View Agent Direct-Connection Plug-In Administration
Modified for Horizon 7 7.3.2
VMware Horizon 7 7.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to docfeedback@vmware.com
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com
Copyright © 2013–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents

View Agent Direct-Connection Plug-In Administration
1 Installing View Agent Direct-Connection Plug-In
    View Agent Direct-Connection Plug-In System Requirements
    Install View Agent Direct-Connection Plug-In
    Install View Agent Direct-Connection Plug-In Silently
2 View Agent Direct-Connection Plug-In Advanced Configuration
    View Agent Direct-Connection Plug-In Configuration Settings
    Disabling Weak Ciphers in SSL/TLS
    Replacing the Default Self-Signed SSL Server Certificate
View Agent Direct-Connection Plug-In Administration

View Agent Direct-Connection Plug-In Administration provides information about installing and configuring View Agent Direct-Connection Plug-In. This plug-in is an installable extension to View Agent that allows Horizon Client to directly connect to a virtual machine-based desktop, a Remote Desktop Services (RDS) desktop, or an application without using View Connection Server.
1 Installing View Agent Direct-Connection Plug-In

View Agent Direct-Connection (VADC) Plug-In enables Horizon Clients to directly connect to virtual machine-based desktops, RDS desktops, or applications. VADC Plug-In is an extension to View Agent and is installed on virtual machine-based desktops or RDS hosts.
Install View Agent Direct-Connection Plug-In

View Agent Direct-Connection (VADC) Plug-In is packaged in a Windows Installer file that you can download from the VMware Web site and install.

Prerequisites
- Verify that View Agent is installed. If your environment does not include View Connection Server, install View Agent from the command line and specify a parameter that tells View Agent not to register with View Connection Server.
Install View Agent Direct-Connection Plug-In Silently

You can use the silent installation feature of Microsoft Windows Installer (MSI) to install View Agent Direct-Connection (VADC) Plug-In. In a silent installation, you use the command line and do not have to respond to wizard prompts. With silent installation, you can efficiently deploy VADC Plug-In in a large enterprise.
2 View Agent Direct-Connection Plug-In Advanced Configuration

You can use the default View Direct-Connection Plug-In configuration settings or customize them through Windows Active Directory group policy objects (GPOs) or by modifying specific Windows registry settings.
Table 2-1. View Agent Direct-Connection Plug-In Configuration Settings (Continued)

| Setting | Registry Value | Type | Description |
| --- | --- | --- | --- |
| Default Protocol | defaultProtocol | REG_SZ | The default display protocol used by Horizon Client to connect to the desktop. If the value is not set, then the default value is BLAST. |
| Disclaimer Enabled | disclaimerEnabled | REG_SZ | The value can be set to TRUE or FALSE. |
Table 2-1. View Agent Direct-Connection Plug-In Configuration Settings (Continued)

| Setting | Registry Value | Type | Description |
| --- | --- | --- | --- |
| External IP Address | externalIPAddress | REG_SZ | The IPV4 address sent to Horizon Client for the destination IP address that is used for secondary protocols (RDP, PCoIP, Framework channel, and so on). Only set this value if the externally exposed address does not match the address of the desktop machine. |
Table 2-1. View Agent Direct-Connection Plug-In Configuration Settings (Continued)

| Setting | Registry Value | Type | Description |
| --- | --- | --- | --- |
| Smart Card Certificate Source | x509SSLCertAuth | REG_SZ | Indicates that the smart card certificate is obtained from the SSL negotiation. The value must be set to TRUE whenever x509CertAuth is set to 1 or 2. The default value is FALSE. Changing this setting requires a restart of the View Agent service. |
Disabling Weak Ciphers in SSL/TLS

To achieve greater security, you can configure the domain policy GPO (group policy object) to ensure that communications that use the SSL/TLS protocol between Horizon Clients and virtual machine-based desktops or RDS hosts do not allow weak ciphers.

Procedure
1 On the Active Directory server, edit the GPO by selecting Start > Administrative Tools > Group Policy Management, right-clicking the GPO, and selecting Edit.
Replacing the Default Self-Signed SSL Server Certificate

A self-signed SSL server certificate cannot give Horizon Client sufficient protection against threats of tampering and eavesdropping. To protect your desktops from these threats, you must replace the generated self-signed certificate.
Using Network Address Translation and Port Mapping

Network Address Translation (NAT) and port mapping configuration are required if Horizon Clients connect to virtual machine-based desktops on different networks. In the examples included here, you must configure external addressing information on the desktop so that Horizon Client can use this information to connect to the desktop by using NAT or a port mapping device.
Figure 2-2. PCoIP From a Client via a NAT Device Showing the Failure
[Figure labels: NAT/PNAT; PCoIP Client, IP address 10.1.1.9; View Desktop (PCoIP server), IP address 192.168.1.1; TCP DST 192.168.1.1:4172, SRC 10.1.1.9:?]

To resolve this problem, you must configure the plug-in to use an external IP address. If externalIPAddress is configured as 10.1.1.1 for this desktop, the plug-in gives the client an IP address of 10.1.1.
Advanced Addressing Scheme

When you configure virtual machine-based desktops to be accessible through a NAT and port mapping device on the same external IP address, you must give each desktop a unique set of port numbers. The clients can then use the same destination IP address, but use a unique TCP port number for the HTTPS connection to direct the connection to a specific virtual desktop.
Table 2-2. NAT and Port Mapping Values (Continued)

| VM# | Desktop IP Address | HTTPS | RDP | PCOIP (TCP and UDP) | Framework Channel |
| --- | --- | --- | --- | --- | --- |
| 2 | 192.168.0.2 | 10.20.30.40:1010 -> 192.168.0.2:443 | 10.20.30.40:1011 -> 192.168.0.2:3389 | 10.20.30.40:1012 -> 192.168.0.2:4172 | 10.20.30.40:1013 -> 192.168.0.2:32111 |
| 3 | 192.168.0.3 | 10.20.30.40:1015 -> 192.168.0.3:443 | 10.20.30.40:1016 -> 192.168.0.3:3389 | 10.20.30.40:1017 -> 192.168.0.3:4172 | 10.20.30.40:1018 -> 192.168.0. |
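The addressing scheme in Table 2-2 can be generated and checked for port collisions before it is entered on the NAT device. This PowerShell is an added example, not part of the VMware documentation; the function names and the base/stride numbering rule are assumptions inferred from the two visible rows, and it generalizes the table to any list of VM numbers.

```powershell
# Added example: build and check a NAT port plan shaped like Table 2-2.
$ExternalIP = '10.20.30.40'   # external address used in the table
# Desktop-side ports from the right-hand side of the table's mappings.
# The PCoIP mapping has to exist for both TCP and UDP (see the table header).
$Services = [ordered]@{ HTTPS = 443; RDP = 3389; PCoIP = 4172; FrameworkChannel = 32111 }

function New-DesktopPortPlan {          # hypothetical helper name
    param(
        [int[]]$VmNumbers,
        [string]$Subnet = '192.168.0',
        [int]$Base = 1000,              # assumption: inferred from rows 2 and 3
        [int]$Stride = 5                # assumption: inferred from rows 2 and 3
    )
    foreach ($n in $VmNumbers) {
        $offset = 0
        foreach ($name in $Services.Keys) {
            [pscustomobject]@{
                VM           = $n
                Service      = $name
                ExternalPort = $Base + $Stride * $n + $offset
                Internal     = "$Subnet.${n}:$($Services[$name])"
            }
            $offset++
        }
    }
}

function Test-DesktopPortPlan {         # hypothetical helper name
    param([object[]]$Plan)
    $issues = @()
    # Two desktops behind one external IP must never share an external port.
    $Plan | Group-Object ExternalPort | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $issues += "port $($_.Name) is assigned $($_.Count) times"
    }
    $Plan | Where-Object { $_.ExternalPort -lt 1 -or $_.ExternalPort -gt 65535 } | ForEach-Object {
        $issues += "VM $($_.VM) $($_.Service): port $($_.ExternalPort) is out of range"
    }
    return $issues
}

$plan = New-DesktopPortPlan -VmNumbers 2, 3
$plan | Format-Table VM, Service,
    @{ Name = 'Mapping'; Expression = { "${ExternalIP}:$($_.ExternalPort) -> $($_.Internal)" } }
$issues = Test-DesktopPortPlan -Plan $plan
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Plan has no collisions.' }
```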
7 If the smart card certificate is issued by an intermediate CA, import all intermediate certificates in the certificate chain.
    a Go to the Certificates (Local Computer) > Intermediate Certification Authorities > Certificates folder.
    b Repeat steps 3 through 6 for each intermediate certificate.
3 Setting Up HTML Access

View Agent Direct-Connection (VADC) Plug-In supports HTML Access to virtual machine-based desktops and RDS desktops. HTML Access to RDS applications is not supported.
Set Up Static Content Delivery

If the HTML Access client needs to be served by the desktop, you must perform some setup tasks on the desktop. This enables a user to point a browser directly at a desktop.

Prerequisites
- Download the View HTML Access portal.war zip file from the VMware download page at http://www.vmware.com/go/downloadview. The filename is VMware-Horizon-View-HTML-Access-y.y.y-xxxxxx.zip, where y.y.
19 Unzip VMware-Horizon-View-HTML-Access-y.y.y-xxxxxx.zip. The result is a file named portal.war.
20 Rename portal.war to portal.zip.
21 Unzip portal.zip to the folder C:\inetpub\wwwroot. If necessary, adjust the permissions on the folder to allow files to be added. The folder C:\inetpub\wwwroot\portal is created.
22 Open Notepad.
23 Create the file C:\inetpub\wwwroot\Default.
4 Copy the Thumbprint value.
5 Start the Windows Registry Editor.
6 Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config.
7 Add a new String (REG_SZ) value, SslHash, to this registry key.
8 Set the SslHash value to the Thumbprint value.
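After step 8, the SslHash value can be checked against the certificate store to catch a mistyped or stale thumbprint. This PowerShell is an added example, not part of the VMware documentation; it assumes the certificate is in the local computer's Personal store, and the function name is hypothetical. The registry key and value name are the ones given in steps 6 and 7.

```powershell
# Added example: verify that SslHash points at a usable certificate.
$key = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config'

function ConvertTo-HexThumbprint {      # hypothetical helper name
    param([string]$Text)
    # Drop spaces, colons and the invisible characters that can come along
    # when a thumbprint is copied out of the certificate dialog.
    return ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Throws if the value was never created (step 7 skipped).
$raw   = (Get-ItemProperty -Path $key -Name SslHash -ErrorAction Stop).SslHash
$thumb = ConvertTo-HexThumbprint $raw
if ($thumb.Length -ne 40) {
    throw "SslHash does not contain a 40-digit SHA-1 thumbprint: '$raw'"
}

# Assumption: the certificate lives in the local computer's Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My"
}

$now = Get-Date
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
if ($cert.NotAfter -lt $now)  { $problems += "expired $($cert.NotAfter)" }
# Heuristic: identical subject and issuer usually means self-signed.
if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed' }

[pscustomobject]@{
    Thumbprint = $thumb
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter
    Problems   = $problems -join '; '
}
```

An empty Problems field means the thumbprint resolves to a certificate that is currently valid, has a private key, and is not self-signed.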
4 Setting Up View Agent Direct Connection on Remote Desktop Services Hosts

Horizon 7 supports Remote Desktop Services (RDS) hosts that provide RDS desktops and applications that users can access from Horizon Clients. An RDS desktop is based on a desktop session to an RDS host. In a typical Horizon 7 deployment, clients connect to desktops and applications through Horizon Connection Server.
Entitle RDS Desktops and Applications

You must entitle users to RDS desktops and applications before the users can access the desktops and applications. If the RDS host is running Windows Server 2008 R2 SP1, run RemoteApp Manager to configure entitlements. If the RDS host is running Windows Server 2012 or 2012 R2, run Server Manager and navigate to Remote Desktop Services to configure entitlements.
5 Troubleshooting View Agent Direct-Connection Plug-In

When using View Agent Direct-Connection Plug-In, you might encounter known issues. When you investigate a problem with View Agent Direct-Connection Plug-In, make sure that the correct version is installed and running. If a support issue needs to be raised with VMware, always enable full logging, reproduce the problem, and generate a Data Collection Tool (DCT) log set. VMware technical support can then analyze these logs.
Insufficient Video RAM

To support PCoIP, a virtual machine that runs a desktop or an RDS host must have a minimum of 128 MB of video RAM.

Problem
A black screen is displayed when a user connects to a desktop or an application using PCoIP.

Cause
The virtual machine does not have enough video RAM.

Solution
- Configure at least 128 MB of video RAM for each virtual machine.