VMware Horizon View - 5.2 Installation Manual

VMware Horizon View Installation
View 5.2
View Manager 5.2
View Composer 5.2
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010–2013 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

VMware Horizon View Installation

1 System Requirements for Server Components
    View Connection Server Requirements
    View Administrator Requirements
    View Composer Requirements
    View Transfer Server Requirements

2 System Requirements for Guest Operating Systems
    Supported Operating Systems for View Agent
    Supported Operating Systems for Standalone View Persona Management
    Remote Display Protocol and Software Support

3 Preparing Active Directory
    Configuring Domains and Trust Relationships
    Creating an OU for View Desktops
    Creating OUs and Groups for Kiosk Mode Client Accounts
    Creating Groups for View Users
    Creating a User Account for vCenter Server
    Create a User Account for View Composer
    Configure the Restricted Groups Policy
    Using View Group Policy Administrative Template Files
    Prepare Active Directory for Smart Card Authentication

4 Installing View Composer
    Prepare a View Composer Database
    Configuring an SSL Certificate for View Composer
    Install the View Composer Service
    Configuring Your Infrastructure for View Composer

5 Installing View Connection Server
    Installing the View Connection Server Software
    Installation Prerequisites for View Connection Server
    Install View Connection Server with a New Configuration
    Install a Replicated Instance of View Connection Server
    Configure a Security Server Pairing Password
    Install a Security Server
    Firewall Rules for View Connection Server
    Reinstall View Connection Server with a Backup Configuration
    Microsoft Windows Installer Command-Line Options
    Uninstalling View Products Silently by Using MSI Command-Line Options

6 Installing View Transfer Server
    Install View Transfer Server
    Add View Transfer Server to View Manager
    Configure the Transfer Server Repository
    Firewall Rules for View Transfer Server
    Installing View Transfer Server Silently

7 Configuring SSL Certificates for View Servers
    Understanding SSL Certificates for View Servers
    Overview of Tasks for Setting Up SSL Certificates
    Obtaining a Signed SSL Certificate from a CA
    Configure View Connection Server, Security Server, or View Composer to Use a New SSL Certificate
    Configure View Clients to Trust Root and Intermediate Certificates
    Configuring Certificate Revocation Checking on Server Certificates
    Configuring Certificate Checking in View Client for Windows
    Configure the PCoIP Secure Gateway to Use a New SSL Certificate
    View Transfer Server and SSL Certificates
    Setting View Administrator to Trust a vCenter Server or View Composer Certificate
    Benefits of Using SSL Certificates Signed by a CA

8 Configuring View for the First Time
    Configuring User Accounts for vCenter Server and View Composer
    Configuring View Connection Server for the First Time
    Configuring View Client Connections
    Replacing Default Ports for View Services
    Sizing Windows Server Settings to Support Your Deployment

9 Adding the View Desktops Plug-in to the vSphere Web Client
    Add the View Desktops Plug-in
    Search for View Users in the vSphere Web Client
    Remove the View Desktops Plug-in

10 Configuring Event Reporting
    Add a Database and Database User for View Events
    Prepare an SQL Server Database for Event Reporting
    Configure the Event Database
    Configure Event Logging for Syslog Servers

Index

VMware Horizon View Installation

VMware Horizon View Installation explains how to install the VMware® Horizon View™ server and client components.
Intended Audience
This information is intended for anyone who wants to install VMware Horizon View. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

System Requirements for Server Components 1

Hosts that run VMware Horizon View server components must meet specific hardware and software requirements.
This chapter includes the following topics:
- View Connection Server Requirements
- View Administrator Requirements
- View Composer Requirements
- View Transfer Server Requirements

View Connection Server Requirements

View Connection Server acts as a broker for client connections by authenticating and then directing incoming user requests to the appropriate View desktop. View Connection Server has specific hardware, operating system, installation, and supporting software requirements.
- Hardware Requirements for View Connection Server
  You must install all View Connection Server installation types, including standard, replica, and security server installations, on a dedicated physical or virtual machine that meets specific hardware requirements.
- Supported Operating Systems for View Connection Server
  You must install View Connection Server on a Windows Server 2008 R2 operating system.
- Virtualization Software Requirements for View Connection Server
  View Connection Server requires certain versions of VMware virtualization software.
- Network Requirements for Replicated View Connection Server Instances
  If you install replicated View Connection Server instances, configure the instances in the same location and connect them over a high-performance LAN.

Hardware Requirements for View Connection Server

You must install all View Connection Server installation types, including standard, replica, and security server installations, on a dedicated physical or virtual machine that meets specific hardware requirements.
Table 1-1. View Connection Server Hardware Requirements
| Hardware Component | Required | Recommended |
| --- | --- | --- |
| Processor | Pentium IV 2.0GHz processor or higher | 4 CPUs |
| Networking | One or more 10/100Mbps network interface cards (NICs) | 1Gbps NICs |
| Memory Windows Server 2008 64-bit | 4GB RAM or higher | At least 10GB RAM for deployments of 50 or more View desktops |

These requirements also apply to replica and security server View Connection Server instances that you install for high availability or external access.
IMPORTANT The physical or virtual machine that hosts View Connection Server must use a static IP address.

Supported Operating Systems for View Connection Server

You must install View Connection Server on a Windows Server 2008 R2 operating system.
The following operating systems support all View Connection Server installation types, including standard, replica, and security server installations.
Table 1-2. Operating System Support for View Connection Server
| Operating System | Version | Edition |
| --- | --- | --- |
| Windows Server 2008 R2 | 64-bit | Standard, Enterprise |
| Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise |

Virtualization Software Requirements for View Connection Server

View Connection Server requires certain versions of VMware virtualization software.
If you are using vSphere, you must use a supported version of vSphere ESX/ESXi hosts and vCenter Server.
For details about which versions of Horizon View are compatible with which versions of vCenter Server and ESX/ESXi, see the VMware Product Interoperability Matrix at
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

Network Requirements for Replicated View Connection Server Instances

If you install replicated View Connection Server instances, configure the instances in the same location and connect them over a high-performance LAN.
When installing replicated View Connection Server instances, you must configure the instances in the same physical location and connect them over a high-performance LAN. Do not use a WAN, MAN (metropolitan area network), or other non-LAN to connect replicated View Connection Server instances.
Even a high-performance WAN, MAN, or other non-LAN with low average latency and high throughput might have periods when the network cannot deliver the performance characteristics that are needed for View Connection Server instances to maintain consistency.
If the View LDAP configurations on View Connection Server instances become inconsistent, users might not be able to access their desktops. A user might be denied access when connecting to a View Connection Server instance with an out-of-date configuration.

View Administrator Requirements

Administrators use View Administrator to configure View Connection Server, deploy and manage desktops, control user authentication, initiate and examine system events, and carry out analytical activities. Client systems that run View Administrator must meet certain requirements.
View Administrator is a Web-based application that is installed when you install View Connection Server. You can access and use View Administrator with the following Web browsers:
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10 (from a Windows 8 system in Desktop mode)
- Firefox 6 and later releases
To use View Administrator with your Web browser, you must install Adobe Flash Player 10 or later. Your client system must have access to the Internet to allow Adobe Flash Player to be installed.
The computer on which you launch View Administrator must trust the root and intermediate certificates of the server that hosts View Connection Server. The supported browsers already contain certificates for all of the well-known certificate authorities (CAs). If your certificates come from a CA that is not well known, you must follow the instructions in the VMware Horizon View Installation document about importing root and intermediate certificates.
To display text properly, View Administrator requires Microsoft-specific fonts. If your Web browser runs on a non-Windows operating system such as Linux, UNIX, or Mac OS X, make sure that Microsoft-specific fonts are installed on your computer.
Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from independent Web sites.

View Composer Requirements

View Manager uses View Composer to deploy multiple linked-clone desktops from a single centralized base image. View Composer has specific installation and storage requirements.
- Supported Operating Systems for View Composer
  View Composer supports 64-bit operating systems with specific requirements and limitations. You can install View Composer on the same physical or virtual machine as vCenter Server or on a separate server.
- Hardware Requirements for Standalone View Composer
  With View 5.1 and later releases, View Composer is no longer required to be installed on the same physical or virtual machine as vCenter Server. If you install View Composer on a separate server, you must use a dedicated physical or virtual machine that meets specific hardware requirements.
- Database Requirements for View Composer
  View Composer requires an SQL database to store data. The View Composer database must reside on, or be available to, the View Composer server host.

Supported Operating Systems for View Composer

View Composer supports 64-bit operating systems with specific requirements and limitations. You can install View Composer on the same physical or virtual machine as vCenter Server or on a separate server.
Table 1-3. Operating System Support for View Composer
| Operating System | Version | Edition |
| --- | --- | --- |
| Windows Server 2008 R2 | 64-bit | Standard, Enterprise |
| Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise |

If you plan to install View Composer on a different physical or virtual machine than vCenter Server, see “Hardware Requirements for Standalone View Composer.”

Hardware Requirements for Standalone View Composer

With View 5.1 and later releases, View Composer is no longer required to be installed on the same physical or virtual machine as vCenter Server. If you install View Composer on a separate server, you must use a dedicated physical or virtual machine that meets specific hardware requirements.
A standalone View Composer installation works with vCenter Server installed on a Windows Server computer and with the Linux-based vCenter Server Appliance. VMware recommends having a one-to-one mapping between each View Composer service and vCenter Server instance.
Table 1-4. View Composer Hardware Requirements
| Hardware Component | Required | Recommended |
| --- | --- | --- |
| Processor | 1.4 GHz or faster Intel 64 or AMD 64 processor with 2 CPUs | 2GHz or faster and 4 CPUs |
| Networking | One or more 10/100Mbps network interface cards (NICs) | 1Gbps NICs |
| Memory | 4GB RAM or higher | 8GB RAM or higher for deployments of 50 or more View desktops |
| Disk space | 40GB | 60GB |

IMPORTANT The physical or virtual machine that hosts View Composer must use a static IP address.

Database Requirements for View Composer

View Composer requires an SQL database to store data. The View Composer database must reside on, or be available to, the View Composer server host.
If a database server already exists for vCenter Server, View Composer can use that existing database server if it is a version listed in Table 1-5. For example, View Composer can use the Microsoft SQL Server 2005 or 2008 Express instance provided with vCenter Server. If a database server does not already exist, you must install one.
View Composer supports a subset of the database servers that vCenter Server supports. If you are already using vCenter Server with a database server that is not supported by View Composer, continue to use that database server for vCenter Server and install a separate database server to use for View Composer and View Manager database events.
IMPORTANT If you create the View Composer database on the same SQL Server instance as vCenter Server, do not overwrite the vCenter Server database.
Table 1-5 lists the supported database servers and versions. For a complete list of database versions supported with vCenter Server, see the VMware vSphere Compatibility Matrixes on the VMware vSphere documentation Web site.
The versions of vCenter Server listed in the table column headings are general. For specific supported update versions of each vCenter Server release, see the VMware vSphere Compatibility Matrixes on the VMware vSphere documentation Web site.
Table 1-5. Supported Database Servers for View Composer
| Database | vCenter Server 5.1 | vCenter Server 5.0 | vCenter Server 4.1 | vCenter Server 4.0 |
| --- | --- | --- | --- | --- |
| Microsoft SQL Server 2005 (SP4), Standard, Enterprise, and Datacenter (32- and 64-bit) | Yes | Yes | Standard only | Standard only |
| Microsoft SQL Server 2008 Express (R2 SP1) (64-bit) | Yes | Yes | No | No |
| Microsoft SQL Server 2008 (SP2), Standard, Enterprise, and Datacenter (32- and 64-bit) | Yes | Yes | Yes | Yes |
| Microsoft SQL Server 2008 (R2), Standard and Enterprise (32- and 64-bit) | Yes | Yes | Yes | Yes |
| Oracle 10g Release 2, Standard, Standard ONE, and Enterprise [10.2.0.4] (32- and 64-bit) | Yes | Yes | Yes | Yes |
| Oracle 11g Release 2, Standard, Standard ONE, and Enterprise [11.2.0.1] with Patch 5 (32- and 64-bit) | Yes | Yes | Yes | Yes |

NOTE If you use an Oracle 11g R2 database, you must install Oracle 11.2.0.1 Patch 5. This patch requirement applies to both 32-bit and 64-bit versions.

View Transfer Server Requirements

View Transfer Server is an optional View Manager component that supports check in, check out, and replication of desktops that run in local mode. View Transfer Server has specific installation, operating system, and storage requirements.
- Installation and Upgrade Requirements for View Transfer Server
  You must install View Transfer Server as a Windows application in a virtual machine that meets specific requirements.
- Supported Operating Systems for View Transfer Server
  You must install View Transfer Server on a supported operating system with at least the minimum required amount of RAM.
- Storage Requirements for View Transfer Server
  View Transfer Server transfers static content to and from the Transfer Server repository and dynamic content between local desktops and remote desktops in the datacenter. View Transfer Server has specific storage requirements.

Installation and Upgrade Requirements for View Transfer Server

You must install View Transfer Server as a Windows application in a virtual machine that meets specific requirements.
IMPORTANT If users will be checking out local desktops that use the space-efficient sparse disk format (SE-Flex), available starting with vSphere 5.1, View Transfer Server must be hosted on a vSphere 5.1 or later virtual machine (virtual hardware version 9). The SE Sparse disk format allows stale or deleted data within a guest operating system to be reclaimed with a wipe and shrink process.
To use the space reclamation feature, you must verify that your vCenter Server and hosts are version 5.1 with ESXi 5.1 download patch ESXi510-201212001 or later. In an ESXi cluster, verify that all the hosts are version 5.1 with download patch ESXi510-201212001 or later.
The virtual machine that hosts View Transfer Server must meet several requirements regarding network connectivity:
- It must be managed by the same vCenter Server instance as the local desktops that it will manage.
- It does not have to be part of a domain.
- It must use a static IP address.
The View Transfer Server software cannot coexist on the same virtual machine with any other View Manager software component, including View Connection Server.
Do not manually add or remove PCI devices on the virtual machine that hosts View Transfer Server. If you add or remove PCI devices, View might be unable to discover hot-added devices, which might cause data transfer operations to fail.
You can install multiple View Transfer Server instances for high availability and scalability.

Supported Operating Systems for View Transfer Server

You must install View Transfer Server on a supported operating system with at least the minimum required amount of RAM.
Table 1-6. Operating System Support for View Transfer Server
| Operating System | Version | Edition | Minimum RAM |
| --- | --- | --- | --- |
| Windows Server 2008 R2 | 64-bit | Standard, Enterprise | 4GB |
| Windows Server 2008 R2 SP1 | 64-bit | Standard, Enterprise | 4GB |

IMPORTANT Configure two virtual CPUs for virtual machines that host View Transfer Server.

Storage Requirements for View Transfer Server

View Transfer Server transfers static content to and from the Transfer Server repository and dynamic content between local desktops and remote desktops in the datacenter. View Transfer Server has specific storage requirements.
- The disk drive on which you configure the Transfer Server repository must have enough space to store your static image files. Image files are View Composer base images.
- View Transfer Server must have access to the datastores that store the desktop disks to be transferred.
  The datastores must be accessible from the ESX/ESXi host where the View Transfer Server virtual machine is running.
- The recommended maximum number of concurrent disk transfers that View Transfer Server can support is 20.
  During a transfer operation, a local desktop's virtual disk is mounted on View Transfer Server. The View Transfer Server virtual machine has four SCSI controllers. This configuration allows multiple disks to be attached to the virtual machine at one time.
- Because local desktops can contain sensitive user data, make sure data is encrypted during its transit over the network.
  In View Administrator, you can configure data-transfer security options on each View Connection Server instance. To configure these options in View Administrator, click View Configuration > Servers, select a View Connection Server instance, and click Edit.
- When View Transfer Server is added to View Manager, its Distributed Resource Scheduler (DRS) automation policy is set to Manual, which effectively disables DRS.
  To migrate a View Transfer Server instance to another ESX host or datastore, you must place the instance in maintenance mode before you begin the migration.
  When View Transfer Server is removed from View Manager, the DRS automation policy is reset to the value it had before View Transfer Server was added to View Manager.

System Requirements for Guest Operating Systems 2

Systems running View Agent or Standalone View Persona Management must meet certain hardware and software requirements.
This chapter includes the following topics:
- Supported Operating Systems for View Agent
- Supported Operating Systems for Standalone View Persona Management
- Remote Display Protocol and Software Support

Supported Operating Systems for View Agent

The View Agent component assists with session management, single sign-on, and device redirection. You must install View Agent on all virtual machines, physical systems, and terminal servers that will be managed by View Manager.
Table 2-1. View Agent Operating System Support
| Guest Operating System | Version | Edition | Service Pack |
| --- | --- | --- | --- |
| Windows 8 | 64-bit and 32-bit | Enterprise and Professional | N/A |
| Windows 7 | 64-bit and 32-bit | Enterprise and Professional | None and SP1 |
| Windows Vista | 32-bit | Business and Enterprise | SP1 and SP2 |
| Windows XP | 32-bit | Professional | SP3 |
| Windows 2008 R2 Terminal Server | 64-bit | Standard | SP1 |
| Windows 2008 Terminal Server | 64-bit | Standard | SP2 |

To use the View Persona Management setup option with View Agent, you must install View Agent on Windows 8, Windows 7, Windows Vista, or Windows XP virtual machines. This option does not operate on physical computers or Microsoft Terminal Servers.
You can install the standalone version of View Persona Management on physical computers. See “Supported Operating Systems for Standalone View Persona Management.”

Supported Operating Systems for Standalone View Persona Management

The standalone View Persona Management software provides persona management for standalone physical computers and virtual machines that do not have View Agent 5.x installed. When users log in, their profiles are downloaded dynamically from a remote profile repository to their standalone systems.
NOTE To configure View Persona Management for View desktops, install View Agent with the View Persona Management setup option. The standalone View Persona Management software is intended for non-View systems only.
Table 2-2 lists the operating systems supported for the standalone View Persona Management software.
Table 2-2. Operating System Support for Standalone View Persona Management
| Guest Operating System | Version | Edition | Service Pack |
| --- | --- | --- | --- |
| Windows 8 | 64-bit and 32-bit | Pro - Desktop and Enterprise - Desktop | N/A |
| Windows 7 | 64-bit and 32-bit | Enterprise and Professional | None and SP1 |
| Windows Vista | 32-bit | Business and Enterprise | SP1 and SP2 |
| Windows XP | 32-bit | Professional | SP3 |

The standalone View Persona Management software is not supported on Microsoft Terminal Services or Microsoft Remote Desktop Services.

Remote Display Protocol and Software Support

Remote display protocols and software provide access to the desktops of remote computers over a network connection. View Client supports the Microsoft Remote Desktop Protocol (RDP) and PCoIP from VMware.
- Horizon View with PCoIP
  PCoIP provides an optimized desktop experience for the delivery of the entire desktop environment, including applications, images, audio, and video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate for an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
- Microsoft RDP
  Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data.

Horizon View with PCoIP

PCoIP provides an optimized desktop experience for the delivery of the entire desktop environment, including applications, images, audio, and video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate for an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
PCoIP is supported as the display protocol for View desktops with virtual machines and with physical machines that contain Teradici host cards.
PCoIP Features
Key features of PCoIP include the following:
- Users outside the corporate firewall can use this protocol with your company's virtual private network (VPN), or users can make secure, encrypted connections to a View security server in the corporate DMZ.
- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You can, however, change the encryption key cipher to AES-192 or AES-256.
- Connections to Windows desktops with the View Agent operating system versions listed in “Supported Operating Systems for View Agent” are supported.
- Connections from all types of View clients.
- MMR redirection is supported for some Windows client operating systems and some View desktop (agent) operating systems. See "Feature Support Matrix" in the VMware Horizon View Architecture Planning document.
- USB redirection is supported for some client types.
- Audio redirection with dynamic audio quality adjustment for LAN and WAN is supported.
- Optimization controls for reducing bandwidth usage on the LAN and WAN.
- Multiple monitors are supported for some client types. For example, on Windows-based clients, you can use up to four monitors and adjust the resolution for each monitor separately, with a resolution of up to 2560x1600 per display. Pivot display and autofit are also supported.
  When the 3D feature is enabled, up to 2 monitors are supported with a resolution of up to 1920 X 1200.
- 32-bit color is supported for virtual displays.
- ClearType fonts are supported.
- Copy and paste of text and images between a Windows-based client operating system and a View desktop is supported, up to 1MB. Supported file formats include text, images, and RTF (Rich Text Format). You cannot copy and paste system objects such as folders and files between systems.
For information about which client devices support specific PCoIP features, go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Recommended Guest Operating System Settings
Recommended guest operating system settings include the following settings:
- For Windows XP desktops: 768MB RAM or more and a single CPU.
- For Windows 7 or 8 desktops: 1GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen mode, or 720p or higher formatted video.
Video Quality Requirements
480p-formatted video
  You can play video at 480p or lower at native resolutions when the View desktop has a single virtual CPU. If the operating system is Windows 7 or later and you want to play the video in high-definition Flash or in full screen mode, the desktop requires a dual virtual CPU. Even with a dual virtual CPU desktop, as low as 360p-formatted video played in full screen mode can lag behind audio, particularly on Windows clients.
720p-formatted video
  You can play video at 720p at native resolutions if the View desktop has a dual virtual CPU. Performance might be affected if you play videos at 720p in high definition or in full screen mode.
1080p-formatted video
  If the View desktop has a dual virtual CPU, you can play 1080p formatted video, although the media player might need to be adjusted to a smaller window size.
3D
  If you use VMware vSphere 5.1 or later, you can configure View desktops to use software or hardware accelerated graphics.
  - With Virtual Shared Graphics Acceleration (vSGA), a vSphere 5.1 feature that uses physical graphics cards installed on the ESXi hosts, you can use 3D applications for design, modeling, and multimedia.
  - With the software accelerated graphics feature, available with vSphere 5.0 and later, you can use less demanding 3D applications such as Windows Aero themes, Microsoft Office 2010, and Google Earth.
    This non-hardware accelerated graphics feature enables you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical graphics processing unit (GPU).
  For 3D applications, up to 2 monitors are supported, and the maximum screen resolution is 1920 x 1200. The guest operating system on the View desktops must be Windows 7 or later.
Hardware Requirements for Client Systems
For information about processor and memory requirements, see the "Using VMware Horizon View Client" document for the specific type of desktop or mobile client device. Go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

Microsoft RDP

Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data.
Microsoft RDP provides the following features:
- With RDP 6, you can use multiple monitors in span mode. RDP 7 has true multiple monitor support, for up to 16 monitors.
- You can copy and paste text and system objects such as folders and files between the local system and the View desktop.
- 32-bit color is supported for virtual displays.
- RDP supports 128-bit encryption.
- Users outside the corporate firewall can use this protocol with your company's virtual private network (VPN), or users can make secure, encrypted connections to a View security server in the corporate DMZ.
NOTE For Windows XP desktop virtual machines, you must install the RDP patches listed in Microsoft Knowledge Base (KB) articles 323497 and 884020. If you do not install the RDP patches, a Windows Sockets failed error message might appear on the client.
Hardware Requirements for Client Systems
For information about processor and memory requirements, see the "Using VMware Horizon View Client" document for the specific type of client system. Go to
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
NOTE iOS and Android client devices use only the PCoIP display protocol.

Preparing Active Directory 3

View uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with View.
View supports the following versions of Active Directory:
- Windows 2003 Active Directory
- Windows 2008 Active Directory
This chapter includes the following topics:
- Configuring Domains and Trust Relationships
- Creating an OU for View Desktops
- Creating OUs and Groups for Kiosk Mode Client Accounts
- Creating Groups for View Users
- Creating a User Account for vCenter Server
- Create a User Account for View Composer
- Configure the Restricted Groups Policy
- Using View Group Policy Administrative Template Files
- Prepare Active Directory for Smart Card Authentication

Configuring Domains and Trust Relationships

You must join each View Connection Server host to an Active Directory domain. The host must not be a domain controller. You place View desktops in the same domain as the View Connection Server host or in a domain that has a two-way trust relationship with the View Connection Server host's domain.
You can entitle users and groups in the View Connection Server host's domain to View desktops and pools. You can also select users and groups from the View Connection Server host's domain to be administrators in View Administrator. To entitle or select users and groups from a different domain, you must establish a two-way trust relationship between that domain and the View Connection Server host's domain.
Users are authenticated against Active Directory for the View Connection Server host's domain and against any additional user domains with which a trust agreement exists.
NOTE Because security servers do not access any authentication repositories, including Active Directory, they do not need to reside in an Active Directory domain.

Trust Relationships and Domain Filtering

To determine which domains it can access, a View Connection Server instance traverses trust relationships beginning with its own domain.
For a small, well-connected set of domains, View Connection Server can quickly determine the full list of domains, but the time that it takes increases as the number of domains increases or as the connectivity between the domains decreases. The list might also include domains that you would prefer not to offer to users when they log in to their View desktops.
You can use the vdmadmin command to configure domain filtering to limit the domains that a View Connection Server instance searches and that it displays to users. See the VMware Horizon View Administration document for more information.

Creating an OU for View Desktops

You should create an organizational unit (OU) specifically for your View desktops. An OU is a subdivision in Active Directory that contains users, groups, computers, or other OUs.
To prevent group policy settings from being applied to other Windows servers or workstations in the same domain as your desktops, you can create a GPO for your View group policies and link it to the OU that contains your View desktops. You can also delegate control of the OU to subordinate groups, such as server operators or individual users.
If you use View Composer, you should create a separate Active Directory container for linked-clone desktops that is based on the OU for your View desktops. View administrators that have OU administrator privileges in Active Directory can provision linked-clone desktops without domain administrator privileges. If you change administrator credentials in Active Directory, you must also update the credential information in View Composer.

Creating OUs and Groups for Kiosk Mode Client Accounts

A client in kiosk mode is a thin client or a locked-down PC that runs View Client to connect to a View Connection Server instance and launch a remote desktop session. If you configure clients in kiosk mode, you should create dedicated OUs and groups in Active Directory for kiosk mode client accounts.
Creating dedicated OUs and groups for kiosk mode client accounts partitions client systems against unwarranted intrusion and simplifies client configuration and administration.
See the VMware Horizon View Administration document for more information.

Creating Groups for View Users

You should create groups for different types of View users in Active Directory. For example, you can create a group called VMware Horizon View Users for your View desktop users and another group called VMware Horizon View Administrators for users that will administer View desktops.

Creating a User Account for vCenter Server

You must create a user account in Active Directory to use with vCenter Server. You specify this user account when you add a vCenter Server instance in View Administrator.
The user account must be in the same domain as your View Connection Server host or in a trusted domain. If you use View Composer, you must add the user account to the local Administrators group on the vCenter Server computer.
You must give the user account privileges to perform certain operations in vCenter Server. If you use View Composer, you must give the user account additional privileges. See “Configuring User Accounts for vCenter Server and View Composer,” on page 89 for information on configuring these privileges.

Create a User Account for View Composer

If you use View Composer, you must create a user account in Active Directory to use with View Composer. View Composer requires this account to join linked-clone desktops to your Active Directory domain.
To ensure security, you should create a separate user account to use with View Composer. By creating a separate account, you can guarantee that it does not have additional privileges that are defined for another purpose. You can give the account the minimum privileges that it needs to create and remove computer objects in a specified Active Directory container. For example, the View Composer account does not require domain administrator privileges.
Procedure
1 In Active Directory, create a user account in the same domain as your View Connection Server host or in a trusted domain.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.
   The following list shows all the required permissions for the user account, including permissions that are assigned by default:
   - List Contents
   - Read All Properties
   - Write All Properties
   - Read Permissions
   - Reset Password
   - Create Computer Objects
   - Delete Computer Objects
   NOTE If you select the Allow reuse of pre-existing computer accounts setting for a desktop pool, you only need to add the following permissions:
   - List Contents
   - Read All Properties
   - Read Permissions
   - Reset Password
3 Make sure that the user account's permissions apply to the Active Directory container and to all child objects of the container.
What to do next
Specify the account in View Administrator when you configure View Composer for vCenter Server and when you configure and deploy linked-clone desktop pools.
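One way to check the result of this procedure, as an added example that is not part of the VMware manual: the PowerShell below reads the ACL on the linked-clone container and reports which of the listed permissions the View Composer account holds, which of its entries do not reach child objects, and whether it holds rights to rewrite the ACL or owner (rights that are not in the list). The container DN and account name are assumptions, and the script expects the ActiveDirectory module with PowerShell 3.0 or later.

```powershell
# Added example: audit the View Composer account's ACEs on the linked-clone
# container. The DN and account name are assumptions; substitute your own.
Import-Module ActiveDirectory

$Container = 'OU=ViewLinkedClones,DC=example,DC=com'   # assumed container DN
$Account   = 'EXAMPLE\svc-viewcomposer'                # assumed account name

# Well-known GUIDs that appear in object-specific ACEs.
$Computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer class
$ResetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password right
$Any      = [guid]::Empty                                 # ACE is not object-specific
$R        = [System.DirectoryServices.ActiveDirectoryRights]

# Allow ACEs on the container whose trustee is the View Composer account.
$aces = @((Get-Acl -Path "AD:\$Container").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
})

# True when some ACE grants $Right for $ObjectType (or for every object type).
function Test-Grant {
    param($Right, [guid]$ObjectType)
    foreach ($ace in $aces) {
        $hasRight = ([int]$ace.ActiveDirectoryRights -band [int]$Right) -eq [int]$Right
        $typeOk   = ($ace.ObjectType -eq $Any) -or ($ace.ObjectType -eq $ObjectType)
        if ($hasRight -and $typeOk) { return $true }
    }
    return $false
}

# Permissions from the list in step 2, mapped to directory rights.
$required = [ordered]@{
    'List Contents'           = @($R::ListChildren,  $Any)
    'Read All Properties'     = @($R::ReadProperty,  $Any)
    'Write All Properties'    = @($R::WriteProperty, $Any)
    'Read Permissions'        = @($R::ReadControl,   $Any)
    'Reset Password'          = @($R::ExtendedRight, $ResetPwd)
    'Create Computer Objects' = @($R::CreateChild,   $Computer)
    'Delete Computer Objects' = @($R::DeleteChild,   $Computer)
}

$report = foreach ($name in $required.Keys) {
    $right, $type = $required[$name]
    [pscustomobject]@{ Permission = $name; Granted = (Test-Grant $right $type) }
}
$report | Format-Table -AutoSize

# Step 3: permissions must reach child objects, so 'None' is a finding.
$aces | Where-Object { $_.InheritanceType -eq 'None' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType

# Rights outside the list that let the account change the ACL or the owner.
$mask = [int]$R::WriteDacl -bor [int]$R::WriteOwner
$aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $mask) -ne 0 } |
    Select-Object ActiveDirectoryRights, ObjectType, IsInherited
```

If the pool uses Allow reuse of pre-existing computer accounts, only the List Contents, Read All Properties, Read Permissions, and Reset Password rows need to show True.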

Configure the Restricted Groups Policy

To be able to log in to a View desktop, users must belong to the local Remote Desktop Users group of the View desktop. You can use the Restricted Groups policy in Active Directory to add users or groups to the local Remote Desktop Users group of every View desktop that is joined to your domain.
The Restricted Groups policy sets the local group membership of computers in the domain to match the membership list settings defined in the Restricted Groups policy. The members of your View desktop users group are always added to the local Remote Desktop Users group of every View desktop that is joined to your domain. When adding new users, you need only add them to your View desktop users group.
Prerequisites
Create a group for View desktop users in your domain in Active Directory.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.

   AD Version     Navigation Path
   Windows 2003   a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
                  b Right-click your domain and click Properties.
                  c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
                  d Right-click Default Domain Policy, and click Edit.
   Windows 2008   a Select Start > Administrative Tools > Group Policy Management.
                  b Expand your domain, right-click Default Domain Policy, and click Edit.

2 Expand the Computer Configuration section and open Windows Settings\Security Settings.
3 Right-click Restricted Groups, select Add Group, and add the Remote Desktop Users group.
4 Right-click the new restricted Remote Desktop Users group and add your View desktop users group to the group membership list.
5 Click OK to save your changes.

Using View Group Policy Administrative Template Files

View includes several component-specific group policy administrative (ADM) template files.
During View Connection Server installation, the View ADM template files are installed in the install_directory\VMware\VMware View\Server\Extras\GroupPolicyFiles directory on your View Connection Server host. You must copy these files to a directory on your Active Directory server.
You can optimize and secure View desktops by adding the policy settings in these files to a new or existing GPO in Active Directory and then linking that GPO to the OU that contains your View desktops.
See the VMware Horizon View Administration document for information on using View group policy settings.

Prepare Active Directory for Smart Card Authentication

You might need to perform certain tasks in Active Directory when you implement smart card authentication.
- Add UPNs for Smart Card Users
  Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users that use smart cards to authenticate in View must have a valid UPN.
- Add the Root Certificate to Trusted Root Certification Authorities
  If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
- Add an Intermediate Certificate to Intermediate Certification Authorities
  If you use an intermediate certification authority (CA) to issue smart card login or domain controller certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.
- Add the Root Certificate to the Enterprise NTAuth Store
  If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

Add UPNs for Smart Card Users

Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users that use smart cards to authenticate in View must have a valid UPN.
If the domain a smart card user resides in is different from the domain that your root certificate was issued from, you must set the user’s UPN to the Subject Alternative Name (SAN) contained in the root certificate of the trusted CA. If your root certificate was issued from a server in the smart card user's current domain, you do not need to modify the user's UPN.
NOTE You might need to set the UPN for built-in Active Directory accounts, even if the certificate is issued from the same domain. Built-in accounts, including Administrator, do not have a UPN set by default.
Prerequisites
- Obtain the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
- If the ADSI Edit utility is not present on your Active Directory server, download and install the appropriate Windows Support Tools from the Microsoft Web site.
Procedure
1 On your Active Directory server, start the ADSI Edit utility.
2 In the left pane, expand the domain the user is located in and double-click CN=Users.
3 In the right pane, right-click the user and then click Properties.
4 Double-click the userPrincipalName attribute and type the SAN value of the trusted CA certificate.
5 Click OK to save the attribute setting.

Add the Root Certificate to Trusted Root Certification Authorities

If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.

   AD Version     Navigation Path
   Windows 2003   a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
                  b Right-click your domain and click Properties.
                  c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
                  d Right-click Default Domain Policy, and click Edit.
   Windows 2008   a Select Start > Administrative Tools > Group Policy Management.
                  b Expand your domain, right-click Default Domain Policy, and click Edit.

2 Expand the Computer Configuration section and open Windows Settings\Security Settings\Public Key.
3 Right-click Trusted Root Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
5 Close the Group Policy window.
All of the systems in the domain now have a copy of the root certificate in their trusted root store.
What to do next
If an intermediate certification authority (CA) issues your smart card login or domain controller certificates, add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory. See “Add an Intermediate Certificate to Intermediate Certification Authorities,” on page 26.

Add an Intermediate Certificate to Intermediate Certification Authorities

If you use an intermediate certification authority (CA) to issue smart card login or domain controller certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.

   AD Version     Navigation Path
   Windows 2003   a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
                  b Right-click your domain and click Properties.
                  c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
                  d Right-click Default Domain Policy, and click Edit.
   Windows 2008   a Select Start > Administrative Tools > Group Policy Management.
                  b Expand your domain, right-click Default Domain Policy, and click Edit.

2 Expand the Computer Configuration section and open the policy for Windows Settings\Security Settings\Public Key.
3 Right-click Intermediate Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.cer) and click OK.
5 Close the Group Policy window.
All of the systems in the domain now have a copy of the intermediate certificate in their intermediate certification authority store.

Add the Root Certificate to the Enterprise NTAuth Store

If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Procedure
- On your Active Directory server, use the certutil command to publish the certificate to the Enterprise NTAuth store.
  For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA
The CA is now trusted to issue certificates of this type.
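Because every certificate in the Enterprise NTAuth store is trusted to issue logon certificates, it is worth reviewing the store after publishing. The following added example (not from the VMware manual) reads the NTAuthCertificates object from the configuration partition and lists each published certificate; the expected thumbprint is a placeholder you must replace, and the script assumes the ActiveDirectory module with PowerShell 3.0 or later.

```powershell
# Added example: list the CA certificates published in the Enterprise NTAuth
# store and flag entries that are expired or not on the expected list.
Import-Module ActiveDirectory

# Placeholder: thumbprints of the CA certificates you intended to publish.
$ExpectedThumbprints = @('<THUMBPRINT-OF-YOUR-CA-CERTIFICATE>')

# The store is the cACertificate attribute of the NTAuthCertificates object
# in the forest's configuration naming context.
$configNC = (Get-ADRootDSE).configurationNamingContext
$storeDN  = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$store    = Get-ADObject -Identity $storeDN -Properties cACertificate

$now = Get-Date
$report = foreach ($raw in $store.cACertificate) {
    # The leading comma stops PowerShell from unrolling the byte array
    # into separate constructor arguments.
    $cert = New-Object `
        System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,[byte[]]$raw)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        Expected   = ($ExpectedThumbprints -contains $cert.Thumbprint)
    }
}

# Full listing, then only the entries that need attention.
$report | Format-Table Subject, Thumbprint, NotAfter, Expired, Expected -AutoSize
$report | Where-Object { $_.Expired -or -not $_.Expected } |
    Format-List Subject, Issuer, Thumbprint, NotAfter
```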

Chapter 4 Installing View Composer

To use View Composer, you create a View Composer database, install the View Composer service, and optimize your View infrastructure to support View Composer. You can install the View Composer service on the same host as vCenter Server or on a separate host.
View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop pools.
You must have a license to install and use the View Composer feature.
This chapter includes the following topics:
- Prepare a View Composer Database
- Configuring an SSL Certificate for View Composer
- Install the View Composer Service
- Configuring Your Infrastructure for View Composer

Prepare a View Composer Database

You must create a database and data source name (DSN) to store View Composer data.
The View Composer service does not include a database. If a database instance does not exist in your network environment, you must install one. After you install a database instance, you add the View Composer database to the instance.
You can add the View Composer database to the instance on which the vCenter Server database is located. You can configure the database locally, or remotely, on a network-connected Linux, UNIX, or Windows Server computer.
The View Composer database stores information about connections and components that are used by View Composer:
- vCenter Server connections
- Active Directory connections
- Linked-clone desktops that are deployed by View Composer
- Replicas that are created by View Composer
Each instance of the View Composer service must have its own View Composer database. Multiple View Composer services cannot share a View Composer database.
For a list of supported database versions, see “Database Requirements for View Composer,” on page 10.
To add a View Composer database to an installed database instance, choose one of these procedures.
- Create a SQL Server Database for View Composer
  View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it.
- Create an Oracle Database for View Composer
  View Composer can store linked-clone desktop information in an Oracle 11g or 10g database. You create a View Composer database by adding it to an existing Oracle instance and configuring an ODBC data source for it. You can add a new View Composer database by using the Oracle Database Configuration Assistant or by running a SQL statement.

Create a SQL Server Database for View Composer

View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it.
Add a View Composer Database to SQL Server
You can add a new View Composer database to an existing Microsoft SQL Server instance to store linked-clone data for View Composer.
If the database resides locally, on the system on which View Composer will be installed, you can use the Integrated Windows Authentication security model. If the database resides on a remote system, you cannot use this method of authentication.
Prerequisites
- Verify that a supported version of SQL Server is installed on the computer on which you will install View Composer or in your network environment. For details, see “Database Requirements for View Composer,” on page 10.
- Verify that you use SQL Server Management Studio or SQL Server Management Studio Express to create and administer the data source. You can download and install SQL Server Management Studio Express from the following Web site.
  http://www.microsoft.com/downloadS/details.aspx?familyid=C243A5AE-4BD1-4E3D-94B8-5A0F62BF7796
Procedure
1 On the View Composer computer, select Start > All Programs > Microsoft SQL Server 2008 or Microsoft SQL Server 2005.
2 Select SQL Server Management Studio Express and connect to the existing SQL Server instance for vSphere Management.
3 In the Object Explorer panel, right-click the Databases entry and select New Database.
4 In the New Database dialog box, type a name in the Database name text box.
For example: viewComposer
5 Click OK.
SQL Server Management Studio Express adds your database to the Databases entry in the Object Explorer panel.
6 Exit Microsoft SQL Server Management Studio Express.
What to do next
Follow the instructions in “Add an ODBC Data Source to SQL Server,” on page 31.