Installing VERDE Using RPMs

Confirm that virtualization (VT) is enabled in the BIOS.

To verify that the CPU is virtualization capable, run the following commands:

Intel processors:

egrep '^flags.*(vmx)' /proc/cpuinfo

AMD processors:

egrep '^flags.*(svm)' /proc/cpuinfo

If neither command produces an output, then virtualization is not enabled. Boot into the server bios and follow the hardware vendor’s steps to enable VT support.

Shared storage is an important consideration when installing VERDE. Shared storage is a requirement for any VERDE clustered implementation, but it can also be valuable when starting out with a single server. VERDE maintains its internal structures in /home/vb-verde, and therefore needs access to this folder—whether in a single server or clustered environment. By starting out on a single server with an attached network storage device, future upgrades to a multi-server VERDE installation will be much easier, as you will not have to move /home/vb-verde to a NAS device later when two or more servers need to share the single instance of a common vb-verde structure.

When installing VERDE with a NAS device, CentOS requires a custom partition layout to keep /home/vb-verde from being created as a local file path during the VERDE installation.

Prior to installing the VERDE RPMs, a number of basic CentOS configuration steps need to be performed:

• Ensure the server network connection is enabled and that you can ping the gateway from the server
• Ensure you can ping the server from the workstation/client you're going to use to access the VERDE User Console and VERDE SW Client
• As root, run the following updates. Note: that some may have already been installed via the previous yum updates and these commands should be run as verification.
  • # yum --enablerepo=updates --enablerepo=base --assumeyes update openssl
  • # yum --enablerepo=updates --enablerepo=base --assumeyes update libpng
  • # yum --enablerepo=updates --enablerepo=base --assumeyes install java-1.8.0-openjdk.x86_64
  • # yum --enablerepo=updates --enablerepo=base --assumeyes install gtk2
  • # yum --enablerepo=updates --enablerepo=base --assumeyes install zip unzip
  • # yum --enablerepo=updates --enablerepo=base --assumeyes install ntpdate ntp-doc
• Set the clock if needed:

  # chkconfig ntpd on

  # /etc/init.d/ntpd start

• If you are planning to use a NFS/NAS (Shared Storage Device), perform the following before installing the VERDE software:
  • Run the following on the local server (not the NAS/NFS)

  # yum -y install nfs-utils nfs-utils-lib

  • Run the mount command. It must include the mount command, the data format, the desired flags, the server name, storage volume and where it’s being mounted to ….. /home/vb-verde.

  Here are two examples:

  # mount -t nfs4 -o rw,noatime fsf-dal1001b-fz.adn.networklayer.com:/SL02SEV1317203_1/data01 /home/vb-verde

  # mount -t nfs -o rw,noatime 10.10.1.104:/nfs/VerdeNAS /home/vb-verde

• Create the vb-verde user with a password that never expires.

  # useradd vb-verde

  # passwd vb-verde

• Then add vb-verde to the root group:

  # usermod -G root vb-verde

  Confirm that the following items are true for this account:

  • The account is not the root user.
  • The password of this account will not expire.
  • The UID/GID must be identical across all servers.
  • The account has a unique home directory that resides on the same file system as the VERDE Server.
• Create the following file: (include the – in the text on each line)

  #vi /etc/security/limits.d/95-verde.conf

  - nproc - 1

  - nofile 65535

• Set JAVA 8 as the default java version:

  # sudo update-alternatives --config java

• VERDE is inherently secure with its use of TLS security and encryption however you will need to ensure that specific ports are available for certain tasks.

 

Ports and Their Functions

Port	Used for
8443	Access to the Management Console
3389	Access to RDP connection
48622	Access to Spice connection
48632	Optional for customers using cloud branch (Smartsync) technology
22	Optional for times when the admin wants to SSH into the VERDE server

• During the installation, we suggest you simply disable security to save time. (For security reasons, we recommend that the use of iptables or some other firewall mechanism be in place prior to production.)

