Configuring Remote Desktop Features in Horizon 7 VMware Horizon 7 7.2 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
Configuring Remote Desktop Features in Horizon 7 You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com 2 VMware, Inc.
Contents 1 Configuring Remote Desktop Features in Horizon 7 5 2 Configuring Remote Desktop Features 7 Configuring Unity Touch 7 Configuring Flash URL Redirection for Multicast or Unicast Streaming 10 Configuring Flash Redirection 14 Configuring Real-Time Audio-Video 20 Configuring Scanner Redirection 33 Configuring Serial Port Redirection 38 Managing Access to Windows Media Multimedia Redirection (MMR) 45 Managing Access to Client Drive Redirection 47 Configure Skype for Business 49 3 Configuring URL Con
Configuring Remote Desktop Features in Horizon 7 Add the ADMX Template Files to Active Directory 100 Horizon Agent Configuration ADMX Template Settings PCoIP Policy Settings 110 VMware Blast Policy Settings 124 Using Remote Desktop Services Group Policies 128 Setting Up Location-Based Printing 163 Active Directory Group Policy Example 168 100 6 Active Directory Group Policy Example 173 Create an OU for Horizon 7 Machines 173 Create GPOs for Horizon 7 Group Policies 174 Add Horizon 7 ADMX Template File t
Configuring Remote Desktop Features in Horizon 7 1 Configuring Remote Desktop Features in Horizon 7 describes how to configure remote desktop features that are installed with Horizon Agent on virtual machine desktops or on an RDS host. You can also configure policies to control the behavior of desktop and application pools, machines, and users. Intended Audience This information is intended for anyone who wants to configure remote desktop features or policies on virtual machine desktops or RDS hosts.
Configuring Remote Desktop Features in Horizon 7 6 VMware, Inc.
Configuring Remote Desktop Features 2 Certain remote desktop features that are installed with Horizon Agent can be updated in Feature Pack Update releases as well as in core Horizon 7 releases. You can configure these features to enhance the remote desktop experience of your end users. These features include HTML Access, Unity Touch, Flash URL Redirection, Real-Time Audio-Video, Windows Media Multimedia Redirection (MMR), USB Redirection, Scanner Redirection, and Serial Port Redirection.
Configuring Remote Desktop Features in Horizon 7 System Requirements for Unity Touch Horizon Client software and the mobile devices on which you install Horizon Client must meet certain version requirements to support Unity Touch. Horizon 7 desktop Horizon Client software Mobile device operating systems To support Unity Touch, the following software must be installed in the virtual machine that the end user will access: n You install the Unity Touch feature by installing View Agent 6.0 or later.
Chapter 2 Configuring Remote Desktop Features n Create an administrative installation package from the Horizon Agent installer and distribute the package to the virtual machines n Run the Horizon Agent installer from the command line on the virtual machines Note Unity Touch assumes that shortcuts to applications are located in the Programs folder in the Start menu. If any shortcut is located outside of the Programs folder, attach the prefix Programs to the shortcut path. For example, Windows Update.
Configuring Remote Desktop Features in Horizon 7 n (Optional) Create a default list of favorite applications by creating an administrative installation package from the Horizon Agent installer. a From the command line, use the following format to create the administrative installation package. VMware-viewagent-x86_64-y.y.y-xxxxxx.
Chapter 2 Configuring Remote Desktop Features The Flash URL redirection feature uses a JavaScript that is embedded inside an HTML Web page by the Web page administrator. Whenever a remote desktop user clicks on the designated URL link from within a Web page, the JavaScript intercepts and redirects the SWF file from the remote desktop session to the client endpoint. The endpoint then opens a local Flash Projector outside of the remote desktop session and plays the media stream locally.
Configuring Remote Desktop Features in Horizon 7 Horizon Client software The following Horizon Client releases support multicast and unicast: n Horizon Client 2.2 for Linux or a later release n Horizon Client 2.2 for Windows or a later release The following Horizon Client releases support multicast only (they do not support unicast): Horizon Client computer or client access device n Horizon Client 2.0 or 2.1 for Linux n Horizon Client 5.
Chapter 2 Configuring Remote Desktop Features Set Up the Web Pages That Provide Multicast or Unicast Streams To allow Flash URL redirection to take place, you must embed a JavaScript command in the MIME HTML (MHTML) Web pages that provide links to the multicast or unicast streams. Users display these Web pages in the browsers on their remote desktops to access the video streams.
Configuring Remote Desktop Features in Horizon 7 Procedure u Install Adobe Flash Player on your client devices. Operating System Action Windows Install Adobe Flash Player 10.1 or later for Internet Explorer. Linux a Install the libexpat.so.0 file, or verify that this file is already installed. Ensure that the file is installed in the /usr/lib or /usr/local/lib directory. b Install the libflashplayer.so file, or verify that this file is already installed.
Chapter 2 Configuring Remote Desktop Features Table 2‑1. Comparison of the Flash Redirection Feature and Flash URL Redirection Item of Differentiation Flash Redirection Flash URL Redirection Support level A Tech Preview feature in Horizon 7.0 with no technical support. Fully supported in Horizon 7.0.1. Fully supported Horizon Client types that support this feature Windows client only Windows client and Linux client Display protocol In Horizon 7.0, PCoIP only. In Horizon 7.0.
Configuring Remote Desktop Features in Horizon 7 System Requirements for Flash Redirection With Flash Redirection, if you use Internet Explorer 9, 10, or 11, Flash content is sent to the client system. The client system plays the media content, which reduces the load on the ESXi host. Remote desktop n Horizon Agent 7.0 or later must be installed in a single-user (VDI) remote desktop, with the Flash Redirection option. The Flash Redirection option is not selected by default.
Chapter 2 Configuring Remote Desktop Features n Verify that the Horizon Agent Configuration ADMX template file vdm_agent.admx file has been added to the OU for the remote desktop. n Compile a list of the Web sites that can or cannot redirect Flash content. Compile a white list to ensure that only the URLs specified in the list will be able to redirect Flash content. Compile a black list to ensure that the URLs specified in the list will not be able to redirect Flash content.
Configuring Remote Desktop Features in Horizon 7 5 In the Group Policy Management Editor, edit the Flash Redirection policy settings under User Configuration. The settings are located in the User Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware Horizon Agent Configuration > VMware FlashMMR folder. a (Horizon 7.0.
Chapter 2 Configuring Remote Desktop Features Prerequisites n Compile a white list of Web sites to ensure that only the URLs specified in the list will be able to redirect Flash content. Although you can compile a black list of Web sites, you cannot use the Windows registry settings to enable the black list. A black list ensures that only the URLs specified in the list will not be able to redirect Flash content. To enable a black list, you must use the GPO settings for Flash Redirection.
Configuring Remote Desktop Features in Horizon 7 In Horizon 7.0 only, the sites are also added to Internet Explorer's list of trusted sites. You can verify the trusted sites by selecting Tools > Internet Options from the Internet Explorer menu bar, and on the Security tab, click the Sites button. Configuring Real-Time Audio-Video Real-Time Audio-Video allows Horizon 7 users to run Skype, Webex, Google Hangouts, and other online conferencing applications on their remote desktops.
Chapter 2 Configuring Remote Desktop Features System Requirements for Real-Time Audio-Video Real-Time Audio-Video works with standard webcam, USB audio, and analog audio devices, and with standard conferencing applications like Skype, WebEx, and Google Hangouts. To support Real-Time AudioVideo, your Horizon deployment must meet certain software and hardware requirements. Remote desktops You install the Real-Time Audio-Video feature by installing View Agent 6.0 or later, or Horizon Agent 7.0 or later.
