View Installation VMware Horizon 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
View Installation You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com Copyright © 2010–2014 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com 2 VMware, Inc.
Contents View Installation 5 1 System Requirements for Server Components 7 View Connection Server Requirements View Administrator Requirements 9 View Composer Requirements 9 7 2 System Requirements for Guest Operating Systems 13 Supported Operating Systems for View Agent 13 Supported Operating Systems for Standalone View Persona Management Remote Display Protocol and Software Support 14 14 3 Preparing Active Directory 19 Configuring Domains and Trust Relationships 19 Creating an OU for Remote Deskt
View Installation 6 Configuring SSL Certificates for View Servers 63 Understanding SSL Certificates for View Servers 63 Overview of Tasks for Setting Up SSL Certificates 65 Obtaining a Signed SSL Certificate from a CA 66 Configure View Connection Server, Security Server, or View Composer to Use a New SSL Certificate 67 Configure Client Endpoints to Trust Root and Intermediate Certificates 72 Configuring Certificate Revocation Checking on Server Certificates 74 Configure the PCoIP Secure Gateway to Use a N
View Installation View Installation explains how to install the VMware Horizon™ with View™ server and client components. Intended Audience This information is intended for anyone who wants to install View. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations. VMware, Inc.
View Installation 6 VMware, Inc.
System Requirements for Server Components 1 Hosts that run View server components must meet specific hardware and software requirements.
View Installation Hardware Requirements for View Connection Server You must install all View Connection Server installation types, including standard, replica, and security server installations, on a dedicated physical or virtual machine that meets specific hardware requirements. Table 1‑1. View Connection Server Hardware Requirements Hardware Component Required Recommended Processor Pentium IV 2.
Chapter 1 System Requirements for Server Components Network Requirements for Replicated View Connection Server Instances When installing replicated View Connection Server instances, you must usually configure the instances in the same physical location and connect them over a high-performance LAN. Otherwise, latency issues could cause the View LDAP configurations on View Connection Server instances to become inconsistent.
View Installation n Hardware Requirements for Standalone View Composer on page 10 If you install View Composer on a different physical or virtual machine from the one used for vCenter Server, you must use a dedicated machine that meets specific hardware requirements. n Database Requirements for View Composer on page 10 View Composer requires an SQL database to store data. The View Composer database must reside on, or be available to, the View Composer server host.
Chapter 1 System Requirements for Server Components View Composer supports a subset of the database servers that vCenter Server supports. If you are already using vCenter Server with a database server that is not supported by View Composer, continue to use that database server for vCenter Server and install a separate database server to use for View Composer and View database events.
View Installation 12 VMware, Inc.
2 System Requirements for Guest Operating Systems Systems running View Agent or Standalone View Persona Management must meet certain hardware and software requirements.
View Installation The following table lists the Windows operating systems versions that are supported for creating desktop pools and application pools on an RDS host. Table 2‑2.
Chapter 2 System Requirements for Guest Operating Systems PCoIP PCoIP (PC over IP) provides an optimized desktop experience for the delivery of a remote application or an entire remote desktop environment, including applications, images, audio, and video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate for an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
View Installation n For Windows 7 or 8 desktops or Windows Server 2012 or R2 desktops: 1GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen mode, or 720p or higher formatted video. To use Virtual Dedicated Graphics Acceleration for graphics-intensive applications such as CAD applications, 4GB of RAM is required.
Chapter 2 System Requirements for Guest Operating Systems n Users outside the corporate firewall can use this protocol with your company's virtual private network (VPN), or users can make secure, encrypted connections to a View security server in the corporate DMZ. NOTE For Windows XP desktop virtual machines, you must install the RDP patches listed in Microsoft Knowledge Base (KB) articles 323497 and 884020.
View Installation 18 VMware, Inc.
Preparing Active Directory 3 View uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with View.
View Installation Users are authenticated against Active Directory for the View Connection Server host's domain and against any additional user domains with which a trust agreement exists. NOTE Because security servers do not access any authentication repositories, including Active Directory, they do not need to reside in an Active Directory domain.
