VMware Horizon 7.3 Administrator’s Guide
View Administration
Modified for Horizon 7 7.3.2
VMware Horizon 7 7.3
View Administration
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2014–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 2
Contents
View Administration 6
Using Horizon Administrator 7
1
Horizon Administrator and Horizon Connection Server 7
Log In to Horizon Administrator 8
Tips for Using the Horizon Administrator Interface 9
Troubleshooting the Text Display in Horizon Administrator 11
Configuring View Connection Server 12
2
Configuring vCenter Server and View Composer 12
Backing Up View Connection Server 26
Configuring Settings for Client Sessions 26
Disable or Enable View Connection Server 42
Edit the External URLs 42
Join or Withdraw from the Customer Experience Program 44
View LDAP Directory 44
Setting Up Smart Card Authentication 46
3
Logging In with a Smart Card 47
Configure Smart Card Authentication on View Connection Server 48
Configure Smart Card Authentication on Third-Party Solutions 55
Prepare Active Directory for Smart Card Authentication 56
Verify Your Smart Card Authentication Configuration 59
Using Smart Card Certificate Revocation Checking 60
VMware, Inc.
Setting Up Other Types of User Authentication 65
4
Using Two-Factor Authentication 65
Using SAML Authentication 70
Configure Biometric Authentication 77
Authenticating Users Without Requiring Credentials 78
5
Providing Unauthenticated Access for Published Applications 78
Using the Log In as Current User Feature Available with Windows-Based Horizon Client 83
Saving Credentials in Mobile and Mac Horizon Clients 84
Setting Up True SSO 85
Configuring Role-Based Delegated Administration 115
6
Understanding Roles and Privileges 115
3
View Administration
Using Access Groups to Delegate Administration of Pools and Farms 116
Understanding Permissions 118
Manage Administrators 119
Manage and Review Permissions 120
Manage and Review Access Groups 123
Manage Custom Roles 125
Predefined Roles and Privileges 127
Required Privileges for Common Tasks 131
Best Practices for Administrator Users and Groups 135
Configuring Policies in Horizon Administrator and Active Directory 136
7
Setting Policies in Horizon Administrator 136
Using Horizon 7 Group Policy Administrative Template Files 139
Maintaining View Components 146
8
Backing Up and Restoring View Configuration Data 146
Monitor View Components 155
Monitor Machine Status 156
Understanding View Services 157
Change the Product License Key 159
Monitoring Product License Usage 160
Update General User Information from Active Directory 161
Migrate View Composer to Another Machine 162
Update the Certificates on a View Connection Server Instance, Security Server, or View Composer 168
Customer Experience Improvement Program 169
Managing ThinApp Applications in View Administrator 171
9
View Requirements for ThinApp Applications 171
Capturing and Storing Application Packages 172
Assigning ThinApp Applications to Machines and Desktop Pools 176
Maintaining ThinApp Applications in View Administrator 183
Monitoring and Troubleshooting ThinApp Applications in View Administrator 187
ThinApp Configuration Example 191
Setting Up Clients in Kiosk Mode 193
10
Configure Clients in Kiosk Mode 194
Troubleshooting Horizon 7 205
11
Using Horizon Help Desk Tool 205
Monitoring System Health 217
Monitor Events in Horizon 7 217
Collecting Diagnostic Information for Horizon 7 218
VMware, Inc. 4
View Administration
Update Support Requests 223
Troubleshooting an Unsuccessful Security Server Pairing with Horizon Connection Server 224
Troubleshooting View Server Certificate Revocation Checking 225
Troubleshooting Smart Card Certificate Revocation Checking 226
Further Troubleshooting Information 226
Using the vdmadmin Command 228
12
vdmadmin Command Usage 230
Configuring Logging in Horizon Agent Using the -A Option 233
Overriding IP Addresses Using the -A Option 235
Setting the Name of a View Connection Server Group Using the ‑C Option 236
Updating Foreign Security Principals Using the ‑F Option 237
Listing and Displaying Health Monitors Using the ‑H Option 238
Listing and Displaying Reports of View Operation Using the ‑I Option 239
Generating View Event Log Messages in Syslog Format Using the ‑I Option 240
Assigning Dedicated Machines Using the ‑L Option 242
Displaying Information About Machines Using the -M Option 243
Reclaiming Disk Space on Virtual Machines Using the ‑M Option 245
Configuring Domain Filters Using the ‑N Option 246
Configuring Domain Filters 249
Displaying the Machines and Policies of Unentitled Users Using the ‑O and ‑P Options 253
Configuring Clients in Kiosk Mode Using the ‑Q Option 255
Displaying the First User of a Machine Using the -R Option 260
Removing the Entry for a View Connection Server Instance or Security Server Using the ‑S Option 260
Providing Secondary Credentials for Administrators Using the ‑T Option 262
Displaying Information About Users Using the ‑U Option 264
Unlocking or Locking Virtual Machines Using the ‑V Option 265
Detecting and Resolving LDAP Entry Collisions Using the -X Option 266
VMware, Inc. 5
View Administration
View Administration describes how to configure and administer VMware Horizon® 7, including how to
configure Horizon Connection Server, create administrators, set up user authentication, configure
policies, and manage VMware ThinApp® applications in Horizon Administrator. This document also
describes how to maintain and troubleshoot Horizon 7 components.
Intended Audience
This information is intended for anyone who wants to configure and administer VMware Horizon 7. The
information is written for experienced Windows or Linux system administrators who are familiar with
virtual machine technology and datacenter operations.
VMware, Inc.
6
Using Horizon Administrator 1
Horizon Administrator is the Web interface through which you configure Horizon Connection Server and
manage your remote desktops and applications.
For a comparison of the operations that you can perform with View Administrator, View cmdlets, and
vdmadmin, see the View Integration document.
Note In Horizon 7, View Administrator is named Horizon Administrator. References in this document
might use View Administrator.
This section includes the following topics:
n
Horizon Administrator and Horizon Connection Server
n
Log In to Horizon Administrator
n
Tips for Using the Horizon Administrator Interface
n
Troubleshooting the Text Display in Horizon Administrator
Horizon Administrator and Horizon Connection Server
Horizon Administrator provides a Web-based management interface for Horizon 7.