Configuring Remote Desktop Features in Horizon 7 Ensuring That Real-Time Audio-Video Is Used Instead of USB Redirection Real-Time Audio-Video supports webcam and audio input redirection for use in conferencing applications. The USB redirection feature that can be installed with Horizon Agent does not support webcam redirection.
Chapter 2 Configuring Remote Desktop Features With the Real-Time Audio-Video feature, video devices, audio input devices, and audio output devices work without requiring the use of USB redirection, and the amount of network bandwidth required is greatly reduced. Analog audio input devices are also supported. Note If you are using a USB webcam or microphone, do not connect it from the Connect USB Device menu in Horizon Client.
Configuring Remote Desktop Features in Horizon 7 Prerequisites n Verify that you have a USB microphone or another type of microphone installed and operational on your client system. n Verify that you are using the VMware Blast display protocol or the PCoIP display protocol for your remote desktop. Procedure 1 On your client system, select Apple menu > System Preferences and click Sound. 2 Open the Input pane of Sound preferences. 3 Select the microphone that you prefer to use.
Chapter 2 Configuring Remote Desktop Features Table 2‑2. Command Syntax for Real-Time Audio-Video Configuration (Continued) Command Description defaults read com.vmware.rtav Displays Real-Time Audio-Video configuration settings. defaults delete com.vmware.rtav setting Deletes a Real-Time Audio-Video configuration setting, for example: defaults delete com.vmware.rtav srcWCamFrameWidth Note You can adjust frame rates from 1 fps up to a maximum of 25 fps and resolution up to a maximum of 1920x1080.
Configuring Remote Desktop Features in Horizon 7 2 Find log entries for the webcam or microphone in the Real-Time Audio-Video log file. a In a text editor, open the Real-Time Audio-Video log file. The Real-Time Audio-Video log file is named ~/Library/Logs/VMware/vmware-RTAV-pid.log, where pid is the process ID of the current session. b Search the Real-Time Audio-Video log file for entries that identify the attached webcams or microphones.
Chapter 2 Configuring Remote Desktop Features The next time you connect to a remote desktop and start a new call, the desktop uses the preferred webcam or microphone that you configured, if it is available. If the preferred webcam or microphone is not available, the remote desktop can use another available webcam or microphone. Select a Default Microphone on a Linux Client System If you have multiple microphones on your client system, only one of them is used on your Horizon 7 desktop.
Configuring Remote Desktop Features in Horizon 7 Prerequisites Depending on whether you are configuring a preferred webcam, preferred microphone, or both, perform the appropriate prerequisite tasks: n Verify that you have a USB webcam installed and operational on your client system. n Verify that you have a USB microphone or another type of microphone installed and operational on your client system.
Chapter 2 Configuring Remote Desktop Features 2 Find log entries for the webcam or microphone. a Open the debug log file with a text editor. The log file with real-time audio-video log messages is located at /tmp/vmware-/vmwareRTAV-.log. The client log is located at /tmp/vmware-/vmware-view-.log. b Search the log file to find the log file entries that reference the attached webcams and microphones.
Configuring Remote Desktop Features in Horizon 7 3 Copy the description of the device and use it to set the appropriate property in the /etc/vmware/config file. ® ® For a webcam example, copy Microsoft LifeCam HD-6000 for Notebooks and Microsoft LifeCam HD-6000 for Notebooks#/sys/devices/pci0000:00/0000:00:1a.7/usb1/1-3/1-3.6 to specify the Microsoft webcam as the preferred webcam and set the properties as follows: ® rtav.srcWCamName = “Microsoft LifeCam HD-6000 for Notebooks” ® rtav.
Chapter 2 Configuring Remote Desktop Features n Familiarize yourself with RTAV group policy settings. See “Real-Time Audio-Video Group Policy Settings,” on page 31. Procedure 1 Download the Horizon 7 GPO Bundle .zip file from the VMware download site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes the GPO Bundle. The file is named VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip, where x.x.
Configuring Remote Desktop Features in Horizon 7 Group Policy Setting Description Disable RTAV When you enable this setting, the Real-Time Audio-Video feature is disabled. When this setting is not configured or disabled, Real-Time Audio-Video is enabled. This setting is in the VMware View Agent Configuration > View RTAV Configuration folder in the Group Policy Management Editor. Max frames per second Determines the maximum rate per second at which the webcam can capture frames.
Chapter 2 Configuring Remote Desktop Features Real-Time Audio-Video Bandwidth Real-Time Audio-Video bandwidth varies according to the webcam's image resolution and frame rate, and the image and audio data being captured. The sample tests shown in Table 2-3 measure the bandwidth that Real-Time Audio-Video uses in a View environment with standard webcam and audio input devices. The tests measure the bandwidth to send both video and audio data from Horizon Client to Horizon Agent.
Configuring Remote Desktop Features in Horizon 7 The following guest operating systems are supported on single-user virtual machines and, where noted, on RDS hosts: n 32-bit or 64-bit Windows 7 n 32-bit or 64-bit Windows 8.
Chapter 2 Configuring Remote Desktop Features n If more than one locally connected scanner is configured, you can select a different scanner than the one that is selected by default. n WIA scanners are displayed in the remote desktop's Device Manager menu, under Imaging devices. The WIA scanner is named VMware Virtual WIA Scanner.
Configuring Remote Desktop Features in Horizon 7 n Verify that Active Directory GPOs are created for the scanner redirection group policy settings. The GPOs must be linked to the OU that contains your desktops and RDS hosts. See “Active Directory Group Policy Example,” on page 168. n Verify that the MMC and the Group Policy Object Editor snap-in are available on your Active Directory server. n Familiarize yourself with scanner redirection group policy settings.
Chapter 2 Configuring Remote Desktop Features Group Policy Setting Computer User Description Disable functionality X Disables the scanner redirection feature. When you enable this setting, scanners cannot be redirected and do not appear in the scanner menu on users' desktops and applications. When you disable this setting or do not configure it, scanner redirection works and scanners appear in the scanner menu.
Configuring Remote Desktop Features in Horizon 7 Group Policy Setting Default Scanner Computer User Description X X Provides centralized management of scanner autoselection. You select scanner autoselection options separately for TWAIN and WIA scanners. You can choose from the following autoselection options: n None. Do not select scanners automatically. n Autoselect Automatically select the locally connected scanner. n Last used Automatically select the last-used scanner.
Chapter 2 Configuring Remote Desktop Features System Requirements for Serial Port Redirection With this feature, users can redirect locally connected, serial (COM) ports, such as built-in RS232 ports or USB to Serial adapters, to their remote desktops. To support serial port redirection, your Horizon deployment must meet certain software and hardware requirements. Remote desktops The remote desktops must have View Agent 6.1.1 or later, or Horizon Agent 7.
Configuring Remote Desktop Features in Horizon 7 n When you click the serial port icon, the Serial COM Redirection for VMware Horizon menu appears. n By default, the locally connected COM ports are mapped to corresponding COM ports on the remote desktop. For example: COM1 mapped to COM3. The mapped ports are not connected by default.
Chapter 2 Configuring Remote Desktop Features Set the PortSettings policy setting to map client ports to redirected ports. Select the Autoconnect item in PortSettings to ensure that the redirected ports are connected at the start of each desktop session. Enable the Lock Configuration policy setting to prevent users from changing the port mappings or customizing the port configurations.
Configuring Remote Desktop Features in Horizon 7 The file is named VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip, where x.x.x is the version and yyyyyyy is the build number. All ADMX files that provide group policy settings for Horizon 7 are available in this file. 2 3 Unzip the VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip file and copy the ADMX files to your Active Directory or RDS host. a Copy the vdm_agent_serialport.admx file and the en-US folder to the C:\Windows\PolicyDefinitions folder on your
Chapter 2 Configuring Remote Desktop Features Group Policy Setting Computer User Description PortSettings1 PortSettings2 PortSettings3 PortSettings4 PortSettings5 X X The port settings determine the mapping between the COM port on the client system and the redirected COM port on the remote desktop and determines other settings that affect the redirected COM port. You configure each redirected COM port individually.
