As we all know, VMware View requires Active Directory to be implemented.
I have a test project for VMware View to implement.
We are on a Novell Infrastructure.
There are DC's in the production network but due to IT policies, we cannot use those in any way.
Plus, to help with the situation, I cannot create a new DC on the production network to prevent any communications between that DC and production DC's.
We have a back internal LAN on a 192.168.X.X range.
So I was wondering if I could proceed in the following way? Here is a little diagram of the vDistributed Switches that I created.
Production 10.8.X.X vDistributed Switch
vcenter (NIC1) --------------------------------|
view connection server (NIC1) ----------|
vm workstation1 (NIC1) -------------------|
vm workstation2 (NIC1) -------------------|-------------Production network Host NIC 1 on 10.8.X.X
vm workstation3 (NIC1) -------------------|-------------Production network Host NIC 2 on 10.8.X.X
vm workstation4 (NIC1) -------------------|-------------Production network Host NIC 3 on 10.8.X.X
vm workstation5 (NIC1) -------------------|
vm workstation6 (NIC1) -------------------|
Vkernel Management ----------------------|
Development 192.168.X.X vDistributed Switch
DC (NIC1) -------------------------------------|
vcenter (NIC2) -------------------------------|
view connection server (NIC2) ---------|
vm workstation1 (NIC2) ------------------|
vm workstation2 (NIC2) ------------------|-------------Development network Host NIC 4 on 192.168.X.X
vm workstation3 (NIC2) ------------------|-------------Development network Host NIC 5 on 192.168.X.X
vm workstation4 (NIC2) ------------------|
vm workstation5 (NIC2) ------------------|
vm workstation6 (NIC2) ------------------|
Vkernel vMotion ----------------------------|
The worry would be that if VM's have two NICs that they could route information from the DC of the DEV LAN to the PROD WAN.
I would appreciate any input on this possibility or on how we could implement VMware View with the requirement of Active Directory without having this Active Directory on the PROD WAN?
Any help would be greatly appreciated.
Are you looking at placing the entire VDI setup in 'PROD WAN' but having *only* the DC in DEV LAN? Here, placing the VDI means Broker, Agents and Clients. From which networks are you planning client access to the VDI desktops?
If you place the broker, agents and a new DC in DEV LAN, then making it accessible from DEV LAN or PROD WAN is pretty simple, but I think you are not looking for that, right?
DC would need to be in DEV. Or isolated in another way so that it would just communicate with the necessary servers for View and that it does not create any communication with the PROD DC's.
View Workstations would need to be PROD.
Clients would access the View client either on PROD workstations, PROD thin clients, or from home with VPN tunneling into PROD.
DEV network was setup to minimize workload on PROD network. DEV is at 1Gb and PROD is at 100Mb. So we are using DEV for vMotion and Backup jobs.
I hope this helps in helping me. I've done so much reading and been investigating so many possibilities and always ended up hanging on the AD situation.
Please do not hesitate to ask any other question, and I am open to any other type of implementation that would answer our goals.
Thank you.
OK there are two (or three) solutions keeping the DC in DEV
Solution:1
Give two NICs to the agents and Connection Server as you explained in the original post. When you install View Agent on a virtual machine that has more than one NIC, you must configure the subnet that View Agent uses. More details are available on page 56 of http://www.vmware.com/pdf/view-46-administration.pdf
Solution:2
Keep Broker, Agents and DC (everything except the client) in DEV LAN. The Broker should have one more NIC on the PROD VLAN, which the client will connect to.
Configure the external URL and enable tunnel connection for the View desktops. This can be configured in the View admin page, on the server configuration page. This way the entire traffic will be tunneled through the connection server across PROD and DEV. But View 4.5 does not support PCoIP on such a tunneled connection and you may end up using RDP.
Solution:3
You can achieve a PCoIP connection with Solution:2 above if you use View 4.6. To learn more about setting this up with View 4.6, refer to http://communities.vmware.com/docs/DOC-14974
Hope this helps..
Best Regards,
Siva
Thank you Siva,
I will be reading all the information that you've shared with me and I will give you a follow-up ASAP.
Thank you, This is greatly appreciated.
OK, for now here's what comes to mind...
How can I assure that if even one of the machines has two NICs to communicate with DEV and PROD, no communication would be routed from the DEV DC to the PROD network?
I was told a simple no, you cannot install a DC in a back network if this DC communicates with machines that are also on the PROD network, because there might be some routed information from the DC to the PROD environment.
So I would have to assure, give proof that the preceding is untrue.
Hi,
I hope your PROD and DEV are using different subnets. In such a scenario, for a machine that is part of PROD or DEV to access machines on the other network, you need to
1. Configure routing between the two networks
or
2. For machines which need to have access to both networks, add multiple NICs and make each a multihomed machine.
In the 1st case, all machines in both networks will be able to access each other.
In the 2nd case, only the machine having NICs placed on both networks will be able to access both networks. Machines which are not multihomed (in both networks) will be able to access this particular machine but not other machines on the other network.
So if you make your connection server part of both networks by adding multiple NICs, unless you configure that host as a router, no communication will happen from the DC running on DEV to PROD.
Regards
Noble
Hello npeter,
The DEV 192. network and the PROD 10. are set up with the same subnet, 255.255.255.0, but are set up on different switches. The DEV network is an isolated internal LAN for management only. It is connected only to the hosts. No Internet connections and not connected to the PROD network.
You're saying that you hope that both my networks aren't on the same subnet. I am in the learning process of all of this, so I would appreciate it if you could explain what could be the impact of having the same subnet for both networks.
Your help would be greatly appreciated.
Hi Martin,
>The DEV 192. network and the PROD 10. are setup with the same subnet, 255.255.255.0 but are set up on different switches.
DEV and PROD will be different networks even though they have the same netmask (say 255.255.255.0), as long as the network part of the IP address is different (say 192.168.2.0 and 10.22.12.0).
-noble
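Added example (not part of any post in this thread): a small Python model of the two replies above. It derives each NIC's network from its address and netmask, then checks whether packets from the DEV DC can reach a PROD-only machine. The host names, host addresses and the forwarding flag are assumptions made up for illustration; the two network numbers are the sample ones from the reply.

```python
import ipaddress

# Constructed inventory mirroring the thread's layout. Host names, host
# addresses and the "forwarding" flag are assumptions for illustration.
HOSTS = {
    "dc":          {"nics": ["192.168.2.10/255.255.255.0"], "forwarding": False},
    "view-broker": {"nics": ["10.22.12.20/255.255.255.0",
                             "192.168.2.20/255.255.255.0"], "forwarding": False},
    "prod-client": {"nics": ["10.22.12.50/255.255.255.0"], "forwarding": False},
}

def networks_of(host):
    """Network each NIC sits on: the IP address masked by its netmask."""
    return {ipaddress.ip_interface(n).network for n in host["nics"]}

def reachable_networks(hosts, source):
    """Networks that packets from `source` can reach at layer 3.

    A packet crosses from one network to another only through a host that
    is attached to both AND has IP forwarding enabled (acts as a router).
    """
    seen = set(networks_of(hosts[source]))
    frontier = list(seen)
    while frontier:
        net = frontier.pop()
        for h in hosts.values():
            nets = networks_of(h)
            if h["forwarding"] and net in nets:
                for other in nets - seen:
                    seen.add(other)
                    frontier.append(other)
    return seen

def can_reach(hosts, source, target):
    """True if `source` can send IP packets to any NIC of `target`."""
    return bool(reachable_networks(hosts, source) & networks_of(hosts[target]))

def forwarding_hosts(hosts):
    """Multihomed hosts that would act as routers between networks."""
    return sorted(name for name, h in hosts.items()
                  if h["forwarding"] and len(networks_of(h)) > 1)

if __name__ == "__main__":
    for target in ("view-broker", "prod-client"):
        print("dc ->", target, can_reach(HOSTS, "dc", target))
    print("routers:", forwarding_hosts(HOSTS))
```

The model covers IP forwarding only: the multihomed machine itself remains reachable from both networks, as the reply above notes.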
Hello guys,
Here is a follow-up and it is a simple one but not a good one. Just received confirmation from the IT authorities that it is a simple "No! No!" to have a DEV Back network.
My next step will be to investigate if Unidesk could be something interesting for us.
Thank you all for your help.
Canceled