Adding SQL Server Express 2012 Advanced Services to Existing Mirage 2012

With Mirage 5.3, VMware introduced a new reporting engine to create reports on the Web Management console.

This requires installing SQL Server Express 2012 Advanced Services, also called SQL Server Reporting Server. That does not mean you can use SQL Server Analysis Service (SSAS) and SQL Server Integration Service (SSIS) with SQL Server Express 2012 Advanced Services: it comes with SQL Server Reporting Server only, but allows you to develop SSAS and SSIS solutions if you have a remote server that is running SQL Server Analysis Service and SQL Server Integration Service.

But we do not require SSAS and SSIS to create a Mirage report in the Web Management console.

Let's talk about the requirements we have here:

  • Mirage 5.3 installation files
  • SQL Server Express 2012 Advanced Services download
  • Mirage Web Management console installed
  • Admin access to Mirage server console
  • Verify that you have db_creator privileges on the SQL Server
  • Verify that you have dbo permissions on the MirageDB database

Check out the install and configure video


Mirage Client configuration via CVD policy

There are ways to configure local client settings through the CVD policy; most of the client settings can be managed this way. The Mirage client checks the CVD policy for available configuration and applies these settings by overwriting the local settings. To add configuration settings to a CVD policy, follow a couple of simple steps.

In this case we want to change the Mirage server name from the PoC environment to the production environment without touching each client individually.


  1. Export the default CVD policy.
  2. Open the policy with a text editor.
  3. Before the line </Configuration>, add a new line with this data:
       <Config Name="serverAddress" Value="eudvmmsapp004" />
     In our case, eudvmmsapp004 is the server we want to connect to. You can put an IP address or host name.
     [Image: CVD config]
  4. Save the changes you made to the CVD policy file.
  5. Import the changed CVD policy via MMC import and name it accordingly.
  6. You can now assign the policy to an individual client or, via a collection, to multiple clients.
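The edit in step 3 can be scripted so that it is repeatable and the result is checked for well-formed XML before import. This is an added example, not part of the original post or of Mirage; the function name `set_config` and the sample policy (including the `Policy` and `exampleSetting` names) are constructed for illustration, and the file is assumed to be UTF-8.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

CLOSE_TAG = "</Configuration>"

# Constructed sample; a real exported policy contains many more elements.
SAMPLE_POLICY = """<Policy>
  <Configuration>
    <Config Name="exampleSetting" Value="1" />
  </Configuration>
</Policy>
"""


def set_config(policy_xml: str, name: str, value: str) -> str:
    """Return policy_xml with exactly one <Config> entry for `name`."""
    # quoteattr emits straight quotes; curly quotes copied from a web
    # page are not valid XML attribute delimiters.
    new_line = f"<Config Name={quoteattr(name)} Value={quoteattr(value)} />"
    existing = re.compile(
        r'<Config\s+Name="' + re.escape(name) + r'"\s+Value="[^"]*"\s*/>'
    )
    if existing.search(policy_xml):
        # Entry already present: update it instead of adding a duplicate.
        result = existing.sub(lambda m: new_line, policy_xml)
    else:
        idx = policy_xml.rfind(CLOSE_TAG)
        if idx == -1:
            raise ValueError("no </Configuration> element found in policy")
        # Reuse the indentation of the closing tag's line.
        line_start = policy_xml.rfind("\n", 0, idx) + 1
        indent = policy_xml[line_start:idx]
        if indent.strip():
            indent = ""
        result = (policy_xml[:idx] + "  " + new_line + "\n"
                  + indent + policy_xml[idx:])
    # Refuse to hand back a file the importer cannot parse.
    ET.fromstring(result.encode("utf-8"))
    return result


if __name__ == "__main__":
    print(set_config(SAMPLE_POLICY, "serverAddress", "eudvmmsapp004"))
```
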



Horizon Workspace with Nginx

I tried to get my workspace accessed from remote without an expensive certificate. So I went to do the below.

In this post I demonstrate how to create a base configuration of Horizon Workspace using an internal Microsoft Certificate Authority with Nginx as a reverse proxy frontend.

This setup is likely acceptable for setting up workspace in a lab environment, since in a production environment you’ll need a trusted third party cert.

This configuration for your lab environment is important because it will allow you to set up and test every feature you’ll be using in a production environment.


  • Microsoft Active Directory Certificate Services
  • Linux or Windows Machine running Nginx
  • Horizon Workspace 1.5 Downloaded and installed with no configuration.
    • We’ll be using the workspace FQDN of horizon.test.dom (This obviously assumes the domain of test.dom)


  1. On the Linux machine, generate the private key and the CSR:
      # 2048-bit RSA key; 1024-bit RSA is no longer considered secure
      openssl genrsa -out horizon.test.dom.key 2048
      # Create the CSR from that key
      openssl req -new -key horizon.test.dom.key -out horizon.test.dom.csr
  2. Take the CSR and get a certificate from your internal domain CA. Download the certificate and rename it to horizon.test.dom.crt.
  3. Download your internal domain CA root certificate. On the machine running AD Cert Services, open the command line and type the following command:
      certutil -ca.cert %userprofile%\Desktop\test.dom-root.cer
  4. Ensure that Nginx is forwarding traffic correctly to the gateway-va. Below is a snippet (entries in square brackets need to be changed):
      server {
          # TLS listener on the load balancer address
          listen [load balancer IP]:443 ssl;
          ssl_certificate     [path to]horizon.test.dom.crt;
          ssl_certificate_key [path to]horizon.test.dom.key;
          location / {
              # Pass the original host name and client address on to Workspace
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_read_timeout 1800;
              proxy_connect_timeout 1800;
              # Forward requests to the gateway-va
              proxy_pass https://[gateway-va address];
          }
      }
  5. Place your domain root CA certificate (gathered in step 3) into the configurator web interface:
    1. Open the web interface and navigate to the FQDN & SSL section.
    2. Select Yes under External Load Balancer.
    3. Enter horizon.test.dom:443 in the Horizon Workspace FQDN section.
    4. Paste the domain root CA certificate in the “Load Balancer Root CA Certificate” section.
  6. You’re all set! You can now log into the Horizon Workspace Admin page by navigating to https://horizon.test.dom/admin

CVD Policy explained

The CVD policy controls settings of a CVD such as the upload interval, the relevant volumes, the data and settings that are preserved, and the client configuration.

The CVD policy determines which files are included in or excluded from the image area, which consists of the Unprotected Area and the User Area. The evaluation is done per file.

A path is evaluated against all include rules in the policy. If a matching rule is found, the file is considered part of the “area”.

The path is then evaluated against all exclude rules one by one. If a matching exclude rule is found, the file is removed from the “area” and evaluation stops.

A rule is composed of:

  • A directory path (possibly expanded to multiple directories by the use of macros).
  • A pattern for matching files under this directory.
  • Whether the rule applies recursively.

A file matches a rule if it resides in the rule’s directory (or its sub-directories, if applied recursively) and if it matches the file pattern.

Include Rules

Adding an IncludeRule adds files that match it to the relevant group.

  • Adding a directory recursively to an include rule removes the directory with all its children.
  • Adding a directory with a filter (non recursively) does not remove the directory itself.

Exclude Rules

As the exclude rules define some special behavior, it is important to describe them specifically. As most files are handled by Mirage, adding an IncludeRule effectively removes the file from the default behaviour. The Exclude Rules are there to allow re-insertion of files/paths into Mirage management.


<Directory path="C:\UserData" recursive="true" filter="*"/>
<Directory path="C:\UserData" recursive="true" filter="*.doc"/>
<Directory path="C:\UserData\Pictures\Images" recursive="false" filter="Logo*.jpg"/>

The results:

  1. Anything under C:\UserData is Unprotected
  2. Any file matching *.doc under C:\UserData is preserved
  3. Any file matching Logo*.jpg under C:\UserData\Pictures\Images is preserved


But also:

  1. Rule 2 and 3 ensure that: C:\, C:\UserData, C:\UserData\Pictures, c:\UserData\Pictures\Images are all preserved too.
  2. Rule 2 ensures that any directory under C:\UserData is preserved as well under the suspicion that it might contain a file matching *.doc
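The include-then-exclude evaluation described above can be sketched as a small per-file evaluator. This is an added example, not Mirage code; it assumes rule 1 is an include rule of the Unprotected Area and rules 2 and 3 are its exclude rules, the names `Rule`, `in_area` and `classify` are hypothetical, and it covers file matching only (not macros or the directory preservation listed under "But also").

```python
import fnmatch
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Rule:
    path: str        # directory the rule is anchored at
    recursive: bool  # True: sub-directories are covered as well
    filter: str      # file-name pattern, e.g. "*.doc"

    def matches(self, file_path: str) -> bool:
        # Windows paths are case-insensitive, so compare in lower case.
        f = PureWindowsPath(file_path.lower())
        base = PureWindowsPath(self.path.lower())
        if self.recursive:
            in_dir = base in f.parents
        else:
            in_dir = f.parent == base
        return in_dir and fnmatch.fnmatchcase(f.name, self.filter.lower())


def in_area(file_path, includes, excludes):
    """Include rules put a file into the area; the first matching
    exclude rule takes it out again and stops the evaluation."""
    if not any(rule.matches(file_path) for rule in includes):
        return False
    for rule in excludes:
        if rule.matches(file_path):
            return False
    return True


# The three rules from the page (assumed split: 1 include, 2 exclude).
INCLUDE = [Rule(r"C:\UserData", True, "*")]
EXCLUDE = [
    Rule(r"C:\UserData", True, "*.doc"),
    Rule(r"C:\UserData\Pictures\Images", False, "Logo*.jpg"),
]


def classify(file_path: str) -> str:
    unprotected = in_area(file_path, INCLUDE, EXCLUDE)
    return "unprotected" if unprotected else "preserved"


if __name__ == "__main__":
    # Constructed sample paths.
    for p in (r"C:\UserData\notes.txt",
              r"C:\UserData\Reports\q1.doc",
              r"C:\UserData\Pictures\Images\Logo1.jpg",
              r"C:\UserData\Pictures\Images\Old\Logo1.jpg"):
        print(p, "->", classify(p))
```

The last sample path shows the effect of recursive="false": a Logo*.jpg file one level below C:\UserData\Pictures\Images is not covered by rule 3 and stays unprotected.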

Rule Macros

The supported macros for the directory path are the following:

  • %systemvolume% – the system drive letter followed by a “:” (e.g. c:)
  • %anyvolume% – expands to multiple rules, one per drive letter (e.g. c:, d:, e:)
  • %systemtemp% – the Windows system temp directory (usually: c:\windows\temp)
  • %windows% – the Windows directory (usually: c:\windows)
  • %documentsandsettings% – expands to one rule, the path that contains the user profiles (usually: c:\documents and settings)
  • %anyuserprofile% – expands to multiple rules, one per user profile, including local user profiles and domain user profiles (for example, in XP it will expand into the following directories: C:\Documents and settings\myuser, …; in Win7 it will be C:\Users\myuser, …). This doesn’t include “All Users” or “Default User” but does include “LocalService” and “NetworkService”.
  • %anyuserlocalappdata% – expands to multiple rules, one per user profile (as in %anyuserprofile%), for the local application data directory of that user. The local application data directory is calculated by appending the local application data suffix (e.g. AppData\Local) to the user profile directory.
  • %anyuserroamingappdata% – expands to multiple rules, one per user profile (as in %anyuserprofile%), for the roaming application data directory of that user. The roaming application data directory is calculated by appending the roaming application data suffix (AppData\Roaming in Win7 and Application Data in XP) to the user profile directory.
  • %anyusertempinternetfiles% – expands to multiple rules, one per user profile (as in %anyuserprofile%), for the temporary internet files directory of that user. The temporary internet files directory is calculated by appending the temporary internet files suffix (e.g. Local Settings\Temporary Internet Files) to the user profile directory.
  • %anyusertemp% – expands to multiple rules, one per user profile (as in %anyuserprofile%), for the temp directory of that user. The temp directory is calculated by appending the temp suffix (e.g. Local Settings\Temp) to the user profile directory.
  • %domainuserprofile% – same as above, but for domain users only.
  • %localuserprofile% – same as above, but for local users only.
  • %programdata% – the “All Users\Application Data” directory in WinXP and the “ProgramData” directory in Win7
  • %defaultuserprofile% – the special “Default User” directory
  • %localserviceprofile% – the special “Local Service” directory
  • %programfiles% – the Program Files directory (including support for localized Windows versions) and also the Program Files (x86) in 64-bit.
  • %builtinuserprofile% – expands to multiple rules, one per built-in user profile (not including local or domain users), e.g. “NetworkService”, “LocalService”. In XP, this also includes “All Users”.
  • %desktop% – The desktop directory for any user on the machine
  • %favorites% – The Internet Explorer Favorites directory for any user on the machine
  • %videos% – The Videos directory/directories (in case of a Windows 7 Libraries) for any user on the machine
  • %pictures% – The Pictures directory/directories (in case of a Windows 7 Libraries) for any user on the machine
  • %documents% – The Documents directory/directories (in case of a Windows 7 Libraries) for any user on the machine
  • %music% – The Music directory/directories (in case of a Windows 7 Libraries) for any user on the machine
  • %anyshellpaths% – a combination of all the paths described above (from desktop to music)


The terms used in a Mirage deployment are:
  • CVD: Centralized Virtual Desktop
  • Reference CVD: CVD used as “gold image” for Base Layer creation
  • Base Layers: Logical Endpoint configurations with native installed software

Base Layer captures include by default:
  • Contents of the C:\ drive (with some exceptions)
  • All major registry settings

Base Layer captures do NOT include:
  • Machine identity
  • User profiles

  • Application Layers: One or more applications that can be deployed to Endpoints
  • Driver Profile: Drivers required by a specific brand/model of Endpoint

Disable Mirage shell extension in Explorer

After you install the Mirage agent on a device, the installation extends the Windows Explorer shell. With that extension the user is able to restore preserved data via the context menu on their device.

In some cases you might want to disable these shell extensions. To do so, delete the registry entries below:

Software\Classes\*\ShellEx\ContextMenuHandlers\Wanova Mirage Shell Extension

Software\Classes\Directory\Background\shellex\ContextMenuHandlers\Wanova Mirage Shell Extension

Software\Classes\Folder\shellex\ContextMenuHandlers\Wanova Mirage Shell Extension

Mirage and Symantec Endpoint

Assuming that the environment is centrally managed and you have SEP installed on the XP clients, you will have to apply the settings below too.

When SEP is installed on WinXP, you will face the issue that SEP blocks Mirage from moving the folder C:\Documents and Settings into C:\Windows.Old\Documents and Settings

The main reason for that is that SEP tries to protect several of its files under C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection

This issue can be solved with configuration below:

  • Exclude Mirage in SEP.

From Symantec Endpoint Protection Manager:

  1. Select Policies.
  2. Under Policies, click on Exceptions.
  3. Under Exceptions Policies, right click on the relevant policy and select Edit…
  4. Under Exceptions, click on Add -> Windows Exceptions -> Tamper Protection Exception
  5. Under File enter the full path of Mirage service, which is probably “C:\Program Files\Wanova\Mirage
    Note: DO NOT USE [PROGRAM FILES] MACRO (i.e. just keep the Prefix variable [NONE] ).


  • Another option (less secure) is to set the “Tamper Protection” actions to “Log Only”:

From Symantec Endpoint Protection Manager:

  1. Set the “Tamper Protection” actions to “Log Only”:
  2. Select Clients.
  3. Under Clients, select the Root Group.
  4. Go to Policies tab, and click on General Settings
  5. Go to Tamper Protection tab.
  6. Choose Log the event only.

These settings are also available on the local client if un-managed.

In some rare cases even the configuration above is not enough to make the migration succeed. Most of the time the initial Windows 7 migration completes successfully but the profile is not migrated.

In that case you can add entries to the Mirage CVD policy to stop services shortly before the pivot state so that the user profile is migrated too.