The Horizon Connection Server can have multiple instances that serve as replica servers or security
servers. Depending on your Horizon 7 deployment, you can get a Horizon Administrator interface with
each instance of a Connection Server.
Use the following best practices to use Horizon Administrator with a Connection Server:
n
Use the host name and IP address of the Connection Server to log in to Horizon Administrator. Use
the Horizon Administrator interface to manage the Connection Server, and any associated security
server or replica server.
VMware, Inc.
7
View Administration
n
In a pod environment, verify that all administrators use the host name and IP address of the same
Connection Server to log in to Horizon Administrator. Do not use the host name and IP address of the
load balancer to access a Horizon Administrator web page.
Note If you use Unified Access Gateway appliances rather than security servers, you must use the
Unified Access Gateway REST API to manage the Unified Access Gateway appliances. Earlier versions
of Unified Access Gateway are named Access Point. For more information, see Deploying and
Configuring Unified Access Gateway.
Log In to Horizon Administrator
To perform initial configuration tasks, you must log in to Horizon Administrator. You access Horizon
Administrator by using a secure (SSL) connection.
Prerequisites
n
Verify that Horizon Connection Server is installed on a dedicated computer.
n
Verify that you are using a Web browser supported by Horizon Administrator. For Horizon
Administrator requirements, see the View Installation document.
Procedure
1 Open your Web browser and enter the following URL, where server is the host name of the
Connection Server instance.
https://server/admin
Note You can use the IP address if you have to access a Connection Server instance when the host
name is not resolvable. However, the host that you contact will not match the SSL certificate that is
configured for the Connection Server instance, resulting in blocked access or access with reduced
security.
Your access to Horizon Administrator depends on the type of certificate that is configured on the
Connection Server computer.
If you open your Web browser on the Connection Server host, use https://127.0.0.1 to connect,
not https://localhost. This method improves security by avoiding potential DNS attacks on the
localhost resolution.
Option Description
You configured a certificate signed by
a CA for View Connection Server.
The default, self-signed certificate
supplied with View Connection Server
is configured.
When you first connect, your Web browser displays Horizon Administrator.
When you first connect, your Web browser might display a page warning that the
security certificate associated with the address is not issued by a trusted
certificate authority.
Click Ignore to continue using the current SSL certificate.
VMware, Inc. 8
View Administration
2 Log in as a user with credentials to access the Administrators account.
You specify the Administrators account when you install a standalone Connection Server instance or
the first Connection Server instance in a replicated group. The Administrators account can be the
local Administrators group (BUILTIN\Administrators) on the Connection Server computer or a domain
user or group account.
After you log in to Horizon Administrator, you can use View Configuration > Administrators to change
the list of users and groups that have the View Administrators role.
Tips for Using the Horizon Administrator Interface
You can use Horizon Administrator user-interface features to navigate Horizon Pages and to find, filter,
and sort Horizon objects.
Horizon Administrator includes many common user interface features. For example, the navigation pane
on the left side of each page directs you to other Horizon Administrator pages. The search filters let you
select filtering criteria that are related to the objects you are searching for.
Table 1‑1 describes a few additional features that can help you to use Horizon Administrator.
Table 1‑1. Horizon Administrator Navigation and Display Features
Horizon Administrator Feature Description
Navigating backward and forward in
Horizon Administrator pages
Bookmarking Horizon Administrator pages You can bookmark Horizon Administrator pages in your browser.
Click your browser's Back button to go to the previously displayed Horizon
Administrator page. Click the Forward button to return to the current page.
If you click the browser's Back button while you are using a Horizon Administrator
wizard or dialog box, you return to the main Horizon Administrator page. The
information you entered in the wizard or dialog is lost.
In versions earlier than View 5.1, you cannot use your browser's Back and Forward
buttons to navigate within Horizon Administrator. Separate Back and Forward
buttons in the Horizon Administrator window were provided for navigation. These
buttons are removed in the View 5.1 release.
VMware, Inc. 9
View Administration
Table 1‑1. Horizon Administrator Navigation and Display Features (Continued)
Horizon Administrator Feature Description
Multicolumn sorting You can sort Horizon objects in a variety of ways by using multicolumn sorting.
Click a heading in the top row of a Horizon Administrator table to sort the Horizon
objects in alphabetical order based on that heading.
For example, in the Resources > Machines page, you can click Desktop Pool to
sort desktops by the pools that contain them.
The number 1 appears next to the heading to indicate that it is the primary sorting
column. You can click the heading again to reverse the sorting order, indicated by an
up or down arrow.
To sort the Horizon objects by a secondary item, Ctrl+click another heading.
For example, in the Machines table, you can click Users to perform a secondary sort
by users to whom the desktops are dedicated. A number 2 appears next to the
secondary heading. In this example, desktops are sorted by pool and by users within
each pool.
You can continue to Ctrl+click to sort all the columns in a table in descending order of
importance.
Press Ctrl+Shift and click to deselect a sort item.
For example, you might want to display the desktops in a pool that are in a particular
state and are stored on a particular datastore. You can select Resources >
Machines, click the Datastore heading, and Ctrl+click the Status heading.
Customizing table columns You can customize the display of Horizon Administrator table columns by hiding
selected columns and locking the first column. This feature lets you control the
display of large tables such as Catalog > Desktop Pools that contain many
columns.
Right-click any column header to display a context menu that lets you take the
following actions:
n
Hide the selected column.
n
Customize columns. A dialog displays all columns in the table. You can select
the columns to display or hide.
n
Lock the first column. This option forces the left-hand column to remain
displayed as you scroll horizontally across a table with many columns. For
example, on the Catalog > Desktop Pools page, the desktop ID remains
displayed as you scroll horizontally to see other desktop characteristics.
Selecting Horizon objects and displaying
Horizon object details
In Horizon Administrator tables that list Horizon objects, you can select an object or
display object details.
n
To select an object, click anywhere in the object's row in the table. At the top of
the page, menus and commands that manage the object become active.
n
To display object details, double-click the left cell in the object's row. A new page
displays the object's details.
For example, on the Catalog > Desktop Pools page, click anywhere in an individual
pool's row to activate commands that affect the pool.
