VMware View - 4.5 Administrator’s Guide

VMware View Administrator's Guide

View Manager 4.5

View Composer 2.5

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000244-00

VMware View Administrator's Guide

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

Copyright © 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

About This Book

Configuring View Connection Server 9

Using View Administrator 9

Configuring vCenter Server and View Composer

Backing Up View Connection Server 16

Configuring Settings for Client Sessions 17

Disable or Enable View Connection Server 20

Edit an External URL 21

View LDAP Directory 21

Configuring View Connection Server Settings 22

Configuring Role-Based Delegated Administration 23

Understanding Roles and Privileges 23

Using Folders to Delegate Administration 24

Understanding Permissions 25

Manage Administrators 26

Manage and Review Permissions 27

Manage and Review Folders 29

Manage Custom Roles 31

Predefined Roles and Privileges 32

Required Privileges for Common Tasks 35

Best Practices for Administrator Users and Groups 37

Preparing Unmanaged Desktop Sources 39

Prepare an Unmanaged Desktop Source for View Desktop Deployment 39

Install View Agent on an Unmanaged Desktop Source 39

Creating and Preparing Virtual Machines 43

Creating Virtual Machines for View Desktop Deployment 43

Install View Agent on a Virtual Machine 47

Install View Agent Silently 49

Configure a Virtual Machine with Multiple NICs for View Agent 54

Optimize Windows Guest Operating System Performance 54

Optimize Windows 7 Guest Operating System Performance 55

Optimizing Windows 7 for Linked-Clone Desktops 56

Preparing Virtual Machines for View Composer 62

Creating Virtual Machine Templates 67

Creating Customization Specifications 68

VMware, Inc. 3

VMware View Administrator's Guide

Creating Desktop Pools 69

Automated Pools That Contain Full Virtual Machines 70

Linked-Clone Desktop Pools

Manual Desktop Pools 92

Microsoft Terminal Services Pools 96

Provisioning Desktop Pools 98

Setting Power Policies for Desktop Pools 107

Entitling Users and Groups 113

Add Entitlements to Desktop Pools 113

Remove Entitlements from a Desktop Pool 113

Review Desktop Pool Entitlements 114

Restricting View Desktop Access 114

Setting Up User Authentication 119

Using Smart Card Authentication 119

Using Smart Card Certificate Revocation Checking 127

Using RSA SecurID Authentication 131

Using the Log in as Current User Feature 133

Configuring Policies 135

Setting Policies in View Administrator 135

Using Active Directory Group Policies 139

Using the View Group Policy Administrative Template Files 140

Setting Up Location-Based Printing 153

Using Terminal Services Group Policies 156

Active Directory Group Policy Example 157

Managing Linked-Clone Desktops 161

Reduce Linked-Clone Size with Desktop Refresh 161

Update Linked-Clone Desktops 163

Rebalance Linked-Clone Desktops 168

Manage View Composer Persistent Disks 170

Managing Desktops and Desktop Pools 175

Managing Desktop Pools 175

Reducing Adobe Flash Bandwidth 180

Managing Virtual-Machine Desktops 182

Export View Information to External Files 187

Managing Physical Computers and Terminal Servers 189

Add an Unmanaged Desktop Source to a Pool 189

Remove an Unmanaged Desktop Source from a Pool 190

Delete a Pool That Contains Unmanaged Desktops 190

Unregister an Unmanaged Desktop Source 191

Desktop Status of Physical Computers and Terminal Servers 191

4 VMware, Inc.

Managing ThinApp Applications in View Administrator 193

View Requirements for ThinApp Applications 193

Capturing and Storing Application Packages

Assigning ThinApp Applications to Desktops and Pools 197

Maintaining ThinApp Applications in View Administrator 203

Monitoring and Troubleshooting ThinApp Applications in View Administrator 206

ThinApp Configuration Example 209

194

Contents

Managing Local Desktops 211

Benefits of Using View Desktops in Local Mode 211

Managing View Transfer Server 217

Managing the Transfer Server Repository 221

Managing Data Transfers 227

Configure Security and Optimization for Local Desktop Operations 231

Configuring Endpoint Resource Usage 236

Configuring an HTTP Cache to Provision Local Desktops Over a WAN 240

Configuring the Heartbeat Interval for Local Desktop Client Computers 243

Manually Downloading a Local Desktop to a Location with Poor Network Connections 245

Troubleshooting View Transfer Server and Local Desktop Operations 248

Maintaining View Components 257

Backing Up and Restoring View Configuration Data 257

Monitor View Components 262

Monitor Desktop Status 263

Understanding View Manager Services 263

Add Licenses to VMware View 266

Update General User Information from Active Directory 266

Migrating View Composer with an Existing Database 266

Troubleshooting View Components 269

Monitoring System Health 270

Monitor Events in View Manager 270

Send Messages to Desktop Users 271

Display Desktops with Suspected Problems 271

Manage Desktops and Policies for Unentitled Users 272

Collecting Diagnostic Information for VMware View 272

Update Support Requests 276

Further Troubleshooting Information 276

Troubleshooting Network Connection Problems 276

Troubleshooting Desktop Pool Creation Problems 278

Troubleshooting USB Redirection Problems 282

Troubleshooting QuickPrep Customization Problems 283

View Composer Provisioning Errors 284

Windows XP Linked Clones Fail to Join the Domain 285

Using the vdmadmin Command 287

vdmadmin Command Usage 288

Configuring Logging in View Agent Using the -A Option 291

VMware, Inc. 5

VMware View Administrator's Guide

Overriding IP Addresses Using the -A Option 292

Setting the Name of a View Connection Server Group Using the -C Option

Updating Foreign Security Principals Using the -F Option 294

Listing and Displaying Health Monitors Using the -H Option 294

Listing and Displaying Reports of View Manager Operation Using the -I Option 295

Assigning Dedicated Desktops Using the -L Option 296

Displaying Information About Machines Using the -M Option 297

Configuring Domain Filters Using the -N Option 298

Configuring Domain Filters 300

Displaying the Desktops and Policies of Unentitled Users Using the -O and -P Options 304

