View Installation
VMware Horizon 7 7.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2011–2017 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

View Installation 5
1 System Requirements for Server Components 7
  Horizon Connection Server Requirements 7
  View Administrator Requirements 9
  View Composer Requirements 10
2 System Requirements for Guest Operating Systems 13
  Supported Operating Systems for Horizon Agent 13
  Supported Operating Systems for Standalone Horizon Persona Management 14
  Remote Display Protocol and Software Support 14
3 Installing View in an IPv6 Environment 19
  Setting Up View in an IPv6 Environment 19
  Supported vSphe
6 Installing View Composer 37
  Prepare a View Composer Database 37
  Configuring an SSL Certificate for View Composer 44
  Install the View Composer Service 45
  Enable TLSv1.
View Installation

View Installation explains how to install the VMware Horizon 7 server and client components.

Intended Audience

This information is intended for anyone who wants to install VMware Horizon 7. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.
1 System Requirements for Server Components

Hosts that run Horizon 7 server components must meet specific hardware and software requirements.
Hardware Requirements for Horizon Connection Server

You must install all Horizon Connection Server installation types, including standard, replica, security server, and enrollment server installations, on a dedicated physical or virtual machine that meets specific hardware requirements.

Table 1‑1. Horizon Connection Server Hardware Requirements

Hardware Component | Required | Recommended
Processor | Pentium IV 2.
Network Requirements for Replicated Horizon Connection Server Instances

When installing replicated Horizon Connection Server instances, you must usually configure the instances in the same physical location and connect them over a high-performance LAN. Otherwise, latency issues could cause the View LDAP configurations on Horizon Connection Server instances to become inconsistent.
View Composer Requirements

With View Composer, you can deploy multiple linked-clone desktops from a single centralized base image. View Composer has specific installation and storage requirements.

- Supported Operating Systems for View Composer on page 10
  View Composer supports 64-bit operating systems with specific requirements and limitations. You can install View Composer on the same physical or virtual machine as vCenter Server or on a separate server.
Table 1‑4. View Composer Hardware Requirements

Hardware Component | Required | Recommended
Processor | 1.
Table 1‑5. Supported Database Servers for View Composer and for the Events Database (Continued)

Database | Service Packs/Releases | Editions
Microsoft SQL Server 2008 R2 (32- and 64-bit) | SP2, SP3 | Express, Standard, Enterprise, Datacenter
Oracle 12c Release 1 (any release up to 12.1.0.2) | | Standard One, Standard, Enterprise

Note: The following versions are no longer supported: Microsoft SQL Server 2008 SP4 and Oracle 11g Release 2 (11.2.0.04).
2 System Requirements for Guest Operating Systems

Systems running Horizon Agent or Standalone View Persona Management must meet certain hardware and software requirements.
Supported Operating Systems for Standalone Horizon Persona Management

The standalone Horizon Persona Management software provides persona management for standalone physical computers and virtual machines that do not have Horizon Agent installed. When users log in, their profiles are downloaded dynamically from a remote profile repository to their standalone systems.

Note: To configure Persona Management for Horizon desktops, install Horizon Agent with the Persona Management setup option.
- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You can, however, change the encryption key cipher to AES-256.
- Connections to Windows desktops with the Horizon Agent operating system versions listed in “Supported Operating Systems for Horizon Agent,” on page 13 are supported.
- Connections from all types of client devices.
1080p-formatted video
  If the remote desktop has a dual virtual CPU, you can play 1080p formatted video, although the media player might need to be adjusted to a smaller window size.

3D rendering
  You can configure remote desktops to use software- or hardware-accelerated graphics. The software-accelerated graphics feature enables you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical graphics processing unit (GPU).
VMware Blast Extreme
  Optimized for the mobile cloud, VMware Blast Extreme supports the broadest range of client devices that are H.264 capable. Of the display protocols, VMware Blast offers the lowest CPU consumption for longer battery life on mobile devices. VMware Blast Extreme can compensate for an increase in latency or a reduction in bandwidth and can leverage both TCP and UDP network transports.
If you have an add-in discrete GPU and an embedded GPU, the operating system might default to the embedded GPU. To fix this problem, you can disable or remove the device in Device Manager. If the problem persists, you can install the WDDM graphics driver for the embedded GPU, or disable the embedded GPU in the system BIOS. Refer to your system documentation on how to disable the embedded GPU.
3 Installing View in an IPv6 Environment

View supports IPv6 as an alternative to IPv4. The environment must be either IPv6 only or IPv4 only. View does not support a mixed IPv6 and IPv4 environment. Not all View features that are supported in an IPv4 environment are supported in an IPv6 environment. View does not support upgrading from an IPv4 environment to an IPv6 environment. Also, View does not support migration between IPv4 and IPv6 environments.
- Setting the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 115.
- Modifying the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 115.
- Installing Horizon Agent. See the Horizon Agent installation topics in the Setting Up Desktop and Application Pools document.
- Installing Horizon Client for Windows. See the VMware Horizon Client for Windows document in https://www.vmware.
Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment

In an IPv6 environment, View supports specific Windows operating systems for desktop machines and RDS hosts. RDS hosts provide session-based desktops and applications to users. The following Windows operating systems are supported for desktop machines.
- PCoIP
- PCoIP through PCoIP Secure Gateway
- VMware Blast
- VMware Blast through Blast Secure Gateway

Supported Authentication Types in an IPv6 Environment

In an IPv6 environment, View supports specific authentication types.
- Single Sign-on, including the Log in as current user feature
- System health dashboard
- ThinApp
- Unity touch
- USB
- USB redirection
- View Composer Agent
- View Storage Accelerator
- View Composer database backup
- Virtual printing
- VMware audio
- VMware video

The following features are not supported:

- Blast UDP
- Client drive redirection
- Client IP Transparency (only 64-bit)
- Cloud Pod Architecture
- Flash URL redir
4 Installing View in FIPS Mode

View can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms. You can enable the use of these algorithms by installing View in FIPS mode. Not all View features are supported in FIPS mode. Also, View does not support upgrading from a non-FIPS installation to a FIPS installation.

Note: To ensure that View runs in FIPS mode, you must enable FIPS when you install all View components.
- When installing View Agent, select the FIPS mode option. See the View Agent installation topics in the Setting Up Desktop and Application Pools document.
- When installing Horizon Client for Windows, select the FIPS mode option. See the VMware Horizon Client for Windows document in https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html. Only Windows clients are supported.
5 Preparing Active Directory

View uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with View.
You can place Horizon Agent machines, View Composer servers, and users and groups, in the following Active Directory domains:

- The View Connection Server domain
- A different domain that has a two-way trust relationship with the View Connection Server domain
- A domain in a different forest than the View Connection Server domain that is trusted by the View Connection Server domain in a one-way external or realm trust relationship
- A domain in a different forest than the View Conn
Creating an OU for Remote Desktops

You should create an organizational unit (OU) specifically for your remote desktops. An OU is a subdivision in Active Directory that contains users, groups, computers, or other OUs. To prevent group policy settings from being applied to other Windows servers or workstations in the same domain as your desktops, you can create a GPO for your View group policies and link it to the OU that contains your remote desktops.
Creating a User Account for a Standalone View Composer Server

If you install View Composer on a different machine than vCenter Server, you must create a domain user account in Active Directory that View can use to authenticate to the View Composer service on the standalone machine. The user account must be in the same domain as your View Connection Server host or in a trusted domain. You must add the user account to the local Administrators group on the standalone View Composer machine.
What to do next

Specify the account in View Administrator when you configure View Composer domains in the Add vCenter Server wizard and when you configure and deploy linked-clone desktop pools.

Create a User Account for Instant-Clone Operations

Before you deploy instant clones, you must create a user account that has the permission to perform certain operations in Active Directory.
Procedure

1 On the Active Directory server, navigate to the Group Policy Management plug-in.

  AD Version: Windows 2003
  Navigation Path:
    a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
    b Right-click your domain and click Properties.
    c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
    d Right-click Default Domain Policy, and click Edit.

  AD Version: Windows 2008
  Navigation Path:
    a
    b
- Add the Root Certificate to the Enterprise NTAuth Store on page 34
  If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
3 Right-click Trusted Root Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
5 Close the Group Policy window.

All of the systems in the domain now have a copy of the root certificate in their trusted root store.
The CA is now trusted to issue certificates of this type.

Disable Weak Ciphers in SSL/TLS

To achieve greater security, you can configure the domain policy GPO (group policy object) to ensure that View Composer and Windows-based machines running View Agent or Horizon Agent do not use weak ciphers when they communicate using the SSL/TLS protocol.
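One way to confirm on a View Composer or agent machine that the cipher policy has taken effect, as an added example that is not part of the original guide. It assumes the GPO uses the Windows SSL Cipher Suite Order setting (stored at the registry path in the code); the function names and the weak-suite pattern are illustrative.

```powershell
# Added example (not from the VMware guide): report weak SSL/TLS cipher suites
# that are still enabled after the domain policy GPO has been applied.
# Assumption: the GPO uses the Windows "SSL Cipher Suite Order" setting, which
# Windows stores as the "Functions" value under the policy key below.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Illustrative pattern for suites generally treated as weak: NULL or export-grade
# encryption, RC2/RC4, single or triple DES, MD5 MACs, and SSL 2.0 (SSL_CK_) suites.
$WeakPattern = 'NULL|EXPORT|RC2|RC4|_DES_|3DES|MD5|^SSL_CK_'

function Get-WeakCipherSuite {
    param([string[]]$SuiteName)
    # Return only the suite names that match the weak-suite pattern.
    $SuiteName | Where-Object { $_ -match $WeakPattern }
}

function Get-ConfiguredCipherSuite {
    # 1. Prefer the GPO-delivered list, if the policy is present on this machine.
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        # The value is normally one comma-separated string; handle a string array too.
        $names = @($policy.Functions) -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
        return $names
    }
    # 2. Otherwise fall back to the suites the OS reports as enabled
    #    (Get-TlsCipherSuite exists on Windows Server 2016 / Windows 10 and later).
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return (Get-TlsCipherSuite).Name
    }
    return @()
}

# Constructed sample list, so the classification can be seen without reading the registry.
$sample = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',
    'SSL_CK_DES_192_EDE3_CBC_WITH_MD5'
)
'Weak suites in the constructed sample:'
Get-WeakCipherSuite -SuiteName $sample

'Weak suites configured on this machine:'
$live = Get-ConfiguredCipherSuite
if ($live) {
    $weak = @(Get-WeakCipherSuite -SuiteName $live)
    if ($weak.Count -gt 0) { $weak } else { '(none found)' }
} else {
    '(no cipher suite policy or cipher list found)'
}
```

Run it after `gpupdate /force` and a restart, because Schannel reads the cipher list at startup.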
6 Installing View Composer

To use View Composer, you create a View Composer database, install the View Composer service, and optimize your View infrastructure to support View Composer. You can install the View Composer service on the same host as vCenter Server or on a separate host.

View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop pools. You must have a license to install and use the View Composer feature.
For a list of supported database versions, see “Database Requirements for View Composer and the Events Database,” on page 11.

To add a View Composer database to an installed database instance, choose one of these procedures.

- Create a SQL Server Database for View Composer on page 38
  View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it.
3 In the Object Explorer panel, right-click the Databases entry and select New Database.
  You can use the default values for the Initial size and Autogrowth parameters for the database and log files.
4 In the New Database dialog box, type a name in the Database name text box.
  For example: ViewComposer
5 Click OK.
  SQL Server Management Studio adds your database to the Databases entry in the Object Explorer panel.
6 Exit Microsoft SQL Server Management Studio.
4 In the View Composer database, grant privileges to the VCMP_ADMIN_ROLE.
  a Grant the schema permissions ALTER, REFERENCES, and INSERT on the dbo schema.
  b Grant the permissions CREATE TABLE, CREATE VIEW, and CREATE PROCEDURES.
5 In the View Composer database, create the VCMP_USER_ROLE.
6 In the View Composer database, grant the schema permissions SELECT, INSERT, DELETE, UPDATE, and EXECUTE on the dbo schema to the VCMP_USER_ROLE.
5 In the Create a New Data Source to SQL Server setup wizard, type a name and description of the View Composer database.
  For example: ViewComposer
6 In the Server text box, type the SQL Server database name.
  Use the form host_name\server_name, where host_name is the name of the computer and server_name is the SQL Server instance.
  For example: VCHOST1\VIM_SQLEXP
7 Click Next.
- Add an ODBC Data Source to Oracle 12c or 11g on page 44
  After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.

Add a View Composer Database to Oracle 12c or 11g

You can use the Oracle Database Configuration Assistant to add a new View Composer database to an existing Oracle 12c or 11g instance.
Verify that a supported version of Oracle 12c or 11g is installed on the local or remote computer. For details, see “Database Requirements for View Composer and the Events Database,” on page 11.

Procedure

1 Log in to a SQL*Plus session with the system account.
2 Run the following SQL statement to create the database.

CREATE SMALLFILE TABLESPACE "VCMP" DATAFILE '/u01/app/oracle/oradata/vcdb/vcmp01.
Add an ODBC Data Source to Oracle 12c or 11g

After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.

When you configure an ODBC DSN for View Composer, secure the underlying database connection to an appropriate level for your environment. For information about securing database connections, see the Oracle database documentation.
For details about configuring SSL certificates and using the SviConfig ReplaceCertificate utility, see Chapter 8, “Configuring SSL Certificates for View Servers,” on page 79.

If you install vCenter Server and View Composer on the same Windows Server computer, they can use the same SSL certificate, but you must configure the certificate separately for each component.

Install the View Composer Service

To use View Composer, you must install the View Composer service.
5 Type the DSN for the View Composer database that you provided in the Microsoft or Oracle ODBC Data Source Administrator wizard.
  For example: VMware View Composer
  Note: If you did not configure a DSN for the View Composer database, click ODBC DSN Setup to configure a name now.
6 Type the domain administrator user name and password that you provided in the ODBC Data Source Administrator wizard.
If your ESXi hosts are not running ESXi 6.0 U1b or later, and you cannot upgrade, you might also need to enable TLSv1.0 connections to ESXi hosts from View Composer.

Prerequisites

- Verify that you have View Composer 7.0 or a later release installed.
- Verify that you can log in to the View Composer machine as an Administrator to use the Windows Registry Editor.

Procedure

1 On the machine that hosts View Composer, open the Windows Registry Editor (regedit.exe).
2
- In vSphere 5.1 and later, a cluster that is used for View Composer linked clones can contain more than eight ESXi hosts if the replica disks are stored on VMFS5 or later datastores or NFS datastores. If you store replicas on a VMFS version earlier than VMFS5, a cluster can have at most eight hosts. In vSphere 5.0, you can select a cluster with more than eight ESXi hosts if the replicas are stored on NFS datastores.
7 Installing View Connection Server

To use View Connection Server, you install the software on supported computers, configure the required components, and, optionally, optimize the components.
Security server installation
  Generates a View Connection Server instance that adds an additional layer of security between the Internet and your internal network.

Enrollment Server installation
  Installs an enrollment server that is required for the True SSO (single sign-on) feature, so that after users log in to VMware Identity Manager, they can connect to a remote desktop or application without having to provide Active Directory credentials.
Install View Connection Server with a New Configuration

To install View Connection Server as a single server or as the first instance in a group of replicated View Connection Server instances, you use the standard installation option.

When you select the standard installation option, the installation creates a new, local View LDAP configuration.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for View Connection Server instances. See “Firewall Rules for View Connection Server,” on page 71.
- If you plan to pair a security server with this View Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles.
11 Authorize a View Administrators account.
   Only members of this account can log in to View Administrator, exercise full administration rights, and install replicated View Connection Server instances and other View servers.

   Option | Description
   Authorize the local Administrators group | Allows users in the local Administrators group to administer View.

12
Perform initial configuration on View Connection Server. See Chapter 9, “Configuring View for the First Time,” on page 97.

If you plan to include replicated View Connection Server instances and security servers in your deployment, you must install each server instance by running the View Connection Server installer file.

If you are reinstalling View Connection Server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.
Procedure

1 Download the Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
  Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes Connection Server.
  The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
If you are configuring View for the first time, perform initial configuration on View Connection Server. See Chapter 9, “Configuring View for the First Time,” on page 97.

Silent Installation Properties for a View Connection Server Standard Installation

You can include specific View Connection Server properties when you perform a silent installation from the command line.
Enable TLSv1.0 on vCenter Connections from Connection Server

Horizon 7 and later components have the TLSv1.0 security protocol disabled by default. If your deployment includes an older version of vCenter Server that supports only TLSv1.0, you might need to enable TLSv1.0 for Connection Server connections after installing or upgrading to Connection Server 7.0 or a later release.

Some earlier maintenance releases of vCenter Server 5.0, 5.1, and 5.
After the installation, identical View LDAP configuration data is maintained on all View Connection Server instances in the replicated group. When a change is made on one instance, the updated information is copied to the other instances.

If a replicated instance fails, the other instances in the group continue to operate. When the failed instance resumes activity, its configuration is updated with the changes that took place during the outage.
- If your network topology includes a back-end firewall between a security server and the View Connection Server instance, you must configure the firewall to support IPsec. See “Configuring a Back-End Firewall to Support IPsec,” on page 72.

Procedure

1 Download the Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services

For information about these services, see the View Administration document.
- Verify that the computers on which you install replicated View Connection Server instances are connected over a high-performance LAN. See “Network Requirements for Replicated Horizon Connection Server Instances,” on page 9.
- Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 50.
The Horizon 7 services are installed on the Windows Server computer:

- VMware Horizon Connection Server
- VMware Horizon View Framework Component
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services

For information abou
Table 7‑2. MSI Properties for Silently installing a Replicated Instance of View Connection Server (Continued)

MSI Property | Description | Default Value
ADAM_PRIMARY_NAME | The host name or IP address of the existing View Connection Server instance you are replicating. For example: ADAM_PRIMARY_NAME=cs1.companydomain.com This MSI property is required. | None
What to do next

Install a security server. See “Install a Security Server,” on page 64.

Important: If you do not provide the security server pairing password to the View Connection Server installation program within the password timeout period, the password becomes invalid and you must configure a new password.

Install a Security Server

A security server is an instance of View Connection Server that adds an additional layer of security between the Internet and your internal network.
- If you are installing View in FIPS mode, you must deselect the global setting Use IPSec for Security Server Connections in View Administrator, because in FIPS mode, you must configure IPsec manually after installing a security server.

Procedure

1 Download the Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
12 In the Blast External URL text box, type the external URL of the security server for users who use HTML Access to connect to remote desktops.
   The URL must contain the HTTPS protocol, client-resolvable host name, and port number.
   For example: https://myserver.example.com:8443
   By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach this security server.
Install a Security Server Silently

You can use the silent installation feature of the Microsoft Windows Installer (MSI) to install a security server on several Windows computers. In a silent installation, you use the command line and do not have to respond to wizard prompts.

With silent installation, you can efficiently deploy View components in a large enterprise.

Prerequisites

- Determine the type of topology to use.
Procedure

1 Download the Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
  Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes Connection Server.
  The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line.
Silent Installation Properties for a Security Server

You can include specific properties when you silently install a security server from the command line. You must use a PROPERTY=value format so that Microsoft Windows Installer (MSI) can interpret the properties and values.

Table 7‑3.
Table 7‑3. MSI Properties for Silently Installing a Security Server (Continued)

MSI Property | Description | Default Value
VDM_SERVER_SS_PCOIP_UDPPORT | The PCoIP Secure Gateway external UDP port number. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_UDPPORT=4172 This property is required if you plan to use the PCoIP Secure Gateway component. | None
You can configure an initial security server pairing without using IPsec rules. Before you install the security server, you can open View Administrator and deselect the global setting Use IPSec for Security Server Connections, which is enabled by default. If IPsec rules are not in effect, you do not have to remove them before you upgrade or reinstall.
Table 7‑4. Ports Opened During View Connection Server Installation (Continued)

Protocol | Ports | View Connection Server Instance Type
HTTP | TCP 80 | Standard, replica, and security server
HTTPS | TCP 443 | Standard, replica, and security server
PCoIP | TCP 4172 in; UDP 4172 both directions | Standard, replica, and security server
HTTPS | TCP 8443; UDP 8443 | Standard, replica, and security server.
Table 7‑6. NAT Firewall Requirements to Support IPsec Rules

Source | Protocol | Port | Destination | Notes
Security server | ISAKMP | UDP 500 | View Connection Server | Security servers use UDP port 500 to initiate IPsec security negotiation.
Security server | NAT-T ISAKMP | UDP 4500 | View Connection Server | Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security.
4 Uninstall the View Connection Server from the computer by using the Windows Add/Remove Programs utility.
  Do not uninstall the View LDAP configuration, called the AD LDS Instance VMwareVDMDS instance. You can use the Add/Remove Programs utility to verify that the AD LDS Instance VMwareVDMDS instance was not removed from the Windows Server computer.
5 Reinstall View Connection Server.
  At the installer prompt, accept the existing View LDAP directory.
Table 7‑8. MSI Command-Line Options and MSI Properties

MSI Option or Property | Description
/qn | Instructs the MSI installer not to display the installer wizard pages. For example, you might want to install Horizon Agent silently and use only default setup options and features: VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn" Alternatively, you can use the /qb option to display the wizard pages in a noninteractive, automated installation.
Uninstalling View Components Silently by Using MSI Command-Line Options

You can uninstall View components by using Microsoft Windows Installer (MSI) command-line options.

Syntax

msiexec.exe /qb /x product_code

Options

The /qb option displays the uninstall progress bar. To suppress displaying the uninstall progress bar, replace the /qb option with the /qn option.

The /x option uninstalls the View component.
- HKLM\SOFTWARE\VMware, Inc.\VMware VDM\*
- HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\VMware Horizon View Certificates\*
- HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\VMwareView\*
- HKLM\SOFTWARE\Wow6432Node\Policies\VMware, Inc.\VMware VDM\*
- HKLM\SOFTWARE\Wow6432Node\Policies\VMware, Inc.\vRealize Operations for Horizon\*
- HKLM\SOFTWARE\Wow6432Node\VMware, Inc.
- HKLM\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM
8 Configuring SSL Certificates for View Servers

VMware strongly recommends that you configure SSL certificates for authentication of View Connection Server instances, security servers, and View Composer service instances.

A default SSL server certificate is generated when you install View Connection Server instances, security servers, or View Composer instances. You can use the default certificate for testing purposes.

Important: Replace the default certificate as soon as possible.
- If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on the Windows Server computer. The installation extracts the keys and certificates and imports them into the Windows Certificate Store.

vCenter Server and View Composer

Before you add vCenter Server and View Composer to View in a production environment, make sure that vCenter Server and View Composer use certificates that are signed by a CA.
Similarly, if a SAML 2.0 authenticator is configured for View Connection Server, the View Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.

Overview of Tasks for Setting Up SSL Certificates

To set up SSL server certificates for View servers, you must perform several high-level tasks.
If a SAML authenticator is configured for use with a View Connection Server instance, View Connection Server also performs certificate revocation checking on the SAML server certificate.

Obtaining a Signed SSL Certificate from a CA

If your organization does not provide you with an SSL server certificate, you must request a new certificate that is signed by a CA. You can use several methods to obtain a new signed certificate.
Procedure

1 In the MMC window on the Windows Server host, expand the Certificates (local computer) node and select the Personal folder.
2 From the Action menu, go to All Tasks > Request New Certificate to display the Certificate Enrollment wizard.
3 Select a Certificate Enrollment Policy.
4 Select the types of certificates that you want to request, select the Make private key exportable option, and click Enroll.
5 Click Finish.
3 Modify the Certificate Friendly Name on page 85
  To configure a View Connection Server instance or security server to recognize and use an SSL certificate, you must modify the certificate Friendly name to vdm.
For more information about certificates, consult the Microsoft online help available with the Certificate snap-in to MMC.

Note: If you off-load SSL connections to an intermediate server, you must import the same SSL server certificate onto both the intermediate server and the off-loaded View server. For details, see "Off-load SSL Connections to Intermediate Servers" in the View Administration document.
3 On the General tab, delete the Friendly name text and type vdm.
4 Click Apply and click OK.
5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of vdm.
  a Locate any other server certificate, right-click the certificate, and click Properties.
  b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.
2 Right-click the Trusted Root Certification Authorities > Certificates folder and click All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the root CA certificate is stored.
4 Select the root CA certificate file and click Open.
5 Click Next, click Next, and click Finish.
6 Restart the View Composer service to make your changes take effect.
2 On the Active Directory server, navigate to the Group Policy Management plug-in.

AD Version: Windows 2003
Navigation Path:
  a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
  b Right-click your domain and click Properties.
  c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
  d Right-click Default Domain Policy, and click Edit.

AD Version: Windows 2008
Navigation Path: a b
Configure Horizon Client for iOS to Trust Root and Intermediate Certificates

If a server certificate is signed by a CA that is not trusted by iPads and iPhones that run Horizon Client for iOS, you can configure the device to trust the root and intermediate certificates. You must distribute the root certificate and all intermediate certificates in the trust chain to the devices.

Procedure

1 Send the root certificate and intermediate certificates as email attachments to the iPad.
Value   Description
1       Do not perform certificate revocation checking.
2       Check only the server certificate. Do not check any other certificates in the chain.
3       Check all certificates in the chain.
4       (Default) Check all certificates except the root certificate.

If this registry value is not set, or if the value set is not valid (that is, if the value is not 1, 2, 3, or 4), all certificates are checked except the root certificate.
2 Configure a PSG Certificate in the Windows Certificate Store on page 92
  To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the View Connection Server or security server computer on which the PSG is running.
Prerequisites

- Verify that the key length is at least 1024 bits.
- Verify that the SSL certificate is valid. The current time on the server computer must be within the certificate start and end dates.
- Verify that the certificate subject name or a subject alternate name matches the SSLCertPsgSni setting in the Windows registry. See “Verify That the Server Name Matches the PSG Certificate Subject Name,” on page 92.
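The prerequisites above, together with the earlier requirement that only one certificate in the Personal store carry a given Friendly name such as vdm, can be checked with a script. The following PowerShell is an added example, not VMware's own code: the function name Test-ViewServerCertificate and its parameters are illustrative, and the expected server name is passed in by the administrator rather than read from the registry.

```powershell
# Added example (not from the VMware document). Checks certificates in the
# local computer Personal store against the prerequisites listed above.
# Requires .NET Framework 4.6 or later for RSACertificateExtensions.
function Test-ViewServerCertificate {
    [CmdletBinding()]
    param(
        [string]$FriendlyName = 'vdm',  # Friendly name the server selects the certificate by
        [int]$MinKeyBits = 1024,        # minimum stated in the prerequisites; 2048 or more is current practice
        [string]$ExpectedName           # optional: server name clients use (for PSG, the SSLCertPsgSni value)
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
                    Where-Object { $_.FriendlyName -eq $FriendlyName })

    # Exactly one certificate may carry the Friendly name.
    if ($candidates.Count -eq 0) {
        $findings.Add("No certificate with Friendly name '$FriendlyName' in LocalMachine\My.")
    } elseif ($candidates.Count -gt 1) {
        $findings.Add("$($candidates.Count) certificates share Friendly name '$FriendlyName'.")
    }

    $now = Get-Date
    foreach ($cert in $candidates) {
        $id = $cert.Thumbprint

        # The current time must fall within the certificate start and end dates.
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings.Add("${id}: current time is outside $($cert.NotBefore) .. $($cert.NotAfter).")
        }

        # The certificate must be installed together with its private key.
        if (-not $cert.HasPrivateKey) {
            $findings.Add("${id}: no private key is associated with the certificate.")
        }

        # Key length check; GetRSAPublicKey returns $null for non-RSA keys.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($null -eq $rsa) {
            $findings.Add("${id}: public key is not RSA; key length not evaluated.")
        } elseif ($rsa.KeySize -lt $MinKeyBits) {
            $findings.Add("${id}: RSA key is $($rsa.KeySize) bits, below $MinKeyBits.")
        }

        # Name check: exact, case-insensitive match against the DNS names the
        # Cert: provider derives from the subject and SAN extension.
        # Wildcard names are not expanded here.
        if ($ExpectedName) {
            $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
            if ($names -notcontains $ExpectedName) {
                $findings.Add("${id}: '$ExpectedName' not among certificate names ($($names -join ', ')).")
            }
        }
    }

    # No output means every check passed.
    return $findings
}

# View Connection Server or security server certificate:
Test-ViewServerCertificate -FriendlyName 'vdm'
```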
Set the PSG Certificate Friendly Name in the Windows Registry

The PSG identifies the SSL certificate to use by means of the server name and certificate Friendly name. You must set the Friendly name value in the Windows registry on the View Connection Server or security server computer on which the PSG is running. The certificate Friendly name vdm is used by all View Connection Server instances and security servers.
Prerequisites

Verify that all client devices that connect to this server, including thin clients, run Horizon Client 5.2 for Windows or Horizon Client 2.0 or later releases. You must upgrade the legacy clients.

Procedure

1 Start the Windows Registry Editor on the View Connection Server or security server computer where the PCoIP Secure Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
Troubleshooting Certificate Issues on View Connection Server and Security Server

Certificate issues on a View server prevent you from connecting to View Administrator or cause a red health indicator to be displayed for a server.

Problem

You cannot connect to View Administrator on the View Connection Server instance with the problem.
Chapter 9 Configuring View for the First Time

After you install the View server software and configure SSL certificates for the servers, you must take a few additional steps to set up a working View environment. You configure user accounts for vCenter Server and View Composer, install a View license key, add vCenter Server and View Composer to your View environment, configure the PCoIP Secure Gateway and secure tunnel, and, optionally, size Windows Server settings to support your View environment.
Where to Use the vCenter Server User and View Composer Users

After you create and configure these user accounts, you specify the user names in View Administrator.

- You specify a vCenter Server user when you add vCenter Server to View.
- You specify a standalone View Composer Server user when you configure View Composer settings and select Standalone View Composer Server.
- You specify a View Composer user for AD operations when you configure View Composer domains.
2 In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add Permission, and add the vCenter Server user.
  Note: You must define the vCenter Server user at the vCenter Server level.
3 From the drop-down menu, select the Administrator role, or the View Composer or View Manager role that you created, and assign it to the vCenter Server user.
Table 9‑1. Privileges Required for the View Manager Role (Continued)

Privilege Group: Host
Privileges to Enable: The following Host privilege is required to implement View Storage Accelerator, which enables ESXi host caching. If you do not use View Storage Accelerator, the vCenter Server user does not need this privilege.
Horizon Administrator and Horizon Connection Server

Horizon Administrator provides a Web-based management interface for Horizon 7. The Horizon Connection Server can have multiple instances that serve as replica servers or security servers. Depending on your Horizon 7 deployment, you can get a Horizon Administrator interface with each instance of a Connection Server.
2 Log in as a user with credentials to access the View Administrators account.
  You specify the View Administrators account when you install a standalone Connection Server instance or the first Connection Server instance in a replicated group. The View Administrators account can be the local Administrators group (BUILTIN\Administrators) on the Connection Server computer or a domain user or group account.
In a testing environment, you can use the default certificate that is installed with vCenter Server, but you must accept the certificate thumbprint when you add vCenter Server to View.

- Verify that all View Connection Server instances in the replicated group trust the root CA certificate for the server certificate that is installed on the vCenter Server host.
What to do next

Configure View Composer settings.

- If the vCenter Server instance is configured with a signed SSL certificate, and View Connection Server trusts the root certificate, the Add vCenter Server wizard displays the View Composer Settings page.
- If the vCenter Server instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL Certificate,” on page 110.
3 If you are using View Composer, select the location of the View Composer machine.

Option: View Composer is installed on the same machine as vCenter Server.
Description:
  a Select View Composer co-installed with the vCenter Server.
  b Make sure that the port number is the same as the port that you specified when you installed the View Composer service on vCenter Server. The default port number is 18443.

Option: View Composer is installed on its own separate machine.
3 Type the domain user name, including the domain name, of the View Composer user. For example: domain.com\admin
4 Type the account password.
5 Click OK.
6 To add domain user accounts with privileges in other Active Directory domains in which you deploy linked-clone pools, repeat the preceding steps.
7 Click Next to display the Storage Settings page.

What to do next

Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.
Prerequisites

- Verify that your vCenter Server and ESXi hosts, including all ESXi hosts in a cluster, are version 5.1 with ESXi 5.1 download patch ESXi510-201212001 or later.

Procedure

1 In View Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings page.
  a Select View Configuration > Servers.
  b On the vCenter Servers tab, click Add.
View Storage Accelerator is now qualified to work in configurations that use Horizon 7 replica tiering, in which replicas are stored on a separate datastore than linked clones. Although the performance benefits of using View Storage Accelerator with Horizon 7 replica tiering are not materially significant, certain capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and supported.
Concurrent Operations Limits for vCenter Server and View Composer

When you add vCenter Server to View or edit the vCenter Server settings, you can configure several options that set the maximum number of concurrent operations that are performed by vCenter Server and View Composer. You configure these options in the Advanced Settings panel on the vCenter Server Information page.

Table 9‑3.
For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support a peak power-on rate of 16 desktops per minute. The system waits a maximum of five minutes for a desktop to start. If the start time takes longer, other errors are likely to occur. To be conservative, you can set a concurrent power operations limit of 5 times the peak power-on rate.
Procedure

1 When View Administrator displays an Invalid Certificate Detected dialog box, click View Certificate.
2 Examine the certificate thumbprint in the Certificate Information window.
3 Examine the certificate thumbprint that was configured for the vCenter Server or View Composer instance.
  a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows Certificate Store.
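Comparing two thumbprints by eye is error-prone, and a value copied from a certificate dialog can carry spaces or invisible characters. The following PowerShell is an added example, not part of the VMware document: run on the vCenter Server or View Composer host, it normalizes the thumbprint read from the Invalid Certificate Detected dialog and reports which installed certificate, if any, carries it. The function names, the default store path and the sample thumbprint are illustrative assumptions.

```powershell
# Added example (not from the VMware document).
function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory = $true)][string]$Text)

    # Keep hex digits only. This drops spaces, colons and invisible characters
    # (for example U+200E) that can be copied along with the value.
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40 -and $hex.Length -ne 64) {
        throw "Expected 40 (SHA-1) or 64 (SHA-256) hex digits, got $($hex.Length)."
    }
    return $hex
}

function Find-CertificateByThumbprint {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayedThumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed store; adjust to where the certificate is installed
    )

    $wanted = ConvertTo-NormalizedThumbprint -Text $DisplayedThumbprint
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($cert in Get-ChildItem -Path $StorePath) {
            if ($wanted.Length -eq 40) {
                # X509Certificate2.Thumbprint is the SHA-1 hash of the encoded certificate.
                $actual = $cert.Thumbprint
            } else {
                # SHA-256 over the same DER-encoded bytes.
                $actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
            }
            if ($actual -eq $wanted) {
                [pscustomobject]@{
                    Subject      = $cert.Subject
                    FriendlyName = $cert.FriendlyName
                    NotAfter     = $cert.NotAfter
                    Thumbprint   = $actual
                }
            }
        }
    } finally {
        $sha256.Dispose()
    }
}

# Constructed sample value; replace with the thumbprint shown in the dialog.
# No output means no certificate in the store has that thumbprint.
Find-CertificateByThumbprint -DisplayedThumbprint 'a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4'
```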
When the secure tunnel and secure gateways are disabled, desktop and application sessions are established directly between the client device and the remote machine, bypassing the View Connection Server or security server host. This type of connection is called a direct connection. Desktop and application sessions that use direct connections remain connected even if View Connection Server is no longer running.
4 Configure use of the PCoIP Secure Gateway.

Option: Enable the PCoIP Secure Gateway
Description: Select Use PCoIP Secure Gateway for PCoIP connections to machine.

Option: Disable the PCoIP secure Gateway
Description: Deselect Use PCoIP Secure Gateway for PCoIP connections to machine.

The PCoIP Secure Gateway is disabled by default.

5 Click OK to save your changes.
Prerequisites

If users select remote desktops by using VMware Identity Manager, verify that VMware Identity Manager is installed and configured for use with Connection Server and that Connection Server is paired with a SAML 2.0 Authentication server.

Procedure

1 In Horizon Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select a Connection Server instance and click Edit.
3 Configure use of the Blast Secure Gateway.
Configuring External URLs

You configure more than one external URL. The first URL allows client systems to make tunnel connections. A second URL allows clients that use PCoIP to make secure connections through the PCoIP Secure Gateway. In an IPv4 environment, the URL must identify a host by its IP address. In an IPv6 environment, the URL can identify a host by either its IP address or its FQDN. The URL allows clients to connect from an external location.
4 Type the PCoIP Secure Gateway external URL in the PCoIP External URL text box.
  In an IPv4 environment, specify the PCoIP external URL as an IP address with the port number 4172. In an IPv6 environment, you can specify an IP address or a fully qualified domain name, and the port number 4172. In either case, do not include a protocol name.
  For example, in an IPv4 environment: 10.20.30.40:4172
  Clients must be able to use the URL to reach the security server.
4 Type the PCoIP Secure Gateway external URL in the PCoIP External URL text box.
  In an IPv4 environment, specify the PCoIP external URL as an IP address with the port number 4172. In an IPv6 environment, you can specify an IP address or a domain name, and the port number 4172. In either case, do not include a protocol name.
  For example, in an IPv4 environment: 10.20.30.40:4172
  Clients must be able to use the URL to reach the security server.
5 On the object CN=Common, OU=Global, OU=Properties, set the pae-PreferDNS attribute value to 1.
  When this attribute is set to 1, View Connection Server returns a DNS name, if a DNS name is available and the recipient supports name resolution. Otherwise, View Connection Server returns an IP address, if an IP address of the correct type for your environment (IPv4 or IPv6) is available.
2 Add the portalHost property and set it to the address of the gateway.
  For example, if https://view-gateway.example.com is the address that browsers use to access View through the gateway, add portalHost=view-gateway.example.com to the locked.properties file.
  If the View Connection Server instance or security server is behind multiple gateways, you can specify each gateway by adding a number to the portalHost property, for example: portalHost.
Procedure

1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server computer. For example:
  install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
  The properties in the locked.properties file are case sensitive.
2 Add the serverPort or serverPortNonSsl property, or both properties, to the locked.properties file.
Procedure

1 Start the Windows Registry Editor on the View Connection Server or security server computer where the PCoIP Secure Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
3 Under this registry key, add one or more of the following String (REG_SZ) values with your updated port numbers.
6 Restart the Connection Server service or security server service to make your changes take effect.

Replace the Default Port for View Composer

The SSL certificate that is used by the View Composer service is bound to a certain port by default. You can replace the default port by using the SviConfig ChangeCertificateBindingPort utility.
Procedure

1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server computer. For example:
  install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
  The properties in the locked.properties file are case sensitive.
2 Add the following lines to the locked.properties file:
  frontMappingHttpDisabled.1=5:*:moved:https::port
  frontMappingHttpDisabled.
Sizing Windows Server Settings to Support Your Deployment

To support a large deployment of remote desktops, you can configure the Windows Server computers on which you install View Connection Server. On each computer, you can size the Windows page-file. On Windows Server 2008 R2 and Windows Server 2012 R2 computers, the ephemeral ports, TCB hash table, and Java Virtual Machine settings are sized by default.
Procedure

1 On the Windows Server computer on which View Connection Server is installed, navigate to the Virtual Memory dialog box.
  By default, Custom size is selected. An initial and maximum page-file size appear.
2 Click System managed size.
  Windows continually recalculates the system page-file size based on current memory use and available memory.
Chapter 10 Configuring Event Reporting

You can create an event database to record information about View events. In addition, if you use a Syslog server, you can configure View Connection Server to send events to a Syslog server or create a flat file of events written in Syslog format.
2 Add a user for this database that has permission to create tables, views, and, in the case of Oracle, triggers and sequences, as well as permission to read from and write to these objects.
  For a Microsoft SQL Server database, do not use the Integrated Windows Authentication security model method of authentication. Be sure to use the SQL Server Authentication method of authentication.
You can use Microsoft SQL Server or Oracle database reporting tools to examine events in the database tables. For more information, see the View Integration document.

You can also generate View events in Syslog format so that the event data can be accessible to third-party analytics software. You use the vdmadmin command with the -I option to record View event messages in Syslog format in event log files.
Configure Event Logging for Syslog Servers

You can generate View events in Syslog format so that the event data can be accessible to analytics software. You need to configure only one host in a View Connection Server group. The remaining hosts in the group are configured automatically. If you enable file-based logging of events, events are accumulated in a local log file. If you specify a file share, these log files are moved to that share.