How to install and configure Provision Networks Virtual Access Suite (VAS) Enterprise Edition (Part 2)

If you would like to read the other parts in this article series please go to:

Introduction

Virtual Access Suite (VAS) Enterprise Edition is a product suite from Provision Networks, a Division of Quest Software. VAS Enterprise Edition enables the consolidation of application and desktop delivery from Windows Terminal Services, Blade or Physical PCs, and Virtual Infrastructures such as VMware VI3 or Virtual Iron.

Part two of this set of articles will describe, in detail, how to install VAS Enterprise on a Windows Terminal Server and how to publish applications to Users, Groups, Device Addresses (IP Addresses), Device Names (Client Names) and Active Directory Organizational Units (OUs).

Prerequisites

A prerequisite to installing VAS Enterprise on a 2003 Server to deliver Managed Applications (A.K.A. Published Applications) would be that the Terminal Server Role has been assigned to the server. This is a fairly simple process, but to recap, here are the steps (assuming a clean install and a non-production server):

Step one is to lock down the file system on the server. By default every logged on user has permission to create files and folders in the root of the System Drive and in the Program Files directory. This opens up the possibility that an end user could intentionally or unintentionally install spyware/malware or some other application that could make the system unstable. To remove these permissions, follow the steps below:

View the Advanced Security Settings on the root of the System Drive and remove the permissions highlighted in the picture above, so members of the “Users” group no longer have NTFS Permissions to “Create Folders / Append Data” and “Create Files / Write Data”.

View the Advanced Security Settings on the “Program Files” directory and remove the permissions highlighted in the picture above, so members of the “Power Users” and “TERMINAL SERVER USER” groups no longer have modify NTFS Permissions.
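The two permission changes above can be checked from PowerShell with a read-only audit. This is an added example, not part of the original article; it assumes PowerShell 2.0 or later is installed on the server and identifies the three groups by their well-known SIDs. Any row it prints is a write-capable entry that is still present.

```powershell
# Added example (not from the article): read-only audit, changes no permissions.
# Well-known SIDs are used so the check also works on non-English builds.
$groups = @{
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-13'     = 'TERMINAL SERVER USER'
}
# Which groups the article strips from which location.
$targets = @(
    @{ Path = ($env:SystemDrive + '\'); Sids = @('S-1-5-32-545') },
    @{ Path = $env:ProgramFiles;        Sids = @('S-1-5-32-547', 'S-1-5-13') }
)
# "Create Files / Write Data" and "Create Folders / Append Data" are these two
# bits. An entry granting Modify contains both, so one mask covers both paths.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

function Get-WritableAce {
    param([string]$Path, [string[]]$Sids)
    $acl = Get-Acl -Path $Path
    # Ask for explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        $grantsWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and ($Sids -contains $sid)) {
            New-Object PSObject -Property @{
                Path      = $Path
                Group     = $groups[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

$findings = @($targets | ForEach-Object { Get-WritableAce -Path $_.Path -Sids $_.Sids })
if ($findings.Count -gt 0) {
    $findings | Format-Table Path, Group, Rights, Inherited, AppliesTo -AutoSize
} else {
    'No write-capable entries found for the audited groups.'
}
```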

To add the Terminal Server Role, open the “Configure Your Server Wizard” Administrative Tool -> Select “Terminal server” and click “Next”. The server will automatically reboot when the role has been added.

Note: 
An activated 2003 Terminal Server Licensing Server with installed 2003 Terminal Server Client Access Licenses (TSCAL) must be discoverable within 120 days of adding the Terminal Server Role or the server will stop accepting Terminal Server Session requests.

Installation

From the physical console of the Terminal Server, or via a Remote Desktop Console Session (mstsc.exe /console), switch to “install mode”. Launch the VAS Installer (vas.exe).

Select “Terminal Servers and Standard Desktops (Enterprise Edition)” and click “Next”.

Accept the default selections, and add the Provision Management Console (as shown above).

Click the “Install” button to commence the installation.

Once the installation process is complete, click “Finish”, and “Yes” to restart the system.

Launch the Provision Management Console and create a new Data Source to connect to the Provision Database.

Select the option to “Create DSN only for existing database” and enter the Provision SQL Login that was created when the Provision Management Console was first opened on the Connection Broker (in part one of this article series).

Confirm the SQL Login Password that will be used to connect to the Provision Management Database.

Click “Yes” to set the current main Provision database to [Provision Database].

When the Provision Management Console opens, right-click on the Terminal Servers node and select “New Terminal Server”.

Accept the default selection <New Server> and click “OK”.

Type in the NetBIOS name of the new Terminal Server, or click “Browse” to select it from a list. At this point the server is now added to the Provision Networks Server Farm.

Application Publishing

In contrast to Citrix Presentation Server (CPS), Managed Applications can be published and policies can be applied to Users, Groups, Device Addresses (IP Addresses), Device Names (Client Names) and Active Directory Organizational Units (OUs). In VAS, all of these are considered “Clients”. In CPS, applications can only be assigned to Users and Groups. This additional filtering capability provides more flexibility when planning the delivery of applications.

One can either define the clients via the “Clients” node, or this can be done when defining a New Managed Application.

Publishing of Applications, Desktops and Internet Content is done from Resources -> Managed Applications -> Right-Click -> New Application, or by clicking the “New” button (green plus sign) in the right pane when Managed Applications is selected.

The window shown above is the interface to publish a new application / program, Desktop or Internet Content. The default is “Program”, and this can be changed via the “Change Type:” button in the upper right corner of the General Tab. Publishing a desktop connects a user to the Explorer Desktop of either a Terminal Server, or a Managed Desktop (Windows XP Pro or Vista), whereas publishing content publishes a Website, URL or other content that launches in a Web Browser.

To publish a Program, click the ellipsis next to the “Path:” text box.

Select the button that describes where the program is located. Clicking “Terminal Server” or “Managed Desktop” buttons will allow the administrator to browse the terminal servers or desktops defined in the Provision Management Console. Clicking “File Server” allows the administrator to browse the network for a file located on a file share and clicking “This Computer” displays the file structure on the computer where the Provision Management Console is currently running.

If Terminal Server is clicked, the dialog above is displayed, where the administrator can select the Terminal Server where the program is installed.

Select the share on the Terminal Server that contains the program. On the Terminal Server that is selected in the dialog above, only the Admin Share to the System Drive is available. Click “OK” to continue.

At this point the Explorer Select File Shell Extension is displayed, where the administrator can browse to and select any executable file, i.e. files with the extension exe, com, cmd, pif or bat.

After the program is selected, the associated icon is displayed, but can be changed via the General Tab -> Display Section -> Icon.

In that same Display Section, there also exists an “Application Startup” tab where the administrator can define whether the application starts Normal, Maximized or Minimized.

The rightmost tab in the Display Section is the “Status” tab, where the administrator can define whether the application is enabled or disabled, i.e. whether or not it is displayed in the user’s application set (list of applications).

The arguments text box in the Program Specifications section of the General Tab allows an administrator to add any application-specific switches. This text box is also used to define a file that should be opened by the defined program, for example publishing msaccess.exe with a specific MDB (Access data file). The working directory is fairly self-explanatory.

On the User Experience Tab of the Managed Application definition, the administrator can specify whether application shortcuts will be displayed on the client’s Desktop, Start Menu or Start Menu \ Programs. This only affects the AppPortal Client in Desktop-Integrated (DI) Mode, where the AppPortal UI is hidden. This will be described in more detail in another section of this article series.

The “Published On” Tab is where the administrator defines which Terminal Servers or Managed Desktop Groups host the managed application. If the administrator selects a Managed Desktop Group (logical grouping of XP Pro or Vista VMs, or PC Blades) it is assumed that the application exists on each member of the group.

The Workload Management tab allows the administrator to select a Workload Evaluator, which defines how the application is load balanced in the VAS Farm. The Default Load Evaluator (shown above) is based upon the Number of Users that have Terminal Server Sessions on a given Terminal Server. Additional workload evaluators can be defined based upon any combination of the available counters. One should only use custom workload evaluators as needed, as over-customizing workload evaluators can cause inconsistent load balancing results.

The Application Restrictions tab allows the administrator to add the program to an existing list of allowed applications, or to create a new list. Application Lists are defined and assigned to clients to limit them to executing only these applications.

The default setting for Application Restrictions is to allow applications to be executed. This setting can be changed from the properties of the Application Restrictions Node. It is possible to restrict access to all unmanaged applications by checking the “Deny access to unmanaged apps, as well as applications belonging to conflicting file groups” option.

In contrast to Citrix Presentation Server, where application publishing is simply an application delivery mechanism, VAS Enterprise offers bullet-proof, easy to define rules to restrict users only to the applications that are defined by the administrator. These rules can be assigned to the same Clients that were described earlier in this article, i.e. Users, Groups, Device Addresses, Device Names and Organizational Units. These rules will be described in more detail in a future installment of this article series.

The Virtual IP Tab is used to define whether or not Virtual IP Addressing (VIP) should be enabled for this Managed Application. VIP is used for Winsock applications where the application requires a unique IP Address for each instance of the application, whether for identification or communication. VIP will be described in more detail in a future installment of this article series.

Finally, the Access Control List tab is where the administrator defines which clients receive the managed application. Click the “Assign clients to [Program Name]:” button to assign clients to the application.

If no Clients have been defined in the Provision Management Console, or the clients to which the application will be assigned are not displayed, click the “Show Edit Tools” button.

Click the “New Client:” button to add a client.

On the Add Client(s) dialog, the administrator may enter or browse the list of Domain or Local Users or Groups. If an NT/Active Directory domain or Local SAM is selected, the users/groups are displayed in a flat list.

The Device IP Addresses Tab of the Add Client(s) dialog allows the administrator to add a client that is an IP Address, or IP Address Range. This is particularly useful for roaming users that should only have access from a client that has a Private IP Address on the corporate network.

The Device Names Tab of the Add Client(s) dialog allows the administrator to add a client that has a specific name, or naming convention. This is particularly useful for roaming users that should only have access from a client that has a specific name on the corporate network.

  • Multiple Device Names are separated by semi-colons.
  • A range of devices with a common naming convention is entered with the variable enclosed in brackets, i.e. CorpABC-[1-99].
  • An Asterisk can be used as a wildcard character.
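Before assigning an application to a Device Names entry, it helps to preview which client names the entry would cover. The following is an added example, not part of the original article and not VAS code; only the syntax (semi-colons, bracketed ranges, asterisk) comes from the list above, while the matching semantics, the function names and the sample names are assumptions.

```powershell
# Added example: preview which client names a Device Names entry would cover.
# Assumed semantics (only the syntax comes from the article): matching is
# case-insensitive and anchored to the whole name, [a-b] is an inclusive
# numeric range without leading zeros, and * matches any run of characters.
function ConvertTo-DeviceNameRegex {
    param([string]$Pattern)
    $regex = '^'
    # Split on [low-high] tokens; the capture group keeps them in the result.
    foreach ($part in [regex]::Split($Pattern, '(\[\d+-\d+\])')) {
        if ($part -match '^\[(\d+)-(\d+)\]$') {
            $low = [int]$Matches[1]; $high = [int]$Matches[2]
            if ($high -lt $low -or ($high - $low) -gt 9999) { throw "Unsupported range $part" }
            # Expand the range into an alternation: (?:1|2|...|99)
            $regex += '(?:' + (($low..$high) -join '|') + ')'
        } else {
            # Literal text; only the escaped asterisk becomes a wildcard.
            $regex += [regex]::Escape($part).Replace('\*', '.*')
        }
    }
    return $regex + '$'
}

function Test-DeviceName {
    param([string]$Name, [string]$Entry)
    $ignoreCase = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    foreach ($pattern in ($Entry -split ';')) {
        $pattern = $pattern.Trim()
        if ($pattern -eq '') { continue }
        $rx = ConvertTo-DeviceNameRegex $pattern
        if ([regex]::IsMatch($Name, $rx, $ignoreCase)) { return $true }
    }
    return $false
}

# Constructed sample entry and client names.
$entry = 'CorpABC-[1-99]; KIOSK-*'
'CorpABC-7', 'corpabc-99', 'CorpABC-100', 'CorpABC-7x', 'KIOSK-LOBBY', 'HomePC' |
    ForEach-Object { '{0,-12} {1}' -f $_, (Test-DeviceName $_ $entry) }
```

Under these assumptions the first two names and KIOSK-LOBBY are covered, while CorpABC-100, CorpABC-7x and HomePC are not.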

The Active Directory tab of the Add Client(s) dialog allows the administrator to select a client that is an object in Active Directory.

Once a client is selected, the Select Folder(s) dialog displays, where the administrator selects in which Server and Client Folders the application should be displayed.

The completed Managed Application is displayed above. Click “OK” to return to the Provision Management Console, or click the “Assign clients to [Program Name]:” button to assign more clients to this application.

Future articles will describe how to install and configure the other components of VAS Enterprise.