Configuring Clients in Kiosk Mode Using the -Q Option 305

Displaying the First User of a Desktop Using the -R Option 309

Removing the Entry for a View Connection Server Instance Using the -S Option 309

Setting the Split Limit for Publishing View Transfer Server Packages Using the -T Option 310

Displaying Information About Users Using the -U Option 310

Decrypting the Virtual Machine of a Local Desktop Using the -V Option 311

Unlocking or Locking Virtual Machines Using the -V Option 312

293

Setting Up Clients in Kiosk Mode 315

Configure Clients in Kiosk Mode 316

Running View Client from the Command Line 325

View Client Command Usage 325

View Client Configuration File 327

View Client Registry Settings 327

View Client Exit Codes 328

Index 331

6 VMware, Inc.

About This Book

The VMware how to configure View Connection Server, create administrators, provision and deploy View desktops, set up user authentication, configure policies, and manage VMware ThinApp™ applications in View Administrator. This guide also describes how to maintain and troubleshoot VMware View components.

View Administrator's Guide describes how to configure and administer VMware View™, including

Intended Audience

This guide is intended for anyone who wants to configure and administer VMware View. The information in this guide is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

VMware Technical Publications Glossary

VMware® Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to

http://www.vmware.com/support/pubs.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

Technical Support and Education Resources

The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

Support Offerings

VMware Professional Services

VMware, Inc. 7

To use online support to submit technical support requests, view your product and contract information, and register your products, go to

http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to

http://www.vmware.com/support/phone_support.html.

To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting

VMware View Administrator's Guide

Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to

http://www.vmware.com/services.

8 VMware, Inc.

Configuring View Connection Server 1

After you install and perform initial configuration of View Connection Server, you can add vCenter Server instances and schedule backups of your configuration data.

This chapter includes the following topics:

Using View Administrator

and View Composer services to View Manager, set up roles to delegate administrator responsibilities,

“Using View Administrator,” on page 9

“Configuring vCenter Server and View Composer,” on page 12

“Backing Up View Connection Server,” on page 16

“Configuring Settings for Client Sessions,” on page 17

“Disable or Enable View Connection Server,” on page 20

“Edit an External URL,” on page 21

“View LDAP Directory,” on page 21

“Configuring View Connection Server Settings,” on page 22

View Administrator is the Web interface through which you configure View Connection Server and manage your View desktops.

For a comparison of the operations that you can perform with View Administrator, View cmdlets, and

vdmadmin, see the VMware View Integration Guide.

View Administrator and View Connection Server

View Administrator provides a management interface for View Manager.

Depending on your View deployment, you use one or more View Administrator interfaces.

Use one View Administrator interface to manage the View components that are associated with a single, standalone View Connection Server instance or a group of replicated View Connection Server instances.

You can use the IP address of any replicated instance to log in to View Administrator.

You must use a separate View Administrator interface to manage the View components for each single, standalone View Connection Server instance and each group of replicated View Connection Server instances.

VMware, Inc. 9

VMware View Administrator's Guide

You also use View Administrator to manage security servers and View Transfer Server instances associated with View Connection Server.

Each security server is associated with one View Connection Server instance.

Each View Transfer Server instance can communicate with any View Connection Server instance in a group of replicated instances.

Log In to View Administrator

To perform initial configuration tasks, you must log in to View Administrator.

Prerequisites

Verify that View Connection Server is installed on a dedicated computer.

Verify that you are using a Web browser supported by View Administrator. For View Administrator requirements, see the VMware View Installation Guide.

Procedure

1 Open

your Web browser and enter the following URL, where server is the host name or IP address of the

View Connection Server instance.

https://

server

/admin

You access View Administrator by using a secure (SSL) connection. When you first connect, your Web browser might display a page warning that the security certificate associated with the address is not issued by a trusted certificate authority. This response is expected behavior because the default certificate supplied with View Connection Server is self-signed.

2 Click Ignore to continue using the current SSL certificate.

3 Log in using administrator credentials on the View Connection Server computer.

Initially, all users who are members of the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer are allowed to log in to View Administrator.

After you log in to View Administrator, you can use View Configuration > Administrators to change the list of View Manager administrators.

Tips for Using the View Administrator Interface

You can use View Administrator user-interface features to navigate View Pages and to find, filter, and sort View objects.

View Administrator includes many common user interface features. For example, the navigation pane on the left side of each page directs you to other View Administrator pages. The search filters let you select filtering criteria that are related to the objects you are searching for.

Table 1-1 describes a few additional features that can help you to use View Administrator.

10 VMware, Inc.

Table 1-1. View Administrator Navigation and Display Features

View Administrator Feature Description

Chapter 1 Configuring View Connection Server

Navigating backward and forward in View Administrator pages.

Multicolumn sorting You can sort View objects in a variety of ways by using multicolumn sorting.

Selecting View objects and displaying View object details

Expanding dialog boxes to view details You can expand View Administrator dialog boxes to view details such as

Click the Back button in the upper left corner of a View Administrator page to go to the previously displayed View Administrator page. Click the Forward button to return to the current page.

Do not use your browser's Back button. This button displays the View Administrator log-in page.

Click a heading in the top row of a View Administrator table to sort the View objects in alphabetical order based on that heading.

