Vmware – Horizon Application Manager – 1.5 – Installing

Category: Software and Application User Guides and Manuals

Download user manual for Vmware – Horizon Application Manager – 1.5 – Installing 
Preview: Below is a preview of the manual as extracted from the PDF file


Installing Application Manager
Application Manager 1.5
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000856-00Installing Application Manager
2 VMware, Inc.
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright
©
2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual
property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.comContents

1 Installing and Configuring Application Manager 5
Application Manager Deployment Checklists 9

2 Introduction to Application Manager 11

3 Security Considerations and System Requirements for Application Manager 19
Application Manager Recommendations and Requirements 19

4 Preparing to Install Application Manager 23
Prepare to Install Application Manager 23
Convert the Virtual Appliance File Format 24

5 Installing Application Manager 27
Start the Application Manager Virtual Appliance 27
Use the Virtual Appliance Interface for the Initial Application Manager Configuration 28

6 Configuring Application Manager with the Operator Setup Wizard 33
Access the Application Manager Operator Web Interface 33

7 Making Additional Application Manager Configurations 35
Configure Application Manager for Logging 35
Configuring SSL Connectivity to Application Manager 36
Configuring Clustering for Application Manager 41
Update Application Manager 44

8 Troubleshooting Application Manager 47
Potential Network Time Protocol Issue 47
Missing the Application Manager Operator Web Interface Password 48
Connector Issue Prevents Administrator Access to Application Manager 49
Using a Static IP Address for Application Manager with vCenter Server Can Result in an Access
Issue 50
Index 51
VMware, Inc. 3Installing Application Manager
4 VMware, Inc.Installing and Configuring Application
Manager 1
This information describes how to install Application Manager, the on-premise appliance as opposed to the
hosted version of Application Manager. When you host Application Manager, you control the operator and
administrator pages that allow you to manage end-user access to your Windows, SaaS, and Web applications.
The Connector is a required software piece that you must install separately.
Intended Audience
This information is intended for organization administrators. The information is written for experienced
Windows and Linux system administrators who are familiar with VMware virtual machine technology,
identity management, entitlement, and directory services. SUSE Linux is the underlying operating system of
the Application Manager virtual appliance. Knowledge of Linux is essential to configure the Application
Manager directly and to perform system-level functions, such as configuring network settings, time settings,
and log files. Knowledge of other technologies, such as VMware ThinApp and RSA SecurID, is helpful if you
plan to implement those features.
Application Manager Installation Overview
This process involves a variety of tasks and you can deploy the Application Manager in several different ways.
A key distinction in deployments is in the mode of authentication you choose. See Chapter 2, “Introduction to
Application Manager,” on page 11. An important deployment factor depends on if you choose to provide
Application Manager users with access to Windows applications captured as ThinApp packages. See Installing
and Configuring the Connector for more information.
Installation and Configuration Flow of an Application Manager
Deployment
Figure 1-1 provides a broad overview of the installation and configuration tasks involved in an on-premise
Application Manager deployment. The summary that follows reiterates the main steps.
VMware, Inc. 5Figure 1-1. Application Manager Installation and Configuration Flowchart
• Create DNS records for the Service and the Connector
• Ensure the hardware, software, and network requirements
are met
• Prepare the optional features that apply. For example,
create the ThinApp repository for ThinApp integration
and configure KDC for Kerberos authentication
• Prepare ESXi for the mode of authentication suitable for
your enterprise: Service Authentication mode, Connector
Authentication mode, or both
Obtain the virtual
appliances
End
Install and
Configure the
Service virtual
appliance
Install and
configure the
Connector
Return to the
Service as an
operator
Configure the
Service as an
administrator
Configure
logging
Provide users with
URLs to access
applications
Obtain the Service and Connector
virtual appliances
Provide network information, including:
• IP/subnet/gateway info
• DNS servers
• Hostname
• A Network Time Protocol server
• Time zone
• SSL connectivity to the Service*
• Use a browser to login to the Operator
Web interface
• Run the setup wizard
• Copy and save the URL for the Service
and the activation code for the Connector
In the Web interface, you can enable
SSL for end user authentication*
Configure the
Service as
an Operator
Configure the Connector using the virtual appliance interface
and the applicable wizards of the Web interface. If you are
providing users with access to Windows Applications captured
as ThinApp packages, configure the Windows Apps page
Create delegated operators, add
applications, etc
Using a browser, return to the Service for further
configuration. For example, you can configure
IdP Discovery, add applications, create groups,
set entitlements, and define roles for delegated
administration
Return to the virtual appliances of
both the Service and Connector to
configure logging
Distribute URLs to users to provide access
to the User Portal and directly to individual
applications
*NOTE: SSL connectivity to the Service and the Connector is disabled by default to simplify the configuration of your
Application Manger deployment during the proof-of-concept phase. You can enable SSL later when you are prepared
to put Application Manager into production. Verify that the state of SSL, enabled or disabled, always matches between
the Connector and the Service.
After you enable SSL for your Application Manager deployment, perform the following tasks that apply:
• If you are providing users with access to Windows Applications captured as ThinApp packages, reinstall
the Horizon Agent on each user’s system to update the Service URL from HTTP to HTTPS.
• Update each SAML application that you previously configured without SSL to now use SSL. Therefore,
ensure that each SAML application now reaches Application Manager using HTTPS instead of HTTP.
This might involve working with account administrators for specific applications.
Prepare your
environment
1 Prepare your environment:
Installing Application Manager
6 VMware, Inc.n Create DNS records for Application Manager and the Connector.
n Ensure hardware and software requirements are met.
n Prepare the optional features that apply. For example, create the ThinApp repository for ThinApp
integration and configure KDC for Kerberos authentication.
n Prepare vSphere for Connector Authentication mode.
2 Obtain virtual appliances:
n Obtain the Application Manager and Connector virtual appliances.
3 Install and configure the Application Manager virtual appliance:
n Provide network information, including:
n IP/subnet/gateway info
n DNS servers
n Hostname
n A Network Time Protocol server
n Time zone
n SSL connectivity to Application Manager
4 Configure Application Manager as an operator:
n Use a browser to log in to the Operator Web interface.
n Run the setup wizard to create your first organization.
n Copy and save the URL for Application Manager and the activation code for the Connector.
5 Install and configure the Connector:
n Configure the Connector using the virtual appliance interface and the applicable wizards of the Web
interface. If you are providing users with access to Windows Applications captured as ThinApp
packages, configure Windows Apps in the Connector setup wizard. You can also perform additional
configuration such as setting up RSA SecurID.
n In the Web interface, you can enable SSL for end user authentication.
6 Return to Application Manager as an operator of your first organization:
n Create delegated operators, add applications, additional organizations, etc.
7 Configure Application Manager as an administrator:
n Using a browser, return to Application Manager for further configuration. For example, you can add
ThinApp packages, configure IdP Discovery for ThinApp integration, add applications, create
groups, set entitlements, and define roles for delegated administration.
8 Configure logging:
n Configure logging for Application Manager. Return to the Connector virtual appliance interface to
configure logging for the Connector.
9 Provide users with URLs to access applications:
n Distribute URLs to users to provide access to the User Web interface and directly to individual
applications
Trial, Test, and Production Deployment Phases
To reduce the complexity of the deployment process, you might want to deploy Application Manager in phases.
