Meet the user environment management system, Norskale VUEM

    Introduction

    Among the many tasks an IT service faces in managing an enterprise's information environment, one of the main ones is supporting and maintaining the user environment. First of all, users must be given a workspace that is as convenient as possible and at the same time safe, so that they can perform their functions effectively. Many system administrators still face this dilemma.
    With the development of high technologies, the requirements for the user work environment are growing, both from the users themselves (access to more local and network resources) and from the IT side (new applications require more computing power).
    The advent of the era of virtualization has further increased the importance of managing the user environment, because it moves from physical workstations to data centers (virtual desktops, terminal servers). As a result, a distributed user environment requires more complex configuration and support, which in turn reduces its performance, since standard management tools (group policies, logon scripts, etc.) cannot cope with the task in the new conditions. This prompts the IT service to look at specialized solutions for this task.
    One of these solutions is Norskale VUEM, which will be discussed below.
    Feature Overview

    Norskale VUEM is a full-featured User Environment Management solution.
    The main features include:
    1. Simple architecture even for complex environments;
    2. Easy to deploy and configure. For the deployment of the pilot environment, 1 day is enough;
    3. The ability to replace logon scripts, as well as GPP (Group Policy Preferences) and GPO (Group Policy Objects), which are responsible for setting up the user environment;
    4. Flexibility in assigning resources to users by creating rules and conditions;
    5. Improving workstation productivity by optimizing the use of processor and memory resources;
    6. The ability to control running processes without the need to configure AppLocker or Software Restriction Policy;
    7. Instant logout when closing a session due to Fast Logoff technology;
    8. Support for Citrix User Profile Management;
    9. The ability to provide users with Self-Service functions without violating the level of security of the environment;
    10. Ability to convert legacy workstations to full-featured thin clients using Transformer.

    Next, we consider the architecture features of the VUEM solution, as well as the main stages of its installation and basic configuration.
    Architecture

    The solution consists of the following components:
    1. Broker. Performs the management function. On the one hand, it interacts with agents, assigning them policies and environment settings. On the other hand, it is responsible for saving the environment configuration in a dedicated database.
    2. Database. Stores the configuration of the entire VUEM environment.
    3. Agents. A client component installed on the workstations and servers that the VUEM environment is deployed to manage. The agent's main tasks are to interact with the broker to obtain policy settings and to apply these settings to the local system. Agents do not have direct access to the database.
    4. Management Console. The main VUEM environment management tool, used among other things to customize agents and user workspace settings.

    Schematically, the interaction of VUEM components can be represented as follows:
    In the logical structure of the VUEM environment, the main element is a site, which is nothing more than a logical group of agents connected by common environmental parameters, for example, workstations operating in kiosk mode or terminal servers. In addition to general environmental settings (desktop settings, Start menu, Windows Explorer, etc.), you can configure access to resources (applications, printers, network drives, etc.) for individual user groups within the site.
    Practice shows that the vast majority of VUEM implementation scenarios involve more than one site. Although the optimal number of VUEM sites should be determined at the design stage of the VUEM architecture, design errors are not critical and, as a rule, do not lead to redoing the entire environment. Sites can easily be added and removed, and agents can be associated with them after installation.
    An example of a relatively simple architecture is presented in the following diagram:

    Even in the case of a more complex infrastructure with remote offices with limited bandwidth, the VUEM solution can be optimally designed:

    Note:

    In "Local Mode", the broker uses the built-in local cache instead of constantly accessing the database. The database is used only when the necessary data is absent from the cache, which optimizes the use of bandwidth between the central and remote offices.
    Installation and initial configuration

    Like any software, VUEM components have a number of hardware and software requirements for the information environment in which they are deployed. First of all, it is worth noting that you can use any operating system, both for a broker and for agents, starting with Windows XP SP3, including server operating systems from Windows Server 2003.
    Before you begin installing any of the components, you must verify that .NET Framework 4.0 is present, or preinstall it if necessary. Other necessary elements (for example, SQL Server Compact Edition, MS Sync Framework) will be installed automatically during the installation process.
    As a database, VUEM only supports Microsoft SQL Server (including the Express edition) starting from version 2005.
    The deployment process for VUEM can be divided into the following steps:
    1. Installing a database server. You do not need to create and configure the database itself beforehand.
    2. Installation of a broker;
    3. Creation and configuration of the database;
    4. Connecting a broker to the database;
    5. Installation of the management console;
    6. Agent installation
    7. Assigning agents to relevant sites;
    8. Configuring the necessary site elements.

    As you can see, each environment component is installed separately and independently, and then the necessary connections between them are configured.
    The process of installing VUEM components (broker, management console and agents) is as simple as possible and consists in launching the corresponding executable file and blindly following the installation wizard by clicking Next. The only parameter that can be changed during the installation process is the path to the installation folder.
    The success of installing these components can be checked by the presence of the Norskale Infrastructure Service for the broker and the Norskale Agent Host Service for the agent.
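    A post-install check for the .NET prerequisite and the services named above, as an added example that is not part of the original article or the vendor's tooling. It assumes the two service names given in the article are the services' display names; the function name Test-VuemComponent and its output fields are hypothetical. It also reports the account each service runs under so that it can be reviewed.

```powershell
# Added example: post-install check for a VUEM broker or agent machine.
# The service display names come from the article; the function name and
# output fields are illustrative.
function Test-VuemComponent {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Broker', 'Agent')]
        [string]$Role
    )

    $displayName = @{
        Broker = 'Norskale Infrastructure Service'
        Agent  = 'Norskale Agent Host Service'
    }[$Role]

    # .NET Framework 4 prerequisite: each installed profile has Install = 1
    # under this registry key (4.5+ in-place upgrades set it as well).
    $ndpRoot = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4'
    $profiles = @('Full', 'Client' | Where-Object {
        $key = Get-ItemProperty -Path "$ndpRoot\$_" -ErrorAction SilentlyContinue
        $key -and $key.Install -eq 1
    })

    # Get-WmiObject is available in Windows PowerShell 2.0 through 5.1.
    $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$displayName'"

    $state = $null; $startMode = $null; $logon = $null
    if ($svc) {
        $state     = $svc.State      # Running, Stopped, ...
        $startMode = $svc.StartMode  # Auto, Manual, Disabled
        $logon     = $svc.StartName  # account the service runs as
    }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        Role           = $Role
        DotNet4Profile = ($profiles -join ',')
        ServiceFound   = [bool]$svc
        State          = $state
        StartMode      = $startMode
        LogonAccount   = $logon
        # Installed per the article's criterion (service present) and running.
        Healthy        = [bool]$svc -and ($state -eq 'Running') -and ($profiles.Count -gt 0)
    }
}

# Run on the machine being checked; use -Role Agent on workstations.
Test-VuemComponent -Role Broker | Format-List
```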
    The first thing to do after installing the broker is to create and configure a database for the VUEM environment. To do this, use the Database Management utility, which is installed together with the broker.

    Next, you need to start the Create Database Wizard by clicking Create Database.
    The first page contains information about the database (server name, name and path to the database itself):

    IMPORTANT:
    The Data File and Log File parameters are set automatically and point to the default file location used when installing SQL Server. If your existing SQL server uses other paths, you must specify them here manually. If this is not done, then at the end of the wizard a rather uninformative error message, “Database creation error!”, will appear.
    Going to the next page of the wizard, you need to specify the account with which the database will be created.

    By default, the account of the user who launched the configuration wizard is used. If this user does not have sufficient permissions to create the database, you must either disable the Use Integrated Connection option and specify the internal SQL server account, or log in to the system as another user.
    Next, you need to determine the group of administrators of the VUEM environment, as well as the account under which the broker will connect to the database.

    Note:
    If you do not specify an account for the broker, the wizard creates an internal vuemUser account on the SQL server with the necessary permissions.
    On the last page of the wizard, after checking the correctness of the entered data, you must start the database creation process by clicking Create Database.

    After receiving confirmation of the successful creation of the database, the installation wizard can be closed, as well as the Database Management utility itself.
    At the next stage, you need to connect the broker to the previously created database using the Broker Service Configuration utility (also installed with the broker):


    To apply and save the configuration, click Save Configuration, which will restart the Norskale Infrastructure Service broker service.
    Now the server side of the VUEM environment is ready for further configuration.
    Introducing the Management Console

    As mentioned above, a separate console is used to configure the VUEM environment, which is installed independently.
    When you open the Norskale Administration Console for the first time, you must manually connect to the broker by clicking the Connect button.

    In the window that opens, specify the broker name and port, then click Connect.

    Note:
    To prevent this window from appearing each time the console is opened, it is enough to activate the automatic administrative login:

    After opening the console, it looks like this:

    At first glance, the variety of sections with various parameters can scare away an inexperienced administrator, creating a false impression of the complexity of managing the environment. If you look closely at each section, the purpose of the vast majority of parameters will become obvious and intuitive. In general, if you were dealing with setting up a user's environment using group policies, then you already know most of the management console.
    However, the following table provides a brief description of each section:
    Section | Purpose | Comment
    --- | --- | ---
    Actions | Local resources that must be controlled | Very similar to the structure of Group Policy Preferences, right? In essence, that is what they are.
    Filters | Terms and conditions under which resources are provided to users | If the user or their workstation satisfies the conditions, the resource will be available
    Assignments | Assigning resources to users with conditions from the Filters section | Before a resource is assigned to a user, the user must be added to the Configured Users section
    Configured Users | Users whose access to resources must be controlled | You can specify both individual users and their groups. Priorities are used to resolve conflicts in the allocation of resources
    System Utilities | Optimization technologies for CPU \ RAM, as well as white and black lists of processes |
    Policies and Profiles | The main set of parameters for setting up the user's environment. Also includes customization of Citrix User Profile Management and Microsoft User State Virtualization. | These parameters are usually configured in group policies
    Transformer Settings | A dedicated section for activating and configuring the kiosk mode on the workstation, essentially transforming it into a thin client |
    Advanced Settings | Parameters for configuring agents, as well as for additional tuning of the entire environment | Some parameters are required for normal operation of the environment.
    Administration | Allows you to delegate authority to manage the environment, as well as view the change log and brief user statistics |

    To make this dry description of the console clearer, the following are examples of some environment settings:



    Agent installation and configuration

    As mentioned above, an agent in a VUEM environment can be either a workstation or a server: in general, any computer running Windows that can host a user's workspace (general or corporate workstations, terminal servers, etc.). To turn a workstation or server into a VUEM agent, it is enough to install a special software module that does not burden the system (it uses no more than 20Mb RAM). This module periodically contacts the broker to monitor and control the user's working environment settings configured in the management console.
    Like the broker, the agent is simple to install, and the installation has no parameters other than the path to the installation folder. But to function normally, the agent needs to know at least the name of the site to which it belongs and the name of the broker. You can use the attached administrative template for group policies to configure these settings.

    In the process of its work on the workstation, the only thing that displays the presence of the VUEM agent is the icon in the system notification area on the taskbar:

    Also, when updating the settings, a window appears briefly:

    If necessary, both of these elements can be hidden in the management console. There you can configure other parameters of the agent, changing both its appearance and behavior when interacting with a broker:



    Agent parameters, like most other parameters in the console, are global for the entire VUEM site and apply to the workstation regardless of the connected user.
    Some of the agent settings are closely related to the user environment settings made in other sections of the console. Therefore, in order to determine which of them need to be activated, it is important to understand the purpose of the site itself, or rather the workstations \ servers included in its composition.
    For example, a site has been created designed to restrict access to the desktop and environment settings. Assigning resources (application shortcuts, network drives, etc.) on workstations is not required. In this case, there is no need to activate the “Advanced Settings \ Main Configuration \ Agent Actions” section for the agent (see the screenshot above).
    Transformer

    Transformer is an optional VUEM component with separate licensing. The main task of this component is to transform the workstation into a "thin client", thus relieving the IT service of the need to dispose of an outdated computer fleet.
    To use Transformer, you do not need to install additional software on the workstation other than the VUEM agent itself. The component is configured in a separate section of the management console, “Transformer Settings”, which allows not only restricting access to local computer resources, but also specifying additional parameters for environments such as Citrix XenApp / XenDesktop, VMware View, and Microsoft RDS.
    Using Transformer, you can implement several thin client options.
    First of all, we are talking about the classic "thin client", on which access to local resources is completely closed. For such a client to function properly, you must provide the Citrix Web Interface server address in order to gain access to remote resources.
    The images below show an example of Transformer configuration for this scenario, as well as the appearance of the workstation as a “thin client”.

    In addition to directly activating Transformer, additional settings must be made to prevent the user from switching to the local desktop.

    After performing this minimal configuration, the appearance of the desktop will look like this:

    Another version of the “thin client” is a workstation on which free access to external resources, including Citrix, VMware and RDS environments, must be closed. Moreover, the task is to protect the local resources of the workstation as much as possible, making available only those resources that are defined by the administrator.
    In this case, in the Transformer settings, you need to remove the Web Interface server address and activate the application panel, as shown in the screenshot below:

    Thus, instead of the web page for entering the Citrix environment, the user will be presented with a list of local applications created and assigned previously in the management console VUEM.
    After these manipulations, the user will receive a desktop of the following form:

    Of course, in order to prevent user access to local resources (disks, command line, control panel, etc.) from within applications, it is also necessary to configure other VUEM parameters discussed above.

    Conclusion


    This article provides an overview of one of the leading UEM solutions in the IT market, Norskale VUEM, including an additional component, Transformer.
    Despite the simple architecture, VUEM functionality is able to meet the needs and expectations of companies of various sizes, from small offices to the enterprise level. Implementing the VUEM solution for managing the user workspace provides a higher level of flexibility and productivity of the user environment, and its uniformity when used in different scenarios. This increases users' satisfaction with the convenience of their work, which leads to better adaptation of new technologies.