Double-click the ID cell in the left column to display a new page that contains details
about the pool.
VMware, Inc. 10
View Administration
Table 1‑1. Horizon Administrator Navigation and Display Features (Continued)
Horizon Administrator Feature Description
Expanding dialog boxes to view details You can expand Horizon Administrator dialog boxes to view details such as desktop
names and user names in table columns.
To expand a dialog box, place your mouse over the dots in the lower right corner of
the dialog box and drag the corner.
Displaying context menus for Horizon
objects
You can right-click Horizon objects in Horizon Administrator tables to display context
menus. A context menu gives you access to the commands that operate on the
selected Horizon object.
For example, in the Catalog > Desktop Pools page, you can right-click a desktop
pool to display commands such as Add, Edit, Delete, Disable (or Enable)
Provisioning, and so on.
Troubleshooting the Text Display in Horizon Administrator
If your Web browser runs on a non-Windows operating system such as Linux, UNIX, or Mac OS, the text
in Horizon Administrator does not display properly.
Problem
The text in the Horizon Administrator interface is garbled. For example, spaces occur in the middle of
words.
Cause
Horizon Administrator requires Microsoft-specific fonts.
Solution
Install Microsoft-specific fonts on your computer.
Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from
independent Web sites.
VMware, Inc. 11
Configuring View Connection
Server 2
After you install and perform initial configuration of View Connection Server, you can add vCenter Server
instances and View Composer services to your View deployment, set up roles to delegate administrator
responsibilities, and schedule backups of your configuration data.
This section includes the following topics:
n
Configuring vCenter Server and View Composer
n
Backing Up View Connection Server
n
Configuring Settings for Client Sessions
n
Disable or Enable View Connection Server
n
Edit the External URLs
n
Join or Withdraw from the Customer Experience Program
n
View LDAP Directory
Configuring vCenter Server and View Composer
To use virtual machines as remote desktops, you must configure View to communicate with vCenter
Server. To create and manage linked-clone desktop pools, you must configure View Composer settings in
View Administrator.
You can also configure storage settings for View. You can allow ESXi hosts to reclaim disk space on
linked-clone virtual machines. To allow ESXi hosts to cache virtual machine data, you must enable View
Storage Accelerator for vCenter Server.
Create a User Account for View Composer AD Operations
If you use View Composer, you must create a user account in Active Directory that allows View Composer
to perform certain operations in Active Directory. View Composer requires this account to join linked-clone
virtual machines to your Active Directory domain.
To ensure security, you should create a separate user account to use with View Composer. By creating a
separate account, you can guarantee that it does not have additional privileges that are defined for
another purpose. You can give the account the minimum privileges that it needs to create and remove
computer objects in a specified Active Directory container. For example, the View Composer account
does not require domain administrator privileges.
VMware, Inc.
12
View Administration
Procedure
1 In Active Directory, create a user account in the same domain as your Connection Server host or in a
trusted domain.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties
permissions to the account in the Active Directory container in which the linked-clone computer
accounts are created or to which the linked-clone computer accounts are moved.
The following list shows all the required permissions for the user account, including permissions that
are assigned by default:
n
List Contents
n
Read All Properties
n
Write All Properties
n
Read Permissions
n
Reset Password
n
Create Computer Objects
n
Delete Computer Objects
Note Fewer permissions are required if you select the Allow reuse of pre-existing computer
accounts setting for a desktop pool. Make sure that the following permissions are assigned to the
user account:
n
List Contents
n
Read All Properties
n
Read Permissions
n
Reset Password
3 Make sure that the user account's permissions apply to the Active Directory container and to all child
objects of the container.
What to do next
Specify the account in Horizon Administrator when you configure View Composer domains in the Add
vCenter Server wizard and when you configure and deploy linked-clone desktop pools.
Add vCenter Server Instances to Horizon 7
You must configure Horizon 7 to connect to the vCenter Server instances in your Horizon 7 deployment.
vCenter Server creates and manages the virtual machines that Horizon 7 uses in desktop pools.
If you run vCenter Server instances in a Linked Mode group, you must add each vCenter Server instance
to Horizon 7 separately.
Horizon 7 connects to the vCenter Server instance using a secure channel (SSL).
VMware, Inc. 13
View Administration
Prerequisites
n
Install the Connection Server product license key.
n
Prepare a vCenter Server user with permission to perform the operations in vCenter Server that are
necessary to support Horizon 7. To use View Composer, you must give the user additional privileges.
For details about configuring a vCenter Server user for Horizon 7, see the View Installation document.
n
Verify that a TLS/SSL server certificate is installed on the vCenter Server host. In a production
environment, install a valid certificate that is signed by a trusted Certificate Authority (CA).
In a testing environment, you can use the default certificate that is installed with vCenter Server, but
you must accept the certificate thumbprint when you add vCenter Server to Horizon 7.
n
Verify that all Connection Server instances in the replicated group trust the root CA certificate for the
server certificate that is installed on the vCenter Server host. Check if the root CA certificate is in the
Trusted Root Certification Authorities > Certificates folder in the Windows local computer
certificate stores on the Connection Server hosts. If it is not, import the root CA certificate into the
Windows local computer certificate stores.
See "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store," in the
View Installation document.
n
Verify that the vCenter Server instance contains ESXi hosts. If no hosts are configured in the vCenter
Server instance, you cannot add the instance to Horizon 7.
n
If you upgrade to vSphere 5.5 or a later release, verify that the domain administrator account that you
use as the vCenter Server user was explicitly assigned permissions to log in to vCenter Server by a
vCenter Server local user.
n
If you plan to use Horizon 7 in FIPS mode, verify that you have vCenter Server 6.0 or later and ESXi
6.0 or later hosts.
For more information, see "Installing Horizon 7 in FIPS Mode," in the View Installation document.
n
Familiarize yourself with the settings that determine the maximum operations limits for vCenter Server
and View Composer. See Concurrent Operations Limits for vCenter Server and View Composer and
Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms.
Procedure
1 In Horizon Administrator, select View Configuration > Servers.
2 On the vCenter Servers tab, click Add.
VMware, Inc. 14
View Administration
3 In the vCenter Server Settings Server address text box, type the fully qualified domain name (FQDN)
of the vCenter Server instance.
