install admin

Upload: raghavendrayadav

Post on 09-Nov-2015


  • © 2010 Quest Software, Inc. ALL RIGHTS RESERVED.

    This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

    The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

    If you have any questions regarding your potential use of this material, contact:

    Quest Software World Headquarters
    LEGAL Dept
    5 Polaris Way
    Aliso Viejo, CA 92656
    www.quest.com
    email: [email protected]

    Refer to our Web site for regional and international office information.

    This software includes the following third-party software:

    Software developed by the Apache Software Foundation (www.apache.org). Copyright 2001-2004 The Apache Software Foundation. Licensed under the Apache License, Version 2.0, a copy of which is included on the software media.

    ViewerX VNC ActiveX Control version 2.9.5.4. Copyright 2003-2009 SmartCode Solutions.

    OpenSSL 0.9.8. Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

    Net::SSLeay Copyright (c) 1996-2002 Sampo Kellomaki Copyright (c) 2005 Florian Ragwitz Copyright (c) 2005 Mike McCauley All Rights Reserved. Distribution and use of this module is under the same terms as the OpenSSL package itself (i.e. free, but mandatory attribution; NO WARRANTY). Please consult LICENSE file in the root of the OpenSSL distribution.

    Snmp Sharp net version 0.7.8 Copyright Milan Sinadinovic 2008, GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007, Copyright 2007 Free Software Foundation, Inc.

    NHibernate version 1.0.4.0 GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, Feb 1999. Copyright (C) 1991, 1999 Free Software Foundation, Inc. For full license text, see http://www.quest.com/legal/third-party-licenses.aspx.

    ISC DHCP Daemon, version 4.1.1. Copyright 2004-2010 by Internet Systems Consortium, Inc. ("ISC"). For full license text, see http://www.quest.com/legal/third-party-licenses.aspx.

    PuTTY is copyright 1997-2009. For full license text, see http://www.quest.com/legal/third-party-licenses.aspx.

    Perl Kit, Version 5.8 Copyright 1989-1999, Larry Wall, licensed under GNU Library GPL 2.0 or Perl Artistic License.

    Mono Terminal 1.0. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: Copyright (c) 2008 Novell, Inc.

    Patents

    Protected by U.S. Patent numbers 6,880,002, 6,990,666, 7,257,584, 7,287,186, 7,643,484, and 7,769,004; additional patents pending.

    Trademarks

    Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery, Cloud Automation Platform, Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI, vFoglight, vPackager, vRanger Pro, vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Vizioncore vWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.

  • Contents

    Installation and Administration Guide

    Target Audience
    Release Notes
    About This Book
    Documentation
    Contact Information
    Typeface Conventions
    Acronyms and Abbreviations

    1 Introduction
        Architecture Overview
        Components and Solutions
        Solution Licensing

    2 Before You Start
        Determining the Scope of Your Installation
        System Requirements
        Additional Considerations
        Network Communication
        Configuring IIS V. 7 on Windows 2008 R2
        Configuring Remotely Managed Hosts
        About Partner Extensions
        Security And Encryption
        Choosing a Windows Account for the Agent Service (Altiris)
        Using the vcsadmin Utility

    3 Product Installation
        Installation Scenario Overview
        Installing the Core Services
        Installing the Agent Services
        Installing the Web Application and Solutions
        Installing the SOAP API
        Installing the Advanced Enterprise Pack (Optional)
        Installing the Quest CAP Agent (Altiris)
        About the CAP SOAP API Client
        Launching the CAP Web Interface

    4 Remote Access
        Universal Remote Access
        Web Browser and Connectivity Test
        Classroom Readiness Test
        Remote Access Solution System Requirements
        Conducting Web Browser and Connectivity Test and CRT
        Troubleshooting

    5 Advanced Networking
        Networking Overview
        NAIL Overview
        Configuring NAIL Server Advanced Mode
        Using VLAN-isolated DHCP Networks
        Using Network Switch Automation
        NAIL Server Troubleshooting
        NAIL Diagnostics Error Message
        Using NAIL Driver
        Masquerading
        Migrating From NAIL Driver to NAIL Server

    6 Configuration and Administration
        Moving an Existing Library Location
        Migrating the Agent Services and RSM
        Configuring Storage and Shared Access
        Managing Virtualization Hosts
        Recovering and Managing Missing Items
        Using the Dashboard
        Using High Availability with VMware vSphere
        Physical Provisioning
        Installation for a Secure IIS Service Account
        Installing the Add-In for HP Quality Center
        Editing Advanced Configuration Settings

    7 Troubleshooting
        General Troubleshooting First Steps
        High I/O and CPU Rates
        Log In Failures with RDP Access
        Altiris Deployment Server, Suspended Scripts
        Error While Adding Host to Pool
        Install Microsoft IIS Before .NET Framework
        Installation Error Messages
        Dashboard: Enabling SSL

    8 Image Management
        Image File Types
        Duplicating Image Files
        Creating New Images
        Preparing Images
        Agentless Images
        Converting Hardware Versions for .vmdk Files
        Using NAIL Driver on Windows Images

    9 Physical and Network Resources
        Overview of Resources
        Resource Pools
        Network Resources
        System Library Locations
        File Caches and File Cache Locations
        Virtualization Hosts
        Virtual Machines

    10 System Library Objects
        Library Objects Overview
        Image Files
        Deployment Action Files
        Hardware Profiles
        Server Configurations
        Application Configurations
        Snapshots
        Catalogs
        Managing System Library Objects

    11 Deploying and Managing Sessions
        Prerequisites to Deployment
        Scheduling a Session Reservation
        Deploying a Session
        Deploying a Session As a Service
        Reservations Requiring Approval
        Deploying a Session in Debug Mode
        Deploying a Session in Persistent Mode
        Deployment Actions
        Managing Sessions

    12 Access Control
        Overview
        Privileges
        Privilege Sets
        Groups
        Users
        Manually Changing Access to Objects

    13 User Management
        Organizations
        Creating User Accounts
        Creating Groups
        Quotas
        Personas
        Authentication Methods

    14 System Monitoring
        Monitoring Log Files
        Viewing Audit Log Information
        System Notifications
        Monitoring Components Using E-mail
        SNMP Event Broadcasting
        Monitoring Components Using Syslog
        Monitoring Scripts

    15 Reports
        Report Types
        Managing Reports
        Customizing Reports
        Setting Access for Individual Reports

    A Syslog Settings
        Syslog Handler Settings
        Syslog Facilities
        Severity Levels
        Setting Up Filters and Scripts

  • Preface

    The Quest Cloud Automation Platform Installation and Administration Guide provides information to assist you with the process of installing and configuring a Cloud Automation Platform (CAP) environment.

    After you complete the installation, see the online Help for information about using the CAP web interface to create, manage, and configure the Cloud Automation Platform users and objects.

    Target Audience

    The target audience for this book includes the individual responsible for installing the Cloud Automation Platform and performing the initial configuration required to begin using the product on a day-to-day basis. Typically, these users are system administrators. Additionally, Organization Administrators who are responsible for creating new users and populating the library should read this guide.

    Release Notes

    Before installing the product, review the Release Notes. Information about the Quest Cloud Automation Platform, the QA/Test Solution, Demo Solution, and Training Solution is included in the Release Notes. The Release Notes contain the most current information about the products and should be used in conjunction with other Cloud Automation Platform documents.

    About This Book

    This book provides the information you need to install and configure Cloud Automation Platform components during the initial deployment of an environment. It is not intended to provide a complete description of the features and capabilities of the Cloud Automation Platform and web interface.

    The Installation and Administration Guide consists of the following sections:

    Chapter 1, Introduction
    Chapter 2, Before You Start
    Chapter 3, Product Installation
    Chapter 4, Remote Access
    Chapter 5, Advanced Networking
    Chapter 6, Configuration and Administration
    Chapter 7, Troubleshooting
    Chapter 8, Image Management
    Chapter 9, Physical and Network Resources
    Chapter 10, System Library Objects
    Chapter 11, Deploying and Managing Sessions
    Chapter 12, Access Control
    Chapter 13, User Management
    Chapter 14, System Monitoring
    Chapter 15, Reports
    Appendix 16, Syslog Settings

    Documentation

    The following documentation is available in support of this release:

    Quest Cloud Automation Platform Release Notes

    Quest Cloud Automation Platform Installation and Administration Guide

    Quest Cloud Automation Platform Data Dictionary

    Quest Cloud Automation Platform Upgrade Documentation

    Quest CAP Add-In for HP Quality Center Guide

    Online Help for the Quest Cloud Automation Platform web interface

    SOAP API .chm files

    Contact Information

    To contact Quest Customer Support, use the Support Web page available on our Web site: https://support.quest.com/ContactSupport.aspx.

    Typeface Conventions

    The following typeface conventions are used in this book:

    Component                                                         Convention
    Window and dialog names                                           Title caps, default font
    Emphasis                                                          Italic
    File or directory names                                           Courier
    Examples, including code                                          Courier
    UI commands within a procedure when a specific action is taken    Bold
    New terms                                                         Bold italic
    Typed user input                                                  Bold Courier
    Variables

    Acronyms and Abbreviations

    The following acronyms and abbreviations are used in this book:

    Acronym or Abbreviation    Definition

    API Application Programming Interface

    CAP Cloud Automation Platform

    CD-ROM Compact Disc Read Only Memory

    CPU Central Processing Unit

    DNS Domain Name System

    EPU Effective Processor Units

    GB Gigabyte

    GUI Graphical User Interface

    GUID Globally Unique Identifier

    HBA Host Bus Adapter

    HTTP Hypertext Transfer Protocol

    ICA Independent Computing Architecture

    ICMP Internet Control Message Protocol

    IDE Integrated Drive Electronics

    IIS Internet Information Service

    IP Internet Protocol

    LLP Local Listening Proxy

    MAC Media Access Control

    MDAC Microsoft Data Access Components

    MB Megabytes

    NAIL Network Abstraction and Isolation Layer

    NAT Network Address Translation

    NFS Network File System

    NIC Network Interface Card

    OS Operating System

    PSA Path Signature Analysis

    RAM Random Access Memory

    RSM Remote Server Manager

    RDP Remote Desktop Protocol

    SCSI Small Computer System Interface

    SE Sales Engineer

    SMTP Simple Mail Transfer Protocol

    SQL Structured Query Language

    SSL Secure Socket Layer

    SSPI (Microsoft) Security Support Provider Interface

    TCP/IP Transmission Control Protocol/Internet Protocol

    UI User Interface

    UNC Universal Naming Convention

    URA Universal Remote Access

    URL Uniform Resource Locator

    VM Virtual Machine

    VNC Virtual Network Control

    VR Virtual Resource


  • 1 Introduction

    This chapter provides an overview of the Cloud Automation Platform architecture and components.

    For comprehensive information and procedural instructions for using the CAP web interface to accomplish both administrative and end-user tasks, refer to the Cloud Automation Platform online Help system. For an overview of the workflow and setup tasks to create a basic environment, see the Getting Started section of the online Help system.

    The following topics are discussed in this chapter:

    Architecture Overview
    Components and Solutions
    The CAP Core
    CAP Core Objects
    Reporting Database
    Operations Database
    Solution Licensing

    Architecture Overview

    The method of installing the Cloud Automation Platform components varies depending on the type of environment you have, your choices for storage volumes, and many other details. The following two diagrams illustrate the common architecture layout for a VMware ESX environment and for a Microsoft Hyper-V R2 environment. Many environments are heterogeneous, and contain both Hyper-V R2 and ESX hosts, as well as physical computers hosting either image-based or externally provisioned server configurations. The Cloud Automation Platform architecture is flexible and can accommodate a wide range of environments.

    The following installation scenario depicts an environment using VMware ESX virtualization hosts. The CAP Core components, the CAP web interface, the QA/Test Solution, and the Demo Solution are installed on three different servers. All of the platform components can be installed on a single server, but as a best practice, Quest Software recommends at least installing the Agent Services component on a separate server.

    Figure 1 Example installation configuration with VMware ESX hosts

    The following diagram illustrates a typical environment using Hyper-V R2 hosts, which requires the use of a SAN (Storage Area Network) for the system Library.

    Figure 2 Example installation configuration with Hyper-V R2 hosts

    The use of the URA Gateway is optional; refer to Remote Access on page 73 for detailed information about installing and configuring the Cloud Automation Platform remote access components.

    Components and Solutions

    The following components are essential to the Cloud Automation Platform environment:

    CAP Core: Typically installed on multiple virtual machines (VMs) or physical servers. Depending on the size of the deployment, however, the CAP Core can be installed on a single VM or physical server.

    The CAP Core consists of the following pieces, which provide the capabilities required by all Cloud Automation Platform applications:

    Core services: Provides the services and capabilities that enable the Cloud Automation Platform applications to create and manage virtual and physical resources. Key services include the control service, the reservation service, deployment service, and the engine service.

    Agent Services: Includes the following agent services:

    Agent message forwarder: Receives all agent responses and status data and delivers those documents to the agent message processor.

    Agent message processor: Processes documents submitted by Cloud Automation Platform agents, updates the operations database, and relays agent responses. This service is only intended to be called by the agent message forwarder on behalf of agents.

    Remote Server Manager (RSM): Manages remote virtualization hosts and library servers. For more information about using the RSM, refer to Configuring Remotely Managed Hosts on page 26.

    Web Application: Functions as the interface to the CAP Core. Through the CAP web interface, the administrator can perform the tasks that are necessary to define and maintain the Cloud Automation Platform environment, including the creation and maintenance of users, organizations, virtual resources, and software images.

    SOAP APIs: Provide the capability to extend, integrate with, or externally automate the CAP Core and, optionally, the Training Solution.

    Cloud Automation Platform Solutions: The following solutions are available with Cloud Automation Platform:

    Note: The QA/Test Solution, Demo Solution, and Training Solution are included in the Cloud Automation Platform, and are automatically installed with the CAP Core. Users access both the administrative functions of the CAP Core and the Solutions through the CAP web interface.

    QA/Test Solution: Automates test lab environments for software organizations. The QA/Test Solution orchestrates the allocation, scheduling, provisioning, configuration, and deprovisioning of test environments for developers and quality assurance (QA) engineers, as well as testing of new configurations by information technology organizations (IT Operations). By providing self-service capabilities to groups and individuals who desire access to automated test lab environments, the QA/Test Solution enables software organizations to increase repeatability in the test process while optimizing test lab resources, reducing development and test cycles, increasing the productivity of developers and QA engineers, and eliminating errors.

    Demo Solution: Provides software-demonstration capabilities that result in the faster and more reliable presentation of a product to potential customers. These enhancements, in turn, generate additional leads and shorten sales cycles.

    Training Solution: Enables training organizations to reduce delivery costs, shorten cycles, and increase reach by delivering live, hands-on, technical software training to anyone, anytime, anywhere. When using the Training Solution, customers, partners, and employees experience the full benefits of interacting with real training labs as part of instructor-led and self-paced courses.

    System library: Contains a collection of such system resources as base images, ISO images, and snapshots. The system library also includes the templates directory and snapshots directory in which the various files are stored, and a DeploymentActions directory that stores deployment action files. The file-storage device that you use as the system library must have enough capacity to store many large files.

    Operations database: Houses the configuration and state information for all of the physical and virtual resources. Created on an existing structured query language (SQL) server, the database also stores information about users, their roles and privileges, and their authentication policies.

    Reporting database: Serves as a repository for historical data. Logically distinct from the operations database, the reporting database can be installed either as an independent database on the same server that the operations database is on, or on a different server altogether.

    Cloud Automation Platform application server: A physical server or VM on which the Cloud Automation Platform web application or Cloud Automation Platform Solutions are installed. End users and application administrators access these applications through a Web browser.

    File cache: Contains copies of images from the system library and allows multiple VMs to share the same image. When an image changes in the system library, the updated image is sent to the file cache upon the next deployment of the application configuration. Multiple caches are supported, with each cache consisting of one or more file cache locations.

    Virtualization host: The computer on which VMs are created and their configuration files stored.

    Physical Computer: A computer that is managed by a provisioning system and is used by Cloud Automation Platform to host deployed physical servers. Refer to the online Help for additional information about using provisioned physical computers.

    Quest CAP Agent: Handles communication between Altiris Deployment Servers and the CAP Core server. Quest CAP agents are installed on any supported Windows system that hosts an Altiris Deployment Server and system library location or a file cache location with Altiris physical machine images.

    The CAP Core

    The CAP Core provides the building blocks for the creation and deployment of sessions for Cloud Automation Platform users. A session is a software environment that can be deployed on-demand for demos, training, or testing purposes. Demo Solution, Training Solution, and QA/Test Solution users access sessions for software demonstrations and evaluations, hands-on software training, or for software testing.

    The CAP Core automates the setup, provisioning, deployment, teardown, and re-deployment of sessions. The CAP Core also provides access control and reports.

    Before you begin using the Cloud Automation Platform, make sure that the required physical and network resources have been created. Physical resources include virtualization hosts, possibly physical provisioning servers, physical computers, and Active Directory computer accounts (AD-CAs). Network resources include MAC addresses, IP addresses, DHCP network ranges, and VLAN IDs.

    The CAP web interface is the graphical user interface to the product. After the required resources are in place, you can use the CAP web interface to perform the tasks required to create, define, and maintain the platform objects tailored to your virtual environment's requirements.

    In the CAP web interface, create the objects that comprise a session by creating objects in the system library. The objects that display in the system library are the elements that build the server and software for a session. It helps to think of the system library objects as recipes for sessions. A recipe, in the traditional sense, contains a list of ingredients as well as a set of instructions. In the system library, the objects required to create a session are the list of ingredients, and the instructions for how each object should be deployed and configured are included in the definition of the object.

    CAP Core Objects

    To create a Session or Training Lab, create and maintain the following CAP Core objects:

    Images: An image is a virtualized representation of a computer's disk drive.

    You can add images that you have created in your own environment, or you can create your own images using the CAP web interface. Either way, Quest recommends that you use the Cloud Automation Platform image preparation process to prepare any images that will be used in the Cloud Automation Platform environment.

    Hardware profiles: The hardware profile of each server configuration defines the RAM requirements, the CPU cores, target deployment (physical or virtual), required computing capacity (measured by Effective Processor Units, or EPUs) if any, and any constraints.

    Server configurations: All the information and image file references needed to create a fully functioning server. Cloud Automation Platform supports both virtual server configurations and physical server configurations.

    Virtual server configurations are used to create VMs.

    Physical server configurations are deployed to a physical computer to create deployed physical servers.

    Application configuration: All the resources needed to create a single session. One or more server configurations are grouped into an application configuration.

    Session: An application configuration that has any additional collateral or material attached to it. A session is what you deploy to create and access the virtual environment.

    After the physical and network resources are in place and the platform objects are ready for deployment, use the CAP web interface to make sessions available to users. Additional administrator tasks include creating and maintaining user accounts and organizations, running reports, system monitoring, and managing images, physical and network resources, and the system library.

    Each remaining chapter in this manual provides more detail about the CAP Core objects and the administrator's role with those objects.

    Reporting Database

    The reporting database is available to all platform services. Its primary purpose is to save historical data. The reporting database acts as a data warehouse and can be used with Cloud Automation Platform-provided report generators or with third-party reporting tools. For more information, see Reports on page 271.

    Operations Database

    The operations database contains the configuration and state information for physical and virtual resources. It also stores information about users, their privilege sets and privileges, and their authentication policies. The operations database is the primary source of data accessed by the Cloud Automation Platform application program interface (API).

    Solution Licensing

    Solution licensing controls the user experience in the CAP web interface. Users will be able to access the features and functionality of the Solutions for which they have a valid license. The solution-level licensing provides several features:

    Limit access to groups of workflows, personas and functionality that are grouped together as Solutions.

    Monitor the number of concurrent user logins per solution (determined by assigned persona).

    Monitor the number of host machines/CPU sockets that can be pooled.

    Monitor the total amount of RAM that can be pooled.

    Provide a built-in license expiration for installations used for evaluation purposes.

    There are three types of licenses: CAP Core, Demo Solution, and Training Solution. The QA/Test Solution is licensed by the CAP Core license. The optional limits on pooled RAM and CPUs will be part of the CAP Core license. The RAM will be licensed in whole GB units.

    The optional limits on the concurrent logins for Users using Personas associated with a given solution are part of the Solution licenses. The CAP Core license, which includes the QA/Test Solution, always allows unlimited concurrent users. If limits are exceeded, usage is not interrupted. However, users are prompted to enter a valid license when using the CAP web interface.

  • 2 Before You Start

    This chapter discusses the system requirements and other objectives and conditions that must be considered while planning an installation.

    The following sections address these issues and provide instructions for ensuring that you are fully prepared to complete a Cloud Automation Platform installation.

    Determining the Scope of Your Installation
    System Requirements
    Additional Considerations
    Network Communication
    Configuring IIS V. 7 on Windows 2008 R2
    Configuring Remotely Managed Hosts
    About Partner Extensions
    External Provisioning with HP Server Automation
    Security And Encryption
    Choosing a Windows Account for the Agent Service (Altiris)
    Using the vcsadmin Utility

    Determining the Scope of Your Installation

    Because the Cloud Automation Platform is highly scalable, the components and Solutions can be installed on a single server or distributed across multiple servers. If you are installing Cloud Automation Platform within the confines of a relatively small environment, for example, you can install the complete Cloud Automation Platform on the same server that hosts your databases and system library.

    If your installation is slated for a larger environment, installing some of the CAP Core components on one server and the remaining components on a second server can help you maximize the efficiency of your solution. Databases, Solutions, and the system library can also be set up on separate servers as needed.

    The following criteria can be useful when determining which approach to use:

    The number of sessions to be deployed and serviced. A session is a complete software environment (operating system, required software, etc.) that can be deployed on demand for demonstration, testing, or training purposes. Users of Cloud Automation Platform Solutions can access sessions for software demonstrations and evaluations, software testing, and hands-on software training.

    The diversity of your lab images, including the number of different images, the size and content of each image, and their hosting requirements.

    Your reporting needs, as determined by the amount and type of data you expect to save, as well as the number of reports you expect to generate.

    Installation Scenario

    In the typical installation scenario, the Cloud Automation Platform components are divided across multiple servers, with the database on a separate database server.

    For diagrams of typical Cloud Automation Platform installations, refer to Architecture Overview on page 2.

    System Requirements

    The hardware and software requirements are detailed in the following section.

    General Considerations

    Review the following general information:

    The disk space required by the library location depends upon the number and size of the images (labs, demos, classes) that are stored.

    Using NAIL Server in advanced mode requires at least two (2) 1 GB Ethernet cards in all virtualization hosts. For more information about NAIL Server in advanced mode, see Configuring NAIL Server Advanced Mode on page 137. For instructions, refer to the CAP web interface's online Help.

    The ActiveX controls used by Cloud Automation Platform require 32-bit Internet Explorer (default browser) when running on 64-bit Windows (x64) platforms. Both 32-bit Internet Explorer and 64-bit Internet Explorer are installed with Windows x64. The combination of Firefox 3.x and Sun Java J2SE 1.6 also works on Windows x64.

    The Platform server and all virtualization hosts should reside on the same Local Area Network (LAN).

    (Dashboard only) If you want to use the HTTPS (SSL) protocol to access the application server (Web Applications component), you will need to follow these steps before accessing the Dashboard:

    First, enable SSL for the web site.

    Then, edit the web.config file (in /Platform/Web) to remove the comments around all HTTPS endpoint entries.

    To locate HTTPS endpoints that are commented out, look for the following text:

    Microsoft IIS version 7, the web server on Microsoft Windows Server 2008 R2, requires additional configuration prior to installing Cloud Automation Platform. Refer to Configuring IIS V. 7 on Windows 2008 R2 on page 25 for detailed instructions.

    System Requirements

    Review the following system requirements for a typical installation scenario. See Figure 1 and Figure 2 on page 3 for diagrams of two typical configurations.

    Note: Installation of the Cloud Automation Platform components requires that both Microsoft IIS and .NET Framework 3.5 SP1 are installed on the CAP Core server before installing the CAP Core. Be aware that IIS must be installed before .NET Framework on the CAP Core server. See the troubleshooting topic Install Microsoft IIS Before .NET Framework on page 185 if IIS was not installed first.

    Computer: CAP Core server

    Cloud Automation Platform Components: General requirements for the four main components of the CAP Core server: Core Services, Agent Services, Web Applications, SOAP API.

    System Requirements:

    Physical server or VM with the following specifications:

    English version of one of the following operating systems:

    Microsoft Windows Server 2008 SP1 (Standard, Enterprise, Datacenter)

    Microsoft Windows Server 2008 R2 (Standard, Enterprise, Datacenter)

    Microsoft Windows Server 2003 R2 SP2 (Standard, Enterprise, Web Editions, or x64)

    Microsoft Windows Server 2003 SP2 (Standard, Enterprise, Web), x86 or x64 editions supported

    2 GB RAM

    Free disk space:

    10 GB free disk space if CAP-supplied images are stored on a network attached storage (NAS) device

    40 GB free disk space if images are stored on a local disk

    Microsoft .NET Framework 3.5 SP1

    Microsoft Internet Information Services (IIS) 6.x, 7.x

    ASP.NET Application Server installed and enabled

    Note: (Windows 2003 only) IIS must be installed before .NET Framework.

    Computer: Library Server

    Cloud Automation Platform Components: System Library (all computers, excluding Altiris DS, that host the Library must use the Remote Server Manager to manage the library, and so must be registered with the Cloud Automation Platform.)

    System Requirements:

    ESX

    VMware ESX 3.5 Update 4, ESXi 3.5 Update 5, ESX 4.0 Update 1, ESXi 4.0 Update 1, ESX 4.1, ESXi 4.1

    Library locations storage volume required to be on NFS or VMFS-3 volumes (for locations larger than 2 TB, NFS is strongly recommended)

    Hyper-V

    Windows Server 2008 R2 (required for Hyper-V and Cluster Shared Volume library content)

    Microsoft .NET Framework 3.5 SP1

    Library locations storage volume required on Cluster Shared Volume (CSV) on a SAN

    Altiris Deployment Solution

    Windows Server 2003 R2 SP2, x86 or x64

    Windows Server 2008 SP1 or SP2, x86 or x64

    Quest CAP Agent installed

    Microsoft .NET Framework 3.5 SP1

    Common

    500 GB free disk space minimum (The amount of required disk space depends on the size of the disk images.)

    Library Server computer registered with Cloud Automation Platform (excluding Altiris).

    Computer: Database server

    Cloud Automation Platform Components: Operational and Reporting database

    System Requirements:

    One of the following databases:

    Microsoft SQL Server 2005, SP2

    Microsoft SQL Server 2005 Express

    Microsoft SQL Server 2005 x64

    Microsoft SQL Server 2005 Express x64

    Microsoft SQL Server 2008 SP1

    Microsoft SQL Server 2008 R2

    Mixed Mode Authentication must be enabled

    Remote connections using TCP/IP must be enabled

    Computer: Application server

    Cloud Automation Platform Components: In a distributed installation, the Web Applications component can be installed on a different computer than the other Platform components. The Application server hosts the Platform web interface and any additional web interface installations.

    System Requirements:

    Physical server or VM with the following specifications:

    English version of one of the following operating systems:

    Microsoft Windows Server 2008 SP1 (Standard, Enterprise, Datacenter)

    Microsoft Windows Server 2008 R2

    Microsoft Windows Server 2003 R2 SP2 (Standard, Enterprise, Web), or x64

    Microsoft Windows Server 2003 SP2 (Standard, Enterprise, Web), x86 or x64 editions supported

    2 GB RAM minimum, 4 GB recommended

    6 GB free space

    Microsoft .NET Framework 3.5 SP1

    Microsoft Internet Information Services (IIS) 6.x, 7.x

    ASP.NET Application Server installed and enabled

    Notes:

    (Windows 2003 only) IIS must be installed before .NET Framework.

    Do not install on a computer that uses a WAN or the Internet to connect to the Platform Server.

    Computer: Virtualization Host (content host for VMs)

    Cloud Automation Platform Components: This is the server, running a VMware or Microsoft virtualization product, on which the Cloud Automation Platform manages the virtual resources. A typical environment consists of multiple host servers whose aggregate capacity is pooled and allocated.

    System Requirements:

    One of the following virtualization products:

    VMware ESX 3.5 Update 5, ESXi 3 Update 5, ESX 4.0 Update 1, ESXi 4.0 Update 1, ESX 4.1, ESXi 4.1

    Microsoft Windows 2008 R2 with Hyper-V Server (Must use Clustered Shared Volume configuration.)

    NOTE: All virtualization platforms (except ESX 3.5) require x64 architecture with Intel VT-x/AMD-V support.

    4 GB RAM (supports approximately 6 virtual machines with 512 MB RAM each)

    10 GB free disk space (library provisioning) or 40 GB (dedicated cache location)

    Host must be registered with Remote Server Manager (RSM).

    (ESX and ESXi only) SSH must be enabled for the user account with which the ESX host is registered with the Remote Server Manager.

    All VMware ESX images that will run on ESX 3.5 must be in the double-file, hardware version 4 VMDK format. For ESX 4 hosts, the hardware version can be 4 or 7. See Converting Hardware Versions for .vmdk Files on page 201 for instructions to use a vcsadmin script to convert .vmdk files to a later level file format.

    Computer: Guest VM (If your VM image does not contain a Cloud Automation Platform Guest Agent, these requirements are not applicable.)

    Cloud Automation Platform Components: Cloud Automation Platform Guest Agent

    These are the requirements of the guest VM in order for the Guest Agent to function properly.

    System Requirements:

    One of the following 32-bit operating systems:

    Windows Server 2003 R2 SP2, Windows XP, Windows 2008 SP1, or Windows Vista SP1 Business edition or higher, Windows Server 2008 R2, Windows 7, Professional and higher

    Red Hat Enterprise Linux Server (RHEL) 5.x

    Novell SUSE Enterprise Linux Server 10.3 or 11.0

    OR One of the following 64-bit operating systems:

    Windows XP 64 or Windows Server 2003 R2 SP2 x64

    Red Hat Enterprise Linux Server (RHEL) 5.x

    Novell SUSE Enterprise Linux Server 11.0 and above

    Microsoft Framework 2.0 or 3.5 SP1 (Windows only)

    Windows Server 2008 Hyper-V R2 Hosts only:

    Windows XP SP3, 32-bit only

    Windows Vista SP1 Business edition or higher, x86 or x64

    Microsoft Windows Server 2003 R2 (Standard, Enterprise, Web Editions, or x64)

    Microsoft Windows Server 2003 (Standard, Enterprise, Web), x86 or x64 editions supported

    Windows Server 2008, x86 or x64

    Windows Server 2008 R2, x64 only

    Note: VMs created from an image prepped with the CAP Image Tool include a Guest Agent.

    Computer: Active Directory Server

    System Requirements:

    One of the following operating systems:

    Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter)

    Microsoft Windows Server 2008 SP1

    Microsoft Windows Server 2008 R2

    Microsoft Windows Server 2003 R2 SP2 (Standard, Enterprise, Web) x86 or x64 editions supported

    Microsoft Windows Server 2003 SP2 (Standard, Enterprise, Web), x86 or x64 editions supported

    Computer: Client computer (Application users)

    Cloud Automation Platform Components: none

    This is the computer used by IT operations and lab management personnel to administer the application and by end-users to request and access lab environments.

    System Requirements:

    English version of one of the following operating systems:

    Microsoft Windows XP SP3

    Microsoft Windows Vista SP1 Business edition or higher (no console access with Vista)

    Microsoft Windows 7 (no console access on ESX 3.5, ESX 4 allows console access)

    Microsoft Windows Server 2003 SP2

    Microsoft Windows Server 2003 R2 SP2

    Microsoft Windows Server 2008 SP1

    Microsoft Windows Server 2008 R2

    SUSE Linux Enterprise Server 10.2 and 11

    Apple Mac OS X 10.5 or 10.6 with Firefox browser; remote access methods supported are Citrix ICA and Java RDP.

    One of the following web browsers:

    Microsoft Internet Explorer 7.0 or 8.0 with cookies enabled (only 32-bit version of IE)

    Mozilla Firefox 3.5 or 3.6 with cookies enabled

    (Optional) The installation of Microsoft Silverlight 3 enables the Infrastructure Dashboard, a visual management view of the environment.

    (Optional) PowerShell 2.0 is required for use of the CAP CLI Client component.

    Note: Web browser must be configured for either:

    Microsoft ActiveX controls

    Sun Java Plug-in JRE version 1.6 on Windows platforms

    Sun Java Plug-in JRE version 1.6 for Mozilla Firefox on Linux

    Apple Java for Mac OS X version 1.6 for Mozilla Firefox

    Computer: Utility Host

    Cloud Automation Platform Components: A utility host is any server running supported virtualization software that also supports NAIL Server, and is used by Hyper-V hosts for network translation services.

    System Requirements:

    VMware ESX utility host:

    VMware ESX 3.5 Update 5, ESXi 3 Update 5, ESX 4.0 Update 1, ESXi 4.0 Update 1, ESX 4.1, ESXi 4.1 (Foundation, Standard, or Enterprise)

    ESX server must be registered with RSM (Remote Server Manager).

    SSH must be enabled for the user account with which the ESX host is registered with the Remote Server Manager.

    Advanced Mode for the NAIL server must be implemented

    Partner Extension System Requirements

    For more information regarding partner integrations in Cloud Automation Platform, see About Partner Extensions on page 33. For detailed information about how to register partner extensions (provisioning and automation systems) in the CAP web interface, refer to the online Help.

    Partner Extension: Altiris Deployment Server

    System Requirements:

    Altiris Deployment server 6.8 SP2, 6.9, 6.9 SP1, or 6.9 SP2

    Network communication: Use either a static IP address in the .img file or use the legacy NAIL Driver.

    The Altiris Deployment server agent must be installed on the target server against which an Altiris Job is run.

    Cloud Automation Platform Administrators must have full access to all Altiris Jobs and to the Altiris Deployment Server.

    The Cloud Automation Platform Agent must be installed.

    Partner Extension: HP Server Automation

    System Requirements:

    HP Server Automation 7.5

    A Cloud Automation Platform guest agent must be installed in all images that will run HP Software Policies as deployment actions. However, a guest agent is neither required nor supported for external provisioning (OS or physical provisioning) with HP SA.

    The server configuration's network adapters cannot use NAIL 3 network adapters; the adapter must be set to either DHCP or static.

    If your environment uses both isolated networks and physical computers managed by HP SA, you must configure network switch automation. See Using Network Switch Automation on page 143.

    HP Network Automation 7.5 (network switch automation): supported physical switches are Cisco IOS (e.g. 3750) and Cisco Catalyst OS (e.g. 2948). Support for other switch types can be provided by Quest, as long as the switch is supported by HP NA 7.5.

    SPARC architecture is not supported.

    Note: In order to be able to run administrative-level commands via the Remote Shell, the user with which the HP SA core was registered must have the "Run Command On Server" privilege with sufficient scope, as both the "root" user and the "Administrator" user (root for Linux/UNIX systems, and Administrator for Windows).

    Partner Extension: VMware vCenter

    System Requirements:

    VMware vCenter 2.5 Update 5, VMware vCenter 4.0 Update 1, vCenter 4.1

    Network communication: Static IP Address in all VMs

    Additional Considerations

    Depending on the configuration of your network and the needs of your customers, the following variables can also affect how you set up the Cloud Automation Platform environment:

    Whether you anticipate any remote access requirements

    Whether you intend to implement a file cache system to help maximize network efficiency

    Whether you intend to use a VMFS volume on a SAN (storage area network) for a library location

    Whether you have any address translation needs

    The following sections examine these variables in more detail and provide the information necessary for you to address any potential challenges.

    Remote Access

    To address your potential remote access needs, Cloud Automation Platform provides the following solutions:

    Universal remote access (URA): Enables communication from a remote computer to a Cloud Automation Platform VM located behind a firewall.

    Classroom readiness test (CRT): Measures a network's bandwidth and latency and compares them with established ranges to determine whether they are appropriate for your classroom needs.

    Web Browser and Connectivity Test, or the User Readiness Test (URT): Used in conjunction with the Demo, Training, and QA/Test Solutions to determine if a remote user's computer and the computer's current location meet the requirements to successfully connect to a Cloud Automation Platform VM.

    These solutions are described in greater detail in Chapter 4, Remote Access, on page 73. To utilize URA, you must install a URA gateway. Similarly, to take advantage of CRT, you must install a CRT server.

    Note: The URA gateway and CRT server must not be installed on the same machine.

    For more information about the system requirements for the URA gateway, see Installing and Configuring the URA Gateway Server on page 94.

    For more information about the system requirements for the CRT server, see System Requirements on page 11.

    Image Provisioning and File Cache Locations

    Images in Hyper-V environments are provisioned to destination VMs from Cluster Shared Volumes (CSV) on the Storage Area Network (SAN) server. For more information, see Using Clustered Shared Volumes for Hyper-V R2 Hosts on page 159.

    VMware ESX hosts can access images directly from a system library when the system library server supports NFS or VMFS access protocols. See Using NFS In a Network-Attached Storage Configuration on page 157 or Using VMWare VMFS in a SAN-based Configuration on page 155.

    For image provisioning from a system library to be successful, the following conditions must be met:

    All Windows system libraries must reside within the same Windows domain.

    The agent that manages a Windows system library cannot run as the Local System account. Instead, it must run as a domain user in the machine's Administrators group.

    ESX hosts that use a library location on a SAN VMFS volume must be configured before installing Cloud Automation Platform. See Configuring the ESX Host and SAN Server on page 156.

    When a session is deployed under these conditions, the VM uses images that remain in the system library location. Files are not copied to the virtualization host, which reduces the time required to deploy sessions.

    Situations exist, however, when provisioning from the system library is not optimal or possible. For instance, a very large number of VMs with heavy usage can cause excessive load on the library server.

    For these situations, Cloud Automation Platform uses file caches and file cache locations. A file cache location describes any physical location on a server to which an image and its related files are copied. If your environment requires a large number of simultaneously accessible VMs, file cache locations provide load balancing across multiple servers.

    Whenever an application configuration is deployed, any file that is part of the server configuration, including the .vhd, .vmdk, .img, and .iso files, is copied to a file cache location and attached to the appropriate VM or VMs. Upon termination of the application configuration session, the image and all of its related files remain in the file cache location, where they can be attached to other VMs during future deployments.

    Cloud Automation Platform supports the following types of file cache locations:

    Dedicated file cache locations are created on each VM host server. Dedicated file cache locations are supported by Hyper-V and VMware ESX.

    Note: Hyper-V hosts must use a Cluster Shared Volume (CSV) on a SAN for library or file cache location. In addition, all VM home directories must be in a local directory. No UNC paths or CIFS can be used.

    Shared file cache locations are accessible by all the virtualization hosts in a specified resource pool. For VMware ESX, the shared cache locations can use either NFS or VMFS. See Using NFS In a Network-Attached Storage Configuration on page 157 or Using VMWare VMFS in a SAN-based Configuration on page 155. Also refer to the CAP web interface online Help topic Adding a Shared File Cache Location.

    With shared file cache locations, you have the option of setting up cache locations that are all managed by an existing Quest CAP Agent on another server. Regardless of whether your shared cache locations are remote or local, the Hyper-V hosts and Windows system libraries must reside within the same Windows domain, and the managing agent must run as a domain user in the Administrators group.

    When planning the optimal solution for your network configuration, it is important to remember the following points:

    Each VM must have direct read/write access to a file cache location.

    A single physical host server can support multiple file cache locations, provided the locations exist on different volumes.

    The size of a shared file cache location is configurable. If you do not specify a size, the entire disk is used.

    File cache locations can be set up on remote servers that are accessible by either a managed server or the Remote Server Manager.

    If you define more than one shared cache location, the system determines which location to use during a deployment by identifying the following criteria:

    a location that already has the files cached

    a location that has enough space (without deleting any existing files)

    a location with the most space that has unused files that can be purged to make space

    If the required image exists in a cache location, then that cache location is used. If the image is not currently cached, it is copied to the location with the most available space, purging unused files if necessary to make space for the new images.

    The online help provides detailed instructions for creating file cache locations.

    Address Translation and Virtual Networking

    Note: Refer to Networking Overview on page 130 for detailed information about Cloud Automation Platform networking, including typical network topologies, configuring the NAIL Server, using VLAN-isolated DHCP networks, and NAIL troubleshooting details.

    The repeated cloning of a small number of VMs provides a fast, efficient method to create a large pool of identical VMs. In a Cloud Automation Platform environment, many of the VMs that represent or comprise viable application configurations are clones of one or more original VMs.

    Unfortunately, cloned VMs share the following identifiers with the original VM as well as with each other:

    Machine name: Duplicate machine names cause conflicts with network shares. For example, an OS like Windows 2000 or Windows 2003 disables a clone's network connection when it detects a duplicate machine name. Changing the machine name of each VM is a time-consuming effort that requires a restart of each VM. Additionally, changing a machine name can break licensing codes, configuration files, registry entries, and certificates.

    Security identifier (SID): Redundant SIDs generate authentication issues. Although SIDs can be changed, the process is a time-consuming effort that requires a system restart for each VM. Further, changing a VM's SID can result in software problems that affect licensing codes, Windows authentication, Windows Shares, and IIS Services.

    Static IP address: The duplication of IP addresses, each of which must be unique to every VM on a network, renders the original VM and all of its clones incapable of communicating over the same network. Although an administrator can change the IP address of each VM, this change can also disrupt Web services, databases, special protocol drivers, firewall rules, tuned applications, and other servers that still use the previous IP address.

    The Cloud Automation Platform solves the problem of duplicate IP addresses by utilizing a network abstraction and isolation layer (NAIL). If the necessary components are installed and configured, the NAIL Server is created automatically when the virtualization hosts are pooled.

    The appropriate IP addresses and MAC addresses are configured using the CAP web interface.

    Note: Be aware that the IP configuration (including the subnet mask and gateway) that is defined within the image must match the subnet mask defined in the server configuration that you create in the CAP web interface.

    As shown in Figure 1, NAIL Server uses network address translation (NAT) to provide a unique IP address for each VM on a network.

    Figure 1 Cloned VMs with Unique External IP Addresses

    Network Communication

    Review the following section for information about the various types of network resources that you will need to create. Additionally, see the matrix of ports on page 24 for a list of port numbers that Cloud Automation Platform requires for communication between the CAP Core server and other components.

    Network Requirements

    You will need to define network resources for the application configurations that you want to deploy. The appropriate IP addresses, MAC addresses, DHCP networks, and VLAN IDs are defined using the CAP web interface. Refer to the online Help for detailed instructions to create network resources.

    Quest recommends that you verify the accuracy of all values that you enter. A small error when entering a range of addresses can result in the creation of thousands of unwanted address records in the Cloud Automation Platform database.

    Resource: MAC Address Ranges

    Description: This is the most widely used of the network resources because every VM NIC (network interface card) will consume an ethernet MAC address while the VM is deployed, regardless of how the interface is configured within the VM guest operating system, and regardless of whether multiple clones of the VM are simultaneously deployed.

    Requirements: Values should fall within the VMware Organizationally Unique Identifier (OUI) range of 00:50:56:00:00:00-00:50:56:3F:FF:FF. The size and values of this range can be changed at any time. Plan to use at least one MAC address for each VM per test configuration, up to the maximum number of concurrent VMs across all VM hosts.

    Resource: IP Address Ranges

    Description: NAIL uses IP address resources to prevent conflicts and provide a unique IP address for each VM whose network interfaces are configured with static IP addresses within the VM guest operating systems.

    Requirements: These IP addresses cannot overlap with addresses assigned by any DHCP server. Plan to dedicate one additional IP address per VM host, plus one for each VM per test configuration that will be configured for NAIL cloning, up to the maximum number of concurrent VMs across all VM hosts. The size and values of this range can be changed at any time.

    Note: Consult your network administrator to determine a range of IP addresses valid for your local network that can be dedicated to your installation.

    Resource: VLAN ID Ranges

    Description: NAIL also uses a virtual LAN (VLAN) for VMs that require grouping, as is the case when multiple server configurations comprise a single application configuration. NAIL Server uses IEEE 802.1q VLANs to isolate application configurations from one another and prevent duplicate host name or IP address errors while simultaneously deploying clones of VMs.

    Requirements: You must use IDs within the range of 2 - 4095, inclusive. If you are implementing NAIL Server in the advanced mode, you should work with your network administrator to select the appropriate network adapters, switches, and VLAN IDs that are compatible with your physical network environment. As a general guideline, plan for 1-2 VLAN IDs per concurrent test configuration, depending on the complexity of the test configuration. The VLAN ID range selected should be dedicated for use by the Cloud Automation Platform.

    Resource: DHCP Network Range

    Description: For physical and virtual servers that require both network isolation and the use of DHCP, create one or more DHCP network ranges. Externally-provisioned servers that rely on the PXE network boot process and are included in multi-server deployments can use isolated DHCP networks. For details about using VLAN-isolated DHCP networks, see Using VLAN-isolated DHCP Networks on page 141.

    Requirements: Two configurations support VLAN-isolated DHCP networks:

    OSPF (Open Shortest Path First): this widely used protocol must be enabled on the physical switch that is used to provide routing for external users to the virtualization hosts. Additionally, Cloud Automation Platform requires credentials on the OSPF routers.

    If OSPF cannot be used in your environment, the physical switch on the broadcast network can be set to provide DHCP addressing services. For this scenario, NAIL Server must use advanced mode.
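
    The limits in the resource table can be checked before any range is entered in the CAP web interface, which is where a mistyped octet turns into thousands of address records. The Python sketch below is an added example, not part of the Quest guide or product; the function names, the 4096-record warning threshold, the sizing assumptions noted in the comments, and the sample ranges are all constructed for illustration.

```python
import ipaddress

# Limits stated in the guide's network resource table.
VMWARE_OUI_LOW = 0x005056000000    # 00:50:56:00:00:00
VMWARE_OUI_HIGH = 0x0050563FFFFF   # 00:50:56:3F:FF:FF
VLAN_MIN, VLAN_MAX = 2, 4095

# Assumption (not from the guide): warn when one range would create more
# records than this, so a mistyped octet is caught before it is submitted.
MAX_RECORDS = 4096


def size_problems(count):
    """Problems that depend only on how many records a range expands to."""
    if count <= 0:
        return ["start is after end"]
    if count > MAX_RECORDS:
        return ["%d records would be created" % count]
    return []


def mac_to_int(mac):
    """Parse a colon- or hyphen-separated MAC address into an integer."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("malformed MAC address: %r" % mac)
    return int("".join(parts), 16)


def check_mac_range(first, last):
    lo, hi = mac_to_int(first), mac_to_int(last)
    count = hi - lo + 1
    problems = size_problems(count)
    if lo < VMWARE_OUI_LOW or hi > VMWARE_OUI_HIGH:
        problems.append("outside the VMware OUI range")
    return max(count, 0), problems


def check_ip_range(first, last, dhcp_scopes=()):
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    count = int(hi) - int(lo) + 1
    problems = size_problems(count)
    # The guide requires that NAIL addresses never overlap a DHCP scope.
    for scope_first, scope_last in dhcp_scopes:
        s_lo = ipaddress.IPv4Address(scope_first)
        s_hi = ipaddress.IPv4Address(scope_last)
        if lo <= s_hi and s_lo <= hi:
            problems.append("overlaps DHCP scope %s-%s" % (scope_first, scope_last))
    return max(count, 0), problems


def check_vlan_range(first, last):
    count = last - first + 1
    problems = size_problems(count)
    if first < VLAN_MIN or last > VLAN_MAX:
        problems.append("VLAN IDs must be within 2-4095")
    return max(count, 0), problems


def planned_minimums(vm_hosts, concurrent_vms, nics_per_vm, concurrent_configs):
    """Smallest range sizes that satisfy the guide's planning guidance.

    Assumptions: every VM has the same NIC count, every concurrent VM uses
    NAIL cloning with one static IP, and one VLAN ID per configuration
    (the guide says 1-2).
    """
    return {
        "mac": concurrent_vms * nics_per_vm,
        "ip": vm_hosts + concurrent_vms,
        "vlan": concurrent_configs,
    }


def review(proposal, minimums, dhcp_scopes=()):
    """Return human-readable findings for a proposed set of ranges."""
    checks = {
        "mac": check_mac_range(*proposal["mac"]),
        "ip": check_ip_range(*proposal["ip"], dhcp_scopes=dhcp_scopes),
        "vlan": check_vlan_range(*proposal["vlan"]),
    }
    findings = []
    for kind, (count, problems) in checks.items():
        findings += ["%s: %s" % (kind, p) for p in problems]
        if 0 < count < minimums[kind]:
            findings.append("%s: %d entries, plan needs at least %d"
                            % (kind, count, minimums[kind]))
    return findings


# Constructed sample: the MAC end address has a mistyped fourth octet.
PROPOSAL = {
    "mac": ("00:50:56:00:10:00", "00:50:56:10:10:FF"),
    "ip": ("10.20.0.10", "10.20.0.200"),
    "vlan": (1, 40),
}
DHCP_SCOPES = [("10.20.0.150", "10.20.0.250")]

if __name__ == "__main__":
    for finding in review(PROPOSAL, planned_minimums(8, 48, 2, 12), DHCP_SCOPES):
        print(finding)
```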

    Ports Used by Cloud Automation Platform

    The following table lists the ports or port ranges required by Cloud Automation Platform. All ports are TCP unless otherwise specified. Ping is open in some cases to facilitate connectivity testing, not for server communications. This matrix does not include Windows networking ports.

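    From Platform server

    To Platform Server (a): 2995-2999 (includes RSM); To DBs: 1433; To App: 1024-4999, >32767, ICMP Ping; To Lib: 4277; To Hosts: 4277, 22 (for SSH); To VMs: 4277, ICMP Ping; To URA GW: None (b); To Syslog: UDP 514; To LDAP: 389; To CRT Server: None

    From DBs

    To Platform Server (a): None; To DBs: N/A; To App: None; To Lib: None; To Hosts: None; To VMs: None; To URA GW: None; To Syslog: None; To LDAP: None; To CRT Server: None

    From App

    To Platform Server (a): 2995-2999, 80/443, ICMP Ping; To DBs: 1433; To App: N/A; To Lib: 4277, 1024-4999, >32767; To Hosts: 4277; To VMs: None; To URA GW: None; To Syslog: UDP 514; To LDAP: 389; To CRT Server: None

    From Lib

    To Platform Server (a): 80/443; To DBs: None; To App: 80/443; To Lib: N/A; To Hosts: 1024-4999, >32767, 22 (SSH); To VMs: 1024-4999, >32767; To URA GW: None; To Syslog: None; To LDAP: None; To CRT Server: None

    From Hosts

    To Platform Server (a): 80/443; To DBs: None; To App: 80/443; To Lib: 1024-4999, >32767; To Hosts: N/A; To VMs: None; To URA GW: None; To Syslog: UDP 514; To LDAP: None; To CRT Server: None

    From VMs

    To Platform Server (a): 80/443; To DBs: None; To App: None; To Lib: None; To Hosts: None; To VMs: N/A; To URA GW: None; To Syslog: None; To LDAP: None; To CRT Server: None

    From URA GW

    To Platform Server (a): 2995-2999; To DBs: None; To App: None; To Lib: None; To Hosts: 5900, 902; To VMs: 3389 (RDP), 5901 (VNC), 1494 (Citrix); To URA GW: N/A; To Syslog: None; To LDAP: None; To CRT Server: 9999 (default), 3389 (requires port address translation)

    From Syslog

    To Platform Server (a): None; To DBs: None; To App: None; To Lib: None; To Hosts: None; To VMs: None; To URA GW: None; To Syslog: N/A; To LDAP: None; To CRT Server: None

    From LDAP

    To Platform Server (a): None; To DBs: None; To App: None; To Lib: None; To Hosts: None; To VMs: None; To URA GW: None; To Syslog: None; To LDAP: N/A; To CRT Server: None

    a. The Web Application component uses port 2995. The Remote Server Manager (RSM), part of Agent Services, uses port 2996. Service Host, in the Services Container, uses port 2997. The EngineService, part of Core Services, uses port 2998. Control Service, part of Core Services, uses port 2999.

    b. An ephemeral port is opened briefly during installation.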
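
    The matrix can also serve as an allow-list when reviewing firewall rules or flow logs between the components: anything not listed is traffic the platform does not need. The Python sketch below is an added example, not part of the guide or the product; the role names, the parser for the table's cell notation and the sample flows are constructed, and the matrix values are as read from the table above.

```python
import re

# Non-empty cells of the port matrix, MATRIX[source][destination]. Every
# pair not listed is "None" or "N/A" in the guide. Not modelled: Windows
# networking ports and the ephemeral port opened to the URA gateway during
# installation (footnote b), both of which the guide excludes as well.
MATRIX = {
    "platform": {
        "platform": "2995-2999 (includes RSM)", "db": "1433",
        "app": "1024-4999, >32767, ICMP Ping", "lib": "4277",
        "host": "4277, 22 (for SSH)", "vm": "4277, ICMP Ping",
        "syslog": "UDP 514", "ldap": "389",
    },
    "app": {
        "platform": "2995-2999, 80/443, ICMP Ping", "db": "1433",
        "lib": "4277, 1024-4999, >32767", "host": "4277",
        "syslog": "UDP 514", "ldap": "389",
    },
    "lib": {
        "platform": "80/443", "app": "80/443",
        "host": "1024-4999, >32767, 22 (SSH)", "vm": "1024-4999, >32767",
    },
    "host": {
        "platform": "80/443", "app": "80/443",
        "lib": "1024-4999, >32767", "syslog": "UDP 514",
    },
    "vm": {"platform": "80/443"},
    "ura_gw": {
        "platform": "2995-2999", "host": "5900, 902",
        "vm": "3389 (RDP), 5901 (VNC), 1494 (Citrix)",
        "crt": "9999 (default), 3389 (requires port address translation)",
    },
}

TOKEN = re.compile(r"(udp\s+)?(>)?(\d+)(?:-(\d+))?", re.IGNORECASE)


def parse_cell(cell):
    """Turn one matrix cell into (protocol, low_port, high_port) rules."""
    rules = []
    cell = re.sub(r"\([^)]*\)", "", cell)          # drop "(for SSH)" notes
    for token in re.split(r"[,/]", cell):
        token = token.strip()
        if not token:
            continue
        if token.lower().startswith("icmp"):
            rules.append(("icmp", None, None))
            continue
        m = TOKEN.fullmatch(token)
        if not m:
            raise ValueError("unrecognised matrix entry: %r" % token)
        proto = "udp" if m.group(1) else "tcp"     # TCP unless stated
        low = int(m.group(3))
        if m.group(2):                             # ">32767": all ports above
            low, high = low + 1, 65535
        else:
            high = int(m.group(4)) if m.group(4) else low
        rules.append((proto, low, high))
    return rules


def is_allowed(src, dst, proto, port=None):
    """True when the matrix lists this protocol and port for src -> dst."""
    cell = MATRIX.get(src, {}).get(dst)
    if cell is None:
        return False
    for rule_proto, low, high in parse_cell(cell):
        if rule_proto != proto:
            continue
        if proto == "icmp" or low <= port <= high:
            return True
    return False


def audit(flows):
    """Return the flows that the matrix does not account for."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed flow records: (source role, destination role, protocol, port).
SAMPLE_FLOWS = [
    ("app", "db", "tcp", 1433),
    ("vm", "db", "tcp", 1433),        # guest VMs have no path to the databases
    ("host", "syslog", "udp", 514),
    ("host", "syslog", "tcp", 514),   # syslog is listed as UDP only
    ("lib", "host", "tcp", 40000),
    ("platform", "vm", "icmp", None),
    ("ura_gw", "vm", "tcp", 3389),
    ("db", "platform", "tcp", 2995),  # nothing is initiated from the databases
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("not in matrix:", flow)
```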

    Configuring IIS V. 7 on Windows 2008 R2

    If your environment will use Windows Server 2008 R2, install and configure Microsoft IIS version 7 web server prior to installing the Web Application component. IIS version 7 is the default web server on Windows Server 2008 R2.

    Note: Use the following instructions to install and configure IIS version 7 on any Windows Server 2008 R2 on which you will install any of the four Platform components. Follow the same instructions for any servers on which you install the Web Applications component.

    To install and configure IIS version 7 for the Cloud Automation Platform environment, perform the following steps:

    1. Open the Server Manager console.

    2. In the left pane, click Roles and then click the Add Roles link in the window on the right.

    The Add Roles Wizard appears.

    A. On the Before You Begin page, click Next.

    B. On the Select Server Roles page, select the Web Server (IIS) role and then click Next.

    C. On the Web Server (IIS) page, click Next.

    D. On the Select Role Services page, select Application Development and then click Next.

    E. On the Confirm Installation Selections page, click Install.

    The Installation Progress page appears.

    F. When the Installation Results page appears, review the information and then click Close.

    3. In the left pane of the Server Manager, click Features and then click the Add Features link in the window on the right.

    The Add Features Wizard appears.

    A. On the Select Features page, select .NET Framework 3.5.1 Features.

    B. Dismiss the popup by clicking Add Required Features.

    C. Expand .NET Framework 3.5.1 Features and verify that the WCF Activation check box is selected.

    D. On the Select Features page, click Next.

    E. On the Confirm Installation Selections page, click Install.

    The Installation Progress page appears.

    F. When the Installation Results page appears, click Close.

    4. Open a command prompt window and type start inetmgr to open the Internet Information Services (IIS) MMC snap-in.

    5. In the left pane, expand the node with the computer's name, then expand the Sites node, and then select the Default Web Site.

    6. Double-click the Handler Mappings icon in the pane on the right.

    7. In the list of application mappings, verify that each ISAP-2.0.svc file (look under the Path column for the .svc extension) has an entry of IsapiModule in the Handler column. Alternatively, right-click on each .svc file and select Edit..., and then verify that the file is mapped to the aspnet_isapi.dll.

    If there are no entries for ISAP-2.0.svc files, you will need to add them. If you are using any 64-bit computers to host IIS, you will need to also add an entry for the 64-bit framework.

    To add the .svc files, perform the following steps:

    A. Click Add Script Map.

    B. In the Request path field, enter *.svc.

    C. In the Executable field, navigate to one of the following directories and select the aspnet_isapi.dll:

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727 (for 64-bit computers)

    C:\Windows\Microsoft.NET\Framework\v2.0.50727 (for 32-bit computers)
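    The check in step 7 can also be run from PowerShell. The following read-only audit is an added example, not part of the Quest guide; it assumes the WebAdministration module is available on the IIS server and that %windir% is C:\Windows as in the paths above. The function and variable names are illustrative.

```powershell
# Added example: read-only audit of the *.svc script maps on the Default Web Site.
# Assumes the WebAdministration module installed with the Web Server (IIS) role.
Import-Module WebAdministration

$SitePath = 'IIS:\Sites\Default Web Site'
$FxRoot   = Join-Path $env:windir 'Microsoft.NET'
# The two aspnet_isapi.dll locations named in the guide.
$Dll32 = Join-Path $FxRoot 'Framework\v2.0.50727\aspnet_isapi.dll'
$Dll64 = Join-Path $FxRoot 'Framework64\v2.0.50727\aspnet_isapi.dll'

function Get-SvcScriptMap {
    # One record per *.svc handler that is served through IsapiModule.
    Get-WebHandler -PSPath $SitePath |
        Where-Object { $_.Path -eq '*.svc' -and $_.Modules -eq 'IsapiModule' } |
        ForEach-Object {
            # scriptProcessor may be stored as %windir%\...; expand before comparing.
            $exe = [Environment]::ExpandEnvironmentVariables([string]$_.ScriptProcessor)
            New-Object PSObject -Property @{
                Name       = $_.Name
                Executable = $exe
                Exists     = [bool]($exe -and (Test-Path -LiteralPath $exe))
            }
        }
}

$maps = @(Get-SvcScriptMap)

# A 64-bit host needs both entries; a 32-bit host has no Framework64 directory.
$required = @($Dll32)
if (Test-Path -LiteralPath $Dll64) { $required += $Dll64 }

foreach ($dll in $required) {
    $hit = @($maps | Where-Object { $_.Executable -eq $dll -and $_.Exists })
    if ($hit.Count -gt 0) {
        "OK         *.svc -> $dll  (handler: $($hit[0].Name))"
    } else {
        "MISSING    *.svc -> $dll  (add it with Add Script Map)"
    }
}

# An ISAPI script map for *.svc that points anywhere else should be reviewed:
# the executable named here is loaded by IIS for every matching request.
$maps | Where-Object { $required -notcontains $_.Executable } | ForEach-Object {
    "UNEXPECTED *.svc -> $($_.Executable)  (handler: $($_.Name))"
}
```

    Run it in an elevated PowerShell session on the IIS server; it only reads the configuration and changes nothing.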

    Configuring Remotely Managed Hosts

    The Remote Server Manager (RSM), installed with the Agent Services component of the Platform, manages all virtualization hosts and library servers. The RSM is used to remotely manage the following types of hosts:

    Microsoft Windows Server 2008 Hyper-V R2 hosts

    VMware ESX Server 3.5

    VMware ESXi 3.5

    VMware ESX Server 4.0

    VMware ESXi 4.0

    The use of RSM not only greatly reduces installation and upgrade efforts, it also provides performance enhancements and a simplified architecture.

    For important information about configuring the hosts before creating your Cloud Automation Platform environment, see:

    ESX Hosts on page 27

    Hyper-V R2 Hosts on page 28

    Note: For information about the supported library locations and file cache locations, and how to configure hosts for file access and library management, refer to Configuring Storage and Shared Access on page 155.

    ESX Hosts

    Review the following sections if your environment includes VMware ESX hosts.

    Configuring ESX Hosts

    To configure the Cloud Automation Platform environment for using remotely managed ESX 3.5, ESX 4.0, and ESXi hosts, follow these procedures before registering the hosts in the CAP web interface:

    Enable SSH for the user account of the ESX host. The authentication credentials, used when registering the ESX host to be managed by RSM, must have remote SSH access enabled before registering the host.

    Verify that the user account on the ESX host has the same privileges as a local administrator.

    Create a storage location for the images and files. Cloud Automation Platform requires that all images are in either the Hardware Version 4 or version 7 double-file VMDK format. See Converting Hardware Versions for .vmdk Files on page 201 for instructions to use a vcsadmin script to convert .vmdk files to a later version file format.

    Note: If the host will be integrated with a VMware vCenter environment, you must define the storage locations and register the host with vCenter before you register the host with the CAP web interface. After installation is complete, refer to the online Help for additional prerequisites and information about registering ESX hosts for vCenter integration.

    Configure a default network for NAIL Server. If you are using NAIL Server in advanced mode, configure both a trunked network and a default network. See Configuring NAIL Server Advanced Mode on page 137.

    (ESX 3.5 and 4.0 only, not ESXi) Quest Software recommends the following best practice: using the VMware Infrastructure Client that is installed on the ESX host, set the amount of memory allocated to the ESX service console to the maximum amount, 800 MB. The RSM interacts with the service console to perform tasks for the Cloud Automation Platform environment. Failing to set the memory allocation to 800 MB will cause the service console to perform poorly.

    Hyper-V R2 Hosts

    Review the following sections if your environment includes Hyper-V R2 hosts.

    Considerations

    Review the following considerations when using the Remote Server Manager and Hyper-V R2 hosts:

    No firewalls can exist between the computer on which the Agent Services is installed and the Hyper-V R2 host(s).

    For successful promotion of snapshots from Hyper-V hosts, constrained delegation must be enabled for the user account that the Remote Server Manager uses to remotely manage the Hyper-V host. The RSM is configured with only one user account that it uses to manage all Hyper-V R2 hosts. The Hyper-V host must be able to open virtual hard disks (.vhd files) on the CIFS server (i.e., in the system library on a NAS device) for exclusive read/write access, and because the Remote Server Manager is delegating the credentials to open the virtual hard disk file on the Hyper-V host accessing the CIFS server, that delegation must be authorized. For the authorization to occur, the user account of the RSM and the Computer Name of the CIFS server must both be in a common Active Directory server where constrained delegation of the RSM user to access the CIFS share through third-party hosts (Hyper-V) is allowed.

    In order for Hyper-V to host VMs with NAIL Server defined as the Ethernet Device type, a NAIL Server on another virtualization host or on a utility host must be used. See Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 31 for more information about using utility hosts.

    The password rules for the user account must be configured to never expire.

    Hyper-V R2 hosts and the Remote Server Manager should not be isolated by a network address translation (NAT) layer. See Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 31 for information about using network address translation with Hyper-V hosts.

    DHCP addressing should not be used by Hyper-V R2 hosts unless it is an infinite DHCP reservation.

    The Hyper-V R2 host must have 64-bit architecture and have a DVD drive.

    Configuring Hyper-V R2 Hosts

    Note: If your environment requires the use of the NAIL Server for network address translation (NAT) for VMs on a Hyper-V R2 host, refer to Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 31.

    To configure the environment for using remotely managed Hyper-V R2 hosts, follow these steps:

    1. Before installing Cloud Automation Platform, create a domain user account for the specific use of communication between the Remote Server Manager and the Hyper-V hosts.

    The domain user account must be a member of the Administrators group on the server with Agent Services installed and on each Hyper-V host that is going to be managed remotely by the Remote Server Manager. Additionally, the domain user account should have full privileges to the Windows Administrative shares (C$, D$, IPC$) and the ability to access the Hyper-V host file system with full read/write access.

    The following computers must all be in the same domain:

    The computer on which you install the platform Agent Services (which includes the Remote Server Manager)

    The Hyper-V host(s)

    (if applicable) Any file systems of the Hyper-V host that are external to the Hyper-V host itself and are used to store the Cloud Automation Platform virtualization configuration files

    2. Install the Platform components. During the installation of the Agent Services (part of the Platform), you are prompted to enter the user name and password for the Remote Server Manager. Enter the user name and password of the user account defined in step 1. See page 50 in Chapter 3, Product Installation, for more information.

    3. Configure each Hyper-V host to be managed remotely by ensuring the domain user account created for this purpose is a member of the local Administrators group. For security reasons, it is recommended for this domain user account not to be a member of the Domain Administrators group.

    4. On each Hyper-V host, use the following steps to configure the Authorization Manager policy:

    A. Open the Authorization Manager MMC by using the Run command prompt to run azman.msc.

    B. In the Authorization Manager interface, right-click and choose Open Authorization Store from the list.

    C. On the Open Authorization Store window, select the XML File radio button and use the Browse option to navigate to the following directory:

    C:\ProgramData\Microsoft\Windows\Hyper-V

    D. Select InitialStore.xml and click Open.

    E. On the Open Authorization Store window, click OK.

    F. In the Authorization Manager interface, expand the tree to open the Hyper-V Services\Role Assignments\Administrator folder.

    G. Select Administrator.

    H. In the right pane, right-click and select Assign Users and Groups => From Windows and Active Directory....

    I. Add the new user that you created in step 1.

    J. Exit the Authorization Manager.

    K. Reboot your Hyper-V server to effect the changes.

    5. On each Hyper-V host, use the following steps to configure the Ethernet NIC driver.

    Broadcom

    A. Verify that the driver version is 4.4.15 or later.

    B. Add a registry setting to preserve VLAN tags. This registry value needs to be added to the configuration parameters for each of the Broadcom network interfaces on the computer:

    i. Run the Registry Editor (regedit).

    ii. Search for "PriorityVLANTag" under HKLM\SYSTEM\ControlSet001\Control\Class.

    iii. Add the DWORD value "PreserveVlanInfoInRxPacket" with value 1 to the top level key.

    Intel

    Add the following registry setting: MonitorModeEnabled = 1

    The Hyper-V R2 hosts are now ready to serve as virtualization hosts in the Cloud Automation Platform environment.
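    The account requirements in steps 1 and 3 and in the Considerations list (local Administrators membership on every managed server, no Domain Administrators membership, a password that never expires) can be checked with a short read-only script. This is an added example, not part of the Quest guide; the domain, account and host names are placeholders, and it assumes the guide's "Domain Administrators" group is the built-in Domain Admins group.

```powershell
# Added example: read-only checks on the RSM management account.
# Placeholders (not from the guide): replace with your own domain, account and servers.
$Domain  = 'EXAMPLE'
$User    = 'svc-rsm'
# Include the Agent Services server as well as every Hyper-V R2 host.
$Servers = @('agentsvc01', 'hv01', 'hv02')
# Assumption: "Domain Administrators" in the guide means the built-in Domain Admins group.
$DomainAdminsGroup = 'Domain Admins'
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-DirectMember([string]$GroupPath) {
    # ADsPath of each direct member, e.g. WinNT://EXAMPLE/svc-rsm.
    # Nested groups are not expanded, so indirect membership is not reported.
    $group = [ADSI]$GroupPath
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Test-DirectMember([string]$GroupPath) {
    $wanted = "WinNT://$Domain/$User"
    [bool](Get-DirectMember $GroupPath | Where-Object { $_ -eq $wanted })
}

function New-Check([string]$Name, [bool]$Wanted, [bool]$Actual) {
    New-Object PSObject -Property @{
        Check  = $Name
        Wanted = $Wanted
        Actual = $Actual
        Pass   = ($Wanted -eq $Actual)
    }
}

$results = @()

# Steps 1 and 3: the account must be a local administrator on each managed server.
foreach ($s in $Servers) {
    $isAdmin  = Test-DirectMember "WinNT://$s/Administrators,group"
    $results += New-Check "Local Administrators on $s" $true $isAdmin
}

# Step 3: the account should not be a domain administrator.
$isDomainAdmin = Test-DirectMember "WinNT://$Domain/$DomainAdminsGroup,group"
$results += New-Check "Member of $DomainAdminsGroup" $false $isDomainAdmin

# Considerations: the account's password must be set to never expire.
$flags = ([ADSI]"WinNT://$Domain/$User,user").UserFlags.Value
$neverExpires = (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
$results += New-Check 'Password never expires' $true $neverExpires

$results | Select-Object Check, Wanted, Actual, Pass | Format-Table -AutoSize
```

    Because this account is a local administrator on every host and has a non-expiring password, a failed "Member of Domain Admins" check is the one to resolve first.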

    Next Steps

    In the Platform web interface, register and pool the host.

    Note: If the VMs on the Hyper-V R2 host require network translation (i.e. will be on dedicated VLANs rather than on the default network), refer to Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts) on page 31.

    Refer to the online Help for instructions to register the remote Hyper-V R2 hosts with the Platform. After the remote hosts are registered and assigned to a resource pool, the Remote Server Manager will manage the VMs and their configuration files on the registered remote hosts.

    Image Preparation for Hyper-V R2 Hosts

    The image for a VM that runs on a Hyper-V R2 host must include the Integration Services. Follow the Microsoft Hyper-V documentation for installing the Integration Services in your image.

    After the Hyper-V VM has the Integration Services installed, copy the .vhd file into the Library and use the Surgient_Image_Tool.iso to prepare the image. Refer to the online Help for instructions to add the images to the Library and prepare them for use in the Cloud Automation Platform environment.

    Using NAIL Server with Hyper-V R2 Hosts (Utility Hosts)

    Cloud Automation Platform uses NAIL servers to provide network address translation in an environment in which a single image (and thus a single IP address) might be duplicated or cloned, and used in multiple VMs in the environment. In such an environment, network address translation is required to prevent network conflicts; NAIL server translates the IP Address contained in the image to a unique address that is used only within the Cloud Automation Platform environment.

    Microsoft Hyper-V does not support VLAN trunking from a NIC to a virtual machine, so NAIL servers cannot be used on a Hyper-V host. However, network address translation can be accomplished in an all Hyper-V or a heterogeneous environment with the use of a utility host. A utility host is any server running supported virtualization software that also supports NAIL server, and is used by Hyper-V hosts for network translation services. ESX 3.5, ESX 3i, ESX 4, and ESXi 4 can function as the utility host platform.

    Note: In order for Hyper-V R2 to host multi-server sessions that require network address translation (i.e. cloned images are used), NAIL Server must be run in advanced mode. See Configuring NAIL Server Advanced Mode on page 137.

    Hyper-V R2 hosts that do not run server configurations using NAIL server can continue to be pooled in standard or advanced mode, and images that use DHCP/static IP Addresses do not require external NAIL server access. But in standard mode, or advanced without an accessible NAIL server on a utility host, sessions using NAIL server-designated content are not supported.

    Creating a Utility Host on an ESX Server

    Note: For a server to act as a utility host, the environment must use NAIL Server in advanced mode. For information about using NAIL Server in advanced mode, see Configuring NAIL Server Advanced Mode on page 137.

    To create a utility host on an ESX server, follow these steps:

    1. Register the ESX server in the Cloud Automation Platform environment. For detailed instructions, see the online Help topic Registering a Remotely Managed Host.

    2. Pool the utility host's RAM only (not the RAM of any of the hosted VMs). Additionally, define the computing capacity (EPUs) for the host. This must be done before pooling Hyper-V content hosts; otherwise there will be an error when you pool the Hyper-V content hosts.

    3. Pool the content host(s) that will be using the utility host. This causes the NAIL Server VM to be started on the utility host.

    About Partner Extensions

    Cloud Automation Platform supports integrations with Data Center Automation and virtualization management systems such as Symantec Altiris Deployment Solution, HP Server Automation (formerly Opsware Server Automation), and VMware vCenter Server.

    Note: For detailed information about how to use the CAP web interface to register and implement Partner Extensions, see the online Help. Information about configuration that needs to be done either before installation or before accessing the CAP web interface is included in this installation guide.

    Integration with the following products enables several Cloud Automation Platform features:

    HP Server Automation

    Deployment Actions -- Running HP SA Software, Audit, and Patch policies against sessions in the Cloud Automation Platform environment.

    External Provisioning -- HP SA uses OS provisioning to deploy server configurations. Server configurations that are intended to be externally provisioned by HP SA are created using OS Sequences. This server configuration, when deployed, installs the specified operating system and any additional software or data included in the sequence. OS sequences can be deployed to either a virtual machine or to a physical computer that is provisioned by HP SA. See External Provisioning with HP Server Automation on page 34 for more information.

    Provisioning to Virtual Machines -- By default, sessions based on OS sequences are provisioned to virtual machines. Provisioning details, such as whether the server configuration is deployed to a VM or to a physical computer, are determined by the hardware profile that is selected when creating the server configuration.

    Physical Provisioning -- Physical computers that are managed by HP Server Automation can be added to the Cloud Automation Platform resource pools and used as targets for OS sequence-based sessions. For more information about physical provisioning, see Physical Provisioning on page 176.

    Note: If your environment requires the use of isolated DHCP networks and physical provisioning to HP Server Automation-managed physical computers, you must configure network switch automation. See Using Network Switch Automation on page 143.

    VMware vCenter Server

    vCenter Templates -- Import/Export of vCenter Server virtual machine templates.

    Dual management -- An ESX or ESXi virtualization host can be registered with both Cloud Automation Platform and VMware, enabling features in both products to be leveraged without interference.

    High Availability -- Integration with VMware vCenter allows users to specify selected virtualization hosts as highly available, meaning that if the host computer fails, any VMs on the host computer will be migrated to another, functional host computer. See Using High Availability with VMware vSphere on page 170 for more information.

    Symantec Altiris Deployment Solution

    Deployment Actions -- Running Altiris jobs against sessions in the Cloud Automation Platform environment.

    Physical Provisioning -- Using Altiris to manage the use of physical computers in the lab environment. For more information about physical provisioning, see Physical Provisioning on page 176.

    Note: Integration with Altiris requires the installation of the Quest CAP Agent on the Altiris server.

    In order to implement the integrations, a partner extension is registered with Cloud Automation Platform.

    Note: Instead of using the Register feature on the Partner Extensions table page, integrations with Altiris are automatically registered with the Cloud Automation Platform environment when the Quest CAP Agent (installed on the Altiris Deployment Server) checks in with the Platform server.

    External Provisioning with HP Server Automation

    To implement external provisioning with HP SA, use the following workflow summary as a guideline. Refer to HP Server Automation on page 177 for information about using HP SA to provision physical servers. Refer to the online Help for instructions to use the CAP web interface to implement external provisioning with HP SA.

    Workflow Summary

    Verify that Wake on LAN and PXE are enabled for the primary NIC on each HP SA-managed physical computer.

    Register the HP Server Automation core server in the CAP web interface, using the Partner Extensions node in the left navigation pane. Refer to the online Help for detailed instructions.

    If the PXE boot server is not on the HP SA core server, but rather on a satellite server, you will need to specify the PXE server IP address after registering the physical computer. Edit the Physical Provisioning server Details page to specify the PXE boot server address; refer to the online Help for detailed instructions.

    Note: The user account used to register the HP SA core server must have broad Run Command on Server privileges, and must have both Admin and root privileges (for both Windows and Linux servers).

    Register any HP SA-managed physical computers that you want to use in the Cloud Automation Platform environment, using the Physical Provisioning node in the navigation pane. Refer to the online Help for instructions to register a physical computer.

    Note: The physical computer must have been provisioned by HP SA at least once prior to registering with Cloud Automation Platform. Servers that have not previously been provisioned by HP SA will not display in the list of servers to register in Cloud Automation Platform.

    If NIC 0 (as reported by HP SA) is not the primary NIC (i.e. is not the interface enabled for PXE boot and Wake on LAN) you must use the Physical Provisioning server Details page to explicitly designate the primary NIC.

    If using VLAN-isolated DHCP networks, configure these DHCP networks. See Using VLAN-isolated DHCP Networks on page 141.

    If using VLAN-isolated DHCP networks and physical computers provisioned by HP SA, you must configure network switch automation. See Using Network Switch Automation on page 143.

    Create a new server configuration using an OS Sequence. Any OS Sequences that are on the SA Core server when the core server is registered with Cloud Automation Platform will appear in a drop-down list when creating a new server configuration. (Select External Provisioning to see the list of OS Sequences.) Refer to the online Help for detailed instructions to create a server configuration using OS Sequences.

    When creating the server configuration, use the Hardware Profile to determine whether the server configuration will be deployed to a physical computer or virtual machine, and other deployment details.

    From one or more OS Sequence-based server configurations, create an application configuration and session.

    Note: If any step in the overall process of provisioning and deploying the OS Sequence fails, the entire deployment will fail and the user will be notified.

    Security And Encryption

    Cloud Automation Platform provides support for increased security to meet standards and requirements of IT departments and large enterprises.

    Cloud Automation Platform security features include:

    Increased security for passwords (key lengths and encoding)

    Support for 2-way secure communication between agents and platform

    Support for encrypted SQL connections (specify during installation)

    Obfuscate identifiers in web request resources

    Optional regular expression entries to generate query string input validation error

    Hidden password entry on vcsadmin login

    Review the following sections for information about configuring certain security options.

    Configuring 2-way Secure Communication

    To configure the Cloud Automation Platform environment to use 2-way secure communication (SSL), follow these steps:

    1. Install the Platform components. See Product Installation on page 41 for details.

    Note: (Altiris only) During an upgrade (but not during a fresh installation) of the Agent Services component of the platform, you are prompted to upgrade all Windows Agents in the environment. After upgrading the Windows Agents on any Altiris Deployment Servers, resume the platform upgrade.

    Additionally, any Windows and Linux guest agents in Altiris physical images must be upgraded.

    2. Configure IIS for secure communication on the computer running the Agent Services (agent message forwarder):

    Enable SSL port for the Default Web Site

    Configure the Default Web Site with a certificate

    3. Before pooling any hosts, use vcsadmin to set the configuration setting DefaultMsgRoute to specify the https scheme. For example: https://IP_Address/ingress/mailbox.aspx

    4. In the Windows Agent configuration file, set the MyMailbox configuration value to specify the https scheme.

    5. Restart all Quest CAP Agents.

    Note: For an upgrade or for a time period after a fresh install, schedule a maintenance window for all hosts that have NAIL Servers and follow step 3 and step 4. Restart the Agents and the NAIL Servers.

    6. Upgrade Altiris Guest Agents: If your environment includes Altiris physical images (.img), you will need to upgrade the guest agents in each image:

    A. Start the physical image.

    Deploy an application using the physical image using the Cloud Automation Platform system.

    Use Altiris DS directly to start t