Centrix Universal - Installation & Configuration Guide: VMware, Inc. · Centrix Universal Metering...
94
3 Centrix Universal Installation & Configuration Guide Document Revision 1.3
-
Upload
trinhtuyen -
Category
Documents
-
view
235 -
download
0
Transcript of Centrix Universal - Installation & Configuration Guide: VMware, Inc. · Centrix Universal Metering...
3
Centrix Universal
Installation & Configuration Guide Document Revision 1.3
2
Table of Contents
1. About this document ...................................................................................................... 5
How to use this guide ........................................................................................................... 5
2. Introducing Centrix Universal ........................................................................................ 6 Centrix Universal server .................................................................................................................. 8 Centrix Universal client ................................................................................................................... 8
Centrix Universal architecture overview ............................................................................... 8
3. Systems Requirements ................................................................................................ 11
Centrix Universal server ..................................................................................................... 11
Centrix Universal client ....................................................................................................... 11
4. Planning For Deployment ............................................................................................. 12
WorkSpace databases ........................................................................................................ 12 Choosing a Database ................................................................................................................... 13
Pre-Installation Check List .................................................................................................. 15 WorkSpace server ........................................................................................................................ 15 LDAP authentication ..................................................................................................................... 15 Citrix .............................................................................................................................................. 16 Microsoft Terminal Services 2008 RemoteApp Adapter ............................................................... 16 Centrix Universal Meta-Broker Adapter ........................................................................................ 16 RSS Reader Adapter .................................................................................................................... 16
5. Installing Centrix Universal .......................................................................................... 17
Overview ............................................................................................................................. 17
Centrix Universal Server ..................................................................................................... 18
License key ......................................................................................................................... 21
Centrix Universal Management Console ............................................................................ 22
Centrix Universal Metering ................................................................................................. 24
Centrix Universal Metering server and database ............................................................... 24
Centrix Universal Metering data adapters .......................................................................... 26
Central Workspace Metering database: scheduled jobs .................................................... 27
Centrix Universal Metering Data Adapters: scheduled jobs ............................................... 29
6. Centrix Universal Configuration .................................................................................. 32
Getting Started with WorkSpace ......................................................................................... 32
Providers ............................................................................................................................. 32
LDAP - Directory Service Providers .................................................................................... 34
CITRIX - Citrix Providers .................................................................................................... 34
WSTS - Windows Server Terminal Services Providers ...................................................... 35
RSSREADER - RSS Providers ........................................................................................... 35
METABROKER - Meta-Broker Providers ........................................................................... 35
LOCALCLIENT - Local client Providers .............................................................................. 37
Modules .............................................................................................................................. 37
Workspaces ........................................................................................................................ 38
Layouts ............................................................................................................................... 38
Subscribers ......................................................................................................................... 39
Collections .......................................................................................................................... 40
Themes ............................................................................................................................... 41
Configuration ....................................................................................................................... 43
7. Managing Centrix Universal RIA clients ..................................................................... 45
Flash installation ................................................................................................................. 45
Clients for virtualization technologies ................................................................................. 45
3
Centrix Universal Windows Local Agent ............................................................................. 46
Using Centrix Universal client ............................................................................................. 47
8. Centrix Universal Metering........................................................................................... 49
Centrix Universal Metering components ............................................................................. 49
Centrix Universal Metering Data Adapters ......................................................................... 50
Centrix Universal Metering Database ................................................................................. 50
Centrix Universal Metering Graphical User Interface ......................................................... 51
Centrix Universal Metering Optimization Reports ............................................................... 52 Management Summary ................................................................................................................. 52 Application Dashboard .................................................................................................................. 52 Server Dashboard ......................................................................................................................... 53 Servers.......................................................................................................................................... 54 Server Inventory ............................................................................................................................ 54 Virtualization Mix Report ............................................................................................................... 54 Server Cost Profile Chart .............................................................................................................. 54 Most Used Servers Chart .............................................................................................................. 54 Least Used Servers Chart ............................................................................................................. 55 Most Cost Efficient Servers Chart ................................................................................................. 55 Least Cost Efficient Servers Chart ................................................................................................ 55 Demand ........................................................................................................................................ 55 Demand Profile Chart ................................................................................................................... 55 Metering ........................................................................................................................................ 56 Power Users Chart ........................................................................................................................ 56 Applications ................................................................................................................................... 56 Application Inventory ..................................................................................................................... 56 Most Used Applications Chart ....................................................................................................... 56 Least Used Applications Chart ...................................................................................................... 57 Management Console ................................................................................................................... 57 Server TCO Input .......................................................................................................................... 57 Server Tariff Input ......................................................................................................................... 57 Application License Cost Input ...................................................................................................... 58 Server Wizard ............................................................................................................................... 58
Centrix Universal Metering Chargeback Reports ............................................................... 58 Billing ............................................................................................................................................ 58
9. Two-factor authentication integration ........................................................................ 60
SecurEnvoy ......................................................................................................................... 60
Centrix Universal and SecurEnvoy architecture overview .................................................. 60
Centrix Universal and SecurEnvoy architecture overview .................................................. 60
Activating SecurEnvoy authentication ................................................................................ 62
Installing Centrix Universal with SecurEnvoy Web Agent already installed ....................... 62 Pre-requisites ................................................................................................................................ 62 Setting SecurEnvoy two-factor authentication............................................................................... 64
Installing Centrix Universal and SecurEnvoy together ....................................................... 65 Pre-requisites ................................................................................................................................ 67 Setting SecurEnvoy two-factor authentication............................................................................... 69
RSA SecurID ......................................................................................................................... 72
Centrix Universal and RSA SecurID architecture overview ................................................ 72
Activating RSA SecurID authentication .............................................................................. 73
Installing Centrix Universal with RSA SecurID Web Agent already installed ..................... 74 Pre-requisities ............................................................................................................................... 74 Setting RSA SecurID two-factor authentication............................................................................. 76
Installing Centrix Universal and RSA SecurID together ..................................................... 77 Pre-requisites ................................................................................................................................ 78 Setting RSA SecurID two-factor authentication............................................................................. 81
Centrix Universal Encryptor for RSA SecurID .................................................................... 82 Installation ..................................................................................................................................... 83
4
Using Centrix Universal Encryptor for RSA SecurID ..................................................................... 83
10. Customising WorkSpace .......................................................................................... 84
Corporate Logo Standards; creating your logo ................................................................... 84
Copying the logo using the Windows Explorer: .................................................................. 85
Sample Logos ..................................................................................................................... 85
Customising the Logon Screen, Theme and loading page colour ...................................... 85
Add your corporate logo to the Logon screen .................................................................... 85
Customising the User WorkSpace with a corporate logo ................................................... 89
11. Advanced Troubleshooting ...................................................................................... 92
12. Release Notes ............................................................................................................ 94
What‟s new in Centrix Universal ......................................................................................... 94
Known Issues ...................................................................................................................... 94
5
1. About this document
This guide is part of the Centrix Universal documentation to assist you in the planning, deployment, configuration, administration and utilization of Centrix Universal. It is organized as follows:
An overview of Centrix Universal, system requirements and planning your WorkSpace deployment are described in sections 2, 3 and 4.
Pre-installation checklist is provided on page 15 of this guide. It is advisable to print and complete this section before installing and configuring Centrix Universal.
Installing Centrix Universal server is described in section 5.
Configuring Centrix Universal and Centrix Universal Management Console is described in section 6.
Managing Centrix Universal clients is described in section 7.
Using Centrix Universal Metering is covered in section 8.
Two-factor authentication integration is detailed in section 9.
Customising WorkSpace is detailed in section 10.
Advanced Troubleshooting is detailed in section 11.
Release notes are provided in section 12.
How to use this guide
This guide is intended for system administrators responsible for installing and configuring Centrix Universal – familiar with Microsoft Windows Server configuration, Internet Information Services (IIS) and SQL Server. Note – This document assumes that the underlying virtualization technologies and infrastructure services are already existent and operational, and that the administrator has experience configuring these environments.
6
2. Introducing Centrix Universal
Centrix Universal is a universal aggregator of web-based, virtualized and local applications and resources, delivered through a rich and thin browser-based centralized launch pad. Accelerating user adoption of IT services, Centrix Universal consolidates complex and fragmented delivery mechanisms into a searchable application store and customizable, yet simple user workspace environment. Reaping the benefits of virtualization and flexible application sourcing across the private and public clouds, Centrix Universal optimizes decisions on how best to deploy and evolve services between local, virtual and web platforms. Accurate resources metering is used for chargeback, transforming IT organizations towards becoming internal software-as-a-service providers. Centrix Universal improves the user experience and lowers cost, while empowering greater business control and visibility.
Centrix Universal key capabilities include:
Provides users with access to applications and content through a browser based rich internet application; aggregating application delivery technologies and platforms, pooling them together, and presenting these resources in a way that the business wants to use them.
Operates non-intrusively with datacenter infrastructure, application delivery and virtualization technologies, prefacing and aggregating their resources into a single user interface with minimal modification to the underlying systems, making the most of existing functionality and services already available.
7
Increases user productivity, and the consumability of corporate IT applications and service. This allows end users and IT departments to quickly reap the benefits of virtualization and application sourcing from across many virtualization infrastructures, provisioning services and vendors.
Accelerates the adoption of virtualized infrastructure and IT services delivered by corporate IT, by abstracting and decoupling the underlying technologies from the user interface, making them more consumable and easy for users use.
Drives greater synergies between applications that would otherwise have been isolated from one another in their own environments by pooling together otherwise fragmented resources creating a richer, more powerful delivery solution.
Provides greater levels of visibility and control on applications and services usage. Centrix Universal Metering focuses on the main cost drivers for IT; Business Demand, Hardware Infrastructure and Applications.
Optimization - By providing detailed aggregated analysis across enterprise platforms, multiple farms and different environments, IT management can use Centrix Universal Metering to quickly identify demand trends, sub-optimal server utilization, under used applications and the groups of applications most used by business users.
Chargeback - For mature Enterprises that already chargeback costs to business units Centrix Universal Metering gives the ability to produce detailed cost analysis and to export chargeback files which can be fed into ERP systems. For Enterprises that are not currently using chargeback mechanisms or have chosen to retain IT costs centrally, WorkSpace Metering allows IT management to actively demonstrate to the business the service and value that they provide and to show accurate budget allocation.
8
Centrix Universal server
A key underlying server side technology of Centrix Universal is the Centrix Interconnect Platform (CIP), which assembles the following core modules:
Centrix Universal Provider Adapters to connect to underlying virtualization technologies
Centrix Universal LDAP Adapter to connect to directory services
Centrix Universal Management Console to configure and manage Centrix Universal
Centrix Universal configuration and usage databases
Centrix Universal Metering database and associated services The Centrix Interconnect Platform is the backbone of WorkSpace, providing a highly extensible communications bus aggregating unlimited number of resources through adapters which connect to the underlying provisioning services. The adapters are the conduit through which information of all the available applications, and services, collectively called resources, for a given user are passed from Centrix Universal server to WorkSpace Rich Internet client Application. These resources are presented in a single user interface – the Centrix Universal Rich Internet Application. This allows the user to easily subscribe to resources and consume what is available. All that is required on client device is a web browser and the Adobe Flash plug-in. Centrix Universal server relies on a set of interfaces (APIs) to allow businesses to create their own adapters to extend WorkSpace aggregation capabilities to proprietary systems not supported out of the box. Please contact Centrix Software for more information.
Centrix Universal client
This is the client-side application of WorkSpace. WorkSpace is a Rich Internet Application (RIA). Rich Internet Applications are web applications that have the features and functionality of traditional desktop applications – this means an enhanced user experience with complete portability to any device. Centrix Universal runs within a web browser and is accessed via a URL. As a result it is a light touch with little impact to IT support functions and infrastructure, but provides a rich experience to the user even to a level of personalization, including branding – skins and themes. Today, as a browser based application, Centrix Universal is also inherently secure operating within the sandbox of the browser on the client device, and external communications over HTTPS. Centrix Universal Rich Internet Application comprises of:
WorkSpace Core
Three types of WorkSpace Module o Publish Modules o Local Agent Module o Add-In Modules (e.g. RSS Reader)
Centrix Universal architecture overview
9
Centrix Interconnect PlatformPublish
Publish ManagementAuthenticationMeteringPublish
WorkSpace Server
WorkSpace Core
Add-InsAdd-InsAdd-Ins OrganiserMetering
PublishPublishPublish Windows
Local Agent
WorkSpace Client
WorkSpace
Management
Console
10
All communications between WorkSpace RIA and WorkSpace Server is SSL/HTTPS encapsulated.
