7.0
Table Of Contents
- View Architecture Planning
- Contents
- View Architecture Planning
- Introduction to View
- Planning a Rich User Experience
- Feature Support Matrix for Horizon Agent
- Choosing a Display Protocol
- Using Hosted Applications
- Using View Persona Management to Retain User Data and Settings
- Using USB Devices with Remote Desktops and Applications
- Using the Real-Time Audio-Video Feature for Webcams and Microphones
- Using 3D Graphics Applications
- Streaming Multimedia to a Remote Desktop
- Printing from a Remote Desktop
- Using Single Sign-On for Logging In
- Monitors and Screen Resolution
- Managing Desktop and Application Pools from a Central Location
- Advantages of Desktop Pools
- Advantages of Application Pools
- Reducing and Managing Storage Requirements
- Application Provisioning
- Deploying Individual Applications Using an RDS Host
- Deploying Applications and System Updates with View Composer
- Deploying Applications and System Updates with Instant Clones
- Managing VMware ThinApp Applications in View Administrator
- Deploying and Managing Applications Using App Volumes
- Using Existing Processes or VMware Mirage for Application Provisioning
- Using Active Directory GPOs to Manage Users and Desktops
- Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments
- Virtual Machine Requirements for Remote Desktops
- View ESXi Node
- Desktop Pools for Specific Types of Workers
- Desktop Virtual Machine Configuration
- RDS Host Virtual Machine Configuration
- vCenter Server and View Composer Virtual Machine Configuration
- View Connection Server Maximums and Virtual Machine Configuration
- vSphere Clusters
- Storage and Bandwidth Requirements
- View Building Blocks
- View Pods
- Advantages of Using Multiple vCenter Servers in a Pod
- Planning for Security Features
- Understanding Client Connections
- Choosing a User Authentication Method
- Restricting Remote Desktop Access
- Using Group Policy Settings to Secure Remote Desktops and Applications
- Using Smart Policies
- Implementing Best Practices to Secure Client Systems
- Assigning Administrator Roles
- Preparing to Use a Security Server
- Understanding View Communications Protocols
- Overview of Steps to Setting Up a View Environment
- Index
Tunneled Client Connections with Microsoft RDP
When users connect to a remote desktop with the Microsoft RDP display protocol, Horizon Client can make
a second HTTPS connection to the View Connection Server host. This connection is called the tunnel
connection because it provides a tunnel for carrying RDP data.
The tunnel connection offers the following advantages:
n
RDP data is tunneled through HTTPS and is encrypted using SSL. This powerful security protocol is
consistent with the security provided by other secure Web sites, such as those that are used for online
banking and credit card payments.
n
A client can access multiple desktops over a single HTTPS connection, which reduces the overall
protocol overhead.
n
Because View manages the HTTPS connection, the reliability of the underlying protocols is significantly
improved. If a user temporarily loses a network connection, the HTTP connection is reestablished after
the network connection is restored and the RDP connection automatically resumes without requiring
the user to reconnect and log in again.
In a standard deployment of View Connection Server instances, the HTTPS secure connection terminates at
the View Connection Server. In a DMZ deployment, the HTTPS secure connection terminates at a security
server or Access Point appliance. See “Preparing to Use a Security Server,” on page 87 for information on
DMZ deployments and security servers.
Clients that use the PCoIP or Blast Extreme display protocol can use the tunnel connection for USB
redirection and multimedia redirection (MMR) acceleration, but for all other data, PCoIP uses the PCoIP
Secure Gateway, and Blast Extreme uses the Blast Secure Gateway, on a security server or Access Point
appliance. For more information, see “Client Connections Using the PCoIP and Blast Secure Gateways,” on
page 80.
For more information about Access Point virtual appliances, see Deploying and Configuring Access Point.
Direct Client Connections
Administrators can configure View Connection Server settings so that remote desktop and application
sessions are established directly between the client system and the remote application or desktop virtual
machine, bypassing the View Connection Server host. This type of connection is called a direct client
connection.
With direct client connections, an HTTPS connection is still made between the client and the View
Connection Server host for users to authenticate and select remote desktops and applications, but the second
HTTPS connection (the tunnel connection) is not used.
Direct PCoIP and Blast Extreme connections include the following built-in security features:
n
Support for Advanced Encryption Standard (AES) encryption, which is turned on by default, and IP
Security (IPsec)
n
Support for third-party VPN clients
For clients that use the Microsoft RDP display protocol, direct client connections to remote desktops are
appropriate only if your deployment is inside a corporate network. With direct client connections, RDP
traffic is sent unencrypted over the connection between the client and the desktop virtual machine.
Chapter 5 Planning for Security Features
VMware, Inc. 81