  # /etc/init.d/iptables stop

• Turn iptables off so they do not restart during reboots:

  # chkconfig iptables off

• SELINUX: (at a minimum, SELINUX must be in permissive mode—normally we suggest disabling it)

  #vi /etc/sysconfig/selinux

  SELINUX=disabled

• Confirm that the following items are true for this account:
  • The account is not the root user.
  • The password of this account will not expire.
  • The UID/GID is identical across all servers.
  • The account has a unique home directory that resides on the same file system as the VERDE Server.
• Create the ISO root directory:

  # mkdir /home/vb-verde/ISO

• Install the ISO files to use for creating your desktop gold images. Your ISO files should have the following permissions: d-rw-r--r-- 1 root root. Example: -rw-r--r-- 1 root root 3698128896 Jan 19 17:28 Win10_32.iso

In an RPM-based installation method the configuration script can run in interactive, menu, or in unattended modes.

• Run the script as root with the following command:

  # /usr/lib/verde/bin/verde-config [options] [-h|-u|-m|-i|<none>].

• Once the configuration applet completes the VERDE service will automatically be stopped:

  # reboot

• When VERDE comes back up, ensure the service is running:

  # service LICSRV status

  Script Options

  Script Options
  -h	Prints command help.
  -u	Starts an unattended configuration, which requires an answer file.
  -m	Starts a menu-based configuration, which enables direct access to specific parameters.
  <none>	If VERDE has already been configured on this server, this option sets up some system files and restarts VERDE. Otherwise, an unattended installation is performed (with optional parameters provided with VERDE_CONFIG_CMDLINE).
  -i	Starts an interview-based (interactive) configuration with prompts to answer all configuration questions. If a default value is available, it is listed. Press Enter to accept the default value. If no value is present, pressing Enter will leave the value empty.
  -f <file>	Specifies an answer file to be used with an unattended installation.
  -l	Specifies that only the local server configuration is updated (/var/lib/verde/settings.node).
  -n	Specifies no restart of the VERDE Server when finished.

  Using the –i command line option walks you through the standard configuration options needed to properly configure VERDE. All of the configuration questions will have a default value and for the most part these default values will be sufficient. You will not have defaults for the required network IP information and you will need to be prepared to have the IP address for your internal and external network IPs, your gateway, and DNS server.

  To launch the interactive configuration script use:

  # /usr/lib/verde/bin/verde-config -i

  The VERDE for bare metal installation enables a port-redirection from VERDE ports 443 (https) and 80 (http) to standard ports 8443 (https) and 8080 (http). The redirected ports cannot be properly changed through the verde-config post installation script. If necessary, these ports can be changed by editing the following file:

  /etc/rinetd.conf

  Edit the last two lines in the file to change the port numbers. This change requires a full VERDE Server restart.

  To disable the redirection completely, run the following command as root:

  # chkconfig rinetd off

  This change also requires a full VERDE Server restart.

Run the VERDE script with the following command to view all questions:

# /usr/lib/verde/bin/verde-config -i

Once completed, a configuration summary is displayed. Press "ENTER" to save changes.

VERDE will restart or press "Ctrl+C" to quit without saving changes.