Chapter 3 Preparing Active Directory Creating Groups for Users You should create groups for different types of users in Active Directory. For example, you can create a group called View Users for your end users and another group called View Administrators for users that will administer remote desktops and applications. Creating a User Account for vCenter Server You must create a user account in Active Directory to use with vCenter Server.
View Installation n Delete Computer Objects NOTE If you select the Allow reuse of pre-existing computer accounts setting for a desktop pool, you only need to add the following permissions: 3 n List Contents n Read All Properties n Read Permissions n Reset Password Make sure that the user account's permissions apply to the Active Directory container and to all child objects of the container.
Chapter 3 Preparing Active Directory Using View Group Policy Administrative Template Files View includes several component-specific group policy administrative (ADM and ADMX) template files. All ADM and ADMX files that provide group policy settings for View are available in a bundled .zip file named VMware-Horizon-View-GPO-Bundle-x.x.x-yyyyyyy.zip, where x.x.x is the version and yyyyyyy is the build number. You can download the file from the VMware Horizon (with View) download site at http://www.vmware.
View Installation n If the ADSI Edit utility is not present on your Active Directory server, download and install the appropriate Windows Support Tools from the Microsoft Web site. Procedure 1 On your Active Directory server, start the ADSI Edit utility. 2 In the left pane, expand the domain the user is located in and double-click CN=Users. 3 In the right pane, right-click the user and then click Properties.
Chapter 3 Preparing Active Directory Add an Intermediate Certificate to Intermediate Certification Authorities If you use an intermediate certification authority (CA) to issue smart card login or domain controller certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory. Procedure 1 On the Active Directory server, navigate to the Group Policy Management plug-in.
View Installation 26 VMware, Inc.
Installing View Composer 4 To use View Composer, you create a View Composer database, install the View Composer service, and optimize your View infrastructure to support View Composer. You can install the View Composer service on the same host as vCenter Server or on a separate host. View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop pools. You must have a license to install and use the View Composer feature.
View Installation n Create a SQL Server Database for View Composer on page 28 View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it. n Create an Oracle Database for View Composer on page 30 View Composer can store linked-clone desktop information in an Oracle 11g or 10g database.
Chapter 4 Installing View Composer Add an ODBC Data Source to SQL Server After you add a View Composer database to SQL Server, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service. When you configure an ODBC DSN for View Composer, secure the underlying database connection to an appropriate level for your environment. For information about securing database connections, see the SQL Server documentation.
View Installation What to do next Install the new View Composer service. See “Install the View Composer Service,” on page 33. Create an Oracle Database for View Composer View Composer can store linked-clone desktop information in an Oracle 11g or 10g database. You create a View Composer database by adding it to an existing Oracle instance and configuring an ODBC data source for it. You can add a new View Composer database by using the Oracle Database Configuration Assistant or by running a SQL statement.
Chapter 4 Installing View Composer 6 On the Database Credentials page, select Use the Same Administrative Passwords for All Accounts and type a password. 7 On the remaining configuration pages, click Next to accept the default settings. 8 On the Creation Options page, verify that Create Database is selected and click Finish. 9 On the Confirmation page, review the options and click OK. The configuration tool creates the database. 10 On the Database Creation Complete page, click OK.
View Installation 2 Run the following SQL command to create a View Composer database user with the correct permissions.
Chapter 4 Installing View Composer What to do next Install the new View Composer service. See “Install the View Composer Service,” on page 33. Configuring an SSL Certificate for View Composer By default, a self-signed certificate is installed with View Composer. You can use the default certificate for testing purposes, but for production use you should replace it with a certificate that is signed by a Certificate Authority (CA). You can configure a certificate before or after you install View Composer.
View Installation n To run the View Composer installer, you must be a domain user with Administrator privileges on the system. Procedure 1 Download the View Composer installer file from the VMware product page at http://www.vmware.com/products/ to the Windows Server computer. The installer filename is VMware-viewcomposer-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number. This installer file installs the View Composer service on 64-bit Windows Server operating systems.
Chapter 4 Installing View Composer Configuring Your Infrastructure for View Composer You can take advantage of features in vSphere, vCenter Server, Active Directory, and other components of your infrastructure to optimize the performance, availability, and reliability of View Composer. Configuring the vSphere Environment for View Composer To support View Composer, you should follow certain best practices when you install and configure vCenter Server, ESXi, and other vSphere components.
View Installation 36 VMware, Inc.
Installing View Connection Server 5 To use View Connection Server, you install the software on supported computers, configure the required components, and, optionally, optimize the components.
View Installation n You must join the View Connection Server host to an Active Directory domain. View Connection Server supports the following Active Directory Domain Services (AD DS) domain functional levels: n Windows Server 2003 n Windows Server 2008 n Windows Server 2008 R2 n Windows Server 2012 n Windows Server 2012 R2 The View Connection Server host must not be a domain controller.
Chapter 5 Installing View Connection Server By default, the HTML Access component is installed on the View Connection Server host when you install View Connection Server. This component configures the View user portal page to display an HTML Access icon in addition to the Horizon Client icon. The additional icon allows users to select HTML Access when they connect to their desktops.
View Installation 6 Make sure that Install HTML Access is selected if you intend to allow users to connect to their desktops by using HTML Access. This setting is selected by default. 7 Type a data recovery password and, optionally, a password reminder. 8 Choose how to configure the Windows Firewall service. 9 Option Action Configure Windows Firewall automatically Let the installer configure Windows Firewall to allow the required network connections.
Chapter 5 Installing View Connection Server n VMware VDMDS, which provides View LDAP directory services For information about these services, see the View Administration document. If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer. This component configures the HTML Access icon in the View user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in the Windows Firewall.
View Installation n Familiarize yourself with the MSI installer command-line options. See “Microsoft Windows Installer Command-Line Options,” on page 59. n Familiarize yourself with the silent installation properties available with a standard installation of View Connection Server. See “Silent Installation Properties for a View Connection Server Standard Installation,” on page 43. Procedure 1 Download the View Connection Server installer file from the VMware product page at http://www.vmware.
Chapter 5 Installing View Connection Server If you are configuring View for the first time, perform initial configuration on View Connection Server. See Chapter 7, “Configuring View for the First Time,” on page 81. Silent Installation Properties for a View Connection Server Standard Installation You can include specific View Connection Server properties when you perform a silent installation from the command line.
View Installation If a replicated instance fails, the other instances in the group continue to operate. When the failed instance resumes activity, its configuration is updated with the changes that took place during the outage. NOTE Replication functionality is provided by View LDAP, which uses the same replication technology as Active Directory.
Chapter 5 Installing View Connection Server Procedure 1 Download the View Connection Server installer file from the VMware product page at http://www.vmware.com/products/ to the Windows Server computer. The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number. 2 To start the View Connection Server installation program, double-click the installer file. 3 Accept the VMware license terms.
View Installation If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer. This component configures the HTML Access icon in the View user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the View Connection Server on TCP port 8443.
Chapter 5 Installing View Connection Server n If you plan to pair a security server with this View Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
View Installation n VMware VDMDS, which provides View LDAP directory services For information about these services, see the View Administration document. If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer. This component configures the HTML Access icon in the View user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in the Windows Firewall.
Chapter 5 Installing View Connection Server Table 5‑2. MSI Properties for Silently installing a Replicated Instance of View Connection Server (Continued) MSI Property Description Default Value FWCHOICE The MSI property that determines whether to configure a firewall for the View Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. 1 For example: FWCHOICE=1 This MSI property is optional. VDM_SERVER_ RECOVERY_PWD The data recovery password.
View Installation Install a Security Server A security server is an instance of View Connection Server that adds an additional layer of security between the Internet and your internal network. You can install one or more security servers to be connected to a View Connection Server instance.
Chapter 5 Installing View Connection Server 2 To start the View Connection Server installation program, double-click the installer file. 3 Accept the VMware license terms. 4 Accept or change the destination folder. 5 Select the View Security Server installation option. 6 Type the fully qualified domain name or IP address of the View Connection Server instance to pair with the security server in the Server text box.
