VMware virtualization environments
Follow this guidance if you use VMware to provide virtual machines.
Install vCenter Server and the appropriate management tools. (No support is provided for vSphere vCenter Linked Mode operation.)
If you plan to use MCS, do not disable the Datastore Browser feature in vCenter Server (described in https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2101567). If you disable this feature, MCS does not work correctly.
Required privileges
Create a VMware user account and one or more VMware roles with a set or all of the privileges listed below. Base the roles’ creation on the specific level of granularity required over the user’s permissions to request the various XenApp or XenDesktop operations at any time. To grant the user specific permissions at any point, associate them with the respective role, at the DataCenter level at a minimum.
The following tables show the mappings between XenApp and XenDesktop operations and the minimum required VMware privileges.
Add connections and resources
SDK | User interface |
---|---|
System.Anonymous, System.Read, and System.View | Added automatically. Can use the built-in read-only role. |
Provision machines (Machine Creation Services)
SDK | User interface |
---|---|
Datastore.AllocateSpace | Datastore > Allocate space |
Datastore.Browse | Datastore > Browse datastore |
Datastore.FileManagement | Datastore > Low level file operations |
Network.Assign | Network > Assign network |
Resource.AssignVMToPool | Resource > Assign virtual machine to resource pool |
VirtualMachine.Config.AddExistingDisk | Virtual machine > Configuration > Add existing disk |
VirtualMachine.Config.AddNewDisk | Virtual machine > Configuration > Add new disk |
VirtualMachine.Config.AdvancedConfig | Virtual machine > Configuration > Advanced |
VirtualMachine.Config.RemoveDisk | Virtual machine > Configuration > Remove disk |
VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
VirtualMachine.Interact.PowerOn | Virtual machine > Interaction > Power On |
VirtualMachine.Inventory.CreateFromExisting | Virtual machine > Inventory > Create from existing |
VirtualMachine.Inventory.Create | Virtual machine > Inventory > Create new |
VirtualMachine.Inventory.Delete | Virtual machine > Inventory > Remove |
VirtualMachine.Provisioning.Clone | Virtual machine > Provisioning > Clone virtual machine |
VirtualMachine.State.CreateSnapshot | vSphere 5.0, Update 2 and vSphere 5.1, Update 1: Virtual machine > State > Create snapshot; vSphere 5.5: Virtual machine > Snapshot management > Create snapshot |
If you want the VMs you create to be tagged, add the following permissions for the user account.
To ensure that you use a clean base image for creating new VMs, tag VMs created with Machine Creation Services to exclude them from the list of VMs available to use as base images.
SDK | User interface |
---|---|
Global.ManageCustomFields | Global > Manage custom attributes |
Global.SetCustomField | Global > Set custom attribute |
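
The Machine Creation Services and tagging privilege sets above can be checked against a live vCenter role. This is an added example, not Citrix or VMware code; it assumes VMware PowerCLI with an open Connect-VIServer session, and the role name Citrix-MCS is hypothetical.

```powershell
# Added example: create (if absent) and audit a vCenter role for MCS.
# Assumes VMware PowerCLI and an existing Connect-VIServer session.
# 'Citrix-MCS' is a hypothetical role name; privilege IDs come from the tables above.
$roleName = 'Citrix-MCS'
$required = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Network.Assign', 'Resource.AssignVMToPool',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Inventory.CreateFromExisting', 'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Provisioning.Clone',
    'VirtualMachine.State.CreateSnapshot'
)
# Only needed when VMs created by MCS are tagged.
$tagging  = @('Global.ManageCustomFields', 'Global.SetCustomField')
# Listed under "Add connections and resources" as added automatically.
$implicit = @('System.Anonymous', 'System.Read', 'System.View')

$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    # Create the role with the documented minimum set and nothing else.
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id ($required + $tagging))
}

# Compare what the role actually grants with what the tables call for.
$granted = @($role.PrivilegeList)
$allowed = $required + $tagging + $implicit
$missing = @($required | Where-Object { $granted -notcontains $_ })
$excess  = @($granted  | Where-Object { $allowed -notcontains $_ })

[pscustomobject]@{
    Role    = $roleName
    Missing = $missing -join ', '   # MCS provisioning needs these
    Excess  = $excess  -join ', '   # not in the MCS tables: review for removal
}
```

A role shared with other operations on this page (Provisioning Services, AppDisks) will legitimately show their privileges under Excess; extend the allowed list from the matching table before acting on the result.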
Provision machines (Provisioning Services)
All privileges from Provision machines (Machine Creation Services) and the following.
SDK | User interface |
---|---|
VirtualMachine.Config.AddRemoveDevice | Virtual machine > Configuration > Add or remove device |
VirtualMachine.Config.CPUCount | Virtual machine > Configuration > Change CPU Count |
VirtualMachine.Config.Memory | Virtual machine > Configuration > Memory |
VirtualMachine.Config.Settings | Virtual machine > Configuration > Settings |
VirtualMachine.Provisioning.CloneTemplate | Virtual machine > Provisioning > Clone template |
VirtualMachine.Provisioning.DeployTemplate | Virtual machine > Provisioning > Deploy template |
Power management
SDK | User interface |
---|---|
VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
VirtualMachine.Interact.PowerOn | Virtual machine > Interaction > Power On |
VirtualMachine.Interact.Reset | Virtual machine > Interaction > Reset |
VirtualMachine.Interact.Suspend | Virtual machine > Interaction > Suspend |
Image update and rollback
SDK | User interface |
---|---|
Datastore.AllocateSpace | Datastore > Allocate space |
Datastore.Browse | Datastore > Browse datastore |
Datastore.FileManagement | Datastore > Low level file operations |
Network.Assign | Network > Assign network |
Resource.AssignVMToPool | Resource > Assign virtual machine to resource pool |
VirtualMachine.Config.AddExistingDisk | Virtual machine > Configuration > Add existing disk |
VirtualMachine.Config.AddNewDisk | Virtual machine > Configuration > Add new disk |
VirtualMachine.Config.AdvancedConfig | Virtual machine > Configuration > Advanced |
VirtualMachine.Config.RemoveDisk | Virtual machine > Configuration > Remove disk |
VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
VirtualMachine.Interact.PowerOn | Virtual machine > Interaction > Power On |
VirtualMachine.Interact.Reset | Virtual machine > Interaction > Reset |
VirtualMachine.Inventory.CreateFromExisting | Virtual machine > Inventory > Create from existing |
VirtualMachine.Inventory.Create | Virtual machine > Inventory > Create new |
VirtualMachine.Inventory.Delete | Virtual machine > Inventory > Remove |
VirtualMachine.Provisioning.Clone | Virtual machine > Provisioning > Clone virtual machine |
Delete provisioned machines
SDK | User interface |
---|---|
Datastore.Browse | Datastore > Browse datastore |
Datastore.FileManagement | Datastore > Low level file operations |
VirtualMachine.Config.RemoveDisk | Virtual machine > Configuration > Remove disk |
VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
VirtualMachine.Inventory.Delete | Virtual machine > Inventory > Remove |
Create AppDisks
Valid for VMware vSphere minimum version 5.5 and XenApp and XenDesktop minimum version 7.8.
SDK | User interface |
---|---|
Datastore.AllocateSpace | Datastore > Allocate space |
Datastore.Browse | Datastore > Browse datastore |
Datastore.FileManagement | Datastore > Low level file operations |
VirtualMachine.Config.AddExistingDisk | Virtual machine > Configuration > Add existing disk |
VirtualMachine.Config.AddNewDisk | Virtual machine > Configuration > Add new disk |
VirtualMachine.Config.AdvancedConfig | Virtual machine > Configuration > Advanced |
VirtualMachine.Config.EditDevice | Virtual machine > Configuration > Modify Device Settings |
VirtualMachine.Config.RemoveDisk | Virtual machine > Configuration > Remove disk |
VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
VirtualMachine.Interact.PowerOn | Virtual machine > Interaction > Power On |
Delete AppDisks
Valid for VMware vSphere minimum version 5.5 and XenApp and XenDesktop minimum version 7.8.
SDK | User interface |
---|---|
Datastore.Browse | Datastore > Browse datastore |
Datastore.FileManagement | Datastore > Low level file operations |
VirtualMachine.Config.RemoveDisk | Virtual machine > Configuration > Remove disk |
VirtualMachine.Interact.PowerOff | Virtual machine > Interaction > Power Off |
Obtain and import a certificate
To protect vSphere communications, Citrix recommends that you use HTTPS rather than HTTP. HTTPS requires digital certificates. Citrix recommends you use a digital certificate issued from a certificate authority in accordance with your organization’s security policy.
If you are unable to use a digital certificate issued from a certificate authority, and your organization’s security policy permits it, you can use the VMware-installed self-signed certificate. Add the VMware vCenter certificate to each Controller.
STEP 1. Add the fully qualified domain name (FQDN) of the computer running vCenter Server to the hosts file on that server, located at %SystemRoot%/WINDOWS/system32/Drivers/etc/. This step is required only if the FQDN of the computer running vCenter Server is not already present in the domain name system.
STEP 2. Obtain the vCenter certificate using any of the following three methods:
From the vCenter server:
- Copy the file rui.crt from the vCenter server to a location accessible on your Delivery Controllers.
- On the Controller, navigate to the location of the exported certificate and open the rui.crt file.
Download the certificate using a web browser: If you are using Internet Explorer, depending on your user account, you may need to right-click on Internet Explorer and choose Run as Administrator to download or install the certificate.
- Open your web browser and make a secure web connection to the vCenter server (for example, https://server1.domain1.com).
- Accept the security warnings.
- Click on the address bar displaying the certificate error.
- View the certificate and click the Details tab.
- Select Copy to file and export in .CER format, providing a name when prompted to do so.
- Save the exported certificate.
- Navigate to the location of the exported certificate and open the .CER file.
Import directly from Internet Explorer running as an administrator:
- Open your web browser and make a secure web connection to the vCenter server (for example, https://server1.domain1.com).
- Accept the security warnings.
- Click on the address bar displaying the certificate error.
- View the certificate.
STEP 3. Import the certificate into the certificate store on each of your Controllers.
- Click Install certificate, select Local Machine, and then click Next.
- Select Place all certificates in the following store, and then click Browse.
On Windows Server 2008 R2: Select the Show physical stores check box. Expand Trusted People. Select Local Computer. Click Next and then click Finish.
On a later supported version: Select Trusted People and then click OK. Click Next and then click Finish.
Important: If you change the name of the vSphere server after installation, you must generate a new self-signed certificate on that server before importing the new certificate.
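
STEP 3 can also be scripted, which makes it repeatable across Controllers and lets you inspect the certificate before trusting it. This is an added example, not Citrix code; the file path is hypothetical and the FQDN is the example name used on this page.

```powershell
# Added example. Run in an elevated session on each Controller.
# $certPath is a hypothetical location for the copied rui.crt.
$certPath    = 'C:\Temp\rui.crt'
$vcenterFqdn = 'server1.domain1.com'
$dns = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Review what is about to be trusted before it goes into the store.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period; not importing.'
}
$certName = $cert.GetNameInfo($dns, $false)
if ($certName -ne $vcenterFqdn) {
    Write-Warning "Certificate names '$certName', expected '$vcenterFqdn'."
}

# Local Machine > Trusted People, the store selected in STEP 3.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present = @($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    # Same name, different thumbprint: left over from an earlier certificate,
    # for example one generated before the server was renamed.
    $stale = @($store.Certificates | Where-Object {
        $_.GetNameInfo($dns, $false) -eq $certName -and $_.Thumbprint -ne $cert.Thumbprint
    })
    foreach ($old in $stale) {
        Write-Warning "Older entry for ${certName}: $($old.Thumbprint) (expires $($old.NotAfter))"
    }
    if ($present.Count -eq 0) {
        $store.Add($cert)
    }
}
finally {
    $store.Close()
}
```

The thumbprint printed by the script can be compared with the certificate shown when you create the host connection in Studio.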
Configuration considerations
Create a master VM:
Use a master VM to provide user desktops and applications in a machine catalog. On your hypervisor:
- Install a VDA on the master VM, selecting the option to optimize the desktop, which improves performance.
- Take a snapshot of the master VM to use as a backup.
Create a connection:
In the connection creation wizard:
- Select the VMware connection type.
- Specify the address of the access point for the vCenter SDK.
- Specify the credentials for a VMware user account you set up earlier that has permissions to create new VMs. Specify the username in the form domain/username.
VMware SSL thumbprint
The VMware SSL thumbprint feature addresses a frequently-reported error when creating a host connection to a VMware vSphere hypervisor. Previously, administrators had to manually create a trust relationship between the Delivery Controllers in the Site and the hypervisor’s certificate before creating a connection. The VMware SSL thumbprint feature removes that manual requirement: the untrusted certificate’s thumbprint is stored on the Site database so that the hypervisor can be continuously identified as trusted by XenApp or XenDesktop, even if not by the Controllers.
When creating a vSphere host connection in Studio, a dialog box allows you to view the certificate of the machine you are connecting to. You can then choose whether to trust it.