Configuring Remote Desktop Features in Horizon 7 Group Policy Setting Computer User Description When this setting is disabled or not configured, group policy settings take precedence over the settings that are configured on the remote desktop. This setting is in the VMware View Agent Configuration > Serial COM folder in the Group Policy Management Editor. Disable functionality X Lock configuration X Bandwidth limit X Disables the serial port redirection feature.
Chapter 2 Configuring Remote Desktop Features n Verify that the Serial Port Redirection ADMX template file is added in Active Directory or on the desktop virtual machine. n Familiarize yourself with the Serial2USBModeChangeEnabled item in the PortSettings group policy setting. See “Serial Port Redirection Group Policy Settings,” on page 42. Procedure 1 In Active Directory or on the virtual machine, open the Group Policy Object Editor.
Configuring Remote Desktop Features in Horizon 7 System Requirements for Windows Media MMR To support Windows Media Multimedia Redirection (MMR), your Horizon 7 deployment must meet certain software and hardware requirements. Windows Media MMR is provided in Horizon 6.0.2 and later releases. View remote desktop n This feature is supported on virtual machine desktops that are deployed on single-user virtual machines and on RDS desktops. View Agent 6.1.
Chapter 2 Configuring Remote Desktop Features Horizon policies In Horizon Administrator, set the Multimedia redirection (MMR) policy to Allow. The default value is Deny. Back-end firewall If your Horizon 7 deployment includes a back-end firewall between your DMZ-based security servers and your internal network, verify that the backend firewall allows traffic to port 9427 on your desktops.
Configuring Remote Desktop Features in Horizon 7 With earlier client or agent releases, client drive redirection folders and files are sent across the network without encryption and might contain sensitive data, depending on the content being redirected. If the secure tunnel is enabled, client drive redirection connections between Horizon Client and the View Secure Gateway are secure, but connections from the View Secure Gateway to desktop machines are not encrypted.
Chapter 2 Configuring Remote Desktop Features Disabling Client Drive Redirection To disable client drive redirection, create a new string value named disabled and set its value to true. HKLM\Software\VMware, Inc.\VMware TSDR\disabled=true The value is false (enabled) by default.
Configuring Remote Desktop Features in Horizon 7 To use Skype for Business, you must install the Virtualization Pack for Skype for Business feature on the client machine during Horizon Client for Windows installation. See the Using Vmware Horizon Client for Windows document. A Horizon administrator must install the Virtualization Pack for the Skype for Business feature on the virtual desktop during Horizon Agent installation.
Chapter 2 Configuring Remote Desktop Features Skype for Business Limitations Skype for Business has the following limitations: n You cannot make E.911 calls. n IPv6 is not supported. n You cannot customize ringtones. n Response group call, call park, call pickup from park, call via work are not supported. n Whiteboarding, gallery view, panoramic webcams, and screen sharing are not currently supported. n You cannot record calls.
Configuring Remote Desktop Features in Horizon 7 52 VMware, Inc.
Configuring URL Content Redirection 3 With the URL Content Redirection feature, you can configure specific URLs to open on the client machine or in a remote desktop or application. You can redirect URLs that users type in the Internet Explorer address bar or in an application.
Configuring Remote Desktop Features in Horizon 7 Requirements for URL Content Redirection To use the URL Content Redirection feature, your client machines, remote desktop machines, and RDS hosts must meet certain requirements. Windows clients Horizon Client 4.0 for Windows or later. To use client-to-agent redirection, you must enable the URL Content Redirection feature during Horizon Client for Windows installation.
Chapter 3 Configuring URL Content Redirection Follow the prompts and complete the installation. To verify that the URL Content Redirection feature is installed, make sure that the vmware-url-protocollaunch-helper.exe and vmware-url-filtering-plugin.dll files are in the %PROGRAMFILES%\VMware\VMware View\Agent\bin\UrlRedirection directory. Also, verify that the VMware Horizon View URL Filtering Plugin Internet Explorer add-on is enabled.
Configuring Remote Desktop Features in Horizon 7 2 Unzip the VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip file and copy the URL Content Redirection ADMX file to your Active Directory server. a Copy the urlRedirection-enUS.admx file to the C:\Windows\PolicyDefinitions folder. b Copy the urlRedirection.adml language resource file to the appropriate subfolder in the C:\Windows\PolicyDefinitions directory. For example, for the EN locale, copy the urlRedirection-enUS.adml file to the C:\Windows\PolicyDefi
Chapter 3 Configuring URL Content Redirection Table 3‑1. URL Content Redirection Group Policy Settings (Continued) Setting Properties Url Redirection Protocol 'http' For all URLs that use the HTTP protocol, specifies the URLs that should be redirected. This setting has the following options: n brokerHostname - IP address or fully qualified name of the Connection Server host to use when redirecting URLs to a remote desktop or application.
Configuring Remote Desktop Features in Horizon 7 Entry Description .* Specifies that all URLs are redirected. If you use this setting for agent rules (agentRules option), all URLs are opened in the specified remote desktop or application. If you use this setting for client rules (clientRules option), all URLs are redirected to the client. .*.acme.com;.*.example.com Specifies that all URLs that include the text .acme.com or example.com are redirected.
Chapter 3 Configuring URL Content Redirection n (Windows clients only) Enable the URL Content Redirection feature in Horizon Client for Windows. See “Installing Horizon Client for Windows with the URL Content Redirection Feature,” on page 59. n Use the vdmutil command-line utility to create a URL content redirection setting that indicates, for each protocol, how Horizon Client should redirect the URLs.
Configuring Remote Desktop Features in Horizon 7 The vdmutil command includes options to specify the user name, domain, and password to use for authentication. You must use these authentication options with all vdmutil command options except for --help and --verbose. Table 3‑2. vdmutil Command Authentication Options Option Description --authAs User name of a Horizon administrator user to authenticate to the Connection Server instance. Do not use domain\username or user principal name (UPN) format.
Chapter 3 Configuring URL Content Redirection Create a Local URL Content Redirection Setting You can create a local URL content redirection setting that redirects specific URLs to open on a remote desktop or application. A local URL content redirection setting is visible only in the local pod. You can configure any number of protocols, including HTTP, HTTPS, mailto, and callto. As a best practice, configure the same redirection settings for the HTTP and HTTPS protocols.
Configuring Remote Desktop Features in Horizon 7 3 (Optional) Run the vdmutil command with the --updateURLSetting option to add more protocols, URLs, and local resources to the URL content redirection setting that you created.
Chapter 3 Configuring URL Content Redirection Prerequisites Become familiar with vdmutil command-line interface options and requirements and verify that you have sufficient privileges to run the the vdmutil command. See “Using the vdmutil Command-Line Utility,” on page 59. Procedure 1 Log in to any Connection Server instance in the pod federation. 2 Run the vdmutil command with the --createURLSetting option to create the URL content redirection setting.
Configuring Remote Desktop Features in Horizon 7 The following example updates the Operations-Setting setting to also redirect all URLs that contain the text https://google.* to the global application entitlement called GAE1. vdmutil --updateURLSetting --urlSettingName Operations-Setting --urlRedirectionScope GLOBAL --urlScheme https --entitledApplication GAE1 --agentURLPattern "https://google.