For example, in the Inventory > Desktops page, you can click Pool to sort desktops by the pools that contain them.

The number 1 appears next to the heading to indicate that it is the primary sorting column. You can click the heading again to reverse the sorting order, indicated by an up or down arrow.

To sort the View objects by a secondary item, Ctrl+click another heading.

For example, in the Desktops table, you can click Users to perform a secondary sort by users to whom the desktops are dedicated. A number 2 appears next to the secondary heading. In this example, desktops are sorted by pool and by users within each pool.

You can continue to Ctrl+click to sort all the columns in a table in descending order of importance.

Press Ctrl+Shift and click to deselect a sort item.

For example, you might want to display the desktops in a pool that are in a particular state and are stored on a particular datastore. You can click Inventory > Pools, click the pool ID, click the Datastore heading, and Ctrl+click the Status heading.

In View Administrator tables that list View objects, you can select an object or display object details.

To select an object, click anywhere in the object's row in the table. At the top of the page, menus and commands that manage the object become active.

To display object details, double-click the left cell in the object's row. A new page displays the object's details.

For example, on the Inventory > Pools page, click anywhere in an individual pool's row to activate commands that affect the pool.

Double-click the Pool ID cell in the left column to display a new page that contains details about the pool.

desktop names and user names in table columns.

To expand a dialog box, place your mouse over the dots in the lower right corner of the dialog box and drag the corner.

Troubleshooting Access to View Administrator Without a Secure SSL Connection

You cannot log in to View Administrator through a Web browser when the SSL setting for your View clients is not consistent with the URL you use to connect to View Administrator. If you deselect the SSL setting, you cannot use https in the URL.

Problem

The URL that you use to log in to View Administrator no longer works. A connection failure occurs.

Cause

By default, View Manager uses SSL to create secure connections between View clients and View Connection Server. This setting also applies to computers that connect to View Administrator through a Web browser.

VMware, Inc. 11

VMware View Administrator's Guide

This problem occurs when you change this setting in View Administrator by navigating to View > Global Settings and deselecting the Require SSL for client connections and View Administrator check box.

Solution

Use the following URL to connect to View Administrator, where server is the host name or IP address of the View Connection Server instance.

http://

server

/admin

Configuration

Troubleshooting the Text Display in View Administrator

If your Web browser runs on a non-Windows operating system such as Linux, UNIX, or Mac OS, the text in View Administrator does not display properly.

Problem

The text in the View Administrator interface is garbled. For example, spaces occur in the middle of words.

Cause

View Administrator requires Microsoft-specific fonts.

Solution

Install Microsoft-specific fonts on your computer.

Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from independent Web sites.

Configuring vCenter Server and View Composer

To use virtual machines as desktop sources, you must configure View Manager to communicate with vCenter Server. To create and manage linked-clone desktops, you must configure View Composer settings in View Manager.

Add vCenter Server Instances to View Manager

You must configure View Manager to connect to the vCenter Server instances in your View deployment. vCenter Server creates and manages the virtual machines that View Manager uses as desktop sources.

Prerequisites

Install the View Connection Server product license key.

Prepare a vCenter Server user with permission to perform the operations in vCenter Server that are necessary to support View Manager. To use View Composer, you must give the user additional privileges. To manage desktops that are used in local mode, you must give the user privileges in addition to those that are required for View Manager and View Composer.

For details about configuring a vCenter Server user for View Manager, see the VMware View Installation Guide.

Procedure

1 In View Administrator, click View Configuration > Servers.

2 In the vCenter Servers panel, click Add.

12 VMware, Inc.

Chapter 1 Configuring View Connection Server

3 In

the server address text box, type the fully qualified domain name (FQDN) or IP address of the vCenter

Server instance.

The FQDN includes the host name and domain name. For example, in the FQDN

myserverhost.companydomain

.com,

myserverhost

is the host name and

companydomain

.com is the domain.

NOTE If you enter a server by using a DNS name or URL, View Manager does not perform a DNS lookup to verify whether an administrator previously added this server to View Manager by using its IP address. A conflict arises if you add a vCenter Server with both its DNS name and its IP address.

4 Type the name of the vCenter Server user.

Type the vCenter Server user password.

6 (Optional) Type a description for this vCenter Server instance.

7 To connect to the vCenter Server instance using a secure channel (SSL), make sure that Connect using SSL

is selected. SSL connection is the default setting.

8 Type the TCP port number.

The default port is 443.

9 (Optional) Click Advanced to configure the maximum concurrent pool operations in vCenter Server.

a Set the maximum number of concurrent provisioning operations.

This setting determines the largest number of concurrent requests that View Manager can make to provision full virtual machines in this vCenter Server instance. The default value is eight. This setting does not control linked-clone provisioning.

b Set the maximum number of concurrent power operations.

This setting determines the largest number of power operations (startup, shutdown, suspend, and so on) that can take place simultaneously on full virtual machines managed by View Manager in this vCenter Server instance. The default value is five. This setting controls power operations for full virtual machines and linked clones.

10 Choose whether to configure View Composer.

Option

You are not using View Composer

You are using View Composer

Action

Click OK.

Configure the View Composer settings.

What to do next

this View Connection Server instance or group of replicated View Connection Server instances uses multiple

vCenter Server instances, repeat this procedure to add the other vCenter Server instances.

Remove a vCenter Server Instance from View Manager

You can remove the connection between View Manager and a vCenter Server instance. When you do so, View Manager no longer manages the View desktops created in that vCenter Server instance.

Prerequisites

Delete all the View desktops that are associated with the vCenter Server instance. See “Delete a Desktop Pool

from View Manager,” on page 179.

VMware, Inc. 13

VMware View Administrator's Guide

Procedure

Click View Configuration > Servers.

