Are you looking to start monitoring VMware Virtual Desktop Infrastructure traffic? This post will get you started especially if you plan to do it with NetFlow or IPFIX. Virtual desktop Infrastructure (VDI) is a desktop-centric service that can host users’ desktop environments on remote servers and/or blade PCs, which are accessed over a network using a remote display protocol.
VMware Virtual Desktop Manager (VDM) is an enterprise class virtual desktop manager that securely connects authorized users to centralized virtual desktops. It works with VMware Virtual Infrastructure to provide a complete, end‐to‐end VDI solution that improves control and manageability and provides a familiar desktop experience.
Benefits of VDI
The benefits of VDI with VDM include the following:
- Control and manageability in a single product – Administrators can more easily provision, manage, and maintain desktops because the desktops are running in the data center.
- Familiar end user experience – Users get flexible access to a personalized, virtual desktop that behaves just like their PC desktops.
- VMware Infrastructure integration – VDI extends the benefits of VMware infrastructure to the desktop by leveraging the backup, failover, and disaster recovery capabilities of VMware Infrastructure.
- Lower total cost of ownership (TCO) – By reducing administration and energy costs and extending the useful life of PCs, VDI delivers lower TCO.
Once you have enabled the Virtual Distributed Switch NetFlow Support, the following default TCP ports are used for each protocol involved with VDI Traffic:
- JMS – 4001
- HTTP – 80
- HTTPS – 443
- RDP – 3389
- SOAP – 80 or 443
In the screen capture below, you can see that port 3389 is at the top of the list for this particular host. You can see that the traffic created by the client is only about 10K per second. These tend to be long lived flows. As a result, make sure the active timeout is set for 1 minute (I.e. 60 seconds) on your routers, switches and servers that are exporting flows. Remember, ESX can support NetFlow or IPFIX depending on the version. Both configurations are on our web site.
In the above, http (80 TCP) was being used partially to stream music. The imaps (993 TCP) traffic is caused by the email application.
To observe traffic from remote VDM Clients and VDM Web Access, the only TCP port that must be allowed in the DMZ is the HTTPS port (TCP port 443). VDM Security Servers do not need to be part of an Active Directory domain and in most cases no communication occurs between VDM Security Servers and Active Directory.
If you are thinking about switching employees over from laptops to tablets, be careful. Make sure you properly test all of your business critical applications on the tablet as you may find that some have partial or no support on a tablet (E.g. GoToMeeting). BTW: VMware IPFIX support can give you some insight but, it has issues that may prevent you from solving some problems. If you have any questions about Monitoring VMware Virtual Desktop Infrastructure traffic, give us a holler.