User launches WorkSpace via a web browser using a standard URL; the WorkSpace Core is loaded and the user is challenged for login credentials.
User authentication – WorkSpace Core communicates directly with the authentication adapter which passes user credentials to the configured LDAP directory.
Based on users‟ group membership, the users‟ layout configuration is read in from the WorkSpace data store via the management adapter and the modules are then loaded into the WorkSpace RIA.
Each Workspace Module communicates via the CIP to its respective adapter to authenticate, enumerate and launch resources.
Workspace Modules notify the Workspace Core when resources are available or have changed. The resources get added into the RIA Resource Explorer within WorkSpace Core.
11
3. Systems Requirements
Centrix Universal server
Centrix Universal server relies on well established technologies and follows best practices to deploy these in a datacenter environment. Minimum system requirements:
Microsoft Windows Server 2003 (32-bit or 64-bit)
Microsoft Internet Information Services 6 (IIS)
Microsoft SQL Server 2005 Components required:
Microsoft .NET Framework 2.0 and 3.5
Microsoft Visual J# .NET 2.0
Microsoft SQL ODBC Driver
Centrix Universal client
Minimum client requirements:
Web browser: o Microsoft Internet Explorer 6 SP3 and later o Apple Safari 3.0 and later o Mozilla Firefox 2.0 and later
Centrix Universal Metering requires Microsoft Internet Explorer 7 (SP3).
Adobe Flash Player 9.0.115 and above Supported client devices:
Microsoft Windows 2000, XP, Vista (32-bit)
Mac OS X 10.4 or later
Various Linux distributions including Red Hat and Ubuntu
Thin client devices To launch applications hosted on virtualization technologies, additional client software may need to be installed, for example: Resource Provider/Virtualization technology Client
Citrix XenApp or XenDesktop ICA
Microsoft Terminal Services RDP
Quest Provision Networks Virtual Access Suite PIT
12
4. Planning For Deployment
Centrix Universal operates non-intrusively with datacenter infrastructure, application delivery and virtualization technologies. The following diagram depicts the typical logical placement of WorkSpace within an enterprise infrastructure.
Internet
SSL 443
LAN
Network Load Balancer
Microsoft IIS
Centrix Workspace
Microsoft IIS
Centrix WorkSpaceMicrosoft SQL
(Cluster Node)
Microsoft SQL
(Cluster Node)
Shared Storage
WorkSpace databases
When you deploy Centrix Universal, it must have associated databases:
Centrix Universal configuration database
Centrix Universal usage database
Centrix Universal Metering database When Centrix Universal servers come online, they query the configuration database for configuration information. The configuration database provides a repository of persistent configuration information that each server can reference, including the following:
Authentication configuration
Adapter configuration
Server configuration
WorkSpace User profiles
…
13
Centrix Universal usage database gathers and records activity taking place, in particular locally on each WorkSpace client, on Windows through the integration with Centrix Universal Windows Local Agent. This provides a very accurate insight for applications launched locally through Centrix Universal client. The information gathered in Centrix Universal database is used by Centrix Universal Metering to provide greater visibility and how local, virtual and web resources are being used. Centrix Universal Metering databases collects information from Centrix Universal usage database (for activities recorded when using Centrix Universal Local Agent) and also additional information extracted from the underlying virtualization infrastructure. This provides Centrix Universal Metering with the raw data to generate the business intelligence for Optimization and Chargeback. Before you set up WorkSpace databases that will serve as your data stores (configuration, usage, metering), you need to consider issues such as: which database you will use, how your system will be sized, which hardware configuration is best for your environment, and other configuration options. For further information please contact Centrix Software or your local partner.
Choosing a Database
As an initial planning step, you must decide which database to use for your farm‟s data store. You can use the following database software for the farm data store:
Microsoft SQL Server 2005 is a true client/server databases that offer robust and scalable support for multiple-server data access. It is suited for deployments of any size.
Microsoft SQL Server 2005 Express. This type of database is most appropriate for small to medium-sized farms and can be administered using standard Microsoft SQL Server tools.
Caution - Ensure that the data store is properly backed up on a regular basis. If the data store database is lost, you must reconfigure WorkSpace. You cannot recreate the data store from an existing deployment. When using Microsoft SQL Server, the database is housed on a server dedicated to running the database product. Set up this server prior to creating the farm because during installation an ODBC connection to it will be created. You should consider many factors before deciding which database product to use for the data store, including but not limited to:
The number of servers you currently plan to have and whether or not you plan to expand that number.
Whether or not you have a database administrator on staff with the expertise to configure and manage a data store running on SQL Server.
Whether or not you foresee the enterprise expanding; therefore, expanding the size and maintenance of the database.
Whether or not the database can sustain an increase in the number of users and connections.
14
Whether a server has the appropriate hardware configuration to also run a SQL Server Express database or whether you require that the database be located on a server that is not also running Centrix Universal.
Any database maintenance requirements you may have, such as backup, redundancy, and replication.
Caution – Do not install Centrix Universal on the Microsoft SQL database server. See your database product‟s documentation for specific hardware requirements for the database server. Important – Microsoft SQL servers require significant expertise to install and maintain. If you do not have expertise with these products, attempting to use them in a production environment is not recommended. See the documentation included with your database product for important details such as performance tuning and database backup procedures.
15
Pre-Installation Check List
It is advisable to print and complete this section recording all of the requested information required to successfully install and configure Centrix Universal.
WorkSpace server
Complete these fields to record core information for deployment of WorkSpace 4.0 into your environment Centrix Universal Server
Server name
FQDN for server running Centrix Universal
Server IP Address and subnet mask
Server Gateway
Server DNS
Centrix Universal Service account username Account should have at least local administrative control of the WorkSpace server.
Centrix Universal Service account password
LDAP authentication
Service account (Active Directory account operator privileges suffice) with required for each domain – this account should have permission to read all groups and group SIDs for the domain. LDAP
Domain name
Global Catalog serverFQDN1
Domain controller serverFQDN1
LDAPConnection Binding string in the forms LDAP://servername/dc=domain,dc=com LDAP://dc=domain,dc=com GC://dc=domain,dc=com
LDAPUsername Service account username
LDAPPassword Service account password
16
Citrix
Complete these fields to record configuration information of each Citrix farm to be served by WorkSpace. Citrix XenApp(Presentation Server)
Farm Name
Zone Data Collectors. serverFQDN1,serverFQDN2 or IP addresses
Citrix Access Gateway address1
Secure Ticketing Authority URL in the form http://server/scripts/ctxsta.dll1
Microsoft Terminal Services 2008 RemoteApp Adapter
Complete these fields to record configuration information of each Microsoft Terminal Services RemoteApp server to be served by WorkSpace. Microsoft Terminal Services Server 2008
Microsoft Terminal Services Server 2008 serverFQDN1,serverFQDN2 or IP addresses
Centrix Universal Meta-Broker Adapter
Centrix Universal Meta-Broker relies on Quest vWorkspace (formerly Provision Networks Virtual Access Suite) to handle VDI desktops hosted on VMware, Microsoft Hyper-V or other infrastructures. Complete these fields to record configuration information of each vWorkspace connection broker to be served by WorkSpace. Refer to Quest vWorkspace manual provided for more information. Quest Provision Networks Virtual Access Suite
VAS Connection Broker serverFQDN1,serverFQDN2 or IP addresses
RSS Reader Adapter
URL required for each feed to be displayed by WorkSpace. RSS
RSS Feed URL
1 Only required if a Citrix Access Gateway is deployed for securing remote connections to Centrix
WorkSpace and Citrix XenApp ICA connections.
17
5. Installing Centrix Universal
This section provides an overview of the Centrix Universal installation process and steps required. Once installed your Centrix Universal license key needs to be set using WorkSpace Management Console. Please refer to the appropriate section of this guide.
Overview
Assuming all the prerequisites are in place Centrix Universal requires client and servers side components to be installed and configured for a complete installation.
Client side installed components are:
o Centrix Universal client, the Flash-based Rich Internet Application used to access WorkSpace server. This doesn‟t require to be installed as such as users‟ browsers automatically download it on-demand.
o Centrix Universal Windows Local Agent, the Windows application that extends WorkSpace to include local resources and applications on Windows user environments. This can be part of a Windows standard build (e.g. for new computers deployed within a company). Alternatively the local agent can be made available from within WorkSpace client (from the User Profile, Available Clients tab) to install as and when required (e.g. remote users, home and other unmanaged environments).
Server side components are:
o Centrix Universal server (Centrix Interconnect Platform) including WorkSpace configuration and usage databases, WorkSpace Management Console. These provide WorkSpace core functionality.
o Centrix Universal Metering server and database providing the Metering reporting capabilities.
o Centrix Universal Metering Data Adapters to be installed on each of the
environments considered to gather usage data from Citrix, VMware and WorkSpace itself.
o Optional security modules for integration with SecurEnvoy or RSA SecurID
two-factor authentication solutions. For greater flexibility the following four installation images are available:
setup.exe: the main server side components installation file covering: Centrix Universal server, WorkSpace configuration and usage databases, WorkSpace Management Console
workspace_management_console_setup.exe: a separate installation file to install Centrix Universal Management Console on separate servers
workspace_metering_setup.exe: the installation file covering Centrix Universal Metering server and database.
18
workspace_agent_setup.exe: the installation file for Centrix Universal Windows Local Agent. This file is by default made available to WorkSpace users to download and install from within WorkSpace or can be used as part of a standard build for new computers.
The next sections cover the steps required for the different installations.
Centrix Universal Server
Centrix Universal Server (Centrix Interconnect Platform) needs to be installed on a Windows Server with Internet Information Services (IIS), SQL Server, .NET Framework 2.0 and 3.5, Visual J# .NET 2.0 and SQL ODBC Driver. SQL Server Express can be used to host WorkSpace usage and configuration databases, however due to the limitations of SQL Server Express this is not recommended outside of evaluation or test environments. Note – When using Microsoft SQL Server 2005 Express, ensure that the SQL Server browser service is enabled and set to automatic. For enterprise production deployments, Centrix Software recommends hosting the WorkSpace usage and configuration databases clustered SQL Server. To install WorkSpace Server on the designated IIS server – identified in the pre-installation checklist – perform the following directions referring to the pre-installation checklist for the configuration information to be entered. Screenshot Action
Run setup.exe from Centrix Universal installation media to launch installer. Click Next
After reading the License Agreement read, select „I accept the terms of the License Agreement‟ if you do and Click Next
19
Screenshot Action
Select installation directory where installation files will be copied
Choose setup type – Complete or Custom. The Complete option installs Centrix Universal server, WorkSpace configuration and usage databases, WorkSpace Management Console. The Custom option first let you select which of these modules need installing. Click Next
Optional installation step when the Custom Setup option has been selected in the earlier step The components to be installed are group in 5 categories: Website: controls Centrix Universal website installation Database: controls WorkSpace usage and configuration database installation Service: controls the web server service and required ODBC DSN installations Management Console: controls the Management Console Installation Quest vWorkspace: controls the installation of Centrix Universal Meta-Broker component currently using Quest vWorkspace technology.
Define Service URL for WorkSpace Server Define domains which will be served by WorkSpace.
20
Screenshot Action
Define the SQL instance to be configured as WorkSpace usage and configuration databases For SQL Server 2005 Express ensure the instance is follows the convention - DatabaseServer/SQLEXPRESS/ Select authentication mode Database name – leave as default or enter new database name.
Enter WorkSpace Service account credentials
Define the SQL instance to be configured as WorkSpace Meta-Broker database For SQL Server 2005 Express ensure the instance is follows the convention - DatabaseServer/SQLEXPRESS/ Select authentication mode Database name – leave as default or enter new database name.
Click Install
21
Screenshot Action
Wait for the installation to finish
Click Finish
License key
Once installed your Centrix Universal license key needs to be set using the Centrix Universal Management Console to enable the product. If you haven‟t received you license key with the product please contact your local Centrix Software partner or Centrix Software by email at [email protected]. Please refer to the manual section for the Centrix Universal Management Console to set your license key, and enable the product.
22
Centrix Universal Meta-Broker relies on Quest vWorkspace to handle VDI desktops hosted on VMware, Microsoft Hyper-V as well as other infrastructures. If you intent to use Centrix Universal with other environments than Citrix, web and Windows local application, you need to a separate activation key. To get your Centrix Universal Meta-Broker activation key please contact your local partner or [email protected] with your VMAC details found on the server Quest vWorkspace is installed on launching vWorkspace Management Console.
