Meet the user environment management system, Norskale VUEM

Introduction

Among the many tasks the IT service faces in managing an enterprise's information environment, one of the main ones is supporting and maintaining the user environment. First of all, users must be given a working space that is as convenient as possible and at the same time safe, so that they can perform their functions effectively. Many system administrators face this dilemma today.
With the development of high technologies, the requirements for the user work environment are growing, both from the users themselves (access to more local and network resources) and from the IT side (new applications require more computing power).
The advent of the virtualization era has further increased the importance of managing the user environment, because it has moved from physical workstations to data centers (virtual desktops, terminal servers). As a result, a distributed user environment requires more complex configuration and support, which in turn reduces its performance, since standard management tools (group policies, logon scripts, etc.) do not cope with the task in the new environment. This prompts the IT service to look at specialized solutions for this task.
One of these solutions is Norskale VUEM, which will be discussed below.

Feature Overview

Norskale VUEM is a full-featured User Environment Management solution.
The main features include:
  1. Simple architecture even for complex environments;
  2. Easy to deploy and configure. It takes 1 day to deploy a pilot environment;
  3. The ability to replace login scripts (logon-scripts), as well as GPP (Group Policy Preferences) and GPO (Group Policy Objects), which are responsible for setting up the user environment;
  4. Flexibility in assigning resources to users by creating terms and conditions;
  5. Increased workstation performance by optimizing the use of processor and memory resources;
  6. Ability to control the running processes without the need to configure AppLocker or Software Restriction Policy;
  7. Instant logout when closing a session due to Fast Logoff technology;
  8. Citrix User Profile Management support;
  9. The ability to provide users with Self-Service functions without violating the security environment;
  10. The ability to convert legacy workstations into full-featured thin clients using the Transformer.

Next, we consider the features of the VUEM solution architecture, as well as the main stages of its installation and basic configuration.

Architecture

The solution consists of the following components:
  1. Broker. Performs the management function. On the one hand, it interacts with agents, assigning them policies and environment parameters. On the other hand, it is responsible for saving the environment configuration in a dedicated database.
  2. Database. Responsible for storing the configuration of the entire VUEM environment.
  3. Agents. A client component installed on the workstations and servers that the VUEM environment is deployed to manage. The agent's main tasks are to interact with the broker to obtain policy parameters and to apply these parameters to the local system. Agents do not have direct access to the database.
  4. Management console. The main tool for managing the VUEM environment, including configuring agents and user workspace settings.

Schematically, the interaction of the VUEM components can be represented as follows:
In the logical structure of the VUEM environment, the main element is the site, which is nothing more than a logical group of agents connected by common environmental parameters, for example, workstations operating in kiosk mode or terminal servers. In addition to the general environment settings (desktop settings, Start menu, Windows Explorer, etc.), within the site, you can configure access to resources (applications, printers, network drives, etc.) for individual user groups.
Practice shows that the vast majority of VUEM deployment scenarios imply the presence of more than one site. Although the optimal number of VUEM sites should be determined at the design stage of the VUEM architecture, design errors are not critical and do not lead, as a rule, to redoing the entire environment. Sites can be easily added and removed, as well as associating agents with them, after installation.
An example of a relatively simple architecture is presented in the following diagram:

Even in the case of more complex infrastructure with the presence of remote offices with limited bandwidth, the VUEM solution can be designed in an optimal way:

Note:

In “Local Mode”, the broker uses the built-in local cache instead of constantly accessing the database. The database is used only when the necessary data is missing from the cache, which optimizes bandwidth use between the central and remote offices.

Installation and Initial Configuration

Like any software, VUEM components have a number of software and hardware requirements for the environment in which they are deployed. First of all, both the broker and the agents can run on any operating system starting with Windows XP SP3, including server operating systems starting with Windows Server 2003.
Before installing any of the components, make sure that .NET Framework 4.0 is present, and install it first if it is not. The remaining prerequisites (for example, SQL Server Compact Edition, MS Sync Framework) will be installed automatically during the installation process.
As a database, VUEM only supports Microsoft SQL Server (including the Express edition), starting with version 2005.
The process of deploying a VUEM solution can be divided into the following steps:
  1. Installing a database server. Creating and configuring the database itself in advance is not necessary;
  2. Installing the broker;
  3. Creating and configuring a database;
  4. Connecting the broker to the database;
  5. Installing the management console;
  6. Installing agents;
  7. Assigning agents to the relevant sites;
  8. Configuring the necessary elements of sites.

As you can see, each component of the environment is installed separately and independently, and then the necessary connections between them are set up.
The installation process for VUEM components (broker, management console and agents) is as simple as possible: launch the corresponding executable file and follow the installation wizard by clicking the Next button. The only parameter that can be changed during the installation process is the path to the installation folder.
The success of the installation of these components can be checked by the availability of the Norskale Infrastructure Service for the broker and the Norskale Agent Host Service for the agent.
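The prerequisite and service checks described above can be scripted per host. The following is an added example, not code from the original article or from the vendor; it assumes the service names given above are the services' display names, and the `-Role` parameter is a name introduced here for illustration.

```powershell
# Added example, not vendor code. Run in Windows PowerShell on the target host.
param(
    [ValidateSet('Broker', 'Agent')]
    [string]$Role = 'Agent'
)

# Assumption: the names given in the article are the services' display names.
$displayName = @{
    Broker = 'Norskale Infrastructure Service'
    Agent  = 'Norskale Agent Host Service'
}[$Role]

# Prerequisite: the .NET Framework 4 full profile sets Install = 1 under this key.
$netKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$net    = Get-ItemProperty -Path $netKey -ErrorAction SilentlyContinue
$netOk  = ($null -ne $net) -and ($net.Install -eq 1)
$netVer = $null
if ($netOk) { $netVer = $net.Version }

# WMI returns state, start mode and the logon account in one query.
$svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$displayName'"

$report = New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    Role          = $Role
    DotNet4       = $netOk
    DotNetVersion = $netVer
    ServiceFound  = ($null -ne $svc)
    State         = $null
    StartMode     = $null
    RunsAs        = $null
}
if ($svc) {
    $report.State     = $svc.State
    $report.StartMode = $svc.StartMode
    $report.RunsAs    = $svc.StartName   # review: which identity the service uses
}
$report | Format-List

# Non-zero exit lets a deployment job flag hosts where the install did not complete.
if (-not ($netOk -and $svc -and $svc.State -eq 'Running')) { exit 1 }
```

The `RunsAs` field is worth recording at install time so that a later change of the service account stands out in a review.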
The first thing to do after installing the broker is to create and configure a database for the VUEM environment. To do this, you must use the Database Management utility installed during the broker installation.

Next, you need to run the database creation wizard by clicking Create Database.
The first page contains information about the database (server name, name and path to the database itself):

IMPORTANT:
The values of the Data File and Log File parameters are set automatically and point to the default file locations of a SQL Server installation. If the existing SQL server uses other paths, they should be specified here manually. If this is not done, the uninformative error message “Database creation error!” will appear at the end of the wizard.
Moving to the next page of the wizard, you must specify the account with which the database will be created.

The default is the account of the user who launched the configuration wizard. If this user does not have sufficient permissions to create a database, then you must either disable the Use Integrated Connection option and specify the internal SQL server account, or log in to the system under another user.
Next, you need to define the VUEM environment administrators group, as well as the account under which the broker will connect to the database.

Note:
If you do not specify an account for the broker, the wizard will create an internal vuemUser account on the SQL server with the necessary permissions.
On the last page of the wizard, after checking the correctness of the entered data, you need to start the process of creating a database by clicking Create Database.

After receiving confirmation of the successful creation of the database, the installation wizard can be closed, as well as the Database Management utility itself.
In the next step, you need to associate the broker with the database created earlier using the Broker Service Configuration utility (also installed with the broker):


To apply and save the configuration, you must click Save Configuration, which restarts the Norskale Infrastructure Service broker service.
Now the server part of the VUEM environment is ready for further configuration.

Introduction to the management console

As mentioned above, a separate console is used to configure the VUEM environment, which is installed independently.
When you first open the Norskale Administration Console, you must manually connect to the broker by clicking the Connect button.

In the window that opens, specify the name of the broker and the port, click Connect to connect.

Note:
To prevent this window from appearing each time you open the console, you just need to activate the automatic administrative input:

After opening, the console looks like this:

At first glance, the variety of sections with different parameters may scare an inexperienced administrator, creating a false impression that managing the environment is complex. If you look at each section more closely, the purpose of the vast majority of parameters becomes obvious and intuitive. In general, if you have configured the user environment with group policies, then you already know most of the management console.
However, in the following table I will give a brief description of each of the sections:

| Section | Purpose | Comment |
|---|---|---|
| Actions | Local resources that need to be controlled | Very similar to the Group Policy Preferences structure, isn't it? In essence, that is what they are. |
| Filters | Terms and conditions by which resources are provided to users | If the user or his workstation meets the conditions, the resource will be available. |
| Assignments | Assigning resources to users with conditions from the Filters section | Before assigning a resource to a user, the latter must be added to the Configured Users section. |
| Configured Users | Users whose access to resources needs to be controlled | You can specify both individual users and their groups. Prioritization resolves conflicts when assigning resources. |
| System Utilities | CPU \ RAM optimization technologies, as well as white and black lists of processes | |
| Policies and Profiles | The main set of parameters for setting up the user environment. Also includes setting up Citrix User Profile Management and Microsoft User State Virtualization | These parameters are usually configured in group policies. |
| Transformer Settings | Dedicated section to activate and configure the kiosk mode on the workstation, in effect transforming it into a thin client | |
| Advanced Settings | Parameters for configuring agents, as well as for additional tuning of the whole environment | Some of the parameters are mandatory for the normal operation of the environment. |
| Administration | Allows you to delegate authority to manage the environment, as well as view the change log and brief user statistics | |

For better visualization of the dry description of the console, below are examples of some of the environmental settings:



Install and configure agent

As mentioned above, the agent in the VUEM environment can be either a workstation or a server: in general, any computer running the Windows operating system that can host a user's workspace (shared or corporate workstations, terminal servers, etc.). To turn a workstation or server into a VUEM agent, it is enough to install a special software module that does not burden the system with its resource consumption (it uses no more than 20Mb of RAM). It is this module that periodically contacts the broker to monitor and control the parameters of the user's work environment configured in the management console.
As with the broker, installing an agent is simple and involves no parameters other than the path to the installation folder. However, for normal operation the agent needs to know at least the name of the site to which it belongs and the name of the broker. To configure these settings, you can use the supplied administrative template for group policies.

In the course of its work at the workstation, the only thing that indicates the presence of the VUEM agent is the icon in the system notification area on the taskbar:

Also, when updating parameters for a short time, a window appears:

If necessary, both of these elements can be hidden in the management console. You can also configure other agent parameters that change both its appearance and behavior when interacting with a broker:



Agent parameters, like most other parameters in the console, are global to the entire VUEM site and apply to the workstation regardless of the connected user.
Some of the parameters of the agent are closely related to the settings of the user environment, made in other sections of the console. Therefore, in order to determine which of them need to be activated, it is important to understand the purpose of the site itself, or rather, workstations / servers included in its composition.
For example, suppose a site was created to limit access to the desktop and environment settings. Resource allocation (application shortcuts, network drives, etc.) is not required on its workstations. In this case, there is no need to activate the Advanced Settings \ Main Configuration \ Agent Actions section for the agent (see the screenshot above).

Transformer

Transformer is an optional component of VUEM with separate licensing. The main task of this component is to transform the workstation into a “thin client”, thus relieving the IT service of the need to dispose of an outdated fleet of computers.
To use Transformer, no additional software is needed on the workstation, except for the VUEM agent itself. For the configuration of the component, a separate section is allocated in the management console, “Transformer Settings”, which allows not only restricting access to local computer resources, but also specifying additional parameters for environments such as Citrix XenApp / XenDesktop, VMware View and Microsoft RDS.
With the help of Transformer you can implement several variants of "thin clients".
First of all, we are talking about the classic "thin client", on which access to local resources is completely closed. For this client to function properly, you must specify the address of the Citrix Web Interface server to gain access to remote resources.
The pictures below show an example of setting up Transformer for this scenario, as well as the appearance of the workstation as a “thin client”.

In addition to directly activating Transformer, you need to make additional settings to prevent the user from switching to the local desktop.

After completing this minimal configuration, the desktop will look like this:

Another thin client option is a workstation that needs to block free access to external resources, including Citrix, VMware, RDS environments. Moreover, the task is to protect the local resources of the workstation as much as possible by providing for use only those resources that are defined by the administrator.
In this case, in the Transformer settings, you must remove the address of the Web Interface server and activate the application panel, as shown in the picture below:

Thus, instead of entering the Citrix environment web page, the user will be presented with a list of local applications that were previously created and assigned in the VUEM management console.
After these manipulations, the user will receive the following desktop:

Of course, in order to prevent a user from accessing local resources (disks, command line, control panel, etc.) from within applications, it is also necessary to configure other VUEM parameters discussed above.

Conclusion


This article provides an overview of one of the leading UEM solutions in the IT market, Norskale VUEM, including an additional component, Transformer.
Despite the simple architecture, the VUEM functionality is able to meet the needs and expectations of companies of different sizes, from small offices to the enterprise level. Implementing the VUEM solution for managing the user workspace provides a higher level of flexibility and performance of the user environment, and its uniformity across different usage scenarios. This increases users' satisfaction with the convenience of their work, which leads to better adoption of new technologies.


Source: https://habr.com/ru/post/238863/