5.2
Table Of Contents
- VMware Horizon View Architecture Planning
- Contents
- VMware Horizon View Architecture Planning
- Introduction to Horizon View
- Planning a Rich User Experience
- Feature Support Matrix
- Choosing a Display Protocol
- Using View Persona Management to Retain User Data and Settings
- Benefits of Using View Desktops in Local Mode
- Accessing USB Devices Connected to a Local Computer
- Printing from a View Desktop
- Streaming Multimedia to a View Desktop
- Using Single Sign-On for Logging In to a View Desktop
- Using Multiple Monitors with a View Desktop
- Managing Desktop Pools from a Central Location
- Architecture Design Elements and Planning Guidelines
- Virtual Machine Requirements
- Horizon View ESX/ESXi Node
- Desktop Pools for Specific Types of Workers
- Desktop Virtual Machine Configuration
- vCenter Server and View Composer Virtual Machine Configuration
- View Connection Server Maximums and Virtual Machine Configuration
- View Transfer Server Virtual Machine Configuration and Storage
- vSphere Clusters
- Storage and Bandwidth Requirements
- Horizon View Building Blocks
- Horizon View Pods
- Advantages of Using Multiple vCenter Servers in a Pod
- Planning for Security Features
- Understanding Client Connections
- Choosing a User Authentication Method
- Restricting View Desktop Access
- Using Group Policy Settings to Secure View Desktops
- Implementing Best Practices to Secure Client Systems
- Assigning Administrator Roles
- Preparing to Use a Security Server
- Understanding Horizon View Communications Protocols
- Overview of Steps to Setting Up a Horizon View Environment
- Index
n
Because Horizon View manages the HTTPS connection, the reliability of the underlying protocols is
significantly improved. If a user temporarily loses a network connection, the HTTP connection is
reestablished after the network connection is restored and the RDP connection automatically resumes
without requiring the user to reconnect and log in again.
In a standard deployment of View Connection Server instances, the HTTPS secure connection terminates at
the View Connection Server. In a DMZ deployment, the HTTPS secure connection terminates at a security
server. See “Preparing to Use a Security Server,” on page 69 for information on DMZ deployments and
security servers.
Clients that use the PCoIP display protocol can use the tunnel connection for USB redirection and multimedia
redirection (MMR) acceleration, but for all other data, PCoIP uses the PCoIP Secure Gateway on a security
server. For more information, see “Client Connections Using the PCoIP Secure Gateway,” on page 62.
Direct Client Connections
Administrators can configure View Connection Server settings so that View desktop sessions are established
directly between the client system and the View desktop virtual machine, bypassing the View Connection
Server host. This type of connection is called a direct client connection.
With direct client connections, an HTTPS connection is still made between the client and the View Connection
Server host for users to authenticate and select View desktops, but the second HTTPS connection (the tunnel
connection) is not used.
Direct PCoIP connections include the following built-in security features:
n
PCoIP supports Advanced Encryption Standard (AES) encryption, which is turned on by default.
n
The hardware implementation of PCoIP uses both AES and IP Security (IPsec).
n
PCoIP works with third-party VPN clients.
For clients that use the Microsoft RDP display protocol, direct client connections are appropriate only if your
deployment is inside a corporate network. With direct client connections, RDP traffic is sent unencrypted over
the connection between the client and the View desktop virtual machine.
View Client with Local Mode Client Connections
View Client with Local Mode offers mobile users the ability to check out View desktops onto their local
computer.
View Client with Local Mode supports both tunneled and nontunneled communications for LAN-based data
transfers. Communication between View Client and View Connection Server is encrypted. With tunneled
communications, all traffic is routed through the View Connection Server host, and you can specify whether
to encrypt data transfers between View Connection Server and View Transfer Server. With nontunneled
communications, data is transferred directly between the local desktop on the client system and the View
Transfer Server. You can also specify whether to encrypt these data transfers.
Local data is always encrypted on the user's computer, regardless of whether you configure tunneled or
nontunneled communications.
The data disk stored locally on client systems is encrypted using a default encryption strength of AES-128. The
encryption keys are stored encrypted on the client system with a key derived from a hash of the user's
credentials (username and password or smart card and PIN). On the server side, the key is stored in View
LDAP. Whatever security measures you use to protect View LDAP on the server also protect the local mode
encryption keys stored in LDAP.
NOTE You can change the encryption key cipher from AES-128 to AES-192 or AES-256.
Chapter 5 Planning for Security Features
VMware, Inc. 63