2 In the vCenter Servers panel, select the vCenter Server instance.

3 Click Remove.

A dialog warns you that View Manager will no longer have access to the virtual machines that are managed by this vCenter Server instance.

4 Click OK.

View Manager can no longer access the virtual machines created in the vCenter Server instance.

Create a User Account for View Composer

If you use View Composer, you must create a user account in Active Directory to use with View Composer. View Composer requires this account to join linked-clone desktops to your Active Directory domain.

To ensure security, you should create a separate user account to use with View Composer. By creating a separate account, you can guarantee that it does not have additional privileges that are defined for another purpose. You can give the account the minimum privileges that it needs to create and remove computer objects in a specified Active Directory container. For example, the View Composer account does not require domain administrator privileges.

Procedure

1 In Active Directory, create a user account in the same domain as your View Connection Server host or in

a trusted domain.

2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to

the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.

The following list shows all the required permissions for the user account, including permissions that are assigned by default:

List Contents

Read All Properties

Write All Properties

Read Permissions

Create Computer Objects

Delete Computer Objects

3 Make sure that the user account's permissions apply to the Active Directory container and to all child

objects of the container.

What to do next

Specify the account in View Administrator when you configure View Composer for vCenter Server and when you configure and deploy linked-clone desktop pools.

Configure View Composer Settings for vCenter Server

To use View Composer, you must configure View Manager with initial settings that match the settings for the View Composer service that is installed in vCenter Server. View Composer is a feature of View Manager, but its service operates directly on virtual machines in vCenter Server.

NOTE If you are not using View Composer, you can skip this task.

14 VMware, Inc.

Chapter 1 Configuring View Connection Server

Prerequisites

Verify that you created a user in Active Directory with permission to add and remove virtual machines from

the Active Directory domain that contains your linked clones. See “Create a User Account for View

Composer,” on page 14.

Verify that you configured View Manager to connect to vCenter Server. See “Add vCenter Server Instances

to View Manager,” on page 12.

Procedure

1 In View Administrator, open the Edit vCenter Server dialog box.

a Click View Configuration > Servers.

b In the vCenter Servers panel, select the vCenter Server entry.

c Click Edit.

2 Select Enable View Composer and make sure that the port number is the same as the port that you

specified when you installed the View Composer service on vCenter Server.

View Manager verifies that the View Composer service is running on vCenter Server.

3 Click Add to add the domain user for View Composer account information.

a Type the domain name of the Active Directory domain.

For example: domain.com

b Type the domain user name, including the domain name.

For example: domain.com\admin

c Type the account password.

d Click OK.

e To add domain user accounts with privileges in other Active Directory domains in which you deploy

linked-clone pools, repeat the preceding steps.

4 Click OK to close the Edit vCenter Server dialog box.

What to do next

Repeat this procedure for each vCenter Server instance in which View Composer services are installed.

Remove View Composer from View Manager

You can remove the connection between View Manager and the View Composer service installed in a vCenter Server instance. When you do so, View Manager no longer manages the linked-clone desktops created by View Composer in the vCenter Server instance.

Before you disable the connection to View Composer, you must remove from View Manager all the linkedclone desktops that were created by View Composer. After the connection to View Composer is disabled, View Manager cannot provision, manage, or delete the linked clones. View Manager does not force you to delete the linked clones. You must take this action on your own.

VMware, Inc. 15

VMware View Administrator's Guide

Procedure

Remove the linked-clone pools that were created by View Composer.

a In View Administrator, click Inventory > Pools.

b Select a linked-clone pool and click Delete.

A dialog box warns that you will permanently delete the linked-clone pool from View Manager. The virtual machines are deleted from vCenter Server. In addition, the associated View Composer database entries and the replicas that were created by View Composer are removed.

c Click OK.

d Repeat these steps for each linked-clone pool that was created by View Composer.

2 Click View Configuration > Servers.

3 In the vCenter Servers panel, select the vCenter Server instance in which View Composer is installed.

4 Click Edit.

5 In the View Composer Settings panel, deselect Enable View Composer and click OK.

You can no longer create linked-clone desktops in this vCenter Server instance, but you can continue to create and manage full virtual-machine desktop pools in the vCenter Server instance.

If linked-clone desktops were not deleted before you disabled the connection to View Composer, you can try enabling the connection to View Composer, deleting the linked clones, and disabling the connection to View Composer again. For details about enabling View Composer, see “Configure View Composer Settings for

vCenter Server,” on page 14.

Conflicting vCenter Server Unique IDs

If you have multiple vCenter Server instances configured in your environment, an attempt to add a new instance might fail because of conflicting unique IDs.

Problem

You try to add a vCenter Server instance to View Manager, but the unique ID of the new vCenter Server instance conflicts with an existing instance.

Cause

Two vCenter Server instances cannot use the same unique ID. By default, a vCenter Server unique ID is randomly generated, but you can edit it.

Solution

1 In vSphere Client, click Administration > vCenter Server Settings > Runtime Settings.

2 Type a new unique ID and click OK.

For details about editing vCenter Server unique ID values, see the vSphere documentation.

Backing Up View Connection Server

After you complete the initial configuration of View Connection Server, you should schedule regular backups of your View Manager and View Composer configuration data.

For information about backing up and restoring your View configuration, see “Backing Up and Restoring View

Configuration Data,” on page 257.

16 VMware, Inc.

Configuring Settings for Client Sessions

can configure global settings that affect the client sessions that are managed by a View Connection Server

You instance or replicated group. You can set the session-timeout length, require SSL for client connections and View Administrator, display prelogin and warning messages, and set other client-connection options.

Set Options for Client Sessions and Connections

You configure global settings to determine the way client sessions and connections work.

