Connection to VMware
Create and manage connections and resources describes the wizards that create a connection. The following information covers details specific to VMware virtualization environments.
Note:
Before creating a connection to VMware, you need to first finish setting up your VMware account as a resource location. See VMware virtualization environments.
Required permissions
Create a VMware user account and one or more VMware roles with a set or all permissions listed in this article. Base the roles’ creation on the specific level of granularity required over the user’s permissions to request the various Citrix DaaS operations at any time. To grant the user-specific permissions at any point, associate them with the respective role, at the data center level at a minimum, with the Propagate to children option selected. However, for StorageProfile permissions and a specific Tags permission, apply the permissions at the Root vCenter Server level, without Propagate to Children. See the notes in each of those tables.
The following tables show the mappings between Citrix DaaS operations and the minimum required VMware permissions.
Add connections and resources
| SDK | User interface |
|---|---|
| System.Anonymous, System.Read, and System.View | Added automatically. Can use the built-in read-only role. |
Power management
| SDK | User interface |
|---|---|
| VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
| VirtualMachine.Interact.PowerOn | Virtual machine > Interaction > Power On |
| VirtualMachine.Interact.Reset | Virtual machine > Interaction > Reset |
| VirtualMachine.Interact.Suspend | Virtual machine > Interaction > Suspend |
| Datastore.Browse | Datastore > Browse datastore |
Provision machines (Machine Creation Services)
To provision machines using MCS, the following permissions are mandatory:
| SDK | User interface |
|---|---|
| Datastore.AllocateSpace | Datastore > Allocate space |
| Datastore.Browse | Datastore > Browse datastore |
| Datastore.FileManagement | Datastore > Low level file operations |
| Network.Assign | Network > Assign network |
| Resource.AssignVMToPool | Resource > Assign virtual machine to resource pool |
| VirtualMachine.Config.AddExistingDisk | Virtual machine > Configuration > Add existing disk |
| VirtualMachine.Config.AddNewDisk | Virtual machine > Configuration > Add new disk |
| Virtual machine.Config.Add or remove device | Virtual machine > Configuration > Add or remove device |
| VirtualMachine.Config.AdvancedConfig | Virtual machine > Configuration > Advanced |
| VirtualMachine.Config.RemoveDisk | Virtual machine > Configuration > Remove disk |
| VirtualMachine.Config.CPUCount | Virtual machine > Configuration > Change CPU count |
| VirtualMachine.Config.Memory | Virtual machine > Configuration > Change memory |
| VirtualMachine.Config.Settings | Virtual machine > Configuration > Change settings |
| VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
| VirtualMachine.Interact.PowerOn | Virtual machine > Interaction > Power On |
| VirtualMachine.Interact.Reset | Virtual machine > Interaction > Reset |
| VirtualMachine.Interact.Suspend | Virtual machine > Interaction > Suspend |
| VirtualMachine.Inventory.CreateFromExisting | Virtual machine > Inventory > Create from existing |
| VirtualMachine.Inventory.Create | Virtual machine > Inventory > Create new |
| VirtualMachine.Inventory.Delete | Virtual machine > Inventory > Remove |
| VirtualMachine.Provisioning.Clone | Virtual machine > Provisioning > Clone virtual machine |
| VirtualMachine.State.CreateSnapshot | vSphere 5.0, Update 2, vSphere 5.1, Update 1, and vSphere 6.x, Update 1: Virtual machine > State > Create snapshot; vSphere 5.5: Virtual machine > Snapshot management > Create snapshot; vSphere 8.0: Virtual machine > Snapshot management > Create snapshot |
Image update and rollback
| SDK | User interface |
|---|---|
| Datastore.AllocateSpace | Datastore > Allocate space |
| Datastore.Browse | Datastore > Browse datastore |
| Datastore.FileManagement | Datastore > Low level file operations |
| Network.Assign | Network > Assign network |
| Resource.AssignVMToPool | Resource > Assign virtual machine to resource pool |
| VirtualMachine.Config.AddExistingDisk | Virtual machine > Configuration > Add existing disk |
| VirtualMachine.Config.AddNewDisk | Virtual machine > Configuration > Add new disk |
| VirtualMachine.Config.AdvancedConfig | Virtual machine > Configuration > Advanced |
| VirtualMachine.Config.RemoveDisk | Virtual machine > Configuration > Remove disk |
| VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
| VirtualMachine.Interact.PowerOn | Virtual machine > Interaction > Power On |
| VirtualMachine.Interact.Reset | Virtual machine > Interaction > Reset |
| VirtualMachine.Inventory.CreateFromExisting | Virtual machine > Inventory > Create from existing |
| VirtualMachine.Inventory.Create | Virtual machine > Inventory > Create new |
| VirtualMachine.Inventory.Delete | Virtual machine > Inventory > Remove |
| VirtualMachine.Provisioning.Clone | Virtual machine > Provisioning > Clone virtual machine |
Delete provisioned machines
| SDK | User interface |
|---|---|
| Datastore.Browse | Datastore > Browse datastore |
| Datastore.FileManagement | Datastore > Low level file operations |
| VirtualMachine.Config.RemoveDisk | Virtual machine > Configuration > Remove disk |
| VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
| VirtualMachine.Inventory.Delete | Virtual machine > Inventory > Remove |
Storage Profile (vSAN)
To view, create, or delete storage policies during catalog creations on a vSAN datastore, the following permissions are mandatory:
| SDK | User interface |
|---|---|
| StorageProfile.Update | PROFILE-DRIVEN STORAGE > Profile-driven storage update. For vSphere 8: VM storage policies > Update VM storage policies |
| StorageProfile.View | PROFILE-DRIVEN STORAGE > Profile-driven storage view. For vSphere 8: VM storage policies > View VM storage policies |
Note:
Apply the storage profile permissions at the Root vCenter Server level, without Propagate to Children.