Chapter 1 Installing and Configuring Application Manager
VMware, Inc. 7SSL connectivity, load balancing, and high availability add layers of complexity to your deployment that can
be avoided during the proof-of-concept phase.
By default, secure ports are disabled for the Connector and Application Manager. For the proof-of-concept
phase, you can install the Connector and Application Manager using the default insecure ports. This frees you
during this phase from managing SSL certificates.
Also, by default, Application Manager uses an internal database server. To support load balancing or high
availability you must install and configure a supported external database server and point multiple Application
Manager instances to that external database server. For the proof-of-concept phase, you can use the default
internal database server. This frees you from installing an external database server and configuring clustering.
Table 1-1. Recommended Phases of Deployment
Phase Recommended Actions
Trial (Proof-of-
Concept)
n SSL Connectivity (Do not configure)
n For Application Manager, keep the insecure ports enabled and the secure ports disabled.
These settings are accessible with the Application Manager virtual appliance interface, on
the Configure Web Server screen.
n For the Connector, accept the default insecure mode. This setting is accessible with the
Connector virtual appliance interface, on the Configure Web Server screen.
NOTE You can test ThinApp integration in Insecure mode.
n Load Balancing and High Availability (Do not configure)
n For Application Manager, keep the internal database server configuration. This setting is
accessible with the Application Manager virtual appliance interface, on the Configure
Database Connection screen.
Test (Pre-
Production)
n SSL Connectivity
n For Application Manager, disable the insecure ports and enable the secure ports.
n For the Connector, enable secure mode, which requires you to reset and reconfigure the
Connector.
n Generate both an Application Manager SSL certificate and a Connector SSL certificate.
n If you are using self-signed SSL certificates, deploy the certificates to user machines. In
addition, distribute the Application Manager certificate to each Connector instance.
n Reconfigure SAML applications to use HTTPS instead of HTTP.
n Reinstall the Horizon Agent on user machines to use HTTPS instead of HTTP.
n Load Balancing and High Availability
n For Application Manager, install a supported external database server and point multiple
Application Manager instances to that external database server.
Production n SSL Connectivity
n Replace your self-signed SSL certificates with signed third-party CA certificates.
n For Application Manager, verify that insecure ports are disabled and secure ports are
enabled.
n For the Connector, verify that secure mode is enabled.
n Verify that SAML applications are configured for HTTPS.
n Verify that the Horizon Agent has been reinstalled on user machines to use HTTPS.
n Load Balancing and High Availability
n For Application Manager, install a supported external database server and point multiple
Application Manager instances to that external database server.
Installing Application Manager
8 VMware, Inc.Application Manager Deployment Checklists
You can use the Application Manager Deployment Checklist to gather the necessary information to install
Application Manager on premise.
Network Information for Application Manager
Table 1-2. Application Manager Network Checklist
Information to Gather List the Information
IP Address
Subnet Mask
Gateway
DNS Server
Network Information for the Connector
Table 1-3. Connector Network Checklist
Information to Gather List the Information
IP Address
Subnet Mask
Gateway
DNS Server
DNS Record for Application Manager
Table 1-4. Application Manager DNS Checklist
Information to Gather List the Information
Application Manager Host
(MyHost.MyDomain.com)
The best practice is to use the same name
for MyHost that you plan to use for your
first organization.
First Organization
(MyOrg.MyDomain.com)
When you configure Application
Manager, organizations are created
within logical/functional containers for
users and applications.
DNS Record for the Connector
Table 1-5. Connector DNS Checklist
Information to Gather List the Information
Connector Host
Chapter 1 Installing and Configuring Application Manager
VMware, Inc. 9Active Directory Domain Controller
Table 1-6. Active Directory Domain Controller Checklist
Information to Gather List the Information
Active Directory IP Address
Active Directory FQDN
Installing Application Manager
10 VMware, Inc.Introduction to Application Manager 2
Application Manager is an identity and access management service or virtual appliance that unifies your
software as a service (SaaS) applications and Windows applications (captured as ThinApp packages) into a
single catalog for entitlement.
Table 2-1. Application Manager Component Terminology
Application Manager Component Other Terms Used Description
Application Manager deployment n None The entire Application Manager
deployment, including Application
Manager, the Connector, the related
interfaces to access those components,
and all other components necessary to
enable users to access applications.
Application Manager
n Application Manager
n Application Manager Appliance
None
n hosted service
n on-premise appliance
Two versions of Application Manager
exist: the hosted service and the on-
premise virtual appliance. As a
generalization, both versions are
referred to as the service. If you have the
hosted service, it is maintained for you.
If you have the on-premise appliance,
you install and maintain it yourself.
Application Manager stores
entitlement, SaaS, policy, and ThinApp
package information and
communicates with your Connector
instances to access Active Directory
information.
Application Manager virtual appliance
interface
n virtual appliance interface The interface of the Application
Manager virtual appliance. You use this
interface to perform the initial
configuration of Application Manager
on premise. You also use this interface
to access the command-line interface of
the underlying Linux operating system.
Application Manager Operator Web
interface
n Operator Web interface The browser-based interface of the on-
premise version of Application
Manager that individuals with operator
privileges access to manage
organizations and the Operator
application catalog. Application
Manager provides multi-tenancy. This
interface provides an overview of all the
organizations managed by Application
Manager.
VMware, Inc. 11Table 2-1. Application Manager Component Terminology (Continued)
Application Manager Component Other Terms Used Description
Application Manager Administrator
Web interface
n Administrator Web interface The browser-based interface of
Application Manager that you, as an
administrator of a specific organization,
use to manage user access and
entitlements to SaaS and ThinApp-
packaged applications. This interface
provides an overview of a single
organization.
Application Manager User Web
interface
n Workspace
n User Web interface
The browser-based interface of
Application Manager that users access
to use SaaS or ThinApp-packaged
applications. This interface includes the
User Portal, which provides users easy
access to applications.
Application Manager internal database
server
n internal database server The default database server, vPostgres
9.1, that ships with the on-premise
version of Application Manager. You
can use this internal database server
during the proof-of-concept phase of
deployment. For production, you
should disable the internal database
server and use a supported external
database server, such as PostgreSQL 9.1.
Application Manager Operator
application catalog
n Operator application catalog
n Operator catalog
The master catalog of applications,
which is accessible using the operator
Web interface. Operators can create
application in this catalog. Operators
can assign applications to all
organizations in the system or only to
specific organizations.
Application Manager Administrator
application catalog
n Administrator source application
catalog
n Administrator active application
catalog
n Administrator application catalog
n Administrator catalog
A catalog of applications accessible
using the Administrator Web interface.
You, as an organization administrator,
manage the applications assigned to
you by operators. To make applications
available to users, you must move them
from the Administrator source
application catalog to the Administrator
active application catalog.
Application Manager User application
catalog
n User application catalog
n User catalog
A catalog of applications accessible
using the User Web interface. Users
access and use the applications assigned
to them by you as an organization
administrator.
Connector n Connector Appliance
n Connector instance
The virtual appliance you install in your
enterprise network to connect
Application Manager to Active
Directory and to the ThinApp package
repository.
Connector virtual appliance interface n None The interface of the Connector virtual
