VMware Mirage Administrator's GuideVMware Mirage Administrator's Guide 4 VMware, Inc. Configure Specific Branch Reflector Values 97 Disable Branch Reflectors 98 Reject or Accept Peer

VMware Mirage Administrator's GuideVMware Mirage 5.9

VMware Mirage Administrator's Guide

2 VMware, Inc.

You can find the most up-to-date technical documentation on the VMware Web site at:

https://docs.vmware.com/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.3401 Hillview Ave.Palo Alto, CA 94304www.vmware.com

https://docs.vmware.com/

mailto:[email protected]

http://pubs.vmware.com/copyright-trademark.html

Contents

Mirage Administration 9

1 Mirage System Components 11

2 Activating Endpoints 17

Centralizing Endpoints 17Working with Upload Policies 19Working with CVD Collections 23Working with Archived CVDs 25

3 End User Operations 29

Access the Client Status 29File-Level Restoration 29Directory-Level Restore 30Suspend and Reactivate Synchronization 31

4 Configuring the File Portal 33

Allow Access to CVD Files 33Configure User CVD Mapping 34Browse and View Files with the File Portal 34Download Folders and Files from the File Portal 35

5 Protecting the Mirage File Portal 37

6 Configuring the Mirage System 41

Configure the System Settings 41Managing Bandwidth Limitation Rules 41License Settings 43Import USMT Library and Settings 43Authenticating the Mirage Gateway Server 44Branch Reflector Settings 44Configure File Portal Settings 44Enable CVD Auto Creation 44Configuring User Access to the File Portal 45General System Settings 45CVD Snapshot Generation and Retention 46Configuring Secure Socket Layer Communication 47

7 Mirage Customer Experience Improvement Program 49

Data Collected for the Customer Experience Improvement Program 49Joining the Customer Experience Improvement Program 51

VMware, Inc. 3

Stop Sending Data to VMware 51

8 Introduction to Mirage PowerCLI 53

Using Mirage PowerCLI 54Install the Mirage PowerCLI 54Run PowerCLI and Mirage PowerCLI in a Single PowerShell Session 54Mirage PowerCLI Cmdlets 55Displaying Help for a Mirage PowerCLI cmdlet 55Centralize Endpoints using Mirage PowerCLI 56Migrate an Endpoint OS by Using the Mirage PowerCLI 58Provision Pending Devices by Using the Mirage PowerCLI 61Assign a Base Layer to a CVD Using the Mirage PowerCLI 64Update App Layers Assigned to a CVD Using Mirage PowerCLI 67

9 Managing the Mirage Gateway Server 71

Configuring the Mirage Gateway Server 72Update a Certificate for the Mirage Gateway Server Using a Command Line 73Update Mirage Gateway Web Console Certificate (Optional) 73Update a Certificate for the Mirage Gateway Server Using the Web Console 74Register the Mirage Gateway Server Manually 74Protecting the Mirage Gateway Server 75Configuration Files for the Mirage Gateway Server 78Using Log Files to Troubleshoot the Mirage Gateway Server 79Remove the Mirage Gateway Server from the Mirage Management Console 81Re-Register the Mirage Gateway Server When the Status is Down in the Mirage Management

Console 81

10 Managing the Driver Library 83

Driver Library Architecture 83Managing Driver Folders 84Managing Driver Profiles 86

11 Deploying Multiple Storage Volumes 89

View Storage Volume Information 89Storage Volume Parameters 90Add Storage Volumes 90Edit Storage Volume Information 91Remove or Unmount Storage Volumes 91Mount Storage Volumes 92Block Storage Volumes 92Unblock Storage Volumes 92Maintain Storage Volumes 93

12 Managing Branch Reflectors 95

Branch Reflector Matching Process 95Select Clients To Be Branch Reflectors 96Enable Branch Reflectors 96Configure Defaults for Branch Reflectors 97


4 VMware, Inc.

Configure Specific Branch Reflector Values 97Disable Branch Reflectors 98Reject or Accept Peer Clients 98Suspend or Resume Server Network Operations 99Wake on LAN 99Configure Wake on LAN 100Monitoring Branch Reflector Activity 100

13 Deploying Additional Mirage Servers 103

Using Multiple Servers 103View Server Information 104Mirage Servers Window Information 105Add New Servers 105Stop or Start the Server Service 105Remove Servers 106Integrating a Load Balancing Framework 106

14 Image Management Overview 109

Base Layers and App Layers 109Layer Management Life Cycle 109Hardware Considerations with Base Layers 111Image Management Planning 111

15 Preparing a Reference Machine for Base Layer Capture 115

Set Up the Reference Machine 115Reference Machine Data Considerations 116Reference Machine Software and Settings 116Recreate a Reference Machine from a Base Layer 117

16 Capturing Base Layers 119

Capture Base Layers 119Working with Base Layer Rules 120Applying a Base Layer Override Policy 122Post-Base Layer Assignment or Provisioning Script 124

17 Capturing App Layers 127

App Layer Capture Steps Overview 127Prepare a Reference Machine for App Layer Capture 128Performing the App Layer Capture 129What You Can Capture in an App Layer 132Capturing OEM App Layers 133Capture Multiple Layers on a Virtual Machine 134Create a Post-App Layer Deployment Script 134

18 Assigning Base Layers 135

Detect Potential Effects of the Layer Change 135Testing the Base Layer Before Distributing it to Endpoints 138Assign a Base Layer to CVDs 139

Contents

VMware, Inc. 5

Assign a Previous Layer Version 141Monitor Layer Assignments 141Correct Software Conflicts By Using a Transitional Base Layer 142Fix Broken Layers on Endpoints (Enforce Layers) 142Provisioning a Layer for an Endpoint 143Maintain Corporate Image Compliance 143

19 Assigning App Layers 145

Detect Potential Effects of the App Layer Change 145Testing App Layers Before Distributing it to Endpoints 145Assign an App Layer to CVDs 146Monitor App Layer Assignments 147

20 Create a WinPE Image for Mirage 149

21 Installing the Windows Deployment Service 151

Install the Windows Deployment Service Using the Windows Server Manager. 151Install the Windows Deployment Service by Using Microsoft PowerShell 152

22 Add the WinPE Boot Images to the Windows Deployment Service Server 153

23 Provision a Device with Mirage by Using a WinPE Image 155

24 Mirage Validations for Bare Metal Provisioning 159

25 Provisioning a Device by Using the Self-Service Provisioning Tool 161

Create a Mirage Layer Group Configuration File 161Import Mirage Layer Groups 162Export Mirage Layer Groups 162Provision a Device by Using the Self-Service Provisioning Tool 162

26 CVD File Compliance Tool 165

27 Endpoint Disaster Recovery 169

Restore a Device to a CVD Snapshot 169Restoring to a CVD After Hard Drive Replacement or Device Loss 170Restoring Windows Devices 173Working with Bootable USB Drives 174Reconnect a Device to a CVD 178End User Experience with Restore Processes 178

28 Migrating Users to Different Hardware 181

Reassign a CVD to a Different Device 181Perform a Mass Hardware Migration 183

29 Windows OS Migration 185

Performing Windows OS In-Place Migration 186


6 VMware, Inc.

Migrating to Windows OS Replacement Devices 189Monitor the Windows OS Migration 190Applying Windows OS Post-Migration Scripts 190

30 Monitoring System Status and Operations 193

Using the System Dashboard 193Using Transaction Logs 195

31 Working with Reports for Mirage Operations 197

Layer Dry Run Reports 198CVD Integrity Report 199

32 Mirage Security Reference 201

Ports and Protocols Used by Mirage 201Protecting Mirage Resources 203Mirage Log Files 204Mirage Accounts 205

33 Maintaining the Mirage System 207

Server and Management Server Operations 207Upgrading from Previous Mirage Versions 215

34 Troubleshooting 219

CVD Events History Timeline 219Problematic CVDs 219Using Event and Other System Logs 220Customize the Minimal Restore set 220Generate System Reports 221Generate System Reports Remotely 222

35 Advanced Administration Topics 225

Mirage and SCCM 225Setting Up the SSL Certificate in Windows Server 226Using Microsoft Office in a Layer 228Managing Role-Based Access Control and Active Directory Groups 228Macros in Upload Policy Rules 231

36 Managing View Desktops with Mirage 235

37 Calculate CVD Compliance Score For User Installed Apps 237

Index 239

Contents

VMware, Inc. 7


8 VMware, Inc.

Mirage Administration

The VMware Mirage Administrator's Guide provides information about how to deploy Mirage to yourendpoints and configure the MirageMirage system. With Mirage, you can manage base layer and app layerimages, desktop operations such as disaster recovery and hardware and operating system migrations, andmonitoring, reporting, and troubleshooting.

Intended AudienceThis information is intended for the Mirage administrator. The information is written for experiencedWindows system administrators who are familiar with typical Windows Data Center environments such asActive Directory, SQL, and MMC.

VMware, Inc. 9


10 VMware, Inc.

Mirage System Components 1Mirage software centralizes the entire desktop contents in the data center for management and protectionpurposes, distributes the running of desktop workloads to the endpoints, and optimizes the transfer of databetween them.

The Mirage components integrate into a typical distributed infrastructure, with the following relationshipsbetween the system components:

n Mirage clients connect to a Mirage server, either directly or through a load balancer.

n The administrator connects to the system through the Mirage Management server.

n Mirage servers and the Mirage Management server share access to the back end Mirage database andstorage volumes. Any server can access any volume.

VMware, Inc. 11

Figure 1‑1. System Components

LAN

LAN

Remote Branch Site

Branchreflector

Data Center

Mirage clientsMobile users

Mirage clientsLocal site

Mirage Gatewayserver

Loadbalancer

MirageManagementserver withfile portal

Miragedatabase,storagevolumes

Mirageservercluster

Mirage Managementconsole/Web Manager

Mirage clients

Internet

DMZ

WANMongoDB

Mirage ClientThe Mirage client software runs on the base operating system and makes sure the images at the endpointand the CVD are synchronized. The client does not create or emulate a virtual machine. No virtual machinesor hypervisors are required. The Mirage client software can run on any Type 1 or Type 2 hypervisor.

Mirage Management ServerThe Mirage Management server, located in the data center, is the component that controls and manages theMirage server cluster. Installing multiple Mirage Management servers increases Mirage availability in theevent that a Mirage Management server fails.

Note VMware recommends to set up multiple Management Servers to prevent data loss in case theManagement Server fails. A message pops up in the Mirage Management Console whenever you connect toa server inside a cluster with only one enabled Mirage Management server.

Mirage Management Console (Optional)The Mirage Management console is an optional graphical user interface used for scalable maintenance,management, and monitoring of deployed endpoints. The administrator can use the Mirage Managementconsole to configure and manage Mirage clients, base layers, app layers, and reference machines. Theadministrator uses the Mirage Management console to update and restore CVDs.


12 VMware, Inc.

MongoDB File DatabaseMirage uses the MongoDB file database to store system data and small files, reducing IOPS and uploadtime. A MongoDB instance is installed with each Mirage Management server that you install.

Note VMware recommends that you replicate the file database by installing an additional MirageManagement server to achieve a fault tolerance deployment.

If your configuration has only one Mirage Management Server, the Web Management displays a red bannerwith the following message:

Your system has a single active Management Server. Set up multiple Management Servers to preventdata loss in case the Management Server fails. Important: Do not clone the VM.

If there is more than one management server, but any of the management servers is down or disabled, thefollowing text is displayed:

Some of the Mongo nodes on your system are down, if all nodes are down Mirage operations will fail.View the Management Servers tab for details. After resolving the issue start the Management Server viaManagement Servers tab. For more information refer to KB2144975.

After you install two Mirage Management servers Mirage creates a replica of the MongoDB database.

Verify that you have a dedicated drive with at least 250GB of free disk space for the MongoDB database files.If you cannot designate a local drive or SAN for the MongoDB database files, designate a dedicated NASvolume on higher-end storage with lower latency to minimize disconnects between MongoDB and theMongoDB files.

As an administrator, you can move the MongoDB data of a selected Mirage Management Server to adifferent location. This feature is enabled only after installing more than one Mirage Management Server. Inyour Web Management, click Servers > Management Servers > Configure. In the Configure MirageManagement Server dialog, enter the name of the location where you move the MongoDB data and clickOK.

Mirage Web ManagementThe Mirage Web Management is the Web-based application that is used for scalable maintenance,management, and monitoring of deployed endpoints. Mirage Web Management has roles such as Helpdesk,Data Protection manager, Image Manager, and Administrator. Data Protection Manager ensures data isproperly backed up and protected on user devices. Image manager can capture and deploy layers, provisionnew devices, and manage branch reflectors. The administrator role has the highest level of permissions andcan preform all operations in the system including managing servers. It helps administrator and help deskpersonnel respond to service queries, and lets the Protection Manager role ensure that user devices areprotected. The administrator can use the Mirage Management console to configure and manage Mirageclients, base layers, app layers, and reference machines. The administrator uses the Mirage Managementconsole to update and restore CVDs. For more information, see the VMware Mirage Web Management Guide.

Mirage ServerThe Mirage servers, located in the data center, synchronize data between the Mirage client and thedatacenter. The Mirage servers also manage the storage and delivery of base layers, app layers, and CVDs toclients, and consolidate monitoring and management communications. You can deploy multiple servers as aserver cluster to manage endpoint devices for large enterprise organizations. It is good practice to keep theserver on a dedicated machine or a virtual machine. However, a server can run on the same machine as theMirage Management server.

The server machine must be dedicated for the Mirage server software to use. The server machine must notbe used for other purposes.

Chapter 1 Mirage System Components

VMware, Inc. 13

Centralized Virtual DesktopCVDs represent the complete contents of each PC. This data is migrated to the Mirage server and becomesthe copy of the contents of each PC. You use the CVD to centrally manage, update, patch, back up,troubleshoot, restore, and audit the desktop in the data center, regardless of whether the endpoint isconnected to the network. A CVD comprises several components.

Table 1‑1. CVD Components

Component Defined By (Role) Description

Base layer Administrator The base layer includes the operatingsystem (OS) image and coreapplications such as antivirus, firewall,and Microsoft Office. A base layer isused as a template for desktop content,cleared of specific identity information,and made suitable for centraldeployment to a large group ofendpoints.

App layers Administrator App layers include sets of one or moredepartmental or line-of-businessapplications, and any updates orpatches for already installedapplications. App layers are suitablefor deployment to a large number ofendpoints.

Driver profile Administrator The driver profile specifies a group ofdrivers for use with specific hardwareplatforms. These drivers are applied todevices when the hardware platformsmatch the criteria that theadministrator defines in the driverprofile.

User-installed applications andmachine state

End users User-installed applications andmachine state can include a uniqueidentifier, host name, anyconfiguration changes to the machineregistry, DLLs, and configuration files.

Mirage Reference MachineA Mirage reference machine is used to create a standard desktop base layer for a set of CVDs. This layerusually includes OS updates, service packs, patches, corporate applications for all target end users to use,corporate configurations, and policies. A reference machine is also used to capture app layers, which containdepartmental or line-of-business applications and any updates or patches for already installed applications.

You can maintain and update reference machines regularly over the LAN or WAN, using a Mirage referenceCVD in the data center. You can use the reference CVD at any time as a source for base and app layercapture.

Mirage Branch ReflectorA Mirage branch reflector is a peering service role that you can enable on any endpoint device. A branchreflector can then serve adjacent clients in the process of downloading and updating base or app layers onthe site, instead of the clients downloading directly from the Mirage server cluster. A branch reflector cansignificantly reduce bandwidth use in several situations, such as during mass base or app layer updates. Thebranch reflector also assists in downloading hardware drivers.


14 VMware, Inc.

Mirage File PortalEnd users can use appropriate Mirage login credentials and the Mirage file portal to access their data fromany Web browser. The back-end component runs on the Management server.

Distributed Desktop OptimizationThe Distributed Desktop Optimization mechanism optimizes transport of data between the Mirage serverand clients, making the ability to support remote endpoints feasible regardless of network speed orbandwidth. Distributed Desktop Optimization incorporates technologies that include read-write caching,file and block-level deduplication, network optimization, and desktop streaming over the WAN.

Mirage Gateway ServerThe Mirage Gateway server is the secure gateway server that is deployed outside the Mirage data centerenvironment, but should be within the datacenter. The Mirage Gateway server meets the enterprise securityand firewall requirements and provides a better user experience for Mirage clients that access the Mirageservers through the Internet. The Mirage Gateway server seamlessly integrates with the Mirage system withminor modifications to the Mirage system and protocol.

Chapter 1 Mirage System Components

VMware, Inc. 15


16 VMware, Inc.

Activating Endpoints 2The Mirage client software runs in the base operating system and verifies that the images at the endpointand the CVD are synchronized. To prepare an endpoint for centralized management of the device data, youinstall the Mirage client on the device and activate the device by synchronizing it to a CVD on the Mirageserver.

You must define upload policies, which determine which files to synchronize, before endpoints areactivated. The activation process selects an existing upload policy for the endpoint.

The client does not create or emulate a virtual machine. No virtual machines or hyper visors are required.The client can run on physical machines, Type 1 or Type 2 hypervisors.

This chapter includes the following topics:

n “Centralizing Endpoints,” on page 17

n “Working with Upload Policies,” on page 19

n “Working with CVD Collections,” on page 23

n “Working with Archived CVDs,” on page 25

Centralizing EndpointsAfter you install the Mirage client, you centralize the device. Centralization activates the endpoint in theMirage Management console and synchronizes it with, or assigns it to, a CVD on the Mirage server so thatyou can centrally manage the device data.

When you first introduce Mirage to your organization, you must back up each device, creating a copy of iton the server, in the form of a Centralized Virtual Desktop (CVD) . You can then centrally manage thedevice.

The endpoint with the client installed appears in the Mirage Management console as Pending Assignment,and is pending activation in the system. You can also reject a device that you do not want to manage in thesystem.

End User Centralization with CVD Autocreation ProcedureAfter you install the Mirage client, users can start the centralization of their own endpoint by logging in.

When a user logs in for the first time, Mirage centralizes the user’s endpoint.

Prerequisites

Verify that the administrator enabled CVD autocreation. CVD autocreation is disabled by default. See “Enable CVD Auto Creation,” on page 44.

VMware, Inc. 17

Procedure

1 The user logs in using DOMAIN\user or user@DOMAIN.

2 The user provides user credentials.

3 If the prompt is closed or cancelled, the user can restart this process by right-clicking the Mirage icon inthe notification area and selecting Create New CVD.

CVD autocreation starts.

Administrator Centralization ProcedureAfter the Mirage client is installed, the administrator can centralize the endpoint. Centralization performedby the administrator provides more control over the process, for example, allows a choice of upload policy,placement of CVDs on different volumes, and whether to assign a base layer.

You might want to add devices to a collection. A collection is a folder that aggregates CVDs that share alogical grouping, for example, Marketing CVDs. You can then implement relevant base layer changes with asingle action on all CVDs in the collection. See “Working with CVD Collections,” on page 23.

Prerequisites

The devices to centralize must be in the Pending Devices queue.

Procedure

1 In the Mirage Management console, select Common Wizards > Centralize Endpoint.

a Use Search or filter to find the device or devices you want to assign and click Next.

All devices in the filtered list are included in the centralization procedure.

b Select the upload policy to use and click Next.

If you do not make a selection, a default policy applies, as specified in the general system settings.

c Select whether you want to add a base layer to the endpoint and click Next.

d Select one or more app layers to which you want to add to the device and click Next.

This step only appears when you have selected a base layer from the previous step.

e Select a target storage volume to where you want to store the endpoint base layer and app layersand click Next. Alternatively, you can have Mirage choose the volume according to the sizes of thebase layer and app layers by selecting Automatically choose a volume.

f The Compatibility Check window displays whether or not the assigned CVDs connected to theendpoint passed the compatibility validation check. When the endpoint passes the validation, youcan click Next to proceed.

n When there are potential problems with the CVDs, a warning window appears. You can selecteach item in the Mismatch List and the validation details and resolution are displayed on thebottom of the window. You can either fix the problem, or click Ignore to bypass the problem.Alternatively, you can click Ignore All to bypass all warning messages.

n When there are fatal errors that must be resolved to centralize the endpoint, a blockingwindow appears. You can select an error from the Mismatch List to view the Validation Detailson the bottom of the window. You must resolve these issues before continuing. The Ignore andIgnore All buttons are unavailable.

2 Click Finish.

The client starts the scanning phase according to the policy defined during the installation.

After the scanning finishes, the device appears in the All CVDs panel.


18 VMware, Inc.

3 (Optional) You can monitor the centralization progress.

The notification area icon changes to show that the initialization process has started, and the consoleshows that the client has started an upload. When the initialization process finishes and serversynchronization starts, the notification area icon shows the progress of the upload. The console alsoshows the upload progress in the Progress column of the CVD inventory list. The user can also view thedetailed status of the upload operation by clicking the Mirage icon in the notification area.

Reject Pending DevicesYou can reject a client device that is pending assignment that you do not want Mirage to manage.

The server does not honor communication requests from rejected devices. After a device is rejected it movesfrom the Pending Devices list to the Rejected list.

Note This option is available in the Mirage Management Console. In Mirage Web Management console,deleting obsolete devices rejects and deletes them simultaneously.

Procedure

1 In the Mirage Management console, expand the Inventory node and click Pending Devices.

2 Right-click the pending device to remove and select Reject.

3 Click Yes to confirm.

Reinstate Rejected DevicesYou can remove a device from the Rejected list at any time to reinstate it.

If you remove a device from the Rejected list to reinstate it, the device's configuration remains valid. Thedevice connects to the server and appears in the Pending list the next time the client connects.

Note This feature is available only in available only in Mirage Management Console and not WebManagement.

Procedure

u Right-click the device that is in the Rejected list, and select Remove.

Working with Upload PoliciesAn upload policy determines which files and directories to upload from the user endpoint to the CVD in thedata center. You must define upload policies before you activate endpoints because the activation processselects an existing upload policy for the endpoint.

A CVD is assigned only one upload policy at a time.

You can create upload policies by defining whether files are unprotected or local to the endpoint, orprotected. Protected files are uploaded to the Mirage server in the data center.

To simplify the task, you identify only files and directory names or patterns that are not uploaded to theCVD. The remaining files are considered part of the CVD and are protected.

The list of files that are not protected is defined by a set of rules and exceptions.

You define two upload policy areas that the system uses according to the relevant system flow.

Chapter 2 Activating Endpoints

VMware, Inc. 19

Table 2‑1. Upload Policy Areas

Upload Policy Area Description

Unprotected area Lists files and directories on the endpoint device that are not protected, but with a subsetof exceptions defined as protected. By default, Mirage protects all other files anddirectories.

User area Lists end-user files and directories, such as document files, that are excluded from therestoration and that are kept on the endpoint devices in their current state when theRestore System Only option is used to revert a CVD. See “Restore a Device to a CVDSnapshot,” on page 169Additionally, the user area is used to filter out information from the base and app layers.The user area cannot be downloaded or viewed by the end user.

The upload policy that is applied to the CVD consists of various items.

n A selected built-in factory policy that VMware provides to assist the administrator with first timedeployment

n Administrator modifications to that policy to address specific backup and data protection needs

The built-in factory policy is a reference for further customization and includes all the mandatory rules thatthe system needs to function. The administrator cannot modify the mandatory rules.

Before you use a built-in policy, evaluate it to be sure it meets backup policy and data protection needs. Thebuilt-in policies, for example, do not upload .MP3 and .AVI files to the CVD.

You can use one of the following customizable built-in upload policies, to help manage mixed Mirage andView systems:

Mirage default uploadpolicy

Use on Mirage servers that manage CVDs on distributed physical devices.

View optimized uploadpolicy

Use on Mirage servers that manage CVDs on virtual machines. This uploadpolicy is provided for convenience. It is identical to the Mirage defaultupload policy, except that the Optimize for Horizon View check box isselected.

View Upload PoliciesYou can view an upload policy to review its content and parameters.

Procedure

1 In the Mirage Management console, expand the System Configuration node and click CVD Policies.

2 Double-click the policy to view the policy contents and parameters.

Upload Policy ParametersUpload policies have various parameters that you can view, configure, and edit.

Table 2‑2. Upload Policy Parameters

Parameter Description

Name and Description Name and description of the policy.

Upload change interval Denotes how frequently the client attempts to synchronize with the server. Thedefault is every 60 minutes. End users can override the policy in effect at anendpoint. See Suspend and Reactivate Synchronization. The Upload changeinterval affects the frequency of automatic CVD snapshot creation. See CVDSnapshot Generation and Retention.


20 VMware, Inc.

Table 2‑2. Upload Policy Parameters (Continued)


Protected volumes Denotes which volumes to centralize from the endpoint to the CVD in the server.All fixed volumes are protected by default. You can select to protect only thesystem volumes and add more volumes by using the assigned drive letters.

Unprotected Area tab Defines the rules to unprotect files and directories.

Rules list Paths that are explicitly unprotected by Mirage.

Rule Exceptionslist

Paths that are exceptions to unprotect rules in the Ruleslist. Mirage protects exceptions to unprotect rules.

User Area tab Defines the rules to unprotect files and directories defined as user files. These rulesare used instead of Unprotected Area rules when certain system flows specificallyrefer to user files.The tab contains Rules and Rule Exception areas, used in the same way as in theUnprotected Area tab.

Advanced Options tab Provides advanced policy options for optimization of the CVD policy.

Show Factory Rules check box Shows the Factory upload policy settings in the rules list, the Mirage mandatorysettings that the administrator cannot change. The factory rules are dimmed in therules list.

Export button Exports policy rules to an XML file for editing and backup. Mirage factory rulesare not exported, even if they appear in the policy window.

Import button Imports policy rules from an XML file.

Add New Upload PoliciesWhen you add a new upload policy, the new policy is added to the respective node.

Procedure

1 In the Mirage Management console, expand the System Configuration node, right-click UploadPolicies, and click Add an Upload Policy.

2 Type the policy name, description, and policy data.

3 Click OK to save the policy.

Edit Upload PoliciesYou can edit an upload policy in the Mirage Management console and distribute the revised policy.

You can also use an external editor to edit the policy. You export the policy file, edit it, and import it back tothe Mirage Management console.

The new policy takes effect at the next update interval in which the client queries the server. The defaultupdate interval time is one hour, and requires a full-disk scan.

Before you distribute the revised policy to a group of CVDs, it is good practice to test it on a sample desktop.

Procedure

1 In the Mirage Management console, expand the System Configuration node, and Upload Policies, anddouble-click an upload policy.

2 Edit the policy data and click OK.


VMware, Inc. 21

3 Indicate the scope of the update by selecting a minor version, for example, 1.1, or a major version, forexample, 2.0, and click OK.

The new policy is added to the Mirage Management console with the new version number.

4 (Optional) To distribute the changed policy, right-click the policy with this policy version and selectUpdate CVDs.

Add or Edit Upload Policy RulesYou can add or edit a policy rule or a rule exception in a policy. A rule defines directories or files that are notprotected, and a rule exception defines entities within the scope of the rule that are protected.

When you formulate policy rules, you can use macros to assist specification of various Mirage directorypaths addressed by the rules. For example, macros allow Mirage and the administrator to handle caseswhen some endpoints have Windows in c:\windows and some in d:\windows. Using macros andenvironment variables makes sure Mirage backups important files regardless of their specific location. Forinformation about the macro specifications, see “Macros in Upload Policy Rules,” on page 231.

Procedure

1 In the Mirage Management console, expand the System Configuration node, select CVD Policies , anddouble-click the required upload policy.

2 Click Add or Edit next to the required Rule or Rule Exception area.

3 Type the directory path or select it from the drop-down menu.

Important Do not type a backslash (\) at the end of the path.

4 Specify a filter for this directory or a pattern for matching files under this directory.

For example, to add a rule not to protect Windows search index files for all the users on the desktop,add the following rule:

%anyuserprofile%\Application Data\Microsoft\Search\*

5 Click OK.

Using the CVD Policies Advanced OptionsYou can set the several advanced options to the CVD policy to provide better performance of the CVD.

The CVD policy advanced options let you provide better performance and optimization for CVDs.

You can access the Advanced Options tab when editing policy rules. See “Add or Edit Upload Policy Rules,”on page 22

Table 2‑3. CVD Policy Advanced Options

Option Description

Optimize for VMware Horizon Select this option to indicate that each CVD assigned to this policy is a Viewdesktop. Mirage limits the number of concurrent layer updates currentlyassigned in the System Configuration settings. When this option is selected,the Layer assignment only and the Optimize for LAN environments optionsare automatically enabled.

Layer assignment only Select this option to prevent data from the client to be uploaded to the Mirageserver. The client is used as an image management tool without the fullbackup of the client. This option is automatically enabled when the Optimizefor VMware Horizon View option is selected.


22 VMware, Inc.

Table 2‑3. CVD Policy Advanced Options (Continued)

Option Description

Optimize for LAN environments Select this option to deactivate compression and block-level deduplication oneach CVD to which the policy is assigned. This provides a fastercentralization process Mirage in LAN environments and lowers the resourcesconsumed on the endpoint and Mirage server. When this option is enabled,the restore streaming functionality is disabled. This option is automaticallyenabled when the Optimize for VMware Horizon option is selected.

Disable client throttling Select this option to disable the client and network throttling between theMirage client and the Mirage server, giving priority to Mirage

operations.

Protect EFS files Select this option to restore Encrypted File System (EFS) files to their originalencrypted state after files are downloaded in a CVD restore or file-levelrestore. This option is unavailable when either the Optimize for VMwareHorizon option, or the Layer Management Only policy are enabled.

Hide system tray notifications When enabled, Mirage clients on endpoints run in stealth mode, hiding allinformative notifications and system tray icon. Messages that require userinteraction (like reboot request) still appear.

Optimize for Horizon View check box Optimizes performance on servers that use Horizon View to manage virtualmachines.

Working with CVD CollectionsYou can group in a collection folder CVDs that share a logical relation to other CVDs. Additionally, you canchange an upload policy to a CVD collection with a single action.

For example, you can aggregate all CVDs of users in the marketing department to a folder under a collectioncalled Marketing. Then you can change with a single action the upload policy that all the Marketing CVDsshare.

Mirage supports static and dynamic collections. You manually assign CVDs to a static collection, while CVDassignments to dynamic collections are calculated based on predefined filters every time an operation isapplied to a collection.

A CVD can be a member of multiple collections. If different base layers or policies are applied to differentcollections and a CVD belongs to more than one, the last change applied takes effect.

Add Static CollectionsYou can add a static collection folder to the Collections node, to which you can add CVDs manually.

Procedure

1 In the Mirage Management console, expand the Inventory node, right-click Collections, and select Adda Collection.

2 Type a name and description for the collection.

3 Select Static Collection.

4 Click OK.

Add CVDs to Static CollectionsYou can move CVDs to existing collection folders to organize them in logical groupings.

Procedure

1 In the Mirage Management console, expand the Inventory node and select All CVDs.


VMware, Inc. 23

2 To select the Mirage clients to move to the collection, right-click, and select Manage CVD > ManageCollections.

3 Select the collection to which to move the CVDs.

4 Click OK.

Add Dynamic CollectionsYou can add a dynamic collection. CVD assignments to the dynamic collection are calculated based onpredefined filters every time an operation is applied to the collection. You can define an unlimited numberof rules for a dynamic collection.

Procedure

1 In the Mirage Management console, expand the Inventory node, right-click Collections, and select Adda Collection.

a Type the name and description for this dynamic collection.

b Select the Dynamic collection option.

c Select the filter to define the dynamic collection from the Column drop-down list.

You might have to select a condition and value for the filter that you select.

d Click Apply to view the CVDs filtered into the collection.

These CVDs appear in the lower pane.

2 Click OK.

Add Dynamic Collections by Using Active DirectoryYou can use Active Directory (AD) to add a dynamic CVD collection. You can add CVDs to the collection byActive Directory group, organizational unit, or domain. You can create a filter for multiple Active Directoryelements.

The Active Directory is updated whenever a device is authenticated. Active Directory information mightchange if the Active Directory is updated for that user or device.

Procedure

1 In the Mirage Management console tree, expand the Inventory node, right-click Collections, and selectAdd a Collection.

a Type the name and description for this dynamic collection.

b Select Dynamic Collection.

c In the Column drop-down menu, set the filter to define the dynamic collection by Active Directorygroup, Active Directory organizational unit, or Active Directory domain.

You can select additional filters from the Column drop-down menu.

d Click Apply to view the CVDs filtered to the collection. These CVDs appear in the lower pane.

2 Click OK.


24 VMware, Inc.

Working with Archived CVDsYou can archive a CVD to preserve its data, snapshots, and operational history for long-term retention. Youcan also reinstate an archived CVD and assign it to another endpoint. You can delete archived CVDs that areno longer required to free up space.

After you archive a CVD, it does not require a Mirage license.

Archive CVDsYou can transfer a CVD that is not immediately required to the CVD archive.

Procedure

1 In the Mirage Management console tree, expand the Inventory node, and select All CVDs.

2 Right-click the CVD that you want to archive, and select Manage CVD > Archive.

3 Confirm that you want to archive the CVD.

The CVD is transferred to the CVD Archive.

View CVDs in the ArchiveYou can view a list of the CVDs that you archived.

Procedure

u In the Mirage Management console tree, expand the Inventory node and select Archive.

Delete CVDs from the ArchiveArchiving CVDs can take up disc space. You can delete archived CVDs that you do not need.

Procedure

1 In the Mirage Management console tree, expand the Inventory node and select Archive.

2 Select the archived CVD you want to delete.

3 Click the Delete from Inventory icon on the CVD Archive toolbar.

Move Archived CVDs to Another VolumeYou can move a CVD to another storage volume, according to your disc organization requirements.

Procedure


2 Right-click the archived CVD you want to move and select Move to a different volume.

3 Select the volume selection option.

Option Description

Automatically choose a volume Mirage selects the volume.

Manually choose a volume You select where to move the archived CVD, and then select the volume.

4 Click OK.


VMware, Inc. 25

Assign an Archived CVD to a DeviceYou can reinstate an archived CVD to assign it to an endpoint device, for example, when an employeereturns to the company from leave.

The device can be the original endpoint device or a new device that is a replacement for the original device.

The procedure is the same as for reassigning a CVD to a different device. See “Reassign a CVD to a DifferentDevice,” on page 181.

Prerequisites

Install the Mirage client on the client machine. See the VMware Mirage Installation Guide.

Verify that the drive letters of the new endpoint and the CVD in the data center are compatible. If the driveletters are different, the system does not allow the restore operation to proceed.

Perform Sync Now on the endpoint before migrating it to a new client machine. This ensures that all data issaved to the data center before the migration takes place. See “Suspend and Reactivate Synchronization,” onpage 31.

Select a domain for this endpoint to join after the restore operation . If you want to use the same credentialseach time, perform the following steps:

1 In the Mirage Management console tree, right-click System Configuration and select Settings.

2 On the General tab, type the credentials you want to use for domain joining.

The join domain account must meet the appropriate security privilege requirements. See “GeneralSystem Settings,” on page 45.

Procedure


2 Right-click the archived CVD and select Assign to a Device.

3 Select the device where you want to migrate the CVD and click Next.

Only devices compatible with the selected CVD are listed.


26 VMware, Inc.

4 Select a restore option.

a Select a restore option for the selected CVD and device.

Restore Option Description

Full System Restore This option includes restoring the OS, applications, user data, and user settings.Use this option for systems with Windows volume licenses or Windows OEMSLP licenses.The entire CVD is restored to the replacement device, including OS,applications, and user files. Any existing files on the replacement device are lostor overwritten.If you select this option, you must select a base layer during the migrationprocedure.

Restore Applications, UserData and Settings

Use this option only when replacing a device that has a different WindowsOEM license.The OS of the replacement device must be the same as that of the CVD.Only applications and user data are restored to the replacement device. Theexisting OS and applications installed on the replacement device are retained.Note This option is not available for Windows 8 and Windows 10 endpoints.

Only Restore User Data andSettings

Use this option to migrate users from Windows XP, Windows Vista, andWindows 7 machines to new Windows 7 machines, or Windows 7 to Windows8.1 machines, and from Windows 7 or Windows 10 machines to new Windows10 machines.The OS of the replacement device must be the same as or newer than that of theCVD.Only user data and settings are restored to the replacement device. The existingOS and applications installed on the replacement device are retained.

You can maintain the current layer, if one applies, select a new base layer from the list, or proceedwithout a base layer.

b Click Next.

5 (Optional) Type a name for the CVD and specify the domain options.

a Change or define the host name for a device being restored.

b Select a domain for this endpoint to join after the restore operation.

The current domain is shown by default.

c Type the OU and Domain or select them from the drop-down menus.

The drop-down menus are populated with all known domains in the system. Each text box showsthe required syntax pattern.

Option Description

OU Verify that the OU is in standard open LDAP format. For example,OU=Notebooks, OU=Hardware, DC=VMware, DC=com.

Join Domain account The join domain account must meet the appropriate security privilegerequirements as defined in the system general settings.The account must have access to join the domain. This is not validated.

d Click Next.

6 Use the validation summary to compare the target device with the CVD.

This summary alerts you to any potential problems that require additional attention. You can proceedonly after all blocking problems are resolved.


VMware, Inc. 27

7 Click Next and click Finish.

The CVD is moved from the CVD Archive to the All CVDs view.

The migration process proceeds and takes place in two phases. See “End User Experience with RestoreProcesses,” on page 178.


28 VMware, Inc.

End User Operations 3End users can perform certain operations, independently of the administrator, such as accessing client statusinformation, restoring files or directories from the CVD, and temporarily suspending or resuming the clientto server synchronization process.


n “Access the Client Status,” on page 29

n “File-Level Restoration,” on page 29

n “Directory-Level Restore,” on page 30

n “Suspend and Reactivate Synchronization,” on page 31

Access the Client StatusYou can view information about the client, including the client's version information, current connectionstatus and current action.

Procedure

u Right-click the Mirage icon in the notification area and select Show Status.

File-Level RestorationUsers can restore a previous version of an existing file or a deleted file from snapshots stored on the Mirageserver.

The restore is based on files and directories included in CVD snapshots, in accordance with the uploadpolicies currently in effect. See “Working with Upload Policies,” on page 19.

When the CVD contains Encrypted File System (EFS) files, the files are recovered in their original encryptedform. Only EFS files that the recovering user encrypted are restored from the CVD. Unauthorized files arefiltered from the restore.

The file restore operation generates an audit event on the Mirage server for management and supportpurposes.

Files are restored with their original Access Control Lists (ACLs).

VMware, Inc. 29

Restore a Previous File VersionYou can restore a previous version of an existing file.

Prerequisites

Verify that you have access permissions for the location to which to write. If you do not, you are redirectedto My Documents.

Procedure

1 Right-click a file in Windows Explorer and select Restore previous versions.

2 Select the archive file version to restore.

If the file exists, the File size and Modify time are updated with the file’s archive information.

3 Click Restore.

4 Browse to the required location and save the file.

The default path is the original file location.

Restore a Deleted File from the Mirage Recycle BinYou can restore a deleted file from the Mirage Recycle Bin.

For example, you can restore a file that was deleted from the My Documents folder. The file is reinstated at alocation that you select.

Prerequisites

Verify that you have access permissions for the location to which to write. If you do not, you are redirectedto My Documents.

Procedure

1 In Windows Explorer, right-click the parent directory from where the file was deleted and select MirageRecycle Bin.

2 Select the archive date from which to restore the file.

Mirage downloads the archive information and searches for the available deleted files.

3 Double-click the archive file to restore.

4 Click Restore.



Directory-Level RestoreUsers can recover entire directories back to their endpoint. The recovery includes all files and subfoldersthat the directory contains.

Prerequisites

n Verify that the directories to be recovered exist in a snapshot saved in the data center.

n Verify that you have access permissions for the location to which you want to write. If you do not, youare redirected to My Documents.


30 VMware, Inc.

Procedure

1 In Windows Explorer, right-click the parent directory from which the folder was deleted and selectRestore previous versions.

2 Select the archive date from which to restore the folder.

Mirage downloads the archive information and searches for the available deleted folders.

3 Double-click the archive folder to restore.

4 Click Restore.



Suspend and Reactivate SynchronizationThe Mirage client synchronizes the endpoint with the Mirage server at defined intervals. A user might wantto override the defined interval and synchronize immediately, or temporarily suspend the client'ssynchronization activities.

The client uses the endpoint processing power to synchronize the endpoint with the server and keep it up todate. This synchronization occurs at intervals that the upload policy upload change interval parameterdefines. See “Working with Upload Policies,” on page 19.

The client uses a network client throttle mechanism to regulate the data transfer. When the client senses useractivity, it reduces or suspends its synchronization process until the endpoint is idle.

A user can use the Sync Now feature to start synchronization outside the defined intervals. For example,when important changes are made to documents and the user wants to verify that they are backed up to theCVD.

A user who is operating over a limited or metered network link can use the Snooze feature to temporarilysuspend the client's background synchronization activities. Using Snooze to override the client’ssynchronization with the server affects the timing of scheduled CVD snapshots. For more information aboutautomatic snapshot creation, see “CVD Snapshot Generation and Retention,” on page 46.

Procedure

u Synchronize the endpoint or temporarily suspend the synchronization.

Option Action

Sync Now Right-click the Mirage icon in the notification area and select Sync Now.

Suspend Synchronization n To activate Snooze, right-click the Mirage icon in the notification areaand select Snooze. You can snooze the client for 15 minutes, 2 hours,or 4 hours. After this time elapses, regularly scheduledsynchronizations that the network client throttle mechanism regulatesresume.

n To exit the Snooze state, right-click the Mirage icon in the notificationarea and select Sync Now. This reactivates the automaticsynchronization mechanism.

Chapter 3 End User Operations

VMware, Inc. 31


32 VMware, Inc.

Configuring the File Portal 4Users can use the Mirage file portal to browse and view files in their CVD.

In some situations, for example in an MSP environment, user devices cannot access the corporate domain.

To enable users to access their files, an administrator maps a CVD that is centralized in the system to specificdomain users. Users who are not on the domain can access their files through the file portal by using theirdomain account.

Users access these files from the data center directly, not from the endpoint, so the endpoint does not need tobe accessible for file portal purposes.


n “Allow Access to CVD Files,” on page 33

n “Configure User CVD Mapping,” on page 34

n “Browse and View Files with the File Portal,” on page 34

n “Download Folders and Files from the File Portal,” on page 35

Allow Access to CVD FilesThe administrator can enable or block user access to CVD files in the Mirage file portal.

The Show File Portal icon in the user’s notification area indicates that a file portal URL is defined.

Users cannot access the file portal if any of the following conditions are present:n The file portal feature is disabled.

n The CVD is blocked for Web Access.

n The device is assigned as a reference CVD.

n The assigned user is in a workgroup, not in a domain, and a domain user account was not mapped tothe workgroup.

Procedure

1 In the Mirage Management console tree, expand the Inventory node and select All CVDs.

2 Right-click a CVD, and select File Portal.

3 Select a Web access option.

Option Action

To allow Web access Select Allow File Portal.

To block Web access Select Block File Portal.

VMware, Inc. 33

Configure User CVD MappingIn some situations, such as MSP environments, user's devices cannot access the corporate domain. Anadministrator can manually map a CVD that is centralized with Mirage to specific domain users. Users whoare not on the domain can then access their files through the file portal by using their domain account.