Centrix Universal Management Console
Centrix Management Console can be installed separately from the man installation image, for example when installed on a separate server. When installed on the WorkSpace Service Server, resources are enumerated given the security restriction applied. Screenshot Action
Run workspace_management_console_setup.exe from Centrix Universal installation media to launch installer. Click Next
After reading the License Agreement, select „I accept the terms of the License Agreement‟ if you do and Click Next
Enter the absolute URL to the WorkSpace Service. This is used inconjunction with the adapter service account details to enumerate the applications when editing collections.
23
Screenshot Action
Point to WorkSpace configuration database created during the main installation process. Select authentication mode.
Click Install
Wait for the installation to finish
Click Finish
24
Centrix Universal Metering
Centrix Metering components need be installed separately from the main installation image. Two set of installations are required:
Centrix Universal Metering server and database providing the Metering reporting capabilities.
Centrix Universal Metering Data Adapters to be installed on each of the environments considered to gather usage data from Citrix, VMware and WorkSpace itself.
At a high level, the actions and their sequencing, required to setup Centrix Universal Metering database and the local databases for each of the monitored environement is as follow:
Install WS
Metering
Database
Install WS
Metering
Procedures
Set up login
account for local
adaptors
Set up WS
Metering job
schedule
Issue Instructions
to DBAs for each
monitored
environment
1. The local
database scripts
2. The local
procedure scripts
3. The network
address for the
central database
server
Install Local
Database
Install Local
Adapters
Set up Local job
schedule
Connect to Central
Database
WS Metering
DBA
Monitored
environment
DBA
Centrix Workspace Metering
database installation flowchart
Control is maintained at the centre with instructions being issued to local DBAs to execute against each environment monitored.
Centrix Universal Metering server and database
Centrix Universal Metering needs to be installed on a Windows Server with Internet Information Services (IIS), SQL Server and .NET 3.5. Centrix Universal Metering database needs to be installed on a server which can be connected to the different environments it monitors across the network. Before starting the installation procedure, a Metering database needs to be created with the corresponding SQL account. Screenshot Action
25
Screenshot Action
Run workspace_metering_setup.exe from Centrix Universal installation media to launch installer. Click Next
Once the License Agreement read, select „I accept the terms of the License Agreement‟ if you do and Click Next
Select installation directory where installation files will be copied
Define the SQL instance to be used as WorkSpace Metering database (created beofre starting the installation). For SQL Server 2005 Express ensure the instance is follows the convention - DatabaseServer/SQLEXPRESS/ Select authentication mode
26
Screenshot Action
Click Install
Wait for the installation to finish
Click Finish
Once installed, Create permissions for the Linked Server connection for the database Finally, each environment monitored will need to upload data to Centrix Universal Metering database at regular time intervals. A timed job needs to be set to process the information as well as a timed job for the two procedures: „UpdateMeteringTable‟ and „ClearTempTable‟.
Centrix Universal Metering data adapters
The appropriate adapter (CitrixPS, XenApp, VMWare and Workspace) needs to be installed on the same SQL server as the data repository for each Virtualization Technology (Citrix Resource Manager, EdgeSight, Virtual Center and Workspace). If multiple environments are monitored this process will need to be repeated for each environments. Prerequisites:
27
1. You will need DBA permissions to be able to run the scripts. 2. You will need to know the database name and schema name for each data repository. 3. You will need to make a Linked Server connection with the central WorkSpace Analytics
database. 4. The scripts for the creation of the WorkSpace database and data adapters are held in
C:\Program Files\CentrixSoftware\Metering\Data Adapters for each of the supported environments.
Actions: 1. Select the scripts you need to install 2. Log in to each SQL Server and install the appropriate script 3. Create a Linked Server connection for the database 4. Create a timed job for each script. We suggest that this is run after each monitored
environment has completed its own update. Usually, the default option is midnight each day so anytime after 01:00 hours would normally be acceptable.
5. Set up a notification service for the timed job and check that it has run properly each day.
Finally, each environment monitored will need to upload data to Centrix Universal Metering database at regular time intervals.
Central Workspace Metering database: scheduled jobs
Once installed, at regular time intervals, each environment monitored will need to upload data to Centrix Universal Metering database. A timed job needs to be set to process the information as well as a timed job for the two procedures: „UpdateMeteringTable‟ and „ClearTempTable‟. These should be run as late as possible in order to give the local databases enough time to upload their data. „UpdateMeteringTable‟ should run first and „CleartempTable‟ should only run after „UpdateMeteringTable‟ has executed. Screenshot Action
28
Screenshot Action
From Microsoft SQl Server Management Studio select SQL Server Agent. Right click „Jobs‟ and select „New Jobs‟. Complete the General Tab as illustrated. Once you have finished, select the „Steps‟ tab
Add two new steps: Step 1: exec WorkSpace.UpdateMeteringTable Step 2: exec Workspace.CleartempTable Select the advanced tab.
For both steps make sure that the „On Success Action‟ dropdown value „Go to the next step‟ is selected, and the „On Success Action‟ dropdown value „Quit the job reporting failure‟ is selected.
29
Screenshot Action
Once you have finished your new job screen should look like this. Once you are happy, select the „Schedules‟ tab.
Complete the schedule fields as illustrated opposite. Make sure that the recurring field is set to daily and schedule the occurrence time for later than 05:00 hrs ech day. Once you are happy, click OK and select the „Notifications‟ tab and set your notification preferences for scheduled jobs. Click OK to finish.
Centrix Universal Metering Data Adapters: scheduled jobs
Screenshot Action
From Microsoft SQL Server Management Studio select SQL Server Agent. Right click „Jobs‟ and select „New Jobs‟. Complete the General Tab as illustrated. Once you have finished, select the „Steps‟ tab
30
Screenshot Action
For each adapter you have installed add a new job step. Select the advanced tab.
For both the „On success action‟ and „On failure action‟ dropdowns select the „Go to the next step‟ value. Press OK to return to the „New Job‟ window. Repeat the process for each Adapter you have installed
Once you have finished your new job screen should look like this. Once you are happy, select the „Schedules‟ tab.
31
Screenshot Action
Complete the schedule fields as illustrated opposite. Make sure that the recurring field is set to daily and schedule the occurrence time for between 01:00 and 04:30 hrs ech day. Once you are happy, click OK and select the „Notifications‟ tab and set your notification preferences for scheduled jobs. Click OK to Finish.
32
6. Centrix Universal Configuration
This section provides details of the configuration of Centrix Universal, explaining how to connect WorkSpace to new and existing virtualization platforms and directory services in your environment as well as details and also to services such as directory services.
Getting Started with WorkSpace
Following successful installation, WorkSpace can be configured using the Centrix Universal Management Console. WorkSpace configuration database will have been created, initialized, and made ready for configuration during the installation process. Centrix Management Console is based on Microsoft Management Console solution. The installation will have created a shortcut to WorkSpace Management Console on the desktop it was installed on. Its default location is: C:\Program Files\Centrix Software\WorkSpace\Management\WorkSpace.msc.
Providers
Providers connect Centrix Universal to the underlying infrastructure it relies on for services and applications delivery. These include Citrix published applications, VMware View virtual desktops or Windows local applications through Centrix Universal Local Agent, as well as user management though directory services. Centrix Universal uses Providers to deliver all the resources available to a given user. Each provider is defined by its name, set by WorkSpace administrator and its type. An additional description field is available for each provider. Centrix Universal supports 4 types of providers:
LDAP: users LDAP directory services including Microsoft Active Directory 2003 and Novell e-Directory
CITRIX: Citrix XenApp and XenDesktop published applications and virtual desktops services
WSTS: Microsoft Windows Terminal Services
RSSREADER: RSS feeds
METABROKER: virtual desktop delivered through other virtual infrastructure, e.g. VMware View, Parallels Virtuozzo, …
LOCALCLIENT: local applications and resources made available on Windows machine through Centrix Universal Local Agent
33
Each adapter has been designed to inherit the functionality of the virtualization technology it is connected to, and as such, has a specific configuration for each type detail in the following sections. Note – This section assumes that the underlying virtualization technologies and infrastructure services are already existent and operational, and that the administrator has experience configuring them.
34
LDAP - Directory Service Providers
WorkSpace operates non-intrusively with any directory services supporting native LDAP connection strings and also strings specific to Microsoft Active Directory for polling Global Catalogs. LDAP Providers can be added, edited or removed with WorkSpace Management Console. Multiple LDAP Providers can be configured providing support for multiple domains. Details required for each LDAP Provider are:
LDAP Connection: valid LDAP connection binding string point to the required directory, e.g.
o LDAP://servername/dc=domain,dc=com o LDAP://dc=domain,dc=com o GC://dc=domain,dc=com
LDAP directory account operator username and password credentials: the service account credentials for the domain. Once these credentials have been entered, they are encrypted within the WorkSpace configuration data store. If the details of the domain service account credentials need to be amended they must be edited through WorkSpace Management Console.
Should details of any domains Centrix Universal supports changed or new domain needs to be added, changes must be done by editing the config.xml file found in Inetpub\wwwroot\Workspace. Edit the following line to add, change or remove directory/domains as required.
<configitem name="Domains" value="CENTRIXDOM1, CENTRIXDOM2"></configitem>
CITRIX - Citrix Providers
Citrix Providers can be added, edited or removed with WorkSpace Management Console to deliver published applications and virtual desktops services from Citrix XenApp and XenServer. Multiple Citrix Providers can be configured providing support for multiple farms. Details required for each Citrix Provider include the following parameters; please refer to you Citrix documentation for further details:
Active Filter: filter Citrix applications. This can be used to set a location preference for example. It enumerates and filters application based on mask set. Example: All:,Office Only:*Word*+*Excel*+*Outlook*+!*Access*.
Active Validation: enable or disable the Active Filter functionality. Validate the availability of each resource on enumeration. Caution: this slows down Centrix Universal operation.
CGP: enable/disable Citrix Common Gateway protocol
Client Address: force the clients IP address to the value specified.
ICA Client Install details: o Client Install Icon: URL location (fully qualified or relative to Centrix
Universal server) for the icon to be used for the client install. o Client Install URL (Win32, Win64, Linux, MacIntel or Linux): URL location
(fully qualified or relative to Centrix Universal server) for the client setup files for their respective platforms.
Dynamic Client: enable or disable dynamic client functionality.
Dynamic Client Prefix: prefix the client name with the given string (typically used in conjunction with CAG).
External Address: Citrix NAT external address
Farm: Citrix farm‟s name.
Internal Address: Citrix NAT internal address
35
Proximity Access: enable or disable proximity access functionality
Proximity Mapping: set destination server based on client IP address. Example : 192.168.1=153.100.12.1,192.168.2=152.100.12.2
ZDC Server: comma delimited list of Citrix ZDC servers. Name or IP Address can be specified. Example : SERVER1:80,SERVER2:80.
Server Domain: domain to be used to enumerate all resources in the management console.
Service Username and Password: Centrix Universal‟s service account username and password to access Citrix resources
SG Address: Secure Gateway address.
SG Enabled: enable or disable Secure Gateway functionality.
STA URL: Secure Ticket Authority URL. For example: http://SERVER/scripts/ctxsta.dll
Use Address Translation: enable or disable Network Address Translation
WSTS - Windows Server Terminal Services Providers
Windows Server Terminal Services Providers can be added, edited or removed with WorkSpace Management Console to deliver Terminal Services sessions. Multiple WSTS Providers can be configured. Details required for each WSTS Provider include (refer to Microsoft documentation for further details):
Server: Windows Server Terminal Services‟ server name or IP address.
RSSREADER - RSS Providers
RSS Reader Providers can be added, edited or removed with WorkSpace Management Console to deliver Terminal Services sessions. Multiple RSS Reader Providers can be configured. Details required for each RSS Reader Provider include:
Add In: must be set to “RSSReader” to launch the default RSS reader module in WorkSpace RIA client.
NewsFeeds: comma delimited URLs of RSS feeds. . Use absolute address for external. Internal could be relative if on same website
ShowFeedDate: enable or disable date to be displayed under each post.
METABROKER - Meta-Broker Providers
Centrix Universal Meta-Broker relies on Quest vWorkspace (formerly Provision Networks Virtual Access Suite) to handle VDI desktops hosted on VMware, Microsoft Hyper-V or other infrastructure. Complete the following fields for each vWorkspace connection broker to be served by WorkSpace. Refer to Quest vWorkspace manual for more information. Note – Centrix Universal Meta-Broker requires a separate activation key to enable Quest vWorkspace. Refer to Quest vWorkspace manual to identify the VMAC address of your server and contact Centrix Software to get the required activation key.
