View Installation
Modified for Horizon 7 7.3.2
VMware Horizon 7 7.3
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2011–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents

View Installation

1 System Requirements for Server Components
    Horizon Connection Server Requirements
    View Administrator Requirements
    View Composer Requirements

2 System Requirements for Guest Operating Systems
    Supported Operating Systems for Horizon Agent
    Supported Operating Systems for Standalone Horizon Persona Management
    Remote Display Protocol and Software Support

3 Installing Horizon 7 in an IPv6 Environment
    Setting Up Horizon 7 in an IPv6 Environment
    Supported vSphere, Database, and Active Directory Versions in an IPv6 Environment
    Supported Operating Systems for Horizon 7 Servers in an IPv6 Environment
    Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment
    Supported Clients in an IPv6 Environment
    Supported Remoting Protocols in an IPv6 Environment
    Supported Authentication Types in an IPv6 Environment
    Other Supported Features in an IPv6 Environment

4 Installing Horizon 7 in FIPS Mode
    Overview of Setting Up Horizon 7 in FIPS Mode
    System Requirements for FIPS Mode

5 Preparing Active Directory
    Configuring Domains and Trust Relationships
    Creating an OU for Remote Desktops
    Creating OUs and Groups for Kiosk Mode Client Accounts
    Creating Groups for Users
    Creating a User Account for vCenter Server
    Creating a User Account for a Standalone View Composer Server
    Create a User Account for View Composer AD Operations
    Create a User Account for Instant-Clone Operations
    Configure the Restricted Groups Policy
    Using Horizon 7 Group Policy Administrative Template Files
    Prepare Active Directory for Smart Card Authentication
    Disable Weak Ciphers in SSL/TLS

6 Installing View Composer
    Prepare a View Composer Database
    Configuring an SSL Certificate for View Composer
    Install the View Composer Service
    Enable TLSv1.0 on vCenter and ESXi Connections from View Composer
    Configuring Your Infrastructure for View Composer

7 Installing Horizon Connection Server
    Installing the Horizon Connection Server Software
    Installation Prerequisites for Horizon Connection Server
    Install Horizon Connection Server with a New Configuration
    Install a Replicated Instance of Horizon Connection Server
    Configure a Security Server Pairing Password
    Install a Security Server
    Firewall Rules for Horizon Connection Server
    Reinstall Horizon Connection Server with a Backup Configuration
    Microsoft Windows Installer Command-Line Options
    Uninstalling Horizon 7 Components Silently by Using MSI Command-Line Options

8 Configuring SSL Certificates for Horizon 7 Servers
    Understanding SSL Certificates for Horizon 7 Servers
    Overview of Tasks for Setting Up SSL Certificates
    Obtaining a Signed SSL Certificate from a CA
    Configure Horizon Connection Server, Security Server, or View Composer to Use a New SSL Certificate
    Configure Client Endpoints to Trust Root and Intermediate Certificates
    Configuring Certificate Revocation Checking on Server Certificates
    Configure the PCoIP Secure Gateway to Use a New SSL Certificate
    Setting Horizon Administrator to Trust a vCenter Server or View Composer Certificate
    Benefits of Using SSL Certificates Signed by a CA
    Troubleshooting Certificate Issues on Horizon Connection Server and Security Server

9 Configuring Horizon 7 for the First Time
    Configuring User Accounts for vCenter Server, View Composer, and Instant Clones
    Configuring Horizon Connection Server for the First Time
    Configuring Horizon Client Connections
    Replacing Default Ports for Horizon 7 Services
    Sizing Windows Server Settings to Support Your Deployment

10 Configuring Event Reporting
    Add a Database and Database User for Horizon 7 Events
    Prepare an SQL Server Database for Event Reporting
    Configure the Event Database
    Configure Event Logging for Syslog Servers

View Installation
View Installation explains how to install the VMware Horizon® 7 server and client components.
Intended Audience
This information is intended for anyone who wants to install VMware Horizon 7. The information is written
for experienced Windows or Linux system administrators who are familiar with virtual machine technology
and datacenter operations.
1 System Requirements for Server Components
Hosts that run Horizon 7 server components must meet specific hardware and software requirements.
This section includes the following topics:
- Horizon Connection Server Requirements
- View Administrator Requirements
- View Composer Requirements
Horizon Connection Server Requirements
Horizon Connection Server acts as a broker for client connections by authenticating and then directing
incoming user requests to the appropriate remote desktops and applications. Horizon Connection Server
has specific hardware, operating system, installation, and supporting software requirements.
- Hardware Requirements for Horizon Connection Server
  You must install all Horizon Connection Server installation types, including standard, replica, security
  server, and enrollment server installations, on a dedicated physical or virtual machine that meets
  specific hardware requirements.
- Supported Operating Systems for Horizon Connection Server
  You must install Horizon Connection Server on a supported Windows Server operating system.
- Virtualization Software Requirements for Horizon Connection Server
  Horizon Connection Server requires certain versions of VMware virtualization software.
- Network Requirements for Replicated Horizon Connection Server Instances
  When installing replicated Horizon Connection Server instances, you must usually configure the
  instances in the same physical location and connect them over a high-performance LAN. Otherwise,
  latency issues could cause the View LDAP configurations on Horizon Connection Server instances
  to become inconsistent. A user could be denied access when connecting to a Horizon Connection
  Server instance with an out-of-date configuration.
Hardware Requirements for Horizon Connection Server
You must install all Horizon Connection Server installation types, including standard, replica, security
server, and enrollment server installations, on a dedicated physical or virtual machine that meets specific
hardware requirements.
Table 1‑1. Horizon Connection Server Hardware Requirements
Hardware Component | Required | Recommended
-------------------|----------|------------
Processor | Pentium IV 2.0GHz processor or higher | 4 CPUs
Network Adapter | 100Mbps NIC | 1Gbps NICs
Memory, Windows Server 2008 R2 64-bit | 4GB RAM or higher | At least 10GB RAM for deployments of 50 or more remote desktops
Memory, Windows Server 2012 R2 64-bit | 4GB RAM or higher | At least 10GB RAM for deployments of 50 or more remote desktops
These requirements also apply to replica and security server Horizon Connection Server instances that
you install for high availability or external access.
Important The physical or virtual machine that hosts Horizon Connection Server must have an IP
address that does not change. In an IPv4 environment, configure a static IP address. In an IPv6
environment, machines automatically get IP addresses that do not change.
Supported Operating Systems for Horizon Connection Server
You must install Horizon Connection Server on a supported Windows Server operating system.
The following operating systems support all Horizon Connection Server installation types, including
standard, replica, and security server installations.
Table 1‑2. Operating System Support for Horizon Connection Server
Operating System | Version | Edition
-----------------|---------|--------
Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise, Datacenter
Windows Server 2012 R2 | 64-bit | Standard, Datacenter
Windows Server 2016 | 64-bit | Standard, Datacenter
Note Windows Server 2008 R2 with no service pack is no longer supported.
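
The requirements in Tables 1‑1 and 1‑2 and the static IP address note can be checked on a candidate host before installation. The following script is an added example, not VMware code; the function names are hypothetical, and it assumes Windows PowerShell run locally on the host.

```powershell
# Added example (not VMware code). Thresholds and OS names come from
# Tables 1-1 and 1-2 above. Function names are hypothetical.
function New-CheckResult {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail } |
        Select-Object Check, Pass, Detail
}

function Test-ConnectionServerHost {
    # Get-WmiObject is used so the check also runs on Windows Server 2008 R2 SP1.
    $os   = Get-WmiObject -Class Win32_OperatingSystem
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')

    # Table 1-2: supported OS and edition. Windows Server 2008 R2 needs SP1.
    $osOk = $false
    if ($os.Caption -match 'Windows Server 2008 R2 (Standard|Enterprise|Datacenter)') {
        $osOk = $os.ServicePackMajorVersion -ge 1
    } elseif ($os.Caption -match 'Windows Server (2012 R2|2016) (Standard|Datacenter)') {
        $osOk = $true
    }
    $is64 = $os.OSArchitecture -match '64'

    # Table 1-1: 4GB RAM required, 10GB recommended for 50 or more remote desktops.
    # Rounded because the reported figure is slightly below the installed size.
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)
    $cpus  = $cs.NumberOfLogicalProcessors

    # Static IP note: in an IPv4 environment, no IP-enabled adapter should
    # take its address from DHCP.
    $dhcpNics   = @($nics | Where-Object { $_.DHCPEnabled })
    $dhcpDetail = ($dhcpNics | ForEach-Object { $_.Description }) -join '; '

    New-CheckResult 'Supported 64-bit OS (Table 1-2)' ($osOk -and $is64) $os.Caption
    New-CheckResult 'RAM required: 4GB or higher' ($ramGB -ge 4) "$ramGB GB"
    New-CheckResult 'RAM recommended for 50+ desktops: 10GB' ($ramGB -ge 10) "$ramGB GB"
    New-CheckResult 'CPUs recommended: 4' ($cpus -ge 4) "$cpus logical processors"
    New-CheckResult 'Static IPv4 address (DHCP off)' ($dhcpNics.Count -eq 0) $dhcpDetail
}

Test-ConnectionServerHost | Format-Table -AutoSize
```

A failed "recommended" row is advisory; the OS, required RAM and static address rows correspond to requirements stated above.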
Virtualization Software Requirements for Horizon Connection Server
Horizon Connection Server requires certain versions of VMware virtualization software.
If you are using vSphere, you must use a supported version of vSphere ESX/ESXi hosts and vCenter
Server.
For details about which versions of Horizon are compatible with which versions of vCenter Server and
ESXi, see the VMware Product Interoperability Matrix at
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Network Requirements for Replicated Horizon Connection Server Instances
When installing replicated Horizon Connection Server instances, you must usually configure the instances
in the same physical location and connect them over a high-performance LAN. Otherwise, latency issues
could cause the View LDAP configurations on Horizon Connection Server instances to become
inconsistent. A user could be denied access when connecting to a Horizon Connection Server instance
with an out-of-date configuration.
Important To use a group of replicated Connection Server instances across a WAN, MAN (metropolitan
area network), or other non-LAN, in scenarios where a Horizon deployment needs to span datacenters,
you must use the Cloud Pod Architecture feature. You can link together 25 pods to provide a single large
desktop brokering and management environment for five geographically distant sites and provide
desktops and applications for up to 50,000 sessions. For more information, see the Administering Cloud
Pod Architecture in Horizon 7 document.
View Administrator Requirements
Administrators use View Administrator to configure View Connection Server, deploy and manage remote
desktops and applications, control user authentication, initiate and examine system events, and carry out
analytical activities. Client systems that run View Administrator must meet certain requirements.
View Administrator is a Web-based application that is installed when you install View Connection Server.
You can access and use View Administrator with the following Web browsers:
- Internet Explorer 9 (not recommended)
- Internet Explorer 10
- Internet Explorer 11
- Firefox (latest supported versions)
- Chrome (latest supported versions)
- Safari 6 and later releases
- Microsoft Edge (Windows 10)
To use View Administrator with your Web browser, you must install Adobe Flash Player 10.1 or later. Your
client system must have access to the Internet to allow Adobe Flash Player to be installed.
The computer on which you launch View Administrator must trust the root and intermediate certificates of
the server that hosts View Connection Server. The supported browsers already contain certificates for all
of the well-known certificate authorities (CAs). If your certificates come from a CA that is not well known,
you must follow the instructions in Configure Client Endpoints to Trust Root and Intermediate Certificates.
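
Whether an administrator workstation already trusts the certificate chain presented by View Connection Server can be checked before opening View Administrator. The following script is an added example, not VMware code; the function name and the host name cs01.example.com are hypothetical, and it assumes Windows PowerShell 5.1 and a server that accepts TLS 1.2.

```powershell
# Added example (not VMware code). Test-ServerCertificateTrust and the host
# name cs01.example.com are hypothetical. Assumes Windows PowerShell 5.1.
function Test-ServerCertificateTrust {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,
        [int]$Port = 443
    )

    $script:observed = $null
    # The callback records what Windows concluded about the chain the server
    # sent. It returns $true only so the handshake completes and the result
    # can be reported; no application data is sent on this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:observed = New-Object PSObject -Property @{
            PolicyErrors = $sslPolicyErrors
            Chain        = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
            ChainStatus  = @($chain.ChainStatus  | ForEach-Object { $_.Status })
        }
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            # Assumption: the server accepts TLS 1.2. Revocation is not checked here.
            $ssl.AuthenticateAsClient($ServerName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Close()
    }

    # PolicyErrors values:
    #   None                          - chain builds to a trusted root and the name matches
    #   RemoteCertificateChainErrors  - root or intermediate CA is not trusted on this machine
    #   RemoteCertificateNameMismatch - certificate name differs from $ServerName
    $errors = $script:observed.PolicyErrors
    New-Object PSObject -Property @{
        Server       = "${ServerName}:$Port"
        Trusted      = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
        PolicyErrors = $errors
        Chain        = $script:observed.Chain -join '  <-  '
        ChainStatus  = $script:observed.ChainStatus -join ', '
    } | Select-Object Server, Trusted, PolicyErrors, Chain, ChainStatus
}

Test-ServerCertificateTrust -ServerName 'cs01.example.com' | Format-List
```

The result reflects the Windows certificate store, which Internet Explorer, Edge and Chrome use on Windows; Firefox keeps its own store and has to be checked separately.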
To display text properly, View Administrator requires Microsoft-specific fonts. If your Web browser runs on
a non-Windows operating system such as Linux, UNIX, or Mac, make sure that Microsoft-specific fonts
are installed on your computer.
Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from
independent Web sites.
View Composer Requirements
With View Composer, you can deploy multiple linked-clone desktops from a single centralized base
image. View Composer has specific installation and storage requirements.
- Supported Operating Systems for View Composer
  View Composer supports 64-bit operating systems with specific requirements and limitations. You
  can install View Composer on the same physical or virtual machine as vCenter Server or on a
  separate server.
- Hardware Requirements for Standalone View Composer
  If you install View Composer on a different physical or virtual machine from the one used for
  vCenter Server, you must use a dedicated machine that meets specific hardware requirements.
- Database Requirements for View Composer and the Events Database
  View Composer requires an SQL database to store data. The View Composer database must reside
  on, or be available to, the View Composer server host. You can optionally set up an Events
  database to record information from View Connection Server about View events.
Supported Operating Systems for View Composer
View Composer supports 64-bit operating systems with specific requirements and limitations. You can
install View Composer on the same physical or virtual machine as vCenter Server or on a separate
server.
Table 1‑3. Operating System Support for View Composer
Operating System | Version | Edition
-----------------|---------|--------
Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise, Datacenter
Windows Server 2012 R2 | 64-bit | Standard, Datacenter
Windows Server 2016 | 64-bit | Standard, Datacenter
Note Windows Server 2008 R2 with no service pack is no longer supported.
If you plan to install View Composer on a different physical or virtual machine than vCenter Server, see
Hardware Requirements for Standalone View Composer.
Hardware Requirements for Standalone View Composer
If you install View Composer on a different physical or virtual machine from the one used for
vCenter Server, you must use a dedicated machine that meets specific hardware requirements.
A standalone View Composer installation works with vCenter Server installed on a separate Windows
Server machine or with the Linux-based vCenter Server appliance. VMware recommends having a
one-to-one mapping between each View Composer service and vCenter Server instance.
Table 1‑4. View Composer Hardware Requirements
Hardware Component | Required | Recommended
-------------------|----------|------------
Processor | 1.4 GHz or faster Intel 64 or AMD 64 processor with 2 CPUs | 2GHz or faster and 4 CPUs
Networking | One or more 10/100Mbps network interface cards (NICs) | 1Gbps NICs
Memory | 4GB RAM or higher | 8GB RAM or higher for deployments of 50 or more remote desktops
Disk space | 40GB | 60GB
Important The physical or virtual machine that hosts View Composer must have an IP address that
does not change. In an IPv4 environment, configure a static IP address. In an IPv6 environment,
machines automatically get IP addresses that do not change.
Database Requirements for View Composer and the Events Database
View Composer requires an SQL database to store data. The View Composer database must reside on,
or be available to, the View Composer server host. You can optionally set up an Events database to
record information from View Connection Server about View events.
If a database server instance already exists for vCenter Server, View Composer can use that existing
instance if it is a version listed in the VMware Product Interoperability Matrixes at
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php. If a database server instance
does not already exist, you must install one.
View Composer supports a subset of the database servers that vCenter Server supports. If you are
already using vCenter Server with a database server that is not supported by View Composer, continue to
use that database server for vCenter Server and install a separate database server to use for View
Composer.
Important If you create the View Composer database on the same SQL Server instance as
vCenter Server, do not overwrite the vCenter Server database.
For the most up-to-date information about supported databases, see the VMware Product Interoperability
Matrixes at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php. For
Solution/Database Interoperability, after you select the product and version, for the Add Database step,
to see a list of all supported databases, select Any and click Add.
2 System Requirements for Guest Operating Systems
Systems running Horizon Agent or Standalone View Persona Management must meet certain hardware
and software requirements.
This section includes the following topics:
- Supported Operating Systems for Horizon Agent
- Supported Operating Systems for Standalone Horizon Persona Management
- Remote Display Protocol and Software Support
Supported Operating Systems for Horizon Agent
The Horizon Agent component (called View Agent in previous releases) assists with session
management, single sign-on, device redirection, and other features. You must install Horizon Agent on all
virtual machines, physical systems, and RDS hosts.
The types and editions of the supported guest operating system depend on the Windows version. For
updates to the list of supported Windows 10 operating systems, see the VMware Knowledge Base (KB)
article http://kb.vmware.com/kb/2149393. For Windows operating systems other than Windows 10, see
the VMware Knowledge Base (KB) article http://kb.vmware.com/kb/2150295.
To see a list of specific remote experience features supported on Windows operating systems where
Horizon Agent is installed, see the VMware Knowledge Base (KB) article
http://kb.vmware.com/kb/2150305.
To use the Horizon Persona Management setup option with Horizon Agent, you must install Horizon
Agent on Windows 10, Windows 8, Windows 8.1, Windows 7, Windows Server 2012 R2, Windows Server
2008 R2, or Windows Server 2016 virtual machines. This option does not operate on physical computers
or RDS hosts.
You can install the standalone version of Horizon Persona Management on physical computers. See
Supported Operating Systems for Standalone Horizon Persona Management.
Note To use the VMware Blast display protocol, you must install Horizon Agent on a single-session
virtual machine or on an RDS host. The RDS host can be a physical machine or a virtual machine. The
VMware Blast display protocol does not operate on a single-user physical computer.
For enhanced security, VMware recommends configuring cipher suites to remove known vulnerabilities.
For instructions on how to set up a domain policy on cipher suites for Windows machines that run View
Composer or Horizon Agent, see Disable Weak Ciphers in SSL/TLS.
Supported Operating Systems for Standalone Horizon Persona Management
The standalone Horizon Persona Management software provides persona management for standalone
physical computers and virtual machines that do not have Horizon Agent installed. When users log in,
their profiles are downloaded dynamically from a remote profile repository to their standalone systems.
Note To configure Persona Management for Horizon desktops, install Horizon Agent with the Persona
Management setup option. The standalone Persona Management software is intended for non-Horizon
systems only.
To see a list of operating systems supported for the standalone Horizon Persona Management software,
see the VMware Knowledge Base (KB) article http://kb.vmware.com/kb/2150295.
The standalone Persona Management software is not supported on Microsoft Remote Desktop Services.
Remote Display Protocol and Software Support
Remote display protocols and software provide access to remote desktops and applications. The remote
display protocol used depends on the type of client device, whether you are connecting to a remote
desktop or a remote application, and how the administrator configures the desktop or application pool.
- PCoIP
  PCoIP (PC over IP) provides an optimized desktop experience for the delivery of a remote
  application or an entire remote desktop environment, including applications, images, audio, and
  video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate for
  an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive
  regardless of network conditions.
- Microsoft RDP
  Remote Desktop Protocol is the same multichannel protocol many people already use to access
  their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses
  RDP to transmit data.
- VMware Blast Extreme
  Optimized for the mobile cloud, VMware Blast Extreme supports the broadest range of client devices
  that are H.264 capable. Of the display protocols, VMware Blast offers the lowest CPU consumption
  for longer battery life on mobile devices. VMware Blast Extreme can compensate for an increase in
  latency or a reduction in bandwidth and can leverage both TCP and UDP network transports.
PCoIP
PCoIP (PC over IP) provides an optimized desktop experience for the delivery of a remote application or
an entire remote desktop environment, including applications, images, audio, and video content for a wide
range of users on the LAN or across the WAN. PCoIP can compensate for an increase in latency or a
reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
The PCoIP display protocol can be used for remote applications and for remote desktops that use virtual
machines, physical machines that contain Teradici host cards, or shared session desktops on an RDS
host.
PCoIP Features
Key features of PCoIP include the following:
- Users outside the corporate firewall can use this protocol with your company's virtual private network
  (VPN), or users can make secure, encrypted connections to a security server or Access Point
  appliance in the corporate DMZ.
- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You
  can, however, change the encryption key cipher to AES-256.
- Connections to Windows desktops with the Horizon Agent operating system versions listed in
  Supported Operating Systems for Horizon Agent are supported.
- Connections from all types of client devices.
- Optimization controls for reducing bandwidth usage on the LAN and WAN.
- 32-bit color is supported for virtual displays.
- ClearType fonts are supported.
- Audio redirection with dynamic audio quality adjustment for LAN and WAN.
- Real-Time Audio-Video for using webcams and microphones on some client types.
- Copy and paste of text and, on some clients, images between the client operating system and a
  remote application or desktop. For other client types, only copy and paste of plain text is supported.
  You cannot copy and paste system objects such as folders and files between systems.
- Multiple monitors are supported for some client types. On some clients, you can use up to 4 monitors
  with a resolution of up to 2560 x 1600 per display or up to 3 monitors with a resolution of 4K (3840 x
  2160) for Windows 7 remote desktops with Aero disabled. Pivot display and autofit are also
  supported.
  When the 3D feature is enabled, up to 2 monitors are supported with a resolution of up to 1920 x
  1200, or one monitor with a resolution of 4K (3840 x 2160).
- USB redirection is supported for some client types.
- MMR redirection is supported for some Windows client operating systems and some remote desktop
  operating systems (with Horizon Agent installed).
For information about which desktop operating systems support specific PCoIP features, see "Feature
Support Matrix for Horizon Agent" in the View Architecture Planning document.
For information about which client devices support specific PCoIP features, go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Recommended Guest Operating System Settings
1GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen mode, or
720p or higher formatted video. To use Virtual Dedicated Graphics Acceleration for graphics-intensive
applications such as CAD applications, 4GB of RAM is required.
Video Quality Requirements
480p-formatted video: You can play video at 480p or lower at native resolutions when the remote
desktop has a single virtual CPU. If you want to play the video in high-definition Flash or in full
screen mode, the desktop requires a dual virtual CPU. Even with a dual virtual CPU desktop, as low
as 360p-formatted video played in full screen mode can lag behind audio, particularly on
Windows clients.
720p-formatted video: You can play video at 720p at native resolutions if the remote desktop has a
dual virtual CPU. Performance might be affected if you play videos at 720p in high definition or in
full screen mode.
1080p-formatted video: If the remote desktop has a dual virtual CPU, you can play 1080p formatted
video, although the media player might need to be adjusted to a smaller window size.
3D rendering: You can configure remote desktops to use software- or hardware-accelerated
graphics. The software-accelerated graphics feature enables you to run DirectX 9 and OpenGL 2.1
applications without requiring a physical graphics processing unit (GPU). The hardware-accelerated
graphics features enable virtual machines to either share the physical GPUs (graphical processing
unit) on a vSphere host or dedicate a physical GPU to a single virtual machine desktop.
For 3D applications, up to 2 monitors are supported, and the maximum screen resolution is
1920 x 1200. The guest operating system on the remote desktops must be Windows 7 or later.
Hardware Requirements for Client Systems
For information about processor and memory requirements, see the "Using VMware Horizon Client"
document for the specific type of desktop or mobile client device. Go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Microsoft RDP
Remote Desktop Protocol is the same multichannel protocol many people already use to access their
work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to
transmit data.
Microsoft RDP is a supported display protocol for remote desktops that use virtual machines, physical
machines, or shared session desktops on an RDS host. (Only the PCoIP display protocol and the
VMware Blast display protocol are supported for remote applications.) Microsoft RDP provides the
following features:
- RDP 7 has true multiple monitor support, for up to 16 monitors.
- You can copy and paste text and system objects such as folders and files between the local system
  and the remote desktop.
- 32-bit color is supported for virtual displays.
- RDP supports 128-bit encryption.
- Users outside the corporate firewall can use this protocol with your company's virtual private network
  (VPN), or users can make secure, encrypted connections to a View security server in the corporate
  DMZ.
To support TLSv1.1 and TLSv1.2 connections to Windows 7 and Windows Server 2008 R2, you must
apply Microsoft hotfix KB3080079.
Hardware Requirements for Client Systems
For information about processor and memory requirements, see the "Using VMware Horizon Client"
document for the specific type of client system. Go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Note Mobile client 3.x devices use only the PCoIP display protocol. Mobile client 4.x clients use only the
PCoIP display protocol or the VMware Blast display protocol.
VMware Blast Extreme
Optimized for the mobile cloud, VMware Blast Extreme supports the broadest range of client devices that
are H.264 capable. Of the display protocols, VMware Blast offers the lowest CPU consumption for longer
battery life on mobile devices. VMware Blast Extreme can compensate for an increase in latency or a
reduction in bandwidth and can leverage both TCP and UDP network transports.
The VMware Blast display protocol can be used for remote applications and for remote desktops that use
virtual machines or shared-session desktops on an RDS host. The RDS host can be a physical machine
or a virtual machine. The VMware Blast display protocol does not operate on a single-user physical
computer.
VMware Blast Extreme Features
Key features of VMware Blast Extreme include the following:
- Users outside the corporate firewall can use this protocol with the corporate virtual private network
  (VPN), or users can make secure, encrypted connections to a security server or Access Point
  appliance in the corporate DMZ.
- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You
  can, however, change the encryption key cipher to AES-256.
- Connections to Windows desktops with the Horizon Agent operating system versions listed in
  Supported Operating Systems for Horizon Agent are supported.
- Connections from all types of client devices.
- Optimization controls for reducing bandwidth usage on the LAN and WAN.
- Performance counters displayed using PerfMon on Windows agents for Blast session, imaging,
  audio, CDR, USB, and virtual printing provide an accurate representation of the current state of the
  system that also updates at a constant rate.
- Network continuity during momentary network loss on Windows clients.
- 32-bit color is supported for virtual displays.
- ClearType fonts are supported.
- Audio redirection with dynamic audio quality adjustment for LAN and WAN.
- Real-Time Audio-Video for using webcams and microphones on some client types.
- Copy and paste of text and, on some clients, images between the client operating system and a
  remote application or desktop. For other client types, only copy and paste of plain text is supported.
  You cannot copy and paste system objects such as folders and files between systems.
- Multiple monitors are supported for some client types. On some clients, you can use up to four
  monitors with a resolution of up to 2560 x 1600 per display or up to three monitors with a resolution of
  4K (3840 x 2160) for Windows 7 remote desktops with Aero disabled. Pivot display and autofit are
  also supported.
  When the 3D feature is enabled, up to two monitors are supported with a resolution of up to 1920 x
  1200, or one monitor with a resolution of 4K (3840 x 2160).
- USB redirection is supported for some client types.
- MMR redirection is supported for some Windows client operating systems and some remote desktop
  operating systems (with Horizon Agent installed).
- Connections to physical machines that have no monitors attached are supported with NVIDIA
  graphics cards. For best performance, use a graphics card that supports H.264 encoding. This is a
  technical preview feature for Horizon 7 version 7.1.
If you have an add-in discrete GPU and an embedded GPU, the operating system might default to the
embedded GPU. To fix this problem, you can disable or remove the device in Device Manager. If the
problem persists, you can install the WDDM graphics driver for the embedded GPU, or disable the
embedded GPU in the system BIOS. Refer to your system documentation on how to disable the
embedded GPU.
Caution Disabling the embedded GPU might cause future loss of access to functionality such as
console access to BIOS setup or NT Boot Loader.
For information about which client devices support specific VMware Blast Extreme features, go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Recommended Guest Operating System Settings
1 GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen mode, or
720p or higher formatted video. To use Virtual Dedicated Graphics Acceleration for graphics-intensive
applications such as CAD applications, 4 GB of RAM is required.
Video Quality Requirements
480p-formatted video: You can play video at 480p or lower at native resolutions when the remote
desktop has a single virtual CPU. If you want to play the video in high-definition Flash or in full
screen mode, the desktop requires a dual virtual CPU. Even with a dual virtual CPU desktop, as low
as 360p-formatted video played in full screen mode can lag behind audio, particularly on
Windows clients.
720p-formatted video: You can play video at 720p at native resolutions if the remote desktop has a
dual virtual CPU. Performance might be affected if you play videos at 720p in high definition or in
full screen mode.
1080p-formatted video: If the remote desktop has a dual virtual CPU, you can play 1080p formatted
video, although the media player might need to be adjusted to a smaller window size.
3D rendering: You can configure remote desktops to use software- or hardware-accelerated
graphics. The software-accelerated graphics feature enables you to run DirectX 9 and OpenGL 2.1
applications without requiring a physical graphics processing unit (GPU). The hardware-accelerated
graphics features enable virtual machines to either share the physical GPUs (graphical processing
unit) on a vSphere host or dedicate a physical GPU to a single virtual desktop.
For 3D applications, up to two monitors are supported, and the maximum screen resolution is
1920 x 1200. The guest operating system on the remote desktops must be Windows 7 or later.
Hardware Requirements for Client Systems
For information about processor and memory requirements, see the "Using VMware Horizon Client"
document for the specific type of desktop or mobile client device. Go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Chapter 3 Installing Horizon 7 in an IPv6 Environment
Horizon 7 supports IPv6 as an alternative to IPv4. The environment must be either IPv6 only or IPv4 only.
Horizon 7 does not support a mixed IPv6 and IPv4 environment.
Not all Horizon 7 features that are supported in an IPv4 environment are supported in an IPv6
environment. Horizon 7 does not support upgrading from an IPv4 environment to an IPv6 environment.
Also, Horizon 7 does not support migration between IPv4 and IPv6 environments.
Important: To run Horizon 7 in an IPv6 environment, you must specify IPv6 when you install all
Horizon 7 components.
This section includes the following topics:
- Setting Up Horizon 7 in an IPv6 Environment
- Supported vSphere, Database, and Active Directory Versions in an IPv6 Environment
- Supported Operating Systems for Horizon 7 Servers in an IPv6 Environment
- Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment
- Supported Clients in an IPv6 Environment
- Supported Remoting Protocols in an IPv6 Environment
- Supported Authentication Types in an IPv6 Environment
- Other Supported Features in an IPv6 Environment
Setting Up Horizon 7 in an IPv6 Environment
To run Horizon 7 in an IPv6 environment, you must be aware of the requirements and choices that are
specific to IPv6 when you perform certain administrative tasks.
Before you install Horizon 7, you must have a working IPv6 environment. The following Horizon 7
administrative tasks have options that are specific to IPv6.
- Installing Horizon Connection Server. See Install Horizon Connection Server with a New
  Configuration.
- Installing View Replica Server. See Install a Replicated Instance of Horizon Connection Server.
- Installing View Security Server. See Install a Security Server.
- Configuring the PCoIP External URL. See Configuring External URLs for Secure Gateway and Tunnel
  Connections.
- Setting the PCoIP External URL. See Set the External URLs for a Horizon Connection Server
  Instance.
- Modifying the PCoIP External URL. See Set the External URLs for a Horizon Connection Server
  Instance.
- Installing Horizon Agent. See the Horizon Agent installation topics in the Setting Up Desktop and
  Application Pools document.
- Installing Horizon Client for Windows. See the VMware Horizon Client for Windows document at
  https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html. Only Windows clients are
  supported.
Note: Horizon 7 does not require you to enter an IPv6 address in any administrative tasks. In cases
where you can specify either a fully qualified domain name (FQDN) or an IPv6 address, it is highly
recommended that you specify an FQDN to avoid potential errors.
Supported vSphere, Database, and Active Directory Versions in an IPv6 Environment
In an IPv6 environment, Horizon 7 supports specific vSphere, database server, and Active Directory
versions.
The following vSphere versions are supported in an IPv6 environment.
- 6.5
- 6.0
- 5.5 U2
The following database servers are supported in an IPv6 environment.
Database Server          Version     Edition
SQL Server 2014 SP2      32/64-bit   Standard, Enterprise
SQL Server 2012 SP1      32/64-bit   Standard, Enterprise
SQL Server 2012 Express  32/64-bit   Free
Oracle 11g R2            32/64-bit   Standard, Standard Edition One, Enterprise
The following Active Directory versions are supported in an IPv6 environment.
- Microsoft Active Directory 2008 R2
- Microsoft Active Directory 2012 R2
Supported Operating Systems for Horizon 7 Servers in an IPv6 Environment
In an IPv6 environment, you must install Horizon 7 servers on specific Windows Server operating
systems.
Horizon 7 servers include Connection Server instances, replica servers, security servers, and View
Composer instances.
Operating System             Edition
Windows Server 2016          Standard, Enterprise
Windows Server 2008 R2 SP1   Standard, Enterprise
Windows Server 2012 R2       Standard
Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment
In an IPv6 environment, Horizon 7 supports specific Windows operating systems for desktop machines
and RDS hosts. RDS hosts provide session-based desktops and applications to users.
The types and editions of the supported guest operating system depend on the Windows version. For
updates to the list of supported Windows 10 operating systems, see the VMware Knowledge Base (KB)
article http://kb.vmware.com/kb/2149393. For Windows operating systems other than Windows 10, see
the VMware Knowledge Base (KB) article http://kb.vmware.com/kb/2150295.
To see a list of specific remote experience features supported on Windows operating systems where
Horizon Agent is installed, see the VMware Knowledge Base (KB) article
http://kb.vmware.com/kb/2150305.
Supported Clients in an IPv6 Environment
In an IPv6 environment, Horizon 7 supports clients that run on specific desktop operating systems.
Table 3‑1. Supported Windows Operating Systems
Operating System   Version     Edition
Windows 7          32/64-bit   Home, Professional, Enterprise, Ultimate
Windows 7 SP1      32/64-bit   Home, Professional, Enterprise, Ultimate
Windows 8          32/64-bit   Enterprise, Professional
Windows 8.1        32/64-bit   Enterprise, Professional
Windows 10         32/64-bit   Enterprise, Professional
On iOS devices, iOS 9.2 or later is supported with Horizon Client 4.1 or later.
The following types of clients are not supported.
- Clients that run on Mac, Android, Linux, or Windows Store
- iOS 9.1 or earlier
- PCoIP Zero Client
Supported Remoting Protocols in an IPv6 Environment
In an IPv6 environment, Horizon 7 supports specific remoting protocols.
The following remoting protocols are supported:
- RDP
- RDP with Secure Tunnel
- PCoIP
- PCoIP through PCoIP Secure Gateway
- VMware Blast
- VMware Blast through Blast Secure Gateway
Supported Authentication Types in an IPv6 Environment
In an IPv6 environment, Horizon 7 supports specific authentication types.
The following authentication types are supported:
- Password authentication using Active Directory
- Smart Card
- Single Sign-On
The following authentication types are not supported:
- SecurID
- RADIUS
- SAML
Other Supported Features in an IPv6 Environment
In an IPv6 environment, Horizon 7 supports certain features that are not covered in previous topics.
The following features are supported:
- Application pools
- Audio-out
- Automated desktop pools of full virtual machines or View Composer linked clones
  Note: Automated desktop pools of instant clones are not supported.
- Customer Experience Improvement Program (CEIP)
- Disk space reclamation
- Events
- LDAP backup
- Manual desktop pools, including vCenter Server virtual machines, physical computers, and virtual
  machines not managed by vCenter Server
- Native NFS snapshots (VAAI)
- PCoIP
- PCoIP smart card
- Persona Management
- PSG
- RDS desktop pools
- RDS Host 3D
- Role-based administration
- Single Sign-on, including the Log in as current user feature
- System health dashboard
- ThinApp
- Unity touch
- USB
- USB redirection
- View Composer Agent
- View Storage Accelerator
- View Composer database backup
- Virtual printing
- VMware audio
- VMware video
The following features are not supported:
- Blast UDP
- Client drive redirection
- Client IP Transparency (only 64-bit)
- Cloud Pod Architecture
- Flash URL redirection
- HTML access
- Log Insight
- Lync
- Multimedia redirection (MMR)
- Real-time audio-video (RTAV)
- Scanner redirection
- Serial port redirection
- Syslog
- Teradici TERA host card
- TSMMR
- Virtual SAN
- Virtual Volumes
- vRealize Operations Desktop Agent
Chapter 4 Installing Horizon 7 in FIPS Mode
Horizon 7 can perform cryptographic operations using FIPS (Federal Information Processing Standard)
140-2 compliant algorithms. You can enable the use of these algorithms by installing Horizon 7 in FIPS
mode.
Not all Horizon 7 features are supported in FIPS mode. Also, Horizon 7 does not support upgrading from
a non-FIPS installation to a FIPS installation.
Note: To ensure that Horizon 7 runs in FIPS mode, you must enable FIPS when you install all
Horizon 7 components.
This section includes the following topics:
- Overview of Setting Up Horizon 7 in FIPS Mode
- System Requirements for FIPS Mode
Overview of Setting Up Horizon 7 in FIPS Mode
To set up Horizon 7 in FIPS mode, you must first enable FIPS mode in the Windows environment. Then
you install all the Horizon 7 components in FIPS mode.
The option to install Horizon 7 in FIPS mode is available only if FIPS mode is enabled in the Windows
environment. For more information about enabling FIPS mode in Windows, see
https://support.microsoft.com/en-us/kb/811833.
Note: Horizon Administrator does not indicate whether Horizon 7 is running in FIPS mode.
To install Horizon 7 in FIPS mode, perform the following administrative tasks.
- When installing Connection Server, select the FIPS mode option. See Install Horizon Connection
  Server with a New Configuration.
- When installing View Replica Server, select the FIPS mode option. See Install a Replicated Instance
  of Horizon Connection Server.
- Before installing a security server, deselect the global setting Use IPSec for Security Server
  Connections in Horizon Administrator and configure IPsec manually. See
  http://kb.vmware.com/kb/2000175.
- When installing View Security Server, select the FIPS mode option. See Install a Security Server.
- Disable weak ciphers for View Composer and Horizon Agent machines. See Disable Weak Ciphers in
  SSL/TLS.
- When installing View Composer, select the FIPS mode option. See Chapter 6 Installing View
  Composer.
- When installing Horizon Agent, select the FIPS mode option. See the Horizon Agent installation
  topics in the Setting Up Virtual Desktops in Horizon 7 or Setting Up Published Desktops and
  Applications in Horizon 7 document.
- For Windows clients, enable FIPS mode in the client operating system and select the FIPS mode
  option when installing Horizon Client for Windows. See the VMware Horizon Client for Windows
  Installation and Setup Guide document.
- For Linux clients, enable FIPS mode in the client operating system. See the VMware Horizon Client
  for Linux Installation and Setup Guide document.
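A prerequisite check for the tasks above, as an added example that is not VMware code: because the FIPS installer option appears only when Windows FIPS mode is enabled, and Horizon Administrator does not report FIPS status, the script reads the Windows FIPS policy value and any explicit TLS 1.2 override on each machine before installation. The host names are placeholders, and PowerShell remoting (WinRM) to each host is assumed.

```powershell
# Added example, not part of the VMware documentation.
# Assumptions: the host names are placeholders; WinRM remoting is enabled on each host.
$HorizonHosts = @(
    'cs01.example.test',        # Connection Server
    'cs02.example.test',        # replica server
    'composer01.example.test',  # View Composer
    'gold-agent.example.test'   # Horizon Agent master image
)

# Script block that runs on each remote host.
$probe = {
    # Registry value behind the Windows policy "System cryptography: Use FIPS compliant
    # algorithms for encryption, hashing, and signing".
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue

    # FIPS mode requires TLSv1.2, so report any explicit SChannel override that turns it off.
    # An absent key means the operating system default applies.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $tlsOff = foreach ($role in 'Client', 'Server') {
        $p = Get-ItemProperty -Path "$tlsKey\$role" -ErrorAction SilentlyContinue
        if ($p -and ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1)) { $role }
    }

    [pscustomobject]@{
        FipsPolicyEnabled = ($null -ne $fips -and $fips.Enabled -eq 1)
        Tls12DisabledFor  = @($tlsOff) -join ','
    }
}

# Query every host; an unreachable host is reported, not silently skipped.
$report = foreach ($h in $HorizonHosts) {
    try {
        $r = Invoke-Command -ComputerName $h -ScriptBlock $probe -ErrorAction Stop
        [pscustomobject]@{
            Machine           = $h
            FipsPolicyEnabled = $r.FipsPolicyEnabled
            Tls12DisabledFor  = $r.Tls12DisabledFor
            Error             = $null
        }
    } catch {
        [pscustomobject]@{
            Machine           = $h
            FipsPolicyEnabled = $null
            Tls12DisabledFor  = $null
            Error             = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# Any machine listed here would not offer, or could not honor, the FIPS mode option.
$blocked = @($report | Where-Object {
    $_.Error -or -not $_.FipsPolicyEnabled -or $_.Tls12DisabledFor
})
if ($blocked.Count -gt 0) {
    Write-Warning ("Not ready for a FIPS-mode install: " + ($blocked.Machine -join ', '))
}
```

The result shows only the Windows prerequisite; it does not show whether a Horizon 7 component was itself installed with the FIPS mode option.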
System Requirements for FIPS Mode
To support FIPS mode, your Horizon 7 deployment must meet the following requirements.
vSphere
    - vCenter Server 6.0 or later
    - ESXi 6.0 or later
Remote desktop
    - Any Windows platform that has a FIPS certificate. For information, see
      "FIPS 140 Validation" on the Microsoft TechNet website.
    - View Agent 6.2 or later or Horizon Agent 7.0 or later, for Windows
      platforms only
Horizon Client
    - Any Windows platform that has a FIPS certificate. For information, see
      "FIPS 140 Validation" on the Microsoft TechNet website.
    - Horizon Client for Windows 3.5 or later
Cryptographic protocol
    - TLSv1.2
Chapter 5 Preparing Active Directory
Horizon 7 uses your existing Microsoft Active Directory infrastructure for user authentication and
management. You must perform certain tasks to prepare Active Directory for use with Horizon 7.
Horizon 7 supports the following Active Directory Domain Services (AD DS) domain functional levels:
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
This section includes the following topics:
- Configuring Domains and Trust Relationships
- Creating an OU for Remote Desktops
- Creating OUs and Groups for Kiosk Mode Client Accounts
- Creating Groups for Users
- Creating a User Account for vCenter Server
- Creating a User Account for a Standalone View Composer Server
- Create a User Account for View Composer AD Operations
- Create a User Account for Instant-Clone Operations
- Configure the Restricted Groups Policy
- Using Horizon 7 Group Policy Administrative Template Files
- Prepare Active Directory for Smart Card Authentication
- Disable Weak Ciphers in SSL/TLS
Configuring Domains and Trust Relationships
You must join each Connection Server host to an Active Directory domain. The host must not be a
domain controller.
Active Directory also manages the Horizon Agent machines, including single-user machines and RDS
hosts, and the users and groups in your Horizon 7 deployment. You can entitle users and groups to
remote desktops and applications, and you can select users and groups to be administrators in View
Administrator.
You can place Horizon Agent machines, View Composer servers, and users and groups, in the following
Active Directory domains:
- The Connection Server domain
- A different domain that has a two-way trust relationship with the Connection Server domain
- A domain in a different forest than the Connection Server domain that is trusted by the Connection
  Server domain in a one-way external or realm trust relationship
- A domain in a different forest than the Connection Server domain that is trusted by the Connection
  Server domain in a one-way or two-way transitive forest trust relationship
Users are authenticated using Active Directory against the Connection Server domain and any additional
user domains with which a trust agreement exists.
If your users and groups are in one-way trusted domains, you must provide secondary credentials for the
administrator users in Horizon Administrator. Administrators must have secondary credentials to give
them access to the one-way trusted domains. A one-way trusted domain can be an external domain or a
domain in a transitive forest trust.
Secondary credentials are required only for Horizon Administrator sessions, not for end users' desktop or
application sessions. Only administrator users require secondary credentials.
You can provide secondary credentials by using the vdmadmin -T command.
- You configure secondary credentials for individual administrator users.
- For a forest trust, you can configure secondary credentials for the forest root domain. Connection
  Server can then enumerate the child domains in the forest trust.
For details, see "Providing Secondary Credentials for Administrators Using the -T Option" in the View
Administration document.
Note: Because security servers do not access any authentication repositories, including Active
Directory, they do not need to reside in an Active Directory domain.
Trust Relationships and Domain Filtering
To determine which domains it can access, a Connection Server instance traverses trust relationships
beginning with its own domain.
For a small, well-connected set of domains, Connection Server can quickly determine the full list of
domains, but the time that it takes increases as the number of domains increases or as the connectivity
between the domains decreases. The list might also include domains that you would prefer not to offer to
users when they connect to their remote desktops and applications.
You can use the vdmadmin command to configure domain filtering to limit the domains that a Connection
Server instance searches and that it displays to users. See the View Administration document for more
information.
If a forest trust is configured with name suffix exclusions, the configured exclusions are used to filter the
list of forest child domains. Name suffix exclusion filtering is applied in addition to the filtering that is
specified with the vdmadmin command.
Creating an OU for Remote Desktops
You should create an organizational unit (OU) specifically for your remote desktops. An OU is a
subdivision in Active Directory that contains users, groups, computers, or other OUs.
To prevent group policy settings from being applied to other Windows servers or workstations in the same
domain as your desktops, you can create a GPO for your Horizon 7 group policies and link it to the OU
that contains your remote desktops. You can also delegate control of the OU to subordinate groups, such
as server operators or individual users.
If you use View Composer, you should create a separate Active Directory container for linked-clone
desktops that is based on the OU for your remote desktops. Administrators that have OU administrator
privileges in Active Directory can provision linked-clone desktops without domain administrator privileges.
If you change administrator credentials in Active Directory, you must also update the credential
information in View Composer.
Creating OUs and Groups for Kiosk Mode Client Accounts
A client in kiosk mode is a thin client or a locked-down PC that runs the client software to connect to a
Connection Server instance and launch a remote desktop session. If you configure clients in kiosk mode,
you should create dedicated OUs and groups in Active Directory for kiosk mode client accounts.
Creating dedicated OUs and groups for kiosk mode client accounts partitions client systems against
unwarranted intrusion and simplifies client configuration and administration.
See the View Administration document for more information.
Creating Groups for Users
You should create groups for different types of users in Active Directory. For example, you can create a
group called Horizon 7 Users for your end users and another group called Horizon 7 Administrators for
users that will administer remote desktops and applications.
Creating a User Account for vCenter Server
You must create a user account in Active Directory to use with vCenter Server. You specify this user
account when you add a vCenter Server instance in Horizon Administrator.
You must give the user account privileges to perform certain operations in vCenter Server. You can create
a vCenter Server role with the appropriate privileges and assign the role to the vCenter Server user. The
list of privileges you add to the vCenter Server role varies, depending on whether you use Horizon 7 with
or without View Composer. See Configuring User Accounts for vCenter Server, View Composer, and
Instant Clones for information on configuring these privileges.
If you install View Composer on the same machine as vCenter Server, you must add the vCenter Server
user to the local Administrators group on the vCenter Server machine. This requirement allows View to
authenticate to the View Composer service.
If you install View Composer on a different machine than vCenter Server, you do not have to make the
vCenter Server user a local administrator on the vCenter Server machine. However, you do have to
create a standalone View Composer Server user account that must be a local administrator on the View
Composer machine.
Creating a User Account for a Standalone View Composer Server
If you install View Composer on a different machine than vCenter Server, you must create a domain user
account in Active Directory that Horizon 7 can use to authenticate to the View Composer service on the
standalone machine.
The user account must be in the same domain as your Connection Server host or in a trusted domain.
You must add the user account to the local Administrators group on the standalone View Composer
machine.
You specify this user account when you configure View Composer settings in Horizon Administrator and
select Standalone View Composer Server. See Configure View Composer Settings.
Create a User Account for View Composer AD Operations
If you use View Composer, you must create a user account in Active Directory that allows View Composer
to perform certain operations in Active Directory. View Composer requires this account to join linked-clone
virtual machines to your Active Directory domain.
To ensure security, you should create a separate user account to use with View Composer. By creating a
separate account, you can guarantee that it does not have additional privileges that are defined for
another purpose. You can give the account the minimum privileges that it needs to create and remove
computer objects in a specified Active Directory container. For example, the View Composer account
does not require domain administrator privileges.
Procedure
1 In Active Directory, create a user account in the same domain as your Connection Server host or in a
trusted domain.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties
permissions to the account in the Active Directory container in which the linked-clone computer
accounts are created or to which the linked-clone computer accounts are moved.
The following list shows all the required permissions for the user account, including permissions that
are assigned by default:
- List Contents
- Read All Properties
- Write All Properties
- Read Permissions
- Reset Password
- Create Computer Objects
- Delete Computer Objects
Note: Fewer permissions are required if you select the Allow reuse of pre-existing computer
accounts setting for a desktop pool. Make sure that the following permissions are assigned to the
user account:
- List Contents
- Read All Properties
- Read Permissions
- Reset Password
3 Make sure that the user account's permissions apply to the Active Directory container and to all child
objects of the container.
What to do next
Specify the account in Horizon Administrator when you configure View Composer domains in the Add
vCenter Server wizard and when you configure and deploy linked-clone desktop pools.
Create a User Account for Instant-Clone Operations
Before you deploy instant clones, you must create a user account that has the permission to perform
certain operations in Active Directory.
Select this account when you add an instant-clone domain administrator before deploying instant-clone
desktop pools. For more information, see "Add an Instant-Clone Domain Administrator" in the Setting Up
Virtual Desktops in Horizon 7 document.
Procedure
1 In Active Directory, create a user account in the same domain as the Connection Server or in a
trusted domain.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties
permissions to the account on the container for the instant-clone computer accounts.
The following list shows the required permissions for the user account, including permissions that are
assigned by default:
- List Contents
- Read All Properties
- Write All Properties
- Read Permissions
- Reset Password
- Create Computer Objects
- Delete Computer Objects
Make sure that the permissions apply to the correct container and to all child objects of the container.
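One way to audit the delegation described in the two procedures above (the View Composer AD operations account and the instant-clone account), as an added example that is not VMware code: it reads the ACL on the container, checks each listed permission against the account's direct Allow entries, and flags rights that go beyond the list. The container DN, the account name and the $ReuseAccounts switch are placeholders; the two GUIDs are the standard Active Directory schema identifiers for the computer class and the Reset Password right.

```powershell
# Added example, not part of the VMware documentation. Needs the ActiveDirectory module (RSAT).
# Assumptions: the container DN and account name are placeholders for your own values.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ContainerDn   = 'OU=LinkedClones,OU=RemoteDesktops,DC=example,DC=test'
$Account       = 'EXAMPLE\svc-composer'
$ReuseAccounts = $false   # $true if the pool uses "Allow reuse of pre-existing computer accounts"

$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schema GUID of the computer class
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right
$Any           = [guid]::Empty                                   # ACE not limited to one object type
$R             = [System.DirectoryServices.ActiveDirectoryRights]

# The permission lists from the procedure, expressed as AD access-rule bits.
$required = @(
    @{ Name = 'List Contents';       Right = $R::ListChildren;  Type = $Any }
    @{ Name = 'Read All Properties'; Right = $R::ReadProperty;  Type = $Any }
    @{ Name = 'Read Permissions';    Right = $R::ReadControl;   Type = $Any }
    @{ Name = 'Reset Password';      Right = $R::ExtendedRight; Type = $ResetPassword }
)
if (-not $ReuseAccounts) {
    $required += @(
        @{ Name = 'Write All Properties';    Right = $R::WriteProperty; Type = $Any }
        @{ Name = 'Create Computer Objects'; Right = $R::CreateChild;   Type = $ComputerClass }
        @{ Name = 'Delete Computer Objects'; Right = $R::DeleteChild;   Type = $ComputerClass }
    )
}

# Only ACEs granted directly to the account are examined; rights held through groups are not.
$aces = @((Get-Acl -Path "AD:\$ContainerDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
})

# For each listed permission, find an ACE that grants it with a matching (or unrestricted) scope.
$coverage = foreach ($req in $required) {
    $hit = $aces | Where-Object {
        (([int]$_.ActiveDirectoryRights -band [int]$req.Right) -ne 0) -and
        ($_.ObjectType -eq $Any -or $_.ObjectType -eq $req.Type)
    } | Select-Object -First 1
    [pscustomobject]@{
        Permission     = $req.Name
        Granted        = [bool]$hit
        # 'All' means this object and all descendant objects, as the procedure requires.
        CoversChildren = [bool]($hit -and $hit.InheritanceType -eq 'All')
    }
}

# Bits the procedure allows; ListObject is tolerated because GenericRead includes it.
$allowed = [int]$R::ListObject
foreach ($req in $required) { $allowed = $allowed -bor [int]$req.Right }
$broadBits = [int]$R::CreateChild -bor [int]$R::DeleteChild -bor [int]$R::ExtendedRight

# Flag ACEs that carry other rights, or create/delete/extended rights with no object-type scope.
$excess = foreach ($ace in $aces) {
    $bits     = [int]$ace.ActiveDirectoryRights
    $extra    = $bits -band (-bnot $allowed)
    $unscoped = ($ace.ObjectType -eq $Any) -and (($bits -band $broadBits) -ne 0)
    if ($extra -ne 0 -or $unscoped) {
        [pscustomobject]@{
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }
}

$coverage | Format-Table -AutoSize
if ($excess) {
    Write-Warning "ACEs for $Account grant more than the procedure lists:"
    $excess | Format-Table -AutoSize
}
```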
Configure the Restricted Groups Policy
To be able to connect to a remote desktop, users must belong to the local Remote Desktop Users group
of the remote desktop. You can use the Restricted Groups policy in Active Directory to add users or
groups to the local Remote Desktop Users group of every remote desktop that is joined to your domain.
The Restricted Groups policy sets the local group membership of computers in the domain to match the
membership list settings defined in the Restricted Groups policy. The members of your remote desktop
users group are always added to the local Remote Desktop Users group of every remote desktop that is
joined to your domain. When adding new users, you need only add them to your remote desktop users
group.
Prerequisites
Create a group for remote desktop users in your domain in Active Directory.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.
AD Version        Navigation Path
Windows 2003      a Select Start > All Programs > Administrative Tools > Active Directory
                    Users and Computers.
                  b Right-click your domain and click Properties.
                  c On the Group Policy tab, click Open to open the Group Policy Management
                    plug-in.
                  d Right-click Default Domain Policy, and click Edit.
Windows 2008      a Select Start > Administrative Tools > Group Policy Management.
                  b Expand your domain, right-click Default Domain Policy, and click Edit.
Windows 2012R2    a Select Start > Administrative Tools > Group Policy Management.
                  b Expand your domain, right-click Default Domain Policy, and click Edit.
Windows 2016      a Select Start > Administrative Tools > Group Policy Management.
                  b Expand your domain, right-click Default Domain Policy, and click Edit.
2 Expand the Computer Configuration section and open Windows Settings\Security Settings.
3 Right-click Restricted Groups, select Add Group, and add the Remote Desktop Users group.
4 Right-click the new restricted Remote Desktop Users group and add your remote desktop users
group to the group membership list.
5 Click OK to save your changes.
Using Horizon 7 Group Policy Administrative Template Files
Horizon 7 includes several component-specific group policy administrative (ADMX) template files.
All ADMX files that provide group policy settings for Horizon 7 are available in a bundled .zip file named
VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip, where x.x.x is the version and yyyyyyy is the
build number. You can download the file from the VMware download site at
https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the
VMware Horizon 7 download, which includes the bundled .zip file.
You can optimize and secure remote desktops by adding the policy settings in these files to a new or
existing GPO in Active Directory and then linking that GPO to the OU that contains your desktops.
See the View Administration and Configuring Remote Desktop Features in Horizon 7 documents for
information on using Horizon 7 group policy settings.
Prepare Active Directory for Smart Card Authentication
You might need to perform certain tasks in Active Directory when you implement smart card
authentication.
- Add UPNs for Smart Card Users
  Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of
  users and administrators that use smart cards to authenticate in Horizon 7 must have a valid UPN.
- Add the Root Certificate to Trusted Root Certification Authorities
  If you use a certification authority (CA) to issue smart card login or domain controller certificates, you
  must add the root certificate to the Trusted Root Certification Authorities group policy in Active
  Directory. You do not need to perform this procedure if the Windows domain controller acts as the
  root CA.
- Add an Intermediate Certificate to Intermediate Certification Authorities
  If you use an intermediate certification authority (CA) to issue smart card login or domain controller
  certificates, you must add the intermediate certificate to the Intermediate Certification Authorities
  group policy in Active Directory.
- Add the Root Certificate to the Enterprise NTAuth Store
  If you use a CA to issue smart card login or domain controller certificates, you must add the root
  certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this
  procedure if the Windows domain controller acts as the root CA.
Add UPNs for Smart Card Users
Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users
and administrators that use smart cards to authenticate in Horizon 7 must have a valid UPN.
If the domain a smart card user resides in is different from the domain that your root certificate was issued
from, you must set the user’s UPN to the Subject Alternative Name (SAN) contained in the root certificate
of the trusted CA. If your root certificate was issued from a server in the smart card user's current domain,
you do not need to modify the user's UPN.
Note: You might need to set the UPN for built-in Active Directory accounts, even if the certificate is
issued from the same domain. Built-in accounts, including Administrator, do not have a UPN set by
default.
Prerequisites
- Obtain the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
- If the ADSI Edit utility is not present on your Active Directory server, download and install the
  appropriate Windows Support Tools from the Microsoft Web site.
Procedure
1 On your Active Directory server, start the ADSI Edit utility.
2 In the left pane, expand the domain the user is located in and double-click CN=Users.
3 In the right pane, right-click the user and then click Properties.
4 Double-click the userPrincipalName attribute and type the SAN value of the trusted CA certificate.
5 Click OK to save the attribute setting.
Add the Root Certificate to Trusted Root Certification Authorities
If you use a certification authority (CA) to issue smart card login or domain controller certificates, you
must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory.
You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.
AD Version        Navigation Path
Windows 2003      a Select Start > All Programs > Administrative Tools > Active Directory
                    Users and Computers.
                  b Right-click your domain and click Properties.
                  c On the Group Policy tab, click Open to open the Group Policy Management
                    plug-in.
                  d Right-click Default Domain Policy, and click Edit.
Windows 2008      a Select Start > Administrative Tools > Group Policy Management.
                  b Expand your domain, right-click Default Domain Policy, and click Edit.
Windows 2012R2    a Select Start > Administrative Tools > Group Policy Management.
                  b Expand your domain, right-click Default Domain Policy, and click Edit.
Windows 2016      a Select Start > Administrative Tools > Group Policy Management.
                  b Expand your domain, right-click Default Domain Policy, and click Edit.
2 Expand the Computer Configuration section and open Windows Settings\Security
Settings\Public Key.
3 Right-click Trusted Root Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click
OK.
5 Close the Group Policy window.
All of the systems in the domain now have a copy of the root certificate in their trusted root store.
What to do next
If an intermediate certification authority (CA) issues your smart card login or domain controller certificates,
add the intermediate certificate to the Intermediate Certification Authorities group policy in Active
Directory. See Add an Intermediate Certificate to Intermediate Certification Authorities.
Add an Intermediate Certificate to Intermediate Certification Authorities
If you use an intermediate certification authority (CA) to issue smart card login or domain controller
certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group
policy in Active Directory.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.
Navigation path, by AD version:
Windows 2003:
    a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
    b Right-click your domain and click Properties.
    c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
    d Right-click Default Domain Policy, and click Edit.
Windows 2008:
    a Select Start > Administrative Tools > Group Policy Management.
    b Expand your domain, right-click Default Domain Policy, and click Edit.
Windows 2012R2:
    a Select Start > Administrative Tools > Group Policy Management.
    b Expand your domain, right-click Default Domain Policy, and click Edit.
Windows 2016:
    a Select Start > Administrative Tools > Group Policy Management.
    b Expand your domain, right-click Default Domain Policy, and click Edit.
2 Expand the Computer Configuration section and open the policy for Windows Settings\Security
Settings\Public Key.
3 Right-click Intermediate Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the intermediate certificate (for example,
intermediateCA.cer) and click OK.
5 Close the Group Policy window.
All of the systems in the domain now have a copy of the intermediate certificate in their intermediate
certification authority store.
Add the Root Certificate to the Enterprise NTAuth Store
If you use a CA to issue smart card login or domain controller certificates, you must add the root
certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if
the Windows domain controller acts as the root CA.
Procedure
- On your Active Directory server, use the certutil command to publish the certificate to the
  Enterprise NTAuth store.
  For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA
The CA is now trusted to issue certificates of this type.
Disable Weak Ciphers in SSL/TLS
To achieve greater security, you can configure the domain policy GPO (group policy object) to ensure that
View Composer and Windows-based machines running View Agent or Horizon Agent do not use weak
ciphers when they communicate using the SSL/TLS protocol.
Procedure
1 On the Active Directory server, edit the GPO by selecting Start > Administrative Tools > Group
Policy Management, right-clicking the GPO, and selecting Edit.
2 In the Group Policy Management Editor, navigate to the Computer Configuration > Policies >
Administrative Templates > Network > SSL Configuration Settings.
3 Double-click SSL Cipher Suite Order.
4 In the SSL Cipher Suite Order window, click Enabled.
5 In the Options pane, replace the entire content of the SSL Cipher Suites text box with the following
cipher list:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA
The cipher suites are listed above on separate lines for readability. When you paste the list into the
text box, the cipher suites must be on one line with no spaces after the commas.
6 Exit the Group Policy Management Editor.
7 Restart the View Composer and View Agent or Horizon Agent machines for the new group policy to
take effect.
Chapter 6 Installing View Composer
To use View Composer, you create a View Composer database, install the View Composer service, and
optimize your View infrastructure to support View Composer. You can install the View Composer service
on the same host as vCenter Server or on a separate host.
View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop
pools.
You must have a license to install and use the View Composer feature.
Note Before installing View Composer, verify that you have prepared Active Directory.
This section includes the following topics:
- Prepare a View Composer Database
- Configuring an SSL Certificate for View Composer
- Install the View Composer Service
- Enable TLSv1.0 on vCenter and ESXi Connections from View Composer
- Configuring Your Infrastructure for View Composer
Prepare a View Composer Database
You must create a database and data source name (DSN) to store View Composer data.
The View Composer service does not include a database. If a database instance does not exist in your
network environment, you must install one. After you install a database instance, you add the View
Composer database to the instance.
You can add the View Composer database to the instance on which the vCenter Server database is
located. You can configure the database locally, or remotely, on a network-connected Linux, UNIX, or
Windows Server computer.
The View Composer database stores information about connections and components that are used by
View Composer:
- vCenter Server connections
- Active Directory connections
- Linked-clone desktops that are deployed by View Composer
- Replicas that are created by View Composer
Each instance of the View Composer service must have its own View Composer database. Multiple View
Composer services cannot share a View Composer database.
For a list of supported database versions, see Database Requirements for View Composer and the
Events Database.
To add a View Composer database to an installed database instance, choose one of these procedures.
- Create a SQL Server Database for View Composer
  View Composer can store linked-clone desktop information in a SQL Server database. You create a
  View Composer database by adding it to SQL Server and configuring an ODBC data source for it.
- Create an Oracle Database for View Composer
  View Composer can store linked-clone desktop information in an Oracle 12c or 11g database. You
  create a View Composer database by adding it to an existing Oracle instance and configuring an
  ODBC data source for it. You can add a new View Composer database by using the Oracle
  Database Configuration Assistant or by running a SQL statement.
Create a SQL Server Database for View Composer
View Composer can store linked-clone desktop information in a SQL Server database. You create a View
Composer database by adding it to SQL Server and configuring an ODBC data source for it.
Procedure
1 Add a View Composer Database to SQL Server
You can add a new View Composer database to an existing Microsoft SQL Server instance to store
linked-clone data for View Composer.
2 (Optional) Set SQL Server Database Permissions By Manually Creating Database Roles
By using this recommended method, the View Composer database administrator can set
permissions for View Composer administrators to be granted through Microsoft SQL Server
database roles.
3 Add an ODBC Data Source to SQL Server
After you add a View Composer database to SQL Server, you must configure an ODBC connection
to the new database to make this data source visible to the View Composer service.
Add a View Composer Database to SQL Server
You can add a new View Composer database to an existing Microsoft SQL Server instance to store
linked-clone data for View Composer.
If the database resides locally, on the system on which View Composer will be installed, you can use the
Integrated Windows Authentication security model. If the database resides on a remote system, you
cannot use this method of authentication.
Prerequisites
- Verify that a supported version of SQL Server is installed on the computer on which you will install
  View Composer or in your network environment. For details, see Database Requirements for View
  Composer and the Events Database.
- Verify that you use SQL Server Management Studio to create and administer the database.
  Alternatively, you can use SQL Server Management Studio Express, which you can download and
  install from the following Web site.
  http://www.microsoft.com/en-us/download/details.aspx?id=7593
Procedure
1 On the View Composer computer, select Start > All Programs > Microsoft SQL Server 2014,
Microsoft SQL Server 2012 or Microsoft SQL Server 2008.
2 Select SQL Server Management Studio and connect to the SQL Server instance.
3 In the Object Explorer panel, right-click the Databases entry and select New Database.
You can use the default values for the Initial size and Autogrowth parameters for the database
and log files.
4 In the New Database dialog box, type a name in the Database name text box.
For example: ViewComposer
5 Click OK.
SQL Server Management Studio adds your database to the Databases entry in the Object Explorer
panel.
6 Exit Microsoft SQL Server Management Studio.
What to do next
Optionally, follow the instructions in (Optional) Set SQL Server Database Permissions By Manually
Creating Database Roles.
Follow the instructions in Add an ODBC Data Source to SQL Server.
(Optional) Set SQL Server Database Permissions By Manually Creating Database Roles
By using this recommended method, the View Composer database administrator can set permissions for
View Composer administrators to be granted through Microsoft SQL Server database roles.
VMware recommends this method because it removes the requirement to set up the db_owner role for
View Composer administrators who install and upgrade View Composer.
In this procedure, you can provide your own names for the database login name, user name, and
database roles. The user [vcmpuser] and database roles, VCMP_ADMIN_ROLE and
VCMP_USER_ROLE, are example names. The dbo schema is created when you create the View
Composer database. You must use the dbo schema name.
Prerequisites
- Verify that a View Composer database is created. See Add a View Composer Database to SQL
  Server.
Procedure
1 Log in to a Microsoft SQL Server Management Studio session as the sysadmin (SA) or a user
account with sysadmin privileges.
2 Create a user who will be granted the appropriate SQL Server database permissions.
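-- Create the SQL Server login. The name vcmpuser and its password are example values.
use ViewComposer
go
CREATE LOGIN [vcmpuser] WITH PASSWORD=N'vcmpuser!0', DEFAULT_DATABASE=ViewComposer,
DEFAULT_LANGUAGE=us_english, CHECK_POLICY=OFF
go
-- Map the login to a user in the View Composer database.
CREATE USER [vcmpuser] for LOGIN [vcmpuser]
go
-- Map the same login to a user in the MSDB database.
use MSDB
go
CREATE USER [vcmpuser] for LOGIN [vcmpuser]
go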
3 In the View Composer database, create the database role VCMP_ADMIN_ROLE.
4 In the View Composer database, grant privileges to the VCMP_ADMIN_ROLE.
a Grant the schema permissions ALTER, REFERENCES, and INSERT on the dbo schema.
b Grant the permissions CREATE TABLE, CREATE VIEW, and CREATE PROCEDURES.
5 In the View Composer database, create the VCMP_USER_ROLE.
6 In the View Composer database, grant the schema permissions SELECT, INSERT, DELETE,
UPDATE, and EXECUTE on the dbo schema to the VCMP_USER_ROLE.
7 Grant the VCMP_USER_ROLE to the user [vcmpuser].
8 Grant the VCMP_ADMIN_ROLE to the user [vcmpuser].
9 In the MSDB database, create the database role VCMP_ADMIN_ROLE.
10 Grant privileges to the VCMP_ADMIN_ROLE in MSDB.
a On the MSDB tables syscategories, sysjobsteps, and sysjobs, grant the SELECT
permission to the user [vcmpuser].
b On the MSDB stored procedures sp_add_job, sp_delete_job, sp_add_jobstep,
sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category, grant the
EXECUTE permission to the role VCMP_ADMIN_ROLE.
11 In the MSDB database, grant the VCMP_ADMIN_ROLE to the user [vcmpuser].
12 Create the ODBC DSN using the SQL Server login vcmpuser.
13 Install View Composer.
14 In the MSDB database, revoke the VCMP_ADMIN_ROLE from the user [vcmpuser].
After you revoke the role, you can leave the role as inactive or remove the role for increased security.
For instructions for creating an ODBC DSN, see Add an ODBC Data Source to SQL Server.
For instructions for installing View Composer, see Install the View Composer Service.
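The role setup in steps 3 to 11 and the revocation in step 14, written out as T-SQL. This is an added example, not VMware's script; it uses the guide's sample names (ViewComposer, vcmpuser, VCMP_ADMIN_ROLE, VCMP_USER_ROLE) and assumes sp_addrolemember and sp_droprolemember for role membership so that it also runs on SQL Server 2008.

```sql
-- Added example (not VMware's script). Names are the guide's samples:
-- database ViewComposer, user vcmpuser, roles VCMP_ADMIN_ROLE and VCMP_USER_ROLE.
-- Assumes step 2 has already created the login and both database users.

-- ===== Part 1: run as sysadmin BEFORE installing View Composer (steps 3-11) =====
USE ViewComposer;
GO
-- Step 3: installer/upgrade role in the View Composer database
CREATE ROLE VCMP_ADMIN_ROLE;
GO
-- Step 4a: schema-level permissions on dbo
GRANT ALTER, REFERENCES, INSERT ON SCHEMA::dbo TO VCMP_ADMIN_ROLE;
-- Step 4b: database-level permissions (the T-SQL permission name is CREATE PROCEDURE)
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO VCMP_ADMIN_ROLE;
GO
-- Step 5: day-to-day role used by the running service
CREATE ROLE VCMP_USER_ROLE;
GO
-- Step 6: data access on the dbo schema
GRANT SELECT, INSERT, DELETE, UPDATE, EXECUTE ON SCHEMA::dbo TO VCMP_USER_ROLE;
GO
-- Steps 7 and 8: add the user to both roles
EXEC sp_addrolemember N'VCMP_USER_ROLE', N'vcmpuser';
EXEC sp_addrolemember N'VCMP_ADMIN_ROLE', N'vcmpuser';
GO

USE msdb;
GO
-- Step 9: a role of the same name in MSDB
CREATE ROLE VCMP_ADMIN_ROLE;
GO
-- Step 10a: the guide grants SELECT on these tables to the user, not the role
GRANT SELECT ON dbo.syscategories TO vcmpuser;
GRANT SELECT ON dbo.sysjobsteps   TO vcmpuser;
GRANT SELECT ON dbo.sysjobs       TO vcmpuser;
-- Step 10b: SQL Server Agent job procedures, granted to the role
GRANT EXECUTE ON dbo.sp_add_job         TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_delete_job      TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_add_jobstep     TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_update_job      TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_add_jobserver   TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_add_jobschedule TO VCMP_ADMIN_ROLE;
GRANT EXECUTE ON dbo.sp_add_category    TO VCMP_ADMIN_ROLE;
GO
-- Step 11: add the user to the MSDB role
EXEC sp_addrolemember N'VCMP_ADMIN_ROLE', N'vcmpuser';
GO

-- ===== Part 2: run as a separate script AFTER View Composer is installed (step 13) =====
USE msdb;
GO
-- Step 14: remove the user from the MSDB admin role
EXEC sp_droprolemember N'VCMP_ADMIN_ROLE', N'vcmpuser';
GO
-- Check: list the roles vcmpuser still holds in MSDB.
-- VCMP_ADMIN_ROLE should no longer appear in the result.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'vcmpuser';
GO
```

Running the same membership query in the ViewComposer database shows which of the two roles the account holds there.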
Add an ODBC Data Source to SQL Server
After you add a View Composer database to SQL Server, you must configure an ODBC connection to the
new database to make this data source visible to the View Composer service.
When you configure an ODBC DSN for View Composer, secure the underlying database connection to an
appropriate level for your environment. For information about securing database connections, see the
SQL Server documentation.
If the underlying database connection uses SSL encryption, we recommend that you configure your
database servers with SSL certificates signed by a trusted CA. If you use self-signed certificates, your
database connections might be susceptible to man-in-the-middle attacks.
Prerequisites
Complete the steps described in Add a View Composer Database to SQL Server.
Procedure
1 On the computer on which View Composer will be installed, select Start > Administrative Tools >
Data Source (ODBC).
2 Select the System DSN tab.
3 Click Add and select SQL Native Client from the list.
4 Click Finish.
5 In the Create a New Data Source to SQL Server setup wizard, type a name and description of the
View Composer database.
For example: ViewComposer
6 In the Server text box, type the SQL Server database name.
Use the form host_name\server_name, where host_name is the name of the computer and
server_name is the SQL Server instance.
For example: VCHOST1\VIM_SQLEXP
7 Click Next.
8 Make sure that the Connect to SQL Server to obtain default settings for the additional
configuration options check box is selected and select an authentication option.
Option: Description
Integrate Windows authentication:
    Select this option if you are using a local instance of SQL Server. This option is
    also known as trusted authentication. Integrate Windows authentication is
    supported only if SQL Server is running on the local computer.
SQL Server authentication:
    Select this option if you are using a remote instance of SQL Server. Windows NT
    authentication is not supported on remote SQL Server.
    If you manually set SQL Server database permissions and assigned them to a
    user, authenticate with that user. For example, authenticate with the user
    vcmpuser. If not, authenticate as the sysadmin (SA) or a user account with
    sysadmin privileges.
9 Click Next.
10 Select the Change the default database to check box and select the name of the View Composer
database from the list.
For example: ViewComposer
11 If the SQL Server connection is configured with SSL enabled, navigate to the Microsoft SQL Server
DSN Configuration page and select Use strong encryption for data.
12 Finish and close the Microsoft ODBC Data Source Administrator wizard.
What to do next
Install the new View Composer service. See Install the View Composer Service.
Create an Oracle Database for View Composer
View Composer can store linked-clone desktop information in an Oracle 12c or 11g database. You create
a View Composer database by adding it to an existing Oracle instance and configuring an ODBC data
source for it. You can add a new View Composer database by using the Oracle Database Configuration
Assistant or by running a SQL statement.
- Add a View Composer Database to Oracle 12c or 11g
  You can use the Oracle Database Configuration Assistant to add a new View Composer database to
  an existing Oracle 12c or 11g instance.
- Use a SQL Statement to Add a View Composer Database to an Oracle Instance
- Configure an Oracle Database User for View Composer
  By default, the database user that runs the View Composer database has Oracle system
  administrator permissions. To restrict the security permissions for the user that runs the View
  Composer database, you must configure an Oracle database user with specific permissions.
- Add an ODBC Data Source to Oracle 12c or 11g
  After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an
  ODBC connection to the new database to make this data source visible to the View Composer
  service.
Add a View Composer Database to Oracle 12c or 11g
You can use the Oracle Database Configuration Assistant to add a new View Composer database to an
existing Oracle 12c or 11g instance.
Prerequisites
Verify that a supported version of Oracle 12c or 11g is installed on the local or remote computer. See
Database Requirements for View Composer and the Events Database.
Procedure
1 Start the Database Configuration Assistant on the computer on which you are adding the View
Composer database.
Database Version: Action
Oracle 12c:
    Select Start > All Programs > Oracle-OraDb12c_home > Configuration and
    Migration Tools > Database Configuration Assistant.
Oracle 11g:
    Select Start > All Programs > Oracle-OraDb11g_home > Configuration and
    Migration Tools > Database Configuration Assistant.
2 On the Operations page, select Create a database.
3 On the Database Templates page, select the General Purpose or Transaction Processing
template.
4 On the Database Identification page, type a Global Database Name and an Oracle System Identifier
(SID) prefix.
For simplicity, use the same value for both items.
5 On the Management Options page, click Next to accept the default settings.
6 On the Database Credentials page, select Use the Same Administrative Passwords for All
Accounts and type a password.
7 On the remaining configuration pages, click Next to accept the default settings.
8 On the Creation Options page, verify that Create Database is selected and click Finish.
9 On the Confirmation page, review the options and click OK.
The configuration tool creates the database.
10 On the Database Creation Complete page, click OK.
What to do next
Follow the instructions in Add an ODBC Data Source to Oracle 12c or 11g.
Use a SQL Statement to Add a View Composer Database to an Oracle Instance
When you create the database, you can customize the location of the data and log files.
Prerequisites
The View Composer database must have certain table spaces and privileges. You can use a SQL
statement to create the View Composer database in an Oracle 12c or 11g database instance.
Verify that a supported version of Oracle 12c or 11g is installed on the local or remote computer. For
details, see Database Requirements for View Composer and the Events Database.
Procedure
1 Log in to a SQL*Plus session with the system account.
2 Run the following SQL statement to create the database.
CREATE SMALLFILE TABLESPACE "VCMP" DATAFILE '/u01/app/oracle/oradata/vcdb/vcmp01.dbf'
SIZE 512M AUTOEXTEND ON NEXT 10M MAXSIZE UNLIMITED LOGGING EXTENT MANAGEMENT LOCAL SEGMENT
SPACE MANAGEMENT AUTO;
In this example, VCMP is the sample name of the View Composer database and vcmp01.dbf is the
name of the database file.
For a Windows installation, use Windows conventions in the directory path to the vcmp01.dbf file.
What to do next
If you want to run the View Composer database with specific security permissions, follow the instructions
in Configure an Oracle Database User for View Composer.
Follow the instructions in Add an ODBC Data Source to Oracle 12c or 11g.
Configure an Oracle Database User for View Composer
By default, the database user that runs the View Composer database has Oracle system administrator
permissions. To restrict the security permissions for the user that runs the View Composer database, you
must configure an Oracle database user with specific permissions.
Prerequisites
Verify that a View Composer database was created in an Oracle 12c or 11g instance.
Procedure
1 Log in to a SQL*Plus session with the system account.
2 Run the following SQL command to create a View Composer database user with the correct
permissions.
CREATE USER "VCMPADMIN" PROFILE "DEFAULT" IDENTIFIED BY "oracle" DEFAULT TABLESPACE
"VCMP" ACCOUNT UNLOCK;
grant connect to VCMPADMIN;
grant resource to VCMPADMIN;
grant create view to VCMPADMIN;
grant create sequence to VCMPADMIN;
grant create table to VCMPADMIN;
grant create materialized view to VCMPADMIN;
grant execute on dbms_lock to VCMPADMIN;
grant execute on dbms_job to VCMPADMIN;
grant unlimited tablespace to VCMPADMIN;
In this example, the user name is VCMPADMIN and the View Composer database name is VCMP.
By default the resource role has the create procedure, create table, and create sequence
privileges assigned. If the resource role does not have these privileges, explicitly grant them to the
View Composer database user.
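One way to carry out the check described above, as an added example that is not part of the VMware guide: a SQL*Plus script that tests whether the RESOURCE role carries each of the three privileges and grants any missing one directly to the user. It assumes the guide's sample user name VCMPADMIN and a session logged in with the system account.

```sql
-- Added example (not from the VMware guide). VCMPADMIN is the guide's sample user.
-- Run in SQL*Plus with the system account, after the CREATE USER and GRANT statements.
SET SERVEROUTPUT ON

DECLARE
  TYPE priv_list IS TABLE OF VARCHAR2(40);
  -- The three privileges the guide expects the RESOURCE role to supply
  required priv_list := priv_list('CREATE PROCEDURE', 'CREATE TABLE', 'CREATE SEQUENCE');
  n NUMBER;
BEGIN
  FOR i IN 1 .. required.COUNT LOOP
    SELECT COUNT(*)
      INTO n
      FROM dba_sys_privs
     WHERE grantee = 'RESOURCE'
       AND privilege = required(i);

    IF n = 0 THEN
      -- RESOURCE does not carry this privilege here: grant it to the user explicitly
      EXECUTE IMMEDIATE 'GRANT ' || required(i) || ' TO VCMPADMIN';
      DBMS_OUTPUT.PUT_LINE('Granted directly to VCMPADMIN: ' || required(i));
    ELSE
      DBMS_OUTPUT.PUT_LINE('Supplied by RESOURCE role:     ' || required(i));
    END IF;
  END LOOP;
END;
/

-- Review what the account ends up with: direct system privileges,
-- granted roles, and object privileges (dbms_lock, dbms_job).
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'VCMPADMIN'
 ORDER BY privilege;

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'VCMPADMIN'
 ORDER BY granted_role;

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'VCMPADMIN'
 ORDER BY owner, table_name;
```

The three review queries give a baseline of the account's privileges that can be compared against the grant list in step 2.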
Add an ODBC Data Source to Oracle 12c or 11g
After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC
connection to the new database to make this data source visible to the View Composer service.
When you configure an ODBC DSN for View Composer, secure the underlying database connection to an
appropriate level for your environment. For information about securing database connections, see the
Oracle database documentation.
If the underlying database connection uses SSL encryption, we recommend that you configure your
database servers with SSL certificates signed by a trusted CA. If you use self-signed certificates, your
database connections might be susceptible to man-in-the-middle attacks.
Prerequisites
Verify that you completed the steps described in Add a View Composer Database to Oracle 12c or 11g or
Use a SQL Statement to Add a View Composer Database to an Oracle Instance.
Procedure
1 On the View Composer database computer, select Start > Administrative Tools > Data Source
(ODBC).
2 From the Microsoft ODBC Data Source Administrator wizard, select the System DSN tab.
3 Click Add and select the appropriate Oracle driver from the list.
For example: OraDb11g_home
4 Click Finish.
5 In the Oracle ODBC Driver Configuration dialog box, type a DSN to use with View Composer, a
description of the data source, and a user ID to connect to the database.
If you configured an Oracle database user ID with specific security permissions, specify this user ID.
Note You use the DSN when you install the View Composer service.
6 Specify a TNS Service Name by selecting the Global Database Name from the drop-down menu.
The Oracle Database Configuration Assistant specifies the Global Database Name.
7 To verify the data source, click Test Connection and click OK.
What to do next
Install the new View Composer service. See Install the View Composer Service.
Configuring an SSL Certificate for View Composer
By default, a self-signed certificate is installed with View Composer. You can use the default certificate for
testing purposes, but for production use you should replace it with a certificate that is signed by a
Certificate Authority (CA).
You can configure a certificate before or after you install View Composer. In View 5.1 and later releases,
you configure a certificate by importing it into the Windows local computer certificate store on the
Windows Server computer where View Composer is, or will be, installed.
- If you import a CA-signed certificate before you install View Composer, you can select the signed
  certificate during the View Composer installation. This approach eliminates the manual task of
  replacing the default certificate after the installation.
- If you intend to replace an existing certificate or the default, self-signed certificate with a new
  certificate after you install View Composer, you must import the new certificate and run the
  SviConfig ReplaceCertificate utility to bind your new certificate to the port used by View
  Composer.
For details about configuring SSL certificates and using the SviConfig ReplaceCertificate utility, see
Chapter 8 Configuring SSL Certificates for Horizon 7 Servers.
If you install vCenter Server and View Composer on the same Windows Server computer, they can use
the same SSL certificate, but you must configure the certificate separately for each component.
Install the View Composer Service
To use View Composer, you must install the View Composer service. Horizon 7 uses View Composer to
create and deploy linked-clone desktops in vCenter Server.
You can install the View Composer service on the Windows Server computer on which vCenter Server is
installed or on a separate Windows Server computer. A standalone View Composer installation works
with vCenter Server installed on a Windows Server computer and with the Linux-based vCenter Server
Appliance.
The View Composer software cannot coexist on the same virtual or physical machine with any other
Horizon 7 software component, including a replica server, security server, Connection Server, Horizon
Agent, or Horizon Client.
For enhanced security, we recommend configuring cipher suites to remove known vulnerabilities. For
instructions on how to set up a domain policy on cipher suites for Windows machines that run View
Composer or Horizon Agent, see Disable Weak Ciphers in SSL/TLS.
Prerequisites
- Verify that your installation satisfies the View Composer requirements described in View Composer
  Requirements.
- Verify that no other Horizon 7 component, including Connection Server, security server, Horizon
  Agent, or Horizon Client, is installed on the machine on which you intend to install View Composer.
- Verify that you have a license to install and use View Composer.
- Verify that you have the DSN, domain administrator user name, and password that you provided in
  the ODBC Data Source Administrator wizard. You enter this information when you install the View
  Composer service.
- If you plan to configure an SSL certificate signed by a CA for View Composer during the installation,
  verify that your certificate is imported in the Windows local computer certificate store. See Chapter 8
  Configuring SSL Certificates for Horizon 7 Servers.
- Verify that no applications that run on the View Composer computer use Windows SSL libraries that
  require SSL version 2 (SSLv2) provided through the Microsoft Secure Channel (Schannel) security
  package. The View Composer installer disables SSLv2 on the Microsoft Schannel. Applications such
  as Tomcat, which uses Java SSL, or Apache, which uses OpenSSL, are not affected by this
  constraint.
- To run the View Composer installer, you must be a user with administrator privileges on the system.
Procedure
1 Download the View Composer installer file from the VMware product page at
http://www.vmware.com/products/ to the Windows Server computer.
The installer filename is VMware-viewcomposer-y.y.y-xxxxxx.exe, where xxxxxx is the build
number and y.y.y is the version number. This installer file installs the View Composer service on 64-bit
Windows Server operating systems.
2 To start the View Composer installation program, right-click the installer file and select Run as
administrator.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Type the DSN for the View Composer database that you provided in the Microsoft or Oracle ODBC
Data Source Administrator wizard.
For example: VMware View Composer
Note If you did not configure a DSN for the View Composer database, click ODBC DSN Setup to
configure a name now.
6 Type the domain administrator user name and password that you provided in the ODBC Data Source
Administrator wizard.
If you configured an Oracle database user with specific security permissions, specify this user name.
7 Type a port number or accept the default value.
View Connection Server uses this port to communicate with the View Composer service.
8 Provide an SSL certificate.
Option: Action
Create default SSL certificate:
    Select this radio button to create a default SSL certificate for the View Composer
    service.
    After the installation, you can replace the default certificate with an SSL certificate
    signed by a CA.
Use an existing SSL certificate:
    Select this radio button if you installed a signed SSL certificate that you want to
    use for the View Composer service. Select an SSL certificate from the list.
9 Click Install and Finish to complete the View Composer service installation.
The VMware Horizon View Composer service starts.
View Composer uses the cryptographic cipher suites that are provided by the Windows Server operating
system. You should follow your organization's guidelines for managing cipher suites on Windows Server
systems. If your organization does not provide guidelines, VMware recommends that you disable weak
cryptographic cipher suites on the View Composer server to enhance the security of your Horizon 7
environment. For information about managing cryptographic cipher suites, see your Microsoft
documentation.
What to do next
If you have an older version of vCenter Server, see Enable TLSv1.0 on vCenter and ESXi Connections
from View Composer.
If you manually set SQL Server database permissions and assigned them to a user, you can revoke the
database administrator role from that user. For details, see the last step in the procedure in (Optional) Set
SQL Server Database Permissions By Manually Creating Database Roles.
Enable TLSv1.0 on vCenter and ESXi Connections from View Composer
Horizon 7 and later components have the TLSv1.0 security protocol disabled by default. If your
deployment includes an older version of vCenter Server that supports only TLSv1.0, you might need to
enable TLSv1.0 for View Composer connections after installing or upgrading to View Composer 7.0 or a
later release.
Some earlier maintenance releases of vCenter Server 5.0, 5.1, and 5.5 support only TLSv1.0, which is no
longer enabled by default in Horizon 7 and later releases. If it is not possible to upgrade vCenter Server to
a version that supports TLSv1.1 or TLSv1.2, you can enable TLSv1.0 for View Composer connections.
If your ESXi hosts are not running ESXi 6.0 U1b or later, and you cannot upgrade, you might also need to
enable TLSv1.0 connections to ESXi hosts from View Composer.
Prerequisites
- Verify that you have View Composer 7.0 or a later release installed.
- Verify that you can log in to the View Composer machine as an Administrator to use the Windows
  Registry Editor.
Procedure
1 On the machine that hosts View Composer, open the Windows Registry Editor (regedit.exe).
2 Navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
If this key does not already exist, create this key.
3 Delete the value Enabled if it exists.
4 Create or edit the DWORD value DisabledByDefault and set it to 0.
5 Restart the VMware Horizon View Composer service.
TLSv1.0 connections from View Composer to vCenter are now enabled.
6 In the Windows Registry on the View Composer machine, navigate to HKLM\SOFTWARE\VMware, Inc.\VMware View Composer.
7 Create or edit the String value EnableTLS1.0 and set it to 1.
8 If the View Composer host is a 64-bit machine, navigate to HKLM\SOFTWARE\WOW6432Node\VMware, Inc\VMware View Composer.
9 Create or edit the String value EnableTLS1.0 and set it to 1.
10 Restart the VMware Horizon View Composer service.
TLSv1.0 connections from View Composer to ESXi hosts are now enabled.
Configuring Your Infrastructure for View Composer
You can take advantage of features in vSphere, vCenter Server, Active Directory, and other components
of your infrastructure to optimize the performance, availability, and reliability of View Composer.
Configuring the vSphere Environment for View Composer
To support View Composer, you should follow certain best practices when you install and configure
vCenter Server, ESXi, and other vSphere components.
These best practices let View Composer work efficiently in the vSphere environment.
- After you create the path and folder information for linked-clone virtual machines, do not change the
  information in vCenter Server. Instead, use Horizon Administrator to change the folder information.
  If you change this information in vCenter Server, Horizon 7 cannot successfully look up the virtual
  machines in vCenter Server.
- Make sure that the vSwitch settings on the ESXi host are configured with enough ports to support the
  total number of virtual NICs that are configured on the linked-clone virtual machines that run on the
  ESXi host.
- When you deploy linked-clone desktops in a resource pool, make sure that your vSphere
  environment has enough CPU and memory to host the number of desktops that you require. Use
  vSphere Client to monitor CPU and memory usage in resource pools.
- In vSphere 5.1 and later, a cluster that is used for View Composer linked clones can contain more
  than eight ESXi hosts if the replica disks are stored on VMFS5 or later datastores or NFS datastores.
  If you store replicas on a VMFS version earlier than VMFS5, a cluster can have at most eight hosts.
- Use vSphere DRS. DRS efficiently distributes linked-clone virtual machines among your hosts.
Note Storage vMotion is not supported for linked-clone desktops.
Additional Best Practices for View Composer
To make sure that View Composer works efficiently, check that your dynamic name service (DNS)
operates correctly, and run antivirus software scans at staggered times.
By making sure that DNS resolution operates correctly, you can overcome intermittent issues caused by
DNS errors. The View Composer service relies on dynamic name resolution to communicate with other
computers. To test DNS operation, ping the Active Directory and View Connection Server computers by
name.
If you stagger the run times for your antivirus software, performance of the linked-clone desktops is not
affected. If the antivirus software runs in all linked clones at the same time, excessive I/O operations per
second (IOPS) occur in your storage subsystem. This excessive activity can affect performance of the
linked-clone desktops.
Chapter 7 Installing Horizon Connection Server
To use Connection Server, you install the software on supported computers, configure the required
components, and, optionally, optimize the components.
This section includes the following topics:
- Installing the Horizon Connection Server Software
- Installation Prerequisites for Horizon Connection Server
- Install Horizon Connection Server with a New Configuration
- Install a Replicated Instance of Horizon Connection Server
- Configure a Security Server Pairing Password
- Install a Security Server
- Firewall Rules for Horizon Connection Server
- Reinstall Horizon Connection Server with a Backup Configuration
- Microsoft Windows Installer Command-Line Options
- Uninstalling Horizon 7 Components Silently by Using MSI Command-Line Options
Installing the Horizon Connection Server Software
Depending on the performance, availability, and security needs of your Horizon 7 deployment, you can
install a single instance of Connection Server, replicated instances of Connection Server, and security
servers. You must install at least one instance of Connection Server.
When you install Connection Server, you select a type of installation.
Standard installation: Generates a Connection Server instance with a new View LDAP
configuration.
Replica installation: Generates a Connection Server instance with a View LDAP configuration
that is copied from an existing instance.
Security server installation: Generates a Connection Server instance that adds an additional
layer of security between the Internet and your internal network.
Enrollment Server installation: Installs an enrollment server that is required for the True SSO
(single sign-on) feature, so that after users log in to VMware Identity Manager, they can
connect to a remote desktop or application without having to provide Active
Directory credentials. The enrollment server requests the short-lived
certificates that are used for authentication.
Note Because this feature requires that a certificate authority also be set
up, and specific configuration performed, the installation procedure for the
enrollment server is provided in the View Administration document, in the
chapter "Authenticating Users Without Requiring Credentials," rather than
in this installation document.
Installation Prerequisites for Horizon Connection Server
Before you install Connection Server, you must verify that your installation environment satisfies specific
prerequisites.
- You must have a valid license key for Horizon 7.
- You must join the Connection Server host to an Active Directory domain. Connection Server supports
  the following Active Directory Domain Services (AD DS) domain functional levels:
  - Windows Server 2003
  - Windows Server 2008
  - Windows Server 2008 R2
  - Windows Server 2012
  - Windows Server 2012 R2
  - Windows Server 2016
  The Connection Server host must not be a domain controller.
  Note Connection Server does not make, nor does it require, any schema or configuration updates to
  Active Directory.
- Do not install Connection Server on systems that have the Windows Terminal Server role installed.
  You must remove the Windows Terminal Server role from any system on which you install Connection
  Server.
- Do not install Connection Server on a system that performs any other functions or roles. For example,
  do not use the same system to host vCenter Server.
- The system on which you install Connection Server must have an IP address that does not change.
  In an IPv4 environment, configure a static IP address. In an IPv6 environment, machines
  automatically get IP addresses that do not change.
- To run the Horizon Connection Server installer, you must use a domain user account with
  Administrator privileges on the system.
- When you install Connection Server, you authorize an Administrators account. You can specify the
  local Administrators group or a domain user or group account. Horizon 7 assigns full administration
  rights, including the right to install replicated Connection Server instances, to this account only. If you
  specify a domain user or group, you must create the account in Active Directory before you run the
  installer.
Install Horizon Connection Server with a New Configuration
To install Connection Server as a single server or as the first instance in a group of replicated Connection
Server instances, you use the standard installation option.
When you select the standard installation option, the installation creates a new, local View LDAP
configuration. The installation loads the schema definitions, Directory Information Tree (DIT) definition,
and ACLs and initializes the data.
After installation, you manage most View LDAP configuration data by using Horizon Administrator.
Connection Server automatically maintains some View LDAP entries.
The Connection Server software cannot coexist on the same virtual or physical machine with any other
Horizon 7 software component, including a replica server, security server, View Composer, Horizon
Agent, or Horizon Client.
When you install Connection Server with a new configuration, you can participate in a customer
experience improvement program. VMware collects anonymous data about your deployment in order to
improve VMware's response to user requirements. No data that identifies your organization is collected.
You can choose not to participate by deselecting this option during the installation. If you change your
mind about participating after the installation, you can either join or withdraw from the program by editing
the Product Licensing and Usage page in Horizon Administrator. To review the list of fields from which
data is collected, including the fields that are made anonymous, see "Information Collected by the
Customer Experience Improvement Program" in the View Administration document.
By default, the HTML Access component is installed on the Connection Server host when you install
Connection Server. This component configures the Horizon 7 user portal page to display an
HTML Access icon in addition to the Horizon Client icon. The additional icon allows users to select
HTML Access when they connect to their desktops.
For an overview of setting up Connection Server for HTML Access, see the VMware Horizon HTML
Access Installation and Setup Guide document, located on the Horizon Client Documentation page.
Prerequisites
- Verify that you can log in as a domain user with administrator privileges on the Windows Server
  computer on which you install Connection Server.
- Verify that your installation satisfies the requirements described in Horizon Connection Server
  Requirements.
- Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection
  Server.
- If you intend to authorize a domain user or group as the Administrators account, verify that you
  created the domain account in Active Directory.
- If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which
  you are installing Connection Server, install the Microsoft hotfix that is described in KB 978116 at
  http://support.microsoft.com/kb/978116.
- Prepare a data recovery password. When you back up Connection Server, the View LDAP
  configuration is exported as encrypted LDIF data. To restore the encrypted backup Horizon 7
  configuration, you must provide the data recovery password. The password must contain between 1
  and 128 characters. Follow your organization's best practices for generating secure passwords.
  Important You will need the data recovery password to keep Horizon 7 operating and avoid
  downtime in a Business Continuity and Disaster Recovery (BCDR) scenario. You can provide a
  password reminder with the password when you install Connection Server.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for
  Connection Server instances. See Firewall Rules for Horizon Connection Server.
- If you plan to pair a security server with this Connection Server instance, verify that Windows Firewall
  with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting
  to on for all profiles. By default, IPsec rules govern connections between security server and
  Connection Server and require Windows Firewall with Advanced Security to be enabled.
- If your network topology includes a back-end firewall between a security server and the Connection
  Server instance, you must configure the firewall to support IPsec. See Configuring a Back-End
  Firewall to Support IPsec.
Procedure
1 Download the Connection Server installer file from the VMware download site at
https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes
Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where
xxxxxx is the build number and y.y.y is the version number.
2 To start the Connection Server installation program, double-click the installer file.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Select the View Standard Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
You must install all Horizon 7 components with the same IP version.
7 Select whether to enable or disable FIPS mode.
This option is available only if FIPS mode is enabled in Windows.
8 Make sure that Install HTML Access is selected if you intend to allow users to connect to their
desktops by using a Web browser.
If IPv4 is selected, this setting is selected by default. If IPv6 is selected, this setting is not displayed
because HTML Access is not supported in an IPv6 environment.
9 Type a data recovery password and, optionally, a password reminder.
10 Choose how to configure the Windows Firewall service.
| Option | Action |
| --- | --- |
| Configure Windows Firewall automatically | Let the installer configure Windows Firewall to allow the required network connections. |
| Do not configure Windows Firewall | Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall. |
11 Authorize a Horizon Administrators account.
Only members of this account can log in to Horizon Administrator, exercise full administration rights,
and install replicated Connection Server instances and other Horizon 7 servers.
| Option | Description |
| --- | --- |
| Authorize the local Administrators group | Allows users in the local Administrators group to administer Horizon 7. |
| Authorize a specific domain user or domain group | Allows the specified domain user or group to administer Horizon 7. |
12 If you specified a domain Horizon Administrators account, and you are running the installer as a local
administrator or another user without access to the domain account, provide credentials to log in to
the domain with an authorized user name and password.
Use domain name\user name or user principal name (UPN) format. UPN format can be
user@domain.com.
13 Choose whether to participate in the customer experience improvement program.
If you participate, you can optionally select the type, size, and location of your organization.
14 Complete the installation wizard to finish installing Connection Server.
15 Check for new patches on the Windows Server computer and run Windows Update as needed.
Even if you fully patched the Windows Server computer before you installed Connection Server, the
installation might have enabled operating system features for the first time. Additional patches might
now be required.
The Horizon 7 services are installed on the Windows Server computer:
- VMware Horizon Connection Server
- VMware Horizon View Framework Component
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services
For information about these services, see the View Administration document.
If the Install HTML Access setting was selected during the installation, the HTML Access component is
installed on the Windows Server computer. This component configures the HTML Access icon in the
Horizon 7 user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in
the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the
Connection Server on TCP port 8443.
What to do next
Configure SSL server certificates for Connection Server. See Chapter 8 Configuring SSL Certificates for
Horizon 7 Servers.
If you have an older version of vCenter Server, see Enable TLSv1.0 on vCenter Connections from
Connection Server.
Perform initial configuration on Connection Server. See Chapter 9 Configuring Horizon 7 for the First
Time.
If you plan to include replicated Connection Server instances and security servers in your deployment,
you must install each server instance by running the Connection Server installer file.
If you are reinstalling Connection Server and you have a data collector set configured to monitor
performance data, stop the data collector set and start it again.
Install Horizon Connection Server Silently
You can use the silent installation feature of the Microsoft Windows Installer (MSI) to perform a standard
installation of Connection Server on several Windows computers. In a silent installation, you use the
command line and do not have to respond to wizard prompts.
With silent installation, you can efficiently deploy Horizon 7 components in a large enterprise.
Prerequisites
- Verify that you can log in as a domain user with administrator privileges on the Windows Server
  computer on which you install Connection Server.
- Verify that your installation satisfies the requirements described in Horizon Connection Server
  Requirements.
- Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection
  Server.
- If you intend to authorize a domain user or group as the Horizon Administrators account, verify that
  you created the domain account in Active Directory.
- If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which
  you are installing Connection Server, install the Microsoft hotfix that is described in KB 978116 at
  http://support.microsoft.com/kb/978116.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for
  Connection Server instances. See Firewall Rules for Horizon Connection Server.
- If you plan to pair a security server with this Connection Server instance, verify that Windows Firewall
  with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting
  to on for all profiles. By default, IPsec rules govern connections between security server and
  Connection Server and require Windows Firewall with Advanced Security to be enabled.
- If your network topology includes a back-end firewall between a security server and the Connection
  Server instance, you must configure the firewall to support IPsec. See Configuring a Back-End
  Firewall to Support IPsec.
- Verify that the Windows computer on which you install Connection Server has version 2.0 or later of
  the MSI runtime engine. For details, see the Microsoft Web site.
- Familiarize yourself with the MSI installer command-line options. See Microsoft Windows Installer
  Command-Line Options.
- Familiarize yourself with the silent installation properties available with a standard installation of
  Connection Server. See Silent Installation Properties for a View Connection Server Standard
  Installation.
Procedure
1 Download the Connection Server installer file from the VMware download site at
https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes
Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where
xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line.
For example:
VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=1 VDM_INITIAL_ADMIN_SID=S-1-5-32-544 VDM_SERVER_RECOVERY_PWD=mini VDM_SERVER_RECOVERY_PWD_REMINDER=""First car"""
Important When you perform a silent installation, the full command line, including the data recovery
password, is logged in the installer's vminst.log file. After the installation is complete, either delete
this log file or change the data recovery password by using Horizon Administrator.
4 Check for new patches on the Windows Server computer and run Windows Update as needed.
Even if you fully patched the Windows Server computer before you installed Connection Server, the
installation might have enabled operating system features for the first time. Additional patches might
now be required.
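The following PowerShell sketch is an added example, not VMware code. It finds installer logs that recorded the data recovery password, as the Important note in step 3 describes, reports them with the secret masked, and optionally deletes them. The function name is hypothetical. The page does not say where vminst.log is written, so the folder is a required parameter, and matching files named vminst.log* is an assumption. The demo runs on a constructed log line.

```powershell
# Added example (not VMware code): locate installer logs that captured the
# data recovery password from a silent installation, and optionally delete them.

function Find-RecoveryPasswordInInstallerLog {
    # Hypothetical function name.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: the page does not give the log location; pass the folder explicitly.
        [Parameter(Mandatory)] [string] $LogDirectory,
        # Delete each log that contains the property (supports -WhatIf).
        [switch] $Remove
    )

    # Matches the password and reminder properties and their values:
    # doubled-quoted, quoted, or a bare token up to the next space.
    $secret = '(VDM_SERVER_RECOVERY_PWD(?:_REMINDER)?=)(""[^"]*""|"[^"]*"|\S+)'

    # Assumption: log files are named vminst.log, possibly with a suffix.
    $files = Get-ChildItem -LiteralPath $LogDirectory -Filter 'vminst.log*' -File -ErrorAction SilentlyContinue

    foreach ($file in $files) {
        $hits = Select-String -LiteralPath $file.FullName -Pattern 'VDM_SERVER_RECOVERY_PWD='
        if (-not $hits) { continue }

        foreach ($hit in $hits) {
            [pscustomobject]@{
                File       = $file.FullName
                LineNumber = $hit.LineNumber
                # Never echo the secret itself into console output or tickets.
                Line       = $hit.Line -replace $secret, '${1}<redacted>'
            }
        }

        if ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, 'Delete installer log')) {
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }
}

# Demo on constructed log lines in a scratch folder (not real installer output).
$demo = Join-Path ([IO.Path]::GetTempPath()) ('vminst-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'vminst.log') -Value @(
    'constructed: installer started',
    'constructed: cmdline /qn VDM_SERVER_INSTANCE_TYPE=1 VDM_SERVER_RECOVERY_PWD=Example-Only VDM_SERVER_RECOVERY_PWD_REMINDER=""hint""'
)
Find-RecoveryPasswordInInstallerLog -LogDirectory $demo -Remove | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

If a log must be retained, the other remedy the note gives applies: change the data recovery password by using Horizon Administrator.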
The Horizon 7 services are installed on the Windows Server computer:
- VMware Horizon Connection Server
- VMware Horizon View Framework Component
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services
If the Install HTML Access setting was selected during the installation, the HTML Access component is
installed on the Windows Server computer. This component configures the HTML Access icon in the
Horizon 7 user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in
the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the
Connection Server on TCP port 8443.
For information about these services, see the View Administration document.
What to do next
Configure SSL server certificates for Connection Server. See Chapter 8 Configuring SSL Certificates for
Horizon 7 Servers.
If you have an older version of vCenter Server, see Enable TLSv1.0 on vCenter Connections from
Connection Server.
If you are configuring Horizon 7 for the first time, perform initial configuration on Connection Server. See
Chapter 9 Configuring Horizon 7 for the First Time.
Silent Installation Properties for a View Connection Server Standard Installation
You can include specific View Connection Server properties when you perform a silent installation from
the command line. You must use a PROPERTY=value format so that Microsoft Windows Installer (MSI)
can interpret the properties and values.
Table 7‑1. MSI Properties for Silently Installing View Connection Server in a Standard Installation

| MSI Property | Description | Default Value |
| --- | --- | --- |
| INSTALLDIR | The path and folder in which the View Connection Server software is installed. For example: INSTALLDIR=""D:\abc\my folder"" The sets of two double quotes that enclose the path permit the MSI installer to interpret the space as a valid part of the path. | %ProgramFiles%\VMware\VMware View\Server |
| VDM_SERVER_INSTANCE_TYPE | The type of View server installation: 1. Standard installation; 2. Replica installation; 3. Security server installation; 5. Enrollment server installation. For example, to perform a standard installation, define VDM_SERVER_INSTANCE_TYPE=1 | 1 |
| FWCHOICE | The MSI property that determines whether to configure a firewall for the View Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. For example: FWCHOICE=1 | 1 |
| VDM_INITIAL_ADMIN_SID | The SID of the initial View Administrators user or group that is authorized with full administration rights in View. The default value is the SID of the local Administrators group on the View Connection Server computer. You can specify a SID of a domain user or group account. | S-1-5-32-544 |
| VDM_SERVER_RECOVERY_PWD | The data recovery password. If a data recovery password is not set in View LDAP, this property is mandatory. The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords. | None |
| VDM_SERVER_RECOVERY_PWD_REMINDER | The data recovery password reminder. This property is optional. | None |
| VDM_IP_PROTOCOL_USAGE | Specifies the IP version that View components use for communication. The possible values are IPv4 and IPv6. | IPv4 |
| VDM_FIPS_ENABLED | Specifies whether to enable or disable FIPS mode. A value of 1 enables FIPS mode. A value of 0 disables FIPS mode. If this property is set to 1 and Windows is not in FIPS mode, the installer will abort. | 0 |
| HTMLACCESS | Controls the HTML Access add-on installation. Set this property to 1 to configure HTML Access or omit the property if HTML Access is not needed. | 1 |
Enable TLSv1.0 on vCenter Connections from Connection Server
Horizon 7 and later components have the TLSv1.0 security protocol disabled by default. If your
deployment includes an older version of vCenter Server that supports only TLSv1.0, you might need to
enable TLSv1.0 for Connection Server connections after installing or upgrading to Connection Server 7.0
or a later release.
Some earlier maintenance releases of vCenter Server 5.1 and 5.5 support only TLSv1.0, which is no
longer enabled by default in Horizon 7 and later releases. If it is not possible to upgrade vCenter Server to
a version that supports TLSv1.1 or TLSv1.2, you can enable TLSv1.0 for Connection Server connections.
Prerequisites
- If you are upgrading to Horizon 7, perform this procedure before you upgrade to minimize the number
  of times you must restart the service. During an upgrade the VMware Horizon View Connection
  Server service is restarted, and a restart is required to apply the configuration changes described in
  this procedure. If you upgrade before you perform this procedure, you will need to restart the service
  a second time.
- See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your
  Windows operating system version.
Procedure
1 Start the ADSI Edit utility on your Connection Server host.
2 In the console tree, select Connect to.
3 In the Select or type a Distinguished Name or Naming Context text box, type the distinguished
name DC=vdi, DC=vmware, DC=int.
4 In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of
the Connection Server host followed by port 389.
For example: localhost:389 or mycomputer.example.com:389
5 Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and double-click
CN=Common in the right pane.
6 In the Properties dialog box, edit the pae-ClientSSLSecureProtocols attribute to add the following
value:
\LIST:TLSv1.2,TLSv1.1,TLSv1
Be sure to include the backslash at the beginning of the line.
7 Click OK.
8 If this is a fresh installation, to apply the configuration change, restart the VMware Horizon View
Connection Server service on each connection server instance.
If you plan to perform an upgrade, you do not need to restart the service because the process of
upgrading automatically restarts the service.
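The following PowerShell check is an added example, not VMware code. It reads pae-ClientSSLSecureProtocols from View LDAP and reports whether the TLSv1 entry from step 6 is present, which helps find Connection Server groups that still carry the exception after vCenter Server has been upgraded. The function names are hypothetical; the distinguished name is assembled from steps 3 and 5, and the only value format assumed is the \LIST: form shown in step 6.

```powershell
# Added example (not VMware code): check View LDAP for the TLSv1.0 exception
# configured in the procedure above. Run on a Connection Server host.

function ConvertFrom-PaeProtocolList {
    # Hypothetical helper: '\LIST:TLSv1.2,TLSv1.1,TLSv1' -> TLSv1.2, TLSv1.1, TLSv1
    param([string] $Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return }
    $body = $Value.Trim()
    if ($body.StartsWith('\LIST:')) { $body = $body.Substring(6) }
    $body.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-Tls10InProtocolList {
    # True when the list contains the TLSv1 entry that step 6 adds.
    # -contains is an exact match, so TLSv1.1 and TLSv1.2 do not count.
    param([string] $Value)
    $protocols = @(ConvertFrom-PaeProtocolList -Value $Value)
    return ($protocols -contains 'TLSv1')
}

function Get-ConnectionServerClientProtocols {
    # Hypothetical function name. Reads the attribute edited in step 6;
    # binds with the current user's credentials and changes nothing.
    param([string] $Server = 'localhost:389')

    # Steps 3 and 5: DC=vdi,DC=vmware,DC=int -> OU=Properties -> OU=Global -> CN=Common
    $dn    = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
    $entry = [ADSI]"LDAP://$Server/$dn"

    $values = @($entry.psbase.Properties['pae-ClientSSLSecureProtocols'] |
                ForEach-Object { [string]$_ })

    if ($values.Count -eq 0) {
        # Attribute not set: the procedure above has not been applied here.
        return [pscustomobject]@{ Server = $Server; RawValue = $null; Tls10Listed = $false }
    }
    foreach ($raw in $values) {
        [pscustomobject]@{
            Server      = $Server
            RawValue    = $raw
            Tls10Listed = Test-Tls10InProtocolList -Value $raw
        }
    }
}

# Offline demo of the parsing logic: the value from step 6, then a constructed
# value without the TLSv1 entry.
Test-Tls10InProtocolList -Value '\LIST:TLSv1.2,TLSv1.1,TLSv1'   # True
Test-Tls10InProtocolList -Value '\LIST:TLSv1.2,TLSv1.1'         # False

# On a Connection Server host:
# Get-ConnectionServerClientProtocols -Server 'localhost:389' | Format-List
```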
Install a Replicated Instance of Horizon Connection Server
To provide high availability and load balancing, you can install one or more additional instances of
Connection Server that replicate an existing Connection Server instance. After a replica installation, the
existing and newly installed instances of Connection Server are identical.
When you install a replicated instance, Horizon 7 copies the View LDAP configuration data from the
existing Connection Server instance.
After the installation, identical View LDAP configuration data is maintained on all Connection Server
instances in the replicated group. When a change is made on one instance, the updated information is
copied to the other instances.
If a replicated instance fails, the other instances in the group continue to operate. When the failed
instance resumes activity, its configuration is updated with the changes that took place during the outage.
Note Replication functionality is provided by View LDAP, which uses the same replication technology as
Active Directory.
The replica server software cannot coexist on the same virtual or physical machine with any other
Horizon 7 software component, including a security server, Connection Server, View Composer, Horizon
Agent, or Horizon Client.
By default, the HTML Access component is installed on the Connection Server host when you install
Connection Server. This component configures the Horizon 7 user portal page to display an
HTML Access icon in addition to the Horizon Client icon. The additional icon allows users to select
HTML Access when they connect to their desktops.
For an overview of setting up Connection Server for HTML Access, see the VMware Horizon HTML
Access Installation and Setup Guide document, located on the Horizon Client Documentation page.
Prerequisites
- Verify that at least one Connection Server instance is installed and configured on the network.
- To install the replicated instance, you must log in as a user with the Administrators role. You specify
  the account or group with the Administrators role when you install the first instance of Connection
  Server. The role can be assigned to the local Administrators group or a domain user or group. See
  Install Horizon Connection Server with a New Configuration.
- If the existing Connection Server instance is in a different domain than the replicated instance, the
  domain user must also have Administrator privileges on the Windows Server computer where the
  existing instance is installed.
- If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which
  you are installing Connection Server, install the Microsoft hotfix that is described in KB 978116 at
  http://support.microsoft.com/kb/978116.
- Verify that your installation satisfies the requirements described in Horizon Connection Server
  Requirements.
- Verify that the computers on which you install replicated Connection Server instances are connected
  over a high-performance LAN. See Network Requirements for Replicated Horizon Connection Server
  Instances.
- Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection
  Server.
- If you install a replicated Connection Server instance that is View 5.1 or later, and the existing
  Connection Server instance you are replicating is View 5.0.x or earlier, prepare a data recovery
  password. See Install Horizon Connection Server with a New Configuration.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for
  Connection Server instances. See Firewall Rules for Horizon Connection Server.
- If you plan to pair a security server with this Connection Server instance, verify that Windows Firewall
  with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting
  to on for all profiles. By default, IPsec rules govern connections between security server and
  Connection Server and require Windows Firewall with Advanced Security to be enabled.
- If your network topology includes a back-end firewall between a security server and the Connection
  Server instance, you must configure the firewall to support IPsec. See Configuring a Back-End
  Firewall to Support IPsec.
Procedure
1 Download the Connection Server installer file from the VMware download site at
https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes
Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where
xxxxxx is the build number and y.y.y is the version number.
2 To start the Connection Server installation program, double-click the installer file.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Select the View Replica Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
You must install all Horizon 7 components with the same IP version.
7 Select whether to enable or disable FIPS mode.
This option is available only if FIPS mode is enabled in Windows.
8 Make sure that Install HTML Access is selected if you intend to allow users to connect to their
desktops by using HTML Access.
If IPv4 is selected, this setting is selected by default. If IPv6 is selected, this setting is not displayed
because HTML Access is not supported in an IPv6 environment.
9 Enter the host name or IP address of the existing Connection Server instance you are replicating.
10 Type a data recovery password and, optionally, a password reminder.
You are prompted for a data recovery password only if the existing Connection Server instance you
are replicating is View 5.0.x or earlier.
11 Choose how to configure the Windows Firewall service.
| Option | Action |
| --- | --- |
| Configure Windows Firewall automatically | Let the installer configure Windows Firewall to allow the required network connections. |
| Do not configure Windows Firewall | Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall. |
12 Complete the installation wizard to finish installing the replicated instance.
13 Check for new patches on the Windows Server computer and run Windows Update as needed.
Even if you fully patched the Windows Server computer before you installed Connection Server, the
installation might have enabled operating system features for the first time. Additional patches might
now be required.
The Horizon 7 services are installed on the Windows Server computer:
- VMware Horizon Connection Server
- VMware Horizon View Framework Component
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services
For information about these services, see the View Administration document.
If the Install HTML Access setting was selected during the installation, the HTML Access component is
installed on the Windows Server computer. This component configures the HTML Access icon in the
Horizon 7 user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in
the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the
Connection Server on TCP port 8443.
What to do next
Configure an SSL server certificate for the Connection Server instance. See Chapter 8 Configuring SSL
Certificates for Horizon 7 Servers.
You do not have to perform an initial Horizon 7 configuration on a replicated instance of Connection
Server. The replicated instance inherits its configuration from the existing Connection Server instance.
However, you might have to configure client connection settings for this Connection Server instance, and
you can tune Windows Server settings to support a large deployment. See Configuring Horizon Client
Connections and Sizing Windows Server Settings to Support Your Deployment.
If you are reinstalling Connection Server and you have a data collector set configured to monitor
performance data, stop the data collector set and start it again.
Install a Replicated Instance of Horizon Connection Server Silently
You can use the silent installation feature of the Microsoft Windows Installer (MSI) to install a replicated
instance of Connection Server on several Windows computers. In a silent installation, you use the
command line and do not have to respond to wizard prompts.
With silent installation, you can efficiently deploy Horizon 7 components in a large enterprise.
Prerequisites
- Verify that at least one Connection Server instance is installed and configured on the network.
- To install the replicated instance, you must log in as a user with credentials to access the
  Administrators account. You specify the Administrators account when you install the first instance of
  Connection Server. The account can be the local Administrators group or a domain user or group
  account. See Install Horizon Connection Server with a New Configuration.
- If the existing Connection Server instance is in a different domain than the replicated instance, the
  domain user must also have Administrator privileges on the Windows Server computer where the
  existing instance is installed.
- If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which
  you are installing Connection Server, install the Microsoft hotfix that is described in KB 978116 at
  http://support.microsoft.com/kb/978116.
- Verify that your installation satisfies the requirements described in Horizon Connection Server
  Requirements.
- Verify that the computers on which you install replicated Connection Server instances are connected
  over a high-performance LAN. See Network Requirements for Replicated Horizon Connection Server
  Instances.
- Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection
  Server.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for
  Connection Server instances. See Firewall Rules for Horizon Connection Server.
- If you plan to pair a security server with this Connection Server instance, verify that Windows Firewall
  with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting
  to on for all profiles. By default, IPsec rules govern connections between security server and
  Connection Server and require Windows Firewall with Advanced Security to be enabled.
- If your network topology includes a back-end firewall between a security server and the Connection
  Server instance, you must configure the firewall to support IPsec. See Configuring a Back-End
  Firewall to Support IPsec.
- Familiarize yourself with the MSI installer command-line options. See Microsoft Windows Installer
  Command-Line Options.
- Familiarize yourself with the silent installation properties available with a replica installation of
  Connection Server. See Silent Installation Properties for a Replicated Instance of Horizon Connection
  Server.
Procedure
1 Download the Connection Server installer file from the VMware download site at
https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes
Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where
xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line.
For example:
VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=2 ADAM_PRIMARY_NAME=cs1.companydomain.com VDM_INITIAL_ADMIN_SID=S-1-5-32-544"
If you install a replicated Connection Server instance that is View 5.1 or later, and the existing
Connection Server instance you are replicating is View 5.0.x or earlier, you must specify a data
recovery password, and you can add a password reminder. For example:
VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=2 ADAM_PRIMARY_NAME=cs1.companydomain.com VDM_INITIAL_ADMIN_SID=S-1-5-32-544 VDM_SERVER_RECOVERY_PWD=mini VDM_SERVER_RECOVERY_PWD_REMINDER=""First car"""
Important When you perform a silent installation, the full command line, including the data recovery
password, is logged in the installer's vminst.log file. After the installation is complete, either delete
this log file or change the data recovery password by using Horizon Administrator.
4 Check for new patches on the Windows Server computer and run Windows Update as needed.
Even if you fully patched the Windows Server computer before you installed Connection Server, the
installation might have enabled operating system features for the first time. Additional patches might
now be required.
The Horizon 7 services are installed on the Windows Server computer:
- VMware Horizon Connection Server
- VMware Horizon View Framework Component
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services
For information about these services, see the View Administration document.
If the Install HTML Access setting was selected during the installation, the HTML Access component is
installed on the Windows Server computer. This component configures the HTML Access icon in the
Horizon 7 user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in
the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the
Connection Server on TCP port 8443.
What to do next
Configure an SSL server certificate for the Connection Server instance. See Chapter 8 Configuring SSL
Certificates for Horizon 7 Servers.
You do not have to perform an initial Horizon 7 configuration on a replicated instance of Connection
Server. The replicated instance inherits its configuration from the existing Connection Server instance.
However, you might have to configure client connection settings for this Connection Server instance, and
you can tune Windows Server settings to support a large deployment. See Configuring Horizon Client
Connections and Sizing Windows Server Settings to Support Your Deployment.
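The Important note in the procedure above says the full silent-install command line, including the data recovery password, is written to vminst.log. The following PowerShell is an added example, not VMware code: it reports which log lines carry password properties and writes a redacted copy so the original can be deleted. The log file name, the sample lines, the function names, and the inclusion of VDM_SERVER_RECOVERY_PWD_REMINDER and VDM_SERVER_SS_PWD (the security server pairing password property) are assumptions.

```powershell
# Added example (not VMware code). Property names are from the page; the log file
# name and the sample log lines are constructed for the demo.
$SecretProperty = 'VDM_SERVER_RECOVERY_PWD_REMINDER', 'VDM_SERVER_RECOVERY_PWD', 'VDM_SERVER_SS_PWD'

# PROPERTY=value, where value is ""doubled-quoted"", "quoted", or a bare token.
$names = ($SecretProperty | ForEach-Object { [regex]::Escape($_) }) -join '|'
$SecretRegex = [regex]::new(
    '\b(?<name>' + $names + ')=(?<value>""[^"]*""|"[^"]*"|[^\s"]+)',
    [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

function Find-InstallerLogSecret {
    # One object per log line that carries a secret property. Reports names, never values.
    param([Parameter(Mandatory)][string]$Path)
    $lineNumber = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNumber++
        $hits = $SecretRegex.Matches($line)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                LineNumber = $lineNumber
                Properties = @($hits | ForEach-Object { $_.Groups['name'].Value }) -join ', '
            }
        }
    }
}

function Protect-InstallerLog {
    # Writes a redacted copy of the log and returns the number of values replaced.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Destination
    )
    $count = 0
    $redacted = foreach ($line in Get-Content -LiteralPath $Path) {
        $count += $SecretRegex.Matches($line).Count
        $SecretRegex.Replace($line, '${name}=<redacted>')
    }
    Set-Content -LiteralPath $Destination -Value $redacted -Encoding UTF8
    $count
}

# --- Demo on constructed log lines (not real installer output) ---
$log = Join-Path ([System.IO.Path]::GetTempPath()) 'vminst-sample.log'
@(
    'constructed: cmdline /qn VDM_SERVER_INSTANCE_TYPE=2 ADAM_PRIMARY_NAME=cs1.companydomain.com VDM_SERVER_RECOVERY_PWD=mini VDM_SERVER_RECOVERY_PWD_REMINDER=""First car"""',
    'constructed: cmdline /qn VDM_SERVER_INSTANCE_TYPE=3 VDM_SERVER_NAME=cs1.internaldomain.com VDM_SERVER_SS_PWD=secret"',
    'constructed: installation completed'
) | Set-Content -LiteralPath $log -Encoding UTF8

Find-InstallerLogSecret -Path $log | Format-Table -AutoSize
$replaced = Protect-InstallerLog -Path $log -Destination "$log.redacted"
"Redacted $replaced value(s)"
Get-Content -LiteralPath "$log.redacted"

# The page's advice is to delete the log that holds the password; the redacted copy remains.
Remove-Item -LiteralPath $log
```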
Silent Installation Properties for a Replicated Instance of Horizon
Connection Server
You can include specific properties when you silently install a replicated Horizon Connection Server
instance from the command line. You must use a PROPERTY=value format so that Microsoft Windows
Installer (MSI) can interpret the properties and values.
Table 7-2. MSI Properties for Silently Installing a Replicated Instance of Horizon Connection Server

| MSI Property | Description | Default Value |
|---|---|---|
| INSTALLDIR | The path and folder in which the Connection Server software is installed. For example: INSTALLDIR=""D:\abc\my folder"" The sets of two double quotes that enclose the path permit the MSI installer to interpret the space as a valid part of the path. This MSI property is optional. | %ProgramFiles%\VMware\VMware View\Server |
| VDM_SERVER_INSTANCE_TYPE | The type of Connection Server installation: 1. Standard installation; 2. Replica installation; 3. Security server installation. To install a replicated instance, define VDM_SERVER_INSTANCE_TYPE=2. This MSI property is required when installing a replica. | 1 |
| ADAM_PRIMARY_NAME | The host name or IP address of the existing Connection Server instance you are replicating. For example: ADAM_PRIMARY_NAME=cs1.companydomain.com This MSI property is required. | None |
| FWCHOICE | The MSI property that determines whether to configure a firewall for the Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. For example: FWCHOICE=1 This MSI property is optional. | 1 |
| VDM_SERVER_RECOVERY_PWD | The data recovery password. If a data recovery password is not set in View LDAP, this property is mandatory. Note: The data recovery password is not set in View LDAP if the standard Connection Server instance you are replicating is View 5.0 or earlier. If the Connection Server instance you are replicating is View 5.1 or later, you do not have to provide this property. The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords. | None |
| VDM_SERVER_RECOVERY_PWD_REMINDER | The data recovery password reminder. This property is optional. | None |
| VDM_IP_PROTOCOL_USAGE | Specifies the IP version that Horizon 7 components use for communication. The possible values are IPv4 and IPv6. | IPv4 |
| VDM_FIPS_ENABLED | Specifies whether to enable or disable FIPS mode. A value of 1 enables FIPS mode. A value of 0 disables FIPS mode. If this property is set to 1 and Windows is not in FIPS mode, the installer will abort. | 0 |
Configure a Security Server Pairing Password
Before you can install a security server, you must configure a security server pairing password. When you
install a security server with the Connection Server installation program, the program prompts you for this
password during the installation process.
The security server pairing password is a one-time password that permits a security server to be paired
with a Connection Server instance. The password becomes invalid after you provide it to the Connection
Server installation program.
Note You cannot pair an older version of security server with the current version of Connection Server. If
you configure a pairing password on the current version of Connection Server and try to install an older
version of security server, the pairing password will be invalid.
Procedure
1 In Horizon Administrator, select View Configuration > Servers.
2 In the Connection Servers tab, select the Connection Server instance to pair with the security server.
3 From the More Commands drop-down menu, select Specify Security Server Pairing Password.
4 Type the password in the Pairing password and Confirm password text boxes and specify a password
timeout value.
You must use the password within the specified timeout period.
5 Click OK to configure the password.
What to do next
Install a security server. See Install a Security Server.
Important If you do not provide the security server pairing password to the Connection Server
installation program within the password timeout period, the password becomes invalid and you must
configure a new password.
Install a Security Server
A security server is an instance of Connection Server that adds an additional layer of security between
the Internet and your internal network. You can install one or more security servers to be connected to a
Connection Server instance.
The security server software cannot coexist on the same virtual or physical machine with any other
Horizon 7 software component, including a replica server, Connection Server, View Composer, Horizon
Agent, or Horizon Client.
Prerequisites
- Determine the type of topology to use. For example, determine which load balancing solution to use.
  Decide if the Connection Server instances that are paired with security servers will be dedicated to
  users of the external network. For information, see the View Architecture Planning document.
  Important If you use a load balancer, it must have an IP address that does not change. In an IPv4
  environment, configure a static IP address. In an IPv6 environment, machines automatically get IP
  addresses that do not change.
- Verify that your installation satisfies the requirements described in Horizon Connection Server
  Requirements.
- Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection
  Server.
- Verify that the Connection Server instance to be paired with the security server is installed and
  configured and is running a Connection Server version that is compatible with the security server
  version. See "View Component Compatibility Matrix" in the View Upgrades document.
- Verify that the Connection Server instance to be paired with the security server is accessible to the
  computer on which you plan to install the security server.
- Configure a security server pairing password. See Configure a Security Server Pairing Password.
- Familiarize yourself with the format of external URLs. See Configuring External URLs for Secure
  Gateway and Tunnel Connections.
- Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is
  recommended that you turn this setting to on for all profiles. By default, IPsec rules govern
  connections between security server and View Connection Server and require Windows Firewall with
  Advanced Security to be enabled.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for a
  security server. See Firewall Rules for Horizon Connection Server.
- If your network topology includes a back-end firewall between the security server and Connection
  Server, you must configure the firewall to support IPsec. See Configuring a Back-End Firewall to
  Support IPsec.
- If you are upgrading or reinstalling the security server, verify that the existing IPsec rules for the
  security server were removed. See Remove IPsec Rules for the Security Server.
- If you are installing Horizon 7 in FIPS mode, you must deselect the global setting Use IPSec for
  Security Server Connections in Horizon Administrator, because in FIPS mode, you must configure
  IPsec manually after installing a security server.
Procedure
1 Download the Connection Server installer file from the VMware download site at
https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes
Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where
xxxxxx is the build number and y.y.y is the version number.
2 To start the Connection Server installation program, double-click the installer file.
3 Accept the VMware license terms.
4 Accept or change the destination folder.
5 Select the View Security Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
You must install all Horizon 7 components with the same IP version.
7 Select whether to enable or disable FIPS mode.
This option is available only if FIPS mode is enabled in Windows.
8 Type the fully qualified domain name or IP address of the Connection Server instance to pair with the
security server in the Server text box.
The security server forwards network traffic to this Connection Server instance.
9 Type the security server pairing password in the Password text box.
If the password has expired, you can use Horizon Administrator to configure a new password and
type the new password in the installation program.
10 In the External URL text box, type the external URL of the security server for client endpoints that
use the RDP or PCoIP display protocols.
The URL must contain the protocol, client-resolvable security server name, and port number. Tunnel
clients that run outside of your network use this URL to connect to the security server.
For example: https://view.example.com:443
11 In the PCoIP External URL text box, type the external URL of the security server for client endpoints
that use the PCoIP display protocol.
In an IPv4 environment, specify the PCoIP external URL as an IP address with the port number 4172.
In an IPv6 environment, you can specify an IP address or a fully qualified domain name, and the port
number 4172. In either case, do not include a protocol name.
For example, in an IPv4 environment: 10.20.30.40:4172
Clients must be able to use the URL to reach the security server.
12 In the Blast External URL text box, type the external URL of the security server for users who use
HTML Access to connect to remote desktops.
The URL must contain the HTTPS protocol, client-resolvable host name, and port number.
For example: https://myserver.example.com:8443
By default, the URL includes the FQDN of the secure tunnel external URL and the default port
number, 8443. The URL must contain the FQDN and port number that a client system can use to
reach this security server.
13 Choose how to configure the Windows Firewall service.
| Option | Action |
|---|---|
| Configure Windows Firewall automatically | Let the installer configure Windows Firewall to allow the required network connections. |
| Do not configure Windows Firewall | Configure the Windows firewall rules manually. Select this option only if your organization uses its own predefined rules for configuring Windows Firewall. |
14 Complete the installation wizard to finish installing the security server.
The security server services are installed on the Windows Server computer:
- VMware Horizon View Security Server
- VMware Horizon View Framework Component
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Blast Secure Gateway
For information about these services, see the View Administration document.
The security server appears in the Security Servers pane in Horizon Administrator.
The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the
security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect
to the security server on TCP port 8443.
Note If the installation is cancelled or aborted, you might have to remove IPsec rules for the security
server before you can begin the installation again. Take this step even if you already removed IPsec rules
prior to reinstalling or upgrading security server. For instructions on removing IPsec rules, see Remove
IPsec Rules for the Security Server.
What to do next
Configure an SSL server certificate for the security server. See Chapter 8 Configuring SSL Certificates for
Horizon 7 Servers.
You might have to configure client connection settings for the security server, and you can tune Windows
Server settings to support a large deployment. See Configuring Horizon Client Connections and Sizing
Windows Server Settings to Support Your Deployment.
If you are reinstalling the security server and you have a data collector set configured to monitor
performance data, stop the data collector set and start it again.
Install a Security Server Silently
You can use the silent installation feature of the Microsoft Windows Installer (MSI) to install a security
server on several Windows computers. In a silent installation, you use the command line and do not have
to respond to wizard prompts.
With silent installation, you can efficiently deploy Horizon 7 components in a large enterprise.
Prerequisites
- Determine the type of topology to use. For example, determine which load balancing solution to use.
  Decide if the Connection Server instances that are paired with security servers will be dedicated to
  users of the external network. For information, see the View Architecture Planning document.
  Important If you use a load balancer, it must have an IP address that does not change. In an IPv4
  environment, configure a static IP address. In an IPv6 environment, machines automatically get IP
  addresses that do not change.
- Verify that your installation satisfies the requirements described in Horizon Connection Server
  Requirements.
- Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection
  Server.
- Verify that the Connection Server instance to be paired with the security server is installed and
  configured and is running a Connection Server version that is compatible with the security server
  version. See "View Component Compatibility Matrix" in the View Upgrades document.
- Verify that the Connection Server instance to be paired with the security server is accessible to the
  computer on which you plan to install the security server.
- Configure a security server pairing password. See Configure a Security Server Pairing Password.
- Familiarize yourself with the format of external URLs. See Configuring External URLs for Secure
  Gateway and Tunnel Connections.
- Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is
  recommended that you turn this setting to on for all profiles. By default, IPsec rules govern
  connections between security server and Connection Server and require Windows Firewall with
  Advanced Security to be enabled.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for a
  security server. See Firewall Rules for Horizon Connection Server.
- If your network topology includes a back-end firewall between the security server and Connection
  Server, you must configure the firewall to support IPsec. See Configuring a Back-End Firewall to
  Support IPsec.
- If you are upgrading or reinstalling the security server, verify that the existing IPsec rules for the
  security server were removed. See Remove IPsec Rules for the Security Server.
- Familiarize yourself with the MSI installer command-line options. See Microsoft Windows Installer
  Command-Line Options.
- Familiarize yourself with the silent installation properties available with a security server. See Silent
  Installation Properties for a Security Server.
- If you are installing Horizon 7 in FIPS mode, you must deselect the global setting Use IPSec for
  Security Server Connections in Horizon Administrator, because in FIPS mode, you must configure
  IPsec manually after installing a security server.
Procedure
1 Download the Connection Server installer file from the VMware download site at
https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes
Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where
xxxxxx is the build number and y.y.y is the version number.
2 Open a command prompt on the Windows Server computer.
3 Type the installation command on one line.
For example:
VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=3 VDM_SERVER_NAME=cs1.internaldomain.com VDM_SERVER_SS_EXTURL=https://view.companydomain.com:443 VDM_SERVER_SS_PCOIP_IPADDR=10.20.30.40 VDM_SERVER_SS_PCOIP_TCPPORT=4172 VDM_SERVER_SS_PCOIP_UDPPORT=4172 VDM_SERVER_SS_BSG_EXTURL=https://view.companydomain.com:8443 VDM_SERVER_SS_PWD=secret"
The security server services are installed on the Windows Server computer:
- VMware Horizon View Security Server
- VMware Horizon View Framework Component
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Blast Secure Gateway
For information about these services, see the View Administration document.
The security server appears in the Security Servers pane in Horizon Administrator.
The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the
security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect
to the security server on TCP port 8443.
Note If the installation is cancelled or aborted, you might have to remove IPsec rules for the security
server before you can begin the installation again. Take this step even if you already removed IPsec rules
prior to reinstalling or upgrading security server. For instructions on removing IPsec rules, see Remove
IPsec Rules for the Security Server.
What to do next
Configure an SSL server certificate for the security server. See Chapter 8 Configuring SSL Certificates for
Horizon 7 Servers.
You might have to configure client connection settings for the security server, and you can tune Windows
Server settings to support a large deployment. See Configuring Horizon Client Connections and Sizing
Windows Server Settings to Support Your Deployment.
Silent Installation Properties for a Security Server
You can include specific properties when you silently install a security server from the command line. You
must use a PROPERTY=value format so that Microsoft Windows Installer (MSI) can interpret the properties
and values.
Table 7-3. MSI Properties for Silently Installing a Security Server

| MSI Property | Description | Default Value |
|---|---|---|
| INSTALLDIR | The path and folder in which the Connection Server software is installed. For example: INSTALLDIR=""D:\abc\my folder"" The sets of two double quotes that enclose the path permit the MSI installer to interpret the space as a valid part of the path. This MSI property is optional. | %ProgramFiles%\VMware\VMware View\Server |
| VDM_SERVER_INSTANCE_TYPE | The type of Connection Server installation: 1. Standard installation; 2. Replica installation; 3. Security server installation. To install a security server, define VDM_SERVER_INSTANCE_TYPE=3. This MSI property is required when installing a security server. | 1 |
| VDM_SERVER_NAME | The host name or IP address of the existing Connection Server instance to pair with the security server. For example: VDM_SERVER_NAME=cs1.internaldomain.com This MSI property is required. | None |
| VDM_SERVER_SS_EXTURL | The external URL of the security server. The URL must contain the protocol, externally resolvable security server name, and port number. For example: VDM_SERVER_SS_EXTURL=https://view.companydomain.com:443 This MSI property is required. | None |
| VDM_SERVER_SS_PWD | The security server pairing password. For example: VDM_SERVER_SS_PWD=secret This MSI property is required. | None |
| FWCHOICE | The MSI property that determines whether to configure a firewall for the Connection Server instance. A value of 1 configures a firewall. A value of 2 does not configure a firewall. For example: FWCHOICE=1 This MSI property is optional. | 1 |
| VDM_SERVER_SS_PCOIP_IPADDR | The PCoIP Secure Gateway external IP address. In an IPv6 environment, this property can also be set to the FQDN of the PCoIP Secure Gateway. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_IPADDR=10.20.30.40 This property is required if you plan to use the PCoIP Secure Gateway component. | None |
| VDM_SERVER_SS_PCOIP_TCPPORT | The PCoIP Secure Gateway external TCP port number. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_TCPPORT=4172 This property is required if you plan to use the PCoIP Secure Gateway component. | None |
| VDM_SERVER_SS_PCOIP_UDPPORT | The PCoIP Secure Gateway external UDP port number. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_UDPPORT=4172 This property is required if you plan to use the PCoIP Secure Gateway component. | None |
| VDM_SERVER_SS_BSG_EXTURL | The Blast Secure Gateway external URL. The URL must contain the HTTPS protocol, an externally resolvable security server name, and port number. For example: VDM_SERVER_SS_BSG_EXTURL=https://view.companydomain.com:8443 The default port number is 8443. A Blast Secure Gateway must be installed on the security server to allow users to make Web connections to Horizon 7 desktops. | None |
| VDM_SERVER_SS_FORCE_IPSEC | Forces IPsec to be used between the security server and its paired Connection Server instance. By default, an unattended installation and pairing of security server to a Connection Server instance with IPsec disabled causes the pairing to fail. The default value of 1 forces IPsec pairing. Set this value to 0 to allow pairing without IPsec. | 1 |
| VDM_IP_PROTOCOL_USAGE | Specifies the IP version that Horizon 7 components use for communication. The possible values are IPv4 and IPv6. | IPv4 |
| VDM_FIPS_ENABLED | Specifies whether to enable or disable FIPS mode. A value of 1 enables FIPS mode. A value of 0 disables FIPS mode. If this property is set to 1 and Windows is not in FIPS mode, the installer will abort. | 0 |
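A pre-flight check of the Table 7-3 properties before they are handed to the installer, as an added PowerShell example that is not VMware code. It encodes the table's required properties and value formats together with the page's IPsec and FIPS statements; the function name, the severity labels, and the faulty sample set are constructed.

```powershell
# Added example (not VMware code): checks security server silent-install properties
# against Table 7-3. Function name, severities and the faulty sample are constructed.
function Test-SecurityServerProperty {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Property)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Severity, [string]$Message) {
        $findings.Add([pscustomobject]@{ Severity = $Severity; Message = $Message })
    }

    # Properties the table marks as required.
    foreach ($name in 'VDM_SERVER_INSTANCE_TYPE', 'VDM_SERVER_NAME', 'VDM_SERVER_SS_EXTURL', 'VDM_SERVER_SS_PWD') {
        if (-not ([string]$Property[$name])) { Add-Finding 'Error' "$name is required." }
    }
    $type = [string]$Property['VDM_SERVER_INSTANCE_TYPE']
    if ($type -and $type -ne '3') { Add-Finding 'Error' 'VDM_SERVER_INSTANCE_TYPE must be 3 for a security server.' }

    # External URLs: protocol, client-resolvable name, explicit port. Blast must be HTTPS.
    $urlPattern = '^(?<scheme>[a-z][a-z0-9+.-]*)://(?<host>\[[0-9a-f:.]+\]|[^/:\s\[\]]+):(?<port>\d{1,5})/?$'
    foreach ($name in 'VDM_SERVER_SS_EXTURL', 'VDM_SERVER_SS_BSG_EXTURL') {
        $value = [string]$Property[$name]
        if (-not $value) { continue }
        if ($value -match $urlPattern) {
            if ($name -eq 'VDM_SERVER_SS_BSG_EXTURL' -and $Matches['scheme'] -ne 'https') {
                Add-Finding 'Error' "$name must use the HTTPS protocol."
            }
        } else {
            Add-Finding 'Error' "$name must contain the protocol, host name, and port number."
        }
    }

    # PCoIP Secure Gateway: address and both ports are required together.
    $pcoip = 'VDM_SERVER_SS_PCOIP_IPADDR', 'VDM_SERVER_SS_PCOIP_TCPPORT', 'VDM_SERVER_SS_PCOIP_UDPPORT'
    $present = @($pcoip | Where-Object { [string]$Property[$_] })
    if ($present.Count -gt 0 -and $present.Count -lt 3) {
        Add-Finding 'Error' ('PCoIP Secure Gateway needs all of: ' + ($pcoip -join ', '))
    }
    $ipVersion = [string]$Property['VDM_IP_PROTOCOL_USAGE']
    if (-not $ipVersion) { $ipVersion = 'IPv4' }           # table default
    if ($ipVersion -notin 'IPv4', 'IPv6') { Add-Finding 'Error' 'VDM_IP_PROTOCOL_USAGE must be IPv4 or IPv6.' }
    $address = [string]$Property['VDM_SERVER_SS_PCOIP_IPADDR']
    $parsed = $null
    if ($address -and $ipVersion -eq 'IPv4' -and
        -not ([ipaddress]::TryParse($address, [ref]$parsed) -and $parsed.AddressFamily -eq 'InterNetwork')) {
        Add-Finding 'Error' 'In an IPv4 environment VDM_SERVER_SS_PCOIP_IPADDR must be an IPv4 address, not a name.'
    }
    foreach ($name in 'VDM_SERVER_SS_PCOIP_TCPPORT', 'VDM_SERVER_SS_PCOIP_UDPPORT') {
        $value = [string]$Property[$name]
        if ($value -and ($value -notmatch '^\d{1,5}$' -or [int]$value -lt 1 -or [int]$value -gt 65535)) {
            Add-Finding 'Error' "$name must be a port number between 1 and 65535."
        }
    }

    # Properties with a fixed value set.
    $allowed = @{ FWCHOICE = '1', '2'; VDM_FIPS_ENABLED = '0', '1'; VDM_SERVER_SS_FORCE_IPSEC = '0', '1' }
    foreach ($name in $allowed.Keys) {
        $value = [string]$Property[$name]
        if ($value -and $value -notin $allowed[$name]) {
            Add-Finding 'Error' "$name must be one of: $($allowed[$name] -join ', ')."
        }
    }

    # Settings that change the security posture of the pairing.
    $forceIpsec = [string]$Property['VDM_SERVER_SS_FORCE_IPSEC']
    if ($forceIpsec -eq '0') { Add-Finding 'Warning' 'VDM_SERVER_SS_FORCE_IPSEC=0 allows pairing without IPsec.' }
    if (([string]$Property['VDM_FIPS_ENABLED']) -eq '1' -and $forceIpsec -ne '0') {
        Add-Finding 'Warning' ('FIPS mode requires IPsec to be deselected in Horizon Administrator; ' +
            'unattended pairing with IPsec disabled fails unless VDM_SERVER_SS_FORCE_IPSEC=0.')
    }
    if (([string]$Property['FWCHOICE']) -eq '2') {
        Add-Finding 'Warning' 'FWCHOICE=2: Windows Firewall rules must be configured manually.'
    }
    $findings
}

# --- Demo: the page's example values, then a constructed faulty set ---
$fromPage = [ordered]@{
    VDM_SERVER_INSTANCE_TYPE    = 3
    VDM_SERVER_NAME             = 'cs1.internaldomain.com'
    VDM_SERVER_SS_EXTURL        = 'https://view.companydomain.com:443'
    VDM_SERVER_SS_PCOIP_IPADDR  = '10.20.30.40'
    VDM_SERVER_SS_PCOIP_TCPPORT = 4172
    VDM_SERVER_SS_PCOIP_UDPPORT = 4172
    VDM_SERVER_SS_BSG_EXTURL    = 'https://view.companydomain.com:8443'
    VDM_SERVER_SS_PWD           = '<pairing-password>'   # placeholder
}
$faulty = [ordered]@{
    VDM_SERVER_INSTANCE_TYPE    = 3
    VDM_SERVER_NAME             = 'cs1.internaldomain.com'
    VDM_SERVER_SS_EXTURL        = 'view.companydomain.com'          # no protocol or port
    VDM_SERVER_SS_PCOIP_IPADDR  = 'view.companydomain.com'          # name in an IPv4 environment
    VDM_SERVER_SS_PCOIP_TCPPORT = 4172                              # UDP port missing
    VDM_SERVER_SS_BSG_EXTURL    = 'http://view.companydomain.com:8443'
    VDM_SERVER_SS_FORCE_IPSEC   = 0                                 # pairing password also missing
}
"Findings for the page's example: $(@(Test-SecurityServerProperty -Property $fromPage).Count)"
Test-SecurityServerProperty -Property $faulty | Format-Table -AutoSize -Wrap
```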
Remove IPsec Rules for the Security Server
Before you can upgrade or reinstall a security server instance, you must remove the current IPsec rules
that govern communication between the security server and its paired Connection Server instance. If you
do not take this step, the upgrade or reinstallation fails.
By default, communication between a security server and its paired Connection Server instance is
governed by IPsec rules. When you upgrade or reinstall the security server and pair it again with the
Connection Server instance, a new set of IPsec rules must be established. If the existing IPsec rules are
not removed before you upgrade or reinstall, the pairing fails.
You must take this step when you upgrade or reinstall a security server and are using IPsec to protect
communication between the security server and Connection Server.
You can configure an initial security server pairing without using IPsec rules. Before you install the
security server, you can open Horizon Administrator and deselect the global setting Use IPSec for
Security Server Connections, which is enabled by default. If IPsec rules are not in effect, you do not
have to remove them before you upgrade or reinstall.
Note You do not have to remove a security server from Horizon Administrator before you upgrade or
reinstall the security server. Remove a security server from Horizon Administrator only if you intend to
remove the security server permanently from the Horizon 7 environment.
With View 5.0.x and earlier releases, you could remove a security server either from within the Horizon
Administrator user interface or by using the vdmadmin -S command-line command. In View 5.1 and later
releases, you must use vdmadmin -S. See "Removing the Entry for a Horizon Connection Server
Instance or Security Server Using the -S Option" in the View Administration document.
Caution If you remove the IPsec rules for an active security server, all communication with the security
server is lost until you upgrade or reinstall the security server. Therefore, if you use a load balancer to
manage a group of security servers, perform this procedure on one server and then upgrade that server
before removing IPsec rules for the next server. You can remove servers from production and add them
back one-by-one in this manner to avoid requiring any downtime for your end users.
Procedure
1 In Horizon Administrator, click View Configuration > Servers.
2 In the Security Servers tab, select a security server and click More Commands > Prepare for
Upgrade or Reinstallation.
If you disabled IPsec rules before you installed the security server, this setting is inactive. In this case,
you do not have to remove IPsec rules before you reinstall or upgrade.
3 Click OK.
The IPsec rules are removed and the Prepare for Upgrade or Reinstallation setting becomes inactive,
indicating that you can reinstall or upgrade the security server.
What to do next
Upgrade or reinstall the security server.
Firewall Rules for Horizon Connection Server
Certain ports must be opened on the firewall for Connection Server instances and security servers.
When you install Connection Server, the installation program can optionally configure the required
Windows Firewall rules for you. These rules open the ports that are used by default. If you change the
default ports after installation, you must manually configure Windows Firewall to allow Horizon Client
devices to connect to Horizon 7 through the updated ports.
The following table lists the default ports that can be opened automatically during installation. Ports are
incoming unless otherwise noted.
Table 7‑4. Ports Opened During Horizon Connection Server Installation
Protocol Ports Horizon Connection Server Instance Type
JMS TCP 4001 Standard and replica
JMS TCP 4002 Standard and replica
JMSIR TCP 4100 Standard and replica
JMSIR TCP 4101 Standard and replica
AJP13 TCP 8009 Standard and replica
HTTP TCP 80 Standard, replica, and security server
HTTPS TCP 443 Standard, replica, and security server
PCoIP TCP 4172 in; UDP 4172 both directions Standard, replica, and security server
HTTPS TCP 8443, UDP 8443 Standard, replica, and security server.
After the initial connection to Horizon 7 is made, the Web browser or client device connects
to the Blast Secure Gateway on TCP port 8443. The Blast Secure Gateway must be
enabled on a security server or View Connection Server instance to allow this second
connection to take place.
HTTPS TCP 8472 Standard and replica. For the Cloud Pod Architecture feature: used for interpod communication.
HTTP TCP 22389 Standard and replica. For the Cloud Pod Architecture feature: used for global LDAP replication.
HTTPS TCP 22636 Standard and replica. For the Cloud Pod Architecture feature: used for secure global LDAP replication.
Configuring a Back-End Firewall to Support IPsec
If your network topology includes a back-end firewall between security servers and Connection Server
instances, you must configure certain protocols and ports on the firewall to support IPsec. Without proper
configuration, data sent between a security server and Connection Server instance will fail to pass
through the firewall.
By default, IPsec rules govern the connections between security servers and Connection Server
instances. To support IPsec, the Connection Server installer can configure Windows firewall rules on the
Windows Server hosts where Horizon 7 servers are installed. For a back-end firewall, you must configure
the rules yourself.
Note It is highly recommended that you use IPsec. As an alternative, you can disable the Horizon
Administrator global setting, Use IPsec for Security Server Connections.
The following rules must allow bidirectional traffic. You might have to specify separate rules for inbound
and outbound traffic on your firewall.
Different rules apply to firewalls that use network address translation (NAT) and those that do not use
NAT.
Table 7‑5. Non-NAT Firewall Requirements to Support IPsec Rules
Source Protocol Port Destination Notes
Security server ISAKMP UDP 500 Horizon Connection Server Security servers use UDP port 500 to
negotiate IPsec security.
Security server ESP N/A Horizon Connection Server ESP protocol encapsulates IPsec encrypted traffic.
You do not have to specify a port for ESP as part of the rule. If necessary, you can
specify source and destination IP addresses to reduce the scope of the rule.
The following rules apply to firewalls that use NAT.
Table 7‑6. NAT Firewall Requirements to Support IPsec Rules
Source Protocol Port Destination Notes
Security server ISAKMP UDP 500 Horizon Connection Server Security servers use UDP port 500 to
initiate IPsec security negotiation.
Security server NAT-T ISAKMP UDP 4500 Horizon Connection Server Security servers use UDP port 4500 to
traverse NATs and negotiate IPsec security.
Reinstall Horizon Connection Server with a Backup
Configuration
In certain situations, you might have to reinstall the current version of a Connection Server instance and
restore the existing Horizon 7 configuration by importing a backup LDIF file that contains the View LDAP
configuration data.
For example, as part of a business continuity and disaster recovery (BC/DR) plan, you might want to have
a procedure ready to implement in case a datacenter stops functioning. The first step in such a plan is to
ensure that the View LDAP configuration is backed up in another location. A second step is to install
Connection Server in the new location and import the backup configuration, as described in this
procedure.
You might also use this procedure when you set up a second datacenter with the existing Horizon 7
configuration. Or you might use it if your Horizon 7 deployment contains only a single Connection Server
instance, and a problem occurs with that server.
You do not have to follow this procedure if you have multiple Connection Server instances in a replicated
group, and a single instance goes down. You can simply reinstall Connection Server as a replicated
instance. During the installation, you provide connection information to another Connection Server
instance, and Horizon 7 restores the View LDAP configuration from the other instance.
Prerequisites
- Verify that the View LDAP configuration was backed up to an encrypted LDIF file.
- Familiarize yourself with restoring a View LDAP configuration from an LDIF backup file by using the
vdmimport command.
See "Backing Up and Restoring Horizon 7 Configuration Data" in the View Administration document.
- Familiarize yourself with the steps for installing a new Connection Server instance. See Install
Horizon Connection Server with a New Configuration.
Procedure
1 Install Connection Server with a new configuration.
2 Decrypt the encrypted LDIF file.
For example:
vdmimport -d -p mypassword -f MyEncryptedexport.LDF > MyDecryptedexport.LDF
3 Import the decrypted LDIF file to restore the View LDAP configuration.
For example:
vdmimport -f MyDecryptedexport.LDF
Note At this stage, the Horizon 7 configuration is not yet accessible. Clients cannot access
Connection Server or connect to their desktops.
4 Uninstall the Connection Server from the computer by using the Windows Add/Remove Programs
utility.
Do not uninstall the View LDAP configuration, called the AD LDS Instance VMwareVDMDS instance.
You can use the Add/Remove Programs utility to verify that the AD LDS Instance VMwareVDMDS
instance was not removed from the Windows Server computer.
5 Reinstall Connection Server.
At the installer prompt, accept the existing View LDAP directory.
What to do next
Configure Connection Server and your Horizon 7 environment as you would after you install a Connection
Server instance with a new configuration.
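Steps 2 and 3 leave a clear-text copy of the View LDAP configuration on disk. The following PowerShell script is an added example, not part of the VMware guide: it runs the two vdmimport commands from those steps and deletes the decrypted LDIF afterwards. It assumes that vdmimport is on the PATH and exits with a non-zero code on failure; the backup path is a placeholder.

```powershell
# Added example: runs steps 2 and 3 so that the decrypted LDIF does not outlive the import.
# Assumptions (not from the guide): vdmimport is on the PATH and returns a non-zero
# exit code on failure. The backup path is a placeholder.
$ErrorActionPreference = 'Stop'
$EncryptedLdif = 'D:\backup\MyEncryptedexport.LDF'

# Prompt for the password instead of storing it in a script file.
$secure = Read-Host -Prompt 'Data recovery password' -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

# Work in a fresh directory under the current user's profile.
$workDir   = Join-Path $env:TEMP ('ldif-restore-' + [guid]::NewGuid())
$decrypted = Join-Path $workDir 'MyDecryptedexport.LDF'
New-Item -ItemType Directory -Path $workDir | Out-Null

try {
    # Step 2: decrypt. -RedirectStandardOutput writes the tool's output bytes unchanged;
    # the '>' operator in Windows PowerShell would re-encode the LDIF as UTF-16.
    # The password still appears on the vdmimport command line, as in the guide's example.
    # A password that contains a double quote would need extra escaping here.
    $decryptArgs = '-d -p "{0}" -f "{1}"' -f $plain, $EncryptedLdif
    $p = Start-Process -FilePath 'vdmimport' -ArgumentList $decryptArgs `
            -RedirectStandardOutput $decrypted -NoNewWindow -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Decrypt failed with exit code $($p.ExitCode)." }
    if ((Get-Item -Path $decrypted).Length -eq 0) { throw 'Decrypted LDIF is empty.' }

    # Step 3: import the decrypted file to restore the View LDAP configuration.
    $importArgs = '-f "{0}"' -f $decrypted
    $p = Start-Process -FilePath 'vdmimport' -ArgumentList $importArgs `
            -NoNewWindow -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Import failed with exit code $($p.ExitCode)." }
    Write-Output 'View LDAP configuration imported. Continue with step 4.'
}
finally {
    # Runs on success and on failure: remove the clear-text configuration copy.
    Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
    $plain = $null
}
```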
Microsoft Windows Installer Command-Line Options
To install Horizon 7 components silently, you must use Microsoft Windows Installer (MSI) command-line
options and properties. The Horizon 7 component installers are MSI programs and use standard MSI
features.
For details about MSI, see the Microsoft Web site. For MSI command-line options, see the Microsoft
Developer Network (MSDN) Library Web site and search for MSI command-line options. To see MSI
command-line usage, you can open a command prompt on the Horizon 7 component computer and type
msiexec /?.
To run a Horizon 7 component installer silently, you begin by silencing the bootstrap program that extracts
the installer into a temporary directory and starts an interactive installation.
At the command line, you must enter command-line options that control the installer's bootstrap program.
Table 7‑7. Command-Line Options for a Horizon 7 Component's Bootstrap Program
Option Description
/s Disables the bootstrap splash screen and extraction dialog, which prevents the display of
interactive dialogs.
For example: VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s
The /s option is required to run a silent installation.
/v"MSI_command_line_options" Instructs the installer to pass the double-quote-enclosed string that
you enter at the command line as a set of options for MSI to interpret. You must enclose your
command-line entries between double quotes. Place a double quote after the /v and at the end of the
command line.
For example: VMware-viewagent-y.y.y-xxxxxx.exe /s /v"command_line_options"
To instruct the MSI installer to interpret a string that contains spaces, enclose the string in two
sets of double quotes. For example, you might want to install the Horizon 7 component in an
installation path name that contains spaces.
For example: VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"command_line_options INSTALLDIR=""d:\abc\my folder"""
In this example, the MSI installer passes on the installation-directory path and does not
attempt to interpret the string as two command-line options. Note the final double quote that
encloses the entire command line.
The /v"command_line_options" option is required to run a silent installation.
You control the remainder of a silent installation by passing command-line options and MSI property
values to the MSI installer, msiexec.exe. The MSI installer includes the Horizon 7 component's
installation code. The installer uses the values and options that you enter in the command line to interpret
installation choices and setup options that are specific to the Horizon 7 component.
Table 7‑8. MSI Command-Line Options and MSI Properties
MSI Option or Property Description
/qn Instructs the MSI installer not to display the installer wizard pages.
For example, you might want to install Horizon Agent silently and use only default setup options and
features:
VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn"
Alternatively, you can use the /qb option to display a basic progress dialog box in a noninteractive,
automated installation.
The /qn or /qb option is required to run a silent installation.
For information about additional /q parameters, see the Microsoft Dev Center website.
INSTALLDIR Specifies an alternative installation path for the Horizon 7 component.
Use the format INSTALLDIR=path to specify an installation path. You can ignore this MSI property if you
want to install the Horizon 7 component in the default path.
This MSI property is optional.
ADDLOCAL Determines the component-specific options to install.
In an interactive installation, the Horizon 7 installer displays custom setup options that you can select or
deselect. In a silent installation, you can use the ADDLOCAL property to selectively install individual setup
options by specifying the options on the command line. Options that you do not explicitly specify are not
installed.
In both interactive and silent installations, the Horizon 7 installer automatically installs certain features.
You cannot use ADDLOCAL to control whether or not to install these non-optional features.
Type ADDLOCAL=ALL to install all custom setup options that can be installed during an interactive
installation, including those that are installed by default and those that you must select to install, except
NGVC. NGVC and SVIAgent are mutually exclusive.
The following example installs Core, BlastProtocol, PCoIP, UnityTouch, VmVideo, PSG, and all features
that are supported on the guest operating system:
VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn ADDLOCAL=ALL"
If you do not use the ADDLOCAL property, the custom setup options that are installed by default and the
automatically installed features are installed. Custom setup options that are off (unselected) by default are
not installed.
The following example installs Core, BlastProtocol, PCoIP, UnityTouch, VmVideo, PSG, and the
on-by-default custom setup options that are supported on the guest operating system:
VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn"
To specify individual setup options, type a comma-separated list of setup option names. Do not use
spaces between names. Use the format ADDLOCAL=value,value,value....
You must include Core when you use the ADDLOCAL=value,value,value... property.
The following example installs Horizon Agent with the Core, BlastProtocol, PCoIP, UnityTouch, VmVideo,
PSG, Instant Clone Agent, and Virtual Printing features:
VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn ADDLOCAL=Core,NGVC,ThinPrint"
The preceding example does not install other components, even those that are installed by default
interactively.
The ADDLOCAL MSI property is optional.
REBOOT You can use the REBOOT=ReallySuppress option to allow system configuration tasks to complete before
the system reboots.
This MSI property is optional.
/l*v log_file Writes logging information into the specified log file with verbose output.
For example: /l*v ""%TEMP%\vmmsi.log""
This example generates a detailed log file that is similar to the log generated during an interactive
installation.
You can use this option to record custom features that might apply uniquely to your installation. You can
use the recorded information to specify installation features in future silent installations.
The /l*v option is optional.
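The quoting and ADDLOCAL rules in Tables 7-7 and 7-8 are easy to get wrong when the command line is assembled by a deployment script. The following PowerShell function is an added example, not VMware's code: it builds the bootstrap argument string and rejects ADDLOCAL lists that break the rules stated above. The function and parameter names are hypothetical; the installer file name is the placeholder used in this guide.

```powershell
# Added example, not VMware's code. Builds the bootstrap argument string
#   /s /v"<MSI options and properties>"
# using the quoting and ADDLOCAL rules from Tables 7-7 and 7-8.
function New-HorizonSilentArgs {
    param(
        [string[]]$AddLocal,      # setup option names, or 'ALL'; omit to install the defaults
        [string]$InstallDir,      # optional INSTALLDIR path
        [string]$LogFile,         # optional /l*v log path
        [switch]$ProgressBar,     # use /qb instead of /qn
        [switch]$SuppressReboot   # adds REBOOT=ReallySuppress
    )

    # Inside /v"...", a path is wrapped in two sets of double quotes.
    function Format-VQuoted([string]$Value) {
        if ($Value.Contains('"')) { throw "Value must not contain a double quote: $Value" }
        return '""' + $Value + '""'
    }

    $msi = New-Object System.Collections.Generic.List[string]
    if ($ProgressBar) { $msi.Add('/qb') } else { $msi.Add('/qn') }

    if ($InstallDir) { $msi.Add('INSTALLDIR=' + (Format-VQuoted $InstallDir)) }

    if ($AddLocal) {
        $names = @($AddLocal)
        foreach ($n in $names) {
            # No spaces between names; commas only as separators.
            if ($n -notmatch '^[A-Za-z0-9_]+$') {
                throw "Invalid ADDLOCAL name '$n': spaces, commas and quotes are not allowed."
            }
        }
        # MSI feature names are case sensitive, so compare with -ccontains.
        if (($names -cnotcontains 'ALL') -and ($names -cnotcontains 'Core')) {
            throw 'ADDLOCAL must include Core when individual setup options are listed.'
        }
        if (($names -ccontains 'NGVC') -and ($names -ccontains 'SVIAgent')) {
            throw 'NGVC and SVIAgent are mutually exclusive.'
        }
        $msi.Add('ADDLOCAL=' + ($names -join ','))
    }

    if ($SuppressReboot) { $msi.Add('REBOOT=ReallySuppress') }
    if ($LogFile)        { $msi.Add('/l*v ' + (Format-VQuoted $LogFile)) }

    # The final double quote closes the whole /v"..." string.
    return '/s /v"' + ($msi -join ' ') + '"'
}

# Placeholder installer name from the guide; replace with the real file name.
$installer = '.\VMware-viewagent-y.y.y-xxxxxx.exe'
$argLine = New-HorizonSilentArgs -AddLocal Core, NGVC, ThinPrint `
    -InstallDir 'd:\abc\my folder' -LogFile (Join-Path $env:TEMP 'vmmsi.log')
Write-Output "$installer $argLine"

if (Test-Path -Path $installer) {
    # A single argument string is passed through unchanged, so the doubled quotes survive.
    $p = Start-Process -FilePath $installer -ArgumentList $argLine -Wait -PassThru
    Write-Output "Installer exit code: $($p.ExitCode)"
}
```

The log path uses $env:TEMP because %TEMP% is expanded only by the command prompt, not by Start-Process.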
Uninstalling Horizon 7 Components Silently by Using MSI
Command-Line Options
You can uninstall Horizon 7 components by using Microsoft Windows Installer (MSI) command-line
options.
Syntax
msiexec.exe /qb /x product_code
Options
The /qb option displays the uninstall progress bar. To suppress displaying the uninstall progress bar,
replace the /qb option with the /qn option.
The /x option uninstalls the Horizon 7 component.
The product_code string identifies the Horizon 7 component product files to the MSI uninstaller. You can
find the product_code string by searching for ProductCode in the %TEMP%\vmmsi.log file that is created
during the installation. To find the product_code string that applies to older versions of Horizon 7
components, see the VMware Knowledge Base (KB) article at http://kb.vmware.com/kb/2064845.
For information about MSI command-line options, see Microsoft Windows Installer Command-Line
Options.
Uninstall a Horizon Agent Example
To uninstall a 32-bit Horizon Agent version 7.0.2, enter the following command:
msiexec.exe /qb /x {B23352D8-AD44-4379-A56E-0E337F9C4036}
To uninstall a 64-bit Horizon Agent version 7.0.2, enter the following command:
msiexec.exe /qb /x {53D6EE37-6B10-4963-81B1-8E2972A1DA4D}
Add a verbose log to the command.
/l*v "%TEMP%\vmmsi_uninstall.log"
If you do not explicitly pass the /l option, the default verbose log file is %TEMP%\MSInnnn.log, where
nnnn is a four-character GUID.
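The lookup described under Options (search the installation log for ProductCode, then pass the value to msiexec /x) can be scripted. The following PowerShell is an added example, not VMware's code; the function names are hypothetical, and the sample log lines are constructed, using the 32-bit Horizon Agent 7.0.2 product code quoted above.

```powershell
# Added example, not VMware's code.
function Get-MsiProductCode {
    param([string[]]$LogLines)

    $pattern = 'ProductCode\s*=\s*(\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\})'
    $codes = New-Object System.Collections.Generic.HashSet[string]
    foreach ($line in $LogLines) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) { [void]$codes.Add($m.Groups[1].Value.ToUpperInvariant()) }
    }
    if ($codes.Count -eq 0) { throw 'No ProductCode entry found in the log.' }
    if ($codes.Count -gt 1) {
        # A log that names several products is ambiguous; do not guess.
        throw "Log names more than one ProductCode: $(@($codes) -join ', ')"
    }
    return @($codes)[0]
}

function New-HorizonUninstallArgs {
    param([string]$ProductCode, [string]$LogFile, [switch]$NoProgressBar)
    $ui = if ($NoProgressBar) { '/qn' } else { '/qb' }
    return ('{0} /x {1} /l*v "{2}"' -f $ui, $ProductCode, $LogFile)
}

function Invoke-HorizonUninstall {
    param([string]$ArgumentLine)
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $ArgumentLine -Wait -PassThru
    switch ($p.ExitCode) {
        0       { 'Uninstalled.' }
        3010    { 'Uninstalled; a reboot is required.' }
        1641    { 'Uninstalled; the installer initiated a reboot.' }
        1605    { 'The product code is not installed on this computer.' }
        default { "msiexec returned exit code $($p.ExitCode); see the verbose log." }
    }
}

# Constructed sample of verbose-log property lines, used when no real log is present.
$sample = @(
    'MSI (s) (5C:F0) [10:15:02:101]: Doing action: InstallFinalize',
    'Property(S): ProductCode = {B23352D8-AD44-4379-A56E-0E337F9C4036}',
    'Property(C): ProductCode = {B23352D8-AD44-4379-A56E-0E337F9C4036}',
    'Property(S): ProductLanguage = 1033'
)

$installLog = Join-Path $env:TEMP 'vmmsi.log'
$lines = if (Test-Path -Path $installLog) { Get-Content -Path $installLog } else { $sample }

$code          = Get-MsiProductCode -LogLines $lines
$uninstallLog  = Join-Path $env:TEMP 'vmmsi_uninstall.log'
$uninstallArgs = New-HorizonUninstallArgs -ProductCode $code -LogFile $uninstallLog
Write-Output "msiexec.exe $uninstallArgs"

# Review the printed command, then run it from an elevated session:
# Invoke-HorizonUninstall -ArgumentLine $uninstallArgs
```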
The Horizon Agent uninstallation process retains some registry keys. These keys are required for
retaining the Connection Server configuration information that enables the remote desktop to continue
being paired with the Connection Server even if the agent is uninstalled and then reinstalled. Removing
these registry keys will break that pairing.
The following registry keys are retained:
- HKLM\SOFTWARE\Microsoft\SystemCertificates\VMware Horizon View Certificates\*
- HKLM\SOFTWARE\Microsoft\SystemCertificates\VMwareView\Certificates\*
- HKLM\SOFTWARE\Microsoft\SystemCertificates\VMwareView\CRLs
- HKLM\SOFTWARE\Microsoft\SystemCertificates\VMwareView\CTLs
- HKLM\SOFTWARE\Policies\VMware, Inc.\VMware VDM\*
- HKLM\SOFTWARE\Policies\VMware, Inc.\vRealize Operations for Horizon\*
- HKLM\SOFTWARE\VMware, Inc.\VMware VDM\*
- HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\VMware Horizon View Certificates\*
- HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\VMwareView\*
- HKLM\SOFTWARE\Wow6432Node\Policies\VMware, Inc.\VMware VDM\*
- HKLM\SOFTWARE\Wow6432Node\Policies\VMware, Inc.\vRealize Operations for Horizon\*
- HKLM\SOFTWARE\Wow6432Node\VMware, Inc.
- HKLM\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM
Configuring SSL Certificates for
Horizon 7 Servers 8
VMware strongly recommends that you configure SSL certificates for authentication of Connection Server
instances, security servers, and View Composer service instances.
A default SSL server certificate is generated when you install Connection Server instances, security
servers, or View Composer instances. You can use the default certificate for testing purposes.
Important Replace the default certificate as soon as possible. The default certificate is not signed by a
Certificate Authority (CA). Use of certificates that are not signed by a CA can allow untrusted parties to
intercept traffic by masquerading as your server.
This section includes the following topics:
- Understanding SSL Certificates for Horizon 7 Servers
- Overview of Tasks for Setting Up SSL Certificates
- Obtaining a Signed SSL Certificate from a CA
- Configure Horizon Connection Server, Security Server, or View Composer to Use a New SSL
Certificate
- Configure Client Endpoints to Trust Root and Intermediate Certificates
- Configuring Certificate Revocation Checking on Server Certificates
- Configure the PCoIP Secure Gateway to Use a New SSL Certificate
- Setting Horizon Administrator to Trust a vCenter Server or View Composer Certificate
- Benefits of Using SSL Certificates Signed by a CA
- Troubleshooting Certificate Issues on Horizon Connection Server and Security Server
Understanding SSL Certificates for Horizon 7 Servers
You must follow certain guidelines for configuring SSL certificates for Horizon 7 servers and related
components.
Horizon Connection Server and Security Server
SSL is required for client connections to a server. Client-facing Connection Server instances, security
servers, and intermediate servers that terminate SSL connections require SSL server certificates.
By default, when you install Connection Server or security server, the installation generates a self-signed
certificate for the server. However, the installation uses an existing certificate in the following cases:
- If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store.
- If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on
the Windows Server computer. The installation extracts the keys and certificates and imports them
into the Windows Certificate Store.
vCenter Server and View Composer
Before you add vCenter Server and View Composer to Horizon 7 in a production environment, make sure
that vCenter Server and View Composer use certificates that are signed by a CA.
For information about replacing the default certificate for vCenter Server, see "Replacing vCenter Server
Certificates" on the VMware Technical Papers site at http://www.vmware.com/resources/techresources/.
If you install vCenter Server and View Composer on the same Windows Server host, they can use the
same SSL certificate, but you must configure the certificate separately for each component.
PCoIP Secure Gateway
To comply with industry or jurisdiction security regulations, you can replace the default SSL certificate that
is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA.
Configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for
deployments that require you to use security scanners to pass compliance testing. See Configure the
PCoIP Secure Gateway to Use a New SSL Certificate.
Blast Secure Gateway
By default, the Blast Secure Gateway (BSG) uses the SSL certificate that is configured for the Connection
Server instance or security server on which the BSG is running. If you replace the default, self-signed
certificate for a server with a CA-signed certificate, the BSG also uses the CA-signed certificate.
SAML 2.0 Authenticator
VMware Identity Manager uses SAML 2.0 authenticators to provide Web-based authentication and
authorization across security domains. If you want Horizon 7 to delegate authentication to
VMware Identity Manager, you can configure Horizon 7 to accept SAML 2.0 authenticated sessions from
VMware Identity Manager. When VMware Identity Manager is configured to support Horizon 7,
VMware Identity Manager users can connect to remote desktops by selecting desktop icons on the
Horizon User Portal.
In Horizon Administrator, you can configure SAML 2.0 authenticators for use with Connection Server
instances.
Before you add a SAML 2.0 authenticator in Horizon Administrator, make sure that the SAML 2.0
authenticator uses a certificate that is signed by a CA.
Additional Guidelines
For general information about requesting and using SSL certificates that are signed by a CA, see Benefits
of Using SSL Certificates Signed by a CA.
When client endpoints connect to a Connection Server instance or security server, they are presented
with the server's SSL server certificate and any intermediate certificates in the trust chain. To trust the
server certificate, the client systems must have installed the root certificate of the signing CA.
When Connection Server communicates with vCenter Server and View Composer, Connection Server is
presented with SSL server certificates and intermediate certificates from these servers. To trust the
vCenter Server and View Composer servers, the Connection Server computer must have installed the
root certificate of the signing CA.
Similarly, if a SAML 2.0 authenticator is configured for Connection Server, the Connection Server
computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.
Overview of Tasks for Setting Up SSL Certificates
To set up SSL server certificates for Horizon 7 servers, you must perform several high-level tasks.
In a pod of replicated Connection Server instances, you must perform these tasks on all instances in the
pod.
The procedures for carrying out these tasks are described in the topics that follow this overview.
1 Determine if you need to obtain a new signed SSL certificate from a CA.
If your organization already has a valid SSL server certificate, you can use that certificate to replace
the default SSL server certificate provided with Connection Server, security server, or View
Composer. To use an existing certificate, you also need the accompanying private key.
Starting Place Action
Your organization provided you with a valid SSL server certificate. Go directly to step 2.
You do not have an SSL server certificate. Obtain a signed SSL server certificate from a CA.
2 Import the SSL certificate into the Windows local computer certificate store on the Horizon 7 server
host.
3 For Connection Server instances and security servers, modify the certificate Friendly name to vdm.
Assign the Friendly name vdm to only one certificate on each Horizon 7 server host.
4 On Connection Server computers, if the root certificate is not trusted by the Windows Server host,
import the root certificate into the Windows local computer certificate store.
In addition, if the Connection Server instances do not trust the root certificates of the SSL server
certificates configured for security server, View Composer, and vCenter Server hosts, you also must
import those root certificates. Take these steps for Connection Server instances only. You do not have
to import the root certificate to View Composer, vCenter Server, or security server hosts.
5 If your server certificate was signed by an intermediate CA, import the intermediate certificates into
the Windows local computer certificate store.
To simplify client configuration, import the entire certificate chain into the Windows local computer
certificate store. If intermediate certificates are missing from the Horizon 7 server, they must be
configured for clients and computers that launch Horizon Administrator.
6 For View Composer instances, take one of these steps:
- If you import the certificate into the Windows local computer certificate store before you install
View Composer, you can select your certificate during the View Composer installation.
- If you intend to replace an existing certificate or the default, self-signed certificate with a new
certificate after you install View Composer, run the SviConfig ReplaceCertificate utility to
bind the new certificate to the port used by View Composer.
7 If your CA is not well known, configure clients to trust the root and intermediate certificates.
Also ensure that the computers on which you launch Horizon Administrator trust the root and
intermediate certificates.
8 Determine whether to reconfigure certificate revocation checking.
Connection Server performs certificate revocation checking on Horizon 7 servers, View Composer,
and vCenter Server. Most certificates signed by a CA include certificate revocation information. If your
CA does not include this information, you can configure the server not to check certificates for
revocation.
If a SAML authenticator is configured for use with a Connection Server instance, Connection Server
also performs certificate revocation checking on the SAML server certificate.
Obtaining a Signed SSL Certificate from a CA
If your organization does not provide you with an SSL server certificate, you must request a new
certificate that is signed by a CA.
You can use several methods to obtain a new signed certificate. For example, you can use the Microsoft
certreq utility to generate a Certificate Signing Request (CSR) and submit a certificate request to a CA.
See the Scenarios for Setting Up SSL Certificates for View document for an example that shows you how
to use certreq to accomplish this task.
For testing purposes, you can obtain a free temporary certificate based on an untrusted root from many
CAs.
Important You must follow certain rules and guidelines when you obtain signed SSL certificates from a
CA.
- When you generate a certificate request on a computer, make sure that a private key is generated
also. When you obtain the SSL server certificate and import it into the Windows local computer
certificate store, there must be an accompanying private key that corresponds to the certificate.
- To comply with VMware security recommendations, use the fully qualified domain name (FQDN) that
client devices use to connect to the host. Do not use a simple server name or IP address, even for
communications within your internal domain.
- Do not create certificates for servers using a certificate template that is compatible only with a
Windows Server 2008 enterprise CA or later.
- Do not generate certificates for servers using a KeyLength value under 1024. Client endpoints will
not validate a certificate on a server that was generated with a KeyLength under 1024, and the
clients will fail to connect to the server. Certificate validations that are performed by Connection
Server will also fail, resulting in the affected servers showing as red in the Horizon Administrator
dashboard.
For general information about obtaining certificates, consult the Microsoft online help available with the
Certificate Snap-in to MMC. If the Certificate Snap-in is not yet installed on your computer, see Add the
Certificate Snap-In to MMC.
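After a certificate has been imported, the rules above and steps 2 to 5 of the task overview can be checked directly against the Windows local computer certificate store. The following PowerShell script is an added example, not VMware's code: it reports a missing or duplicated Friendly name vdm, a missing private key, an RSA key under 1024 bits, names that are not FQDNs, and chain problems. It treats Subject equal to Issuer as self-signed, which is a heuristic.

```powershell
# Added example, not VMware's code. Run in an elevated session on the
# Connection Server or security server host.
$findings = New-Object System.Collections.Generic.List[string]

$vdm = @(Get-ChildItem -Path Cert:\LocalMachine\My |
         Where-Object { $_.FriendlyName -eq 'vdm' })

if ($vdm.Count -eq 0) {
    $findings.Add('No certificate in LocalMachine\My has the Friendly name vdm.')
}
if ($vdm.Count -gt 1) {
    $findings.Add("$($vdm.Count) certificates have the Friendly name vdm; assign it to only one.")
}

foreach ($cert in $vdm) {
    $id = $cert.Thumbprint

    if (-not $cert.HasPrivateKey) {
        $findings.Add("${id}: no accompanying private key in the store.")
    }

    # Heuristic: a certificate whose subject equals its issuer is self-signed.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings.Add("${id}: self-signed certificate, not signed by a CA.")
    }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings.Add("${id}: outside its validity period ($($cert.NotBefore) to $($cert.NotAfter)).")
    }

    # KeyLength rule: clients do not validate certificates with keys under 1024 bits.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt 1024) {
        $findings.Add("${id}: RSA key length $($rsa.KeySize) is under 1024.")
    }

    # Names should be FQDNs, not simple server names or IP addresses.
    foreach ($name in @($cert.DnsNameList | ForEach-Object { $_.Unicode })) {
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($name, [ref]$ip)) {
            $findings.Add("${id}: name '$name' is an IP address, not an FQDN.")
        }
        elseif ($name -notmatch '\.') {
            $findings.Add("${id}: name '$name' is a simple server name, not an FQDN.")
        }
    }

    # Build the chain without revocation lookups so that the check also works offline.
    # The chain is evaluated with the trust stores visible to the current user.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings.Add("${id}: certificate chain does not validate on this host ($status).")
    }

    # Elements between the server certificate (index 0) and the root are intermediates.
    for ($i = 1; $i -lt $chain.ChainElements.Count - 1; $i++) {
        $ca = $chain.ChainElements[$i].Certificate
        if (-not (Test-Path -Path "Cert:\LocalMachine\CA\$($ca.Thumbprint)")) {
            $findings.Add("${id}: intermediate '$($ca.Subject)' is not in the local computer store.")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'The vdm certificate passed all checks.'
}
else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```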
Obtain a Signed Certificate from a Windows Domain or Enterprise
CA
To obtain a signed certificate from a Windows Domain or Enterprise CA, you can use the Windows
Certificate Enrollment wizard in the Windows Certificate Store.
This method of requesting a certificate is appropriate if communications between computers remain within
your internal domain. For example, obtaining a signed certificate from a Windows Domain CA might be
appropriate for server-to-server communications.
If your clients connect to Horizon 7 servers from an external network, request SSL server certificates that
are signed by a trusted, third-party CA.
Prerequisites
- Determine the fully qualified domain name (FQDN) that client devices use to connect to the host.
To comply with VMware security recommendations, use the FQDN, not a simple server name or IP
address, even for communications within your internal domain.
- Verify that the Certificate snap-in was added to MMC. See Add the Certificate Snap-In to MMC.
- Verify that you have the appropriate credentials to request a certificate that can be issued to a
computer or service.
Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (local computer) node
and select the Personal folder.
2 From the Action menu, go to All Tasks > Request New Certificate to display the Certificate
Enrollment wizard.
3 Select a Certificate Enrollment Policy.
4 Select the types of certificates that you want to request, select the Make private key exportable
option, and click Enroll.
5 Click Finish.
The new signed certificate is added to the Personal > Certificates folder in the Windows Certificate
Store.
What to do next
- Verify that the server certificate and certificate chain were imported into the Windows Certificate
Store.
- For a Connection Server instance or security server, modify the certificate friendly name to vdm. See
Modify the Certificate Friendly Name.
- For a View Composer server, bind the new certificate to the port that is used by View Composer. See
Bind a New SSL Certificate to the Port Used by View Composer.
Configure Horizon Connection Server, Security Server, or
View Composer to Use a New SSL Certificate
To configure a Connection Server instance, security server, or View Composer instance to use an SSL
certificate, you must import the server certificate and the entire certificate chain into the Windows local
computer certificate store on the Connection Server, security server, or View Composer host.
In a pod of replicated Connection Server instances, you must import the server certificate and certificate
chain on all instances in the pod.
By default, the Blast Secure Gateway (BSG) uses the SSL certificate that is configured for the Connection
Server instance or security server on which the BSG is running. If you replace the default, self-signed
certificate for a View server with a CA-signed certificate, the BSG also uses the CA-signed certificate.
Important: To configure Connection Server or security server to use a certificate, you must change the
certificate Friendly name to vdm. Also, the certificate must have an accompanying private key.
If you intend to replace an existing certificate or the default, self-signed certificate with a new certificate
after you install View Composer, you must run the SviConfig ReplaceCertificate utility to bind the
new certificate to the port used by View Composer.
Procedure
1 Add the Certificate Snap-In to MMC
Before you can add certificates to the Windows Certificate Store, you must add the Certificate snap-
in to the Microsoft Management Console (MMC) on the Windows Server host on which the
Horizon 7 server is installed.
2 Import a Signed Server Certificate into a Windows Certificate Store
You must import the SSL server certificate into the Windows local computer certificate store on the
Windows Server host on which the Connection Server instance or security server service is
installed.
3 Modify the Certificate Friendly Name
To configure a Connection Server instance or security server to recognize and use an SSL
certificate, you must modify the certificate Friendly name to vdm.
4 Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store
If the Windows Server host on which Connection Server is installed does not trust the root certificate
for the signed SSL server certificate, you must import the root certificate into the Windows local
computer certificate store. In addition, if the Connection Server host does not trust the root
certificates of the SSL server certificates configured for security server, View Composer, and
vCenter Server hosts, you also must import those root certificates.
5 Bind a New SSL Certificate to the Port Used by View Composer
If you configure a new SSL certificate after you install View Composer, you must run the SviConfig
ReplaceCertificate utility to replace the certificate that is bound to the port used by View
Composer. This utility unbinds the existing certificate and binds the new certificate to the port.
Add the Certificate Snap-In to MMC
Before you can add certificates to the Windows Certificate Store, you must add the Certificate snap-in to
the Microsoft Management Console (MMC) on the Windows Server host on which the Horizon 7 server is
installed.
Prerequisites
Verify that the MMC and Certificate snap-in are available on the Windows Server computer on which the
Horizon 7 server is installed.
Procedure
1 On the Windows Server computer, click Start and type mmc.exe.
2 In the MMC window, go to File > Add/Remove Snap-in.
3 In the Add or Remove Snap-ins window, select Certificates and click Add.
4 In the Certificates snap-in window, select Computer account, click Next, select Local computer,
and click Finish.
5 In the Add or Remove snap-in window, click OK.
What to do next
Import the SSL server certificate into the Windows Certificate Store.
Import a Signed Server Certificate into a Windows Certificate Store
You must import the SSL server certificate into the Windows local computer certificate store on the
Windows Server host on which the Connection Server instance or security server service is installed.
You also must perform this task on the Windows Server host where the View Composer service is
installed.
Depending on your certificate file format, the entire certificate chain that is contained in the keystore file
might be imported into the Windows local computer certificate store. For example, the server certificate,
intermediate certificate, and root certificate might be imported.
For other types of certificate files, only the server certificate is imported into the Windows local computer
certificate store. In this case, you must take separate steps to import the root certificate and any
intermediate certificates in the certificate chain.
For more information about certificates, consult the Microsoft online help available with the Certificate
snap-in to MMC.
Note: If you off-load SSL connections to an intermediate server, you must import the same SSL server
certificate onto both the intermediate server and the off-loaded Horizon 7 server. For details, see "Off-load
SSL Connections to Intermediate Servers" in the View Administration document.
Prerequisites
Verify that the Certificate snap-in was added to MMC. See Add the Certificate Snap-In to MMC.
Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (Local Computer) node
and select the Personal folder.
2 In the Actions pane, go to More Actions > All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the certificate is stored.
4 Select the certificate file and click Open.
To display your certificate file type, you can select its file format from the File name drop-down menu.
5 Type the password for the private key that is included in the certificate file.
6 Select Mark this key as exportable.
7 Select Include all extended properties.
8 Click Next and click Finish.
The new certificate appears in the Certificates (Local Computer) > Personal > Certificates folder.
9 Verify that the new certificate contains a private key.
a In the Certificates (Local Computer) > Personal > Certificates folder, double-click the new
certificate.
b In the General tab of the Certificate Information dialog box, verify that the following statement
appears: You have a private key that corresponds to this certificate.
What to do next
Modify the certificate Friendly name to vdm.
Modify the Certificate Friendly Name
To configure a Connection Server instance or security server to recognize and use an SSL certificate, you
must modify the certificate Friendly name to vdm.
You do not have to modify the Friendly name of SSL certificates that are used by View Composer.
Prerequisites
Verify that the server certificate is imported into the Certificates (Local Computer) > Personal >
Certificates folder in the Windows Certificate Store. See Import a Signed Server Certificate into a
Windows Certificate Store.
Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (Local Computer) node
and select the Personal > Certificates folder.
2 Right-click the certificate that is issued to the Horizon 7 server host and click Properties.
3 On the General tab, delete the Friendly name text and type vdm.
4 Click Apply and click OK.
5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of
vdm.
a Locate any other server certificate, right-click the certificate, and click Properties.
b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.
What to do next
Import the root certificate and intermediate certificates into the Windows local computer certificate store.
After all certificates in the chain are imported, you must restart the Connection Server service or Security
Server service to make your changes take effect.
Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store
If the Windows Server host on which Connection Server is installed does not trust the root certificate for
the signed SSL server certificate, you must import the root certificate into the Windows local computer
certificate store. In addition, if the Connection Server host does not trust the root certificates of the SSL
server certificates configured for security server, View Composer, and vCenter Server hosts, you also
must import those root certificates.
If the Connection Server, security server, View Composer, and vCenter Server certificates are signed by a
root CA that is known and trusted by the Connection Server host, and there are no intermediate
certificates in your certificate chains, you can skip this task. Commonly used Certificate Authorities are
likely to be trusted by the host.
You must import untrusted root certificates on all replicated Connection Server instances in a pod.
Note: You do not have to import the root certificate into View Composer, vCenter Server, or security
server hosts.
If a server certificate is signed by an intermediate CA, you also must import each intermediate certificate
in the certificate chain. To simplify client configuration, import the entire intermediate chain to security
server, View Composer, and vCenter Server hosts as well as Connection Server hosts. If intermediate
certificates are missing from a Connection Server or security server host, they must be configured for
clients and computers that launch Horizon Administrator. If intermediate certificates are missing from a
View Composer or vCenter Server host, they must be configured for each Connection Server instance.
If you already verified that the entire certificate chain is imported into the Windows local computer
certificate store, you can skip this task.
Note: If a SAML authenticator is configured for use by a Connection Server instance, the same
guidelines apply to the SAML 2.0 authenticator. If the Connection Server host does not trust the root
certificate configured for a SAML authenticator, or if the SAML server certificate is signed by an
intermediate CA, you must ensure that the certificate chain is imported into the Windows local computer
certificate store.
Procedure
1 In the MMC console on the Windows Server host, expand the Certificates (Local Computer) node
and go to the Trusted Root Certification Authorities > Certificates folder.
- If your root certificate is in this folder, and there are no intermediate certificates in your certificate
  chain, skip to step 7.
- If your root certificate is not in this folder, proceed to step 2.
2 Right-click the Trusted Root Certification Authorities > Certificates folder and click All Tasks >
Import.
3 In the Certificate Import wizard, click Next and browse to the location where the root CA certificate
is stored.
4 Select the root CA certificate file and click Open.
5 Click Next, click Next, and click Finish.
6 If your server certificate was signed by an intermediate CA, import all intermediate certificates in the
certificate chain into the Windows local computer certificate store.
a Go to the Certificates (Local Computer) > Intermediate Certification Authorities >
Certificates folder.
b Repeat steps 3 through 6 for each intermediate certificate that must be imported.
7 Restart the Connection Server service, Security Server service, View Composer service, or vCenter
Server service to make your changes take effect.
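The checks that the import, friendly-name, and chain procedures above ask you to make by hand in MMC can also be scripted. The following PowerShell is an added example, not part of the VMware documentation or tooling; the function name Test-VdmCertificate is hypothetical, and it assumes an elevated Windows PowerShell session on the Connection Server or security server host. It only reads the store.

```powershell
# Added example (not VMware code): read-only audit of the local computer store.
function Test-VdmCertificate {
    param(
        [string]$StorePath    = 'Cert:\LocalMachine\My',  # Personal > Certificates
        [string]$FriendlyName = 'vdm'
    )
    $findings   = @()
    $candidates = @(Get-ChildItem -Path $StorePath |
        Where-Object { $_.FriendlyName -eq $FriendlyName })

    # Exactly one certificate in the Personal folder may carry the Friendly name vdm.
    if ($candidates.Count -eq 0) {
        $findings += "No certificate in $StorePath has Friendly name '$FriendlyName'."
    }
    if ($candidates.Count -gt 1) {
        $findings += "$($candidates.Count) certificates share Friendly name '$FriendlyName'."
    }

    foreach ($cert in $candidates) {
        $id = $cert.Thumbprint
        # The certificate must have an accompanying private key.
        if (-not $cert.HasPrivateKey) {
            $findings += "${id}: no private key accompanies this certificate."
        }
        # Build the chain in the local machine context, not the current user's stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        # Assumption: revocation is not checked, so the audit also runs on an isolated host.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) {
            # Typical causes: missing intermediate, untrusted root, expired certificate.
            foreach ($status in $chain.ChainStatus) {
                $findings += "${id}: chain problem: $($status.Status)"
            }
        }
        $chain.Reset()
    }
    return $findings
}

$result = @(Test-VdmCertificate)
if ($result.Count -eq 0) { 'OK: one vdm certificate, private key present, chain trusted.' }
else { $result }
```

Run it on every replicated Connection Server instance in the pod, because the certificate and chain must be imported on each one.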
Bind a New SSL Certificate to the Port Used by View Composer
If you configure a new SSL certificate after you install View Composer, you must run the SviConfig
ReplaceCertificate utility to replace the certificate that is bound to the port used by View Composer.
This utility unbinds the existing certificate and binds the new certificate to the port.
If you install the new certificate on the Windows Server computer before you install View Composer, you
do not have to run the SviConfig ReplaceCertificate utility. When you run the View Composer
installer, you can select a certificate signed by a CA instead of the default, self-signed certificate. During
the installation, the selected certificate is bound to the port used by View Composer.
If you intend to replace an existing certificate or the default, self-signed certificate with a new certificate,
you must use the SviConfig ReplaceCertificate utility.
Prerequisites
Verify that the new certificate was imported into the Windows local computer certificate store on the
Windows Server computer on which View Composer is installed.
Procedure
1 Stop the View Composer service.
2 Open a command prompt on the Windows Server host where View Composer is installed.
3 Navigate to the SviConfig executable file.
The file is located with the View Composer application. The default path is
C:\Program Files (x86)\VMware\VMware View Composer\sviconfig.exe.
4 Type the SviConfig ReplaceCertificate command.
For example:
    sviconfig -operation=ReplaceCertificate -delete=false
where -delete is a required parameter that operates on the certificate that is being replaced. You
must specify either -delete=true to delete the old certificate from the Windows local computer
certificate store or -delete=false to keep the old certificate in the Windows certificate store.
The utility displays a numbered list of SSL certificates that are available in the Windows local
computer certificate store.
5 To select a certificate, type the number of a certificate and press Enter.
6 Restart the View Composer service to make your changes take effect.
Example: SviConfig ReplaceCertificate
The following example replaces the certificate that is bound to the View Composer port:
    sviconfig -operation=ReplaceCertificate -delete=false
Configure Client Endpoints to Trust Root and Intermediate Certificates
If a Horizon 7 server certificate is signed by a CA that is not trusted by client computers and client
computers that access Horizon Administrator, you can configure all Windows client systems in a domain
to trust the root and intermediate certificates. To do so, you must add the public key for the root certificate
to the Trusted Root Certification Authorities group policy in Active Directory and add the root certificate to
the Enterprise NTAuth store.
For example, you might have to take these steps if your organization uses an internal certificate service.
You do not have to take these steps if the Windows domain controller acts as the root CA, or if your
certificates are signed by a well-known CA. For well-known CAs, the operating system vendors preinstall
the root certificate on client systems.
If your server certificates are signed by a little-known intermediate CA, you must add the intermediate
certificate to the Intermediate Certification Authorities group policy in Active Directory.
For client devices that use operating systems other than Windows, see the following instructions for
distributing root and intermediate certificates that users can install:
- For Horizon Client for Mac, see Configure Horizon Client for Mac to Trust Root and Intermediate
  Certificates.
- For Horizon Client for iOS, see Configure Horizon Client for iOS to Trust Root and Intermediate
  Certificates.