How to install and configure Provision Networks Virtual Access Suite (VAS) Enterprise Edition (Part 1)


Virtual Access Suite (VAS) Enterprise Edition is a product suite from Provision Networks, a Division of Quest Software. VAS Enterprise Edition enables the consolidation of application and desktop delivery from Windows Terminal Services, Blade or Physical PCs, and Virtual Infrastructures such as VMware VI3 or Virtual Iron.

This set of articles describes in detail how to install and configure each of the components of VAS Enterprise Edition. The articles also cover best practices on where each component should be placed in a typical deployment.

VAS Enterprise Edition consists of all of the following modules from VAS Standard Edition:

  • Block-IT (application and network server access control)

  • Manage-IT (session/desktop configuration and lockdown)

  • Max-IT (CPU and Virtual Memory Optimization)

  • MetaProfiles-IT (user profile management)

  • Print-IT (EMF and PDF universal print driver for client printers, network printers and WAN Printing)

  • Redirect-IT (per-user file and registry redirection)

  • TimeZones-IT (per-session time zone assignment)

  • USB-IT (Redirection of USB-connected Blackberry, Palm and Pocket PC handheld devices)

  • VIP-IT (per-session IP Address assignment)

VAS Enterprise Edition also adds the following features (not included in VAS Standard Edition):

  • Provision-IT

    • Application, Desktop and Content Publishing

    • Integration with Microsoft Softricity SoftGrid

    • Application and Terminal Server Load Balancing

    • Seamless Windows

    • Session Sharing

    • Screen Resolution up to 4096 x 2048 pixels

    • Multi-Monitor Support

    • Credentials Pass-through

    • Kerberos-based authentication and pass-through

    • Smartcard Authentication

    • Windows, Windows CE, Linux, Java and ThinStall Clients

  • Web-IT (Web Portal)

    • Multi-Farm Application Set Aggregation

    • Credentials pass-through

    • Two-factor authentication (RSA, Secure Computing and RADIUS)

    • Client auto-detection and download

    • Application Auto-launch

    • Remote Password Reset

    • Load Balancing via Microsoft NLBS or 3rd party load balancer

    • Client location identification (redirects users through the SSL Gateway based upon IP Address Rules)

  • Secure-IT (SSL Gateway)

    • Secure single point of access to firewall-protected Terminal Server farm and managed desktops (VAS Infrastructure)

    • Uses SSL, so clients do not need to be able to communicate over a non-standard port.

    • Typically deployed in the DMZ so SSL traffic is not terminated in the private network

  • Proxy-IT

    • Allows RDP Clients that are not capable of installing the VAS Client to connect to a VAS Infrastructure.


The configuration of a given VAS Infrastructure is stored in an SQL Server Database. This can be in MSDE, SQL Server 2000, SQL Server 2005 Express or SQL Server 2005. It should be noted that the Provision Database requires SQL Server Authentication, so if one has an existing SQL Server that is configured for Windows Authentication, the Provision Database must be installed on another SQL Server Instance.

When installing VAS Enterprise, one can either manually create the Provision Database, or the VAS Install can create a DSN and a Database when the Provision Console is opened for the first time. In most large organizations the SQL Server DBAs will insist that they create the database, but in smaller organizations one may choose either.

In this configuration the Provision Database will be installed on SQL Server 2005 Express, which is a free download from Microsoft. This SQL Server will be installed on a member server in an Active Directory Domain. Active Directory is not a prerequisite, but is the most common directory infrastructure in use today.

While all Server Components of VAS Enterprise can be installed on a single server, this is not a typical configuration. Problems with a Server Based Computing Infrastructure often occur due to a lack of planning, e.g. when everything is installed on one server and put into production without any testing or user acceptance. For this configuration everything is being installed on VMware, but on several different virtual machines. In this test infrastructure we have the following:

  • 2003 Server – Domain Controller & Terminal Server Licensing Server (no VAS components)

  • 2003 Server – File & Print Server (including user profiles)

  • 2003 Server – SQL Server (2005 Express – Provision Database)

  • 2003 Server – VAS Connection Broker & Password Reset Service

  • 2003 Server – Web Server (IIS w/ – Web-IT)

  • 2003 Server – Terminal Server x 2 (Provision-IT)

  • 2003 Server – SSL Gateway (Secure-IT)

  • XP Pro Workstation – Managed Desktop x 2

Components are being separated in this manner to better emulate what would exist in a typical enterprise. Since this is being configured on a virtual infrastructure using VMware, a lab with many physical servers is not necessary if one only wants to test drive VAS Enterprise.

Installation of SQL Server 2005 Express

If an SQL Server does not already exist in the target environment, one needs to be set up to accommodate the Provision Database. In this configuration SQL Server 2005 Express and SQL Server Management Studio Express will be installed on a dedicated Active Directory Member Server.

SQL Server 2005 Express and SQL Server Management Studio Express can be downloaded from, or from

An unattended installation of SQL Server 2005 Express can be performed by first extracting the installation files from SQLEXPR32.EXE with SQLEXPR32.EXE -x. Choose a target directory where the installation files will be stored, then execute the following command.


This command line performs a quiet installation (with basic UI) of SQL Server 2005 Express to an instance named “PROVISION”, using Mixed Mode Authentication (required), enables Network Connectivity and sets the SQL SA Password to “Provision” (change this to a stronger password, since the SA account has full control of the instance).

SQL Server Management Studio Express is used by System Administrators and DBAs to manage the Database Server and to back up and restore databases. Launch SQLServer2005_SSMSEE.msi to begin the installation of SQL Server Management Studio Express. Accept the defaults.

Installation of the Connection Broker and Password Reset Service

In this configuration the VAS Connection Broker and Password Reset Service will be installed on another 2003 Member Server. These components do not need to coexist, but this is a common configuration.

The Connection Broker is an XML Service that responds to client connection requests on TCP Port 8080 (by default) and listens for Data Collector service connections (from Terminal Servers or Managed Desktops) on TCP Port 5201. It is the brains of the Virtual Access Suite.

The Password Reset Service facilitates SSL-protected password reset requests from clients, to allow them to reset their Active Directory Credentials via the Web-IT Web Interface Portal. This service requires an SSL Certificate and listens on port 443 (by default).

The VAS Installer only displays the components that can be installed on the host computer, so if ASP.Net is not installed, Web-IT will not be an option that can be selected. Additionally, if the installation will integrate with VMware Virtual Center, Sun JAVA™ SE Runtime Environment 5, Update 7 or higher must be installed prior to installing VAS.

Launch VAS.exe to begin the Virtual Access Suite Installation.

Select Terminal Server and Standard Desktops (Enterprise Edition) and click “Next”.

Select “Connection Broker Service”, “Password Reset Service” and “Provision Management Console”. Click “Next” to complete the installation of the selected components.

Because VMware Integration was selected, the installation prompts for the location of the VMware Certificate Store. This is the self-signed certificate that is created when VMware Virtual Center is installed. Click “Next” to complete the installation.

At this point, the Connection Broker and Password Reset Service are installed, but the Provision Database has not been created. The Provision Database is created the first time the Provision Management Console is launched. Alternatively a DBA can create the database and provide the VAS Administrator with SQL “dbowner” Logon Credentials for the database.
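The DBA-created alternative described above, together with the SQL Server Authentication requirement noted earlier, can be scripted so that VAS receives its own database-scoped login rather than the SA account. This is an added example, not from the original article or from Provision Networks; the database name ProvisionDB and the login vas_admin are assumed names, and the password is a placeholder.

```sql
-- Added example: ProvisionDB and vas_admin are assumed names, not from the article.
-- Run as a sysadmin on the PROVISION instance (e.g. from Management Studio Express).

-- 1. The Provision Database needs SQL Server Authentication, so stop early if the
--    instance is Windows-only (IsIntegratedSecurityOnly = 1 means Windows-only).
IF CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
BEGIN
    RAISERROR('Instance is Windows Authentication only; enable Mixed Mode first.', 16, 1);
    RETURN;
END;

-- 2. Create the database and a dedicated SQL login that enforces the Windows
--    password policy. Replace the placeholder before running.
CREATE DATABASE ProvisionDB;

CREATE LOGIN vas_admin
    WITH PASSWORD = N'<REPLACE-WITH-STRONG-PASSWORD>',
         CHECK_POLICY = ON;

-- 3. Map the login into the new database only and grant db_owner there.
--    Dynamic SQL keeps the whole script in one batch, so the RETURN in
--    step 1 also skips these statements.
EXEC (N'USE ProvisionDB;
        CREATE USER vas_admin FOR LOGIN vas_admin;
        EXEC sp_addrolemember N''db_owner'', N''vas_admin'';');

-- 4. Review the result: policy enforcement per SQL login, and confirm the
--    new login does not hold the sysadmin server role.
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE name IN (N'sa', N'vas_admin');

SELECT IS_SRVROLEMEMBER('sysadmin', 'vas_admin') AS vas_admin_is_sysadmin;
```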

Upon opening the Provision Management Console for the first time, the administrator is prompted to “Create a new database and DSN” or to “Create DSN only for existing database”. Because we want to create the database, we use the default option.

Since the Provision Management Console is being opened for the first time, the Provision Database has not yet been populated with the Customer Information that is tied to the VAS Licenses. Complete the Customer Information, then click the save button. If this information is changed at a later time, new licenses will need to be acquired.

The VMAC listed above is used to generate the VAS Licenses on the Provision Networks Website.

Once the Provision Management Console has been launched, one may want to change the name of the Provision Farm to something unique and meaningful to the business, e.g. “Corp XYZ Test Farm”. At any time an administrator may change the farm name via the Farm Properties in the Provision Management Console.

Right-click on the “Connection Brokers” node in the Provision Management Console and select “New Connection Broker”.

Enter the name of the VAS Connection Broker and click OK.

The default listening port for the Connection Brokers is 8080, but this can be changed to meet the requirements of the business. This change is made at the properties of the Connection Brokers node, as it affects all connection brokers in the farm.

Future articles will describe how to install and configure the other components of VAS Enterprise.