Chapter 3 Configuring URL Content Redirection The following example assigns the URL content redirection setting called url-filtering to the group called mydomain\usergroup. vdmutil --addGoupURLSetting --authAs johndoe --authDomain mydomain --authPassword secret --urlSettingName url-filtering --groupName mydomain\usergroup What to do next Verify your URL content redirection settings. See “Test a URL Content Redirection Setting,” on page 65.
Configuring Remote Desktop Features in Horizon 7 4 On the same Windows client machine, open the registry editor (regedit) and check the registry keys in the path \Computer\HKEY_CURRENT_USER\Software\Vmware. Inc.\VMware VDM\URLRedirection\. You should see a key for each protocol specified in the setting. You can click a protocol to see the rules associated with that protocol.
Chapter 3 Configuring URL Content Redirection Using Group Policy Settings to Configure Client-to-Agent Redirection The URL Content Redirection ADMX template file (urlRedirection-enUS.admx) contains group policy settings that you can use to create rules that redirect URLs from the client to a remote desktop or application (client-to-agent redirection). Note The preferred method for configuring client-to-agent redirection is to use the vdmutil command-line interface.
Configuring Remote Desktop Features in Horizon 7 For example, if you have a rule that redirects URLs that contain acme.com, an original URL, such as http://www.acme.com/some-really-long-path, and a shortened URL of the original URL, such as https://goo.gl/xyz, the original URL is redirected, but the shortened URL is not redirected. You can work around this limitation by creating rules to block or redirect URLs from the Web sites most often used for shortening URLs.
Using USB Devices with Remote Desktops and Applications 4 Administrators can configure the ability to use USB devices, such as thumb flash drives, cameras, VoIP (voice-over-IP) devices, and printers, from a remote desktop. This feature is called USB redirection, and it supports using the Blast Extreme, PCoIP, or Microsoft RDP display protocol. A remote desktop can accommodate up to 128 USB devices.
Configuring Remote Desktop Features in Horizon 7 n “Using Log Files for Troubleshooting and to Determine USB Device IDs,” on page 75 n “Using Policies to Control USB Redirection,” on page 76 n “Troubleshooting USB Redirection Problems,” on page 86 Limitations Regarding USB Device Types Although Horizon 7 does not explicitly prevent any devices from working in a remote desktop, due to factors such as network latency and bandwidth, some devices work better than others.
Chapter 4 Using USB Devices with Remote Desktops and Applications Beginning with Horizon 7 version 7.0.2, you can redirect signature pads, dictation foot pedals, and some Wacom tablets to a published desktop or application. These devices are disabled by default in Horizon 7 version 7.0.2. To enable these devices, delete the Windows registry key settings ExcludeAllDevices and IncludeFamily from the following path: HKLM\Software\Policies\VMware, Inc\VMware VDM\Agent\USB.
Configuring Remote Desktop Features in Horizon 7 Network Traffic and USB Redirection USB redirection works independently of the display protocol (RDP or PCoIP) and USB traffic usually uses TCP port 32111. Network traffic between a client system and a remote desktop or application can travel various routes, depending on whether the client system is inside the corporate network and how the administrator has chosen to set up security.
Chapter 4 Using USB Devices with Remote Desktops and Applications Video feature. In some cases, a USB device might not be excluded from redirection by default but might require administrators to explicitly exclude the device from redirection. For example, the following types of USB devices are not good candidates for USB redirection and must not be automatically connected to a remote desktop: n USB Ethernet devices.
Configuring Remote Desktop Features in Horizon 7 n Use Smart Policies to create a policy that disables the USB redirection Horizon Policy setting. With this approach, you can disable USB redirection on a specific remote desktop if certain conditions are met. For example, you can configure a policy that disables USB redirection when users connect to a remote desktop from outside your corporate network.
Chapter 4 Using USB Devices with Remote Desktops and Applications By default, Horizon 7 blocks certain device families from being redirected to the remote desktop or application. For example, HID (human interface devices) and keyboards are blocked from appearing in the guest. Some released BadUSB code targets USB keyboard devices. You can prevent specific device families from being redirected to the remote desktop or application.
Configuring Remote Desktop Features in Horizon 7 Table 4‑2. Log File Locations (Continued) Client or Agent Path to Log Files Mac client /var/root/Library/Logs/VMware/vmware-view-usbd-xxxx.log /Library/Logs/VMware/vmware-usbarbitrator-xxxx.log Linux client (Default location) /tmp/vmware-root/vmware-view-usbd-*.log If a problem with the device occurs after the device is redirected to the remote desktop or application, examine both the client- and agent-side logs.
Chapter 4 Using USB Devices with Remote Desktops and Applications Configuring Device Splitting Policy Settings for Composite USB Devices Composite USB devices consist of a combination of two or more different devices, such as a video input device and a storage device or a microphone and a mouse device.
Configuring Remote Desktop Features in Horizon 7 Manual Device Splitting You can use the Split Vid/Pid Device policy to specify the vendor and product IDs of a composite USB device that you want to split. You can also specify the interfaces of the components of a composite USB device that you want to exclude from redirection. Horizon 7 does not apply any filter policy settings to components that you exclude in this way.
Chapter 4 Using USB Devices with Remote Desktops and Applications n For Horizon Agent, se the Exclude VidPid From Split policy to o:vid-xxx_pid-yyyy, where xxx and yyyy are the appropriate IDs. Allow automatic device splitting for desktops and specify policies for splitting specific devices on client computers: n For Horizon Agent, set the Allow Auto Device Splitting policy to Allow - Override Client Setting.
Configuring Remote Desktop Features in Horizon 7 Interaction of Client-Interpreted USB Settings The following table shows the modifiers that specify how Horizon Client handles a Horizon Agent filter policy setting for a client-interpreted setting. Table 4‑8. Filter Modifiers for Client-Interpreted Settings Modifier Description Default (d in the registry setting) If a Horizon Client filter policy setting does not exist, Horizon Client uses the Horizon Agent filter policy setting.
Chapter 4 Using USB Devices with Remote Desktops and Applications 4 Include Vid/Pid Device 5 Exclude Device Family 6 Include Device Family 7 Allow Audio Input Devices, Allow Audio Output Devices, Allow HIDBootable, Allow HID (Non Bootable and Not Mouse Keyboard), Allow Keyboard and Mouse Devices, Allow Smart Cards, and Allow Video Devices 8 Combined effective Exclude All Devices policy evaluated to exclude or include all USB devices You can set Exclude Path and Include Path filter policy settings
Configuring Remote Desktop Features in Horizon 7 n For all users in a desktop pool, block audio and video devices to ensure that these devices will always be available for the Real-Time Audio-Video feature. Use an agent-side setting:: Exclude Device Family: o:video;audio Note that another strategy would be to exclude specific devices by vendor and product ID.
Chapter 4 Using USB Devices with Remote Desktops and Applications Table 4‑10. USB Device Families (Continued) Device Family Name Description wireless Wireless networking adapters. wusb Wireless USB devices. USB Settings in the Horizon Agent Configuration ADMX Template You can define USB policy settings for both Horizon Agent and Horizon Client.
Configuring Remote Desktop Features in Horizon 7 Table 4‑11. Horizon Agent Configuration Template: Device-Splitting Settings Setting Allow Auto Device Splitting Property: AllowAutoDeviceSplitting Exclude Vid/Pid Device from Split Property: SplitExcludeVidPid Properties Allows the automatic splitting of composite USB devices. The default value is undefined, which equates to false. Excludes a composite USB device specified by vendor and product IDs from splitting.
Chapter 4 Using USB Devices with Remote Desktops and Applications Table 4‑12. Horizon Agent Configuration Template: Agent-Enforced Settings Setting Properties Exclude All Devices Property: ExcludeAllDevices Excludes all USB devices from being forwarded. If set to true, you can use other policy settings to allow specific devices or families of devices to be forwarded. If set to false, you can use other policy settings to prevent specific devices or families of devices from being forwarded.
