Archive for November 2013

App-V 5 Sequencing

Capture

The Microsoft Application Virtualization (or App-V) Sequencer is a component of the App-V suite used to package your applications to be deployed to systems using the App-V Client. Properly sequencing applications is the key to a successful App-V implementation.  As such, it’s important to follow Microsoft’s recommended practices and be aware of the different options when sequencing.

This post follows on from an earlier post covering App-V 5 features and how to install the App-V 5 Management Server.

Note: I am using App-V 5 RDS on Windows Server 2012. The App-V Sequencer runs on Windows Server 2012 and my App-V Client runs on a Windows Server 2012 Terminal Server for testing.

Sequencer Workstation Configuration

Proper configuration of the sequencing station is imperative to ensure that applications will function properly when streamed to a client.  Microsoft recommends the following configuration when sequencing:

  • Sequence on a machine that matches the operating system and configuration level of the target clients. Microsoft has clarified its support stance since 4.2: sequencing on Windows XP and deploying to Windows Vista is not a supported scenario. If you choose to sequence on one operating system and deploy to another, you do so at your own risk. In addition to the operating system, make sure your sequencer is at the same service pack and hotfix level as your deployed workstations.
  • If Microsoft Office is part of the base image of the client, include it as part of the base image of the sequencer. Many applications install differently if they detect that Microsoft Office is already installed on the machine. Thus, if an application is expected to integrate with Microsoft Office, it is best to sequence on a machine with Office already installed and activated. This assumes that a Microsoft Office suite will be installed locally on all client PCs. Likewise, install any other programs that the application you are sequencing may use, if they are not going to be part of the sequence.
  • Create an ODBC DSN setting as part of the sequencer base image. If no ODBC DSN setting exists on the base sequencer image and the application being packaged creates one, the entire registry key associated with ODBC settings becomes virtualized. This prevents the packaged application from seeing any ODBC DSN settings that exist on the base client machine. If an ODBC entry already exists on the sequencer machine, only the ODBC settings become virtualized, and the ODBC settings on the client are merged with the ODBC settings in the package. The following locations can be checked to determine whether ODBC information was captured:
      • Search for odbc.ini: it will be located in the VFS\%CSIDL_WINDOWS% folder
      • HKLM\Software\ODBC\ODBC.INI\ODBC Data Sources
      • HKCU\%SFT_SID%\Software\ODBC\ODBC.INI
  • Add a dummy printer device as part of the sequencer base image. Printers behave in the same way as ODBC settings, so a dummy printer device must be included in the sequencer PC image. For step-by-step instructions on how to create a dummy printer device, refer to Appendix B.
  • Set up your sequencer machine with multiple partitions. It is recommended that the sequencer machine be configured with at least two primary partitions. The first partition, C:, should have the operating system installed and should be formatted as NTFS. The second partition, Q:, is used as the destination path for the application installation and should also be formatted as NTFS.
  • Temp directory. The sequencer uses %TMP%, %TEMP% and its own Scratch directory for temporary files. These locations should have free disk space equivalent to the estimated installation size. The Scratch directory is where the sequencer temporarily stores files generated during the sequencing process. You can check the location of the Scratch directory by launching the sequencer, clicking Options on the Tools menu, clicking the Paths tab, and noting the Scratch Directory box. Placing the temp directories and the Scratch directory on different hard drive spindles can improve performance during sequencing.
  • Sequence using Virtual PC. Most applications will be sequenced more than once, whether for additional configuration changes or simply to start over and correct a mistake; either way you will be going back to your original configuration several times. A virtual machine lets you sequence an application and then revert to a clean state with a single click, so you can continue sequencing with no downtime. In any case, every new sequence should be started on a clean system.
  • Shut down other programs. Processes and scheduled tasks that normally run on your computer can slow down the sequencing process and cause irrelevant data to be gathered during sequencing. These programs should be shut down before you begin sequencing. Some of these programs include:
      • Windows Defender
      • Antivirus software
      • Disk defragmentation software
      • Windows Search
      • Microsoft Update
      • Any open Windows Explorer session

Note: The sequencer workstation should be fully scanned for viruses and malware, and only then should the anti-virus and anti-malware software be disabled before creating a snapshot image of the sequencer workstation.

Installing and using the App-V 5 Sequencer

I am going to be using a newly built Windows 2012 Virtual Server which has had a base build + updates.

  • First of all, install the App-V Sequencer
  • Click Install

  • Accept the License Agreement

  • Choose whether to join the Customer Experience Improvement Program and click Install

  • Setup should now have completed successfully

  • Hold down the Windows key and press Q to get the screen showing all your applications, then click Microsoft Application Virtualization Sequencer, which opens the window below
  • Click Create a New Virtual Application Package

  • Select Create Package and click Next

  • Next, the Sequencer examines the current operating environment to evaluate running processes or conditions (for example, the Sequencer has not been reverted to a clean state after a previous sequencing operation, or there are pending reboot operations) that might prevent successful sequencing. See the example below

  • It should look like the screen below when everything is OK

  • Choose the type of application. Click Standard Application (default). The options are:
      • Standard Application (default). Select this option when sequencing a single application or suiting multiple applications into the same virtual application package.
      • Add-on or Plug-in. Select this option when sequencing multiple applications in separate virtual application packages and linking them using a Connection Group. This option can also be used when packaging add-ons or plug-ins for locally installed applications such as Internet Explorer.
      • Middleware. Select this option when sequencing multiple applications in separate virtual application packages and linking them using Connection Groups. This option first creates the application package for the middleware component and then creates the second virtual application package that will contain the primary application.
  • Click Next

  • The first option is Select the installer for the application. An "installer" can be any executable file designed to install the desired application. The Sequencer automatically launches the installer when it activates monitoring.
  • Alternatively, Perform a custom installation can be selected. This option causes the sequencing wizard to enter monitoring and then wait for you to launch the installation tasks manually. It is often useful when sequencing applications that do not have an install or setup file, such as applications that are copied from a network share.

  • I am going to use the Adobe Reader 11 installer

  • Select a package name, typically something descriptive of the vendor, software and version. This name is independent of the Primary Virtual Application Directory, but should be noted for saving the package; saving the package in a directory named after the package name is recommended. On the package name screen, also select the Primary Virtual Application Directory.
  • The Primary Virtual Application Directory is the directory that will contain all files for the sequence. It is recommended to define the application's default installation directory (for example C:\Program Files (x86)\directory) as the Primary Virtual Application Directory.
  • Click Next

  • When multiple installers are required to create the package, click Run after the completion of each installer and select the next installation program, or manually launch each installer, until all installers have completed successfully. Once all installations are complete, select the I am finished installing check box and click Next. The installer pops up automatically, or you can manually run your exe to install the software.

  • The application you selected should start automatically

  • Click Finish when the application has finished

  • Put a tick in I am finished installing

  • The following screen will then run

  • Many applications have first-run tasks such as accepting license agreements. At this stage, execute the application(s) at least once by selecting the application and clicking the Run Selected or Run All button (multiple executions are recommended to ensure any second-run tasks are executed). It is also during this execution that any applicable application configuration changes should be made.
  • Note: This screen is also running in monitoring mode. Tasks for programs that are not listed on this page can be handled by launching them outside of the Sequencer using Windows Explorer.
  • Then the following screen, Configure Software, will appear

  • Example License Acceptance from Adobe on first run

  • Click Next
  • Review the Installation Report
  • The Sequencer detects common issues during sequencing. The Installation Report page of the wizard displays diagnostic messages categorized into Errors, Warnings and Info depending on the severity of the issue. Double-click an item in the report to view detailed information about the issue as well as suggestions for resolution. Messages from the system preparation report and the installation report are summarized upon package completion and saved alongside the package in a report.xml file. The issues reported include:
      • Excluded files
      • Drivers
      • COM+ system differences
      • SxS conflicts
      • Shell extensions
      • Files or registry entries that were not captured during monitoring
  • Choose Stop now if the sequence will not benefit from further customization, then select Create.
  • However, there are often other steps remaining under the Customise option, such as:
      • Splitting the package into feature blocks to reduce the streaming requirement and save bandwidth.
      • Selecting additional client operating systems that will be permitted to receive this package.
      • Changing shortcuts and file type associations.
      • Modifying registry settings and adding or deleting files in the package.
  • When additional customization is required, select Customize and then Next to continue the sequencing process and make additional changes prior to the creation of the package.

  • Choose Customise

  • Prepare for Streaming
  • Feature blocks are designed to optimize applications for streaming (where applicable) by creating a minimum launch threshold that allows larger applications to launch as soon as enough of the package has been downloaded, without requiring the entire package. This gives users access to applications more quickly after deployment.
  • Feature blocks also reduce the total network bandwidth used when launching the application for the first time and save hard disk space on the client by leaving less-used data on the server until the user specifically calls for it.
  • Creating feature blocks is recommended unless the virtual application packages are deployed only with the System Center Configuration Manager Download Locally and Run option or via MSI to standalone-mode clients.
  • On the Prepare for Streaming screen, feature blocks are created by running an individual application, a selection of applications, or all applications

  • Select and run each shortcut from the package that users execute in typical day-to-day operations. Then perform the common tasks that typical users carry out within each application during normal operations.
  • During this process, the Sequencer tracks which specific pieces of the package's resources are executed and includes them in the primary feature block. When a user launches the application for the first time, the App-V client streams and caches just the data within the primary feature block over the network and launches the application.
  • Any pieces of the package not included in the primary feature block are placed in the secondary feature block and remain on the server or storage location until specific resources from the secondary feature block are called for by the App-V client. Those pieces are streamed on demand and cached on the client.
  • Clicking Next without launching any shortcuts causes the entire content of the package to be streamed and cached on demand on the App-V client. Typically this is done for very small application packages, where streaming the entire package does not raise any network bandwidth concerns.
  • Normally the client launches the application as soon as the primary feature block has been downloaded, to improve launch time. Selecting the "Force application(s) to be fully downloaded before launching" option forces the client to wait until all blocks of the virtual application package have been downloaded before launching the application. This is useful when clients may be running the package over slow WAN links. Launch your application and then close it again.
  • Launch Adobe, make any modifications, then close it again

  • Now choose which operating systems this package is allowed to run on

  • You can now continue to modify the package or save it. For the purpose of seeing all the options, click to continue

  • You should now have a Package completed screen

  • The next screen, the package editor, is composed of several tabs that enable further configuration changes prior to saving the package. These tabs include options to modify the following settings:
  • Properties
  • Deployment
  • Change History

  • The Virtual Registry tab displays the current virtual registry configuration and allows deleting or renaming existing keys and values, as well as adding new keys and values, in both the HKLM (Machine) and HKUSERS (Users) hives. Where the same registry key exists on the local system as well as in the virtual application package, the virtual key can be configured either to merge with the local configuration or to override it.

  • The Package Files tab displays the current list of files and folders added to the package and allows files to be added or deleted. However, this interface should not be used to add or remove files if the package has already been optimized for streaming by creating feature blocks.

  • The Virtual Services tab displays the current configuration of virtualized application services and allows for changing the Startup Type, Log On and Dependencies configuration of virtualized services.
  • Note: The services tab is read-only.  In order to disable a virtual service, set the service’s properties during monitoring using Services.msc or by utilizing a dynamic configuration file post-sequencing.

  • The Advanced tab provides an option to make named and COM objects in an App-V package visible to the local system, to improve the usability of some application functions. Local system visibility may be useful for tasks such as virtualizing legacy versions of Microsoft Outlook.

  • The Shortcuts and FTAs tab provides the ability to customize the shortcuts and file type associations for the applications identified during monitoring. Applications may have to be added to or removed from this list based on the requirements for the final package. In addition, with web-based applications it is often necessary to add Internet Explorer as an application where the web-based application requires Internet Explorer to be launched as a dependency.
  • Each application can be modified to change the name, icon, file type associations, and shortcut locations on destination computers.

  • When you are finished making customizations, open the File menu and select Save or Save As to save the virtual application package.
  • As a recommended best practice, create a new folder named after the package name and save the package in this folder. Once saved, copy the package folder to your preferred package repository.

  • It should show you the screen below

  • Next you need to open the App-V 5 Web Console and connect to App-V
  • Click Add or Upgrade Packages

  • Type in the share or URL name and click Add. I set up a share called software which contains my Adobe App-V package.
  • You must make sure you have added the App-V Server's computer account, e.g. dacvapp001$, to both the share permissions and the NTFS permissions of the shared folder

  • Now add your package via a UNC or HTTP path
  • I also found that instead of putting my server name, I could put localhost for the server name

  • If the package import is successful, you will see the screen below

  • You will then be back at the main console, which shows your added package

  • Underneath, you can see the following

  • Click AD Access and add the AD groups you want to have access. As you can see, I have just added my Administrators group, as this is a test lab
  • Now right-click your app and select Publish

  • It should now say Published

  • Next… In order to stream the app to a client, we need the App-V 5 Client installed on a VM, so I have another VM where we will install this software as per the instructions below
  • Attach the App-V 5 ISO to your machine and click App-V Client 5 SP1

  • The installer will start and will install any prerequisites, as shown below

  • You are now ready to install the client
  • Follow the Install Wizard
  • You should then see the following screen when complete

  • Next, open PowerShell as an Administrator and type the following commands:
  • Update-Help
  • Set-ExecutionPolicy Unrestricted
  • Import-Module "C:\Program Files\Microsoft Application Virtualization\Client\AppvClient\AppvClient.psd1"
  • Get-Command -Module AppvClient

  • Add-AppVPublishingServer -name dacvapp001.dacmt.local -URL http://dacvapp001.dacmt.local:82
  • Set-AppVPublishingServer -ServerID 1 -GlobalRefreshEnabled 1 -GlobalRefreshOnLogon 1

  • Close PowerShell
  • Restart the Server
  • Open the AppvClient
  • Click Update and wait a few moments

  • Next, click Virtual Apps on this screen to check that your package is there

  • Click Download
  • Lo and behold, if everything is OK you should see the Adobe Reader icon on your desktop
  • Go and have a glass of wine phew! 😉
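
The client-side steps above (register the publishing server, refresh, check the package and download it), scripted as an added example that is not part of the original post. It assumes the lab server name and publishing URL used above, a package name of AdobeReader11 (a placeholder; use whatever name you gave the package when sequencing), and a process-scoped RemoteSigned execution policy in place of the machine-wide Unrestricted setting.

```powershell
# Added example (not from the original post): automates the App-V 5 client
# publishing setup shown above and reports the state of one package.
$publishingUrl = 'http://dacvapp001.dacmt.local:82'   # lab value from the post
$serverName    = 'dacvapp001.dacmt.local'             # lab value from the post
$packageName   = 'AdobeReader11'                      # assumption: your package name

# A process-scoped policy is enough to load the signed AppvClient module and
# does not weaken the machine-wide setting the way Set-ExecutionPolicy Unrestricted does.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Import-Module 'C:\Program Files\Microsoft Application Virtualization\Client\AppvClient\AppvClient.psd1'

# Register the publishing server only if it is not already configured
$server = Get-AppvPublishingServer | Where-Object { $_.URL -eq $publishingUrl }
if (-not $server) {
    $server = Add-AppvPublishingServer -Name $serverName -URL $publishingUrl
}

# Global refresh at logon plus a periodic refresh (interval is a lab value)
Set-AppvPublishingServer -ServerId $server.ServerId `
    -GlobalRefreshEnabled $true -GlobalRefreshOnLogon $true `
    -GlobalRefreshInterval 1 -GlobalRefreshIntervalUnit Hour

# Equivalent of clicking Update in the client UI
Sync-AppvPublishingServer -ServerId $server.ServerId | Out-Null

# Equivalent of Virtual Apps -> Download: fully cache the package locally.
# -All also lists packages that were added but not published, which is the
# usual symptom of a missing AD Access entry on the management server.
$pkg = Get-AppvClientPackage -Name $packageName -All
if (-not $pkg) {
    throw "Package '$packageName' was not delivered by $publishingUrl; check AD Access and the share permissions"
}
$pkg | Mount-AppvClientPackage | Out-Null

# Final state: published flags and how much of the package is cached
Get-AppvClientPackage -Name $packageName |
    Select-Object Name, Version, IsPublishedGlobally, IsPublishedToUser, PercentLoaded
```

If the package shows as added but neither IsPublishedGlobally nor IsPublishedToUser is true, the client has not been granted access in the AD Access tab shown earlier.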

Microsoft App-V v5

What is Microsoft App-V?

Microsoft Application Virtualization is an application virtualization and application streaming solution from Microsoft.

  • Allows applications to be deployed ("streamed") in real time to any client from a virtual application server
  • Removes the need for traditional local installation of applications, although a standalone deployment method is also supported
  • The App-V stack sandboxes the execution environment so that an application does not make changes directly to the underlying operating system's file system and/or registry; changes are instead contained in an application-specific "bubble"
  • App-V applications are also sandboxed from each other, so that different versions of the same application can run under App-V concurrently, and mutually exclusive applications can co-exist on the same system
  • Supports policy-based access control: administrators can define and restrict access to applications for particular users by defining policies governing their usage

App-V Deployment Options

Microsoft offers three deployment options, which differ significantly from an architectural standpoint: a dedicated App-V Management Server, a shared System Center Configuration Manager architecture, and "stand-alone" mode, in which the application may be delivered manually.

Dedicated App-V management server

The App-V system architecture is composed of the following components:

  • Microsoft System Center Virtual Application Server, also called the App-V Application Server, which hosts virtualized application packages and streams them to client computers for local execution. It also authorizes requesting clients and logs their application usage. Applications are converted to virtualized packages using the App-V Sequencer.
  • Microsoft Application Virtualization Client for Windows Desktops (part of MDOP) or Microsoft Application Virtualization Client for Remote Session Hosts (i.e. Terminal Services), generally called the App-V client, is the client-side runtime that requests the application server to stream an application, receives the streamed virtual application package, sets up the runtime environment and executes the application locally.
  • App-V Management Console, the management tool used to set up, administer and manage App-V servers. It can be used to define policies that govern the usage of applications, and to create, manage, update and replicate virtualized application packages.
  • App-V Sequencer, a tool for preparing applications for virtualization.

Shared System Center Configuration Manager

In 2009 Microsoft offered a new way to implement App-V with enhancements to System Center Configuration Manager. System Center Configuration Manager Architecture consists of the following components:

  • System Center Configuration Manager Site Server, serving as the primary repository for holding system images, application packages created using traditional installers, and virtual applications.
  • System Center Configuration Manager Distribution Server, used to cache and distribute the software on a more local level.
  • Microsoft Application Virtualization Client for Windows Desktops (part of MDOP) or Microsoft Application Virtualization Client for Remote Session Hosts (i.e. Terminal Services), previously described.
  • App-V Sequencer, previously described.

“Stand-alone” mode

The App-V clients may also be used in a "stand-alone" mode without either of the server infrastructures previously described. In this case, the sequenced packages are delivered using an external technique, such as an Electronic Software Delivery system or manual deployment.

Architecture Overview

A typical App-V 5.0 implementation consists of the following elements.

General Diagram of App-V Infrastructure

Microsoft Application Virtualization 5 Administrator’s Guide

http://technet.microsoft.com/en-us/library/jj713487.aspx

Recommended Deployment Methods

The following list displays the recommended methods for installing the App-V 5.0 server infrastructure:

  • Install the App-V 5.0 server.
  • Install the database, reporting, and management features on separate computers.
  • Use Electronic Software Distribution (ESD).
  • Install all server features on a single computer.

Installing the App-V 5.0 server

I am going to use my following test servers which are VMware Virtual Machines running on VMware vSphere 5.5.

  • 1 x Windows 2012 Server with SQL 2012, IIS 7.5 (Web Server role), Application Server role and Silverlight pre-installed which will also be my App-V 5 Server
  • 1 x Windows 2008 R2 AD server

IIS Settings

  • Common HTTP Features > Static Content
  • Common HTTP Features > Default Document
  • Application Development > ASP.NET
  • Application Development > .NET Extensibility
  • Application Development > ISAPI Extensions
  • Application Development > ISAPI Filters
  • Security > Windows Authentication
  • Security > Request Filtering
  • Management Tools > IIS Management Console

Run the following 2 commands to register ASP.NET with .NET 4 Framework in IIS

  1. "C:\Windows\Microsoft.Net\Framework\v4.0.30319\aspnet_regiis.exe" -ir
  2. "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\aspnet_regiis.exe" -ir

Instructions

  • Copy the App-V 5.0 server installation files to the computer on which you want to install it. To start the App-V 5.0 server installation, right-click appv_server_setup.exe and run it as an administrator. Click Install.

  • On the Getting Started page, review the license terms. To accept the license terms select I accept the license terms. Click Next.

  • On the Use Microsoft Update to help keep your computer secure and up-to-date page, to enable Microsoft updates, select Use Microsoft Update when I check for updates (recommended). To disable Microsoft updates, select I don't want to use Microsoft Update. Click Next.

  • On the Feature Selection page, select all five of the components

  • On the Installation Location page confirm the location where the selected components will be installed. You should accept the default. To change the location, type a new path on the Installation Location line. Click Next.

  • On the initial Create New Management Database page, configure the Microsoft SQL Server instance and Management Server database.
  • If you are using a custom Microsoft SQL Server instance, select Use the custom instance and type the name of the instance. The format should be INSTANCENAME; the installation will assume it is on the local computer.
  • Specifying the server name using the format ServerName\INSTANCE is not supported.
  • If you are using a custom database name, select Custom configuration and type the database name.
  • Note: The database name provided must be unique. If an existing database name is specified, the installation will fail.

  • On the Configure page, accept the default value: Use this local computer. Click Next.
  • Note: If you are installing the management server and management database side-by-side, options on this page are not available. In this scenario the appropriate options are selected by default and cannot be changed.

  • On the initial Create New Reporting Database page, configure the Microsoft SQL Server instance and Reporting Server database.
  • If you are using a custom Microsoft SQL Server instance, select Use the custom instance and type the name of the instance. The format should be INSTANCENAME; the installation will assume it is on the local computer.
  • Note: Specifying the server name using the format ServerName\INSTANCE is not supported.
  • If you are using a custom database name, select Custom configuration and type the database name.
  • Note: The database name provided must be unique. If an existing database name is specified, the installation will fail.

  • On the Configure page, accept the default value: Use this local computer. Click Next.
  • Note: If you are installing the reporting server and reporting database side-by-side, options on this page are not available. In this scenario the appropriate options are selected by default and cannot be changed.

  • On the Configure (Management Server Configuration) page, type the AD Universal Security group that has sufficient permissions to manage the App-V 5.0 environment.
  • Note: You can add additional users or groups using the management console after installation. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported; Domain Local or Universal groups are required to perform this action.
  • On the Website name line, specify the custom name that will be used to run the management service. If you do not have a custom name, do not make any changes.
  • For the Port binding, specify a unique port number that will be used by App-V 5.0, for example 12345. Ensure that the port specified is not already being used by another website, such as the default IIS website, which uses port 80.

  • On the Configure Publishing Server Configuration page, specify the URL for the management service. This is the address the publishing server connects to, for example http://localhost:12345.
  • Specify the Website Name that you want to use for the Publishing Service. Leave the default unchanged if you do not have a custom name.
  • For the Port binding, specify a unique port number that will be used by App-V 5.0, for example 54321. Ensure that the port specified is not being used by another website.

  • On the Reporting Server page, specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name.
  • For the Port binding, specify a unique port number that will be used by App-V 5.0, for example 55555. Ensure that the port specified is not being used by another website.

  • On the Ready page, to start the installation, click Install.

  • On the Finished page, to close the wizard, click Close.
  • To confirm that setup completed successfully, open a web browser and type the following URL: http://<Management server machine name>:<Management service port number>/Console.html, for example http://localhost:12345/console.html. If the installation succeeded, the App-V 5.0 management console will be displayed without any errors.

  • And then you will see the following web console

The App-V Management Server has a Silverlight-based management site, which enables administrators to configure the App-V infrastructure from any computer. Using this site, administrators can add and remove applications, manipulate shortcuts, assign access permissions to users and groups, and create connection groups. The App-V Management Server is the communication conduit between the App-V Web Management Console and the SQL Server data store.

Also, in a test environment you may want to change the following registry setting on your publishing server. By default the Publishing Server polls the App-V database for published applications every 10 minutes (600 seconds); this is called a publishing refresh. Change the publishing refresh interval to 10 seconds to reduce wait times during publishing. Evaluation of the correct interval for a production environment is outside the scope of this blog.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Server\PublishingService
PUBLISHING_MGT_SERVER_REFRESH_INTERVAL = 600 (default setting, in seconds)
PUBLISHING_MGT_SERVER_REFRESH_INTERVAL = 10 (common value used for a test environment)

Create and Share a Content folder

The content share is the central library of App-V packages. The content store contains the source files of the packages published by the App-V publishing server.

  1. Open Windows Explorer.
  2. Create a folder on the root of the C: drive named Content.

NOTE: In the production environment, the content folder should not be placed on the same drive as the operating system files as it can affect performance of the system. Ensure the use of a different drive in a production environment.

  1. Browse to C:\, right click the Content folder, go to Properties.
  2. Click the Sharing tab, click Advanced Sharing.
  3. Check Share this folder. Click Permissions
  4. Click Add. Click Object Types. Select Computers. Click OK.
  5. In the Enter the object names to select box, enter the name of the App-V management server. Select Full Control and Click OK.
  6. In the Enter the object names to select box, enter the name of the NETWORK SERVICE account. Click OK. Select Full Control and Click OK.
  7. In the Enter the object names to select box, enter the name of the App-V management server and the AppV Administrators group. Select Full Control and Click OK.
  8. Click OK, click OK, click Close.

Configure Windows Firewall to Allow Incoming Connections

  1. Open Control Panel, open Windows Firewall
  2. Click Advanced Settings.
  3. Click Inbound Rules, in the actions pane click New Rule…
  4. Select Port, click Next
  5. Select TCP, in the Specific local ports: field, enter your 3 port numbers, click Next
  6. Click Next, unselect Private and Public, click Next
  7. In the Name field, enter AppV Server Connections, click Finish

Next

The next thing to do is to start installing and using the App-V 5 Sequencer and the Microsoft Application Virtualization Desktop Client and/or the Microsoft Application Virtualization Remote Desktop Services (RDS) Client, which I have covered in another blog. Please see the link below.

http://www.electricmonk.org.uk/2013/11/28/app-v-5-sequencing/

IPv6 Transition Mechanisms


What are IPv6 Transition Mechanisms?

IPv6 transition mechanisms are technologies that facilitate the transitioning of the Internet from its initial (and current) IPv4 infrastructure to the successor addressing and routing system of Internet Protocol Version 6 (IPv6). As IPv4 and IPv6 networks are not directly interoperable, these technologies are designed to allow hosts on either network to participate in networking with the opposing network.

IPv6 is the next generation Internet protocol. Although IPv6 standardization efforts have been ongoing for over a decade, recent attention to IPv6 has increased because of IPv4 address shortages, mobility requirements, and the need for global, secure, seamless, and permanent connectivity. The next generation Internet that uses IPv6 promises to enable a whole new breed of applications.

Types of Nodes

  • IPv4-only node. A node that uses only IPv4 and has only IPv4 addresses assigned.
  • IPv6/IPv4 node. A node that uses both IPv4 and IPv6.
  • IPv6-only node. A node that uses only IPv6 and has only IPv6 addresses assigned.
  • IPv6 node. An IPv6 node can be an IPv6-only node or an IPv6/IPv4 node.
  • IPv4 node. An IPv4 node can be an IPv4-only node or an IPv6/IPv4 node.

The Mechanisms 

  • Dual IP layer (also known as dual stack): A technique for providing complete support for both Internet protocols, IPv4 and IPv6, in hosts and routers.
  • Configured tunnelling of IPv6 over IPv4: A technique for establishing point-to-point tunnels by encapsulating IPv6 packets within IPv4 headers to carry them over IPv4 routing infrastructures.

Dual IP Layer Operation

The most straightforward way for IPv6 nodes to remain compatible with IPv4-only nodes is by providing a complete IPv4 implementation.  IPv6 nodes that provide complete IPv4 and IPv6 implementations are called “IPv6/IPv4 nodes”.  IPv6/IPv4 nodes have the ability to send and receive both IPv4 and IPv6 packets.  They can directly interoperate with IPv4 nodes using IPv4 packets, and also directly interoperate with IPv6 nodes using IPv6 packets.

Even though a node may be equipped to support both protocols, one or the other stack may be disabled for operational reasons.  Here we use a rather loose notion of “stack”.  A stack being enabled has IP addresses assigned, but whether or not any particular application is available on the stacks is explicitly not defined.  Thus, IPv6/IPv4 nodes may be operated in one of three modes:

  • With their IPv4 stack enabled and their IPv6 stack disabled.
  • With their IPv6 stack enabled and their IPv4 stack disabled.
  • With both stacks enabled.

IPv6/IPv4 nodes with their IPv6 stack disabled will operate like IPv4-only nodes.  Similarly, IPv6/IPv4 nodes with their IPv4 stacks disabled will operate like IPv6-only nodes.  IPv6/IPv4 nodes may provide a configuration switch to disable either their IPv4 or IPv6 stack.

Configured Tunnelling Mechanisms

In most deployment scenarios, the IPv6 routing infrastructure will be built up over time.  While the IPv6 infrastructure is being deployed, the existing IPv4 routing infrastructure can remain functional and can be used to carry IPv6 traffic.  Tunnelling provides a way to utilize an existing IPv4 routing infrastructure to carry IPv6 traffic.

IPv6/IPv4 hosts and routers can tunnel IPv6 datagrams over regions of IPv4 routing topology by encapsulating them within IPv4 packets.

Tunnelling can be used in a variety of ways:

  • Router-to-Router. IPv6/IPv4 routers interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans one segment of the end-to-end path that the IPv6 packet takes.
  • Host-to-Router. IPv6/IPv4 hosts can tunnel IPv6 packets to an intermediary IPv6/IPv4 router that is reachable via an IPv4 infrastructure.  This type of tunnel spans the first segment of the packet’s end-to-end path.
  • Host-to-Host. IPv6/IPv4 hosts that are interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans the entire end-to-end path that the packet takes.
  • Router-to-Host. IPv6/IPv4 routers can tunnel IPv6 packets to their final destination IPv6/IPv4 host. This tunnel spans only the last segment of the end-to-end path.

Configured tunnelling can be used in all of the above cases, but it is most likely to be used router-to-router due to the need to explicitly configure the tunnelling endpoints.

The underlying mechanisms for tunnelling are:

  • The entry node of the tunnel (the encapsulator) creates an encapsulating IPv4 header and transmits the encapsulated packet.
  • The exit node of the tunnel (the decapsulator) receives the encapsulated packet, reassembles the packet if needed, removes the IPv4 header, and processes the received IPv6 packet.
  • The encapsulator may need to maintain soft-state information for each tunnel, recording such parameters as the MTU of the tunnel, in order to process IPv6 packets forwarded into the tunnel.

In configured tunnelling, the tunnel endpoint addresses are determined in the encapsulator from configuration information stored for each tunnel.  When an IPv6 packet is transmitted over a tunnel, the destination and source addresses for the encapsulating IPv4 header are set.

The determination of which packets to tunnel is usually made by routing information on the encapsulator. This is usually done via a routing table, which directs packets based on their destination address using the prefix mask and match technique.

The decapsulator matches the received protocol-41 packets to the tunnels it has configured, and allows only the packets in which IPv4 source addresses match the tunnels configured on the decapsulator. Therefore, the operator must ensure that the tunnel’s IPv4 address configuration is the same both at the encapsulator and the decapsulator.
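The encapsulator/decapsulator behaviour described above, as an added example that is not part of the original post: the encapsulator takes both outer IPv4 addresses from the per-tunnel configuration, and the decapsulator only accepts protocol-41 packets whose outer source and destination match a configured tunnel, dropping everything else. The tunnel endpoints (192.0.2.1, 198.51.100.1) and the inner IPv6 addresses are constructed documentation-range values; the IPv4 header checksum is left at zero because the point is the address check, not checksumming.

```python
"""Minimal model of a configured IPv6-over-IPv4 tunnel (IPv4 protocol 41).

Added example; the tunnel table, addresses and packets are constructed for
illustration and are not taken from the post.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 Protocol field value for an encapsulated IPv6 packet


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = IPPROTO_IPV6) -> bytes:
    """Build a 20-byte IPv4 header with no options (checksum left at zero for simplicity)."""
    ver_ihl = (4 << 4) | 5          # version 4, IHL 5 words = 20 bytes
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_packet(src: str, dst: str, payload: bytes = b"", next_header: int = 59) -> bytes:
    """Build a 40-byte IPv6 header (next header 59 = No Next Header) followed by the payload."""
    ver_tc_fl = 6 << 28             # version 6, traffic class 0, flow label 0
    hdr = struct.pack("!IHBB16s16s", ver_tc_fl, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


class ConfiguredTunnel:
    """One configured tunnel: both endpoint IPv4 addresses are static configuration."""

    def __init__(self, local_v4: str, remote_v4: str, mtu: int = 1480):
        self.local_v4 = local_v4
        self.remote_v4 = remote_v4
        self.mtu = mtu              # per-tunnel soft state kept by the encapsulator


def encapsulate(tunnel: ConfiguredTunnel, ipv6_pkt: bytes) -> bytes:
    """Encapsulator: prepend an IPv4 header whose addresses come from the tunnel configuration."""
    if len(ipv6_pkt) > tunnel.mtu:
        raise ValueError("packet exceeds tunnel MTU; fragment or signal Packet Too Big")
    return ipv4_header(tunnel.local_v4, tunnel.remote_v4, len(ipv6_pkt)) + ipv6_pkt


def decapsulate(tunnels, ipv4_pkt: bytes):
    """Decapsulator: accept protocol-41 packets only from configured tunnel peers.

    Returns the inner IPv6 packet, or None when the packet must be dropped.
    """
    if len(ipv4_pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ipv4_pkt[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_IPV6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    src_v4 = str(ipaddress.IPv4Address(src))
    dst_v4 = str(ipaddress.IPv4Address(dst))
    # The check the text describes: the outer IPv4 source must be the configured peer
    # of a tunnel that terminates on this node's configured local address.
    for t in tunnels:
        if t.remote_v4 == src_v4 and t.local_v4 == dst_v4:
            inner = ipv4_pkt[ihl:total_len]
            if len(inner) >= 40 and inner[0] >> 4 == 6:
                return inner
            return None
    return None   # protocol-41 packet from an unconfigured source: dropped


if __name__ == "__main__":
    side_a = ConfiguredTunnel("192.0.2.1", "198.51.100.1")
    side_b = [ConfiguredTunnel("198.51.100.1", "192.0.2.1")]
    inner = ipv6_packet("2001:db8:a::1", "2001:db8:b::1", b"hello")
    print("accepted" if decapsulate(side_b, encapsulate(side_a, inner)) == inner else "dropped")
    forged = ipv4_header("203.0.113.9", "198.51.100.1", len(inner)) + inner
    print("accepted" if decapsulate(side_b, forged) else "dropped")
```

The two `print` calls in the `__main__` block show the legitimate packet being accepted and a packet with an unconfigured outer source being dropped; the same mismatch is what happens when the two ends of a tunnel are configured with different IPv4 addresses, which is why the text insists both sides agree.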

Other Mechanisms

  • Teredo
  • 6to4
  • ISATAP

Teredo

teredomechanisms

Teredo is specified to be an IPv6 provider of last resort, not to be used when a native IPv6 connection or ISATAP/6to4 is available. It is also meant to be a temporary solution, with its retirement intended to be automatic due to disuse. (The availability of Teredo will to some extent slow down the deployment of other IPv6 methods, because it reduces the incentive for ISPs to provide native IPv6 connectivity and for users to upgrade their NAT and other perimeter devices.) While the use of Teredo will eventually diminish, Teredo services will certainly be available on the Internet for longer than actual use would necessitate.

Teredo, also known as IPv4 network address translator (NAT) traversal (NAT-T) for IPv6, provides address assignment and host-to-host automatic tunnelling for unicast IPv6 connectivity across the IPv4 Internet, even when the IPv6/IPv4 hosts are located behind one or multiple IPv4 NATs. To traverse IPv4 NATs, IPv6 packets are sent as IPv4-based User Datagram Protocol (UDP) messages.

6to4 provides a similar function as Teredo; however, 6to4 router support is required in the edge device that is connected to the Internet. 6to4 router functionality is not widely supported by IPv4 NATs. Even if the NAT were 6to4-enabled, 6to4 would still not work for configurations in which there are multiple NATs between a site and the IPv4 Internet.

Teredo resolves the issues of the lack of 6to4 functionality in modern-day NATs or multi-layered NAT configurations by tunnelling IPv6 packets between the hosts within the sites. In contrast, 6to4 uses tunnelling from the edge device. Tunnelling from the hosts presents another issue for NATs: IPv4-encapsulated IPv6 packets are sent with the Protocol field in the IPv4 header set to 41. Most NATs only translate TCP or UDP traffic and must either be manually configured to translate other protocols or have an installed NAT editor that handles the translation. Because Protocol 41 translation is not a common feature of NATs, IPv4-encapsulated IPv6 traffic will not flow through typical NATs. Therefore, the IPv6 packet is encapsulated as an IPv4 UDP message, containing both IPv4 and UDP headers. UDP messages can be translated by most NATs and can traverse multiple layers of NATs.

The Teredo infrastructure consists of the following components:

Teredo Clients

A Teredo client is an IPv6/IPv4 node that supports a Teredo tunnelling interface through which packets are tunneled to other Teredo clients or nodes on the IPv6 Internet (via a Teredo relay). A Teredo client communicates with a Teredo server to obtain an address prefix from which a Teredo-based IPv6 address is configured or used to facilitate communication with other Teredo clients or hosts on the IPv6 Internet.

Windows XP with Service Pack 1 (SP1) with the Advanced Networking Pack, Windows XP with Service Pack 2 (SP2), Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Vista, and Windows Server 2008 all include the Teredo client.

Teredo Servers

A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6 Internet, and supports a Teredo tunneling interface over which packets are received. The general role of the Teredo server is to assist in the address configuration of Teredo clients and to facilitate the initial communication between Teredo clients and other Teredo clients or between Teredo clients and IPv6-only hosts. The Teredo server listens on UDP port 3544 for Teredo traffic.

Unlike the client, the Teredo server is not included with Microsoft operating platforms. To facilitate communication between Windows-based Teredo client computers, Microsoft has deployed Teredo servers on the IPv4 Internet.

Teredo Relays

A Teredo relay is an IPv6/IPv4 router that can forward packets between Teredo clients on the IPv4 Internet (using a Teredo tunnelling interface) and IPv6-only hosts. In some cases, the Teredo relay interacts with a Teredo server to facilitate initial communication between Teredo clients and IPv6-only hosts. The Teredo relay listens on UDP port 3544 for Teredo traffic.

Like the Teredo server, Microsoft operating platforms do not include Teredo relay functionality. Microsoft does not currently plan to deploy Teredo relays on the IPv4 Internet. Teredo relays are not required to communicate with Teredo host-specific relays.


Teredo Host-Specific Relays

Communication between Teredo clients and IPv6 hosts that are configured with a global address must go through a Teredo relay. This is required for IPv6-only hosts connected to the IPv6 Internet. However, when the IPv6 host is IPv6 and IPv4-capable and connected to both the IPv4 Internet and IPv6 Internet, then communication should occur between the Teredo client and the IPv6 host over the IPv4 Internet, rather than having to traverse the IPv6 Internet and go through a Teredo relay.

A Teredo host-specific relay is an IPv6/IPv4 node that has an interface and connectivity to both the IPv4 Internet and the IPv6 Internet and can communicate directly with Teredo clients over the IPv4 Internet, without the need for an intermediate Teredo relay. The connectivity to the IPv4 Internet can be through a public IPv4 address or through a private IPv4 address and a neighboring NAT. The connectivity to the IPv6 Internet can be through a direct connection to the IPv6 Internet or through an IPv6 transition technology such as 6to4, where IPv6 packets are tunneled across the IPv4 Internet. The Teredo host-specific relay listens on UDP port 3544 for Teredo traffic.

Windows XP with SP1 with the Advanced Networking Pack, Windows XP with SP2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Vista, and Windows Server 2008 include Teredo host-specific relay functionality, which is automatically enabled if the computer has a global address assigned. A global address is assigned in a received Router Advertisement message from a native IPv6 router, an ISATAP router, or a 6to4 router. If the computer does not have a global address, Teredo client functionality is enabled.

The Teredo host-specific relay allows Teredo clients to efficiently communicate with 6to4 hosts, IPv6 hosts with a non-6to4 global prefix, or ISATAP or 6over4 hosts within organizations that use a global prefix for their addresses, provided both hosts are using a version of Windows that supports Teredo.
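The Teredo address a client configures from its server's prefix (described under Teredo Clients above) can be decoded to reveal the server, the client's NAT-mapped IPv4 address and its external UDP port. The following is an added example, not code from the post, and it goes beyond the text by using the Teredo address layout from RFC 4380 (2001::/32, then the server IPv4 address, a flags field, the client's UDP port XORed with 0xFFFF, and the client's IPv4 address XORed with 0xFFFFFFFF). Being able to decode these addresses is useful on the defender side, since a 2001::/32 source in a log identifies a host tunnelling IPv6 through the perimeter over UDP. The server and client addresses in the sample are constructed documentation-range values.

```python
"""Decode and encode Teredo (2001::/32) addresses per the RFC 4380 layout.

Added example, not from the original post; sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
TEREDO_UDP_PORT = 3544   # port Teredo servers and relays listen on (from the text)


@dataclass
class TeredoAddress:
    server_v4: ipaddress.IPv4Address   # Teredo server that handed out the prefix
    cone_nat: bool                     # flags bit 0x8000: client thinks it is behind a cone NAT
    client_port: int                   # client's external UDP port as seen by the server
    client_v4: ipaddress.IPv4Address   # client's external (NAT-mapped) IPv4 address


def is_teredo(ipv6) -> bool:
    """True when the address lies inside the Teredo prefix 2001::/32."""
    return ipaddress.IPv6Address(ipv6) in TEREDO_PREFIX


def decode_teredo(ipv6) -> TeredoAddress:
    """Split a Teredo address into server, flags, port and client.

    Layout (most to least significant): 32-bit prefix 2001:0000, 32-bit server IPv4,
    16-bit flags, 16-bit obfuscated port, 32-bit obfuscated client IPv4.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in TEREDO_PREFIX:
        raise ValueError(f"{v6} is not a Teredo address")
    n = int(v6)
    server = (n >> 64) & 0xFFFFFFFF
    flags = (n >> 48) & 0xFFFF
    port = ((n >> 32) & 0xFFFF) ^ 0xFFFF          # port is stored inverted
    client = (n & 0xFFFFFFFF) ^ 0xFFFFFFFF        # client IPv4 is stored inverted
    return TeredoAddress(ipaddress.IPv4Address(server), bool(flags & 0x8000),
                         port, ipaddress.IPv4Address(client))


def encode_teredo(server_v4, client_v4, client_port: int, cone_nat: bool = False) -> ipaddress.IPv6Address:
    """Inverse of decode_teredo; handy for building fixtures when testing log parsers."""
    if not 0 <= client_port <= 0xFFFF:
        raise ValueError("client_port must be a 16-bit value")
    n = 0x20010000 << 96
    n |= int(ipaddress.IPv4Address(server_v4)) << 64
    n |= (0x8000 if cone_nat else 0) << 48
    n |= (client_port ^ 0xFFFF) << 32
    n |= int(ipaddress.IPv4Address(client_v4)) ^ 0xFFFFFFFF
    return ipaddress.IPv6Address(n)


if __name__ == "__main__":
    # Constructed sample: server 192.0.2.1, client behind a cone NAT mapped to 198.51.100.7:3544
    addr = encode_teredo("192.0.2.1", "198.51.100.7", TEREDO_UDP_PORT, cone_nat=True)
    print(addr, decode_teredo(addr))
```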

6to4

6to4mechanisms

6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.

6to4 is especially relevant during the initial phases of deployment to full, native IPv6 connectivity, since IPv6 is not required on nodes between the host and the destination. However, it is intended only as a transition mechanism and is not meant to be used permanently.

6to4 may be used by an individual host, or by a local IPv6 network. When used by a host, it must have a global IPv4 address connected, and the host is responsible for encapsulation of outgoing IPv6 packets and decapsulation of incoming 6to4 packets. If the host is configured to forward packets for other clients, often a local network, it is then a router.

Most IPv6 networks use autoconfiguration, which requires the last 64 bits for the host. The first 64 bits are the IPv6 prefix. The first 16 bits of the prefix are always 2002:, the next 32 bits are the IPv4 address, and the last 16 bits of the prefix are available for addressing multiple IPv6 subnets behind the same 6to4 router. Since the IPv6 hosts using autoconfiguration have already determined the unique 64-bit host portion of their address, they must simply wait for a Router Advertisement indicating the first 64 bits of prefix to have a complete IPv6 address. A 6to4 router will know to send an encapsulated packet directly over IPv4 if the first 16 bits are 2002, using the next 32 as the destination, or otherwise send the packet to a well-known relay server, which has access to native IPv6.

6to4 does not facilitate interoperation between IPv4-only hosts and IPv6-only hosts. 6to4 is simply a transparent mechanism used as a transport layer between IPv6 nodes.

6to4 performs three functions:

  • Assigns a block of IPv6 address space to any host or network that has a global IPv4 address.
  • Encapsulates IPv6 packets inside IPv4 packets for transmission over an IPv4 network using 6in4.
  • Routes traffic between 6to4 and “native” IPv6 networks.

Address block allocation

For any 32-bit global IPv4 address that is assigned to a host, a 48-bit 6to4 IPv6 prefix can be constructed for use by that host (and if applicable the network behind it) by appending the IPv4 address to 2002::/16.

For example, the global IPv4 address 192.0.2.4 has the corresponding 6to4 prefix 2002:c000:0204::/48. This gives a prefix length of 48 bits, which leaves room for a 16-bit subnet field and 64-bit host addresses within the subnets.

Any IPv6 address that begins with the 2002::/16 prefix (in other words, any address with the first two octets of 2002 hexadecimal) is known as a 6to4 address, as opposed to a native IPv6 address which does not use transition technologies.

Encapsulation and transmission

6to4 embeds an IPv6 packet in the payload portion of an IPv4 packet with protocol type 41. To send an IPv6 packet over an IPv4 network to a 6to4 destination address, an IPv4 header with protocol type 41 is prepended to the IPv6 packet. The IPv4 destination address for the prepended packet header is derived from the IPv6 destination address of the inner packet (which is in the format of a 6to4 address), by extracting the 32 bits immediately following the IPv6 destination address’ 2002::/16 prefix. The IPv4 source address in the prepended packet header is the IPv4 address of the host or router which is sending the packet over IPv4. The resulting IPv4 packet is then routed to its IPv4 destination address just like any other IPv4 packet.
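The address block allocation and the outer-destination derivation from the two sections above, as an added example that is not part of the original post. It builds the /48 prefix from an IPv4 address, extracts the embedded IPv4 address from any 2002::/16 destination (the step the encapsulator performs), and, going slightly beyond the text, applies the router decision rule from earlier in the post: a 2002::/16 destination is sent straight to the embedded address, anything else goes to a relay. 192.0.2.4 and the 192.88.99.1 relay anycast address are the post's own examples; the subnet and interface-ID values are constructed. Note that 192.0.2.0/24 is a documentation range, so a real deployment needs a genuinely global IPv4 address where the text says so.

```python
"""6to4 address arithmetic: 2002:WWXX:YYZZ::/48 from IPv4 W.X.Y.Z and back.

Added example, not from the original post. The 192.0.2.x addresses are the
documentation range used in the text, not real deployments.
"""
import ipaddress

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST_V4 = ipaddress.IPv4Address("192.88.99.1")   # well-known 6to4 relay anycast address


def sixto4_prefix(ipv4) -> ipaddress.IPv6Network:
    """Return the /48 6to4 prefix for an IPv4 address by placing it right after 2002::/16."""
    v4 = ipaddress.IPv4Address(ipv4)
    # 6to4 requires a global IPv4 address; that is a deployment check, not enforced here
    # because the text's example (192.0.2.4) comes from a documentation range.
    prefix_int = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def sixto4_address(ipv4, subnet: int = 0, interface_id: int = 0) -> ipaddress.IPv6Address:
    """Build a full 6to4 address: /48 prefix + 16-bit subnet field + 64-bit interface ID."""
    net = sixto4_prefix(ipv4)
    if not 0 <= subnet < 2 ** 16 or not 0 <= interface_id < 2 ** 64:
        raise ValueError("subnet must fit in 16 bits and interface_id in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | (subnet << 64) | interface_id)


def embedded_ipv4(ipv6) -> ipaddress.IPv4Address:
    """Extract the 32 bits that follow the 2002::/16 prefix; this is the encapsulator's outer IPv4 destination."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4_PREFIX:
        raise ValueError(f"{v6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def outer_ipv4_destination(ipv6_dst, relay_v4=RELAY_ANYCAST_V4) -> ipaddress.IPv4Address:
    """Where a 6to4 router sends the protocol-41 packet for a given inner IPv6 destination.

    2002::/16 destinations go directly to the IPv4 address they embed; any other
    destination goes to a relay router (the anycast address unless one is configured).
    """
    v6 = ipaddress.IPv6Address(ipv6_dst)
    if v6 in SIXTO4_PREFIX:
        return embedded_ipv4(v6)
    return ipaddress.IPv4Address(relay_v4)


if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.4"))                       # 2002:c000:204::/48
    print(sixto4_address("192.88.99.1"))                    # 2002:c058:6301:: (relay, from the text)
    print(outer_ipv4_destination("2002:c000:204:1::10"))    # 192.0.2.4
    print(outer_ipv4_destination("2001:db8::1"))            # 192.88.99.1 (relay)
```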

Routing between 6to4 and native IPv6

6to4

The figure depicts two isolated 6to4 networks, Site A and Site B. Each site has configured a router with an external connection to an IPv4 network. In the figure, a 6to4 tunnel across the IPv4 network connects the 6to4 sites.

Before an IPv6 site can become a 6to4 site, you must configure at least one router interface for 6to4 support. This interface must provide the external connection to the IPv4 network. In the previous figure, boundary Router A’s interface qfe0 connects Site A to the IPv4 network. The IPv4 address that you configure on qfe0 must be globally unique, and qfe0 must already be configured with that IPv4 address before you can configure it as a 6to4 pseudo-interface.

In the figure, 6to4 Site A is composed of two subnets, which are connected to interfaces hme0 and hme1 on Router A. All IPv6 hosts on either subnet of Site A automatically reconfigure with 6to4-derived addresses on receipt of the advertisement from Router A.

Site B is the opposite endpoint of the tunnel from Site A. To correctly receive traffic from Site A, a boundary router on Site B must be configured for 6to4 support. Otherwise, packets that the router receives from Site A are not recognized and are dropped.

To allow hosts and networks using 6to4 addresses to exchange traffic with hosts using “native” IPv6 addresses, “relay routers” have been established. A relay router connects to an IPv4 network and an IPv6 network. 6to4 packets arriving on an IPv4 interface will have their IPv6 payloads routed to the IPv6 network, while packets arriving on the IPv6 interface with a destination address prefix of 2002::/16 will be encapsulated and forwarded over the IPv4 network.

There is a difference between a “relay router” and a “border router” (also known as a “6to4 border router”). A 6to4 border router is an IPv6 router supporting a 6to4 pseudo-interface. It is normally the border router between an IPv6 site and a wide-area IPv4 network, where the IPv6 site uses a 2002::/16 prefix derived from the IPv4 address of the border router’s external interface. On the other hand, a “relay router” is a 6to4 router configured to support transit routing between 6to4 addresses and pure native IPv6 addresses.

To allow a 6to4 host to communicate with the native IPv6 Internet, it must have its IPv6 default gateway set to a 6to4 address which contains the IPv4 address of a 6to4 relay router. To avoid the need for users to set this up manually, the anycast address of 192.88.99.1 has been allocated for the purpose of sending packets to a 6to4 relay router. Note that when wrapped in 6to4 with the subnet and hosts fields set to zero this IPv4 address (192.88.99.1) becomes the IPv6 address 2002:c058:6301::. To ensure BGP routing propagation, a short prefix of 192.88.99.0/24 has been allocated for routes pointed at 6to4 relay routers that use this anycast IP address. Providers willing to provide 6to4 service to their clients or peers should advertise the anycast prefix like any other IP prefix, and route the prefix to their 6to4 relay.

Packets from the IPv6 Internet to 6to4 systems must be sent to a 6to4 relay router by normal IPv6 routing methods. The specification states that such relay routers must only advertise 2002::/16 and not subdivisions of it to prevent IPv4 routes polluting the routing tables of IPv6 routers. From here they can then be sent over the IPv4 Internet to the destination.

For a 6to4 host to have fast and reliable connectivity with a host natively using the IPv6 Internet, both the 6to4 host and the native IPv6 host must have a route to a fast, reliable and correctly configured relay server. The 6to4 host’s ISP can ensure that outgoing packets go to such a relay, but they have no control over the relay used for the responses from the native IPv6 host. A variant called IPv6 rapid deployment (“6rd”) uses the same basic principles as 6to4 but uses a relay operated by the 6rd user’s ISP for traffic in both directions. To achieve this an address block allocated by the user’s ISP is used instead of 2002::/16.

ISATAP

isatap

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network. ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbour Discovery on top of IPv4.

Its impact on your IPv4 support infrastructure is reduced to the configuration of one ISATAP router. With ISATAP, IPv4-dependent applications continue to utilize IPv4 while newer IPv6-capable applications can be deployed immediately. Both types of traffic will share a single common IPv4 infrastructure. ISATAP-based connectivity can immediately be used to deliver IPv6 services while the IPv4-only infrastructure is gradually migrated to integrate native IPv6 capabilities.

Link-local address generation

Any host wishing to participate in ISATAP over a given IPv4 network can set up a virtual IPv6 network interface. The link-local address is determined by prepending fe80::0200:5efe:… for globally unique addresses, or fe80::0000:5efe:… for private addresses, in front of the 32 bits of the host’s IPv4 address.

For example, the global IPv4 address 192.0.2.143 would use fe80::0200:5efe:192.0.2.143 as its link-local IPv6 address. The shortened notation would be fe80::200:5efe:c000:028f (where c0 00 02 8f is 192.0.2.143 in hexadecimal notation).
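The link-local address generation just described, as an added example that is not part of the original post. It forms the 64-bit ISATAP interface identifier (0200:5efe for a globally unique IPv4 address, 0000:5efe for a private one) and prepends fe80::/64; it also does the reverse, recovering the embedded IPv4 address from any address carrying an ISATAP interface identifier, which is how an ISATAP address in a log can be tied back to an IPv4 host. Whether the IPv4 address counts as globally unique is passed in by the caller, because the text's example 192.0.2.143 sits in a documentation range that address libraries classify as non-global; 192.0.2.143 is the post's own example, the other values are constructed.

```python
"""ISATAP interface identifiers and link-local addresses.

Added example, not from the original post; 192.0.2.143 is the text's example
address, the other sample values are constructed.
"""
import ipaddress

ISATAP_IID_GLOBAL = 0x02005EFE    # upper 32 bits of the IID when the IPv4 address is globally unique
ISATAP_IID_PRIVATE = 0x00005EFE   # upper 32 bits when the IPv4 address is private
LINK_LOCAL_PREFIX = 0xFE80 << 112


def isatap_interface_id(ipv4, is_global: bool = True) -> int:
    """64-bit interface identifier: 0200:5efe (or 0000:5efe) followed by the IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    top = ISATAP_IID_GLOBAL if is_global else ISATAP_IID_PRIVATE
    return (top << 32) | int(v4)


def isatap_link_local(ipv4, is_global: bool = True) -> ipaddress.IPv6Address:
    """fe80::/64 plus the ISATAP interface identifier derived from the IPv4 address."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | isatap_interface_id(ipv4, is_global))


def isatap_global_address(prefix, ipv4, is_global: bool = True) -> ipaddress.IPv6Address:
    """The same IID under a /64 advertised by the ISATAP router (constructed prefix in the demo)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses use a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(ipv4, is_global))


def isatap_embedded_ipv4(ipv6):
    """Return the IPv4 address embedded in an ISATAP interface identifier, or None if it is not one."""
    n = int(ipaddress.IPv6Address(ipv6))
    iid = n & ((1 << 64) - 1)
    if (iid >> 32) not in (ISATAP_IID_GLOBAL, ISATAP_IID_PRIVATE):
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


if __name__ == "__main__":
    print(isatap_link_local("192.0.2.143"))                   # fe80::200:5efe:c000:28f
    print(isatap_link_local("10.1.2.3", is_global=False))     # fe80::5efe:a01:203
    print(isatap_global_address("2001:db8:1::/64", "192.0.2.143"))
    print(isatap_embedded_ipv4("2001:db8:1::200:5efe:c000:28f"))   # 192.0.2.143
```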

The benefits of ISATAP are the following:

  1. An existing IPv4 infrastructure can provide unicast IPv6 connectivity immediately with the only requirement being the configuration of an ISATAP router. Native IPv6 capabilities can be enabled slowly over time during natural refresh cycles.
  2. Native IPv6 connectivity can be enabled first in the backbone, while allowing other parts of the IPv4 infrastructure to preserve their investment and naturally evolve to support native IPv6. ISATAP islands can be created to allow gradual evolution to native IPv6 capabilities within different parts of an organization without blocking end-to-end IPv6 service deployments.
  3. End-to-end IPv6 services can be enabled and maintained using ISATAP while allowing access to native IPv6 infrastructure, such as a native IPv6 backbone or the IPv6 Internet.

Useful Links

http://technet.microsoft.com/en-us/library/bb962076.aspx#ID0ETGAC

Microsoft Document showing much greater detail on Teredo, 6to4 and ISATAP

IPv6Trans.doc