ISE in a VDI Environment

I've done several ISE deployments with good results, but there is one environment where ISE is needed but not (yet) suitable: VDI. I have several customers who are extensively virtualized for the desktop environment (80% or more) and who would benefit from user-based differentiated network access. For instance, Call Center users have no need to access Accounting resources. I understand where VSG fits in this picture, but that gives you VM to VM access control. I am looking for user-based authorization. The guest VMs support 802.1x via their native supplicants.
The missing piece for this to work is 802.1x CoA in Nexus 1000v, which is not available. I have not found a way around this lack. If anyone has a suggestion for implementing user authorization in a VDI environment, I would appreciate the input. Failing that, is 802.1x support in the 1000v on the roadmap?
I see that the 1000v now supports SGTs. But without user authorization to assign them, this is pretty much useless.

Ravi,
Is 802.1x supplicant only available with the RDP display protocol? Is it not available with PCoIP?
Not all networks are SGT ready and would not be able to benefit from the capability in the document from the link you provided. Is it not possible to have downloadable ACLs enforced by the AnyConnect?
I have also been trying to find out if VM-FEX ports are capable of 802.1x and dACL, but haven't found anything that says it is supported. My thinking is that since the ports are extended from the network to the VM, it may be a possibility.
Thanks,
Mark
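The exchange the original post is asking the Nexus 1000v to support is a RADIUS Change-of-Authorization (RFC 5176): after a user authenticates, ISE sends a CoA-Request to the network device, and the device re-authenticates or bounces the session so the new user-based policy (dACL or SGT) takes effect. The following is an added example, not code from the original thread, from Cisco, or from ISE. It builds the packet an ISE policy node would send for a re-authentication using the Cisco AVPair form `subscriber:command=reauthenticate`, and implements the check a network device must perform before honouring it (Request Authenticator and Message-Authenticator under the shared secret). The shared secret, session ID, identifier and port are constructed for the example.

```python
"""RADIUS CoA-Request (RFC 5176) builder and verifier. Added example; not ISE or Cisco code.

Shows both sides of the exchange: the sender (ISE) assembles a CoA-Request with a
Message-Authenticator and Request Authenticator, and the receiver (the switch) checks
both before acting. Session ID, secret and identifier below are constructed values.
"""
import hashlib
import hmac
import struct

COA_REQUEST = 43            # RFC 5176 packet codes
DISCONNECT_REQUEST = 40
ATTR_ACCT_SESSION_ID = 44    # RFC 2866
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Encode a Cisco AVPair string as a Vendor-Specific attribute (vendor 9, vendor-type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_request(code: int, identifier: int, attributes: list, secret: bytes) -> bytes:
    """Assemble a CoA-Request or Disconnect-Request (sender side)."""
    # Message-Authenticator goes last; its value is 16 zero bytes while the HMAC is computed.
    body = b"".join(attributes) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # HMAC-MD5 over the packet with the Request Authenticator field also zeroed.
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret).
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def parse(packet: bytes):
    """Split a RADIUS packet into (code, identifier, request_authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver side: accept a CoA/Disconnect request only if both authenticators check out."""
    try:
        code, _identifier, req_auth, attrs = parse(packet)
    except ValueError:
        return False
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False
    header, body = packet[:4], packet[20:]
    expected_ra = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected_ra, req_auth):
        return False
    pos = 20
    for atype, value in attrs:
        alen = len(value) + 2
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            # Recompute the HMAC with the Request Authenticator and the MA value zeroed.
            zeroed = header + bytes(16) + packet[20:pos + 2] + bytes(16) + packet[pos + alen:]
            expected_ma = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected_ma, value)
        pos += alen
    return False  # no Message-Authenticator: refuse rather than act on an unsigned request


def reauth_session_request(session_id: str, identifier: int, secret: bytes) -> bytes:
    """CoA-Request asking the device to re-authenticate one session, keyed by Acct-Session-Id."""
    return build_request(COA_REQUEST, identifier, [
        attr(ATTR_ACCT_SESSION_ID, session_id.encode()),
        cisco_avpair("subscriber:command=reauthenticate"),
    ], secret)


if __name__ == "__main__":
    secret = b"example-shared-secret"                  # constructed
    pkt = reauth_session_request("0A0A0A0100000123ABCDEF01", 7, secret)  # constructed session ID
    print(pkt.hex())
    print("device accepts:", verify_request(pkt, secret))
    print("wrong secret accepted:", verify_request(pkt, b"not-the-secret"))
```

The receiver side is the part the 1000v lacks: without a CoA listener that validates and acts on this request on UDP 1700 or 3799, ISE can only influence the session at the next authentication. Note that RFC 5176 authenticators are MD5-based, so the shared secret is the only thing protecting the device from a spoofed Disconnect or re-authorization; restrict CoA sources to the ISE policy nodes and keep the secret per device.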

Similar Messages

  • Cisco ISE & NAC Agent in a Vmware View VDI Environment

    Hi,
    Anyone deployed Cisco ISE NAC agent on a vmware view virtual desktop environment (VDI)?

  • Running Permission Scripts for App-V packages in VDI environment

    Hi
    We use App-V 5.0 SP1 in VDI environment.
    We have a major problem with packages' permissions
    Our users don't have administrative privileges on their machines.
    As the option for "Security Descriptors" is discontinued, the only way to give permissions to a folder in a package is to use VFSCACLS.vbs as a startup script of the package.
    This way, the first time users launch an application they're prompted to reopen it, and the second time they can use the application with the needed permissions.
    The problem:
    The script saves those permission changes under LOCALAPPDATA\AppV...
    Therefore, every time the users log off the folder is deleted (VDI...) and, again, they must run the script for the first time to get the permissions back after logon!
    We cannot roam the LOCALAPPDATA\AppV folder as its size can be dozens of GBs...
    Folder permissions with group policy are also not a solution, as the folder name changes every time we upgrade a package and it's impossible to follow with hundreds of packages.
    So either we're missing something critical in the architecture with the VDI environment or there's a normal solution for these situations.
    Would love to get some help
    Thanks
    Tamir Levy

    Hi Nicke
    That's what I did! The problem is that I find myself over and over again wanting to sequence packages in App-V 5.0 and forced to sequence them in App-V 4.6.
    I really hope that it wasn't the App-V team's goal, announcing App-V 5.0 and telling us it doesn't support many things so we will still need App-V 4.6 forever.
    I have to maintain 2 different App-V environments with 4 different servers, 4 different sequencers and 2 clients on each computer. It doesn't make any sense for me to be forced to stay with both of the versions forever.
    Correct me if I'm wrong, but App-V 4.6 is a legacy application. The new versions only cover support for newer operating systems and nothing more. I won't be surprised if the next version of MDOP won't come with App-V 4.6 anymore and Microsoft will announce
    it's unsupported very soon.
    Every time I open a ticket with MS Support the best thing I get is "It's a known issue, we can't tell when it will be fixed".
    Can you help me more? Move it forward to other people from the inside? At least agree with me that something is not as expected in App-V 5.0... :(
    I love the technology, I believe in it, I kinda depend on it and I only want it to be better.
    Tamir Levy

  • Deploying Acrobat X in VDI environment

    Hi
    We're moving to a VDI environment in our organization with a Windows 7 image.
    One of the goals is to have the minimum amount of master images for the users. Therefore only components and middleware are installed on the master image and our main solution for dynamic deployment of applications is Microsoft App-V.
    Now the issue is with deploying Acrobat X (Standard or Pro). Acrobat X can be packaged with App-V but one of the main features that doesn't work is grabbing a docx file and converting it to PDF.
    I thought it's because the Adobe PDF printer is missing from the package, though I tried to install it locally and still didn't manage to operate it, so I'm not sure if this is the problem and obviously it's not that easy to debug.
    The error message is:
    Unable to find "Adobe PDF" resource files. Do you want to run the installer in repair mode?
    As Adobe Acrobat is one of the most common 3rd party software products in the market, I wanted to hear what Adobe has to offer for companies that are headed for this type of technology. I know that, for example, Adobe Reader XI comes with the App-V Deployment Kit that installs all the necessary components of the product locally in order to deploy the software by App-V with all the features available, but I didn't find anything similar for Acrobat XI.
    Obviously my last option is to add 2 separate images (one with Acrobat Pro and one with Standard) and have a security group for every group of product users, but it's the hardest to maintain.
    Hope to get a solution from you here.
    thanks

    Hi Tomtomlevy,
    I can't give you the good answer you deserve because App-V was not supported in X. However, it's apparently been delivered that way successfully by many admins. Probably the component you need is PDFMaker, but I'm not sure.
    In any case, maybe someone who has experience will post here, but you may have better luck on an App-V forum.
    Ben

  • Flash builder 4.7 consuming lot of memory in VMware VDI environment.

    Flash Builder 4.7 is consuming a lot of memory in a VMware VDI environment. When we debug the application it throws an out of memory exception. We need to close and relaunch the Flash Builder IDE numerous times. Can you please help us with the setting changes we need to make for Flash Builder or the VMware VDI environment so that we can resolve this issue?

    Hi Atul_Saini,
    So I checked your link and all seems correct on my computer.
    At the bottom of the link you provided there is a "see also" section about activation / deactivation.
    I did not deactivate my licenses before my Windows re-install, and if I now go to Flash Builder -> Help, the deactivation button is greyed out. Could the source of my problem be that I used my licenses on two computers and did not deactivate them?
    If yes, how could I deactivate those products? I searched in my profile but I can't find a way to do it.

  • ISE Configuration in Distributed Environment

    Hi All,
    I have quick questions about ISE deployment in a distributed environment, as I have purchased 2 x Cisco ISE 3395 for the data center and 3 x Cisco ISE 3355 for remote locations, with 3500 Base licences and 500 Advanced licences.
    I have some questions on this deployment.
    I will install one 3395 in the primary data center and the other 3395 in our secondary data center, as Primary Admin + Primary Monitoring and Secondary Admin + Secondary Monitoring,
    and each 3355 will be installed in a remote location as a policy server. My question is: will this be the correct deployment?
    Or, while configuring the 3395s, do I need to configure a Policy Server as well, in addition to Primary Admin and Monitoring?
    Or please suggest the best deployment strategy!
    Thanks,
    Sachin

    Thanks for the reply,
    All three sites are connected via MPLS with 100 MB redundant bandwidth.
    We have 2 data centers, one primary and the other secondary, and all client locations are connected with 100 Meg links, where I am planning to install the 3355s, which will act as authentication servers.
    But now my question is:
    3395 - Primary Admin+Primary Monitoring - Primary DC
    3395 - Secondary Admin+ Secondary Monitoring - Secondary DC
    3355- will say for one remote location(PSN)
    3355- Second remote Location(PSN)
    3355- third Remote location (PSN)
    thanks,
    Sachin

  • Deploying Adobe Acrobat Pro XI in a VDI environment

    In our VDI environment (using VMware Horizon View 5.3), we are using a Windows 8.1 base image (Parent VM) with Adobe Acrobat Pro XI installed on it (signed-in and registered). We then deploy new instances (Linked-Clones) of Windows 8.1
    using this base. When userA logs into any desktops we have deployed from this Windows 8.1 base image, they get prompted to license the software: 1) Sign in and 2) Provide serial number.
    Even though UserA licenses the software properly on DesktopA, they get prompted for the same licensing information on DesktopB and so on.
    I have tried to virtualize the application using VMware View ThinApp. Same issue.
    What is the proper way to distribute the application to multiple systems/users without running into this licensing loop?
    I have read this post, but no luck: Packaging Adobe Acrobat XI Pro - Bug after installation
    Thanks.

    First thing to know is that VMware Horizon View 5.3 isn't a currently supported environment. They support Citrix XenApp.
    Second, VMware's ThinApp implementation isn't supported either. They do support MS App-V.
    See the following documentation:
    12   Citrix Deployments — Enterprise Administration Guide
    14   App-V Deployment — Enterprise Administration Guide
    Finally, the issue that you are running into is likely a permission problem on the licensing folders.
    Have a look at this KB and adjust your permissions on these folders with appropriate permissions to see if that makes a difference.
    Error "License store does not allow writing" | Install log | CS5, CS5.5

  • Best practice to run Microsoft Endpoint Protection client in VDI environment

    We are using a Citrix XenDesktop VDI environment. The Symantec Endpoint Protection client (VDI performance optimised) has been installed on the "streamed to the clients" virtual machine image. Basically, all the files (in the golden image) have been "tattooed" with a
    Symantec signature. Now, when a new VM starts, the Symantec scan engine simply ignores "tattooed" files and also randomises scan times. This is a rough explanation but I hope you've got the idea.
    We are switching from Symantec to Microsoft Endpoint Protection and I'm looking for any information and documentation regarding best practice for running Microsoft Endpoint Protection clients in a VDI environment.
     Thanks in advance.

    I see this post is a bit old but the organization I'm with has a very large VDI deployment using VMware. We also are using SCEP 2012 for the AV.
    Did you find out what you were looking for or did you elect to take a different direction?
    We install SCEP 2012 into the base image and manage the settings using GPO and the updates for defs are through the normal route.
    Our biggest challenge is getting alert message from the client.
    Thanks

  • ZCM 11.2.4 in a VMWare View VDI environment

    We have been running 11.2.4 in our View VDI environment and overall been very successful. We just rolled Win 7 and are seeing approx. 10% of the VMs with the zenworkswindowsservice.exe running steadily around 50% for hours. Any thoughts? One thing I just set to try was excluding that from Microsoft FEP AV. Anything other thoughts to resolve? Thanks.

    There are no known issues regarding VMWare view that would cause this.
    For AV see -> http://www.novell.com/support/kb/doc.php?id=7007545
    I find ProcMon from Sysinternals useful to see if other processes such as
    AV are hitting those files unexpectedly. A few times I have seen AV
    exclusions not quite working as expected until tweaked.
    The ZMD-Messages.log may show if the agent is doing something....
    On 9/30/2014 9:36 PM, harrymsg wrote:
    >
    > We have been running 11.2.4 in our View VDI environment and overall been
    > very successful. We just rolled Win 7 and are seeing approx. 10% of the
    > VMs with the zenworkswindowsservice.exe running steadily around 50% for
    > hours. Any thoughts? One thing I just set to try was excluding that
    > from Microsoft FEP AV. Anything other thoughts to resolve? Thanks.
    >
    >
    Going to Brainshare 2014?
    http://www.brainshare.com
    Use Registration Code "nvlcwilson" for $300 off!
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Technical Support Engineer
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • Soft VOIP in a VDI Environment

    I've been tasked with conducting research and looking into adding a Soft VOIP solution into our VDI environment. Aside from a local call manager, what else would help us in the deployment of this solution? I know this is not a cookie cutter solution, but I'm beginning to put together a wish list and figuring out exactly what this is going to take. Thanks for the help.

  • Adobe CS5 in Thin VDI environment

    My company is moving to a thin client VDI environment. Our shop is a graphic, photo, and video shop currently using Adobe CS5 Master Collection. We primarily use Photoshop, Illustrator, and Premiere Pro. Will these programs be fully functional in a thin environment, especially Premiere Pro? TIA Lisa

    Erm, no. Sorry, given the dependency for hardware acceleration in Premiere Pro, this is just a stupid move. And even PS has hardware acceleration features for 3D, clone stamp overlays, canvas rotation, art brushes... Seriously, you're shooting yourselves in the foot.
    Myleniuzm

  • Office 2003 Activation in VDI environment

    Hi,
    Does Office 2003 support KMS activation? If not, how do I activate Office 2003 in a VDI environment? I have activated 2010 and 2013 in a VDI environment successfully, but I'm not sure about 2003.
    Thanks and Regards
    J.P Raj

    Hi Don,
    Thanks for your confirmation on KMS activation: 'There is no "activation" needed for Office2003 nor Office2007'.
    Does this mean no key installation and activation is needed if we use Volume Licensing channel products?
    Our real problem is that the activation state will not be retained (on logoff, restart) in virtual desktops if we use
    MAK-type activation.
    Thanks and regard's
    J.P Raj
    For the VL channel products, Office2010/2013 uses Volume Activation v2.0, which involves the use of KMS, or, MAK.
    VL channel products of Office2003/Office2007, do not use VA v2.0, they only use a type of CSVLK (Customer Specific Volume License Key), which does not require to be "activated" with MS, nor with any on-premise activation service.
    So, when you install these older products, yes, you must input a product key (or have the installation customised in such a way that the relevant key is applied automatically).
    For Office2007, you can use the same approach as you would for Office2010/2013, i.e., use the config.xml, or the OCT.
    For Office2003, you must use the ORKtools to generate an MST, or, modify the setup***.ini (I think, it has been a very very long time since I built Office2003 packages ;)
    We used to have large VDI pools of WindowsXP+Office2003, and, WindowsXP+Office2007, they were all setup this way and never had any activation issues at all.
    Many of the VDI pools we had, were destroyed every night, and no issues with Office2003/2007 at all.
    For newer versions of Windows+Office, we use KMS, many thousands of VDI's and physicals.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • How to license Adobe Photoshop in VDI environment.

    Hi,
    How do I license Adobe Photoshop in a VDI environment where the virtual desktops will be provisioned from a single master image?
    Are any best practices or guides available?
    Thanks & Regards
    J.P Raj

    Hi Noel,
    No issues with Photoshop functionalities. We have an Nvidia K1 GRID GPU in the server and, using hypervisor functionality, we provide a share of this GPU to each VM or desktop.
    Our issue is that when we provision a new VM or desktop from the image it undergoes a preparation phase (sysprep), so any activation status is flushed. To avoid this we normally use network or floating licenses (user based). I want to know how this would work in the Photoshop case.
    Thanks and regards
    J.P raj

  • Break the Password of ISE in a virtual Environment.

    Hi All,
    I have forgotten the password of my ISE. In fact it is running on a Secure Network Server 3415. This equipment was installed by my ex-colleague and he left the organization. Please help me and let me know how to break the password in ISE, which is running in a virtual environment.
    Please let me know if you need more information on this.
    Regards, 
    Shafi U

    As per the Cisco TAC case Update : 
    For 3415 there are two options:
    1. ISO can be converted into a bootable USB drive.
    2. The CIMC can be used to mount the ISO file from your computer as a virtual disk onto the appliance.
    Let me know if anyone has the direct link where I can download the ISO. 

  • Cisco ISE in Apple Mac Environment

    Hi,
    One of our clients need to implement BYOD in their network. They are using Mac servers and clients. The requirement is to authenticate (wireless) users against the Mac directory server, in order to provide access to resources. I am trying to figure out whether Cisco ISE can perform LDAP authentication with Mac server. As per this document, Mac server is not a supported external identity source/LDAP server. Currently they are providing access to users by adding MAC addresses to WLC manually, which is not practical now due to increase in number of end devices, and limitation in MAC addresses supported by WLC (2048).
    Is it possible to implement this? Has anyone come across a similar scenario?
    Thanks,
    John

    The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other attributes that are associated with the user for use in authorization policies. You must configure the external identity source that contains your user information in Cisco ISE. External identity sources also include certificate information for the Cisco ISE server and certificate authentication profiles.
    Both internal and external identity sources can be used as the authentication source for sponsor authentication and also for authentication of remote guest users.
    Table 5-1 lists the identity sources and the protocols that they support.

    Table 5-1 Protocol Versus Database Support

    Protocol (Authentication Type)                        | Internal Database | Active Directory | LDAP | RADIUS Token Server or RSA
    ------------------------------------------------------+-------------------+------------------+------+---------------------------
    EAP-GTC, PAP (plain text password)                    | Yes               | Yes              | Yes  | Yes
    MS-CHAP password hash: MSCHAPv1/v2, EAP-MSCHAPv2, LEAP | Yes               | Yes              | No   | No
    EAP-MD5, CHAP                                         | Yes               | No               | No   | No
    EAP-TLS, PEAP-TLS (certificate retrieval)             | No                | Yes              | Yes  | No

    Note: For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required, but are optional and can be added for authorization policy conditions.

    Abbreviations: LDAP = Lightweight Directory Access Protocol; EAP-GTC = Extensible Authentication Protocol-Generic Token Card; PAP = Password Authentication Protocol; MS-CHAP = Microsoft Challenge Handshake Authentication Protocol; MS-CHAPv1/v2 = Microsoft Challenge Handshake Authentication Protocol Version 1/Version 2; EAP-MSCHAPv2 = Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol Version 2; LEAP = Lightweight Extensible Authentication Protocol; EAP-MD5 = Extensible Authentication Protocol-Message Digest 5; CHAP = Challenge-Handshake Authentication Protocol; EAP-TLS = Extensible Authentication Protocol-Transport Layer Security; PEAP-TLS = Protected Extensible Authentication Protocol-Transport Layer Security.
    and for the WLC Check the Link : www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo
