Page 1
VMware Horizon View Administration
View 5.2
View Manager 5.2
View Composer 5.2
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-001024-00
Page 2
VMware Horizon View Administration
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual
property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
Page 3
Contents
VMware Horizon View Administration
9
Configuring View Connection Server 11
1
Using View Administrator 11
Configuring vCenter Server and View Composer
Backing Up View Connection Server 26
Configuring Settings for Client Sessions 26
Disable or Enable View Connection Server 35
Edit the External URLs 35
Join or Withdraw from the Customer Experience Program 36
View LDAP Directory 36
14
Configuring Role-Based Delegated Administration 39
2
Understanding Roles and Privileges 39
Using Folders to Delegate Administration 40
Understanding Permissions 41
Manage Administrators 42
Manage and Review Permissions 43
Manage and Review Folders 45
Manage Custom Roles 47
Predefined Roles and Privileges 48
Required Privileges for Common Tasks 51
Best Practices for Administrator Users and Groups 53
Preparing Unmanaged Desktop Sources 55
3
Prepare an Unmanaged Desktop Source for View Desktop Deployment 55
Install View Agent on an Unmanaged Desktop Source 55
Creating and Preparing Virtual Machines 59
4
Creating Virtual Machines for View Desktop Deployment 59
Install View Agent on a Virtual Machine 64
Install View Agent Silently 66
Configure a Virtual Machine with Multiple NICs for View Agent 70
Optimize Windows Guest Operating System Performance 70
Optimize Windows 7 and Windows 8 Guest Operating System Performance 71
Optimizing Windows 7 and Windows 8 for Linked-Clone Desktops 73
Preparing Virtual Machines for View Composer 79
Creating Virtual Machine Templates 85
Creating Customization Specifications 86
VMware, Inc. 3
Page 4
VMware Horizon View Administration
Creating Desktop Pools 87
5
Automated Pools That Contain Full Virtual Machines 88
Linked-Clone Desktop Pools
Manual Desktop Pools 119
Microsoft Terminal Services Pools 123
Provisioning Desktop Pools 125
Setting Power Policies for Desktop Pools 140
Configure View Storage Accelerator for Desktop Pools 145
Deploying Large Desktop Pools 147
92
Entitling Users and Groups 149
6
Add Entitlements to Desktop Pools 149
Remove Entitlements from a Desktop Pool 149
Review Desktop Pool Entitlements 150
Restricting View Desktop Access 150
Setting Up User Authentication 155
7
Using SAML 2.0 Authentication 155
Using Smart Card Authentication 157
Using Smart Card Certificate Revocation Checking 165
Using Two-Factor Authentication 168
Using the Log In as Current User Feature Available with Windows-Based View Client 172
Allow Users to Save Credentials 173
Configuring Policies 175
8
Setting Policies in View Administrator 175
Using Active Directory Group Policies 179
Using the View Group Policy Administrative Template Files 180
Setting Up Location-Based Printing 218
Using Terminal Services Group Policies 221
Active Directory Group Policy Example 222
Configuring User Profiles with View Persona Management 227
9
Providing User Personas in View 227
Using View Persona Management with Standalone Systems 228
Migrating User Profiles with View Persona Management 229
Persona Management and Windows Roaming Profiles 231
Configuring a View Persona Management Deployment 232
Best Practices for Configuring a View Persona Management Deployment 240
View Persona Management Group Policy Settings 243
Managing Linked-Clone Desktops 251
10
Reduce Linked-Clone Size with Desktop Refresh 251
Update Linked-Clone Desktops 253
Rebalance Linked-Clone Desktops 257
Manage View Composer Persistent Disks 260
4 VMware, Inc.
Page 5
Managing Desktops and Desktop Pools 265
11
Managing Desktop Pools 265
Reducing Adobe Flash Bandwidth
Managing Virtual-Machine Desktops 272
Export View Information to External Files 278
271
Contents
Managing Physical Computers and Terminal Servers 281
12
Add an Unmanaged Desktop Source to a Pool 281
Remove an Unmanaged Desktop Source from a Pool 282
Delete a Pool That Contains Unmanaged Desktops 282
Unregister an Unmanaged Desktop Source 283
Desktop Status of Physical Computers and Terminal Servers 283
Managing ThinApp Applications in View Administrator 285
13
View Requirements for ThinApp Applications 285
Capturing and Storing Application Packages 286
Assigning ThinApp Applications to Desktops and Pools 289
Maintaining ThinApp Applications in View Administrator 296
Monitoring and Troubleshooting ThinApp Applications in View Administrator 299
ThinApp Configuration Example 302
Managing Local Desktops 303
14
Benefits of Using View Desktops in Local Mode 303
Managing View Transfer Server 309
Managing the Transfer Server Repository 313
Managing Data Transfers 319
Configure Security and Optimization for Local Desktop Operations 323
Configuring Endpoint Resource Usage 328
Configuring an HTTP Cache to Provision Local Desktops Over a WAN 332
Configuring the Heartbeat Interval for Local Desktop Client Computers 336
Manually Downloading a Local Desktop to a Location with Poor Network Connections 337
Troubleshooting View Transfer Server and Local Desktop Operations 340
Maintaining View Components 351
15
Backing Up and Restoring View Configuration Data 351
Monitor View Components 358
Monitor Desktop Status 358
Understanding View Manager Services 359
Add Licenses to VMware Horizon View 361
Update General User Information from Active Directory 361
Migrate View Composer to Another Computer 362
Update the Certificates on a View Connection Server Instance, Security Server, or View Composer 367
Information Collected by the Customer Experience Improvement Program 368
Troubleshooting View Components 379
16
Monitoring System Health 380
Monitor Events in View Manager 380
Send Messages to Desktop Users 381
VMware, Inc. 5
Page 6
VMware Horizon View Administration
Display Desktops with Suspected Problems 381
Troubleshoot a Problem Desktop Virtual Machine Using the vSphere Web Client
Manage Desktops and Policies for Unentitled Users 383
Collecting Diagnostic Information for VMware Horizon View 383
Update Support Requests 387
Troubleshooting Network Connection Problems 388
Troubleshooting Desktop Pool Creation Problems 391
Troubleshooting an Unsuccessful Security Server Pairing with View Connection Server 395
Troubleshooting View Server Certificate Revocation Checking 395
Troubleshooting Smart Card Certificate Revocation Checking 396
Troubleshooting USB Redirection Problems 397
Troubleshooting Desktops That Are Repeatedly Deleted and Recreated 398
Troubleshooting QuickPrep Customization Problems 399
View Composer Provisioning Errors 400
Removing Orphaned or Deleted Linked Clones 401
Finding and Unprotecting Unused View Composer Replicas 402
Windows XP Linked Clones Fail to Join the Domain 404
Troubleshooting GINA Problems on Windows XP Desktops 404
Further Troubleshooting Information 405
382
Using the vdmadmin Command 407
17
vdmadmin Command Usage 409
Configuring Logging in View Agent Using the -A Option 411
Overriding IP Addresses Using the -A Option 413
Setting the Name of a View Connection Server Group Using the -C Option 414
Updating Foreign Security Principals Using the -F Option 414
Listing and Displaying Health Monitors Using the -H Option 415
Listing and Displaying Reports of View Manager Operation Using the -I Option 416
Generating View Event Log Messages in Syslog Format Using the -I Option 417
Assigning Dedicated Desktops Using the -L Option 418
Displaying Information About Machines Using the -M Option 419
Reclaiming Disk Space on Virtual Machines Using the -M Option 420
Configuring Domain Filters Using the -N Option 421
Configuring Domain Filters 423
Displaying the Desktops and Policies of Unentitled Users Using the -O and -P Options 427
Configuring Clients in Kiosk Mode Using the -Q Option 428
Displaying the First User of a Desktop Using the -R Option 432
Removing the Entry for a View Connection Server Instance or Security Server Using the -S Option 432
Setting the Split Limit for Publishing View Transfer Server Packages Using the -T Option 433
Displaying Information About Users Using the -U Option 434
Decrypting the Virtual Machine of a Local Desktop Using the -V Option 434
Recovering a Local Desktop by Using the -V Option When the Desktop Was Modified in the
Datacenter 435
Unlocking or Locking Virtual Machines Using the -V Option 437
Detecting and Resolving LDAP Entry Collisions Using the -X Option 438
Setting Up Clients in Kiosk Mode 439
18
Configure Clients in Kiosk Mode 439
6 VMware, Inc.
Page 7
Index 449
Contents
VMware, Inc. 7
Page 8
VMware Horizon View Administration
8 VMware, Inc.
Page 9
VMware Horizon View Administration
VMware Horizon View Administration describes how to configure and administer VMware Horizon View™,
including how to configure View Connection Server, create administrators, provision and deploy View
desktops,
Administrator. This information also describes how to maintain and troubleshoot VMware Horizon View
components.
Intended Audience
This information is intended for anyone who wants to configure and administer VMware Horizon View. The
information is written for experienced Windows or Linux system administrators who are familiar with virtual
machine technology and datacenter operations.
set up user authentication, configure policies, and manage VMware ThinApp™ applications in View
VMware, Inc. 9
Page 10
VMware Horizon View Administration
10 VMware, Inc.
Page 11
Configuring View Connection Server 1
After you install and perform initial configuration of View Connection Server, you can add vCenter Server
instances
and schedule backups of your configuration data.
This chapter includes the following topics:
n
n
n
n
n
n
n
n
Using View Administrator
and View Composer services to View Manager, set up roles to delegate administrator responsibilities,
“Using View Administrator,” on page 11
“Configuring vCenter Server and View Composer,” on page 14
“Backing Up View Connection Server,” on page 26
“Configuring Settings for Client Sessions,” on page 26
“Disable or Enable View Connection Server,” on page 35
“Edit the External URLs,” on page 35
“Join or Withdraw from the Customer Experience Program,” on page 36
“View LDAP Directory,” on page 36
View Administrator is the Web interface through which you configure View Connection Server and manage
your View desktops.
For a comparison of the operations that you can perform with View Administrator, View cmdlets, and
vdmadmin, see the VMware Horizon View Integration document.
View Administrator and View Connection Server
View Administrator provides a management interface for View Manager.
Depending on your View deployment, you use one or more View Administrator interfaces.
n
Use one View Administrator interface to manage the View components that are associated with a single,
standalone View Connection Server instance or a group of replicated View Connection Server instances.
You can use the IP address of any replicated instance to log in to View Administrator.
n
You must use a separate View Administrator interface to manage the View components for each single,
standalone View Connection Server instance and each group of replicated View Connection Server
instances.
VMware, Inc. 11
Page 12
VMware Horizon View Administration
You also use View Administrator to manage security servers and View Transfer Server instances associated
with View Connection Server.
n
Each security server is associated with one View Connection Server instance.
n
Each View Transfer Server instance can communicate with any View Connection Server instance in a
group of replicated instances.
Log In to View Administrator
To
perform initial configuration tasks, you must log in to View Administrator. You access View Administrator
by using a secure (SSL) connection.
Prerequisites
n
Verify that View Connection Server is installed on a dedicated computer.
n
Verify that you are using a Web browser supported by View Administrator. For View Administrator
requirements, see the VMware Horizon View Installation document.
Procedure
1 Open your Web browser and enter the following URL, where server is the host name of the View
Connection Server instance.
https://
server
/admin
NOTE You can use the IP address if you have to access a View Connection Server instance when the host
name is not resolvable. However, the host that you contact will not match the SSL certificate that is
configured for the View Connection Server instance, resulting in blocked access or access with reduced
security.
Your access to View Administrator depends on the type of certificate that is configured on the View
Connection Server computer.
Option Description
You configured a certificate signed
by
a CA for View Connection Server.
The default, self-signed certificate
supplied with View Connection
Server is configured.
When you first connect, your Web browser displays View Administrator.
When you first connect, your Web browser might display a page warning
that the security certificate associated with the address is not issued by a
trusted certificate authority.
Click Ignore to continue using the current SSL certificate.
2
Log in as a user with credentials to access the View Administrators account.
You specify the View Administrators account when you install a standalone View Connection Server
instance or the first View Connection Server instance in a replicated group. The View Administrators
account can be the local Administrators group (BUILTIN\Administrators) on the View Connection Server
computer or a domain user or group account.
After you log in to View Administrator, you can use View Configuration > Administrators to change the list
of users and groups that have the View Administrators role.
12 VMware, Inc.
Page 13
Chapter 1 Configuring View Connection Server
Tips for Using the View Administrator Interface
You can use View Administrator user-interface features to navigate View Pages and to find, filter, and sort
View objects.
View
Administrator includes many common user interface features. For example, the navigation pane on the
left side of each page directs you to other View Administrator pages. The search filters let you select filtering
criteria that are related to the objects you are searching for.
Table 1-1 describes a few additional features that can help you to use View Administrator.
Table 1-1. View Administrator Navigation and Display Features
View Administrator Feature Description
Navigating backward and forward in
View Administrator pages
Bookmarking View Administrator pages You can bookmark View Administrator pages in your browser.
Multicolumn sorting You can sort View objects in a variety of ways by using multicolumn sorting.
Customizing table columns You can customize the display of View Administrator table columns by hiding
Click your browser's Back button to go to the previously displayed View
Administrator page. Click the Forward button to return to the current page.
you click the browser's Back button while you are using a View Administrator
If
wizard or dialog box, you return to the main View Administrator page. The
information you entered in the wizard or dialog is lost.
In View versions that preceded the View 5.1 release, you could not use your
browser's Back and Forward buttons to navigate within View Administrator.
Separate Back and Forward buttons in the View Administrator window were
provided for navigation. These buttons are removed in the View 5.1 release.
Click a heading in the top row of a View Administrator table to sort the View
objects in alphabetical order based on that heading.
For example, in the Inventory > Desktops page, you can click Pool to sort
desktops by the pools that contain them.
The number 1 appears next to the heading to indicate that it is the primary
sorting column. You can click the heading again to reverse the sorting order,
indicated by an up or down arrow.
To sort the View objects by a secondary item, Ctrl+click another heading.
For
example, in the Desktops table, you can click Users to perform a secondary
sort by users to whom the desktops are dedicated. A number 2 appears next to
the secondary heading. In this example, desktops are sorted by pool and by users
within each pool.
You can continue to Ctrl+click to sort all the columns in a table in descending
order of importance.
Press Ctrl+Shift and click to deselect a sort item.
For example, you might want to display the desktops in a pool that are in a
particular state and are stored on a particular datastore. You can click
Inventory > Pools, double-click the pool ID, click the Inventory tab, click the
Datastore heading, and Ctrl+click the Status heading.
selected columns and locking the first column. This feature lets you control the
display of large tables such as Inventory > Desktops that contain many columns.
Right-click any column header to display a context menu that lets you take the
following actions:
n
Hide the selected column.
n
Customize columns. A dialog displays all columns in the table. You can
select the columns to display or hide.
n
Lock the first column. This option forces the left-hand column to remain
displayed as you scroll horizontally across a table with many columns. For
example, on the Inventory > Desktops page, the desktop ID remains
displayed as you scroll horizontally to see other desktop characteristics.
Your customized settings persist while you remain on the current View
Administrator page. The settings do not persist if you navigate to another page.
VMware, Inc. 13
Page 14
VMware Horizon View Administration
Table 1-1. View Administrator Navigation and Display Features
View Administrator Feature Description
Selecting View objects and displaying
View object details
Expanding dialog boxes to view details You can expand View Administrator dialog boxes to view details such as
Displaying context menus for View
objects
In View Administrator tables that list View objects, you can select an object or
display object details.
n
select an object, click anywhere in the object's row in the table. At the top
To
of the page, menus and commands that manage the object become active.
n
To display object details, double-click the left cell in the object's row. A new
page displays the object's details.
For example, on the Inventory > Pools page, click anywhere in an individual
pool's row to activate commands that affect the pool.
Double-click the Pool ID cell in the left column to display a new page that
contains details about the pool.
desktop names and user names in table columns.
To expand a dialog box, place your mouse over the dots in the lower right corner
of the dialog box and drag the corner.
You can right-click View objects in View Administrator tables to display context
menus. A context menu gives you access to the commands that operate on the
selected View object.
For example, in the Inventory > Pools page, you can right-click a desktop pool
to display commands such as Add, Edit, Delete, Disable (or Enable)
Provisioning, and so on.
(Continued)
Troubleshooting the Text Display in View Administrator
If your Web browser runs on a non-Windows operating system such as Linux, UNIX, or Mac OS, the text in
View Administrator does not display properly.
Problem
The text in the View Administrator interface is garbled. For example, spaces occur in the middle of words.
Cause
View Administrator requires Microsoft-specific fonts.
Solution
Install Microsoft-specific fonts on your computer.
Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from
independent Web sites.
Configuring vCenter Server and View Composer
To
use virtual machines as desktop sources, you must configure View Manager to communicate with vCenter
Server. To create and manage linked-clone desktops, you must configure View Composer settings in View
Manager.
You can also configure storage settings for View. You can allow ESXi hosts to reclaim disk space on linkedclone virtual machines. To allow ESXi hosts to cache virtual machine data, you must enable View Storage
Accelerator for vCenter Server.
14 VMware, Inc.
Page 15
Chapter 1 Configuring View Connection Server
Create a User Account for View Composer
If you use View Composer, you must create a user account in Active Directory to use with View Composer.
View Composer requires this account to join linked-clone desktops to your Active Directory domain.
To ensure security, you should create a separate user account to use with View Composer. By creating a
separate account, you can guarantee that it does not have additional privileges that are defined for another
purpose.
in a specified Active Directory container. For example, the View Composer account does not require domain
administrator privileges.
Procedure
1 In Active Directory, create a user account in the same domain as your View Connection Server host or in
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to
You can give the account the minimum privileges that it needs to create and remove computer objects
a trusted domain.
the account in the Active Directory container in which the linked-clone computer accounts are created or
to which the linked-clone computer accounts are moved.
The following list shows all the required permissions for the user account, including permissions that are
assigned by default:
n
List Contents
n
Read All Properties
n
Write All Properties
n
Read Permissions
n
Reset Password
n
Create Computer Objects
n
Delete Computer Objects
NOTE If you select the Allow reuse of pre-existing computer accounts setting for a desktop pool, you
only need to add the following permissions:
n
List Contents
n
Read All Properties
n
Read Permissions
n
Reset Password
3 Make sure that the user account's permissions apply to the Active Directory container and to all child
objects of the container.
What to do next
Specify
the account in View Administrator when you configure View Composer for vCenter Server and when
you configure and deploy linked-clone desktop pools.
Add vCenter Server Instances to View Manager
You must configure View Manager to connect to the vCenter Server instances in your View deployment.
vCenter Server creates and manages the virtual machines that View Manager uses as desktop sources.
If you run vCenter Server instances in a Linked Mode group, you must add each vCenter Server instance to
View Manager separately.
View Manager connects to the vCenter Server instance using a secure channel (SSL).
VMware, Inc. 15
Page 16
VMware Horizon View Administration
Prerequisites
n
Install the View Connection Server product license key.
n
Prepare a vCenter Server user with permission to perform the operations in vCenter Server that are
necessary
to support View Manager. To use View Composer, you must give the user additional privileges.
To manage desktops that are used in local mode, you must give the user privileges in addition to those
that are required for View Manager and View Composer.
For details about configuring a vCenter Server user for View Manager, see the VMware Horizon View
Installation document.
n
Verify that an SSL server certificate is installed on the vCenter Server host. In a production environment,
install a valid SSL certificate that is signed by a trusted Certificate Authority (CA).
In a testing environment, you can use the default certificate that is installed with vCenter Server, but you
must accept the certificate thumbprint when you add vCenter Server to View.
n
Verify that all View Connection Server instances in the replicated group trust the root CA certificate for
the server certificate that is installed on the vCenter Server host. Check if the root CA certificate is in the
Trusted Root Certification Authorities > Certificates folder in the Windows local computer certificate
stores on the View Connection Server hosts. If it is not, import the root CA certificate into the Windows
local computer certificate stores.
See "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store" in the
VMware Horizon View Installation document.
n
Verify that the vCenter Server instance contains ESXi hosts. If no hosts are configured in the vCenter Server
instance, you cannot add the instance to View.
n
Familiarize yourself with the settings that determine the maximum operations limits for vCenter Server
and View Composer. See “Concurrent Operations Limits for vCenter Server and View Composer,” on
page 21 and “Setting a Concurrent Power Operations Rate to Support View Desktop Logon Storms,” on
page 22.
Procedure
1 In View Administrator, click View Configuration > Servers.
2 In the vCenter Servers tab, click Add.
3 In the vCenter Server Settings server address text box, type the fully qualified domain name (FQDN) of
the vCenter Server instance.
The FQDN includes the host name and domain name. For example, in the FQDN
myserverhost.companydomain
.com,
myserverhost
is the host name and
companydomain
.com is the domain.
NOTE If you enter a server by using a DNS name or URL, View Manager does not perform a DNS lookup
to verify whether an administrator previously added this server to View Manager by using its IP address.
A conflict arises if you add a vCenter Server with both its DNS name and its IP address.
4 Type the name of the vCenter Server user.
For example: domain\user or user@domain.com
5
Type the vCenter Server user password.
6 (Optional) Type a description for this vCenter Server instance.
7 Type the TCP port number.
The default port is 443.
8 Under Advanced Settings, set the concurrent operations limits for vCenter Server and View Composer
operations.
16 VMware, Inc.
Page 17
Chapter 1 Configuring View Connection Server
9 Click Next to display the View Composer Settings page.
What to do next
Configure View Composer settings.
n
If the vCenter Server instance is configured with a signed SSL certificate, and View Connection Server
trusts the root certificate, the Add vCenter Server wizard displays the View Composer Settings page.
n
If the vCenter Server instance is configured with a default certificate, you must first determine whether
to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL
Certificate,” on page 23.
If
View Manager uses multiple vCenter Server instances, repeat this procedure to add the other vCenter Server
instances.
Configure View Composer Settings
To use View Composer, you must configure settings that allow View Manager to connect to the View Composer
service. View Composer can be installed on its own separate host or on the same host as vCenter Server.
There must be a one-to-one mapping between each View Composer service and vCenter Server instance. A
View Composer service can operate with only one vCenter Server instance. A vCenter Server instance can be
associated with only one View Composer service.
After the initial View deployment, you can migrate the View Composer service to a new host to support a
growing or changing View deployment. You can edit the initial View Composer settings in View
Administrator, but you must perform additional steps to ensure that the migration succeeds. See “Migrate
View Composer to Another Computer,” on page 362.
Prerequisites
n
Verify that you created a user in Active Directory with permission to add and remove virtual machines
from the Active Directory domain that contains your linked clones. See “Create a User Account for View
Composer,” on page 15.
n
Verify that you configured View Manager to connect to vCenter Server. To do so, you must complete the
vCenter Server Information page in the Add vCenter Server wizard. See “Add vCenter Server Instances
to View Manager,” on page 15.
n
Verify that this View Composer service is not already configured to connect to a different vCenter Server
instance.
Procedure
1 In View Administrator, complete the vCenter Server Information page in the Add vCenter Server wizard.
a Click View Configuration > Servers.
b In the vCenter Servers tab, click Add and provide the vCenter Server settings.
2 On the View Composer Settings page, if you are not using View Composer, select Do not use View
Composer.
If you select Do not use View Composer, the other View Composer settings become inactive. When you
click Next, the Add vCenter Server wizard displays the Storage Settings page. The View Composer
Domains page is not displayed.
VMware, Inc. 17
Page 18
VMware Horizon View Administration
3 If you are using View Composer, select the location of the View Composer host.
Option Description
View Composer is installed on the
same host as vCenter Server.
View Composer is installed on its
own separate host.
4
Click Next to display the View Composer Domains page.
What to do next
Configure View Composer domains.
a Select View Composer co-installed with the vCenter Server.
b Make
a Select Standalone View Composer Server.
b
c Type the name of the View Composer user.
d Type the password of the View Composer user.
e Make sure that the port number is the same as the port that you specified
sure that the port number is the same as the port that you specified
when you installed the View Composer service on vCenter Server. The
default port number is 18443.
In the View Composer server address text box, type the fully qualified
domain name (FQDN) of the View Composer host.