appliance. You use this interface to
make the initial configurations of the
Connector. You also use this interface to
access the command-line interface of the
underlying Linux operating system.
Installing Application Manager
12 VMware, Inc.Table 2-1. Application Manager Component Terminology (Continued)
Application Manager Component Other Terms Used Description
Connector Web interface n None The browser-based interface you use to
configure and manage the Connector
after using the Connector virtual
appliance to make the initial Connector
configurations.
ThinApp Repository n Windows applications network
share
A shared folder that you create to store
Windows applications captured as
ThinApp packages. You then provide
users access to these applications.
Horizon Agent n Agent A ThinApp-specific component
installed on user`s Windows systems
that allows users to access Windows
applications captured as ThinApp
packages.
Flow of Applications Through the Various Application Manager
Catalogs
Applications move through a hierarchy of Application Manager catalogs before appearing in a user’s User
Portal, where the user can launch them.
1 The Application Manager Appliance ships with a set of default applications available in the Operator
application catalog. Operators then customize the Operator application catalog by adding and deleting
applications. They can make specific applications available to each organization, which places the
application in organizations’ Administrator source application catalog. Operators can make applications
public (available to all organizations) or private (available to only specified organizations).
2 When organization administrators initially access their organization’s catalog, they access the
Administrator source application catalog, which was prepopulated by the operator. Administrators can
add applications not provided by operators. Next, administrators move the applications from the
Administrator source application catalog to the Administrator active application catalog. By adding group
and individual user entitlements, administrators entitle specific applications to specific users.
Administrators can entitle applications as automatic or self-activated.
3 When users access the Application Manager User Web interface, their Workspace, they see the User Portal
and an Application Catalog link. The application catalog lists all applications to which users are entitled.
Unless the administrator made an application automatically available, users must activate each
application in the User application catalog that they want to use. Activating an application moves it to the
User Portal where the user can launch it.
Chapter 2 Introduction to Application Manager
VMware, Inc. 13Figure 2-1. Application Manager Application Catalogs
Next, the administrator entitles
users and groups to
specific applications.
The administrator can entitle
applications as either automatic
or self-activated.
Application Manager Operator
application catalog
Operator
OperatorApp1 OperatorApp4 OperatprApp8
OperatorApp11 OperatorApp12
Administrator
of Example
Organization
Application Manager
Administrator application catalog
OperatorApp1
OperatorApp4
OperatorApp11
OperatorApp12
OrgApp1
OperatorApp1
OperatorApp12
OrgApp1
Users
User 1
Application Manager
User application
catalog
OperatorApp1
OperatorApp12
User 2
Application Manager
User application
catalog
OperatorApp12
User 3
Application Manager
User application
catalog
OperatorApp1
OperatorApp12
OrgApp1
Dynamic List:The catalogs are dynamic.
Applications can be added and deleted.
For this example, Application
Manager ships with ten
applications (OperatorApp1–
OperatorApp10). The operator
deletes seven applications and
adds two others (OperatorApp11
and OperatorApp12).
The operator assigns applications
to each organization. For example,
the operator assigns OperatorApp1,
OperatorApp4, OperatorApp11, and
OperatorApp12 to Example
Organization, where they populate
the Administrator source application
catalog.
For this example, the administrator
of Example Organization adds
OrgApp1 to the source catalog.
Next, the administrator moves
OperatorApp1, OperatorApp12,
and OrgApp1 to the active catalog,
keeping OperatorApp4 and
OperatorApp11 inactive.
Users launch applications from the User Portal, not the User catalog.
Depending on how the administrator assigned applications, users
might be able to access all of their entitled applications immediately
in the User Portal. If not, they must go to the User catalog to activate
an application. Users cannot add applications to the catalog.
Administrator source
application catalog
Administrator active
application catalog
Application Manager Authentication Modes
Application Manager facilitates username and password validation by using your Active Directory server on
site. You install the Connector as a virtual appliance that communicates with your local directory using LDAP.
You can use LDAP over SSL.
The Connector can operate in two different modes: Connector Authentication mode or Service Authentication
mode. You can also combine both modes in one deployment. However, the Application Manager Appliance
only supports Connector authentication mode. Service Authentication mode is supported for the Application
Manager hosted service. The modes of authentication indicate the flow of user authentication to access
Application Manager.
In Connector Authentication mode, once users are logged in to the internal network, they are usually not
prompted for their credentials when attempting to access the Application Manager. In specific situations where
users are prompted for their credentials to access Application Manager, the Connector presents the login page.
Installing Application Manager
14 VMware, Inc.Application Manager User Authentication
Connector Authentication mode refers to access to Application Manager where the Connector is the starting
point for user authentication.
Table 2-2. Providing User Access to Application Manager in Connector Authentication Mode
User Access From Inside the Enterprise Network User Access From Outside the Enterprise Network
n Configure Kerberos authentication or
username/password authentication.
n Install both the Application Manager and Connector
virtual appliances in a manner that provides Internet
access. Kerberos authentication is not available outside
the network. Therefore, the best practice is to use RSA
SecurID authentication, though username/password
authentication is available as well.
n You can install the Connector and Application Manager
virtual appliances without Internet access. However, to
provide user access from outside the enterprise network,
users will need a VPN connection.
If you decide to enable Internet access to Application Manager and the Connector to provide users outside the
enterprise network access to Application Manager, configure them in one of the following ways:
n Install Application Manager and the Connector inside the DMZ.
n Install a reverse proxy server in the DMZ pointing to Application Manager and the Connector installed
behind the firewall.
n Configure firewall port forwarding or router port forwarding to point to Application Manager and the
Connector installed behind the firewall.
For Connector Authentication mode, if you do not configure IdP discovery, you must provide users access to
specific URLs that direct the authentication flow through the Connector. These URLs contain the appropriate
information to direct users through the Connector directly to Application Manager. You must provide users
access to such URLs.
IMPORTANT Configuring IdP discovery eliminates the need to use the long URLs provided in the following
table. See “IdP Discovery,” on page 17.
Table 2-3. Connector Authentication Mode: URL Examples
Target URL Example Information
The Application Manager
User Web Interface
https://
MyOrg.MyDomain.com/SAAS/API/1.0/GET/federatio
n/request?i=IDP#&s=0
When your deployment is
production ready, provide this URL
to users to give them access to the
User Web interface. Replace MyOrg
and MyDomain with the appropriate
values and replace IDP# with the IdP
ID available on the Connector
Internal Access page.
https://ConnectorHost.MyDomain/login/ Use this URL for testing and
troubleshooting purposes if Kerberos
is not configured. Replace
ConnectorHostConnectorHost and
MyDomain with the appropriate
values.
Chapter 2 Introduction to Application Manager
VMware, Inc. 15Table 2-3. Connector Authentication Mode: URL Examples (Continued)
Target URL Example Information
https://ConnectorHost.MyDomain/authenticate/ Use this URL for troubleshooting and
testing purposes if Kerberos is
configured. Replace ConnectorHost
and
MyDomain with the appropriate
values.
Specific Applications https://
MyOrg.MyDomain.com/SAAS/API/1.0/GET/federatio
n/request?i=IDP#&s=SP#
When your deployment is
production ready, provide this URL
to users to give them one-click access
to a specific application. Replace the
placeholders. For example, replace
SP# with the ID number for a specific
application. The application ID
numbers are available from the
Application Manager User
application catalog.