Q & A: Configuration Script

Interactive Mode Questions	Description	Default Value
What is the VERDE Management Console account?	This account owns the VERDE configuration files, Gold Images, and related configuration settings. The VERDE software runs with the privileges of this account as a system account. When entering names that contain backslashes, be sure to enter a corresponding escape sequence by typing two backslashes. For example: domain\\vb-verde If the letter that follows the backslash is “n”, “r”, or “t” then enter four backslashes. For example: domain\\\\nt\\user	vb-verde
What is the role of this server?	Option 1) The server can act as a cluster master, runs the VERDE Management Console, but will not host VDI sessions. This option is typically used in clustering environments. Option 2) This server is a cluster master candidate, runs the VERDE Management Console, and hosts VDI sessions. Select this option for standalone server deployment or in cluster configurations for cluster master fail-over. Option 3) The server only hosts VDI sessions. This option is used in cluster environments with multiple servers. Option 4) A gateway server relays VDI connections to other servers shielding them from direct internet connections. It does not host VDI sessions nor serve as a cluster master candidate.	2
What is the public IP or FQDN of this server, to be used for management traffic?	Enter the public IP or the fully qualified domain name of this server. This name or address needs to be resolvable from other servers in the cluster. Note: VERDE Management Console uses this information for reporting. If the IP address is used instead of the server name, changing the IP address requires editing this value in the verde-config script	<Servername>
What is the public IP or FQDN, to be used for user traffic?	This is the address for VERDE User Console connections. The default is the address entered in question 3.	<Servername>
What are the initial resource tags for this server?	Categories are pre-defined and not editable: ORG: tags for organizations. The format is ORG:orgname-<org id>. Web names can also be used as tags. NETWORK: network tags. The format is NETWORK:network_tag. HARDWARE: tags determined by VERDE about server hardware and not editable. OTHER: user defined tags, including computer resource tags. To create a tag, such as a resource tag enter OTHER:resourceTag1. The list of tags within a category will also support a wildcard option (*). When ORG:* is specified, it is a shortcut for specifying a list of all available organization tags. VERDE event reports all known tags using the same value format.	No default and can be left empty.
How often should branches synchronize?	This parameter defines how often the changes to the Gold Images, settings, deployment rules, and related settings will be synchronized with the central server.	5
Is this a branch server?	If this is a VERDE Cloud Branch environment, one branch download server is required per branch. Select “Yes” if the server is a cloud branch server. Additional questions display.	No
On which port should VERDE Management Console and VERDE User Console run?	Enter the https port on which the User Console is available to end users. The VERDE Management Console and User Console will also communicate on port 8080.	8443
What character should be used to replace space characters in user names?	In order to be able to use spaces in user names, the space must be substituted by a “dummy” character. This character will be used by PowerBroker during the authentication process with Microsoft Active Directory. For example, the “User Principal Name" or "UPN” would be “test^user” where the space is replaced the “^” symbol.	^
The following settings are used only when Read Cache I/O is enabled in the VERDE Management Console	These settings apply to cluster environments where multiple servers share a central storage (NAS).

Q & A: Configuring the Branch Server

Interactive Mode Questions	Description	Default Value
How often should VDI nodes synchronize gold images from external storage (1-600 minutes)?	If an update of a Gold Image is available, it will be synchronized with the cached copy of this Gold Image stored on the local node. This parameter defines the synchronization frequency. The default is 1 minute. Unlike the rest of the values in this table, this is configured in the data center to which the branch servers connect.	1
What local directory should be used for Write Cache I/O (leave empty to use users' home directories)?	This is the directory where temporary changes (transient storage) to the system volume (such as the C: drive) will be stored. Confirm there is enough space. Those changes will be lost at initialization of the next session. If left blank, the user’s home directories will be used. Use “^D” to denote an empty string. If another value is used, such as /tmp, that directory must be writable by all. To make the directory writable, change the permissions (777). To improve performance in a cluster environment, directly attach a drive for this folder.
What is the address of the SmartSync server?	Enter the address (IP or FQDN address) of the server in the data center that is going to handle the data synchronization (Gold Images, configuration files) with the branch. This can be a single server address as well as a FQDN that will provide a round robin DNS resolution to a node in the cluster. The Branch Server requires credentials for downloading updates from the SmartSync server. Enter the credentials for this operation. Backslashes are not supported in passwords and passwords will not be echoed back to the terminal.	None
Enter the Active Directory domain for logging in to the Smart Sync server.	This step is only required if your SmartSync user is an Active Directory user. If it is, enter the AD domain for logging in to the Smart Sync server. For example, ADNETWORK	None
Enter username for logging in to the SmartSync server.	The Gold Image synchronization process authenticates with this user on the cloud server in the data center. The username and password specified for Branch synchronization be a Master Console Administrator in global space.	None
Enter password for logging in to the SmartSync server.	Enter and verify the password of the user defined in the previous question.	None
How often should branches synchronize (1-1440 minutes)?	This parameter defines how often the changes to the Gold Images, settings, deployment rules, and related settings will be synchronized with the central server.	5
Enter time of day at which user data will be synchronized (00:00 - 23:59)?	This parameter defines the time of day when the user data (from My Documents in Windows, for example) will be backed up on the cloud server in the data center, for example at 05:45. Enter "NEVER" to disable user data synchronization. This can happen only once a day and user documents must be stored outside of the user image for the synchronization to work properly.	None

The VERDE configuration script can also run in menu mode, which enables direct access to specific parameters. Run the script with the following command:

# /usr/lib/verde/bin/verde-config -m

These options are listed as:

*** VERDE Server Configuration ***Please select an item to configure:

1) Set VERDE Management account

Node settings:

2) Set server's role

3) Set role-specific settings

Cluster settings:

4) Set VERDE Administrator user account

5) Set VERDE Branch download settings

6) Set other cluster-wide settings

7) Set Read CacheI/O settings

8) Set Write CacheI/O settings

General:

v) View configuration

s) Save settings, restart VERDE and exit

q) Quit without saving

Select an item and press "Enter." A subset of interview questions is listed.