For example: domain.com\user or user@domain.com
when you installed the View Composer service. The default port number
is 18443.
n
If the View Composer instance is configured with a signed SSL certificate, and View Connection Server
trusts the root certificate, the Add vCenter Server wizard displays the View Composer Domains page.
n
If the View Composer instance is configured with a default certificate, you must first determine whether
to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL
Certificate,” on page 23.
Configure View Composer Domains
You must configure an Active Directory domain in which View Composer deploys linked-clone desktops. You
can configure multiple domains for View Composer. After you first add vCenter Server and View Composer
settings to View, you can add more View Composer domains by editing the vCenter Server instance in View
Administrator.
Prerequisites
In View Administrator, verify that you completed the vCenter Server Information and View Composer Settings
pages in the Add vCenter Server wizard.
Procedure
1 On the View Composer Domains page, click Add to add the domain user for View Composer account
information.
2 Type the domain name of the Active Directory domain.
For example: domain.com
3 Type the domain user name, including the domain name.
For example: domain.com\admin
4 Type the account password.
5 Click OK.
6 To add domain user accounts with privileges in other Active Directory domains in which you deploy
linked-clone pools, repeat the preceding steps.
18 VMware, Inc.
Page 19
Chapter 1 Configuring View Connection Server
7 Click Next to display the Storage Settings page.
What to do next
Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.
Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines
In vSphere 5.1 and later, you can enable the disk space reclamation feature for View. Starting in vSphere 5.1,
View
creates linked-clone virtual machines in an efficient disk format that allows ESXi hosts to reclaim unused
disk space in the linked clones, reducing the total storage space required for linked clones.
As users interact with linked-clone desktops, the clones' OS disks grow and can eventually use almost as much
disk space as full-clone desktops. Disk space reclamation reduces the size of the OS disks without requiring
you to refresh or recompose the linked clones. Space can be reclaimed while the virtual machines are powered
on and users are interacting with their desktops.
Disk space reclamation is especially useful for deployments that cannot take advantage of storage-saving
strategies such as refresh on logoff. For example, knowledge workers who install user applications on dedicated
desktops might lose their personal applications if the desktops were refreshed or recomposed. With disk space
reclamation, View can maintain linked clones at close to the reduced size they start out with when they are
first provisioned.
This feature has two components: space-efficient disk format and space reclamation operations.
In a vSphere 5.1 or later environment, when a parent virtual machine is virtual hardware version 9 or later,
View creates linked clones with space-efficient OS disks, whether or not space reclamation operations are
enabled.
To enable space reclamation operations, you must use View Administrator to enable space reclamation for
vCenter Server and reclaim VM disk space for individual desktop pools. The space reclamation setting for
vCenter Server gives you the option to disable this feature on all desktop pools that are managed by the vCenter
Server instance. Disabling the feature for vCenter Server overrides the setting at the desktop pool level.
The following guidelines apply to the space reclamation feature:
n
It operates only on space-efficient OS disks in linked clones.
n
It does not affect View Composer persistent disks.
n
It works only with vSphere 5.1 or later and only on desktops that are virtual hardware version 9 or later.
n
It does not operate on full-clone desktops.
n
It operates on virtual machines with SCSI controllers. IDE controllers are not supported.
n
It operates on Windows XP and Windows 7 desktops only. It does not operate on Windows 8 desktops.
Native NFS snapshot technology (VAAI) is not supported in pools that contain virtual machines with spaceefficient disks.
Prerequisites
n
Verify that your vCenter Server and ESXi hosts are version 5.1 with ESXi 5.1 download patch
ESXi510-201212001 or later.
In an ESXi cluster, verify that all the hosts are version 5.1 with download patch ESXi510-201212001 or later.
VMware, Inc. 19
Page 20
VMware Horizon View Administration
Procedure
1 In
View Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings
page.
a Select View Configuration > Servers.
b In the vCenter Servers tab, click Add.
c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains
pages.
2 On the Storage Settings page, make sure that Enable space reclamation is selected.
Space reclamation is selected by default if you are performing a fresh installation of View 5.2 or later. You
must select Enable space reclamation if you are upgrading to View 5.2 or later from View 5.1 or an earlier
release.
What to do next
On the Storage Settings page, configure View Storage Accelerator.
To finish configuring disk space reclamation in View, set up space reclamation for desktop pools.
Configure View Storage Accelerator for vCenter Server
In vSphere 5.0 and later, you can configure ESXi hosts to cache virtual machine disk data. This feature, called
View Storage Accelerator, uses the Content Based Read Cache (CBRC) feature in ESXi hosts. View Storage
Accelerator improves View performance during I/O storms, which can take place when many desktops start
up or run anti-virus scans at once. The feature is also beneficial when administrators or users load applications
or data frequently. Instead of reading the entire OS or application from the storage system over and over, a
host can read common data blocks from cache.
By reducing the number of IOPS during boot storms, View Storage Accelerator lowers the demand on the
storage array, which lets you use less storage I/O bandwidth to support your View deployment.
You enable caching on your ESXi hosts by selecting the View Storage Accelerator setting in the vCenter Server
wizard in View Administrator, as described in this procedure.
Make sure that View Storage Accelerator is also configured for individual desktop pools. View Storage
Accelerator is enabled for pools by default, but this feature can be disabled or enabled when you create or edit
a pool. To operate on a pool, View Storage Accelerator must be enabled for vCenter Server and for the
individual pool.
You can enable View Storage Accelerator on pools that contain linked clones and pools that contain full virtual
machines.
View Storage Accelerator is also supported with local mode. Users can check out desktops in pools that are
enabled for View Storage Accelerator. View Storage Accelerator is disabled while a desktop is checked out and
reenabled after the desktop is checked in.
Native NFS snapshot technology (VAAI) is not supported in pools that are enabled for View Storage
Accelerator.
View Storage Accelerator is now qualified to work in configurations that use View replica tiering, in which
replicas are stored on a separate datastore than linked clones. Although the performance benefits of using View
Storage Accelerator with View replica tiering are not materially significant, certain capacity-related benefits
might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and
supported.
20 VMware, Inc.
Page 21
Chapter 1 Configuring View Connection Server
Prerequisites
n
Verify that your vCenter Server and ESXi hosts are version 5.0 or later.
In an ESXi cluster, verify that all the hosts are version 5.0 or later.
n
Verify
that the vCenter Server user was assigned the Global > Act as vCenter Server privilege in vCenter
Server. See the topics in the VMware Horizon View Installation documentation that describe View Manager
and View Composer privileges required for the vCenter Server user.
Procedure
1 In View Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings
page.
a Select View Configuration > Servers.
b In the vCenter Servers tab, click Add.
c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains
pages.
2 On the Storage Settings page, make sure that the Enable View Storage Accelerator check box is selected.
This check box is selected by default.
3 Specify a default host cache size.
The default cache size applies to all ESXi hosts that are managed by this vCenter Server instance.
The default value is 1,024MB. The cache size must be between 100MB and 2,048MB.
4 To specify a different cache size for an individual ESXi host, select an ESXi host and click Edit cache
size.
a In the Host cache dialog box, check Override default host cache size.
b Type a Host cache size value between 100MB and 2,048MB and click OK.
5 On the Storage Settings page, click Next.
6 Click Finish to add vCenter Server, View Composer, and Storage Settings to View.
What to do next
Configure settings for client sessions and connections. See “Configuring Settings for Client Sessions,” on
page 26.
To complete View Storage Accelerator settings in View, configure View Storage Accelerator for desktop pools.
See “Configure View Storage Accelerator for Desktop Pools,” on page 145.
Concurrent Operations Limits for vCenter Server and View Composer
When you add vCenter Server to View or edit the vCenter Server settings, you can configure several options
that set the maximum number of concurrent operations that are performed by vCenter Server and View
Composer.
You configure these options in the Advanced Settings panel on the vCenter Server Information page.
VMware, Inc. 21
Page 22
VMware Horizon View Administration
Table 1-2. Concurrent Operations Limits for vCenter Server and View Composer
Setting Description
Max concurrent vCenter provisioning operations Determines the maximum number of concurrent requests
Max concurrent power operations Determines the maximum number of concurrent power
Max concurrent View Composer maintenance operations Determines the maximum number of concurrent View
Max concurrent View Composer provisioning operations Determines the maximum number of concurrent creation
that View Manager can make to provision and delete full
virtual machines in this vCenter Server instance.
The default value is 20.
This setting applies to full virtual machines only.
operations (startup, shutdown, suspend, and so on) that can
take place on virtual machines managed by View Manager
in this vCenter Server instance.
The default value is 50.
For guidelines for calculating a value for this setting, see
“Setting a Concurrent Power Operations Rate to Support
View Desktop Logon Storms,” on page 22.
This setting applies to full virtual machines and linked
clones.
Composer refresh, recompose, and rebalance operations that
can take place on linked clones managed by this View
Composer instance.
The default value is 12.
Desktops that have active sessions must be logged off before
a maintenance operation can begin. If you force users to log
off as soon as a maintenance operation begins, the maximum
number of concurrent operations on desktops that require
logoffs is half the configured value. For example, if you
configure this setting as 24 and force users to log off, the
maximum number of concurrent operations on desktops that
require logoffs is 12.
This setting applies to linked clones only.
and deletion operations that can take place on linked clones
managed by this View Composer instance.
The default value is 8.
This setting applies to linked clones only.
Setting a Concurrent Power Operations Rate to Support View Desktop Logon Storms
The Max
that can occur on View desktop virtual machines in a vCenter Server instance. Starting in View 5.0, this limit
is set to 50 by default. You can change this value to support peak power-on rates when many users log on to
their desktops at the same time.
As a best practice, you can conduct a pilot phase to determine the correct value for this setting. For planning
guidelines, see "Architecture Design Elements and Planning Guidelines" in the VMware Horizon View
Architecture Planning document.
The required number of concurrent power operations is based on the peak rate at which desktops are powered
on and the amount of time it takes for the desktop to power on, boot, and become available for connection. In
general, the recommended power operations limit is the total time it takes for the desktop to start multiplied
by the peak power-on rate.
For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power
operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support a
peak power-on rate of 16 desktops per minute.
22 VMware, Inc.
concurrent power operations setting governs the maximum number of concurrent power operations
Page 23
Chapter 1 Configuring View Connection Server
View waits a maximum of five minutes for a desktop to start. If the start time takes longer, other errors are
likely
to occur. To be conservative, you can set a concurrent power operations limit of 5 times the peak poweron rate. With a conservative approach, the default setting of 50 supports a peak power-on rate of 10 desktops
per minute.
Logons, and therefore desktop power on operations, typically occur in a normally distributed manner over a
certain time window. You can approximate the peak power-on rate by assuming that it occurs in the middle
of the time window, during which about 40% of the power-on operations occur in 1/6th of the time window.
For example, if users log on between 8:00 AM and 9:00 AM, the time window is one hour, and 40% of the logons
occur in the 10 minutes between 8:25 AM and 8:35 AM. If there are 2,000 users, 20% of whom have their desktops
powered off, then 40% of the 400 desktop power-on operations occur in those 10 minutes. The peak power-on
rate is 16 desktops per minute.
Accept the Thumbprint of a Default SSL Certificate
When you add vCenter Server and View Composer instances to Horizon View, you must ensure that the SSL
certificates that are used for the vCenter Server and View Composer instances are valid and trusted by View
Connection Server. If the default certificates that are installed with vCenter Server and View Composer are
still in place, you must determine whether to accept these certificates' thumbprints.
If a vCenter Server or View Composer instance is configured with a certificate that is signed by a CA, and the
root certificate is trusted by View Connection Server, you do not have to accept the certificate thumbprint. No
action is required.
If you replace a default certificate with a certificate that is signed by a CA, but View Connection Server does
not trust the root certificate, you must determine whether to accept the certificate thumbprint. A thumbprint
is a cryptographic hash of a certificate. The thumbprint is used to quickly determine if a presented certificate
is the same as another certificate, such as the certificate that was accepted previously.
NOTE If you install vCenter Server and View Composer on the same Windows Server host, they can use the
same SSL certificate, but you must configure the certificate separately for each component.
For details about configuring SSL certificates, see "Configuring SSL Certificates for View Servers" in the
VMware Horizon View Installation document.
You first add vCenter Server and View Composer in View Administrator by using the Add vCenter Server
wizard.
If a certificate is untrusted and you do not accept the thumbprint, you cannot add vCenter Server and
View Composer.
After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.
NOTE You also must accept a certificate thumbprint when you upgrade from an earlier release to
Horizon View 5.1 or later, and a vCenter Server or View Composer certificate is untrusted, or if you replace a
trusted certificate with an untrusted certificate.
On the View Administrator dashboard, the vCenter Server or View Composer icon turns red and an Invalid
Certificate Detected dialog box appears. You must click Verify and follow the procedure shown here.
Similarly, in View Administrator you can configure a SAML 2.0 authenticator for use by a View Connection
Server
instance. If the SAML 2.0 server certificate is not trusted by View Connection Server, you must determine
whether to accept the certificate thumbprint. If you do not accept the thumbprint, you cannot configure the
SAML 2.0 authenticator in Horizon View. After a SAML 2.0 authenticator is configured, you can reconfigure
it in the Edit View Connection Server dialog box.
Procedure
1 When View Administrator displays an Invalid Certificate Detected dialog box, click View Certificate.
2 Examine the certificate thumbprint in the Certificate Information window.
VMware, Inc. 23
Page 24
VMware Horizon View Administration
3 Examine
the certificate thumbprint that was configured for the vCenter Server or View Composer instance.
a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows
Certificate Store.
b Navigate to the vCenter Server or View Composer certificate.
c Click the Certificate Details tab to display the certificate thumbprint.
Similarly, examine the certificate thumbprint for a SAML 2.0 authenticator. If appropriate, take the
preceding steps on the SAML 2.0 authenticator host.
4 Verify that the thumbprint in the Certificate Information window matches the thumbprint for the
vCenter Server or View Composer instance.
Similarly, verify that the thumbprints match for a SAML 2.0 authenticator.
5 Determine whether to accept the certificate thumbprint.
Option Description
The thumbprints match.
The thumbprints do not match.
Click Accept to use the default certificate.
Click Reject.
Troubleshoot the mismatched certificates. For example, you might have
provided an incorrect IP address for
vCenter Server or View Composer.
Remove a vCenter Server Instance from View Manager
You
can remove the connection between View Manager and a vCenter Server instance. When you do so, View
Manager no longer manages the View desktops created in that vCenter Server instance.
Prerequisites
Delete all the View desktops that are associated with the vCenter Server instance. See “Delete a Desktop Pool
from View Manager,” on page 269.
Procedure
1 Click View Configuration > Servers.
2 In the vCenter Servers panel, select the vCenter Server instance.
3 Click Remove.
A dialog warns you that View Manager will no longer have access to the virtual machines that are managed
by this vCenter Server instance.
4 Click OK.
View Manager can no longer access the virtual machines created in the vCenter Server instance.
Remove View Composer from View Manager
You can remove the connection between View Manager and the View Composer service that is associated with
a vCenter Server instance.
Before you disable the connection to View Composer, you must remove from View Manager all the linkedclone desktops that were created by View Composer. View Manager prevents you from removing View
Composer if any associated linked clones still exist. After the connection to View Composer is disabled, View
Manager cannot provision or manage new linked clones.
24 VMware, Inc.
Page 25
Chapter 1 Configuring View Connection Server
Procedure
1
Remove the linked-clone pools that were created by View Composer.
a In View Administrator, click Inventory > Pools.
b Select a linked-clone pool and click Delete.
A dialog box warns that you will permanently delete the linked-clone pool from View Manager. If
the linked-clone desktops are configured with persistent disks, you can detach or delete the persistent
disks.
c Click OK.
The virtual machines are deleted from vCenter Server. In addition, the associated View Composer
database entries and the replicas that were created by View Composer are removed.
d Repeat these steps for each linked-clone pool that was created by View Composer.
2 Click View Configuration > Servers.
3 In the vCenter Servers tab, select the vCenter Server instance with which View Composer is associated.
4 Click Edit.
5 Under View Composer Server Settings, click Edit, select Do not use View Composer, and click OK.
You can no longer create linked-clone desktops in this vCenter Server instance, but you can continue to create
and manage full virtual-machine desktop pools in the vCenter Server instance.
What to do next
If you intend to install View Composer on another host and reconfigure View Manager to connect to the new
View Composer service, you must perform certain additional steps. See “Migrate View Composer Without
Linked-Clone Desktops,” on page 365.
Conflicting vCenter Server Unique IDs
If you have multiple vCenter Server instances configured in your environment, an attempt to add a new
instance might fail because of conflicting unique IDs.
Problem
You try to add a vCenter Server instance to View Manager, but the unique ID of the new vCenter Server instance
conflicts with an existing instance.
Cause
Two vCenter Server instances cannot use the same unique ID. By default, a vCenter Server unique ID is
randomly generated, but you can edit it.
Solution
1 In vSphere Client, click Administration > vCenter Server Settings > Runtime Settings.
2 Type a new unique ID and click OK.
For details about editing vCenter Server unique ID values, see the vSphere documentation.
VMware, Inc. 25
Page 26
VMware Horizon View Administration
Backing Up View Connection Server
you complete the initial configuration of View Connection Server, you should schedule regular backups
After
of your View Manager and View Composer configuration data.
For information about backing up and restoring your View configuration, see “Backing Up and Restoring View
Configuration Data,” on page 351.
Configuring Settings for Client Sessions
You can configure global settings that affect the client sessions and connections that are managed by a View
Connection Server instance or replicated group. You can set the session timeout length, display prelogin and
warning messages, and set security-related client connection options.
Set Options for Client Sessions and Connections
You configure global settings to determine the way client sessions and connections work.
The global settings are not specific to a single View Connection Server instance. They affect all client sessions
that are managed by a standalone View Connection Server instance or a group of replicated instances.
You can also configure View Connection Server instances to use direct, nontunneled connections between View
clients and View desktops. See “Configure the Secure Tunnel and PCoIP Secure Gateway,” on page 31 for
information about configuring direct connections.
Prerequisites
Familiarize yourself with the global settings. See “Global Settings for Client Sessions,” on page 28 and “Global
Security Settings for Client Sessions and Connections,” on page 29.
Procedure
1 In View Administrator, click View Configuration > Global Settings.
2 Choose whether to configure general settings or security settings.
Option Description
General global settings
Global security settings
3
Configure the global settings.
4 Click OK.
What to do next
You can change the data recovery password that was provided during installation. See “Change the Data
Recovery Password,” on page 26.
In the General pane, click Edit.
In the Security pane, click Edit.
Change the Data Recovery Password
You provide a data recovery password when you install View Connection Server version 5.1 or later. After
installation, you can change this password in View Administrator. The password is required when you restore
the View LDAP configuration from a backup.
When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data.
To restore the encrypted backup View configuration, you must provide the data recovery password.
The password must contain between 1 and 128 characters. Follow your organization's best practices for
generating secure passwords.
26 VMware, Inc.
Page 27
Chapter 1 Configuring View Connection Server
Procedure
1
In View Administrator, click View Configuration > Global Settings.
2 In the Security pane, click Change data recovery password.
3 Type and retype the new password.
4 (Optional) Type a password reminder.
NOTE You can also change the data recovery password when you schedule your View configuration data to
be backed up. See “Schedule View Manager Configuration Backups,” on page 352.
What to do next
When you use the vdmimport utility to restore a backup View configuration, provide the new password.
VMware, Inc. 27
Page 28
VMware Horizon View Administration
Global Settings for Client Sessions
General
global settings determine session timeout lengths, SSO enablement and timeout limits, status updates
in View Administrator, and whether prelogin and warning messages are displayed.
Table 1-3. General Global Settings for Client Sessions
Setting Description
Session timeout Determines how long a user can keep a session open after logging in to
View Connection Server.
The value is set in minutes. You must type a value. The default is 600
minutes.
When a desktop session times out, the session is terminated and the
View client is disconnected from the desktop.
This value determines the amount of time that a single View Client
can stay connected to a desktop. It does not affect the amount of
session
time that a Windows session remains running on a desktop virtual
machine.
SSO Determines whether to enable or disable Single Sign-on (SSO) for View
users and sets the SSO timeout limit.
When SSO is in effect, when a user logs in to View Connection Server
from View Client, the user does not have to log in again to connect to
the View desktop. During a desktop session, a user can leave the
desktop, allow it to become inactive, and return without having to
authenticate again.
This setting has the following options:
n
Disable after. Enables SSO until the specified timeout limit is
reached. This is the default option.
By default, the user's SSO credentials are no longer valid after 15
minutes. This SSO timeout limit reduces the chance that someone
else could start using the desktop session.
You can change the SSO timeout limit by typing another value in
the Disable after text box.
The timeout limit is set in minutes. The time limit counter starts
when the user logs in to View Connection Server. For example, if
you set the value to 10 minutes, the user's SSO credentials are
invalidated 10 minutes after the user logs in to View Connection
Server.
n
Always enabled. Enables SSO with no timeout limit.
n
Disabled. Disables SSO altogether.
On
remote desktops, a new SSO timeout limit takes effect immediately.
You do not need to restart the View Connection Server service or the
client computer. For desktops that run in local mode, see “SSO Timeout
Limits and Local Mode Desktops,” on page 29.
View Administrator session timeout Determines how long an idle View Administrator session continues
before the session times out.
IMPORTANT Setting the View Administrator session timeout to a high
number of minutes increases the risk of unauthorized use of View
Administrator. Use caution when you allow an idle session to persist a
long time.
By default, the View Administrator session timeout is 30 minutes. You
can set a session timeout from 1 to 4320 minutes (72 hours).
Enable automatic status updates Determines if View Manager updates the global status pane in the upper
left corner of View Administrator every few minutes. The dashboard
page of View Administrator is also updated every few minutes.
By default, this setting is not enabled.
28 VMware, Inc.
Page 29
Chapter 1 Configuring View Connection Server
Table 1-3. General Global Settings for Client Sessions
Setting Description
Display a pre-login message Displays a disclaimer or another message to View Client users when
they log in.
Type your information or instructions in the text box in the Global
Settings dialog window.
To display no message, leave the check box unselected.
Display warning before forced logoff Displays a warning message when users are forced to log off because a
scheduled or immediate update such as a desktop-refresh operation is
about to start. This setting also determines how long to wait after the
warning is shown before the user is logged off.
Check the box to display a warning message.
Type
before logging off the user. The default is five minutes.
Type your warning message. You can use the default message:
Your desktop is scheduled for an important update and
will be shut down in 5 minutes. Please save any unsaved
work now.
(Continued)
the number of minutes to wait after the warning is displayed and
SSO Timeout Limits and Local Mode Desktops
On desktops that run in local mode, a new SSO timeout limit takes effect the next time a client computer that
hosts the local desktop sends a heartbeat message to View Connection Server.
On View desktops that are used in local mode, a checkout operation might take longer than the SSO timeout
limit. In this case, the user's SSO credentials expire before the checkout is completed.
For
example, you might set the SSO timeout limit to 10 minutes. A user might log in to View Connection Server
and check out a desktop. If the checkout takes 20 minutes and the user then launches the desktop, the user still
needs to log in to the desktop manually, even though the user has not yet spent any time in a desktop session.
SSO succeeds after the user closes View Client and reconnects to View Connection Server.
A first-time checkout in a low-bandwidth environment might take longer than 15 minutes, the default timeout
limit. A user's SSO credentials might expire during the first checkout if the default SSO timeout limit is in effect.
Global Security Settings for Client Sessions and Connections
Global security settings determine whether clients are reauthenticated after interruptions, message security
mode is enabled, IPSec is used for security server connections, and SSO is used for local desktop operations.
SSL is required for all View Client connections and View Administrator connections to View. If your View
deployment uses load balancers or other client-facing, intermediate servers, you can off-load SSL to them and
then configure non-SSL connections on individual View Connection Server instances and security servers. See
“Off-load SSL Connections to Intermediate Servers,” on page 33.
VMware, Inc. 29
Page 30
VMware Horizon View Administration
Table 1-4. Global Security Settings for Client Sessions and Connections
Setting Description
Reauthenticate secure tunnel connections after
network interruption
Message security mode Determines if signing and verification of the JMS messages passed
Use IPSec for Security Server connections Determines whether to use Internet Protocol Security (IPSec) for
Disable Single Sign-on for Local Mode
operations
Determines if user credentials must be reauthenticated after a network
interruption when View clients use secure tunnel connections to View
desktops.
