VMware Horizon View - 5.2 Administrator’s Guide

VMware Horizon View Administration

View Manager 5.2

View Composer 5.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-001024-00

VMware Horizon View Administration

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

Copyright © 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

VMware Horizon View Administration

Configuring View Connection Server 11

Using View Administrator 11

Configuring vCenter Server and View Composer

Backing Up View Connection Server 26

Configuring Settings for Client Sessions 26

Disable or Enable View Connection Server 35

Edit the External URLs 35

Join or Withdraw from the Customer Experience Program 36

View LDAP Directory 36

Configuring Role-Based Delegated Administration 39

Understanding Roles and Privileges 39

Using Folders to Delegate Administration 40

Understanding Permissions 41

Manage Administrators 42

Manage and Review Permissions 43

Manage and Review Folders 45

Manage Custom Roles 47

Predefined Roles and Privileges 48

Required Privileges for Common Tasks 51

Best Practices for Administrator Users and Groups 53

Preparing Unmanaged Desktop Sources 55

Prepare an Unmanaged Desktop Source for View Desktop Deployment 55

Install View Agent on an Unmanaged Desktop Source 55

Creating and Preparing Virtual Machines 59

Creating Virtual Machines for View Desktop Deployment 59

Install View Agent on a Virtual Machine 64

Install View Agent Silently 66

Configure a Virtual Machine with Multiple NICs for View Agent 70

Optimize Windows Guest Operating System Performance 70

Optimize Windows 7 and Windows 8 Guest Operating System Performance 71

Optimizing Windows 7 and Windows 8 for Linked-Clone Desktops 73

Preparing Virtual Machines for View Composer 79

Creating Virtual Machine Templates 85

Creating Customization Specifications 86

VMware, Inc. 3

VMware Horizon View Administration

Creating Desktop Pools 87

Automated Pools That Contain Full Virtual Machines 88

Linked-Clone Desktop Pools

Manual Desktop Pools 119

Microsoft Terminal Services Pools 123

Provisioning Desktop Pools 125

Setting Power Policies for Desktop Pools 140

Configure View Storage Accelerator for Desktop Pools 145

Deploying Large Desktop Pools 147

Entitling Users and Groups 149

Add Entitlements to Desktop Pools 149

Remove Entitlements from a Desktop Pool 149

Review Desktop Pool Entitlements 150

Restricting View Desktop Access 150

Setting Up User Authentication 155

Using SAML 2.0 Authentication 155

Using Smart Card Authentication 157

Using Smart Card Certificate Revocation Checking 165

Using Two-Factor Authentication 168

Using the Log In as Current User Feature Available with Windows-Based View Client 172

Allow Users to Save Credentials 173

Configuring Policies 175

Setting Policies in View Administrator 175

Using Active Directory Group Policies 179

Using the View Group Policy Administrative Template Files 180

Setting Up Location-Based Printing 218

Using Terminal Services Group Policies 221

Active Directory Group Policy Example 222

Configuring User Profiles with View Persona Management 227

Providing User Personas in View 227

Using View Persona Management with Standalone Systems 228

Migrating User Profiles with View Persona Management 229

Persona Management and Windows Roaming Profiles 231

Configuring a View Persona Management Deployment 232

Best Practices for Configuring a View Persona Management Deployment 240

View Persona Management Group Policy Settings 243

Managing Linked-Clone Desktops 251

Reduce Linked-Clone Size with Desktop Refresh 251

Update Linked-Clone Desktops 253

Rebalance Linked-Clone Desktops 257

Manage View Composer Persistent Disks 260

4 VMware, Inc.

Managing Desktops and Desktop Pools 265

Managing Desktop Pools 265

Reducing Adobe Flash Bandwidth

Managing Virtual-Machine Desktops 272

Export View Information to External Files 278

271

Contents

Managing Physical Computers and Terminal Servers 281

Add an Unmanaged Desktop Source to a Pool 281

Remove an Unmanaged Desktop Source from a Pool 282

Delete a Pool That Contains Unmanaged Desktops 282

Unregister an Unmanaged Desktop Source 283

Desktop Status of Physical Computers and Terminal Servers 283

Managing ThinApp Applications in View Administrator 285

View Requirements for ThinApp Applications 285

Capturing and Storing Application Packages 286

Assigning ThinApp Applications to Desktops and Pools 289

Maintaining ThinApp Applications in View Administrator 296

Monitoring and Troubleshooting ThinApp Applications in View Administrator 299

ThinApp Configuration Example 302

Managing Local Desktops 303

Benefits of Using View Desktops in Local Mode 303

Managing View Transfer Server 309

Managing the Transfer Server Repository 313

Managing Data Transfers 319

Configure Security and Optimization for Local Desktop Operations 323

Configuring Endpoint Resource Usage 328

Configuring an HTTP Cache to Provision Local Desktops Over a WAN 332

Configuring the Heartbeat Interval for Local Desktop Client Computers 336

Manually Downloading a Local Desktop to a Location with Poor Network Connections 337

Troubleshooting View Transfer Server and Local Desktop Operations 340

Maintaining View Components 351

Backing Up and Restoring View Configuration Data 351

Monitor View Components 358

Monitor Desktop Status 358

Understanding View Manager Services 359

Add Licenses to VMware Horizon View 361

Update General User Information from Active Directory 361

Migrate View Composer to Another Computer 362

Update the Certificates on a View Connection Server Instance, Security Server, or View Composer 367

Information Collected by the Customer Experience Improvement Program 368

Troubleshooting View Components 379

Monitoring System Health 380

Monitor Events in View Manager 380

Send Messages to Desktop Users 381

VMware, Inc. 5

VMware Horizon View Administration

Display Desktops with Suspected Problems 381

Troubleshoot a Problem Desktop Virtual Machine Using the vSphere Web Client

Manage Desktops and Policies for Unentitled Users 383

Collecting Diagnostic Information for VMware Horizon View 383

Update Support Requests 387

Troubleshooting Network Connection Problems 388

Troubleshooting Desktop Pool Creation Problems 391

Troubleshooting an Unsuccessful Security Server Pairing with View Connection Server 395