For deployments where Kerberos is configured, the Connector validates user desktop credentials using
Kerberos tickets distributed by the key distribution center (KDC).
In Connector Authentication mode, the Connector acts as a federation server within your network, creating
an in-network federation authority that communicates with Application Manager using SAML 2.0 assertions.
The Connector authenticates the user with Active Directory within the enterprise network (using existing
network security).
A troubleshooting-related aspect of Connector Authentication mode is that users can still be authenticated
even when Kerberos fails. In fact, users can still be authenticated when Kerberos is not configured. In such
cases, an Application Manager redirect takes place causing the Connector to present users with a login page.
This Connector-supplied login page prompts users to provide their usernames and passwords again for access
to Application Manager. The Connector then validates users against Active Directory.
Connector Authentication Mode and RSA SecurID
After you install the Connector in Connector Authentication mode, you can configure SecurID to provide
additional security. For an overview of using RSA SecurID with the Connector, see Installing and Configuring
the Connector.
You can configure SecurID with or without Kerberos. However, the most common use case is to use SecurID
to authenticate users outside the enterprise network, while Kerberos authentication is not available outside
the network. See “IdP Discovery,” on page 17 for more information about configuring two Connector
instances, one instance for users inside the enterprise network and the other for users outside the network.
RSA SecurID with Result
Kerberos configured Kerberos authentication takes precedence. Users are only prompted for their
SecurID passcode if Kerberos authentication fails.
username-password verification as
part of Connector Authentication
mode
SecurID takes precedence and username password verification is disabled. Users
are prompted for their SecurID passcode. They are never prompted for their Active
Directory credentials.
For various reasons, both intentional and unintentional, Kerberos authentication might not function. For
example, you might intentionally prevent specific users from accessing the enterprise network. Also, non-
Windows machines do not support Kerberos authentication. When Kerberos and SecurID are both configured,
but Kerberos authentication fails, users are prompted for their SecurID passcode.
Installing Application Manager
16 VMware, Inc.IdP Discovery
You configure the IdP Discovery feature using the Application Manager Administrator Web interface. See
Application Manager Administration Help. The IdP Discovery feature works in conjunction with Connector
Authentication mode. IdP Discovery refers to the discovery of identity providers. The Connector acts as an
identity provider. Therefore, even though users access a URL directly to Application Manager, such as
https://MyOrg.MyDomain.com, when IdP Discovery is properly configured, it finds (discovers) and redirects
users to the specific Connector instance. With a single URL, you can provide all users access to the User Web
Interface.
For the IdP Discovery feature to function, you must configure IP address ranges in Application Manager. When
you have multiple Connector instances, the order in which the corresponding Connector records are listed in
Application Manager is important if the IP ranges overlap. In such cases, the first Connector record to include
an IP address is given precedence.
CAUTION When you remove or reset a Connector instance, you must remove the corresponding Connector
record from the list of Connector records accessible with the Application Manager Administrator Web
interface.
The IdP Discovery feature typically applies when users attempt to access Application Manager from inside
the enterprise network and when they are on the same domain as the Active Directory instance.
When users within the specified IP address ranges access the provided URL, their request is processed in
Connector Authentication mode and the request is redirected to the Connector. Assuming that Kerberos is
configured, a SAML assertion generated by the Connector is used for authentication and users are granted
access to the User Web interface without being prompted for their username and password. If Kerberos is not
configured, users must provide their username and password on the Connector login page to gain access.
When users outside the specified IP address range use the provided URL, their request is processed in Service
Authentication mode, if you have it enabled, requiring them to provide their username and password on the
Application Manager login page to gain access.
You can configure your Application Manager deployment with IdP Discovery in a variety of ways, one of
which is summarized in the example that follows.
External RSA SecurID
and Internal Kerberos
Authentication Example
of IdP Discovery
This is one possible way to configure IdP Discovery and SecurID in the same
Application Manager deployment. For an overview of configuring RSA
SecurID with the Connector, see Installing and Configuring the Connector. For
this deployment, you configure two Connector instances, both in Connector
Authentication mode.
n Internal – First Connector instance in Connector Authentication mode: You
do not configure SecurID for this Connector instance. In Application
Manager, you configure IP address ranges to include users within the
enterprise network.
n External – Second Connector instance in Connector Authentication mode:
You configure SecurID for this Connector instance. In Application
Manager, you configure a single IP address range that includes all possible
users. Therefore, you set the IP address range from 0.0.0.0 to
255.255.255.255.
The result of this configuration is that users attempting to access the User Portal
are authenticated in Connector Authentication mode. Users inside the
enterprise network are authenticated by Kerberos or username/password
authentication. Users outside the enterprise network are authenticated by
SecurID authentication.
Chapter 2 Introduction to Application Manager
VMware, Inc. 17ThinApp Packages
ThinApp package access requires Connector Authentication mode. See Installing and Configuring the
Connector for information about integrating the Connector with ThinApp.
Evaluation and Quick Access to Application Manager
For evaluation purposes, you can access the User Portal as an administrative user with minimum configuration.
This quick-access configuration works in Connector Authentication mode only. Using the Connector Web
interface, you run the initial configuration wizard, stopping before running the setup wizard. The initial
configuration wizard requires you to provide your activation code and information for Active Directory. The
Active Directory information is not used for Directory Sync because quick-access configuration does not enable
directory synchronization. The Active Directory information is required for the following purposes:
n To establish a connection to Active Directory, which is used to verify your administrative user credentials
when you attempt to log in to Application Manager.
n To allow you to log in to the Application Manager. You use the username associated with the Bind DN
user account and respective password as the credentials to log in to Application Manager as an
administrator.
With quick-access configuration, you cannot configure Kerberos authentication, nor can you access Windows
applications captured as ThinApp packages. Also, with the quick-access configuration, you can use the default
internal database, instead of configuring an external database. The purpose of quick-access configuration is to
provide easy access to the basic functionality of Application Manager, which you can evaluate.
Application Manager Database
Application Manager stores information, such as user information, application entitlements, and policies in
an internal database that runs directly in the Application Manager virtual appliance.
IMPORTANT During the proof-of-concept phase, you can use the internal database server. Do not use the internal
database server in production. For production, install and configure an external database server.
To support high availability and load balancing of Application Manager instances, you must configure a
connection from each Application Manager instance to a shared external database server. See “Configure an
External Database Connection,” on page 41. When you switch to an external database server and use multiple
Application Manager instances, you make Application Manager highly available. Making the external
database server highly available is outside the scope of this document. Refer to the database product
documentation for more information.
Installing Application Manager
18 VMware, Inc.Security Considerations and System
Requirements for Application
Manager 3
When you install and configure Application Manager, you install the Application Manager virtual appliance