Procedure


2 Right-click the required CVD and select Properties.

3 Click the File Portal tab.

4 Type the user domain account in the text box to the right of the relevant Local User cell.

5 Click Save.

Browse and View Files with the File PortalEnd users can use the file portal to browse and view directories on their local drive and profile-related filesin their CVD, such as Desktop, My Documents, My Pictures, and so on.

End users access the files from the data center, not from the endpoint, so the endpoint does not need to beaccessible for the file portal purposes.

End users have read only access to the files and cannot modify or upload them.

End users can select files from any available CVD snapshot, which means they can access files that werepreviously deleted, or can access earlier versions of files from their snapshots.

Note When the CVD contains Encrypted File System (EFS) files, only EFS files that the accessing userencrypted are visible on the CVD. Non-authorized files are filtered from the view.

You can view the set of user files and directories that can be excluded from restoration, as defined in theupload policies User area. See “Working with Upload Policies,” on page 19.

Prerequisites

n Verify that a file portal URL is configured in the Mirage Management server.

n Verify that the administrator configured the file portal.

n End users must have permission to access the file portal by the administrator . See “Allow Access toCVD Files,” on page 33.

n If you are using Internet Explorer, you must use Internet Explorer 9 or later.

Procedure

1 Access the file portal login page.

a In the notification area of an endpoint that has the Mirage client installed, right-click and selectShow File Portal

If a file portal URL is not configured in the Management server, you can also access it at https://mirage-server-address/Explorer/.


34 VMware, Inc.

https://mirage-server-address/Explorer/


2 Log in to the file portal for your environment and type the required information.

Option Description

Enterprise Your corporate Active Directory login.

Hosted MSP (with domain) Your corporate Active Directory profile is automatically mapped to yourMSP login as part of file portal activation. This happens the first time youlogin to a computer with an active Mirage client.

Hosted MSP (without domain) If you are not a member of a domain, the local profile on the client ismanually mapped to the MSP login. This configuration is similar to theHosted MSP with domain option. The administrator can perform themapping manually using the Mirage Management console.

You can browse and open your files.

Download Folders and Files from the File PortalMirage administrators and Mirage client users can download multiple folders and files from the currentCVD or from archived CVDs in the File Portal to restore files that have been deleted or corrupted.

Prerequisites

n Ensure that the Mirage end-user is allowed to browse the File Portal. See “Allow Access to CVD Files,”on page 33.

n Verify that a file portal URL is configured in the Management server.

Procedure

1 Access the file portal login page.

a In the notification area of an endpoint that has the Mirage client installed, right-click and selectShow File Portal

If a file portal URL is not configured in the Management server, you can also access it at https://mirage-server-address/Explorer/.

2 Log in to the file portal for your environment and type the required information.

Option Description

Enterprise Your corporate Active Directory login.

Hosted MSP (with domain) Your corporate Active Directory profile is automatically mapped to yourMSP login as part of file portal activation. This happens the first time youlogin to a computer with an active Mirage client.

Hosted MSP (without domain) If you are not a member of a domain, the local profile on the client ismanually mapped to the MSP login. This configuration is similar to theHosted MSP with domain option. The administrator can perform themapping manually using the Mirage Management console.

3 Navigate to the required folder of file to download.

To navigate to the archived CVDs, click the Other Archives link.

4 Select the folder or file you want to download.

You can select other folders or files by navigating through the CVD in the file portal.

When finished, click Download.

Chapter 4 Configuring the File Portal

VMware, Inc. 35




36 VMware, Inc.

Protecting the Mirage File Portal 5The Mirage file portal runs on Windows Server 2008 or later. You must protect this host from normal OSvulnerabilities.

Use spyware filters, intrusion detection systems, and other security measures mandated by your enterprisepolicies.

Ensure that all security measures are up-to-date, including OS patches.

Table 5‑1. Protection Configuration for Code MFP01

Configuration Element Description

Code MFP01

Name Keeps the Mirage file portal properly patched.

Description By staying up-to-date on OS patches, OS vulnerabilities aremitigated.

Risk or control If an attacker gains access to the system and reassignsprivileges on the Mirage file portal, the attacker can accessall files transferring through the Mirage file portal.

Recommended level Enterprise

Condition or steps Employs a system to keep the Mirage file portal up -to-datewith patches, in accordance with industry-standardguidelines, or internal guidelines where applicable.



Code MFP02

Name Provide OS protection on the Mirage file portal host.

Description By providing OS-level protection, vulnerabilities to the OSare mitigated. This protection includes antivirus, anti-malware, and other similar measures.

Risk or control If an attacker gains access to the system and reassignsprivileges on the Mirage file portal, the attacker can accessall files transferring through the Mirage file portal.


Condition or steps Provides OS protection, such as antivirus, in accordancewith industry-standard guidelines, or internal guidelineswhere applicable.

VMware, Inc. 37



Code MFP03

Name Restrict privilege user login.

Description The number of privilege users with permission to log in tothe Mirage file portal as an administrator should beminimal.

Risk or control If an unauthorized privilege user gains access to the Miragefile portal then the system is vulnerable to unauthorizedmodification of downloading files.


Condition or steps Create specific privilege login accounts for individuals.Those accounts should be part of the local administrators'group.



Code MFP04

Name Implement an administrative password policy.

Description Set a password policy for all Mirage file portal. Thepassword should include certain parameters.n A minimum password lengthn Require special character typesn Require periodic change of the password

Risk or control If an unauthorized privilege user gains access to the Miragefile portal then the system is vulnerable to unauthorizedmodification.


Condition or steps Set a password policy for the Mirage file portal.



Code MFP05

Name Remove unnecessary network protocol.

Description The Mirage file portal only uses IPv4 communication. Youshould remove other services, such as file and printersharing of NFS, Samba server, Novell IPX, and so on.

Risk or control If unnecessary protocols are enabled, the Mirage file portalis more vulnerable to network attacks.


Condition or steps In the Control Panel or the administrative tool of theMirage file portal operating system, remove or uninstallunnecessary protocols.



Code MFP06

Name Disable unnecessary services.


38 VMware, Inc.

Table 5‑6. Protection Configuration for Code MFP06 (Continued)


Description The Mirage file portal requires a minimal number ofservices for the OS. When you disable unnecessary servicesyou enhance security. This prevents the services fromautomatically starting at boot time.

Risk or control If unnecessary services are running, the Mirage file portalis more vulnerable to network attack.

Recommended level Enterprise.

Condition or steps Verify that no server roles are enabled. Disable any servicesthat are not required. There are various Windows serviceson Server 2008 that start by default and are not required.You should disable these services.n Application Experiencen Application Managementn Certificate Propagationn Com+ Event Systemn DHCP Clientn Distributed Link Tracking Clientn Distributed Transaction Coordinatorn Diagnostic Policy Servicen IPsec Policy Agentn Print Spoolern System Event Notification

The Mirage file portal is generally deployed in a DMZ or an internal data center to control browser accessand user data over potentially hostile network, such as the Internet. In a DMZ or internal data center it isimportant that you use a firewall to control network protocol access.



Code MFP07

Name Use an external firewall in the DMZ to control networkaccess.

Description The Mirage file portal is usually deployed in a DMZ. Youmust control which protocols and network ports arepermitted so that communication with Mirage file portal isrestricted to the required minimum. Mirage file portalautomatically sends requests to .Mirage Managementservers within a data center and ensure that all forwardedtraffic is on behalf of authenticated users.

Risk or control Allowing unnecessary protocols and ports might increasethe possibility of an attack by a malicious user, especiallyfor protocols and ports for network communication fromthe Internet.

Chapter 5 Protecting the Mirage File Portal

VMware, Inc. 39

Table 5‑7. Protection Configuration for Code MFP07 (Continued)


Recommended level Configure a firewall on either side of the Mirage file portalto restrict protocols and network ports to the minimum setrequired between browsers and Mirage data storage.You should deploy the Mirage file portal on an isolatednetwork to limit the scope of frame broadcasts. Thisconfiguration can help prevent a malicious user on theinternal network from monitoring communication betweenthe Mirage file portal and the Mirage Management server.You might want to use advanced security features on yournetwork switch to prevent malicious monitoring of MirageGateway communication with Mirage servers, and toguard against monitoring attacks, such as ARP CachePoisoning.

Parameter or objects configuration For more information about the firewall rules that arerequired for a DMZ deployment, see the VMware MirageInstallation Guide.



Code MFP08

Name Do not use default, self-signed server certificates ontheMirage file portal.

Description When you first install the Mirage file portal, the HTTPSserver is unable to work until signed certificates areprepared. The Mirage file portal and the HTTPS serverrequire SSL server certificates signed by a commercialCertificate Authority (CA) or an organizational CA.

Risk or control Using self-signed certificates leaves the SSL/TSL connectionmore vulnerable to man-in-the-middle attacks. Applyingcertificates to trusted CA signed certificates mitigates thepotential for these attacks.


Condition or steps For more information about setting up Mirage file portalcertificates, see the VMware Mirage Installation Guide.

Test Use a vulnerability scanning tool to connect the Mirage fileportal. Verify that it is signed by the appropriate CA.


40 VMware, Inc.

Configuring the Mirage System 6You can apply settings to your Mirage installation that the administrator can configure, including theretention policy for snapshots. You can also configure the system to use Secure Sockets Layer (SSL)communication between the Mirage client and server.


n “Configure the System Settings,” on page 41

n “Managing Bandwidth Limitation Rules,” on page 41

n “License Settings,” on page 43

n “Import USMT Library and Settings,” on page 43

n “Authenticating the Mirage Gateway Server,” on page 44

n “Branch Reflector Settings,” on page 44

n “Configure File Portal Settings,” on page 44

n “Enable CVD Auto Creation,” on page 44

n “Configuring User Access to the File Portal,” on page 45

n “General System Settings,” on page 45

n “CVD Snapshot Generation and Retention,” on page 46

n “Configuring Secure Socket Layer Communication,” on page 47

Configure the System SettingsThe administrator can configure Mirage system settings.

Procedure

1 In the Mirage Management console, right-click System Configuration and select Settings.

2 Make the required changes and click OK.

The system configuration takes effect immediately.

Managing Bandwidth Limitation RulesYou can set an upper limit on Mirage traffic so that Mirage does not consume all of the bandwidth of a siteor subnet. When you use bandwidth limitation, you allocate your network resources more efficiently.

A bandwidth limitation rule contains parameters to set the limitations.

VMware, Inc. 41

Table 6‑1. Bandwidth Limitation Parameters


SubnetMaskV4 Uses the format IPaddress/bitmask, for example,100.100.10.100/20.For site-based rules, leave this parameter blank.

Site Site or domain name of the group of clients for which tolimit the bandwidth. The site is the DNS name.Site names cannot contain special characters or non-Englishcharacters.For subnet-based rules, leave this parameter blank.

Download limit Maximum number of KBps that you can download fromthe server to the client.

Upload limit Maximum number in KBps that you can upload from theclient to the server.

Start Time Time that the rule is applied, for example, 7:00 AM. Thetime is the local time of the endpoint. It can take up to fiveminutes after the start time for the rule to be applied.

End Time Time that the rule is no longer applicable, for example, 9:00PM. The time is the local time of the endpoint. It can takeup to five minutes after the end time to revoke the rule.

Days of Week Time The days of the week that the rule is valid, for example,Monday, Thursday, and Friday. The day is calculatedaccording to the local time of the endpoint.

You write the rules in the format SubnetMaskV4,Site,Download Limit,Upload Limit, Start Time, EndTime, Days of Week.

After you write rules, you import the rules to Mirage. You can also export existing rules to edit it, andimport the edited rules to Mirage.

You can add a global limit rule that applies to all clients in the Mirage environment. For example,0.0.0.0/0,,OutgoingKBps,UploadKBps.

To access the Bandwidth Limitation tab, in the Mirage Management console select System Configuration >Settings. Click Sample rules to view sample rules.

To add a rule using the Mirage Web management, click Add and edit the bandwidth limiting parameters. Toedit a rule that you created, double-click the rule and edit the bandwidth limiting parameters.

You write the rules in a .csv file and import the file using the Mirage Web management. You write the rulesin the format SubnetMaskV4,Site,Download Limit,Upload Limit, Start Time, End Time, Days of Week.Click Sample Rules to view a sample rule.

After you write rules, you import the rules by using the Mirage Web management. You can also exportexisting rules to edit the rules, and import the edited rules to the Mirage Web management. Imported rulesreplace and overwrite existing rules.

You can add a global limit rule that applies to all clients in the Mirage environment. For example,0.0.0.0/0,,OutgoingKBps,UploadKBps.

Table 6‑2. Rule Constraints and Limitations

Constraints Rule LImitations

No time constraint specified. No time limit. Rule is applicable 24 hours on the daysspecified.

No day constraint specified. No day limit. Rule is applicable every day on the timespecified.


42 VMware, Inc.

Table 6‑2. Rule Constraints and Limitations (Continued)

Constraints Rule LImitations

No time or day constraint specified. Always applicable.

Blank. Unlimited.

Zero (0). Blocked.

License SettingsLicense settings are used to add a license to Mirage or view existing licenses.

For the relevant procedures, see the VMware Mirage Installation Guide.

Import USMT Library and SettingsYou can import the Microsoft User State Migration Tools (USMT) files that are required for various baselayer operations.

You can import multiple USMT file versions for each operating system that is running in your environment.

Mirage supports USMT 4 and USMT 5 for Windows XP and Windows 7, USMT 6.3 for Windows 8.1, andUSMT 10 for Windows 10.

USMT files are used for the following operations:

n Migration to Windows 7, Windows 8.1, or Windows 10 from another Windows version.

n Cross-hardware Windows 7, Windows 8.1, and Windows 10 migration.

n User profile and data-only restore operations for Windows 7, Windows 8.1, and Windows 10.

To import a USMT library, click the gear icon in the upper-right corner and click USMT. Type the USMTfolder path and click the Validate button to verify that you typed a valid folder path. Click OK to completethe import procedure. The USMT folder path must be a valid UNC path. The user that is performing theimport procedure must have reader access to this folder.

Procedure

1 Find the USMT folder in the directories installed with the Windows Automated Installation Kit (AIK)software.

You can download this software free of charge from Microsoft.

2 Copy the USMT folder and all subdirectories to your Mirage server.

3 Right-click the System Configuration node and click Settings.

4 Click the USMT tab.

5 Click Import USMT Folder.

6 Navigate to the location of the USMT folders and click OK.

After the Mirage Management console imports the USMT file for the specific operating system, a checkmark is displayed next to each USMT version.

Chapter 6 Configuring the Mirage System

VMware, Inc. 43

Authenticating the Mirage Gateway ServerYou can create a custom message that end users receive when they log on to the Mirage system using theMirage Gateway server.

To create a custom message for end users, click the gear icon in the upper-right corner, click GatewayAuthentication, select the Enable Gateway Customization Log-on Messagecheck box, and type the custommessage.

Branch Reflector SettingsBranch reflector settings include default values of parameters governing the behavior of branch reflectors.

For the relevant procedures, see Chapter 12, “Managing Branch Reflectors,” on page 95.

Configure File Portal SettingsFile portal settings are used to enable the VMware file portal.

Procedure


2 Click the File Portal tab and configure the file portal.

a Select the Enable File Portal check box.

b Type the path to the file portal in the Enable File Portal text box.

For example, https://<address>/Explorer, where <address> is the host where the Mirage file portalis installed.

c In the User message text box, enter the user message that a user sees when prompted to activatethe file portal.

3 Click OK.

Enable CVD Auto CreationYou can enable end users to create a new CVD for their machine, so that the administrator need notintervene in the critical first phase of adding the machine to the Mirage system. This setting is global for allnewly discovered endpoints that communicate to the Mirage server after installation of the Mirage clients.

You can also define the message that the end user sees when the operation takes place. After this isconfigured, any device that connects to the Mirage system for the first time prompts the end user to addtheir CVD.

Note An end user can also initiate the CVD creation by right-clicking the Mirage icon in their notificationarea.

Prerequisites

When enabling the automatic CVD creation, you must select a default CVD policy in the General tab.

Procedure


2 Click the CVD Auto Creation tab.


44 VMware, Inc.

3 Select Enable automatic CVD creation.

You can change the user message as needed.

4 Click OK.

Configuring User Access to the File PortalYou can create a custom message that is displayed to end users to access the file portal. You can also enableaccess to the file portal for end users.

To provide users access to the file portal, select the Enable File Portal check box and type the file portal URLin the File Portal URL text box.

To create a custom message that is displayed to end users to access the file portal, type the message in thetext box.

General System SettingsYou can define the standard configurations for the Mirage system.

You access these options through the system settings General tab. See “Configure the System Settings,” onpage 41.

Table 6‑3. General System Settings

Option Description

Snapshots kept The number of CVD snapshots the system must keep available for restoration, at hour, day,week, and month intervals. For more information about how these values are used in snapshotretention.See “CVD Snapshot Generation and Retention,” on page 46.

Volumes This section configures the threshold percentages of data stored on a volume, which whenreached, trigger a warningThis section configures the threshold percentages of data stored on a volume, which whenreached, trigger a warning or critical events in the Events log.For more information about using multiple volumes, see Chapter 11, “Deploying MultipleStorage Volumes,” on page 89.n Volume capacity - warning threshold (%): Type the threshold percentage of data stored on a

volume, which triggers a warning event when reached.n Volume capacity - critical threshold (%): Type the threshold percentage of data stored on a

volume, which triggers a critical event when reached.n Volume capacity check interval (seconds): Type the elapsed time interval (in seconds) at

which the system rechecks the level of data stored on the volume against the thresholds.n Driver Library and USMT files volume: To select the volume to be addressed by the

threshold checks, click Change and select the required volume.

CVDs n CVD size warning threshold (MB): Type the maximum CVD size. An event is generated inthe Event Log when that size is reached.

n Default Upload Policy: To choose the default upload policy used when an end user addstheir CVD to the Mirage system, click Change and select the required policy.

Branch Reflector See Chapter 12, “Managing Branch Reflectors,” on page 95

Report Specify the report server URL. For more information, see Chapter 31, “Working with Reportsfor Mirage Operations,” on page 197

Join Domain Account User and Password: Account that authorizes joining the domain. The join domain account isused during migration operations. Note: The join domain account must have the followingpermissions - Reset Password, Write all properties, Delete, Create computer objects, and Deletecomputer objects. Permissions are set using the Advanced Security Settings for Computersdialog box for this object and all descendant objects.


VMware, Inc. 45

Table 6‑3. General System Settings (Continued)

Option Description

Bandwidth Limiting You can set an upper limit on Mirage traffic so that Mirage does not consume all of thebandwidth of a site or subnet. When you use bandwidth limitation, you allocate your networkresources more efficiently. A bandwidth limitation rule contains parameters to set thelimitations.You can import rules, export rules, and view sample rules, and create new rules by specifyingseveral parameters. See “Managing Bandwidth Limitation Rules,” on page 41.

License You can specify a license key or a license file, and view license information.

CVD Snapshot Generation and RetentionA CVD snapshot is a centrally retained point-in-time image of CVD content, including OS, applications anduser data, that enables complete restoration of a specific endpoint or a specific file. The Mirage servergenerates snapshots and keeps generations of snapshots available according to a retention policy.

Automatic Snapshot GenerationAfter the first successful CVD upload to a device, the Mirage server attempts to synchronize with the deviceat regular intervals, and to create a CVD snapshot when the synchronization is successful. The frequency ofthe attempts is defined by the Upload Change Interval parameter, for example every 60 minutes. See “Working with Upload Policies,” on page 19.

The success of a synchronization, and the snapshot creation, depends on the server being able to access thedevice at the scheduled intervals. This is not always possible since the device might be closed or the Snoozefeature might be in effect. See “Suspend and Reactivate Synchronization,” on page 31.

Snapshots can also be generated independently of the Upload Change Interval timing, in the followingcases:

n Before a base layer update. This allows an administrator to revert to the CVD state before the update ifthe update fails or is problematic, or after any migration.

n Before reverting to a snapshot. This keeps the current endpoint state available in case a rollback isrequired.

n Whenever the administrator performs a forced upload. See “Reconnect a Device to a CVD,” onpage 178.

According to these circumstances, the interval between specific snapshots can be longer or shorter than thetime defined by the Upload Change Interval parameter.

Snapshot Retention PolicyThe system keeps historical snapshots according to a retention policy, and can be used to restore files on thedevice.

You define the snapshot retention in the Snapshots kept area of the System Configuration General tab. See “General System Settings,” on page 45. The system keeps a maximum number of CVD snapshots at hourly,daily, weekly, and monthly intervals.


46 VMware, Inc.

Table 6‑4. Categories for Kept Snapshots

Retention category Description

Number of snapshotsat 1 hour intervals

Number of consecutively generated snapshots that the system keeps.For example, the value 8 means that the system always keeps the latest 8 successful CVDsnapshots in this category.Historical snapshots older than the latest 8 are discarded. However, if daily snapshot retention isdefined, whenever a first snapshot of a new day is created, the oldest snapshot in the Hourlycategory becomes a candidate as the newest daily snapshot.The default number of Hourly snapshots is zero, meaning new snapshots are not kept as theyare created. You can change this value.

Number of snapshotsat 1 day intervals

Number of snapshots that the system keeps in the Daily category.For example, the value 7, the default, means that the system always keeps the earliest-createdsnapshot in each new calendar day, up to 7 snapshots in this category.If hourly snapshots are defined, the oldest snapshot in the hourly category becomes the newestdaily snapshot.Historical snapshots older than the latest 7 in the daily category are discarded. However, ifweekly snapshot retention is defined, whenever a first snapshot of a new week is created, theoldest daily snapshot becomes the newest weekly snapshot.

Number of snapshotsat 1 week intervals

Number of snapshots that the system keeps in the Weekly category.For example, the value 3, the default, means that the system always keeps the earliest-createdsnapshot in each new calendar week, up to 3 snapshots in this category. Other aspects of theweekly snapshot retention follow the same pattern as daily snapshot retention.

Number of snapshotsat 1 month intervals

Number of snapshots that the system keeps in the Monthly category.For example, the value 11, the default, means that the system always keeps the earliest-createdsnapshot in each new calendar month, up to 11 snapshots in this category. Other aspects of themonthly snapshot retention follow the same pattern as daily or weekly snapshot retention.

The intervals between snapshots retained in each category depend on the factors described in “AutomaticSnapshot Generation,” on page 46, and how device availability affects the retention rollover timing. For thisreason, the snapshots in the daily, weekly, and monthly retention categories can typically have time intervalsof at least a day, week, or month between them.

Automatic snapshots taken before a base layer update, before reverting to a snapshot, or forced uploads arecounted against the snapshot retention capacity. They cause the number of regular snapshots retained todecrease.

Configuring Secure Socket Layer CommunicationMirage supports Secure Socket Layer (SSL) communication between the Mirage client and server.

The SSL setup is included as part of the server installation process. If for any reason this operation wasdisabled, you can perform the SSL setup at any time as described in this procedure.

For environments with multiple Mirage servers, you must enable SSL and install the SSL certificate for eachserver. See “Setting Up the SSL Certificate in Windows Server,” on page 226.

The setup involves the following steps:

1 Installing the SSL server certificate. See “Install an SSL Server Certificate for the Mirage Server,” onpage 48.

2 Configuring servers for SSL. See “Configure Mirage Servers for SSL,” on page 48.

If you enable SSL on the server, you must also enable SSL on clients.


VMware, Inc. 47

Install an SSL Server Certificate for the Mirage ServerTo set up SSL on the Mirage server, you must obtain SSL certificate values and configure them on the server.SSL certificates is a Windows feature.

The Mirage server uses the local computer store.

Prerequisites

n Ensure that the certificates are installed in the local Computer Trust Store. If you do not have acertificate, you can create one with tools such as the Microsoft MakeCert. You must then import theresult into the Certificate Manager.

n Verify that you can export the private key.

Procedure

1 Open the Windows Management Console, add the Certificates snap-in, and select the local computeraccount.

2 To navigate to your certificate, select Certificates > Personal > Certificates.

3 Note the Certificate Subject and Certificate Issuer values.

Configure Mirage Servers for SSLAfter you install the SSL Server certificate, you configure the Mirage server maximum CVD connections andtransport settings.

Allocate a larger number of concurrent CVDs for high-end servers, or a smaller number for low-end servers.For more information about this modification, contact VMware Support.

Procedure

1 In the Mirage Management console tree, expand the System Configuration node and select Servers.

2 Right-click the required server and select Configure.

3 Enter the appropriate configuration options.

Option Action

Max Connections Type the maximum number of concurrent CVD connections. The range isfrom 1 to 2500.

Port Change the port used for client-server communication. Either use thedefault port of 8000 or change the port. Changing the port might requireadding firewall rules to open the port.

TCP or SSL Change the connection type to SSL to have clients communicate with theserver using SSL encryption. This is a global change.

4 (Optional) If you selected SSL, enter the Certificate subject and Issuer values.

Option Description

Certificate Subject Typically the FQDN of the Mirage server.

Certificate Issuer Usually a known entity like VeriSign. Leave this blank if only onecertificate is on this server.

5 Click OK.


48 VMware, Inc.

Mirage Customer ExperienceImprovement Program 7

You can configure Mirage to collect data to help improve your user experience with VMware products. Thefollowing section contains important information about the Customer Experience Improvement Program.

The goal of the Customer Experience Improvement Program is to quickly identify and address issues thatmight be affecting your experience. If you choose to participate in the VMware Customer ExperienceImprovement Program, Mirage regularly sends encrypted data to VMware. VMware uses the collected datafor product development and troubleshooting purposes. Mirage anonymizes and encrypts the collected datafrom your systems or servers before securely transferring the data to VMware.


n “Data Collected for the Customer Experience Improvement Program,” on page 49

n “Joining the Customer Experience Improvement Program,” on page 51

n “Stop Sending Data to VMware,” on page 51

Data Collected for the Customer Experience Improvement ProgramTo provide the benefits of the Customer Experience Improvement Program, Mirage collects technical dataand transfers the data to VMware on a daily basis.

The Customer Experience Improvement Program collects data in several categories.

Table 7‑1. General Information

Property Description

Vertical Predefined vertical business list.

Geography Geographic area where your headquarters are located.

Mirage version Version of Mirage you are using.

Device number Total number of devices that Mirage is managing.

Pending device number Number of devices with the status "pending device".

Base layer number Total number of base layers that have been captured.

App layer number Total number of app layers that have been captured.

Subnet number Total number of subnets that Mirage is managing.

Mirage collects information about storage volumes, such as size and the number of CVDs stored in thevolume.

VMware, Inc. 49

Table 7‑2. Volume Information


Size Size of one storage volume.

CVD number Number of CVDs stored in the volume.

Dedup Ratio Dedup ratio of data stored in the volume.

Average IOPS Average IOPS of the volume.

Mirage collects information about CVDs, such as CVD size and the OS type on the CVD.

Table 7‑3. CVD Information


OS type Type of operating system.

Size Size of the CVD.

App layer number Number of app layers deployed in the CVD.

Mirage collects information about Mirage operations, such as operation type and the role of theadministrator performing the operation.

Table 7‑4. Operation Information


Time Start time of the operation.

Duration How long the operation took to complete.

Type Type of operation.

Size Relevant data size of the operation, for example, the size ofthe base layer that was captured.

Operator Role of the administrator who is performing the operation,for example, the Helpdesk role.

Invocation point Where the administrator initiated the operation, forexample, the common wizard.

Mirage collects information about Mirage servers and Mirage Gateway servers, such as network traffic, andmemory use and availability.

Table 7‑5. Server Information


Time Time when the data collection is complete.

Server type Server type, either a Mirage server or a Mirage Gatewayserver.

CPU Amount of CPU use.

Physical memory Amount of physical memory on the server.

Free memory Amount of physical memory on the server that is available.

Concurrent connection Number of concurrent connections.

In traffic Incoming traffic from the network.

Out traffic Outgoing traffic to the network.

Mirage collects information about layers, such as layer size and layer type.


50 VMware, Inc.

Table 7‑6. Layer Information


Type Layer type, either base layer or app layer.

Capture date Date the layer is captured.

OS type Operating system type of the layer.

Size Size of the captured layer.

Assigned CVD Number of CVDs that this layer is assigned to.

Joining the Customer Experience Improvement ProgramYou can join the Customer Experience Improvement Program when you install the Mirage system, or anytime after you install the Mirage system by using the Mirage Web console.

When you install the Mirage Management server, you are prompted with the Customer ExperienceImprovement Program window. The I agree to join the Mirage Customer Experience ImprovementProgram check box is selected by default. Click OK to join the Customer Experience Improvement Program.If you do not want to join the Customer Experience Improvement Program, clear the I agree to join theMirage Customer Experience Improvement Program check box and click OK. See the VMware MirageInstallation Guide.

See the VMware Mirage Web Management Guide.

Stop Sending Data to VMwareIf you no longer want to participate in the Customer Experience Improvement Program, you candiscontinue the transfer of anonymized trace data to VMware.

Prerequisites

Verify that the Mirage Web Management is installed.

Procedure

1 Click the gear icon in the upper-right corner on the Mirage Web Management.

2 Clear the I agree to join the Mirage Customer Experience Improvement Program check box and clickOK.

Mirage stops sending technical data to VMware.

Chapter 7 Mirage Customer Experience Improvement Program

VMware, Inc. 51


52 VMware, Inc.

Introduction to Mirage PowerCLI 8Windows PowerShell is a command-line and scripting environment that is designed for Microsoft Windows.PowerShell uses the .NET object model and provides administrators with management and automationcapabilities. You work with PowerShell by running commands, which are called cmdlets in PowerShell.

Mirage includes several Mirage PowerCLI cmdlets.

The command-line syntax for the Mirage PowerCLI cmdlets is the same as generic PowerShell syntax. Formore information about using PowerShell, see the Microsoft documentation.

n Using Mirage PowerCLI on page 54Mirage PowerCLI provides an easy-to-use PowerShell interface to Mirage.

n Install the Mirage PowerCLI on page 54Mirage PowerCLI provides a Windows PowerShell interface for command-line access toadministration tasks.

n Run PowerCLI and Mirage PowerCLI in a Single PowerShell Session on page 54You can write scripts that combine PowerCLI cmdlets and Mirage PowerCLI cmdlets in a singlePowerShell session.

n Mirage PowerCLI Cmdlets on page 55You can use Mirage PowerCLI cmdlets to administer Mirage.

n Displaying Help for a Mirage PowerCLI cmdlet on page 55You can display all Mirage PowerCLI cmdlets, view examples of cmdlets usage, and view fulldescriptions for each cmdlet.

n Centralize Endpoints using Mirage PowerCLI on page 56You can centralize endpoints in the Mirage PowerCLI.

n Migrate an Endpoint OS by Using the Mirage PowerCLI on page 58You can migrate existing Windows XP or Windows Vista endpoints to Windows 7, existing Windows 7endpoints to Windows 8.1 and Windows 10, and existing Windows 8.1 endpoints to Windows 10 byusing the Mirage PowerCLI.

n Provision Pending Devices by Using the Mirage PowerCLI on page 61You can provision pending devices using the Mirage PowerCLI.

n Assign a Base Layer to a CVD Using the Mirage PowerCLI on page 64You can assign a base layer to a CVD using the Mirage PowerCLI.

n Update App Layers Assigned to a CVD Using Mirage PowerCLI on page 67You can

VMware, Inc. 53

Using Mirage PowerCLIMirage PowerCLI provides an easy-to-use PowerShell interface to Mirage.

You can use the Mirage PowerCLI cmdlets to perform various administration tasks from the command lineor from scripts instead of using the Mirage Management console.

You can write scripts that combine PowerCLI cmdlets and Mirage PowerCLI cmdlets in a single PowerShellsession.

Install the Mirage PowerCLIMirage PowerCLI provides a Windows PowerShell interface for command-line access to administrationtasks.

The Mirage PowerCLI client is intended for standalone use (Mirage only). If you use PowerCLI toadminister other VMware products and want to use Mirage cmdlets, see the VMware Mirage.

Prerequisites

n Verify that you installed Microsoft PowerShell 3.0.

n Verify that you installed .NET 4.5.1 or later.

Procedure

1 Double-click the VMwarePowerCLIForMirage.buildnumber.msi file (located in the Mirage installationpackage) to start the installation wizard.

2 When prompted in the Execution Policy window, access Windows PowerShell as an administrator, andrun the Set-ExecutionPolicy RemoteSigned command.

3 Type Y and press Enter to accept the execution policy change, and close the Windows PowerShellwindow.

4 Follow the prompts to complete the installation wizard.

Run PowerCLI and Mirage PowerCLI in a Single PowerShell SessionYou can write scripts that combine PowerCLI cmdlets and Mirage PowerCLI cmdlets in a single PowerShellsession.

Procedure

1 Install PowerCLI

2 Unzip the Mirage_PowerCLI.zip file to the PowerCLI module directory. .

The default directory path is C:\Program Files (x86)\VMware\Infrastructure\vSpherePowerCLI\Modules, and the folder is VMware.Mirage.Cmds.

3 Access Microsoft PowerShell and import the necessary modules.

The Import-Module VMware.Mirage.Cmds command imports the Mirage PowerShell module.

The Import-Module VMware.VimAutomation.Core command imports the vSphere PowerShell module.


54 VMware, Inc.

Mirage PowerCLI CmdletsYou can use Mirage PowerCLI cmdlets to administer Mirage.

Table 8‑1. Mirage PowerCLI Cmdlets Ordered by Verb

Cmdlet Description

Apply-MirageAssignment Applies the Mirage download only assignment.

Apply-MirageOsMigration Applies download only migrations.

Archive-MirageCvd Archives the CVD.

Connect-MirageServer Sets up a connection to the Mirage server.

Disconnect-MirageServer Disconnects from the Mirage server.

Get-MirageAppLayer Retrieves the Mirage app layers from the Mirage system.

Get-MirageAssignment Retrieves the assignment from the Mirage system.

Get-MirageBaseLayer Retrieves the Mirage base layers from the Mirage system.

Get-MirageCvd Retrieves the CVDs from the Mirage system.

Get-MirageCvdCollection Retrieves the collections from the Mirage system.

Get-MirageOsMigration Retrieves the download only migrations from the Miragesystem.

Get-MiragePendingDevice Retrieves the pending devices from the Mirage system.

Get-MiragePolicy Retrieves the policies from the Mirage system.

Get-MirageVolume Retrieves the volumes from the Mirage system.

New-MirageCvd Creates a new CVD with the specified device, policy, andvolume, in Mirage.

New-MirageOsMigration Migrates the CVD with the specified base layer, app layer,and related information in the Mirage system.

Remove-MirageCvd Removes the CVD.

Set-MirageCvd Use this cmdlet to update the policy, base layer, andsuspend/resume network operations.

Set-MirageCvdAppLayer Updates the CVD with the specified app layers.

Sync-MirageCvd Synchronizes the device information for the CVD.

Reset-MirageCvd Reset all the base/app layers of the CVD(s).

Invoke-MirageAssignment Applies the Mirage download only assignment.

Invoke-MirageOsMigration Applies download only migrations.

Dismount-MirageCvd Archives the CVD.

Displaying Help for a Mirage PowerCLI cmdletYou can display all Mirage PowerCLI cmdlets, view examples of cmdlets usage, and view full descriptionsfor each cmdlet.

To list all Mirage PowerCLI cmdlets, type the Get-VICommand command in the PowerCLI console .

You can get help for a specific cmdlet by using the Get-Help cmdlet in the PowerCLI console. For example,to get help on the Connect-MirageServer cmdlet, type the Get-Help Connect-MirageServer command in thePowerCLI console.

Chapter 8 Introduction to Mirage PowerCLI

VMware, Inc. 55

To view a sample of how the cmdlet is used, type the Get-Help Command -Examples command in thePowerCLI console, where Command is the cmdlet, for example, Connect-MirageServer.

To view basic descriptions for a cmdlet, including command description, parameter description, and sampleusage, type the Get-Help Command -Detailed command in the PowerCLI console, where Command is thecmdlet, for example, Connect-MirageServer.

To view the full descriptions for a cmdlet, including the command description, parameter description, andsample usage, type the Get-Help Command -full command in the PowerCLI console, where Command is thecmdlet, for example, Connect-MirageServer.

Centralize Endpoints using Mirage PowerCLIYou can centralize endpoints in the Mirage PowerCLI.

Procedure

1 Run the Connect-MirageServer cmdlet to connect to the Mirage server.

Connect-MirageServer ServerIPAddress Username Password -TrustUnknownCertificate

ServerIPAddress is the IP address of the Mirage server, and Username and Password are the log-incredentials of the privileged user for the Mirage server.

2 Select a Mirage policy for the CVD.

a Run the Get-MiragePolicy cmdlet to retrieve the Mirage policies, and note the name of the Miragepolicy to assign to the CVD.

b Run the $policy = Get-MiragePolicy 'PolicyName'| Select-Object -First 1 command

policy is the name you select for this variable, and PolicyName is the name of the Mirage policy thatyou selected for the CVD.

3 Select a Mirage volume for the CVD.

a Run the Get-MirageVolume cmdlet to retrieve the Mirage volumes, and note the name of the Miragevolume to assign to the CVD.

b Run the $volume = Get-MirageVolume 'VolumeName' | Select-Object -First 1 command

volume is the name you select for this variable, and VolumeName is the name of the volume that youselected for the CVD.

4 Designate one or more pending devices for the CVD.

a Run the Get-MiragePendingDevice cmdlet to retrieve the pending devices, and note the names ofthe pending devices to assign to the CVD.

b Assign the pending devices to the $device variable.

Option Action

Assign one pending device to theCVD

Run the $device = Get-MiragePendingDevice | Select-Object -First 1 command to retrieve the pending device.

Assign one or more pending deviceto the CVD

Run the $device = Get-MiragePendingDevice DeviceFilterscommand.DeviceFilters are the filters for the devices to include in the CVD, to retrievethe pending devices.


56 VMware, Inc.

5 Create a CVD.

Option Action

Create new CVD using a variable Run the $cvd = $device | New-MirageCVD -Policy $policy -Volume $volume command.

Create new CVD without using avariable

Run the New-MirageCVD -Policy $policy -Volume $volume -Device$device command.

If volume is not specified, the volume for the new CVD is selected automatically.

If you create a CVD using a variable, you can reuse the variable in other Mirage PowerCLI procedures.

The new CVD is created.

Sample Script for Centralizing Endpoints with the Mirage PowerCLIThis is a sample script that is written in the Mirage PowerCLI. It details the procedure for centralizingendpoints in the Mirage PowerCLI.

param($server, $username, $password, $volumename, $policyname)

"--------Connect-MirageServer-------"

Connect-MirageServer $server $username $password -TrustUnknownCertificate

"----------Get-MirageVolume---------"

$volume = Get-MirageVolume $volumename | Select-Object -First 1

if (!$volume)

{

"Cannot retrieve volume with name $volumename."

return

}

$volume

"----------Get-MiragePolicy---------"

$policy = Get-MiragePolicy $policyname | Select-Object -First 1

if (!$policy)

{

"Cannot retrieve policy with name $policyname."

return

}

$policy

"------Get-MiragePendingDevice------"

$device = Get-MiragePendingDevice | Select-Object -First 1

if (!$device)

{

"There is no pending device on Mirage server."

return

}

$device

"--------------CEFlow---------------"

$cvd = $device | New-MirageCvd -Policy $policy -Volume $volume

if(!$cvd)

{

"CE flow failed"


VMware, Inc. 57

return

}

"CE flow starts"

while ($cvd.OperationProgress -ne 100 -or $cvd.State -ne 'Idle')

{

Start-Sleep -s 20

$cvd = Get-MirageCvd -Device $device

}

$cvd

"CEflow successful."

Migrate an Endpoint OS by Using the Mirage PowerCLIYou can migrate existing Windows XP or Windows Vista endpoints to Windows 7, existing Windows 7endpoints to Windows 8.1 and Windows 10, and existing Windows 8.1 endpoints to Windows 10 by usingthe Mirage PowerCLI.

Procedure




2 Select a CVD to migrate.

a Run the Get-MirageCvd cmdlet to retrieve the Mirage CVDs, and note the name of the MirageCVDfor which to migrate the OS.

b Run the $cvd = Get-MirageCvd 'cvdname' | Select-Object -First 1 command.

cvd is the name you select for this variable, and cvdname is the name of the CVD that you selected.

3 Select a base layer for the CVD.

a Run the Get-MirageBaseLayer cmdlet to retrieve the Mirage base layers, and note the name of thebase layer to apply to the CVD.

b Run the $baselayer = Get-MirageBaseLayer 'baselayername' | Select-Object -First 1command.

baselayer is the name you select for this variable, and baselayername is the name of the base layer thatyou selected for the CVD.


58 VMware, Inc.

4 Migrate the OS on the specified CVD.

a Run the New-MirageOsMigration cmdlet to migrate the OS on the specified CVD.

Option Action

Download only migration for theOS on the specified CVD withdomain join

Run the $migration = New-MirageOsMigration -CVD $cvd -BaseLayer $baselayer -Domain $domain -User $domainuser -Password $domainpassword -DownloadOnly -Force | Select-Object -First 1 command.

Full migration for the OS on thespecified CVD with domain join

Run the $migration = New-MirageOsMigration -CVD $cvd -BaseLayer $baselayer -Domain $domain -User $domainuser -Password $domainpassword -Force | Select-Object -First 1command.

Download only migration for theOS on the specified CVD with awork group

Run the $migration = New-MirageOsMigration -CVD $cvd -BaseLayer $baselayer -WorkGroup $workgroup -DownloadOnly-Force | Select-Object -First 1 command.

Full migration for the OS on thespecified CVD with a work group

Run the $migration = New-MirageOsMigration -CVD $cvd -BaseLayer $baselayer -WorkGroup $workgroup -Force |Select-Object -First 1 command.

migration is the name you select for this variable. domain is the name of the domain that themigrated CVD is joining. domainuser and domainpassword are the login credentials for the domainthat the migrated CVD is joining. workgroup is the name of the work group that you want the CVDto join.

5 If you selected the download only migration option, apply the download only migration.

a Run the Apply-MirageOsMigration cmdlet to apply the migration.

Run this command after completing the download only migration.

b Run the $cvd = Apply-MirageOsMigration $migration | Select-Object -First 1 command.

cvd is the name you select for this variable, and migration is the variable returned by the previousdownload only migration.

The CVD is migrated with the base layer that you specified in the New-MirageOsMigration command.