View Installation n VMware Horizon View PCoIP Secure Gateway n VMware Blast Secure Gateway For information about these services, see the View Administration document. The security server appears in the Security Servers pane in View Administrator. The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.
Chapter 5 Installing View Connection Server n Familiarize yourself with the format of external URLs. See “Configuring External URLs for Secure Gateway and Tunnel Connections,” on page 97. n Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
View Installation The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443. NOTE If the installation is cancelled or aborted, you might have to remove IPsec rules for the security server before you can begin the installation again.
Chapter 5 Installing View Connection Server Table 5‑3. MSI Properties for Silently Installing a Security Server (Continued) MSI Property Description Default Value FWCHOICE The MSI property that determines whether to configure a firewall for the View Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. 1 For example: FWCHOICE=1 This MSI property is optional. VDM_SERVER_SS_PCOIP_IP ADDR The PCoIP Secure Gateway external IP address.
View Installation You must take this step when you upgrade or reinstall a security server and are using IPsec to protect communication between the security server and View Connection Server. You can configure an initial security server pairing without using IPsec rules. Before you install the security server, you can open View Administrator and deselect the global setting Use IPSec for Security Server Connections, which is enabled by default.
Chapter 5 Installing View Connection Server Table 5‑4. Ports Opened During View Connection Server Installation (Continued) Protocol Ports View Connection Server Instance Type AJP13 TCP 8009 Standard and replica HTTP TCP 80 Standard, replica, and security server HTTPS TCP 443 Standard, replica, and security server PCoIP TCP 4172 in; UDP 4172 both directions Standard, replica, and security server HTTPS TCP 8443 Standard, replica, and security server.
View Installation The following rules apply to firewalls that use NAT. Table 5‑6. NAT Firewall Requirements to Support IPsec Rules Source Protocol Port Destination Notes Security server ISAKMP UDP 500 View Connection Server Security servers use UDP port 500 to initiate IPsec security negotiation. Security server NAT-T ISAKMP UDP 4500 View Connection Server Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security.
Chapter 5 Installing View Connection Server 4 Uninstall the View Connection Server from the computer by using the Windows Add/Remove Programs utility. Do not uninstall the View LDAP configuration, called the AD LDS Instance VMwareVDMDS instance. You can use the Add/Remove Programs utility to verify that the AD LDS Instance VMwareVDMDS instance was not removed from the Windows Server computer. 5 Reinstall View Connection Server. At the installer prompt, accept the existing View LDAP directory.
View Installation Table 5‑8. MSI Command-Line Options and MSI Properties MSI Option or Property Description /qn Instructs the MSI installer not to display the installer wizard pages. For example, you might want to install View Agent silently and use only default setup options and features: VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn" Alternatively, you can use the /qb option to display the wizard pages in a noninteractive, automated installation.
Chapter 5 Installing View Connection Server Uninstalling View Components Silently by Using MSI Command-Line Options You can uninstall View components by using Microsoft Windows Installer (MSI) command-line options. Syntax msiexec.exe /qb /x product_code Options The /qb option displays the uninstall progress bar. To suppress displaying the uninstall progress bar, replace the /qb option with the /qn option. The /x option uninstalls the View component.
View Installation 62 VMware, Inc.
Configuring SSL Certificates for View Servers 6 VMware strongly recommends that you configure SSL certificates for authentication of View Connection Server instances, security servers, and View Composer service instances. A default SSL server certificate is generated when you install View Connection Server instances, security servers, or View Composer instances. You can use the default certificate for testing purposes. IMPORTANT Replace the default certificate as soon as possible.
View Installation n If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on the Windows Server computer. The installation extracts the keys and certificates and imports them into the Windows Certificate Store. vCenter Server and View Composer Before you add vCenter Server and View Composer to View in a production environment, make sure that vCenter Server and View Composer use certificates that are signed by a CA.
Chapter 6 Configuring SSL Certificates for View Servers Similarly, if a SAML 2.0 authenticator is configured for View Connection Server, the View Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate. Overview of Tasks for Setting Up SSL Certificates To set up SSL server certificates for View servers, you must perform several high-level tasks.