The FQDN includes the host name and domain name. For example, in the FQDN
myserverhost.companydomain.com, myserverhost is the host name and companydomain.com is
the domain.
Note If you enter a server by using a DNS name or URL, Horizon 7 does not perform a DNS lookup
to verify whether an administrator previously added this server to Horizon 7 by using its IP address. A
conflict arises if you add a vCenter Server with both its DNS name and its IP address.
4 Type the name of the vCenter Server user.
For example: domain\user or user@domain.com
5 Type the vCenter Server user password.
6 (Optional) Type a description for this vCenter Server instance.
7 Type the TCP port number.
The default port is 443.
8 Under Advanced Settings, set the concurrent operations limits for vCenter Server and View
Composer operations.
9 Click Next to display the View Composer Settings page.
What to do next
Configure View Composer settings.
n
If the vCenter Server instance is configured with a signed SSL certificate, and Connection Server
trusts the root certificate, the Add vCenter Server wizard displays the View Composer Settings page.
n
If the vCenter Server instance is configured with a default certificate, you must first determine whether
to accept the thumbprint of the existing certificate. See Accept the Thumbprint of a Default SSL
Certificate.
If Horizon 7 uses multiple vCenter Server instances, repeat this procedure to add the other vCenter
Server instances.
Configure View Composer Settings
To use View Composer, you must configure settings that allow View to connect to the VMware Horizon
View Composer service. View Composer can be installed on its own separate host or on the same host
as vCenter Server.
There must be a one-to-one mapping between each VMware Horizon View Composer service and
vCenter Server instance. A View Composer service can operate with only one vCenter Server instance. A
vCenter Server instance can be associated with only one VMware Horizon View Composer service.
VMware, Inc. 15
View Administration
After the initial View deployment, you can migrate the VMware Horizon View Composer service to a new
host to support a growing or changing View deployment. You can edit the initial View Composer settings
in View Administrator, but you must perform additional steps to ensure that the migration succeeds. See
Migrate View Composer to Another Machine.
Prerequisites
n
Verify that you created a user in Active Directory with permission to add and remove virtual machines
from the Active Directory domain that contains your linked clones. See Create a User Account for
View Composer AD Operations.
n
Verify that you configured View to connect to vCenter Server. To do so, you must complete the
vCenter Server Information page in the Add vCenter Server wizard. See Add vCenter Server
Instances to Horizon 7.
n
Verify that this VMware Horizon View Composer service is not already configured to connect to a
different vCenter Server instance.
Procedure
1 In View Administrator, complete the vCenter Server Information page in the Add vCenter Server
wizard.
a Select View Configuration > Servers.
b On the vCenter Servers tab, click Add and provide the vCenter Server settings.
2 On the View Composer Settings page, if you are not using View Composer, select Do not use View
Composer.
If you select Do not use View Composer, the other View Composer settings become inactive. When
you click Next, the Add vCenter Server wizard displays the Storage Settings page. The View
Composer Domains page is not displayed.
3 If you are using View Composer, select the location of the View Composer host.
Option Description
View Composer is installed on the
same host as vCenter Server.
View Composer is installed on its own
separate host.
a Select View Composer co-installed with the vCenter Server.
b Make sure that the port number is the same as the port that you specified
when you installed the VMware Horizon View Composer service on vCenter
Server. The default port number is 18443.
a Select Standalone View Composer Server.
b In the View Composer server address text box, type the fully qualified domain
name (FQDN) of the View Composer host.
c Type the name of the View Composer user.
For example: domain.com\user or user@domain.com
d Type the password of the View Composer user.
e Make sure that the port number is the same as the port that you specified
when you installed the VMware Horizon View Composer service. The default
port number is 18443.
VMware, Inc. 16
View Administration
4 Click Next to display the View Composer Domains page.
What to do next
Configure View Composer domains.
n
If the View Composer instance is configured with a signed SSL certificate, and View Connection
Server trusts the root certificate, the Add vCenter Server wizard displays the View Composer
Domains page.
n
If the View Composer instance is configured with a default certificate, you must first determine
whether to accept the thumbprint of the existing certificate. See Accept the Thumbprint of a Default
SSL Certificate.
Configure View Composer Domains
You must configure an Active Directory domain in which View Composer deploys linked-clone desktops.
You can configure multiple domains for View Composer. After you first add vCenter Server and View
Composer settings to View, you can add more View Composer domains by editing the vCenter Server
instance in Horizon Administrator.
Prerequisites
n
Your Active Directory administrator must create a View Composer user for AD operations. This
domain user must have permission to add and remove virtual machines from the Active Directory
domain that contains your linked clones. For information about the required permissions for this user,
see Create a User Account for View Composer AD Operations.
n
In Horizon Administrator, verify that you completed the vCenter Server Information and View
Composer Settings pages in the Add vCenter Server wizard.
Procedure
1 On the View Composer Domains page, click Add to add the View Composer user for AD operations
account information.
2 Type the domain name of the Active Directory domain.
For example: domain.com
3 Type the domain user name, including the domain name, of the View Composer user.
For example: domain.com\admin
4 Type the account password.
5 Click OK.
6 To add domain user accounts with privileges in other Active Directory domains in which you deploy
linked-clone pools, repeat the preceding steps.
7 Click Next to display the Storage Settings page.
VMware, Inc. 17
View Administration
What to do next
Enable virtual machine disk space reclamation and configure View Storage Accelerator for Horizon 7.
Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines
In vSphere 5.1 and later, you can enable the disk space reclamation feature for Horizon 7. Starting in
vSphere 5.1, Horizon 7 creates linked-clone virtual machines in an efficient disk format that allows ESXi
hosts to reclaim unused disk space in the linked clones, reducing the total storage space required for
linked clones.
As users interact with linked-clone desktops, the clones' OS disks grow and can eventually use almost as
much disk space as full-clone desktops. Disk space reclamation reduces the size of the OS disks without
requiring you to refresh or recompose the linked clones. Space can be reclaimed while the virtual
machines are powered on and users are interacting with their remote desktops.
