Using VMware View 5 Security Server with Dynamic IPs

Hopefully you’ve kept up with my “How to install, Configure and deploy VMware View 5 on vSphere 5” series and had some fun playing around with View 5.  Let’s now take it to the next level.  Let’s get access to our View environment from outside of our home lab and without the need of VPN.  One of the cool features in View 4.6 was that the Security Server picked up PCoIP support.  The Security Server is essentially your ability to connect into your Virtual Desktop Environment from anywhere in the world without the need of a cumbersome VPN connection.

This blog post is going to take you through the complete process of connecting your iPad, laptop or any other device outside of your home’s firewall to your View 5 environment.  Let me start off by saying that it’s not as easy as it sounds.  The good news is I’m not the first person to do this, so others have blazed a trail for me to follow.  My hope is to do the same for you.

Here are my assumptions.  You are probably running this in your home office, you have a decent internet connection and you connect to the internet through your ISP’s provided router.  In my case I have Verizon FIOS, they supplied me with an ActionTec MI424-WR Router (it’s 4 or 5 years old so keep that in mind), and you don’t have a static IP for it.  You want something easy to remember (URL Name), so we need to look at something like No-IP Dynamic DNS to help with that.  We also need to make sure that our Security Server as well as our Connection Server get their External PCoIP IP address changed each time the router gets a new IP address from the DHCP server, so I need to get that squared away.

So here is the outline of what we will do in this blog:

  1. Install VMware View Security Server
    1. Add the Security Server information into the VMware View Admin Console
  2. Setup a No-IP DDNS Free Account
    1. Install the No-IP DDNS Client on one of my servers
  3. Setup a PowerCLI script to take my ISP’s DHCP IP address and update the View External PCoIP address when/if it changes.
  4. Setup a CRON Job to run my script every once in a while.
  5. Figure out how to poke a hole in my FIOS Router Firewall
  6. Test to make sure everything goes well. 

Hopefully we will get all of the above squared away and give me access to my View environment when I’m on the road.  Which is all about AWESOMENESS

Installing VMware View Security Server. 

Please note, you install the VMware View Security Server from the View Connection Broker install media and you probably want to put this on its own stand-alone Windows 2008 R2 VM.  You’ll see why shortly.

1. Double click on VMware View Connection Server-x86_64-5.0.0-481677 (or most current version)

1 - Click on VMware View Connection Server

2. Click next on this splash screen

2 - Click next on the splash screen

3. Click next on the End User Patent Agreement

3 - accept the EUPA

4. Accept the License Agreement

4 - Accept the License Agreement

5. Choose the location of where you want it to install.  I kept the default.

5 - Choose the location of the install

6. This is where you choose the View Security Server Option – click next

6 - choose View Security Server

7. Watch the paint dry, or the water boil – whatever works for you 🙂

7 - Watch the install part

8. Fill in the name of your View 5 Connection Server

8 - fill in the host name of your connection server

9. Here is a little detour.  In order for the security server to work with your View Connection Server they need to make sure that you are the right person to make that happen.  The way they do that is similar to setting up Bluetooth in your car.  You first create a passcode and then you use that passcode to pair the things together.  In this case, you need to go over to your View Admin Console and set this up.  Why don’t I walk you through that process 🙂 

9 - add in the password we setup in View Admin for the pairing process

 

10. Login to your View Admin Console and click on View Configuration and then click on Servers.

50 - go to view admin - click on view configuration - click on servers

11. In the right hand window, first highlight the View Connection Server and then use the “More Commands” dropdown menu to select “Specify Security Server Pairing Password”

51 - highlight the connection server - then click  more commands - select Specify Security Server Pairing Password

12. Setup the password and give yourself a good amount of time to get back and continue the install.  You can select Minutes or Hours if you want.  Click on Okay and you will be done with setting up the pairing password.  Go back to the Security Server install process and let’s continue the installation.  Hurry, because you are running out of time 🙂

52 - setup a password - if you are going to be a while change to minutes

13. Now type in the password you used to pair up the security server to the connection server and click next.

9 - add in the password we setup in View Admin for the pairing process

14. DOH !!  if you ran into this that means you took too long and you ran out of the time you specified in step 12.  Guess what, you have to start all over again with the install.  Seriously, from step 1 !!  You would think they would give you the ability to re-enter the password in (after you’ve gone back to set it again) instead of starting over again but they don’t.  Trust me, I didn’t just google this screen shot – I took too long. 

12 - DOH  - back to step again

15. At this point you are just verifying that everything looks right.  Correct Server name and correct internal IP address.  Don’t get caught up in what we will be doing later in the blog.  Just click next.

10 - Setup the View Security Server Configuration

16. I let the system configure my firewall automatically.  So click next

11 - let it setup the firewall changes

17.  We are done – click Finish.  Easy Peasy – sort of.

13 - click finish

Next up on the list is to go make sure our VMware View Connection Server has our Security Server registered in the View Admin Console.

18.  You probably still have this window open but just in case you don’t, you want to go to View Configuration and click on Servers as outlined in the screen shot.

50 - go to view admin - click on view configuration - click on servers

19. On the right hand side you should see the vCenter Server and your connection server information and you should also see a spot for View Security Servers.  It’s probably blank:

60 - click on refresh

20.  Just click on the right “refresh” icon and it should then look like this:

61 - It shows up

And with that, we are done with installing and setting up the View Security Server. 

Setting up No-IP DDNS in your environment. 

Now to move on to the next stuff.  Setting up a NO-IP DDNS account.  You can use any Dynamic DNS service that you want.  I simply used this because I was following Kendrick Coleman’s outline blog post on how to set this up.  I will tell you that you can use the free version.  Don’t feel obligated to pay for it.  The free version will work just fine for you.  Once you have that setup, you will need to download the D.U.C Software.

Here is the link to No-IP.Com – http://www.no-ip.com/services/managed_dns/free_dynamic_dns.html

Once you have the account, you want to download the following software to your Security Server (or any server behind your firewall).

Here is the link to the software: http://www.no-ip.com/downloads.php

21. Once you have an account setup, login to the site and click Add a Host

65 - click on Add Hosts

22. Pick a name you want to use, and also pick a domain name you want to use as well.  Make sure you have “DNS Host (A)” selected and don’t pay attention to the IP address – we will cover that in the DUC Software install. Also, don’t worry about the group etc.

66 - enter the name u want to use

 

Now let’s install the Dynamic DNS Update Client (DUC) Software from their site.  This software is going to keep your host record (the one you just created) updated with your router’s most current IP address. This will save us from having to memorize your router’s current IP address.  We will simply go to the host name you set up.

23.  From the download site – choose the Windows version and click on it.

70 - No-IP Download

24.  Once that is downloaded to your VM, double click the icon to install and click next. 

71 - click next

25. I’ll skip the next-next-next-finish part.  When you are done you will see the following ICON on your desktop.  Double click on go:

74 - when its done you should see EUC shortcut

26. Enter in your No IP Credentials from the website and click OK

75 - log in with your NO IP Credentials

27.  From here you should see the host name you configured.  This is how your “A Record” is updated on the host at No-IP.Com.  Select the Host name you want to use for this information and then click Save.  You are now done with this part.

67 - choose the host you want to use

FUN with PowerCLI

Next thing we need to do is the fun part.  We get a little dirty with PowerCLI.  The good news is we are only editing and not creating.  A wise man once told me “It’s ALWAYS easier to edit than it is to create” and with that, let’s RDP into our View Connection Server and start playing around with PowerCLI.

Remember the work we did above with No-IP and the fact that we had to download an app to keep our host information updated just in case we get a new IP from our ISP?  Well, we have to do the same thing on the Connection Server.  The great news is VMware has done some great work with their cmdlets for View, so we can actually script the IP address update.

 

So below is the copy of the script I run on my Connection Server to update both the connection server and the security server’s External PCoIP information (Screen shot #15 above).  I borrowed this script from KendrickColeman.com who borrowed it from Gabe’s site :).

Commentary about the script is below.

1:  #Add-PSSnapin VMware.VimAutomation.Core
2:  #Add-PSSnapin VMware.View.Broker
3:
4:  # Name of the Security Server
5:  # $SecurityServer = "SecurityServerNameHere"
6:
7:  # For logging creating a timestamp
8:  $TimeStamp = Get-Date -format yyyy-MM-dd-H-mm
9:
10:  # Filling $CheckedIP with the external IP address, using whatismyip.com service
11:  $wc = New-Object net.WebClient
12:  $CheckedIP = $wc.downloadstring("http://automation.whatismyip.com/n09230945.asp")
13:
14:  # Now check the current ExternalPCoIPURL entry
15:  $CurrentSettings = Get-ConnectionBroker
16:  $CurrentIP = $CurrentSettings[0].externalPCoIPURL
17:  # Check if $CurrentIP starts with the IP address from $CheckedIP
18:  # Used StartsWith because $CurrentIP has port address at the end
19:  $Result = $CurrentIP.StartsWith($CheckedIP)
20:
21:  # Are IP address the same?
22:  If ($Result)
23:  {
24:  # Yes, both IP addresses are the same, do nothing, only write a log entry
25:  $row = $TimeStamp + "," + $CheckedIP + "," + $CurrentIP + ",nochange"
26:  }
27:  else
28:  {
29:  # External IP is not equal to IP set in externalPCoIPURL
30:  # Changing the externalPCoIPURL
31:  #Update-ConnectionBroker -broker_id "ConnectionServerNameHere" -externalPCoIPURL $CheckedIP
32:  Update-ConnectionBroker -broker_id "SecurityServerNameHere" -externalPCoIPURL $CheckedIP
33:
34:  # Check if it was succesful
35:  $NewSettings = Get-ConnectionBroker
36:  $row = $TimeStamp + "," + $CheckedIP + "," + $CurrentIP + "," + $NewSettings.externalPCoIPURL
37:  }
38:  $row | Out-File -FilePath "c:\logging\check-ip.log" -Append

**FYI – I recommend using Notepad++ (downloaded from here: http://notepad-plus-plus.org/download/v5.9.6.2.html) to edit and save the script.  Yup, I said it, I had to edit what I got from Kenny in order to make it work on my system.  Nothing can ever be easy I guess !

Now, it might be that he uses View 4.6 in his script or something, but I couldn’t get it to work without the following changes.  I had to comment out lines 1 and 2 because it kept bombing out trying to add a snap-in that was already loaded.  I’m also fairly certain, and Gabe (@GabvirtualWorld) confirmed (huge SHOUT OUT to Gabe for helping me over Instant Messenger!!), that line #5 doesn’t really do anything, but I left it in nonetheless.  Why fix something that ain’t broke 🙂  Another thing you need to do: line 38 references a place to dump a log.  Go create the folder and the file or the script will bomb on that as well.  Finally you need to run the Snapin.PS1 script found in the “extras” folder, which can be found at: C:\Program Files\VMware\VMware View\Server\extras\PowerShell.
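The script passes whatever the lookup service returns straight to Update-ConnectionBroker, and its StartsWith test on line 19 treats 1.2.3.4 as matching 1.2.3.45:4172. The following is an added example (not part of the original script or of Kendrick’s or Gabe’s versions) that validates the response and compares the host part exactly; the function names and sample values are hypothetical.

```powershell
# Added example: hypothetical helper names, not part of the original script.
function Get-ValidatedExternalIP {
    param([string]$RawResponse)

    # Lookup services may append whitespace or a newline.
    $candidate = "$RawResponse".Trim()

    # Require exactly four dotted decimal groups; IPAddress.TryParse alone
    # also accepts short forms such as "1".
    if ($candidate -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $null }

    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($candidate, [ref]$ip)) { return $null }

    # Reject addresses that cannot be a router's public address
    # (unspecified, private, loopback, link-local, multicast/reserved).
    $b = $ip.GetAddressBytes()
    $notPublic = ($b[0] -eq 0) -or ($b[0] -eq 10) -or ($b[0] -eq 127) -or
        ($b[0] -eq 169 -and $b[1] -eq 254) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168) -or
        ($b[0] -ge 224)
    if ($notPublic) { return $null }

    return $ip.ToString()
}

function Test-UrlHasIP {
    param([string]$ExternalPCoIPURL, [string]$IP)
    # Compare the host part exactly instead of using StartsWith,
    # so a change in the last octet's length is not missed.
    return (("$ExternalPCoIPURL" -split ':')[0] -eq $IP)
}

# Constructed sample responses (documentation address range and junk input).
$samples = "203.0.113.7`n", "<html>error</html>", "192.168.1.1", "999.1.1.1", "1"
foreach ($s in $samples) {
    $ip = Get-ValidatedExternalIP $s
    if ($ip) { "accept: $ip" } else { "reject: $($s.Trim())" }
}

# Constructed externalPCoIPURL values: one differs in the last octet, one is identical.
Test-UrlHasIP "203.0.113.70:4172" "203.0.113.7"
Test-UrlHasIP "203.0.113.7:4172"  "203.0.113.7"
```

In the script, the update branch would run only when Get-ValidatedExternalIP returns a value and Test-UrlHasIP reports a mismatch; a rejected response is worth writing to the log as its own row.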

So let’s get into the View PowerCLI Gui and start on this process.

28. Open up View PowerCLI and run as Admin.

80 - Open up the View PowerCLI Gui - Run as Admin

29. Then change directory to C:\Program Files\VMware\VMware View\Server\extras\PowerShell and run add-snapin.ps1.  You do that by typing ./add-snapin.ps1 and it should run the script to add the necessary snap-ins.

85 - PowerCLI Snapin Install

30.  Now take your script, save it as a .PS1 file and run it and see what happens.  It should just give you a command prompt when it’s done.  You may have to run: set-executionpolicy bypass and it will prompt you to be “okay” with running possible bad scripts.  

The best way to see if it works is to run Get-ConnectionBroker at the PowerCLI prompt.  It will return a bunch of information, but specifically we are looking for externalPCoIPURL, and it should be your ISP’s router IP address.  In other words, my FIOS DHCP-enabled IP address.  You can also double check this in the View Admin Console in the servers area.  Just right click on the Security Server and check out the properties.  You should see the external PCoIP IP address.

When you are done with your script and it works perfectly, simply set up a cron job to schedule how often you want to run it.  Maybe every hour or two, depending on how often your system may update your IP.

Poking a hole in your firewall

The last major work we need to do is in your firewall/ISP Router.  If you are lucky enough to have your own Router (maybe running DD-WRT) you can setup Port Forwarding.  I borrowed this screen shot from Kenny’s site:

I have a Verizon FIOS ActionTec MI424-WR router and it’s about 5 years old.  It was not very intuitive on the port forwarding.  I played around with it but then just got frustrated and tossed the Security Server into the DMZ and called it good.  I’m working on getting it updated, or even replaced with a DD-WRT system to make it easier.  My recommendation would be to start with your Security Server in the DMZ and make sure everything works correctly before you go back and mess around with port forwarding.

Setting up your iPad to connect to your Security Server

Once you have all this stuff squared away, we need to set up our iPad to connect to it.  If you are lucky enough to have a 3G enabled iPad you can test this immediately.  If not, then you will want/need to test this outside your internal (home) network.  If you work for EMC, don’t bother trying to get to this while inside the EMC Network.  It’s locked down 🙁

Follow this blog post on how to setup your iPad VMware View Client.   Instead of adding in your internal Connection Broker name, simply use your No-IP Host name and continue the setup process. 

So that’s it !!  My hope is that you didn’t run into any issues and you sailed right through everything.  If you did, feel free to leave a comment below.  Especially if you ran into an issue and then figured out how to fix it.  This way you can save someone else from banging their head against the wall !!

@vTexan

6 thoughts on “Using VMware View 5 Security Server with Dynamic IPs”

  1. Pingback: Open Tabs 12/21
  2. All my servers are on a single ESXi host connected to the Firewall
    On the ESXi host:
    -Domain Controller
    -MSSQL server
    -vCenter server and View composer
    -Connection server
    -Security server

    I am not too great with Firewalls. I am using an iPAD to connect. I am having issues connecting to desktops from outside the firewall. It is giving the error “desktop is loading too slowly”
    If I connected to the security server or connection server. It works like a charm

    Can you help me? I am not sure how to configure the DMZ for security server. Any details on that side will be great

    Sunny

  3. script:
    # Filling $CheckedIP with the external IP address, using whatismyip.com service
    $wc=New-Object net.webclient
    $CheckedIP = $wc.downloadstring("http://checkip.dyndns.com") -replace "[^\d.]"

    in scheduler argument:
    -PSConsoleFile "C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\vim.psc1" "C:\logging\ChangeIP.ps1"