and use both the Application Manager virtual appliance interface and the Application Manager Web interface
for configuration purposes. You must manage the Web interface with care to avoid security issues.
Consider the Application Manager system requirements within the context of the following security concerns:
n The Application Manager virtual appliance interface is accessible to anyone with access to the machine
on which vSphere and the virtual appliance are hosted. Protection relies on firewalling and enforcing
authentication to the vSphere host.
n The Application Manager Web interface listens on HTTP ports 8443 for administration and port 443 for
user authentication.
Insecure mode 8080 for operation and administration and 80 for user authentication.
Secure mode 8443 for operation and administration and 443 for user authentication.
For quick trials and tests, you can use Insecure mode. For pre-production testing and production, you should
switch to Secure mode.
Application Manager Recommendations and Requirements
To synchronize your Active Directory data effectively with Application Manager, ensure that the environment
for the Application Manager virtual appliance meets the minimum requirements.
The following components are required:
n The Application Manager virtual appliance that VMware provides as an Open Virtual Appliance .ova file.
n VMware vSphere as the host of the virtual appliance. See the release notes for the currently supported
vSphere versions.
n A virtual machine client, such as vSphere Client, that provides access to Application Manager virtual
appliance interface. This client is required to deploy the .ova file to vSphere and to access the deployed
virtual appliance remotely in order to configure networking.
n The appropriate VMware licenses.
n A conversion tool, if your VMware hypervisor does not open OVA files directly. VMware offers a free
tool for Windows and Linux. See “Convert the Virtual Appliance File Format,” on page 24.
You must consider your entire Application Manager deployment. Therefore, consider how you are integrating
the Connector with Application Manager when you make decisions about hardware, resource, and network
requirements. See Installing and Configuring the Connector.
VMware, Inc. 19Hardware Requirements for the Application Manager Virtual Appliance Host
Ensure that the environment for the host, the vSphere instance, to run the Application Manager virtual
appliance meets the minimum hardware requirements.
Table 3-1. Minimum Application Manager Hardware Requirements
Component Minimum Requirement
Processor One Intel Xeon Dual Core, 3.0GHz, 4MB Cache
RAM 6GB DDR2 667 MHz, ECC and registered
On-board LAN One 10/100/1000Base-TX port
Storage 32GB
Resource Requirements and Recommendations for the Application Manager
Virtual Appliance
Ensure that the resources allocated to the Application Manager virtual appliance meet the minimum
requirements.
IMPORTANT In reference to storage, you can use the internal database for the proof-of-concept phase. Do not
use the internal database server in production. For production, install and configure an external database
server.
Table 3-2. Application Manager Resource Requirements and Recommendations
Component Required Recommended
Processor 2 vCPU 4 vCPU for higher performance
Random-
access
memory
4GB 4GB
Storage 32GB External database sizing information: 64GB
for first 100,000 users. Add 20GB for each
additional 100,00 users
Network Configuration Requirements for the Application Manager Virtual
Appliance
For the Application Manager virtual appliance is specific to configuring a Network Time Protocol (NTP) server.
Table 3-3. Network Configuration Requirements
Network Requirements
Access to a Network Time Protocol (NTP) server made available in one of the following ways:
n To allow Application Manager to access an external NTP server, you must ensure that the outbound firewall port 123
(NTP Protocol) is opened from Application Manager to the Internet.
n If you do not want a firewall port open for the NTP server, you must ensure that the NTP configuration is pointing to
an internal NTP server. You perform this action when you configure the Application Manager using the Application
Manager virtual appliance interface.
Inbound firewall port 443 opened from users outside the enterprise network to Application Manager.
Installing Application Manager
20 VMware, Inc.System Requirements for User Systems Running the Horizon Agent
This requirement applies when Application Manager provides ThinApp Package access. If users run the
Horizon Agent from their systems, ensure that users` systems meet the minimum requirements.
Table 3-4. User System Requirements
Component Required
Random-access memory 1GB
Chapter 3 Security Considerations and System Requirements for Application Manager
VMware, Inc. 21Installing Application Manager
22 VMware, Inc.Preparing to Install Application
Manager 4
Preparing to install the Application Manager involves creating the DNS name; obtaining the Application
Manager virtual appliance; and configuring the hardware, resource, and network settings of the Application
Manager host. Other preinstallation tasks might be required depending on the specifics of your deployment.
This chapter includes the following topics:
n “Prepare to Install Application Manager,” on page 23
n “Convert the Virtual Appliance File Format,” on page 24
Prepare to Install Application Manager
You must prepare your environment for the installation of Application Manager.
Prerequisites
n Plan your Application Manager deployment, deciding how to integrate the Connector. See Installing and
Configuring the Connector.
n Ensure that all the hardware, network, and resource requirements are met. See “Application Manager
Recommendations and Requirements,” on page 19.
Procedure
1 Create the Domain Name System (DNS) record for the Application Manager virtual appliance host.
CAUTION As part of creating the DNS record, create a pointer (PTR) resource record in a reverse lookup
zone. This allows reverse resolving of IP addresses, which is a required configuration for Application
Manager to function properly.
VMware, Inc. 23The DNS name must be available in your DNS server for the Application Manager hostname to be
recognized. Depending on your organization, creating the DNS record might take several days. Provide
enough time to ensure that the DNS name is available when required.
The hostname has at least three parts, a.b.c. For example, Org1.MyDomain.com.
IMPORTANT When you are prompted for a hostname in the Application Manager virtual appliance, be
aware that the name you enter, such as Temp.MyDomain.com, is also used for initial access to the Operator
Web interface. For example: http://Temp.MyDomain.com. The first part of the hostname, “Temp” in this
example, is later replaced with the first organization you create in the Operator Web interface. If you name
the first organization Org1, http://Org1.MyDomain.com can be used to reach Application Manger in the
future. The URL http://Temp.MyDomain.com continues to provide access to Application Manager, too.
To avoid having two URLs that access the same interface, the best practice is to enter a DNS name where
the first part of the name, such as Org1, matches the first organization name that you plan to create. This
practice allows one URL, http://Org1.MyDomain.com, to continuously provide access to Application
Manager.
2 Create a DNS address record, or DNS address records, for each additional organization you plan to create
for Application Manager, pointing to the same IP address.
3 Download the .ova file for the Application Manager virutal appliance from the VMware Download Center
and deploy it.
You can download the .ova file directly to the vSphere host or you can download it to another machine.
Convert the Virtual Appliance File Format
You can convert the virtual appliance file format from the OVA format to the VMX format by using the VMware
OVF tool. Perform this file format conversion only if the hypervisor does not support the OVA format.
The Open Virtualization Format (OVF) tool is a free command-line utility that can convert file formats of virtual
machines. You install the virtual appliance on a VMware hypervisor that supports the VMX format and convert
the OVA format to the VMX format.
Procedure
1 Download the VMware OVF tool from the VMware Web site and install it.
Follow the installer instructions to install the tool.
2 Create and name a directory in your hypervisor`s data store, which is the directory where virtual machines
reside.
Provide the name for the directory.
3 Move to that directory.
The converter tool deposits output files in the current directory.
4 Start the converter tool with the following command: path-to-ovftool -tt=VMX ova-file-name VMX-file-
name
For example: /usr/bin/ovftool -tt=VMX virtualappliance-1.1.0.ova virtualappliance
The command might take a few minutes to complete. The following is sample output:
Opening OVA source:
../virtualappliance-1.1.0.ova
Opening VMX target: central-virtualappliance
Target: central-virtualappliance.vmx
Installing Application Manager
24 VMware, Inc.Disk progress: 36%