Tags and Custom Attributes
Tags and custom attributes allow you to attach metadata to the VMs created in vSphere inventory and make it easier to search and filter these objects. To create, edit, assign, and delete tags or categories, the following permissions are mandatory:
| SDK | User interface |
|---|---|
| InventoryService.Tagging.CreateTag | vSphere Tagging > Create vSphere Tag |
| InventoryService.Tagging.CreateCategory | vSphere Tagging > Create vSphere Tag Category |
| InventoryService.Tagging.EditTag | vSphere Tagging > Edit vSphere Tag |
| InventoryService.Tagging.EditCategory | vSphere Tagging > Edit vSphere Tag Category |
| InventoryService.Tagging.DeleteTag | vSphere Tagging > Delete vSphere Tag |
| InventoryService.Tagging.DeleteCategory | vSphere Tagging > Delete vSphere Tag Category |
| InventoryService.Tagging.AttachTag | vSphere Tagging > Assign or Unassign vSphere Tag |
| InventoryService.Tagging.ObjectAttachable | vSphere Tagging > Assign or Unassign vSphere Tag on Object |
| Global.ManageCustomFields | Global > Manage custom attributes |
| Global.SetCustomField | Global > Set custom attribute |
Note:
- When MCS creates a machine catalog, it tags the target VMs with special name tags. These tags differentiate the master image from MCS created VMs and prevent using MCS created VMs for image preparation. You can identify the difference by the value of
XdProvisionedattribute in vCenter. The attribute is set to True if MCS creates VMs.- Apply the
InventoryService.Tagging.AttachTagpermission at the Root vCenter Server level, without Propagate to Children.
Cryptographic operations
Cryptographic operations privileges control who can perform which type of cryptographic operation on which type of object. vSphere Native Key Provider uses the Cryptographer.* privileges. The following minimum permissions are required for cryptographic operations:
Note:
These permissions are required for creating MCS machine catalogs with vTPM equipped VM.
| SDK | User interface |
|---|---|
| Cryptographer.Access | Privileges > All Privileges > Cryptographic operations > Direct Access |
| Cryptographer.AddDisk | Privileges > All Privileges > Cryptographic operations > Add disk |
| Cryptographer.Clone | Privileges > All Privileges > Cryptographic operations > Clone |
| Cryptographer.Encrypt | Privileges > All Privileges > Cryptographic operations > Encrypt |
| Cryptographer.EncryptNew | Privileges > All Privileges > Cryptographic operations > Encrypt new |
| Cryptographer.Decrypt | Privileges > All Privileges > Cryptographic operations > Decrypt |
| Cryptographer.Migrate | Privileges > All Privileges > Cryptographic operations > Migrate |
| Cryptographer.ReadKeyServersInfo | Privileges > All Privileges > Cryptographic operations > Read KMS information |
Provision machines (Citrix Provisioning)
These permissions to clone and deploy a template are required to provision VMs using Citrix Virtual Apps and Desktops Setup Wizard and Export Devices Wizard through the Citrix Provisioning console. Set the permissions while creating a hosting connection. You need all the permissions from Provision machines (Machine Creation Services) and the following.
| SDK | User interface |
|---|---|
| VirtualMachine.Config.AddRemoveDevice | Virtual machine > Configuration > Add or remove device |
| VirtualMachine.Config.CPUCount | Virtual machine > Configuration > Change CPU Count |
| VirtualMachine.Config.Memory | Virtual machine > Configuration > Memory |
| VirtualMachine.Config.Settings | Virtual machine > Configuration > Settings |
| VirtualMachine.Provisioning.CloneTemplate | Virtual machine > Provisioning > Clone template |
| VirtualMachine.Provisioning.DeployTemplate | Virtual machine > Provisioning > Deploy template |
| VApp.Export | vApp > Export |
Note:
The
VApp.Exportis required for creating MCS machine catalogs using machine profile.
