5.2
VMware Horizon View Architecture Planning
Using Two-Factor Authentication
You can configure a View Connection Server instance so that users are required to use RSA SecurID
authentication or RADIUS (Remote Authentication Dial-In User Service) authentication.
With Horizon View 5.1 and later releases, RADIUS support has been added to the two-factor authentication
feature included with Horizon View:
- RADIUS support offers a wide range of alternative two-factor token-based authentication options.
- Horizon View now provides an open standard extension interface to allow third-party solution providers
  to integrate advanced authentication extensions into Horizon View.
Because two-factor authentication solutions such as RSA SecurID and RADIUS work with authentication
managers that are installed on separate servers, you must have those servers configured and accessible to the View
Connection Server host. For example, if you use RSA SecurID, the authentication manager would be RSA
Authentication Manager. If you have RADIUS, the authentication manager would be a RADIUS server.
To use two-factor authentication, each user must have a token, such as an RSA SecurID token, that is registered
with its authentication manager. A two-factor authentication token is a piece of hardware or software that
generates an authentication code at fixed intervals. Often authentication requires knowledge of both a PIN and
an authentication code.
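The token check described above, as an added example that is not VMware or RSA code: RSA SecurID's algorithm is proprietary, so this sketch uses the open TOTP standard (RFC 6238) as a stand-in to show how an authentication manager can validate a PIN plus a code that changes at fixed intervals, tolerate clock drift, and refuse a replayed code. The `TokenRecord` class, the PIN-followed-by-code passcode layout, and the sample secret, salt and PIN are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each token code stays valid (RFC 6238 default)
DIGITS = 6    # length of the displayed code

def token_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code a token shows at unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TokenRecord:
    """Hypothetical per-token state held by an authentication manager."""
    def __init__(self, secret: bytes, pin: str, salt: bytes):
        self.secret = secret
        self.salt = salt
        self.pin_digest = pin_hash(pin, salt)    # never store the PIN itself
        self.last_step = -1                      # newest time step already accepted

def verify_passcode(rec: TokenRecord, passcode: str, now: int, drift: int = 1) -> bool:
    """Accept PIN+code only if the PIN matches, the code is valid within
    +/- drift time steps, and that step has not been accepted before."""
    pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    pin_ok = hmac.compare_digest(pin_hash(pin, rec.salt), rec.pin_digest)
    matched = None
    current = now // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        candidate = token_code(rec.secret, step * STEP)
        if hmac.compare_digest(candidate.encode(), code.encode()):
            matched = step
    if not pin_ok or matched is None or matched <= rec.last_step:
        return False
    rec.last_step = matched                      # burn the step: blocks replay
    return True

if __name__ == "__main__":
    # Constructed sample values; the secret is the RFC 6238 test key.
    rec = TokenRecord(b"12345678901234567890", "4821", b"constructed-salt")
    print(verify_passcode(rec, "4821" + token_code(rec.secret, 59), now=59))  # first use
    print(verify_passcode(rec, "4821" + token_code(rec.secret, 59), now=59))  # replay
```
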
If you have multiple View Connection Server instances, you can configure two-factor authentication on some
instances and a different user authentication method on others. For example, you can configure two-factor
authentication only for users who access View desktops remotely over the Internet.
View is certified through the RSA SecurID Ready program and supports the full range of SecurID capabilities,
including New PIN Mode, Next Token Code Mode, RSA Authentication Manager, and load balancing.
Smart Card Authentication
A smart card is a small plastic card that is embedded with a computer chip. Many government agencies and
large enterprises use smart cards to authenticate users who access their computer networks. A smart card is
also referred to as a Common Access Card (CAC).
Smart card authentication is supported by the Windows-based View Client and View Client with Local Mode,
and some other types of clients. It is not supported by View Administrator. For information about whether a
particular type of client supports smart cards, see the Horizon View clients documentation at
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Administrators can enable individual View Connection Server instances for smart card authentication.
Enabling a View Connection Server instance to use smart card authentication typically involves adding your
root certificate to a truststore file and then modifying View Connection Server settings.
All client connections, including client connections that use smart card authentication, are SSL enabled.
To use smart cards, client machines must have smart card middleware and a smart card reader. To install
certificates on smart cards, you must set up a computer to act as an enrollment station.
To use smart cards with local desktops, you must select a 1024-bit or 2048-bit key size during smart card
enrollment. Certificates with 512-bit keys are not supported for local desktops. By default, View Connection
Server uses AES-128 to encrypt the virtual disk file when users check in and check out a local desktop. You
can change the encryption key cipher to AES-192 or AES-256.
Chapter 5 Planning for Security Features
VMware, Inc.