The global settings are not specific to a single View Connection Server instance. They affect all client sessions that are managed by a standalone View Connection Server instance or a group of replicated instances.

You can also configure View Connection Server instances to use direct, nontunneled connections between View clients and View desktops. See “Configure the Tunnel Connection,” on page 20 for information about configuring direct connections.

Prerequisites

Familiarize yourself with the global settings. See “Global Settings for Client Sessions and Connections,” on page 18.

Procedure

Chapter 1 Configuring View Connection Server

1 In View Administrator, click View Configuration > Global Settings.

2 Click Edit.

3 Configure the global settings.

4 Click OK.

What to do next

If you change one of the following global settings, you must restart the View Connection Server service to make your changes take effect.

Require SSL for client connections and View Administrator

Reauthenticate secure VPN connections after network interruption

Display a pre-login message

In a group of replicated View Connection Server instances, you must restart the View Connection Server service on all instances in the group. You do not have to restart the Windows Server computer where View Connection Server is installed.

VMware, Inc. 17

VMware View Administrator's Guide

Global Settings for Client Sessions and Connections

Global settings determine session time-out length and whether SSL is used, clients are reauthenticated after interruptions, View components use secure internal communications, prelogin and warning messages are displayed, and SSO is used for local-desktop operations.

Table 1-2. Global Settings for Client Sessions and Connections

Setting Description

Session timeout Determines how long a user can keep a session open after logging in to

View Connection Server.

The value is set in minutes. You must type a value. The default is 600 minutes.

Require SSL for client connections and View Administrator

Reauthenticate secure VPN connections after network interruption

Message security mode Determines the security of communications between View Manager

Disable Single Sign-on for Local Mode operations

Enable automatic status updates Determines if View Manager updates the global status pane in the upper

Determines if a secure SSL communication channel is used between View Connection Server and View desktop clients, and between View Connection Server and clients that access View Administrator.

When you select this setting, clients must use SSL connections.

You must select this setting if you use smart card authentication.

After you change this setting, you must restart the View Connection Server service to make your change take effect.

Determines if user credentials must be reauthenticated after a network interruption when you use tunneled, secure VPN connections to the client.

This setting has no effect when you use direct connection.

After you change this setting, you must restart the View Connection Server service to make your change take effect.

components. Specifically, determines if signing and verification of the JMS messages passed between View Manager components takes place. For details, see “Message Security Mode for View Components,” on page 19.

Determines if single sign-on is enabled when users log in to their local desktops.

If you disable this setting, users must manually log in to their desktops to start their Windows sessions after they log in.

When you change this setting, the change takes effect for each user at the next user operation.

left corner of View Administrator every few minutes. The dashboard page of View Administrator is also updated every few minutes.

When you enable this setting, idle sessions do not time out for any user who is logged into View Administrator.

IMPORTANT Disabling idle-session timeouts increases the risk of unauthorized use of View Administrator. Use caution when you enable this setting.

By default, this setting is not enabled. Idle-session timeouts do occur.

18 VMware, Inc.

Chapter 1 Configuring View Connection Server

Table 1-2. Global Settings for Client Sessions and Connections

Setting

Display a pre-login message Displays a disclaimer or another message to View Client users when

Display warning before forced logoff Displays a warning message when users are forced to log off because a

Description

they log in.

Type your information or instructions in the text box in the Global Settings dialog window.

To display no message, leave the text box blank.

After you change this setting, you must restart the View Connection Server service to make your change take effect.

scheduled or immediate update such as a desktop-refresh operation is about to start. This setting also determines how long to wait after the warning is shown before the user is logged off.

Check the box to display a warning message.

Type the number of minutes to wait after the warning is displayed and before logging off the user. The default is five minutes.

Type your warning message. You can use the default message:

Your desktop is scheduled for an important update and will be restarted in 5 minutes. Please save any unsaved work now.

(Continued)

Message Security Mode for View Components

You can set the level of security for communications between View components. This setting determines whether to sign and verify JMS messages that are passed between View Manager components. Enabling this setting prevents control messages that did not come from an authorized source from being processed.

any component in your View environment predates View Manager 3.0, signing and verification cannot take

place.

Table 1-3 shows the options you can select to configure the message security level. To set an option, select it

from the Message security mode list in the Global Settings dialog window.

Table 1-3. Message Security Mode Options

Option

Disabled Message security mode is disabled.

Mixed Message security mode is enabled but not enforced.

Enabled Message security mode is enabled. Unsigned messages are rejected by View components.

Description

You can use this mode to detect components in your View environment that predate View Manager 3.0. The log files generated by View Connection Server contain references to these components.

NOTE View components that predate View Manager 3.0 are not allowed to communicate with other View components

Message security mode is supported in View Manager 3.1 and later. If you change the message security mode from Disabled or Mixed to Enabled, you cannot launch a desktop with a View Agent from Virtual Desktop Manager version 2.1 or earlier. If you then change the message security mode from Enabled to Mixed to Disabled, the desktop still fails to launch. To launch a desktop after you change the message security mode from Enabled to Mixed to Disabled, you must restart the desktop.

VMware, Inc. 19

VMware View Administrator's Guide

Configure the Tunnel Connection

When

the tunnel connection is enabled, View Client makes a second HTTPS connection to the View Connection

Server or security server host when users connect to a View desktop with the Microsoft RDP display protocol.

When the tunnel connection is disabled, View desktop sessions are established directly between the client system and the View desktop virtual machine, bypassing the View Connection Server or security server host. This type of connection is called a direct connection.

NOTE Clients that use the PCoIP and HP RGS display protocols do not use the tunnel connection.

Procedure

In View Administrator, click View Configuration > Servers.

