VMware Horizon 6.2 Installation Manual

View Installation
VMware Horizon 6
Version 6.2
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-001905-02
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2016 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

View Installation 5
1 System Requirements for Server Components 7
  View Connection Server Requirements 7
  View Administrator Requirements 9
  View Composer Requirements 10
2 System Requirements for Guest Operating Systems 13
  Supported Operating Systems for View Agent 13
  Supported Operating Systems for Standalone View Persona Management 14
  Remote Display Protocol and Software Support 14
3 Installing View in an IPv6 Environment 19
  Setting Up View in an IPv6 Environment 19
  Supported vSphere, Database, and Active Directory Versions in an IPv6 Environment 20
  Supported Operating Systems for View Servers in an IPv6 Environment 20
  Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment 21
  Supported Clients in an IPv6 Environment 21
  Supported Remoting Protocols in an IPv6 Environment 21
  Supported Authentication Types in an IPv6 Environment 22
  Other Supported Features in an IPv6 Environment 22
4 Installing View in FIPS Mode 25
  Overview of Setting Up View in FIPS Mode 25
  System Requirements for FIPS Mode 26
5 Preparing Active Directory 27
  Configuring Domains and Trust Relationships 27
  Creating an OU for Remote Desktops 29
  Creating OUs and Groups for Kiosk Mode Client Accounts 29
  Creating Groups for Users 29
  Creating a User Account for vCenter Server 29
  Creating a User Account for a Standalone View Composer Server 30
  Create a User Account for View Composer AD Operations 30
  Configure the Restricted Groups Policy 31
  Using View Group Policy Administrative Template Files 31
  Prepare Active Directory for Smart Card Authentication 32
  Disable Weak Ciphers in SSL/TLS 34
6 Installing View Composer 37
  Prepare a View Composer Database 37
  Configuring an SSL Certificate for View Composer 44
  Install the View Composer Service 45
  Configuring Your Infrastructure for View Composer 47
7 Installing View Connection Server 49
  Installing the View Connection Server Software 49
  Installation Prerequisites for View Connection Server 49
  Install View Connection Server with a New Configuration 50
  Install a Replicated Instance of View Connection Server 56
  Configure a Security Server Pairing Password 62
  Install a Security Server 62
  Firewall Rules for View Connection Server 70
  Reinstall View Connection Server with a Backup Configuration 71
  Microsoft Windows Installer Command-Line Options 73
  Uninstalling View Components Silently by Using MSI Command-Line Options 75
8 Configuring SSL Certificates for View Servers 77
  Understanding SSL Certificates for View Servers 77
  Overview of Tasks for Setting Up SSL Certificates 79
  Obtaining a Signed SSL Certificate from a CA 80
  Configure View Connection Server, Security Server, or View Composer to Use a New SSL Certificate 81
  Configure Client Endpoints to Trust Root and Intermediate Certificates 86
  Configuring Certificate Revocation Checking on Server Certificates 88
  Configure the PCoIP Secure Gateway to Use a New SSL Certificate 89
  Setting View Administrator to Trust a vCenter Server or View Composer Certificate 93
  Benefits of Using SSL Certificates Signed by a CA 93
  Troubleshooting Certificate Issues on View Connection Server and Security Server 94
9 Configuring View for the First Time 95
  Configuring User Accounts for vCenter Server and View Composer 95
  Configuring View Connection Server for the First Time 98
  Configuring Horizon Client Connections 109
  Replacing Default Ports for View Services 115
  Sizing Windows Server Settings to Support Your Deployment 120
10 Configuring Event Reporting 123
  Add a Database and Database User for View Events 123
  Prepare an SQL Server Database for Event Reporting 124
  Configure the Event Database 125
  Configure Event Logging for Syslog Servers 126
Index 129

View Installation

View Installation explains how to install the VMware Horizon™ 6 server and client components.
Intended Audience
This information is intended for anyone who wants to install VMware Horizon 6. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

1 System Requirements for Server Components

Hosts that run View server components must meet specific hardware and software requirements.
This chapter includes the following topics:
- “View Connection Server Requirements,” on page 7
- “View Administrator Requirements,” on page 9
- “View Composer Requirements,” on page 10

View Connection Server Requirements

View Connection Server acts as a broker for client connections by authenticating and then directing incoming user requests to the appropriate remote desktops and applications. View Connection Server has specific hardware, operating system, installation, and supporting software requirements.
- Hardware Requirements for View Connection Server on page 8
  You must install all View Connection Server installation types, including standard, replica, and security server installations, on a dedicated physical or virtual machine that meets specific hardware requirements.
- Supported Operating Systems for View Connection Server on page 8
  You must install View Connection Server on a supported Windows Server operating system.
- Virtualization Software Requirements for View Connection Server on page 8
  View Connection Server requires certain versions of VMware virtualization software.
- Network Requirements for Replicated View Connection Server Instances on page 9
  When installing replicated View Connection Server instances, you must usually configure the instances in the same physical location and connect them over a high-performance LAN. Otherwise, latency issues could cause the View LDAP configurations on View Connection Server instances to become inconsistent. A user could be denied access when connecting to a View Connection Server instance with an out-of-date configuration.

Hardware Requirements for View Connection Server

You must install all View Connection Server installation types, including standard, replica, and security server installations, on a dedicated physical or virtual machine that meets specific hardware requirements.
Table 1-1. View Connection Server Hardware Requirements
| Hardware Component | Required | Recommended |
|---|---|---|
| Processor | Pentium IV 2.0GHz processor or higher | 4 CPUs |
| Network Adapter | 100Mbps NIC | 1Gbps NICs |
| Memory (Windows Server 2008 R2 64-bit) | 4GB RAM or higher | At least 10GB RAM for deployments of 50 or more remote desktops |
| Memory (Windows Server 2012 R2 64-bit) | 4GB RAM or higher | At least 10GB RAM for deployments of 50 or more remote desktops |
These requirements also apply to replica and security server View Connection Server instances that you install for high availability or external access.
IMPORTANT The physical or virtual machine that hosts View Connection Server must have an IP address that does not change. In an IPv4 environment, configure a static IP address. In an IPv6 environment, machines automatically get IP addresses that do not change.

Supported Operating Systems for View Connection Server

You must install View Connection Server on a supported Windows Server operating system.
The following operating systems support all View Connection Server installation types, including standard, replica, and security server installations.
Table 1-2. Operating System Support for View Connection Server
| Operating System | Version | Edition |
|---|---|---|
| Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise, Datacenter |
| Windows Server 2012 R2 | 64-bit | Standard, Datacenter |
NOTE Windows Server 2008 R2 with no service pack is no longer supported.
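The following PowerShell script is an added example, not code from the VMware document. It checks a candidate host against Table 1-1 and Table 1-2 above and against the static-IP requirement, using only the threshold values those tables give, and assumes the standard WMI classes (Win32_OperatingSystem, Win32_ComputerSystem, Win32_Processor, Win32_NetworkAdapter, Win32_NetworkAdapterConfiguration) are available, as they are on the listed Windows Server releases.

```powershell
# Added example, not part of the VMware document: checks a candidate host against the
# View Connection Server requirements in Table 1-1 and Table 1-2 and the static-IP note.
# Threshold values are taken from those tables; run in an elevated Windows PowerShell session.

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

$os  = Get-WmiObject Win32_OperatingSystem
$cs  = Get-WmiObject Win32_ComputerSystem
$cpu = Get-WmiObject Win32_Processor

# Table 1-2: Windows Server 2008 R2 SP1 (NT 6.1 with SP >= 1) or Windows Server 2012 R2 (NT 6.3),
# 64-bit, Standard/Enterprise/Datacenter edition. Windows Server 2008 R2 without SP1 fails here.
$ver = [version]$os.Version
$sp  = [int]$os.ServicePackMajorVersion
$versionOk = ($ver.Major -eq 6 -and $ver.Minor -eq 1 -and $sp -ge 1) -or
             ($ver.Major -eq 6 -and $ver.Minor -eq 3)
$editionOk = $os.Caption -match 'Standard|Enterprise|Datacenter'
$archOk    = $os.OSArchitecture -like '64*'
Add-Check 'Supported OS, edition and architecture' ($versionOk -and $editionOk -and $archOk) `
          "$($os.Caption) $($os.Version) SP$sp $($os.OSArchitecture)"

# Table 1-1: 4GB RAM required; at least 10GB recommended for 50 or more remote desktops.
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Check 'Memory >= 4GB (required)'     ($ramGB -ge 4)  "$ramGB GB"
Add-Check 'Memory >= 10GB (recommended)' ($ramGB -ge 10) "$ramGB GB"

# Table 1-1: 4 CPUs recommended; logical processors are summed across all sockets.
$cpus = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
Add-Check 'CPUs >= 4 (recommended)' ($cpus -ge 4) "$cpus logical processors"

# Table 1-1: 100Mbps NIC required, 1Gbps recommended. Win32_NetworkAdapter.Speed is in bits/s
# and is only populated for connected adapters, so a disconnected NIC counts as 0.
$nics  = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.PhysicalAdapter -and $_.NetEnabled }
$speed = ($nics | ForEach-Object { [uint64]$_.Speed } | Measure-Object -Maximum).Maximum
if (-not $speed) { $speed = 0 }
Add-Check 'NIC >= 100Mbps (required)'  ($speed -ge 100000000)  "$($speed / 1000000) Mbps"
Add-Check 'NIC >= 1Gbps (recommended)' ($speed -ge 1000000000) "$($speed / 1000000) Mbps"

# IMPORTANT note: the host's IP address must not change. In an IPv4 environment that means a
# static address, so any IP-enabled adapter that still obtains its address from DHCP is flagged.
$ipCfg = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
$dhcp  = @($ipCfg | Where-Object { $_.DHCPEnabled })
$addrs = ($ipCfg | ForEach-Object { "$($_.Description): $($_.IPAddress -join ', ')" }) -join '; '
Add-Check 'Static IPv4 address (no DHCP on IP-enabled adapters)' ($dhcp.Count -eq 0) $addrs

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass -and $_.Check -match 'required|Supported OS|Static' }) {
    Write-Warning 'Host does not meet the required View Connection Server prerequisites.'
}
```

The recommended-tier rows only report; the warning fires when a required row, the OS row, or the static-IP row fails.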

Virtualization Software Requirements for View Connection Server

View Connection Server requires certain versions of VMware virtualization software.
If you are using vSphere, you must use a supported version of vSphere ESX/ESXi hosts and vCenter Server.
For details about which versions of View are compatible with which versions of vCenter Server and ESXi, see the VMware Product Interoperability Matrix at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

Network Requirements for Replicated View Connection Server Instances

When installing replicated View Connection Server instances, you must usually configure the instances in the same physical location and connect them over a high-performance LAN. Otherwise, latency issues could cause the View LDAP configurations on View Connection Server instances to become inconsistent. A user could be denied access when connecting to a View Connection Server instance with an out-of-date configuration.
IMPORTANT To use a group of replicated View Connection Server instances across a WAN, MAN (metropolitan area network), or other non-LAN, in scenarios where a View deployment needs to span datacenters, you must use the Cloud Pod Architecture feature. You can link together four View pods to provide a single large desktop brokering and management environment for two geographically distant sites and manage up to 20,000 remote desktops. For more information, see Administering View Cloud Pod Architecture.

View Administrator Requirements

Administrators use View Administrator to configure View Connection Server, deploy and manage remote desktops and applications, control user authentication, initiate and examine system events, and carry out analytical activities. Client systems that run View Administrator must meet certain requirements.
View Administrator is a Web-based application that is installed when you install View Connection Server. You can access and use View Administrator with the following Web browsers:
- Internet Explorer 9 (not recommended)
- Internet Explorer 10
- Internet Explorer 11
- Firefox (latest supported versions)
- Chrome (latest supported versions)
- Safari 6 and later releases
To use View Administrator with your Web browser, you must install Adobe Flash Player 10.1 or later. Your client system must have access to the Internet to allow Adobe Flash Player to be installed.
The computer on which you launch View Administrator must trust the root and intermediate certificates of the server that hosts View Connection Server. The supported browsers already contain certificates for all of the well-known certificate authorities (CAs). If your certificates come from a CA that is not well known, you must follow the instructions in “Configure Client Endpoints to Trust Root and Intermediate Certificates,” on page 86.
To display text properly, View Administrator requires Microsoft-specific fonts. If your Web browser runs on a non-Windows operating system such as Linux, UNIX, or Mac OS X, make sure that Microsoft-specific fonts are installed on your computer.
Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from independent Web sites.

View Composer Requirements

With View Composer, you can deploy multiple linked-clone desktops from a single centralized base image. View Composer has specific installation and storage requirements.
- Supported Operating Systems for View Composer on page 10
  View Composer supports 64-bit operating systems with specific requirements and limitations. You can install View Composer on the same physical or virtual machine as vCenter Server or on a separate server.
- Hardware Requirements for Standalone View Composer on page 10
  If you install View Composer on a different physical or virtual machine from the one used for vCenter Server, you must use a dedicated machine that meets specific hardware requirements.
- Database Requirements for View Composer and the Events Database on page 11
  View Composer requires an SQL database to store data. The View Composer database must reside on, or be available to, the View Composer server host. You can optionally set up an Events database to record information from View Connection Server about View events.

Supported Operating Systems for View Composer

View Composer supports 64-bit operating systems with specific requirements and limitations. You can install View Composer on the same physical or virtual machine as vCenter Server or on a separate server.
Table 1-3. Operating System Support for View Composer
| Operating System | Version | Edition |
|---|---|---|
| Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise, Datacenter |
| Windows Server 2012 R2 | 64-bit | Standard, Datacenter |
NOTE Windows Server 2008 R2 with no service pack is no longer supported.
If you plan to install View Composer on a different physical or virtual machine than vCenter Server, see “Hardware Requirements for Standalone View Composer,” on page 10.

Hardware Requirements for Standalone View Composer

If you install View Composer on a different physical or virtual machine from the one used for vCenter Server, you must use a dedicated machine that meets specific hardware requirements.
A standalone View Composer installation works with vCenter Server installed on a separate Windows Server machine or with the Linux-based vCenter Server appliance. VMware recommends having a one-to-one mapping between each View Composer service and vCenter Server instance.
Table 1-4. View Composer Hardware Requirements
| Hardware Component | Required | Recommended |
|---|---|---|
| Processor | 1.4 GHz or faster Intel 64 or AMD 64 processor with 2 CPUs | 2GHz or faster and 4 CPUs |
| Networking | One or more 10/100Mbps network interface cards (NICs) | 1Gbps NICs |
| Memory | 4GB RAM or higher | 8GB RAM or higher for deployments of 50 or more remote desktops |
| Disk space | 40GB | 60GB |
IMPORTANT The physical or virtual machine that hosts View Composer must have an IP address that does not change. In an IPv4 environment, configure a static IP address. In an IPv6 environment, machines automatically get IP addresses that do not change.

Database Requirements for View Composer and the Events Database

View Composer requires an SQL database to store data. The View Composer database must reside on, or be available to, the View Composer server host. You can optionally set up an Events database to record information from View Connection Server about View events.
If a database server instance already exists for vCenter Server, View Composer can use that existing instance if it is a version listed in Table 1-5. For example, View Composer can use the Microsoft SQL Server instance provided with vCenter Server. If a database server instance does not already exist, you must install one.
View Composer supports a subset of the database servers that vCenter Server supports. If you are already using vCenter Server with a database server that is not supported by View Composer, continue to use that database server for vCenter Server and install a separate database server to use for View Composer.
IMPORTANT If you create the View Composer database on the same SQL Server instance as vCenter Server, do not overwrite the vCenter Server database.
The following table lists the supported database servers and versions as of the publication date of this document. For the most up-to-date information about supported databases, see the VMware Product Interoperability Matrixes at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php. For Solution/Database Interoperability, after you select the product and version, for the Add Database step, to see a list of all supported databases, select Any and click Add.
Table 1-5. Supported Database Servers for View Composer and for the Events Database
| Database | Service Packs/Releases | Editions |
|---|---|---|
| Microsoft SQL Server 2014 (32- and 64-bit) | No SP, SP1 | Standard, Enterprise |
| Microsoft SQL Server 2012 (32- and 64-bit) | SP1, SP2 | Express, Standard, Enterprise |
| Microsoft SQL Server 2008 R2 (32- and 64-bit) | SP2, SP3 | Express, Standard, Enterprise, Datacenter |
| Microsoft SQL Server 2008 (32- and 64-bit) | SP4 | Express, Standard, Enterprise |
| Oracle 12c | Release 1 (any release up to 12.1.0.2) | Standard One, Standard, Enterprise |
| Oracle 11g (32- and 64-bit) | Release 2 (11.2.0.4) | Standard One, Standard, Enterprise |
NOTE The following versions are no longer supported: Oracle 10g Release 2, Oracle 11g Release 1, Microsoft SQL Server 2008 R2 SP1, Microsoft SQL Server 2012 with no SP.
2 System Requirements for Guest Operating Systems

Systems running View Agent or Standalone View Persona Management must meet certain hardware and software requirements.
This chapter includes the following topics:
- “Supported Operating Systems for View Agent,” on page 13
- “Supported Operating Systems for Standalone View Persona Management,” on page 14
- “Remote Display Protocol and Software Support,” on page 14

Supported Operating Systems for View Agent

The View Agent component assists with session management, single sign-on, device redirection, and other features. You must install View Agent on all virtual machines, physical systems, and RDS hosts.
The following table lists the Windows operating system versions that are supported on single-session virtual machines in a desktop pool. The virtual machine version must support the guest operating system. For example, to install Windows 8.1, you must use a vSphere 5.1 or later virtual machine.
Table 2-1. Operating Systems for Linked-Clone and Full-Clone Remote Desktops
| Guest Operating System | Version | Edition | Service Pack |
|---|---|---|---|
| Windows 10 | 64-bit and 32-bit | Enterprise | None |
| Windows 8.1 | 64-bit and 32-bit | Enterprise and Professional | Latest update |
| Windows 8 | 64-bit and 32-bit | Enterprise and Professional | None |
| Windows 7 | 64-bit and 32-bit | Enterprise and Professional | SP1 |
| Windows Server 2012 R2 | 64-bit | Datacenter | None |
| Windows Server 2008 R2 | 64-bit | Datacenter | SP1 |
IMPORTANT View Agent 6.1 and later releases do not support Windows XP and Windows Vista desktops. View Agent 6.0.2 is the last View release that supports these guest operating systems. Customers who have an extended support agreement with Microsoft for Windows XP and Vista, and an extended support agreement with VMware for these guest operating systems, can deploy the View Agent 6.0.2 version of their Windows XP and Vista desktops with the latest version of View Connection Server.
To use the View Persona Management setup option with View Agent, you must install View Agent on Windows 8, Windows 7, Windows Server 2012 R2, or Windows Server 2008 R2 virtual machines. This option does not operate on physical computers or RDS hosts.
You can install the standalone version of View Persona Management on physical computers. See “Supported Operating Systems for Standalone View Persona Management,” on page 14.
The following table lists the Windows operating systems versions that are supported for creating desktop pools and application pools on an RDS host.
Table 2-2. Operating Systems for RDS Hosts, Providing Remote Desktops or Applications
| Guest Operating System | Edition | Service Pack |
|---|---|---|
| Windows Server 2008 R2 | Standard, Enterprise, and Datacenter | SP1 |
| Windows Server 2012 | Standard and Datacenter | None |
| Windows Server 2012 R2 | Standard and Datacenter | Latest update |
For enhanced security, VMware recommends configuring cipher suites to remove known vulnerabilities. For instructions on how to set up a domain policy on cipher suites for Windows machines that run View Composer or View Agent, see “Disable Weak Ciphers in SSL/TLS,” on page 34.

Supported Operating Systems for Standalone View Persona Management

The standalone View Persona Management software provides persona management for standalone physical computers and virtual machines that do not have View Agent installed. When users log in, their profiles are downloaded dynamically from a remote profile repository to their standalone systems.
NOTE To configure View Persona Management for View desktops, install View Agent with the View Persona Management setup option. The standalone View Persona Management software is intended for non-View systems only.
Table 2-3 lists the operating systems supported for the standalone View Persona Management software.
Table 2-3. Operating System Support for Standalone View Persona Management
| Guest Operating System | Version | Edition | Service Pack |
|---|---|---|---|
| Windows 10 | 64-bit and 32-bit | Enterprise | None |
| Windows 8 | 64-bit and 32-bit | Enterprise and Professional | None |
| Windows 7 | 64-bit and 32-bit | Enterprise and Professional | SP1 |
| Windows Server 2012 R2 | 64-bit | Datacenter | None |
| Windows Server 2008 R2 | 64-bit | Datacenter | SP1 |
The standalone View Persona Management software is not supported on Microsoft Remote Desktop Services.

Remote Display Protocol and Software Support

Remote display protocols and software provide access to remote desktops and applications. The remote display protocol used depends on the type of client device, whether you are connecting to a remote desktop or a remote application, and how the administrator configures the desktop or application pool.
- PCoIP on page 15
  PCoIP (PC over IP) provides an optimized desktop experience for the delivery of a remote application or an entire remote desktop environment, including applications, images, audio, and video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate for an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
- Microsoft RDP on page 16
  Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data.

PCoIP

PCoIP (PC over IP) provides an optimized desktop experience for the delivery of a remote application or an entire remote desktop environment, including applications, images, audio, and video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate for an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
PCoIP is supported as the display protocol for remote applications and for remote desktops that use virtual machines, physical machines that contain Teradici host cards, or shared session desktops on an RDS host.
PCoIP Features
Key features of PCoIP include the following:
- Users outside the corporate firewall can use this protocol with your company's virtual private network (VPN), or users can make secure, encrypted connections to a security server or Access Point appliance in the corporate DMZ.
- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You can, however, change the encryption key cipher to AES-192 or AES-256.
- Connections to Windows desktops with the View Agent operating system versions listed in “Supported Operating Systems for View Agent,” on page 13 are supported.
- Connections from all types of client devices.
- Optimization controls for reducing bandwidth usage on the LAN and WAN.
- 32-bit color is supported for virtual displays.
- ClearType fonts are supported.
- Audio redirection with dynamic audio quality adjustment for LAN and WAN.
- Real-Time Audio-Video for using webcams and microphones on some client types.
- Copy and paste of text and, on some clients, images between the client operating system and a remote application or desktop. For other client types, only copy and paste of plain text is supported. You cannot copy and paste system objects such as folders and files between systems.
- Multiple monitors are supported for some client types. On some clients, you can use up to 4 monitors with a resolution of up to 2560 x 1600 per display or up to 3 monitors with a resolution of 4K (3840 x 2160) for Windows 7 remote desktops with Aero disabled. Pivot display and autofit are also supported. When the 3D feature is enabled, up to 2 monitors are supported with a resolution of up to 1920 x 1200, or one monitor with a resolution of 4K (3840 x 2160).
- USB redirection is supported for some client types.
- MMR redirection is supported for some Windows client operating systems and some remote desktop operating systems (with View Agent installed).
For information about which desktop operating systems support specific PCoIP features, see "Feature Support Matrix for View Agent" in the View Architecture Planning document.
For information about which client devices support specific PCoIP features, go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Recommended Guest Operating System Settings
1GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen mode, or 720p or higher formatted video. To use Virtual Dedicated Graphics Acceleration for graphics-intensive applications such as CAD applications, 4GB of RAM is required.
Video Quality Requirements
480p-formatted video: You can play video at 480p or lower at native resolutions when the remote desktop has a single virtual CPU. If you want to play the video in high-definition Flash or in full screen mode, the desktop requires a dual virtual CPU. Even with a dual virtual CPU desktop, as low as 360p-formatted video played in full screen mode can lag behind audio, particularly on Windows clients.
720p-formatted video: You can play video at 720p at native resolutions if the remote desktop has a dual virtual CPU. Performance might be affected if you play videos at 720p in high definition or in full screen mode.
1080p-formatted video: If the remote desktop has a dual virtual CPU, you can play 1080p formatted video, although the media player might need to be adjusted to a smaller window size.
3D rendering: You can configure remote desktops to use software- or hardware-accelerated graphics. The software-accelerated graphics feature enables you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical graphics processing unit (GPU). The hardware-accelerated graphics features enable virtual machines to either share the physical GPUs on a vSphere host or dedicate a physical GPU to a single virtual machine desktop. For 3D applications, up to 2 monitors are supported, and the maximum screen resolution is 1920 x 1200. The guest operating system on the remote desktops must be Windows 7 or later.
Hardware Requirements for Client Systems
For information about processor and memory requirements, see the "Using VMware Horizon Client" document for the specific type of desktop or mobile client device. Go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

Microsoft RDP

Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data.
Microsoft RDP is a supported display protocol for remote desktops that use virtual machines, physical machines, or shared session desktops on an RDS host. (Only the PCoIP display protocol is supported for remote applications.) Microsoft RDP provides the following features:
- RDP 7 has true multiple monitor support, for up to 16 monitors.
- You can copy and paste text and system objects such as folders and files between the local system and the remote desktop.
- 32-bit color is supported for virtual displays.
- RDP supports 128-bit encryption.
- Users outside the corporate firewall can use this protocol with your company's virtual private network (VPN), or users can make secure, encrypted connections to a View security server in the corporate DMZ.
Hardware Requirements for Client Systems
For information about processor and memory requirements, see the "Using VMware Horizon Client" document for the specific type of client system. Go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
NOTE Mobile client devices use only the PCoIP display protocol.

3 Installing View in an IPv6 Environment

View supports IPv6 as an alternative to IPv4. The environment must be either IPv6 only or IPv4 only. View does not support a mixed IPv6 and IPv4 environment.
Not all View features that are supported in an IPv4 environment are supported in an IPv6 environment. View does not support upgrading from an IPv4 environment to an IPv6 environment. Also, View does not support migration between IPv4 and IPv6 environments.
IMPORTANT To run View in an IPv6 environment, you must specify IPv6 when you install all View components.
This chapter includes the following topics:
- “Setting Up View in an IPv6 Environment,” on page 19
- “Supported vSphere, Database, and Active Directory Versions in an IPv6 Environment,” on page 20
- “Supported Operating Systems for View Servers in an IPv6 Environment,” on page 20
- “Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment,” on page 21
- “Supported Clients in an IPv6 Environment,” on page 21
- “Supported Remoting Protocols in an IPv6 Environment,” on page 21
- “Supported Authentication Types in an IPv6 Environment,” on page 22
- “Other Supported Features in an IPv6 Environment,” on page 22

Setting Up View in an IPv6 Environment

To run View in an IPv6 environment, you must be aware of the requirements and choices that are specific to IPv6 when you perform certain administrative tasks.
Before you install View, you must have a working IPv6 environment. The following View administrative tasks have options that are specific to IPv6.
- Installing View Connection Server. See “Install View Connection Server with a New Configuration,” on page 50.
- Installing View Replica Server. See “Install a Replicated Instance of View Connection Server,” on page 56.
- Installing View Security Server. See “Install a Security Server,” on page 62.
- Configuring the PCoIP External URL. See “Configuring External URLs for Secure Gateway and Tunnel Connections,” on page 112.
- Setting the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 113.
- Modifying the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 113.
- Installing View Agent. See the View Agent installation topics in the Setting Up Desktop and Application Pools document.
- Installing Horizon Client for Windows. See the VMware Horizon Client for Windows document in https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html. Only Windows clients are supported.
NOTE View does not require you to enter an IPv6 address in any administrative tasks. In cases where you can specify either a fully qualified domain name (FQDN) or an IPv6 address, it is highly recommended that you specify an FQDN to avoid potential errors.

Supported vSphere, Database, and Active Directory Versions in an IPv6 Environment

In an IPv6 environment, View supports specific vSphere, database server, and Active Directory versions.
The following vSphere versions are supported in an IPv6 environment.
- 6.0
- 5.5 U2
The following database servers are supported in an IPv6 environment.
| Database Server | Version | Edition |
|---|---|---|
| SQL Server 2012 SP1 | 32/64-bit | Standard, Enterprise |
| SQL Server 2012 Express | 32/64-bit | Free |
| Oracle 11g R2 | 32/64-bit | Standard, Standard Edition One, Enterprise |
The following Active Directory versions are supported in an IPv6 environment.
- Microsoft Active Directory 2008 R2
- Microsoft Active Directory 2012 R2

Supported Operating Systems for View Servers in an IPv6 Environment

In an IPv6 environment, you must install View servers on specific Windows Server operating systems.
View servers include View Connection Server instances, replica servers, security servers, and View Composer instances.
Operating System            Edition
Windows Server 2008 R2      Standard, Enterprise
Windows Server 2008 R2 SP1  Standard, Enterprise
Windows Server 2012 R2      Standard

Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment

In an IPv6 environment, View supports specific Windows operating systems for desktop machines and RDS hosts. RDS hosts provide session-based desktops and applications to users.
The following Windows operating systems are supported for desktop machines.
Operating System            Version      Edition
Windows 7 SP1               32/64-bit    Enterprise, Professional
Windows 8                   32/64-bit    Enterprise, Professional
Windows 8.1                 32/64-bit    Enterprise, Professional
Windows Server 2008 R2 SP1               Datacenter
The following Windows operating systems are supported for RDS hosts.
Operating System            Edition
Windows Server 2008 R2 SP1  Standard, Enterprise, Datacenter
Windows Server 2012 R2      Standard, Datacenter

Supported Clients in an IPv6 Environment

In an IPv6 environment, View supports clients that run on specific desktop operating systems.
Operating System   Version      Edition
Windows 7          32/64-bit    Home, Professional, Enterprise, Ultimate
Windows 7 SP1      32/64-bit    Home, Professional, Enterprise, Ultimate
Windows 8          32/64-bit    Enterprise, Professional
Windows 8.1        32/64-bit    Enterprise, Professional
The following types of clients are not supported.
- Clients that run on OS X, Android, iOS, Linux, or Windows Store
- Horizon Client for Windows with the Local Mode option
- PCoIP Zero Client

Supported Remoting Protocols in an IPv6 Environment

In an IPv6 environment, View supports specific remoting protocols.
The following remoting protocols are supported:
- RDP
- RDP with Secure Tunnel
- PCoIP
- PCoIP through PCoIP Secure Gateway
The following remoting protocols are not supported:
- HTML Access
- HTML Access through Blast Secure Gateway

Supported Authentication Types in an IPv6 Environment

In an IPv6 environment, View supports specific authentication types.
The following authentication types are supported:
- Password authentication using Active Directory
- Smart Card
- Single Sign-On
The following authentication types are not supported:
- SecurID
- RADIUS
- SAML

Other Supported Features in an IPv6 Environment

In an IPv6 environment, View supports certain features that are not covered in previous topics.
The following features are supported:
- Automated desktop pools, including full virtual machines and View Composer linked clones
- Manual desktop pools, including vCenter Server virtual machines, physical computers, and virtual machines not managed by vCenter Server
- RDS desktop pools
- Application pools
- View Storage Accelerator
- Disk space reclamation
- Native NFS snapshots (VAAI)
- ThinApp
- Virtual Printing
- Events
- Role-based administration
- System health dashboard
- LDAP backup
- View Composer database backup
- Customer Experience Improvement Program (CEIP)
- Single Sign-on, including the Log in as current user feature
- Audio-out
The following features are not supported:
- Virtual SAN
- Virtual Volumes
- Cloud Pod Architecture
- Scanner redirection
- USB redirection
- Multimedia redirection (MMR)
- Real-time audio-video (RTAV)
- Persona Management
- vRealize Operations Desktop Agent
- Lync
- Syslog
- Log Insight
- Serial redirection
- Flash URL redirection
- Teradici TERA host card

Chapter 4 Installing View in FIPS Mode

View can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms. You can enable the use of these algorithms by installing View in FIPS mode.
Not all View features are supported in FIPS mode. Also, View does not support upgrading from a non-FIPS installation to a FIPS installation.
NOTE To ensure that View runs in FIPS mode, you must enable FIPS when you install all View components.
This chapter includes the following topics:
- “Overview of Setting Up View in FIPS Mode,” on page 25
- “System Requirements for FIPS Mode,” on page 26

Overview of Setting Up View in FIPS Mode

To set up View in FIPS mode, you must first enable FIPS mode in the Windows environment. Then you install all the View components in FIPS mode.
The option to install View in FIPS mode is available only if FIPS mode is enabled in the Windows environment. For more information about enabling FIPS mode in Windows, see https://support.microsoft.com/en-us/kb/811833.
NOTE View Administrator does not indicate whether View is running in FIPS mode.
To install View in FIPS mode, perform the following View administrative tasks.
- When installing View Connection Server, select the FIPS mode option. See “Install View Connection Server with a New Configuration,” on page 50.
- When installing View Replica Server, select the FIPS mode option. See “Install a Replicated Instance of View Connection Server,” on page 56.
- Before installing a security server, deselect the global setting Use IPSec for Security Server Connections in View Administrator and configure IPsec manually. See http://kb.vmware.com/kb/2000175.
- When installing View Security Server, select the FIPS mode option. See “Install a Security Server,” on page 62.
- Disable weak ciphers for View Composer and View Agent machines. See “Disable Weak Ciphers in SSL/TLS,” on page 34.
- When installing View Composer, select the FIPS mode option. See Chapter 6, “Installing View Composer,” on page 37.
- When installing View Agent, select the FIPS mode option. See the View Agent installation topics in the Setting Up Desktop and Application Pools document.
- When installing Horizon Client for Windows, select the FIPS mode option. See the VMware Horizon Client for Windows document at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html. Only Windows clients are supported.
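Because the FIPS mode option only appears in the installers when the Windows FIPS policy is already on, and View Administrator never reports whether FIPS mode is active, it is worth checking each host before running any installer. The following pre-flight script is an added example, not code from the VMware document or the View product. It reads the registry value that KB 811833 describes, checks that TLS 1.2 (the only protocol supported in FIPS mode) has not been explicitly disabled in SCHANNEL, and optionally turns the FIPS policy on. The function names and the decision to require a reboot after enabling the policy are this example's own.

```powershell
# Added example (not from the VMware document): pre-flight check of the Windows
# FIPS policy and TLS 1.2 state before launching a View installer in FIPS mode.
# Run in an elevated PowerShell session on each host that will receive a View
# component (Connection Server, replica, security server, Composer, Agent, client).

$FipsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$Tls12Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
)

function Test-FipsPolicy {
    # True only when the FIPS policy DWORD exists and is set to 1 (KB 811833).
    $value = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Test-Tls12NotDisabled {
    # A missing key means the OS default applies; this check only catches an
    # explicit Enabled=0 or DisabledByDefault=1 on the client or server side.
    foreach ($key in $Tls12Keys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { return $false }
    }
    return $true
}

function Enable-FipsPolicy {
    # Same effect as enabling the "System cryptography: Use FIPS compliant
    # algorithms for encryption, hashing, and signing" security setting.
    # Reboot afterwards and re-run the check before starting an installer
    # (reboot requirement is this example's assumption, not a statement from the document).
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name Enabled -Value 1 -Type DWord
}

function Get-FipsPreflightReport {
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        FipsPolicy       = Test-FipsPolicy
        Tls12NotDisabled = Test-Tls12NotDisabled
    }
}

$report = Get-FipsPreflightReport
$report | Format-List
if (-not $report.FipsPolicy) {
    Write-Warning 'FIPS policy is off; the View installer will not show the FIPS mode option.'
    # Enable-FipsPolicy   # uncomment to enable, then reboot and re-run this script
}
if (-not $report.Tls12NotDisabled) {
    Write-Warning 'TLS 1.2 is explicitly disabled in SCHANNEL; FIPS-mode View requires TLSv1.2.'
}
```

Run the script on every host before installing, and again after the reboot that follows Enable-FipsPolicy, since the installers decide at launch time whether to offer the FIPS option.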

System Requirements for FIPS Mode

To support FIPS mode, your View deployment must meet the following requirements.
Component               Requirement
vSphere                 vCenter Server 6.0 or later; ESXi 6.0 or later
View desktop            Windows 7 SP1 (32- or 64-bit); View Agent 6.2 or later
Horizon Client          Windows 7 SP1 (32- or 64-bit); Horizon Client 3.5 or later
Cryptographic protocol  TLSv1.2

Chapter 5 Preparing Active Directory

View uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with View.
View supports the following Active Directory Domain Services (AD DS) domain functional levels:
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
This chapter includes the following topics:
- “Configuring Domains and Trust Relationships,” on page 27
- “Creating an OU for Remote Desktops,” on page 29
- “Creating OUs and Groups for Kiosk Mode Client Accounts,” on page 29
- “Creating Groups for Users,” on page 29
- “Creating a User Account for vCenter Server,” on page 29
- “Creating a User Account for a Standalone View Composer Server,” on page 30
- “Create a User Account for View Composer AD Operations,” on page 30
- “Configure the Restricted Groups Policy,” on page 31
- “Using View Group Policy Administrative Template Files,” on page 31
- “Prepare Active Directory for Smart Card Authentication,” on page 32
- “Disable Weak Ciphers in SSL/TLS,” on page 34

Configuring Domains and Trust Relationships

You must join each View Connection Server host to an Active Directory domain. The host must not be a domain controller.
Active Directory also manages the View Agent machines, including single-user machines and RDS hosts, and the users and groups in your Horizon 6 deployment. You can entitle users and groups to remote desktops and applications, and you can select users and groups to be administrators in View Administrator.
You can place View Agent machines, View Composer servers, and users and groups, in the following Active Directory domains:
- The View Connection Server domain
- A different domain that has a two-way trust relationship with the View Connection Server domain
- A domain in a different forest than the View Connection Server domain that is trusted by the View Connection Server domain in a one-way external or realm trust relationship
- A domain in a different forest than the View Connection Server domain that is trusted by the View Connection Server domain in a one-way or two-way transitive forest trust relationship
Users are authenticated using Active Directory against the View Connection Server domain and any additional user domains with which a trust agreement exists.
If your users and groups are in one-way trusted domains, you must provide secondary credentials for the administrator users in View Administrator. Administrators must have secondary credentials to give them access to the one-way trusted domains. A one-way trusted domain can be an external domain or a domain in a transitive forest trust.
Secondary credentials are required only for View Administrator sessions, not for end users' desktop or application sessions. Only administrator users require secondary credentials.
You can provide secondary credentials by using the vdmadmin -T command.
- You configure secondary credentials for individual administrator users.
- For a forest trust, you can configure secondary credentials for the forest root domain. View Connection Server can then enumerate the child domains in the forest trust.
For details, see "Providing Secondary Credentials for Administrators Using the -T Option" in the View Administration document.
NOTE Because security servers do not access any authentication repositories, including Active Directory, they do not need to reside in an Active Directory domain.

Trust Relationships and Domain Filtering

To determine which domains it can access, a View Connection Server instance traverses trust relationships beginning with its own domain.
For a small, well-connected set of domains, View Connection Server can quickly determine the full list of domains, but the time that it takes increases as the number of domains increases or as the connectivity between the domains decreases. The list might also include domains that you would prefer not to offer to users when they connect to their remote desktops and applications.
You can use the vdmadmin command to configure domain filtering to limit the domains that a View Connection Server instance searches and that it displays to users. See the View Administration document for more information.
If a forest trust is configured with name suffix exclusions, the configured exclusions are used to filter the list of forest child domains. Name suffix exclusion filtering is applied in addition to the filtering that is specified with the vdmadmin command.
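Before deciding which administrators need secondary credentials and which domains to filter out, it helps to see the trusts exactly as the View Connection Server domain sees them. The script below is an added example, not code from the VMware document; it uses the ActiveDirectory module's Get-ADTrust cmdlet (available with RSAT on Windows Server 2012 and later) to list every trust of the Connection Server domain and flag the one-way cases that the text above says require vdmadmin -T. The function name and the NeedsSecondaryCreds column are this example's own conventions.

```powershell
# Added example (not from the VMware document): enumerate the trusts of the View
# Connection Server domain and mark the one-way trusts that need secondary
# credentials for View administrators. Run from a domain-joined host with RSAT.

Import-Module ActiveDirectory

function Get-ViewTrustReport {
    param(
        # Domain to report from; defaults to the domain of the current session.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Direction is relative to $Domain:
        #   BiDirectional - two-way trust, no secondary credentials needed.
        #   Outbound      - $Domain trusts the target but is not trusted back; users
        #                   there can log in, but View Administrator needs secondary
        #                   credentials to browse that domain (the one-way case above).
        #   Inbound       - the target trusts $Domain only; its users cannot
        #                   authenticate against $Domain, so it cannot hold View users.
        [pscustomobject]@{
            TrustedDomain       = $_.Target
            Direction           = $_.Direction
            TrustType           = $_.TrustType
            ForestTransitive    = $_.ForestTransitive
            IntraForest         = $_.IntraForest
            NeedsSecondaryCreds = ($_.Direction -eq 'Outbound' -and -not $_.IntraForest)
            UnusableForUsers    = ($_.Direction -eq 'Inbound')
        }
    }
}

# Report, one-way outbound trusts first so they are not overlooked.
Get-ViewTrustReport | Sort-Object NeedsSecondaryCreds -Descending | Format-Table -AutoSize
```

For a forest trust, the entry for the forest root is what the report shows; the child domains that View Connection Server enumerates through it are not listed separately, which is also why the secondary credentials for a forest trust are configured once for the forest root domain.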

Creating an OU for Remote Desktops

You should create an organizational unit (OU) specifically for your remote desktops. An OU is a subdivision in Active Directory that contains users, groups, computers, or other OUs.
To prevent group policy settings from being applied to other Windows servers or workstations in the same domain as your desktops, you can create a GPO for your View group policies and link it to the OU that contains your remote desktops. You can also delegate control of the OU to subordinate groups, such as server operators or individual users.
If you use View Composer, you should create a separate Active Directory container for linked-clone desktops that is based on the OU for your remote desktops. Administrators that have OU administrator privileges in Active Directory can provision linked-clone desktops without domain administrator privileges. If you change administrator credentials in Active Directory, you must also update the credential information in View Composer.

Creating OUs and Groups for Kiosk Mode Client Accounts

A client in kiosk mode is a thin client or a locked-down PC that runs the client software to connect to a View Connection Server instance and launch a remote desktop session. If you configure clients in kiosk mode, you should create dedicated OUs and groups in Active Directory for kiosk mode client accounts.
Keeping kiosk mode client accounts in their own OUs and groups separates them from ordinary user accounts, so that the policies and permissions applied to them can be scoped tightly and a compromised kiosk client gains no access beyond what those accounts hold. It also simplifies client configuration and administration.
See the View Administration document for more information.

Creating Groups for Users

You should create groups for different types of users in Active Directory. For example, you can create a group called View Users for your end users and another group called View Administrators for users that will administer remote desktops and applications.

Creating a User Account for vCenter Server

You must create a user account in Active Directory to use with vCenter Server. You specify this user account when you add a vCenter Server instance in View Administrator.
You must give the user account privileges to perform certain operations in vCenter Server. You can create a vCenter Server role with the appropriate privileges and assign the role to the vCenter Server user. The list of privileges you add to the vCenter Server role varies, depending on whether you use View with or without View Composer. See “Configuring User Accounts for vCenter Server and View Composer,” on page 95 for information on configuring these privileges.
If you install View Composer on the same machine as vCenter Server, you must add the vCenter Server user to the local Administrators group on the vCenter Server machine. This requirement allows View to authenticate to the View Composer service.
If you install View Composer on a different machine than vCenter Server, you do not have to make the vCenter Server user a local administrator on the vCenter Server machine. However, you do have to create a standalone View Composer Server user account that must be a local administrator on the View Composer machine.

Creating a User Account for a Standalone View Composer Server

If you install View Composer on a different machine than vCenter Server, you must create a domain user account in Active Directory that View can use to authenticate to the View Composer service on the standalone machine.
The user account must be in the same domain as your View Connection Server host or in a trusted domain. You must add the user account to the local Administrators group on the standalone View Composer machine.
You specify this user account when you configure View Composer settings in View Administrator and select Standalone View Composer Server. See “Configure View Composer Settings,” on page 102.

Create a User Account for View Composer AD Operations

If you use View Composer, you must create a user account in Active Directory that allows View Composer to perform certain operations in Active Directory. View Composer requires this account to join linked-clone virtual machines to your Active Directory domain.
To ensure security, you should create a separate user account to use with View Composer. By creating a separate account, you can guarantee that it does not have additional privileges that are defined for another purpose. You can give the account the minimum privileges that it needs to create and remove computer objects in a specified Active Directory container. For example, the View Composer account does not require domain administrator privileges.
Procedure
1 In Active Directory, create a user account in the same domain as your View Connection Server host or in a trusted domain.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.
The following list shows all the required permissions for the user account, including permissions that are assigned by default:
- List Contents
- Read All Properties
- Write All Properties
- Read Permissions
- Reset Password
- Create Computer Objects
- Delete Computer Objects
NOTE Fewer permissions are required if you select the Allow reuse of pre-existing computer accounts setting for a desktop pool. Make sure that the following permissions are assigned to the user account:
- List Contents
- Read All Properties
- Read Permissions
- Reset Password
3 Make sure that the user account's permissions apply to the Active Directory container and to all child objects of the container.
What to do next
Specify the account in View Administrator when you configure View Composer domains in the Add vCenter Server wizard and when you configure and deploy linked-clone desktop pools.
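The procedure above is usually done by hand in Active Directory Users and Computers, which makes it easy to over-delegate. The following script is an added example, not code from the VMware document or the View product: it creates the dedicated account and grants exactly the permissions in the list above on the linked-clone container, with inheritance to all child objects, then reads the ACL back so the result can be compared with the list. The -ReuseExistingComputerAccounts switch covers the reduced permission set mentioned in the note. The OU, domain and account names are assumptions; the schema GUIDs for the computer class and the Reset Password right are fixed values in every Active Directory forest.

```powershell
# Added example (not from the VMware document): least-privilege delegation for the
# View Composer AD operations account. Requires the ActiveDirectory module and a
# session allowed to modify the container's ACL.

Import-Module ActiveDirectory

# Fixed schema GUIDs: the "computer" object class and the "Reset Password" right.
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$InhAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$InhDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function New-ViewComposerAdAccount([string]$SamAccountName, [string]$UpnSuffix, [securestring]$Password) {
    # Dedicated service account: no group memberships beyond the defaults, no
    # rights beyond what Grant-ViewComposerContainerRights delegates.
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$UpnSuffix" -AccountPassword $Password `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'View Composer AD operations (linked-clone domain join)'
    return Get-ADUser -Identity $SamAccountName
}

function Grant-ViewComposerContainerRights {
    param(
        [Parameter(Mandatory)][string]$ContainerDN,
        [Parameter(Mandatory)]$Account,            # object returned by Get-ADUser
        # Set when the pool uses "Allow reuse of pre-existing computer accounts":
        # Create/Delete Computer Objects and Write All Properties are then not needed.
        [switch]$ReuseExistingComputerAccounts
    )
    $sid   = $Account.SID
    $path  = "AD:\$ContainerDN"
    $acl   = Get-Acl -Path $path
    $rules = @()
    if (-not $ReuseExistingComputerAccounts) {
        # Create Computer Objects / Delete Computer Objects on the container and all children.
        $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
            $Allow, $ComputerClass, $InhAll)
        # Write All Properties on the container and all child objects (step 3 above).
        $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $Allow, $InhAll)
    }
    # Reset Password on the computer objects beneath the container.
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $Allow, $ResetPassword, $InhDesc, $ComputerClass)
    # List Contents, Read All Properties, Read Permissions: usually present by
    # default via Authenticated Users, granted explicitly so the delegation is complete on its own.
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl',
        $Allow, $InhAll)
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
    # Read back only this account's entries so they can be checked against the list above.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -like "*\$($Account.SamAccountName)" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Assumed values for this example.
$ou   = 'OU=LinkedClones,OU=ViewDesktops,DC=corp,DC=example'
$acct = New-ViewComposerAdAccount -SamAccountName 'svc-viewcomposer' -UpnSuffix 'corp.example' `
            -Password (Read-Host -AsSecureString 'Password for svc-viewcomposer')
Grant-ViewComposerContainerRights -ContainerDN $ou -Account $acct | Format-Table -AutoSize
```

In the read-back, an ObjectType equal to the computer class GUID on the CreateChild/DeleteChild entry confirms the right is limited to computer objects rather than all child objects, and an InheritanceType of All or Descendents confirms that step 3 is satisfied.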

Configure the Restricted Groups Policy

To be able to connect to a remote desktop, users must belong to the local Remote Desktop Users group of the remote desktop. You can use the Restricted Groups policy in Active Directory to add users or groups to the local Remote Desktop Users group of every remote desktop that is joined to your domain.
The Restricted Groups policy sets the local group membership of computers in the domain to match the membership list settings defined in the Restricted Groups policy. The members of your remote desktop users group are always added to the local Remote Desktop Users group of every remote desktop that is joined to your domain. When adding new users, you need only add them to your remote desktop users group.
Prerequisites
Create a group for remote desktop users in your domain in Active Directory.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.
AD Version     Navigation Path
Windows 2003   a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
               b Right-click your domain and click Properties.
               c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
               d Right-click Default Domain Policy, and click Edit.
Windows 2008   a Select Start > Administrative Tools > Group Policy Management.
               b Expand your domain, right-click Default Domain Policy, and click Edit.
2 Expand the Computer Configuration section and open Windows Settings\Security Settings.
3 Right-click Restricted Groups, select Add Group, and add the Remote Desktop Users group.
4 Right-click the new restricted Remote Desktop Users group and add your remote desktop users group to the group membership list.
The membership list is enforced exactly: at every policy refresh, any account that is not in the list is removed from the local Remote Desktop Users group on each computer the GPO applies to, so include every group that must keep remote desktop access.
5 Click OK to save your changes.

Using View Group Policy Administrative Template Files

View includes several component-specific group policy administrative (ADM and ADMX) template files.
All ADM and ADMX files that provide group policy settings for View are available in a bundled .zip file named VMware-Horizon-View-Extras-Bundle-x.x.x-yyyyyyy.zip, where x.x.x is the version and yyyyyyy is the build number. You can download the file from the VMware download site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 6 download, which includes the bundled .zip file.
You can optimize and secure remote desktops by adding the policy settings in these files to a new or existing GPO in Active Directory and then linking that GPO to the OU that contains your desktops.
See the View Administration and Setting Up Desktop and Application Pools in View documents for information on using View group policy settings.

Prepare Active Directory for Smart Card Authentication

You might need to perform certain tasks in Active Directory when you implement smart card authentication.
- Add UPNs for Smart Card Users on page 32
  Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users and administrators that use smart cards to authenticate in View must have a valid UPN.
- Add the Root Certificate to Trusted Root Certification Authorities on page 33
  If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
- Add an Intermediate Certificate to Intermediate Certification Authorities on page 33
  If you use an intermediate certification authority (CA) to issue smart card login or domain controller certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.
- Add the Root Certificate to the Enterprise NTAuth Store on page 34
  If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

Add UPNs for Smart Card Users

Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users and administrators that use smart cards to authenticate in View must have a valid UPN.
If the domain a smart card user resides in is different from the domain that your root certificate was issued from, you must set the user’s UPN to the Subject Alternative Name (SAN) contained in the root certificate of the trusted CA. If your root certificate was issued from a server in the smart card user's current domain, you do not need to modify the user's UPN.
NOTE You might need to set the UPN for built-in Active Directory accounts, even if the certificate is issued from the same domain. Built-in accounts, including Administrator, do not have a UPN set by default.
Prerequisites
- Obtain the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
- If the ADSI Edit utility is not present on your Active Directory server, download and install the appropriate Windows Support Tools from the Microsoft Web site.
Procedure
1 On your Active Directory server, start the ADSI Edit utility.
2 In the left pane, expand the domain the user is located in and double-click CN=Users.
3 In the right pane, right-click the user and then click Properties.
4 Double-click the userPrincipalName attribute and type the SAN value of the trusted CA certificate.
5 Click OK to save the attribute setting.

Add the Root Certificate to Trusted Root Certification Authorities

If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.
AD Version     Navigation Path
Windows 2003   a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
               b Right-click your domain and click Properties.
               c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
               d Right-click Default Domain Policy, and click Edit.
Windows 2008   a Select Start > Administrative Tools > Group Policy Management.
               b Expand your domain, right-click Default Domain Policy, and click Edit.
2 Expand the Computer Configuration section and open Windows Settings\Security Settings\Public Key.
3 Right-click Trusted Root Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
5 Close the Group Policy window.
All of the systems in the domain now have a copy of the root certificate in their trusted root store.
What to do next
If an intermediate certification authority (CA) issues your smart card login or domain controller certificates, add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory. See “Add an Intermediate Certificate to Intermediate Certification Authorities,” on page 33.

Add an Intermediate Certificate to Intermediate Certification Authorities

If you use an intermediate certification authority (CA) to issue smart card login or domain controller certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.
AD Version     Navigation Path
Windows 2003   a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
               b Right-click your domain and click Properties.
               c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
               d Right-click Default Domain Policy, and click Edit.
Windows 2008   a Select Start > Administrative Tools > Group Policy Management.
               b Expand your domain, right-click Default Domain Policy, and click Edit.
2 Expand the Computer Configuration section and open the policy for Windows Settings\Security Settings\Public Key.
3 Right-click Intermediate Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the intermediate certificate (for example,
intermediateCA.cer) and click OK.
5 Close the Group Policy window.
All of the systems in the domain now have a copy of the intermediate certificate in their intermediate certification authority store.

Add the Root Certificate to the Enterprise NTAuth Store

If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Procedure
- On your Active Directory server, use the certutil command to publish the certificate to the Enterprise NTAuth store.
For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA
The CA is now trusted to issue certificates of this type.
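The certutil step above is quick but silent about whether it worked, and NTAuth membership is what decides whether a domain controller will accept the CA for smart card logon. The script below is an added example, not code from the VMware document: it publishes the root and intermediate certificates to the directory-side stores with certutil (NTAuthCA for the NTAuth store, RootCA and SubCA for the Certification Authorities containers that correspond to the two group policy imports above), checks the exit code of each call, and then confirms from the directory itself that the root's SHA-1 thumbprint is present in NTAuth. The certificate file paths and function names are assumptions.

```powershell
# Added example (not from the VMware document): publish the smart card CA chain
# with certutil and verify the NTAuth store from the directory. Run as an
# Enterprise Admin on a domain controller or a domain-joined administrative host.

function Get-CertThumbprint([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    return $cert.Thumbprint.ToUpperInvariant()
}

function Publish-ToAdStore([string]$Path, [string]$Target) {
    # Target is one of the certutil -dspublish containers: NTAuthCA, RootCA, SubCA.
    & certutil.exe -dspublish -f $Path $Target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish $Target failed for $Path (exit $LASTEXITCODE)" }
}

function Publish-SmartCardCaChain {
    param(
        [Parameter(Mandatory)][string]$RootCertPath,
        [string]$IntermediateCertPath
    )
    Publish-ToAdStore $RootCertPath 'NTAuthCA'   # trusted to issue logon certificates
    Publish-ToAdStore $RootCertPath 'RootCA'     # directory-side Certification Authorities container
    if ($IntermediateCertPath) {
        Publish-ToAdStore $IntermediateCertPath 'SubCA'   # directory-side intermediate CA container
    }
}

function Test-NTAuthContains([string]$CertPath) {
    # "certutil -enterprise -store NTAuth" prints one "Cert Hash(sha1): aa bb ..."
    # line per entry; compare with the file's thumbprint after removing the spaces.
    $want   = Get-CertThumbprint $CertPath
    $dump   = & certutil.exe -enterprise -store NTAuth 2>&1 | Out-String
    $hashes = [regex]::Matches($dump, 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }
    return ($hashes -contains $want)
}

$root = 'C:\pki\rootCA.cer'            # assumed path
$sub  = 'C:\pki\intermediateCA.cer'    # assumed path
Publish-SmartCardCaChain -RootCertPath $root -IntermediateCertPath $sub
if (Test-NTAuthContains $root) {
    "Root CA $(Get-CertThumbprint $root) is present in the Enterprise NTAuth store."
} else {
    Write-Warning 'Root CA not found in NTAuth; check directory replication and the certutil output.'
}
```

Publishing to the directory containers does not replace the two group policy imports above if you rely on the Default Domain Policy for distribution; it is the NTAuth entry that the verification checks, because that is the store the domain controller consults during smart card logon.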

Disable Weak Ciphers in SSL/TLS

To achieve greater security, you can configure the domain policy GPO (group policy object) to ensure that View Composer and Windows-based machines running View Agent do not use weak ciphers when they communicate using the SSL/TLS protocol.
Procedure
1 On the Active Directory server, edit the GPO by selecting Start > Administrative Tools > Group Policy Management, right-clicking the GPO, and selecting Edit.
2 In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Network > SSL Configuration Settings.
3 Double-click SSL Cipher Suite Order.
4 In the SSL Cipher Suite Order window, click Enabled.
5 In the Options pane, replace the entire content of the SSL Cipher Suites text box with the following cipher list:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA
The cipher suites are listed above on separate lines for readability. When you paste the list into the text box, the cipher suites must be on one line with no spaces after the commas.
6 Exit the Group Policy Management Editor.
7 Restart the View Composer and View Agent machines for the new group policy to take effect.
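Pasting a long comma-separated list into the policy text box is error-prone (a stray space or a truncated suite silently changes what SCHANNEL negotiates), and the editor gives no feedback on the target machines. The script below is an added example, not code from the VMware document or the View product. It builds the exact list from the procedure above, rejects malformed or weak entries, writes it to the GPO with Set-GPRegistryValue (the "SSL Cipher Suite Order" setting is stored as the Functions value under the policy key used here), and provides a check to run on a View Composer or View Agent machine after the restart in step 7. The GPO name and the 1023-character bound are this example's assumptions.

```powershell
# Added example (not from the VMware document): set the SSL Cipher Suite Order
# policy from the command line and verify it on a target machine. Requires the
# GroupPolicy module (RSAT) and rights to edit the GPO.

Import-Module GroupPolicy

# The list from step 5 above; joined with commas and no spaces, which is the
# format the SSL Cipher Suite Order setting expects.
$CipherSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
)

# Registry location the "SSL Cipher Suite Order" policy writes to.
$PolicyKeyRel = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$PolicyKeyGpo = "HKLM\$PolicyKeyRel"     # form used by Set-GPRegistryValue
$PolicyKeyPs  = "HKLM:\$PolicyKeyRel"    # form used by Get-ItemProperty

function ConvertTo-CipherSuiteString([string[]]$Suites) {
    # Reject anything that is not a bare suite name and anything that brings back
    # RC4, 3DES, NULL, MD5 or export-grade suites, which this procedure removes.
    foreach ($s in $Suites) {
        if ($s -notmatch '^[A-Z0-9_]+$') { throw "Malformed suite name: '$s'" }
        if ($s -match 'RC4|3DES|NULL|MD5|EXPORT') { throw "Weak suite in list: '$s'" }
    }
    $joined = $Suites -join ','
    # The policy text box accepts at most 1023 characters (assumed bound, checked here).
    if ($joined.Length -gt 1023) { throw "Cipher list is $($joined.Length) characters; limit is 1023" }
    return $joined
}

function Set-ViewCipherSuiteOrder([string]$GpoName, [string[]]$Suites) {
    $value = ConvertTo-CipherSuiteString $Suites
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKeyGpo -ValueName 'Functions' -Type String -Value $value | Out-Null
    return $value
}

function Test-CipherSuiteOrderApplied([string[]]$Expected) {
    # Run on a View Composer or View Agent machine after gpupdate /force and the
    # restart in step 7; order matters, so the comparison is positional.
    $p = Get-ItemProperty -Path $PolicyKeyPs -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }
    $applied = $p.Functions -split ','
    return (@(Compare-Object $applied $Expected -SyncWindow 0).Count -eq 0)
}

# On the administrative host (assumed GPO name):
Set-ViewCipherSuiteOrder -GpoName 'View Desktops - TLS hardening' -Suites $CipherSuites
# On a target machine, after policy refresh and restart:
Test-CipherSuiteOrderApplied -Expected $CipherSuites
```

Test-CipherSuiteOrderApplied reads the policy registry value rather than querying SCHANNEL directly, because the cmdlets that list negotiable suites are not available on Windows 7 and Windows Server 2008 R2, the platforms this chapter targets.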

Chapter 6 Installing View Composer

To use View Composer, you create a View Composer database, install the View Composer service, and optimize your View infrastructure to support View Composer. You can install the View Composer service on the same host as vCenter Server or on a separate host.
View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop pools.
You must have a license to install and use the View Composer feature.
This chapter includes the following topics:
- “Prepare a View Composer Database,” on page 37
- “Configuring an SSL Certificate for View Composer,” on page 44
- “Install the View Composer Service,” on page 45
- “Configuring Your Infrastructure for View Composer,” on page 47

Prepare a View Composer Database

You must create a database and data source name (DSN) to store View Composer data.
The View Composer service does not include a database. If a database instance does not exist in your network environment, you must install one. After you install a database instance, you add the View Composer database to the instance.
You can add the View Composer database to the instance on which the vCenter Server database is located. You can configure the database locally, or remotely, on a network-connected Linux, UNIX, or Windows Server computer.
The View Composer database stores information about connections and components that are used by View Composer:
- vCenter Server connections
- Active Directory connections
- Linked-clone desktops that are deployed by View Composer
- Replicas that are created by View Composer
Each instance of the View Composer service must have its own View Composer database. Multiple View Composer services cannot share a View Composer database.
For a list of supported database versions, see “Database Requirements for View Composer and the Events Database,” on page 11.
To add a View Composer database to an installed database instance, choose one of these procedures.
- Create a SQL Server Database for View Composer on page 38
  View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it.
- Create an Oracle Database for View Composer on page 41
  View Composer can store linked-clone desktop information in an Oracle 12c or 11g database. You create a View Composer database by adding it to an existing Oracle instance and configuring an ODBC data source for it. You can add a new View Composer database by using the Oracle Database Configuration Assistant or by running a SQL statement.

Create a SQL Server Database for View Composer

View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it.
Procedure
1 Add a View Composer Database to SQL Server on page 38
You can add a new View Composer database to an existing Microsoft SQL Server instance to store linked-clone data for View Composer.
2 (Optional) Set SQL Server Database Permissions By Manually Creating Database Roles on page 39
By using this recommended method, the View Composer database administrator can set permissions for View Composer administrators to be granted through Microsoft SQL Server database roles.
3 Add an ODBC Data Source to SQL Server on page 40
After you add a View Composer database to SQL Server, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.
Add a View Composer Database to SQL Server
You can add a new View Composer database to an existing Microsoft SQL Server instance to store linked-clone data for View Composer.
If the database resides locally, on the system on which View Composer will be installed, you can use the Integrated Windows Authentication security model. If the database resides on a remote system, you cannot use this method of authentication.
Prerequisites
- Verify that a supported version of SQL Server is installed on the computer on which you will install View Composer or in your network environment. For details, see “Database Requirements for View Composer and the Events Database,” on page 11.
- Verify that you use SQL Server Management Studio to create and administer the database. Alternatively, you can use SQL Server Management Studio Express, which you can download and install from the following Web site.
  http://www.microsoft.com/en-us/download/details.aspx?id=7593
Procedure
1 On the View Composer computer, select Start > All Programs > Microsoft SQL Server 2014, Microsoft SQL Server 2012 or Microsoft SQL Server 2008.
2 Select SQL Server Management Studio and connect to the SQL Server instance.
3 In the Object Explorer panel, right-click the Databases entry and select New Database.
You can use the default values for the Initial size and Autogrowth parameters for the database and log files.
Chapter 6 Installing View Composer
4 In the New Database dialog box, type a name in the Database name text box.
For example: ViewComposer
5 Click OK.
SQL Server Management Studio adds your database to the Databases entry in the Object Explorer panel.
6 Exit Microsoft SQL Server Management Studio.
What to do next
Optionally, follow the instructions in “(Optional) Set SQL Server Database Permissions By Manually Creating Database Roles,” on page 39.
Follow the instructions in “Add an ODBC Data Source to SQL Server,” on page 40.
(Optional) Set SQL Server Database Permissions By Manually Creating Database Roles
By using this recommended method, the View Composer database administrator can set permissions for View Composer administrators to be granted through Microsoft SQL Server database roles.
VMware recommends this method because it removes the requirement to set up the db_owner role for View Composer administrators who install and upgrade View Composer.
In this procedure, you can provide your own names for the database login name, user name, and database roles. The user [vcmpuser] and database roles, VCMP_ADMIN_ROLE and VCMP_USER_ROLE, are example names. The dbo schema is created when you create the View Composer database. You must use the dbo schema name.
Prerequisites
- Verify that a View Composer database is created. See “Add a View Composer Database to SQL Server,” on page 38.
Procedure
1 Log in to a Microsoft SQL Server Management Studio session as the sysadmin (SA) or a user account with sysadmin privileges.
2 Create a user who will be granted the appropriate SQL Server database permissions.
use ViewComposer
go
CREATE LOGIN [vcmpuser] WITH PASSWORD=N'vcmpuser!0', DEFAULT_DATABASE=ViewComposer, DEFAULT_LANGUAGE=us_english, CHECK_POLICY=OFF
go
CREATE USER [vcmpuser] for LOGIN [vcmpuser]
go
use MSDB
go
CREATE USER [vcmpuser] for LOGIN [vcmpuser]
go
3 In the View Composer database, create the database role VCMP_ADMIN_ROLE.
4 In the View Composer database, grant privileges to the VCMP_ADMIN_ROLE.
a Grant the schema permissions ALTER, REFERENCES, and INSERT on the dbo schema.
b Grant the permissions CREATE TABLE, CREATE VIEW, and CREATE PROCEDURE.
5 In the View Composer database, create the VCMP_USER_ROLE.
6 In the View Composer database, grant the schema permissions SELECT, INSERT, DELETE, UPDATE, and EXECUTE on the dbo schema to the VCMP_USER_ROLE.
7 Grant the VCMP_USER_ROLE to the user [vcmpuser].
8 Grant the VCMP_ADMIN_ROLE to the user [vcmpuser].
9 In the MSDB database, create the database role VCMP_ADMIN_ROLE.
10 Grant privileges to the VCMP_ADMIN_ROLE in MSDB.
a On the MSDB tables syscategories, sysjobsteps, and sysjobs, grant the SELECT permission to the user [vcmpuser].
b On the MSDB stored procedures sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category, grant the EXECUTE permission to the role VCMP_ADMIN_ROLE.
11 In the MSDB database, grant the VCMP_ADMIN_ROLE to the user [vcmpuser].
12 Create the ODBC DSN using the SQL Server login vcmpuser.
13 Install View Composer.
14 In the MSDB database, revoke the VCMP_ADMIN_ROLE from the user [vcmpuser].
After you revoke the role, you can leave the role as inactive or remove the role for increased security.
For instructions for creating an ODBC DSN, see “Add an ODBC Data Source to SQL Server,” on page 40.
For instructions for installing View Composer, see “Install the View Composer Service,” on page 45.
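The database-side steps 3 to 14 of the procedure above, gathered into one T-SQL script. This is an added example, not part of the VMware manual; it uses the manual's example names (ViewComposer, vcmpuser, VCMP_ADMIN_ROLE, VCMP_USER_ROLE) and assumes the ViewComposer database and the [vcmpuser] login and users from step 2 already exist. Run the first part before you create the DSN and install View Composer, and the second part after the installation succeeds.

```sql
-- Added example (not from the VMware manual). Names follow the manual's
-- examples; replace them with your own. Assumes the ViewComposer database and
-- the [vcmpuser] login/users created in step 2 already exist.

-- Part 1: run before creating the ODBC DSN and installing View Composer
-- (steps 3 to 11).
USE ViewComposer;
GO
-- Step 3: role that holds the schema-changing rights the installer needs.
CREATE ROLE VCMP_ADMIN_ROLE;
GO
-- Step 4a: schema permissions on dbo.
GRANT ALTER, REFERENCES, INSERT ON SCHEMA::dbo TO VCMP_ADMIN_ROLE;
-- Step 4b: database-level DDL permissions.
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO VCMP_ADMIN_ROLE;
GO
-- Step 5: role for the running service; data access only, no DDL.
CREATE ROLE VCMP_USER_ROLE;
GO
-- Step 6
GRANT SELECT, INSERT, DELETE, UPDATE, EXECUTE ON SCHEMA::dbo TO VCMP_USER_ROLE;
GO
-- Steps 7 and 8: sp_addrolemember works on SQL Server 2008 as well as
-- 2012/2014 (ALTER ROLE ... ADD MEMBER needs 2012 or later).
EXEC sp_addrolemember 'VCMP_USER_ROLE',  'vcmpuser';
EXEC sp_addrolemember 'VCMP_ADMIN_ROLE', 'vcmpuser';
GO

USE msdb;
GO
-- Step 9
CREATE ROLE VCMP_ADMIN_ROLE;
GO
-- Step 10a: read access to the SQL Agent job tables, granted to the user.
GRANT SELECT ON dbo.syscategories TO [vcmpuser];
GRANT SELECT ON dbo.sysjobsteps   TO [vcmpuser];
GRANT SELECT ON dbo.sysjobs       TO [vcmpuser];
-- Step 10b: the Agent job procedures the installer calls, granted to the role
-- so they can be withdrawn in one step afterwards.
GRANT EXECUTE ON dbo.sp_add_job         TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_delete_job      TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_add_jobstep     TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_update_job      TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_add_jobserver   TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_add_jobschedule TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_add_category    TO VCMP_ADMIN_ROLE;
GO
-- Step 11
EXEC sp_addrolemember 'VCMP_ADMIN_ROLE', 'vcmpuser';
GO

-- Steps 12 and 13 happen outside SQL Server: create the ODBC DSN with the
-- vcmpuser login, then run the View Composer installer.

-- Part 2: run after the installation succeeds (step 14). The service keeps
-- VCMP_USER_ROLE and the MSDB SELECT grants; it loses the job-management rights.
USE msdb;
GO
EXEC sp_droprolemember 'VCMP_ADMIN_ROLE', 'vcmpuser';
-- Optional, for increased security: remove the now-unused role entirely.
-- DROP ROLE VCMP_ADMIN_ROLE;
GO

-- Verification: list the explicit permissions held in msdb by vcmpuser and by
-- the admin role, so you can confirm that no EXECUTE on the sp_* job
-- procedures is still reachable after the revoke.
SELECT pr.name            AS principal_name,
       pe.permission_name,
       pe.state_desc,
       pe.class_desc,
       CASE pe.class
            WHEN 1 THEN OBJECT_NAME(pe.major_id)   -- object permission
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)   -- schema permission
            ELSE        DB_NAME()                  -- database-level permission
       END               AS securable
FROM sys.database_permissions  AS pe
JOIN sys.database_principals   AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name IN ('vcmpuser', 'VCMP_ADMIN_ROLE')
ORDER BY pr.name, securable;
GO
```

Run the same verification query in the ViewComposer database to confirm that vcmpuser holds only the two roles and no direct grants there.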
Add an ODBC Data Source to SQL Server
After you add a View Composer database to SQL Server, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.
When you configure an ODBC DSN for View Composer, secure the underlying database connection to an appropriate level for your environment. For information about securing database connections, see the SQL Server documentation.
If the underlying database connection uses SSL encryption, we recommend that you configure your database servers with SSL certificates signed by a trusted CA. If you use self-signed certificates, your database connections might be susceptible to man-in-the-middle attacks.
Prerequisites
Complete the steps described in “Add a View Composer Database to SQL Server,” on page 38.
Procedure
1 On the computer on which View Composer will be installed, select Start > Administrative Tools > Data Source (ODBC).
2 Select the System DSN tab.
3 Click Add and select SQL Native Client from the list.
4 Click Finish.
5 In the Create a New Data Source to SQL Server setup wizard, type a name and description of the View Composer database.
For example: ViewComposer
6 In the Server text box, type the SQL Server database name.
Use the form host_name\server_name, where host_name is the name of the computer and server_name is the SQL Server instance.
For example: VCHOST1\VIM_SQLEXP
7 Click Next.
8 Make sure that the Connect to SQL Server to obtain default settings for the additional configuration options check box is selected and select an authentication option.
Option / Description
Integrated Windows authentication: Select this option if you are using a local instance of SQL Server. This option is also known as trusted authentication. Integrated Windows authentication is supported only if SQL Server is running on the local computer.
SQL Server authentication: Select this option if you are using a remote instance of SQL Server. Windows NT authentication is not supported on remote SQL Server. If you manually set SQL Server database permissions and assigned them to a user, authenticate with that user. For example, authenticate with the user vcmpuser. If not, authenticate as the sysadmin (SA) or a user account with sysadmin privileges.
9 Click Next.
10 Select the Change the default database to check box and select the name of the View Composer database from the list.
For example: ViewComposer
11 If the SQL Server connection is configured with SSL enabled, navigate to the Microsoft SQL Server DSN Configuration page and select Use strong encryption for data.
12 Finish and close the Microsoft ODBC Data Source Administrator wizard.
What to do next
Install the new View Composer service. See “Install the View Composer Service,” on page 45.

Create an Oracle Database for View Composer

View Composer can store linked-clone desktop information in an Oracle 12c or 11g database. You create a View Composer database by adding it to an existing Oracle instance and configuring an ODBC data source for it. You can add a new View Composer database by using the Oracle Database Configuration Assistant or by running a SQL statement.
- Add a View Composer Database to Oracle 12c or 11g on page 42
  You can use the Oracle Database Configuration Assistant to add a new View Composer database to an existing Oracle 12c or 11g instance.
- Use a SQL Statement to Add a View Composer Database to an Oracle Instance on page 42
- Configure an Oracle Database User for View Composer on page 43
  By default, the database user that runs the View Composer database has Oracle system administrator permissions. To restrict the security permissions for the user that runs the View Composer database, you must configure an Oracle database user with specific permissions.
- Add an ODBC Data Source to Oracle 12c or 11g on page 44
  After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.
Add a View Composer Database to Oracle 12c or 11g
You can use the Oracle Database Configuration Assistant to add a new View Composer database to an existing Oracle 12c or 11g instance.
Prerequisites
Verify that a supported version of Oracle 12c or 11g is installed on the local or remote computer. See “Database Requirements for View Composer and the Events Database,” on page 11.
Procedure
1 Start the Database Configuration Assistant on the computer on which you are adding the View Composer database.
Database Version / Action
Oracle 12c: Select Start > All Programs > Oracle-OraDb12c_home > Configuration and Migration Tools > Database Configuration Assistant.
Oracle 11g: Select Start > All Programs > Oracle-OraDb11g_home > Configuration and Migration Tools > Database Configuration Assistant.
2 On the Operations page, select Create a database.
3 On the Database Templates page, select the General Purpose or Transaction Processing template.
4 On the Database Identification page, type a Global Database Name and an Oracle System Identifier (SID) prefix.
For simplicity, use the same value for both items.
5 On the Management Options page, click Next to accept the default settings.
6 On the Database Credentials page, select Use the Same Administrative Passwords for All Accounts and type a password.
7 On the remaining configuration pages, click Next to accept the default settings.
8 On the Creation Options page, verify that Create Database is selected and click Finish.
9 On the Confirmation page, review the options and click OK.
The configuration tool creates the database.
10 On the Database Creation Complete page, click OK.
What to do next
Follow the instructions in “Add an ODBC Data Source to Oracle 12c or 11g,” on page 44.
Use a SQL Statement to Add a View Composer Database to an Oracle Instance
The View Composer database must have certain table spaces and privileges. You can use a SQL statement to create the View Composer database in an Oracle 12c or 11g database instance.
When you create the database, you can customize the location of the data and log files.
Prerequisites
Verify that a supported version of Oracle 12c or 11g is installed on the local or remote computer. For details, see “Database Requirements for View Composer and the Events Database,” on page 11.
Procedure
1 Log in to a SQL*Plus session with the system account.
2 Run the following SQL statement to create the database.
CREATE SMALLFILE TABLESPACE "VCMP"
  DATAFILE '/u01/app/oracle/oradata/vcdb/vcmp01.dbf' SIZE 512M AUTOEXTEND ON NEXT 10M MAXSIZE UNLIMITED
  LOGGING EXTENT MANAGEMENT LOCAL SEGMENT SPACE MANAGEMENT AUTO;
In this example, VCMP is the sample name of the View Composer database and vcmp01.dbf is the name of the database file.
For a Windows installation, use Windows conventions in the directory path to the vcmp01.dbf file.
What to do next
If you want to run the View Composer database with specific security permissions, follow the instructions in “Configure an Oracle Database User for View Composer,” on page 43.
Follow the instructions in “Add an ODBC Data Source to Oracle 12c or 11g,” on page 44.
Configure an Oracle Database User for View Composer
By default, the database user that runs the View Composer database has Oracle system administrator permissions. To restrict the security permissions for the user that runs the View Composer database, you must configure an Oracle database user with specific permissions.
Prerequisites
Verify that a View Composer database was created in an Oracle 12c or 11g instance.
Procedure
1 Log in to a SQL*Plus session with the system account.
2 Run the following SQL command to create a View Composer database user with the correct permissions.
CREATE USER "VCMPADMIN" PROFILE "DEFAULT" IDENTIFIED BY "oracle" DEFAULT TABLESPACE "VCMP" ACCOUNT UNLOCK;
grant connect to VCMPADMIN;
grant resource to VCMPADMIN;
grant create view to VCMPADMIN;
grant create sequence to VCMPADMIN;
grant create table to VCMPADMIN;
grant create materialized view to VCMPADMIN;
grant execute on dbms_lock to VCMPADMIN;
grant execute on dbms_job to VCMPADMIN;
grant unlimited tablespace to VCMPADMIN;
In this example, the user name is VCMPADMIN and the View Composer database name is VCMP.
By default the resource role has the create procedure, create table, and create sequence privileges assigned. If the resource role does not have these privileges, explicitly grant them to the View Composer database user.
Add an ODBC Data Source to Oracle 12c or 11g
After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.
When you configure an ODBC DSN for View Composer, secure the underlying database connection to an appropriate level for your environment. For information about securing database connections, see the Oracle database documentation.
If the underlying database connection uses SSL encryption, we recommend that you configure your database servers with SSL certificates signed by a trusted CA. If you use self-signed certificates, your database connections might be susceptible to man-in-the-middle attacks.
Prerequisites
Verify that you completed the steps described in “Add a View Composer Database to Oracle 12c or 11g,” on page 42 or “Use a SQL Statement to Add a View Composer Database to an Oracle Instance,” on page 42.
Procedure
1 On the View Composer database computer, select Start > Administrative Tools > Data Source (ODBC).
2 From the Microsoft ODBC Data Source Administrator wizard, select the System DSN tab.
3 Click Add and select the appropriate Oracle driver from the list.
For example: OraDb11g_home
4 Click Finish.
5 In the Oracle ODBC Driver Configuration dialog box, type a DSN to use with View Composer, a description of the data source, and a user ID to connect to the database.
If you configured an Oracle database user ID with specific security permissions, specify this user ID.
NOTE You use the DSN when you install the View Composer service.
6 Specify a TNS Service Name by selecting the Global Database Name from the drop-down menu.
The Oracle Database Configuration Assistant specifies the Global Database Name.
7 To verify the data source, click Test Connection and click OK.
What to do next
Install the new View Composer service. See “Install the View Composer Service,” on page 45.

Configuring an SSL Certificate for View Composer

By default, a self-signed certificate is installed with View Composer. You can use the default certificate for testing purposes, but for production use you should replace it with a certificate that is signed by a Certificate Authority (CA).
You can configure a certificate before or after you install View Composer. In View 5.1 and later releases, you configure a certificate by importing it into the Windows local computer certificate store on the Windows Server computer where View Composer is, or will be, installed.
- If you import a CA-signed certificate before you install View Composer, you can select the signed certificate during the View Composer installation. This approach eliminates the manual task of replacing the default certificate after the installation.
- If you intend to replace an existing certificate or the default, self-signed certificate with a new certificate after you install View Composer, you must import the new certificate and run the SviConfig ReplaceCertificate utility to bind your new certificate to the port used by View Composer.
For details about configuring SSL certificates and using the SviConfig ReplaceCertificate utility, see Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.
If you install vCenter Server and View Composer on the same Windows Server computer, they can use the same SSL certificate, but you must configure the certificate separately for each component.

Install the View Composer Service

To use View Composer, you must install the View Composer service. View uses View Composer to create and deploy linked-clone desktops in vCenter Server.
You can install the View Composer service on the Windows Server computer on which vCenter Server is installed or on a separate Windows Server computer. A standalone View Composer installation works with vCenter Server installed on a Windows Server computer and with the Linux-based vCenter Server Appliance.
The View Composer software cannot coexist on the same virtual or physical machine with any other View software component, including a replica server, security server, View Connection Server, View Agent, or Horizon Client.
For enhanced security, we recommend configuring cipher suites to remove known vulnerabilities. For instructions on how to set up a domain policy on cipher suites for Windows machines that run View Composer or View Agent, see “Disable Weak Ciphers in SSL/TLS,” on page 34.
Prerequisites
- Verify that your installation satisfies the View Composer requirements described in “View Composer Requirements,” on page 10.
- Verify that no other View component, including View Connection Server, security server, View Agent, or Horizon Client, is installed on the machine on which you intend to install View Composer.
- Verify that you have a license to install and use View Composer.
- Verify that you have the DSN, domain administrator user name, and password that you provided in the ODBC Data Source Administrator wizard. You enter this information when you install the View Composer service.
- If you plan to configure an SSL certificate signed by a CA for View Composer during the installation, verify that your certificate is imported in the Windows local computer certificate store. See Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.
- Verify that no applications that run on the View Composer computer use Windows SSL libraries that require SSL version 2 (SSLv2) provided through the Microsoft Secure Channel (Schannel) security package. The View Composer installer disables SSLv2 on the Microsoft Schannel. Applications such as Tomcat, which uses Java SSL, or Apache, which uses OpenSSL, are not affected by this constraint.
- To run the View Composer installer, you must be a user with administrator privileges on the system.
Procedure
1 Download the View Composer installer file from the VMware product page at http://www.vmware.com/products/ to the Windows Server computer.
The installer filename is VMware-viewcomposer-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number. This installer file installs the View Composer service on 64-bit Windows Server operating systems.
2 To start the View Composer installation program, right-click the installer file and select Run as administrator.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Type the DSN for the View Composer database that you provided in the Microsoft or Oracle ODBC Data Source Administrator wizard.
For example: VMware View Composer
NOTE If you did not configure a DSN for the View Composer database, click ODBC DSN Setup to configure a name now.
6 Type the domain administrator user name and password that you provided in the ODBC Data Source Administrator wizard.
If you configured an Oracle database user with specific security permissions, specify this user name.
7 Type a port number or accept the default value.
View Connection Server uses this port to communicate with the View Composer service.
8 Provide an SSL certificate.
Option / Action
Create default SSL certificate: Select this radio button to create a default SSL certificate for the View Composer service. After the installation, you can replace the default certificate with an SSL certificate signed by a CA.
Use an existing SSL certificate: Select this radio button if you installed a signed SSL certificate that you want to use for the View Composer service. Select an SSL certificate from the list.
9 Click Install and Finish to complete the View Composer service installation.
The VMware Horizon View Composer service starts.
View Composer uses the cryptographic cipher suites that are provided by the Windows Server operating system. You should follow your organization's guidelines for managing cipher suites on Windows Server systems. If your organization does not provide guidelines, VMware recommends that you disable weak cryptographic cipher suites on the View Composer server to enhance the security of your View environment. For information about managing cryptographic cipher suites, see your Microsoft documentation.
What to do next
If you manually set SQL Server database permissions and assigned them to a user, you can revoke the database administrator role from that user. For details, see the last step in the procedure in “(Optional) Set SQL Server Database Permissions By Manually Creating Database Roles,” on page 39.

Configuring Your Infrastructure for View Composer

You can take advantage of features in vSphere, vCenter Server, Active Directory, and other components of your infrastructure to optimize the performance, availability, and reliability of View Composer.

Configuring the vSphere Environment for View Composer

To support View Composer, you should follow certain best practices when you install and configure vCenter Server, ESXi, and other vSphere components.
These best practices let View Composer work efficiently in the vSphere environment.
- After you create the path and folder information for linked-clone virtual machines, do not change the information in vCenter Server. Instead, use View Administrator to change the folder information.
  If you change this information in vCenter Server, View cannot successfully look up the virtual machines in vCenter Server.
- Make sure that the vSwitch settings on the ESXi host are configured with enough ports to support the total number of virtual NICs that are configured on the linked-clone virtual machines that run on the ESXi host.
- When you deploy linked-clone desktops in a resource pool, make sure that your vSphere environment has enough CPU and memory to host the number of desktops that you require. Use vSphere Client to monitor CPU and memory usage in resource pools.
- In vSphere 5.1 and later, a cluster that is used for View Composer linked clones can contain more than eight ESXi hosts if the replica disks are stored on VMFS5 or later datastores or NFS datastores. If you store replicas on a VMFS version earlier than VMFS5, a cluster can have at most eight hosts.
  In vSphere 5.0, you can select a cluster with more than eight ESXi hosts if the replicas are stored on NFS datastores. If you store replicas on VMFS datastores, a cluster can have at most eight hosts.
- Use vSphere DRS. DRS efficiently distributes linked-clone virtual machines among your hosts.
NOTE Storage vMotion is not supported for linked-clone desktops.

Additional Best Practices for View Composer

To make sure that View Composer works efficiently, check that your dynamic name service (DNS) operates correctly, and run antivirus software scans at staggered times.
By making sure that DNS resolution operates correctly, you can overcome intermittent issues caused by DNS errors. The View Composer service relies on dynamic name resolution to communicate with other computers. To test DNS operation, ping the Active Directory and View Connection Server computers by name.
If you stagger the run times for your antivirus software, performance of the linked-clone desktops is not affected. If the antivirus software runs in all linked clones at the same time, excessive I/O operations per second (IOPS) occur in your storage subsystem. This excessive activity can affect performance of the linked-clone desktops.

Installing View Connection Server 7

To use View Connection Server, you install the software on supported computers, configure the required components, and, optionally, optimize the components.
This chapter includes the following topics:
- “Installing the View Connection Server Software,” on page 49
- “Installation Prerequisites for View Connection Server,” on page 49
- “Install View Connection Server with a New Configuration,” on page 50
- “Install a Replicated Instance of View Connection Server,” on page 56
- “Configure a Security Server Pairing Password,” on page 62
- “Install a Security Server,” on page 62
- “Firewall Rules for View Connection Server,” on page 70
- “Reinstall View Connection Server with a Backup Configuration,” on page 71
- “Microsoft Windows Installer Command-Line Options,” on page 73
- “Uninstalling View Components Silently by Using MSI Command-Line Options,” on page 75

Installing the View Connection Server Software

Depending on the performance, availability, and security needs of your View deployment, you can install a single instance of View Connection Server, replicated instances of View Connection Server, and security servers. You must install at least one instance of View Connection Server.
When you install View Connection Server, you select a type of installation.
Standard installation: Generates a View Connection Server instance with a new View LDAP configuration.
Replica installation: Generates a View Connection Server instance with a View LDAP configuration that is copied from an existing instance.
Security server installation: Generates a View Connection Server instance that adds an additional layer of security between the Internet and your internal network.

Installation Prerequisites for View Connection Server

Before you install View Connection Server, you must verify that your installation environment satisfies specific prerequisites.
- You must have a valid license key for View.
- You must join the View Connection Server host to an Active Directory domain. View Connection Server supports the following Active Directory Domain Services (AD DS) domain functional levels:
  - Windows Server 2003
  - Windows Server 2008
  - Windows Server 2008 R2
  - Windows Server 2012
  - Windows Server 2012 R2
- The View Connection Server host must not be a domain controller.
  NOTE View Connection Server does not make, nor does it require, any schema or configuration updates to Active Directory.
- Do not install View Connection Server on systems that have the Windows Terminal Server role installed. You must remove the Windows Terminal Server role from any system on which you install View Connection Server.
- Do not install View Connection Server on a system that performs any other functions or roles. For example, do not use the same system to host vCenter Server.
- The system on which you install View Connection Server must have an IP address that does not change. In an IPv4 environment, configure a static IP address. In an IPv6 environment, machines automatically get IP addresses that do not change.
- To run the View Connection Server installer, you must use a domain user account with Administrator privileges on the system.
- When you install View Connection Server, you authorize a View Administrators account. You can specify the local Administrators group or a domain user or group account. View assigns full View Administration rights, including the right to install replicated View Connection Server instances, to this account only. If you specify a domain user or group, you must create the account in Active Directory before you run the installer.

Install View Connection Server with a New Configuration

To install View Connection Server as a single server or as the first instance in a group of replicated View Connection Server instances, you use the standard installation option.
When you select the standard installation option, the installation creates a new, local View LDAP configuration. The installation loads the schema definitions, Directory Information Tree (DIT) definition, and ACLs and initializes the data.
After installation, you manage most View LDAP configuration data by using View Administrator. View Connection Server automatically maintains some View LDAP entries.
The View Connection Server software cannot coexist on the same virtual or physical machine with any other View software component, including a replica server, security server, View Composer, View Agent, or Horizon Client.
When you install View Connection Server with a new configuration, you can participate in a customer experience improvement program. VMware collects anonymous data about your deployment in order to improve VMware's response to user requirements. No data that identifies your organization is collected. You can choose not to participate by deselecting this option during the installation. If you change your mind about participating after the installation, you can either join or withdraw from the program by editing the Product Licensing and Usage page in View Administrator. To review the list of fields from which data is collected, including the fields that are made anonymous, see "Information Collected by the Customer Experience Improvement Program" in the View Administration document.
By default, the HTML Access component is installed on the View Connection Server host when you install View Connection Server. This component configures the View user portal page to display an HTML Access icon in addition to the Horizon Client icon. The additional icon allows users to select HTML Access when they connect to their desktops.
For an overview of setting up View Connection Server for HTML Access, see "Preparing View Connection Server and Security Servers for HTML Access" in the Using HTML Access document, located on the Horizon Client Documentation page.
Prerequisites
- Verify that you can log in as a domain user with administrator privileges on the Windows Server computer on which you install View Connection Server.
- Verify that your installation satisfies the requirements described in “View Connection Server Requirements,” on page 7.
- Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 49.
- If you intend to authorize a domain user or group as the View Administrators account, verify that you created the domain account in Active Directory.
- If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which you are installing View Connection Server, install the Microsoft hotfix that is described in KB 978116 at http://support.microsoft.com/kb/978116.
- Prepare a data recovery password. When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup View configuration, you must provide the data recovery password. The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.
  IMPORTANT You will need the data recovery password to keep View operating and avoid downtime in a Business Continuity and Disaster Recovery (BCDR) scenario. You can provide a password reminder with the password when you install View Connection Server.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for View Connection Server instances. See “Firewall Rules for View Connection Server,” on page 70.
- If you plan to pair a security server with this View Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
- If your network topology includes a back-end firewall between a security server and the View Connection Server instance, you must configure the firewall to support IPsec. See “Configuring a Back-End Firewall to Support IPsec,” on page 71.
Procedure
1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
  Under Desktop & End-User Computing, select the VMware Horizon 6 download, which includes View Connection Server.
  The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 To start the View Connection Server installation program, double-click the installer file.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Select the View Standard Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
  You must install all View components with the same IP version.
7 Select whether to enable or disable FIPS mode.
  This option is available only if FIPS mode is enabled in Windows.
8 Make sure that Install HTML Access is selected if you intend to allow users to connect to their desktops by using HTML Access.
  If IPv4 is selected, this setting is selected by default. If IPv6 is selected, this setting is not displayed because HTML Access is not supported in an IPv6 environment.
9 Type a data recovery password and, optionally, a password reminder.
10 Choose how to configure the Windows Firewall service.
  • Configure Windows Firewall automatically: Let the installer configure Windows Firewall to allow the required network connections.
  • Do not configure Windows Firewall: Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall.
11 Authorize a View Administrators account.
  Only members of this account can log in to View Administrator, exercise full administration rights, and install replicated View Connection Server instances and other View servers.
  • Authorize the local Administrators group: Allows users in the local Administrators group to administer View.
  • Authorize a specific domain user or domain group: Allows the specified domain user or group to administer View.
12 If you specified a domain View Administrators account, and you are running the installer as a local administrator or another user without access to the domain account, provide credentials to log in to the domain with an authorized user name and password.
  Use domain name\user name or user principal name (UPN) format. UPN format can be user@domain.com.
13 Choose whether to participate in the customer experience improvement program.
  If you participate, you can optionally select the type, size, and location of your organization.
14 Complete the installation wizard to finish installing View Connection Server.
15 Check for new patches on the Windows Server computer and run Windows Update as needed.
  Even if you fully patched the Windows Server computer before you installed View Connection Server, the installation might have enabled operating system features for the first time. Additional patches might now be required.
The View services are installed on the Windows Server computer:
• VMware Horizon View Connection Server
• VMware Horizon View Framework Component
• VMware Horizon View Message Bus Component
• VMware Horizon View Script Host
• VMware Horizon View Security Gateway Component
• VMware Horizon View PCoIP Secure Gateway
• VMware Horizon View Blast Secure Gateway
• VMware Horizon View Web Component
• VMware VDMDS, which provides View LDAP directory services
For information about these services, see the View Administration document.
If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer. This component configures the HTML Access icon in the View user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the View Connection Server on TCP port 8443.
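The services and the Blast-In firewall rule named above can be checked on the server once the wizard finishes. The following PowerShell script is an added example, not code from the VMware manual. It assumes that the service display names match the list above (the VDMDS entry is matched with a wildcard because the manual gives only its descriptive name), that the firewall rule display name is exactly "VMware Horizon View Connection Server (Blast-In)", and that the NetSecurity cmdlets are available, which is the case on Windows Server 2012 and later but not on Windows Server 2008 R2.

```powershell
# Added example, not code from the VMware manual. Verifies that the services
# the manual lists are installed and running, and that the Blast-In rule is in
# the state implied by the Install HTML Access choice made during installation.
# Assumptions: display names as listed in the manual ("VMware*VDMDS*" is a
# wildcard guess), and the NetSecurity module (Windows Server 2012 or later).
$ExpectedServiceDisplayNames = @(
    'VMware Horizon View Connection Server',
    'VMware Horizon View Framework Component',
    'VMware Horizon View Message Bus Component',
    'VMware Horizon View Script Host',
    'VMware Horizon View Security Gateway Component',
    'VMware Horizon View PCoIP Secure Gateway',
    'VMware Horizon View Blast Secure Gateway',
    'VMware Horizon View Web Component',
    'VMware*VDMDS*'
)
$BlastInRuleName = 'VMware Horizon View Connection Server (Blast-In)'

function Test-ViewConnectionServerInstall {
    [CmdletBinding()]
    param(
        # Use when Install HTML Access was deselected: the Blast-In rule must
        # then not be enabled, because nothing should accept browser clients on TCP 8443.
        [switch]$HtmlAccessDisabled
    )
    $problems = @()

    foreach ($name in $ExpectedServiceDisplayNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $svc) {
            $problems += "Service not installed: $name"
        } elseif ($svc.Status -ne 'Running') {
            $problems += "Service not running: $name ($($svc.Status))"
        }
    }

    $rule = Get-NetFirewallRule -DisplayName $BlastInRuleName -ErrorAction SilentlyContinue
    $enabled = [bool]$rule -and ($rule.Enabled -eq 'True')
    if ($HtmlAccessDisabled) {
        if ($enabled) { $problems += "$BlastInRuleName is enabled although HTML Access was not installed" }
    } elseif (-not $enabled) {
        $problems += "$BlastInRuleName is missing or disabled; browser clients cannot reach TCP 8443"
    } else {
        # Confirm the rule still opens only the port the manual documents.
        $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
        if ($ports -ne '8443') { $problems += "$BlastInRuleName opens port(s) $ports, expected 8443" }
    }

    if ($problems.Count -eq 0) { Write-Host 'View Connection Server installation looks healthy' }
    return $problems
}

# Run with -HtmlAccessDisabled if Install HTML Access was deselected in step 8.
Test-ViewConnectionServerInstall
```

The script returns a list of findings rather than stopping at the first one, so it can be run from a configuration-management job after each install and the output compared across replicated instances.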
What to do next
Configure SSL server certificates for View Connection Server. See Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.
Perform initial configuration on View Connection Server. See Chapter 9, “Configuring View for the First Time,” on page 95.
If you plan to include replicated View Connection Server instances and security servers in your deployment, you must install each server instance by running the View Connection Server installer file.
If you are reinstalling View Connection Server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.

Install View Connection Server Silently

You can use the silent installation feature of the Microsoft Windows Installer (MSI) to perform a standard installation of View Connection Server on several Windows computers. In a silent installation, you use the command line and do not have to respond to wizard prompts.
With silent installation, you can efficiently deploy View components in a large enterprise.
Prerequisites
• Verify that you can log in as a domain user with administrator privileges on the Windows Server computer on which you install View Connection Server.
• Verify that your installation satisfies the requirements described in “View Connection Server Requirements,” on page 7.
• Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 49.
• If you intend to authorize a domain user or group as the View Administrators account, verify that you created the domain account in Active Directory.
• If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which you are installing View Connection Server, install the Microsoft hotfix that is described in KB 978116 at http://support.microsoft.com/kb/978116.
• Familiarize yourself with the network ports that must be opened on the Windows Firewall for View Connection Server instances. See “Firewall Rules for View Connection Server,” on page 70.
• If you plan to pair a security server with this View Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
• If your network topology includes a back-end firewall between a security server and the View Connection Server instance, you must configure the firewall to support IPsec. See “Configuring a Back-End Firewall to Support IPsec,” on page 71.
• Verify that the Windows computer on which you install View Connection Server has version 2.0 or later of the MSI runtime engine. For details, see the Microsoft Web site.
• Familiarize yourself with the MSI installer command-line options. See “Microsoft Windows Installer Command-Line Options,” on page 73.
• Familiarize yourself with the silent installation properties available with a standard installation of View Connection Server. See “Silent Installation Properties for a View Connection Server Standard Installation,” on page 55.
Procedure
1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
  Under Desktop & End-User Computing, select the VMware Horizon 6 download, which includes View Connection Server.
  The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line.
  For example: VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=1 VDM_INITIAL_ADMIN_SID=S-1-5-32-544 VDM_SERVER_RECOVERY_PWD=mini VDM_SERVER_RECOVERY_PWD_REMINDER=""First car"""
  IMPORTANT When you perform a silent installation, the full command line, including the data recovery password, is logged in the installer's vminst.log file. After the installation is complete, either delete this log file or change the data recovery password by using View Administrator.
4 Check for new patches on the Windows Server computer and run Windows Update as needed.
  Even if you fully patched the Windows Server computer before you installed View Connection Server, the installation might have enabled operating system features for the first time. Additional patches might now be required.
The View services are installed on the Windows Server computer:
• VMware Horizon View Connection Server
• VMware Horizon View Framework Component
• VMware Horizon View Message Bus Component
• VMware Horizon View Script Host
• VMware Horizon View Security Gateway Component
• VMware Horizon View PCoIP Secure Gateway
• VMware Horizon View Blast Secure Gateway
• VMware Horizon View Web Component
• VMware VDMDS, which provides View LDAP directory services
For information about these services, see the View Administration document.
If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer. This component configures the HTML Access icon in the View user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the View Connection Server on TCP port 8443.
What to do next
Configure SSL server certificates for View Connection Server. See Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.
If you are configuring View for the first time, perform initial configuration on View Connection Server. See Chapter 9, “Configuring View for the First Time,” on page 95.

Silent Installation Properties for a View Connection Server Standard Installation

You can include specific View Connection Server properties when you perform a silent installation from the command line. You must use a PROPERTY=value format so that Microsoft Windows Installer (MSI) can interpret the properties and values.
Table 71. MSI Properties for Silently Installing View Connection Server in a Standard Installation

INSTALLDIR
  Description: The path and folder in which the View Connection Server software is installed. For example: INSTALLDIR=""D:\abc\my folder""
  The sets of two double quotes that enclose the path permit the MSI installer to interpret the space as a valid part of the path.
  Default value: %ProgramFiles%\VMware\VMware View\Server

VDM_SERVER_INSTANCE_TYPE
  Description: The type of View server installation:
    1. Standard installation
    2. Replica installation
    3. Security server installation
  For example, to perform a standard installation, define VDM_SERVER_INSTANCE_TYPE=1
  Default value: 1

FWCHOICE
  Description: The MSI property that determines whether to configure a firewall for the View Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. For example: FWCHOICE=1
  Default value: 1

VDM_INITIAL_ADMIN_SID
  Description: The SID of the initial View Administrators user or group that is authorized with full administration rights in View. The default value is the SID of the local Administrators group on the View Connection Server computer. You can specify a SID of a domain user or group account.
  Default value: S-1-5-32-544

VDM_SERVER_RECOVERY_PWD
  Description: The data recovery password. If a data recovery password is not set in View LDAP, this property is mandatory. The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.
  Default value: None

VDM_SERVER_RECOVERY_PWD_REMINDER
  Description: The data recovery password reminder. This property is optional.
  Default value: None

VDM_IP_PROTOCOL_USAGE
  Description: Specifies the IP version that View components use for communication. The possible values are IPv4 and IPv6.
  Default value: IPv4

VDM_FIPS_ENABLED
  Description: Specifies whether to enable or disable FIPS mode. A value of 1 enables FIPS mode. A value of 0 disables FIPS mode. If this property is set to 1 and Windows is not in FIPS mode, the installer will abort.
  Default value: 0

Install a Replicated Instance of View Connection Server

To provide high availability and load balancing, you can install one or more additional instances of View Connection Server that replicate an existing View Connection Server instance. After a replica installation, the existing and newly installed instances of View Connection Server are identical.
When you install a replicated instance, View copies the View LDAP configuration data from the existing View Connection Server instance.
After the installation, identical View LDAP configuration data is maintained on all View Connection Server instances in the replicated group. When a change is made on one instance, the updated information is copied to the other instances.
If a replicated instance fails, the other instances in the group continue to operate. When the failed instance resumes activity, its configuration is updated with the changes that took place during the outage.
NOTE Replication functionality is provided by View LDAP, which uses the same replication technology as Active Directory.
The replica server software cannot coexist on the same virtual or physical machine with any other View software component, including a security server, View Connection Server, View Composer, View Agent, or Horizon Client.
By default, the HTML Access component is installed on the View Connection Server host when you install View Connection Server. This component configures the View user portal page to display an HTML Access icon in addition to the Horizon Client icon. The additional icon allows users to select HTML Access when they connect to their desktops.
For an overview of setting up View Connection Server for HTML Access, see "Preparing View Connection Server and Security Servers for HTML Access" in the Using HTML Access document, located on the Horizon Client Documentation page.
Prerequisites
• Verify that at least one View Connection Server instance is installed and configured on the network.
• To install the replicated instance, you must log in as a user with the View Administrators role. You specify the account or group with the View Administrators role when you install the first instance of View Connection Server. The role can be assigned to the local Administrators group or a domain user or group. See “Install View Connection Server with a New Configuration,” on page 50.
• If the existing View Connection Server instance is in a different domain than the replicated instance, the domain user must also have View Administrator privileges on the Windows Server computer where the existing instance is installed.
• If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which you are installing View Connection Server, install the Microsoft hotfix that is described in KB 978116 at http://support.microsoft.com/kb/978116.
• Verify that your installation satisfies the requirements described in “View Connection Server Requirements,” on page 7.
• Verify that the computers on which you install replicated View Connection Server instances are connected over a high-performance LAN. See “Network Requirements for Replicated View Connection Server Instances,” on page 9.
• Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 49.
• If you install a replicated View Connection Server instance that is View 5.1 or later, and the existing View Connection Server instance you are replicating is View 5.0.x or earlier, prepare a data recovery password. See “Install View Connection Server with a New Configuration,” on page 50.
• Familiarize yourself with the network ports that must be opened on the Windows Firewall for View Connection Server instances. See “Firewall Rules for View Connection Server,” on page 70.
• If you plan to pair a security server with this View Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
• If your network topology includes a back-end firewall between a security server and the View Connection Server instance, you must configure the firewall to support IPsec. See “Configuring a Back-End Firewall to Support IPsec,” on page 71.
Procedure
1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
  Under Desktop & End-User Computing, select the VMware Horizon 6 download, which includes View Connection Server.
  The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 To start the View Connection Server installation program, double-click the installer file.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Select the View Replica Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
  You must install all View components with the same IP version.
7 Select whether to enable or disable FIPS mode.
  This option is available only if FIPS mode is enabled in Windows.
8 Make sure that Install HTML Access is selected if you intend to allow users to connect to their desktops by using HTML Access.
  If IPv4 is selected, this setting is selected by default. If IPv6 is selected, this setting is not displayed because HTML Access is not supported in an IPv6 environment.
9 Enter the host name or IP address of the existing View Connection Server instance you are replicating.
10 Type a data recovery password and, optionally, a password reminder.
  You are prompted for a data recovery password only if the existing View Connection Server instance you are replicating is View 5.0.x or earlier.
11 Choose how to configure the Windows Firewall service.
  • Configure Windows Firewall automatically: Let the installer configure Windows Firewall to allow the required network connections.
  • Do not configure Windows Firewall: Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall.
12 Complete the installation wizard to finish installing the replicated instance.
13 Check for new patches on the Windows Server computer and run Windows Update as needed.
  Even if you fully patched the Windows Server computer before you installed View Connection Server, the installation might have enabled operating system features for the first time. Additional patches might now be required.
The View services are installed on the Windows Server computer:
• VMware Horizon View Connection Server
• VMware Horizon View Framework Component
• VMware Horizon View Message Bus Component
• VMware Horizon View Script Host
• VMware Horizon View Security Gateway Component
• VMware Horizon View PCoIP Secure Gateway
• VMware Horizon View Blast Secure Gateway
• VMware Horizon View Web Component
• VMware VDMDS, which provides View LDAP directory services
For information about these services, see the View Administration document.
If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer. This component configures the HTML Access icon in the View user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the View Connection Server on TCP port 8443.
What to do next
Configure an SSL server certificate for the View Connection Server instance. See Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.
You do not have to perform an initial View configuration on a replicated instance of View Connection Server. The replicated instance inherits its configuration from the existing View Connection Server instance.
However, you might have to configure client connection settings for this View Connection Server instance, and you can tune Windows Server settings to support a large deployment. See “Configuring Horizon Client Connections,” on page 109 and “Sizing Windows Server Settings to Support Your Deployment,” on page 120.
If you are reinstalling View Connection Server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.

Install a Replicated Instance of View Connection Server Silently

You can use the silent installation feature of the Microsoft Windows Installer (MSI) to install a replicated instance of View Connection Server on several Windows computers. In a silent installation, you use the command line and do not have to respond to wizard prompts.
With silent installation, you can efficiently deploy View components in a large enterprise.
Prerequisites
• Verify that at least one View Connection Server instance is installed and configured on the network.
• To install the replicated instance, you must log in as a user with credentials to access the View Administrators account. You specify the View Administrators account when you install the first instance of View Connection Server. The account can be the local Administrators group or a domain user or group account. See “Install View Connection Server with a New Configuration,” on page 50.
• If the existing View Connection Server instance is in a different domain than the replicated instance, the domain user must also have View Administrator privileges on the Windows Server computer where the existing instance is installed.
• If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which you are installing View Connection Server, install the Microsoft hotfix that is described in KB 978116 at http://support.microsoft.com/kb/978116.
• Verify that your installation satisfies the requirements described in “View Connection Server Requirements,” on page 7.
• Verify that the computers on which you install replicated View Connection Server instances are connected over a high-performance LAN. See “Network Requirements for Replicated View Connection Server Instances,” on page 9.
• Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 49.
• Familiarize yourself with the network ports that must be opened on the Windows Firewall for View Connection Server instances. See “Firewall Rules for View Connection Server,” on page 70.
• If you plan to pair a security server with this View Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
• If your network topology includes a back-end firewall between a security server and the View Connection Server instance, you must configure the firewall to support IPsec. See “Configuring a Back-End Firewall to Support IPsec,” on page 71.
• Familiarize yourself with the MSI installer command-line options. See “Microsoft Windows Installer Command-Line Options,” on page 73.
• Familiarize yourself with the silent installation properties available with a replica installation of View Connection Server. See “Silent Installation Properties for a Replicated Instance of View Connection Server,” on page 61.
Procedure
1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
  Under Desktop & End-User Computing, select the VMware Horizon 6 download, which includes View Connection Server.
  The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line.
  For example: VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=2 ADAM_PRIMARY_NAME=cs1.companydomain.com VDM_INITIAL_ADMIN_SID=S-1-5-32-544"
  If you install a replicated View Connection Server instance that is View 5.1 or later, and the existing View Connection Server instance you are replicating is View 5.0.x or earlier, you must specify a data recovery password, and you can add a password reminder. For example: VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=2 ADAM_PRIMARY_NAME=cs1.companydomain.com VDM_INITIAL_ADMIN_SID=S-1-5-32-544 VDM_SERVER_RECOVERY_PWD=mini VDM_SERVER_RECOVERY_PWD_REMINDER=""First car"""
  IMPORTANT When you perform a silent installation, the full command line, including the data recovery password, is logged in the installer's vminst.log file. After the installation is complete, either delete this log file or change the data recovery password by using View Administrator.
4 Check for new patches on the Windows Server computer and run Windows Update as needed.
  Even if you fully patched the Windows Server computer before you installed View Connection Server, the installation might have enabled operating system features for the first time. Additional patches might now be required.
The View services are installed on the Windows Server computer:
• VMware Horizon View Connection Server
• VMware Horizon View Framework Component
• VMware Horizon View Message Bus Component
• VMware Horizon View Script Host
• VMware Horizon View Security Gateway Component
• VMware Horizon View PCoIP Secure Gateway
• VMware Horizon View Blast Secure Gateway
• VMware Horizon View Web Component
• VMware VDMDS, which provides View LDAP directory services
For information about these services, see the View Administration document.
If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer. This component configures the HTML Access icon in the View user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the View Connection Server on TCP port 8443.
What to do next
Configure an SSL server certificate for the View Connection Server instance. See Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.
You do not have to perform an initial View configuration on a replicated instance of View Connection Server. The replicated instance inherits its configuration from the existing View Connection Server instance.
However, you might have to configure client connection settings for this View Connection Server instance, and you can tune Windows Server settings to support a large deployment. See “Configuring Horizon Client Connections,” on page 109 and “Sizing Windows Server Settings to Support Your Deployment,” on page 120.

Silent Installation Properties for a Replicated Instance of View Connection Server

You can include specific properties when you silently install a replicated View Connection Server instance from the command line. You must use a PROPERTY=value format so that Microsoft Windows Installer (MSI) can interpret the properties and values.
Table 72. MSI Properties for Silently Installing a Replicated Instance of View Connection Server

INSTALLDIR
  Description: The path and folder in which the View Connection Server software is installed. For example: INSTALLDIR=""D:\abc\my folder""
  The sets of two double quotes that enclose the path permit the MSI installer to interpret the space as a valid part of the path.
  This MSI property is optional.
  Default value: %ProgramFiles%\VMware\VMware View\Server

VDM_SERVER_INSTANCE_TYPE
  Description: The type of View server installation:
    1. Standard installation
    2. Replica installation
    3. Security server installation
  To install a replicated instance, define VDM_SERVER_INSTANCE_TYPE=2
  This MSI property is required when installing a replica.
  Default value: 1

ADAM_PRIMARY_NAME
  Description: The host name or IP address of the existing View Connection Server instance you are replicating. For example: ADAM_PRIMARY_NAME=cs1.companydomain.com
  This MSI property is required.
  Default value: None

FWCHOICE
  Description: The MSI property that determines whether to configure a firewall for the View Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. For example: FWCHOICE=1
  This MSI property is optional.
  Default value: 1

VDM_SERVER_RECOVERY_PWD
  Description: The data recovery password. If a data recovery password is not set in View LDAP, this property is mandatory.
  NOTE The data recovery password is not set in View LDAP if the standard View Connection Server instance you are replicating is View 5.0 or earlier. If the View Connection Server instance you are replicating is View 5.1 or later, you do not have to provide this property.
  The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.
  Default value: None

VDM_SERVER_RECOVERY_PWD_REMINDER
  Description: The data recovery password reminder. This property is optional.
  Default value: None

VDM_IP_PROTOCOL_USAGE
  Description: Specifies the IP version that View components use for communication. The possible values are IPv4 and IPv6.
  Default value: IPv4

VDM_FIPS_ENABLED
  Description: Specifies whether to enable or disable FIPS mode. A value of 1 enables FIPS mode. A value of 0 disables FIPS mode. If this property is set to 1 and Windows is not in FIPS mode, the installer will abort.
  Default value: 0
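The silent installation commands shown in “Install View Connection Server Silently” and “Install a Replicated Instance of View Connection Server Silently”, together with the properties in Table 71 and Table 72, can be driven from one script that validates the property values before the installer runs and cleans up afterwards. The following PowerShell is an added example, not code from the VMware manual. It assumes that the caller supplies the installer path, that the log file the IMPORTANT notes refer to is written to %TEMP%\vminst.log (the manual names the file but not its folder), and that the Windows FIPS policy flag lives at the standard registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled. The function, parameter and variable names are the example's own.

```powershell
# Added example, not code from the VMware manual. Builds and runs the silent
# installation command line for a standard (VDM_SERVER_INSTANCE_TYPE=1) or a
# replicated (VDM_SERVER_INSTANCE_TYPE=2) instance using the MSI properties
# from Tables 71 and 72, then removes vminst.log because the full command
# line, recovery password included, is logged there.
# Assumptions: installer path supplied by the caller; log at %TEMP%\vminst.log;
# Windows FIPS policy read from the standard Lsa\FipsAlgorithmPolicy key.

function New-ViewSilentInstallArgumentString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet(1, 2)][int]$InstanceType,
        [string]$PrimaryServer,                                      # ADAM_PRIMARY_NAME (replica only)
        [string]$AdminSid = 'S-1-5-32-544',                          # VDM_INITIAL_ADMIN_SID, local Administrators
        [string]$RecoveryPassword,                                   # VDM_SERVER_RECOVERY_PWD
        [string]$RecoveryReminder,                                   # VDM_SERVER_RECOVERY_PWD_REMINDER
        [ValidateSet(1, 2)][int]$FirewallChoice = 1,                 # FWCHOICE: 1 configure, 2 leave to you
        [ValidateSet('IPv4', 'IPv6')][string]$IpProtocol = 'IPv4',   # VDM_IP_PROTOCOL_USAGE
        [switch]$Fips                                                # VDM_FIPS_ENABLED
    )
    if ($InstanceType -eq 2 -and -not $PrimaryServer) {
        throw 'ADAM_PRIMARY_NAME is required when installing a replica (VDM_SERVER_INSTANCE_TYPE=2)'
    }
    if ($InstanceType -eq 1 -and -not $RecoveryPassword) {
        throw 'A data recovery password is required for a standard installation'
    }
    if ($RecoveryPassword -and $RecoveryPassword.Length -gt 128) {
        throw 'The data recovery password must contain between 1 and 128 characters'
    }
    if ($AdminSid -notmatch '^S-1-5-[0-9-]+$') {
        throw "VDM_INITIAL_ADMIN_SID must be a SID, got '$AdminSid'"
    }

    $props = @(
        "VDM_SERVER_INSTANCE_TYPE=$InstanceType",
        "VDM_INITIAL_ADMIN_SID=$AdminSid",
        "FWCHOICE=$FirewallChoice",
        "VDM_IP_PROTOCOL_USAGE=$IpProtocol",
        "VDM_FIPS_ENABLED=$([int]$Fips.IsPresent)"
    )
    if ($PrimaryServer)    { $props += "ADAM_PRIMARY_NAME=$PrimaryServer" }
    if ($RecoveryPassword) { $props += "VDM_SERVER_RECOVERY_PWD=$RecoveryPassword" }
    # A value containing spaces is wrapped in doubled quotes inside the /v"..."
    # string, as the manual's ""First car"" example shows.
    if ($RecoveryReminder) { $props += 'VDM_SERVER_RECOVERY_PWD_REMINDER=""' + $RecoveryReminder + '""' }

    return '/s /v"/qn ' + ($props -join ' ') + '"'
}

function Install-ViewConnectionServerSilently {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$InstallerPath,   # VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe
        [Parameter(Mandatory)][string]$ArgumentString
    )
    if ($ArgumentString -match 'VDM_FIPS_ENABLED=1') {
        # The installer aborts if FIPS is requested while Windows is not in FIPS mode; fail early instead.
        $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
        $fipsOn = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
        if (-not $fipsOn) { throw 'VDM_FIPS_ENABLED=1 requested but Windows is not in FIPS mode' }
    }

    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $ArgumentString -Wait -PassThru

    # vminst.log records the full command line, including the recovery password (assumed location).
    $log = Join-Path $env:TEMP 'vminst.log'
    if (Test-Path $log) { Remove-Item $log -Force }
    return $proc.ExitCode
}

# Constructed usage: a replica of cs1.companydomain.com (the manual's example
# host name) and a standard instance with a placeholder recovery password.
$replicaArgs  = New-ViewSilentInstallArgumentString -InstanceType 2 -PrimaryServer 'cs1.companydomain.com'
$standardArgs = New-ViewSilentInstallArgumentString -InstanceType 1 -RecoveryPassword 'replace-me' -RecoveryReminder 'First car'
$replicaArgs
$standardArgs
# On the target server: Install-ViewConnectionServerSilently -InstallerPath '.\VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe' -ArgumentString $standardArgs
```

Deleting vminst.log covers only the copy the installer writes; the recovery password also passes through the process command line, so if the host forwards process-creation events to a SIEM, rotate the password in View Administrator after the rollout as the manual's alternative suggests.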

Configure a Security Server Pairing Password

Before you can install a security server, you must configure a security server pairing password. When you install a security server with the View Connection Server installation program, the program prompts you for this password during the installation process.
The security server pairing password is a one-time password that permits a security server to be paired with a View Connection Server instance. The password becomes invalid after you provide it to the View Connection Server installation program.
NOTE You cannot pair an older version of security server with the current version of View Connection Server. If you configure a pairing password on the current version of View Connection Server and try to install an older version of security server, the pairing password will be invalid.
Procedure
1 In View Administrator, select View Configuration > Servers.
2 In the Connection Servers tab, select the View Connection Server instance to pair with the security server.
3 From the More Commands drop-down menu, select Specify Security Server Pairing Password.
4 Type the password in the Pairing password and Confirm password text boxes and specify a password timeout value.
You must use the password within the specified timeout period.
5 Click OK to configure the password.
What to do next
Install a security server. See “Install a Security Server,” on page 62.
IMPORTANT If you do not provide the security server pairing password to the View Connection Server installation program within the password timeout period, the password becomes invalid and you must configure a new password.

Install a Security Server

A security server is an instance of View Connection Server that adds an additional layer of security between the Internet and your internal network. You can install one or more security servers to be connected to a View Connection Server instance.
The security server software cannot coexist on the same virtual or physical machine with any other View software component, including a replica server, View Connection Server, View Composer, View Agent, or Horizon Client.
Prerequisites
- Determine the type of topology to use. For example, determine which load balancing solution to use. Decide if the View Connection Server instances that are paired with security servers will be dedicated to users of the external network. For information, see the View Architecture Planning document.
  IMPORTANT If you use a load balancer, it must have an IP address that does not change. In an IPv4 environment, configure a static IP address. In an IPv6 environment, machines automatically get IP addresses that do not change.
- Verify that your installation satisfies the requirements described in “View Connection Server Requirements,” on page 7.
- Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 49.
- Verify that the View Connection Server instance to be paired with the security server is installed and configured and is running a View Connection Server version that is compatible with the security server version. See "View Component Compatibility Matrix" in the View Upgrades document.
- Verify that the View Connection Server instance to be paired with the security server is accessible to the computer on which you plan to install the security server.
- Configure a security server pairing password. See “Configure a Security Server Pairing Password,” on page 62.
- Familiarize yourself with the format of external URLs. See “Configuring External URLs for Secure Gateway and Tunnel Connections,” on page 112.
- Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for a security server. See “Firewall Rules for View Connection Server,” on page 70.
- If your network topology includes a back-end firewall between the security server and View Connection Server, you must configure the firewall to support IPsec. See “Configuring a Back-End Firewall to Support IPsec,” on page 71.
- If you are upgrading or reinstalling the security server, verify that the existing IPsec rules for the security server were removed. See “Remove IPsec Rules for the Security Server,” on page 69.
- If you are installing View in FIPS mode, you must deselect the global setting Use IPSec for Security Server Connections in View Administrator, because in FIPS mode, you must configure IPsec manually after installing a security server.
Procedure
1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 6 download, which includes View Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 To start the View Connection Server installation program, double-click the installer file.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Select the View Security Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
You must install all View components with the same IP version.
7 Select whether to enable or disable FIPS mode.
This option is available only if FIPS mode is enabled in Windows.
8 Type the fully qualified domain name or IP address of the View Connection Server instance to pair with the security server in the Server text box.
The security server forwards network traffic to this View Connection Server instance.
9 Type the security server pairing password in the Password text box.
If the password has expired, you can use View Administrator to configure a new password and type the new password in the installation program.
10 In the External URL text box, type the external URL of the security server for client endpoints that use the RDP or PCoIP display protocols.
The URL must contain the protocol, client-resolvable security server name, and port number. Tunnel clients that run outside of your network use this URL to connect to the security server.
For example: https://view.example.com:443
11 In the PCoIP External URL text box, type the external URL of the security server for client endpoints that use the PCoIP display protocol.
In an IPv4 environment, specify the PCoIP external URL as an IP address with the port number 4172. In an IPv6 environment, you can specify an IP address or a fully qualified domain name, and the port number 4172. In either case, do not include a protocol name.
For example, in an IPv4 environment: 10.20.30.40:4172
Clients must be able to use the URL to reach the security server.
12 In the Blast External URL text box, type the external URL of the security server for users who use HTML Access to connect to remote desktops.
The URL must contain the HTTPS protocol, client-resolvable host name, and port number.
For example: https://myserver.example.com:8443
By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach this security server.
13 Choose how to configure the Windows Firewall service.
Option | Action
Configure Windows Firewall automatically | Let the installer configure Windows Firewall to allow the required network connections.
Do not configure Windows Firewall | Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall.
14 Complete the installation wizard to finish installing the security server.
The security server services are installed on the Windows Server computer:
- VMware Horizon View Security Server
- VMware Horizon View Framework Component
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Blast Secure Gateway
For information about these services, see the View Administration document.
The security server appears in the Security Servers pane in View Administrator.
The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.
NOTE If the installation is cancelled or aborted, you might have to remove IPsec rules for the security server before you can begin the installation again. Take this step even if you already removed IPsec rules prior to reinstalling or upgrading security server. For instructions on removing IPsec rules, see “Remove IPsec Rules for the Security Server,” on page 69.
What to do next
Configure an SSL server certificate for the security server. See Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.
You might have to configure client connection settings for the security server, and you can tune Windows Server settings to support a large deployment. See “Configuring Horizon Client Connections,” on page 109 and “Sizing Windows Server Settings to Support Your Deployment,” on page 120.
If you are reinstalling the security server and you have a data collector set configured to monitor performance data, stop the data collector set and start it again.

Install a Security Server Silently

You can use the silent installation feature of the Microsoft Windows Installer (MSI) to install a security server on several Windows computers. In a silent installation, you use the command line and do not have to respond to wizard prompts.
With silent installation, you can efficiently deploy View components in a large enterprise.
Prerequisites
- Determine the type of topology to use. For example, determine which load balancing solution to use. Decide if the View Connection Server instances that are paired with security servers will be dedicated to users of the external network. For information, see the View Architecture Planning document.
  IMPORTANT If you use a load balancer, it must have an IP address that does not change. In an IPv4 environment, configure a static IP address. In an IPv6 environment, machines automatically get IP addresses that do not change.
- Verify that your installation satisfies the requirements described in “View Connection Server Requirements,” on page 7.
- Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 49.
- Verify that the View Connection Server instance to be paired with the security server is installed and configured and is running a View Connection Server version that is compatible with the security server version. See "View Component Compatibility Matrix" in the View Upgrades document.
- Verify that the View Connection Server instance to be paired with the security server is accessible to the computer on which you plan to install the security server.
- Configure a security server pairing password. See “Configure a Security Server Pairing Password,” on page 62.
- Familiarize yourself with the format of external URLs. See “Configuring External URLs for Secure Gateway and Tunnel Connections,” on page 112.
- Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for a security server. See “Firewall Rules for View Connection Server,” on page 70.
- If your network topology includes a back-end firewall between the security server and View Connection Server, you must configure the firewall to support IPsec. See “Configuring a Back-End Firewall to Support IPsec,” on page 71.
- If you are upgrading or reinstalling the security server, verify that the existing IPsec rules for the security server were removed. See “Remove IPsec Rules for the Security Server,” on page 69.
- Familiarize yourself with the MSI installer command-line options. See “Microsoft Windows Installer Command-Line Options,” on page 73.
- Familiarize yourself with the silent installation properties available with a security server. See “Silent Installation Properties for a Security Server,” on page 67.
- If you are installing View in FIPS mode, you must deselect the global setting Use IPSec for Security Server Connections in View Administrator, because in FIPS mode, you must configure IPsec manually after installing a security server.
Procedure
1 Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 6 download, which includes View Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line.
For example (typed on one line; the stray space in the extracted URL port has been removed):
VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=3 VDM_SERVER_NAME=cs1.internaldomain.com VDM_SERVER_SS_EXTURL=https://view.companydomain.com:443 VDM_SERVER_SS_PCOIP_IPADDR=10.20.30.40 VDM_SERVER_SS_PCOIP_TCPPORT=4172 VDM_SERVER_SS_PCOIP_UDPPORT=4172 VDM_SERVER_SS_BSG_EXTURL=https://view.companydomain.com:8443 VDM_SERVER_SS_PWD=secret"
The security server services are installed on the Windows Server computer:
- VMware Horizon View Security Server
- VMware Horizon View Framework Component
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Blast Secure Gateway
For information about these services, see the View Administration document.
The security server appears in the Security Servers pane in View Administrator.
The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.
NOTE If the installation is cancelled or aborted, you might have to remove IPsec rules for the security server before you can begin the installation again. Take this step even if you already removed IPsec rules prior to reinstalling or upgrading security server. For instructions on removing IPsec rules, see “Remove IPsec Rules for the Security Server,” on page 69.
What to do next
Configure an SSL server certificate for the security server. See Chapter 8, “Configuring SSL Certificates for View Servers,” on page 77.
You might have to configure client connection settings for the security server, and you can tune Windows Server settings to support a large deployment. See “Configuring Horizon Client Connections,” on page 109 and “Sizing Windows Server Settings to Support Your Deployment,” on page 120.

Silent Installation Properties for a Security Server

You can include specific properties when you silently install a security server from the command line. You must use a PROPERTY=value format so that Microsoft Windows Installer (MSI) can interpret the properties and values.
Table 73. MSI Properties for Silently Installing a Security Server
MSI Property | Description | Default Value
INSTALLDIR | The path and folder in which the View Connection Server software is installed. For example: INSTALLDIR=""D:\abc\my folder"" The sets of two double quotes that enclose the path permit the MSI installer to interpret the space as a valid part of the path. This MSI property is optional. | %ProgramFiles%\VMware\VMware View\Server
VDM_SERVER_INSTANCE_TYPE | The type of View server installation: 1. Standard installation; 2. Replica installation; 3. Security server installation. To install a security server, define VDM_SERVER_INSTANCE_TYPE=3. This MSI property is required when installing a security server. | 1
VDM_SERVER_NAME | The host name or IP address of the existing View Connection Server instance to pair with the security server. For example: VDM_SERVER_NAME=cs1.internaldomain.com This MSI property is required. | None
VDM_SERVER_SS_EXTURL | The external URL of the security server. The URL must contain the protocol, externally resolvable security server name, and port number. For example: VDM_SERVER_SS_EXTURL=https://view.companydomain.com:443 This MSI property is required. | None
VDM_SERVER_SS_PWD | The security server pairing password. For example: VDM_SERVER_SS_PWD=secret This MSI property is required. | None
Table 73. MSI Properties for Silently Installing a Security Server (Continued)
MSI Property | Description | Default Value
FWCHOICE | The MSI property that determines whether to configure a firewall for the View Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. For example: FWCHOICE=1 This MSI property is optional. | 1
VDM_SERVER_SS_PCOIP_IPADDR | The PCoIP Secure Gateway external IP address. In an IPv6 environment, this property can also be set to the FQDN of the PCoIP Secure Gateway. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_IPADDR=10.20.30.40 This property is required if you plan to use the PCoIP Secure Gateway component. | None
VDM_SERVER_SS_PCOIP_TCPPORT | The PCoIP Secure Gateway external TCP port number. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_TCPPORT=4172 This property is required if you plan to use the PCoIP Secure Gateway component. | None
VDM_SERVER_SS_PCOIP_UDPPORT | The PCoIP Secure Gateway external UDP port number. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_UDPPORT=4172 This property is required if you plan to use the PCoIP Secure Gateway component. | None
VDM_SERVER_SS_BSG_EXTURL | The Blast Secure Gateway external URL. The URL must contain the HTTPS protocol, an externally resolvable security server name, and port number. For example: VDM_SERVER_SS_BSG_EXTURL=https://view.companydomain.com:8443 The default port number is 8443. A Blast Secure Gateway must be installed on the security server to allow users to make Web connections to View desktops. | None
VDM_SERVER_SS_FORCE_IPSEC | Forces IPsec to be used between the security server and its paired View Connection Server instance. By default, an unattended installation and pairing of security server to a View Connection Server instance with IPsec disabled causes the pairing to fail. The default value of 1 forces IPsec pairing. Set this value to 0 to allow pairing without IPsec. | 1
VDM_IP_PROTOCOL_USAGE | Specifies the IP version that View components use for communication. The possible values are IPv4 and IPv6. | IPv4
VDM_FIPS_ENABLED | Specifies whether to enable or disable FIPS mode. A value of 1 enables FIPS mode. A value of 0 disables FIPS mode. If this property is set to 1 and Windows is not in FIPS mode, the installer will abort. | 0
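The following PowerShell script is an added example, not VMware's own tooling: it validates the Table 73 values the way the installer and the "Install a Security Server Silently" procedure expect them (URL shape, PCoIP address form per IP version, Windows FIPS state before setting VDM_FIPS_ENABLED=1), applies the doubled-quote rule for an INSTALLDIR with spaces from the MSI command-line options section, and then runs the installer with /s /v"/qn ...". The installer path, host names, addresses and log path are placeholders.

```powershell
# Added example (not VMware's own tooling): assemble, validate and run the
# silent security server installation from the Table 73 properties.
# Installer path, host names, addresses and paths below are placeholders.
param(
    [string]$Installer        = 'C:\installers\VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe',
    [string]$ConnectionServer = 'cs1.internaldomain.com',
    [string]$ExternalUrl      = 'https://view.companydomain.com:443',
    [string]$BlastUrl         = 'https://view.companydomain.com:8443',
    [string]$PcoipAddress     = '10.20.30.40',
    [int]$PcoipTcpPort        = 4172,
    [int]$PcoipUdpPort        = 4172,
    [string]$InstallDir       = 'D:\abc\my folder',   # space on purpose, see INSTALLDIR quoting
    [ValidateSet('IPv4', 'IPv6')][string]$IpProtocol = 'IPv4',
    [switch]$Fips,
    [string]$LogFile          = 'C:\Temp\view-ss-install.log'   # no spaces: it is not quoted
)

# External URLs must carry a protocol, a resolvable name and a port, nothing else.
function Test-ExternalUrl([string]$Url) {
    return $Url -match '^https://[^/\s]+:\d{1,5}$'
}

# PCoIP external address: IPv4 environments need an IP address; IPv6 environments
# accept an address or an FQDN. A protocol prefix is never allowed.
function Test-PcoipAddress([string]$Address, [string]$Protocol) {
    if ($Address -match '^[A-Za-z]+://') { return $false }
    $ip = $null
    $isIp = [System.Net.IPAddress]::TryParse($Address, [ref]$ip)
    if ($Protocol -eq 'IPv4') { return $isIp -and ($ip.AddressFamily -eq 'InterNetwork') }
    return $isIp -or ($Address -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')
}

# VDM_FIPS_ENABLED=1 makes the installer abort unless Windows itself is in FIPS mode.
function Test-WindowsFipsMode {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.Enabled -eq 1)
}

$problems = @()
if (-not (Test-Path -LiteralPath $Installer)) { $problems += "installer not found: $Installer" }
if (-not (Test-ExternalUrl $ExternalUrl)) { $problems += 'VDM_SERVER_SS_EXTURL must look like https://host:443' }
if (-not (Test-ExternalUrl $BlastUrl)) { $problems += 'VDM_SERVER_SS_BSG_EXTURL must look like https://host:8443' }
if (-not (Test-PcoipAddress $PcoipAddress $IpProtocol)) { $problems += "VDM_SERVER_SS_PCOIP_IPADDR is not valid for $IpProtocol" }
if ($Fips -and -not (Test-WindowsFipsMode)) { $problems += 'VDM_FIPS_ENABLED=1 requested but Windows is not in FIPS mode' }
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }

# The one-time pairing password is prompted for rather than stored in the script.
# It is passed as a bare PROPERTY=value, so use a password without spaces or quotes.
$secure = Read-Host -Prompt 'Security server pairing password' -AsSecureString
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try { $pairingPwd = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$props = @(
    'VDM_SERVER_INSTANCE_TYPE=3',                 # 3 = security server
    "VDM_SERVER_NAME=$ConnectionServer",
    "VDM_SERVER_SS_EXTURL=$ExternalUrl",
    "VDM_SERVER_SS_PCOIP_IPADDR=$PcoipAddress",
    "VDM_SERVER_SS_PCOIP_TCPPORT=$PcoipTcpPort",
    "VDM_SERVER_SS_PCOIP_UDPPORT=$PcoipUdpPort",
    "VDM_SERVER_SS_BSG_EXTURL=$BlastUrl",
    "VDM_IP_PROTOCOL_USAGE=$IpProtocol",
    "VDM_FIPS_ENABLED=$(if ($Fips) { 1 } else { 0 })",
    'FWCHOICE=1',                                 # let the installer add the firewall rules
    ('INSTALLDIR=""' + $InstallDir + '""')        # doubled quotes keep the space in the path
)

# /s silences the bootstrap; everything inside /v"..." goes to msiexec. /l*v keeps a
# verbose log; MSI verbose logs can record property values, so restrict who can read it.
$msiArgs = '/qn ' + ($props -join ' ') + " VDM_SERVER_SS_PWD=$pairingPwd /l*v $LogFile"
$cmdLine = '/s /v"' + $msiArgs + '"'
Write-Host ('Running: {0} {1}' -f $Installer, ($cmdLine -replace 'VDM_SERVER_SS_PWD=\S+', 'VDM_SERVER_SS_PWD=***'))

$proc = Start-Process -FilePath $Installer -ArgumentList $cmdLine -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Error "Installer exited with code $($proc.ExitCode); see $LogFile. If pairing failed, check the password timeout and stale IPsec rules."
    exit $proc.ExitCode
}
Write-Host 'Security server installed. Next: configure its SSL server certificate.'
```

The pairing password still appears on the installer's command line while it runs, which is why the script never writes it to its own output and relies on the password being one-time and time-limited.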

Remove IPsec Rules for the Security Server

Before you can upgrade or reinstall a security server instance, you must remove the current IPsec rules that govern communication between the security server and its paired View Connection Server instance. If you do not take this step, the upgrade or reinstallation fails.
IMPORTANT This task pertains to View 5.1 and later security servers. It does not apply to View 5.0.x and earlier security servers.
By default, communication between a security server and its paired View Connection Server instance is governed by IPsec rules. When you upgrade or reinstall the security server and pair it again with the View Connection Server instance, a new set of IPsec rules must be established. If the existing IPsec rules are not removed before you upgrade or reinstall, the pairing fails.
You must take this step when you upgrade or reinstall a security server and are using IPsec to protect communication between the security server and View Connection Server.
You can configure an initial security server pairing without using IPsec rules. Before you install the security server, you can open View Administrator and deselect the global setting Use IPSec for Security Server Connections, which is enabled by default. If IPsec rules are not in effect, you do not have to remove them before you upgrade or reinstall.
NOTE You do not have to remove a security server from View Administrator before you upgrade or reinstall the security server. Remove a security server from View Administrator only if you intend to remove the security server permanently from the View environment.
With View 5.0.x and earlier releases, you could remove a security server either from within the View Administrator user interface or by using the vdmadmin -S command-line command. In View 5.1 and later releases, you must use vdmadmin -S. See "Removing the Entry for a View Connection Server Instance or Security Server Using the -S Option" in the View Administration document.
CAUTION If you remove the IPsec rules for an active security server, all communication with the security server is lost until you upgrade or reinstall the security server. Therefore, if you use a load balancer to manage a group of security servers, perform this procedure on one server and then upgrade that server before removing IPsec rules for the next server. You can remove servers from production and add them back one-by-one in this manner to avoid requiring any downtime for your end users.
Procedure
1 In View Administrator, click View Configuration > Servers.
2 In the Security Servers tab, select a security server and click More Commands > Prepare for Upgrade or Reinstallation.
If you disabled IPsec rules before you installed the security server, this setting is inactive. In this case, you do not have to remove IPsec rules before you reinstall or upgrade.
3 Click OK.
The IPsec rules are removed and the Prepare for Upgrade or Reinstallation setting becomes inactive, indicating that you can reinstall or upgrade the security server.
What to do next
Upgrade or reinstall security server.

Firewall Rules for View Connection Server

Certain ports must be opened on the firewall for View Connection Server instances and security servers.
When you install View Connection Server, the installation program can optionally configure the required Windows Firewall rules for you. These rules open the ports that are used by default. If you change the default ports after installation, you must manually configure Windows Firewall to allow Horizon Client devices to connect to View through the updated ports.
If you choose to install HTML Access with View Connection Server, the installer configures the VMware Horizon View Connection Server (Blast-In) rule in Windows Firewall to open TCP port 8443, used by HTML Access.
The following table lists the default ports that can be opened automatically during installation. Ports are incoming unless otherwise noted.
Table 74. Ports Opened During View Connection Server Installation
Protocol | Ports | View Connection Server Instance Type | Notes
JMS | TCP 4001 | Standard and replica |
JMS | TCP 4002 | Standard and replica |
JMSIR | TCP 4100 | Standard and replica |
JMSIR | TCP 4101 | Standard and replica |
AJP13 | TCP 8009 | Standard and replica |
HTTP | TCP 80 | Standard, replica, and security server |
HTTPS | TCP 443 | Standard, replica, and security server |
PCoIP | TCP 4172 in; UDP 4172 both directions | Standard, replica, and security server |
HTTPS | TCP 8443 | Standard, replica, and security server | After the initial connection to View is made, the Web browser on a client device connects to the Blast Secure Gateway on TCP port 8443. The Blast Secure Gateway must be enabled on a security server or View Connection Server instance to allow this second connection to take place.
HTTPS | TCP 8472 | Standard and replica | For the Cloud Pod Architecture feature: used for interpod communication.
HTTP | TCP 22389 | Standard and replica | For the Cloud Pod Architecture feature: used for global LDAP replication.
HTTPS | TCP 22636 | Standard and replica | For the Cloud Pod Architecture feature: used for secure global LDAP replication.
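An added PowerShell check, not part of the original document, that verifies on a View server whether every Table 74 port its instance type needs is covered by an enabled inbound Allow rule in Windows Firewall and that the Blast-In rule is enabled; it only inspects rules, it changes nothing, and it does not check the outbound side of UDP 4172.

```powershell
# Added example (not VMware's own tooling): verify on a View server that every
# Table 74 port its instance type needs is allowed by an enabled inbound Windows
# Firewall rule, and that the Blast-In rule is on. Run from an elevated prompt.
param([ValidateSet('Standard', 'Replica', 'SecurityServer')][string]$InstanceType = 'Standard')

# Table 74, transcribed: protocol, port and the instance types that need it.
$expected = @(
    @{ Proto = 'TCP'; Port = 4001;  Types = 'Standard', 'Replica' },
    @{ Proto = 'TCP'; Port = 4002;  Types = 'Standard', 'Replica' },
    @{ Proto = 'TCP'; Port = 4100;  Types = 'Standard', 'Replica' },
    @{ Proto = 'TCP'; Port = 4101;  Types = 'Standard', 'Replica' },
    @{ Proto = 'TCP'; Port = 8009;  Types = 'Standard', 'Replica' },
    @{ Proto = 'TCP'; Port = 80;    Types = 'Standard', 'Replica', 'SecurityServer' },
    @{ Proto = 'TCP'; Port = 443;   Types = 'Standard', 'Replica', 'SecurityServer' },
    @{ Proto = 'TCP'; Port = 4172;  Types = 'Standard', 'Replica', 'SecurityServer' },
    @{ Proto = 'UDP'; Port = 4172;  Types = 'Standard', 'Replica', 'SecurityServer' },  # inbound side only
    @{ Proto = 'TCP'; Port = 8443;  Types = 'Standard', 'Replica', 'SecurityServer' },
    @{ Proto = 'TCP'; Port = 8472;  Types = 'Standard', 'Replica' },
    @{ Proto = 'TCP'; Port = 22389; Types = 'Standard', 'Replica' },
    @{ Proto = 'TCP'; Port = 22636; Types = 'Standard', 'Replica' }
)

# A rule's LocalPort can be 'Any', a single port or a range such as '4001-4002'.
function Test-PortCovered([string]$Spec, [int]$Port) {
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2]) }
    return $Spec -eq "$Port"
}

# Flatten every enabled inbound Allow rule into (rule, protocol, port) records once.
$open = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction Stop) {
    $filter = $rule | Get-NetFirewallPortFilter
    foreach ($port in @($filter.LocalPort)) {
        [pscustomobject]@{ Rule = $rule.DisplayName; Proto = "$($filter.Protocol)"; Port = "$port" }
    }
}

$missing = @(
    foreach ($e in ($expected | Where-Object { $_.Types -contains $InstanceType })) {
        $hit = $open |
               Where-Object { ($_.Proto -eq $e.Proto -or $_.Proto -eq 'Any') -and (Test-PortCovered $_.Port $e.Port) } |
               Select-Object -First 1
        if ($hit) { Write-Host ("OK   {0} {1,-6} allowed by '{2}'" -f $e.Proto, $e.Port, $hit.Rule) }
        else      { "$($e.Proto) $($e.Port)" }
    }
)

# HTML Access: the installer's Blast-In rule must exist and be enabled (TCP 8443).
$blast = Get-NetFirewallRule -DisplayName 'VMware Horizon View Connection Server (Blast-In)' -ErrorAction SilentlyContinue
if (-not $blast -or "$($blast.Enabled)" -ne 'True') { $missing += 'Blast-In rule (missing or disabled)' }

if ($missing.Count -gt 0) {
    $missing | ForEach-Object { Write-Warning "No enabled inbound Allow rule covers $_" }
    exit 1
}
Write-Host "All Table 74 ports for a $InstanceType instance are allowed by Windows Firewall."
```

If you changed a default port after installation, extend the $expected table to match; a non-zero exit here is the symptom the text describes for clients that can no longer reach View through the updated ports.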

Configuring a Back-End Firewall to Support IPsec

If your network topology includes a back-end firewall between security servers and View Connection Server instances, you must configure certain protocols and ports on the firewall to support IPsec. Without proper configuration, data sent between a security server and View Connection Server instance will fail to pass through the firewall.
By default, IPsec rules govern the connections between security servers and View Connection Server instances. To support IPsec, the View Connection Server installer can configure Windows firewall rules on the Windows Server hosts where View servers are installed. For a back-end firewall, you must configure the rules yourself.
NOTE It is highly recommended that you use IPsec. As an alternative, you can disable the View Administrator global setting, Use IPsec for Security Server Connections.
The following rules must allow bidirectional traffic. You might have to specify separate rules for inbound and outbound traffic on your firewall.
Different rules apply to firewalls that use network address translation (NAT) and those that do not use NAT.
Table 75. Non-NAT Firewall Requirements to Support IPsec Rules
Source | Protocol | Port | Destination | Notes
Security server | ISAKMP | UDP 500 | View Connection Server | Security servers use UDP port 500 to negotiate IPsec security.
Security server | ESP | N/A | View Connection Server | ESP protocol encapsulates IPsec encrypted traffic. You do not have to specify a port for ESP as part of the rule. If necessary, you can specify source and destination IP addresses to reduce the scope of the rule.
The following rules apply to firewalls that use NAT.
Table 76. NAT Firewall Requirements to Support IPsec Rules
Source | Protocol | Port | Destination | Notes
Security server | ISAKMP | UDP 500 | View Connection Server | Security servers use UDP port 500 to initiate IPsec security negotiation.
Security server | NAT-T ISAKMP | UDP 4500 | View Connection Server | Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security.
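An added PowerShell diagnostic, not part of the original document, to run on a security server after the back-end firewall rules are in place: it reports whether an IPsec main mode and quick mode security association to the paired View Connection Server exists and maps the failure mode back to the Table 75/76 rows (no main mode SA points at ISAKMP on UDP 500/4500, main mode without quick mode points at ESP or NAT-T). The connection server name is a placeholder, and the DisplayName filter on IPsec rules is an assumption.

```powershell
# Added example (not VMware's own tooling): run on a security server to see whether
# the IPsec pairing with its View Connection Server is actually established, and to
# map a failure back to the Table 75/76 rules. $ConnectionServer is a placeholder.
param([string]$ConnectionServer = 'cs1.internaldomain.com')

$csAddrs = [System.Net.Dns]::GetHostAddresses($ConnectionServer) | ForEach-Object { $_.IPAddressToString }

# ISAKMP listeners: UDP 500 always; UDP 4500 only matters when NAT-T is in play.
foreach ($port in 500, 4500) {
    $listening = [bool](Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue)
    Write-Host ('UDP {0,-5} listener present: {1}' -f $port, $listening)
}

# IPsec rules present on this host (assumption: the View rules mention VMware or View in their name).
Get-NetIPsecRule -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*VMware*' -or $_.DisplayName -like '*View*' } |
    Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity |
    Format-Table -AutoSize

# Main mode SA = ISAKMP negotiation succeeded; quick mode SA = ESP traffic is being protected.
$mainMode  = Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue | Where-Object { $csAddrs -contains $_.RemoteEndpoint }
$quickMode = Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue | Where-Object { $csAddrs -contains $_.RemoteEndpoint }

if (-not $mainMode) {
    Write-Warning "No main mode SA to $ConnectionServer. Either IPsec is disabled for this pairing or UDP 500 (UDP 4500 behind NAT) is blocked on the back-end firewall."
} elseif (-not $quickMode) {
    Write-Warning "Main mode SA exists but no quick mode SA: ESP (or UDP 4500 NAT-T) is probably filtered between the servers."
} else {
    Write-Host "IPsec pairing to $ConnectionServer is active:"
    $quickMode | Select-Object LocalEndpoint, RemoteEndpoint | Format-Table -AutoSize
}
```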

Reinstall View Connection Server with a Backup Configuration

In certain situations, you might have to reinstall the current version of a View Connection Server instance and restore the existing View configuration by importing a backup LDIF file that contains the View LDAP configuration data.
For example, as part of a business continuity and disaster recovery (BC/DR) plan, you might want to have a procedure ready to implement in case a datacenter stops functioning. The first step in such a plan is to ensure that the View LDAP configuration is backed up in another location. A second step is to install View Connection Server in the new location and import the backup configuration, as described in this procedure.
You might also use this procedure when you set up a second datacenter with the existing View configuration. Or you might use it if your View deployment contains only a single View Connection Server instance, and a problem occurs with that server.
You do not have to follow this procedure if you have multiple View Connection Server instances in a replicated group, and a single instance goes down. You can simply reinstall View Connection Server as a replicated instance. During the installation, you provide connection information to another View Connection Server instance, and View restores the View LDAP configuration from the other instance.
Prerequisites
- Verify that the View LDAP configuration was backed up to an encrypted LDIF file.
- Familiarize yourself with restoring a View LDAP configuration from an LDIF backup file by using the vdmimport command. See "Backing Up and Restoring View Configuration Data" in the View Administration document.
- Familiarize yourself with the steps for installing a new View Connection Server instance. See “Install View Connection Server with a New Configuration,” on page 50.
Procedure
1 Install View Connection Server with a new configuration.
2 Decrypt the encrypted LDIF file.
For example:
vdmimport -d -p mypassword -f MyEncryptedexport.LDF > MyDecryptedexport.LDF
3 Import the decrypted LDIF file to restore the View LDAP configuration.
For example:
vdmimport -f MyDecryptedexport.LDF
NOTE At this stage, the View configuration is not yet accessible. Clients cannot access View Connection Server or connect to their desktops.
4 Uninstall the View Connection Server from the computer by using the Windows Add/Remove Programs utility.
Do not uninstall the View LDAP configuration, called the AD LDS Instance VMwareVDMDS instance. You can use the Add/Remove Programs utility to verify that the AD LDS Instance VMwareVDMDS instance was not removed from the Windows Server computer.
5 Reinstall View Connection Server.
At the installer prompt, accept the existing View LDAP directory.
What to do next
Configure View Connection Server and your View environment as you would after you install a View Connection Server instance with a new configuration.
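An added PowerShell script, not VMware's own tooling, that performs steps 2 and 3 of the procedure above while keeping the clear-text LDIF short-lived and readable only by the current user, and that provides the check to run after step 4 that the AD LDS Instance VMwareVDMDS is still installed before reinstalling in step 5. File names are placeholders, vdmimport is assumed to be on PATH, and the service name ADAM_VMwareVDMDS is an assumption based on the AD LDS ADAM_<instance> naming convention.

```powershell
# Added example (not VMware's own tooling): steps 2 and 3 of the procedure with the
# clear-text LDIF handled carefully, plus the check to run after step 4 that the
# AD LDS instance VMwareVDMDS is still present. File names are placeholders;
# vdmimport is assumed to be on PATH; ADAM_VMwareVDMDS is an assumed service name.
param(
    [ValidateSet('Restore', 'CheckLdap')][string]$Phase = 'Restore',
    [string]$EncryptedLdif = 'C:\backup\MyEncryptedexport.LDF',
    [string]$DecryptedLdif = (Join-Path $env:TEMP 'MyDecryptedexport.LDF')
)

function Restore-ViewLdap {
    $secure = Read-Host -Prompt 'Backup password' -AsSecureString
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { $backupPwd = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    try {
        # Create the target file first so its ACL is restricted before any data lands in it.
        New-Item -ItemType File -Path $DecryptedLdif -Force | Out-Null
        icacls $DecryptedLdif /inheritance:r /grant:r "${env:USERNAME}:(R,W)" | Out-Null
        # Step 2: decrypt. LDIF is ASCII-safe (non-ASCII values are base64 encoded),
        # so writing the output as ASCII keeps the bytes vdmimport produced.
        & vdmimport -d -p $backupPwd -f $EncryptedLdif | Out-File -FilePath $DecryptedLdif -Encoding ascii
        if ($LASTEXITCODE -ne 0) { throw "vdmimport -d failed with exit code $LASTEXITCODE" }
        # Step 3: import into the fresh View LDAP instance.
        & vdmimport -f $DecryptedLdif
        if ($LASTEXITCODE -ne 0) { throw "vdmimport -f failed with exit code $LASTEXITCODE" }
        Write-Host 'View LDAP configuration imported (clients cannot connect yet; continue with step 4).'
    }
    finally {
        # The decrypted export is the entire View configuration: overwrite (best effort) and delete.
        if (Test-Path -LiteralPath $DecryptedLdif) {
            $len = (Get-Item -LiteralPath $DecryptedLdif).Length
            [System.IO.File]::WriteAllBytes($DecryptedLdif, (New-Object byte[] $len))
            Remove-Item -LiteralPath $DecryptedLdif -Force
        }
    }
}

# After step 4 (uninstalling View Connection Server), confirm that the View LDAP
# instance survived before reinstalling in step 5. This is what the Add/Remove
# Programs check in the procedure looks at, read from the uninstall registry keys.
function Test-ViewLdapInstancePresent {
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'AD LDS Instance VMwareVDMDS*' }
    $svc = Get-Service -Name 'ADAM_VMwareVDMDS' -ErrorAction SilentlyContinue   # assumed service name
    return [pscustomobject]@{ InAddRemovePrograms = [bool]$entry; ServiceRunning = ($svc.Status -eq 'Running') }
}

switch ($Phase) {
    'Restore'   { Restore-ViewLdap }
    'CheckLdap' {
        $state = Test-ViewLdapInstancePresent
        if (-not $state.InAddRemovePrograms) {
            Write-Error 'AD LDS Instance VMwareVDMDS is gone: the restored configuration was removed with the uninstall.'
            exit 1
        }
        Write-Host "View LDAP instance present (service running: $($state.ServiceRunning)); safe to reinstall View Connection Server."
    }
}
```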

Microsoft Windows Installer Command-Line Options

To install View components silently, you must use Microsoft Windows Installer (MSI) command-line options and properties. The View component installers are MSI programs and use standard MSI features.
For details about MSI, see the Microsoft Web site. For MSI command-line options, see the Microsoft Developer Network (MSDN) Library Web site and search for MSI command-line options. To see MSI command-line usage, you can open a command prompt on the View component computer and type msiexec /?.
To run a View component installer silently, you begin by silencing the bootstrap program that extracts the installer into a temporary directory and starts an interactive installation.
At the command line, you must enter command-line options that control the installer's bootstrap program.
Table 77. Command-Line Options for a View Component's Bootstrap Program
Option | Description
/s | Disables the bootstrap splash screen and extraction dialog, which prevents the display of interactive dialogs. For example: VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s The /s option is required to run a silent installation.
/v"MSI_command_line_options" | Instructs the installer to pass the double-quote-enclosed string that you enter at the command line as a set of options for MSI to interpret. You must enclose your command-line entries between double quotes. Place a double quote after the /v and at the end of the command line. For example: VMware-viewagent-y.y.y-xxxxxx.exe /s /v"command_line_options" To instruct the MSI installer to interpret a string that contains spaces, enclose the string in two sets of double quotes. For example, you might want to install the View component in an installation path name that contains spaces. For example: VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"command_line_options INSTALLDIR=""d:\abc\my folder""" In this example, the MSI installer passes on the installation-directory path and does not attempt to interpret the string as two command-line options. Note the final double quote that encloses the entire command line. The /v"command_line_options" option is required to run a silent installation.
You control the remainder of a silent installation by passing command-line options and MSI property values to the MSI installer, msiexec.exe. The MSI installer includes the View component's installation code. The installer uses the values and options that you enter in the command line to interpret installation choices and setup options that are specific to the View component.
Table 78. MSI Command-Line Options and MSI Properties
MSI Option or Property | Description
/qn | Instructs the MSI installer not to display the installer wizard pages. For example, you might want to install View Agent silently and use only default setup options and features: VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn" Alternatively, you can use the /qb option to display the wizard pages in a noninteractive, automated installation. As the installation proceeds, the wizard pages are displayed, but you cannot respond to them. The /qn or /qb option is required to run a silent installation.
INSTALLDIR | Specifies an alternative installation path for the View component. Use the format INSTALLDIR=path to specify an installation path. You can ignore this MSI property if you want to install the View component in the default path. This MSI property is optional.
MSI Option or Property: ADDLOCAL
Description: Determines the component-specific options to install.
In an interactive installation, the View installer displays custom setup options that you can select or deselect. In a silent installation, you can use the ADDLOCAL property to selectively install individual setup options by specifying the options on the command line. Options that you do not explicitly specify are not installed.
In both interactive and silent installations, the View installer automatically installs certain features. You cannot use ADDLOCAL to control whether or not to install these non-optional features.
Type ADDLOCAL=ALL to install all custom setup options that can be installed during an interactive installation, including those that are installed by default and those that you must select to install, as well as all non-optional features that are installed automatically (on supported guest operating systems).
The following example installs Core, PCoIP, UnityTouch, VmVideo, PSG, and all features that are supported on the guest operating system:
VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn ADDLOCAL=ALL"
If you do not use the ADDLOCAL property, the custom setup options that are installed by default and the automatically installed features are installed. Custom setup options that are off (unselected) by default are not installed.
The following example installs Core, PCoIP, UnityTouch, VmVideo, PSG, and the on-by-default custom setup options that are supported on the guest operating system:
VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn"
To specify individual setup options, type a comma-separated list of setup option names. Do not use spaces between names. Use the format ADDLOCAL=value,value,value....
You must include Core when you use the ADDLOCAL=value,value,value... property.
The following example installs View Agent in a guest operating system with the Core, PCoIP, UnityTouch, VMVideo, PSG, View Composer Agent, and Virtual Printing features (if View Composer Agent and Virtual Printing are supported on the guest operating system):
VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn ADDLOCAL=Core,SVIAgent,ThinPrint"
The preceding example does not install other options, even those that are installed by default interactively.
The ADDLOCAL MSI property is optional.

MSI Option or Property: REBOOT
Description: You can use the REBOOT=ReallySuppress option to allow system configuration tasks to complete before the system reboots.
This MSI property is optional.

MSI Option or Property: /l*v log_file
Description: Writes logging information into the specified log file with verbose output. For example: /l*v ""%TEMP%\vmmsi.log""
This example generates a detailed log file that is similar to the log generated during an interactive installation.
You can use this option to record custom features that might apply uniquely to your installation. You can use the recorded information to specify installation features in future silent installations.
The /l*v option is optional.

Uninstalling View Components Silently by Using MSI Command-Line Options

You can uninstall View components by using Microsoft Windows Installer (MSI) command-line options.
Syntax
msiexec.exe /qb /x product_code
Options
The /qb option displays the uninstall progress bar. To suppress displaying the uninstall progress bar, replace the /qb option with the /qn option.
The /x option uninstalls the View component.
The product_code string identifies the View component product files to the MSI uninstaller. You can find the product_code string by searching for ProductCode in the %TEMP%\vmmsi.log file that is created during the installation.
For information about MSI command-line options, see “Microsoft Windows Installer Command-Line Options,” on page 73.
Examples
Uninstall a View Connection Server instance.
msiexec.exe /qb /x {D6184123-57B7-26E2-809B-090435A8C16A}
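The silent-installation options in Table 77 and Table 78 and the ProductCode lookup described in this section, as an added PowerShell example that is not part of the VMware documentation: it assembles the bootstrap command line with the doubled-quote rule for values containing spaces, then reads the ProductCode back out of a verbose MSI log for a later msiexec.exe /x. The installer path and the log excerpt are constructed; the log-line shape is the standard Windows Installer verbose format, and the product code is the one shown in the example above.

```powershell
# Added example, not from the VMware documentation. Builds a silent-install
# command line for a View component using the quoting rules of Table 77 and
# Table 78, and reads the ProductCode back out of the verbose MSI log so the
# component can be removed later with msiexec.exe /x.
# Assumptions: the installer path and the log excerpt below are constructed.

function New-ViewSilentInstallCommand {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,   # bootstrap .exe
        [string[]] $Features = @(),                       # ADDLOCAL names, or ALL
        [string]   $InstallDir,                           # optional INSTALLDIR
        [string]   $LogPath = "$env:TEMP\vmmsi.log",      # /l*v target
        [switch]   $SuppressReboot                        # REBOOT=ReallySuppress
    )
    # Everything inside /v"..." is handed to msiexec.exe unchanged.
    $msiArgs = @('/qn')
    if ($Features.Count -gt 0) {
        if ($Features -notcontains 'ALL' -and $Features -notcontains 'Core') {
            throw 'ADDLOCAL=value,value,... must include Core.'
        }
        # Comma-separated, no spaces between names.
        $msiArgs += 'ADDLOCAL=' + ($Features -join ',')
    }
    if ($SuppressReboot) { $msiArgs += 'REBOOT=ReallySuppress' }
    if ($InstallDir) {
        # A value that contains spaces is wrapped in doubled quotes inside /v"...".
        $msiArgs += 'INSTALLDIR=""' + $InstallDir + '""'
    }
    $msiArgs += '/l*v ""' + $LogPath + '""'
    # The closing double quote encloses the whole MSI option string.
    $arguments = '/s /v"' + ($msiArgs -join ' ') + '"'
    [pscustomobject]@{
        FilePath    = $InstallerPath
        Arguments   = $arguments
        CommandLine = ('"{0}" {1}' -f $InstallerPath, $arguments)
    }
}

function Get-MsiProductCodeFromLog {
    param([Parameter(Mandatory)] [string[]] $LogLines)
    # A verbose MSI log records the property when the installer sets it:
    #   PROPERTY CHANGE: Adding ProductCode property. Its value is '{GUID}'.
    foreach ($line in $LogLines) {
        if ($line -match "Adding ProductCode property\. Its value is '(\{[0-9A-Fa-f-]+\})'") {
            return $Matches[1]
        }
    }
    return $null
}

# Command line for a View Agent install with View Composer Agent and Virtual
# Printing, an install path that contains spaces, and a verbose log.
$cmd = New-ViewSilentInstallCommand `
    -InstallerPath 'C:\Installers\VMware-viewagent-y.y.y-xxxxxx.exe' `
    -Features Core,SVIAgent,ThinPrint `
    -InstallDir 'D:\abc\my folder' `
    -SuppressReboot
Write-Output $cmd.CommandLine
# On a real host, run it and wait for the bootstrap program to finish:
#   $p = Start-Process -FilePath $cmd.FilePath -ArgumentList $cmd.Arguments -Wait -PassThru
#   $p.ExitCode

# Constructed log excerpt in the shape of %TEMP%\vmmsi.log (not a real log).
$sampleLog = @(
    "MSI (s) (A4:F8) [10:21:05:123]: PROPERTY CHANGE: Adding ProductCode property. Its value is '{D6184123-57B7-26E2-809B-090435A8C16A}'.",
    "MSI (s) (A4:F8) [10:21:05:140]: PROPERTY CHANGE: Adding ProductName property. Its value is 'CONSTRUCTED-PRODUCT-NAME'."
)
$productCode = Get-MsiProductCodeFromLog -LogLines $sampleLog
Write-Output "Uninstall later with: msiexec.exe /qb /x $productCode"

# On a real host, read the actual log instead of the sample:
#   Get-MsiProductCodeFromLog -LogLines (Get-Content "$env:TEMP\vmmsi.log")
```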
Chapter 8 Configuring SSL Certificates for View Servers
VMware strongly recommends that you configure SSL certificates for authentication of View Connection Server instances, security servers, and View Composer service instances.
A default SSL server certificate is generated when you install View Connection Server instances, security servers, or View Composer instances. You can use the default certificate for testing purposes.
IMPORTANT Replace the default certificate as soon as possible. The default certificate is not signed by a Certificate Authority (CA). Use of certificates that are not signed by a CA can allow untrusted parties to intercept traffic by masquerading as your server.
This chapter includes the following topics:
- “Understanding SSL Certificates for View Servers,” on page 77
- “Overview of Tasks for Setting Up SSL Certificates,” on page 79
- “Obtaining a Signed SSL Certificate from a CA,” on page 80
- “Configure View Connection Server, Security Server, or View Composer to Use a New SSL Certificate,” on page 81
- “Configure Client Endpoints to Trust Root and Intermediate Certificates,” on page 86
- “Configuring Certificate Revocation Checking on Server Certificates,” on page 88
- “Configure the PCoIP Secure Gateway to Use a New SSL Certificate,” on page 89
- “Setting View Administrator to Trust a vCenter Server or View Composer Certificate,” on page 93
- “Benefits of Using SSL Certificates Signed by a CA,” on page 93
- “Troubleshooting Certificate Issues on View Connection Server and Security Server,” on page 94

Understanding SSL Certificates for View Servers

You must follow certain guidelines for configuring SSL certificates for View servers and related components.
View Connection Server and Security Server
SSL is required for client connections to a server. Client-facing View Connection Server instances, security servers, and intermediate servers that terminate SSL connections require SSL server certificates.
By default, when you install View Connection Server or security server, the installation generates a self-signed certificate for the server. However, the installation uses an existing certificate in the following cases:
- If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store
- If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on the Windows Server computer. The installation extracts the keys and certificates and imports them into the Windows Certificate Store.
vCenter Server and View Composer
Before you add vCenter Server and View Composer to View in a production environment, make sure that vCenter Server and View Composer use certificates that are signed by a CA.
For information about replacing the default certificate for vCenter Server, see "Replacing vCenter Server Certificates" on the VMware Technical Papers site at http://www.vmware.com/resources/techresources/.
If you install vCenter Server and View Composer on the same Windows Server host, they can use the same SSL certificate, but you must configure the certificate separately for each component.
PCoIP Secure Gateway
To comply with industry or jurisdiction security regulations, you can replace the default SSL certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA. Configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing. See “Configure the PCoIP Secure Gateway to Use a New SSL Certificate,” on page 89.
Blast Secure Gateway
By default, the Blast Secure Gateway (BSG) uses the SSL certificate that is configured for the View Connection Server instance or security server on which the BSG is running. If you replace the default, self-signed certificate for a server with a CA-signed certificate, the BSG also uses the CA-signed certificate.
SAML 2.0 Authenticator
VMware Workspace Portal uses SAML 2.0 authenticators to provide Web-based authentication and authorization across security domains. If you want View to delegate authentication to Workspace Portal, you can configure View to accept SAML 2.0 authenticated sessions from Workspace Portal. When Workspace Portal is configured to support View, Workspace Portal users can connect to remote desktops by selecting desktop icons on the Horizon User Portal.
In View Administrator, you can configure SAML 2.0 authenticators for use with View Connection Server instances.
Before you add a SAML 2.0 authenticator in View Administrator, make sure that the SAML 2.0 authenticator uses a certificate that is signed by a CA.
Additional Guidelines
For general information about requesting and using SSL certificates that are signed by a CA, see “Benefits of Using SSL Certificates Signed by a CA,” on page 93.
When client endpoints connect to a View Connection Server instance or security server, they are presented with the server's SSL server certificate and any intermediate certificates in the trust chain. To trust the server certificate, the client systems must have installed the root certificate of the signing CA.
When View Connection Server communicates with vCenter Server and View Composer, View Connection Server is presented with SSL server certificates and intermediate certificates from these servers. To trust the vCenter Server and View Composer servers, the View Connection Server computer must have installed the root certificate of the signing CA.
Similarly, if a SAML 2.0 authenticator is configured for View Connection Server, the View Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.

Overview of Tasks for Setting Up SSL Certificates

To set up SSL server certificates for View servers, you must perform several high-level tasks.
In a pod of replicated View Connection Server instances, you must perform these tasks on all instances in the pod.
The procedures for carrying out these tasks are described in the topics that follow this overview.
1 Determine if you need to obtain a new signed SSL certificate from a CA.
If your organization already has a valid SSL server certificate, you can use that certificate to replace the default SSL server certificate provided with View Connection Server, security server, or View Composer. To use an existing certificate, you also need the accompanying private key.
Starting Place: Your organization provided you with a valid SSL server certificate.
Action: Go directly to step 2.
Starting Place: You do not have an SSL server certificate.
Action: Obtain a signed SSL server certificate from a CA.
2 Import the SSL certificate into the Windows local computer certificate store on the View server host.
3 For View Connection Server instances and security servers, modify the certificate Friendly name to vdm.
Assign the Friendly name vdm to only one certificate on each View server host.
4 On View Connection Server computers, if the root certificate is not trusted by the Windows Server host, import the root certificate into the Windows local computer certificate store.
In addition, if the View Connection Server instances do not trust the root certificates of the SSL server certificates configured for security server, View Composer, and vCenter Server hosts, you also must import those root certificates. Take these steps for View Connection Server instances only. You do not have to import the root certificate to View Composer, vCenter Server, or security server hosts.
5 If your server certificate was signed by an intermediate CA, import the intermediate certificates into the Windows local computer certificate store.
To simplify client configuration, import the entire certificate chain into the Windows local computer certificate store. If intermediate certificates are missing from the View server, they must be configured for clients and computers that launch View Administrator.
6 For View Composer instances, take one of these steps:
- If you import the certificate into the Windows local computer certificate store before you install View Composer, you can select your certificate during the View Composer installation.
- If you intend to replace an existing certificate or the default, self-signed certificate with a new certificate after you install View Composer, run the SviConfig ReplaceCertificate utility to bind the new certificate to the port used by View Composer.
7 If your CA is not well known, configure clients to trust the root and intermediate certificates.
Also ensure that the computers on which you launch View Administrator trust the root and intermediate certificates.
8 Determine whether to reconfigure certificate revocation checking.
View Connection Server performs certificate revocation checking on View servers, View Composer, and vCenter Server. Most certificates signed by a CA include certificate revocation information. If your CA does not include this information, you can configure the server not to check certificates for revocation.
If a SAML authenticator is configured for use with a View Connection Server instance, View Connection Server also performs certificate revocation checking on the SAML server certificate.

Obtaining a Signed SSL Certificate from a CA

If your organization does not provide you with an SSL server certificate, you must request a new certificate that is signed by a CA.
You can use several methods to obtain a new signed certificate. For example, you can use the Microsoft certreq utility to generate a Certificate Signing Request (CSR) and submit a certificate request to a CA.
See the Scenarios for Setting Up SSL Certificates for View document for an example that shows you how to use certreq to accomplish this task.
For testing purposes, you can obtain a free temporary certificate based on an untrusted root from many CAs.
IMPORTANT You must follow certain rules and guidelines when you obtain signed SSL certificates from a CA.
- When you generate a certificate request on a computer, make sure that a private key is generated also. When you obtain the SSL server certificate and import it into the Windows local computer certificate store, there must be an accompanying private key that corresponds to the certificate.
- To comply with VMware security recommendations, use the fully qualified domain name (FQDN) that client devices use to connect to the host. Do not use a simple server name or IP address, even for communications within your internal domain.
- Do not create certificates for servers using a certificate template that is compatible only with a Windows Server 2008 enterprise CA or later.
- Do not generate certificates for servers using a KeyLength value under 1024. Client endpoints will not validate a certificate on a server that was generated with a KeyLength under 1024, and the clients will fail to connect to the server. Certificate validations that are performed by View Connection Server will also fail, resulting in the affected servers showing as red in the View Administrator dashboard.
For general information about obtaining certificates, consult the Microsoft online help available with the Certificate Snap-in to MMC. If the Certificate Snap-in is not yet installed on your computer, see “Add the Certificate Snap-In to MMC,” on page 82.

Obtain a Signed Certificate from a Windows Domain or Enterprise CA

To obtain a signed certificate from a Windows Domain or Enterprise CA, you can use the Windows Certificate Enrollment wizard in the Windows Certificate Store.
This method of requesting a certificate is appropriate if communications between computers remain within your internal domain. For example, obtaining a signed certificate from a Windows Domain CA might be appropriate for server-to-server communications.
If your clients connect to View servers from an external network, request SSL server certificates that are signed by a trusted, third-party CA.
Prerequisites
- Determine the fully qualified domain name (FQDN) that client devices use to connect to the host. To comply with VMware security recommendations, use the FQDN, not a simple server name or IP address, even for communications within your internal domain.
- Verify that the Certificate snap-in was added to MMC. See “Add the Certificate Snap-In to MMC,” on page 82.
- Verify that you have the appropriate credentials to request a certificate that can be issued to a computer or service.
Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (local computer) node and select the Personal folder.
2 From the Action menu, go to All Tasks > Request New Certificate to display the Certificate Enrollment wizard.
3 Select a Certificate Enrollment Policy.
4 Select the types of certificates that you want to request, select the Make private key exportable option, and click Enroll.
5 Click Finish.
The new signed certificate is added to the Personal > Certificates folder in the Windows Certificate Store.
What to do next
- Verify that the server certificate and certificate chain were imported into the Windows Certificate Store.
- For a View Connection Server instance or security server, modify the certificate friendly name to vdm. See “Modify the Certificate Friendly Name,” on page 83.
- For a View Composer server, bind the new certificate to the port used by View Composer. See “Bind a New SSL Certificate to the Port Used by View Composer,” on page 85.

Configure View Connection Server, Security Server, or View Composer to Use a New SSL Certificate

To configure a View Connection Server instance, security server, or View Composer instance to use an SSL certificate, you must import the server certificate and the entire certificate chain into the Windows local computer certificate store on the View Connection Server, security server, or View Composer host.
In a pod of replicated View Connection Server instances, you must import the server certificate and certificate chain on all instances in the pod.
By default, the Blast Secure Gateway (BSG) uses the SSL certificate that is configured for the View Connection Server instance or security server on which the BSG is running. If you replace the default, self-signed certificate for a View server with a CA-signed certificate, the BSG also uses the CA-signed certificate.
IMPORTANT To configure View Connection Server or security server to use a certificate, you must change the certificate Friendly name to vdm. Also, the certificate must have an accompanying private key.
If you intend to replace an existing certificate or the default, self-signed certificate with a new certificate after you install View Composer, you must run the SviConfig ReplaceCertificate utility to bind the new certificate to the port used by View Composer.
Procedure
1 Add the Certificate Snap-In to MMC on page 82
Before you can add certificates to the Windows Certificate Store, you must add the Certificate snap-in to the Microsoft Management Console (MMC) on the Windows Server host on which the View server is installed.
2 Import a Signed Server Certificate into a Windows Certificate Store on page 82
You must import the SSL server certificate into the Windows local computer certificate store on the Windows Server host on which the View Connection Server instance or security server service is installed.
3 Modify the Certificate Friendly Name on page 83
To configure a View Connection Server instance or security server to recognize and use an SSL certificate, you must modify the certificate Friendly name to vdm.
4 Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store on page 84
If the Windows Server host on which View Connection Server is installed does not trust the root certificate for the signed SSL server certificate, you must import the root certificate into the Windows local computer certificate store. In addition, if the View Connection Server host does not trust the root certificates of the SSL server certificates configured for security server, View Composer, and vCenter Server hosts, you also must import those root certificates.
5 Bind a New SSL Certificate to the Port Used by View Composer on page 85
If you configure a new SSL certificate after you install View Composer, you must run the SviConfig ReplaceCertificate utility to replace the certificate that is bound to the port used by View Composer.
This utility unbinds the existing certificate and binds the new certificate to the port.

Add the Certificate Snap-In to MMC

Before you can add certificates to the Windows Certificate Store, you must add the Certificate snap-in to the Microsoft Management Console (MMC) on the Windows Server host on which the View server is installed.
Prerequisites
Verify that the MMC and Certificate snap-in are available on the Windows Server computer on which the View server is installed.
Procedure
1 On the Windows Server computer, click Start and type mmc.exe.
2 In the MMC window, go to File > Add/Remove Snap-in.
3 In the Add or Remove Snap-ins window, select Certificates and click Add.
4 In the Certificates snap-in window, select Computer account, click Next, select Local computer, and
click Finish.
5 In the Add or Remove snap-in window, click OK.
What to do next
Import the SSL server certificate into the Windows Certificate Store.

Import a Signed Server Certificate into a Windows Certificate Store

You must import the SSL server certificate into the Windows local computer certificate store on the Windows Server host on which the View Connection Server instance or security server service is installed.
You also must perform this task on the Windows Server host where the View Composer service is installed.
Depending on your certificate file format, the entire certificate chain that is contained in the keystore file might be imported into the Windows local computer certificate store. For example, the server certificate, intermediate certificate, and root certificate might be imported.
For other types of certificate files, only the server certificate is imported into the Windows local computer certificate store. In this case, you must take separate steps to import the root certificate and any intermediate certificates in the certificate chain.
For more information about certificates, consult the Microsoft online help available with the Certificate snap-in to MMC.
NOTE If you off-load SSL connections to an intermediate server, you must import the same SSL server certificate onto both the intermediate server and the off-loaded View server. For details, see "Off-load SSL Connections to Intermediate Servers" in the View Administration document.
Prerequisites
Verify that the Certificate snap-in was added to MMC. See “Add the Certificate Snap-In to MMC,” on page 82.
Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (Local Computer) node and select the Personal folder.
2 In the Actions pane, go to More Actions > All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the certificate is stored.
4 Select the certificate file and click Open.
To display your certificate file type, you can select its file format from the File name drop-down menu.
5 Type the password for the private key that is included in the certificate file.
6 Select Mark this key as exportable.
7 Select Include all extended properties.
8 Click Next and click Finish.
The new certificate appears in the Certificates (Local Computer) > Personal > Certificates folder.
9 Verify that the new certificate contains a private key.
a In the Certificates (Local Computer) > Personal > Certificates folder, double-click the new certificate.
b In the General tab of the Certificate Information dialog box, verify that the following statement appears: You have a private key that corresponds to this certificate.
What to do next
Modify the certificate Friendly name to vdm.

Modify the Certificate Friendly Name

To configure a View Connection Server instance or security server to recognize and use an SSL certificate, you must modify the certificate Friendly name to vdm.
You do not have to modify the Friendly name of SSL certificates that are used by View Composer.
Prerequisites
Verify that the server certificate is imported into the Certificates (Local Computer) > Personal > Certificates folder in the Windows Certificate Store. See “Import a Signed Server Certificate into a Windows Certificate Store,” on page 82.
Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (Local Computer) node and select the Personal > Certificates folder.
2 Right-click the certificate that is issued to the View server host and click Properties.
3 On the General tab, delete the Friendly name text and type vdm.
4 Click Apply and click OK.
5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of vdm.
a Locate any other server certificate, right-click the certificate, and click Properties.
b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.
What to do next
Import the root certificate and intermediate certificates into the Windows local computer certificate store.
After all certificates in the chain are imported, you must restart the View Connection Server service or Security Server service to make your changes take effect.

Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store

If the Windows Server host on which View Connection Server is installed does not trust the root certificate for the signed SSL server certificate, you must import the root certificate into the Windows local computer certificate store. In addition, if the View Connection Server host does not trust the root certificates of the SSL server certificates configured for security server, View Composer, and vCenter Server hosts, you also must import those root certificates.
If the View Connection Server, security server, View Composer, and vCenter Server certificates are signed by a root CA that is known and trusted by the View Connection Server host, and there are no intermediate certificates in your certificate chains, you can skip this task. Commonly used Certificate Authorities are likely to be trusted by the host.
You must import untrusted root certificates on all replicated View Connection Server instances in a pod.
NOTE You do not have to import the root certificate into View Composer, vCenter Server, or security server hosts.
If a server certificate is signed by an intermediate CA, you also must import each intermediate certificate in the certificate chain. To simplify client configuration, import the entire intermediate chain to security server, View Composer, and vCenter Server hosts as well as View Connection Server hosts. If intermediate certificates are missing from a View Connection Server or security server host, they must be configured for clients and computers that launch View Administrator. If intermediate certificates are missing from a View Composer or vCenter Server host, they must be configured for each View Connection Server instance.
If you already verified that the entire certificate chain is imported into the Windows local computer certificate store, you can skip this task.
NOTE If a SAML authenticator is configured for use by a View Connection Server instance, the same guidelines apply to the SAML 2.0 authenticator. If the View Connection Server host does not trust the root certificate configured for a SAML authenticator, or if the SAML server certificate is signed by an intermediate CA, you must ensure that the certificate chain is imported into the Windows local computer certificate store.
Procedure
1 In the MMC console on the Windows Server host, expand the Certificates (Local Computer) node and go to the Trusted Root Certification Authorities > Certificates folder.
- If your root certificate is in this folder, and there are no intermediate certificates in your certificate chain, skip to step 7.
- If your root certificate is not in this folder, proceed to step 2.
2 Right-click the Trusted Root Certification Authorities > Certificates folder and click All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the root CA certificate is stored.
4 Select the root CA certificate file and click Open.
5 Click Next, click Next, and click Finish.
6 If your server certificate was signed by an intermediate CA, import all intermediate certificates in the certificate chain into the Windows local computer certificate store.
a Go to the Certificates (Local Computer) > Intermediate Certification Authorities > Certificates folder.
b Repeat steps 3 through 6 for each intermediate certificate that must be imported.
7 Restart the View Connection Server service, Security Server service, View Composer service, or vCenter Server service to make your changes take effect.
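A pre-flight check for the server certificate configured by the import procedures in this section, as an added PowerShell example that is not part of the VMware documentation: it confirms that exactly one Local Computer > Personal certificate carries the Friendly name vdm, that it has a private key, a KeyLength of at least 1024 and the client-facing FQDN, that it is not the default self-signed certificate, and that its chain builds from the local stores before you restart the service. The FQDN is a placeholder; the Cert: drive and the DnsNameList property are those of the Windows PowerShell certificate provider.

```powershell
# Added example, not from the VMware documentation. Pre-flight check for a
# View Connection Server or security server host: verifies the rules this
# chapter sets for the server certificate before the service is restarted.
# Assumption: the FQDN passed at the bottom is a placeholder for the name
# clients actually use to reach the host. Runs in an elevated Windows
# PowerShell session on the server.

function Test-ViewServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ExpectedFqdn,
        [int]    $MinimumKeyLength = 1024,
        [switch] $SkipRevocationCheck   # for CAs that publish no revocation information
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Exactly one certificate in Certificates (Local Computer) > Personal may
    # carry the Friendly name vdm; View picks that one up.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($candidates.Count -ne 1) {
        $findings.Add("Expected one certificate with Friendly name 'vdm', found $($candidates.Count).")
        return [pscustomobject]@{ Passed = $false; Findings = $findings }
    }
    $cert = $candidates[0]

    # The certificate must have an accompanying private key.
    if (-not $cert.HasPrivateKey) {
        $findings.Add('No private key corresponds to this certificate.')
    }

    # The default certificate is self-signed and is meant for testing only.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings.Add('Certificate is self-signed; replace it with a CA-signed certificate.')
    }

    # Clients refuse certificates generated with a KeyLength under 1024 (RSA keys).
    $keyLength = $cert.PublicKey.Key.KeySize
    if ($keyLength -lt $MinimumKeyLength) {
        $findings.Add("KeyLength $keyLength is below $MinimumKeyLength.")
    }

    # The name clients connect with must appear in the certificate. DnsNameList
    # is the property the Cert: provider adds (SAN entries, or the subject CN).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -notcontains $ExpectedFqdn) {
        $findings.Add("Certificate names [$($names -join ', ')] do not include $ExpectedFqdn.")
    }

    if ($cert.NotAfter -lt (Get-Date)) {
        $findings.Add("Certificate expired on $($cert.NotAfter).")
    }

    # Build the chain from the local machine stores: the root must be trusted
    # and every intermediate must be present, as the import steps require.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if ($SkipRevocationCheck) { $chain.ChainPolicy.RevocationMode = 'NoCheck' }
    if (-not $chain.Build($cert)) {
        foreach ($status in $chain.ChainStatus) {
            $findings.Add("Chain: $($status.Status) $($status.StatusInformation.Trim())")
        }
    }

    [pscustomobject]@{
        Passed     = ($findings.Count -eq 0)
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        KeyLength  = $keyLength
        Findings   = $findings
    }
}

# Replace the placeholder with the FQDN your clients use to connect.
Test-ViewServerCertificate -ExpectedFqdn 'view.example.com' | Format-List
```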

Bind a New SSL Certificate to the Port Used by View Composer

If you configure a new SSL certificate after you install View Composer, you must run the SviConfig
ReplaceCertificate utility to replace the certificate that is bound to the port used by View Composer. This
utility unbinds the existing certificate and binds the new certificate to the port.
If you install the new certificate on the Windows Server computer before you install View Composer, you do not have to run the SviConfig ReplaceCertificate utility. When you run the View Composer installer, you can select a certificate signed by a CA instead of the default, self-signed certificate. During the installation, the selected certificate is bound to the port used by View Composer.
If you intend to replace an existing certificate or the default, self-signed certificate with a new certificate, you must use the SviConfig ReplaceCertificate utility.
Prerequisites
Verify that the new certificate was imported into the Windows local computer certificate store on the Windows Server computer on which View Composer is installed.
Procedure
1 Stop the View Composer service.
2 Open a command prompt on the Windows Server host where View Composer is installed.
3 Navigate to the SviConfig executable file.
The file is located with the View Composer application. The default path is C:\Program Files (x86)\VMware\VMware View Composer\sviconfig.exe.
4 Type the SviConfig ReplaceCertificate command.
For example:
sviconfig -operation=ReplaceCertificate -delete=false
where -delete is a required parameter that operates on the certificate that is being replaced. You must specify either -delete=true to delete the old certificate from the Windows local computer certificate store or -delete=false to keep the old certificate in the Windows certificate store.
The utility displays a numbered list of SSL certificates that are available in the Windows local computer certificate store.
5 To select a certificate, type the number of a certificate and press Enter.
6 Restart the View Composer service to make your changes take effect.
Example: SviConfig ReplaceCertificate
The following example replaces the certificate that is bound to the View Composer port:
sviconfig -operation=ReplaceCertificate -delete=false

Configure Client Endpoints to Trust Root and Intermediate Certificates

If a View server certificate is signed by a CA that is not trusted by client computers, including the computers that access View Administrator, you can configure all Windows client systems in a domain to trust the root and intermediate certificates. To do so, you must add the public key for the root certificate to the Trusted Root Certification Authorities group policy in Active Directory and add the root certificate to the Enterprise NTAuth store.
For example, you might have to take these steps if your organization uses an internal certificate service.
You do not have to take these steps if the Windows domain controller acts as the root CA, or if your certificates are signed by a well known CA. For well known CAs, the operating system vendors preinstall the root certificate on client systems.
If your server certificates are signed by a little-known intermediate CA, you must also add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.
For client devices that use other operating systems than Windows, see the following instructions for distributing root and intermediate certificates that users can install:
■ For Horizon Client for Mac OS X, see “Configure Horizon Client for Mac OS X to Trust Root and Intermediate Certificates,” on page 87.
■ For Horizon Client for iOS, see “Configure Horizon Client for iOS to Trust Root and Intermediate Certificates,” on page 88.
■ For Horizon Client for Android, see documentation on the Google Web site, such as the Android 3.0 User's Guide.
■ For Horizon Client for Linux, see the Ubuntu documentation.
Prerequisites
Verify that the server certificate was generated with a KeyLength value of 1024 or larger. Client endpoints will not validate a certificate on a server that was generated with a KeyLength under 1024, and the clients will fail to connect to the server. Note that 1024 bits is only the floor the clients enforce; current practice, and most public CAs, require RSA keys of 2048 bits or larger.
Procedure
1 On your Active Directory server, use the certutil command to publish the certificate to the Enterprise NTAuth store.
For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA
Chapter 8 Configuring SSL Certificates for View Servers
2 On the Active Directory server, navigate to the Group Policy Management plug-in.
AD Version: Navigation Path
Windows 2003:
a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
b Right-click your domain and click Properties.
c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
d Right-click Default Domain Policy, and click Edit.
Windows 2008:
a Select Start > Administrative Tools > Group Policy Management.
b Expand your domain, right-click Default Domain Policy, and click Edit.
3 Expand the Computer Configuration section and go to Windows Settings > Security Settings > Public Key Policies.
4 Import the certificate.
Option: Description
Root certificate:
a Right-click Trusted Root Certification Authorities and select Import.
b Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
Intermediate certificate:
a Right-click Intermediate Certification Authorities and select Import.
b Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.cer) and click OK.
5 Close the Group Policy window.
All systems in the domain now have certificate information in their trusted root certificate stores and intermediate certificate stores that allows them to trust the root and intermediate certificates.
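As an added example (not code from the VMware document), the following PowerShell script connects to a View server, retrieves the certificate it presents, checks the key length that the clients enforce, and, when the chain does not validate on the machine running the script, exports each issuer certificate and prints the certutil or group policy step from the procedure above that applies to it. The server name and port are assumptions to replace; the script needs only PowerShell and the .NET Framework on a Windows client.

```powershell
# Added example, not part of the VMware document: probe a View server's TLS
# certificate the way a client endpoint sees it, check the key length the
# clients enforce, and say which issuer certificates must be distributed.
# $Server and $Port are assumptions; replace them with your own values.
param(
    [string]$Server = 'view.customer.com',   # assumption: your Connection Server or security server FQDN
    [int]$Port      = 443
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$TcpPort)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    try {
        # Accept anything at this point: the goal is to inspect the certificate, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        # Copy the certificate out before the stream is closed.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $findings = @()

    # The document's floor is 1024 bits (clients refuse shorter keys); 2048 bits
    # is the current minimum in practice. Assumes an RSA key, as in the document.
    $keyBits = $Cert.PublicKey.Key.KeySize
    if ($keyBits -lt 1024)     { $findings += "Key length $keyBits bits is below 1024: clients will fail to connect." }
    elseif ($keyBits -lt 2048) { $findings += "Key length $keyBits bits meets the 1024-bit floor but is weak by current standards." }

    # Build the chain against this endpoint's own trust stores; revocation is a
    # separate topic and is deliberately not checked here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    if (-not $trusted) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Chain does not validate on this endpoint: $status"
    }
    # Elements after the leaf are the issuers this endpoint could locate, leaf
    # first. If the root is absent from every store the list stops short of it.
    $issuers = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }

    [pscustomobject]@{
        Subject  = $Cert.Subject
        KeyBits  = $keyBits
        Trusted  = $trusted
        Issuers  = @($issuers)
        Findings = $findings
    }
}

$report = Test-ServerCertificate -Cert (Get-RemoteCertificate -HostName $Server -TcpPort $Port)
$report | Format-List Subject, KeyBits, Trusted, Findings

if (-not $report.Trusted) {
    # Export each issuer and print the matching step from the procedure above:
    # a self-signed issuer is the root (NTAuth store plus the Trusted Root
    # Certification Authorities policy); anything else is an intermediate.
    $n = 0
    foreach ($issuer in $report.Issuers) {
        $n++
        $path = Join-Path $env:TEMP "issuer$n.cer"
        [IO.File]::WriteAllBytes($path, $issuer.Export('Cert'))
        if ($issuer.Subject -eq $issuer.Issuer) {
            "Root CA: $($issuer.Subject)"
            "  certutil -dspublish -f `"$path`" NTAuthCA"
            "  GPO: Trusted Root Certification Authorities -> Import $path"
        } else {
            "Intermediate CA: $($issuer.Subject)"
            "  GPO: Intermediate Certification Authorities -> Import $path"
        }
    }
}
```

Run it from a client that has not yet received the group policy to see exactly what the clients are missing; run it again after the policy has applied and Trusted should be True with an empty Findings list. If the server is behind a load balancer, point $Server at each member so that every certificate in rotation is checked.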

Configure Horizon Client for Mac OS X to Trust Root and Intermediate Certificates

If a server certificate is signed by a CA that is not trusted by computers that run Horizon Client for Mac OS X, you can configure these computers to trust the root and intermediate certificates. You must distribute the root certificate and all intermediate certificates in the trust chain to the client computers.
Procedure
1 Deliver the root certificate and intermediate certificates to the computer that is running Horizon Client for Mac OS X.
2 Open the root certificate on the Mac OS X computer.
The certificate displays the following message: Do you want your computer to trust certificates signed by CA name from now on?
3 Click Always Trust.
4 Type the user password.
5 Repeat steps 2 through 4 for all intermediate certificates in the trust chain.

Configure Horizon Client for iOS to Trust Root and Intermediate Certificates

If a server certificate is signed by a CA that is not trusted by iPads and iPhones that run Horizon Client for iOS, you can configure the device to trust the root and intermediate certificates. You must distribute the root certificate and all intermediate certificates in the trust chain to the devices.
Procedure
1 Send the root certificate and intermediate certificates as email attachments to the iPad.
2 Open the email attachment for the root certificate and select Install.
The certificate displays the following message:
Unverifiable Profile. The authenticity of Certificate name cannot be verified. Installing this profile will change settings on your iPad.
Root Certificate. Installing the certificate Certificate name will add it to the list of trusted certificates on your iPad.
3 Select Install again.
4 Repeat steps 2 and 3 for all intermediate certificates in the trust chain.

Configuring Certificate Revocation Checking on Server Certificates

Each View Connection Server instance performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. By default, all certificates in the chain are checked except the root certificate. You can, however, change this default.
If a SAML 2.0 authenticator is configured for use by a View Connection Server instance, View Connection Server also performs certificate revocation checking on the SAML 2.0 server certificate.
View supports various means of certificate revocation checking, such as certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an X.509 certificate.
With CRLs, the list of revoked certificates is downloaded from a certificate distribution point (DP) that is often specified in the certificate. The server periodically goes to the CRL DP URL specified in the certificate, downloads the list, and checks it to determine whether the server certificate has been revoked. With OCSP, the server sends a request to an OCSP responder to determine the revocation status of the certificate.
When you obtain a server certificate from a third-party certificate authority (CA), the certificate includes one or more means by which its revocation status can be determined, including, for example, a CRL DP URL or the URL for an OCSP responder. If you have your own CA and generate a certificate but do not include revocation information in the certificate, the certificate revocation check fails. An example of revocation information for such a certificate could include, for example, a URL to a Web-based CRL DP on a server where you host a CRL.
If you have your own CA but do not or cannot include certificate revocation information in your certificate, you can choose not to check certificates for revocation or to check only certain certificates in a chain. On the server, with the Windows Registry Editor, you can create the string (REG_SZ) value CertificateRevocationCheckType, under HKLM\Software\VMware, Inc.\VMware VDM\Security, and set this value to one of the following data values.
Value Description
1 Do not perform certificate revocation checking.
2 Check only the server certificate. Do not check any other certificates in the chain.
3 Check all certificates in the chain.
4 (Default) Check all certificates except the root certificate.
If this registry value is not set, or if the value set is not valid (that is, if the value is not 1, 2, 3, or 4), all certificates are checked except the root certificate. Set this registry value on each server on which you intend to modify revocation checking. You do not have to restart the system after you set this value.
NOTE If your organization uses proxy settings for Internet access, you might have to configure your View Connection Server computers to use the proxy settings to ensure that certificate revocation checking can be performed for security servers or View Connection Server instances that are used for secure client connections. If a View Connection Server instance cannot access the Internet, certificate revocation checking might fail, and the View Connection Server instance or paired security servers might show up as red on the View Administrator dashboard. To resolve this issue, see "Troubleshooting Security Server Certificate Revocation Checking" in the View Administration document.
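The following PowerShell, added here and not part of the VMware document, shows what a practitioner would check before choosing a value: which CRL distribution points and OCSP responders the server certificate actually carries, how each of the four modes behaves when approximated with the Windows chain engine (this is CryptoAPI, not View's own checker, so treat the result as a diagnostic), and how to set the REG_SZ value. It assumes the server certificate carries the friendly name vdm, as the document requires; the registry path and the meaning of values 1 to 4 are taken from the text above.

```powershell
# Added example, not part of the VMware document: inspect the revocation
# sources in the View server certificate (friendly name vdm), approximate the
# four CertificateRevocationCheckType modes with the Windows chain engine, and
# set the registry value as a REG_SZ. The friendly name, registry path and
# value meanings are the document's; the checking code is the editor's.
$RegPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Security'

function Get-RevocationSources {
    # CRL distribution points (2.5.29.31) and OCSP responders from Authority
    # Information Access (1.3.6.1.5.5.7.1.1). With neither present, View's check
    # cannot succeed, which is the internal-CA failure described above.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $wanted = @('2.5.29.31', '1.3.6.1.5.5.7.1.1')
    $ext    = $Cert.Extensions | Where-Object { $wanted -contains $_.Oid.Value }
    $text   = @($ext | ForEach-Object { $_.Format($true) }) -join "`n"
    [regex]::Matches($text, 'https?://\S+') | ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Test-ChainRevocation {
    # Mirror the four modes: 1 no check, 2 leaf only, 3 entire chain, 4 (default) all but root.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [ValidateSet(1, 2, 3, 4)][int]$Mode = 4
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    switch ($Mode) {
        1 { $chain.ChainPolicy.RevocationMode = 'NoCheck' }
        2 { $chain.ChainPolicy.RevocationFlag = 'EndCertificateOnly' }
        3 { $chain.ChainPolicy.RevocationFlag = 'EntireChain' }
        4 { $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot' }
    }
    $valid = $chain.Build($Cert)
    [pscustomobject]@{
        Mode   = $Mode
        Valid  = $valid
        # RevocationStatusUnknown or OfflineRevocation here means the CRL or OCSP
        # source could not be reached or does not exist: the proxy case in the NOTE.
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

function Set-ViewRevocationCheckType {
    param([ValidateSet(1, 2, 3, 4)][int]$Value)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    # The document specifies a string (REG_SZ) value, so write it as a string.
    # No restart is needed after the change.
    New-ItemProperty -Path $RegPath -Name CertificateRevocationCheckType -PropertyType String -Value "$Value" -Force | Out-Null
    (Get-ItemProperty -Path $RegPath).CertificateRevocationCheckType
}

$vdm = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -ceq 'vdm' } | Select-Object -First 1
if (-not $vdm) { throw "No certificate with friendly name 'vdm' in LocalMachine\My" }

'Revocation sources embedded in the vdm certificate:'
Get-RevocationSources -Cert $vdm
1..4 | ForEach-Object { Test-ChainRevocation -Cert $vdm -Mode $_ } | Format-Table -AutoSize

# Only after deciding that the weaker check is acceptable, for example an
# internal CA whose certificates carry no revocation URLs at all:
# Set-ViewRevocationCheckType -Value 2
```

If Get-RevocationSources prints nothing, modes 2 to 4 will report an unknown revocation status and View's own check fails in the same way; the fix is to re-issue the certificate with a CRL DP or OCSP URL, or to host a CRL and add its URL, before considering value 1, which disables revocation checking entirely.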

Configure the PCoIP Secure Gateway to Use a New SSL Certificate

To comply with industry or jurisdiction security regulations, you can replace the default SSL certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA.
In View 5.2 or later releases, the PSG service creates a default, self-signed SSL certificate when the service starts up. The PSG service presents the self-signed certificate to clients running Horizon Client 2.0 (or Horizon Client 5.2 for Windows) or later releases that connect to the PSG.
The PSG also provides a default legacy SSL certificate that is presented to clients running older clients or earlier releases that connect to the PSG.
The default certificates provide secure connections from client endpoints to the PSG and do not require further configuration in View Administrator. However, configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing.
Although it is not required, you will most likely configure new CA-signed SSL certificates for your servers before you replace the default PSG certificate with a CA-signed certificate. The procedures that follow assume that you have already imported a CA-signed certificate into the Windows certificate store on the server on which the PSG is running.
NOTE If you are using a security scanner for compliance testing, you might want to start by setting the PSG to use the same certificate as the server and scan the View port before the PSG port. You can resolve trust or validation issues that occur during the scan of the View port to ensure that these issues do not invalidate your test of the PSG port and certificate. Next, you can configure a unique certificate for the PSG and do another scan.
Procedure
1 Verify That the Server Name Matches the PSG Certificate Subject Name on page 90
When a View Connection Server instance or security server is installed, the installer creates a registry setting with a value that contains the FQDN of the computer. You must verify that this value matches the server name part of the URL that security scanners use to reach the PSG port. The server name also must match the subject name or a subject alternate name (SAN) of the SSL certificate that you intend to use for the PSG.
2 Configure a PSG Certificate in the Windows Certificate Store on page 90
To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the View Connection Server or security server computer on which the PSG is running.
3 Set the PSG Certificate Friendly Name in the Windows Registry on page 92
The PSG identifies the SSL certificate to use by means of the server name and certificate Friendly name. You must set the Friendly name value in the Windows registry on the View Connection Server or security server computer on which the PSG is running.
4 (Optional) Force a CA-Signed Certificate to Be Used for Connections to the PSG on page 92
You can ensure that all client connections to the PSG use the CA-signed certificate for the PSG instead of the default legacy certificate. This procedure is not required to configure a CA-signed certificate for the PSG. Take these steps only if it makes sense to force the use of a CA-signed certificate in your View deployment.

Verify That the Server Name Matches the PSG Certificate Subject Name

When a View Connection Server instance or security server is installed, the installer creates a registry setting with a value that contains the FQDN of the computer. You must verify that this value matches the server name part of the URL that security scanners use to reach the PSG port. The server name also must match the subject name or a subject alternate name (SAN) of the SSL certificate that you intend to use for the PSG.
For example, if a scanner connects to the PSG with the URL https://view.customer.com:4172, the registry setting must have the value view.customer.com. Note that the FQDN of the View Connection Server or security server computer that is set during installation might not be the same as this external server name.
Procedure
1 Start the Windows Registry Editor on the View Connection Server or security server host where the PCoIP Secure Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway\SSLCertPsgSni registry setting.
3 Verify that the value of the SSLCertPsgSni setting matches the server name in the URL that scanners will use to connect to the PSG and matches the subject name or a subject alternate name of the SSL certificate that you intend to install for the PSG.
If the value does not match, replace it with the correct value.
4 Restart the VMware Horizon View PCoIP Secure Gateway service to make your changes take effect.
What to do next
Import the CA-signed certificate into the Windows local computer certificate store and configure the certificate Friendly name.

Configure a PSG Certificate in the Windows Certificate Store

To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the View Connection Server or security server computer on which the PSG is running.
If you intend the PSG to use a unique certificate, you must import the certificate into the Windows local computer certificate store with an exportable private key and set the appropriate Friendly name.
If you intend the PSG to use the same certificate as the server, you do not have to follow this procedure. However, in the Windows registry you must set the server name to match the server certificate subject name and set the Friendly name to vdm.
Prerequisites
■ Verify that the key length is at least 1024 bits.
■ Verify that the SSL certificate is valid. The current time on the server computer must be within the certificate start and end dates.
■ Verify that the certificate subject name or a subject alternate name matches the SSLCertPsgSni setting in the Windows registry. See “Verify That the Server Name Matches the PSG Certificate Subject Name,” on page 90.
■ Verify that the Certificate snap-in was added to MMC. See “Add the Certificate Snap-In to MMC,” on page 82.
■ Familiarize yourself with importing a certificate into the Windows certificate store. See “Import a Signed Server Certificate into a Windows Certificate Store,” on page 82.
■ Familiarize yourself with modifying the certificate Friendly name. See “Modify the Certificate Friendly Name,” on page 83.
Procedure
1 In the MMC window on the Windows Server host, open the Certificates (Local Computer) > Personal folder.
2 Import the SSL certificate that is issued to the PSG by selecting More Actions > All Tasks > Import.
Select the following settings in the Certificate Import wizard:
a Mark this key as exportable
b Include all extendable properties
Complete the wizard to finish importing the certificate into the Personal folder.
3 Verify that the new certificate contains a private key by taking one of these steps:
■ Verify that a yellow key appears on the certificate icon.
■ Double-click the certificate and verify that the following statement appears in the Certificate Information dialog box: You have a private key that corresponds to this certificate.
4 Right-click the new certificate and click Properties.
5 On the General tab, delete the Friendly name text and type the Friendly name that you have chosen.
Make sure that you enter exactly the same name in the SSLCertWinCertFriendlyName setting in the Windows registry, as described in the next procedure.
6 Click Apply and click OK.
The PSG presents the CA-signed certificate to client devices that connect to the server over PCoIP.
NOTE This procedure does not affect legacy client devices. The PSG continues to present the default legacy certificate to legacy client devices that connect to this server over PCoIP.
What to do next
Configure the certificate Friendly name in the Windows registry.

Set the PSG Certificate Friendly Name in the Windows Registry

The PSG identifies the SSL certificate to use by means of the server name and certificate Friendly name. You must set the Friendly name value in the Windows registry on the View Connection Server or security server computer on which the PSG is running.
The certificate Friendly name vdm is used by all View Connection Server instances and security servers. By contrast, you can configure your own certificate Friendly name for the PSG certificate. You must configure a Windows registry setting to enable the PSG to match the correct name with the Friendly name that you will set in the Windows certificate store.
The PSG can use the same SSL certificate as the server on which the PSG is running. If you configure the PSG to use the same certificate as the server, the Friendly name must be vdm.
The Friendly name value, in both the registry and the Windows certificate store, is case sensitive.
Prerequisites
■ Verify that the Windows registry contains the correct subject name that is used to reach the PSG port and that matches the PSG certificate subject name or subject alternate name. See “Verify That the Server Name Matches the PSG Certificate Subject Name,” on page 90.
■ Verify that the certificate Friendly name is configured in the Windows local computer certificate store. See “Configure a PSG Certificate in the Windows Certificate Store,” on page 90.
Procedure
1 Start the Windows Registry Editor on the View Connection Server or security server computer where the PCoIP Secure Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
3 Add a new String (REG_SZ) value, SSLCertWinCertFriendlyName, to this registry key.
4 Modify the SSLCertWinCertFriendlyName value and type the certificate Friendly name to be used by the PSG.
For example: pcoip
If you use the same certificate as the server, the value must be vdm.
5 Restart the VMware Horizon View PCoIP Secure Gateway service to make your changes take effect.
What to do next
Verify that client devices continue to connect to the PSG.
If you are using a security scanner for compliance testing, scan the PSG port.

(Optional) Force a CA-Signed Certificate to Be Used for Connections to the PSG

You can ensure that all client connections to the PSG use the CA-signed certificate for the PSG instead of the default legacy certificate. This procedure is not required to configure a CA-signed certificate for the PSG. Take these steps only if it makes sense to force the use of a CA-signed certificate in your View deployment.
In some cases, the PSG might present the default legacy certificate instead of the CA-signed certificate to a security scanner, invalidating the compliance test on the PSG port. To resolve this issue, you can configure the PSG not to present the default legacy certificate to any device that attempts to connect.
IMPORTANT Performing this procedure prevents all legacy clients from connecting to this server over PCoIP.
Prerequisites
Verify that all client devices that connect to this server, including thin clients, run Horizon Client 5.2 for Windows or Horizon Client 2.0 or later releases. You must upgrade the legacy clients.
Procedure
1 Start the Windows Registry Editor on the View Connection Server or security server computer where the PCoIP Secure Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
3 Add a new String (REG_SZ) value, SSLCertPresentLegacyCertificate, to this registry key.
4 Set the SSLCertPresentLegacyCertificate value to 0.
5 Restart the VMware Horizon View PCoIP Secure Gateway service to make your changes take effect.
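The four PSG procedures above, carried out as one PowerShell script on the View Connection Server or security server. This is an added example, not VMware's code: the registry key and value names, the friendly name rule (any name for a dedicated certificate, vdm to share the server certificate, case sensitive in both places) and the service display name come from the document; the PFX path, its password prompt, the external name, the friendly name pcoip and the English-locale parsing of the SAN extension are assumptions to adjust.

```powershell
# Added example, not part of the VMware document: carry out the PSG certificate
# procedure end to end. Registry names, the friendly name rule and the service
# display name come from the document; the parameters below are assumptions.
param(
    [string]$PfxPath      = 'C:\certs\psg.pfx',    # assumption: CA-signed cert with private key
    [string]$ExternalName = 'view.customer.com',    # host name in the URL clients and scanners use
    [string]$FriendlyName = 'pcoip',                # use 'vdm' to share the server certificate
    [switch]$DisableLegacyCertificate               # IMPORTANT: blocks all legacy clients
)
$TeradiciKey = 'HKLM:\SOFTWARE\Teradici\SecurityGateway'

function Test-NameMatchesCertificate {
    # True when $Name equals the subject CN or appears as a DNS name in the SAN
    # extension (2.5.29.17). Assumes English Windows text for the SAN formatting.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    $cn  = $Cert.GetNameInfo('SimpleName', $false)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($san) {
        $sanNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    return ($cn -eq $Name) -or ($sanNames -contains $Name)
}

# 1 The installer stored the machine FQDN in SSLCertPsgSni; it must equal the
#   external name, which may differ (for example behind a load balancer).
$sni = (Get-ItemProperty -Path $TeradiciKey -ErrorAction Stop).SSLCertPsgSni
if ($sni -cne $ExternalName) {
    Write-Warning "SSLCertPsgSni is '$sni'; setting it to '$ExternalName'"
    Set-ItemProperty -Path $TeradiciKey -Name SSLCertPsgSni -Value $ExternalName
}

# 2 Import into LocalMachine\My with an exportable private key and set the
#   friendly name. Sharing the server certificate means no import and name vdm.
if ($FriendlyName -cne 'vdm') {
    $pfxPassword = Read-Host -AsSecureString "Password for $PfxPath"
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                                  -Password $pfxPassword -Exportable
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
    $cert.FriendlyName = $FriendlyName   # persisted to the store; must match the registry exactly
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -ceq 'vdm' } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with friendly name 'vdm' in LocalMachine\My" }
}

# Prerequisites from the document: validity window, key length, name match.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is outside its validity period' }
if ($cert.PublicKey.Key.KeySize -lt 1024) { throw 'Key is shorter than 1024 bits' }   # 2048 is current practice
if (-not (Test-NameMatchesCertificate -Cert $cert -Name $ExternalName)) {
    throw "'$ExternalName' is neither the subject CN nor a SAN of the certificate"
}

# 3 Tell the PSG which friendly name to look for (REG_SZ, case sensitive).
New-ItemProperty -Path $TeradiciKey -Name SSLCertWinCertFriendlyName -PropertyType String `
                 -Value $FriendlyName -Force | Out-Null

# 4 Optional: stop presenting the legacy certificate. Only Horizon Client 2.0,
#   Horizon Client 5.2 for Windows and later can connect afterwards.
if ($DisableLegacyCertificate) {
    New-ItemProperty -Path $TeradiciKey -Name SSLCertPresentLegacyCertificate -PropertyType String `
                     -Value '0' -Force | Out-Null
}

Restart-Service -DisplayName 'VMware Horizon View PCoIP Secure Gateway'
'PSG configured: name {0}, friendly name {1}, thumbprint {2}' -f $ExternalName, $FriendlyName, $cert.Thumbprint
```

After the restart, connect to port 4172 with a TLS client that sends $ExternalName as the server name and confirm the thumbprint printed at the end is the one presented; a scanner that still sees the self-signed certificate is usually using a different host name than SSLCertPsgSni, or is a legacy client case, which the optional step addresses.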

Setting View Administrator to Trust a vCenter Server or View Composer Certificate

In the View Administrator dashboard, you can configure View to trust a vCenter Server or View Composer certificate that is untrusted.
VMware strongly recommends that you configure vCenter Server and View Composer to use SSL certificates that are signed by a CA. Alternatively, you can accept the thumbprint of the default certificate for vCenter Server or View Composer.
Similarly, VMware recommends that you configure SAML 2.0 authenticators to use SSL certificates that are signed by a CA. Alternatively, in the View Administrator dashboard you can configure View to trust an untrusted SAML 2.0 server certificate by accepting the thumbprint of the default certificate.

Benefits of Using SSL Certificates Signed by a CA

A CA is a trusted third party that vouches for the binding between a certificate's public key and the identity of its subject. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration.
You can request an SSL server certificate that is specific to a Web domain such as www.mycorp.com, or you can request a wildcard SSL server certificate that can be used throughout a domain such as *.mycorp.com. To simplify administration, you might choose to request a wildcard certificate if you need to install the certificate on multiple servers or in different subdomains.
Typically, domain-specific certificates are used in secure installations, and CAs usually guarantee more protection against losses for domain-specific certificates than for wildcard certificates. If you use a wildcard certificate that is shared with other services, the security of the VMware Horizon product also depends on the security of those other services: a compromise of the private key on any one of them exposes every host that uses the certificate. If you use a wildcard certificate, you must ensure that the private key is transferable between servers.
When you replace the default certificate with your own certificate, clients use your certificate to authenticate the server. If your certificate is signed by a CA, the certificate for the CA itself is typically embedded in the browser or is located in a trusted database that the client can access. With RSA key exchange, after a client accepts the certificate it sends the server a secret encrypted with the public key contained in the certificate; with ephemeral Diffie-Hellman cipher suites, the certificate's key instead signs the server's key-exchange parameters. In either case the resulting session keys are used to encrypt traffic between the client and the server.

Troubleshooting Certificate Issues on View Connection Server and Security Server

Certificate issues on a View server prevent you from connecting to View Administrator or cause a red health indicator to be displayed for a server.
Problem
You cannot connect to View Administrator on the View Connection Server instance with the problem. When you connect to View Administrator on another View Connection Server instance in the same pod, you see that the dashboard health indicator is red for the problem View Connection Server instance.
From the other View Connection Server instance, clicking the red health indicator displays SSL Certificate: Invalid and Status: (blank), indicating that a valid certificate could not be found. The View log file contains a log entry of type ERROR with the following error text: No qualifying certificates in keystore.
The View log data is located in C:\ProgramData\VMware\VDM\logs\log-*.txt on the View Connection Server instance.
Cause
A certificate might not be installed successfully on a View server for any of the following reasons:
■ The certificate is not in the Personal folder in the Windows local computer certificate store.
■ The certificate store does not have a private key for the certificate.
■ The certificate does not have a friendly name of vdm.
■ The certificate was generated from a v3 certificate template, for a Windows Server 2008 or later server. View cannot detect a private key, but if you use the Certificate snap-in to examine the Windows certificate store, the store indicates that there is a private key.
Solution
■ Verify that the certificate is imported into the Personal folder in the Windows local computer certificate store. See “Import a Signed Server Certificate into a Windows Certificate Store,” on page 82.
■ Verify that the certificate contains a private key. See “Import a Signed Server Certificate into a Windows Certificate Store,” on page 82.
■ Verify that the certificate has a friendly name of vdm. See “Modify the Certificate Friendly Name,” on page 83.
■ If the certificate was generated from a v3 certificate template, obtain a valid, signed certificate from a CA that does not use a v3 template. See “Obtaining a Signed SSL Certificate from a CA,” on page 80.
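The checks in the Solution list, run as one PowerShell function on the affected server. This is an added example and not VMware's own tooling: the log path, the error text, the Personal store and the friendly name vdm are the document's; the test for the v3-template case is the editor's inference from the symptom described (the snap-in shows a private key that View cannot use), namely that the key is held by a CNG Key Storage Provider rather than a legacy CryptoAPI provider, which certutil reports as the Provider line.

```powershell
# Added example, not part of the VMware document: check a Connection Server or
# security server for each cause listed above and pull the matching log entry.
function Test-ViewServerCertificate {
    $results = @()

    # Symptom: ERROR "No qualifying certificates in keystore" in the View log.
    $hit = Get-ChildItem 'C:\ProgramData\VMware\VDM\logs\log-*.txt' -ErrorAction SilentlyContinue |
           Select-String -Pattern 'No qualifying certificates in keystore' |
           Select-Object -Last 1
    if ($hit) { Write-Warning "$($hit.Filename):$($hit.LineNumber): $($hit.Line.Trim())" }

    # Cause 1: not in the Personal (My) folder. Look in the other stores so a
    # misplaced certificate is reported rather than just 'not found'.
    $inMy = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -ceq 'vdm' })
    if ($inMy.Count -eq 0) {
        Get-ChildItem Cert:\LocalMachine -Recurse |
            Where-Object { -not $_.PSIsContainer -and $_.FriendlyName -ceq 'vdm' } |
            ForEach-Object { Write-Warning "Friendly name vdm found outside Personal: $($_.PSParentPath)" }
        # Cause 3: the intended certificate may be in Personal under another name.
        Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
            ForEach-Object { Write-Warning "Candidate not named vdm: '$($_.FriendlyName)' $($_.Subject)" }
    }
    if ($inMy.Count -gt 1) { Write-Warning 'More than one certificate is named vdm; check which one View picks up' }

    foreach ($c in $inMy) {
        $issues = @()
        # Cause 2: no private key in the store.
        if (-not $c.HasPrivateKey) { $issues += 'no private key' }
        # Cause 4 (editor's inference): key held by a CNG Key Storage Provider,
        # which is what a v3 template issues, rather than a legacy CryptoAPI CSP.
        $detail = (certutil -store My $c.Thumbprint 2>$null) -join "`n"
        if ($detail -match 'Provider\s*=\s*(.+)') {
            $provider = $Matches[1].Trim()
            if ($provider -match 'Key Storage Provider') {
                $issues += "CNG key ($provider): re-issue from a template that is not v3"
            }
        }
        $results += [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey
            Issues        = ($issues -join '; ')
        }
    }
    $results
}

Test-ViewServerCertificate | Format-Table -AutoSize
```

A healthy server prints one row with HasPrivateKey True and an empty Issues column and no warnings; each warning or issue maps to one of the four solution items above.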

Configuring View for the First Time 9

After you install the View server software and configure SSL certificates for the servers, you must take a few additional steps to set up a working View environment.
You configure user accounts for vCenter Server and View Composer, install a View license key, add vCenter Server and View Composer to your View environment, configure the PCoIP Secure Gateway and secure tunnel, and, optionally, size Windows Server settings to support your View environment.
This chapter includes the following topics:
■ “Configuring User Accounts for vCenter Server and View Composer,” on page 95
■ “Configuring View Connection Server for the First Time,” on page 98
■ “Configuring Horizon Client Connections,” on page 109
■ “Replacing Default Ports for View Services,” on page 115
■ “Sizing Windows Server Settings to Support Your Deployment,” on page 120

Configuring User Accounts for vCenter Server and View Composer

To use vCenter Server with View, you must configure a user account with appropriate vCenter Server privileges. You can create a vCenter Server role with the appropriate privileges and assign that role to the vCenter Server user account.
If you install View Composer on a different machine than vCenter Server, you also must create a user account in Active Directory that View can use to authenticate to the View Composer service on the standalone machine.
If you use View Composer, you must create a third user account in Active Directory that allows View Composer to perform certain operations in Active Directory. View Composer requires this account to join linked-clone virtual machines to your Active Directory domain. See “Create a User Account for View Composer AD Operations,” on page 30.
To summarize, when you configure View for the first time, you provide these user accounts in View Administrator:
■ The vCenter Server user allows View and View Composer to perform operations in vCenter Server.
■ The standalone View Composer Server user allows View to authenticate to the View Composer service on a standalone machine.
If you install View Composer on the same machine as vCenter Server, the vCenter Server user performs both of the preceding functions, and you do not use a standalone View Composer Server user.
■ The View Composer user for AD operations allows View Composer to perform certain operations in Active Directory.

Where to Use the vCenter Server User and View Composer Users

After you create and configure these user accounts, you specify the user names in View Administrator.
■ You specify a vCenter Server user when you add vCenter Server to View.
■ You specify a standalone View Composer Server user when you configure View Composer settings and select Standalone View Composer Server.
■ You specify a View Composer user for AD operations when you configure View Composer domains.
■ You specify the View Composer user for AD operations when you create linked-clone pools.

Configure a vCenter Server User for View and View Composer

To configure a user account that allows View to perform operations in vCenter Server, you must assign a vCenter Server role with appropriate privileges to that user.
The list of privileges that you must add to the vCenter Server role varies, depending on whether you use View with or without View Composer. The View Composer service performs operations in vCenter Server that require privileges in addition to the base privileges.
If you install View Composer on the same machine as vCenter Server, you must make the vCenter Server user a local system administrator on the vCenter Server machine. This requirement allows View to authenticate to the View Composer service.
If you install View Composer on a different machine than vCenter Server, you do not have to make the vCenter Server user a local administrator on the vCenter Server machine. However, you do have to create a standalone View Composer Server user account that must be a local administrator on the View Composer machine.
Prerequisites
■ In Active Directory, create a user in the View Connection Server domain or a trusted domain. See “Creating a User Account for vCenter Server,” on page 29.
■ Familiarize yourself with the vCenter Server privileges that are required for the user account. See “Privileges Required for the vCenter Server User,” on page 97.
■ If you use View Composer, familiarize yourself with the additional required privileges. See “View Composer Privileges Required for the vCenter Server User,” on page 98.
Procedure
1 In vCenter Server, prepare a role with the required privileges for the user.
■ You can use the predefined Administrator role in vCenter Server. This role can perform all operations in vCenter Server.
■ If you use View Composer, you can create a limited role with the minimum privileges needed by View Connection Server and View Composer to perform vCenter Server operations.
In vSphere Client, click Home > Roles > Add Role, enter a role name such as View Composer Administrator, and select privileges for the role.
This role must have all the privileges that both View Connection Server and View Composer need to operate in vCenter Server.
■ If you use View without View Composer, you can create an even more limited role with the minimum privileges needed by View Connection Server to perform vCenter Server operations.
In vSphere Client, click Home > Roles > Add Role, enter a role name such as View Manager Administrator, and select privileges for the role.
2 In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add Permission, and add the vCenter Server user.
NOTE You must define the vCenter Server user at the vCenter Server level.
3 From the drop-down menu, select the Administrator role, or the View Composer or View Manager role that you created, and assign it to the vCenter Server user.
4 If you install View Composer on the same machine as vCenter Server, add the vCenter Server user account as a member of the local system Administrators group on the vCenter Server machine.
This step is not required if you install View Composer on a different machine than vCenter Server.
What to do next
In View Administrator, when you add vCenter Server to View, specify the vCenter Server user. See “Add
vCenter Server Instances to View,” on page 100.

Privileges Required for the vCenter Server User

The vCenter Server user must have sufficient vCenter Server privileges to enable View to perform operations in vCenter Server. Create a View Manager role for the vCenter Server user with the required privileges.
Table 9-1. Privileges Required for the View Manager Role

Privilege Group          Privileges to Enable
Folder                   Create Folder
                         Delete Folder
Datastore                Allocate space
Virtual Machine          In Configuration:
                         - Add or remove device
                         - Advanced
                         - Modify device settings
                         In Interaction:
                         - Power Off
                         - Power On
                         - Reset
                         - Suspend
                         In Inventory:
                         - Create new
                         - Create from existing
                         - Remove
                         In Provisioning:
                         - Customize
                         - Deploy template
                         - Read customization specifications
Resource                 Assign virtual machine to resource pool
Global                   Act as vCenter Server
The following Host privilege is required to implement View Storage Accelerator, which enables ESXi host caching. If you do not use View Storage Accelerator, the vCenter Server user does not need this privilege.
Host                     In Configuration:
                         - Advanced settings
Profile Driven Storage   (all) If you are using Virtual SAN datastores or Virtual Volumes

View Composer Privileges Required for the vCenter Server User

To support View Composer, the vCenter Server user must have privileges in addition to those required to support View. Create a View Composer role for the vCenter Server user with the View Manager privileges and these additional privileges.
Table 9-2. View Composer Privileges

Privilege Group          Privileges to Enable
Datastore                Allocate space
                         Browse datastore
                         Low level file operations
Virtual machine          Inventory (all)
                         Configuration (all)
                         Snapshot management (all)
                         In Provisioning:
                         - Clone virtual machine
                         - Allow disk access
Resource                 Assign virtual machine to resource pool
                         The following privilege is required to perform View Composer rebalance operations.
                         Migrate powered off virtual machine
Global                   Enable methods
                         Disable methods
                         System tag
                         The following privilege is required to implement View Storage Accelerator, which enables ESXi host caching. If you do not use View Storage Accelerator, the vCenter Server user does not need this privilege.
                         Act as vCenter Server
Network                  (all)
Profile Driven Storage   (all) If you are using Virtual SAN datastores or Virtual Volumes
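The role procedure above and the two privilege tables describe a least-privilege role for the View service account, but nothing on the page shows how to check an existing assignment against them. The following Python script is an added example, not VMware code or a VMware tool: it encodes Table 9-1 and Table 9-2 as sets of privilege display names, derives the minimum set for a given combination of optional features (View Composer, rebalance, View Storage Accelerator, Virtual SAN or Virtual Volumes), and reports what a permission record is missing, what it has in excess, and whether it is defined at the vCenter Server level as the NOTE in step 2 requires. The Deployment flags, the Permission record and the sample service account are constructed for illustration; the privilege strings are the tables' own display names, not vSphere API privilege identifiers.

```python
"""Audit a vCenter permission for the View service account against the
privilege sets in Table 9-1 and Table 9-2 of this chapter.

Added example, not VMware code. Privilege names are the tables' display
names; Deployment, Permission and the sample data are constructed.
"""
from dataclasses import dataclass

# Table 9-1: privileges every View Manager role needs.
VIEW_MANAGER = frozenset({
    "Folder > Create Folder",
    "Folder > Delete Folder",
    "Datastore > Allocate space",
    "Virtual Machine > Configuration > Add or remove device",
    "Virtual Machine > Configuration > Advanced",
    "Virtual Machine > Configuration > Modify device settings",
    "Virtual Machine > Interaction > Power Off",
    "Virtual Machine > Interaction > Power On",
    "Virtual Machine > Interaction > Reset",
    "Virtual Machine > Interaction > Suspend",
    "Virtual Machine > Inventory > Create new",
    "Virtual Machine > Inventory > Create from existing",
    "Virtual Machine > Inventory > Remove",
    "Virtual Machine > Provisioning > Customize",
    "Virtual Machine > Provisioning > Deploy template",
    "Virtual Machine > Provisioning > Read customization specifications",
    "Resource > Assign virtual machine to resource pool",
    "Global > Act as vCenter Server",
})

# Table 9-2: additional privileges when View Composer is in use. "Allocate
# space" and "Act as vCenter Server" appear in both tables; the set union
# below deduplicates them.
VIEW_COMPOSER = frozenset({
    "Datastore > Allocate space",
    "Datastore > Browse datastore",
    "Datastore > Low level file operations",
    "Virtual Machine > Inventory (all)",
    "Virtual Machine > Configuration (all)",
    "Virtual Machine > Snapshot management (all)",
    "Virtual Machine > Provisioning > Clone virtual machine",
    "Virtual Machine > Provisioning > Allow disk access",
    "Global > Enable methods",
    "Global > Disable methods",
    "Global > System tag",
    "Global > Act as vCenter Server",
    "Network (all)",
})

# Privileges the tables mark as conditional on a feature being used.
COMPOSER_REBALANCE = frozenset({"Resource > Migrate powered off virtual machine"})
STORAGE_ACCELERATOR = frozenset({"Host > Configuration > Advanced settings"})
PROFILE_DRIVEN_STORAGE = frozenset({"Profile Driven Storage (all)"})


@dataclass(frozen=True)
class Deployment:
    """Which optional View features are in use (constructed flags)."""
    view_composer: bool = False
    composer_rebalance: bool = False
    storage_accelerator: bool = False
    virtual_san_or_vvol: bool = False


def required_privileges(dep: Deployment) -> frozenset:
    """Minimum privilege set for the vCenter Server user of this deployment."""
    needed = set(VIEW_MANAGER)
    if dep.view_composer:
        needed |= VIEW_COMPOSER
        if dep.composer_rebalance:
            needed |= COMPOSER_REBALANCE
    if dep.storage_accelerator:
        needed |= STORAGE_ACCELERATOR
    if dep.virtual_san_or_vvol:
        needed |= PROFILE_DRIVEN_STORAGE
    return frozenset(needed)


@dataclass(frozen=True)
class Permission:
    """A vCenter permission assignment (constructed record, not API output)."""
    principal: str
    role: str
    entity: str            # inventory object the permission is defined on
    privileges: frozenset  # privileges granted by the assigned role


def audit_permission(perm: Permission, dep: Deployment) -> dict:
    # "missing" breaks View operations; "excess" violates least privilege;
    # the permission must be defined at the vCenter Server level (step 2).
    required = required_privileges(dep)
    return {
        "at_vcenter_level": perm.entity == "vCenter Server",
        "missing": sorted(required - perm.privileges),
        "excess": sorted(perm.privileges - required),
    }


# Constructed sample: the role lacks one required privilege, carries one the
# deployment does not use, and is defined below the vCenter root.
SAMPLE_PERMISSION = Permission(
    principal="EXAMPLE\\svc-view",
    role="View Manager Administrator",
    entity="Datacenter01",
    privileges=(VIEW_MANAGER - {"Virtual Machine > Interaction > Suspend"})
    | STORAGE_ACCELERATOR,
)

if __name__ == "__main__":
    for key, value in audit_permission(SAMPLE_PERMISSION, Deployment()).items():
        print(f"{key}: {value}")
```

Run against the sample, the report flags the missing Suspend privilege, the unneeded Host privilege, and the fact that the permission is not defined at the vCenter Server level. Feeding the script real data means exporting the role's privilege list and the permission's entity from vSphere Client and translating the display names, which is deliberately left outside this example.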

Configuring View Connection Server for the First Time

After you install View Connection Server, you must install a product license and add vCenter Server instances and View Composer services to View. You can also allow ESXi hosts to reclaim disk space on linked-clone virtual machines and configure ESXi hosts to cache virtual machine disk data.
If you install security servers, they are added to View and appear in View Administrator automatically.

View Administrator and View Connection Server

View Administrator provides a management interface for View.
Depending on your View deployment, you use one or more View Administrator interfaces.
- Use one View Administrator interface to manage the View components that are associated with a single, standalone View Connection Server instance or a group of replicated View Connection Server instances.
  You can use the host name or IP address of any replicated instance to log in to View Administrator.
- You must use a separate View Administrator interface to manage the View components for each single, standalone View Connection Server instance and each group of replicated View Connection Server instances.
You also use View Administrator to manage security servers associated with View Connection Server. Each security server is associated with one View Connection Server instance.
NOTE If you use Access Point appliances rather than security servers, you must use the Access Point REST API to manage the Access Point appliances. For more information, see Deploying and Configuring Access Point.

Log In to View Administrator

To perform initial configuration tasks, you must log in to View Administrator.
Prerequisites
Verify that you are using a Web browser supported by View Administrator. See “View Administrator Requirements,” on page 9.
Procedure
1 Open your Web browser and enter the following URL, where server is the host name of the View Connection Server instance.
https://server/admin
NOTE You can use the IP address if you have to access a View Connection Server instance when the host name is not resolvable. However, the host that you contact will not match the SSL certificate that is configured for the View Connection Server instance, resulting in blocked access or access with reduced security.
Your access to View Administrator depends on the type of certificate that is configured on the View Connection Server computer.
If you open your Web browser on the View Connection Server host, use https://127.0.0.1 to connect, not https://localhost. This method improves security by avoiding potential DNS attacks on the localhost resolution.

Option                                                                                   Description
You configured a certificate signed by a CA for View Connection Server.                  When you first connect, your Web browser displays View Administrator.
The default, self-signed certificate supplied with View Connection Server is configured.  When you first connect, your Web browser might display a page warning that the security certificate associated with the address is not issued by a trusted certificate authority. Click Ignore to continue using the current SSL certificate.

2 Log in as a user with credentials to access the View Administrators account.
You specify the View Administrators account when you install a standalone View Connection Server instance or the first View Connection Server instance in a replicated group. The View Administrators account can be the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer or a domain user or group account.
After you log in to View Administrator, you can use View Configuration > Administrators to change the list of users and groups that have the View Administrators role.

Install the Product License Key

Before you can use View Connection Server, you must enter a product license key.
The first time you log in, View Administrator displays the Product Licensing and Usage page.
After you install the license key, View Administrator displays the dashboard page when you log in.
You do not have to configure a license key when you install a replicated View Connection Server instance or a security server. Replicated instances and security servers use the common license key stored in the View LDAP configuration.
NOTE View Connection Server requires a valid license key. Starting with the release of View 4.0, the product license key is a 25-character key.
Procedure
1 In View Administrator, select View Configuration > Product Licensing and Usage.
2 In the Licensing panel, click Edit License.
3 Enter the license serial number and click OK.
4 Verify the license expiration date.
5 Verify that the Desktop, Application Remoting, and View Composer licenses are enabled or disabled, based on the edition of VMware Horizon that your product license entitles you to use.
Not all features and capabilities of VMware Horizon 6 are available in all editions. For a comparison of feature sets in each edition, see http://www.vmware.com/files/pdf/products/horizon-view/VMware-Horizon-View-Pricing-Licensing-FAQ.pdf.

Add vCenter Server Instances to View

You must configure View to connect to the vCenter Server instances in your View deployment. vCenter Server creates and manages the virtual machines that View uses in desktop pools.
If you run vCenter Server instances in a Linked Mode group, you must add each vCenter Server instance to View separately.
View connects to the vCenter Server instance using a secure channel (SSL).
Prerequisites
- Install the View Connection Server product license key.
- Prepare a vCenter Server user with permission to perform the operations in vCenter Server that are necessary to support View. To use View Composer, you must give the user additional privileges. See “Configure a vCenter Server User for View and View Composer,” on page 96.
- Verify that a TLS/SSL server certificate is installed on the vCenter Server host. In a production environment, install a valid certificate that is signed by a trusted Certificate Authority (CA).