Configuring Self-Service
The Virtual Machine Manager (VMM) Self-Service Portal is an optional, Web-based component that a VMM administrator can configure to enable end users to create and manage their own virtual machines within a controlled environment.
Through virtual machine self-service, you can allow a select set of users to independently create, operate, and manage their own virtual machines within a controlled environment. Self-service users work with their virtual machines via a Web site, the Virtual Machine Manager Self-Service Portal. Access to self-service virtual machines is provided through the Virtual Machine Remote Control (VMRC) client of Microsoft Virtual Server 2005 R2.
The VMM administrator limits the scope of self-service users by creating self-service policies. A self-service policy grants a user or group permissions to create, operate, manage, store, create checkpoints for, and connect to their own virtual machines.
This topic describes the steps you must perform to configure virtual machine self-service:
- Install the VMM Self-Service Portal
- Configure VMM Administration Settings
- Create a Host Group for Self-Service
- Add and Configure Hosts
- Create Virtual Machine Templates
- Create Self-Services Policies
- Configure Virtual Machines for Self-Service
- Send Instructions to Self-Service Users
Install the VMM Self-Service Portal
Install the VMM Self-Service Portal on a Web server by using Internet Information Services (IIS) 6.0. For step-by-step instructions for installing the VMM Self-Service Portal, see Installing the VMM Self-Service Portal.
Configure VMM Administration Settings
After installing the VMM Self-Service Portal, you must identify the Web server in VMM.
How to add a self-service Web server
In Administration view, click Self-Service in the navigation pane, and then, in the Actions pane, click Manage self-service Web servers.
In the Manage Self-Service Web Servers dialog box, click Add. Then enter the computer name of the Web server in the format server.contoso.com, and then click OK.
Users on the Self-Service Portal can click Contact Administrator to send an e-mail message to the designated administrator. To ensure that self-service users can contact an administrator from the VMM Self-Service Portal, you can specify an administrative contact.
To specify the administrative contact for self-service users
In Administration view, click Settings in the navigation pane.
In the results pane, double-click Self-Service Settings.
In the Self-Service Settings dialog box, specify the e-mail address for the administrator whom you want self-service users to contact if they have a question or issue.
Create a Host Group for Self-Service
Self-service policies are properties of a host group. A host group is a container that you can use to group hosts and the virtual machines on those hosts in a meaningful way. You should create and designate one or more host groups to be used exclusively for self-service. For step-by-step instructions for creating a host group, see the "How to Create a Host Group" topic in VMM Help (https://go.microsoft.com/fwlink/?LinkId=103314).
Add and Configure Hosts
After adding a host group for self-service, add the hosts that you want self-service users to use to the host group. To enable self-service users to connect to their virtual machines, you need to enable and configure Virtual Machine Remote Control (VMRC) on each of the hosts in the self-service host group.
VMRC is a feature of Virtual Server 2005 that you can enable, disable, and configure from within VMM. For step-by-step instructions for enabling VMRC, see the "How to Modify VMRC Settings on a Host" topic in VMM Help (https://go.microsoft.com/fwlink/?LinkId=102194).
Important
We recommend that you implement Secure Sockets Layer (SSL) security for Virtual Machine Remote Control (VMRC) connections, particularly if you use Basic authentication, which transmits passwords in plaintext.
You can enable multiple connections by selecting the Allow multiple VMRC connections checkbox; however, each user can access the guest operating system without the knowledge of the other users. This is by design for training and lab scenarios where one user wants to demonstrate a task to other users and have them connect to and view the same remote session. Because VMRC connections do not use sessions, allowing more than one user to connect can result in collisions of user actions on the guest operating system.
Create Virtual Machine Templates
A virtual machine template provides a standardized group of hardware and software settings that can be used repeatedly to create new virtual machines configured with those settings. You can create templates specifically for self-service users, and then use a self-service policy to limit self-service users to using only those templates to create virtual machines.
When creating templates for self-service users, we recommend that you install Virtual Machine Additions on a physical computer, and then create a template from that computer. For step-by-step instructions for creating a template, see the "Creating Templates" topic (https://go.microsoft.com/fwlink/?LinkId=104335)
Create Self-Service Policies
A self-service policy grants a user or group permissions to create, operate, manage, store, create checkpoints for, and connect to their own virtual machines through the Virtual Machine Manager Self-Service Portal. The self-service policy is added to a host group.
