AppV5Book 02 Native-Deployment-Infrastructure
Falko Gräfe, Ment van der Plas, Nicke Källén and Kalle Saunamäki
All rights reserved. No content of this book may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, without the prior written permission of all authors.
The authors shall assume no liability, either explicit or implied, for this document. Information in
this document, including URL and other references, is subject to change without prior notice.
All sample code and guidelines described in this document are for illustrative purposes only. These
examples have not been thoroughly tested under all conditions. The authors, therefore, cannot
guarantee or imply reliability, serviceability, or functionality of these programs or code examples.
All brand names and product names used in this document are trademarks of their respective
holders and are recognized as such.
This document is for your personal use only. You may not distribute it, either printed
or electronically, to anybody else within or outside your organization.
You also may not use any content of this document for any commercial activities
including trainings, workshops, architectural designs, presentations or alike,
without the written permission of all authors.
Please pay respect to the voluntary community contribution of the authors by following this
“don’t distribute at all” guideline!
Chapter 2
App-V Native Deployment Infrastructure
APP-V REQUIREMENTS
So you’re thinking about installing the Microsoft App-V Native Infrastructure? In
this chapter we’ll walk through the general architecture of such an environment
and discuss the various requirements and dependencies of the infrastructure
components.
INFRASTRUCTURE REQUIREMENTS
When planning your App-V 5.0 Native Infrastructure it’s important to know the
requirements of the infrastructure components. In this chapter we’ve divided them
into:
• General requirements, that need to exist in the environment but are outside the scope of the App-V infrastructure, such as Active Directory and installation accounts.
• Software requirements, which are installed locally on each machine and may depend on a server role.
The first chapter of our book described different server roles that can exist in the
App-V Native Infrastructure. Some roles can be installed from the App-V installer
software. We’ll call these the “official” roles. The installer will check if the technical
and software requirements of those particular server roles are met before installing
the software. Other roles are more or less a conceptual component and are not installable from the App-V installer software. They need to be configured or set up manually. Requirements for these roles also need to be manually checked.
Personal copy, do not distribute. Commercial use prohibited. © 2012, 2013 Authors
General Architecture
The following table shows an overview of the server roles and their availability
from the App-V installer software.
Server Role            Available from App-V installer
Management Server      Yes (official role)
Publishing Server      Yes (official role)
Streaming Server       No (configured manually)
Reporting Server       Yes (official role)
Package Repository     No (configured manually)
Note: Even the official roles are not mandatory in each and every environment.
The Reporting Server for example can be installed as a standalone component in
any given infrastructure.
GENERAL REQUIREMENTS
Before anything else, preparation is the key to success. Whichever architecture you
choose, you should prepare your rollout by setting up the following components:
Requirement: Package Repository
Description: The Package Repository is the authoritative source for all package-related data. It will also act as the source for all replication that occurs to the Streaming Servers. One of the Streaming Servers can be assigned as the authoritative source as well.
Depending on the given infrastructure, the following components need to have access to this location:
• The account that administers the App-V infrastructure and adds applications to the environment
• The service that accesses the packages and extracts metadata information from the package (the Management Server).
The server roles that are not installed by the installer can be installed on any
supported Windows operating system, as they are only dependent on either
Internet Information Server (IIS) for streaming over HTTP(s) or File Shares for
streaming over SMB.
Minimum OS per server role (Management Server, Package Repository, Publishing Server, Streaming Server, Reporting Server): the values of this table were not preserved in this copy.
Minimum SQL for the Management Database and the Reporting Database: Microsoft SQL Server 2008 Standard, Enterprise, Datacenter or Developer Edition (32 or 64-bit).
UNSUPPORTED SCENARIOS
Although the design of an App-V 5.0 environment is very flexible, there are certain
scenarios that are not supported. The following table shows an overview of
these scenarios:
Unsupported Scenario: Domain Controller
Description: None of the official App-V Server components can be installed on a server that holds the Active Directory Domain Controller role.
Unsupported Scenario: Server Core
Description: None of the official App-V Server components can be installed on a server that runs Windows Server Core.
Unsupported Scenario: Database Engine
Description: Microsoft SQL Server Express as the database engine for either of the App-V 5.0 databases is not supported.
Unsupported Scenario: Remote Database Creation
Description: If you want to let the App-V installer software create the management or reporting database for you, you must run the software on the local machine that is also running Microsoft SQL Server. Alternatively you can create the database by running the SQL scripts provided with the setup.
[1] An installation of App-V 5.0 server components side-by-side with a Microsoft App-V 4.5 Lightweight Streaming Server (LWS) is supported, but we don’t recommend it.
HTTP://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/JJ713426.ASPX
INFRASTRUCTURE COMPONENTS
Now that we’ve looked at the general and technical requirements, and discussed
some unsupported scenarios, it’s time to take a detailed look at various server
components and their characteristics.
While the different components are discussed in this chapter, they are also
supported by diagrams positioning them within the entire architecture. These
diagrams are explained in the upcoming sections, and all of them share a common
component: data flow. While designing this environment it’s important to
understand that there are two different types of data in a typical App-V
Infrastructure:
• Management data (or metadata) flows through the environment and includes generic application information (e.g. name, version) and their relationships, authorization and reporting. This data is stored in XML files and is typically small in size. This data is represented with a blue arrow.
• Package data (or binary data) flows primarily to the components that either require it for their service offerings (Streaming Server) or for execution (Client). As this data holds the entire package, it’s typically pretty large. This data is represented with a green arrow.
Unlike earlier versions of App-V, the Management Server does not maintain any reporting features. This
functionality is now offered as a dedicated server role, which does not require
deployment of a Management Server. The license provider functionality, which
was also available in earlier versions, no longer exists.
The installation of the App-V Management Server will create a dedicated IIS
website, for which the name can be specified during the installation setup. By
default it’s called the Microsoft App-V Management Service. The Microsoft
App-V Management Service will be configured to listen on a dedicated port
number, which can be provided during setup (FIGURE 2 APP-V MANAGEMENT
SERVER WEB SERVICE). In the setup process Web Distributed Authoring and
Versioning (WebDAV) is automatically disabled for the Management Service.
Note: You must ensure that the Microsoft App-V Management Service website
name and port are available on the computer and are not in use by another
website. Also make sure that the port is opened in the firewall, if present.
Important!
Unless the Default Web Site is removed from IIS or reconfigured, port 80 is not available for the Microsoft App-V Management Service website.
The App-V Management Server is not directly contacted by the App-V Client. It
communicates solely with the App-V Management Database and the App-V
Publishing Server(s).
The Management Database will be consulted for all administrative actions within
the App-V Management console or PowerShell and will be used to record
necessary changes. The Publishing Server(s) synchronize(s) the configuration from
the Management Server periodically to be able to serve their clients. The
Publishing Server registers with the Management Server before it can start
synchronization.
The only component in the environment that contacts the database is the App-V
Management Server.
The database (incl. stored procedures, views, permissions etc.) can be created by
the App-V server setup when the first App-V Management Server is installed or
by executing SQL scripts that are extracted from the server setup. As remote
database creation by setup is not supported you will most likely go for the SQL
scripts, unless you can actually run the App-V server installer on the SQL server
when the database administrator isn’t watching.
The SQL scripts (there’s a total of 6 scripts) however can’t be executed out of the
box. Customization is required because the scripts reference two distinct Domain
Accounts or Domain Groups (for read and write permission on the database) that
need to match your organizational environment. Customization is also needed if
you want to change the default database name [AppVManagement].
Note: It’s not only the name of the Domain Group but also the SID that should be
configured in the script. For more information on how to determine this, see the
installation sub chapter.
Important!
If the Management Server and the Management Database are being installed to the same system, [ManagementDbWriteAccessAccountName] should be set to "NT AUTHORITY\NETWORK SERVICE" and [ManagementDbWriteAccessAccountSid] should be set to "010100000000000514000000".
The size of the Management Database depends on several variables. As the App-V Management Server extracts the application information from the package and stores it in the database, the calculated size of the database depends on the number of applications, the size of the main configuration file (AppXManifest.XML) and the number of customizations that you will apply to the package. Depending on your environment this may or may not be hard to predict beforehand.
Size of the database (in MB) = Number of packages * Average size of manifest (in MB) * (Number of customizations + 4)
Example:
Given an environment with 250 packages with an average manifest file of 1 MB (which is the one from Microsoft Office 2013, so presumably pretty large) and an average of 2 customizations per package, the size of the Management Database would be: 250 * 1 MB * (2 + 4) = 1500 MB (1.5 GB).
Procedures for backup and restore of the Management Database don’t differ from
any other given database and depend highly on your configuration (e.g. single or
clustered servers). Since the entire environment configuration is stored in the
database, it’s highly recommended that you keep your backup current and
test the restore procedures regularly. In case of a restore of the database, the
Management Server(s) will pick up the configuration without jeopardizing any
data integrity.
The Publishing Server takes pride in being the man-in-the-middle and is therefore
blessed with one of the most crucial roles in the App-V infrastructure. It is positioned
to be both the central delivery service for all App-V Client communication and
the retrieval service for all configuration updates from the Management Server.
Without a Publishing Server no applications would be delivered.
Didn’t we always love the App-V 4.x Management infrastructure for its speed and
snappiness in getting the latest information and configuration down to the client?
Well, we can truly see the influence of the Microsoft System Center team: in the
5.0 Management infrastructure we are confronted with timers and intervals now.
But quite honestly, there is nothing to be really upset about.
This default interval (600 seconds) means that it can take up to 10 minutes before a Publishing
Server is aware of a new or modified application. Depending on the App-V Client
refresh interval it could take even longer before the change is replicated down to
the client. Unlike earlier versions of the App-V Client, version 5.0 no longer
actively checks package status on the server for each subsequent application
launch. This means that any changes (including applying and removing
authorization) will take more time to become known to the client.
Lowering the default interval value results in a higher load on both the
Management Server and the Publishing Server. Increasing the interval results in a longer
delay in the availability of new or updated applications.
Note: We think that the default value of 600 seconds is fast enough for most
production environments. In case of emergency you could also restart the web
service to force an update.
Just like the Management Server, the Publishing Server is based on IIS and the
installation of the Publishing Server will create a dedicated IIS Website. By default
it’s called the [Microsoft App-V Publishing Service] but its name can be
altered during setup.
The Microsoft App-V Publishing Service also requires a dedicated port number to
listen on, which must be provided during setup.
Note: You must ensure that the Microsoft App-V Publishing Service website name
and port are available on the computer and are not in use by another website.
Also make sure that the port is opened in the firewall.
Important!
Unless the Default Web Site is removed from IIS or reconfigured, port 80 is not available for the Microsoft App-V Publishing Service. If you are installing the Publishing Server onto the same machine as the Management Server, the port that is used by the Management Server is also not available.
The Publishing Server has no management console. Instead, during the setup the
Publishing Server is configured to communicate to a dedicated Management
Server through its web service and port.
Example: http://appvmgmt.appv.demo.local:8080
Tip: To check general availability of the Publishing Server and its health you could
browse to http://publishingserver.FQDN:port/ and a formatted list of
applications, GUIDs and network locations should be presented to you.
Unlike the Management Server, the Publishing Server is in direct contact with all
the App-V Clients. Sizing and scaling the server is therefore an important part of
the design process, as the load on this server will increase with the number of
users and devices. It is also dependent on the number of periodic refreshes from
each client. The impact on the network is limited as only the Publishing
Configuration (like the example above) travels to the clients, not the application
binaries…just yet.
The App-V Streaming Server is not a component that we can ‘install’ anymore.
Instead it merely represents a network location, in the form of a file share or an IIS
website, where the virtual application packages are located.
The Streaming Server doesn’t connect to or handle connections from any other
component than the App-V Client, the Package Repository and other Streaming
Servers in the case of replication, depending on how that’s configured.
Setting up an App-V Streaming Server is not hard, but it’s not automated by one of
the installers. First you need to determine the protocol that you want to use. App-V 5.0 supports both HTTP (and HTTPS) and SMB as delivery protocols.
HTTP(S) requires a web server, while for SMB a simple File Server is sufficient.
Compared to SMB 2.x, HTTP is a more efficient network protocol. While the
throughput of data when using HTTP(S) as a protocol is likely to be higher, so is
the impact on the server (from a CPU and memory perspective). Also take the
number of concurrent connections into consideration while planning your protocol
choice. Although this may not be true for SMB 3.x, that does require a
capable operating system on both the clients and the servers. Securing the App-V
data stream (remember we are talking about delivering application binaries here,
not application communication traffic) will always have a negative impact on
performance.
Note: When choosing secure protocols over insecure protocols, think for a second
about what you are actually securing! It’s not the communication traffic of the
application that’s being secured, but the application binaries travelling over the
network. Because using HTTPS instead of HTTP causes significant encryption
overhead on the Publishing Server and decryption overhead on the client while
not protecting very sensitive data, we don’t generally recommend encrypting that
traffic.
Secondly, if you are going to stream with HTTP, you need to set up your website.
This can be a dedicated web server or a server that already hosts other web
services. The Publishing Server would be a good candidate for also hosting the
App-V Streaming Server. Keep in mind that combining roles might have a
negative impact on performance. Creating the App-V Streaming Server is done by
creating a Virtual Directory that points to the (local) location of all the package
content and registering a MIME type for the APPV extension (application/appv). By default this
will cause the App-V Streaming Server to use port 80, but other ports can be
configured in IIS to suit your needs. Don’t forget to open up this port in the
firewall.
Thirdly you need to think of access security. Users and computers that are
authorized for a certain application also need access to the application package.
This may sound logical, but the application authorization is handled at two
different places. The Management console connects the application object to the
security group, so the Publishing Server is able to deliver all the application objects
to the App-V Client. However, the machine or user that is allowed to access the
application objects also requires access to the application object binaries to retrieve
and register the actual application. This is often realized by applying the same
security groups to both the application object in the Management console as well
as the actual NTFS permissions on the application binaries on the network source.
Lastly you need to think of replication. Unless your environment is relatively small
or you are bound to one geographical location, it’s very likely that you will have
multiple App-V Streaming Servers in your environment. Keeping those servers in
sync is very important because the unavailability of an application on one server
may cause application launch failures on connected clients. The App-V Streaming
Server does not handle replication for you. However Microsoft has some pretty
good solutions for you, Distributed File System Replication (DFSR) being one of
them. DFSR uses a compression algorithm called Remote Differential Compression
(RDC) which optimizes replication. Alternatively, good-old Robocopy may save
the day as well.
Tip: Make sure that you align your application authorization process with your
replication model, to ensure you don’t authorize an application object that
hasn’t been fully replicated.
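The second and third steps of the procedure above (create the virtual directory with the APPV MIME type, open the port, and give the authorized group read access on the package content) can be scripted. The following PowerShell is an added example for this edition, not a script from the book's authors or from Microsoft; the content path D:\AppVContent, the virtual directory name AppVContent, the hosting site 'Default Web Site' and the group CONTOSO\AppV-Users are assumed placeholders, and the firewall cmdlets assume Windows Server 2012 or later.

```powershell
# Added example (not from the book): set up an HTTP App-V Streaming Server on IIS.
# Assumed placeholders: D:\AppVContent, AppVContent, 'Default Web Site', CONTOSO\AppV-Users.
Import-Module WebAdministration

$ContentPath = 'D:\AppVContent'        # local folder holding the .appv packages (assumed)
$SiteName    = 'Default Web Site'      # IIS site that will host the streaming directory (assumed)
$VDirName    = 'AppVContent'           # virtual directory name -> http://server/AppVContent (assumed)
$AppVGroup   = 'CONTOSO\AppV-Users'    # same AD group that is authorized in the Management console (assumed)
$Port        = 80                      # the book's default; change it if the site is bound elsewhere

# Step 2a: virtual directory pointing at the package content (skipped if it already exists).
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name $VDirName)) {
    New-WebVirtualDirectory -Site $SiteName -Name $VDirName -PhysicalPath $ContentPath | Out-Null
}

# Step 2b: register the MIME type for the .appv extension so IIS will serve the package files.
$mimeFilter = "system.webServer/staticContent/mimeMap[@fileExtension='.appv']"
if (-not (Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter $mimeFilter)) {
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = '.appv'; mimeType = 'application/appv' }
}

# Step 2c: allow the streaming port through Windows Firewall (inbound, TCP).
if (-not (Get-NetFirewallRule -DisplayName 'App-V Streaming (HTTP)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'App-V Streaming (HTTP)' -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
}

# Step 3: NTFS read access for the authorized group only. Clients never need write access.
# (OI)(CI) = inherit to files and sub-folders; RX = read and execute; /T applies to existing content.
icacls $ContentPath /grant "${AppVGroup}:(OI)(CI)RX" /T | Out-Null

# Verification: show the MIME mapping IIS will use and the resulting ACL on the content folder.
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $mimeFilter -Name mimeType
icacls $ContentPath
```

Each step checks before it changes anything, so the script can be re-run on a server after replication has added content. Granting the same group RX here that you assign to the application object in the Management console is exactly the two-place authorization the text describes; the verification lines at the end are what to compare when a client can see an application but fails to stream it. Keep in mind that plain HTTP leaves the package binaries without integrity protection in transit, so the performance argument against HTTPS above is worth weighing against the networks the stream actually crosses.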
The last installable server role is actually a new one, the App-V Reporting Server.
It sits between the App-V Clients and a database - the App-V Reporting Database.
The App-V Reporting Server receives reporting data from the App-V Clients and
writes it to the database.
Just like the other App-V server roles it’s based on IIS, so it also requires a Web
Service name and a dedicated port. The default name is [Microsoft App-V
Reporting Service] but this can be changed during setup.
Note: You must ensure that the Microsoft App-V Reporting Service website name
and port are available on the computer and are not in use by another website. Also
make sure that the port is opened in the firewall, if present.
Important!
Unless the Default Web Site is removed from IIS or reconfigured, port 80 is not available for the [Microsoft App-V Reporting Service]. If you are installing the Reporting Server onto the same machine as the Management Server and/or the Publishing Server, the ports that are used by these servers are also not available.
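The Management, Publishing and Reporting sections all carry the same pre-installation note: the website name and port must be free in IIS, nothing else may listen on the port, and the firewall must allow it. The following PowerShell function is an added example for this edition (not the authors' or Microsoft's code) that performs those four checks for one role before you run setup; the port numbers in the usage lines are assumed, and Get-NetTCPConnection and the NetSecurity cmdlets assume Windows Server 2012 or later.

```powershell
# Added example (not from the book): verify an App-V web service name and port are free before setup.
Import-Module WebAdministration

function Test-AppVWebServicePrereqs {
    param(
        [Parameter(Mandatory)][string]$SiteName,   # e.g. 'Microsoft App-V Publishing Service'
        [Parameter(Mandatory)][int]$Port           # port you intend to give to setup
    )
    $problems = @()

    # 1. The website name must not already exist in IIS.
    if (Get-Website | Where-Object { $_.Name -eq $SiteName }) {
        $problems += "IIS already has a website named '$SiteName'."
    }

    # 2. No IIS site may already bind the port. The Default Web Site binds '*:80:', which is
    #    why port 80 is unavailable unless that site is removed or rebound.
    foreach ($site in Get-Website) {
        foreach ($binding in $site.bindings.Collection) {
            # bindingInformation has the form IP:port:hostheader, e.g. '*:80:'
            if ($binding.bindingInformation -match ':(\d+):[^:]*$' -and [int]$Matches[1] -eq $Port) {
                $problems += "TCP port $Port is already bound by IIS site '$($site.Name)' ($($binding.bindingInformation))."
            }
        }
    }

    # 3. Nothing outside IIS may already be listening on the port either.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $problems += "TCP port $Port already has a listener (PID $($l.OwningProcess))."
    }

    # 4. An enabled inbound allow rule must exist, or clients (and the Publishing Server, for the
    #    Management Service) will not be able to reach the site.
    $allowRules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    if (-not $allowRules) {
        $problems += "No enabled inbound firewall rule allows TCP port $Port; add one before clients connect."
    }

    if ($problems.Count -eq 0) { "OK: '$SiteName' on port $Port can be used." } else { $problems }
}

# Run once per role you are about to install on this machine. Site names are the setup defaults
# from the book; the port numbers are assumed for this example.
Test-AppVWebServicePrereqs -SiteName 'Microsoft App-V Management Service' -Port 8080
Test-AppVWebServicePrereqs -SiteName 'Microsoft App-V Publishing Service' -Port 8081
Test-AppVWebServicePrereqs -SiteName 'Microsoft App-V Reporting Service'  -Port 8082
```

Running the three calls on a box that will host all three roles also catches the second half of the Important! notes: once the Management Service is installed on 8080, the same check for the Publishing Service on 8080 reports the conflict instead of letting setup fail half way through.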
The App-V Reporting Server has no management console nor does it connect to
other servers or services except for the Reporting Database. In fact, the availability
of other infrastructure components other than the database is not even required.
This means that in standalone or 3rd party deployment scenarios the Reporting
Server can function just the same.
Strangely enough, the App-V Reporting Server can’t generate any reports
itself. It merely acts as a central reporting point for all clients, coordinating the data
throughput to the database. Reports can however be created by means of SQL
Reporting Services, by 3rd party database analysis tools, or just with Excel.
The App-V Reporting Server stores all acquired reporting data into the App-V
Reporting Database. This includes relevant information about application usage,
reporting clients and packages. The only component in the environment that
contacts the database is the App-V Reporting Server. The number of concurrent
connections to the database and the amount of data flowing to the Reporting
Server will determine the load on the server. As the number of concurrent
connections is low because of asynchronous behavior it’s not very likely that it will
put the server under serious stress.
The database (incl. stored procedures, views, permissions etc.) can be created by
the App-V server setup when the first App-V Reporting Server is installed or by
executing SQL scripts that can be extracted from the server setup. Just like with the
Management Database, remote database creation of the Reporting Database is not
offered by the setup.
There are several SQL scripts for the Reporting Database and just like with the
Management Database they can’t be executed out of the box. Customization is
required because the scripts reference two distinct Domain Accounts or Domain
Groups (for read and write permission on the database) that need to match your
organizational environment. Customization is also needed if you want to change
the default database name [AppVReporting].
Note: It’s not only the name of the Domain Group but also the SID that has to be
configured in the script. For more information on how to determine this, see our
installation section later in this chapter.
Important!
If the Management Server and the Management Database are being installed to the same system, [ReportingDbWriteAccessAccountName] should be set to "NT AUTHORITY\NETWORK SERVICE" and [ReportingDbWriteAccessAccountSid] should be set to "010100000000000514000000".
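Both the Management Database and the Reporting Database scripts need the write-access account's SID in the binary hex form shown above (the value 010100000000000514000000 is NT AUTHORITY\NETWORK SERVICE, S-1-5-20, in that layout). Rather than transcribing it by hand, you can let Windows produce it for any account or domain group, and translate a hex value found in an existing script back to an account to confirm it is the right one. The following PowerShell is an added example for this edition, not the authors' or Microsoft's code; CONTOSO\AppV-Admins is an assumed placeholder group, and resolving a domain group requires a machine joined to that domain.

```powershell
# Added example (not from the book): derive the account SID values the App-V SQL scripts expect.

function Get-AppVScriptSid {
    param([Parameter(Mandatory)][string]$AccountName)   # 'NT AUTHORITY\NETWORK SERVICE' or 'DOMAIN\Group'
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    # GetBinaryForm writes the SID in its on-the-wire layout: revision (1 byte), sub-authority
    # count (1 byte), 6-byte identifier authority, then each 32-bit sub-authority little-endian.
    # For S-1-5-20 that is 01 01 000000000005 14000000, the string the book quotes.
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    [pscustomobject]@{
        AccountName = $AccountName
        SddlSid     = $sid.Value                                   # e.g. S-1-5-20
        ScriptSid   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    }
}

# Inverse check: given a hex string from an existing script, which account does it name?
function Resolve-AppVScriptSid {
    param([Parameter(Mandatory)][string]$HexSid)
    if ($HexSid.Length % 2 -ne 0) { throw "Hex SID must have an even number of characters." }
    $bytes = [byte[]]@(for ($i = 0; $i -lt $HexSid.Length; $i += 2) {
        [Convert]::ToByte($HexSid.Substring($i, 2), 16)
    })
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    [pscustomobject]@{
        SddlSid     = $sid.Value
        AccountName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
}

# Local case: ScriptSid comes out as 010100000000000514000000, matching the book's value.
Get-AppVScriptSid 'NT AUTHORITY\NETWORK SERVICE'

# Domain group case (placeholder name): yields the group's S-1-5-21-...-RID and its hex form for the script.
Get-AppVScriptSid 'CONTOSO\AppV-Admins'

# Verify what a value already in a script actually refers to before running it.
Resolve-AppVScriptSid '010100000000000514000000'
```

Use the first function for both the read-access and write-access accounts of each database, and the second one when reviewing a script someone else customized: a name and a SID that do not resolve to the same principal is the mismatch the Note above warns about, and it is far easier to catch here than as a failed login after the database exists.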
DESIGN CONSIDERATIONS
We’ve discussed the infrastructure components, their functionality, service and
high-level configuration in the previous section. What we haven’t discussed yet is
how you design these components for your environment and organization.
Although the requirements for an individual company may differ the general
considerations are usually very similar. This section will discuss most of them,
including physical and functional placement of infrastructure components, the
impact of service disruption of these components, disaster recovery scenarios and
security.
Subsequent application use refers to a situation where the package has been
published and used on the client before.
The impact of a failing subsequent launch however is high, because users already
have visible access to published packages or may even have started them
previously. A failing application launch is a major issue in most organizations,
especially when several or all applications are affected. From an App-V client
perspective, a previously published package can have the following major load
states:
• Not available - The package is not available on the client, nor are the client and user aware that there is authorized access to an application; it’s simply not registered. Needless to say, the application can’t be started at this point.
• Registered - The package has been added to the client, but it has not been registered to the user or the operating system. The App-V Management Server will skip this stage when an application is new to a user or client and publishes it straightaway, but when application authorization is revoked, it will only revert the publishing part of the registration and will not remove the package from the client. Hence the package ends up in this state.
• Published - The package has been registered to the client and has also been published. Shortcuts and file type associations are visible to the user, entry points are registered to the OS and, if applicable, dynamic configuration files have been applied. The application hasn’t been started at this point, but the user is able to do so.
• Launch components loaded - If the package has been optimized for network traffic (e.g. feature block definition) and the user starts the application, the client downloads just enough components to start the application and a user can perform basic/common tasks with these components. Depending on the Autoload setup (configured to always download to 100% by default) the App-V client will continue downloading the remaining bits in one stream or will stop and send additional bits per request.
• Fully loaded - The package is downloaded and extracted entirely onto the client machine. In this scenario the application can also be used offline, assuming the application itself doesn’t require network access.
The following diagram shows the flow of the Package Load State:
enormous amount of disk space. This is typically beneficial for hosted desktop
implementations like Virtual Desktop Infrastructures (VDI) and Server Based
Computing (SBC) scenarios. Instead of downloading and caching the application
binaries on the client, it serves each and every streaming request (including recurring
ones) straight from the server.
Note: These states will be discussed in more detail in the Client chapter of this
book. The above descriptions are therefore simplified.[2]
As you can imagine, reaching one of the states directly impacts the usability of
applications in the case of a network outage situation. If an application was not
loaded previously or can’t be loaded on request, the application can’t be launched,
but users are able to try. Between this state and the fully loaded state the
application can be launched and it can be used as well. However calling a certain
feature may cause the application to fail, if the corresponding component hasn’t
already been downloaded. A fully loaded package can be considered to be ‘ready
for offline use’. A Shared Content Store on the other hand always requires a (fast
and available) network connection to the Streaming Server and applications
simply won’t work without a connection.
For a risk analysis, the targeted load state is an important factor for the calculation:
While the probability of an outage of the Streaming Server component is the same
for all scenarios, the impact on a VDI implementation with a Shared Content Store
is extremely high compared to a Fat Client or Remote Desktop Session Host with
fully preloaded packages.
[2] There might also be in-between states, like a load state somewhere between FB1 and the fully loaded state. A Shared Content Store model also allows downloading some portions of the package (like FB1) onto the client and only accessing less frequently used components on the central store.
Whatever scenario you choose, you should incorporate failover capabilities right
from the beginning. Most failover technologies used here can be leveraged to scale
the environment in the case of increased requirements (more apps or users). In the
upcoming sections, first HA and scalability options for individual components are
discussed. After that, some scenarios will be described that we expect to be most
frequently used.
ACTIVE DIRECTORY
[3] This is true for a Native Infrastructure, which is what we are talking about here. Other models, namely a stand-alone deployment, may not need an AD.
Focusing on App-V (Server) components alone one could identify six scenarios in
which the App-V service is disrupted, that are described below.
Note: Some server components are optional and may not exist in your
environment. Disruption of multiple components should be treated as a
concatenation of each individual scenario.
The scenarios above will be discussed in detail below. We assume that only one
entity of a component exists in the environment and that if that component fails
there are no backup components available, unless stated otherwise.
The first scenario is our reference scenario. In this scenario all components are
fully operational. Applications, including their relationships, can be added or
modified in the environment and users are able to retrieve new or updated
applications and have the ability to start them, even if they haven’t been started
before. Reporting information flows upstream to the management environment
and everybody is happy.
This first failure scenario assumes disruption of the Management Database, a fairly
critical component but not as critical as you may think. When the Management
Database is down the Management Server is no longer able to retrieve and save
changes to the management environment. This means that you can no longer
log on to the Management Server web console and it’s not possible to add, update
or delete applications and Connection Groups. The Publishing Server, which
contacts the Management Server on a regular basis, will no longer receive any
updates, but will, however, continue to serve the clients’ existing applications and
Connection Groups based on the information received during the last refresh.
Your users will hardly notice this disruption as they’re able to start and run their
applications as normal. They can even receive access to new applications if these
applications were created prior to the service disruption.
The Publishing Server is probably one of the most critical components in the
infrastructure as it is the primary point of contact for the App-V Client to receive
authorized application records. If the Publishing Server is unavailable the user will
not receive any application updates; however, previously acquired and registered
applications can still be used. The user does not receive an error or prompt when the
client is unable to perform a publishing refresh. The most important aspect of a failing
Publishing Server might be the fact that a configuration change of an application
authorization is not propagated down to the client. This would either prevent a
user from using an application or wrongly allow him to continue using it.
When the Streaming Server fails the impact depends on the actual endpoint device
type and configuration, especially on the configuration of Autoload and Shared
Content Store. A traditional device like a desktop or laptop with a default App-V
Client installation would be configured to automatically load used applications in
the background (Autoload). This means that any application that the user has
started is stored completely in cache (100%) and can be used offline. This also
means that these applications continue to run if the Streaming Server is not
operational. Consequently applications that haven’t been started previously can’t
be used in such an event.
Autoload can also be configured not to load applications in the background. This
would leave the application deployment in a state where only the bits that are
required to actually run the application are loaded. Other bits are left on the server
and are requested on demand. This configuration is typically used to prevent
excessive or unnecessary network traffic (for example in always connected or low
bandwidth scenarios) but it’s not a proper configuration for offline usage. Hence if
the client was configured this way, a failing Streaming Server would impact the
application usage heavily. The user would be able to start and run applications
(that were previously started) up to the point where the application required a
feature that had not been loaded yet. The resulting streaming request would remain
unanswered and the application would typically crash.
The third and last configuration state of Autoload is to load all applications. This
could be considered the ultimate offline scenario where all applications, regardless
of the user actually having run them, will be loaded into cache, making them
available offline. This would of course have more impact on storage. However if
the client was setup with this configuration state it would mean that the
applications are able to start even when the Publishing Server is not operational.
Note: Needless to say, the ability to run an application while being offline depends
also on the architecture of the application. Typically client-server applications
don’t support such a scenario in the first place.
4 Even in SCS mode, administrators can load/mount applications into the local cache, allowing
mixed-mode operations.
better. The side effect of this configuration is that while the size requirements for
storage go down, the requirements for network and connecting services go up,
both for bandwidth and availability. As you can imagine an App-V Client in SCS
mode without a Streaming Server is useless.
DISRUPTION MATRIX
The following table shows an overview of all the service disruption scenarios and
their impact on each relevant service, structured by impact on Administration and
User Experience:
[Table: Disruption matrix. Columns: Service Baseline Availability, MGMT DB, MGMT SRV, PUB SRV, STR SRV, REP DB, REP SRV.
Administration rows: Add new application(s); Update existing application(s); Delete application(s); Create new Connection Group(s); Update existing Connection Group(s); Delete Connection Group(s); Receive reporting information.
User Experience rows: see footnote 5. The per-cell impact marks are not preserved in this copy.]
5 Ability depends on Autoload configuration: by default it is set to fully load applications after first
launch; therefore packages will be available without network connectivity later on.
HIGH AVAILABILITY
While reading through the service disruption impact in the previous section you
might have created a mental picture of which components are good candidates for
a high availability (HA) scenario. There are two distinct components that can be
configured for increased availability:
DATABASES
Microsoft App-V databases are only supported on Microsoft SQL Server, which
means that high availability scenarios also depend on the supported functionality
offered by SQL Server. The App-V infrastructure supports SQL high availability
based on Windows Server Failover Clustering (WSFC) or SQL Mirroring 6.
Log shipping (which allows you to send the SQL transaction log from a primary
database to one or more secondary databases) is not supported.
SERVER COMPONENTS
The setup installation wizard of the server components has no built-in ability to
configure the environment for a high availability scenario. Sure you can run the
setup on multiple servers and install the individual services across different
machines, but these identical services are created in isolation and unaware of each
other. For example, if you set up a Management Server on two different servers, this
doesn’t automatically mean they are load balanced.
So creating a highly available implementation of the server components means that
we need to perform additional steps after setup.
LOAD BALANCER
As all of the App-V Server components are web server services, one way to
achieve high availability in the web server services of App-V is by adding a Load
Balancer to the environment, either as a software load balancer through Windows
Network Load Balancing (NLB) or a hardware or virtual load balancer from
vendors like Cisco, F5, Barracuda, Riverbed, Kemp and Citrix.
A load balancer intelligently distributes network traffic from client devices over
multiple servers. In this way, it enhances the following service quality attributes:
Availability (unavailable servers are detected and removed from the pool)
First of all, the load balancer will make all servers that are in scope, available
through a single Virtual IP-address (VIP) or Virtual Cluster; a one stop shop.
Additionally it will listen on designated ports and manage all connections and
traffic that pass through it. The client needs to be set up to “talk” to the VIP on the
configured port, and as the man in the middle the load balancer will handle the
request from the client to the server(s).
Note: You may consider distributing load to a server’s specific TCP port only (and
not to entire machines based on IP addresses), but that is not required and may
result in more complex load balancing rules.
Secondly, a load balancer uses probing to determine the health of a server that is
part of its scope. The simplest way is to ping the server, usually several times per
minute. More advanced probing would not only check the availability of the server,
but also check the service running on it. In the case of App-V this would be a
probe that checks the HTTP response of the IIS Web Service that is running on the
server.
Note: Keep in mind to check the correct ports that were defined during setup.
The default port 80 might be in use by the Default Web Site and not the actual
App-V Web Service.
Depending on the probe interval and the retry attempts of the load balancer, a
server or service that is not responding correctly is removed from the scope. For
example if the probe interval is set to 15 seconds and the retry attempt is set to 3, it
would take 45 seconds before the load balancer determines a service failure.
During this period the user would experience a “freeze” of the application or an
interrupted stream, depending on the client configuration. The application doesn’t
crash, and after the server is removed from the pool the application or stream
continues as expected, but from another server.
The same rules apply when the server or service is restored. The interval is likely
to be higher because you want the server or service to stabilize before the load
balancer adds the server back into the pool. It’s very common for services to
chatter during startup. For example if the interval is set to 60 seconds and the retry
attempt is set to 3, it would take 3 minutes before a server is added back to the
pool. Users don’t experience this because only subsequent sessions or requests will
be divided across the entire scope of servers.
Note: Be sure to mimic these scenarios and check out the user experience for each
and every one of them to determine if it’s sufficient and as expected.
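To rehearse the remove and re-add timings described above before a real outage, the following PowerShell probe (an added example, not code from the book or from Microsoft) mimics a load balancer's health check against the actual App-V IIS site on its configured port. Server names, port 8080, the intervals and retry counts are constructed placeholders.

```powershell
# Added example: a probe that behaves like a load balancer health check for App-V
# IIS services. Server names, port and thresholds are constructed placeholders.
function Test-AppvServiceProbe {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [int] $TimeoutSec = 5
    )
    try {
        # Probe the App-V site on the port chosen during setup, not just port 80,
        # otherwise the Default Web Site may answer for a dead App-V service
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        return ($response.StatusCode -eq 200)
    } catch {
        return $false
    }
}

function Watch-AppvPool {
    param(
        [string[]] $Urls,
        [int] $IntervalSec    = 15,  # probe interval
        [int] $FailRetries    = 3,   # consecutive failures before removal (15 s x 3 = 45 s)
        [int] $RecoverRetries = 3,   # consecutive successes before re-adding
        [int] $Cycles         = 20
    )
    $state = @{}
    foreach ($u in $Urls) {
        $state[$u] = [pscustomobject]@{ InPool = $true; Fails = 0; Successes = 0 }
    }
    for ($i = 0; $i -lt $Cycles; $i++) {
        foreach ($u in $Urls) {
            $s = $state[$u]
            if (Test-AppvServiceProbe -Url $u) {
                $s.Fails = 0
                $s.Successes++
                if (-not $s.InPool -and $s.Successes -ge $RecoverRetries) {
                    $s.InPool = $true
                    Write-Host "$(Get-Date -Format s) $u re-added to pool"
                }
            } else {
                $s.Successes = 0
                $s.Fails++
                if ($s.InPool -and $s.Fails -ge $FailRetries) {
                    $s.InPool = $false
                    Write-Host "$(Get-Date -Format s) $u REMOVED from pool after $($s.Fails) failed probes"
                }
            }
        }
        Start-Sleep -Seconds $IntervalSec
    }
    return $state
}

# Constructed example: two Publishing Server nodes on a non-default port
Watch-AppvPool -Urls @('http://pub01.corp.example:8080/', 'http://pub02.corp.example:8080/') -Cycles 4
```

A real load balancer usually uses a longer interval for re-adding a node than for removing it; raise IntervalSec or RecoverRetries to model that.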
PUBLISHING SERVER
The Publishing Server is queried by App-V Clients regularly, usually during log-on,
but potentially also during daily operations.
In case of a failing Publishing Server, users could still launch virtual applications,
but they would not be able to get new applications and information about
application updates or retirements.
The App-V Publishing Server is one of the client facing components in an App-V
native infrastructure that should ideally be made highly available. For some
scenarios it might be acceptable that publishing information isn’t updated for a
couple of hours to days, but most implementations do not allow this. It is also
recommended to plan for scaling-out the Publishing Server service from the
beginning, especially in scenarios where some thousands of users may connect to
the environment during peak-hours.
MANAGEMENT SERVER
The Management Server is queried by the Publishing Servers every few minutes
(default: 10) for a list of packages, Connection Groups and their corresponding AD
group assignments. Publishing Servers cache this information and are therefore
able to operate even when the Management Server service fails, even when the
Publishing Server is rebooted. The Management Server machine also hosts the
Management console (Silverlight based GUI) and the PowerShell cmdlets required
for administrative tasks.
The Management Server is an IIS web application, just like the Publishing Server.
It can be configured for high availability following the same design guidelines as
the Publishing Server.
STREAMING SERVER
As described before, the availability requirements for the Streaming Server may
vary depending on the actual implementation and configuration. In a scenario
where packages are fully loaded into the client’s cache and only a few changes or
updates are applied, the availability and performance of the Streaming service
doesn’t need to be that high. If, on the other hand, Shared Content Mode is
implemented, access to package files must be guaranteed for the entire operation
and the service has to provide very high performance as well. Based on the
technology you have chosen for package delivery, achieving HA and scalability is
different as well.
Because it is just a file server, you can rely on a set of proven methods to meet
availability and scalability requirements in an App-V deployment as well. The most
common approaches are:
File Server Cluster: Using Microsoft Cluster Services is perhaps the best-
known technology for implementing failover capabilities for file services.
Third-party solutions (like storage systems) also offer cluster-like features.
Implementing a File Server Cluster is usually considered to be a proven and
well-known technology.
Distributed File System (DFS) is a newer model, particularly for high availability
scenarios, introducing the concept of DFS namespaces (DFS-N) that can
actually span several individual file servers (or even file server clusters).
While DFS is presumably Microsoft’s preferred method, organizations often
find it difficult to implement DFS correctly. As an extra you could also benefit
from the replication services that are offered by DFS replication (DFS-R) for
keeping multiple Streaming Servers synchronized.
As for some of the services we’ve already discussed: this section is not intended to
explain the configuration of File Server clustering or DFS – please refer to your
trusted advisor when you need help here.
There is not much to say about how to configure a scalable and reliable web server
infrastructure beyond the information that was provided above. Compared to the
IIS web applications like the App-V Management Server or the App-V Publishing
Server, web based streaming is even simpler, because it is not a .NET application,
but just a core feature of IIS.
Content Replication
No matter what technology is used for deploying the package files or how
requests are routed to the server, all nodes that provide the Streaming service
feature usually need to hold the same package files and XML files, and they have
Microsoft’s Distributed File System Services Replication (DFS-R), available for free
on each Windows based fileserver, is one solution to accomplish that task. The
advantage of DFS-R is that you’d set it up once, and then it just replicates all the
files automatically. Fire and Forget. (You never did hear about a broken DFS
replication, did you? 😉)
Another frequently used method that has proven its reliability in real-life scenarios
is simply Robocopy. Microsoft made it part of every operating system a while
back, so it is available on every App-V server. You can run Robocopy
regularly using Windows Task Scheduler, or you can force a replication as often as
you need it. Note that Robocopy is flexible enough to retry failed attempts – and
remember that it can even delete files, so validate its settings carefully.
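As an added example (not from the book), the following PowerShell wrapper replicates the package repository to a Streaming Server share with Robocopy, runs a list-only pass first so that deletions caused by /MIR can be reviewed, and decodes the Robocopy exit code bit mask. The share paths are constructed placeholders.

```powershell
# Added example: Robocopy replication of the App-V package repository with a dry run
# and exit code interpretation. Source and destination shares are placeholders.
function Invoke-PackageReplication {
    param(
        [Parameter(Mandatory)] [string] $Source,       # e.g. \\fs01\AppVContent
        [Parameter(Mandatory)] [string] $Destination,  # e.g. \\str01\AppVContent
        [string] $LogPath = "$env:TEMP\appv-replication.log",
        [switch] $DryRun
    )
    # /MIR mirrors the tree and DELETES files in the destination that no longer exist
    # in the source; /R and /W control retries on locked or unreachable files;
    # /FFT tolerates 2-second timestamp granularity on non-NTFS targets; /Z resumes
    # interrupted copies of large package files
    $rcArgs = @($Source, $Destination, '/MIR', '/R:3', '/W:10', '/FFT', '/Z', '/NP', "/LOG+:$LogPath")
    if ($DryRun) { $rcArgs += '/L' }   # list only: reports what would change, copies and deletes nothing
    & robocopy.exe @rcArgs | Out-Null
    $code = $LASTEXITCODE
    # Robocopy exit code is a bit mask: 1 files copied, 2 extra files in destination,
    # 4 mismatches, 8 some files failed, 16 fatal error. Anything below 8 is success.
    [pscustomobject]@{
        ExitCode  = $code
        Copied    = [bool]($code -band 1)
        Extras    = [bool]($code -band 2)   # with /MIR these would be deleted
        Failed    = [bool]($code -band 8) -or [bool]($code -band 16)
        Succeeded = ($code -lt 8)
        LogPath   = $LogPath
    }
}

$src = '\\fs01.corp.example\AppVContent'
$dst = '\\str01.corp.example\AppVContent'
# Dry run first: if it reports extras, /MIR would delete files on the Streaming Server
$preview = Invoke-PackageReplication -Source $src -Destination $dst -DryRun
if ($preview.Extras) {
    Write-Warning "Dry run shows files that /MIR would delete from $dst; review $($preview.LogPath) first"
} else {
    $result = Invoke-PackageReplication -Source $src -Destination $dst
    if (-not $result.Succeeded) { Write-Error "Replication failed with Robocopy exit code $($result.ExitCode)" }
}
```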
REPORTING SERVER
For the App-V Reporting Service the requirements for HA and scalability are usually
quite low, because deploying App-V applications works without reporting at
all. If configured, App-V clients periodically try to upload usage information to
that server – and if it fails, they just try again. Load on the Reporting Server can
be indirectly controlled by the client’s upload interval as well. Because the App-V
Reporting Server doesn’t do any more than receive XML data and transfer it into
a SQL database, not much computing power is required.
If required, it can be designed for HA & scalability exactly as any other IIS based
web service.
BRANCHCACHE
In both scenarios the actual cache is passive and read-only, meaning that content is
only retrieved when a client requests it and writes are always done directly to the
source.
Although not specifically designed for this scenario, one could leverage BranchCache
as a high availability solution for the App-V streaming data because the App-V
Client supports the same protocols. Even though the cache is volatile and will only
build up when clients start making requests, it will provide a form of high
availability, albeit without any form of management. At remote locations it will
also provide increased delivery performance and a better user experience, as well as
reduce the dependency on high-latency or unstable network connections.
CLIENT CONFIGURATION
The App-V Client has three configuration items where it is set up to connect to App-
V related server components: the Publishing Server, the Reporting Server and the
Package Source Root (the latter one being the Streaming Server source).
If the Publishing Server is part of your environment (and judging by the fact that
you are reading this chapter we assume you are at least thinking about it) you can
configure on the App-V Client the location (URL), the frequency and the
trigger of the Publishing Refresh. From a HA perspective the App-V Client allows
you to configure multiple Publishing Servers on a single client, each represented
by a unique ID. This could be because you want to distinguish the User Publishing
Refresh from the Global Publishing Refresh or because you are implementing a
failover / backup solution.
multiple Publishing Servers acting as each other’s backup, without going through
the hassle of implementing load balancers or other network components.
Now the Reporting Server is another story. The App-V Client can only be
configured with one Reporting Server. However since unavailability of the
Reporting Server only means that the client will keep the data locally until the
server is restored, a HA configuration seems a little overrated here.
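The following PowerShell script is an added example (not from the book) that puts the client-side settings from this section and from the Autoload discussion under Streaming Server disruption together: two Publishing Servers with their own ServerIds acting as each other's backup, the Autoload state that decides what survives a Streaming Server outage, the Package Source Root and the single Reporting Server. It uses Microsoft's App-V 5 client cmdlets; the host names, ports and share path are constructed placeholders, and it must run as a local administrator.

```powershell
# Added example: configure an App-V 5 Client for Publishing Server failover,
# Autoload and streaming source. Host names and URLs are constructed placeholders.
Import-Module AppvClient

function Set-AppvClientFailoverConfig {
    param(
        [Parameter(Mandatory)] [string] $PrimaryPublishingUrl,
        [Parameter(Mandatory)] [string] $BackupPublishingUrl,
        [Parameter(Mandatory)] [string] $PackageSourceRoot,
        [string] $ReportingServerUrl,
        # 0 = do not autoload, 1 = autoload previously used packages (default),
        # 2 = autoload all published packages (the "ultimate offline" state)
        [ValidateSet(0, 1, 2)] [int] $AutoLoad = 1
    )
    # Each Publishing Server gets its own ServerId; both refresh globally at logon and daily
    $primary = Add-AppvPublishingServer -Name 'Primary' -URL $PrimaryPublishingUrl `
        -GlobalRefreshEnabled $true -GlobalRefreshOnLogon $true `
        -GlobalRefreshInterval 1 -GlobalRefreshIntervalUnit Day
    $backup = Add-AppvPublishingServer -Name 'Backup' -URL $BackupPublishingUrl `
        -GlobalRefreshEnabled $true -GlobalRefreshOnLogon $true `
        -GlobalRefreshInterval 1 -GlobalRefreshIntervalUnit Day

    # Autoload decides which packages are usable when the Streaming Server is down;
    # PackageSourceRoot redirects streaming requests to the (load balanced) address
    Set-AppvClientConfiguration -AutoLoad $AutoLoad -PackageSourceRoot $PackageSourceRoot
    if ($ReportingServerUrl) {
        # Only one Reporting Server can be configured; the client queues data while it is down
        Set-AppvClientConfiguration -ReportingEnabled $true -ReportingServerURL $ReportingServerUrl
    }
    # Trigger a global refresh against each server so the client is populated right away
    foreach ($srv in @($primary, $backup)) {
        Sync-AppvPublishingServer -ServerId $srv.ServerId -Global
    }
    Get-AppvPublishingServer | Select-Object ServerId, Name, URL
}

Set-AppvClientFailoverConfig -PrimaryPublishingUrl 'http://pub-vip.corp.example:8080' `
    -BackupPublishingUrl 'http://pub02.corp.example:8080' `
    -PackageSourceRoot '\\str-vip.corp.example\AppVContent' `
    -ReportingServerUrl 'http://rep01.corp.example:8081' -AutoLoad 1
```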
When could you consolidate roles onto a single server? E.g. combining or co-
hosting functionality.
This first of our scalable and reliable scenarios addresses environments with some
hundreds to a very few thousands of users and clients, a few (up to a hundred)
packages and a single geographical site (or multiple sites but well connected).
[Diagram: Clients, Active Directory, App-V Server Virtual Address, MS SQL Cluster]
For such a scenario, the ‘smallest possible’ flexible scenario would be a co-hosted
two-box implementation.
Note: As mentioned before, we consider the Active Directory and the SQL
Database services as ‘external’ components. We always recommend hosting SQL
services on a server other than the App-V machines.
For the native App-V services, two Operating System environments (‘machines’,
physical or virtual) are required. On each of these equally configured
environments, the following services are installed:
So, in this scenario the App-V services are co-hosted (one machine hosts several
services). If you are using the Reporting Server, then it is going to be installed on
the same machines as well. However, for the Streaming service, the term ‘optional’
has another meaning. If you have an existing File Server or Web Server that meets
your streaming requirement, you are fine to use that. If you don’t have any
existing suitable infrastructure, providing the package file download service from
the two co-hosted machines is probably ideal. In this case, it’s recommended to use
the web based approach as reliability for the web based services has to be
implemented anyway. If you opt for a file based delivery, you would additionally
have to establish high availability and scalability for a file server as well.
To implement HA and scalability, such a small scenario will most likely leverage
Windows Network Load Balancing services. External load balancing solutions are
usually not available for such deployments, but if they are it’s much easier to use
them than to implement Microsoft NLB.
In this scenario client requests for publishing data, streaming data or upload
requests for reporting data will be directed to a virtual IP address / host name
which is bound to the load balancing solution. It’s not necessary to make the
requests from the Publishing Service to the Management Service run through the
load balancer as well. This is not only potentially faster; it also does not require
reconfiguring the Publishing Service after its initial installation. Theoretically this
could lead to a situation where the Management Service is down but the
Publishing Service is still active and unable to receive updates. However, that
scenario is very unlikely because both services run on the same host and both rely
on IIS, so if that failed, none of the web services would be available.
From a performance perspective, the App-V Client benefits most when the App-V
Streaming Server is geographically close by. In a single site scenario this is no
issue, but in a multi-site scenario one could opt to place one server on each site,
depending on HA requirements.
[Diagram: Active Directory, MS SQL Cluster, and separate Virtual Addresses for the Streaming Server, Management Server, Publishing Server and Reporting Server]
DISTRIBUTED DEPLOYMENT
Organizations that opt for this scenario usually don’t just have a single datacenter
(or a nearby pair) but host their services in different datacenters, sometimes spread
around the world. Also many organizations need to support subsidiaries that
don’t have a dedicated datacenter or have a very weak internet connection.
The Publishing Server, sitting between the Management Service and the Client,
usually should be located close to the client because every user log-on will initiate
a Client-to-Publishing Server connection. A refresh uses HTTP(S) to transfer XML
data, which under normal circumstances is relatively small. Communication
timeouts and interval refreshes can be adjusted in the Publishing Server’s
configuration according to the actual network capabilities.
The Streaming Server should always be located close to the client. Compared to the
previously discussed components, it’s responsible for transferring the largest
amount of data. As it only relies on standard file or web services, this might
already be available in your data centers and larger locations anyway.
Unfortunately, at this time, Microsoft has not released any server sizing metrics to
design an App-V infrastructure. There are also no other sources that have
published any reports on performance either. This makes it very hard to predict
“how many users can exist on a single server?” or “how much RAM a Streaming
Server requires?”
But does this mean that we simply have to make an educated guess and pray
for a good end result? No! Your design should be flexible enough to support a
changing environment and provide a quality foundation. If your infrastructure
design is adaptable and scalable you can always withstand these demands.
INTERNAL SCALABILITY
As the metrics for hardware sizing are not available yet, you have to make sure
that your hardware can scale when resource utilization is high. One way to
achieve this is to build your environment on virtualization solutions, which allow
you to expand both CPU and RAM on a machine level easily, i.e. scale up and
down. Even on the network layer you could benefit from virtualization, for
example when the (virtual) server and the virtual desktops are in the same data
center location, switch, chassis or even blade.
EXTERNAL SCALABILITY
If you don’t want to expand your (virtual) hardware, a virtualization platform also
makes it easier to expand the number of virtual machines, i.e. scale out and in. In
some scenarios external scalability (creating more similarly equipped components in
parallel) might even give you more performance than internal scalability (expanding
resources on existing components). To support external scalability it’s recommended
to always design your environment with a load balancer from the start. Although
implementing a load balancer at a later stage is technically not more difficult, there
are far more configuration adjustments on existing components you have to make
in the process.
The most common change in every organization is the number of users and
devices that are reliant on your environment and the number of applications they
use. Let’s say you’ve established an adaptable and scalable solution. How would
these changes affect the components in the App-V infrastructure?
impact these components, but the chance of that impact being severe is not very
likely.
The Streaming Server is a component that is in direct contact with the Client, so an
increasing amount of users will definitely impact resource utilization. The amount
of data transferred from server to the client is very large, when compared to the
Publishing Server.
Lastly we have the Reporting Server and its corresponding Database. One would
say that because it’s in direct contact with the device, it’s likely to be impacted
when the numbers go up. Well, basically it isn’t. Not only because the amount
of data is relatively low, but also because, compared to the Publishing Server, the
communication does not need to be as frequent and can be limited in size as
well. Furthermore the Client caches the information it wants to send when the
Reporting Server is unavailable, making this component very unlikely to be
affected by an increasing number of users.
MORE APPLICATIONS
However, unlike with the user growth impact, the Management Database does get
affected by an increasing amount of the applications, as these application
definitions are stored within the database. As we’ve described previously, the size
of the database depends on the number of applications and the amount of
customizations that you apply. This will grow by MBs and not GBs.
In conclusion, we think the table below gives a weighted impact of a changing
environment on each App-V Native Infrastructure component:
DISASTER RECOVERY
We’ve talked about service disruption in an earlier section, discussing the impact
of failing services on the infrastructure. Independent of your high availability
design, it’s a good thing to have a disaster recovery plan so you at least know how
to respond to a service outage. High availability usually only buys you time.
BACKUP
Disaster Recovery plans can only be executed if you have backed up the critical
components of your environment. If you look at the App-V infrastructure, there
are two components that actually hold crucial data: the database(s) and the
package repository. With this data you can recreate any environment.
Tip: It’s a good idea to back up at least the database(s) and the package repository
data. Other components can be easily recreated.
The Management Server does not hold any unique information but instead stores
everything in the Management Database. The Publishing Server also does not hold
any unique information as it’s no more than a read-only Management Server. The
Streaming Server holds a replicated copy of the package repository, which you
only have to back up once. Lastly the Reporting Server, just like the Management
Server, stores its information in the Reporting Database. What we do recommend
is to make sure you have unattended installation and configuration of these
components, including the prerequisite software or components.
RESTORE
A failing server; an entire server (and therefore all services that it provides) is
down due to hardware or software failure.
A failing service; a particular service is down but the server it runs on is still
operational.
Tip: To keep the impact as low as possible you should preferably keep the name
identical to that of the originally failing component.
If you’ve restored the server you have to restore the service that was running on it.
This means installing the prerequisites on the server, installing and configuring
Internet Information Services, installing SQL Server on the database servers and
the App-V service that originated on the component you are restoring. If you don’t
like doing this manually, we are including some unattended installation scripts
in the installation sections later. Be sure to capture your initial installation and
keep the unattended installation for later reference.
With so many moving parts it may be hard to figure out the order in which restore
should take place. So let’s assume you are experiencing an entire meltdown and
you have to restore all components from scratch.
You first start with restoring all the basic server components. By basic we mean
getting the (virtual) hardware running again and getting the basic operating system on
the box, including other required components. As discussed earlier you preferably
keep the original server names (and IP addresses) when you install the server, to ease
configuration of other components, such as firewall exceptions.
Next it’s time to install SQL Server onto the server that holds the Management
Database and restore the Management Database onto it. After we have a running
Management Database we can start installing the Management Server(s) and point
them to the restored database. All configuration should be picked up directly by the
Management Server from the Management Database.
Note: One could bring up the Streaming Server first so that the client can connect
to it and continue to run applications as soon as possible. This actually is a good
strategy as well.
To complete the infrastructure you can now install the Publishing Server(s) again.
As soon as they’ve synchronized with the Management Server, your primary
application delivery chain is restored.
Lastly you should restore the Reporting Database and install the Reporting Server.
SECURITY
Unlike earlier releases, the App-V Client itself no longer offers non-local
administrators the ability to perform any delegated administrative tasks. That
applies to both the user interface and PowerShell administration. Instead, the non-
local administrators have a limited set of activities that they can perform on the
client, such as initiating a publishing refresh, an application repair and setting
application offline availability. A local administrator can also perform all other
actions.
SUPPORTABILITY
Although this is a highly powerful and extendable administrative solution, it’s not
very user friendly for users who are not familiar with the PowerShell language or
scripting. Typically your first and second lines of support don’t have this
knowledge. These users are better off using the native App-V Client Management
console 8.
Not only will this support those staff and the user in performing some of the
simpler actions on the client, it even has an option to show the PowerShell
commands that were executed underneath.
8 Note that the Beta version of Service Pack 2 for App-V 5 does not install the Client Management
Console by default any longer. It might be that Microsoft will offer it as a separate download later.
Installing a Working Deployment Infrastructure
PRE-REQUISITES INSTALLATIONS
The prerequisites for various App-V infrastructure components are summarized in
the following table.
[Prerequisites table: rows KB2533623/KB2758857 (*), SQL Server connection 9, PowerShell 3 (*), IIS extended, Silverlight, IIS basic; columns Management DB, Reporting DB, Management Server, Publishing Server, Reporting Server, Streaming Server (File), Streaming Server (Web). The per-component marks did not survive extraction.]
9 Connection to a SQL Server means that ‘somewhere’ a supported version of SQL Server instance is
running.
Components that are marked with a (*) are already part of a default installation of
Windows Server 2012 and only need to be installed on Windows Server 2008 R2.
Hotfixes or Service Packs for the OS may pre-install or supersede some of these
components.
Note: KB2533623 was replaced by KB2758857 (or maybe even newer hotfixes).
Launching the KB2533623 update may return a ‘this update is not applicable to
this machine’ message if a newer hotfix is already installed.
As stated above and below several times, we do not recommend using individual
accounts at all, neither user nor computer. Whenever possible, you should use AD
groups. The recommendation goes even further by implementing a role-based
access control (RBAC) model. In a Microsoft model, this is usually implemented
following the AGDLP principle. Accounts (A) become members of role-oriented
Global groups (G), like the App-V administrators group or the App-V
Management Server group. These Global groups are assigned to access-right-
oriented Domain Local (DL) groups, like a group for SQL Server write access or a
group for content repository write access. Finally these groups are used to assign
the technical Permission (P), for instance inside SQL Server, on NTFS, shares,
management consoles and alike. Within our description we try to align with the
AGDLP principle as much as possible 10. Throughout this document, permission
groups include ‘ACL’ as part of their name to differentiate them from account
groups.
10 AGDLP does not only allow to leverage a role-based access model, it also addresses the challenge
of ‘token size explosion’, where Kerberos tickets get very long when target resources (file
servers, web servers and alike) are placed in dedicated AD domains. When Domain Local groups are used, a
user’s token does not contain group information from ‘different’ target systems, but only the one
from the current (sub) domain.
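The AGDLP chain just described, as an added example that is not part of the book: the group names are the book’s demo names except SG.AppV.MgmtServer, and that name, the OU path, the server name and the admin account are assumptions.

```powershell
# Added example (not from the book): create the AGDLP chain described above with
# the ActiveDirectory module. ACL groups are Domain Local, role groups are Global.
# SG.AppV.MgmtServer, the OU path, APPVMGMT01 and appvadmin are assumptions.

Import-Module ActiveDirectory

$groupOu = 'OU=AppV,OU=Groups,DC=demo,DC=local'   # assumed target OU

function New-AppVGroup {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][ValidateSet('Global', 'DomainLocal')][string]$Scope,
        [string]$Description = ''
    )
    # Idempotent: a second run reuses the existing group instead of failing.
    $existing = Get-ADGroup -Filter "Name -eq '$Name'"
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
        -GroupCategory Security -Path $groupOu -Description $Description -PassThru
}

# G: role-oriented Global groups (who someone is)
$adminRole  = New-AppVGroup -Name 'SG.AppV.Admin'      -Scope Global -Description 'App-V administrators (role)'
$serverRole = New-AppVGroup -Name 'SG.AppV.MgmtServer' -Scope Global -Description 'App-V Management Server computers (role)'

# DL: permission-oriented Domain Local groups (what may be done); these are the
# names that are later entered into Permissions.sql / SQL Server.
$dbReadWrite = New-AppVGroup -Name 'SG.SQL.ACL.AppvDB.RW' -Scope DomainLocal -Description 'Read/write on the App-V management DB'
$dbReadOnly  = New-AppVGroup -Name 'SG.SQL.ACL.AppvDB.RO' -Scope DomainLocal -Description 'Read-only on the App-V management DB'

# G -> DL: the Management Server computers and, ideally, the administrators go
# into the RW group; the RO group gets the same members.
foreach ($aclGroup in $dbReadWrite, $dbReadOnly) {
    Add-ADGroupMember -Identity $aclGroup -Members $adminRole, $serverRole
}

# A -> G: accounts join role groups, never the ACL groups directly.
Add-ADGroupMember -Identity $serverRole -Members (Get-ADComputer -Identity 'APPVMGMT01')  # assumed server
Add-ADGroupMember -Identity $adminRole  -Members (Get-ADUser -Identity 'appvadmin')       # assumed admin account

# P: the permission itself (SQL Server role, NTFS ACE on the content share) is
# granted to the DL group, not to the role group and not to an individual account.
```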
[Permissions table fragment: App-V Client Machines need Content Store Read for Global Publishing (Application Access) and Content Store Read for Shared Content Store.]
12 According to the SQL script provided by Microsoft, this account ‘should be the account
corresponding to the user who will be installing Management Service’. This is misleading. This
‘Read Only’ group does not seem to be used at all.
Note: If you are importing web based packages using the Management console or
PoSh, the (local and hidden) IIS_IUSR account has to have access to IIS’
web.config file in order to read IIS permissions.
During the App-V Management Server component installation you have to specify
connection parameters to a SQL database that holds the management information.
When you install the Reporting Server component, this also requires (another)
database.
When you decide to install the SQL database on the same machine as the App-V
services, the setup wizard can create and configure the database(s) as an integrated
part of the process. However the wizard is not able to create and configure the
database if the DB should be hosted on another machine. Remember that we do
not recommend installing SQL services and App-V services on the same machine
for production deployments anyway; therefore using a remote database is a
default configuration from our perspective. Also remember that the SQL database
may not be hosted on an Active Directory Domain Controller, as this is not
supported by Microsoft.
There are several ways to pre-create the App-V management database and
reporting database on SQL Server machines.
For the App-V setup wizard to succeed, several tables, stored procedures and
other objects have to be pre-configured. Microsoft provides two methods to pre-
create the databases. One method is to execute the App-V setup wizard directly on
the SQL server. This is a good and recommended scenario for non-production or
smaller environments or for environments where a single SQL server machine is
dedicated for App-V. The other method is to prepare multiple SQL scripts
(.sql files) that SQL administrators can review and execute on the SQL server.
While this method requires more preparation, it might be required in
environments where it is not permitted to run any applications (including setup
wizards) on the SQL server machines or where the database should be hosted on a
SQL cluster. Also, the setup wizard only allows specifying a single computer
(but not a permission group) for granting access. The advantage of using the SQL
scripts is that rigorous SQL administrators may inspect and validate them, because
they are presented in clear text; the scripts also allow specifying computer groups.
Furthermore they can be used to prepare SQL cluster instances. The following table
summarizes the main differences between the two preparation methods:
Aspect | Setup wizard | SQL scripts
SQL sysadmin privileges | Installing user on SQL machine | User who runs the scripts
Accounts that can be specified for SQL access rights | One individual account (typically a computer) | One group of users and/or computers (incl. nesting)
Accounts that can be specified for App-V Admin rights | One individual account (typically a user) | One group of users and/or computers (incl. nesting)
For both pre-creation methods you need to specify accounts or groups that will be
given permissions to the database.
One group needs to get read and write permissions to the App-V management
database. All App-V Management Server computer accounts should be members
of this group. Optionally (and ideally) you should also add the App-V
administrators to that group. We’ll use demo\SG.SQL.ACL.AppvDB.RW in the
upcoming screenshots for that.
When using the SQL scripts (and not the setup wizard) you’ll notice that there is a
second group for ‘public access’. This group is – according to some information –
only required for the installation and gets read access to a single table. You
could use the same group as for the read-write access or create another one. For
the examples the group demo\SG.SQL.ACL.AppvDB.RO is used, however it
contains the same members as the .RW group.
If you are using the App-V Reporting service to store client usage data in a SQL
database, similar access rights are required. You may use the same or different
groups depending on the security policy within your organization. Note that you
may need an additional group with specific SQL permissions if Non-App-V
admins should be able to extract reporting data later on.
To use the App-V setup wizard for database pre-creation, you have to log on to the
targeted SQL server. You have to have local Windows admin permissions and SQL
sysadmin permissions.
Launch the App-V setup wizard “as administrator” (FIGURE 17). You may run it
from a network share.
The setup wizard will launch. Click Install then proceed through the wizard
using the default values until you reach the Feature Selection screen.
In the Feature Selection screen, activate the Management Server DB feature, then
click Next (FIGURE 18):
Accept the default settings in the Installation Location screen; proceed to the first
Configure screen.
In the first Configuration screen (FIGURE 19), choose if you want to use the SQL
default instance or if you want to specify another named instance.
Figure 19: Setup Wizard - Specify Management Database name and location
Click Next.
In the second Configure screen (FIGURE 20), specify a computer account that will
access the database. Provide the name of the App-V Management Server AD
account here. Note that you only can specify a single computer (neither multiple
computers nor a group) here. Use the domain\account format.
Enter the App-V Administrators group name or the name of the currently
installing account into the Install Administrator Login field. As mentioned above
the recommendation is to prefer a group to an individual account here. Because
there is only a limited effect, you may enter the read-write group (instead of the
read-only group) here as well.
Confirm your settings with Next, and then proceed through the subsequent steps
until the wizard ends.
If the setup wizard is not appropriate (for security or flexibility reasons) you may
be required to use the SQL script based method to pre-create the App-V
management database.
The first task is to extract the script from the setup.exe. For this, run the
following command (as an administrator) on a temporary or test server (you may
also run this on the machine that should become an App-V server):
appv_server_setup.exe /layout c:\temp
This will extract the content of the setup wizard to the temp folder. Underneath
it, there is a new folder for the database scripts, containing one folder with the (not
yet working) SQL scripts to pre-configure the management database, and another
folder containing the scripts to pre-configure the reporting database. FIGURE 21
shows the content of the ManagementDatabase subfolder.
These scripts need some preparation beforehand. Both the readme.txt and each .sql
file contain some further information we will use for the upcoming steps.
At first you have to determine the SIDs for the entities that should get access to the
App-V Management database.
$objUser = New-Object System.Security.Principal.NTAccount("demo\SG.SQL.ACL.AppvDB.RW")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
The output of $strSID.Value returns the group’s SID; the command also works
for computer or user objects as shown in FIGURE 22.
For the App-V SQL scripts, this SID has to be streamlined first. Remove all dashes
and the ‘S’ at the beginning, so that it looks
like 1521397847259041778234562756747971114.
If you want to use a separate account or group for the read-only access to the
management DB, you also have to determine the streamlined SID for that.
Now, the SID(s) and account/group name(s) have to be entered into the
Permissions.sql file. You can modify it with Notepad or any other text editor.
Within Permissions.sql, replace the presets in square brackets with your actual
values, removing the square brackets. FIGURE 23 shows you the original, FIGURE 24
the modified Permissions.sql file.
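The SID streamlining and the Permissions.sql edit described above, as an added example that is not part of the book or of Microsoft’s scripts. The preset names inside Permissions.sql are not given in the book, so the ones in the usage section are hypothetical; look them up in your extracted copy before running this.

```powershell
# Added example (not from the book or from Microsoft's scripts). Resolves an
# account or group to its SID, streamlines it the way the App-V database scripts
# expect (no leading 'S', no dashes) and writes the values into Permissions.sql.
# The preset names used at the bottom are hypothetical; adjust them to your copy.

function ConvertTo-AppVStreamlinedSid {
    param([Parameter(Mandatory = $true)][string]$Account)   # 'domain\name' format

    $ntAccount = New-Object System.Security.Principal.NTAccount($Account)
    try {
        $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Cannot resolve '$Account' to a SID. Check the spelling and that the domain is reachable."
    }
    # Streamline: 'S-1-5-21-...-1114' becomes '1521...1114'.
    return (($sid.Value -replace '^S-', '') -replace '-', '')
}

function Update-AppVPermissionsScript {
    param(
        [Parameter(Mandatory = $true)][string]$Path,       # path to Permissions.sql
        [Parameter(Mandatory = $true)][hashtable]$Presets  # preset name (without brackets) -> value
    )

    if (-not (Test-Path -Path $Path)) { throw "File not found: $Path" }

    # Keep the untouched original next to the edited file so the SQL administrator
    # can diff the two before executing the script.
    Copy-Item -Path $Path -Destination "$Path.orig" -Force

    $content = Get-Content -Path $Path -Raw
    foreach ($name in $Presets.Keys) {
        $token = "[$name]"
        if (-not $content.Contains($token)) {
            Write-Warning "Preset $token not found in $Path; check the preset names in your copy."
            continue
        }
        # The square brackets are removed together with the preset, as described above.
        $content = $content.Replace($token, [string]$Presets[$name])
    }
    Set-Content -Path $Path -Value $content
}

# --- usage: group names are the book's demo names, preset names are hypothetical ---
$rwGroup = 'demo\SG.SQL.ACL.AppvDB.RW'
$roGroup = 'demo\SG.SQL.ACL.AppvDB.RO'
$rwSid = ConvertTo-AppVStreamlinedSid -Account $rwGroup
$roSid = ConvertTo-AppVStreamlinedSid -Account $roGroup

Update-AppVPermissionsScript -Path 'C:\temp\DatabaseScripts\ManagementDatabase\Permissions.sql' -Presets @{
    'HYPOTHETICAL_RW_ACCOUNT_NAME' = $rwGroup
    'HYPOTHETICAL_RW_ACCOUNT_SID'  = $rwSid
    'HYPOTHETICAL_RO_ACCOUNT_NAME' = $roGroup
    'HYPOTHETICAL_RO_ACCOUNT_SID'  = $roSid
}
```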
The default name for the upcoming database is AppVirtManagement. If this name
doesn’t match your requirements, edit the Database.sql file.
Simply Search and Replace all instances of AppVirtManagement with your new
name. Interestingly you don’t need to remove the square brackets in this file.
FIGURE 25 shows a modified SQL script; save and close that as well.
If you don’t want to manually modify all the different SQL files, there is a PoSh
script available that might make things a little bit easier 15.
After they are adjusted, the scripts have to be executed by the SQL administrator
against the SQL server that should host the database. For this, sysadmin
permissions are required.
There are several ways to run SQL scripts. One is to log on to a SQL server using
the SQL Server Management Studio. This provides the ability to open a file and
run it as a ‘query’. However there is a certain chance that the scripts are executed
against the wrong database, because the target database has to be manually
selected (and the ‘master’ DB is the default target – something you don’t want to
modify, right?).
Another method is using the OSQL command line application. Suppose the
modified SQL scripts are located under C:\temp, the following commands have to
be executed; remember to adjust the database name if you have modified that and
note that the parameters -E, -i, -d are case sensitive:
CD c:\temp\DatabaseScripts\ManagementDatabase
OSQL -E -i database.sql
OSQL -E -d MS_Appv5_Management -i CreateTables.sql
OSQL -E -d MS_Appv5_Management -i CreateStoredProcs.sql
OSQL -E -d MS_Appv5_Management -i UpdateTables.sql
OSQL -E -d MS_Appv5_Management -i InsertVersionInfo.sql
OSQL -E -d MS_Appv5_Management -i Permissions.sql
FIGURE 26 shows the OSQL online help as well as two examples of how to run a
SQL script against the DB server and against a specific database.
Setting up the database for Reporting data basically requires the same steps as for
the Management database. In the setup wizard Feature Selection step just select
the “Reporting Database” option and proceed.
The process to pre-create the Reporting database using SQL scripts is very similar
to the one for the Management DB, however the scripts themselves are not exactly the
same. The main difference is that the reporting sub folder contains an additional
Install the following components onto the App-V specific server machines
according to the requirements table in the following order:
[Installation-order table: columns Management Server, Publishing Server, Reporting Server; only the row ‘Silverlight 4 or 5’ survived extraction.]
The components can usually be installed using a (very) basic graphical user
interface; because they are so simple, self-explaining and well documented we
won’t annoy you by including all these next-next-finish screenshots here. For an
unattended installation, take the following script as an example (you may need to
adjust it):
:: @echo off
:: ---------- Install System Requirements for App-V 5 Servers
:: ---------- on Windows Server 2008 R2
:: ---------- Script expects components in the INS subfolder
Note that the dism command spans several lines. Each of these lines ends with a ^
to indicate that the command continues on the next line. Make sure to include that
^ symbol at the end of each line.
%windir%\microsoft.net\framework64\v4.0.30319\aspnet_regiis.exe -ir
As a result of the script (or as a guideline if you really want to manually enable the
IIS role services), the IIS role configuration looks like FIGURE 27.
Note that you’ll be prompted with another window when manually installing and
configuring IIS once you select the ASP.NET role service, as shown in FIGURE 28. Just
accept the default value to add the services.
The Management Server has the same IIS requirements as the Publishing Server,
so you may refer to the previous section for instructions.
For the Streaming Service, which isn’t an installable component, you simply have
to enable the IIS role on the server.
On a Windows Server 2008 R2 or Windows Server 2012 machine, use the Server
Manager / Add Roles to enable the Web Server (IIS) role on the machine and click-
through the wizard.
In fact you could also use the script from section IIS FOR PUBLISHING SERVER,
however this would also install some application server / ASP features that are not
required.
Remember to enable the .appv MIME type extension as part of the configuration
process as described in the section ADD .APPV AS A MIME TYPE.
The Reporting Server has the same requirements as the Publishing and
Management Servers, so use the information from the section IIS for Publishing
Server.
In order to configure the App-V services for port 80 right during installation, the
IIS Default Website port has to be reconfigured first. There is no easy rule for when
to use what configuration, but here are some guidelines:
If using web based streaming, IIS Default Website (and thereby the streaming
port) of that machine should remain on 80. Other App-V services should be
configured to other ports.
If using file based streaming, the IIS Default Website’s port should be
relocated to somewhere like 84 or 8080 and ‘one’ App-V service should listen
on 80.
If you are spreading all App-V services across different machines, every App-V
service should listen on port 80.
IIS Default Website should not be relocated for the web-based streaming
machine, since that one is a sub-feature of default IIS.
If you are using any co-hosted scenario (more than one App-V service on a
machine) you should try to find a configuration that allows using different
ports.
If this is not possible and you are limited to using only one port, install
the services to the above, different ports and relocate them afterwards as
described in a blog post 17.
Finally, if you are forced to use SSL encryption, forget anything about IIS port
sharing – it then gets way too complicated (you’d ask one of us for a week of
consultancy).
After all these considerations, to actually change the port of the IIS Default Web
Site, open the IIS Management console, right click on it and select Edit Bindings.
Here you’ll find the port number to modify. Restart IIS after doing that (FIGURE
30).
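The same relocation done with the WebAdministration module that ships with IIS, as an added example that is not part of the book: it first reports which site owns which port (so an App-V service is not pointed at a port that is already taken), then moves the Default Web Site to 8080, one of the ports suggested above, and restarts IIS. The site name ‘Default Web Site’ and port 8080 are assumptions you may need to adjust.

```powershell
# Added example (not from the book): list IIS http port usage and move the
# Default Web Site off port 80 so that an App-V service can be installed on it.
# Requires the WebAdministration module (IIS 7.5 / 8) and an elevated prompt.

Import-Module WebAdministration

function Get-IisHttpPortUsage {
    # One object per http binding: which site listens on which port.
    foreach ($site in Get-Website) {
        foreach ($binding in $site.bindings.Collection) {
            if ($binding.protocol -ne 'http') { continue }
            # bindingInformation has the form 'IP:port:hostheader', e.g. '*:80:'
            $port = [int]$binding.bindingInformation.Split(':')[1]
            [pscustomobject]@{ Site = $site.Name; Port = $port; State = $site.State }
        }
    }
}

function Move-DefaultWebSitePort {
    param([int]$NewPort = 8080)   # 84 or 8080 are the book's suggestions

    $usage = Get-IisHttpPortUsage

    # Refuse to create a second conflict while resolving the first one.
    $conflict = $usage | Where-Object { $_.Port -eq $NewPort -and $_.Site -ne 'Default Web Site' }
    if ($conflict) {
        throw "Port $NewPort is already bound by site '$(($conflict | Select-Object -First 1).Site)'."
    }

    $current = $usage | Where-Object { $_.Site -eq 'Default Web Site' -and $_.Port -eq 80 }
    if (-not $current) {
        Write-Warning 'Default Web Site is not bound to port 80; nothing to move.'
        return
    }

    # Change the existing *:80: binding in place rather than adding a second one.
    Set-WebBinding -Name 'Default Web Site' -BindingInformation '*:80:' -PropertyName Port -Value $NewPort

    # Restart IIS so the change is active before the App-V setup asks for port 80.
    iisreset /noforce | Out-Null

    # Show the result for the two ports involved.
    Get-IisHttpPortUsage | Where-Object { $_.Port -in @(80, $NewPort) }
}

Move-DefaultWebSitePort -NewPort 8080
```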
16 The ‘P‘ is the 16th, ‘M’ the 13th and ‘R’ the 19th letter in the Latin alphabet. Now, after reading this,
imagine how ‘creative’ our App-V documentation for customers looks, given that we could write
more than 3 pages about an IIS port.
17 http://kirxblog.wordpress.com/2013/02/04/how-to-share-ports-of-app-v-5-services/
MANAGEMENT SERVER INSTALLATION
OVERVIEW
If a single server is hosting multiple components then they can either use different
ports or be configured to share a single port 18.
18 A port sharing implementation can’t be configured using the installation wizard. See the
description at http://kirxblog.wordpress.com/2013/02/04/how-to-share-ports-of-app-v-5-services/
To start the installation, locate the installation files (FIGURE 31 INSTALLATION FILES)
in your source directory.
The installation wizard first presents you with an overview of the options, and
since there are no components presently installed we can only pick from the choice
of Install.
Figure 33 Install
After we have clicked Install we first need to accept the licensing terms (FIGURE
34 LICENSE TERMS). It is not possible to continue the installation unless the terms
are agreed to.
Next up we are presented with a list of all the possible roles we can install (FIGURE
35 MANAGEMENT SERVER) and this screen actually gives a very good overview of
all the components that the App-V infrastructure is made up of. As the
Management Server DB can no longer be installed remotely as in the past versions
of App-V, we have already set up that database previously on a SQL Server and
will now only install the Management Server feature. Simply check the required
feature and click Next.
The installer offers to install the Management Server components in any directory,
but there is no reason for placing the files anywhere else as the installation
directory will not contain any content data and thus will be small in size 20. (FIGURE
36 INSTALLATION DIRECTORY)
20 In fact there is a bug that prevents you from installing some App-V server components on a drive
other than C: (http://support.microsoft.com/kb/2800730)
Next up is to set the parameters for our SQL Server connection. We can use a local
server or a remote one; in this case we have a remote SQL Server that is going to be
used. It is recommended to specify a FQDN (instead of a short name) here. We can
also specify a custom (i.e. named) instance if necessary, however we have only a
default instance set up. The last option is to specify our database name.
The Management Server itself has a few pieces to configure – such as who can
administer the server and how to reach the web server. (FIGURE 38 MANAGEMENT
SERVER CONFIGURATION)
We can name our management website anything we like, but the suggested default
name is probably a good choice unless you have compelling reasons to customize
it, such as when the IIS on the local machine already has a website by the same name.
The Port Binding (the port at which the App-V Management Server website will be
reachable) is blank and you will have to enter a valid port number that is
currently not in use on the server. We recommend using port 80 unless it’s
conflicting with another website on that specific server.
Figure 39 Install
Remember to install Hot Fix 1 (or newer) after installing the Management Server
software!
COMMAND-LINE INSTALLATION
Installing any App-V Server components via a command line is now easier than
ever before and offers a possibility to set all the necessary parameters. As there are
quite a few options, let us begin with locating the installation files and retrieving
the documentation by executing the following command:
Appv_server_setup.exe /?
A nicely documented window presents itself with examples and definitions that
will certainly fit whatever scenario you had in mind. (FIGURE 41 COMMAND LINE
PARAMETERS)
1. Dedicated server
2. Use suggested name for the website and port 80 for website.
3. AD group (SG.AppV.Admin)
5. Default instance
As with the GUI-based installer, we have to execute the command line setup from
an elevated command prompt.
Since the installation is executed silently, we can only verify the log-files
afterwards to see if the installation was successful. An installation log file is
generated in %TEMP% of the current user and it is named
Appv_server_datetime.log, wherein the datetime portion represents the
installation timestamp.
Remember to install Hot Fix 1 (or newer) after installing the Management Server
software!
OVERVIEW
The App-V Publishing Server has, just as the other components, a straightforward
installation. It does require an App-V Management Server to interact with, but this
does not have to be reachable at the time of installation. App-V dedicated
infrastructure is a three-tier infrastructure, where the Publishing Server will
connect to the Management Server to retrieve all packages and configurations.
During the installation we need to configure which Management Server we will
connect to and receive configuration from, and which port the publishing website
will be available on. This component’s address is what we will configure any
future clients to connect to for receiving information about available applications.
To simplify the configuration, we should strive to offer the website on port 80
which is the default for HTTP traffic 21.
The component can be installed on multiple servers to provide scalability and high
availability; however the high availability itself needs to be configured through an
external load balancing mechanism, as App-V does not have such a feature built-
in. Publishing Server nodes only need connectivity to the Management Server.
21 A port sharing implementation can’t be configured using the installation wizard. See the
description at http://kirxblog.wordpress.com/2013/02/04/how-to-share-ports-of-app-v-5-services/
To start the installation, locate the installation files (FIGURE 31 INSTALLATION FILES)
in your source directory.
The installation wizard first presents you with an overview of the options, and
since there are no components presently installed we can only pick from the choice
of Install.
Figure 44 Install
After we have clicked Install we need to confirm whether we accept the license
terms or not (FIGURE 45 LICENSE TERMS). It is not possible to continue the
installation unless the terms are agreed to.
The installer offers to install the Publishing Server components in any directory,
but there is little reason for placing the files elsewhere. (FIGURE 47 INSTALLATION
DIRECTORY)
First we must enter the URL of our Management Server, which is either already
installed or is going to be installed later. Both the address of the server and the
port of the website have to match what is configured during the Management
Server installation. The address here can be configured to point to an external load
balancer that will pass the requests between multiple Management Servers, or in a
simpler environment it would be the actual URL with FQDN of our single
Management Server.
We also have to specify a Website name and the port for the website that
Publishing Server will listen on. No port is recommended by the installer, but
since the App-V Publishing Server will need to be contactable by all clients, we do
recommend the standard port 80 for all HTTP services.
Finally, we receive a confirmation that we can proceed with the installation before
committing any changes to the server. (FIGURE 49 READY FOR INSTALLATION)
Once we complete the wizard we will receive feedback that the installation was
successful and what the final steps are before using the Publishing Server (FIGURE
50 FINISHED INSTALLATION). As noted on the summary screen, we now have to
register the Publishing Server with the Management Server so it can receive all
metadata for applications.
If the Publishing Server and the Management Server are installed on the same
node, the Publishing Server should be registered automatically. If the Management
Server and the Publishing Server are installed on separate nodes, you will have to
manually register the Publishing Server with the Management Server. This is
described in the section CONFIGURING PUBLISHING SERVERS.
COMMAND-LINE INSTALLATION
Just as for the command-line installation of the App-V Management Server, we
can leverage the same powerful installer for the Publishing Server. Let us start
with the documentation built into the installer:
Appv_server_setup.exe /?
Once again we have a nice list of examples and definitions and can easily create
our command-line. (FIGURE 41 COMMAND LINE PARAMETERS)
Before we dive into the possible parameters, let's summarize what we do know:
2. It uses port 80
Since the installation is executed silently, we can only verify the log files afterwards
to see whether the installation went through correctly. The installation log file is
generated within %TEMP% of the current user and is named Appv_server_datetime.log,
where the datetime portion represents the installation timestamp.
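The following script is an added example (not from the book or from Microsoft): it runs the Publishing Server setup unattended, then does what the text describes, locating the newest Appv_server_*.log in %TEMP% and checking the Registry values the installer wrote. The setup path, Management Server URL and the PublishingService Registry key are assumptions; the installer switches are taken from the /? output of the App-V 5 server installer and should be re-checked against your copy.

```powershell
# Added example: unattended Publishing Server install plus post-install verification.
# Installer switch names should be confirmed against "Appv_server_setup.exe /?".
param(
    [string]$SetupPath     = 'D:\AppV5\Appv_server_setup.exe',       # constructed path
    [string]$ManagementUrl = 'http://mgmt.corp.example:80',           # constructed; must match the Management Server install
    [string]$WebsiteName   = 'Microsoft AppV Publishing Service',
    [int]$WebsitePort      = 80                                       # the book recommends port 80
)

$setupArgs = @(
    '/QUIET',
    '/PUBLISHING_SERVER',
    "/PUBLISHING_MGT_SERVER=$ManagementUrl",
    "/PUBLISHING_WEBSITE_NAME=`"$WebsiteName`"",
    "/PUBLISHING_WEBSITE_PORT=$WebsitePort"
)

$start = Get-Date
$proc  = Start-Process -FilePath $SetupPath -ArgumentList $setupArgs -Wait -PassThru
Write-Host "Installer exit code: $($proc.ExitCode)"

# The book: the log is written to %TEMP% as Appv_server_<datetime>.log.
# Pick the newest one written since we started, so an older run is not mistaken for this one.
$log = Get-ChildItem -Path $env:TEMP -Filter 'Appv_server_*.log' |
       Where-Object { $_.LastWriteTime -ge $start } |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $log) { throw 'No installer log found in %TEMP%; the setup did not run.' }
Write-Host "Log file: $($log.FullName)"

# Surface error lines instead of reading the whole log by hand.
Select-String -Path $log.FullName -Pattern 'error|fail' | Select-Object -First 20

# Verify what the installer wrote to the Registry (value names as used in the book;
# the key path is an assumption).
$key = 'HKLM:\SOFTWARE\Microsoft\AppV\Server\PublishingService'
$cfg = Get-ItemProperty -Path $key -ErrorAction Stop
[pscustomobject]@{
    MgmtServer  = $cfg.PUBLISHING_MGT_SERVER
    WebsiteName = $cfg.PUBLISHING_WEBSITE_NAME
    WebsitePort = $cfg.PUBLISHING_WEBSITE_PORT
} | Format-List

# Sanity checks the book calls out: port and the Management Server address must match.
if ($cfg.PUBLISHING_WEBSITE_PORT -ne $WebsitePort) { Write-Warning 'Website port differs from the requested port' }
if ($cfg.PUBLISHING_MGT_SERVER -ne $ManagementUrl)  { Write-Warning 'Management Server URL differs from the requested URL' }
```

Run it elevated on the Publishing Server node; a non-zero exit code together with the grep'd log lines is usually enough to see why a silent install failed.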
2.3 DEPLOYMENT INFRASTRUCTURE CONFIGURATIONS
STANDARD CONFIGURATIONS
After the components for the App-V Native Infrastructure have been installed
(and perhaps updated with hotfixes), the environment is almost ready to use.
However, some configuration steps are still required, and you may find information
in this section that helps you optimize and troubleshoot the environment. In
contrast to administration, the configuration section does not address topics like
application management or other tasks that can be considered daily business;
instead it covers one-time configuration tasks. Here we'll focus on the native App-V
infrastructure components: the Package Repository and the databases for
management or reporting data rely on industry-standard technologies and are
therefore not discussed here, and the Client and Sequencer have their own
dedicated chapters later in this book.
To make configuration changes (and of course to verify them), Regedit, the IIS
Management console and perhaps a text editor are sufficient.
INSTALLDIR specifies the installation directory and should not be modified under
any circumstances. If the installation was to an incorrect directory it’s surely better
to uninstall and re-install the Publishing Server. Because the Publishing Server
does not hold any configuration data, this is an easy and low-risk task.
PUBLISHING_MGT_SERVER specifies the protocol, server name and port of the App-
V Management Server service that is to be queried. If both Publishing Server and
Management Server are installed on the same machine (co-hosted scenario) and
no encryption is used, localhost can be used to specify the Management Server.
Note that the correct communication port (81 in the screenshot) has to be specified.
When you modify the environment later on (for example, isolate the Management
Service on a dedicated machine or place it behind a load balancer), you can adjust
the Registry setting here. Because the targeted App-V Management Service is also
an IIS web service, HTTP and HTTPS are the only two supported protocols.
Remember that any encrypted (HTTPS) communication between the two services
– even on the same machine – not only requires proper certificates, but also that
the FQDN of the Management Server is specified.
You may find some references to modifying the webconfig.xml file for adjusting
this setting. This recommendation was true for pre-releases and the beta version of
App-V 5 but does not apply to the final release.
PUBLISHING_WEBSITE_NAME specifies the name of the IIS web site for the
Publishing Service as it was defined during installation. You should not modify
this setting.
PUBLISHING_WEBSITE_PORT specifies the TCP port IIS uses for the Publishing
Service. Clients will connect to the service using this port to retrieve individual
publishing information. You should not change this setting – and you should
ensure that your firewall allows communications to this port. To add more ports
(like 443 for a secure HTTPS connection) you should use the IIS (site) configuration
settings only.
To force the changes to take effect you can restart the World Wide Web Publishing
Service (Windows service), restart the App-V Publishing web application
within IIS, or launch the iisreset command with elevated rights. Of course you
can also restart the entire machine. All of these actions cause the service to stop
functioning for a while, so clients won't receive publishing information during that time.
The App-V Management Server is also an IIS web application. Like the Publishing
Service it can be configured via the Registry or IIS Manager. Additionally some
settings show up in the Management console or in configuration text files.
INSTALLDIR shows the directory the App-V Management Server components were
installed to. You shouldn’t modify this.
MANAGEMENT_ADMINACCOUNT, _SID and _TYPE are also values that you should not
change. They show which user or group was specified during installation as being
the “App-V Administrator”.
There are two files that appear to be used for configuration purposes. Both are
located in the INSTALLDIR (usually C:\Program Files\Microsoft Application
Virtualization Server\ManagementService, see FIGURE 54).
22 A guess: The name was changed during the development process, whereas some modules still
point to the original entry while others use the renamed one. MANAGEMENT_DB_SERVER may
include the instance name (server\instance).
23 For a connection to a SQL Mirror, refer to the section APP-V 5 SQL MIRRORING CONFIGURATION in
the Appendix.
The folder also contains a web.config file: It doesn’t contain any options you
should modify.
When moving over from Registry and file based modifications to the web based
management console, there are two sections that can be considered as having
configuration purposes.
The Servers section shows the list of known Publishing Servers, but not the
Management or Reporting Servers (FIGURE 56). After you have installed the Publishing
Server, you may have to register it using the Management console – you should
verify its registration in any case.
Clicking on the REGISTER NEW SERVER link (top-right) will open a new form that
allows you to enter the name and a description for that new Publishing Server
(FIGURE 57):
Enter the server name (or a part of it), then click on Check and select the
appropriate machine name from the drop down list showing potential matches.
Note that you have to use the domain\server format. You also can enter a
description. Clicking on Add inserts the new server name into the database. If the
Add button is grayed out, repeat the check/select steps.
As a result, the new server appears in the server list (FIGURE 58):
Right-clicking a server entry allows you to remove it; this is useful if a Publishing
Server machine was de-provisioned (FIGURE 59). You will be prompted to confirm
that you really want to remove that server.
CONFIGURING ADMINISTRATORS
The Administrators section (accessible via the cogwheel icon) does indeed allow
some configuration.
The top right Add Administrators link opens a form where you can select new
groups (or users) to become App-V administrators. Enter the domain name
followed by a backslash and the actual group name (or user name if you really
have to). It is sufficient to enter the first few characters of the group; a list of
matching items will be generated for you (FIGURE 61). Clicking the Check button
retrieves a list of matching objects, allowing you to select one.
Then click Add, followed by Close, and the new group or user will be added to the
App-V administrators list.
You’ll be prompted with a warning message that needs confirmation (FIGURE 63).
If you confirm the removal, the task ends with an information message bar, telling
you that the entry was removed from the list of administrators.
Managing Administrators can only be done using the GUI, and not with PoSh.
Ok, so just for the fun of it: What happens if you are removing the last
administrator account from the list? Does the Management console prevent this?
After reading and understanding the warning message just above you easily can
guess the answer: The console allows you to remove even the last account!
Immediately after you’ve done this you are prevented from performing any
further actions. You can still click through the sections, but an error message
clearly indicates that you are lost.
Are you really? Luckily not: Just initiate an iisreset (or reboot the machine). In
such a situation the App-V Management Service reads the file AdminGroup.xml
located in the installation directory (C:\Program Files\Microsoft Application
Virtualization Server\ManagementService\).
The group/user object, which is identified by its AccountSID value, then will be
added back automatically as an App-V Administrator (also in the database). But
again this isn’t a daily occurrence, this is an emergency task! 24
24 Another way to restore the App-V admin group would be to directly modify the database,
RoleAssignments table.
Though there is no dedicated installer for the Streaming Server, this component
still requires some configuration as well. The configuration differs depending on
the technology used: File server or Web server.
FILE SERVER
If the App-V packages are to be downloaded by the client from a file share, you of
course need to configure one. Because Windows file share configuration is a
common task, it won't be described in detail here. However, just to remind you of
a few best practices:
Limit the actual access rights by configuring NTFS permissions on files and
folders.
Prefer the Share and Storage Management console over the right-click-on-a-
folder method.
The App-V Client potentially accesses the file in both the user's and the
machine's context. Therefore users and computers require read access
permissions on the respective .appv files.
The App-V Management Server machine accounts require read access to the
files.
As a matter of common sense, name the share 'content'. Most organizations did and
do it this way.
Changing the file server or file share name afterwards requires adjusting all
packages that were previously added from the old file share name, or
modifying the Client's PackageSourceRoot Registry value.
Remember: The App-V Management Server machine accounts need read access,
all users and client computers need read access to the shared files.
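The following script is an added example (not from the book) that applies the rules just listed: a 'content' share whose NTFS permissions give users, computers and the Management Server machine accounts read access only, with write access limited to a packaging group. The domain, folder, group and machine account names are constructed placeholders, and the SMB cmdlets assume Windows Server 2012 or later.

```powershell
# Added example: least-privilege 'content' share for App-V 5 packages.
$Domain      = 'CORP'                                   # constructed
$ContentPath = 'D:\AppVContent'                         # constructed
$ShareName   = 'content'                                # the name the book recommends
$MgmtServers = @("$Domain\APPVMGMT01$", "$Domain\APPVMGMT02$")   # Management Server machine accounts (constructed)
$ReadOnly    = @("$Domain\Domain Users", "$Domain\Domain Computers") + $MgmtServers
$Admins      = @("$Domain\AppV-Packagers")              # the only principals that may add packages (constructed)

New-Item -Path $ContentPath -ItemType Directory -Force | Out-Null

# NTFS: stop inheriting from the drive root (which usually grants Users read on everything
# and CREATOR OWNER full control), then grant explicit rights only.
$acl = Get-Acl -Path $ContentPath
$acl.SetAccessRuleProtection($true, $false)      # protect the ACL, discard inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

foreach ($id in $ReadOnly) {
    # users, client computers and Management Server accounts: read + execute, nothing more
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'ReadAndExecute', $inherit, $prop, 'Allow')))
}
foreach ($id in ($Admins + @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'))) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, $prop, 'Allow')))
}
Set-Acl -Path $ContentPath -AclObject $acl

# Share permissions: NTFS already limits access, so the share level mirrors it
# (read for the consumers, full for the packaging group) rather than "Everyone: Full".
New-SmbShare -Name $ShareName -Path $ContentPath -Description 'App-V 5 package store' `
    -ReadAccess $ReadOnly -FullAccess $Admins | Out-Null

# Verify the result against the book's rule: consumers read-only, packagers write.
(Get-Acl -Path $ContentPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

The explicit ACL means a package dropped into the folder by a packager is readable by every client, while a client or a Management Server account can never modify a package after it has been imported.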
WEB SERVER
As for a file server implementation, the default configuration of a web server like
Internet Information Server will not be part of this book.
Create a new Virtual Directory in IIS that points to a directory on the server.
Add .appv files as a perceived MIME type to the Virtual Directory within IIS, as
described later in this section.
Do not enable Directory Browsing, neither on the top IIS level nor on the
Virtual Directory level. Because it is IIS 25 and not an individual user who
accesses the folders, there is no easy method to restrict access based on user
group memberships.
Ensure that clients treat the Streaming Server URL as ‘local intranet’.
To allow downloading .appv files and to import configuration.xml files via IIS into
the management Database, a Virtual Directory has to be created that links to the
physical (file system) location. Our recommended best practice is to name this
Virtual Directory “Content”.
In the IIS Management console right-click the Default Website and select Add
Virtual Directory… (FIGURE 66)
You’ll be prompted with a new window where you specify the name (Alias) and
Physical path for that directory (FIGURE 67). Avoid special characters in the
alias.
Leave the other (default) settings and confirm with OK; the new Virtual Directory
on IIS has been created.
Because IIS only offers files of known types we must tell IIS about the .appv file
format. This is done by adding a new MIME type.
To accomplish this, select the newly created virtual directory (content) in the IIS
Management console. The main window (FIGURE 68) will show you a set of
configuration items.
Clicking on MIME Types brings up a list of known types, mostly inherited from the IIS
installation, as shown in FIGURE 69. Just click anywhere in the right-hand pane and
choose Add...
In the next screen (FIGURE 70), add .appv (or appv without the dot) into the file
name extension field. Enter application/ms-appv as the actual type 26.
26 It doesn't really matter what you enter here; in fact application/zip would also be fine, because
essentially .appv files are .zip containers. http://en.wikipedia.org/wiki/MIME_type lists some well-
known MIME types; the official registration is done by IANA:
http://www.iana.org/assignments/media-types
As a result, the .appv extension should appear in the list. With this operation, a
web.config (XML formatted) file is placed into the virtual directory.
Important:
The <servername>\IIS_IUSRS group has to have read access to the
web.config file. Ensure that you adjust the NTFS settings of the parent
folder.
An example of NTFS permissions for the web based content share can be seen in
FIGURE 71.
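The steps above (virtual directory, .appv MIME type, directory browsing off, read access for IIS_IUSRS to the generated web.config) as one added script that is not part of the book; it uses the WebAdministration module shipped with IIS 7.5 and later. The site name, alias and physical path are constructed placeholders.

```powershell
# Added example: IIS-based Streaming Server configuration for App-V 5 packages.
Import-Module WebAdministration

$SiteName    = 'Default Web Site'     # constructed
$Alias       = 'Content'              # the book's recommended alias; avoid special characters
$ContentPath = 'D:\AppVContent'       # constructed
$location    = "IIS:\Sites\$SiteName\$Alias"

New-Item -Path $ContentPath -ItemType Directory -Force | Out-Null

# 1. Virtual directory pointing at the package folder (idempotent).
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name $Alias)) {
    New-WebVirtualDirectory -Site $SiteName -Name $Alias -PhysicalPath $ContentPath | Out-Null
}

# 2. MIME type: IIS only serves known extensions, so without this every .appv request is a 404.
$mimeFilter = 'system.webServer/staticContent/mimeMap[@fileExtension=".appv"]'
if (-not (Get-WebConfigurationProperty -PSPath $location -Filter $mimeFilter -Name mimeType)) {
    Add-WebConfigurationProperty -PSPath $location -Filter 'system.webServer/staticContent' `
        -Name '.' -Value @{ fileExtension = '.appv'; mimeType = 'application/ms-appv' }
}

# 3. Directory browsing stays off: the folder is read by IIS, not by the individual user,
#    so browsing would expose the whole package catalogue to anyone who can reach the site.
Set-WebConfigurationProperty -PSPath $location -Filter 'system.webServer/directoryBrowse' `
    -Name enabled -Value $false

# 4. The mimeMap change above writes a web.config into the folder (the book's "Important" note);
#    IIS_IUSRS must be able to read it and the package files, and nothing more.
icacls $ContentPath /grant 'IIS_IUSRS:(OI)(CI)(RX)' | Out-Null
$webConfig = Join-Path $ContentPath 'web.config'
if (Test-Path $webConfig) { icacls $webConfig /grant 'IIS_IUSRS:(R)' | Out-Null }

# Verify the three settings the book cares about.
[pscustomobject]@{
    MimeType          = (Get-WebConfigurationProperty -PSPath $location -Filter $mimeFilter -Name mimeType)
    DirectoryBrowsing = (Get-WebConfigurationProperty -PSPath $location -Filter 'system.webServer/directoryBrowse' -Name enabled).Value
    WebConfigPresent  = (Test-Path $webConfig)
} | Format-List
```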
MONITORING
As Microsoft Application Virtualization might be the primary or at least a very
important delivery model for applications, it is critical to monitor App-V related
services to verify their availability. Though users might be able to launch
applications even if all servers have failed, this shouldn't be your default mode of
operation. As a reminder you should refer back to the corresponding sections in
the GENERAL ARCHITECTURE sub chapter above.
IDENTIFY COUNTERS
Hardware counters
CPU Utilization
Memory Utilization
Service Counters
There are some IIS application specific counters, grouped under the
following sections of Windows Performance Counters. They do contain
specific entries for App-V related objects:
A_POOL_WAS
W3SVC_W3WP
WAS_W3WP
Web Service
Service Monitoring
You should verify that the following Windows services are active
Server
Functional Tests
From a client, try to get the list of applications (query the Publishing
Server) and download some well-known .appv files regularly. You also
might use the Client’s PowerShell interface to add/mount applications 27
Collecting counters and errors is not enough: not every single error is a real issue
(but a bunch of errors occurring within an hour potentially is) and having a
number of 123.456 for a counter doesn’t tell itself if things are good or not.
Therefore, each of the counters that you want to observe needs a threshold that
marks the spot where things go critical (amber traffic lights) or wrong (red traffic
lights). While there are some easy ones (75%-90% CPU or Memory Utilization)
other ones are not that easy to define, such as for Disk I/O of the Streaming Server.
To identify realistic values for such counters, you should monitor the values in
three states: low (nothing happening), intensively used (a lot of users are working
with no issues) and overloaded. Then define your thresholds based on those
figures.
You should use tools such as the following to actually create or simulate load in
the environment 28.
HP LoadRunner http://www8.hp.com/us/en/software-solutions/software.html?compURI=1175451&jumpid=reg_r1
27 But you’d have to wait for the next chapter of this book to learn how ;-)
28 Just use the one with the shortest URL - at least two of the authors would like you for that ;-)
Of course you also can start asking your users to help you here, but you shouldn’t
do so if they know your name, so using tools or robots is easier to handle.
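One monitoring pass that puts the pieces above together, as an added example that is not from the book: hardware counters rated against the 75%/90% amber/red thresholds the text gives, the IIS counter sets, a service check, and the functional test (query the Publishing Server, download a known .appv file). The server names, probe package, the choice of W3SVC and WAS as the services to watch, and the W3SVC_W3WP counter path are assumptions; adjust them to your counter list and baseline.

```powershell
# Added example: single monitoring pass for an App-V 5 server node.
$PublishingUrl = 'http://appvpub.corp.example:80/'                     # constructed
$ProbePackage  = 'http://appvstream.corp.example/Content/Probe.appv'  # constructed, a small well-known package
$Services      = 'W3SVC', 'WAS'                                        # IIS services hosting the App-V web applications (assumption)
$Amber = 75; $Red = 90                                                 # thresholds from the book

function Get-State([double]$Value, [double]$Amber, [double]$Red) {
    if ($Value -ge $Red) { 'RED' } elseif ($Value -ge $Amber) { 'AMBER' } else { 'GREEN' }
}

$results = @()

# Hardware counters: CPU and memory utilization
$hw = Get-Counter -Counter '\Processor(_Total)\% Processor Time', '\Memory\% Committed Bytes In Use'
foreach ($s in $hw.CounterSamples) {
    $results += [pscustomobject]@{ Check = $s.Path; Value = [math]::Round($s.CookedValue, 1)
                                   State = Get-State $s.CookedValue $Amber $Red }
}

# Service counters: no fixed threshold yet; the book says to baseline these in the
# idle / busy / overloaded states first, so they are reported as INFO.
$web = Get-Counter -Counter '\Web Service(_Total)\Current Connections', '\W3SVC_W3WP(*)\Active Requests' `
                   -ErrorAction SilentlyContinue
foreach ($s in $web.CounterSamples) {
    $results += [pscustomobject]@{ Check = $s.Path; Value = $s.CookedValue; State = 'INFO' }
}

# Service monitoring
foreach ($name in $Services) {
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc -and $svc.Status -eq 'Running') { 'GREEN' } else { 'RED' }
    $results += [pscustomobject]@{ Check = "Service $name"; Value = $svc.Status; State = $state }
}

# Functional tests: a publishing query and a package download, timed.
# -UseDefaultCredentials because the Publishing Server authenticates the caller.
foreach ($url in $PublishingUrl, $ProbePackage) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp  = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 30
        $state = if ($resp.StatusCode -eq 200) { 'GREEN' } else { 'RED' }
        $value = "$($resp.StatusCode) in $($sw.ElapsedMilliseconds) ms, $($resp.RawContentLength) bytes"
    } catch {
        $state = 'RED'; $value = $_.Exception.Message
    }
    $results += [pscustomobject]@{ Check = $url; Value = $value; State = $state }
}

$results | Format-Table -AutoSize
# Exit code for the scheduler / monitoring agent: 2 = red, 1 = amber, 0 = all green
if ($results.State -contains 'RED') { exit 2 } elseif ($results.State -contains 'AMBER') { exit 1 } else { exit 0 }
```

Scheduling this every few minutes and keeping the output gives you the three-state baseline the text asks for; the download time of the probe package is the easiest Streaming Server indicator to derive a threshold from.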
Microsoft offers a Management Pack for its own monitoring solution, System
Center Operations Manager (aka MOM or OpsMgr). It can be downloaded from
http://www.microsoft.com/en-us/download/details.aspx?id=38418 and
includes pre-created tests and categorizations. Note that the description of
Management Pack can also be used as a guideline for other solutions.
HIGH AVAILABILITY AND SCALABILITY
In the SERVICE DISRUPTION IMPACT section we explained the effects of failing
components to the App-V application delivery chain, how to avoid them and what
technologies to use. On the next pages we’ll explain how to actually configure
components for HA scenarios.
[Figure: HA overview showing Active Directory, the MS SQL Cluster, and the Streaming Server, Management Server, Publishing Server and Reporting Server each reachable via a Virtual Address]
ACTIVE DIRECTORY
If you need to change your AD domain, well, then you should re-install and re-
configure all individual App-V Components (you probably need to do that for
almost all your Windows systems anyway, don’t you?).
MANAGEMENT DATABASE
The App-V Management service is the only component that connects to the
Management DB. Because it is not trivial to connect an existing Management
Server machine to an SQL cluster afterwards, it is strongly recommended to
establish that connection during the initial installation of the App-V Management
Server(s). Remember that only the script-based installation of the Management
Database is able to create a clustered database.
MANAGEMENT DATABASE
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Server\ManagementService
adjust the following settings:
MANAGEMENT_DB_NAME: <New_Database_Name>
MANAGEMENT_DB_SQL_INSTANCE: <New_SQL-Server_Instance_Name>
MANAGEMENT_DB_SQL_SERVER: <New_SQL-Server(cluster)_Name>\<Instance_Name>
MANAGEMENT_DB_SQL_SERVER_NAME: <New_SQL-Server(cluster)_Name>
After these modifications, restart the IIS web application, IIS or the entire machine.
PUBLISHING SERVER
For some scenarios it might be acceptable that publishing information isn't updated
for a day or two, but most implementations will not allow for this, so HA is a
requirement.
Plan and reserve a virtual IP address and a virtual server name for App-V
Publishing right from the beginning – even if you start planning for a single
machine only. Use that virtual server name in all configurations.
node. While this is not a technical requirement, it may allow the individual
nodes to cache certain information. 29
You may consider distributing load to the Publishing Server’s specific TCP
port only (and not to entire machines based on IP addresses), but that is not
required, though it would be more correct.
As for now, Microsoft has not provided any scaling information for the Publishing
Server. For a rough estimation expect that every client queries an XML document
from the Publishing Server during logon (and additionally at manual refresh
operations). Note that some configuration data may be as large as 5 MBs.
If the Publishing Server address changes (like to a virtual load-balanced name), the
App-V Client configuration has to be adjusted.
This can be done by modifying the corresponding Registry value on the client
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Publishing\Servers\<ID>:
URL value) directly, by using the App-V Client ADMX or with
29 It also may make troubleshooting easier, esp. in test and pilot deployments. If the load Balancer
directs all requests from a given client to the same node, also ‘admin’ requests like an RDP
connection would be directed to the same node as the App-V publishing requests.
Remember that you have to add each new Publishing Server to the Management
DB using the Server Management console, but you don’t need to add a virtual
name to that list.
MANAGEMENT SERVER
Like the Publishing Server, the Management Server is an IIS application: High
availability and scalability can be achieved by using a simple web load balancer or
even Microsoft NLB. Because only Administrators and the Publishing Servers
access this service, it usually does not warrant such scalability.
MANAGEMENT SERVER
Also you have to tell your administrators that they should connect to a new URL.
STREAMING SERVER
Depending on the technology you have chosen for .appv file delivery, achieving HA
and scalability differs as well.
To configure a highly available web server, just follow the instructions given for
the Publishing Server above… it’s just a web server.
CONTENT REPLICATION
Unlike common Software Distribution systems, App-V does not have a built-in
method for replicating package files (content) across several App-V Streaming
Servers. Therefore, you have to find an appropriate solution that copies the
package files from the central Package Repository down to each Streaming Server.
The most common methods are Robocopy and DFS-R (Microsoft Distributed File
System Replication). Both methods have their advantages and disadvantages;
selecting one of them potentially depends on your attitude.
Note for both methods that your replication source (or first replication target)
should be the node ‘close’ to your Management Server so that you can start
importing apps even when they haven’t replicated entirely.
One way to overcome this would be to use nasty hosts files on your admin
machines, telling that <virtual Streaming Server> name always points to
StreamingServer_A – or you ensure that your load balancing solution / DFS name
space or so always points every request from a given client (your admin PC) to a
given target (StreamingServer_A) – which is not easy, though, because you might
be using different technologies.
Changing the Streaming Source after adding packages would require some work,
because the streaming URL/UNC is stored for each package in the Management
Database, PackageVersions table. Because the path is not visible in the
Management console, you can’t modify it there. Also the PoSh commands don’t
provide for changing just the URL. Thus one method would be to adjust all the
paths directly in the Management Database.
Luckily there’s another option by telling the Client to ignore the original URL and
download/stream the package (and configuration files) from another server
instead. There is a Client Registry setting called PackageSourceRoot that can be
used to override the source URL. It is located at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Streaming and can
also be set via Group Policies / ADMX template. A downside of that method is that
some entities may show the original URL (like the database, the XML files which
are transferred between the Publishing Server and the Client), while the active
download location is somewhere else.
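The two client-side changes described in this section and in the PUBLISHING SERVER section above (the per-server URL under Publishing\Servers\<ID>, and PackageSourceRoot under Streaming), as an added example script that is not from the book. Server names are constructed; the script edits the Registry values the book names and must run elevated on the client. If these values are delivered through the ADMX template, Group Policy will reapply its own value at the next refresh, so make the change there instead.

```powershell
# Added example: repoint an App-V 5 Client to a virtual Publishing Server name and
# override the package source location.
$OldPublishingHost = 'appvpub01.corp.example'          # constructed: the node name currently configured
$NewPublishingUrl  = 'http://appvpub.corp.example:80'  # constructed: the virtual, load-balanced name
$NewSourceRoot     = '\\appvstream.corp.example\content'   # constructed: new Streaming Server share (or URL)

$serversKey   = 'HKLM:\SOFTWARE\Microsoft\AppV\Client\Publishing\Servers'
$streamingKey = 'HKLM:\SOFTWARE\Microsoft\AppV\Client\Streaming'

# Export the Publishing key first so the change can be rolled back with "reg import".
$backup = Join-Path $env:TEMP ('AppVClientPublishing-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg export 'HKLM\SOFTWARE\Microsoft\AppV\Client\Publishing' $backup /y | Out-Null
Write-Host "Backup written to $backup"

# Each registered Publishing Server lives in Servers\<ID>; update only the entries
# that still point at the old host and leave any other server alone.
$changed = 0
foreach ($server in Get-ChildItem -Path $serversKey) {
    $url = (Get-ItemProperty -Path $server.PSPath).URL
    if ($url -and $url -match [regex]::Escape($OldPublishingHost)) {
        Set-ItemProperty -Path $server.PSPath -Name URL -Value $NewPublishingUrl
        Write-Host "Server ID $($server.PSChildName): $url -> $NewPublishingUrl"
        $changed++
    }
}
if ($changed -eq 0) { Write-Warning "No Publishing Server entry matched $OldPublishingHost" }

# PackageSourceRoot makes the client fetch .appv and configuration files from this
# location regardless of the URL/UNC stored per package in the Management Database.
# The book's caveat applies: the database and the publishing XML still show the old path.
Set-ItemProperty -Path $streamingKey -Name PackageSourceRoot -Value $NewSourceRoot -Type String

# Verify what the client will use from now on.
Get-ChildItem -Path $serversKey | ForEach-Object {
    Get-ItemProperty -Path $_.PSPath | Select-Object PSChildName, URL
}
Get-ItemProperty -Path $streamingKey | Select-Object PackageSourceRoot
```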
[Table: communication protocols between App-V components. Rows are the connecting components (App-V Client, Publishing Server, Streaming Server, Reporting Server, Management Server, Management Database, Reporting Database, Admin's Browser); columns are the components connected to (Management Server, Publishing Server, Streaming Server, Reporting Server, Management Database, Reporting Database, Active Directory); each cell lists the protocol used: HTTP, SMB, SQL or KERB (Kerberos), with KERB* for the Admin's Browser.]
In this table, the component in the first column (the client) establishes a connection
to the components listed in the other columns (the server). In fact often the
majority of data packages go from the server to the client. Note that the App-V
To streamline this document, some explanations about SSL Security have been
placed in the APPENDIX.
ACTIVE DIRECTORY
MANAGEMENT DATABASE
While the communication to SQL Servers (and Clusters) can be encrypted using
SSL, Microsoft has not yet disclosed any information on whether this is a
supported scenario for the App-V Management Server. It might be possible to
enable SSL on the SQL Server as described in a TechNet article 32. Because the
App-V Management Server's Registry refers to FQDNs instead of short server
names, chances are that the entire communication can be encrypted. Since
the initial communication (namely the authentication) is always encrypted
anyway, there is only a limited benefit in encrypting the entire
communication.
The stored database itself can also be encrypted. This can be achieved on the file
system level (using BitLocker or EFS) or by using Transparent Data Encryption
(TDE 33), which was introduced with SQL Server 2008 Enterprise Edition and
basically provides the same level of security as BitLocker and EFS: when you look
at the data on the disk/file level, you only see encrypted information, but when you
look at the data from within SQL Server (with Management Studio, OSQL, SQL
Query), that data is not encrypted.
SQL Server also supports cell encryption, but since the application (App-V) would
have to be aware of that it can’t be used for the App-V Management Database.
PUBLISHING SERVER
MANAGEMENT SERVER
Note: You can and should enforce the usage of SSL connections to the
Management console if you have to ensure a secure communication. If you don’t,
admins may open the console’s URL over HTTP. The Appendix outlines how to
achieve this.
As you can see, PowerShell can’t connect to the App-V Management Service any
longer, though it’s running on the same machine. The trigger that caused that error
was SSL enforcement.
To allow the PowerShell cmdlet to connect, the Management Server’s Registry has
to be adjusted at HKLM\Software\Microsoft\AppV\Server\
ManagementService.
To place emphasis on a repeated statement: Just changing the protocol and port
isn’t enough.
Because the given server name does not match the CN of the server certificate
(= the FQDN of the machine), PowerShell would still fail.
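To take the guesswork out of that name match, here is an added PowerShell check (not the book's code) to run on the Management Server after enforcing SSL. It dumps every value under the ManagementService key, flags those that contain a host name, and compares the machine's FQDN with the DNS names of the certificates that could back the HTTPS binding. The registry value names are deliberately not hard-coded, because the book does not reproduce them; read them from your own server.

```powershell
# Added example, not the book's own code. Run elevated on the Management Server.
$managementServiceKey = 'HKLM:\SOFTWARE\Microsoft\AppV\Server\ManagementService'

function Get-MachineFqdn {
    # The name the server certificate was issued for: the CN (or a SAN entry) must equal this
    [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
}

function Get-ServerAuthCertificateNames {
    # DNS names of machine certificates that have a private key and the Server Authentication
    # EKU (OID 1.3.6.1.5.5.7.3.1), i.e. the candidates for the HTTPS binding
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }) } |
        ForEach-Object {
            $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        }
}

function Get-ManagementServiceValues {
    # One row per registry value; NamesFqdn tells you which values carry the server name that
    # must match the certificate, NamesShortOrLocal flags 'localhost' or the NetBIOS name
    $fqdn     = Get-MachineFqdn
    $settings = Get-ItemProperty -Path $managementServiceKey -ErrorAction Stop
    $settings.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $data = [string]$_.Value
            New-Object PSObject -Property @{
                Value             = $_.Name
                Data              = $data
                NamesFqdn         = ($data -match [regex]::Escape($fqdn))
                NamesShortOrLocal = (($data -match '(?i)\blocalhost\b') -or
                                     (($data -match "(?i)\b$([regex]::Escape($env:COMPUTERNAME))\b") -and
                                      ($data -notmatch [regex]::Escape($fqdn))))
            }
        }
}

function Test-ManagementServiceCertificate {
    $fqdn  = Get-MachineFqdn
    $names = @(Get-ServerAuthCertificateNames)
    New-Object PSObject -Property @{
        MachineFqdn            = $fqdn
        CertificateDnsNames    = ($names -join ', ')
        CertificateMatchesFqdn = ($names -contains $fqdn)
    }
}

Get-ManagementServiceValues | Format-Table Value, Data, NamesFqdn, NamesShortOrLocal -AutoSize
Test-ManagementServiceCertificate | Format-List
```

If CertificateMatchesFqdn is false, no registry change will help: the certificate has to be reissued for the FQDN first.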
STREAMING SERVER
FILE SERVER
If the Streaming Server is accessed using SMB, the encryption capabilities depend
on the SMB version. In SMB 3 (Windows 8, Windows Server 2012), the
communication to file shares can be easily encrypted by activating a check box in
the share's properties dialog 34. However, non-SMB 3 devices won't be able to
access that share. In SMB 2, the initial authentication uses encryption, but the
actual data transmission would need an underlying security technology like
IPsec or hardware encryption to be protected. While older SMB implementations
don't offer encryption, SMB signing can at least be activated via Group Policy 35.
All clients and the Management Servers would then potentially establish a secure
connection to the package store.
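The same check box, and the signing and compatibility settings around it, can be inspected and set from PowerShell on a Windows Server 2012 file server. The following is an added example (not the book's code); it uses the SmbShare module and assumes the package store is shared as 'content', matching the \\filesrv.demo.lab\content path used later in this chapter.

```powershell
# Added example, not the book's own code. Windows Server 2012 (SmbShare module); share name assumed.
Import-Module SmbShare
$shareName = 'content'

function Get-PackageStoreSmbSecurity {
    param([Parameter(Mandatory = $true)][string]$Name)
    $server = Get-SmbServerConfiguration
    $share  = Get-SmbShare -Name $Name -ErrorAction Stop
    New-Object PSObject -Property @{
        Share                   = $share.Name
        Path                    = $share.Path
        ShareEncrypted          = $share.EncryptData               # the check box in the share properties
        AllSharesEncrypted      = $server.EncryptData              # server-wide SMB 3 encryption
        RejectUnencryptedAccess = $server.RejectUnencryptedAccess  # $true: non-SMB 3 clients are refused
        SigningRequired         = $server.RequireSecuritySignature # what the SMB signing Group Policy sets
    }
}

function Get-PackageStoreClientDialects {
    # Which SMB dialect each connected client negotiated; anything below 3.x cannot use encryption,
    # so this is the list of machines that will lose access once the share is encrypted
    Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
}

# State before the change
Get-PackageStoreSmbSecurity -Name $shareName | Format-List
Get-PackageStoreClientDialects | Format-Table -AutoSize

# Encrypt only the package store share (what the check box does), leaving other shares untouched.
# RejectUnencryptedAccess stays at its default ($true), so clients without SMB 3 lose this share.
Set-SmbShare -Name $shareName -EncryptData $true -Force

# Confirm
Get-PackageStoreSmbSecurity -Name $shareName | Format-List
```

Run the dialect listing during business hours before flipping the switch; a Dialect column showing 2.x for App-V clients means those machines will fail to stream after the change.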
WEB SERVER
It is not surprising that a web-based streaming source can be secured with the
same method as the other web-based features of App-V: SSL. Note that the App-V
Management Server machine (namely via the Management console during
package import) and all clients have to establish a secure connection to the
Streaming Server and would hence require a valid root/intermediate certificate.
34 http://blogs.technet.com/b/filecab/archive/2012/05/03/smb-3-security-enhancements-in-windows-server-2012.aspx
35 Since only the communication (and not the original files) is signed, the added value is quite
limited.
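Whether a given machine actually has that valid chain is something to test from the machine itself, not from the web server. The function below is an added example (not the book's code): it opens a TLS handshake to the streaming web server the way a client would, lets .NET evaluate chain and name, and reports the verdict together with the certificate. The host name is a placeholder; use the name that appears in the package URLs, not an IP address or an alias.

```powershell
# Added example, not the book's own code. Host name is a placeholder.
function Test-StreamingSourceTls {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # the name used in the package URL
        [int]$Port = 443
    )
    $state = @{ PolicyErrors = $null }
    # The callback records .NET's verdict (chain and name check) instead of aborting the handshake,
    # so the certificate can still be inspected when validation fails.
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        $ssl.AuthenticateAsClient($HostName)   # this name is what the CN/SAN is compared with
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        New-Object PSObject -Property @{
            Host         = "$HostName`:$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Expires      = $cert.NotAfter
            PolicyErrors = $state.PolicyErrors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
            TrustedHere  = ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        $tcp.Close()
    }
}

# Run from a client and from the Management Server: both need TrustedHere = True
Test-StreamingSourceTls -HostName 'stream.demo.lab' | Format-List
```

RemoteCertificateChainErrors means the root or intermediate certificate is missing from this machine's store; RemoteCertificateNameMismatch means the package URLs use a name the certificate was not issued for, which no trust store change will fix.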
for every package in the Management Database directly (but because you do your
planning in advance and as careful as us, later adjustments shouldn’t be required,
right?)
CONFIGURATION AND MONITORING BEST PRACTICES
We recommend:
Use only groups (not individual users) for any permission assignments;
follow the AGDLP principle.
As the streaming source, a web server is preferred to a file server. Past tests
have shown that HTTP file transfer appears to be much faster than SMB
transfers. This may, however, change with SMB 3.
Monitor the server components' Event Logs for errors, the general network
availability via ping and service availability via customized HTTP requests
with a given user account and result validation. Monitor the Streaming
Server's disk I/O.
Plan high availability for all components right from the start: it is easier to
configure a load balancer with just one node than to re-architect the
environment from a one-node scenario to a load-balanced solution.
File-based streaming: Scale-out File Cluster, DFS or a highly available third-
party file server with SMB 2 and SMB 3 support.
Co-hosting: Do not run the SQL database on any of the App-V servers. Co-
locate the Publishing, Management and Reporting services on a single
(virtual) machine; consider a separate machine for the streaming feature.
For a highly available co-hosted scenario, do not load balance the services
individually (Publishing on machine A, Management on machine B), but
the entire machine (Publishing on machine A, Management on machine A).
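The monitoring recommendation above (event log errors, ping, an authenticated HTTP request with result validation, disk I/O) can be turned into one health probe. The script below is an added example (not the book's code) and makes two assumptions: that the Publishing Server answers a request to its root with an XML document whose root element is Publishing and whose entitled packages appear as Package elements, and that the port and server names shown are placeholders to be replaced with the ones chosen during setup.

```powershell
# Added example, not the book's own code. Server names and the publishing port are placeholders.
function Test-AppvServerHealth {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$PublishingPort = 8081
    )
    $report = New-Object PSObject -Property @{
        Server = $Server; Ping = $false; PublishingOk = $false; PackagesOffered = 0
        ErrorsLastHour = 0; DiskQueue = $null; Detail = ''
    }

    # 1. Network availability
    $report.Ping = Test-Connection -ComputerName $Server -Count 2 -Quiet

    # 2. Service availability: fetch the publishing document the way a client does, as the account
    #    running this probe (UseDefaultCredentials), and validate the XML instead of trusting HTTP 200.
    #    Assumption: root element <Publishing>, one <Package> element per entitled package.
    try {
        $request = [System.Net.WebRequest]::Create("http://$Server`:$PublishingPort/")
        $request.UseDefaultCredentials = $true
        $request.Timeout = 10000
        $response = $request.GetResponse()
        $reader   = New-Object System.IO.StreamReader($response.GetResponseStream())
        $doc      = [xml]$reader.ReadToEnd()
        $response.Close()
        $report.PublishingOk    = ($doc.DocumentElement.LocalName -eq 'Publishing')
        $report.PackagesOffered = @($doc.GetElementsByTagName('Package')).Count
    } catch {
        $report.Detail = "publishing: $($_.Exception.Message)"
    }

    # 3. Event log: errors written on the server in the last hour (narrow by ProviderName if noisy)
    $events = Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; Level = 2; StartTime = (Get-Date).AddHours(-1)
    }
    if ($events) { $report.ErrorsLastHour = @($events).Count }

    # 4. Disk I/O on the streaming server: a sustained queue length well above the spindle count
    #    means clients are waiting on the package store
    $sample = Get-Counter -ComputerName $Server -Counter '\PhysicalDisk(_Total)\Avg. Disk Queue Length' -ErrorAction SilentlyContinue
    if ($sample) { $report.DiskQueue = [math]::Round($sample.CounterSamples[0].CookedValue, 2) }

    $report
}

# Usage (placeholder names); schedule this under the monitoring account and alert on the fields
'pub.demo.lab', 'stream.demo.lab' | ForEach-Object { Test-AppvServerHealth -Server $_ } |
    Format-Table Server, Ping, PublishingOk, PackagesOffered, ErrorsLastHour, DiskQueue, Detail -AutoSize
```

Running the probe under a dedicated monitoring account that is entitled to one known package gives a stable expectation for PackagesOffered: a sudden drop to zero while PublishingOk stays true points at the Publishing Server's refresh against the Management Server or at the database, not at IIS.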
Administration for App-V Management Server
Before we dive into the actual doing of things, here are a few basic steps to enable
the use of PowerShell, which is vital to our explanations below.
POWERSHELL
Run the below PowerShell command to see the list of available PowerShell
Modules:
Get-Module -ListAvailable
To import the AppVServer module, you must first loosen the execution policy by
running the following command. This needs to be executed with Administrative
permissions:
Set-ExecutionPolicy RemoteSigned
Once the module is imported, you can list all the management commands
available by running the below command:
This will produce a list of cmdlets that can be used with the App-V
Management Server. Let's continue with specific operations within the App-V
Management Server.
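The three setup steps above, as one script to run in an elevated session on the Management Server (an added example, not the book's code). It checks where the effective execution policy comes from before changing it, because a policy set through Group Policy silently overrides Set-ExecutionPolicy, and it verifies that the module is present before importing it.

```powershell
# Added example, not the book's own code. Run in an elevated PowerShell session on the Management Server.

# Which policy applies and where it comes from: a MachinePolicy or UserPolicy entry comes from
# Group Policy and wins over anything Set-ExecutionPolicy writes, so look at the list first
Get-ExecutionPolicy -List

# Only loosen the machine-wide scope when the effective policy actually blocks the module
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

# The server module is installed together with the Management Server role
$module = Get-Module -ListAvailable -Name AppvServer
if (-not $module) { throw 'AppvServer module not found: is this the Management Server?' }
Import-Module AppvServer

# Cmdlets grouped by the object they manage, which is how the rest of this chapter is organised
Get-Command -Module AppvServer |
    Group-Object Noun |
    Select-Object @{ n = 'Noun'; e = { $_.Name } },
                  @{ n = 'Verbs'; e = { ($_.Group | ForEach-Object { $_.Verb }) -join ', ' } } |
    Format-Table -AutoSize
```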
PACKAGE MANAGEMENT
A file share has been set up that is readily available throughout this entire
chapter, also known as our package repository. For purposes of later
discussion in this section, we have placed three different App-V packages on the
file share to be used as examples (see FIGURE 78 FILE SHARE).
OVERVIEW
Let's present an overview of the steps that can be performed for the management of
our packages:
Enable an application
Disable an application
ADD APPLICATION
MANAGEMENT CONSOLE
When you first start the App-V Management Server web-based management
console you are directly presented with the view of the packages and applications
currently imported to the system. The initial setup (unlike the previous App-V 4.5
Management Server) does not have any example packages imported for quick
streaming and client testing, therefore the view is empty (FIGURE 79 APP-V
MANAGEMENT SERVER CONSOLE)
To add a new package you can simply click the ADD OR UPGRADE PACKAGES in the
upper right-hand corner. Adding a package will not readily make it available for
You can browse to the package using the UNC path or via URL to a possible web
server. In this case the package is located on a UNC-path. The path selected is the
final path which the client will use to retrieve the package from. A good practice is
to select the proper path – UNC or URL – from the beginning.
Once the package is selected you can click Add. A progress indicator will show the
status of importing the packages' metadata into the database.
You can also choose to add multiple packages by simply clicking on Browse
repeatedly and locating multiple files. Any new files selected will be appended
onto the list of packages to process. (FIGURE 84 PROGRESS OF MULTIPLE PACKAGES)
The package paths are separated by a semicolon. Our experience so far is that there
isn’t a limitation on how many packages you can add in a single run.
The progress of adding each package will be presented as soon as you click Add.
Once you click Close you can see your newly added packages listed, and if you
right-click a package you are presented with options pertaining to that package
(FIGURE 85 PACKAGE OPTIONS).
These options provide possible ways of editing the configuration of a package and
making it available to different users. Let's briefly go through the options
presented in FIGURE 85 PACKAGE OPTIONS.
Edit active directory access allows us to define a security group that the
application will be available to. Each granted AD access can have a separate
configuration.
Edit default configuration will alter the default configuration (can only be
the Deployment Configuration) for the package.
Delete will remove the entire package, including all assignments and
configurations.
POWERSHELL
Figure 86 Import-AppVServerPackage
This output can be used later on when handling the package and indicates a
successful import. You can also verify what packages are available by using the
verb “Get”.
Get-AppVServerPackage
PUBLISH APPLICATION
Before you make the application available to clients you need to specify who will
have access to it and how it is going to be configured.
You can assign access to a security group only, but not directly to either user
objects or computer objects. Right-click on the application and choose edit
active directory access (FIGURE 88 EDIT AD ACCESS).
You can search for a security group by entering its full name as domain\group-name
(FIGURE 89 ASSIGN AD GROUP) and clicking Check or pressing the Enter key. If you
do not enter the full name of a group, a search for matching group names begins.
When searching for security groups you will be presented with a list of possible
options. See example of a search in FIGURE 90 SEARCH FOR AD GROUPS.
When you have clicked Grant Access it will become grey and be assigned to the
application. You can choose to DELETE it, Edit Default to modify the
configuration or Close to go back to the general view of the application.
To delete an AD group assignment you can remain in this view and see the list of
currently assigned AD groups. Each AD group can have a different configuration
assigned to an application, which you can easily alter. If you want to delete one
or more AD groups you can simply check the box on the left of the AD
group and then click the column header DELETE (FIGURE 92 EDIT AD GROUP).
This will trigger a confirmation dialog and will also remove the configuration
created.
You can verify the properties of the application after you press Close and verify
that the security group is visible (or not visible if removed) under AD ACCESS of
the package properties (FIGURE 93).
POWERSHELL
Import-AppvServerPackage \\filesrv.demo.lab\content\InstEd\InstEd.appv | Grant-AppvServerPackage -Groups DEMO\SG.AppV.U.InstEd
To make the application available for clients there is a final step to perform. This
basic On/Off button is an easy way to make it appear or disappear on the clients,
regardless of how many security group assignments there are. Right-click the
application and choose Publish (FIGURE 94 PUBLISH APPLICATION) to make the
application available.
There are no confirmations that an application will be published, but rather once
the action is completed it will show a green icon with the word “published” under
status (FIGURE 95 ONE PUBLISHED APPLICATION). The package is now available to
clients as soon as the Publishing Servers refresh their data against the Management
Server.
POWERSHELL
To publish the application using PowerShell you can use the cmdlet
Publish-AppVServerPackage. It only requires the identification of the package you
want to publish and then toggles the publishing state. Parameters to identify a
package are PackageID and VersionID.
To avoid manually extracting the GUIDs for PackageID and VersionID, you can
pipe the objects returned by the previous cmdlets to the next cmdlet in a single line:
Import-AppvServerPackage \\filesrv.demo.lab\content\InstEd\InstEd.appv | Grant-AppvServerPackage -Groups DEMO\SG.AppV.U.InstEd | Publish-AppVServerPackage
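The one-liner is fine interactively; for a repeatable deployment you want the same three steps with error handling and a read-back by identifier. The following is an added example (not the book's code) that wraps import, grant and publish in a function and then verifies the result with PackageID and VersionID instead of -Name. Paths and group names follow the book's naming (filesrv.demo.lab, DEMO\SG.AppV.U.*); the Freemind entries are constructed, and the output property names PackageGuid and VersionGuid are taken from this chapter's description of the cmdlet output.

```powershell
# Added example, not the book's own code. Sample paths and groups are constructed.
Import-Module AppvServer

function Add-AppvPackageForGroups {
    param(
        [Parameter(Mandatory = $true)][string]$PackagePath,   # UNC or URL: what clients will stream from
        [Parameter(Mandatory = $true)][string[]]$Groups,      # security groups only, never users or computers
        [switch]$Publish                                      # leave off to stage the package unpublished
    )
    try {
        $pkg = Import-AppvServerPackage $PackagePath -ErrorAction Stop
    } catch {
        # Typical causes: path not reachable under the service account, or this PackageId/VersionId is
        # already in the database. Stop here rather than granting access to the wrong version.
        Write-Error "Import of $PackagePath failed: $($_.Exception.Message)"
        return
    }

    foreach ($group in $Groups) {
        $pkg | Grant-AppvServerPackage -Groups $group | Out-Null
    }
    if ($Publish) { $pkg | Publish-AppvServerPackage | Out-Null }

    # Read the package back by its identifiers rather than by -Name, which is a substring match
    # and may return several packages (PackageGuid/VersionGuid are the output properties,
    # PackageID/VersionID the parameter names, as described in this chapter)
    Get-AppvServerPackage -PackageID $pkg.PackageGuid -VersionID $pkg.VersionGuid
}

# Constructed sample input: one line per package, same share layout as the book's examples
$toDeploy = @(
    @{ Path = '\\filesrv.demo.lab\content\InstEd\InstEd.appv';     Groups = @('DEMO\SG.AppV.U.InstEd') },
    @{ Path = '\\filesrv.demo.lab\content\Freemind\Freemind.appv'; Groups = @('DEMO\SG.AppV.U.Freemind') }
)
foreach ($item in $toDeploy) {
    Add-AppvPackageForGroups -PackagePath $item.Path -Groups $item.Groups -Publish
}
```

Leaving -Publish off is the staging mode the console gives you for free: the package and its entitlements are in the database, but no client sees it until Publish-AppvServerPackage runs.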
UPDATE AN APPLICATION
MANAGEMENT CONSOLE
For clarity the folder carrying the updated package in the example below also has
the suffix appended to its name, although this is not something that Sequencer will
do for you. The version number of our package becomes 2 on a first update done
against it, and therefore all the files making up the package will have _2 appended
to the file name as depicted in FIGURE 97 UPDATED PACKAGE FILES.
In the management console, the steps to update a package are very similar to
adding a new package. We click on ADD OR UPGRADE PACKAGES in the
management console.
Now simply select our newly generated APPV file with the name InstEd_2.appv
and click Add (FIGURE 99 ADD OR UPGRADE PACKAGES).
Once the addition into the database is complete, a few new options will be
presented.
This happens because the package GUID is the same as for the original package;
however, the version GUID is different, making it a new revision of the same
package. The App-V Management Server will therefore detect that this is an
upgrade of an already existing package within our environment. You can choose
to copy any assigned AD Access and configurations from the previous package
and apply those via Apply Upgrade Options (FIGURE 100 PACKAGE
UPDATE IMPORT PROGRESS).
As you may also want to reuse the previous configuration, check Copy
access and configurations from previous version and click Apply
Upgrade Options. Once that is completed you can safely click Close.
You can now see that there are two entries for the InstEd package, with different
version numbers. Our newly added version is not yet published and
therefore it is not available to any clients, which will continue to see only the
original one. This gives you the time to verify that the AD Access and
configuration have followed along to our new package, modify them according to new
requirements if necessary and perhaps perform any other tasks you wish to
complete before it is made available for the endpoints running the virtual
application in the package.
Selecting the package shows that the AD Access is the same as for version 1 of the
package.
Once the new version is published it will become available to all workstations or
users associated with it. Since you can assign different Active Directory groups to
the original package and the updated package, there is a possibility to do a
gradual move to a new version or staged update. The server will only present the
highest version of a package to a client if multiple active versions exist, and the
client will also only use the highest version of any package with the same GUID.
Within the App-V 5.0 RTM release that has been available since November 2012
there was an issue on the client where an updated package could not be added
during a publishing refresh for an account with only User privileges. Performing a
publishing refresh as a user with Administrative privileges then allowed the
package to be added. App-V 5 hotfix 1 has been released to address this topic and
can be requested from Microsoft. The original KB article can still be downloaded;
however, App-V 5.0 Service Pack 1 also remediates the issue 36.
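The staged update described above, done from PowerShell rather than the console, as an added example (not the book's code). Version 2 of InstEd is imported next to version 1 without being published, a constructed pilot group is granted access, and both versions are listed under their shared PackageGuid. It assumes that Get-AppvServerPackage with only -PackageID returns every version of that package, and that the output objects carry Name, Version, PackageGuid and VersionGuid as this chapter describes; the _2 folder name follows FIGURE 97.

```powershell
# Added example, not the book's own code. Pilot group name is constructed.
Import-Module AppvServer

$v2Path     = '\\filesrv.demo.lab\content\InstEd_2\InstEd_2.appv'   # updated package (FIGURE 97 naming)
$pilotGroup = 'DEMO\SG.AppV.U.InstEd.Pilot'                           # constructed
$prodGroup  = 'DEMO\SG.AppV.U.InstEd'                                 # the group version 1 is assigned to

# Import only: nothing reaches clients until Publish-AppvServerPackage is run for this VersionGuid
$v2 = Import-AppvServerPackage $v2Path -ErrorAction Stop

# Phase 1 of the staged rollout: only the pilot group is entitled to the new version.
# Pilot users still see version 1 as well, until version 2 is published; then the client picks
# the highest version it is entitled to.
$v2 | Grant-AppvServerPackage -Groups $pilotGroup | Out-Null

# Both versions share the PackageGuid and differ in VersionGuid and Version
# (assumption: -PackageID alone lists every version)
Get-AppvServerPackage -PackageID $v2.PackageGuid |
    Sort-Object Version |
    Format-Table Name, Version, PackageGuid, VersionGuid -AutoSize

function Publish-AppvPackageVersion {
    # Phase 2: entitle the production group and publish; the Publishing Server then offers only the
    # highest published version to each client entitled to it
    param(
        [Parameter(Mandatory = $true)]$Package,
        [string[]]$Groups
    )
    foreach ($g in $Groups) { $Package | Grant-AppvServerPackage -Groups $g | Out-Null }
    $Package | Publish-AppvServerPackage
}

# Phase 2, to run once the pilot has signed off:
# Publish-AppvPackageVersion -Package $v2 -Groups $prodGroup
```

Keeping version 1 published during the pilot is what makes the rollback trivial: unpublishing version 2 returns every client to version 1 at its next publishing refresh without any re-import.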
REMOVE A PACKAGE
There are multiple ways to ensure that an application will no longer be visible:
MANAGEMENT CONSOLE
If you right-click a package from the management console you immediately see
two options that handle the package removal phase differently (FIGURE 103
PACKAGE OPTIONS - REMOVE PACKAGE).
36 http://support.microsoft.com/kb/2799153
Delete package will request a confirmation before the change goes into effect, and
it will delete a package from the database regardless of whether it's published or
not. It will not delete any files on a file server or web server; the files must be
removed manually if you want to retire the package completely.
The confirmation will, unfortunately, not clarify which version of the package is
going to be deleted, but only presents you with the package name (FIGURE 104
CONFIRMATION TO DELETE PACKAGE).
You should note that any configurations tied to the package will also disappear if
you choose to delete the package.
POWERSHELL
Using PowerShell you can both delete and unpublish the package just like in the
web console.
If you wish to perform this on all of our InstEd packages to ensure that no version
is available for the clients, you can remove the -Version parameter.
Get-AppvServerPackage -Name insted | Unpublish-AppvServerPackage
The output provided by running the command will show us that all InstEd
packages have been unpublished.
Like many of the other cmdlets you can also identify packages using PackageGuid
and VersionGuid to improve accuracy of selecting packages. As the demonstration
shows, just using the -Name parameter may not limit the selection to a single
package.
Using the Remove-AppVServerPackage you can just as easily delete the package
from our App-V Management Server.
Get-AppvServerPackage -Name insted -Version 0.0.0.2 | Remove-AppvServerPackage
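Because -Name is a substring match, a scripted removal should refuse to continue unless the lookup yields exactly one package, and it should unpublish before deleting so that clients drop the package at their next refresh. The function below is an added example (not the book's code); it assumes Remove-AppvServerPackage supports the common -Confirm parameter, which as -Confirm:$false suppresses the prompt the book mentions for removals.

```powershell
# Added example, not the book's own code.
Import-Module AppvServer

function Remove-AppvPackageVersion {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Version   # e.g. 0.0.0.2
    )
    # -Name is a substring match and may return several packages; pin it down to exactly one
    $found = @(Get-AppvServerPackage -Name $Name -Version $Version)
    if ($found.Count -ne 1) {
        $list = ($found | ForEach-Object { "$($_.Name) $($_.Version)" }) -join '; '
        throw "Expected exactly one package for '$Name' $Version, found $($found.Count): $list"
    }
    $pkg = $found[0]

    # Unpublish first so clients stop seeing it on their next refresh, then delete the database
    # record. The package files on the share or web server are not touched by either cmdlet.
    $pkg | Unpublish-AppvServerPackage | Out-Null
    $pkg | Remove-AppvServerPackage -Confirm:$false

    # Verify: this version is gone, other versions of the same package remain
    Get-AppvServerPackage -Name $Name | Format-Table Name, Version, PackageGuid, VersionGuid -AutoSize
}

Remove-AppvPackageVersion -Name InstEd -Version 0.0.0.2
```

Retiring the package completely still means deleting the files from the streaming source afterwards, which is deliberately not part of the function: clients that already have the package cached keep running it until their next publishing refresh.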
Connection Groups allow packages to interact with each other at runtime, linking
them together in a shared virtual environment.
In the App-V Management Server, a Connection Group is treated as its own entity,
just like a package. Once assigned to a group that Connection Group will bring in
tow all of the packages that are assigned to it even if they are unpublished.
MANAGEMENT CONSOLE
The Connection Group node is not visible when you open the management
console for the first time, as you are redirected to the Packages node immediately.
37 http://support.microsoft.com/kb/2873465
By choosing the Packages-node on the left hand side you are presented with the
new text options: Packages and Connection Groups (FIGURE 106 CONNECTION
GROUPS MENU).
The Connection Groups overview looks very much like the general Packages
overview and you can become familiar quite easily with the interface. Click the
ADD CONNECTION GROUP in the upper right hand corner to create a new
Connection Group (FIGURE 107 CONNECTION GROUPS OVERVIEW, EMPTY)
A New Connection Group v1 will be created, but not yet published. (FIGURE 108
CONNECTION GROUP OVERVIEW - NEWLY CREATED GROUP) All its properties will be
blank until they are configured. Let’s rename the Connection Group by double-
clicking the name New Connection Group. You can add packages by clicking EDIT
within the CONNECTED PACKAGES column.
The view to add packages (FIGURE 109 CONNECTION GROUP - EDIT PACKAGES) will
be presented at the bottom of the window and is quite simple. It offers the entire
library of packages on the right hand side, but unfortunately there is no possibility
to filter which packages are seen. You can select one package at a time and click
the arrow pointing towards packages to add them to the Connection Group.
If the packages you assign to the Connection Group already have an AD ACCESS
entitlement set up, it is possible to copy this configuration to the Connection
Group. If there is a small number of packages (in the above figure we will only
assign Java and Freemind) this can be easy to grasp, but if adding a large amount
of packages it will be a challenge to understand how many AD groups actually
will be assigned until you click Close. Since you haven't published the newly
created Connection Group yet, an excessive amount of assigned AD Groups will
not impact anything, but it's perhaps a good idea to review afterwards in any case.
Once all our configurations are set you can choose to publish the Connection
Group and thereby make it visible to the clients. Simply right-click the Connection
Group and choose to Publish it (FIGURE 110 CONNECTION GROUP RIGHT-CLICK
OPTIONS). The status will toggle from a black icon to a green icon to indicate that
it's now available.
POWERSHELL
The server will generate both a GroupGuid and VersionGuid and, as the output in
FIGURE 110 CONNECTION GROUP RIGHT-CLICK OPTIONS shows, there aren't any
packages or AD groups assigned to the Connection Group just yet. You can
continue to assign an AD group by using the Grant-AppvServerConnectionGroup
command, which requires that you provide it an identifier for the Connection
Group you want to grant the permission to.
To be certain that you are dealing with the right Connection Group, we
recommend using the GroupGuid and VersionGuid, but in smaller environments
you can go ahead with specifying just a name.
The output will be almost the same as previously shown from
New-AppvServerConnectionGroup and should additionally clearly show the new AD
group assigned.
The next step is to add packages to our Connection Group. Packages can be
assigned using Set-AppvServerConnectionGroup and the parameter
AppvServerPackage. Unfortunately, this parameter is too ambiguous and
therefore it is recommended to get packages using Get-AppvServerPackage
and pass the information onwards to Set-AppvServerConnectionGroup.
The above example will fetch the Java package that was previously created and
pass on the information to Set-AppvServerConnectionGroup, and make it part of
the Connection Group. Using the AppvServerPackage property you can also use
the Get-AppvServerPackage cmdlet to insert packages.
Once you run the above command and make a change to the Connection Group, a
new VersionID will be generated for the Connection Group and both Java and
Freemind will be added to the Connection Group. One potential issue that you
could be looking at is the lack of control in ordering the packages. When utilizing
the web-based administration console you can clearly see in what order packages
are added.
This will toggle the Connection Group to a published state and make it available
as soon as the Publishing Server has refreshed against the Management Server.
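The whole PowerShell sequence for a Connection Group (create, entitle, add packages, publish, read back) as one script, added here as an example and not taken from the book. It uses the FreemindPowershell name that appears later in this chapter, a constructed AD group, and the Java and Freemind packages from the console walkthrough. The cmdlets are identified by -Name for readability, which the chapter accepts for smaller environments; the AppvServerPackage parameter name is the one the chapter gives, and Get-AppvServerConnectionGroup is assumed to exist as the Get verb for the same noun.

```powershell
# Added example, not the book's own code. AD group name is constructed.
Import-Module AppvServer

$groupName = 'FreemindPowershell'
$adGroup   = 'DEMO\SG.AppV.U.Freemind'   # constructed

# 1. Create: the server generates GroupGuid and VersionGuid; nothing is published yet
$cg = New-AppvServerConnectionGroup -Name $groupName
$cg | Format-List

# 2. Entitle: assign the AD group (use GroupGuid/VersionGuid instead of -Name once several
#    groups with similar names exist)
Grant-AppvServerConnectionGroup -Name $groupName -Groups $adGroup | Out-Null

# 3. Packages: resolve each by name, insist on exactly one match, then hand the objects to the
#    AppvServerPackage parameter in the order Java, Freemind
$members = foreach ($n in 'Java', 'Freemind') {
    $found = @(Get-AppvServerPackage -Name $n)
    if ($found.Count -ne 1) {
        throw "'$n' matched $($found.Count) packages; identify it by PackageID/VersionID instead"
    }
    $found[0]
}
Set-AppvServerConnectionGroup -Name $groupName -AppvServerPackage $members | Out-Null

# 4. Publish: clients receive the group, and every package in it, on their next publishing refresh,
#    even packages that are themselves unpublished (see the start of this section)
Publish-AppvServerConnectionGroup -Name $groupName | Out-Null

# 5. Verify membership, entitlement and state in one read-back
Get-AppvServerConnectionGroup -Name $groupName | Format-List
```

Step 3 is where the ambiguity the chapter warns about bites: a package whose name is a prefix of another (Java and JavaRuntime, say) returns two objects, and silently adding both to the group is worse than failing here.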
MANAGEMENT CONSOLE
Removing a Connection Group can be done in two different ways. To allow for a
fast rollback we always recommend to unpublish the Connection Group. Just as
the packages are handled this way, Connection Groups can be unpublished and
thereby made unavailable for all clients, but still have their configuration intact
and available for re-publishing later if needed.
If you right-click on the Connection Group you can simply choose to Unpublish it
and have its publishing state toggled.
To remove the Connection Group and lose all configurations related to it, you can
right-click on it and choose Delete. This will generate a confirmation prompt
(FIGURE 112 CONFIRM DELETE OF CONNECTION GROUP) to acknowledge that you
want to remove it. Once removed, all configurations will be deleted.
POWERSHELL
Just as with performing the removal of a Connection Group via the management
console, we recommend unpublishing the Connection Group first. Use
Unpublish-AppvServerConnectionGroup, which can accept the parameters
PackageID and VersionID or Name.
This will provide the output to confirm that the Connection Group is unpublished. To
entirely remove it you can use Remove-AppvServerConnectionGroup, which
also accepts PackageID and VersionID or Name as parameters to specify a
Connection Group.
Remove-AppvServerConnectionGroup -Name FreemindPowershell
This will, just like the management console, present a confirmation request before
proceeding with the removal. If you wish to suppress the confirmation, the
-Confirm parameter can be used (as -Confirm:$false). No output is provided once the
removal is completed.
MANAGEMENT CONSOLE
One aspect of the Connection Groups we haven't mentioned yet is the importance
it plays for user settings. Once a Connection Group is created, user settings will be
maintained within the Connection Group ID and not within each separate
package. If a brand new Connection Group, with its own Connection Group ID, is
created, no settings will be transferred from any other Connection Group. To
persist user settings between Connection Groups, we can create a new version of a
Connection Group.
To update a Connection Group and maintain the Group ID to avoid the loss of
settings, you can select copy as new version (FIGURE 113 COPY AS NEW VERSION)
from the context menu.
The option will create a new Connection Group with an incremented version
number. You can copy from any past version of the same Connection Group, as
the version number will always be incremented to the highest number in the
series. If you choose to copy a published Connection Group, the new Connection
Group will also be created in a published state (FIGURE 114 CONNECTION GROUPS
WITH THREE VERSIONS)
Once the Publishing Server refreshes the configuration from the Management
Server, clients will only be presented with the highest version of the Connection
Group.
POWERSHELL
or
The two above commands will result in a new Connection Group with the
highest version number of all Connection Groups with the same Group ID (or
Group GUID).
The App-V 5 Management Server can easily deploy, in different variations, these
configuration files for both computers (Deployment Configuration) and users
(User Configuration) to accommodate any specific departmental needs. Let's go
through the native possibilities the Management Server offers and then continue
with the extended ability to deploy your own complex configurations.
CONFIGURATION HANDLING
MANAGEMENT CONSOLE
For each package added onto the Management Server, there are several different
ways to edit its configuration. Simply by right-clicking a package (FIGURE 115
RIGHT-CLICK A PACKAGE) you can see multiple options referring to configuration. In
fact, all of the options apart from unpublish and delete refer to editing a
configuration set for the package and in some way deploying it differently to the
selected targets. Edit default configuration is the obvious choice if one
wants to edit the options for the package and only has a single deployment
requirement or target.
DEFAULT CONFIGURATION
The first choice here is Applications which will show a list of the different
virtual applications within the package. By unchecking the Enable column, the
application and all its associated extensions (File Type Associations, shortcuts,
protocol handlers, etc.) will no longer be presented to the client.
Choosing Shortcuts presents a view where you can control which application
shortcuts are created and where they are placed. You can completely disable
placement of shortcuts for all applications using the Enable Shortcuts option, or
customize some of them to your liking. Click Add new shortcut (FIGURE 117
SHORTCUTS) to create additional shortcuts or Edit to edit any of the existing
shortcuts. If you do not select any specific shortcut in the list and click Edit, you
will be editing the topmost one.
Modifying an existing shortcut is not a very complicated affair and the menu does
offer a very intuitive way forward. The applications are preconfigured from within
the package. If you wish to modify a different application you can choose them
from the list or simply choose to Add new shortcut from the previous menu
(FIGURE 117 SHORTCUTS). The placement of the shortcut can be picked from the
drop-down menu (FIGURE 118 EDIT SHORTCUT) and any additional path can be
added in the text-field just below it. If any additional parameters are necessary for
the shortcut (obviously depending on the particular application and its
requirements), you can add them to the PARAMETERS line.
Unfortunately it is not possible to rename the shortcut and thereby create multiple
shortcuts side-by-side with different parameters (for example with parameters
pointing to different servers like development, validation or production etc.), as
the shortcut name is inherited from the application name. A possible way to get
around this limitation would be to place the shortcut with a different subfolder per
desired startup configuration.
File Type Associations are a bit more complex to configure than shortcuts and,
unlike the App-V 4.x Management Server, there can be no customization done at
the Management Server level for FTAs. Rather, a simplistic view is offered that
presents some basic information regarding published FTAs, but certainly not
enough if extensive troubleshooting is required (FIGURE 119 FILE TYPE
ASSOCIATION). There is also no possibility of disabling all File Type Associations
completely as was the case with shortcuts, and all of the editing is under the
Advanced menu. Alterations to File Type Associations are expected to be
performed within the dynamic configuration file.
Advanced offers only two buttons (FIGURE 120 ADVANCED), but it is quite powerful
despite this. Using the Advanced functionality, you will work directly with the
Dynamic Configuration files, providing all the possibilities for application and
package publishing customization.
Note: You should always export the current configuration before making
alterations.
If you make alterations and aren’t really sure where you are starting from,
exporting the current configuration before importing any alterations will allow
you to quickly and easily revert to a known working configuration.
An export will also allow you to save the configuration to an external file to any
location you desire.
Once you import a configuration (the import is directly into the database), you will
be prompted for confirmation to overwrite the existing configuration (FIGURE 121
CONFIRM OVERWRITE). The prompt clearly states that any previous configurations
will be lost.
TRANSFER OF CONFIGURATIONS
Looking back at options available from the package’s context menu (FIGURE 115
RIGHT-CLICK A PACKAGE) two additional menu items are presented:
CUSTOM CONFIGURATION
Selecting the option edit active directory access (back in FIGURE 115
RIGHT-CLICK A PACKAGE) will also present a different method of applying a
configuration, however now limited to the User Configuration XML file. FIGURE
123 AD ACCESS shows the options presented when the choice is made to edit the
AD Access.
If you select the drop-down menu (FIGURE 123 AD ACCESS) from Assigned
Configuration, you can see that there are two choices, Default and Custom. If
Custom is selected, there is a new option presented: Edit (FIGURE 124 CUSTOM
CONFIGURATION).
initial page will give you the Advanced options (FIGURE 125 CUSTOM
CONFIGURATION EDIT).
You can edit a Custom Configuration very much like you can edit a Default
Configuration, however the configuration is now only applied for users. As such,
you can only import a User Configuration file, as opposed to Default
Configuration which only accepts the Deployment Configuration file. It will ask
you to confirm an overwrite of the configuration and if uncertain, it’s
recommended to export the current running configuration for recovery in case
something goes wrong.
One topic that is relevant at this point when dealing with both the Default
Configuration and Custom Configuration is precedence and how to best leverage
it. There are a few basic rules:
There can be only one Deployment Configuration per package. The name used in
the console, Default Configuration, suggests this, but why it was designed this way
is unfortunately unknown to us.
You cannot mix and match between multiple Custom Configurations for
a user.
CONFIGURATION MANAGEMENT
POWERSHELL
To retrieve the current configuration for any package there are two commands:
Get-AppvServerPackageDeploymentConfiguration -Name java
Get-AppvServerPackageUserConfiguration -Name java -Group DEMO\SG.AppV.U.Freemind
The first cmdlet will retrieve what is called Default Configuration from the web-
based console, but called the Deployment Configuration within the PowerShell
cmdlets. Since there can be only one Deployment Configuration, there is only a
requirement to specify which package contains the desired configuration. It
accepts the parameters Name (as used in the example), PackageID along with
VersionID or a package passed from Get-AppVServerPackage.
The second cmdlet allows you to retrieve the Custom Configuration, as it’s called in
the management console, or the contents of the currently applied User
Configuration. As there can be multiple user configurations assigned to a package,
the cmdlet requires some additional parameters compared to the previous cmdlet
Get-AppvServerPackageDeploymentConfiguration. The package must be
specified, just like for the previous cmdlet; however it also requires information as
to which AD entitlement the configuration is assigned to. The parameter is called
-Group and the entry should match the domain and AD group name.
Both of the above commands will output the contents directly to the console for a
quick review. To allow for editing, and to re-import it, you can send it to a text-file
with the below example:
As the Deployment Configuration can only exist as one instance per package, we
only need to specify which package we wish to update and where the
configuration file is located.
User Configuration is, again, a bit trickier; however it is quite simple once you
understand that it can exist as multiple configurations.
We have to specify which package and which User Configuration file to use and
need to identify the AD entitlement this should affect. If you omit the -Groups
parameter there will be no error message to indicate that the import was not
successful; however, you will notice that no configurations are altered.
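The export-then-import round trip described above, as an added example that is not code from the book: it backs up the running configuration before every import and re-reads the configuration afterwards, so a user-configuration import that silently changed nothing is caught. The two Get-* cmdlets are the ones quoted above; the Set-AppvServerPackageDeploymentConfiguration and Set-AppvServerPackageUserConfiguration cmdlets with a -Name and -Path parameter, the folder paths and the group name are assumptions.

```powershell
# Added example, not the book's code. Assumed: Set-AppvServerPackageDeploymentConfiguration
# and Set-AppvServerPackageUserConfiguration accept -Name and -Path; the User variant takes
# -Groups as the book states. Run on the Management Server with the AppvServer module.
Import-Module AppvServer

function ConvertTo-ComparableXml {
    # Normalise what the Get-* cmdlets return (string or [xml]) so two copies of the same
    # configuration compare equal regardless of whitespace.
    param($Value)
    $doc = if ($Value -is [xml]) { $Value } else { [xml]($Value | Out-String) }
    return ($doc.OuterXml -replace '\s', '')
}

function Export-AppvServerConfiguration {
    param(
        [Parameter(Mandatory)][string]$PackageName,
        [string]$Group,                              # omit for the Deployment Configuration
        [Parameter(Mandatory)][string]$BackupFolder
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    if ($Group) {
        $config = Get-AppvServerPackageUserConfiguration -Name $PackageName -Group $Group
        $file = '{0}_{1}_UserConfig_{2}.xml' -f $PackageName, ($Group -replace '[\\/]', '_'), $stamp
    } else {
        $config = Get-AppvServerPackageDeploymentConfiguration -Name $PackageName
        $file = '{0}_DeploymentConfig_{1}.xml' -f $PackageName, $stamp
    }
    $path = Join-Path $BackupFolder $file
    if ($config -is [xml]) { $config.Save($path) } else { $config | Out-File -FilePath $path -Encoding UTF8 }
    return $path
}

function Import-AppvServerConfiguration {
    param(
        [Parameter(Mandatory)][string]$PackageName,
        [Parameter(Mandatory)][string]$Path,
        [string]$Group,
        [Parameter(Mandatory)][string]$BackupFolder
    )
    # 1. Export the running configuration first, so a known working file exists to revert to.
    $backup = Export-AppvServerConfiguration -PackageName $PackageName -Group $Group -BackupFolder $BackupFolder

    # 2. Import straight into the database; this overwrites the previous configuration.
    if ($Group) {
        Set-AppvServerPackageUserConfiguration -Name $PackageName -Groups $Group -Path $Path
    } else {
        Set-AppvServerPackageDeploymentConfiguration -Name $PackageName -Path $Path
    }

    # 3. Verify. A user-configuration import without -Groups fails silently, so never trust the
    #    absence of an error message: re-read the configuration and compare it with the file.
    $applied = if ($Group) { Get-AppvServerPackageUserConfiguration -Name $PackageName -Group $Group }
               else        { Get-AppvServerPackageDeploymentConfiguration -Name $PackageName }
    $verified = (ConvertTo-ComparableXml ([xml](Get-Content -Path $Path -Raw))) -eq (ConvertTo-ComparableXml $applied)

    [pscustomobject]@{
        Package        = $PackageName
        Group          = $Group
        BackupFile     = $backup
        ImportVerified = $verified
    }
}

# Constructed usage: the file locations are placeholders, the group is the one from the text above.
Import-AppvServerConfiguration -PackageName 'java' -Group 'DEMO\SG.AppV.U.Freemind' `
    -Path 'C:\AppV\Config\java_UserConfig.xml' -BackupFolder 'C:\AppV\Backup'
```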
ADMINISTRATION BEST PRACTICES
As part of maintaining an environment there are a few practices that will assist
any administrator in scaling the environment in regards to packages and users and
computers that are using those packages. Let’s clarify a few key bullet points
before we dive into the nitty-gritty details of naming standards and structure.
Applications that are part of a Connection Group are published in the same
context (user vs. global).
All applications that are members of a Connection Group are published once
the Connection Group is assigned and published, regardless of the
assignment or publishing state of those applications.
Moving an application between Connection Groups will not transfer its user
settings.
These rules are good to remember when it comes to building your environment.
In previous versions of App-V a large portion of any training time was spent on
naming conventions and in particular the requirement for a unique 8.3 directory
name. This was strongly recommended to allow for trouble-free co-existence of
packages on the same client. In addition, every package had to have a truly unique
package name and combination of name+version. Two applications having
identical human-visible names had bad implications for publishing and co-
existence on the same client.
App-V 5 has greatly improved this area by utilizing GUIDs for packages and
Connection Groups, completed by version GUIDs. There could still be a need to
emphasize App-V 5 characteristics within the package name, however they are far
less complex and anyone familiar with traditional package building will realize
that there is nothing unique with App-V 5 and its requirement for package names.
Technically the App-V 5 Management Server does not require a separate folder or
location for a new version of a package; however, it can be logical to place a new
version within a separate folder to avoid overwriting configuration files and to be
able to remove an older package version more easily. As the App-V 5 Management
console will detect the version number on its own and match it to a previous
version of the package (with the version number in 0.0.0 format) based on the package
GUID, we are not forced to separate the two packages physically. To allow for
easy filtering amongst a thousand packages, including a base identifier such as the
vendor name in the package name will allow for an easy overview. We could
also use the language, to easily identify all packages relating to a specific set of users,
or the OS architecture to identify packages only compatible with a certain operating
system.
This all leads to the following suggestion for a folder per package. It is
recommended to omit the package version from the package name, as it will be
available within the package itself and can be viewed in a unique column within
the Management console.
This creates a way of grouping applications and filtering them within the
management console and can allow an administrator to easily identify the folder
on a file-server / web-server and relate it to an imported package.
ASSIGNMENT OF APPLICATIONS
User Configuration can be assigned to a specific AD group, and will allow you to
reuse a specific package for multiple purposes without altering the core package
file. However, a user cannot be assigned a package with multiple configurations.
CONNECTION GROUPS
Since Connection Groups provide a wide entitlement to any applications that
are members of those groups, they should be considered an application in
their own right.
Examples include:
Scenario 1: assign both users and computer objects within the same AD group, and
define the User Publishing Refresh on the laptops (as an example) to allow
the users to receive their applications.
Scenario 2: create multiple AD groups, one for each context (users vs. computers),
and define both a Global Publishing Refresh and the User Publishing Refresh on
all clients.
The above two scenarios leverage the App-V infrastructure quite differently, but
can ensure that only the desired application will be delivered to the user.
A very simple approach is to decide which context you will deliver applications to
– for example, only configure the User Publishing Refresh, so that only
applications assigned to users are delivered.
2.5 TROUBLESHOOTING A NATIVE DEPLOYMENT
COMMON RECOMMENDATIONS
Before digging into the details, here are some common guidelines that you should
follow regardless of the actual issue. The upcoming sections will be more specific.
In our tests there were almost no App-V related issues that did not leave any
traces in Windows Event Logs. A first step should always be to view the
Application and Services Logs / Microsoft / App-V section of
Eventvwr.exe or Eventvwr.msc as shown in FIGURE 126: WINDOWS EVENT LOG -
COHOSTED SERVER.
The Client log in particular is chatty, and even though it doesn’t provide much
meaningful text, you will be able to see if something goes wrong and receive some
explicit information along with some cryptic error codes that assist with searching
for solutions. As an example we forced our demo implementation to throw some
errors in FIGURE 127: WINDOWS EVENT LOG - MANAGEMENT ERRORS.
Figure 128: Windows Event Log - Unhide Analytic and Debug Logs
After the visibility of these logs has been triggered, you have to enable them to
gather results (FIGURE 129: WINDOWS EVENT LOG - ENABLE AN ANALYTIC LOG).
You should enable only one or a small number of the Debug/Performance logs at
the same time, otherwise the system could become saturated. You should also only
enable them for a limited time, while you are reproducing an error.
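The "few logs, for a limited time" rule above, as an added PowerShell example that is not code from the book: it lists the hidden Analytic/Debug channels, refuses to enable more than a handful, turns them on only around a repro script block, turns them off again even if the repro fails, and exports what was captured. The channel names and folder in the usage line are constructed placeholders; the channels actually present are discovered at run time.

```powershell
# Added example, not the book's code. Run in an elevated session: changing a channel's state
# and reading Analytic channels both require it. Channel names are discovered by wildcard.
function Get-AppvDiagnosticLog {
    # Analytic and Debug channels stay hidden from Get-WinEvent unless -Force is given, just
    # as Event Viewer hides them until "Show Analytic and Debug Logs" is ticked.
    Get-WinEvent -ListLog 'Microsoft-AppV*' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LogType -eq 'Analytical' -or $_.LogType -eq 'Debug' } |
        Select-Object LogName, LogType, IsEnabled, RecordCount
}

function Set-AppvDiagnosticLogState {
    param(
        [Parameter(Mandatory)][string[]]$LogName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -Force        # EventLogConfiguration object
        if ($log.IsEnabled -ne $Enabled) {
            $log.IsEnabled = $Enabled
            $log.SaveChanges()
        }
    }
}

function Invoke-AppvDiagnosticCapture {
    # Enables a small set of channels only for the duration of $ReproduceIssue, disables them
    # again even when the repro throws, then exports and returns the events captured meanwhile.
    param(
        [Parameter(Mandatory)][string[]]$LogName,
        [Parameter(Mandatory)][scriptblock]$ReproduceIssue,
        [Parameter(Mandatory)][string]$ExportFolder,
        [int]$MaxLogs = 3
    )
    if ($LogName.Count -gt $MaxLogs) {
        throw "Refusing to enable $($LogName.Count) channels at once; Debug/Analytic logs saturate the system quickly."
    }
    $started = Get-Date
    Set-AppvDiagnosticLogState -LogName $LogName -Enabled $true
    try {
        & $ReproduceIssue
    } finally {
        # Analytic channels can only be read once disabled, and leaving them enabled is the
        # costly mistake, so this runs unconditionally.
        Set-AppvDiagnosticLogState -LogName $LogName -Enabled $false
    }
    foreach ($name in $LogName) {
        $file = Join-Path $ExportFolder (($name -replace '[\\/ ]', '_') + '.evtx')
        wevtutil epl "$name" "$file" /ow:true             # keep a copy for a support case or forum post
    }
    # Analytic/Debug channels must be read oldest-first.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $started } -Oldest -ErrorAction SilentlyContinue
}

# Constructed usage: substitute a channel name reported by Get-AppvDiagnosticLog and your own folder.
# Invoke-AppvDiagnosticCapture -LogName 'Microsoft-AppV-Client/Debug' `
#     -ReproduceIssue { Sync-AppvPublishingServer -ServerId 1 } -ExportFolder 'C:\AppV\Logs'
```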
You should try to isolate the issue as well as you possibly can: “does it affect one
or all machines or users?”, “is it only showing up at one or several packages?”,
“did it ever work previously?” and similar questions don’t only help you to
identify the potential cause; they also might help others (like in forums) to help
you better.
We know that this is a hard one, especially if your production environment has a
severe issue or if an issue prevents you from reaching an important milestone,
but anyway: document your remediation steps. Make a note about configuration
changes that you made to solve a problem – even if they did not seem to improve
the situation. This helps you to make your solution reproducible. It also supports
working in a more structured manner. And others won’t ask you to try this and
that if you already did it.
It may be obvious, but we’d really like to remind you to use two search engines to
identify potential causes before you start asking questions of others. Failing actions
in the Management console or with PowerShell, as well as the Event Viewer, often
return text and some (alpha)numeric error code. It is that error code you should be
after. Unfortunately App-V error codes follow different conventions (or masks).
Sometimes it is a single block like 0x80511008, sometimes it consists of several
blocks like 0x5970167-0xB or 0x74F00F0C-0x80190191, so simple advice like for
v4 just can’t be given. Look for single ‘full’ hexadecimal blocks: 0x80511008,
0x5970167, 0x74F00F0C and 0x80190191 would be the terms to search for.
As a side note, if ‘App-V 0x74F00F0C’ doesn’t return a result, try it again without
‘App-V’: Microsoft tends to use similar error codes for similar issues across
different products – so even errors for another product might provide you with a
hint.
Additionally it might be helpful to convert some values between hex and decimal.
Take that 191 portion of one of the errors and convert it. Doesn’t that look like a
familiar HTTP error code? Indeed it is. 38 Finally, don’t rely on Microsoft Event IDs.
38 And no, we don’t do the conversion and unveiling for you right here. Troubleshooting does not
mean ‘sit and wait for an answer’, it means ‘go, do something’!
Two of the errors shown so far have the same Event ID, but different causes and
App-V Event IDs aren’t that popular on the Internet yet, either.
So, your package doesn’t show up on the client? In that case you should go down
the route that the App-V client goes, make a turn on the crossroads to follow
Publishing Server Road until you reach Management Server Boulevard with its
intersections. You get it… down in this sub chapter.
INSTALLATION ISSUES
Monitoring forums and blogs indicates that installing App-V components does not
cause major issues. Of course, you did install and verify the system prerequisites in
advance.
A small lesson that you’ll learn very quickly is that the App-V installation wizard
does not request privileged execution automatically, even though it’s required, so
you have to right-click and choose Run as administrator to launch the wizard. In
theory it could occur that the machines you are installing on are not members of a
domain yet, or that your account doesn’t have proper permissions.
In case of an installation issue, MSI logs should give some guideline about what
went wrong, allowing you to search the Internet for similar issues.
A minor challenge might be that App-V doesn’t support database access if the
database instances use dynamic ports (instead of the default TCP 1433). Because
most organizations protect their SQL servers using firewalls, dynamic ports are
very uncommon. And you should install App-V server components to the C:\
drive only.
CONFIGURATION ISSUES
Even after the installation wizard(s) have finished without any errors, there might
be situations where the App-V environment still isn’t working correctly. This
subsection gives some more general guidelines, because it partially overlaps with
the upcoming OPERATIONAL TROUBLESHOOTING section, which is actually more
detailed.
Open the database with Microsoft SQL Server Management Studio and validate
that the App-V Management database’s Permissions table contains at least one
entry (perhaps your SQL Server admin may need to complete this step).
Open the App-V Management console and verify that you can access data.
Enter the following URL in a browser and ensure that it does not return an error:
http(s)://<App-V Management Server>:<Port>/Console.html.
Open the IIS Management console and verify that the Application Virtualization
Management (web site and application pool) are running and not in a stopped
state (it’s hard to see, but FIGURE 132: MANAGEMENT SERVER VERIFICATION - WEB
SITE shows a little Stop icon, and FIGURE 133: MANAGEMENT SERVER VERIFICATION
- APPLICATION POOL shows a Stop as well).
If you are running an HA/LB scenario, repeat the above steps on every machine
that hosts the Management Service.
Using a user account that has been granted access to App-V applications, open the
following URL in a browser to check the Publishing Server’s internal status:
http(s)://<App-V Publishing Server>:<Port>. It should return an XML
formatted document that looks similar to FIGURE 134: PUBLISHING SERVER
VERIFICATION - APPLICATION LIST.
Open the IIS Management console and verify that the Application Virtualization
Publishing web site and application pool are running and not in a stopped state.
If you are running an HA/LB scenario validate this on every machine that hosts the
Publishing Service.
As a user, open the URI (UNC or URL) to an .appv file. Regardless of the
implementation type you should be asked if that file should be opened / saved /
canceled. This message indicates that the .appv file can be read and can
potentially be downloaded. This should work for all .appv files even before they
are imported into the Management console. FIGURE 135: STREAMING SERVER
VERIFICATION - FILE DOWNLOAD shows a web based successful download attempt.
OPERATIONAL TROUBLESHOOTING
One of the first steps in a troubleshooting process is to identify the actual failing
sub-process or component - let’s remind ourselves of some of the general tasks that
are performed by App-V components and how they interact with others.
APP-V CLIENT
On an App-V Client, to get a new application the following sub-processes are
(almost) always performed: 39
Add Package: The App-V Client creates a key with the package’s GUID in the
Registry at HKLM\Software\Microsoft\AppV\Client\Packages. This step is
automatically initiated by the Publishing Refresh step or by using the PowerShell
cmdlet Add-AppvClientPackage.
Note that adding the package is a prerequisite for both publishing and mounting
a package, but publishing and mounting can be performed in any sequence.
39 These steps will be discussed in more detail in the upcoming ‘Client’ chapter of our book
Regardless of the publishing method, several files from inside the .appv file are
downloaded and extracted during this step. These components are referred to as
the Primary Feature Block.
Mount / Stream / Download the package content: In its default configuration, all
files that are accessed by virtual applications first have to be downloaded into the
client’s App-V cache (as opposed to Shared Content Store mode, where files are
not really downloaded, but sparse files pointing to the URI location are created).
are downloaded in separate steps (Feature Block 1 first entirely, then the files
of Feature Block 2 as they are required).
Launch Applications: The App-V Client creates the virtual environment for the
package and starts the application.
The Publishing Server is queried by clients and returns the list of currently
assigned packages and applications. It regularly initiates connections to the App-V
Management Server to retrieve a list of all available packages and applications.
The interval is specified in the Publishing Server’s Registry:
HKLM\Software\Microsoft\AppV\Server\PublishingService, value
PUBLISHING_MGT_SERVER_REFRESH_INTERVAL.
The Publishing Server caches the information, so it still can continue to operate if
the Management Server is not responding; a persistent caching model is used that
even keeps the information across reboots.
The App-V Management Service itself queries the App-V Management Database
quite often, but the data cache is not persistent. That means that after a few
minutes the Management Server would throw error messages if the database is
offline. However this is not that much of an issue, because the Publishing Server
does cache the info – so clients still can retrieve an application list.
The App-V Streaming Server (file or web) is queried by the App-V Client to
download the content of .appv files.
Remember that the initial contact to an .appv file is initiated during the Publishing
phase, such as to download the icon files for shortcuts and FTAs.
Also, the Streaming Server is queried by the App-V Management Server while
adding/importing packages into the App-V environment via the Management
console or PowerShell.
PUBLISHING SERVER
Establish a browser connection to the Publishing Server URL. If you use variables
for the server location, use the variables (placeholders) and their resolved value(s).
If you have multiple servers behind a load balancer, connect to all of them.
The first attempt should be performed from a client machine with the user account
that faces the issues.
You should receive an XML formatted reply like in FIGURE 136: PUBLISHING
SERVER VERIFICATION - APPLICATION LIST EXPANDED.
If the prompt comes from the Publishing Server, add the Publishing Server URL to
the list of ‘Intranet sites’ on the operating system 40. Alternatively you could use
Windows Credential Manager to store and ‘auto fill’ these credentials.
You may receive a certificate related error message (FIGURE 138: PUBLISHING
SERVER VERIFICATION - SSL CONNECTION ERROR gives an example) while using a
secured HTTPS connection.
40 Note that Site-Zone assignments, proxies and other settings usually are effective on the operating
system level although they are configured using Internet Explorer settings. In return, settings that
you configure ‘obviously’ in IE in fact influence App-V client communication.
The client machine does not trust the issuer of the certificate: install a
root/intermediate certificate into the client’s machine store.
The connection URL and the name on the certificate don’t match: adjust the
Publishing Server URL for the App-V client accordingly, retry with the
adjusted URL (note that adjusting the URL in the browser’s address bar does
not solve any issue of the App-V client!). Alternatively you may be required
to re-issue a new, proper Server Certificate.
If you are receiving an XML document, but it does not contain anything or does
contain odd or expired information, validate that:
The user is member of the right groups (and has logged off and on before a
publishing refresh)
The Publishing Server’s last refresh time is not old. To validate it, open the
URL http(s)://<App-V Publishing Server>:<Port>/info. If the last
refresh is too old, there is potentially an issue with the Management Server
(the Publishing Server seems to be working). FIGURE 139: PUBLISHING SERVER
VERIFICATION - LAST REFRESH TIME INFO shows an example.
If you are getting HTTP errors, you may need to expand the message text.
404 errors indicate that the URL (server name, port, path) is not valid or that IIS
and/or the Publishing Service are not running at all.
50x errors are often internal server errors of the web application or IIS. They may
occur if software prerequisites aren’t properly installed. They also appear if
accounts used by IIS don’t have proper access rights to local or remote folders.
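The Publishing Server checks described in this section, as an added PowerShell example that is not code from the book: it requests the application list and the /info page with the calling user's Windows credentials, maps the HTTP status codes listed above to the likely cause, and counts the packages in the reply. The server URLs are constructed placeholders, and the XML is only inspected generically (elements carrying a PackageId attribute) since the book shows the reply in figures rather than as text.

```powershell
# Added example, not the book's code. Run from the affected client as the affected user.
function Invoke-AppvHttpCheck {
    param([Parameter(Mandatory)][string]$Uri)
    try {
        # Integrated Windows authentication, as the App-V client uses it for the refresh.
        $r = Invoke-WebRequest -Uri $Uri -UseDefaultCredentials -UseBasicParsing
        [pscustomobject]@{ Uri = $Uri; Status = [int]$r.StatusCode; Content = $r.Content; Error = $null }
    } catch {
        $status = 0                                  # 0 = no HTTP reply at all (DNS, firewall, TLS)
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{ Uri = $Uri; Status = $status; Content = $null; Error = $_.Exception.Message }
    }
}

function Test-AppvPublishingServer {
    param([Parameter(Mandatory)][string]$BaseUrl)   # e.g. https://pub01.demo.lab:443 (constructed)
    $list = Invoke-AppvHttpCheck -Uri $BaseUrl
    $hint = switch ($list.Status) {
        200            { 'Reply received' }
        401            { 'Authentication failed: check Intranet-zone assignment or Credential Manager' }
        404            { 'URL (server name, port, path) invalid, or IIS / Publishing Service not running' }
        { $_ -ge 500 } { 'Server-side error: check software prerequisites and the IIS account''s folder permissions' }
        default        { "No HTTP reply: $($list.Error)" }
    }
    $packages = -1
    if ($list.Content) {
        try {
            $doc = [xml]$list.Content
            $packages = $doc.SelectNodes('//*[@PackageId]').Count
            if ($packages -eq 0) { $hint = 'Empty list: check group membership (log off/on) and the last refresh time' }
        } catch { $hint = 'Reply is not well-formed XML' }
    }
    # /info reports the Publishing Server's last refresh from the Management Server.
    $info = Invoke-AppvHttpCheck -Uri ($BaseUrl.TrimEnd('/') + '/info')
    [pscustomobject]@{
        Server            = $BaseUrl
        Status            = $list.Status
        Hint              = $hint
        PackagesPublished = $packages
        InfoStatus        = $info.Status
        Info              = $info.Content
    }
}

# Constructed usage: behind a load balancer, check every member individually.
# 'https://pub01.demo.lab:443', 'https://pub02.demo.lab:443' | ForEach-Object { Test-AppvPublishingServer -BaseUrl $_ }
```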
MANAGEMENT SERVER
While the Management Server is not crucial for continuous package delivery, it is
required to import new packages or versions into the native App-V environment
and to update deployment configuration and user configuration adjustments.
As the Management service also is an IIS web application, initial checks should
include that IIS and the web application pool are running and that the requests to
the URL return valid results.
If the App-V Management Server fails to connect to the Database, it will return
errors. FIGURE 144 shows an error of an entirely disconnected database, and
FIGURE 145 shows the Event Viewer entry for this.
There is not that much to check on the Streaming Server – it’s just a file or web
server, right? However, to validate its availability you again should try to
download one or more .appv files from the location that is specified in the
application list returned by the Publishing Server or that can be found in the result
of Get-AppvClientPackage -All.
Remember that – based on the publishing method – both the client machine and the
user may need to have read access to these files.
If you are using a web server, ensure that ‘.appv’ is registered as a MIME type.
2.6 APPENDIX
APP-V 5 SQL MIRRORING CONFIGURATION
The following description has not been validated by the authors
nor is it based on any public Microsoft documentation. Follow at
your own risk!
In August 2013, Microsoft ‘silently’ updated its article of Planning for High
Availability with App-V 5 (HTTP://TECHNET.MICROSOFT.COM/EN-
US/LIBRARY/DN343758.ASPX). In here, SQL Mirroring is named as a supported
method to achieve high availability for the Management Database (interestingly
the Reporting Database is not mentioned in that section).
However, MS did not provide any documentation on how to achieve it. The only
indication of how to tell the App-V Management Server to fall back to the
mirrored database in case of a primary DB failure is a description given by
Hal Lange at Technet’s App-V forum
HTTP://SOCIAL.TECHNET.MICROSOFT.COM/FORUMS/EN-US/57D10F6E-16B6-4F76-
A0BD-06A6710C74D4/APPV-50-DATABASE-MIRRORING.
Because of our aimed press date for this chapter, we did not verify the
configuration, but it seems valid. As forums are volatile, FIGURE 146: SQL
MIRRORING FORUM POST shows a quote of it.
APP-V 5 CONNECTION SECURITY
CERTIFICATES
Let’s start this section with a prediction: we won’t be über-precise here. This
section is just to remind you of some of the key principles of SSL/TLS communication
by using free-style explanations of common terms and procedures. We’ll focus on
SSL communication, namely for Windows and IIS, as they are relevant for App-V.
TYPES OF CERTIFICATES
First, you can imagine a Certificate as a form of ID, Passport or other document
that proves someone’s identity.
SERVER CERTIFICATES
A Server Certificate usually identifies a computer that answers requests. The key
information on such a certificate is a Common Name (what is the referenced name
for that server), the expiration date, the issuer (who created that certificate) and a
Private Key validator.
Here comes the first point to note: the Common Name has to match the
URI/address clients are connecting to.
Let’s suppose you have one server behind a load balancer. Technically you can
establish a connection through the load balancer’s name, the load balancer’s IP
address, the actual machine name or the actual machine’s IP address. And yes, in a
LAN you can use a short name (myNLB) or a fully qualified domain name
(myNLB.demo.lab) to connect to that machine.
However, in an SSL scenario your freedom is limited. Most software will only
allow a connection to the address that matches the certificate’s Common
Name. So if the certificate is issued to ‘myNLB.demo.lab’, only connections to that
address will succeed (the comparison is not case sensitive). Because some issuers
impose restrictions on the names they will sign:
Use only the FQDN (neither short names nor IP addresses) as the Common
Name of a certificate. In return, also use only FQDNs when you specify addresses.
(Note that relative paths like ‘/content’ or ports like ‘:443’ are not considered
part of the name.)
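The name-matching rule above, as an added PowerShell example that is not part of the book: it extracts the host from the URL a client would use, ignores port and path, compares case-insensitively and rejects short names and IP addresses. The FQDN ‘mynlb.demo.lab’, the sample URLs and the helper that reads a certificate’s DNS name from the machine store are assumptions.

```powershell
# Added example (not from the book): check that the name a client connects to
# matches a certificate's Common Name the way SSL clients do.
# Assumptions: the FQDN 'mynlb.demo.lab' and the URLs below are constructed samples.

function Test-CommonNameMatch {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$CommonName
    )
    $uri = [System.Uri]$Url
    # Only the host part counts: scheme, port (:4431) and path (/content) are ignored.
    $requested = $uri.DnsSafeHost
    # Names are not case sensitive.
    $hostMatches = [string]::Equals($requested, $CommonName,
        [System.StringComparison]::OrdinalIgnoreCase)
    # A certificate issued to an FQDN never matches a short name or an IP address.
    $isFqdn = ($uri.HostNameType -eq [System.UriHostNameType]::Dns) -and ($requested -like '*.*')

    [pscustomobject]@{
        Url       = $Url
        Requested = $requested
        Matches   = ($hostMatches -and $isFqdn)
    }
}

# Real-world use: read the DNS name (SAN or Common Name) of a certificate in the machine store.
function Get-ServerCertificateCommonName {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
}

$cn = 'mynlb.demo.lab'     # constructed sample Common Name
@(
    'https://MYNLB.DEMO.LAB:4431/content',   # same name; case, port and path do not matter
    'https://mynlb:4431/',                   # short name
    'https://10.0.0.5:4431/',                # IP address
    'https://mynlb.demo.lab.example:443/'    # different FQDN
) | ForEach-Object { Test-CommonNameMatch -Url $_ -CommonName $cn } | Format-Table -AutoSize
```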
Depending on the issuer, certificates fall into several classes. Public Certificates are,
well, used in public and are often issued by large security companies like
VeriSign. Private Certificates are issued by an organization’s IT department and
are usually only used inside that organization. Then we have self-signed
certificates that a single server (or appliance) creates for itself. These aren’t very common
outside of small lab environments.
For security reasons, you cannot install just any server certificate on any server.
Instead, a server usually only accepts certificates that it requested itself. A
‘Certificate Signing Request’ is created and sent to the Issuer – and only if the
returned certificate matches the original request will that server accept it.
Technically, the server holds the Private Key for that certificate. (If someone sends
you an ID card – will you use it if you never requested it? Probably not. Servers act
the same way.) In certain scenarios, the Certificate and the Private Key are
bundled together and can be imported into any server – but as you can see that
doesn’t really increase security, so most server certificates do not contain an
exportable Private Key.
In the section above we mentioned that a client only accepts certificates from a
‘trustworthy’ organization. If a man shows you an ID issued by Interpol, you
might trust it. If a man shows you an ID issued by TheAppvBook.Inc, you’ll
probably just ignore it. The way to tell a computer (or application) to trust an
issuer is to install a Root or Intermediate Certificate. A Root Certificate is the highest in
the hierarchy, but there may be intermediate certificate authorities as well. In the
above example, Interpol may allow the Dutch Police to create Interpol ID Cards for
Dutch Interpol Employees. Because you trust Interpol (as a reliable organization)
and Interpol trusts its Dutch department, you (should) automatically trust the
Dutch Interpol (at least this is how computers act). In this case, Dutch Interpol is
an Intermediate Certificate Authority. And yes, as an administrator (or even user)
you may choose to trust us as well and install our TheAppvBook root or
intermediate certificate.
Returning to the Server Certificates – because most Public issuers are already
installed on the operating system (or in browsers), server certificates issued by
them or by subordinate authorities are trusted automatically. For Private
Certificate Authorities, the Root/Intermediate Certificate has to be installed onto
CLIENT CERTIFICATES
Whenever you hear someone talking about Client Certificates, you should first
listen carefully: because they often have to be installed on a client,
Root/Intermediate Certificates are frequently called Client Certificates. In fact they aren’t.
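How the Root/Intermediate trust described above shows up on a Windows server, as an added PowerShell example that is not part of the book: it builds the chain for a server certificate with the .NET X509Chain class, reports what is missing, and installs a Private CA’s root and intermediate certificates into the proper machine stores. The thumbprint and the file paths are placeholders.

```powershell
# Added example (not from the book): validate the trust chain of a server certificate
# and, for a Private CA, install its Root/Intermediate certificates.
# Placeholders: the thumbprint and the .cer file paths below are not real values.

function Test-CertificateChain {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($Certificate)

    # Each element is one step up the hierarchy: server -> intermediate(s) -> root.
    $chain.ChainElements | ForEach-Object {
        '{0,-20} issued by {1}' -f $_.Certificate.GetNameInfo('SimpleName', $false), $_.Certificate.Issuer
    }
    if (-not $trusted) {
        # Typical statuses: UntrustedRoot (root not installed), PartialChain (intermediate missing).
        $chain.ChainStatus | ForEach-Object {
            Write-Warning ('{0}: {1}' -f $_.Status, $_.StatusInformation.Trim())
        }
    }
    return $trusted
}

# Root certificates belong in 'Trusted Root Certification Authorities' (store name Root),
# intermediate certificates in 'Intermediate Certification Authorities' (store name CA).
function Install-PrivateCaCertificate {
    param([Parameter(Mandatory = $true)][string]$Path,
          [Parameter(Mandatory = $true)][ValidateSet('Root', 'CA')][string]$Store)
    & certutil.exe -addstore -f $Store $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed to import $Path into the $Store store" }
}

# Usage (placeholders): check the server certificate, install the CA certificates, check again.
$serverCert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT-OF-SERVER-CERTIFICATE>'
if (-not (Test-CertificateChain -Certificate $serverCert)) {
    Install-PrivateCaCertificate -Path 'C:\certs\<private-ca-root>.cer'    -Store Root
    Install-PrivateCaCertificate -Path 'C:\certs\<private-ca-issuing>.cer' -Store CA
    Test-CertificateChain -Certificate $serverCert
}
```

Importing into the Root store needs an elevated session; the same two stores are where a Private CA’s certificates have to land on every App-V client that should trust the server.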
SECURITY TECHNOLOGIES
AUTHENTICATION
Like a combination of username and password, certificates are used to identify the
communicating end points. Commonly a server authenticates itself to a client by
presenting a server certificate (so the client can be sure it’s communicating with the
right server and not just any server with the same name). Client certificates can be
used to authenticate users. The client certificate is presented to a server and that
server allows or denies access to certain resources based on the information stored
in the certificate. Client certificates often do not only contain the username, but
may also contain group membership information. Client certificates are usually
installed on a client machine or they are stored on USB drives or smart cards.
SIGNING
To ensure that a document (or data) was not modified during communication,
signing is used. In contrast to Encryption (see the next section), signing itself does
not hide any data that is transferred. Often, the sender runs an algorithm to create
a so-called ‘fingerprint’ of the actual data. That fingerprint cannot be converted
back to the original data. The receiver can then run the same algorithm to validate
the fingerprint: if the newly generated fingerprint is the same, the data has not
been modified. Private Key / Public Key technologies can validate that the
fingerprint was created by the original sender (and not by a man-in-the-middle). If
that ‘sender verification’ is not in place, an attacker could of course easily
modify both the actual data and the fingerprint. SSL uses signing silently.
ENCRYPTION
If the data should be kept secret, encryption comes into play. Here some
mathematical magic ensures that only the intended receiver of the data can convert
encrypted data back into clear text. Again, certificates and Private/Public key
combinations are used in SSL to ensure that no man-in-the-middle can read or
decrypt the data.
In fact, most SSL communication uses Encryption and Signing at the same time.
This not only ensures that the data is kept secret during the communication, it also
ensures that the data was not modified. And because sender and receiver
exchange one-time keys during the initial communication process, they both can
make sure that they are communicating with the same endpoint during the entire
process.
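The difference between a bare fingerprint and a signed one, as an added PowerShell example that is not part of the book: it uses the .NET RSA and SHA-256 classes to show that a receiver who only recomputes a hash cannot notice a man-in-the-middle who replaces data and fingerprint together, whereas a signature made with the sender’s Private Key fails to verify once the data changes. The message text and the in-memory key pair are constructed for the demo.

```powershell
# Added example (not from the book): fingerprint alone vs. signed fingerprint.
# The message text and the RSA key pair are constructed for this demo only.

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$rsa    = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048   # sender's key pair

function Get-Fingerprint([byte[]]$Data) {
    # One-way: the data cannot be recovered from the hash.
    return $sha256.ComputeHash($Data)
}

function Test-Fingerprint([byte[]]$Data, [byte[]]$Fingerprint) {
    # The receiver recomputes the hash and compares it with the one it received.
    $recomputed = Get-Fingerprint $Data
    return ([System.BitConverter]::ToString($recomputed) -eq [System.BitConverter]::ToString($Fingerprint))
}

function New-Signature([byte[]]$Data) {
    # SignData hashes the data and encrypts the hash with the Private Key.
    return $rsa.SignData($Data, 'SHA256')
}

function Test-Signature([byte[]]$Data, [byte[]]$Signature, [string]$PublicKeyXml) {
    # Anyone holding the Public Key (e.g. from the sender's certificate) can verify it.
    $verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $verifier.FromXmlString($PublicKeyXml)
    return $verifier.VerifyData($Data, 'SHA256', $Signature)
}

$message   = [Text.Encoding]::UTF8.GetBytes('Publishing refresh: Office, Acrobat')
$tampered  = [Text.Encoding]::UTF8.GetBytes('Publishing refresh: Office, Acrobat, Unwanted')
$publicKey = $rsa.ToXmlString($false)    # public part only, as a certificate would carry it

# 1) Fingerprint only: if data and fingerprint are both replaced in transit, the
#    receiver's check still passes because it has nothing that ties the hash to the sender.
$forgedFingerprint = Get-Fingerprint $tampered
'Fingerprint check on tampered data (no signature): {0}' -f (Test-Fingerprint $tampered $forgedFingerprint)

# 2) Signature: without the Private Key no valid signature for the changed data exists.
$signature = New-Signature $message
'Signature check on original data: {0}' -f (Test-Signature $message  $signature $publicKey)
'Signature check on tampered data: {0}' -f (Test-Signature $tampered $signature $publicKey)
```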
Using a PKI / Certificates for App-V with IIS is not that complicated, at least if the
organization has an existing PKI infrastructure.
Let’s start simply: you have one server that should be accessible via SSL, and IIS is
already installed.
You can use IIS Manager to create the Certificate Signing Request. In this case, you also
have to use IIS Manager to import the certificate itself later on.
Some Certificate Authorities / issuers offer a web page to create such a request.
1 In IIS Manager, select the server and find the Server Certificates icon
4 Specify the provider and the Bit (key) length. Note that 1024 Bits isn’t
considered secure any longer (but not all systems understand keys with
4096+ bits length).
5 Save the request as a (text) file. You should give it a meaningful name
and you may use the .csr (certificate signing request) extension. The
content looks cryptic.
Next, you send the .csr file to the Certificate Authority or paste the cryptic
content into the CA’s web form. With a sample web-based internal CA, the
process looks similar to this (but might be different for other CAs):
3 When you have a .csr-like text file, you can submit a certificate request
by using a … file
4 Copy the entire content of the text file (including the ---Begin and
the Request--- pieces) into the form and select the right template: Web
Server. Other CAs may ask you for the web server type (Windows or
IIS).
5 Now you can download the Server Certificate (or you are asked to
return to the website if the certificate requires approval, or the CA sends
you the certificate by mail). While Windows likes DER certificates, some
Linux based servers may require Base 64 encoded certificates.
When you have the actual (server) certificate file, it has to be imported using IIS
Manager, openssl or the Certificates MMC Snap-in.
1 When using IIS, you return to the Server Certificates section on the
server level, there you click on Complete Certificate Request…
2 This will ask you for the certificate file name and a ‘friendly’ name.
While you can choose basically any name here you should also use the
FQDN.
4 Now you have to bind the certificate to your web site, so in our
example select the App-V Management Service site then click on
Bindings…
6 Select https as the type and the right server certificate from the drop
down box. In the example below the port was set to 4431 to avoid potential
conflicts with other secure services on this machine.
If you have more than one App-V service running on a single box, it doesn’t have
to get scary – you can use one and the same Server Certificate for the different
components.
All services have to be made available under the same server FQDN (you
can’t use different DNS aliases for different services).
All IIS based services have to be bound to different SSL ports. You cannot just
use 443 for all of them. You could use spare ports like 444. Remember that 445 is
reserved for SMB already!
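The whole request / complete / bind procedure above done from PowerShell, as an added example that is not part of the book; it also shows the point made earlier that only the server holding the (non-exportable) Private Key can complete its own request, and binds one certificate to two services on different SSL ports. It assumes certreq.exe and the IIS WebAdministration module; the FQDN ‘mynlb.demo.lab’, the IIS site names, the ports 4431/444 and the file paths are assumptions, and ‘C:\certs\issued.cer’ stands for the file the CA returned.

```powershell
# Added example (not from the book): CSR, completion and SSL bindings via PowerShell.
# Assumptions: FQDN, site names, ports and paths are constructed; issued.cer is the
# certificate the CA returned for this request.

Import-Module WebAdministration
$fqdn = 'mynlb.demo.lab'

# 1) Create the CSR. The Private Key is generated here, stays in the machine store and is
#    not exportable, which is why only this server can complete the request later.
@"
[NewRequest]
Subject = "CN=$fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path 'C:\certs\request.inf' -Encoding ASCII
& certreq.exe -new 'C:\certs\request.inf' "C:\certs\$($fqdn).csr"   # hand the .csr to the CA

# 2) Complete the request with the certificate the CA returned. certreq refuses a
#    certificate that matches no pending request on this machine (no matching Private Key).
& certreq.exe -accept 'C:\certs\issued.cer'
if ($LASTEXITCODE -ne 0) { throw 'The returned certificate does not match a pending request on this server' }

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a Private Key for $fqdn found" }

# 3) Bind: one certificate, several services, one FQDN, different SSL ports (not 443, not 445).
$services = @{ 'App-V Management Service' = 4431; 'App-V Publishing Service' = 444 }
foreach ($site in $services.Keys) {
    $port = $services[$site]
    New-WebBinding -Name $site -Protocol https -Port $port -ErrorAction Stop
    # The SslBindings drive ties an IP!port pair to the certificate (what 'Bindings...' does in IIS Manager).
    $cert | New-Item -Path "IIS:\SslBindings\0.0.0.0!$port" | Out-Null
}
Get-WebBinding | Where-Object { $_.protocol -eq 'https' } | Format-Table bindingInformation, protocol
```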
Windows NLB: each node needs a Server Certificate that is issued to the
virtual name. You can request individual certificates (with individual CSRs)
for each server, or you can ask for a Server Certificate that allows you to
export the Private Key as well. Such a Certificate can be copied and imported
to other machines (most CAs will refuse to do that).
DNS Round Robin (not recommended): each node needs a Server Certificate
that is issued to the virtual DNS name.
Web Load Balancing: when using an external Load Balancer, there are again
several configuration options. With SSL Offloading configured, the LB
accepts SSL connections (from a less secure network) but forwards the
request unencrypted to the server. In this scenario only the LB has to have a
Server Certificate. Another scenario takes the SSL stream, decrypts it and
actively establishes its own SSL connections to the server nodes. Because the
connection then would be interrupted, this is an uncommon scenario. Most
commonly the LB will be transparent to the client and simply forward
requests to one of the nodes. In that case the LB doesn’t need any Server
Certificate, but every node needs one issued to the virtual name (similar to
the NLB scenario).
ENFORCING ENCRYPTION
Just adding a Server Certificate to a machine, importing it into IIS and binding it to a web
service or application doesn’t increase security: users and clients can still connect
using unsecure channels. Therefore, SSL encryption has to be enforced.
1 Enforcing SSL is done on the application/site level, so select the site and
click on SSL Settings.
2 Enable the checkbox at Require SSL and leave the other settings (client
certificates: Ignore) as they are.
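The same ‘Require SSL’ setting made from PowerShell, as an added example that is not part of the book: it sets the sslFlags of the site the way IIS Manager does and then checks both the flag and whether a plain http binding still exists. It assumes the IIS WebAdministration module; the site name is an assumption.

```powershell
# Added example (not from the book): enforce SSL on an IIS site and verify it.
# Assumption: 'App-V Management Service' is the name of the site in IIS.

Import-Module WebAdministration
$site = 'App-V Management Service'

# Equivalent to the 'Require SSL' checkbox; client certificates stay at Ignore
# (adding 'SslNegotiateCert' or 'SslRequireCert' would change that setting).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

function Test-SslEnforced([string]$SiteName) {
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
               -Filter 'system.webServer/security/access' -Name 'sslFlags'
    # Depending on the IIS version the cmdlet returns the value itself or an attribute object.
    $flags = if ($null -ne $raw.Value) { [string]$raw.Value } else { [string]$raw }

    # A leftover http binding is not a hole once SSL is required (IIS answers 403.4),
    # but removing it keeps clients from being pointed at a URL that can never work.
    $httpBindings = Get-WebBinding -Name $SiteName -Protocol http

    [pscustomobject]@{
        Site        = $SiteName
        SslFlags    = $flags
        RequireSsl  = (($flags -split ',') -contains 'Ssl')
        HttpBinding = [bool]$httpBindings
    }
}

Test-SslEnforced $site
```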