VMware Horizon View Architecture Planning, 5.2
The desktop has a lifetime controlled through policy. If the client loses contact with View Connection Server,
the maximum time without server contact is the period in which the user can continue to use the desktop before
the user is refused access. On the client side, this expiration policy is stored in a file that is encrypted by a key
that is built into the application. This built-in key prevents users who have access to the password from
circumventing the expiration policy.
Choosing a User Authentication Method
Horizon View uses your existing Active Directory infrastructure for user authentication and management. For
added security, you can integrate Horizon View with two-factor authentication solutions, such as RSA SecurID
and RADIUS, and smart card authentication solutions.
- Active Directory Authentication
  Each View Connection Server instance is joined to an Active Directory domain, and users are
  authenticated against Active Directory for the joined domain. Users are also authenticated against any
  additional user domains with which a trust agreement exists.
- Using Two-Factor Authentication
  You can configure a View Connection Server instance so that users are required to use RSA SecurID
  authentication or RADIUS (Remote Authentication Dial-In User Service) authentication.
- Smart Card Authentication
  A smart card is a small plastic card that is embedded with a computer chip. Many government agencies
  and large enterprises use smart cards to authenticate users who access their computer networks. A smart
  card is also referred to as a Common Access Card (CAC).
- Using the Log In as Current User Feature Available with Windows-Based View Client
  With View Client for Windows, when users select the Log in as current user check box, the credentials
  that they provided when logging in to the client system are used to authenticate to the View Connection
  Server instance and to the View desktop. No further user authentication is required.
Active Directory Authentication
Each View Connection Server instance is joined to an Active Directory domain, and users are authenticated
against Active Directory for the joined domain. Users are also authenticated against any additional user
domains with which a trust agreement exists.
For example, if a View Connection Server instance is a member of Domain A and a trust agreement exists
between Domain A and Domain B, users from both Domain A and Domain B can connect to the View
Connection Server instance with View Client.
Similarly, if a trust agreement exists between Domain A and an MIT Kerberos realm in a mixed domain
environment, users from the Kerberos realm can select the Kerberos realm name when connecting to the View
Connection Server instance with View Client.
View Connection Server determines which domains are accessible by traversing trust relationships, starting
with the domain in which the host resides. For a small, well-connected set of domains, View Connection Server
can quickly determine a full list of domains, but the time that it takes increases as the number of domains
increases or as the connectivity between the domains decreases. The list might also include domains that you
would prefer not to offer to users when they log in to their desktops.
Administrators can use the vdmadmin command-line interface to configure domain filtering, which limits the
domains that a View Connection Server instance searches and that it displays to users. See the
VMware Horizon View Administration document for more information.
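The following added example (not VMware code and not from the original document) is a simplified model of the trust traversal and domain filtering described above, useful for reviewing which domains a login screen would offer before you configure filtering. The trust map, the domain names, and the `no_search` and `hidden` parameters are constructed for illustration and do not represent the product's actual algorithm or vdmadmin options.

```python
from collections import deque

# Constructed trust map (an assumption, not from the original page): each key
# is a domain, each value lists the domains it has a trust agreement with.
TRUSTS = {
    "domain-a.example": ["domain-b.example", "KERBEROS.EXAMPLE"],
    "domain-b.example": ["lab.example", "partner.example"],
    "partner.example": ["partner-dev.example"],
}

def discover_domains(host_domain, trusts, no_search=frozenset()):
    """Breadth-first walk of trust relationships starting at the host's domain.

    Domains in no_search are neither listed nor traversed, so anything
    reachable only through them is never discovered.
    Returns the domains in discovery order plus the number of lookups made.
    """
    seen, order, lookups = {host_domain}, [host_domain], 0
    queue = deque([host_domain])
    while queue:
        current = queue.popleft()
        lookups += 1  # one trust enumeration per searched domain
        for trusted in trusts.get(current, []):
            if trusted in seen or trusted in no_search:
                continue
            seen.add(trusted)
            order.append(trusted)
            queue.append(trusted)
    return order, lookups

def offered_domains(host_domain, trusts, no_search=frozenset(), hidden=frozenset()):
    """Domains shown at login: discovered domains minus the hidden ones."""
    found, _ = discover_domains(host_domain, trusts, no_search)
    return [d for d in found if d not in hidden]

def unexpected_domains(offered, approved):
    """Domains offered to users that are not on the approved list."""
    return [d for d in offered if d not in approved]

if __name__ == "__main__":
    unfiltered = offered_domains("domain-a.example", TRUSTS)
    approved = {"domain-a.example", "domain-b.example", "KERBEROS.EXAMPLE"}
    print("unfiltered:", unfiltered)
    print("unexpected:", unexpected_domains(unfiltered, approved))
    filtered = offered_domains("domain-a.example", TRUSTS,
                               no_search={"partner.example"}, hidden={"lab.example"})
    print("filtered:  ", filtered)
```

In this model, excluding one domain from the search also removes every domain reachable only through it, and reduces the number of lookups the traversal performs.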
Policies, such as restricting permitted hours to log in and setting the expiration date for passwords, are also
handled through existing Active Directory operational procedures.