5.0
Table Of Contents
- VMware View Architecture Planning
- Contents
- VMware View Architecture Planning
- Introduction to VMware View
- Planning a Rich User Experience
- Feature Support Matrix
- Choosing a Display Protocol
- Using View Persona Management to Retain User Data and Settings
- Benefits of Using View Desktops in Local Mode
- Accessing USB Devices Connected to a Local Computer
- Printing from a View Desktop
- Streaming Multimedia to a View Desktop
- Using Single Sign-On for Logging In to a View Desktop
- Using Multiple Monitors with a View Desktop
- Managing Desktop Pools from a Central Location
- Architecture Design Elements and Planning Guidelines
- Virtual Machine Requirements
- VMware View ESX/ESXi Node
- Desktop Pools for Specific Types of Workers
- Desktop Virtual Machine Configuration
- vCenter and View Composer Virtual Machine Configuration and Desktop Pool Maximums
- View Connection Server Maximums and Virtual Machine Configuration
- View Transfer Server Virtual Machine Configuration and Storage
- vSphere Clusters
- VMware View Building Blocks
- VMware View Pod
- Planning for Security Features
- Understanding Client Connections
- Choosing a User Authentication Method
- Restricting View Desktop Access
- Using Group Policy Settings to Secure View Desktops
- Implementing Best Practices to Secure Client Systems
- Assigning Administrator Roles
- Preparing to Use a Security Server
- Understanding VMware View Communications Protocols
- Overview of Steps to Setting Up a VMware View Environment
- Index
RSA SecurID Authentication
RSA SecurID provides enhanced security with two-factor authentication, which requires knowledge of the
user's PIN and token code. The token code is only available on the physical SecurID token.
Administrators can enable individual View Connection Server instances for RSA SecurID authentication by
installing the RSA SecurID software on the View Connection Server host and modifying View Connection
Server settings.
When users log in through a View Connection Server instance that is enabled for RSA SecurID authentication,
they are first required to authenticate with their RSA user name and passcode. If they are not authenticated at
this level, access is denied. If they are correctly authenticated with RSA SecurID, they continue as normal and
are then required to enter their Active Directory credentials.
If you have multiple View Connection Server instances, you can configure RSA SecurID authentication on
some instances and a different user authentication method on others. For example, you can configure RSA
SecurID authentication only for users who access View desktops remotely over the Internet.
VMware View is certified through the RSA SecurID Ready program and supports the full range of SecurID
capabilities, including New PIN Mode, Next Token Code Mode, RSA Authentication Manager, and load
balancing.
Smart Card Authentication
A smart card is a small plastic card that is embedded with a computer chip. Many government agencies and
large enterprises use smart cards to authenticate users who access their computer networks. A smart card is
also referred to as a Common Access Card (CAC).
Smart card authentication is supported by the Windows-based View Client and View Client with Local Mode
only. It is not supported by View Administrator.
Administrators can enable individual View Connection Server instances for smart card authentication.
Enabling a View Connection Server instance to use smart card authentication typically involves adding your
root certificate to a truststore file and then modifying View Connection Server settings.
Client connections that use smart card authentication must be SSL enabled. Administrators can enable SSL for
client connections by setting a global parameter in View Administrator.
To use smart cards, client machines must have smart card middleware and a smart card reader. To install
certificates on smart cards, you must set up a computer to act as an enrollment station.
To use smart cards with local desktops, you must select a 1024-bit or 2048-bit key size during smart card
enrollment. Certificates with 512-bit keys are not supported for local desktops. By default, View Connection
Server uses AES-128 to encrypt the virtual disk file when users check in and check out a local desktop. You
can change the encryption key cipher to AES-192 or AES-256.
Using the Log In as Current User Feature
When View Client users select the Log in as current user check box, the credentials that they provided when
logging in to the client system are used to authenticate to the View Connection Server instance and to the View
desktop. No further user authentication is required.
To support this feature, user credentials are stored on both the View Connection Server instance and on the
client system.
n
On the View Connection Server instance, user credentials are encrypted and stored in the user session
along with the username, domain, and optional UPN. The credentials are added when authentication
occurs and are purged when the session object is destroyed. The session object is destroyed when the user
logs out, the session times out, or authentication fails. The session object resides in volatile memory and
is not stored in View LDAP or in a disk file.
Chapter 5 Planning for Security Features
VMware, Inc. 55