Disk space reclamation is especially useful for deployments that cannot take advantage of storage-saving
strategies such as refresh on logoff. For example, knowledge workers who install user applications on
dedicated remote desktops might lose their personal applications if the remote desktops were refreshed
or recomposed. With disk space reclamation, Horizon 7 can maintain linked clones at close to the
reduced size they start out with when they are first provisioned.
This feature has two components: space-efficient disk format and space reclamation operations.
In a vSphere 5.1 or later environment, when a parent virtual machine is virtual hardware version 9 or later,
Horizon 7 creates linked clones with space-efficient OS disks, whether or not space reclamation
operations are enabled.
To enable space reclamation operations, you must use Horizon Administrator to enable space
reclamation for vCenter Server and reclaim VM disk space for individual desktop pools. The space
reclamation setting for vCenter Server gives you the option to disable this feature on all desktop pools
that are managed by the vCenter Server instance. Disabling the feature for vCenter Server overrides the
setting at the desktop pool level.
The following guidelines apply to the space reclamation feature:
n
It operates only on space-efficient OS disks in linked clones.
n
It does not affect View Composer persistent disks.
n
It works only with vSphere 5.1 or later and only on virtual machines that are virtual hardware version
9 or later.
n
It does not operate on full-clone desktops.
n
It operates on virtual machines with SCSI controllers. IDE controllers are not supported.
Native NFS snapshot technology (VAAI) is not supported in pools that contain virtual machines with
space-efficient disks.
VMware, Inc. 18
View Administration
Prerequisites
n
Verify that your vCenter Server and ESXi hosts, including all ESXi hosts in a cluster, are version 5.1
with ESXi 5.1 download patch ESXi510-201212001 or later.
Procedure
1 In Horizon Administrator, complete the Add vCenter Server wizard pages that precede the Storage
Settings page.
a Select View Configuration > Servers.
b On the vCenter Servers tab, click Add.
c Complete the vCenter Server Information, View Composer Settings, and View Composer
Domains pages.
2 On the Storage Settings page, make sure that Enable space reclamation is selected.
Space reclamation is selected by default if you are performing a fresh installation of View 5.2 or later.
You must select Enable space reclamation if you are upgrading to View 5.2 or later from View 5.1 or
an earlier release.
What to do next
On the Storage Settings page, configure View Storage Accelerator.
To finish configuring disk space reclamation in Horizon 7, set up space reclamation for desktop pools.
Configure View Storage Accelerator for vCenter Server
In vSphere 5.1 and later, you can configure ESXi hosts to cache virtual machine disk data. This feature,
called View Storage Accelerator, uses the Content Based Read Cache (CBRC) feature in ESXi hosts.
View Storage Accelerator improves Horizon 7 performance during I/O storms, which can take place when
many virtual machines start up or run anti-virus scans at once. The feature is also beneficial when
administrators or users load applications or data frequently. Instead of reading the entire OS or
application from the storage system over and over, a host can read common data blocks from cache.
By reducing the number of IOPS during boot storms, View Storage Accelerator lowers the demand on the
storage array, which lets you use less storage I/O bandwidth to support your Horizon 7 deployment.
You enable caching on your ESXi hosts by selecting the View Storage Accelerator setting in the vCenter
Server wizard in Horizon Administrator, as described in this procedure.
Make sure that View Storage Accelerator is also configured for individual desktop pools. To operate on a
desktop pool, View Storage Accelerator must be enabled for vCenter Server and for the individual
desktop pool.
VMware, Inc. 19
View Administration
View Storage Accelerator is enabled for desktop pools by default. The feature can be disabled or enabled
when you create or edit a pool. The best approach is to enable this feature when you first create a
desktop pool. If you enable the feature by editing an existing pool, you must ensure that a new replica
and its digest disks are created before linked clones are provisioned. You can create a new replica by
recomposing the pool to a new snapshot or rebalancing the pool to a new datastore. Digest files can only
be configured for the virtual machines in a desktop pool when they are powered off.
You can enable View Storage Accelerator on desktop pools that contain linked clones and pools that
contain full virtual machines.
Native NFS snapshot technology (VAAI) is not supported in pools that are enabled for View Storage
Accelerator.
View Storage Accelerator is now qualified to work in configurations that use Horizon 7 replica tiering, in
which replicas are stored on a separate datastore than linked clones. Although the performance benefits
of using View Storage Accelerator with Horizon 7 replica tiering are not materially significant, certain
capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this
combination is tested and supported.
Important If you plan to use this feature and you are using multiple View pods that share some ESXi
hosts, you must enable the View Storage Accelerator feature for all pools that are on the shared ESXi
hosts. Having inconsistent settings in multiple pods can cause instability of the virtual machines on the
shared ESXi hosts.
Prerequisites
n
Verify that your vCenter Server and ESXi hosts are version 5.1 or later.
In an ESXi cluster, verify that all the hosts are version 5.1 or later.
n
Verify that the vCenter Server user was assigned the Host > Configuration > Advanced settings
privilege in vCenter Server.
See the topics in the View Installation document that describe Horizon 7 and View Composer
privileges required for the vCenter Server user.
Procedure
1 In Horizon Administrator, complete the Add vCenter Server wizard pages that precede the Storage
Settings page.
a Select View Configuration > Servers.
b On the vCenter Servers tab, click Add.
c Complete the vCenter Server Information, View Composer Settings, and View Composer
Domains pages.
2 On the Storage Settings page, make sure that the Enable View Storage Accelerator check box is
selected.
This check box is selected by default.
VMware, Inc. 20
View Administration
3 Specify a default host cache size.
The default cache size applies to all ESXi hosts that are managed by this vCenter Server instance.
The default value is 1,024MB. The cache size must be between 100MB and 2,048MB.
4 To specify a different cache size for an individual ESXi host, select an ESXi host and click Edit cache
size.
a In the Host cache dialog box, check Override default host cache size.
b Type a Host cache size value between 100MB and 2,048MB and click OK.
5 On the Storage Settings page, click Next.
6 Click Finish to add vCenter Server, View Composer, and Storage Settings to Horizon 7.
What to do next
Configure settings for client sessions and connections. See Configuring Settings for Client Sessions.
