VMware View Architecture Planning
5.0
- Because VMware View manages the HTTPS connection, the reliability of the underlying protocols is significantly improved. If a user temporarily loses a network connection, the HTTP connection is reestablished after the network connection is restored and the RDP connection automatically resumes without requiring the user to reconnect and log in again.
In a standard deployment of View Connection Server instances, the HTTPS secure connection terminates at
the View Connection Server. In a DMZ deployment, the HTTPS secure connection terminates at a security
server. See “Preparing to Use a Security Server,” on page 58 for information on DMZ deployments and
security servers.
Clients that use the PCoIP display protocol can use the tunnel connection for USB redirection and multimedia
redirection (MMR) acceleration, but for all other data, PCoIP uses the PCoIP Secure Gateway on a security
server. For more information, see “Client Connections Using the PCoIP Secure Gateway,” on page 52.
Direct Client Connections
Administrators can configure View Connection Server settings so that View desktop sessions are established
directly between the client system and the View desktop virtual machine, bypassing the View Connection
Server host. This type of connection is called a direct client connection.
With direct client connections, an HTTPS connection can still be made between the client and the View
Connection Server host for users to authenticate and select View desktops, but the second HTTPS connection
(the tunnel connection) is not used.
Direct PCoIP connections include the following built-in security features:
- PCoIP supports Advanced Encryption Standard (AES) encryption, which is turned on by default.
- The hardware implementation of PCoIP uses both AES and IP Security (IPsec).
- PCoIP works with third-party VPN clients.
For clients that use the Microsoft RDP display protocol, direct client connections are appropriate only if your
deployment is inside a corporate network. With direct client connections, RDP traffic is sent unencrypted over
the connection between the client and the View desktop virtual machine.
View Client with Local Mode Client Connections
View Client with Local Mode offers mobile users the ability to check out View desktops onto their local
computer.
View Client with Local Mode supports both tunneled and nontunneled communications for LAN-based data
transfers. With tunneled communications, all traffic is routed through the View Connection Server host, and
you can specify whether to encrypt communications and data transfers. With nontunneled communications,
unencrypted data is transferred directly between the local desktop on the client system and the View desktop
virtual machine in vCenter Server.
Local data is always encrypted on the user's computer, regardless of whether you configure tunneled or
nontunneled communications.
The data disk stored locally on client systems is encrypted using a default encryption strength of AES-128. The
encryption keys are stored encrypted on the client system with a key derived from a hash of the user's
credentials (username and password or smart card and PIN). On the server side, the key is stored in View
LDAP. Whatever security measures you use to protect View LDAP on the server also protect the local mode
encryption keys stored in LDAP.
NOTE You can change the encryption key cipher from AES-128 to AES-192 or AES-256.
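The key-protection scheme described above, as an added example in Go that is not VMware's code: a random disk key (16 bytes for the AES-128 default, 24 or 32 bytes for the AES-192/256 option in the note) is wrapped under a key-encryption key derived from a hash of the user's credentials, so a credential change re-wraps only the small blob, and a key derived from the wrong credentials fails authentication instead of yielding a wrong key. The salt, the SHA-256 derivation and AES-GCM as the wrapping cipher are assumptions for this example; the page does not specify View's actual construction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKEK models the page's "key derived from a hash of the user's credentials" (username and
// password, or smart card and PIN). SHA-256 over secret||salt is an assumption, not View's scheme.
func deriveKEK(user, secret string, salt []byte) [32]byte {
	return sha256.Sum256(append([]byte(user+"\x00"+secret), salt...)) // doubles as AES-256 KEK
}
func gcmFor(kek [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(kek[:]) // 32 bytes is always a valid AES-256 key
	g, _ := cipher.NewGCM(block)      // cannot fail for AES's 16-byte block size
	return g
}

// wrapKey encrypts the random disk key (16, 24 or 32 bytes for AES-128/192/256) under the KEK.
// Blob layout: nonce || ciphertext || GCM tag. A credential change re-wraps this blob only.
func wrapKey(kek [32]byte, diskKey []byte) ([]byte, error) {
	if l := len(diskKey); l != 16 && l != 24 && l != 32 {
		return nil, errors.New("disk key must be 16, 24 or 32 bytes")
	}
	g := gcmFor(kek)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, diskKey, nil), nil
}

// unwrapKey recovers the disk key; a KEK from the wrong credentials fails GCM authentication.
func unwrapKey(kek [32]byte, wrapped []byte) ([]byte, error) {
	g := gcmFor(kek)
	if n := g.NonceSize(); len(wrapped) >= n {
		return g.Open(nil, wrapped[:n], wrapped[n:], nil)
	}
	return nil, errors.New("wrapped blob too short")
}
func main() {
	salt, disk := []byte("constructed-salt"), make([]byte, 16) // AES-128 default from the page
	rand.Read(disk)                                             // error ignored in this demo only
	blob, _ := wrapKey(deriveKEK("alice", "pw", salt), disk)
	_, err := unwrapKey(deriveKEK("alice", "wrong-pw", salt), blob)
	fmt.Println("wrong credentials:", err) // cipher: message authentication failed
}
```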
Chapter 5 Planning for Security Features
VMware, Inc. 53