36
The following can be specified for each Centrix Meta-Broker Providers:
Server: server name or IP address.
Desktop Height: default height in pixels of the applications or desktops served.
Desktop Width: width in pixels of the applications or desktops served.
Fullscreen: enable or disable the applications or desktops to be displayed in full screen, overriding the width and height when enabled.
Seamless Mode: enable or disable seamless Windows (borderless „native‟ application look).
Span Monitors: enable or disable spanning across multiple monitors.
Server Domain: domain to be used to enumerate all resources in Centrix Universal Management Console.
Service Username: user name to be used to enumerate all resources in Centrix Universal Management Console.
Service Password: service password to be used to enumerate all resources in Centrix Universal Management Console.
Quest vWorkspace Client Install details: o Client Install Icon: URL location (fully qualified or relative to Centrix
Universal server) for the icon to be used for the client install. o Client Install URL (Win32, Win64, Linux, MacIntel or Linux): URL location
(fully qualified or relative to Centrix Universal server) for the client setup files for their respective platforms.
37
LOCALCLIENT - Local client Providers
Centrix Universal enables Windows local applications to be made available to Centrix Universal RIA client application running on a given environment. This is currently only available on Windows machines (check with Centrix Software for Mac and Linux support) and requires Centrix Universal Windows Local Agent to be installed. Local applications are unique and only available on a specific machine. LOCALCLIENT: windows local app served by Centrix WS Local agent Install URL and ICON as per Citrix Description: free text field to describe the provider only for ref in console
Modules
A Module is the representation of a Provider in Centrix Universal clients. The following parameters define how Modules are called, Providers they are associated with and how they are to be graphically positioned in WorkSpace RIA clients.
A Provider needs to have at least one Module associated with it to be represented in WorkSpace clients. The following parameters can be defined for each module:
Name: reference name of the module.
Module Provider: Provider to be used by this Module.
Top / Bottom: module‟s relative position in pixels from the top (or bottom) of Centrix Universal RIA client. Only one of Top or Bottom can be set but not both.
38
Left / Right: module‟s relative position in pixels from the left (or right) of Centrix Universal RIA client. Only one of Left or Right can be set but not both.
Height: module‟s height in pixels. If left empty the module height will be set to 100%.
Width: module‟s width in pixels. If left empty the module width will be set to 100%.
Visible: enable or disable the Module to be visible in Centrix Universal RIA client. This allows for a Provider to be used while not shown, for example to loading different Citrix providers.
Workspaces
A Workspace is a virtual workspace environment for Centrix Universal RIA client. It is a useful way to organize different views of the different modules/providers combination.
A Workspace is defined by a single parameter: its reference Name.
Layouts
A layout defines the modules that will be loaded for a given User Group. NOTE: Even if a module is not visible it must be loaded into a layout for it to become active when a user logins in.
39
A Layout is defined with the following parameters:
Subscribers: group or users the Layout applies to.
Workspace: name of the Workspace the Module will be displayed on in Centrix Universal RIA client.
Module: Module to be displayed.
Order: order the Modules are loaded. The last Module loaded is the top most being displayed in Centrix Universal RIA client.
Subscribers
Subscriber defines the environment given to a user based on Group and individual user setting defined. Generally most environments would be defined for a given Active Directory group rather than individual users.
40
A Subscriber is defined by the following parameters:
Subscriber Identity: reference name formatted as domain/usename. This is case sensitive as defined in the service directory used (LDAP or Active Directories).
Type: subscriber type: either G for group or U for users.
Theme: Theme to use. For a user belonging to multiple groups, the theme displayed is based on the last group listed.
Collections
A Collection is a way to group resources from made available by Providers. Collections can be created and managed by each user. Likewise Collections can be defined for each individual or Subscriber groups. By default, Collections created for a group are automatically shared by group members. They can set or delete resources in such Collections with any changes being propagated to all group members when they next login to WorkSpace. Locking a Collection prevents group members to add/remove resources and is an easy way to provide a set of prescribed set of resources to a given user or group of users.
41
A shared or lock Collection is defined by:
Name: reference name for the Collection.
Subscriber: Subscribers the Collection is made available to.
Resources: resources to be made available in the Collection from the environments available.
Themes
A Theme is a graphical skin used by Centrix Universal RIA client. Default themes are provided with Centrix Universal default installation others can be customized or developed. Please contact Centrix Software for more information: [email protected].
42
A Theme is defined by the following parameters:
Name: reference name for a theme.
Skin: Flash compiled style sheet.
Logo: logo displayed at the top left corner. The format required is .png or .jpg with a recommended height of 60 pixels maximum and recommended width of 700 pixels maximum.
43
Configuration
This section covers generic parameters and setting for a given Centrix Universal server installation.
The following parameters can be defined for a given Centrix Universal server:
License Key: cut and paste your Centrix Universal license key (evaluation, permanent or subscription key) provided by Centrix Software or its partners.
Workspace Title: change the default “Centrix Universal” title to set a new title displayed for browser running WorkSpace client.
Show WorkSpace Explorer: enable or disable WorkSpace Explorer in WorkSpace clients connecting to this server.
Show Resource Explorer: enable or disable WorkSpace Resource Explorer in WorkSpace clients connecting to this server.
Show Resource Explorer Icon: enable or disable the icon view in WorkSpace Resource Explorer for WorkSpace clients connecting to this server.
Show Resource Explorer List View: enable or disable the list view in WorkSpace Resource Explorer for WorkSpace clients connecting to this server.
Show Resource Explorer Providers: enable or disable the Providers in WorkSpace Resource Explorer for WorkSpace clients connecting to this server.
44
Show Resource Folder: enable or disable the folder view in WorkSpace Resource Explorer for WorkSpace clients connecting to this server.
Show Icon Reflexion: enable or disable the icon reflexion in WorkSpace clients connecting to this server.
Show Profile: enable or disables the User Profile button in WorkSpace clients connecting to this server. When enabled, this provides an easy way to access IP address and other details useful to support WorkSpace users and provides them with a way to access and install clients available (ICA client, Centrix Universal Windows Local Agent …).
Enable Single Click: enable or disables to open a WorkSpace resource in WorkSpace clients connecting to this server.
The following configuration parameters are required to use the password reset functionality provided within Centrix Universal:
Allow User Email: allow users to provide alternative email address to receive WorkSpace new password.
SMTP Server: name or IP address of the SMTP server to use for password reset.
SMTP Requires Authentication: enable or disable depending of SMTP authentication required or not.
SMTP User: SMTP server service username.
SMTP Password: SMTP server service password.
SMTP Domain: SMTP server domain.
SMTP From Address: “from address” to be used for WorkSpace generated emails.
SMTP Subject: “subject” to be used for WorkSpace generated emails.
Login disclaimer and internal help page for a Centrix Universal deployment:
Login Disclaimer: text disclaimer presented on Centrix Universal login screen to all users. This field can be left blank.
Help URL: URL to an internal help site if required, e.g. IT help desk …
45
7. Managing Centrix Universal RIA clients
Centrix Universal RIA client requires only a web browser and Adobe Flash Player 9 or later to run.
Flash installation
Upon first launch on a device, WorkSpace RIA client will detect for the Adobe Flash Player. If it is not present will prompt the user to fulfill the managed download and installation, or if possible an update.
Clients for virtualization technologies
To launch resources from the virtualization infrastructures provisioned through Centrix Universal, the client device will also require the appropriate client type. If not already installed users can download and install clients for virtualization technologies such as Citrix ICA or Quest Vworkspace Virtual Access Suite. Clients‟s download are configured in Centrix Universal Management Console. When made available users can install and download them clicking on the User Profile button in WorkSpace client and follow the the instructions.
46
Centrix Universal Windows Local Agent
To make full use of Centrix Universal on Windows machine (including gathering data on application used locally though Centrix Universal client) Centrix Universal Local Agent needs to be installed. If not already installed users can download and install Centrix Universal Windows Local Agent on their machines. Users can install and download it clicking on the User Profile button in WorkSpace client (see earlier section), selecting Centrix Universal logo and follow the instructions. Once installed Centrix Universal Windows Local Agent is automatically started and registered to start every time.
47
Using Centrix Universal client
To deploy Centrix Universal, users simply needs to be pointed to the URL Centrix Universal server has been configured to run on to presented with WorkSpace logon screen:
Centrix Universal server and Centrix Universal client-side user environment is highly configurable. Each user‟s view will depend on the modules and layouts made available to them. Typically users will have an environment similar to this:
48
The key elements of Centrix Universal clients are:
Collections: where user defined, shared and locked Collections are accessible and managed (add, delete, rename Collection).
o If allowed users can create, rename and delete Collections in their environments. They can add, remove resources from any of their user defined Collections too.
o Shared Collections can only be created by Centrix Universal administrators using the Management Console. Shared Collections are accessible to all group members. Members can add or delete resources and change shared Collection name. Any such modifications will be propagated to all group members when they next logon their Centrix Universal environment.
o Locked Collections can only be created by Centrix Universal administrator s using the Management Console. Locked Collections can not be modified by the users.
Quick Links: a special Collection for frequently used resources that always remain visibile.
Workspace: the main user interface displaying current Collection‟s resources.
Search and Resource Explorer: enable to browse and search across providers, including if present local resources through Centrix Universal Windows Local Agent.
o One of the most power features of Centrix Universal client is the Dynamic
Search that enables to easily find resources across all providers available.
o Depending on WorkSpace configuration set though WorkSpace Management Console, users can toggle the Resource Explorer View between „list‟ and „icon view‟.
o Details of a resource (name, type, provider, etc…) can be found right clicking on
it and selecting „Properties‟.
RSS Readers, when configured display the RSS feeds they are pointing at.
Deleted Items, when no longer required in a Collection resources can be dragged in the Deleted Items. Resouces will not be deleted as such but removed from their Collections.
49
8. Centrix Universal Metering
Centrix Universal Metering offers greater visibility and control over IT services usage and focuses on the main cost drivers for IT; Business Demand, Hardware Infrastructure and Applications. By providing detailed aggregated analysis across enterprise platforms, multiple farms and different environments, IT management can use Centrix Universal Metering to quickly identify demand trends, sub-optimal server utilisation, under used applications and the groups of applications most used by business users. Metering reports which show demand at a domain, business area and user level can be used to provide business managers with detailed usage information enabling them to optimise the way they consume IT resources. By combining this with cost information business managers can be encouraged to make optimisation decisions themselves. Examples include:
Decommissioning legacy / underutilized applications,
Allowing business-units to maximise performance on specific servers by sharing them with other business units,
Switching from expensive full license products to cheaper “viewer” alternatives For mature Enterprises that already chargeback costs to business units Centrix Universal Metering gives the ability to produce detailed cost analysis and to export chargeback files which can be fed into ERP systems. For Enterprises that are not currently using chargeback mechanisms or have chosen to retain IT costs centrally, WorkSpace Metering allows IT management to actively demonstrate to the business the service and value that they provide and to show accurate budget allocation. Finally, WorkSpace Metering allows IT Management to benchmark their services, set Key Performance Indicators (KPIs) and track progress.
Centrix Universal Metering components
Centrix Universal Metering consists of three main elements:
WorkSpace Metering Adapters: These live in the same environment as your main virtualisation technologies (Citrix, VMWare, WorkSpace etc) and are used to gather utilisation data to be synchronised with the WorkSpace Metering Database
WorkSpace Metering Database: This lives in a central location and is used to process, groom, aggregate and store utilisation data captured by the Adapters
WorkSpace Metering Web Application: This ASP.NET application is the Graphical User Interface giving the end user access to management information
The adapters gather utilisation data from the environments they are monitoring and synchronise the data back to the WorkSpace Metering Database on a regular basis. A diagram outlining the architecture of Centrix Universal Metering is shown below.
50
Citrix PSX
Adaptor
XenApp
Adaptor
VMware
Adaptor
WorkSpace
Adaptor
Centrix
WorkSpace
Metering
Database
Centrix Universal Metering Data Adapters
Currently Centrix Universal Metering is currently shipped with 4 data adapters:
Citrix PSX
Citrix XenApp
VMWare
WorkSpace Adapter‟s can be replicated to sit on multiple farms to gather utilisation data. Centrix Universal Metering architecture allows for additional adapters to be created to aggregate data from other sources on a bespoke basis, please contact Centrix Software for more details.
Centrix Universal Metering Database
The Centrix Universal Metering Database is synchronised with data from each adapter on a daily basis. It requires MS SQL 2005.