View Installation If a SAML authenticator is configured for use with a View Connection Server instance, View Connection Server also performs certificate revocation checking on the SAML server certificate. Obtaining a Signed SSL Certificate from a CA If your organization does not provide you with an SSL server certificate, you must request a new certificate that is signed by a CA. You can use several methods to obtain a new signed certificate.
Chapter 6 Configuring SSL Certificates for View Servers 2 From the Action menu, go to All Tasks > Request New Certificate to display the Certificate Enrollment wizard. 3 Select a Certificate Enrollment Policy. 4 Select the types of certificates that you want to request, select the Make private key exportable option, and click Enroll. 5 Click Finish. The new signed certificate is added to the Personal > Certificates folder in the Windows Certificate Store.
View Installation 4 Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store on page 70 If the Windows Server host on which View Connection Server is installed does not trust the root certificate for the signed SSL server certificate, you must import the root certificate into the Windows local computer certificate store.
Chapter 6 Configuring SSL Certificates for View Servers Prerequisites Verify that the Certificate snap-in was added to MMC. See “Add the Certificate Snap-In to MMC,” on page 68. Procedure 1 In the MMC window on the Windows Server host, expand the Certificates (Local Computer) node and select the Personal folder. 2 In the Actions pane, go to More Actions > All Tasks > Import. 3 In the Certificate Import wizard, click Next and browse to the location where the certificate is stored.
View Installation 5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of vdm. a Locate any other server certificate, right-click the certificate, and click Properties. b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK. What to do next Import the root certificate and intermediate certificates into the Windows local computer certificate store.
Chapter 6 Configuring SSL Certificates for View Servers 3 In the Certificate Import wizard, click Next and browse to the location where the root CA certificate is stored. 4 Select the root CA certificate file and click Open. 5 Click Next, click Next, and click Finish. 6 If your server certificate was signed by an intermediate CA, import all intermediate certificates in the certificate chain into the Windows local computer certificate store.
View Installation Example: SviConfig ReplaceCertificate The following example replaces the certificate that is bound to the View Composer port: sviconfig -operation=ReplaceCertificate -delete=false Configure Client Endpoints to Trust Root and Intermediate Certificates If a View server certificate is signed by a CA that is not trusted by client computers and client computers that access View Administrator, you can configure all Windows client systems in a domain to trust the root and intermediate certifica
Chapter 6 Configuring SSL Certificates for View Servers 2 On the Active Directory server, navigate to the Group Policy Management plug-in. AD Version Navigation Path Windows 2003 a b c d Windows 2008 a b Select Start > All Programs > Administrative Tools > Active Directory Users and Computers. Right-click your domain and click Properties. On the Group Policy tab, click Open to open the Group Policy Management plug-in. Right-click Default Domain Policy, and click Edit.
View Installation Configure Horizon Client for iOS to Trust Root and Intermediate Certificates If a server certificate is signed by a CA that is not trusted by iPads and iPhones that run Horizon Client for iOS, you can configure the the device to trust the root and intermediate certificates. You must distribute the root certificate and all intermediate certificates in the trust chain to the devices Procedure 1 Send the root certificate and intermediate certificates as email attachments to the iPad.
Chapter 6 Configuring SSL Certificates for View Servers Value Description 1 Do not perform certificate revocation checking. 2 Check only the server certificate. Do not check any other certificates in the chain. 3 Check all certificates in the chain. 4 (Default) Check all certificates except the root certificate. If this registry value is not set, or if the value set is not valid (that is, if the value is not 1, 2, 3, or 4), all certificates are checked except the root certificate.
View Installation 2 Configure a PSG Certificate in the Windows Certificate Store on page 76 To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the View Connection Server or security server computer on which the PSG is running.
Chapter 6 Configuring SSL Certificates for View Servers Prerequisites n Verify that the key length is at least 1024 bits. n Verify that the SSL certificate is valid. The current time on the server computer must be within the certificate start and end dates. n Verify that the certificate subject name or a subject alternate name matches the SSLCertPsgSni setting in the Windows registry. See “Verify That the Server Name Matches the PSG Certificate Subject Name,” on page 76.