Troubleshooting View Server Certificate Revocation Checking 395

Troubleshooting Smart Card Certificate Revocation Checking 396

Troubleshooting USB Redirection Problems 397

Troubleshooting Desktops That Are Repeatedly Deleted and Recreated 398

Troubleshooting QuickPrep Customization Problems 399

View Composer Provisioning Errors 400

Removing Orphaned or Deleted Linked Clones 401

Finding and Unprotecting Unused View Composer Replicas 402

Windows XP Linked Clones Fail to Join the Domain 404

Troubleshooting GINA Problems on Windows XP Desktops 404

Further Troubleshooting Information 405

382

Using the vdmadmin Command 407

vdmadmin Command Usage 409

Configuring Logging in View Agent Using the -A Option 411

Overriding IP Addresses Using the -A Option 413

Setting the Name of a View Connection Server Group Using the -C Option 414

Updating Foreign Security Principals Using the -F Option 414

Listing and Displaying Health Monitors Using the -H Option 415

Listing and Displaying Reports of View Manager Operation Using the -I Option 416

Generating View Event Log Messages in Syslog Format Using the -I Option 417

Assigning Dedicated Desktops Using the -L Option 418

Displaying Information About Machines Using the -M Option 419

Reclaiming Disk Space on Virtual Machines Using the -M Option 420

Configuring Domain Filters Using the -N Option 421

Configuring Domain Filters 423

Displaying the Desktops and Policies of Unentitled Users Using the -O and -P Options 427

Configuring Clients in Kiosk Mode Using the -Q Option 428

Displaying the First User of a Desktop Using the -R Option 432

Removing the Entry for a View Connection Server Instance or Security Server Using the -S Option 432

Setting the Split Limit for Publishing View Transfer Server Packages Using the -T Option 433

Displaying Information About Users Using the -U Option 434

Decrypting the Virtual Machine of a Local Desktop Using the -V Option 434

Recovering a Local Desktop by Using the -V Option When the Desktop Was Modified in the

Datacenter 435

Unlocking or Locking Virtual Machines Using the -V Option 437

Detecting and Resolving LDAP Entry Collisions Using the -X Option 438

Setting Up Clients in Kiosk Mode 439

Configure Clients in Kiosk Mode 439

6 VMware, Inc.

Index 449

Contents

VMware, Inc. 7

VMware Horizon View Administration

8 VMware, Inc.

VMware Horizon View Administration

VMware Horizon View Administration describes how to configure and administer VMware Horizon View™, including how to configure View Connection Server, create administrators, provision and deploy View desktops, Administrator. This information also describes how to maintain and troubleshoot VMware Horizon View components.

Intended Audience

This information is intended for anyone who wants to configure and administer VMware Horizon View. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

set up user authentication, configure policies, and manage VMware ThinApp™ applications in View

VMware, Inc. 9

VMware Horizon View Administration

10 VMware, Inc.

Configuring View Connection Server 1

After you install and perform initial configuration of View Connection Server, you can add vCenter Server instances and schedule backups of your configuration data.

This chapter includes the following topics:

Using View Administrator

and View Composer services to View Manager, set up roles to delegate administrator responsibilities,

“Using View Administrator,” on page 11

“Configuring vCenter Server and View Composer,” on page 14

“Backing Up View Connection Server,” on page 26

“Configuring Settings for Client Sessions,” on page 26

“Disable or Enable View Connection Server,” on page 35

“Edit the External URLs,” on page 35

“Join or Withdraw from the Customer Experience Program,” on page 36

“View LDAP Directory,” on page 36

View Administrator is the Web interface through which you configure View Connection Server and manage your View desktops.

For a comparison of the operations that you can perform with View Administrator, View cmdlets, and

vdmadmin, see the VMware Horizon View Integration document.

View Administrator and View Connection Server

View Administrator provides a management interface for View Manager.

Depending on your View deployment, you use one or more View Administrator interfaces.

Use one View Administrator interface to manage the View components that are associated with a single, standalone View Connection Server instance or a group of replicated View Connection Server instances.

You can use the IP address of any replicated instance to log in to View Administrator.

You must use a separate View Administrator interface to manage the View components for each single, standalone View Connection Server instance and each group of replicated View Connection Server instances.

VMware, Inc. 11

VMware Horizon View Administration

You also use View Administrator to manage security servers and View Transfer Server instances associated with View Connection Server.

Each security server is associated with one View Connection Server instance.

Each View Transfer Server instance can communicate with any View Connection Server instance in a group of replicated instances.

Log In to View Administrator

perform initial configuration tasks, you must log in to View Administrator. You access View Administrator

by using a secure (SSL) connection.

Prerequisites

Verify that View Connection Server is installed on a dedicated computer.

Verify that you are using a Web browser supported by View Administrator. For View Administrator requirements, see the VMware Horizon View Installation document.

Procedure

1 Open your Web browser and enter the following URL, where server is the host name of the View

Connection Server instance.

https://

server

/admin

NOTE You can use the IP address if you have to access a View Connection Server instance when the host name is not resolvable. However, the host that you contact will not match the SSL certificate that is configured for the View Connection Server instance, resulting in blocked access or access with reduced security.

Your access to View Administrator depends on the type of certificate that is configured on the View Connection Server computer.

Option Description

You configured a certificate signed by

a CA for View Connection Server.

The default, self-signed certificate supplied with View Connection Server is configured.

When you first connect, your Web browser displays View Administrator.

When you first connect, your Web browser might display a page warning that the security certificate associated with the address is not issued by a trusted certificate authority.

Click Ignore to continue using the current SSL certificate.

You specify the View Administrators account when you install a standalone View Connection Server instance or the first View Connection Server instance in a replicated group. The View Administrators account can be the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer or a domain user or group account.

After you log in to View Administrator, you can use View Configuration > Administrators to change the list of users and groups that have the View Administrators role.

12 VMware, Inc.

Chapter 1 Configuring View Connection Server

Tips for Using the View Administrator Interface

You can use View Administrator user-interface features to navigate View Pages and to find, filter, and sort View objects.

View

Administrator includes many common user interface features. For example, the navigation pane on the left side of each page directs you to other View Administrator pages. The search filters let you select filtering criteria that are related to the objects you are searching for.

Table 1-1 describes a few additional features that can help you to use View Administrator.