When you select this setting, if a secure tunnel connection ends during
a desktop session, View Client requires the user to reauthenticate before
reconnecting.
This setting offers increased security. For example, if a laptop is stolen
and moved to a different network, the user cannot automatically gain
access to the remote desktop because the network connection was
temporarily interrupted.
When this setting is not selected, the client reconnects to the desktop
without requiring the user to reauthenticate.
This setting has no effect when you use direct connection.
between View Manager components takes place. For details, see
“Message Security Mode for View Components,” on page 30.
By default, message security mode is enabled.
connections between security servers and View Connection Server
instances.
By default, secure connections (using IPSec) for security server
connections is enabled.
Determines if single sign-on is enabled when users log in to their local
desktops.
If you enable this setting, users must manually log in to their desktops
to start their Windows sessions after they log in.
When you change this setting, the change takes effect for each user at
the next user operation.
NOTE If you upgrade to View 5.1 or later from an earlier View release, the global setting Require SSL for
client connections is displayed in View Administrator, but only if the setting was disabled in your View
configuration before you upgraded. Because SSL is required for all View Client connections and View
Administrator connections to View, this setting is not displayed in fresh installations of View 5.1 or later
versions and is not displayed after an upgrade if the setting was already enabled in the previous View
configuration.
After an upgrade, if you do not enable the Require SSL for client connections setting, HTTPS connections
from View clients will fail, unless they connect to an intermediate device that is configured to make onward
connections using HTTP. See “Off-load SSL Connections to Intermediate Servers,” on page 33.
Message Security Mode for View Components
You can set message security mode for View components. This setting determines how sender signatures in
JMS messages are treated. By default, JMS messages are rejected if the signature is missing or invalid, or if a
message was modified after it was signed.
If any component in your View environment predates View Manager 3.0, when message security was
introduced, you can change the mode to log a warning if any of these conditions are found, or to not verify
signatures at all. These options are not recommended and it is preferable to upgrade older components.
Some
JMS messages are encrypted because they carry sensitive information such as user credentials. Consider
using IPSec to encrypt all JMS messages between View Connection Server instances, and between View
Connection Server instances and security servers.
30 VMware, Inc.
Page 31
Chapter 1 Configuring View Connection Server
Table 1-5 shows the options you can select to configure the message security mode. To set an option, select it
from the Message security mode list in the Global Settings dialog window.
Table 1-5. Message Security Mode Options
Option Description
Disabled Message security mode is disabled.
Mixed Message security mode is enabled but not enforced.
You can use this mode to detect components in your View environment that predate
View Manager 3.0. The log files generated by View Connection Server contain references
to these components.
Enabled Message security mode is enabled. Unsigned messages are rejected by View components.
Message security mode is enabled by default.
NOTE View components that predate View Manager 3.0 are not allowed to communicate
with other View components
When you first install View on a system, the message security mode is set to Enabled. If you upgrade View,
the message security mode remains unchanged from its existing setting.
Message
security mode is supported in View Manager 3.0 and later. If you change the message security mode
from Disabled or Mixed to Enabled, you cannot launch a desktop with a View Agent from Virtual Desktop
Manager version 2.1 or earlier. If you then change the message security mode from Enabled to Mixed or
Disabled, the desktop still fails to launch. To launch a desktop after you change the message security mode
from Enabled to Mixed or Disabled, you must restart the desktop.
If you plan to change an active View environment from Disabled to Enabled, or from Enabled to Disabled,
change to Mixed mode for a short time before you make the final change. For example, if your current mode
is Disabled, change to Mixed mode for one day, then change to Enabled. In Mixed mode, signatures are
attached to messages but not verified, which allows the change of message mode to propagate through the
environment.
Configure the Secure Tunnel and PCoIP Secure Gateway
When the secure tunnel is enabled, View Client makes a second HTTPS connection to the View Connection
Server or security server host when users connect to a View desktop.
When the PCoIP Secure Gateway is enabled, View Client makes a further secure connection to the View
Connection Server or security server host when users connect to a View desktop with the PCoIP display
protocol.
When the secure tunnel or PCoIP Secure Gateway is not enabled, the desktop session is established directly
between the client system and the View desktop virtual machine, bypassing the View Connection Server or
security server host. This type of connection is called a direct connection.
IMPORTANT A typical network configuration that provides secure connections for external clients includes a
security server. To use View Administrator to enable or disable the secure tunnel and PCoIP Secure Gateway
on a security server, you must edit the View Connection Server instance that is paired with the security server.
In a network configuration in which external clients connect directly to a View Connection Server host, you
enable or disable the secure tunnel and PCoIP Secure Gateway by editing that View Connection Server instance
in View Administrator.
Prerequisites
n
If you intend to enable the PCoIP Secure Gateway, verify that the View Connection Server instance and
paired security server are View 4.6 or later.
n
If
you pair a security server to a View Connection Server instance on which you already enabled the PCoIP
Secure Gateway, verify that the security server is View 4.6 or later.
VMware, Inc. 31
Page 32
VMware Horizon View Administration
Procedure
1
In View Administrator, click View Configuration > Servers.
2 In the View Connection Servers panel, select a View Connection Server instance and click Edit.
3 Configure use of the secure tunnel.
Option Description
Enable the secure tunnel
Disable the secure tunnel
The secure tunnel is enabled by default.
4
Configure use of the PCoIP Secure Gateway.
Option Description
Enable the PCoIP Secure Gateway
Disable the PCoIP secure Gateway
The PCoIP Secure Gateway is disabled by default.
5
Click OK to save your changes.
Select Use secure tunnel connection to desktop.
Deselect Use secure tunnel connection to desktop.
Select Use PCoIP Secure Gateway for PCoIP connections to desktop
Deselect Use PCoIP Secure Gateway for PCoIP connections to desktop
Configure Secure HTML Access
In View Administrator, you can configure the use of the Blast Secure Gateway to provide secure HTML access
to View desktops.
You can provide secure connections to external users who use HTML Access to connect to View desktops. The
Blast Secure Gateway, enabled by default on View Connection Server and security server hosts, ensures that
only authenticated users can communicate with View desktops. With HTML Access, View Client software
does not have to be installed on the users' endpoint devices.
When the Blast Secure Gateway is not enabled, client Web browsers use HTML Access to establish direct
connections to View desktop virtual machines, bypassing the Blast Secure Gateway.
IMPORTANT A typical network configuration that provides secure connections for external users includes a
security server. To enable or disable the Blast Secure Gateway on a security server, you must edit the View
Connection Server instance that is paired with the security server. If external users connect directly to a View
Connection Server host, you enable or disable the Blast Secure Gateway by editing that View Connection Server
instance.
Prerequisites
n
If
users select View desktops by using the Horizon User Portal, verify that Horizon Workspace is installed
and configured for use with View Connection Server and that View Connection Server is paired with a
SAML 2.0 Authentication server.
n
Verify that the secure tunnel is enabled. If the secure tunnel is disabled, the Blast Secure Gateway cannot
be enabled.
Procedure
1 In View Administrator, select View Configuration > Servers.
2 In the View Connection Servers panel, select a View Connection Server instance and click Edit.
32 VMware, Inc.
Page 33
Chapter 1 Configuring View Connection Server
3 Configure use of the Blast Secure Gateway.
Option Description
Enable the Blast Secure Gateway
Disable the Blast secure Gateway
Select Use Blast Secure Gateway for HTML access to desktop
Deselect Use Blast Secure Gateway for HTML access to desktop
The Blast Secure Gateway is enabled by default.
4
Click OK to save your changes.
Open the Port Used by HTML Access on Security Servers
When you install View Connection Server or security server, the View server installer creates the Windows
Firewall rule for the port that is used by HTML Access for client connections, but the installer leaves the rule
disabled until it is actually needed. When you later install HTML Access on a View Connection Server instance,
the HTML Access installer automatically enables the rule to allow communication to that port. However, on
security servers, you must manually enable the rule in the Windows Firewall to allow communication to the
port.
By default, HTML Access uses TCP port 8443 for client connections to the Blast Secure Gateway.
Procedure
n
To open the port used by HTML Access on a View Connection Server computer, install HTML Access on
that computer.
The HTML Access installer enables the VMware View Connection Server (Blast-In) rule in the Windows
Firewall.
n
To open the port for HTML Access on a security server, manually enable the VMware View Connection
Server (Blast-In) rule in the Windows Firewall.
Off-load SSL Connections to Intermediate Servers
View Clients must use HTTPS to connect to View Manager. If your View Clients connect to load balancers or
other intermediate servers that pass on the connections to View Connection Server instances or security servers,
you can off-load SSL to the intermediate servers.
Import SSL Off-loading Servers' Certificates to View Servers
If you off-load SSL connections to an intermediate server, you must import the intermediate server's certificate
onto the View Connection Server instances or security servers that it is off-loading. The same SSL server
certificate must reside on both the off-loading intermediate server and the off-loaded View servers.
If the intermediate server's certificate is not installed on the View Connection Server instance or security server,
View Clients cannot validate their connections to View. In this situation, the certificate thumbprint sent by the
View server does not match the certificate on the intermediate server to which View Clients are connecting.
Do not confuse load balancing with SSL off-loading. The preceding requirement applies to any device that is
configured to provide SSL off-loading, including some types of load balancers. However, pure load balancing
does not require copying of certificates between devices.
For information about importing certificates to View servers, see "Import a Signed Server Certificate into a
Windows Certificate Store" in the VMware Horizon View Installation document.
VMware, Inc. 33
Page 34
VMware Horizon View Administration
Set View Server External URLs to Point Clients to SSL Off-loading Servers
If
SSL is off-loaded to an intermediate server and View Clients use the secure tunnel to connect to View, make
sure to set the secure tunnel external URL to an address that clients can use to access the intermediate server.
If View Clients use the PCoIP Secure Gateway, set the secure tunnel external URL and PCoIP external URL to
addresses that allow clients to connect to the intermediate server.
You configure the external URL settings on the View Connection Server instance or security server that
connects to the intermediate server. For more information, see “Configuring External URLs for PCoIP Secure
Gateway and Tunnel Connections” in the VMware Horizon View Installation document.
Allow HTTP Connections to Intermediate Servers
When SSL is off-loaded to an intermediate server, you can configure View Connection Server instances or
security servers to allow HTTP connections from the client-facing, intermediate devices. The intermediate
devices must accept HTTPS for View Client connections.
To allow HTTP connections between View servers and intermediate devices, you must configure the
locked.properties file on each View Connection Server instance and security server on which HTTP
connections are allowed.
Even when HTTP connections between View servers and intermediate devices are allowed, you cannot disable
SSL in View. View servers continue to accept HTTPS connections as well as HTTP connections.
NOTE If your View Clients use smart card authentication, the clients must make HTTPS connections directly
to View Connection Server or security server. SSL off-loading is not supported with smart card authentication.
Procedure
1 Create
or edit the locked.properties file in the SSL gateway configuration folder on the View Connection
Server or security server host.
For example:
install_directory
\VMware\VMware View\Server\sslgateway\conf\locked.properties
2 To configure the View server's protocol, add the serverProtocol property and set it to http.
The value http must be typed in lower case.
3 (Optional) Add properties to configure a non-default HTTP listening port and a network interface on the
View server.
n
To change the HTTP listening port from 80, set serverPortNonSSL to another port number to which
the intermediate device is configured to connect.
n
If the View server has more than one network interface, and you intend the server to listen for HTTP
connections on only one interface, set serverHost to the IP address of that network interface.
4 Save the locked.properties file.
5 Restart the View Connection Server service or security server service to make your changes take effect.
Example: locked.properties file
This file allows non-SSL HTTP connections to a View server. The IP address of the View server's client-facing
network interface is 10.20.30.40. The server uses the default port 80 to listen for HTTP connections. The value
http must be lower case.
serverProtocol=http
serverHost=10.20.30.40
34 VMware, Inc.
Page 35
Disable or Enable View Connection Server
You can disable a View Connection Server instance to prevent users from logging in to their View desktops.
After you disable an instance, you can enable it again.
you disable a View Connection Server instance, users who are currently logged in to View desktops are
When
not affected.
Your View Manager deployment determines how users are affected by disabling an instance.
n
If this is a single, standalone View Connection Server instance, users cannot log in to their desktops. They
cannot connect to View Connection Server.
n
If this is a replicated View Connection Server instance, your network topology determines whether users
can be routed to another replicated instance. If users can access another instance, they can log in to their
desktops.
Procedure
1 In View Administrator, click View Configuration > Servers.
2 In the View Connection Servers panel, select the View Connection Server instance.
3 Click Disable.
Chapter 1 Configuring View Connection Server
You can enable the instance again by clicking Enable.
Edit the External URLs
You can use View Administrator to edit external URLs for View Connection Server instances and security
servers.
By default, a View Connection Server or security server host can be contacted only by tunnel clients that reside
within the same network. Tunnel clients that run outside of your network must use a client-resolvable URL to
connect to a View Connection Server or security server host.
When users connect to View desktops with the PCoIP display protocol, View Client can make a further
connection to the PCoIP Secure Gateway on the View Connection Server or security server host. To use the
PCoIP Secure Gateway, a client system must have access to an IP address that allows the client to reach the
View Connection Server or security server host. You specify this IP address in the PCoIP external URL.
Both the secure tunnel external URL and PCoIP external URL must be the addresses that client systems use to
reach this host. For example, if you configure a View Connection Server host, do not specify the secure tunnel
external URL for this host and the PCoIP external URL for a paired security server.
NOTE You cannot edit the external URLs for a security server that has not been upgraded to View Connection
Server 4.5 or later.
Procedure
1
In View Administrator, click View Configuration > Servers.
Option Action
View Connection Server instance
Security server
Select the View Connection Server instance in the View Connection Servers
panel and click Edit.
Select the security server in the Security Servers panel and click Edit.
VMware, Inc. 35
Page 36
VMware Horizon View Administration
2 Type the secure tunnel external URL in the External URL text box.
The URL must contain the protocol, client-resolvable host name and port number.
For example: https://view.example.com:443
NOTE You can use the IP address if you have to access a View Connection Server instance or security
server when the host name is not resolvable. However, the host that you contact will not match the SSL
certificate that is configured for the View Connection Server instance or security server, resulting in
blocked access or access with reduced security.
3 Type the PCoIP Secure Gateway external URL in the PCoIP External URL text box.
Specify the PCoIP external URL as an IP address with the port number 4172. Do not include a protocol
name.
For example: 10.20.30.40:4172
The URL must contain the IP address and port number that a client system can use to reach this security
server
or View Connection Server instance. You can type into the text box only if a PCoIP Secure Gateway
is installed on the security server or View Connection Server instance.
4 Click OK to save your changes.
The external URLs are updated immediately. You do not need to restart the View Connection Server service
or the security server service for the changes to take effect.
Join or Withdraw from the Customer Experience Program
When you install View Connection Server with a new configuration, you can choose to participate in a customer
experience improvement program. If you change your mind about participating after the installation, you can
join or withdraw from the program by using View Administrator.
If you participate in the program, VMware collects anonymous data about your deployment in order to
improve VMware's response to user requirements. No data that identifies your organization is collected.
To review the list of fields from which data is collected, including the fields that are made anonymous, see
“Information Collected by the Customer Experience Improvement Program,” on page 368.
Procedure
1 In View Administrator, click View Configuration > Product Licensing and Usage.
2 In the Customer Experience Program pane, click Edit Settings.
3 Decide whether to participate in or withdraw from the program by selecting or deselecting the Send
anonymous data to VMware checkbox.
4 (Optional) If you participate, you can select the geographic location, type of business, and number of
employees in your organization.
5 Click OK.
View LDAP Directory
View LDAP is the data repository for all View Manager configuration information. View LDAP is an embedded
Lightweight Directory Access Protocol (LDAP) directory that is provided with the View Connection Server
installation.
View LDAP contains standard LDAP directory components that are used by View Manager.
n
View Manager schema definitions
n
Directory information tree (DIT) definitions
36 VMware, Inc.
Page 37
Chapter 1 Configuring View Connection Server
n
Access control lists (ACLs)
View LDAP contains directory entries that represent View Manager objects.
n
desktop entries that represent each accessible desktop. Each entry contains references to the Foreign
View
Security Principal (FSP) entries of Windows users and groups in Active Directory who are authorized to
use the desktop.
n
View desktop pool entries that represent multiple desktops managed together
n
Virtual machine entries that represent the vCenter Server virtual machine for each desktop
n
View Manager component entries that store configuration settings
View LDAP also contains a set of View Manager plug-in DLLs that provide automation and notification
services for other View Manager components.
NOTE Security server instances do not contain a View LDAP directory.
VMware, Inc. 37
Page 38
VMware Horizon View Administration
38 VMware, Inc.
Page 39
Configuring Role-Based Delegated
Administration 2
One key management task in a View environment is to determine who can use View Administrator and what
tasks those users are authorized to perform. With role-based delegated administration, you can selectively
assign administrative rights by assigning administrator roles to specific Active Directory users and groups.
This chapter includes the following topics:
n
“Understanding Roles and Privileges,” on page 39
n
“Using Folders to Delegate Administration,” on page 40
n
“Understanding Permissions,” on page 41
n
“Manage Administrators,” on page 42
n
“Manage and Review Permissions,” on page 43
n
“Manage and Review Folders,” on page 45
n
“Manage Custom Roles,” on page 47
n
“Predefined Roles and Privileges,” on page 48
n
“Required Privileges for Common Tasks,” on page 51
n
“Best Practices for Administrator Users and Groups,” on page 53
Understanding Roles and Privileges
The ability to perform tasks in View Administrator is governed by an access control system that consists of
administrator roles and privileges. This system is similar to the vCenter Server access control system.
An
administrator role is a collection of privileges. Privileges grant the ability to perform specific actions, such
as entitling a user to a desktop pool. Privileges also control what an administrator can see in View
Administrator. For example, if an administrator does not have privileges to view or modify global policies,
the Global Policies setting is not visible in the navigation panel when the administrator logs in to View
Administrator.
Administrator privileges are either global or object-specific. Global privileges control system-wide operations,
such as viewing and changing global settings. Object-specific privileges control operations on specific types
of inventory objects.
Administrator roles typically combine all of the individual privileges required to perform a higher-level
administration task. View Administrator includes predefined roles that contain the privileges required to
perform common administration tasks. You can assign these predefined roles to your administrator users and
groups, or you can create your own roles by combining selected privileges. You cannot modify the predefined
roles.
VMware, Inc. 39
Page 40
VMware Horizon View Administration
To create administrators, you select users and groups from your Active Directory users and groups and assign
administrator roles. Administrators obtain privileges through their role assignments. You cannot assign
privileges
directly to administrators. An administrator that has multiple role assignments acquires the sum of
all the privileges contained in those roles.
Using Folders to Delegate Administration
By default, desktop pools are created in the root folder, which appears as / or Root(/) in View Administrator.
You can create folders under the root folder to subdivide your desktop pools and then delegate the
administration of specific desktop pools to different administrators.
A desktop inherits the folder from its pool. An attached persistent disk inherits the folder from its desktop.
You can have a maximum of 100 folders, including the root folder.
You configure administrator access to the resources in a folder by assigning a role to an administrator on that
folder. Administrators can access the resources that reside only in folders for which they have assigned roles.
The role that an administrator has on a folder determines the level of access that the administrator has to the
resources in that folder.
Because roles are inherited from the root folder, an administrator that has a role on the root folder has that role
on all folders. Administrators that have the Administrators role on the root folder are super administrators
because they have full access to all of the inventory objects in the system.
A role must contain at least one object-specific privilege to apply to a folder. Roles that contain only global
privileges cannot be applied to folders.
You can use View Administrator to create folders and to move existing pools to folders. You can also select a
folder when you create a desktop pool. If you do not select a folder during pool creation, the pool is created
in the root folder by default.
NOTE If you intend to provide access to your desktops through Horizon Workspace, verify that you create
the desktop pools as a user with Administrators permissions on the root folder in View. If you give the user
Administrators permissions on a folder other than the root folder, Horizon Workspace will not recognize the
SAML 2.0 Authenticator you configure in View, and you cannot configure the pool in Horizon Workspace.
n
Different Administrators for Different Folders on page 40
You can create a different administrator to manage each folder in your configuration.
n
Different Administrators for the Same Folder on page 41
You can create different administrators to manage the same folder.
Different Administrators for Different Folders
You can create a different administrator to manage each folder in your configuration.
For example, if your corporate desktop pools are in one folder and your desktop pools for software developers
are in another folder, you can create different administrators to manage the resources in each folder.
Table 2-1 shows an example of this type of configuration.
Table 2-1. Different Administrators for Different Folders
Administrator Role Folder
view-domain.com\Admin1 Inventory Administrators
view-domain.com\Admin2 Inventory Administrators
/CorporateDesktops
/DeveloperDesktops
In this example, the administrator called Admin1 has the Inventory Administrators role on the folder called
CorporateDesktops and the administrator called Admin2 has the Inventory Administrators role on the folder
called DeveloperDesktops.
40 VMware, Inc.
Page 41
Different Administrators for the Same Folder
You can create different administrators to manage the same folder.
For
example, if your corporate desktop pools are in one folder, you can create one administrator that can view
and modify those pools and another administrator that can only view them.
Table 2-2 shows an example of this type of configuration.
Table 2-2. Different Administrators for the Same Folder
Administrator Role Folder
view-domain.com\Admin1 Inventory Administrators
view-domain.com\Admin2 Inventory Administrators (Read only)
In this example, the administrator called Admin1 has the Inventory Administrators role on the folder called
CorporateDesktops and the administrator called Admin2 has the Inventory Administrators (Read only) role
on the same folder.
Understanding Permissions
View Administrator presents the combination of a role, an administrator user or group, and a folder as a
permission. The role defines the actions that can be performed, the user or group indicates who can perform
the action, and the folder contains the objects that are the target of the action.
Chapter 2 Configuring Role-Based Delegated Administration
/CorporateDesktops
/CorporateDesktops
Permissions
appear differently in View Administrator depending on whether you select an administrator user
or group, a folder, or a role.
Table 2-3 shows how permissions appear in View Administrator when you select an administrator user or
group. The administrator user is called Admin 1 and it has two permissions.
Table 2-3. Permissions on the Administrators and Groups Tab for Admin 1
Role Folder
Inventory Administrators
Administrators (Read only)
MarketingDesktops
/
The first permission shows that Admin 1 has the Inventory Administrators role on the folder called
MarketingDesktops. The second permission shows that Admin 1 has the Administrators (Read only) role on
the root folder.
Table 2-4 shows how the same permissions appear in View Administrator when you select the
MarketingDesktops folder.
Table 2-4. Permissions on the Folders Tab for MarketingDesktops
Admin Role Inherited
view-domain.com\Admin1 Inventory Administrators
view-domain.com\Admin1 Administrators (Read only) Yes
The first permission is the same as the first permission shown in Table 2-3.
The second permission is inherited
from the second permission shown in Table 2-3. Because folders inherit permissions from the root folder,
Admin1 has the Administrators (Read only) role on the MarketingDesktops folder. When a permission is
inherited, Yes appears in the Inherited column.
Table 2-5 shows how the first permission in Table 2-3 appears in View Administrator when you select the
Inventory Administrators role.
VMware, Inc. 41
Page 42
VMware Horizon View Administration
Table 2-5. Permissions on the Role Tab for Inventory Administrators
Administrator Folder
view-domain.com\Admin1
Manage Administrators
Users who have the Administrators role can use View Administrator to add and remove administrator users
and groups.
The Administrators role is the most powerful role in View Administrator. Initially, members of the View
Administrators
you install View Connection Server. The View Administrators account can be the local Administrators group
(BUILTIN\Administrators) on the View Connection Server computer or a domain user or group account.