View Installation Set the PSG Certificate Friendly Name in the Windows Registry The PSG identifies the SSL certificate to use by means of the server name and certificate Friendly name. You must set the Friendly name value in the Windows registry on the View Connection Server or security server computer on which the PSG is running. The certificate Friendly name vdm is used by all View Connection Server instances and security servers.
Chapter 6 Configuring SSL Certificates for View Servers Prerequisites Verify that all client devices that connect to this server, including thin clients, run Horizon Client 5.2 for Windows or Horizon Client 2.0 or later releases. You must upgrade the legacy clients. Procedure 1 Start the Windows Registry Editor on the View Connection Server or security server computer where the PCoIP Secure Gateway is running. 2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
View Installation Troubleshooting Certificate Issues on View Connection Server and Security Server Certificate issues on a View server prevent you from connecting to View Administrator or cause a red health indicator to be displayed for a server. Problem You cannot connect to View Administrator on the View Connection Server instance with the problem.
Configuring View for the First Time 7 After you install the View server software and configure SSL certificates for the servers, you must take a few additional steps to set up a working View environment. You configure user accounts for vCenter Server and View Composer, install a View license key, add vCenter Server and View Composer to your View environment, configure the PCoIP Secure Gateway and secure tunnel, and, optionally, size Windows Server settings to support your View environment.
View Installation Prerequisites n In Active Directory, create a user in the View Connection Server domain or a trusted domain. See “Creating a User Account for vCenter Server,” on page 21. n Familiarize yourself with the vCenter Server privileges that are required for the user account. See “Privileges Required for the vCenter Server User,” on page 83. n If you use View Composer, familiarize yourself with the additional required privileges.
Chapter 7 Configuring View for the First Time Privileges Required for the vCenter Server User The vCenter Server user must have sufficient vCenter Server privileges to enable View to perform operations in vCenter Server. Create a View Manager role for the vCenter Server user with the required privileges. Table 7‑1.
View Installation View Composer Privileges Required for the vCenter Server User To support View Composer, the vCenter Server user must have privileges in addition to those required to support View. Create a View Composer role for the vCenter Server user with the View Manager privileges and these additional privileges. Table 7‑2.
Chapter 7 Configuring View for the First Time n You must use a separate View Administrator interface to manage the View components for each single, standalone View Connection Server instance and each group of replicated View Connection Server instances. You also use View Administrator to manage security servers associated with View Connection Server. Each security server is associated with one View Connection Server instance.
View Installation After you install the license key, View Administrator displays the dashboard page when you log in. You do not have to configure a license key when you install a replicated View Connection Server instance or a security server. Replicated instances and security servers use the common license key stored in the View LDAP configuration. NOTE View Connection Server requires a valid license key. Starting with the release of View 4.0, the product license key is a 25-character key.
Chapter 7 Configuring View for the First Time n If you upgrade to vSphere 5.5 or a later release, verify that the domain administrator account that you use as the vCenter Server user was explicitly assigned permissions to log in to vCenter Server by a vCenter Server local user. n Familiarize yourself with the settings that determine the maximum operations limits for vCenter Server and View Composer.
View Installation Prerequisites n Your Active Directory administrator must create a domain user with permission to add and remove virtual machines from the Active Directory domain that contains your linked clones. To manage the linked-clone machine accounts in Active Directory, the domain user must have Create Computer Objects, Delete Computer Objects, and Write All Properties permissions. See “Create a User Account for View Composer,” on page 21.
Chapter 7 Configuring View for the First Time Configure View Composer Domains You must configure an Active Directory domain in which View Composer deploys linked-clone desktops. You can configure multiple domains for View Composer. After you first add vCenter Server and View Composer settings to View, you can add more View Composer domains by editing the vCenter Server instance in View Administrator.