Sample Mirage PowerCLI Script for Migrating Endpoint OSThis is a sample script that is written the Mirage PowerCLI. It details the procedure for migrating anendpoint OS in the Mirage PowerCLI.

param($server, $username, $password, $cvdname, $baselayername, $domain, $domainuser,

$domainpassword)

"--------Connect-MirageServer--------"


"--------Get-MirageCvd--------"

$cvd = Get-MirageCvd $cvdname | Select-Object -First 1

if (!$cvd)

{

"Can not get cvd with name $cvdname."

return

}

$cvd

"--------Get-MirageBaseLayer--------"

$baselayer = Get-MirageBaseLayer $baselayername | Select-Object -First 1


VMware, Inc. 59

if (!$baselayer)

{

"Can not get base layer with name $baselayername."

return

}

$baselayer

"--------New-MirageOsMigration--------"

$migration = New-MirageOsMigration -CVD $cvd -BaseLayer $baselayer -Domain $domain -User

$domainuser -Password $domainpassword -DownloadOnly -Force | Select-Object -First 1

if (!$migration)

{

"Fail to start download only OS migration."

return

}

$migration

"--------Wait for BI download complete--------"

$success = $false

$maxRetries = 100

$retryCount = 0

while (!$success)

{

Start-Sleep -s 20

$migration = Get-MirageOsMigration -Id $cvd.Id

if($migration.Status -eq 'DownloadComplete')

{

$success = $true

}

elseif($migration.Status -eq 'DownloadCancelled')

{

"Download only migration cancelled"

return

}

else

{

$retryCount++

if($retryCount -gt $maxRetries)

{

"Download only migration is not completed, retry times: $retryCount"

return

}

}

}

$migration

"--------Apply-MirageOsMigration--------"

$cvd = Apply-MirageOsMigration $migration

if(!$cvd)

{

"Fail to apply download only migration."

return

}


60 VMware, Inc.

"OS migration starts"

$maxRetries = 100

$retryCount = 0

while ($true)

{

Start-Sleep -s 20

$assignment = Get-MirageAssignment -CVD $cvd -TaskType 'Migration'

if($assignment)

{

if($assignment.Status -eq 'Failed')

{

"OS migration flow fails"

return

}

if($assignment.Status -eq 'Completed')

{

Get-MirageCvd -Id $cvd.Id

"OS migration flow succeeds."

return

}

}

$retryCount++


{

"Migration assignment is not created/completed, retry times: $retryCount"

return

}

}

Provision Pending Devices by Using the Mirage PowerCLIYou can provision pending devices using the Mirage PowerCLI.

Procedure




2 Select a Mirage volume for the CVD.

a Run the Get-MirageVolume cmdlet to retrieve the Mirage volumes, and note the name of the Miragevolume to assign to the CVD.

b Run the $volume = Get-MirageVolume 'VolumeName' | Select-Object -First 1 command

volume is the name you select for this variable, and VolumeName is the name of the volume that youselected for the CVD.

3 Select a Mirage policy for the CVD.

a Run the Get-MiragePolicy cmdlet to retrieve the Mirage policies, and note the name of the Miragepolicy to assign to the CVD.

b Run the $policy = Get-MiragePolicy 'PolicyName'| Select-Object -First 1 command

policy is the name you select for this variable, and PolicyName is the name of the Mirage policy thatyou selected for the CVD.


VMware, Inc. 61





5 Designate one or more pending devices for the CVD.

a Run the Get-MiragePendingDevice cmdlet to retrieve the pending devices, and note the names ofthe pending devices to assign to the CVD.

b Assign the pending devices to the $device variable.

Option Action

Assign one pending device to theCVD

Run the $device = Get-MiragePendingDevice | Select-Object -First 1 command to retrieve the pending device.

Assign one or more pending deviceto the CVD

Run the $device = Get-MiragePendingDevice $devicefilterscommand.devicefilters are the filters for the devices to include in the CVD to retrievethe pending devices.

6 Provision the pending device.

Option Action

Provision the device with domainjoin

Run the $cvd = $device | New-MirageCVD -Policy $policy -Volume $volume -BaseLayer $baselayer -Domain $domain -User$domainuser -Password $domainpassword -Provision -Forcecommand.

Provision the device with a workgroup

Run the $cvd = $device | New-MirageCVD -Policy $policy -Volume $volume -BaseLayer $baselayer -WorkGroup $workgroup-Force command.

Provision the device with domainjoin and changing device's machinename

Run the $cvd = $device | New-MirageCVD -Policy $policy -Volume $volume -BaseLayer $baselayer -Domain $domain -User$domainuser -Password $domainpassword -MachineNamePrefix$nameprefix -MachineNameStartIndex $nameindex -Provision -Force This cmd will provision the devices and change the machine namewith parameter MachineNamePrefix and MachineNameStartIndex. Forexample, if MachineNamePrefix is “newmachine-“ andMachineNameStartIndex is 100, the new machine names would benewmachine-100, newmachine-101, etc.

If Volume is not specified, the volume for the new CVD is selected automatically.

cvd is the name you select for this variable. domain is the name of the domain that the migrated CVD isjoining. domainuser and domainpassword are the login credentials for the domain that the migrated CVDis joining. workgroup is the name of the work group that you want the CVD to join.

The new CVD is created with the base layer that you specified in the New-MirageCvd command.


62 VMware, Inc.

Sample Mirage PowerCLI Script for Provisioning Pending DevicesThis is a sample script that is written in the Mirage PowerCLI. It details the procedure for provisioningpending devices in the Mirage PowerCLI.

param($server, $username, $password, $volumename, $policyname, $baselayername, $domain,

$domainuser, $domainpassword)

"--------Connect-MirageServer-------"


"----------Get-MirageVolume---------"

$volume = Get-MirageVolume $volumename | Select-Object -First 1

if (!$volume)

{

"Can not get volume with name $volumename."

return

}

$volume

"----------Get-MiragePolicy---------"

$policy = Get-MiragePolicy $policyname | Select-Object -First 1

if (!$policy)

{

"Can not get policy with name $policyname."

return

}

$policy

"---------Get-MirageBaseLayer--------"


if (!$baselayer)

{


return

}

$baselayer

"------Get-MiragePendingDevice------"

$device = Get-MiragePendingDevice | Select-Object -First 1

if (!$device)

{

"There's no pending device on Mirage server."

return

}

$device

"-----------ProvisionFlow-----------"

$cvd = $device | New-MirageCvd -Policy $policy -Volume $volume -BaseLayer $baselayer -Domain

$domain -User $domainuser -Password $domainpassword -Provision -Force

if(!$cvd)

{

"Provision flow fails"

return

}


VMware, Inc. 63

"Provision flow starts"

$maxRetries = 100

$retryCount = 0

while ($true)

{

Start-Sleep -s 60

$assignment = Get-MirageAssignment -CVD $cvd -TaskType 'DeviceProvision'

if($assignment)

{


{

"Provision flow fails"

return

}


{

Get-MirageCvd -Device $device

"Provision flow succeeds."

return

}

}

$retryCount++


{

"Provision assignment is not created/completed, retry times: $retryCount"

return

}

}

Assign a Base Layer to a CVD Using the Mirage PowerCLIYou can assign a base layer to a CVD using the Mirage PowerCLI.

Procedure




2 Select a CVD to assign the base layer.

a Run the Get-MirageCvd cmdlet to retrieve the Mirage CVDs, and note the name of the Mirage CVDfor which to assign base layer.

b Run the $cvd = Get-MirageCVD 'cvdname'| Select-Object -First 1 command.

cvd is the name you select for this variable, cvdname is the name of the CVD that you selected.


64 VMware, Inc.





4 Assign the base layer to the CVD.

a Run the Set-MirageCvd cmdlet to assign the base layer to the specified CVD.

Option Action

Download only assign base layerto the CVD

Run the $cvd = Set-MirageCvd -CVD $cvd -BaseLayer$baselayer -IgnoreWarnings -Force -DownloadOnly command.

Full assign base layer Run the $cvd = Set-MirageCvd -CVD $cvd -BaseLayer$baselayer -IgnoreWarnings -Force command.

5 (Optional) If you selected the download only assign option, query and apply the download only base

layer assignment.

a Run the Get-MirageAssignment cmdlet to retrieve the download only assignment.

b Run the Apply-MirageAssignment cmdlet to apply the assignment.

Sample Mirage PowerCLI Script for Assigning a Base Layer to a CVDThis is a sample script that is written in the Mirage PowerCLI. It details the procedure for assigning a baselayer to a CVD in the Mirage PowerCLI.

param($server, $username, $password, $cvdname, $baselayername)



"--------Get-MirageCvd--------"


if (!$cvd)

{


return

}

$cvd

"--------Get-MirageBaseLayer--------"


if (!$baselayer)

{


return

}

$baselayer

"--------Set-MirageCvd -BaseLayer--------"

$cvd = Set-MirageCvd -CVD $cvd -BaseLayer $baselayer -IgnoreWarnings -Force -DownloadOnly

if (!$cvd)


VMware, Inc. 65

{

"Fail to start download base layer."

return

}

$cvd

"--------Get-MirageAssignment--------"

$success = $false

$maxRetries = 10

$retryCount = 0

while (!$success)

{

Start-Sleep -s 20

$assignment = Get-MirageAssignment -CVD $cvd -TaskType 'DownloadOnlyBaseLayerAssignment'

if($assignment)

{

$success = $true

}

else

{

$retryCount++


{

"Download only base layer assignment is not created, retry times: $retryCount"

return

}

}

}

$assignment

"--------Apply-MirageAssignment--------"

$maxRetries = 100

$retryCount = 0

Apply-MirageAssignment -Assignment $assignment -Force

while($true)

{

Start-Sleep -s 20

$assignment = Get-MirageAssignment -CVD $cvd -Type 'BaseLayerAssignment'

if($assignment)

{


{

"Assign base layer flow fails"

return

}


{


"Assign base layer flow succeeds."

return

}

}

$retryCount++


{


66 VMware, Inc.

"Apply layer assignment is not created/completed, retry times: $retryCount"

return

}

}

Update App Layers Assigned to a CVD Using Mirage PowerCLIYou can

Procedure




2 Select a CVD that you want to update the app layers assigned to it.

a Run the Get-MirageCvd cmdlet to retrieve the Mirage CVDs, and note the name of the Mirage CVDfor which to assign base layer.

b Run the $cvd = Get-MirageCVD 'cvdname'| Select-Object -First 1 command.

cvd is the name you select for this variable, cvdname is the name of the CVD that you selected.

3 Select an app layer for the CVD.

a Run the Get-MirageAppLayer cmdlet to retrieve the Mirage app layers, and note the name of the applayer to assign to the CVD.

b Run the $applayer = MirageAppLayer 'applayername' | Select-Object -First 1 command.

applayer is the name you select for this variable, and applayername is the name of the app layer thatyou selected for the CVD.

4 Update the app layers on the selected CVD.

Option Action

Download only update app layerson the CVD

Run the $cvd = Set- MirageCvdAppLayer -CVD $cvd -AddLayer$addlayer -RemoveLayer $removelayer -IgnoreWarnings -Force-DownloadOnly command.

Full update app layer Run the $cvd = Set- MirageCvdAppLayer -CVD $cvd -AddLayer$addlayer -RemoveLayer $removelayer -IgnoreWarnings -Forcecommand.

5 (Optional) If you selected the download only update option, query and apply the download only app

layer assignment.

a Run the Get-MirageAssignment cmdlet to retrieve the download only assignment.

b Run the Apply-MirageAssignment cmdlet to apply the assignment.

Sample Mirage PowerCLI Script for Updating an App Layer on a CVDThis is a sample script that is written in the Mirage PowerCLI. It details the procedure for updating an applayer on a CVD in the Mirage PowerCLI.

param($server, $username, $password, $cvdname, $applayername)




VMware, Inc. 67

"--------Get-MirageCvd--------"


if (!$cvd)

{


return

}

$cvd

"--------Get-MirageAppLayer--------"

$applayer = Get-MirageAppLayer $applayername | Select-Object -First 1

if (!$applayer)

{

"Can not get app layer with name $applayername."

return

}

$applayer

"--------Set-MirageCvdAppLayer--------"

$cvd = Set-MirageCvdAppLayer -CVD $cvd -AddLayer $applayer -IgnoreWarnings -Force -DownloadOnly

if (!$cvd)

{

"Fail to start download app layer."

return

}

$cvd

$success = $false

$maxRetries = 10

$retryCount = 0

while (!$success)

{

Start-Sleep -s 20

$assignment = Get-MirageAssignment -CVD $cvd -TaskType 'DownloadOnlyAppLayerAssignment'

if($assignment)

{

$success = $true

}

else

{

$retryCount++


{

"Download only app layer assignment is not created, retry times: $retryCount"

return

}

}

}

$assignment

"--------Apply-MirageAssignment--------"

$maxRetries = 100

$retryCount = 0

Apply-MirageAssignment -Assignment $assignment -Force


68 VMware, Inc.

while($true)

{

Start-Sleep -s 20

$assignment = Get-MirageAssignment -CVD $cvd -Type 'AppLayerAssignment'

if($assignment)

{


{

"Update app layer flow fails"

return

}


{


"Update app layer flow succeeds."

return

}

}

$retryCount++


{

"Apply layer assignment is not created/completed, retry times: $retryCount"

return

}

}


VMware, Inc. 69


70 VMware, Inc.

Managing the Mirage Gateway Server 9The Mirage Gateway server is the secured gateway server that is deployed outside the Mirage datacenterenvironment. The Mirage Gateway server lets end users who have installed the Mirage client communicatesecurely with the Mirage servers over the Internet without using VPN configurations.

The Mirage Gateway server meets enterprise security and firewall requirements, and integrates with theMirage system with minor modifications to the Mirage system and protocol.

You can start, stop, restart, or generate the status of the Mirage Gateway server.

You run the sudo service mirage-gateway-service start command to start the Mirage Gateway server.

You run the sudo service mirage-gateway-service stop command to stop the Mirage Gateway server.

You run the sudo service mirage-gateway-service restart command to restart the Mirage Gateway server.

You run the sudo service mirage-gateway-service status command to generate the status of the MirageGateway server.

n Configuring the Mirage Gateway Server on page 72You can configure the Mirage Gateway server to communicate with the Mirage servers and theCorporate Directory Service.

n Update a Certificate for the Mirage Gateway Server Using a Command Line on page 73When a certificate expires, or if you want to use a different certificate, you can update the certificate forthe Mirage Gateway server.

n Update Mirage Gateway Web Console Certificate (Optional) on page 73

n Update a Certificate for the Mirage Gateway Server Using the Web Console on page 74You can update a certificate for the Mirage Gateway server using the Web console.

n Register the Mirage Gateway Server Manually on page 74The Mirage Gateway server might fail to register on the Mirage server during installation. You canregister the Mirage Gateway server manually.

n Protecting the Mirage Gateway Server on page 75The Mirage Gateway server runs on Linux. You must protect this host from normal OS vulnerabilities.

n Configuration Files for the Mirage Gateway Server on page 78You can view and edit the configuration file for the Mirage Gateway server. The configuration file forthe Mirage Gateway server is stored in the sub-folder etc within the installation directory.

n Using Log Files to Troubleshoot the Mirage Gateway Server on page 79Log files are an important component for troubleshooting attacks on the Mirage Gateway server, andfor obtaining status information for the Mirage Gateway server.

VMware, Inc. 71

n Remove the Mirage Gateway Server from the Mirage Management Console on page 81You can remove a Mirage Gateway server from the Mirage Management console.

n Re-Register the Mirage Gateway Server When the Status is Down in the Mirage Management Consoleon page 81The Mirage Gateway server might have the status of down in the Mirage Management console.

Configuring the Mirage Gateway ServerYou can configure the Mirage Gateway server to communicate with the Mirage servers and the CorporateDirectory Service.

You can configure the Mirage Gateway server from the Mirage Management console or the Webconfiguration portal.

To configure the Mirage Gateway server from the Mirage Management console, click System Configuration> Mirage Gateways > Configure.

To configure the Mirage Gateway server from the Web configuration portal, navigate to the Webconfiguration portal and click a configuration parameter. See the VMware Mirage Installation Guide.

You can import and export the Mirage Gateway server configuration settings by using the Mirage GatewayWeb configuration portal. You export the settings of the current Mirage Gateway server and import thesettings when you install the Mirage Gateway server on a different machine. There are common scenarioswhen you install the Mirage Gateway server on a different machine.

n Server maintenance

n Disaster recovery

n Upgrading the Mirage Gateway server

Table 9‑1. Mirage Gateway Server Configuration Parameters


Mirage server IP address or FQDN of the Mirage server.

Port Port number of the Mirage Gateway server.

Token expiration time (in hours) Login token expiration time. The token expiration timedetermines the frequency with which end users arerequired to log in to the Mirage Gateway server tocommunicate with the Mirage servers.

Use LDAPS Check box selected when using a secured LDAP serverwith TLS/SSL.

LDAP Authentication Server IP address or FQDN and port number of the LDAPauthentication server.

LDAP User DN LDAP user DN in the format: cn=username, cn=users,dc=domain, dc=com. For example, CN=Administrator,CN=USERS, DC=MIRAGEDOMAIN, DC=COM

Password LDAP bind user password.


72 VMware, Inc.

Update a Certificate for the Mirage Gateway Server Using a CommandLine

When a certificate expires, or if you want to use a different certificate, you can update the certificate for theMirage Gateway server.

Prerequisites

n Generate a certificate signing request. See the VMware Mirage Installation Guide.

n Verify that you submitted the certificate request. See the VMware Mirage Installation Guide.

n Verify that you converted the certificate file extension. See the VMware Mirage Installation Guide.

Procedure

1 Run the sudo /opt/MirageGateway/bin/cert_manage.sh command.

2 When prompted, enter the name of the certificate in theformat /opt/MirageGateway/etc/newcertname.pfx or /opt/MirageGateway/etc/newcertname.pem, wherenewcertname is the name of the new certificate.

3 When prompted, enter the certificate private key password and press Enter.

This is the password you created as part of the certificate export procedure.

Update Mirage Gateway Web Console Certificate (Optional)

Prerequisites

Deploy Mirage Gateway OVA.

Procedure

1 Log in to the Mirage Gateway command-line utility with your Mirage account.

2 Go to the following directory location:

/opt/MirageGateway/tomcat/ssl

3 To delete the older certificate files, run the following command:

order: rm tomcat.csr tomcat.cer tomcat.ks

4 Generate a certificate.

a Go to the /opt/MirageGateway/tomcat/conf folder, and open the server.xml file for editing, andsearch for the parameters:

keystorePass="vmware" maxThreads="150" SSLEnabled="true" scheme="https"

Change the value of the keystorePass parameter to your own keystore password. The defaultpassword is vmware.

Note The keystore password and key password must be the same as the password in theserver.xml file.

b Go to the following location directory location:

/opt/MirageGateway/tomcat/ssl

Chapter 9 Managing the Mirage Gateway Server

VMware, Inc. 73

c To create an untrusted certificate in a keystore file named tomcat.ks, run the following command:

keytool -keystore tomcat.ks -storepass vmware -genkey -keyalg RSA -alias tomcat -

validity 3650

d When prompted, provide the answers to the keytool questions.

e Create a certificate signing request for the Tomcat service. To create a certificate signing request inthe file tomcat.csr, run the following command:

keytool -keystore tomcat.ks -storepass vmware -certreq -alias tomcat -file tomcat.csr

5 Send the certificate signing requests to your Certification Authority.

6 When you receive the signed certificates, import them into the keystore file.

a Import the Certification Authority root certificate into the keystore file. To import the rootcertificate from the root.cer file to the tomcat.ks keystore file, run the following command:

keytool -keystore tomcat.ks -storepass vmware -import -alias root -file root.cer

b Import the certificate for the Tomcat service. To import the certificate from the tomcat.cer file to thetomcat.ks keystore file, run the following command:

keytool -keystore tomcat.ks -storepass vmware -import -alias tomcat -file tomcat.cer

7 To verify that all the certificates are imported, run the following command to view the contents of thekeystore file.

keytool -keystore tomcat.ks -storepass vmware -list

8 To restart Tomcat, run the following commands:

a Go to the /opt/MirageGateway/tomcat/bin directory location using the root account.

b To stop the Tomcat server, run ./shutdown.sh.

c To start the Tomcat server, run ./startup.sh.

Update a Certificate for the Mirage Gateway Server Using the WebConsole

You can update a certificate for the Mirage Gateway server using the Web console.

You can upload a new certificate for the Mirage in the Web console.

To upload a new certificate, navigate to the Web console and select the Certificate tab.

Register the Mirage Gateway Server ManuallyThe Mirage Gateway server might fail to register on the Mirage server during installation. You can registerthe Mirage Gateway server manually.

Procedure

1 Run the sudo /opt/MirageGateway/bin/reg.sh command.

2 When prompted, enter the Mirage server address, Mirage server port, and Mirage Gateway activationcode.


74 VMware, Inc.

Protecting the Mirage Gateway ServerThe Mirage Gateway server runs on Linux. You must protect this host from normal OS vulnerabilities.

Use spyware filters, intrusion detection systems, and other security measures mandated by your enterprisepolicies.

Ensure that all security measures are up-to-date, including OS patches.

The protection configuration codes are executed during the deployment of the OVA template.

Table 9‑2. Protection Configuration for Code MEG01


Code MEG01

Name Keeps the Mirage Gateway system properly patched.

Description By staying up-to-date on OS patches, OS vulnerabilities aremitigated.

Risk or control If an attacker gains access to the system and reassignsprivileges on the Mirage Gateway system, the attacker canaccess all CVD transferring through the Mirage Gatewayserver.


Condition or steps Employs a system to keep the Mirage Gateway system up -to-date with patches, in accordance with industry-standardguidelines, or internal guidelines where applicable.



Code MEG02

Name Provide OS protection on the MirageGateway server host.

Description By providing OS-level protection, vulnerabilities to the OSare mitigated. This protection includes anti-malware, andother similar measures.

Risk or control If an attacker gains access to the system and reassignsprivileges on the Mirage Gateway system, the attacker canaccess all CVD transferring through the Mirage Gatewayserver.


Condition or steps Provides OS protection, such as anti-malware, inaccordance with industry-standard guidelines, or internalguidelines where applicable.



Code MEG03

Name Restrict privilege user login.

Description The number of privilege users with permission to log in tothe Mirage Gateway system as an administrator should beminimal.


VMware, Inc. 75

Table 9‑4. Protection Configuration for Code MEG03 (Continued)


Risk or control If an unauthorized privilege user gains access to the MirageGateway system then the system is vulnerable tounauthorized modification.


Condition or steps Create specific privilege log-in accounts for individuals.Those accounts should be part of the local administrators'group. There should not be a shell to the account that theaccount cannot log in, and provide an invalid password forthe account.



Code MEG04

Name Implement an administrative password policy.

Description Set a password policy for all Mirage Gateway systems. Thepassword should include the following parameters:n A minimum password lengthn Require special character typesn Require periodic change of the password

Risk or control If an unauthorized privilege user gains access to the MirageGateway system then the system is vulnerable tounauthorized modification.


Condition or steps Set a password policy on each Mirage Gateway system.



Code MEG05

Name Remove unnecessary network protocol.

Description Mirage Gateway only uses IPv4 communication. Youshould remove other services, such as file and printersharing, NFS, sendmail, bind or NIC, and so on.

Risk or control If an unauthorized privilege user gains access to the MirageGateway system then the system is more vulnerable tounauthorized modification.


Condition or steps Run yast on the Mirage Gateway Suse OS. Disable allnetwork protocols under the Security and Users setting,and the Firewall setting. Retain the following three ports:n Mirage Gateway- default tcp 8000n Management- default tcp 8080n SSH- default tcp 22



Code MEG06

Name Disable unnecessary services.


76 VMware, Inc.



Description Mirage Gateway requires a minimal number of services forthe OS. When you disable unnecessary services youenhance security. This prevents the services fromautomatically starting at boot time.

Risk or control If unnecessary services are running, the Mirage Gatewaysystem is more vulnerable to network attack.

Recommended level Enterprise.

Condition or steps Disable any services that are not required. Run yast on theMirage Gateway Suse OS. Disable all network servicesexcept those related to SSHD and iSCSI under the NetworkServices drop-down menu.



Code MEG07

Name Use an external firewall in the DMZ to control

Description Mirage Gateway servers are usually deployed in a DMZ.You must control which protocols and network ports arepermitted so that communication with Mirage Gateway isrestricted to the required minimum. Mirage Gatewayautomatically does TCP forwarding to Mirage serverswithin a datacenter, and ensures that all forwarded trafficis directed from authenticated users.

Risk or control Allowing unnecessary protocols and ports might increasethe possibility of an attack by a malicious user, especiallyfor protocols and ports for network communication fromthe Internet.

Recommended level Configure a firewall on either side of the Mirage Gatewayserver to restrict protocols and network ports to theminimum set required between Mirage clients and theMirage Gateway servers.You should deploy the Mirage Gateway server on anisolated network to limit the scope of frame broadcasts.This configuration can help prevent a malicious user on theinternal network from monitoring communication betweenthe Mirage Gateway servers and the Mirage serverinstances.You might want to use advanced security features on yournetwork switch to prevent malicious monitoring of MirageGateway communication with Mirage servers, and toguard against monitoring attacks, such as ARP CachePoisoning.

Parameter or objects configuration For more information about the firewall rules that arerequired for a DMZ deployment, see the VMware MirageInstallation Guide.



Code MEG08

Name Do not use the default, self-signed server certificates on aMirage Gateway server.


VMware, Inc. 77



Description When you first install the Mirage Gateway server, the SSLserver is unable to work until signed certificates areprepared. The Mirage Gateway server and the SSL serverrequire SSL server certificates signed by a commercialCertificate Authority (CA) or an organizational CA.

Risk or control Using self-signed certificates leaves the SSL connectionmore vulnerable to man-in-the-middle attacks. Applyingcertificates to trusted CA signed certificates mitigates thepotential for these attacks.


Condition or steps For more information about setting up Mirage GatewaySSL certificates, see the VMware Mirage Installation Guide.

Test Use a vulnerability scanning tool to connect the MirageGateway. Verify that it is signed by the appropriate CA.

Configuration Files for the Mirage Gateway ServerYou can view and edit the configuration file for the Mirage Gateway server. The configuration file for theMirage Gateway server is stored in the sub-folder etc within the installation directory.

The name of the configuration file is /opt/MirageGateway/etc/MirageGateway.conf.

The log files and the process ID file are saved within the logs sub-folder within the same installationdirectory.

Read/Write privileges to these files are only given to the default Mirage user who is running the MirageGateway server.

You can protect all files to limit access privileges.

Table 9‑10. Protected Files

File Default Path

MirageGateway /opt/MirageGateway/bin

cert_manage.sh /opt/MirageGateway/bin

export.sh /opt/MirageGateway/bin

gws /opt/MirageGateway/bin

install.sh /opt/MirageGateway/bin

ptool /opt/MirageGateway/bin

GatewayStat.sh /opt/MirageGateway/bin

GatewayStatTimer.sh /opt/MirageGateway/bin

reg.sh /opt/MirageGateway/bin

sysreport_as_system.sh /opt/MirageGateway/bin

sysreport_full /opt/MirageGateway/bin

sysreport_logs /opt/MirageGateway/bin

MirageGateway.conf /opt/MirageGateway/etc

MirageGateway.pem /opt/MirageGateway/etc

config.txt /opt/MirageGateway/etc

gws.pid /opt/MirageGateway/etc


78 VMware, Inc.

Table 9‑10. Protected Files (Continued)

File Default Path

mirage_gateway_service.log /opt/MirageGateway/logs

error.log /opt/MirageGateway/logs

mirage_gateway_backend.log /opt/MirageGateway/logs

mirage_gateway_stat.log /opt/MirageGateway/logs

mirage_gateway.log /opt/MirageGateway/logs

User data /home/mirage/.mirage-gateway/

mirage-gateway-service /etc/init.d

Using Log Files to Troubleshoot the Mirage Gateway ServerLog files are an important component for troubleshooting attacks on the Mirage Gateway server, and forobtaining status information for the Mirage Gateway server.

Log files for the Mirage Gateway server are located in the /opt/MirageGateway/logs/ directory.

To increase security of the Mirage Gateway server, the log file must only grant access to the user who isrunning the Mirage Gateway process.

The format for a Mirage Gateway log is:

Date Time [Severity]: Component: Event Type: Description

This is an example of a log:

2014-04-15 03:26:33: [Error]: Auth Connector: Send: failed to send data to auth server (auth:)

2014-04-16 23:12:38: [Debug]: Gateway: Connect: coming new connection from (ip: 10.117.37.154)

2014-04-16 23:12:38: [Debug]: Gateway: Authenticate: started auth for (ip: 10.117.37.154)

2014-04-16 23:12:38: [Debug]: Auth Connector: Connect: ssl connection from (ip: 10.117.37.154)

2014-04-16 23:12:38: [Debug]: Auth Connector: Receive: reading client info from (10.117.37.154)

2014-04-16 23:12:38: [Debug]: Auth Connector: Authenticate: reading tcp auth from (ip:

10.117.37.154)

Table 9‑11. Log File Properties


Date The date that the event generated a log entry. The date is inthe local time zone of the Mirage Gateway server.The format of the date is YYYY-MM-DD.

Time The time that the event generated a log entry. The time is inthe local time zone of the Mirage Gateway server.The format of the time is HH:MM:SS

Severity The severity of the event. Then Verbosen Tracen Debugn Infon Warnn Errorn Fatal


VMware, Inc. 79

Table 9‑11. Log File Properties (Continued)


Component The sub-component of the Mirage Gateway server thatgenerated the event. For some events, the Componentproperty might not be logged.The components are:n TCP Config Parser- The parser of TCP related

configurations, for example, TCP Timeout.n Gateway Config Parser- The parser of Gateway

forwarding related configurations, for example, Mirageserver addresses and load balancing strategies.

n Auth Connector- The component that connects to thedirectory server for authentication.

n Gateway- The gateway function that accepts theconnection from the Mirage client and performs allread and write actions.

n Upstream- The gateway function that connects with theMirage server and performs all read and write actions.

Event Type The action that the Component attempted to perform. Forsome events, the Event property might not be logged.

Description A detailed explanation of the event. It may retain theinformation of other endpoints.

Table 9‑12. Log Event Type

Event Type Description

Resource Allocate Resource allocation, such as memory.

Parse Parse meaningful data, such as the configuration file.

IO Common IO events, such as port binding or duplicateconnections.

Connect Connect to, or accept a connection.

Close Close a network connection.

Receive Receive or read from a connection.

Send Send or write to a connection.

Save Save to a file or storage location.

Load Load from a file or storage location.

Forward Forward information.

Authenticate Valid date, such as certificates.

Validate Validate data, such as certificates.

Control Set parameters, such as TCP no delay.

Table 9‑13. Remote Entity

Remote Entity Type Description

ip The Mirage client.

srv The Mirage server.

auth The authentication server, for example, Active Directory.

gw The Mirage Gateway server.


80 VMware, Inc.

Remove the Mirage Gateway Server from the Mirage ManagementConsole

You can remove a Mirage Gateway server from the Mirage Management console.

Procedure

1 In the Mirage Management console, click the System Configuration node and click Gateway Servers.

2 Right-click the Mirage Gateway server you want to remove and click Remove.

3 In the confirmation message, click Yes.

Re-Register the Mirage Gateway Server When the Status is Down inthe Mirage Management Console

The Mirage Gateway server might have the status of down in the Mirage Management console.

Cause

The Mirage Gateway server was registered more than once.

Solution

1 Remove the Mirage Gateway server that has a down status from the Mirage Management console.

a In the Mirage Management console, select System Configuration > Mirage Gateways.

b Right-click the Mirage Gateway server that has a down status and select Remove.

2 Navigate to https://MirageGWIPaddress:8443/WebConsole.

MirageGWIPaddress is the IP address of the Mirage Gateway server.

3 When prompted, provide the login credentials.

The default username is mirage, and the default password is vmware.

4 Click the Mirage Server tab and enter the Mirage server address and port.

The Mirage Gateway server is registered and available in the Mirage Management console.


VMware, Inc. 81


82 VMware, Inc.

Managing the Driver Library 10You use the driver library to manage hardware-specific drivers in a separate repository, organized byhardware families.

You add drivers with an import wizard and view them in the driver library’s console.

You can configure the system to add the necessary driver library to the relevant endpoints based onmatching profiles between the library and the endpoint configuration.

The driver handling is unconnected to layers. Not having to include drivers in the layer results in smallerand more generic layers.

Mirage does not install the drivers. Mirage delivers the driver to the endpoint and Windows determineswhether to install the driver.


n “Driver Library Architecture,” on page 83

n “Managing Driver Folders,” on page 84

n “Managing Driver Profiles,” on page 86

Driver Library ArchitectureThe driver library copies drivers from the Mirage system to the endpoint. When Windows scans forhardware changes, these copied drivers are used by the Windows Plug and Play (PnP) mechanism, and theappropriate drivers are installed as required.

This diagram illustrates the driver library architecture and how rules associate drivers to endpoints.

VMware, Inc. 83

Figure 10‑1. Driver Library Architecture

Profile B

Drivers

Folder 2

Drivers

Folder n

Endpoint

Endpoint

DriversProfile A

List offolders

Rules matchmachines

Endpoint

Endpoint

List offolders

Rules matchmachines

Folder 1

n Profile A contains drivers from driver folder 1 and 2. When the profile is analyzed, the drivers fromthose folders are applied to two endpoints.

n Profile B contains drivers only from driver folder 2, which is also used by profile A. When the profile isanalyzed, the drivers from that folder are applied to only one endpoint.

The Mirage system can have multiple driver folders, multiple driver profiles, and many endpoints.

A driver profile can contain drivers from multiple driver folders and multiple driver profiles can use adriver folder.

You can apply a driver profile to one, many, or no endpoints.

The driver library is used during the following operations:

n Centralization

n Migration

n Hardware migration and restore

n Machine cleanup

n Base layer update

n Set driver library

n Endpoint provisioning

Managing Driver FoldersHardware drivers are imported and stored in driver folders in the Mirage system.

You can add driver folders to the root All folder, or create subfolders. You can also have Mirage mirror yourcurrent Driver Store folder structure.

The driver library has the following capabilities:

n You can group drivers by folder, for example, by common model. You can associate a driver withseveral folders.

n A folder can contain other folders, in a recursive hierarchy.

n You can enable or disable drivers within a folder, without deleting them.


84 VMware, Inc.

n To view a device driver’s details, right-click any driver and select Properties.

Note For best results, obtain drivers directly from vendor Web sites, or restore media.

Create Driver FoldersYou can create folders to hold related hardware drivers.

Procedure

1 In the Mirage Management console tree, expand the Driver Library node.

2 Right-click Folders or any driver folder and select Add folder.

3 Type a folder name and click OK.

Change Driver FoldersYou can rename or remove folders, or add hardware drivers to folders.

When you remove a folder, the drivers remain intact. The folder is a logical grouping of drivers that arestored on the system.

Procedure

1 In the Mirage Management console tree, and expand the Driver Library node.

2 Right-click any driver folder and select the appropriate folder option.

Option Action

Rename the folder Click Rename Folder, type the new name and click OK.

Remove the folder Click Remove Folder, and click Yes to confirm.

Add drivers to the folder Click Add drivers, select a driver and click OK.

Import Drivers to FoldersYou can import hardware drivers to driver folders to assist organization and accessibility.

Prerequisites

n Verify that the Mirage Management server has access to the UNC path where the drivers are stored.

n Verify that you extracted drivers from the archive.

Procedure


2 To select a driver import option, right-click any driver folder and select Import drivers.

Option Description

UNC path The UNC path where the drivers are stored. The path is scannedrecursively.

Keep original folder hierarchy Recreates the folder structure on your driver store in the Mirage system.

3 Click OK.

Chapter 10 Managing the Driver Library

VMware, Inc. 85

Add Drivers from the All FolderThe All folder in the driver library contains all the drivers in the library. You can add selected drivers fromthe All folder to one or more selected folders.

Procedure


2 Select the Folders > All.

3 Right-click one or more drivers, and select Add drivers to folder.

4 Select individual folders in the tree.

5 Click OK.

Managing Driver ProfilesThe driver library also contains driver profiles. A driver profile is used to select the driver folders to publishto a particular hardware model or set.

A driver profile can select one or more driver folders.

Driver profile rules check if a driver applies to a particular hardware, and can select one or more matchingdriver profiles for a device.

Create or Edit Driver ProfilesYou can define driver profiles and the rules that apply to them. The rules are used during Mirage operationsto validate the endpoints that use the profiles and check which profiles to apply to specific hardware.

Procedure

1 In the Mirage Management console tree, expand the Driver Library node, right-click Profiles, and selectAdd.

2 On the General tab, type a profile name and select the check boxes of drivers to apply in this profile.

For example, if you are building a profile for a Dell Latitude E6410, select all the driver folders thatapply to that hardware family.

3 On the Rules tab, use the drop-down menus to create specific rules for hardware families.

For example, set the Vendor to Dell, and select the appropriate OS type.

4 Click Apply to test the result set that is returned by these rules.

5 Continue to fine-tune the rules until the result set is accurate.

6 Click OK.

What to do next

After you define rules, no more work is necessary for them to function. If devices that meet these criteriaalready exist in the Mirage system, you must start a driver profile update on those systems.

Apply Driver ProfilesYou can apply newly created rules and profiles to already centralized endpoints.

The drivers are stored in one of the Mirage storage volumes in the MirageStorage directory, anddeduplication is applied. If you have multiple volumes, you can change the volume where the driver libraryis stored by editing the system configuration settings.


86 VMware, Inc.

This operation is not needed for clients added to the Mirage system after the driver library was configured.It is performed on those clients when an operation is performed that can use the driver library, includingimage updates, CVD restores, and so on.

Procedure

1 In the Mirage Management console tree, expand the Inventory node and click All CVDs.

2 Right-click one or more CVDs, or a collection, and select Apply Driver Library.

3 (Optional) Right-click a CVD and select Properties to view the assigned driver profiles of a CVD.

The driver library download progress appears in the desktop status window, the task list of theManagement console, and the transaction logs.

n A profile is selected for each device according to the rules.

n Devices that match more than one profile receive a driver store that contains a merged view of all thematching profiles.

n A warning or event, or both, is generated for devices that have no matching driver store.

Chapter 10 Managing the Driver Library

VMware, Inc. 87


88 VMware, Inc.

Deploying Multiple Storage Volumes 11Mirage provides multiple storage volume support to help manage volume congestion.

Each storage volume can contain base layers, app layers, and CVDs. CVDs are assigned to a storage volumewhen they are created. The storage volumes must be shared by the servers where Network-attached storage(NAS) permissions must be in place.

For more information about the relation between multiple servers and storage volumes, see “Using MultipleServers,” on page 103


n “View Storage Volume Information,” on page 89

n “Storage Volume Parameters,” on page 90

n “Add Storage Volumes,” on page 90

n “Edit Storage Volume Information,” on page 91

n “Remove or Unmount Storage Volumes,” on page 91

n “Mount Storage Volumes,” on page 92

n “Block Storage Volumes,” on page 92

n “Unblock Storage Volumes,” on page 92

n “Maintain Storage Volumes,” on page 93

View Storage Volume InformationYou can view information about all the storage volumes connected to the Mirage Management system.

You can view certain information about each storage volume, such as volume state, location, description,metrics, and status.

Procedure

u In the Mirage Management console tree, expand the System Configuration node and select Volumes.

For more information about storage volume parameters, see “Storage Volume Parameters,” on page 90

VMware, Inc. 89

Storage Volume ParametersYou can access the storage volume parameters from the Mirage Management console.

Table 11‑1. Mirage Storage Volume Parameters


ID Unique volume identification number set by the Mirage Management system.

Name Volume name assigned when the volume was added.

Volume State Current state of the storage volume.n Mounted. Volume is reachable and accessible.n Malfunctioned. Volume is currently unreachable and inaccessible. CVDs and base layers

on this volume cannot be accessed or used until the volume status is restored toMounted. A manual action is needed to correct the problem.

Run an SIS volume integrity check before returning the volume to the active state. See “Maintain Storage Volumes,” on page 93.

n Unmounted. Volume was temporarily disconnected by the administrator using theUnmount Volume function. See “Remove or Unmount Storage Volumes,” on page 91.

n Removing. Volume is in the process of removal from the system.

Volume Type Indicates the type of contents the volume has (Standard Volume - if it contains only CVDsand USMT & Driver Library if it contains USMT& Driver library but not limited to CVDs).

Path UNC or local path where the volume resides.

Description Description of the storage volume assigned when the volume was added. You can edit thevolume information. See “Edit Storage Volume Information,” on page 91.

Capacity (GB) Storage volume capacity in gigabytes.

Free Space (GB) Amount of free space in gigabytes available on the storage volume.

Number of CVDs Number of CVDs stored on the storage volume.

Number of Base Layers Number of base layers and base layer versions stored on the storage volume.

Status Status of the storage volume.n (blank). The storage volume is available.n Blocked. The storage volume is not used when creating new CVDs and base layers, but

continues to serve existing stored entities. See “Block Storage Volumes,” on page 92.

Add Storage VolumesYou can add storage volumes to the Mirage system.

When you add a new volume,Mirage verifies the specified path, that the volume is empty, and that thevolume supports alternative data streams.

Prerequisites

Verify that the following conditions are met:

n The user account that manages the Mirage system has access permissions to the new volume.

n The volume has sufficient privileges for the Mirage Management server and the Mirage cluster to accessthe required volume.

n The server service accesses the volume using the user credentials. In a CIFS (clustered) environment,the volume must be shared and accessible to all Mirage servers.


90 VMware, Inc.

Procedure

1 In the Mirage Management console tree, expand the System Configuration node, right-click Volumesand select Add a Volume.

Option Action

Name Type the name of the storage volume.

Path Type the server UNC path of the volume where the volume resides.

Description Type a description of the storage volume. The volume path must contain only ASCII characters.

2 Click OK.

Edit Storage Volume InformationYou can edit the volume name, description, and the UNC path in the storage volume information.

Procedure

1 In the Mirage Management console tree, expand the System Configuration node and select Volumes.

2 Right-click the required volume and select Edit Volume Info.

Option Action

Name Edit the volume name and the UNC path as needed.

Description Type a description of the volume, if needed.

3 Click OK.

Remove or Unmount Storage VolumesYou can remove a storage volume from the Mirage system or unmount it.

Removing a volume deletes a storage volume from the system.

Unmounting a volume places the volume in a non-operational status but retains the CVD and base layerdata on the volume. Verify that the volume is unmounted before you perform maintenance operations suchas integrity checks. The Volume State in the Volumes window is Unmounted.

Prerequisites

Verify that the selected volume is empty and does not contain CVDs or base layers. The remove operationfails if CVDs or base layers still reside on the volume.

Procedure


2 Right-click the required volume and select Remove Volume or Unmount Volume.


Chapter 11 Deploying Multiple Storage Volumes

VMware, Inc. 91

Mount Storage VolumesYou can activate an unmounted storage volume that is ready for reactivation.

Prerequisites

If the volume is in the Malfunctioned state, run the SIS integrity check before starting. See “Maintain StorageVolumes,” on page 93.

When using a CIFS (clustered) environment, the mounted volume must be shared and accessible to allMirage servers.

Procedure


2 Right-click the required volume and select Mount.

The Mount option is available when the Volume state is Unmounted.


Block Storage VolumesYou can block a storage volume to prevent it from being used when new CVDs or base layers are beingcreated.

Blocking a storage volume is useful when the volume reaches a volume capacity threshold or to stoppopulating it with new CVDs or base layers. Blocking a volume does not affect access or updates to existingCVDs and base layers on the volume.

Important You cannot move a CVD or a base layer to a blocked volume. You can move a CVD or a baselayer from a blocked volume.

Procedure


2 Right-click the required volume and select Block.


The Volume Status column in the Volumes window shows Blocked.

Unblock Storage VolumesYou can unblock a volume that is currently blocked. The volume can then accept new CVDs and base layersand existing data can be updated.

Procedure


2 Right-click the required volume and select Unblock.



92 VMware, Inc.

Maintain Storage VolumesWhen a storage volume reaches a certain capacity, Mirage blocks operations such as writing to a storagevolume.

