Director requires information from the VDAS to retrieve information about user sessions available, for example, CPU , store display, run applications, etc.
Director 2.1 and earlier
In Director 2.1 and earlier, the information retrieval has been through direct communication between the director and VDAS remote management with Windows achieved (WinRM).
The XenDesktop installer can automatically enable and configure WinRM for use by Director. If you do not select WinRM automatically configure the XenDesktop installer or install WinRM running after the XenDesktop installer, then these changes can be made manually. For more information about installing, configuring and troubleshooting WinRM manually see CTX125243
non-domain administrators (or groups or computer account) In order to use Director, the ConfigRemoteMgmt.exe tool on the Director server with administrator privileges run by a command prompt with the following arguments:
ConfigRemoteMgmt.exe / configwinrmuser domain name
where name is a security group, user or computer account
. for example:
- to grant the necessary permissions for a user security group:
ConfigRemoteMgmt.exe / configwinrmuser MyDomain Helpdesk Users
- , the to grant permissions on a specific computer account:
ConfigRemoteMgmt.exe / configwinrmuser MyDomain Director Server $
direct communication between the director and VDAS by WinRM can lead to problems such somtime example:
- Director machines need to establish connections to VDAS be able WinRM (WMI via HTTP). Director also requires WMI via HTTP port to open and add a firewall exception on the VDA.
- The VDAS have to manage not aware of any delegated administration and no way to access the WMI classes except the Microsoft provided mechanism.
- WMI security permissions are not very granular, so open parts of the WMI functionality to Director administrators makes a great functional range available.
The above mentioned problems are in Director addressed 7.0
Director 7.0+
in XenDesktop 7.0 is Director WMI Proxy plug -in presented to overcome all the problems mentioned above. WMI Proxy plug-in is installed as part of the VDA. Director will ensure that all requests forwarded by Delivery Controller to the WMI proxy plugin runs on the VDA. WMI Proxy plug-in responds to the Director requests. The answers will be routed through the same channel
The WinRM port must not be opened.
to configure With the introduction of WMI proxy plug-in in Director 7.0, this eliminates the need for WinRM. In order to support WMI Proxy service, sends the query to the Director Delivery Controller. Delivery Controller will turn send the query to the VDA an existing secure communication channel between Delivery Controller and VDA. The WMI proxy plug-in, which is loaded as part of the broker agent in VDA, is by sending the information necessary to respond to the query. By doing this director does not need WinRM ports on the VDA and the WMI queries to open will be run locally on the VDA about WMI proxy plug.
Moreover, there is no longer required any firewall add exceptions
delegated administration awareness .:
model delegated administration provides the flexibility to match, such organization will delegate administrative activities, role and with object-based control. In previous versions it was a direct communication between the director and VDAS with Windows Remote Management (WinRM). As VDAS have no knowledge of the delegated administration, access management to WMI objects were difficult.
using WMI Proxy plug-in, the communication is routed through Delivery Controller. As Delivery Controller has a knowledge of the delegated administration, Delivery Controller can manage the permissions for the request before it is forwarded to the VDAS. The inquiries will be forwarded to VDAS only if the necessary authorization has been set. This request requires certain permissions are set. Hence the delegated administration is easier enforcements
. For example: Resetting the personal v-disc can be performed by a Help Desk Administrator. But this action is not available for a read-only Administrator. Customized roles can be created to perform certain operations
would need more information about delegated administration, please refer here
The pictorial representation of the communication look .:
Summary:
for XenDesktop 7.0 or later installations, there is no need for WinRM Director configure that retrieve the data from the VDAS. However, if users VDAS earlier than XenDesktop have 7 installed (Legacy VDA), Director will use to query the required data to the WinRM calls. WinRM must be configured to work for Director with these older VDAS.
0 Komentar