View Installation To enable space reclamation operations, you must use View Administrator to enable space reclamation for vCenter Server and reclaim VM disk space for individual desktop pools. The space reclamation setting for vCenter Server gives you the option to disable this feature on all desktop pools that are managed by the vCenter Server instance. Disabling the feature for vCenter Server overrides the setting at the desktop pool level.
Chapter 7 Configuring View for the First Time You enable caching on your ESXi hosts by selecting the View Storage Accelerator setting in the vCenter Server wizard in View Administrator, as described in this procedure. Make sure that View Storage Accelerator is also configured for individual desktop pools. View Storage Accelerator is enabled for desktop pools by default, but this feature can be disabled or enabled when you create or edit a desktop pool.
View Installation What to do next To configure the PCoIP Secure Gateway, secure tunnel, and external URLs for client connections, see “Configuring Horizon Client Connections,” on page 94. To complete View Storage Accelerator settings in View, configure View Storage Accelerator for desktop pools. See "Configure View Storage Accelerator for Desktop Pools" in the Setting Up Desktop and Application Pools in View document.
Chapter 7 Configuring View for the First Time Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms The Max concurrent power operations setting governs the maximum number of concurrent power operations that can occur on remote desktop virtual machines in a vCenter Server instance. This limit is set to 50 by default. You can change this value to support peak power-on rates when many users log on to their desktops at the same time.
View Installation You first add vCenter Server and View Composer in View Administrator by using the Add vCenter Server wizard. If a certificate is untrusted and you do not accept the thumbprint, you cannot add vCenter Server and View Composer. After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.
Chapter 7 Configuring View for the First Time When users connect to remote desktops and applications, by default the client makes a second connection to the View Connection Server or security server host. This connection is called the tunnel connection because it provides a secure tunnel for carrying RDP and other data over HTTPS.
View Installation n If you pair a security server to a View Connection Server instance on which you already enabled the PCoIP Secure Gateway, verify that the security server is View 4.6 or later. Procedure 1 In View Administrator, select View Configuration > Servers. 2 In the View Connection Servers panel, select a View Connection Server instance and click Edit. 3 Configure use of the secure tunnel. Option Description Disable the secure tunnel Deselect Use secure tunnel connection to machine.
Chapter 7 Configuring View for the First Time 3 Configure use of the Blast Secure Gateway. Option Description Enable the Blast Secure Gateway Select Use Blast Secure Gateway for HTML access to machine Disable the Blast secure Gateway Deselect Use Blast Secure Gateway for HTML access to machine The Blast Secure Gateway is enabled by default. 4 Click OK to save your changes.
View Installation n For a security server, you set the external URLs when you run the View Connection Server installation program. You can use View Administrator to modify an external URL for a security server. Set the External URLs for a View Connection Server Instance You use View Administrator to configure the external URLs for a View Connection Server instance.
Chapter 7 Configuring View for the First Time Modify the External URLs for a Security Server You use View Administrator to modify the external URLs for a security server. You initially configure these external URLs when you install a security server in the View Connection Server installation program. The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the addresses that client systems use to reach this security server.
View Installation Replacing Default Ports for View Services During installation, View services are set up to listen on certain network ports by default. In certain organizations, these ports must be changed to comply with organization policies or to avoid contention. You can change the default ports that are used by View Connection Server, security server, PCoIP Secure Gateway, and View Composer services. Changing ports is an optional setup task.
Chapter 7 Configuring View for the First Time 3 (Optional) If the server computer has multiple NICs, select one NIC to listen on the configured ports. Add the serverHost and serverHostNonSsl properties to specify the IP address that is bound to the designated NIC. For example: serverHost=10.20.30.40 serverHostNonSsl=10.20.30.40 Typically, both the SSL and non-SSL listeners are configured to use the same NIC.
View Installation 4 (Optional) If the computer on which the PCoIP Secure Gateway is running has multiple NICs, select one NIC to listen on the configured ports. Under the same registry key, add the following String (REG_SZ) values to specify the IP address that is bound to the designated NIC. For example: ExternalBindIP "10.20.30.40" InternalBindIP "172.16.17.18" If you configure external and internal connections to use the same NIC, the external and internal UDP ports must not be the same.