NOTE By default, the Domain Admins group is a member of the local Administrators group. If you specified
the View Administrators account as the local Administrators group, and you do not want domain
administrators to have full access to inventory objects and View configuration settings, you must remove the
Domain Admins group from the local Administrators group.
n
Create an Administrator on page 42
To create an administrator, you select a user or group from your Active Directory users and groups in
View Administrator and assign an administrator role.
account are given the Administrators role. You specify the View Administrators account when
/MarketingDesktops
n
Remove an Administrator on page 43
You can remove an administrator user or group. You cannot remove the last super administrator in the
system. A super administrator is an administrator that has the Administrators role on the root folder.
Create an Administrator
To create an administrator, you select a user or group from your Active Directory users and groups in View
Administrator and assign an administrator role.
Prerequisites
n
Familiarize yourself with the predefined administrator roles. See “Predefined Roles and Privileges,” on
page 48.
n
Familiarize yourself with the best practices for creating administrator users and groups. See “Best Practices
for Administrator Users and Groups,” on page 53.
n
To assign a custom role to the administrator, create the custom role. See “Add a Custom Role,” on
page 47.
n
To create an administrator that can manage specific desktop pools, create a folder and move the desktop
pools to that folder. See “Manage and Review Folders,” on page 45.
Procedure
1 In View Administrator, select View Configuration > Administrators.
2 On the Administrators and Groups tab, click Add User or Group.
3 Click Add, select one or more search criteria, and click Find to filter Active Directory users or groups based
on your search criteria.
4 Select the Active Directory user or group that you want to be an administrator user or group, click OK
and click Next.
You can press the Ctrl and Shift keys to select multiple users and groups.
42 VMware, Inc.
Page 43
Chapter 2 Configuring Role-Based Delegated Administration
5 Select a role to assign to the administrator user or group.
The Apply to Folder column indicates whether a role applies to folders. Only roles that contain objectspecific privileges apply to folders. Roles that contain only global privileges do not apply to folders.
Option Action
The role you selected applies to
folders
You want the permission to apply to
all folders
Select one or more folders and click Next.
Select the root folder and click Next.
6
Click Finish to create the administrator user or group.
The new administrator user or group appears in the left pane and the role and folder that you selected appear
in the right pane on the Administrators and Groups tab.
Remove an Administrator
You can remove an administrator user or group. You cannot remove the last super administrator in the system.
A super administrator is an administrator that has the Administrators role on the root folder.
Procedure
1 In View Administrator, select View Configuration > Administrators.
2 On the Administrators and Groups tab, select the administrator user or group, click Remove User or
Group, and click OK.
The administrator user or group no longer appears on the Administrators and Groups tab.
Manage and Review Permissions
You can use View Administrator to add, delete, and review permissions for specific administrator users and
groups, for specific roles, and for specific folders.
n
Add a Permission on page 43
You can add a permission that includes a specific administrator user or group, a specific role, or a specific
folder.
n
Delete a Permission on page 44
You can delete a permission that includes a specific administrator user or group, a specific role, or a
specific folder.
n
Review Permissions on page 45
You can review the permissions that include a specific administrator or group, a specific role, or a specific
folder.
Add a Permission
You can add a permission that includes a specific administrator user or group, a specific role, or a specific
folder.
Procedure
1 In View Administrator, select View Configuration > Administrators.
VMware, Inc. 43
Page 44
VMware Horizon View Administration
2 Create the permission.
Option Action
Create a permission that includes a
specific administrator user or group
Create a permission that includes a
specific role
Create a permission that includes a
specific folder
a On the Administrators and Groups tab, select the administrator or
group and click Add Permission.
Select a role.
b
c If the role does not apply to folders, click Finish.
d If the role applies to folders, click Next, select one or more folders, and
click Finish. A role must contain at least one object-specific privilege to
apply to a folder.
a On the Roles tab, select the role, click Permissions, and clickAdd
Permission.
b
Click Add, select one or more search criteria, and click Find to find
administrator users or groups that match your search criteria.
c Select an administrator user or group to include in the permission and
click OK. You can press the Ctrl and Shift keys to select multiple users
and groups.
d If the role does not apply to folders, click Finish.
e If the role applies to folders, click Next, select one or more folders, and
click Finish. A role must contain at least one object-specific privilege to
apply to a folder.
a On the Folders tab, select the folder and click Add Permission.
Click Add, select one or more search criteria, and click Find to find
b
administrator users or groups that match your search criteria.
c Select an administrator user or group to include in the permission and
click OK. You can press the Ctrl and Shift keys to select multiple users
and groups.
d Click Next, select a role, and click Finish. A role must contain at least
one object-specific privilege to apply to a folder.
Delete a Permission
You can delete a permission that includes a specific administrator user or group, a specific role, or a specific
folder.
If
you remove the last permission for an administrator user or group, that administrator user or group is also
removed. Because at least one administrator must have the Administrators role on the root folder, you cannot
remove a permission that would cause that administrator to be removed. You cannot delete an inherited
permission.
Procedure
1 In View Administrator, select View Configuration > Administrators.
2 Select the permission to delete.
Option Action
Delete a permission that applies to a
specific administrator or group
Delete a permission that applies to a
specific role
Delete a permission that applies to a
specific folder
3
Select the permission and click Delete Permission.
Select the administrator or group on the Administrators and Groups tab.
Select the role on the Roles tab.
Select the folder on the Folders tab.
44 VMware, Inc.
Page 45
Review Permissions
You can review the permissions that include a specific administrator or group, a specific role, or a specific
folder.
Procedure
1
Select View Configuration > Administrators.
2 Review the permissions.
Option Action
Review the permissions that include
a specific administrator or group
Review the permissions that include
a specific role
Review the permissions that include
a specific folder
Manage and Review Folders
Chapter 2 Configuring Role-Based Delegated Administration
Select the administrator or group on the Administrators and Groups tab.
Select the role on the Roles tab and click Permissions.
Select the folder on the Folders tab.
You
can use View Administrator to add and delete folders and to review the desktop pools and desktops in a
particular folder.
n
Add a Folder on page 45
If you want to delegate the administration of specific desktops or pools to different administrators, you
must create folders to subdivide your desktops or pools. If you do not create folders, all desktops and
pools reside in the root folder.
n
Move a Desktop Pool to a Different Folder on page 46
After you create a folder to subdivide your desktop pools, you must manually move desktop pools to
the new folder. If you decide to change the way your desktop pools are subdivided, you can move
desktops pools from one folder to another.
n
Remove a Folder on page 46
You can remove a folder if it does not contain inventory objects. You cannot remove the root folder.
n
Review the Desktop Pools in a Folder on page 46
You can see all of the desktop pools in a particular folder in View Administrator.
n
Review the Desktops in a Folder on page 46
You can see all of the desktops in a particular folder in View Administrator. A desktop inherits the folder
from its pool.
Add a Folder
If you want to delegate the administration of specific desktops or pools to different administrators, you must
create folders to subdivide your desktops or pools. If you do not create folders, all desktops and pools reside
in the root folder.
You can have a maximum of 100 folders, including the root folder.
Procedure
1 In View Administrator, select Inventory > Pools.
2 From the Folder drop-down menu on the command bar, select New Folder.
VMware, Inc. 45
Page 46
VMware Horizon View Administration
3 Type a name and description for the folder and click OK.
The description is optional.
What to do next
Move one or more desktop pools to the folder.
Move a Desktop Pool to a Different Folder
After
you create a folder to subdivide your desktop pools, you must manually move desktop pools to the new
folder. If you decide to change the way your desktop pools are subdivided, you can move desktops pools from
one folder to another.
Procedure
1 In View Administrator, select Inventory > Pools and select the pool.
2 From the Folder drop-down menu, select Change Folder.
3 Select the folder and click OK.
View Administrator moves the pool to the folder that you selected.
Remove a Folder
You can remove a folder if it does not contain inventory objects. You cannot remove the root folder.
Prerequisites
If the folder contains inventory objects, move the objects to another folder or to the root folder. See “Move a
Desktop Pool to a Different Folder,” on page 46.
Procedure
1 In View Administrator, select View Configuration > Administrators.
2 On the Folders tab, select the folder and click Remove Folder.
3 Click OK to remove the folder.
Review the Desktop Pools in a Folder
You can see all of the desktop pools in a particular folder in View Administrator.
Procedure
1 In View Administrator, select Inventory > Pools.
The Pools page shows the pools in all folders by default.
2 Select the folder from the Folder drop-down menu.
The Pools page shows the pools in the folder that you selected.
Review the Desktops in a Folder
You can see all of the desktops in a particular folder in View Administrator. A desktop inherits the folder from
its pool.
Procedure
1 In View Administrator, select Inventory > Desktops.
The Desktops page shows the desktops in all folders by default.
46 VMware, Inc.
Page 47
2 Select the folder from the Folder drop-down menu.
The Desktops page shows the pools in the folder that you selected.
Manage Custom Roles
You can use View Administrator to add, modify, and delete custom roles.
n
Add a Custom Role on page 47
If the predefined administrator roles do not meet your needs, you can combine specific privileges to
create your own roles in View Administrator.
n
Modify the Privileges in a Custom Role on page 47
You can modify the privileges in a custom role. You cannot modify the predefined administrator roles.
n
Remove a Custom Role on page 48
You can remove a custom role if it is not included in a permission. You cannot remove the predefined
administrator roles.
Add a Custom Role
If the predefined administrator roles do not meet your needs, you can combine specific privileges to create
your own roles in View Administrator.
Chapter 2 Configuring Role-Based Delegated Administration
Prerequisites
Familiarize
Roles and Privileges,” on page 48.
Procedure
1 In View Administrator, select View Configuration > Administrators.
2 On the Roles tab, click Add Role.
3 Type a name and description for the new role, select one or more privileges, and click OK.
yourself with the administrator privileges that you can use to create custom roles. See “Predefined
The new role appears in the left pane.
Modify the Privileges in a Custom Role
You can modify the privileges in a custom role. You cannot modify the predefined administrator roles.
Prerequisites
Familiarize yourself with the administrator privileges that you can use to create custom roles. See “Predefined
Roles and Privileges,” on page 48.
Procedure
1 In View Administrator, select View Configuration > Administrators.
2 On the Roles tab, select the role.
3 Click Privileges to display the privileges in the role and click Edit.
4 Select or deselect privileges.
5 Click OK to save your changes.
VMware, Inc. 47
Page 48
VMware Horizon View Administration
Remove a Custom Role
You can remove a custom role if it is not included in a permission. You cannot remove the predefined
administrator roles.
Prerequisites
If the role is included in a permission, delete the permission. See “Delete a Permission,” on page 44.
Procedure
1
In View Administrator, select View Configuration > Administrators.
2 On the Roles tab, select the role and click Remove Role.
The Remove Role button is not available for predefined roles or for custom roles that are included in a
permission.
3 Click OK to remove the role.
Predefined Roles and Privileges
View Administrator includes predefined roles that you can assign to your administrator users and groups.
You can also create your own administrator roles by combining selected privileges.
n
Predefined Administrator Roles on page 48
The predefined administrator roles combine all of the individual privileges required to perform common
administration tasks. You cannot modify the predefined roles.
n
Global Privileges on page 49
Global privileges control system-wide operations, such as viewing and changing global settings. Roles
that contain only global privileges cannot be applied to folders.
n
Object-Specific Privileges on page 50
Object-specific privileges control operations on specific types of inventory objects. Roles that contain
object-specific privileges can be applied to folders.
n
Internal Privileges on page 51
Some of the predefined administrator roles contain internal privileges. You cannot select internal
privileges when you create custom roles.
Predefined Administrator Roles
The predefined administrator roles combine all of the individual privileges required to perform common
administration tasks. You cannot modify the predefined roles.
Table 2-6 describes the predefined roles and indicates whether a role can be applied to a folder.
48 VMware, Inc.
Page 49
Chapter 2 Configuring Role-Based Delegated Administration
Table 2-6. Predefined Roles in View Administrator
Role User Capabilities Applies to a Folder
Administrators Perform all administrator operations, including creating
additional administrator users and groups. Administrators that
have the Administrators role on the root folder are super
administrators because they have full access to all of the inventory
objects in the system. Because the Administrators role contains all
privileges, you should assign it to a limited set of users.
Initially, members of the local Administrators group on your View
Connection Server host are given this role on the root folder.
IMPORTANT An administrator must have the Administrators role
on the root folder to perform the following tasks:
n
Add and delete folders.
n
Manage ThinApp applications and configuration settings in
View Administrator.
n
View and modify View Transfer Server instances and the
Transfer Server repository.
n
Use the vdmadmin and vdmimport commands.
Administrators (Read only)
n
View, but not modify, global settings and inventory objects.
n
View, but not modify, ThinApp applications and settings,
View Transfer Server instances, and the Transfer Server
repository.
n
Run all PowerShell commands and command line utilities,
including vdmexport but excluding vdmadmin and
vdmimport.
administrators have this role on a folder, they can only view
When
the inventory objects in that folder.
Agent Registration
Administrators
Global Configuration and
Policy Administrators
Register unmanaged desktop sources such as physical systems,
standalone virtual machines, and terminal servers.
View and modify global policies and configuration settings except
administrator roles and permissions, ThinApp applications and
for
settings, View Transfer Server instances, and the Transfer Server
repository.
Global Configuration and
Policy Administrators (Read
only)
View, but not modify, global policies and configuration settings
except for administrator roles and permissions, ThinApp
applications and settings, View Transfer Server instances, and the
Transfer Server repository.
Inventory Administrators
n
Perform all desktop, session, and pool-related operations.
n
Manage persistent disks.
n
Resync, Refresh, and Rebalance linked-clone pools and change
the default pool image.
When administrators have this role on a folder, they can only
perform these operations on the inventory objects in that folder.
Inventory Administrators
(Read only)
View, but not modify, inventory objects.
When administrators have this role on a folder, they can only view
the inventory objects in that folder.
Yes
Yes
No
No
No
Yes
Yes
Global Privileges
Global privileges control system-wide operations, such as viewing and changing global settings. Roles that
contain only global privileges cannot be applied to folders.
Table 2-7 describes the global privileges and lists the predefined roles that contain each privilege.
VMware, Inc. 49
Page 50
VMware Horizon View Administration
Table 2-7. Global Privileges
Privilege User Capabilities Predefined Roles
Console Interaction Log in to and use View Administrator. Administrators
Direct Interaction Run all PowerShell commands and command
Manage Global
Configuration and
Policies
Manage Roles and
Permissions
Register Agent Install View Agent on unmanaged desktop
line utilities, except for vdmadmin and
vdmimport.
Administrators must have the Administrators
role on the root folder to use the vdmadmin
and vdmimport commands.
View and modify global policies and
configuration settings except for
administrator roles and permissions.
Create, modify, and delete administrator
roles and permissions.
sources such as physical systems, standalone
virtual machines, and terminal servers.
During View Agent installation, you must
provide your administrator login credentials
to register the unmanaged desktop source
with the View Connection Server instance.
Administrators (Read only)
Inventory Administrators
Inventory Administrators (Read only)
Global Configuration and Policy Administrators
Global Configuration and Policy Administrators
(Read only)
Administrators
Administrators (Read only)
Administrators
Configuration and Policy Administrators
Global
Administrators
Administrators
Agent Registration Administrators
Object-Specific Privileges
Object-specific privileges control operations on specific types of inventory objects. Roles that contain objectspecific privileges can be applied to folders.
Table 2-8 describes the object-specific privileges. The predefined roles Administrators and Inventory
Administrators contain all of these privileges.
Table 2-8. Object-Specific Privileges
Privilege User Capabilities Object
Enable Pool Enable and disable desktop pools. Desktop pool
Entitle Pool Add and remove user entitlements. Desktop pool
Manage Composer Pool
Image
Manage Desktop Perform all desktop and session-related operations. Desktop
Manage Local Sessions Roll back and initiate replications for local desktops. Desktop
Manage Persistent Disks Perform all View Composer persistent disk operations,
Manage Pool Add, modify, and delete desktop pools and add and
Manage Remote Sessions Disconnect and log off remote sessions and send
Manage Reboot Operation Reset desktops. Desktop
Resync, Refresh, and Rebalance linked-clone pools and
change the default pool image.
including attaching, detaching, and importing
persistent disks.
remove desktops.
messages to desktop users.
Desktop pool
Persistent disk
Desktop pool
Desktop
50 VMware, Inc.
Page 51
Internal Privileges
Some of the predefined administrator roles contain internal privileges. You cannot select internal privileges
when you create custom roles.
Table 2-9 describes the internal privileges and lists the predefined roles that contain each privilege.
Table 2-9. Internal Privileges
Privilege Description Predefined Roles
Full (Read only) Grants read-only access to all settings. Administrators (Read only)
Manage Inventory
(Read only)
Manage Global
Configuration and
Policies (Read only)
Grants read-only access to inventory objects. Inventory Administrators (Read only)
Grants read-only access to configuration
settings and global policies except for
administrators and roles.
Required Privileges for Common Tasks
Many common administration tasks require a coordinated set of privileges. Some operations require
permission at the root folder in addition to access to the object that is being manipulated.
Chapter 2 Configuring Role-Based Delegated Administration
Global Configuration and Policy Administrators
(Read only)
Privileges for Managing Pools
An administrator must have certain privileges to manage pools in View Administrator.
Table 2-10 lists common pool management tasks and shows the privileges that are required to perform each
task. You perform these tasks on the Pools page in View Administrator.
Table 2-10. Pool Management Tasks and Privileges
Task Required Privileges
Enable or disable a pool Enable Pool on the pool.
Entitle or unentitle users to a pool Entitle Pool on the pool.
Add a pool Manage Pool
IMPORTANT
the Administrators role on the root folder to publish the base
image to the Transfer Server repository.
Modify or delete a pool Manage Pool on the pool.
Add or remove desktops from a pool Manage Pool on the pool.
Refresh, Recompose, Rebalance, or change the default View
Composer image
Change folders Manage Pool on both the source and target folders.
Manage Composer Pool Image on the pool.
When adding a linked-clone pool, you must have
Privileges for Managing Desktops
An administrator must have certain privileges to manage desktops in View Administrator.
Table 2-11 lists common desktop management tasks and shows the privileges that are required to perform
each task. You perform these tasks on the Desktops page in View Administrator.
VMware, Inc. 51
Page 52
VMware Horizon View Administration
Table 2-11. Desktop Management Tasks and Privileges
Task Required Privileges
Remove a virtual machine Manage Pool on the pool.
Reset a virtual machine Manage Reboot Operation on the desktop.
Cancel, pause, or resume a task Manage Composer Pool Image
Assign or remove user ownership Manage Desktop on the desktop.
Enter or exit maintenance mode Manage Desktop on the desktop.
Roll back or initiate replications Manage Local Sessions on the desktop.
Disconnect or log off a remote session Manage Remote Sessions on the desktop.
Privileges for Managing Persistent Disks
An administrator must have certain privileges to manage persistent disks in View Administrator.
Table 2-12 lists common persistent disk management tasks and shows the privileges that are required to
perform each task. You perform these tasks on the Persistent Disks page in View Administrator.
Table 2-12. Persistent Disk Management Tasks and Privileges
Task Required Privileges
Detach a disk Manage Persistent Disks on the disk and Manage Pool on
the pool.
Attach a disk Manage Persistent Disks on the disk and Manage Pool on
the desktop.
Edit a disk Manage Persistent Disks on the disk and Manage Pool on
the selected pool.
Change folders Manage Persistent Disks on the source and target folders.
Recreate desktop Manage Persistent Disks on the disk and Manage Pool on
the last pool.
Import from vCenter Manage Persistent Disks on the folder and Manage Pool on
the pool.
Delete a disk Manage Persistent Disks on the disk.
Privileges for Managing Users and Administrators
An administrator must have certain privileges to manage users and administrators in View Administrator.
Table
2-13 lists common user and administrator management tasks and shows the privileges that are required
to perform each task. You manage users on the Users and Groups page in View Administrator. You manage
administrators on the Global Administrators View page in View Administrator.
Table 2-13. User and Administrator Management Tasks and Privileges
Task Required Privileges
Update general user information Manage Global Configuration and Policies
Send messages to desktop users Manage Remote Sessions on the desktop.
Add an administrator user or group Manage Roles and Permissions
Add, modify, or delete an administrator permission Manage Roles and Permissions
Add, modify, or delete an administrator role Manage Roles and Permissions
52 VMware, Inc.
Page 53
Chapter 2 Configuring Role-Based Delegated Administration
Privileges for General Administration Tasks and Commands
An
administrator must have certain privileges to perform general administration tasks and run command line
utilities.
Table 2-14 shows the privileges that are required to perform general administration tasks and run command
line utilities.
Table 2-14. Privileges for General Administration Tasks and Commands
Task Required Privileges
Add or delete a folder Must have the Administrators role on the root folder.
Manage ThinApp applications and settings in View
Administrator
View and modify View Transfer Server instances and the
Transfer Server repository
Install View Agent on an unmanaged desktop source, such
a physical system, standalone virtual machine, or terminal
as
server
View or modify configuration settings (except for
administrators) in View Administrator
Run all PowerShell commands and command line utilities
except for vdmadmin and vdmimport.
Use the vdmadmin and vdmimport commands Must have the Administrators role on the root folder.
Use the vdmexport command Must have the Administrators role or the Administrators
Must have the Administrators role on the root folder.
Must have the Administrators role on the root folder.
Register Agent
Manage Global Configuration and Policies
Direct Interaction
(Read only) role on the root folder.
Best Practices for Administrator Users and Groups
To
increase the security and manageability of your View environment, you should follow best practices when
managing administrator users and groups.
n
Because the Administrators role contains all privileges, assign it to a single user or to a limited set of users.
n
Choose a local Windows user or group to have the Administrators role.
n
Create new user groups for administrators. Avoid using Windows built-in groups or other existing groups
that might contain additional users or groups.
n
Because it is highly visible and easily guessed, avoid using the name Administrator when creating
administrator users and groups.
n
Create folders to segregate sensitive desktops. Delegate the administration of those folders to a limited
set of users.
n
Create separate administrators that can modify global policies and View configuration settings.
VMware, Inc. 53
Page 54
VMware Horizon View Administration
54 VMware, Inc.
Page 55
Preparing Unmanaged Desktop
Sources 3
Users can access View desktops delivered by machines that are not managed by vCenter Server. These
unmanaged
on VMware Server and other virtualization platforms. You must prepare an unmanaged desktop source to
deliver View desktop access.
This chapter includes the following topics:
n
“Prepare an Unmanaged Desktop Source for View Desktop Deployment,” on page 55
n
“Install View Agent on an Unmanaged Desktop Source,” on page 55
Prepare an Unmanaged Desktop Source for View Desktop Deployment
You must perform certain tasks to prepare an unmanaged desktop source for View desktop deployment.
Prerequisites
n
Verify that you have administrative rights on the unmanaged desktop source.
n
To make sure that View desktop users are added to the local Remote Desktop Users group of the
unmanaged desktop source, create a restricted Remote Desktop Users group in Active Directory. See the
VMware Horizon View Installation document for more information.
desktop sources can include physical computers, terminal servers, and virtual machines running
Procedure
1 Power on the unmanaged desktop source and verify that it is accessible to the View Connection Server
instance.
2 Join the unmanaged desktop source to the Active Directory domain for your View desktops.
3 Configure the Windows firewall to allow Remote Desktop connections to the unmanaged desktop source.
What to do next
Install View Agent on the unmanaged desktop source. See “Install View Agent on an Unmanaged Desktop
Source,” on page 55.
Install View Agent on an Unmanaged Desktop Source
You must install View Agent on an all unmanaged desktop sources. View cannot manage an unmanaged
desktop source unless View Agent is installed.
To install View Agent on multiple Windows physical computers without having to respond to wizard prompts,
you can install View Agent silently. See “Install View Agent Silently,” on page 66.
VMware, Inc. 55
Page 56
VMware Horizon View Administration
Prerequisites
n
Verify that you have administrative rights on the unmanaged desktop source.
n
Familiarize yourself with the View Agent custom setup options for unmanaged desktop sources. See
“View Agent Custom Setup Options for Unmanaged Desktop Sources,” on page 57.
n
Familiarize yourself with the TCP ports that the View Agent installation program opens on the firewall.
See the VMware Horizon View Architecture Planning document for more information.
n
Download the View Agent installer file from the VMware product page at
http://www.vmware.com/products/.
Procedure
1
To start the View Agent installation program, double-click the installer file.