Table 1-1. View Administrator Navigation and Display Features

View Administrator Feature Description

Navigating backward and forward in View Administrator pages

Bookmarking View Administrator pages You can bookmark View Administrator pages in your browser.

Multicolumn sorting You can sort View objects in a variety of ways by using multicolumn sorting.

Customizing table columns You can customize the display of View Administrator table columns by hiding

Click your browser's Back button to go to the previously displayed View Administrator page. Click the Forward button to return to the current page.

you click the browser's Back button while you are using a View Administrator

If wizard or dialog box, you return to the main View Administrator page. The information you entered in the wizard or dialog is lost.

In View versions that preceded the View 5.1 release, you could not use your browser's Back and Forward buttons to navigate within View Administrator. Separate Back and Forward buttons in the View Administrator window were provided for navigation. These buttons are removed in the View 5.1 release.

Click a heading in the top row of a View Administrator table to sort the View objects in alphabetical order based on that heading.

For example, in the Inventory > Desktops page, you can click Pool to sort desktops by the pools that contain them.

The number 1 appears next to the heading to indicate that it is the primary sorting column. You can click the heading again to reverse the sorting order, indicated by an up or down arrow.

To sort the View objects by a secondary item, Ctrl+click another heading.

For

example, in the Desktops table, you can click Users to perform a secondary

sort by users to whom the desktops are dedicated. A number 2 appears next to the secondary heading. In this example, desktops are sorted by pool and by users within each pool.

You can continue to Ctrl+click to sort all the columns in a table in descending order of importance.

Press Ctrl+Shift and click to deselect a sort item.

For example, you might want to display the desktops in a pool that are in a particular state and are stored on a particular datastore. You can click

Inventory > Pools, double-click the pool ID, click the Inventory tab, click the Datastore heading, and Ctrl+click the Status heading.

selected columns and locking the first column. This feature lets you control the display of large tables such as Inventory > Desktops that contain many columns.

Right-click any column header to display a context menu that lets you take the following actions:

Hide the selected column.

Customize columns. A dialog displays all columns in the table. You can select the columns to display or hide.

Lock the first column. This option forces the left-hand column to remain displayed as you scroll horizontally across a table with many columns. For example, on the Inventory > Desktops page, the desktop ID remains displayed as you scroll horizontally to see other desktop characteristics.

Your customized settings persist while you remain on the current View Administrator page. The settings do not persist if you navigate to another page.

VMware, Inc. 13

VMware Horizon View Administration

Table 1-1. View Administrator Navigation and Display Features

View Administrator Feature Description

Selecting View objects and displaying View object details

Expanding dialog boxes to view details You can expand View Administrator dialog boxes to view details such as

Displaying context menus for View objects

In View Administrator tables that list View objects, you can select an object or display object details.

select an object, click anywhere in the object's row in the table. At the top

To of the page, menus and commands that manage the object become active.

To display object details, double-click the left cell in the object's row. A new page displays the object's details.

For example, on the Inventory > Pools page, click anywhere in an individual pool's row to activate commands that affect the pool.

Double-click the Pool ID cell in the left column to display a new page that contains details about the pool.

desktop names and user names in table columns.

To expand a dialog box, place your mouse over the dots in the lower right corner of the dialog box and drag the corner.

You can right-click View objects in View Administrator tables to display context menus. A context menu gives you access to the commands that operate on the selected View object.

For example, in the Inventory > Pools page, you can right-click a desktop pool to display commands such as Add, Edit, Delete, Disable (or Enable) Provisioning, and so on.

(Continued)

Troubleshooting the Text Display in View Administrator

If your Web browser runs on a non-Windows operating system such as Linux, UNIX, or Mac OS, the text in View Administrator does not display properly.

Problem

The text in the View Administrator interface is garbled. For example, spaces occur in the middle of words.

Cause

View Administrator requires Microsoft-specific fonts.

Solution

Install Microsoft-specific fonts on your computer.

Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from independent Web sites.

Configuring vCenter Server and View Composer

use virtual machines as desktop sources, you must configure View Manager to communicate with vCenter Server. To create and manage linked-clone desktops, you must configure View Composer settings in View Manager.

You can also configure storage settings for View. You can allow ESXi hosts to reclaim disk space on linkedclone virtual machines. To allow ESXi hosts to cache virtual machine data, you must enable View Storage Accelerator for vCenter Server.

14 VMware, Inc.

Chapter 1 Configuring View Connection Server

Create a User Account for View Composer

If you use View Composer, you must create a user account in Active Directory to use with View Composer. View Composer requires this account to join linked-clone desktops to your Active Directory domain.

To ensure security, you should create a separate user account to use with View Composer. By creating a separate account, you can guarantee that it does not have additional privileges that are defined for another purpose. in a specified Active Directory container. For example, the View Composer account does not require domain administrator privileges.

Procedure

1 In Active Directory, create a user account in the same domain as your View Connection Server host or in

2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to

You can give the account the minimum privileges that it needs to create and remove computer objects

a trusted domain.

the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.

The following list shows all the required permissions for the user account, including permissions that are assigned by default:

List Contents

Read All Properties

Write All Properties

Read Permissions

Reset Password

Create Computer Objects

Delete Computer Objects

NOTE If you select the Allow reuse of pre-existing computer accounts setting for a desktop pool, you only need to add the following permissions:

List Contents

Read All Properties

Read Permissions

Reset Password

3 Make sure that the user account's permissions apply to the Active Directory container and to all child

objects of the container.

What to do next

Specify

the account in View Administrator when you configure View Composer for vCenter Server and when

you configure and deploy linked-clone desktop pools.

Add vCenter Server Instances to View Manager

You must configure View Manager to connect to the vCenter Server instances in your View deployment. vCenter Server creates and manages the virtual machines that View Manager uses as desktop sources.

If you run vCenter Server instances in a Linked Mode group, you must add each vCenter Server instance to View Manager separately.

View Manager connects to the vCenter Server instance using a secure channel (SSL).

VMware, Inc. 15

VMware Horizon View Administration

Prerequisites

Install the View Connection Server product license key.

Prepare a vCenter Server user with permission to perform the operations in vCenter Server that are necessary

to support View Manager. To use View Composer, you must give the user additional privileges. To manage desktops that are used in local mode, you must give the user privileges in addition to those that are required for View Manager and View Composer.