You can set a virtual machine quota in a self-service policy to limit the number of virtual machines that a user or group can deploy. Quota points can then be assigned to virtual machines and the templates that self-service users can use to create virtual machines. When a self-service user's quota is reached, the user cannot create any new virtual machines until an existing virtual machine is removed or stored in the library.
Quota points apply only to virtual machines on a host. If a self-service user is allowed to store virtual machines, the quota does not apply to virtual machines stored in the library. For more information, see the "About Virtual Machine Quotas" topic in VMM Help (https://go.microsoft.com/fwlink/?LinkId=103560).
For more information about creating a self-service policy, see the "How to Create a Self-Service Policy" topic in VMM Help (https://go.microsoft.com/fwlink/?LinkId=103542).
Self-Service Policies Configurations
You can create a self-service policy for an individual user or for a domain group. When creating self-service policies, you have the following range of options:
- Create a single self-service policy that uses a domain group with all self-service users in the group.
- Create multiple self-service policies, each that uses its own domain group with a small number of users in each group.
- Create one self-service policy for each individual self-service user.
It is a best practice to create one self-service policy for each individual self-service user. If you use domain groups, limit the number of users in each group.
If you have a large number of self-service users, you are also likely to have a large number of virtual machines designated for self-service use. When a user within a domain group connects to the self-service portal, the portal opens connections to all the virtual machines that the user has permission to access. When multiple users connect to the portal, this can create a heavy workload on the portal and quickly deteriorate its performance. By creating one self-service policy for each individual self-service user, you can improve the portal's performance. When a self-service user with a user-specific policy connects to the portal, the portal opens only one connection. Thus, multiple users can connect to the portal without diminishing its performance.
Configure Virtual Machines for Self-Service
If you create virtual machines for self-service users to use instead of, or in addition to, the virtual machines they create for themselves, you need to:
- Configure the virtual machines for self-service.
- Deploy the virtual machines on a host in the host group that you use for self-service.
For more information, see the "How to Configure a Virtual Machine for Self-Service" topic in VMM Help (https://go.microsoft.com/fwlink/?LinkId=104562).
Send Instructions to Self-Service Users
After you have completed the configuration of self-service, you need to provide instructions to the self-service users.
The instructions to users should include the following information:
Web address of the VMM Self-Service Portal
If the Web server has a dedicated TCP port, the Web address of the portal should be in the following format:
- http://<WebServerName>:<PortNumber>
If the Web server has a TCP port that is shared with other Web sites and uses a host header, the Web address of the portal should be in the following format:
- http://<Host Header Name>
Other information
- If self-service users have shared ownership, explain the effects of shared ownership on their virtual machines and virtual machine quotas. For more information about shared ownership, see the "About Virtual Machine Ownership" topic in VMM Help (https://go.microsoft.com/fwlink/?LinkId=103562). For more information about quotas, see the "About Virtual Machine Quotas" topic in VMM Help (https://go.microsoft.com/fwlink/?LinkId=103560).
- If the virtual machines for self-service users are in a workgroup rather than a domain, provide the local Administrator credentials to access their virtual machines.
- If you register your own CA-signed certificate for encrypting VMRC communication, instruct users to accept the certificate for encrypting their VMRC sessions when prompted.
- Self-service users might be asked for credentials when connecting to virtual machines. This is because the self-service portal Web page uses Microsoft Internet Explorer, which interprets a virtual machine host to be an external Internet resource. To avoid being asked for credentials, have the user add the Fully Qualified Domain Name (FQDN) of the host to the Local intranet sites in the Security settings of Internet Options for Internet Explorer by using the following procedure.
To add a host to a security zone
In Internet Explorer, on the Tools menu, click Internet Options.
Click the Security tab, and then click Local intranet zone.
Click Sites, and then click Advanced.
In the Add this Web site to the zone text box, type the FQDN for the virtual machine host that you want to add to this zone, in the form http://hostname.contoso.com, and then click Add.
Note
To find the FQDN of the host click Properties.
Additional Resources
- Planning for Self-Service (https://go.microsoft.com/fwlink/?LinkId=103541)