The VERDE configuration script can run in unattended mode. This enables quick set up of several servers, which is useful when VERDE is deployed in a cluster environment. Cluster-wide settings only need to be configured once. It is possible to run concurrent installations on multiple servers.

The setup parameters are defined in a configuration file that is specified as an option when running the script. Run the script with the following command:

# /usr/lib/verde/bin/verde-config -f <file> -u

A sample answer file is provided in /usr/lib/verde/etc/verde-config-answer-file.txt as a template. The file can be located anywhere on the server. Specify the correct path when running the configuration script.

The verde-config-answer-file.txt contains the following. Update it according to your requirements.

# Sample verde-config answer file

# ------ VERDE Node configuration ------

#

# mc_user default: vb-verde

# server_role values: CM_Only, CM_VDI, VDI_Only, Gateway; default: CM_VDI

# pubaddr required only if server_role is CM_VDI or VDI_Only; default: output # of hostname -f

# debug_level values: note, info, dbg; default: note

#

#mc_user="vb-verde"

#server_role="CM_Only"

#pubaddr="192.168.1.100"

# ------ VERDE Cluster configuration ------

#

# master_admin default: mcadmin1

# leaf_update_port default: 8080

# username_space_replacement default: ^

#

#master_admin="mcadmin1"

#tomcat_port="8443"

#leaf_update_port="8080"

#username_space_replacement="^"

#

# ------ Cache I/O configuration ------

#

# snap_dir default: empty

# cacheio_dir required if cache I/O will be used, default:

# /var/lib/verde/cacheio

# cacheio_sync_interval default: 4 minutes

#

#snap_dir=""

#cacheio_dir="/var/lib/verde/cacheio"

#cacheio_sync_interval="4"

#

# ------ Branch server configuration ------

#

# cloud_addr if empty then server is not a branch server

# cloud_username required if cloud_addr is not empty

# cloud_password required if cloud_addr is not empty

# cloud_domain default: empty

# branch_user_data_sync_time default: 1:00 (i.e. 1 AM)

# branch_sync_interval default: 5 minutes

#

#cloud_addr="10.0.7.100"

#cloud_domain="DOMAIN"

#cloud_username="admin"

#cloud_password="123456"

#branch_user_data_sync_time="02:00"

#branch_sync_interval="5"

There are two methods for beginning an install on a multi-server environment:

• Install the first node manually, then use it to build and test the response file.
• Use the unattended method to install all of the nodes.

Since the cluster will likely include a mix of cluster master candidates as well as VDI-only servers, two response files are needed:

• cluster master candidate response file
• VDI server response file

Cluster Master Candidate response file (example answer.cm)

Update as many parameters as needed. However, the server role must be set to “CM_VDI”

# answer.cm

server_role="CM_VDI"

VDI Server response file (example answer.vdi)

Set the server role to “VDI-Only”

# answer.vdi

server_role="VDI_Only"

It is possible to use environment variables to run the VERDE installation. Command line options can be entered with the VERDE_CONFIG_CMDLINE variable.

To upgrade the VERDE system, on rpm-based distributions (CentOS/RHEL), remove the VERDE package prior to running the installation command.

First confirm the VERDE installation package is available to all the nodes, then install.

RPM-based installation:

VERDE_CONFIG_CMDLINE="-f <response file> -u" rpm --install <VERDE package>

Debian package installation:

VERDE_CONFIG_CMDLINE="-f <response file> -u" dpkg --install <VERDE pack-age>

On the Cluster Master Candidate Nodes

VERDE_CONFIG_CMDLINE="-f /home/vb-verde/temp/answer.cm -u" \

rpm --install VERDE-7.0.xxxxx.x86_64.rpm

On the VDI Nodes

VERDE_CONFIG_CMDLINE="-f /home/vb-verde/temp/answer.vdi -u" \

A gateway is a server network node that provides access into and out of a network. Set up VERDE Gateways to communicate with VERDE servers located in a secure environment. VERDE Gateways reside within the Demilitarized Zone (DMZ) to reduce exposure to internal servers. VERDE Gateways provide secure public network access and grant remote users proper access to the internal network where VERDE, applications, resources, and internal data resides. Communication between client devices and the isolated gateway is encrypted. Users must log in to the secure network with valid user credentials to access their virtual desktop (s).