Securing connections to the VMware environment
Using HTTPS/SSL connections to vCenter requires that the connection is trusted by Citrix DaaS.
There are two options:
- (Recommended) The Citrix DaaS database has the SSL thumbprint installed. This thumbprint is used by Citrix DaaS on each Cloud Connector to trust connections to vCenter.
- (Alternative) Each Cloud Connector trusts the vCenter certificate, and services on the Cloud Connector reuses this trust. This trust can be from:
- vCenter certificate, issued by the Certificate Authority and trusted by windows, resulting in established trust between Windows and vCenter.
- vCenter certificate installed on Windows, resulting in established trust between Windows and vCenter.OT
Note:
vCenter certificate and VMware SSL thumbprint are not required for VMware Cloud and its partner solutions.
VMware SSL thumbprint
The VMware SSL thumbprint feature addresses a frequently reported error when creating a host connection to a VMware vSphere hypervisor. Previously, administrators had to manually create a trust relationship between the Citrix-managed Delivery Controllers in the Site and the hypervisor’s certificate before creating a connection. The VMware SSL thumbprint feature removes that manual requirement: the untrusted certificate’s thumbprint is stored on the Site database so that the hypervisor can be continuously identified as trusted by Citrix DaaS, even if not by the Controllers.
When creating a vSphere host connection, a dialog box allows you to view the certificate of the machine you are connecting to. You can then choose whether to trust it.
The VMware SSL thumbprint can be updated later using PowerShell SDK Set-Item -LiteralPath "<FullPath_to_connection>" -username $cred.username -Securepassword $cred.password -SslThumbprint "<New ThumbPrint>" -hypervisorAddress <vcenter URL>.
Tip:
The certificate thumbprint must be written in capital letters.
Obtain and import a certificate
To protect vSphere communications, Citrix recommends that you use HTTPS rather than HTTP. HTTPS requires digital certificates. Citrix recommends you use a digital certificate issued from a certificate authority in accordance with your organization’s security policy.
If you are unable to use a digital certificate issued from a certificate authority, and your organization’s security policy permits it, you can use the VMware-installed self-signed certificate. Add the VMware vCenter certificate to each Cloud Connector.
-
Add the fully qualified domain name (FQDN) of the computer running vCenter Server to the host file on that server, located at %SystemRoot%/WINDOWS/system32/Drivers/etc/. This step is required only if the FQDN of the computer running vCenter Server is not already present in the domain name system.
-
Obtain the vCenter certificate using any of the following three methods:
From the vCenter server:
- Copy the file rui.crt from the vCenter server to a location accessible on your Cloud Connectors.
- On the Cloud Connector, navigate to the location of the exported certificate and open the rui.crt file.
Download the certificate using a web browser: If you are using Internet Explorer, depending on your user account, you must right-click on Internet Explorer and choose Run as Administrator to download or install the certificate.
- Open your web browser and make a secure web connection to the vCenter server (for example https://server1.domain1.com).
- Accept the security warnings.
- Click the address bar displaying the certificate error.
- Click Certificate is not valid, and then click the Details tab.
- Click Export..
- Save the exported certificate.
- Navigate to the location of the exported certificate and open the .CER file.
Import directly from Internet Explorer running as an administrator:
- Open your web browser and make a secure web connection to the vCenter server (for example https://server1.domain1.com).
- Accept the security warnings.
- Click the address bar displaying the certificate error.
- View the certificate.
-
Import the certificate into the certificate store on each Cloud Connector.
- Click Install certificate, select Local Machine, and then click Next.
- Select Place all certificates in the following store, and then click Browse. On a later supported version: Select Trusted People and then click OK. Click Next and then click Finish.
Important:
If you change the name of the vSphere server after installation, you must generate a new self-signed certificate on that server before importing the new certificate.
Where to go next
- If you’re in the initial deployment process, see Create machine catalogs.
- For VMware specific information, see Create a VMware catalog.