Chapter 7 Configuring View for the First Time Prerequisites Verify that you changed the default port number from 443. If you use the default values that are configured during installation, you do not have to perform this procedure to preserve the HTTP redirection rule. Procedure 1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server computer. For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.
View Installation 3 Add a new String (REG_SZ) value, Management Port. 4 Set the Management Port value to 32111. Sizing Windows Server Settings to Support Your Deployment To support a large deployment of remote desktops, you can configure the Windows Server computers on which you install View Connection Server. On each computer, you can size the Windows page-file.
Chapter 7 Configuring View for the First Time Procedure 1 On the Windows Server computer on which View Connection Server is installed, navigate to the Virtual Memory dialog box. By default, Custom size is selected. An initial and maximum page-file size appear. 2 Click System managed size. Windows continually recalculates the system page-file size based on current memory use and available memory. VMware, Inc.
View Installation 106 VMware, Inc.
Configuring Event Reporting 8 You can create an event database to record information about View events. In addition, if you use a Syslog server, you can configure View Connection Server to send events to a Syslog server or create a flat file of events written in Syslog format.
View Installation 2 Add a user for this database that has permission to create tables, views, and, in the case of Oracle, triggers and sequences, as well as permission to read from and write to these objects. For a Microsoft SQL Server database, do not use the Integrated Windows Authentication security model method of authentication. Be sure to use the SQL Server Authentication method of authentication.
Chapter 8 Configuring Event Reporting Configure the Event Database The event database stores information about View events as records in a database rather than in a log file. You configure an event database after installing a View Connection Server instance. You need to configure only one host in a View Connection Server group. The remaining hosts in the group are configured automatically.
View Installation 3 (Optional) In the Event Settings window, click Edit, change the length of time to show events and the number of days to classify events as new, and click OK. These settings pertain to the length of time the events are listed in the View Administrator interface. After this time, the events are only available in the historical database tables. The Database Configuration window displays the current configuration of the event database.
Chapter 8 Configuring Event Reporting 2 (Optional) In the Syslog area, to configure View Connection Server to send events to a Syslog server, click Add next to Send to syslog servers, and supply the server name or IP address and the UDP port number. 3 (Optional) To enable View event log messages to be generated and stored in Syslog format, in log files, select the Log to file: Enable check box. The log files are retained locally unless you specify a UNC path to a file share.
View Installation 112 VMware, Inc.
Index A D Active Directory configuring domains and trust relationships 19 preparing for smart card authentication 23 preparing for use with View 19 Active Directory groups, creating for kiosk mode client accounts 20 ADM template files 23 antivirus software, View Composer 35 databases creating for View Composer 27 View events 107, 109 default certificate, replacing 63 direct connections, configuring 95 DNS resolution, View Composer 35 documentation feedback, how to provide 5 domain filtering 20 B E br
View Installation Horizon Client for Mac OS X, trusting the root certificate 73 Horizon clients, configuring connections 94 host caching, for vCenter Server 90 HTML access, configuring 96 HTTP changing the port for HTTP redirection 102 preventing HTTP redirection 103 I initial configuration, View 81 installation, silent installation options 59 intermediate certificates, adding to intermediate certification authorities 25 Intermediate Certification Authorities policy 25 Internet Explorer, supported version
Index modifying an external URL 99 operating system requirements 8 prepare to upgrade or reinstall 55 remove IPsec rules 55 silent installation properties 54 silent installation replicated instances 46 security servers 52 View Connection Server 41 silent installation options 59 sizing Windows Server settings, increasing the JVM heap size 104 smart card authentication Active Directory preparation 23 UPNs for smart card users 23 software requirements, server components 7 sparse disks, configuring for vCenter
View Installation sizing Windows Server settings 104 system page file size 104 trust relationships 19 View Connection Server installation installation types 37 network configuration 9 overview 37 prerequisites 37 product license key 85 reinstalling with a backup configuration 58 replicated instances 43 requirements overview 7 security servers 50 silent 41 silent installation properties 43 single server 38 supported operating systems 8 virtualization software requirements 8 View desktops, configuring direct