When this occurs, you can:

n Increase the storage capacity by adding additional storage volumes to the Mirage Management console.Click System Configuration > Volumes to add storage volumes.

n Change the storage capacity of existing volumes in the MirageManagement console. Click SystemConfiguration > Volumes to manage storage volumes.

n Delete CVDs from a storage volume.

n Move CVDs to another storage volume.

You can configure Mirage system settings for storage volume thresholds and alerts to enable you to triggerevents in the events log. For more information, see “Configure the System Settings,” on page 41.

Additionally, inconsistencies may occur after a volume malfunction, such as following a network disconnector storage access error. Performing a Single-Instance Storage (SIS) integrity procedure may help find and fixthem.

When a volume state has changed to Malfunctioned, such as following a network disconnect or a storageaccess error, it is good practice to schedule a Single-Instance Storage (SIS) integrity procedure beforemounting the volume on the system.

This procedure might take several hours to complete depending on the number of files on the volume.CVDs residing on the volume are suspended and base layers stored on the volume are not accessible duringthat time.

The SIS integrity procedure can also be run from C:\Program Files\Wanova\Mirage Server.

Prerequisites

Verify that the volume is unmounted before performing any maintenance operations such as integritychecks. See “Remove or Unmount Storage Volumes,” on page 91.

Procedure

1 Unmount the volume using the Unmount option.

2 Run the SIS Integrity script from a Mirage server.

a Open the command window.

b Type

C:\Program Files\Wanova\Mirage Server>Wanova.Server.Tools.exe

SisIntegrity -full volume path

For example:

SisIntegrity -full \\apollo\vol100\MirageStorage

An SIS integrity check summary appears when the SIS Integrity script is completed.

Chapter 11 Deploying Multiple Storage Volumes

VMware, Inc. 93


94 VMware, Inc.

Managing Branch Reflectors 12Using Mirage branch reflectors promotes efficient distribution to branch offices and remote sites wheremultiple users share the WAN link to the data center. You can enable the branch reflector peering service onendpoint devices that are installed with a Mirage client.

The branch reflector downloads base layer images, app layers, driver files, and USMT files from the Mirageserver and makes them available for transfer to other Mirage clients in the site. Only files that reside on thebranch reflector machine's disk are transferred and files are not requested from the Mirage server at all.

In this way, files are downloaded to the branch reflector only once, and common files across base layersbecome readily available to other clients without duplicate downloads.


n “Branch Reflector Matching Process,” on page 95

n “Select Clients To Be Branch Reflectors,” on page 96

n “Enable Branch Reflectors,” on page 96

n “Configure Defaults for Branch Reflectors,” on page 97

n “Configure Specific Branch Reflector Values,” on page 97

n “Disable Branch Reflectors,” on page 98

n “Reject or Accept Peer Clients,” on page 98

n “Suspend or Resume Server Network Operations,” on page 99

n “Wake on LAN,” on page 99

n “Configure Wake on LAN,” on page 100

n “Monitoring Branch Reflector Activity,” on page 100

Branch Reflector Matching ProcessYou can enable one or more branch reflectors per site. Client endpoints detect enabled branch reflectors onthe same or different sites.

The Mirage IP detection and proximity algorithm finds a matching branch reflector using the followingprocess:

1 The algorithm first verifies that a potential branch reflector is in the same subnet as the client.

2 If the branch reflector is in a different subnet, the algorithm checks if the branch reflector is configuredto service the client subnet.

VMware, Inc. 95

See “Configure Specific Branch Reflector Values,” on page 97.

Alternatively, the algorithm can use the client site information to check that the branch reflector is in thesame Active Directory site as the client.

See “Configure Defaults for Branch Reflectors,” on page 97.

3 The algorithm checks that the latency between the branch reflector and the client is within thethreshold.

See “Configure Defaults for Branch Reflectors,” on page 97.

4 If a client and branch reflector match is found that satisfies these conditions, the client connects to thebranch reflector to download a base layer. Otherwise, the client repeats the matching process with thenext branch reflector.

5 If no match is found or all suitable branch reflectors are currently unavailable, the client connects to theserver directly.

Alternatively, to keep network traffic as low as possible, you can select Always Prefer Branch Reflectorto force clients to continually repeat the matching process until a suitable branch reflector becomesavailable. See “Configure Defaults for Branch Reflectors,” on page 97.

In this case, the client connects to the Mirage server only if no branch reflectors are defined for thespecific endpoint.

You can see the results of the Mirage IP detection and proximity algorithm for a selected CVD. See “ShowPotential Branch Reflectors,” on page 102.

Select Clients To Be Branch ReflectorsYou can select any Mirage client endpoint to function as a branch reflector, in addition to serving a user.Alternatively, you can designate a branch reflector to a dedicated host to support larger populations. Abranch reflector can run on any operating system compatible with Mirage clients.

Prerequisites

Clients that serve as branch reflectors must satisfy the following conditions:

n Connect the device that will serve as a branch reflector to a switched LAN rather than to a wirelessnetwork.

n Verify that enough disk space is available to store the base layers of the connected endpoint devices.

n Verify that port 8001 on the branch reflector host is open to allow incoming connections from peerendpoint devices.

n If the branch reflector endpoint also serves as a general purpose desktop for an interactive user, use adual-core CPU and 2GB RAM.

To determine if an endpoint has an eligible branch reflector, click the CVD Inventory tab, select a CVD, andclick Show Potential Branch Reflectors.

Enable Branch ReflectorsYou enable branch reflectors to make them available to be selected by the Mirage IP detection and proximityalgorithm for distribution to clients.

You can disable an enabled branch reflector. See “Disable Branch Reflectors,” on page 98.

Procedure

1 In the Mirage Management console tree, expand the Inventory node and select Assigned Devices.


96 VMware, Inc.

2 Right-click an endpoint device and select Branch Reflector > Enable Branch Reflector.

When a device is enabled as a branch reflector, it is listed in the Branch Reflectors window, as well asremaining on the Device Inventory window.

3 (Optional) Select System Configuration > Branch Reflectors to view which devices are enabled asbranch reflectors.

Configure Defaults for Branch ReflectorsYou can set default values of parameters that govern the behavior of branch reflectors.

The current Maximum Connections and Cache Size values apply to newly defined branch reflectors. Youcan correct them individually for selected branch reflectors. See “Configure Specific Branch ReflectorValues,” on page 97.

Other parameters in this window apply system-wide to all branch reflectors, existing or new.

Prerequisites

Verify that the branch reflector endpoint has enough disk space to support the Default Cache Size value, inaddition to its other use as a general purpose desktop.

Procedure

1 In the Mirage Management console tree, right-click System Configuration and click Settings.

2 Click the Branch Reflector tab and configure the required default values.

Option Action

Default Maximum Connections Type the maximum number of endpoint devices that can simultaneouslyconnect to the branch reflector.

Default Cache Size (GB) Type the cache size that the branch reflector allocated.

Required Proximity (msec) Type the maximum time, for example 50 ms, for a branch reflector toanswer a ping before an endpoint considers downloading through thebranch reflector. The endpoint downloads from the server if no branchreflectors satisfy the specified proximity.

Use Active Directory Sites Mirage uses subnet and physical proximity information to choose branchreflectors. Select this check box to use Active Directory site information todetermine to which branch reflector to connect.

Always Prefer Branch Reflector To keep network traffic as low as possible, select this option to force clientsto continually repeat the matching process until a suitable branch reflectorbecomes available. In this case, a client connects to the Mirage server onlyif no branch reflectors are defined. If the option is not selected, and nomatch is found or suitable branch reflectors are currently unavailable, theclient connects to the Mirage server directly as a last resort.

Wake-on-LAN The Wake-On-LAN protocol allows the administrator to start machinesfrom a dormant state (State from which you can resume. Depends on theNIC, and whether it keeps a low power state).

3 Click OK.

Configure Specific Branch Reflector ValuesNewly created branch reflectors are assigned default parameter values. You can adjust some of these valuesfor individual branch reflectors.

Default values apply to the Maximum Connections, Cache Size, and Additional Networks parameters fornewly created branch reflectors. See “Configure Defaults for Branch Reflectors,” on page 97. You can adjustthese values for a selected branch reflector.

Chapter 12 Managing Branch Reflectors

VMware, Inc. 97

Prerequisites

Verify that the branch reflector endpoint has enough disk space for the indicated cache size, in addition to itsother use as a general purpose desktop.

Procedure

1 In the Mirage Management console tree, expand the System Configuration node and click the BranchReflectors tab.

2 Right-click the branch reflector device and select Branch Reflector > Configure.

Option Action

Maximum Connections Type the maximum number of endpoint devices that can connect to thebranch reflector at the same time.

Cache Size (GB) Type the cache size in gigabytes that the branch reflector has allocated.

Additional Networks Type the networks where the branch reflector is authorized to service clientendpoints in addition to its own local subnets.

3 Click OK.

The branch reflector configuration settings take effect immediately. You do not need to restart thebranch reflector client.

Disable Branch ReflectorsYou can disable the branch reflector peering service at any time.

When a branch reflector is disabled, the device is deleted from the Branch Reflectors list. But it continues tobe available because an endpoint device remains as a regular Mirage endpoint in the device inventory.

When a branch reflector is disabled, its base layer cache is deleted.

Procedure

1 In the Mirage Management console tree, expand the System Configuration node and click the BranchReflectors node.

2 Right-click the branch reflector device and select Branch Reflector > Disable Branch Reflector.

Reject or Accept Peer ClientsWhen the branch reflector is operating slowly or is using excessive bandwidth, you can stop providingservice to its peer clients. You can resume providing service to the peer clients of a paused branch reflectorat any time.

When you use the Reject Peers feature, the branch reflector is not deleted from the Branch Reflectors list. Thebranch reflector cache is preserved.

You can use the Accept Peers feature to resume providing service to the peer clients of a paused branchreflector.

Procedure

1 In the Mirage Management console tree, right-click System Configuration, select Settings, and click theBranch Reflectors tab.


98 VMware, Inc.

2 Right-click the branch reflector device and reject or accept the peer clients.

Option Action

Reject peer clients Select Branch Reflector > Reject Peers.The branch reflector service status is set to Paused.

Accept peer clients Select Branch Reflector > Accept Peers.The branch reflector status is set to Enabled.

Suspend or Resume Server Network OperationsYou can suspend network communications with the Mirage server for the branch reflectors and for regularendpoint devices. Suspending network operations for a branch reflector still allows peer clients to downloadlayer files from the branch reflector cache, but the branch reflector cannot download new files from theserver.

When you resume network operations, the branch reflector or the individual endpoint device cancommunicate with the Mirage server cluster.

Procedure

1 In the Mirage Management console tree, right-click System Configuration, select Settings, and click theBranch Reflectors tab.

2 Right-click the branch reflector device and select Suspend Network Operations or Resume NetworkOperations.

3 (Optional) Select Connection State from the column headings drop-down menu to view which branchreflectors are connected or suspended in the Branch Reflectors window.

Wake on LANThe Wake-on-LAN protocol allows the administrator to start machines from a dormant state (State fromwhich you can resume. Depends on the NIC, and whether it keeps a low power state). A Wake-on-Lanpacket is sent during flows manually run by the customer:

A Wake-on-Lan packet is sent during flows manually run by the customer:

n Enforce Base Layer

n Provisioning

n Migration

n Assign Base Layer/Application Layer

n Restore

n Centralization

Packets are sent only if the endpoint is down when the flow is initiated. The packet is sent to the broadcastaddress by the management server. Servers will request all the branch reflectors to send wake on lan packetsin their own subnet.


VMware, Inc. 99

Configure Wake on LANThe Wake-on-LAN protocol allows the administrator to start machines from a dormant state (State fromwhich you can resume. Depends on the NIC, and whether it keeps a low power state). A Wake-on-Lanpacket is sent during flows manually run by the customer:

Prerequisites

Go to System Configuration > Branch Reflectors > Select Wake On LAN.

Make sure the infrastructure supports wake on LAN:

n Networking infrastructure

n Enable Wake On LAN in the BIOS of the endpoint

n Enable Wake On LAN in Windows

Note The following procedure is an example to show the Wake-on-LAN procedure. You can run throughany flow to automatically awaken the VM from dormant state.

Procedure

1 Log in to your Web Console.

2 Go to Pending Devices and select the dormant machine that you want to start.

3 Click Centralize Endpoint.

4 In the Select CVD Policy section of the Centralize Endpoint window, select VMware Mirage defaultCVD policy, and click Next.

5 In the Data Layer Selection section of the Centralize Endpoint window, select Do not use a base layer,and click Next.

6 In the Target Volume Selection section of the Centralize Endpoint window, Automatically chose avolume, and click Next.

The selected machine is awakened from a dormant state.

Monitoring Branch Reflector ActivityYou can monitor branch reflector and associated peer client base layer download activity. You can also showwhich branch reflectors are potentially available to a client, and the branch reflector to which it is currentlyconnected, if any.

View CVD Activity and Branch Reflector AssociationYou can view the CVD current activity and associated upload and download progress and transfer speed.

The All CVDs window shows the following information.

n CVD current activity

n Percent completed of associated upload and download progress

n Rate of transfer speed in KBps

For more information, see “Show Potential Branch Reflectors,” on page 102.

Procedure



100 VMware, Inc.

2 Right-click a CVD in the list and select Device > Go to Branch Reflectors.

View Branch Reflector and Peer Client InformationYou can view information about branch reflectors and their connected peer clients.

The Branch Reflectors window shows the following information about peer client activity.

Downloading Peers Shows how many peer clients connected to a branch reflector aredownloading the base layer from this branch reflector.

Waiting Peers Shows how many peer clients connected to a branch reflector are waiting todownload.

Endpoints in excess of the maximum number of simultaneously downloading client peers allowed for thisbranch reflector are rejected and receive their download from another branch reflector or directly from theserver. If you observe that the number of downloading peers is constantly close to the MaximumConnections, consider either increasing the Maximum Connections value or configuring another client in thesite as a branch reflector.

The Connected Peers window shows the following information about connected peers clients:

n Peer client identifiers

n Peer client current activity, for example, waiting and downloading, and the progress of that activity.

Procedure

1 In the Mirage Management console tree, right-click System Configuration, and select Settings, andclick the Branch Reflectors tab.

2 Click on a branch reflector and select Branch Reflector > Show Connected Peers.

Monitor Branch Reflector and Peer Client TransactionsYou can track branch reflector and peer client activity related to a base layer, and how much data wasacquired from a branch reflector by a peer client.

The Transaction Log window shows the following branch reflector and peer client activity related to baselayer download.

n A branch reflector downloading the base layer.

n An endpoint in which a peer client has updated its image. The properties of the Update Base Layertransaction show how much data was downloaded from the branch reflector and how much data wasdownloaded directly from the Mirage server.

The Transaction Properties window shows how much data was acquired from a branch reflector by a peerclient, for example, how much data the endpoint transaction downloaded from the branch reflector, andhow much from the server.

Procedure

n To view the Transaction log, in the Mirage Management console tree, expand the Logs node and selectTransaction Log.

n To view transaction properties, right-click a transaction line and select Update Base Layer transaction >Properties.


VMware, Inc. 101

Show Potential Branch ReflectorsYou can show which branch reflectors are potentially available to a selected client.

The Potential Branch Reflector window lists the branch reflectors that can potentially serve a selected client,in the order defined by the Mirage IP detection and proximity algorithm. See “Branch Reflector MatchingProcess,” on page 95. It also provides information about the branch reflector to which the CVD is currentlyconnected.

Table 12‑1. Potential Branch Reflectors Window Information


Serving column Green V denotes the branch connector is currently selected for theCVD by the Mirage IP Selection and Proximity algorithm.

Connection Status icon Branch reflector's connection status with the server, and whetherthe branch reflector is currently connected, disconnected,suspended, or resumed.

Connected Peers and Waiting Peers See “View Branch Reflector and Peer Client Information,” onpage 101

Maximum Connections Maximum connections to peer devices defined for the branchreflector. See “Configure Specific Branch Reflector Values,” onpage 97

Last Connection Time A branch reflector's last connection time to the server.

The Show Branch Reflectors View button opens the Branch Reflectors window with the potential branchreflectors for the CVD filtered in. See “View Branch Reflector and Peer Client Information,” on page 101.

Procedure

1 In the Mirage Management console tree, expand the Inventory node and select Assigned Devices.

2 Right-click a CVD in the list and select Branch Reflector > Show Potential Branch Reflectors.


102 VMware, Inc.

Deploying Additional Mirage Servers 13Mirage provides multiple server volume support. Enterprise organizations with large numbers of endpointdevices can add servers to the system, providing better access and efficiency where a single server is notsufficient to keep up with data storage requirements.


n “Using Multiple Servers,” on page 103

n “View Server Information,” on page 104

n “Mirage Servers Window Information,” on page 105

n “Add New Servers,” on page 105

n “Stop or Start the Server Service,” on page 105

n “Remove Servers,” on page 106

n “Integrating a Load Balancing Framework,” on page 106

Using Multiple ServersYou can use the Mirage Management server and the console to control and manage the multiple servers.

An enterprise data center can configure multiple servers in a cluster. Each Mirage server, or cluster node,supports up to 1500 CVDs when uploads are enabled, or 5000 CVDs when using the Layer ManagementOnly policy setting, depending on its actual system specifications. You can control the number of CVDspermitted on each server with the server configuration Maximum Connections option. See “ConfigureMirage Servers for SSL,” on page 48.

Load balancers are used in conjunction with the Mirage system to direct client connections to availableservers. For more information about load balancing in the Mirage system, see “Integrating a Load BalancingFramework,” on page 106. Any server that uses the Mirage file portal requires an IIS 7.0 installation.

Every server connects to every storage volume and the Mirage database. Network-attached storage (NAS)permissions must be in place.

The diagram shows how multiple servers in a cluster connect to clients via the system and load balancers.Each server shares all storage volumes and the Mirage database.

VMware, Inc. 103

Figure 13‑1. Multiple Servers and Storage Volumes

Mirage clients

Load balancer

Mirage storage volumes

MirageManagement console

Mirage database

WAN

Mirage servers

MirageManagement

servers

MongoDB

MongoDB

View Server InformationYou can view information about the servers connected to the Mirage Management system.

Procedure

u In the Mirage Management console tree, expand the System Configuration node and select Servers.


104 VMware, Inc.

Mirage Servers Window InformationMirage server information is available from the Mirage Management console.

The Servers window provides information about servers in the system.

Table 13‑1. Mirage Servers Window Information


ID Unique server identification number configured by the Mirage Management system.

Status Status of the server. Up Indicates the server is available and running. Down indicatesthat the server is not available.

Name Name of the server machine.

Status duration Amount of time that the server has been in the same status.

Connections Number of endpoints currently connected to the server.

Max Connections Maximum number of concurrent CVD connections allowed on the server. You can usethe server configuration to configure this setting. See “Configure Mirage Servers forSSL,” on page 48.Use the default setting. Different server specifications allow changing this setting. Forbest results, consult with VMware Support before changing the default settings.

Use SSL Indicates if this server is configured to have clients connect using SSL. This is a globalconfiguration.

Port: Port over which the Mirage server is configured to communicate with clients.

CPU Average percentage of CPU running for this server over a 15 minute period.

Used memory (committed) Average amount of memory in megabytes used for the server over a 15 minute period.

Physical Memory Amount of physical memory allocated for the server.

Add New ServersYou can install multiple Mirage servers on the Mirage Management system. When the server is installed, itregisters itself with the Mirage Management server and appears in the servers list.

See the VMware Mirage Installation Guide.

Procedure

1 Double-click the Mirage.server.x64.buildnumber.msi file.

The server installation starts.

2 Repeat the process for each server to install on the Mirage Management system.

Stop or Start the Server ServiceWhen you need to perform server maintenance or backup, you can stop and start a server service.

See also “Suspend or Resume Server Network Operations,” on page 99.

Chapter 13 Deploying Additional Mirage Servers

VMware, Inc. 105

Procedure

u In the Mirage Management console tree, expand the System Configuration node and select Servers.

Option Action

To stop the server service Right-click the server and select Stop Server Service. Click Yes to confirm.

To start the server service Right-click the server and select Start Server Service. The server status isUp.

Remove ServersYou can remove a Mirage server from the Mirage Management system.

Removing a server does not uninstall the server, but removes only the server from the system. It does notremove CVD data from the shared storage volumes. You must uninstall a server manually.

Procedure

1 In the Mirage Management console tree, expand the System Configuration node and select Servers.

2 Right-click the server to remove and select Remove.


Integrating a Load Balancing FrameworkAdministrators can use a load balancing framework, called VMware Watchdog, to integrate with existingload balancer servers and communicate state changes to them.

The VMware Watchdog service periodically checks if a specific server is running and can receive newconnections.

Table 13‑2. Mirage Server States

State Description

Alive Signals that a server is running and is available to receive new client connections.

Full Signals that a server has reached the maximum number of concurrent connections. Theservice is still running, but new client connections are not accepted.

Dead Signals that a Mirage server service is not responding or is not operational.

When the server state changes, VMware Watchdog calls an external command to communicate the statechange to the load balancer. You can customize and configure the command to match the particular type ofload balancer deployed in the data center. See “VMware Watchdog Service Configuration,” on page 106

By default, the Watchdog service is initially disabled. You must start the service for it to function.

The Watchdog log file is located at C:\ProgramData\Wanova Mirage\Watchdog\Watchdog.txt.

VMware Watchdog Service ConfigurationYou can configure which service and port the VMware Watchdog service monitors, the time interval (inmilliseconds), and the load balancing command to run when switching to any state.

You do this in the Watchdog configuration file, Wanova Watchdog.exe.xml, located in the C:\ProgramFiles\Wanova\Mirage server directory.

You use a default script, called NLBControl.vbs, to work with the Microsoft Network Load Balancer (NLB).This script configures Microsoft Cluster (NLB) according to the system state. It contains a list of actions forenabling or disabling traffic for a specific server.


106 VMware, Inc.

You then use the Watchdog configuration file Wanova Watchdog.exe.xml to configure the Mirage server hostuse the NLBControl.vbs script.

For each Mirage server, replace the IP address with the dedicated IP address of the server node as registeredwith the cluster manager.

Some NLB parameters are configurable through the XML file. The PollTimeMs, ServiceName, and ListenPortcommands are relevant for all load balancing scripts.

After you edit XML file settings, you must restart the VMware Watchdog service.

Note Any time that you configure an NLB port rule, you must configure it to listen on all the clustervirtual IP (VIP) addresses and not just on a specific VIP address. This configuration is required for thedefault script to work.

Table 13‑3. NBL Parameters in the Watchdog.exe XML File

Command Description Syntax

PollTimeMs Polling frequency (in milliseconds) <setting name="PollTimeMs" serializeAs="String"><value>5000</value>

ServiceName VMware server service name <setting name="ServiceName" serializeAs="String"><value>VMware Mirage Server Service</value>

ListenPort Listening port <setting name="ListenPort" serializeAs="String"><value>8000</value>

OnAliveProcess

Commands to run when the Mirage serveris open to receive new connections

<setting name="OnAliveProcess" serializeAs="String"><value>cscript.exe</value>

OnAliveArgs Arguments used for the OnAliveProcesscommands

<setting name="OnAliveArgs" serializeAs="String"><value>nlbcontrol.vbs 10.10.10.10 enable -1 </value>

OnDeadProcess

Commands to run when the Mirage serveris down

<setting name="OnDeadProcess" serializeAs="String"><value>cscript.exe</value>

OnDeadArgs Arguments used for the OnDeadProcesscommands

<setting name="OnDeadArgs" serializeAs="String"><value>NlbControl.vbs 10.10.10.10 disable -1</value>

OnFullProcess

Commands to run when the Mirage servercannot receive new connections

<setting name="OnFullProcess" serializeAs="String"><value>cscript.exe</value>

OnFullArgs Arguments used for the OnFullProcesscommands

<setting name="OnFullArgs" serializeAs="String"><value>NlbControl.vbs 10.10.10.10 drain -1</value>

Chapter 13 Deploying Additional Mirage Servers

VMware, Inc. 107


108 VMware, Inc.

Image Management Overview 14Mirage extends the image layer concept to image updates. Layers are not implemented just once duringinitial deployment. Separate app layers are used to distribute more specialized applications to specificgroups of users.

The Mirage approach to image management involves a layer life cycle, which includes base layer and applayer preparation, capture, update, and assignment processes used to synchronize endpoints.


n “Base Layers and App Layers,” on page 109

n “Layer Management Life Cycle,” on page 109

n “Hardware Considerations with Base Layers,” on page 111

n “Image Management Planning,” on page 111

Base Layers and App LayersA base layer is a template for common desktop content, cleared of specific identity information and madesuitable for mass deployment to endpoints. You can also define app layers, separate from the common baselayer, to distribute more specific applications to groups of users.

The base layer includes the operating system, service packs and patches, as well as core enterpriseapplications and their settings.

An app layer can include a single application, or a suite of applications. You can deploy app layers withother app layers on any compatible endpoint.

App layers require a base layer to be present on an endpoint, but the base layer and any app layers can beupdated independently of each other.

The app layer assignment process is wizard driven and similar to base layer assignment. App layer optionsare listed under separate nodes in CVD views, in parallel with base layer action nodes.

The base layer can still include applications directly. App layers are not needed in organizations whereeveryone uses the same applications.

Layer Management Life CycleThe base layer or app layer life cycle begins with a reference machine, where the administrator creates andmaintains the layer content.

The layer management life cycle involves layer capture from a reference machine, layer assignment toendpoints, and CVD synchronization.

VMware, Inc. 109

Figure 14‑1. Layer Management Life Cycle

Base layeror

app layer

Revisecontent

Referencemachine

Endpoint

Distributelayer

CVD

CVD

CVD Endpoint

SyncCVD Layer

swapping

EndpointLayer

capture

1 You manage and revise the base layer and app layer contents on a reference machine, throughoperations such as adding core or specific applications or patching the OS. See Chapter 15, “Preparing aReference Machine for Base Layer Capture,” on page 115.

2 You perform a base layer or app layer capture from the reference machine using the MirageManagement console. Mirage collects the data from the reference machine to create the layer, which isgeneralized for mass deployment. You give the layer a name and version. You can make multiplecaptures from the same reference machine, and store them in the Mirage server’s layer repositories. See Chapter 16, “Capturing Base Layers,” on page 119, and Chapter 17, “Capturing App Layers,” onpage 127.

3 The resulting changes in an endpoint are propagated back to the endpoint’s CVD on the server. Afterthe CVD is synchronized with the latest changes, the layer update operation for that endpoint iscompleted.

Each endpoint operates at its own pace, and this phase ends at different times for different desktopsdepending on network connectivity and whether the desktop is online or offline.

4 You initiate base layer or app layer assignment, or update, from the Mirage Management console.

n This operation first distributes and stores the revised layer at each endpoint, ready to be applied.

n It then swaps the old base or app layer on the endpoint with the new one, thereby assigning thelayer to that endpoint. The base layer, or specific applications in the app layer, are instantiated onthe endpoint.

See “Assign a Base Layer to CVDs,” on page 139 and “Assign an App Layer to CVDs,” on page 146.

When you next update the base layer or an app layer, the process begins again by generating a new versionof the layer.

If you want to move an application that is being managed by the base layer to the app layer, first capture anew base layer without that application, capture an app layer with that application, then assign the newbase layer and app layer to the endpoints.

The management life cycle for base layers is policy driven. For example, the Upload policy that belongs tothe reference CVD contains system rules that determine which elements of the reference machine are notincluded in the base layer. Similarly, the Base Layer Rules policy determines which elements of the baselayer are not downloaded to endpoints. Both policies contain system-defined defaults, which are typicallysufficient for standard deployments. You can also add custom rules to the policy. See “Working with BaseLayer Rules,” on page 120.


110 VMware, Inc.

Hardware Considerations with Base LayersYou can create generic base layers for use on hardware families with the Mirage driver library feature. Youcan maintain a minimum number of generic base layers and use driver profiles to apply the appropriatehardware drivers.

Virtual Machine SupportA common Mirage situation is reassigning a CVD from a physical machine to a virtual machine, and thereverse. You can then download a CVD to a workbench virtual machine at the data center fortroubleshooting purposes.

Most virtualization platforms include integration components to enhance the experience of working on avirtual machine, for example, VMware Tools. These components are also part of a virtual machine baselayer.

Use a separate base layer for the virtual machine, especially if the integration features are part of the baselayer, for example, VMware Tools.

Special Case Hardware DriversCertain hardware drivers include installation programs that make them incompatible for pre-installation ina base layer, for example, Bluetooth Driver installation and Wireless-over-USB. You can install these driversusing a special script that Mirage starts after a base layer is applied. Mirage then reports failures to themanagement service at the data center.

Image Management PlanningWhen you build a reference machine, you must select the core software to include in the base layer carefully,as this software is distributed with the base layer to all end users.

Software considerations apply for image management and special instructions for specific softwarecategories. See “Reference Machine Software and Settings,” on page 116.

System-Level SoftwareFor best results, include the following applications in the base layer:

n Antivirus and security products

n VPN or other connectivity software, such as iPass

n Firewalls

n Windows components and frameworks, such as .NET and Java

n Global Windows configuration and settings changes

System-level software is sensitive to conflicting software. Endpoints must not receive conflicting softwarethrough other distribution methods. If a certain type of system-level software, for example an antivirus, isdistributed with a base layer, do not distribute different versions of the same software or conflictingsoftware through other software distribution mechanisms, and the reverse.

Include the organization VPN, antivirus, firewall applications, and the driver store in the minimal restoreset.

Chapter 14 Image Management Overview

VMware, Inc. 111

Software LicensingThe base layer generally includes core applications that an organization uses, while more specializedapplications are typically distributed with app layers. Verify that the software is suitable for massdistribution and uses a volume license that does not require machine-specific identification or individualmanual activation.

Certain applications are protected by hardware-based identification methods or a unique license key thatresides on the endpoint, for example, in a license file, and must not be distributed with the base or app layeror installed on the reference machine. The user can still install these applications on the endpoint or throughsoftware distribution solutions that target individual endpoints.

Most enterprise software is protected by a floating or volume license that eliminates this problem.

User-Specific SoftwareOn the reference machine, install software as an administrator, and if the option exists, install software forall users. Exclude user profiles on the reference machine from the base layer so that you do not distributethem. Do not distribute software installed exclusively for a specific user, because it might not functionproperly.

For example, the Google Chrome default installation is to the current user profile. Make sure you install itfor All Users if it is to be included in the base layer.

To ensure the presence of an application shortcut on the end user’s desktop or Programs menu, verify thatthe shortcut is correctly created when the application is installed on the reference machine. If it is not, createthe shortcut manually in the All Users profile.

Applications that set up and use local user accounts or local groups, or both, might not function well onendpoints when the base layer is applied to them. Consequently, you must exclude definitions of local useraccounts and local groups from the base layer.

OEM SoftwareMany hardware vendors include special software to enhance the user experience of their platforms. Theseapplications can support specific hardware buttons, connection management capabilities, powermanagement capabilities, and so on.

To include special software as part of the base layer, use the base layer only for compatible hardware. Do notpreinstall hardware-specific software on a single base layer that you want to use for multiple hardwareplatforms.

Use App layering for OEM software.

Endpoint Security SoftwareMirage does not distribute software that changes the Master Boot Record (MBR). Full disk encryptionsoftware usually modifies the MBR, so this type of software cannot be delivered with a base layer. Suchsoftware can still be installed on individual endpoints through an external delivery mechanism or duringfirst-time provisioning.

Examples of disk encryption software that use pre-boot authentication are Checkpoint Full Disk Encryption,PGPDisk, Sophos SafeGuard, and McAfee Endpoint Encryption.

Note Mirage requires certain full disk encryption applications to be pre-configured before performing aWindows 7, Windows 8.1, or Windows 10 migration.


112 VMware, Inc.

Certain security software products take measures to protect their software and do not allow other processesto modify their files. Software of this type cannot be updated through Mirage. Instead, you must use theupdate process recommended by the security vendor to implement central control and management of thatsoftware. Mirage does not interfere with or manipulate the operation of these security products, and doesnot override the security measures they provide.

BitLocker SupportMicrosoft BitLocker, in Windows 7, Windows 8.1, and Windows 10, performs full disk encryption and isfully compatible with Mirage. The state of BitLocker is maintained and managed on each endpoint and doesnot propagate to the Mirage CVD in the data center.

After you use Boot USB to perform a bare metal restore, the BitLocker state is not preserved and themachine is not encrypted.

You can use BitLocker scenarios:

n If BitLocker is enabled on the target endpoint. BitLocker remains enabled after Mirage restore, baselayer update, or rebase operations, regardless of the BitLocker configuration in the original endpoint onwhich the CVD was running, or on the reference machine from which the base layer was captured.

n If BitLocker is disabled on the target endpoint, it remains disabled after Mirage restore, base layerupdate, or rebase operations.

Important When you build a Windows 7, Windows 8.1, or Windows 10 base layer for migration purposes,verify that BitLocker is disabled on the reference machine. Otherwise the migration operations cannot becompleted.

Chapter 14 Image Management Overview

VMware, Inc. 113


114 VMware, Inc.

Preparing a Reference Machine forBase Layer Capture 15

A reference machine is used to create a standard desktop base layer for a set of CVDs. A base layer on thereference machine usually includes operating system updates, service packs and patches, corporateapplications for all target users to use, and corporate configuration and policies.

The reference machine used for app layer capture does not generally require advance preparation. Certainguidelines apply for special circumstances. A base layer does not have to be present on the referencemachine for app layer capture purposes. For more information, see “Prepare a Reference Machine for AppLayer Capture,” on page 128 and “Recreate a Reference Machine from a Base Layer,” on page 117.


n “Set Up the Reference Machine,” on page 115

n “Reference Machine Data Considerations,” on page 116

n “Reference Machine Software and Settings,” on page 116

n “Recreate a Reference Machine from a Base Layer,” on page 117

Set Up the Reference MachineYou assign a pending device as a reference CVD and configure it with applications and settings for a baselayer that applies to a set of endpoints. After the reference machine is built and configured, the installedMirage client uploads its content to an assigned reference CVD, which is used to capture a base layer.

Note If you are managing Point of Sale devices, set up physical reference machines for layer captureoperations.

A pending device that is assigned as a reference machine is moved from the Pending Devices list to theReference CVDs view.

Caution Files and settings from the reference machine are captured in the base layer, and are thendistributed to a large number of endpoint desktops. To avoid unintended consequences, make sure theconfiguration is appropriate for mass distribution.

Procedure

1 In the Mirage Management console tree, expand the Inventory node and select Pending Devices.

2 Right-click the reference machine to be assigned and select Create a new Reference CVD.

3 Select the required upload policy and click Next.

VMware, Inc. 115

4 Select a base layer and click Next.

Option Description

Don’t Use a Base Layer For first-time use, when no base layer exists.

Select Base Layer from List You select an existing base layer to apply updates and modify content.

5 Select a volume and click Next.

6 Click Finish.

The device is moved from the Pending Devices list to the Reference CVDs view.

After the reference machine is configured with applications and settings for a base layer, you can use it tocapture a base layer.

Reference Machine Data ConsiderationsA base layer consists of all the files in the reference CVD, excluding a list of files and registry entriesspecified in the Base Layer Rules policy. The excluded items are the factory policy combined with user-customized base layer rules.

All the data placed on the reference machine is downloaded as part of a base layer. Keep the followingconsiderations in mind when you use reference machines.

n Directories that reside directly under the root (C:\) are by default included in the base layer. Do notleave directories in the root that you do not want in the base layer.

n Avoid storing unnecessary data on the reference machine. Unnecessary data can consume excessivedisk space on the endpoints.

n Verify that the Documents and Settings directory does not contain abandoned user profile directories. Ifan old user directory exists under the Documents and Settings directory and no user profile isregistered for it in the system, the system considers it a regular directory and treats it as part of the baselayer.

n The base layer captures the power options of the reference machine. Verify that the selected poweroptions are supported on the target devices.

You can exclude specific areas of the reference machine from the base layer. See “Working with Base LayerRules,” on page 120.

Reference Machine Software and SettingsThe software installed on the reference machine becomes part of the base layer that you capture. When youdeploy the base layer to other endpoints, those software and settings are delivered to those endpoints aswell.

Software ConsiderationsConsider the following items before you decide on the software to include in your base layers:

n Do not include software that is licensed specifically to individual pieces of hardware, or whose licensesare tied to the hardware.

n If the reference machine contains OEM software, you can deploy that base layer only to endpoints of thesame hardware family. This restriction is because OEM software is tied to specific hardware vendors,makes and models.


116 VMware, Inc.

n The following items are examples of core corporate software that is typically the most commonlyincluded software in a base layer:

n Antivirus

n VPN client

n Microsoft Office

n Corporate applications to be used by all target users

Departmental applications should generally be distributed through app layers.

n You can install disk encryption software on the reference machine, but it must not be part of thebase layer. Always deploy disk encryption software to the endpoints after.

n It is recommended that you include in the base layer all .NET Framework versions that might berequired by target endpoints. For example, some users might have applications that require .NETFramework 3.5, and some users might have applications that require .NET Framework 4.0. Includeboth .NET Framework versions in the base layer.

For additional software considerations, see “Image Management Planning,” on page 111.

System-Wide SettingsSystem-wide settings are transferred from the reference machine to all machines that receive the base layer.

n Check which settings are required and configure them accordingly.

n In special cases, you can add specific exclusion rules to the Base Layer Rules policy. See “Working withBase Layer Rules,” on page 120.

n For more detailed control outside the base layer configuration, you can use Active Directory GroupPolicy Objects (GPOs) to configure settings.

n Disable automatic updates of Windows Store Applications on reference machines. If automatic updatesof Windows Store Applications is enabled on reference machines, base layers or app layers might becaptured in the middle of an update.

Examples of settings in the reference machine are power management, remote desktop settings, and servicestartup options.

Domain Membership and Login SettingsIf the target endpoints assigned to the base layer are members of a domain, verify that the followingconditions are in place:

n The reference machine used for this base layer is a member of the same domain. Otherwise, users of thetarget endpoints are prevented from logging in to the domain and only local users can log in.

n The Net Login service is set to start automatically.

n To keep the reference machine clear of user-specific information, ensure that you do not log in to thereference machine using a Mircrosoft liveID account.

Recreate a Reference Machine from a Base LayerWhen you want to update a base layer, but the reference machine that was used to create the original baselayer is not available, you can recreate the original reference machine from the existing base layer.

Procedure

1 In the Mirage Management console, expand the Image Composer node and select the Base Layers tab.

2 Right-click the base layer and select Create Reference CVD from layer.

Chapter 15 Preparing a Reference Machine for Base Layer Capture

VMware, Inc. 117

3 Select a pending device and click Next.

4 Select an upload policy and click Next.

5 Click Finish.

What to do next

Use a Mirage restore operation to download and apply the image of the original reference machine to aselected device to serve as a new reference machine. See “Restoring to a CVD After Hard Drive Replacementor Device Loss,” on page 170. You then update or install core applications and apply security updates on thenew reference machine before you capture a new base layer using the existing reference CVD.


118 VMware, Inc.

Capturing Base Layers 16After you set up the base layer for a reference machine, you can capture a base layer from it so thatendpoints can be updated with that content.

The base layer capture process creates a point-in-time snapshot of the data and state of the live referencemachine, generalized for mass deployment.

A similar process is employed to capture app layers.

You can use a custom post-base layer script called post_core_update.bat to perform certain actions after thebase layer update.


n “Capture Base Layers,” on page 119

n “Working with Base Layer Rules,” on page 120

n “Applying a Base Layer Override Policy,” on page 122

n “Post-Base Layer Assignment or Provisioning Script,” on page 124

Capture Base LayersAfter the reference machine is centralized to a reference CVD on the Mirage server, you can capture a newbase layer from that reference CVD. You can capture the base layer from either an existing reference CVD, ora new reference CVD as a new source of layer capture.

Prerequisites

When you create a base layer to be used in a Windows 7, Windows 8.1, or Windows 10 migration, make surethe base layer requirements are satisfied. Restart the reference machine (if the Windows updates requirerestart to complete the installation) before starting the base layer capture process.

Procedure

1 In the Mirage Management console, select Common Wizards > Capture Base Layer.

2 Select the capture type, and an existing CVD or pending device, and click Next.

Option Action

Use an existing reference CVD a Select to capture a base layer from an existing CVD.b Select the reference CVD from which you want to capture the base

layer.

Create a new reference CVD a Select this to create a new source of layer capture.b Select the pending device and the upload policy to use for this

reference CVD.

VMware, Inc. 119

3 Select the base layer capture action to perform and click Next.

Option Action

Create a new layer Select this option and specify the new base layer details.

Update an existing layer Select this option and the base layer to update.

4 Fix validation problems, click Refresh to make sure they are resolved, and click Next.

5 (Optional) If Microsoft Office 2010 or Microsoft 2013 is installed on the reference machine, specify yourMicrosoft Office 2010 or Microsoft Office 2013 license keys and click Next.

6 Click Finish to start the capture process.

7 Click Yes to switch to the task list view where you can monitor the progress of the capture task.

When the task is finished, the base layer is moved to the Base Layers list under the Image Composer nodeand you can apply the capture to endpoints. See Chapter 18, “Assigning Base Layers,” on page 135.

Working with Base Layer RulesBy default, the base layer is applied to the endpoints. You can define rules to exclude specific content in thebase layer from being applied and include specified subsets of that content.

The system employs a built-in default rule set for production use. You can define a draft rule set, or edit arule set. You can test a draft rule set, and when you are satisfied, define it as the default. Only the rule setcurrently defined as the default applies for base layer capture purposes.

When a draft rule set is being tested, only the selected CVD is affected. Other CVDs still use the default ruleset, so the production environment is not affected.

You can also define Override policies to prevent specific endpoint content from being overwritten by thebase layer. See “Applying a Base Layer Override Policy,” on page 122.

View Layer Rule SetsYou can select a rule set to view the details of the rule set.

Procedure

1 In the Mirage Management console, expand the Image Composer node and select Layer Rules.

2 Right-click a layer rule set and select Properties.

A read-only Layer Rules Details window displays the rule details.

Create a Rule Set based on an Existing Rule SetYou can create a copy of a selected rule set with its original details and a new name. You can edit thecontents of the rule set. A new Draft layer rule set is listed in the Layer Rules list.

Procedure


2 Right-click a layer rule set and select Clone.

3 (Optional) Select the Show factory rules checkbox if you want to view the Mirage mandatory settingsthat the administrator cannot change. Factory rules are dimmed in the rules list.


120 VMware, Inc.

4 Configure Do Not Download rules and rule exceptions.

Option Description

Rules list Defines the files and directories on the reference machine that must not beapplied to the CVD.

Rule Exceptions list Lists specific files and directories within the directories to be excluded thatmust be applied.

For example:

C:\Windows\* in the Rules list will exclude all Windows directories and files.

You can then apply only certain system DLLs in C:\Windows by typing specific paths in the RuleExceptions list, such as: c:\Windows\system32\myapp.dll.

All files not matching a rule in the Rules list are applied to the CVD.

Option Action

Add a new rule or a rule exception a Click Add next to the relevant list.b Type the rule or exception details, and click OK.

