View Administration
VMware Horizon 7
Version 7.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2010–2016 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

View Administration 7

1 Using View Administrator 9
  View Administrator and View Connection Server 9
  Log In to View Administrator 10
  Tips for Using the View Administrator Interface 10
  Troubleshooting the Text Display in View Administrator 12

2 Configuring View Connection Server 13
  Configuring vCenter Server and View Composer 13
  Backing Up View Connection Server 25
  Configuring Settings for Client Sessions 25
  Disable or Enable View Connection Server 36
  Edit the External URLs 37
  Join or Withdraw f

  Manage and Review Access Groups 95
  Manage Custom Roles 97
  Predefined Roles and Privileges 99
  Required Privileges for Common Tasks 103
  Best Practices for Administrator Users and Groups 105

7 Configuring Policies in View Administrator and Active Directory 107
  Setting Policies in View Administrator 107
  Using View Group Policy Administrative Template Files 109

8 Maintaining View Components 115
  Backing Up and Restoring View Configuration Data 115
  Monitor View Components 123
  Monitor Machi

  Monitoring and Troubleshooting ThinApp Applications in View Administrator 214
  ThinApp Configuration Example 217

13 Setting Up Clients in Kiosk Mode 219
  Configure Clients in Kiosk Mode 219

14 Troubleshooting View 229
  Monitoring System Health 229
  Monitor Events in View 230
  Collecting Diagnostic Information for View 231
  Update Support Requests 235
  Troubleshooting an Unsuccessful Security Server Pairing with View Connection Server 235
  Troubleshooting View Server Certificate Revocation Checking 236
View Administration

View Administration describes how to configure and administer VMware Horizon 7, including how to configure View Connection Server, create administrators, set up user authentication, configure policies, and manage VMware ThinApp applications in View Administrator. This document also describes how to maintain and troubleshoot View components.

Intended Audience

This information is intended for anyone who wants to configure and administer VMware Horizon 7.
Chapter 1 Using View Administrator

View Administrator is the Web interface through which you configure View Connection Server and manage your remote desktops and applications. For a comparison of the operations that you can perform with View Administrator, View cmdlets, and vdmadmin, see the View Integration document.

NOTE In Horizon 7, View Administrator is named Horizon Administrator. This document refers to Horizon Administrator as View Administrator.
Log In to View Administrator

To perform initial configuration tasks, you must log in to View Administrator. You access View Administrator by using a secure (SSL) connection.

Prerequisites
- Verify that View Connection Server is installed on a dedicated computer.
- Verify that you are using a Web browser supported by View Administrator. For View Administrator requirements, see the View Installation document.
Table 1-1 describes a few additional features that can help you to use View Administrator.

Table 1‑1. View Administrator Navigation and Display Features

View Administrator Feature: Navigating backward and forward in View Administrator pages
Description: Click your browser's Back button to go to the previously displayed View Administrator page. Click the Forward button to return to the current page.
Table 1‑1. View Administrator Navigation and Display Features (Continued)

View Administrator Feature: Selecting View objects and displaying View object details
Description: In View Administrator tables that list View objects, you can select an object or display object details.
- To select an object, click anywhere in the object's row in the table. At the top of the page, menus and commands that manage the object become active.
Chapter 2 Configuring View Connection Server

After you install and perform initial configuration of View Connection Server, you can add vCenter Server instances and View Composer services to your View deployment, set up roles to delegate administrator responsibilities, and schedule backups of your configuration data.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.
- Verify that all View Connection Server instances in the replicated group trust the root CA certificate for the server certificate that is installed on the vCenter Server host. Check if the root CA certificate is in the Trusted Root Certification Authorities > Certificates folder in the Windows local computer certificate stores on the View Connection Server hosts. If it is not, import the root CA certificate into the Windows local computer certificate stores.
- If the vCenter Server instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL Certificate,” on page 22.

If View uses multiple vCenter Server instances, repeat this procedure to add the other vCenter Server instances.
3 If you are using View Composer, select the location of the View Composer host.

Option: View Composer is installed on the same host as vCenter Server.
Description:
  a Select View Composer co-installed with the vCenter Server.
  b Make sure that the port number is the same as the port that you specified when you installed the VMware Horizon View Composer service on vCenter Server. The default port number is 18443.
5 Click OK.
6 To add domain user accounts with privileges in other Active Directory domains in which you deploy linked-clone pools, repeat the preceding steps.
7 Click Next to display the Storage Settings page.

What to do next
Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.

Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines

In vSphere 5.1 and later, you can enable the disk space reclamation feature for View.
Procedure
1 In View Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings page.
  a Select View Configuration > Servers.
  b On the vCenter Servers tab, click Add.
  c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains pages.
2 On the Storage Settings page, make sure that Enable space reclamation is selected.
Prerequisites
- Verify that your vCenter Server and ESXi hosts are version 5.0 or later. In an ESXi cluster, verify that all the hosts are version 5.0 or later.
- Verify that the vCenter Server user was assigned the Host > Configuration > Advanced settings privilege in vCenter Server. See the topics in the View Installation document that describe View and View Composer privileges required for the vCenter Server user.
Table 2‑1. Concurrent Operations Limits for vCenter Server and View Composer

Setting: Max concurrent vCenter provisioning operations
Description: Determines the maximum number of concurrent requests that View Connection Server can make to provision and delete full virtual machines in this vCenter Server instance. The default value is 20. This setting applies to full virtual machines only.
Logons, and therefore desktop power-on operations, typically occur in a normally distributed manner over a certain time window. You can approximate the peak power-on rate by assuming that it occurs in the middle of the time window, during which about 40% of the power-on operations occur in 1/6th of the time window. For example, if users log on between 8:00 AM and 9:00 AM, the time window is one hour, and 40% of the logons occur in the 10 minutes between 8:25 AM and 8:35 AM.
3 Examine the certificate thumbprint that was configured for the vCenter Server or View Composer instance.
  a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows Certificate Store.
  b Navigate to the vCenter Server or View Composer certificate.
  c Click the Certificate Details tab to display the certificate thumbprint.
  Similarly, examine the certificate thumbprint for a SAML authenticator.
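The comparison in this step can also be done programmatically against an exported copy of the certificate. The following Python sketch is an added example, not part of the VMware documentation; it assumes the thumbprint being compared is the SHA-1 digest of the DER-encoded certificate, which is the value the Windows certificate dialog shows, and it uses constructed stand-in bytes in place of a real certificate.

```python
import base64
import hashlib
import hmac
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
# A thumbprint is a digest over the raw DER bytes, so any bytes show the mechanics.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def thumbprint_from_pem(pem):
    """Return the SHA-1 digest (40 lowercase hex digits) of the DER encoding."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha1(der).hexdigest()


def normalize(displayed):
    """Keep only hex digits from a thumbprint copied out of a dialog.

    This drops spaces, colons and invisible characters such as U+200E that can
    be copied along with the value and make a plain string compare fail.
    """
    return "".join(ch for ch in displayed.lower() if ch in "0123456789abcdef")


def thumbprints_match(exported_pem, displayed):
    """Compare the thumbprint of an exported certificate with a displayed one."""
    expected = thumbprint_from_pem(exported_pem)
    candidate = normalize(displayed)
    # A SHA-1 thumbprint is exactly 40 hex digits; reject truncated values
    # instead of accepting a prefix match.
    if len(candidate) != 40:
        return False
    return hmac.compare_digest(expected, candidate)


def as_displayed(hex_digest):
    """Format a digest the way a GUI typically shows it: 'AB CD EF ...'."""
    pairs = [hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)]
    return " ".join(pairs).upper()


if __name__ == "__main__":
    shown = "\u200e" + as_displayed(thumbprint_from_pem(SAMPLE_PEM))
    print("match:", thumbprints_match(SAMPLE_PEM, shown))
```

Accept the certificate only when the full value matches; a thumbprint that differs or is shorter than 40 hex digits is treated as a mismatch.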
Procedure
1 Remove the linked-clone desktop pools that were created by View Composer.
  a In View Administrator, select Catalog > Desktop Pools.
  b Select a linked-clone desktop pool and click Delete.
    A dialog box warns that you will permanently delete the linked-clone desktop pool from View. If the linked-clone virtual machines are configured with persistent disks, you can detach or delete the persistent disks.
  c Click OK.
    The virtual machines are deleted from vCenter Server.
Backing Up View Connection Server

After you complete the initial configuration of View Connection Server, you should schedule regular backups of your View and View Composer configuration data. For information about backing up and restoring your View configuration, see “Backing Up and Restoring View Configuration Data,” on page 115.
The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.

Procedure
1 In View Administrator, select View Configuration > Global Settings.
2 In the Security pane, click Change data recovery password.
3 Type and retype the new password.
4 (Optional) Type a password reminder.

NOTE You can also change the data recovery password when you schedule your View configuration data to be backed up.
Table 2‑2. General Global Settings for Client Sessions (Continued)

Setting: Single sign-on (SSO)
Description: If SSO is enabled, View caches a user's credentials so that the user can launch remote desktops or applications without having to provide credentials to log in to the remote Windows session. The default is Enabled. If you plan to use the True SSO feature, introduced in Horizon 7 or later, SSO must be enabled.
Table 2‑2. General Global Settings for Client Sessions (Continued)

Setting: Display warning before forced logoff
Description: Displays a warning message when users are forced to log off because a scheduled or immediate update such as a desktop-refresh operation is about to start. This setting also determines how long to wait after the warning is shown before the user is logged off. Check the box to display a warning message.
Table 2‑3. Global Security Settings for Client Sessions and Connections

Setting: Reauthenticate secure tunnel connections after network interruption
Description: Determines if user credentials must be reauthenticated after a network interruption when Horizon clients use secure tunnel connections to remote desktops. When you select this setting, if a secure tunnel connection is interrupted, Horizon Client requires the user to reauthenticate before reconnecting.
Message Security Mode for View Components

You can set the message security mode to specify the security mechanism used when JMS messages pass among View components. Table 2-4 shows the options you can select to configure the message security mode. To set an option, select it from the Message security mode list in the Global Settings dialog window.

Table 2‑4. Message Security Mode Options

Option: Disabled
Description: Message security mode is disabled.
Using the vdmutil Utility to Configure the JMS Message Security Mode

You can use the vdmutil command-line interface to configure and manage the security mechanism used when JMS messages are passed between View components.

Syntax and Location of the Utility

The vdmutil command can perform the same operations as the lmvutil command that was included with earlier versions of View.
Table 2‑6. vdmutil Command Options

Option: --activatePendingConnectionServerCertificates
Description: Activates a pending security certificate for a View Connection Server instance in the local pod.

Option: --countPendingMsgSecStatus
Description: Counts the number of machines preventing a transition to or from Enhanced mode.

Option: --createPendingConnectionServerCertificates
Description: Creates a new pending security certificate for a View Connection Server instance in the local pod.
Prerequisites
- If you intend to enable the PCoIP Secure Gateway, verify that the View Connection Server instance and paired security server are View 4.6 or later.
- If you pair a security server to a View Connection Server instance on which you already enabled the PCoIP Secure Gateway, verify that the security server is View 4.6 or later.

Procedure
1 In View Administrator, select View Configuration > Servers.
Procedure
1 In View Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select a View Connection Server instance and click Edit.
3 Configure use of the Blast Secure Gateway.

Option: Enable the Blast Secure Gateway
Description: Select Use Blast Secure Gateway for Blast connections to machine

Option: Disable the Blast Secure Gateway
Description: Deselect Use Blast Secure Gateway for Blast connections to machine

The Blast Secure Gateway is enabled by default.
If you do not deploy security servers, or if you have a mixed network environment with some security servers and some external-facing View Connection Server instances, External URLs are required for any View Connection Server instances that connect to the intermediate server.

NOTE You cannot off-load SSL connections from a PCoIP Secure Gateway (PSG) or Blast Secure Gateway.
Example: locked.properties file

This file allows non-SSL HTTP connections to a View server. The IP address of the View server's client-facing network interface is 10.20.30.40. The server uses the default port 80 to listen for HTTP connections. The value http must be lower case.

serverProtocol=http
serverHostNonSSL=10.20.30.
Procedure
1 In View Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select the View Connection Server instance.
3 Click Disable.
  You can enable the instance again by clicking Enable.

Edit the External URLs

You can use View Administrator to edit external URLs for View Connection Server instances and security servers.
4 Type the Blast Secure Gateway external URL in the Blast External URL text box.
  The URL must contain the HTTPS protocol, client-resolvable host name, and port number.
  For example: https://myserver.example.com:8443
  By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach this host.
- View component entries that store configuration settings

View LDAP also contains a set of View plug-in DLLs that provide automation and notification services for other View components.

NOTE Security server instances do not contain a View LDAP directory.

LDAP Replication

When you install a replicated instance of View Connection Server, View copies the View LDAP configuration data from the existing View Connection Server instance.
Chapter 3 Setting Up Smart Card Authentication

For added security, you can configure a View Connection Server instance or security server so that users and administrators can authenticate by using smart cards.

A smart card is a small plastic card that contains a computer chip. The chip, which is like a miniature computer, includes secure storage for data, including private keys and public key certificates. One type of smart card used by the United States Department of Defense is called a Common Access Card (CAC).
Logging In with a Smart Card

When a user or administrator inserts a smart card into a smart card reader, the user certificates on the smart card are copied to the local certificate store on the client system if the client operating system is Windows. The certificates in the local certificate store are available to all of the applications running on the client computer, including Horizon Client.
Obtain the Certificate Authority Certificates

You must obtain all applicable CA (certificate authority) certificates for all trusted user certificates on the smart cards presented by your users and administrators. These certificates include root certificates and can include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.
What to do next
Add the CA certificate to a server truststore file.

Add the CA Certificate to a Server Truststore File

You must add root certificates, intermediate certificates, or both to a server truststore file for all users and administrators that you trust. View Connection Server instances and security servers use this information to authenticate smart card users and administrators.
Procedure
1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server host.
  For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
2 Add the trustKeyfile, trustStoretype, and useCertAuth properties to the locked.properties file.
  a Set trustKeyfile to the name of your truststore file.
  b Set trustStoretype to jks.
3 To configure smart card authentication for remote desktop and application users, perform these steps.
  a On the Authentication tab, select a configuration option from the Smart card authentication for users drop-down menu in the View Authentication section.

Option: Not allowed
Action: Smart card authentication is disabled on the View Connection Server instance.
6 Restart the View Connection Server service.
  You must restart the View Connection Server service for changes to smart card settings to take effect, with one exception. You can change smart card authentication settings between Optional and Required without having to restart the View Connection Server service.
  Currently logged in users and administrators are not affected by changes to smart card settings.
- Add the Root Certificate to Trusted Root Certification Authorities on page 49
  If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Add the Root Certificate to Trusted Root Certification Authorities

If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
2 Expand the Computer Configuration section and open the policy for Windows Settings\Security Settings\Public Key.
3 Right-click Intermediate Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.cer) and click OK.
5 Close the Group Policy window.

All of the systems in the domain now have a copy of the intermediate certificate in their intermediate certification authority store.
- If smart card users select the PCoIP display protocol or the VMware Blast display protocol to connect to single-session desktops, verify that the View Agent or Horizon Agent component called Smartcard Redirection is installed on the single-user machines. The smart card feature lets users log in to single-session desktops with smart cards.
Logging in with CRL Checking

When you configure CRL checking, View constructs and reads a CRL to determine the revocation status of a user certificate.

If a certificate is revoked and smart card authentication is optional, the Enter your user name and password dialog box appears and the user must provide a password to authenticate. If smart card authentication is required, the user receives an error message and is not allowed to authenticate.
Configure OCSP Certificate Revocation Checking

When you configure OCSP certificate revocation checking, View sends a verification request to an OCSP Responder to determine the revocation status of a smart card user certificate.

Prerequisites
Familiarize yourself with the locked.properties file properties for OCSP certificate revocation checking. See “Smart Card Certificate Revocation Checking Properties,” on page 53.

Procedure
1 Create or edit the locked.
Table 3‑1. Properties for Smart Card Certificate Revocation Checking

Property: enableRevocationChecking
Description: Set this property to true to enable certificate revocation checking. When this property is set to false, certificate revocation checking is disabled and all other certificate revocation checking properties are ignored. The default value is false.

Property: crlLocation
Description: Specifies the location of the CRL, which can be either a URL or a file path.
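The locked.properties settings described in this chapter and in the earlier non-SSL example can be checked together before a server is restarted. The following Python sketch is an added example, not part of the VMware documentation; the finding codes and sample files are constructed, and treating useCertAuth=true as the enabling value is an assumption, because the step that sets it is cut off on this page.

```python
def parse_properties(text):
    """Parse key=value lines (a subset of Java .properties: no continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_true(props, key):
    # An unset property counts as false, which matches the documented
    # default for enableRevocationChecking.
    return props.get(key, "false").lower() == "true"


def audit(props):
    """Return a list of (code, message) findings for a parsed locked.properties."""
    findings = []

    proto = props.get("serverProtocol")
    if proto is not None and proto.lower() == "http":
        findings.append(("non-ssl-http",
                         "server is set to accept non-SSL HTTP connections"))
        if proto != "http":
            findings.append(("serverProtocol-case",
                             "the value http must be lower case"))

    if is_true(props, "useCertAuth"):  # assumed enabling value, see lead-in
        if not props.get("trustKeyfile"):
            findings.append(("truststore-missing",
                             "useCertAuth is set but trustKeyfile is not"))
        if props.get("trustStoretype", "").lower() != "jks":
            findings.append(("truststore-type",
                             "trustStoretype must be set to jks"))
        if not is_true(props, "enableRevocationChecking"):
            findings.append(("revocation-disabled",
                             "smart card certificates are not checked for "
                             "revocation (enableRevocationChecking defaults to false)"))
    elif props.get("trustKeyfile"):
        findings.append(("certauth-off",
                         "trustKeyfile is set but useCertAuth is not enabled"))

    if not is_true(props, "enableRevocationChecking") and "crlLocation" in props:
        findings.append(("crl-ignored",
                         "crlLocation is ignored while enableRevocationChecking "
                         "is false"))
    return findings


# Constructed sample files (host names and file names are placeholders).
WEAK_SAMPLE = """\
# constructed sample: several problems at once
serverProtocol=HTTP
trustKeyfile=trust.jks
trustStoretype=pkcs12
useCertAuth=true
enableRevocationChecking=false
crlLocation=http://crl.example.com/root.crl
"""

HARDENED_SAMPLE = """\
trustKeyfile=trust.jks
trustStoretype=jks
useCertAuth=true
enableRevocationChecking=true
crlLocation=http://crl.example.com/root.crl
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name)
        for code, message in audit(parse_properties(sample)):
            print("  %s: %s" % (code, message))
```

A non-ssl-http finding is expected on servers that sit behind an intermediate device terminating SSL; it is reported so that the setting is a deliberate choice rather than a leftover.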
Chapter 4 Setting Up Other Types of User Authentication

View uses your existing Active Directory infrastructure for user and administrator authentication and management. You can also integrate View with other forms of authentication besides smart cards, such as biometric authentication or two-factor authentication solutions, such as RSA SecurID and RADIUS, to authenticate remote desktop and application users.
- Enable Two-Factor Authentication in View Administrator on page 56
  You enable a View Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying View Connection Server settings in View Administrator.
- Troubleshooting RSA SecurID Access Denial on page 58
  Access is denied when Horizon Client connects with RSA SecurID authentication.
3 On the Authentication tab, from the 2-factor authentication drop-down list in the Advanced Authentication section, select RSA SecureID or RADIUS.
4 To force RSA SecurID or RADIUS user names to match user names in Active Directory, select Enforce SecurID and Windows user name matching or Enforce 2-factor and Windows user name matching.
Troubleshooting RSA SecurID Access Denial

Access is denied when Horizon Client connects with RSA SecurID authentication.

Problem
A Horizon Client connection with RSA SecurID displays Access Denied and the RSA Authentication Manager Log Monitor displays the error Node Verification Failed.

Cause
The RSA Agent host node secret needs to be reset.

Solution
1 In View Administrator, select View Configuration > Servers.
Using SAML Authentication

The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and exchange authentication and authorization information between different security domains. SAML passes information about users between identity providers and service providers in XML documents called SAML assertions.
Configure a SAML Authenticator in View Administrator

To launch remote desktops and applications from VMware Identity Manager or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in View Administrator. A SAML authenticator contains the trust and metadata exchange between View and the device to which clients connect.

You associate a SAML authenticator with a View Connection Server instance.
3 On the Authentication tab, select a setting from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu to enable or disable the SAML authenticator.

Option: Disabled
Description: SAML authentication is disabled. You can launch remote desktops and applications only from Horizon Client.

Option: Allowed
Description: SAML authentication is enabled.
7 In the System Health section on the View Administrator dashboard, select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
  If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if VMware Identity Manager is unavailable, or if the metadata URL is invalid.
Generate SAML Metadata So That View Connection Server Can Be Used as a Service Provider

After you create and enable a SAML authenticator for the identity provider you want to use, you might need to generate View Connection Server metadata. You use this metadata to create a service provider on the Access Point appliance or a third-party load balancer that is the identity provider.
2 In the Connection Settings dialog box, select or connect to DC=vdi,DC=vmware,DC=int.
3 In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server host followed by port 389.
  For example: localhost:389 or mycomputer.mydomain.com:389
4 On the object CN=Common, OU=Global, OU=Properties, edit the pae-ClientConfig attribute and add the value BioMetricsTimeout=.
Chapter 5 Authenticating Users Without Requiring Credentials

After users log in to a client device or to VMware Identity Manager, they can connect to a remote application or desktop without being prompted for Active Directory credentials.

For Windows clients, administrators can configure the setup so that users do not need to supply additional credentials to log in to a Horizon server after they log in to a Windows client with Active Directory (AD) credentials.
Administrators can use Horizon Client group policy settings to control the availability of the Log in as current user check box and to specify its default value. Administrators can also use group policy to specify which View Connection Server instances accept the user identity and credential information that is passed when users select the Log in as current user check box in Horizon Client.
On View Connection Server, the new setting takes effect immediately. You do not need to restart the View Connection Server service or the client computer.

Setting Up True SSO

With the True SSO (single sign-on) feature, after users log in to VMware Identity Manager using a smart card or RSA SecurID or RADIUS authentication, users are not required to also enter Active Directory credentials in order to use a remote desktop or application.
[Figure: Very Simple True SSO Architecture. Labels: AD, Certificate Authority, VMware Identity Manager Appliance, Enrollment Server, SAML Trust, Connection Server, Client.]

The following figure illustrates True SSO in a single domain architecture.
[Figure: True SSO Single Forest Multiple Domain Architecture (non HA). Labels: Forest, Domain #1 (Root Domain), Domain #2, CA, AD, Enrollment Server, VMware Identity Manager Appliance, Connection Server, Client.]

The following figure illustrates True SSO in a multiple-forest architecture.
Set Up an Enterprise Certificate Authority

If you do not already have a certificate authority set up, you must add the Active Directory Certificate Services (AD CS) role to a Windows server and configure the server to be an enterprise CA.

If you do already have an enterprise CA set up, verify that you are using the settings described in this procedure. You must have at least one enterprise CA, and VMware recommends that you have two for purposes of failover and load balancing.
9 On the Credentials page, click Next and complete the AD CS Configuration wizard pages as described in the following table.

Option: Role Services
Action: Select Certification Authority, and click Next (rather than Configure).

Option: Setup Type
Action: Select Enterprise CA.

Option: CA Type
Action: Select Root CA or Subordinate CA. Some enterprises prefer two-tier PKI deployment. For more information, see http://social.technet.microsoft.com/wiki/contents/articles/15037.
Procedure
1 On the machine that you are using for the certificate authority, log in to the operating system as an administrator and go to Administrative Tools > Certification Authority.
2 Expand the tree in the left pane, right-click Certificate Templates and select Manage.
3 Right-click the Smartcard Logon template and select Duplicate.
9 In the Enable Certificate Templates window, select Enrollment Agent Computer and click OK.

What to do next
Create an enrollment service. See “Install and Set Up an Enrollment Server,” on page 73.

Install and Set Up an Enrollment Server

You run the Connection Server installer and select the Horizon 7 Enrollment Server option to install an enrollment server.
2 Issue an enrollment agent certificate:
  a In the Certificates console, expand the console root tree, right-click the Personal folder, and select All Tasks > Request New Certificate.
  b In the Certificate Enrollment wizard, accept the defaults until you get to the Request Certificates page.
  c On the Request Certificates page, select the Enrollment Agent (Computer) check box and click Enroll.
  d Accept the defaults on the other wizard pages, and click Finish on the last page.
The Enrollment Service Client certificate is automatically created when a Horizon 7 or later connection server is installed and the VMware Horizon View Connection Server service starts. The certificate is distributed through View LDAP to other Horizon 7 connection servers that get added to the cluster later. The certificate is then stored in a custom container (VMware Horizon View Certificates\Certificates) in the Windows Certificate Store on the
- Verify that you have the correct certificate to import. You can use either your own certificate or the automatically generated, self-signed Enrollment Service Client certificate from one connection server in the cluster, as described in “Export the Enrollment Service Client Certificate,” on page 74.

IMPORTANT To use your own certificates for pairing, place the preferred certificate (and the associated private key) in the custom container (VMware Horizon View Certificates\Certificates
Although the process for configuring SAML authentication for VMware Identity Manager has not changed, one additional step has been added for True SSO. You must configure VMware Identity Manager so that password pop-ups are suppressed.

NOTE If your deployment includes more than one View Connection Server instance, you must associate the SAML authenticator with each instance.
7 In the System Health section on the View Administrator dashboard, select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
  If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if the VMware Identity Manager service is unavailable, or if the metadata URL is invalid.
Procedure
1 On a connection server in the cluster, open a command prompt and enter the command to add an enrollment server.
  vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server-fqdn
  The enrollment server is added to the global list.
2 Enter the command to list the information for that enrollment server.
To configure advanced options, use Windows advanced settings on the appropriate system. See “Advanced Configuration Settings for True SSO,” on page 83.

Command-line Reference for Configuring True SSO
You can use the vdmutil command-line interface to configure and manage the True SSO feature.

Location of the Utility
By default, the path to the vdmutil command executable file is C:\Program Files\VMware\VMware View\Server\tools\bin.
Commands for Managing Enrollment Servers
You must add one enrollment server for each domain. You can also add a second enrollment server and later designate that server to be used as a backup.
For readability, the options shown in the following table do not represent the complete command you would enter. Only the options specific to the particular task are included.
For more information about the authentication options, see “Command-line Reference for Configuring True SSO,” on page 80.
Table 5‑3.
Table 5‑4. vdmutil truesso Command Options for Managing Authenticators
Command and Options | Description
--list --authenticator [--verbose] | Lists the fully qualified domain names (FQDNs) of all SAML authenticators found in the domain. For each one, specifies whether True SSO is enabled. If you use the --verbose option, the FQDNs of the associated connection servers are also listed.
View Administration Table 5‑5. Keys for Configuring True SSO on Horizon Agent (Continued) Key Min & Max Number of keys to pre-create 1-100 Number of keys to pre-create on RDS servers that provide remote desktops and hosted Windows applications. The default is 5. Minimum validity period required for a certificate N/A Minimum validity period, in minutes, required for a certificate when it is being reused to reconnect a user. The default is 5.
Table 5‑6. Registry Keys for Configuring True SSO on the Enrollment Server (Continued)
Registry Key | Min & Max | Type | Description
PreferLocalCa | N/A | REG_SZ | Specifies whether to prefer the locally installed CA, if available, for performance benefits. If set to TRUE, the enrollment server will send requests to the local CA. If the connection to the local CA fails, the enrollment server will try to send certificate requests to alternate CAs.
Using the System Health Dashboard to Troubleshoot Issues Related to True SSO
You can use the system health dashboard in View Administrator to quickly see problems that might affect the operation of the True SSO feature.
For end users, if True SSO stops working, when the system attempts to log the user in to the remote desktop or application, the user sees the following message: "The user name or password is incorrect." After the user clicks OK, the user is taken to the login screen.
Table 5‑9. Enrollment Server Connectivity
Status Text | Description
This domain does not exist on the enrollment server. | The True SSO connector has been configured to use this enrollment server for this domain, but the enrollment server has not yet been configured to connect to this domain.
View Administration Table 5‑11. Certificate Template Status Status Text Description The template does not exist on the enrollment server domain. Check that you specified the correct template name. Certificates generated by this template can NOT be used to log on to windows. This template does not have the smart card usage enabled and data signing enabled. Check that you specified the correct template name. Verify that you have .
6 Configuring Role-Based Delegated Administration
One key management task in a View environment is to determine who can use View Administrator and what tasks those users are authorized to perform. With role-based delegated administration, you can selectively assign administrative rights by assigning administrator roles to specific Active Directory users and groups.
To create administrators, you select users and groups from your Active Directory users and groups and assign administrator roles. Administrators obtain privileges through their role assignments. You cannot assign privileges directly to administrators. An administrator that has multiple role assignments acquires the sum of all the privileges contained in those roles.
Table 6‑1. Different Administrators for Different Access Groups
Administrator | Role | Access Group
view-domain.com\Admin1 | Inventory Administrators | /CorporateDesktops
view-domain.com\Admin2 | Inventory Administrators | /DeveloperDesktops

In this example, the administrator called Admin1 has the Inventory Administrators role on the access group called CorporateDesktops and the administrator called Admin2 has the Inventory Administrators role on the a
Table 6‑4. Permissions on the Folders Tab for MarketingDesktops
Admin | Role | Inherited
view-domain.com\Admin1 | Inventory Administrators |
view-domain.com\Admin1 | Administrators (Read only) | Yes

The first permission is the same as the first permission shown in Table 6-3. The second permission is inherited from the second permission shown in Table 6-3.
- To assign a custom role to the administrator, create the custom role. See “Add a Custom Role,” on page 98.
- To create an administrator that can manage specific desktop pools, create an access group and move the desktop pools to that access group. See “Manage and Review Access Groups,” on page 95.

Procedure
1 In View Administrator, select View Configuration > Administrators.
2 On the Administrators and Groups tab, click Add User or Group.
- Delete a Permission on page 94
  You can delete a permission that includes a specific administrator user or group, a specific role, or a specific access group.
- Review Permissions on page 95
  You can review the permissions that include a specific administrator or group, a specific role, or a specific access group.

Add a Permission
You can add a permission that includes a specific administrator user or group, a specific role, or a specific access group.
Chapter 6 Configuring Role-Based Delegated Administration Procedure 1 In View Administrator, select View Configuration > Administrators. 2 Select the permission to delete. 3 Option Action Delete a permission that applies to a specific administrator or group Select the administrator or group on the Administrators and Groups tab. Delete a permission that applies to a specific role Select the role on the Roles tab.
View Administration n Review the vCenter Virtual Machines in an Access Group on page 97 You can see the vCenter virtual machines in a particular access group in View Administrator. A vCenter virtual machine inherits the access group from its pool. Add an Access Group You can delegate the administration of specific machines, desktop pools, or farms to different administrators by creating access groups. By default, desktop pools, application pools, and farms reside in the root access group.
Procedure
1 In View Administrator, select View Configuration > Administrators.
2 On the Access Groups tab, select the access group and click Remove Access Group.
3 Click OK to remove the access group.

Review the Desktop Pools, Application Pools, or Farms in an Access Group
You can see the desktop pools, the application pools, or the farms in a particular access group in View Administrator.
Add a Custom Role
If the predefined administrator roles do not meet your needs, you can combine specific privileges to create your own roles in View Administrator.

Prerequisites
Familiarize yourself with the administrator privileges that you can use to create custom roles. See “Predefined Roles and Privileges,” on page 99.

Procedure
1 In View Administrator, select View Configuration > Administrators.
2 On the Roles tab, click Add Role.
Predefined Roles and Privileges
View Administrator includes predefined roles that you can assign to your administrator users and groups. You can also create your own administrator roles by combining selected privileges.
- Predefined Administrator Roles on page 99
  The predefined administrator roles combine all of the individual privileges required to perform common administration tasks. You cannot modify the predefined roles.
View Administration Table 6‑6. Predefined Roles in View Administrator Role User Capabilities Administrators Perform all administrator operations, including creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role can configure and manage a pod federation and manage remote pod sessions.
Chapter 6 Configuring Role-Based Delegated Administration Table 6‑6. Predefined Roles in View Administrator (Continued) Applies to an Access Group Role User Capabilities Local Administrators Perform all local administrator operations, except for creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role cannot perform operations on the Global Data Layer or manage sessions on remote pods.
Object-Specific Privileges
Object-specific privileges control operations on specific types of inventory objects. Roles that contain object-specific privileges can be applied to access groups.
Table 6-8 describes the object-specific privileges. The predefined roles Administrators and Inventory Administrators contain all of these privileges.

Table 6‑8. Object-Specific Privileges
Privilege | User Capabilities | Object
Enable Farms and Desktop Pools | Enable and disable desktop pools. |
Required Privileges for Common Tasks
Many common administration tasks require a coordinated set of privileges. Some operations require permission at the root access group in addition to access to the object that is being manipulated.

Privileges for Managing Pools
An administrator must have certain privileges to manage pools in View Administrator.
Table 6‑12. Persistent Disk Management Tasks and Privileges
Task | Required Privileges
Detach a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the pool.
Attach a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the machine.
Edit a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the selected pool.
Table 6‑14. Privileges for General Administration Tasks and Commands (Continued)
Task | Required Privileges
Use the vdmadmin and vdmimport commands | Must have the Administrators role on the root access group.
Use the vdmexport command | Must have the Administrators role or the Administrators (Read only) role on the root access group.
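The permission model this chapter describes (roles assigned on access groups, inheritance from the root access group, privileges summed across roles) and the task requirements in Tables 6‑12 and 6‑14 can be evaluated offline when reviewing who holds which rights. The following Python is an added example, not VMware code: the role contents are a constructed subset, view-domain.com\Admin3 is a constructed account, and all function names are hypothetical.

```python
from typing import NamedTuple

ROOT = "/"  # root access group; permissions set here are inherited by every access group

# Privilege names are taken from the page; the role contents below are a
# constructed subset for illustration (assumption), not the full product tables.
OBJECT_PRIVILEGES = frozenset({
    "Enable Farms and Desktop Pools",
    "Manage Persistent Disks",
    "Manage Farms and Desktop and Application Pools",
})
ROLE_PRIVILEGES = {
    "Administrators": OBJECT_PRIVILEGES | {"Manage Global Configuration and Policies"},
    "Inventory Administrators": OBJECT_PRIVILEGES,
    # Simplification: no change-making privileges are modelled for this role.
    "Administrators (Read only)": frozenset(),
}

# Table 6-14: roles on the root access group that allow each command.
COMMAND_ROLES = {
    "vdmadmin": {"Administrators"},
    "vdmimport": {"Administrators"},
    "vdmexport": {"Administrators", "Administrators (Read only)"},
}


class Permission(NamedTuple):
    admin: str          # Active Directory user or group
    role: str
    access_group: str


def roles_on(perms, admin, access_group):
    """Roles that apply to admin on access_group: direct plus inherited from root."""
    who = admin.lower()  # AD account names are not case-sensitive
    return {
        p.role for p in perms
        if p.admin.lower() == who and p.access_group in (access_group, ROOT)
    }


def privileges_on(perms, admin, access_group):
    """Sum (union) of the privileges of every role that applies."""
    privs = set()
    for role in roles_on(perms, admin, access_group):
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role: {role!r}")
        privs |= ROLE_PRIVILEGES[role]
    return privs


def can_run_command(perms, admin, command):
    """Table 6-14 check: the qualifying role must be held on the root access group."""
    return bool(roles_on(perms, admin, ROOT) & COMMAND_ROLES[command])


def can_detach_disk(perms, admin, disk_group, pool_group):
    """Table 6-12: both privileges are needed, one on the disk and one on the pool."""
    return (
        "Manage Persistent Disks" in privileges_on(perms, admin, disk_group)
        and "Manage Farms and Desktop and Application Pools"
        in privileges_on(perms, admin, pool_group)
    )


def command_holders(perms, command):
    """Everyone who can run the command, e.g. who can export View LDAP data."""
    return sorted({p.admin for p in perms if can_run_command(perms, p.admin, command)})


ADMIN1 = r"view-domain.com\Admin1"
ADMIN2 = r"view-domain.com\Admin2"
ADMIN3 = r"view-domain.com\Admin3"  # constructed account, not on the page

# Constructed permission list modelled on Tables 6-1 and 6-4.
PERMISSIONS = [
    Permission(ADMIN1, "Inventory Administrators", "/CorporateDesktops"),
    Permission(ADMIN1, "Administrators (Read only)", ROOT),
    Permission(ADMIN2, "Inventory Administrators", "/DeveloperDesktops"),
    Permission(ADMIN3, "Administrators", ROOT),
]

if __name__ == "__main__":
    for cmd in COMMAND_ROLES:
        print(cmd, command_holders(PERMISSIONS, cmd))
```

In this model, a read-only role on the root access group is enough to run vdmexport, so the output of command_holders for vdmexport is the list to check when deciding who can obtain a copy of the View LDAP configuration.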
7 Configuring Policies in View Administrator and Active Directory
You can use View Administrator to set policies for client sessions. You can configure Active Directory group policy settings to control the behavior of View Connection Server, the PCoIP display protocol, and View logging and performance alarms.
You can also configure Active Directory group policy settings to control the behavior of Horizon Agent, Horizon Client for Windows, View Persona Management, and certain features.
- View Policies on page 109
  You can configure View policies to affect all client sessions, or you can apply them to affect specific desktop pools or users.

Configure Global Policy Settings
You can configure global policies to control the behavior of all client sessions users.

Prerequisites
Familiarize yourself with the policy descriptions. See “View Policies,” on page 109.

Procedure
1 In View Administrator, select Policies > Global Policies.
5 Select one or more users from the list, click OK, and then click Next.
  The Add Individual Policy dialog box appears.
6 Configure the View policies and click Finish to save your changes.

View Policies
You can configure View policies to affect all client sessions, or you can apply them to affect specific desktop pools or users.
Table 7-1 describes each View policy setting.
Table 7‑1.
View Administration n The User Configuration policies set policies that apply to all users, regardless of the remote desktop or application they connect to. User Configuration policies override equivalent Computer Configuration policies. Microsoft Windows applies policies at desktop startup and when users log in. View ADM and ADMX Template Files The View ADM and ADMX template files provide group policy settings that let you control and optimize View components. Table 7‑2.
Chapter 7 Configuring Policies in View Administrator and Active Directory Table 7‑2. View ADM and ADMX Template Files (Continued) Template Name Template File Description View Persona Management Configuration ViewPM.adm Contains policy settings related to View Persona Management. See the Setting Up Desktop and Application Pools in View document. View Remote Desktop Services vmware_rdsh.admx vmware_rdsh_server.admx Contains policy settings related to Remote Desktop Services.
View Administration View Common Configuration ADM Template Settings The View Common Configuration ADM template file (vdm_common.adm) contains policy settings common to all View components. This template contains only Computer Configuration settings. Log Configuration Settings Table 7-4 describes the log configuration policy setting in the View Common Configuration ADM template file. Table 7‑4.
Chapter 7 Configuring Policies in View Administrator and Active Directory Table 7‑5. View Common Configuration Template: Performance Alarm Settings (Continued) Setting Properties Overall memory usage percentage to issue log info Specifies the threshold at which the overall committed system memory use is logged. Committed system memory is memory that has been allocated by processes and to which the operating system has committed physical memory or a page slot in the pagefile.
8 Maintaining View Components
To keep your View components available and running, you can perform a variety of maintenance tasks.
You can perform backups in several ways.
- Schedule automatic backups by using the View configuration backup feature.
- Initiate a backup immediately by using the Backup Now feature in View Administrator.
- Manually export View LDAP data by using the vdmexport utility. This utility is provided with each instance of View Connection Server.
Chapter 8 Maintaining View Components View Configuration Backup Settings View can back up your View Connection Server and View Composer configuration data at regular intervals. In View Administrator, you can set the frequency and other aspects of the backup operations. Table 8‑1. View Configuration Backup Settings Setting Description Automatic backup frequency Every Hour. Backups take place every hour on the hour. Every 6 Hours. Backups take place at midnight, 6 am, noon, and 6 pm. Every 12 Hours.
2 At the command prompt, type the vdmexport command and redirect the output to a file. For example:
  vdmexport > Myexport.LDF
  By default, the exported data is encrypted.
  You can specify the output file name as an argument to the -f option. For example:
  vdmexport -f Myexport.LDF
  You can export the data in plain text format (verbatim) by using the -v option. For example:
  vdmexport -f Myexport.
If you backed up your View LDAP configuration by using View Administrator or the default vdmexport command, the exported LDIF file is encrypted. You must decrypt the LDIF file before you can import it. If the exported LDIF file is in plain text format, you do not have to decrypt the file.

NOTE Do not import an LDIF file in cleansed format, which is plain text with passwords and other sensitive data removed.
11 Log in to View Administrator and validate that the configuration is correct.
12 Start the View Composer instances.
13 Reinstall the replica server instances.
14 Start the security server instances.
   If there is a risk that the security servers have inconsistent configuration, they should also be uninstalled rather than stopped and then reinstalled at the end of the process.
2 On the computer where View Composer is installed, stop the VMware Horizon View Composer service.
3 Open a Windows command prompt and navigate to the SviConfig executable file.
  The file is located with the View Composer application. The default path is C:\Program Files (x86)\VMware\VMware View Composer\sviconfig.exe.
4 Run the SviConfig restoredata command.
Familiarize yourself with the SviConfig exportdata parameters:
- DsnName - The DSN that is used to connect to the database. If it is not specified, DSN name, user name and password will be retrieved from server configuration file.
- Username - The user name that is used to connect to the database. If this parameter is not specified, Windows authentication is used.
- Password - The password for the user that connects to the database.
Chapter 8 Maintaining View Components Monitor View Components You can quickly survey the status of the View and vSphere components in your View deployment by using the View Administrator dashboard. View Administrator displays monitoring information about View Connection Server instances, the event database, security servers, View Composer services, datastores, vCenter Server instances, and domains. NOTE View cannot determine status information about Kerberos domains.
View Administration The Machines page displays all machines with the selected status. What to do next You can click a machine name to see details about the machine or click the View Administrator back arrow to return to the Dashboard page. Understanding View Services The operation of View Connection Server instances and security servers depends on several services that run on the system.
Chapter 8 Maintaining View Components Services on a View Connection Server Host The operation of View depends on several services that run on a View Connection Server host. Table 8‑4. View Connection Server Host Services Service Name Startup Type Description VMware Horizon View Blast Secure Gateway Automatic Provides secure HTML Access and Blast Extreme services. This service must be running if clients connect to View Connection Server through the Blast Secure Gateway.
View Administration Table 8‑5. Security Server Services (Continued) Service Name Startup Type Description VMware Horizon View PCoIP Secure Gateway Manual Provides PCoIP Secure Gateway services. This service must be running if clients connect to this security server through the PCoIP Secure Gateway. VMware Horizon View Security Gateway Component Manual Provides common gateway services. This service must always be running.
Chapter 8 Maintaining View Components For named users, View counts the number of unique users that have accessed the View environment. If a named user runs multiple single-user desktops, RDS desktops, and remote applications, the user is counted once. For named users, the Current column on the Product Licensing and Usage page displays the number of users since your View deployment was first configured or since you last reset the Named Users Count. The Highest column is not applicable to named users.
View Administration You can also use the vdmadmin command to update user and domain information. See “Updating Foreign Security Principals Using the -F Option,” on page 246. Prerequisites Verify that you can log in to View Administrator as an administrator with the Manage Global Configuration and Policies privilege. Procedure 1 In View Administrator, click Users and Groups. 2 Choose whether to update information for all users or an individual user.
Chapter 8 Maintaining View Components Guidelines for Migrating View Composer The steps you take to migrate the VMware Horizon View Composer service depend on whether you intend to preserve existing linked-clone virtual machines. To preserve the linked-clone virtual machines in your deployment, the VMware Horizon View Composer service that you install on the new virtual or physical machine must continue to use the existing View Composer database.
View Administration n Familiarize yourself with installing the VMware Horizon View Composer service. See "Installing View Composer" in the View Installation document. n Familiarize yourself with configuring an SSL certificate for View Composer. See "Configuring SSL Certificates for View Servers" in the View Installation document. n Familiarize yourself with configuring View Composer in View Administrator.
Chapter 8 Maintaining View Components Migrate View Composer Without Linked-Clone Virtual Machines If the current VMware Horizon View Composer service does not manage any linked-clone virtual machines, you can migrate View Composer to a new physical or virtual machine without migrating the RSA keys to the new machine. The migrated VMware Horizon View Composer service can connect to the original View Composer database, or you can prepare a new database for View Composer.
  e In the Domains pane, click Verify Server Information and add or edit the View Composer domains as needed.
  f Click OK.

Prepare a Microsoft .NET Framework for Migrating RSA Keys
To use an existing View Composer database, you must migrate the RSA key container between machines. You migrate the RSA key container by using the ASP.NET IIS registration tool provided with the Microsoft .NET Framework.

Prerequisites
Download the .NET Framework and read about the ASP.
5 Type the aspnet_regiis command to migrate the RSA key pair data.
  aspnet_regiis -pi "SviKeyContainer" "path\keys.xml" -exp
  where path is the path to the exported file.
  The -exp option creates an exportable key pair. If a future migration is required, the keys can be exported from this machine and imported to another machine.
3 For View Connection Server or security server, add the certificate Friendly name, vdm, to the new certificate that is replacing the previous certificate.
  a Right-click the new certificate and click Properties
  b On the General tab, in the Friendly name field, type vdm.
  c Click Apply and click OK.
4 For a server certificate that is issued to View Composer, run the SviConfig ReplaceCertificate utility to bind the new certificate to the port used by View Composer.
Chapter 8 Maintaining View Components How VMware Ensures Your Privacy VMware is committed to protecting your privacy and takes several steps to ensure that no data collected by the customer experience improvement program (CEIP) includes sensitive information that could uniquely identify a particular customer or user. The program does not collect any information that can be used to identify you or contact you. No data that identifies your organization or users is collected.
View Administration Additional Information About the Customer Experience Improvement Program After you choose to participate in the CEIP, data is collected on the first View Connection Server instance that starts in a View deployment. Configuration data is collected on a weekly basis. Performance and usage data is collected on an hourly basis.
Chapter 8 Maintaining View Components Table 8‑6.
View Administration Table 8‑8.
Chapter 8 Maintaining View Components Table 8‑9.
View Administration Table 8‑10. Dynamic Usage Data Collected from View Connection Server (Continued) Is This Field Made Anonymous? Example Value Number of times application connections have been launched for a user who is entitled to n number of applications No List of integers Number of times n protocol (such as PCoIP) sessions have been in existence when a user launches another application.
Chapter 8 Maintaining View Components Table 8‑12.
View Administration Table 8‑13.
Chapter 8 Maintaining View Components Table 8‑14.
View Administration Table 8‑18. ESX Node Information Description Identifier of the vCenter Server that manages a particular ESXi host, along with an identifier for the ESXi host Is This Field Made Anonymous? No Example Value 1234-ADEE-BECF-41AA-4950BCDAhost-14 Table 8‑19.
Chapter 8 Maintaining View Components Cloud Pod Architecture Information Collected by VMware If you join the customer experience improvement program, VMware collects data from certain Cloud Pod Architecture fields. Fields containing sensitive information are made anonymous. Table 8‑21.
View Administration Table 8‑22. Data Collected from Horizon Clients for the Customer Experience Improvement Program Is This Field Made Anonymous ? Example Value Company that produced the Horizon Client application No VMware Product name No VMware Horizon Client Client product version No (The format is x.x.x-yyyyyy, where x.x.x is the client version number and yyyyyy is the build number.
Chapter 8 Maintaining View Components Table 8‑22. Data Collected from Horizon Clients for the Customer Experience Improvement Program (Continued) Description Is This Field Made Anonymous ? MB of memory on the host system No Example Value Examples include the following: 4096 n unknown (for Windows Store) n Number of USB devices connected No 2 (USB device redirection is supported only for Linux, Windows, and Mac OS X clients.
View Administration Table 8‑23. Client Data Collected for the Customer Experience Improvement Program (Continued) Description Field name Is This Field Made Anonymous ? Native architecture of the browser No Example Value Examples include the following values: n Win32 n Win64 n MacIntel n Browser user agent string No Examples include the following values: n Mozilla/5.0 (Windows NT 6.1; WOW64) n AppleWebKit/703.00 (KHTML, like Gecko) n n n 150 iPad Chrome/3.0.
9 Managing View Composer Linked-Clone Desktop Virtual Machines
You can update View Composer linked-clone desktop machines, reduce the size of their operating system data, and rebalance the machines among datastores. You also can manage the persistent disks associated with linked clones.
View Administration 2 Select the desktop pool to refresh by double-clicking the pool ID in the left column. 3 Choose whether to refresh multiple virtual machines or a single virtual machine. Option Action To refresh all virtual machines in the desktop pool a b c d e To refresh a single virtual machine a b c 4 In View Administrator, select Catalog > Desktop Pools. Select the desktop pool to refresh by double-clicking the pool ID in the left column. On the Inventory tab, click Machines.
- A refresh preserves the unique computer information set up by QuickPrep or Sysprep. You do not need to rerun Sysprep after a refresh to restore the SID or the GUIDs of third-party software installed in the system drive.
- After you recompose a linked clone, View takes a new snapshot of the linked clone's OS disk.
Procedure
1 In vCenter Server, update the parent virtual machine for the recomposition.
  - Install OS patches or service packs, new applications, application updates, or make other changes in the parent virtual machine.
  - Alternatively, prepare another virtual machine to be selected as the new parent during the recomposition.
2 In vCenter Server, power off the updated or new parent virtual machine.
3 In vCenter Server, take a snapshot of the parent virtual machine.
Chapter 9 Managing View Composer Linked-Clone Desktop Virtual Machines Procedure 1 Choose whether to recompose the whole desktop pool or a single machine. Option Action To recompose all virtual machines in the desktop pool a b c d e To recompose selected virtual machines a b c 2 In View Administrator, select Catalog > Desktop Pools. Select the desktop pool to recompose by double-clicking the pool ID in the left column. On the Inventory tab, click Machines.
Desktop recompositions do not affect View Composer persistent disks.
Apply these guidelines to recompositions:
- You can recompose dedicated-assignment and floating-assignment desktop pools.
- You can recompose a desktop pool on demand or as a scheduled event. You can schedule only one recomposition at a time for a given set of linked clones. Before you can schedule a new recomposition, you must cancel any previously scheduled task or wait until the previous operation is completed.
Chapter 9 Managing View Composer Linked-Clone Desktop Virtual Machines 2 Recompose the desktop pool again. View Composer creates a base image from the snapshot and recreates the linked-clone OS disks. View Composer persistent disks that contain user data and settings are preserved during the recomposition. Depending on the conditions of the incorrect recomposition, you might refresh or rebalance the linked clones instead of or in addition to recomposing them.
View Administration Procedure 1 Choose whether to rebalance the whole pool or a single virtual machine. Option Action To rebalance all virtual machines in the pool a b c d e To rebalance a single virtual machine a b c 2 In View Administrator, select Catalog > Desktop Pools. Select the pool to rebalance by double-clicking the pool ID in the left column. On the Inventory tab, click Machines. Use the Ctrl or Shift keys to select multiple all the machine IDs in the left column.
Chapter 9 Managing View Composer Linked-Clone Desktop Virtual Machines n If you edit a pool and change the host or cluster and the datastores on which linked clones are stored, you can only rebalance the linked clones if the newly selected host or cluster has full access to both the original and the new datastores. All hosts in the new cluster must have access to the original and new datastores.
An original persistent disk has a filename with a user-disk label: desktop_name-vdm-user-disk-D-ID.vmdk.
An original disposable-data disk has a filename with a disposable label: desktop_name-vdm-disposable-ID.vmdk.
After a rebalance operation moves a linked clone to a new datastore, vCenter Server uses a common filename syntax for both types of disks: desktop_name_n.vmdk.
3 Choose where to store the persistent disk.
Option | Description
Use current datastore | Store the persistent disk on the datastore where it is currently located.
Use the following datastore | Select a new datastore on which to store the persistent disk. Click Browse, click the down arrow, and select a new datastore from the Choose a Datastore menu. You cannot select a local datastore to store a detached persistent disk.
What to do next
Make sure that the user of the linked clone has sufficient privileges to use the attached secondary disk. For example, if the original user had certain access permissions on the persistent disk, and the persistent disk is attached as drive D on the new linked clone, the new user of the linked clone must have the original user's access permissions on drive D.
To move a detached persistent disk from non-Virtual SAN to Virtual SAN, you can recreate the disk on a virtual machine that is stored on a non-Virtual SAN datastore and rebalance the virtual machine's desktop pool to a Virtual SAN datastore.
Procedure
1 In View Administrator, select Resources > Persistent Disks.
2 On the Detached tab, select the persistent disk and click Recreate Machine.
Delete a Detached View Composer Persistent Disk
When you delete a detached persistent disk, you can remove the disk from View and leave it on the datastore or delete the disk from View and the datastore.
Procedure
1 In View Administrator, select Resources > Persistent Disks.
2 On the Detached tab, select the persistent disk and click Delete.
3 Choose whether to delete the disk from the datastore or let it remain on the datastore after it is removed from View.
10 Managing Desktop Pools, Machines, and Sessions
In View Administrator, you can manage desktop pools, virtual machine-based desktops, physical machine-based desktops, desktop sessions, and application sessions.
After you schedule a push image and before the operation is started, you can reschedule the operation by clicking Push Image > Reschedule, or cancel the operation by clicking Push Image > Cancel. If you cancel the operation while clone recreation is in progress, the clones that have the new image remain in the pool, which means that the pool will have a mix of clones, some with the new image and the others with the old image.
Table 10‑1. Editable Settings in an Existing Desktop Pool (Continued)
Configuration Tab | Description
Provisioning Settings | Edit desktop pool provisioning options and add machines to the desktop pool. This tab is available for automated desktop pools only.
vCenter Settings | Edit the virtual machine template or default base image. Add or change the vCenter Server instance, ESXi host or cluster, datastores, and other vCenter features.
Table 10‑1. Editable Settings in an Existing Desktop Pool (Continued)
Configuration Tab | Description
Advanced Storage > Use native NFS snapshots (VAAI) | If you select or deselect Use native NFS snapshots (VAAI), the new setting only affects virtual machines that are created after the settings are changed. You can change existing virtual machines to become native NFS snapshot clones by recomposing and, if needed, rebalancing the desktop pool.
Table 10‑2. Fixed Settings in an Existing Desktop Pool (Continued)
Setting | Description
View Composer persistent disks | You cannot configure persistent disks after a linked-clone desktop pool is created without persistent disks.
View Composer customization method | After you customize a linked-clone desktop pool with QuickPrep or Sysprep, you cannot switch to the other customization method when you create or recompose virtual machines in the pool.
In this example, two machines are added. The second machine is associated with a user:
Desktop-001
Desktop-002,abccorp.com/jdoe
NOTE In a floating-assignment pool, you cannot associate user names with machine names. The machines are not dedicated to the associated users. In a floating-assignment pool, all machines that are not currently in use remain accessible to any user who logs in.
Prerequisites
Verify that you created the desktop pool by manually specifying machine names.
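As an added example (not part of the VMware documentation), the following Python code checks a machine-name list in the form shown above before it is entered in View Administrator: it rejects user associations for a floating-assignment pool and reports malformed entries and duplicate machine names. One entry per line, the domain/user form of the user name, and treating case-insensitive duplicates as errors are assumptions drawn from the example on this page.

```python
import re

# Assumption: a user is written as domain/user, as in "abccorp.com/jdoe".
USER_RE = re.compile(r"^[^/\s,]+/[^/\s,]+$")

FLOATING_MSG = "user association not allowed in a floating-assignment pool"


def validate_machine_list(text, assignment):
    """Validate a manually specified machine-name list.

    text       -- one entry per line: NAME or NAME,domain/user (assumed layout)
    assignment -- "dedicated" or "floating"
    Returns (entries, errors): entries is a list of (name, user_or_None),
    errors is a list of (line_number, message).
    """
    if assignment not in ("dedicated", "floating"):
        raise ValueError("assignment must be 'dedicated' or 'floating'")

    entries, errors = [], []
    seen = {}  # lower-cased machine name -> first line number
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        name = parts[0]
        user = parts[1] if len(parts) > 1 else None

        if len(parts) > 2 or not name or any(c.isspace() for c in name):
            errors.append((lineno, "malformed entry"))
            continue
        if user is not None and not USER_RE.match(user):
            errors.append((lineno, "user must be written as domain/user"))
            continue
        # The NOTE above: floating pools cannot bind a user to a machine name.
        if user is not None and assignment == "floating":
            errors.append((lineno, FLOATING_MSG))
            continue
        # Windows computer names are case-insensitive, so compare lower-cased.
        key = name.lower()
        if key in seen:
            errors.append((lineno, f"duplicate of line {seen[key]}"))
            continue
        seen[key] = lineno
        entries.append((name, user))
    return entries, errors


# Constructed sample: the two-machine list from the example above.
SAMPLE_LIST = "Desktop-001\nDesktop-002,abccorp.com/jdoe\n"

if __name__ == "__main__":
    for mode in ("dedicated", "floating"):
        ok, bad = validate_machine_list(SAMPLE_LIST, mode)
        print(mode, ok, bad)
```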
2 Select a desktop pool and change the status of the pool.
Option | Action
Disable the pool | Select Disable Desktop Pool from the Status drop-down menu.
Enable the pool | Select Enable Desktop Pool from the Status drop-down menu.
3 Click OK.
Disable or Enable Provisioning in an Automated Desktop Pool
When you disable provisioning in an automated desktop pool, View stops provisioning new virtual machines for the pool.
Adobe Flash Quality and Throttling
You can specify a maximum allowable level of quality for Adobe Flash content that overrides Web page settings. If Adobe Flash quality for a Web page is higher than the maximum level allowed, quality is reduced to the specified maximum. Lower quality results in more bandwidth savings.
To make use of Adobe Flash bandwidth-reduction settings, Adobe Flash must not be running in full screen mode.
Procedure
1 In View Administrator, select Catalog > Desktop Pools.
2 Select a desktop pool and click Delete.
3 Choose how to delete the desktop pool.
Pool | Options
Automated desktop pool of instant clones or linked clones without persistent disks. | No available options. View deletes all virtual machines from disk. Users' sessions to their remote desktops are terminated.
Automated desktop pool of linked clones with persistent disks.
3 In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server host followed by port 389.
For example: localhost:389 or mycomputer.mydomain.com:389
4 On the object CN=Common, OU=Global, OU=Properties, edit the pae-NameValuePair attribute and add the value cs-disableNonEmptyPoolDelete=1.
The new setting takes effect immediately. You do not need to restart the View Connection Server service.
Procedure
1 In View Administrator, select Resources > Machines or select Catalog > Desktop Pools, double-click a pool ID, and click the Inventory tab.
2 Select the machine.
3 Select Unassign User from the More Commands drop-down menu.
4 Click OK.
The machine is available and can be assigned to another user.
2 In the Machine Status pane, expand a status folder.
Option | Description
Preparing | Lists the machine states while the virtual machine is being provisioned, deleted, or in maintenance mode.
Problem Machines | Lists the machine error states.
Prepared for use | Lists the machine states when the virtual machine is ready for use.
3 Locate the machine status and click the hyperlinked number next to it.
The Machines page displays all virtual machines with the selected status.
Table 10‑5. Status of Virtual Machines That Are Managed by vCenter Server (Continued)
Status | Description
Protocol failure | A display protocol did not start before the View Agent or Horizon Agent startup period expired. NOTE View Administrator can display machines in a Protocol failure state when one protocol failed but other protocols started successfully.
Table 10‑6. Machine Status Conditions
Condition | Description
Missing | The virtual machine is missing in vCenter Server. Typically, the virtual machine was deleted in vCenter Server, but the View LDAP configuration still has a record of the machine.
Task halted | An instant clone task such as push image or a View Composer operation such as refresh, recompose, or rebalance was stopped.
4 Choose how to delete the virtual-machine desktop.
Option | Description
Pool that contains full virtual-machine desktops | Choose whether to keep or delete the virtual machines in vCenter Server. If you delete the virtual machines from disk, users in active sessions are disconnected from their desktops.
When you reconfigure a setting that affects an unmanaged machine, it can take up to 10 minutes for the new setting to take effect. For example, if you change the Message security mode in Global Settings or change the Automatically logoff after disconnect setting for a pool, View might take up to 10 minutes to reconfigure the affected unmanaged machines.
Remove Registered Machines from View
If you do not plan to use a registered machine again, you can remove it from View.
There are two types of registered machines in View: RDS Hosts and Others. Unmanaged machines are in the Others category. Unmanaged machines include physical computers and virtual machines that are not managed by vCenter Server. They are used to form manual desktop pools that do not contain vCenter Server virtual machines.
Table 10‑7. Status of Unmanaged Machines (Continued)
Status | Description
Protocol failure | A display protocol did not start before the View Agent or Horizon Agent startup period expired. NOTE View Administrator can display machines in a Protocol failure state when one protocol failed but other protocols started successfully. For example, the Protocol failure state might be displayed when HTML Access failed but PCoIP and RDP are working.
3 Choose whether to disconnect, log off, send a message, or reset a virtual machine.
Option | Description
Disconnect Session | Disconnects the user from the session.
Logoff Session | Logs the user off the session. Data that is not saved is lost.
Reset Virtual Machine | Restarts the virtual machine without a graceful shutdown.
11 Managing Application Pools, Farms, and RDS Hosts
In View Administrator, you can perform management operations such as configuring or deleting desktop pools, farms, or RDS hosts.
Delete an Application Pool
When you delete an application pool, users can no longer launch the application in the pool.
You can delete an application pool even if users are currently accessing the application. After the users close the application, they can no longer access the application.
Procedure
1 In View Administrator, select Catalog > Application Pools.
2 Select one or more application pools and click Delete.
3 Click OK to confirm.
Disable or Enable a Farm
When you disable a farm, users can no longer launch RDS desktops or applications from the RDS desktop pools and the application pools that are associated with the farm. Users can continue to use RDS desktops and applications that are currently open.
You can disable a farm if you plan to do maintenance on the RDS hosts in the farm or on the RDS desktop and application pools that are associated with the farm.
Selecting the Stop at first error option does not affect customization. If a customization error occurs on a linked clone, other clones continue to be provisioned and customized.
- Verify that provisioning is enabled. When provisioning is disabled, View stops the machines from being customized after they are recomposed.
- If your deployment includes replicated View Connection Server instances, verify that all instances are the same version.
Managing RDS Hosts
You can manage RDS hosts that you set up manually and RDS hosts that are created automatically when you add an automated farm.
When you manually set up an RDS host, it automatically registers with View Connection Server. You cannot manually register an RDS host with View Connection Server. See "Setting Up Remote Desktop Session Hosts" in the Setting Up Desktop and Application Pools in View document.
Remove an RDS Host from a Farm
You can remove an RDS host from a manual farm to reduce the scale of the farm, to perform maintenance on the RDS host, or for other reasons. As a best practice, disable the RDS host and ensure that users are logged off from active sessions before you remove a host from a farm.
If users have application or desktop sessions on hosts that you remove, the sessions remain active, but View no longer keeps track of them.
6 Click OK.
If you enable the RDS host, a check mark appears in the Enabled column, and Available appears in the Status column. If you disable the RDS host, the Enabled column is empty and Disabled appears in the Status column.
Monitor RDS Hosts
You can monitor the status and view the properties of RDS hosts in View Administrator.
Procedure
- In View Administrator, navigate to the page that displays the properties that you want to view.
Table 11‑1. Status of an RDS Host (Continued)
Status | Description
Disabled | Process of disabling the RDS host is complete.
Validating | Occurs after View Connection Server first becomes aware of the RDS host, typically after View Connection Server is started or restarted, and before the first successful communication with View Agent or Horizon Agent on the RDS host. Typically, this state is transient.
Configuring Load Balancing for RDS Hosts
By default, View Connection Server uses the current session count and limit to balance the placement of new application sessions on RDS hosts. You can override this default behavior and control the placement of new application sessions by writing and configuring load balancing scripts.
A load balancing script returns a load value.
Writing a Load Balancing Script for an RDS Host
You can write a load balancing script to generate a load value based on any RDS host metric that you want to use for load balancing. You can also write a simple load balancing script that returns a fixed load value.
Your load balancing script must return a single number from 0 to 3. For descriptions of the valid load values, see “Load Values and Mapped Load Preferences.”
Enable the VMware Horizon View Script Host Service on an RDS Host
You must enable the VMware Horizon View Script Host service on an RDS host before you configure a load balancing script. The VMware Horizon View Script Host service is disabled by default.
Procedure
1 Log in to the RDS host as an administrator.
2 Start Server Manager.
3 Select Tools > Services and navigate to the VMware Horizon View Script Host service.
6 Right-click in the topic area for the RdshLoad key, select New > String Value, and create a new string value.
As a best practice, use a name that represents the load balancing script to be run, for example, cpuutilisationScript for the cpuutilisation.vbs script.
7 Right-click the entry for the new string value you created and select Modify.
8 In the Value data text box, type the command line that invokes your load balancing script and click OK.
Load Balancing Session Placement Examples
These examples illustrate two load balancing session placement scenarios.
Example 1: No Existing User Session
This example illustrates how session placement might occur for a farm that contains six RDS hosts when a user session does not currently exist on any of the RDS hosts.
1 Horizon Agent reports the following load preferences for each RDS host in the farm.
5 View Connection Server attempts to place a new application session on RDS host 4 first, followed by RDS host 3, and so on.
RDS Host Session Placement Order: 4 3 1 6 2
NOTE Anti-affinity rules can prevent an application from being placed on an RDS host, regardless of the reported load preference. For more information, see “Configure an Anti-Affinity Rule for an Application Pool.”
4 View adds the RDS host that contains the existing session to the top of the new bucket ordered list.
RDS Host Session Placement Order: 3 4 1 5 2
Configure an Anti-Affinity Rule for an Application Pool
When you configure an anti-affinity rule for an application pool, View Connection Server attempts to launch the application only on RDS hosts that have sufficient resources to run the application.
Anti-Affinity Feature Constraints
The anti-affinity feature has certain constraints.
- Anti-affinity rules affect new application sessions only. An RDS host that contains sessions in which a user has previously run an application is always reused for the same application. This behavior overrides reported load preferences and anti-affinity rules.
- Anti-affinity rules do not affect application launches from within an RDS desktop session.
12 Managing ThinApp Applications in View Administrator
You can use View Administrator to distribute and manage applications packaged with VMware ThinApp. Managing ThinApp applications in View Administrator involves capturing and storing application packages, adding ThinApp applications to View Administrator, and assigning ThinApp applications to machines and desktop pools.
You must have a license to use the ThinApp management feature in View Administrator.
- Make sure that a disjoint namespace does not prevent domain member computers from accessing the network share that hosts the MSI packages. A disjoint namespace occurs when an Active Directory domain name is different from the DNS namespace that is used by machines in that domain. See VMware Knowledge Base (KB) article 1023309 for more information.
- To run streamed ThinApp applications on remote desktops, users must have access to the network share that hosts the MSI packages.
Procedure
1 Start the ThinApp Setup Capture wizard and follow the prompts in the wizard.
2 When the ThinApp Setup Capture wizard prompts you for a project location, select Build MSI package.
3 If you plan to stream the application to remote desktops, set the MSIStreaming property to 1 in the package.ini file.
Procedure
1 In View Administrator, select View Configuration > ThinApp Configuration and click Add Repository.
2 Type a display name for the application repository in the Display name text box.
3 Type the path to the Windows network share that hosts your application packages in the Share path text box.
The network share path must be in the form \\ServerComputerName\ShareName where ServerComputerName is the DNS name of the server computer. Do not specify an IP address.
Creating ThinApp templates is optional.
NOTE If you add an application to a ThinApp template after assigning the template to a machine or desktop pool, View Administrator does not automatically assign the new application to the machine or desktop pool. If you remove an application from a ThinApp template that was previously assigned to a machine or desktop pool, the application remains assigned to the machine or desktop pool.
- Assign a ThinApp Application to Multiple Desktop Pools
  You can assign a particular ThinApp application to one or more desktop pools.
- Assign Multiple ThinApp Applications to a Desktop Pool
  You can assign one or more ThinApp applications to a particular desktop pool.
2 Select Assign Machines from the Add Assignment drop-down menu.
The machines that the ThinApp application is not already assigned to appear in the table.
3
Option | Action
Find a specific machine | Type the name of the machine in the Find text box and click Find.
Find all of the machines that follow the same naming convention | Type a partial machine name in the Find text box and click Find.
View Administrator begins installing the ThinApp applications a few minutes later. After the installation is finished, the applications are available to all of the users of the remote desktop that is hosted by the virtual machine.
Assign a ThinApp Application to Multiple Desktop Pools
You can assign a particular ThinApp application to one or more desktop pools.
Procedure
1 In View Administrator, select Catalog > Desktop Pools and double-click the pool ID.
2 On the Inventory tab, click ThinApps and then click Add Assignment.
The ThinApp applications that are not already assigned to the pool appear in the table.
3 To find a particular application, type the name of the ThinApp application in the Find text box and click Find.
4 Select a ThinApp application to assign to the pool and click Add.
5 Select an installation type and click OK.
Option | Action
Streaming | Installs a shortcut to the application on the machine. The shortcut points to the application on the network share that hosts the repository. Users must have access to the network share to run the application.
Full | Installs the full application on the machine's local file system.
Some ThinApp applications do not support both installation types.
Table 12‑1. ThinApp Application Installation Status
Status | Description
Assigned | The ThinApp application is assigned to the machine.
Install Error | An error occurred when View Administrator attempted to install the ThinApp application.
Uninstall Error | An error occurred when View Administrator attempted to uninstall the ThinApp application.
Installed | The ThinApp application is installed.
- Modify or Delete a ThinApp Template
  You can add and remove applications from a ThinApp template. You can also delete a ThinApp template.
- Remove an Application Repository
  You can remove an application repository from View Administrator.
Remove a ThinApp Application Assignment from Multiple Machines
You can remove an assignment to a particular ThinApp application from one or more machines.
Remove a ThinApp Application Assignment from Multiple Desktop Pools
You can remove an assignment to a particular ThinApp application from one or more desktop pools.
Prerequisites
Notify the users of the remote desktops in the pools that you intend to remove the application.
Procedure
1 In View Administrator, select Catalog > ThinApps and double-click the name of the ThinApp application.
Modify or Delete a ThinApp Template
You can add and remove applications from a ThinApp template. You can also delete a ThinApp template.
If you add an application to a ThinApp template after assigning the template to a machine or desktop pool, View Administrator does not automatically assign the new application to the machine or desktop pool.
Cause
The View Connection Server host cannot access the network share that hosts the application repository. The network share path that you typed in the Share path text box might be incorrect, the network share that hosts the application repository is in a domain that is not accessible from the View Connection Server host, or the network share permissions have not been set up properly.
Solution
If the template contains a ThinApp application that is already assigned to the machine or desktop pool, create a new template that does not contain the application or edit the existing template and remove the application. Assign the new or modified template to the machine or desktop pool.
To change the installation type of a ThinApp application, you must remove the existing application assignment from the machine or desktop pool.
Horizon Agent log files are located on the machine in drive:\Documents and Settings\All Users\Application Data\VMware\VDM\logs for Windows XP systems and drive:\ProgramData\VMware\VDM\logs for Windows 7 systems. View Connection Server log files are located on the View Connection Server host in the drive:\Documents and Settings\All Users\Application Data\VMware\VDM\logs directory.
Solution
1 In View Administrator, select Catalog > ThinApps.
Procedure
1 Download the ThinApp software from http://www.vmware.com/products/thinapp and install it on a clean computer.
View supports ThinApp version 4.6 and later.
2 Use the ThinApp Setup Capture wizard to capture and package your applications in MSI format.
13 Setting Up Clients in Kiosk Mode
You can set up unattended clients that can obtain access to their desktops from View.
A client in kiosk mode is a thin client or a lock-down PC that runs Horizon Client to connect to a View Connection Server instance and launch a remote session. End users do not typically need to log in to access the client device, although the remote desktop might require them to provide authentication information for some applications.
- Administrators, Inventory Administrators, or an equivalent role to use View Administrator to entitle users or groups to remote desktops.
- Administrators or an equivalent role to run the vdmadmin command.
Procedure
1 Prepare Active Directory and View for Clients in Kiosk Mode
  You must configure Active Directory to accept the accounts that you create to authenticate client devices.
3 Configure the guest operating system so that the clients are not locked when they are left unattended.
View suppresses the pre-login message for clients that connect in kiosk mode. If you require an event to unlock the screen and display a message, you can configure a suitable application on the guest operating system.
4 In View Administrator, create the desktop pool that the clients will use and entitle the group to this pool.
Option | Description
-noexpirepassword | Specifies that passwords on client accounts do not expire.
-nogroup | Clears the setting for the default group.
-ou DN | Specifies the distinguished name of the default organizational unit to which client accounts are added. For example: OU=kiosk-ou,DC=myorg,DC=com NOTE You cannot use the command to change the configuration of an organizational unit.
The command updates the default values for clients in the View Connection Server group.
Add Accounts for Clients in Kiosk Mode
You can use the vdmadmin command to add accounts for clients to the configuration of a View Connection Server group. After you add a client, it is available for use with a View Connection Server instance on which you have enabled authentication of clients. You can also update the configuration of clients, or remove their accounts from the system.
The command creates a user account in Active Directory for the client in the specified domain and group (if any).
Example: Adding Accounts for Clients
Add an account for a client specified by its MAC address to the MYORG domain, using the default settings for the group kc-grp.
vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -group kc-grp
Add an account for a client specified by its MAC address to the MYORG domain, using an automatically generated password.
2 If the remote desktop is provided by a Microsoft RDS host, log in to the RDS host and add the user account to the Remote Desktop Users group.
For example, say that on the View server, you entitle the user account custom-11 to a session-based View desktop on an RDS host.
Password Generated: false
Client Authentication Connection Servers
========================================
Common Name : CONSVR1
Client Authentication Enabled : false
Password Required : false
Common Name : CONSVR2
Client Authentication Enabled : true
Password Required : false
What to do next
Verify that the clients can connect to their remote desktops.
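The listing above ends with a per-Connection-Server summary of kiosk client authentication. As an added example (not VMware's code), the following Python code parses that section and reports the View Connection Server instances where client authentication is enabled but a password is not required, so that an administrator can review them. The one-field-per-line layout and the sample text are constructed from the fragment shown on this page and are assumptions about the tool's full output.

```python
import re

# Constructed sample: the connection-server section shown on this page,
# laid out one field per line (assumed layout of the real output).
SAMPLE_OUTPUT = """\
Password Generated: false

Client Authentication Connection Servers
========================================
Common Name                   : CONSVR1
Client Authentication Enabled : false
Password Required             : false

Common Name                   : CONSVR2
Client Authentication Enabled : true
Password Required             : false
"""

SECTION_TITLE = "Client Authentication Connection Servers"
FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
REQUIRED = ("Client Authentication Enabled", "Password Required")


def _to_bool(value, field, server):
    """Accept only the literal true/false values the listing uses."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"{server}: unexpected value {value!r} for {field}")


def parse_connection_servers(text):
    """Return {common_name: {field: bool}} for the connection-server section."""
    servers = {}
    current = None
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == SECTION_TITLE:
            in_section = True
            continue
        # Skip everything before the section, blank lines and the ==== rule.
        if not in_section or not stripped or set(stripped) == {"="}:
            continue
        match = FIELD_RE.match(line)
        if not match:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = match.groups()
        if key == "Common Name":
            if value in servers:
                raise ValueError(f"duplicate server entry: {value}")
            current = value
            servers[current] = {}
        elif current is None:
            raise ValueError(f"field before any Common Name: {line!r}")
        elif key in REQUIRED:
            servers[current][key] = _to_bool(value, key, current)
    # Fail closed: a server with a missing field is an error, not "compliant".
    for name, fields in servers.items():
        missing = [f for f in REQUIRED if f not in fields]
        if missing:
            raise ValueError(f"{name}: missing {', '.join(missing)}")
    return servers


def audit(servers):
    """List servers that accept kiosk clients without requiring a password."""
    findings = []
    for name in sorted(servers):
        fields = servers[name]
        if fields["Client Authentication Enabled"] and not fields["Password Required"]:
            findings.append(
                (name, "client authentication enabled, password not required")
            )
    return findings


if __name__ == "__main__":
    for name, issue in audit(parse_connection_servers(SAMPLE_OUTPUT)):
        print(f"{name}: {issue}")
```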
Procedure
- To connect to a remote session, type the appropriate command for your platform.
Option | Description
Windows | Enter C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe -unattended [-serverURL connection_server] [-userName user_name] [-password password]
Linux |
-password password | Specifies the password for the client's account. If you defined a password for the account, you must specify this password.
Run Horizon Client on a Linux client using an assigned name and password.
vmware-view -unattended -s 145.124.24.100 --once -u custom-Terminal21 -p "Secret1!"
14 Troubleshooting View
You can use a variety of procedures for diagnosing and fixing problems that you might encounter when using View. You can use troubleshooting procedures to investigate the causes of such problems and attempt to correct them yourself, or you can obtain assistance from VMware Technical Support.
For information about troubleshooting desktops and desktop pools, see the Setting Up Desktop and Application Pools in View document.
Events | Provides links to the Events screen filtered for error events and for warning events.
System Health | Provides links to the Dashboard screen, which displays summaries of the status of View components, vSphere components, domains, desktops, and datastore usage.
The system health dashboard displays a numbered link against each item. This value indicates the number of items that the linked report provides details about.
Collecting Diagnostic Information for View
You can collect diagnostic information to help VMware Technical Support diagnose and resolve issues with View.
You can collect diagnostic information for various components of View. How you collect this information varies depending on the View component.
2 Open a command prompt and run the command to generate the DCT bundle.
Option | Action
On View Connection Server, using vdmadmin | To specify the names of the output bundle file, desktop pool, and machine, use the -outfile, -d, and -m options with the vdmadmin command.
  vdmadmin -A [-b authentication_arguments] -getDCT -outfile local_file -d desktop -m machine
On the remote desktop | Change directories to c:\Program Files\VMware\VMware View\Agent\DCT and run the following command: suppo
Collect Diagnostic Information for View Composer Using the Support Script
You can use the View Composer support script to collect configuration data and generate log files for View Composer. This information helps VMware customer support diagnose any issues that arise with View Composer.
Prerequisites
Log in to the computer on which View Composer is installed.
3 When you have collected enough information about the behavior of View Connection Server, select Start > All Programs > VMware > Generate View Connection Server Log Bundle.
The support tool writes the log files to a folder called vdm-sdct on the desktop of the View Connection Server instance.
4 File a support request on the Support page of the VMware Web site and attach the output files.
Option | Description
7 | Selects debug logging for virtual channels (Horizon Agent and Horizon Client only).
8 | Selects trace logging for virtual channels (Horizon Agent and Horizon Client only).
The script writes the zipped log files to the folder vdm-sdct on the desktop.
3 You can find the View Composer guest agent logs in the C:\Program Files\Common Files\VMware\View Composer Guest Agent svi-ga-support directory.
Solution
If you intend to keep the security server in your View environment, take these steps:
1 In View Administrator, select View Configuration > Servers.
2 On the Security Servers tab, select a security server, select Prepare for Upgrade or Reinstallation from the More Commands drop-down menu, and click OK.
5 Configure the proxy settings. For example, at the netsh winhttp> prompt, type import proxy source=ie. The proxy settings are imported to the View Connection Server computer.
6 Verify the proxy settings by typing show proxy.
7 Restart the VMware Horizon View Connection Server service.
8 On the View Administrator dashboard, verify that the security server or View Connection Server icon is green.
15 Using the vdmadmin Command

You can use the vdmadmin command line interface to perform a variety of administration tasks on a View Connection Server instance. You can use vdmadmin to perform administration tasks that are not possible from within the View Administrator user interface or to perform administration tasks that need to run automatically from scripts. For a comparison of the operations that are possible in View Administrator, View cmdlets, and vdmadmin, see the View Integration document.
- Assigning Dedicated Machines Using the -L Option
  You can use the vdmadmin command with the -L option to assign machines from a dedicated pool to users.
- Displaying Information About Machines Using the -M Option
  You can use the vdmadmin command with the -M option to display information about the configuration of virtual machines or physical computers.
vdmadmin Command Usage

The syntax of the vdmadmin command controls its operation. Use the following form of the vdmadmin command from a Windows command prompt.

    vdmadmin command_option [additional_option argument] ...

The additional options that you can use depend on the command option. By default, the path to the vdmadmin command executable file is C:\Program Files\VMware\VMware View\Server\tools\bin.
Table 15-1. Options for Selecting Output Format
Option    Description
-csv      Formats the output as comma-separated values.
-n        Display the output using ASCII (UTF-8) characters. This is the default character set for comma-separated values and plain text output.
-w        Display the output using Unicode (UTF-16) characters. This is the default character set for XML output.
-xml      Formats the output as XML.
Table 15-2. Vdmadmin Command Options (Continued)
Option    Description
-U        Displays information about a user including their remote desktop entitlements and ThinApp assignments, and Administrator roles. See “Displaying Information About Users Using the -U Option,” on page 267.
-V        Unlocks or locks virtual machines. See “Unlocking or Locking Virtual Machines Using the -V Option,” on page 267.
Table 15-3. Options for Configuring Logging in Horizon Agent (Continued)
Option                 Description
-outfile local_file    Specifies the name of the local file in which to save a DCT bundle or a copy of a log file.
-setloglevel level     Sets the logging level of Horizon Agent.
                       debug     Logs error, warning, and debugging events.
                       normal    Logs error and warning events.
                       trace     Logs error, warning, informational, and debugging events.
Usage Notes
Horizon Agent reports the discovered IP address of the machine on which it is running to the View Connection Server instance. In secure configurations where the View Connection Server instance cannot trust the value that Horizon Agent reports, you can override the value provided by Horizon Agent and specify the IP address that the managed machine should be using.
If you do not specify a name for the group, the command returns the GUID of the group to which the local View Connection Server instance belongs. You can use the GUID to verify whether a View Connection Server instance is a member of the same View Connection Server group as another View Connection Server instance. For a description of how to use SCOM with View, see the View Integration document.

Options
The -c option specifies the name of the View Connection Server group.
Listing and Displaying Health Monitors Using the -H Option

You can use the vdmadmin command -H to list the existing health monitors, to monitor instances for View components, and to display the details of a specific health monitor or monitor instance.
Display the health of a specified vCenter monitor instance.

    vdmadmin -H -monitorid VCMonitor -instanceid 4aec2c99-4879-96b2-de408064d035 -xml

Listing and Displaying Reports of View Operation Using the -I Option

You can use the vdmadmin command with the -I option to list the available reports of View operation and to display the results of running one of these reports.
Generating View Event Log Messages in Syslog Format Using the -I Option

You can use the vdmadmin command with the -I option to record View event messages in Syslog format in event log files. Many third-party analytics products require flat-file Syslog data as input for their analytics operations.
Examples

Disable generating View events in Syslog format.
    vdmadmin -I -eventSyslog -disable

Direct Syslog output of View events to the local system only.
    vdmadmin -I -eventSyslog -enable -localOnly

Direct Syslog output of View events to a specified path.
    vdmadmin -I -eventSyslog -enable -path path

Direct Syslog output of View events to a specified path that requires access by an authorized domain user.
    vdmadmin -I -eventSyslog -enable -path \\logserver\share\ViewEvents -user mydomain
Table 15-9. Options for Assigning Dedicated Desktops
Option            Description
-d desktop        Specifies the name of the desktop pool.
-m machine        Specifies the name of the virtual machine that hosts the remote desktop.
-r                Removes an assignment to a specified user, or all assignments to a specified machine.
-u domain\user    Specifies the login name and domain of the user.

Examples

Assign the machine machine2 in the desktop pool dtpool1 to the user Jo in the CORP domain.
- URL of the vCenter Server (if applicable).

Options
Table 15-10 shows the options that you can use to specify the machine whose details you want to display.

Table 15-10. Options for Displaying Information About Machines
Option            Description
-d desktop        Specifies the name of the desktop pool.
-m machine        Specifies the name of the virtual machine.
-u domain\user    Specifies the login name and domain of the user.
- Verify that a blackout period is not in effect. See "Set Blackout Times for ESXi Operations on Remote Desktops" in the Setting Up Desktop and Application Pools in View document.

Options

Table 15-11. Options for Reclaiming Disk Space on Virtual Machines
Option                       Description
-d desktop                   Specifies the name of the desktop pool.
-m machine                   Specifies the name of the virtual machine.
-MarkForSpaceReclamation     Marks the virtual machine for disk space reclamation.
Table 15-12. Options for Configuring Domain Filters
Option            Description
-add              Adds a domain to a list.
-domain domain    Specifies the domain to be filtered. You must specify domains by their NetBIOS names and not by their DNS names.
-domains          Specifies a domain filter operation.
-exclude          Specifies an operation on an exclusion list.
-include          Specifies an operation on an inclusion list.
Broker Settings: CONSVR-2
Include:
Exclude:
Search :

View limits the domain search on each View Connection Server host in the group to exclude the domains FARDOM and DEPTX. The characters (*) next to the exclusion list for CONSVR-1 indicate that View excludes the YOURDOM domain from the results of the domain search on CONSVR-1.

Display the domain filters in XML using ASCII characters.
Table 15-13. Types of Domain List
Domain List Type         Description
Search exclusion list    Specifies the domains that View can traverse during an automated search. The search ignores domains that are included in the search exclusion list, and does not attempt to locate domains that the excluded domain trusts. You cannot exclude the primary domain from the search.
Exclusion list           Specifies the domains that View excludes from the results of a domain search.
Display the currently active domains after including the YOURDOM and DEPTX domains.

C:\ vdmadmin -N -domains -list -active
Domain Information (CONSVR)
===========================
Primary Domain: MYDOM
Domain: MYDOM DNS:mydom.mycorp.com
Domain: YOURDOM DNS:yourdom.mycorp.com
Domain: DEPTX DNS:deptx.mycorp.com

View applies the include list to the results of a domain search.
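An added example, not part of the VMware documentation: a Python check that parses the listing printed by vdmadmin -N -domains -list -active, as shown above, and compares the active domains with an approved list, so that a change in domain filters or trusts is caught. The function names, the approved list, and the one-entry-per-line layout of the sample are assumptions.

```python
import re

# Constructed sample: the listing from the example above, one entry per line
# (the line layout is an assumption; the page's copy is flattened).
SAMPLE_OUTPUT = """\
Domain Information (CONSVR)
===========================
Primary Domain: MYDOM
Domain: MYDOM DNS:mydom.mycorp.com
Domain: YOURDOM DNS:yourdom.mycorp.com
Domain: DEPTX DNS:deptx.mycorp.com
"""

HEADER_RE = re.compile(r"^Domain Information \(([^)]+)\)$")
PRIMARY_RE = re.compile(r"^Primary Domain:\s*(\S+)$")
DOMAIN_RE = re.compile(r"^Domain:\s*(\S+)\s+DNS:\s*(\S+)$")


def parse_active_domains(text):
    """Parse the listing into server, primary domain and {NETBIOS: dns}."""
    parsed = {"server": None, "primary": None, "domains": {}, "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue  # blank line or the ===== rule under the header
        header = HEADER_RE.match(line)
        primary = PRIMARY_RE.match(line)
        domain = DOMAIN_RE.match(line)
        if header:
            parsed["server"] = header.group(1)
        elif primary:
            parsed["primary"] = primary.group(1).upper()
        elif domain:
            # NetBIOS and DNS names are case-insensitive; normalise both.
            parsed["domains"][domain.group(1).upper()] = domain.group(2).lower()
        else:
            parsed["unparsed"].append(line)  # keep it so the audit fails closed
    return parsed


def audit_domains(parsed, approved):
    """Compare active domains with an approved list of NetBIOS names."""
    approved_set = {name.upper() for name in approved}
    active = set(parsed["domains"])
    unexpected = sorted(active - approved_set)
    missing = sorted(approved_set - active)
    return {
        "unexpected": unexpected,  # active but not approved
        "missing": missing,        # approved but not currently active
        "unparsed": list(parsed["unparsed"]),
        # Pass only if nothing unapproved is active and every line was understood.
        "ok": not unexpected and not parsed["unparsed"],
    }


if __name__ == "__main__":
    report = audit_domains(parse_active_domains(SAMPLE_OUTPUT), ["MYDOM", "YOURDOM"])
    print(report)
```

Run against the sample with MYDOM and YOURDOM approved, the audit reports DEPTX as unexpected; a line the parser does not recognise also fails the check rather than being skipped.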
Domain: YOURDOM DNS:yourdom.mycorp.com
Domain: DEPTX DNS:deptx.mycorp.com
Domain: DEPTY DNS:depty.mycorp.com
Domain: DEPTZ DNS:deptz.mycorp.com

Extend the search exclusion list to exclude the DEPTX domain and all its trusted domains from the domain search for all View Connection Server instances in a group. Also, exclude the YOURDOM domain from being available on CONSVR-1.
Displaying the Machines and Policies of Unentitled Users Using the -O and -P Options

You can use the vdmadmin command with the -O and -P options to display the virtual machines and policies that are assigned to users who are no longer entitled to use the system.
Display virtual machines that are assigned to unentitled users, grouped by user, in XML format using ASCII characters.
    vdmadmin -O -lu -xml -n

Apply your own stylesheet C:\tmp\unentitled-users.xsl and redirect the output to the file uu-output.html.
    vdmadmin -O -lu -xml -xsltpath "C:\tmp\unentitled-users.xsl" > uu-output.html

Display the user policies that are associated with unentitled users’ virtual machines, grouped by desktop, in XML format using Unicode characters.
You can define alternate prefixes to "custom-" in the pae-ClientAuthPrefix multi-valued attribute under cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int in ADAM on a View Connection Server instance. Avoid using these prefixes with ordinary user accounts.

If you do not specify a name for a client, View generates a name from the MAC address that you specify for the client device.
Table 15-16. Options for Configuring Clients in Kiosk Mode (Continued)
Option          Description
-force          Disables the confirmation prompt when removing the account for a client in kiosk mode.
-genpassword    Generates a password for the client's account. This is the default behavior if you do not specify either -password or -genpassword.
-getdefaults    Gets the default values that are used for adding client accounts.
Add an account for a client specified by its MAC address to the MYORG domain, and use the default settings for the group kc-grp.
    vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -group kc-grp

Add an account for a client specified by its MAC address to the MYORG domain, and use an automatically generated password.
========================================
Common Name : CONSVR1
Client Authentication Enabled : false
Password Required : false
Common Name : CONSVR2
Client Authentication Enabled : true
Password Required : false

Displaying the First User of a Machine Using the -R Option

You can use the vdmadmin command with the -R option to find out the initial assignment of a managed virtual machine.
You can also use the vdmadmin command with the -S option to remove a security server from your View environment. You do not have to use this option if you intend to upgrade or reinstall a security server without removing it permanently.

To make the removal permanent, perform these tasks:
1 Uninstall the View Connection Server instance or security server from the Windows Server computer by running the View Connection Server installer.
Active Directory account lock, disable, and logon hours checks can be performed only when a user in a one-way trusted domain first logs on. PowerShell administration and smart card authentication of users are not supported in one-way trusted domains. SAML authentication of users in one-way trusted domains is not supported.

Secondary credential accounts require the following permissions. A standard user account should have these permissions by default.
Displaying Information About Users Using the -U Option

You can use the vdmadmin command with the -U option to display detailed information about users.

Syntax
    vdmadmin -U [-b authentication_arguments] -u domain\user [-w | -n] [-xml]

Usage Notes
The command displays information about a user obtained from Active Directory and View.
- Details from Active Directory about the user's account.
- Membership of Active Directory groups.
Options
Table 15-18 shows the options that you can specify to unlock or lock virtual machines.

Table 15-18. Options for Unlocking or Locking Virtual Machines
Option                    Description
-d desktop                Specifies the desktop pool.
-e                        Unlocks a virtual machine.
-m machine                Specifies the name of the virtual machine.
-p                        Locks a virtual machine.
-vcdn vCenter_dn          Specifies the distinguished name of the vCenter Server.
-vmpath inventory_path    Specifies the inventory path of the virtual machine.
Examples

Detect LDAP entry collisions in a View Connection Server group.
    vdmadmin -X -collisions

Detect and resolve LDAP entry collisions.
    vdmadmin -X -collisions -resolve