The installer filename is VMware-viewagent-
xxxxxx
.exe, where y.y.y is the version number and xxxxxx is the build number.
y.y.y-xxxxxx
.exe or VMware-viewagent-x86_64-
y.y.y
-
2 Accept the VMware license terms.
3 Select your custom setup options.
4 Accept or change the destination folder.
5 In the Server text box, type the host name or IP address of a View Connection Server host.
During installation, the installer registers the unmanaged desktop source with this View Connection
Server instance. After registration, the specified View Connection Server instance, and any additional
instances in the same View Connection Server group, can communicate with the unmanaged desktop
source.
6 Select an authentication method to register the unmanaged desktop source with the View Connection
Server instance.
Option Action
Authenticate as the currently logged
in user
Specify administrator credentials
The Username and Password text boxes are disabled and you are logged in
to the View Connection Server instance with your current username and
password.
You must provide the username and password of a View Connection Server
administrator in the Username and Password text boxes.
Follow the prompts in the View Agent installation program and finish the installation.
7
8 If you selected the USB redirection option, restart the unmanaged desktop source to enable USB support.
In addition, the Found New Hardware wizard might start. Follow the prompts in the wizard to configure
the hardware before you restart the unmanaged desktop source.
The VMware View Agent service is started on the unmanaged desktop source.
If Windows Media Player is not installed, the View Agent installation program does not install the multimedia
redirection (MMR) feature. If you install Windows Media Player after installing View Agent, you can install
the MMR feature by running the View Agent installation program again and selecting the Repair option.
What to do next
Use the unmanaged desktop source to create a View desktop. See “Manual Desktop Pools,” on page 119.
56 VMware, Inc.
Page 57
Chapter 3 Preparing Unmanaged Desktop Sources
View Agent Custom Setup Options for Unmanaged Desktop Sources
When
you install View Agent on an unmanaged desktop source, you can select certain custom setup options.
Table 3-1. View Agent Custom Setup Options for Unmanaged Desktop Sources
Option Description
USB Redirection Gives users access to locally connected USB devices on their
desktops.
Windows 2003 and Windows 2008 do not support USB
redirection.
NOTE You can use group policy settings to disable USB
redirection for specific users.
PCoIP Server Lets users connect to the View desktop with the PCoIP
display protocol.
NOTE On Windows Vista, if you install the PCoIP Server
component, the Windows group policy Disable or enable
software Secure Attention Sequence is enabled and set to
Services
setting, single sign-on does not work correctly.
PCoIP Smartcard Lets users authenticate with smart cards when they use the
PCoIP display protocol.
and Ease of Access applications. If you change this
VMware, Inc. 57
Page 58
VMware Horizon View Administration
58 VMware, Inc.
Page 59
Creating and Preparing Virtual
Machines 4
You can use virtual machines managed by vCenter Server to provision and deploy View desktops. You can
use
a virtual machine managed by vCenter Server as a template for an automated pool, a parent for a linkedclone pool, or a desktop source in a manual pool. You must prepare virtual machines to deliver View desktop
access.
This chapter includes the following topics:
n
“Creating Virtual Machines for View Desktop Deployment,” on page 59
n
“Install View Agent on a Virtual Machine,” on page 64
n
“Install View Agent Silently,” on page 66
n
“Configure a Virtual Machine with Multiple NICs for View Agent,” on page 70
n
“Optimize Windows Guest Operating System Performance,” on page 70
n
“Optimize Windows 7 and Windows 8 Guest Operating System Performance,” on page 71
n
“Optimizing Windows 7 and Windows 8 for Linked-Clone Desktops,” on page 73
n
“Preparing Virtual Machines for View Composer,” on page 79
n
“Creating Virtual Machine Templates,” on page 85
n
“Creating Customization Specifications,” on page 86
Creating Virtual Machines for View Desktop Deployment
The initial virtual machine establishes a virtual hardware profile and operating system to be used for rapid
deployment of View desktops.
1 Create a Virtual Machine for View Desktop Deployment on page 59
You use vSphere Client to create virtual machines in vCenter Server for View desktops.
2 Install a Guest Operating System on page 61
After you create a virtual machine, you must install a guest operating system.
3 Prepare a Guest Operating System for View Desktop Deployment on page 62
You must perform certain tasks to prepare a guest operating system for View desktop deployment.
Create a Virtual Machine for View Desktop Deployment
You use vSphere Client to create virtual machines in vCenter Server for View desktops.
Prerequisites
n
Upload an ISO image file of the guest operating system to a datastore on your ESX server.
VMware, Inc. 59
Page 60
VMware Horizon View Administration
n
Familiarize
yourself with the custom configuration parameters for virtual machines. See “Virtual Machine
Custom Configuration Parameters,” on page 60.
Procedure
1 In vSphere Client, log in to the vCenter Server system.
2 Select File > New > Virtual Machine to start the New Virtual Machine wizard.
3 Select Custom and configure custom configuration parameters.
4 Select Edit the virtual machine settings before completion and click Continue to configure hardware
settings.
a Add a CD/DVD drive, set the media type to use an ISO image file, select the ISO image file of the
guest operating system that you uploaded to your datastore, and select Connect at power on.
b If you are installing a Windows XP guest operating system, add a floppy drive and set the Device
Type to Client Device.
c Set Power-on Boot Delay to 10,000 milliseconds.
5 Click Finish to create the virtual machine.
What to do next
Install a guest operating system on the virtual machine.
Virtual Machine Custom Configuration Parameters
You can use virtual machine custom configuration parameters as baseline settings when you create a virtual
machine for View desktop deployment.
If you use View Administrator as your View desktop manager for deploying pooled desktops, you can change
these settings when deploying template-based View desktops.
Table 4-1. Custom Configuration Parameters
Parameter Description and Recommendations
Name and Location
Host/Cluster
Resource Pool
Datastore
Hardware Machine Version
Guest Operating System
The name and location of the virtual machine.
If
you plan to use the virtual machine as a template, assign a
generic name. The location can be any folder within your
datacenter inventory.
The ESX server or cluster of server resources that will run the
virtual machine.
If you plan to use the virtual machine as a template, the
location of the initial virtual machine does not necessarily
specify where future virtual machines created from template
will reside.
If the physical ESX server resources are divided into resource
pools, you can assign them to the virtual machine.
The location of files associated with the virtual machine.
If you create the virtual machine on an ESXi 5.1 or later host
or cluster, you can select virtual hardware version 9 or 8.
Version 9 provides greater virtual machine functionality.
If the host or cluster is ESX/ESXi 5.0 or later, you can select
virtual hardware version 8 or 7.
If the host or cluster is ESX/ESXi 4.0 or later, you can select
virtual hardware version 7 only.
The type of operating system that you will install in the
virtual machine.
60 VMware, Inc.
Page 61
Chapter 4 Creating and Preparing Virtual Machines
Table 4-1. Custom Configuration Parameters
Parameter Description and Recommendations
CPUs
Memory
Network
SCSI Controller
Select a Disk
(Continued)
The number of virtual processors in the virtual machine.
For most guest operating systems, a single processor is
sufficient.
The amount of memory to allocate to the virtual machine.
In most cases, 512MB is sufficient.
The number of virtual network adapters (NICs) in the virtual
machine.
One NIC is usually sufficient. The network name should be
consistent across virtual infrastructures. An incorrect
network name in a template can cause failures during the
instance customization phases.
When you install View Agent on a virtual machine that has
more
Agent uses. See “Configure a Virtual Machine with Multiple
NICs for View Agent,” on page 70 for more information.
IMPORTANT For Windows8, Windows 7, and Windows Vista
operating systems, you must select the VMXNET 3 network
adapter. Using the default E1000 adapter can cause
customization timeout errors on virtual machines. To use the
VMXNET 3 adapter, you must install a Microsoft hotfix
patch:
n
n
The type of SCSI adapter to use with the virtual machine.
For Windows8, Windows 7, and Windows XP guest
operating systems, you should specify the LSI Logic adapter.
The LSI Logic adapter has improved performance and works
better with generic SCSI devices.
LSI Logic SAS is available only for virtual machines with
hardware version 7 and later.
NOTE Windows XP does not include a driver for the LSI
Logic adapter. You must download the driver from the LSI
Logic Web site.
The disk to use with the virtual machine.
Create a new virtual disk based on the amount of local
storage that you decide to allocate to each user. Allow
enough storage space for the OS installation, patches, and
locally installed applications.
To reduce the need for disk space and management of local
data, you should store the user's information, profile, and
documents on network shares rather than on a local disk.
than one NIC, you must configure the subnet that View
For Windows 7 SP1:
http://support.microsoft.com/kb/2550978
For Windows 7 versions previous to SP1:
http://support.microsoft.com/kb/2344941
Install a Guest Operating System
After you create a virtual machine, you must install a guest operating system.
Prerequisites
n
Verify that an ISO image file of the guest operating system is on a datastore on your ESX server.
n
Verify that the CD/DVD drive in the virtual machine points to the ISO image file of the guest operating
system and that the CD/DVD drive is configured to connect at power on.
VMware, Inc. 61
Page 62
VMware Horizon View Administration
n
you are installing Windows XP and you selected the LSI Logic adapter for the virtual machine, download
If
the LSI20320-R controller driver from the LSI Logic Web site, create a floppy image (.flp) file that contains
the driver, and upload the file to a datastore on your ESX server.
Procedure
1 In vSphere Client, log in to the vCenter Server system where the virtual machine resides.
2 Right-click the virtual machine, select Power, and select Power On to start the virtual machine.
Because you configured the CD/DVD drive to point to the ISO image of the guest operating system and
to connect at power on, the guest operating system installation process begins automatically.
3 Click the Console tab and follow the installation instructions provided by the operating system vendor.
4 If you are installing Windows XP and you selected the LSI Logic adapter for the virtual machine, install
the LSI Logic driver during the Windows setup process.
a Press F6 to select additional SCSI drivers.
b Type S to specify an additional device.
c On the vSphere Client toolbar, click Connect Floppy to select the LSI Logic driver floppy image
(.flp) file.
d Return to the Windows Setup screen and press Enter to continue the Windows setup process.
e When the Windows setup process has finished, disconnect the virtual floppy disk drive.
5 If you are installing Windows 7 or Windows 8, activate Windows online.
What to do next
Prepare the guest operating system for View desktop deployment.
Prepare a Guest Operating System for View Desktop Deployment
You must perform certain tasks to prepare a guest operating system for View desktop deployment.
Prerequisites
n
Create a virtual machine and install a guest operating system.
n
Configure an Active Directory domain controller for your View desktops. See the VMware Horizon View
Installation document for more information.
n
To make sure that View desktop users are added to the local Remote Desktop Users group of the virtual
machine, create a restricted Remote Desktop Users group in Active Directory. See the VMware Horizon
View Installation document for more information.
n
Verify that Remote Desktop Services, called Terminal Services on Windows XP systems, are started on
the virtual machine. Remote Desktop Services are required for View Agent installation, SSO, and other
View operations. You can disable RDP access to your View desktops by configuring desktop pool settings
and group policy settings. See “Prevent Access to View Desktops Through RDP,” on page 139.
n
Verify that you have administrative rights on the guest operating system.
n
On Windows Vista operating systems, verify that the Windows Update Service is enabled. If you disable
this service on Windows Vista, the View Agent installer fails to install the USB driver.
n
If you intend to configure 3D graphics rendering for desktop pools, familiarize yourself with the Enable
3D Support setting for virtual machines.
This setting is active on Windows 7 and later operating systems. On ESXi 5.1 and later hosts, you can also
select options that determine how the 3D renderer is managed on the ESXi host. For details, see the vSphere
Virtual Machine Administration document.
62 VMware, Inc.
Page 63
Chapter 4 Creating and Preparing Virtual Machines
Procedure
1
In vSphere Client, log in to the vCenter Server system where the virtual machine resides.
2 Right-click the virtual machine, select Power, and select Power On to start the virtual machine.
3 Right-click the virtual machine, select Guest, and select Install/Upgrade VMware Tools to install the latest
version of VMware Tools.
4 Use the VMware Tools time synchronization function to ensure that the virtual machine is synchronized
to ESX.
ESX must synchronize to an external NTP source, for example, the same time source as Active Directory.
Disable other time synchronization mechanisms such as Windows Time Service.
The VMware Tools online help provides information on configuring time synchronization between guest
and host.
5 Install service packs and updates.
6 Install antivirus software.
7 Install other applications and software, such as Windows Media Player if you are using MMR and smart
card drivers if you are using smart card authentication.
If you plan to use Horizon Workspace to offer a catalog that includes ThinApp applications, you must
install the Horizon Agent.
On Windows XP systems, install all third-party applications and software (except Microsoft .NET
Framework) before you install View Agent.
IMPORTANT If you are installing Microsoft .NET Framework, you must install it after you install View
Agent.
8 If View clients will connect to the virtual machine with the PCoIP display protocol, set the power option
Turn off the display to Never.
If you do not disable this setting, the display will appear to freeze in its last state when power savings
mode starts.
9
If View clients will connect to the virtual machine with the PCoIP display protocol, go to Control Panel
> System > Advanced System Settings > Performance Settings and change the setting for Visual
Effects to Adjust for best performance.
If you instead use the setting called Adjust for best appearance or Let Windows choose what's best for
my computer and Windows chooses appearance instead of performance, performance is negatively
affected.
10 If a proxy server is used in your network environment, configure network proxy settings.
11 Configure network connection properties.
a Assign a static IP address or specify that an IP address is assigned by a DHCP server.
View does not support link-local (169.254.x.x) addresses for View desktops.
b Set the preferred and alternate DNS server addresses to your Active Directory server address.
12 Join the virtual machine to the Active Directory domain for your View desktops.
A parent virtual machine that you use for View Composer must either belong to the same Active Directory
domain as the domain that the linked-clone desktops will join or be a member of the local WORKGROUP.
13 Configure the Windows firewall to allow Remote Desktop connections to the virtual machine.
VMware, Inc. 63
Page 64
VMware Horizon View Administration
14 (Optional) Disable Hot Plug PCI devices.
This step prevents users from accidentally disconnecting the virtual network device (vNIC) from the
virtual machine.
15
(Optional) Configure user customization scripts.
What to do next
Install View Agent. See “Install View Agent on a Virtual Machine,” on page 64.
Install View Agent on a Virtual Machine
You must install View Agent on virtual machines that are managed by vCenter Server so that View Connection
Server can communicate with them. Install View Agent on all virtual machines that you use as templates for
automated desktop pools, parents for linked-clone desktop pools, and desktop sources in manual desktop
pools.
To install View Agent on multiple Windows virtual machines without having to respond to wizard prompts,
you can install View Agent silently. See “Install View Agent Silently,” on page 66.
The View Agent software cannot coexist on the same virtual or physical machine with any other View Manager
software component, including a security server, replica server, View Connection Server, View Composer,
View Client, or View Transfer Server.
Prerequisites
n
Prepare the guest operating system for View desktop deployment. See “Prepare a Guest Operating System
for View Desktop Deployment,” on page 62.
n
Download the View Agent installer file from the VMware product page at
http://www.vmware.com/products/.
n
Verify that you have administrative rights on the virtual machine.
n
Familiarize yourself with the View Agent custom setup options. See “View Agent Custom Setup
Options,” on page 65.
n
Familiarize yourself with the TCP ports that the View Agent installation program opens on the firewall.
See the VMware Horizon View Architecture Planning document for more information.
n
If you select the View Composer Agent custom setup option, verify that you have a license to use View
Composer.
Procedure
1 To start the View Agent installation program, double-click the installer file.
The installer filename is VMware-viewagent-
xxxxxx
.exe, where y.y.y is the version number and xxxxxx is the build number.
y.y.y-xxxxxx
.exe or VMware-viewagent-x86_64-
y.y.y
2 Accept the VMware license terms.
3 Select your custom setup options.
-
To deploy linked-clone desktops, select the View Composer Agent option.
4 Accept or change the destination folder.
5 Follow the prompts in the View Agent installation program and finish the installation.
NOTE If you did not enable Remote Desktop support during guest operating system preparation, the
View Agent installation program prompts you to enable it. If you do not enable Remote Desktop support
during View Agent installation, you must enable it manually after the installation is finished.
64 VMware, Inc.
Page 65
Chapter 4 Creating and Preparing Virtual Machines
6 If you selected the USB redirection option, restart the virtual machine to enable USB support.
In
addition, the Found New Hardware wizard might start. Follow the prompts in the wizard to configure
the hardware before you restart the virtual machine.
The VMware View Agent service is started on the virtual machine.
If you selected the View Composer Agent option, the VMware View Composer Guest Agent Server service is
started on the virtual machine.
If Windows Media Player is not installed, the View Agent installation program does not install the multimedia
redirection (MMR) feature. If you install Windows Media Player after installing View Agent, you can install
the MMR feature by running the View Agent installation program again and selecting the Repair option.
What to do next
If the virtual machine has multiple NICs, configure the subnet that View Agent uses. See “Configure a Virtual
Machine with Multiple NICs for View Agent,” on page 70.
View Agent Custom Setup Options
When you install View Agent on a virtual machine, you can select custom setup options.
Table 4-2. View Agent Custom Setup Options
Option Description
USB Redirection Gives users access to locally connected USB devices on their
desktops.
Windows 2003 and Windows 2008 do not support USB
redirection.
NOTE You can use group policy settings to disable USB
redirection for specific users.
View Composer Agent Lets View Agent run on the linked-clone desktops that are
deployed from this virtual machine.
Virtual Printing Lets users print to any printer available on their Windows
client computers. Users do not have to install additional
drivers on their desktops.
PCoIP Server Lets users connect to the View desktop using the PCoIP
display protocol.
Installing the PCoIP Server feature disables sleep mode on
Windows 8, Windows 7, and Windows Vista desktops and
standby mode on Windows XP desktops. When a user
navigates to the Power Options or Shut Down menu, sleep
mode or standby mode is inactive. Desktops do not go into
sleep or standby mode after a default period of inactivity.
Desktops remain in active mode.
NOTE If you install the PCoIP Server feature on Windows
the Windows group policy Disable or enable software
Vista,
Secure Attention Sequence is enabled and set to Services
and Ease of Access applications. If you change this setting,
single sign-on does not work correctly.
PCoIP Smartcard Lets users authenticate with smart cards when they use the
PCoIP display protocol.
View Persona Management Synchronizes the user profile on the local desktop with a
remote profile repository, so that users have access to their
profiles whenever they log in to a desktop.
VMware, Inc. 65
Page 66
VMware Horizon View Administration
Install View Agent Silently
You can use the silent installation feature of the Microsoft Windows Installer (MSI) to install View Agent on
several Windows virtual machines or physical computers. In a silent installation, you use the command line
and do not have to respond to wizard prompts.
With silent installation, you can efficiently deploy View components in a large enterprise.
Prerequisites
n
Prepare
the guest operating system for View desktop deployment. See “Prepare a Guest Operating System
for View Desktop Deployment,” on page 62.
n
Download the View Agent installer file from the VMware product page at
http://www.vmware.com/products/.
The installer filename is VMware-viewagent-
xxxxxx
.exe, where y.y.y is the version number and xxxxxx is the build number.
n
Verify that you have administrative rights on the virtual machine or physical PC.
n
Familiarize yourself with the View Agent custom setup options. See “View Agent Custom Setup
y.y.y-xxxxxx
.exe or VMware-viewagent-x86_64-
y.y.y
Options,” on page 65.
n
If you select the View Composer Agent custom setup option, verify that you have a license to use View
Composer.
n
Familiarize yourself with the MSI installer command-line options. See “Microsoft Windows Installer
Command-Line Options,” on page 67.
n
Familiarize yourself with the silent installation properties available with View Agent. See “Silent
Installation Properties for View Agent,” on page 68.
n
Familiarize yourself with the TCP ports that the View Agent installation program opens on the firewall.
See the VMware Horizon View Architecture Planning document for more information.
Procedure
1 Open a Windows command prompt on the virtual machine or physical PC.
-
2 Type the installation command on one line.
This example installs View Agent in a virtual machine that is managed by vCenter Server. The installer
configures the PCoIP, View Composer Agent, Virtual Printing, and USB redirection custom setup options.
VMware-viewagentADDLOCAL=Core,PCoIP,SVIAgent,ThinPrint,USB"
y.y.y-xxxxxx
.exe /s /v"/qn VDM_VC_MANAGED_AGENT=1
This example installs View Agent on an unmanaged computer and registers the desktop with the specified
View Connection Server, cs1.companydomain.com. The installer configures the SSO, Virtual Printing, and
USB redirection custom setup options.
VMware-viewagentVDM_SERVER_NAME=cs1.companydomain.com VDM_SERVER_USERNAME=admin.companydomain.com
VDM_SERVER_PASSWORD=secret ADDLOCAL=Core,ThinPrint,USB"
y.y.y-xxxxxx
.exe /s /v"/qn VDM_VC_MANAGED_AGENT=0
The VMware View Agent service is started on the virtual machine.
If you selected the View Composer Agent option, the VMware View Composer Guest Agent Server service is
started on the virtual machine.
66 VMware, Inc.
Page 67
If Windows Media Player is not installed, the View Agent installation program does not install the multimedia
redirection (MMR) feature. If you install Windows Media Player after installing View Agent, you can install
the MMR feature by running the View Agent installation program again and selecting the Repair option.
What to do next
If
the virtual machine has multiple NICs, configure the subnet that View Agent uses. See “Configure a Virtual
Machine with Multiple NICs for View Agent,” on page 70.
Microsoft Windows Installer Command-Line Options
To install View components silently, you must use Microsoft Windows Installer (MSI) command-line options
and properties. The View component installers are MSI programs and use standard MSI features.
For details about MSI, see the Microsoft Web site. For MSI command-line options, see the Microsoft Developer
Network (MSDN) Library Web site and search for MSI command-line options. To see MSI command-line usage,
you can open a command prompt on the View component computer and type msiexec /?.
To run a View component installer silently, you begin by disabling the bootstrap program that extracts the
installer into a temporary directory and starts an interactive installation.
At the command line, you must enter command-line options that control the installer's bootstrap program.
Table 4-3. Command-Line Options for a View Component's Bootstrap Program
Option Description
/s
/v"
MSI_command_line_options
Disables the bootstrap splash screen and extraction dialog, which prevents the display of
interactive dialogs.
For example: VMware-viewconnectionserver-
The /s option is required to run a silent installation.
Instructs the installer to pass the double-quote-enclosed string that you enter at the command line
"
as a set of options for MSI to interpret. You must enclose your command-line entries between
double quotes. Place a double quote after the /v and at the end of the command line.
For example: VMware-viewagent-
To instruct the MSI installer to interpret a string that contains spaces, enclose the string in two sets
of double quotes. For example, you might want to install the View component in an installation
path name that contains spaces.
For example: VMware-viewconnectionserver-
xxxxxx
.exe /s /v"
In this example, the MSI installer passes on the installation-directory path and does not attempt
to interpret the string as two command-line options. Note the final double quote that encloses the
entire command line.
command_line_options
The /v"
command_line_options
y.y.y-xxxxxx
" option is required to run a silent installation.
y.y.y-xxxxxx
.exe /s /v"
y.y.y
INSTALLDIR=""d:\abc\my folder"""
Chapter 4 Creating and Preparing Virtual Machines
.exe /s
command_line_options
-
"
You control the remainder of a silent installation by passing command-line options and MSI property values
to the MSI installer, msiexec.exe. The MSI installer includes the View component's installation code. The
installer uses the values and options that you enter in the command line to interpret installation choices and
setup options that are specific to the View component.
VMware, Inc. 67
Page 68
VMware Horizon View Administration
Table 4-4. MSI Command-Line Options and MSI Properties
MSI Option or Property Description
/qn
INSTALLDIR
ADDLOCAL
REBOOT
log_file
/l*v
Instructs the MSI installer not to display the installer wizard pages.
For example, you might want to install View Agent silently and use only default setup
options and features:
VMware-viewagent-
Alternatively, you can use the /qb option to display the wizard pages in a noninteractive,
automated installation. As the installation proceeds, the wizard pages are displayed, but
you cannot respond to them.
The /qn or /qb option is required to run a silent installation.
Specifies an alternative installation path for the View component.
Use the format
property if you want to install the View component in the default path.
