View Source

Introduction

In preparation for your migration to, and adoption of, the DaaS platform, we have compiled this document for you. Within, you will find information on how to setup a DHCP scope for DaaS, recommended Group Policies to implement, and information on how to setup Redirected Folders.

There is also additional documentation on the DaaS platform available here:

Increasing Desktop Resources

Disk can be added to existing desktops as needed, Extra disk space is billed per GB.
vCPU & RAM cannot be added to existing desktops. User must be given a new desktop in order to add these resources.

End User Devices and Limitations

Known Non-Supported Applications

Adobe Photoshop
AutoCAD
Screen Scaring- LogMein

DHCP

XTIUM will generally provide 2 Domain Controllers with the DaaS Bundle.
XTIUM will generally install the DHCP role on the Primary Domain Controller which will have an IP address of 10.200.1.10 unless requested otherwise.
XTIUM will generally provide an IP subnet of 10.200.1.0/23 (10.200.3.0/23 for DR Desktops) unless requested otherwise. Check the IP range for DR DAAS for BOTH PROD and regular. Put this info under business rules for DaaS?
If the DHCP server will be hosted in the Client’s On-Premise environment, a DHCP helper/relay will be required to deliver these DHCP requests over a VPN tunnel.

DHCP Scope Recommendation

Configure the DHCP scope to use 10.200.1.1-10.200.1.254 (10.200.2.1-10.200.2.254 for DR)
- The subnet mask will be a length of 23 (255.255.255.0)
- Setup the following exclusions
  - 200.1.1-10.200.1.50 (10.200.2.1-10.200.2.50 for DR)
    - These are generally exluded for Servers
  - 200.1.200 (10.200.2.200 for DR)
  - This is excluded for the Default Gateway
  - 200.1.230-10.200.1.232 (10.200.2.230-10.200.2.232 for DR)
    - These are excluded for DaaS Back-end Appliances
  - Set the lease duration to 1 hour
  - Set the Default Gateway to 10.200.1.200
  - Set the DNS servers to 10.200.1.10 & 10.200.1.11
    - Unless other addresses were used for the 2 domain controllers in XTIUM’s Cloud
  - Activate the Scope
- Edit the Scope Options
  - Enable option 74 using the following addresses:
    - 200.1.230 & 10.200.1.231 (Unless a different subnet was used)
    - 200.2.230 & 10.200.2.231 (For DR Desktops)
    - These are the DaaS Appliances, option 74 is used as a heartbeat to allow the DaaS platform to check in with the desktops

Redirected Folders

XTIUM recommends using Redirected Folders for User Profiles as a best practice in DaaS.
XTIUM recommends putting the Redirected Folder share on a file server on its own separate drive.
XTIUM recommends following Microsoft’s best practices when it comes to applying permissions to the share used for redirected folders.

Setting up the Redirected Folder share & permissions

Add an additional drive to the File Server that the profiles will be stored on
Create a folder called “FR” or “Users”, you can use any name that fits your naming scheme
Setup Advanced Sharing on this folder
- You can add a “$” to the end of the share name to make the share hidden
- Set the share permissions to “Everyone” allowing “Full Control”
Under Security on this folder, use the following NTFS permissions
- CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
- SYSTEM – Full Control (Apply onto: The Folder, Subfolders and Files)
- Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files)
- Everyone – Create Folder/Append Data (Apply onto: This Folder Only)
- Everyone – List Folder/Read Data (Apply onto: This Folder Only)
- Everyone – Read Attributes (Apply onto: This Folder Only)
- Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only)

Setting up the Redirected Folder Group Policy

Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - Folder Redirection
Right-click the GPO that you created for the group policy settings and select Edit.
- User Configuration -> Policies -> Windows Settings -> Folder Redirection
- Favorites

Setting: Basic (Redirect everyone’s folder to the same location)
Target Folder Location: Create a folder for each user under the root path
Path: ‘\\CUST_FILE_SERVER\FOLDER\SHARE’
Options:
- Grant user exclusive rights to Favorites: Disabled
- Move the Contents of Favorites to the new location: Enabled
- Also apply redirection policy to Windows 2000 server, Windows…: Disabled
- Policy Removal Behavior: Leave Contents
Desktop
- Setting: Basic (Redirect everyone’s folder to the same location)
- Target Folder Location: Create a folder for each user under the root path
- Path: ‘\\CUST_FILE_SERVER\FOLDER\SHARE’
- Options:
  - Grant user exclusive rights to Desktop: Disabled
  - Move the Contents of Desktop to the new location: Enabled
  - Also apply redirection policy to Windows 2000 server, Windows…: Disabled
  - Policy Removal Behavior: Leave Contents
- Documents
  - Setting: Basic (Redirect everyone’s folder to the same location
  - Target Folder Location: Create a folder for each user under the root path
  - Path: ‘\\CUST_FILE_SERVER\FOLDER\SHARE’
  - Options:
    - Grant user exclusive rights to Documents: Disabled
    - Move the Contents of Documents to the new location: Enabled
    - Also apply redirection policy to Windows 2000 server, Windows…: Disabled
    - Policy Removal Behavior: Leave Contents
  - Downloads
    - Setting: Basic (Redirect everyone’s folder to the same location)
    - Target Folder Location: Create a folder for each user under the root path
    - Path: ‘\\CUST_FILE_SERVER\FOLDER\SHARE’
    - Options:
      - Grant user exclusive rights to Downloads: Disabled
      - Move the Contents of Downloads to the new location: Enabled
      - Also apply redirection policy to Windows 2000 server, Windows…: Disabled
      - Policy Removal Behavior: Leave Contents
    - Music
      - Setting: Follow the Documents Folder
    - Videos
      - Setting: Follow the Documents Folder
    - Photos
      - Setting: Follow the Documents Folder

