VMware Horizon View - 7.0, Horizon 4.0 User Manual
Using HTML Access
March 2016
VMware Horizon
This document supports the version of each product listed and
supports all subsequent versions until the document is
replaced by a new edition. To check for more recent editions
of this document, see http://www.vmware.com/support/pubs.
EN-002044-00
Using HTML Access
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2013–2016 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
Contents
Using HTML Access 5
Setup and Installation 7
1
System Requirements for HTML Access 7
Preparing View Connection Server and Security Servers for HTML Access 10
Firewall Rules for HTML Access 12
Prepare Desktops, Pools, and Farms for HTML Access 12
Configure HTML Access Agents to Use New SSL Certificates 14
Add the Certificate Snap-In to MMC on a View Desktop 15
Import a Certificate for the HTML Access Agent into the Windows Certificate Store 15
Import Root and Intermediate Certificates for the HTML Access Agent 16
Set the Certificate Thumbprint in the Windows Registry 17
Configure HTML Access Agents to Use Specific Cipher Suites 17
Configuring iOS to Use CA-Signed Certificates 18
Upgrading the HTML Access Software 18
Uninstall HTML Access from View Connection Server 19
Data Collected by VMware 20
Configuring HTML Access for End Users 23
2
Configure the VMware Horizon Web Portal Page for End Users 23
Using URIs to Configure HTML Access Web Clients 25
Syntax for Creating URIs for HTML Access 26
Examples of URIs 27
Configure Group Policy Settings for HTML Access 28
Group Policy Settings for HTML Access 29
Using a Remote Desktop or Application 31
3
Feature Support Matrix 31
Internationalization 33
Connect to a Remote Desktop or Application 33
Trust a Self-Signed Root Certificate 34
Shortcut Key Combinations 35
International Keyboards 38
Screen Resolution 38
Using the Sidebar 39
Sound 42
Copying and Pasting Text 42
Use the Copy and Paste Feature 42
Log Off or Disconnect 44
Reset a Remote Desktop or Application 44
Index 47
VMware, Inc. 3
Using HTML Access
4 VMware, Inc.
Using HTML Access
This guide, Using HTML Access, provides information about installing and using the HTML Access feature
of VMware Horizon™ 7 to connect to virtual desktops without having to install any software on a client
system.
The information in this document includes system requirements and instructions for installing
HTML Access software on a View server and in a remote desktop virtual machine so that end users can use
a Web browser to access remote desktops.
IMPORTANT This information is written for administrators who already have some experience using View
and VMware vSphere. If you are a novice user of View, you might occasionally need to refer to the step-bystep instructions for basic procedures in the View Installation documentation and the View Administration
documentation.
VMware, Inc.
5
Using HTML Access
6 VMware, Inc.
Setup and Installation 1
Setting up a View deployment for HTML Access involves installing HTML Access on View Connection
Server, opening the required ports, and installing the HTML Access component in the remote desktop
virtual machine.
End users can then access their remote desktops by opening a supported browser and entering the URL for
View Connection Server.
This chapter includes the following topics:
“System Requirements for HTML Access,” on page 7
n
“Preparing View Connection Server and Security Servers for HTML Access,” on page 10
n
“Prepare Desktops, Pools, and Farms for HTML Access,” on page 12
n
“Configure HTML Access Agents to Use New SSL Certificates,” on page 14
n
“Configure HTML Access Agents to Use Specific Cipher Suites,” on page 17
n
“Configuring iOS to Use CA-Signed Certificates,” on page 18
n
“Upgrading the HTML Access Software,” on page 18
n
“Uninstall HTML Access from View Connection Server,” on page 19
n
“Data Collected by VMware,” on page 20
n
System Requirements for HTML Access
With HTML Access the client system does not require any software other than a supported browser. The
View deployment must meet certain software requirements.
NOTE Starting with version 7.0, View Agent is renamed Horizon Agent.
Browser on client
systems
VMware, Inc. 7
HTML Access 4.0 supports the following browsers.
n
Browser Version
Chrome 47, 48
Internet Explorer 11
Safari 8, 9
Safari on mobile device iOS 8, iOS 9
Using HTML Access
Browser Version
Firefox 43, 44
Microsoft Edge 20, 25
HTML Access 3.5 supports the following browsers.
n
Browser Version
Chrome 43, 44
Internet Explorer 10, 11
Safari 7, 8 (Mobile Safari is not supported.)
