Administration
Table Of Contents
- Horizon 7 Administration
- Contents
- Horizon 7 Administration
- Using Horizon Administrator
- Configuring Horizon Connection Server
- Configuring vCenter Server and View Composer
- Create a User Account for View Composer AD Operations
- Add vCenter Server Instances to Horizon 7
- Configure View Composer Settings
- Configure View Composer Domains
- Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines
- Configure View Storage Accelerator for vCenter Server
- Concurrent Operations Limits for vCenter Server and View Composer
- Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms
- Accept the Thumbprint of a Default TLS Certificate
- Remove a vCenter Server Instance from Horizon 7
- Remove View Composer from Horizon 7
- Conflicting vCenter Server Unique IDs
- Backing Up Horizon Connection Server
- Configuring Settings for Client Sessions
- Set Options for Client Sessions and Connections
- Change the Data Recovery Password
- Global Settings for Client Sessions
- Global Security Settings for Client Sessions and Connections
- Message Security Mode for Horizon 7 Components
- Configure the Secure Tunnel and PCoIP Secure Gateway
- Configure the Blast Secure Gateway
- Off-load TLS Connections to Intermediate Servers
- Configure the Gateway Location for a Horizon Connection Server or Security Server Host
- Disable or Enable Horizon Connection Server
- Edit the External URLs
- Join or Withdraw from the Customer Experience Program
- View LDAP Directory
- Configuring vCenter Server and View Composer
- Setting Up Smart Card Authentication
- Logging In with a Smart Card
- Configure Smart Card Authentication on Horizon Connection Server
- Configure Smart Card Authentication on Third-Party Solutions
- Prepare Active Directory for Smart Card Authentication
- Verify Your Smart Card Authentication Configuration
- Using Smart Card Certificate Revocation Checking
- Setting Up Other Types of User Authentication
- Using Two-Factor Authentication
- Using SAML Authentication
- Using SAML Authentication for VMware Identity Manager Integration
- Configure a SAML Authenticator in Horizon Administrator
- Configure Proxy Support for VMware Identity Manager
- Change the Expiration Period for Service Provider Metadata on Connection Server
- Generate SAML Metadata So That Connection Server Can Be Used as a Service Provider
- Response Time Considerations for Multiple Dynamic SAML Authenticators
- Configure Workspace ONE Access Policies in Horizon Administrator
- Configure Biometric Authentication
- Authenticating Users Without Requiring Credentials
- Providing Unauthenticated Access for Published Applications
- Create Users for Unauthenticated Access
- Enable Unauthenticated Access for Users
- Entitle Unauthenticated Access Users to Published Applications
- Search Unauthenticated Access Sessions
- Delete an Unauthenticated Access User
- Unauthenticated Access From Horizon Client
- Configure Login Deceleration for Unauthenticated Access to Published Applications
- Configure Users for Hybrid Logon
- Using the Log In as Current User Feature Available with Windows-Based Horizon Client
- Saving Credentials in Mobile and Mac Horizon Clients
- Setting Up True SSO
- Determining an Architecture for True SSO
- Set Up an Enterprise Certificate Authority
- Create Certificate Templates Used with True SSO
- Install and Set Up an Enrollment Server
- Export the Enrollment Service Client Certificate
- Import the Enrollment Service Client Certificate on the Enrollment Server
- Configure SAML Authentication to Work with True SSO
- Configure Horizon Connection Server for True SSO
- Command-line Reference for Configuring True SSO
- Advanced Configuration Settings for True SSO
- Identify an AD User That Does not Have an AD UPN
- Unlock a Desktop With True SSO and Workspace ONE
- Using the System Health Dashboard to Troubleshoot Issues Related to True SSO
- Providing Unauthenticated Access for Published Applications
- Configuring Role-Based Delegated Administration
- Understanding Roles and Privileges
- Using Access Groups to Delegate Administration of Pools and Farms