51
Centrix Universal Metering Graphical User Interface
The GUI consists of 7 main elements:
Menu
Parameter Tool Bar
Grouping Tool Bar
Column Headers
Filter Boxes
Data Sets
Charts
Paging Controls The Menu The Menu gives access to all of the reports and charts. Rolling the mouse pointer across each element will generate a drop down giving further choices. The file menu item allows you to Export data from any of the data grids to Excel, Comma Separated Values (CSV), Word and PDF. Chart Graphics can be exported by right clicking the chart and saving the resulting file. Each element of the Menu bar will be explained in detail in each report. The Parameter Tool Bar Some reports give you the ability to set date ranges and/or values. The parameter input controls, where applicable are shown directly under the menu. The Grouping Tool Bar All of the data reports give the user the ability to group by any column. Clicking and holding a column and dragging it to the toolbar will result in groups being created. When you have finished with the grouping, dragging the column from the grouping bar back to the column header bar will ungroup. Column Headers Clicking on a column header will result in a sort on the header value. Initial direction is set to ascending, a second click will order by descending values. Right Clicking on a column header brings up a drop down menu that allows you to group, ungroup, sort, clear filters and control the visibility of columns. To reduce the level of detail shown, you can right click the header, select the Columns option and then deselect columns of data you do not wish to see. Filter Boxes The Filter Boxes allow you to insert data or values that you want to filter by. Once you have put a value in the filter box, clicking the filter icon will give you a list of possible filter options.
52
Data Sets This area contains the data retrieved by the report. Some reports give the user the ability to see charts, see extra information or input/update data. Where that capability is supplied there will either be a column indicator:
Shown in bold and underlined which can be clicked to generate/update the extra information.
Column indicator showing the „>‟ symbol which can be clicked to open up further detail.
Charts All charts can be exported by right clicking the chart and saving the graphic. Some detailed charts allow the user to zoom in on the detail level. Where this capability is supplied you will see red cross hairs along each axis of the chart when you move your mouse over the chart. Clicking and dragging the cursor over the area you want to zoom in on will result in the chart being reloaded at the chosen level of detail. Scroll bars can be used to move along the axis of the chart. Paging Controls All of the data grids have paging controls which allow you to:
Increase or decrease the number of rows displayed
Jump to other pages of data
Centrix Universal Metering Optimization Reports
Management Summary
Application Dashboard
Prerequisites In order to get the maximum value from this report you will need to input the TCO and Tariff using the Application License Cost Input form from the Management Console What can you use this report for? The primary use of the Application Dashboard is to identify the demand for applications from users:
How many people use the application (Unique Users)
How many times the application has been used (Logins)
How much you charge users for the application per month (Tariff)
The annual license cost (TCO)
What your recovery rate is (Tariff apportioned over the time period)
What your cost is (TCO apportioned over the time period)
The net cost (Recovery- Cost) for that application
53
Suggested ways to use the report 1. Identify under utilized applications
Use the sort column function on Unique Users and Logins to identify applications with low usage. Alternatively use the filter column to select bands of user demand (i.e. show me all the applications with logins < 20)
Click the „details‟ field to see the detailed demand profile, the servers that application uses and the user demand profile for that application
For applications that have no usage consider uninstalling them
For applications with little or sporadic usage which are installed on a number of servers consider uninstalling the application from all but a single server
2. Identify „loss making‟ applications
Use sort or filter on „Delta‟ to identify those applications where your set tariff is failing to recover your costs
Click the „details‟ field to see the detailed demand profile, the servers that application uses and the user demand profile for that application
Consider increasing your tariff rate so that costs can be recovered
Server Dashboard
Prerequisites: In order to get the maximum value from this report you will need to input the TCO and Tariff using the Server TCO and Server Tariff Input forms from the Management Console What can you use this report for? The primary use of the Server Dashboard is to identify the demand for servers from users:
How many people use the server (Unique Users)
How many times the server has been used (Logins)
How much you charge users for the server per hour (Tariff)
The Total Cost of Ownership (TCO)
What your recovery rate is (Tariff apportioned over the time period)
What your cost is (TCO apportioned over the time period)
The net cost (Recovery- Cost) for that application Suggested ways to use the report 1. Identify under utilized servers
Use the sort column function on Unique Users and Logins to identify servers with low usage. Alternatively use the filter column to select bands of user demand (i.e. show me all the servers with logins < 20)
Click the „details‟ field to see the detailed demand profile, the applications that server hosts and the user demand profile for that server
For servers that have no usage consider decommissioning them or using them elsewhere
For servers with little or sporadic usage consider consolidating the applications onto alternative servers and decommissioning
54
2. Identify „loss making‟ servers
Use sort or filter on „Delta‟ to identify those servers where your set tariff is failing to recover your costs
Click the „details‟ field to see the detailed demand profile, the applications that server uses and the user demand profile for that server
Consider increasing your tariff rate so that costs can be recovered
Look for further business demand that can increase the utilisation rate of the server
Servers
Server Inventory
Prerequisites: In order to get the maximum value from this report you will need to input the TCO and Tariff using the Server TCO and Server Tariff Input forms from the Management Console What can you use this report for? Quickly identify servers, manufacturer details, model and type, processors, operating system etc...
Virtualization Mix Report
What can you use this report for? The Virtualisation mix report shows the proportion of the estate that is being used by each of the main virtualisation technologies deployed.
Server Cost Profile Chart
Prerequisites: In order to get the maximum value from this report you will need to input the TCO and Tariff using the Server TCO and Server Tariff Input forms from the Management Console. What can you use this report for? See at a glance the proportion of efficient and inefficient servers in your estate.
Most Used Servers Chart
Prerequisites: In order to get the maximum value from this report you will need to input the TCO and Tariff using the Server TCO and Server Tariff Input forms from the Management Console. What can you use this report for? Identify the servers that are experiencing most demand.
55
Suggested ways to use the report Use the parameter dropdown to select the number of servers you want to see.
Least Used Servers Chart
Prerequisites: In order to get the maximum value from this report you will need to input the TCO and Tariff using the Server TCO and Server Tariff Input forms from the Management Console. What can you use this report for? Identify the servers that are experiencing least demand. Suggested ways to use the report Use the parameter dropdown to select the number of servers you want to see.
Most Cost Efficient Servers Chart
Prerequisites: In order to get the maximum value from this report you will need to input the TCO and Tariff using the Server TCO and Server Tariff Input forms from the Management Console. What can you use this report for? Identify the most cost efficient servers.
Suggested ways to use the report Use the parameter dropdown to select the number of servers you want to see.
Least Cost Efficient Servers Chart
Prerequisites: In order to get the maximum value from this report you will need to input the TCO and Tariff using the Server TCO and Server Tariff Input forms from the Management Console What can you use this report for? Identify the least cost efficient servers.
Suggested ways to use the report Use the parameter dropdown to select the number of servers you want to see.
Demand
Demand Profile Chart
Prerequisites: None.
56
What can you use this report for? See, at a glance, the demand your users have put on your infrastructure. Suggested ways to use the report Use the date parameters to determine start and end periods for the report.
Metering
Prerequisites: None. What can you use this report for? See, at an individual level, the demand users have put on your infrastructure. Suggested ways to use the report
Use the sort columns to identify heavy/low users
Use the > key at the side of each row to see detailed user information (demand profile, applications used and servers used
Power Users Chart
Prerequisites: None. What can you use this report for? See, at a glance, the people who use your infrastructure the most. Suggested ways to use the report Use the parameter dropdown to select how many power users to see.
Applications
Application Inventory
Prerequisites: In order to get the maximum value from this report you will need to input the TCO and Tariff using the Application License Cost Input form from the Management Console. What can you use this report for? To quickly identify applications, their manufacturer, usage and costs.
Most Used Applications Chart
Prerequisites:
57
None What can you use this report for? Identify, at a glance, the most popular applications in use Suggested ways to use the report Use the parameter dropdown to select the number of applications you want to see
Least Used Applications Chart
Prerequisites: None What can you use this report for? Identify, at a glance, the least popular applications in use Suggested ways to use the report Use the parameter dropdown to select the number of applications you want to see
Management Console
Server TCO Input
Prerequisites: None What can you use this report for? Input details for your server estate Suggested ways to use the report
Click the „Edit‟ button
Input the detail where you have it
Click „Update‟ to commit the data or „Cancel‟ to abort
Server Tariff Input
Prerequisites: None What can you use this report for? Input tariff details for your server estate Suggested ways to use the report
Click the „Change Tariff‟ button
58
Input the detail where you have it
Click „Update‟ to commit the data or „Cancel‟ to abort
Application License Cost Input
Prerequisites: None What can you use this report for? Input tariff and details for your applications Suggested ways to use the report
Click the „Change Tariff‟ button
Input the detail where you have it
Click „Update‟ to commit the data or „Cancel‟ to abort
Server Wizard
Prerequisites: None. What can you use this report for?
This report allows you to enter an estimated TCO for your server estate in the parameter box.
Once the TCO has been input the Wizard will estimate the cost per hour for each server
Suggested ways to use the report
Using this report you can get a feel for the approximate server tariff that you would need to apply across your infrastructure in order to recover your TCO each year
Inevitably, there will be extremes in terms of results, both high and low. We suggest taking an average cost for the bulk of your server infrastructure and then use the Bulk Server Tariff Input Form.
Once you have applied the bulk tariff, return to this report and use the filter and sort columns to identify extremes and set individual values for them.
Centrix Universal Metering Chargeback Reports
Billing
Prerequisites: In order to get the maximum value from this report you will need to input the TCO and Tariff using the Application License Cost Input form from the Management Console You will also need to input the TCO and Tariff using the Server TCO and Server Tariff Input forms from the Management Console
59
What can you use this report for? Allocating cost back to users based on real consumption figures Suggested ways to use the report
Export the file to CSV and use as input to your ERP
Select the „Bill Now‟ option from the parameter dropdown. This will set the flag on all items to „Billed‟ and they will no longer appear in the Billing Report.
60
9. Two-factor authentication integration
Centrix Universal provides out of the box integration with leading two-factor authentication solutions commonly used in enterprise security environments. These can easily be extended to other security solutions, please contact Centrix Software for more information: [email protected].
SecurEnvoy
Centrix Universal and SecurEnvoy architecture overview
SecurEnvoy two-factor authentication is based on something you know (a password or PIN) and something you have (an authenticator), providing a much more reliable level of user authentication than reusable passwords. SecurEnvoy uses a centralized server as an authenticator that sends one-time passcodes to the user‟s mobiles via SMS. SecurEnvoy two-factor authentication solution has the advantage of linking automatically the users to their Active Directory credentials providing a fully integrated solution that Centrix Universal can leverage. For example, should the Active Directory password be reset for a user, it will automatically be reflected within SecurEnvoy hence Centrix Universal. Centrix Universal provides out of the box integration with SecurEnvoy two-factor authentication solution. The installation and configuration steps required are detailed below.
Centrix Universal and SecurEnvoy architecture overview
The diagram below illustrates the architecture using SecurEnvoy two-factor authentication along Centrix Universal. Actual deployment may differ based on the security architecture and design in place, e.g. existence of a second firewall and DMZ, load balanced architecture of servers, etc... The overall principle would remain the same in most cases.
61
The key elements of the architecture are:
An IIS web server, where SecurEnvoy Web Agent and Centrix Universal are installed
SecurEnvoy Authentication Manager handling the two-factor authentication and connecting to an Active Directory domain controller
Active Directory domain controller holding users‟ credentials
Internet
SSL 443
LAN
SecurEnvoy
Auth manager
AD database
AD domain controller1. SecurEnvoy
Auth Web Agent
2. Workspace 4.0
SecurEnvoy Authentication Web Agent handles WorkSpace‟s request for two-factor authentication using a password or PIN and one-time passcode received by the user on his/her mobile phone. SecurEnvoy Web Agent takes the credentials and authenticates the user by secure communication with the SecurEnvoy Authentication Manager. SecurEnvoy authenticates the first factor credentials (username and password) by communicating with the AD, and authenticate the second factor credentials (one-time mobile phone passcode) by itself. Passcodes are sent by SecurEnvoy Authentication Manager mobile messaging gateway. Once a phone passcode is used, it is invalidated and a new one is sent automatically to the user.