Firefox 38, 39
Microsoft Edge 20
HTML Access 3.4 supports the following browsers.
n
Browser Version
Chrome 41, 42, 43
Internet Explorer 10, 11
Safari 7, 8 (Mobile Safari is not supported.)
Firefox 36, 37, 38
Client operating
systems
HTML Access 4.0 supports the following operating systems.
n
Operating System Version
Windows 7 SP1 (32- and 64-bit)
Windows 8.x (32- and 64-bit)
Windows 10 (32- and 64-bit)
Mac OS X 10.10.x (Yosemite)
Mac OS X 10.11 (El Capitan)
iOS 8
iOS 9
Chrome OS 28.x and later
HTML Access 3.5 supports the following operating systems.
n
Operating System Version
Windows 7 SP1 (32- and 64-bit)
Windows 8.x (32- and 64-bit)
Windows 10 (32- and 64-bit)
Mac OS X 10.9.x (Mavericks)
Max OS X 10.10.x (Yosemite)
Chrome OS 28.x and later
8 VMware, Inc.
Chapter 1 Setup and Installation
HTML Access 3.4 supports the following operating systems.
n
Operating System Version
Windows 7 SP1 (32- and 64-bit)
Windows 8 (32- and 64-bit)
Mac OS X 10.9.x (Mavericks)
Max OS X 10.10.x (Yosemite)
Chrome OS 28.x and later
NOTE For HTML Access 3.5 and earlier, iOS devices such as phones and
tablets are not supported. VMware recommends that you instead use
Horizon Client for iOS. If you must support HTML Access on these devices,
do not install HTML Access 3.x. Instead use HTML Access 2.6, which is the
default version installed with View Connection Server 6.1.1.
Remote desktops
Pool settings
HTML Access 4.0 requires Horizon Agent 7.0 or later, and supports all
n
the desktop operating systems that Horizon 7.0 supports. For more
information, see the topic "Supported Operating Systems for View
Agent" in version 7.0 of View Installation.
HTML Access 3.5 requires View Agent 6.1 or later, and supports all the
n
desktop operating systems that View 6.2 supports. For more
information, see the topic "Supported Operating Systems for View
Agent" in version 6.2 of View Installation.
HTML Access 3.4 requires View Agent 6.1.1, and supports all the
n
desktop operating systems that View 6.1 supports. For more
information, see the topic "Supported Operating Systems for View
Agent" in version 6.1 of View Installation.
HTML Access requires the following pool settings, in View Administrator:
The Max resolution of any one monitor setting must be 1920x1200 or
n
higher so that the remote desktop has at least 17.63 MB of video RAM.
If you plan to use 3D applications or if end users will use a Macbook
with Retina Display or a Google Chromebook Pixel, see “Screen
Resolution,” on page 38.
The HTML Access setting must be enabled.
n
Configuration instructions are provided in “Prepare Desktops, Pools, and
Farms for HTML Access,” on page 12.
View Connection Server
View Connection Server with the HTML Access option must be installed on
the server.
HTML Access 3.5 requires View Connection Server 6.2. When you install
View Connection Server 6.2, you must select the Install HTML Access
option.
HTML Access 3.4 requires View Connection Server 6.1.1. After you install or
upgrade to View Connection Server 6.1.1 and verify that your remote
desktops and RDS hosts are running View Agent 6.1.1, you must run a
separate HTML Access installer on View Connection Server instances.
VMware, Inc. 9
Using HTML Access
When you install the HTML Access component, the VMware Horizon View
Connection Server (Blast-In) rule is enabled in the Windows Firewall, so
that the firewall is automatically configured to allow inbound traffic to TCP
port 8443.
Security Server
View Security Server: The same version as View Connection Server must be
installed on the security server.
If client systems connect from outside the corporate firewall, VMware
recommends that you use a security server. With a security server, client
systems will not require a VPN connection.
NOTE A single security server can support up to 800 simultaneous
connections to Web clients.
Third-party firewalls
Add rules to allow the following traffic:
Servers (including security servers, View Connection Server instances,
n
and replica servers): inbound traffic to TCP port 8443.
Remote desktop virtual machines: inbound traffic (from servers) to TCP
n
port 22443.
Display protocol for
View
VMware Blast
When you use a Web browser to access a remote desktop, the VMware Blast
protocol is used rather than PCoIP or Microsoft RDP. VMware Blast uses
HTTPS (HTTP over SSL/TLS).