To complete View Storage Accelerator settings in Horizon 7, configure View Storage Accelerator for
desktop pools. See "Configure View Storage Accelerator for Desktop Pools" in the Setting Up Virtual
Desktops in Horizon 7 document.
Concurrent Operations Limits for vCenter Server and View Composer
When you add vCenter Server to Horizon 7 or edit the vCenter Server settings, you can configure several
options that set the maximum number of concurrent operations that are performed by vCenter Server and
View Composer.
You configure these options in the Advanced Settings panel on the vCenter Server Information page.
Table 2‑1. Concurrent Operations Limits for vCenter Server and View Composer
Setting Description
Max concurrent vCenter
provisioning operations
Max concurrent power
operations
Determines the maximum number of concurrent requests that Connection Server can make
to provision and delete full virtual machines in this vCenter Server instance.
The default value is 20.
This setting applies to full virtual machines only.
Determines the maximum number of concurrent power operations (startup, shutdown,
suspend, and so on) that can take place on virtual machines managed by Connection Server
in this vCenter Server instance.
The default value is 50.
For guidelines for calculating a value for this setting, see Setting a Concurrent Power
Operations Rate to Support Remote Desktop Logon Storms.
This setting applies to full virtual machines and linked clones.
VMware, Inc. 21
View Administration
Table 2‑1. Concurrent Operations Limits for vCenter Server and View Composer (Continued)
Setting Description
Max concurrent View Composer
maintenance operations
Max concurrent View Composer
provisioning operations
Determines the maximum number of concurrent View Composer refresh, recompose, and
rebalance operations that can take place on linked clones managed by this View Composer
instance.
The default value is 12.
Remote desktops that have active sessions must be logged off before a maintenance
operation can begin. If you force users to log off as soon as a maintenance operation begins,
the maximum number of concurrent operations on remote desktops that require logoffs is half
the configured value. For example, if you configure this setting as 24 and force users to log
off, the maximum number of concurrent operations on remote desktops that require logoffs is
12.
This setting applies to linked clones only.
Determines the maximum number of concurrent creation and deletion operations that can
take place on linked clones managed by this View Composer instance.
The default value is 8.
This setting applies to linked clones only.
Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms
The Max concurrent power operations setting governs the maximum number of concurrent power
operations that can occur on remote desktop virtual machines in a vCenter Server instance. This limit is
set to 50 by default. You can change this value to support peak power-on rates when many users log on
to their desktops at the same time.
As a best practice, you can conduct a pilot phase to determine the correct value for this setting. For
planning guidelines, see "Architecture Design Elements and Planning Guidelines" in the View Architecture
Planning document.
The required number of concurrent power operations is based on the peak rate at which desktops are
powered on and the amount of time it takes for the desktop to power on, boot, and become available for
connection. In general, the recommended power operations limit is the total time it takes for the desktop
to start multiplied by the peak power-on rate.
For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power
operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support
a peak power-on rate of 16 desktops per minute.
The system waits a maximum of five minutes for a desktop to start. If the start time takes longer, other
errors are likely to occur. To be conservative, you can set a concurrent power operations limit of 5 times
the peak power-on rate. With a conservative approach, the default setting of 50 supports a peak power-
on rate of 10 desktops per minute.
VMware, Inc. 22
View Administration
Logons, and therefore desktop power on operations, typically occur in a normally distributed manner over
a certain time window. You can approximate the peak power-on rate by assuming that it occurs in the
middle of the time window, during which about 40% of the power-on operations occur in 1/6th of the time
window. For example, if users log on between 8:00 AM and 9:00 AM, the time window is one hour, and
40% of the logons occur in the 10 minutes between 8:25 AM and 8:35 AM. If there are 2,000 users, 20%
of whom have their desktops powered off, then 40% of the 400 desktop power-on operations occur in
those 10 minutes. The peak power-on rate is 16 desktops per minute.
Accept the Thumbprint of a Default SSL Certificate
When you add vCenter Server and View Composer instances to Horizon 7, you must ensure that the SSL
certificates that are used for the vCenter Server and View Composer instances are valid and trusted by
Connection Server. If the default certificates that are installed with vCenter Server and View Composer
are still in place, you must determine whether to accept these certificates' thumbprints.
If a vCenter Server or View Composer instance is configured with a certificate that is signed by a CA, and
the root certificate is trusted by Connection Server, you do not have to accept the certificate thumbprint.
No action is required.
If you replace a default certificate with a certificate that is signed by a CA, but Connection Server does not
trust the root certificate, you must determine whether to accept the certificate thumbprint. A thumbprint is
a cryptographic hash of a certificate. The thumbprint is used to quickly determine if a presented certificate
is the same as another certificate, such as the certificate that was accepted previously.
Note If you install vCenter Server and View Composer on the same Windows Server host, they can use
the same SSL certificate, but you must configure the certificate separately for each component.
For details about configuring SSL certificates, see "Configuring SSL Certificates for View Servers" in the
View Installation document.
You first add vCenter Server and View Composer in Horizon Administrator by using the Add
vCenter Server wizard. If a certificate is untrusted and you do not accept the thumbprint, you cannot add
vCenter Server and View Composer.
After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.
Note You also must accept a certificate thumbprint when you upgrade from an earlier release and a
vCenter Server or View Composer certificate is untrusted, or if you replace a trusted certificate with an
untrusted certificate.
On the Horizon Administrator dashboard, the vCenter Server or View Composer icon turns red and an
Invalid Certificate Detected dialog box appears. You must click Verify and follow the procedure shown
here.
VMware, Inc. 23
View Administration
Similarly, in Horizon Administrator you can configure a SAML authenticator for use by a Connection
Server instance. If the SAML server certificate is not trusted by Connection Server, you must determine
whether to accept the certificate thumbprint. If you do not accept the thumbprint, you cannot configure the
SAML authenticator in Horizon 7. After a SAML authenticator is configured, you can reconfigure it in the
Edit View Connection Server dialog box.
Procedure
1 When Horizon Administrator displays an Invalid Certificate Detected dialog box, click View
Certificate.