This MSI property is optional.
Determines the component-specific features to install. In an interactive installation, the
View installer displays custom setup options to select. The MSI property, ADDLOCAL, lets
you specify these setup options on the command line.
To install all available custom setup options, enter ADDLOCAL=ALL.
For example: VMware-viewagent-
If you do not use the MSI property, ADDLOCAL, the default setup options are installed.
To specify individual setup options, enter a comma-separated list of setup option names.
Do not use spaces between names. Use the format
For example, you might want to install View Agent in a guest operating system with the
View Composer Agent and PCoIP features:
VMware-viewagentADDLOCAL=Core,SVIAgent,PCoIP"
NOTE The Core feature is required in View Agent.
This MSI property is optional.
You can use the REBOOT=ReallySuppress option to allow system configuration tasks to
complete before the system reboots.
This MSI property is optional.
Writes logging information into the specified log file with verbose output.
For example: /l*v ""%TEMP%\vmmsi.log""
This example generates a detailed log file that is similar to the log generated during an
interactive installation.
You can use this option to record custom features that might apply uniquely to your
installation. You can use the recorded information to specify installation features in future
silent installations.
The /l*v option is optional.
y.y.y-xxxxxx
INSTALLDIR=path
y.y.y-xxxxxx
.exe /s /v"/qn"
to specify an installation path. You can ignore this MSI
y.y.y-xxxxxx
.exe /s /v"/qn
.exe /s /v"/qn ADDLOCAL=ALL"
ADDLOCAL=value,value,value...
.
Silent Installation Properties for View Agent
You can include specific properties when you silently install View Agent from the command line. You must
a
PROPERTY=value
use
Table 4-5 shows the View Agent silent installation properties that you can use at the command-line.
68 VMware, Inc.
format so that Microsoft Windows Installer (MSI) can interpret the properties and values.
Page 69
Chapter 4 Creating and Preparing Virtual Machines
Table 4-5. MSI Properties for Silently Installing View Agent
MSI Property Description Default Value
INSTALLDIR
RDPCHOICE
VDM_VC_MANAGED_AGENT
VDM_SERVER_NAME
VDM_SERVER_USERNAME
VDM_SERVER_PASSWORD
The path and folder in which the View Agent software is installed.
For example: INSTALLDIR=""D:\abc\my folder""
The sets of two double quotes that enclose the path permit the MSI
installer to ignore the space in the path.
This MSI property is optional.
Determines whether to enable Remote Desktop Protocol (RDP) on
the desktop.
A value of 1 enables RDP. A value of 0 leaves the RDP setting
disabled.
This MSI property is optional.
Determines whether vCenter Server manages the virtual machine on
which View Agent is installed.
A value of 1 configures the desktop as a vCenter Server-managed
virtual machine.
value of 0 configures the desktop as unmanaged by vCenter Server.
A
This MSI property is required.
The host name or IP address of the View Connection Server computer
on which the View Agent installer registers an unmanaged desktop.
This property applies to unmanaged desktops only.
For example: VDM_SERVER_NAME=10.123.01.01
This MSI property is required for unmanaged desktops.
Do not use this MSI property for virtual-machine desktops that are
managed by vCenter Server.
The user name of the administrator on the View Connection Server
computer. This MSI property applies to unmanaged desktops only.
For example: VDM_SERVER_USERNAME=admin.companydomain.com
This MSI property is required for unmanaged desktops.
Do not use this MSI property for virtual-machine desktops that are
managed by vCenter Server.
The View Connection Server administrator user password.
For example: VDM_SERVER_PASSWORD=secret
This MSI property is required for unmanaged desktops.
Do not use this MSI property for virtual-machine desktops that are
managed by vCenter Server.
%ProgramFiles
%\VMware\VMware
View\Agent
1
None
None
None
None
In a silent installation command, you can use the MSI property, ADDLOCAL=, to specify custom features that
the View Agent installer configures. Each silent-installation feature corresponds to a custom setup option that
you can select during an interactive installation.
Table 4-6 shows the View Agent features you can type at the command line and the corresponding custom
setup options.
Table 4-6. View Agent Silent Installation Features and Interactive Custom Setup Options
Silent Installation Feature Custom Setup Option in an Interactive Installation
Core.
If you specify individual features with the MSI property,
ADDLOCAL=, you must include Core.
If you specify ADDLOCAL=ALL, all features, including Core,
are installed.
SVIAgent View Composer Agent
ThinPrint Virtual Printing
VMware, Inc. 69
None.
During an interactive installation, the core View Agent
functions are installed by default.
Page 70
VMware Horizon View Administration
Table 4-6. View Agent Silent Installation Features and Interactive Custom Setup Options (Continued)
Silent Installation Feature Custom Setup Option in an Interactive Installation
ThinPrintPCoIP Virtual Printing with PCoIP
PCoIP PCoIP Protocol
USB USB Redirection
VPA View Persona Management
VmVideo In an interactive installation, this feature is not a separate
custom setup option.
VmwV
audio In an interactive installation, this feature is not a separate
custom setup option.
SmartCard In an interactive installation, the SmartCard feature is not a
separate custom setup option.
VMCI In an interactive installation, the VMCI feature is not a
separate custom setup option.
For details about the custom setup options, see “View Agent Custom Setup Options,” on page 65.
Configure a Virtual Machine with Multiple NICs for View Agent
When you
install View Agent on a virtual machine that has more than one NIC, you must configure the subnet
that View Agent uses. The subnet determines which network address View Agent provides to the View
Connection Server instance for client protocol connections.
Procedure
u
On the virtual machine on which View Agent is installed, open a command prompt, type regedit.exe,
and create a registry entry to configure the subnet.
For example: HKLM\Software\VMware, Inc.\VMware VDM\Node Manager\subnet =
In this example, n.n.n.n is the TCP/IP subnet and m is the number of bits in the subnet mask.
Optimize Windows Guest Operating System Performance
You can perform certain steps to optimize guest operating system performance for View desktop deployment.
The steps apply to all Windows operating systems. All of the steps are optional.
These recommendations include turning off the screen saver and not specifying a sleep timer. Your
organization might require the use of screen savers. For example, you might have a GPO-managed security
policy that locks a desktop a certain time after the screen saver starts. In this case, use a blank screen saver.
Prerequisites
Prepare a guest operating system for View desktop deployment.
Procedure
n.n.n.n/m
(REG_SZ)
n
Disable any unused ports, such as COM1, COM2, and LPT.
n
Adjust display properties.
a Choose a basic theme.
b Set the background to a solid color.
c Set the screen saver to None.
d Verify that hardware acceleration is enabled.
70 VMware, Inc.
Page 71
Chapter 4 Creating and Preparing Virtual Machines
n
Select a high-performance power option and do not specify a sleep timer.
n
Disable the Indexing Service component.
NOTE Indexing improves searches by cataloging files. Do not disable this feature for users who search
often.
n
Remove or minimize System Restore points.
n
Turn off system protection on C:\.
n
Disable any unnecessary services.
n
Set the sound scheme to No Sounds.
n
Set visual effects to Adjust for best performance.
n
Open Windows Media Player and use the default settings.
n
Turn off automatic computer maintenance.
n
Adjust performance settings for best performance.
n
Delete any hidden uninstall folders in C:\Windows, such $NtUninstallKB893756$.
n
Delete all event logs.
n
Run Disk Cleanup to remove temporary files, empty the Recycle Bin, and remove system files and other
items that are no longer needed.
n
Run Disk Defragmenter to rearrange fragmented data.
n
If users are going to play full-screen videos or run 3D applications on desktops that run in a vSphere 5.1
environment, follow the instructions to modify the registry described in Microsoft KB 235257.
The
Microsoft KB is titled "Server Does Not Use All Bandwidth Available When Streaming Files with Bit
Rates over 100 Kbps" and is located at http://support.microsoft.com/kb/235257. Restart the virtual machine
to enable the modified registry setting to take effect.
Without this optimization, brief freezes can occur, or the videos can stutter.
NOTE Making this optimization delivers performance improvements in both ESXi 5.x and ESXi 5.1, but
it is required for ESXi 5.1.
What to do next
Windows 7 and Windows 8 guest operating systems, perform additional optimization tasks. See “Optimize
For
Windows 7 and Windows 8 Guest Operating System Performance,” on page 71.
Optimize Windows 7 and Windows 8 Guest Operating System Performance
You can perform additional steps to optimize Windows 7 and Windows 8 guest operating system performance
for View desktop deployment. All of the steps are optional.
Prerequisites
n
Perform the guest operating system optimization steps that apply to all Windows operating systems. See
“Optimize Windows Guest Operating System Performance,” on page 70.
n
Familiarize yourself with the procedure for disabling the Windows Customer Experience Improvement
Program. See “Disable the Windows Customer Experience Improvement Program,” on page 72.
VMware, Inc. 71
Page 72
VMware Horizon View Administration
Procedure
1
Uninstall Tablet PC Components, unless this feature is needed.
2 Disable IPv6, unless it is needed.
3 Use the File System Utility (fsutil) command to disable the setting that keeps track of the last time a file
was accessed.
For example: fsutil behavior set disablelastaccess 1
4 Start the Registry Editor (regedit.exe) and change the TimeOutValue REG_DWORD in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk to 0x000000be(190).
5 Turn off the Windows Customer Experience Improvement Program and disable related tasks from the
Task Scheduler.
6 Shut down the guest operating system and power off the virtual machine.
7 Power on the virtual machine.
What to do next
See “Optimizing Windows 7 and Windows 8 for Linked-Clone Desktops,” on page 73 for information on
disabling certain Windows 7 and Windows 8 services and tasks to reduce the growth of View Composer linkedclone desktops. Disabling certain services and tasks can also result in performance benefits for full virtual
machines.
Disable the Windows Customer Experience Improvement Program
Disabling the Windows Customer Experience Improvement Program and the related Task Scheduler tasks
that control this program can improve Windows 7 and Windows 8 system performance in large View desktop
pools.
Procedure
1 In the Windows 7 or Windows 8 guest operating system, start the control panel and click Action Center
> Change Action Center settings.
2 Click Customer Experience Improvement Program settings.
3 Select No, I don't want to participate in the program and click Save changes.
4 Start the control panel and click Administrative Tools > Task Scheduler.
5 In the Task Scheduler (Local) pane of the Task Scheduler dialog box, expand the Task Scheduler
Library > Microsoft > Windows nodes and open the Application Experience folder.
6 Disable the AITAgent and ProgramDataUpdater tasks.
7 In the Task Scheduler Library > Microsoft > Windows node, open the Customer Experience
Improvement Program folder.
8 Disable the Consolidator, KernelCEIPTask, and Use CEIP tasks.
What to do next
Perform other Windows 7 or Windows 8 optimization tasks. See “Optimize Windows 7 and Windows 8 Guest
Operating System Performance,” on page 71.
72 VMware, Inc.
Page 73
Chapter 4 Creating and Preparing Virtual Machines
Optimizing Windows 7 and Windows 8 for Linked-Clone Desktops
disabling certain Windows 7 or Windows 8 services and tasks, you can reduce the growth of View Composer
By
linked-clone desktops. Disabling certain services and tasks can also result in performance benefits for full
virtual machines.
Benefits of Disabling Windows 7 and Windows 8 Services and Tasks
Windows 7 and Windows 8 schedule services and tasks that can cause View Composer linked clones to grow,
even when the linked-clone desktops are idle. The incremental growth of linked-clone OS disks can undo the
storage savings that you achieve when you first create the linked-clone desktops. You can reduce linked-clone
growth by disabling these Windows services.
Windows 7 and Windows 8 introduce new services and schedules older services, such as disk defragmentation,
to run by default. These services run in the background if you do not disable them.
Services that affect OS disk growth also generate input/output operations per second (IOPS) on the Windows
7 or Windows 8 virtual machines. Disabling these services can reduce IOPS and improve performance on full
virtual machines and linked clones.
Disabling certain services also might benefit Windows XP and Windows Vista operating systems.
These best practices for optimizing Windows 7 and Windows 8 apply to most user environments. However,
you must evaluate the effect of disabling each service on your users, applications, and desktops. You might
require certain services to stay active.
For example, disabling Windows Update Service makes sense if you refresh and recompose the linked-clone
desktops. A refresh operation restores the OS disks to their last snapshots, deleting all automatic Windows
updates since the last snapshots were taken. A recompose operation recreates the OS disks from a new snapshot
that can contain the current Windows updates, making automatic Windows updates redundant.
If you do not use refresh and recompose regularly, you might decide to keep Windows Update Service active.
Overview of Windows 7 and Windows 8 Services and Tasks That Cause LinkedClone Growth
Certain services and tasks in Windows 7 and Windows 8 can cause linked-clone OS disks to grow incrementally
every few hours, even when the linked-clone desktops are idle. If you disable these services and tasks, you can
control the OS disk growth.
Services that affect OS disk growth also generate IOPS on Windows 7 and Windows 8 virtual machines. You
can evaluate the benefits of disabling these services on full virtual machines as well as linked clones.
Before you disable the Windows 7 or Windows 8 services that are shown in Table 4-7, verify that you took the
optimization steps in “Optimize Windows Guest Operating System Performance,” on page 70 and “Optimize
Windows 7 and Windows 8 Guest Operating System Performance,” on page 71.
VMware, Inc. 73
Page 74
VMware Horizon View Administration
Table 4-7. Impact of Windows 7 and Windows 8 Services and Tasks on OS Disk Growth and IOPS When OS Is Left
Idle
Default
Service or Task Description
Occurrence or
Startup
Impact on LinkedClone OS Disks Impact on IOPS
Turn Off This
Service or Task?
Windows
Hibernation
Windows Scheduled
Disk
Defragmentation
Windows Update
Service
Windows
Diagnostic Policy
Service
Prefetch/Superfetch Stores specific
Provides a powersaving state by
storing open
documents and
programs in a file
before the
computer is
powered off. The
file is reloaded into
memory when the
computer is
restarted, restoring
the state when the
hibernation was
invoked.
Disk
defragmentation is
scheduled as a
background
process.
Detects,
downloads, and
installs updates for
Windows and
other programs.
Detects,
troubleshoots, and
resolves problems
in Windows
components. If you
stop this service,
diagnostics no
longer function.
information about
applications that
you run to help
them start faster.
This feature was
introduced in
Windows XP.
Default powerplan settings
disable
hibernation.
Once a week High.
Automatic startup Medium to high.
Automatic startup Medium to high.
Always on, unless
it is disabled.
High.
By default, the size
of the hibernation
file,
hiberfil.sys, is
the same as the
installed RAM on
the virtual
machine. This
feature affects all
guest operating
systems.
Repeated
defragmentation
operations can
increase the size of
linked-clone OS
disks by several GB
and do little to
make disk access
more efficient on
linked clones.
Causes frequent
writes to the
linked-clones' OS
disks because
update checks
occur often. The
impact depends on
the updates that are
downloaded.
The service is
triggered on
demand. The write
frequency varies,
depending on
demand.
Medium
Causes periodic
updates to its
layout and
database
information and
individual prefetch
files, which are
generated on
demand.
High.
When hibernation
is triggered, the
system writes a
hiberfil.sys file
the size of the
installed RAM.
High Yes
Medium to high Yes, if you use View
Small to medium Yes, if you do not
Medium Yes, if application
Yes
Hibernation
provides no benefit
in a virtual
environment.
For instructions, see
“Disable Windows
Hibernation in the
Parent Virtual
Machine,” on
page 82..
Composer
recompose to install
Windows updates
and refresh to return
OS disks to their
original snapshots.
need the diagnostic
tools to function on
the desktops.
startup times are
acceptable after you
disable this feature.
74 VMware, Inc.
Page 75
Chapter 4 Creating and Preparing Virtual Machines
Table 4-7. Impact of Windows 7 and Windows 8 Services and Tasks on OS Disk Growth and IOPS When OS Is Left
Idle (Continued)
Default
Service or Task Description
Occurrence or
Startup
Impact on LinkedClone OS Disks Impact on IOPS
Turn Off This
Service or Task?
Windows Registry
Backup
(RegIdleBackup)
System Restore Reverts the
Windows Defender Provides anti-
Microsoft Feeds
Synchronization
task
(msfeedssync.exe)
Automatically
backs up the
Windows registry
when the system is
idle.
Windows system
to a previous,
healthy state.
spyware features.
Periodically
updates RSS feeds
in Windows
Internet Explorer
Web browsers.
This task updates
RSS feeds that have
automatic RSS
feeds
synchronization
turned on. The
process appears in
Windows Task
Manager only
when Internet
Explorer is
running.
Every 10 days at
12:00 am
When Windows
starts up and once a
day thereafter.
When Windows
starts up. Performs
a quick scan once a
day. Checks for
updates before
each scan.
Once a day. Medium.
Medium.
Each time this task
runs, it generates
registry backup
files.
Small to medium.
Captures a system
restore point
whenever the
system detects that
it is needed. When
the linked clone is
idle, this overhead
is small.
Medium to high.
Performs
definition updates,
scheduled scans,
and scans that are
started on demand.
Affects OS-disk
growth if persistent
disks are not
configured. If
persistent disks are
configured, the
impact is diverted
to the persistent
disks.
Medium. Yes.
There is no need for
Windows Registry
Backup. To restore
registry data, you
can use the View
Composer refresh
operation.
No major impact. Yes
Although its impact
is small, this task is
redundant if you use
View Composer
refresh to return OS
disks to their
original snapshots.
Medium to high. Yes, if other anti-
spyware software is
installed.
Medium Yes, if your users do
not require
automatic RSS feed
updates on their
desktops.
Disable Scheduled Disk Defragmentation on Windows 7 and Windows 8 Parent Virtual Machines
Before you create linked clones, you must disable scheduled defragmentations on Windows 7 and Windows
8 parent virtual machines. Windows 7 and Windows 8 schedule weekly disk defragmentations by default.
Repeated
disk access more efficient on linked clones.
When you create a linked-clone pool from the parent virtual machine, the linked clones share the replica's disk.
Subsequent defragmentation operations do not affect the replica's disk, which is read-only. Instead,
defragmentations expand each clone's OS disk.
VMware, Inc. 75
defragmentation operations significantly increase the size of linked-clone OS disks and do not make
Page 76
VMware Horizon View Administration
As a best practice, defragment the parent virtual machine one time, before you take a snapshot and create the
pool.
The linked clones benefit from the defragmentation because they share the replica's optimized, read-only
disk.
Prerequisites
n
Verify that the applications that you intend to deploy to the linked clones are installed on the virtual
machine.
n
Verify that View Agent with View Composer Agent is installed on the virtual machine.
Procedure
1 In vSphere Client, select the parent virtual machine and select Open Console.
2 Log in to the Windows 7 or Windows 8 guest operating system as an administrator.
3 Click Start and type defrag in the Search programs and files box.
4 In the Programs pane, click Disk Defragmenter.
5 In the Disk Defragmenter dialog box, click Defragment disk.
The Disk Defragmenter consolidates defragmented files on the virtual machine's hard disk.
6 In the Disk Defragmenter dialog box, click Configure schedule.
7 Deselect Run on a schedule (recommended) and click OK.
Defragmentation operations will not take place on linked-clone virtual machines that are created from this
parent virtual machine.
Disable the Windows Update Service on Windows 7 and Windows 8 Virtual Machines
Disabling the Windows Update Service can reduce the number of files that are created and writes that occur
when updates are downloaded and installed. This action can reduce linked-clone growth and reduce IOPS in
linked clones and full virtual machines.
Disable Windows Update Service if you refresh and recompose the linked-clone desktops. A refresh operation
restores the OS disks to their original snapshots, deleting the automatic Windows updates. A recompose
operation recreates the OS disks from a new snapshot that can contain Windows updates, making automatic
Windows updates redundant.
Do not disable the Windows Update Service if you do not use recompose to install Windows updates in the
linked clones.
Prerequisites
Verify that the most recent Windows updates are downloaded and installed on the virtual machine.
Procedure
1 In vSphere Client, select the parent virtual machine and select Open Console.
2 Log in to the Windows 7 or Windows 8 guest operating system as an administrator.
3 Click Start > Control Panel > System and Security > Turn automatic updating on or off.
4 In the Important updates menu, select Never check for updates.
5 Deselect Give me recommended updates the same way I receive important updates.
6 Deselect Allow all users to install updates on this computer and click OK.
76 VMware, Inc.
Page 77
Chapter 4 Creating and Preparing Virtual Machines
Disable the Diagnostic Policy Service on Windows 7 and Windows 8 Virtual Machines
Disabling the Windows Diagnostic Policy Service can minimize the number of system writes and reduce the
growth of linked-clone desktops.
Do no disable the Windows Diagnostic Policy Service if your users require the diagnostic tools on their
desktops.
Procedure
1
In vSphere Client, select the parent virtual machine and select Open Console.
2 Log in to the Windows 7 or Windows 8 guest operating system as an administrator.
3 Click Start > Control Panel > System and Security > Administrative Tools.
4 Select Services and click Open.
5 Double-click Diagnostic Policy Service.
6 In the Diagnostic Policy Service Properties (Local Computer) dialog, click Stop.
7 In the Startup type menu, select Disabled.
8 Click OK.
Disable the Prefetch and Superfetch Features on Windows 7 and Windows 8 Virtual Machines
By disabling the Windows prefetch and superfetch features, you can avoid generating prefetch files and the
overhead associated with prefetch and superfetch operations. This action can reduce the growth of linkedclone desktops and minimize IOPS on full virtual machines and linked clones.
To disable the prefetch and superfetch features, you must edit a Windows registry key and disable the Prefetch
service on the virtual machine.
Prerequisites
See the Microsoft TechNet Web site for information on how to use the Windows Registry Editor on Windows 7
and Windows 8.
Procedure
1 Start the Windows Registry Editor on the local Windows 7 or Windows 8 virtual machine.
2 Navigate to the registry key called PrefetchParameters.
The registry key is located in the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\PrefetchParameters.
3 Set the EnablePrefetcher and EnableSuperfetch values to 0.
4 Click Start > Control Panel > System and Security > Administrative Tools.
5 Select Services and click Open.
6 Double-click the Superfetch service.
7 In the Superfetch Properties (Local Computer) dialog, click Stop.
8 In the Startup type menu, select Disabled.
9 Click OK.
VMware, Inc. 77
Page 78
VMware Horizon View Administration
Disable Windows Registry Backup on Windows 7 and Windows 8 Virtual Machines
Disabling the Windows registry backup feature, RegIdleBackup, can minimize the number of system writes
and reduce the growth of linked-clone desktops.
Procedure
1
In vSphere Client, select the parent virtual machine and select Open Console.
2 Log in to the Windows 7 or Windows 8 guest operating system as an administrator.
3 Click Start > Control Panel > System and Security > Administrative Tools.
4 Select Task Scheduler and click Open.
5 In the left pane, expand Task Scheduler Library, Microsoft, Windows.
6 Double-click Registry and select RegIdleBackup.
7 In the Actions pane, click Disable.
Disable the System Restore on Windows 7 and Windows 8 Virtual Machines
You do not need to use the Windows System Restore feature if you use View Composer refresh to restore
linked-clone OS disks to their original snapshots.
When the operating system is idle, System Restore does not have a visible impact on OS-disk growth. However,
when the operating system is in use, System Restore generates restore points based on system use, which can
have a significant impact on OS-disk growth.
The function of Windows System Restore is the same as View Composer refresh.
As a best practice, you can disable Windows System Restore and avoid unnecessary growth in your linked
clones.
If you do not use refresh, evaluate whether it is best to leave System Restore active in your View environment.
Procedure
1 In vSphere Client, select the parent virtual machine and select Open Console.
2 Log in to the Windows 7 or Windows 8 guest operating system as an administrator.
3 Click Start > Control Panel > System and Security > Administrative Tools.
4 Select Task Scheduler and click Open.
5 In the left pane, expand Task Scheduler Library, Microsoft, Windows.
6 Double-click SystemRestore and select SR.
7 In the Actions pane, click Disable.
Disable Windows Defender on Windows 7 and Windows 8 Virtual Machines
Microsoft Windows Defender can contribute to linked-clone OS disk growth and increase IOPS in linked clones
and full virtual machines. Disable Windows Defender if you install other anti-spyware software on the virtual
machine.
