A Few Pointers When Upgrading VMware View to 5.1
I recently had the opportunity to upgrade my lab’s VMware View 5.0 installation to version 5.1. When doing research on the documentation, I found a lot of new concerns around security and certificates that make the upgrade process a bit more complex than the 4.6 to 5.0 upgrade I performed earlier this year.
This post contains documentation on my upgrade to version 5.1, including some of the few gotchas that I encountered.
Please keep in mind that my home lab is not a production environment, your setup will most likely be different and more complex, and that only one user is entitled to my View install (me) which makes outages very easy.
Lab Upgrade Process
Here is an overview of the upgrade process that I used in the home lab. My configuration is rather simple, with a single Connection Server along with Composer installed on the vCenter Server.
- Updated all ESXi hosts to 5.0 update 1
- Updated vCenter Server 5.0 update 1a
- Created snapshot of the View Connection Server running 5.0
- Updated View Connection Server to 5.1
- Note: If you have multiple servers in a replica group, VMware recommends to “Stop the service called VMware View Connection Server service on all View Connection Server instances in the group.”
- Verified I could connect to a desktop using the View Client before proceeding, if there were issues I could potentially roll back at this time.
- Upgraded View Composer from 2.7 to 3.0, including an upgrade of the Composer DB.
- Restart the vCenter Server
- Accepted the self signed certificates from the View Administrator.
- Pushed the View Agent 5.1 to desktops using a GPO (I will not be covering this piece, as it is highly variable for each environment).
So, let’s get started.
Upgrading the View Connection Server
When you first begin the upgrade to the View Connection Server, a warning appears that showcases some of the security enhancements to View 5.1 that involve certificates.
I would imagine that a lot of folks simply used the self signed certificate. The warning is suggesting that you should go grab some CA signed certificates, either from your own authority or perhaps a 3rd party like VeriSign or GoDaddy. However, you do have the option to stick with self signed certificates if you so desire.
The installation itself is rather straight forward.
Once finished, a WordPad document pops open with some View 5.1 notes from the ReadMe file. The main points are:
- You cannot downgrade View 5.1 Connection Server to previous versions.
- vCenter Server and View Composer hosts need valid SSL certificates. (Editor’s Note: optional)
- Security server and View Connection Server hosts need valid SSL certificates. (Editor’s Note: optional)
- Certificates for vCenter Server, View Composer, and View servers must include certificate revocation lists (CRLs).
- Windows Firewall with Advanced Security must be enabled on Security Server and View Connection Server hosts.
- Back-end firewalls must be set up to support IPsec.
- View Clients must use HTTPS to connect to View.
- Encrypted and cleansed View backups require new restore steps.
- Before you can upgrade or reinstall a View 5.1 security server, you must remove the relevant IPsec rules from the paired View Connection Server instance so that fresh rules can be established.
If you log into the View Administrator at this point, a number of red boxes will be waiting to greet you. In my case, I have 3 red areas.
- My View Connection server is using a self signed certificate
- My View Composer Server certificate has not been verified (self signed) and is still running Composer version 2.7
- My vCenter Server certificate has not been verified (self signed)
Upgrading the View Composer Application
I next upgraded the View Composer application from 2.7 to 3.0. This part will induce an isolated outage. As per the documentation:
For View 5.1, during the first maintenance window, upgrade View Composer. Operations such as provisioning and recomposing linked-clone desktops and publishing View Composer base images are not supported until all View servers are upgraded to View 5.1.
I performed these housekeeping activities:
- Snapshot the vCenter Server
- Backup of the Composer DB
- Disabled provisioning on Linked Clone pools and ensure that no desktops are set to refresh on logoff (this would fail).
Make sure you have that DB backup before doing the database upgrade.
You also have the option to select an SSL certificate in the next screen. I just created a default SSL certificate.
When finished, you are prompted to restart the server.
Accepting Self Signed Certificates
The last step was to accept the self signed certificates used on vCenter and Composer.
From the View Administrator, click on View Configuration > Servers. Find your vCenter server in the list, click it, and then click “Edit…” at the top.
For both the vCenter Server Settings and the View Composer Server Settings, click on “Edit…” and then “View Certificate…” to review the certificate.
Click “Accept” to accept the configuration.
Note: If your vCenter Server was added to View as an IP instead of its fully qualified domain name (FQDN) you will hit a snag. The self signed or CA certificate is created with a FQDN. When the View Administrator attempts to check the certificate, it will not find an IP address, and you’ll see an error.
The final look of the View Administrator dashboard should be like this:
Note that the Connection Server is still red, because the certificate is self signed. This is as intended in my lab.
Hopefully this gives you an idea of what it requires to upgrade View from 5.0 to 5.1. There are a lot of considerations with the new security features that revolve around certificates, but other than that, I found the install to be relatively straight forward. Make sure to read the VMware View Upgrades documentation, as it contains a lot of little gotchas and details on the proper order, supported configurations, and system requirements.