Implementing Best Practices to Secure Client Systems
You should implement best practices to secure client systems.
- Make sure that client systems are configured to go to sleep after a period of inactivity and require users
  to enter a password before the computer awakens.
- Require users to enter a username and password when starting client systems. Do not configure client
  systems to allow automatic logins.
- For Mac client systems, consider setting different passwords for the Keychain and the user account. When
  the passwords are different, users are prompted before the system enters any passwords on their behalf.
  Also consider turning on FileVault protection.
- Local mode client systems might have more network access when they are running in local mode than
  when they are remote and connected to the intranet. Consider enforcing intranet network security policies
  for local mode client systems or disabling network access for local mode client systems when they are
  running in local mode.
Assigning Administrator Roles
A key management task in a VMware View environment is to determine who can use View Administrator and
what tasks those users are authorized to perform.

The authorization to perform tasks in View Administrator is governed by an access control system that consists
of administrator roles and privileges. A role is a collection of privileges. Privileges grant the ability to perform
specific actions, such as entitling a user to a desktop pool or changing a configuration setting. Privileges also
control what an administrator can see in View Administrator.

An administrator can create folders to subdivide desktop pools and delegate the administration of specific
desktop pools to different administrators in View Administrator. An administrator configures administrator
access to the resources in a folder by assigning a role to a user on that folder. Administrators can only access
the resources that reside in folders for which they have assigned roles. The role that an administrator has on
a folder determines the level of access that the administrator has to the resources in that folder.

View Administrator includes a set of predefined roles. Administrators can also create custom roles by
combining selected privileges.
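
The folder-scoped role model described above, as an added sketch that is not VMware's code and does not use View Administrator's API. All role, privilege, folder, pool and user names are constructed for illustration, and tying visibility to a VIEW_POOL privilege is an assumption of this example.

```python
# Illustrative model of folder-scoped administrator roles.
# Every role, privilege, folder, pool and user name below is a constructed
# example, not one of View Administrator's predefined values.

# A role is a collection of privileges.
ROLES = {
    "pool-operator": {"VIEW_POOL", "ENTITLE_USER"},
    "pool-viewer": {"VIEW_POOL"},
    "config-admin": {"VIEW_POOL", "ENTITLE_USER", "CHANGE_SETTING"},
}

# Folders subdivide desktop pools: pool -> folder.
POOL_FOLDER = {"sales-win7": "Sales", "sales-kiosk": "Sales", "eng-dev": "Engineering"}

# A role is assigned to a user on a folder: (user, folder) -> role.
ASSIGNMENTS = {
    ("alice", "Sales"): "pool-operator",
    ("alice", "Engineering"): "pool-viewer",
    ("bob", "Engineering"): "config-admin",
}


def privileges_on(user, folder):
    """Privileges the user holds on a folder; empty when no role is assigned."""
    role = ASSIGNMENTS.get((user, folder))
    return ROLES.get(role, set())


def is_authorized(user, privilege, pool):
    """Deny by default: unknown pools and unassigned folders grant nothing."""
    folder = POOL_FOLDER.get(pool)
    return folder is not None and privilege in privileges_on(user, folder)


def visible_pools(user):
    """Pools the user can see (assumption: visibility needs VIEW_POOL on the folder)."""
    return sorted(p for p in POOL_FOLDER if is_authorized(user, "VIEW_POOL", p))


def holders_of(privilege):
    """Access review: every (user, folder) assignment that carries a privilege."""
    return sorted((u, f) for (u, f), r in ASSIGNMENTS.items()
                  if privilege in ROLES.get(r, set()))


if __name__ == "__main__":
    print(is_authorized("alice", "ENTITLE_USER", "sales-win7"))
    print(visible_pools("bob"))
    print(holders_of("CHANGE_SETTING"))
```

Running `holders_of` for each sensitive privilege gives a quick delegation review: any user and folder pair that appears unexpectedly is a role assignment to revisit.
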
Preparing to Use a Security Server
A security server is a special instance of View Connection Server that runs a subset of View Connection Server
functions. You can use a security server to provide an additional layer of security between the Internet and
your internal network.

A security server resides within a DMZ and acts as a proxy host for connections inside your trusted network.
Each security server is paired with an instance of View Connection Server and forwards all traffic to that
instance. You can pair multiple security servers to a single connection server. This design provides an
additional layer of security by shielding the View Connection Server instance from the public-facing Internet
and by forcing all unprotected session requests through the security server.

A DMZ-based security server deployment requires a few ports to be opened on the firewall to allow clients to
connect with security servers inside the DMZ. You must also configure ports for communication between
security servers and the View Connection Server instances in the internal network. See “Firewall Rules for
DMZ-Based Security Servers,” on page 62 for information on specific ports.
VMware View Architecture Planning
58 VMware, Inc.