Edit a rule or rule exception a Select the rule or rule exception line.b Click Edit next to the relevant list.c Correct the rule or exception details, and click OK.

Remove a rule or exception Select the rule or exception line and click Remove next to the relevant list.

5 When you are finished working with this rule set, click OK.

What to do next

Consider whether override policies are needed to prevent specific problems. See “Applying a Base LayerOverride Policy,” on page 122.

Test the rule set as a draft on several base layers. See “Test a Draft Layer Rule Set on a Test Machine,” onpage 121.

When you are satisfied with the changes, you can define the new layer rule set as the Default rule set. See “Set the Default Rule Set,” on page 122.

Test a Draft Layer Rule Set on a Test MachineIt is good practice to test a rule set as a draft on several base layers.

When a draft rule set is being tested, only the selected CVD is affected. Other CVDs still use the default ruleset, so the production environment is not affected.

Prerequisites

You can only test rule sets with Draft status. To test changes to the Default rule set, first create a clone of thatrule set with the changes you want for testing purposes, then define that new rule set as the Default if thetesting is satisfactory. See “Create a Rule Set based on an Existing Rule Set,” on page 120.

Procedure


2 Right-click the layer rule set to test and select Test Rules Draft.

3 Select the CVD on which you want to test the selected layer rules and click Next.

4 Select the base layer to use for the test.

5 Click Finish.

Chapter 16 Capturing Base Layers

VMware, Inc. 121

Test the Default Rule SetYou can only test rule sets with Draft status. To test changes to the Default rule set, first create a clone of thatrule set with the changes you want for testing purposes, then define that new rule set as the Default if thetesting is satisfactory.

Set the Default Rule SetWhen you make changes to a rule set or create a rule set and you are satisfied with the changes, you candefine the new layer rule set as the Default rule set.

Procedure


2 Right-click a Draft rule set and select Set As Default.

The rule set has the status Default and replaces the previous default rule set for base layer capturepurposes.

Applying a Base Layer Override PolicyYou can define an override policy that allows the base layer to distribute a file only if the file does not existin the CVD. You can also define an override policy for registry values and registry keys.

An override policy overcomes problems that can arise when base layers are updated, making it possible forcertain CVD files to remain the same across base layer updates.

Add a Base Layer Override Rule SetYou can add a Do Not Override by Layer rule. This rule allows the base layer to distribute a file only if itdoes not exist in the CVD, and makes it possible for certain CVD files to remain the same across base layerupdates.

The same syntax apply as for layer rule sets. See “Create a Rule Set based on an Existing Rule Set,” onpage 120.

Procedure


2 Select a base layer rule set.

The same syntax for layer rule sets applies to a base layer rule set.

3 Scroll to and configure the Do Not Override By Layer rules and rule exceptions.

Option Description

Rules list Defines the files and directories on the reference machine that must not beapplied to the CVD.

Rule Exceptions list Lists specific files and directories within the directories to be excluded thatmust be applied.


122 VMware, Inc.

All files not matching a rule in the Rules list are applied.

Option Action

Add a new rule or a rule exception a Click Add next to the relevant list.b Type the rule or exception details, and click OK.

Edit a rule or rule exception a Select the rule or rule exception line.b Click Edit next to the relevant list.c Correct the rule or exception details, and click OK.

Remove a rule or exception Select the rule or exception line and click Remove next to the relevant list.

4 When you are finished working with this rule set, click OK.

Base Layer Override ExamplesYou can construct base layer override policies to address issues that might occur when base layers areupdated.

Avoid Incompatibility When CVD and Base Layer Applications Share a ComponentA base layer update can cause a shared component to be unusable by an application that does not supportthe new component version.

Microsoft Office and Microsoft Visual Studio have a common shared component. Office is part of the baselayer but Visual Studio is user-installed and part of the layer that maintains user-installed applications anduser machine information.

Microsoft Visual Studio includes a newer version of the shared component that is backwards compatiblewith Office, but the Microsoft Office component version is too outdated for Microsoft Visual Studio.

Without an override policy, every base layer update that occurs after Microsoft Visual Studio is installedmight corrupt the Microsoft Visual Studio installation.

Procedure


2 Add the path of the component to the Do Not Override By Layer policy section.

The following behavior is enforced:

n If the user first installs Microsoft Visual Studio and then receives Microsoft Office with a base layerupdate, Mirage recognizes that the component file already exists and does not override it, leaving thenewer version.

n If the user first receives the base layer update, the component file does not exist and is downloaded aspart of Microsoft Office. If the user then installs Microsoft Visual Studio, the newer version of theshared file is installed, and Microsoft Office and Microsoft Visual Studio function properly.

Avoid Losing Customizations at Initial Provisioning of a Global Configuration FileA base layer update can cause local customization of shared files to be lost.

Lotus Notes has a configuration file that is placed under the Program Files directory that is shared across allusers. The base layer must initially provision the file for Lotus Notes to function properly. However, the fileis then modified locally to maintain the user configuration.

Without a base layer override policy, each base layer update or Enforce All Layers operation causes usercustomization to be lost.


VMware, Inc. 123

Procedure


2 Add the configuration file path to the Do Not Override By Layer policy section.

The base layer version of the file is provisioned to users who receive Lotus Notes for the first time, but is notdelivered to existing Lotus Notes users.

Overriding Registry Values and KeysYou can apply a base layer override policy for setting registry values and registry keys.

Overriding Registry ValuesRegistry values behave similarly to files.

n If a registry value exists, it is not overwritten.

n If the registry value does not exist, its content is distributed with the base layer.

Overriding Registry KeysRegistry keys behave uniquely.

n If a registry key path is included in the Do Not Override By Layer policy section, and the key exists inthe CVD and the base layer, the key, including its subkeys and values, is skipped entirely in the baselayer update.

n If the key does not exist in the CVD, it is handled normally and delivered with all of its subkeys andvalues with the base layer.

Post-Base Layer Assignment or Provisioning ScriptYou can include a custom post-base layer script in the base layer capture. This script perform certain actionsrequired after a base layer update, such as installing software that must be run on the individual endpoint,or updating or removing hardware drivers that might already exist on the endpoint. You can also use a post-base layer script following a layer provisioning operation.

Software required to be run on the individual end point can include hardware-specific software that iscompatible with only certain endpoints.

The client installation includes a default sample script that does not perform post-base layer script actions.

The client continues to run the post-base layer script at every startup, until the first upload following thebase layer update is finished. This ensures that the state of the CVD on the server includes the result of thepost-base layer script. This process is also done for every enforce base layer operation.

Caution The script must include the relevant checks and conditional clauses so that any parts that requireone-time execution are not run again.

Prerequisites

The post-base layer script file and auxiliary files used or called by the script are captured as part of the baselayer and distributed to the endpoints. Verify that the auxiliary files are placed in the same directory as thescript or another directory that is captured in the base layer.


124 VMware, Inc.

Procedure

1 After a base layer update operation, create a file called post_core_update.bat under the %ProgramData%\Wanova\Mirage Service directory.

OR

After a layer provisioning operation, create a file called post_provisioning.bat under the %ProgramData%\Wanova\Mirage Service directory.

2 Edit the file on the reference machine to perform the required post-deployment actions on the endpoint.

To monitor the execution of the post-base layer script, the client reports events to the central managementservice if the script returns an error value other than zero.


VMware, Inc. 125


126 VMware, Inc.

Capturing App Layers 17You can provide sets of more specialized applications to specific users through app layers, independent ofthe core applications that are generally distributed with the common base layer.

You can capture an app layer that contains a single application, or a suite of applications from the samevendor. You can create app layers to include applications relevant for a specific department or group. Youcan combine app layers with other app layers and deploy them on any compatible endpoint.

You define and deliver app layers by capturing an app layer and then assigning them to endpoints. SeeAssigning App Layers.

The app layer capture process creates a snapshot of designated applications installed on a live referencemachine, which is generalized for mass deployment.

You can use a CVD as the reference CVD for app layer purposes. A base layer does not need to be present onthe reference machine.

See Base Layers and App Layers and Layer Management Life Cycle.


n “App Layer Capture Steps Overview,” on page 127

n “Prepare a Reference Machine for App Layer Capture,” on page 128

n “Performing the App Layer Capture,” on page 129

n “What You Can Capture in an App Layer,” on page 132

n “Capturing OEM App Layers,” on page 133

n “Capture Multiple Layers on a Virtual Machine,” on page 134

n “Create a Post-App Layer Deployment Script,” on page 134

App Layer Capture Steps OverviewCapturing a single app layer involves several procedures.

For information about capturing multiple app layers, see “Capture Multiple Layers on a Virtual Machine,”on page 134.

Prepare the Reference MachineA standard reference machine is required for capturing an app layer. A virtual machine is suitable forcapturing most applications.

See “Prepare a Reference Machine for App Layer Capture,” on page 128.

VMware, Inc. 127

Capture the Pre-install StateAfter the reference machine is ready, capture the pre-installation state of the machine.

See “Start an App Layer Capture,” on page 130.

Install the ApplicationsWhen the pre-installation state of the machine is captured, you install the applications to be captured, applyany application updates and patches, and customize global settings or configurations.

n “Install Applications on the Reference Machine,” on page 130

n “What You Can Capture in an App Layer,” on page 132

n “Capturing OEM App Layers,” on page 133

n “Application Upgrades,” on page 128

Capture the Post-Install StateAfter applications are installed, updated and configured, complete the capture. This process uploads theapp layer to the Mirage server and adds it to the list of available app layers in the Management console. Formore information, see “Create Layers Post Scan,” on page 131.

Test the App Layer DeploymentBefore you deploy app layers to many endpoints, test each captured app layer by deploying it to a selectedsample of target endpoints to verify that the applications work as expected on these endpoints afterdeployment.

Deploy the App LayerAfter testing is completed, the app layer is ready for deployment to any selected collection of targetendpoints. See Chapter 19, “Assigning App Layers,” on page 145.

Application UpgradesWhen a new version of an application is available, you can replace the existing app layer with a new layer.

1 Capture the upgraded application in an app layer, together with any other applications or updatesrequired at that time. As described in this procedure, start with a clean reference machine and capturethe installed new application.

2 After you have a new app layer, update the layers to replace the old app layer with the new app layer.See Chapter 19, “Assigning App Layers,” on page 145.

Prepare a Reference Machine for App Layer CaptureThe reference machine for app layer capture should have a standard installation of the required operatingsystem. Other advance preparation is not required. Certain guidelines apply for special circumstances.

Prerequisites

Verify that the following conditions exist for special circumstances:

n A virtual machine is created for capturing all except hardware-specific app layers.

n The reference machine has a standard installation of the required OS, for example, Windows XP,Windows 7 32-bit or Windows 7 64-bit, Windows 8.1 32-bit or Windows 8.1 64-bit, or Windows 10 (64-bit).


128 VMware, Inc.

n App layers are deployed to compatible OS versions. You must capture app layers separately forWindows XP, Windows 7 32-bit, Windows 7 64-bit, Windows 8.1 32-bit, Windows 8.1 64-bit, Windows10 (64-bit). An app layer captured on Windows 7 cannot be deployed on a Windows 8.1 (32-bit or 64-bit)machine, and the reverse. An app layer captured on Windows 8.1 32-bit cannot be deployed toWindows 8.1 64-bit, and the reverse.

n Avoid software in the standard state of the reference machine that have the following characteristics:

n Can cause changes to be made to the machine while you are installing the applications.

n Is auto-updating. If you cannot avoid auto-updating software, try to disable the auto-updatefeature of any pre-existing software. For example, turn off automatic Windows Update installationand automatic anti-virus definition updates.

n If you plan to capture a .NET-based application that uses a version of .NET not included in the standardWindows OS you installed, install the required .NET Framework in the clean reference machine beforeyou start the capture and install your application. Deliver the .NET Framework itself through the baselayer, if possible.

n Verify that the standard reference machine is similar in content to the base layers used throughout theorganization, for example, with the same Windows service pack version and .NET Framework versionas the base layer.

n Disable automatic updates of Windows Store Applications and the Windows operating system onreference machines. If automatic updates of Windows Store Applications are enabled on referencemachines, base layers or app layers might be captured in the middle of an update.

n If automatic updates of Windows Store Applications are enabled on reference machines, partiallyinstalled Windows updates might be recorded as part of the base layers or the app layers captureprocess, which lead to unexpected behavior on the endpoints.

Procedure

1 Install the Mirage client on the reference machine.

The virtual machine device state is Pending Assignment in the Mirage Management console.

2 Restart the reference machine.

Restarting assures best scan performance when you are capturing app layers.

What to do next

Continue to capture the pre-install state of the machine. See “Start an App Layer Capture,” on page 130.

Performing the App Layer CaptureThe app layer capture process starts with a pre-scan of the reference machine, installing the applications,and a post-scan.

n The pre-scan creates an image of the reference machine before the required applications are installed.See “Start an App Layer Capture,” on page 130.

n The application installation installs the required applications on the reference machine that was selectedin the pre-scan. See “Install Applications on the Reference Machine,” on page 130.

n The post-scan creates an image of the reference machine after the required applications are installed.The system then detects all changes following the installation and starts the capture process. See “Create Layers Post Scan,” on page 131.

Chapter 17 Capturing App Layers

VMware, Inc. 129

Start an App Layer CaptureThe pre-scan step creates an image of the reference machine before the required applications are installed.

Follow the prompts to remove any validation warnings or errors.

Prerequisites

You can use any CVD as the reference CVD for app layer purposes.

The Mirage client is installed on a clean reference machine.

A base layer does not need to be present on the reference machine.

Procedure

1 In the Mirage Management console, select Common Wizards > Capture App Layer.

2 Select a pending device from which to capture an app layer and click Next.

3 Select an upload policy and click Next.

If you do not make an Upload policy selection, a default upload policy value applies.

4 Follow the prompts to remove validation warnings or errors and click Next.

The validations ensure that the machine is ready for capture.

5 Click Finish to start the pre-scan capture process.

A message appears asking if you want to switch to the task list view to follow the progress of thecapture task in the Task list.

When the task is complete, the app layer is moved to the App Layers list under the Image Composer node.The pre-scan processing starts. A progress window shows the Pre-Install State Capture progress. Alertsshow the process stage.

The Task Monitoring window shows a Capture App Layer task, from which you can monitor the operationprogress and status.

Note If you miss the message, check that the red recording icon appears on the Mirage icon before youstart installing applications.

What to do next

When the Finished capturing pre-installation system state message appears, you can installapplications to the reference machine. See “Install Applications on the Reference Machine,” on page 130.

Install Applications on the Reference MachineThe application installation step installs the required applications on a reference machine.

After the pre-scan step is completed, the client notifies you that you can install applications.

Caution Any file or registry change that you make inside the captured area will be part of the app layerand applied to endpoints when you deliver the app layer. The Mirage policy can configure this area. Avoidputting sensitive information in the reference machine used for capturing app layers that you do not want todistribute to other devices.

See “What You Can Capture in an App Layer,” on page 132.


130 VMware, Inc.

Prerequisites

n Mirage does not capture application installations or configuration changes made for specific userprofiles for an app layer. Whenever applications such as Google Chrome give options to install or setshortcuts for either a specific user or globally for all users, always choose the all users option so thatthese installations and configurations are captured as part of the app layer.

n When you install applications, do not make any changes that are not wanted in the capture. Forexample:

n Avoid installing software updates or applications that you do not want to capture.

n Avoid launching other applications or Windows components that the installation process of theapplication you want to capture does not require.

n Avoid hardware changes, domain membership changes, and other configurations that are notrequired.

n Avoid GPO scripts running on the machine during the recording phase.

n To reduce conflicts between vendors, install applications of the same vendor in the same single-applayer.

n Whenever possible, install software that can be volume-licensed and does not require hardware-boundlicensing and activation. Delivering hardware-bound licensed applications through app layers usuallytriggers reactivation of the software on the endpoints.

Procedure

u Install all of the applications required to be captured for the app layer on the reference machine.

This process includes applying application updates and patches to the installed applications, andcustomizing global settings and configurations.

The CVD remains in a Recording mode until processing is started, which signals that applicationinstallations were completed.

If the reference machine is restarted for any reason, the console reminds you that recording is still inprogress and that you should complete application installation.

What to do next

After all the required applications are installed, run each application one time to ensure that the applicationswere installed correctly. After you run the applications, you can perform a post scan and create a layer. See “Create Layers Post Scan,” on page 131.

Create Layers Post ScanAfter the scan, you create an image of the reference machine, after the required applications are installed.The process then detects all changes following the installation and starts the final capture.

Prerequisites

All application, update, and configuration changes must be successfully finished, including machine restartsthat the application installer requires.

Procedure

1 In a Reference CVD view, select the reference CVD where you installed the applications to be captured.

2 Right-click the reference CVD and select Finalize App Layer Capture.

In the Web Management, Finalize App Layer Capture is available on the CVD Inventory toolbar.

3 Verify the list of applications to be captured and click Next.


VMware, Inc. 131

4 (Optional) Select the Show Updates checkbox to display hot fixes for Windows that were installed inthe recording phase.

5 Select the type of capture and click Next.

Option Action

Create a new layer Specify the new app layer details.

Update an existing layer Select the app layer to update. Selected by default if the installedapplication upgrade codes indicate the new app layer is an update of anexisting App Layer. You can change the selection.

6 Follow the prompts to remove validation warnings or errors and click Next.

7 If Microsoft Office 2010 or Microsoft Office 2013 is installed, define your Microsoft Office license keysand click Next.

8 Click Next again and click Finish to start the capture conclusion processing.

The Mirage client indicates the progress of the post-scan.

The Task list shows that the task is completed. The new app layer appears in the App Layers list.

What to do next

You can now apply the capture to endpoints. See Chapter 19, “Assigning App Layers,” on page 145.

What You Can Capture in an App LayerYou can capture a wide range of entities as part of an app layer.

Supported EntitiesAn app layer can contain the following entities:

n A single application or a set of applications

n Any updates or patches related to the installed applications

n Global application configurations and settings

n Any custom set of files and registry entries

For example, an app layer can contain Adobe Reader, Microsoft Visio 2010 or the entire Microsoft Office2010 suite. An app layer can also be used to capture OEM software, such as the Dell software suite,including drivers and utilities.

Note When an update, patch, or service pack becomes available for an application in the app layer, youmust capture a new complete app layer with the original application and the update installed in theapplication software.

Mirage can additionally contain the following elements:

n Windows services

n Kernel drivers

n Shell integration components or shell extensions

n Browser plug-ins

n COM objects

n Global .NET assemblies


132 VMware, Inc.

n OS language packs

Unsupported EntitiesThe following components are not supported for delivery as part of Mirage app layers:

n User accounts and groups, both local and domain users, and user-specific changes

n OS components or OS-bundled applications, for example, the .NET framework, Windows updates,Internet Explorer, and Windows Media Player

n Windows license

n Applications that are already part of the base layer

Note You can deliver OS components or OS-bundled applications and the Windows license as part of abase layer instead.

Partially Supported EntitiesThe following applications are partially supported for delivery as app layers:

n Disk encryption software

n Applications that make changes to the Master Boot Record or to disk blocks

n Kaspersky Internet Security

n Microsoft SQL Server

Recommended for Base Layer OnlyInstall the following applications in the base layer and not in app layers:

n Windows security applications, for example anti-virus, anti-malware, and firewalls

n VPN or other connectivity software, such as iPass

n Windows components and frameworks, for example .NET, Java

n Global Windows configuration and settings changes

n Applications that add a network provider, such as Citrix Receiver

Capturing OEM App LayersYou must follow certain guidelines when you capture hardware-specific software.

Follow these guidelines to successfully capture hardware-specific software, such as Dell or HP applicationand driver suite.

n Some vendors provide a single OEM application suite that is compatible with many or most of theirhardware models. Use this suite for the OEM layer capture.

n If the vendor only provides an OEM suite that is relevant for a specific hardware model or model line,install the OEM software on the hardware model for which it is intended or on a compatible model.

n Mirage provides the following ways to deliver OEM device drivers to target endpoints.

n Through the driver library. For more information about how to deliver device drivers to specifichardware models in a rule-based manner, see Chapter 10, “Managing the Driver Library,” onpage 83.


VMware, Inc. 133

n Through base or app layers. In this method, you either install or place all relevant device driverpackages in the reference machine, in a path that is also defined in the Windows DevicePathregistry value. You can also install the corresponding OEM applications in the same referencemachine. You then capture a base or app layer from the reference machine. You can use this layer todeploy OEM applications and drivers to any endpoint of the matching hardware models.

Capture Multiple Layers on a Virtual MachineWhen you need to capture multiple app layers, it is useful to use a single virtual machine.

Procedure

1 Create a standard reference machine on a virtual machine, install the Mirage client, and centralize thedevice to a reference CVD.

2 In the Management console, use the Start App Layer Capture option to take a snapshot of the clean pre-install state.

3 Install the applications.

4 In the Management console, use the Finalize App Layer Capture option to complete the creation of theapp layer.

5 Wait until the app layer appears in the App Layers view of the Management console.

6 Revert the virtual machine to the Clean State snapshot.

7 Wait for the device status to become Pending Assignment.

8 Repeat Step 3 to Step 7 to capture the next app layer.

Create a Post-App Layer Deployment ScriptIn rare cases, you might need the client to run a custom script after the app layer is deployed, for example, toapply a specific application license after it is installed through an app layer. This script is captured as part ofthe app layer.

Procedure

1 Start the App Layer Capture wizard to complete a prescan of the reference machine.

2 Install the application you want to capture.

3 Give your script a unique name with this pattern: post_layer_update_*.bat

For example: post_layer_update_myappv2_license.bat

4 Copy the script to %programdata%\Wanova\Mirage Service.

This path usually translates to:

c:\ProgramData\Wanova\Mirage Service (Windows 7)

c:\Documents and Settings\All Users\Application Data\Wanova\Mirage Service (Windows XP)

5 Run the Finalize App Layer Capture wizard to complete the postscan and the creation of the app layer.

6 After the app layer is deployed to an endpoint, Mirage starts your script.


134 VMware, Inc.

Assigning Base Layers 18After a base layer capture is completed, the revised base layer is distributed and stored at each endpointdesktop, and then assigned at each endpoint .

Assigning a base layer to an endpoint, or collection of endpoints, applies the contents of the base layer to thedesignated endpoints. Any applications, updates, or patches built in the base layer also reside on theendpoint device. See Assign a Base Layer to CVDs.

Processes similar to assigning a base layer are employed to assign applications associated with app layers toendpoints. See Assign an App Layer to CVDs.

For more information about the base layer deployment process, see Layer Management Life Cycle.

For more information, see the VMware Mirage Administrator's Guide.


n “Detect Potential Effects of the Layer Change,” on page 135

n “Testing the Base Layer Before Distributing it to Endpoints,” on page 138

n “Assign a Base Layer to CVDs,” on page 139

n “Assign a Previous Layer Version,” on page 141

n “Monitor Layer Assignments,” on page 141

n “Correct Software Conflicts By Using a Transitional Base Layer,” on page 142

n “Fix Broken Layers on Endpoints (Enforce Layers),” on page 142

n “Provisioning a Layer for an Endpoint,” on page 143

n “Maintain Corporate Image Compliance,” on page 143

Detect Potential Effects of the Layer ChangeBefore you apply a new base layer or replacing app layers, or both, for a CVD or collection of CVDs, you canrun a report that describes the potential effects of the layer changes on the CVDs. This report can help youplan the layer update process and resolve in advance conflicts that might result from mismatches in layercontents on the selected CVDs.

The Comparison report is generated in HTML format and opened in your default Web browser. You can useMicrosoft Excel to view the report and filter data. See “Comparison Report Format,” on page 137.

VMware, Inc. 135

Procedure

1 Select at least one base layer to use in the analysis and click Next.

Option Description

No change to the target base layer Analyzes only app layer changes.

Select Base Layer from list a Select to apply a new base layer to all the selected CVDs.b Select the required base layer.If the selected CVDs have different base layers, this option standardizesthe base layer over all the CVDs.

2 Select at least one app layers to use in the analysis.

Option Description

Available Layers panel Lists the available app layers that are not currently used by any of theselected CVDs. When Show only latest layers is selected, older versions ofany software are suppressed from the view.

Assigned layers panel Lists the app layers currently used by some or all the selected CVDs. Blacklines denote app layers used by all the CVDs, gray lines denote app layersused by only some of the CVDs.

3 Select what to analyze.

Option Description

Analyze only a base layer changewithout app layer changes:

Click Finish without making any changes in this page.

Add app layers to all the selectedCVDs:

Select lines in the Available Layers panel and click the right arrow.

Remove app layers from all theselected CVDs where they are used:


4 Click Finish.

The HTML report is generated and opened in your default Web browser.

What to do next

Review the listed changes and adjust the reference machine to avoid unintended consequences. In the caseof downgrades, consider upgrading the relevant software to avoid software being downgraded onendpoints or CVDs excluded from the assignment.

Compare Base Layers to Each OtherYou can produce a comparison report that compares one or more base layers with another base layer.

The comparison report describes the differences between the contents of one or more base layers and aselected base layer. This report uses the same format as in “Detect Potential Effects of the Layer Change,” onpage 135, but in terms of base layers instead of CVDs.

Procedure

1 Select one or more base layers in the base layers view, right-click, and select Compare Programs withLayer.


136 VMware, Inc.

2 Select at least one base layer to use in the analysis and click Next.

Option Description

No change to the target base layer Analyzes only app layer changes.

Select Base Layer from list a Select to apply a new base layer to all the selected CVDs.b Select the required base layer.If the selected CVDs have different base layers, this option standardizesthe base layer over all the CVDs.

3 Select at least one app layers to use in the analysis.

Option Description

Available Layers panel Lists the available app layers that are not currently used by any of theselected CVDs. When Show only latest layers is selected, older versions ofany software are suppressed from the view.

Assigned layers panel Lists the app layers currently used by some or all the selected CVDs. Blacklines denote app layers used by all the CVDs, gray lines denote app layersused by only some of the CVDs.

4 Select what to analyze.

Option Description

Analyze only a base layer changewithout app layer changes:

Click Finish without making any changes in this page.

Add app layers to all the selectedCVDs:


Remove app layers from all theselected CVDs where they are used:


5 Click Finish.

The HTML report is generated and opened in your default Web browser.

What to do next

Review the listed changes and adjust the reference machine to avoid unintended consequences. In the caseof downgrades, consider upgrading the relevant software to avoid software being downgraded onendpoints or CVDs excluded from the assignment.

Comparison Report FormatThe Comparison report summarizes the changes in the programs installed on the selected endpointsresulting from planned changes in their assigned layers.

You run the Comparison report for a selection of CVDs, pending devices, or a collection, as described in “Detect Potential Effects of the Layer Change,” on page 135,

The report lists the layering operations to be performed and simulates the resulting user program listchanges. The layering operations can include the following operations, in any combination:

n Base layer change or assignment

n Single or multiple app layer assignments or removals

n Enforcement or reinstallation of the current layers

n Enforcement with removal of user installed applications

Chapter 18 Assigning Base Layers

VMware, Inc. 137

This report is one of several Layer Dry-Run reports available from the Management Console Reportsfeature. See “Layer Dry Run Reports,” on page 198.

The report includes general information, user-installed application conflicts, and managed applicationchanges sections.

General InformationTable 18‑1. General Information Section Parameters


Generated By Username of the administrator who generated the report.

New Base Layer Base layer requested to be assigned, if any.

Added App Layers App layers requested to be assigned, if any.

Removed App Layers App layers requested to be removed, if any.

Enforced Indicates whether the administrator asked to enforce the content of the layers.

User Installed Application ConflictsUser-installed application conflicts generate tables that summarize any conflict that the layer operationwould involve, such as upgrade or downgrade, on programs installed or changed by users. Tables varyaccording to scope of changes. These conflicts cannot be anticipated from previous layering operations.

Table 18‑2. User Installed Application Conflicts Tables

Table Description

Installed Programs to be installed. Applies to Managed Application Changes section only.

Removed Programs to be removed.

Downgraded Programs to be downgraded.

Upgraded Programs to be installed or upgraded to a new version.

Managed Application ChangesManaged application changes tables summarize the changes resulting from the layer operation on programsmanaged with Mirage layers. Tables vary according to scope of changes.

Table 18‑3. Managed Application Changes Tables

Table Description

Installed Programs to be installed. Applies to Managed Application Changes section only.

Removed Programs to be removed.

Downgraded Programs to be downgraded.

Upgraded Programs to be installed or upgraded to a new version.

Testing the Base Layer Before Distributing it to EndpointsBecause base layer updates include operating system and other critical component updates, test a new baselayer before distributing it to endpoints.

After you capture a base layer, select a sample group of endpoints and distribute the base layer to them toverify that no problems exist.


138 VMware, Inc.

If the base layer is used with multiple hardware platforms, test one sample per platform. Also do a testdistribution of a base layer to a typical user machine with user-installed applications to verify that theoverall update results are satisfactory before you distribute to multiple endpoints.

The Base Layer Rules policy is used during first-time deployment to identify the parts of the endpoint thatthe base layer manages, and the parts to be left unmanaged at the endpoint. In an initial distribution, noprevious base layer exists to compare against, so Mirage does not remove existing software from theendpoints before applying the base layer.

Assign a Base Layer to CVDsAfter a base layer is updated at the server and tested on at least one CVD, you can assign it to individual ormultiple CVDs.

If collections are defined, you can assign the new base layer to all the CVDs in a collection in one step. See “Working with CVD Collections,” on page 23.

The download to the endpoint transfers only new files and incremental changes to existing files of the targetendpoint.

When a file exists in a base layer, it overwrites the corresponding file in the target endpoint, unless one ofthe following conditions apply:

n The file is defined in the Do Not Download rules in the Layer Rules.

n The file is defined in the Unprotected Area in the CVD Policy Details.

When software or system registry keys and values exist in the base layer, they overwrite the correspondingregistry keys in the target endpoint, unless the registry entry is defined in the Registry Keys To Exclude inthe System Hive or Software Hive tabs in the Layer Rules.

User profiles, for example c:\users\john, and any corresponding user registry hives are not overwritten bythe base layer update operation.

The process swaps the old base layer with the new one, assigning the base layer to the endpoint andinstantiating the endpoint. The changes in an endpoint are propagated back to the endpoint CVD on theserver.

Before a new or updated base layer is applied, the Mirage server takes a CVD snapshot so that it can rollback in case of post-update problems.

Before and during base layer download, Mirage verifies that enough disk space is available to proceed withthe operation.

The same interfaces are used to apply or modify a base layer for multiple CVDs, or a collection.

You can upgrade an existing base layer or app layers to all CVDs that are already assigned with previousversions of those layers. See “Assign a Previous Layer Version,” on page 141.

During the assignment process, certain system aspects are validated.

Table 18‑4. Assignment Validations

System Aspect Validation Description

Operating System The system checks that the CVD and the new base layer have the same OS and type(32- or 64-bit). If they are different, the system blocks those CVDs from receivingthe base layer.

Computer Type The system checks that the CVDs and the base layer share the same computer type(for example, laptop versus desktop). A warning appears if they are different. If thebase layer was prepared to support both desktops and laptops, you can approveand continue.


VMware, Inc. 139

Table 18‑4. Assignment Validations (Continued)

System Aspect Validation Description

Vendor and Model Name The system checks that the base layer and the CVDs are from the same computervendor. A warning appears if they are different. If the base layer was prepared tosupport the different vendor types, you can approve and continue.

Drive Letters The system checks that the CVDs include the required drive letter in the base layer.If the CVDs do not have the appropriate drive letters, the system blocks these CVDsfrom receiving the base layer.

Prerequisites

Assign a base layer to a CVD only after endpoint centralization is completed for that CVD and its content isprotected in the server. You can revert to the previous CVD state.

Procedure

1 In the Mirage Management console tree, select Common Wizards > Assign Base Layer

2 Select individual or multiple CVDs, or a collection of CVDs to update, click Select and click Next whenyou are finished.

The selected CVD details appear in the bottom pane.

3 Select the base layer with which you want to update the CVDs and click Next.

The details of a base layer appear in the bottom pane.

4 Correct mismatches between the base layer and the selected CVDs if needed.

Ignore any warnings that are not applicable. The following system aspects are validated.

5 Click Finish.

An update task is created. The client periodically checks the server for updates to download as part ofits regular processing.

The administrator procedure is finished.

When the client next connects, download and swap operations take place, which ask the user to restart.Allow some time for the changes to download.

Cancel a Base Layer Assignment in ProgressYou can discontinue a base layer assignment that is not yet finished.

Procedure

1 In the Mirage Management console tree, expand the Inventory node and select All CVDs orCollections.

2 Right-click the CVD or collection for which you want to cancel the base layer update.

3 Select Layers > Cancel Pending Layers.

Monitor the Layer Assignment ProgressAfter a layer is assigned to a number of CVDs, you can monitor the update process.

The layer deployment view displays the current status of the layer deployment progress.


140 VMware, Inc.

Table 18‑5. Assignment Progress States

Progress State Description

Pending The layer was assigned to the CVD, but has not begun downloading to the endpoint.

Throttled The endpoint tried to download the layer from the Mirage server and was rejected becauseof server resource throttling.

Downloading The endpoint is downloading the layer.

Committing The layer was downloaded and installed successfully by the endpoint and the client is nowupdating the CVD with the new content.

Blocked The layer was blocked, and was not downloaded to the endpoint.

Canceled The layer download process was canceled by the administrator.

Rejected The layer was downloaded to the endpoint and failed the validation check on the endpoint.

Done The layer update operation was completed.

Procedure

1 In the Mirage Management console, select the Task Monitoring node.

2 Right-click the specific layer task, and select View assignments.

The specific layer update or assignment view appears.

Assign a Previous Layer VersionYou can upgrade an existing base layer or app layers in all CVDs to which previous versions of those layersare already assigned. Programs in a CVD that are at the same version as in the layer are not reinstalled andnot enforced.

The operation status is Update Layer, similar to a regular Update Layers operation.

Procedure

1 In the Mirage Management console tree, expand the Image Composer node and select Base Layers orApp Layers.

2 Select the base layer or app layers with which you want to update all CVDs with previous versions ofthose layers.

3 Right-click and select Update CVDs to this layer version.

Monitor Layer AssignmentsYou can view and monitor which endpoints have certain layers assigned to them.

You can monitor layer assignment progress through the Layer Assignments window. The Task Monitoringwindow shows the overall status and the task progress.

Procedure

u From the Mirage Management console, select a monitoring method.

Option Action

To monitor all of your current layerassignments

Expand the Image Composer node and select Layer Assignments.

To monitor the progress of a layerprovisioning download to a specificdevice

Expand the Image Composer node, select Layer Assignments, right-click aCVD, and select Layers > View assignments.


VMware, Inc. 141

Option Action

To monitor the progress or status ofa specific layer

Expand the Image Composer node, select Base layer or App Layer, right-click a layer, and select View assignments.

To monitor the progress of a layerassignment task

For example, you sent a layer to 100 CVDs. From the Mirage Managementconsole tree root, select Task Monitoring, right-click the task and selectView assignments.

Correct Software Conflicts By Using a Transitional Base LayerBefore you apply a base layer, verify that software to be deployed by the base layer does not conflict withlocally installed software, for example, an antivirus product on the base layer and on an endpoint aredifferent.

You can perform an ad-hoc cleanup using a transitional base layer to remove conflicting software.

Procedure

1 Use the problematic endpoint as a reference machine to capture a temporary transitional base layerwith the conflicting software.

2 Apply the transitional base layer to the endpoint and any similar endpoints.

3 Replace the temporary base layer by applying the base layer of choice, which replaces the conflictingsoftware.

The initial rollout flow with a transitional base layer includes the following aspects:

1 Any application that is included in the transition base layer becomes a managed application when thetransition base layer is assigned.

2 Managed applications undergo an update or removal process upon subsequent base layer updateoperations.

3 New base layers are constructed and endpoints are updated with the new base layer.

Fix Broken Layers on Endpoints (Enforce Layers)Users and applications might make changes to files and registry settings that were provisioned through abase layer or app layer. Sometimes these changes create problems with the desktop operation. In most cases,you can resolve the problem by enforcing the layer originally assigned to the CVD.

The Mirage client downloads only the relevant files and registry settings required to realign the CVD withthe original layer. User profiles, documents, and installed applications that do not conflict with the layercontent are preserved.

Enforcing all layers can also be set to remove user-installed applications residing in the machine area of theCVD. This ability is useful, for example, for fixing a problematic CVD in which all layer applications do notfunction because of overwritten or corrupted system files. Removing user applications deletes machine areafiles and registry keys that are not in the current base layer, with the exception of files defined in the UserArea policy.

Procedure


2 Right-click the relevant CVD and select Enforce All Layers.


142 VMware, Inc.

3 Select an enforce option.

Option Description

Preserve user applications Keeps the user-installed applications on the CVD.

Remove user applications Deletes user-installed applications from the CVD.

4 Click OK.

Provisioning a Layer for an EndpointWhen Mirage is already implemented, you can prepare new devices to be part of the organization usinglayer provisioning.

The layer provisioning process first cleans up the device files and applies an existing base layer and applayers, if you selected app layers, as a common template. The device is then freshly imaged, and assigned toand synchronized with a newly created CVD.

After the Mirage client is installed on the new device, the Pending Devices panel shows the device aspending assignment.

The user can use the desktop as usual, performing offline work and network transitions, after thecentralization processing associated with the provisioning operation starts. The Mirage client monitors useractivities and adjusts its operation to optimize the user experience and performance.

After the server synchronization is completed, the transaction log shows a successful provisioning entry. Thedesktop is protected and you can centrally manage the desktop at the data center.

You can use the post_provisioning.bat custom post-base layer script to perform certain actions after layerprovisioning.

Maintain Corporate Image ComplianceMirage can assist in maintaining endpoint compliance with the corporate base and app layers. Miragecalculates the compliance of each CVD that has one or more assigned base or app layers. By default, CVDcompliance score changes when end-users uninstall managed applications that were delivered via base orapp layers.

CVD Compliance percentage is calculated by dividing the number of installed managed applications withthe number of applications that were delivered via Mirage layers.

For example, a CVD assigned with a base layer containing ten line of business apps, while the end userremoved two of these apps, show compliance score of 80% (because eight out of ten apps are currentlyinstalled on the endpoint).

When apps are delivered to endpoints via base and app layers, the compliance score is calculated based onthe combined number of apps in the base and app layer.

In addition to compliance score per CVD, Mirage shows the compliance score for given base or app layers.The compliance percentage of given layer is calculated based on average compliance score of all CVDsassigned to that layer.

For example, a deployment with ten CVDs, all of them assigned with base layer containing ten line ofbusiness apps. When an end user removed two of these apps, the compliance score for that base layer dropsto 98% (average of one CVD with 80% and nine CVDs with 100% compliance).

Mirage can be set to include unmanaged, user installed apps for compliance calculation. For moreinformation on how to enable user installed apps compliance, see Chapter 37, “Calculate CVD ComplianceScore For User Installed Apps,” on page 237.


VMware, Inc. 143


144 VMware, Inc.

Assigning App Layers 19After an app layer capture is completed, you can distribute and assign the revised app layer to eachendpoint desktop.

When you assign app layers to an endpoint, their contents are applied to the endpoint, so that all thechanges or modifications to the applications reside on the endpoint devices. See Assign an App Layer toCVDs.

For more information about app layers, see Base Layers and App Layers.

For more information about the layer deployment process, see Layer Management Life Cycle.

For more information, see the VMware Mirage Administrator's Guide.


n “Detect Potential Effects of the App Layer Change,” on page 145

n “Testing App Layers Before Distributing it to Endpoints,” on page 145

n “Assign an App Layer to CVDs,” on page 146

n “Monitor App Layer Assignments,” on page 147

Detect Potential Effects of the App Layer ChangeBefore applying a new base layer or app layers, or both, to a CVD or collection of CVDs, you can view thepotential effects of the base layer or app layer changes on the CVD contents.

The Comparison report can help you plan the layer update process and resolve in advance conflicts thatmight result from mismatches in the layer contents on the selected CVDs.

For more information, see “Detect Potential Effects of the Layer Change,” on page 135 and “ComparisonReport Format,” on page 137.

Testing App Layers Before Distributing it to EndpointsIt is good practice to verify that an app layer was captured properly and all intended settings are in placebefore you distribute an app layer widely.

Before distributing to multiple endpoints, test-distribute an app layer to some sample user machines withuser-installed applications to verify that the overall update results are satisfactory.

VMware, Inc. 145

Assign an App Layer to CVDsAfter an app layer is updated at the server and tested on at least one CVD, you can assign it to individual ormultiple CVDs.

If Collections are defined, you can assign the new app layer to all the CVDs in a collection in one step. See “Working with CVD Collections,” on page 23.

The assignment process swaps the old app layer with the new one, thereby assigning the app layer to theendpoint and instantiating the applications to the endpoint. The changes in the endpoint are propagatedback to the endpoint’s CVD on the server.

The download to the endpoint transfers only new files and incremental changes to existing files of the targetendpoint.

Before a new or updated app layer is applied, the Mirage server takes a CVD snapshot so that it can rollback if any post-update problem arises.

Before and during app layer download, the system verifies that enough disk space is available to proceedwith the operation.

The same interfaces are used to apply or modify app layers for multiple CVDs, or a collection.

You can upgrade an existing base layer or app layers to all CVDs that are already assigned with previousversions of those layers. See “Assign a Previous Layer Version,” on page 141.

Prerequisites

Verify that endpoint centralization is completed for that CVD and its content is protected in the server. Youcan revert to the previous CVD state.

Verify that the software to be deployed by the app layer does not conflict with locally installed applications.See “Correct Software Conflicts By Using a Transitional Base Layer,” on page 142.

App layer assignment requires a base layer to be present on the endpoints.

Procedure

1 In the Mirage Management console, select Common Wizards > Update App Layer.

2 Select individual or multiple CVDs, or a collection of CVDs that you want to update, and click Select.When you finish selecting CVDs or a CVD collection, click Next.

3 Select the app layers with which you want to update the CVDs.

The app layer details appear in the bottom pane.

You select a layer in the Available Layers pane and click the right arrow to move it to the AssignedLayers pane. To remove a layer, select it in the Assigned Layers pane and click the left arrow.

Layers shown in gray indicate that they are already assigned to some CVDs.


146 VMware, Inc.

4 Correct mismatches between the app layer and the selected CVDs if needed. The following systemaspects are validated. Ignore any warnings that are not applicable.

Table 19‑1. System Aspect Validations

System Aspect Validation

Operating System The system verifies that the CVD and the new app layer have the same OS and type(32- or 64-bit). If they are different, the system blocks those CVDs from receiving theapp layer.

Drive Letters The system verifies that the CVDs include the required drive letter in the app layer. Ifthe CVDs do not have the appropriate drive letters, the system blocks these CVDsfrom receiving the app layer.

5 Click Finish.

An update task is created. The Mirage client periodically checks the server for updates to download aspart of its regular processing.

This completes the administrator procedure.

When the client next connects, download and swap operations take place, which ask the user to restart.Allow some time for the changes to download.

Cancel an App Layer Assignment in ProgressYou can discontinue an app layer update that is not yet completed.

Procedure

1 In the Mirage Management console tree, expand the Inventory node and select All CVDs orCollections.

2 Right-click the CVD or collection for which you want to cancel the app layer update.

3 Select Layers > Cancel Pending Layers.

Monitoring the App Layer Assignment ProgressAfter an app layer has been assigned to a number of CVDs, you can monitor the update process through theApp Layer Deployment view.