For details about configuring a vCenter Server user for View Manager, see the VMware Horizon View Installation document.

Verify that an SSL server certificate is installed on the vCenter Server host. In a production environment, install a valid SSL certificate that is signed by a trusted Certificate Authority (CA).

In a testing environment, you can use the default certificate that is installed with vCenter Server, but you must accept the certificate thumbprint when you add vCenter Server to View.

Verify that all View Connection Server instances in the replicated group trust the root CA certificate for the server certificate that is installed on the vCenter Server host. Check if the root CA certificate is in the Trusted Root Certification Authorities > Certificates folder in the Windows local computer certificate stores on the View Connection Server hosts. If it is not, import the root CA certificate into the Windows local computer certificate stores.

See "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store" in the VMware Horizon View Installation document.

Verify that the vCenter Server instance contains ESXi hosts. If no hosts are configured in the vCenter Server instance, you cannot add the instance to View.

Familiarize yourself with the settings that determine the maximum operations limits for vCenter Server and View Composer. See “Concurrent Operations Limits for vCenter Server and View Composer,” on page 21 and “Setting a Concurrent Power Operations Rate to Support View Desktop Logon Storms,” on page 22.

Procedure

1 In View Administrator, click View Configuration > Servers.

2 In the vCenter Servers tab, click Add.

3 In the vCenter Server Settings server address text box, type the fully qualified domain name (FQDN) of

the vCenter Server instance.

The FQDN includes the host name and domain name. For example, in the FQDN

myserverhost.companydomain

.com,

myserverhost

is the host name and

companydomain

.com is the domain.

NOTE If you enter a server by using a DNS name or URL, View Manager does not perform a DNS lookup to verify whether an administrator previously added this server to View Manager by using its IP address. A conflict arises if you add a vCenter Server with both its DNS name and its IP address.

4 Type the name of the vCenter Server user.

For example: domain\user or user@domain.com

Type the vCenter Server user password.

6 (Optional) Type a description for this vCenter Server instance.

7 Type the TCP port number.

The default port is 443.

8 Under Advanced Settings, set the concurrent operations limits for vCenter Server and View Composer

operations.

16 VMware, Inc.

Chapter 1 Configuring View Connection Server

9 Click Next to display the View Composer Settings page.

What to do next

Configure View Composer settings.

If the vCenter Server instance is configured with a signed SSL certificate, and View Connection Server trusts the root certificate, the Add vCenter Server wizard displays the View Composer Settings page.

If the vCenter Server instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL

Certificate,” on page 23.

View Manager uses multiple vCenter Server instances, repeat this procedure to add the other vCenter Server

instances.

Configure View Composer Settings

To use View Composer, you must configure settings that allow View Manager to connect to the View Composer service. View Composer can be installed on its own separate host or on the same host as vCenter Server.

There must be a one-to-one mapping between each View Composer service and vCenter Server instance. A View Composer service can operate with only one vCenter Server instance. A vCenter Server instance can be associated with only one View Composer service.

After the initial View deployment, you can migrate the View Composer service to a new host to support a growing or changing View deployment. You can edit the initial View Composer settings in View Administrator, but you must perform additional steps to ensure that the migration succeeds. See “Migrate

View Composer to Another Computer,” on page 362.

Prerequisites

Verify that you created a user in Active Directory with permission to add and remove virtual machines from the Active Directory domain that contains your linked clones. See “Create a User Account for View

Composer,” on page 15.

Verify that you configured View Manager to connect to vCenter Server. To do so, you must complete the vCenter Server Information page in the Add vCenter Server wizard. See “Add vCenter Server Instances

to View Manager,” on page 15.

Verify that this View Composer service is not already configured to connect to a different vCenter Server instance.

Procedure

1 In View Administrator, complete the vCenter Server Information page in the Add vCenter Server wizard.

a Click View Configuration > Servers.

b In the vCenter Servers tab, click Add and provide the vCenter Server settings.

2 On the View Composer Settings page, if you are not using View Composer, select Do not use View

Composer.

If you select Do not use View Composer, the other View Composer settings become inactive. When you click Next, the Add vCenter Server wizard displays the Storage Settings page. The View Composer Domains page is not displayed.

VMware, Inc. 17

VMware Horizon View Administration

3 If you are using View Composer, select the location of the View Composer host.

Option Description

View Composer is installed on the same host as vCenter Server.

View Composer is installed on its own separate host.

Click Next to display the View Composer Domains page.

What to do next

Configure View Composer domains.

a Select View Composer co-installed with the vCenter Server.

b Make

a Select Standalone View Composer Server.

c Type the name of the View Composer user.

d Type the password of the View Composer user.

e Make sure that the port number is the same as the port that you specified

sure that the port number is the same as the port that you specified when you installed the View Composer service on vCenter Server. The default port number is 18443.

In the View Composer server address text box, type the fully qualified domain name (FQDN) of the View Composer host.

For example: domain.com\user or user@domain.com

when you installed the View Composer service. The default port number is 18443.

If the View Composer instance is configured with a signed SSL certificate, and View Connection Server trusts the root certificate, the Add vCenter Server wizard displays the View Composer Domains page.

If the View Composer instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL

Certificate,” on page 23.

Configure View Composer Domains

You must configure an Active Directory domain in which View Composer deploys linked-clone desktops. You can configure multiple domains for View Composer. After you first add vCenter Server and View Composer settings to View, you can add more View Composer domains by editing the vCenter Server instance in View Administrator.

Prerequisites

In View Administrator, verify that you completed the vCenter Server Information and View Composer Settings pages in the Add vCenter Server wizard.

Procedure

1 On the View Composer Domains page, click Add to add the domain user for View Composer account

information.

2 Type the domain name of the Active Directory domain.

For example: domain.com

3 Type the domain user name, including the domain name.

For example: domain.com\admin

4 Type the account password.

5 Click OK.

6 To add domain user accounts with privileges in other Active Directory domains in which you deploy

linked-clone pools, repeat the preceding steps.

18 VMware, Inc.

Chapter 1 Configuring View Connection Server

7 Click Next to display the Storage Settings page.

What to do next

Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.

Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines

In vSphere 5.1 and later, you can enable the disk space reclamation feature for View. Starting in vSphere 5.1, View

creates linked-clone virtual machines in an efficient disk format that allows ESXi hosts to reclaim unused

disk space in the linked clones, reducing the total storage space required for linked clones.

As users interact with linked-clone desktops, the clones' OS disks grow and can eventually use almost as much disk space as full-clone desktops. Disk space reclamation reduces the size of the OS disks without requiring you to refresh or recompose the linked clones. Space can be reclaimed while the virtual machines are powered on and users are interacting with their desktops.

Disk space reclamation is especially useful for deployments that cannot take advantage of storage-saving strategies such as refresh on logoff. For example, knowledge workers who install user applications on dedicated desktops might lose their personal applications if the desktops were refreshed or recomposed. With disk space reclamation, View can maintain linked clones at close to the reduced size they start out with when they are first provisioned.

This feature has two components: space-efficient disk format and space reclamation operations.

In a vSphere 5.1 or later environment, when a parent virtual machine is virtual hardware version 9 or later, View creates linked clones with space-efficient OS disks, whether or not space reclamation operations are enabled.

To enable space reclamation operations, you must use View Administrator to enable space reclamation for vCenter Server and reclaim VM disk space for individual desktop pools. The space reclamation setting for vCenter Server gives you the option to disable this feature on all desktop pools that are managed by the vCenter Server instance. Disabling the feature for vCenter Server overrides the setting at the desktop pool level.

The following guidelines apply to the space reclamation feature:

It operates only on space-efficient OS disks in linked clones.

It does not affect View Composer persistent disks.

It works only with vSphere 5.1 or later and only on desktops that are virtual hardware version 9 or later.

It does not operate on full-clone desktops.

It operates on virtual machines with SCSI controllers. IDE controllers are not supported.

It operates on Windows XP and Windows 7 desktops only. It does not operate on Windows 8 desktops.

Native NFS snapshot technology (VAAI) is not supported in pools that contain virtual machines with spaceefficient disks.

Prerequisites

Verify that your vCenter Server and ESXi hosts are version 5.1 with ESXi 5.1 download patch ESXi510-201212001 or later.

In an ESXi cluster, verify that all the hosts are version 5.1 with download patch ESXi510-201212001 or later.

VMware, Inc. 19

VMware Horizon View Administration

Procedure

1 In

View Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings

page.

a Select View Configuration > Servers.

b In the vCenter Servers tab, click Add.

c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains

pages.

2 On the Storage Settings page, make sure that Enable space reclamation is selected.

Space reclamation is selected by default if you are performing a fresh installation of View 5.2 or later. You must select Enable space reclamation if you are upgrading to View 5.2 or later from View 5.1 or an earlier release.

What to do next

On the Storage Settings page, configure View Storage Accelerator.

To finish configuring disk space reclamation in View, set up space reclamation for desktop pools.

Configure View Storage Accelerator for vCenter Server

In vSphere 5.0 and later, you can configure ESXi hosts to cache virtual machine disk data. This feature, called View Storage Accelerator, uses the Content Based Read Cache (CBRC) feature in ESXi hosts. View Storage Accelerator improves View performance during I/O storms, which can take place when many desktops start up or run anti-virus scans at once. The feature is also beneficial when administrators or users load applications or data frequently. Instead of reading the entire OS or application from the storage system over and over, a host can read common data blocks from cache.

By reducing the number of IOPS during boot storms, View Storage Accelerator lowers the demand on the storage array, which lets you use less storage I/O bandwidth to support your View deployment.

You enable caching on your ESXi hosts by selecting the View Storage Accelerator setting in the vCenter Server wizard in View Administrator, as described in this procedure.

Make sure that View Storage Accelerator is also configured for individual desktop pools. View Storage Accelerator is enabled for pools by default, but this feature can be disabled or enabled when you create or edit a pool. To operate on a pool, View Storage Accelerator must be enabled for vCenter Server and for the individual pool.

You can enable View Storage Accelerator on pools that contain linked clones and pools that contain full virtual machines.

View Storage Accelerator is also supported with local mode. Users can check out desktops in pools that are enabled for View Storage Accelerator. View Storage Accelerator is disabled while a desktop is checked out and reenabled after the desktop is checked in.

Native NFS snapshot technology (VAAI) is not supported in pools that are enabled for View Storage Accelerator.

View Storage Accelerator is now qualified to work in configurations that use View replica tiering, in which replicas are stored on a separate datastore than linked clones. Although the performance benefits of using View Storage Accelerator with View replica tiering are not materially significant, certain capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and supported.

20 VMware, Inc.

Chapter 1 Configuring View Connection Server

Prerequisites

Verify that your vCenter Server and ESXi hosts are version 5.0 or later.

In an ESXi cluster, verify that all the hosts are version 5.0 or later.

Verify

that the vCenter Server user was assigned the Global > Act as vCenter Server privilege in vCenter

Server. See the topics in the VMware Horizon View Installation documentation that describe View Manager and View Composer privileges required for the vCenter Server user.

Procedure

1 In View Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings

page.

a Select View Configuration > Servers.

b In the vCenter Servers tab, click Add.

c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains

pages.

2 On the Storage Settings page, make sure that the Enable View Storage Accelerator check box is selected.

This check box is selected by default.

3 Specify a default host cache size.

The default cache size applies to all ESXi hosts that are managed by this vCenter Server instance.

The default value is 1,024MB. The cache size must be between 100MB and 2,048MB.

4 To specify a different cache size for an individual ESXi host, select an ESXi host and click Edit cache

size.

a In the Host cache dialog box, check Override default host cache size.

b Type a Host cache size value between 100MB and 2,048MB and click OK.

5 On the Storage Settings page, click Next.

6 Click Finish to add vCenter Server, View Composer, and Storage Settings to View.

What to do next

Configure settings for client sessions and connections. See “Configuring Settings for Client Sessions,” on page 26.

To complete View Storage Accelerator settings in View, configure View Storage Accelerator for desktop pools. See “Configure View Storage Accelerator for Desktop Pools,” on page 145.

Concurrent Operations Limits for vCenter Server and View Composer

When you add vCenter Server to View or edit the vCenter Server settings, you can configure several options that set the maximum number of concurrent operations that are performed by vCenter Server and View Composer.

You configure these options in the Advanced Settings panel on the vCenter Server Information page.