- Understanding Permissions
- Manage Administrators
- Manage and Review Permissions
- Manage and Review Access Groups
- Manage Custom Roles
- Predefined Roles and Privileges
- Required Privileges for Common Tasks
- Best Practices for Administrator Users and Groups
- Configuring Policies in Horizon Administrator and Active Directory
- Maintaining Horizon 7 Components
- Backing Up and Restoring Horizon 7 Configuration Data
- Monitor Horizon 7 Components
- Monitor Machine Status
- Understanding Horizon 7 Services
- Change the Product License Key
- Monitoring Product License Usage
- Update General User Information from Active Directory
- Migrate View Composer to Another Machine
- Update the Certificates on a Connection Server Instance, Security Server, or View Composer
- Join the Customer Experience Improvement Program
- Managing ThinApp Applications in Horizon Administrator
- Horizon 7 Requirements for ThinApp Applications
- Capturing and Storing Application Packages
- Assigning ThinApp Applications to Machines and Desktop Pools
- Best Practices for Assigning ThinApp Applications
- Assign a ThinApp Application to Multiple Machines
- Assign Multiple ThinApp Applications to a Machine
- Assign a ThinApp Application to Multiple Desktop Pools
- Assign Multiple ThinApp Applications to a Desktop Pool
- Assign a ThinApp Template to a Machine or Desktop Pool
- Review ThinApp Application Assignments
- Display MSI Package Information
- Maintaining ThinApp Applications in Horizon Administrator
- Remove a ThinApp Application Assignment from Multiple Machines
- Remove Multiple ThinApp Application Assignments from a Machine
- Remove a ThinApp Application Assignment from Multiple Desktop Pools
- Remove Multiple ThinApp Application Assignments from a Desktop Pool
- Remove a ThinApp Application from Horizon Administrator
- Modify or Delete a ThinApp Template
- Remove an Application Repository
- Monitoring and Troubleshooting ThinApp Applications in Horizon Administrator
- ThinApp Configuration Example
- Setting Up Clients in Kiosk Mode
- Configure Clients in Kiosk Mode
- Prepare Active Directory and Horizon 7 for Clients in Kiosk Mode
- Set Default Values for Clients in Kiosk Mode
- Display the MAC Addresses of Client Devices
- Add Accounts for Clients in Kiosk Mode
- Enable Authentication of Clients in Kiosk Mode
- Verify the Configuration of Clients in Kiosk Mode
- Connect to Remote Desktops from Clients in Kiosk Mode
- Configure Clients in Kiosk Mode
- Troubleshooting Horizon 7
- Using Horizon Help Desk Tool
- Verify Horizon Help Desk Tool License
- Configure Role-Based Access for Horizon Help Desk Tool
- Log In to Horizon Help Desk Tool
- Troubleshooting Users in Horizon Help Desk Tool
- Session Details for Horizon Help Desk Tool
- Session Processes for Horizon Help Desk Tool
- Application Status for Horizon Help Desk Tool
- Troubleshoot Desktop or Application Sessions in Horizon Help Desk Tool
- Using the VMware Logon Monitor
- Using VMware Horizon Performance Tracker
- Monitoring System Health
- Configuring Load Balancers for Horizon Connection Server Health Monitoring
- Monitor Events in Horizon 7
- Collecting Diagnostic Information for Horizon 7
- Create a Data Collection Tool Bundle for Horizon Agent
- Save Diagnostic Information for Horizon Client for Windows
- Collect Diagnostic Information for View Composer Using the Support Script
- Collect Diagnostic Information for Horizon Connection Server
- Collect Diagnostic Information for Horizon Agent, Horizon Client, or Horizon Connection Server from the Console
- Horizon Connection Server Integration with Skyline Collector Appliance
- Update Support Requests
- Troubleshooting an Unsuccessful Security Server Pairing with Horizon Connection Server
- Troubleshooting Horizon 7 Server Certificate Revocation Checking
- Troubleshooting Smart Card Certificate Revocation Checking
- Further Troubleshooting Information
- Using Horizon Help Desk Tool
- Using the vdmadmin Command
- vdmadmin Command Usage
- Configuring Logging in Horizon Agent Using the -A Option
- Overriding IP Addresses Using the -A Option
- Updating Foreign Security Principals Using the ‑F Option