62
Activating SecurEnvoy authentication
By default SecurEnvoy integration is not active when installing Centrix Universal. Two pre-requisites are required before activating this functionality. SecurEnvoy Web Agent and Centrix Universal must be installed on the same IIS server. Installing SecurEnvoy Web Agent and Centrix Universal are relatively independent processes. The following covers two scenarios:
SecurEnvoy is already installed, Centrix Universal is installed on the same IIS server
SecurEnvoy and Centrix Universal are installed for the first time together
Installing Centrix Universal with SecurEnvoy Web Agent already installed
In case SecurEnvoy Web Agent is already installed and used, Centrix Universal must be installed on the same IIS server. Alternatively, should a high workload be expected on the existing SecurEnvoy Web Agent, an additional instance of SecurEnvoy Web Agent can be installed on a separate server, as per the next section. It is recommended to thoroughly test the existing SecurEnvoy Web Agent before installing Centrix Universal.
Pre-requisites
A test to protect an HTML page using SecurEnvoy should be conducted before setting up WorkSpace. A test page is included in WorkSpace installation in: C:\Program Files\Centrix Software\WorkSpace\Security\securenvoy\test-SecurEnvoy.htm, and it looks like: <HTML>
<HEAD>
<TITLE>test SecurEnvoy</TITLE>
</HEAD>
<BODY>
Test SecurEnvoy - OK
</BODY>
</HTML>
The page displays “Test SecurEnvoy – OK” if two-factor authentication works correctly. The HTML file can be deleted once this step is completed. To set this test up the following steps are required:
1. Copy the test page in http://yourIIS/test/test-SecurEnvoy.htm
Action
63
Set the IIS protection of web site (if it is not already set up) by checking Enable SecurAccess Authentication on this server check box
Set Authentication timeout=1
In IIS management console, right click on test-SecurEnvoy.htm, properties.
Click on SecurEnvoy tab and check Enable Authentication:
Set up the test-SecurEnvoy.htm protection by SecurEnvoy by checking Enable Authentication
1. Browse the test page by Internet explorer: http://yourIIS/test/test-SecurEnvoy.htm 2. The first window you will see on your browser pops up and asks for your username
password and phone code. Fill them having a valid username, password and phone code form your working SecurEnvoy system.
3. When you click on Send, the SecurEnvoy Agent will authenticate you, by connecting with your SecurEnvoy authentication server
4. If you are successfully authenticated, then you will see the plain text of that page: Test SecurEnvoy – OK
5. Delete the page: test-SecurEnvoy.htm
64
If successful, your IIS configuration is ready for SecurEnvoy security and WorkSpace can be installed. 6. Install Centrix Universal following the required installation steps described in the
installation manual. After installation, normal login without two-factor authentication, is set by default
7. Test WorkSpace login process to confirm it works and login to WorkSpace main page.
Setting SecurEnvoy two-factor authentication
From the earlier steps, two-factor authentication is ready to be set:
1. With IIS Management Console, navigate to WorkSpace website configuration to set the authentication parameters
Action
Right click on file: SecurEnvoy.aspx, properties and click on SecurEnvoy Tab
Click on SecurEnvoy tab and check Enable Authentication
1. Using Windows Explorer on the server used go to WorkSpace installation directory
(C:\InetPub\wwwroot\workspace by default)
2. Open the XML configuration file: config.xml
3. In this configuration file the 7th line should by default look like:
<!–Security Types – RSA SecurID, SecurEnvoy, SmartCard, WorkSpaceLogin -->
<configitem name="SecurityTypes" value=”WorkSpaceLogin” />
Replace “WorkSpaceLogin” with “SecurEnvoy”. This line must now look like: <configitem name="SecurityTypes" value=”SecurEnvoy” />
4. Save the file.
65
5. The original WEB and WEBAUTHTEMPLATE folders must be overwritten with modified folders. They can be copied from Centrix Universal installation directory: C:\Program Files\Centrix Software\WorkSpace\Security\securenvoy\ to the WEB and WEBAUTHTEMPLATE original folders under C:\Program Files\SecurEnvoy\Microsoft IIS Agent.
6. The links in the following 2 files need to be overwritten too with the link generated by WorkSpace after the first login. Open the config.js file created by WorkSpace in C:\InetPub\wwwroot\workspace\scripts. It looks like:
function GetDomainString() {
return "CENTRIXDEV,CENTRIX_AD";
}
//full path to this file - admin will need it for RSA SecurID, SecurEnvoy, SmartCard
// http://192.168.2.40/securelogin/scripts/config.js
Copy the line in full without the comments: http://192.168.2.40/securelogin/scripts/config.js
7. Open auth.htm and accessdenied.htm from the WEBAUTHTEMPLATE folder and
insert the line above in the header of both to look like: <script language=”JavaScript” type=”text/javascript” src=”http://192.168.2.40/securelogin/scripts/config.js”></script>
8. Open passcodeok.htm from the WEBAUTHTEMPLATE folder and change the URL
in the ACTION statement of the FORM to point to the exact full http location of the file SecurEnvoy.aspx.As an example it should look similar to:
<FORM method="POST" action="http://192.168.0.194/Workspace/authentication/SecurEnvoy.aspx" name="NFuseForm" autocomplete="off">
9. Optionally the login screen text “Centrix Universal Secure Login” can be changed
by editing the following two files in WEBAUTHTEMPLATE: auth.htm and accessdenied.htm. In both files right at the bottom search for:
<h1 align="right">Centrix Universal Secure Login</h1>
And change the login text with a new one.
Centrix Universal security with SecurEnvoy two-factor authentication is now activated.
Installing Centrix Universal and SecurEnvoy together
In this scenario, neither Centrix Universal nor SecurEnvoy has been previously installed, leading to the following two options:
1. Install SecurEnvoy Authentication Manager (separate agreement with SecurEnvoy required) on a separate server following SecurEnvoy product documentation. Architectural and security design may be required for Security and Disaster/Recovery. Proper architectural and security design should be conducted first and not in the scope of this document.
66
2. Install IIS SecurEnvoy Web Agent (separate agreement with SecurEnvoy required) following the steps below:
Find the name / location of your SecurEnvoy Authentication Manager server
Get a copy of the Config.db form the SecurEnvoy Authentication Manager server
Form the SecurEnvoy installation, in folder: SecurAccess IIS Agent run setup.exe
Action
Click Next, and follow the next installation screens by default
In the page below fill the name of the SecurEnvoy Authentication server, and click on upload config.db file
Point to the file and click Open
Test the communication with the SecurEnvoy Server - finally the page must look like:
67
Click Yes/No depends if you want non secure http authentication. Be aware that form a security point of view it is not recommended to use non-secure communication as credentials are going back and forward in plain text otherwise
Click on finish
From this point the rest installation is the same as the first scenario above. Before carrying out WorkSpace installation it is best to test SecurEnvoy Web Agent.
Pre-requisites
A test to protect an HTML page using SecurEnvoy should be conducted before setting up WorkSpace. A test page is included in WorkSpace installation in: C:\Program Files\Centrix Software\WorkSpace\Security\rsasecurid\test-SecurEnvoy.htm, and it looks like: <HTML>
<HEAD>
<TITLE>test SecurEnvoy</TITLE>
</HEAD>
<BODY>
Test SecurEnvoy - OK
</BODY>
</HTML>
The page displays “Test SecurEnvoy – OK” if two-factor authentication works correctly. The HTML file can be deleted once this step is completed. To set this test up the following steps are required:
1. Copy the test page in http://yourIIS/test/test-SecurEnvoy.htm
Action
68
Set the IIS protection of web site (if it is not already set up) by checking Enable SecurAccess Authentication on this server check box
Set Authentication timeout=1
In IIS management console, right click on test-SecurEnvoy.htm, properties
Click on SecurEnvoy tab and check Enable Authentication:
Set up the test-SecurEnvoy.htm protection by SecurEnvoy by checking Enable Authentication
69
1. Browse the test page by Internet explorer: http://yourIIS/test/test-SecurEnvoy.htm
2. The first window you will see on your browser pops up and asks for your username password and phone code. Fill them having a valid username, password and phone code form your working SecurEnvoy system.
3. When you click on Send, the SecurEnvoy Agent will authenticate you, by connecting
with your SecurEnvoy authentication server
4. If you are successfully authenticated, then you will see the plain text of that page: Test SecurEnvoy – OK
5. Delete the page: test-SecurEnvoy.htm
If successful, your IIS configuration is ready for SecurEnvoy security and WorkSpace can be installed.
6. Install Centrix Universal following the required installation steps described in the installation manual. After installation, normal login without two-factor authentication is set by default.
7. Test WorkSpace login process to confirm it works and login to WorkSpace main page.
Setting SecurEnvoy two-factor authentication
From the earlier steps, two-factor authentication is ready to be set:
1. With IIS management console, navigate to WorkSpace website configuration to set the authentication parameters
Action
Right click on file: SecurEnvoy.aspx, properties and click on SecurEnvoy Tab
Click on SecurEnvoy tab and check Enable Authentication
1. Using Windows Explorer on the server used go to WorkSpace installation directory
(C:\InetPub\wwwroot\workspace by default)
2. Open the XML configuration file: config.xml
3. In this configuration file the 7th line should by default look like:
<!–Security Types – RSA SecurID, SecurEnvoy, SmartCard, WorkSpaceLogin -->
<configitem name="SecurityTypes" value=”WorkSpaceLogin” />
Replace “WorkSpaceLogin” with “SecurEnvoy”. This line must now look like:
70
<configitem name="SecurityTypes" value=”SecurEnvoy” />
4. Save the file.
5. The original WEB and WEBAUTHTEMPLATE folders must be overwritten with
modified folders. They can be copied from Centrix Universal installation directory: C:\Program Files\Centrix Software\WorkSpace\Security\securenvoy\ to the WEB and WEBAUTHTEMPLATE original folders under C:\Program Files\SecurEnvoy\Microsoft IIS Agent.
6. The links in the following 2 files need to be overwritten too with the link generated by WorkSpace after the first login. Open the config.js file created by WorkSpace in C:\InetPub\wwwroot\workspace\scripts. It looks like:
function GetDomainString() {
return "CENTRIXDEV,CENTRIX_AD";
}
//full path to this file - admin will need it for RSA SecurID, SecurEnvoy, SmartCard
// http://192.168.2.40/securelogin/scripts/config.js
7. Copy the line in full without the comments:
http://192.168.2.40/securelogin/scripts/config.js
8. Open auth.htm and accessdenied.htm from the WEBAUTHTEMPLATES folder and
insert the line above in the header of both to look like: <script language=”JavaScript” type=”text/javascript” src=”http://192.168.2.40/securelogin/scripts/config.js”></script>
9. Open passcodeok.htm from the WEBAUTHTEMPLATES folder and change the
URL in the ACTION statement of the FORM to point to the exact full http location of the file SecurEnvoy.aspx.As an example it should look similar to:
<FORM method="POST" action="http://192.168.0.194/Workspace/authentication/SecurEnvoy.aspx" name="NFuseForm" autocomplete="off">
10. Optionally the login screen text “Centrix Universal Secure Login” can be changed by
editing the following two files in WEBAUTHTEMPLATE: auth.htm and accessdenied.htm. In both files right at the bottom search for:
<h1 align="right">Centrix Universal Secure Login</h1>
and change the login text with the require text that needs displaying.
71
Centrix Universal security with SecurEnvoy two-factor authentication is now activated. User will be prompted with the following screen when login on:
72
RSA SecurID
RSA SecurID two-factor authentication is based on something you know (a password or PIN) and something you have (RSA authenticator, or token) providing a much more reliable level of user authentication than reusable passwords. As an authenticator RSA SecurID uses special hardware token that generates one-time passcodes (OTP). These OTP are 6 digits long and change every 60 seconds. RSA Authentication Manger server has the ability to authenticate the user based on the provided PIN and token passcode. Centrix Universal provides out of the box integration with RSA SecurID two-factor authentication solution. The installation and configuration steps required are detailed below. By default, RSA SecurID operates independently from Active Directory. Using Centrix Universal Encryptor enables RSA SecurID users‟ credentials to be linked to their Active Directory credentials providing a transparent login procedure through a single step. This however requires using Centrix Universal Encryptor every time Active Directory passwords are created or changed. Installing and using Centrix Universal Encryptor is covered in the last part of this section. For large and existing RSA SecurID installations it might be better not to link RSA SecurID users‟ credentials to Active Directory. In this case Centrix Universal integration still works, challenging first the users for their RSA SecurID credentials, then if positively authenticated without Active Directory pre-populated (see above), challenged for their Active Directory credentials before been logged in.
