View Installation
VMware Horizon 6
Version 6.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

View Installation
1 System Requirements for Server Components
  View Connection Server Requirements
  View Administrator Requirements
  View Composer Requirements
2 System Requirements for Guest Operating Systems
  Supported Operating Systems for View Agent
  Supported Operating Systems for Standalone View Persona Management
  Remote Display Protocol and Software Support
3 Installing View in an IPv6 Environment
  Setting Up View in an IPv6 Environment
  Supported vSphere , Dat
  Configuring an SSL Certificate for View Composer
  Install the View Composer Service
  Configuring Your Infrastructure for View Composer
7 Installing View Connection Server
  Installing the View Connection Server Software
  Installation Prerequisites for View Connection Server
  Install View Connection Server with a New Configuration
  Install a Replicated Instance of View Connection Server
  Configure a Security Server Pairing Password
  Install a Security Server
  Firewa
View Installation

View Installation explains how to install the VMware Horizon™ 6 server and client components.

Intended Audience

This information is intended for anyone who wants to install VMware Horizon 6. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.
Chapter 1 System Requirements for Server Components

Hosts that run View server components must meet specific hardware and software requirements.
Hardware Requirements for View Connection Server

You must install all View Connection Server installation types, including standard, replica, and security server installations, on a dedicated physical or virtual machine that meets specific hardware requirements.

Table 1‑1. View Connection Server Hardware Requirements
Hardware Component | Required | Recommended
Processor | Pentium IV 2.
Network Requirements for Replicated View Connection Server Instances

When installing replicated View Connection Server instances, you must usually configure the instances in the same physical location and connect them over a high-performance LAN. Otherwise, latency issues could cause the View LDAP configurations on View Connection Server instances to become inconsistent.
View Composer Requirements

With View Composer, you can deploy multiple linked-clone desktops from a single centralized base image. View Composer has specific installation and storage requirements.

- Supported Operating Systems for View Composer on page 10
  View Composer supports 64-bit operating systems with specific requirements and limitations. You can install View Composer on the same physical or virtual machine as vCenter Server or on a separate server.
Table 1‑4. View Composer Hardware Requirements (Continued)
Hardware Component | Required | Recommended
Memory | 4GB RAM or higher | 8GB RAM or higher for deployments of 50 or more remote desktops
Disk space | 40GB | 60GB

IMPORTANT The physical or virtual machine that hosts View Composer must have an IP address that does not change. In an IPv4 environment, configure a static IP address.
Table 1‑5. Supported Database Servers for View Composer and for the Events Database (Continued)
Database | Service Packs/Releases | Editions
Oracle 12c | Release 1 (any release up to 12.1.0.2) | Standard One, Standard, Enterprise
Oracle 11g (32- and 64-bit) | Release 2 (11.2.0.4) | Standard One, Standard, Enterprise

NOTE The following versions are no longer supported: Oracle 10g Release 2, Oracle 11g Release 1, , Microsoft SQL Server 2008 R2 SP1, Microsoft SQL Server 2012 with no SP.
Chapter 2 System Requirements for Guest Operating Systems

Systems running View Agent or Standalone View Persona Management must meet certain hardware and software requirements.
You can install the standalone version of View Persona Management on physical computers. See “Supported Operating Systems for Standalone View Persona Management,” on page 14.

The following table lists the Windows operating systems versions that are supported for creating desktop pools and application pools on an RDS host.

Table 2‑2.
- Microsoft RDP on page 16
  Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data.
Recommended Guest Operating System Settings

1GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen mode, or 720p or higher formatted video. To use Virtual Dedicated Graphics Acceleration for graphics-intensive applications such as CAD applications, 4GB of RAM is required.

Video Quality Requirements

480p-formatted video
You can play video at 480p or lower at native resolutions when the remote desktop has a single virtual CPU.
- Users outside the corporate firewall can use this protocol with your company's virtual private network (VPN), or users can make secure, encrypted connections to a View security server in the corporate DMZ.

Hardware Requirements for Client Systems

For information about processor and memory requirements, see the "Using VMware Horizon Client" document for the specific type of client system. Go to https://www.vmware.
Chapter 3 Installing View in an IPv6 Environment

View supports IPv6 as an alternative to IPv4. The environment must be either IPv6 only or IPv4 only. View does not support a mixed IPv6 and IPv4 environment.

Not all View features that are supported in an IPv4 environment are supported in an IPv6 environment. View does not support upgrading from an IPv4 environment to an IPv6 environment. Also, View does not support migration between IPv4 and IPv6 environments.
- Setting the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 113.
- Modifying the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 113.
- Installing View Agent. See the View Agent installation topics in the Setting Up Desktop and Application Pools document.
- Installing Horizon Client for Windows. See the VMware Horizon Client for Windows document in https://www.vmware.
Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment

In an IPv6 environment, View supports specific Windows operating systems for desktop machines and RDS hosts. RDS hosts provide session-based desktops and applications to users.

The following Windows operating systems are supported for desktop machines.
- HTML Access through Blast Secure Gateway

Supported Authentication Types in an IPv6 Environment

In an IPv6 environment, View supports specific authentication types.
- Scanner redirection
- USB redirection
- Multimedia redirection (MMR)
- Real-time audio-video (RTAV)
- Persona Management
- vRealize Operations Desktop Agent
- Lync
- Syslog
- Log Insight
- Serial redirection
- Flash URL redirection
- Teradici TERA host card
Chapter 4 Installing View in FIPS Mode

View can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms. You can enable the use of these algorithms by installing View in FIPS mode.

Not all View features are supported in FIPS mode. Also, View does not support upgrading from a non-FIPS installation to a FIPS installation.

NOTE To ensure that View runs in FIPS mode, you must enable FIPS when you install all View components.
- When installing View Agent, select the FIPS mode option. See the View Agent installation topics in the Setting Up Desktop and Application Pools document.
- When installing Horizon Client for Windows, select the FIPS mode option. See the VMware Horizon Client for Windows document in https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html. Only Windows clients are supported.
Chapter 5 Preparing Active Directory

View uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with View.
You can place View Agent machines, View Composer servers, and users and groups, in the following Active Directory domains:

- The View Connection Server domain
- A different domain that has a two-way trust relationship with the View Connection Server domain
- A domain in a different forest than the View Connection Server domain that is trusted by the View Connection Server domain in a one-way external or realm trust relationship
- A domain in a different forest than the View Connect
Creating an OU for Remote Desktops

You should create an organizational unit (OU) specifically for your remote desktops. An OU is a subdivision in Active Directory that contains users, groups, computers, or other OUs.

To prevent group policy settings from being applied to other Windows servers or workstations in the same domain as your desktops, you can create a GPO for your View group policies and link it to the OU that contains your remote desktops.
Creating a User Account for a Standalone View Composer Server

If you install View Composer on a different machine than vCenter Server, you must create a domain user account in Active Directory that View can use to authenticate to the View Composer service on the standalone machine.

The user account must be in the same domain as your View Connection Server host or in a trusted domain. You must add the user account to the local Administrators group on the standalone View Composer machine.
What to do next

Specify the account in View Administrator when you configure View Composer domains in the Add vCenter Server wizard and when you configure and deploy linked-clone desktop pools.

Configure the Restricted Groups Policy

To be able to connect to a remote desktop, users must belong to the local Remote Desktop Users group of the remote desktop.
Prepare Active Directory for Smart Card Authentication

You might need to perform certain tasks in Active Directory when you implement smart card authentication.

- Add UPNs for Smart Card Users on page 32
  Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users and administrators that use smart cards to authenticate in View must have a valid UPN.
Add the Root Certificate to Trusted Root Certification Authorities

If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

Procedure

1 On the Active Directory server, navigate to the Group Policy Management plug-in.
2 Expand the Computer Configuration section and open the policy for Windows Settings\Security Settings\Public Key.
3 Right-click Intermediate Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.cer) and click OK.
5 Close the Group Policy window.

All of the systems in the domain now have a copy of the intermediate certificate in their intermediate certification authority store.
The cipher suites are listed above on separate lines for readability. When you paste the list into the text box, the cipher suites must be on one line with no spaces after the commas.

6 Exit the Group Policy Management Editor.
7 Restart the View Composer and View Agent machines for the new group policy to take effect.
Chapter 6 Installing View Composer

To use View Composer, you create a View Composer database, install the View Composer service, and optimize your View infrastructure to support View Composer. You can install the View Composer service on the same host as vCenter Server or on a separate host.

View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop pools. You must have a license to install and use the View Composer feature.
- Create a SQL Server Database for View Composer on page 38
  View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it.
- Create an Oracle Database for View Composer on page 41
  View Composer can store linked-clone desktop information in an Oracle 12c or 11g database.
4 In the New Database dialog box, type a name in the Database name text box.
  For example: ViewComposer
5 Click OK.
  SQL Server Management Studio adds your database to the Databases entry in the Object Explorer panel.
6 Exit Microsoft SQL Server Management Studio.
6 In the View Composer database, grant the schema permissions SELECT, INSERT, DELETE, UPDATE, and EXECUTE on the dbo schema to the VCMP_USER_ROLE.
7 Grant the VCMP_USER_ROLE to the user [vcmpuser].
8 Grant the VCMP_ADMIN_ROLE to the user [vcmpuser].
9 In the MSDB database, create the database role VCMP_ADMIN_ROLE.
10 Grant privileges to the VCMP_ADMIN_ROLE in MSDB.
   a On the MSDB tables syscategories, sysjobsteps, and sysjobs grant the SELECT permission to the user [vcmpuser].
6 In the Server text box, type the SQL Server database name.
  Use the form host_name\server_name, where host_name is the name of the computer and server_name is the SQL Server instance.
  For example: VCHOST1\VIM_SQLEXP
7 Click Next.
8 Make sure that the Connect to SQL Server to obtain default settings for the additional configuration options check box is selected and select an authentication option.
Add a View Composer Database to Oracle 12c or 11g

You can use the Oracle Database Configuration Assistant to add a new View Composer database to an existing Oracle 12c or 11g instance.

Prerequisites

Verify that a supported version of Oracle 12c or 11g is installed on the local or remote computer. See “Database Requirements for View Composer and the Events Database,” on page 11.
Procedure

1 Log in to a SQL*Plus session with the system account.
2 Run the following SQL statement to create the database.

    CREATE SMALLFILE TABLESPACE "VCMP" DATAFILE '/u01/app/oracle/oradata/vcdb/vcmp01.dbf'
    SIZE 512M AUTOEXTEND ON NEXT 10M MAXSIZE UNLIMITED LOGGING EXTENT MANAGEMENT LOCAL SEGMENT
    SPACE MANAGEMENT AUTO;

  In this example, VCMP is the sample name of the View Composer database and vcmp01.dbf is the name of the database file.
Add an ODBC Data Source to Oracle 12c or 11g

After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.

When you configure an ODBC DSN for View Composer, secure the underlying database connection to an appropriate level for your environment. For information about securing database connections, see the Oracle database documentation.
For details about configuring SSL certificates and using the SviConfig ReplaceCertificate utility, see Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.

If you install vCenter Server and View Composer on the same Windows Server computer, they can use the same SSL certificate, but you must configure the certificate separately for each component.

Install the View Composer Service

To use View Composer, you must install the View Composer service.
4 Accept or change the destination folder.
5 Type the DSN for the View Composer database that you provided in the Microsoft or Oracle ODBC Data Source Administrator wizard.
  For example: VMware View Composer
  NOTE If you did not configure a DSN for the View Composer database, click ODBC DSN Setup to configure a name now.
6 Type the domain administrator user name and password that you provided in the ODBC Data Source Administrator wizard.
Configuring Your Infrastructure for View Composer

You can take advantage of features in vSphere, vCenter Server, Active Directory, and other components of your infrastructure to optimize the performance, availability, and reliability of View Composer.

Configuring the vSphere Environment for View Composer

To support View Composer, you should follow certain best practices when you install and configure vCenter Server, ESXi, and other vSphere components.
Chapter 7 Installing View Connection Server

To use View Connection Server, you install the software on supported computers, configure the required components, and, optionally, optimize the components.
- You must join the View Connection Server host to an Active Directory domain. View Connection Server supports the following Active Directory Domain Services (AD DS) domain functional levels:
  - Windows Server 2003
  - Windows Server 2008
  - Windows Server 2008 R2
  - Windows Server 2012
  - Windows Server 2012 R2
  The View Connection Server host must not be a domain controller.
By default, the HTML Access component is installed on the View Connection Server host when you install View Connection Server. This component configures the View user portal page to display an HTML Access icon in addition to the Horizon Client icon. The additional icon allows users to select HTML Access when they connect to their desktops.
4 Accept or change the destination folder.
5 Select the View Standard Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
  You must install all View components with the same IP version.
7 Select whether to enable or disable FIPS mode.
  This option is available only if FIPS mode is enabled in Windows.
8 Make sure that Install HTML Access is selected if you intend to allow users to connect to their desktops by using HTML Access.
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services

For information about these services, see the View Administration document.
- If you plan to pair a security server with this View Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
- VMware VDMDS, which provides View LDAP directory services

If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer. This component configures the HTML Access icon in the View user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in the Windows Firewall.
Table 7‑1. MSI Properties for Silently Installing View Connection Server in a Standard Installation (Continued)
MSI Property | Description | Default Value
VDM_IP_PROTOCOL_USAGE | Specifies the IP version that View components use for communication. The possible values are IPv4 and IPv6. | IPv4
VDM_FIPS_ENABLED | Specifies whether to enable or disable FIPS mode. A value of 1 enables FIPS mode. A value of 0 disables FIPS mode.
- Verify that the computers on which you install replicated View Connection Server instances are connected over a high-performance LAN. See “Network Requirements for Replicated View Connection Server Instances,” on page 9.
- Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 49.
- If you install a replicated View Connection Server instance that is View 5.
11 Choose how to configure the Windows Firewall service.

   Option | Action
   Configure Windows Firewall automatically | Let the installer configure Windows Firewall to allow the required network connections.
   Do not configure Windows Firewall | Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall.

12 Complete the installation wizard to finish installing the replicated instance.
Install a Replicated Instance of View Connection Server Silently

You can use the silent installation feature of the Microsoft Windows Installer (MSI) to install a replicated instance of View Connection Server on several Windows computers. In a silent installation, you use the command line and do not have to respond to wizard prompts.

With silent installation, you can efficiently deploy View components in a large enterprise.
Procedure

1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
  Under Desktop & End-User Computing, select the VMware Horizon 6 download, which includes View Connection Server.
  The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
What to do next

Configure an SSL server certificate for the View Connection Server instance. See Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.

You do not have to perform an initial View configuration on a replicated instance of View Connection Server. The replicated instance inherits its configuration from the existing View Connection Server instance.
Table 7‑2. MSI Properties for Silently installing a Replicated Instance of View Connection Server (Continued)
MSI Property | Description | Default Value
VDM_IP_PROTOCOL_USAGE | Specifies the IP version that View components use for communication. The possible values are IPv4 and IPv6 | IPv4
VDM_FIPS_ENABLED | Specifies whether to enable or disable FIPS mode. A value of 1 enables FIPS mode. A value of 0 disables FIPS mode.
Prerequisites

- Determine the type of topology to use. For example, determine which load balancing solution to use. Decide if the View Connection Server instances that are paired with security servers will be dedicated to users of the external network. For information, see the View Architecture Planning document.
  IMPORTANT If you use a load balancer, it must have an IP address that does not change. In an IPv4 environment, configure a static IP address.
5 Select the View Security Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
  You must install all View components with the same IP version.
7 Select whether to enable or disable FIPS mode.
  This option is available only if FIPS mode is enabled in Windows.
8 Type the fully qualified domain name or IP address of the View Connection Server instance to pair with the security server in the Server text box.
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Blast Secure Gateway

For information about these services, see the View Administration document.

The security server appears in the Security Servers pane in View Administrator.

The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server.
- Configure a security server pairing password. See “Configure a Security Server Pairing Password,” on page 62.
- Familiarize yourself with the format of external URLs. See “Configuring External URLs for Secure Gateway and Tunnel Connections,” on page 112.
- Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles.
The security server appears in the Security Servers pane in View Administrator.

The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.
Table 7‑3. MSI Properties for Silently Installing a Security Server (Continued)
MSI Property | Description | Default Value
FWCHOICE | The MSI property that determines whether to configure a firewall for the View Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. For example: FWCHOICE=1 This MSI property is optional. | 1
VDM_SERVER_SS_PCOIP_IPADDR | The PCoIP Secure Gateway external IP address.
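The rules this guide states for these MSI properties (one IP version for all View components, FIPS enabled on every component if View is to run in FIPS mode, FWCHOICE of 1 or 2) can be checked before a silent rollout. The following PowerShell is an added example, not code from the VMware documentation; the host names and property strings are constructed, and the function names are hypothetical.

```powershell
# Added example (not from the VMware documentation). Host names and property
# strings are constructed sample data; the function names are hypothetical.
$plan = [ordered]@{
    'cs01.example.test' = 'VDM_IP_PROTOCOL_USAGE=IPv4 VDM_FIPS_ENABLED=1 FWCHOICE=1'
    'cs02.example.test' = 'VDM_IP_PROTOCOL_USAGE=IPv4 VDM_FIPS_ENABLED=0'
    'ss01.example.test' = 'VDM_IP_PROTOCOL_USAGE=IPv6 VDM_FIPS_ENABLED=1 FWCHOICE=2'
}

function ConvertFrom-MsiPropertyString {
    # Splits 'NAME=value NAME2="quoted value"' into a hashtable of properties.
    param([Parameter(Mandatory)][string]$Text)
    $props = @{}
    $pattern = '(?<name>[A-Z_][A-Z0-9_]*)=(?:"(?<value>[^"]*)"|(?<value>\S+))'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $props[$m.Groups['name'].Value] = $m.Groups['value'].Value
    }
    return $props
}

function Test-ViewInstallPlan {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Plan)

    # One row per server, with the defaults from the property tables applied.
    # The default for VDM_FIPS_ENABLED is cut off in the tables on this page,
    # so an absent value is reported instead of assumed.
    $rows = foreach ($server in $Plan.Keys) {
        $p = ConvertFrom-MsiPropertyString -Text $Plan[$server]
        [pscustomobject]@{
            Server = $server
            Ip     = if ($p.ContainsKey('VDM_IP_PROTOCOL_USAGE')) { $p['VDM_IP_PROTOCOL_USAGE'] } else { 'IPv4' }
            Fips   = if ($p.ContainsKey('VDM_FIPS_ENABLED')) { $p['VDM_FIPS_ENABLED'] } else { $null }
            Fw     = if ($p.ContainsKey('FWCHOICE')) { $p['FWCHOICE'] } else { '1' }
        }
    }

    $findings = @()
    foreach ($r in $rows) {
        if ($r.Ip -cnotin 'IPv4', 'IPv6') {
            $findings += "$($r.Server): VDM_IP_PROTOCOL_USAGE=$($r.Ip) is not IPv4 or IPv6"
        }
        if ($null -eq $r.Fips) {
            $findings += "$($r.Server): VDM_FIPS_ENABLED is not set; state it explicitly"
        } elseif ($r.Fips -cnotin '0', '1') {
            $findings += "$($r.Server): VDM_FIPS_ENABLED=$($r.Fips) is not 0 or 1"
        }
        if ($r.Fw -cnotin '1', '2') {
            $findings += "$($r.Server): FWCHOICE=$($r.Fw) is not 1 or 2"
        } elseif ($r.Fw -eq '2') {
            $findings += "$($r.Server): FWCHOICE=2, Windows Firewall rules must be configured manually"
        }
    }

    # All View components must be installed with the same IP version.
    $ipGroups = @($rows | Group-Object -Property Ip)
    if ($ipGroups.Count -gt 1) {
        $detail = ($ipGroups | ForEach-Object { "$($_.Name): $($_.Group.Server -join ', ')" }) -join '; '
        $findings += "Mixed IP versions across components [$detail]"
    }

    # FIPS mode must be enabled on all components, not on a subset.
    $fipsOn  = @($rows | Where-Object { $_.Fips -eq '1' })
    $fipsOff = @($rows | Where-Object { $_.Fips -ne '1' })
    if ($fipsOn.Count -gt 0 -and $fipsOff.Count -gt 0) {
        $findings += "FIPS enabled on $($fipsOn.Server -join ', ') but not on $($fipsOff.Server -join ', ')"
    }

    return $findings
}

$issues = @(Test-ViewInstallPlan -Plan $plan)
if ($issues.Count -eq 0) { 'Plan is consistent.' } else { $issues }
```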
Remove IPsec Rules for the Security Server

Before you can upgrade or reinstall a security server instance, you must remove the current IPsec rules that govern communication between the security server and its paired View Connection Server instance. If you do not take this step, the upgrade or reinstallation fails.

IMPORTANT This task pertains to View 5.1 and later security servers. It does not apply to View 5.0.x and earlier security servers.
Firewall Rules for View Connection Server

Certain ports must be opened on the firewall for View Connection Server instances and security servers.

When you install View Connection Server, the installation program can optionally configure the required Windows Firewall rules for you. These rules open the ports that are used by default.
Configuring a Back-End Firewall to Support IPsec

If your network topology includes a back-end firewall between security servers and View Connection Server instances, you must configure certain protocols and ports on the firewall to support IPsec. Without proper configuration, data sent between a security server and View Connection Server instance will fail to pass through the firewall.
You might also use this procedure when you set up a second datacenter with the existing View configuration. Or you might use it if your View deployment contains only a single View Connection Server instance, and a problem occurs with that server.

You do not have to follow this procedure if you have multiple View Connection Server instances in a replicated group, and a single instance goes down. You can simply reinstall View Connection Server as a replicated instance.
Microsoft Windows Installer Command-Line Options

To install View components silently, you must use Microsoft Windows Installer (MSI) command-line options and properties. The View component installers are MSI programs and use standard MSI features.

For details about MSI, see the Microsoft Web site. For MSI command-line options, see the Microsoft Developer Network (MSDN) Library Web site and search for MSI command-line options.
Table 7‑8. MSI Command-Line Options and MSI Properties (Continued)
MSI Option or Property | Description
ADDLOCAL | Determines the component-specific options to install. In an interactive installation, the View installer displays custom setup options that you can select or deselect. In a silent installation, you can use the ADDLOCAL property to selectively install individual setup options by specifying the options on the command line.
Uninstalling View Components Silently by Using MSI Command-Line Options

You can uninstall View components by using Microsoft Windows Installer (MSI) command-line options.

Syntax

    msiexec.exe /qb /x product_code

Options

The /qb option displays the uninstall progress bar. To suppress displaying the uninstall progress bar, replace the /qb option with the /qn option.

The /x option uninstalls the View component.
Chapter 8 Configuring SSL Certificates for View Servers

VMware strongly recommends that you configure SSL certificates for authentication of View Connection Server instances, security servers, and View Composer service instances.

A default SSL server certificate is generated when you install View Connection Server instances, security servers, or View Composer instances. You can use the default certificate for testing purposes.

IMPORTANT Replace the default certificate as soon as possible.
- If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on the Windows Server computer. The installation extracts the keys and certificates and imports them into the Windows Certificate Store.

vCenter Server and View Composer

Before you add vCenter Server and View Composer to View in a production environment, make sure that vCenter Server and View Composer use certificates that are signed by a CA.
Similarly, if a SAML 2.0 authenticator is configured for View Connection Server, the View Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.

Overview of Tasks for Setting Up SSL Certificates

To set up SSL server certificates for View servers, you must perform several high-level tasks.
If a SAML authenticator is configured for use with a View Connection Server instance, View Connection Server also performs certificate revocation checking on the SAML server certificate.

Obtaining a Signed SSL Certificate from a CA

If your organization does not provide you with an SSL server certificate, you must request a new certificate that is signed by a CA.

You can use several methods to obtain a new signed certificate.
- Verify that you have the appropriate credentials to request a certificate that can be issued to a computer or service.

Procedure

1 In the MMC window on the Windows Server host, expand the Certificates (local computer) node and select the Personal folder.
2 From the Action menu, go to All Tasks > Request New Certificate to display the Certificate Enrollment wizard.
3 Select a Certificate Enrollment Policy.
2 Import a Signed Server Certificate into a Windows Certificate Store
You must import the SSL server certificate into the Windows local computer certificate store on the Windows Server host on which the View Connection Server instance or security server service is installed.
For more information about certificates, consult the Microsoft online help available with the Certificate snap-in to MMC.

NOTE If you off-load SSL connections to an intermediate server, you must import the same SSL server certificate onto both the intermediate server and the off-loaded View server. For details, see "Off-load SSL Connections to Intermediate Servers" in the View Administration document.
3 On the General tab, delete the Friendly name text and type vdm.
4 Click Apply and click OK.
5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of vdm.
a Locate any other server certificate, right-click the certificate, and click Properties.
b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.
2 Right-click the Trusted Root Certification Authorities > Certificates folder and click All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the root CA certificate is stored.
4 Select the root CA certificate file and click Open.
5 Click Next, click Next, and click Finish.
6 Restart the View Composer service to make your changes take effect.
2 On the Active Directory server, navigate to the Group Policy Management plug-in.

AD Version / Navigation Path
Windows 2003
a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
b Right-click your domain and click Properties.
c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
d Right-click Default Domain Policy, and click Edit.
Windows 2008 a b
Configure Horizon Client for iOS to Trust Root and Intermediate Certificates

If a server certificate is signed by a CA that is not trusted by iPads and iPhones that run Horizon Client for iOS, you can configure the device to trust the root and intermediate certificates. You must distribute the root certificate and all intermediate certificates in the trust chain to the devices.

Procedure
1 Send the root certificate and intermediate certificates as email attachments to the iPad.
Value / Description
1 Do not perform certificate revocation checking.
2 Check only the server certificate. Do not check any other certificates in the chain.
3 Check all certificates in the chain.
4 (Default) Check all certificates except the root certificate.

If this registry value is not set, or if the value set is not valid (that is, if the value is not 1, 2, 3, or 4), all certificates are checked except the root certificate.
2 Configure a PSG Certificate in the Windows Certificate Store
To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the View Connection Server or security server computer on which the PSG is running.
Prerequisites
- Verify that the key length is at least 1024 bits.
- Verify that the SSL certificate is valid. The current time on the server computer must be within the certificate start and end dates.
- Verify that the certificate subject name or a subject alternate name matches the SSLCertPsgSni setting in the Windows registry. See “Verify That the Server Name Matches the PSG Certificate Subject Name.”
Set the PSG Certificate Friendly Name in the Windows Registry

The PSG identifies the SSL certificate to use by means of the server name and certificate Friendly name. You must set the Friendly name value in the Windows registry on the View Connection Server or security server computer on which the PSG is running. The certificate Friendly name vdm is used by all View Connection Server instances and security servers.
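The certificate prerequisites in this chapter (a single certificate with the Friendly name vdm, a private key, a key length of at least 1024 bits, a current validity period, and a subject or subject alternate name that matches the server name) can be checked in one pass. The following PowerShell is an added example, not part of the VMware documentation. It assumes .NET Framework 4.6 or later; the server name is a placeholder, Test-NameMatch is a hypothetical helper, and its wildcard rule is conventional hostname matching rather than documented PSG behavior.

```powershell
# Added example (not VMware code): read-only audit of the local computer
# Personal store against the certificate prerequisites in this chapter.
param(
    [string]$FriendlyName = 'vdm',
    # Placeholder: the name clients use to reach this server; for the PSG,
    # the value configured in the SSLCertPsgSni registry setting.
    [string]$ServerName = 'view.example.com',
    # The chapter's stated minimum; raise it to match local policy.
    [int]$MinKeyBits = 1024
)

# Hypothetical helper. Exact match, or one wildcard label on the left
# (conventional hostname matching, assumed rather than documented here).
function Test-NameMatch {
    param([string]$Pattern, [string]$Name)
    if ($Pattern -ieq $Name) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)   # "*.example.com" -> ".example.com"
        if ($Name.Length -gt $suffix.Length -and
            $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            $label = $Name.Substring(0, $Name.Length - $suffix.Length)
            return (-not $label.Contains('.'))
        }
    }
    return $false
}

# Every certificate in Personal > Certificates carrying the Friendly name.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName })

$now = Get-Date
$report = foreach ($cert in $candidates) {
    # Returns $null for non-RSA keys; KeyLengthOk is then reported as False.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $bits = if ($rsa) { $rsa.KeySize } else { $null }
    # DnsNameList is added by the PowerShell certificate provider and holds
    # the subject common name plus any DNS subject alternate names.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        Subject          = $cert.Subject
        HasPrivateKey    = $cert.HasPrivateKey
        KeyBits          = $bits
        KeyLengthOk      = ($null -ne $bits -and $bits -ge $MinKeyBits)
        InValidityPeriod = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        NameMatches      = [bool]($names | Where-Object { Test-NameMatch $_ $ServerName })
    }
}
$report | Format-List

# The procedure requires that only one certificate carries the Friendly name.
if ($candidates.Count -ne 1) {
    Write-Warning ("Expected exactly one certificate with Friendly name '{0}' in LocalMachine\My, found {1}." -f $FriendlyName, $candidates.Count)
}
```

Any False value in the report, or the warning about the certificate count, points to the prerequisite that still needs attention before the server or PSG is restarted.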
Prerequisites
Verify that all client devices that connect to this server, including thin clients, run Horizon Client 5.2 for Windows or Horizon Client 2.0 or later releases. You must upgrade the legacy clients.

Procedure
1 Start the Windows Registry Editor on the View Connection Server or security server computer where the PCoIP Secure Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
Troubleshooting Certificate Issues on View Connection Server and Security Server

Certificate issues on a View server prevent you from connecting to View Administrator or cause a red health indicator to be displayed for a server.

Problem
You cannot connect to View Administrator on the View Connection Server instance with the problem.
Chapter 9 Configuring View for the First Time

After you install the View server software and configure SSL certificates for the servers, you must take a few additional steps to set up a working View environment. You configure user accounts for vCenter Server and View Composer, install a View license key, add vCenter Server and View Composer to your View environment, configure the PCoIP Secure Gateway and secure tunnel, and, optionally, size Windows Server settings to support your View environment.
Where to Use the vCenter Server User and View Composer Users

After you create and configure these user accounts, you specify the user names in View Administrator.
- You specify a vCenter Server user when you add vCenter Server to View.
- You specify a standalone View Composer Server user when you configure View Composer settings and select Standalone View Composer Server.
- You specify a View Composer user for AD operations when you configure View Composer domains.
2 In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add Permission, and add the vCenter Server user.
NOTE You must define the vCenter Server user at the vCenter Server level.
3 From the drop-down menu, select the Administrator role, or the View Composer or View Manager role that you created, and assign it to the vCenter Server user.
Table 9‑1. Privileges Required for the View Manager Role (Continued)
Privilege Group / Privileges to Enable
Host: In Configuration: Advanced settings
Profile Driven Storage (If you are using Virtual SAN datastores or Virtual Volumes): (all)

View Composer Privileges Required for the vCenter Server User

To support View Composer, the vCenter Server user must have privileges in addition to those required to support View.
View Administrator and View Connection Server

View Administrator provides a management interface for View. Depending on your View deployment, you use one or more View Administrator interfaces.
- Use one View Administrator interface to manage the View components that are associated with a single, standalone View Connection Server instance or a group of replicated View Connection Server instances.
2 Log in as a user with credentials to access the View Administrators account. You specify the View Administrators account when you install a standalone View Connection Server instance or the first View Connection Server instance in a replicated group. The View Administrators account can be the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer or a domain user or group account.
In a testing environment, you can use the default certificate that is installed with vCenter Server, but you must accept the certificate thumbprint when you add vCenter Server to View.
- Verify that all View Connection Server instances in the replicated group trust the root CA certificate for the server certificate that is installed on the vCenter Server host.
What to do next
Configure View Composer settings.
- If the vCenter Server instance is configured with a signed SSL certificate, and View Connection Server trusts the root certificate, the Add vCenter Server wizard displays the View Composer Settings page.
- If the vCenter Server instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL Certificate.”
3 If you are using View Composer, select the location of the View Composer machine.

Option / Description
View Composer is installed on the same machine as vCenter Server.
a Select View Composer co-installed with the vCenter Server.
b Make sure that the port number is the same as the port that you specified when you installed the View Composer service on vCenter Server. The default port number is 18443.
View Composer is installed on its own separate machine.
3 Type the domain user name, including the domain name, of the View Composer user. For example: domain.com\admin
4 Type the account password.
5 Click OK.
6 To add domain user accounts with privileges in other Active Directory domains in which you deploy linked-clone pools, repeat the preceding steps.
7 Click Next to display the Storage Settings page.

What to do next
Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.
View Composer Array Integration (VCAI) is not supported in pools that contain virtual machines with space-efficient disks. VCAI is not supported on linked clones that are virtual hardware version 9 or later, because these OS disks are always space-efficient, even when you disable the space reclamation operation. VCAI uses vStorage APIs for Array Integration (VAAI) native NFS snapshot technology to clone virtual machines.
View Storage Accelerator is now qualified to work in configurations that use View replica tiering, in which replicas are stored on a separate datastore than linked clones. Although the performance benefits of using View Storage Accelerator with View replica tiering are not materially significant, certain capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and supported.
Concurrent Operations Limits for vCenter Server and View Composer

When you add vCenter Server to View or edit the vCenter Server settings, you can configure several options that set the maximum number of concurrent operations that are performed by vCenter Server and View Composer. You configure these options in the Advanced Settings panel on the vCenter Server Information page. Table 9‑3.
For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support a peak power-on rate of 16 desktops per minute. The system waits a maximum of five minutes for a desktop to start. If the start time takes longer, other errors are likely to occur. To be conservative, you can set a concurrent power operations limit of 5 times the peak power-on rate.
Procedure
1 When View Administrator displays an Invalid Certificate Detected dialog box, click View Certificate.
2 Examine the certificate thumbprint in the Certificate Information window.
3 Examine the certificate thumbprint that was configured for the vCenter Server or View Composer instance.
a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows Certificate Store.
When the secure tunnel and secure gateways are disabled, desktop and application sessions are established directly between the client device and the remote machine, bypassing the View Connection Server or security server host. This type of connection is called a direct connection. Desktop and application sessions that use direct connections remain connected even if View Connection Server is no longer running.
4 Configure use of the PCoIP Secure Gateway.

Option / Description
Enable the PCoIP Secure Gateway: Select Use PCoIP Secure Gateway for PCoIP connections to machine.
Disable the PCoIP Secure Gateway: Deselect Use PCoIP Secure Gateway for PCoIP connections to machine.

The PCoIP Secure Gateway is disabled by default.
5 Click OK to save your changes.
Configuring External URLs for Secure Gateway and Tunnel Connections

To use the secure tunnel, a client system must have access to an IP address, or a fully qualified domain name (FQDN) that it can resolve to an IP address, that allows the client to reach a View Connection Server or security server host. To use the PCoIP Secure Gateway, a client connects to a View Connection Server or security server host using a URL. In an IPv4 environment, the URL must identify a host by its IP address.
Set the External URLs for a View Connection Server Instance

You use View Administrator to configure the external URLs for a View Connection Server instance. The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the addresses that client systems use to reach this View Connection Server instance.

Prerequisites
- Verify that the secure tunnel connections and the PCoIP Secure Gateway are enabled on the View Connection Server instance.
The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the addresses that client systems use to reach this security server.

Prerequisites
- Verify that the secure tunnel connections and the PCoIP Secure Gateway are enabled on the View Connection Server instance that is paired with this security server. See “Configure the PCoIP Secure Gateway and Secure Tunnel Connections.”
Give Preference to DNS Names When View Connection Server Returns Address Information

By default, when sending the addresses of desktop machines and RDS hosts to clients and gateways, View Connection Server gives preference to IP addresses. You can change this default behavior with a View LDAP attribute that tells View Connection Server to give preference to DNS names.
Replace the Default HTTP Ports or NICs for View Connection Server Instances and Security Servers

You can replace the default HTTP ports or NICs for a View Connection Server instance or security server by editing the locked.properties file on the server computer. Your organization might require you to perform these tasks to comply with organization policies or to avoid contention. The default SSL port is 443. The default non-SSL port is 80.
What to do next
If necessary, manually configure your Windows firewall to open the updated ports.

Replace the Default Ports or NICs for the PCoIP Secure Gateway on View Connection Server Instances and on Security Servers

You can replace the default ports or NICs that are used by a PCoIP Secure Gateway service that runs on a View Connection Server instance or security server.
Replace the Default Port for View Composer

The SSL certificate that is used by the View Composer service is bound to a certain port by default. You can replace the default port by using the SviConfig ChangeCertificateBindingPort utility. When you specify a new port with the SviConfig ChangeCertificateBindingPort utility, the utility unbinds the View Composer certificate from the current port and binds it to the new port.
Procedure
1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server computer. For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
The properties in the locked.properties file are case sensitive.
2 Add the following lines to the locked.properties file:
frontMappingHttpDisabled.1=5:*:moved:https::port
frontMappingHttpDisabled.
Sizing Windows Server Settings to Support Your Deployment

To support a large deployment of remote desktops, you can configure the Windows Server computers on which you install View Connection Server. On each computer, you can size the Windows page-file. On Windows Server 2008 R2 and Windows Server 2012 R2 computers, the ephemeral ports, TCB hash table, and Java Virtual Machine settings are sized by default.
Procedure
1 On the Windows Server computer on which View Connection Server is installed, navigate to the Virtual Memory dialog box. By default, Custom size is selected. An initial and maximum page-file size appear.
2 Click System managed size. Windows continually recalculates the system page-file size based on current memory use and available memory.
Chapter 10 Configuring Event Reporting

You can create an event database to record information about View events. In addition, if you use a Syslog server, you can configure View Connection Server to send events to a Syslog server or create a flat file of events written in Syslog format.
2 Add a user for this database that has permission to create tables, views, and, in the case of Oracle, triggers and sequences, as well as permission to read from and write to these objects. For a Microsoft SQL Server database, do not use the Integrated Windows Authentication security model method of authentication. Be sure to use the SQL Server Authentication method of authentication.
Configure the Event Database

The event database stores information about View events as records in a database rather than in a log file. You configure an event database after installing a View Connection Server instance. You need to configure only one host in a View Connection Server group. The remaining hosts in the group are configured automatically.
3 (Optional) In the Event Settings window, click Edit, change the length of time to show events and the number of days to classify events as new, and click OK. These settings pertain to the length of time the events are listed in the View Administrator interface. After this time, the events are only available in the historical database tables. The Database Configuration window displays the current configuration of the event database.
2 (Optional) In the Syslog area, to configure View Connection Server to send events to a Syslog server, click Add next to Send to syslog servers, and supply the server name or IP address and the UDP port number.
3 (Optional) To enable View event log messages to be generated and stored in Syslog format, in log files, select the Log to file: Enable check box. The log files are retained locally unless you specify a UNC path to a file share.