Configuring Remote Desktop Features in Horizon 7 Table 4‑13. Horizon Agent Configuration Template: Client-Interpreted Settings (Continued) Setting Properties Allow Other Input Devices Allows input devices other than hid-bootable devices or keyboards with integrated pointing devices to be forwarded. The default value is undefined. Allow Keyboard and Mouse Devices Property: AllowKeyboardMouse Allows keyboards with integrated pointing devices (such as a mouse, trackball, or touch pad) to be forwarded.
Chapter 4 Using USB Devices with Remote Desktops and Applications n For some USB HIDs, you must configure the virtual machine to update the position of the mouse pointer. See http://kb.vmware.com/kb/1022076. n Some audio devices might require changes to policy settings or to registry settings. See http://kb.vmware.com/kb/1023868. n Network latency can cause slow device interaction or cause applications to appear frozen because they are designed to interact with local devices.
Configuring Remote Desktop Features in Horizon 7 88 VMware, Inc.
Configuring Policies for Desktop and Application Pools 5 You can configure policies to control the behavior of desktop and application pools, machines, and users. You use Horizon Administrator to set policies for client sessions. You can use Active Directory group policy settings to control the behavior of Horizon Agent, Horizon Client for Windows, and features that affect single-user machines, RDS hosts, PCoIP, or VMware Blast.
Configuring Remote Desktop Features in Horizon 7 Lower-level policy settings can be more or less restrictive than the equivalent higher-level settings. For example, you can set a global policy to Deny and the equivalent desktop pool-level policy to Allow, or vice versa. Note Only global policies are available for RDS desktop and application pools. You cannot set user-level policies or pool-level policies for RDS desktop and application pools.
Chapter 5 Configuring Policies for Desktop and Application Pools 4 To find a user, click Add, type the name or description of the user, and then click Find. 5 Select one or more users from the list, click OK, and then click Next. The Add Individual Policy dialog box appears. 6 Configure the Horizon policies and click Finish to save your changes. Horizon 7 Policies You can configure Horizon 7 policies to affect all client sessions, or you can apply them to affect specific desktop pools or users.
Configuring Remote Desktop Features in Horizon 7 n Users must use Horizon Client 4.0 or later to connect to remote desktops that you manage with Smart Policies. Installing User Environment Manager To use Smart Policies to control the behavior of remote desktop features on a remote desktop, you must install User Environment Manager 9.0 or later on the remote desktop. You can download the User Environment Manager installer from the VMware Downloads page.
Chapter 5 Configuring Policies for Desktop and Application Pools Horizon Smart Policy Settings You control the behavior of remote desktop features in User Environment Manager by creating a Horizon smart policy. Table 5-2 describes the settings that you can select when you define a Horizon smart policy in User Environment Manager. Table 5‑2. Horizon Smart Policy Settings Setting Description USB redirection Determines whether USB redirection is enabled on the remote desktop.
Configuring Remote Desktop Features in Horizon 7 Bandwidth Profile Reference With Smart Policies, you can use the Bandwidth profile policy setting to configure a bandwidth profile for PCoIP or Blast sessions on remote desktops. Table 5‑3.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑4. Predefined Properties for the Horizon Client Property Condition Property Corresponding Registry Key Description Client location ViewClient_Broker_GatewayLocation Specifies the location of the user's client system.
Configuring Remote Desktop Features in Horizon 7 Using Other Conditions The User Environment Manager Management Console provides many conditions. The following conditions can be especially useful when creating policies for remote desktop features. Group Member You can use this condition to configure the policy to take effect only if a user is a member of a specific group.
Chapter 5 Configuring Policies for Desktop and Application Pools 3 Select the Settings tab and define the smart policy settings. a In the General Settings section, type a name for the smart policy in the Name text box. For example, if the smart policy will affect the client drive redirection feature, you might name the smart policy CDR. b In the Horizon Smart Policy Settings section, select the remote desktop features and settings to include in the smart policy.
Configuring Remote Desktop Features in Horizon 7 Enabling Loopback Processing for Remote Desktops By default, a user's policy settings come from the set of GPOs that are applied to the user object in Active Directory. However, in the Horizon 7 environment, GPOs apply to users based on the computer they log in to. When you enable loopback processing, a consistent set of policies applies to all users that log in to a particular computer, regardless of their location in Active Directory.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑5. Horizon ADMX Template Files (Continued) Template Name Template File Description VMware Horizon URL Redirection urlRedirection-enUS.admx Contains policy settings related to the URL Content Redirection Feature. If you add this template to a GPO for a remote desktop pool or application pool, certain URL links clicked inside the remote desktops or app can be redirected to a Windows-based client and opened in a clientside browser.
Configuring Remote Desktop Features in Horizon 7 Add the ADMX Template Files to Active Directory You can add the policy settings for specific remote desktop features in the Horizon 7 ADMX files to group policy objects (GPOs) in Active Directory. Prerequisites n Verify that the setup option for the remote desktop feature you are applying the policy for is installed on your desktops and RDS hosts. The group policy settings have no effect if the remote desktop feature is not installed.
Chapter 5 Configuring Policies for Desktop and Application Pools The following table describes policy settings in the Horizon Agent Configuration ADMX template file other than those settings that are used with USB devices. The template contains both Computer Configuration and User Configuration settings. The User Configuration setting overrides the equivalent Computer Configuration setting. Table 5‑6.
Configuring Remote Desktop Features in Horizon 7 Table 5‑6. Horizon Agent Configuration Template Settings (Continued) 102 Setting Computer User Properties CommandsToRunOnReconnect X Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect. This setting is in the VMware View Agent Configuration > Agent Configuration folder in the Group Policy Management Editor. See “Running Commands on Horizon Desktops,” on page 110 for more information.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑6. Horizon Agent Configuration Template Settings (Continued) Setting Computer Enable multi-media acceleration X Determines whether multimedia redirection (MMR) is enabled on the remote desktop. MMR is a Windows Media Foundation filter that forwards multimedia data from specific codecs on the remote system directly through a TCP socket to the client. The data is then decoded directly on the client, where it is played.
Configuring Remote Desktop Features in Horizon 7 Table 5‑6. Horizon Agent Configuration Template Settings (Continued) 104 Setting Computer User Send updates for empty or offscreen windows X Specifies whether the client receives updates about empty or offscreen windows. When this setting is disabled, information about window that are smaller than 2x2 pixels, or that are located entirely offscreen, are not sent to the client.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑6. Horizon Agent Configuration Template Settings (Continued) Setting Computer Accept SSL encrypted framework channel User Properties X Enables the SSL encrypted framework channel. The following options are available: n Disable - Disable SSL. n Enable - Enable SSL. Allow legacy clients to connect without SSL. Enforce - Enable SSL. Refuse legacy client connections.
Configuring Remote Desktop Features in Horizon 7 Table 5‑6. Horizon Agent Configuration Template Settings (Continued) Setting Computer Minimum rect size to enable FlashMMR X Definition for FlashMMR url list usage User Properties Specifies the minimum rect size to enable Flash Redirection. This setting is in the VMware View Agent Configuration > VMware FlashMMR folder in the Group Policy Management Editor. The default width is 320 pixels and the default height is 200 pixels.
Chapter 5 Configuring Policies for Desktop and Application Pools If Horizon Client is running inside of a remote desktop session, it sends the physical client information instead of the virtual machine information to the remote desktop. For example, if a user connects from their client system to a remote desktop, launches Horizon Client inside the remote desktop and connects to another remote desktop, the IP address of the physical client system is sent to the second remote desktop.
