Monthly Archives: May 2015

Private VLANs with Distributed vSwitch & Extreme Networks Switches

I came across this just this week while working on a virtual desktop deployment. One of the requirements is to disallow virtual desktops in the same subnet from talking to each other. The most efficient way to do this was to make use of Private VLANs and put the desktops in an Isolated PVLAN. It was relatively easy to configure this on the distributed switch in vCenter Server. Please check out this KB article (1010703) if you need some guidance.

Just to help illustrate in this post, the Primary Promiscuous PVLAN was defined to be 100, and the Secondary Isolated PVLAN, 101.

Now, just making the configuration on the Distributed vSwitch is not enough. We have to make sure that the physical network is also PVLAN aware, and knows the relationship between 100 and 101. Why, you may ask? Simply because anything in PVLAN 101 must be able to talk to anything in PVLAN 100 across all the hosts. The physical switches must be able to move these packets between hosts to make this happen. Additionally, the physical switches must honour the isolation requirement for PVLAN 101. So it is logical that some configuration is needed on the physical switches.

It was probably the first time the network engineer had worked on PVLANs, and I had to give him the above explanation to convince him that there was something he needed to do on the physical side.

The environment had a pair of Extreme Networks switches. I have had no prior experience with these and found 2 pieces of information to work with the Network Engineer.

We studied the materials and did some testing, and finally got the minimal settings needed to get things working.

The KB article had steps which we discovered to be unnecessary. Below is an example of what was applied for PVLAN to be fully operational.

create vlan VDIPri
# XXXX are the ports connected to the ESXi hosts
configure vlan VDIPri add port XXXX
configure vlan VDIPri tag 100
create vlan VDIDesktops
configure vlan VDIDesktops add port XXXX
configure vlan VDIDesktops tag 101

# At this point the VLANs have simply been created, tagged and associated with the relevant ports
create private-vlan VDIPrivate
configure private-vlan "VDIPrivate" add network "VDIPri"
configure private-vlan "VDIPrivate" add subscriber "VDIDesktops"

That’s all. In the KB article and documentation, there were additional commands for “translation” which we learnt were not needed in our case.
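A quick way to check that a switch configuration really carries the 100/101 relationship described above. This is an added example, not part of the original post or any vendor tooling: it parses only the command forms shown in this post, and the port list `1-4` and the function names are assumptions made for the sample.

```python
import re

# Constructed sample: the commands from this post with a placeholder port list.
SAMPLE_CONFIG = '''
create vlan VDIPri
configure vlan VDIPri add port 1-4
configure vlan VDIPri tag 100
create vlan VDIDesktops
configure vlan VDIDesktops add port 1-4
configure vlan VDIDesktops tag 101
create private-vlan VDIPrivate
configure private-vlan "VDIPrivate" add network "VDIPri"
configure private-vlan "VDIPrivate" add subscriber "VDIDesktops"
'''

def parse_config(text):
    """Collect VLAN tags, VLAN ports and private-VLAN roles from the command text."""
    tags, ports, pvlans = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].replace('"', "").strip()  # drop comments and quotes
        m = re.fullmatch(r"configure vlan (\S+) tag (\d+)", line)
        if m:
            tags[m.group(1)] = int(m.group(2))
        m = re.fullmatch(r"configure vlan (\S+) add ports? (\S+)", line)
        if m:
            ports[m.group(1)] = m.group(2)
        m = re.fullmatch(r"configure private-vlan (\S+) add (network|subscriber) (\S+)", line)
        if m:
            roles = pvlans.setdefault(m.group(1), {"network": None, "subscriber": []})
            if m.group(2) == "network":
                roles["network"] = m.group(3)
            else:
                roles["subscriber"].append(m.group(3))
    return tags, ports, pvlans

def audit_pvlan(text, primary, isolated):
    """Return a list of problems; an empty list means primary and isolated are linked."""
    tags, ports, pvlans = parse_config(text)
    by_tag = {tag: name for name, tag in tags.items()}
    problems = [f"no VLAN carries tag {t}" for t in (primary, isolated) if t not in by_tag]
    if problems:
        return problems
    pri, iso = by_tag[primary], by_tag[isolated]
    if not any(p["network"] == pri and iso in p["subscriber"] for p in pvlans.values()):
        problems.append(f"tag {isolated} is not a subscriber of a private-vlan whose network is tag {primary}")
    if ports.get(pri) != ports.get(iso):  # port lists are compared as written
        problems.append("primary and isolated VLANs are on different host-facing ports")
    return problems
```

Calling `audit_pvlan(SAMPLE_CONFIG, 100, 101)` returns an empty list; with the three private-vlan lines removed it reports that tag 101 is not tied to tag 100, which is the state the physical switch is in when only the two plain VLANs have been created.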

 

Errors in a KB Article – Horizon View 6.x Network Ports

This post was written on the 5th May 2015. Hopefully sometime in the near future it will no longer be relevant, but until then, be aware of an error in a KB article (2085383) for Horizon View 6.x network ports.

I’m compelled to write this post as I’ve just encountered a 2nd partner who got misled by this erroneous article.

For the proper reference, the Horizon View 6.x documentation lists out the ports that are required. The direct link to the web based documentation is here. I recommend using this.

If you want to see a correct diagram of what the ports should look like, you can look at the slightly older KB article (2061913) for View 5.x. The key differences between View 5.x and 6.x are the following:

  • View 6.x no longer supports Local Mode – but since it shares ports 80 & 443 for other purposes, you’ve got to keep them.
  • View 6.x adds Cloud Pod Architecture – so this is a new port for View Pod to View Pod communication.
  • View 6.x adds Enhanced Message Security mode – and this also adds a new port between View Connection Servers only.

Back to the erroneous article.

The part which needs to be fixed is the set of ports depicted for the Horizon View Client to communicate with a View Security Server. This is typical of a situation where an end device is situated in an untrusted network (e.g. the Internet), and the connection has to be tunnelled through a View Security Server that sits in the corporate DMZ. In such a situation, there are only 3, at most 4, ports which are required, and they are:

  • 80 TCP (HTTP) – for users who use a web browser and simply hit the access URL without prefixing HTTPS:// in the address bar. This simply allows the Security Server to do a redirect to the same URL, but with HTTPS.
  • 443 TCP (HTTPS) – all non-desktop traffic goes through this HTTPS encrypted connection. So right from the start, all communications between a View Client and the Security Server are fully encrypted; additionally, if RDP is the chosen protocol, it will be embedded within this HTTPS communication. So, there is no need for 3389 TCP to be opened between the View Client and Security Server.
  • 4172 TCP & 4172 UDP (PCoIP) – all PCoIP based desktop traffic will use these 2 ports. The TCP port is only used for the initial setup of the PCoIP connection. Once it’s up, all desktop activities will be just 4172 UDP.

The diagram below was cut out of the KB article. You’ll see 3 additional ports which I’ve crossed out in red.

  • 9472 TCP (MMR) – this is the Multimedia Redirection port. It is not used between the View Client and Security Server. The View Client will only use it when it does a direct connection with the Virtual Desktop.
  • 3389 TCP (RDP) – this is the well known RDP port. As mentioned above, when the session is tunnelled, RDP is embedded within the 443 TCP traffic, and does not use 3389 TCP. Again, the View Client will only use this port if it is to do a direct connection with the Virtual Desktop.
  • 32111 TCP (USB) – this port is used for USB redirection. When tunnelled through a Security Server, the View Client will not use this port; instead it will send the traffic via 4172 UDP. When the View Client is to have a direct connection to the Virtual Desktop, it will then use 32111 TCP.

Horizon View 6.x – Client to Security Server Ports
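To check an existing DMZ rule set against the port list above, the sketch below flags rules that expose the direct-connection-only ports and reports required ports that are missing. It is an added example, not from the original post or from VMware; the `(protocol, first port, last port)` rule format and the sample rules are constructed for illustration.

```python
# Ports the post says a View Client needs to reach a Security Server.
REQUIRED = {("tcp", 80), ("tcp", 443), ("tcp", 4172), ("udp", 4172)}
# Ports the post says are used only on a direct client-to-desktop connection.
DIRECT_ONLY = {("tcp", 9472): "MMR", ("tcp", 3389): "RDP", ("tcp", 32111): "USB"}

# Constructed sample: inbound allow rules (protocol, first port, last port)
# from the untrusted network to the Security Server in the DMZ.
SAMPLE_RULES = [
    ("tcp", 80, 80),
    ("tcp", 443, 443),
    ("tcp", 3389, 3389),
    ("udp", 4172, 4172),
    ("tcp", 9000, 9500),
]

def audit_rules(rules):
    """Return (missing, direct_only, excess) for a list of allow rules."""
    # Required ports that no rule covers.
    missing = sorted(p for p in REQUIRED
                     if not any(r[0] == p[0] and r[1] <= p[1] <= r[2] for r in rules))
    direct_only, excess = [], []
    for proto, lo, hi in rules:
        # Direct-connection-only ports that fall inside this rule's range.
        hits = [f"{port}/{pr} ({name})" for (pr, port), name in DIRECT_ONLY.items()
                if pr == proto and lo <= port <= hi]
        if hits:
            direct_only.append(((proto, lo, hi), hits))
        # Count of ports this rule opens beyond the required set.
        needed = sum(1 for pr, port in REQUIRED if pr == proto and lo <= port <= hi)
        extra = (hi - lo + 1) - needed
        if extra:
            excess.append(((proto, lo, hi), extra))
    return missing, direct_only, excess
```

For the sample rules this reports 4172/tcp as missing, flags the 3389 rule and the 9000-9500 range (which silently includes 9472), and counts 501 ports opened by that range that the tunnelled connection never uses.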

Windows 7 – Optimise Visual Effects for all New User Profiles

Optimisation Type: user experience (↓↑) / resource optimisation (↑) / functionality (-) / administration (-)

This is my 3rd post about Visual Effects optimisation. It must seem I have some obsession about this. Kind of, as I haven’t found a completely reliable source of information on how to do this.

In the land of remote access to Windows desktops, regardless of protocol, any change on the screen has to be sent across the network. The more changes, the higher the network bandwidth requirements. I would think this is probably one of the reasons why Windows has an advanced settings page to allow you to tweak the visual effects. Another reason would be that some of these effects take up more CPU cycles, so on slower/older PCs they will actually impact the user experience.

The purpose of this post is to provide a method for applying the same settings to users from the moment their user profile is first created. Now, although the default settings applied to new users may be what IT prefers, savvy users will know a trick or two and change the settings to what they like. To counter this, we need to add a second control to enforce the settings.

I wrote a post earlier on how to enforce the Visual Effects settings via GPO. That is still an important step. Applying the settings via GPO helps to keep individual user settings as desired by IT. Although it may not be realtime enforcement, it will make sure the settings are what they need to be each time the user logs on.

Back to this.

I’ve read many documents and posts, and quite a few just suggest tweaking registry settings in the default user profile. I couldn’t find any that gives the complete solution. I hope this post will help you out, if you are looking for a solution.

The most common solution I found was to simply set the registry which defines the setting for “Adjust for best XXXXX” settings, and the checkboxes below. Unfortunately, that doesn’t help.

The registry value which stores the setting is

HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects > VisualFXSetting

By setting the value to 0x2 (hex) it adjusts the radio button to “Adjust for best performance”. As you can see in the picture below on the right, the desired setting is in place, and all the check boxes are turned off. It is supposed to mean all visual effects have been disabled. Well, that’s not really the case. Compare the appearance of the two windows below. The one on the left is when the settings are truly in place and in effect. So, setting that registry value alone is insufficient.

Best Performance Windows 7 Visual Effects when applied

Best Performance Windows 7 Visual Effects Not in Effect

The second registry value that is also commonly suggested is

HKU\Control Panel\Desktop > UserPreferencesMask

Making changes to the above value in the default user profile does nothing at all. It is only useful when we push settings from GPO on an ongoing basis; when a new profile is being created, quite unexpectedly, the settings are not inherited from the default user profile. In fact, these settings are actually taken from a particular key under HKEY_LOCAL_MACHINE.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects

I have created a batch file that you can run to turn everything off. Feel free to copy the below into a text file in Notepad and save it as a .bat file. Of course, if you do not need to turn everything off, please pick and choose the values to maintain.

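@REM Use this script for Windows 7 desktops to tune down Visual Effects
@REM Setting Default HKLM values
@REM Script by Jason Yeo; @jasonyzs88
@REM Script Version 1.1 - covers 3D (AERO) and 2D Visual Effects; disables Themes service.
@REM Run from an elevated command prompt: reg load, the HKLM writes and sc config need administrator rights.

@REM Load the default user profile hive and set the Visual Effects radio button to Custom (0x3) for new profiles
reg load "hku\temp" "%USERPROFILE%\..\Default User\NTUSER.DAT"
reg add "hku\temp\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 0x3 /f
reg unload "hku\temp"

@REM Set the machine-wide default of each individual effect to off; new profiles take their values from here
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultValue /t REG_DWORD /d 0x0 /f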
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\CursorShadow" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DragFullWindows" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DropShadow" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMAeroPeekEnabled" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMEnabled" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMSaveThumbnailEnabled" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\FontSmoothing" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\FontSmoothing" /v NoApplyDefault /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListBoxSmoothScrolling" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewAlphaSelect" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewShadow" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\SelectionFade" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimations" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ThumbnailsOrIcon" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultValue /t REG_DWORD /d 0x0 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TransparentGlass" /v DefaultValue /t REG_DWORD /d 0x0 /f

@REM Disable the Themes service so it does not start at boot, then stop the running instance
sc config Themes start= disabled
sc stop Themes

pause

Conclusion & Recommendation

How I would optimise an environment is to apply both the settings from this post, and to enable ongoing enforcement of the settings via GPO. This would be a complete solution where user visual settings are configured up front right from the first time their profiles are created. If the settings change, the GPO enforcement will then re-apply the settings back to what is desired by IT.