Director 2.1 and earlier
In Director 2.1 and earlier, information retrieval was achieved by direct communication between Director and the VDAs using Windows Remote Management (WinRM).
The XenDesktop installer can automatically enable and configure WinRM for use by Director. If you choose not to configure WinRM automatically using the XenDesktop installer, or you install WinRM after running the XenDesktop installer, these changes can be made manually. For more details on installing, configuring and troubleshooting WinRM manually, please refer to CTX125243.
To allow non-domain administrators (or groups or computer accounts) to use Director, run the ConfigRemoteMgmt.exe tool on the Director server with administrative privileges from a command prompt using the following arguments:
ConfigRemoteMgmt.exe /configwinrmuser domain\name
where name is a security group, user, or computer account. For example:
- To grant the required permissions to a user security group:
ConfigRemoteMgmt.exe /configwinrmuser MyDomain\HelpDeskUsers
- To grant the permissions to a specific computer account:
ConfigRemoteMgmt.exe /configwinrmuser MyDomain\DirectorServer$
Direct communication between Director and the VDAs through WinRM can sometimes lead to problems such as:
- Director machines need to be able to establish WinRM (WMI over HTTP) connections to the VDAs. The WMI-over-HTTP communication port also had to be opened, and a firewall exception added, on each VDA.
- The VDAs have no knowledge of Delegated Administration and no way to manage access to the WMI classes other than the mechanism provided by Microsoft.
- WMI security permissions are not very granular, so opening parts of the WMI functionality exposes a large functional area to the Director administrators.
The problems stated above are addressed in Director 7.0.
Director 7.0 and later
In XenDesktop 7.0, the Director WMI proxy plug-in was introduced to overcome all the problems mentioned above. The WMI proxy plug-in is installed as part of the VDA. Director ensures that all requests are routed through the Delivery Controller to the WMI proxy plug-in running on the VDA. The WMI proxy plug-in responds to the Director requests, and the responses are routed back through the same channel.
The WinRM port need not be open:
With the introduction of the WMI proxy plug-in in Director 7.0, there is no longer a need to configure WinRM. To use the WMI proxy service, Director sends the query to the Delivery Controller. The Delivery Controller in turn sends the query to the VDA through the existing secure communication channel between the Delivery Controller and the VDA. The WMI proxy plug-in, which is loaded as part of the Broker agent in the VDA, responds to the query by sending the required details. As a result, Director does not need any WinRM port to be open on the VDA, and the WMI queries are run locally on the VDA through the WMI proxy plug-in.
In addition, there is no longer a requirement to add any firewall exceptions.
Delegated Administration awareness:
The Delegated Administration model offers the flexibility to match how an organization wants to delegate administration activities, using role- and object-based control. In older versions there was direct communication between Director and the VDAs using Windows Remote Management (WinRM). Because the VDAs have no knowledge of Delegated Administration, managing access to WMI objects was difficult.
With the WMI proxy plug-in, the communication is routed through the Delivery Controller. Because the Delivery Controller is aware of Delegated Administration, it can check the permissions on a request before forwarding it to the VDA. A request is forwarded to the VDA only if the required permission is set, and each request requires a specific permission. Hence enforcing Delegated Administration becomes easier.
For example, resetting the Personal vDisk can be done by a Help Desk Administrator, but this action is not available to a Read-only Administrator. Custom roles can be created to perform specific operations.
For more information on Delegated Administration, please refer here.
A pictorial representation of the communication path would look like this:
For XenDesktop 7.0 or later deployments, there is no need to configure WinRM for Director to retrieve data from the VDAs. However, if VDAs earlier than XenDesktop 7 are still installed (legacy VDAs), Director falls back to WinRM calls to query the required data, so WinRM must still be configured for Director to work with these legacy VDAs.
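The two passages above (the WinRM port no longer needing to be open, and the fallback to WinRM for legacy VDAs) mean that after an upgrade the old Director path may still be exposed on VDAs that no longer need it. The following PowerShell, added here as an example and not part of the Citrix article or product, reports on a VDA whether the legacy WinRM-over-HTTP exposure is still present; the function name and the default port of 5985 are assumptions (adjust the port if your deployment changed it).

```powershell
# Added example (not from the Citrix article): run on a VDA to report whether the
# legacy Director path (WMI over HTTP via WinRM, TCP 5985 by default) is still exposed.
# Once every VDA is XenDesktop 7.0 or later, Director uses the WMI proxy plug-in and
# no longer needs this listener or its firewall exception.
function Get-LegacyDirectorWinRMExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 5985   # assumed default WinRM HTTP port
    )

    # State of the WinRM service itself
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue

    # Enabled HTTP listeners: the transport the pre-7.0 Director path relied on
    $listeners = @()
    if ($svc -and $svc.Status -eq 'Running') {
        $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
            Where-Object { $_.Transport -eq 'HTTP' -and $_.Enabled -eq 'true' -and $_.Port -eq $Port })
    }

    # Enabled inbound allow rules in the built-in "Windows Remote Management" firewall group
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        WinRMServiceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        HttpListeners     = $listeners.Count
        InboundAllowRules = $fwRules.Count
        # Exposed only when both a listener and a matching firewall allow rule are active
        LegacyPathExposed = ($listeners.Count -gt 0 -and $fwRules.Count -gt 0)
    }
}

Get-LegacyDirectorWinRMExposure | Format-List
```

A result of LegacyPathExposed = True on a VDA that is 7.0 or later is not by itself a defect, since the same listener may be used by PowerShell remoting or other management tooling; it identifies where the Director-specific exception can be reviewed once no legacy VDAs remain.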