Configuring Remote Desktop Features in Horizon 7 Table 5‑7. Client System Information (Continued) Supports Nested Mode Description ViewClient_Broker_DNS_Name The DNS name of the View Connection Server instance. VDI (single-user machine) RDS Value is sent directly from View Connection Server, not gathered by Horizon Client. ViewClient_Broker_URL The URL of the View Connection Server instance.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑7. Client System Information (Continued) Supports Nested Mode Supported Desktops Supported Client Systems Specifies the arrangement, resolution, and dimensions of displays on the client. VDI (single-user machine) RDS Windows, Linux, Mac, Android, iOS, Windows Store ViewClient_Keyboard.Type Specifies the type of keyboard being used on the client. For example: Japanese, Korean.
Configuring Remote Desktop Features in Horizon 7 Running Commands on Horizon Desktops You can use the Horizon Agent CommandsToRunOnConnect, CommandsToRunOnReconnect, and CommandsToRunOnDisconnect group policy settings to run commands and command scripts on Horizon desktops when users connect, reconnect, and disconnect. To run a command or a command script, add the command name or the file path of the script to the group policy setting's list of commands. For example: date C:\Scripts\myscript.
Chapter 5 Configuring Policies for Desktop and Application Pools Non-Policy Registry Keys If a local machine setting needs to be applied and cannot be placed under HKLM\Software\Policies\Teradici, local machine settings can be placed in registry keys in HKLM\Software\Teradici. The same registry keys can be placed in HKLM\Software\Teradici as in HKLM\Software\Policies\Teradici. If the same registry key is present in both locations, the setting in HKLM\Software\Policies\Teradici overrides the local machine v
Configuring Remote Desktop Features in Horizon 7 Table 5‑8. PCoIP General Policy Settings (Continued) Setting Description Configure PCoIP image quality levels Controls how PCoIP renders images during periods of network congestion. The Minimum Image Quality, Maximum Initial Image Quality, and Maximum Frame Rate values interoperate to provide fine control in network-bandwidth constrained environments.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑8. PCoIP General Policy Settings (Continued) Setting Description Configure PCoIP session encryption algorithms Controls the encryption algorithms advertised by the PCoIP endpoint during session negotiation. Checking one of the check boxes disables the associated encryption algorithm. You must enable at least one algorithm. This setting applies to both agent and client.
Configuring Remote Desktop Features in Horizon 7 Table 5‑8. PCoIP General Policy Settings (Continued) Setting Description Configure PCoIP USB allowed and unallowed device rules Specifies the USB devices that are authorized and not authorized for PCoIP sessions that use a zero client that runs Teradici firmware. USB devices that are used in PCoIP sessions must appear in the USB authorization table. USB devices that appear in the USB unauthorization table cannot be used in PCoIP sessions.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑8. PCoIP General Policy Settings (Continued) Setting Description Configure PCoIP virtual channels Specifies the virtual channels that can and cannot operate over PCoIP sessions. This setting also determines whether to disable clipboard processing on the PCoIP host. Virtual channels that are used in PCoIP sessions must appear on the virtual channel authorization list.
Configuring Remote Desktop Features in Horizon 7 Table 5‑8. PCoIP General Policy Settings (Continued) 116 Setting Description Configure the TCP port to which the PCoIP host binds and listens Specifies the TCP agent port bound to by software PCoIP hosts. The TCP port value specifies the base TCP port that the agent attempts to bind to. The TCP port range value determines how many additional ports to try if the base port is not available. The port range must be between 1 and 10.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑8. PCoIP General Policy Settings (Continued) Setting Description Enable access to a PCoIP session from a vSphere console Determines whether to allow a vSphere Client console to display an active PCoIP session and send input to the desktop. By default, when a client is attached through PCoIP, the vSphere Client console screen is blank and the console cannot send input.
Configuring Remote Desktop Features in Horizon 7 Table 5‑8. PCoIP General Policy Settings (Continued) Setting Description Configure SSL Connections to satisfy Security Tools Specifies how SSL session negotiation connections are established.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑9. PCoIP Clipboard Policy Settings Setting Description Configure clipboard memory size on server (in kilobytes) Specifies the server's clipboard memory size value, in kilobytes. The client also has a value for the clipboard memory size. After the session is set up, the server sends its clipboard memory size value to the client.
Configuring Remote Desktop Features in Horizon 7 Table 5‑9. PCoIP Clipboard Policy Settings (Continued) Setting Description Filter Microsoft Text Effects data out of the incoming clipboard data Specifies whether Microsoft Office text effects data (HTML Format) is filtered out of the clipboard data coming from the client to the agent. When this setting is enabled and the check box is selected, the data is filtered out. When this setting is disabled or not configured, the data is allowed.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑10. Horizon PCoIP Session Bandwidth Variables Setting Description Configure the maximum PCoIP session bandwidth Specifies the maximum bandwidth, in kilobits per second, in a PCoIP session. The bandwidth includes all imaging, audio, virtual channel, USB, and control PCoIP traffic.
Configuring Remote Desktop Features in Horizon 7 Table 5‑10. Horizon PCoIP Session Bandwidth Variables (Continued) 122 Setting Description Configure the PCoIP session MTU Specifies the Maximum Transmission Unit (MTU) size for UDP packets for a PCoIP session. The MTU size includes IP and UDP packet headers. TCP uses the standard MTU discovery mechanism to set MTU and is not affected by this setting. The maximum MTU size is 1500 bytes. The minimum MTU size is 500 bytes. The default value is 1300 bytes.
Chapter 5 Configuring Policies for Desktop and Application Pools PCoIP Keyboard Settings The View PCoIP ADMX template file contains group policy settings that configure PCoIP settings that affect the use of the keyboard. All of these settings are in the Computer Configuration > Policies > Administrative Templates > PCoIP Session Variables > Overridable Administrator Defaults folder in the Group Policy Management Editor.
Configuring Remote Desktop Features in Horizon 7 The build-to-lossless feature provides the following characteristics: n Dynamically adjusts image quality n Reduces image quality on congested networks n Maintains responsiveness by reducing screen update latency n Resumes maximum image quality when the network is no longer congested You can turn on the build-to-lossless feature by disabling the Turn off Build-to-Lossless feature group policy setting. See “PCoIP Bandwidth Settings,” on page 120.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑12. VMware Blast Policy Settings (Continued) Setting Description Image Quality Specifies the image quality of the remote display. You can specify two low-quality settings, two high-quality settings, and a mid-quality setting. The low-quality settings are for areas of the screen that change often, for example, when scrolling occurs.
Configuring Remote Desktop Features in Horizon 7 Table 5‑12. VMware Blast Policy Settings (Continued) 126 Setting Description Configure file transfer Specifies the permissible behavior for file transfer between a remote desktop and the HTML Access client. You can select one of the following values: n Disabled both upload and download n Enabled both upload and download n Enabled file upload only (Users can upload files from the client system to the remote desktop only.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑12. VMware Blast Policy Settings (Continued) Setting Description Filter Microsoft Office text data out of the outgoing clipboard data Specifies whether Microsoft Office text format data (BIFF12 format) is filtered out of the clipboard data sent from the agent to the client. When this setting is enabled and the check box is selected, the data is filtered out. When this setting is disabled or not configured, the data is allowed.
Configuring Remote Desktop Features in Horizon 7 Using Remote Desktop Services Group Policies You can use Remote Desktop Services (RDS) group policies to control the configuration and performance of RDS hosts and RDS desktop and application sessions. Horizon 7 provides ADMX files that contain the Microsoft RDS group policies that are supported in Horizon 7. As a best practice, configure the group policies that are provided in the Horizon 7 ADMX files rather than the corresponding Microsoft group policies.