Preparing View Connection Server and Security Servers for HTML Access
Administrators must perform specific tasks so that end users can connect to remote desktops using a Web
browser.
Before end users can connect to View Connection Server or a security server and access a remote desktop,
you must install View Connection Server with the HTML Access component and install security servers.
IMPORTANT For some versions of HTML Access, if you accidentally install View Connection Server without
the HTML Access option and then later decide that you do want the HTML Access component, you must
uninstall View Connection Server and then run the installer again with the HTML Access option selected.
When you uninstall View Connection Server, do not uninstall the View LDAP configuration, called the AD
LDS Instance VMwareVDMDS instance.
For other versions of HTML Access, you use a separate installer for HTML Access and so do not need to
reinstall View Connection Server.
Table 1‑1. Installer Requirements for HTML Access Versions
View Connection Server
HTML Access Version
4.0 7.0 No separate HTML Access installer
3.5 6.2 No separate HTML Access installer
3.4 6.1.1 Separate installer
2.6 6.1, 6.1.1 No separate HTML Access installer
Version Install Requirements
10 VMware, Inc.
Chapter 1 Setup and Installation
Following is a check list of the tasks you must perform in order to use HTML Access:
1 Install View Connection Server with the HTML Access option on the server or servers that will
compose a View Connection Server replicated group.
By default, the HTML Access component is already selected in the installer. For installation
instructions, see the View Installation documentation.
NOTE To check whether the HTML Access component is installed, you can open the Uninstall a
Program applet in the Windows operating system and look for View HTML Access in the list.
2 For HTML Access 3.4 only, download the HTML Access Web Portal installer onto your View
Connection Server instances and run the installer. For other versions, this step is not necessary because
HTML Access is automatically installed in step 1.
The HTML Access 3.4 installer is available from the Horizon 6 version 6.1.1 download page
(http://www.vmware.com/go/downloadview). The installer is named VMware-Horizon-View-HTML-
Access_X64-3.4.0-xxxxxx.exe, where xxxxxx is the build number.
NOTE If you are performing an upgrade rather than a new installation, you must upgrade View Agent
before you perform this step. Follow the steps in “Upgrading the HTML Access Software,” on
page 18.
3 If you use security servers, install View Security Server.
For installation instructions, see the View Installation documentation.
IMPORTANT The version of View Security Server must match the version of View Connection Server.
4 Verify that each View Connection Server instance or security server has a security certificate that can be
fully verified by using the host name that you enter in the browser.
For more information, see the View Installation documentation.
5 To use two-factor authentication, such as RSA SecurID or RADIUS authentication, verify that this
feature is enabled on View Connection Server.
For more information, see the topics about two-factor authentication in the View Administration
documentation.
6 If you use third-party firewalls, configure rules to allow inbound traffic to TCP port 8443 for all security
servers and View Connection Server hosts in a replicated group, and configure a rule to allow inbound
traffic (from View servers) to TCP port 22443 on remote desktops in the datacenter. For more
information, see “Firewall Rules for HTML Access,” on page 12.
After the servers are installed, if you look in View Administrator, you will see that the Blast Secure
Gateway setting is enabled on the applicable View Connection Server instances and security servers. Also,
the Blast External URL setting is automatically configured to use for the Blast Secure Gateway on the
applicable View Connection Server instances and security servers. By default, the URL includes the FQDN
of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and
port number that a client system can use to reach this View Connection Server host or security server host.
For more information, see "Set the External URLs for a View Connection Server Instance," in the View
Installation documentation.
NOTE You can use HTML Access in conjunction with VMware Workspace Portal to allow users to connect
to their desktops from an HTML5 browser. For information about installing Workspace Portal and
configuring it for use with View Connection Server, see the Workspace Portal documentation. For
information about pairing View Connection Server with a SAML Authentication server, see the View
Administration documentation.
VMware, Inc. 11
Using HTML Access
Firewall Rules for HTML Access
To allow client Web browsers to use HTML Access to make connections to security servers, View
Connection Server instances, and remote desktops, your firewalls must allow inbound traffic on certain TCP
ports.
HTML Access connections must use HTTPS. HTTP connections are not allowed.
By default, when you install a View Connection Server instance or security server, the VMware Horizon
View Connection Server (Blast-In) rule is enabled in the Windows Firewall, so that the firewall is
automatically configured to allow inbound traffic to TCP port 8443.