Centrix Universal and RSA SecurID architecture overview
The diagram below illustrates the architecture using RSA SecurID two-factor authentication along Centrix Universal. Actual deployment may differ based on the security architecture and design in place, e.g. existence of a second firewall and DMZ, load balanced architecture of servers, etc... The overall principle would remain the same in most cases.
73
The key elements of the architecture are:
1. An IIS web server, where RSA SecurID Web Agent and Workspace are installed
2. RSA SecurID Authentication Manager handling the two-factor authentication
Internet
SSL 443
LAN
RSA database
RSA Authentication
Manager server1. RSA Authentication
Web Agent
2. Workspace 4.0
RSA SecurID Authentication Web Agent handles WorkSpace‟s request for two-factor authentication using a Passwords or PINs and an RSA Authentication token. RSA SecurID Web Agent takes the credentials and authenticates the user by secure communicating with the RSA SecurID Authentication Manager. RSA SecurID authenticates the PIN comparing it with the RSA database and calculates the RSA token passcode. If both factors are OK, the user is authenticated. RSA Authentication tokens can be a small hardware device, like a keyfob with a LCD screen, or a software token, a small application running on different platforms. Token generates 6 digits at a time.
Activating RSA SecurID authentication
By default RSA SecurID integration is not active when installing Centrix Universal.
74
Two pre-requisites are required before activating this functionality. RSA SecurID Web Agent and Centrix Universal must be installed on the IIS server. Installing RSA SecurID Web Agent and Centrix Universal are relatively independent processes. The following covers two scenarios:
RSA SecurID is already installed, Centrix Universal is installed on the same IIS server
RSA SecurID and Centrix Universal are installed for the first time together
Installing Centrix Universal with RSA SecurID Web Agent already installed
In case RSA SecurID Web Agent is already installed and used, Centrix Universal must be installed on the same IIS server. Alternatively, should a high workload be expected on the existing RSA SecurID Web Agent, an additional instance of RSA SecurID Web Agent can be installed on a separate server, as per the next section. It is recommended to thoroughly test the existing RSA SecurID Web Agent before installing Centrix Universal.
Pre-requisities
A test to protect an HTML page using RSA SecurID should be conducted before setting up WorkSpace. A test page is included in WorkSpace installation in: C:\Program Files\Centrix
Software\WorkSpace\Security\rsasecurid\ test-RSA SecurID.htm, and it looks like: <HTML>
<HEAD>
<TITLE>test RSA SecurID</TITLE>
</HEAD>
<BODY>
Test RSA SecurID - OK
</BODY>
</HTML>
The page displays “Test RSA SecurID – OK” if two-factor authentication works correctly. The HTML file can be deleted once this step is completed. To set this test up the following steps are required:
1. Copy the test page in http://yourIIS/test/test-RSA SecurID.htm
Action
75
Set the IIS protection of web site (if it is not already set up) by checking Enable RSA Web Access Future Set on This Server check box
Both cookie expiration times must be set to 1
In IIS management console, right click on test-RSA SecurID.htm, properties.
Click on RSA SecurID tab and check Protect this resource with RSA SecurID. Uncheck Apply Change Recursively
1. Browse the test page by Internet explorer: http://yourIIS/test/test-RSA SecurID.htm
2. The first window you will see on your browser pops up and asks for your username
password and RSA token passcode. Fill them having a valid username, RSA PIN and RSA token passcode form your working RSA SecurID system.
3. When you click on Send, the RSA SecurID Agent will authenticate you, by
connecting with your RSA SecurID authentication server
4. If you are successfully authenticated, then you will see the plain text of that page: Test RSA SecurID – OK
5. Delete the page: test-RSASecurID.htm
76
If successful, your IIS configuration is ready for RSA SecurID security and WorkSpace can be installed.
1. Install Centrix Universal following the required installation steps described in the installation manual. After installation, normal login without two-factor authentication, is set by default
2. Test WorkSpace login process to confirm it works and login to WorkSpace main
page.
Setting RSA SecurID two-factor authentication
From earlier steps, two-factor authentication is ready to be set:
1. With IIS management console, navigate to WorkSpace website configuration to set the authentication parameters
Action
Right click on file: RSA SecurID.aspx, properties and click on RSA SecurID Tab
Click on RSA SecurID tab and check Enable RSA Web Access Future Set on This Server check box
1. Using Windows Explorer on the server used go to WorkSpace installation directory
(C:\InetPub\wwwroot\workspace by default)
2. Open the XML configuration file: config.xml
3. In this configuration file the 7-th line by default looks like: <!-- Security Types - RSASecurID, SecurEnvoy, SmartCard, WorkSpaceLogin -->
<configitem name="SecurityTypes" value=”WorkSpaceLogin” />
Replace “WorkspaceLogin” with “RSASecurID”. This line must now looks like: <configitem name="SecurityTypes" value=”RSASecurID” />
4. Save the file.
5. The original TEMPLATES folder must be overwritten with a modified folder. It can
be copied form Centrix Universal installation directory: C:\Program Files\Centrix
Software\workSpace\Security\rsasecurid\templates to the TEMPLATES original folder under C:\Program Files\RSA Security\RSAWebAgent.
6. The links in the following 2 files need to be overwritten too with the link generated by WorkSpace after the first login. Open the config.js file created by WorkSpace in: C:\InetPub\wwwroot\workspace\scripts. It looks like:
77
function GetDomainString() {
return "CENTRIXDEV,CENTRIX_AD";
}
//full path to this file - admin will need it for RSA SecurID, SecurEnvoy, SmartCard
// http://192.168.2.40/securelogin/scripts/config.js
Copy the full line without the comments: http://192.168.2.40/securelogin/scripts/config.js
7. Open useridandpasscode.htm and file redirect.htm from the TEMPLATES folder
and insert the line above in the header of both files to look like: <script language=”JavaScript” type=”text/javascript” src=”http://192.168.2.40/securelogin/scripts/config.js”></script>
8. Optionally the login screen text “Centrix Universal Secure Login” can be changed by
editing the following two files in TEMPLATES: auth.htm and accessdenied.htm. In both files search for the following at the bottom of the files:
<h1 align="right">Centrix Universal Secure Login</h1>
And change the login text with a new one.
Centrix Universal security with RSA SecurID two-factor authentication is now activated.
Installing Centrix Universal and RSA SecurID together
In this scenario neither RSA SecurID nor WorkSpace 4.0 has been previously installed, leading to the following two options:
1. Install the RSA SecurID authentication manager server (separate agreement with RSA required) on a separate server following RSA SecurID product documentation.
2. Architectural and security design may be required for Security and Disaster/Recovery. Proper architectural and security design should be conducted first and not in the scope of this document.
Install IIS RSA SecurID Web Agent (separate agreement with RSA required) following the steps below:
Get a copy of the sdconfig.rec form the RSA SecurID Authentication manager server
Form RSA SecurID Web Agent installation run setup.exe
Action
On first screen click Next. On this screen choose the origin of
installation, and click Next
78
Accept the license and click Next
Point to the correct sdconfig.rec file using Browse
Click Install and then Finish
From this point the rest installation is the same as the first scenario above Before carrying out WorkSpace it is best to test RSA SecurID Web Agent.
Pre-requisites
A test to protect an HTML page using RSA SecurID should be conducted setting up WorkSpace. A test page is included in the installation in: C:\Program Files\Centrix Software\WorkSpace\Security\rsasecurid\ test-RSA SecurID.htm, and it looks like: <HTML>
<HEAD>
<TITLE>test RSA SecurID</TITLE>
</HEAD>
<BODY>
Test RSA SecurID - OK
79
</BODY>
</HTML>
The page shows a text: “Test RSA SecurID – OK” in case all 2 factor authentication works correctly. After the tests the page must be deleted. To set this test up the following steps are required:
1. Copy, or create the test page in http://yourIIS/test/test-RSA SecurID.htm
Action
Set the IIS protection of web site (if it is not already set up) by checking
Enable RSA Web Access Future Set on This Server check box
Both cookie expiration times must be set to 1
In IIS management console, right click on test-RSA SecurID.htm, properties.
Click on RSA SecurID tab and check Protect this resource with RSA SecurID. Uncheck Apply Change Recursively
1. Browse the test page by Internet explorer: http://yourIIS/test/test-RSA SecurID.htm
80
2. The first window you will see on your browser pops up and asks for your username password and RSA token passcode. Fill them having a valid username, RSA PIN and RSA token passcode form your working RSA SecurID system.
3. When you click on Send, the RSA SecurID Agent will authenticate you, by
connecting with your RSA SecurID authentication server
4. If you are successfully authenticated, then you will see the plain text of that page: Test RSA SecurID – OK
5. Delete the page: test-RSASecurID.htm
If successful, your IIS configuration is ready for RSA SecurID security and WorkSpace can be installed.
6. Install Centrix Universal following the required installation steps described in the installation manual. After installation, normal login without two-factor authentication is set by default.
7. Test WorkSpace login process to confirm it works and login to WorkSpace main
page.
81
Setting RSA SecurID two-factor authentication
From earlier steps, two-factor authentication is ready to be set:
1. With IIS management console, navigate to WorkSpace website configuration to set the authentication parameters
Action
Right click on file: RSA SecurID.aspx, properties and click on RSA SecurID Tab
Click on RSA SecurID tab and check Enable RSA Web Access Future Set on This Server check box
1. Using Windows Explorer on that server go to the workspace web installation
directory (C:\InetPub\wwwroot\workspace)
2. Open the XML configuration file: config.xml
3. In this configuration file the 7th line by default looks like:
<!-- Security Types - RSASecurID, SecurEnvoy, SmartCard, WorkSpaceLogin -->
<configitem name="SecurityTypes" value=”WorkSpaceLogin” />
Replace “WorkspaceLogin” with “RSASecurID”. This line must now looks like: <configitem name="SecurityTypes" value=”RSASecurID” />
4. Save the file.
5. The original TEMPLATES folder must be overwritten with a modified folder. It can
be copied form Centrix Universal installation directory: C:\Program Files\Centrix
software\workSpace\Security\rsasecurid\templates to the TEMPLATES original folder under C:\Program Files\RSA Security\RSAWebAgent.
82
6. The links in the following 2 files need to be overwritten too with the link generated by WorkSpace after the first login. Open the config.js file created by WorkSpace in: C:\InetPub\wwwroot\workspace\scripts. It looks like:
function GetDomainString() {
return "CENTRIXDEV,CENTRIX_AD";
}
//full path to this file - admin will need it for RSA SecurID, SecurEnvoy, SmartCard
// http://192.168.2.40/securelogin/scripts/config.js
Copy the full line without the comments: http://192.168.2.40/securelogin/scripts/config.js
7. Open useridandpasscode.htm and file redirect.htm from the TEMPLATES folder
and insert the line above in the header of both files to look like: <script language=”JavaScript” type=”text/javascript” src=”http://192.168.2.40/securelogin/scripts/config.js”></script>
8. Optionally the login screen text “Centrix Universal Secure Login” can be changed
by editing the following two files in TEMPLATES: auth.htm and accessdenied.htm. In both files search for the following at the bottom of the files:
<h1 align="right">Centrix Universal Secure Login</h1>
And change the login text with a new one.
Centrix Universal security with RSA SecurID two-factor authentication is now activated. Users will be prompted with the following screen when logging on:
Centrix Universal Encryptor for RSA SecurID
Using Centrix Universal Encryptor enables RSA SecurID users‟ credentials to be linked to their Active Directory credentials providing a transparent login procedure through a single step. This however requires using Centrix Universal Encryptor everytime Active Directory
83
passwords are created or changed. In this case Centrix Universal Encryptor (an additional tool provided) must be installed and used to maintain the link between RSA SecurID and Active Directory credentials. Centrix Universal Encryptor encrypts the users‟ ActiveDirectory passwords before setting them in the RSA administration console. The encoding is done using AES 256 encryption. In this way the credentials are always safely encrypted throughout when communicating with the Centrix Universal client.
Installation
Centrix Universal Encryptor has to be installed on the same environment where the RSA administrator usually operates. The MSI installer can be found in Centrix Universal installation folder: C:\Program Files\Centrix Software\WorkSpace\Security\rsasecurid\RSA-PasswordEncryptor\CentrixEncryptorSetup.msi
Using Centrix Universal Encryptor for RSA SecurID
Once Centrix Universal Encryptor is started you will get the following interface:
1. Type the new password twice.
2. Click on Encrypt Password button to perform the encryption.
3. Copy the encrypted password and paste it in RSA Administration console, in user field “Default Shell” under “Authentication Setting” menu.
