Horizon View 6.1.1 and the Agent Unreachable Curse
One of my customers recently asked me to help them set up a stand-alone DR solution for their Unidesk + VMware View VDI. We decided to try out the Unidesk LayerSync utility, to replicate their desktop configurations to the remote site, where we installed brand new View 6.1 connection servers. There were a few small challenges to getting that running, but it's still in beta so that's perfectly understandable. After we got the replication working, we stood up a few desktops as a test. They booted up fine, all of the layer assembling as expected, and we were able to log into the consoles without trouble.
We came across an issue, though: Unidesk successfully added the desktops into the selected pool, but View reported them as being Agent Unreachable. I went through the normal troubleshooting steps (testing name resolution, checking HKLM\Software\VMware, Inc.\VMware VDM\Agent\Configuration\ to make sure that the Broker setting is correct, verifying that network flows are communicating on the specific ports, etc.), but with no luck.
Eventually, I came across an interesting KB article about some important changes with View 6.1.1. The JMS Message security mode in versions prior to 6.1.1 was "enabled" whereas 6.1.1 and newer use "enhanced". This change can cause some pain, as View Agents that are using the "enabled" mode can't connect to Connection Brokers that are set to "enhanced". Fortunately, VMware is well aware of the issue and so does not change this setting when you're doing an upgrade. So, if you upgrade an older View environment to 6.1.1 or newer, it will maintain its "enabled" setting so that all of the agents will continue to communicate successfully. If you install a new environment, only then will it use "enhanced" mode, and in that case, you'll be installing correspondingly new View Agents which will also install in "enhanced" mode. Except for when you're installing a stand-alone DR environment.
Our View environment at the DR site was brand new, so it installed with the "enhanced" security mode. We replicated our existing VDI layers though, including the View Agent layer, which was using the "enabled" security mode. When we stood up our first batch of test desktops, they all went Agent Unreachable because of the disagreement about which security mode to use.
So, that brings us back to that KB article that I referenced earlier. It turns out that it's pretty easy to set the Connection Servers to use the JMS Messaging "enabled" security mode, by using ADSI Edit. The descriptions in the KB article aren't quite as verbose as I would have liked (as I'm not particularly familiar with LDAP or ADSI Edit), but I was able to fumble my way through the process. The biggest hurdle for me was step 4; I forgot that LDAP strings are specified "backwards". So, when you're trying to follow step 4:
On the object CN=Common, OU=Global, OU=Properties, set the pae-MsgSecMode attribute to ON.
You should navigate to DC=vdi,DC=vmware,DC=int > Properties > Global and then double-click on the CN=Common object and change its pae-MsgSecMode property to have a value of "ON".
After we made that change and restarted the servers, all of the desktops successfully checked in as "available".
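To record the security mode before and after the change, the same object can be read without opening ADSI Edit. This is an added example, not taken from the KB article or from VMware: the function name Get-ViewMsgSecMode is hypothetical, and it assumes it is run on a Connection Server whose View LDAP instance listens on localhost:389. It only reads the attribute, and it prints both the leaf-first DN from step 4 and the root-first path you click through in ADSI Edit.

```powershell
# Added example (not from the KB article): read-only check of pae-MsgSecMode.
# Assumptions: run on a Connection Server as a View administrator; the View
# LDAP instance answers on localhost:389; the function name is hypothetical.
function Get-ViewMsgSecMode {
    param(
        [string]$Server        = 'localhost:389',
        [string]$NamingContext = 'DC=vdi,DC=vmware,DC=int'
    )

    # RDNs exactly as step 4 writes them: leaf first, root last.
    $rdns = 'CN=Common', 'OU=Global', 'OU=Properties'

    # Full distinguished name = leaf-first RDNs followed by the naming context.
    $dn = ($rdns + $NamingContext) -join ','

    # ADSI Edit shows the same object root-first, so reverse the RDN order.
    $walk = @($NamingContext) + $rdns[($rdns.Count - 1)..0]

    $entry = [ADSI]"LDAP://$Server/$dn"
    try {
        # [ADSI] binds lazily; force the bind so a wrong DN fails here.
        $entry.psbase.RefreshCache()
    } catch {
        throw "Could not bind to LDAP://$Server/$dn : $($_.Exception.Message)"
    }

    $mode = [string]$entry.Properties['pae-MsgSecMode'].Value

    # Only the value "ON" is interpreted, because it is the one the post names.
    $note = if ($mode -eq 'ON') {
        'JMS message security is in "enabled" mode'
    } elseif (-not $mode) {
        'pae-MsgSecMode is not set on this object'
    } else {
        'Not "ON"; compare with the mode your View Agent layer was built for'
    }

    [pscustomobject]@{
        DistinguishedName = $dn
        AdsiEditPath      = $walk -join ' > '
        MsgSecMode        = $mode
        Note              = $note
    }
}

Get-ViewMsgSecMode | Format-List
```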