2 Examine the certificate thumbprint in the Certificate Information window.
3 Examine the certificate thumbprint that was configured for the vCenter Server or View Composer
instance.
a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows
Certificate Store.
b Navigate to the vCenter Server or View Composer certificate.
c Click the Certificate Details tab to display the certificate thumbprint.
Similarly, examine the certificate thumbprint for a SAML authenticator. If appropriate, take the
preceding steps on the SAML authenticator host.
4 Verify that the thumbprint in the Certificate Information window matches the thumbprint for the
vCenter Server or View Composer instance.
Similarly, verify that the thumbprints match for a SAML authenticator.
5 Determine whether to accept the certificate thumbprint.
Option Description
The thumbprints match. Click Accept to use the default certificate.
The thumbprints do not match. Click Reject.
Troubleshoot the mismatched certificates. For example, you might have provided
an incorrect IP address for vCenter Server or View Composer.
Remove a vCenter Server Instance from View
You can remove the connection between View and a vCenter Server instance. When you do so, View no
longer manages the virtual machines created in that vCenter Server instance.
Prerequisites
Delete all the virtual machines that are associated with the vCenter Server instance. For more information
about deleting virtual machines, see "Delete a Desktop Pool" in the Setting Up Virtual Desktops in
Horizon 7 document.
Procedure
1 Click View Configuration > Servers.
VMware, Inc. 24
View Administration
2 On the vCenter Servers tab, select the vCenter Server instance.
3 Click Remove.
A dialog warns you that View will no longer have access to the virtual machines that are managed by
this vCenter Server instance.
4 Click OK.
View can no longer access the virtual machines created in the vCenter Server instance.
Remove View Composer from View
You can remove the connection between View and the VMware Horizon View Composer service that is
associated with a vCenter Server instance.
Before you disable the connection to View Composer, you must remove from View all the linked-clone
virtual machines that were created by View Composer. View prevents you from removing View Composer
if any associated linked clones still exist. After the connection to View Composer is disabled, View cannot
provision or manage new linked clones.
Procedure
1 Remove the linked-clone desktop pools that were created by View Composer.
a In View Administrator, select Catalog > Desktop Pools.
b Select a linked-clone desktop pool and click Delete.
A dialog box warns that you will permanently delete the linked-clone desktop pool from View. If
the linked-clone virtual machines are configured with persistent disks, you can detach or delete
the persistent disks.
c Click OK.
The virtual machines are deleted from vCenter Server. In addition, the associated View
Composer database entries and the replicas that were created by View Composer are removed.
d Repeat these steps for each linked-clone desktop pool that was created by View Composer.
2 Select View Configuration > Servers.
3 On the vCenter Servers tab, select the vCenter Server instance with which View Composer is
associated.
4 Click Edit.
5 Under View Composer Server Settings, click Edit, select Do not use View Composer, and click OK.
You can no longer create linked-clone desktop pools in this vCenter Server instance, but you can
continue to create and manage full virtual-machine desktop pools in the vCenter Server instance.
VMware, Inc. 25
View Administration
What to do next
If you intend to install View Composer on another host and reconfigure View to connect to the new
VMware Horizon View Composer service, you must perform certain additional steps. See Migrate View
Composer Without Linked-Clone Virtual Machines.
Conflicting vCenter Server Unique IDs
If you have multiple vCenter Server instances configured in your environment, an attempt to add a new
instance might fail because of conflicting unique IDs.
Problem
You try to add a vCenter Server instance to View, but the unique ID of the new vCenter Server instance
conflicts with an existing instance.
Cause
Two vCenter Server instances cannot use the same unique ID. By default, a vCenter Server unique ID is
randomly generated, but you can edit it.
Solution
1 In vSphere Client, click Administration > vCenter Server Settings > Runtime Settings.
2 Type a new unique ID and click OK.
For details about editing vCenter Server unique ID values, see the vSphere documentation.
Backing Up View Connection Server
After you complete the initial configuration of View Connection Server, you should schedule regular
backups of your View and View Composer configuration data.
For information about backing up and restoring your View configuration, see Backing Up and Restoring
View Configuration Data.
Configuring Settings for Client Sessions
You can configure global settings that affect the client sessions and connections that are managed by a
View Connection Server instance or replicated group. You can set the session timeout length, display
prelogin and warning messages, and set security-related client connection options.
Set Options for Client Sessions and Connections
You configure global settings to determine the way client sessions and connections work.
The global settings are not specific to a single View Connection Server instance. They affect all client
sessions that are managed by a standalone View Connection Server instance or a group of replicated
instances.
VMware, Inc. 26
View Administration
You can also configure View Connection Server instances to use direct, nontunneled connections
between Horizon clients and remote desktops. See Configure the Secure Tunnel and PCoIP Secure
Gateway for information about configuring direct connections.
Prerequisites
Familiarize yourself with the global settings. See Global Settings for Client Sessions and Global Security
Settings for Client Sessions and Connections.
Procedure
1 In View Administrator, select View Configuration > Global Settings.
2 Choose whether to configure general settings or security settings.
Option Description
General global settings In the General pane, click Edit.
Global security settings In the Security pane, click Edit.
3 Configure the global settings.
4 Click OK.
What to do next
You can change the data recovery password that was provided during installation. See Change the Data
Recovery Password.
Change the Data Recovery Password
You provide a data recovery password when you install View Connection Server version 5.1 or later. After
installation, you can change this password in View Administrator. The password is required when you
restore the View LDAP configuration from a backup.
When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF
data. To restore the encrypted backup View configuration, you must provide the data recovery password.
The password must contain between 1 and 128 characters. Follow your organization's best practices for
generating secure passwords.
Procedure
1 In View Administrator, select View Configuration > Global Settings.
2 In the Security pane, click Change data recovery password.
3 Type and retype the new password.
4 (Optional) Type a password reminder.
Note You can also change the data recovery password when you schedule your View configuration data
to be backed up. See Schedule View Configuration Backups.
VMware, Inc. 27
View Administration
What to do next
When you use the vdmimport utility to restore a backup View configuration, provide the new password.
Global Settings for Client Sessions
General global settings determine session timeout lengths, SSO enablement and timeout limits, status
updates in View Administrator, whether prelogin and warning messages are displayed, whether View
Administrator treats Windows Server as a supported operating system for remote desktops, and other
settings.
