I am getting to play with App-V a little bit more, so I decided that it was a good idea to build a test lab. Resources are short: I currently have no 64-bit hardware capable of running vSphere in my lab, so I have had to resort to my faithful Workstation 7 instance on my laptop.
So let's get on with building an App-V lab in Workstation 7.
Firstly you will need the following pieces of software:
- Windows Server 2008
- SQL 2008
- App-V 4.5 (this may be a little hard to get hold of, as it is only available via the MDOP package or a TechNet subscription)
- Internet connection (this is for SQL to download some of its pre-reqs)
We will start at the beginning: a Windows 2008 installation. This configuration is vanilla, and I mean vanilla; all that has been done is to allow an internet connection to download any patches that are required! Configure your VM's NIC with a static IP etc., then configure Active Directory. I am calling my domain PVM.internal; call yours whatever rocks your boat.
Domain Name: PVM.internal
Forest Functional Level: Windows 2008 Native Mode
Once AD and DNS have been configured you will need to install a SQL server; I chose SQL 2008. I am not going to go into installing SQL, as it is a generic SQL install consisting of the Database Engine and the Complete Management Tools.
Create a service account to use with the SQL installation. Ed, don't shout, but I did configure my Domain Administrator to be an administrator for the SQL Server as well (however, as this is a test environment I am not that bothered regarding the security implications).
One thing to note is that once SQL 2008 is installed you NEED to enable TCP/IP. To do this, go to the Start menu of the guest and look for SQL Configuration Manager. Once the application has opened, browse to SQL Server Network Configuration > Protocols for MSSQLSERVER; in the right pane you will see the TCP/IP protocol, which you need to change from Disabled to Enabled. If you do not do this, the App-V installer will not be able to connect to the SQL database.
Now that we have the base OS, it is time to get a couple of pre-reqs sorted. So first let's set up IIS. Only a few elements of IIS7 are required; to be fair, there is only one thing that needs altering from a default install.
So let's get started!
- Go to Server Manager, right-click Roles > Add new role
- The New Role Wizard will start > Click Next
- On the Select Server Roles screen, tick "Web Server (IIS)", and then click "Add the required Feature" when the pop-up appears.
- In the Intro to IIS screen just click next to take us onto the IIS options.
- Now in the "Role Services" section of the wizard add "IIS Management Scripts and Tools" and confirm that "IIS Management Console" is added. Also select "Windows Authentication" under the Security section, and under Application Development confirm that ASP.NET and .NET Extensibility are selected. Then click Next to review the options you have selected, and then select Next again. One little thing as an aside: if you are not going to utilise certificates and just want to utilise the Management Server console, you must still enable ASP.NET/.NET Extensibility as a Role, or you will receive error code 0000C809 when you attempt to log into the console.
- Sit with a cuppa tea or coffee whilst IIS adds itself to your Win2k8 platform and hit Finish at the end!
That’s IIS done and dusted.
Now to configure the CA for certificates, read my post here. I decided to split out this section as this post would have become a book!
Before you start to install the management server, add the following groups to AD:
- App-V Admins (I have added my administrator account into this)
- App-V Users (I have added this to the Domain Users Group as a nested group)
- In the extracted files click, rather surprisingly for a Microsoft product, setup.exe to start the installation. On the Welcome screen, click Next.
- On the License Agreement screen, have a very good read of the license agreement, every word, as there will be a test at the end ;). Select "I accept the terms in the license agreement" and click Next. (Now obviously only select I agree if you really do agree 😉.)
- Next select whether to allow MS Updates; for ease I selected to allow MS updates. Click Next.
- On the Registering Information screen, enter the name of a user and the user's organization, and then click Next.
- Now in the Setup Type screen select Custom Install (go on, you know you want to, you are a big boy now and mummy says you are allowed!) and then select Next.
- On the Custom Setup screen, Select all Application Virtualisation Platform components and then click Next.
- Now on the Configuration Database screen I have chosen to point the installation directly at my database by checking "Use the following database" and specifying my local machine and the default SQL port of 1433. Then click Next.
Remember this is a test deployment, not production; in production you would separate these functions for performance and resilience.
- Select "Create a new database", type your new database name (PVM-APP-V) and then select Next.
- For the connection security mode, let's really join the big boys and use enhanced security. In the drop-down menu select the certificate you created in IIS7 (see my post on Certificate Services; I did warn you to read my post earlier, remember) and then select Next.
- On the Port Setting screen, select the default port (322) and then click Next.
- On the Administrator Group screen, enter the name of the administrator group. Remember that at the beginning of this post I mentioned I had already created the Global Group for App-V Admins; well, this is where you enter that group. Then click Next.
- On the Default Provider Group screen, enter the name of the default provider group. Again, remember we specified this earlier (App-V Users). Then click Next.
- I left the Content Path location as default for now, then click Next.
- Click Install, go and make another cup of tea or coffee, and wait for all the database/Management Server/Web Service gubbins to be installed and created.
- Once completed, click Finish and reboot your server! Now imagine having to reboot a Windows server after an installation.
- Once rebooted, it is now time to play... well no, not exactly. There are still some minor config steps left to go, but then you already guessed that, didn't you!
So what are these final few steps I hear you say!!
Well, remember that certificate that was used earlier? We need to modify some ACLs on it to allow the Network Service account to use the certificate for RTSPS.
At this moment in the sft-server.txt file you should see the following messages
To give the Network Service account access to the certificate, the permissions on the certificate's private key must be modified to allow access for the security context that the App-V service is running as. This is required for successful TLS-secured communications. Basically, if this part is not done, all TLS communications will fail when SChannel attempts to access the key during a TLS transaction.
Now to do this you will need to download a special tool from the Windows 2003 Resource Kit (yes, I did say 2003); this tool is called WinHttpCertCfg.exe. There are other ways to modify the certificate permissions, however I have found this to be the most straightforward and by far the easiest way of completing this task. You can find winhttpcertcfg.exe at the link below.
- On the machine that will become the App-V Management or Streaming server, type the following commands in the command shell to list the current permissions assigned to a specific certificate.
winhttpcertcfg -l -c LOCAL_MACHINE\My -s Name_of_cert
- Next, if necessary, modify the permissions of the certificate to provide read access to the security context that will be used for the Management or Streaming Service.
NOTE: The default security context is Network Service.
winhttpcertcfg -g -c LOCAL_MACHINE\My -s Name_of_cert -a NetworkService
- Verify that the security context was properly added by listing the permissions on the certificate.
winhttpcertcfg -l -c LOCAL_MACHINE\My -s Name_of_cert
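The same verification can be done by reading the NTFS ACL on the private key file directly. This is an added example, not part of the original post or of App-V; it assumes PowerShell 2.0 or later, an elevated prompt, and a key stored by a CSP under RSA\MachineKeys, and `Name_of_cert` is the same placeholder used in the commands above.

```powershell
# Added example: audit the NTFS ACL on the private key behind the App-V certificate.
# Assumptions: PowerShell 2.0+, elevated prompt, key held by a CSP under RSA\MachineKeys.
$subjectMatch = 'Name_of_cert'                 # placeholder, as passed to winhttpcertcfg -s
$serviceId    = 'NT AUTHORITY\NETWORK SERVICE' # default App-V service context
$tooBroad     = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$subjectMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches '$subjectMatch'" }

# The key container is a file; its ACL decides which accounts can use the key.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
$allow     = (Get-Acl -Path $keyFile).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' }

$allow | Format-Table IdentityReference, FileSystemRights -AutoSize

# The service account needs an Allow entry, and read access is all it needs.
$write = [System.Security.AccessControl.FileSystemRights]::WriteData
$svc   = @($allow | Where-Object { $_.IdentityReference.Value -eq $serviceId })
if ($svc.Count -eq 0) {
    Write-Warning "$serviceId has no Allow entry on the key: TLS handshakes will fail"
}
foreach ($rule in $svc) {
    if ($rule.FileSystemRights -band $write) {
        Write-Warning "$serviceId has write access ($($rule.FileSystemRights)); read is enough"
    }
}

# Flag entries that hand the private key to every account on the box.
foreach ($rule in $allow) {
    if ($tooBroad -contains $rule.IdentityReference.Value) {
        Write-Warning "Private key has an Allow entry for $($rule.IdentityReference.Value)"
    }
}
```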
Once this is completed and is successful, restart your App-V Management Server service and review the sft-server.txt, which should look a lot happier;
That is a good place to stop this post. Next: configuring Client Server communication.
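Alongside the log, a TLS handshake against the RTSPS port confirms that the service can now reach its key. This is an added example, not part of the original post; the FQDN `appv.pvm.internal` is a hypothetical name in the PVM.internal domain, and it assumes PowerShell 2.0 or later, a listener that starts TLS immediately on connect, and an issuing CA that this machine trusts.

```powershell
# Added example: probe the RTSPS listener and report the certificate it presents.
# Assumptions: PowerShell 2.0+, TLS starts on connect, issuing CA trusted on this machine.
$server = 'appv.pvm.internal'   # hypothetical FQDN; must match the certificate subject
$port   = 322                   # RTSPS port selected in the installer

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($server, $port)
    $stream = $client.GetStream()
    $ssl    = New-Object System.Net.Security.SslStream($stream, $false)

    # Throws if the server cannot complete the handshake (for example when the
    # service account cannot read the private key) or if validation fails.
    $ssl.AuthenticateAsClient($server)

    New-Object PSObject -Property @{
        Protocol = $ssl.SslProtocol
        Cipher   = $ssl.CipherAlgorithm
        Subject  = $ssl.RemoteCertificate.Subject
        Issuer   = $ssl.RemoteCertificate.Issuer
        Expires  = $ssl.RemoteCertificate.GetExpirationDateString()
    }
}
catch {
    Write-Warning "TLS probe of ${server}:$port failed: $($_.Exception.Message)"
}
finally {
    $client.Close()
}
```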