Recommended Group Policies

XTIUM recommends additional group policies to enhance user experience & provide the best performance possible

Setting up Group Policies

Agent Desktop Timeout
1. Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - Agent Desktop Timeout
2. Right-click the GPO that you created for the group policy settings and select Edit.
  1. Computer Configuration -> Polices -> Administrative Templates -> Classic Administrative Templates -> VMWare View Agent Configuration -> View Agent Direct-Connection Configuration
    1. Session Timeout: Enabled -> 999999
    2. User Idle Timeout: Enabled -> -1
    3. Client Session Timeout: Enabled -> 99999999
  2. Disable Shutdown Event Tracker
    1. Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - Disable Shutdown Event Tracker
    2. Right-click the GPO that you created for the group policy settings and select Edit
      1. Computer Configuration -> Policies- > Administrative Template -> System
        Display Shutdown Event Tracker: Disabled
      2. PCoIP - Clipboard Redirection & vSphere Console Access
        Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - PCoIP
        Right-click the GPO that you created for the group policy settings and select Edit.
        Computer Configuration -> PCoIP Session Variables -> Overridable Administrator Defaults
        Configure clipboard redirection: Enabled in both directions
        Enable access to a PCoIP session from a Sphere console: Enabled
3. Turn off Display
  1. Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - Turn Off Display
  2. Right-click the GPO that you created for the group policy settings and select Edit.
    1. Computer Configuration -> Administrative Templates -> System -> Power Management -> Video and Display Settings
      1. Turn Off the Display (Plugged In): Enabled
      2. Turn Off the Display (seconds): 0
    2. User Group Policy Loop-back (Ensure that this GPO is always applied last)
      1. Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - User Group Policy Loopback
      2. Right-click the GPO that you created for the group policy settings and select Edit.
        Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy
        User Group Policy loopback processing mode: Enabled
        Mode: Merge
        Ensure this GPO is processed last.

Chrome Graphics Optimization

Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - Chrome Graphics Optimization
Right-click the GPO that you created for the group policy settings and select Edit.
1. Computer Configuration -> Polices -> Administrative Templates -> Classic Administrative Templates -> Google -> Google Chrome
  1. Use hardware acceleration when available: Disabled

IE Graphics Optimization

Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - IE Graphics Optimization
Right-click the GPO that you created for the group policy settings and select Edit.
1. User Configuration -> Preferences -> Windows Settings -> Registry
  1. Action: Create
  2. Hive: HKEY_CURRENT_USER
  3. Key Path: Software\Microsoft\Internet Explorer\Main
  4. Value Name: UseSWRender
  5. Value Type: REG_DWORD
  6. Value Data: 00000001
  7. Base: Hexadecimal
2. Office 2016 Graphics Optimization
  1. Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - Office 2016 Graphics Optimization
  2. Right-click the GPO that you created for the group policy settings and select Edit.
    1. User Configuration -> Policies -> Administrative Templates -> Microsoft 2016 -> Miscellaneous
      1. Do not use hardware graphics acceleration: Enabled
    2. Disable Server Manager
      1. Create new GPO Under the OU with the desktops in it with the name: XTIUM - DaaS - Disable Server Manager
      2. Right-click the GPO that you created for the group policy settings and select Edit.
        Computer Configuration -> Policies -> Administrative Templates -> System -> Server Manager
        Do Not display Server Manager automatically at logon: Enabled

Images

What is an Image?

An image is a Virtual Machine that is the master template that will be used to clone and deploy your DaaS desktops.
You install all applications on this Virtual Machine that you want each user to have access to.