This figure shows one of many ways to set up this configuration.

An isolated gateway requires the following:

• At least one VERDE server.
• At least one network interface controller (NIC) with access to both internal and public networks, or two NICs (one for internal access and one for external).
• Configure Isolated Gateway Servers to reside within the authorized demilitarized zone (DMZ).

Before configuring the cluster master and the VERDE Gateway servers, prepare the following:

• Download the VERDE installation package onto the cluster master candidates and the Isolated Gateway server(s).
• On the GTW server, designate a system user (vb-verde) with the same UUID and GUID as the infrastructure. The system user is the designated isolated gateway administrator role.
• Determine the IP addresses of each cluster master candidate. Set up of Isolated Gateways requires a list of assigned server IP addresses for use during VERDE configuration.
• Set up the following ports to facilitate communication between the public network and the internal data center via the Isolated Gateway host(s).
• Public Network —> DMZ
  • 48622 Public IP —> 48622 Gateway IP
  • 443 Public IP —> 8443 Gateway IP (or forward 8443 —> 8443. The first setting does not require appending a port on a URL).
• DMZ —> Internal Network
  • Secure LDAP —> port 636 (encrypted) or 389 (non-encrypted) on the LDAP server Clear LDAP —> port 389 on the LDAP server
  • 48616 Gateway IP —> 48616 cluster master IP(s) 48622 Gateway IP —> 48622 VDI server IP(s)

Virtualization on the server is not required because the Isolated Gateway is not used to host VDI sessions. Isolated Gateway(s) acts as a proxy for the cluster master, and UXP, SPICE or RDP traffic.

Only configure the vb-verde user with matching UID/GID on CM/VDI satellites (RPM based installation methods).

Configure the VERDE gateway in a test environment prior to implementing it in a production environment to ensure that all settings work correctly.

Q & A: Gateway Configuration Settings

What is the VERDE Management Console account?	Enter the vb-verde user or the equivalent VERDE Console system account user defined on the VERDE Server for the designated environment.
What is the role of this server?	Enter option 4: VERDE Gateway only (connection broker).
Is this an Isolated Gateway server?	Enter yes.
What is/are the public IP address(es) or FQDN(‘s) of the Cluster Master(s)?	The public IP address or FQDN is not needed on a Gateway server. When specifying multiple addresses, separate them by semi-colons. Enter a semicolon delimited list of the IP address(es) of the cluster master candidate(s) in your environment (for example, CM_Only or CM_VDI in /var/lib/ver-de/settings.node). For example: VERDE_GATEWAY_CM_LIST=17.16.1.54; 17.16.1.88; 17.16.1.02.
Who is the master VERDE Management Console administrator?	Enter the VERDE Management Console system account user. For example, mcadmin1.
Is this a branch server?	Enter no regardless of whether this server will be a gateway for the core VERDE server or whether it will be a gateway for a branch server.
On which port should the VERDE Management Console and User Console run?	Enter 8443 or the port that will be used for https access to the User Console on the Isolated Gateway. Tomcat runs as a non-privileged user, so the port must be greater than 1024.
What character should be used to denote a space in user names?	Enter the default value of ^ or choose another character.
What local directory should be used for Read Cache I/O?	The following settings are used only when Read Cache I/O is enabled in the VERDE Management Console. Use the default value; the Isolated Gateway does not get cached GI copies because it does not host any VDI sessions.
How often should VDI nodes synchronize gold images from external storage (1-600 minutes)	The recommended value is 600 since the local cache copies are not used by the Isolated Gateway
What local directory should be used for Write Cache I/O?	Leave the default value (empty to use the users’ home directories). The Isolated Gateway does not get cached copies of Gold Images since it does not host any VDI sessions.