VMware Horizon View Installation
View 5.2
View Manager 5.2
View Composer 5.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com Copyright © 2010–2013 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

VMware Horizon View Installation 5

1 System Requirements for Server Components 7
    View Connection Server Requirements 7
    View Administrator Requirements 9
    View Composer Requirements 9
    View Transfer Server Requirements 11

2 System Requirements for Guest Operating Systems 15
    Supported Operating Systems for View Agent 15
    Supported Operating Systems for Standalone View Persona Management 16
    Remote Display Protocol and Software Support 16

3 Preparing Active Directory 21
    Configuring Domains and Tru
6 Installing View Transfer Server 63
    Install View Transfer Server 64
    Add View Transfer Server to View Manager 65
    Configure the Transfer Server Repository 66
    Firewall Rules for View Transfer Server 67
    Installing View Transfer Server Silently 67

7 Configuring SSL Certificates for View Servers 71
    Understanding SSL Certificates for View Servers 71
    Overview of Tasks for Setting Up SSL Certificates 73
    Obtaining a Signed SSL Certificate from a CA 74
    Configure View Connection Se
VMware Horizon View Installation

VMware Horizon View Installation explains how to install the VMware Horizon View™ server and client components.

Intended Audience

This information is intended for anyone who wants to install VMware Horizon View. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.
1 System Requirements for Server Components

Hosts that run VMware Horizon View server components must meet specific hardware and software requirements.
Hardware Requirements for View Connection Server

You must install all View Connection Server installation types, including standard, replica, and security server installations, on a dedicated physical or virtual machine that meets specific hardware requirements.

Table 1‑1. View Connection Server Hardware Requirements

Hardware Component | Required | Recommended
Processor | Pentium IV 2.
If the View LDAP configurations on View Connection Server instances become inconsistent, users might not be able to access their desktops. A user might be denied access when connecting to a View Connection Server instance with an out-of-date configuration.
Supported Operating Systems for View Composer

View Composer supports 64-bit operating systems with specific requirements and limitations. You can install View Composer on the same physical or virtual machine as vCenter Server or on a separate server.

Table 1‑3.
View Composer supports a subset of the database servers that vCenter Server supports. If you are already using vCenter Server with a database server that is not supported by View Composer, continue to use that database server for vCenter Server and install a separate database server to use for View Composer and View Manager database events.
- Storage Requirements for View Transfer Server on page 13
  View Transfer Server transfers static content to and from the Transfer Server repository and dynamic content between local desktops and remote desktops in the datacenter. View Transfer Server has specific storage requirements.

Installation and Upgrade Requirements for View Transfer Server

You must install View Transfer Server as a Windows application in a virtual machine that meets specific requirements.
Storage Requirements for View Transfer Server

View Transfer Server transfers static content to and from the Transfer Server repository and dynamic content between local desktops and remote desktops in the datacenter. View Transfer Server has specific storage requirements.

- The disk drive on which you configure the Transfer Server repository must have enough space to store your static image files. Image files are View Composer base images.
2 System Requirements for Guest Operating Systems

Systems running View Agent or Standalone View Persona Management must meet certain hardware and software requirements.
Supported Operating Systems for Standalone View Persona Management

The standalone View Persona Management software provides persona management for standalone physical computers and virtual machines that do not have View Agent 5.x installed. When users log in, their profiles are downloaded dynamically from a remote profile repository to their standalone systems.
PCoIP Features

Key features of PCoIP include the following:

- Users outside the corporate firewall can use this protocol with your company's virtual private network (VPN), or users can make secure, encrypted connections to a View security server in the corporate DMZ.
- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You can, however, change the encryption key cipher to AES-192 or AES-256.
Video Quality Requirements

480p-formatted video
You can play video at 480p or lower at native resolutions when the View desktop has a single virtual CPU. If the operating system is Windows 7 or later and you want to play the video in high-definition Flash or in full screen mode, the desktop requires a dual virtual CPU. Even with a dual virtual CPU desktop, as low as 360p-formatted video played in full screen mode can lag behind audio, particularly on Windows clients.
- Users outside the corporate firewall can use this protocol with your company's virtual private network (VPN), or users can make secure, encrypted connections to a View security server in the corporate DMZ.

NOTE For Windows XP desktop virtual machines, you must install the RDP patches listed in Microsoft Knowledge Base (KB) articles 323497 and 884020.
3 Preparing Active Directory

View uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with View.
Trust Relationships and Domain Filtering

To determine which domains it can access, a View Connection Server instance traverses trust relationships beginning with its own domain. For a small, well-connected set of domains, View Connection Server can quickly determine the full list of domains, but the time that it takes increases as the number of domains increases or as the connectivity between the domains decreases.
You must give the user account privileges to perform certain operations in vCenter Server. If you use View Composer, you must give the user account additional privileges. See “Configuring User Accounts for vCenter Server and View Composer,” on page 89 for information on configuring these privileges.

Create a User Account for View Composer

If you use View Composer, you must create a user account in Active Directory to use with View Composer.
Configure the Restricted Groups Policy

To be able to log in to a View desktop, users must belong to the local Remote Desktop Users group of the View desktop. You can use the Restricted Groups policy in Active Directory to add users or groups to the local Remote Desktop Users group of every View desktop that is joined to your domain.
Prepare Active Directory for Smart Card Authentication

You might need to perform certain tasks in Active Directory when you implement smart card authentication.

- Add UPNs for Smart Card Users on page 25
  Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users that use smart cards to authenticate in View must have a valid UPN.
Add the Root Certificate to Trusted Root Certification Authorities

If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

Procedure

1 On the Active Directory server, navigate to the Group Policy Management plug-in.
2 Expand the Computer Configuration section and open the policy for Windows Settings\Security Settings\Public Key.
3 Right-click Intermediate Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.cer) and click OK.
5 Close the Group Policy window.
4 Installing View Composer

To use View Composer, you create a View Composer database, install the View Composer service, and optimize your View infrastructure to support View Composer. You can install the View Composer service on the same host as vCenter Server or on a separate host. View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop pools. You must have a license to install and use the View Composer feature.
- Create a SQL Server Database for View Composer on page 30
  View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it.
- Create an Oracle Database for View Composer on page 32
  View Composer can store linked-clone desktop information in an Oracle 11g or 10g database.
Add an ODBC Data Source to SQL Server

After you add a View Composer database to SQL Server, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service. When you configure an ODBC DSN for View Composer, secure the underlying database connection to an appropriate level for your environment. For information about securing database connections, see the SQL Server documentation.
What to do next

Install the new View Composer service. See “Install the View Composer Service,” on page 35.

Create an Oracle Database for View Composer

View Composer can store linked-clone desktop information in an Oracle 11g or 10g database. You create a View Composer database by adding it to an existing Oracle instance and configuring an ODBC data source for it.
6 On the Database Credentials page, select Use the Same Administrative Passwords for All Accounts and type a password.
7 On the remaining configuration pages, click Next to accept the default settings.
8 On the Creation Options page, verify that Create Database is selected and click Finish.
9 On the Confirmation page, review the options and click OK. The configuration tool creates the database.
10 On the Database Creation Complete page, click OK.
2 Run the following SQL command to create a View Composer database user with the correct permissions.
What to do next

Install the new View Composer service. See “Install the View Composer Service,” on page 35.

Configuring an SSL Certificate for View Composer

By default, a self-signed certificate is installed with View Composer. You can use the default certificate for testing purposes, but for production use you should replace it with a certificate that is signed by a Certificate Authority (CA). You can configure a certificate before or after you install View Composer.
- To run the View Composer installer, you must be a domain user with Administrator privileges on the system.

Procedure

1 Download the View Composer installer file from the VMware product page at http://www.vmware.com/products/ to the Windows Server computer. The installer filename is VMware-viewcomposer-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
Configuring Your Infrastructure for View Composer

You can take advantage of features in vSphere, vCenter Server, Active Directory, and other components of your infrastructure to optimize the performance, availability, and reliability of View Composer.

Configuring the vSphere Environment for View Composer

To support View Composer, you should follow certain best practices when you install and configure vCenter Server, ESX/ESXi, and other vSphere components.
5 Installing View Connection Server

To use View Connection Server, you install the software on supported computers, configure the required components, and, optionally, optimize the components.
Installation Prerequisites for View Connection Server

Before you install View Connection Server, you must verify that your installation environment satisfies specific prerequisites.

- View Connection Server requires a valid license key for View Manager. The following license keys are available:
    - View Manager
    - View Manager with View Composer and Local Mode
- You must join the View Connection Server host to an Active Directory domain.
about participating after the installation, you can either join or withdraw from the program by editing the Product Licensing and Usage page in View Administrator. To review the list of fields from which data is collected, including the fields that are made anonymous, see "Information Collected by the Customer Experience Improvement Program" in the VMware Horizon View Administration document.
7 Choose how to configure the Windows Firewall service.

Option | Action
Configure Windows Firewall automatically | Let the installer configure Windows Firewall to allow the required network connections.
Do not configure Windows Firewall | Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall.

8 Authorize a View Administrators account.
What to do next

Configure SSL server certificates for View Connection Server. See Chapter 7, “Configuring SSL Certificates for View Servers,” on page 71.

Perform initial configuration on View Connection Server. See Chapter 8, “Configuring View for the First Time,” on page 89.
Procedure

1 Download the View Connection Server installer file from the VMware product page at http://www.vmware.com/products/ to the Windows Server computer. The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line. For example: VMware-viewconnectionserver-y.y.y-xxxxxx.
Table 5‑1. MSI Properties for Silently Installing View Connection Server in a Standard Installation (Continued)

MSI Property | Description | Default Value
FWCHOICE | The MSI property that determines whether to configure a firewall for the View Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall.
- Verify that your installation satisfies the requirements described in “View Connection Server Requirements,” on page 7.
- Verify that the computers on which you install replicated View Connection Server instances are connected over a high-performance LAN. See “Network Requirements for Replicated View Connection Server Instances,” on page 8.
- Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 40.
10 Check for new patches on the Windows Server computer and run Windows Update as needed. Even if you fully patched the Windows Server computer before you installed View Connection Server, the installation might have enabled operating system features for the first time. Additional patches might now be required.
- If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which you are installing View Connection Server, install the Microsoft hotfix that is described in KB 978116 at http://support.microsoft.com/kb/978116.
- Verify that your installation satisfies the requirements described in “View Connection Server Requirements,” on page 7.
4 Check for new patches on the Windows Server computer and run Windows Update as needed. Even if you fully patched the Windows Server computer before you installed View Connection Server, the installation might have enabled operating system features for the first time. Additional patches might now be required.

The View services are installed on the Windows Server computer. For details, see “Install a Replicated Instance of View Connection Server,” on page 45.
Table 5‑2. MSI Properties for Silently Installing a Replicated Instance of View Connection Server (Continued)

MSI Property | Description | Default Value
FWCHOICE | The MSI property that determines whether to configure a firewall for the View Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. For example: FWCHOICE=1 This MSI property is optional. | 1
VDM_SERVER_RECOVERY_PWD | The data recovery password.
Install a Security Server

A security server is an instance of View Connection Server that adds an additional layer of security between the Internet and your internal network. You can install one or more security servers to be connected to a View Connection Server instance.
Procedure

1 Download the View Connection Server installer file from the VMware product page at http://www.vmware.com/products/ to the Windows Server computer. The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 To start the View Connection Server installation program, double-click the installer file.
3 Accept the VMware license terms.
The security server services are installed on the Windows Server computer:

- VMware View Security Server
- VMware View Framework Component
- VMware View Security Gateway Component
- VMware View PCoIP Secure Gateway
- VMware Blast Secure Gateway

For information about these services, see VMware Horizon View Administration. The security server appears in the Security Servers pane in View Administrator.
- Verify that the View Connection Server instance to be paired with the security server is installed and configured and is running a View Connection Server version that is compatible with the security server version. See "Horizon View Component Compatibility Matrix" in the VMware Horizon View Upgrades document.
What to do next

Configure an SSL server certificate for the security server. See Chapter 7, “Configuring SSL Certificates for View Servers,” on page 71.

You might have to configure client connection settings for the security server, and you can tune Windows Server settings to support a large deployment. See “Configuring View Client Connections,” on page 103 and “Sizing Windows Server Settings to Support Your Deployment,” on page 112.
Table 5‑3. MSI Properties for Silently Installing a Security Server (Continued)

MSI Property | Description | Default Value
VDM_SERVER_SS_PCOIP_IPADDR | The PCoIP Secure Gateway external IP address. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_IPADDR=10.20.30.40 This property is required if you plan to use the PCoIP Secure Gateway component. | None
You can configure an initial security server pairing without using IPsec rules. Before you install the security server, you can open View Administrator and deselect the global setting Use IPSec for Security Server Connections, which is enabled by default. If IPsec rules are not in effect, you do not have to remove them before you upgrade or reinstall.
Configuring a Back-End Firewall to Support IPsec

If your network topology includes a back-end firewall between security servers and View Connection Server instances, you must configure certain protocols and ports on the firewall to support IPsec. Without proper configuration, data sent between a security server and View Connection Server instance will fail to pass through the firewall.
You might also use this procedure when you set up a second datacenter with the existing View configuration. Or you might use it if your View deployment contains only a single View Connection Server instance, and a problem occurs with that server. You do not have to follow this procedure if you have multiple View Connection Server instances in a replicated group, and a single instance goes down.
Microsoft Windows Installer Command-Line Options

To install View components silently, you must use Microsoft Windows Installer (MSI) command-line options and properties. The View component installers are MSI programs and use standard MSI features. You can also use MSI command-line options to uninstall View components silently. For details about MSI, see the Microsoft Web site.
Table 5‑8. MSI Command-Line Options and MSI Properties

MSI Option or Property | Description
/qn | Instructs the MSI installer not to display the installer wizard pages. For example, you might want to install View Agent silently and use only default setup options and features: VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn" In the examples, xxxxxx is the build number and y.y.y is the version number.
Options

The /qb option displays the uninstall progress bar. To suppress displaying the uninstall progress bar, replace the /qb option with the /qn option. The /x option uninstalls the View component. The product_code string identifies the View component product files to the MSI uninstaller. You can find the product_code string by searching for ProductCode in the %TEMP%\vmmsi.log file that is created during the installation.
6 Installing View Transfer Server

View Transfer Server transfers data between local desktops and the datacenter during check in, check out, and replication. To install View Transfer Server, you install the software on a Windows Server virtual machine, add View Transfer Server to your View Manager deployment, and configure the Transfer Server repository. You must install and configure View Transfer Server if you deploy View Client with Local Mode on client computers.
Install View Transfer Server

View Transfer Server downloads system-image files, synchronizes data between local desktops and the corresponding remote desktops in the datacenter, and transfers data when users check in and check out local desktops. You install View Transfer Server in a virtual machine that runs Windows Server. At runtime, View Transfer Server is deployed to an Apache Web Server.
What to do next

In View Administrator, add View Transfer Server to your View Manager deployment.

Add View Transfer Server to View Manager

View Transfer Server works with View Connection Server to transfer files and data between local desktops and the datacenter. Before View Transfer Server can perform these tasks, you must add it to your View Manager deployment. You can add multiple View Transfer Server instances to View Manager.
Configure the Transfer Server Repository

The Transfer Server repository stores View Composer base images for linked-clone desktops that run in local mode. To give View Transfer Server access to the Transfer Server repository, you must configure it in View Manager. If you do not use View Composer linked clones in local mode, you do not have to configure a Transfer Server repository.
5 Type the Transfer Server repository location and other information.

Option | Description
Network share |
    - Path. Type the UNC path that you configured.
    - User name. Type the user ID of an administrator with credentials to access the network share.
    - Password. Type the administrator password.
    - Domain.
Local filesystem | Type the path that you configured on the local View Transfer Server virtual machine.

6
Procedure

1 Log in to the Windows Server computer and click Start > Run.
2 Type gpedit.msc and click OK.
3 In the Group Policy Object Editor, click Local Computer Policy > Computer Configuration.
4 Expand Administrative Templates, expand Windows Components, open the Windows Installer folder, and double-click Always install with elevated privileges.
5 In the Always Install with Elevated Privileges Properties window, click Enabled and click OK.
3 Type the installation command on one line. For example:

VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=4"

The VMware View Transfer Server, View Transfer Server Control Service, and VMware View Framework Component services are installed and started on the virtual machine.

What to do next

In View Administrator, add View Transfer Server to your View Manager deployment.
Table 6‑2. MSI Properties for Silently Installing View Transfer Server (Continued)

MSI Property | Description | Default Value
SERVERADMIN | The email address of the administrator of Apache Web Server that is configured with View Transfer Server. For example: SERVERADMIN=admin@companydomain.com If you specify a custom Apache Web Server administrator with the MSI property, SERVERADMIN, you also must specify custom SERVERDOMAIN and SERVERNAME properties. | None
7 Configuring SSL Certificates for View Servers

VMware strongly recommends that you configure SSL certificates for authentication of View Connection Server instances, security servers, and View Composer service instances. A default SSL server certificate is generated when you install View Connection Server instances, security servers, or View Composer instances. You can use the default certificate for testing purposes.

IMPORTANT Replace the default certificate as soon as possible.
By default, when you install View Connection Server or security server, the installation generates a self-signed certificate for the View server. However, the installation uses an existing certificate in the following cases:

- If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store
- If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on the Windows Server computer.
Additional Guidelines

For general information about requesting and using SSL certificates that are signed by a CA, see “Benefits of Using SSL Certificates Signed by a CA,” on page 88. When View Clients connect to a View Connection Server instance or security server, they are presented with the View server's SSL server certificate and any intermediate certificates in the trust chain.
7 If your CA is not well known, configure View Clients to trust the root and intermediate certificates. Also ensure that the computers on which you launch View Administrator trust the root and intermediate certificates.
8 Determine whether to reconfigure certificate revocation checking. View Connection Server performs certificate revocation checking on View servers, View Composer, and vCenter Server.
- Verify that the Certificate snap-in was added to MMC. See “Add the Certificate Snap-In to MMC,” on page 76.
- Verify that you have the appropriate credentials to request a certificate that can be issued to a computer or service.

Procedure

1 In the MMC window on the Windows Server host, expand the Certificates (local computer) node and select the Personal folder.
3 Modify the Certificate Friendly Name on page 77
  To configure a View Connection Server instance or security server to recognize and use an SSL certificate, you must modify the certificate Friendly name to vdm.
For more information about certificates, consult the Microsoft online help available with the Certificate snap-in to MMC.

NOTE If you off-load SSL connections to an intermediate server, you must import the same SSL server certificate onto both the intermediate server and the off-loaded View server. For details, see "Off-load SSL Connections to Intermediate Servers" in the VMware Horizon View Administration document.
3 On the General tab, delete the Friendly name text and type vdm.
4 Click Apply and click OK.

What to do next

Import the root certificate and intermediate certificates into the Windows local computer certificate store. After all certificates in the chain are imported, you must restart the View Connection Server service or Security Server service to make your changes take effect.
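
A read-only PowerShell check of what the steps above set up, added here as an example and not taken from the VMware guide: it lists every certificate in the local computer Personal store whose Friendly name is vdm and reports whether it has a private key, is inside its validity period, is self-signed, and chains to a root that the local computer trusts. The store path Cert:\LocalMachine\My and the variable names are assumptions of this example.

```powershell
# Added example, not part of the VMware guide. Read-only: it changes nothing.
# Assumption: run in an elevated PowerShell session on the View Connection
# Server or security server host.

$friendlyName = 'vdm'                     # Friendly name the guide tells you to set
$storePath    = 'Cert:\LocalMachine\My'   # Certificates (local computer) > Personal
$now          = Get-Date

$vdmCerts = @(Get-ChildItem -Path $storePath |
    Where-Object { $_.FriendlyName -eq $friendlyName })

if ($vdmCerts.Count -eq 0) {
    Write-Warning "No certificate with Friendly name '$friendlyName' found in $storePath."
    return
}

foreach ($cert in $vdmCerts) {
    $findings = @()

    # The server cannot present a certificate whose private key is missing.
    if (-not $cert.HasPrivateKey) { $findings += 'no private key' }

    # Validity window.
    if ($cert.NotBefore -gt $now) { $findings += 'not yet valid' }
    if ($cert.NotAfter  -lt $now) { $findings += 'expired' }

    # The installer-generated default is self-signed; the guide says to replace it.
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'self-signed' }

    # Build the chain in the machine context to confirm that the root and
    # intermediate certificates were imported. Revocation is not checked here,
    # so this reports on the trust path only.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        foreach ($status in $chain.ChainStatus) {
            $findings += "chain: $($status.Status)"
        }
    }

    $state = if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
    '{0}  {1}  expires {2:yyyy-MM-dd}  {3}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $state
}
```

A line ending in OK means the certificate has a private key, is currently valid, is not self-signed, and chains to a trusted root on this host.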
5 Click Next, click Next, and click Finish.
6 If your server certificate was signed by an intermediate CA, import all intermediate certificates in the certificate chain into the Windows local computer certificate store.
    a Go to the Certificates (Local Computer) > Intermediate Certification Authorities > Certificates folder.
    b Repeat steps 3 through 6 for each intermediate certificate that must be imported.
7
Configure View Clients to Trust Root and Intermediate Certificates

If a View server certificate is signed by a CA that is not trusted by View Client computers and client computers that access View Administrator, you can configure all Windows client systems in a domain to trust the root and intermediate certificates.
4 Import the certificate.

Option | Description
Root certificate | a Right-click Trusted Root Certification Authorities and select Import. b Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
Intermediate certificate | a Right-click Intermediate Certification Authorities and select Import. b Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.

5
Configuring Certificate Revocation Checking on Server Certificates
Each View Connection Server instance performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. By default, all certificates in the chain are checked except the root certificate. You can, however, change this default.
Configuring Certificate Checking in View Client for Windows
You can use a security-related group policy setting in the View Client Configuration ADM template file (vdm_client.adm) to configure SSL server certificate checking in the Windows-based View Client. Certificate checking occurs for SSL connections between View Connection Server and View Client.
The default certificates provide secure connections from View Clients to the PSG and do not require further configuration in View Administrator. However, configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing.
3 Verify that the value of the SSLCertPsgSni setting matches the server name in the URL that scanners will use to connect to the PSG and matches the subject name or a subject alternate name of the SSL certificate that you intend to install for the PSG. If the value does not match, replace it with the correct value.
4 Restart the VMware View PCoIP Secure Gateway service to make your changes take effect.
3 Verify that the new certificate contains a private key by taking one of these steps:
  - Verify that a yellow key appears on the certificate icon.
  - Double-click the certificate and verify that the following statement appears in the Certificate Information dialog box: You have a private key that corresponds to this certificate.
4 Right-click the new certificate and click Properties.
4 Modify the SSLCertWinCertFriendlyName value and type the certificate Friendly name to be used by the PSG. For example: pcoip
If you use the same certificate as the View server, the value must be vdm.
5 Restart the VMware View PCoIP Secure Gateway service to make your changes take effect.
What to do next
Verify that View Client devices continue to connect to the PSG. If you are using a security scanner for compliance testing, scan the PSG port.
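The name check that the SSLCertPsgSni step asks for can be done before the scan. The following is an added example, not VMware code: it tests whether a name is covered by a certificate's subject or subject alternate names, and goes slightly beyond the text by also handling wildcard and IP address entries. The certificate is a constructed dictionary in the shape returned by Python's ssl.SSLSocket.getpeercert(); the host names and the function names are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the host names are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "view.example.com"),),),
    "subjectAltName": (
        ("DNS", "view.example.com"),
        ("DNS", "*.pcoip.example.com"),
    ),
}


def is_ip(name):
    """True when the name is an IPv4 or IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_match(pattern, host):
    """Case-insensitive compare; '*' may stand only for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Return (dns_names, ip_addresses) that the certificate vouches for."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    # The page accepts the subject name as well as SAN entries, so add the CN.
    dns += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips


def name_matches_cert(name, cert):
    """True if a host name or IP literal is covered by the certificate."""
    dns, ips = cert_names(cert)
    if is_ip(name):
        wanted = ipaddress.ip_address(name)
        return any(is_ip(ip) and ipaddress.ip_address(ip) == wanted for ip in ips)
    return any(dns_match(pattern, name) for pattern in dns)


def check_psg_sni(sni_value, scanner_url, cert):
    """Return the list of mismatches for step 3; empty means the names line up."""
    problems = []
    url_host = urlsplit(scanner_url).hostname or ""
    if sni_value.lower() != url_host.lower():
        problems.append("SSLCertPsgSni differs from the server name in the scanner URL")
    if not name_matches_cert(sni_value, cert):
        problems.append("SSLCertPsgSni is not a subject or subject alternate name of the certificate")
    return problems
```

An IP literal is covered only by an IP address entry in the certificate, which is why connecting by IP address to a server whose certificate lists only host names produces a mismatch.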
Replacing the default certificate for View Transfer Server with a certificate that is signed by a CA would not significantly affect the secure communications between View Transfer Server, View Connection Server, and View clients. In View 5.0.x and earlier versions, you did have to configure an SSL certificate for View Transfer Server. If you are upgrading from View 5.0.x or earlier to View 5.
Chapter 8 Configuring View for the First Time
After you install the View server software and configure SSL certificates for the servers, you must take a few additional steps to set up a working View environment. You configure user accounts for vCenter Server and View Composer, install a View license key, add vCenter Server and View Composer to your View environment, configure the PCoIP Secure Gateway and secure tunnel, and, optionally, size Windows Server settings to support your View environment.
Configure a vCenter Server User for View Manager, View Composer, and Local Mode
To configure a user account that gives View Manager permission to operate in vCenter Server, you must assign a role with appropriate privileges to that user. To use the View Composer service in vCenter Server, you must give the user account additional privileges.
3 From the drop-down menu, select the Administrator role, or the View Composer or View Manager role that you created, and assign it to the vCenter Server user.
4 If you use View Composer, on the vCenter Server computer, add the vCenter Server user account as a member of the local system Administrators group. View Composer requires that the vCenter Server user is a system administrator on the vCenter Server computer.
View Composer Privileges Required for the vCenter Server User
To support View Composer, the vCenter Server user must have privileges in addition to those required to support View Manager. Create a View Composer role for the vCenter Server user with the View Manager privileges and these additional privileges.
Table 8‑2.
Configuring View Connection Server for the First Time
After you install View Connection Server, you must install a product license and add vCenter Servers and View Composer services to View Manager. You can also allow ESXi hosts to reclaim disk space on linked-clone virtual machines and configure ESXi hosts to cache virtual machine disk data. If you install security servers, they are added to View Manager and appear in View Administrator automatically.
Procedure
1 Open your Web browser and enter the following URL, where server is the host name of the View Connection Server instance.
https://server/admin
NOTE You can use the IP address if you have to access a View Connection Server instance when the host name is not resolvable. However, the host that you contact will not match the SSL certificate that is configured for the View Connection Server instance, resulting in blocked access or access with reduced security.
Add vCenter Server Instances to View Manager
You must configure View Manager to connect to the vCenter Server instances in your View deployment. vCenter Server creates and manages the virtual machines that View Manager uses as desktop sources. If you run vCenter Server instances in a Linked Mode group, you must add each vCenter Server instance to View Manager separately. View Manager connects to the vCenter Server instance using a secure channel (SSL).
4 Type the name of the vCenter Server user. For example: domain\user or user@domain.com
5 Type the vCenter Server user password.
6 (Optional) Type a description for this vCenter Server instance.
7 Type the TCP port number. The default port is 443.
8 Under Advanced Settings, set the concurrent operations limits for vCenter Server and View Composer operations.
9 Click Next to display the View Composer Settings page.
2 On the View Composer Settings page, if you are not using View Composer, select Do not use View Composer. If you select Do not use View Composer, the other View Composer settings become inactive. When you click Next, the Add vCenter Server wizard displays the Storage Settings page. The View Composer Domains page is not displayed.
3 If you are using View Composer, select the location of the View Composer host.
4 Type the account password.
5 Click OK.
6 To add domain user accounts with privileges in other Active Directory domains in which you deploy linked-clone pools, repeat the preceding steps.
7 Click Next to display the Storage Settings page.
What to do next
Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.
Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines
In vSphere 5.
Prerequisites
  - Verify that your vCenter Server and ESXi hosts are version 5.1 with ESXi 5.1 download patch ESXi510-201212001 or later. In an ESXi cluster, verify that all the hosts are version 5.1 with download patch ESXi510-201212001 or later.
Procedure
1 In View Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings page.
  a Select View Configuration > Servers.
  b In the vCenter Servers tab, click Add.
View Storage Accelerator is now qualified to work in configurations that use View replica tiering, in which replicas are stored on a separate datastore from linked clones. Although the performance benefits of using View Storage Accelerator with View replica tiering are not materially significant, certain capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and supported.
Table 8‑4. Concurrent Operations Limits for vCenter Server and View Composer
Setting: Max concurrent vCenter provisioning operations
Description: Determines the maximum number of concurrent requests that View Manager can make to provision and delete full virtual machines in this vCenter Server instance. The default value is 20. This setting applies to full virtual machines only.
View waits a maximum of five minutes for a desktop to start. If the start time takes longer, other errors are likely to occur. To be conservative, you can set a concurrent power operations limit of 5 times the peak power-on rate. With a conservative approach, the default setting of 50 supports a peak power-on rate of 10 desktops per minute. Logons, and therefore desktop power-on operations, typically occur in a normally distributed manner over a certain time window.
3 Examine the certificate thumbprint that was configured for the vCenter Server or View Composer instance.
  a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows Certificate Store.
  b Navigate to the vCenter Server or View Composer certificate.
  c Click the Certificate Details tab to display the certificate thumbprint.
Similarly, examine the certificate thumbprint for a SAML 2.0 authenticator.
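Reading two 40-character thumbprints by eye is error-prone, so the comparison can be scripted. The following is an added example, not VMware code: it computes a thumbprint from an exported certificate file and compares it with a value copied from a dialog box, ignoring spaces, colons, letter case and invisible formatting characters that a copy from the certificate details view can carry. It assumes the thumbprint is the SHA-1 hash of the certificate's DER encoding, as the Windows certificate details show it; the sample bytes are a constructed stand-in for a certificate, and the function names are chosen for the example.

```python
import base64
import hashlib
import re
import unicodedata

# Constructed stand-in for the DER bytes of an exported certificate (.cer).
# A thumbprint is a hash over these bytes, so any byte string shows the mechanics.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(data):
    """Accept a DER or Base-64 (PEM) export and return the DER bytes."""
    match = PEM_RE.search(data)
    if match is None:
        return data
    return base64.b64decode(b"".join(match.group(1).split()))


def thumbprint(cert_bytes, algorithm="sha1"):
    """Hex digest of the DER encoding, upper case, without separators."""
    return hashlib.new(algorithm, to_der(cert_bytes)).hexdigest().upper()


def normalize_thumbprint(text):
    """Strip separators and invisible characters, then insist on plain hex."""
    kept = [c for c in text
            if not c.isspace() and c not in ":-"
            and unicodedata.category(c) != "Cf"]  # Cf covers U+200E and similar
    value = "".join(kept).upper()
    if len(value) not in (40, 64) or re.fullmatch(r"[0-9A-F]+", value) is None:
        raise ValueError("not a SHA-1 or SHA-256 thumbprint: %r" % text)
    return value


def same_thumbprint(displayed, expected):
    """Compare two thumbprints after normalizing both."""
    return normalize_thumbprint(displayed) == normalize_thumbprint(expected)
```

Anything that is not hex after the separators are removed raises an error instead of being dropped, so a mistyped character cannot be silently ignored.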
You can also provide secure connections to external users who use HTML Access to connect to View desktops. The Blast Secure Gateway, enabled by default on View Connection Server and security server hosts, ensures that only authenticated users can communicate with View desktops. With HTML Access, View Client software does not have to be installed on the users' endpoint devices. SSL is required for all client connections to View Connection Server and security server hosts.
Configure Secure HTML Access
In View Administrator, you can configure the use of the Blast Secure Gateway to provide secure HTML access to View desktops. The Blast Secure Gateway ensures that only authenticated users can communicate with View desktops by using HTML Access. View Client does not have to be installed on users' endpoint devices.
  - To open the port for HTML Access on a security server, manually enable the VMware View Connection Server (Blast-In) rule in the Windows Firewall.
Configuring External URLs for Secure Gateway and Tunnel Connections
To use the secure tunnel, a client system must have access to an IP address, or a fully qualified domain name (FQDN) that it can resolve to an IP address, that allows the client to reach a View Connection Server or security server host.
Set the External URLs for a View Connection Server Instance
You use View Administrator to configure the external URLs for a View Connection Server instance. Both the secure tunnel external URL and PCoIP external URL must be the addresses that client systems use to reach this View Connection Server instance. For example, do not specify the secure tunnel external URL for this instance and the PCoIP external URL for a paired security server.
Modify the External URLs for a Security Server
You use View Administrator to modify the external URLs for a security server. You initially configure these external URLs when you install a security server in the View Connection Server installation program. The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the addresses that client systems use to reach this security server.
6 Click OK to save your changes.
View Administrator sends the updated external URLs to the security server. You do not need to restart the security server service for the changes to take effect.
Replacing Default Ports for View Services
During installation, View services are set up to listen on certain network ports by default. In certain organizations, these ports must be changed to comply with organization policies or to avoid contention.
3 (Optional) If the View server computer has multiple NICs, select one NIC to listen on the configured ports. Add the serverHost and serverHostNonSsl properties to specify the IP address that is bound to the designated NIC. For example:
serverHost=10.20.30.40
serverHostNonSsl=10.20.30.40
Typically, both the SSL and non-SSL listeners are configured to use the same NIC.
4 (Optional) If the computer on which the PCoIP Secure Gateway is running has multiple NICs, select one NIC to listen on the configured ports. Under the same registry key, add the following String (REG_SZ) values to specify the IP address that is bound to the designated NIC. For example:
ExternalBindIP "10.20.30.40"
InternalBindIP "172.16.17.
During installation, View configures the Windows firewall to open the ports that are used by View Transfer Server by default. If you change the ports, you must manually reconfigure your Windows firewall to open the updated ports so that View Client devices can connect to the View Transfer Server instance.
Procedure
1 Stop the VMware View Transfer Server service.
2 On the View Transfer Server computer, navigate to the install_directory\VMware\VMware View\Server\httpd\conf
By default, the system can create a maximum of approximately 16,000 ephemeral ports that run concurrently on Windows Server 2008. 16,000 ephemeral ports can support more than 2,000 concurrent client connections, the maximum supported number for a View Connection Server instance. On Windows Server 2008 computers, you do not need to increase the maximum size of the TCB hash table. Windows Server 2008 fully tunes this value by default.
Procedure
1 On the Windows Server computer on which View Connection Server is installed, navigate to the Virtual Memory dialog box. By default, Custom size is selected. An initial and maximum page-file size appear.
2 Click System managed size.
Windows continually recalculates the system page-file size based on current memory use and available memory.
Chapter 9 Adding the View Desktops Plug-in to the vSphere Web Client
The View Desktops plug-in lets you use the vSphere Web Client to find information about View deployments that run in your vSphere environment. You add the View Desktops plug-in to the vSphere Web Client by registering the plug-in with the vCenter Lookup Service. In View 5.
View Desktops Support for View Pods and vCenter Server Services
The View Desktops plug-in supports a single pod of replicated View Connection Server instances. You cannot use the View Desktops plug-in to search for desktops that are managed by different pods of replicated View Connection Server instances. Even if multiple View pods use the same vCenter Single Sign-On Service and vCenter Lookup Service, the View Desktops plug-in can support only one pod at a time.
  - Verify that you have a user with vCenter Single Sign-On (SSO) administrator privileges. You must provide this account when you register the View Desktops plug-in.
    a Log in to the vSphere Web Client with a user account that has vCenter SSO administrator privileges. For example, on a vCenter Server that runs on Windows Server, the default vCenter SSO administrator user is Admin@System-Domain.
4 If the SSL certificate that is issued for the vCenter Lookup Service is not trusted by the View Connection Server computer, accept the certificate thumbprint.
The following error message is displayed:
Error: The security certificate presented by this Lookup Service was not issued by a trusted certificate authority. The thumbprint of the certificate is thumbprint. Return code: -1
Accept the thumbprint by using the -lt option and copying the thumbprint.
sso-admin@domain is the username and domain of a user with vCenter SSO administrator privileges. On a vCenter Server that runs on Windows Server, the default vCenter SSO administrator user is Admin@System-Domain. On a vCenter Server Virtual Appliance, the default user is root@localos.
3 At the prompt, type the View Administrators user password.
4 At the prompt, type the vCenter SSO administrator user password.
Procedure
1 Log in to the vSphere Web Client as a user with the View Administrators or View Administrators (read only) role and the appropriate vSphere Administrator privileges. For example:
https://vSphere_Web_Client_IP_address_or_FQDN:9443/vsphere-client/
2 In the Search box, type the username of a View user.
3 Select the username from the search results.
4 Select a desktop from the list of desktops that is associated with the user.
Chapter 10 Configuring Event Reporting
You can create an event database to record information about View Manager events. In addition, if you use a Syslog server, you can configure View Connection Server to send events to a Syslog server or create a flat file of events written in Syslog format.
2 Add a user for this database that has permission to create tables, views, and, in the case of Oracle, triggers and sequences, as well as permission to read from and write to these objects. For a Microsoft SQL Server database, do not use the Integrated Windows Authentication security model method of authentication. Be sure to use the SQL Server Authentication method of authentication.
Configure the Event Database
The event database stores information about View events as records in a database rather than in a log file. You configure an event database after installing a View Connection Server instance. You need to configure only one host in a View Connection Server group. The remaining hosts in the group are configured automatically.
3 (Optional) In the Event Settings window, click Edit, change the length of time to show events and the number of days to classify events as new, and click OK. These settings pertain to the length of time the events are listed in the View Administrator interface. After this time, the events are only available in the historical database tables.
The Database Configuration window displays the current configuration of the event database.
2 (Optional) In the Syslog area, to configure View Connection Server to send events to a Syslog server, click Add next to Send to syslog servers, and supply the server name or IP address and the UDP port number.
3 (Optional) To enable View event log messages to be generated and stored in Syslog format, in log files, select the Log to file: Enable check box. The log files are retained locally unless you specify a UNC path to a file share.