VMware Horizon Community
Maldacai
Contributor

Deploying VMs to different VLANs

Hi

I've been looking around the forums and haven't really been able to find an answer to my issue, so I'm hoping someone here can help me figure it out.

Hope I can explain this well.

I would like to deploy VMs to our public network (VLAN 50); our private network is on VLAN 60. All ESX servers (4.1), vCenter (4.5) and View Manager (4.6) are located in VLAN 60.

I have trunking on the physical switch that the ESX servers connect to, and I have VLAN-tagged port groups, i.e. Port Group "Public" = VLAN 50, Port Group "Private" = VLAN 60.

From within vCenter I can create a VM and place it on either the Public or the Private network, and the VM gets its proper DHCP settings. When on the Public network the VM can't connect to our private network but can access the internet (which is what I want), and if I place the VM on the Private network I can access all servers and services (which is also what I want). So just using vCenter, everything works as it should.

With View Manager I can create a linked clone from my base VM that is sitting in the Private VLAN 60, and I can deploy those VMs from that pool without issue to VLAN 60, which is fine as we have VMs that are needed by various users within our private network.

I now want to create another pool with the base VM sitting in VLAN 60, set the port group to VLAN 50 and make a snapshot. In View Manager I can see that the pool is provisioning the desktop, and in vCenter I can see the cloning, replication and then power-up of the new VM in VLAN 50. Once the VM powers up, View Manager reports that the VM is customizing, and then after about 15 min I get the following error: "No network communication between the VDM Agent and Connection Server. Please verify that the virtual desktop can ping the Connection Server via the FQDN."

From vCenter I can open a console to the newly created VM on VLAN 50 and it works fine: I can surf the web and cannot access my private network, which is what it should be.

What am I missing? I can get it to work if I place a 2nd NIC on the View Manager server in VLAN 50, but I don't want that; I want VLAN 50 isolated from the rest of our network.

Any help would be great.

Thanks.

11 Replies
Meph1234
Enthusiast

Hi

First of all, did you actually try having a second NIC on the Connection Server? I was under the impression that you could have more than one NIC on the Connection Server but the program would only use one, and you couldn't specify which it uses.

Anyway, in relation to your question there are really only two ways to go.

1) The desktop needs to be able to contact the Connection Server, so it needs to be able to contact its FQDN on port 4001. So you would need to open that port and perhaps put a HOSTS file entry in the base image to point that FQDN to the IP address.

2) You can create a replica server in VLAN 60, which would require ports 389, 636, 1515, 3389 and 4001 for data replication to be opened to the VLAN 50 Connection Server, which is a pain. I believe it will also need to be able to contact the DC and the vCenter server. This way the agent should be able to connect with that Connection Server.

Those are the only options that I can think of; good luck.

Phil

VCA4-DT
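A way to verify the first point in the reply above before provisioning a pool: from a machine on the desktop VLAN, resolve the Connection Server FQDN (which is what the hosts-file entry is meant to make work) and test whether TCP connections to the listed ports complete. This is an added example, not code from the thread or from VMware; the hostname below is a hypothetical placeholder, and the `resolver`/`connect` hooks are assumptions so the logic can be exercised offline (by default the real socket library is used).

```python
"""Preflight check for a desktop VLAN before provisioning a View pool.

Added example; not from the original thread or from VMware. It resolves the
Connection Server FQDN and then tests TCP reachability to the ports the reply
lists. The hostname and the resolver/connect hooks are assumptions.
"""
import socket
from typing import Callable, Dict, List, Optional

# Ports named in the reply above. 4001 is the agent-to-Connection-Server port
# the reply says must be open; the rest are the ones it lists for a replica.
AGENT_PORTS: Dict[int, str] = {4001: "View Agent -> Connection Server"}
REPLICA_PORTS: Dict[int, str] = {
    389: "LDAP",
    636: "LDAPS",
    1515: "replica data (as listed in the reply)",
    3389: "RDP",
    4001: "View Agent -> Connection Server",
}


def resolve(fqdn: str,
            resolver: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the IPv4 address this host's resolver gives for fqdn, or None.

    The error in the thread says the agent must reach the Connection Server
    *by FQDN*, so name resolution is the first thing to verify on the VLAN.
    """
    try:
        return resolver(fqdn)
    except (socket.gaierror, OSError):
        return None


def tcp_open(host: str, port: int, timeout: float = 3.0,
             connect: Callable = socket.create_connection) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


def preflight(fqdn: str, ports: Dict[int, str],
              resolver: Callable[[str], str] = socket.gethostbyname,
              connect: Callable = socket.create_connection) -> Dict[str, object]:
    """Resolve the FQDN and probe every port; returns a report dict."""
    ip = resolve(fqdn, resolver)
    report = {"fqdn": fqdn, "ip": ip, "ports": {}}
    if ip is None:
        return report  # nothing to probe: DNS or the hosts entry is the problem
    for port in ports:
        report["ports"][port] = tcp_open(ip, port, connect=connect)
    return report


def blocked_ports(report: Dict[str, object]) -> List[int]:
    """Ports that did not answer, i.e. firewall rules still missing."""
    return sorted(p for p, ok in report["ports"].items() if not ok)


if __name__ == "__main__":
    # Hypothetical name; replace with your Connection Server FQDN.
    rep = preflight("view.example.local", REPLICA_PORTS)
    if rep["ip"] is None:
        print("FQDN does not resolve from this VLAN: check DNS or the hosts file")
    else:
        for port, ok in rep["ports"].items():
            label = REPLICA_PORTS[port]
            print(f"{rep['ip']}:{port} ({label}): {'open' if ok else 'BLOCKED'}")
```

Run it on a test desktop in the isolated VLAN rather than from the Connection Server's own VLAN; a port that is open from VLAN 60 but blocked from VLAN 50 is exactly the gap the firewall rule has to close, and a non-resolving FQDN points at the hosts-file step instead.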
Maldacai
Contributor

Hi.

I did put a 2nd NIC in the View Manager server so one NIC was VLAN 50 and the other VLAN 60, and it works doing it that way, but I want to keep the two VLANs isolated.

I'll try the replica server. I did configure a security server in VLAN 60 but didn't think about a replica. I believe I already have those ports open on the firewall, but I'll check.

Maldacai
Contributor

I'm trying your #1 suggestion: "1) The desktop needs to be able to contact the Connection Server, so it needs to be able to contact its FQDN on port 4001. So you would need to open that port and perhaps put a HOSTS file entry in the base image to point that FQDN to the IP address."

I've opened port 4001 on the firewall so that anything on VLAN 60 will be able to talk to the View Manager server via port 4001, and added the IP address and FQDN to the VM's hosts file.

The new error I get now when the customization fails is: "View Composer agent initialization state error (18): Failed to join the domain (waited 865 seconds)"

Would I need to open ports so the VM can connect to the DC? Or could I put a standalone DC in that VLAN? Not sure what's the best route.

Sergei13
Enthusiast

Not 100% sure this is related, but I had a similar problem because of DNS issues.

I don't use Microsoft DNS but Q-IP, and on top of that I have DNS subdomains.

To make it clear, let's say the main domain is mycompany.ad.dom.com and I have subdomains like usr.dom.com or even dom.com.

The way the Composer works by default, it's going to contact the VM with its full domain name, hence newpc.mycompany.ad.dom.com, while my machines are generated in a subdomain with a DNS name equal to newpc.usr.dom.com.

This will never work, and the PC configuration will end up failing after a 10 min timeout.

To get around this, you need a couple of things. I did it for XP; I don't know what the exact procedure would be for 7 or else.

1) KB from Microsoft: WindowsXP-KB944043-v3-x86-LNG, where LNG should be your OS language

2) Copy vdm_agent.adm onto your master in c:\windows\inf

3) Run gpedit.msc

4) Add the newly copied .adm file

5) Go to Computer Configuration\Administrative Templates\VMware...\Agent Configuration\

6) You have to disable "Connect using DNS name"

This will force the Composer to use the IP address as opposed to the DNS name and, firewall permitting, to talk to the VM, even in a different VLAN.

This is the technique that has to be used when deploying machines in a DMZ.

Hope this helps.

Cheers

Maldacai
Contributor

Hi Sergei13,

I implemented what you suggested, and I'm still getting the "View Composer agent initialization state error (18): Failed to join the domain (waited 875 seconds)."

Now the VMs that are being deployed into VLAN 60 are isolated from the rest of the network, so they wouldn't be able to connect to the DC. I only have port 4001 open so that any PC on VLAN 60 can communicate with the View Manager server on VLAN 50.

I was hoping other organizations would be deploying VMs into private VLANs, but perhaps not.

Sergei13
Enthusiast

If you need the VMs to be part of the domain, it won't work with only 4001.

Can't remember which ones are required, but I would take a look at 135-139 and maybe others.

What I would do is set an any-to-any rule first to make sure the mechanism works properly, and then check the traffic going between the machines in order to narrow down what you really need to open.

Cheers

S

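The narrowing-down step in the reply above, as an added example that is not part of the thread or of any firewall product: with a temporary any-to-any rule between the two VLANs logged, keep only the accepted flows the desktop VLAN initiates into the private VLAN, count them by (destination, protocol, port), and turn that set into the least-privilege allow-list. The log format, the addresses and every line in `SAMPLE_LOG` are constructed for this example; the ports that appear in it are illustrative and say nothing about what View or a domain join actually requires.

```python
"""Derive a minimal allow-list from logs of a temporary any-to-any firewall rule.

Added example; not from the original thread or from any vendor. The key=value
log format and all sample lines are constructed for this demonstration.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed log format: one flow per line with iptables-like key=value fields.
LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?"
)

# Constructed sample: 10.50.0.0/24 plays the isolated desktop VLAN, 10.60.0.0/24
# the private VLAN (10.60.0.5 a Connection Server, 10.60.0.10 a DC/DNS host).
SAMPLE_LOG = """\
Jan 10 09:00:01 fw kernel: action=ACCEPT src=10.50.0.21 dst=10.60.0.5 proto=tcp dport=4001
Jan 10 09:00:02 fw kernel: action=ACCEPT src=10.50.0.21 dst=10.60.0.10 proto=udp dport=53
Jan 10 09:00:03 fw kernel: action=ACCEPT src=10.50.0.21 dst=10.60.0.10 proto=tcp dport=88
Jan 10 09:00:03 fw kernel: action=ACCEPT src=10.50.0.21 dst=10.60.0.10 proto=tcp dport=389
Jan 10 09:00:04 fw kernel: action=ACCEPT src=10.50.0.21 dst=10.60.0.10 proto=tcp dport=445
Jan 10 09:00:05 fw kernel: action=ACCEPT src=10.50.0.22 dst=10.60.0.5 proto=tcp dport=4001
Jan 10 09:00:06 fw kernel: action=ACCEPT src=10.50.0.22 dst=10.60.0.10 proto=icmp
Jan 10 09:00:07 fw kernel: action=ACCEPT src=10.60.0.5 dst=10.50.0.21 proto=tcp dport=3389
Jan 10 09:00:08 fw kernel: action=ACCEPT src=10.50.0.21 dst=93.184.216.34 proto=tcp dport=443
Jan 10 09:00:09 fw kernel: action=DROP src=10.50.0.23 dst=10.60.0.10 proto=tcp dport=135
Jan 10 09:00:10 fw kernel: this line is not a flow record
"""

Flow = Tuple[str, str, Optional[int]]  # (dst ip, proto, dport or None)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Pull action/src/dst/proto/dport out of one line; None if it is not a flow."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f: Dict[str, object] = m.groupdict()
    f["dport"] = int(f["dport"]) if f["dport"] else None  # ICMP has no port
    return f


def observed_flows(lines: Iterable[str], src_net: str, dst_net: str) -> Counter:
    """Count accepted flows from src_net into dst_net, keyed by (dst, proto, dport).

    Reverse-direction traffic, traffic to other networks and dropped packets
    are left out: the allow-list we want covers only what the desktop VLAN
    itself initiates into the private VLAN.
    """
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    counts: Counter = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None or f["action"] != "ACCEPT":
            continue
        if ipaddress.ip_address(f["src"]) not in src:
            continue
        if ipaddress.ip_address(f["dst"]) not in dst:
            continue
        counts[(f["dst"], f["proto"], f["dport"])] += 1
    return counts


def render_rules(counts: Counter, src_net: str) -> List[str]:
    """One vendor-neutral allow rule per observed tuple, most-used first."""
    ordered = sorted(
        counts.items(),
        key=lambda kv: (-kv[1], kv[0][0], kv[0][1], kv[0][2] or 0),
    )
    rules = []
    for (dst, proto, dport), n in ordered:
        port = f" port {dport}" if dport is not None else ""
        rules.append(f"allow {proto} from {src_net} to {dst}{port}  # seen {n}x")
    return rules


if __name__ == "__main__":
    seen = observed_flows(SAMPLE_LOG.splitlines(), "10.50.0.0/24", "10.60.0.0/24")
    print("\n".join(render_rules(seen, "10.50.0.0/24")))
```

Feed it a capture that spans a full provisioning run (clone, customization, domain join, first logon) so nothing needed only at one stage is missed, then replace the any-to-any rule with the rendered list and re-run the pool; anything that breaks at that point shows up as a new DROP line rather than as a silent 15 minute timeout.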
chaz112182
Enthusiast

We just did the same thing and I ran into the same issue. I found that if you delete the DHCP addresses prior to kicking off any View Composer jobs, the VM will complete the customization process.

Maldacai
Contributor

So you have this working between isolated VLANs?

chaz112182
Enthusiast

Indeed. We have a subset of our users in VLAN 91 and another subset in VLAN 90. We created dedicated port groups for each and specified the appropriate VLAN. Also made sure the switch ports were trunked. Sounds like you did all that as well.

chaz112182
Enthusiast

I would also make sure to do an uninstall/reinstall of the agent and then do an ipconfig /release prior to powering off and taking your snapshot.

Maldacai
Contributor

Hi Chaz,

Now when you say you delete DHCP, is that not done when you do an ipconfig /release, or are you going into the properties of the NIC and removing DHCP?

I'm at a loss as to why it's not working for me... I'm thinking I don't have the correct ports open.