84
10. Customising WorkSpace
Once WorkSpace is operational, you may wish to add a corporate logo or change the theme / skin to further personalise your user experience. There are two areas of customisation that are possible today:-
Currently, WorkSpace has a choice of 2 themes (the font styles are pre-determined are not currently customisable) – these are:- Obsidian (Default) - Black / Grey Theme Whitewash - White Theme More themes will be made available in future releases of the software.
Corporate Logo Standards; creating your logo
Adding a logo to WorkSpace will further personalise the user experience, and help to maintain your corporate image, brand and identity. The logo format used by WorkSpace should adhere to the following parameters:- 700 (W) x 60 (H) pixels / the file format should be PNG on a transparent matte. To blend the logo into WorkSpace, you should also adopt a gradient fill to ALPHA fade for background colours.
Example 1: Two Corporate Logo Samples - “myEnergy_Logo.png” / “myBranch.png”
The logo can be saved as a suitable filename – for example “my_new_logo.png” Once this is created – you will need to transfer / copy the file to the appropriate folder on the WorkSpace server.
Logon Screen
• Add a Corporate Logo
• Modify the Background Colour (Whilst loading the RIA)
• Select one of the Logon Screen Themes
• Obsidian
• Whitewash
User WorkSpace
• Add a Corporate Logo
• Select one of the WorkSpace Themes
• Obsidian
• Whitewash
85
Copying the logo using the Windows Explorer:
Copy your new logo file to the following location
C:\Inetpub\wwwroot\Workspace\themes
Sample Logos
For your convenience, the WorkSpace installation includes 2 x sample logos which can be utilized during your initial setup or testing (for ease of use). Filename/s:- myBranch_Logo.png myEnergy_Logo.png These are installed by default in the following location:- C:\Inetpub\wwwroot\Workspace\themes
Customising the Logon Screen, Theme and loading page colour
Once your logo file has been created as per the standards shown above, you are ready to start customising your WorkSpace installation. This section will explain how to customise the “outside” of WorkSpace, in other words – the logon screen [users are not authenticated at this stage]. Modifying the logon screen is a „global change‟ to the WorkSpace server; all users accessing the logon screen will see an identical screen. Important folders and files PLEASE NOTE: Before editing or copying any files – please ensure that you make a backup copy to prevent unrecoverable errors occurring. Filename/s Default Location Description
config.xml C:\Inetpub\wwwroot\Workspace Configuration file for the WorkSpace CORE application (Modify this file to specify :- Filename of the Logo displayed on the Logon Screen)
default.swf C:\Inetpub\wwwroot\Workspace\themes The default theme SKIN (obsidian)
obsidian.swf C:\Inetpub\wwwroot\Workspace\themes A smart black theme SKIN (suitable for most corporate identities)
whitewash.swf C:\Inetpub\wwwroot\Workspace\themes A clean white theme SKIN
workspace.html C:\Inetpub\wwwroot\Workspace Configuration file for loading the WorkSpace CORE application (Modify this file to change the loading screen colours – bgcolor values) Typical HTML bgcolor values : #202020 [BLACK] #EFEFEF [WHITE]
Add your corporate logo to the Logon screen
Once you have created and copied your corporate logo to the themes folder, the next step is to modify the config.xml file to reference the image. By default – the config.xml file is located in C:\Inetpub\wwwroot\Workspace
86
Using a Windows based text editor (Notepad) – modify the highlighted value / property for “DefaultLogo” in the file as shown in the example below. The configuration file will need to be saved in order for the changes to take effect. EXAMPLE: Config.xml <?xml version="1.0" encoding="UTF-8"?> <config> <configitem name="WorkspaceService" value="/WorkSpaceService"></configitem> <configitem name="WorkspaceServiceName" value="WorkspaceService.asmx"></configitem> <configitem name="Domains" value="DOMAIN1, DOMAIN2"></configitem> <configitem name="DefaultTheme" value="default.swf"></configitem> <configitem name="DefaultLogo" value="my_new_logo.png"></configitem> <!-- debug level - DEBUG, ERROR, FATAL --> <configitem name="DebugLevel" value="FATAL"></configitem> <configitem name="Mac" value="/install/MacICA_OSX.dmg.zip"></configitem> <configitem name="Windows" value="/install/Ica32Pkg.msi"></configitem> <configitem name="Linux" value="/install/en.linuxx86.tar.gz"></configitem> </config>
87
Modify the background loading screen colours (Please Note: This section is ONLY applicable if you are NOT using the default / Obsidian theme) If you have decided to use a non default theme, for example “whitewash”, then you will also be required to modify the background colour values for the loading screens (prior to the WorkSpace CORE RIA loading into memory). If you are using the default theme (obsidian) then you can proceed to the next section. 1. Using a Windows based text editor – open the workspace.html file for editing 2. Using the “search” feature of the editor, find and locate the value “bgcolor” 3. There are FOUR entries for the bgcolor parameter which you need to edit 3.1. Change the value from “#202020” to read “#EFEFEF” – which is the HTML bgcolor
value for White. (See example below with highlighted values) EXAMPLE: workspace.html (edited) (Modify this file to change the Background Colour prior to loading the WorkSpace CORE RIA)
<html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <!-- BEGIN Browser History required section --> <link rel="stylesheet" type="text/css" href="history/history.css" /> <!-- END Browser History required section --> <title></title> <script src="AC_OETags.js" language="javascript"></script> <!-- BEGIN Browser History required section --> <script src="history/history.js" language="javascript"></script> <!-- END Browser History required section --> <style> body { margin: 0px; overflow:hidden; } h1 { font-family: Arial, Helvetica, sans-serif; font-size: 14px; font-weight: normal; color: #ffffff; } p { font-family: Arial, Helvetica, sans-serif; font-size: 12px; font-weight: normal; color: #ffffff; } </style> <script language="JavaScript" type="text/javascript"> <!-- // ----------------------------------------------------------------------------- // Globals // Major version of Flash required var requiredMajorVersion = 9; // Minor version of Flash required var requiredMinorVersion = 0; // Minor version of Flash required
88
var requiredRevision = 28; // ----------------------------------------------------------------------------- // --> </script> </head> <body scroll="no"> <script src="scripts/iFrameScripts.js" language="javascript"></script> <script src="scripts/cookieScripts.js" language="javascript"></script> <script src="scripts/detectBrowserScripts.js" language="javascript"></script> <script src="scripts/detectCitrixClient.js" language="javascript"></script> <div id="iframeDiv" style="position:absolute;background-color:transparent;border:0px;visibility:hidden;"></div> <script language="JavaScript" type="text/javascript"> <!-- // Version check for the Flash Player that has the ability to start Player Product Install (6.0r65) var hasProductInstall = DetectFlashVer(6, 0, 65); // Version check based upon the values defined in globals var hasRequestedVersion = DetectFlashVer(requiredMajorVersion, requiredMinorVersion, requiredRevision); if ( hasProductInstall && !hasRequestedVersion ) { // DO NOT MODIFY THE FOLLOWING FOUR LINES // Location visited after installation is complete if installation is required var MMPlayerType = (isIE == true) ? "ActiveX" : "PlugIn"; var MMredirectURL = window.location; document.title = document.title.slice(0, 47) + " - Flash Player Installation"; var MMdoctitle = document.title; AC_FL_RunContent( "src", "playerProductInstall", "FlashVars", "MMredirectURL="+MMredirectURL+'&MMplayerType='+MMPlayerType+'&MMdoctitle='+MMdoctitle+"", "width", "100%", "height", "100%", "align", "middle", "id", "Workspace", "quality", "high", "bgcolor", "#202020", "name", "Workspace", "allowScriptAccess","sameDomain", "type", "application/x-shockwave-flash", "pluginspage", "install/installFlash.html", "allowFullScreen", "false" ); } else if (hasRequestedVersion) { // if we've detected an acceptable version // embed the Flash Content SWF when all tests are passed AC_FL_RunContent( "src", "Workspace", "width", "100%", "height", "100%", "align", "middle", "id", "Workspace", "quality", "high", "bgcolor", "#202020", "name", "Workspace", "allowScriptAccess","sameDomain", "type", "application/x-shockwave-flash", "pluginspage", "install/installFlash.html", "allowFullScreen", "false" ); } else { // flash is too old or we can't detect the plugin iframeDiv.style.width = "100%"; iframeDiv.style.height = "100%"; iframeDiv.style.visibility = "visible"; loadIFrameVisible( "install/installFlash.html" ); // insert non-flash content } // --> </script>
89
<noscript> <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="Workspace" width="100%" height="100%" codebase="install/swflash.cab"> <param name="movie" value="Workspace.swf" /> <param name="quality" value="high" /> <param name="bgcolor" value="#202020" /> <param name="allowScriptAccess" value="sameDomain" /> <param name="allowFullScreen" value="true" /> <embed src="Workspace.swf" quality="high" bgcolor="#EFEFEF" width="100%" height="100%" name="Workspace" align="middle" play="true" loop="false" quality="high" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="install/installFlash.html" allowFullScreen="false"> </embed> </object> </noscript> </body> </html>
Customising the User WorkSpace with a corporate logo
This is a 2 part process, in this section – we will:-
1) Associate a Logo with a Theme / Theme Skin 2) Associate the Users / Groups (subscribers) to a Theme
PART 1 – Associate a logo with a Theme / Theme Skin Using the WorkSpace Management Console, expand the Console Tree and select the Themes section.
As you can see from the screenshot shown below, there are two theme names (which are mapped to a SKIN):- DEFAULT Obsidian.swf CLASSIC whitewash.swf
This area of the management console defines which Theme name maps to which SKIN, and in addition which corporate logo is assigned to the SKIN. In the above example, there are currently no logos defined to the SKIN. If you would like your logo to appear under the DEFAULT Theme, with the Obsidian SKIN – select the Theme and choose „Edit‟ and enter a value for the name of your logo file – as in the previous example – “my_new_logo.png” (This was created and copied to the themes folder in the previous section on customisation)
90
Previous Example e.g. “my_new_logo.png”
PART 2 – Associate a User / Group with a Theme Name Within the WorkSpace Management Console, navigate to the “Subscribers” section
The screen will now show you the association between the “subscribers” and the themes.
Click on the Subscriber Identity you wish to change (e.g. DEFAULT), and choose „EDIT SUBSCRIBER‟ from the MMC actions panel (on the right hand side).
In the example shown above, All Subscribers (DEFAULT GROUP) will be given the “CLASSIC” theme. To add a new Subscriber – e.g. a specific Active Directory Group within an OU (DOMAIN\Finance) – select “Add New Subscriber” from the MMC actions panel and complete the required fields.
91
Click on the drop-down box to change the theme.
92
11. Advanced Troubleshooting
How to find the fully qualified name using LDAP standards (when referencing Users and Groups in WorkSpace Collections)
In order to grant the correct level of access to WorkSpace collections, the administrator of WorkSpace needs to provide a fully qualified LDAP string to ensure the users/groups are mapped correctly to the collection. In order to achieve this easily, follow the steps outlined below. 1. On the WorkSpace Server
1.1. Open the “Internet Information Services Manager” console
1.2. Navigate to “Web Sites”, “Default Web Site”, and “WorkSpaceService” in the left
hand panel
1.3. In the right hand pane, right-click on “Authentication.asmx” and select “Browse”
93
This will open a web browser session and display the following screen:-
1.4 Select “GetUserDetails” from the Service Operations List
1.5 Under “username” – enter the Domain\Username that you require the LDAP string for. For example: - centrixselab\user1
1.6 Click on “INVOKE”
The WorkSpace service will now perform an LDAP lookup and in a new browser window return an XML query which will contain the correct LDAP string for the user within the domain.
Using the fully qualified LDAP string, you can now successfully add the User / Group to the COLLECTIONS configuration page within the WorkSpace Management Console. LDAP://CN=User 1,CN=Users,DC=CENTRIXSELAB,DC=LOCAL
94
12. Release Notes
What‟s new in Centrix Universal
Centrix Universal is a major new version including both fixes and major capabilities enhancements, including:
Scalability and performance improvements to Centrix Universal core architecture.
Windows Local Agent: Centrix Universal Windows Local Agent.
Metering capabilities: enabling greater visibility and control of IT services delivery and the ability to optimize decision on how best deploy new services and reationalize exiting service delivery while also empowering chargeback mechanisms.
Known Issues
• Metering: for a better experience we recommend using Microsoft Internet Explorer version 7 (SP3). • Most issues experienced using Centrix Universal are related to the underlying environments supported or Centrix Universal configuration. Please email [email protected] , or contact Centrix Software for troubleshooting assistance or contact your local partner.