VMware, Inc. 21

VMware Horizon View Administration

Table 1-2. Concurrent Operations Limits for vCenter Server and View Composer

Setting Description

Max concurrent vCenter provisioning operations Determines the maximum number of concurrent requests

Max concurrent power operations Determines the maximum number of concurrent power

Max concurrent View Composer maintenance operations Determines the maximum number of concurrent View

Max concurrent View Composer provisioning operations Determines the maximum number of concurrent creation

that View Manager can make to provision and delete full virtual machines in this vCenter Server instance.

The default value is 20.

This setting applies to full virtual machines only.

operations (startup, shutdown, suspend, and so on) that can take place on virtual machines managed by View Manager in this vCenter Server instance.

The default value is 50.

For guidelines for calculating a value for this setting, see

“Setting a Concurrent Power Operations Rate to Support View Desktop Logon Storms,” on page 22.

This setting applies to full virtual machines and linked clones.

Composer refresh, recompose, and rebalance operations that can take place on linked clones managed by this View Composer instance.

The default value is 12.

Desktops that have active sessions must be logged off before a maintenance operation can begin. If you force users to log off as soon as a maintenance operation begins, the maximum number of concurrent operations on desktops that require logoffs is half the configured value. For example, if you configure this setting as 24 and force users to log off, the maximum number of concurrent operations on desktops that require logoffs is 12.

This setting applies to linked clones only.

and deletion operations that can take place on linked clones managed by this View Composer instance.

The default value is 8.

This setting applies to linked clones only.

Setting a Concurrent Power Operations Rate to Support View Desktop Logon Storms

The Max that can occur on View desktop virtual machines in a vCenter Server instance. Starting in View 5.0, this limit is set to 50 by default. You can change this value to support peak power-on rates when many users log on to their desktops at the same time.

As a best practice, you can conduct a pilot phase to determine the correct value for this setting. For planning guidelines, see "Architecture Design Elements and Planning Guidelines" in the VMware Horizon View Architecture Planning document.

The required number of concurrent power operations is based on the peak rate at which desktops are powered on and the amount of time it takes for the desktop to power on, boot, and become available for connection. In general, the recommended power operations limit is the total time it takes for the desktop to start multiplied by the peak power-on rate.

For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support a peak power-on rate of 16 desktops per minute.

22 VMware, Inc.

concurrent power operations setting governs the maximum number of concurrent power operations

Chapter 1 Configuring View Connection Server

View waits a maximum of five minutes for a desktop to start. If the start time takes longer, other errors are likely

to occur. To be conservative, you can set a concurrent power operations limit of 5 times the peak poweron rate. With a conservative approach, the default setting of 50 supports a peak power-on rate of 10 desktops per minute.

Logons, and therefore desktop power on operations, typically occur in a normally distributed manner over a certain time window. You can approximate the peak power-on rate by assuming that it occurs in the middle of the time window, during which about 40% of the power-on operations occur in 1/6th of the time window. For example, if users log on between 8:00 AM and 9:00 AM, the time window is one hour, and 40% of the logons occur in the 10 minutes between 8:25 AM and 8:35 AM. If there are 2,000 users, 20% of whom have their desktops powered off, then 40% of the 400 desktop power-on operations occur in those 10 minutes. The peak power-on rate is 16 desktops per minute.

Accept the Thumbprint of a Default SSL Certificate

When you add vCenter Server and View Composer instances to Horizon View, you must ensure that the SSL certificates that are used for the vCenter Server and View Composer instances are valid and trusted by View Connection Server. If the default certificates that are installed with vCenter Server and View Composer are still in place, you must determine whether to accept these certificates' thumbprints.

If a vCenter Server or View Composer instance is configured with a certificate that is signed by a CA, and the root certificate is trusted by View Connection Server, you do not have to accept the certificate thumbprint. No action is required.

If you replace a default certificate with a certificate that is signed by a CA, but View Connection Server does not trust the root certificate, you must determine whether to accept the certificate thumbprint. A thumbprint is a cryptographic hash of a certificate. The thumbprint is used to quickly determine if a presented certificate is the same as another certificate, such as the certificate that was accepted previously.

NOTE If you install vCenter Server and View Composer on the same Windows Server host, they can use the same SSL certificate, but you must configure the certificate separately for each component.

For details about configuring SSL certificates, see "Configuring SSL Certificates for View Servers" in the VMware Horizon View Installation document.

You first add vCenter Server and View Composer in View Administrator by using the Add vCenter Server wizard.

If a certificate is untrusted and you do not accept the thumbprint, you cannot add vCenter Server and

View Composer.

After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.

NOTE You also must accept a certificate thumbprint when you upgrade from an earlier release to Horizon View 5.1 or later, and a vCenter Server or View Composer certificate is untrusted, or if you replace a trusted certificate with an untrusted certificate.

On the View Administrator dashboard, the vCenter Server or View Composer icon turns red and an Invalid Certificate Detected dialog box appears. You must click Verify and follow the procedure shown here.

Similarly, in View Administrator you can configure a SAML 2.0 authenticator for use by a View Connection Server

instance. If the SAML 2.0 server certificate is not trusted by View Connection Server, you must determine whether to accept the certificate thumbprint. If you do not accept the thumbprint, you cannot configure the SAML 2.0 authenticator in Horizon View. After a SAML 2.0 authenticator is configured, you can reconfigure it in the Edit View Connection Server dialog box.

Procedure

1 When View Administrator displays an Invalid Certificate Detected dialog box, click View Certificate.

2 Examine the certificate thumbprint in the Certificate Information window.

VMware, Inc. 23

VMware Horizon View Administration

3 Examine

the certificate thumbprint that was configured for the vCenter Server or View Composer instance.

a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows

Certificate Store.

b Navigate to the vCenter Server or View Composer certificate.

c Click the Certificate Details tab to display the certificate thumbprint.

Similarly, examine the certificate thumbprint for a SAML 2.0 authenticator. If appropriate, take the preceding steps on the SAML 2.0 authenticator host.

4 Verify that the thumbprint in the Certificate Information window matches the thumbprint for the

vCenter Server or View Composer instance.

Similarly, verify that the thumbprints match for a SAML 2.0 authenticator.