Table 1‑2. Firewall Rules for HTML Access
Default
Source
Source
Client Web
browser
Client Web
browser
Blast Secure
Gateway
Client Web
browser
Port Protocol Target
TCP
Any
TCP
Any
TCP
Any
TCP
Any
HTTPS Security
server or
View
Connection
Server
instance
HTTPS Blast Secure
Gateway
HTTPS HTML
Access agent
HTTPS HTML
Access agent
Default
Target
Port Notes
TCP 443 To make the initial connection to View, the Web browser on a
client device connects to a security server or View Connection
Server instance on TCP port 443.
TCP 8443 After the initial connection to View is made, the Web browser
on a client device connects to the Blast Secure Gateway on
TCP port 8443. The Blast Secure Gateway must be enabled on
a security server or View Connection Server instance to allow
this second connection to take place.
TCP
22443
TCP
22443
If the Blast Secure Gateway is enabled, after the user selects a
remote desktop, the Blast Secure Gateway connects to the
HTML Access agent on TCP port 22443 on the desktop. This
agent component is included when you install View Agent.
If the Blast Secure Gateway is not enabled, after the user
selects a View desktop, the Web browser on a client device
makes a direct connection to the HTML Access agent on TCP
port 22443 on the desktop. This agent component is included
when you install View Agent.
Prepare Desktops, Pools, and Farms for HTML Access
Before end users can access a remote desktop or application, administrators must configure certain pool and
farm settings and install View Agent on remote desktop virtual machines and RDS hosts in the data center.
The HTML Access client is a good alternative when Horizon Client software is not installed on the client
system.
NOTE The Horizon Client software offers more features and better performance than the HTML Access
client. For example, with the HTML Access client, some key combinations do not work in the remote
desktop, but these key combinations do work with Horizon Client.
Prerequisites
Verify that your vSphere infrastructure and View components meet the system requirements for
n
HTML Access.
See “System Requirements for HTML Access,” on page 7.
12 VMware, Inc.
Chapter 1 Setup and Installation
Verify that the HTML Access component is installed with View Connection Server on the host or hosts
n
and that the Windows firewalls on View Connection Server instances and any security servers allow
inbound traffic on TCP port 8443.
See “Preparing View Connection Server and Security Servers for HTML Access,” on page 10.
If you use third-party firewalls, configure a rule to allow inbound traffic from View servers to TCP port
n
22443 on View desktops in the data center.
Verify that the virtual machine you plan to use as a desktop source or RDS host has the following
n
software installed: a supported operating system and VMware Tools.
For a list of the supported operating systems, see “System Requirements for HTML Access,” on page 7.
Familiarize yourself with the procedures for creating pools and farms and entitling users. See the topics
n
about creating pools and farms in Setting Up Desktops and Applications in View.
To verify that the remote desktop or application is accessible to end users, verify that you have
n
Horizon Client software installed on a client system. You will test the connection by using the
Horizon Client software before attempting to connect from a browser.
For Horizon Client installation instructions, see the Horizon Client documentation site at
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Verify that you have one of the supported browsers for accessing a remote desktop. See “System
n
Requirements for HTML Access,” on page 7.
Procedure
1 Install View Agent with the HTML Access option on all parent virtual machines for linked-clone pools,
virtual machine templates for full clone pools, virtual machines for manual pools, and RDS hosts for
desktop and hosted application pools.
2 For RDS desktops and applications, use View Administrator to create or edit the farm and enable the
Allow HTML Access to desktops and applications on this farm option in the farm settings.
3 For single-session desktop pools, use View Administrator to create or edit the desktop pool so that the
pool can be used with HTML Access.
a Enable the HTML Access in the Desktop Pool settings.
The HTML Access setting does not appear in the Add Desktop Pool wizard when you create RDS
desktop pools. Instead, you enable the Allow HTML Access to desktops and applications on this
farm option when creating or editing the farm of RDS hosts.
b In the pool settings, verify that the Max resolution of any one monitor setting is 1920x1200 or
higher.
4 After the pools are created, recomposed, or upgraded to use View Agent with the HTML Access
option, use Horizon Client to log in to a desktop or application.
With this step, before you attempt to use HTML Access, you verify that the pool is working correctly.
5 Open a supported browser and enter a URL that points to your View Connection Server instance.
For example:
https://horizon.mycompany.com
Be sure to use https in the URL.
6 On the Web page that appears, click VMware Horizon HTML Access and log in as you would with the
Horizon Client software.
