5.3

Certificates with Subject Alternative Name (SAN) and wildcard certificates are supported.
NOTE To distribute the CA signed SSL Server Certificates to a large number of View desktops using the
View Agent Direct-Connection Plugin, use Active Directory Enrollment to distribute the certificates to each
virtual machine. For more information see: http://technet.microsoft.com/en-us/library/cc732625.aspx
Authorizing View Client to Access the View Desktop
The authorization mechanism that allows a View Client user to access the View desktop directly is
controlled within a local operating system group called View Agent Direct-Connection Users.
If a user is a member of this group, that user is authorized to connect to the desktop directly. When the
plugin is first installed, this local group is created and contains the Authenticated Users group. Anyone who
is successfully authenticated by the plugin is authorized to access the desktop.
To restrict access to this desktop, you can modify the membership of this group to specify a list of users and
user groups. These users can be local or domain users and user groups. If the View Client user is not in this
group, the user gets a message after authentication saying that the user is not entitled to access this desktop.
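The membership change described above can be scripted. The following is an added example, not code from the VMware documentation. It assumes an elevated PowerShell session with the Microsoft.PowerShell.LocalAccounts cmdlets available, and `EXAMPLE\VDI-Direct-Users` is a hypothetical domain group standing in for your own list of users and groups.

```powershell
# Added example: audit and restrict the local group that authorizes direct connections.
# Assumption: 'EXAMPLE\VDI-Direct-Users' is a hypothetical group; replace it with your own.
# Run with -WhatIf first to preview the changes without applying them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $GroupName = 'View Agent Direct-Connection Users',
    [string[]] $Allowed   = @('EXAMPLE\VDI-Direct-Users')
)

# Well-known SID for Authenticated Users; matching on the SID avoids
# depending on the localized display name of the group.
$authUsersSid = 'S-1-5-11'

# 1. Report current membership so the starting state is recorded.
$members = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop)
$members | Select-Object Name, SID, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Add the intended principals first, so access is never left empty
#    between the add and the remove.
foreach ($principal in $Allowed) {
    if ($members.Name -notcontains $principal) {
        Add-LocalGroupMember -Group $GroupName -Member $principal -ErrorAction Stop
    }
}

# 3. Remove the install-time default that authorizes every authenticated user.
if ($members.SID.Value -contains $authUsersSid) {
    Write-Warning "$GroupName still contains Authenticated Users; removing it."
    Remove-LocalGroupMember -Group $GroupName -Member $authUsersSid -ErrorAction Stop
}

# 4. Flag any remaining member that is not on the allow list for manual review.
Get-LocalGroupMember -Group $GroupName |
    Where-Object { $Allowed -notcontains $_.Name -and $_.SID.Value -ne $authUsersSid } |
    ForEach-Object { Write-Warning "Unexpected member: $($_.Name) ($($_.SID.Value))" }
```

Step 4 only reports unexpected members and does not remove them, so entries added deliberately on a particular desktop are not lost.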
Using Network Address Translation and Port Mapping
Network Address Translation (NAT) and port mapping configuration are required if View Clients connect
to View desktops on different networks.
In the examples included here, you must configure external addressing information on the View desktop so
that View Client can use this information to connect to the View desktop by using NAT or a port mapping
device. This URL is the same as the External URL and PCoIP External URL settings on View Connection
Server and security server.
When View Client is on a different network and a NAT device is between View Client and the View virtual
desktop running the plugin, a NAT or port mapping configuration is required. For example, if there is a
firewall between the View Client and the View virtual desktop, the firewall is acting as a NAT or port
mapping device.
An example deployment of a View desktop whose IP address is 192.168.1.1 illustrates the configuration of
NAT and port mapping. A View Client system with an IP address of 192.168.1.9 on the same network
establishes a PCoIP connection by using TCP and UDP. This connection is direct without any NAT or port
mapping configuration.
Figure 21. Direct PCoIP from a Client on the Same Network
[Figure: the PCoIP Client (IP address 192.168.1.9) connects directly to the PCoIP server on the View Desktop (IP address 192.168.1.1).
TCP: DST 192.168.1.1:4172, SRC 192.168.1.9:?
UDP: DST 192.168.1.1:4172, SRC 192.168.1.9:55000
UDP: DST 192.168.1.9:55000, SRC 192.168.1.1:4172]
If you add a NAT device between the client and desktop so that they are operating in a different address
space and do not make any configuration changes to the plugin, the PCoIP packets will not be routed
correctly and will fail. In this example, the client is using a different address space and has an IP address of
10.1.1.9. This setup fails because the client will use the address of the desktop to send the TCP and UDP
PCoIP packets. The destination address of 192.168.1.1 will not work from the client network and might
cause the client to display a blank screen.
Chapter 2 VMware Horizon View Agent Direct-Connection Plugin Advanced Configuration
VMware, Inc.