The Director WMI proxy plug-in was introduced in XenDesktop 7.0 to address and solve all problems related to the communication method between Director and the VDA used in Director 2.1 and earlier. The WMI proxy plug-in is installed as part of the Broker Agent on the VDA. All requests from Director are routed through the Delivery Controller to the WMI proxy plug-in running on the VDA, and the same secure channel is used to send responses from the WMI proxy plug-in back to Director. The new WMI proxy plug-in is an essential change because it introduces new features that make our life much easier.
The most important changes include:
- WinRM is not used – the main advantage of the new solution is that there is no need to configure WinRM for Director to retrieve data from the VDA. All Director requests are sent to and managed by the Delivery Controller. All WMI queries are run locally on the VDA by the WMI proxy plug-in, and the required details are sent back to the Delivery Controller. Director does not need to open any WinRM ports on the VDA, which eliminates all problems related to communication between Director and the VDAs through WinRM.
- Delegated Administration support – in Director 7.x, the communication is routed through the Delivery Controller. Because the Delivery Controller is responsible for sending the request to the VDA, it can verify the user's permissions on the request before forwarding it to the VDA. Requests are forwarded to the VDA only if the required permission is set.
The communication flow is shown in Figure 1 below.
Communication method in Director 2.1 and earlier
In Director 2.1 and earlier, information requests were made through direct communication between Director and the VDA using Windows Remote Management (WinRM). WinRM is Microsoft's implementation of the WS-Management protocol and enables remote monitoring using a firewall-friendly SOAP-based protocol.
The most common problems reported by users are the following:
- Director machines needed to be able to establish WinRM (WMI over HTTP) connections to VDAs. Director also needed the WMI over HTTP communication port opened and a firewall exception added on the VDA.
- The VDAs have no knowledge of Delegated Administration and no way to manage access to the WMI classes other than the Microsoft-provided mechanism.
- WMI security permissions are not very granular, so opening parts of the WMI functionality exposes a large functional area to the Director administrators.
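The contrast between coarse WMI permissions and the controller-side check described under Delegated Administration support can be modelled in a few lines. This is an added conceptual example, not Citrix code: the role names, permission strings, class names and the idea of a fixed operation-to-query map are all assumptions made for illustration.

```python
# Conceptual model only: role, permission and class names are hypothetical
# and do not reflect Citrix's actual implementation or API.
from dataclasses import dataclass, field

# Assumed delegated-administration roles mapped to per-operation permissions.
ROLE_PERMISSIONS = {
    "HelpDeskAdmin": {"session.view_processes"},
    "FullAdmin": {"session.view_processes", "machine.view_hotfixes"},
}
# Assumption: each operation maps to one fixed query the plug-in runs locally.
OPERATION_QUERIES = {
    "session.view_processes": "SELECT Name, ProcessId FROM Win32_Process",
    "machine.view_hotfixes": "SELECT HotFixID FROM Win32_QuickFixEngineering",
}

class PermissionDenied(Exception):
    pass

@dataclass
class VdaProxyPlugin:
    """Stand-in for the plug-in on the VDA; records the queries it ran."""
    executed: list = field(default_factory=list)

    def run_local(self, query):
        self.executed.append(query)
        return f"result of: {query}"

@dataclass
class DeliveryController:
    vda: VdaProxyPlugin

    def handle(self, role, operation):
        # Callers name an operation; they never supply a raw WMI query.
        if operation not in OPERATION_QUERIES:
            raise PermissionDenied(f"unknown operation {operation!r}")
        # Permission is verified before anything is forwarded to the VDA.
        if operation not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionDenied(f"{role} lacks {operation}")
        return self.vda.run_local(OPERATION_QUERIES[operation])

def demo():
    vda = VdaProxyPlugin()
    controller = DeliveryController(vda)
    controller.handle("HelpDeskAdmin", "session.view_processes")
    try:
        controller.handle("HelpDeskAdmin", "machine.view_hotfixes")
    except PermissionDenied:
        pass  # denied at the controller; the VDA never sees the request
    return vda.executed
```

In this model a denied request never reaches the VDA at all, which is the property the older direct WinRM path could not provide.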
For more information on WinRM configuration and troubleshooting, see CTX125243.