- Listing and Displaying Health Monitors Using the ‑H Option
- Listing and Displaying Reports of Horizon 7 Operation Using the ‑I Option
- Generating Horizon 7 Event Log Messages in Syslog Format Using the ‑I Option
- Assigning Dedicated Machines Using the ‑L Option
- Displaying Information About Machines Using the -M Option
- Reclaiming Disk Space on Virtual Machines Using the ‑M Option
- Configuring Domain Filters Using the ‑N Option
- Configuring Domain Filters
- Displaying the Machines and Policies of Unentitled Users Using the ‑O and ‑P Options
- Configuring Clients in Kiosk Mode Using the ‑Q Option
- Displaying the First User of a Machine Using the -R Option
- Removing the Entry for a Connection Server Instance or Security Server Using the ‑S Option
- Providing Secondary Credentials for Administrators Using the ‑T Option
- Displaying Information About Users Using the ‑U Option
- Unlocking or Locking Virtual Machines Using the ‑V Option
- Detecting and Resolving LDAP Entry and Schema Collisions Using the -X Option
Setting up VMware Identity Manager and Horizon 7 integration involves configuring VMware
Identity Manager with Horizon 7 information and configuring Horizon 7 to delegate responsibility
for authentication to VMware Identity Manager.
To delegate responsibility for authentication to VMware Identity Manager, you must create a
SAML authenticator in Horizon 7. A SAML authenticator contains the trust and metadata exchange
between Horizon 7 and VMware Identity Manager. You associate a SAML authenticator with a
Connection Server instance.
Note If you intend to provide access to your desktops and applications through VMware
Identity Manager, verify that you create the desktop and application pools as a user who has
the Administrators role on the root access group in Horizon Administrator. If you give the user
the Administrators role on an access group other than the root access group, VMware Identity
Manager will not recognize the SAML authenticator you configure in Horizon 7, and you cannot
configure the pool in VMware Identity Manager.
Configure a SAML Authenticator in Horizon Administrator
To launch remote desktops and applications from VMware Identity Manager or to connect to
remote desktops and applications through a third-party load balancer or gateway, you must
create a SAML authenticator in Horizon Administrator. A SAML authenticator contains the trust
and metadata exchange between Horizon 7 and the device to which clients connect.
You associate a SAML authenticator with a Connection Server instance. If your deployment
includes more than one Connection Server instance, you must associate the SAML authenticator
with each instance.
You can allow one static authenticator and multiple dynamic authenticators to go live at a time.
You can configure vIDM (Dynamic) and Unified Access Gateway (Static) authenticators and retain
them in active state. You can make connections through either of these authenticators.
You can configure more than one SAML authenticator to a Connection Server and all the
authenticators can be active simultaneously. However, the entity-ID of each of these SAML
authenticators configured on the Connection Server must be different.
The status of the SAML authenticator in dashboard is always green as it is predefined metadata
that is static in nature. The red and green toggling is only applicable for dynamic authenticators.
For information about configuring a SAML authenticator for VMware Unified Access Gateway
appliances, see
Deploying and Configuring Unified Access Gateway
.
Prerequisites
n Verify that Workspace ONE, VMware Identity Manager, or a third-party gateway or load
balancer is installed and configured. See the installation documentation for that product.
n Verify that the root certificate for the signing CA for the SAML server certificate is installed
on the connection server host. VMware does not recommend that you configure SAML
authenticators to use self-signed certificates. For information about certificate authentication,
see the
Horizon 7 Installation
document.
Horizon 7 Administration
VMware, Inc. 76