5.2
Table Of Contents
- VMware Horizon View Architecture Planning
- Contents
- VMware Horizon View Architecture Planning
- Introduction to Horizon View
- Planning a Rich User Experience
- Feature Support Matrix
- Choosing a Display Protocol
- Using View Persona Management to Retain User Data and Settings
- Benefits of Using View Desktops in Local Mode
- Accessing USB Devices Connected to a Local Computer
- Printing from a View Desktop
- Streaming Multimedia to a View Desktop
- Using Single Sign-On for Logging In to a View Desktop
- Using Multiple Monitors with a View Desktop
- Managing Desktop Pools from a Central Location
- Architecture Design Elements and Planning Guidelines
- Virtual Machine Requirements
- Horizon View ESX/ESXi Node
- Desktop Pools for Specific Types of Workers
- Desktop Virtual Machine Configuration
- vCenter Server and View Composer Virtual Machine Configuration
- View Connection Server Maximums and Virtual Machine Configuration
- View Transfer Server Virtual Machine Configuration and Storage
- vSphere Clusters
- Storage and Bandwidth Requirements
- Horizon View Building Blocks
- Horizon View Pods
- Advantages of Using Multiple vCenter Servers in a Pod
- Planning for Security Features
- Understanding Client Connections
- Choosing a User Authentication Method
- Restricting View Desktop Access
- Using Group Policy Settings to Secure View Desktops
- Implementing Best Practices to Secure Client Systems
- Assigning Administrator Roles
- Preparing to Use a Security Server
- Understanding Horizon View Communications Protocols
- Overview of Steps to Setting Up a Horizon View Environment
- Index
Using the Log In as Current User Feature Available with Windows-Based View
Client
With View Client for Windows, when users select the Log in as current user check box, the credentials that
they provided when logging in to the client system are used to authenticate to the View Connection Server
instance and to the View desktop. No further user authentication is required.
To support this feature, user credentials are stored on both the View Connection Server instance and on the
client system.
n
On the View Connection Server instance, user credentials are encrypted and stored in the user session
along with the username, domain, and optional UPN. The credentials are added when authentication
occurs and are purged when the session object is destroyed. The session object is destroyed when the user
logs out, the session times out, or authentication fails. The session object resides in volatile memory and
is not stored in View LDAP or in a disk file.
n
On the client system, user credentials are encrypted and stored in a table in the Authentication Package,
which is a component of View Client. The credentials are added to the table when the user logs in and are
removed from the table when the user logs out. The table resides in volatile memory.
Administrators can use View Client group policy settings to control the availability of the Log in as current
user check box and to specify its default value. Administrators can also use group policy to specify which View
Connection Server instances accept the user identity and credential information that is passed when users
select the Log in as current user check box in View Client.
The Log in as current user feature has the following limitations and requirements:
n
When smart card authentication is set to Required on a View Connection Server instance, authentication
fails for users who select the Log in as current user check box when they connect to the View Connection
Server instance. These users must reauthenticate with their smart card and PIN when they log in to View
Connection Server.
n
Users cannot check out a desktop for use in local mode if they selected the Log in as current user check
box when they logged in.
n
The time on the system where the client logs in and the time on the View Connection Server host must be
synchronized.
n
If the default Access this computer from the network user-right assignments are modified on the client
system, they must be modified as described in VMware Knowledge Base (KB) article 1025691.
n
The client machine must be able to communicate with the corporate Active Directory server and not use
cached credentials for authentication. For example, if users log in to their client machines from outside
the corporate network, cached credentials are used for authentication. If the user then attempts to connect
to a security server or a View Connection Server instance without first establishing a VPN connection, the
user is prompted for credentials, and the Log in as Current User feature does not work.
Restricting View Desktop Access
You can use the restricted entitlements feature to restrict View desktop access based on the View Connection
Server instance that a user connects to.
With restricted entitlements, you assign one or more tags to a View Connection Server instance. Then, when
configuring a desktop pool, you select the tags of the View Connection Server instances that you want to be
able to access the desktop pool. When users log in through a tagged View Connection Server instance, they
can access only those desktop pools that have at least one matching tag or no tags.
VMware Horizon View Architecture Planning
66 VMware, Inc.