The same method applies as for base layer assignment monitoring. See “Monitor the Layer AssignmentProgress,” on page 140.

Monitor App Layer AssignmentsYou can see which endpoints have certain layers assigned to them. There are several ways to review andmonitor currently running assignments.

The same methods apply as for base layer monitoring. See “Monitor Layer Assignments,” on page 141.

Chapter 19 Assigning App Layers

VMware, Inc. 147


148 VMware, Inc.

Create a WinPE Image for Mirage 20You can use a WinPE image to provision a device that does not have an operating system installed.

Mirage supports running only the WinPE creation script in the English (United States) region. You can stopthe WinPE creation script at any point by pressing CTRL+C. The next time you run the WinPE creationprocess, the previous operation leftovers are cleared.

If you change the output directory of the WinPE image to a path in the network, the script fails to run.

Create a new WinPE image for each new version of Mirage. You do not have to recapture the base layersand app layers.

Prerequisites

n Install the Windows Assessment and Deployment Kit (ADK) for Windows 10 to the default location.Windows ADK is supported only on Windows Vista and later. While the ADK for Windows 8.1 issupported, you must install the latest Win10 ADK.

n Select the Windows Preinstall Environment option when you install the Windows ADK.

n Verify that you have administrator privileges.

Procedure

1 Double-click the file for your environment to extract the WinPE creation environment.

Option Description

64-bit Mirage.WinPE.x64.buildnumber.zip

32-bit Mirage.WinPE.x86.buildnumber.zip The WinPE version must match the capabilities of the processor. If the processor is 32-bit use a WinPE32-bit image. If the processor is 64-bit use a WinPE 32-bit or WinPE 64-bit image.

VMware, Inc. 149

2 Edit the BuildMirageWinPE.cmd file.

a Right-click the BuildMirageWinPE.cmd file and select an editing program.

b Configure the connection to the Mirage server.

Option Description

Mirage server address Address of the Mirage server.

Mirage server port Port of the Mirage server.

Use SSL to connect to the Mirageserver

Must be TRUE or FALSE.

Directory to which the WinPEcreation binaries are compiled

Directory to which the WinPE creation binary files are saved.

Mirage log level when running inthe WinPE environment

Can be DEBUG, TRACE, INFO, WARN, or VERBOSE.

Do not use a space before and after the equals sign, for example, SERVER_PORT=12345.

3 Add the drivers for the WinPE image to the Drivers directory.

4 Add the certificates for the WinPE image to the Certificates directory.

Mirage supports .cer, .crt, and .pfx certificate formats.

a Export the corporate CA server certificate in .cer format and copy it to the certificates directory toenable secure communication between the Mirage WinPE client and the Mirage server.

5 Add optional scripts or customized applications that you want to run on WinPE startup to the scriptsfolder.

6 Access the command prompt as an administrator and run the BuildMirageWinPE.cmd command fromthe extracted directory.

For example, if you extracted the file to your desktop,desktopdir\WinPeCreation.version\BuildMirageWinPe.cmd.

An .iso file for CDs, DVDs, or USB, and a .wim file for a PXE server are created. The location where thesefiles are stored appears at the end of the process.

What to do next

Load the .wim file to the PXE server or burn the .iso file to a CD, DVD, or USB. You can reuse the WinPEimage that you create.


150 VMware, Inc.

Installing the Windows DeploymentService 21

You can use the Windows Deployment Service (WDS) to deploy Windows operating systems over thenetwork.

You can install the WDS by using either the Windows server manager or Microsoft PowerShell.

If you want the PXE boot to work across VLANs in your organization, configure DHCP options. You accessthe DHCP options from the DHCP management console. After you configure the DHCP options, you canperform a PXE boot to the Mirage environment.

Table 21‑1. DHCP Options

Option Description

066 Boot Server Host Name Boot server host name and the IP address or FQDN of theserver on which you installed WDS.

067 Boot File Name Default value for the boot file name. Do not change thisvalue.


n “Install the Windows Deployment Service Using the Windows Server Manager.,” on page 151

n “Install the Windows Deployment Service by Using Microsoft PowerShell,” on page 152

Install the Windows Deployment Service Using the Windows ServerManager.

You install the Windows Deployment Service before adding boot files to the PXE server.

Procedure

n Access the Server Manager on the server that you are installing the Windows Deployment Service(WDS).

n Right-click Server Roles in the left panel, select Windows Deployment Service, and click Next.

n On the Role Services page verify that the Windows Server Deployment and Transport Server roles areselected and click Next.

The Windows Deployment Service is installed.

What to do next

Add the boot files to the PXE server.

VMware, Inc. 151

Install the Windows Deployment Service by Using MicrosoftPowerShell

You install the Windows Deployment Service before adding boot files to the PXE server.

Prerequisites

Ensure that you have administrator privileges for Microsoft PowerShell.

Procedure

u Run the ServerManagerCmd -install WDS cmdlet in Microsoft PowerShell.

The Windows Deployment Service is installed.

What to do next

Add the boot files to the PXE server.


152 VMware, Inc.

Add the WinPE Boot Images to theWindows Deployment Service Server 22

You add the WinPE boot images to provision a device with that image.

Install the Windows Deployment Service on the server that you are loading the boot images.

Procedure

1 Select Start > Administrative Tools > Windows Deployment Serviceson the machine that has theMirage server.

2 Expand the Servers node, right-click the Windows Deployment Services server, and select ConfigureServer.

3 Verify the system requirements and click Next.

4 Select the remote installation folder that contains the boot images and installation images.

Verify that the drive meets the space requirements.

5 On the PXE Server Initial Settings page select Respond to all client computers (known and unknown),and click Next.

6 On the Operation Complete page, clear the Add images to the server now check box and click Next.

7 On the Windows Deployment Services window right-click Boot Images and select Add Boot Image....

8 Select the appropriate .wim boot image and click Open.

9 Follow the prompts to install the boot image.

VMware, Inc. 153


154 VMware, Inc.

Provision a Device with Mirage byUsing a WinPE Image 23

You can use the WinPE image to provision a device that does not have a Mirage client installed or toprovision a device that does not have an operating system installed.

The image that you create with WinPE runs on memory, not on the hard disk.

On the WinPE image you can only perform provisioning procedures and generate sysreports.

Mirage supports provisioning into legacy systems and EFI systems. In some cases, such as when the disk isnot Windows ready, or when there is insufficient space on the existing volumes, Mirage might re-partitionthe disks. Re-partitioning creates a single partition for the whole disk that is selected by Mirage. Re-partitioning only succeeds on EFI machines if they are configured to boot in legacy mode.

Note If you do not have the option to select legacy boot on the endpoint, you can implement a PreMiragescript using diskpart to partition the disk.

VMware, Inc. 155

Figure 23‑1. Disk Partition Logic

Start Mirage WinPE

Boot Method?

Base layer is smaller than system drive?

Raw disk?

Base layer is smaller than

system drive? Disk0 layout is

GPT?

Base layer is smaller than

disk0?

Disk0 layout is GPT?

Unified Extensible Firmware Interface (UEFI)Legacy Boot mode (BIOS)

No

No

No

Yes

Yes

No

No

No

Yes

Yes Yes

Yes

Yes

Device disk too small for base layer. Replace disk

System drive will be format-ted

Disk0 will be repartitioned.

Change the boot mode to legacy boot

If WinPE reboots during a provisioning procedure, the device reconnects and is identified as a new pendingdevice. Previous provisioning orders on the device are not applied and you must restart the provisioningprocess.


156 VMware, Inc.

When the image boots, two command prompt windows appear. One command prompt window is fortroubleshooting. The other command prompt window runs Mirage in the WinPE environment.

Important WinPE stops running the shell and restarts after 72 hours of continuous use.

You can provision a device with Mirage by using a base layer with the following operating systems.

n POSReady 2009

n POSReady 7

n Windows 7

n Windows 8.1

n Windows 10

Procedure

1 Boot the device using the appropriate WinPE image.

n The .wim file.

n The .iso file.

2 When the Mirage status window appears, note the host name of the device.

A host name is generated during each reboot.

3 Provision the device using the WinPE image.

Option Action

Mirage Web management a Navigate to the Mirage Web console and click the Pending Devicestab.

b Select the device with the host name that you noted and clickProvision Endpoint.

Mirage Management console a Navigate to the Mirage Management console and select Inventory >Pending Devices.

b Right-click the WinPE device and select Device Provisioning. After you provision the device, the device boots with the provisioned operating system.

Chapter 23 Provision a Device with Mirage by Using a WinPE Image

VMware, Inc. 157


158 VMware, Inc.

Mirage Validations for Bare MetalProvisioning 24

Mirage runs validations for bare metal provisioning operations to determine if repartitioning is required forthe provisioned device. The validation that Mirage runs is determined by which operating system themachine had installed before the bare metal provisioning operation.

Machines with WindowsOS

Mirage locates the system drive and determines if sufficient space exists onthe drive for the selected base layer. If sufficient space exists, the drive isformatted. If the drive does not contain sufficient space for the specified baselayer, then Mirage displays a warning validation message that the disk willbe repartitioned to carry the selected base layer. If the hard drive does notcontain sufficient space, then Mirage displays a blocking validation forinsufficient disk space and the user is prompted to replace the disk.

Mirage checks the boot mode of the device. If the boot mode is UEFI and thesystem disk partition layout is MBR, Mirage displays a blocking validationmessage. Change the boot mode to legacy boot.

Machines with new HDDor non-Windows OSmachines that are beingprovisioned to runWindows.

Mirage determines if sufficient space exists on the disk to download theselected base layer, and displays a disk partitioning message validation. Ifthe hard drive does not contain sufficient space, then Mirage displays ablocking validation message for insufficient disk space and the user isprompted to replace the disk.

Mirage checks the boot mode of the device. If the boot mode is UEFI and thesystem disk partition layout is MBR, Mirage displays a blocking validationmessage. Change the boot mode to legacy boot.

Mirage checks for boot mode and disk partition layout mismatches. Mirage displays a blocking validation ifthe boot modes of the machines do not support its boot disk partitioning layout.n MBR on UEFI boot mode

n GPT on legacy boot mode

VMware, Inc. 159


160 VMware, Inc.

Provisioning a Device by Using theSelf-Service Provisioning Tool 25

Users with the Image Manager role or Administrator role can provision new laptops and desktops directlyfrom the device using the self-service provisioning interface.

1 Create a Mirage Layer Group Configuration File on page 161You use layer groups to centrally manage layers that are used in self-service provisioning procedures.Layer groups are useful for rapid provisioning of devices for different groups with differentapplication needs. You create Mirage layer groups in a CSV file.

2 Import Mirage Layer Groups on page 162After you create layer groups that have base layers and app layers, you import the layer groups to theMirage system by using a server tool. You assign the layer group to a WinPE machine during a self-service provisioning procedure.

3 Export Mirage Layer Groups on page 162You export a layer group file to edit the file. After you edit the layer group file, you import it to theMirage system.

4 Provision a Device by Using the Self-Service Provisioning Tool on page 162You provision new laptops and desktops directly from the device using the self-service provisioninginterface.

Create a Mirage Layer Group Configuration FileYou use layer groups to centrally manage layers that are used in self-service provisioning procedures. Layergroups are useful for rapid provisioning of devices for different groups with different application needs.You create Mirage layer groups in a CSV file.

Procedure

1 Generate the layergroup_template.csv file using the - export method to create a blank templateWanova.Server.Tools.exe ExportLayerGroup ManagementServerAddress CsvFilePath.

Example: Wanova.Server.Tools.exe ExportLayerGroup MiragemgmtServer.domain.localc:\temp\ExportedLayerGroup.csv

2 Edit the layergroup_template.csv file with the necessary values. Include the layer version inparentheses after the base and app layer names.

Layer Group Name,Description,BaseLayer,AppLayers,

G1,description1,BaseLayer 10X64(1.0),App A Win10x64(1.0),App B Win10x64(2.1)

G2,description2,BaseLayer Win8.1X64(1.0),App C Win8.1x64(1.4),App B Win8.1x64(1.0)

3 Save the CSV file.

VMware, Inc. 161

Import Mirage Layer GroupsAfter you create layer groups that have base layers and app layers, you import the layer groups to theMirage system by using a server tool. You assign the layer group to a WinPE machine during a self-serviceprovisioning procedure.

Prerequisites

n Verify that you created layer groups in a CSV file.

n Verify that you have administrator privileges.

Procedure

1 Access the command prompt.

2 Run the Wanova.Server.Tools.exe ImportLayerGroup ManagementServerAddress CsvFilePath command.

ManagementServerAddress is the IP address or host address of the Mirage Management server.CsvFilePath is the file path of the layer group file you created.

The layer groups are available to use in a self-service provisioning procedure.

Export Mirage Layer GroupsYou export a layer group file to edit the file. After you edit the layer group file, you import it to the Miragesystem.

Prerequisites

Verify that you have administrator privileges.

Procedure

1 Access the command prompt.

2 Run the Wanova.Server.Tools.exe ExportLayerGroup ManagementServerAddress CsvFilePathcommand.

ManagementServerAddress is the IP address or host address of the Mirage Management server.CsvFilePath is the file path where you export the layer group file.

Provision a Device by Using the Self-Service Provisioning ToolYou provision new laptops and desktops directly from the device using the self-service provisioninginterface.

Prerequisites

n Verify that you have Image Manager role or Administrator role permissions.


162 VMware, Inc.

Procedure

1 Copy the root certificate authority (CA) .

a Double-click the file for your environment to extract the WinPE creation environment.

Option Description

64-bit Mirage.WinPE.x64.buildnumber.zip

32-bit Mirage.WinPE.x86.buildnumber.zip The WinPE version must match the capabilities of the processor. If the processor is 32-bit use aWinPE 32-bit image. If the processor is 64-bit use a WinPE 32-bit or WinPE 64-bit image.

b Copy the root CA from the VMware Mirage Management Web Site to theMirage.WinPE.version.buildnumber\Certificates\Browser folder.

version is the WinPE version that you selected.

2 Edit the parameters in the BuildMirageWinPE.cmd file.

3 Access a command prompt and run the BuildMirageWinPE.cmd command to build the WinPE image.

The WinPE machine starts, and when the status of the Mirage client changes to Pending Assignment,the self-service tool starts.

4 Set default values for the Join Domain Name .

a Access the IIS manager, expand Sites > VMware Mirage Management Web Siteand select ssp >Application Settings .

b Double-click DefaultJoinDomainName and enter a value for the DefaultJoinDomainNameparameter in the text box.

5 Set default values for the Join Domain OU .

a Access the IIS manager, expand Sites > VMware Mirage Management Web Siteand select ssp >Application Settings .

b Double-click DefaultJoinDomainOU and enter a value for the DefaultJoinDomainOU parameter inthe text box.

6 (Optional) Configure the self-service provisioning tool to enable the Skip Steps feature.

a Access the IIS manager, expand Sites > VMware Mirage Management Web Siteand select ssp >Application Settings.

b Double-click SspSkipSteps and type Volume;Policy in the Value text box. When you enable theSkip Steps feature, the self-service provisioning wizard skips the steps to select a volume and apolicy. To disable the Skip Steps feature, clear the Value text box.

7 (Optional) Configure the self-service provisioning tool to enable the Remember Last Value feature.

a Access the IIS manager, expand Sites > VMware Mirage Management Web Siteand select ssp >Application Settings.

b Right-click RememberLastValues and type SelfProvision in the Value text box.When you enable the Remember Last Values feature, the

Mirage

self-service provisioning tool remembers the values that you entered and applies them as the defaultvalues when you perform the self-service provisioning procedure. To disable this feature, clear theValue text box.

Chapter 25 Provisioning a Device by Using the Self-Service Provisioning Tool

VMware, Inc. 163

8 Set a default policy and domain account.

a Access the Mirage Web management with the Image Manager role or the Administrator role.

Mirage

Users with the Administrator role can set the default policy and domain account. Users with theImage Manager role can set the default policy.

b Click the gear icon and select CVDs in the left panel.

c Click Change and select a default policy.

d Click OK to exit the Update Policy window.

e Click Domain Account in the left panel and enter the log-in credentials in the text box.

9 Start the WinPE machine and when the Self-Service Provisioning console appears, enter log-incredentials for the Image Manager role or Administrator role.

10 Follow the steps to complete the self-service provisioning procedure.


164 VMware, Inc.

CVD File Compliance Tool 26The CVD file compliance tool monitors file changes on endpoints to detect abnormal file activity, ensuringimage compliance.

Use the tool to detect any abnormal activity and changes on machines that are usually static, track anysecurity breaches, and prevent data leakage or unexpected behavior.

The tool consists of two modes:

n Create reference manifest mode: The tool copies the last manifest that was loaded to a special path onthe storage. It does not use a policy file in this mode and includes all manifest entries.

n Check compliance mode: You specify a policy file that includes extensions to track and exclude foldersyou do not want to track. The tool applies the policy file on both the reference manifest and the latestmanifest, then checks for modifications, and reports the changes.

Each file in the end point has a signature (data checksum) that is stored in the manifest, which is a list of allfiles that are backed up to storage. Use the path and checksum data in the manifest to identify when a filewas moved or modified from its original location. Mirage stores the last manifest in a specific file in thestorage.

Create the Reference ManifestBefore running the tool, verify the endpoint completed an upload operation to the server.

The frequency of upload depends on the Mirage configuration. The tool creates a reference manifest on aspecific path if the manifest does not already exist and if it exists, the tool compares the manifest with thelast manifest in the storage and reports if the manifest was modified. Note that if you do not use the flag -CreateReferenceFileList and the reference manifest does not exist, you get an error.

To create the reference manifest for the first time, run FileComplianceScan -CreateReferenceFileList -MgmServerAddress localhost -CvdID 10008

where

n -CreateReferenceFileList creates the first manifest reference file.

n -MgmServerAddress is the name or IP address of the Mirage management server.

n -CvdID <id> is the Machine/CVD identifier.

The tool lists the number of files found, which includes all files in the CVD policy.

Check ComplianceTo check the files you want to track, run FileComplianceScan -MgmServerAddress localhost -FilesPolicy"C:\PolicyFile.xml" -OutputDir "c:\DetectManifestOutput" -LogTraceLevel -CvdID 10008

VMware, Inc. 165

where

n -MgmServerAddress is the name or IP address of the Mirage management server.

n -FilesPolicy <xmlFilePath> is the path to the xml file that includes extensions to include and folders toexclude. If the file does not exist, the tool reports it and creates a template file that you edit to define thefiles you want the tool to track when you run the command again.

n -OutputDir <CsvResultDirPath> is the path to a directory in which the tool creates the CSV file thatincludes a report of the files that were found. Not valid in CreateReferenceFileList mode.

n -LogTraceLevel is a parameter to obtain more detailed data to the output log for troubleshooting.

n -CvdID <id> is the Machine/CVD identifier.

Policy FileThe policy file is an xml file where you define the rules for the tool. Edit the file to enter directory excludepaths and file extensions for the tool to track. Example of the file:

<?xml version="1.0" encoding="utf-8"?>

<DetectManifestFilterOptions xmlns:xsd="http://www.w3.org/2001/XMLSchema"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<PathFilterArray>

<Directory ExcludePath="C:\\Folder1\\Folder2" Recursive="true" />

<Directory ExcludePath=" C:\\Folder1\\FileName.exe" Recursive="false" />

</PathFilterArray>

<TrackExtArray>

<Track Extention="exe" />

<Track Extention="dll" />

</TrackExtArray>

</DetectManifestFilterOptions>

You can modify this file to include new file extensions based on the output data and run the commandagain.

OutputThe output of the tool goes in a csv file with format: Modification Type, File Data Signature, File Path in Ref.Manifest, Latest File Path

Table 26‑1. Output Formats

Output Description

Modification Type FileAdded: Signature does not exist on original manifest but exists on new manifest.FileRemoved: Signature exists on original manifest but not on new manifest.FilePathChanged: If signature exists on both manifests but the path name has changed or thenumber of instances of this file has changed.

File Data Signature 32 Hex value of the signature of the file. The file cannot have more than one signature value.

File Path in Ref. Manifest List of full paths from ref manifest of all files with this signature.

Latest File Path List of full paths from current manifest of all files with this signature.

The summary on the command line reports the number of rows in the output file and the number of rowsfrom each modification type. If the tool finds no issues, the output csv file is empty.

If the machine is not 100% in compliance, check the output file and decide if you want to do any Mirageoperation to revert the machine back to its original state.


166 VMware, Inc.

Use CasesIn the banking industry, if a branch ATM contains a virus, an IT administrator can manage the endpointimage from a central console by running the tool to detect the virus, and revert the machine to its originalstate. This process saves critical downtime of the endpoints and cost of sending a technician onsite to resolvethe problem.

In the retail industry, this tool can detect any damaged machines that are not 100% file compliant and canrevert them to their original state.

Tool ConditionsThe tool is subject to these conditions:

n You can run the tool on one CVD at a time. The execution is around 1 minute/CVD.

n You cannot run the tool on an archived CVD.

n You cannot run this tool on a CVD with LMO (Layer Management Only).

n If the tool cannot complete the scan due to errors, it displays the appropriate error message.

n The tool can run in any machine that is running the Mirage server tools. For scalability purposes, it doesnot need to be run only from the Mirage management server.

Example of an error message:

CVD 10001 is an archived CVD. This tool does not support archive CVD. Please type valid CVD ID

Could not find volume path for CVD 10001

Error: Invalid program parameter(s): Missing server address

Chapter 26 CVD File Compliance Tool

VMware, Inc. 167


168 VMware, Inc.

Endpoint Disaster Recovery 27You can restore device files to an earlier CVD snapshot, or restore a device from a CVD after hard-drivereplacement, file corruption, format operation, or device replacement.

VMware Mirage provides two modes of disaster recovery:

n Restore files or the entire desktop to a previous CVD snapshot on an existing device. Files anddirectories are included in CVD snapshots in accordance with the active upload policies.

n Restore the hard drive on an existing or a replacement device:

n Restore a CVD to the same device after a hard-drive replacement, file corruption, or formatoperation.

n Restore the CVD to a replacement device.

When the CVD contains Encrypted File System (EFS) files, the files are recovered in their original encryptedform.

Note For better deduplication in the revert-to snapshot, the end user must be logged in during the restorePrefetch operation if the CVD contains EFS files.


n “Restore a Device to a CVD Snapshot,” on page 169

n “Restoring to a CVD After Hard Drive Replacement or Device Loss,” on page 170

n “Restoring Windows Devices,” on page 173

n “Working with Bootable USB Drives,” on page 174

n “Reconnect a Device to a CVD,” on page 178

n “End User Experience with Restore Processes,” on page 178

Restore a Device to a CVD SnapshotYou can use a CVD snapshot to restore a specific file or a complete endpoint on an existing device.

Mirage automatically creates CVD snapshots at regular intervals, preserves them based on a retentionpolicy, and makes them available for restoration as needed. See “CVD Snapshot Generation and Retention,”on page 46.

You can use a selected CVD snapshot to restore a specific file or a complete endpoint on an existing device.Restoring a specific file is the same process as restoring a previous file version. To restore a specific file froma CVD snapshot, see “Restore a Previous File Version,” on page 30.

VMware, Inc. 169

You can restore a complete device from a CVD snapshot between the same operating system, for example,Windows 8.1 to Windows 8.1, or cross-operating systems, for example, Windows 7 to Windows XP orWindows Vista. However, you cannot revert a Windows XP CVD snapshot to a Windows 7 or Windows 8.1device.

Procedure

1 In the Mirage Management console tree, expand the Inventory node and select the All CVDs node.

2 Right-click the CVD that you want to restore to an earlier snapshot and click Revert to Snapshot.

3 Select the revert options.

a Select the snapshot date to which you want to revert.

b Select whether you want to only restore the system and click Next.

The Restore System Only check box is selected by default. Select This restores system files only,including the base layer, user-installed applications and user machine settings. The user areacontent is not affected and any new files in the user area are not erased.

User data in this option pertains to files and directories listed in the upload policies User area.

The option behavior depends if the reversion you are performing is to the same OS or cross-OS.

Option Action

If to the same OS, for example,Windows 8.1 to Windows 8.1:

Clear this check box if you want to restore the entire CVD, includingthe User area, from the CVD snapshot.If the checkbox is cleared, any application, setting, or document in thecurrent CVD that does not exist in the snapshot is erased from theendpoint.

If to a different OS, for example,Windows 8.1 to Windows 7:

This checkbox is not selected so the entire CVD, including the Userarea, is always restored from the CVD snapshot.

4 Verify the snapshot details and click Finish.

Restoring to a CVD After Hard Drive Replacement or Device LossIf the hard drive on an endpoint is replaced, corrupted, or formatted, or if the user machine is lost and a newmachine is supplied, you must restore the CVD to the device or a replacement device.

You must set up the device with at least a basic OS image that complies with Mirage software requirements.See Software Requirements in the VMware Mirage Installation Guide.

When replacing the hard drive, you do not have to specifically identify the endpoint and locate the CVD inthe console. The server recognizes the endpoint’s GUID in the device BIOS and finds the associated CVD.

Use one of the following restore procedures to restore a CVD:

n Restore to CVD After Hard Drive Replacement, Corruption, or Format

n Restore a CVD to a Replacement Device

Restore to CVD After Hard Drive Replacement, Corruption, or FormatYou can restore a CVD after hard-drive replacement, file corruption, or format operation.

Prerequisites


Procedure

1 In the Mirage Management console, select Common Wizards > Disaster Recovery.


170 VMware, Inc.

2 Select Replace Hard Disk and click OK.

3 Select the device you want to use for the restore operation and click Next.

Only devices that are recognized as connected to CVDs and are pending restore are listed.

4 Select a restore option and click Next.

u To restore system files only, including the base layer, user-installed applications and user machinesettings, select the Restore System Only check box.

The user area content is not affected, and new files in the user area are not erased. User data in thisoption pertains to files and directories listed in the upload policies user area. See “Working withUpload Policies,” on page 19

u To restore the entire CVD, including the user area, from the CVD snapshot, deselect the RestoreSystem Only check box.

Any application, setting, or document in the current CVD that does not exist in the snapshot iserased from the endpoint.

5 Click Finish.

Restore a CVD to a Replacement DeviceYou can restore a CVD to a replacement device.

The endpoint changes its operating system in all cross-OS restore operations. For example, if a Windows 7endpoint is selected where Windows XP or Vista CVD is to be restored, that Windows 7 endpoint becomes aWindows XP or Windows Vista device.

You can also restore users from Windows XP, Windows Vista, and Windows 7 machines to new Windows 7machines, or from Windows 7 machines to Windows 8.1 and Windows 10 machines, and from Windows 8.1machines to new Windows 10 machines. See “Migrating to Windows OS Replacement Devices,” onpage 189. In this case, select Only Restore User Data and Settings as the restore option.

Prerequisites






Procedure

1 In the Mirage Management console, select Common Wizards > Disaster Recovery.

2 Select Replace the user machine and click OK.

3 Select the device where you want to restore the CVD and click Next.

Only devices to which the CVD can be restored are listed.

Chapter 27 Endpoint Disaster Recovery

VMware, Inc. 171










b Click Next.







Option Description



d Click Next.

6 Use the information on the Validation Summary page to compare the target device with the CVD andclick Next.

The summary alerts you to any potential problems that require additional attention. You cannotproceed until blocking problems are resolved.

7 Click Finish to complete the restore procedure..


172 VMware, Inc.

The migration process takes place in two phases. See “End User Experience with Restore Processes,” onpage 178.

Restoring Windows DevicesMirage supports restoring Windows devices for endpoint disaster recovery. You can perform a full-systemrestore between Windows devices or revert to an earlier Windows CVD snapshot.

Mirage supports Windows 8, Windows 8.1, and Windows 10, Professional and Enterprise Editions.

Restore a Windows DeviceYou can restore a Windows 8 CVD to a Windows 8 device.

Prerequisites


The procedure enables you to select a domain for this endpoint to join after the restore operation. If youwant to use the same credentials each time, perform the following:


2 Select the General tab and then type the credentials you want to use for domain joining.


Procedure

1 In the Management console, select Common Wizards > Disaster Recovery.

2 Select Replace the user machine and click OK.

3 Select the device where you want to restore the CVD and click Next.

Only devices to which the CVD can be restored are listed.

4 Select a restore option for the selected CVD and device and Next.


Option Description

Full System Restore This option includes OS, applications, user data, and user settings.Use this option for systems with Windows volume licenses or WindowsOEM SLP licenses.The entire CVD is restored to the replacement device, including OS,applications, and user files. Any existing files on the replacement deviceare lost or overwritten.This option requires you to select a base layer.


Use this option to migrate users from Windows 8 machines to Windows 8machines.The OS of the replacement device must be the same as or newer than thatof the CVD.Only user data and settings are restored to the replacement device. Theexisting OS and applications installed on the replacement device areretained.


VMware, Inc. 173

5 (Optional) Specify CVD naming and domain options.

a Change or define the hostname for a device being restored.

b Select a domain for this endpoint to join after the restore operation. The current domain is shownby default.

Type the OU and Domain or select them from the drop-down menus.


Option Description



c Click Next.

6 Use the validation summary to compare the target device with the CVD. This summary alerts you toany potential problems that require additional attention.

You cannot proceed until blocking problems are resolved.


The migration process starts and takes place in two phases. See “End User Experience with RestoreProcesses,” on page 178.

Working with Bootable USB DrivesMirage bootable USB media can assist you with recovery operations and system imaging. After the bootableUSB drive is created, it contains a clean install of Windows 7 Professional or Enterprise Edition, or Windows8.1 Professional or Enterprise Edition. The Mirage client is also installed and preconfigured to connect toyour Mirage server when the client machine restarts.

Note Mirage supports creating bootable USB keys for Windows 7 and Windows 8.1 only. For Windows 10endpoints, create a Mirage WinPE image on a bootable USB drive, provision a Windows 10 base layer, andrestore the CVD to the new device.

You can customize the bootable USB key to accommodate different hardware platforms and additionalWindows pre- and post-installation actions, for example, joining the new system to the required domain orrenaming the system. The following are the most common use scenarios:

n Restoring a device that can no longer boot to Windows

n Restoring or reimaging a remote device in the field

n Provisioning or imaging a new Windows installation on an existing machine quickly

Deploying the Windows image with the Mirage bootable USB key generally takes 15 to 30 minutes.

The following components are required:

n Windows 7 or Windows 8.1 Professional or Enterprise Edition machine.

This is represented in this guide as drive C.

n Mirage bootable USB Scripts provided by VMware.


174 VMware, Inc.

n Windows 7 or Windows 8.1 Professional or Enterprise Edition DVD or ISO file.

This is represented in this guide as drive D.

n A USB Drive with at least 8 GB available disk space

This is represented in this guide as drive U.

n Mirage client MSI installer file x86 or x64 version.

You can find current clients on the Mirage support downloads page.

n (Optional) Drivers for the end point hardware.

n Network drivers are highly recommended.

Note You can access all other drivers with the Driver Library feature within the Mirage server.

Limitations of the Bootable USB Driven The Windows installation is not activated and does not include a product key. Windows installation

allows you to work with a non-activated machine for a few days. You can work around this limitationby editing the autounattend.xml file.

n Some antivirus products (for example, Trend Micro) are known to prevent copying autorun.inf toremovable disks . As the process of creating a bootable USB disk requires copying such a file, you mustdisable the antivirus application while creating the USB disk using this utility.

n If you attempt to install Mirage with an SSL-enabled server, the newly deployed client machine mightnot be able to connect to the server, as it is not yet a member of the domain. In such a case, add a customaction on the USB disk to add the client machine to the domain.

Windows XP Bootable USB KeysMirage does not support a bootable USB key for Windows XP. To restore a bare metal Windows XP device,use your Windows 7 bootable USB drive, and then use Mirage to restore the device to a previous WindowsXP snapshot.

Create the Bootable USB KeyYou can create a folder, drive, or virtual drive on a USB disk containing the Windows 7 or Windows 8.1installation folders.

Important The process formats the entire USB drive!

Prerequisites

n The drive letter U:\ must be available to create the bootable USB disk. The creation scripts do not warnyou if it is already in use.

n When using a .ISO file for Windows installation, extract the content of the .ISO file by one of thefollowing methods:

n Use .ISO image file software to download and save the .ISO image file to a CD-R or a DVD-R.

n Virtually mount and access .ISO files as a virtual device.

n Extract the .ISO files to your hard drive.

Procedure

1 On your workstation, create the folder C:\BootUSB.

2 Create two subdirectories in C:\BootUSB. One called Drivers and one called MirageClient.


VMware, Inc. 175

3 Extract the VMware Boot USB Scripts from the BootUSB.zip file to the root of the C:\BootUSB folder.

Do not modify the file structure or add subdirectories.

4 Open the C:\BootUSB\MirageClient folder and copy the Mirage client installation MSI to this folder.

5 Find any hardware drivers you need for the new hardware and copy them to the C:\BootUSB\Driversfolder.

6 Insert the Windows installation DVD to your DVD drive.

Alternatively, you can mount your Windows ISO file. This speeds up bootable USB key creation.

7 Insert the USB Key and wait until Plug and Play detection completes.

8 Open a Command Prompt window as an administrator and run cd C:\BootUSB.

9 Select the command you want to run and press Enter.

Boot USB OS Command

Windows 7 win7usb.cmd

Windows 8.1 win8usb.cmd A list of the available disks and their disk number is displayed. Look for the disk number of your USBdrive, which you can identify by the size value.

10 Run the complete command with the following syntax:

n Windows 7: win7usb.cmd [win7 dvd path] [msi path] [server address] [use ssl transport(true/false)] [usb disk number] [Drivers folder (optional)]

n Windows 8.1: win8usb.cmd [win8 dvd path] [msi path] [server address] [use ssl transport(true/false)] [usb disk number] [Drivers folder (optional)]

Option Description

win7/win8 dvd path The path to the Windows 7 or Windows 8.1 DVD or folder containing theWindows installation files (folder containing the contents of the WindowsDVD).

msi path The path of a Mirage client MSI.

server address The IP address for your Mirage server for client devices to connect.

Use SSL transport A flag that indicates whether this client uses SSL. Use true or false.Note The Mirage server must already be configured for the SSL for thisto be enabled.

usb disk number This is the number of the USB disk to be formatted. A list of connected disknumbers is displayed upon invocation of the batch file that do not haveany parameters.

Drivers folder The location where any hardware drivers required on your new device arestored, from which you can add them to the bootable USB key. Thisparameter is optional.

The exact string for each endpoint is different.

Table 27‑1. Example of a Typical Command String

Operating System Command String

Windows 7 C:\BootUSB>win7usb.cmd D:\ C:\BootUSB\MirageClient\MirageClient.msi192.168.11.203 false 2 C:\BootUSB\Drivers

Windows 8.1 C:\BootUSB>win8usb.cmd D:\ C:\BootUSB\MirageClient\MirageClient.msi192.168.11.203 false 2 C:\BootUSB\Drivers


176 VMware, Inc.

The USB disk is prepared. When the USB key creation is completed, you can customize it in additionalways. For example, you can have it install additional software, or embed hardware drivers.

Install Windows with the Bootable USB KeyYou can use the bootable USB key to install Windows on a device.

Procedure

1 Insert the USB disk.

Do not unplug the USB disk until this process is fully completed and you have Windows and Mirageinstalled on your Windows 7 or Windows 8 system.

2 Perform a one-time boot from the USB disk by choosing the correct option in the startup menu.

For example, most Dell laptops use the F12 key. Windows begins loading.

3 Install Windows.

Prompts might vary according to the version of Windows you are installing and Windows installations,if any, currently on the endpoint.

Option Action

Version of Windows Select a Professional or Enterprise edition. Mirage does not support Homeeditions.

Upgrade and custom (advanced) Select the Custom (advanced) option.

Partition Select a partition in which to install the new copy of Windows. Formattingthe partition is optional.Note VMware software does not modify any existing partition tables.

Windows now installs. No further user intervention is required.

4 Log in with the following information:

Option Description

User name TEST.

Password password

Administrator password passwd1!

Note You can change these passwords by editing the account values in the autounattend.xml filefound on the USB Key. You can use the System Image Manager (SIM) tool that comes with the WindowsAutomated Installation Kit (AIK) to do this.

After you log in for the first time, the target machine is ready to use but might perform additional Windowsoperations in the background.

Customize Your Bootable USB KeyAfter the bootable USB is created, you can customize and configure it to suit your site or location.

You can use a number of files that for this purpose without having to rebuild the Bootable USB key in theprocess. Unless specified otherwise, these files are located in: USB_ROOT\sources\$oem$\$$\setup\Wanova\:


VMware, Inc. 177

Table 27‑2. Customization Files

File Name Description

InstallClient.cmd The file that controls the command that runs the Mirage installer. You can modify thecommands here, including the server Mirage connects to, using SSL or not, and any MSIswitches you want to use during installation.

SetupComplete.cmd The batch file called automatically when the Windows deployment is completed. You canadd more commands to this file as needed (install VPN client, for example).

MirageClient.msi Mirage client installed on the new Windows machine. Make sure the client version matchesthe Mirage server version.

Autounattend.xml An answer file for the unattended Windows installation that you can edit to customize thedeployed Windows installation. This file is found in the root of the USB drive.

Procedure

1 (Optional) Add Boot-critical drivers to the Bootable USB by putting them in USB drive:\$WinPEDrivers$.

Do this only if the Windows installation cannot proceed due to missing a critical driver, for example, amissing disk controller, preventing the installation from detecting the hard drive.

2 Copy the contents of USB drive:\sources\$oem$\$1\MirageDrivers\ to the local folderC:\MirageDrivers.

The Windows installation searches for and uses drivers located in the MirageDrivers folder on the rootof any drive.

3 (Optional) Customize the Windows installation further.

a Copy the contents of USB drive:\sources\$oem$\$$ to the Windows folder on the installation drive,e.g. C:\Windows.

b Copy the contents of USB drive:\sources\$oem$\$1 to the installation drive, e.g. C:\.

Reconnect a Device to a CVDYou can reconnect a device that has lost its synchronization for any reason to its CVD. After the ForceUpload operation, you can then continue backing up incremental changes as before.

You can connect an Assignment Pending device to an existing CVD and upload the current device data tothe CVD through a Force Upload process.

Procedure

1 In the Mirage Management console, expand the Inventory node and select Pending Devices.

2 Select the device, right-click and select Force Upload.

The device then synchronizes all its data to the CVD. Local client changes take precedence (“win”) overCVD changes.

End User Experience with Restore ProcessesEnd users can start working as soon as a subset of data is resident on their endpoints. An end user orapplication request for a file that is not yet downloaded, takes priority over background transfers. When thefile finishes downloading, the system notifies the end user that the file is available.

Restore processes take place in two phases: Restore Prefetch and Restore Streaming.


178 VMware, Inc.

Restore PrefetchThe server downloads the minimal set of files and configuration required for the endpoint to boot to theCVD and connect to the network. This is called the Minimal Restore Set. End users can start working as soonas this subset of data is resident on their endpoints.

Restore StreamingAfter the Minimal Restore Set is downloaded and reboot is completed, the server begins streaming theremaining CVD content to the endpoint in the background while the end user works. If the user orapplication request a file that is not yet downloaded, this request takes priority over background transfers.

The end user can view the streaming status of each downloading file by right-clicking the Mirage icon in thenotification area and clicking Show Streaming Status.

When an end user opens a file which is not yet fully downloaded, the system notifies the user that the file iscurrently downloading. When the file finishes downloading, the system notifies the end user that the file isavailable.

The system might advise the end user to wait until the connection is reestablished.

CVD files which have not yet been streamed to the endpoint appear in Windows Explorer with the Offlineicon overlay. This indicates that the files exist on a remote storage medium and that accessing them involvesa network download delay.


VMware, Inc. 179


180 VMware, Inc.

Migrating Users to DifferentHardware 28

You can move a user from one device to another, for example, when new hardware is purchased. You canmigrate users one at a time or as a mass hardware migration, which includes many user machines.


n “Reassign a CVD to a Different Device,” on page 181

n “Perform a Mass Hardware Migration,” on page 183

Reassign a CVD to a Different DeviceYou can reassign a CVD to a different device.

Prerequisites


Verify that the drive letters of the new endpoint and the CVD in the data center are compatible. If the driveletters are different, the system does not allow the restore operation to proceed.

Perform Sync Now on the endpoint before migrating it to a new client machine. This ensures that all data issaved to the data center before the migration takes place. See “Suspend and Reactivate Synchronization,” onpage 31.





The endpoint changes its operating system in all cross-OS restore operations. For example, if a Windows 7endpoint is selected to be restored to a Windows XP or Vista CVD, that Windows 7 endpoint becomes aWindows XP or Windows Vista device. For example, if a Windows 8.1 endpoint is selected to be restored toa Windows 7 CVD, that Windows 8.1 endpoint becomes a Windows 7 device.

Procedure

1 In the Mirage Management console, select Common Wizards > Hardware Migration.

2 Select the CVD you want to migrate and click Next.

3 Select the device where you want to migrate the CVD and click Next.

Only devices compatible with the selected CVD are listed.

VMware, Inc. 181










b Click Next.







Option Description



d Click Next.

6 Use the validation summary to compare the target device with the CVD.

This summary alerts you to any potential problems that require additional attention. You can proceedonly after all blocking problems are resolved.



182 VMware, Inc.

The migration process starts and takes place in two phases. See “End User Experience with RestoreProcesses,” on page 178.

Perform a Mass Hardware MigrationYou can migrate a mass of old user machines, for example, in the thousands, to new hardware models. TheOS version is not changed in this process.

You use a CSV-based input file that defines the set of transitions needed, including source machine,destination machine, and parameters. This is performed using Mirage command line tools.

Table 28‑1. CSV File Information


Source CVD name Windows name of the CVD

New CVD name Following the rebase - machine name + OU

Target device name Windows name of the device

Optional note per machine Appears in the Management console

Identifier Identifier of the target base layer (rebase) or no target base layer (universalrestore)

Credentials for the domain join account Username, password, and domain

Server address URL of the server

Procedure

1 Centralize the source machines to the Mirage server.

2 Assign these CVDs to a specific collection.

3 Connect the new machines to the network with an initial Windows system and deploy the Mirage clientto them. You can use mass deployment tools to deploy the client. There are several ways to do this:

n Use the Mirage bootable USB or LAN to deploy the initial image.

n Deploy an image using third party solutions, for example, PXE or MDT.

n Ask the hardware vendor to integrate the Mirage client in the Windows image deployed on themachines.

4 After the Mirage client is deployed, the new client machines appear in the Inventory > PendingDevices queue.

5 Create a CSV file mapping of source machine names to target machine names.

The target machine names are the desired names of the machines after the migration. Existing namesare not used as these are sometimes randomly generated by the hardware vendor.

Optionally, you can import this mapping from XML.

6 Provide the Mirage Management console with a domain join account, with username and password.

This account is used to rejoin the machines to the domain.

7 Select the pending devices to be used as target machines.

The number of target and source machines must be the same.

Chapter 28 Migrating Users to Different Hardware

VMware, Inc. 183

8 Choose from the following base layer options:

n Maintain the base layer from the source machines, which removes extraneous applications, such asOEM applications, from the target machines.

n Apply a new base layer to the target machines to apply additional applications to the targetdevices.