2 In the View Connection Servers panel, select a View Connection Server instance and click Edit.

Option

Disable the tunnel connection

Enable the tunnel connection

Description

Deselect Use secure tunnel connection to desktop.

Select Use secure tunnel connection to desktop.

The tunnel connection is enabled by default.

Click OK to save your changes.

Disable or Enable View Connection Server

You can disable a View Connection Server instance to prevent users from logging in to their View desktops. After you disable an instance, you can enable it again.

When you disable a View Connection Server instance, users who are currently logged in to View desktops are not affected.

Your View Manager deployment determines how users are affected by disabling an instance.

If this is a single, standalone View Connection Server instance, users cannot log in to their desktops. They cannot connect to View Connection Server.

If this is a replicated View Connection Server instance, your network topology determines whether users can be routed to another replicated instance. If users can access another instance, they can log in to their desktops.

Procedure

1 In View Administrator, click View Configuration > Servers.

2 In the View Connection Servers panel, select the View Connection Server instance.

3 Click Disable.

You can enable the instance again by clicking Enable.

20 VMware, Inc.

Edit an External URL

You can use View Administrator to edit external URLs for View Connection Server instances and security servers.

default, a View Connection Server or security server host can be contacted only by tunnel clients that reside

By within the same network. Tunnel clients that run outside of your network must use an externally resolvable URL to connect to a View Connection Server instance.

NOTE You cannot edit the external URL for a security server that has not been upgraded to View Connection Server 4.5.

Procedure

In View Administrator, click View Configuration > Servers.

Chapter 1 Configuring View Connection Server

Option

View Connection Server instance

Security server

Type the external URL in the External URL text box.

The URL must contain the protocol, externally resolvable host name, and port number.

For example: https://view.example.com:443

3 Click OK to save your changes.

The external URL is updated immediately. You do not need to restart the View Connection Server service or the security server service for the change to take effect.

View LDAP Directory

View LDAP is the data repository for all View Manager configuration information. View LDAP is an embedded Lightweight Directory Access Protocol (LDAP) directory that is provided with the View Connection Server installation.

View LDAP contains standard LDAP directory components that are used by View Manager.

View Manager schema definitions

Directory information tree (DIT) definitions

Action

Select the View Connection Server instance in the View Connection Servers panel and click Edit.

Select the security server in the Security Servers panel and click Edit.

Access control lists (ACLs)

View LDAP contains directory entries that represent View Manager objects.

View desktop entries that represent each accessible desktop. Each entry contains references to the Foreign Security Principal (FSP) entries of Windows users and groups in Active Directory who are authorized to use the desktop.

View desktop pool entries that represent multiple desktops managed together

Virtual machine entries that represent the vCenter Server virtual machine for each desktop

View Manager component entries that store configuration settings

View LDAP also contains a set of View Manager plug-in DLLs that provide automation and notification services for other View Manager components.

NOTE Security server instances do not contain a View LDAP directory.

VMware, Inc. 21

VMware View Administrator's Guide

Configuring View Connection Server Settings

You can use View Administrator to modify configuration settings for View Connection Server instances.

22 VMware, Inc.

Configuring Role-Based Delegated

Administration 2

One key management task in a View environment is to determine who can use View Administrator and what tasks those users are authorized to perform. With role-based delegated administration, you can selectively assign administrative rights by assigning administrator roles to specific Active Directory users and groups.

This chapter includes the following topics:

“Understanding Roles and Privileges,” on page 23

“Using Folders to Delegate Administration,” on page 24

“Understanding Permissions,” on page 25

“Manage Administrators,” on page 26

“Manage and Review Permissions,” on page 27

“Manage and Review Folders,” on page 29

“Manage Custom Roles,” on page 31

“Predefined Roles and Privileges,” on page 32

“Required Privileges for Common Tasks,” on page 35

“Best Practices for Administrator Users and Groups,” on page 37

Understanding Roles and Privileges

The ability to perform tasks in View Administrator is governed by an access control system that consists of administrator roles and privileges. This system is similar to the vCenter Server access control system.

administrator role is a collection of privileges. Privileges grant the ability to perform specific actions, such as entitling a user to a desktop pool. Privileges also control what an administrator can see in View Administrator. For example, if an administrator does not have privileges to view or modify global policies, the Global Policies setting is not visible in the navigation panel when the administrator logs in to View Administrator.

Administrator privileges are either global or object-specific. Global privileges control system-wide operations, such as viewing and changing global settings. Object-specific privileges control operations on specific types of inventory objects.

Administrator roles typically combine all of the individual privileges required to perform a higher-level administration task. View Administrator includes predefined roles that contain the privileges required to perform common administration tasks. You can assign these predefined roles to your administrator users and groups, or you can create your own roles by combining selected privileges. You cannot modify the predefined roles.

VMware, Inc. 23

VMware View Administrator's Guide

To create administrators, you select users and groups from your Active Directory users and groups and assign administrator roles. Administrators obtain privileges through their role assignments. You cannot assign privileges

directly to administrators. An administrator that has multiple role assignments acquires the sum of

all the privileges contained in those roles.

Using Folders to Delegate Administration

By default, desktop pools are created in the root folder, which appears as / or Root(/) in View Administrator. You can create folders under the root folder to subdivide your desktop pools and then delegate the administration of specific desktop pools to different administrators.

A desktop inherits the folder from its pool. An attached persistent disk inherits the folder from its desktop. You can have a maximum of 100 folders, including the root folder.

You configure administrator access to the resources in a folder by assigning a role to an administrator on that folder. Administrators can access the resources that reside only in folders for which they have assigned roles. The role that an administrator has on a folder determines the level of access that the administrator has to the resources in that folder.