7 On the desktop and application selection page that appears, click an icon to connect.
VMware, Inc. 13
Using HTML Access
You can now access a remote desktop or application from a Web browser when you are using a client device
that does not or cannot have Horizon Client software installed in its operating system.
What to do next
For added security, if your security policies require that the Blast agent on the remote desktop uses an SSL
certificate from a certificate authority, see “Configure HTML Access Agents to Use New SSL Certificates,”
on page 14.
Configure HTML Access Agents to Use New SSL Certificates
To comply with industry or security regulations, you can replace the default SSL certificates that are
generated by the HTML Access Agent with certificates that are signed by a Certificate Authority (CA).
When you install the HTML Access Agent on View desktops, the HTML Access Agent service creates
default, self-signed certificates. The service presents the default certificates to browsers that use
HTML Access to connect to View.
NOTE In the guest operating system on the desktop virtual machine, this service is called the VMware Blast
service.
To replace the default certificates with signed certificates that you obtain from a CA, you must import a
certificate into the Windows local computer certificate store on each View desktop. You must also set a
registry value on each desktop that allows the HTML Access Agent to use the new certificate.
If you replace the default HTML Access Agent certificates with CA-signed certificates, VMware
recommends that you configure a unique certificate on each desktop. Do not configure a CA-signed
certificate on a parent virtual machine or template that you use to create a desktop pool. That approach
would result in hundreds or thousands of desktops with identical certificates.
Procedure
1 Add the Certificate Snap-In to MMC on a View Desktop on page 15
Before you can add certificates to the Windows local computer certificate store, you must add the
Certificate snap-in to the Microsoft Management Console (MMC) on the View desktops where the
HTML Access Agent is installed.
2 Import a Certificate for the HTML Access Agent into the Windows Certificate Store on page 15
To replace a default HTML Access Agent certificate with a CA-signed certificate, you must import the
CA-signed certificate into the Windows local computer certificate store. Perform this procedure on
each desktop where the HTML Access Agent is installed.
3 Import Root and Intermediate Certificates for the HTML Access Agent on page 16
If the root certificate and intermediate certificates in the certificate chain are not imported with the SSL
certificate that you imported for the HTML Access Agent, you must import these certificates into the
Windows local computer certificate store.
4 Set the Certificate Thumbprint in the Windows Registry on page 17
To allow the HTML Access Agent to use a CA-signed certificate that was imported into the Windows
certificate store, you must configure the certificate thumbprint in a Windows registry key. You must
take this step on each desktop on which you replace the default certificate with a CA-signed certificate.
14 VMware, Inc.
Chapter 1 Setup and Installation
Add the Certificate Snap-In to MMC on a View Desktop
Before you can add certificates to the Windows local computer certificate store, you must add the Certificate
snap-in to the Microsoft Management Console (MMC) on the View desktops where the HTML Access Agent
is installed.
Prerequisites
Verify that the MMC and Certificate snap-in are available on the Windows guest operating system where
the HTML Access Agent is installed.
Procedure
1 On the View desktop, click Start and type mmc.exe.
2 In the MMC window, go to File > Add/Remove Snap-in.
3 In the Add or Remove Snap-ins window, select Certificates and click Add.
4 In the Certificates snap-in window, select Computer account, click Next, select Local computer, and
click Finish.
5 In the Add or Remove snap-in window, click OK.
What to do next
Import the SSL certificate into the Windows local computer certificate store. See “Import a Certificate for the
HTML Access Agent into the Windows Certificate Store,” on page 15.
Import a Certificate for the HTML Access Agent into the Windows Certificate Store
To replace a default HTML Access Agent certificate with a CA-signed certificate, you must import the CAsigned certificate into the Windows local computer certificate store. Perform this procedure on each desktop
where the HTML Access Agent is installed.
Prerequisites
Verify that the HTML Access Agent is installed on the View desktop.
n
Verify that the CA-signed certificate was copied to the desktop.
n
Verify that the Certificate snap-in was added to MMC. See “Add the Certificate Snap-In to MMC on a
n
View Desktop,” on page 15.
Procedure
1 In the MMC window on the View desktop, expand the Certificates (Local Computer) node and select
the Personal folder.
2 In the Actions pane, go to More Actions > All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the certificate is stored.
4 Select the certificate file and click Open.
To display your certificate file type, you can select its file format from the File name drop-down menu.
5 Type the password for the private key that is included in the certificate file.
6 Select Mark this key as exportable.
7 Select Include all extendable properties.
VMware, Inc. 15
Loading...