VMware Horizon View Architecture Planning
For example, your Horizon View deployment might include two View Connection Server instances. The first
instance supports your internal users. The second instance is paired with a security server and supports your
external users. To prevent external users from accessing certain desktops, you could set up restricted
entitlements as follows:
- Assign the tag "Internal" to the View Connection Server instance that supports your internal users.
- Assign the tag "External" to the View Connection Server instance that is paired with the security server and supports your external users.
- Assign the "Internal" tag to the desktop pools that should be accessible only to internal users.
- Assign the "External" tag to the desktop pools that should be accessible only to external users.
External users cannot see the desktop pools tagged as Internal because they log in through the View Connection
Server tagged as External, and internal users cannot see the desktop pools tagged as External because they log
in through the View Connection Server tagged as Internal. Figure 5-1 illustrates this configuration.
Figure 5-1. Restricted Entitlements Example
[Figure: a remote View Client on the external network connects through a View Security Server in the DMZ to the View Connection Server tagged "External", which serves desktop pool A (tag "External"). A local View Client connects to the View Connection Server tagged "Internal", which serves desktop pool B (tag "Internal").]
You can also use restricted entitlements to control desktop access based on the user-authentication method
that you configure for a particular View Connection Server instance. For example, you can make certain
desktop pools available only to users who have authenticated with a smart card.
The restricted entitlements feature only enforces tag matching. You must design your network topology to
force certain clients to connect through a particular View Connection Server instance.
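
The following Python sketch is an added example, not part of the VMware documentation. It models the tag matching from the example above and audits which network zones can reach each desktop pool, showing how a single stray firewall rule defeats correctly assigned tags. The broker names, zone names, allowed-zone policy, and the treatment of untagged pools as unrestricted are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Broker:                    # a View Connection Server instance
    name: str
    tags: frozenset
    reachable_from: frozenset    # zones the firewall lets reach this broker

@dataclass(frozen=True)
class Pool:
    name: str
    tags: frozenset

def pool_visible(broker, pool):
    """Tag matching only: a tagged pool is offered by brokers sharing a tag."""
    if not pool.tags:            # assumption: an untagged pool is unrestricted
        return True
    return bool(broker.tags & pool.tags)

def exposure(brokers, pools):
    """For each pool, the zones that can reach it through some broker."""
    return {p.name: frozenset().union(
                *(b.reachable_from for b in brokers if pool_visible(b, p)))
            for p in pools}

def audit(brokers, pools, allowed):
    """Return {pool: zones that reach it but are not in allowed[pool]}."""
    result = {}
    for name, zones in exposure(brokers, pools).items():
        extra = zones - allowed.get(name, frozenset())
        if extra:
            result[name] = extra
    return result

# Constructed sample inventory mirroring Figure 5-1. "dmz" stands for the
# security server that relays external users; "lan" for internal clients.
POOLS = [Pool("pool-A", frozenset({"External"})),
         Pool("pool-B", frozenset({"Internal"}))]
ALLOWED = {"pool-A": frozenset({"dmz"}), "pool-B": frozenset({"lan"})}
GOOD = [Broker("cs-ext", frozenset({"External"}), frozenset({"dmz"})),
        Broker("cs-int", frozenset({"Internal"}), frozenset({"lan"}))]
# Same tags, but a firewall rule also lets the DMZ reach the internal broker.
BAD = [GOOD[0],
       Broker("cs-int", frozenset({"Internal"}), frozenset({"lan", "dmz"}))]

if __name__ == "__main__":
    print("as designed:", audit(GOOD, POOLS, ALLOWED))
    print("with stray firewall rule:", audit(BAD, POOLS, ALLOWED))
```

Running the same audit against an exported firewall rule set and the tag assignments from View Administrator highlights pools whose tags are correct but whose broker is reachable from an unintended zone.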
Using Group Policy Settings to Secure View Desktops
Horizon View includes Group Policy administrative (ADM) templates that contain security-related group
policy settings that you can use to secure your View desktops.
For example, you can use group policy settings to perform the following tasks.
- Specify the View Connection Server instances that can accept user identity and credential information that is passed when a user selects the Log in as current user check box in View Client.
Chapter 5 Planning for Security Features
VMware, Inc. 67