Disk Transfer Completed
Completed successfully
Example: File Conversion Output
Two items appear in your current directory as a result of this task: a .vmdk disk image file and a .VMX virtual
machine configuration file, as the following example shows:
-rw——- 1 root root 1.6G 2011-05-17 14:46 central-virtualappliance-disk1.vmdk
-rw-r–r– 1 root root 1.1K 2011-05-17 14:46 central-virtualappliance.vmx
What to do next
Install the virtual appliance on your hypervisor.
Chapter 4 Preparing to Install Application Manager
VMware, Inc. 25Installing Application Manager
26 VMware, Inc.Installing Application Manager 5
After you install Application Manager virtual appliance, you can access the Application Manager Operator
Web interface to run the Operator setup wizard.
Installing Application Manager includes the following tasks:
n Use vSphere Client to install the Application Manager virtual appliance.
n Start and configure the virtual appliance.
n Use the Application Manager Web interface to perform the initial configuration of Application Manager
necessary to log in to Application Manager as an operator.
The steps to prepare the virtual appliance can vary. For specific instructions, see the vSphere documentation.
This chapter includes the following topics:
n “Start the Application Manager Virtual Appliance,” on page 27
n “Use the Virtual Appliance Interface for the Initial Application Manager Configuration,” on page 28
Start the Application Manager Virtual Appliance
Starting the Application Manager virtual appliance gives you access to the Application Manager virtual
appliance interface, including the CLI of the underlying SLES operating system.
You perform the preliminary configuration of Application Manager with the virtual appliance interface. The
underlying operating system for Application Manager is SUSE Linux Enterprise Server (SLES) 11 SP1. You can
configure the operating system files directly from the Application Manager virtual appliance interface. Use
caution when editing the operating system files since changes can have unanticipated affects on the
deployment.
Procedure
1 Use vSphere Client to install the Application Manager virtual appliance by choosing the Deploy OVF
Template option.
See VMware vSphere documentation.
2 Power on the virtual appliance.
This action boots the virtual appliance`s SLES operating system, starts the Application Manager processes,
and connects to a DHCP server, if present, to acquire an IP address.
During start up, the virtual machine displays messages in the Application Manager virtual appliance interface.
You can usually ignore the messages until you are prompted to change the UNIX password. You can perform
the initial configuration of the Application Manager as described in “Use the Virtual Appliance Interface for
the Initial Application Manager Configuration,” on page 28.
VMware, Inc. 27Use the Virtual Appliance Interface for the Initial Application Manager
Configuration
Use the Application Manager virtual appliance interface to make the initial configurations to Application
Manager, such as network and time-related configurations.
When you install the Application Manager virtual appliance, the Application Manager virtual appliance
interface first prompts you for the root and sshuser passwords. After you provide and confirm the passwords,
the interface presents you with a wizard that leads you through the basic configuration. You can return to the
Application Manager virtual appliance interface at any time to update these settings or to perform other
configurations to the SLES operating system.
Prerequisites
n Configure the Application Manager virtual appliance interface after you have installed the virtual
appliance on vSphere. See “Start the Application Manager Virtual Appliance,” on page 27.
n Verify that you followed the steps to prepare for the installation of the Application Manager. See “Prepare
to Install Application Manager,” on page 23.
n If applicable, open a firewall port for an external Network Time Protocol (NTP) server. For more
information about the network requirements for configuring an NTP server, see “Application Manager
Recommendations and Requirements,” on page 19.
Procedure
1 At the root UNIX password prompts, provide and confirm the root user password for access to the SLES
operating system of the Application Manager.
2 At the sshuser UNIX password prompts, provide and confirm the password for remote access to the SLES
operating system of Application Manager.
Application Manager creates the user sshuser for you. This user can access Application Manager virtual
appliance command line remotely using the ssh Linux command, or SSH client. This user has limited
privileges to the command line. Therefore, once you connect remotely, you might want to use the su
command to switch users from sshuser to root.
IMPORTANT SSH (Secure Shell) client is a program for remote access. By default ssh access is limited to
machines on the same subnet. Changing the scope of access involves sshd, the ssh daemon, and might
require you to edit the hosts.allow and hosts.deny files. See Linux man pages for more information.
The wizard of the Application Manager virtual appliance interface starts.
Installing Application Manager
28 VMware, Inc.3 Respond to the wizard prompts with information specific to your deployment.
Option Action
Respond to the IPv6 prompt. Type y if you have an IPv6 network. If you do not have an IPv6 network,
accept the default response of n.
Respond to the DHCPv4 prompt. NOTE The recommended practice is to use a static IP address.
If you have a static IP address, type n. Continue responding to the
subprompts related to a static IP address.
If you have a DHCPv4 address, accept the default response y and continue
responding to the subprompts related to DHCP and a proxy server.
If you respond with n, continue responding to the subprompts related to a
static IP address, including subprompts about IPv4 address, netmask,
gateway, DNS servers, and proxy server.
Respond to the hostname prompt. Type a unique hostname with at least three parts, a.b.c.
IMPORTANT Be aware that the name you enter, such as
Temp.MyDomain.com, is also used for initial access to the Operator Web
interface. For example: http://Temp.MyDomain.com. The first part of the
hostname, “Temp” in this example, is later replaced with the first
organization you create in the Operator Web interface. If you name the first
organization Org1, http://Org1.MyDomain.com can be used to reach
Application Manger in the future. The URL http://Temp.MyDomain.com
continues to provide access to Application Manager, too. To avoid having
two URLs that access the same interface, the best practice is to enter a
hostname where the first part of the name, such as Org1, matches the first
organization name that you plan to create. This practice allows one URL,
http://Org1.MyDomain.com, to continuously provide access to Application
Manager.