The following migration processes take place:

n For each source CVD, an available pending device is selected.

n The source CVD is assigned to the selected pending target device, along with the base layer for thetarget model, if any.

n The migration operation starts, including automatic boots whenever necessary.

n The migration task is marked as done only when an upload was completed.

What to do next

After the process is completed, the previous CVDs are migrated to the new machines.


184 VMware, Inc.

Windows OS Migration 29You can migrate existing Windows XP or Windows Vista endpoints to Windows 7, existing Windows 7endpoints to Windows 8.1 and Windows 10, and existing Windows 8.1 endpoints to Windows 10. Themigrations can be either in-place, on the same devices, or to replacement devices.

The migration installs a Windows 7, Windows 8.1, or Windows 10 base layer on each target endpoint whilepreserving user profile data and settings through the Microsoft User State Migration Tool.

n USMT 4.0 or USMT 5.0 for Windows XP to Windows 7 migration

n USMT 6.3 for Windows 7 to Windows 8.1 migration

n USMT 10.0 for Windows 7 to Windows 10 migration

n USMT 10.0 for Windows 8.1 to Windows 10 migration

Unlike base layer updates, the migration process installs a complete OS image, including local user profilesas configured on the reference machine when the base layer was captured. You can use this to set up a localadministrator and default user account.

The migration moves existing content of a target endpoint to the C:\Windows.Old directory, which is thenprocessed by USMT. Application settings and data that are not handled by USMT are kept in theC:\Windows.Old directory. You can manually restore this data, or delete it when you do not need it.

OS migration with Mirage retains the original computer name but requires rejoining the domain to create aWindows 7, Windows 8.1, or Windows 10 machine account. You can define this account in the Miragesystem configuration.

Custom boot loaders on the target machine are removed by the migration. If an endpoint includes multipleoperating systems, the migration overwrites only the one on the active OS partition and does not provideboot options for the others. You can manually restore other boot options after booting to the new OS.

Note Mirage requires certain Full Disk Encryption applications to be pre-configured before performing anOS migration. For more information about supported Full Disk Encryption software, contact VMwareSupport.

Prerequisitesn You must be an advanced administrator and familiar with system operations and the functional

behavior of Mirage to proceed with this operation.

n To reduce bandwidth during OS migration in a small or remote office, use the Mirage branch reflectorfeature. In particular, a Windows 7, Windows 8.1, or Windows 10 test machine configured as a branchreflector can share its OS files with client endpoints to assist in the migration process.

VMware, Inc. 185

n USMT does not migrate applications installed on Windows XP or Windows Vista to Windows 7, orapplications installed on Windows 7 to Windows 8.1 or to Windows 10, or applications installed onWindows 8.1 to Windows 10.

n Make sure to remove any sensitive data from the reference machine. All user data on the referencemachine is applied to the target as part of the migration process.

Windows OS Migration End User ExperienceAfter the migration base layer download is completed, the system requests a reboot. A swap is made andWindows 7, Windows 8.1, or Windows 10 boots.

Login is disabled until the system completes the migration process. The new OS is loaded and Plug-and-Play hardware is installed and configured. This process might take a few minutes, during which thecomputer is busy.

You can monitor the progress in the Windows login screen. When the process is completed, the systemrestarts the PC and you can then log in.

The post-migration script runs the USMT and then rejoins the domain. The PC must be connected to thecorporate network to be assigned a network address.

Note To rejoin the domain, the PC must have network access to the Mirage server and the domaincontroller. End users can log in using their domain credentials only after the domain join is complete.


n “Performing Windows OS In-Place Migration,” on page 186

n “Migrating to Windows OS Replacement Devices,” on page 189

n “Monitor the Windows OS Migration,” on page 190

n “Applying Windows OS Post-Migration Scripts,” on page 190

Performing Windows OS In-Place MigrationYou can perform an in-place migration of existing Windows XP or Windows Vista endpoints to Windows 7,existing Windows 7 32-bit endpoints to Windows 7 64-bit, existing Windows 7 endpoints to Windows 8.1and Windows 10, and existing Windows 8.1 endpoints to Windows 10 on the same equipment.

You can perform the OS in-place migration in two ways.

n You can download and apply the Windows base layer in one step. Each endpoint is migrated as soon asWindows 7, Windows 8.1 or Windows 10 image is downloaded to the endpoint. Each CVD starts themigration process as soon as the image is downloaded to the endpoint.

n Alternatively, you can download the base layer first and apply it to selected or all CVDs at a later time.This gives you control over when the new OS is applied to specific endpoints. As the amount of time ittakes to download might vary by endpoint, you might want to migrate certain endpoints that havefinished downloading in advance of the others.

In both cases, you start with a basic procedure, where you can apply CVDs immediately, or can downloadand apply them later. See “Perform Basic Windows OS In-Place Migration,” on page 187.

If you choose to only download a CVD, after the initial procedure is finished, you can complete themigration procedure by performing the steps described in “Download First and Apply in Stages,” onpage 188.

To perform a migration to different hardware, see “Migrating to Windows OS Replacement Devices,” onpage 189.


186 VMware, Inc.

Perform Basic Windows OS In-Place MigrationIn the basic procedure, the CVDs act independently and the migration operation starts on each endpoint assoon as the image completed the download, regardless of the state of the other CVDs in the task.Alternatively, for more control, you can choose to download first and apply to selected or all CVDs at a latertime.

Prerequisites





Procedure

1 In the Mirage Management console tree, select Common Wizards > Windows OS Migration.

2 Choose one or more CVDs to update and click Select and click Next.

You can either choose individual or multiple CVDs from the CVD List pane, or a collection from theCollections tab.

3 Select the base layer image for the migration.

a Select Download and Apply Base Layer or Only Download Base layer.

Option Description

Download and Apply Base Layer This performs the migration in one step. The CVDs act independentlyand the migration operation starts on each endpoint as soon as theimage completed the download, regardless of the state of the otherCVDs in the task.

Only Download Base Layer This performs only the Download stage, allowing you to selectivelymigrate CVDs that have completed downloading as a separateoperation.In this case, after the Wizard procedure is finished, you can start tomigrate certain endpoints that finished downloading.

b Select the Windows OS base layer image for migration.

c Click Next.

4 Select one or more available app layers to assign to the endpoint, move them to the Assigned layers listand click Next.

Note When performing Windows OS migration with app layers, Mirage is only able to deliver driverpackages as part of the Mirage driver library mechanism. In this scenario, Mirage will not deploy driverpackages which were recorded as part of the app layers.





Chapter 29 Windows OS Migration

VMware, Inc. 187



Option Description



d Click Next.

6 Use the validation page to resolve any compatibility problems between the base layer and selectedCVDs.

You cannot proceed until blocking problems are resolved.

7 Click Next and Finish.

After the operation is completed, one task is created that contains all the CVDs that you selected.

What to do next

If you chose Download and Apply Base Layer, the migration proceeds and you can now monitor themigration progress. See “Monitor the Windows OS Migration,” on page 190.

If you chose Only Download Base Layer, after the basic procedure is finished, you can start to migratecertain endpoints that finished downloading. See “Download First and Apply in Stages,” on page 188.

Download First and Apply in StagesIf you completed the basic Windows OS in-place migration procedure using the Only Download BaseLayer option, you can now apply the base layer to downloaded CVDs.

The basic migration operation that you ran with the Only Download Base Layer option created a MigrationDownload task that contains the CVDs you selected. At the end of that operation, the Windows 7, Windows8.1, or Windows 10 image that downloaded to individual endpoints is either ongoing or completed. See “Perform Basic Windows OS In-Place Migration,” on page 187, but applying the CVDs is not started.

You must now apply the image to the endpoints.

You can apply all the CVDs that have finished downloading, or you can select specific CVDs to apply first.You can then apply the remaining CVDs in additional cycles.

If not all the CVDs in the task, or in your selection of CVDs, are finished downloading, you can additionallychoose to wait until all CVDs are downloaded, or apply the ones that have finished. You can then apply theremaining CVDs in additional cycles as they finish downloading.

Procedure

1 Select Task Monitoring in the Mirage Management console tree.


188 VMware, Inc.

2 (Optional) Download all the CVDs in the task.

a Right-click the Migration Download task and select Start Migration.

b If downloads were not completed on at least one of the CVDs in the task, select:

Option Description

Yes Apply migration to the CVDs that have finished downloading so far.The not-yet-downloaded CVDs continue to download and are left inthe Migration Download task.

No Wait for the downloading to finish on all CVDs in the task and applymigration automatically to all the CVDs at that time.

The migration starts on the eligible CVDs according to the selected option.

c Continue to step 4.

3 (Optional) Download specific CVDs in the task.

a Right-click the Migration Download task and select View Assignments.

b To view the CVDs in the task, select Image Composer Layer Assignments.

c Select the CVDs that you want to migrate, right-click, and select Start Migration.

The Status panel displays how many CVDs were downloaded. Multiple statuses are shown whiledownloading is in progress. If downloads were not completed on at least one of the selected CVDs,a warning appears concerning these assignments.

d Select on of the following options.

Option Description

Yes Apply migration to the selected CVDs that have finished downloadingso far. The not-yet-downloaded CVDs continue to download and areleft in the Migration Download task.

No Wait for the downloading to finish on all the selected CVDs and applymigration automatically on all the CVDs at that time.

The migration starts on the eligible CVDs according to the selected option.

4 You can repeat the procedure as more CVDs complete downloading.

The migration operation starts on the eligible CVDs, according to the option you selected.

What to do next

You can monitor the progress of the migration. See “Monitor the Windows OS Migration,” on page 190.

You can repeat the procedure as more CVDs complete downloading.

Migrating to Windows OS Replacement DevicesYou can migrate end users from Windows XP, or Windows Vista, or from Windows 7 machines to Windows8.1 or Windows 10, or from Windows 8.1 to Windows 10 machines. This is relevant for if you are usingWindows OEM SLP licenses, and supports both disaster recovery and hardware refresh scenarios.

You can use the migrate to Windows OS replacement devices operation for the following operating systems:

n Windows XP 32-bit to Windows 7 32-bit or 64-bit

n Windows Vista 32-bit to Windows 7 32-bit or 64-bit

n Windows Vista 64-bit to Windows 7 64-bit

n Windows 7 32-bit to Windows 8 32 bit or 64-bit


VMware, Inc. 189

n Windows 7 32-bit to Windows 7 64-bit


n Windows 7 32-bit to Windows 8.1 32 bit or 64-bit

n Windows 7 64-bit to Windows 8.1 64-bit



n Windows 8 32-bit to Windows 8 32-bit or 64-bit


n Windows 8.1 32-bit to Windows 8.1 32-bit or 64-bit

n Windows 8.1 64-bit to Windows 8.1 64-bit

n Windows 8.1 32-bit to Windows 10 64-bit

n Windows 8.1 64-bit to Windows 10 64-bit


Migration to a different device requires restoring only user data and settings, see “Restore a CVD to aReplacement Device,” on page 171.

Note In-place migration for Windows OS described in Chapter 29, “Windows OS Migration,” on page 185is not suitable for migration to replacement devices.

Monitor the Windows OS MigrationYou can monitor the detailed progress of all the CVDs in the migration by viewing the task progress.

Procedure

1 In the Mirage Management console tree, select Task Monitoring.

2 Right-click the required task and select View Assignments.

The Status panel shows how many CVDs were downloaded. Multiple statuses are shown whiledownloading is in progress.

Applying Windows OS Post-Migration ScriptsYou can create a custom post-migration script to perform certain actions after the migration update, such asinstall software or add or remove drivers.

A custom post-migration script is required in cases such as:

n Install software requiring execution on the individual endpoint. This can include hardware-specificsoftware that is compatible only with certain endpoints.

n Update or remove hardware drivers that might already exist on the endpoint.

This file and any auxiliary files used or called by the script are captured as part of the base layer anddistributed to the various endpoints. It is important to verify that the auxiliary files are placed in the samedirectory as the script or another directory that is captured in the base layer.


190 VMware, Inc.

Procedure

u Create a file called post_migration.bat under the %ProgramData%\Wanova\Mirage Service directory. Youmust edit the file on the reference machine.

Note The Mirage client installation includes a default sample script that does not perform any post-migration script actions.

The Mirage client monitors the post-migration script execution and reports events to the Mirage centralmanagement service if the script returns an error value other than zero.


VMware, Inc. 191


192 VMware, Inc.

Monitoring System Status andOperations 30

The system dashboard assists you to monitor the system status and operations. The transaction log lets youmonitor the progress of updates coming from and to the Mirage server.


n “Using the System Dashboard,” on page 193

n “Using Transaction Logs,” on page 195

Using the System DashboardThe system dashboard provides at-a-glance monitoring of system component status and operations, such asstatistics about system activities, alerts, and indications of actions the administrator must carry out, as wellas centralization and backup processes. It also assists the Protection Manager role to ensure that user devicesare protected.

Most dashboard information is refreshed automatically every three minutes. You can also refresh keyinformation indicators, such as system status, server status, and capacity use, by pressing F5.

System StatusThe System Status area shows the number of unacknowledged events by severity (Critical, Warning, or Info)and source (Server or Clients).

System events are propagated from clients, the server, and the management service on the server. Warningand Info events provide advice or instructions that do not require urgent attention. You can click an eventbutton to open the Event log view filtered according to the selected severity and source.

ServersThe Server area shows the Up or Down status of Mirage servers. The icon also reflects the server status.

Note MMC contains limited monitoring capabilities. It is recommended to use the Servers tab in theMirage Web Management for status of Management Servers and their MongoDB databases.

Capacity StatusThe Capacity Status area shows the number of devices according to the following statuses:

VMware, Inc. 193

Table 30‑1. Device Statuses

Status Description

Pending Number of devices pending restore or activation, irrespective of their connection status.

Online Number of activated devices that are online, excluding online devices pending restore.

Offline Number of activated devices that are offline, excluding offline devices pending restore.

You can click the Pending label or counter to link to the Pending Devices window where you can view thepending devices and apply relevant actions.

An exclamation mark icon indicates license depletion. This occurs if the total number of pending plus onlinedevices is greater than the licensed capacity.

Update ProgressThe Update Progress area histogram shows the number of clients currently downloading updates orinvolved in restore activities, for example, following base layer assignment, enforcement, or update, andCVD restore. The information is presented in percentage progress ranges, from just started (0-20%) to almostcompleted (80-100%).

Totals of desktops finished downloading or currently downloading are also provided.

Table 30‑2. Totals of Desktops Finished Downloading or Currently Downloading

Statistic Description

Total Ready Number of desktops that have finished downloading (reached 100%), or that have no pendingdownload.

Total in Progress Total number of desktops that are currently downloading or have an incomplete downloadpending network reconnection.

Data ProtectionThe Data Protection meter indicates the total protection level of the desktop deployment.

The gauge shows the ratio of total desktop content stored and protected at the server versus total desktopdata at the endpoint in the process of synchronization. The gauge reflects information provided by onlinedevices. Offline devices report the next time they connect.

Core Image ComplianceThe Core Image Compliance meter indicates the total compliance level of your endpoints.

The gauge represents the percentage compliance of managed endpoints with their IT-approved base layer.Based on this information, you can enforce the base layer for one or many endpoints to bring them back intocompliance and decrease the likelihood of end user problems.

Efficiency BenchmarksThe Efficiency Benchmarks area shows the actual traffic between the desktops and the server over the last 24hours as a histogram.

Table 30‑3. Efficiency Benchmark Histograms

Histogram Description

Network Usage (In) Shows upload traffic from desktops to server.

Network Usage (Out) Shows the download traffic from server to desktops.


194 VMware, Inc.

Each bar shows the total data for one hour. The bar representing the current hour shows total traffic fromthe start of the hour to the last dashboard refresh time.

Table 30‑4. Information Provided in Each Histogram

Element Description

Y axis Data size in bytes, KB, MB, or GB, according to the maximum data transferred in the 24-hour span.

X axis Time in hours, where each bar represents one hour.

Total Total traffic in the last 24 hours.

Average Hourly traffic average in the last 24 hours.

Peak Hourly traffic peak in the last 24 hours.

Using Transaction LogsA transaction is a logical operation between the Mirage server and the Mirage client. You can use thetransaction log to monitor the progress of updates coming from and to the server.

Each transaction is built from a collection of sub-transactions, each representing a network session betweenthe client and server. Sub-transactions are reported only when a session is either complete (succeeded) orterminated (failed due to a network disconnect or other specified reason).

Table 30‑5. Transaction Types in the Transaction Log

Transaction Type Description

Centralize Endpoint First time upload of the end user machine to the server.

Upload Incremental Changes Synchronizing ongoing changes from the end user machine to the server.

Update Base Layer End user machine is updated with the assigned base layer

Update App Layer End user machine is updated with the assigned app layer.

Base Layer Caching The branch reflector downloads a base layer.

Base Layer Verification Base layer download is verified prior to being applied.

Restore Prefetch Client downloads the minimum file set required from the CVD to allow theendpoint to boot the restored CVD and allow network access to complete restorethrough background streaming.

Restore Streaming Client streams the remainder of the restored CVD to the endpoint while the userworks normally online.

Note More than one sub-transaction appears when one or more attempts to complete the parenttransaction failed. The sub-transaction status reported is final and does not change.

Transaction Entry PropertiesTable 30‑6. Transaction Log Information for Each Entry


CVD Number of the CVD

CVD Name Name of the CVD

Type Type of operation being performed, such as Centralize Endpoint or UploadIncremental Changes

Status Status of the transaction, for example Success.

Layer Base Layer ID and version, if applicable

Chapter 30 Monitoring System Status and Operations

VMware, Inc. 195

Table 30‑6. Transaction Log Information for Each Entry (Continued)


Changed Files Total number of changed files

Unique Files Total number of files to be transferred, after duplicate files are eliminated

Size (MB) Total Data size of the files to be transferred, after duplicate files areeliminated

Size After File Dedup (MB) Data Size After Dedup, meaning the total size of file and metadata to betransferred after it is reduced by intra-file and inter-file block leveldeduplication, but before LZ compression

Size After Block Dedup (MB) Before Compression size, which is the total network transfer as seen overWAN, before applying LZ compression

Data Transferred (MB) The total network transfer that took place.

Branch Reflector Transfer (MB) The amount of data that was sent from the branch reflector to the endpoint(instead of from the Mirage server directly to clients).

Savings Transfer Savings, meaning the ratio of the total size of the changed files andactual transfer size

Start Time Start time of the transaction

End Time End time of the transaction

Duration Duration of the transaction

Search and Filter Results SpecificationWhenever a search or filter query is initiated in any list window, the first page of results appears in the viewarea. The number of pages of qualifying records appears under the Search text box and you can scroll to thenext or previous page by clicking arrow icons. For improved query response time, when the number ofrecords retrieved is very large, the associated page count is not calculated and is replaced by three dots (...).

Total Transaction Record LimitsThe system implements transaction record limits to prevent log files from becoming too large:

Table 30‑7. Transaction Record Limit by Record type

Transaction Record Type Cleaned up after:

Steady State (SS) transactions 30 days

Layer transactions 180 days

All other transactions 365 days


196 VMware, Inc.

Working with Reports for MirageOperations 31

You can generate and view reports on demand. Reports display the status of various Mirage operations.

You access, generate, import, and export reports from the Reports tab in the Mirage Web Management.

You can preview a report as a PDF. The preview displays in a new tab of the Web browser. Ensure that youdisable pop-up blocker.

The maximum number of records that you can include in a report by default is 2,000. If the report includesmore than 2,000 records, the report fails to generate. When you generate a report that contains more than200 records, you receive a warning message that the procedure might take some time to generate. You canconfigure these parameters by editing the configuration files located in C:\Program Files\Wanova\MirageWeb Management\web.config.

n <add key="ReportRecordCriticalThreshold" value="0"/>

n <add key="ReportRecordWarnThreshold" value="0"/>

Centralization ProgressYou generate the Centralization Progress report during the first phase of the Mirage deployment to view theprogress of CVDs being centralized. The Centralization Progress report displays the centralization status ofCVDs and the average time, average CVD size, and average data transfer size of completed CVDs duringthe specified time frame for the report.

OS Migration ProcessThe OS Migration Process report displays the number of CVDs that have started, are still pending, and havecompleted an OS migration procedure.

Endpoint Provisioning Progress ReportYou generate the Endpoint Provisioning report to view the CVDs that are being provisioned and the CVDsthat have completed provisioning during the specified time frame for the report.

Data Protection StatusYou generate the Data Protection Status report to view the percentage of users' systems that are backed up.

The Data Protection Status report displays the data protection status of CVDs and lists the CVDs and usersfor whom an upload procedure is incomplete.

Custom ReportYou can create a custom report based on your organization's requirements.

VMware, Inc. 197

Branch Reflector Cached LayersThe Branch Reflector Cached Layer report displays the cached base and app layers of each branch reflectoras well as the branch reflectors that do not have any cached layers.


n “Layer Dry Run Reports,” on page 198

n “CVD Integrity Report,” on page 199

Layer Dry Run ReportsYou can run a Layer Dry Run report to compare the content of the layers and the CVD before applying alayer update to a CVD or collection of CVDs. This report provides a method to detect unforeseen effects,and resolves conflicts that might result from any mismatch between the CVD and the layers content.

Table 31‑1. Types of Conflict Described in the Report

Conflict Type Description

Base Layer Application Downgrades a userinstalled application

An application installed in the base layer uses an older version ofshared components than another user installed application uses.

Base Layer Application Downgrades OS component An application installed in the base layer downgrades OScomponents.

Base Layer OS Components downgrades userinstalled application

OS components in the base layer downgrades shared componentsthat are used by a user installed application.

You can generate this report in two ways:

Table 31‑2. Types of Layer Dry Run Report

Report Type Description

Application-level report Describes projected applications that are added to, updated in, or deleted from to anendpoint device when the selected layer changes are applied. It compares theapplications installed on the layers and the CVD and provides a general view of theresult for the change in layers. For more information, see 16.2 Comparison Reportbetween Base Layer and CVD.

Program Executable (PE) levelreport

Analyzes the outcome of removing or updating a PE file. It projects affected softwaremodules, such as .DLL files, when a base layer is downloaded to an endpoint deviceclient, and details whether each affected module is downgraded.

Note Depending on the number of CVDs selected, running the report might take some time.

Procedure

1 In the Mirage Management console tree, under the Reports tree, click the report type that you want togenerate or view.

2 To generate a dry run report:

a Click the Generate Report icon on the report toolbar.

b Type a report name in the Report Name text box.

c Select a CVD and click Select , and click Next.

To deselect a CVD, click Remove. To deselect all CVDs, click Clear.


198 VMware, Inc.

d Select a base layer option.

Select No change to target base layer, or Select Base layer from list and select a base layer, andclick Next.

e Select app layers to be included in the report.

f Click Finish.

The report is generated. You can view the report when the status is Done.

3 To view a report that was generated:

u Click the View Report icon on the report list toolbar.

The report appears as an HTML page.

4 To delete a report:

a On the report list, select the report you want to delete.

b Click the Delete icon on the report console toolbar.

CVD Integrity ReportYou generate the CVD Integrity report if a system event warns that a CVD might have inconsistencies.

The CVD Integrity report verifies that a CVD is consistent and free of corruption, and can continue to residein the system and be used for restore and other purposes.

Procedure

1 In the Mirage Management console tree, expand the Reports node and select the CVD Integrity report.

2 To generate a report:

a Click the Generate Report icon on the report toolbar.

b Type a report name in the Report Name text box. If none is given, the default name format isapplied (CVD_Integrity_{User's environment name}_{Short date}).

c Select a CVD in the CVD List area, and click Next.

d Select a report option:

Option Description

Check Only Generates only the CVD Integrity report, which checks for errors on theselected CVD. No repair actions are performed.

Fix For Upload Use this report option if you were performing a non-restore process (forexample, periodic upload) when you encountered a problem with theCVD. Corrupted files are re-uploaded so that the interrupted processcan resume.

Fix For Restore Use this report option if you were performing a restore process whenyou encountered a problem with the CVD. Corrupted files are repairedso that the interrupted process can resume.

e Click Next and click Finish.

3 To view a report that was generated:

u Click the View Report icon on the report list toolbar.

The report appears as an HTML page.

Chapter 31 Working with Reports for Mirage Operations

VMware, Inc. 199

4 To delete a report:

n On the report list, select the report you want to delete.

n Click the Delete icon on the report console toolbar.


200 VMware, Inc.

Mirage Security Reference 32When you configure a secure Mirage environment, you can change settings and make adjustments in severalareas to protect your systems.


n “Ports and Protocols Used by Mirage,” on page 201

n “Protecting Mirage Resources,” on page 203

n “Mirage Log Files,” on page 204

n “Mirage Accounts,” on page 205

Ports and Protocols Used by MirageThe Mirage system and clients use default communication ports. Make sure that the correct ports andprotocols are selected for the system.

The Mirage Management server and Mirage servers use external communications to communicate with theMirage clients or the Mirage Management console, and internal communications to communicate with eachother.

Table 32‑1. Ports and Protocols for Mirage Components

ComponentCommunications Port Protocol Notes

Mirage service External 8000 TCP/IP orSSL/TLS

The only port required for communications betweenMirage clients and servers.Note SSL/TLS is optional and can be enabled. See “Installan SSL Server Certificate for the Mirage Server,” onpage 48.

Mirage BranchReflector

External 8001 TCP/IP Used for communication between the branch reflector andthe local peers at the remote site.

Mirage Managementservice

External 8443 ,1443

TCP/IP Used for communication between the Mirage Managementconsole and the Mirage Management service. SOAPMessage-level Security is applied.

Mirage Server service Internal 135,445

TCP/IP Used for control communication between the MirageManagement service and the Mirage server.Note You can limit access to this port to incomingconnections from the Mirage Management service host.

File portal Internal 6080,6443

TCP/IP Used to access the file portal.

Mirage WebManagement

Internal 7080,7443

TCP/IP Used to access the Web Management.

VMware, Inc. 201

Table 32‑1. Ports and Protocols for Mirage Components (Continued)

ComponentCommunications Port Protocol Notes

Mirage Gatewayserver

Internal 8000 TCP/IP Used for communication between the Mirage Gatewayserver and the Mirage server.Note The port must have DNS update access.

Internal 389,636

TCP/IPLDAP orLDAPS

Used for communications between the Mirage Gatewayserver and the LDAP servers.

Internal 8080 /8443

TCP/IP Used for communications between the Mirage Gatewayserver and the Mirage Management server.Used for the Mirage Gateway Web console.

External 8000 TLS/SSL Used for communication between the Mirage client andthe Mirage Gateway server.

Internal 8093 TCP/IP Used for communication between Mirage Gatewayauthentication service and Mirage Management Server.

Mirage API Internal 7443 HTTPS

MongoDB FileDatabase

Internal 27017,27018

TCP/IP Used to communicate with the MongoDB nodes located oneach Mirage server and Mirage Management server.


202 VMware, Inc.

Protecting Mirage ResourcesMirage includes several configuration files and similar resources that must be protected.

Table 32‑2. Mirage Resources

Resource Location Protection

Configuration files web.config

app.config

Mirage Gateway server:/opt/MirageGateway/etc/MirageGateway.conf

/opt/MirageGateway/apache-tomcat-7.0.54/conf

Mirage Web Manager:/opt/MirageGateway/apache-tomcat-7.0.54/webapps/WebConsole/WEB-INF/classes/log4j.properties

Customer ExperienceImprovement Program:%Program Files%\Wanova\MirageManagementServer\Ceip\conf\ceip.prop

%Program Files%\Wanova\MirageManagementServer\Ceip\conf\CEIPTimeControl.prop

%Program Files%\Wanova\MirageManagementServer\Ceip\conf\Customer.conf

%Program Files%\Wanova\MirageManagementServer\Ceip\conf\DataAccess.cfg.xml

%Program Files%\Wanova\MirageManagementServer\Ceip\conf\JoinCEIP.conf

%Program Files%\Wanova\MirageManagementServer\Ceip\conf\log4j.properties

Mirage API configuration files:%\Program Files%\Wanova\MirageAPI\log4net.config

Mirage Management server:

Configurations are automatically access protectedfrom other computers. User passwords arescrambled in the database.

Chapter 32 Mirage Security Reference

VMware, Inc. 203

Table 32‑2. Mirage Resources (Continued)

Resource Location Protection

%Program Files%\Wanova\MirageAPI\web.config

%Program Files%\Wanova\MirageManagementServer\Wanova.Management.Service.exe.config

Mirage server:%Program Files%\Wanova\MirageServer\Wanova.Server.Service.exe.config

Log files See “Mirage Log Files,” onpage 204

Protected by access control.

Mirage client log files %ProgramFiles%\Wanova\MirageService\Logs

These files are accessible to all users

Mirage Log FilesMirage creates log files that record the installation and operation of its components.

Note Mirage log files are intended for use by VMware Support. Configure and use the event database tomonitor Mirage.

Table 32‑3. Mirage Log Files

Mirage Component File Paths

Mirage server %Program Files%\Wanova\Mirage Server\server.log

%Program Files%\Wanova\Mirage ManagementServer\mgmtservice.log

Mirage Management server %Program Files%\Wanova\Mirage Server\server.log

%Program Files%\Wanova\Mirage ManagementServer\mgmtservice.log

Mirage client %ProgramFiles%\Wanova\MirageService\Logs

Mirage Web Management Web Manager log files:%ProgramData%\Wanova Mirage\WebManagement\logs\webapp.log

Customer Experience Improvement Program log files:Error log. Ceip\logs\MirageCEIPerror.logData collection log. Ceip\logs\MirageCEIPlog.logService log. Ceip\logs\MirageCEIPService.log


204 VMware, Inc.

Table 32‑3. Mirage Log Files (Continued)

Mirage Component File Paths

Mirage API %ProgramData%\Wanova Mirage\WebManagement\logs\mirage_api.log

Mirage Gateway server /opt/MirageGateway/logs/error.log

/opt/MirageGateway/logs/mirage_gateway.log

/opt/MirageGateway/logs/mirage_gateway_backend.log

/opt/MirageGateway/logs/mirage_gateway_current_stat.log

/opt/MirageGateway/logs/mirage_gateway_service.log

/opt/MirageGateway/logs/mirage_gateway_stat.log

/opt/MirageGateway/apache-tomcat-7.0.54/logs/MirageGateway.log

Mirage AccountsYou set up system and database accounts to administer Mirage components.

You must set up system and database accounts to administer Mirage system components.

Table 32‑4. Mirage System Accounts

Mirage Component Required Accounts

Mirage server The domain group is created during installation andadministrator roles are created in the Mirage Managementconsole.

Mirage Management server The domain group is created during installation andadministrator roles are created in theMirageManagement console.

Mirage client Not applicable.

Mirage Web Management Configure user accounts in Active Directory, and assignusers to an Active Directory group. In theMirageManagement console, assign roles, such as protectionmanager or help desk, to the Active Directory group.VMware recommends that you limit log-in privileges to thedesignated administrator group.

Mirage API and Mirage PowerCLI Use NT account credentials.

Mirage Gateway server The default username is Mirage and the default password isvmware.

Chapter 32 Mirage Security Reference

VMware, Inc. 205


206 VMware, Inc.

Maintaining the Mirage System 33You can perform maintenance operations on Mirage servers and the Management server, including backup,restore, and upgrade from previous Mirage versions.


n “Server and Management Server Operations,” on page 207

n “Upgrading from Previous Mirage Versions,” on page 215

Server and Management Server OperationsYou can perform maintenance operations on Mirage servers and the Mirage Management server, includingbackup and restore.

Back up a Server or the Management ServerYou can back up a Mirage server or the Mirage Management server. Server state backup involves the backupof all storage volumes and the database.

Important Configure your server backup software to stop the Mirage server cluster and the MirageManagement server during the snapshot and database backup time. Back up the SIS and the database usinga point-in-time representation so that the backup is consistent across all the volumes and the database.

Contact VMware support for assistance with this procedure.

Prerequisites

Copy the Mirage storage volumes to the backup location, preferably through a snapshot mechanism, andalso back up the database.

If storage snapshots are not used, verify that the Mirage servers and the Management server are stopped forthe full duration of the backup.

VMware, Inc. 207

Export Mirage System SettingsIf your current Mirage system deployment exceeds the maximum number of clients, you can migrate all ofthe systems settings from your current deployment to your new deployment. This helps you to easily installand configure your new Mirage system. You can export the Mirage system configuration and layers to a self-contained archive using a command-line tool that is external to Mirage. You can use the exported items laterto import and synchronise items to your new Mirage deployment.

You can export the following items from your current Mirage deployment to a zip file:

n System settings

n Configuration files

n Bandwidth limiting settings

n USMT files

n Driver libraries

n Master and CVD policies

n Base layers

n Application layers

Procedure

1 To export the Mirage system configuration and layers to a self-contained archive, run the followingcommand.

C:\Program Files\Wanova\Mirage Management

Server\Wanova.Server.Tools.exe“ ExportSystemSettings -MirageMgmtIp <IP address> -

outputFolder c:\temp\configParams -tempVolumePath c:\temp\tempVol

Where,n -MirageMgmtIp is followed by the IP address of your Mirage management server.

n -outputFolder is followed by the full-path of the folder where you want to save the exported self-contained archive. The path provided should be empty or contain a previously exported settings.

n -tempVolumePath is followed by the path to hold the temporary mirage volume.

n (Optional) -layersFile is followed by the path of a layers the cvs file.

2 To view the progress of the utility, go to the VMware Mirage Console on your Mirage System andselect Task Monitoring.

Note You can only track the progress of the tasks from the Task Monitoring option in the VMwareMirage Console. Use the command-line tool to abort exporting the system configurations files.

Branch Reflector Cache Export and Import ToolsThe branch reflector cache export and import tools allow you to export warmed up base layers, app layers,and drivers to a compressed archive that you can transfer to branch reflectors in advance, saving time andbandwidth.

Use this tool to prepare for a major operation, such as a migration for an entire office, or speeding up imagedistribution to remote or bandwidth-distressed branches. You can define images to export by providing thefollowing:

n Set of base and app layers

n Set of layer groups that consist of base and app layers


208 VMware, Inc.

n Driver library

Branch Reflector Cache Export ToolThe branch reflector cache export tool exports the images to an archive which you can then transfer to thebranch reflector and import it using the import tool.

To export the file, specify these server parameters.

Table 33‑1. Server Parameters


ExportBranchReflectorCache Activate branch reflector export tool

-tempfolder The temporary folder used by the tool

-outputfolder Output folder to put the archived file

-layercsvfile [Optional] Path of csv file containing a list of layers or layer groups. Example: 5, 1.0where 5 is the image identifier and 1.0 is the image version. If you omit thisparameter, you must include-layergroupslist.

-layergroupslist [Optional] Path of text file containing a group name on each line in the file. If youomit this parameter, you must include -layercsvfile.

-includedrivers [Optional] Provide this parameter to export the driver library

-serveraddress IP address of a management server

The tool performs some external calls to other server tools: ExportLayers to export the required layers andthe DriverLibraryCloner to export the driver library. The tool mounts the exported layers and drivers,performs a scan of all files and outputs them into a branch reflector cache format. After the tool archives thebranch reflector cache, it performs a cleanup of the temp folder.

Sample execution line:

..\Mirage management server\>Wanova.Server.Tools.exe ExportBranchReflectorCache -tempfolder

c:\temp -layercsvfile c:\temp\layer.txt

-serveraddress 10.26.200.175 -outputfolder c:\temp\brout -includedrivers -layergroupslist

c:\temp\groups.txt

The branch reflector cache import tool extracts the branch reflector cache archive file and imports itscontents into the cache of an active branch reflector. Run the tool on the branch reflector machine with localadministrator rights.

Branch Reflector Cache Import ToolThe branch reflector cache import tool extracts the branch reflector cache archive file and imports itscontents into the cache of an active branch reflector. Run the tool on the branch reflector machine with localadministrator rights.

To import the file, you must specify these parameters.

Table 33‑2. Client Parameters

Parameters Description

<path of archive file> The full path of the exported branch reflector cache. This path can be a UNC path.

<path of temp folder> The temporary folder must be local path on the branch reflector machine.

Chapter 33 Maintaining the Mirage System

VMware, Inc. 209

The tool extracts the archive into the temp folder, then the Mirage desktop service API initiates a warmupoperation, providing the service with the location of the extracted content and a path to a temp folder. TheMirage desktop service adds the required files to the branch reflector cache. The warmup process occurs inthe background and does not impact the operation of the Mirage client or branch reflector. The tool runsuntil the warmup process completes.

Sample execution line:

C:\Program Files\Wanova\Mirage Service>Wanova.Desktop.BrWarmup.exe "C:\temp\ExportedBRCache.

2017-01-10 13.26.15.zip" c:\temp"

After you run the command, the console displays the progress of the tool and the output is saved to thedesktop log. Closing the console window does not cancel the warmup process as the desktop serviceperforms the extraction and import phase.

Note The size of a base image and application layer can vary depending on the different characteristics ofthe layers. A rough estimate is 8 GB per base layer and 1 GB per app layer. The archive is extracted to a templocation and then imported into the cache, which requires double the disk space for the import operation.After the import is complete, the temporary location is cleared and only a single copy of each image isstored in cache.

Querying the Branch ReflectorYou can query a branch reflector and obtain a report of warmed up layers in its cache.

The desktop component of this reporting tool detects the list of layers cached by the branch reflector andvalidates the integrity of the files in each layer. When 80% (a configurable setting) of the files are in thebranch reflector cache, a layer is considered warmed up. The branch reflector downloads the remaining filesfrom the server on demand.

The branch reflector periodically reports to the server a list of layers that exist in its cache. You can query thebranch reflector to send information on its cached layers and view the list by running the Branch ReflectorCached Layers Report from the Mirage Web Management Console or by using a special CLI tool.

Querying MethodsThere are three ways to query the existing layers from a Mirage system:

n Mirage report tool can display the information on screen or output to CSV.

n Mirage CLI can show the warmed up layers on screen.

n A Mirage report called Branch Reflector Cached Layers. This report requires you to install the Miragereporting component which utilizes Microsoft SSRS.

Important The report does not show layers that have been exported from a separated Mirage deploymentbecause they contain a different layer GUID. For example, if you deployed two separate Mirage instancesand want to export and import layers between these environments, you must export and create a separatebranch reflector cache that can be imported to branch reflectors on each Mirage instance, since the layer IDsand GUIDs are different in each instance. Exporting branch reflector cache from instance A and importing itto a branch reflector managed by instance B copies the layer files to the branch reflector's local cache but thelayer will not appear in the branch reflector report on instance B.

Important Layers warmed up by branch reflectors before Mirage 5.9 will not appear in the BranchReflector Cached Layers Report or the WarmedUpLayersReport CLI. The layers are warmed up, but thereport or query tool does not display them in the output.


210 VMware, Inc.

Branch Reflector Cached Layers Report OutputThe output contains information on the branch reflector and layers:

Branch Reflector Cached Layers CLITable 33‑3. Parameters

Goal Parameter

Query the warmed up layers of a branchreflector or set of branch reflectors

Wanova.Server.Cli localhost > QueryWarmedUpLayers10010,10011

View the output of all warmed up layers toscreen

Wanova.Server.Tools WarmedUpLayersReport -mirageMgmtAddress localhost

View the output of all warmed up layers toCSV

Wanova.Server.Tools WarmedUpLayersReport -mirageMgmtAddress localhost -outputFilec:\Temp\result.csv

View the output of warmed up layers of aspecific branch reflectors to screen

Wanova.Server.Tools WarmedUpLayersReport -mirageMgmtAddress localhost -specificBrIds 10010

View the output warmed up layers of aspecific set of branch reflectors to screen

Wanova.Server.Tools WarmedUpLayersReport -mirageMgmtAddress localhost -specificBrIds 10010,10011

View the output warmed up layers of aspecific set of branch reflectors to CSV

Wanova.Server.Tools WarmedUpLayersReport -mirageMgmtAddress localhost -specificBrIds 10010,10011 -outputFile c:\Temp\Result.csv

Configuring Advanced SettingsYou can also configure these settings using the Mirage Server CLI: Wanova.Server.Cli localhost andsetConfigParam <Configuration Name> <Value>

Table 33‑4. Advanced Settings

Setting Description

branchReflectorWarmedUpLayersManifestNumberLimit

Number of manifests to keep. Default is 50 manifests.

branchReflectorWarmedUpLayersEnumeratorReinitializationThreshold

Number of integrity tests to rerun on a layer. Default is 24enumerations. Mirage determines whether a layer is warmed upby using an integrity process. To conserve resources, this processdoes not run all the time. This setting constitutes the amount ofenumerations which have to run before integrity is rerun on analready warmed up layer.

branchReflectorWarmedUpLayersPercentThreshold

Percentage of the files in the cache that constitute a warmed uplayer. Default is 80%.


VMware, Inc. 211

Importing System Settings and LayersIf your current Mirage system deployment exceeds the maximum number of clients, you can plan to deployan additional Mirage system.

Deploying a replica environment when your deployment exceeds the maximum number of managedendpoints helps you to restore system or synchronize between several individual deployments. You canmigrate all the system settings and layers from your existing deployment to your new deployment. You canimport the Mirage system configuration and layers from the self-contained archive that was previouslyexported from your existing Mirage system. Use the command-line tool to make necessary changes to thedestination Mirage system by either overriding current configuration or adding new items to the Miragesystem. You can also use this tool to either restore your Mirage system to an earlier state or synchronizemultiple Mirage systems. For the synchronization, create an automated task to export settings from oneMirage cluster once a day and import them to the other clusters. If there is no change, this daily task doesnot impact the Mirage system. The import process also restores items that existed on both source anddestination Mirage systems and were deleted from the source.

You can import the following information and settings from the ZIP file that is exported from an existingMirage deployment:

n Common server configuration values

n Bandwidth limiting settings

n Driver libraries and profiles

n Factory and CVD policies

n USMT files

n Base layers

n App layers

Prerequisites

n Ensure that the exported settings are valid before they can be imported.

n Ensure that the destination location has enough free disk space (8 GB per base layer and 1 GB per applayer).

n The administrator must be aware of the risks of importing the settings (for example, Overwritingcurrent configuration, changing bandwidth limiting, and overwriting current USMT package) andprovide in-process inputs if necessary.

n The version of the source Mirage system and the destination Mirage systems must be the same.

Procedure

u To import the system configuration and layers from a self-contained archive, run the followingcommand.

C:\Program Files\Wanova\Mirage Management Server\Wanova.Server.Tools.exe

ImportSystemSettings -miragemgmtIp IP address -tempFolder c:\export\tmp -iniFile

c :\config.ini -archiveFile c:\export\MirageSettingsExport.zip

Where:

n -miragemgmtIp is followed by the IP address of the Mirage system to which you want to import thesettings .

n -tempFolder is followed by the path to the folder with the file to be imported is extracted.


212 VMware, Inc.

n -iniFile is followed by the path to the .ini answer file.

Note Create a .ini file using your text editor and add the following entries and toggle the valuesbetween true or false based on your requirements. Set the value of the parameters to true if you want toimport the settings. Set the value of the parameters to false if you do not want to import the settings. IfMergeContent is set to true, the imported settings are merged with the existing settings. If theMergeContent is set to false, the existing settings are overridden by the imported settings.

Note You must be aware of the settings in the .ini file because they might severely impact yoursystem configuration.

