VMware Horizon HTML Access 4.6 Installation Manual

VMware Horizon HTML Access Installation and Setup Guide
Modified for Horizon 7 7.3.2 VMware Horizon HTML Access 4.6 VMware Horizon 7 7.3
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2013–2017 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

VMware Horizon HTML Access Installation and Setup Guide

1 Setup and Installation
   System Requirements for HTML Access
   Preparing Connection Server and Security Servers for HTML Access
   Firewall Rules for HTML Access
   Configure View to Remove Credentials From Cache
   Prepare Desktops, Pools, and Farms for HTML Access
   Configure HTML Access Agents to Use New SSL Certificates
   Add the Certificate Snap-In to MMC on a View Desktop
   Import a Certificate for the HTML Access Agent into the Windows Certificate Store
   Import Root and Intermediate Certificates for the HTML Access Agent
   Set the Certificate Thumbprint in the Windows Registry
   Configure HTML Access Agents to Use Specific Cipher Suites
   Configuring iOS to Use CA-Signed Certificates
   Upgrading the HTML Access Software
   Uninstall HTML Access from View Connection Server
   Data Collected by VMware

2 Configuring HTML Access for End Users
   Configure the VMware Horizon Web Portal Page for End Users
   Using URIs to Configure HTML Access Web Clients
   Syntax for Creating URIs for HTML Access
   Examples of URIs
   HTML Access Group Policy Settings

3 Using a Remote Desktop or Application
   Feature Support Matrix
   Internationalization
   Connect to a Remote Desktop or Application
   Trust a Self-Signed Root Certificate
   Connect to a Server in Workspace ONE Mode
   Use Unauthenticated Access to Connect to Remote Applications
   Shortcut Key Combinations
   International Keyboards
   Screen Resolution
   H.264 Decoding
   Setting the Time Zone
   Using the Sidebar
   Use Multiple Monitors
   Using DPI Synchronization
   Sound
   Copying and Pasting Text
   Use the Copy and Paste Feature
   Transferring Files Between the Client and a Remote Desktop
   Download Files from a Desktop to the Client
   Upload Files from the Client to a Desktop
   Using the Real-Time Audio-Video Feature for Webcams and Microphones
   Log Off or Disconnect
   Reset a Remote Desktop or Remote Applications
   Restart a Remote Desktop

VMware Horizon HTML Access Installation and Setup Guide

This guide, VMware Horizon HTML Access Installation and Setup Guide, describes how to install,
configure, and use the VMware Horizon® HTML Access™ software to connect to virtual desktops without
having to install any software on a client system.
The information in this document includes system requirements and instructions for installing
HTML Access software on a VMware Horizon 7 server and on a remote desktop virtual machine so that
end users can use a Web browser to access remote desktops.
Important: This information is intended for administrators who already have some experience using
Horizon 7 and VMware vSphere. If you are a novice user of Horizon 7, you might occasionally need to
refer to the step-by-step instructions for basic procedures in the View Installation documentation and the
View Administration documentation.

1 Setup and Installation

Setting up a View deployment for HTML Access involves installing HTML Access on View Connection
Server, opening the required ports, and installing the HTML Access component in the remote desktop
virtual machine.
End users can then access their remote desktops by opening a supported browser and entering the URL
for View Connection Server.
This section includes the following topics:
- System Requirements for HTML Access
- Preparing Connection Server and Security Servers for HTML Access
- Configure View to Remove Credentials From Cache
- Prepare Desktops, Pools, and Farms for HTML Access
- Configure HTML Access Agents to Use New SSL Certificates
- Configure HTML Access Agents to Use Specific Cipher Suites
- Configuring iOS to Use CA-Signed Certificates
- Upgrading the HTML Access Software
- Uninstall HTML Access from View Connection Server
- Data Collected by VMware

System Requirements for HTML Access

With HTML Access the client system does not require any software other than a supported browser. The
View deployment must meet certain software requirements.
Note: Starting with version 7.0, View Agent is renamed Horizon Agent.

Browser on client systems:

| Browser | Version |
|---|---|
| Chrome | 60, 61 |
| Chrome on Android device | 59 |
| Internet Explorer | 11 |
| Safari | 9, 10 |
| Safari on mobile device | iOS 9, iOS 10 |
| Firefox | 54, 55 |
| Microsoft Edge | 40 |

Note: Chrome on an Android device does not support the Windows key,
multiple monitors, copy and paste to the system, file transfer, printing,
H.264 decoding, credential cleanup, and an external mouse. The following
key and key combinations also do not work on the software keyboard: Del,
Ctrl+A, Ctrl+C, Ctrl+V, Ctrl+X, Ctrl+Y, Ctrl+Z.

Client operating systems:

| Operating System | Version |
|---|---|
| Windows | 7 SP1 (32-bit and 64-bit) |
| Windows | 8.x (32-bit and 64-bit) |
| Windows | 10 (32-bit and 64-bit) |
| Mac OS X | 10.11 (El Capitan) |
| macOS | 10.12.x (Sierra) |
| iOS | 9 |
| iOS | 10 |
| Chrome OS | 28.x and later |
| Android | 7 |

Remote desktops: HTML Access requires Horizon Agent 7.0 or later, and supports all the
desktop operating systems that Horizon 7.0 supports. For more information,
see the topic "Supported Operating Systems for Horizon Agent" in version
7.0 or later of View Installation.

Pool settings: HTML Access requires the following pool settings, in Horizon Administrator:
- The Max resolution of any one monitor setting must be 1920x1200
  or higher so that the remote desktop has at least 17.63 MB of video
  RAM.
  If you use 3D applications or if end users use a MacBook with Retina
  Display or a Google Chromebook Pixel, see Screen Resolution.
- The HTML Access setting must be enabled.
Configuration instructions are provided in Prepare Desktops, Pools, and
Farms for HTML Access.

Connection Server: Connection Server with the HTML Access option must be installed on the
server.
When you install the HTML Access component, the VMware Horizon View
Connection Server (Blast-In) rule is enabled in the Windows Firewall, so
that the firewall is automatically configured to allow inbound traffic to TCP
port 8443.

Security Server: The same version as Connection Server must be installed on the security
server.
If client systems connect from outside the corporate firewall, use a security
server. With a security server, client systems do not require a VPN
connection.
Note: A single security server can support up to 800 simultaneous
connections to Web clients.

Third-party firewalls: Add rules to allow the following traffic:
- Servers (including security servers, Connection Server instances, and
  replica servers): inbound traffic to TCP port 8443.
- Remote desktop virtual machines: inbound traffic (from servers) to TCP
  port 22443.

Display protocol for Horizon: VMware Blast
When you use a Web browser to access a remote desktop, the VMware
Blast protocol is used rather than PCoIP or Microsoft RDP. VMware Blast
uses HTTPS (HTTP over SSL/TLS).

Preparing Connection Server and Security Servers for HTML Access

Administrators must perform specific tasks so that end users can connect to remote desktops using a
Web browser.
Before end users can connect to Connection Server or a security server and access a remote desktop,
you must install Connection Server with the HTML Access component and install security servers.
The following is a checklist of the tasks you must perform in order to use HTML Access:
1 Install Connection Server with the HTML Access option on the server or servers that will compose a
  Connection Server replicated group.
  By default, the HTML Access component is already selected in the installer. For installation
  instructions, see the View Installation documentation.
  Note: To check whether the HTML Access component is installed, you can open the Uninstall a
  Program applet in the Windows operating system and look for View HTML Access in the list.
2 If you use security servers, install Security Server.
  For installation instructions, see the View Installation documentation.
  Important: The version of Security Server must match the version of Connection Server.
3 Verify that each Connection Server instance or security server has a security certificate that can be
  fully verified by using the host name that you enter in the browser.
  For more information, see the View Installation documentation.
4 To use two-factor authentication, such as RSA SecurID or RADIUS authentication, verify that this
  feature is enabled on Connection Server.
  For more information, see the topics about two-factor authentication in the View Administration
  documentation.
  Important: If you enable the Hide domain list in client user interface settings and select two-factor
  authentication (RSA SecurID or RADIUS) for the Connection Server instance, do not enforce
  Windows user name matching. Enforcing Windows user name matching will prevent users from being
  able to enter domain information in the user name text box and login will always fail. For more
  information, see the topics about two-factor authentication in the View Administration document.
5 If you use third-party firewalls, configure rules to allow inbound traffic to TCP port 8443 for all security
  servers and Connection Server hosts in a replicated group, and configure a rule to allow inbound
  traffic (from View servers) to TCP port 22443 on remote desktops in the datacenter. For more
  information, see Firewall Rules for HTML Access.
6 To provide users unauthenticated access to published applications in Horizon Client, you must enable
  this feature in Connection Server. For more information, see the topics about unauthenticated access
  in the View Administration document.
After the servers are installed, if you look in Horizon Administrator, you will see that the Blast Secure
Gateway setting is enabled on the applicable Connection Server instances and security servers. Also, the
Blast External URL setting is automatically configured for use by the Blast Secure Gateway on the
applicable Connection Server instances and security servers. By default, the URL includes the FQDN of
the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and
port number that a client system can use to reach this Connection Server host or security server host. For
more information, see "Set the External URLs for a Connection Server Instance," in the View Installation
documentation.
Note: You can use HTML Access with VMware Workspace ONE to allow users to connect to their
desktops from an HTML5 browser. For information about installing Workspace ONE and configuring it for
use with Connection Server, see the Workspace ONE documentation. For information about pairing
Connection Server with a SAML Authentication server, see the View Administration document.

Firewall Rules for HTML Access

To allow client Web browsers to use HTML Access to make connections to security servers, View
Connection Server instances, and remote desktops, your firewalls must allow inbound traffic on certain
TCP ports.
HTML Access connections must use HTTPS. HTTP connections are not allowed.
By default, when you install a View Connection Server instance or security server, the VMware Horizon
View Connection Server (Blast-In) rule is enabled in the Windows Firewall, so that the firewall is
automatically configured to allow inbound traffic to TCP port 8443.

Table 1-1. Firewall Rules for HTML Access

| Source | Default Source Port | Protocol | Target | Default Target Port | Notes |
|---|---|---|---|---|---|
| Client Web browser | TCP Any | HTTPS | Security server or View Connection Server instance | TCP 443 | To make the initial connection to Horizon, the Web browser on a client device connects to a security server or Horizon Connection Server instance on TCP port 443. |
| Client Web browser | TCP Any | HTTPS | Blast Secure Gateway | TCP 8443 | After the initial connection to Horizon is made, the Web browser on a client device connects to the Blast Secure Gateway on TCP port 8443. The Blast Secure Gateway must be enabled on a security server or Horizon Connection Server instance to allow this second connection to take place. |
| Blast Secure Gateway | TCP Any | HTTPS | HTML Access agent | TCP 22443 | If the Blast Secure Gateway is enabled, after the user selects a remote desktop, the Blast Secure Gateway connects to the HTML Access agent on TCP port 22443 on the desktop. This agent component is included when you install Horizon Agent. |
| Client Web browser | TCP Any | HTTPS | HTML Access agent | TCP 22443 | If the Blast Secure Gateway is not enabled, after the user selects a View desktop, the Web browser on a client device makes a direct connection to the HTML Access agent on TCP port 22443 on the desktop. This agent component is included when you install Horizon Agent. |
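
The following PowerShell is an added example, not part of the VMware guide or VMware tooling. It attempts a TLS handshake on each default port from the firewall rules above that applies to one vantage point (a client or a Horizon server), and reports whether the port is reachable and whether the certificate validates for the host name used. The function names and the host names in the usage comments are assumptions.

```powershell
# Added example, not VMware tooling. Attempts a TLS handshake on one host/port and
# reports reachability and whether the certificate validates for the name used.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            return 'Unreachable: connection timed out'
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            # Default validation: the chain must be trusted and the name must match $HostName.
            $ssl.AuthenticateAsClient($HostName)
            return "OK: certificate trusted ($($ssl.RemoteCertificate.Subject))"
        }
        catch { return "TLS failed: $($_.Exception.GetBaseException().Message)" }
        finally { $ssl.Dispose() }
    }
    catch { return "Unreachable: $($_.Exception.GetBaseException().Message)" }
    finally { $client.Close() }
}

function Test-HtmlAccessPort {
    [CmdletBinding()]
    param(
        # Where this script runs: a client device, or a security server / Connection Server.
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$RunFrom,
        [Parameter(Mandatory)][string]$HorizonServer,
        [Parameter(Mandatory)][string]$Desktop,
        [bool]$BlastSecureGateway = $true
    )

    # One entry per row of the firewall rules. Bsg = $null means the row applies either way.
    $rows = @(
        [pscustomobject]@{ Source = 'Client'; Target = $HorizonServer; Port = 443;   Bsg = $null;  Use = 'Initial connection' }
        [pscustomobject]@{ Source = 'Client'; Target = $HorizonServer; Port = 8443;  Bsg = $true;  Use = 'Blast Secure Gateway' }
        [pscustomobject]@{ Source = 'Server'; Target = $Desktop;       Port = 22443; Bsg = $true;  Use = 'Gateway to HTML Access agent' }
        [pscustomobject]@{ Source = 'Client'; Target = $Desktop;       Port = 22443; Bsg = $false; Use = 'Direct to HTML Access agent' }
    )

    $rows |
        Where-Object { $_.Source -eq $RunFrom -and ($null -eq $_.Bsg -or $_.Bsg -eq $BlastSecureGateway) } |
        ForEach-Object {
            [pscustomobject]@{
                Target = $_.Target
                Port   = $_.Port
                Use    = $_.Use
                Result = Test-TlsEndpoint -HostName $_.Target -Port $_.Port
            }
        }
}

# Usage (placeholder host names):
# Test-HtmlAccessPort -RunFrom Client -HorizonServer horizon.example.test -Desktop desktop01.example.test
# Test-HtmlAccessPort -RunFrom Server -HorizonServer horizon.example.test -Desktop desktop01.example.test
```

A desktop that still presents the agent's default self-signed certificate reports a TLS validation failure on port 22443 even though the port is open.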

Configure View to Remove Credentials From Cache

You can configure View to remove a user's credentials from cache when a user closes a tab that connects
to a remote desktop or application, or closes a tab that connects to the desktop and application selection
page, in the HTML Access client.
When this feature is disabled (the default setting), the credentials remain in cache.
Note: When you enable this feature, the credentials are also removed from cache when a user refreshes
the desktop and application selection page or the remote session page, or runs a URI command in the
tab that contains the remote session. If the server presents a self-signed certificate, the credentials are
removed from cache after a user launches a remote desktop or application and accepts the certificate
when the security warning appears.

Prerequisites
This feature requires Horizon 7 version 7.0.2 or later.

Procedure
1 In Horizon Administrator, select View Configuration > Global Settings and click Edit in the General
  pane.
2 Select the Clean up credential when tab closed for HTML Access check box.
3 Click OK to save your changes.
Your changes take effect immediately. You do not need to restart Connection Server.

Prepare Desktops, Pools, and Farms for HTML Access

Before end users can access a remote desktop or application, administrators must configure certain pool
and farm settings and install Horizon Agent on remote desktop virtual machines and RDS hosts in the
data center.
The HTML Access client is a good alternative when Horizon Client software is not installed on the client
system.
Note: The Horizon Client software offers more features and better performance than the HTML Access
client. For example, with the HTML Access client, some key combinations do not work in the remote
desktop, but these key combinations do work with Horizon Client.

Prerequisites
- Verify that your vSphere infrastructure and Horizon components meet the system requirements for
  HTML Access.
  See System Requirements for HTML Access.
- Verify that the HTML Access component is installed with Connection Server on the host or hosts and
  that the Windows firewalls on Connection Server instances and any security servers allow inbound
  traffic on TCP port 8443.
  See Preparing Connection Server and Security Servers for HTML Access.
- If you use third-party firewalls, configure a rule to allow inbound traffic from Horizon servers to TCP
  port 22443 on Horizon desktops in the data center.
- Verify that the virtual machine you plan to use as a desktop source or RDS host has the following
  software installed: a supported operating system and VMware Tools.
  For a list of the supported operating systems, see System Requirements for HTML Access.
- Familiarize yourself with the procedures for creating pools and farms and entitling users. See the
  topics about creating pools and farms in Setting Up Desktops and Applications in View.
- To verify that the remote desktop or application is accessible to end users, verify that you have
  Horizon Client software installed on a client system. You will test the connection by using the
  Horizon Client software before attempting to connect from a browser.
  For Horizon Client installation instructions, see the Horizon Client documentation site at
  https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
- Verify that you have one of the supported browsers for accessing a remote desktop. See System
  Requirements for HTML Access.

Procedure
1 For RDS desktops and applications, use Horizon Administrator to create or edit the farm and enable
  the Allow HTML Access to desktops and applications on this farm option in the farm settings.
2 For single-session desktop pools, use Horizon Administrator to create or edit the desktop pool so that
  the pool can be used with HTML Access.
  a Enable the HTML Access setting in the Desktop Pool settings.
    The HTML Access setting does not appear in the Add Desktop Pool wizard when you create
    RDS desktop pools. Instead, you enable the Allow HTML Access to desktops and
    applications on this farm option when creating or editing the farm of RDS hosts.
  b In the pool settings, verify that the Max resolution of any one monitor setting is 1920x1200 or
    higher.
3 After the pools are created, recomposed, or upgraded to use Horizon Agent with the HTML Access
  option, use Horizon Client to log in to a desktop or application.
  With this step, before you attempt to use HTML Access, you verify that the pool is working correctly.
4 Open a supported browser and enter a URL that points to your Connection Server instance.
  For example:
  https://horizon.mycompany.com
  Be sure to use https in the URL.
5 On the Web page that appears, click VMware Horizon HTML Access and log in as you would with
  the Horizon Client software.
6 On the desktop and application selection page that appears, click an icon to connect.
You can now access a remote desktop or application from a Web browser when you are using a client
device that does not or cannot have Horizon Client software installed in its operating system.

What to do next
For added security, if your security policies require that the Blast agent on the remote desktop uses an
SSL certificate from a certificate authority, see Configure HTML Access Agents to Use New SSL
Certificates.

Configure HTML Access Agents to Use New SSL Certificates

To comply with industry or security regulations, you can replace the default SSL certificates that are
generated by the HTML Access Agent with certificates that are signed by a Certificate Authority (CA).
When you install the HTML Access Agent on View desktops, the HTML Access Agent service creates
default, self-signed certificates. The service presents the default certificates to browsers that use
HTML Access to connect to View.
Note: In the guest operating system on the desktop virtual machine, this service is called the VMware
Blast service.
To replace the default certificates with signed certificates that you obtain from a CA, you must import a
certificate into the Windows local computer certificate store on each View desktop. You must also set a
registry value on each desktop that allows the HTML Access Agent to use the new certificate.
If you replace the default HTML Access Agent certificates with CA-signed certificates, VMware
recommends that you configure a unique certificate on each desktop. Do not configure a CA-signed
certificate on a parent virtual machine or template that you use to create a desktop pool. That approach
would result in hundreds or thousands of desktops with identical certificates.

Procedure
1 Add the Certificate Snap-In to MMC on a View Desktop
  Before you can add certificates to the Windows local computer certificate store, you must add the
  Certificate snap-in to the Microsoft Management Console (MMC) on the View desktops where the
  HTML Access Agent is installed.
2 Import a Certificate for the HTML Access Agent into the Windows Certificate Store
  To replace a default HTML Access Agent certificate with a CA-signed certificate, you must import the
  CA-signed certificate into the Windows local computer certificate store. Perform this procedure on
  each desktop where the HTML Access Agent is installed.
3 Import Root and Intermediate Certificates for the HTML Access Agent
  If the root certificate and intermediate certificates in the certificate chain are not imported with the
  SSL certificate that you imported for the HTML Access Agent, you must import these certificates into
  the Windows local computer certificate store.
4 Set the Certificate Thumbprint in the Windows Registry
  To allow the HTML Access Agent to use a CA-signed certificate that was imported into the Windows
  certificate store, you must configure the certificate thumbprint in a Windows registry key. You must
  take this step on each desktop on which you replace the default certificate with a CA-signed
  certificate.

Add the Certificate Snap-In to MMC on a View Desktop

Before you can add certificates to the Windows local computer certificate store, you must add the
Certificate snap-in to the Microsoft Management Console (MMC) on the View desktops where the
HTML Access Agent is installed.

Prerequisites
Verify that the MMC and Certificate snap-in are available on the Windows guest operating system where
the HTML Access Agent is installed.

Procedure
1 On the View desktop, click Start and type mmc.exe.
2 In the MMC window, go to File > Add/Remove Snap-in.
3 In the Add or Remove Snap-ins window, select Certificates and click Add.
4 In the Certificates snap-in window, select Computer account, click Next, select Local computer,
  and click Finish.
5 In the Add or Remove snap-in window, click OK.

What to do next
Import the SSL certificate into the Windows local computer certificate store. See Import a Certificate for
the HTML Access Agent into the Windows Certificate Store.

Import a Certificate for the HTML Access Agent into the Windows Certificate Store

To replace a default HTML Access Agent certificate with a CA-signed certificate, you must import the
CA-signed certificate into the Windows local computer certificate store. Perform this procedure on each
desktop where the HTML Access Agent is installed.

Prerequisites
- Verify that the HTML Access Agent is installed on the View desktop.
- Verify that the CA-signed certificate was copied to the desktop.
- Verify that the Certificate snap-in was added to MMC. See Add the Certificate Snap-In to MMC on a
  View Desktop.

Procedure
1 In the MMC window on the View desktop, expand the Certificates (Local Computer) node and
  select the Personal folder.
2 In the Actions pane, go to More Actions > All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the certificate is stored.
4 Select the certificate file and click Open.
  To display your certificate file type, you can select its file format from the File name drop-down menu.
5 Type the password for the private key that is included in the certificate file.
6 Select Mark this key as exportable.
7 Select Include all extendable properties.
8 Click Next and click Finish.
  The new certificate appears in the Certificates (Local Computer) > Personal > Certificates folder.
9 Verify that the new certificate contains a private key.
  a In the Certificates (Local Computer) > Personal > Certificates folder, double-click the new
    certificate.
  b In the General tab of the Certificate Information dialog box, verify that the following statement
    appears: You have a private key that corresponds to this certificate.

What to do next
If necessary, import the root certificate and intermediate certificates into the Windows certificate store.
See Import Root and Intermediate Certificates for the HTML Access Agent.
Configure the appropriate registry key with the certificate thumbprint. See Set the Certificate Thumbprint
in the Windows Registry.

Import Root and Intermediate Certificates for the HTML Access Agent

If the root certificate and intermediate certificates in the certificate chain are not imported with the SSL
certificate that you imported for the HTML Access Agent, you must import these certificates into the
Windows local computer certificate store.

Procedure
1 In the MMC console on the View desktop, expand the Certificates (Local Computer) node and go to
  the Trusted Root Certification Authorities > Certificates folder.
  - If your root certificate is in this folder, and there are no intermediate certificates in your certificate
    chain, skip this procedure.
  - If your root certificate is not in this folder, proceed to step 2.
2 Right-click the Trusted Root Certification Authorities > Certificates folder and click All Tasks >
  Import.
3 In the Certificate Import wizard, click Next and browse to the location where the root CA certificate
  is stored.
4 Select the root CA certificate file and click Open.
5 Click Next, click Next, and click Finish.
6 If your server certificate was signed by an intermediate CA, import all intermediate certificates in the
  certificate chain into the Windows local computer certificate store.
  a Go to the Certificates (Local Computer) > Intermediate Certification Authorities >
    Certificates folder.
  b Repeat steps 3 through 6 for each intermediate certificate that must be imported.

What to do next
Configure the appropriate registry key with the certificate thumbprint. See Set the Certificate Thumbprint
in the Windows Registry.

Set the Certificate Thumbprint in the Windows Registry

To allow the HTML Access Agent to use a CA-signed certificate that was imported into the Windows
certificate store, you must configure the certificate thumbprint in a Windows registry key. You must take
this step on each desktop on which you replace the default certificate with a CA-signed certificate.

Prerequisites
Verify that the CA-signed certificate is imported into the Windows certificate store. See Import a Certificate
for the HTML Access Agent into the Windows Certificate Store.

Procedure
1 In the MMC window on the View desktop where the HTML Access Agent is installed, navigate to the
  Certificates (Local Computer) > Personal > Certificates folder.
2 Double-click the CA-signed certificate that you imported into the Windows certificate store.
3 In the Certificates dialog box, click the Details tab, scroll down, and select the Thumbprint icon.
4 Copy the selected thumbprint to a text file.
  For example: 31 2a 32 50 1a 0b 34 b1 65 46 13 a8 0a 5e f7 43 6e a9 2c 3e
  Note: When you copy the thumbprint, do not include the leading space. If you inadvertently paste
  the leading space with the thumbprint into the registry key (in Step 7), the certificate might not be
  configured successfully. This problem can occur even though the leading space is not displayed in
  the registry value text box.
5 Start the Windows Registry Editor on the desktop where the HTML Access Agent is installed.
6 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry
  key.
7 Modify the SslHash value and paste the certificate thumbprint into the text box.
8 Reboot Windows.
When a user connects to a desktop through HTML Access, the HTML Access Agent presents the
CA-signed certificate to the user's browser.
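
The registry step above, combined with the private-key and certificate-chain checks from the import procedures, as an added PowerShell example (not VMware tooling and not part of the original guide). The function names are assumptions; the registry key and the SslHash value name are the ones given in the procedure, and the value is written in the space-separated layout shown in step 4, on the assumption that this is the layout the agent reads.

```powershell
# Added example, not VMware tooling. Run in an elevated session on the desktop.
# Registry key and value name are taken from the procedure above.
$BlastConfigKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config'

function ConvertTo-BlastThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only: drops the leading space and any other invisible
    # characters picked up when copying from the certificate dialog.
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), found $($hex.Length)."
    }
    # Re-emit as space-separated byte pairs, as in step 4 (assumed layout).
    ($hex -split '(..)' | Where-Object { $_ }) -join ' '
}

function Set-BlastSslHash {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Thumbprint)

    $value = ConvertTo-BlastThumbprint -Thumbprint $Thumbprint
    $hex   = $value -replace ' ', ''

    # The certificate must be in Local Computer > Personal and carry its private key.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $hex } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $hex in Cert:\LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $hex has no private key in this store." }

    # The chain must build from the local stores, i.e. root and intermediates are imported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object {
            Write-Warning "Chain: $($_.Status): $($_.StatusInformation.Trim())"
        }
        throw 'Certificate chain does not validate; check the root and intermediate certificates.'
    }

    if (-not (Test-Path -Path $BlastConfigKey)) {
        throw "Registry key not found: $BlastConfigKey"
    }
    if ($PSCmdlet.ShouldProcess($BlastConfigKey, "Set SslHash to '$value'")) {
        Set-ItemProperty -Path $BlastConfigKey -Name SslHash -Value $value
        # Read back and compare exactly, so stray whitespace cannot go unnoticed.
        $stored = (Get-ItemProperty -Path $BlastConfigKey -Name SslHash).SslHash
        if ($stored -cne $value) { throw "SslHash read back as '$stored', expected '$value'." }
    }

    [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; SslHash = $value }
}

# Usage with the example thumbprint from step 4, pasted with a leading space.
# -WhatIf runs every check without writing; Windows still needs a reboot (step 8) after a real run.
# Set-BlastSslHash -Thumbprint ' 31 2a 32 50 1a 0b 34 b1 65 46 13 a8 0a 5e f7 43 6e a9 2c 3e' -WhatIf
```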

Configure HTML Access Agents to Use Specific Cipher Suites

You can configure the HTML Access Agent to use specific cipher suites instead of the default set of
ciphers.
By default, the HTML Access Agent requires incoming SSL connections to use encryption based on
certain ciphers that provide strong protection against network eavesdropping and forgery. You can
configure an alternative list of ciphers for the HTML Access Agent to use. The set of acceptable ciphers is
expressed in the OpenSSL format, which is described at
https://www.openssl.org/docs/manmaster/man1/ciphers.html.

Procedure
1 Start the Windows Registry Editor on the desktop where the HTML Access Agent is installed.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry
  key.
3 Add a new String (REG_SZ) value, SslCiphers, and paste the cipher list in the OpenSSL format into
  the text box.