When you are finished configuring the network settings, the main screen of the Application Manager
virtual appliance interface appears.
4 If necessary, configure a Network Time Protocol server.
By default, the Application Manager Appliance points to specific external NTP servers, as listed in
the /etc/ntp.conf file. However, networking or DNS issues might prevent the virtual appliance from
reaching the external NTP servers. Also, you might want to use NTP servers other than the default settings.
When you properly configure the Application Manager deployment, the time for all systems is maintained
within a range of one minute.
CAUTION Failure to follow the NTP recommendations can prevent user access to the Application Manager
Web interface since both the SAML and Kerberos protocols rely on an accurate system clock. The protocols
used between Application Manager and the Connector and between the Connector and Active Directory
require that the time synchronization of these systems falls within a narrow range.
a Select Login and log in to the Linux operating system with root credentials.
b Using Linux commands configure Application Manager`s time settings.
See Timekeeping best practices for Linux guests (KB 1006427) for information about time settings for
SLES 11. Consult the section on NTP recommendations.
c Exit the command line to return to the main page of the Application Manager virtual appliance
interface.
5 Confirm the Network Time Protocol configuration.
You should check this screen in the following situations:
n When you first install the Application Manager Appliance.
n Any time in the future when you modify the networking environment that can affect the ability to
contact the NTP server or when you change the NTP configuration.
Chapter 5 Installing Application Manager
VMware, Inc. 29n As a troubleshooting option when users experience an access issue.
See the troubleshooting section for information about the possible messages on this screen.
6 Set the time zone for Application Manager.
a Select Set Timezone.
b Continue selecting location options to select your specific time zone.
7 In the Application Manager virtual appliance interface, select Configure to view or set available
configuration options.
You should initially configure the Application Manager virtual appliance for testing or trial purposes.
Therefore, you can leave several options unconfigured and return to the Application Manager virtual
appliance later for further configuration. The following list describes options you can skip during the
initial configuration.
Option Description
Generate New SSL Certificate By default, SSL is not enabled and no SSL certificate is needed. You do not
need to enable SSL for trials or testing. However, for security reasons, you
should enable SSL before you move the deployment to production.
If you configure your Web server to be secure, you need a certificate to certify
your organization`s Application Manager Website to end users. You can use
either a third-party CA certificate or you can generate your own self-signed
SSL certificate. If you use a self-signed SSL certificate, you must deploy it to
user machines for ThinApp integration.
Configure Web Server Insecure. By default, the Web server uses insecure ports, which is appropriate
for initial trials or testing. Also, using insecure ports allows you to test
ThinApp integration without installing certificates on user machines.
Secure. Use secure ports for pre-production testing or production. To use
secure ports, you need either a third-party CA certificate or an SSL certificate
to certify your organization`s Application Manager Website to end users.
Configure Database Connection By default, Application Manager uses an internal database that runs directly
in the Application Manager virtual appliance. To support high availability
and load balancing, you must disable the internal database and configure a
connection to a supported external database.
Database Key Management Database key management applies when you point multiple Application
Manager instances to a shared external database.
Gather Diagnostic Information for
Support
Gathering diagnostic information applies to a troubleshooting procedure
that involves gathering log and other data for technical support purposes.