[BandwidthLimiting]

Import=true

MergeContent=true

[USMT]

Import=true

[Policy]

Import=true

[Driver]

Import=true

[CommonConfig]

Import=true

SkipKeys=key1,key2,key3

OverwriteKeys=key8,key9

MergeKeys=keyA,keyB,keyC,keyD

[Layers]

Import=true

n archivePath is followed by the path to the settings ZIP file exported from your existing Miragedeployment.

Restore the Mirage Management ServerYou can restore the Mirage Management server, without reference to Mirage servers.

When you need to restore the Mirage Management server, you need to reinstall only the MirageManagement server. For detailed instructions on installing a Mirage Management server, see theVMware Mirage Installation Guide.

Use the same fully-qualified name of the original Mirage Management server so that existing Mirage serverscan locate the Management server and connect to it.

Important Restore all Mirage storage volumes and the database at the same time, even if only a singlevolume or only the Mirage database needs to be restored.

Procedure

1 Restore the complete server system from a full disk image.

2 Start the server in Windows Safe Mode.

3 Set the VMware Server Service and VMware Management Service start type to Disabled.

4 Start the server normally.


VMware, Inc. 213

5 Run the following command: Wanova.Server.Tools.exe ResetPendingBI .

The ResetPendingBIIcommand stops the CVDs from downloading the pending base layers.

6 Set the VMware Server Service and VMware Management Service start type to Automatic.

7 Start the VMware server service and VMware management service.

Restore a Mirage ServerYou can restore a Mirage server, without reference to the Mirage Management server.

When only a single server needs to be restored and no Mirage storage or database is installed on thismachine, you need to reinstall only the Mirage server and point it to the Mirage Management server.

If the Mirage Management server was installed on the same machine, you need to reinstall the MirageManagement server before reinstalling the server.

For more information about installing the Mirage server and Management server, see the VMware MirageInstallation Guide.

Restore Mirage Storage Volumes and DatabaseYou can restore the Mirage storage volumes and database in a standalone or clustered environment, wherethe volumes and database are not co-hosted on the same server as the Mirage Management server.

Prerequisites

You must obtain the Server.Tools.zip package prior to installing the Mirage server. For information aboutobtaining the package, contact VMware Support.

Procedure

1 Verify that all Mirage servers and the Mirage Management server are stopped.

2 Restore all the storage volumes and the database from backup.

Make sure to restore to original UNC paths.

3 Copy the Server.Tools.zip to the server machine, extract the zip file, and run the following commandfrom any server machine: Wanova.Server.Tools.exe ResetPendingBI.

4 Start the Mirage Management server and all servers.

What to do next

If the UNC path was changed on any of the volumes, you must change the UNC path in the Edit Volumedialog box and mount the volume. See “Edit Storage Volume Information,” on page 91.

Restore a Standalone ServerRestoring a standalone Mirage server is suitable for small-scale, standalone server setups where thedatabase, storage and Mirage services are all co-hosted on the same server.

The procedure restores the complete Mirage server system from backup, including OS image, serversoftware, storage and database.

Procedure

1 Restore the complete server system from a full disk image.

2 Start the server in Windows Safe Mode.

3 Set the VMware Server Service and VMware Management Service start type to Disabled.

4 Start the server normally.


214 VMware, Inc.

5 Run the following command: Wanova.Server.Tools.exe ResetPendingBI .

The ResetPendingBIIcommand stops the CVDs from downloading the pending base layers.

6 Set the VMware Server Service and VMware Management Service start type to Automatic.

7 Start the VMware server service and VMware management service.

Export Grid Data to CSVYou can use this feature to export all of the data that is presented in the Web console grid to a CSV file. As anadministrator, you can export the CSV file to Microsoft Excel for further analysis.

You can export the data from the following grids:

n CVD inventory

n Pending devices

n Tasks

n Assignments

n Logs (all inner event tabs, including transactions and audit events)

n Layers

n Policies

n Collections

Procedure

1 Log in to you Web Management Console and navigate to the grid from where you want to export thedata.

2 Click the Export button on the upper right corner of the grid.

The CSV file containing all the data from the selected grid is saved on your system.

Upgrading from Previous Mirage VersionsYou can upgrade the Mirage system from earlier Mirage versions.

Upgrading the Mirage servers does not remove data from storage volumes that were connected to theMirage system.

Before You Start to Upgrade MirageBefore you begin the upgrade process, you must perform certain pre-upgrade steps.

Mirage uses a MongoDB database to store system data and small files, which improves performance. TheMongoDB files are created and stored on a dedicated path. Unlike previous Mirage versions, 5.3 and earlier,loss of system data stored in the MongoDB database can impact the entire system, including CVDs. VMwarerecommends that after you upgrade Mirage, you install an additional Mirage Management server.

If you are upgrading from Mirage 5.3 or earlier, when you install the Mirage Management server, you areprompted to specify a path for the MongoDB database files.

If you are upgrading from Mirage 5.4, when you install the Mirage Management server, you are notprompted to specify a path for the MongoDB database files. After you upgrade from Mirage 5.4, VMwarerecommends that you install an additional Mirage Management server to ensure data availability.


VMware, Inc. 215

Prerequisites

Verify that you have the following information available from the server config file.

n Database server name

n Credentials for the database server

n Mirage server cache directory location

n Cache size

Procedure

1 Stop Mirage services.

2 Back up the Mirage database.

n Double-click the C:\Program Files\Wanova\Mirage Management Server\sysreport_full.cmd file torun a full sysreport in Mirage

n Use SQL Server Management Studio.

3 Take snapshots of all Mirage storage volumes.

Use image-based block backup, not file-based backup.

4 If you cannot make a snapshot, create and run a backup job for each volume's directory using anyavailable backup program.

This process can take a significant amount of time to complete. The backup software must supportAlternate Data Streams (ADS). For best results, use block-based backup programs rather than file-levelbackup using ADS.

Upgrade from a Previous Mirage VersionWhen you upgrade Mirage, it is important to upgrade Mirage in a specific order.

Use the .msi files from the Mirage installation package to upgrade to the latest version of Mirage.

Prerequisites

n Ensure that you shut down the Mirage servers.

n Change the name of volume paths that contain non-ASCII characters.

Procedure

1 To upgrade the Mirage Management server, double-click the mirage.management.server.64x.buildnumber.msi file.

By default, the configuration settings you selected during the initial installation are applied. You canchange the configuration settings during the upgrade process.

2 To upgrade the Mirage server, double-click the mirage.server.64x.buildnumber.msi file.

By default, the configuration settings you selected during the initial installation are applied. You canchange the configuration settings during the upgrade process.

3 To upgrade the Mirage Web Management, double-click themirage.WebManagement.console.x64.buildnumber.msi file.

a When prompted provide the necessary configuration information.


216 VMware, Inc.

4 To upgrade the Mirage file portal, double-click the mirage.WebAccess.console.x64.buildnumber.msifile.

a Follow the prompts until you come to the Web Access Configuration page and provide the Webaccess configuration information.

Option Description

Web Access Select Web Access to provide access to only an end-user's user files, asdefined by the administrator, across all CVD snapshots. The Mirageclient user can access the Web Access feature to only download theirfiles at http://server:6080/Explorer.

Admin Web Access Select Admin Web Access to give the administrator full access to alluser CVDs across all CVD snapshots. The administrator can access theAdmin Web Access feature to download all files of any user athttp://server:6080/AdminExplorer.

By default, both the Web Access and Admin Web Access Web applications are configured for thefile portal. You can select not to configure either of these options by clicking the drop-down menuand selecting Entire feature will be unavailable.

5 To upgrade the Mirage Management console, double-click the .msi file for your environment.

Option Description

64-bit mirage.management.console.x64.buildnumber.msi

32-bit mirage.management.console.x86.buildnumber.msi By default, the configuration settings you selected during the initial installation are applied. You canchange the configuration settings during the upgrade process.


VMware, Inc. 217


218 VMware, Inc.

Troubleshooting 34Various troubleshooting mechanisms are available, including the CVD History view, Event log, and othersystem logs and reports.


n “CVD Events History Timeline,” on page 219

n “Problematic CVDs,” on page 219

n “Using Event and Other System Logs,” on page 220

n “Customize the Minimal Restore set,” on page 220

n “Generate System Reports,” on page 221

n “Generate System Reports Remotely,” on page 222

CVD Events History TimelineTo help you troubleshoot problems in a CVD, the Mirage Management console consolidates all the eventsduring a CVD’s life in a common timeline.

The following events are displayed in the CVD history view:

n Transaction log events

n Audit events

n Client system events

Procedure

1 Expand the Inventory node and select All CVDs.

2 Right-click the CVD name and select History > Timeline.

3 You can copy and paste information from the CVD History view for use elsewhere by using thestandard Windows key combinations Ctrl + C to copy, and Ctrl + V to paste.

Problematic CVDsIn the Mirage Management console you can view the CVDs that have open alarms.

There are five alarms that might be triggered for CVDs.

n Vss alarm

n Not enough disk space alarm (the Mirage client)

VMware, Inc. 219

n Not enough volume disk space (the Mirage server)

n Download failure alarm

n Upload failure alarm

You can view a list of the CVDs with open alarms on the Problematic CVDs node in the MirageManagement console. Alternatively, in the CVD Inventory grid view, CVDs with open alarms display a redbell icon.

A CVD can only have one open alarm at a time.

Using Event and Other System LogsThe Mirage Management console provides a range of system logs, including the Event log, Transaction log,and the Manager Journal, which records audit events.

The Mirage Management console includes the following logs:

Table 34‑1. Management Console Logs

Log Description

Event Log Lists important system events as propagated from the server and clients.

Transaction Log Records logical operations between the Mirage server and client. You can use the transactionlog to monitor the progress of updates coming from and to the server. See “UsingTransaction Logs,” on page 195.

Manager Journal Collects and tracks audit event history.An audit event is created for any administrator action that results in a system setting orconfiguration change. This includes actions performed using the Management console orthrough a CLI. Read-only actions do not create audit events. Audit events provide theoperation time, name, and details, and the user name.

Customize the Minimal Restore setYou can customize the minimal set of files that must be restored to an endpoint so that it can reboot to theCVD and work online. The Minimal Restore set generally includes the organization VPN, antivirus, firewallapplications, and driver store.

Minimal restore sets can be static or dynamic.

Table 34‑2. Minimal Restore Set Types

Minimal Restore Set Type Description

Static Minimal Restore Set A static list of files created by the administrator and placed in an XML file thatis fetched during the restore operation. The files restored provide the endpointwith the minimum environment required to boot to a CVD. The static list isused for all endpoint devices in the system.

Dynamic Minimal Restore Set This is a CVD-specific list of files that is acquired during normal CVD use. Thelist is built on each boot and captures the system, applications, and user filesover a short time period after booting. A separate dynamic restore set iscreated for each CVD in the system and is used in conjunction with the staticminimal restore set when a restore is performed.

The procedure describes how to customize the minimal set.

You can remove the minimal set using this procedure with the command removeMinimalSet. When thiscommand is run, the entire CVD content is downloaded prior to the restore and online streaming is notused.


220 VMware, Inc.

You can revert to the original (default) VMware minimal set. The file is located at: C:\ProgramFiles\Wanova\Mirage Server\MinimalSet.xml.

You can used the same file as basis for further customization, such as adding the corporate antivirus andVPN files.

Important The procedure describes how to modify critical Mirage configurations using the CLI. Followthese steps carefully, as serious problems can occur if the CLI is used incorrectly.

Prerequisites

You must be authenticated as a member of a group with access to the Mirage Management console. See “Managing Role-Based Access Control and Active Directory Groups,” on page 228.

Procedure

1 On the Start menu, click Run, type cmd, and click OK.

2 In the Command window, type: cd Mirage Server program files path\

For example, C:\Program Files\Wanova\Mirage Server and then press Enter.

3 Type Wanova.Server.Cli.exe localhost and press Enter.

The Mirage server management console starts running.

4 To export the minimal restore set, type: getminimalset path to output file.

5 Edit the file using an XML editor.

6 Add the modified file to the minimal set, using the following command:addMinimalSet path to XML file and press Enter.

Note Executing this command overrides any existing static minimal set.

A message appears confirming that the Static Minimal Set was added successfully.

7 To view the minimal set, type printMinimalSetand press Enter.

8 Type Exit and press Enter to exit the Command window.

Generate System ReportsYou can use the System Report Utility to collect internal system log files, relevant registry entries, event logs,system information, and configuration information to troubleshoot issues that you might run into.

You can generate several types of system reports.

Table 34‑3. Available Report Types

Report Description

Full report Collects the most comprehensive set of system logs, registry information, and systeminformation. While helpful in troubleshooting confirmed problems, this report can bevery large (containing several hundreds of MB of data), and is used only by specialrequest from VMware Support.

Medium report Used most frequently, this report type collects a limited set of system logs and systeminformation. It is faster to generate and more resource efficient than the full report.

Logs only report Returns a minimal set of log entries. Usually used in early troubleshooting stages todetermine next steps.

Prerequisites

Log in as an administrator.

Chapter 34 Troubleshooting

VMware, Inc. 221

Procedure

1 Run the report.

Option Action

From a server Run the sysreport batch file from the Mirage install directory, forexample: C:\Program Files\Wanova\Mirage Server, and run therequired script:n Full Report: sysreport_full.cmdn Medium report: sysreport_medium.cmdn Logs only report: sysreport_logs_only.cmd

From a client Right-click the Mirage icon in the notifications area, select Tools, and selectthe report you want.

The sysreport commands can be CPU-intensive, especially on the server, so an intermediate impact isgenerally expected. A CAB file containing all the logs is created at c:\sysreport-MMDDYYYY-HHMM-ComputerName.cab.

2 Generate a system report for the Mirage Gateway server.

Option Description

sudo /opt/MirageGateway/bin/sysreport_logs

Collects logs that include Mirage Gateway logs, and Mirage Gatewayperformance logs.

sudo /opt/MirageGateway/bin/sysreport_full

Collects logs that include Mirage Gateway logs, Mirage Gatewayperformance logs, and system logs.

A ZIP file containing all the logs is created at ComputerName.MMDDYYYY-HHMMSS-logs.zip.

Generate System Reports RemotelyYou can save system reports from any device attached to the Mirage server.

The reports can be saved to a UNC path or sent to an FTP site.

Important Consider your privacy and regulatory requirements before sending support data to VMware.Log files, system reports and support data generated in order to obtain support from VMware may containsensitive, confidential or personal information, including file and folder names and information aboutinstalled programs and user settings.

Procedure


2 Right-click the CVD for which you want to generate a report and select Device > Generate SystemReport.

3 Select system report.

Option Description

Full Includes all logs and collectable information from this endpoint.

Medium Includes the logs and some additional information.

Logs Generates a report of only the basic logs for this client.


222 VMware, Inc.

4 Specify either the UNC path or FTP Server details.

Option Action

UNC Select the Remote Share radio button and type the UNC path.

FTP Select FTP server and type the server name, user name, and password.

5 Click OK.

Chapter 34 Troubleshooting

VMware, Inc. 223


224 VMware, Inc.

Advanced Administration Topics 35Advanced topics serve to supplement information provided in the VMware Mirage Administrator's Guide.


n “Mirage and SCCM,” on page 225

n “Setting Up the SSL Certificate in Windows Server,” on page 226

n “Using Microsoft Office in a Layer,” on page 228

n “Managing Role-Based Access Control and Active Directory Groups,” on page 228

n “Macros in Upload Policy Rules,” on page 231

Mirage and SCCMWhen you capture a base layer for Windows 7, Windows 8.1, or Windows 10 migration using MicrosoftSystem Center Configuration Manager (SCCM), certain preparatory steps must be performed.

The reference machine must not be rebooted, and the ccmexec service must not be restarted during the timebetween performing the procedure and capturing the base layer.

Regular base layer updates do not require these steps, as this is already handled by Mirage.

Procedure

1 If SCCM client is not yet installed, manually install the client following the instructions at http://technet.microsoft.com/en-us/library/bb693546.aspx.

Do not specify a SCCM site code for the client in the CCMSetup.execommand-line properties(SMSSITECODE parameter).

2 Stop the SMS Agent Host service (net stop ccmexec).

3 Use ccmdelcert.exe to delete the SMS certificates. ccmdelcert.exe is available as part of the SystemsManagement Server 2003 Toolkit, and is also attached to the wiki page.

4 Delete c:\windows\smscfg.ini if it exists.

5 Capture a base layer.

Do not reboot or start the ccmexec service. Otherwise you must repeat this procedure.

VMware, Inc. 225

http://technet.microsoft.com/en-us/library/bb693546.aspx

Setting Up the SSL Certificate in Windows ServerFor environments with multiple Mirage servers where SSL is required, you must enable SSL and install theSSL certificate for each server.

Enabling SSL involves setting up the SSL certificate in Windows Server on Mirage servers, which includesgenerating the certificate signing request (CSR), requesting the CSR, and installing the signed certificate.

In a multiserver setup, the SSL certificate setup for Windows Server must be repeated for each installedMirage server.

Generate the Certificate Signing RequestWhen you set up an SSL certificate, you must first generate the certificate signing request.

Procedure

1 Add and configure the Certificates snap-in:

a On the server, open the Mirage Management console.

b Select File > Add/Remove Snap-in.

c Add Certificates.

d Specify that the snap-in will manage certificates for the Computer account and click Next.

e Verify that This snap-in will always manage Local computer is selected and click Finish.

f Click OK.

2 Select the Certificates node in the console root, right-click Personal store and select All Tasks >Advanced Operations > Create Custom Request.

3 Verify the information on the Custom Request page, select Proceed without enrollment policy.

a On

Option Description

Custom Request Select Proceed without enrollment policy.

Template and Request Format Accept the default settings for the CNG Key and PKCS #10 text boxes.

Certificate Information Click Details for the Custom Request and click Properties.

4 Click the General tab and type a certificate-friendly name.

You can use the same name as the subject name.

5 Click the Subject tab, and in the Subject Name area, provide the relevant certificate information.

Option Description

Common name, value Server FQDN. This is the certificate subject name that is used in the Mirageconfiguration to find the certificate. The FQDN must point to that serverand is validated by the client upon connection.

Organization, value Company name, usually required by the CA.

Country, value Two-letter standard country name, for example, US or UK. Usuallyrequired by the CA.

State, value (Optional) State name.

Locality, value (Optional) City name.


226 VMware, Inc.

6 Click the Extensions tab and select the key use information from the drop-down menus.

Option Description

Key Usage Select Data Encipherment.

Extended Key Usage Select Server Authentication.

7 Click the Private Key tab and select key size and export options.

Option Description

Key Options Select the required key size (usually 1024 or 2048).

Make Private Key Exportable Select to export the CSR, and later the certificate, with the private key forbackup or server movement purposes.

8 Click OK to close the Certificate Properties window, and click Next in the Certificate Enrollment

wizard.

9 Leave the default file format (Base 64), and click Browse to select a filename and location of where tosave the CSR.

The certificate request is completed.

10 Click the Certificate Enrollment Requests & Certificates tab, and click Refresh.

You can export the CSR with the private key for backup purposes.

What to do next

After you generate the certificate signing request, you submit the certificate request. See “Submit theCertificate Request,” on page 227

Submit the Certificate RequestAfter you generate the certificate signing request, you submit the request.

Procedure

1 Go to the external CA Web site and click Request a certificate.

2 On the Request a Certificate page, select advanced certificate request.

3 On the Advanced Certificate Request page, select Submit a certificate request using a base-64-encodedCMC or PKCS #10 file or submit a renewal request by using a base-64-encoded PKCS #7 file.

4 Open the csr.req file with a text editor and copy the text.

5 Paste the CSR text in the Base-64-encoded certificate request text box.

6 Select Web Server from the Certificate Template drop-down menu and click Submit.

7 On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.

8 When prompted, select Save As, type the file name, and save the certificate as a .p7b file.

Install the Signed CertificateWhen the CA sends you the signed certificate file (.cer or .crt), go back to the certificates snap-in andinstall the signed certificate.

Procedure

1 On the server, open the Mirage Management console.

2 Select the Certificates node in the console root, right-click Personal store and select All Tasks > Import.

Chapter 35 Advanced Administration Topics

VMware, Inc. 227

3 Browse to the signed certificate file and select it.

4 Select System Auto Selection or Personal Store for the certificate.

5 Follow the prompts to complete the import.

6 Click the Personal Certificates tab and click Refresh to load current details.

7 Open the certificate and verify that it states that you have the private key.

8 Click the Certification Path tab and check that you have all of the certificates in the chain and that novalidity warnings or missing certificates are present.

Using Microsoft Office in a LayerYou can capture Microsoft Office in a base layer or app layer, and deploy Microsoft Office as part of a baselayer or app layer.

You cannot deliver different versions of Microsoft Office in the same layer assignment.

When you deploy a base layer or app layer that has Microsoft Office, to a machine that already has one ormore versions of Microsoft Office installed, the base layer or app layer must include the Microsoft Officeshared components of the Microsoft Office versions that are already installed on the machine. MicrosoftOffice shared components are Microsoft Office shared features and Microsoft Office tools. Each base layer orapp layer must have the shared features from all versions of Microsoft Office that exist in your organization.

When you prepare a reference machine, verify that you install the earlier versions of Microsoft Office beforethe later versions.

If you upgrade to a later version of Microsoft Office, and end users have specific applications, such asMicrosoft Visio, installed on their endpoints, verify that those applications are also installed in the newlayers so that those applications function on the endpoints.

During the layer capture process, Mirage prompts you for the Microsoft Office Suite license key, as well aslicenses for every other activated Microsoft Office application on the reference machine, such as MicrosoftVisio, and Microsoft OneNote. When you deploy the layer to an endpoint, these Microsoft Office keys areused when delivering Microsoft Office. This is done to preserve the licensing for an existing version ofMicrosoft Office and helps prevent problems with Microsoft Office and Microsoft Visio licensing.

Note When capturing a base layer or an app layer that contains office products using the webmanagement, enter the license key information using the Licence Keys button after the layer has beencaptured.

Managing Role-Based Access Control and Active Directory GroupsAn administrator can use dynamic role-based access control (RBAC) to define which users can performwhich operations in the system. You can grant a role to one or more Active Directory (AD) groups. TheMirage server identifies users by AD group membership and automatically assigns them roles in the Miragesystem.

A user can have only one active role at a time. If the user’s group is assigned to more than one role, the userinherits the superset privileges of all assigned roles.

Each role is mapped to a set of actions the user can perform in the system, such as managing CVDs, baselayers, users, groups, and events, as well as viewing the dashboard and other system information.

You can define additional custom roles to suit various company processes.

Role DefinitionsYou can define role-based access to specific users for several actions in the system.


228 VMware, Inc.

Table 35‑1. System Actions for which Role-Based Access can be Defined for a User

Action Description

View dashboard View the dashboard.

View server status View the server status node. If not applicable, the server status appears as an emptylist.

View tasks View the tasks list in the Task Monitoring node.

Manage tasks Delete running tasks.

View CVDs View the CVD inventory.

Manage CVDs Delete a CVD, assign a base layer to a CVD, enforce a base layer, assign a policy to aCVD, and revert to snapshot.

Support CVDs Enforce base layer, set driver libraries, revert CVDs. confirm restore, and edit CVDcomments.

Manage collections Create and remove collections.

Manage collections CVDs Add and remove CVDs from a collection.

View CVD policies View CVD policies.

Manage CVD policies Edit, create, and delete CVD policies. This role requires the view CVD policies role.

View devices View the devices in the device inventory and the pending list.

Manage devices Assign a device to a CVD, reject a device, restore a device, remove a device, suspend adevice, and synchronize the device with the CVD.

Support devices Suspend and resume devices, collect sysreports, restart a device, and run the SyncNow procedure on a device.

View layers View the layers that are assigned to different devices.

Manage layers Create layers, delete layers, cancel layer assignment , and update layer data (name,details).

View ref CVDs View the reference CVD inventory.

Manage ref CVDs Assign a reference device to a reference CVD, assign a base layer to a reference CVD,assign a policy to a reference CVD, and delete a reference CVD.

View base layer rules View the image rules.

Manage base layer rules Add new rules, remove rules, test base layer draft rules, and set new default baselayer rules.

View driver library See the driver profiles and driver folders and their details in the driver library

Manage driver library Add drivers to the driver folders and create new driver profiles, and modify existingdriver folders and libraries.

View reports View the generated reports.

Manage reports Create reports and delete reports.

View events View the events under the Event log and Manager Journal.

Manage events Delete, acknowledge, and reinstate events.

View transactions View transactions.

View users and roles View the Mirage users and their roles.

Manage security roles Modify user access roles.

Manage security groups Modify the security groups' settings.

View configuration View system configuration settings, cluster configurations, server and volumesconfigurations.

Manage configuration Modify system configuration settings.


VMware, Inc. 229

Table 35‑1. System Actions for which Role-Based Access can be Defined for a User (Continued)

Action Description

Manage minimal restore set Modify the minimal restore set.

Access CVDs via admin fileportal

View CVDs in the file portal.

Predefined User RolesMirage includes predefined Administrator, Desktop Engineer, and Helpdesk user roles.

Table 35‑2. Predefined User Roles

User Role Access Permission

Desktop Engineer role Perform all system operations except base layer management, user management, and rolemanagement. You can customize the default privilege set for the Desktop Engineer role.

Help Desk Provides information about the Mirage client user device in order to respond to servicequeries. Access with the Help Desk role displays the Select User and Device page by default..

Image Manager Captures and assigns base layers and app layers to CVDs. The Image Manager roleprovisions new devices with a specified image.

Protection Manager Provides detailed information of the Mirage system. Users with the Protection Manager rolecan update the Mirage system to protect Mirage end-user devices.

Administrator A super-set of all Mirage operations.

Add a New User RoleYou can add a new user role.

Procedure

1 In the Mirage Management console tree, right-click Users and Roles and select Add a Role.

2 Type the role name and description, and click OK.

By default, the new role does not have any privileges until they are assigned by the administrator.

Edit an Existing User RoleYou can edit an existing user role.

Procedure

1 In the Mirage Management console tree, click Users and Roles.

2 Edit the role check boxes in the right pane as required and click Save.

Assign an Active Directory Group to a User RoleYou can assign an Active Directory (AD) Group to a role.

A group cannot be added to two different roles.

The role view is not auto-refreshed.

Procedure

1 Expand the Users and Roles node, right-click the required user role, and select Add a Group.

2 Type the group name in the Group Name text box, using the following syntax: domain\group.


230 VMware, Inc.

Macros in Upload Policy RulesMacros assist specification of various Mirage directory paths addressed by policy rules. For example, macrosallow Mirage and the administrator to handle cases when some endpoints have Windows in c:\windowsand some in d:\windows. Using macros and environment variables makes sure Mirage backups importantfiles regardless of their specific location.

For information about upload policy rule specification, see “Add or Edit Upload Policy Rules,” on page 22.

System DirectoriesThe following macros are supported for system directory paths:

Table 35‑3. System Directory Macros

Macro Description

%systemvolume% The system drive letter followed by a ":".

%systemtemp% The Windows system temp directory.

%windows% The Windows directory.

%Anyvolume% Expands to multiple rules, one per drive letter.

%documentsandsettings% Expands to one rule of the path that contains the user profiles.

%programfiles% The program files directory, including support for localized Windows versions,and the Program Files (x86) in 64-bit.For example:C:\Program Files

C:\Program Files (x86)

%systemdir% The Windows system directory.

Profile DirectoriesThe following macros are supported for profile directory paths:

Table 35‑4. Profile Directory Macros

Macro Description

%anyuserprofile% Expands to multiple rules, one per any user profile, including both local userprofiles and domain user profiles.For example:C:\Windows\system32\config\systemprofile

C:\Windows\ServiceProfiles\LocalService

C:\Windows\ServiceProfiles\NetworkService

C:\Users\User1

%domainuserprofile% Expands to multiple rules, one per any domain user profile.

%localuserprofile% Expands to multiple rules, one per any local user profile.


VMware, Inc. 231

Table 35‑4. Profile Directory Macros (Continued)

Macro Description

%anyuserlocalappdata% All the users local app data directories.For example:C:\Windows\system32\config\systemprofile\AppData\Local

C:\Windows\ServiceProfiles\LocalService\AppData\Local

C:\Windows\ServiceProfiles\NetworkService\AppData\Local

C:\Users\User1\AppData\Local

%anyusertemp% All the user’s TEMP directories.For example:C:\Windows\system32\config\systemprofile\AppData\Local\Temp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp

C:\Users\User1\AppData\Local\Temp

Special Profile DirectoriesThe following macros are supported for special profile directory paths, not included in the profiledirectories:

Table 35‑5. Special Profile Directory Macros

Macro Description

%ProgramData% The special Application data directory under the All Users directory.

%defaultuserprofile% The special Default User directory.

%builtinuserprofile% Expands to multiple rules, one for each built-in user profile (not including localor domain users).For example:C:\Users\Public

C:\Windows\system32\config\systemprofile

C:\Windows\ServiceProfiles\LocalService

C:\Windows\ServiceProfiles\NetworkService

%localserviceprofile% The special “local service” directory.

%Anyuserroamingappdata% The roaming application data directory is calculated by appending the roamingapplication data suffix to the user profile directory. This suffix isAppData\Roaming in Windows 7 and Application Data in Windows XP.For example:C:\Windows\system32\config\systemprofile\AppData\Roaming

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming

C:\Users\User1\AppData\Roaming

%Anyusertempinternetfiles% All the user's temp internet directories on the machine.For example:C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files

C:\Users\User1\AppData\Local\Microsoft\Windows\TemporaryInternet Files

%anydesktopshellpaths% All the directories below.

%desktop% All the user’s desktop directories in the machine.


232 VMware, Inc.

Table 35‑5. Special Profile Directory Macros (Continued)

Macro Description

%favorites% All the user's favorites directories in the machine.

%videos% All the user's Video directories in the machine.

%pictures% All the user's pictures directories in the machine.

%documents% All the user's documents directories in the machine.

%music% All the user's music directories in the machine.

%skydrive% All the user's Microsoft OneDrive directories in the machine.


VMware, Inc. 233


234 VMware, Inc.

Managing View Desktops with Mirage 36Mirage lets administrators use Mirage base and app layering capabilities to manage full-clone, dedicatedassignment View desktop machines.

With Mirage, a View administrator of a large scale environment can automatically update operating systemand infrastructure software, add and remove application layers, and fix software problems. Users in Viewpersistent desktop pools with Mirage image management can preserve user data customizations and userinstalled applications through Mirage image updates.

Desktop devices undergoing a Mirage layer update require more resources than usual. Mass imagemanagement operations can affect user experience for users in an updated pool and in neighboring poolswith which it shares resources. To diminish this effect, Mirage must limit the level of concurrency when youperform image management operations in the View pool. An administrator can control the concurrent levelthrough the concurrency value, which controls the effect Mirage has on the ESX resources.

Supported ConfigurationsMirage supports the following View configurations.

n Full-clone, dedicated assignment desktop pools

n View Persona management is not supported with Mirage.

Supported Mirage OperationsThe following Mirage operations are supported with View:

Table 36‑1. Supported Mirage Operations in View

Mirage Operation Supported with View

App layer assignment Yes

Base layer assignment Yes

Enforce layers Yes

Apply driver library Yes

Centralization No

File Portal No

HW migration No

Endpoint provisioning No

Restore No

Revert to snapshot No

VMware, Inc. 235

Table 36‑1. Supported Mirage Operations in View (Continued)

Mirage Operation Supported with View

Steady state uploads No

Windows OS migration No

Behavior of Mirage CVDs with the View PolicyCVDs that use the View optimized policy have special characteristics.

No data protection The corresponding devices do not upload files to the data center. You cannotrevert the devices to a Mirage snapshot or restore user files to previousversions. Mirage only periodically uploads metadata about these devices, forexample the list of installed applications.

No WAN optimizations To improve performance for managing View pools, Mirage disables mostWAN optimizations for these CVDs because they are generally hosted in thesame data center as the Mirage server.


236 VMware, Inc.

Calculate CVD Compliance Score ForUser Installed Apps 37

You can set the CVD compliance score to reflect changes in user installed applications, providing bettervisibility of unmanaged software running on the endpoints. The CVD compliance score is affected if theuser install application are not managed by Mirage. This optional method to calculate the CVD compliancescore can used only when configured.

To configure the method to calculate the CVD compliance score, run the following command:

wanova.server.Cli.exe localhost setConfigParam uiaCompliance true

When User Installed Compliance is enabled, CVD compliance score takes into account all apps that areinstalled on the endpoint (both user-installed apps and Managed apps that are delivered via Mirage layers).To explain this, the following parameters are defined:

n Machine Manage Application (Machine_MA) = Applications that are currently installed on end pointand are also part of the assigned base or app layer.

n User Installed Applicaiton (UIA) = Number of apps that are not managed (not included in the assignedbase or app layers).

n CVD Managed Applications (CVD_MA) = Total number of applications that are assigned to the CVD bybase and app layers.

When User Installed Compliance is enabled, CVD compliance score calculation is: Machine_MA /(CVD_MA+ UIA)

In this mode, compliance score can drop in two cases:

n When end-user removes managed applications (delivered via Mirage layers).

n When end-user installs additional applications that are not part of Mirage base or app layers.

For example, a CVD assigned with a base layer containing ten line of business apps, while the end userinstalled additional two apps show a compliance score of 83% (10/12).

VMware, Inc. 237


238 VMware, Inc.

Index

Aabout this guide 9activating endpoints 17Active Directory groups and role-based access

control 228, 230advanced administration topics 225app layer, capturing 127app layer assignment

cancel assignment in progress 147detect potential effects 145monitor assignment progress 147procedure 146testing before distribution 145

app layer capturecapture overview 127capture procedure 129multiple layer capture 134OEM software in app layer 133post-app layer deployment script 134procedure 130, 131reference machine 128what you can capture 132

app layer definition 109app layers, Mirage PowerCLI 67archive CVDs

assign to a device 26manage CVDs in the archive 25move to another volume 25

assigning a base layer, Mirage PowerCLI 65assigning base layers, Mirage PowerCLI 64audit events in Manager journal 220authenticating, Mirage Gateway server 44

Bback up servers and Management server 207bandwidth limitation, rules 41bare metal provisioning, re-partitioning 159base layer

and BitLocker support 111and system-level software 111and user-specific software 111and endpoint security software 111and OEM software 111and software licensing 111capturing 119

hardware considerations 111recreate reference machine from 117

base layer assignmentassign to a previous layer version 141detect potential effects of layer

change 135–137enforce layers on endpoints 142monitor assignments 141software conflict correction 142testing before distribution 138

base layer definition 109base layer assignment procedure

cancel assignment in progress 140monitor progress 140

base layer capturecapture procedure 119override rule examples 123override registry values and keys 124post-base layer deployment script 124rules 120

base layer capture rulesset default rule set 122test 121, 122view and create rules 120

base layer capture override rules, add overriderule set 122

base layer override rule examplesavoid losing local customization 123avoid shared component incompatibility 123

BitLocker support in base layers 111boot images, PXE server 153bootable USB keys

create 175customize 177how to use 177

branch reflectorsconfigurable values 97configuration 97default values 97disable peering service 98enable branch reflector 96IP detection and proximity algorithm 95matching process 95pause 98peer clients, accept or reject 98select clients to be branch reflectors 96

VMware, Inc. 239

server network operations 99settings in system configuration 44

branch reflector tool 208branch reflector download monitoring

connected peer clients 101CVD associations 100peer client transactions 101show potential branch reflectors 102

branch reflector query tool 210

Ccentralization progress, report 197centralize endpoints

by administrator 18by end-user 17

certificate, updating 73certificates, Mirage Gateway 74client status, access 29cmdlets 55comparison report

base layer assignment 136, 137potential effects of app layer 145potential effects of base layer 135

configuration filesMirage Gateway 78protection 203

configure the system, See system settingsconfiguring, file portal 45Corporate Image Compliance 143creating layer groups 161Customer Experience Improvement Program

cancelling 51data collection 49joining 51registering 49

CVDarchive, See archive CVDsautocreation 44events history timeline view 219file portal end-user mapping 34settings 45snapshot generation and retention 46view files in CVD with file portal 33

CVD Integrity report 197, 199CVD collection

add dynamic collection 24add dynamic using Active Directory 24static collection management 23

CVD Compliance Score 237CVD file compliance tool 165CVDs, alarms 219

Ddashboard statistics 193data protection status, report 197database and volumes restore 214desktop deployment monitoring 193detect potential effects of layer change 135–137device provisioning, PowerCLI 61directory-level restore 30disaster recovery, See endpoint disaster

recoverydrivers

and base layers 111and folder management 84–86driver library 83driver library architecture 83driver profile management 86import drivers to folders 85

Eend-user operations

directory-level restore 30file-level restore 29Snooze to suspend synchronization 31Sync Now to resume synchronization 31view files in CVD with file portal 33

endpoint provisioning 143endpoint disaster recovery

bootable USB keys 174reconnect a device to a CVD 178restore process experience 178restoring Windows 8 devices 173

endpoint disaster recovery, restore to a CVDafter device loss 170, 171after hard drive replacement or format 170specific files from a CVD snapshot 169

endpointsactivate 17centralize by administrator 18centralize by end-user 17centralizing 56, 57endpoint provisioning 143

enforce layers on endpoints 142Event log 220events history timeline for a CVD 219Export 208exporting, layer groups 162exporting bandwidth limitation rules 41

Ffile portal

allow access to 33configuration in system settings 44configuring 45


240 VMware, Inc.

download folders and files 35end-user CVD mapping 34securing 37view files 34

file-level restoredeleted file from Recycle Bin 30previous file version 30

GGateway server

configuring 72removing 81

Grid Data 215

Hhardware drivers, See drivers

Iimage management overview 109importing, layer groups 162importing bandwidth limitation rules 41IP detection and proximity algorithm 95

JJoin Domain Account settings 45

Llayer dry run report 198layer groups

creating 161exporting 162importing 162

layer management life cycle 109layers, capturing base layers 119licenses for Mirage 43licenses for Microsoft Office upgrade in

layer 228load balancing framework 106logs, See system logs

Mmacros in upload policy rules 231maintain the system

servers, Management server, andvolumes 207

upgrade Mirage version 215Management server restore 213Manager journal 220managing View desktops, supported

configurations 235Microsoft Office licenses in layer 228Microsoft System Center Configuration Manager,

See SCCM

migrate to Windows OS, See Windows OSmigration

migrate users to different hardwarea user CVD to another device 181many user CVDs 183

minimal restore set, customize 220Mirage

accounts 205administration 9configuration files 203log files 204PowerCLI 53, 54PowerCLI installation 54security 201, 205servers 105

Mirage Gatewaycertificate 74certificates 73configation files 78manual registration 74protecting 75

Mirage Gateway serverauthenticating 44MMC 81troubleshooting 79, 81

Mirage PowerCLIassigning a base layer 64, 65centralizing endpoints 56, 57cmdlets 55migrating OS 58provisioning 61updating an app layer 67updating app layers 67

monitor system statusdashboard statistics 193Transaction log 195

mount volumes 92multiple servers, See serversmultiple volume deployment, See volume

deployment

Nnetwork client throttle mechanism 31

OOEM software

in app layer 133in base layers 111

OS migration 58, 59OS migration progress, report 197

Index

VMware, Inc. 241

Ppending assignment devices

reinstate using Remove 19reject 19

ports and protocols 201potential branch reflectors 102PowerCLI

cmdlets 53, 54installing 54Mirage 54vSphere 54

provision, bare metal 149, 155provisioning, See endpoint provisioningprovisioning a device, self-service

provisioning 161, 162

Rreassign users to different hardware, See

migrate users to different hardwarereference machine for app layer capture 128reference machine for base layer capture

data selection 116recreate from a base layer 117setup 115software considerations and settings 116

registry value override in base layer capture 124rejected devices, reinstating 19reports

centralization progress 197CVD integrity 197, 199data protection status 197layer dry run 198OS migration progress 197system reports 221, 222

restorecustomize minimal restore set 220Management server 213restore process experience 178servers 214specific files from a CVD snapshot 169standalone server 214storage volumes and database 214

restore device to a CVDafter device loss 170, 171after hard drive replacement or format 170specific files from a CVD snapshot 169

restore filesdeleted file from Recycle Bin 30directories from a CVD 30files from a CVD 29previous file version 30

restoring, Windows 173

retention policyCVD snapshots 46transaction records 195

role-based access control (RBAC) 228rules for base layer capture 120

SSCCM client migration preparation 225scripts for

post-app layer deployment operations 134post-base layer deployment operations 124post-Windows OS migration operations 190

secure socket layer communication, See SSLsecure sockets layer, See SSLsecurity, file portal 37security settings 201self-service provisioning 161, 162server, Mirage Gateway 71servers

add another server 105information 105load balancing integration 106multiple server scenario 103network operations with branch reflectors and

clients 99parameters 104remove from system 106restore 214restore standalone server 214stop or start server service 105VMware Watchdog service 106

servers and Management serverback up 207maintenance 207

show potential branch reflectors 102single-instance storage integrity, See SISSIS volume integrity procedure 93snapshot generation and retention 46snapshots kept 45Snooze to suspend synchronization 31software in base layers

conflict correction 142endpoint security 111licensing 111OEM 111system-level 111user-specific 111

SSLinstall the SSL certificate 48server SSL configuration 48

SSL certificate setup 226, 227storage volume, parameters 90storage volumes, See volume deployment


242 VMware, Inc.

Sync Now to resume synchronization 31system dashboard 193system monitoring, See monitor system statussystem reports 221system settings

access 41branch reflector settings 44CVD auto creation 44file portal 44general system settings 45licenses for Mirage 43SSL configuration 47USMT setting import 43

system components 11system logs

audit events in Manager journal 220events 220Transaction log 220

system maintenance, See maintain the systemsystem requirements, ports and protocols 201System Settings and Layers 212

Ttesting

app layers before distribution 145base layers before distribution 138layer capture rules 121

Transaction log, record retention policy log 195troubleshooting 219

Uunblock volumes 92unmount volumes 91update app layer, See app layer assignmentupdate base layer, See base layer assignmentupdating an app layer, Mirage PowerCLI 67updating app layers, Mirage PowerCLI 67upgrade Mirage version

before you start 215upgrade procedure 216

upload policiesadvanced options 22parameters 20upload policy management 20, 21upload policy rule macros 231upload policy rule management 22

USMT setting import 43

VView desktops, managing with Mirage 235virtual machine

and base layer 111multiple app layer capture on 134

VMware Watchdog service, configuration 106

volume deploymentadd volumes 90block volumes 92edit volume information 91maintain volumes 93mount volumes 92remove volumes 91restore volumes and database 214SIS volume integrity procedure 93unblock volumes 92unmount volumes 91volume information 89

volume settings 45volume reactivation, See mount volumes

WWake on LAN 99Wake-on-LAN 100Watchdog, See VMware Watchdog serviceWeb Console Certificate 73Windows, restoring 173Windows 8 devices, restoring 173Windows Deployment Service

installation 151, 152Microsoft PowerShell 152Windows server manager 151

Windows OS 186Windows OS migration

in-place migration to same machine 187, 188migration to replacement devices 189monitor the migration process 190post-migration operations using a script 190

WinPE image 149, 155

Index

VMware, Inc. 243


244 VMware, Inc.