Chapter 5 Configuring Policies for Desktop and Application Pools The steps for opening the Group Policy Management Console differ in the Windows 2012, Windows 2008, and Windows 2003 Active Directory versions. See “Create GPOs for Horizon 7 Group Policies,” on page 169. Procedure 1 Download the Horizon 7 GPO Bundle .zip file from the VMware download site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes the GPO Bundle.
Configuring Remote Desktop Features in Horizon 7 RDS Application Compatibility Settings The RDS Application Compatibility group policy settings control Windows installer compatibility, remote desktop IP virtualization, network adapter selection, and the use of the RDS host IP address. Table 5‑13.
Chapter 5 Configuring Policies for Desktop and Application Pools RDS Connections Settings The RDS Connections group policy settings let users set policies for connections to sessions on RDS hosts. The Horizon 7 RDS group policy settings are installed in the Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections folder.
Configuring Remote Desktop Features in Horizon 7 Table 5‑14. RDS Connections Group Policy Settings (Continued) 132 Setting Description Deny logoff of an administrator logged in to the console session This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. This policy is useful when the currently connected administrator does not want to be logged off by another administrator.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑14. RDS Connections Group Policy Settings (Continued) Setting Description Set rules for remote control of Remote Desktop Services user sessions Use this policy setting to specify the level of remote control permitted in a Remote Desktop Services session. You can use this policy setting to select one of two levels of remote control: View Session or Full Control. View Session permits the remote control user to watch a session.
Configuring Remote Desktop Features in Horizon 7 Table 5‑14. RDS Connections Group Policy Settings (Continued) Setting Description Allow remote start of unlisted programs Use this policy setting to specify whether remote users can start any program on the RDS host when they start a Remote Desktop Services session, or whether they can only start programs that are listed in the RemoteApp Programs list.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑15. RDS Device and Resource Redirection Group Policy Settings Setting Description Allow audio and video playback redirection Use this policy setting to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop Services session.
Configuring Remote Desktop Features in Horizon 7 Table 5‑15. RDS Device and Resource Redirection Group Policy Settings (Continued) 136 Setting Description Limit audio playback quality Use this policy setting to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑15. RDS Device and Resource Redirection Group Policy Settings (Continued) Setting Description Do not allow drive redirection Specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection.
Configuring Remote Desktop Features in Horizon 7 Table 5‑15. RDS Device and Resource Redirection Group Policy Settings (Continued) Setting Description Do not allow smart card device redirection Use this policy setting to control the redirection of smart card devices in a Remote Desktop Services session. If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑16. RDS Licensing Group Policy Settings Setting Description Use the specified Remote Desktop license servers This policy setting allows you to specify the order in which an RDS host server attempts to locate Remote Desktop license severs. If you enable this policy setting, an RDS host server first attempts to locate the license servers that you specify.
Configuring Remote Desktop Features in Horizon 7 RDS Printer Redirection Settings The RDS Printer Redirection group policy settings let users configure policies for printer redirection. The Horizon 7 RDS group policy settings are installed in the Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection folder.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑17. RDS Printer Redirection Group Policy Settings (Continued) Setting Description Use Remote Desktop Easy Print printer driver first Use this policy setting to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. If you enable or do not configure this policy setting, the RDS host first tries to use the Remote Desktop Easy Print printer driver to install all client printers.
Configuring Remote Desktop Features in Horizon 7 Table 5‑17. RDS Printer Redirection Group Policy Settings (Continued) Setting Description Specify RD Session Host Server fallback printer driver behavior Use this policy setting to specify the RDS host fallback printer driver behavior. By default, the RDS host fallback printer driver is disabled. If the RDS host does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session.
Chapter 5 Configuring Policies for Desktop and Application Pools RDS Profiles Settings The RDS Profiles group policy settings control roaming profile and home directory settings for Remote Desktop Services sessions. Table 5‑18. RDS Profiles Group Policy Settings Setting Description Limit the size of the entire roaming user profile cache This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive.
Configuring Remote Desktop Features in Horizon 7 Table 5‑18. RDS Profiles Group Policy Settings (Continued) Setting Description Use mandatory profiles on the RD Session Host server This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RDS host.
Chapter 5 Configuring Policies for Desktop and Application Pools RDS Connection Server Settings The RDS Connection Server group policy settings let users set policies for Connection Server. The Horizon 7 RDS group policy settings are installed in the Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker folder. VMware, Inc.
Configuring Remote Desktop Features in Horizon 7 Table 5‑19. RDS Connection Server Group Policy Settings 146 Setting Description Join RD Connection Broker Use this policy setting to specify whether the RDS host should join a farm in Connection Server that is installed on an RDS host. Connection Server on an RDS host tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RDS farm.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑19. RDS Connection Server Group Policy Settings (Continued) Setting Description Use IP Address Redirection Use this policy setting to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RDS farm. This setting applies to an RDS host that is configured to use the Connection Server on an RDS host and not to the Connection Server on a remote desktop.
Configuring Remote Desktop Features in Horizon 7 Table 5‑19. RDS Connection Server Group Policy Settings (Continued) Setting Description Configure RD Connection Broker Server name Use this policy setting to specify the Connection Server that the RDS host uses to track and redirect user sessions for a load-balanced RDS farm. The specified RDS host must be running the Connection Server service. All RDS hosts in a load-balanced farm should use the same Connection Server.
Chapter 5 Configuring Policies for Desktop and Application Pools RDS Remote Session Environment Settings The RDS Remote Session Environment group policy settings control configuration of the user interface in Remote Desktop Services sessions. The Horizon 7 RDS group policy settings are installed in the Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment folder.
Configuring Remote Desktop Features in Horizon 7 Table 5‑20. RDS Remote Session Environment Group Policy Settings (Continued) 150 Setting Description Configure RemoteFX Use this policy setting to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization host) and an RDS host. When deployed on an RD Virtualization host, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs) or hardware.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑20. RDS Remote Session Environment Group Policy Settings (Continued) Setting Description Remove "Disconnect" option from Shut Down dialog Use this policy setting to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services sessions. You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RDS host.
Configuring Remote Desktop Features in Horizon 7 Table 5‑20. RDS Remote Session Environment Group Policy Settings (Continued) 152 Setting Description Set compression algorithm for RDP data Use this policy setting to specify which Remote Desktop Protocol (RDP) compression algorithm to use. By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. If you enable this policy setting, you can specify which RDP compression algorithm to use.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑20. RDS Remote Session Environment Group Policy Settings (Continued) Setting Description Start a program on connection Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user logs on to a remote computer.
Configuring Remote Desktop Features in Horizon 7 Table 5‑20. RDS Remote Session Environment Group Policy Settings (Continued) 154 Setting Description Allow desktop composition for remote desktop sessions Use this policy setting to specify whether desktop composition is allowed for remote desktop sessions. This policy setting does not apply to RemoteApp sessions. Desktop composition provides the user interface elements of Windows Aero, such as translucent windows, for remote desktop sessions.
Chapter 5 Configuring Policies for Desktop and Application Pools RDS Security Settings The RDS Security group policy setting controls whether to let local administrators customize permissions. The Horizon 7 RDS group policy settings are installed in the Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security folder. VMware, Inc.
Configuring Remote Desktop Features in Horizon 7 Table 5‑21. RDS Security Group Policy Settings Setting Description Server Authentication Certificate Template Use this policy setting to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RDS host. A certificate is needed to authenticate an RDS host when SSL (TLS 1.0) is used to secure communication between a client and an RDS host during RDP connections.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑21. RDS Security Group Policy Settings (Continued) Setting Description If you disable or do not configure this setting, the encryption level to be used for remote connections to RDS host is not enforced through Group Policy. However, you can configure a required encryption level for these connections by using the Remote Desktop Session Host Configuration tool.
