View Architecture Planning
VMware Horizon 6.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2009–2014 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

View Architecture Planning

1 Introduction to View
  Advantages of Using View
  View Features
  How the Components Fit Together
  Integrating and Customizing View

2 Planning a Rich User Experience
  Feature Support Matrix for View Agent
  Choosing a Display Protocol
  Using Hosted Applications
  Using View Persona Management to Retain User Data and Settings
  Using USB Devices with Remote Desktops
  Using the Real-Time Audio-Video Feature for Webcams and Microphones
  Using 3D Graphics Applications

4 Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments
  Advantages of Using Multiple vCenter Servers in a Pod

5 Planning for Security Features
  Understanding Client Connections
  Choosing a User Authentication Method
  Restricting Remote Desktop Access
  Using Group Policy Settings to Secure Remote Desktops and Applications
  Implementing Best Practices to Secure Client Systems
  Assigning Administrator Roles
  Preparing to Use a Security Server
  Understanding View Communications Protocols

6 Overview of Steps to Setting Up a View Environment
View Architecture Planning provides an introduction to VMware Horizon™ with View™, including a description of its major features and deployment options and an overview of how the components are typically set up in a production environment.
1 Introduction to View

With View, IT departments can run remote desktops and applications in the datacenter and deliver these desktops and applications to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.

- Remote desktops and applications that are hosted in a datacenter experience little or no downtime. Virtual machines can reside on high-availability clusters of VMware servers. Virtual desktops can also connect to back-end physical systems and Microsoft Remote Desktop Services (RDS) hosts.

Convenience: The unified management console is built for scalability so that even the largest View deployments can be efficiently managed from a single management interface.

- Integration with Workspace means that IT managers can use the Web-based Workspace administration interface to monitor user and group entitlements to remote desktops.
- With View Persona Management, physical and virtual desktops can be centrally managed, including user profiles, application entitlement, policies, performance, and other settings. Deploy View Persona Management to physical desktop users prior to converting to virtual desktops.
You can specify which types of USB devices end users are allowed to connect to. For composite devices that contain multiple types of devices, such as a video input device and a storage device, you can split the device so that one device (for example, the video input device) is allowed but the other device (for example, the storage device) is not.
How the Components Fit Together

End users start Horizon Client to log in to View Connection Server. This server, which integrates with Windows Active Directory, provides access to remote desktops hosted on a VMware vSphere server, a physical PC, or a Microsoft RDS host. Horizon Client also provides access to remote applications on a Microsoft RDS host.

Client Devices

A major advantage of using View is that remote desktops and applications follow the end user regardless of device or location. Users can access their personalized virtual desktop or remote application from a company laptop, their home PC, a thin client device, a Mac, or a tablet or phone. End users open Horizon Client to display their remote desktops and applications.

Horizon Client

The client software for accessing remote desktops and applications can run on a tablet, a phone, a Windows, Linux, or Mac PC or laptop, a thin client, and more. After logging in, users select from a list of remote desktops and applications that they are authorized to use. Authentication can require Active Directory credentials, a UPN, a smart card PIN, or an RSA SecurID or other two-factor authentication token.

View Administrator

This Web-based application allows administrators to configure View Connection Server, deploy and manage remote desktops and applications, control user authentication, and troubleshoot end user issues. When you install a View Connection Server instance, the View Administrator application is also installed.
VMware Mirage

- End users can access the Workspace user portal on the Web from inside a remote desktop for applications they need.
- If you also use HTML Access, end users can open a remote desktop inside a browser, without having to install any client application on the client system or device.
- IT managers can use the Workspace Administrator Web interface to monitor user and group entitlements to remote desktops.

This feature is available only on some types of clients. To find out whether this feature is supported on a particular type of client, see the feature support matrix included in the "Using VMware Horizon Client" document for the specific type of desktop or mobile client device. Go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

The View PowerCLI provides an easy-to-use PowerShell interface to View. You can use the View PowerCLI cmdlets to perform various administration tasks on View components.
- Create and update desktop pools.
- Configure multiple network labels to greatly expand the number of IP addresses assigned to virtual machines in a pool.
- Add datacenter resources to a full virtual machine or linked-clone pool.
2 Planning a Rich User Experience

View provides the familiar, personalized desktop environment that end users expect. For example, on some client systems, end users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. View includes many features that you might want to make available to your end users.
Table 2‑1. Operating Systems for Linked-Clone and Full-Clone Remote Desktops (Continued)

| Guest Operating System | Version           | Edition                     | Service Pack |
|------------------------|-------------------|-----------------------------|--------------|
| Windows 7              | 64-bit and 32-bit | Enterprise and Professional | None and SP1 |
| Windows Vista          | 32-bit            | Business and Enterprise     | SP2          |
| Windows XP             | 32-bit            | Professional                | SP3          |
| Windows Server 2008 R2 | 64-bit            | Datacenter                  | SP1          |

Table 2‑2.
In addition, several VMware partners offer thin client devices for View deployments. The features that are available for each thin client device are determined by the vendor and model and the configuration that an enterprise chooses to use. For information about the vendors and models for thin client devices, see the Thin Client Compatibility Guide, available on the VMware Web site.
- Multimedia redirection (MMR) is supported for some Windows client operating systems and some remote desktop operating systems (with View Agent installed). For information about which desktop operating systems support specific PCoIP features, see "Feature Support Matrix for View Agent," on page 19. For information about which client devices support specific PCoIP features, go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

Microsoft RDP

Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data. Microsoft RDP is a supported display protocol for remote desktops that use virtual machines, physical machines, or shared session desktops on an RDS host. (Only the PCoIP display protocol is supported for remote applications.)
For example, when a user must access a database remotely, if large amounts of data must be transmitted over the WAN, performance is usually affected. With hosted applications, all parts of the application can be located in the same data center as the database, so that traffic is isolated and only the screen updates are sent across the WAN.

By setting group policies (GPOs), you have granular control of the files and folders to include in a persona:
- Specify whether to include the local settings folder. For Windows 7, Windows 8, and Windows Vista, this policy affects the AppData\Local folder. For Windows XP, this policy affects the Local Settings folder.
- Specify which files and folders to load at login time. For example: Application Data\Microsoft\Certificates.

Using USB Devices with Remote Desktops

Administrators can configure the ability to use USB devices, such as thumb flash drives, cameras, VoIP (voice-over-IP) devices, and printers, from a remote desktop. This feature is called USB redirection, and it supports using either the RDP or the PCoIP display protocol. A remote desktop can accommodate up to 32 USB devices.
Using 3D Graphics Applications

The software- and hardware-accelerated graphics features available with the PCoIP display protocol enable remote desktop users to run 3D applications ranging from Google Earth to CAD and other graphics-intensive applications.

Virtual Dedicated Graphics Acceleration (vDGA): Available with vSphere 5.5 and later, this feature dedicates a single physical GPU (graphical processing unit) on an ESXi host to a single virtual machine.

Printing from a Remote Desktop

The virtual printing feature allows end users on some client systems to use local or network printers from a remote desktop without requiring that additional print drivers be installed in the remote desktop operating system. The location-based printing feature allows you to map remote desktops to the printer that is closest to the endpoint client device.

This feature has the following limitations:
- If you use PCoIP, the maximum number of monitors that you can use to display a remote desktop is 4, with a resolution of up to 2560 x 1600 if you have enough video RAM. The maximum number of monitors that can be stacked vertically is 2. If you use more than 2 monitors, the monitors must be in the same mode and have the same screen resolution.
3 Managing Desktop and Application Pools from a Central Location

You can create pools that include one, hundreds, or thousands of remote desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Remote Desktop Services (RDS) hosts. Create one virtual machine as a base image, and View can generate a pool of remote desktops from that image. You can also create pools of applications that give users remote access to applications.

In addition, using desktop pools provides many conveniences.

Dedicated-assignment pools: Each user is assigned a particular remote desktop and returns to the same desktop at each login. Users can personalize their desktops, install applications, and store data.

Floating-assignment pools: The remote desktop is optionally deleted and re-created after each use, offering a highly controlled environment.
Reducing and Managing Storage Requirements

Deploying desktops on virtual machines that are managed by vCenter Server provides all the storage efficiencies that were previously available only for virtualized servers. Using View Composer increases the storage savings because all virtual machines in a pool share a virtual disk with a base image.

Replica disks must be stored on VMFS5 or later datastores or NFS datastores. If you store replicas on a VMFS version earlier than VMFS5, a cluster can have at most eight hosts. OS disks and persistent disks can be stored on NFS or VMFS datastores.

Compatible vSphere 5.5 Update 1 or Later Features

With vSphere 5.

- Virtual SAN does not support the View Composer Array Integration (VAAI) feature because Virtual SAN does not use NAS devices.

NOTE Virtual SAN is compatible with the View Storage Accelerator feature. Virtual SAN provides a caching layer on SSD disks, and the View Storage Accelerator feature provides a content-based cache that reduces IOPS and improves performance during boot storms.

Disposable Disks for Paging and Temp Files

When you create a linked-clone pool, you can also optionally configure a separate, disposable virtual disk to store the guest operating system's paging and temp files that are generated during user sessions. When the virtual machine is powered off, the disposable disk is deleted. Using disposable disks can save storage space by slowing the growth of linked clones and reducing the space used by powered off virtual machines.
If you intend to take advantage of the benefits of local storage, you must carefully consider the following limitations:
- You cannot use vMotion, VMware High Availability (HA), or vSphere Distributed Resource Scheduler (DRS).
- You cannot use the View Composer rebalance operation to load-balance virtual machines across a resource pool.

Deploying Applications and System Updates with View Composer

Because linked-clone desktop pools share a base image, you can quickly deploy updates and patches by updating the parent virtual machine. The recompose feature allows you to make changes to the parent virtual machine, take a snapshot of the new state, and push the new version of the image to all, or a subset of, users and desktops.

Using Existing Processes or VMware Mirage for Application Provisioning

With View, you can continue to use the application provisioning techniques that your company currently uses, and you can use Mirage. Two additional considerations include managing server CPU usage and storage I/O and determining whether users are permitted to install applications.
4 Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments

A typical View architecture design uses a pod strategy that consists of components that support up to 10,000 remote desktops using a vSphere 5.1 or later infrastructure. Pod definitions can vary, based on hardware configuration, View and vSphere software versions used, and other environment-specific design factors.

Virtual Machine Requirements for Remote Desktops

When you plan the specifications for remote desktops, the choices that you make regarding RAM, CPU, and disk space have a significant effect on your choices for server and storage hardware and expenditures.

Estimating Memory Requirements for Virtual Machine Desktops

RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage of overall server hardware costs and total storage capacity needed, determining the correct memory allocation is crucial to planning your desktop deployment.
ESXi swap file: This file, which has a .vswp extension, is created if you reserve less than 100 percent of a virtual machine's RAM. The size of the swap file is equal to the unreserved portion of guest RAM. For example, if 50 percent of guest RAM is reserved and guest RAM is 2GB, the ESXi swap file is 1GB. This file can be stored on the local datastore on the ESXi host or cluster.

ESXi suspend file: This file, which has a .
RAM Sizing for Specific Workloads and Operating Systems

Because the amount of RAM required can vary widely, depending on the type of worker, many companies conduct a pilot phase to determine the correct setting for various pools of workers in their enterprise.

Choosing the Appropriate System Disk Size

When allocating disk space, provide only enough space for the operating system, applications, and additional content that users might install or generate. Usually this amount is smaller than the size of the disk that is included on a physical PC. Because datacenter disk space usually costs more per gigabyte than desktop or laptop disk space in a traditional PC deployment, optimize the operating system image size.

There is no substitute for measuring performance under actual, real world scenarios, such as in a pilot, to determine an appropriate consolidation ratio for your environment and hardware configuration. Consolidation ratios can vary significantly, based on usage patterns and environmental factors.
You create stateful desktop images by creating dedicated-assignment pools of either linked-clone virtual machines or full virtual machines. If you use linked-clone virtual machines, you can configure View Composer persistent disks and folder redirection. Some storage vendors have cost-effective storage solutions for stateful desktop images. These vendors often have their own best practices and provisioning utilities.

- Use the Persona Management feature so that users always have their preferred desktop appearance and application settings, as with Windows user profiles. If you do not have the desktops set to be refreshed or deleted at logoff, you can configure the persona to be removed at logoff.

Pools for Kiosk Users

Kiosk users might include customers at airline check-in stations, students in classrooms or libraries, medical personnel at medical data entry workstations, or customers at self-service points. Accounts associated with client devices rather than users are entitled to use these desktop pools because users do not need to log in to use the client device or the remote desktop.

The amount of system disk space required depends on the number of applications required in the base image. VMware has validated a setup that included 8GB of disk space. Applications included Microsoft Word, Excel, PowerPoint, Adobe Reader, Internet Explorer, McAfee Antivirus, and PKZIP. The amount of disk space required for user data depends on the role of the end user and organizational policies for data storage.
RDS Host Virtual Machine Configuration

Use RDS (Remote Desktop Services) hosts for providing hosted applications and session-based remote desktops to end users. An RDS host can be a physical machine or a virtual machine. This example uses a virtual machine with the specifications listed in the following table. The ESXi host for this virtual machine can be part of a VMware HA cluster to guard against physical server failures.

Table 4‑5.

This example assumes that you are using View with vSphere 5.1 or later and vCenter Server 5.1 or later.

IMPORTANT This example also assumes that View Composer and vCenter Server are installed on separate virtual machines.

Table 4‑6.

View Connection Server Maximums and Virtual Machine Configuration

When you install View Connection Server, the View Administrator user interface is also installed.

View Connection Server Configuration

Although you can install View Connection Server on a physical machine, this example uses a virtual machine with the specifications listed in Table 4-8. The ESXi host for this virtual machine can be part of a VMware HA cluster to guard against physical server failures.

Table 4‑8.

Table 4‑9.
In cases where availability requirements are high, proper configuration of VMware HA is essential. If you use VMware HA and are planning for a fixed number of desktops per server, run each server at a reduced capacity. If a server fails, the capacity of desktops per server is not exceeded when the desktops are restarted on a different host.

Table 4‑11. Virtual Machine Desktop Cluster Example (Continued)

| Item            | Example                                                 |
|-----------------|---------------------------------------------------------|
| Non-SSD storage | 32 non-SSD datastores for clones (450 GB per datastore) |
| Cluster type    | DRS (Distributed Resource Scheduler)/HA                 |

NOTE With vSphere 5.1 and later, if you use View Composer and store replica disks on NFS or VMFS5 datastores, the cluster can contain up to 32 ESXi hosts. With vSphere 5.
The external storage system that vSphere uses can be a Fibre Channel or iSCSI SAN (storage area network), or an NFS (Network File System) NAS (network-attached storage). With the Virtual SAN feature, available with vSphere 5.5 Update 1 or later, the storage system can also be aggregated local server-attached storage. The following example describes the tiered storage strategy used in a View 5.2 test setup in which one vCenter Server managed 10,000 desktops.

Figure 4‑1. Tiered Storage Example for a Large Desktop Pool

[Figure: parent virtual machines (Parent 1 through Parent 5) on a PARENT SSD datastore shared across all clusters; a replica (Replica 1, ...) per ESX cluster; each ESX cluster consisting of 192 Intel cores and 2.]
Storage Bandwidth Considerations

In a View environment, logon storms are the main consideration when determining bandwidth requirements. Although many elements are important to designing a storage system that supports a View environment, from a server configuration perspective, planning for proper storage bandwidth is essential. You must also consider the effects of port consolidation hardware.

Optimization Controls Available with PCoIP

If you use the PCoIP display protocol from VMware, you can adjust several elements that affect bandwidth usage.
- You can configure the image quality level and frame rate used during periods of network congestion. The quality level setting allows you to limit the initial quality of the changed regions of the display image.

Infra-dvswitch (2 uplinks per host): This switch was used by the ESXi hosts of infrastructure virtual machines.
- Jumbo frames (9000 MTU)
- 1 ephemeral distributed port group
- Infrastructure VLAN /24 (256 addresses)

Desktop-dvswitch (2 uplinks per host): This switch was used by the ESXi hosts of parent and desktop virtual machines.
Time Required for Recomposing a Pool

You can use a recompose operation to provide operating system patches, install or update applications, or modify the desktop hardware settings of virtual machines in a pool. Before recomposing a pool, you take a snapshot of a virtual machine that has the new configuration. The recompose operation uses that snapshot to update all virtual machines in the pool.

Bandwidth Requirements for Various Types of Users

When determining minimum bandwidth requirements for PCoIP, plan with the following estimates:
- 100 to 150Kbps average bandwidth for a basic office productivity desktop: typical office applications with no video, no 3D graphics, and the default Windows and View settings.

View Building Blocks

A building block consists of physical servers, a vSphere infrastructure, View servers, shared storage, and virtual machine desktops for end users. You can include up to five building blocks in a View pod.

Table 4‑12.

If a View Connection Server instance fails or becomes unresponsive during an active session, users do not lose data. Desktop states are preserved in the virtual machine desktop so that users can connect to a different View Connection Server instance and their desktop session resumes from where it was when the failure occurred.

Figure 4‑2.
Cloud Pod Architecture Overview

To use a group of replicated View Connection Server instances across a WAN, MAN (metropolitan area network), or other non-LAN, in scenarios where a View deployment needs to span datacenters, you must use the Cloud Pod Architecture feature.

Duration of Maintenance Windows

Concurrency settings for virtual machine power, provisioning, and maintenance operations are determined per vCenter Server instance.

Pod designs with one vCenter Server instance: Concurrency settings determine how many operations can be queued up for an entire View pod at one time.

Frequency of Power, Provisioning, and Refit Operations

Certain virtual machine desktop power, provisioning, and refit operations are initiated only by administrator actions, are usually predictable and controllable, and can be confined to established maintenance windows.
5 Planning for Security Features

View offers strong network security to protect sensitive corporate data. For added security, you can integrate View with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature.

- Tunneled Client Connections with Microsoft RDP on page 72. When users connect to a remote desktop with the Microsoft RDP display protocol, Horizon Client can make a second HTTPS connection to the View Connection Server host. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data.

In a standard deployment of View Connection Server instances, the HTTPS secure connection terminates at the View Connection Server. In a DMZ deployment, the HTTPS secure connection terminates at a security server. See "Preparing to Use a Security Server," on page 78 for information on DMZ deployments and security servers.
Active Directory Authentication

Each View Connection Server instance is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain. Users are also authenticated against any additional user domains with which a trust agreement exists.

Smart Card Authentication

A smart card is a small plastic card that is embedded with a computer chip. Many government agencies and large enterprises use smart cards to authenticate users who access their computer networks. The Common Access Card (CAC) issued by the U.S. Department of Defense is one widely deployed type of smart card. Smart card authentication is supported by the Windows-based client devices and some other types of clients. It is also supported by View Administrator 5.3 and later.

- The client machine must be able to communicate with the corporate Active Directory server and not use cached credentials for authentication. For example, if users log in to their client machines from outside the corporate network, cached credentials are used for authentication.
Figure 5‑1. Restricted Entitlements Example

[Figure: a client device on the external network connects through the DMZ View Security Server to a View Connection Server tagged "External", which brokers desktop pool A (tag "External"). A client device on the internal network connects to a View Connection Server tagged "Internal", which brokers desktop pool B (tag "Internal").]

You can also use restricted entitlements to control desktop access based on the user-authentication method that you configure for a particular View Connection Server instance.
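The tag matching that Figure 5-1 illustrates can be checked offline before the pools are exposed. The Python below is an added example, not VMware code or a View API: it models connection servers and desktop pools with tags, applies the restricted-entitlement rule, and lists what an external-facing connection server could ever broker. The rule it assumes is that a pool carrying tags is reachable only through a connection server that shares at least one of those tags, while a pool with no tags is reachable through every connection server; this excerpt does not state the untagged case, so treat it as an assumption to confirm against your View Administrator settings. Server names, pool names, and group names are constructed.

```python
"""Restricted-entitlement model for View Connection Server tags.

Added example, not VMware code. Assumption: a pool with tags is reachable only
through a connection server that shares at least one tag; a pool with no tags
is reachable through every connection server. All names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionServer:
    name: str
    tags: frozenset  # tags assigned to the instance in View Administrator


@dataclass(frozen=True)
class DesktopPool:
    name: str
    tags: frozenset      # restricted-entitlement tags on the pool
    entitled: frozenset  # users or AD groups entitled to the pool


def tags_allow(server: ConnectionServer, pool: DesktopPool) -> bool:
    """True when `server` may broker `pool` under the assumed rule."""
    return not pool.tags or bool(server.tags & pool.tags)


def reachable_pools(user: str, groups, server: ConnectionServer, pools) -> list:
    """Pools a user sees after logging in through `server`: the user must be
    entitled (directly or through a group) and the tags must permit the path."""
    principals = {user, *groups}
    return sorted(
        p.name for p in pools
        if (p.entitled & principals) and tags_allow(server, p)
    )


def pools_exposed_through(server: ConnectionServer, pools) -> list:
    """Every pool `server` can broker, regardless of entitlement. Run this
    against the DMZ-facing instance to see what an external login could reach."""
    return sorted(p.name for p in pools if tags_allow(server, p))


def untagged_pools(pools) -> list:
    """Pools with no tags are brokered by every connection server, including
    the one behind the security server; each deserves an explicit tag."""
    return sorted(p.name for p in pools if not p.tags)


# Constructed environment mirroring Figure 5-1, plus one untagged pool.
CS_EXTERNAL = ConnectionServer("cs-dmz-01", frozenset({"External"}))
CS_INTERNAL = ConnectionServer("cs-lan-01", frozenset({"Internal"}))
POOLS = (
    DesktopPool("pool-A", frozenset({"External"}), frozenset({"Remote-Workers"})),
    DesktopPool("pool-B", frozenset({"Internal"}), frozenset({"Finance"})),
    DesktopPool("pool-C", frozenset(), frozenset({"Domain Users"})),
)

if __name__ == "__main__":
    groups = ["Finance", "Domain Users"]
    print("alice via DMZ  :", reachable_pools("alice", groups, CS_EXTERNAL, POOLS))
    print("alice via LAN  :", reachable_pools("alice", groups, CS_INTERNAL, POOLS))
    print("exposed via DMZ:", pools_exposed_through(CS_EXTERNAL, POOLS))
    print("untagged pools :", untagged_pools(POOLS))
```

The point of the last two functions is the failure mode: an Internal-tagged pool is invisible through the DMZ instance, but an untagged pool such as pool-C is brokered through it for anyone entitled, so tagging every pool, not only the sensitive ones, is what makes the restriction complete.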
Implementing Best Practices to Secure Client Systems

You should implement best practices to secure client systems.
- Make sure that client systems are configured to go to sleep after a period of inactivity and require users to enter a password before the computer awakens.
- Require users to enter a username and password when starting client systems. Do not configure client systems to allow automatic logins.

Because users can connect directly with any View Connection Server instance from within their internal network, you do not need to implement a security server in a LAN-based deployment.

NOTE Security servers include a PCoIP Secure Gateway component so that clients that use the PCoIP display protocol can use a security server rather than a VPN.
Figure 5‑2. Load-Balanced Security Servers in a DMZ

[Figure: client devices on the external network reach a load balancer in front of View Security Servers in the DMZ; the security servers connect to View Connection Servers, Microsoft Active Directory, the vCenter management server, and ESX hosts running virtual desktop virtual machines.]

When users outside the corporate network connect to a security server, they must successfully authenticate before they can access remote desktops and applications.

Figure 5‑3. Multiple Security Servers

[Figure: client devices on the external network reach load balancing in front of multiple View Security Servers in the DMZ, which in turn reach load balancing in front of the View Connection Servers; behind them are the vCenter management server, Microsoft Active Directory, and ESXi hosts running virtual desktop virtual machines.]

You must implement a hardware or software load balancing solution if you install more than one security server.

Figure 5‑4.
Table 5‑1. Front-End Firewall Rules (Continued)

| Source         | Default Port     | Protocol | Destination     | Default Port       | Notes |
|----------------|------------------|----------|-----------------|--------------------|-------|
| Horizon Client | TCP Any, UDP Any | PCoIP    | Security server | TCP 4172, UDP 4172 | External client devices connect to a security server within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a remote desktop or application over PCoIP. |

Table 5‑2. Back-End Firewall Rules (Continued)

| Source                        | Default Port | Protocol | Destination     | Default Port | Notes |
|-------------------------------|--------------|----------|-----------------|--------------|-------|
| Remote desktop or application | UDP 4172     | PCoIP    | Security server | UDP 55000    | Remote desktops and applications send PCoIP data back to a security server from UDP port 4172. The destination UDP port is the source port of the UDP packets that the desktop received. Because this is reply data, a stateful firewall normally needs no explicit rule for it. |
Figure 5‑5. View Components and Protocols Without a Security Server

[Figure: the client device (Horizon Client, with an RDP client) connects to the View Connection Server (View Secure Gateway Server and PCoIP Secure Gateway, View Broker and Admin Server, View Messaging) over HTTP(S), and to the View Agent in the View desktop virtual machine over PCoIP or RDP. View Administrator connects to the View Connection Server over HTTP(S); the View Connection Server uses SOAP to vCenter Server, and LDAP and JMS appear between the View Connection Server and the View Agent.]

NOTE This figure shows direct connections for clients using either PCoIP or RDP.

Figure 5‑6.
Table 5‑3. Default Ports (Continued)

| Protocol     | Port |
|--------------|------|
| PCoIP        | Any TCP port from Horizon Client to port 4172 of the remote desktop or application. PCoIP also uses UDP port 50002 from Horizon Client (or UDP port 55000 from the PCoIP Secure Gateway) to port 4172 of the remote desktop or application. |
| PCoIP or RDP | For USB redirection, TCP port 32111 is used alongside PCoIP or RDP from the client to the remote desktop. |

When end users such as home or mobile workers access desktops from the Internet, security servers provide the required level of security and connectivity so that a VPN connection is not necessary. The PCoIP Secure Gateway component ensures that the only remote traffic that can enter the corporate data center is traffic on behalf of a strongly authenticated user. End users can access only the resources that they are authorized to access.
Table 5‑4. Ports Opened During View Connection Server Installation (Continued)

| Protocol | Ports    | View Connection Server Instance Type   | Notes |
|----------|----------|----------------------------------------|-------|
| HTTPS    | TCP 8443 | Standard, replica, and security server | After the initial connection to View is made, the Web browser on a client device connects to the Blast Secure Gateway on TCP port 8443. The Blast Secure Gateway must be enabled on a security server or View Connection Server instance to allow this second connection to take place. |
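Tables 5-1 through 5-4 together define which flows a security-server deployment should produce, which makes them usable as a detection baseline. The Python below is an added example, not VMware code: it encodes the documented ports as an expected-flow matrix, parses a few constructed firewall log lines, and flags flows that reach a desktop without passing through the security server or that send PCoIP UDP from a source port other than the documented 50002 (client) or 55000 (PCoIP Secure Gateway). The zone subnets, the log line format, and TCP 443 for the initial HTTPS connection (the standard default, not listed in this excerpt) are assumptions; the log lines are constructed, not captured traffic.

```python
"""Audit firewall log lines against the View port matrix (Tables 5-1 to 5-4).

Added example, not VMware code. Assumptions: the zone subnets, the log line
format, and TCP 443 for the initial HTTPS connection (well-known default, not
listed in this excerpt). The sample log lines are constructed.
"""
import ipaddress
import re

# Assumed zone layout; any address not listed is treated as external.
ZONE_NETS = [
    ("security_server", ipaddress.ip_network("192.0.2.0/28")),
    ("connection_server", ipaddress.ip_network("192.0.2.16/28")),
    ("desktop", ipaddress.ip_network("10.10.0.0/16")),
    ("internal", ipaddress.ip_network("10.20.0.0/16")),
]

# Documented flows: (src zone, dst zone, proto, dst port) -> purpose.
EXPECTED = {
    ("external", "security_server", "tcp", 443): "HTTPS login/tunnel (assumed default port)",
    ("external", "security_server", "tcp", 4172): "PCoIP to PCoIP Secure Gateway (Table 5-1)",
    ("external", "security_server", "udp", 4172): "PCoIP to PCoIP Secure Gateway (Table 5-1)",
    ("external", "security_server", "tcp", 8443): "HTML Access to Blast Secure Gateway (Table 5-4)",
    ("security_server", "desktop", "tcp", 4172): "PCoIP gateway to desktop (Table 5-3)",
    ("security_server", "desktop", "udp", 4172): "PCoIP gateway to desktop (Table 5-3)",
    ("security_server", "desktop", "tcp", 32111): "USB redirection (Table 5-3)",
    ("internal", "connection_server", "tcp", 443): "HTTPS login on the LAN (assumed default port)",
    ("internal", "desktop", "tcp", 4172): "direct PCoIP from a LAN client (Table 5-3)",
    ("internal", "desktop", "udp", 4172): "direct PCoIP from a LAN client (Table 5-3)",
    ("internal", "desktop", "tcp", 32111): "USB redirection (Table 5-3)",
}

# Fixed PCoIP UDP source ports toward a desktop (Table 5-3); replies return to them.
PCOIP_UDP_SRC = {"internal": 50002, "security_server": 55000}

LOG_RE = re.compile(r"src=([\d.]+):(\d+)\s+dst=([\d.]+):(\d+)\s+proto=(tcp|udp)")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS:
        if addr in net:
            return name
    return "external"


def classify(line: str):
    """Return (verdict, reason) for one log line."""
    m = LOG_RE.search(line)
    if not m:
        return "unparsed", line.strip()
    src_ip, src_port, dst_ip, dst_port, proto = m.groups()
    src_port, dst_port = int(src_port), int(dst_port)
    sz, dz = zone_of(src_ip), zone_of(dst_ip)

    # Desktop UDP 4172 back to the documented source port: reply data (Table 5-2).
    if sz == "desktop" and proto == "udp" and src_port == 4172 and dst_port == PCOIP_UDP_SRC.get(dz):
        return "reply", "PCoIP reply data; covered by connection state, no explicit rule needed"

    key = (sz, dz, proto, dst_port)
    if key in EXPECTED:
        want = PCOIP_UDP_SRC.get(sz)
        if proto == "udp" and dst_port == 4172 and want is not None and src_port != want:
            return "bad-src-port", f"PCoIP UDP from {sz} should originate from {want}, saw {src_port}"
        return "ok", EXPECTED[key]

    if sz == "external" and dz in ("desktop", "connection_server"):
        return "bypass", f"external source reached {dz} directly; only the security server should be exposed"
    return "review", f"{sz} -> {dz} {proto}/{dst_port} is not in the documented port matrix"


def audit(log_text: str):
    """Classify every non-empty line; returns [(line_no, verdict, reason), ...]."""
    return [(n, *classify(line)) for n, line in enumerate(log_text.splitlines(), 1) if line.strip()]


# Constructed log lines (not real traffic): one external session through the
# security server, one LAN session, and three flows that should raise questions.
SAMPLE_LOG = """\
2014-06-02T08:00:01Z src=203.0.113.10:51234 dst=192.0.2.5:443 proto=tcp action=allow
2014-06-02T08:00:02Z src=203.0.113.10:51235 dst=192.0.2.5:4172 proto=tcp action=allow
2014-06-02T08:00:02Z src=203.0.113.10:50002 dst=192.0.2.5:4172 proto=udp action=allow
2014-06-02T08:00:03Z src=192.0.2.5:55000 dst=10.10.4.21:4172 proto=udp action=allow
2014-06-02T08:00:03Z src=10.10.4.21:4172 dst=192.0.2.5:55000 proto=udp action=allow
2014-06-02T08:00:04Z src=192.0.2.5:40111 dst=10.10.4.21:32111 proto=tcp action=allow
2014-06-02T08:00:09Z src=10.20.7.8:50002 dst=10.10.4.22:4172 proto=udp action=allow
2014-06-02T08:00:10Z src=10.20.7.9:61000 dst=10.10.4.22:4172 proto=udp action=allow
2014-06-02T08:00:15Z src=203.0.113.77:50002 dst=10.10.4.21:4172 proto=udp action=allow
2014-06-02T08:00:20Z src=203.0.113.10:51240 dst=192.0.2.5:3389 proto=tcp action=allow
"""

if __name__ == "__main__":
    for n, verdict, reason in audit(SAMPLE_LOG):
        print(f"line {n:2d} {verdict:<12} {reason}")
```

The "bypass" verdict is the one that matters for the claim in this chapter that only traffic on behalf of an authenticated user enters the data center: a PCoIP flow from an external address straight to a desktop means a front-end or back-end rule is wider than Tables 5-1 and 5-2 allow. The "review" verdict is deliberately not an alarm; the excerpt does not list every port a full deployment uses, so anything outside the matrix should be compared with the complete tables rather than blocked on sight.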
6 Overview of Steps to Setting Up a View Environment

Complete these high-level tasks to install View and configure an initial deployment.

Table 6‑1. View Installation and Setup Check List

| Step | Task |
|------|------|
| 1    | Set up the required administrator users and groups in Active Directory. Instructions: View Installation and vSphere documentation. |
| 2    | If you have not yet done so, install and set up ESXi hosts and vCenter Server. Instructions: VMware vSphere documentation. |