8 Record the Application Manager hostname or IP address as listed on the Change Application Manager
Configuration page.
When you finish the initial configuration of the Application Manager virtual appliance, you can enter the
hostname in a browser to gain initial access to the Application Manager Operator Web interface. The
Operator setup wizard leads you through the creation of the first Application Manager organization.
Option Description
Configure Hostname The three-part hostname is listed.
Configure Network The IP address is listed.

9 Restart the Apache Tomcat server for the time zone configuration to take effect.
a In the Application Manager virtual appliance interface, select Configure.
b Type the number to Manage Web Server.
c Type the number to Restart Tomcat.
Installing Application Manager
30 VMware, Inc.Application Manager is ready for further configuration.
What to do next
Use a browser to access the Operator Web interface.
Chapter 5 Installing Application Manager
VMware, Inc. 31Installing Application Manager
32 VMware, Inc.Configuring Application Manager with
the Operator Setup Wizard 6
Use the Operator setup wizard for the initial configuration of Application Manager, including the creation of
the first organization. You can then configure the Connector or return to the Operator Web interface for further
configuration.
The setup wizard leads you through a quick and simple configuration process.
Access the Application Manager Operator Web Interface
When Application Manager has a hostname and IP address, you can use a browser to access the Operator Web
interface. The first time you access the Operator Web Interface, the Operator setup wizard leads you through
the initial configuration, including the creation of the first Application Manager organization.
Running the Operator setup wizard creates your deployment`s initial Application Manager organization.
NOTE In the Operator setup wizard, you are required to provide a name for your organization. That name
becomes part of the URL used to access your initial organization. See “Prepare to Install Application
Manager,” on page 23 for the best practice for creating a DNS record for the virtual appliance host. That best
practice relates to the name yo

Leave a Comment