5 Determine whether to accept the certificate thumbprint.

Option Description

The thumbprints match.

The thumbprints do not match.

Click Accept to use the default certificate.

Click Reject.

Troubleshoot the mismatched certificates. For example, you might have provided an incorrect IP address for

vCenter Server or View Composer.

Remove a vCenter Server Instance from View Manager

You

can remove the connection between View Manager and a vCenter Server instance. When you do so, View

Manager no longer manages the View desktops created in that vCenter Server instance.

Prerequisites

Delete all the View desktops that are associated with the vCenter Server instance. See “Delete a Desktop Pool

from View Manager,” on page 269.

Procedure

1 Click View Configuration > Servers.

2 In the vCenter Servers panel, select the vCenter Server instance.

3 Click Remove.

A dialog warns you that View Manager will no longer have access to the virtual machines that are managed by this vCenter Server instance.

4 Click OK.

View Manager can no longer access the virtual machines created in the vCenter Server instance.

Remove View Composer from View Manager

You can remove the connection between View Manager and the View Composer service that is associated with a vCenter Server instance.

Before you disable the connection to View Composer, you must remove from View Manager all the linkedclone desktops that were created by View Composer. View Manager prevents you from removing View Composer if any associated linked clones still exist. After the connection to View Composer is disabled, View Manager cannot provision or manage new linked clones.

24 VMware, Inc.

Chapter 1 Configuring View Connection Server

Procedure

Remove the linked-clone pools that were created by View Composer.

a In View Administrator, click Inventory > Pools.

b Select a linked-clone pool and click Delete.

A dialog box warns that you will permanently delete the linked-clone pool from View Manager. If the linked-clone desktops are configured with persistent disks, you can detach or delete the persistent disks.

c Click OK.

The virtual machines are deleted from vCenter Server. In addition, the associated View Composer database entries and the replicas that were created by View Composer are removed.

d Repeat these steps for each linked-clone pool that was created by View Composer.

2 Click View Configuration > Servers.

3 In the vCenter Servers tab, select the vCenter Server instance with which View Composer is associated.

4 Click Edit.

5 Under View Composer Server Settings, click Edit, select Do not use View Composer, and click OK.

You can no longer create linked-clone desktops in this vCenter Server instance, but you can continue to create and manage full virtual-machine desktop pools in the vCenter Server instance.

What to do next

If you intend to install View Composer on another host and reconfigure View Manager to connect to the new View Composer service, you must perform certain additional steps. See “Migrate View Composer Without

Linked-Clone Desktops,” on page 365.

Conflicting vCenter Server Unique IDs

If you have multiple vCenter Server instances configured in your environment, an attempt to add a new instance might fail because of conflicting unique IDs.

Problem

You try to add a vCenter Server instance to View Manager, but the unique ID of the new vCenter Server instance conflicts with an existing instance.

Cause

Two vCenter Server instances cannot use the same unique ID. By default, a vCenter Server unique ID is randomly generated, but you can edit it.

Solution

1 In vSphere Client, click Administration > vCenter Server Settings > Runtime Settings.

2 Type a new unique ID and click OK.

For details about editing vCenter Server unique ID values, see the vSphere documentation.

VMware, Inc. 25

VMware Horizon View Administration

Backing Up View Connection Server

you complete the initial configuration of View Connection Server, you should schedule regular backups

After of your View Manager and View Composer configuration data.

For information about backing up and restoring your View configuration, see “Backing Up and Restoring View

Configuration Data,” on page 351.

Configuring Settings for Client Sessions

You can configure global settings that affect the client sessions and connections that are managed by a View Connection Server instance or replicated group. You can set the session timeout length, display prelogin and warning messages, and set security-related client connection options.

Set Options for Client Sessions and Connections

You configure global settings to determine the way client sessions and connections work.

The global settings are not specific to a single View Connection Server instance. They affect all client sessions that are managed by a standalone View Connection Server instance or a group of replicated instances.

You can also configure View Connection Server instances to use direct, nontunneled connections between View clients and View desktops. See “Configure the Secure Tunnel and PCoIP Secure Gateway,” on page 31 for information about configuring direct connections.

Prerequisites

Familiarize yourself with the global settings. See “Global Settings for Client Sessions,” on page 28 and “Global

Security Settings for Client Sessions and Connections,” on page 29.

Procedure

1 In View Administrator, click View Configuration > Global Settings.

2 Choose whether to configure general settings or security settings.

Option Description

General global settings

Global security settings

Configure the global settings.

4 Click OK.

What to do next

You can change the data recovery password that was provided during installation. See “Change the Data

Recovery Password,” on page 26.

In the General pane, click Edit.

In the Security pane, click Edit.

Change the Data Recovery Password

You provide a data recovery password when you install View Connection Server version 5.1 or later. After installation, you can change this password in View Administrator. The password is required when you restore the View LDAP configuration from a backup.

When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup View configuration, you must provide the data recovery password.

The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.

26 VMware, Inc.

Chapter 1 Configuring View Connection Server

Procedure

In View Administrator, click View Configuration > Global Settings.

2 In the Security pane, click Change data recovery password.

3 Type and retype the new password.

4 (Optional) Type a password reminder.

NOTE You can also change the data recovery password when you schedule your View configuration data to be backed up. See “Schedule View Manager Configuration Backups,” on page 352.

What to do next

When you use the vdmimport utility to restore a backup View configuration, provide the new password.

VMware, Inc. 27

VMware Horizon View Administration

Global Settings for Client Sessions

General

global settings determine session timeout lengths, SSO enablement and timeout limits, status updates

in View Administrator, and whether prelogin and warning messages are displayed.

Table 1-3. General Global Settings for Client Sessions

Setting Description

Session timeout Determines how long a user can keep a session open after logging in to

View Connection Server.

The value is set in minutes. You must type a value. The default is 600 minutes.

When a desktop session times out, the session is terminated and the View client is disconnected from the desktop.

This value determines the amount of time that a single View Client

can stay connected to a desktop. It does not affect the amount of

session time that a Windows session remains running on a desktop virtual machine.

SSO Determines whether to enable or disable Single Sign-on (SSO) for View

users and sets the SSO timeout limit.

When SSO is in effect, when a user logs in to View Connection Server from View Client, the user does not have to log in again to connect to the View desktop. During a desktop session, a user can leave the desktop, allow it to become inactive, and return without having to authenticate again.

