View Installation

VMware Horizon 7
Version 7.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2019–2016 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

View Installation 5
1 System Requirements for Server Components 7
  View Connection Server Requirements 7
  View Administrator Requirements 9
  View Composer Requirements 10
2 System Requirements for Guest Operating Systems 13
  Supported Operating Systems for Horizon Agent 13
  Supported Operating Systems for Standalone View Persona Management 14
  Remote Display Protocol and Software Support 15
3 Installing View in an IPv6 Environment 21
  Setting Up View in an IPv6 Environment 21
  Supported vSphere, D
6 Installing View Composer 39
  Prepare a View Composer Database 39
  Configuring an SSL Certificate for View Composer 46
  Install the View Composer Service 47
  Enable TLSv1.

View Installation

View Installation explains how to install the VMware Horizon 7 server and client components.

Intended Audience

This information is intended for anyone who wants to install VMware Horizon 7. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.
1 System Requirements for Server Components

Hosts that run View server components must meet specific hardware and software requirements.

Hardware Requirements for View Connection Server

You must install all View Connection Server installation types, including standard, replica, security server, and enrollment server installations, on a dedicated physical or virtual machine that meets specific hardware requirements.

Table 1‑1. View Connection Server Hardware Requirements

Hardware Component | Required | Recommended
Processor | Pentium IV 2.

Network Requirements for Replicated View Connection Server Instances

When installing replicated View Connection Server instances, you must usually configure the instances in the same physical location and connect them over a high-performance LAN. Otherwise, latency issues could cause the View LDAP configurations on View Connection Server instances to become inconsistent.

View Composer Requirements

With View Composer, you can deploy multiple linked-clone desktops from a single centralized base image. View Composer has specific installation and storage requirements.

- Supported Operating Systems for View Composer on page 10
  View Composer supports 64-bit operating systems with specific requirements and limitations. You can install View Composer on the same physical or virtual machine as vCenter Server or on a separate server.

Table 1‑4. View Composer Hardware Requirements (Continued)

Hardware Component | Required | Recommended
Memory | 4GB RAM or higher | 8GB RAM or higher for deployments of 50 or more remote desktops
Disk space | 40GB | 60GB

IMPORTANT The physical or virtual machine that hosts View Composer must have an IP address that does not change. In an IPv4 environment, configure a static IP address.
2 System Requirements for Guest Operating Systems

Systems running Horizon Agent or Standalone View Persona Management must meet certain hardware and software requirements.

Table 2‑2. Operating Systems for Instant-Clone Remote Desktops

Guest Operating System | Version | Edition | Service pack
Windows 10 | 64-bit and 32-bit | Enterprise | None
Windows 7 | 64-bit and 32-bit | Enterprise and Professional | SP1

The following table lists the Windows operating system versions that are supported for creating desktop pools and application pools on an RDS host.

Table 2‑3.

Remote Display Protocol and Software Support

Remote display protocols and software provide access to remote desktops and applications. The remote display protocol used depends on the type of client device, whether you are connecting to a remote desktop or a remote application, and how the administrator configures the desktop or application pool.

- Copy and paste of text and, on some clients, images between the client operating system and a remote application or desktop. For other client types, only copy and paste of plain text is supported. You cannot copy and paste system objects such as folders and files between systems.
- Multiple monitors are supported for some client types.

Hardware Requirements for Client Systems

For information about processor and memory requirements, see the "Using VMware Horizon Client" document for the specific type of desktop or mobile client device. Go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

Microsoft RDP

Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer.

- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You can, however, change the encryption key cipher to AES-192 or AES-256.
- Connections to Windows desktops with the Horizon Agent operating system versions listed in “Supported Operating Systems for Horizon Agent,” on page 13 are supported.
- Connections from all types of client devices.
- Optimization controls for reducing bandwidth usage on the LAN and WAN.

1080p-formatted video
If the remote desktop has a dual virtual CPU, you can play 1080p formatted video, although the media player might need to be adjusted to a smaller window size.

3D rendering
You can configure remote desktops to use software- or hardware-accelerated graphics. The software-accelerated graphics feature enables you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical graphics processing unit (GPU).
3 Installing View in an IPv6 Environment

View supports IPv6 as an alternative to IPv4. The environment must be either IPv6 only or IPv4 only. View does not support a mixed IPv6 and IPv4 environment. Not all View features that are supported in an IPv4 environment are supported in an IPv6 environment. View does not support upgrading from an IPv4 environment to an IPv6 environment. Also, View does not support migration between IPv4 and IPv6 environments.

- Setting the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 115.
- Modifying the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 115.
- Installing Horizon Agent. See the Horizon Agent installation topics in the Setting Up Desktop and Application Pools document.
- Installing Horizon Client for Windows. See the VMware Horizon Client for Windows document in https://www.vmware.

Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment

In an IPv6 environment, View supports specific Windows operating systems for desktop machines and RDS hosts. RDS hosts provide session-based desktops and applications to users. The following Windows operating systems are supported for desktop machines.

- VMware Blast through Blast Secure Gateway

Supported Authentication Types in an IPv6 Environment

In an IPv6 environment, View supports specific authentication types.

- Virtual Volumes
- Cloud Pod Architecture
- Scanner redirection
- Multimedia redirection (MMR)
- Real-time audio-video (RTAV)
- Persona Management
- vRealize Operations Desktop Agent
- Lync
- Syslog
- Log Insight
- Serial redirection
- Flash URL redirection
- Teradici TERA host card
4 Installing View in FIPS Mode

View can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms. You can enable the use of these algorithms by installing View in FIPS mode. Not all View features are supported in FIPS mode. Also, View does not support upgrading from a non-FIPS installation to a FIPS installation.

NOTE To ensure that View runs in FIPS mode, you must enable FIPS when you install all View components.

- When installing View Agent, select the FIPS mode option. See the View Agent installation topics in the Setting Up Desktop and Application Pools document.
- When installing Horizon Client for Windows, select the FIPS mode option. See the VMware Horizon Client for Windows document in https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html. Only Windows clients are supported.

5 Preparing Active Directory

View uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with View.

You can place Horizon Agent machines, View Composer servers, and users and groups, in the following Active Directory domains:

- The View Connection Server domain
- A different domain that has a two-way trust relationship with the View Connection Server domain
- A domain in a different forest than the View Connection Server domain that is trusted by the View Connection Server domain in a one-way external or realm trust relationship
- A domain in a different forest than the View Conn

Creating an OU for Remote Desktops

You should create an organizational unit (OU) specifically for your remote desktops. An OU is a subdivision in Active Directory that contains users, groups, computers, or other OUs. To prevent group policy settings from being applied to other Windows servers or workstations in the same domain as your desktops, you can create a GPO for your View group policies and link it to the OU that contains your remote desktops.

Creating a User Account for a Standalone View Composer Server

If you install View Composer on a different machine than vCenter Server, you must create a domain user account in Active Directory that View can use to authenticate to the View Composer service on the standalone machine. The user account must be in the same domain as your View Connection Server host or in a trusted domain. You must add the user account to the local Administrators group on the standalone View Composer machine.

What to do next

Specify the account in View Administrator when you configure View Composer domains in the Add vCenter Server wizard and when you configure and deploy linked-clone desktop pools.

Create a User Account for Instant Clone Operations

If you deploy instant clones, you must create a user account in Active Directory that allows View to perform certain operations in Active Directory.

Procedure

1 On the Active Directory server, navigate to the Group Policy Management plug-in.

AD Version | Navigation Path
Windows 2003 | a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers. b Right-click your domain and click Properties. c On the Group Policy tab, click Open to open the Group Policy Management plug-in. d Right-click Default Domain Policy, and click Edit.
Windows 2008 | a b

- Add the Root Certificate to the Enterprise NTAuth Store on page 36
  If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

3 Right-click Trusted Root Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
5 Close the Group Policy window.

All of the systems in the domain now have a copy of the root certificate in their trusted root store.

The CA is now trusted to issue certificates of this type.

Disable Weak Ciphers in SSL/TLS

To achieve greater security, you can configure the domain policy GPO (group policy object) to ensure that View Composer and Windows-based machines running View Agent or Horizon Agent do not use weak ciphers when they communicate using the SSL/TLS protocol.
6 Installing View Composer

To use View Composer, you create a View Composer database, install the View Composer service, and optimize your View infrastructure to support View Composer. You can install the View Composer service on the same host as vCenter Server or on a separate host. View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop pools. You must have a license to install and use the View Composer feature.

For a list of supported database versions, see “Database Requirements for View Composer and the Events Database,” on page 11. To add a View Composer database to an installed database instance, choose one of these procedures.

- Create a SQL Server Database for View Composer on page 40
  View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it.

3 In the Object Explorer panel, right-click the Databases entry and select New Database. You can use the default values for the Initial size and Autogrowth parameters for the database and log files.
4 In the New Database dialog box, type a name in the Database name text box. For example: ViewComposer
5 Click OK. SQL Server Management Studio adds your database to the Databases entry in the Object Explorer panel.
6 Exit Microsoft SQL Server Management Studio.

4 In the View Composer database, grant privileges to the VCMP_ADMIN_ROLE.
  a Grant the schema permissions ALTER, REFERENCES, and INSERT on the dbo schema.
  b Grant the permissions CREATE TABLE, CREATE VIEW, and CREATE PROCEDURES.
5 In the View Composer database, create the VCMP_USER_ROLE.
6 In the View Composer database, grant the schema permissions SELECT, INSERT, DELETE, UPDATE, and EXECUTE on the dbo schema to the VCMP_USER_ROLE.

5 In the Create a New Data Source to SQL Server setup wizard, type a name and description of the View Composer database. For example: ViewComposer
6 In the Server text box, type the SQL Server database name. Use the form host_name\server_name, where host_name is the name of the computer and server_name is the SQL Server instance. For example: VCHOST1\VIM_SQLEXP
7 Click Next.

- Add an ODBC Data Source to Oracle 12c or 11g on page 46
  After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.

Add a View Composer Database to Oracle 12c or 11g

You can use the Oracle Database Configuration Assistant to add a new View Composer database to an existing Oracle 12c or 11g instance.

Verify that a supported version of Oracle 12c or 11g is installed on the local or remote computer. For details, see “Database Requirements for View Composer and the Events Database,” on page 11.

Procedure

1 Log in to a SQL*Plus session with the system account.
2 Run the following SQL statement to create the database.

CREATE SMALLFILE TABLESPACE "VCMP" DATAFILE '/u01/app/oracle/oradata/vcdb/vcmp01.

Add an ODBC Data Source to Oracle 12c or 11g

After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service. When you configure an ODBC DSN for View Composer, secure the underlying database connection to an appropriate level for your environment. For information about securing database connections, see the Oracle database documentation.

For details about configuring SSL certificates and using the SviConfig ReplaceCertificate utility, see Chapter 8, “Configuring SSL Certificates for View Servers,” on page 79. If you install vCenter Server and View Composer on the same Windows Server computer, they can use the same SSL certificate, but you must configure the certificate separately for each component.

Install the View Composer Service

To use View Composer, you must install the View Composer service.

5 Type the DSN for the View Composer database that you provided in the Microsoft or Oracle ODBC Data Source Administrator wizard. For example: VMware View Composer
  NOTE If you did not configure a DSN for the View Composer database, click ODBC DSN Setup to configure a name now.
6 Type the domain administrator user name and password that you provided in the ODBC Data Source Administrator wizard.

If your ESXi hosts are not running ESXi 6.0 U1b or later, and you cannot upgrade, you might also need to enable TLSv1.0 connections to ESXi hosts from View Composer.

Prerequisites

- Verify that you have View Composer 7.0 or a later release installed.
- Verify that you can log in to the View Composer machine as an Administrator to use the Windows Registry Editor.

Procedure

1 On the machine that hosts View Composer, open the Windows Registry Editor (regedit.exe).
2

- In vSphere 5.1 and later, a cluster that is used for View Composer linked clones can contain more than eight ESXi hosts if the replica disks are stored on VMFS5 or later datastores or NFS datastores. If you store replicas on a VMFS version earlier than VMFS5, a cluster can have at most eight hosts. In vSphere 5.0, you can select a cluster with more than eight ESXi hosts if the replicas are stored on NFS datastores.
7 Installing View Connection Server

To use View Connection Server, you install the software on supported computers, configure the required components, and, optionally, optimize the components.

Security server installation
Generates a View Connection Server instance that adds an additional layer of security between the Internet and your internal network.

Enrollment Server installation
Installs an enrollment server that is required for the True SSO (single sign-on) feature, so that after users log in to VMware Identity Manager, they can connect to a remote desktop or application without having to provide Active Directory credentials.

Install View Connection Server with a New Configuration

To install View Connection Server as a single server or as the first instance in a group of replicated View Connection Server instances, you use the standard installation option. When you select the standard installation option, the installation creates a new, local View LDAP configuration.

- Familiarize yourself with the network ports that must be opened on the Windows Firewall for View Connection Server instances. See “Firewall Rules for View Connection Server,” on page 73.
- If you plan to pair a security server with this View Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles.

11 Authorize a View Administrators account.
   Only members of this account can log in to View Administrator, exercise full administration rights, and install replicated View Connection Server instances and other View servers.

   Option | Description
   Authorize the local Administrators group | Allows users in the local Administrators group to administer View.

12

Perform initial configuration on View Connection Server. See Chapter 9, “Configuring View for the First Time,” on page 97.

If you plan to include replicated View Connection Server instances and security servers in your deployment, you must install each server instance by running the View Connection Server installer file.

If you are reinstalling View Connection Server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.

Procedure

1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes View Connection Server. The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.

If you are configuring View for the first time, perform initial configuration on View Connection Server. See Chapter 9, “Configuring View for the First Time,” on page 97.

Silent Installation Properties for a View Connection Server Standard Installation

You can include specific View Connection Server properties when you perform a silent installation from the command line.

Enable TLSv1.0 on vCenter Connections from Connection Server

Horizon 7 and later components have the TLSv1.0 security protocol disabled by default. If your deployment includes an older version of vCenter Server that supports only TLSv1.0, you might need to enable TLSv1.0 for View Connection Server connections after installing or upgrading to View Connection Server 7.0 or a later release. Some earlier maintenance releases of vCenter Server 5.0, 5.1, and 5.

After the installation, identical View LDAP configuration data is maintained on all View Connection Server instances in the replicated group. When a change is made on one instance, the updated information is copied to the other instances. If a replicated instance fails, the other instances in the group continue to operate. When the failed instance resumes activity, its configuration is updated with the changes that took place during the outage.

- If your network topology includes a back-end firewall between a security server and the View Connection Server instance, you must configure the firewall to support IPsec. See “Configuring a BackEnd Firewall to Support IPsec,” on page 74.

Procedure

1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.

- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services

For information about these services, see the View Administration document.

- Verify that the computers on which you install replicated View Connection Server instances are connected over a high-performance LAN. See “Network Requirements for Replicated View Connection Server Instances,” on page 9.
- Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 52.

The View services are installed on the Windows Server computer:

- VMware Horizon View Connection Server
- VMware Horizon View Framework Component
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services

For information abou

Table 7‑2. MSI Properties for Silently installing a Replicated Instance of View Connection Server (Continued)

MSI Property | Description | Default Value
ADAM_PRIMARY_NAME | The host name or IP address of the existing View Connection Server instance you are replicating. For example: ADAM_PRIMARY_NAME=cs1.companydomain.com This MSI property is required. | None

What to do next

Install a security server. See “Install a Security Server,” on page 66.

IMPORTANT If you do not provide the security server pairing password to the View Connection Server installation program within the password timeout period, the password becomes invalid and you must configure a new password.

Install a Security Server

A security server is an instance of View Connection Server that adds an additional layer of security between the Internet and your internal network.

- If you are installing View in FIPS mode, you must deselect the global setting Use IPSec for Security Server Connections in View Administrator, because in FIPS mode, you must configure IPsec manually after installing a security server.

Procedure

1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.

12 In the Blast External URL text box, type the external URL of the security server for users who use HTML Access to connect to remote desktops. The URL must contain the HTTPS protocol, client-resolvable host name, and port number. For example: https://myserver.example.com:8443
   By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach this security server.

Install a Security Server Silently

You can use the silent installation feature of the Microsoft Windows Installer (MSI) to install a security server on several Windows computers. In a silent installation, you use the command line and do not have to respond to wizard prompts. With silent installation, you can efficiently deploy View components in a large enterprise.

Prerequisites

- Determine the type of topology to use.

Procedure

1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes View Connection Server. The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.

Silent Installation Properties for a Security Server

You can include specific properties when you silently install a security server from the command line. You must use a PROPERTY=value format so that Microsoft Windows Installer (MSI) can interpret the properties and values.

Table 7‑3.

Table 7‑3. MSI Properties for Silently Installing a Security Server (Continued)

MSI Property | Description | Default Value
VDM_SERVER_SS_PCOIP_UDPPORT | The PCoIP Secure Gateway external UDP port number. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_UDPPORT=4172 This property is required if you plan to use the PCoIP Secure Gateway component. | None

You can configure an initial security server pairing without using IPsec rules. Before you install the security server, you can open View Administrator and deselect the global setting Use IPSec for Security Server Connections, which is enabled by default. If IPsec rules are not in effect, you do not have to remove them before you upgrade or reinstall.
Table 7‑4. Ports Opened During View Connection Server Installation (Continued)

Protocol | Ports | View Connection Server Instance Type
HTTP | TCP 80 | Standard, replica, and security server
HTTPS | TCP 443 | Standard, replica, and security server
PCoIP | TCP 4172 in; UDP 4172 both directions | Standard, replica, and security server
HTTPS | TCP 8443 UDP 8443 | Standard, replica, and security server.
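
The following added example (not VMware code and not part of the original guide) audits a set of Windows Firewall rules against the rows of Table 7‑4 visible above. The function names and the rule-object shape (Enabled, Direction, Action, Protocol, LocalPort) are assumptions made for this sketch, and the sample rules are constructed.

```powershell
# Added example, not VMware code. Required ports are the rows of Table 7-4
# that are visible on this page; only the inbound side is checked.
$RequiredPorts = @(
    [pscustomobject]@{ Service = 'HTTP';         Protocol = 'TCP'; Port = 80   }
    [pscustomobject]@{ Service = 'HTTPS';        Protocol = 'TCP'; Port = 443  }
    [pscustomobject]@{ Service = 'PCoIP';        Protocol = 'TCP'; Port = 4172 }
    [pscustomobject]@{ Service = 'PCoIP';        Protocol = 'UDP'; Port = 4172 }
    [pscustomobject]@{ Service = 'HTTPS (8443)'; Protocol = 'TCP'; Port = 8443 }
    [pscustomobject]@{ Service = 'HTTPS (8443)'; Protocol = 'UDP'; Port = 8443 }
)

function Test-PortSpec {
    # True when $Port is covered by a firewall port specification such as
    # '443', '80,443', '8440-8450' or 'Any'.
    param([string]$Spec, [int]$Port)
    foreach ($part in ($Spec -split ',')) {
        $p = $part.Trim()
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

function Get-MissingViewPort {
    # Emits every required protocol/port pair that no enabled inbound allow
    # rule covers. Block rules, profiles and address scopes are not evaluated.
    param(
        [object[]]$Rules,
        [object[]]$Required = $RequiredPorts
    )
    foreach ($req in $Required) {
        $hit = $Rules | Where-Object {
            $_.Enabled -and
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow' -and
            ($_.Protocol -eq $req.Protocol -or $_.Protocol -eq 'Any') -and
            (Test-PortSpec -Spec $_.LocalPort -Port $req.Port)
        }
        if (-not $hit) { $req }
    }
}

# Constructed sample rules (hypothetical names), standing in for a rule export.
$SampleRules = @(
    [pscustomobject]@{ Name = 'Web';       Enabled = $true;  Direction = 'Inbound'; Action = 'Allow'; Protocol = 'TCP'; LocalPort = '80,443' }
    [pscustomobject]@{ Name = 'PCoIP TCP'; Enabled = $true;  Direction = 'Inbound'; Action = 'Allow'; Protocol = 'TCP'; LocalPort = '4172' }
    [pscustomobject]@{ Name = 'PCoIP UDP'; Enabled = $false; Direction = 'Inbound'; Action = 'Allow'; Protocol = 'UDP'; LocalPort = '4172' }
    [pscustomobject]@{ Name = 'Blast TCP'; Enabled = $true;  Direction = 'Inbound'; Action = 'Allow'; Protocol = 'TCP'; LocalPort = '8440-8450' }
)

Get-MissingViewPort -Rules $SampleRules | Format-Table Service, Protocol, Port
```

On a live host the rule objects can be built from Get-NetFirewallRule and Get-NetFirewallPortFilter. Compare the Enabled property with -eq 'True' when doing so, because it is an enumeration rather than a Boolean, and join multi-value LocalPort entries with commas.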
Chapter 7 Installing View Connection Server Table 7‑6. NAT Firewall Requirements to Support IPsec Rules Source Protocol Port Destination Notes Security server ISAKMP UDP 500 View Connection Server Security servers use UDP port 500 to initiate IPsec security negotiation. Security server NAT-T ISAKMP UDP 4500 View Connection Server Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security.
View Installation 4 Uninstall the View Connection Server from the computer by using the Windows Add/Remove Programs utility. Do not uninstall the View LDAP configuration, called the AD LDS Instance VMwareVDMDS instance. You can use the Add/Remove Programs utility to verify that the AD LDS Instance VMwareVDMDS instance was not removed from the Windows Server computer. 5 Reinstall View Connection Server. At the installer prompt, accept the existing View LDAP directory.
Chapter 7 Installing View Connection Server Table 7‑8. MSI Command-Line Options and MSI Properties MSI Option or Property /qn Description Instructs the MSI installer not to display the installer wizard pages. For example, you might want to install Horizon Agent silently and use only default setup options and features: VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn" Alternatively, you can use the /qb option to display the wizard pages in a noninteractive, automated installation.
View Installation Uninstalling View Components Silently by Using MSI Command-Line Options You can uninstall View components by using Microsoft Windows Installer (MSI) command-line options. Syntax msiexec.exe /qb /x product_code Options The /qb option displays the uninstall progress bar. To suppress displaying the uninstall progress bar, replace the /qb option with the /qn option. The /x option uninstalls the View component.
Configuring SSL Certificates for View Servers 8 VMware strongly recommends that you configure SSL certificates for authentication of View Connection Server instances, security servers, and View Composer service instances. A default SSL server certificate is generated when you install View Connection Server instances, security servers, or View Composer instances. You can use the default certificate for testing purposes. IMPORTANT Replace the default certificate as soon as possible.
View Installation n If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on the Windows Server computer. The installation extracts the keys and certificates and imports them into the Windows Certificate Store. vCenter Server and View Composer Before you add vCenter Server and View Composer to View in a production environment, make sure that vCenter Server and View Composer use certificates that are signed by a CA.
Chapter 8 Configuring SSL Certificates for View Servers Similarly, if a SAML 2.0 authenticator is configured for View Connection Server, the View Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate. Overview of Tasks for Setting Up SSL Certificates To set up SSL server certificates for View servers, you must perform several high-level tasks.
If a SAML authenticator is configured for use with a View Connection Server instance, View Connection Server also performs certificate revocation checking on the SAML server certificate.

Obtaining a Signed SSL Certificate from a CA

If your organization does not provide you with an SSL server certificate, you must request a new certificate that is signed by a CA. You can use several methods to obtain a new signed certificate.
- Verify that you have the appropriate credentials to request a certificate that can be issued to a computer or service.

Procedure

1 In the MMC window on the Windows Server host, expand the Certificates (local computer) node and select the Personal folder.
2 From the Action menu, go to All Tasks > Request New Certificate to display the Certificate Enrollment wizard.
3 Select a Certificate Enrollment Policy.
2 Import a Signed Server Certificate into a Windows Certificate Store

You must import the SSL server certificate into the Windows local computer certificate store on the Windows Server host on which the View Connection Server instance or security server service is installed.
For more information about certificates, consult the Microsoft online help available with the Certificate snap-in to MMC.

NOTE If you off-load SSL connections to an intermediate server, you must import the same SSL server certificate onto both the intermediate server and the off-loaded View server. For details, see "Off-load SSL Connections to Intermediate Servers" in the View Administration document.
3 On the General tab, delete the Friendly name text and type vdm.
4 Click Apply and click OK.
5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of vdm.
   a Locate any other server certificate, right-click the certificate, and click Properties.
   b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.
2 Right-click the Trusted Root Certification Authorities > Certificates folder and click All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the root CA certificate is stored.
4 Select the root CA certificate file and click Open.
5 Click Next, click Next, and click Finish.
6 Restart the View Composer service to make your changes take effect.
2 On the Active Directory server, navigate to the Group Policy Management plug-in.

AD Version: Windows 2003
Navigation Path:
   a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
   b Right-click your domain and click Properties.
   c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
   d Right-click Default Domain Policy, and click Edit.

AD Version: Windows 2008
Navigation Path:
   a
   b
Configure Horizon Client for iOS to Trust Root and Intermediate Certificates

If a server certificate is signed by a CA that is not trusted by iPads and iPhones that run Horizon Client for iOS, you can configure the device to trust the root and intermediate certificates. You must distribute the root certificate and all intermediate certificates in the trust chain to the devices.

Procedure

1 Send the root certificate and intermediate certificates as email attachments to the iPad.
Value  Description
1      Do not perform certificate revocation checking.
2      Check only the server certificate. Do not check any other certificates in the chain.
3      Check all certificates in the chain.
4      (Default) Check all certificates except the root certificate.

If this registry value is not set, or if the value set is not valid (that is, if the value is not 1, 2, 3, or 4), all certificates are checked except the root certificate.
2 Configure a PSG Certificate in the Windows Certificate Store

To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the View Connection Server or security server computer on which the PSG is running.
Prerequisites

- Verify that the key length is at least 1024 bits.
- Verify that the SSL certificate is valid. The current time on the server computer must be within the certificate start and end dates.
- Verify that the certificate subject name or a subject alternate name matches the SSLCertPsgSni setting in the Windows registry. See “Verify That the Server Name Matches the PSG Certificate Subject Name,” on page 92.
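A read-only check of the prerequisites above, as an added PowerShell example that is not part of the VMware documentation. Test-PsgCertificate and its parameter names are hypothetical; pass the Friendly name you configured for the PSG certificate and the server name held in the SSLCertPsgSni setting. The result also reports whether the Friendly name is unique in the store and whether the private key is present.

```powershell
# Added example (not VMware code). Test-PsgCertificate and its parameter
# names are hypothetical. The function only reads the certificate store.
function Test-PsgCertificate {
    [CmdletBinding()]
    param(
        # Friendly name configured for the PSG certificate.
        [Parameter(Mandatory = $true)] [string] $FriendlyName,
        # Server name the certificate must match (the SSLCertPsgSni value).
        [Parameter(Mandatory = $true)] [string] $ServerName,
        # Minimum key length taken from the prerequisites above.
        [int] $MinimumKeyBits = 1024
    )

    # Windows local computer store, Personal > Certificates folder.
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName })

    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate with Friendly name '$FriendlyName' found."
        return
    }

    $now = Get-Date
    foreach ($cert in $candidates) {
        # GetRSAPublicKey returns $null for non-RSA keys; the key length
        # is then reported as not verified.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits = if ($rsa) { $rsa.KeySize } else { $null }

        # DnsNameList holds the DNS subject alternative names, or the
        # subject name when the certificate has no such extension.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            FriendlyNameUnique = ($candidates.Count -eq 1)
            HasPrivateKey      = $cert.HasPrivateKey
            KeyBits            = $keyBits
            KeyLengthOk        = ($null -ne $keyBits -and $keyBits -ge $MinimumKeyBits)
            ValidNow           = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
            # Exact, case-insensitive comparison; wildcard names are not expanded.
            NameMatches        = ($names -contains $ServerName)
        }
    }
}
```

Any property that comes back False marks a prerequisite to fix before the PSG is pointed at the certificate.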
Set the PSG Certificate Friendly Name in the Windows Registry

The PSG identifies the SSL certificate to use by means of the server name and certificate Friendly name. You must set the Friendly name value in the Windows registry on the View Connection Server or security server computer on which the PSG is running. The certificate Friendly name vdm is used by all View Connection Server instances and security servers.
Prerequisites

Verify that all client devices that connect to this server, including thin clients, run Horizon Client 5.2 for Windows or Horizon Client 2.0 or later releases. You must upgrade the legacy clients.

Procedure

1 Start the Windows Registry Editor on the View Connection Server or security server computer where the PCoIP Secure Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
Troubleshooting Certificate Issues on View Connection Server and Security Server

Certificate issues on a View server prevent you from connecting to View Administrator or cause a red health indicator to be displayed for a server.

Problem

You cannot connect to View Administrator on the View Connection Server instance with the problem.
Chapter 9 Configuring View for the First Time

After you install the View server software and configure SSL certificates for the servers, you must take a few additional steps to set up a working View environment. You configure user accounts for vCenter Server and View Composer, install a View license key, add vCenter Server and View Composer to your View environment, configure the PCoIP Secure Gateway and secure tunnel, and, optionally, size Windows Server settings to support your View environment.
Where to Use the vCenter Server User and View Composer Users

After you create and configure these user accounts, you specify the user names in View Administrator.

- You specify a vCenter Server user when you add vCenter Server to View.
- You specify a standalone View Composer Server user when you configure View Composer settings and select Standalone View Composer Server.
- You specify a View Composer user for AD operations when you configure View Composer domains.
2 In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add Permission, and add the vCenter Server user.

NOTE You must define the vCenter Server user at the vCenter Server level.

3 From the drop-down menu, select the Administrator role, or the View Composer or View Manager role that you created, and assign it to the vCenter Server user.
Table 9‑1. Privileges Required for the View Manager Role (Continued)

Privilege Group: Host
Privileges to Enable: In Configuration:
- Advanced settings

Privilege Group: Profile Driven Storage (If you are using Virtual SAN datastores or Virtual Volumes)
Privileges to Enable: (all)

View Composer Privileges Required for the vCenter Server User

To support View Composer, the vCenter Server user must have privileges in addition to those required to support View.
View Administrator and View Connection Server

View Administrator provides a management interface for View. Depending on your View deployment, you use one or more View Administrator interfaces.

- Use one View Administrator interface to manage the View components that are associated with a single, standalone View Connection Server instance or a group of replicated View Connection Server instances.
2 Log in as a user with credentials to access the View Administrators account.

You specify the View Administrators account when you install a standalone View Connection Server instance or the first View Connection Server instance in a replicated group. The View Administrators account can be the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer or a domain user or group account.
In a testing environment, you can use the default certificate that is installed with vCenter Server, but you must accept the certificate thumbprint when you add vCenter Server to View.

- Verify that all View Connection Server instances in the replicated group trust the root CA certificate for the server certificate that is installed on the vCenter Server host.
What to do next

Configure View Composer settings.

- If the vCenter Server instance is configured with a signed SSL certificate, and View Connection Server trusts the root certificate, the Add vCenter Server wizard displays the View Composer Settings page.
- If the vCenter Server instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL Certificate,” on page 110.
3 If you are using View Composer, select the location of the View Composer machine.

Option: View Composer is installed on the same machine as vCenter Server.
Description:
   a Select View Composer co-installed with the vCenter Server.
   b Make sure that the port number is the same as the port that you specified when you installed the View Composer service on vCenter Server. The default port number is 18443.

Option: View Composer is installed on its own separate machine.
3 Type the domain user name, including the domain name, of the View Composer user. For example: domain.com\admin
4 Type the account password.
5 Click OK.
6 To add domain user accounts with privileges in other Active Directory domains in which you deploy linked-clone pools, repeat the preceding steps.
7 Click Next to display the Storage Settings page.

What to do next

Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.
Prerequisites

- Verify that your vCenter Server and ESXi hosts, including all ESXi hosts in a cluster, are version 5.1 with ESXi 5.1 download patch ESXi510-201212001 or later.

Procedure

1 In View Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings page.
   a Select View Configuration > Servers.
   b On the vCenter Servers tab, click Add.
2
View Storage Accelerator is now qualified to work in configurations that use View replica tiering, in which replicas are stored on a separate datastore than linked clones. Although the performance benefits of using View Storage Accelerator with View replica tiering are not materially significant, certain capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and supported.
Concurrent Operations Limits for vCenter Server and View Composer

When you add vCenter Server to View or edit the vCenter Server settings, you can configure several options that set the maximum number of concurrent operations that are performed by vCenter Server and View Composer. You configure these options in the Advanced Settings panel on the vCenter Server Information page.

Table 9‑3.
For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support a peak power-on rate of 16 desktops per minute. The system waits a maximum of five minutes for a desktop to start. If the start time takes longer, other errors are likely to occur. To be conservative, you can set a concurrent power operations limit of 5 times the peak power-on rate.
Procedure

1 When View Administrator displays an Invalid Certificate Detected dialog box, click View Certificate.
2 Examine the certificate thumbprint in the Certificate Information window.
3 Examine the certificate thumbprint that was configured for the vCenter Server or View Composer instance.
   a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows Certificate Store.
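To do the comparison in step 3 from a console on the vCenter Server or View Composer host, this added PowerShell example (not from the VMware documentation) looks up the thumbprint shown in the Certificate Information window in the local computer store. Find-DisplayedThumbprint is a hypothetical name, searching the Personal store is an assumption, and checking a SHA-256 digest as well as the SHA-1 thumbprint goes beyond what the procedure states.

```powershell
# Added example (not VMware code). Find-DisplayedThumbprint is a
# hypothetical name; the default store path is an assumption.
function Find-DisplayedThumbprint {
    [CmdletBinding()]
    param(
        # Thumbprint exactly as copied from the Certificate Information window.
        [Parameter(Mandatory = $true)] [string] $DisplayedThumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    # Keep hex digits only. This drops spaces, colons and invisible
    # characters that are often picked up when copying from a dialog.
    $wanted = ($DisplayedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($wanted.Length -eq 0) {
        throw 'The supplied thumbprint contains no hexadecimal digits.'
    }

    $matched = $false
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($cert in Get-ChildItem -Path $StorePath) {
            # The Thumbprint property is the SHA-1 digest of the encoded
            # certificate; the SHA-256 digest is computed over the same bytes.
            $sha256Hex = ([System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData))) -replace '-', ''
            $digests = @{ 'SHA-1' = $cert.Thumbprint; 'SHA-256' = $sha256Hex }

            foreach ($algorithm in $digests.Keys) {
                if ($digests[$algorithm] -eq $wanted) {
                    $matched = $true
                    [pscustomobject]@{
                        MatchedOn    = $algorithm
                        Subject      = $cert.Subject
                        Issuer       = $cert.Issuer
                        NotAfter     = $cert.NotAfter
                        FriendlyName = $cert.FriendlyName
                    }
                }
            }
        }
    }
    finally {
        $sha256.Dispose()
    }

    if (-not $matched) {
        Write-Warning "No certificate in $StorePath has the thumbprint $wanted."
    }
}
```

A warning instead of a result row means the certificate presented to View Administrator is not one of the certificates in that store on the host.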
When the secure tunnel and secure gateways are disabled, desktop and application sessions are established directly between the client device and the remote machine, bypassing the View Connection Server or security server host. This type of connection is called a direct connection. Desktop and application sessions that use direct connections remain connected even if View Connection Server is no longer running.
4 Configure use of the PCoIP Secure Gateway.

Option: Enable the PCoIP Secure Gateway
Description: Select Use PCoIP Secure Gateway for PCoIP connections to machine.

Option: Disable the PCoIP Secure Gateway
Description: Deselect Use PCoIP Secure Gateway for PCoIP connections to machine.

The PCoIP Secure Gateway is disabled by default.

5 Click OK to save your changes.
Configuring External URLs for Secure Gateway and Tunnel Connections

To use the secure tunnel, a client system must have access to an IP address, or a fully qualified domain name (FQDN) that it can resolve to an IP address, that allows the client to reach a View Connection Server or security server host. To use the PCoIP Secure Gateway, a client connects to a View Connection Server or security server host using a URL. In an IPv4 environment, the URL must identify a host by its IP address.
Set the External URLs for a View Connection Server Instance

You use View Administrator to configure the external URLs for a View Connection Server instance. The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the addresses that client systems use to reach this View Connection Server instance.

Prerequisites

- Verify that the secure tunnel connections and the PCoIP Secure Gateway are enabled on the View Connection Server instance.
The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the addresses that client systems use to reach this security server.

Prerequisites

- Verify that the secure tunnel connections and the PCoIP Secure Gateway are enabled on the View Connection Server instance that is paired with this security server. See “Configure the PCoIP Secure Gateway and Secure Tunnel Connections,” on page 112.
Give Preference to DNS Names When View Connection Server Returns Address Information

By default, when sending the addresses of desktop machines and RDS hosts to clients and gateways, View Connection Server gives preference to IP addresses. You can change this default behavior with a View LDAP attribute that tells View Connection Server to give preference to DNS names.
2 Add the balancedHost property and set it to the address of the load balancer. For example, if users type https://view.example.com in a browser to reach any of the load-balanced View servers, add balancedHost=view.example.com to the locked.properties file.
3 Save the locked.properties file.
4 Restart the View Connection Server service or security server service to make your changes take effect.
Replace the Default HTTP Ports or NICs for View Connection Server Instances and Security Servers

You can replace the default HTTP ports or NICs for a View Connection Server instance or security server by editing the locked.properties file on the server computer. Your organization might require you to perform these tasks to comply with organization policies or to avoid contention. The default SSL port is 443. The default non-SSL port is 80.
What to do next

If necessary, manually configure your Windows firewall to open the updated ports.

Replace the Default Ports or NICs for the PCoIP Secure Gateway on View Connection Server Instances and on Security Servers

You can replace the default ports or NICs that are used by a PCoIP Secure Gateway service that runs on a View Connection Server instance or security server.
Replace the Default Port for View Composer

The SSL certificate that is used by the View Composer service is bound to a certain port by default. You can replace the default port by using the SviConfig ChangeCertificateBindingPort utility. When you specify a new port with the SviConfig ChangeCertificateBindingPort utility, the utility unbinds the View Composer certificate from the current port and binds it to the new port.
Procedure

1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server computer. For example:

install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties

The properties in the locked.properties file are case sensitive.

2 Add the following lines to the locked.properties file:

frontMappingHttpDisabled.1=5:*:moved:https::port
frontMappingHttpDisabled.
Sizing Windows Server Settings to Support Your Deployment

To support a large deployment of remote desktops, you can configure the Windows Server computers on which you install View Connection Server. On each computer, you can size the Windows page-file. On Windows Server 2008 R2 and Windows Server 2012 R2 computers, the ephemeral ports, TCB hash table, and Java Virtual Machine settings are sized by default.
Procedure

1 On the Windows Server computer on which View Connection Server is installed, navigate to the Virtual Memory dialog box. By default, Custom size is selected. An initial and maximum page-file size appear.
2 Click System managed size.

Windows continually recalculates the system page-file size based on current memory use and available memory.
Chapter 10 Configuring Event Reporting

You can create an event database to record information about View events. In addition, if you use a Syslog server, you can configure View Connection Server to send events to a Syslog server or create a flat file of events written in Syslog format.
2 Add a user for this database that has permission to create tables, views, and, in the case of Oracle, triggers and sequences, as well as permission to read from and write to these objects.

For a Microsoft SQL Server database, do not use the Integrated Windows Authentication security model method of authentication. Be sure to use the SQL Server Authentication method of authentication.
Configure the Event Database

The event database stores information about View events as records in a database rather than in a log file. You configure an event database after installing a View Connection Server instance. You need to configure only one host in a View Connection Server group. The remaining hosts in the group are configured automatically.
3 (Optional) In the Event Settings window, click Edit, change the length of time to show events and the number of days to classify events as new, and click OK.

These settings pertain to the length of time the events are listed in the View Administrator interface. After this time, the events are only available in the historical database tables.

The Database Configuration window displays the current configuration of the event database.
2 (Optional) In the Syslog area, to configure View Connection Server to send events to a Syslog server, click Add next to Send to syslog servers, and supply the server name or IP address and the UDP port number.
3 (Optional) To enable View event log messages to be generated and stored in Syslog format, in log files, select the Log to file: Enable check box.

The log files are retained locally unless you specify a UNC path to a file share.