If Windows Defender is the only anti-spyware installed on the virtual machine, you might prefer to keep
Windows Defender active on the desktops in your environment.
78 VMware, Inc.
Page 79
Chapter 4 Creating and Preparing Virtual Machines
Procedure
1
In vSphere Client, select the parent virtual machine and select Open Console.
2 Log in to the Windows 7 or Windows 8 guest operating system as an administrator.
3 Click Start and type Windows Defender in the Search programs and files box.
4 Click Tools > Options > Administrator.
5 Deselect Use this program and click Save.
Disable Microsoft Feeds Synchronization on Windows 7 and Windows 8 Virtual Machines
Windows Internet Explorer uses the Microsoft Feeds Synchronization task to update RSS feeds in users' Web
browsers. This task can contribute to linked-clone growth. Disable this task if your users do not require
automatic RSS feed updates in their browsers.
Microsoft Feeds Synchronization can cause OS-disk growth if persistent disks are not configured. If persistent
disks are configured, the impact is diverted to the persistent disks. In this situation, you should still disable
Microsoft Feeds Synchronization to control persistent-disk growth.
Procedure
1 In vSphere Client, select the parent virtual machine and select Open Console.
2 Log in to the Windows 7 or Windows 8 guest operating system as an administrator.
3 Click Start > Control Panel > Network and Internet > Internet Options.
4 Click the Content tab.
5 Under Feeds and Web Slices, click Settings.
6 Deselect Automatically check feeds and Web Slices for updates and click OK.
7 In the Internet Properties dialog, click OK.
Preparing Virtual Machines for View Composer
To deploy linked-clone desktops, you must prepare a parent virtual machine that meets the requirements of
the View Composer service.
n
Prepare a Parent Virtual Machine on page 80
The View Composer service requires a parent virtual machine from which you generate a base image
for creating and managing linked-clone desktops.
n
Activating Windows on Linked-Clone Desktops on page 82
To make sure that View Composer properly activates Windows 8, Windows 7, and Windows Vista
operating systems on linked-clone desktops, you must use Microsoft volume activation on the parent
virtual machine. The volume-activation technology requires a volume license key.
n
Disable Windows Hibernation in the Parent Virtual Machine on page 82
The Windows hibernation option creates a large system file that can increase the size of the linked-clone
OS disks that are created from the parent virtual machine. Disabling the hibernation option reduces the
size of linked-clones.
n
Configure a Parent Virtual Machine to Use Local Storage on page 83
When you prepare a parent virtual machine for View Composer, you can configure the parent virtual
machine and linked-clone desktops to store virtual-machine swap files on the local datastore. This
optional strategy lets you take advantage of local storage.
VMware, Inc. 79
Page 80
VMware Horizon View Administration
n
Keep a Record of the Parent Virtual Machine's Paging-File Size on page 84
you create a linked-clone pool, you can redirect the linked clones' guest OS paging and temp files
When
to a separate disk. You must configure this disk to be larger than the paging file in the guest OS.
n
Increase the Timeout Limit of QuickPrep Customization Scripts on page 84
View Composer terminates a QuickPrep post-synchronization or power-off script that takes longer than
20 seconds. You can increase the timeout limit for these scripts by changing the ExecScriptTimeout
Windows registry value on the parent virtual machine.
Prepare a Parent Virtual Machine
The View Composer service requires a parent virtual machine from which you generate a base image for
creating and managing linked-clone desktops.
Prerequisites
n
Verify that you prepared a virtual machine to use for deploying View desktops. See “Creating Virtual
Machines for View Desktop Deployment,” on page 59.
A parent virtual machine that you use for View Composer must either belong to the same Active Directory
domain as the domain that the linked-clone desktops will join or be a member of the local WORKGROUP.
IMPORTANT To use features that are supported in View Manager 4.5 or later, such as redirecting disposable
data to a separate disk and customizing linked-clone desktops with Sysprep, you must deploy the desktops
from a parent virtual machine on which View Agent 4.5 or later is installed.
You cannot use View Composer to deploy desktops that run Windows Vista Ultimate Edition or Windows
XP Professional SP1.
n
Verify
that the virtual machine was not converted from a View Composer linked clone. A virtual machine
that is converted from a linked clone has the clone's internal disk and state information. A parent virtual
machine cannot have state information.
IMPORTANT Linked clones and virtual machines that were converted from linked clones are not supported
as parent virtual machines.
n
If
the parent virtual machine runs Windows XP, and your Active Directory runs on Windows Server 2008,
apply an update patch on the Windows XP virtual machine. See the Microsoft Support Article 944043 at
the following location: http://support.microsoft.com/kb/944043/en-us.
If you do not install the Windows Server 2008 read-only domain controller (RODC) compatibility pack
for Windows XP, linked clones that are deployed from this parent virtual machine fail to join the domain.
n
When you install View Agent on the parent virtual machine, select the View Composer Agent option. See
“Install View Agent on a Virtual Machine,” on page 64.
To update View Agent in a large environment, you can use standard Windows update mechanisms such
as Altiris, SMS, LanDesk, BMC, or other systems management software. You can also use the recompose
operation to update View Agent.
NOTE Do not change the log on account for the VMware View Composer Guest Agent Server service in
a parent virtual machine. By default, this is the Local System account. If you change this account, the linked
clones created from the parent do not start.
n
To deploy desktops that run Windows 8, Windows 7, or Windows Vista, configure a volume license key
and activate the parent virtual machine's operating system with volume activation. See “Activating
Windows on Linked-Clone Desktops,” on page 82.
80 VMware, Inc.
Page 81
Chapter 4 Creating and Preparing Virtual Machines
n
If the parent virtual machine runs Windows 7 or Windows 8, verify that you followed the best practices
for optimizing the operating system. See “Optimizing Windows 7 and Windows 8 for Linked-Clone
Desktops,” on page 73.
n
Familiarize
yourself with the procedure for disabling searching Windows Update for device drivers. See
the Microsoft Technet article, "Disable Searching Windows Update for Device Drivers" at
http://technet.microsoft.com/en-us/library/cc730606(v=ws.10).aspx.
Procedure
n
Remove the DHCP lease on the parent virtual machine to avoid copying a leased IP address to the linked
clones in the pool.
a On the parent virtual machine, open a command prompt.
b Type the ipconfig /release command.
n
Verify that the system disk contains a single volume.
You cannot deploy linked clones from a parent virtual machine that contains more than one volume. The
View Composer service does not support multiple disk partitions. Multiple virtual disks are supported.
NOTE If the parent virtual machine contains multiple virtual disks, when you create a desktop pool, do
not select a drive letter for the View Composer persistent disk or disposable data disk that already exists
on the parent virtual machine or that conflicts with a drive letter that is used for a network-mounted drive.
n
Verify that the virtual machine does not contain an independent disk.
An
independent disk is excluded when you take a snapshot of the virtual machine. Linked clones that are
created or recomposed from the virtual machine will not contain the independent disk.
n
If you plan to configure disposable data disks when you create linked-clone desktops, remove default user
TEMP and TMP variables from the parent virtual machine.
You can also remove the pagefile.sys file to avoid duplicating the file on all the linked clones. If you leave
the pagefile.sys file on the parent virtual machine, a read-only version of the file is inherited by the linked
clones, while a second version of the file is used on the disposable data disk.
n
Disable the hibernation option to reduce the size of linked-clone OS disks that are created from the parent
virtual machine.
n
Before you take a snapshot of the parent virtual machine, disable searching Windows Update for device
drivers.
This Windows feature can interfere with the customization of linked-clone desktops. As each linked clone
is customized, Windows might search for the best drivers on the Internet for that clone, resulting in
repeated searches and customization delays.
n
In vSphere Client, disable the vApp Options setting on the parent virtual machine.
You can deploy a linked-clone pool from the parent virtual machine.
What to do next
Use vSphere Client to take a snapshot of the parent virtual machine in its powered-down state. This snapshot
is used as the baseline configuration for the first set of linked-clone desktops that are anchored to the parent
virtual machine.
IMPORTANT Before you take a snapshot, completely shut down the parent virtual machine by using the Shut
Down command in the guest operating system.
VMware, Inc. 81
Page 82
VMware Horizon View Administration
Activating Windows on Linked-Clone Desktops
To
make sure that View Composer properly activates Windows 8, Windows 7, and Windows Vista operating
systems on linked-clone desktops, you must use Microsoft volume activation on the parent virtual machine.
The volume-activation technology requires a volume license key.
To activate Windows 8, Windows 7 or Windows Vista with volume activation, you use Key Management
Service (KMS), which requires a KMS license key. See your Microsoft dealer to acquire a volume license key
and configure volume activation.
NOTE View Composer does not support Multiple Activation Key (MAK) licensing.
Before you create linked-clone desktops with View Composer, you must use volume activation to activate the
operating system on the parent virtual machine.
NOTE Windows XP desktops with volume licenses do not require an activation.
When a linked-clone desktop is created, and each time the linked clone is recomposed, the View Composer
agent uses the parent virtual machine's KMS server to activate the operating system on the linked clone.
The View Composer QuickPrep tool implements the activation through these steps:
1
Invokes a script to remove the existing license status on the linked-clone virtual machine
2 Restarts the guest operating system
3 Invokes a script that uses KMS licensing to activate the operating system on the clone.
Each time QuickPrep runs on a linked clone, the activation takes place.
For KMS licensing, View Composer uses the KMS server that is configured to activate the parent virtual
machine. The KMS server treats an activated linked clone as a computer with a newly issued license.
Disable Windows Hibernation in the Parent Virtual Machine
The Windows hibernation option creates a large system file that can increase the size of the linked-clone OS
disks that are created from the parent virtual machine. Disabling the hibernation option reduces the size of
linked-clones.
The Windows hibernation option creates a hidden system file, Hiberfil.sys. Windows uses this file to store a
copy of system memory on the hard disk when the hybrid sleep setting is turned on. When you create a linkedclone pool, the file is created on each linked clone's OS disk.
On Windows 7 or Windows 8 virtual machines, this file can be 10GB.
CAUTION
if the hybrid sleep setting is turned on and a power loss occurs.
Prerequisites
Familiarize yourself with the Windows hibernation feature. See the Microsoft Support Web site. For
information about disabling hibernation on Windows 8, Windows 7 or Windows Vista, see the Microsoft
Support Web site and search for how to disable and re-enable hibernation on a computer that is running
Windows.
When you make hibernation unavailable, the hybrid sleep setting does not work. Users can lose data
Procedure
1
In vSphere Client, select the parent virtual machine and select Open Console.
2 Log in to the Windows guest operating system as an administrator.
82 VMware, Inc.
Page 83
Chapter 4 Creating and Preparing Virtual Machines
3 Disable the hibernation option.
Operating System Action
Windows 8, Windows 7 or Windows
Vista
Windows XP
a Click Start and type cmd in the Start Search box.
the search results list, right-click Command Prompt and click Run as
b In
Administrator.
c At the User Account Control prompt, click Continue.
d At the command prompt, type powercfg.exe /hibernate off and
press Enter.
e Type exit and press Enter.
a Click Start > Run.
Type cmd and click OK.
b
c At the command prompt, type powercfg.exe /hibernate off and
press Enter.
d Type exit and press Enter.
Log out of the guest operating system.
4
When you create linked clone desktops from the parent virtual machine, the Hiberfil.sys file is not created
on the linked-clone OS disks.
Configure a Parent Virtual Machine to Use Local Storage
When you prepare a parent virtual machine for View Composer, you can configure the parent virtual machine
and linked-clone desktops to store virtual-machine swap files on the local datastore. This optional strategy lets
you take advantage of local storage.
In this procedure, you configure local storage for the virtual-machine swap files, not the paging and temp files
in the guest OS. When you create a linked-clone pool, you also can redirect guest OS paging and temp files to
a separate disk. See “Worksheet for Creating a Linked-Clone Desktop Pool,” on page 92.
Prerequisites
Prepare the parent virtual machine to meet the requirements of the View Composer service. See “Prepare a
Parent Virtual Machine,” on page 80.
Procedure
1 Configure a swapfile datastore on the ESX/ESXi host or cluster on which you will deploy the linked-clone
pool.
2 When you create the parent virtual machine in vCenter Server, store the virtual-machine swap files on the
swapfile datastore on the local ESX/ESXi host or cluster:
a In vSphere Client, select the parent virtual machine.
b Click Edit Settings and click the Options tab.
c Click Swapfile location and click Store in the host's swapfile datastore.
For detailed instructions, see the VMware vSphere documentation.
When you deploy a pool from this parent virtual machine, the linked-clone desktops use the local ESX host's
swapfile datastore.
VMware, Inc. 83
Page 84
VMware Horizon View Administration
Keep a Record of the Parent Virtual Machine's Paging-File Size
When you create a linked-clone pool, you can redirect the linked clones' guest OS paging and temp files to a
separate disk. You must configure this disk to be larger than the paging file in the guest OS.
When a linked clone that is configured with a separate disk for the disposable files is powered off, View
Manager
with the linked-clone pool. This feature can slow the growth of linked clones. However, this feature can work
only if you configure the disposable-file disk to be large enough to hold the guest OS's paging files.
Before you can configure the disposable-file disk, you must know the maximum paging-file size in the parent
virtual machine. The linked clones have the same paging-file size as the parent virtual machine from which
they are created.
As a best practice, you can remove the pagefile.sys file from the parent virtual machine before you take a
snapshot, to avoid duplicating the file on all the linked clones. See “Prepare a Parent Virtual Machine,” on
page 80.
NOTE This feature is not that same as configuring local storage for the virtual-machine swap files. See
“Configure a Parent Virtual Machine to Use Local Storage,” on page 83.
Procedure
replaces the temporary disk with a copy of the original temporary disk that View Composer created
1
In vSphere Client, right-click the parent virtual machine and click Open Console.
2 Select Start > Settings > Control Panel > System.
3 Click the Advanced tab.
4 In the Performance pane, click Settings.
5 Click the Advanced tab.
6 In the Virtual memory pane, click Change.
The Virtual Memory page appears.
7 Set the paging file size to a larger value than the size of the memory that is assigned to the virtual machine.
IMPORTANT If the Maximum size (MB) setting is smaller than the virtual-machine memory size, type a
larger value and save the new value.
8 Keep a record of the Maximum size (MB) setting that is configured in the Paging file size for selected
drive pane.
What to do next
When
you configure a linked-clone pool from this parent virtual machine, configure a disposable-file disk that
is larger than the paging-file size.
Increase the Timeout Limit of QuickPrep Customization Scripts
View Composer terminates a QuickPrep post-synchronization or power-off script that takes longer than 20
seconds. You can increase the timeout limit for these scripts by changing the ExecScriptTimeout Windows
registry value on the parent virtual machine.
The increased timeout limit is propagated to linked clones that are created from the parent virtual machine.
QuickPrep customization scripts can run on the linked clones for the time that you specify.
84 VMware, Inc.
Page 85
Chapter 4 Creating and Preparing Virtual Machines
Alternatively, you can use your customization script to launch another script or process that performs the longrunning task.
NOTE Most QuickPrep customization scripts can finish running within the 20-second limit. Test your scripts
before you increase the limit.
Prerequisites
n
Install View Agent with the View Composer Agent option on the parent virtual machine.
n
Verify that the parent virtual machine is prepared to create a linked-clone pool. See “Prepare a Parent
Virtual Machine,” on page 80.
Procedure
1
On the parent virtual machine, start the Windows Registry Editor.
a Select Start > Command Prompt.
b At the command prompt, type regedit.
2 In the Windows registry, locate the vmware-viewcomposer-ga registry key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga
3 Click Edit and modify the registry value.
Value Name: ExecScriptTimeout
Value Type: REG_DWORD
Value unit: milliseconds
The default value is 20000 milliseconds.
The timeout value is increased. You do not have to restart Windows for this value to take effect.
What to do next
Take a snapshot of the parent virtual machine and create a linked-clone pool.
Creating Virtual Machine Templates
You must create a virtual machine template before you can create an automated pool that contains full virtual
machines.
A virtual machine template is a master copy of a virtual machine that can be used to create and provision new
virtual machines. Typically, a template includes an installed guest operating system and a set of applications.
You create virtual machine templates in vSphere Client. You can create a virtual machine template from a
previously configured virtual machine, or you can convert a previously configured virtual machine to a virtual
machine template.
See the vSphere Basic System Administration guide for information on using vSphere Client to create virtual
machine templates. See “Automated Pools That Contain Full Virtual Machines,” on page 88 for information
on creating automated pools.
NOTE You do not create a linked-clone pool from a virtual machine template.
VMware, Inc. 85
Page 86
VMware Horizon View Administration
Creating Customization Specifications
Customization specifications are optional, but they can greatly expedite automated pool deployments by
providing
settings.
With customization specifications, you can customize View desktops as they are created in View
Administrator. You create new customization specifications by using the Customization Specification wizard
in vSphere Client. You can also use the Customization Specification wizard to import existing custom
sysprep.ini files.
See the vSphere Virtual Machine Administration document for information on using the Customization
Specification wizard.
Make sure that the customization specifications are accurate before you use them in View Administrator. In
vSphere Client, deploy and customize a virtual machine from your template using the customization
specifications. Fully test the virtual machine, including DHCP and authentication, before you create View
desktops.
NOTE To apply customization specifications to desktop pools that use Windows XP, you must install Microsoft
Sysprep tools on your vCenter Server machine.
You do not have to install Sysprep tools in vCenter Server for desktop pools that use Windows 8, Windows 7
or Vista. Sysprep tools are built into these operating systems.
configuration information for general properties such as licensing, domain attachment, and DHCP
When you use a Sysprep customization specification to join a Windows 8 or Windows 7 desktop to a domain,
you must use the fully qualified domain name (FQDN) of the Active Directory domain. You cannot use the
NetBIOS name of the Active Directory domain.
86 VMware, Inc.
Page 87
Creating Desktop Pools 5
With View Manager, you create pools of desktops that deliver View desktop access to clients. View Manager
deploys
machines that run on another virtualization platform, or physical computers, terminal servers, or blade PCs.
You can create several types of desktop pools. You can also provision an individual desktop by deploying a
manual pool with a single desktop source.
n
n
n
pools from desktop sources, which can be virtual machines that are managed by vCenter Server, virtual
Automated Pools That Contain Full Virtual Machines on page 88
To create an automated desktop pool, View Manager dynamically provisions desktops based on settings
that you apply to the pool. View Manager uses a virtual machine template as the desktop source for the
pool and creates a new virtual machine in vCenter Server for each desktop.
Linked-Clone Desktop Pools on page 92
To create a linked-clone desktop pool, View Composer generates linked-clone virtual machines from a
snapshot of a parent virtual machine. View Manager dynamically provisions the linked-clone desktops
based on settings that you apply to the pool.
Manual Desktop Pools on page 119
To create a manual desktop pool, View Manager provisions desktops from existing desktop sources. You
select a separate desktop source for each desktop in the pool.
n
Microsoft Terminal Services Pools on page 123
You can use Microsoft Terminal Servers to provide Terminal Services sessions as desktops to View clients.
View Manager manages Terminal Services sessions in the same way that it manages other View desktops.
n
Provisioning Desktop Pools on page 125
When you create a desktop pool, you select configuration options that determine how the pool is
managed and how users interact with the desktops.
n
Setting Power Policies for Desktop Pools on page 140
You can configure a power policy for the virtual machines in a desktop pool if the virtual machines are
managed by vCenter Server.
n
Configure View Storage Accelerator for Desktop Pools on page 145
You can configure desktop pools to enable ESXi hosts to cache virtual machine disk data. This feature,
called View Storage Accelerator, uses the Content Based Read Cache (CBRC) feature in ESXi hosts. View
Storage Accelerator can reduce IOPS and improve performance during boot storms, when many
desktops start up or run anti-virus scans at once. The feature is also beneficial when administrators or
users load applications or data frequently. To use this feature, you must make sure that View Storage
Accelerator is enabled for individual desktop pools.
VMware, Inc. 87
Page 88
VMware Horizon View Administration
n
Deploying Large Desktop Pools on page 147
many users require the same desktop image, you can create one large automated pool from a single
When
template or parent virtual machine. By using a single base image and pool name, you can avoid dividing
the desktops arbitrarily into smaller groups that must be managed separately. This strategy simplifies
your View deployment and administration tasks.
Automated Pools That Contain Full Virtual Machines
To create an automated desktop pool, View Manager dynamically provisions desktops based on settings that
you apply to the pool. View Manager uses a virtual machine template as the desktop source for the pool and
creates a new virtual machine in vCenter Server for each desktop.
Worksheet for Creating an Automated Pool That Contains Full Virtual Machines
When you create an automated desktop pool, the View Administrator Add Pool wizard prompts you to
configure certain options. Use this worksheet to prepare your configuration options before you create the pool.
You can print this worksheet and write down the values you want to specify when you run the Add Pool
wizard.
To create a linked-clone pool, see “Linked-Clone Desktop Pools,” on page 92.
Table 5-1. Worksheet: Configuration Options for Creating an Automated Pool That Contains Full Virtual
Machines
Option Description Fill In Your Value Here
User assignment Choose the type of user assignment:
n
In a dedicated-assignment pool, each user is
assigned to a desktop. Users receive the same
desktop each time they log in.
n
In a floating-assignment pool, users receive
different desktops each time they log in.
For details, see “User Assignment in Desktop
Pools,” on page 126.
Enable automatic assignment In a dedicated-assignment pool, a desktop is
assigned
pool. You can also explicitly assign desktops to
users.
If you do not enable automatic assignment, you
must explicitly assign a desktop to each user.
vCenter Server Select the vCenter Server that manages the virtual
machines in the pool.
Pool ID The unique name that identifies the pool in View
Administrator.
If multiple vCenter Servers are running in your
environment, make sure that another vCenter
Server is not using the same pool ID.
A View Connection Server configuration can be a
standalone View Connection Server instance or a
group
View LDAP configuration.
Display name The pool name that users see when they log in with
View
the pool ID is displayed to users.
to a user when the user first logs in to the
of replicated instances that share a common
Client. If you do not specify a display name,
88 VMware, Inc.
Page 89
Chapter 5 Creating Desktop Pools
Table 5-1. Worksheet: Configuration Options for Creating an Automated Pool That Contains Full Virtual
Machines (Continued)
Option Description Fill In Your Value Here
View Folder Select a View Folder in which to place the pool or
leave the pool in the default root folder.
If you use a View Folder, you can delegate
managing the pool to an administrator with a
specific role. For details, see “Using Folders to
Delegate Administration,” on page 40.
NOTE View folders are different than vCenter
folders that store desktop virtual machines.
Server
You select a vCenter Server folder later in the
wizard with other vCenter Server settings.
Delete desktop after logoff If you select floating user assignment, choose
whether to delete desktops after users log off.
NOTE You set this option on the Pool Settings
page.
Pool Settings Settings that determine the desktop state, power
status
when a virtual machine is not in use, display
protocol, Adobe Flash quality, and so on.
For descriptions, see “Desktop and Pool
Settings,” on page 132.
For a list of the settings that apply to automated
pools, see “Desktop Settings for Automated Pools
That Contain Full Virtual Machines,” on
page 91.
For more information about power policies and
automated pools, see “Setting Power Policies for
Desktop Pools,” on page 140.
Virtual machine naming Choose whether to provision desktops by
manually specifying a list of desktop names or by
providing a naming pattern and the total number
of desktops.
For details, see “Naming Desktops Manually or
Providing a Naming Pattern,” on page 126.
List of desktop names If you specify names manually, prepare a list of
desktop names and, optionally, the associated user
names.
Naming pattern If you use this naming method, provide the
pattern.
View Manager uses your pattern as a prefix in all
the desktop names and appends a unique number
to identify each desktop.
For details, see “Using a Naming Pattern for
Automated Desktop Pools,” on page 129.
Maximum number of desktops If you use a naming pattern, specify the total
number of desktops in the pool.
You can also specify a minimum number of
desktops to provision when you first create the
pool.
Number of spare (powered on)
desktops
If you specify names manually or use a naming
pattern, specify a number of desktops that View
Manager keeps available and powered on for new
users. For details, see “Naming Desktops
Manually or Providing a Naming Pattern,” on
page 126.
