The desktop has a lifetime controlled through policy. If the client loses contact with View Connection Server,
the maximum time without server contact is the period in which the user can continue to use the desktop before
the user is refused access. On the client side, this expiration policy is stored in a file that is encrypted by a key
that is built into the application. This built-in key prevents users who have access to the password from
circumventing the expiration policy.
Choosing a User Authentication Method
VMware View uses your existing Active Directory infrastructure for user authentication and management.
For added security, you can integrate VMware View with RSA SecurID and smart card authentication
solutions.
- Active Directory Authentication on page 54
  Each View Connection Server instance is joined to an Active Directory domain, and users are
  authenticated against Active Directory for the joined domain. Users are also authenticated against any
  additional user domains with which a trust agreement exists.
- RSA SecurID Authentication on page 55
  RSA SecurID provides enhanced security with two-factor authentication, which requires knowledge of
  the user's PIN and token code. The token code is only available on the physical SecurID token.
- Smart Card Authentication on page 55
  A smart card is a small plastic card that is embedded with a computer chip. Many government agencies
  and large enterprises use smart cards to authenticate users who access their computer networks. A smart
  card is also referred to as a Common Access Card (CAC).
- Using the Log In as Current User Feature on page 55
  When View Client users select the Log in as current user check box, the credentials that they provided
  when logging in to the client system are used to authenticate to the View Connection Server instance and
  to the View desktop. No further user authentication is required.
Active Directory Authentication
Each View Connection Server instance is joined to an Active Directory domain, and users are authenticated
against Active Directory for the joined domain. Users are also authenticated against any additional user
domains with which a trust agreement exists.
For example, if a View Connection Server instance is a member of Domain A and a trust agreement exists
between Domain A and Domain B, users from both Domain A and Domain B can connect to the View
Connection Server instance with View Client.
Similarly, if a trust agreement exists between Domain A and an MIT Kerberos realm in a mixed domain
environment, users from the Kerberos realm can select the Kerberos realm name when connecting to the View
Connection Server instance with View Client.
View Connection Server determines which domains are accessible by traversing trust relationships, starting
with the domain in which the host resides. For a small, well-connected set of domains, View Connection Server
can quickly determine a full list of domains, but the time that it takes increases as the number of domains
increases or as the connectivity between the domains decreases. The list might also include domains that you
would prefer not to offer to users when they log in to their desktops.
Administrators can use the vdmadmin command-line interface to configure domain filtering, which limits the
domains that a View Connection Server instance searches and that it displays to users. See the VMware View
Administration document for more information.
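The traversal and filtering described above, as an added illustration that is not VMware code: a simplified model that follows every trust link transitively and reports which domains would be offered at logon. The domain names are constructed, and `skip_search` and `hide` are hypothetical parameters standing in for the two effects of domain filtering (what is searched, what is displayed); they are not vdmadmin options.

```python
from collections import deque

# Constructed trust map: each domain lists the domains it trusts.
TRUSTS = {
    "corp.example": ["emea.example", "apac.example", "partner.example"],
    "emea.example": ["corp.example", "lab.example"],
    "apac.example": ["corp.example"],
    "partner.example": ["partner-dev.example"],
    "lab.example": [],
    "partner-dev.example": [],
}


def enumerate_domains(trusts, home, skip_search=frozenset(), hide=frozenset()):
    """Breadth-first walk of trust links from the server's own domain.

    skip_search: domains neither queried nor listed, so anything reachable
                 only through them is never discovered (assumed semantics).
    hide:        domains still queried for onward trusts but left out of
                 the list shown at logon (assumed semantics).
    Returns (offered, queried): the sorted logon list and the number of
    domains queried, a rough proxy for enumeration time.
    """
    seen = {home}
    queue = deque([home])
    queried = 0
    while queue:
        domain = queue.popleft()
        queried += 1
        for trusted in trusts.get(domain, []):
            if trusted in seen or trusted in skip_search:
                continue
            seen.add(trusted)
            queue.append(trusted)
    return sorted(seen - set(hide)), queried


def audit(trusts, home, approved, **filters):
    """Return domains that would be offered at logon but are not approved."""
    offered, _ = enumerate_domains(trusts, home, **filters)
    return [d for d in offered if d not in approved]


if __name__ == "__main__":
    approved = {"corp.example", "emea.example", "apac.example"}
    print("unfiltered:", enumerate_domains(TRUSTS, "corp.example"))
    print("unapproved:", audit(TRUSTS, "corp.example", approved))
```

Running `audit` again with the proposed filter values shows whether the filter closes the gap before it is applied to a production Connection Server.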
Policies, such as restricting permitted hours to log in and setting the expiration date for passwords, are also
handled through existing Active Directory operational procedures.
VMware View Architecture Planning
54 VMware, Inc.