Because roles are inherited from the root folder, an administrator that has a role on the root folder has that role on all folders. Administrators that have the Administrators role on the root folder are super administrators because they have full access to all of the inventory objects in the system.

A role must contain at least one object-specific privilege to apply to a folder. Roles that contain only global privileges cannot be applied to folders.

You can use View Administrator to create folders and to move existing pools to folders. You can also select a folder when you create a desktop pool. If you do not select a folder during pool creation, the pool is created in the root folder by default.

Different Administrators for Different Folders on page 24

You can create a different administrator to manage each folder in your configuration.

Different Administrators for the Same Folder on page 25

You can create different administrators to manage the same folder.

Different Administrators for Different Folders

You can create a different administrator to manage each folder in your configuration.

For example, if your corporate desktop pools are in one folder and your desktop pools for software developers are in another folder, you can create different administrators to manage the resources in each folder.

Table 2-1 shows an example of this type of configuration.

Table 2-1. Different Administrators for Different Folders

Administrator

view-domain.com\Admin1 Inventory Administrators

view-domain.com\Admin2 Inventory Administrators

In this example, the administrator called Admin1 has the Inventory Administrators role on the folder called

CorporateDesktops and the administrator called Admin2 has the Inventory Administrators role on the folder

called DeveloperDesktops.

Role Folder

/CorporateDesktops

/DeveloperDesktops

24 VMware, Inc.

Different Administrators for the Same Folder

You can create different administrators to manage the same folder.

For

example, if your corporate desktop pools are in one folder, you can create one administrator that can view

and modify those pools and another administrator that can only view them.

Table 2-2 shows an example of this type of configuration.

Table 2-2. Different Administrators for the Same Folder

Administrator

view-domain.com\Admin1 Inventory Administrators

view-domain.com\Admin2 Inventory Administrators (Read only)

Role Folder

In this example, the administrator called Admin1 has the Inventory Administrators role on the folder called

CorporateDesktops and the administrator called Admin2 has the Inventory Administrators (Read only) role

on the same folder.

Understanding Permissions

View Administrator presents the combination of a role, an administrator user or group, and a folder as a permission. The role defines the actions that can be performed, the user or group indicates who can perform the action, and the folder contains the objects that are the target of the action.

Chapter 2 Configuring Role-Based Delegated Administration

/CorporateDesktops

Permissions

appear differently in View Administrator depending on whether you select an administrator user

or group, a folder, or a role.

Table 2-3 shows how permissions appear in View Administrator when you select an administrator user or

group. The administrator user is called Admin 1 and it has two permissions.

Table 2-3. Permissions on the Administrators and Groups Tab for Admin 1

Role

Inventory Administrators

Administrators (Read only)

Folder

MarketingDesktops

The first permission shows that Admin 1 has the Inventory Administrators role on the folder called

MarketingDesktops. The second permission shows that Admin 1 has the Administrators (Read only) role on

the root folder.

Table 2-4 shows how the same permissions appear in View Administrator when you select the

MarketingDesktops folder.

Table 2-4. Permissions on the Folders Tab for MarketingDesktops

Admin

view-domain.com\Admin1 Inventory Administrators

view-domain.com\Admin1 Administrators (Read only) Yes

The first permission is the same as the first permission shown in Table 2-3.

Role Inherited

The second permission is inherited

from the second permission shown in Table 2-3. Because folders inherit permissions from the root folder, Admin1 has the Administrators (Read only) role on the MarketingDesktops folder. When a permission is inherited, Yes appears in the Inherited column.

Table 2-5 shows how the first permission in Table 2-3 appears in View Administrator when you select the

Inventory Administrators role.

VMware, Inc. 25

VMware View Administrator's Guide

Table 2-5. Permissions on the Role Tab for Inventory Administrators

Administrator Folder

view-domain.com\Admin1

Manage Administrators

Users who have the Administrators role can use View Administrator to add and remove administrator users and groups.

The Administrators role is the most powerful role in View Administrator. Initially, members of the local Administrators group (BUILTIN\Administrators) on your View Connection Server host are given the Administrators role in View Administrator.

NOTE By default, the Domain Admins group is a member of the local Administrators group. If you do not

domain administrators to have full access to inventory objects and View configuration settings, you must

want remove the Domain Admins group from the local Administrators group.

Create an Administrator on page 26

To create an administrator, you select a user or group from your Active Directory users and groups in View Administrator and assign an administrator role.

/MarketingDesktops

Remove an Administrator on page 27

You can remove an administrator user or group. You cannot remove the last super administrator in the system. A super administrator is an administrator that has the Administrators role on the root folder.

Create an Administrator

To create an administrator, you select a user or group from your Active Directory users and groups in View Administrator and assign an administrator role.

Prerequisites

Familiarize yourself with the predefined administrator roles. See “Predefined Roles and Privileges,” on page 32.

Familiarize yourself with the best practices for creating administrator users and groups. See “Best Practices

for Administrator Users and Groups,” on page 37.

To assign a custom role to the administrator, create the custom role. See “Add a Custom Role,” on page 31.

To create an administrator that can manage specific desktop pools, create a folder and move the desktop pools to that folder. See “Manage and Review Folders,” on page 29.

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 On the Administrators and Groups tab, click Add User or Group.

3 Click Add, select one or more search criteria, and click Find to filter Active Directory users or groups based

on your search criteria.

4 Select the Active Directory user or group that you want to be an administrator user or group, click OK

and click Next.

You can press the Ctrl and Shift keys to select multiple users and groups.

26 VMware, Inc.

Chapter 2 Configuring Role-Based Delegated Administration

5 Select a role to assign to the administrator user or group.

The Apply to Folder column indicates whether a role applies to folders. Only roles that contain objectspecific privileges apply to folders. Roles that contain only global privileges do not apply to folders.