This setting has the following options:

Disable after. Enables SSO until the specified timeout limit is reached. This is the default option.

By default, the user's SSO credentials are no longer valid after 15 minutes. This SSO timeout limit reduces the chance that someone else could start using the desktop session.

You can change the SSO timeout limit by typing another value in the Disable after text box.

The timeout limit is set in minutes. The time limit counter starts when the user logs in to View Connection Server. For example, if you set the value to 10 minutes, the user's SSO credentials are invalidated 10 minutes after the user logs in to View Connection Server.

Always enabled. Enables SSO with no timeout limit.

Disabled. Disables SSO altogether.

remote desktops, a new SSO timeout limit takes effect immediately. You do not need to restart the View Connection Server service or the client computer. For desktops that run in local mode, see “SSO Timeout

Limits and Local Mode Desktops,” on page 29.

View Administrator session timeout Determines how long an idle View Administrator session continues

before the session times out.

IMPORTANT Setting the View Administrator session timeout to a high number of minutes increases the risk of unauthorized use of View Administrator. Use caution when you allow an idle session to persist a long time.

By default, the View Administrator session timeout is 30 minutes. You can set a session timeout from 1 to 4320 minutes (72 hours).

Enable automatic status updates Determines if View Manager updates the global status pane in the upper

left corner of View Administrator every few minutes. The dashboard page of View Administrator is also updated every few minutes.

By default, this setting is not enabled.

28 VMware, Inc.

Chapter 1 Configuring View Connection Server

Table 1-3. General Global Settings for Client Sessions

Setting Description

Display a pre-login message Displays a disclaimer or another message to View Client users when

they log in.

Type your information or instructions in the text box in the Global Settings dialog window.

To display no message, leave the check box unselected.

Display warning before forced logoff Displays a warning message when users are forced to log off because a

scheduled or immediate update such as a desktop-refresh operation is about to start. This setting also determines how long to wait after the warning is shown before the user is logged off.

Check the box to display a warning message.

Type before logging off the user. The default is five minutes.

Type your warning message. You can use the default message:

Your desktop is scheduled for an important update and will be shut down in 5 minutes. Please save any unsaved work now.

(Continued)

the number of minutes to wait after the warning is displayed and

SSO Timeout Limits and Local Mode Desktops

On desktops that run in local mode, a new SSO timeout limit takes effect the next time a client computer that hosts the local desktop sends a heartbeat message to View Connection Server.

On View desktops that are used in local mode, a checkout operation might take longer than the SSO timeout limit. In this case, the user's SSO credentials expire before the checkout is completed.

For

example, you might set the SSO timeout limit to 10 minutes. A user might log in to View Connection Server and check out a desktop. If the checkout takes 20 minutes and the user then launches the desktop, the user still needs to log in to the desktop manually, even though the user has not yet spent any time in a desktop session. SSO succeeds after the user closes View Client and reconnects to View Connection Server.

A first-time checkout in a low-bandwidth environment might take longer than 15 minutes, the default timeout limit. A user's SSO credentials might expire during the first checkout if the default SSO timeout limit is in effect.

Global Security Settings for Client Sessions and Connections

Global security settings determine whether clients are reauthenticated after interruptions, message security mode is enabled, IPSec is used for security server connections, and SSO is used for local desktop operations.

SSL is required for all View Client connections and View Administrator connections to View. If your View deployment uses load balancers or other client-facing, intermediate servers, you can off-load SSL to them and then configure non-SSL connections on individual View Connection Server instances and security servers. See

“Off-load SSL Connections to Intermediate Servers,” on page 33.

VMware, Inc. 29

VMware Horizon View Administration

Table 1-4. Global Security Settings for Client Sessions and Connections

Setting Description

Reauthenticate secure tunnel connections after network interruption

Message security mode Determines if signing and verification of the JMS messages passed

Use IPSec for Security Server connections Determines whether to use Internet Protocol Security (IPSec) for

Disable Single Sign-on for Local Mode operations

Determines if user credentials must be reauthenticated after a network interruption when View clients use secure tunnel connections to View desktops.

When you select this setting, if a secure tunnel connection ends during a desktop session, View Client requires the user to reauthenticate before reconnecting.

This setting offers increased security. For example, if a laptop is stolen and moved to a different network, the user cannot automatically gain access to the remote desktop because the network connection was temporarily interrupted.

When this setting is not selected, the client reconnects to the desktop without requiring the user to reauthenticate.

This setting has no effect when you use direct connection.

between View Manager components takes place. For details, see

“Message Security Mode for View Components,” on page 30.

By default, message security mode is enabled.

connections between security servers and View Connection Server instances.

By default, secure connections (using IPSec) for security server connections is enabled.

Determines if single sign-on is enabled when users log in to their local desktops.

If you enable this setting, users must manually log in to their desktops to start their Windows sessions after they log in.

When you change this setting, the change takes effect for each user at the next user operation.

NOTE If you upgrade to View 5.1 or later from an earlier View release, the global setting Require SSL for client connections is displayed in View Administrator, but only if the setting was disabled in your View

configuration before you upgraded. Because SSL is required for all View Client connections and View Administrator connections to View, this setting is not displayed in fresh installations of View 5.1 or later versions and is not displayed after an upgrade if the setting was already enabled in the previous View configuration.

After an upgrade, if you do not enable the Require SSL for client connections setting, HTTPS connections from View clients will fail, unless they connect to an intermediate device that is configured to make onward connections using HTTP. See “Off-load SSL Connections to Intermediate Servers,” on page 33.

Message Security Mode for View Components

You can set message security mode for View components. This setting determines how sender signatures in JMS messages are treated. By default, JMS messages are rejected if the signature is missing or invalid, or if a message was modified after it was signed.

If any component in your View environment predates View Manager 3.0, when message security was introduced, you can change the mode to log a warning if any of these conditions are found, or to not verify signatures at all. These options are not recommended and it is preferable to upgrade older components.

Some

JMS messages are encrypted because they carry sensitive information such as user credentials. Consider using IPSec to encrypt all JMS messages between View Connection Server instances, and between View Connection Server instances and security servers.

30 VMware, Inc.

+ 432 hidden pages