player system requirements.
Hardware Requirements
• Processor speed: 400MHz or faster (500MHz or faster recommended)
• Memory: 256MB minimum (512MB recommended). You must have enough memory to run the host operating system, plus the memory required for each guest operating system and for applications on the host and guest. See your guest operating system and application documentation for their memory requirements.
• Hard disk: At least 1GB free disk space for each guest operating system. For installation, VMware Player requires app
122. Package protection in the Encryption package setting is set to None.
• This is a standalone ACE master, and the access control policy's authentication type is set to None.
To set the password in those situations, select Protect Pocket ACE package with password, and then type in a password and confirm it. Then click Next. The Package Summary page appears. Review the summary information. If you need to make changes, click Back. If the information is correct, click Next to begin package creation. The Package Creation page appears and displays a progress bar. It can take quite some time to complete this step, especially for packages that include large virtual machines.
VMware Inc. Chapter 10 Pocket ACE
The Completing the Pocket ACE Package Wizard page appears when the process has finished. If you want to deploy the package immediately, select Deploy to a portable device now. Whenever you're ready to deploy the package, you can navigate to the package location (the one you specified in the Name the Package page) on your machine and then follow the instructions in "Deploying the ACE Package on a Portable Device."
Deploying the ACE Package on a Portable Device
You can deploy multiple ACE packages on a single portable device. The only limitation on number of packages is the amount of available space on the device. You run deploy.exe for each ACE. The wizard automatically pre-allocates disk space and splits the disk into 2GB segm
123. Player. The default location for the virtual machine files on a Windows XP system is C:\Documents and Settings\All Users\Application Data\VMware\VMware ACE\<ACE Name>. You can customize the basic package installation command to specify one or more of the following:
• Installation directory for the ACE instance
• Installation directory for the VMware Player application
• Installation without a desktop icon
The following example command illustrates the options and their usage:
    msiexec /i package.msi DESKTOP_SHORTCUTS=0 INSTALLDIR=G:\packages PLAYER_INSTALLDIR="C:\VMware\VMware Player" /qn
Enter the command on one line.
Option               Description
DESKTOP_SHORTCUTS    When set to 0, skips installation of the ACE instance shortcut on the desktop. The default is 1.
INSTALLDIR           Sets the root installation directory for the ACE instance.
PLAYER_INSTALLDIR    Sets the root installation directory for the VMware Player application.
You can also install an upgrade silently. An upgrade is always installed in the same directory or directories as the previous package.
Uninstalling VMware Player from a Windows Host Computer
To uninstall VMware Player:
1. Navigate to Start > Control Panel > Add or Remove Programs > Change or Remove Programs.
2. Select the program and click Remove.
Uninstalling an ACE Instance from a Windows Host Computer
To uninstall an AC
124. Preview in Player: Allows you to run an ACE instance as it will run on the user's machine, as well as view the effects of changed policies as they will appear on the user's machine. See Chapter 9, "Preview, Save, Test, Publish," on page 203 for information about using the Preview mode.
Creating Packages to Distribute to Users
Using Workstation ACE Edition, create packages to distribute to your ACE users. A Full package includes:
• A virtual machine configuration file, data, policies, preferences, and resources
• The VMware Player application to run the ACE instance on the ACE user's machine (or, for Pocket ACE instances, the installer for Player)
• A set of policies to control the capabilities of the ACE instance
• Other Resource files for the ACE master
Other package types available from the New Package Wizard are Policy Update, Server Update, and Custom. For more about package types, see Step 8, "Select a package type on the Package Type page, and then click Next," on page 196. See "Creating an ACE Package for Portable Devices" on page 212 for information about creating Pocket ACE packages. For more information on VMware Player, see Chapter 11, "Installing and Using VMware Player and ACE Instances," on page 219.
Basic Steps for Creating and Deploying ACE Packages
This section describes how to create and deploy ACE packages. To create and deploy an ACE package
125. Rule Editors to Configure Network Access" on page 136. NOTE: Actually, you can combine the two methods by using the wizard to set the basic settings and using the editors to reconfigure and fine-tune the settings.
Using the Network Access Wizard to Configure Network Access
1. Click Quick Setup Wizard to start the Network Access Wizard. Click Next on the welcome page.
2. On the Network Configuration Type page, select one of the following options, and then click Next:
• Desktop Configuration: Select this option to set network access for ACE instances on host machines that connect indirectly to the corporate network. This option allows you to restrict ACE instance access to your VPN or specified hosts. Continue with Step 3.
• Laptop Configuration: Select this option to set network access for ACE instances on host machines that are sometimes connected remotely to the corporate network and sometimes connected directly to the corporate network. Configure network access to protect your internal network from an infected host and to protect the ACE instances against infection from untrusted networks. Continue with Step 4.
3. If you selected Desktop Configuration:
a. On the Desktop Access page, click the link in the table and type the host names or IP addresses that the ACE instance is allowed to access, in addition to the default DNS, DHCP, and ICMP protocols and ports. You can optionally enter subnet masks in dotted quad format or
126. See Microsoft Sysprep deployment tools details for an instance viewing 242 device connection policy 146 device connection ACE instance 146 device settings 104 device removable policy 146 device USB 147 devices controlling with VMware Player 230 disc labels for packages 200 disconnecting devices with VMware Player 230 disk space required for packaging 197 disks virtual 271 distributing packages 192 196 DNS setup issues troubleshooting 190 275 VMware ACE Administrator s Manual domain join providing passwords during packaging 198 remote setting up 188 domain setting in instance customization package settings 179 domain problem with domain validation or name resolution 190 domain problem with logging in after revert to installed 190 downloading Microsoft Sysprep deployment tools 176 DVD package delivery 196 E encryption ACE instance protection 186 package protection 186 package setting 186 enhanced keyboard filter 154 event logging 83 expiration date for instance resetting 242 expiration policy 125 F files distribution formats for package 196 for displaying Workstation help 25 full package type 196 full screen mode defined 268 setting for VMware Player 228 G guest network access policies 129 guest operating system defined 268 for instance customization 175 installing in ACE master 192 selecting for ACE master 92 H hardware recommendations for VMware ACE 2 22
127. See the example below. The fourth entry in the Bind DN field doesn't appear in the example because the text scrolls to the right; the missing entry is dc=com.
[x] Enable LDAP
Specify the credentials to connect to the LDAP server:
Host Name: aceserver
Bind DN: cn=aceuser,cn=Users,dc=vmware
Bind Password: (masked)
Search DN: dc=vmware,dc=com
NOTE: The ACE 2 Management Server uses the bind_dn user credentials to query for users' DNs when they request authentication from the server. The bind_dn user can be any user who has read access to the locations where those users' credentials reside.
(Optional, but highly recommended) Select Enable SSL for LDAP Connections to ensure that LDAP communication will run on an SSL connection. Click Next or Apply.
a. Select the ACE Administrators group. The specified group will be used by the administrator to authenticate and authorize users. You set up this group when you prepared for Active Directory integration, before you started the server configuration.
VMware Inc. Chapter 4 Installing and Configuring the ACE 2 Management Server
b. If you want to set up a separate role for the Help Desk application, enable Helpdesk LDAP Group and select a group to log in to the application. If this option is not enabled, then anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.
6 Still on the Security page: If you did not select Enable LD
128. ULL Last assigned address mplTsCreated VARCHAR 21 DEFAULT NOT NULL Creation timestamp mplTsLastModified VARCHAR 21 DEFAULT NOT NULL Last modified timestamp deleted VARCHAR 7 DEFAULT FALSE Is this entry deleted tombstone PRIMARY KEY macPooLUID FOREIGN KEY aceUID REFERENCES PolicyDb_Ace aceUID Instance customization data CREATE TABLE PolicyDb_UserData userDataPK VARCHAR 516 aceUID VARCHAR 128 packageUID VARCHAR 128 Primary key ACE for which this UserData is defined Package for which this UserData is used activator VARCHAR 128 The user udataName VARCHAR 128 User data entry name udataType INTEGER NOT NULL Attribute of the date udatavalue VARCHAR 2048 User data entry value udtTsCreated VARCHAR 21 DEFAULT NOT NULL Creation timestamp udtTsLastModified VARCHAR 21 DEFAULT NOT NULL Last modified timestamp deleted VARCHAR 7 DEFAULT FALSE Is this entry deleted tombstone FOREIGN KEY aceUID REFERENCES PolicyDb_Ace aceUID FOREIGN KEY packageUID REFERENCES PolicyDb_Package packageUID PRIMARY KEY userDataPK ACE Master policy set CREATE TABLE PolicyDb_RuntimePolicy aceUID VARCHAR 128 policyVersion INTEGER clientPolicyData VARCHAR 2000 clientPolicyDataExtKey VARCHAR 128 hostPolicyData VARCHAR 2000 The ACE it belongs to Version of the RT Policy for this ACE
129. VMware Inc. Chapter 6 Setting and Using Policies and Customizing VMware Player

    # %user_map is defined earlier in the script, outside this excerpt.
    my $username = $ENV{TEST_USERNAME};
    if (!defined($username)) {
        print "You should set the TEST_USERNAME environment variable\n";
        exit 1;
    }
    my $key_seed = $user_map{$username};
    if (!defined($key_seed)) {
        print "Unrecognized username\n";
        exit 1;
    }
    print $key_seed;
    exit 0;

Sample Host-Guest Data Script
The following sample script is written in Perl. It is installed by Workstation ACE Edition as sampleQuarantine.pl. You need a Perl interpreter to run this script.

    # VMware Sample Script
    #
    # Sample script for ACE Host-Guest Data script
    #
    # Description:
    # This sample script passes information defined on the host to the guest.
    # It assumes that the machine name is defined in the environment variable
    # TEST_MACHINENAME, and that the asset tag is defined in the environment
    # variable TEST_ASSETTAG. These are fictitious variables used for this sample.
    #
    # Input to script: None
    # Returns: 0 if successful.
    # Expected output: Set of acceptable key-value pairs where the values are
    # fetched from the environment variables. These values can be retrieved
    # from within the Guest operating system using the VMware Tools.

    my $machine_name = $ENV{TEST_MACHINENAME};
    my $asset_tag = $ENV{TEST_ASSETTAG};
    my $host_mac = $ENV{TEST_MACHINEMAC};
    if defined ma
130. VMware ACE Administrator's Manual
Revision: 20070507. Item: ACE-ENG-Q207-008.
You can find the most up-to-date technical documentation on our Web site at http://www.vmware.com/support/. The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to docfeedback@vmware.com.
© 1998-2007 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149,843, and 7,155,558; patents pending. VMware, the VMware "boxes" logo and design, Virtual SMP, and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc., 3145 Porter Drive, Palo Alto, CA 94304, www.vmware.com
Contents
About This Book
1 Introduction and System Requirements
    About VMware ACE2
        Ensure Safe Access to Enterprise Resources
        Simplified End User Interface
        Standardize and Secure PC Environments
    Key Features of ACE2
        Manageability
        Security
        Usability
    ACE Option Pack for Workstation 6
    Key Concepts of ACE
131. Workstation and run ace_upgrade.exe to start the upgrade wizard, which you will use to change the full package you created in Step 10 to an upgrade package. Follow the instructions in the wizard. You will be asked to browse to both the VMware ACE 1.x virtual machine and to the VMware ACE 2 package of the same name as the 1.x virtual machine. NOTE: If you are using a managed ACE 2 master and enterprise license, you need to reopen the ACE master and publish policies for the license to be properly updated.
Deploy the upgrade package you created in Step 11 to the ACE user's machine. Make sure to power off all ACE 1.x virtual machines.
From the package, run ace_upgrade.exe (don't run setup.exe). The ace_upgrade.exe program uninstalls ACE Player 1.x and then installs VMware Player and the ACE package.
Click the shortcut for the installed ACE package on the desktop to run the ACE virtual machine. Policies and the virtual hardware version are upgraded at the first run.
If the ACE 1.x virtual machine had a password, you are prompted to enter that password before the ACE instance is activated. NOTE: A reimage snapshot is not taken following the completion of the upgrade procedure. Manually take a snapshot after you have performed the upgrade.
16 Go through any required steps to activate and authenticate the upgrade machine, and then power it off and exit.
17 Repeat this procedure for any other
132. able, and the list of removable devices
• The copy protection ID
[Screenshot: ACE Instance Details dialog box (General, Policies, and Custom tabs) listing the policies that will be effective the next time the ACE instance updates its policies: Access Control, Update Frequency, Administrative Tools, Runtime Preferences, Resource Signing, Copy Protection and its ID, Network Access zones, and Removable Devices]
VMware Inc. Chapter 12 Instance View
To reset the password for this ACE instance:
1. Press Reset Password. The Password dialog box appears.
2. Type the password in the first text box, and then retype it to confirm it in the second text box. Then click OK.
[Screenshot: "Reset the password of this ACE instance" dialog box with Password and Confirm fields]
To change the copy protection ID for this ACE instance:
1. Select the alphanumeric string in the Copy Protection ID box.
2. Type the new ID over the old one. Then click OK.
Generally, the user provides the new alphanumeric string to you with a request to allow a moved or copied instance to run. The Copy Pro
133. act the zipped files to the directory where you want to have the server located.
Start up VMware Workstation ACE Edition, and then choose File > Open to open and run ams_appliance.vmx.
At the password prompt, enter a password and confirm it. This password is used for both root and network accounts. NOTE: You must remember this password so that you can use it for later appliance management operations from the console and the Web.
At this point in the process, the appliance attempts to configure its network by using DHCP. NOTE: The console view displays the following information:
• The current network settings
• The URLs for remotely administering the appliance and configuring the ACE Management Server itself:
  For the Appliance Management and Configuration application: https://<hostIPaddress>:8080
  For the ACE 2 Management Server Setup application: https://<hostIPaddress>:8000
This information is displayed above each login prompt. If you press Return at the login prompt, the information is displayed again.
At the time zone prompt, accept the current setting or make a change as needed.
(Optional) If you would like to reconfigure the network (for instance, to configure the server to use a static IP address or to specify a proxy server), you can reconfigure the network settings from the current console view by following the prompts and instructions on the screen. You can also reconfigure the network 67 V
134. an choose VMware Player > Snapshot > Revert to Snapshot whenever a user snapshot exists. If Take a user snapshot is enabled, the user can delete the user snapshot by selecting VMware Player > Snapshot > Delete Snapshot. NOTE: If the user or the administrator takes a reimage snapshot, the user snapshot is deleted.
To select options for the reimage snapshot:
Choose the options you want the user to have:
• Replace the reimage snapshot
• Revert to the reimage snapshot
If you select either or both of those options, the appropriate commands to execute the options appear in the VMware Player > Troubleshoot menu. You might want to give the user the ability to replace the reimage snapshot. Because the reimage snapshot is taken when the ACE instance is created, any changes that have been made to the ACE instance after instance creation are lost if the user reverts to that reimage snapshot. If the ACE instance has been updated and this option is enabled, you can tell the user to replace the reimage snapshot so that it will include those changes. To replace the reimage snapshot, the user chooses VMware Player > Troubleshoot > Take Reimage Snapshot. If the user chooses VMware Player > Troubleshoot > Revert to Reimage Snapshot, a warning message appears. It cautions that all changes to the virtual machine will be lost and urges the user to take this action only
135. ance
Advanced Setting for Power-On Script
You can provide a script that runs when an ACE instance powers on that determines whether the ACE instance can be run. This script provides a customizable way of controlling access to an ACE instance, in addition to the authentication policy.
To include a power-on script in the ACE master's packages:
1. Create the script and save it in the ACE Resources folder.
2. On the access control policy page, click the Advanced button at the bottom right. The Choose Power-on Script dialog box appears. If the deployment platform setting in package settings is set to Both Windows and Linux, then the Choose Power-on Script dialog box contains text fields for both Windows and Linux script specifications.
[Screenshot: Power-on script dialog box ("A script can be run before power on that can prevent an instance from running") with a Use power-on script check box, Windows and Linux fields, and Set, Cancel, and Help buttons]
Select Use power-on script.
Click Set to open the Set Custom Script dialog box. See page 122 for details on setting custom scripts.
If you are enabling the power-on script after you have already deployed packages with this ACE master, provide the script to the user using a policy/server update package or a custom package with ACE Resources.
NOTE: The script is signed before deployment to prevent tampering. See page 128 for more info
136. ance Update page. To view instructions about configuring update options, click the Help link in the upper right of the Web page.
8 When you have finished configuring any network or update settings, navigate to the ACE 2 Management Server Setup Web application to configure the server. To access that application, choose one of these methods:
• From within the Appliance Management and Configuration Web application page, click the ACE Login link at the top right of the page.
• Browse to the ACE 2 Management Server Setup Web application, https://<hostIPaddress>:8000.
9 Click Configuration to open the Web application. Continue with the next topic, "Configuring the ACE 2 Management Server."
Configuring the ACE 2 Management Server
After you have installed the ACE 2 Management Server, you must use the ACE 2 Management Server Setup Web application to configure the server. You need to provide your ACE 2 Management Server license before you can configure the server features; ensure that you have the license information available before you start the server setup application. Before you start up the server setup application, you must complete the tasks described below if you will use any of the following optional features:
• Active Directory integration (using LDAP)
• An external database
• Custom SSL certificates
Tasks to Complete Before You Configure
137. ange in the Copy Protection ID field for an active instance, a warning appears to let you know that if you change the ID, the original instance will no longer run. You must click the Save button in the upper left of the page to institute the changed ID.
Reset the Password: If this is an instance that has an authentication user-specified password, you can reset the password by clicking Reset Password and then specifying a new password. Ensure that the number of characters in the password is greater than zero. You must then send the new password to the user in an e-mail message. The change is made as soon as you click OK in the password dialog box.
View Network Access Details: Click the links under Zone (if Zone is anything other than Everywhere or Everywhere else; those zones do not require further definition), Host Access, or Guest Access to view the Zones or Rules Detail page for this zone or this type of network access.
Preserving the State of an ACE Instance
ACE 2 offers two ways to preserve the state of an ACE instance:
• Suspend and Resume
• Snapshots
See the Workstation User's Manual for information on these features.
Instance View
The Instance View provides you with a central management point for all instances managed by a particular ACE 2 Management Server. A summary table provides instance status (activated, deactivated, or bl
138. ar a query:
1. Click Search in the Instance View.
2. Click Reset in the Advanced Search dialog box.
3. Click Search.
Showing, Hiding, Moving, and Resizing Columns in the Instances Table
You can show, hide, and move columns that appear in the Instance View table. You can also resize the width of a column. NOTE: The column setup (the visible columns and their positions) is saved for each server view you work with. If you rearrange the view for one server, the views of other servers that you open are not affected by that rearrangement.
To show or hide a column: Right-click the column heading row, and then select (check) or deselect (uncheck) the column you want to show or hide. If you show a column that was previously hidden, the column is added to the right side of the table.
To move a column: Click the column header, drag the column to a new location, and release the mouse button.
To resize column width: Resize column width by clicking on the right side of a column divider and dragging the column edge to a new width.
Adding Custom Database Fields by Adding Columns
You can create up to nine custom columns in the Instance View table so that you can view additional categories of information about the instances managed by this server. In the Instance View table, you can add, delete, and rename custom columns. To specify a value that will appear in a custo
139. as policies and other settings associated with it is known as an ACE instance. See also ACE instances.
Virtual machine configuration: The specification of what virtual devices (disks, memory size, etc.) are present in a virtual machine (an ACE instance) and how they are mapped to host files and devices.
Virtual machine configuration file: A file with file extension .vmx containing an ACE instance configuration. It is used by VMware Player to identify and run a specific ACE instance. An ACE master's configuration file has the file extension .vmxa. See also ACE instances, ACE master.
Virtual machine settings editor: A point-and-click editor used to view and modify the virtual machine settings of an ACE master. You can launch it from the VM menu. See also New ACE Master Wizard.
Virtual Network Editor: A point-and-click editor used to view and modify the networking settings for the virtual networks created by ACE 2. You can launch it from the Edit menu.
.vmxa: The file extension for an ACE master configuration file.
VMware Player: A simple application that allows a user to run an ACE instance.
Workstation ACE Edition: The program used by the administrator to create, deploy, and update ACE packages and manage ACE instances. Formerly named VMware ACE Manager.
VMware Tools: A suite of utilities and drivers that enhances the performance and functionality of yo
140. as if they were inside that network. The process of joining an ACE instance to an Active Directory domain is automated for both instances that are local to the domain and those that are remote to it. To join an ACE instance to a domain, you must provide:
• The domain name
• The user name for an account that can join a new computer to the domain
• The account password
In addition to those items, to join an ACE instance from a remote location to the domain, you must provide a way to establish a secure connection with your network. To establish a secure connection to the network, you must install a VPN client in the guest and set it up to allow remote login to the domain. You must supply a script to establish the secure connection to the VPN server. NOTE: Your VPN client must support a command-line interface.
VMware Inc. Chapter 7 Package Settings
After you install the VPN client with the script file in the guest, you must specify remote domain join settings in the package settings editor in Workstation ACE Edition.
To specify remote domain join settings in the package settings editor:
1. In the package settings editor, enable instance customization.
2. On the Workgroup or Domain page, enter the domain name, the user name for an account that can join a new computer to the domain, and the account password.
3. On that same page, select the Enable remote domain join option and enter the command that will execute the script.
4. On
141. atible processors include Intel Celeron, Pentium II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including Prestonia); AMD Athlon, Athlon MP, Athlon XP, Duron, Opteron; AMD64 Opteron, Athlon 64. Multiprocessor systems supported. Experimental support for Intel IA-32e CPU.
Memory
• Enough memory to run the host operating system, plus memory required for each guest operating system and for applications on the host and guest; see your guest operating system and application documentation for their memory requirements
• 512MB minimum, 1GB recommended
Display
16-bit display adapter recommended, 8-bit display adapter required
Disk Drives
• 150MB free space required for basic installation
• At least 1GB free disk space recommended for each guest operating system and the application software used with it; if you use a default setup, the actual disk space needs are approximately the same as those for installing and running the guest operating system and applications on a physical computer
• Additional disk space for building packages; temporary files require about as much space as those of the virtual machine included in the package
• IDE or SCSI hard drives, CD-ROM and DVD-ROM drives supported
Local Area Networking (Optional)
• Any Ethernet controller supported by the host operating system
• Non-Ethernet networks supported using built-in network address translation
142. ator mode has been enabled for your ACE, the Enter Administrator Mode command appears in the Troubleshoot menu. The command is for use by administrators, allowing them to: edit virtual machine settings for your ACE (on Windows systems only); take a reimage snapshot or revert to it, and take a user snapshot or revert to it, if those options are not enabled in the menu (snapshot operations are not available on Pocket ACEs); change Shared Folder settings (Player > Shared Folders). The feature requires the administrator to enter the administrator mode password. Troubleshooting Tools: VMware ACE includes some troubleshooting tools that allow administrators and help desk assistants to fix some common problems that users have with their ACE instances, such as forgotten user passwords. The tools are: For standalone ACE instances: the ACE Tools, a command line tool (see "ACE Tools: vmware-acetool Command Line Tool" on page 236); hot fixes (see "Responding to Hot Fix Requests" on page 237, as well as the instructions about requesting a hot fix that you can provide to your users in "Requesting a Hot Fix" on page 233). For managed ACE instances: the Help Desk Web application (see "Using the VMware Help Desk Web Application" on page 239); the Instance View in Workstation ACE Edition (see Chapter 12, "Instance View," on page 245). A
143. authentication policies. If you encrypt the package or the ACE instance, configuration and policy files are automatically protected against viewing and tampering. Even if you do not encrypt the virtual machine, you can select Tamper resistant. NOTE: If you set the encryption settings to None, any verification specified in the resource signing policy will not be performed. The encryption package setting overrides the resource signing policy setting. See "Setting Resource Signing Policies" on page 128 for more information about those settings. Deployment Platform: If you want to change the platform that your ACE package is deployed to, select the Deployment Platform setting. The default setting is Windows. [Screenshot: Deployment platform setting, default deployment platform for instances: Windows, Linux, or Both Windows and Linux] To change the platform to which an ACE package is deployed: (1) Select the ACE master whose Deployment Platform setting you want to change. (2) Choose ACE > Package Settings to open the package settings editor. (3) Click the Deployment Platform setting in the left-hand pane. (4) Select the deployment platform by choosing Windows, Linux, or Both Windows and Linux. (5) Click OK to save the setting and close the page. Setting Up a Remote Domain Join: The remote domain join feature allows you to manage ACE instances that are outside the corporate network
144. been moved or copied. For managed ACE instances, the CPID is stored on the server and can be updated by the administrator. For standalone ACE instances, the CPID can be set using vmware-acetool or hot fixes on Windows systems if hot fixes are enabled. If you copy protect an ACE instance, it is still possible for the instance's files to be moved or copied. However, the copy protected instance cannot be run from the new location. Copy protection is applied to individual ACE instances. Copy Protection Policies for Standalone ACE Instances: [Screenshot: Copy protection policy page. After installing an instance: Allow moving and copying of the instance files; Do not allow moving or copying of the instance files. The administrator will need to provide a Hot Fix package to allow the use of an instance that was moved or copied without permission.] To apply copy protection to a standalone ACE instance, click Copy Protection in the left pane of the policy editor. Select Allow moving and copying of the instance files to enable users to run their instances after moving or copying the instances. Select Do not allow moving or copying of the instance files to restrict users from moving or copying instance files. Copy Protection Policies for Managed ACE Instances: Copy protection. After installing an instance: Allow moving and copying, multiple instances can be active
145. bility. Customizable interface: Customize the behavior and look and feel for users. Flexible computing environment: Users can revert to a previous state within seconds and can work online or when disconnected from the enterprise network. ACE Option Pack for Workstation 6: Many of the administrator features and controls of ACE 2 are built into Workstation 6. To expose these ACE 2 features, users of Workstation 6 must acquire the ACE Option Pack. The ACE Option Pack is a license enablement that turns an existing copy of Workstation 6 into Workstation 6 ACE Edition. There are no new software downloads required. As an ACE administrator, you install Workstation 6 software and then the ACE Option Pack license key. After entering the ACE Option Pack license key and restarting your copy of Workstation, you will immediately note that the title bar reads "Workstation ACE Edition", and you will now see additional menu items and commands in Workstation 6. Workstation ACE Edition is a superset of Workstation 6 functionality. All Workstation 6 features remain available to you. In addition to all core Workstation 6 features, with Workstation ACE Edition you can now create ACE instances. Workstation ACE Edition creates a policy protected virtual machine (an ACE instance) as well as a virtual runtime environment (VMware Player) that is licensed and enabled to securely run ACE instances. Key Concep
146. boots. The option to Check the web for updates on startup is not available when you are running an ACE. Removable devices preferences let you specify how you connect and disconnect devices, such as floppy disk drives, CD or DVD drives, Ethernet adapters, and sound devices, available for use in VMware Player. Select one of the following: Show on toolbar: To disconnect and reconnect the devices shown on the toolbar, click a device's icon to toggle it off and on. A device with a depressed icon is connected. If the device appears level with the toolbar, it is disconnected. Show as menu: To disconnect and reconnect the devices from the Devices menu, click the name of a device to toggle it off and on. A check beside the name of a device indicates that it is connected. If there is no check mark, the device is disconnected. Taking Snapshots in VMware Player: If your system administrator has enabled the option to take a user snapshot, you can take a single snapshot of the ACE. Choose Player > Snapshot > Take Snapshot and either choose to take the snapshot while the ACE is running or have VMware Player power off the ACE, take the snapshot, and power the ACE on again. The software shuts down the ACE and restarts it after taking the snapshot. You don't need to power off or restart the machine yourself. All snapshot and power operations, including exiting VMware Player, are disabled while the software is taking a powered off snapshot
147. ces dialog box (VMware Player > Preferences), and the user cannot change the option. The instance exits with that default behavior if the user chooses VMware Player > Exit or clicks the Close icon on the Player window. If you select Remove the power commands from the Player Troubleshoot menu, the Reset and Power off and exit options do not appear in the VMware Player > Troubleshoot menu, and the user can power off or suspend the ACE instance only by exiting VMware Player. The actual exit behavior is specified in the VMware Player Preferences dialog box. Enhanced Keyboard Filter (for Windows Host Systems Only): Select Always use the enhanced keyboard filter if you want ACE instances created with this ACE master to always run with this feature. You must also turn on the enhanced keyboard filter feature in virtual machine settings. To do that, go to VM > Settings > Options > General and select Use enhanced virtual keyboard under Miscellaneous. Click OK on the General settings page. You can apply the feature to existing ACE masters or virtual machines, and clones of these masters and virtual machines, by enabling it in the virtual machine settings. The enhanced keyboard filter provides an alternate method for the way a Windows host system ordinarily processes keyboard input. The filter provides a solution to these problems: Certain key combination
148. chine_name print machine id machine_name n if defined asset_tag print guestinfo assetTag asset_tag n if defined host_mac printf guestinfo mac host_mac n exit 0 Sample Power On Hook Script: The following sample script is written in Perl. It is installed by Workstation ACE Edition as sampleQuarantine.pl. You need a Perl interpreter to run this script. VMware Sample Script: Sample script for ACE power on hook. Description: This sample script implements a power on hook for ACE. This can be used in addition to authentication to control the circumstances under which an ACE is allowed to run. This script assumes that the username is defined in the environment variable TEST_USERNAME (a fictitious environment variable used for this sample) and returns TRUE if the user is allowed to run and FALSE otherwise. Input to script: None. Returns: TRUE if username is on white list; FALSE if username is not on white list or is undefined. Expected output: One of the strings TRUE or FALSE. my white_list C alan bob mary sonia chris my username ENV TEST_USERNAME if defined username print FALSE exit 0 my GgrepNames grep username Gwhite_list if grepNames 1 print TRUE
149. configuration choices for the IDE adapter. You can choose a BusLogic or an LSI Logic SCSI adapter. The default for your guest operating system is already selected. All guests except Windows Server 2003, Red Hat Enterprise Linux 3, and NetWare default to the BusLogic adapter. The LSI Logic adapter has improved performance and works better with generic SCSI devices. The choice of which SCSI adapter to use is separate from the choice to make the virtual disk an IDE or SCSI disk. Older guest operating systems do not include a driver for the LSI Logic adapter. If you choose to use the LSI Logic adapter in an operating system that does not have a driver for it, you must download the driver from the LSI Logic Web site. See the VMware Guest Operating System Installation Guide for details about the driver and the guest operating system you plan to install in this ACE master. Click Next to continue. Select the disk you want to use with the ACE master: Create a new virtual disk: Virtual disks are appropriate for any ACE masters distributed in a package. By default, virtual disks start as small files on the host computer's hard drive, then expand as needed, up to the size you specify in a later step. That step also allows you to allocate all the disk space when the virtual disk is created, if you wish. Click Next to continue. Use an existing v
150. cs the Windows ODBC Data Sources Control Panel plugin. When configuring a DSN for your database connection, ensure that you are using the correct ODBC driver (typically /usr/lib/libodbcpsql.so or, on SLES 9, /usr/lib/unixODBC/libodbcpsql.so.2). You also must configure the server address and the database name in the DSN settings. See http://www.unixodbc.org for additional information about using unixODBC. (6) Make a note of the database information: database DSN, user name, and password. You need to enter that information during server setup. Performance Optimization Tips for External Database Use: The following two subsections provide tips for optimizing server performance: "Ensure That the Server Has a Sufficient Number of Database Connections" on page 73; "Enable Database Connection Pooling (If Not Already Enabled)" on page 75. Ensure That the Server Has a Sufficient Number of Database Connections: For the optimal server performance, the ACE 2 Management Server starts multiple parallel threads (on Windows) or processes (on Linux) listening for the incoming connections from the clients. Every client connection typically executes a database transaction, so it needs to open a database connection. It is possible that under a high load all available listening threads or processes would be processing client requests at the same time, so that the ACE 2 Management Server would
151. ction list from the Print dialog box. The user can control which printers are available in that list by opening the tray icon for the print application in the host taskbar notification area and selecting the printers to use. The tray icon is visible when the ACE instance is running. Setting Runtime Preferences Policies: You can set options on the runtime preferences policy page to specify which Workstation ACE Edition runtime attributes the user can choose. [Screenshot: Runtime preferences policy page. Options: Always run in full screen; Always run in appliance view; Do not allow users to modify the memory allocation; Require the enhanced virtual keyboard to power on. Exit behavior: Exit behavior determined by user preferences; Suspend the ACE instance; Power off the ACE instance. You can ensure the user can only power off or suspend this ACE instance by exiting Player. The actual exit behavior is specified in Player Preferences. Option: Remove the power commands from the Player Troubleshoot menu.] Runtime Preferences: If you select Always run in full screen, VMware Player fills the full screen when it starts, hiding the host operating system. You might find this useful, for example, to avoid user confusion about the differences between the host system environment and that of the ACE instance. The user can minimize the Workstation ACE Edition display and r
152. d exit from the root account: exit Installing the ACE Instance on a Linux Host Computer: Any user can install an ACE instance unless the ACE instance includes a host policy. That virtual machine must be installed by the root user. NOTE: Only the user who installs the ACE instance, or a user with necessary permissions such as root, is allowed to run that ACE instance. To install the ACE instance on a Linux host computer: (1) Run vmware-install.pl from within the package. (2) When prompted, select the directory in which you want to install the ACE instance. The ACE instance is installed in the selected directory. Installing an ACE Package Silently on a Linux Host Computer: The following installs an ACE package and the VMware Player as an automated default install: tmp path to package ACE_Pkg vmware install pl default Uninstalling an ACE Instance from a Linux Host Computer: ACE users can only uninstall their own ACE instances. Only the root user can uninstall others' ACE instances. To uninstall an ACE instance from a Linux host computer: In the command line interface, type either: run <path to instance directory> vmware uninstall ace pl; or change directories to the instance directory and then type: run vmware uninstall ace pl. The uninstaller reclaims everything, including data files, the global registration, and so on. Then the u
153. d a single file for network distribution, you can copy the file to the appropriate location on a network. If you created one or more files for distribution on CD or DVD, the files are now ready to burn to disc. Use disc burning software of your choice to create the discs. NOTE: Ensure that the disc label you enter in your disc burning software for each disc is the same as the name of the folder the wizard creates to hold that disc's contents. Also ensure that you burn the contents of each disc onto the top level of the disc. The package installer expects to find the contents of each folder on a disc with the same name as the folder name. It expects to find only the contents of the folder at the root level on the disc, not the folder itself. If you burn the folder onto the disc, then when someone tries to install the contents of the second or subsequent discs on the user's machine, error 1309, "Error reading from file <filename>", appears. You are finished creating the package. Continue with "Deploying Packages" on page 201. Viewing Package Properties: You can view the properties of the packages that you have created by double-clicking on an item in the Package History from the ACE master summary view. The Package Properties dialog also allows you to edit the notes that are displayed in the Package History. These notes will not be seen by the users of your packages and are only visible from your Workstation AC
154. ddress and that address is used by the host computer. If you use NAT, your ACE instance does not have its own IP address on the external network. Instead, a separate private network is set up on the host computer. Your ACE instance gets an address on that network from the VMware virtual DHCP server. The VMware NAT device passes network data between one or more ACE instances and the external network. It identifies incoming data packets intended for each ACE instance and sends them to the correct destination. Network access: Policies that give you fine-grained and flexible control over the network access you provide to users of your ACE instances. Using a packet filtering firewall, the network access feature of ACE 2 lets you specify exactly which machines or subnets an ACE instance or its host system may access. New ACE Master Wizard: A point-and-click interface for convenient, easy creation of an ACE master configuration. To launch it, choose File > New ACE Master. It prompts you for information, suggesting default values in most cases. It creates files that define the ACE master. See also Virtual machine settings editor. Package: An installable bundle for distribution to users. A full package includes an ACE master configuration file, virtual disk files and policies, package installer, and Resources files for the ACE master. It also includes the VMware Player application used to run ACE instances. Package settings: A set of rules and setting
155. ders in the message template. The current list of event types is illustrated in Figure A-2. This list might grow as new functionality is added to the ACE Server. [Figure A-2. Event Types: table with columns eventType and eventMessage]
156. devices and changing device details, select the devices in the USB Device list that you want to add to the policy page and then click OK. The devices appear in the Device list on the policy page. The Allow checkbox is automatically selected when you add a device. To select a device class to be used with instances from this ACE master: Under General access to all USB devices, you can select a device class already in the list or add a device class by entering information in the USB Device Classes dialog box. USB devices all belong to one or more classes, each of which has a class identifier. For example, the mass storage class contains devices such as memory sticks and Apple iPods. To select a device class, click the class in the USB Device Classes list and select the checkbox under Allow. To disallow the device class, click Block. To add a class, click Add in the Default Policies area of the page. The USB Device Classes dialog box appears. Select the classes you want to add and click OK. The Allow checkbox is automatically selected when you add a device class. NOTE: A specific USB device can have more than one interface (for example, a device might include both a fax function and a print function) and therefore can belong to more than one class. As noted earlier, the most restrictive rule is always applied. For the example just given, if one r
157. devices and options for an ACE master that you have selected. See the Workstation User's Manual for details on these settings and options. Setting and Using Policies and Customizing VMware Player: The following sections guide you through the steps for setting policies for an ACE master and ACE instances and customizing the VMware Player interface: "Taking Advantage of Policies" on page 105; "Using the Policy Editor" on page 106; "Setting Policies" on page 106; "Writing Plug-In Policy Scripts" on page 164; "Customizing the VMware Player Interface" on page 169. Taking Advantage of Policies: Policies give you control over many aspects of the ACE instances you distribute to your users. You can, for example: permit the ACE instance to be used only by certain users and groups defined in an Active Directory domain; specify which network resources your users may access from the virtual machine; permit users to connect and disconnect certain removable devices configured for the virtual machine; set an expiration date for an ACE instance. You set policies with the policy editor. See "Using the Policy Editor" on page 106. You can change some or all of the policies for an ACE instance at any time by editing the policies, then creating and distributing a new package that contains only the policies. For ACE masters managed by the ACE 2 Manag
158. digital devices. Device class: For example, allow use of HIDs (human input devices) such as mice and keyboards, but disallow use of communications devices such as modems and cell phones. All USB devices: Allow or deny access to all connected USB devices. NOTE: Rule application and precedence: Access control is applied at the most granular level, and the most restrictive rule is always applied. That is, if a rule exists for a specific device, then that rule overrides any rules set for device classes in which the device belongs. In the same way, specific device class settings override the default setting for all other device classes. If no specific device rule exists and there is more than one device class rule that applies to the device, then the most restrictive rule is applied. For example, if one applicable device class is blocked, then the device is blocked even if other applicable classes are allowed. [Screenshot: USB devices policy page. General access to all USB devices; Access to specific types of USB devices (overrides general access), with a Device Class list and Add and Remove buttons; Access to individual USB device models (overrides access settings above), with Add and Remove buttons] To set a USB device policy: (1) To specify USB policy by specific device: Yo
159. Custom EULA: You can provide a custom EULA (end user license agreement) that appears when an ACE instance is activated. You can use this feature to display a custom license agreement message that the user must see and accept before the instance can be run for the first time. [Screenshot: Custom EULA package setting. You can specify a custom text file that will be displayed the first time the ACE instance is run. This text file can contain an end user license agreement (EULA) that you would like the end user to read before using the ACE instance. Option: Display specified EULA text file, with a Browse button.] To specify a custom EULA: (1) Create a text file for the custom EULA and save it in the ACE Resources directory for the ACE master. NOTE: The file format can be either .txt or .rtf for an ACE instance running on a Windows system. It must be a .txt file for an ACE instance running on a Linux system. If you have selected either Both Windows and Linux or Linux in the Deployment Platform package setting, ensure that your custom EULA file is a .txt format file. (2) Select Display specified EULA text file in the custom EULA package setting. (3) Click Browse and navigate to the file. (4) Click OK on the package setting page. Instance Customization: NOTE: Instance customization applies only to ACE instances that have a Windows guest operating system installed. Topics in this section: "Benefits of Instance Customization" on page 17
160. e bat on Windows operating systems, perl or sh on Linux operating systems, in the ACE Resource directory. The guidelines a script must follow depend on which policy the script is implementing. There are some general rules: The script must exit with a 0 (zero) value to be considered a success. Any other output results in failure. Upon success, the stdout output of the script will be examined. For a given policy this should be something specific; for example, the power on script output should be TRUE or FALSE, the authentication script output is used as a password, and the host guest data script is a string in a particular format, for example: guestinfo var1 value1 nguestinof var2 value2 Activation and Authentication for Managed Instances Without Active Directory Service: If you are using a managed ACE master with a server that is not integrated with Active Directory, use the following information to set activation and authentication policies. Activation: The activation step is performed whenever an ACE package is installed. Dynamic changes to the activation policy: To change the activation setting type: Edit the policy and publish it. The policy takes effect when a new instance from this package is installed and activated. To change the activation key: Edit the policy and publish
161. e Set the ACE instance's expiration date. allowCopy: Allow the ACE instance to run from its current location. Password Prompts: All commands prompt for the administrative tools password. See "Setting Administrator Mode Policies" on page 158. The setPassword command also prompts for the recovery key password (for the private recovery key file), a new ACE instance password, and confirmation of that new password. See page 121 for information about the recovery key password. Expiration Dates: The new expiration date can be passed as one of: a number of days from the current date; an absolute date in the format YYYY MM DD; a start date and an end date in the format YYYY MM DD YYYY MM DD; the special value never, so that the instance will never expire; the special value expired, so that the instance expires immediately. Examples: vmware acetool setPassword myACE vmx recKey priv vmware acetool setExpirationDate myACE vmx 30 vmware acetool setExpirationDate myACE vmx 2007 06 16 vmware acetool setExpirationDate myACE vmx never vmware acetool allowCopy myACE vmx 30 Responding to Hot Fix Requests: If you have enabled the hot fix feature, users can easily request help to resolve the following problems: lost or forgotten password; expired ACE instance; copy protected ACE instance run from a new location. NOTE: For information
162. e and port number of the server you will use as a test server, or select the server from a history list, and then click OK. Click Create New Package to start the New Package Wizard and then follow the wizard steps to create the package. See details at "Creating a Package" on page 192. Navigate to the package location, copy the package to a client test machine, then run setup.exe. Follow the wizard steps to install the package. Start up VMware Player and then use it to activate and run the ACE instance. Verify that the ACE instance is configured as you had intended and runs as you had planned. In the Workstation ACE Edition interface, select the ACE master in the server location where you tested it and then choose ACE > ACE Server to open the ACE Server dialog box. Choose the original server for the ACE master from the server history list and click OK. NOTE: After you have reassigned the ACE master back to the original server, you must create a new package. The package you created in the test will refer to the server you used for testing. Instances created from that package would refer to that server. To run an end-to-end pre-deployment test on another computer: (1) Open the ACE master you want to test, click Create New Package to start the New Package Wizard, and then follow the wizard steps to create the package. See details in "Creating a Package" on page 192
163. e direction of traffic and TCP and UDP port values. The filtering does not involve deep packet inspection. For DNS and DHCP access, the TCP and UDP ports on which those services traditionally reside are opened. Note the following aspects of the filtering actions: If you move your services to different ports, the network access rules for those services won't work. The host or instance is open to all traffic on these protocols and ports. To understand the particulars of how traffic is being blocked or allowed for DNS, DHCP, and ICMP protocols and ports, you can look at the rules displayed in the ruleset editor. Steps for Adding or Editing Rulesets and Rules: To add and edit rulesets and rules for network access: (1) In the Network Access policy page, click the link in the table for the access setting you want to edit. The ruleset editor appears. The Zone and Access Type information just below the Ruleset Name box shows the name of the zone and whether the access setting applies to the host or to the guest. [Screenshot: Ruleset Editor for Host in Internal Zone, showing the Ruleset Name, Zone, and Access Type, the Allow DNS, DHCP, and ICMP checkboxes, and a Rules table with columns Protocol, Local Port, Direction, Address, and Remote Port]
164. e enough free space, the wizard displays a warning message. You can move or delete files on the target drives to make room for the wizard's working files. (11) If passwords are required for activation (for a standalone ACE instance), domain join, or VPN connection, the Package Password page appears. The page might request one, two, or three passwords, depending on the access control policy setting and instance customization package setting (for domain and remote domain join) that you have configured for this ACE master. The three password types that might be included are described below. Enter the required information and then click Next. (a) Activation password: Access control policy for a standalone ACE instance is set to password. Enter a password and then type it in again to confirm it. (b) Domain join credentials: Access control policy for the ACE instance is set to password and the Instance Customization package setting for Domain is enabled. (c) Domain join credentials and VPN credentials: The Instance Customization package setting for Enable remote domain join is enabled. Enter the password for the user account that has permission to add computers to this domain. Enter the password for the user account that has permission to access this VPN connection. (12) The Package Summary page appears. [Screenshot: New Package Wizard, Package Summary page for a full package]
165. e for load balancing or increased fault tolerance. To use increased fault tolerance, you will have to use an external database. If your multiple servers do not need to share a database (the servers are independent of one another), you can use either the embedded database or an external RDBMS. A Windows system ACE 2 Management Server can be on the same system as Workstation ACE Edition. You can designate a single ACE 2 Management Server name, such as https ace policyserver company com, and use DNS lookup to translate the host name into an address. The address will be cached if a DNS server is not available. Additionally, different ACE 2 Management Servers can be used if users have to roam between offices in different geographic locations.

Components of the ACE 2 Management Server

The components of the server are:
- The ACE 2 Management Server platform, based on the Apache 2.0 web server.
- Backing store technology: Database layer for the server component. See Database Options, the next topic, for details.
- Active Directory integration:
  - Permits joining an operating system that is running an ACE instance to the domain remotely.
  - In addition, provides search functions so you can quickly find a particular individual or group.
  - Enables you to use Active Directory Users and Groups to configure role-based access to the features of the ACE 2 Manage
166. e machine is joined to the domain.
10. For managed instances, instance customization is reported to the server if it is successful.

Remote domain join requires that you perform some additional steps beyond those required for instance customization. See Setting Up a Remote Domain Join on page 188 for further information.

Before You Specify Instance Customization Settings, Perform These Tasks

NOTE: Instance customization is available for both managed and standalone ACE instances. You don't have to use an ACE 2 Management Server to take advantage of the feature.

Before you specify instance customization settings, perform the following:
- Install one of the following Windows guest operating systems on your ACE master:
  - Windows 2000
  - Windows XP Professional
  - Windows Server 2003
  - Windows Vista
- Install the latest version of VMware Tools on the guest operating system. For information about installing and updating VMware Tools, see the Workstation User's Manual.
- Download the Microsoft Sysprep tools. See Downloading the Microsoft Sysprep Deployment Tools on page 176 for more information.

NOTE: A Best Practice: When you install Workstation ACE Edition, download the Microsoft Sysprep deployment tools for all the guest operating systems you plan to deploy.

You will need the following information before you specify instance customization sett
167. e page reappears, this time displaying a success message. Close the window.

Using Event Logs

At this release, the server collects log entries for events that change the database. You can set the logging levels and set an option for purging log entries. See information about setting these levels and options in Step 5 on page 81 under Configuring the ACE 2 Management Server.

Stopping and Starting the Apache Service Manually

This section describes how to restart the Apache service on each of the supported server types.

To restart the Apache service manually on a Windows host server:
1. Click the Apache icon in the taskbar.
2. Click Stop and then click Start. Ensure that you click Stop and Start, not Restart.

On a Red Hat Enterprise Linux 4 host server:
1. Log in to your host console.
2. As root, type the following command:
   /etc/init.d/httpd stop
   /etc/init.d/httpd start

To restart the Apache service manually on a SUSE Linux Enterprise Server 9 SP3 host server

On a SUSE Linux Enterprise Server 9 SP3 host server:
1. Log in to your host console.
2. As root, type the following command:
   /etc/init.d/apache2 stop
   /etc/init.d/apache2 start

To restart the Apache service manually on an ACE 2 Management Server appliance

On the ACE 2 Management Server appliance:
1. Log in to your host console.
2. As root, type the following command:
   /etc/init.d/apache2 stop
   /etc/init.d/a
168. eature. Every record in the event log except the first one must have a unique reference to the previous event, further enforced by the database foreign key unique constraint. Each successive record has a Unique ID incremented by 1, so missing records are immediately evident. If a user with direct access to the database changes, adds, or removes some records, he must change either the previous event pointer or other data in the remaining event record(s). Data within every record is hashed together with a server key and is stored in the eventSignature field. The integrity of the log data can be verified by a separate utility, which will be available from VMware support.

Event categories, configuring levels of event logging per category, and purging of the old events to keep the table size in check are described in the Logging Page section of Using the ACE 2 Management Server Setup Application on page 76.

Glossary

ACE instances: The virtual machines that ACE administrators create, associate to virtual rights management (VRM) policies, and then package for deployment to users. In short form, an ACE instance is an ACE.

ACE 2 Management Server: A server that can optionally be installed and used by the ACE administrator for activating and tracking ACE instances and for hosting dynamic policies for ACE instances.

ACE master: A virtual machine template created by the ACE administrator. The master can be configured with var
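The event-log protections described in the excerpt above (a previous-event pointer on every record but the first, Unique IDs that increment by 1, and an eventSignature computed over the record data with a server key) can be checked as follows. This is an added example, not VMware's verification utility: the column names come from the schema diagram, while the table subset, the HMAC-SHA256 construction, the field separator, the key and the five sample events are all constructed assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key. The page does not document the real server key or the
# signature algorithm; HMAC-SHA256 over the fields below is an assumption.
SERVER_KEY = b"constructed-demo-key"
SIGNED_COLUMNS = ("eventUID", "prevEventUID", "eventTs", "eventMessage")


def sign(row):
    """Keyed hash over the signed columns, joined with an unambiguous separator."""
    payload = "\x1f".join("" if row[c] is None else str(row[c]) for c in SIGNED_COLUMNS)
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def build_demo_log():
    """In-memory stand-in for PolicyDb_Event holding five constructed events."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE PolicyDb_Event ("
        " eventUID INTEGER PRIMARY KEY,"
        " prevEventUID INTEGER UNIQUE REFERENCES PolicyDb_Event(eventUID),"
        " eventTs VARCHAR(21) NOT NULL,"
        " eventMessage TEXT NOT NULL,"
        " eventSignature TEXT NOT NULL)"
    )
    messages = ["server configured", "package created", "instance activated",
                "policy published", "instance deactivated"]
    for uid, msg in enumerate(messages, start=1):
        row = {"eventUID": uid, "prevEventUID": uid - 1 if uid > 1 else None,
               "eventTs": str(1199145600 + 60 * uid), "eventMessage": msg}
        db.execute("INSERT INTO PolicyDb_Event VALUES (?,?,?,?,?)",
                   (*[row[c] for c in SIGNED_COLUMNS], sign(row)))
    return db


def verify_log(db):
    """Return (eventUID, problem) findings; an empty list means the chain is intact."""
    findings = []
    prev_uid = None
    for row in db.execute("SELECT * FROM PolicyDb_Event ORDER BY eventUID"):
        uid = row["eventUID"]
        if prev_uid is not None:
            # Unique IDs increment by 1, so any jump means records were removed.
            if uid != prev_uid + 1:
                findings.append((uid, f"gap after event {prev_uid}"))
            # Every record but the first must point at the record before it.
            if row["prevEventUID"] != prev_uid:
                findings.append((uid, "previous-event pointer mismatch"))
        # Recompute the keyed hash; any edited field changes the result.
        if not hmac.compare_digest(sign(row), row["eventSignature"]):
            findings.append((uid, "signature mismatch"))
        prev_uid = uid
    return findings


def delete_and_repoint(db, uid):
    """Simulate the case the manual describes: a user with direct database
    access removes one event and repoints the next record to hide the hole."""
    db.execute("DELETE FROM PolicyDb_Event WHERE eventUID = ?", (uid,))
    db.execute("UPDATE PolicyDb_Event SET prevEventUID = ? WHERE eventUID = ?",
               (uid - 1, uid + 1))


if __name__ == "__main__":
    log = build_demo_log()
    print("intact log:", verify_log(log))
    delete_and_repoint(log, 3)
    print("after delete + repoint of event 3:", verify_log(log))
    edited = build_demo_log()
    edited.execute("UPDATE PolicyDb_Event SET eventMessage = 'nothing happened' "
                   "WHERE eventUID = 2")
    print("after editing event 2:", verify_log(edited))
```

Repointing the following record keeps the pointer chain consistent but changes signed data, so the deletion still surfaces twice: once as an ID gap and once as a signature mismatch on the repointed record.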
169. ection by:
- Creating a new master and assigning it to the server
- Opening an existing master that is already assigned to the server
- Opening an existing virtual machine, cloning it to create a new master, and then assigning the master to the server

See Chapter 5, Creating and Configuring ACE Masters, on page 89 for details about these tasks.

Appendix: Using the VMware ACE 2 Management Server Database Schema and Querying the Audit Event Log Data

Tables in the VMware ACE 2 Management Server database represent the major configuration objects of ACE 2 Management Server: Ace, Package, Instance, Access Policy, Runtime Policy, and User Data (which contains image customization settings and other per-user data). Administrator and user actions are audit logged in the Event table in the database, while possible event types are listed in the EventType table. This Appendix shows the format of the data stored in the database and the best ways to access this data.

For a big installation, you might choose to use a third-party database management or reporting tool with the VMware ACE Server database. While VMware Workstation ACE Edition provides powerful tools to inspect the current state of the system (the Advanced Instance Query dialog, for example), you might want to create custom reports of the system state using a reporting tool such as Crystal Reports. You can also use a reporting tool to inspect the audit trail of the ad
170. ecurity ID (SID).

Host time zone: You can select whether to keep the guest machine's time zone in sync with the host machine's time zone (check box: Sync the guest time zone with the host time zone).

Make sure that computer names on Windows Vista systems work in mini-setup: The computer name must be 15 characters or less for your ACE instance with a Windows Vista guest operating system in order for the Mini-Setup process to run successfully on the user's machine. To meet this computer name requirement, specify placeholder values that give you control of the resolved value length, such as placeholders for random strings, host name, and logged-on user.

CAUTION: If you do not ensure that the host computer name will not exceed the 15-character limit, Mini-Setup will fail on the user machine if the name is too long.

Packaging with Instance Customization Enabled

CAUTION: Ensure that you have downloaded the current Sysprep deployment tools from Microsoft Corporation's Web site and copied them to your machine, as described in Downloading the Microsoft Sysprep Deployment Tools on page 176, before packaging with instance customization enabled begins. If the tools are not available at packaging time, the operation fails during the packaging process. Because packaging can take a long time and the failure might not occur until well into the packaging process, you could lose substantial time if the process failed because the
171. ed. This problem is unlikely to occur because the file is usually not large and is copied quickly. To avoid the possibility of an inconsistent snapshot, however, you should (1) stop the server, (2) copy the file to an alternative location from which you will do the backup, and then (3) restart the server.

Other alternatives for backing up an open database, as recommended by members of an SQLite community as discussed in this forum thread, are noted below:
http://marc.10east.com/?l=sqlite-users&m=111487876701133&w=2
- Log in to the SQLite database using the sqlite3 command-line tool. Use the .dump command, store the result in a separate file, and back up that result file. It is a SQL script that will recreate the database.
- Using the Shadow Volume Copy mechanism on Windows systems, or LVM volume snapshots on Linux, and the crash-restore feature of SQLite, back up the complete database directory, including journal files if they are present. This method is actually easier than it sounds. On a Windows XP SP1 or later operating system, just use ntbackup on the database directory. When the database is restored, it should work fine.
- Log in to the database as described in the first method. Issue BEGIN EXCLUSIVE, copy the database file, and then issue COMMIT.

Integrating the ACE 2 Management Server with Management Tools or Automated Scripts

If you need
172. ed as decimal strings showing the number of seconds from 12:00AM 01/01/1970.

ACE, Package, Instance, Access, and UserData records are never deleted from the database, but rather marked as deleted, with the deleted field set to TRUE, so that the previous information can be inspected for audit purposes.

The guest and host operating system portions of the ACE policy set are stored in the PolicyDb_RuntimePolicy table in respective fields as strings if their length is less than 2000 bytes. If the length of the policy component exceeds 2000 bytes, the string is split in 2000-byte chunks and stored in the PolicyDb_LongField table. In this case the value for the respective ExtKey field in the RuntimePolicy table will contain the foreign key pointing to the corresponding series of strings in the LongField table (see the notes in the table definition).

Querying the Audit Event Log Data

In the ACE Server Component, it is possible to create an audit trail for all transactions that are performed by the server. This system can be used by administrators to track down usage, security breaches, policy errors, performance, etc. The ACE Server Component Event Logging infrastructure is flexible enough to provide detailed logging when necessary, without overwhelming the system by causing a significant performance slowdown when in operation.
173. ee page 128 for more information about resource signing.

Allowances

Under Allowances, in Total number of activations, choose how many instances can be activated from this ACE master:
- Unlimited
- Maximum of: Type the number or choose it from the drop-down list.

Advanced Setting for Power-On Script

You can provide a script to run at ACE instance power-on that determines whether the ACE instance can be run. See To include a power-on script in the ACE master's packages on page 111 for the procedure.

Activation and Authentication for Standalone Instances

If you are using a standalone ACE master, you can set the following policies.

Activation

The activation step is performed whenever an ACE package has been installed. Under Activation, select one activation type:
- None: No password is required; any user can activate this instance.
- Password: The user must enter the password specified by you to activate this ACE instance. You must provide the user with the password through email or other means. For standalone ACE masters, the password is provided during the packaging process.

Authentication

The authentication step is performed whenever the user runs the instance, unless Authentication is set to None. Under Authentication, select one authentication type:
- None: No
174. elect distribution format 196 with instance customization enabled 182 password activation 198 lockout 116 Pocket ACE deployment 214 requesting 233 required at packaging 198 resetting 243 placeholder values in instance customization package settings 180 platform deployment setting 188 Player policy 153 plug ins writing 164 Pocket ACE correct time necessary on host computers 217 creating packages 212 description 211 installing on portable device 215 package type 196 VMware Inc Index portable device requirements 211 providing deployment password 214 recommendation to safely unplug or eject device 218 running 217 space requirements for 212 syncing portable device and host 218 use with different CPUs 218 policies access control 107 activation 107 administrative tools 158 authentication 107 copy protection 126 device connection 146 expiration 125 host guest data script 124 hot fix 160 live copy of 203 network access 129 Player runtime 153 removable device 146 resource signing 128 runtime preferences 153 setting for ACE instances 106 setting for an ACE instance 106 snapshot 156 update frequency 161 USB device 147 using scripts 164 working copy of 203 policy editor using 106 policy update frequency 161 policy defined 270 port assignments default 64 port for ACE Management Server 86 96 98 279 VMware ACE Administrator s Manual 280 power off VMware ACE 234 power on script 110 118
175. ement Server, you can dynamically change some policies and deploy those changes to the ACE instances on the users' machines.

Using the Policy Editor

You set policies using the policy editor. You can start the policy editor in any of the following ways:
- Click the ACE master in the Sidebar, then choose ACE > Policies.
- Click the ACE master in the Sidebar, then click Edit Policies in the summary view.
- Click the Edit Policies icon in the toolbar.
- Right-click the ACE master in the Sidebar, then choose Policies.

NOTE: The default Update Frequency, the rate at which managed instances check the server for changes, is 5 minutes.

Setting Policies

You can set the following policies for ACE instances:
- Setting Access Control Policies: Activation and Authentication on page 107
- Setting Host Guest Data Script Policies on page 124
- Setting Expiration Policies on page 125
- Setting Copy Protection Policies on page 126
- Setting Resource Signing Policies on page 128
- Setting Network Access Policies on page 129
- Setting Removable Devices Policies on page 146
- Setting USB Device Policies on page 147
- Setting Virtual Printer Policies on page 152
- Setting Runtime Preferences Policies on page 153
- Setting Snapshot Policies on page 156
- Setting Administrator Mode Policies on page 158
- Setting Hot Fix Policies on page 160
- Se
176. ement Servers to Use SSL 63 Installing the ACE 2 Management Server 64 Default Port Assignments for the ACE 2 Management Server 64 Installation Options for the ACE 2 Management Server 65 Installing the ACE 2 Management Server on a Windows System 65 Installing the ACE 2 Management Server on a Linux System 65 Installing the ACE 2 Management Server Appliance 67 Configuring the ACE 2 Management Server 69 Tasks to Complete Before You Configure the Server 69 Obtain Your ACE 2 Management Server License Information 69 Using Active Directory Integration Using LDAP 70 Using an External Database 71 Performance Optimization Tips for External Database Use 73 Using an External Database With the ACE 2 Management Server Appliance 75 Using the ACE 2 Management Server Setup Application 76 Using Event Logs 83 Stopping and Starting the Apache Service Manually 83 Logging On to the ACE 2 Management Server 84 VMware Inc 5 VMware ACE Administrator s Manual Using the ACE 2 Management Server 85 Unblocking Port Traffic and Changing Port Assignments 85 If Your ACE Instance on a Linux Host Computer Cannot Contact the ACE 2 Management Server 85 If You Need to Change the Port Assignment for the Server 86 5 Creating and Configuring ACE Masters 89 Creating an ACE Master 89 Creating a New ACE Master 90 Cloning an ACE Master from an Existing ACE Master 97 Cloning an ACE Master from an Existing Virtual Machine 98 Networking ACE Instances 100 ACE Master Settings 100 AC
177. ent Server system requirements

Hardware
- 1200MHz or faster compatible x86 and x86-64 architecture processor recommended; 800MHz minimum
  - Compatible processors include Intel: Celeron, Pentium II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including Prestonia); AMD: Athlon, Athlon MP, Athlon XP, Duron, Opteron; AMD64: Opteron, Athlon 64
  - Multiprocessor systems supported
  - Experimental support for Intel IA-32e CPU
- Memory: 1024MB recommended, 256MB minimum
- Display: 16-bit display adapter recommended; 8-bit display adapter required
- Disk Drives: 40MB free space required for basic installation; at least 10GB free disk space recommended
- Local Area Networking: Any Ethernet controller supported by the operating system

Windows Operating Systems
- Windows Server 2003 Web Edition SP1
- Windows Server 2003 Standard Edition SP1
- Windows Server 2003 Enterprise Edition SP1 (includes 64-bit and R2 editions)
- Windows XP Professional (includes 64-bit editions)
- Windows 2000 Server Service Pack 4
- Windows 2000 Advanced Server Service Pack 4

Linux Operating Systems
- Red Hat Enterprise Linux Advanced Server 4.0 with Update 4
- SUSE Linux Enterprise Server 9 Service Pack 3

External Databases

The SQLite database engine is embedded in the ACE 2 Management Server. In addition, you can use external databases through OD
178. ents

To deploy the package on the portable device:
1. Click deploy.exe.
2. If the Enter Password dialog box appears, enter the deployment password.
3. On the VMware Pocket ACE Deploy Utility page:
   [Figure: VMware Pocket ACE Deploy Utility, Select a location for deployment, with the options Choose a removable drive and Choose a custom folder]
   a. Select the removable drive or browse to the folder where you want to deploy the ACE package. Click Refresh if you need to refresh the drive list.
   b. Click Deploy. A progress screen appears.
   c. When the deployment is finished, click Deploy to deploy more instances, or click Close if you are done deploying instances.

The Pocket ACE instance is re-encrypted during the deployment instead of after the user's first run of the instance. For this re-encryption, the policy applied is the package protection policy that was in place at the time of packaging.

NOTE: When you distribute the Pocket ACE, give it directly to the user and tell the user to keep the Pocket ACE secure until the user runs the ACE and changes the user password.

Running the Pocket ACE Instance

The following steps describe what happens when the user runs the A
179. er. Giving the power off command is like turning the power off and leaving it off. In addition, the ACE closes. The next time you run your ACE, you see a VMware startup screen for a few moments before the operating system in your ACE begins to run.

Reverting to the Reimage Snapshot

If you encounter serious problems with your ACE, your system administrator might tell you to use a menu choice to revert to the reimage snapshot of your ACE. The reimage snapshot is first taken automatically when the ACE is created. The administrator might have retaken the reimage snapshot or enabled the option to allow you to do so.

If you do revert to the reimage snapshot, you lose all changes made to your ACE since the time that snapshot was taken, including any data you have saved in the ACE, any new software you have installed, and any configuration changes. Thus, in most cases, you should not take this action unless your system administrator recommends it.

NOTE: Taking a reimage snapshot deletes the user snapshot.

To revert to the ACE reimage snapshot, choose Player > Troubleshooting > Revert to Reimage Snapshot. To take the reimage snapshot, choose Player > Troubleshooting > Take Reimage Snapshot.

These menu items are available only if your system administrator has enabled them.

About the Enter Administrator Mode Command on the Troubleshoot Menu

If the administr
180. [Figure: Instance View table listing ACE instances]

An instance has one of three status types:
- Active: The instance is active. It is available for immediate use.
- Blocked by policies: The instance is still active but is blocked (cannot be run) due to a violation of a policy such as expiration or copy protection. For details on the reason for the blockage, you can view the server's log for the instance.
- Deactivated: This instance has been purposely deactivated. You must reactivate it to make it usable again.

Expiration dates are shown in the Instance View in the Valid From and Valid Until column. If there is no expiration date set for the instance, those columns don't contain dates.

Setting Up Queries to Search for Instances

You can use the advanced search function in the Instance View to query the ACE 2 Management Server database to find one or more particular ACE instances.

To search for an ACE instance:
1. Click Search in the upper right of the Available ACE Instances page of the Instance View. The Advanced Search dialog box appears.
2. Specify the criteria to be included when the database is queried. Type your entry in the fields that require text. Choose dates from the calendar pop-ups for date fields. In the date fields, you can enter a start date and leave the end date empty if you wish.
   - Activated by
   - Activated
   - Deactivated
181. er and confirm the password to protect the private key.
f. Click OK to generate the keys. It takes several seconds to generate the keys.

When the keys are generated and saved, the Create New Recovery Key dialog box disappears and the newly generated public key is listed in the field on the Recovery Key tab. The two parts of the key are stored in the location you indicated, with the names you specified followed by extensions .pub and .priv for the public and private portions of the key, respectively.

NOTE: You must know the password for the private key and the location of the private key file to reset a user's password.

- Script: Select this option to use your own custom script to determine who can use the instance. To provide this script in packages created with this ACE master:
1. Create the script and save it in the ACE Resources directory for the ACE master.
2. In the access control policy page, click Set to open the Set Custom Scripts dialog box. If the deployment platform setting in package settings is set to Both Windows and Linux, then the Set Custom Script dialog contains text fields for both Windows and Linux.
   [Figure: Set Custom Script dialog]
3. Browse to the script file and click Open.
4. Type the command for running the script. Include the script file in the command line, as well as any needed executable for running the scr
182. erating system might have this problem.

Solution: Tell the user to power off the instance and then power it on again to retry instance customization. The problem is intermittent, and restarting might solve the problem.

Creating Packages and Deploying Them to Users

The following sections guide you through the process of creating a package to deploy to your users:
- Reviewing the Configuration of the ACE Master and Installing Software on page 191
- Creating a Package on page 192
- Viewing Package Properties on page 200
- Deploying Packages on page 201

Reviewing the Configuration of the ACE Master and Installing Software

To finish preparing your ACE master and its files before packaging, review its configuration and policies, and ensure that the appropriate operating system and software are installed in it.

Review Policies

Review the policy settings for this ACE master. To change the policies, click Edit policies in the summary view, then change the settings as needed.

Review Package Settings

Review the package settings for this ACE master. To change the package settings, click Edit package settings in the summary view, then change the settings as needed.

Review Virtual Machine Settings

Review the devices and options configured for this ACE master and make any needed changes.

Installing an Operating System Applicati
183. erified step by step until the verification process reaches the root trusted certificate in the certificate store.

The first time a connection is made to a server by any ACE master on a Workstation ACE Edition administrator machine, the certificate is downloaded to the Workstation ACE Edition host system. The store, or collection of certificates, that is downloaded when an ACE master connects to a server is included in each ACE package that you create with that ACE master. It is saved in the ACE Resources directory.

When you deploy and run an ACE instance of this master, the VMware Player application uses the certificates included in the package to verify connections made to the ACE 2 Management Server. It verifies that the certificates that are in the ACE package match those provided by the server. If they do not match exactly, VMware Player displays an error message and does not run the instance.

NOTE: If you change the custom SSL certificate for your ACE 2 Management Server, you need to update the Resource directory for all of your existing ACE instances. You can do this by creating and distributing a custom package that contains only Resources. See Chapter 8, Creating Packages and Deploying Them to Users, on page 191 for more information.

VMware Player does an integrity check of the certificate store included in the package every time it communicates wi
184. error message appears if the number of password tries has reached the set limit, and you will not be able to try to log in again for the specified lockout time.

After you have entered any required passwords, VMware Player starts. Click inside the VMware Player window to begin using the guest operating system and the applications installed in the ACE. In general, you use the operating system and applications just as you would if they were running directly on a physical computer.

After the ACE has started running, you can change a password that you created by choosing Player > Change Password and typing in a new password.

Entering a Client License in VMware Player for an ACE Instance

If the Enter Serial Number dialog box appears when you attempt to power on an ACE instance, enter the serial number provided by your ACE administrator or click Get Serial Number. You can also choose Player > Enter ACE Client License to enter a new serial number.

Quitting VMware Player

Quit VMware Player before you shut down the host computer (the computer where VMware Player is running). To quit VMware Player, do one of the following:
- Choose Player > Exit on Windows or Player > Quit on Linux.
- Click the X in the upper right corner of the toolbar.

Depending on the configured exit behavior, the ACE either suspends or shuts down, and the window closes. If your system administrator has enabled the appropriate controls, you can change the exi
185. erver.
c. Enter the serial number (if you are not changing the serial number at this reconfiguration, enter the existing number).
d. Click Apply and then click Restart or Later. If you click Later, you will need to restart the server manually. See Stopping and Starting the Apache Service Manually on page 83.

On the Database page, select one of:
- Embedded Database: Select this option if you plan to use the default embedded SQLite database engine. Then click Next.
- External Database (ODBC-compatible): Select this option to use an external database, either Microsoft SQL Server or Oracle Database 10g (Windows) or PostgreSQL (Linux). Provide the database DSN, user name, and password.

After you enter the database connection credentials, the setup application checks for an existing database. If the database is present, the setup application offers an option to re-initialize it (erase all data, restoring the database to its default state); the default setting for the option is No. You can also use the reinitialization option at a later time, after setup is complete, by revisiting this page to reset the database. If the database setup is unsuccessful, the server setup will fail and the server won't be able to start.

NOTE: If you are upgrading the server from the previous release, the database schema will be upgraded automatically and you will not lose your previous data. The upgrade will be done on the first start of the upgraded
186. [Figure: New Package Wizard, Package Summary page for a full package]

Policy Update Server Update package
[Figure: New Package Wizard, Package Summary page for a policy update package]

Custom package
[Figure: New Package Wizard, Package Summary page for a custom package]
187. es over to the live copy. See also Policy, Live copy of policies, and Working copy of policies.

Resume: Return an ACE instance to operation from its suspended state. When you resume a suspended instance, all applications are in the same state they were when the instance was suspended. See also Suspend.

Snapshot: A snapshot preserves the ACE instance or ACE master just as it was when you took the snapshot: the state of the data on all the ACE instance's disks and whether the instance was powered on, powered off, or suspended.

Standalone ACE instance: An ACE instance that is not managed by an ACE 2 Management Server. Any changes to its policies or other settings are made by the administrator's distribution of updates to the user.

Suspend: Save the current state of a running ACE instance. To return a suspended ACE instance to operation, use the resume feature. See also Resume.

Virtual disk: A file or set of files, usually on the host file system, that appears as a physical disk drive to a guest operating system. These files can be on the host machine or on a remote file system. When you configure an ACE master with a virtual disk, you can install a new operating system into the disk file without the need to repartition a physical disk or reboot the host.

Virtual machine: A virtualized x86 PC environment in which a guest operating system and associated application software can run. The managed virtual machine that h
188. es whatever size is specified in the system preference for icon size. The small (16x16) icon is used in the VMware Player title bar and on the Windows taskbar button for VMware Player. The icons used for these purposes must be in .ico format and are specified by the following options in the skin file: player iconSmall <filename>, player iconLarge <filename>. One .ico file can contain multiple icons of different sizes. You can specify the same .ico file for player iconSmall and player iconLarge. VMware Player extracts the icon of the appropriate size for each use. Customizing the Title Bar Text: You may specify what text appears in the VMware Player title bar. You may also specify the font and font size used to display the text. The text displayed in the title bar consists of three sections: a prefix, the virtual machine name, and a suffix. The parameters listed here allow you to set any prefix and suffix, or to omit the prefix, the suffix, or both. They also allow you to include or omit the virtual machine name. If you leave the defaults for all values, the title bar displays only the virtual machine name, at 32 points in the font MS Shell Dlg. Table 6-3 describes the VMware Player title text parameters. Table 6-3. VMware Player Title Text Parameters (columns: Parameter, Type, Default, Controls): player title prefix string ow Title bar prefix player title useVMName boolean TRUE Is virtual machine TRUE or name di
189. esc.conf. On Windows systems: C:\Program Files\VMware\VMware ACE Management Server\conf\acesc.conf. 3. Delete the configuration file. Navigate to the server setup Web application and configure the server again, specifying a password on the Security page. Continue with the server configuration in one of the following ways: If this is the initial configuration of the server, click Next. If you are reconfiguring the server, click Apply and then click Restart or Later. If you click Later, you will need to restart the server manually. See "Stopping and Starting the Apache Service Manually" on page 83. On the Custom SSL Certificates page: If you are setting up the server to use custom SSL certificates (either your own self-signed certificates or those of a third-party or internal CA, certificate authority), then use this page to upload the PEM-encoded files to the correct directory. You created the files earlier; see "Setting Up Your Own Self Signed Certificates, Third Party Signed Certificates, or Certificates from an Internal Certificate Authority" on page 61. To upload files for your own self-signed certificates or for third-party or internal CAs: a. Click the appropriate Browse button to navigate to and upload the key and certificate files you created. b. If you are using CAs, upload the chain file. c. If you are using SSL with your LDAP connection and want to have that connec
190. et Up and Configure Network Zones 136; Using the Ruleset and Rule Editors to Configure Host and Guest Access 140; Network Properties Packaging 145; Understanding the Interaction of Host Access and Guest Access Filters With Tunneling Protocols 146; Setting Removable Devices Policies 146; Setting USB Device Policies 147; Setting Virtual Printer Policies 152; Setting Runtime Preferences Policies 153; Runtime Preferences 153; Exit Behavior 154; Enhanced Keyboard Filter for Windows Host Systems Only 154; Setting Snapshot Policies 156; Setting Administrator Mode Policies 158; Setting Hot Fix Policies 160; Setting Policy Update Frequency 161; Writing Plug In Policy Scripts 164; Authentication Scripts 165; Sample Scripts 166; Sample Authentication Script 166; Sample Host Guest Data Script 167; Sample Power On Hook Script 168; Customizing the VMware Player Interface 169; Creating and Specifying the Skin File 169; Customizing the VMware Player Icons 170; Customizing the Title Bar Text 170; 7 Package Settings 171; Custom EULA 172; Instance Customization 172; Benefits of Instance Customization 173; Overview of the Instance Customization Process 174; Before You Specify Instance Customization Settings Perform These Tasks 175; Downloading the Microsoft Sysprep Deployment Tools 176; Specifying Package Settings for Instance Customization 177; Placeholder Values to Use in Instance Customization 180; Packaging with Ins
191. eturn to the host operating system by clicking the minimize button on the toolbar. If the mouse pointer is not available, pressing Ctrl+Alt minimizes the display. NOTE: If the user has more than one monitor, full screen mode fills only one display, and the host system is available on the other display. If you select Always run in appliance view, the ACE instance will open in Appliance mode, and the user will not have the option of running the instance in Console mode. NOTE: You must enable the appliance view in virtual machine settings (VM > Settings > Options > Appliance) for this runtime option to work. If you select Always run in appliance view in this policy but do not enable the appliance view setting in virtual machine settings, an error message appears when the user attempts to start up the ACE instance. If you select Do not allow users to modify the memory allocation, the Change Memory Allocation command does not appear in the VMware Player > Troubleshoot menu of VMware Player, so the user cannot alter memory allocation for the ACE instance. Exit Behavior: If you select The user determines the exit behavior, the user has access to both Suspend and Power off choices in the Preferences dialog box (VMware Player > Preferences). If you select either Suspend the ACE instance or Power off the ACE instance, that option is selected by default in the Preferen
192. ew. Even if you supplied AutoMode PerSeat, you will still see AutoMode PerServer and AutoUsers 5 in the Mini Setup user interface. This is the expected behavior. The license information will be set correctly by the Mini Setup process nonetheless. Next Steps for Instance Customization: You have completed the steps for instance customization on the Workstation ACE Edition machine. Continue with "How ACE Instance Customization Completes on the ACE User's Machine". How ACE Instance Customization Completes on the ACE User's Machine: To customize an instance: 1. The ACE user installs the ACE package on her machine and activates the instance. 2. All the required information for resolving placeholder variables is obtained. 3. The placeholder variables are resolved and are replaced with the actual values for the ACE instance. 4. The Microsoft Mini Setup process runs. 5. If the Mini Setup process fails, the ACE instance shuts down. NOTE: After this failure, the ACE instance is not runnable. 6. At the end of the Mini Setup process, the additional commands are executed. 7. If the remote domain join procedure is selected, the software executes the script provided in the instance customization package settings, which is used to connect to the VPN server. The machine is then joined to the domain. 8. At the end of this process, if this is a managed instance, the results of instance customization, the instance's MAC address, and new computer names
193. f the table. See "Packet to Rule Comparison" on page 145 for details. Packet to Rule Comparison: The rules in the ruleset editor are listed in the order in which they are to be evaluated. When a network traffic packet arrives or is to be sent from the host or guest, it is compared with each rule in the ruleset, in order from the top down. If the packet's settings (that is, source address for incoming packets, destination address for outgoing packets, protocol, and ports) match the rule conditions, the packet is allowed or blocked according to the rule's action. The packet is compared to each rule in order until either it matches a rule or it has been compared with all of the rules. When a match is made, the packet to rule comparison ends; the packet is not compared to subsequent rules in the ordered list. If it has been compared to all rules without a match, the default rule action is applied. Network Properties Packaging: You can use the network properties packaging feature of the network access policy to specify the IP address range for the virtual network (VMnet8) on the ACE instance's host system. You deploy this network properties setting with the ACE package. CAUTION: If you set this property, the setting affects all the ACE instances and virtual machines on this instance's host system. NOTE: The network properties packaging setting is not a
194. fied appear directly below the Guest MAC Address criterion. If you select the option Exact match only for a search category, only instances with values that are exact matches of the value specified in that category field are listed in the search results. Exact match values are case sensitive. Specify dates in the format MM DD YYYY. Search criteria are joined with AND, not OR, operations. 3. Click Reset in the Search dialog box if you want to clear entries in the search fields. 4. When you have finished specifying the search criteria, click the Search button. The Search dialog box closes and the search results are displayed. 5. Click Back to all instances in the upper left of the window if you want to refresh the display with the total list of instances. 6. If the results list cannot all be displayed on one page of the Instances table, you can click the Next arrow at the bottom right of the table to see the next page of results. Reactivate/Deactivate an Instance: You can immediately deny or allow access to an instance by deactivating or reactivating it. To reactivate or deactivate an instance, select the instance by clicking the instance row once, and then click the appropriate icon (Deactivate or Reactivate) in the upper left of the Instances page. The change is made as soon as you click the icon. Reset Expiration Dates by Clicking Reactivate: You can reset
195. fies one or more IP addresses or host names for DNS servers on the network. A network adapter matches this condition if it is using at least one of these servers. Match at least: Modifies the DNS servers option. A network might have multiple DNS servers, and a host might be configured to use more than one DNS server. If the value of this option is greater than 1, the host must be using the specified number of DNS servers on the list before a network adapter is considered to be on the defined network. DHCP servers: Specifies one or more IP addresses or host names for DHCP servers on the network. A network adapter matches this condition if it is using at least one of these servers. Gateway servers: Specifies one or more IP addresses or host names for default gateways on the network. A network adapter matches this condition if it is using at least one of these gateways. WINS servers: Specifies one or more IP addresses or host names for WINS servers on the network. A network adapter matches this condition if it is using at least one of these servers. WINS server settings are ignored by Linux hosts during zone detection. Match at least: Modifies the WINS servers option. A network can have multiple WINS servers, and a host might be configured to use more than one WINS server. If the value of this option is greater than 1, the host must be using the specified number of WINS servers on the list before a network adapter is considered to be
196. ge 85; "If You Need to Change the Port Assignment for the Server" on page 86. If Your ACE Instance on a Linux Host Computer Cannot Contact the ACE 2 Management Server: If your ACE instance cannot contact the server, check to see whether a firewall or proxy setting is blocking or rerouting https traffic on port 443. By default, https traffic from the VMware Player to ACE 2 Management Server is routed on port 443. Disable the firewall or turn off the proxy setting to allow the Player-to-server traffic on that port. If You Need to Change the Port Assignment for the Server: The ACE 2 Management Server is a module running on the Apache 2.0 platform. If you need to change the port that the server listens on, you must manually edit the Apache configuration file. To change the port that the ACE 2 Management Server listens on: 1. Using a text editor, open the ACE 2 Management Server component http configuration file, which is located at: On a Windows host server: C:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf. On a Red Hat Enterprise Linux 4 host server: /etc/httpd/conf.d/acesc.conf. On an SUSE Linux Enterprise Server 9 SP3 host server: /etc/apache2/conf.d/acesc.conf. NOTE: This path will be different if you installed VMware ACE 2 Management Server in a different location. Use the path you established for your server. Locate the line ent
197. ge called Select a Disk Type. The default is already selected. Use an existing virtual disk rather than create a new virtual disk. Set memory options that are different from the defaults. Assign more than one virtual processor to the virtual machine. Click Next. If you selected Typical, skip to Step 5. If you selected Custom, the Virtual Machine Hardware Compatibility page appears. Specify whether you want to create a Workstation 5 or 6 virtual machine and click Next. When you make a selection from the Hardware Compatibility list, you will see a list of other VMware products and versions that are compatible with your selection. You will also see a list of features that will not be available for that version. Click Next. The Guest Operating System page appears. This page asks which operating system you plan to install in the ACE master. Select both an operating system and a version. The New ACE Master Wizard uses this information to select appropriate default values, such as the amount of memory needed. If the operating system you plan to use is not listed, select Other for both guest operating system and version. Click Next. The remaining steps assume you plan to install a Windows XP Professional guest operating system. You can find detailed installation notes for this and other guest operating systems in the VMware Guest Operating System Installation
198. he guest operating system and VMware Tools are installed in the ACE master. NOTE: Ensure the version of VMware Tools provided with Workstation ACE Edition is installed in the guest operating system. A number of key features in ACE 2 are provided by the VMware Tools package. Ensure that the virtual machine in the package is configured as you want it, then ensure it is shut down and powered off. If an ACE instance is suspended on one host computer, it cannot be resumed reliably on a host computer with different hardware. As a result, you must ensure that the ACE instance is powered off, not just suspended, when you create a package. Choose ACE > New Pocket ACE Package to start the Pocket ACE Package Wizard. Click Next on the Welcome page. NOTE: If you are creating an update package for a Pocket ACE, you use the New Package Wizard and select the Update package type. Remember not to include a restricted host policy or a snapshot policy in this update for your Pocket ACE. See "Steps for Creating a Pocket ACE Package" on page 213 for information about creating an update package with the New Package Wizard. On the Name the Package page: a. Enter a name for the package in the Name field. b. The Location field displays the path to the default location for storing the package's files. To change the location, type a new path into the field or click Browse and navigate to the new location. c. Use the Notes field to enter any backgr
199. he user's machine. NOTE: If the ACE instance is configured for automatic login and automatic login fails, then instance customization also fails. It fails because the VMware Tools service is required during instance customization for sealing the ACE master and preparing it for deployment, but the Tools service does not start if automatic login fails. To fix this problem, power on the ACE master, fix the automatic login problem, and then preview the ACE master to verify that instance customization runs successfully. Specifying Additional License Information for Windows Server Products: In order to supply additional license information for Windows Server products, you can add a file named sysprep_license.txt to the <ACE_master_name> directory, in which you can specify two parameters: AutoMode, which can have either of two values, PerSeat or PerServer, and AutoUsers, which indicates the number of client licenses purchased for the server in the PerServer case. See http technet2 microsoft com WindowsServer en library c4f0b57a f4 7 478b 9667 ca2 0af32611d1033 mspx mfr true for more information about these values. If this file is not found in the <ACE_master_name> directory, a default is used: AutoMode is set to PerServer with 5 client licenses. If you choose to supply this file, you won't see any change to the license portion of the Mini Setup process during previ
200. here you tested it, and then choose ACE > ACE Server to open the ACE Server dialog box. Choose the original server for the ACE master from the server history list and click OK. To run an end-to-end post-deployment test on another computer: 1. Open the ACE master that you made changes to and want to test, click Create New Package to start the New Package Wizard, and then follow the wizard steps to create the package. See details in "Creating a Package" on page 192. 2. Install the package on your test system and start up setup.exe to open the Installation Wizard. Follow the wizard steps to install the package. 3. Start up VMware Player and then use it to activate and run the ACE instance. Verify that the ACE instance is configured as you had intended and runs as you had planned. 4. Shut down the guest operating system in the ACE instance and then exit from Player. Pocket ACE: The Pocket ACE feature allows you to store ACE instances on portable devices such as USB keys, flash memory drives, Apple iPod mobile digital devices, and portable hard drives. Your ACE users attach these portable devices to x86 host computers, run their ACE instances with VMware Player, and then detach the portable devices. The next time they need access to their ACE instances, they can attach the devices to the same host computers
201. hine page opens. After you select a virtual machine to create your ACE master from, the Clone to ACE Master Wizard opens. For information about using that wizard, see "Cloning an ACE Master from an Existing Virtual Machine" on page 98. Select the method you want to use for configuring your ACE master. If you select Typical, the wizard prompts you to specify or accept defaults for: the guest operating system; the ACE master name and the location of the ACE master's files; the network connection type; disk size; allocation of space for the disk; splitting the disk into 2GB files; specifying an ACE 2 Management Server, if you want to manage the ACE master's instances with a server. Select Custom if you want to: make a different version of virtual machine than what is specified in the preferences editor (from the Workstation menu bar, choose Edit > Preferences and see the setting for Default hardware compatibility); store your virtual disk's files in a particular location; use an IDE virtual disk for a guest operating system that would otherwise have a SCSI virtual disk created by default. In order to find out what type of virtual disk would be created by default for a particular operating system, select the Custom option and click Next through the wizard pages, select the desired guest operating system, and then continue through the wizard until you get to the pa
202. ication or the Instance View in Workstation ACE Edition to fix problems with managed instances. See "Using the VMware Help Desk Web Application" on page 239 for information about using that application and Chapter 12, "Instance View," on page 245 for information about using the Instance View. Hot fix: If users cannot access their ACE instance, they may request a hot fix for any of the following problems: forgotten password, expired ACE instance, and copy protection violation. Allow users to request a hot fix. Select how the hot fix request should be submitted to the administrator: Use email to submit hot fix request (Administrator email address, Email subject), or Save the request to a file (users will manually submit the hot fix request file to the administrator; specify instructions for users to submit the request). To allow hot fixes for forgotten passwords, specify a recovery key in the Access Control policy. If you enable the hot fix feature, users can easily request help to resolve the following problems: Lost or forgotten password. NOTE: If you want to be able to use a hot fix to reset a user's password for encrypted or tamper-resistant ACE instances, you must enable a recovery key in the access control policy. See page 121 for details on enabling a recovery key. Expired ACE instance. Copy-protected ACE instance run from a new location.
203. ies in VMware Player. You may use any language that is supported on the user's computer. For security reasons, scripts must be deployed as part of a package and installed by the package installer. They cannot be deployed separately to users' computers and cannot be modified by the end user. Your scripts must write the appropriate values to StdOut. Output to StdOut may be up to 4096 bytes long. Place any scripts you want to use for a package in the ACE Resources directory. They must be in the main ACE Resources directory, not in a subdirectory under that folder. If the scripts need any additional resource files, place those files in the main ACE Resources folder too. Your script should reference those resources using relative paths. Your scripts may also write messages to StdErr. Output to StdErr may be up to 4096 bytes long. Any messages generated on StdErr are captured in the log file on the end user's machine at <UserAppData> VMware VMware ACE <package_name> Virtual Machines <VM_name> vmware Log. The exit code of a script indicates whether the script succeeded or failed. Table 6-1 describes the environment variables that are set in the script execution environment. Table 6-1. Environment Variables (columns: Variable, Description): VMWARE_NQ_DESCRIPTOR: If custom network quarantine is in use, this variable holds the network quarantine descriptor that was last set by an update. VMWARE_EXPIRE_TIME: This is the time at
204. if advised to do so by the ACE administrator. NOTE: If you choose not to enable the reimage snapshot options for the user, you can replace the reimage snapshot or revert to it on the user's machine by providing administrator mode access through the Administrator Mode policy. See "Setting Administrator Mode Policies" on page 158. Setting Administrator Mode Policies: You can use the administrator mode policy to set an administrative password so you can do any of the following: Run the ACE instance on the user's machine and enter the administrator mode to access the virtual machine settings and make changes to the instance's configuration (on Windows systems only). You can only edit the settings; you cannot add or remove devices. Run the ACE instance on the user's machine and enter the administrative mode to access all the snapshot commands, including Take Snapshot, Take Powered Off Snapshot, Revert to Snapshot (these first three refer to the user snapshot), Take Reimage Snapshot, and Revert to Reimage Snapshot. See "Setting Snapshot Policies" on page 156 for information about the user snapshot and the reimage snapshot. Use the vmware-acetool command line program directly on an ACE user's system to fix a limited set of problems for standalone ACE instances. Administrator mode: Provide access to administrator only features including
205. ifetime setting is not intended to be used as a security feature. Use other policies and package settings, such as access control policies and package encryption settings, to keep your packages secure. Encryption: Encryption settings are of two types: Package encryption protects package files from being copied or altered while in transit. ACE instance encryption protects ACE instance files from being copied or altered. NOTE: You can choose to encrypt the package while leaving the ACE instance files unencrypted, or to encrypt instance files while leaving the package unencrypted. The Workstation ACE Edition software applies encryption settings to the package and files by using defaults that are determined by the settings in place for the activation and authentication policies. See "Setting Access Control Policies: Activation and Authentication" on page 107 for more information on those settings. NOTE: Changing activation and authentication settings resets encryption settings to their default settings. In general, VMware recommends that you not override the default encryption settings. In circumstances when you might want to do so (for instance, if you want to test deploy a package and don't need to have the files encrypted), you can change the encryption settings on the Encryption page. To change encryption settings: 1. Click Edit Package Settings in the AC
206. ilter installation requires a host system restart. Setting Snapshot Policies: You can set policy options for two types of snapshots. Reimage snapshots: The program automatically takes a reimage snapshot of an ACE instance when the ACE is created. It takes the snapshot after all the required instance setup steps are complete, including, if applicable, encryption, instance customization, and domain join. The snapshot is taken while the ACE instance is powered off. NOTE: You can manually disable the automatic reimage snapshot by editing the ACE master's aceMaster.dat file. Edit the option packaging takeReimageSnapshot. User snapshots: You can enable users to take a user snapshot of the ACE instance, either when the instance is running or immediately after powering it off, and you can also enable them to delete that user snapshot. If you enable options in this policy for this user snapshot, Snapshot appears in the VM menu when the ACE instance is powered on. Only one user snapshot can be saved at a time. The two snapshot types differ in these ways. Primary uses: Reimage snapshots allow the ACE administrator (or the user, if the administrator enables reimage snapshot options for the user) to revert the ACE instance to its known good starting state or to the known good updated reimage state. The administrator might tell the user to revert to the reimage snapshot to fix a problem
207. in name to define a zone can be error prone. We recommend that you use criteria in addition to the DNS domain name to define a zone for Linux hosts. 6. When you have finished making your zone condition selections, click OK. [Figure: Zone Editor dialog for the internal zone. Specify the host network conditions that identify this zone. The host is in this zone when any of its NICs matches all these conditions: network address, DHCP servers, DNS servers (Match at least), WINS servers (Match at least), gateway servers, and domain (Allow subdomains of this domain).] Using the Ruleset and Rule Editors to Configure Host and Guest Access: Each access setting for the ACE instance's host machine and for the ACE instance's guest system is based on a set of access rules. Whenever you create a host or guest access setting with the Network Access Wizard, a default ruleset is used. You can change the parameters of those rules by using the ruleset and rules editors. Before You Begin Configuring Rulesets and Rules: Details on Filtering Action: Network access policies are applied by filtering on the IP address, the protocol number from the IP header, th
208. in slash notation. When you have finished entering names and addresses, click Next at the bottom of the Desktop Access page. [Figure: Network Access Wizard, Desktop Access page. Allow the ACE instance to access your VPN or other network hosts. To protect the ACE instance, its network access will be restricted except for DNS, DHCP, ICMP, and the network locations listed in the Allow access to list.] b. The summary of the settings appears in the table on the Finish page. Click Back if you want to make any changes to the access you just configured. When you are satisfied with the configuration, click Finish. [Figure: Network Access Wizard, Finish page. Summary of both host and ACE instance network access. Network Access Zones: Everywhere; Host Network Access: Full Access; Guest Network Access: Remote Instance Access.] If you selected Laptop Configuration: a. On the Define Internal Zone page, specify the conditions that identify your internal corporate network. You specify this internal zone by IP address and range and/or by domain/subdomain. IP Address Range is selected by default. If you don t wa
209. in this section are: "Installing the ACE Package on a Windows Host Computer and Running the ACE Instance" on page 219; "Installing the ACE Package on a Linux Host Computer and Running the ACE Instance" on page 223; "Running VMware Player" on page 225; "Troubleshooting Tools" on page 235; "Preserving the State of an ACE Instance" on page 243. Installing the ACE Package on a Windows Host Computer and Running the ACE Instance: The administrator creates an ACE package, which includes the ACE instance and VMware Player. NOTE: If this is the first installation of an ACE instance on the user machine, then an administrator (a user with administrator privileges) must install VMware Player before the ACE user can install and run ACE instances. Installing VMware Player on a Windows Host Computer: Only a user with administrator privileges can install and uninstall VMware Player. To install VMware Player on a Windows host computer, log on with administrator privileges and then follow the instructions for installing an ACE instance. The installation program installs VMware Player before it installs the virtual machine files if VMware Player is not already on the machine. NOTE: Although you must be logged in as an administrator to install VMware Player, a user with normal user privileges can run the program after it is installed. Installing an ACE Instance
210. incrementing integer. Log timestamp in microseconds from 12:00 AM 01/01/1970, stored as a decimal string. Logon user name. Affected Ace UID (FK). Affected Package UID (FK). Affected Instance UID (FK). Affected Policy Set Version. Event Category (Auth, AceAdmin, PkgAdmin, PolicyAdmin, InstAdmin). Event Type code (FK, references PolicyDb_EventType table). Session ID (debug). Incoming IP Address (reserved for future use). Server IP Address (reserved for future use). Operation Turnaround Time (time spent in server, in ms). Operation Handler Name (debug). Return code text (success, failure, specific error). Message Parameters (tab-separated list, see below). Previous event UUID, to prevent unauthorized record deletion or insertion (log integrity). Event record hash with a server key, to reveal modification of the record (log integrity). ACE, package, and instance UIDs and policy version provide coordinates of the log event in the space of ACE Server objects. They help to identify the event with the state of the system. By using database query tools such as Crystal Reports, the administrator can, for example, find all ACE administration events that affected a particular ACE from its moment of creation until it was deleted (since we never delete objects from the database but rather ma
211. ings
   - The Windows product ID for the guest operating system installation
   - If the ACE instance will be joined to a domain (whether the instance is local or remote to the domain), the user name and password for an account that has permission to add computers to the domain
   - Remote domain join parameters, if a remote ACE instance will be joined to a domain. See "Setting Up a Remote Domain Join" on page 188 for more information.
   Downloading the Microsoft Sysprep Deployment Tools
   NOTE: Microsoft Sysprep deployment tools are automatically installed with the Windows Vista operating system installation, so you do not need to download Sysprep tools if your guest operating system is a Windows Vista system.
   To ensure that the tools are on your admin machine when you need them:
   1. Go to http://www.microsoft.com and search for Sysprep deployment tools.
   2. Follow the instructions on the site for downloading the Sysprep deployment tools. Download all versions of the Sysprep deployment tools that correspond to the guest operating systems that you will deploy.
   The Sysprep deployment tools you might need are:
   - Sysprep deployment tools for Windows XP Professional SP1 and SP2. The SP1 version works with Windows XP Professional with no service pack and Windows XP Professional SP1. The SP2 version is, of course, for Windows XP Professional SP2.
   - Sysprep deployment tools for Windows 2000
   - Sysprep deployment tools for Windows 2003. Two versions
212. instances created from packages of that master will not have a host policy applied. A warning appears on the network access policy page if you attempt to apply a host policy in this way.
   - You can package just the host policy in a Custom package, keeping the package size quite small.
   - If you set up network access by using the Network Access Wizard through the Laptop Configuration option (described on page 107) and you do not modify any of the default settings provided by the wizard, then even though the host is otherwise blocked from all access to the network, it is allowed to communicate with DNS and DHCP servers so the zone detection mechanism can function properly.
   - Any restrictions on the host's network access also restrict network access for an ACE instance using NAT networking, because the NAT connection is affected by all the policies you apply to the host. If you set up restricted host access by using the ruleset and rules editors rather than the Network Access Wizard, ensure that you have configured the ACE master's virtual NICs to use bridged networking.
   - If you are setting up a managed ACE master, then you must allow the host to access the ACE 2 Management Server, communicating through TCP over the appropriate port that you configure.
   - Host policies do not apply to Pocket ACE instances. If you specify a restricted host policy for an ACE master a
213. ion Script
   The following sample script is written in C. It is installed by Workstation ACE Edition as sampleAuth.c. You may compile it with a C compiler if you want to run it.
   # VMware Sample Script
   #
   # Sample script for ACE script authentication
   #
   # Description:
   #   This sample script looks up the user as defined in the environment
   #   variable TEST_USERNAME and returns seed data that is used to make a key
   #   for authentication purposes. It assumes that the username is defined in
   #   the environment variable TEST_USERNAME (a fictitious environment variable
   #   used for this sample) and returns the seed data from a hardcoded map of
   #   username to seed data.
   #
   # Input to script:
   #   None
   #
   # Returns:
   #   0 if successful (user is correctly authenticated)
   #   1 if TEST_USERNAME is not set or the user is unrecognized
   #
   # Expected output:
   #   Seed data for creating script authentication key on stdout.
   #
   # Notes:
   #   If the script returns success, its output will be used to create a key.
   #   Therefore it is important that the output of this script be unique for
   #   each user and that there is enough data to make a meaningful key
   #   (at least 16 bytes).
   my %user_map = (
       "charlie" => "E1C4F612135B4D98A33B2C9BD595025D",
       "kathy" => "C79AFFEF773D61225751C2566858DB08",
       "beth" => "05B169B439B26AAB2EA4F755B7E3800C",
       "ernie" => "8CE63D4AA2068BD8AFF2D1B05F3495A5",
       "bert" => "172B1619B2EFBEQE4F381AA1C428F049"
214. ious policies and devices and package settings, and then used as the basis for creating any number of packages to be sent to ACE users.
   Activation: A step in ACE instance setup that includes package protection and setting up the ACE instance's runtime authentication policy. The successful completion of activation makes the packaged virtual machine, with its policies and other settings, into an ACE instance. The activation setting in the access control policy determines who can access an installed ACE package and turn it into an ACE instance. See also Authentication.
   Authentication: A step in ACE instance setup that includes instance protection. The successful completion of the authentication step allows the user to run the instance. See also Activation.
   Bridged networking: A type of network connection between an ACE instance and the rest of the world. Under bridged networking, an ACE instance appears as an additional computer on the same physical Ethernet network as the host. See also Host-only networking.
   Configuration: See Virtual machine configuration file.
   Full screen mode: A display mode in which the ACE instance's display fills the entire screen.
   Guest operating system: An operating system that runs inside an ACE instance. See also Host operating system.
   Host computer: The physical computer on which the VMware Player software is installed. It hosts the ACE instances.
   Ho
215. ipt and any arguments to the script.
   5. (Optional) Select Timeout and type in a timeout interval in seconds, in case the script doesn't run to completion.
   6. Click OK.
   7. If you are enabling this script for an ACE master that you have already deployed, include the script in the update package you distribute to your users so that existing instances can be updated to use the new authentication script.
   NOTE: The script is signed before deployment to prevent tampering. See page 128 for more information about resource signing.
   - To change the authentication setting from one type to another: Create a policy update package and distribute it to the user.
   - To change the script: Create a new package with the new script and distribute the package to the user.
   Advanced Setting for Power On Script
   You can provide a script to run at ACE instance power on that determines whether the ACE instance can be run. See "To include a power on script in the ACE master's packages" on page 111 for the procedure.
   Setting Host Guest Data Script Policies
   You can provide a host guest data script that runs when the ACE instance is powered on and can be used to pass values to the guest operating system. The script, which runs on the host operating system, should output a set of key value pairs, which become available to the applications running inside the guest operating system. The facili
216. irtual disk If you select this option click Next and then skip to Step 13 If you chose to create a new virtual disk now select a disk type an IDE or SCSI disk The wizard recommends the best choice based on the guest operating system you selected All Linux distributions you can select in the wizard use SCSI virtual disks by default as do Windows NT Windows 2000 Windows Server 2003 and Longhorn All Windows operating systems except Windows NT Windows 2000 Windows Server 2003 and Longhorn use IDE virtual disks by default NetWare FreeBSD MS DOS and other guests default to IDE virtual disks Click Next to continue then skip to Step 14 If you chose to use an existing virtual disk select the disk you want to use Click Next and then click Finish Specify the capacity of the virtual disk NOTE The virtual disk should be large enough to hold the guest operating system and all of the software that you intend to install with room for data and growth You might prefer to increase total disk space by adding virtual disks to the ACE master You can install additional virtual disks by using the virtual machine settings editor choose VM gt Settings You must add any additional virtual disks after completing this wizard but before you create the package for distribution to your users See the Workstation User s Manual for more information about using virtual disks Enter the size of the virtual disk that you wish to create
217. is not necessary to create a cert_chain file unless you use CA signed certificates; then follow the instructions above for CA signed certificates. Each certificate must have a unique common name.
   Multiple servers using DNS round robin. Each server can have its own SSL key certificate. ACE 2 Management Server and proxy server. The cert_chain file must contain the certificate and verification chain for every certificate being used by the servers. Place this certificate chain file in each of the ACE 2 Management Servers. Follow instructions above on how to do that. In the case of self signed certificates being used, the actual certificate is the verification chain, so the chain file would contain each self signed certificate being used by each of the servers. It is also possible to use the same key certificate for every server. In this case it is not necessary to create a cert_chain file unless you use CA signed certificates; then follow the instructions above for CA signed certificates.
   Multiple servers without any round robin or behind any proxy servers. You don't need to do anything for this case. Because there is no DNS round robin or proxy server, the ACE master behaves as if there is only one server it can talk to.
   Installing the ACE 2 Management Server
   Follow the instructions provided below for installing the server on your Windows or Linux system or for installing the ACE 2
218. it. The policy takes effect when a new instance from this package is installed and activated. You can also edit an imported keyword list and publish the change.
   Under Activation, select one activation type:
   - None: No password or key is required; any user can activate this instance.
   - Password: The user must enter the password specified by you to activate this ACE instance. You must provide the user with the password through email or other means.
   - Activation key: The user must enter a key that is in the key list you have created for this ACE instance. Click Set key list to open the Activation keys dialog box.
   [Screenshot: Activation Keys dialog box. "Only the following keys can be used to activate instances of this ACE Master. Keys can be any free formed string, such as a serial number."]
   NOTE: Activation keys are essentially serial numbers that can be tracked as used or unused by the server. The admin can enter the keys they want to use in the dialog or import them into the dialog from a text file. After an ACE instance or ACE master has been activated using a key, that key can't be used to activate another instance.
   - To add keys: Click Add. Type in the free form string.
   - To import keys: Click Import and browse to the file that contains the list of activation tokens you want to import. Each token is one line in the file. Blank lines are ignored.
   - To rem
219. [Screenshot: rule editor dialog box showing the locations to filter, with address examples "192.168.0.1/255.255.255.0, 192.168.0.1/24, or vpn.abc.com", and protocol, remote port and local port fields with the note "You can enter single port numbers and port number ranges. Example: 25, 80, 100-102"]
   To change the action for this rule, select the new action, Allow or Block, as appropriate.
   To change the direction of traffic for the rule, select the option you want from the drop-down list under Direction.
   [Screenshot: Direction drop-down list with the options "Both incoming and outgoing traffic", "Incoming traffic to the host only" and "Outgoing traffic from the host only"]
   To add a host name or IP address for the rule, click the link in the table under Addresses and type the new name or address. The wildcard setting for all IP addresses is 0.0.0.0/0. If you want to edit an existing host name or address, click that item and edit it. To remove a host name or address, click the item and then click Remove.
   To change the protocol used for this rule, select the new protocol you want from the Protocol drop-down list.
   [Screenshot: Protocol drop-down list with protocol number, remote port and local port fields]
220. king exactly as the ACE user will see it.
   NOTE: You can run any ACE master directly in Workstation ACE Edition to be sure the guest operating system and applications perform as expected. However, an ACE master running in Workstation ACE Edition does not respect any policies that restrict its functionality.
   The following subsections describe:
   - "Understanding Test Terminology" on page 203
   - "Choosing a Test Option" on page 204
   - "Quick and Easy Test with Preview Mode" on page 204
   - "Pre-Deployment End to End Test" on page 206
   - "Post-Deployment End to End Test" on page 207
   Understanding Test Terminology
   - Live copy of policies: The currently deployed policy set. The active ACE instances on the ACE users' machines are using these policies.
   - Working copy of policies: The policy set that you are using to make changes. For managed masters, these are unpublished policies. For standalone masters, these are policies that you have not yet packaged or distributed for deployment.
   - Preview: A mode that allows you to run the ACE instance as it will run on the user's machine, as well as see the effects of changed policies as they will appear on the ACE user's machine, without your having to package and install them. The Preview mode displays the working copy of the policies. See a full description of the Preview mode on page 204.
   - Publish Policie
221. l be automatically installed when you run vmware install pl as root or sudo Manually install Player on systems where the end user will not have root access The manual installation procedure is described below To install VMware Player on a Linux host computer 1 Ina terminal window become the root user so you can perform the initial installation steps su 2 Mount the ACE package and locate the player installer in the package directory VMware player i386 tar gz Or vMware player x86_64 tar gz 3 Copy the tar archive to a temporary directory on your hard drive in this example tmp cp VMware player i386 tar gz tmp Or cp VMware player x86_64 tar gz tmp 4 Change to the directory to which you copied the file cd tmp VMware Inc 223 VMware ACE Administrator s Manual 224 5 Unpack the archive tar zxf VMware player i386 tar gz Or tar zxf VMware player x86_64 tar gz 6 Change to the installation directory cd vmware player distrib 7 Run the installation program vmware install pl Accept the default directories for the binary files library files manual files documentation files and the initiation script 8 Select Yes when prompted to run vmware config pl and accept the default values for the remaining prompts NOTE If you do not enable host only networking when you install VMware Player you cannot allow a virtual machine to use both bridged and host only networking 9 When installation is complete
222. log box tells you that the policy has been published.
   Pre-Deployment End to End Test
   You can run an end to end test on a new ACE package before you deploy it to ACE users. Preview mode cannot be used to test host policies or ACE packages that will be deployed on a Linux host. Instead, you must perform end to end testing.
   For managed ACE masters: Designate a separate ACE server as a test server. On the ACE master you are testing, change the target ACE server to the test server. Publish and package your changes. Deploy the new package to a test client machine, and the instance will use the test server. When you have finished testing and the ACE instance works as you want it to, switch the target ACE server back to the original server. Then delete the activated ACE instance from the test server. See "To run an end to end pre-deployment test using an ACE 2 Management Server test server" on page 206 for more information.
   For standalone ACE masters: Package the ACE master, deploy it on another computer, and test it there. See "To run an end to end pre-deployment test on another computer" on page 207 for details.
   NOTE: This test might take a long time because packaging and encryption processes can be lengthy.
   To run an end to end pre-deployment test using an ACE 2 Management Server test server:
   1. Select the ACE master in its server location and then choose ACE > ACE Server to open the ACE Server dialog box. Enter the nam
223. lost and you will need to re-enter them:
   - Activation password, if using password based activation
   - Activation token list, if using token list based activation
   - Allowed users, if using Active Directory based access control
   - Domain join password, if instance customization and domain join are enabled
   - Remote domain join password, if instance customization and remote domain join are enabled
   What Does Reassigning an ACE Master to a New Server Address Do?
   Note that reassigning the ACE master to a new server address only copies the record for the ACE master. The records for the ACE instances are not copied. After the master has been reassigned, all the deployed instances of the master will continue to attempt to contact the old server. If the old server cannot be contacted, the instances will use their cached policies (if offline policy usage is enabled) until their cache expires.
   If you want to change your deployed instances to contact the new server, you will need to do two things:
   1. Make sure the new server can access the same database that your old server was using, either by copying it (if it was an embedded database) or by configuring your new server through the server setup Web application (if it is using an external database).
   2. Create a server update package, distribute it to all your users, and have them install it.
   Virtual Machine Settings
   You can change the settings for
224. lved, if you need to ensure that the user name is resolved to no more than a certain number of characters. For example, if you specify that 3 random characters are to be added to the actual logged on user name and you want to limit the maximum length of the resolved name to 15, then set <n> to 12. Your entry in the Name field in System Options would be Logon_user 12 random_alpha_digit 3. Including n in the placeholder is optional. If you don't use it (that is, you use Logon_user) or if you set <n> to zero (that is, you use Llogon_user 0), the placeholder will resolve to the full logged on user name.
   host_name or host_name n: The name of the host computer, usually used with some additional random number or name. You can use host_name n, where <n> is the maximum number of characters obtained from the actual computer host name when the name is resolved, if you need to ensure that the host name is resolved to not more than a certain number of characters. For example, if you specify that 3 random characters are to be added to the actual host name and you want to limit the maximum length of the resolved name to 15, then set <n> to 12. Your entry in the Computer Name field in System Options would be host_name 12 random_alpha_digit 3. Including n in the placeholder is optional. If you don't use it (that is, you use host_name) or if you set <n> to
225. m column, go to the Details view for the instance. See "Custom Details View" on page 253.
   To add a custom column:
   1. Right-click anywhere in the column heading row and choose Add Custom Column. The Custom Column Name dialog box appears.
   2. Type a name for the new column in the Name text box and click OK.
   NOTE: If you have added nine custom columns, the Add Custom command in the right-click menu is dimmed and you can't select it. You must delete one of the nine existing custom columns before you can add another one.
   To delete a custom column:
   Right-click on the column header for the custom column and choose Delete Column from the context menu.
   To edit a custom column name:
   1. Right-click on the column header for the custom column and choose Edit Title from the context menu. Type the new name in the Name field of the Custom Column Name dialog box and click OK.
   Changing the Sort Order of the Instances Table
   You can change the sort order for the rows in the instances table.
   To change the column sort order, choose either of:
   - Click the column heading for the column you want to sort by. An arrow appears at the right of the column heading cell, showing whether sorting is currently ascending or descending. Click again to reverse the order.
   - Right-click the column heading and choose Sort.
   Deactivating and Reactivating Instances from the Instance View
   To deactivate an active i
226. managed ACE instance must connect with the ACE 2 Management Server to download any policy updates while it is running.
   - Offline usage: How long a managed ACE instance is available for use without connecting to the ACE 2 Management Server. "Offline" in this usage refers to the instance not being connected to the server; the instance might be running with other active network connections.
   NOTE: This policy applies only to managed ACE instances. Policy updates for standalone ACE instances are applied as policy update packages. Policy changes are applied when the instance is started up after the update package has been installed.
   [Screenshot: policy editor settings. Policy update frequency options: "Every 5 minutes", "Only when the ACE instance powers on", "Only when the ACE instance is activated (instances will not receive policy updates from the server after activation)". Offline usage options: "Disable all offline use", "Allow offline use for 30 days", "Allow offline use indefinitely". Warning message option: "Show warning 1 days before offline timeout", with custom text added after the default text.]
227. ment Server SSL certificate management. See "Using SSL Certification and Protocol" on page 59 for details.
   Event logging. See "Using Event Logs" on page 83.
   Database Options
   The ACE 2 Management Server offers two database options:
   - Embedded SQLite database: The default mode of the ACE 2 Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.
   - Supported external database: If your enterprise IT environment requires the reliability and performance characteristics of a commercial database engine, you can use a supported external database as a backing store for the ACE 2 Management Server through ODBC connectivity. Supported external database engines are Microsoft SQL Server (SQL Server 2000 or SQL Server 2005) and Oracle Database 10g for Windows based servers, and PostgreSQL 7.4 or higher for Linux based servers.
   Some common benefits of using an external database with the ACE 2 Management Server are:
   - Online backup: You don't have to shut down the ACE 2 Management Server to back up the database.
   - Enhanced security model: You can fine-tune permissions to access sensitive data. The SQLite database engine provides file system based security.
   - Performance fine-tuning
   - Ability to u
228. ministrator or user actions stored in the Event table. For example, you might look for active instances that have not updated their ACE policy with the latest ACE policy set changes, or for excessive failed authentication attempts.
   The VMware ACE 2 Management Server Database Schema
   CAUTION: The data stored in the database is protected by the RDBMS access control mechanism. Make sure that you do not allow the database user account used by your reporting tool to have a higher than necessary level of access to the data; otherwise you could compromise the security of your VMware ACE system. For example, reporting tools typically do not need write access to the database. Instead, you can create a separate read-only account for the reporting tool. You might also want to disallow read access to database fields that contain sensitive information, such as user passwords, instance customization data (which may have the domain administrator logon), or instance disk encryption keys. See the schema in the following section. The embedded SQLite database does not support authentication, so access can be protected only by all-or-nothing file based security.
   Figure A-1 shows the VMware ACE 2 Management Server Database Schema.
   Figure A-1. Database Schema Diagram
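A report for the "excessive failed authentication attempts" case mentioned above could look like the following added example, which is not part of the manual or of any VMware tool. It assumes the event category is stored as the text "Auth", uses a hypothetical returnCode column for the return code text, and runs against constructed rows in an in-memory SQLite database with the connection switched to query-only, in the spirit of the read-only reporting account.

```python
import sqlite3

WINDOW_US = 10 * 60 * 1_000_000   # 10 minutes, in the microseconds used by eventTs
THRESHOLD = 5                     # failures inside one window that count as a burst


def open_reporting_db():
    """Build a constructed PolicyDb_Event table and return a query-only connection."""
    conn = sqlite3.connect(":memory:")
    # Only the columns this report needs; returnCode is a hypothetical name.
    conn.execute("""CREATE TABLE PolicyDb_Event (
                        eventUID TEXT PRIMARY KEY,
                        eventTs TEXT NOT NULL,      -- decimal string, microseconds
                        loginName TEXT,
                        eventCategory TEXT,
                        returnCode TEXT)""")
    base = 1190000000000000
    rows = []
    for i in range(6):            # six failures 30 seconds apart
        rows.append((f"a{i}", str(base + i * 30_000_000), "alice", "Auth", "failure"))
    for i in range(5):            # five failures, one per hour
        rows.append((f"b{i}", str(base + i * 3_600_000_000), "bob", "Auth", "failure"))
    rows.append(("c0", str(base), "carol", "Auth", "success"))
    rows.append(("d0", str(base), "alice", "AceAdmin", "failure"))  # not a logon
    conn.executemany("INSERT INTO PolicyDb_Event VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    # From here on the connection behaves like a reporting account: reads only.
    conn.execute("PRAGMA query_only = ON")
    return conn


def reporting_connection_is_read_only(conn):
    """Return True if a write through this connection is rejected."""
    try:
        conn.execute("DELETE FROM PolicyDb_Event")
    except sqlite3.OperationalError:
        return True
    conn.rollback()
    return False


def failed_auth_bursts(conn, window_us=WINDOW_US, threshold=THRESHOLD):
    """Map login name -> largest number of Auth failures inside any one window."""
    # CAST is needed: eventTs is text, and text comparison misorders values
    # whose digit counts differ.
    cursor = conn.execute(
        """SELECT loginName, CAST(eventTs AS INTEGER) AS ts
             FROM PolicyDb_Event
            WHERE eventCategory = ? AND returnCode = ?
            ORDER BY loginName, ts""", ("Auth", "failure"))
    per_user = {}
    for login, ts in cursor:
        per_user.setdefault(login, []).append(ts)
    bursts = {}
    for login, stamps in per_user.items():
        start = worst = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_us:   # slide the window forward
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            bursts[login] = worst
    return bursts


if __name__ == "__main__":
    db = open_reporting_db()
    print("read-only:", reporting_connection_is_read_only(db))
    print("bursts   :", failed_auth_bursts(db))
```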
229. mmand line interface m For managed ACE instances the instance customization process on the user s machine reports back the status success or failure of the process to the server The information is available in the Instance View of Workstation ACE Edition See Chapter 12 Instance View on page 245 for details on the view Besides status the process also reports back the MAC address and the new computer name VMware Inc 173 VMware ACE Administrator s Manual Overview of the Instance Customization Process This section provides an overview of instance customization To customize an instance On the Workstation ACE Edition machine during packaging 1 2 174 A snapshot of the ACE master is taken and saved The master is powered on and all the required deployment tools and files including the appropriate Microsoft Sysprep tools are copied into the guest There is no visible indication of the copying process See Downloading the Microsoft Sysprep Deployment Tools on page 176 for more information The Microsoft deployment tools run inside the guest operating system to seal the guest and prepare for deployment The guest operating system shuts down this is visible of course NOTE If the guest operating system does not shut down the problem might be that the Sysprep tools were not in place If the guest operating system fails to shut down promptly after approximately 10 minutes generally the
230. more logging entries than other log levels. It logs all informational transactions, such as instance status and so on. You would use this setting only when debugging running servers in the field.
   c. Use the Event Log Purging feature to specify whether to keep log entries indefinitely, keep log entries for at least a minimum specified number of days, or keep at least a minimum specified number of log entries after each purge. The oldest entries are purged first. The purge maintenance process runs approximately every 6 hours.
   d. Continue with the server configuration in one of the following ways: If this is the initial configuration of the server, click Next. If you are reconfiguring the server, click Apply and then click Restart or Later. If you click Later, you will need to restart the server manually. See "Stopping and Starting the Apache Service Manually" on page 83.
   6. When you see the message about the completion of server setup, click Restart. If you click Later, you will need to manually restart the server to have the configuration changes take effect. See "Stopping and Starting the Apache Service Manually" on page 83.
   NOTE: At this point, the new configuration has been written. The system must be restarted for the ACE 2 Management Server to use the configuration.
   7. On the Login page, type your admin password. Then click Login.
   8. The Welcom
231. n package any ACE master for a portable device if the device has enough space to hold the files Select ACE gt New Pocket ACE Package or click Create New Pocket ACE package in the ACE master summary view to open the Pocket ACE Package Wizard This section contains the following topics m Policies and Package Settings That Do Not Apply to Pocket ACEs on page 212 m Steps for Creating a Pocket ACE Package on page 213 Policies and Package Settings That Do Not Apply to Pocket ACEs Host snapshot and copy protection policies will be ignored by Pocket ACE instances If you attempt to create any of these policies for an ACE master and then attempt to create a Pocket ACE package with that ACE master the package will be created but the policy will not be included in the package In addition administrators are not able to revert to reimage snapshots when running a Pocket ACE in administrator mode in VMware Player To create an update package for a deployed Pocket ACE use the New Package Wizard and select the Update package type in that wizard If you enable a restricted host policy or any options in the snapshot policy those settings are ignored when the update package is created VMware Inc Chapter 10 Pocket ACE Steps for Creating a Pocket ACE Package To create a Pocket ACE package 1 VMware Inc Start Workstation ACE Edition and open the ACE master you want to use as the basis for the package Ensure that t
232. nagement Server 78 bridged networking defined 268 Cc caution about reassigning ACE master to new server 102 check server name when installing ACE Management Server 65 instance customization for Windows Vista guest operating sys tem ensure computer names work in Mini Setup 182 packaging download Microsoft Sysprep deployment tools 194 CD package delivery 196 certificates setting up 61 change the copy protection ID 242 changing deployment platform for an ACE master 188 Clone VM to ACE Master wizard 98 Cloning ACE master from existing master 97 cloning an existing virtual machine to an ACE master 98 column headings sorting by 241 commands accessing in Workstation ACE Edition 34 configuring ACE Management Servers 69 ACE masters 191 preferences for Workstation ACE Edition 46 virtual machines defined 271 Connect to ACE Management Server command 254 VMware Inc Index connecting devices with VMware Player 230 copy protection policy 126 copy protection changing the ID for 242 creating packages 192 Pocket ACE packages 212 policies for an ACE instance 106 custom EULA package setting 172 custom fields in Instance View 248 D database for ACE Management Server 57 database backup 58 database external 57 deactivate or reactivate an instance 241 deactivating ACE instances from the instance view 249 deploying packages 192 deployment platform setting 188 deployment tools
233. nagement Server Licenses" on page 46 for information about the license requirements for the server.
   Using Active Directory Integration Using LDAP
   This section describes how to use Active Directory integration.
   To use Active Directory integration using LDAP:
   1. Create a user that the ACE 2 Management Server will use to connect to the LDAP server and use for querying. Find out what the full LDAP Distinguished Name (DN) is for that user (later referred to as the bind_dn user in this manual). For example, create a user called aceuser whose LDAP DN is cn=aceuser,cn=Users,dc=vmware,dc=com.
   2. Create an ACE Administrators group in the domain.
   3. Add users who will be ACE administrators to that group.
   4. If you will permit certain users to perform Help Desk tasks from within the Help Desk Web application but do not want to give them access to other administrative tasks, create a Help Desk group and assign users to it for the Help Desk role.
   When you configure the ACE 2 Management Server and select Enable LDAP on the Security tab, by default the Web application configures the server to use the group ACE Administrators as its admin group. Only members of that group can modify the server configuration.
   NOTE: You can log into the Help Desk Web application with your administrative LDAP credentials or password. Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from within the Help Desk application but does
234. nd then attempt to create a Pocket ACE package with that master, the package will be created but the host policy will not be included in the package. • You cannot view changes to host policies in the Preview mode. If you want to test the effects of such changes, you must do a test deployment. See Chapter 9, "Preview Save Test Publish," on page 203 for details on test scenarios. Getting Started with Setting Network Access: To get started, in the policy editor select Network Access and then choose one of the following options. • Full network access for both the ACE instance and its host: This option allows full network access with no restrictions. This is the default setting. If you don't need to restrict network access, verify that this option is selected and then click OK. • Restrict network access of the ACE instance and/or its host: This option allows restricted network access that is based on rules that you specify. (VMware Inc 131, VMware ACE Administrator's Manual.) If you chose Restrict network access, you can now specify the access rules. Workstation ACE Edition provides you with two methods for setting up the rules. Use the Network Access Wizard to set up access quickly using the default settings; see "Using the Network Access Wizard to Configure Network Access" on page 132. Or skip the wizard and configure network access options by using the zone ruleset and rule editors. See Using the Zone Ruleset and
235. ndriva hosts, some 32-bit compatibility libraries are required. Specifically, 32-bit glibc, X11, and libXtst.so are required. Red Hat Enterprise Linux 5.0; Red Hat Enterprise Linux 4.5; Red Hat Enterprise Linux AS 4.0, updates 3, 4; Red Hat Enterprise Linux ES 4.0, updates 3, 4; Red Hat Enterprise Linux WS 4.0, updates 3, 4; Red Hat Enterprise Linux AS 3.0, stock 2.4.21, updates 2.4.21-15, 6, 7, 8; Red Hat Enterprise Linux ES 3.0, stock 2.4.21, updates 2.4.21-15, 6, 7, 8; Red Hat Enterprise Linux WS 3.0, stock 2.4.21, updates 2.4.21-15, 6, 7, 8; SUSE Linux Enterprise Server 10; SUSE Linux Enterprise Server 9 SP4 (Beta); SUSE Linux Enterprise Server 9 SP1, SP2, SP3 (listed versions are also supported with no service pack); openSUSE 10.2 (formerly known as SUSE Linux 10.2); SUSE Linux 10.1; SUSE Linux 10; SUSE Linux 9.3; SUSE Linux 9.2 SP1; SUSE Linux 9.1, stock 2.6.4-52; Ubuntu Linux 6.10; Ubuntu Linux 6.06; Ubuntu Linux 5.10; Ubuntu Linux 5.04. Important: On 64-bit Ubuntu 6.x hosts, some 32-bit compatibility libraries are required. Specifically, 32-bit glibc and X11 are required. See the VMware Guest Operating System Installation Guide for version details about these operating systems. A Web browser is required for the Help system. (Chapter 1: Introduction and System Requirements.) ACE 2 Management Server: The following sections describe the ACE 2 Managem
236. ng Users Problems 41 3 Installing Configuring and Upgrading Workstation ACE Edition 43 ACE Option Pack and ACE Client Licenses 43 ACE Option Pack License 43 ACE Volume Licensing Key 44 ACE Client License 44 ACE 2 Management Server Licenses 46 Setting Preferences for Workstation ACE Edition 46 Installing ACE Instances on User Machines 46 Installing Multiple ACE Instances on a Single User Machine 46 Uninstalling Individual ACE Instances and Workstation ACE Edition 47 Upgrading from VMware ACE 1 x to VMware ACE2 47 Before You Begin Upgrading Virtual Machines 47 Steps for Upgrading VMware ACE 1 x Virtual Machines to VMware ACE 2 Virtual Machines 48 4 VMware Inc Contents 4 Installing and Configuring the ACE 2 Management Server 51 ACE 2 Management Server Setup Options 52 System Requirements for the ACE 2 Management Server 53 Hardware 53 Display 53 Disk Drives 53 Local Area Networking 53 Operating Systems 53 Supported Windows Host Systems 54 Supported Linux Host Systems 54 External Databases 54 Web Browsers 54 Features of the ACE 2 Management Server 55 Components of the ACE 2 Management Server 57 Database Options 57 About Database Backup 58 Integrating the ACE 2 Management Server with Management Tools or Automated Scripts 59 Using SSL Certification and Protocol 59 Setting Up Your Own Self Signed Certificates Third Party Signed Certificates or Certificates from an Internal Certificate Authority 61 Configuring Multiple ACE 2 Manag
237. ninstaller quits. Uninstalling VMware Player from a Linux Host Computer: To uninstall VMware Player, run /usr/bin/vmware-uninstall.pl. Running the ACE Instance on a Linux Host Computer: To run the ACE, enter the following on the command line: vmplayer <path_to_installed_package_directory>/<name_of_ACE_vmx_file>.vmx. Or run the ACE instance from the VMware ACE menu. Running VMware Player: This section provides an overview of the most used features of VMware Player. You might not see all these features in the VMware Player installed on your computer. Certain features are available only if the administrator who created the package included them. • "Starting VMware Player" on page 226 • "Entering a Client License in VMware Player for an ACE Instance" on page 227 • "Quitting VMware Player" on page 227 • "Enlarging VMware Player to Fill the Screen" on page 228 • "Understanding VMware Player Status Indicators" on page 228 • "Viewing Messages, Notifications, and the ACE Information Dialog Box" on page 230 • "Controlling Devices Attached to VMware Player" on page 230 • "Setting VMware Player Preferences" on page 230 • "Taking Snapshots in VMware Player" on page 231 • "Using Shared Folders" on page 232 • "Printing from VMware Player" on page 232 • "Troubleshooting Problems" on page 232. See also the VMware Player online help for gene
238. nly (Chapter 5: Creating and Configuring ACE Masters). Click Next. On the Clone Type page, select Create a linked clone or Create a full clone. Click Next. NOTE: Deployed instances of this master will always include a complete copy of the virtual machine. Select a name and folder for the ACE master on the Name of the New ACE Master page. Each ACE master should have its own folder. All associated files, such as the configuration file and the disk file, are placed in this folder. The default folder for this Windows XP Professional ACE master is C:\Documents and Settings\<username>\My Documents\My Virtual Machines\Windows XP Professional. On the ACE Management Server page, choose whether you want to use the ACE 2 Management Server to manage the instances created from this ACE master. • Select Use server (the default choice) to have an ACE 2 Management Server manage the instances created from this ACE master. Then enter the server name and port, or choose the server from the dropdown list of previously chosen servers. The port assigned to that server appears in the Port box. Click Next. • Select Don't use server if you do not want to have an ACE 2 Management Server manage the ACE instances created from this ACE master. NOTE: You can't change the ACE master at a later time from Use server to Don't use server or the reverse. The ACE master will always be either managed or standalone
239. nstance: 1. Click the instance in the right pane of the view so that the instance row is highlighted. 2. Click the Deactivate icon at the top left of the view. 3. Verify that the icon is dimmed. To reactivate a deactivated instance: 1. Click the instance in the right pane of the view so that the instance row is highlighted. 2. Click the Reactivate icon at the top left of the view. 3. Verify that the icon is no longer dimmed. Resetting Expiration Dates for an Expired Instance by Clicking Reactivate: You can reset the expiration dates for an expired instance in the Instance View by selecting the instance row, clicking Reactivate, resetting the expiration dates in the dialog box, and clicking OK. NOTE: You can press Ctrl-click or Shift-click to select multiple instances and then reactivate or deactivate them all at once. Using the Details View: To open a details view of an instance, do one of the following: • Double-click the instance row in the right pane of the view. • Click the instance in the right pane of the view so that the instance row is highlighted, and then click the Details icon at the top left of the view. General Details View: The General details view shows statistics for this instance, including: • Instance number, activated by, and activation status • ACE master name and package name • Activation and deactivation dates • Expiration date range
240. nt to use this option, deselect it. To use it, click the link in the table and type the IP addresses or address ranges. If you select Domain, type the domain name. Select Include subdomains of this domain (see the descriptions of Allow subdomains of this domain and other zone conditions on page 137) if you wish to include them when the software searches for a domain name match. When you have finished entering addresses and/or the domain name, click Next. [Screenshot: Network Access Wizard, Define Internal Zone page] b. On the Internal Network Host Access page, type any host names and addresses for internal network locations that you want to allow this host machine to access in addition to the default DNS, DHCP, and ICMP protocols and ports, and then click Next. [Screenshot: Network Access Wizard, Internal Network Host Access page]
241. o active RT policy aceTsCreated VARCHAR 21 DEFAULT NOT NULL Creation timestamp aceTsLastModified VARCHAR 21 DEFAULT NOT NULL Last modified timestamp deleted VARCHAR 7 DEFAULT FALSE Is this entry deleted tombstone PRIMARY KEY CaceUID Package data CREATE TABLE PolicyDb_Package packageUID VARCHAR 128 Unique ID primary key aceUID VARCHAR 128 NOT NULL The ACE it belongs to pkgName VARCHAR 128 UI visible name pkgUseValidDates VARCHAR 7 DEFAULT FALSE NOT NULL Use validity dates or always valid pkgValidDateStart VARCHAR 21 NOT NULL The package is valid from this date pkgValidDateEnd VARCHAR 21 NOT NULL The package is valid till this date pkgDisabled VARCHAR 7 DEFAULT FALSE NOT NULL Is the package disabled pkgProtectionKey VARCHAR 1024 The key used for package distribution pkgPreview VARCHAR 7 DEFAULT FALSE NOT NULL Is preview package pkgTsCreated VARCHAR 21 DEFAULT NOT NULL Creation timestamp pkgTsLastModified VARCHAR 21 DEFAULT NOT NULL Last modified timestamp deleted VARCHAR 7 DEFAULT FALSE Is this entry deleted tombstone PRIMARY KEY packageUID FOREIGN KEY aceUID REFERENCES PolicyDb_Ace aceUID Access Control object data single item of the list associated with ACE master CREATE TABLE PolicyDb_Access accessPK VARCHAR 128 Unique ID
242. o hot fix requests 237 users problems 41 232 with vmware acetool 236 U uninstalling an ACE instance from a Linux host 225 an ACE instance from a Windows host 222 update frequency 106 161 USB device connection 146 USB device policy 147 user groups accessing 12 user interface See Workstation ACE Edition using the ACE Management Server 85 V view details for an instance 242 view network access details 243 viewing instances managed by an ACE Management Server 246 viewing package history 200 virtual disk defined 271 size 95 virtual machine defined 271 existing cloning to ACE master 98 location of files 92 memory settings 93 281 VMware ACE Administrator s Manual settings 104 settings editor defined 271 Virtual Network Editor 271 VMware ACE 2 components 18 described 15 hardware and software recommendations 22 key features 17 VMware ACE Management Server database schema event types 266 database schema script 258 database schema illustrated 257 VMware community forums accessing 12 VMware Player defined 272 fixing ACE Server connection prob lem on Linux host 85 hardware requirements 24 installing on a Linux host 223 installing on Windows host 220 quitting 227 running 225 setting preferences 230 starting 226 stopping 227 VMware Tools checking for latest version 195 defined 272 vmware acetool using 236 VPN credentials providing during packaging 198 282 W wizard Clone A
243. ocked by policy violation, and validity dates expiration for the instances, as well as many details such as who the instance was activated by, ACE master for this instance, package name, guest name and IP address, and host name. You can select an instance in the table and then deactivate or reactivate the instance. You can also open a details view for each instance that shows the instance's general statistics and policy settings. The topics in this section are: • "Opening a View of All Instances Managed by a Server" on page 246 • "Setting Up Queries to Search for Instances" on page 246 • "Showing, Hiding, Moving, and Resizing Columns in the Instances Table" on page 248 • "Adding Custom Database Fields by Adding Columns" on page 248 • "Changing the Sort Order of the Instances Table" on page 249 • "Deactivating and Reactivating Instances from the Instance View" on page 249 • "Resetting Expiration Dates for an Expired Instance by Clicking Reactivate" on page 250 • "Using the Details View" on page 250 • "Using the Connect to ACE 2 Management Server Command to Open an Instance View" on page 254. Opening a View of All Instances Managed by a Server: To open a view of all instances managed by a server, click the server in the Sidebar. An example of an Instance View appears below. [Screenshot: Available ACE Instances view]
244. ode in Preview, which allows you to use an existing deployment, can save you additional time by allowing you to skip activation and instance customization steps that were done during the first preview instance for this ACE master. You can switch from running the ACE instance in preview mode back to the Workstation ACE Edition interface without having to shut down the preview if you wish. You can't start up another preview run, however, because only one preview instance is allowed per master. You can start up a preview of a different ACE master. Run a Quick and Easy Test in Preview Mode: This test allows you to view and test changes without having to take the time to create a full package and install that package. To run a quick and easy test with Preview mode: 1. Open the ACE master you want to test and invoke the policy editor. 2. Select the page for the policy you want to change and make the change. 3. Click OK on the policy page to save the change. 4. Click the Preview in Player icon in the toolbar to invoke VMware Player. Player allows you to activate and authenticate the ACE instance, if those policies are set, and starts up the guest operating system. 5. Test the change in the running ACE instance to ensure that it is the one you want to make. 6. (For managed ACE masters only) After you are satisfied that the change is correct, click Publish Policies to Server. A pop up dia
245. of instances managed by this server are shown on this page. For example, 11 20 150 indicates that instances 11 through 20 of 150 instances appear on the current page. Set Up Queries to Search for Instances: You can use the advanced search function in the VMware Help Desk to query the ACE 2 Management Server database to find one or more particular ACE instances. To search for an ACE instance: 1. Click Search in the upper left of the Instances page. The Search window appears. 2. Specify the criteria to be included when the database is queried. Type your entries in the fields that you want to query: • Activated by: Activated by refers to the activation method, such as password or activation key. If there is no such activation method, then N/A appears in the column. • Activated • Deactivated • Valid • ACE Master Name • Package Name • Host Name • Host IP Address • Guest Name. NOTE: The Guest Name, which is the computer name resolved on the user's machine during instance customization (a feature for Windows systems only), is always shown in the help desk view as 15 characters or less. The NetBIOS name is reported here, and it is a maximum of 15 characters in length. Even if the actual computer name contains more characters, the name is always shown as the NetBIOS name. • Guest IP Address • Guest MAC Address • custom_column_name: Any custom columns that you have speci
246. on, ensure that TCP connectivity is enabled in the database configuration options. Also ensure that the TCP connection is not blocked by firewall settings on either the database server or the ACE 2 Management Server system. Additionally, if you are using a PostgreSQL external database, you must configure per-user permission to connect to the database over the network. Configure that permission in the file pg_hba.conf, which is located in the root folder of your database. To ensure smooth configuration of the ACE 2 Management Server, you could also verify the server's connectivity to the configured database with the configured user credentials by running a command-line or graphical SQL tool on the ACE 2 Management Server machine. Examples of such tools are sqlcmd.exe for SQL Server, sqlplus.exe for Oracle, and psql for Postgres. Refer to the respective database user manual for database configuration and verification instructions. Create a System DSN entry on the ACE 2 Management Server machine. The only required information in DSN configuration is the DSN name, server IP address or host name, and the database name. In other words, you don't have to provide a user name and password in the DSN configuration. Any values entered here will be ignored. You will provide a user name and password when configuring your ACE 2 Management Server using the Web Setup application. NOTE: Ensure that you create a Sy
247. on date set for the instance, if any, has not been reached. (Chapter 6: Setting and Using Policies and Customizing VMware Player.) Dynamic changes to the authentication policy: You can add or remove users from the list of those who can activate ACE packages. User list changes are effective at the next startup of this instance. NOTE: You cannot change activation and authentication policies that use Active Directory to policies that do not use Active Directory, nor can you make the reverse change, from without Active Directory to with Active Directory. [Screenshot: Activation and authentication policy page] Activation and Authentication: Under Activation and authentication, you can edit the list of users and groups who can activate and authenticate (run) the instance. • Click Add to open the Active Directory users and groups dialog box. Select the users and groups who can activate and authenticate the instance. NOTE: Ensure that your adminis
248. on enabling the hot fix feature, see "Setting Hot Fix Policies" on page 160. For information on setting a recovery key, which you must have to send a hot fix for a lost or forgotten user password, see page 121. The user runs the Hot Fix Request Wizard, which generates a hot fix request file. The user can submit this file to you as an email attachment or in some other way. To respond to the hot fix request, take the following steps: 1. Save the file to a location you can reach easily from the computer on which you are running Workstation ACE Edition. In Workstation ACE Edition, open the ACE master for the instance requiring the hot fix. Choose File > Open. Navigate to the location of the hot fix request file and click Open. A hot fix tab opens in the Workstation ACE Edition window. The hot fix tab displays the user's name and email address, the problem that led to the hot fix request, and any additional note the user entered. Click Approve hot fix to open a dialog box in which you can make the appropriate settings to approve the request. Click Deny hot fix to deny the request. Enter the appropriate information in the dialog box. • Lost or forgotten password: Browse to the location of the private recovery key used for the project. See page 121 for information about creating a recovery key. Enter the password for the private part of the recovery key. Enter and c
249. onfirm a temporary password for the user. You must communicate this temporary password to the user separately. • Expired ACE instance: Set the new expiration information for the ACE instance. You can extend use by a specified number of days or set a new expiration date. • Copy protected ACE instance run from a new location: The dialog box displays the path to the location from which the user wants to run the ACE instance. • Denied request: The dialog box provides a field in which you can enter a message to the user. Select one of the following methods for sending the response: • Click Send hot fix on the hot fix tab. Then click OK. • Send the hot fix file in the same folder as the hot fix request (the file extension for the fix file is .vmhf). The display on the hot fix tab shows the status of the hot fix request (approved or denied) and the date on which you took action. The user applies the hot fix by double-clicking the hot fix file. (Chapter 11: Installing and Using VMware Player and ACE Instances.) Using the VMware Help Desk Web Application: The VMware Help Desk Web application allows help desk assistants or administrators to view ACE instances that are managed by a particular VMware ACE 2 Management Server and to provide some fixes requested by users of those instances. Help desk assistants can access the ACE instance through the VMware Help Desk Web application and can fix just a limited set of ACE ins
250. ons and VMware Tools in the ACE Master: Before deploying a package to your users, be sure the ACE master has the necessary operating system and software installed. See the Workstation User's Manual for details about installing the guest operating system, applications, and VMware Tools. Creating a Package: After you have created an ACE Master and configured policies, devices, and package settings, use the New Package Wizard to create a package to deploy instances to users. NOTE: To create a Pocket ACE package for distribution on portable devices, use the Pocket ACE Package Wizard rather than the New Package Wizard. See "Creating an ACE Package for Portable Devices" on page 212. This section has the following topics: • "Overview of Package Creation" on page 192 • "Package Validation" on page 193 • "Steps for Creating a Package" on page 194. Overview of Package Creation: A Full package includes an installer and the additional files needed to install an ACE package and the VMware Player application that runs the ACEs. A Full package allows you to create a completely new ACE instance. A Policy Update package includes just the policy-related files. A Server Update package allows you to update the ACE 2 Management Server and server usage for a managed ACE master. (Chapter 8: Creating Packages and Deploying Them to Users.) A Custom package allows you to choose specific items to deploy. The component
251. or to different ones. You can thus package a daily computing environment and allow your users to take that environment, including their documents, settings, applications, and even VPN access, wherever they need to go. This chapter describes how to create, deploy, and run Pocket ACE instances: • "Portable Devices Requirements" on page 211 • "Space Requirements for Your Pocket ACE" on page 212 • "Creating an ACE Package for Portable Devices" on page 212 • "Deploying the ACE Package on a Portable Device" on page 215 • "Running the Pocket ACE Instance" on page 217. Portable Devices Requirements: You can install ACE packages on the following types of devices: • Flash memory drives (USB keys) • Flash-based Apple iPod mobile digital device • Hard drive-based Apple iPod mobile digital device • Portable hard drives. NOTE: Use USB2 high-speed devices only. Space Requirements for Your Pocket ACE: When you create a new ACE master that you will use to create a Pocket ACE package, make sure that the removable device you intend to use to store your Pocket ACE has enough space to store the virtual disk's total capacity, memory, and approximately 300MB for overhead. When a Pocket ACE package is deployed to a removable device, the virtual disk is preallocated to the full capacity for enhanced performance. Creating an ACE Package for Portable Devices: You ca
252. ore You Configure the Server" on page 69. To configure the server: 1. Start up the configuration application. • On Windows: Choose Start > VMware > VMware ACE Management Server and click the Configuration link. • On Linux: Open a browser, point it to the address for the host system on which you installed the server, and open the Web page. Click the Configuration link on the page. On the Welcome page for the server setup application: • If this page says This server has not been configured, click Start. • If this page says This server is configured, click the tab for the page on which you want to make a configuration change. On the Licenses page: To set up the license at the initial configuration of your ACE 2 Management Server: a. Enter the serial number for the server. b. Optionally, enter a user name and company name. c. Click Next. If you are reconfiguring the server, the current licensing information is displayed at the top of the page. The License Expiration field shows either No Expiration or a date, for permanent and expiring licenses respectively. If the system on which you have installed the ACE 2 Management Server currently has more than one valid server license, just one license is displayed on that page. To make changes to the license information: a. Click Change. b. (Optional) Type in the new user name or company name. Chapter 4: Installing and Configuring the ACE 2 Management S
253. ork access status icon to open the ACE Information dialog box, which displays a detailed summary of your ACE's network access status. • If the ACE has a host network access policy: • On Windows, the host access icon appears in the system tray of your computer's Windows operating system. The icon features a VMware logo connected to a network cable. Hold your mouse pointer over the icon for a brief description of host access status. Click the icon to open the VMware ACE Host Network Access Info dialog box, which displays a summary of the host network access status. • On Linux, you can use the following commands to set the log level and to see the current zone and log level. Usage: vmnet-detect; -d, -d <PID file>: daemon mode; -l <log level>: set the log level; -g: get the current zone and log level. Valid log levels are mute, terse, normal, and verbose. Sample output from a -g command: "Current zone Default Zone Not blocking network traffic Current log level verbose". Sample output from a -l command: "Log level set to normal". Viewing Messages, Notifications, and the ACE Information Dialog Box: VMware Player displays pop-up notifications about changes in network access settings and other status information. Those notification messages appear in the lower-right corner of the Player window when you start up the ACE. You can close the messages by clicking the
254. ound information you want to store for the package. Your users do not see this information. d. Click Next. CAUTION: When you select the Location on the Name the Package page, note that you are choosing a location, usually on the administrator machine, in which to store the package. Do NOT select the portable device to which the package will be deployed. If you do that, the package will not work. You will deploy the package to the device at a later time; see the instructions under "Deploying the ACE Package on a Portable Device" on page 215 for details. On the Select Player page, select the Player installers you want to include in the package. All the contents needed for a Pocket ACE are packaged, including the installers for Player. The Player installers that are packaged will be for the operating systems selected in the Deployment Platforms page of the package settings editor. The Disk Space area on the page includes a value for Required on portable device. Click Next. The Pocket ACE Deployment Password page appears. If you supply a password here, anyone who attempts to deploy the package to a portable device will have to enter the password during deployment. • For most Pocket ACE packages, you must specify a deployment password. Type in a password and confirm it. • Specifying a Pocket ACE deployment password is optional if the ACE master has either of these qualities:
255. ove keys: Select the entry or entries you want to remove in the table. Click Remove, then click Yes. Removing a key does not affect an instance that has been activated with that key. Authentication: The user must authenticate the ACE instance each time the user runs the instance, unless the authentication type (see below) is set to None. In addition to the user's input of the correct password or the key resulting from the successful execution of the script, the server also verifies these settings before the instance can be powered on: • The revocation flag is not set, and the instance is not blocked from running because of any policy errors. • The expiration date set for the instance, if any, has not been reached. Under Authentication, select one authentication type: • None: No password is required; any user can activate this instance. • User-specified password: Select this option to specify that the instance does not run until the user enters the correct password. Each user must set a password during activation at first power on. To set the minimum length or required character types for the password, click Set password policies to open the Password Policies dialog box. [Screenshot: Password Policies dialog box]
256. ox has just been opened or (2) you clicked Refresh. The device is added to the device database and is maintained there as an entry even after you unplug the device. 2. Click Manual Add to open the Add USB Device dialog box. In that dialog box, type a name for the device in the Name box. Then type the vendor ID and product ID in the appropriate boxes. Vendor IDs are assigned to manufacturers by the USB Implementers Forum (the USB-IF Web site is http://www.usb.org). Product IDs are assigned by manufacturers to their individual products. Click OK. The device appears as an entry at the end of the Device list in the USB Device List dialog box. [Screenshot: Add USB Device dialog box with Name, Vendor ID, and Product ID fields] To make changes to the details of a device in the list: To edit a device name, click Add in the USB Devices policy page. The USB Device List dialog box appears. Double-click the device to select it. The name is highlighted in its own editable text box. Edit the name. [Screenshot: USB Device List with Device, Vendor ID, and Product ID columns] To alter the Vendor or Product IDs for a device already in the list, click Add in the USB Device List dialog box. Type in the name of the device, then make changes as needed in the ID fields. Then click OK. When you are finished adding
257. pache2 start. Logging On to the ACE 2 Management Server: Communications between Workstation ACE Edition and the ACE 2 Management Server take place over a secure SSL connection. When you attempt to access the ACE 2 Management Server for the first time in a Workstation ACE Edition session, a login dialog box appears. You need to supply the appropriate login information. • If the server is not integrated with LDAP (Active Directory service), type in the administrator password that you set when you configured the server. • If the server is integrated with Active Directory service, enter your administrative credentials (username, password, and domain) in one of the formats shown in Table 4-2. Table 4-2. Logon Options for ACE 2 Management Servers with Active Directory Service (columns: Logon; Notes). • Logon: long name, password, domain name. Notes: The long name is the First_name Last_name format, for example, ACE User. • Logon: long name, password. Notes: The long name is the First_name Last_name format, for example, ACE User. Leave the domain field blank. • Logon: short name, password, domain. Notes: The short name is the sAMAccountName, for example, ace as the shorter form of long name Ace User. • Logon: short name, password. Notes: The short name is the sAMAccountName, for example, ace as the shorter form of long name Ace User. Leave the domain field blank. • Logon: email address, password. Notes: This logon option can only be
258. pecify exactly which machines or subnets an ACE instance or its host system may access. This means that you can, for example, configure the instance so it is allowed to connect only to your VPN server, which then controls access to other resources. You can also customize the network access settings to filter on the basis of network addresses, traffic direction, protocol, and ports. Workstation ACE Edition provides methods for you to perform the following tasks from within the user interface:
- Define network zones.
- Define network access for your ACE instances' host machines (also known as host network access).
- Define network access for your ACE instances' guest systems (also known as guest network access).
Network access policies can be dynamic if the ACE instance is associated with an ACE 2 Management Server. This means, for example, that you can quickly lock ACE instances out of all or part of your network to help combat the spread of a worm or virus, without deploying updated packages.
Topics in this section include:
- Before You Begin: Read These Notes About Host Policies on page 130
- Getting Started with Setting Network Access on page 131
- Using the Network Access Wizard to Configure Network Access on page 132
- Using the Zone, Ruleset, and Rule Editors to Configure Network Access on page 136
- Network Properties Packaging on page 145
259. pired ACE
If your system administrator configured your ACE to run for a limited time, you receive an error message if you try to run the ACE after it has expired. To request an extension of the time you are authorized to run the ACE, click the Request Hot Fix button in the error dialog box. This starts the Hot Fix Request Wizard.
Copy Protected ACE Run from a New Location
If your system administrator has applied copy protection to your ACE, it runs only from the location where it is installed by the package installer. If you try to run it from a different location (for example, if you have copied it to a different directory), you receive an error message. To request authorization to run the ACE from the new location, click the Request Hot Fix button in the error dialog box. This starts the Hot Fix Request Wizard.
Resetting and Powering Off
In the course of troubleshooting a problem, your system administrator might ask you to reset or power off your ACE. These commands are on the VMware Player menu. Choose Player > Troubleshoot > Reset or Player > Troubleshoot > Power Off and Exit. The reset command affects your ACE the same way a reset button affects a physical computer. Giving the reset command is like turning the power off, then immediately turning it on again. The power off command affects your ACE the same way turning off the power affects a physical comput
260. portable media or make them available on a network. See Chapter 8, Creating Packages and Deploying Them to Users on page 191, or Deploying the ACE Package on a Portable Device on page 215.
Keeping Users Up to Date
Workstation ACE Edition gives you tools you can use to ensure that your users are running up-to-date ACE instances. You can provide a new package to replace an ACE master, to distribute an additional ACE master, or to change the policies applied to the VMware Player application or to the ACE instance. You might need to provide updates to users' packages. You might need to update the guest operating system or provide an update to a program running inside the ACE instance. Or you might need to update either the ACE instance itself or policies set for the package.
CAUTION: If you replace an existing ACE instance by supplying a new package, your users lose any data or custom settings stored in it.
For information on these topics, see Deploying Packages on page 201.
Troubleshooting Users' Problems
Your users might need help with lost passwords, expired ACE instances, or copy-protected ACE instances that they have moved to a different location. For managed ACE instances, you can fix those problems by using the Instance View in Workstation ACE Edition or by using the Help Desk Web application. See Chapter 12, Instance View on page 245, and Using the VMware Help Desk Web Application on page 239
261. provide this information below.
The Instance Customization sub-pages are disabled and cannot be accessed if the Enable instance customization option is not selected. Similarly, you cannot type in the Product ID box if the Enable option is not selected.
On the System Options page:
NOTE: You can use placeholder variables for the system name, organization name, and computer name. For details on the placeholder variables, including an example, see Placeholder Values to Use in Instance Customization on page 180.
a. Enter a system name.
b. Enter an organization name.
c. Enter a computer name.
CAUTION: For Windows Vista guest operating systems, the computer name must be 15 characters or less in length. If the name is more than 15 characters, the Mini-Setup process fails on the user machine.
NOTE: Do not enter administrator in the Name field or the Computer Name field of the System Options page. If you type the text administrator in those fields, instance customization will fail during the Mini-Setup process. If you set the Logon_user placeholder in those fields and the placeholder variable resolves to administrator, the software automatically changes the value to a random alphanumeric string of 10 characters.
d. Select Generate new security ID (SID) if you want to have a new security ID generated for each copy of the gue
262. r information on setting these preferences, see the Workstation User's Manual.
Installing ACE Instances on User Machines
The procedures for installing and uninstalling ACE instances from both Windows and Linux host computers are described in Chapter 11, Installing and Using VMware Player and ACE Instances on page 219. The flexibility and modularity of the ACE 2 instances allow you to install and uninstall ACE instances in new ways, as described in these topics:
- Installing Multiple ACE Instances on a Single User Machine on page 46
- Uninstalling Individual ACE Instances and Workstation ACE Edition on page 47
- Upgrading from VMware ACE 1.x to VMware ACE 2 on page 47
Installing Multiple ACE Instances on a Single User Machine
ACE 2 allows you or your ACE users to install multiple ACE instances on the same machine. This flexibility means that you and the ACE users can install and run ACE instances from different vendors, and that are governed by different policies, all on one system.
Uninstalling Individual ACE Instances and Workstation ACE Edition
ACE 2 allows you or ACE users to uninstall individual ACE instances and Workstation ACE Edition independently of each other. This flexibility enables ACE users to uninstall individual ACE
263. ral information on using the Player.
Starting VMware Player
To start VMware Player, double-click the ACE icon on the desktop or single-click an ACE instance in the Start menu. Depending on how the administrator has configured your ACE, you might be required to enter zero, one, or even two passwords when you run the instance for the first time. The various possibilities are:
- You don't have to enter any passwords, either at the first run of the instance or on subsequent runs.
- You must enter one password at the first run, and that password has been supplied to you by the administrator. On subsequent runs of the instance, you don't have to enter any passwords.
- You must enter one password at the first run, a password that you create. On subsequent runs of the instance, you have to enter that password.
- You must enter two passwords at the first run, both an administrator-supplied password and one that you create. On subsequent runs of the instance, you only have to enter the password that you created.
For any passwords, your administrator might require that you include numbers or punctuation marks, or that you mix capital and lowercase letters. The password dialog box shows what requirements your administrator has set.
If this ACE requires you to enter a user password and your system administrator has configured this ACE with password lockout settings, then an
264. requested name %s
MAC Address Pool Add requested UID %s name %s description %s range start %s range end %s
MAC Address Pool Remove requested UID %s name %s description %s range start %s range end %s last assigned MAC Address %s
[Table residue: columns eventCategory, eventCategoryName, eventLogLevel. Category names listed: N/A, Authentication, ACE Administration, Package Administration, Instance Administration, Policy Administration.]
ACE Server event logging contains an experimental tamper evidence f
265. require at least as many database connections available for its use. If the server runs out of database connections, the clients might start receiving connection errors. To ensure smooth operation of the server with an external database option, ensure that the server has a sufficient amount of database connections available for it. The maximum number of remote connections allowed to the database is a database configuration option; check your database manual for the information on how to configure it. You should configure at least as many connections as there could be parallel threads or processes in the Apache HTTP server running the ACE 2 Management Server component, or allow an unlimited number of connections. To find out how many parallel threads or processes your Apache server could start, inspect the Apache configuration file, looking for the prefork or MPM section. The number of allowed clients is the lower bound for the required number of database connections. You can either reduce this number or increase the number of the allowed remote connections in the database. As a rough guide, here is the location of the Apache configuration file per platform and the typical default number of connections:
- On the Windows platform: C:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf (250 client connections, WinNT MPM section)
- On the Linux (RHEL 4) platform: /etc/httpd/conf/httpd.conf (256 client connections
266. respectively, for details. For standalone ACE instances, you can use the vmware-acetool command-line program to fix those problems directly on the users' machines. See ACE Tools: vmware-acetool Command-Line Tool on page 236 for details. You can also use the hot fix feature to respond to these problems. For information on using the hot fix feature, see Setting Hot Fix Policies on page 160 and Responding to Hot Fix Requests on page 237. You might find it useful to modify the configuration of an ACE instance on a user's computer. You can do so if you have enabled the administrator mode (providing administrator access in VMware Player to the ACE instance on the user's machine) in that package. For information, see Setting Administrator Mode Policies on page 158.
Installing, Configuring, and Upgrading Workstation ACE Edition
For information about installing, uninstalling, and configuring Workstation ACE Edition on your workstation, as well as related installation, licensing, and upgrade topics, see:
- ACE Option Pack and ACE Client Licenses on page 43
- Setting Preferences for Workstation ACE Edition on page 46
- Installing ACE Instances on User Machines on page 46
- Upgrading from VMware ACE 1.x to VMware ACE 2 on page 47
ACE Option Pack and ACE Client Licenses
Many of the administrator features and controls of A
267. rieved and the ACE master cannot be opened. A server record for an ACE master might be unavailable for various reasons, including:
- The server address has changed.
- The record for the ACE master has somehow been deleted.
The solution to these problems is to assign the ACE master to a new server address. When you attempt to open an ACE master whose management server cannot be contacted, Workstation ACE Edition displays a message that tells you that the server cannot be contacted and asks whether you want to select a new server address. If the new address that you provide is simply the updated address for the original server (for example, the address obtained from DHCP servers has changed), then the ACE master's record will be intact in the new server location. If the original server is unavailable or the ACE master's record has been deleted, then when you open the ACE master, Workstation ACE Edition offers to create a new record for the ACE master. Some data that was contained in the original record is lost, such as access lists, key lists, and domain join passwords, because that data was maintained on the server.
To reassign an ACE master to a new server address:
1. When you see the message that prompts you to select a new server, select or type in a new server address and port. If the ACE master was using Active Directory, then you can only reassign it to a new management ser
268. rity of only policy scripts in the ACE Resources folder
- No verification
Select Verify the integrity of all files in the ACE Resources folder if you wish to protect against tampering with any resource files. Select Verify the integrity of policy scripts in the ACE Resources folder only if you wish to protect against tampering with any policy scripts that have been saved in ACE Resources. Select No verification if you do not want to verify that the resource files have not been tampered with.
NOTE: If you set the encryption package setting options to None, any verification specified in the resource signing policy will not be performed. The encryption package setting overrides the resource signing policy setting. See Encryption on page 186 for more information about that package setting.
If you are creating a package that has substantial resources (for example, an ISO image that is hundreds of megabytes in size) and are using many policy scripts, you might want to set the resource signing option to verify scripts only or no verification, because signature checking could take a long time.
Setting Network Access Policies
Network access policies give you fine-grained and flexible control over the network access you provide to users of your ACE instances. Using a packet filtering firewall, the network access feature of ACE 2 lets you s
269. rk them as deleted. Not all coordinates have to be present for all events. For instance, if a package expiration date update is logged, the instance UID field is not set, since all instances within the package will be affected. If the data in the log event is stored permanently elsewhere in the database and it is immutable, it is not duplicated in the log entry. For example, when a new policy gets published, we do not include the complete policy text in the log entry but rather reference its version number, so that the complete data of the event can be reconstructed from the PolicyDb_RuntimePolicy and PolicyDb_Access tables if necessary.
NOTE: ACE Server does not log sensitive data like passwords or encryption keys.
The event type code is associated with a lookup table, PolicyDb_EventType, which contains a text message template for each type of event, category, and log level of the event. The message may contain parameter placeholders (%s), in which case the message parameters field in the log entry will contain a tab-delimited list of values for these parameters. For example, an instance administration event with type 4110 will have the message:
4110 > Instance Set Guest Info requested IP address %s MAC address %s configuration message %s machine name %s configuration status %s
And the Message Parameters field will show:
10.17.0.3 00:0C:29:1A:2B:3C OK ACETest 0
The resulting parameters should replace the %s placehol
270. rmation about resource signing. When the script runs on the user's system, the script should print TRUE (power on) or FALSE (power off) and should conform to standard script exit code rules. The following is a sample power-on script:

    # VMware Sample Script
    #
    # Sample script for ACE power-on hook
    #
    # Description:
    #   This sample script implements a power-on hook for ACE. This can be
    #   used in addition to authentication to control the circumstances
    #   under which an ACE is allowed to run.
    #
    #   This script assumes that the username is defined in the environment
    #   variable TEST_USERNAME (a fictitious environment variable used for
    #   this sample) and returns TRUE if the user is allowed to run and
    #   FALSE otherwise.
    #
    # Input to script: None
    #
    # Returns:
    #   TRUE if username is on white list
    #   FALSE if username is not on white list or is undefined
    #
    # Expected output: One of the strings TRUE or FALSE

    use strict;
    use warnings;

    my @white_list = ("alan", "bob", "mary", "sonia", "chris");
    my $username = $ENV{TEST_USERNAME};

    # No username in the environment: deny power-on.
    if (!defined($username)) {
        print "FALSE";
        exit(0);
    }

    # Compare whole strings, so a partial name or a pattern character in
    # TEST_USERNAME cannot match a white list entry.
    my @grepNames = grep { $_ eq $username } @white_list;
    if (@grepNames == 1) {
        print "TRUE";
        exit(0);
    }

    print "FALSE";
    exit(0);

NOTE: Scripts can be in any language. A script provides Workstation ACE Edition with a command-line executable or a script file, for exampl
271. roximately 70MB
Supported Host Operating Systems
VMware Player is available for both Windows and Linux host operating systems.
Windows Host Operating Systems (32-Bit)
Workstation supports the following Windows 32-bit host operating systems:
- Windows Vista Enterprise Edition, Windows Vista Business Edition, Windows Vista Home Basic and Premium Editions, Windows Vista Ultimate Edition
- Windows Server 2003 Standard Edition SP1, Windows Server 2003 Web Edition SP1, Windows Server 2003 Small Business Edition SP1, Windows Server 2003 Enterprise Edition SP1, Windows Server 2003 R2 (listed versions are also supported with no service pack)
- Windows XP Home Edition SP1, SP2; Windows XP Professional SP1, SP2 (listed versions are also supported with no service pack)
- Windows 2000 Server SP3, SP4; Windows 2000 Professional SP3, SP4; Windows 2000 Advanced Server SP3, SP4
Windows Host Operating Systems (64-Bit)
- Windows Vista Enterprise Edition, Windows Vista Business Edition, Windows Vista Home Basic and Premium Editions, Windows Vista Ultimate Edition
- Windows Server 2003 x64 Edition SP1, Windows Server 2003 x64 Edition R2
- Windows XP Professional x64 Edition
A Web browser is required for the Help system.
Linux Host Operating Systems (32-Bit)
Supported distributions and kernels are listed below. Works
272. rt to Installed snapshot. The ACE instance has a Windows guest operating system installed, and the machine account password for the domain is periodically renewed by default. If the password has been renewed by the time the user reverts the ACE to the snapshot, the snapshot's password will be invalid and the login will fail.
Solution: To avoid this problem, ensure that the following security policy is enabled: Refuse machine account password changes. You can enable this policy on the ACE master (affecting all instances created from it) or on the primary domain controller. For details on how to change the policy, see these Microsoft articles:
- Local Security Policies: http://support.microsoft.com/kb/175468
- PDC Security Policies: http://technet2.microsoft.com/WindowsServer/en/library/bd36a5c9-e757-4658-9554-593bfa30f0761033.mspx?mfr=true
Problem: When you try to join an ACE master to a domain, domain validation or name resolution isn't working.
Description: Some ACE masters with certain network configurations might demonstrate these problems.
Solution: Consult the following Microsoft knowledge base article: http://support.microsoft.com/kb/314108
Problem: An ACE instance running under a Windows Vista guest operating system cannot join the local domain, and that instance customization failed with "NetDomainJoin function. Error: 1722. Could not join domain."
Description: ACE instances running in the Windows Vista op
273. ry in the file that reads Listen 443 and then change the port number to the desired port configuration. Locate the Virtual Server configuration for port 443. It starts with the line <VirtualHost _default_:443> and ends with the line </VirtualHost>. Change the port number in the section header to the desired port number (for example, to change to port 8443, change 443 to 8443). Save the file. Stop and start the Apache service. See Stopping and Starting the Apache Service Manually on page 83. The ACE 2 Management Server is now listening on the specified port.
NOTE: Port 8000 is used by the server for configuration, and port 8080 is used for the ACE 2 Management Server Appliance, so you cannot choose those ports.
When you create an ACE master, you can specify which port is to be used to talk to the ACE 2 Management Server.
Creating and Configuring ACE Masters
This chapter discusses how to create and configure ACE masters. Topics in this chapter are:
- Creating an ACE Master on page 89
- Creating a New ACE Master on page 90
- Cloning an ACE Master from an Existing ACE Master on page 97
- Cloning an ACE Master from an Existing Virtual Machine on page 98
- Networking ACE Instances on page 100
- ACE Master Settings on page 100
274. rypt and decrypt virtual machine files. The first time this script is run, the output is hashed to encrypt the virtual machine. When a virtual machine is decrypted, the script must return the same value. If the script returns a different value, the virtual machine is not decrypted and the user sees an error message. The script may return any value. To ensure best security, a value that includes only printable characters should be at least 32 bytes long. For binary data, the value should be at least 16 bytes long to ensure proper entropy.
What can I do with this script?
The script should do one of the following:
- If the user is to be granted access to the virtual machine, generate the data used to create the key for this user and send it as output. The data should be unique for each user.
- If the user is to be denied access to the virtual machine, the script should exit with a non-zero exit code. Note: This is a reference to the exit code, not the output value.
Where should the output of the script go?
The script should send its output to StdOut.
What should the exit code of the script be?
If access is granted, the exit code should be 0. If access is denied, the exit code should be nonzero. Note: This is a reference to the exit code, not the output value.
Sample Scripts
The following sections contain sample policy scripts. Sample Authenticat
275. s are reserved by Windows operating systems and are processed at a very low level. For example, if you press Ctrl+Alt+Delete while the running ACE instance has keyboard focus, the host system as well as the guest system acts on the entered command.
- Keyboard input is passed quickly through the operating system driver stack, and possibly through other low-level keyboard handlers, providing opportunities for malware to log keystrokes intended for an ACE instance.
- International keyboards or keyboards with extra keys might not be handled well.
The enhanced keyboard filter provides a new keyboard input path for Windows host systems. It processes raw keyboard input as soon as possible, bypassing Windows keystroke processing and any malware that's not already at a lower layer. For example, with the enhanced keyboard filter, Ctrl+Alt+Delete works in the guest system only if the instance has keyboard focus. The virtual machine settings editor has the enhanced keyboard filter option setting enabled by default. With that setting, the virtual machine or ACE instance runs in VMware Player with the enhanced option as long as the needed keyboard filter driver has been included in the virtual machine instance's files. If you enable this runtime preference policy, then an ACE instance created with this setting must use the enhanced keyboard filter option. If the driver is not available to the instance at power on, the instance will not run. Keyboard f
276. s associated with a package, such as Revert to Installed and Instance Customization settings. These settings cannot be changed after packaging. The only way to change package settings is to create a new package.
Pocket ACE: An ACE feature that allows the ACE administrator to distribute an ACE instance on a removable device such as a USB key, Apple iPod mobile digital device, or portable hard drive. The user of a Pocket ACE instance can plug the device into a host computer, run the instance, save data from the session and close it, and then unplug the device. The user can then take the instance to another host computer and use it in that new location.
Policy: A policy controls the capabilities of an ACE instance. Policies are set in the policy editor. See also Live copy of policies, Working copy of policies, and Publish.
Preview: An operating and viewing mode that an administrator can use to preview the ACE instance as it will run on the user's machine. The administrator can use this feature to see the effects of policy and configuration settings without having to go through the packaging and deployment steps. The preview mode displays the working copy of the policies. See also Working copy of policies.
Publish: To publish policies (applies only to managed ACE instances) is to make those policies part of the live copy of the policy set. Publishing copies the working copy of the polici
277. s for a Pocket ACE package vary slightly from those for the Full package. For information about the Pocket ACE package, see Creating an ACE Package for Portable Devices on page 212. The package settings and device settings that you already set for this ACE master allow you to create multiple packages quickly, because you can use those same settings over and over again. You don't have to set them for each individual package. You can deploy a package over a network or on DVD or CD. If you deploy the package on discs, the first disc of the set includes the autorun files needed to start the installer automatically when the user inserts the disc in the host computer's drive.
Package Validation
Package validation does the following:
- Checks that all files required by the ACE master are present. Those files include:
  - Disk snapshot files
  - Script files, if any policy is using scripts
  NOTE: Package validation does not check for device files (ISO images, flp images, and so on). To include device files in the package, put the files in the ACE Resources folder for the ACE master and set the devices to point to that location.
- Checks that the ACE master is cloneable: the master is powered off, multiple snapshots are enabled, and the master is not read-only.
- Checks that the latest version of VMware Tools is installed.
- If instance customization is enabled, checks that the SysprepTools directory for the ACE master's guest operating
278. s to Server: Applies only to managed ACE masters. A command that commits the changes you made in the working copy to the live copy.
Choosing a Test Option
Recommended test options: You can use Preview mode as a test option without having to install a package. Because Preview mode is available as part of the Workstation ACE Edition interface, and Workstation ACE Edition runs only on Windows hosts, you cannot use Preview mode to run ACE instances as they will run on Linux hosts. You also cannot test a host policy in Preview on your administrator machine. For ACE instances that will be deployed on Linux hosts, or for which you want to test a host policy, use one of the other test options (either pre- or post-deployment end-to-end testing, as applicable) rather than using Preview mode. The test option you choose depends on what you are deploying:
- If you are deploying minor policy changes, see Quick and Easy Test with Preview Mode on page 204.
- If you are deploying a new ACE package, see Pre-Deployment End-to-End Test on page 206.
- If you are deploying an updated ACE package, see Post-Deployment End-to-End Test on page 207.
Quick and Easy Test with Preview Mode
This subsection provides:
- Understanding Preview Mode on page 204
- Run a Quick and Easy Test in Preview Mode on page 205
Understanding Preview Mode
Preview mode allows you to run the ACE instance as it will run on the user's machine
279. se external database management and reporting tools. If your setup includes clustered ACE 2 Management Servers, you must use an external RDBMS as the backing store, because the SQLite database cannot be shared across processes running on multiple machines.
NOTE: The SQLite database is file-based and is not designed to be effectively shared across multiple processes. If you use third-party tools to access the database for a read operation, therefore, you cannot depend on transactional isolation of the pending write operations of the ASM.
About Database Backup
If you are using an external database, you can use the backup/recovery strategy that you have determined is appropriate for your database system.
CAUTION: We recommend that you back up your ACE 2 Management Server database on a regular basis to ensure that the database can be recovered promptly if needed.
If you are using the embedded database, you can use standard file backup tools such as ntbackup or dd. The data is stored in one of:
- On Windows servers: C:\Program Files\VMware\VMware ACE Management Server\db\acesc.bin
- On Linux servers: /var/lib/vmware/acesc/db/acesc.bin
If you are using the embedded database in a production environment Because SQLite is file-based, the database file could be modified by the ACE 2 Management Server process at the same time it is being copied for backup. Therefore, an inconsistent database snapshot potentially could be produc
280. server setup to an activation and tracking setup.
- Custom Packages: the particular package elements that you select.
If you chose a Custom package, the Package Contents page appears. Select the items to be included in the package and deselect any default-selected items that you do not want to have in the package.
[Screenshot: New Package Wizard, Select the Package Contents page, listing Virtual machine, ACE policies, Resources, Players (Windows Player, Linux 32-bit Player), and Installers (Windows Installer, Linux Installer), with the disk space required and available]
10. Select a package distribution format and then click Next.
NOTE: This page does not appear for any packages that are being deployed only to Linux host machines.
[Screenshot: New Package Wizard, Select the Package Distribution Format page, with options Single folder containing all created files and Multiple folders for creating DVDs or CDs, plus Size and Disc label prefix fields]
When you burn the discs for the package, you must label each disc with the same name as i
281. servers. The port assigned to that server appears in the Port box. Click Next. Select Don't use server if you do not want to have an ACE 2 Management Server manage the ACE instances created from this ACE master. NOTE: You can't change the ACE master at a later time from Use server to Don't use server, or the reverse. The ACE master will always be either managed or standalone. Click Next to continue. If you selected a server that is integrated with an Active Directory service, the Active Directory page appears. Select whether to use Active Directory with this ACE master. Then click Next. On the Ready to Complete page, click Next. The Cloning ACE Master page shows progress and then displays a success or failure message. Click Close to exit the wizard. Cloning an ACE Master from an Existing Virtual Machine: For detailed information about full and linked clones, see the Workstation User's Manual. To clone an ACE master from an existing virtual machine: 1 Choose File > New > ACE Master and select the Create an ACE master from an existing virtual machine option in the New ACE Master wizard, or, if you have already opened the virtual machine you want to clone, choose VM > Clone to ACE Master. The Welcome page of the Clone to ACE Master Wizard appears. Click Next. The Clone Source page appears. Under Clone from, select one of: The current state in the virtual machine; An existing snapshot powered off o
282. splayed FALSE player title suffix string mt Title bar suffix player title font face string MS Shell Name of font font Dlg must be on user's computer player title font size integer 32 Point size for the text. Package Settings: Package settings enable you to configure package characteristics, such as instance customization and encryption, and then apply those settings to as many packages as you choose. The ability to set these package characteristics and then apply them to every package you create saves you the time and effort required to set each of these details every time you create a package. Changes to package settings affect only packages created after the changes were made; they do not apply to existing packages. The following sections describe the package settings you can choose to apply to your ACE masters: Custom EULA on page 172; Instance Customization on page 172; Package Lifetime on page 185; Encryption on page 186; Deployment Platform on page 188. Specific information about how to join an ACE instance to a remote domain, a procedure that requires you to set particular parameters in the instance customization package settings, is provided under Setting Up a Remote Domain Join on page 188. Some troubleshooting tips about DNS setup issues appear at the end of the chapter: Troubleshooting Setup Issues on page 190.
283. ssword attempts has been reached. Also specify the amount of time, in seconds, that the user must wait before making another attempt to log in. To set a recovery key: You can specify the key to be used for access to encrypted ACE instances. If you specify password protection for an ACE master and want to be able to reset the password for a deployed ACE instance from that master, you must specify a recovery key before you create the package that includes the virtual machine. a Click Set recovery key. The Recovery Key dialog box appears. b In the Recovery Key dialog box, select Use recovery key to configure a recovery key. c To use an existing PEM-format key pair, click Browse for Existing Key to navigate to the public key of the pair you want to use. To create a new PEM-format key pair, click Create New Recovery Key. The Create New Recovery Key dialog box appears. d Enter a name and location for the key pair. e Ent
284. st computers. You cannot allocate more than 2GB of memory to an ACE master if the ACE master's files are stored on a file system, such as FAT32, that does not support files greater than 2GB. Click Next to continue. Configure the networking capabilities of the ACE master. If the package is to be installed on a host computer that is on a network and a separate IP address is available for the ACE instance deployed from the ACE master (or it can get one automatically from a DHCP server), select Use bridged networking. This setting is most likely to be appropriate if the package is to be installed on a computer connected to an office network. If the package is to be installed where no separate IP address is available for the ACE instance but the ACE instance must be able to connect to the Internet, select Use network address translation (NAT). NAT also allows the user to share files between the ACE instance and the host operating system. For more details about networking options, see the Workstation User's Manual. Click Next to continue. If you selected Typical as your configuration path, skip to Step 14. If you selected Custom as your configuration path, continue with the steps below to configure a disk for the ACE master. Select the type of SCSI adapter you want to use with the ACE master. An IDE adapter and a SCSI adapter are installed in the ACE master. You do not need to make any
285. st-only networking: A type of network connection between an ACE instance and the host. Under host-only networking, an ACE instance is connected to the host on a private network, which normally is not visible outside the host. Multiple virtual machines configured with host-only networking on the same host are on the same network. See also Bridged networking and Network address translation (NAT). Host operating system: An operating system that runs on the host machine. See also Guest operating system. Hot fix: An installable file that resets a user's password, renews an expired virtual machine, or allows a copy-protected virtual machine to run from a new location. Instance customization: The act of customizing an ACE instance, thus making it unique from all other instances. The instance customization process automates the actions of the Microsoft sysprep utility. It also provides the ACE administrator with features needed to set up an automated remote domain join process of the ACE instance to a company VPN network. Live copy of policies: The currently deployed policy set. The active ACE instances on the ACE users' machines use this set. Managed ACE instance: An ACE instance that is managed by an ACE 2 Management Server. See also ACE 2 Management Server. Network address translation (NAT): A type of network connection that allows you to connect your ACE instances to an external network when you have only one IP network a
286. st operating system. NOTE: A new SID is always generated for Windows Vista guest operating systems, regardless of the setting you choose here in the package settings editor. Select Sync the guest time zone with the host time zone if you want to have that synchronization take place automatically. [Screenshot: instance customization page showing the System options, Security ID, and Host time zone settings] On the Initialization Scripts page, type the additional commands to run scripts in the guest operating system at the end of the Mini-Setup process on the ACE user's machine. See the Microsoft deployment tools documentation for information about additional commands. CAUTION: Specify the path to the batch file without using quotation marks. The quotation marks will be added automatically
287. station 6 and entering an ACE Option Pack key. ACE instances: The virtual machines that ACE administrators create, associate to virtual rights management (VRM) policies, and then package for deployment to users. In short form, an ACE instance is an ACE. ACE 2 Management Server: A server that can optionally be installed and used by the ACE administrator for activating and tracking ACE instances and for hosting dynamic policies for ACE instances. ACE master: A virtual machine template created by the ACE administrator. The master can be configured with various policies and devices and package settings, and then used as the basis for creating any number of packages to be sent to ACE users. Package: An installable bundle for distribution to users. There are several different types of packages an ACE administrator can create, including a full package, Pocket ACE package, policy update package, server update package, and custom package. A full package includes an ACE master configuration file, virtual disk files, policies, package installer, and Resources files for the ACE master. It also includes the virtual runtime environment (VMware Player application) used to run ACE instances. The other package types have a subset of these components. Managed ACE instance: An ACE instance that is managed by an ACE 2 Management Server. Standalone ACE instance: An ACE instance that is not managed
288. station ACE Edition. Viewing the Summary for an ACE Master: To view a full summary of an ACE master, click the name of the ACE master in the sidebar. The summary shows all the details about the ACE master, as shown in the following screenshot. [Screenshot: summary view of the Windows XP Professional with ACE master, showing the Commands, Policies, Package Settings, Notes, and Package History sections]
289. stem DSN and not a User DSN. If you were to create a User DSN, it would be visible only to your user account. The ACE 2 Management Server runs under the local system account, so a User DSN would not be visible to, and therefore not usable by, the server. For Windows-based systems: Using the ODBC Data Sources plug-in (Control Panel > Administrative Tools > Data Sources (ODBC)), create a System DSN entry for connecting to this database using the proper driver (refer to your operating system and database documentation). If the DSN Setup wizard provides this option, test the connection to verify that it is working with the database user credentials. NOTE: If your ACE 2 Management Server is running on a 64-bit Windows host system, do not use the default Control Panel plug-in to create the DSN. Using that default plug-in will result in your creating a DSN for a 64-bit subsystem, and that DSN will not be visible to the ACE 2 Management Server. Instead, navigate to %WINDIR%\syswow64\odbcad32.exe and use that program to create a DSN for a 32-bit subsystem. For Linux-based systems: You must have the unixODBC rpm package installed on your Linux system for the external database option to be available in the ACE 2 Management Server Setup Web application. The unixODBC package provides an ODBC API to programs running on Linux systems that is similar to the Windows ODBC API. The package contains the libodbc shared library providing the O
290. ster. Before you begin using the wizard, review the topics under Setting Up a New Virtual Machine in the Workstation User's Manual. The subsections there under Before You Begin describe considerations for making configuration choices, particularly for the custom configuration. These subsections describe, for example, what to consider when choosing a guest operating system. They provide information about the issues involved so that you can determine which choices you want to make before running the wizard. To create a new ACE master: 1 Click File > New > ACE Master. Click Next on the Welcome page. The Use New or Existing Virtual Machine page appears. 2 Select whether you want to create a completely new ACE master, an ACE master optimized for Pocket ACE, or an ACE master cloned from an existing virtual machine. If you select Create a new ACE master and click Next, the Configuration page appears. If you select Create a new ACE master optimized for Pocket ACE, the Select a Guest Operating System page appears. Proceed to Step 5 if you selected the Pocket ACE option. NOTE: Choose the Create a new ACE master optimized for Pocket ACE option if you intend to use this ACE master as a Pocket ACE and store it on a portable device. This option chooses appropriate values for the virtual machine configuration, policies, and package settings so that the ACE
291. strator changes of per-instance expiration, changes of instance guest or host OS information, and setting instance custom fields. The debug level can be used to log the most ubiquitous traffic: policy update requests from active instances. Failed instance verifications are only logged at the debug level. Authentication: Logs events for every authentication request: administration or helpdesk authentication attempts at the normal level, instance authentication at the informational level, and remote LDAP password change. You might want to set logging for this category to as minimal a level as is practical for you; otherwise, this category can generate a large volume of entries. b Set the detail level individually for each of the logs. The detail levels are: None: No log entry will be made for this event. Critical: The log will provide entries for the critical category of events, which are those having broad and critical effects, for example, an event that would remove all packages, instances, and policies associated with an ACE master. Normal: The amount of information given in the entry will be sufficient to answer most queries. Informative: The log will provide entries for nondestructive events that have limited effect. Debug: The log will provide entries for every client access of the server. It will provide more records of certain event types, creating potentially orders of magnitude
292. t Custom Field requested for field s new value 5 Instance Set All Custom Fields requested values 5 yas Yes os Ys Yes Mos Yes Mos Mos Set Custom Instance Field Name requested for field s new value s Instance Set Password requested value werrre Instance Change Password requested new value eee Instance Set Guest Info requested IP address s MAC address s configuration message 5 machine name 5 configuration status s Instance Set Host Info requested IP address s machine name 5 Instance Set Expiration requested inherit from ACE s enable expiration s start date s end date s Instance Set Copy Protection ID requested MAC Address For a New Instance requested returned address s Instance Clear Custom Field s for all instances requested Instance Delete requested Policy administration related handler invoked Access Control add requested identity type s name s details 5 Access Control remove requested found Access Control abject with identity type s name ths details Qs Update Working Policy version s requested Publish Working Policy version s requested Add User Data For Ace requested name s value type 5 Add User Data For Package requested name s value type 5 Remove User Data For Ace requested name s Remove User Data For Package
293. t Logs on page 83; Stopping and Starting the Apache Service Manually on page 83; Logging On to the ACE 2 Management Server on page 84; Using the ACE 2 Management Server on page 85; Unblocking Port Traffic and Changing Port Assignments on page 85. ACE 2 Management Server Setup Options: To set up an ACE 2 Management Server, you can choose any of the following options. If you set up multiple ACE 2 Management Servers, they must all be the same type. Install the server on a Windows host system. See page 54 for a list of supported Windows host systems. Install the server on a Linux host system. See page 54 for a list of supported Windows host systems. Download and configure the ACE 2 Management Server Appliance. See System Requirements for the ACE 2 Management Server, the next topic, for basic information about this option. You can download the ACE 2 Management Server appliance from the ACE 2 page and configure it as your ACE 2 Management Server. A virtual appliance is a pre-built, pre-configured, and ready-to-run software application packaged with the operating system inside a virtual machine. The ACE 2 Management Server Appliance is a self-contained, pre-installed, pre-configured ACE 2 Management Server packaged with a small operating system in a virtual machine. By default, the appliance attempts to configure its network by using DHCP. You can optionally configure the network
294. t Server rpm: curl, openldap, openssl, apache, gdbm. You must have these packages installed on your RHEL4 or SLES9 system before you install the ACE 2 Management Server. If you are going to use the external database option, then the following packages are dependencies as well: For RHEL4: unixODBC. For SLES9: unixODBC, as well as unixODBC-gui-qt if you want to use the X11 graphical configuration tool. To install the ACE 2 Management Server on a Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 system: 1 Run the appropriate rpm installer for the ACE 2 Management Server: vmware ace management server <build_number> i386 rhel4 rpm, or vmware ace management server <build_number> i386 sles9 rpm. For an SLES9 server, ensure that the LDAP module mod_ldap has been configured for loading: a Using a text editor, open this file: /etc/sysconfig/apache2. b Add the config option ldap to the variable APACHE_MODULES. c Save and close the file. Now continue with Configuring the ACE 2 Management Server. Installing the ACE 2 Management Server Appliance: To install the ACE 2 Management Server Appliance: 1 Download the zipped file for the appliance from the ACE 2 release download page: VMware ACE Management Server Appliance 2 0 0 <NNNNN> zip, where <NNNNN> is the ACE build number. Extr
295. t behavior in the Preferences dialog box (Player > Preferences). You can specify the following: Confirm before exiting the application: If selected, when you give the command to exit VMware Player, a dialog box appears. You can confirm the intention to exit VMware Player or click Cancel to continue using VMware Player. Suspend the virtual machine when exiting: If selected, VMware Player suspends the ACE and closes. The next time you launch VMware Player, the ACE resumes operation from the point where it was suspended. Power off the virtual machine when exiting: If selected, VMware Player powers off the ACE. The next time you launch VMware Player, the ACE starts from a powered-off state and the guest operating system boots. Enlarging VMware Player to Fill the Screen: Click the maximize button on the VMware Player window to run your ACE in full screen mode. The desktop expands to fill the full screen, leaving a small toolbar visible at the top of the screen. After a few seconds with no use, the toolbar disappears if it is unpinned. To make it visible again, move the mouse pointer to the top edge of the screen. To pin the toolbar so it is always visible, click the pushpin on the toolbar. To release the toolbar so it can hide again, click the pushpin a second time. To reduce the VMware Player display so it is running in a window again, click the restore button on
296. t computer to host computer, see Chapter 10, Pocket ACE, on page 211. You or the user can delete single or multiple ACE instances while leaving other ACE instances on the same machine intact. Updated Policy and Package Settings: Enhancements to the policies and package settings you can apply, and the ways in which you can update policies, make it easier for you to secure and manage your ACE deployments. All policies are dynamic. Updated policies and package settings include: Network access: These policies give you fine-grained and flexible control over the network access you provide to users of your ACE instances. Using a packet filtering firewall, the network access feature of ACE 2 lets you specify exactly which machines or subnets an ACE instance or its host system may access. This means that you can, for example, configure the instance so it is allowed to connect only to your VPN server, which then controls access to other resources. You can also customize the network access settings to filter on the basis of network addresses, traffic direction, protocol, and ports. Access control: The new activation policy, one of the access control policies along with authentication, allows you to determine who can activate an ACE instance after the ACE package has been installed, giving you finer control over your ACE instances. Policy update frequency: This policy allows you to specify how long the managed ACE instances created from
297. tance Customization Enabled; Specifying Additional License Information for Windows Server Products; Next Steps for Instance Customization; How ACE Instance Customization Completes on the ACE User's Machine; Package Lifetime; Encryption; Deployment Platform; Setting Up a Remote Domain Join; Troubleshooting Setup Issues. 8 Creating Packages and Deploying Them to Users: Reviewing the Configuration of the ACE Master and Installing Software; Review Policies; Review Package Settings; Review Virtual Machine Settings; Installing an Operating System, Applications, and VMware Tools in the ACE Master; Creating a Package; Overview of Package Creation; Package Validation; Steps for Creating a Package; Viewing Package Properties; Deploying Packages. 9 Preview Save Test Publish: Understanding Test Terminology; Choosing a Test Option; Quick and Easy Test with Preview Mode; Understanding Preview Mode; Run a Quick and Easy Test in Preview Mode; Pre-Deployment End-to-End Test; Post-Deployment End-to-End Test. 10 Pocket ACE: Portable Devices Requirements; Space Requirements for Your Pocket ACE; Creating an ACE Package for Portable Devices; Policies and Package Settings That Do Not Apply to Pocket ACEs; Steps for Creating a Pocket ACE Package; Deploying the ACE Package on a Portable Device; Running
298. tance problems, such as reactivating an instance, changing the instance's expiration date, or resetting the user password if the user has lost or forgotten it. To set up a password for help desk assistants: Open the ACE 2 Management Server Setup Web application (see Using the ACE 2 Management Server Setup Application on page 76 for details) and choose Enable Help Desk Role on the Security tab. Type in a help desk password and confirm the password. To access the Help Desk application: On Windows: Choose Start > All Programs > VMware > VMware ACE Management Server. Click the Help Desk link on the page. On Linux: Open a browser and point it to https://<hostname>:8000. Click the Help Desk link on the page. The VMware Help Desk opens to the Instances page, which contains a summary table of all the instances managed by that server. The Instances Page: On the Instances page you can: Set Up Queries to Search for Instances on page 240; Reactivate/Deactivate an Instance on page 241; Reset Expiration Dates by Clicking Reactivate on page 241; Sort Instances by Column Heading on page 241; Access the Instance Details Page on page 242. To navigate through the Instances page, click the previous and next arrows at the right of the status bar at the bottom of the Instances table. The indicator at the left edge of the status bar displays which instances of the total number
299. tation might not run on systems that do not meet these requirements NOTE As newer Linux kernels and distributions are released VMware modifies and tests its products for stability and reliability on those host platforms VMware makes every effort to add support for new kernels and distributions in a timely manner but until a kernel or distribution is added to the list below its use with VMware products is not supported Look for newer prebuilt modules in the download area of the VMware Web site Go to www vmware com download Mandriva Linux 2006 and 2007 Mandriva Corporate Desktop 4 0 Mandriva Corporate Server 4 0 Mandrake Linux 10 1 Mandrake Linux 9 0 stock 2 4 19 Red Hat Enterprise Linux 5 0 Red Hat Enterprise Linux WS 4 5 Red Hat Enterprise Linux AS 4 0 updates 1 2 3 4 Red Hat Enterprise Linux ES 4 0 updates 1 2 3 4 Red Hat Enterprise Linux WS 4 0 updates 1 2 3 4 Red Hat Enterprise Linux AS 3 0 updates 1 2 3 4 5 6 7 8 Red Hat Enterprise Linux ES 3 0 updates 1 2 3 4 5 6 7 8 Red Hat Enterprise Linux WS 3 0 updates 1 2 3 4 5 6 7 8 Red Hat Enterprise Linux 2 1 stock 2 4 9 e3 Red Hat Linux 9 0 stock 2 4 20 8 upgrade 2 4 20 20 9 Red Hat Linux 8 0 stock 2 4 18 Red Hat Linux 7 3 stock 2 4 18 Red Hat Linux 7 2 stock 2 4 7 10 upgrade 2 4 9 7 upgrade 2 4 9 13 upgrade 2 4 9 21 upgrade 2 4 9 31 Red Hat Linux 7 1 stock 2 4 2 2 upgrade 2 4 3 12 Red Hat Linux
300. te file. Rename to Ldap.crt. Use the ACE 2 Management Server configuration Web application to upload the files. See Step 4 on page 80 under Configuring the ACE 2 Management Server. Stop and restart the Apache service. See Stopping and Starting the Apache Service Manually on page 83. To update any existing ACE masters to use a new certificate and key file: 1 Open the ACE master. 2 Create an update package. The package will contain the new certificate file and certificate chain. Configuring Multiple ACE 2 Management Servers to Use SSL: The following describes various scenarios in which you might configure multiple ACE 2 Management Servers to use SSL. Multiple servers behind one or more proxy servers: Each server can have its own SSL key/certificate (ACE 2 Management Server and proxy server). The cert_chain file must contain the certificate file and verification chain for the SSL certificates being used by the proxy servers. Place this cert_chain file in each of the ACE 2 Management Servers. Follow instructions above on how to do that. In the case of self-signed certificates being used, the actual certificate is the verification chain, so the chain file would contain each self-signed certificate being used by the proxies. It is also possible to use the same key/certificate for every server and proxy. In this case it
301. tection ID field is always active, so you can change the ID whenever you want. If you enter a change in the Copy Protection ID box for an active instance, a warning appears to let you know that if you change the ID, the original instance will no longer run. Custom Details View: The Custom details view shows values for any custom columns that you have created. To specify values for custom columns: 1 In the Instance View table, click the row for the instance that has custom columns for which you need to set values. 2 Click the Details icon. 3 In the Details view, click the Custom tab. 4 Type a string value for each custom column in the appropriate text box. There are no character or format restrictions on your entries. You can even leave the fields empty. 5 When you have finished adding and editing values, click OK. Using the Connect to ACE 2 Management Server Command to Open an Instance View: To open the Instance View for a particular ACE 2 Management Server, you can click the server in the list of Recent ACE 2 Management Servers in the Sidebar of the Workstation ACE Edition interface. If the server you want does not appear in the list, choose File > Connect to ACE Management Server. Enter the server address and port number in the dialog box and click OK. In addition to using the Connect to ACE 2 Management Server command to open a server connection, you can open the conn
302. ter Wizard. Cloning an ACE Master from an Existing ACE Master: For detailed information about full and linked clones, see the Workstation User's Manual. To clone an ACE master from an existing ACE master: 1 Choose File > Open to navigate to and open the ACE master you want to clone, and then choose ACE > Clone. The Welcome page of the Clone ACE Master Wizard appears. Click Next. The Clone Source page appears. Under Clone from, select one of: The current state in the virtual machine; An existing snapshot (powered off only). Click Next. On the Clone Type page, select Create a linked clone or Create a full clone. Click Next. Select a name and folder for the ACE master in the Name of the New ACE Master page. Each ACE master should have its own folder. All associated files, such as the configuration file and the disk file, are placed in this folder. The default folder for this Windows XP Professional ACE master is C:\Documents and Settings\<username>\My Documents\My Virtual Machines\Windows XP Professional. On the ACE Management Server page, choose whether you want to use the ACE 2 Management Server to manage the instances created from this ACE master. Select Use server to have an ACE 2 Management Server manage the instances created from this ACE master. Then enter the server name and port, or choose the server from the dropdown list of previously chosen
303. tgreSQL 7.4 or higher. Web Browsers: One of the following Web browsers is required for ACE 2 Management Server configuration, as well as for configuration of the ACE 2 Management Server Appliance if you choose that server option: The Mozilla Firefox 1 52 or higher Web browser; Internet Explorer 6.0 or higher Web browser. NOTE: Make sure that TLS is enabled on your browser. Features of the ACE 2 Management Server: The ACE 2 Management Server has the following features: Scalability and reliability: You can increase capacity by adding network resources, such as load balancers and extra server hardware. For single-server, small-size to medium-size deployments, the default embedded backing store provides a simple and efficient database solution. To scale the ACE 2 Management Server for large deployments, you can configure and use an external RDBMS. Server requests are handled by multithreaded processes with the Windows operating system and by multiple processes in Linux operating systems. If one process dies, another takes over. Active Directory Integration: You can use Active Directory to authenticate users of ACE instances. No schema change for your existing Active Directory is required. LDAP is used to access Active Directory. Information about Windows domain user account states is provided in clear and useful messages
304. th the server. The VMware Player application does not use any certificates stored in the host system, because their integrity cannot be verified. NOTE: ACE 2 Management Server only supports public key certificates that have been signed using the SHA1 algorithm. Any other algorithms will result in an error when the ACE is deployed. Because the Player does not trust any certificates stored on the host machine that it is running on, and instead relies on a complete certification chain that is included in the ACE package, the use of self-signed certificates is adequate for most security needs. If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or commercial), you can set up that type of key/certificate pair for the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs public key certificates, typically for a fee. See "Setting Up Your Own Self-Signed Certificates, Third-Party Signed Certificates, or Certificates from an Internal Certificate Authority" below for details. Setting Up Your Own Self-Signed Certificates, Third-Party Signed Certificates, or Certificates from an Internal Certificate Authority: If you want to use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), you must provide the various needed certificate, key, and, in the case of CAs, certificate chain files
305. that this action is not allowed. The message also lists an alphanumeric string for the user to send to the system administrator or help desk assistant if the user wishes to request permission to move or copy the instance. Administrators and help desk assistants can then reset the copy protection ID if they choose, allowing the moved or copied instance to be run. The administrator can apply this change in the Instance View in Workstation ACE Edition, and the administrator or help desk assistant can apply this change from the Help Desk Web application. See Chapter 12, "Instance View," on page 245 or "Using the VMware Help Desk Web Application" on page 239, respectively, for details about these two options. Setting Resource Signing Policies: You can set the resource signing policy so that an ACE instance cannot be run if resource files, such as policy scripts or custom EULA text files, have been tampered with. A resource for these cases is any file that is in the ACE Resources directory during packaging. Files that are put in this directory on the user's machine are not resources in this sense and are not signature checked. Signature checking is performed on the user's machine at power-on and then every time a script is run. Resource signing (policy page text): Ensure that resources distributed with instances of this ACE master are not tampered with. Options: Verify the integrity of all files in the ACE Resources folder; Verify the integ
306. the Initialization Scripts page, specify a VPN connect script to a list of scripts to be run after Mini-Setup is complete. NOTE: You can take advantage of a password placeholder variable (password) by entering it in the Password field under Remote Domain Join. The placeholder variable is resolved and replaced with the actual value when the script executes. See Step 6 on page 179 for details about these package settings. After you have saved the package settings, you create a package. See "Packaging with Instance Customization Enabled" on page 182 for details. Then you deploy the package. After the package has been installed on the ACE user's machine and the ACE instance has been activated and authenticated, the Microsoft Mini-Setup process runs. The script for joining the remote ACE instance to the domain executes at the end of that process, and the machine is joined to the domain. Troubleshooting Setup Issues: If you or your ACE users have problems with logging back into a domain after invoking the Revert to Installed snapshot, or with domain validation and name resolution, see if the following descriptions and resolutions are applicable to those problems. Problem: The ACE user can't log the ACE instance back into a domain after the Revert to Installed snapshot has been invoked. Description: An ACE instance has been configured both to log into a domain and to use the Reve
307. the expiration dates for an expired instance by selecting the instance row, clicking Reactivate, resetting the expiration dates in the dialog box, and clicking OK. Sort Instances by Column Heading: You can re-order the instances in the table and change column widths as follows. Re-order the list alphabetically or numerically, depending on the selected column's contents, in ascending or descending order: click to the right of the column heading that you want to sort the column. Click again to re-sort in the opposite (ascending or descending) order. Re-size column width by clicking on a column divider and dragging the column edge to a new width. Access the Instance Details Page: To access the details page for an instance, double-click the instance row. You can also select the row and click the Details icon in the upper left of the Instances page. The Instance Details Page: On the Instance Details page, you can: View Details for the Instance; Reactivate/Deactivate an Instance; Reset the Instance Expiration Date; Change the Copy Protection ID; Reset the Password; View Network Access Details. View Details for the Instance: The general details for the instance appear at the top of the Instance Details page. The rest of the page provides details about any instance customization results, the guest MAC address, and the various policy settings. Removable devices sho
308. the virtual machine settings editor (for Windows host systems only), snapshots, and vmware-acetool. [Checkbox: Enable administrator mode] To use these features, select Enable administrator mode in this policy. To edit the virtual machine settings or use snapshot commands not available to the user on the ACE user's machine, select VMware Player > Troubleshoot > Enter Administrator Mode. Enter and confirm the password to be used for administrator access. Then choose the appropriate commands as follows: To edit virtual machine settings from the user's machine (on Windows systems only), select VMware Player > Troubleshoot > Virtual Machine Settings. To use the user snapshot commands, select them from the Snapshot menu (VMware Player > Snapshot). To use the reimage snapshot commands, select them from the Troubleshoot menu (VMware Player > Troubleshoot). When you are finished resetting the virtual machine settings or using the snapshot commands, select VMware Player > Troubleshoot > Exit Administrator Mode. For detailed information about using the ACE Tools, see "ACE Tools: vmware-acetool Command-Line Tool" on page 236. Setting Hot Fix Policies: You can use the hot fix policy to specify that users can request hot fixes for specific problems. NOTE: Hot fixes can be used only with standalone ACE instances. You can use the Help Desk Web appl
309. ting package type 196 server name setting for ACE Management Server 65 setting correct time on Pocket ACE host computers 217 policies for an ACE instance 106 preferences for Workstation ACE Edition 46 preferences in VMware Player 230 server name for ACE Management Server 65 VMware Inc setting up a Workstation ACE Edition machine 32 ACE master configuration 191 packages 192 size virtual disk 95 snapshot defined 270 of an ACE instance 243 policies 156 reimage reverting to 234 software recommendations for VMware ACE 2 22 software installing in ACE master 192 sort instances 241 space needed for Pocket ACE 212 SQLite database for ACE Management server 57 SSL certification using 59 SSL protocol using 59 standalone ACE instance defined 270 starting VMware Player 226 stopping and starting the Apache service manually 83 stopping VMware Player 227 summary view of ACE master 37 suspend defined 271 suspending an ACE instance 243 Sysprep deployment tools See Microsoft Sysprep deployment tools system options in instance customization package settings 178 T technical support resources 12 testing a package 203 testing package post deployment 207 pre deployment 206 VMware Inc Index time zones syncing guest with host in instance customization package settings 178 tools See VMware Tools troubleshooting Help Desk Web application 239 requesting a hot fix 232 responding t
310. tion authenticated, upload the file that contains the CA certificate or certificates required to verify the certificate for the LDAP server. d. Click Upload certificates. e. Verify that the summary page shows that the correct files have been uploaded. If you upload an invalid certificate file, the server setup application fails when you click Apply and then Restart, and you won't be able to restart the Apache service. To fix this problem, restore the backup certificate file for the corresponding certificate. The backup certificate files are in the following format: <certificate_filename> <date> <time>, where <certificate_filename> is one of: server.crt for the server public certificate; server.key for the server private key; chain.crt for the certificate chain; ldap.crt for the LDAP certificate. <date> is in the format YYYYMMDD (year, month, day). <time> is in the format HHMMSS (hours, minutes, seconds). The backup files are in the ACE 2 Management Server directory with the filename appended with the date and time, for example server.crt 20070216 095344. Save the file in the correct location as ssl <filename>.crt. Then restart the Apache server manually to complete the restoration process and to bring up the VMware ACE 2 Management Server Setup Web application again and continue the configuration
311. to use your company's own management or reporting tools or automated scripts with the data in the VRM database, see Appendix, "Using the VMware ACE 2 Management Server Database Schema and Querying the Audit Event Log Data," which describes the schema for the database. Using SSL Certification and Protocol: NOTE: The ACE 2 Management Server and LDAP server must be configured to use SSL. For more information on configuring ACE 2 Management Server to use SSL, see "Configuring Multiple ACE 2 Management Servers to Use SSL" on page 63. For more information on configuring LDAP, see "Using Active Directory Integration Using LDAP" on page 70. By default, the ACE 2 Management Server uses the SSL protocol to provide encrypted, secure communications. The server connects to its managed instances using SSL. If the server is integrated with an Active Directory service, it communicates with the service through an SSL-protected link. The SSL (Secure Sockets Layer) protocol was developed by Netscape Communications Corporation to be used for secure document transmission over the Internet. SSL encrypts data through the use of a public key/private key pair: the public key is known to everyone, and the private key is known only to the message recipient. URLs that require an SSL connection start with https. The following is a description of how the ACE 2 Management Server uses SSL. At ACE
312. [Figure residue: database schema diagram showing PolicyDb_Ace and related tables with their columns; layout not recoverable.] The following is the Database Schema script:

-- Name/value pairs of service information (e.g. DB schema version number)
CREATE TABLE PolicyDb_MetaInfo (
    name VARCHAR(128), -- Name of the name/value pair
    value VARCHAR(1024), -- Value of the name/value pair
    PRIMARY KEY (name)
);

-- This table holds data for guest and host policy sets split in 2K chunks.
-- Select all fields for the key in the order of index and append strings
-- together to reconstruct the policy set.
CREATE TABLE PolicyDb_LongField (
    longFieldKey VARCHAR(128), -- Unique ID of the long field series
    longFieldIndex INTEGER, -- Index in the series
    longFieldvalue VARCHAR(2000), -- Up to 2000 chars of field value chunk
    sessionExpires VARCHAR(21), -- Optional field for storing session blob
    PRIMARY KEY (longFieldKey, longFieldIndex)
);

-- ACE Master data
CREATE TABLE PolicyDb_Ace (
    aceUID VARCHAR(128), -- Unique ID (primary key)
    aceName VARCHAR(128), -- Name of this ace
    activePolicySetVersion INTEGER NOT NULL, -- Soft foreign key t
313. trade-offs between using shorter and longer lists of conditions. If you use a longer list, you minimize the chances of a false positive or a misidentification. Minimizing the chance of a false positive or a misidentification can be important if you are providing an ACE package to someone who connects a host computer to multiple networks at different times. If one of the other networks matches the characteristics you define in the zone definition, the host and instance access policies are applied even if the host is not connected to your network. In some cases, however, using a longer list might also increase the likelihood that a user could circumvent the detection mechanism (for example, switching the host to use static IP instead of DHCP and configuring the host with only a subset of the characteristics defined for your zone, for example, only Network address, or Network address and DNS server information). Another point to consider is that the addresses or names of certain servers can change over time. Such changes can also introduce detection issues. Using a smaller set of information (for example, using only the network address and the subnet mask in a zone description) lessens the chance that the detection mechanism fails to restrict a host or guest that should be restricted, but it also increases the chance that a false positive or misidentification can occur. Such false positives are especially likely if your network is using a common
314. trator machine (the one on which you're running Workstation ACE Edition) is on the same domain as the one that the ACE 2 Management Server is configured to interoperate with. If it is not, you won't be able to add users. To remove a user or group from the list, select the entry in the User or Group Domain table and click Remove. Active Directory Password Change Proxying: NOTE: Password change proxy is only enabled if the Active Directory is using LDAP over SSL. You can provide additional security for your ACE instances by integrating with Active Directory. You can specify password expiration and change requirements: set up the domain to expire passwords and require password changes periodically. These settings are in addition to ACE access control policy settings. In cases in which Active Directory users need to change their passwords, you can configure the ACE 2 Management Server as an Active Directory password change proxy. In this mode, the ACE 2 Management Server makes the password change request to the Active Directory domain controller on the user's behalf. Allowances: Under Allowances, in Total number of activations, choose how many instances can be activated from this package: Unlimited; Maximum of (type the number or choose it from the drop-down list). By default, users can activate one instance per ACE package. Select Allow multiple activations per user to allow individual users to activate more than one inst
315. ts disc folder (DISC1, DISC2, etc.). If you plan to distribute the package through network distribution, select Network image. Then click Next. If you plan to distribute the package on CD or DVD, select Multiple folders for creating DVDs or CDs. When you select the multiple files option, you must choose the type of media you plan to use. If you choose DVD or CD, the default media size for a standard disc is shown. If you choose Custom, you can set the maximum file size (must be at least 10MB) for the media you plan to use. When the New Package Wizard creates the package, it divides the package into sets of files small enough to fit on the media you choose in this step. The default disc label prefix is shown. You can change it if you wish. When files are created for each disc, they are saved into folders named with this prefix plus a number, beginning with 1. The labels must include this prefix. If you use multiple discs, ensure that the disc label you enter in your disc burning software for each disc is the same as the name of the folder the wizard creates to hold that disc's contents (for example, DISC1, DISC2). NOTE: When the New Package Wizard creates a package, it needs a substantial amount of working space for temporary files. The total is about twice the combined sizes of all the components of the package. The wizard displays information about the amount of space needed and the locations where the space is needed. If you do not hav
316. ts in the installation wizard. CAUTION: On the Server Information page in the wizard, ensure that the server name you use matches the name of the machine on which you are installing the ACE 2 Management Server. If you set the server name to something other than this, you will not be able to log in to the ACE 2 Management Server after you finish the installation, and ACE instances might have trouble making required connections to the server during activation. NOTE: If you are installing the server on a host computer that has a firewall enabled, you might see a message at the end of the installation asking whether you want to unblock the Apache service. Choose Unblock. The ACE 2 Management Server will not work properly if you do not unblock the service. Installing the ACE 2 Management Server on a Linux System: You can install the ACE 2 Management Server on the following Linux systems: Red Hat Enterprise Linux 4; SUSE Linux Enterprise Server 9 SP3. Before you install the ACE 2 Management Server on a Linux system: You must have a working installation of Apache 2.0 on the system. The rpm for a Web server comes with your RHEL4 or SLES9 installation. Verify that the Apache Web service is operating normally and is receiving requests for SSL http. You must have the mod_ldap and mod_ssl modules available on your system. The following packages are dependencies of the ACE 2 Managemen
317. ts of ACE 2. The following are components of ACE 2: ACE master: A virtual machine template created by the ACE administrator. The master can be configured with various policies and devices and package settings, and then used as the basis for creating any number of packages to be sent to ACE users. ACE instance: The virtual machine that ACE administrators create, associate to virtual rights management (VRM) policies, and then package for deployment to users. In short form, an ACE instance is an ACE. The following are new features of ACE 2: ACE 2 Management Server: The ACE 2 Management Server enables you to manage ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily. It adds new integration with your Active Directory setups and provides secure Active Directory/LDAP integration with role-based secure SSL communication. There are two ways administrators can interact with the ACE 2 Management Server: directly from Workstation ACE Edition's Instance View, or through browser-based access to the ACE 2 Management Server Help Desk application. The Instance View allows an administrator to view and control all managed ACE instances. An advanced search function allows you to locate instances in the database quickly. [Chapter 1, Introduction and System Requirements] You can customize the Instance View by adding searchable custom fields. The
318. tting Policy Update Frequency on page 161. [Chapter 6, Setting and Using Policies and Customizing VMware Player] For information about encrypting ACE packages and instances, see "Encryption" on page 186. Setting Access Control Policies: Activation and Authentication. Set activation and authentication policies to control access to installed ACE packages and the instances created from those packages. When you choose settings for these policies, those choices in turn determine the default settings to be used for package and ACE instance encryption policies, which protect the ACE packages and files in transit. See "Encryption" on page 186 for more information about those encryption settings. The activation policy specifies who can access an installed ACE package and turn it into an ACE instance. The authentication policy specifies who can run (power on) an ACE instance. The particular settings for these policies and how they are implemented vary depending on how your ACE instances are managed and, optionally, tracked. The possible management setups are: Server with Active Directory: ACE instances are managed by an ACE 2 Management Server, and the server is integrated with Active Directory. Server, no Active Directory: ACE instances are managed by an ACE 2 Management Server, and the server is not integrated with Active Directory. Standalone: ACE instances are standalone; they are not managed by a server
319. twork Access Guest Network Access Internal Zone Internal Host Access Full Access Everywhere else Full Access Remote ACE Instance. You have finished setting up network access for the ACE instance and its host. The current settings for all zones, with the labels you have applied, appear on the Network Access policy page. If you want to, click on the links and buttons in the policy page to open the zone, ruleset, and rule editors and then to reconfigure and fine-tune the access settings. See "Using the Zone, Ruleset, and Rule Editors to Configure Network Access." Using the Zone, Ruleset, and Rule Editors to Configure Network Access: You can configure and edit network access settings with the zone, ruleset, and rule editors by clicking the links in the table on the Network Access policy page. The use of those editors is described in the following sections: "Using the Zone Editor to Set Up and Configure Network Zones" on page 136; "Guidelines for Choosing Zone Conditions" on page 137; "Descriptions of the Zone Condition Settings" on page 137; "Steps for Adding or Editing a Network Zone" on page 139; "Using the Ruleset and Rule Editors to Configure Host and Guest Access" on page 140; "Before You Begin Configuring Rulesets and Rules: Details on Filtering Action" on page 140; "Steps for Adding or Editing Rulesets and Rules" on page
320. ty to do this is provided by the VMware Tools Service. Use this policy setting to share specific host information with the guest operating system when the ACE instance is powered on. The set of acceptable keys consists of machine.id and keys prefixed with guestinfo, such as guestinfo.ipAddress. If the ACE master for this instance is configured to be deployed to both Windows and Linux platforms, you can provide scripts for both Windows and Linux systems. [Screenshot: Host-Guest data script policy page. Use a host-guest data script to share information from host to guest. Option: Run a host-guest script at power on, with Windows and Linux script settings.] To provide a host-guest data script to be run in the guest operating system, enable Run a host-guest script at power on. Then click Set to open the Set Custom Script dialog box and specify the scripts you want to run in the guest operating system. See page 117 for information about setting up custom scripts. NOTE: If you change a script for a deployed ACE instance, create an update package that contains the script and deploy it to the user's machine. Setting Expiration Policies: Select Expiration from the Policy Editor window to set an expiration date for the ACE instance. When an instance expires, the files remain on the user's computer, but the instance cannot be used. Expiration: Instances of this ACE master expire
321. type of access check at activation activationDate VARCHAR 21 NOT NULL The date and time for the activation lastPolicyCheck VARCHAR 21 NOT NULL Last time when the player called server revocationDate VARCHAR 21 NOT NULL When the instance was revoked replacementDate VARCHAR 21 NOT NULL When replaced because of Copy Protect policy inheritsExpiration VARCHAR 7 DEFAULT FALSE NOT NULL Use expiration info from Ace Policy Set insUseValidDates VARCHAR 7 DEFAULT FALSE NOT NULL Use validity dates or always valid insValidDateStart VARCHAR 21 NOT NULL The instance is valid from this date insValidDateEnd VARCHAR 21 NOT NULL The instance is valid till this date insPassword VARCHAR 128 The login password for non AD authentication for this instance hostName VARCHAR 128 The name of the host PC the VM runs on hostIp VARCHAR 128 The IP addr of the host the VM runs on insProtectionKey VARCHAR 1024 Instance VM disk encryption key copyProtectionId VARCHAR 1024 Stores location of the copy insPreview VARCHAR 7 DEFAULT FALSE NOT NULL Is preview instance guestIpAddress VARCHAR 128 DEFAULT Reported VM IP address guestMacAddress VARCHAR 128 DEFAULT Assigned VM MAC address guestMachineName VARCHAR 128 DEFAULT The guest VM OS host name guestConfigStatus INTEGER DEFAULT 0 The completion status of guest
322. u can allow or block a device in the Device list. You can add a device by clicking the Add button below the Device list. All entries in the Device list are maintained in a device database that is included with the files for this ACE master. a. To select a device to be used with instances from this ACE master, click the device in the Device list and then select the checkbox under Allow. To disallow the specific device, click Block. b. To add a device or manually enter information about a device, click the Add button below the Device list. The USB Device List dialog box appears. [Screenshot: USB Device List dialog box. Select device(s) from the list and click OK. If you don't see the device you're looking for, connect it and press Refresh, or you can specify the parameters manually by clicking Manual Add. Columns: Device, Vendor ID, Product ID. Example row: USB Mass Storage Device, 0x42A8, 0x3B71.] NOTE: You can copy and share the database. Note, however, that it is not write-protected. The default location for the file is C:\Documents and Settings\All Users\Application Data\VMware\VMware Workstation\usbhistory.ini. You can add devices to the list in two ways: 1. Plug in the device and click Refresh to add it. When the system recognizes the device, the device appears as an entry at the end of the Device list in the USB Device List dialog box after one of two occurrences: 1. The dialog b
323. uilding and supporting hardware-specific images for PCs. Ensure compliance with IT policies while maintaining user freedom. Provide policy-based controls, including access, network, and device rights. Key Features of ACE 2: The following sections describe the key features of ACE 2. Manageability: Design once, deploy anywhere: Create standardized, hardware-independent PC environments and deploy them to any PC throughout the extended enterprise. Virtual rights management interface: Control ACE 2 lifecycle, security settings, network settings, system configuration, and user interface capabilities. Instance tracking: Through the user interface, view and manage the activation, expiration, and other policies of instances managed with the new policy server, ACE 2 Management Server. Security: Rules-based network access: Identify and quarantine unauthorized or out-of-date ACE instances. Enable access to the network once the ACE instance complies with IT policies. Tamper-resistant computing environment: Protect the entire ACE instance and package, including data and system configuration, with seamless encryption. Copy-protected computing environment: Prevent users from copying enterprise information. Roles-based secure SSL communications between ACE 2 Management Server and client. Resource signing: Specify that ACE Resource files be protected from all tampering. Usa
324. uld enter an ACE client license immediately. The Pocket ACE will run locally on that copy of Workstation ACE Edition, but if it is moved to another unlicensed device without having the ACE client license entered, it will not power on. ACE 2 Management Server Licenses: The optional ACE 2 Management Server requires its own license. See information about how to enter that license in Step 3 on page 76 under "Configuring the ACE 2 Management Server." NOTE: If you do not configure the server and enter the license in the server setup Web application, you can't connect to the server in Workstation ACE Edition. Neither Workstation ACE Edition nor ACE instances will be able to connect to an ACE Server with an expired or non-existent license. Setting Preferences for Workstation ACE Edition: The Preferences dialog box allows you to change a number of settings that apply to Workstation ACE Edition itself. The settings on the Workspace, Input, and Hot Keys tabs apply to the user currently logged on to the host computer. They do not affect settings made by any other user on the computer. The settings on the Memory tab apply no matter what virtual machine is running or who is logged on to the host computer. The settings on the Priority tab apply to all virtual machines for the user currently logged on to the host computer. They do not affect settings made by any other user on the computer. Fo
325. ule blocks a fax device but another rule allows a print device, then a combination fax/print device is blocked. [Screenshot: USB Device Classes dialog box. Select the device classes you want to add and click OK. One USB device can potentially have several USB device classes.] USB device classes (Device Class: Description): Vendor Specific: Non-standard interfaces; Unknown: Interfaces we failed to recognize; Other: New USB interfaces; Audio Device: Headphones, sound cards, and webcams; Communications: Modems and cell phones; HID: Mice, keyboards, and joysticks; HID Bootable: HID devices loaded on boot; Physical: Force feedback devices; Imaging: Digital cameras; Printers: None. To select the default device policy to be used for all other USB devices (that is, any devices not already specifically allowed or blocked with device or device class settings) with instances from this ACE master, click either Allow or Block next to Default for other device classes. Setting Virtual Printer Policies: VMware ACE includes a virtual printer that allows users to print to any printer available to the host computer from applications inside a virtual machine, without installing additional drivers in the virtual machine. NOTE: The virtual printer feature is available for ACE instances running with these Windows host and guest operating systems: Host: Windows 2000, XP, 2003, or Vista (32-bit only); Guest: Windows 2000, XP
326. ultiprocessor systems supported. Experimental support for Intel IA-32e CPU. Memory: 1024MB recommended, 256MB minimum. Display: 16-bit display adapter recommended, 8-bit display adapter required. Disk Drives: 40MB free space required for basic installation; at least 10GB free disk space recommended. Local Area Networking: Any Ethernet controller supported by the operating system. Operating Systems: The following sections describe the supported operating systems for the ACE 2 Management Server. Supported Windows Host Systems: Windows Server 2003 Web Edition SP1, Windows Server 2003 Standard Edition SP1, Windows Server 2003 Enterprise Edition SP1 (includes 64-bit and R2 editions); Windows XP Professional (includes 64-bit editions); Windows 2000 Server Service Pack 4, Windows 2000 Advanced Server Service Pack 4. NOTE: At this release, an ACE 2 Management Server running under a Windows 2000 operating system cannot be configured for Active Directory integration. Supported Linux Host Systems: Red Hat Enterprise Linux Advanced Server 4.0 with Update 4; SLES 9 Service Pack 3. External Databases: The SQLite database engine is embedded in the ACE 2 Management Server. In addition, you can use external databases through ODBC connectivity. For Windows-based servers: Microsoft SQL Server 2000 or higher; Oracle Database 10g. For Linux-based servers: Pos
327. ur guest operating system Key features of VMware Tools include some or all of the following depending on your guest operating system an SVGA driver a mouse driver the VMware Tools control page and support for such features as shared folders shrinking virtual disks time synchronization with the host VMware Tools scripts and connecting and disconnecting devices while the ACE instance is running Working copy of policies The policy that the ACE administrator uses to make and try out policy changes For managed ACE masters the working copy contains unpublished policies For standalone masters the working copy contains policies that have not yet been packaged or distributed Manipulating the working copy for a managed ACE master does not affect any existing instances associated with that master VMware Inc Index A access control policies Active Directory password change proxying 110 for managed ACE instance with no Active Directory 113 for managed ACE instances with Ac tive Directory 108 setting 107 ACE 2 See VMware ACE 2 ACE instance access control policies for managed instance 113 access control policies for standal one instance 119 defined 31 device connection policy 146 encryption 186 installing 46 installing on a Linux host 224 installing on a Windows host 220 IP address 94 managed update check 106 networking 100 offline usage 161 on Linux host fixing server connec tion problem 85
328. vable Devices Policies Removable devices policies allow you to control whether users can connect and disconnect removable devices from their ACE instances A Removable Devices policy is applied to an ACE master and affects all users of all instances created from that ACE master To apply a removable devices policy click Removable Devices in the left pane of the policy editor All removable device types for this ACE master are visible in the list To enable all users of ACE instances created from this master to connect and disconnect a device select the device in the Allow column Removable devices You can specify which devices will be accessible from instances of this ACE master Allow Device Summary CD ROM IDE 1 0 Auto detect Floppy 1 Auto detect NOTE To add devices use the virtual machine settings editor VM > Settings 146 VMware Inc Chapter 6 Setting and Using Policies and Customizing VMware Player Setting USB Device Policies You can set USB device policies to restrict the ACE user s access to USB devices to protect the integrity of ACE instances and your network The policies are dynamic so you can allow and then block access to USB devices You can set restrictions at various levels of specificity and you can mix levels of restriction in a policy setting The levels of restriction are m Specific USB device For example allow use of a specific type of digital camera but disallow use of iPod mobile
329. ver that is integrated with Active Directory If the ACE master was not using Active Directory then it can be reassigned to any management server 2 Click OK Select ACE > New package provide the name and location of the package in the wizard and then select the Server Update package type CAUTION If you reassign an ACE master to a new server be aware that unless the new server has access to the old database or to a copy of it existing instances of that ACE master will not continue to run 102 Why Would You Need to Reassign an ACE Master to a Different Server Address Every time you open a managed ACE master Workstation ACE Edition looks up the ACE master s record on the ACE 2 Management Server and downloads the master s policies and other information from the server If Workstation ACE Edition fails to contact the server or cannot find a record for the ACE master it cannot open the master and the master becomes unusable In this case you can choose to change the server address of the ACE master s ACE 2 Management Server When Do You Need to Reassign an ACE Master Common situations when you might need to reassign an ACE master to a new server address m The address of the ACE 2 Management Server changes for example if it was a DHCP assigned address or if you change the server s network address m The database used by the ACE 2 Management Server gets corrupted In either of these cases the ACE master s
330. ves Pocket ACE is designed to be run directly from the USB portable media device and can be run with the VMware Player that is bundled with the software Virtual Printer VMware ACE allows you to configure your ACE instances to use printers that are configured on their host operating systems Linux Systems Available as Host Systems for ACE User Machines You can create a single package that can be installed on either a Windows or Linux host operating system 19 VMware ACE Administrator s Manual 20 Instance Customization The instance customization feature automates Microsoft Sysprep deployment tools actions and streamlines the process of customizing instances after they have been deployed to user machines This feature makes it easier for you to deploy and customize a single package for many users Remote Domain Join The remote domain join feature which you set up through the instance customization pages in the package settings editor allows you to automate the join of a remote ACE instance through your own VPN client server setup to the domain that you specify Modular ACE Components ACE 2 allows greater flexibility and mobility for ACE distributions and instances You can install Workstation ACE Edition and ACE packages on the same machine You can install multiple ACE instances on a single user machine You can easily move the instances within the same system And you can move one particular type of ACE instance from hos
331. virtual machines in the VMware ACE 1 x project that you want to convert 50 VMware Inc Installing and Configuring the ACE 2 Management Server The ACE 2 Management Server allows you to manage ACE instances in real time By including the ACE 2 Management Server in your system setup you can Manage activation of ACE packages determine who can deploy a package Manage authentication of those activated packages determine who can run managed ACE instances Dynamically deliver policy updates to managed ACE instances Dynamically deliver instance customization data for managed ACE instances with Windows guest operating systems See Instance Customization on page 172 for information NOTE Use of the ACE 2 Management Server is optional If you do not need ACE 2 Management Server functionality for your ACE deployments skip to Chapter 5 Creating and Configuring ACE Masters on page 89 The following topics are covered in this chapter VMware Inc ACE 2 Management Server Setup Options on page 52 System Requirements for the ACE 2 Management Server on page 53 Features of the ACE 2 Management Server on page 55 Components of the ACE 2 Management Server on page 57 Using SSL Certification and Protocol on page 59 Installing the ACE 2 Management Server on page 64 Configuring the ACE 2 Management Server on page 69 51 VMware ACE Administrator s Manual m Using Even
332. which this virtual machine will expire If set to 1 it means never expire if set to 0 it means expired VMWARE_PROJ_ID The ID of the project to which this virtual machine belongs VMWARE_MVM_ID The ID of this virtual machine The virtual machine ID is unique within a project All scripts run each time the end user launches VMware Player or resets the virtual machine Some may run more often For example an expiration script is run once each 24 hours VMware Inc Chapter 6 Setting and Using Policies and Customizing VMware Player The sample scripts presented in Sample Scripts on page 139 are installed with VMware Player The default location is C Program Files VMware VMware Player Samples The following descriptions give the format for the output that your scripts must write to StdOut to control various policies Authentication Scripts Table 6 2 outlines the basic information you need to write authentication scripts Table 6 2 Writing Authentication Scripts Question When does this script execute Explanation This script executes when the virtual machine is opened What relevant environment variables are available to the script No authentication specific environment variables are available but VMWARE_PROJ_ID and VMWARE_MVM_ID give some context indicating what virtual machine the user is trying to open What is the expected output The output of this script is hashed to create a key to enc
333. ws the settings for the removable devices policy including details about which devices are allowed and blocked See View Network Access Details on page 243 for more information about the display for network access policy settings Reactivate Deactivate an Instance You can immediately deny or allow access to an instance by deactivating or reactivating it To reactivate or deactivate an instance click the appropriate icon Deactivate or Reactivate in the upper left of the Instance Details page The change is made as soon as you click the icon Reset the Instance Expiration Date You can reset the expiration date by selecting or deselecting Use the date range specified for the ACE master typing in Valid From and Valid Until dates and selecting or deselecting Never expire You must click the Save button in the upper left of the page to institute the changed expiration date Change the Copy Protection ID You can change the copy protection ID to allow the user to run a moved or copied instance Select the alphanumeric string in the Copy Protection ID box and replace it VMware Inc Chapter 11 Installing and Using VMware Player and ACE Instances with the new copy protection ID generally the user sends you a request to allow a moved or copied instance to run and includes the new ID in that request message The Copy Protection ID field is always active so you can change the ID whenever you want V CAUTION If you enter a ch
334. x those same sorts of problems for managed instances Enhancements to Preview Mode Preview mode allows you to run the ACE instance as it will run on the user s machine as well as see the effects of changed policies as they will appear on the ACE user s machine without your having to package and install them It also allows you to see many of the effects of your setup choices for an ACE package without having to expend the time and effort required for a full package deployment and installation New ACE Integration with Workstation The VMware ACE product is now a superset of VMware Workstation so you get all the advantages of both products in one easy to use interface Workstation features such as multiple snapshots and full and linked clones are now available to you Hardware and Software Recommendations for This Release 22 The following sections describe hardware and software recommendations for this release Workstation ACE Edition ACE Administrator What do you need to get the most out of Workstation ACE Edition Use the following list of requirements as a starting point An ACE is like a physical computer in many ways and like a physical computer it generally performs better if it has a faster processor and more memory VMware Inc Chapter 1 Introduction and System Requirements PC Hardware Standard PC 1000MHz or faster compatible x86 and x86 64 architecture processor recommended 600MHz minimum Comp
335. you specify a local port when the host or guest is being used as a server getting remote connections on some port m Remote port Filters on the port from the remote machine The remote port is the source port for incoming packets and the destination port for outgoing packets Typically you specify a remote port when the host or guest is a client and is contacting a remote server on some port When you have finished making all the changes you want to make in the rule click OK The ruleset editor reappears with the changes now appearing in the rule that you edited Ruleset Editor Host in Internal Zone x Ruleset Name Intemal Host Access Zone Internal Zone Allow V DNS Access Type Host MV DHCP Rules ICMP Action Direction Address Remote Port __ Local Port Protocol Allow Both 0 0 0 0 0 ICMP Allow Both 0 0 0 0 0 53 UDP Allow Both 0 0 0 0 0 53 TCP Allow Bath 0 0 0 0 0 67 68 UDP Allow Inbound 110 0312 10300p 100 a CE Add Edit Remove Move Up Move Down Allow all other addresses Block all other addresses OK Cancel 11 If you want to remove a rule select the row for the rule in the table and click 12 144 Remove If you want to move a rule up or down in the table to change the order in which the rules are applied select the row for the rule in the table and click Move Up or Move Down as needed Precedence for rule application starts with the rule at the top o
336. zero that is you use host_name 0 the placeholder will resolve to the full actual computer host name random_alpha_digit n A randomly generated string of alphabetic and numeric characters where <n> is the number of characters You must specify <n> random_alpha n A randomly generated string of alphabetic characters where <n> is the number of characters You must specify <n> random_digit n A randomly generated string of numeric characters where <n> is the number of characters You must specify <n> 181 VMware ACE Administrator s Manual You can use these placeholders to generate unique names that are useful to you The following is an example of their use Package Settings System options Setting Summary B Encryption None None You can specify a name and organization to be used for each copy of the guest B Pack age Lifetime Always Operating system as well as a computer name for identifying each ACE i instance on a network Macros can be used as placeholder variables Instance Customizat Enabled B Initialization Scripts Name VM_ logon_user random_alpha 4 Workgroup or D ONEARTH eee Custom EULA Disabled Organization VMware Inc Deployment Platform Windows Connie Narre chost_name randam_digit 3 Security ID You can selectto generate a new security identity for each copy of the guest operating system Generate New S