Option Action

The role you selected applies to folders

You want the permission to apply to all folders

Select one or more folders and click Next.

Select the root folder and click Next.

Click Finish to create the administrator user or group.

The new administrator user or group appears in the left pane and the role and folder that you selected appear in the right pane on the Administrators and Groups tab.

Remove an Administrator

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 On the Administrators and Groups tab, select the administrator user or group, click Remove User or

Group, and click OK.

The administrator user or group no longer appears on the Administrators and Groups tab.

Manage and Review Permissions

You can use View Administrator to add, delete, and review permissions for specific administrator users and groups, for specific roles, and for specific folders.

Add a Permission on page 28

You can add a permission that includes a specific administrator user or group, a specific role, or a specific folder.

Delete a Permission on page 28

You can delete a permission that includes a specific administrator user or group, a specific role, or a specific folder.

Review Permissions on page 29

You can review the permissions that include a specific administrator or group, a specific role, or a specific folder.

VMware, Inc. 27

VMware View Administrator's Guide

Add a Permission

You can add a permission that includes a specific administrator user or group, a specific role, or a specific folder.

Procedure

In View Administrator, select View Configuration > Administrators.

2 Create the permission.

Option

Create a permission that includes a specific administrator user or group

Create a permission that includes a specific role

Create a permission that includes a specific folder

Action

a On the Administrators and Groups tab, select the administrator or

group and click Add Permission.

Select a role.

c If the role does not apply to folders, click Finish.

d If the role applies to folders, click Next, select one or more folders, and

click Finish. A role must contain at least one object-specific privilege to apply to a folder.

a On the Roles tab, select the role, click Permissions, and click Add

Permission.

b Click Add, select one or more search criteria, and click Find to find

administrator users or groups that match your search criteria.

c Select an administrator user or group to include in the permission and

click OK. You can press the Ctrl and Shift keys to select multiple users and groups.

d If the role does not apply to folders, click Finish.

e If the role applies to folders, click Next, select one or more folders, and

click Finish. A role must contain at least one object-specific privilege to apply to a folder.

a On the Folders tab, select the folder and click Add Permission.

b Click Add, select one or more search criteria, and click Find to find

administrator users or groups that match your search criteria.

c Select an administrator user or group to include in the permission and

click OK. You can press the Ctrl and Shift keys to select multiple users and groups.

d Click Next, select a role, and click Finish. A role must contain at least

one object-specific privilege to apply to a folder.

Delete a Permission

You can delete a permission that includes a specific administrator user or group, a specific role, or a specific folder.

you remove the last permission for an administrator user or group, that administrator user or group is also removed. Because at least one administrator must have the Administrators role on the root folder, you cannot remove a permission that would cause that administrator to be removed. You cannot delete an inherited permission.

28 VMware, Inc.

Chapter 2 Configuring Role-Based Delegated Administration

Procedure

In View Administrator, select View Configuration > Administrators.

2 Select the permission to delete.

Option

Delete a permission that applies to a specific administrator or group

Delete a permission that applies to a specific role

Delete a permission that applies to a specific folder

Action

Select the administrator or group on the Administrators and Groups tab.

Select the role on the Roles tab.

Select the folder on the Folders tab.

Select the permission and click Delete Permission.

Review Permissions

You can review the permissions that include a specific administrator or group, a specific role, or a specific folder.

Procedure

1 Select View Configuration > Administrators.

2 Review the permissions.

Option

Review the permissions that include a specific administrator or group

Review the permissions that include a specific role

Review the permissions that include a specific folder

Action

Select the administrator or group on the Administrators and Groups tab.

Select the role on the Roles tab and click Permissions.

Select the folder on the Folders tab.

Manage and Review Folders

You

can use View Administrator to add and delete folders and to review the desktop pools and desktops in a

particular folder.

Add a Folder on page 30

If you want to delegate the administration of specific desktops or pools to different administrators, you must create folders to subdivide your desktops or pools. If you do not create folders, all desktops and pools reside in the root folder.

Move a Desktop Pool to a Different Folder on page 30

After you create a folder to subdivide your desktop pools, you must manually move desktop pools to the new folder. If you decide to change the way your desktop pools are subdivided, you can move desktops pools from one folder to another.

Remove a Folder on page 30

You can remove a folder if it does not contain inventory objects. You cannot remove the root folder.

VMware, Inc. 29

VMware View Administrator's Guide

Review the Desktop Pools in a Folder on page 31

You can see all of the desktop pools in a particular folder in View Administrator.

Review the Desktops in a Folder on page 31

can see all of the desktops in a particular folder in View Administrator. A desktop inherits the folder

You from its pool.

Add a Folder

You can have a maximum of 100 folders, including the root folder.

Procedure

1 In View Administrator, select Inventory > Pools.

2 From the Folder drop-down menu on the command bar, select New Folder.

3 Type a name and description for the folder and click OK.

The description is optional.

What to do next

Move one or more desktop pools to the folder.

Move a Desktop Pool to a Different Folder

Procedure

1 In View Administrator, select Inventory > Pools and select the pool.

2 From the Folder drop-down menu, select Change Folder.

3 Select the folder and click OK.

View Administrator moves the pool to the folder that you selected.

Remove a Folder

You can remove a folder if it does not contain inventory objects. You cannot remove the root folder.

Prerequisites

If the folder contains inventory objects, move the objects to another folder or to the root folder. See “Move a

Desktop Pool to a Different Folder,” on page 30.

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 On the Folders tab, select the folder and click Remove Folder.

3 Click OK to remove the folder.

30 VMware, Inc.

+ 312 hidden pages