When you specify names manually, this option is
called # Unassigned desktops kept powered on.
VMware, Inc. 89
Page 90
VMware Horizon View Administration
Table 5-1. Worksheet: Configuration Options for Creating an Automated Pool That Contains Full Virtual
Machines (Continued)
Option Description Fill In Your Value Here
Minimum number of desktops If you use a naming pattern and provision
Template Select the virtual machine template that View
vCenter Server folder Select the folder in vCenter Server in which the
Host or cluster Select the ESX host or cluster on which the desktop
Resource pool Select the vCenter Server resource pool in which
Datastores Select one or more datastores on which to store the
Use View Storage Accelerator Determine whether ESXi hosts cache common
Guest customization Select a customization specification (SYSPREP)
desktops on demand, specify a minimum number
of desktops in the pool.
View Manager creates the minimum number of
desktops when you create the pool.
If you provision desktops on demand, View
Manager dynamically creates additional desktops
as users connect to the pool for the first time or as
you assign desktops to users.
Manager uses to create the pool.
desktop pool resides.
virtual machines run.
In vSphere 5.1 or later, you can select a cluster with
up to 32 ESXi hosts.
the desktop pool resides.
desktop pool.
For clusters, you can use shared or local datastores.
virtual machine disk data. View Storage
Accelerator can improve performance and reduce
the need for extra storage I/O bandwidth to
manage boot storms and anti-virus scanning I/O
storms.
This feature is supported on vSphere 5.0 and later.
This feature is enabled by default.
For details, see “Configure View Storage
Accelerator for Desktop Pools,” on page 145.
from the list to let View Manager configure
licensing, domain attachment, DHCP settings, and
other properties on the desktops.
Alternatively, you can customize the desktops
manually after View Manager creates them.
Create an Automated Pool That Contains Full Virtual Machines
You
can create an automated desktop pool based on a virtual machine template that you select. View Manager
dynamically deploys the desktops, creating a new virtual machine in vCenter Server for each desktop.
To create a linked-clone pool, see “Linked-Clone Desktop Pools,” on page 92.
Prerequisites
n
Prepare a virtual machine template that View Manager will use to create the desktops. View Agent must
be installed on the template. See Chapter 4, “Creating and Preparing Virtual Machines,” on page 59.
n
If you intend to use a customization specification, make sure that the specifications are accurate. In vSphere
Client, deploy and customize a virtual machine from your template using the customization specification.
Fully test the resulting virtual machine, including DHCP and authentication.
90 VMware, Inc.
Page 91
Chapter 5 Creating Desktop Pools
n
that you have a sufficient number of ports on the ESX virtual switch that is used for desktop virtual
Verify
machines. The default value might not be sufficient if you create large desktop pools. The number of virtual
switch ports on the ESX host must equal or exceed the number of desktop virtual machines multiplied by
the number of virtual NICs per virtual machine.
n
Gather the configuration information you must provide to create the pool. See “Worksheet for Creating
an Automated Pool That Contains Full Virtual Machines,” on page 88.
n
Decide how to configure power settings, display protocol, Adobe Flash quality, and other settings. See
“Desktop and Pool Settings,” on page 132.
n
If you intend to provide access to your desktops through Horizon Workspace, verify that you create the
desktop pools as a user with Administrators permissions on the root folder in View. If you give the user
Administrators permissions on a folder other than the root folder, Horizon Workspace will not recognize
the SAML Authenticator you configure in View, and you cannot configure the pool in
Horizon Workspace.
Procedure
1 In View Administrator, click Inventory > Pools.
2 Click Add.
3 Select Automated Pool.
4 On the vCenter Server page, choose Full virtual machines.
5 Follow the prompts in the wizard to create the pool.
Use the configuration information that you gathered in the worksheet. You can go directly back to any
wizard page that you completed by clicking the page name in the navigation panel.
In View Administrator, you can view the desktops as they are added to the pool by clicking Inventory >
Desktops.
What to do next
Entitle users to access the pool. See “Add Entitlements to Desktop Pools,” on page 149.
Desktop Settings for Automated Pools That Contain Full Virtual Machines
You must specify desktop and pool settings when you configure automated pools that contain full virtual
machines. Different settings apply to pools with dedicated user assignments and floating user assignments.
Table 5-2 lists the settings that apply to automated pools with dedicated assignments and floating assignments.
For descriptions of each desktop setting, see “Desktop and Pool Settings,” on page 132.
Table 5-2. Settings for Automated Pools That Contain Full Virtual Machines
Automated Pool, Dedicated
Setting
State Yes Yes
Connection Server restrictions Yes Yes
Remote desktop power policy Yes Yes
Automatic logoff after disconnect Yes Yes
Allow users to reset their desktops Yes Yes
Allow multiple sessions per user Yes
Delete desktop after logoff Yes
Default display protocol Yes Yes
Assignment
Automated Pool, Floating
Assignment
VMware, Inc. 91
Page 92
VMware Horizon View Administration
Table 5-2. Settings for Automated Pools That Contain Full Virtual Machines
Automated Pool, Dedicated
Setting
Allow users to choose protocol Yes Yes
3D Renderer Yes Yes
Max number of monitors Yes Yes
Max resolution of any one monitor Yes Yes
Adobe Flash quality Yes Yes
Adobe Flash throttling Yes Yes
Assignment
Linked-Clone Desktop Pools
To create a linked-clone desktop pool, View Composer generates linked-clone virtual machines from a
snapshot
on settings that you apply to the pool.
Because linked-clone desktops share a base system-disk image, they use less storage than full virtual machines.
Worksheet for Creating a Linked-Clone Desktop Pool
When you create a linked-clone desktop pool, the View Administrator Add Pool wizard prompts you to
configure certain options. Use this worksheet to prepare your configuration options before you create the pool.
of a parent virtual machine. View Manager dynamically provisions the linked-clone desktops based
(Continued)
Automated Pool, Floating
Assignment
You can print this worksheet and write down the values you want to specify when you run the Add Pool
wizard.
Before you create a linked-clone pool, you must use vCenter Server to take a snapshot of the parent virtual
machine that you prepare for the pool. You must shut down the parent virtual machine before you take the
snapshot. View Composer uses the snapshot as the base image from which the clones are created.
NOTE You cannot create a linked-clone pool from a virtual machine template.
Table 5-3. Worksheet: Configuration Options for Creating a Linked-Clone Desktop Pool
Option Description Fill In Your Value Here
User assignment Choose the type of user assignment:
n
In a dedicated-assignment pool, each user is
assigned to a desktop. Users receive the same
desktop each time they log in.
n
In a floating-assignment pool, users receive
different desktops each time they log in.
For details, see “User Assignment in Desktop
Pools,” on page 126.
Enable automatic assignment In a dedicated-assignment pool, a desktop is
assigned to a user when the user first logs in to the
pool. You can also explicitly assign desktops to
users.
If you do not enable automatic assignment, you
must explicitly assign a desktop to each user.
vCenter Server Select the vCenter Server that manages the virtual
machines in the pool.
92 VMware, Inc.
Page 93
Chapter 5 Creating Desktop Pools
Table 5-3. Worksheet: Configuration Options for Creating a Linked-Clone Desktop Pool
Option Description Fill In Your Value Here
Pool ID The unique name that identifies the pool in View
Administrator.
multiple View Connection Server configurations
If
are running in your environment, make sure that
another View Connection Server configuration is
not using the same pool ID.
A View Connection Server configuration can be a
standalone View Connection Server instance or a
group of replicated instances that share a common
View LDAP configuration.
Display name The pool name that users see when they log in with
View
Client. If you do not specify a display name,
the pool ID is displayed to users.
View Folder Select a View Folder in which to place the pool or
leave the pool in the default root folder.
If you use a View Folder, you can delegate
managing the pool to an administrator with a
specific role. For details, see “Using Folders to
Delegate Administration,” on page 40.
NOTE View folders are different than vCenter
Server folders that store desktop virtual machines.
You select a vCenter Server folder later in the
wizard with other vCenter Server settings.
Delete or refresh desktop on
logoff
Pool Settings Settings that determine the desktop state, power
Virtual machine naming Choose whether to provision desktops by
List of desktop names If you specify names manually, prepare a list of
Naming pattern If you use this naming method, provide the
If you select floating user assignment, choose
whether to refresh desktops, delete desktops, or do
nothing after users log off.
NOTE You set this option on the Pool Settings
page.
status when a virtual machine is not in use, display
protocol, Adobe Flash quality, and so on.
For descriptions, see “Desktop and Pool
Settings,” on page 132.
For a list of the settings that apply to linked-clone
pools, see “Desktop Settings for Linked-Clone
Desktop Pools,” on page 102.
For more information about power policies and
automated pools, see “Setting Power Policies for
Desktop Pools,” on page 140.
manually specifying a list of desktop names or by
providing a naming pattern and the total number
of desktops.
For details, see “Naming Desktops Manually or
Providing a Naming Pattern,” on page 126.
desktop names and, optionally, the associated user
names.
pattern.
View Manager uses your pattern as a prefix in all
the desktop names and appends a unique number
to identify each desktop.
For details, see “Using a Naming Pattern for
Automated Desktop Pools,” on page 129.
(Continued)
VMware, Inc. 93
Page 94
VMware Horizon View Administration
Table 5-3. Worksheet: Configuration Options for Creating a Linked-Clone Desktop Pool
(Continued)
Option Description Fill In Your Value Here
Max number of desktops If you use a naming pattern, specify the total
number of desktops in the pool.
You can also specify a minimum number of
desktops to provision when you first create the
pool.
Number of spare (powered on)
desktops
If you specify names manually or use a naming
pattern, specify a number of desktops that View
Manager
keeps available and powered on for new
users. For details, see “Naming Desktops
Manually or Providing a Naming Pattern,” on
page 126.
When you specify names manually, this option is
called # Unassigned desktops kept powered on.
Minimum number of ready
(provisioned) desktops during
View Composer maintenance
operations
If you specify names manually or use a naming
pattern, specify a minimum number of desktops
that are ready and provisioned while View
Composer operations take place.
This setting lets you keep desktops provisioned
and ready to accept connection requests from
users while View Composer refreshes,
recomposes, or rebalances the desktops in the
pool.
This value must be smaller than the Min number
of desktops, which you specify if you provision
desktops on demand.
See “Keeping Linked-Clone Desktops Provisioned
and Ready During View Composer Operations,”
on page 117.
Provision desktops on demand
or
Provision all desktops up front
If you use a naming pattern, choose whether to
provision all desktops when the pool is created or
provision desktops as they are needed.
n
Provision all desktops up front. When the
pool is created, View Manager provisions the
number of desktops you specify in Max
number of desktops.
n
Provision desktops on demand. When the
pool is created, View Manager creates the
number of desktops that you specify in Min
number of desktops. View Manager
dynamically creates additional desktops as
users connect to the pool for the first time or
as you assign desktops to users.
Min number of desktops If you use a naming pattern and provision
desktops on demand, specify a minimum number
of desktops in the pool.
View Manager creates the minimum number of
desktops when you create the pool. View Manager
maintains the minimum number of desktops even
when other settings such as Delete or refresh
desktop on logoff cause desktops to be deleted.
94 VMware, Inc.
Page 95
Chapter 5 Creating Desktop Pools
Table 5-3. Worksheet: Configuration Options for Creating a Linked-Clone Desktop Pool
Option Description Fill In Your Value Here
Redirect Windows profile to
persistent disks
Disk size and drive letter for
persistent disk
Disposable File Redirection Choose whether to redirect the guest OS's paging
Disk size and drive letter for
disposable file disk
Select separate datastores for
persistent and OS disks
If you select dedicated user assignments, choose
whether to store Windows user-profile data on a
separate View Composer persistent disk or the
same disk as the OS data.
Separate persistent disks let you preserve user
data and settings. View Composer refresh,
recompose,
persistent disks. You can detach a persistent disk
from a linked clone and recreate the linked-clone
desktop from the detached disk. For example,
when a desktop or pool is deleted, you can detach
the persistent disk and recreate the desktop,
preserving the original user data and settings.
If you store the Windows profile in the OS disk,
user data and settings are removed during refresh,
recompose, and rebalance operations.
If you store user profile data on a separate View
Composer
megabytes and the drive letter.
NOTE Do not select a drive letter that already exists
on the parent virtual machine or that conflicts with
a drive letter that is used for a network-mounted
drive.
and temp files to a separate, nonpersistent disk. If
you do, provide the disk size in megabytes.
With this configuration, when a linked clone is
powered off, View Manager replaces the
disposable-file disk with a copy of the original disk
that was created with the linked-clone pool.
Linked clones can increase in size as users interact
with their desktops. Disposable file redirection can
save storage space by slowing the growth of linked
clones.
If you redirect disposable files to a nonpersistent
disk, provide the disk size in megabytes and the
drive letter.
The disk size should be larger than page-file size
of the guest OS. To determine the page-file size,
see “Keep a Record of the Parent Virtual Machine's
Paging-File Size,” on page 84.
When you configure the disposable file disk size,
consider that the actual size of a formatted disk
partition is slightly smaller than the value you
provide in View Administrator.
You can select a drive letter for the disposable file
disk. The default value, Auto, directs View to
assign the drive letter.
NOTE Do not select a drive letter that already exists
on the parent virtual machine or that conflicts with
a drive letter that is used for a network-mounted
drive.
If you redirect user profiles to separate persistent
disks, you can store the persistent disks and OS
disks on different datastores.
and rebalance operations do not affect
persistent disk, provide the disk size in
(Continued)
VMware, Inc. 95
Page 96
VMware Horizon View Administration
Table 5-3. Worksheet: Configuration Options for Creating a Linked-Clone Desktop Pool
Option Description Fill In Your Value Here
Select separate datastores for
replica and OS disks
Parent virtual machine Select the parent virtual machine for the pool.
Default image (snapshot) Select the snapshot of the parent virtual machine
Publish base image to the Transfer
Server repository.
vCenter Server folder Select the folder in vCenter Server in which the
Host or cluster Select the ESX host or cluster on which the desktop
Resource pool Select the vCenter Server resource pool in which
You can store the replica (master) virtual machine
disk on a high performance datastore and the
linked clones on separate datastores.
For details, see “Storing View Composer Replicas
and Linked Clones on Separate Datastores,” on
page 113.
If you store replicas and OS disks on separate
datastores, native NFS snapshots cannot be used.
Native cloning on a NAS device can only take
place if the replica and OS disks are stored on the
same datastores.
To use features that are supported in View
Manager 4.5 or later, such as redirecting
disposable
the linked clones with Sysprep, you must select a
parent virtual machine on which View Agent 4.5
or later is installed.
NOTE You cannot use View Composer to deploy
desktops that run Windows Vista Ultimate Edition
or Windows XP Professional SP1.
to use as the base image for the pool.
Do not delete the snapshot and parent virtual
machine from vCenter Server, unless no linked
clones in the pool use the default image, and no
more linked clones will be created from this
default image. View Manager requires the parent
virtual machine and snapshot to provision new
linked clones in the pool, according to pool
policies. The parent virtual machine and snapshot
are also required for View Composer maintenance
operations.
Select this option if you use the pool to provision
local desktops. When a local desktop is
provisioned, View Transfer Server downloads the
base image from the Transfer Server repository to
the client.
You can also publish the base image after you
create the pool.
desktop pool resides.
virtual machines run.
In vSphere 5.1 or later, you can select a cluster with
up to 32 ESXi hosts if the replicas are stored on
VMFS5 or later datastores or NFS datastores. If
you store replicas on a VMFS version earlier than
VMFS5, a cluster can have at most eight hosts.
In vSphere 5.0, you can select a cluster with more
than eight ESXi hosts if the replicas are stored on
NFS datastores. If you store replicas on VMFS
datastores, a cluster can have at most eight hosts.
See “Configuring Pools on Clusters With More
Than Eight Hosts,” on page 147.
the desktop pool resides.
data to a separate disk and customizing
(Continued)
96 VMware, Inc.
Page 97
Chapter 5 Creating Desktop Pools
Table 5-3. Worksheet: Configuration Options for Creating a Linked-Clone Desktop Pool
Option Description Fill In Your Value Here
Select Datastores Select one or more datastores on which to store the
desktop pool.
A table on the Select Datastores page of the Add
Pool wizard provides high-level guidelines for
estimating the pool's storage requirements. These
guidelines can help you determine which
datastores are large enough to store the linkedclone disks. For details, see “Storage Sizing for
Linked-Clone Desktop Pools,” on page 106.
You can use shared or local datastores for an
individual
local datastores in an ESXi cluster, you must
consider the vSphere infrastructure constraints
that are imposed on your desktop deployment. See
“Storing Linked-Clone Desktops on Local
Datastores,” on page 112.
In vSphere 5.1 or later, a cluster can have more than
eight ESXi hosts if the replicas are stored on
datastores that are VMFS5 or later or NFS. In
vSphere 5.0, a cluster can have more than eight
ESXi hosts only if the replicas are stored on NFS
datastores. See “Configuring Pools on Clusters
With More Than Eight Hosts,” on page 147.
For more information about the disks that are
created for linked clones, see “Linked-Clone
Desktop Data Disks,” on page 119.
Storage Overcommit Determine the storage-overcommit level at which
View Manager creates linked-clone desktops on
each datastore.
As the level increases, more linked clones fit on the
datastore and less space is reserved to let
individual clones grow. A high storageovercommit level lets you create linked clones that
have a total logical size larger than the physical
storage limit of the datastore. For details, see “Set
the Storage Overcommit Level for Linked-Clone
Desktops,” on page 110.
Use View Storage Accelerator Determine whether to use View Storage
Accelerator, which allows ESXi hosts to cache
common virtual machine disk data. View Storage
Accelerator can improve performance and reduce
the need for extra storage I/O bandwidth to
manage boot storms and anti-virus scanning I/O
storms.
This feature is supported on vSphere 5.0 and later.
This feature is enabled by default.
For details, see “Configure View Storage
Accelerator for Desktop Pools,” on page 145.
ESXi host or for ESXi clusters. If you use
(Continued)
VMware, Inc. 97
Page 98
VMware Horizon View Administration
Table 5-3. Worksheet: Configuration Options for Creating a Linked-Clone Desktop Pool
Option Description Fill In Your Value Here
Use native NFS snapshots (VAAI)
- Tech Preview
Reclaim VM disk space Determine whether to allow ESXi hosts to reclaim
Initiate reclamation when unused
space on VM exceeds:
Blackout Times Configure days and times during which View
If your deployment includes NAS devices that
support the vStorage APIs for Array Integration
(VAAI), you can use native snapshot technology
to clone virtual machines.
Native NFS snapshot technology (VAAI) is
NOTE
a Tech Preview feature. The feature is available for
you to try out, but it is not recommended for
production use and no support is provided.
You can use this feature only if you select
datastores that reside on NAS devices that support
native cloning operations through VAAI.
You cannot use this feature if you store replicas
and OS disks on separate datastores. You cannot
use this feature in a pool that is enabled for View
Storage Accelerator or virtual machine disk space
reclamation.
This feature is supported on vSphere 5.0 and later.
For details, see “Using View Composer Array
Integration with Native NFS Snapshot Technology
(VAAI),” on page 114.
unused
disk space on linked clones that are created
in space-efficient disk format. The space
reclamation feature reduces the total storage space
required for linked-clone desktops.
This feature is supported on vSphere 5.1 and later.
The linked-clone virtual machines must be virtual
hardware version 9 or later.
For details, see “Reclaim Disk Space on Linked-
Clone Desktops,” on page 115.
Type the minimum amount of unused disk space,
in gigabytes, that must accumulate on a linkedclone OS disk to trigger space reclamation. When
the unused disk space exceeds this threshold,
View initiates the operation that directs the ESXi
host to reclaim space on the OS disk.
This value is measured per virtual machine. The
unused disk space must exceed the specified
threshold on an individual virtual machine before
View starts the space reclamation process on that
machine.
For example: 2 GB.
The default value is 1 GB.
Storage Accelerator regeneration and the
reclamation of virtual machine disk space do not
take place.
To ensure that ESXi resources are dedicated to
foreground
the ESXi hosts from performing these operations
during specified periods of time on specified days.
For details, see “Set Blackout Times for ESXi
Operations on View Desktops,” on page 116.
tasks when necessary, you can prevent
(Continued)
98 VMware, Inc.
Page 99
Chapter 5 Creating Desktop Pools
Table 5-3. Worksheet: Configuration Options for Creating a Linked-Clone Desktop Pool
Option Description Fill In Your Value Here
Active Directory domain Select the Active Directory domain and user name.
Composer requires certain user privileges to
View
create a linked-clone pool. The domain and user
account are used by QuickPrep or Sysprep to
customize the linked-clone desktops. For details,
see “Create a User Account for View Composer,”
on page 15.
You specify this user when you configure View
Composer settings for vCenter Server. For details,
see “Configure View Composer Settings,” on
page 17. You can specify multiple domains and
users when you configure View Composer
settings. When you use the Add Pool wizard to
create a pool, you must select one domain and user
from the list.
Active Directory container Provide the Active Directory container relative
distinguished name.
For example: CN=Computers
When you run the Add Pool wizard, you can
browse your Active Directory tree for the
container.
Use QuickPrep or a customization
specification (Sysprep)
Power-off script QuickPrep can run a customization script on
Choose whether to use QuickPrep or select a
customization specification (Sysprep) to let View
Manager configure licensing, domain attachment,
DHCP settings, and other properties on the
desktops.
Sysprep is supported for linked clones only on
vSphere 4.1 or later software.
After you use QuickPrep or Sysprep when you
create a pool, you cannot switch to the other
customization method later on, when you create
or recompose desktops in the pool.
For details, see “Choosing QuickPrep or Sysprep
to Customize Linked-Clone Desktops,” on
page 103.
linked-clone desktops before they are powered off.
Provide the path to the script on the parent virtual
machine.
(Continued)
VMware, Inc. 99
Page 100
VMware Horizon View Administration
Table 5-3. Worksheet: Configuration Options for Creating a Linked-Clone Desktop Pool
Option Description Fill In Your Value Here
Post synchronization script QuickPrep can run a customization script on
linked-clone desktops after they are created,
recomposed, and refreshed.
the path to the script on the parent virtual
Provide
machine.
Allow reuse of pre-existing
computer accounts
Select this option to use existing computer
accounts in Active Directory for linked clones that
are provisioned by View Composer. This option
lets you control the computer accounts that are
created in Active Directory.
When a linked clone is provisioned, if an existing
AD computer account name matches the linked
clone desktop name, View Composer uses the
existing computer account. Otherwise, a new
computer account is created.
The existing computer accounts must be located in
the Active Directory container that you specify
with the Active Directory container setting.
When this option is disabled, a new AD computer
account is created when View Composer
provisions a linked clone. This option is disabled
by default.
For details, see “Use Existing Active Directory
Computer Accounts for Linked Clones,” on
page 117.
(Continued)
Create a Linked-Clone Desktop Pool
You
can create an automated, linked-clone desktop pool based on a parent virtual machine that you select. The
View Composer service dynamically creates a new linked-clone virtual machine in vCenter Server for each
desktop.
To create an automated pool that contains full virtual machines, see “Automated Pools That Contain Full
Virtual Machines,” on page 88.
Prerequisites
n
Verify that the View Composer service is installed, either on the same host as vCenter Server or on a
separate host, and that a View Composer database is configured. See the VMware Horizon View
Installation document.
n
Verify that View Composer settings for vCenter Server are configured in View Administrator. See
“Configure View Composer Settings,” on page 17.
n
Verify that you have a sufficient number of ports on the ESX virtual switch that is used for desktop virtual
machines. The default value might not be sufficient if you create large desktop pools. The number of virtual
switch ports on the ESX host must equal or exceed the number of desktop virtual machines multiplied by
the number of virtual NICs per virtual machine.
n
Verify that you prepared a parent virtual machine. View Agent must be installed on the parent virtual
machine. See Chapter 4, “Creating and Preparing Virtual Machines,” on page 59.
n
Take a snapshot of the parent virtual machine in vCenter Server. You must shut down the parent virtual
machine before you take the snapshot. View Composer uses the snapshot as the base image from which
the clones are created.
NOTE You cannot create a linked-clone pool from a virtual machine template.
100 VMware, Inc.
Loading...