Symantec SWV Symantec Workspace Virtualization What is it

  • Slides: 25
Symantec SWV

• Symantec Workspace Virtualization
• What is it? How does it work?
• Benefits of Virtualization
• SWV Implementation
• Use Cases
• Planning for Implementation
• Installing the Agent
• Creating Virtual Software Layers
• Preventing Data Loss
• Layer Definition Tool
• SWV Management
• Managing with Altiris NS and DS
• Patching VLA’s
• Troubleshooting SWV

Symantec Streaming Server

• SWV Streaming Server
• What is it? How does it work?
• Planning: Multi-Node Installation or Single Node?
• External Repository Servers
• Active Directory Integration and Groups / Permissions
• “Set as Default” Application Upgrades
• Online / Offline if Laptop
• License Management
• Reporting

Symantec Workspace Virtualization
What is it? How does it work?

Symantec Workspace Virtualization (SWV) is a revolutionary approach to software management. By placing applications and data into managed units, called Virtual Software Layers, Workspace Virtualization lets you instantly activate, deactivate, or reset applications. You can also completely avoid conflicts between applications without altering the base Windows installation.

Rather than isolating applications to gain control, Symantec's application virtualization technologies seamlessly integrate virtualized applications to preserve the user experience. Virtualized applications act like normal applications, ensuring normal behavior and full functionality.

In addition to preserving the user experience, Workspace Virtualization lets you:
• Instantly repair damaged applications by resetting them to a known state.
• Run two versions of the same program side by side.
• Add and remove software with zero impact on the underlying operating system.
• Turn applications on and off instantly.

Symantec Workspace Virtualization
Use Cases

Use the following guidelines to determine what you can and should not virtualize.

What you can virtualize:
Most applications can be virtualized. Typical applications include office suites, databases, Internet browsers, media, and spyware utilities. Applications function normally when virtualized by the Workspace Virtualization Agent. You can also create virtualized data layers.

What you should not virtualize:
• Windows operating system components
• Windows operating system patches
• Most drivers
• Applications that have dedicated drivers
• All management agents including antivirus software, security scanners, encryption agents, or any Symantec Management Platform Agent
• Data files that you plan to encrypt
• Utilities that are designed to run only in safe mode

Symantec Workspace Virtualization
Planning for Implementation

Steps to ensure a positive POC implementation:
• Determine a pool of 25-50 non-critical machines to use for testing
  o Training room machines would be ideal, or perhaps spare machines
• Determine what applications would be most beneficial to virtualize
  o Applications that are in need of upgrading, e.g. Office 2007 > 2010
  o Applications that are incompatible with Windows 7 (helps remediate migration issues)
  o Internet Explorer 6 (for > 6.0 incompatible web applications)
• Ensure proper testing procedures are in place to verify functionality
  o Provide heavy users of specific Virtual Apps with a means of access to the test machines
  o Make sure the image used in testing is the exact image in current Production
  o Install specific applications to mirror Production machines
• Be sure to test upgrading or patching the Virtual Application
  o You can add a Virtual App such as Java to your POC, using an older version, to understand how the process works and whether it will improve on the remedies currently in place

Symantec Workspace Virtualization
Installing the Agent

Supported Platforms:
• 32 Bit
  o Windows XP Pro SP2 or SP3
  o Windows Vista SP1 or SP2
  o Windows 7 and Windows 7 SP1
  o Windows Server 2003 SP1 or 2003 R2 when used as an endpoint
  o Windows Server 2008 when used as an endpoint
• 64 Bit
  o Windows Vista SP1 or SP2
  o Windows 7 and Windows 7 SP1
  o Windows Server 2008 and R2 when used as an endpoint

You can download the Workspace Virtualization Agent setup files at the following link: http://www.symantec.com/endpoint-virtualization-suite

Symantec Workspace Virtualization
Installing the Agent

To install the Agent on a base computer:
1. Run the x32 or x64 bit version of Symantec_Workspace_Virtualization.exe. (The version you select must match the endpoint architecture.)
2. Enter the product key, and then click Next.
3. On the “Select Features” page, select any optional components you want to install:
  • Symantec Workspace Virtualization Admin Tool
    This installs the SWV Admin tool. This tool creates, edits, and manages virtual layers on the endpoint.
  • Symantec Workspace Virtualization SDK
    This option installs documentation and samples for the SDK. It should be installed if you write applications that use the SDK. (It does not need to be installed to run applications that are written with the SDK.)
  • Altiris Notification Server Support
    This option installs support for managing Workspace Virtualization on endpoints in a Notification Server environment.
4. Complete the setup wizard.
5. Restart the computer after the installation completes.

Symantec Workspace Virtualization
Installing the Agent Silently

You can run the Workspace Virtualization installation program from a command line, or from Altiris NS or DS, to perform a silent installation. For example:

    Symantec_Workspace_Virtualization.exe SWV.PRODUCT_KEY=<product-key> SWV.ADDLOCAL=SVS_Admin,SDK,Altiris_NS

(Useful) Options:

    SWV.REBOOT=ReallySuppress

This suppresses the restart prompts. Without this switch, the installer automatically restarts the computer. Do not attempt to use Workspace Virtualization or to import or activate any layers until the computer is restarted.

    SWV.ADDLOCAL=<value 1>,<value 2> REMOVE=<value 1>,<value 2>

This option adds or removes a component (SVS_Admin, SDK, Altiris_NS) on the endpoint machine.

Symantec Workspace Virtualization
Creating Virtual Software Layers

Types of Virtual Software Layers:
• Application Layers
  o An application layer is created by capturing the installation of an application. It contains all the installed files and registry settings of the application. An application layer can contain one or more applications.
• Data Layers
  o A data layer captures and stores data files that an application creates. A data layer is one way to prevent the loss of application data when an application layer is reset.
• Empty Layers
  o An empty layer lets you manually add an application or capture an application. Empty layers let advanced users create custom layers.

Symantec Workspace Virtualization
Creating Virtual Software Layers

Before you create layers, you should be familiar with the following:
• What you can and should not virtualize.
• The types of virtual software layers.
• How to set up the base computer (“Clean Machine”) that you use to create layers.

Methods for capturing Virtual Software Layers:
• Wise Virtual Composer
  o Wise Virtual Composer provides an advanced UI for capturing applications. It is similar, though not identical, to the original Wise Composer Suite.
• SWV Admin Tool “Single Program Capture”
  o When you use this method, only changes that are made during the installation of a specified application are captured. Any other activity on the computer is ignored. This method captures all the files, registry settings, and processes of an application. The capture includes child processes and process-induced changes. It also captures Microsoft Installer (MSI) and Service Control Manager changes. You can use this method to capture either a single installation or multiple installations into a layer. You can also use this method to capture post-installation configurations.
• SWV Admin Tool “Global Capture”
  o This method captures all changes that are made to a computer during the capture process. Because it captures all changes, it also captures all background activity on the system. Use this method only when you can’t use the single program capture.

Symantec Workspace Virtualization
Preventing Data Loss

When an application layer creates or modifies files, they are stored in the writeable sub-layer. If the layer is then reset, the files in the writeable sub-layer are deleted. This behavior lets you reset an application to the default state if settings become corrupted. However, many applications create data files that you do not want to lose when a layer is reset. These files need to be stored on the base file system and not in the layer to prevent potential loss.

For example, you create and activate a Microsoft Word layer. You do not create any layer exclude entries, global exclude entries, or data layers to redirect .doc files from the layer’s writeable sub-layer. You then activate the Microsoft Word layer and use it to create .doc files that you save on the computer’s hard drive. If you then reset the Word layer, all of the .doc files you created are lost.

To prevent the loss of application data when a layer is reset, you must ensure that the data is not stored in the application layer. The Workspace Virtualization Agent provides the following methods that you can use to prevent the loss of application data. (On the next slide)

Symantec Workspace Virtualization
Preventing Data Loss

• Data Layers
  o You can create a data layer that captures the application data files that have specified extensions or that are in a specified directory. A data layer captures the application data so that it is not redirected to the writeable sub-layer of the application layer.
• Layer Exclude Entries
  o You can create layer exclude entries for an application layer. A layer exclude entry can be a file extension or a directory. Application data that matches the layer exclude entry is saved in the base file system.
• Global Exclude Entries (Ideal option for most cases)
  o You can create global exclude entries for a computer. A global exclude entry can be a file extension or a directory. A global exclude entry applies to all layers on a computer. Application data that matches the global exclude entry is saved in the base file system.
• Using Non-Local Storage or “New Reset Points” (Not Recommended)
  o You can save the application data of a virtualized application to a non-local storage device, such as a network share. The data is then not redirected to the application layer.
  o You can copy the data from the writeable sub-layer to the read-only sub-layer using a new reset point.

Symantec Workspace Virtualization
Layer Definition Tool

The Layer Definition Tool lets you create packages without capturing an installation. Layer Definition Files provide everything necessary to build a Virtual Application Layer utilizing the Layer Definition Tool. The Layer Definition Files are useful for scenarios where capturing an application install is not possible or produces inconsistent results.

The SWV Layer Definition Tool lets you export Virtual Application information to Layer Definition Files. It also lets you create or modify layers from the Layer Definition File. After an application is captured using the Layer Definition Tool, it can be exported as a VSA file and deployed to endpoints.

To create virtual software layers from an LDF:
1. Run the self-extracting exe. A command window will appear to display progress.
2. After the layer is created successfully, you can export the layer using SWV Admin or SWVCMD to create a package.

Note: While creating Virtual Software Layers using LDFs, it is still highly recommended to use a “clean machine”.

Symantec Workspace Virtualization
Managing with the Altiris NS and DS

With Notification Server 6.x - 7.0 and later, the Workspace Virtualization Agent lets you create tasks and policies. Tasks and policies let you deliver and manage virtual software layers on client computers. Deployment Solution lets you create jobs to deploy and manage virtual software layers.

The “built in” tasks include:
• Import Layer
• Delete Layer
• Activate Layer
• Deactivate Layer
• Reset Layer

Keep in mind that although those listed above are the only “built in” options, you can still create NS and DS jobs to run command lines or scripts in order to manipulate layers with the SVSCMD tool.

Symantec Workspace Virtualization
Patching VLA’s

Layer patches provide a mechanism to make small, incremental updates to an existing application layer. Layer patches reduce the need to create a new layer to provide an application update. A layer patch file contains the changes between two versions of an application. Layer patches let you update layers without distributing a completely new layer. For example, an existing Firefox 3.01 virtual software layer can be updated to version 3.02 by applying a small patch file.

When applying a patch, you can select to keep the previous layer and create a new layer with the updated version. This feature can simplify application migration by providing access to both versions. You can also copy all of the data and the settings that are stored in the writeable sub-layer to the new version.

Patch files must be applied incrementally. If you create multiple patches, they must be applied in the order they were created.

To create a layer patch file you need a layer that contains the existing version of an application. This layer must have the same GUID as the layer distributed in your environment. You also need a second layer that contains the updated version of the same application. For example, Firefox 3.01 in the first layer and Firefox 3.02 in the second.

Applying patch files can be done through NS and DS jobs (utilizing SVSCMD), or through the GUI.

Symantec Workspace Virtualization
Troubleshooting SWV

Most troubleshooting with SWV starts and ends with the SWV Client Installation. Since the virtual layers themselves can be reset, there is not much of an issue with them as long as they are captured correctly.

You can complete most failed installations with a restart and a reinstallation. The installation log is stored in the %Temp% directory. In the installation log, search for "return value 3". The lines preceding this value should contain an error message regarding the failure. If the error message identifies the problem (for example, an invalid product key), you should be able to resolve it. For more complex problems, you may need to perform a manual cleanup of the installation.

Note: For manual cleanups of failed installations, you will need to look at the SWV User’s Guide. The manual cleanup is a lengthy process! If you are performing a massive rollout, consider building an automated NS or DS task to clean up failed installations.
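The log search described above, as an added example (not from the original slides or from Symantec): a PowerShell function that finds each "return value 3" marker and returns the lines preceding it. The function name `Find-InstallFailure` and the sample log lines are constructed for illustration; the page does not give the log's file name, so the path is left as a placeholder.

```powershell
# Added example: locate "return value 3" in an installation log and return
# the lines that precede each hit, where the error message is expected.
function Find-InstallFailure {
    [CmdletBinding()]
    param(
        # Log content, one element per line (for example from Get-Content).
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]] $Line,

        # Number of preceding lines to return with each marker.
        [ValidateRange(1, 200)]
        [int] $Before = 5
    )

    for ($i = 0; $i -lt $Line.Count; $i++) {
        # -notmatch is case-insensitive, so "Return value 3." is found too.
        # \b stops "return value 30" from being reported as a failure.
        if ($Line[$i] -notmatch 'return value 3\b') { continue }

        $context = @()
        if ($i -gt 0) {
            $start   = [Math]::Max(0, $i - $Before)
            # Drop blank lines so the context shows only log text.
            $context = @($Line[$start..($i - 1)] | Where-Object { $_.Trim() })
        }

        [pscustomobject]@{
            LineNumber = $i + 1
            Marker     = $Line[$i].Trim()
            Context    = $context
        }
    }
}

# Constructed sample lines; the action name and message are hypothetical.
$sample = @(
    'Action start 10:14:02: CheckProductKey.'
    ''
    'Error: The product key that was entered is not valid.'
    'Action ended 10:14:02: CheckProductKey. Return value 3.'
    'Action ended 10:14:03: INSTALL. Return value 3.'
)

Find-InstallFailure -Line $sample -Before 3 | ForEach-Object {
    "Line {0}: {1}" -f $_.LineNumber, $_.Marker
    $_.Context | ForEach-Object { "    $_" }
}

# Against a real log (the file name is a placeholder, not from the page):
# Get-ChildItem $env:TEMP -Filter *.log | Sort-Object LastWriteTime -Descending
# Find-InstallFailure -Line (Get-Content -Path "$env:TEMP\<installation-log>.log")
```

The first marker in a log is usually the one to read: later "return value 3" lines tend to be outer actions reporting the same failure as they unwind.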

Symantec Workspace Virtualization
Streaming Server – What is it? How does it work?

• MORE control of your applications
• Accelerate rollouts
• Track licenses
• Complete lifecycle management

Workspace Streaming is much more than a better way to package and deliver software. Workspace Streaming goes beyond resolving application conflicts and restoring broken applications to provide:
• Entire applications streamed for disconnected remote users. License and usage restrictions are enforced even if the computer is disconnected.
• Application version control. Easily upgrade your entire company to a new software version.
• Management of both virtual and traditional applications from a single point.

Complete lifecycle management lets you quickly roll out software, ensure proactive license compliance, and reduce support and upgrade costs for complex custom applications. Retired applications can be quickly removed from your environment, eliminating problems with upgrades.

Symantec Workspace Virtualization
Streaming Server – Multi Node or Single Node?

The central components of the system are the Streaming Server, the Launch Server, and the Streamlet Engine. The Streaming Console is an administration tool used to manage the Streaming and Launch Servers and the Streamlet Engine. Additionally, a Data Access Server can be added to provide load balancing and fault tolerance for the Streamlet Engine.

In a single-node configuration, all components are installed on a single server. This configuration can be used for the applications that have a limited number of users. It can also be used for the systems that do not require failover or load balancing and for evaluation. All components reside on the same system. A single-node configuration appears as a default server group configuration in the Streaming Console.

To enhance security, clients communicate only with the Launch Server. The Launch Server in turn communicates with the Streaming Server and the Launch Server.

In a distributed environment, the multi-node Front End components are installed on the servers that are distributed throughout your network. Installing multiple, distributed multi-node Front End servers provides higher availability and minimizes network traffic. Multi-node Front End servers connect to a central server hosting the multi-node Back End components and either the database or a high-bandwidth database connection.

Symantec Workspace Virtualization
Streaming Server – Multi Node

Multi-node Front End servers (Streaming Servers and Launch Servers) are installed on one system. The Streamlet Engine and Streaming Console are installed on another. One system with a Streamlet Engine can support multiple multi-node Front End servers. A multi-node installation facilitates load-balanced and failover network configurations. This configuration can also be used to configure a server farm.

Multi-node configurations include a multi-node Front End and a multi-node Back End, as follows:
• Multi-node Front End: a Streaming Server, a Launch Server, and a Workspace Streaming Agent.
• Multi-node Back End: a Streaming Console, the Streamlet Engine, and a Workspace Streaming Agent.

After you create the multi-node Back End, it is possible to add the multi-node Front End components to this system. Each multi-node Front End server includes a Streaming Server and a Launch Server. The Launch Server typically uses the default HTTP port (port 80).

A server group contains multiple multi-node Front End servers that are connected to a Streamlet Engine. All servers in a server group inherit the same settings.

Symantec Workspace Virtualization
Streaming Server – External Repository Servers

If you plan on streaming simultaneously to more than 300 agents, it is recommended to set up an external package repository. This enables packages to stream from a network share and reduces the load on the streaming server. This also avoids max thread limitations in the Tomcat servlet engine used by Workspace Streaming.

Workspace Streaming lets you stream packages directly from a file share or HTTP address. Streaming from a file share is enabled on a user-by-user basis by specifying user matching rules. Users who match the rules receive their packages from the specified location. Users who do not match a rule receive the package from the multi-node Front End server using the standard delivery infrastructure.

This configuration is recommended in large deployments to reduce load on the Streaming Server and avoid limitations in the Tomcat servlet engine used by Workspace Streaming. Streaming from a file share is often used in the environments that have existing file shares or Web servers deployed.

Note: When evaluating your infrastructure to stream from a file share, it is important to remember that the authentication process still occurs at the multi-node Front End server. Even when users have a fast connection to the file share, if your multi-node Front End servers are located over a slow connection with high latency you might experience a slight delay before streaming begins.

Symantec Workspace Virtualization
Streaming Server – AD Integration

Integrating with Active Directory lets you use integrated Windows authentication. After a user logs on to a domain computer, they are automatically authenticated to Workspace Streaming. They can then stream provisioned applications and access the Streaming Portal without reauthentication.

A good practice for utilizing Active Directory is to create an AD Group for each of your environment's specific use cases. You can use an AD Group for each package and add users to the group to grant them permissions, or you can provision bundles of applications to AD User Groups in order to create department-specific provisions.

For example: Finance needs Office, SAP, Adobe Standard, and Snag-It. You can create an AD Group for Finance and provision these specific applications to that group. In some cases, only a few users will need a certain application. For example, if only a few users in Finance need Adobe Pro and not Adobe Standard, you can create an AD Group just for provisioning Adobe Pro and add the specific users to that group as well.

Symantec Workspace Virtualization
Streaming Server – Upgrading Applications

A default package version offers an easy way to roll out a package upgrade to a user or user group without provisioning again. In a multi-tier configuration, the parent server controls the package version and passes the version to the child server.

When you have a newer version of an application and have finished packaging it, or have finished patching an older package, you can simply upload the new version to the selected server groups and then set the package as the default package. Once a package is set as the “default”, users that have an earlier package provisioned will automatically pull down the difference between the old version and the new default version instantaneously. The process is seamless from an end user standpoint because the upgrade takes place in the background when the application is launched.

Default versions can be used not only for upgrading but also to roll back to an older version if necessary. Sometimes issues and security holes are discovered in applications before a patch is available. This is rare, but when it happens it is a good idea to roll back to a more secure version of the application until the hole has been patched.

Symantec Workspace Virtualization
Streaming Server – Online / Offline if Laptop

Workspace Streaming lets you provision an application and then stream it automatically when an associated file is opened on the endpoint. For example, you can provision an Adobe Reader package to all users. When any user opens a PDF file, Adobe Reader is streamed to the endpoint and the file is opened. The icons for associated files are updated to indicate that an application is configured to open the file.

Note: For those of you who are familiar with “MSI Advertisements”, this is very similar, with the improvement of icon associations.

You can choose to pre-cache just the icon (Advertisement), or you can cache the entire application. Caching the entire application will cut down on bandwidth utilization and lets laptop users leave the network and still use the application. In some cases, a desktop may be relocated (off of the network at times) and will need its applications cached locally. There is another option that caches packages only if the machine is a laptop, which streamlines this without having to specify it manually per user group.

Symantec Workspace Virtualization
Streaming Server – License Management

Workspace Streaming provides powerful, verifiable license tracking with active enforcement of virtualized, streamed, and unmanaged software. Integrated reports provide a wide range of license, provisioning, and usage statistics. The backend database lets you integrate with other reporting systems or create custom reports.

Using Workspace Streaming, license compliance is guaranteed using active enforcement. With the Streaming Server, you can choose between:
• Allowing users to share a pool of licenses
• Reclaiming licenses from an application once it is closed
• Allowing a user or group of users a grace period of a specified number of days for a license

Note: Although this can in some cases be used to stretch a small number of licenses across your entire organization, some vendors license the application “per user”, and using such a license for more than the one or few specified users will violate the license agreement.

Symantec Workspace Virtualization
Streaming Server – Reporting

The Report Listing link in the Streaming Console offers you links to reports on licenses, applications, user groups, client activity, and provisioning. You can view the reports in a PDF format or in an HTML format. Reports can also be generated into a CSV file which the user can download.

All the regular options of Acrobat Reader are available along with the horizontal and vertical scroll bars. This provides you the convenience of printing, saving and emailing these reports, in addition to providing easy navigation through the pages of the report. The system permits you to customize the reports in terms of the sort order of the report and the period for which the information is presented.

The default report timeout has been set to three minutes. Large reports that take a longer time cannot be generated due to timeout expiration. The timeout can be changed if needed to accommodate larger reports, but leaving it changed other than temporarily is not recommended.