Changes to any of the settings in the following table take effect immediately. You do not need to restart
View Connection Server or Horizon Client.
Table 2‑2. General Global Settings for Client Sessions
Setting Description
View Administrator session timeout Determines how long an idle View Administrator session continues before the session
times out.
Important Setting the View Administrator session timeout to a high number of minutes
increases the risk of unauthorized use of View Administrator. Use caution when you
allow an idle session to persist a long time.
By default, the View Administrator session timeout is 30 minutes. You can set a session
timeout from 1 to 4320 minutes (72 hours).
Forcibly disconnect users Disconnects all desktops and applications after the specified number of minutes has
passed since the user logged in to View. All desktops and applications will be
disconnected at the same time regardless of when the user opened them.
For clients that do not support application remoting, a maximum timeout value of 1200
minutes applies if the value of this setting is Never or greater than 1200 minutes.
The default is After 600 minutes.
Single sign-on (SSO) If SSO is enabled, View caches a user's credentials so that the user can launch remote
desktops or applications without having to provide credentials to log in to the remote
Windows session. The default is Enabled.
If you plan to use the True SSO feature, introduced in Horizon 7 or later, SSO must be
enabled. With True SSO, if a user logs in using some other form of authentication than
Active Directory credentials, the True SSO feature generates short-term certificates to
use, rather than cached credentials, after users log in to VMware Identity Manager.
Note If a desktop is launched from Horizon Client, and the desktop is locked, either by
the user or by Windows based on a security policy, and if the desktop is running View
Agent 6.0 or later or Horizon Agent 7.0 or later, View Connection Server discards the
user's SSO credentials. The user must provide login credentials to launch a new desktop
or a new application, or reconnect to any disconnected desktop or application. To enable
SSO again, the user must disconnect from View Connection Server or exit
Horizon Client, and reconnect to View Connection Server. However, if the desktop is
launched from Workspace ONE or VMware Identity Manager and the desktop is locked,
SSO credentials are not discarded.
VMware, Inc. 28
View Administration
Table 2‑2. General Global Settings for Client Sessions (Continued)
Setting Description
For clients that support applications.
If the user stops using the keyboard
and mouse, disconnect their
applications and discard SSO
credentials:
Other clients.
Discard SSO credentials:
Protects application sessions when there is no keyboard or mouse activity on the client
device. If set to After ... minutes, View disconnects all applications and discards SSO
credentials after the specified number of minutes without user activity. Desktop sessions
are not disconnected. Users must log in again to reconnect to the applications that were
disconnected or launch a new desktop or application.
This setting also applies to the True SSO feature. After SSO credentials are discarded,
users are prompted for Active Directory credentials. If users logged in to VMware Identity
Manager without using AD credentials and do not know what AD credentials to enter,
users can log out and log in to VMware Identity Manager again to access their remote
desktops and applications.
Important Users must be aware that when they have both applications and desktops
open, and their applications are disconnected because of this timeout, their desktops
remain connected. Users must not rely on this timeout to protect their desktops.
If set to Never, View never disconnects applications or discards SSO credentials due to
user inactivity.
The default is Never.
Discards SSO credentials after the specified number of minutes. This setting is for
clients that do not support application remoting. If set to After ... minutes, users must
log in again to connect to a desktop after the specified number of minutes has passed
since the user logged in to View, regardless of any user activity on the client device.
If set to Never, View stores SSO credentials until the user closes Horizon Client, or the
Forcibly disconnect users timeout is reached, whichever comes first.
The default is After 15 minutes.
Enable automatic status updates Determines if status updates appear in the global status pane in the upper-left corner of
View Administrator every few minutes. The dashboard page of View Administrator is
also updated every few minutes.
By default, this setting is not enabled.
Display a pre-login message Displays a disclaimer or another message to Horizon Client users when they log in.
Type your information or instructions in the text box in the Global Settings dialog box.
To display no message, leave the check box unselected.
Display warning before forced logoff Displays a warning message when users are forced to log off because a scheduled or
immediate update such as a desktop-refresh operation is about to start. This setting also
determines how long to wait after the warning is shown before the user is logged off.
Check the box to display a warning message.
Type the number of minutes to wait after the warning is displayed and before logging off
the user. The default is 5 minutes.
Type your warning message. You can use the default message:
Your desktop is scheduled for an important update and
will be shut down in 5 minutes. Please save
any unsaved work now.
VMware, Inc. 29
View Administration
Table 2‑2. General Global Settings for Client Sessions (Continued)
Setting Description
Enable Windows Server desktops Determines whether you can select available Windows Server 2008 R2 and Windows
Server 2012 R2 machines for use as desktops. When this setting is enabled, View
Administrator displays all available Windows Server machines, including machines on
which View server components are installed.
Note The Horizon Agent software cannot coexist on the same virtual or physical
machine with any other View server software component, including a security server,
View Connection Server, or View Composer.
Clean up credential when tab closed
for HTML Access
Removes a user's credentials from cache when a user closes a tab that connects to a
remote desktop or application, or closes a tab that connects to the desktop and
application selection page, in the HTML Access client.
When this setting is enabled, View also removes the credentials from cache in the
following HTML Access client scenarios:
n
A user refreshes the desktop and application selection page or the remote session
page.
n
The server presents a self-signed certificate, a user launches a remote desktop or
application, and the user accepts the certificate when the security warning appears.
n
A user runs a URI command in the tab that contains the remote session.
When this setting is disabled, the credentials remain in cache. This feature is disabled by
default.
Note This feature is available in Horizon 7 version 7.0.2 and later.
Mirage Server configuration Allows you to specify the URL of a Mirage server, using the format
mirage://server-name:port or mirages://server-name:port. Here server-name
is the fully qualified domain name. If you do not specify the port number, the default port
number 8000 is used.
Note You can override this global setting by specifying a Mirage server in the desktop
pool settings.
Specifying the Mirage server in View Administrator is an alternative to specifying the
Mirage server when installing the Mirage client. To find out which versions of Mirage
support having the server specified in View Administrator, see the Mirage
documentation, at https://www.vmware.com/support/pubs/mirage_pubs.html.
VMware, Inc. 30
Loading...