Configuring Remote Desktop Features in Horizon 7 Table 5‑21. RDS Security Group Policy Settings (Continued) Setting Description Require secure RPC communication Specifies whether an RDS host requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑21. RDS Security Group Policy Settings (Continued) Setting Description Require user authentication for remote connections by using Network Use this policy setting to specify whether to require user authentication for remote connections to the RDS host by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process.
Configuring Remote Desktop Features in Horizon 7 Table 5‑22. RDS Session Time Limits Group Policy Settings 160 Setting Description Set time limit for disconnected sessions Use this policy setting to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑22. RDS Session Time Limits Group Policy Settings (Continued) Setting Description Set time limit for active Remote Desktop Services sessions Use this policy setting to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Active session limit drop-down list.
Configuring Remote Desktop Features in Horizon 7 Table 5‑22. RDS Session Time Limits Group Policy Settings (Continued) 162 Setting Description Terminate session when time limits are reached Specifies whether to terminate a timed-out Remote Desktop Services session instead of disconnecting it.
Chapter 5 Configuring Policies for Desktop and Application Pools RDS Temporary Folders Settings The RDS Connections group policy settings control the creation and deletion of temporary folders for Remote Desktop Services sessions. Table 5‑23. RDS Temporary Folders Group Policy Settings Setting Description Do not delete temp folder upon exit Specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff.
Configuring Remote Desktop Features in Horizon 7 In Horizon 6.0.1 and later, location-based printing is supported on the following remote desktops and applications: n Desktops that are deployed on single-user machines, including Windows Desktop and Windows Server machines n Desktops that are deployed on RDS hosts, where the RDS hosts are virtual machines n Hosted Apps n Hosted Apps that are launched from Horizon Client inside remote desktops In Horizon 6.
Chapter 5 Configuring Policies for Desktop and Application Pools Register the Location-Based Printing Group Policy DLL File Before you can configure the group policy setting for location-based printing, you must register the DLL file TPVMGPoACmap.dll. The 32-bit and 64-bit versions of TPVMGPoACmap.dll are available in a bundled .zip file named VMwareHorizon-Extras-Bundle-x.x.x-yyyyyyy.zip, where x.x.x is the version and yyyyyyy is the build number.
Configuring Remote Desktop Features in Horizon 7 Procedure 1 On the Active Directory server, edit the GPO. AD Version Navigation Path Windows 2003 a b c d Windows 2008 a b Select Start > All Programs > Administrative Tools > Active Directory Users and Computers. Right-click the OU that contains your Horizon desktops and select Properties. On the Group Policy tab, click Open to open the Group Policy Management plug-in.
Chapter 5 Configuring Policies for Desktop and Application Pools Table 5‑24. Translation Table Columns and Values Column Description IP Range A translation rule that specifies a range of IP addresses for client systems. To specify IP addresses in a specific range, use the following notation: ip_address-ip_address For example: 10.112.116.0-10.112.119.255 To specify all of the IP addresses in a specific subnet, use the following notation: ip_address/subnet_mask_bits For example: 10.112.4.
Configuring Remote Desktop Features in Horizon 7 Table 5‑25. Location-Based Printing Group Policy Setting Example IP Range Client Name Mac Address User/ Group Printer Name Printer Driver * * * * PRINTER-1-CLR HP Color LaserJet 4700 PS IP_10.114.24.1 10.112.116.140-10.1 12.116.145 * * * PRINTER-2-CLR HP Color LaserJet 4700 PS IP_10.114.24.
Chapter 5 Configuring Policies for Desktop and Application Pools What to do next Create GPOs for Horizon 7 group policies. Create GPOs for Horizon 7 Group Policies Create GPOs to contain group policies for Horizon 7 components and location-based printing and link them to the OU for your Horizon 7 machines. Prerequisites n Create an OU for your Horizon 7 machines. n Verify that the Group Policy Management feature is available on your Active Directory server.
Configuring Remote Desktop Features in Horizon 7 The steps for opening the Group Policy Management Console differ in the Windows 2012, Windows 2008, and Windows 2003 Active Directory versions. See “Create GPOs for Horizon 7 Group Policies,” on page 169. Procedure 1 Download the Horizon 7 GPO Bundle .zip file from the VMware download site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes the GPO Bundle.
Chapter 5 Configuring Policies for Desktop and Application Pools 5 6 VMware, Inc. Select Enabled and then select a loopback processing mode from the Mode drop-down menu. Option Action Merge The user policy settings applied are the combination of those included in both the computer and user GPOs. Where conflicts exist, the computer GPOs take precedence. Replace The user policy is defined entirely from the GPOs associated with the computer. Any GPOs associated with the user are ignored.
Configuring Remote Desktop Features in Horizon 7 172 VMware, Inc.
Active Directory Group Policy Example 6 One way to implement Active Directory group policies in Horizon 7 is to create an OU for the Horizon 7 machines that deliver remote desktop sessions and link one or more GPOs to that OU. You can use these GPOs to apply group policy settings to your Horizon 7 machines. You can link GPOs directly to a domain if the policy settings apply to all computers in the domain.
Configuring Remote Desktop Features in Horizon 7 4 To add Horizon 7 machines to the new OU: a Click Computers in the left pane. All the computer objects in the domain appear in the right pane. b Right-click the name of the computer object that represents the Horizon 7 machine in the right panel and select Move. c Select the OU and click OK. The Horizon 7 machine appears in the right pane when you select the OU. What to do next Create GPOs for Horizon 7 group policies.
Chapter 6 Active Directory Group Policy Example Add Horizon 7 ADMX Template File to a GPO To apply Horizon 7 component group policy settings to your published desktops and applications, add their ADMX template files to GPOs. Prerequisites n Create GPOs for the Horizon 7 component group policy settings and link them to the OU that contains your Horizon 7 machines. n Verify that the Group Policy Management feature is available on your Active Directory server.
Configuring Remote Desktop Features in Horizon 7 Procedure 1 On the Active Directory server, open the Group Policy Management Console. 2 Expand your domain, right-click the GPO that you created for the group policy settings, and select Edit. 3 In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions > System > Group Policy. 4 In the right pane, double-click User Group Policy loopback processing mode.
Index A addGroupURLSetting 64 addUserURLSetting 64 ADMX files adding ADMX files to Active Directory 100 adding to Active Directory 128 ADMX template file Real-Time Audio-Video 30 scanner redirection 35 serial port redirection 41 ADMX template files PCoIP Session Variables 110 PCoIP session bandwidth settings 120 VMware Blast 124 where to find 98 Adobe Flash URL redirection, system requirements 11 agent-to-client redirection 55, 58 application compatibility, RDS group policy settings 130 B bandwidth, Real-
Configuring Remote Desktop Features in Horizon 7 loopback processing benefits 98 enabling 170, 175 M managing URL content redirection settings 66 MHTML Web pages, setting up for multicast 13 microphone 23, 27 microphones, selecting default 22 MMR, system requirements 46 multicast redirection configuring 10 system requirements 11 multimedia redirection enabling 45 managing across a network 45 network latency 47 override network latency trigger 47 system requirements 46 O OUs, creating for remote desktops
Index U unicast redirection configuring 10 system requirements 11 Unity Touch configuring 7 system requirements 8 Unity Touch feature 8 URL Content Redirection, installing 54 USB redirection automatic connections 72 controlling using policies 76, 83 deploying devices securely 73 disabling all devices 73 disabling specific devices 74 ports for 72 preventing conflicts with Real-Time AudioVideo 22 troubleshooting failure 86 USB device families 82 USB device filters 79 USB devices support for 70 using with Vie
Configuring Remote Desktop Features in Horizon 7 180 VMware, Inc.