Things to Know about your Image

To create desktop pools, you first create an image and then deploy the image into the pool. Images help define different desktop configurations. Two images are included with every account and one image will be preloaded for you during installation. If you need additional images beyond the two that are included and the one that is initially deployed for you, please contact your CTA.
When a change is made to a Image, it will not affect your existing desktops.
Changes to the Image only affect new desktops that are provisioned from that image after it has been completed.
A image must be sealed before it can be used or before any existing pool that is associated with it can be modified.
When a Image is sealed, the process runs sysprep on the Image and then shuts it down.
This allows sysprep to automatically run on all new desktops that are created from it.
When you power on a Image to make changes to it, it takes some time to become available as it is running through that sysprep process.
XTIUM recommends taking a backup of a Image before making any changes to it.
To do this select the Image open ellipses and select backup now.
Do not join the image to your domain.
1. If this is required to install an application you may join it to the domain, but it must be removed from the domain before sealing it.
You always want to ensure that the network category on the NIC is set to private (Not public).
Any customizations that you make to the start menu or toolbar will not stick to new desktops, these customizations are user specific and must be done per user.
If you need to create a shortcut on the desktop for all users, you can create a shortcut under C:\Users\Public\Public Desktop (Which is a hidden folder).

RACI

R = Responsible

A = Accountable

C = Consulted

I = Informed

DaaS 3.0
		XTIUM	Client
DaaS Infrastructure	Datacenter Infrastructure	R, A	I
	Build, Operate, and Maintain Server Infrastructure to support DaaS Solution	R,A	I
	Provide One license of Microsoft RDS per desktop	R,A
	End points (Windows and MAC, Thin/Zero Clients, Tablets, Smart Phones) intended to run the DaaS client must support the Horizon View client or the HTML5/ Blast client	C,I	R,A
	Support the PCoIP protocol	C,I	R,A
	Maintain image(s)	C,I	R,A

Implementation and Administration	DaaS Image Creation	A,R	I
	DaaS OS Licensing	C,I	R,A
	DaaS Application Licensing	I	A,R
	DaaS Application Installation	C,I	A,R
	Administration of Active Directory (AD)	I	R,A
	Group Policy Administration (GPO)	I	R,A
	Assign One Group Administrator for each location.	I	R,A
	User profile	I	R,A
	Group Administrator- learn the features of the Services and provide assistance to internal users of the Services.	I	R,A
	Direct support only to specified Group Administrators	R	A, C
	Creation of Rules and Policies	I	R,A
	File Permissions	I	R,A
	Configuration of new IP address assignments on any hardware and/or software not managed by EIP	I	R,A
	Provide knowledgebase (support.xtium.com) access to training materials, user guides, quick tip videos, and best practices	R,A	C, I
	Provide access to appropriate web portals for administration of XTIUM Services
	Seeding of data to the XTIUM Cloud	I	R,A
	Local Device Support	I	R,A
	Printer Issues	I	R,A
	Print Server performance	I	R,A
	Zero/Thin client/Client Devices	C,I	R

Customer Network infrastructure	Provide local network connectivity for client devices	C,I	R,A
	Provide local internet connectivity for client devices	C,I	R,A
	Appropriate available bandwidth per concurrent use ((150 kbps for a one-display session plus 50-100 kbps per each additional display per-session)	C,I	R,A
	Provide or ensure sufficient bandwidth, so that total traffic does not regularly exceed 75% of the total available bandwidth	C,I	R,A
	LAN switches must have individual VLANS for voice and data according to XTIUM provided instructions.	C,I	R,A
	lnternal cabling is CAT 5, CAT 5E, CAT 6, or is otherwise capable of delivering at least 100mbps to the end device	C,I	R,A
	engaging the service provider for support in the event of a service outage and/or quality degradation	C,I	R,A

Security	Dual Factor Authentication	I	R, A
	Maintain non-parsed log records in raw log formats	R,A	I
	Install security patches, updates, and service packs for the DaaS desktops	I	R,A
	Virus and Malware Protection	I	R,A
	Education of its employees related to responsible use of Internet-based resources and the security of its data	I	R,A
	Maintain backups of data	R,A	I
	Maintain Encryption keys for optional software based encryption of data	I	R,A

Anti Virus Exclusions

DaaS clients using Trend Worry Free from XTIUM will already have these VMware and Microsoft exclusions configured by our Implementation team:

pcoip_server_win32.exe
splwow64.exe
vmtoolsd.exe
DaaSAgent.exe
wssm.exe
VMBlastS.exe
wsnm_jms.exe
vmwareviewclipboard.exe*
C:\Windows\system32\taskmgr.exe
${WinDir}\SoftwareDistribution\Datastore\DataStore.edb
${WinDir}\SoftwareDistribution\Datastore\Logs\Edb*.jrs
${WinDir}\SoftwareDistribution\Datastore\Logs\Edb.chk
${WinDir}\SoftwareDistribution\Datastore\Logs\Tmp.edb
${windir}\Security\Database\*.edb
${windir}\Security\Database\*.sdb
${windir}\Security\Database\*.log
${windir}\Security\Database\*.chk
${windir}\Security\Database\*.jrs
${windir}\Security\Database\*.xml
${windir}\Security\Database\*.csv
${windir}\Security\Database\*.cmtx
outlook.exe*
excel.exe
word.exe