We made changes in View 5.1 and later releases that require you to configure View components a little differently than in the past. These notes will help you to avoid potential pitfalls when you install or upgrade to View 5.1 or a later release.
Note: If you are upgrading from View 5.1 to a later release, you already should have taken these configuration steps. Use these notes to review your View setup.
1) You cannot downgrade a View 5.1 or later Connection Server to previous versions.
In View 5.1 or later, the View LDAP configuration is encrypted and cannot be used by earlier versions of View.
· After you upgrade a View Connection Server instance to View 5.1 or later, you cannot downgrade that instance to an earlier version.
· After you upgrade all View Connection Server instances in a replicated group, you cannot add another instance that runs an earlier version of View.
Note: Downgrading was never supported, but in past releases it worked. Now it won’t work.
2) vCenter Server and View Composer hosts need valid SSL certificates.
· Best choice: Ensure your vCenter Server and View Composer have Certificate Authority (CA)-provided certificates:
o Install an SSL certificate, signed by a CA, on the Windows Server on which vCenter Server is installed.
o Do the same for View Composer. If you install View Composer and vCenter Server on the same host, they can use the same certificate, but you must configure the certificate separately for each component.
* If you install the certificate before you install View Composer, you can select your certificate during the View Composer installation.
* If you replace the default certificate later, run the SviConfig ReplaceCertificate command to bind the new certificate to the port used by View Composer.
o Make sure the CA for the new certificates, and any parent CAs, are trusted by each Windows server on which a View Connection Server instance is installed.
· Alternative: After you add vCenter Server and View Composer to View, accept the thumbprint of the default certificate for View Composer by clicking Verify in View Administrator. Do the same for vCenter Server.
· Alternative: Let the View server installer create a default certificate in the Windows Server certificate store. The certificate is self-signed and will be shown as invalid in View Administrator.
· Upgrading to View 5.1 or a later release: If your original View servers already have SSL certificates signed by a CA, you don’t have to do anything. During the upgrade, View imports your certificates into the Windows Server certificate store.
If your original View servers have default certificates, upgrade your View servers and follow the Best choice steps shown above.
More information: See “Configuring SSL Certificates for View Servers” in the View Installation guide.
4) Certificates for vCenter Server, View Composer, and View servers must include certificate revocation lists (CRLs).
View will not validate a certificate without a CRL.
· Best choice: If needed, take these steps:
o Add a CRL to your certificate.
o Import the updated certificate into the Windows certificate store on the vCenter Server, View Composer, and View server host.
· Alternative: Change the registry settings that control CRL checking.
More information: “Configuring Certificate Revocation Checking on Server Certificates” in the View Installation guide.
Note: If your company uses proxy settings for Internet access, you might have to configure your View Connection Server computers to use them. This step ensures that the servers can access the certificate revocation checking sites on the Internet. You can use Microsoft Netshell commands to import the proxy settings to View Connection Server.
More information: “Troubleshooting View Server Certificate Revocation Checking” in the View Administration guide.
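One way to check this requirement before installing or upgrading, shown as an added PowerShell example (not part of the original notes or of any VMware tooling). It assumes the server certificates are in the local computer's Personal store (Cert:\LocalMachine\My); the Windows chain check it runs approximates View's validation and is not the same code.

```powershell
# Added example: list each certificate in the local computer's Personal store,
# show whether it carries a CRL Distribution Points extension, and test whether
# Windows can complete an online revocation check for its chain.
# Assumption: the vCenter Server / View Composer / View server certificate is
# stored in Cert:\LocalMachine\My on the host where this is run.

$crlDpOid = '2.5.29.31'   # X.509 "CRL Distribution Points" extension OID

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $crlDpOid }

    $locations = ''
    if ($cdp) { $locations = $cdp.Format($false) }   # human-readable CRL URLs

    # Build the chain with online revocation checking for every certificate
    # except the root, so an unreachable or missing CRL shows up as an error.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasCrlDp      = [bool]$cdp
        CrlLocations  = $locations
        ChainValid    = $chainOk
        ChainStatus   = $status   # e.g. RevocationStatusUnknown, UntrustedRoot
    }
} | Format-List Subject, Thumbprint, NotAfter, HasCrlDp, CrlLocations, ChainValid, ChainStatus

# If the CRL URLs are on the Internet and the server sits behind a proxy,
# confirm which proxy the WinHTTP stack will use for revocation fetches.
netsh winhttp show proxy
```

A certificate with HasCrlDp set to False needs to be reissued with a CRL. A ChainStatus of RevocationStatusUnknown or OfflineRevocation on a certificate that does have a CRL usually means the server could not reach the CRL location, which is the proxy case described in the note above.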
5) Windows Firewall with Advanced Security must be enabled on Security Server and View Connection Server hosts.
By default, IPsec rules govern connections between the View security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
· Best choice: Set Windows Firewall with Advanced Security to on before you install the View servers. Make sure it’s on for any active profiles; better still, set it to on for all profiles.
· Alternative: Before you install security servers, open View Administrator and disable the Global Setting, Use IPsec for Security Server Connections, by setting it to no. (This is not recommended.)
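A quick way to confirm the firewall state per profile on a security server or View Connection Server host, shown as an added PowerShell example (not part of the original notes). It uses the Windows HNetCfg.FwPolicy2 COM interface so that it also runs on hosts without the newer NetSecurity cmdlets.

```powershell
# Added example: report whether Windows Firewall with Advanced Security is on
# for each profile, and flag any profile that is currently active but off.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

# NET_FW_PROFILE_TYPE2 values: Domain = 1, Private = 2, Public = 4
$profiles = @{ Domain = 1; Private = 2; Public = 4 }
$active   = $fw.CurrentProfileTypes      # bitmask of profiles in use right now

$report = foreach ($name in 'Domain', 'Private', 'Public') {
    $bit = $profiles[$name]
    New-Object PSObject -Property @{
        Profile = $name
        Active  = [bool]($active -band $bit)
        Enabled = [bool]$fw.FirewallEnabled($bit)
    }
}
$report | Format-Table Profile, Active, Enabled -AutoSize

$activeOff = @($report | Where-Object { $_.Active -and -not $_.Enabled })
$anyOff    = @($report | Where-Object { -not $_.Enabled })

if ($activeOff.Count -gt 0) {
    # The default IPsec rules between security server and Connection Server
    # depend on the firewall being on for the active profile(s).
    Write-Warning ("Firewall is OFF for active profile(s): " +
                   (($activeOff | ForEach-Object { $_.Profile }) -join ', '))
} elseif ($anyOff.Count -gt 0) {
    Write-Output ("Active profiles are on; still off: " +
                  (($anyOff | ForEach-Object { $_.Profile }) -join ', '))
} else {
    Write-Output "Firewall is on for all profiles."
}

# To turn the firewall on for every profile from an elevated prompt:
#   netsh advfirewall set allprofiles state on
```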
6) Back-end firewalls must be set up to support IPsec.
If you have a back-end firewall between security servers and View Connection Server instances, you must configure firewall rules to allow the connections to work.
More information: See “Configuring a Back-End Firewall to Support IPsec” in the View Installation guide.
7) View Clients must use HTTPS to connect to View.
View Connection Server instances and security servers use SSL for client connections.
· If View clients connect via an SSL off-loading intermediate device, you must install the intermediate device’s SSL certificate on View Connection Server or security server.
· The connection must be HTTPS whether or not a View client connects via an intermediate device such as a load balancer. If you use an intermediate device, and you want the connection between the intermediate device and View server to be over HTTP (SSL off-loading), configure the locked.properties file on the View server.
· Older View clients that can choose not to use HTTPS will get an error if users select HTTP. Previously they were silently redirected to HTTPS. Clients that cannot make SSL connections will be unable to connect to View.
More information: See “Off-loading SSL Connections to Intermediate Servers” in the View Administration guide.
8) Encrypted and cleansed View backups require new restore steps.
By default, backups of View 5.1 or later are encrypted. You can also cleanse View backups (exclude passwords and other sensitive information from the backup data) or back up in plain text (not recommended).
· To restore an encrypted backup, you must decrypt the data first. You must use the data recovery password that you provided when you installed View Connection Server.
· Do not restore cleansed backups. Data such as passwords will be missing from your View LDAP configuration. View components will not function properly without this data. To restore normal functionality, you will have to use View Administrator to manually reset all passwords and other missing data items.
More information: See “Backing Up and Restoring View Configuration Data” in the View Administration guide.
9) Before you can upgrade or reinstall a View 5.1 or later security server, you must remove the relevant IPsec rules from the paired View Connection Server instance so that fresh rules can be established.
· In View Administrator, select the security server and click More Commands > Prepare for Upgrade or Reinstallation.
Note: You don’t need to remove a security server from View before you upgrade or reinstall the server.
More information: See “Prepare to Upgrade or Reinstall a Security Server” in the View Installation guide.